From dcbf7ef6de0eedc346d668392a639026340226e7 Mon Sep 17 00:00:00 2001
From: wangxiaodong1030 <wangxiaodong1030@phytium.com.cn>
Date: Tue, 21 Jan 2025 11:27:45 +0800
Subject: [PATCH] code update 2025_01_21

---
 README.md                                     |   10 +-
 docs/ChangeLog.md                             |   58 +
 drivers/eth/gmac/fgmac_os.c                   |    4 +-
 drivers/eth/xmac/fxmac_os.c                   |    1 +
 drivers/media/fmedia_os.c                     |   19 +-
 drivers/media/fmedia_os.h                     |    2 +-
 .../d2000_aarch32_test_eventgroup.config      |    7 +
 .../d2000_aarch64_test_eventgroup.config      |    7 +
 .../e2000d_aarch32_demo_eventgroup.config     |    7 +
 .../e2000d_aarch64_demo_eventgroup.config     |    7 +
 .../e2000q_aarch32_demo_eventgroup.config     |    7 +
 .../e2000q_aarch64_demo_eventgroup.config     |    7 +
 .../ft2004_aarch32_dsk_eventgroup.config      |    7 +
 .../ft2004_aarch64_dsk_eventgroup.config      |    7 +
 ...hytiumpi_aarch32_firefly_eventgroup.config |    7 +
 ...hytiumpi_aarch64_firefly_eventgroup.config |    7 +
 example/freertos_feature/eventgroup/sdkconfig |    7 +
 .../freertos_feature/eventgroup/sdkconfig.h   |    7 +
 .../d2000_aarch32_test_interrupt.config       |    7 +
 .../d2000_aarch64_test_interrupt.config       |    7 +
 .../e2000d_aarch32_demo_interrupt.config      |    7 +
 .../e2000d_aarch64_demo_interrupt.config      |    7 +
 .../e2000q_aarch32_demo_interrupt.config      |    7 +
 .../e2000q_aarch64_demo_interrupt.config      |    7 +
 .../ft2004_aarch32_dsk_interrupt.config       |    7 +
 .../ft2004_aarch64_dsk_interrupt.config       |    7 +
 ...phytiumpi_aarch32_firefly_interrupt.config |    7 +
 ...phytiumpi_aarch64_firefly_interrupt.config |    7 +
 example/freertos_feature/interrupt/sdkconfig  |    7 +
 .../freertos_feature/interrupt/sdkconfig.h    |    7 +
 .../configs/d2000_aarch32_test_queue.config   |    7 +
 .../configs/d2000_aarch64_test_queue.config   |    7 +
 .../configs/e2000d_aarch32_demo_queue.config  |    7 +
 .../configs/e2000d_aarch64_demo_queue.config  |    7 +
 .../configs/e2000q_aarch32_demo_queue.config  |    7 +
 .../configs/e2000q_aarch64_demo_queue.config  |    7 +
 .../configs/ft2004_aarch32_dsk_queue.config   |    7 +
 .../configs/ft2004_aarch64_dsk_queue.config   |    7 +
 .../phytiumpi_aarch32_firefly_queue.config    |    7 +
 .../phytiumpi_aarch64_firefly_queue.config    |    7 +
 example/freertos_feature/queue/sdkconfig      |    7 +
 example/freertos_feature/queue/sdkconfig.h    |    7 +
 .../configs/d2000_aarch32_test_resoure.config |    7 +
 .../configs/d2000_aarch64_test_resoure.config |    7 +
 .../e2000d_aarch32_demo_resoure.config        |    7 +
 .../e2000d_aarch64_demo_resoure.config        |    7 +
 .../e2000q_aarch32_demo_resoure.config        |    7 +
 .../e2000q_aarch64_demo_resoure.config        |    7 +
 .../configs/ft2004_aarch32_dsk_resoure.config |    7 +
 .../configs/ft2004_aarch64_dsk_resoure.config |    7 +
 .../phytiumpi_aarch32_firefly_resoure.config  |    7 +
 .../phytiumpi_aarch64_firefly_resoure.config  |    7 +
 example/freertos_feature/resource/sdkconfig   |    7 +
 example/freertos_feature/resource/sdkconfig.h |    7 +
 .../freertos_feature/software_timer/README.md |    3 +
 .../d2000_aarch32_test_software_timer.config  |    7 +
 .../d2000_aarch64_test_software_timer.config  |    7 +
 .../e2000d_aarch32_demo_software_timer.config |    7 +
 .../e2000d_aarch64_demo_software_timer.config |    7 +
 .../e2000q_aarch32_demo_software_timer.config |    7 +
 .../e2000q_aarch64_demo_software_timer.config |    7 +
 .../ft2004_aarch32_dsk_software_timer.config  |    7 +
 .../ft2004_aarch64_dsk_software_timer.config  |    7 +
 ...umpi_aarch32_firefly_software_timer.config |    7 +
 ...umpi_aarch64_firefly_software_timer.config |    7 +
 .../figs/tick_interrupt_source_config.png     |  Bin 0 -> 13001 bytes
 .../freertos_feature/software_timer/sdkconfig |    7 +
 .../software_timer/sdkconfig.h                |    7 +
 .../configs/d2000_aarch32_test_task.config    |    7 +
 .../configs/d2000_aarch64_test_task.config    |    7 +
 .../configs/e2000d_aarch32_demo_task.config   |    7 +
 .../configs/e2000d_aarch64_demo_task.config   |    7 +
 .../configs/e2000q_aarch32_demo_task.config   |    7 +
 .../configs/e2000q_aarch64_demo_task.config   |    7 +
 .../configs/ft2004_aarch32_dsk_task.config    |    7 +
 .../configs/ft2004_aarch64_dsk_task.config    |    7 +
 .../phytiumpi_aarch32_firefly_task.config     |    7 +
 .../phytiumpi_aarch64_firefly_task.config     |    7 +
 example/freertos_feature/task/sdkconfig       |    7 +
 example/freertos_feature/task/sdkconfig.h     |    7 +
 .../d2000_aarch32_test_task_notify.config     |    7 +
 .../d2000_aarch64_test_task_notify.config     |    7 +
 .../e2000d_aarch32_demo_task_notify.config    |    7 +
 .../e2000d_aarch64_demo_task_notify.config    |    7 +
 .../e2000q_aarch32_demo_task_notify.config    |    7 +
 .../e2000q_aarch64_demo_task_notify.config    |    7 +
 .../ft2004_aarch32_dsk_task_notify.config     |    7 +
 .../ft2004_aarch64_dsk_task_notify.config     |    7 +
 ...ytiumpi_aarch32_firefly_task_notify.config |    7 +
 ...ytiumpi_aarch64_firefly_task_notify.config |    7 +
 .../freertos_feature/task_notify/sdkconfig    |    7 +
 .../freertos_feature/task_notify/sdkconfig.h  |    7 +
 example/network/lwip_https/Kconfig            |    4 +
 example/network/lwip_https/README.md          |  152 +
 .../d2000_aarch32_test_lwip_https.config      |  606 ++
 .../d2000_aarch64_test_lwip_https.config      |  595 ++
 .../e2000d_aarch32_demo_lwip_https.config}    |  288 +-
 .../e2000d_aarch64_demo_lwip_https.config}    |  288 +-
 .../e2000q_aarch32_demo_lwip_https.config}    |  288 +-
 .../e2000q_aarch64_demo_lwip_https.config}    |  288 +-
 .../ft2004_aarch32_dsk_lwip_https.config      |  606 ++
 .../ft2004_aarch64_dsk_lwip_https.config      |  595 ++
 ...ytiumpi_aarch32_firefly_lwip_https.config} |  288 +-
 ...ytiumpi_aarch64_firefly_lwip_https.config} |  288 +-
 .../network/lwip_https/fig/https_client.png   |  Bin 0 -> 56683 bytes
 .../network/lwip_https/fig/https_server.png   |  Bin 0 -> 21774 bytes
 .../network/lwip_https/inc/https_example.h    |   51 +
 example/network/lwip_https/main.c             |   77 +
 example/network/lwip_https/makefile           |   28 +
 example/network/lwip_https/sdkconfig          |  606 ++
 example/network/lwip_https/sdkconfig.h        |  536 +
 example/network/lwip_https/src/cmd_https.c    |   91 +
 .../network/lwip_https/src/https_example.c    |  448 +
 example/network/lwip_https/tools/ssl_server   |  Bin 0 -> 566672 bytes
 .../d2000_aarch32_test_lwip_iperf.config      |    7 +
 .../d2000_aarch64_test_lwip_iperf.config      |    7 +
 .../e2000d_aarch32_demo_lwip_iperf.config     |    7 +
 .../e2000d_aarch64_demo_lwip_iperf.config     |    7 +
 .../e2000q_aarch32_demo_lwip_iperf.config     |    7 +
 .../e2000q_aarch64_demo_lwip_iperf.config     |    7 +
 .../ft2004_aarch32_dsk_lwip_iperf.config      |    7 +
 .../ft2004_aarch64_dsk_lwip_iperf.config      |    7 +
 ...hytiumpi_aarch32_firefly_lwip_iperf.config |    7 +
 ...hytiumpi_aarch64_firefly_lwip_iperf.config |    7 +
 example/network/lwip_iperf/sdkconfig          |    7 +
 example/network/lwip_iperf/sdkconfig.h        |    7 +
 .../d2000_aarch32_test_lwip_startup.config    |    7 +
 .../d2000_aarch64_test_lwip_startup.config    |    7 +
 .../e2000d_aarch32_demo_lwip_startup.config   |    7 +
 .../e2000d_aarch64_demo_lwip_startup.config   |    7 +
 .../e2000q_aarch32_demo_lwip_startup.config   |    7 +
 .../e2000q_aarch64_demo_lwip_startup.config   |    7 +
 .../ft2004_aarch32_dsk_lwip_startup.config    |    7 +
 .../ft2004_aarch64_dsk_lwip_startup.config    |    7 +
 ...tiumpi_aarch32_firefly_lwip_startup.config |    7 +
 ...tiumpi_aarch64_firefly_lwip_startup.config |    7 +
 example/network/lwip_startup/sdkconfig        |    7 +
 example/network/lwip_startup/sdkconfig.h      |    7 +
 .../lwip_startup/src/lwip_dhcp_example.c      |    9 +-
 .../d2000_aarch32_test_udp_multicast.config   |    7 +
 .../d2000_aarch64_test_udp_multicast.config   |    7 +
 .../e2000d_aarch32_demo_udp_multicast.config  |    7 +
 .../e2000d_aarch64_demo_udp_multicast.config  |    7 +
 .../e2000q_aarch32_demo_udp_multicast.config  |    7 +
 .../e2000q_aarch64_demo_udp_multicast.config  |    7 +
 .../ft2004_aarch32_dsk_udp_multicast.config   |    7 +
 .../ft2004_aarch64_dsk_udp_multicast.config   |    7 +
 ...iumpi_aarch32_firefly_udp_multicast.config |    7 +
 ...iumpi_aarch64_firefly_udp_multicast.config |    7 +
 .../network/sockets/udp_multicast/sdkconfig   |    7 +
 .../network/sockets/udp_multicast/sdkconfig.h |    7 +
 .../configs/e2000d_aarch32_demo_wlan.config   |    7 +
 .../configs/e2000d_aarch64_demo_wlan.config   |    7 +
 .../configs/e2000q_aarch32_demo_wlan.config   |    7 +
 .../configs/e2000q_aarch64_demo_wlan.config   |    7 +
 example/network/wlan/sdkconfig                |    7 +
 example/network/wlan/sdkconfig.h              |    7 +
 .../can/configs/d2000_aarch32_test_can.config |    7 +
 .../can/configs/d2000_aarch64_test_can.config |    7 +
 .../configs/e2000d_aarch32_demo_can.config    |    7 +
 .../configs/e2000d_aarch64_demo_can.config    |    7 +
 .../configs/e2000q_aarch32_demo_can.config    |    7 +
 .../configs/e2000q_aarch64_demo_can.config    |    7 +
 .../can/configs/ft2004_aarch32_dsk_can.config |    7 +
 .../can/configs/ft2004_aarch64_dsk_can.config |    7 +
 example/peripheral/can/can/sdkconfig          |    7 +
 example/peripheral/can/can/sdkconfig.h        |    7 +
 .../configs/e2000d_aarch32_demo_canfd.config  |    7 +
 .../configs/e2000d_aarch64_demo_canfd.config  |    7 +
 .../configs/e2000q_aarch32_demo_canfd.config  |    7 +
 .../configs/e2000q_aarch64_demo_canfd.config  |    7 +
 example/peripheral/can/canfd/sdkconfig        |    7 +
 example/peripheral/can/canfd/sdkconfig.h      |    7 +
 .../configs/e2000d_aarch32_demo_ddma.config   |    7 +
 .../configs/e2000d_aarch64_demo_ddma.config   |    7 +
 .../configs/e2000q_aarch32_demo_ddma.config   |    7 +
 .../configs/e2000q_aarch64_demo_ddma.config   |    7 +
 .../phytiumpi_aarch32_firefly_ddma.config     |    7 +
 .../phytiumpi_aarch64_firefly_ddma.config     |    7 +
 example/peripheral/dma/ddma/sdkconfig         |    7 +
 example/peripheral/dma/ddma/sdkconfig.h       |    7 +
 .../configs/e2000d_aarch32_demo_gdma.config   |    7 +
 .../configs/e2000d_aarch64_demo_gdma.config   |    7 +
 .../configs/e2000q_aarch32_demo_gdma.config   |    7 +
 .../configs/e2000q_aarch64_demo_gdma.config   |    7 +
 .../phytiumpi_aarch32_firefly_gdma.config     |    7 +
 .../phytiumpi_aarch64_firefly_gdma.config     |    7 +
 example/peripheral/dma/gdma/sdkconfig         |    7 +
 example/peripheral/dma/gdma/sdkconfig.h       |    7 +
 .../configs/d2000_aarch32_test_gpio.config    |    7 +
 .../configs/d2000_aarch64_test_gpio.config    |    7 +
 .../configs/e2000d_aarch32_demo_gpio.config   |    7 +
 .../configs/e2000d_aarch64_demo_gpio.config   |    7 +
 .../configs/e2000q_aarch32_demo_gpio.config   |    7 +
 .../configs/e2000q_aarch64_demo_gpio.config   |    7 +
 .../phytiumpi_aarch32_firefly_gpio.config     |    7 +
 .../phytiumpi_aarch64_firefly_gpio.config     |    7 +
 example/peripheral/gpio/sdkconfig             |    7 +
 example/peripheral/gpio/sdkconfig.h           |    7 +
 .../configs/e2000d_aarch32_demo_i2c.config    |    7 +
 .../configs/e2000d_aarch64_demo_i2c.config    |    7 +
 .../configs/e2000q_aarch32_demo_i2c.config    |    7 +
 .../configs/e2000q_aarch64_demo_i2c.config    |    7 +
 .../phytiumpi_aarch32_firefly_i2c.config      |    7 +
 .../phytiumpi_aarch64_firefly_i2c.config      |    7 +
 example/peripheral/i2c/sdkconfig              |    7 +
 example/peripheral/i2c/sdkconfig.h            |    7 +
 .../configs/e2000d_aarch32_demo_i2s.config    |    7 +
 .../configs/e2000d_aarch64_demo_i2s.config    |    7 +
 .../configs/e2000q_aarch32_demo_i2s.config    |    7 +
 .../configs/e2000q_aarch64_demo_i2s.config    |    7 +
 example/peripheral/i2s/sdkconfig              |    7 +
 example/peripheral/i2s/sdkconfig.h            |    7 +
 .../configs/e2000d_aarch32_demo_media.config  |   21 +-
 .../configs/e2000d_aarch64_demo_media.config  |   21 +-
 .../configs/e2000q_aarch32_demo_media.config  |   21 +-
 .../configs/e2000q_aarch64_demo_media.config  |   23 +-
 .../phytiumpi_aarch32_firefly_media.config    |   21 +-
 .../phytiumpi_aarch64_firefly_media.config    |   21 +-
 example/peripheral/media/lvgl_demo/sdkconfig  |   33 +-
 .../peripheral/media/lvgl_demo/sdkconfig.h    |   28 +-
 example/peripheral/media/lvgl_demo/src/cmd.c  |    2 +-
 .../media/lvgl_demo/src/lv_demo_test.c        |   90 +-
 .../configs/e2000d_aarch32_demo_media.config  |   21 +-
 .../configs/e2000d_aarch64_demo_media.config  |   23 +-
 .../configs/e2000q_aarch32_demo_media.config  |   21 +-
 .../configs/e2000q_aarch64_demo_media.config  |   23 +-
 .../phytiumpi_aarch32_firefly_media.config    |   21 +-
 .../phytiumpi_aarch64_firefly_media.config    |   21 +-
 example/peripheral/media/lvgl_indev/sdkconfig |   31 +-
 .../peripheral/media/lvgl_indev/sdkconfig.h   |   26 +-
 example/peripheral/media/lvgl_indev/src/cmd.c |    1 -
 .../media/lvgl_indev/src/lv_indev_test.c      |   88 +-
 .../configs/e2000d_aarch32_demo_media.config  |   21 +-
 .../configs/e2000d_aarch64_demo_media.config  |   23 +-
 .../configs/e2000q_aarch32_demo_media.config  |   21 +-
 .../configs/e2000q_aarch64_demo_media.config  |   23 +-
 .../phytiumpi_aarch32_firefly_media.config    |   21 +-
 .../phytiumpi_aarch64_firefly_media.config    |   21 +-
 example/peripheral/media/lvgl_ui/sdkconfig    |   21 +-
 example/peripheral/media/lvgl_ui/sdkconfig.h  |   18 +-
 example/peripheral/media/lvgl_ui/src/cmd.c    |    1 -
 .../media/lvgl_ui/src/lv_indev_test.c         |   86 +-
 .../configs/e2000d_aarch32_demo_media.config  |   23 +-
 .../configs/e2000d_aarch64_demo_media.config  |   25 +-
 .../configs/e2000q_aarch32_demo_media.config  |   23 +-
 .../configs/e2000q_aarch64_demo_media.config  |   25 +-
 .../phytiumpi_aarch32_firefly_media.config    |   23 +-
 .../phytiumpi_aarch64_firefly_media.config    |   23 +-
 example/peripheral/media/media_test/sdkconfig |   33 +-
 .../peripheral/media/media_test/sdkconfig.h   |   28 +-
 .../media/media_test/src/cmd_media.c          |    1 -
 .../media/media_test/src/media_example.c      |   91 +-
 .../configs/e2000d_aarch32_demo_pwm.config    |    7 +
 .../configs/e2000d_aarch64_demo_pwm.config    |    7 +
 .../configs/e2000q_aarch32_demo_pwm.config    |    7 +
 .../configs/e2000q_aarch64_demo_pwm.config    |    7 +
 .../phytiumpi_aarch32_firefly_pwm.config      |    7 +
 .../phytiumpi_aarch64_firefly_pwm.config      |    7 +
 example/peripheral/pwm/sdkconfig              |    7 +
 example/peripheral/pwm/sdkconfig.h            |    7 +
 .../configs/d2000_aarch32_test_qspi.config    |    7 +
 .../configs/d2000_aarch64_test_qspi.config    |    7 +
 .../configs/e2000d_aarch32_demo_qspi.config   |    7 +
 .../configs/e2000d_aarch64_demo_qspi.config   |    7 +
 .../configs/e2000q_aarch32_demo_qspi.config   |    7 +
 .../configs/e2000q_aarch64_demo_qspi.config   |    7 +
 .../configs/ft2004_aarch32_dsk_qspi.config    |    7 +
 .../configs/ft2004_aarch64_dsk_qspi.config    |    7 +
 .../phytiumpi_aarch32_firefly_qspi.config     |    7 +
 .../phytiumpi_aarch64_firefly_qspi.config     |    7 +
 example/peripheral/qspi/main.c                |    4 +-
 example/peripheral/qspi/sdkconfig             |    7 +
 example/peripheral/qspi/sdkconfig.h           |    7 +
 .../configs/e2000d_aarch32_demo_sdif.config   |    7 +
 .../configs/e2000d_aarch64_demo_sdif.config   |    7 +
 .../configs/e2000q_aarch32_demo_sdif.config   |    7 +
 .../configs/e2000q_aarch64_demo_sdif.config   |    7 +
 example/peripheral/sdif/sdkconfig             |    7 +
 example/peripheral/sdif/sdkconfig.h           |    7 +
 .../configs/e2000d_aarch32_demo_spi.config    |    7 +
 .../configs/e2000d_aarch64_demo_spi.config    |    7 +
 .../configs/e2000q_aarch32_demo_spi.config    |    7 +
 .../configs/e2000q_aarch64_demo_spi.config    |    7 +
 .../phytiumpi_aarch32_firefly_spi.config      |    7 +
 .../phytiumpi_aarch64_firefly_spi.config      |    7 +
 example/peripheral/spi/sdkconfig              |    7 +
 example/peripheral/spi/sdkconfig.h            |    7 +
 .../configs/e2000d_aarch32_demo_timer.config  |    7 +
 .../configs/e2000d_aarch64_demo_timer.config  |    7 +
 .../configs/e2000q_aarch32_demo_timer.config  |    7 +
 .../configs/e2000q_aarch64_demo_timer.config  |    7 +
 .../phytiumpi_aarch32_firefly_timer.config    |    7 +
 .../phytiumpi_aarch64_firefly_timer.config    |    7 +
 example/peripheral/timer_tacho/sdkconfig      |    7 +
 example/peripheral/timer_tacho/sdkconfig.h    |    7 +
 .../configs/e2000d_aarch32_demo_pusb2.config  |    7 +
 .../configs/e2000d_aarch64_demo_pusb2.config  |    7 +
 .../configs/e2000q_aarch32_demo_pusb2.config  |    7 +
 .../configs/e2000q_aarch64_demo_pusb2.config  |    7 +
 example/peripheral/usb/pusb2_device/main.c    |    2 +-
 example/peripheral/usb/pusb2_device/sdkconfig |    7 +
 .../peripheral/usb/pusb2_device/sdkconfig.h   |    7 +
 .../usb/pusb2_device/src/cmd_pusb2.c          |    5 +-
 .../phytiumpi_aarch32_firefly_pusb2.config    |    7 +
 .../phytiumpi_aarch64_firefly_pusb2.config    |    7 +
 example/peripheral/usb/pusb2_host/sdkconfig   |    7 +
 example/peripheral/usb/pusb2_host/sdkconfig.h |    7 +
 .../d2000_aarch32_test_cherry_usb.config      |    7 +
 .../d2000_aarch64_test_cherry_usb.config      |    7 +
 .../e2000d_aarch32_demo_cherry_usb.config     |    7 +
 .../e2000d_aarch64_demo_cherry_usb.config     |    7 +
 .../e2000q_aarch32_demo_cherry_usb.config     |    7 +
 .../e2000q_aarch64_demo_cherry_usb.config     |    7 +
 example/peripheral/usb/xhci_pcie/sdkconfig    |    7 +
 example/peripheral/usb/xhci_pcie/sdkconfig.h  |    7 +
 .../e2000d_aarch32_demo_cherry_usb.config     |    7 +
 .../e2000d_aarch64_demo_cherry_usb.config     |    7 +
 .../e2000q_aarch32_demo_cherry_usb.config     |    7 +
 .../e2000q_aarch64_demo_cherry_usb.config     |    7 +
 ...hytiumpi_aarch32_firefly_cherry_usb.config |    7 +
 ...hytiumpi_aarch64_firefly_cherry_usb.config |    7 +
 .../peripheral/usb/xhci_platform/sdkconfig    |    7 +
 .../peripheral/usb/xhci_platform/sdkconfig.h  |    7 +
 .../wdt/configs/d2000_aarch32_test_wdt.config |    7 +
 .../wdt/configs/d2000_aarch64_test_wdt.config |    7 +
 .../configs/e2000d_aarch32_demo_wdt.config    |    7 +
 .../configs/e2000d_aarch64_demo_wdt.config    |    7 +
 .../configs/e2000q_aarch32_demo_wdt.config    |    7 +
 .../configs/e2000q_aarch64_demo_wdt.config    |    7 +
 .../wdt/configs/ft2004_aarch32_dsk_wdt.config |    7 +
 .../wdt/configs/ft2004_aarch64_dsk_wdt.config |    7 +
 .../phytiumpi_aarch32_firefly_wdt.config      |    7 +
 .../phytiumpi_aarch64_firefly_wdt.config      |    7 +
 example/peripheral/wdt/sdkconfig              |    7 +
 example/peripheral/wdt/sdkconfig.h            |    7 +
 .../configs/e2000d_aarch32_demo_fatfs.config  |    7 +
 .../configs/e2000d_aarch64_demo_fatfs.config  |    7 +
 .../configs/e2000q_aarch32_demo_fatfs.config  |    7 +
 .../configs/e2000q_aarch64_demo_fatfs.config  |    7 +
 .../phytiumpi_aarch32_firefly_fatfs.config    |    7 +
 .../phytiumpi_aarch64_firefly_fatfs.config    |    7 +
 example/storage/fatfs/sdkconfig               |    7 +
 example/storage/fatfs/sdkconfig.h             |    7 +
 .../d2000_aarch32_test_qspi_spiffs.config     |    7 +
 .../d2000_aarch64_test_qspi_spiffs.config     |    7 +
 .../e2000d_aarch32_demo_qspi_spiffs.config    |    7 +
 .../e2000d_aarch64_demo_qspi_spiffs.config    |    7 +
 .../e2000q_aarch32_demo_qspi_spiffs.config    |    7 +
 .../e2000q_aarch64_demo_qspi_spiffs.config    |    7 +
 .../ft2004_aarch32_dsk_qspi_spiffs.config     |    7 +
 .../ft2004_aarch64_dsk_qspi_spiffs.config     |    7 +
 ...ytiumpi_aarch32_firefly_qspi_spiffs.config |    7 +
 ...ytiumpi_aarch64_firefly_qspi_spiffs.config |    7 +
 example/storage/qspi_spiffs/sdkconfig         |    7 +
 example/storage/qspi_spiffs/sdkconfig.h       |    7 +
 .../e2000d_aarch32_demo_spi_spiffs.config     |    7 +
 .../e2000d_aarch64_demo_spi_spiffs.config     |    7 +
 .../e2000q_aarch32_demo_spi_spiffs.config     |    7 +
 .../e2000q_aarch64_demo_spi_spiffs.config     |    7 +
 ...hytiumpi_aarch32_firefly_spi_spiffs.config |    7 +
 ...hytiumpi_aarch64_firefly_spi_spiffs.config |    7 +
 example/storage/spim_spiffs/sdkconfig         |    7 +
 example/storage/spim_spiffs/sdkconfig.h       |    7 +
 example/system/amp/README.md                  |    2 +-
 .../amp/openamp/common/openamp_configs.h      |   15 +-
 ...00_aarch32_test_openamp_device_core.config |    6 +
 ...00_aarch64_test_openamp_device_core.config |    6 +
 ...0d_aarch32_demo_openamp_device_core.config |    5 +
 ...0d_aarch64_demo_openamp_device_core.config |    5 +
 ...0q_aarch32_demo_openamp_device_core.config |    5 +
 ...0q_aarch64_demo_openamp_device_core.config |    5 +
 ...aarch32_firefly_openamp_device_core.config |    5 +
 ...aarch64_firefly_openamp_device_core.config |    5 +
 .../system/amp/openamp/device_core/sdkconfig  |   16 +-
 .../amp/openamp/device_core/sdkconfig.h       |   16 +-
 .../system/amp/openamp/driver_core/README.md  |   22 +-
 .../amp/openamp/driver_core/amp_config.json   |   56 +-
 ...00_aarch32_test_openamp_driver_core.config |   25 +-
 ...00_aarch64_test_openamp_driver_core.config |   25 +-
 ...0d_aarch32_demo_openamp_driver_core.config |   22 +-
 ...0d_aarch64_demo_openamp_driver_core.config |   20 +-
 ...0q_aarch32_demo_openamp_driver_core.config |   22 +-
 ...0q_aarch64_demo_openamp_driver_core.config |   20 +-
 ...aarch32_firefly_openamp_driver_core.config |   22 +-
 ...aarch64_firefly_openamp_driver_core.config |   20 +-
 .../openamp/driver_core/fig/1677585960509.png |  Bin 114715 -> 0 bytes
 .../driver_core/fig/20230512192325.png        |  Bin 257953 -> 0 bytes
 .../driver_core/fig/20230512195526.png        |  Bin 114642 -> 0 bytes
 .../driver_core/fig/20230512200435.png        |  Bin 215850 -> 0 bytes
 ...{20231017165755.png => Test32_Results.png} |  Bin
 ...{20231017160632.png => Test64_Results.png} |  Bin
 .../fig/e2000_aarch32_openamp_startup.png     |  Bin 251503 -> 133687 bytes
 .../fig/e2000_aarch64_openamp_startup.png     |  Bin 242426 -> 136696 bytes
 .../amp/openamp/driver_core/fig/openamp32.png |  Bin 0 -> 85046 bytes
 .../driver_core/fig/openamp32_auto.png        |  Bin 0 -> 213806 bytes
 .../amp/openamp/driver_core/fig/openamp64.png |  Bin 0 -> 84465 bytes
 .../driver_core/fig/openamp64_auto.png        |  Bin 0 -> 226121 bytes
 .../system/amp/openamp/driver_core/sdkconfig  |   31 +-
 .../amp/openamp/driver_core/sdkconfig.h       |   30 +-
 ...2000_aarch32_test_openamp_for_linux.config |    8 +
 ...2000_aarch64_test_openamp_for_linux.config |    8 +
 ...000d_aarch32_demo_openamp_for_linux.config |    5 +
 ...000d_aarch64_demo_openamp_for_linux.config |    5 +
 ...000q_aarch32_demo_openamp_for_linux.config |    5 +
 ...000q_aarch64_demo_openamp_for_linux.config |    5 +
 ...i_aarch32_firefly_openamp_for_linux.config |    5 +
 ...i_aarch64_firefly_openamp_for_linux.config |    5 +
 .../system/amp/openamp_for_linux/sdkconfig    |    5 +
 .../system/amp/openamp_for_linux/sdkconfig.h  |    5 +
 .../configs/d2000_aarch32_test_atomic.config  |    7 +
 .../configs/d2000_aarch64_test_atomic.config  |    7 +
 .../configs/e2000d_aarch32_demo_atomic.config |    7 +
 .../configs/e2000d_aarch64_demo_atomic.config |    7 +
 .../configs/e2000q_aarch32_demo_atomic.config |    7 +
 .../configs/e2000q_aarch64_demo_atomic.config |    7 +
 .../configs/ft2004_aarch32_dsk_atomic.config  |    7 +
 .../configs/ft2004_aarch64_dsk_atomic.config  |    7 +
 .../phytiumpi_aarch32_firefly_atomic.config   |    7 +
 .../phytiumpi_aarch64_firefly_atomic.config   |    7 +
 example/system/atomic/sdkconfig               |    7 +
 example/system/atomic/sdkconfig.h             |    7 +
 .../d2000_aarch32_test_exception.config       |    7 +
 .../d2000_aarch64_test_exception.config       |    7 +
 .../e2000d_aarch32_demo_exception.config      |    7 +
 .../e2000d_aarch64_demo_exception.config      |    7 +
 .../e2000q_aarch32_demo_exception.config      |    7 +
 .../e2000q_aarch64_demo_exception.config      |    7 +
 .../ft2004_aarch32_dsk_exception.config       |    7 +
 .../ft2004_aarch64_dsk_exception.config       |    7 +
 ...phytiumpi_aarch32_firefly_exception.config |    7 +
 ...phytiumpi_aarch64_firefly_exception.config |    7 +
 example/system/exception_debug/main.c         |    8 +-
 example/system/exception_debug/sdkconfig      |    7 +
 example/system/exception_debug/sdkconfig.h    |    7 +
 .../exception_debug/src/exception_test.c      |    2 -
 ...d2000_aarch32_test_nested_interrupt.config |    7 +
 ...d2000_aarch64_test_nested_interrupt.config |    7 +
 ...2000d_aarch32_demo_nested_interrupt.config |    7 +
 ...2000d_aarch64_demo_nested_interrupt.config |    7 +
 ...2000q_aarch32_demo_nested_interrupt.config |    7 +
 ...2000q_aarch64_demo_nested_interrupt.config |    7 +
 ...ft2004_aarch32_dsk_nested_interrupt.config |    7 +
 ...ft2004_aarch64_dsk_nested_interrupt.config |    7 +
 ...pi_aarch32_firefly_nested_interrupt.config |    7 +
 ...pi_aarch64_firefly_nested_interrupt.config |    7 +
 example/system/nested_interrupt/sdkconfig     |    7 +
 example/system/nested_interrupt/sdkconfig.h   |    7 +
 .../configs/d2000_aarch32_test_posix.config   |    7 +
 .../configs/d2000_aarch64_test_posix.config   |    7 +
 .../configs/e2000d_aarch32_demo_posix.config  |    7 +
 .../configs/e2000d_aarch64_demo_posix.config  |    7 +
 .../configs/e2000q_aarch32_demo_posix.config  |    7 +
 .../configs/e2000q_aarch64_demo_posix.config  |    7 +
 .../configs/ft2004_aarch32_dsk_posix.config   |    7 +
 .../configs/ft2004_aarch64_dsk_posix.config   |    7 +
 .../phytiumpi_aarch32_firefly_posix.config    |    7 +
 .../phytiumpi_aarch64_firefly_posix.config    |    7 +
 example/system/posix/sdkconfig                |    7 +
 example/system/posix/sdkconfig.h              |    7 +
 .../configs/d2000_aarch32_test_eg.config      |    7 +
 .../configs/d2000_aarch64_test_eg.config      |    7 +
 .../configs/e2000d_aarch32_demo_eg.config     |    7 +
 .../configs/e2000d_aarch64_demo_eg.config     |    7 +
 .../configs/e2000q_aarch32_demo_eg.config     |    7 +
 .../configs/e2000q_aarch64_demo_eg.config     |    7 +
 .../configs/ft2004_aarch32_dsk_eg.config      |    7 +
 .../configs/ft2004_aarch64_dsk_eg.config      |    7 +
 .../phytiumpi_aarch32_firefly_eg.config       |    7 +
 .../phytiumpi_aarch64_firefly_eg.config       |    7 +
 example/template/sdkconfig                    |    7 +
 example/template/sdkconfig.h                  |    7 +
 install.py                                    |    2 +-
 third-party/freertos/freertos.kconfig         |   17 +-
 .../portable/GCC/ft_platform/aarch64/port.c   |   34 +-
 .../freertos/portable/freertos_configs.c      |   24 +-
 third-party/include.mk                        |    4 +
 third-party/letter-shell-3.1/Kconfig          |   15 +
 .../port/pl011/fpl011_os_port.c               |   57 +-
 third-party/lvgl-8.3/port/lv_port_disp.c      |    6 +-
 third-party/mbedtls-3.6/Kconfig               |    3 +
 third-party/mbedtls-3.6/include.mk            |   14 +
 third-party/mbedtls-3.6/include/.gitignore    |    4 +
 .../mbedtls-3.6/include/CMakeLists.txt        |   16 +
 third-party/mbedtls-3.6/include/mbedtls/aes.h |  443 +
 .../mbedtls-3.6/include/mbedtls/aesni.h       |  143 +
 .../mbedtls-3.6/include/mbedtls/arc4.h        |  174 +
 .../mbedtls-3.6/include/mbedtls/asn1.h        |  383 +
 .../mbedtls-3.6/include/mbedtls/asn1write.h   |  274 +
 .../mbedtls-3.6/include/mbedtls/base64.h      |  120 +
 .../mbedtls-3.6/include/mbedtls/bignum.h      |  809 ++
 .../mbedtls-3.6/include/mbedtls/blowfish.h    |  230 +
 .../mbedtls-3.6/include/mbedtls/bn_mul.h      |  924 ++
 .../mbedtls-3.6/include/mbedtls/camellia.h    |  262 +
 third-party/mbedtls-3.6/include/mbedtls/ccm.h |  207 +
 .../mbedtls-3.6/include/mbedtls/certs.h       |  131 +
 .../include/mbedtls/check_config.h            |  753 ++
 .../mbedtls-3.6/include/mbedtls/cipher.h      |  777 ++
 .../include/mbedtls/cipher_internal.h         |  135 +
 .../mbedtls-3.6/include/mbedtls/cmac.h        |  239 +
 .../mbedtls-3.6/include/mbedtls/compat-1.3.h  | 2555 +++++
 .../mbedtls-3.6/include/mbedtls/config.h      | 2976 ++++++
 .../mbedtls-3.6/include/mbedtls/ctr_drbg.h    |  543 ++
 .../mbedtls-3.6/include/mbedtls/debug.h       |  254 +
 third-party/mbedtls-3.6/include/mbedtls/des.h |  382 +
 third-party/mbedtls-3.6/include/mbedtls/dhm.h | 1086 +++
 .../mbedtls-3.6/include/mbedtls/ecdh.h        |  308 +
 .../mbedtls-3.6/include/mbedtls/ecdsa.h       |  426 +
 .../mbedtls-3.6/include/mbedtls/ecjpake.h     |  285 +
 third-party/mbedtls-3.6/include/mbedtls/ecp.h |  736 ++
 .../include/mbedtls/ecp_internal.h            |  324 +
 .../mbedtls-3.6/include/mbedtls/entropy.h     |  316 +
 .../include/mbedtls/entropy_poll.h            |  135 +
 .../mbedtls-3.6/include/mbedtls/error.h       |  149 +
 third-party/mbedtls-3.6/include/mbedtls/gcm.h |  320 +
 .../mbedtls-3.6/include/mbedtls/havege.h      |  106 +
 .../mbedtls-3.6/include/mbedtls/hmac_drbg.h   |  495 +
 third-party/mbedtls-3.6/include/mbedtls/md.h  |  480 +
 third-party/mbedtls-3.6/include/mbedtls/md2.h |  334 +
 third-party/mbedtls-3.6/include/mbedtls/md4.h |  339 +
 third-party/mbedtls-3.6/include/mbedtls/md5.h |  339 +
 .../mbedtls-3.6/include/mbedtls/md_internal.h |  140 +
 .../include/mbedtls/memory_buffer_alloc.h     |  176 +
 third-party/mbedtls-3.6/include/mbedtls/net.h |   62 +
 .../mbedtls-3.6/include/mbedtls/net_sockets.h |  264 +
 third-party/mbedtls-3.6/include/mbedtls/oid.h |  614 ++
 .../mbedtls-3.6/include/mbedtls/padlock.h     |  139 +
 third-party/mbedtls-3.6/include/mbedtls/pem.h |  161 +
 third-party/mbedtls-3.6/include/mbedtls/pk.h  |  647 ++
 .../mbedtls-3.6/include/mbedtls/pk_internal.h |  140 +
 .../mbedtls-3.6/include/mbedtls/pkcs11.h      |  199 +
 .../mbedtls-3.6/include/mbedtls/pkcs12.h      |  155 +
 .../mbedtls-3.6/include/mbedtls/pkcs5.h       |  130 +
 .../mbedtls-3.6/include/mbedtls/platform.h    |  373 +
 .../include/mbedtls/platform_time.h           |  107 +
 .../mbedtls-3.6/include/mbedtls/ripemd160.h   |  264 +
 third-party/mbedtls-3.6/include/mbedtls/rsa.h | 1170 +++
 .../include/mbedtls/rsa_internal.h            |  251 +
 .../mbedtls-3.6/include/mbedtls/sha1.h        |  347 +
 .../mbedtls-3.6/include/mbedtls/sha256.h      |  303 +
 .../mbedtls-3.6/include/mbedtls/sha512.h      |  305 +
 third-party/mbedtls-3.6/include/mbedtls/ssl.h | 2697 ++++++
 .../mbedtls-3.6/include/mbedtls/ssl_cache.h   |  175 +
 .../include/mbedtls/ssl_ciphersuites.h        |  517 +
 .../mbedtls-3.6/include/mbedtls/ssl_cookie.h  |  140 +
 .../include/mbedtls/ssl_internal.h            |  821 ++
 .../mbedtls-3.6/include/mbedtls/ssl_ticket.h  |  167 +
 .../mbedtls-3.6/include/mbedtls/threading.h   |  139 +
 .../mbedtls-3.6/include/mbedtls/timing.h      |  186 +
 .../mbedtls-3.6/include/mbedtls/version.h     |  137 +
 .../mbedtls-3.6/include/mbedtls/x509.h        |  358 +
 .../mbedtls-3.6/include/mbedtls/x509_crl.h    |  199 +
 .../mbedtls-3.6/include/mbedtls/x509_crt.h    |  710 ++
 .../mbedtls-3.6/include/mbedtls/x509_csr.h    |  332 +
 .../mbedtls-3.6/include/mbedtls/xtea.h        |  166 +
 third-party/mbedtls-3.6/library/.gitignore    |    4 +
 .../mbedtls-3.6/library/CMakeLists.txt        |  169 +
 third-party/mbedtls-3.6/library/Makefile      |  172 +
 third-party/mbedtls-3.6/library/aes.c         | 1565 +++
 third-party/mbedtls-3.6/library/aesni.c       |  489 +
 third-party/mbedtls-3.6/library/arc4.c        |  230 +
 third-party/mbedtls-3.6/library/asn1parse.c   |  418 +
 third-party/mbedtls-3.6/library/asn1write.c   |  446 +
 third-party/mbedtls-3.6/library/base64.c      |  427 +
 third-party/mbedtls-3.6/library/bignum.c      | 2708 ++++++
 third-party/mbedtls-3.6/library/blowfish.c    |  681 ++
 third-party/mbedtls-3.6/library/camellia.c    | 1097 +++
 third-party/mbedtls-3.6/library/ccm.c         |  504 +
 third-party/mbedtls-3.6/library/certs.c       |  463 +
 third-party/mbedtls-3.6/library/cipher.c      |  948 ++
 third-party/mbedtls-3.6/library/cipher_wrap.c | 1476 +++
 third-party/mbedtls-3.6/library/cmac.c        | 1107 +++
 third-party/mbedtls-3.6/library/ctr_drbg.c    |  696 ++
 third-party/mbedtls-3.6/library/debug.c       |  425 +
 third-party/mbedtls-3.6/library/des.c         | 1086 +++
 third-party/mbedtls-3.6/library/dhm.c         |  716 ++
 third-party/mbedtls-3.6/library/ecdh.c        |  305 +
 third-party/mbedtls-3.6/library/ecdsa.c       |  575 ++
 third-party/mbedtls-3.6/library/ecjpake.c     | 1131 +++
 third-party/mbedtls-3.6/library/ecp.c         | 2633 +++++
 third-party/mbedtls-3.6/library/ecp_curves.c  | 1354 +++
 third-party/mbedtls-3.6/library/entropy.c     |  755 ++
 .../mbedtls-3.6/library/entropy_poll.c        |  254 +
 third-party/mbedtls-3.6/library/error.c       |  850 ++
 third-party/mbedtls-3.6/library/gcm.c         |  983 ++
 third-party/mbedtls-3.6/library/havege.c      |  282 +
 third-party/mbedtls-3.6/library/hmac_drbg.c   |  660 ++
 third-party/mbedtls-3.6/library/md.c          |  503 +
 third-party/mbedtls-3.6/library/md2.c         |  395 +
 third-party/mbedtls-3.6/library/md4.c         |  503 +
 third-party/mbedtls-3.6/library/md5.c         |  530 +
 third-party/mbedtls-3.6/library/md_wrap.c     |  611 ++
 .../mbedtls-3.6/library/memory_buffer_alloc.c |  779 ++
 third-party/mbedtls-3.6/library/net_sockets.c |  625 ++
 third-party/mbedtls-3.6/library/oid.c         |  780 ++
 third-party/mbedtls-3.6/library/padlock.c     |  195 +
 third-party/mbedtls-3.6/library/pem.c         |  520 +
 third-party/mbedtls-3.6/library/pk.c          |  407 +
 third-party/mbedtls-3.6/library/pk_wrap.c     |  551 ++
 third-party/mbedtls-3.6/library/pkcs11.c      |  265 +
 third-party/mbedtls-3.6/library/pkcs12.c      |  394 +
 third-party/mbedtls-3.6/library/pkcs5.c       |  446 +
 third-party/mbedtls-3.6/library/pkparse.c     | 1485 +++
 third-party/mbedtls-3.6/library/pkwrite.c     |  567 ++
 third-party/mbedtls-3.6/library/platform.c    |  370 +
 third-party/mbedtls-3.6/library/ripemd160.c   |  587 ++
 third-party/mbedtls-3.6/library/rsa.c         | 2602 +++++
 .../mbedtls-3.6/library/rsa_internal.c        |  512 +
 third-party/mbedtls-3.6/library/sha1.c        |  584 ++
 third-party/mbedtls-3.6/library/sha256.c      |  616 ++
 third-party/mbedtls-3.6/library/sha512.c      |  653 ++
 third-party/mbedtls-3.6/library/ssl_cache.c   |  352 +
 .../mbedtls-3.6/library/ssl_ciphersuites.c    | 1915 ++++
 third-party/mbedtls-3.6/library/ssl_cli.c     | 3801 ++++++++
 third-party/mbedtls-3.6/library/ssl_cookie.c  |  283 +
 third-party/mbedtls-3.6/library/ssl_srv.c     | 4160 ++++++++
 third-party/mbedtls-3.6/library/ssl_ticket.c  |  534 +
 third-party/mbedtls-3.6/library/ssl_tls.c     | 8604 +++++++++++++++++
 third-party/mbedtls-3.6/library/threading.c   |  180 +
 third-party/mbedtls-3.6/library/timing.c      |  560 ++
 third-party/mbedtls-3.6/library/version.c     |   75 +
 .../mbedtls-3.6/library/version_features.c    |  759 ++
 third-party/mbedtls-3.6/library/x509.c        | 1121 +++
 third-party/mbedtls-3.6/library/x509_create.c |  365 +
 third-party/mbedtls-3.6/library/x509_crl.c    |  801 ++
 third-party/mbedtls-3.6/library/x509_crt.c    | 2506 +++++
 third-party/mbedtls-3.6/library/x509_csr.c    |  448 +
 .../mbedtls-3.6/library/x509write_crt.c       |  551 ++
 .../mbedtls-3.6/library/x509write_csr.c       |  331 +
 third-party/mbedtls-3.6/library/xtea.c        |  306 +
 third-party/mbedtls-3.6/makefile              |    5 +
 third-party/mbedtls-3.6/mbedtls.kconfig       |    3 +
 third-party/mbedtls-3.6/mbedtls_freertos.mk   |    8 +
 .../mbedtls-3.6/ports/inc/tls_certificate.h   |   28 +
 third-party/mbedtls-3.6/ports/inc/tls_net.h   |  224 +
 .../mbedtls-3.6/ports/src/tls_certificate.c   |   47 +
 third-party/mbedtls-3.6/ports/src/tls_net.c   |  508 +
 third-party/mbedtls-3.6/src.mk                |   11 +
 third-party/third-party.kconfig               |   11 +
 third-party/thirdparty.mk                     |   11 +
 640 files changed, 111057 insertions(+), 589 deletions(-)
 create mode 100644 example/freertos_feature/software_timer/figs/tick_interrupt_source_config.png
 create mode 100644 example/network/lwip_https/Kconfig
 create mode 100644 example/network/lwip_https/README.md
 create mode 100644 example/network/lwip_https/configs/d2000_aarch32_test_lwip_https.config
 create mode 100644 example/network/lwip_https/configs/d2000_aarch64_test_lwip_https.config
 rename example/{peripheral/media/media_test/configs/e2000d_aarch32_demo_freertos.config => network/lwip_https/configs/e2000d_aarch32_demo_lwip_https.config} (58%)
 rename example/{peripheral/media/media_test/configs/e2000d_aarch64_demo_freertos.config => network/lwip_https/configs/e2000d_aarch64_demo_lwip_https.config} (57%)
 rename example/{peripheral/media/media_test/configs/e2000q_aarch32_demo_freertos.config => network/lwip_https/configs/e2000q_aarch32_demo_lwip_https.config} (58%)
 rename example/{peripheral/media/media_test/configs/e2000q_aarch64_demo_freertos.config => network/lwip_https/configs/e2000q_aarch64_demo_lwip_https.config} (57%)
 create mode 100644 example/network/lwip_https/configs/ft2004_aarch32_dsk_lwip_https.config
 create mode 100644 example/network/lwip_https/configs/ft2004_aarch64_dsk_lwip_https.config
 rename example/{peripheral/media/media_test/configs/phytiumpi_aarch32_firefly_freertos.config => network/lwip_https/configs/phytiumpi_aarch32_firefly_lwip_https.config} (58%)
 rename example/{peripheral/media/media_test/configs/phytiumpi_aarch64_firefly_freertos.config => network/lwip_https/configs/phytiumpi_aarch64_firefly_lwip_https.config} (57%)
 create mode 100644 example/network/lwip_https/fig/https_client.png
 create mode 100644 example/network/lwip_https/fig/https_server.png
 create mode 100644 example/network/lwip_https/inc/https_example.h
 create mode 100644 example/network/lwip_https/main.c
 create mode 100644 example/network/lwip_https/makefile
 create mode 100644 example/network/lwip_https/sdkconfig
 create mode 100644 example/network/lwip_https/sdkconfig.h
 create mode 100644 example/network/lwip_https/src/cmd_https.c
 create mode 100644 example/network/lwip_https/src/https_example.c
 create mode 100644 example/network/lwip_https/tools/ssl_server
 delete mode 100644 example/system/amp/openamp/driver_core/fig/1677585960509.png
 delete mode 100644 example/system/amp/openamp/driver_core/fig/20230512192325.png
 delete mode 100644 example/system/amp/openamp/driver_core/fig/20230512195526.png
 delete mode 100644 example/system/amp/openamp/driver_core/fig/20230512200435.png
 rename example/system/amp/openamp/driver_core/fig/{20231017165755.png => Test32_Results.png} (100%)
 rename example/system/amp/openamp/driver_core/fig/{20231017160632.png => Test64_Results.png} (100%)
 create mode 100644 example/system/amp/openamp/driver_core/fig/openamp32.png
 create mode 100644 example/system/amp/openamp/driver_core/fig/openamp32_auto.png
 create mode 100644 example/system/amp/openamp/driver_core/fig/openamp64.png
 create mode 100644 example/system/amp/openamp/driver_core/fig/openamp64_auto.png
 create mode 100644 third-party/mbedtls-3.6/Kconfig
 create mode 100644 third-party/mbedtls-3.6/include.mk
 create mode 100644 third-party/mbedtls-3.6/include/.gitignore
 create mode 100644 third-party/mbedtls-3.6/include/CMakeLists.txt
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/aes.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/aesni.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/arc4.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/asn1.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/asn1write.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/base64.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/bignum.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/blowfish.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/bn_mul.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/camellia.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ccm.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/certs.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/check_config.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/cipher.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/cipher_internal.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/cmac.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/compat-1.3.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/config.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ctr_drbg.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/debug.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/des.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/dhm.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ecdh.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ecdsa.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ecjpake.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ecp.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ecp_internal.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/entropy.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/entropy_poll.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/error.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/gcm.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/havege.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/hmac_drbg.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/md.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/md2.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/md4.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/md5.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/md_internal.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/memory_buffer_alloc.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/net.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/net_sockets.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/oid.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/padlock.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/pem.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/pk.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/pk_internal.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/pkcs11.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/pkcs12.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/pkcs5.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/platform.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/platform_time.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ripemd160.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/rsa.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/rsa_internal.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/sha1.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/sha256.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/sha512.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ssl.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ssl_cache.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ssl_ciphersuites.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ssl_cookie.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ssl_internal.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/ssl_ticket.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/threading.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/timing.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/version.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/x509.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/x509_crl.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/x509_crt.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/x509_csr.h
 create mode 100644 third-party/mbedtls-3.6/include/mbedtls/xtea.h
 create mode 100644 third-party/mbedtls-3.6/library/.gitignore
 create mode 100644 third-party/mbedtls-3.6/library/CMakeLists.txt
 create mode 100644 third-party/mbedtls-3.6/library/Makefile
 create mode 100644 third-party/mbedtls-3.6/library/aes.c
 create mode 100644 third-party/mbedtls-3.6/library/aesni.c
 create mode 100644 third-party/mbedtls-3.6/library/arc4.c
 create mode 100644 third-party/mbedtls-3.6/library/asn1parse.c
 create mode 100644 third-party/mbedtls-3.6/library/asn1write.c
 create mode 100644 third-party/mbedtls-3.6/library/base64.c
 create mode 100644 third-party/mbedtls-3.6/library/bignum.c
 create mode 100644 third-party/mbedtls-3.6/library/blowfish.c
 create mode 100644 third-party/mbedtls-3.6/library/camellia.c
 create mode 100644 third-party/mbedtls-3.6/library/ccm.c
 create mode 100644 third-party/mbedtls-3.6/library/certs.c
 create mode 100644 third-party/mbedtls-3.6/library/cipher.c
 create mode 100644 third-party/mbedtls-3.6/library/cipher_wrap.c
 create mode 100644 third-party/mbedtls-3.6/library/cmac.c
 create mode 100644 third-party/mbedtls-3.6/library/ctr_drbg.c
 create mode 100644 third-party/mbedtls-3.6/library/debug.c
 create mode 100644 third-party/mbedtls-3.6/library/des.c
 create mode 100644 third-party/mbedtls-3.6/library/dhm.c
 create mode 100644 third-party/mbedtls-3.6/library/ecdh.c
 create mode 100644 third-party/mbedtls-3.6/library/ecdsa.c
 create mode 100644 third-party/mbedtls-3.6/library/ecjpake.c
 create mode 100644 third-party/mbedtls-3.6/library/ecp.c
 create mode 100644 third-party/mbedtls-3.6/library/ecp_curves.c
 create mode 100644 third-party/mbedtls-3.6/library/entropy.c
 create mode 100644 third-party/mbedtls-3.6/library/entropy_poll.c
 create mode 100644 third-party/mbedtls-3.6/library/error.c
 create mode 100644 third-party/mbedtls-3.6/library/gcm.c
 create mode 100644 third-party/mbedtls-3.6/library/havege.c
 create mode 100644 third-party/mbedtls-3.6/library/hmac_drbg.c
 create mode 100644 third-party/mbedtls-3.6/library/md.c
 create mode 100644 third-party/mbedtls-3.6/library/md2.c
 create mode 100644 third-party/mbedtls-3.6/library/md4.c
 create mode 100644 third-party/mbedtls-3.6/library/md5.c
 create mode 100644 third-party/mbedtls-3.6/library/md_wrap.c
 create mode 100644 third-party/mbedtls-3.6/library/memory_buffer_alloc.c
 create mode 100644 third-party/mbedtls-3.6/library/net_sockets.c
 create mode 100644 third-party/mbedtls-3.6/library/oid.c
 create mode 100644 third-party/mbedtls-3.6/library/padlock.c
 create mode 100644 third-party/mbedtls-3.6/library/pem.c
 create mode 100644 third-party/mbedtls-3.6/library/pk.c
 create mode 100644 third-party/mbedtls-3.6/library/pk_wrap.c
 create mode 100644 third-party/mbedtls-3.6/library/pkcs11.c
 create mode 100644 third-party/mbedtls-3.6/library/pkcs12.c
 create mode 100644 third-party/mbedtls-3.6/library/pkcs5.c
 create mode 100644 third-party/mbedtls-3.6/library/pkparse.c
 create mode 100644 third-party/mbedtls-3.6/library/pkwrite.c
 create mode 100644 third-party/mbedtls-3.6/library/platform.c
 create mode 100644 third-party/mbedtls-3.6/library/ripemd160.c
 create mode 100644 third-party/mbedtls-3.6/library/rsa.c
 create mode 100644 third-party/mbedtls-3.6/library/rsa_internal.c
 create mode 100644 third-party/mbedtls-3.6/library/sha1.c
 create mode 100644 third-party/mbedtls-3.6/library/sha256.c
 create mode 100644 third-party/mbedtls-3.6/library/sha512.c
 create mode 100644 third-party/mbedtls-3.6/library/ssl_cache.c
 create mode 100644 third-party/mbedtls-3.6/library/ssl_ciphersuites.c
 create mode 100644 third-party/mbedtls-3.6/library/ssl_cli.c
 create mode 100644 third-party/mbedtls-3.6/library/ssl_cookie.c
 create mode 100644 third-party/mbedtls-3.6/library/ssl_srv.c
 create mode 100644 third-party/mbedtls-3.6/library/ssl_ticket.c
 create mode 100644 third-party/mbedtls-3.6/library/ssl_tls.c
 create mode 100644 third-party/mbedtls-3.6/library/threading.c
 create mode 100644 third-party/mbedtls-3.6/library/timing.c
 create mode 100644 third-party/mbedtls-3.6/library/version.c
 create mode 100644 third-party/mbedtls-3.6/library/version_features.c
 create mode 100644 third-party/mbedtls-3.6/library/x509.c
 create mode 100644 third-party/mbedtls-3.6/library/x509_create.c
 create mode 100644 third-party/mbedtls-3.6/library/x509_crl.c
 create mode 100644 third-party/mbedtls-3.6/library/x509_crt.c
 create mode 100644 third-party/mbedtls-3.6/library/x509_csr.c
 create mode 100644 third-party/mbedtls-3.6/library/x509write_crt.c
 create mode 100644 third-party/mbedtls-3.6/library/x509write_csr.c
 create mode 100644 third-party/mbedtls-3.6/library/xtea.c
 create mode 100644 third-party/mbedtls-3.6/makefile
 create mode 100644 third-party/mbedtls-3.6/mbedtls.kconfig
 create mode 100644 third-party/mbedtls-3.6/mbedtls_freertos.mk
 create mode 100644 third-party/mbedtls-3.6/ports/inc/tls_certificate.h
 create mode 100644 third-party/mbedtls-3.6/ports/inc/tls_net.h
 create mode 100644 third-party/mbedtls-3.6/ports/src/tls_certificate.c
 create mode 100644 third-party/mbedtls-3.6/ports/src/tls_net.c
 create mode 100644 third-party/mbedtls-3.6/src.mk

diff --git a/README.md b/README.md
index a3d96ba5..2bd91a10 100644
--- a/README.md
+++ b/README.md
@@ -2,13 +2,21 @@
 
 **v1.1.0** [ReleaseNote](./docs/ChangeLog.md)
 
+**如需Phytium全系CPU的软件适配支持，请联系 ``linan1284@phytium.com.cn``**
+
+[飞腾腾云S系列高性能服务器CPU](https://www.phytium.com.cn/homepage/production/list/0)
+
+[飞腾腾锐D系列高效能桌面CPU](https://www.phytium.com.cn/homepage/production/list/1)
+
+[飞腾腾珑E系列高端嵌入式CPU](https://www.phytium.com.cn/homepage/production/list/2)
+
 ## 1. 介绍
 
 本项目发布了Phytium系列CPU的FreeRTOS源代码，参考例程以及配置构建工具
 
 代码仓库整体共分为两个分支： 
 - master 分支：开发分支，用于保存最新的协作开发代码以及bug修复后的代码。其只要求保障新功能基本正确并且能够满足基本的使用需求，并没有经过系统性和复杂条件下的测试。 
-- release 分支：发布分支，包含核心启动代码、芯片外设驱动、用户使用例程和构建的脚本工具。用于保存经过系统性测试的代码并对外发布版本，默认下载此分支的代码。
+- release 分支：发布分支，包含核心启动代码、芯片外设驱动、用户使用例程和构建的脚本工具。用于保存经过系统性测试的代码并对外发布版本。
 
 ---
 
diff --git a/docs/ChangeLog.md b/docs/ChangeLog.md
index 88fb9b4b..6c31897e 100644
--- a/docs/ChangeLog.md
+++ b/docs/ChangeLog.md
@@ -1,3 +1,61 @@
+# Phytium FreeRTOS SDK 2025-01-20 ChangeLog
+
+Change Log since 2025-01-15
+
+## example
+
+- Change the media example to support new media driver
+
+## driver
+
+- Change the media example to support new sdk media driver
+
+- Change the gmac driver to support sdk gitee
+
+# Phytium FreeRTOS SDK 2025-01-15 ChangeLog
+
+Change Log since 2025-01-14
+
+## example
+
+- Refine dhcp and qspi examples
+
+## third-party
+
+- Add prvTaskExitError() function in aarch64 port
+
+# Phytium FreeRTOS SDK 2024-12-03 ChangeLog
+
+Change Log since 2024-10-15
+
+## example
+
+- Modify the openamp example to support MSDF(multi-core system deployment framework)
+
+# Phytium FreeRTOS SDK 2024-10-15 ChangeLog
+
+Change Log since 2024-10-15
+
+## third-party
+
+- Add polled letter-shell config
+
+## third-party
+
+- Add virtual timer as FreeRtos tick interrupt source 
+
+# Phytium FreeRTOS SDK 2024-10-15 ChangeLog
+
+Change Log since 2024-10-15
+
+## example
+
+- Add an https test
+
+## third-party
+
+- Add mbedtls encryption library
+
 # Phytium FreeRTOS SDK 2024-10-15 v1.1.0 ChangeLog
 
 Change Log since 2024-10-12
diff --git a/drivers/eth/gmac/fgmac_os.c b/drivers/eth/gmac/fgmac_os.c
index 7eb95597..f392f9b4 100644
--- a/drivers/eth/gmac/fgmac_os.c
+++ b/drivers/eth/gmac/fgmac_os.c
@@ -339,7 +339,7 @@ FError FGmacOsInit(FGmacOs *instance_p)
     }
 
     /* Initialize Rx Description list : ring Mode */
-    status = FGmacSetupRxDescRing(gmac_p, (FGmacDmaDesc *)(instance_p->rx_desc), instance_p->rx_buf, FGMAC_MAX_PACKET_SIZE, GMAC_RX_DESCNUM);
+    status = FGmacSetupRxDescRing(gmac_p, (FGmacDmaDesc *)(instance_p->rx_desc), (uintptr)(instance_p->rx_desc), instance_p->rx_buf, (uintptr)(instance_p->rx_buf), FGMAC_MAX_PACKET_SIZE, GMAC_RX_DESCNUM);
     if (FT_SUCCESS != status)
     {
         OS_MAC_DEBUG_E("Gmac setup rx return err code %d", status);
@@ -347,7 +347,7 @@ FError FGmacOsInit(FGmacOs *instance_p)
     }
 
     /* Initialize Tx Description list : ring Mode */
-    status = FGmacSetupTxDescRing(gmac_p, (FGmacDmaDesc *)(instance_p->tx_desc), instance_p->tx_buf, FGMAC_MAX_PACKET_SIZE, GMAC_TX_DESCNUM);
+    status = FGmacSetupTxDescRing(gmac_p, (FGmacDmaDesc *)(instance_p->tx_desc), (uintptr)(instance_p->tx_desc), instance_p->tx_buf, (uintptr)(instance_p->tx_buf), FGMAC_MAX_PACKET_SIZE, GMAC_TX_DESCNUM);
     if (FT_SUCCESS != status)
     {
         OS_MAC_DEBUG_E("Gmac setup tx return err code %d", status);
diff --git a/drivers/eth/xmac/fxmac_os.c b/drivers/eth/xmac/fxmac_os.c
index c2420349..132a9764 100644
--- a/drivers/eth/xmac/fxmac_os.c
+++ b/drivers/eth/xmac/fxmac_os.c
@@ -25,6 +25,7 @@
 #include "fparameters.h"
 #include "fassert.h"
 #include "fxmac_os.h"
+#include "fxmac_phy.h"
 #include "fxmac.h"
 #include "fcache.h"
 #include "fxmac_bdring.h"
diff --git a/drivers/media/fmedia_os.c b/drivers/media/fmedia_os.c
index 8b801997..ff8848b6 100644
--- a/drivers/media/fmedia_os.c
+++ b/drivers/media/fmedia_os.c
@@ -32,7 +32,6 @@
 #include "fdcdp.h"
 #include "fdp_hw.h"
 #include "fdp.h"
-#include "fdc_common_hw.h"
 
 /***************** Macros (Inline Functions) Definitions *********************/
 
@@ -47,32 +46,24 @@
  * @name: FFreeRTOSMediaHwInit
  * @msg:  init the media,dc and dp
  * @param  {u32} channel is the dc channel
+ * @param  {FFreeRTOSMedia*} instance is the driver instance
  * @param  {u32} width is the width
  * @param  {u32} height is the height
- * @param  {u32} multi_mode is multi display mode,0:clone,1:hor,2:ver
- * @param  {u32} color_depth is the color depth
- * @param  {u32} refresh_rate is the refresh rate of screen
  * @return err code information, 0 indicates success，others indicates failed
  */
-FFreeRTOSMedia *FFreeRTOSMediaHwInit(u32 channel,FFreeRTOSMedia *instance)
+FFreeRTOSMedia *FFreeRTOSMediaHwInit(FFreeRTOSMedia *instance, u32 width, u32 height)
 {
     FError ret = FT_SUCCESS;
     u32 index;
-    FDcDpCfgInitialize(&instance->dcdp_ctrl);
 
     for (index = 0; index < FDCDP_INSTANCE_NUM; index ++)
     {
-        instance->dcdp_ctrl.dc_instance_p[index].config = *FDcLookupConfig(index);
-        instance->dcdp_ctrl.dp_instance_p[index].config = *FDpLookupConfig(index);
+        ret = FDcDpInitial(&instance->dcdp_ctrl, index, width, height);
     }
-    ret = FDcDpInitialize(&instance->dcdp_ctrl, channel);
-    if (ret != FMEDIA_DP_SUCCESS)
+    if((instance->dcdp_ctrl.is_initialized[0]) | (instance->dcdp_ctrl.is_initialized[1]))
     {
-        FMEDIA_ERROR("DcDp initial failed");
-        goto err_exit;
+        ret = FDP_SUCCESS;
     }
-
-err_exit:
     return (FT_SUCCESS == ret) ? instance : NULL; /* exit with NULL if failed */
 }
 
diff --git a/drivers/media/fmedia_os.h b/drivers/media/fmedia_os.h
index fa1e8165..d70115ec 100644
--- a/drivers/media/fmedia_os.h
+++ b/drivers/media/fmedia_os.h
@@ -48,7 +48,7 @@ typedef struct
 } FFreeRTOSMedia;
 
 /*init the media and return the meidia instance*/
-FFreeRTOSMedia *FFreeRTOSMediaHwInit(u32 channel,FFreeRTOSMedia *instance);
+FFreeRTOSMedia *FFreeRTOSMediaHwInit(FFreeRTOSMedia *instance, u32 width, u32 height);
 
 
 #ifdef __cplusplus
diff --git a/example/freertos_feature/eventgroup/configs/d2000_aarch32_test_eventgroup.config b/example/freertos_feature/eventgroup/configs/d2000_aarch32_test_eventgroup.config
index ddbc8c4f..4d7aa1e9 100644
--- a/example/freertos_feature/eventgroup/configs/d2000_aarch32_test_eventgroup.config
+++ b/example/freertos_feature/eventgroup/configs/d2000_aarch32_test_eventgroup.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/eventgroup/configs/d2000_aarch64_test_eventgroup.config b/example/freertos_feature/eventgroup/configs/d2000_aarch64_test_eventgroup.config
index 1e979599..c0419832 100644
--- a/example/freertos_feature/eventgroup/configs/d2000_aarch64_test_eventgroup.config
+++ b/example/freertos_feature/eventgroup/configs/d2000_aarch64_test_eventgroup.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/eventgroup/configs/e2000d_aarch32_demo_eventgroup.config b/example/freertos_feature/eventgroup/configs/e2000d_aarch32_demo_eventgroup.config
index 36ec22a7..65fff9a5 100644
--- a/example/freertos_feature/eventgroup/configs/e2000d_aarch32_demo_eventgroup.config
+++ b/example/freertos_feature/eventgroup/configs/e2000d_aarch32_demo_eventgroup.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/eventgroup/configs/e2000d_aarch64_demo_eventgroup.config b/example/freertos_feature/eventgroup/configs/e2000d_aarch64_demo_eventgroup.config
index ed089464..1e1aa9ff 100644
--- a/example/freertos_feature/eventgroup/configs/e2000d_aarch64_demo_eventgroup.config
+++ b/example/freertos_feature/eventgroup/configs/e2000d_aarch64_demo_eventgroup.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/eventgroup/configs/e2000q_aarch32_demo_eventgroup.config b/example/freertos_feature/eventgroup/configs/e2000q_aarch32_demo_eventgroup.config
index a0ee85b6..bfd63965 100644
--- a/example/freertos_feature/eventgroup/configs/e2000q_aarch32_demo_eventgroup.config
+++ b/example/freertos_feature/eventgroup/configs/e2000q_aarch32_demo_eventgroup.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/eventgroup/configs/e2000q_aarch64_demo_eventgroup.config b/example/freertos_feature/eventgroup/configs/e2000q_aarch64_demo_eventgroup.config
index 5c1ddf31..a0ab76c7 100644
--- a/example/freertos_feature/eventgroup/configs/e2000q_aarch64_demo_eventgroup.config
+++ b/example/freertos_feature/eventgroup/configs/e2000q_aarch64_demo_eventgroup.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/eventgroup/configs/ft2004_aarch32_dsk_eventgroup.config b/example/freertos_feature/eventgroup/configs/ft2004_aarch32_dsk_eventgroup.config
index 707209d9..25a06495 100644
--- a/example/freertos_feature/eventgroup/configs/ft2004_aarch32_dsk_eventgroup.config
+++ b/example/freertos_feature/eventgroup/configs/ft2004_aarch32_dsk_eventgroup.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/eventgroup/configs/ft2004_aarch64_dsk_eventgroup.config b/example/freertos_feature/eventgroup/configs/ft2004_aarch64_dsk_eventgroup.config
index 8f66c8a8..2dcb55e6 100644
--- a/example/freertos_feature/eventgroup/configs/ft2004_aarch64_dsk_eventgroup.config
+++ b/example/freertos_feature/eventgroup/configs/ft2004_aarch64_dsk_eventgroup.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/eventgroup/configs/phytiumpi_aarch32_firefly_eventgroup.config b/example/freertos_feature/eventgroup/configs/phytiumpi_aarch32_firefly_eventgroup.config
index b77b6348..5e3fc363 100644
--- a/example/freertos_feature/eventgroup/configs/phytiumpi_aarch32_firefly_eventgroup.config
+++ b/example/freertos_feature/eventgroup/configs/phytiumpi_aarch32_firefly_eventgroup.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -95,6 +96,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -290,6 +292,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -299,6 +302,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -321,6 +326,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/eventgroup/configs/phytiumpi_aarch64_firefly_eventgroup.config b/example/freertos_feature/eventgroup/configs/phytiumpi_aarch64_firefly_eventgroup.config
index 29126d74..20a67624 100644
--- a/example/freertos_feature/eventgroup/configs/phytiumpi_aarch64_firefly_eventgroup.config
+++ b/example/freertos_feature/eventgroup/configs/phytiumpi_aarch64_firefly_eventgroup.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -89,6 +90,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -279,6 +281,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -288,6 +291,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -310,6 +315,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/eventgroup/sdkconfig b/example/freertos_feature/eventgroup/sdkconfig
index 29126d74..20a67624 100644
--- a/example/freertos_feature/eventgroup/sdkconfig
+++ b/example/freertos_feature/eventgroup/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -89,6 +90,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -279,6 +281,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -288,6 +291,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -310,6 +315,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/eventgroup/sdkconfig.h b/example/freertos_feature/eventgroup/sdkconfig.h
index cdc7fa45..43aff328 100644
--- a/example/freertos_feature/eventgroup/sdkconfig.h
+++ b/example/freertos_feature/eventgroup/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -83,6 +84,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -247,6 +249,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -255,6 +258,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -275,6 +280,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/freertos_feature/interrupt/configs/d2000_aarch32_test_interrupt.config b/example/freertos_feature/interrupt/configs/d2000_aarch32_test_interrupt.config
index 54a6d759..a4d21793 100644
--- a/example/freertos_feature/interrupt/configs/d2000_aarch32_test_interrupt.config
+++ b/example/freertos_feature/interrupt/configs/d2000_aarch32_test_interrupt.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/interrupt/configs/d2000_aarch64_test_interrupt.config b/example/freertos_feature/interrupt/configs/d2000_aarch64_test_interrupt.config
index 572d6135..b332ca91 100644
--- a/example/freertos_feature/interrupt/configs/d2000_aarch64_test_interrupt.config
+++ b/example/freertos_feature/interrupt/configs/d2000_aarch64_test_interrupt.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/interrupt/configs/e2000d_aarch32_demo_interrupt.config b/example/freertos_feature/interrupt/configs/e2000d_aarch32_demo_interrupt.config
index 8efa6b27..81f1bc3c 100644
--- a/example/freertos_feature/interrupt/configs/e2000d_aarch32_demo_interrupt.config
+++ b/example/freertos_feature/interrupt/configs/e2000d_aarch32_demo_interrupt.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/interrupt/configs/e2000d_aarch64_demo_interrupt.config b/example/freertos_feature/interrupt/configs/e2000d_aarch64_demo_interrupt.config
index 7a351643..3d5dc006 100644
--- a/example/freertos_feature/interrupt/configs/e2000d_aarch64_demo_interrupt.config
+++ b/example/freertos_feature/interrupt/configs/e2000d_aarch64_demo_interrupt.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/interrupt/configs/e2000q_aarch32_demo_interrupt.config b/example/freertos_feature/interrupt/configs/e2000q_aarch32_demo_interrupt.config
index c9b7f64b..9dcb569e 100644
--- a/example/freertos_feature/interrupt/configs/e2000q_aarch32_demo_interrupt.config
+++ b/example/freertos_feature/interrupt/configs/e2000q_aarch32_demo_interrupt.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/interrupt/configs/e2000q_aarch64_demo_interrupt.config b/example/freertos_feature/interrupt/configs/e2000q_aarch64_demo_interrupt.config
index 655538d2..b6fbc624 100644
--- a/example/freertos_feature/interrupt/configs/e2000q_aarch64_demo_interrupt.config
+++ b/example/freertos_feature/interrupt/configs/e2000q_aarch64_demo_interrupt.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/interrupt/configs/ft2004_aarch32_dsk_interrupt.config b/example/freertos_feature/interrupt/configs/ft2004_aarch32_dsk_interrupt.config
index 4eaa1e5e..ad490326 100644
--- a/example/freertos_feature/interrupt/configs/ft2004_aarch32_dsk_interrupt.config
+++ b/example/freertos_feature/interrupt/configs/ft2004_aarch32_dsk_interrupt.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/interrupt/configs/ft2004_aarch64_dsk_interrupt.config b/example/freertos_feature/interrupt/configs/ft2004_aarch64_dsk_interrupt.config
index 0080b72c..31bc7adf 100644
--- a/example/freertos_feature/interrupt/configs/ft2004_aarch64_dsk_interrupt.config
+++ b/example/freertos_feature/interrupt/configs/ft2004_aarch64_dsk_interrupt.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/interrupt/configs/phytiumpi_aarch32_firefly_interrupt.config b/example/freertos_feature/interrupt/configs/phytiumpi_aarch32_firefly_interrupt.config
index f828ffe7..989c6473 100644
--- a/example/freertos_feature/interrupt/configs/phytiumpi_aarch32_firefly_interrupt.config
+++ b/example/freertos_feature/interrupt/configs/phytiumpi_aarch32_firefly_interrupt.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -336,6 +341,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/interrupt/configs/phytiumpi_aarch64_firefly_interrupt.config b/example/freertos_feature/interrupt/configs/phytiumpi_aarch64_firefly_interrupt.config
index 0adf13c0..c7f44459 100644
--- a/example/freertos_feature/interrupt/configs/phytiumpi_aarch64_firefly_interrupt.config
+++ b/example/freertos_feature/interrupt/configs/phytiumpi_aarch64_firefly_interrupt.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/interrupt/sdkconfig b/example/freertos_feature/interrupt/sdkconfig
index 0adf13c0..c7f44459 100644
--- a/example/freertos_feature/interrupt/sdkconfig
+++ b/example/freertos_feature/interrupt/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/interrupt/sdkconfig.h b/example/freertos_feature/interrupt/sdkconfig.h
index 43acfeb0..48484cfd 100644
--- a/example/freertos_feature/interrupt/sdkconfig.h
+++ b/example/freertos_feature/interrupt/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -288,6 +293,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/freertos_feature/queue/configs/d2000_aarch32_test_queue.config b/example/freertos_feature/queue/configs/d2000_aarch32_test_queue.config
index 5831753b..ec921027 100644
--- a/example/freertos_feature/queue/configs/d2000_aarch32_test_queue.config
+++ b/example/freertos_feature/queue/configs/d2000_aarch32_test_queue.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/queue/configs/d2000_aarch64_test_queue.config b/example/freertos_feature/queue/configs/d2000_aarch64_test_queue.config
index 05fa24b7..62273286 100644
--- a/example/freertos_feature/queue/configs/d2000_aarch64_test_queue.config
+++ b/example/freertos_feature/queue/configs/d2000_aarch64_test_queue.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/queue/configs/e2000d_aarch32_demo_queue.config b/example/freertos_feature/queue/configs/e2000d_aarch32_demo_queue.config
index c14faba9..bdb5c5b9 100644
--- a/example/freertos_feature/queue/configs/e2000d_aarch32_demo_queue.config
+++ b/example/freertos_feature/queue/configs/e2000d_aarch32_demo_queue.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/queue/configs/e2000d_aarch64_demo_queue.config b/example/freertos_feature/queue/configs/e2000d_aarch64_demo_queue.config
index 75d88d07..c48adf26 100644
--- a/example/freertos_feature/queue/configs/e2000d_aarch64_demo_queue.config
+++ b/example/freertos_feature/queue/configs/e2000d_aarch64_demo_queue.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/queue/configs/e2000q_aarch32_demo_queue.config b/example/freertos_feature/queue/configs/e2000q_aarch32_demo_queue.config
index 14e83f3f..fe37d918 100644
--- a/example/freertos_feature/queue/configs/e2000q_aarch32_demo_queue.config
+++ b/example/freertos_feature/queue/configs/e2000q_aarch32_demo_queue.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/queue/configs/e2000q_aarch64_demo_queue.config b/example/freertos_feature/queue/configs/e2000q_aarch64_demo_queue.config
index 296be302..e238d0a3 100644
--- a/example/freertos_feature/queue/configs/e2000q_aarch64_demo_queue.config
+++ b/example/freertos_feature/queue/configs/e2000q_aarch64_demo_queue.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/queue/configs/ft2004_aarch32_dsk_queue.config b/example/freertos_feature/queue/configs/ft2004_aarch32_dsk_queue.config
index c9db9e65..217fa7b8 100644
--- a/example/freertos_feature/queue/configs/ft2004_aarch32_dsk_queue.config
+++ b/example/freertos_feature/queue/configs/ft2004_aarch32_dsk_queue.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/queue/configs/ft2004_aarch64_dsk_queue.config b/example/freertos_feature/queue/configs/ft2004_aarch64_dsk_queue.config
index 92697740..a082de99 100644
--- a/example/freertos_feature/queue/configs/ft2004_aarch64_dsk_queue.config
+++ b/example/freertos_feature/queue/configs/ft2004_aarch64_dsk_queue.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/queue/configs/phytiumpi_aarch32_firefly_queue.config b/example/freertos_feature/queue/configs/phytiumpi_aarch32_firefly_queue.config
index 55fb5135..312ee508 100644
--- a/example/freertos_feature/queue/configs/phytiumpi_aarch32_firefly_queue.config
+++ b/example/freertos_feature/queue/configs/phytiumpi_aarch32_firefly_queue.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -336,6 +341,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/queue/configs/phytiumpi_aarch64_firefly_queue.config b/example/freertos_feature/queue/configs/phytiumpi_aarch64_firefly_queue.config
index 804de2d0..79ec01e3 100644
--- a/example/freertos_feature/queue/configs/phytiumpi_aarch64_firefly_queue.config
+++ b/example/freertos_feature/queue/configs/phytiumpi_aarch64_firefly_queue.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/queue/sdkconfig b/example/freertos_feature/queue/sdkconfig
index 804de2d0..79ec01e3 100644
--- a/example/freertos_feature/queue/sdkconfig
+++ b/example/freertos_feature/queue/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/queue/sdkconfig.h b/example/freertos_feature/queue/sdkconfig.h
index 12b86c67..37aa65b7 100644
--- a/example/freertos_feature/queue/sdkconfig.h
+++ b/example/freertos_feature/queue/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -288,6 +293,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/freertos_feature/resource/configs/d2000_aarch32_test_resoure.config b/example/freertos_feature/resource/configs/d2000_aarch32_test_resoure.config
index f393b868..dd22c2c3 100644
--- a/example/freertos_feature/resource/configs/d2000_aarch32_test_resoure.config
+++ b/example/freertos_feature/resource/configs/d2000_aarch32_test_resoure.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/resource/configs/d2000_aarch64_test_resoure.config b/example/freertos_feature/resource/configs/d2000_aarch64_test_resoure.config
index 1ee78324..bb8a8d8b 100644
--- a/example/freertos_feature/resource/configs/d2000_aarch64_test_resoure.config
+++ b/example/freertos_feature/resource/configs/d2000_aarch64_test_resoure.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/resource/configs/e2000d_aarch32_demo_resoure.config b/example/freertos_feature/resource/configs/e2000d_aarch32_demo_resoure.config
index 1b67bc96..c5b50c1a 100644
--- a/example/freertos_feature/resource/configs/e2000d_aarch32_demo_resoure.config
+++ b/example/freertos_feature/resource/configs/e2000d_aarch32_demo_resoure.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/resource/configs/e2000d_aarch64_demo_resoure.config b/example/freertos_feature/resource/configs/e2000d_aarch64_demo_resoure.config
index 3d30e301..b65da87e 100644
--- a/example/freertos_feature/resource/configs/e2000d_aarch64_demo_resoure.config
+++ b/example/freertos_feature/resource/configs/e2000d_aarch64_demo_resoure.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/resource/configs/e2000q_aarch32_demo_resoure.config b/example/freertos_feature/resource/configs/e2000q_aarch32_demo_resoure.config
index dc1e0b77..705f05e2 100644
--- a/example/freertos_feature/resource/configs/e2000q_aarch32_demo_resoure.config
+++ b/example/freertos_feature/resource/configs/e2000q_aarch32_demo_resoure.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/resource/configs/e2000q_aarch64_demo_resoure.config b/example/freertos_feature/resource/configs/e2000q_aarch64_demo_resoure.config
index 03e9adbe..5f911cc5 100644
--- a/example/freertos_feature/resource/configs/e2000q_aarch64_demo_resoure.config
+++ b/example/freertos_feature/resource/configs/e2000q_aarch64_demo_resoure.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/resource/configs/ft2004_aarch32_dsk_resoure.config b/example/freertos_feature/resource/configs/ft2004_aarch32_dsk_resoure.config
index c378fd3f..c82d7e2b 100644
--- a/example/freertos_feature/resource/configs/ft2004_aarch32_dsk_resoure.config
+++ b/example/freertos_feature/resource/configs/ft2004_aarch32_dsk_resoure.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/resource/configs/ft2004_aarch64_dsk_resoure.config b/example/freertos_feature/resource/configs/ft2004_aarch64_dsk_resoure.config
index 195394a5..4daf60b4 100644
--- a/example/freertos_feature/resource/configs/ft2004_aarch64_dsk_resoure.config
+++ b/example/freertos_feature/resource/configs/ft2004_aarch64_dsk_resoure.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/resource/configs/phytiumpi_aarch32_firefly_resoure.config b/example/freertos_feature/resource/configs/phytiumpi_aarch32_firefly_resoure.config
index bbc779d0..3bf02446 100644
--- a/example/freertos_feature/resource/configs/phytiumpi_aarch32_firefly_resoure.config
+++ b/example/freertos_feature/resource/configs/phytiumpi_aarch32_firefly_resoure.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -336,6 +341,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/resource/configs/phytiumpi_aarch64_firefly_resoure.config b/example/freertos_feature/resource/configs/phytiumpi_aarch64_firefly_resoure.config
index 6ef610d9..1de70412 100644
--- a/example/freertos_feature/resource/configs/phytiumpi_aarch64_firefly_resoure.config
+++ b/example/freertos_feature/resource/configs/phytiumpi_aarch64_firefly_resoure.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/resource/sdkconfig b/example/freertos_feature/resource/sdkconfig
index 6ef610d9..1de70412 100644
--- a/example/freertos_feature/resource/sdkconfig
+++ b/example/freertos_feature/resource/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/resource/sdkconfig.h b/example/freertos_feature/resource/sdkconfig.h
index a0b66d17..24f78c45 100644
--- a/example/freertos_feature/resource/sdkconfig.h
+++ b/example/freertos_feature/resource/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -288,6 +293,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/freertos_feature/software_timer/README.md b/example/freertos_feature/software_timer/README.md
index 59dce8cf..882eb7c5 100644
--- a/example/freertos_feature/software_timer/README.md
+++ b/example/freertos_feature/software_timer/README.md
@@ -42,6 +42,9 @@ FreeRTOS 提供的软件定时器支持单次模式和周期模式；
 
 - CONFIG_USE_LETTER_SHELL
 
+- CONFIG_NON_SECURE_PHYSICAL_TIMER 或 CONFIG_NON_SECURE_VIRTUAL_TIMER 选择使用非安全物理定时器或者虚拟定时器作为Tick中断源
+![tick_interrupt_source_config](./figs/tick_interrupt_source_config.png)
+
 本例子已经提供好具体的编译指令，以下进行介绍:
 - make                 将目录下的工程进行编译
 - make clean           将目录下的工程进行清理
diff --git a/example/freertos_feature/software_timer/configs/d2000_aarch32_test_software_timer.config b/example/freertos_feature/software_timer/configs/d2000_aarch32_test_software_timer.config
index 81d62a6f..1b432716 100644
--- a/example/freertos_feature/software_timer/configs/d2000_aarch32_test_software_timer.config
+++ b/example/freertos_feature/software_timer/configs/d2000_aarch32_test_software_timer.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/software_timer/configs/d2000_aarch64_test_software_timer.config b/example/freertos_feature/software_timer/configs/d2000_aarch64_test_software_timer.config
index 249e75b6..bd90f95b 100644
--- a/example/freertos_feature/software_timer/configs/d2000_aarch64_test_software_timer.config
+++ b/example/freertos_feature/software_timer/configs/d2000_aarch64_test_software_timer.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/software_timer/configs/e2000d_aarch32_demo_software_timer.config b/example/freertos_feature/software_timer/configs/e2000d_aarch32_demo_software_timer.config
index 3e736184..442d426f 100644
--- a/example/freertos_feature/software_timer/configs/e2000d_aarch32_demo_software_timer.config
+++ b/example/freertos_feature/software_timer/configs/e2000d_aarch32_demo_software_timer.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/software_timer/configs/e2000d_aarch64_demo_software_timer.config b/example/freertos_feature/software_timer/configs/e2000d_aarch64_demo_software_timer.config
index 431241b0..8a7ad6ca 100644
--- a/example/freertos_feature/software_timer/configs/e2000d_aarch64_demo_software_timer.config
+++ b/example/freertos_feature/software_timer/configs/e2000d_aarch64_demo_software_timer.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/software_timer/configs/e2000q_aarch32_demo_software_timer.config b/example/freertos_feature/software_timer/configs/e2000q_aarch32_demo_software_timer.config
index 3c35d420..9ba33418 100644
--- a/example/freertos_feature/software_timer/configs/e2000q_aarch32_demo_software_timer.config
+++ b/example/freertos_feature/software_timer/configs/e2000q_aarch32_demo_software_timer.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/software_timer/configs/e2000q_aarch64_demo_software_timer.config b/example/freertos_feature/software_timer/configs/e2000q_aarch64_demo_software_timer.config
index 7e651cb9..38b3d982 100644
--- a/example/freertos_feature/software_timer/configs/e2000q_aarch64_demo_software_timer.config
+++ b/example/freertos_feature/software_timer/configs/e2000q_aarch64_demo_software_timer.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/software_timer/configs/ft2004_aarch32_dsk_software_timer.config b/example/freertos_feature/software_timer/configs/ft2004_aarch32_dsk_software_timer.config
index aa975b7c..fa4a0e64 100644
--- a/example/freertos_feature/software_timer/configs/ft2004_aarch32_dsk_software_timer.config
+++ b/example/freertos_feature/software_timer/configs/ft2004_aarch32_dsk_software_timer.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/software_timer/configs/ft2004_aarch64_dsk_software_timer.config b/example/freertos_feature/software_timer/configs/ft2004_aarch64_dsk_software_timer.config
index 2bca5361..fd19cdc8 100644
--- a/example/freertos_feature/software_timer/configs/ft2004_aarch64_dsk_software_timer.config
+++ b/example/freertos_feature/software_timer/configs/ft2004_aarch64_dsk_software_timer.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/software_timer/configs/phytiumpi_aarch32_firefly_software_timer.config b/example/freertos_feature/software_timer/configs/phytiumpi_aarch32_firefly_software_timer.config
index f62ed805..3a9c9b71 100644
--- a/example/freertos_feature/software_timer/configs/phytiumpi_aarch32_firefly_software_timer.config
+++ b/example/freertos_feature/software_timer/configs/phytiumpi_aarch32_firefly_software_timer.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -336,6 +341,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/software_timer/configs/phytiumpi_aarch64_firefly_software_timer.config b/example/freertos_feature/software_timer/configs/phytiumpi_aarch64_firefly_software_timer.config
index b9835fcb..98e28cda 100644
--- a/example/freertos_feature/software_timer/configs/phytiumpi_aarch64_firefly_software_timer.config
+++ b/example/freertos_feature/software_timer/configs/phytiumpi_aarch64_firefly_software_timer.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/software_timer/figs/tick_interrupt_source_config.png b/example/freertos_feature/software_timer/figs/tick_interrupt_source_config.png
new file mode 100644
index 0000000000000000000000000000000000000000..cdce90547050a6ba17e6d8b482df5123d118718b
GIT binary patch
literal 13001
zcmdse3slorx^Envv2UH)0)minY<&z=iWCqqWM-_S)lvqjKm-yCLTq@cF^UOE96Lv=
zfH_ni@=V86Q4*4Y7$T1(IvOYh$S5Qc0z`oj;ZG6*Bq4+(cL%L)@9C^_)>&unz3XNz
z*Ps7me|zum`P<+3dErl=qF#T+^A#8j_WH*keYhV6TX`1-TcLgFSK!H&-(r6OE-MK8
zQGbMSdN)jhn^m|!MEwB<YoNcn^!YEr{mVx`LK9%HH}1Lqt?0<PaTo^Mf%*8uKYW&p
z(G4fFIEe>;Ghto1w4zH<rFlQW$L}vuuRZ+R8}FRB^T&UD8L@Td_xn#|n!b6be)YP~
z>l<$s4|?$Xw^#1K|6<RMzYcu(i>TkADEn6(fAegV^JV9qf>cQZgkkE9#y0p|HQ^HU
zZ~3MITWW#Ueudmy$+rxhV&u(sj@2@#i%*~Y_-7o1pF6bXM?ZR&&wu^^``X=8NV^4W
za;Bx{++zdHY5QWyvu4&0JPH25^K4E)vFBe_z+ks4M%E6!!Au)o2W@}iNv>g0dJn{r
zUmqBd_+jVG7mR+$x(vQaw-_3#tr?xGYi!AAmXw#x?>C4?PWiH~85G<~%j>X($KS2p
z)ha61w&0pNg7kdc32JwJ5|>SGs41~$-yDiA(cl_I8HkP%ih0yuQm=QuiAyK9jax?D
zKBYLLbs5QcIPCGiNzXkVSo3nUargb8-kp}!-#oIt#r=bC_*_+j7xH0Qxz3bSMat2N
zB3PI%=+Rt~p?OFdYBBF0DN9tV_`S64Tq}WUh;N&>tv-|g=!=)OcZm*^!Y?3{E#ji-
zZbC{{TRgAM%xIPItB=#7tyMKPC}gh6ARbCA(V$Xf1llF^(#<4jNjqDC)LN*LePSBy
z_E-DX+<n)bZ#1{yN^|6h=ptR&dK2GxvRck>MvHp*)&#+u(otc{+t&nLvwPSVh*@kw
z@9~)KH0#035>y;{bf94ihnMHY(4_9V7}OAq5%9CHP1)qZ+)62)WZbH_-*VeW6CGo@
z@`7xPsE`k_LncT;yu7%+Ku9M^6t>*f%L@ufDQ)rYW9SH0=ctw~CCa58(2aIxQ+j$6
z%3sM*B?$HPOnFl2>NEaH$6x9l4T$5Yh{Ei`<JudRqg{@MTBTZ#fI@>9@;DwP-T0=L
zP900WR3qo4vW2}<Jc!v)UQ#oF*0j`@n+}t#10%k;5@Lag!!!9|yeIP;jt?v5%~LnY
z8+5)Y(OmH`SwVOQt3;6_jj<Nba#O)<)^-kAi87J)we_U&nGQ6YojU!Is6H!|Ida3D
z(Ycte_3l)fZs2ZZ6NDbHyqW&pN4rfa%!Sad8tt?fIl9^47oy^o$?&X!2w!7LvGo3;
zoO~pe8Hls{+AJx7z6c&K&X9I8&R^Y*gZvb#)&o-{J`ZteUh>Ef8H=a)3(_q+F1n+$
zn{ZxUI;;twZsSf1Q<`K&wtT!}$hPaa1J8EPNfnOZiy1nkl%C?7P60IaX(!sZ#<Qo_
zz_5?fUJ~7>`jQLqd$)t_ae1b#)Ng|;G|U85>-kR-*C}I4^BY>Qz6xbaa4_#-V0eZJ
zla4E#eK$U>8STfqFghX}EJ4JL1q4g!Y(*h^I-qV_b2nb3xKF$ue_6t_Gp{5DL69bX
zvCdCC^_`W~;3>NmbZppD!%HgYnPonzd+5b)zMY-Q%WJw6*?e_85d9wP+ucV47AGD^
z(~KUK8dQV!kVX_4#B(sM7>XPACgNe)7a2IH`^ILe<WZMHf=`Bu=jh|8h8tzbYuv&@
zb3(nhE@lIeAlfk)*Xt?oUX%@sr{sr?`-Wnnegu8K`Z!izG#8)B%>971UW2pj0Gz1}
zJMQQb9uAUkjqjd?%@o!8oCVr+iDXPnZ05#90WJ{cm<eu-dSK=IrjcPe3UMRNzv-&3
zvR(zGad8hbuX9fpCs~HSdPPb~-QMaWApu2cIak61Yqv2pJmPhMHq(iw%0tOb%?~h4
zN+gMb&U1s3Eh*@z54vz<NkS7x`CxC<W>&Q>sH=?VmJcazL_pQL)py!SyN^DwUEj}d
z4puAriKQ&CE|z6ii$Sq>7$1=@Szu?s3nvIGYMN@3al`;+dn%`g+n%yZ%D2AF8@WOc
z@@=?%$;cL!(SaVB+ljvB0|A1A%J!>QWcbE~tta2(@lqTg4dX?H9ZA>Y*V$Bgl^JuW
z!}eopKZe|tq9g5@{(>Bzn#FO?nakQW5jTrYPEta_3f}&{I>ZBZda-PZ*(C6k-(NPz
zf^&~YzgB;gPPShEWvx_1&5OG0lUKj;&I;bfh5cP2Pk$#}sm;gYM2bUeL=!6>e-pNf
zwz$RlGH}+Ipxy6-i|YMVD`Bv|y}tYXJAv-bO4(MH@OmOc)rIG73~#-n$sdUbsL`N^
z2(6g`x#2JmUA{}P{_G0Ond$R$p5!|C2xF@1lau<`5$V&VD~Zh*v?T?6439DEs!!Di
zGXDO<fRTR`B{RmF-&mo{<)9AZYSv|pp%!;&&D@INIfCU)!}>GQz*Q^TV7!gm{m3Dt
za^n+Endz(V9qee;2(xCEosm0fS#u}N<Jk%<9xSCs_PdF67tb-2Qb;mI+-xo=SRBl4
z?VTDN@>5R?=CKnmq!}^8-FWQH{K4GB*tx8{Qo74Q4(1LknkWM;x-Z7EwzDQB%!GB&
zXqa^6%+fOXg?mKv?vwtd$?(EG!lg`Z2~<>4^QJ+bhNzw34dR<*ewY-dJ<!)A<c$&&
z1EJ3OS)MSy_jiy7l#GMWZD9}HQ-RBy)cx{~Zkb~PYx>dD`Q4{;#Ie1T60+9BLB)|G
z$!X04HNw2O#2z#Hf;%%Q<J!rSSl-fBH`8oZUQ=(1P?&g)6CbV``v?on7`Ds*+@Uk>
zhs-NYU2C2k8&(;L2_)mlX(3o#OH5Q}+NE)b*yJOj_eb*b`1?azxoGNJ`H|MIS&c(}
zrScDt88EsoAC}A9SL9+|y9@KbGrf9B4*&bU%v;KB+WFCdrsIgl{ULSbCU}o!inp*=
zS0w6YJBOARR6Eaac;Lh0GZ7azQGg>_In$Qsan@ik^t}U<-FrbOzPnyuE|Inf;tiz3
z*RnsmtVy>Vdk1+j%{b8F4uzfqrn$VP{K2Hw8u^C-Wv2F|lZcC^(ONy=)i7e$E+BxK
zhS_^3_!Y90ARlEp2J1Vas)&g;wA3o*r<M)qN48jw&gt%`C`m}_$c<A=JBV%><gu2w
zZFN@?>oZbgx^Y41yth_9w%#UN^wl(P&qM2|TeWVDvTE6HVS?ipvn~;6zppmu+HL;g
z`g!!K#|qJcBtaLl1=vS!*7e;p^ri3U-x|A%4!R!T?`>Qt{;T3Qufbq<2y*YUvi0fF
z-Zd(bXLuSi!VN2RSy1gxOR*iIq&2p90PDhB@}~yGRqoWTw#SlrEAHJn7CMlDP94ag
zy{_C<tEadk=&597Er=4ZU2CvQ{$HoeyonrVG@^nJdF<T2h5TOXG`~%ujab771q%@B
zeZUVe9r+3-<)xiz^ucxH*WW3-EG*?3`4N`W3*9SVcOar=qNlRMVo=lGYP-MoXqOLv
zi@C{GOzdx0Ra9W#Ci4)H&Ft%iX+&d-Ae-Dc^hq2%)zqRNp19N=+3YDTn2K!17biY|
z;MLxQ`j})lnF8!L?OU-2^d>SFEN%Lx677ed%Ze(^N#mn4OBwa?HZsE3zKLkqDit(L
zhvkEqlOUgnv{}sSb>b9-_;~ioY7@Vqv6r+0c1D^@T#nHQ-e7DmJ>5PKc5o72F6T_c
zmCT`!xY>O1R({!|ErAd=G^Dk6aWEkcFf!@V#@jJd%oxr^Yl6CKHY@WMsxz%|u$vtW
zW&}V6l_gSaxPUsQCYaZko48e#$z{ku{&ocb>`G&%19^8(@Y?$cO@^YSZRs{t?YQdE
z5&D25u<W+jGf`M3N1%*#J&YDv_XFE^qXVW)b;>n>_;*%s+<E)HgGnr{G@;PhpQ$V4
z96dG#g^y1;P?-;zTLjVmBK(W(vB8krRr<9_RkJItH<9<tM0JG%h<!3B_)UmR;pHU;
zN+m>=u4jr@(aqi>#Wi@+A&(sIP8?B~MD|w3^wfI-Ye?*CPge$%N>bl&QG2pBX@m9i
zp*4E)Oax$qzx>2Y=epE?0^9N*cHccS9PLCL-8A41^!4cJzKsiT#}oL&+=-9gn_2n%
z;rA-rk%p}TV$=}NKR$WoJqZ66%Xk~}K(!^GkYql1DTQd?01&L{v`cTvuRI?s-96LX
z@b)#X4ng#%KI$Tu2v^JY2nDfvfAc&CS}eB9N+`#`Qp(ESxXavl=!4&XSo_+W*J^d)
zY4GC%8K(=CmO;ZnvkloH`^+o>ktb<{=XG|Bp$pP}ft6+mo0L>p@31qJdcD#AQyA>=
zY{YAKEfx#h{`&~8H}_JnZO*6n*E~|`V-+!8IT?8Bf$1Kzho-S2xKu8IMp|^8#{p(k
zAqNFLd=Mq2a+9B;of(t8hf6zgvYQ`CMDI$(J=?U)uk32wxD$hGxX~jBLW@e|=?!RV
z6Gmq+vFByoW-m$p*Oj_sht&@-D0ApfG?w>lZTb-*`P5VF`R#-7@jzbQW^+H}=jPoh
z>&8ciA}dTd=*TtNbp;$zdoYv>Fd2&f6FThc--&j*bib8sGwXP^oU>!5>9$SQx35Kb
zYU-}gP4#~2_DFJZ(q@+Krim$vB^=;x&KEQ^avC<-HUuo2!gg9ZKAD~MT#nw0*mwBG
zl8Q}(qQ;u)Q}56&4mcicvjztbrZze28f7=N?4jL&Mn^&=vQhSHo}+}og9b!<xSMUG
zt6;G0h5<VbfUkm{-U<zFdxP^xwI<yjQ|cwRbdxTP?Dkav36nlkDLRteut7hVV(j4;
zYIN292XTdD%Jl02Owb62Hz<Gf5!+zuna%3)b63_kg|KA!^f=2UA`^g}KC^)6+k9gp
zu8@?<ssAFC2YE<G1LB_(d;R?5tM<<+<3Cc{N&og=)Wkj48h2;@w|*|<!tETsckkYq
z-A<_hdpM&U*Y{M0&<$#F^kwjNrXtUn-_ZCD__J;ExkKR6^ttQce#q;8=*IZ@OCs_2
za}7O<RWR72zYn*bGAu#=025|D(d$%#XVX1)PX(u87rp{7egIppo0<FuaCvmjx#vyS
z?QL>yZf@HTl!d3~CX9BQ<qOwa%sR2ht6;NPATYYdZ1nh_zj+bKU7R}w5(Ce6aMYq7
z4tIuq09KKB8z^r5^4#x%2nn8K-dpR6gTVku{BX0B;>rdzJ)so=`P>QqK3oBeuuM5;
zr0sN`)A3w-_koQ62c`3KvWA~~Y_r)uc%eIAKHI^NkZkD{zwtU)qnmz2M9ElIlUJz$
zZeX2171eW){9FbL*mqnqEo?o1{(Q%eC|8E$_^8D+#%A#LaS+f#K<8g0s(+yt{L4wV
zpWnFPi?!~3X1w=*Mt^>yO#l6xv3qNmCTkhjKL%pRjr#A?`8gH;KTB;)KPN-dmZo{K
zhtF)tv3c447b*{dy)`|_S#}ETz%70$e%a;gUj5k*&Z(D`J$NZ<*%{4*EF0~Zo~*Ww
zjFpL(G|x=r!jGMcOIjh+v5@BzQ^Q?;;Af5FXFS}Cv*rJ@V+vbkNavD~CyUtkEO<O;
z>2o*YARcis*a$cb*yCUO6IFWVI$m&7^;cl_KQ;IEVTNOp;khiGzYm`h+mglJp1^Ux
zx1juwAOA~y`hVY=UD|YS49B39K6hu&wB?^0!?GULJX0|@0OGLrsrctE|38bo$1KAJ
zs>PUrwH^FEq=RS*@H${V2&R{#BTg^P_eK8~sr_6C_|I1Ge`U=7w@Bi@sC9V(|2!M@
zA3Vmw`>WJy^>Yh!L5gQC_=(=7DbLLG=(D3d7@GJ!w)(Lvdv0Lg0~hCS0U$V&<w9_~
zM$~HLh<#oS4p(;|^NWM?lEWf)7F`)5wdvmyEN&Q@O3K|^OYM!;t%TM5buqsoWhRL7
zCGDn6vIgxGdt=XQXR0WU-1_at0kdfZ%zx;?#@piu(ZhtbhI*m)cM9Ydl%bx2iHV~{
zm4(f@SsWV<%UVTc^(8HvtO;cja=Ps<Az-nfU3N^)l8y%IMr!pdVO5jgt*w$U=0c3-
z5zIq7T*ysOw~CsM$CYU4q%Jb;Q<5w^zvEG}wPfMDZHSrvOL-GqyXjb01nkZ)r^8k;
z2<m8K6~ksPOqyECK+qG#5rINmzLA~omZ)1VL47*;=h~CwfixYL9&26!+x~cH<3e+V
z{m!vo!s(03C(Ua0cklL!CkVGqP+(uH*h7YoltE7k5eKnV4_8LlTS5`DR@3rkw>hJZ
z`eO*jmIDM~UO?T2W<RXAuCM_e<<9^K;mqMFNqhlmtQnnLnUj%jJ=oV?ht82pO^ah;
zQh^cVKEXGXkA;Y_a%ROQV-3?J*&BWHLZmgO4WwDKvcJ{kM-sEz>N{td9?B3>PrRBQ
zs}`WKo$<`&RNn^J+6~@k^G8A+1&=7Y73j=c>Y@ZM1E{EAlD#019Z#A54#T=M9okaH
zgknco4VYc+U9PNMx$7NUpbRCEIW>vLv#6gjLJwlQNsW00d@DgIOo(RpaB#LVsOfr7
zN0NU#u?I8vHTGubs4vMTXaFC0z-H(oQ+*D?u_SXYq3+6as<e6Qwi`<vM~F_4KBe|z
zTr~#ahytHH(QgCEUS;k5_*7wTK{DByNqODZA~+65K}@h?kPons_O|tSgG4o=A-J_h
zN6W6MZCI?JPi;4fddxXs?DBk6gN14^DyceU#4A45_VpR@qL<5vg=rwYFCU4EQ?^GM
z@kH(eM|sm`4ml3mAsq3m8OFXn#<Hed3+b8~Oen;qL@3}F<hj@DFF+YjtB-XJ@U=$_
zp*T}<-e%TKWq^CCFzI?dbb&uW9Ojmo4mY4{YLATv8RVELN`_?{<SFgFqS=w<4K`1;
zc&T%jCPKv4n7>&H1A#I=Sjrr((Bv=Y@<FQ4OTsLvNa1fMj5|^?PfkoByhFu7b)gzZ
z9H<N2+E3tYvbd*eC*nsp@oJb>wg@DkVkM4gQWLGzpbNctELo^r`p!n^vIVQeJ@hFY
zc?E2p*wzXrH4DUcFlo;TbD<zf0Fj0{szDD!JzXJ42ZbF$1JjO<O6PCygOY{ftss}q
zPY)VtCkZ8NTADNX<Sitt`PRsKo-MpWHpPnJXrEfMTm`F)?4S`=&;3EL0_TG~G!Bsz
zZwQi&qVTwMn?NZHymX(;hy6`x!8(UKkPBZT7q;$P+^oXSHEf@#y8_AO3x3K8-eR4O
z)wr}(F+nm0tJ_nz2TCp7X1cX$GjyS$B+plo9t4V7fkKBop%Rj)^1SHH`=sV<87Dm`
zK&`mde55o-LP=z{T*<eZTfkZQfNs)czJ+idnHNEIpaz13BPQWjjV&p~&=;0o^H;{0
zC@&U1n(Gc**rHy#C-ZUIXm&30m72xEd4>8!4#m+tnnBIieqFsjmABNK4V(gVHta)m
zPtZ@@nsbI`@93b};+?TIyY8%6&E1^`=UI-It_C1l;jq&d=ycj*_1yVGz|H2G9m7tm
zGlB}KXmc?${bF4>f6c<5W5t&~)qPoAwMaY;%C9r8*}2XR=iI_-+N=`(OMm0*BWqqh
z>WQTtMW95%B)&)lDzrAN!;XC8F0CzMRasJrhQ&m_!`8pb9e$ee8)|j;RO7-Yt<Iaa
zq`pwgd=g__G|ps)%c~dH*D=IfSz{;Lw!kVE7*31RW~_AHb1ndti2A0GE<#t$7LMN(
zTZ`vv7C*T%N!iR>C>ku^WP=|tho0iLbcEWHMk6ln)7|S!q^Ki_T9G9pyzBr*wy$kV
z*`w8G+(%VTJ&nAyh;vRb51FIBu@pWzk~i+A&dWZwxnP5}B5Z#+;jl9{3D4a((zk8Y
zDiFC}N~FkKlngQ}VQxRNudKyTwz#xn=TmH+R!m*WaY&HPtyd`Po>EeGdcvC}A&kVT
zmp3uFH-kg!dPX<Z&Tlw&)6S(Z0tFF_Id&V3S3y9olvxAk_aoIWXo+)e45XtQY4b<E
zlCEAwQhQu#2c?9)ptdDw4o22}nTWQ3a%t*Qdy-{wZ(CQ&riKW!JohsKufi`Pa4@8u
zOaw(8UPZ7>SKsCjW>Bk|#B5Xpsd`ebpv1{VN8<V>aD$E(RI6T|o<f;s8E;Ia2cb8d
ziJ$0j@}hl^_W3^g*@2KhGu7{ZYK`0hl@G^Pf_h!R?Q12narQ)&j5yh|h-(-iT6yu8
z>*@C|JvEi(R)!yU6dlaQnQPc>IIW1wVw8BeGPL9%)cj)OLQ!D49X0!62rT#CBCO+=
zJ7{K^lSMy^5(R81q`R_G@s;5Z*9aPC%d6x`qXdMF^u?SoNtg{S*9N^GKuF8dCjL<G
zGy;8E)=R<0BYgvaCpB@WOjWJUy;<xpAaXNlSRnwZKTs5Sd+}kJXnx^Ur%t+%b2eVj
zVrTe)1g-zC1h<xFm?8}8*C|;qMucBg()3mozPWmU+&EiPZ4+^*aloq~Agml}zVEme
z(KS0@+8WPQEe3-^Z3?XIkIpHqeQ->?ROTE;-QBb-t8@g<hM(iPra5szHolF_rc#O@
zv4dM99uht{`61UiG)M109?rBJHrc~0lw>>m{-bG<LR_aL+_W=CYIwXxXcGdJ3aD$a
z=P}ltv%H0;m6C1hj~Z({!oT)cW>K25Q;%lwWaC|0bFqx5=*#cH^Pnbw3=Z1Vu!&^X
z*3iB!Rjn6pVHuRo2B-^njhza1QHQ)LKsBk00^@A^GUF<f1r%dgBK*RNnOD5mpUnqF
zq&(uh*T+MGpt}6#D>+=%(v4qbe_=kIWbLk*E$7%Gg)M$=<VMI(d6AzL1qz#iOviFr
z<^w5#EVO98vk~>=@Rsv+$v9(7baTXk9J;4LgBl#c(A;u<JPy{jLkP+&Ijd^TE09O0
zln-uFP|1Xx+f5_N&S}Chl=wga*I|zpB66PacddcdG-tl_t0N`wPwi)3>5y})Gbpbo
z6AZPp4-N1$?(NS~3?Mf*(*}If2|Rpyyq|kH)&@I+d-~MB{h;Rjs-1;g<ZT};7ItTL
zZBj~k6US4tLnm?}HNnogAmd^+ZhleDy>KHQz_dXGlkKPgF2Ht$B8rQkp^(gLqAe`(
z^~5Uc*WDO67k<b0*tkn1MT12zz#4ZlP8(OYQ>;HG)gHS~5GqFyX~s?bO%0+`lq?PV
zcT#L$eedwVduqrJQ$N)Az;?+bgfe__2hd<HqW;%BC9af)mrY_|m~UgxKOR8l$*kw+
z>YaC~tU0W7PGp+fIT|{WVW<I?G<ZNjjmjoE>KT?x*~SW4ub;J~!cR2nCJSwmTLsh+
z7RNe*9o%<1YDLYvyJyz4%B@_@Y4zgi4aN<Ipw?QZ<#g{{iz(wcYc9v$cIrgFGVers
zPmdm|vWX;wOV23RWr!?g=KYx1Gq}m8Yd53?$^DQ!rV6zHt%>T(H5nirr3(YIXhTd4
zt~uedW~}8DqR)Jo5>N)-xv`8fInlb#f~l14Qb7=ND7Lc~LGsrQ*=`8NucH4cfv-)6
zDZ-=zK_oFC<e_;Fh>uc`YTkNk8<UceebO9i2@XeAXjBzwk>XYZUJ>4B?m$ctOY?)!
z5uk&_7jM6T1KK@Tmz$mOnL7c@vt9!`()O+R<=#;yIjkk(T@d)Y7p26+zKPWB?Qx4;
zjPe9`Wss`|EMLeJ7h!UQy=KS-ha5LS?C5PaU<}iu!KDYLZAMI1x&q5lRRqHc0Zk9%
z9o?V<htmK+L@!6Rh+%7o?6Mwg*Adx({WI-QJU1ktuGc<YEY9Ty2SUJNqbljm9*L8_
zwDiWBOhkS>FE84FnIbmjaJPU`8tjAD?jjQyp!}Sk&ga?bpvtT01Hp&cfN6`b1Tf8%
z=_JfWYu>aR>!nyoIE#FO&WXNY!3XjN2OOwbQy4T^u2Z+Gl9F)1JNPRIdWUwxKkXK-
za}PQypsQz|#LESU*9DG+prUrN$yt;q>?Oq&i!g>v8KHMWGR|fuH9qoN^ZT*>jkyz5
zv<06~abXGZdsK-hM+yfp0ZkSDw05Y1(TPuG>s1#`d`_VWQ2b;WMRUgk8ywpX<9vj4
zg1%MRdK{aUELp&d5+(~92Ww(-n&J!UC!`Ex%LJ}*5L7Y3IXq|<cU|EEV__<m^0K6h
zxLJYyV~#91BFt80JBUE$|Facf8y<$M=AM=xn3i&Q6fy$MPQs-iV0SY-&*E^Lk-nli
zSx~Dpc2>t=#aS4W@*Xo|a(JH*VD7yRH<Bfw)mgG|F;>Q?ZYD*edXdU$M|7uv#yL1l
zORG*6m{8S?G$5HYD?rbIt>T~k77vl_JPN%gQ6d7%7l7qA?t-o40(VU|G4txtg)Z?p
z2y?nH7QB49YbYo}mGiAKk;}7_5JW_mB}J(S=M~cRx+)uHd9QB~e60t0o-Q@8YbR91
zIOGnM7(_o5Ka1T{zw?wc7^`6B`Jd#B)PO~6MZKY7HfRj$R948B6%84p=I|DangmLu
z%JQ`N0GUdz)~TSIP>jfZ<zoi>jk_lJZI<&-2oqeyBczDxJ4q>-@2W5I(NUG~FUYCR
zZ4DlD>ojSzir|)S^efY(CU^Jr*JRSC!`iO~D;1Kw0_3#^%`D5wDWU9t!@JaPb%plY
z`zgC7cu;w!EQWmw(ZweQfzF=t<c@^?iNTgDbmP7*b5Cz~3TUi}D==q*`m$nOs;@PU
z-Gd)o`bgzvi@qSq?ZzotqatG%hgp%>Nnb|App_ueeJ<dQ-(L+`#h6|5FxIyH-SEKn
z^wS(rW4zw>X-wSZP`+V*V_<4#>G|3}MG$`cU^VP)=1bJht`PgvBQ?-Wg<+#eHb6#5
zS5kOf2HFQ8YHpURIB<reoagRV|9!jca`Qfl+o<v%MTltKm)b7v!s<3R*wH_*KzaOz
zx9D@*U;m;YSO<**<JacaJ3hy(gWdjj=I*1N2hgH0Q>AIjfzZzT7~jIp?5MU4e76W`
z!|)lv>(wI0`YG9(Au{!%cIhFe@98!SWAt5dq;i74;>@c%cdQZ^AB2p>ielgc;@bJD
zho|~utBhYG<hGd&)wVXWJuB}-?>5W7o2nXR@0HjP+8UV-ev^#NaPFHL*2WGy-|fw<
zBMVDM?Ba3lDwwQ&YVDA%o&3QF;U*=ns#P1LpWK#gbBsCs?ffu#sH|043HnHSHw-ZP
z5EkVJBkK3`rmu0Ld0CFZfnA*Y#hFUm(wq#Av`zC|Xz&qJT|lQ^7WGH?_72Z^TIP#6
z6sN!4)ch9$=1WYD8xo-9UIb6yEbbME#QSQT50QOB8*NhdDlA)nZ7J%gl?M(w#9>96
zHD>q|g}X&+<}@^2=kQvtWQ@gh3zRX1sM`K{_PlvEi=E89NI^UC%gKT5o|<%$5WVz~
z?&1##fuWC7?rA{{Arp~AVQyuHX)0xxrzWnT_p9bBpfd}!`B^>aDLw2aTz{Y{WFmDq
zv)TkONmNi*$I#vg)=eUM11w>F4Cxs2pTM5)#mA*S@I&@N{>CfPsmLJVq8#`o?&dJy
zk1tj6Xy}fF9By}}Gnl4tarctMZy1<6sO44>!5uh43!zN!F<;QP_<*PqG|FO_fsGV^
zoM><5ldL7e_^K9~!aWsb<C#Lqx0(TJ<lbL#X3x3DV<fw;Wk(oUfdufC4!Rj*Q0AOe
z?a;lVk^SM}<R-l&()c#Y+}3WDAEAHk$}6~%6*|y+6q6UEXeTQJnp`zs(Fo<R5|tX`
zYHhRu?v+%O%%x;r6aB8aWYNP*7hm;Its<OsgT4RxOA#EU__#llhqLn_v~z1*Nm8-A
z8({NXuW(a$-8@PNBEl@F<kqwJ=sZagf_seG4+`@^rPTq_w854d(8<`VU@qX<g>()S
z*3QJ_r7M7k$Sj3RuEvPQL0@7@nv*m<F&dU{BC!DP4kH3eHO#MN_w(2WN#rrup$BUF
zu-bc3lAw`YF;D{a5^|hbW=<;H!&|x-Ye+j`X43%FhD%77`s0K(CFD>|ThVQG7dj}o
ztB0*H%`ei2`nFl#f1W3({;k;pnoPHfJTt}ymU$1@;RgrjUsrb(PqZmcp8-0oh?H-e
z1lg(Rh_H9Xo-1K*9JE(H4#sd$>Vjx%BtnHu6f}6|fIcD_o=npAntiH6Sd8U!OAL22
z%b*KrJf7`;vg@=w(`jxwr6^j!Pk$w!LuspyuR%u_@Si6P%70)E2*7?Ez??lQRn2-r
z*7xkW%1+;-@JbzU473!=bG<Ug(1tDy)5JzX)g~BhOW2N8?k2CfX)ohV^$na&V4V)T
zD16{2zN+IwnFi1N6cGTYW29236OZ@1Xe}>sU_g)IP+bWkCGRtkZ5t%)HPnrW>YFxK
zXaaSP0iS?~x)*tc0pfKfLoyoHj^eYF$Gqi3zh*i>>fwi$D*vWB0k*IM3P!RnKsP{y
zf?SHO8uEiH1F+l`X9DNXJ>EKTH5g7#S^BJOP+Ku-A6~>TY#FA(<SCQC?L&0bM1REX
zzf1?7(rf?my}uk-+kH&4x)^|8RlRKWSI!Nype5_^z~TkQ!i6=vkD5xjc^cyy=gb<o
z7{G7pTL$Yas8cNz=H!j-#+LebVbmb+gzPURs$yk+;%|H}TK=Jrq3A#%;TsNUkUDR{
z%xc)vRGMB()w^oxa9w<HpmacI_l~jnX%$+G+0W8PcD##)@U)vb2JZcf9{E!~8krx~
z>?^ay(@gQSr#=TwRU;V(dS(xFc98uI$tSZvAkh*{d~acd_98=T<|WIO%!u<PwwsLB
zfsBMS?&;I@gEI24z!KJE_;|BQZ~)&0)YOA(IXzDC>!Os19;zq0Fv1Nm*oUApJuA5D
zYS3S;Io~OEKp;gR!7fQU;I;-hdC7G&eRAFmY9p=irHLHJ#2DT2lumtuqfX#_oC|d4
zg3+D&#6997O1vZme8JJoI5-{((;p!1bA0C$<YuvUGL|~mG#K)<;m8vVzG&JQE}jdA
zFLs4Z>~ji0+VYlVe;2`z8{d4MOS41BV*dv7(!<!A*k-jKHe~>F01-&m)ivUV#p6;&
zS~7{|w9uUQGS<m1aOGU*BA0gKf~~Mv^bl*_W;c#V%LCx@z<p7b`Lfyx>D+sUQ#s<T
zqINX(Tk7je<{YPa4JDE_y8)u~lM7|xu?8_kOrC;bAt*G92Kbevvb+;Zl0pYC0zYgq
zrBO+pkBHRxjFJac+^yCMmMq5%nD(g8efLrCzc`-)UKsryqy9cLO*~a&1nkL)c<sJ;
zexG>$^WXF?P0Jk9V+^O2K@0c**M*^3%V^fWnro?3wGpqqrdi!T7+<_J<wLX!Xf^@d
zk(nWlaEaTrkSI1KBHv<}bX3sg^hg;iqw~|ajkwmF&-Bb)28`&n%gi}m-i5aV+$7qA
zhE_!x@pLkfD&*-;D<xhidvdic*jTlAutbQbA^azB+_X+5BL8^$q_4e!bAw!35gcD)
z??N093J+e(nHLrI%i{8U4%k1rWr-n2TH?t#?&k-3xw7W@QY6aKPxfBs3C|*|llh0I
z&POQ7zA|Qyz>vifl@jR#;D4DMLLtoy&K0js4x+l(6@d0G80_OcpMJ>s<Ds+v3k}~)
A00000

literal 0
HcmV?d00001

diff --git a/example/freertos_feature/software_timer/sdkconfig b/example/freertos_feature/software_timer/sdkconfig
index b9835fcb..98e28cda 100644
--- a/example/freertos_feature/software_timer/sdkconfig
+++ b/example/freertos_feature/software_timer/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/software_timer/sdkconfig.h b/example/freertos_feature/software_timer/sdkconfig.h
index fb36b657..7d311497 100644
--- a/example/freertos_feature/software_timer/sdkconfig.h
+++ b/example/freertos_feature/software_timer/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -288,6 +293,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/freertos_feature/task/configs/d2000_aarch32_test_task.config b/example/freertos_feature/task/configs/d2000_aarch32_test_task.config
index aacc0958..b77847ec 100644
--- a/example/freertos_feature/task/configs/d2000_aarch32_test_task.config
+++ b/example/freertos_feature/task/configs/d2000_aarch32_test_task.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task/configs/d2000_aarch64_test_task.config b/example/freertos_feature/task/configs/d2000_aarch64_test_task.config
index 6bd09997..cfb4c823 100644
--- a/example/freertos_feature/task/configs/d2000_aarch64_test_task.config
+++ b/example/freertos_feature/task/configs/d2000_aarch64_test_task.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task/configs/e2000d_aarch32_demo_task.config b/example/freertos_feature/task/configs/e2000d_aarch32_demo_task.config
index 999f5bc2..cf75ab40 100644
--- a/example/freertos_feature/task/configs/e2000d_aarch32_demo_task.config
+++ b/example/freertos_feature/task/configs/e2000d_aarch32_demo_task.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task/configs/e2000d_aarch64_demo_task.config b/example/freertos_feature/task/configs/e2000d_aarch64_demo_task.config
index eac9c5e3..c5e05a4f 100644
--- a/example/freertos_feature/task/configs/e2000d_aarch64_demo_task.config
+++ b/example/freertos_feature/task/configs/e2000d_aarch64_demo_task.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task/configs/e2000q_aarch32_demo_task.config b/example/freertos_feature/task/configs/e2000q_aarch32_demo_task.config
index b3518f36..3035f5a7 100644
--- a/example/freertos_feature/task/configs/e2000q_aarch32_demo_task.config
+++ b/example/freertos_feature/task/configs/e2000q_aarch32_demo_task.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task/configs/e2000q_aarch64_demo_task.config b/example/freertos_feature/task/configs/e2000q_aarch64_demo_task.config
index 2aef1fe1..d99320c9 100644
--- a/example/freertos_feature/task/configs/e2000q_aarch64_demo_task.config
+++ b/example/freertos_feature/task/configs/e2000q_aarch64_demo_task.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task/configs/ft2004_aarch32_dsk_task.config b/example/freertos_feature/task/configs/ft2004_aarch32_dsk_task.config
index 18aa8da6..0af6789c 100644
--- a/example/freertos_feature/task/configs/ft2004_aarch32_dsk_task.config
+++ b/example/freertos_feature/task/configs/ft2004_aarch32_dsk_task.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task/configs/ft2004_aarch64_dsk_task.config b/example/freertos_feature/task/configs/ft2004_aarch64_dsk_task.config
index 6d75425a..a6869714 100644
--- a/example/freertos_feature/task/configs/ft2004_aarch64_dsk_task.config
+++ b/example/freertos_feature/task/configs/ft2004_aarch64_dsk_task.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task/configs/phytiumpi_aarch32_firefly_task.config b/example/freertos_feature/task/configs/phytiumpi_aarch32_firefly_task.config
index 972a2455..0f6ea4dd 100644
--- a/example/freertos_feature/task/configs/phytiumpi_aarch32_firefly_task.config
+++ b/example/freertos_feature/task/configs/phytiumpi_aarch32_firefly_task.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -336,6 +341,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task/configs/phytiumpi_aarch64_firefly_task.config b/example/freertos_feature/task/configs/phytiumpi_aarch64_firefly_task.config
index 6961ce5b..1833862c 100644
--- a/example/freertos_feature/task/configs/phytiumpi_aarch64_firefly_task.config
+++ b/example/freertos_feature/task/configs/phytiumpi_aarch64_firefly_task.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task/sdkconfig b/example/freertos_feature/task/sdkconfig
index 6961ce5b..1833862c 100644
--- a/example/freertos_feature/task/sdkconfig
+++ b/example/freertos_feature/task/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task/sdkconfig.h b/example/freertos_feature/task/sdkconfig.h
index 7212abd1..3e3dafdb 100644
--- a/example/freertos_feature/task/sdkconfig.h
+++ b/example/freertos_feature/task/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -288,6 +293,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/freertos_feature/task_notify/configs/d2000_aarch32_test_task_notify.config b/example/freertos_feature/task_notify/configs/d2000_aarch32_test_task_notify.config
index 6c425a70..694f06e2 100644
--- a/example/freertos_feature/task_notify/configs/d2000_aarch32_test_task_notify.config
+++ b/example/freertos_feature/task_notify/configs/d2000_aarch32_test_task_notify.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task_notify/configs/d2000_aarch64_test_task_notify.config b/example/freertos_feature/task_notify/configs/d2000_aarch64_test_task_notify.config
index 899d58e6..679082d7 100644
--- a/example/freertos_feature/task_notify/configs/d2000_aarch64_test_task_notify.config
+++ b/example/freertos_feature/task_notify/configs/d2000_aarch64_test_task_notify.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task_notify/configs/e2000d_aarch32_demo_task_notify.config b/example/freertos_feature/task_notify/configs/e2000d_aarch32_demo_task_notify.config
index 17ca7714..dbe8bb07 100644
--- a/example/freertos_feature/task_notify/configs/e2000d_aarch32_demo_task_notify.config
+++ b/example/freertos_feature/task_notify/configs/e2000d_aarch32_demo_task_notify.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task_notify/configs/e2000d_aarch64_demo_task_notify.config b/example/freertos_feature/task_notify/configs/e2000d_aarch64_demo_task_notify.config
index 901b2e55..37ad40db 100644
--- a/example/freertos_feature/task_notify/configs/e2000d_aarch64_demo_task_notify.config
+++ b/example/freertos_feature/task_notify/configs/e2000d_aarch64_demo_task_notify.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task_notify/configs/e2000q_aarch32_demo_task_notify.config b/example/freertos_feature/task_notify/configs/e2000q_aarch32_demo_task_notify.config
index fc59368b..c6a178ec 100644
--- a/example/freertos_feature/task_notify/configs/e2000q_aarch32_demo_task_notify.config
+++ b/example/freertos_feature/task_notify/configs/e2000q_aarch32_demo_task_notify.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task_notify/configs/e2000q_aarch64_demo_task_notify.config b/example/freertos_feature/task_notify/configs/e2000q_aarch64_demo_task_notify.config
index 5d5d0b6d..696d22bb 100644
--- a/example/freertos_feature/task_notify/configs/e2000q_aarch64_demo_task_notify.config
+++ b/example/freertos_feature/task_notify/configs/e2000q_aarch64_demo_task_notify.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task_notify/configs/ft2004_aarch32_dsk_task_notify.config b/example/freertos_feature/task_notify/configs/ft2004_aarch32_dsk_task_notify.config
index 9c6e8658..e4a8bba7 100644
--- a/example/freertos_feature/task_notify/configs/ft2004_aarch32_dsk_task_notify.config
+++ b/example/freertos_feature/task_notify/configs/ft2004_aarch32_dsk_task_notify.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task_notify/configs/ft2004_aarch64_dsk_task_notify.config b/example/freertos_feature/task_notify/configs/ft2004_aarch64_dsk_task_notify.config
index aceabd12..097bd613 100644
--- a/example/freertos_feature/task_notify/configs/ft2004_aarch64_dsk_task_notify.config
+++ b/example/freertos_feature/task_notify/configs/ft2004_aarch64_dsk_task_notify.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task_notify/configs/phytiumpi_aarch32_firefly_task_notify.config b/example/freertos_feature/task_notify/configs/phytiumpi_aarch32_firefly_task_notify.config
index 1079c45d..d537e165 100644
--- a/example/freertos_feature/task_notify/configs/phytiumpi_aarch32_firefly_task_notify.config
+++ b/example/freertos_feature/task_notify/configs/phytiumpi_aarch32_firefly_task_notify.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -336,6 +341,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task_notify/configs/phytiumpi_aarch64_firefly_task_notify.config b/example/freertos_feature/task_notify/configs/phytiumpi_aarch64_firefly_task_notify.config
index b0f893a1..966cd05e 100644
--- a/example/freertos_feature/task_notify/configs/phytiumpi_aarch64_firefly_task_notify.config
+++ b/example/freertos_feature/task_notify/configs/phytiumpi_aarch64_firefly_task_notify.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task_notify/sdkconfig b/example/freertos_feature/task_notify/sdkconfig
index b0f893a1..966cd05e 100644
--- a/example/freertos_feature/task_notify/sdkconfig
+++ b/example/freertos_feature/task_notify/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/freertos_feature/task_notify/sdkconfig.h b/example/freertos_feature/task_notify/sdkconfig.h
index db587eff..cd311f52 100644
--- a/example/freertos_feature/task_notify/sdkconfig.h
+++ b/example/freertos_feature/task_notify/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -288,6 +293,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/network/lwip_https/Kconfig b/example/network/lwip_https/Kconfig
new file mode 100644
index 00000000..1e8d2b19
--- /dev/null
+++ b/example/network/lwip_https/Kconfig
@@ -0,0 +1,4 @@
+mainmenu "Phytium FreeRTOS Configuration"
+	
+source "$(SDK_DIR)/../freertos.kconfig"
+
diff --git a/example/network/lwip_https/README.md b/example/network/lwip_https/README.md
new file mode 100644
index 00000000..e1aeb9ab
--- /dev/null
+++ b/example/network/lwip_https/README.md
@@ -0,0 +1,152 @@
+# LWIP HTTPS 测试
+- MbedTLS 是一个轻量级的、适用于嵌入式设备的开源加密库，它为各种安全通信协议和加密算法提供实现，广泛用于资源受限的环境，如物联网设备、嵌入式系统、和微控制器等。该库原本叫做 PolarSSL，后来被 ARM 收购并更名为 MbedTLS。它可以用于实现许多加密功能，确保网络通信的安全性。
+- MbedTLS 提供了如下的能力:
+  - 完整的 SSL v3、TLS v1.0、TLS v1.1 和 TLS v1.2 协议实现
+  - X.509 证书处理
+  - 基于 TCP 的 TLS 传输加密
+  - 基于 UDP 的 DTLS（Datagram TLS）传输加密
+  - 其它加解密库实现
+
+## 1. 例程介绍
+
+><font size="1">介绍例程的用途，使用场景，相关基本概念，描述用户可以使用例程完成哪些工作</font><br />
+
+本例程示范了一个简单的Https client，与测试网站建立TLS连接并获取加密数据。
+
+### 1.1 Https client测试例程 (https_example.c)
+- ipv4模式下初始化开发板上所有网口以及对应网卡控制器
+- 为每个网卡配置静态IPv4地址
+- client连接主机TLS测试网站
+- client和server握手成功
+- client发送请求
+- server回应请求
+
+## 2. 如何使用例程
+
+><font size="1">描述开发平台准备，使用例程配置，构建和下载镜像的过程</font><br />
+
+本例程需要以下硬件，
+
+- E2000D/Q Demo板，FT2000/4开发板，D2000开发板，PhytiumPi
+- 串口线和串口上位机
+
+### 2.1 硬件配置方法
+
+><font size="1">哪些硬件平台是支持的，需要哪些外设，例程与开发板哪些IO口相关等（建议附录开发板照片，展示哪些IO口被引出）</font><br />
+- 为方便测试，一般需要自带路由器设备。
+- 利用路由器上的多个接口，我们可以更加方便的进行多网口测试。
+- 路由器一般能够提供dhcp服务，利用该服务，我们可以在运行网卡dhcp模式初始化测试例程时看到相应的dhcp服务器分配地址的现象。
+- 关于路由器配置，请参考网上相关资料自行配置。
+
+### 2.2 SDK配置方法
+
+><font size="1">依赖哪些驱动、库和第三方组件，如何完成配置（列出需要使能的关键配置项）</font><br />
+
+本例程需要：
+- LWIP组件，依赖 USE_LWIP
+- Letter Shell组件，依赖 USE_LETTER_SHELL
+- MBEDTLS组件，依赖 USE_MBEDTLS
+
+对应的配置项是，
+
+- CONFIG_USE_LWIP
+- CONFIG_USE_LETTER_SHELL
+- CONFIG_USE_MBEDTLS
+
+- 本例子已经提供好具体的编译指令，以下进行介绍：
+
+  1. make 将目录下的工程进行编译
+  2. make clean  将目录下的工程进行清理
+  3. make image   将目录下的工程进行编译，并将生成的elf 复制到目标地址
+  4. make list_kconfig 当前工程支持哪些配置文件
+  5. make load_kconfig LOAD_CONFIG_NAME=`<kconfig configuration files>`  将预设配置加载至工程中
+  6. make menuconfig   配置目录下的参数变量
+  7. make backup_kconfig 将目录下的sdkconfig 备份到./configs下
+- 具体使用方法为：
+
+  - 在当前目录下
+  - 执行以上指令
+
+### 2.3 构建和下载
+
+><font size="1">描述构建、烧录下载镜像的过程，列出相关的命令</font><br />
+
+本文档将以E2000D demo开发板为例，对于其它平台，使用对应的默认配置
+
+- 在host端完成配置
+- 选择目标平台
+
+```
+make load_kconfig LOAD_CONFIG_NAME=e2000d_aarch64_demo_lwip_https
+```
+
+- 选择例程需要的配置
+
+```
+make menuconfig
+```
+
+- 进行编译
+
+```
+make
+```
+
+- 将编译出的镜像放置到tftp目录下
+
+```
+make image
+```
+
+- host侧设置重启host侧tftp服务器
+
+```
+sudo service tftpd-hpa restart
+```
+
+- 开发板侧使用bootelf命令跳转
+
+```
+setenv ipaddr 192.168.4.20  
+setenv serverip 192.168.4.50 
+setenv gatewayip 192.168.4.1 
+tftpboot 0x90100000 freertos.elf
+bootelf -p 0x90100000
+```
+
+### 2.4 输出与实验现象
+
+><font size="1">描述输入输出情况，列出存在哪些输出，对应的输出是什么（建议附录相关现象图片）</font><br />
+
+#### 2.4.1 Https client测试例程 (https_example.c)
+
+首先在主机端tools目录下启动https服务器
+
+![https_server](./fig/https_server.png)
+
+然后在开发板端启动https客户端，并连接到测试网站
+```
+lwip https
+```
+
+![https_client](./fig/https_client.png)
+
+
+## 3. 如何解决问题
+
+- Q: 如何静态配置开发板的ip地址？
+- A: ipv4地址在board_mac_config静态变量中修改如下成员变量即可：
+
+```
+      .ipaddr="192.168.4.10",
+      .gw="192.168.4.1",
+      .netmask="255.255.255.0",
+```
+
+- A: ipv6地址在board_mac_config静态变量中修改如下成员变量即可：
+
+```
+      .mac_address={0x98, 0x0e, 0x24, 0x00, 0x11, 0x1},
+```
+
+## 4. 修改历史记录
diff --git a/example/network/lwip_https/configs/d2000_aarch32_test_lwip_https.config b/example/network/lwip_https/configs/d2000_aarch32_test_lwip_https.config
new file mode 100644
index 00000000..6edc5b32
--- /dev/null
+++ b/example/network/lwip_https/configs/d2000_aarch32_test_lwip_https.config
@@ -0,0 +1,606 @@
+CONFIG_USE_FREERTOS=y
+
+#
+# Arch configuration
+#
+CONFIG_TARGET_ARMv8=y
+CONFIG_ARCH_NAME="armv8"
+
+#
+# Arm architecture configuration
+#
+# CONFIG_ARCH_ARMV8_AARCH64 is not set
+CONFIG_ARCH_ARMV8_AARCH32=y
+
+#
+# Compiler configuration
+#
+CONFIG_ARM_GCC_SELECT=y
+# CONFIG_ARM_CLANG_SELECT is not set
+CONFIG_TOOLCHAIN_NAME="gcc"
+CONFIG_TARGET_ARMV8_AARCH32=y
+CONFIG_ARCH_EXECUTION_STATE="aarch32"
+
+#
+# Fpu configuration
+#
+CONFIG_CRYPTO_NEON_FP_ARMV8=y
+# CONFIG_VFPV4 is not set
+# CONFIG_VFPV4_D16 is not set
+# CONFIG_VFPV3 is not set
+# CONFIG_VFPV3_D16 is not set
+CONFIG_ARM_MFPU="crypto-neon-fp-armv8"
+CONFIG_MFLOAT_ABI_HARD=y
+# CONFIG_MFLOAT_ABI_SOFTFP is not set
+CONFIG_ARM_MFLOAT_ABI="hard"
+# end of Fpu configuration
+# end of Compiler configuration
+
+# CONFIG_USE_L3CACHE is not set
+CONFIG_USE_AARCH64_L1_TO_AARCH32=y
+# end of Arm architecture configuration
+
+CONFIG_MMU_PAGE_SIZE=0x1000
+CONFIG_FMMU_NUM_L2_TABLES=256
+# end of Arch configuration
+
+#
+# Soc configuration
+#
+# CONFIG_TARGET_PHYTIUMPI is not set
+# CONFIG_TARGET_E2000Q is not set
+# CONFIG_TARGET_E2000D is not set
+# CONFIG_TARGET_E2000S is not set
+# CONFIG_TARGET_FT2004 is not set
+CONFIG_TARGET_D2000=y
+# CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
+CONFIG_SOC_NAME="d2000"
+CONFIG_SOC_CORE_NUM=8
+CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
+CONFIG_F32BIT_MEMORY_LENGTH=0x80000000
+CONFIG_F64BIT_MEMORY_ADDRESS=0x2000000000
+CONFIG_F64BIT_MEMORY_LENGTH=0x800000000
+CONFIG_DEFAULT_DEBUG_PRINT_UART1=y
+# CONFIG_DEFAULT_DEBUG_PRINT_UART0 is not set
+# CONFIG_DEFAULT_DEBUG_PRINT_UART2 is not set
+# end of Soc configuration
+
+#
+# Board Configuration
+#
+CONFIG_BOARD_NAME="test"
+CONFIG_D2000_TEST_BOARD=y
+
+#
+# IO mux configuration when board start up
+#
+# CONFIG_CUS_DEMO_BOARD is not set
+
+#
+# Build project name
+#
+CONFIG_TARGET_NAME="lwip_https"
+# end of Build project name
+# end of Board Configuration
+
+#
+# Sdk common configuration
+#
+CONFIG_ELOG_LINE_BUF_SIZE=0x100
+# CONFIG_LOG_VERBOS is not set
+# CONFIG_LOG_DEBUG is not set
+# CONFIG_LOG_INFO is not set
+# CONFIG_LOG_WARN is not set
+CONFIG_LOG_ERROR=y
+# CONFIG_LOG_NONE is not set
+# CONFIG_LOG_EXTRA_INFO is not set
+# CONFIG_LOG_DISPALY_CORE_NUM is not set
+# CONFIG_BOOTUP_DEBUG_PRINTS is not set
+CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
+CONFIG_INTERRUPT_ROLE_MASTER=y
+# CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
+# end of Sdk common configuration
+
+#
+# Drivers configuration
+#
+CONFIG_USE_IOMUX=y
+CONFIG_ENABLE_IOCTRL=y
+# CONFIG_ENABLE_IOPAD is not set
+# CONFIG_USE_SPI is not set
+# CONFIG_USE_QSPI is not set
+CONFIG_USE_SERIAL=y
+
+#
+# Usart Configuration
+#
+CONFIG_ENABLE_Pl011_UART=y
+# end of Usart Configuration
+
+# CONFIG_USE_GPIO is not set
+CONFIG_USE_ETH=y
+
+#
+# Eth Configuration
+#
+# CONFIG_ENABLE_FXMAC is not set
+CONFIG_ENABLE_FGMAC=y
+CONFIG_FGMAC_PHY_COMMON=y
+# CONFIG_FGMAC_PHY_AR803X is not set
+# end of Eth Configuration
+
+# CONFIG_USE_CAN is not set
+# CONFIG_USE_I2C is not set
+# CONFIG_USE_TIMER is not set
+# CONFIG_USE_MIO is not set
+# CONFIG_USE_SDMMC is not set
+# CONFIG_USE_PCIE is not set
+# CONFIG_USE_WDT is not set
+# CONFIG_USE_DMA is not set
+# CONFIG_USE_NAND is not set
+# CONFIG_USE_RTC is not set
+# CONFIG_USE_SATA is not set
+# CONFIG_USE_ADC is not set
+# CONFIG_USE_PWM is not set
+# CONFIG_USE_IPC is not set
+# CONFIG_USE_MEDIA is not set
+# CONFIG_USE_SCMI_MHU is not set
+# CONFIG_USE_I2S is not set
+# CONFIG_USE_I3C is not set
+# end of Drivers configuration
+
+#
+# Build setup
+#
+CONFIG_CHECK_DEPS=y
+CONFIG_OUTPUT_BINARY=y
+
+#
+# Optimization options
+#
+# CONFIG_DEBUG_NOOPT is not set
+# CONFIG_DEBUG_CUSTOMOPT is not set
+CONFIG_DEBUG_FULLOPT=y
+CONFIG_DEBUG_OPT_UNUSED_SECTIONS=y
+CONFIG_DEBUG_LINK_MAP=y
+# CONFIG_CCACHE is not set
+# CONFIG_ARCH_COVERAGE is not set
+# CONFIG_LTO_FULL is not set
+# end of Optimization options
+
+#
+# Debug options
+#
+# CONFIG_DEBUG_ENABLE_ALL_WARNING is not set
+# CONFIG_WALL_WARNING_ERROR is not set
+# CONFIG_STRICT_PROTOTYPES is not set
+# CONFIG_DEBUG_SYMBOLS is not set
+# CONFIG_FRAME_POINTER is not set
+# CONFIG_OUTPUT_ASM_DIS is not set
+# CONFIG_ENABLE_WSHADOW is not set
+# CONFIG_ENABLE_WUNDEF is not set
+CONFIG_DOWNGRADE_DIAG_WARNING=y
+# end of Debug options
+
+#
+# Lib
+#
+CONFIG_USE_COMPILE_CHAIN=y
+# CONFIG_USE_NEWLIB is not set
+# CONFIG_USE_USER_DEFINED is not set
+# end of Lib
+
+# CONFIG_ENABLE_CXX is not set
+
+#
+# Linker Options
+#
+CONFIG_DEFAULT_LINKER_SCRIPT=y
+# CONFIG_USER_DEFINED_LD is not set
+CONFIG_IMAGE_LOAD_ADDRESS=0x80100000
+CONFIG_IMAGE_MAX_LENGTH=0x2000000
+CONFIG_HEAP_SIZE=1
+CONFIG_SVC_STACK_SIZE=0x1000
+CONFIG_SYS_STACK_SIZE=0x1000
+CONFIG_IRQ_STACK_SIZE=0x1000
+CONFIG_ABORT_STACK_SIZE=0x1000
+CONFIG_FIQ_STACK_SIZE=0x1000
+CONFIG_UNDEF_STACK_SIZE=0x1000
+# end of Linker Options
+# end of Build setup
+
+#
+# Component Configuration
+#
+
+#
+# Freertos Uart Drivers
+#
+CONFIG_FREERTOS_USE_UART=y
+# end of Freertos Uart Drivers
+
+#
+# Freertos Pwm Drivers
+#
+# CONFIG_FREERTOS_USE_PWM is not set
+# end of Freertos Pwm Drivers
+
+#
+# Freertos Qspi Drivers
+#
+# CONFIG_FREERTOS_USE_QSPI is not set
+# end of Freertos Qspi Drivers
+
+#
+# Freertos Wdt Drivers
+#
+# CONFIG_FREERTOS_USE_WDT is not set
+# end of Freertos Wdt Drivers
+
+#
+# Freertos Eth Drivers
+#
+# CONFIG_FREERTOS_USE_XMAC is not set
+CONFIG_FREERTOS_USE_GMAC=y
+# end of Freertos Eth Drivers
+
+#
+# Freertos Spim Drivers
+#
+# CONFIG_FREERTOS_USE_FSPIM is not set
+# end of Freertos Spim Drivers
+
+#
+# Freertos DMA Drivers
+#
+# CONFIG_FREERTOS_USE_FDDMA is not set
+# CONFIG_FREERTOS_USE_FGDMA is not set
+# end of Freertos DMA Drivers
+
+#
+# Freertos Adc Drivers
+#
+# CONFIG_FREERTOS_USE_ADC is not set
+# end of Freertos Adc Drivers
+
+#
+# Freertos Can Drivers
+#
+# CONFIG_FREERTOS_USE_CAN is not set
+# end of Freertos Can Drivers
+
+#
+# Freertos I2c Drivers
+#
+# CONFIG_FREERTOS_USE_I2C is not set
+# end of Freertos I2c Drivers
+
+#
+# Freertos Mio Drivers
+#
+# CONFIG_FREERTOS_USE_MIO is not set
+# end of Freertos Mio Drivers
+
+#
+# Freertos Timer Drivers
+#
+# CONFIG_FREERTOS_USE_TIMER is not set
+# end of Freertos Timer Drivers
+
+#
+# Freertos Media Drivers
+#
+# CONFIG_FREERTOS_USE_MEDIA is not set
+# end of Freertos Media Drivers
+
+#
+# Freertos I2s Drivers
+#
+# CONFIG_FREERTOS_USE_I2S is not set
+# end of Freertos I2s Drivers
+# end of Component Configuration
+
+#
+# Third-party configuration
+#
+CONFIG_USE_LWIP=y
+
+#
+# LWIP Freertos Port Configuration
+#
+
+#
+# LWIP Configuration
+#
+
+#
+# LWIP Port Configuration
+#
+# CONFIG_LWIP_FXMAC is not set
+CONFIG_LWIP_FGMAC=y
+# CONFIG_LWIP_FSDIF is not set
+# end of LWIP Port Configuration
+
+# CONFIG_LWIP_NO_SYS is not set
+CONFIG_LWIP_LOCAL_HOSTNAME="phytium"
+
+#
+# LWIP_APP
+#
+# CONFIG_USE_LWIP_APP_LWIPERF is not set
+# CONFIG_USE_LWIP_APP_TFTP is not set
+# CONFIG_USE_LWIP_APP_SNTP is not set
+# end of LWIP_APP
+
+#
+# Memory configuration
+#
+# CONFIG_LWIP_USE_MEM_POOL is not set
+CONFIG_LWIP_USE_MEM_HEAP=y
+# CONFIG_LWIP_USE_MEM_HEAP_DEBUG is not set
+CONFIG_MEM_SIZE=2
+CONFIG_MEM_ALIGNMENT=64
+# end of Memory configuration
+
+#
+# Pbuf options
+#
+CONFIG_PBUF_POOL_BUFSIZE=2
+CONFIG_PBUF_POOL_SIZE=1
+# end of Pbuf options
+
+#
+# ARP
+#
+CONFIG_ARP_QUEUEING_EN=y
+# end of ARP
+
+#
+# IPV4
+#
+# CONFIG_USE_IPV4_ONLY is not set
+CONFIG_LWIP_IP4_REASSEMBLY=y
+CONFIG_LWIP_IP4_FRAG=y
+# CONFIG_LWIP_IP_FORWARD is not set
+CONFIG_IP_REASS_MAX_PBUFS=32
+# end of IPV4
+
+#
+# ICMP
+#
+CONFIG_LWIP_ICMP=y
+CONFIG_LWIP_MULTICAST_PING=y
+CONFIG_LWIP_BROADCAST_PING=y
+# end of ICMP
+
+#
+# LWIP RAW API
+#
+CONFIG_LWIP_RAW_API_EN=y
+CONFIG_LWIP_MAX_RAW_PCBS=16
+CONFIG_LWIP_RAW_RECVMBOX_SIZE=6
+# end of LWIP RAW API
+
+#
+# DHCP
+#
+CONFIG_LWIP_DHCP_ENABLE=y
+# CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set
+# CONFIG_LWIP_DHCP_GET_NTP_SRV is not set
+# CONFIG_LWIP_DHCP_DISABLE_CLIENT_ID is not set
+# CONFIG_LWIP_DHCP_RESTORE_LAST_IP is not set
+CONFIG_LWIP_DHCP_OPTIONS_LEN=68
+CONFIG_LWIP_DHCP_DISABLE_VENDOR_CLASS_ID=y
+# end of DHCP
+
+#
+# AUTOIP
+#
+# CONFIG_LWIP_AUTOIP is not set
+# end of AUTOIP
+
+#
+# IGMP
+#
+CONFIG_LWIP_IGMP_EN=y
+# end of IGMP
+
+#
+# DNS
+#
+CONFIG_LWIP_DNS_SUPPORT_MDNS_QUERIES=y
+# end of DNS
+
+#
+# UDP
+#
+CONFIG_LWIP_MAX_UDP_PCBS=16
+CONFIG_LWIP_UDP_RECVMBOX_SIZE=6
+# CONFIG_LWIP_NETBUF_RECVINFO is not set
+# end of UDP
+
+#
+# TCP
+#
+CONFIG_LWIP_TCP_WND_DEFAULT=5744
+CONFIG_LWIP_TCP_MAXRTX=12
+CONFIG_LWIP_TCP_SYNMAXRTX=12
+CONFIG_LWIP_TCP_QUEUE_OOSEQ=y
+# CONFIG_LWIP_TCP_SACK_OUT is not set
+CONFIG_LWIP_TCP_MSS=1440
+CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
+CONFIG_LWIP_TCP_OVERSIZE_MSS=y
+# CONFIG_LWIP_TCP_OVERSIZE_QUARTER_MSS is not set
+# CONFIG_LWIP_TCP_OVERSIZE_DISABLE is not set
+CONFIG_LWIP_TCP_TMR_INTERVAL=250
+CONFIG_LWIP_TCP_MSL=60000
+# CONFIG_LWIP_WND_SCALE is not set
+CONFIG_LWIP_TCP_RTO_TIME=1500
+CONFIG_LWIP_MAX_ACTIVE_TCP=16
+CONFIG_LWIP_MAX_LISTENING_TCP=16
+CONFIG_LWIP_TCP_HIGH_SPEED_RETRANSMISSION=y
+CONFIG_LWIP_TCP_RECVMBOX_SIZE=6
+# end of TCP
+
+#
+# Network_Interface
+#
+# CONFIG_LWIP_NETIF_API is not set
+# CONFIG_LWIP_NETIF_STATUS_CALLBACK is not set
+# end of Network_Interface
+
+#
+# LOOPIF
+#
+CONFIG_LWIP_NETIF_LOOPBACK=y
+CONFIG_LWIP_LOOPBACK_MAX_PBUFS=8
+# end of LOOPIF
+
+#
+# SLIPIF
+#
+# CONFIG_LWIP_SLIP_SUPPORT is not set
+# end of SLIPIF
+
+CONFIG_LWIP_TCPIP_CORE_LOCKING=y
+
+#
+# Socket
+#
+CONFIG_LWIP_MAX_SOCKETS=10
+# CONFIG_LWIP_SO_LINGER is not set
+CONFIG_LWIP_SO_REUSE=y
+CONFIG_LWIP_SO_REUSE_RXTOALL=y
+# end of Socket
+
+# CONFIG_LWIP_STATS is not set
+
+#
+# PPP
+#
+# CONFIG_LWIP_PPP_SUPPORT is not set
+CONFIG_LWIP_IPV6_MEMP_NUM_ND6_QUEUE=3
+CONFIG_LWIP_IPV6_ND6_NUM_NEIGHBORS=5
+# end of PPP
+
+#
+# Checksums
+#
+# CONFIG_LWIP_CHECKSUM_CHECK_IP is not set
+# CONFIG_LWIP_CHECKSUM_CHECK_UDP is not set
+CONFIG_LWIP_CHECKSUM_CHECK_ICMP=y
+# end of Checksums
+
+#
+# IPV6
+#
+CONFIG_LWIP_IPV6=y
+# CONFIG_LWIP_IPV6_AUTOCONFIG is not set
+CONFIG_LWIP_IPV6_NUM_ADDRESSES=3
+# CONFIG_LWIP_IPV6_FORWARD is not set
+CONFIG_LWIP_IP6_FRAG=y
+# CONFIG_LWIP_IP6_REASSEMBLY is not set
+# end of IPV6
+
+CONFIG_LWIP_DEBUG=y
+# CONFIG_LWIP_DEBUG_ESP_LOG is not set
+CONFIG_LWIP_NETIF_DEBUG=y
+# CONFIG_LWIP_PBUF_DEBUG is not set
+# CONFIG_LWIP_ETHARP_DEBUG is not set
+# CONFIG_LWIP_API_LIB_DEBUG is not set
+# CONFIG_LWIP_SOCKETS_DEBUG is not set
+# CONFIG_LWIP_IP_DEBUG is not set
+# CONFIG_LWIP_ICMP_DEBUG is not set
+# CONFIG_LWIP_DHCP_STATE_DEBUG is not set
+# CONFIG_LWIP_DHCP_DEBUG is not set
+# CONFIG_LWIP_IP6_DEBUG is not set
+# CONFIG_LWIP_ICMP6_DEBUG is not set
+# CONFIG_LWIP_TCP_DEBUG is not set
+# CONFIG_LWIP_UDP_DEBUG is not set
+# CONFIG_LWIP_SNTP_DEBUG is not set
+# CONFIG_LWIP_DNS_DEBUG is not set
+# end of LWIP Configuration
+
+#
+# Tcp/ip task resource configuration
+#
+CONFIG_LWIP_TCPIP_TASK_STACK_SIZE=3072
+CONFIG_LWIP_TCPIP_TASK_PRIO=6
+CONFIG_LWIP_TCPIP_RECVMBOX_SIZE=32
+# end of Tcp/ip task resource configuration
+
+#
+# lwip port thread Configuration
+#
+CONFIG_LWIP_PORT_USE_RECEIVE_THREAD=y
+CONFIG_LWIP_PORT_RECEIVE_THREAD_STACKSIZE=1024
+CONFIG_LWIP_PORT_RECEIVE_THREAD_PRIORITY=5
+CONFIG_LWIP_PORT_USE_LINK_DETECT_THREAD=y
+CONFIG_LWIP_PORT_LINK_DETECT_STACKSIZE=1024
+CONFIG_LWIP_PORT_LINK_DETECT_PRIORITY=5
+CONFIG_LWIP_PORT_DHCP_THREAD=y
+CONFIG_LWIP_PORT_DHCP_STACKSIZE=2048
+CONFIG_LWIP_PORT_DHCP_PRIORITY=5
+# end of lwip port thread Configuration
+# end of LWIP Freertos Port Configuration
+
+CONFIG_USE_MBEDTLS=y
+
+#
+# MBEDTLS Freertos Port Configuration
+#
+CONFIG_USE_LETTER_SHELL=y
+
+#
+# Letter Shell Configuration
+#
+CONFIG_LS_PL011_UART=y
+CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
+# end of Letter Shell Configuration
+
+# CONFIG_USE_AMP is not set
+# CONFIG_USE_YMODEM is not set
+# CONFIG_USE_SFUD is not set
+CONFIG_USE_BACKTRACE=y
+# CONFIG_USE_FATFS_0_1_4 is not set
+CONFIG_USE_TLSF=y
+# CONFIG_USE_SPIFFS is not set
+# CONFIG_USE_LITTLE_FS is not set
+# CONFIG_USE_LVGL is not set
+# CONFIG_USE_FREEMODBUS is not set
+# CONFIG_USE_CHERRY_USB is not set
+# CONFIG_USE_FSL_SDMMC is not set
+# CONFIG_USE_FSL_WIFI is not set
+# end of Third-party configuration
+
+#
+# FreeRTOS Kernel Configuration
+#
+CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
+CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
+CONFIG_FREERTOS_MAX_PRIORITIES=32
+CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
+CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
+CONFIG_FREERTOS_THREAD_LOCAL_STORAGE_POINTERS=1
+CONFIG_FREERTOS_MINIMAL_TASK_STACKSIZE=1024
+CONFIG_FREERTOS_MAX_TASK_NAME_LEN=32
+CONFIG_FREERTOS_TIMER_TASK_PRIORITY=1
+CONFIG_FREERTOS_TIMER_TASK_STACK_DEPTH=2048
+CONFIG_FREERTOS_TIMER_QUEUE_LENGTH=10
+CONFIG_FREERTOS_QUEUE_REGISTRY_SIZE=0
+CONFIG_FREERTOS_GENERATE_RUN_TIME_STATS=y
+CONFIG_FREERTOS_USE_TRACE_FACILITY=y
+CONFIG_FREERTOS_USE_STATS_FORMATTING_FUNCTIONS=y
+# CONFIG_FREERTOS_USE_TICKLESS_IDLE is not set
+CONFIG_FREERTOS_TOTAL_HEAP_SIZE=10240
+CONFIG_FREERTOS_TASK_FPU_SUPPORT=1
+# CONFIG_FREERTOS_USE_POSIX is not set
+# end of FreeRTOS Kernel Configuration
diff --git a/example/network/lwip_https/configs/d2000_aarch64_test_lwip_https.config b/example/network/lwip_https/configs/d2000_aarch64_test_lwip_https.config
new file mode 100644
index 00000000..ede77f56
--- /dev/null
+++ b/example/network/lwip_https/configs/d2000_aarch64_test_lwip_https.config
@@ -0,0 +1,595 @@
+CONFIG_USE_FREERTOS=y
+
+#
+# Arch configuration
+#
+CONFIG_TARGET_ARMv8=y
+CONFIG_ARCH_NAME="armv8"
+
+#
+# Arm architecture configuration
+#
+CONFIG_ARCH_ARMV8_AARCH64=y
+# CONFIG_ARCH_ARMV8_AARCH32 is not set
+
+#
+# Compiler configuration
+#
+CONFIG_ARM_GCC_SELECT=y
+# CONFIG_ARM_CLANG_SELECT is not set
+CONFIG_TOOLCHAIN_NAME="gcc"
+CONFIG_TARGET_ARMV8_AARCH64=y
+CONFIG_ARCH_EXECUTION_STATE="aarch64"
+CONFIG_ARM_NEON=y
+CONFIG_ARM_CRC=y
+CONFIG_ARM_CRYPTO=y
+CONFIG_ARM_FLOAT_POINT=y
+# CONFIG_GCC_CODE_MODEL_TINY is not set
+CONFIG_GCC_CODE_MODEL_SMALL=y
+# CONFIG_GCC_CODE_MODEL_LARGE is not set
+# end of Compiler configuration
+
+# CONFIG_USE_L3CACHE is not set
+# CONFIG_BOOT_WITH_FLUSH_CACHE is not set
+# CONFIG_MMU_DEBUG_PRINTS is not set
+# end of Arm architecture configuration
+
+CONFIG_MMU_PAGE_SIZE=0x1000
+CONFIG_MAX_XLAT_TABLES=256
+# end of Arch configuration
+
+#
+# Soc configuration
+#
+# CONFIG_TARGET_PHYTIUMPI is not set
+# CONFIG_TARGET_E2000Q is not set
+# CONFIG_TARGET_E2000D is not set
+# CONFIG_TARGET_E2000S is not set
+# CONFIG_TARGET_FT2004 is not set
+CONFIG_TARGET_D2000=y
+# CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
+CONFIG_SOC_NAME="d2000"
+CONFIG_SOC_CORE_NUM=8
+CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
+CONFIG_F32BIT_MEMORY_LENGTH=0x80000000
+CONFIG_F64BIT_MEMORY_ADDRESS=0x2000000000
+CONFIG_F64BIT_MEMORY_LENGTH=0x800000000
+CONFIG_DEFAULT_DEBUG_PRINT_UART1=y
+# CONFIG_DEFAULT_DEBUG_PRINT_UART0 is not set
+# CONFIG_DEFAULT_DEBUG_PRINT_UART2 is not set
+# end of Soc configuration
+
+#
+# Board Configuration
+#
+CONFIG_BOARD_NAME="test"
+CONFIG_D2000_TEST_BOARD=y
+
+#
+# IO mux configuration when board start up
+#
+# CONFIG_CUS_DEMO_BOARD is not set
+
+#
+# Build project name
+#
+CONFIG_TARGET_NAME="lwip_https"
+# end of Build project name
+# end of Board Configuration
+
+#
+# Sdk common configuration
+#
+CONFIG_ELOG_LINE_BUF_SIZE=0x100
+# CONFIG_LOG_VERBOS is not set
+# CONFIG_LOG_DEBUG is not set
+# CONFIG_LOG_INFO is not set
+# CONFIG_LOG_WARN is not set
+CONFIG_LOG_ERROR=y
+# CONFIG_LOG_NONE is not set
+# CONFIG_LOG_EXTRA_INFO is not set
+# CONFIG_LOG_DISPALY_CORE_NUM is not set
+# CONFIG_BOOTUP_DEBUG_PRINTS is not set
+CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
+CONFIG_INTERRUPT_ROLE_MASTER=y
+# CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
+# end of Sdk common configuration
+
+#
+# Drivers configuration
+#
+CONFIG_USE_IOMUX=y
+CONFIG_ENABLE_IOCTRL=y
+# CONFIG_ENABLE_IOPAD is not set
+# CONFIG_USE_SPI is not set
+# CONFIG_USE_QSPI is not set
+CONFIG_USE_SERIAL=y
+
+#
+# Usart Configuration
+#
+CONFIG_ENABLE_Pl011_UART=y
+# end of Usart Configuration
+
+# CONFIG_USE_GPIO is not set
+CONFIG_USE_ETH=y
+
+#
+# Eth Configuration
+#
+# CONFIG_ENABLE_FXMAC is not set
+CONFIG_ENABLE_FGMAC=y
+CONFIG_FGMAC_PHY_COMMON=y
+# CONFIG_FGMAC_PHY_AR803X is not set
+# end of Eth Configuration
+
+# CONFIG_USE_CAN is not set
+# CONFIG_USE_I2C is not set
+# CONFIG_USE_TIMER is not set
+# CONFIG_USE_MIO is not set
+# CONFIG_USE_SDMMC is not set
+# CONFIG_USE_PCIE is not set
+# CONFIG_USE_WDT is not set
+# CONFIG_USE_DMA is not set
+# CONFIG_USE_NAND is not set
+# CONFIG_USE_RTC is not set
+# CONFIG_USE_SATA is not set
+# CONFIG_USE_ADC is not set
+# CONFIG_USE_PWM is not set
+# CONFIG_USE_IPC is not set
+# CONFIG_USE_MEDIA is not set
+# CONFIG_USE_SCMI_MHU is not set
+# CONFIG_USE_I2S is not set
+# CONFIG_USE_I3C is not set
+# end of Drivers configuration
+
+#
+# Build setup
+#
+CONFIG_CHECK_DEPS=y
+CONFIG_OUTPUT_BINARY=y
+
+#
+# Optimization options
+#
+# CONFIG_DEBUG_NOOPT is not set
+# CONFIG_DEBUG_CUSTOMOPT is not set
+CONFIG_DEBUG_FULLOPT=y
+CONFIG_DEBUG_OPT_UNUSED_SECTIONS=y
+CONFIG_DEBUG_LINK_MAP=y
+# CONFIG_CCACHE is not set
+# CONFIG_ARCH_COVERAGE is not set
+# CONFIG_LTO_FULL is not set
+# end of Optimization options
+
+#
+# Debug options
+#
+# CONFIG_DEBUG_ENABLE_ALL_WARNING is not set
+# CONFIG_WALL_WARNING_ERROR is not set
+# CONFIG_STRICT_PROTOTYPES is not set
+# CONFIG_DEBUG_SYMBOLS is not set
+# CONFIG_FRAME_POINTER is not set
+# CONFIG_OUTPUT_ASM_DIS is not set
+# CONFIG_ENABLE_WSHADOW is not set
+# CONFIG_ENABLE_WUNDEF is not set
+CONFIG_DOWNGRADE_DIAG_WARNING=y
+# end of Debug options
+
+#
+# Lib
+#
+CONFIG_USE_COMPILE_CHAIN=y
+# CONFIG_USE_NEWLIB is not set
+# CONFIG_USE_USER_DEFINED is not set
+# end of Lib
+
+# CONFIG_ENABLE_CXX is not set
+
+#
+# Linker Options
+#
+CONFIG_DEFAULT_LINKER_SCRIPT=y
+# CONFIG_USER_DEFINED_LD is not set
+CONFIG_IMAGE_LOAD_ADDRESS=0x80100000
+CONFIG_IMAGE_MAX_LENGTH=0x2000000
+CONFIG_HEAP_SIZE=1
+CONFIG_STACK_SIZE=0x400
+# end of Linker Options
+# end of Build setup
+
+#
+# Component Configuration
+#
+
+#
+# Freertos Uart Drivers
+#
+CONFIG_FREERTOS_USE_UART=y
+# end of Freertos Uart Drivers
+
+#
+# Freertos Pwm Drivers
+#
+# CONFIG_FREERTOS_USE_PWM is not set
+# end of Freertos Pwm Drivers
+
+#
+# Freertos Qspi Drivers
+#
+# CONFIG_FREERTOS_USE_QSPI is not set
+# end of Freertos Qspi Drivers
+
+#
+# Freertos Wdt Drivers
+#
+# CONFIG_FREERTOS_USE_WDT is not set
+# end of Freertos Wdt Drivers
+
+#
+# Freertos Eth Drivers
+#
+# CONFIG_FREERTOS_USE_XMAC is not set
+CONFIG_FREERTOS_USE_GMAC=y
+# end of Freertos Eth Drivers
+
+#
+# Freertos Spim Drivers
+#
+# CONFIG_FREERTOS_USE_FSPIM is not set
+# end of Freertos Spim Drivers
+
+#
+# Freertos DMA Drivers
+#
+# CONFIG_FREERTOS_USE_FDDMA is not set
+# CONFIG_FREERTOS_USE_FGDMA is not set
+# end of Freertos DMA Drivers
+
+#
+# Freertos Adc Drivers
+#
+# CONFIG_FREERTOS_USE_ADC is not set
+# end of Freertos Adc Drivers
+
+#
+# Freertos Can Drivers
+#
+# CONFIG_FREERTOS_USE_CAN is not set
+# end of Freertos Can Drivers
+
+#
+# Freertos I2c Drivers
+#
+# CONFIG_FREERTOS_USE_I2C is not set
+# end of Freertos I2c Drivers
+
+#
+# Freertos Mio Drivers
+#
+# CONFIG_FREERTOS_USE_MIO is not set
+# end of Freertos Mio Drivers
+
+#
+# Freertos Timer Drivers
+#
+# CONFIG_FREERTOS_USE_TIMER is not set
+# end of Freertos Timer Drivers
+
+#
+# Freertos Media Drivers
+#
+# CONFIG_FREERTOS_USE_MEDIA is not set
+# end of Freertos Media Drivers
+
+#
+# Freertos I2s Drivers
+#
+# CONFIG_FREERTOS_USE_I2S is not set
+# end of Freertos I2s Drivers
+# end of Component Configuration
+
+#
+# Third-party configuration
+#
+CONFIG_USE_LWIP=y
+
+#
+# LWIP Freertos Port Configuration
+#
+
+#
+# LWIP Configuration
+#
+
+#
+# LWIP Port Configuration
+#
+# CONFIG_LWIP_FXMAC is not set
+CONFIG_LWIP_FGMAC=y
+# CONFIG_LWIP_FSDIF is not set
+# end of LWIP Port Configuration
+
+# CONFIG_LWIP_NO_SYS is not set
+CONFIG_LWIP_LOCAL_HOSTNAME="phytium"
+
+#
+# LWIP_APP
+#
+# CONFIG_USE_LWIP_APP_LWIPERF is not set
+# CONFIG_USE_LWIP_APP_TFTP is not set
+# CONFIG_USE_LWIP_APP_SNTP is not set
+# end of LWIP_APP
+
+#
+# Memory configuration
+#
+# CONFIG_LWIP_USE_MEM_POOL is not set
+CONFIG_LWIP_USE_MEM_HEAP=y
+# CONFIG_LWIP_USE_MEM_HEAP_DEBUG is not set
+CONFIG_MEM_SIZE=2
+CONFIG_MEM_ALIGNMENT=64
+# end of Memory configuration
+
+#
+# Pbuf options
+#
+CONFIG_PBUF_POOL_BUFSIZE=2
+CONFIG_PBUF_POOL_SIZE=1
+# end of Pbuf options
+
+#
+# ARP
+#
+CONFIG_ARP_QUEUEING_EN=y
+# end of ARP
+
+#
+# IPV4
+#
+# CONFIG_USE_IPV4_ONLY is not set
+CONFIG_LWIP_IP4_REASSEMBLY=y
+CONFIG_LWIP_IP4_FRAG=y
+# CONFIG_LWIP_IP_FORWARD is not set
+CONFIG_IP_REASS_MAX_PBUFS=32
+# end of IPV4
+
+#
+# ICMP
+#
+CONFIG_LWIP_ICMP=y
+CONFIG_LWIP_MULTICAST_PING=y
+CONFIG_LWIP_BROADCAST_PING=y
+# end of ICMP
+
+#
+# LWIP RAW API
+#
+CONFIG_LWIP_RAW_API_EN=y
+CONFIG_LWIP_MAX_RAW_PCBS=16
+CONFIG_LWIP_RAW_RECVMBOX_SIZE=6
+# end of LWIP RAW API
+
+#
+# DHCP
+#
+CONFIG_LWIP_DHCP_ENABLE=y
+# CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set
+# CONFIG_LWIP_DHCP_GET_NTP_SRV is not set
+# CONFIG_LWIP_DHCP_DISABLE_CLIENT_ID is not set
+# CONFIG_LWIP_DHCP_RESTORE_LAST_IP is not set
+CONFIG_LWIP_DHCP_OPTIONS_LEN=68
+CONFIG_LWIP_DHCP_DISABLE_VENDOR_CLASS_ID=y
+# end of DHCP
+
+#
+# AUTOIP
+#
+# CONFIG_LWIP_AUTOIP is not set
+# end of AUTOIP
+
+#
+# IGMP
+#
+CONFIG_LWIP_IGMP_EN=y
+# end of IGMP
+
+#
+# DNS
+#
+CONFIG_LWIP_DNS_SUPPORT_MDNS_QUERIES=y
+# end of DNS
+
+#
+# UDP
+#
+CONFIG_LWIP_MAX_UDP_PCBS=16
+CONFIG_LWIP_UDP_RECVMBOX_SIZE=6
+# CONFIG_LWIP_NETBUF_RECVINFO is not set
+# end of UDP
+
+#
+# TCP
+#
+CONFIG_LWIP_TCP_WND_DEFAULT=5744
+CONFIG_LWIP_TCP_MAXRTX=12
+CONFIG_LWIP_TCP_SYNMAXRTX=12
+CONFIG_LWIP_TCP_QUEUE_OOSEQ=y
+# CONFIG_LWIP_TCP_SACK_OUT is not set
+CONFIG_LWIP_TCP_MSS=1440
+CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
+CONFIG_LWIP_TCP_OVERSIZE_MSS=y
+# CONFIG_LWIP_TCP_OVERSIZE_QUARTER_MSS is not set
+# CONFIG_LWIP_TCP_OVERSIZE_DISABLE is not set
+CONFIG_LWIP_TCP_TMR_INTERVAL=250
+CONFIG_LWIP_TCP_MSL=60000
+# CONFIG_LWIP_WND_SCALE is not set
+CONFIG_LWIP_TCP_RTO_TIME=1500
+CONFIG_LWIP_MAX_ACTIVE_TCP=16
+CONFIG_LWIP_MAX_LISTENING_TCP=16
+CONFIG_LWIP_TCP_HIGH_SPEED_RETRANSMISSION=y
+CONFIG_LWIP_TCP_RECVMBOX_SIZE=6
+# end of TCP
+
+#
+# Network_Interface
+#
+# CONFIG_LWIP_NETIF_API is not set
+# CONFIG_LWIP_NETIF_STATUS_CALLBACK is not set
+# end of Network_Interface
+
+#
+# LOOPIF
+#
+CONFIG_LWIP_NETIF_LOOPBACK=y
+CONFIG_LWIP_LOOPBACK_MAX_PBUFS=8
+# end of LOOPIF
+
+#
+# SLIPIF
+#
+# CONFIG_LWIP_SLIP_SUPPORT is not set
+# end of SLIPIF
+
+CONFIG_LWIP_TCPIP_CORE_LOCKING=y
+
+#
+# Socket
+#
+CONFIG_LWIP_MAX_SOCKETS=10
+# CONFIG_LWIP_SO_LINGER is not set
+CONFIG_LWIP_SO_REUSE=y
+CONFIG_LWIP_SO_REUSE_RXTOALL=y
+# end of Socket
+
+# CONFIG_LWIP_STATS is not set
+
+#
+# PPP
+#
+# CONFIG_LWIP_PPP_SUPPORT is not set
+CONFIG_LWIP_IPV6_MEMP_NUM_ND6_QUEUE=3
+CONFIG_LWIP_IPV6_ND6_NUM_NEIGHBORS=5
+# end of PPP
+
+#
+# Checksums
+#
+# CONFIG_LWIP_CHECKSUM_CHECK_IP is not set
+# CONFIG_LWIP_CHECKSUM_CHECK_UDP is not set
+CONFIG_LWIP_CHECKSUM_CHECK_ICMP=y
+# end of Checksums
+
+#
+# IPV6
+#
+CONFIG_LWIP_IPV6=y
+# CONFIG_LWIP_IPV6_AUTOCONFIG is not set
+CONFIG_LWIP_IPV6_NUM_ADDRESSES=3
+# CONFIG_LWIP_IPV6_FORWARD is not set
+CONFIG_LWIP_IP6_FRAG=y
+# CONFIG_LWIP_IP6_REASSEMBLY is not set
+# end of IPV6
+
+CONFIG_LWIP_DEBUG=y
+# CONFIG_LWIP_DEBUG_ESP_LOG is not set
+CONFIG_LWIP_NETIF_DEBUG=y
+# CONFIG_LWIP_PBUF_DEBUG is not set
+# CONFIG_LWIP_ETHARP_DEBUG is not set
+# CONFIG_LWIP_API_LIB_DEBUG is not set
+# CONFIG_LWIP_SOCKETS_DEBUG is not set
+# CONFIG_LWIP_IP_DEBUG is not set
+# CONFIG_LWIP_ICMP_DEBUG is not set
+# CONFIG_LWIP_DHCP_STATE_DEBUG is not set
+# CONFIG_LWIP_DHCP_DEBUG is not set
+# CONFIG_LWIP_IP6_DEBUG is not set
+# CONFIG_LWIP_ICMP6_DEBUG is not set
+# CONFIG_LWIP_TCP_DEBUG is not set
+# CONFIG_LWIP_UDP_DEBUG is not set
+# CONFIG_LWIP_SNTP_DEBUG is not set
+# CONFIG_LWIP_DNS_DEBUG is not set
+# end of LWIP Configuration
+
+#
+# Tcp/ip task resource configuration
+#
+CONFIG_LWIP_TCPIP_TASK_STACK_SIZE=3072
+CONFIG_LWIP_TCPIP_TASK_PRIO=6
+CONFIG_LWIP_TCPIP_RECVMBOX_SIZE=32
+# end of Tcp/ip task resource configuration
+
+#
+# lwip port thread Configuration
+#
+CONFIG_LWIP_PORT_USE_RECEIVE_THREAD=y
+CONFIG_LWIP_PORT_RECEIVE_THREAD_STACKSIZE=1024
+CONFIG_LWIP_PORT_RECEIVE_THREAD_PRIORITY=5
+CONFIG_LWIP_PORT_USE_LINK_DETECT_THREAD=y
+CONFIG_LWIP_PORT_LINK_DETECT_STACKSIZE=1024
+CONFIG_LWIP_PORT_LINK_DETECT_PRIORITY=5
+CONFIG_LWIP_PORT_DHCP_THREAD=y
+CONFIG_LWIP_PORT_DHCP_STACKSIZE=2048
+CONFIG_LWIP_PORT_DHCP_PRIORITY=5
+# end of lwip port thread Configuration
+# end of LWIP Freertos Port Configuration
+
+CONFIG_USE_MBEDTLS=y
+
+#
+# MBEDTLS Freertos Port Configuration
+#
+CONFIG_USE_LETTER_SHELL=y
+
+#
+# Letter Shell Configuration
+#
+CONFIG_LS_PL011_UART=y
+CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
+# end of Letter Shell Configuration
+
+# CONFIG_USE_AMP is not set
+# CONFIG_USE_YMODEM is not set
+# CONFIG_USE_SFUD is not set
+CONFIG_USE_BACKTRACE=y
+# CONFIG_USE_FATFS_0_1_4 is not set
+CONFIG_USE_TLSF=y
+# CONFIG_USE_SPIFFS is not set
+# CONFIG_USE_LITTLE_FS is not set
+# CONFIG_USE_LVGL is not set
+# CONFIG_USE_FREEMODBUS is not set
+# CONFIG_USE_CHERRY_USB is not set
+# CONFIG_USE_FSL_SDMMC is not set
+# CONFIG_USE_FSL_WIFI is not set
+# end of Third-party configuration
+
+#
+# FreeRTOS Kernel Configuration
+#
+CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
+CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
+CONFIG_FREERTOS_MAX_PRIORITIES=32
+CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
+CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
+CONFIG_FREERTOS_THREAD_LOCAL_STORAGE_POINTERS=1
+CONFIG_FREERTOS_MINIMAL_TASK_STACKSIZE=1024
+CONFIG_FREERTOS_MAX_TASK_NAME_LEN=32
+CONFIG_FREERTOS_TIMER_TASK_PRIORITY=1
+CONFIG_FREERTOS_TIMER_TASK_STACK_DEPTH=2048
+CONFIG_FREERTOS_TIMER_QUEUE_LENGTH=10
+CONFIG_FREERTOS_QUEUE_REGISTRY_SIZE=0
+CONFIG_FREERTOS_GENERATE_RUN_TIME_STATS=y
+CONFIG_FREERTOS_USE_TRACE_FACILITY=y
+CONFIG_FREERTOS_USE_STATS_FORMATTING_FUNCTIONS=y
+# CONFIG_FREERTOS_USE_TICKLESS_IDLE is not set
+CONFIG_FREERTOS_TOTAL_HEAP_SIZE=10240
+CONFIG_FREERTOS_TASK_FPU_SUPPORT=1
+# CONFIG_FREERTOS_USE_POSIX is not set
+# end of FreeRTOS Kernel Configuration
diff --git a/example/peripheral/media/media_test/configs/e2000d_aarch32_demo_freertos.config b/example/network/lwip_https/configs/e2000d_aarch32_demo_lwip_https.config
similarity index 58%
rename from example/peripheral/media/media_test/configs/e2000d_aarch32_demo_freertos.config
rename to example/network/lwip_https/configs/e2000d_aarch32_demo_lwip_https.config
index fa32385e..6ae23dfc 100644
--- a/example/peripheral/media/media_test/configs/e2000d_aarch32_demo_freertos.config
+++ b/example/network/lwip_https/configs/e2000d_aarch32_demo_lwip_https.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -92,7 +93,7 @@ CONFIG_BOARD_NAME="demo"
 #
 # Build project name
 #
-CONFIG_TARGET_NAME="freertos"
+CONFIG_TARGET_NAME="lwip_https"
 # end of Build project name
 # end of Board Configuration
 
@@ -101,10 +102,10 @@ CONFIG_TARGET_NAME="freertos"
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
 # CONFIG_LOG_VERBOS is not set
-CONFIG_LOG_DEBUG=y
+# CONFIG_LOG_DEBUG is not set
 # CONFIG_LOG_INFO is not set
 # CONFIG_LOG_WARN is not set
-# CONFIG_LOG_ERROR is not set
+CONFIG_LOG_ERROR=y
 # CONFIG_LOG_NONE is not set
 # CONFIG_LOG_EXTRA_INFO is not set
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
@@ -112,6 +113,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -131,7 +133,17 @@ CONFIG_ENABLE_Pl011_UART=y
 # end of Usart Configuration
 
 # CONFIG_USE_GPIO is not set
-# CONFIG_USE_ETH is not set
+CONFIG_USE_ETH=y
+
+#
+# Eth Configuration
+#
+CONFIG_ENABLE_FXMAC=y
+# CONFIG_ENABLE_FGMAC is not set
+CONFIG_FXMAC_PHY_COMMON=y
+# CONFIG_FXMAC_PHY_YT is not set
+# end of Eth Configuration
+
 # CONFIG_USE_CAN is not set
 # CONFIG_USE_I2C is not set
 # CONFIG_USE_TIMER is not set
@@ -146,14 +158,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_ADC is not set
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
-CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+# CONFIG_USE_MEDIA is not set
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -208,7 +213,7 @@ CONFIG_USE_COMPILE_CHAIN=y
 CONFIG_DEFAULT_LINKER_SCRIPT=y
 # CONFIG_USER_DEFINED_LD is not set
 CONFIG_IMAGE_LOAD_ADDRESS=0x80100000
-CONFIG_IMAGE_MAX_LENGTH=0x20000000
+CONFIG_IMAGE_MAX_LENGTH=0x2000000
 CONFIG_HEAP_SIZE=1
 CONFIG_SVC_STACK_SIZE=0x1000
 CONFIG_SYS_STACK_SIZE=0x1000
@@ -250,7 +255,7 @@ CONFIG_FREERTOS_USE_UART=y
 #
 # Freertos Eth Drivers
 #
-# CONFIG_FREERTOS_USE_XMAC is not set
+CONFIG_FREERTOS_USE_XMAC=y
 # CONFIG_FREERTOS_USE_GMAC is not set
 # end of Freertos Eth Drivers
 
@@ -300,7 +305,7 @@ CONFIG_FREERTOS_USE_UART=y
 #
 # Freertos Media Drivers
 #
-CONFIG_FREERTOS_USE_MEDIA=y
+# CONFIG_FREERTOS_USE_MEDIA is not set
 # end of Freertos Media Drivers
 
 #
@@ -313,7 +318,252 @@ CONFIG_FREERTOS_USE_MEDIA=y
 #
 # Third-party configuration
 #
-# CONFIG_USE_LWIP is not set
+CONFIG_USE_LWIP=y
+
+#
+# LWIP Freertos Port Configuration
+#
+
+#
+# LWIP Configuration
+#
+
+#
+# LWIP Port Configuration
+#
+CONFIG_LWIP_FXMAC=y
+# CONFIG_LWIP_FGMAC is not set
+# CONFIG_LWIP_FSDIF is not set
+# end of LWIP Port Configuration
+
+# CONFIG_LWIP_NO_SYS is not set
+CONFIG_LWIP_LOCAL_HOSTNAME="phytium"
+
+#
+# LWIP_APP
+#
+# CONFIG_USE_LWIP_APP_LWIPERF is not set
+# CONFIG_USE_LWIP_APP_TFTP is not set
+# CONFIG_USE_LWIP_APP_SNTP is not set
+# end of LWIP_APP
+
+#
+# Memory configuration
+#
+# CONFIG_LWIP_USE_MEM_POOL is not set
+CONFIG_LWIP_USE_MEM_HEAP=y
+# CONFIG_LWIP_USE_MEM_HEAP_DEBUG is not set
+CONFIG_MEM_SIZE=2
+CONFIG_MEM_ALIGNMENT=64
+# end of Memory configuration
+
+#
+# Pbuf options
+#
+CONFIG_PBUF_POOL_BUFSIZE=2
+CONFIG_PBUF_POOL_SIZE=1
+# end of Pbuf options
+
+#
+# ARP
+#
+CONFIG_ARP_QUEUEING_EN=y
+# end of ARP
+
+#
+# IPV4
+#
+# CONFIG_USE_IPV4_ONLY is not set
+CONFIG_LWIP_IP4_REASSEMBLY=y
+CONFIG_LWIP_IP4_FRAG=y
+# CONFIG_LWIP_IP_FORWARD is not set
+CONFIG_IP_REASS_MAX_PBUFS=32
+# end of IPV4
+
+#
+# ICMP
+#
+CONFIG_LWIP_ICMP=y
+CONFIG_LWIP_MULTICAST_PING=y
+CONFIG_LWIP_BROADCAST_PING=y
+# end of ICMP
+
+#
+# LWIP RAW API
+#
+CONFIG_LWIP_RAW_API_EN=y
+CONFIG_LWIP_MAX_RAW_PCBS=16
+CONFIG_LWIP_RAW_RECVMBOX_SIZE=6
+# end of LWIP RAW API
+
+#
+# DHCP
+#
+CONFIG_LWIP_DHCP_ENABLE=y
+# CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set
+# CONFIG_LWIP_DHCP_GET_NTP_SRV is not set
+# CONFIG_LWIP_DHCP_DISABLE_CLIENT_ID is not set
+# CONFIG_LWIP_DHCP_RESTORE_LAST_IP is not set
+CONFIG_LWIP_DHCP_OPTIONS_LEN=68
+CONFIG_LWIP_DHCP_DISABLE_VENDOR_CLASS_ID=y
+# end of DHCP
+
+#
+# AUTOIP
+#
+# CONFIG_LWIP_AUTOIP is not set
+# end of AUTOIP
+
+#
+# IGMP
+#
+CONFIG_LWIP_IGMP_EN=y
+# end of IGMP
+
+#
+# DNS
+#
+CONFIG_LWIP_DNS_SUPPORT_MDNS_QUERIES=y
+# end of DNS
+
+#
+# UDP
+#
+CONFIG_LWIP_MAX_UDP_PCBS=16
+CONFIG_LWIP_UDP_RECVMBOX_SIZE=6
+# CONFIG_LWIP_NETBUF_RECVINFO is not set
+# end of UDP
+
+#
+# TCP
+#
+CONFIG_LWIP_TCP_WND_DEFAULT=5744
+CONFIG_LWIP_TCP_MAXRTX=12
+CONFIG_LWIP_TCP_SYNMAXRTX=12
+CONFIG_LWIP_TCP_QUEUE_OOSEQ=y
+# CONFIG_LWIP_TCP_SACK_OUT is not set
+CONFIG_LWIP_TCP_MSS=1440
+CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
+CONFIG_LWIP_TCP_OVERSIZE_MSS=y
+# CONFIG_LWIP_TCP_OVERSIZE_QUARTER_MSS is not set
+# CONFIG_LWIP_TCP_OVERSIZE_DISABLE is not set
+CONFIG_LWIP_TCP_TMR_INTERVAL=250
+CONFIG_LWIP_TCP_MSL=60000
+# CONFIG_LWIP_WND_SCALE is not set
+CONFIG_LWIP_TCP_RTO_TIME=1500
+CONFIG_LWIP_MAX_ACTIVE_TCP=16
+CONFIG_LWIP_MAX_LISTENING_TCP=16
+CONFIG_LWIP_TCP_HIGH_SPEED_RETRANSMISSION=y
+CONFIG_LWIP_TCP_RECVMBOX_SIZE=6
+# end of TCP
+
+#
+# Network_Interface
+#
+# CONFIG_LWIP_NETIF_API is not set
+# CONFIG_LWIP_NETIF_STATUS_CALLBACK is not set
+# end of Network_Interface
+
+#
+# LOOPIF
+#
+CONFIG_LWIP_NETIF_LOOPBACK=y
+CONFIG_LWIP_LOOPBACK_MAX_PBUFS=8
+# end of LOOPIF
+
+#
+# SLIPIF
+#
+# CONFIG_LWIP_SLIP_SUPPORT is not set
+# end of SLIPIF
+
+CONFIG_LWIP_TCPIP_CORE_LOCKING=y
+
+#
+# Socket
+#
+CONFIG_LWIP_MAX_SOCKETS=10
+# CONFIG_LWIP_SO_LINGER is not set
+CONFIG_LWIP_SO_REUSE=y
+CONFIG_LWIP_SO_REUSE_RXTOALL=y
+# end of Socket
+
+# CONFIG_LWIP_STATS is not set
+
+#
+# PPP
+#
+# CONFIG_LWIP_PPP_SUPPORT is not set
+CONFIG_LWIP_IPV6_MEMP_NUM_ND6_QUEUE=3
+CONFIG_LWIP_IPV6_ND6_NUM_NEIGHBORS=5
+# end of PPP
+
+#
+# Checksums
+#
+# CONFIG_LWIP_CHECKSUM_CHECK_IP is not set
+# CONFIG_LWIP_CHECKSUM_CHECK_UDP is not set
+CONFIG_LWIP_CHECKSUM_CHECK_ICMP=y
+# end of Checksums
+
+#
+# IPV6
+#
+CONFIG_LWIP_IPV6=y
+# CONFIG_LWIP_IPV6_AUTOCONFIG is not set
+CONFIG_LWIP_IPV6_NUM_ADDRESSES=3
+# CONFIG_LWIP_IPV6_FORWARD is not set
+CONFIG_LWIP_IP6_FRAG=y
+# CONFIG_LWIP_IP6_REASSEMBLY is not set
+# end of IPV6
+
+CONFIG_LWIP_DEBUG=y
+# CONFIG_LWIP_DEBUG_ESP_LOG is not set
+CONFIG_LWIP_NETIF_DEBUG=y
+# CONFIG_LWIP_PBUF_DEBUG is not set
+# CONFIG_LWIP_ETHARP_DEBUG is not set
+# CONFIG_LWIP_API_LIB_DEBUG is not set
+# CONFIG_LWIP_SOCKETS_DEBUG is not set
+# CONFIG_LWIP_IP_DEBUG is not set
+# CONFIG_LWIP_ICMP_DEBUG is not set
+# CONFIG_LWIP_DHCP_STATE_DEBUG is not set
+# CONFIG_LWIP_DHCP_DEBUG is not set
+# CONFIG_LWIP_IP6_DEBUG is not set
+# CONFIG_LWIP_ICMP6_DEBUG is not set
+# CONFIG_LWIP_TCP_DEBUG is not set
+# CONFIG_LWIP_UDP_DEBUG is not set
+# CONFIG_LWIP_SNTP_DEBUG is not set
+# CONFIG_LWIP_DNS_DEBUG is not set
+# end of LWIP Configuration
+
+#
+# Tcp/ip task resource configuration
+#
+CONFIG_LWIP_TCPIP_TASK_STACK_SIZE=3072
+CONFIG_LWIP_TCPIP_TASK_PRIO=6
+CONFIG_LWIP_TCPIP_RECVMBOX_SIZE=32
+# end of Tcp/ip task resource configuration
+
+#
+# lwip port thread Configuration
+#
+CONFIG_LWIP_PORT_USE_RECEIVE_THREAD=y
+CONFIG_LWIP_PORT_RECEIVE_THREAD_STACKSIZE=1024
+CONFIG_LWIP_PORT_RECEIVE_THREAD_PRIORITY=5
+CONFIG_LWIP_PORT_USE_LINK_DETECT_THREAD=y
+CONFIG_LWIP_PORT_LINK_DETECT_STACKSIZE=1024
+CONFIG_LWIP_PORT_LINK_DETECT_PRIORITY=5
+CONFIG_LWIP_PORT_DHCP_THREAD=y
+CONFIG_LWIP_PORT_DHCP_STACKSIZE=2048
+CONFIG_LWIP_PORT_DHCP_PRIORITY=5
+# end of lwip port thread Configuration
+# end of LWIP Freertos Port Configuration
+
+CONFIG_USE_MBEDTLS=y
+
+#
+# MBEDTLS Freertos Port Configuration
+#
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +573,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -330,7 +582,7 @@ CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_USE_SFUD is not set
 CONFIG_USE_BACKTRACE=y
 # CONFIG_USE_FATFS_0_1_4 is not set
-# CONFIG_USE_TLSF is not set
+CONFIG_USE_TLSF=y
 # CONFIG_USE_SPIFFS is not set
 # CONFIG_USE_LITTLE_FS is not set
 # CONFIG_USE_LVGL is not set
@@ -345,6 +597,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/media_test/configs/e2000d_aarch64_demo_freertos.config b/example/network/lwip_https/configs/e2000d_aarch64_demo_lwip_https.config
similarity index 57%
rename from example/peripheral/media/media_test/configs/e2000d_aarch64_demo_freertos.config
rename to example/network/lwip_https/configs/e2000d_aarch64_demo_lwip_https.config
index 2a178386..31aa6e73 100644
--- a/example/peripheral/media/media_test/configs/e2000d_aarch64_demo_freertos.config
+++ b/example/network/lwip_https/configs/e2000d_aarch64_demo_lwip_https.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -86,7 +87,7 @@ CONFIG_BOARD_NAME="demo"
 #
 # Build project name
 #
-CONFIG_TARGET_NAME="freertos"
+CONFIG_TARGET_NAME="lwip_https"
 # end of Build project name
 # end of Board Configuration
 
@@ -95,10 +96,10 @@ CONFIG_TARGET_NAME="freertos"
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
 # CONFIG_LOG_VERBOS is not set
-CONFIG_LOG_DEBUG=y
+# CONFIG_LOG_DEBUG is not set
 # CONFIG_LOG_INFO is not set
 # CONFIG_LOG_WARN is not set
-# CONFIG_LOG_ERROR is not set
+CONFIG_LOG_ERROR=y
 # CONFIG_LOG_NONE is not set
 # CONFIG_LOG_EXTRA_INFO is not set
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
@@ -106,6 +107,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -125,7 +127,17 @@ CONFIG_ENABLE_Pl011_UART=y
 # end of Usart Configuration
 
 # CONFIG_USE_GPIO is not set
-# CONFIG_USE_ETH is not set
+CONFIG_USE_ETH=y
+
+#
+# Eth Configuration
+#
+CONFIG_ENABLE_FXMAC=y
+# CONFIG_ENABLE_FGMAC is not set
+CONFIG_FXMAC_PHY_COMMON=y
+# CONFIG_FXMAC_PHY_YT is not set
+# end of Eth Configuration
+
 # CONFIG_USE_CAN is not set
 # CONFIG_USE_I2C is not set
 # CONFIG_USE_TIMER is not set
@@ -140,14 +152,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_ADC is not set
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
-CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+# CONFIG_USE_MEDIA is not set
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -202,7 +207,7 @@ CONFIG_USE_COMPILE_CHAIN=y
 CONFIG_DEFAULT_LINKER_SCRIPT=y
 # CONFIG_USER_DEFINED_LD is not set
 CONFIG_IMAGE_LOAD_ADDRESS=0x80100000
-CONFIG_IMAGE_MAX_LENGTH=0x20000000
+CONFIG_IMAGE_MAX_LENGTH=0x2000000
 CONFIG_HEAP_SIZE=1
 CONFIG_STACK_SIZE=0x400
 # end of Linker Options
@@ -239,7 +244,7 @@ CONFIG_FREERTOS_USE_UART=y
 #
 # Freertos Eth Drivers
 #
-# CONFIG_FREERTOS_USE_XMAC is not set
+CONFIG_FREERTOS_USE_XMAC=y
 # CONFIG_FREERTOS_USE_GMAC is not set
 # end of Freertos Eth Drivers
 
@@ -289,7 +294,7 @@ CONFIG_FREERTOS_USE_UART=y
 #
 # Freertos Media Drivers
 #
-CONFIG_FREERTOS_USE_MEDIA=y
+# CONFIG_FREERTOS_USE_MEDIA is not set
 # end of Freertos Media Drivers
 
 #
@@ -302,7 +307,252 @@ CONFIG_FREERTOS_USE_MEDIA=y
 #
 # Third-party configuration
 #
-# CONFIG_USE_LWIP is not set
+CONFIG_USE_LWIP=y
+
+#
+# LWIP Freertos Port Configuration
+#
+
+#
+# LWIP Configuration
+#
+
+#
+# LWIP Port Configuration
+#
+CONFIG_LWIP_FXMAC=y
+# CONFIG_LWIP_FGMAC is not set
+# CONFIG_LWIP_FSDIF is not set
+# end of LWIP Port Configuration
+
+# CONFIG_LWIP_NO_SYS is not set
+CONFIG_LWIP_LOCAL_HOSTNAME="phytium"
+
+#
+# LWIP_APP
+#
+# CONFIG_USE_LWIP_APP_LWIPERF is not set
+# CONFIG_USE_LWIP_APP_TFTP is not set
+# CONFIG_USE_LWIP_APP_SNTP is not set
+# end of LWIP_APP
+
+#
+# Memory configuration
+#
+# CONFIG_LWIP_USE_MEM_POOL is not set
+CONFIG_LWIP_USE_MEM_HEAP=y
+# CONFIG_LWIP_USE_MEM_HEAP_DEBUG is not set
+CONFIG_MEM_SIZE=2
+CONFIG_MEM_ALIGNMENT=64
+# end of Memory configuration
+
+#
+# Pbuf options
+#
+CONFIG_PBUF_POOL_BUFSIZE=2
+CONFIG_PBUF_POOL_SIZE=1
+# end of Pbuf options
+
+#
+# ARP
+#
+CONFIG_ARP_QUEUEING_EN=y
+# end of ARP
+
+#
+# IPV4
+#
+# CONFIG_USE_IPV4_ONLY is not set
+CONFIG_LWIP_IP4_REASSEMBLY=y
+CONFIG_LWIP_IP4_FRAG=y
+# CONFIG_LWIP_IP_FORWARD is not set
+CONFIG_IP_REASS_MAX_PBUFS=32
+# end of IPV4
+
+#
+# ICMP
+#
+CONFIG_LWIP_ICMP=y
+CONFIG_LWIP_MULTICAST_PING=y
+CONFIG_LWIP_BROADCAST_PING=y
+# end of ICMP
+
+#
+# LWIP RAW API
+#
+CONFIG_LWIP_RAW_API_EN=y
+CONFIG_LWIP_MAX_RAW_PCBS=16
+CONFIG_LWIP_RAW_RECVMBOX_SIZE=6
+# end of LWIP RAW API
+
+#
+# DHCP
+#
+CONFIG_LWIP_DHCP_ENABLE=y
+# CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set
+# CONFIG_LWIP_DHCP_GET_NTP_SRV is not set
+# CONFIG_LWIP_DHCP_DISABLE_CLIENT_ID is not set
+# CONFIG_LWIP_DHCP_RESTORE_LAST_IP is not set
+CONFIG_LWIP_DHCP_OPTIONS_LEN=68
+CONFIG_LWIP_DHCP_DISABLE_VENDOR_CLASS_ID=y
+# end of DHCP
+
+#
+# AUTOIP
+#
+# CONFIG_LWIP_AUTOIP is not set
+# end of AUTOIP
+
+#
+# IGMP
+#
+CONFIG_LWIP_IGMP_EN=y
+# end of IGMP
+
+#
+# DNS
+#
+CONFIG_LWIP_DNS_SUPPORT_MDNS_QUERIES=y
+# end of DNS
+
+#
+# UDP
+#
+CONFIG_LWIP_MAX_UDP_PCBS=16
+CONFIG_LWIP_UDP_RECVMBOX_SIZE=6
+# CONFIG_LWIP_NETBUF_RECVINFO is not set
+# end of UDP
+
+#
+# TCP
+#
+CONFIG_LWIP_TCP_WND_DEFAULT=5744
+CONFIG_LWIP_TCP_MAXRTX=12
+CONFIG_LWIP_TCP_SYNMAXRTX=12
+CONFIG_LWIP_TCP_QUEUE_OOSEQ=y
+# CONFIG_LWIP_TCP_SACK_OUT is not set
+CONFIG_LWIP_TCP_MSS=1440
+CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
+CONFIG_LWIP_TCP_OVERSIZE_MSS=y
+# CONFIG_LWIP_TCP_OVERSIZE_QUARTER_MSS is not set
+# CONFIG_LWIP_TCP_OVERSIZE_DISABLE is not set
+CONFIG_LWIP_TCP_TMR_INTERVAL=250
+CONFIG_LWIP_TCP_MSL=60000
+# CONFIG_LWIP_WND_SCALE is not set
+CONFIG_LWIP_TCP_RTO_TIME=1500
+CONFIG_LWIP_MAX_ACTIVE_TCP=16
+CONFIG_LWIP_MAX_LISTENING_TCP=16
+CONFIG_LWIP_TCP_HIGH_SPEED_RETRANSMISSION=y
+CONFIG_LWIP_TCP_RECVMBOX_SIZE=6
+# end of TCP
+
+#
+# Network_Interface
+#
+# CONFIG_LWIP_NETIF_API is not set
+# CONFIG_LWIP_NETIF_STATUS_CALLBACK is not set
+# end of Network_Interface
+
+#
+# LOOPIF
+#
+CONFIG_LWIP_NETIF_LOOPBACK=y
+CONFIG_LWIP_LOOPBACK_MAX_PBUFS=8
+# end of LOOPIF
+
+#
+# SLIPIF
+#
+# CONFIG_LWIP_SLIP_SUPPORT is not set
+# end of SLIPIF
+
+CONFIG_LWIP_TCPIP_CORE_LOCKING=y
+
+#
+# Socket
+#
+CONFIG_LWIP_MAX_SOCKETS=10
+# CONFIG_LWIP_SO_LINGER is not set
+CONFIG_LWIP_SO_REUSE=y
+CONFIG_LWIP_SO_REUSE_RXTOALL=y
+# end of Socket
+
+# CONFIG_LWIP_STATS is not set
+
+#
+# PPP
+#
+# CONFIG_LWIP_PPP_SUPPORT is not set
+CONFIG_LWIP_IPV6_MEMP_NUM_ND6_QUEUE=3
+CONFIG_LWIP_IPV6_ND6_NUM_NEIGHBORS=5
+# end of PPP
+
+#
+# Checksums
+#
+# CONFIG_LWIP_CHECKSUM_CHECK_IP is not set
+# CONFIG_LWIP_CHECKSUM_CHECK_UDP is not set
+CONFIG_LWIP_CHECKSUM_CHECK_ICMP=y
+# end of Checksums
+
+#
+# IPV6
+#
+CONFIG_LWIP_IPV6=y
+# CONFIG_LWIP_IPV6_AUTOCONFIG is not set
+CONFIG_LWIP_IPV6_NUM_ADDRESSES=3
+# CONFIG_LWIP_IPV6_FORWARD is not set
+CONFIG_LWIP_IP6_FRAG=y
+# CONFIG_LWIP_IP6_REASSEMBLY is not set
+# end of IPV6
+
+CONFIG_LWIP_DEBUG=y
+# CONFIG_LWIP_DEBUG_ESP_LOG is not set
+CONFIG_LWIP_NETIF_DEBUG=y
+# CONFIG_LWIP_PBUF_DEBUG is not set
+# CONFIG_LWIP_ETHARP_DEBUG is not set
+# CONFIG_LWIP_API_LIB_DEBUG is not set
+# CONFIG_LWIP_SOCKETS_DEBUG is not set
+# CONFIG_LWIP_IP_DEBUG is not set
+# CONFIG_LWIP_ICMP_DEBUG is not set
+# CONFIG_LWIP_DHCP_STATE_DEBUG is not set
+# CONFIG_LWIP_DHCP_DEBUG is not set
+# CONFIG_LWIP_IP6_DEBUG is not set
+# CONFIG_LWIP_ICMP6_DEBUG is not set
+# CONFIG_LWIP_TCP_DEBUG is not set
+# CONFIG_LWIP_UDP_DEBUG is not set
+# CONFIG_LWIP_SNTP_DEBUG is not set
+# CONFIG_LWIP_DNS_DEBUG is not set
+# end of LWIP Configuration
+
+#
+# Tcp/ip task resource configuration
+#
+CONFIG_LWIP_TCPIP_TASK_STACK_SIZE=3072
+CONFIG_LWIP_TCPIP_TASK_PRIO=6
+CONFIG_LWIP_TCPIP_RECVMBOX_SIZE=32
+# end of Tcp/ip task resource configuration
+
+#
+# lwip port thread Configuration
+#
+CONFIG_LWIP_PORT_USE_RECEIVE_THREAD=y
+CONFIG_LWIP_PORT_RECEIVE_THREAD_STACKSIZE=1024
+CONFIG_LWIP_PORT_RECEIVE_THREAD_PRIORITY=5
+CONFIG_LWIP_PORT_USE_LINK_DETECT_THREAD=y
+CONFIG_LWIP_PORT_LINK_DETECT_STACKSIZE=1024
+CONFIG_LWIP_PORT_LINK_DETECT_PRIORITY=5
+CONFIG_LWIP_PORT_DHCP_THREAD=y
+CONFIG_LWIP_PORT_DHCP_STACKSIZE=2048
+CONFIG_LWIP_PORT_DHCP_PRIORITY=5
+# end of lwip port thread Configuration
+# end of LWIP Freertos Port Configuration
+
+CONFIG_USE_MBEDTLS=y
+
+#
+# MBEDTLS Freertos Port Configuration
+#
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +562,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -319,7 +571,7 @@ CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_USE_SFUD is not set
 CONFIG_USE_BACKTRACE=y
 # CONFIG_USE_FATFS_0_1_4 is not set
-# CONFIG_USE_TLSF is not set
+CONFIG_USE_TLSF=y
 # CONFIG_USE_SPIFFS is not set
 # CONFIG_USE_LITTLE_FS is not set
 # CONFIG_USE_LVGL is not set
@@ -334,6 +586,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/media_test/configs/e2000q_aarch32_demo_freertos.config b/example/network/lwip_https/configs/e2000q_aarch32_demo_lwip_https.config
similarity index 58%
rename from example/peripheral/media/media_test/configs/e2000q_aarch32_demo_freertos.config
rename to example/network/lwip_https/configs/e2000q_aarch32_demo_lwip_https.config
index 5ed7b7db..21dee350 100644
--- a/example/peripheral/media/media_test/configs/e2000q_aarch32_demo_freertos.config
+++ b/example/network/lwip_https/configs/e2000q_aarch32_demo_lwip_https.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -91,7 +92,7 @@ CONFIG_E2000Q_DEMO_BOARD=y
 #
 # Build project name
 #
-CONFIG_TARGET_NAME="freertos"
+CONFIG_TARGET_NAME="lwip_https"
 # end of Build project name
 # end of Board Configuration
 
@@ -100,10 +101,10 @@ CONFIG_TARGET_NAME="freertos"
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
 # CONFIG_LOG_VERBOS is not set
-CONFIG_LOG_DEBUG=y
+# CONFIG_LOG_DEBUG is not set
 # CONFIG_LOG_INFO is not set
 # CONFIG_LOG_WARN is not set
-# CONFIG_LOG_ERROR is not set
+CONFIG_LOG_ERROR=y
 # CONFIG_LOG_NONE is not set
 # CONFIG_LOG_EXTRA_INFO is not set
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
@@ -111,6 +112,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -130,7 +132,17 @@ CONFIG_ENABLE_Pl011_UART=y
 # end of Usart Configuration
 
 # CONFIG_USE_GPIO is not set
-# CONFIG_USE_ETH is not set
+CONFIG_USE_ETH=y
+
+#
+# Eth Configuration
+#
+CONFIG_ENABLE_FXMAC=y
+# CONFIG_ENABLE_FGMAC is not set
+CONFIG_FXMAC_PHY_COMMON=y
+# CONFIG_FXMAC_PHY_YT is not set
+# end of Eth Configuration
+
 # CONFIG_USE_CAN is not set
 # CONFIG_USE_I2C is not set
 # CONFIG_USE_TIMER is not set
@@ -145,14 +157,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_ADC is not set
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
-CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+# CONFIG_USE_MEDIA is not set
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -207,7 +212,7 @@ CONFIG_USE_COMPILE_CHAIN=y
 CONFIG_DEFAULT_LINKER_SCRIPT=y
 # CONFIG_USER_DEFINED_LD is not set
 CONFIG_IMAGE_LOAD_ADDRESS=0x80100000
-CONFIG_IMAGE_MAX_LENGTH=0x20000000
+CONFIG_IMAGE_MAX_LENGTH=0x2000000
 CONFIG_HEAP_SIZE=1
 CONFIG_SVC_STACK_SIZE=0x1000
 CONFIG_SYS_STACK_SIZE=0x1000
@@ -249,7 +254,7 @@ CONFIG_FREERTOS_USE_UART=y
 #
 # Freertos Eth Drivers
 #
-# CONFIG_FREERTOS_USE_XMAC is not set
+CONFIG_FREERTOS_USE_XMAC=y
 # CONFIG_FREERTOS_USE_GMAC is not set
 # end of Freertos Eth Drivers
 
@@ -299,7 +304,7 @@ CONFIG_FREERTOS_USE_UART=y
 #
 # Freertos Media Drivers
 #
-CONFIG_FREERTOS_USE_MEDIA=y
+# CONFIG_FREERTOS_USE_MEDIA is not set
 # end of Freertos Media Drivers
 
 #
@@ -312,7 +317,252 @@ CONFIG_FREERTOS_USE_MEDIA=y
 #
 # Third-party configuration
 #
-# CONFIG_USE_LWIP is not set
+CONFIG_USE_LWIP=y
+
+#
+# LWIP Freertos Port Configuration
+#
+
+#
+# LWIP Configuration
+#
+
+#
+# LWIP Port Configuration
+#
+CONFIG_LWIP_FXMAC=y
+# CONFIG_LWIP_FGMAC is not set
+# CONFIG_LWIP_FSDIF is not set
+# end of LWIP Port Configuration
+
+# CONFIG_LWIP_NO_SYS is not set
+CONFIG_LWIP_LOCAL_HOSTNAME="phytium"
+
+#
+# LWIP_APP
+#
+# CONFIG_USE_LWIP_APP_LWIPERF is not set
+# CONFIG_USE_LWIP_APP_TFTP is not set
+# CONFIG_USE_LWIP_APP_SNTP is not set
+# end of LWIP_APP
+
+#
+# Memory configuration
+#
+# CONFIG_LWIP_USE_MEM_POOL is not set
+CONFIG_LWIP_USE_MEM_HEAP=y
+# CONFIG_LWIP_USE_MEM_HEAP_DEBUG is not set
+CONFIG_MEM_SIZE=2
+CONFIG_MEM_ALIGNMENT=64
+# end of Memory configuration
+
+#
+# Pbuf options
+#
+CONFIG_PBUF_POOL_BUFSIZE=2
+CONFIG_PBUF_POOL_SIZE=1
+# end of Pbuf options
+
+#
+# ARP
+#
+CONFIG_ARP_QUEUEING_EN=y
+# end of ARP
+
+#
+# IPV4
+#
+# CONFIG_USE_IPV4_ONLY is not set
+CONFIG_LWIP_IP4_REASSEMBLY=y
+CONFIG_LWIP_IP4_FRAG=y
+# CONFIG_LWIP_IP_FORWARD is not set
+CONFIG_IP_REASS_MAX_PBUFS=32
+# end of IPV4
+
+#
+# ICMP
+#
+CONFIG_LWIP_ICMP=y
+CONFIG_LWIP_MULTICAST_PING=y
+CONFIG_LWIP_BROADCAST_PING=y
+# end of ICMP
+
+#
+# LWIP RAW API
+#
+CONFIG_LWIP_RAW_API_EN=y
+CONFIG_LWIP_MAX_RAW_PCBS=16
+CONFIG_LWIP_RAW_RECVMBOX_SIZE=6
+# end of LWIP RAW API
+
+#
+# DHCP
+#
+CONFIG_LWIP_DHCP_ENABLE=y
+# CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set
+# CONFIG_LWIP_DHCP_GET_NTP_SRV is not set
+# CONFIG_LWIP_DHCP_DISABLE_CLIENT_ID is not set
+# CONFIG_LWIP_DHCP_RESTORE_LAST_IP is not set
+CONFIG_LWIP_DHCP_OPTIONS_LEN=68
+CONFIG_LWIP_DHCP_DISABLE_VENDOR_CLASS_ID=y
+# end of DHCP
+
+#
+# AUTOIP
+#
+# CONFIG_LWIP_AUTOIP is not set
+# end of AUTOIP
+
+#
+# IGMP
+#
+CONFIG_LWIP_IGMP_EN=y
+# end of IGMP
+
+#
+# DNS
+#
+CONFIG_LWIP_DNS_SUPPORT_MDNS_QUERIES=y
+# end of DNS
+
+#
+# UDP
+#
+CONFIG_LWIP_MAX_UDP_PCBS=16
+CONFIG_LWIP_UDP_RECVMBOX_SIZE=6
+# CONFIG_LWIP_NETBUF_RECVINFO is not set
+# end of UDP
+
+#
+# TCP
+#
+CONFIG_LWIP_TCP_WND_DEFAULT=5744
+CONFIG_LWIP_TCP_MAXRTX=12
+CONFIG_LWIP_TCP_SYNMAXRTX=12
+CONFIG_LWIP_TCP_QUEUE_OOSEQ=y
+# CONFIG_LWIP_TCP_SACK_OUT is not set
+CONFIG_LWIP_TCP_MSS=1440
+CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
+CONFIG_LWIP_TCP_OVERSIZE_MSS=y
+# CONFIG_LWIP_TCP_OVERSIZE_QUARTER_MSS is not set
+# CONFIG_LWIP_TCP_OVERSIZE_DISABLE is not set
+CONFIG_LWIP_TCP_TMR_INTERVAL=250
+CONFIG_LWIP_TCP_MSL=60000
+# CONFIG_LWIP_WND_SCALE is not set
+CONFIG_LWIP_TCP_RTO_TIME=1500
+CONFIG_LWIP_MAX_ACTIVE_TCP=16
+CONFIG_LWIP_MAX_LISTENING_TCP=16
+CONFIG_LWIP_TCP_HIGH_SPEED_RETRANSMISSION=y
+CONFIG_LWIP_TCP_RECVMBOX_SIZE=6
+# end of TCP
+
+#
+# Network_Interface
+#
+# CONFIG_LWIP_NETIF_API is not set
+# CONFIG_LWIP_NETIF_STATUS_CALLBACK is not set
+# end of Network_Interface
+
+#
+# LOOPIF
+#
+CONFIG_LWIP_NETIF_LOOPBACK=y
+CONFIG_LWIP_LOOPBACK_MAX_PBUFS=8
+# end of LOOPIF
+
+#
+# SLIPIF
+#
+# CONFIG_LWIP_SLIP_SUPPORT is not set
+# end of SLIPIF
+
+CONFIG_LWIP_TCPIP_CORE_LOCKING=y
+
+#
+# Socket
+#
+CONFIG_LWIP_MAX_SOCKETS=10
+# CONFIG_LWIP_SO_LINGER is not set
+CONFIG_LWIP_SO_REUSE=y
+CONFIG_LWIP_SO_REUSE_RXTOALL=y
+# end of Socket
+
+# CONFIG_LWIP_STATS is not set
+
+#
+# PPP
+#
+# CONFIG_LWIP_PPP_SUPPORT is not set
+CONFIG_LWIP_IPV6_MEMP_NUM_ND6_QUEUE=3
+CONFIG_LWIP_IPV6_ND6_NUM_NEIGHBORS=5
+# end of PPP
+
+#
+# Checksums
+#
+# CONFIG_LWIP_CHECKSUM_CHECK_IP is not set
+# CONFIG_LWIP_CHECKSUM_CHECK_UDP is not set
+CONFIG_LWIP_CHECKSUM_CHECK_ICMP=y
+# end of Checksums
+
+#
+# IPV6
+#
+CONFIG_LWIP_IPV6=y
+# CONFIG_LWIP_IPV6_AUTOCONFIG is not set
+CONFIG_LWIP_IPV6_NUM_ADDRESSES=3
+# CONFIG_LWIP_IPV6_FORWARD is not set
+CONFIG_LWIP_IP6_FRAG=y
+# CONFIG_LWIP_IP6_REASSEMBLY is not set
+# end of IPV6
+
+CONFIG_LWIP_DEBUG=y
+# CONFIG_LWIP_DEBUG_ESP_LOG is not set
+CONFIG_LWIP_NETIF_DEBUG=y
+# CONFIG_LWIP_PBUF_DEBUG is not set
+# CONFIG_LWIP_ETHARP_DEBUG is not set
+# CONFIG_LWIP_API_LIB_DEBUG is not set
+# CONFIG_LWIP_SOCKETS_DEBUG is not set
+# CONFIG_LWIP_IP_DEBUG is not set
+# CONFIG_LWIP_ICMP_DEBUG is not set
+# CONFIG_LWIP_DHCP_STATE_DEBUG is not set
+# CONFIG_LWIP_DHCP_DEBUG is not set
+# CONFIG_LWIP_IP6_DEBUG is not set
+# CONFIG_LWIP_ICMP6_DEBUG is not set
+# CONFIG_LWIP_TCP_DEBUG is not set
+# CONFIG_LWIP_UDP_DEBUG is not set
+# CONFIG_LWIP_SNTP_DEBUG is not set
+# CONFIG_LWIP_DNS_DEBUG is not set
+# end of LWIP Configuration
+
+#
+# Tcp/ip task resource configuration
+#
+CONFIG_LWIP_TCPIP_TASK_STACK_SIZE=3072
+CONFIG_LWIP_TCPIP_TASK_PRIO=6
+CONFIG_LWIP_TCPIP_RECVMBOX_SIZE=32
+# end of Tcp/ip task resource configuration
+
+#
+# lwip port thread Configuration
+#
+CONFIG_LWIP_PORT_USE_RECEIVE_THREAD=y
+CONFIG_LWIP_PORT_RECEIVE_THREAD_STACKSIZE=1024
+CONFIG_LWIP_PORT_RECEIVE_THREAD_PRIORITY=5
+CONFIG_LWIP_PORT_USE_LINK_DETECT_THREAD=y
+CONFIG_LWIP_PORT_LINK_DETECT_STACKSIZE=1024
+CONFIG_LWIP_PORT_LINK_DETECT_PRIORITY=5
+CONFIG_LWIP_PORT_DHCP_THREAD=y
+CONFIG_LWIP_PORT_DHCP_STACKSIZE=2048
+CONFIG_LWIP_PORT_DHCP_PRIORITY=5
+# end of lwip port thread Configuration
+# end of LWIP Freertos Port Configuration
+
+CONFIG_USE_MBEDTLS=y
+
+#
+# MBEDTLS Freertos Port Configuration
+#
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +572,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -329,7 +581,7 @@ CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_USE_SFUD is not set
 CONFIG_USE_BACKTRACE=y
 # CONFIG_USE_FATFS_0_1_4 is not set
-# CONFIG_USE_TLSF is not set
+CONFIG_USE_TLSF=y
 # CONFIG_USE_SPIFFS is not set
 # CONFIG_USE_LITTLE_FS is not set
 # CONFIG_USE_LVGL is not set
@@ -344,6 +596,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/media_test/configs/e2000q_aarch64_demo_freertos.config b/example/network/lwip_https/configs/e2000q_aarch64_demo_lwip_https.config
similarity index 57%
rename from example/peripheral/media/media_test/configs/e2000q_aarch64_demo_freertos.config
rename to example/network/lwip_https/configs/e2000q_aarch64_demo_lwip_https.config
index 225ecf5d..48bed033 100644
--- a/example/peripheral/media/media_test/configs/e2000q_aarch64_demo_freertos.config
+++ b/example/network/lwip_https/configs/e2000q_aarch64_demo_lwip_https.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -85,7 +86,7 @@ CONFIG_E2000Q_DEMO_BOARD=y
 #
 # Build project name
 #
-CONFIG_TARGET_NAME="freertos"
+CONFIG_TARGET_NAME="lwip_https"
 # end of Build project name
 # end of Board Configuration
 
@@ -94,10 +95,10 @@ CONFIG_TARGET_NAME="freertos"
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
 # CONFIG_LOG_VERBOS is not set
-CONFIG_LOG_DEBUG=y
+# CONFIG_LOG_DEBUG is not set
 # CONFIG_LOG_INFO is not set
 # CONFIG_LOG_WARN is not set
-# CONFIG_LOG_ERROR is not set
+CONFIG_LOG_ERROR=y
 # CONFIG_LOG_NONE is not set
 # CONFIG_LOG_EXTRA_INFO is not set
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
@@ -105,6 +106,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -124,7 +126,17 @@ CONFIG_ENABLE_Pl011_UART=y
 # end of Usart Configuration
 
 # CONFIG_USE_GPIO is not set
-# CONFIG_USE_ETH is not set
+CONFIG_USE_ETH=y
+
+#
+# Eth Configuration
+#
+CONFIG_ENABLE_FXMAC=y
+# CONFIG_ENABLE_FGMAC is not set
+CONFIG_FXMAC_PHY_COMMON=y
+# CONFIG_FXMAC_PHY_YT is not set
+# end of Eth Configuration
+
 # CONFIG_USE_CAN is not set
 # CONFIG_USE_I2C is not set
 # CONFIG_USE_TIMER is not set
@@ -139,14 +151,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_ADC is not set
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
-CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+# CONFIG_USE_MEDIA is not set
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -201,7 +206,7 @@ CONFIG_USE_COMPILE_CHAIN=y
 CONFIG_DEFAULT_LINKER_SCRIPT=y
 # CONFIG_USER_DEFINED_LD is not set
 CONFIG_IMAGE_LOAD_ADDRESS=0x80100000
-CONFIG_IMAGE_MAX_LENGTH=0x20000000
+CONFIG_IMAGE_MAX_LENGTH=0x2000000
 CONFIG_HEAP_SIZE=1
 CONFIG_STACK_SIZE=0x400
 # end of Linker Options
@@ -238,7 +243,7 @@ CONFIG_FREERTOS_USE_UART=y
 #
 # Freertos Eth Drivers
 #
-# CONFIG_FREERTOS_USE_XMAC is not set
+CONFIG_FREERTOS_USE_XMAC=y
 # CONFIG_FREERTOS_USE_GMAC is not set
 # end of Freertos Eth Drivers
 
@@ -288,7 +293,7 @@ CONFIG_FREERTOS_USE_UART=y
 #
 # Freertos Media Drivers
 #
-CONFIG_FREERTOS_USE_MEDIA=y
+# CONFIG_FREERTOS_USE_MEDIA is not set
 # end of Freertos Media Drivers
 
 #
@@ -301,7 +306,252 @@ CONFIG_FREERTOS_USE_MEDIA=y
 #
 # Third-party configuration
 #
-# CONFIG_USE_LWIP is not set
+CONFIG_USE_LWIP=y
+
+#
+# LWIP Freertos Port Configuration
+#
+
+#
+# LWIP Configuration
+#
+
+#
+# LWIP Port Configuration
+#
+CONFIG_LWIP_FXMAC=y
+# CONFIG_LWIP_FGMAC is not set
+# CONFIG_LWIP_FSDIF is not set
+# end of LWIP Port Configuration
+
+# CONFIG_LWIP_NO_SYS is not set
+CONFIG_LWIP_LOCAL_HOSTNAME="phytium"
+
+#
+# LWIP_APP
+#
+# CONFIG_USE_LWIP_APP_LWIPERF is not set
+# CONFIG_USE_LWIP_APP_TFTP is not set
+# CONFIG_USE_LWIP_APP_SNTP is not set
+# end of LWIP_APP
+
+#
+# Memory configuration
+#
+# CONFIG_LWIP_USE_MEM_POOL is not set
+CONFIG_LWIP_USE_MEM_HEAP=y
+# CONFIG_LWIP_USE_MEM_HEAP_DEBUG is not set
+CONFIG_MEM_SIZE=2
+CONFIG_MEM_ALIGNMENT=64
+# end of Memory configuration
+
+#
+# Pbuf options
+#
+CONFIG_PBUF_POOL_BUFSIZE=2
+CONFIG_PBUF_POOL_SIZE=1
+# end of Pbuf options
+
+#
+# ARP
+#
+CONFIG_ARP_QUEUEING_EN=y
+# end of ARP
+
+#
+# IPV4
+#
+# CONFIG_USE_IPV4_ONLY is not set
+CONFIG_LWIP_IP4_REASSEMBLY=y
+CONFIG_LWIP_IP4_FRAG=y
+# CONFIG_LWIP_IP_FORWARD is not set
+CONFIG_IP_REASS_MAX_PBUFS=32
+# end of IPV4
+
+#
+# ICMP
+#
+CONFIG_LWIP_ICMP=y
+CONFIG_LWIP_MULTICAST_PING=y
+CONFIG_LWIP_BROADCAST_PING=y
+# end of ICMP
+
+#
+# LWIP RAW API
+#
+CONFIG_LWIP_RAW_API_EN=y
+CONFIG_LWIP_MAX_RAW_PCBS=16
+CONFIG_LWIP_RAW_RECVMBOX_SIZE=6
+# end of LWIP RAW API
+
+#
+# DHCP
+#
+CONFIG_LWIP_DHCP_ENABLE=y
+# CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set
+# CONFIG_LWIP_DHCP_GET_NTP_SRV is not set
+# CONFIG_LWIP_DHCP_DISABLE_CLIENT_ID is not set
+# CONFIG_LWIP_DHCP_RESTORE_LAST_IP is not set
+CONFIG_LWIP_DHCP_OPTIONS_LEN=68
+CONFIG_LWIP_DHCP_DISABLE_VENDOR_CLASS_ID=y
+# end of DHCP
+
+#
+# AUTOIP
+#
+# CONFIG_LWIP_AUTOIP is not set
+# end of AUTOIP
+
+#
+# IGMP
+#
+CONFIG_LWIP_IGMP_EN=y
+# end of IGMP
+
+#
+# DNS
+#
+CONFIG_LWIP_DNS_SUPPORT_MDNS_QUERIES=y
+# end of DNS
+
+#
+# UDP
+#
+CONFIG_LWIP_MAX_UDP_PCBS=16
+CONFIG_LWIP_UDP_RECVMBOX_SIZE=6
+# CONFIG_LWIP_NETBUF_RECVINFO is not set
+# end of UDP
+
+#
+# TCP
+#
+CONFIG_LWIP_TCP_WND_DEFAULT=5744
+CONFIG_LWIP_TCP_MAXRTX=12
+CONFIG_LWIP_TCP_SYNMAXRTX=12
+CONFIG_LWIP_TCP_QUEUE_OOSEQ=y
+# CONFIG_LWIP_TCP_SACK_OUT is not set
+CONFIG_LWIP_TCP_MSS=1440
+CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
+CONFIG_LWIP_TCP_OVERSIZE_MSS=y
+# CONFIG_LWIP_TCP_OVERSIZE_QUARTER_MSS is not set
+# CONFIG_LWIP_TCP_OVERSIZE_DISABLE is not set
+CONFIG_LWIP_TCP_TMR_INTERVAL=250
+CONFIG_LWIP_TCP_MSL=60000
+# CONFIG_LWIP_WND_SCALE is not set
+CONFIG_LWIP_TCP_RTO_TIME=1500
+CONFIG_LWIP_MAX_ACTIVE_TCP=16
+CONFIG_LWIP_MAX_LISTENING_TCP=16
+CONFIG_LWIP_TCP_HIGH_SPEED_RETRANSMISSION=y
+CONFIG_LWIP_TCP_RECVMBOX_SIZE=6
+# end of TCP
+
+#
+# Network_Interface
+#
+# CONFIG_LWIP_NETIF_API is not set
+# CONFIG_LWIP_NETIF_STATUS_CALLBACK is not set
+# end of Network_Interface
+
+#
+# LOOPIF
+#
+CONFIG_LWIP_NETIF_LOOPBACK=y
+CONFIG_LWIP_LOOPBACK_MAX_PBUFS=8
+# end of LOOPIF
+
+#
+# SLIPIF
+#
+# CONFIG_LWIP_SLIP_SUPPORT is not set
+# end of SLIPIF
+
+CONFIG_LWIP_TCPIP_CORE_LOCKING=y
+
+#
+# Socket
+#
+CONFIG_LWIP_MAX_SOCKETS=10
+# CONFIG_LWIP_SO_LINGER is not set
+CONFIG_LWIP_SO_REUSE=y
+CONFIG_LWIP_SO_REUSE_RXTOALL=y
+# end of Socket
+
+# CONFIG_LWIP_STATS is not set
+
+#
+# PPP
+#
+# CONFIG_LWIP_PPP_SUPPORT is not set
+CONFIG_LWIP_IPV6_MEMP_NUM_ND6_QUEUE=3
+CONFIG_LWIP_IPV6_ND6_NUM_NEIGHBORS=5
+# end of PPP
+
+#
+# Checksums
+#
+# CONFIG_LWIP_CHECKSUM_CHECK_IP is not set
+# CONFIG_LWIP_CHECKSUM_CHECK_UDP is not set
+CONFIG_LWIP_CHECKSUM_CHECK_ICMP=y
+# end of Checksums
+
+#
+# IPV6
+#
+CONFIG_LWIP_IPV6=y
+# CONFIG_LWIP_IPV6_AUTOCONFIG is not set
+CONFIG_LWIP_IPV6_NUM_ADDRESSES=3
+# CONFIG_LWIP_IPV6_FORWARD is not set
+CONFIG_LWIP_IP6_FRAG=y
+# CONFIG_LWIP_IP6_REASSEMBLY is not set
+# end of IPV6
+
+CONFIG_LWIP_DEBUG=y
+# CONFIG_LWIP_DEBUG_ESP_LOG is not set
+CONFIG_LWIP_NETIF_DEBUG=y
+# CONFIG_LWIP_PBUF_DEBUG is not set
+# CONFIG_LWIP_ETHARP_DEBUG is not set
+# CONFIG_LWIP_API_LIB_DEBUG is not set
+# CONFIG_LWIP_SOCKETS_DEBUG is not set
+# CONFIG_LWIP_IP_DEBUG is not set
+# CONFIG_LWIP_ICMP_DEBUG is not set
+# CONFIG_LWIP_DHCP_STATE_DEBUG is not set
+# CONFIG_LWIP_DHCP_DEBUG is not set
+# CONFIG_LWIP_IP6_DEBUG is not set
+# CONFIG_LWIP_ICMP6_DEBUG is not set
+# CONFIG_LWIP_TCP_DEBUG is not set
+# CONFIG_LWIP_UDP_DEBUG is not set
+# CONFIG_LWIP_SNTP_DEBUG is not set
+# CONFIG_LWIP_DNS_DEBUG is not set
+# end of LWIP Configuration
+
+#
+# Tcp/ip task resource configuration
+#
+CONFIG_LWIP_TCPIP_TASK_STACK_SIZE=3072
+CONFIG_LWIP_TCPIP_TASK_PRIO=6
+CONFIG_LWIP_TCPIP_RECVMBOX_SIZE=32
+# end of Tcp/ip task resource configuration
+
+#
+# lwip port thread Configuration
+#
+CONFIG_LWIP_PORT_USE_RECEIVE_THREAD=y
+CONFIG_LWIP_PORT_RECEIVE_THREAD_STACKSIZE=1024
+CONFIG_LWIP_PORT_RECEIVE_THREAD_PRIORITY=5
+CONFIG_LWIP_PORT_USE_LINK_DETECT_THREAD=y
+CONFIG_LWIP_PORT_LINK_DETECT_STACKSIZE=1024
+CONFIG_LWIP_PORT_LINK_DETECT_PRIORITY=5
+CONFIG_LWIP_PORT_DHCP_THREAD=y
+CONFIG_LWIP_PORT_DHCP_STACKSIZE=2048
+CONFIG_LWIP_PORT_DHCP_PRIORITY=5
+# end of lwip port thread Configuration
+# end of LWIP Freertos Port Configuration
+
+CONFIG_USE_MBEDTLS=y
+
+#
+# MBEDTLS Freertos Port Configuration
+#
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +561,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -318,7 +570,7 @@ CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_USE_SFUD is not set
 CONFIG_USE_BACKTRACE=y
 # CONFIG_USE_FATFS_0_1_4 is not set
-# CONFIG_USE_TLSF is not set
+CONFIG_USE_TLSF=y
 # CONFIG_USE_SPIFFS is not set
 # CONFIG_USE_LITTLE_FS is not set
 # CONFIG_USE_LVGL is not set
@@ -333,6 +585,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_https/configs/ft2004_aarch32_dsk_lwip_https.config b/example/network/lwip_https/configs/ft2004_aarch32_dsk_lwip_https.config
new file mode 100644
index 00000000..65d6ba04
--- /dev/null
+++ b/example/network/lwip_https/configs/ft2004_aarch32_dsk_lwip_https.config
@@ -0,0 +1,606 @@
+CONFIG_USE_FREERTOS=y
+
+#
+# Arch configuration
+#
+CONFIG_TARGET_ARMv8=y
+CONFIG_ARCH_NAME="armv8"
+
+#
+# Arm architecture configuration
+#
+# CONFIG_ARCH_ARMV8_AARCH64 is not set
+CONFIG_ARCH_ARMV8_AARCH32=y
+
+#
+# Compiler configuration
+#
+CONFIG_ARM_GCC_SELECT=y
+# CONFIG_ARM_CLANG_SELECT is not set
+CONFIG_TOOLCHAIN_NAME="gcc"
+CONFIG_TARGET_ARMV8_AARCH32=y
+CONFIG_ARCH_EXECUTION_STATE="aarch32"
+
+#
+# Fpu configuration
+#
+CONFIG_CRYPTO_NEON_FP_ARMV8=y
+# CONFIG_VFPV4 is not set
+# CONFIG_VFPV4_D16 is not set
+# CONFIG_VFPV3 is not set
+# CONFIG_VFPV3_D16 is not set
+CONFIG_ARM_MFPU="crypto-neon-fp-armv8"
+CONFIG_MFLOAT_ABI_HARD=y
+# CONFIG_MFLOAT_ABI_SOFTFP is not set
+CONFIG_ARM_MFLOAT_ABI="hard"
+# end of Fpu configuration
+# end of Compiler configuration
+
+# CONFIG_USE_L3CACHE is not set
+CONFIG_USE_AARCH64_L1_TO_AARCH32=y
+# end of Arm architecture configuration
+
+CONFIG_MMU_PAGE_SIZE=0x1000
+CONFIG_FMMU_NUM_L2_TABLES=256
+# end of Arch configuration
+
+#
+# Soc configuration
+#
+# CONFIG_TARGET_PHYTIUMPI is not set
+# CONFIG_TARGET_E2000Q is not set
+# CONFIG_TARGET_E2000D is not set
+# CONFIG_TARGET_E2000S is not set
+CONFIG_TARGET_FT2004=y
+# CONFIG_TARGET_D2000 is not set
+# CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
+CONFIG_SOC_NAME="ft2004"
+CONFIG_SOC_CORE_NUM=4
+CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
+CONFIG_F32BIT_MEMORY_LENGTH=0x80000000
+CONFIG_F64BIT_MEMORY_ADDRESS=0x2000000000
+CONFIG_F64BIT_MEMORY_LENGTH=0x800000000
+CONFIG_DEFAULT_DEBUG_PRINT_UART1=y
+# CONFIG_DEFAULT_DEBUG_PRINT_UART0 is not set
+# CONFIG_DEFAULT_DEBUG_PRINT_UART2 is not set
+# end of Soc configuration
+
+#
+# Board Configuration
+#
+CONFIG_BOARD_NAME="dsk"
+CONFIG_FT2004_DSK_BOARD=y
+
+#
+# IO mux configuration when board start up
+#
+# CONFIG_CUS_DEMO_BOARD is not set
+
+#
+# Build project name
+#
+CONFIG_TARGET_NAME="lwip_https"
+# end of Build project name
+# end of Board Configuration
+
+#
+# Sdk common configuration
+#
+CONFIG_ELOG_LINE_BUF_SIZE=0x100
+# CONFIG_LOG_VERBOS is not set
+# CONFIG_LOG_DEBUG is not set
+# CONFIG_LOG_INFO is not set
+# CONFIG_LOG_WARN is not set
+CONFIG_LOG_ERROR=y
+# CONFIG_LOG_NONE is not set
+# CONFIG_LOG_EXTRA_INFO is not set
+# CONFIG_LOG_DISPALY_CORE_NUM is not set
+# CONFIG_BOOTUP_DEBUG_PRINTS is not set
+CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
+CONFIG_INTERRUPT_ROLE_MASTER=y
+# CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
+# end of Sdk common configuration
+
+#
+# Drivers configuration
+#
+CONFIG_USE_IOMUX=y
+CONFIG_ENABLE_IOCTRL=y
+# CONFIG_ENABLE_IOPAD is not set
+# CONFIG_USE_SPI is not set
+# CONFIG_USE_QSPI is not set
+CONFIG_USE_SERIAL=y
+
+#
+# Usart Configuration
+#
+CONFIG_ENABLE_Pl011_UART=y
+# end of Usart Configuration
+
+# CONFIG_USE_GPIO is not set
+CONFIG_USE_ETH=y
+
+#
+# Eth Configuration
+#
+# CONFIG_ENABLE_FXMAC is not set
+CONFIG_ENABLE_FGMAC=y
+CONFIG_FGMAC_PHY_COMMON=y
+# CONFIG_FGMAC_PHY_AR803X is not set
+# end of Eth Configuration
+
+# CONFIG_USE_CAN is not set
+# CONFIG_USE_I2C is not set
+# CONFIG_USE_TIMER is not set
+# CONFIG_USE_MIO is not set
+# CONFIG_USE_SDMMC is not set
+# CONFIG_USE_PCIE is not set
+# CONFIG_USE_WDT is not set
+# CONFIG_USE_DMA is not set
+# CONFIG_USE_NAND is not set
+# CONFIG_USE_RTC is not set
+# CONFIG_USE_SATA is not set
+# CONFIG_USE_ADC is not set
+# CONFIG_USE_PWM is not set
+# CONFIG_USE_IPC is not set
+# CONFIG_USE_MEDIA is not set
+# CONFIG_USE_SCMI_MHU is not set
+# CONFIG_USE_I2S is not set
+# CONFIG_USE_I3C is not set
+# end of Drivers configuration
+
+#
+# Build setup
+#
+CONFIG_CHECK_DEPS=y
+CONFIG_OUTPUT_BINARY=y
+
+#
+# Optimization options
+#
+# CONFIG_DEBUG_NOOPT is not set
+# CONFIG_DEBUG_CUSTOMOPT is not set
+CONFIG_DEBUG_FULLOPT=y
+CONFIG_DEBUG_OPT_UNUSED_SECTIONS=y
+CONFIG_DEBUG_LINK_MAP=y
+# CONFIG_CCACHE is not set
+# CONFIG_ARCH_COVERAGE is not set
+# CONFIG_LTO_FULL is not set
+# end of Optimization options
+
+#
+# Debug options
+#
+# CONFIG_DEBUG_ENABLE_ALL_WARNING is not set
+# CONFIG_WALL_WARNING_ERROR is not set
+# CONFIG_STRICT_PROTOTYPES is not set
+# CONFIG_DEBUG_SYMBOLS is not set
+# CONFIG_FRAME_POINTER is not set
+# CONFIG_OUTPUT_ASM_DIS is not set
+# CONFIG_ENABLE_WSHADOW is not set
+# CONFIG_ENABLE_WUNDEF is not set
+CONFIG_DOWNGRADE_DIAG_WARNING=y
+# end of Debug options
+
+#
+# Lib
+#
+CONFIG_USE_COMPILE_CHAIN=y
+# CONFIG_USE_NEWLIB is not set
+# CONFIG_USE_USER_DEFINED is not set
+# end of Lib
+
+# CONFIG_ENABLE_CXX is not set
+
+#
+# Linker Options
+#
+CONFIG_DEFAULT_LINKER_SCRIPT=y
+# CONFIG_USER_DEFINED_LD is not set
+CONFIG_IMAGE_LOAD_ADDRESS=0x80100000
+CONFIG_IMAGE_MAX_LENGTH=0x2000000
+CONFIG_HEAP_SIZE=1
+CONFIG_SVC_STACK_SIZE=0x1000
+CONFIG_SYS_STACK_SIZE=0x1000
+CONFIG_IRQ_STACK_SIZE=0x1000
+CONFIG_ABORT_STACK_SIZE=0x1000
+CONFIG_FIQ_STACK_SIZE=0x1000
+CONFIG_UNDEF_STACK_SIZE=0x1000
+# end of Linker Options
+# end of Build setup
+
+#
+# Component Configuration
+#
+
+#
+# Freertos Uart Drivers
+#
+CONFIG_FREERTOS_USE_UART=y
+# end of Freertos Uart Drivers
+
+#
+# Freertos Pwm Drivers
+#
+# CONFIG_FREERTOS_USE_PWM is not set
+# end of Freertos Pwm Drivers
+
+#
+# Freertos Qspi Drivers
+#
+# CONFIG_FREERTOS_USE_QSPI is not set
+# end of Freertos Qspi Drivers
+
+#
+# Freertos Wdt Drivers
+#
+# CONFIG_FREERTOS_USE_WDT is not set
+# end of Freertos Wdt Drivers
+
+#
+# Freertos Eth Drivers
+#
+# CONFIG_FREERTOS_USE_XMAC is not set
+CONFIG_FREERTOS_USE_GMAC=y
+# end of Freertos Eth Drivers
+
+#
+# Freertos Spim Drivers
+#
+# CONFIG_FREERTOS_USE_FSPIM is not set
+# end of Freertos Spim Drivers
+
+#
+# Freertos DMA Drivers
+#
+# CONFIG_FREERTOS_USE_FDDMA is not set
+# CONFIG_FREERTOS_USE_FGDMA is not set
+# end of Freertos DMA Drivers
+
+#
+# Freertos Adc Drivers
+#
+# CONFIG_FREERTOS_USE_ADC is not set
+# end of Freertos Adc Drivers
+
+#
+# Freertos Can Drivers
+#
+# CONFIG_FREERTOS_USE_CAN is not set
+# end of Freertos Can Drivers
+
+#
+# Freertos I2c Drivers
+#
+# CONFIG_FREERTOS_USE_I2C is not set
+# end of Freertos I2c Drivers
+
+#
+# Freertos Mio Drivers
+#
+# CONFIG_FREERTOS_USE_MIO is not set
+# end of Freertos Mio Drivers
+
+#
+# Freertos Timer Drivers
+#
+# CONFIG_FREERTOS_USE_TIMER is not set
+# end of Freertos Timer Drivers
+
+#
+# Freertos Media Drivers
+#
+# CONFIG_FREERTOS_USE_MEDIA is not set
+# end of Freertos Media Drivers
+
+#
+# Freertos I2s Drivers
+#
+# CONFIG_FREERTOS_USE_I2S is not set
+# end of Freertos I2s Drivers
+# end of Component Configuration
+
+#
+# Third-party configuration
+#
+CONFIG_USE_LWIP=y
+
+#
+# LWIP Freertos Port Configuration
+#
+
+#
+# LWIP Configuration
+#
+
+#
+# LWIP Port Configuration
+#
+# CONFIG_LWIP_FXMAC is not set
+CONFIG_LWIP_FGMAC=y
+# CONFIG_LWIP_FSDIF is not set
+# end of LWIP Port Configuration
+
+# CONFIG_LWIP_NO_SYS is not set
+CONFIG_LWIP_LOCAL_HOSTNAME="phytium"
+
+#
+# LWIP_APP
+#
+# CONFIG_USE_LWIP_APP_LWIPERF is not set
+# CONFIG_USE_LWIP_APP_TFTP is not set
+# CONFIG_USE_LWIP_APP_SNTP is not set
+# end of LWIP_APP
+
+#
+# Memory configuration
+#
+# CONFIG_LWIP_USE_MEM_POOL is not set
+CONFIG_LWIP_USE_MEM_HEAP=y
+# CONFIG_LWIP_USE_MEM_HEAP_DEBUG is not set
+CONFIG_MEM_SIZE=2
+CONFIG_MEM_ALIGNMENT=64
+# end of Memory configuration
+
+#
+# Pbuf options
+#
+CONFIG_PBUF_POOL_BUFSIZE=2
+CONFIG_PBUF_POOL_SIZE=1
+# end of Pbuf options
+
+#
+# ARP
+#
+CONFIG_ARP_QUEUEING_EN=y
+# end of ARP
+
+#
+# IPV4
+#
+# CONFIG_USE_IPV4_ONLY is not set
+CONFIG_LWIP_IP4_REASSEMBLY=y
+CONFIG_LWIP_IP4_FRAG=y
+# CONFIG_LWIP_IP_FORWARD is not set
+CONFIG_IP_REASS_MAX_PBUFS=32
+# end of IPV4
+
+#
+# ICMP
+#
+CONFIG_LWIP_ICMP=y
+CONFIG_LWIP_MULTICAST_PING=y
+CONFIG_LWIP_BROADCAST_PING=y
+# end of ICMP
+
+#
+# LWIP RAW API
+#
+CONFIG_LWIP_RAW_API_EN=y
+CONFIG_LWIP_MAX_RAW_PCBS=16
+CONFIG_LWIP_RAW_RECVMBOX_SIZE=6
+# end of LWIP RAW API
+
+#
+# DHCP
+#
+CONFIG_LWIP_DHCP_ENABLE=y
+# CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set
+# CONFIG_LWIP_DHCP_GET_NTP_SRV is not set
+# CONFIG_LWIP_DHCP_DISABLE_CLIENT_ID is not set
+# CONFIG_LWIP_DHCP_RESTORE_LAST_IP is not set
+CONFIG_LWIP_DHCP_OPTIONS_LEN=68
+CONFIG_LWIP_DHCP_DISABLE_VENDOR_CLASS_ID=y
+# end of DHCP
+
+#
+# AUTOIP
+#
+# CONFIG_LWIP_AUTOIP is not set
+# end of AUTOIP
+
+#
+# IGMP
+#
+CONFIG_LWIP_IGMP_EN=y
+# end of IGMP
+
+#
+# DNS
+#
+CONFIG_LWIP_DNS_SUPPORT_MDNS_QUERIES=y
+# end of DNS
+
+#
+# UDP
+#
+CONFIG_LWIP_MAX_UDP_PCBS=16
+CONFIG_LWIP_UDP_RECVMBOX_SIZE=6
+# CONFIG_LWIP_NETBUF_RECVINFO is not set
+# end of UDP
+
+#
+# TCP
+#
+CONFIG_LWIP_TCP_WND_DEFAULT=5744
+CONFIG_LWIP_TCP_MAXRTX=12
+CONFIG_LWIP_TCP_SYNMAXRTX=12
+CONFIG_LWIP_TCP_QUEUE_OOSEQ=y
+# CONFIG_LWIP_TCP_SACK_OUT is not set
+CONFIG_LWIP_TCP_MSS=1440
+CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
+CONFIG_LWIP_TCP_OVERSIZE_MSS=y
+# CONFIG_LWIP_TCP_OVERSIZE_QUARTER_MSS is not set
+# CONFIG_LWIP_TCP_OVERSIZE_DISABLE is not set
+CONFIG_LWIP_TCP_TMR_INTERVAL=250
+CONFIG_LWIP_TCP_MSL=60000
+# CONFIG_LWIP_WND_SCALE is not set
+CONFIG_LWIP_TCP_RTO_TIME=1500
+CONFIG_LWIP_MAX_ACTIVE_TCP=16
+CONFIG_LWIP_MAX_LISTENING_TCP=16
+CONFIG_LWIP_TCP_HIGH_SPEED_RETRANSMISSION=y
+CONFIG_LWIP_TCP_RECVMBOX_SIZE=6
+# end of TCP
+
+#
+# Network_Interface
+#
+# CONFIG_LWIP_NETIF_API is not set
+# CONFIG_LWIP_NETIF_STATUS_CALLBACK is not set
+# end of Network_Interface
+
+#
+# LOOPIF
+#
+CONFIG_LWIP_NETIF_LOOPBACK=y
+CONFIG_LWIP_LOOPBACK_MAX_PBUFS=8
+# end of LOOPIF
+
+#
+# SLIPIF
+#
+# CONFIG_LWIP_SLIP_SUPPORT is not set
+# end of SLIPIF
+
+CONFIG_LWIP_TCPIP_CORE_LOCKING=y
+
+#
+# Socket
+#
+CONFIG_LWIP_MAX_SOCKETS=10
+# CONFIG_LWIP_SO_LINGER is not set
+CONFIG_LWIP_SO_REUSE=y
+CONFIG_LWIP_SO_REUSE_RXTOALL=y
+# end of Socket
+
+# CONFIG_LWIP_STATS is not set
+
+#
+# PPP
+#
+# CONFIG_LWIP_PPP_SUPPORT is not set
+CONFIG_LWIP_IPV6_MEMP_NUM_ND6_QUEUE=3
+CONFIG_LWIP_IPV6_ND6_NUM_NEIGHBORS=5
+# end of PPP
+
+#
+# Checksums
+#
+# CONFIG_LWIP_CHECKSUM_CHECK_IP is not set
+# CONFIG_LWIP_CHECKSUM_CHECK_UDP is not set
+CONFIG_LWIP_CHECKSUM_CHECK_ICMP=y
+# end of Checksums
+
+#
+# IPV6
+#
+CONFIG_LWIP_IPV6=y
+# CONFIG_LWIP_IPV6_AUTOCONFIG is not set
+CONFIG_LWIP_IPV6_NUM_ADDRESSES=3
+# CONFIG_LWIP_IPV6_FORWARD is not set
+CONFIG_LWIP_IP6_FRAG=y
+# CONFIG_LWIP_IP6_REASSEMBLY is not set
+# end of IPV6
+
+CONFIG_LWIP_DEBUG=y
+# CONFIG_LWIP_DEBUG_ESP_LOG is not set
+CONFIG_LWIP_NETIF_DEBUG=y
+# CONFIG_LWIP_PBUF_DEBUG is not set
+# CONFIG_LWIP_ETHARP_DEBUG is not set
+# CONFIG_LWIP_API_LIB_DEBUG is not set
+# CONFIG_LWIP_SOCKETS_DEBUG is not set
+# CONFIG_LWIP_IP_DEBUG is not set
+# CONFIG_LWIP_ICMP_DEBUG is not set
+# CONFIG_LWIP_DHCP_STATE_DEBUG is not set
+# CONFIG_LWIP_DHCP_DEBUG is not set
+# CONFIG_LWIP_IP6_DEBUG is not set
+# CONFIG_LWIP_ICMP6_DEBUG is not set
+# CONFIG_LWIP_TCP_DEBUG is not set
+# CONFIG_LWIP_UDP_DEBUG is not set
+# CONFIG_LWIP_SNTP_DEBUG is not set
+# CONFIG_LWIP_DNS_DEBUG is not set
+# end of LWIP Configuration
+
+#
+# Tcp/ip task resource configuration
+#
+CONFIG_LWIP_TCPIP_TASK_STACK_SIZE=3072
+CONFIG_LWIP_TCPIP_TASK_PRIO=6
+CONFIG_LWIP_TCPIP_RECVMBOX_SIZE=32
+# end of Tcp/ip task resource configuration
+
+#
+# lwip port thread Configuration
+#
+CONFIG_LWIP_PORT_USE_RECEIVE_THREAD=y
+CONFIG_LWIP_PORT_RECEIVE_THREAD_STACKSIZE=1024
+CONFIG_LWIP_PORT_RECEIVE_THREAD_PRIORITY=5
+CONFIG_LWIP_PORT_USE_LINK_DETECT_THREAD=y
+CONFIG_LWIP_PORT_LINK_DETECT_STACKSIZE=1024
+CONFIG_LWIP_PORT_LINK_DETECT_PRIORITY=5
+CONFIG_LWIP_PORT_DHCP_THREAD=y
+CONFIG_LWIP_PORT_DHCP_STACKSIZE=2048
+CONFIG_LWIP_PORT_DHCP_PRIORITY=5
+# end of lwip port thread Configuration
+# end of LWIP Freertos Port Configuration
+
+CONFIG_USE_MBEDTLS=y
+
+#
+# MBEDTLS Freertos Port Configuration
+#
+CONFIG_USE_LETTER_SHELL=y
+
+#
+# Letter Shell Configuration
+#
+CONFIG_LS_PL011_UART=y
+CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
+# end of Letter Shell Configuration
+
+# CONFIG_USE_AMP is not set
+# CONFIG_USE_YMODEM is not set
+# CONFIG_USE_SFUD is not set
+CONFIG_USE_BACKTRACE=y
+# CONFIG_USE_FATFS_0_1_4 is not set
+CONFIG_USE_TLSF=y
+# CONFIG_USE_SPIFFS is not set
+# CONFIG_USE_LITTLE_FS is not set
+# CONFIG_USE_LVGL is not set
+# CONFIG_USE_FREEMODBUS is not set
+# CONFIG_USE_CHERRY_USB is not set
+# CONFIG_USE_FSL_SDMMC is not set
+# CONFIG_USE_FSL_WIFI is not set
+# end of Third-party configuration
+
+#
+# FreeRTOS Kernel Configuration
+#
+CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
+CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
+CONFIG_FREERTOS_MAX_PRIORITIES=32
+CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
+CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
+CONFIG_FREERTOS_THREAD_LOCAL_STORAGE_POINTERS=1
+CONFIG_FREERTOS_MINIMAL_TASK_STACKSIZE=1024
+CONFIG_FREERTOS_MAX_TASK_NAME_LEN=32
+CONFIG_FREERTOS_TIMER_TASK_PRIORITY=1
+CONFIG_FREERTOS_TIMER_TASK_STACK_DEPTH=2048
+CONFIG_FREERTOS_TIMER_QUEUE_LENGTH=10
+CONFIG_FREERTOS_QUEUE_REGISTRY_SIZE=0
+CONFIG_FREERTOS_GENERATE_RUN_TIME_STATS=y
+CONFIG_FREERTOS_USE_TRACE_FACILITY=y
+CONFIG_FREERTOS_USE_STATS_FORMATTING_FUNCTIONS=y
+# CONFIG_FREERTOS_USE_TICKLESS_IDLE is not set
+CONFIG_FREERTOS_TOTAL_HEAP_SIZE=10240
+CONFIG_FREERTOS_TASK_FPU_SUPPORT=1
+# CONFIG_FREERTOS_USE_POSIX is not set
+# end of FreeRTOS Kernel Configuration
diff --git a/example/network/lwip_https/configs/ft2004_aarch64_dsk_lwip_https.config b/example/network/lwip_https/configs/ft2004_aarch64_dsk_lwip_https.config
new file mode 100644
index 00000000..ff832d48
--- /dev/null
+++ b/example/network/lwip_https/configs/ft2004_aarch64_dsk_lwip_https.config
@@ -0,0 +1,595 @@
+CONFIG_USE_FREERTOS=y
+
+#
+# Arch configuration
+#
+CONFIG_TARGET_ARMv8=y
+CONFIG_ARCH_NAME="armv8"
+
+#
+# Arm architecture configuration
+#
+CONFIG_ARCH_ARMV8_AARCH64=y
+# CONFIG_ARCH_ARMV8_AARCH32 is not set
+
+#
+# Compiler configuration
+#
+CONFIG_ARM_GCC_SELECT=y
+# CONFIG_ARM_CLANG_SELECT is not set
+CONFIG_TOOLCHAIN_NAME="gcc"
+CONFIG_TARGET_ARMV8_AARCH64=y
+CONFIG_ARCH_EXECUTION_STATE="aarch64"
+CONFIG_ARM_NEON=y
+CONFIG_ARM_CRC=y
+CONFIG_ARM_CRYPTO=y
+CONFIG_ARM_FLOAT_POINT=y
+# CONFIG_GCC_CODE_MODEL_TINY is not set
+CONFIG_GCC_CODE_MODEL_SMALL=y
+# CONFIG_GCC_CODE_MODEL_LARGE is not set
+# end of Compiler configuration
+
+# CONFIG_USE_L3CACHE is not set
+# CONFIG_BOOT_WITH_FLUSH_CACHE is not set
+# CONFIG_MMU_DEBUG_PRINTS is not set
+# end of Arm architecture configuration
+
+CONFIG_MMU_PAGE_SIZE=0x1000
+CONFIG_MAX_XLAT_TABLES=256
+# end of Arch configuration
+
+#
+# Soc configuration
+#
+# CONFIG_TARGET_PHYTIUMPI is not set
+# CONFIG_TARGET_E2000Q is not set
+# CONFIG_TARGET_E2000D is not set
+# CONFIG_TARGET_E2000S is not set
+CONFIG_TARGET_FT2004=y
+# CONFIG_TARGET_D2000 is not set
+# CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
+CONFIG_SOC_NAME="ft2004"
+CONFIG_SOC_CORE_NUM=4
+CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
+CONFIG_F32BIT_MEMORY_LENGTH=0x80000000
+CONFIG_F64BIT_MEMORY_ADDRESS=0x2000000000
+CONFIG_F64BIT_MEMORY_LENGTH=0x800000000
+CONFIG_DEFAULT_DEBUG_PRINT_UART1=y
+# CONFIG_DEFAULT_DEBUG_PRINT_UART0 is not set
+# CONFIG_DEFAULT_DEBUG_PRINT_UART2 is not set
+# end of Soc configuration
+
+#
+# Board Configuration
+#
+CONFIG_BOARD_NAME="dsk"
+CONFIG_FT2004_DSK_BOARD=y
+
+#
+# IO mux configuration when board start up
+#
+# CONFIG_CUS_DEMO_BOARD is not set
+
+#
+# Build project name
+#
+CONFIG_TARGET_NAME="lwip_https"
+# end of Build project name
+# end of Board Configuration
+
+#
+# Sdk common configuration
+#
+CONFIG_ELOG_LINE_BUF_SIZE=0x100
+# CONFIG_LOG_VERBOS is not set
+# CONFIG_LOG_DEBUG is not set
+# CONFIG_LOG_INFO is not set
+# CONFIG_LOG_WARN is not set
+CONFIG_LOG_ERROR=y
+# CONFIG_LOG_NONE is not set
+# CONFIG_LOG_EXTRA_INFO is not set
+# CONFIG_LOG_DISPALY_CORE_NUM is not set
+# CONFIG_BOOTUP_DEBUG_PRINTS is not set
+CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
+CONFIG_INTERRUPT_ROLE_MASTER=y
+# CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
+# end of Sdk common configuration
+
+#
+# Drivers configuration
+#
+CONFIG_USE_IOMUX=y
+CONFIG_ENABLE_IOCTRL=y
+# CONFIG_ENABLE_IOPAD is not set
+# CONFIG_USE_SPI is not set
+# CONFIG_USE_QSPI is not set
+CONFIG_USE_SERIAL=y
+
+#
+# Usart Configuration
+#
+CONFIG_ENABLE_Pl011_UART=y
+# end of Usart Configuration
+
+# CONFIG_USE_GPIO is not set
+CONFIG_USE_ETH=y
+
+#
+# Eth Configuration
+#
+# CONFIG_ENABLE_FXMAC is not set
+CONFIG_ENABLE_FGMAC=y
+CONFIG_FGMAC_PHY_COMMON=y
+# CONFIG_FGMAC_PHY_AR803X is not set
+# end of Eth Configuration
+
+# CONFIG_USE_CAN is not set
+# CONFIG_USE_I2C is not set
+# CONFIG_USE_TIMER is not set
+# CONFIG_USE_MIO is not set
+# CONFIG_USE_SDMMC is not set
+# CONFIG_USE_PCIE is not set
+# CONFIG_USE_WDT is not set
+# CONFIG_USE_DMA is not set
+# CONFIG_USE_NAND is not set
+# CONFIG_USE_RTC is not set
+# CONFIG_USE_SATA is not set
+# CONFIG_USE_ADC is not set
+# CONFIG_USE_PWM is not set
+# CONFIG_USE_IPC is not set
+# CONFIG_USE_MEDIA is not set
+# CONFIG_USE_SCMI_MHU is not set
+# CONFIG_USE_I2S is not set
+# CONFIG_USE_I3C is not set
+# end of Drivers configuration
+
+#
+# Build setup
+#
+CONFIG_CHECK_DEPS=y
+CONFIG_OUTPUT_BINARY=y
+
+#
+# Optimization options
+#
+# CONFIG_DEBUG_NOOPT is not set
+# CONFIG_DEBUG_CUSTOMOPT is not set
+CONFIG_DEBUG_FULLOPT=y
+CONFIG_DEBUG_OPT_UNUSED_SECTIONS=y
+CONFIG_DEBUG_LINK_MAP=y
+# CONFIG_CCACHE is not set
+# CONFIG_ARCH_COVERAGE is not set
+# CONFIG_LTO_FULL is not set
+# end of Optimization options
+
+#
+# Debug options
+#
+# CONFIG_DEBUG_ENABLE_ALL_WARNING is not set
+# CONFIG_WALL_WARNING_ERROR is not set
+# CONFIG_STRICT_PROTOTYPES is not set
+# CONFIG_DEBUG_SYMBOLS is not set
+# CONFIG_FRAME_POINTER is not set
+# CONFIG_OUTPUT_ASM_DIS is not set
+# CONFIG_ENABLE_WSHADOW is not set
+# CONFIG_ENABLE_WUNDEF is not set
+CONFIG_DOWNGRADE_DIAG_WARNING=y
+# end of Debug options
+
+#
+# Lib
+#
+CONFIG_USE_COMPILE_CHAIN=y
+# CONFIG_USE_NEWLIB is not set
+# CONFIG_USE_USER_DEFINED is not set
+# end of Lib
+
+# CONFIG_ENABLE_CXX is not set
+
+#
+# Linker Options
+#
+CONFIG_DEFAULT_LINKER_SCRIPT=y
+# CONFIG_USER_DEFINED_LD is not set
+CONFIG_IMAGE_LOAD_ADDRESS=0x80100000
+CONFIG_IMAGE_MAX_LENGTH=0x2000000
+CONFIG_HEAP_SIZE=1
+CONFIG_STACK_SIZE=0x400
+# end of Linker Options
+# end of Build setup
+
+#
+# Component Configuration
+#
+
+#
+# Freertos Uart Drivers
+#
+CONFIG_FREERTOS_USE_UART=y
+# end of Freertos Uart Drivers
+
+#
+# Freertos Pwm Drivers
+#
+# CONFIG_FREERTOS_USE_PWM is not set
+# end of Freertos Pwm Drivers
+
+#
+# Freertos Qspi Drivers
+#
+# CONFIG_FREERTOS_USE_QSPI is not set
+# end of Freertos Qspi Drivers
+
+#
+# Freertos Wdt Drivers
+#
+# CONFIG_FREERTOS_USE_WDT is not set
+# end of Freertos Wdt Drivers
+
+#
+# Freertos Eth Drivers
+#
+# CONFIG_FREERTOS_USE_XMAC is not set
+CONFIG_FREERTOS_USE_GMAC=y
+# end of Freertos Eth Drivers
+
+#
+# Freertos Spim Drivers
+#
+# CONFIG_FREERTOS_USE_FSPIM is not set
+# end of Freertos Spim Drivers
+
+#
+# Freertos DMA Drivers
+#
+# CONFIG_FREERTOS_USE_FDDMA is not set
+# CONFIG_FREERTOS_USE_FGDMA is not set
+# end of Freertos DMA Drivers
+
+#
+# Freertos Adc Drivers
+#
+# CONFIG_FREERTOS_USE_ADC is not set
+# end of Freertos Adc Drivers
+
+#
+# Freertos Can Drivers
+#
+# CONFIG_FREERTOS_USE_CAN is not set
+# end of Freertos Can Drivers
+
+#
+# Freertos I2c Drivers
+#
+# CONFIG_FREERTOS_USE_I2C is not set
+# end of Freertos I2c Drivers
+
+#
+# Freertos Mio Drivers
+#
+# CONFIG_FREERTOS_USE_MIO is not set
+# end of Freertos Mio Drivers
+
+#
+# Freertos Timer Drivers
+#
+# CONFIG_FREERTOS_USE_TIMER is not set
+# end of Freertos Timer Drivers
+
+#
+# Freertos Media Drivers
+#
+# CONFIG_FREERTOS_USE_MEDIA is not set
+# end of Freertos Media Drivers
+
+#
+# Freertos I2s Drivers
+#
+# CONFIG_FREERTOS_USE_I2S is not set
+# end of Freertos I2s Drivers
+# end of Component Configuration
+
+#
+# Third-party configuration
+#
+CONFIG_USE_LWIP=y
+
+#
+# LWIP Freertos Port Configuration
+#
+
+#
+# LWIP Configuration
+#
+
+#
+# LWIP Port Configuration
+#
+# CONFIG_LWIP_FXMAC is not set
+CONFIG_LWIP_FGMAC=y
+# CONFIG_LWIP_FSDIF is not set
+# end of LWIP Port Configuration
+
+# CONFIG_LWIP_NO_SYS is not set
+CONFIG_LWIP_LOCAL_HOSTNAME="phytium"
+
+#
+# LWIP_APP
+#
+# CONFIG_USE_LWIP_APP_LWIPERF is not set
+# CONFIG_USE_LWIP_APP_TFTP is not set
+# CONFIG_USE_LWIP_APP_SNTP is not set
+# end of LWIP_APP
+
+#
+# Memory configuration
+#
+# CONFIG_LWIP_USE_MEM_POOL is not set
+CONFIG_LWIP_USE_MEM_HEAP=y
+# CONFIG_LWIP_USE_MEM_HEAP_DEBUG is not set
+CONFIG_MEM_SIZE=2
+CONFIG_MEM_ALIGNMENT=64
+# end of Memory configuration
+
+#
+# Pbuf options
+#
+CONFIG_PBUF_POOL_BUFSIZE=2
+CONFIG_PBUF_POOL_SIZE=1
+# end of Pbuf options
+
+#
+# ARP
+#
+CONFIG_ARP_QUEUEING_EN=y
+# end of ARP
+
+#
+# IPV4
+#
+# CONFIG_USE_IPV4_ONLY is not set
+CONFIG_LWIP_IP4_REASSEMBLY=y
+CONFIG_LWIP_IP4_FRAG=y
+# CONFIG_LWIP_IP_FORWARD is not set
+CONFIG_IP_REASS_MAX_PBUFS=32
+# end of IPV4
+
+#
+# ICMP
+#
+CONFIG_LWIP_ICMP=y
+CONFIG_LWIP_MULTICAST_PING=y
+CONFIG_LWIP_BROADCAST_PING=y
+# end of ICMP
+
+#
+# LWIP RAW API
+#
+CONFIG_LWIP_RAW_API_EN=y
+CONFIG_LWIP_MAX_RAW_PCBS=16
+CONFIG_LWIP_RAW_RECVMBOX_SIZE=6
+# end of LWIP RAW API
+
+#
+# DHCP
+#
+CONFIG_LWIP_DHCP_ENABLE=y
+# CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set
+# CONFIG_LWIP_DHCP_GET_NTP_SRV is not set
+# CONFIG_LWIP_DHCP_DISABLE_CLIENT_ID is not set
+# CONFIG_LWIP_DHCP_RESTORE_LAST_IP is not set
+CONFIG_LWIP_DHCP_OPTIONS_LEN=68
+CONFIG_LWIP_DHCP_DISABLE_VENDOR_CLASS_ID=y
+# end of DHCP
+
+#
+# AUTOIP
+#
+# CONFIG_LWIP_AUTOIP is not set
+# end of AUTOIP
+
+#
+# IGMP
+#
+CONFIG_LWIP_IGMP_EN=y
+# end of IGMP
+
+#
+# DNS
+#
+CONFIG_LWIP_DNS_SUPPORT_MDNS_QUERIES=y
+# end of DNS
+
+#
+# UDP
+#
+CONFIG_LWIP_MAX_UDP_PCBS=16
+CONFIG_LWIP_UDP_RECVMBOX_SIZE=6
+# CONFIG_LWIP_NETBUF_RECVINFO is not set
+# end of UDP
+
+#
+# TCP
+#
+CONFIG_LWIP_TCP_WND_DEFAULT=5744
+CONFIG_LWIP_TCP_MAXRTX=12
+CONFIG_LWIP_TCP_SYNMAXRTX=12
+CONFIG_LWIP_TCP_QUEUE_OOSEQ=y
+# CONFIG_LWIP_TCP_SACK_OUT is not set
+CONFIG_LWIP_TCP_MSS=1440
+CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
+CONFIG_LWIP_TCP_OVERSIZE_MSS=y
+# CONFIG_LWIP_TCP_OVERSIZE_QUARTER_MSS is not set
+# CONFIG_LWIP_TCP_OVERSIZE_DISABLE is not set
+CONFIG_LWIP_TCP_TMR_INTERVAL=250
+CONFIG_LWIP_TCP_MSL=60000
+# CONFIG_LWIP_WND_SCALE is not set
+CONFIG_LWIP_TCP_RTO_TIME=1500
+CONFIG_LWIP_MAX_ACTIVE_TCP=16
+CONFIG_LWIP_MAX_LISTENING_TCP=16
+CONFIG_LWIP_TCP_HIGH_SPEED_RETRANSMISSION=y
+CONFIG_LWIP_TCP_RECVMBOX_SIZE=6
+# end of TCP
+
+#
+# Network_Interface
+#
+# CONFIG_LWIP_NETIF_API is not set
+# CONFIG_LWIP_NETIF_STATUS_CALLBACK is not set
+# end of Network_Interface
+
+#
+# LOOPIF
+#
+CONFIG_LWIP_NETIF_LOOPBACK=y
+CONFIG_LWIP_LOOPBACK_MAX_PBUFS=8
+# end of LOOPIF
+
+#
+# SLIPIF
+#
+# CONFIG_LWIP_SLIP_SUPPORT is not set
+# end of SLIPIF
+
+CONFIG_LWIP_TCPIP_CORE_LOCKING=y
+
+#
+# Socket
+#
+CONFIG_LWIP_MAX_SOCKETS=10
+# CONFIG_LWIP_SO_LINGER is not set
+CONFIG_LWIP_SO_REUSE=y
+CONFIG_LWIP_SO_REUSE_RXTOALL=y
+# end of Socket
+
+# CONFIG_LWIP_STATS is not set
+
+#
+# PPP
+#
+# CONFIG_LWIP_PPP_SUPPORT is not set
+CONFIG_LWIP_IPV6_MEMP_NUM_ND6_QUEUE=3
+CONFIG_LWIP_IPV6_ND6_NUM_NEIGHBORS=5
+# end of PPP
+
+#
+# Checksums
+#
+# CONFIG_LWIP_CHECKSUM_CHECK_IP is not set
+# CONFIG_LWIP_CHECKSUM_CHECK_UDP is not set
+CONFIG_LWIP_CHECKSUM_CHECK_ICMP=y
+# end of Checksums
+
+#
+# IPV6
+#
+CONFIG_LWIP_IPV6=y
+# CONFIG_LWIP_IPV6_AUTOCONFIG is not set
+CONFIG_LWIP_IPV6_NUM_ADDRESSES=3
+# CONFIG_LWIP_IPV6_FORWARD is not set
+CONFIG_LWIP_IP6_FRAG=y
+# CONFIG_LWIP_IP6_REASSEMBLY is not set
+# end of IPV6
+
+CONFIG_LWIP_DEBUG=y
+# CONFIG_LWIP_DEBUG_ESP_LOG is not set
+CONFIG_LWIP_NETIF_DEBUG=y
+# CONFIG_LWIP_PBUF_DEBUG is not set
+# CONFIG_LWIP_ETHARP_DEBUG is not set
+# CONFIG_LWIP_API_LIB_DEBUG is not set
+# CONFIG_LWIP_SOCKETS_DEBUG is not set
+# CONFIG_LWIP_IP_DEBUG is not set
+# CONFIG_LWIP_ICMP_DEBUG is not set
+# CONFIG_LWIP_DHCP_STATE_DEBUG is not set
+# CONFIG_LWIP_DHCP_DEBUG is not set
+# CONFIG_LWIP_IP6_DEBUG is not set
+# CONFIG_LWIP_ICMP6_DEBUG is not set
+# CONFIG_LWIP_TCP_DEBUG is not set
+# CONFIG_LWIP_UDP_DEBUG is not set
+# CONFIG_LWIP_SNTP_DEBUG is not set
+# CONFIG_LWIP_DNS_DEBUG is not set
+# end of LWIP Configuration
+
+#
+# Tcp/ip task resource configuration
+#
+CONFIG_LWIP_TCPIP_TASK_STACK_SIZE=3072
+CONFIG_LWIP_TCPIP_TASK_PRIO=6
+CONFIG_LWIP_TCPIP_RECVMBOX_SIZE=32
+# end of Tcp/ip task resource configuration
+
+#
+# lwip port thread Configuration
+#
+CONFIG_LWIP_PORT_USE_RECEIVE_THREAD=y
+CONFIG_LWIP_PORT_RECEIVE_THREAD_STACKSIZE=1024
+CONFIG_LWIP_PORT_RECEIVE_THREAD_PRIORITY=5
+CONFIG_LWIP_PORT_USE_LINK_DETECT_THREAD=y
+CONFIG_LWIP_PORT_LINK_DETECT_STACKSIZE=1024
+CONFIG_LWIP_PORT_LINK_DETECT_PRIORITY=5
+CONFIG_LWIP_PORT_DHCP_THREAD=y
+CONFIG_LWIP_PORT_DHCP_STACKSIZE=2048
+CONFIG_LWIP_PORT_DHCP_PRIORITY=5
+# end of lwip port thread Configuration
+# end of LWIP Freertos Port Configuration
+
+CONFIG_USE_MBEDTLS=y
+
+#
+# MBEDTLS Freertos Port Configuration
+#
+CONFIG_USE_LETTER_SHELL=y
+
+#
+# Letter Shell Configuration
+#
+CONFIG_LS_PL011_UART=y
+CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
+# end of Letter Shell Configuration
+
+# CONFIG_USE_AMP is not set
+# CONFIG_USE_YMODEM is not set
+# CONFIG_USE_SFUD is not set
+CONFIG_USE_BACKTRACE=y
+# CONFIG_USE_FATFS_0_1_4 is not set
+CONFIG_USE_TLSF=y
+# CONFIG_USE_SPIFFS is not set
+# CONFIG_USE_LITTLE_FS is not set
+# CONFIG_USE_LVGL is not set
+# CONFIG_USE_FREEMODBUS is not set
+# CONFIG_USE_CHERRY_USB is not set
+# CONFIG_USE_FSL_SDMMC is not set
+# CONFIG_USE_FSL_WIFI is not set
+# end of Third-party configuration
+
+#
+# FreeRTOS Kernel Configuration
+#
+CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
+CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
+CONFIG_FREERTOS_MAX_PRIORITIES=32
+CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
+CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
+CONFIG_FREERTOS_THREAD_LOCAL_STORAGE_POINTERS=1
+CONFIG_FREERTOS_MINIMAL_TASK_STACKSIZE=1024
+CONFIG_FREERTOS_MAX_TASK_NAME_LEN=32
+CONFIG_FREERTOS_TIMER_TASK_PRIORITY=1
+CONFIG_FREERTOS_TIMER_TASK_STACK_DEPTH=2048
+CONFIG_FREERTOS_TIMER_QUEUE_LENGTH=10
+CONFIG_FREERTOS_QUEUE_REGISTRY_SIZE=0
+CONFIG_FREERTOS_GENERATE_RUN_TIME_STATS=y
+CONFIG_FREERTOS_USE_TRACE_FACILITY=y
+CONFIG_FREERTOS_USE_STATS_FORMATTING_FUNCTIONS=y
+# CONFIG_FREERTOS_USE_TICKLESS_IDLE is not set
+CONFIG_FREERTOS_TOTAL_HEAP_SIZE=10240
+CONFIG_FREERTOS_TASK_FPU_SUPPORT=1
+# CONFIG_FREERTOS_USE_POSIX is not set
+# end of FreeRTOS Kernel Configuration
diff --git a/example/peripheral/media/media_test/configs/phytiumpi_aarch32_firefly_freertos.config b/example/network/lwip_https/configs/phytiumpi_aarch32_firefly_lwip_https.config
similarity index 58%
rename from example/peripheral/media/media_test/configs/phytiumpi_aarch32_firefly_freertos.config
rename to example/network/lwip_https/configs/phytiumpi_aarch32_firefly_lwip_https.config
index 4cf49b27..878de18d 100644
--- a/example/peripheral/media/media_test/configs/phytiumpi_aarch32_firefly_freertos.config
+++ b/example/network/lwip_https/configs/phytiumpi_aarch32_firefly_lwip_https.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -90,7 +91,7 @@ CONFIG_FIREFLY_DEMO_BOARD=y
 #
 # Build project name
 #
-CONFIG_TARGET_NAME="freertos"
+CONFIG_TARGET_NAME="lwip_https"
 # end of Build project name
 # end of Board Configuration
 
@@ -99,10 +100,10 @@ CONFIG_TARGET_NAME="freertos"
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
 # CONFIG_LOG_VERBOS is not set
-CONFIG_LOG_DEBUG=y
+# CONFIG_LOG_DEBUG is not set
 # CONFIG_LOG_INFO is not set
 # CONFIG_LOG_WARN is not set
-# CONFIG_LOG_ERROR is not set
+CONFIG_LOG_ERROR=y
 # CONFIG_LOG_NONE is not set
 # CONFIG_LOG_EXTRA_INFO is not set
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
@@ -110,6 +111,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -129,7 +131,17 @@ CONFIG_ENABLE_Pl011_UART=y
 # end of Usart Configuration
 
 # CONFIG_USE_GPIO is not set
-# CONFIG_USE_ETH is not set
+CONFIG_USE_ETH=y
+
+#
+# Eth Configuration
+#
+CONFIG_ENABLE_FXMAC=y
+# CONFIG_ENABLE_FGMAC is not set
+CONFIG_FXMAC_PHY_COMMON=y
+# CONFIG_FXMAC_PHY_YT is not set
+# end of Eth Configuration
+
 # CONFIG_USE_CAN is not set
 # CONFIG_USE_I2C is not set
 # CONFIG_USE_TIMER is not set
@@ -144,14 +156,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_ADC is not set
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
-CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+# CONFIG_USE_MEDIA is not set
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -206,7 +211,7 @@ CONFIG_USE_COMPILE_CHAIN=y
 CONFIG_DEFAULT_LINKER_SCRIPT=y
 # CONFIG_USER_DEFINED_LD is not set
 CONFIG_IMAGE_LOAD_ADDRESS=0x80100000
-CONFIG_IMAGE_MAX_LENGTH=0x20000000
+CONFIG_IMAGE_MAX_LENGTH=0x2000000
 CONFIG_HEAP_SIZE=1
 CONFIG_SVC_STACK_SIZE=0x1000
 CONFIG_SYS_STACK_SIZE=0x1000
@@ -248,7 +253,7 @@ CONFIG_FREERTOS_USE_UART=y
 #
 # Freertos Eth Drivers
 #
-# CONFIG_FREERTOS_USE_XMAC is not set
+CONFIG_FREERTOS_USE_XMAC=y
 # CONFIG_FREERTOS_USE_GMAC is not set
 # end of Freertos Eth Drivers
 
@@ -298,7 +303,7 @@ CONFIG_FREERTOS_USE_UART=y
 #
 # Freertos Media Drivers
 #
-CONFIG_FREERTOS_USE_MEDIA=y
+# CONFIG_FREERTOS_USE_MEDIA is not set
 # end of Freertos Media Drivers
 
 #
@@ -311,7 +316,252 @@ CONFIG_FREERTOS_USE_MEDIA=y
 #
 # Third-party configuration
 #
-# CONFIG_USE_LWIP is not set
+CONFIG_USE_LWIP=y
+
+#
+# LWIP Freertos Port Configuration
+#
+
+#
+# LWIP Configuration
+#
+
+#
+# LWIP Port Configuration
+#
+CONFIG_LWIP_FXMAC=y
+# CONFIG_LWIP_FGMAC is not set
+# CONFIG_LWIP_FSDIF is not set
+# end of LWIP Port Configuration
+
+# CONFIG_LWIP_NO_SYS is not set
+CONFIG_LWIP_LOCAL_HOSTNAME="phytium"
+
+#
+# LWIP_APP
+#
+# CONFIG_USE_LWIP_APP_LWIPERF is not set
+# CONFIG_USE_LWIP_APP_TFTP is not set
+# CONFIG_USE_LWIP_APP_SNTP is not set
+# end of LWIP_APP
+
+#
+# Memory configuration
+#
+# CONFIG_LWIP_USE_MEM_POOL is not set
+CONFIG_LWIP_USE_MEM_HEAP=y
+# CONFIG_LWIP_USE_MEM_HEAP_DEBUG is not set
+CONFIG_MEM_SIZE=2
+CONFIG_MEM_ALIGNMENT=64
+# end of Memory configuration
+
+#
+# Pbuf options
+#
+CONFIG_PBUF_POOL_BUFSIZE=2
+CONFIG_PBUF_POOL_SIZE=1
+# end of Pbuf options
+
+#
+# ARP
+#
+CONFIG_ARP_QUEUEING_EN=y
+# end of ARP
+
+#
+# IPV4
+#
+# CONFIG_USE_IPV4_ONLY is not set
+CONFIG_LWIP_IP4_REASSEMBLY=y
+CONFIG_LWIP_IP4_FRAG=y
+# CONFIG_LWIP_IP_FORWARD is not set
+CONFIG_IP_REASS_MAX_PBUFS=32
+# end of IPV4
+
+#
+# ICMP
+#
+CONFIG_LWIP_ICMP=y
+CONFIG_LWIP_MULTICAST_PING=y
+CONFIG_LWIP_BROADCAST_PING=y
+# end of ICMP
+
+#
+# LWIP RAW API
+#
+CONFIG_LWIP_RAW_API_EN=y
+CONFIG_LWIP_MAX_RAW_PCBS=16
+CONFIG_LWIP_RAW_RECVMBOX_SIZE=6
+# end of LWIP RAW API
+
+#
+# DHCP
+#
+CONFIG_LWIP_DHCP_ENABLE=y
+# CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set
+# CONFIG_LWIP_DHCP_GET_NTP_SRV is not set
+# CONFIG_LWIP_DHCP_DISABLE_CLIENT_ID is not set
+# CONFIG_LWIP_DHCP_RESTORE_LAST_IP is not set
+CONFIG_LWIP_DHCP_OPTIONS_LEN=68
+CONFIG_LWIP_DHCP_DISABLE_VENDOR_CLASS_ID=y
+# end of DHCP
+
+#
+# AUTOIP
+#
+# CONFIG_LWIP_AUTOIP is not set
+# end of AUTOIP
+
+#
+# IGMP
+#
+CONFIG_LWIP_IGMP_EN=y
+# end of IGMP
+
+#
+# DNS
+#
+CONFIG_LWIP_DNS_SUPPORT_MDNS_QUERIES=y
+# end of DNS
+
+#
+# UDP
+#
+CONFIG_LWIP_MAX_UDP_PCBS=16
+CONFIG_LWIP_UDP_RECVMBOX_SIZE=6
+# CONFIG_LWIP_NETBUF_RECVINFO is not set
+# end of UDP
+
+#
+# TCP
+#
+CONFIG_LWIP_TCP_WND_DEFAULT=5744
+CONFIG_LWIP_TCP_MAXRTX=12
+CONFIG_LWIP_TCP_SYNMAXRTX=12
+CONFIG_LWIP_TCP_QUEUE_OOSEQ=y
+# CONFIG_LWIP_TCP_SACK_OUT is not set
+CONFIG_LWIP_TCP_MSS=1440
+CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
+CONFIG_LWIP_TCP_OVERSIZE_MSS=y
+# CONFIG_LWIP_TCP_OVERSIZE_QUARTER_MSS is not set
+# CONFIG_LWIP_TCP_OVERSIZE_DISABLE is not set
+CONFIG_LWIP_TCP_TMR_INTERVAL=250
+CONFIG_LWIP_TCP_MSL=60000
+# CONFIG_LWIP_WND_SCALE is not set
+CONFIG_LWIP_TCP_RTO_TIME=1500
+CONFIG_LWIP_MAX_ACTIVE_TCP=16
+CONFIG_LWIP_MAX_LISTENING_TCP=16
+CONFIG_LWIP_TCP_HIGH_SPEED_RETRANSMISSION=y
+CONFIG_LWIP_TCP_RECVMBOX_SIZE=6
+# end of TCP
+
+#
+# Network_Interface
+#
+# CONFIG_LWIP_NETIF_API is not set
+# CONFIG_LWIP_NETIF_STATUS_CALLBACK is not set
+# end of Network_Interface
+
+#
+# LOOPIF
+#
+CONFIG_LWIP_NETIF_LOOPBACK=y
+CONFIG_LWIP_LOOPBACK_MAX_PBUFS=8
+# end of LOOPIF
+
+#
+# SLIPIF
+#
+# CONFIG_LWIP_SLIP_SUPPORT is not set
+# end of SLIPIF
+
+CONFIG_LWIP_TCPIP_CORE_LOCKING=y
+
+#
+# Socket
+#
+CONFIG_LWIP_MAX_SOCKETS=10
+# CONFIG_LWIP_SO_LINGER is not set
+CONFIG_LWIP_SO_REUSE=y
+CONFIG_LWIP_SO_REUSE_RXTOALL=y
+# end of Socket
+
+# CONFIG_LWIP_STATS is not set
+
+#
+# PPP
+#
+# CONFIG_LWIP_PPP_SUPPORT is not set
+CONFIG_LWIP_IPV6_MEMP_NUM_ND6_QUEUE=3
+CONFIG_LWIP_IPV6_ND6_NUM_NEIGHBORS=5
+# end of PPP
+
+#
+# Checksums
+#
+# CONFIG_LWIP_CHECKSUM_CHECK_IP is not set
+# CONFIG_LWIP_CHECKSUM_CHECK_UDP is not set
+CONFIG_LWIP_CHECKSUM_CHECK_ICMP=y
+# end of Checksums
+
+#
+# IPV6
+#
+CONFIG_LWIP_IPV6=y
+# CONFIG_LWIP_IPV6_AUTOCONFIG is not set
+CONFIG_LWIP_IPV6_NUM_ADDRESSES=3
+# CONFIG_LWIP_IPV6_FORWARD is not set
+CONFIG_LWIP_IP6_FRAG=y
+# CONFIG_LWIP_IP6_REASSEMBLY is not set
+# end of IPV6
+
+CONFIG_LWIP_DEBUG=y
+# CONFIG_LWIP_DEBUG_ESP_LOG is not set
+CONFIG_LWIP_NETIF_DEBUG=y
+# CONFIG_LWIP_PBUF_DEBUG is not set
+# CONFIG_LWIP_ETHARP_DEBUG is not set
+# CONFIG_LWIP_API_LIB_DEBUG is not set
+# CONFIG_LWIP_SOCKETS_DEBUG is not set
+# CONFIG_LWIP_IP_DEBUG is not set
+# CONFIG_LWIP_ICMP_DEBUG is not set
+# CONFIG_LWIP_DHCP_STATE_DEBUG is not set
+# CONFIG_LWIP_DHCP_DEBUG is not set
+# CONFIG_LWIP_IP6_DEBUG is not set
+# CONFIG_LWIP_ICMP6_DEBUG is not set
+# CONFIG_LWIP_TCP_DEBUG is not set
+# CONFIG_LWIP_UDP_DEBUG is not set
+# CONFIG_LWIP_SNTP_DEBUG is not set
+# CONFIG_LWIP_DNS_DEBUG is not set
+# end of LWIP Configuration
+
+#
+# Tcp/ip task resource configuration
+#
+CONFIG_LWIP_TCPIP_TASK_STACK_SIZE=3072
+CONFIG_LWIP_TCPIP_TASK_PRIO=6
+CONFIG_LWIP_TCPIP_RECVMBOX_SIZE=32
+# end of Tcp/ip task resource configuration
+
+#
+# lwip port thread Configuration
+#
+CONFIG_LWIP_PORT_USE_RECEIVE_THREAD=y
+CONFIG_LWIP_PORT_RECEIVE_THREAD_STACKSIZE=1024
+CONFIG_LWIP_PORT_RECEIVE_THREAD_PRIORITY=5
+CONFIG_LWIP_PORT_USE_LINK_DETECT_THREAD=y
+CONFIG_LWIP_PORT_LINK_DETECT_STACKSIZE=1024
+CONFIG_LWIP_PORT_LINK_DETECT_PRIORITY=5
+CONFIG_LWIP_PORT_DHCP_THREAD=y
+CONFIG_LWIP_PORT_DHCP_STACKSIZE=2048
+CONFIG_LWIP_PORT_DHCP_PRIORITY=5
+# end of lwip port thread Configuration
+# end of LWIP Freertos Port Configuration
+
+CONFIG_USE_MBEDTLS=y
+
+#
+# MBEDTLS Freertos Port Configuration
+#
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -321,6 +571,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -328,7 +580,7 @@ CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_USE_SFUD is not set
 CONFIG_USE_BACKTRACE=y
 # CONFIG_USE_FATFS_0_1_4 is not set
-# CONFIG_USE_TLSF is not set
+CONFIG_USE_TLSF=y
 # CONFIG_USE_SPIFFS is not set
 # CONFIG_USE_LITTLE_FS is not set
 # CONFIG_USE_LVGL is not set
@@ -343,6 +595,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/media_test/configs/phytiumpi_aarch64_firefly_freertos.config b/example/network/lwip_https/configs/phytiumpi_aarch64_firefly_lwip_https.config
similarity index 57%
rename from example/peripheral/media/media_test/configs/phytiumpi_aarch64_firefly_freertos.config
rename to example/network/lwip_https/configs/phytiumpi_aarch64_firefly_lwip_https.config
index efbfdcc5..3762ee10 100644
--- a/example/peripheral/media/media_test/configs/phytiumpi_aarch64_firefly_freertos.config
+++ b/example/network/lwip_https/configs/phytiumpi_aarch64_firefly_lwip_https.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -84,7 +85,7 @@ CONFIG_FIREFLY_DEMO_BOARD=y
 #
 # Build project name
 #
-CONFIG_TARGET_NAME="freertos"
+CONFIG_TARGET_NAME="lwip_https"
 # end of Build project name
 # end of Board Configuration
 
@@ -93,10 +94,10 @@ CONFIG_TARGET_NAME="freertos"
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
 # CONFIG_LOG_VERBOS is not set
-CONFIG_LOG_DEBUG=y
+# CONFIG_LOG_DEBUG is not set
 # CONFIG_LOG_INFO is not set
 # CONFIG_LOG_WARN is not set
-# CONFIG_LOG_ERROR is not set
+CONFIG_LOG_ERROR=y
 # CONFIG_LOG_NONE is not set
 # CONFIG_LOG_EXTRA_INFO is not set
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
@@ -104,6 +105,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -123,7 +125,17 @@ CONFIG_ENABLE_Pl011_UART=y
 # end of Usart Configuration
 
 # CONFIG_USE_GPIO is not set
-# CONFIG_USE_ETH is not set
+CONFIG_USE_ETH=y
+
+#
+# Eth Configuration
+#
+CONFIG_ENABLE_FXMAC=y
+# CONFIG_ENABLE_FGMAC is not set
+CONFIG_FXMAC_PHY_COMMON=y
+# CONFIG_FXMAC_PHY_YT is not set
+# end of Eth Configuration
+
 # CONFIG_USE_CAN is not set
 # CONFIG_USE_I2C is not set
 # CONFIG_USE_TIMER is not set
@@ -138,14 +150,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_ADC is not set
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
-CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+# CONFIG_USE_MEDIA is not set
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -200,7 +205,7 @@ CONFIG_USE_COMPILE_CHAIN=y
 CONFIG_DEFAULT_LINKER_SCRIPT=y
 # CONFIG_USER_DEFINED_LD is not set
 CONFIG_IMAGE_LOAD_ADDRESS=0x80100000
-CONFIG_IMAGE_MAX_LENGTH=0x20000000
+CONFIG_IMAGE_MAX_LENGTH=0x2000000
 CONFIG_HEAP_SIZE=1
 CONFIG_STACK_SIZE=0x400
 # end of Linker Options
@@ -237,7 +242,7 @@ CONFIG_FREERTOS_USE_UART=y
 #
 # Freertos Eth Drivers
 #
-# CONFIG_FREERTOS_USE_XMAC is not set
+CONFIG_FREERTOS_USE_XMAC=y
 # CONFIG_FREERTOS_USE_GMAC is not set
 # end of Freertos Eth Drivers
 
@@ -287,7 +292,7 @@ CONFIG_FREERTOS_USE_UART=y
 #
 # Freertos Media Drivers
 #
-CONFIG_FREERTOS_USE_MEDIA=y
+# CONFIG_FREERTOS_USE_MEDIA is not set
 # end of Freertos Media Drivers
 
 #
@@ -300,7 +305,252 @@ CONFIG_FREERTOS_USE_MEDIA=y
 #
 # Third-party configuration
 #
-# CONFIG_USE_LWIP is not set
+CONFIG_USE_LWIP=y
+
+#
+# LWIP Freertos Port Configuration
+#
+
+#
+# LWIP Configuration
+#
+
+#
+# LWIP Port Configuration
+#
+CONFIG_LWIP_FXMAC=y
+# CONFIG_LWIP_FGMAC is not set
+# CONFIG_LWIP_FSDIF is not set
+# end of LWIP Port Configuration
+
+# CONFIG_LWIP_NO_SYS is not set
+CONFIG_LWIP_LOCAL_HOSTNAME="phytium"
+
+#
+# LWIP_APP
+#
+# CONFIG_USE_LWIP_APP_LWIPERF is not set
+# CONFIG_USE_LWIP_APP_TFTP is not set
+# CONFIG_USE_LWIP_APP_SNTP is not set
+# end of LWIP_APP
+
+#
+# Memory configuration
+#
+# CONFIG_LWIP_USE_MEM_POOL is not set
+CONFIG_LWIP_USE_MEM_HEAP=y
+# CONFIG_LWIP_USE_MEM_HEAP_DEBUG is not set
+CONFIG_MEM_SIZE=2
+CONFIG_MEM_ALIGNMENT=64
+# end of Memory configuration
+
+#
+# Pbuf options
+#
+CONFIG_PBUF_POOL_BUFSIZE=2
+CONFIG_PBUF_POOL_SIZE=1
+# end of Pbuf options
+
+#
+# ARP
+#
+CONFIG_ARP_QUEUEING_EN=y
+# end of ARP
+
+#
+# IPV4
+#
+# CONFIG_USE_IPV4_ONLY is not set
+CONFIG_LWIP_IP4_REASSEMBLY=y
+CONFIG_LWIP_IP4_FRAG=y
+# CONFIG_LWIP_IP_FORWARD is not set
+CONFIG_IP_REASS_MAX_PBUFS=32
+# end of IPV4
+
+#
+# ICMP
+#
+CONFIG_LWIP_ICMP=y
+CONFIG_LWIP_MULTICAST_PING=y
+CONFIG_LWIP_BROADCAST_PING=y
+# end of ICMP
+
+#
+# LWIP RAW API
+#
+CONFIG_LWIP_RAW_API_EN=y
+CONFIG_LWIP_MAX_RAW_PCBS=16
+CONFIG_LWIP_RAW_RECVMBOX_SIZE=6
+# end of LWIP RAW API
+
+#
+# DHCP
+#
+CONFIG_LWIP_DHCP_ENABLE=y
+# CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set
+# CONFIG_LWIP_DHCP_GET_NTP_SRV is not set
+# CONFIG_LWIP_DHCP_DISABLE_CLIENT_ID is not set
+# CONFIG_LWIP_DHCP_RESTORE_LAST_IP is not set
+CONFIG_LWIP_DHCP_OPTIONS_LEN=68
+CONFIG_LWIP_DHCP_DISABLE_VENDOR_CLASS_ID=y
+# end of DHCP
+
+#
+# AUTOIP
+#
+# CONFIG_LWIP_AUTOIP is not set
+# end of AUTOIP
+
+#
+# IGMP
+#
+CONFIG_LWIP_IGMP_EN=y
+# end of IGMP
+
+#
+# DNS
+#
+CONFIG_LWIP_DNS_SUPPORT_MDNS_QUERIES=y
+# end of DNS
+
+#
+# UDP
+#
+CONFIG_LWIP_MAX_UDP_PCBS=16
+CONFIG_LWIP_UDP_RECVMBOX_SIZE=6
+# CONFIG_LWIP_NETBUF_RECVINFO is not set
+# end of UDP
+
+#
+# TCP
+#
+CONFIG_LWIP_TCP_WND_DEFAULT=5744
+CONFIG_LWIP_TCP_MAXRTX=12
+CONFIG_LWIP_TCP_SYNMAXRTX=12
+CONFIG_LWIP_TCP_QUEUE_OOSEQ=y
+# CONFIG_LWIP_TCP_SACK_OUT is not set
+CONFIG_LWIP_TCP_MSS=1440
+CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
+CONFIG_LWIP_TCP_OVERSIZE_MSS=y
+# CONFIG_LWIP_TCP_OVERSIZE_QUARTER_MSS is not set
+# CONFIG_LWIP_TCP_OVERSIZE_DISABLE is not set
+CONFIG_LWIP_TCP_TMR_INTERVAL=250
+CONFIG_LWIP_TCP_MSL=60000
+# CONFIG_LWIP_WND_SCALE is not set
+CONFIG_LWIP_TCP_RTO_TIME=1500
+CONFIG_LWIP_MAX_ACTIVE_TCP=16
+CONFIG_LWIP_MAX_LISTENING_TCP=16
+CONFIG_LWIP_TCP_HIGH_SPEED_RETRANSMISSION=y
+CONFIG_LWIP_TCP_RECVMBOX_SIZE=6
+# end of TCP
+
+#
+# Network_Interface
+#
+# CONFIG_LWIP_NETIF_API is not set
+# CONFIG_LWIP_NETIF_STATUS_CALLBACK is not set
+# end of Network_Interface
+
+#
+# LOOPIF
+#
+CONFIG_LWIP_NETIF_LOOPBACK=y
+CONFIG_LWIP_LOOPBACK_MAX_PBUFS=8
+# end of LOOPIF
+
+#
+# SLIPIF
+#
+# CONFIG_LWIP_SLIP_SUPPORT is not set
+# end of SLIPIF
+
+CONFIG_LWIP_TCPIP_CORE_LOCKING=y
+
+#
+# Socket
+#
+CONFIG_LWIP_MAX_SOCKETS=10
+# CONFIG_LWIP_SO_LINGER is not set
+CONFIG_LWIP_SO_REUSE=y
+CONFIG_LWIP_SO_REUSE_RXTOALL=y
+# end of Socket
+
+# CONFIG_LWIP_STATS is not set
+
+#
+# PPP
+#
+# CONFIG_LWIP_PPP_SUPPORT is not set
+CONFIG_LWIP_IPV6_MEMP_NUM_ND6_QUEUE=3
+CONFIG_LWIP_IPV6_ND6_NUM_NEIGHBORS=5
+# end of PPP
+
+#
+# Checksums
+#
+# CONFIG_LWIP_CHECKSUM_CHECK_IP is not set
+# CONFIG_LWIP_CHECKSUM_CHECK_UDP is not set
+CONFIG_LWIP_CHECKSUM_CHECK_ICMP=y
+# end of Checksums
+
+#
+# IPV6
+#
+CONFIG_LWIP_IPV6=y
+# CONFIG_LWIP_IPV6_AUTOCONFIG is not set
+CONFIG_LWIP_IPV6_NUM_ADDRESSES=3
+# CONFIG_LWIP_IPV6_FORWARD is not set
+CONFIG_LWIP_IP6_FRAG=y
+# CONFIG_LWIP_IP6_REASSEMBLY is not set
+# end of IPV6
+
+CONFIG_LWIP_DEBUG=y
+# CONFIG_LWIP_DEBUG_ESP_LOG is not set
+CONFIG_LWIP_NETIF_DEBUG=y
+# CONFIG_LWIP_PBUF_DEBUG is not set
+# CONFIG_LWIP_ETHARP_DEBUG is not set
+# CONFIG_LWIP_API_LIB_DEBUG is not set
+# CONFIG_LWIP_SOCKETS_DEBUG is not set
+# CONFIG_LWIP_IP_DEBUG is not set
+# CONFIG_LWIP_ICMP_DEBUG is not set
+# CONFIG_LWIP_DHCP_STATE_DEBUG is not set
+# CONFIG_LWIP_DHCP_DEBUG is not set
+# CONFIG_LWIP_IP6_DEBUG is not set
+# CONFIG_LWIP_ICMP6_DEBUG is not set
+# CONFIG_LWIP_TCP_DEBUG is not set
+# CONFIG_LWIP_UDP_DEBUG is not set
+# CONFIG_LWIP_SNTP_DEBUG is not set
+# CONFIG_LWIP_DNS_DEBUG is not set
+# end of LWIP Configuration
+
+#
+# Tcp/ip task resource configuration
+#
+CONFIG_LWIP_TCPIP_TASK_STACK_SIZE=3072
+CONFIG_LWIP_TCPIP_TASK_PRIO=6
+CONFIG_LWIP_TCPIP_RECVMBOX_SIZE=32
+# end of Tcp/ip task resource configuration
+
+#
+# lwip port thread Configuration
+#
+CONFIG_LWIP_PORT_USE_RECEIVE_THREAD=y
+CONFIG_LWIP_PORT_RECEIVE_THREAD_STACKSIZE=1024
+CONFIG_LWIP_PORT_RECEIVE_THREAD_PRIORITY=5
+CONFIG_LWIP_PORT_USE_LINK_DETECT_THREAD=y
+CONFIG_LWIP_PORT_LINK_DETECT_STACKSIZE=1024
+CONFIG_LWIP_PORT_LINK_DETECT_PRIORITY=5
+CONFIG_LWIP_PORT_DHCP_THREAD=y
+CONFIG_LWIP_PORT_DHCP_STACKSIZE=2048
+CONFIG_LWIP_PORT_DHCP_PRIORITY=5
+# end of lwip port thread Configuration
+# end of LWIP Freertos Port Configuration
+
+CONFIG_USE_MBEDTLS=y
+
+#
+# MBEDTLS Freertos Port Configuration
+#
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +560,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -317,7 +569,7 @@ CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_USE_SFUD is not set
 CONFIG_USE_BACKTRACE=y
 # CONFIG_USE_FATFS_0_1_4 is not set
-# CONFIG_USE_TLSF is not set
+CONFIG_USE_TLSF=y
 # CONFIG_USE_SPIFFS is not set
 # CONFIG_USE_LITTLE_FS is not set
 # CONFIG_USE_LVGL is not set
@@ -332,6 +584,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_https/fig/https_client.png b/example/network/lwip_https/fig/https_client.png
new file mode 100644
index 0000000000000000000000000000000000000000..c77509ed1f33096489a57b94be12a4d7ca885370
GIT binary patch
literal 56683
zcmbTe2~?8X+c#`knw8RU%B+;mX|Tc6GPN|Jva(XMv{G|GGiMRga6+K6^fYN@ie`!p
zYL1Wt=16K~ib|$}f`Fz(iio0sfWU{H^MBs=S<m-<>s_yFv2Jd-+56smU;Da$*YEmW
z-oJ3(PJ89%m1=5g+Go$4bXHSS=c=hK<*d+9eKJ!`Nm3n_L^<1?P%H1=I<7id7I@t8
zxSHDg)Kv?<%T?!E5og?^)YNoZ7hg--VDGN0sWH^fo;-dj)_YQZe2RPc1xL>Gzck!;
z2$6A2UF*}Z{&nq@Yu5Gr8r0tvza&Lt-QPEyt}RJ17|Zk9kTNwh*b;gYwk<khWsFwc
z+qcPo?RoaY_ADU`tqDB&k{Epd_3kXN%QGcdDa9#i>Z<<LZq3Gy;!)!;F#=8WT8C>a
zEays%XT;R$IN7Sj?;~HdO4*_^rHJQ&u73+bgVrk?<V}so=egzLS7m&vu|%3zFA`TD
zTv>6R<xM(|m{M4w(Tl^MKI^@$G)68Ar^5L-uL)s{<-Gw|jpA7XQXue^*V1H_1T-rC
z_oWvS@u)~{<wVY)u2=!8>iLBtifg#l{OAx|ah6=y&P`L*Uc|1uLKlzh%NQ!Jkx5kq
z(1Pc2T71ORmX>%eUwzdD9~GW%;?{F9wc40VbTs|K4g0%Q+lFrXUAW0!f4j}=N=~hz
zdxoXP39Uo^Bw?mlyRtJkUARBPmw<Fr$TuG?g&M<_3NF>WFJ}@RFPsMtcV)a6))p<L
zT|JXQZG&#2hcR>I1{SX6cK-7(je7ya*dRK@T<&5|#a7E*JerV*`iEt*o28Cn#QK|b
z`ijLn8Z~N_LRXf&-+i)H;Hu@@bSWY`@U|{)|DBhhp+|L!$VP3tPar1Qe`+hmcGuxk
zXb2@(r#{gEnenz!ATCaYucRAQE6ONMhrSZ>ooMC*iX{2vL2&huphP;W-dcAJk%%HZ
z;oGUYQtJ*}ODU5Hf83ckTB56wQQMFc_ws~i%#Bw&HcXD$%!C?W-=U6KmXn@Ezqe<y
z{2uYJPx(DzaNHEjrS^x#*MpBehaZ<MzrJrMiE~dVP^==2)f9%KACuhp*sHSwu59)U
z9n9_E*2E}Id^7<!w1v0v&i!5%@2>|-4O^V|2KkfhO&#x*kL7>6rzdW%ZK<nj{wpto
zK*!%6|Lf0)erc)nV|8H>6}tKc!gHO0hc?X_Kn<uMx40_>pwiXc`&3u1>#HI#ph{j@
z-he`I*mWjb76;Z)ddkg7Blo1wQ^6oUd$r}d-3?;@mKlK!X9d?8wKnsLZO)wl_ng7*
zUk3gprYtAisZnTZ1Tl7yeMR2iCM*3(O0JV%rh}_#(n@%k8#N3!S(t^?`B+9=$6TV?
z0GPCdk1ruUPgZD_jO@~FN~EqIL5_TGi5J-?UoE3sH}O$I15-k+@f#uDfIz;$EJc*2
z#yMT4ADS|;&%kQ;abL(P<I(-;Fa~qvpu|`5>U-1T&WZrFb(IFTKDJziIP0|$D8u7(
zgSb|H)@S8kq#<;pvR$Pz|H(QYI+>Wodl#o152RrKpjbj-mI@8!g=k*JqEAsPtdQiw
zksq=!oIh;a4*1&WZu4S9>u?$V4S|hY$2@BKSGLym!QP`ckJ0uH6O;ioWU(^hNCWaa
zVjwyg?%PN}hg6F>eyvgwFWsbVg~~Unecb1sB>Zz(DHvI2Gqj1B*b{OhrPMwKNVxmj
z;mp%`8nsYJXT6IS(hii`59TF2FxtM}&CiQdlMJL(FNr+$x-4VIALrRg#IrUFMD}wr
zM%4v$oJ>==yLb~D3*?2eUXDKv`z5WZhN4&;LihDJay*-F1=F(3Sham0Tf^8WX(KnK
zw(ct|P6nV0TJvih1{H}d@u0uC>V&>_kQS5a9AU;Mvc4!a;B=$jE5~Js<{|o*0{P1U
zNV(i!`Kf|;)sRU%?}(;|$PWZko+E$zdkAE)v*{J>nw?#hF%%m~luvfc<3IU0?X?WJ
zWVkeJli)6WT^TMrk%!N**c31UgyD9T0*;F;Kv~w-^?Uf#yXO&3f^Wu5%o1CDoq0+5
zh-F)=@DtAjx^BU%)~i;Y&%<8zSae$D=`b2|MBL{Hj`DxJUAk1&@2%FIt#y#$O$S$f
z==G<WIDt!=Oc__F%gx@U@~~uaFn!UNZkxM{2Z8n{WD4oA;|Gu471o^iy@Nn>)mDyi
zn!UTNVtb3!<ImDX^TG1Y`sT=jUfKS>WcsY<@1vR;=h#1QhOhr#O*OTbtA9H`wOeU%
zul{x991e4O<1ezR6*YnPzEZkjyK8cGIgvTl+sm=zODh9#6GKi%!F9?Y*=)&Zti!}4
z#v&>^p`IlT#q3Tl<Qh{)RuS?5*>d>VDctycxBFHxO%UJ5n!PIp99Hd_b51L`g7x8I
zb@1B-?EUP<z{9a85eB0TzVdV#Sx?q#sGqu$QBAai{^iXvl%-6;49CeB4?OxBNe-{T
zpOM?9mJ@{=+pN`wdzfaW^?=VqHB<btM<b=(!L3qzF?PKuIn~M_v>kQOVa=}sqE~ru
z=ZM@&&YS$Fsa-})m}@UuZj#xlh;)6J*~G)djF>18DTIb~LdcB>xfj^NTN<mWc9e!l
z7N*Xt9c}j^G>@yA7Gdqg$>sbzOK!H<>8GYIn3&$7{yZ)Z?Ih?kSluWTsh=O_dmvew
zs#C6{Z{@4qvWxPyS#kbnqJI-^!dtOMZ>sqjtfo-lD*5Tw2|TlN@iD@fk~2Vm+m9LB
zMFErIB&6^*C|*qDnQuGlf#?>#Cjph{FaV!bv)dtSO>`~Op}vz;C44X2rduZvZ!o5V
zbSa#{XFT<}?(VPiLQ8nP*E+e6i?Zl43k#PQ3g-_NOS4V=p?V&id8YmLAZ&&x>=%q+
zV4E!^bursQ-Vth!vjx^!7wsp}aZm)hS3fneSPJ_EyG+ACkPZBR@=!PIxLaHn-d>(s
zs(h0YqxMmzasZ(rPja*zqkXD&TWbaMT-Ah(4$Gq}3zo#~8Vb|$m`d#H*bf;G<Lwb@
zW!(;&6H9FNaq;RXSM0@aDXU0=B79Tm1(UwOwa<WmP(o#u<;p__kbb$NgF1~4_rz+S
z*!9&bY+IGAi?tDsn2>qg&@Ymf)VQ8~pD;*l2l;21H3W{<o<STnh*R_gdo)eNvL4@U
z_yC$^CB|o>5*$%+dHadF6Ra!VoVANqVza+Rx@LH+wY~eQV`2e2`BB1$Q)arYot^W!
zb3Tq5*J!2|Ww@W}jv6!7>JbwBA%bQ_&mgV0KQII=<`+F4I!3L=xtDAC5R7w(Lz5Pr
z>XV2=>#2j{0hx9q(cM{du-qoG4mh?DuVV%a<$e=kcd-?veDG`0e8@OVU{Hzb`dCqH
zQ!R&<KlCaGr-jSt`<u?amCP6Cd!UBI>h-Ic)op&EvOZDGm2?s-vH@m_KEB2TLNkNL
zErgKxiPD-3>Jf#?AR9{j-BQ7(k-#0jtTf=Y&j2i?nK9>kb@n!84PjDE^aJ2*Y2|@9
zhrBKcf3lrqRKES0ku`Purb*p-^-QnCy7vQ3pF#(h3}m&$FGwd)#YdZ7NV8W5rDGn1
zL&=wrW3Xyc7|nY*TOe-&FS{m_B15P)6K`w`vgw7w1n-h?Np_0(N|wor)4jTXp>lXo
zgTdLCgaw^<$|QkR8&GBMG3iZ#jD1gJ+ioPjdFG`V)0QM`%qg=Ol^SW_+vBsEJAN2k
zBTrZiJ;ba%mov%kb4K-eKYpM-SKZuWD|Pa6!|}jo{vY<Zm)dG%bwn41lckC)Lqsho
z-NUJV!AEIuC>BE5gFZ^AA=kFV_s%d|Rz0AxJDPC3dYa(!JEbkxgmhT2I8lXCyn%LA
ze!|7bi1Thv)m=S2J!;^A4_<wtA^c}2ksATAFWzccwL_V~SbsX}>XxlGZ<Wtg&RN-c
zQ~oOGy^h}Xz4ZKI8@Rme1A0A;P?H-iaR%wBQKW?@cryb`kP16|R^a^*Iy=G~NteWW
zP~<!GujO3jyHS0$Y1E6>y1R|EX2B!8;*sbPw{jzeEgYdMjW_#TC;0yP;ZekkQ`2X1
zlIrM%eE=m^@7wPE1aghVVd*VAlfo*n3Z>`2R+-EH>N*^;UIwX$_OER7L&#okFV&@o
z@nWgdcdpI2t~^&Ie5I(=EmOKI?oE#%9WD>(!&%ME(RwJ#6&3)LcPpz4ElLBqun)KG
zF3UQG_W~&ltG7DVs~0S_Q$X8FYlJmL-L&YUASXE51DbrMSF|?>V*;%>Y<yjrPrp{*
zIWsT>D&x#vg_Bq}8(h-}bb`@1x0>`VgZxH8ahXt7EslAD)>@}*4%RrM2=xjCQl1f&
z1IYPP{C#PFYX4sz7n1f{eyfDjj^=Ipk2zdy^vupglL3tJP8NH-BWiHQ+(kK#8j!$5
z2G@h>5Afmh+%Bm72Ft@M#YK%qv87JF)3`}6v_tOBLI;@3UzHIZ`8@>tQwR&8C7-WI
zd=)02bxKshv!rOr>^6o*=lh13h9G)ubDtetWid`(=up?{h5c=a4Z%RV4i~#tv@&T#
zJe~-bx?0>7_GAD)Kuw_Ah3Ig3DoFK^;)mF}0U=T9<98>AsoHsaNvm9SC1n$xt)#sz
zx5>+wlM<d3bOik#%~uOfOC5Or@nAGi0Uk(-!(*RG*X>}O9?AP+g4-}jbqgNsQ1q65
z!)8lU-~9qOpQo}4kfl(}3(+NUjR5hC>kPv^i<aa=nO8AMqwi~xAu^AW4z?wbzu^HX
zcV75()Y32<4UNMpnVv@`fblown#l%>yRCYEsYh?=LuIo|{L&Ab0y=j*cMJjHf3muA
zDCyFOQZ3CT>(_Ky48-HQX|5{2@J0BvIW?4csnNk}%rc{m>R>b3c|3eeL7k@hGX!ea
z4*F?kUO|D=b0Y)%<#(xXrog;Nd2OxIp*Yp#GTPd-)Ptt5Xf&LPYQ6C?XL+b~Q*kf`
zOaFPvz3e2tRHXbO3bw&gi@i|2Gv3FyY)s~;@0fVW%ccoHM?jA}vt5)ul@t7}aSiHf
z%x9}qNOE`sPu!5s$y1@cw`(XWB(0`)Sg*xu@u+6_4{TBUe?ck#z#FxQgLmP-FFpVB
zUW+uJ$l%N6(PtYpe72;Rs6HQdPyrXTjDjxFS?`5zWXND5n>1Oq{d4Q9)EJBhnn)JT
zi=eAdc?CkS1kwV}YQfsBgCVsS2sIDV&BEH`w3s5QA5C!Pa2+@_73Uh0G27aHQ)HiA
z>)6DA?c?lx*@8t)5Ea5urBH^I0-bRH)GxGD5vpuM^JLyPAu@<^!S?keQ3PI)P!*x#
zHc!fY>vQF}6R9HmazE>8cq<SsH}@z6D#ALVqXwB_WU1BWc8fnIdQ0n&YHIwSTE2|c
z&yt&muO4QcpsbBw@Hy%Q2wZVGo!8?ft4EUcmYVp=o4dbbJ&yi}rN*;GN1wd(TNjQw
zDRHr?Bj&sZXK&-Q{K93Kifxr8z^mIK%B|^^e_CEXZ`1*Ec0rfmwbAn6i;6<xu8#XB
zCD4UBd5^L#)C~s(s(rMMC*!9ya%vQUPfPmQ7CJZE2KRthI8^eeH#WL-Y|#9)E|zRM
zd)5tInl{I=FkEeE!pOCoY5ItFl{=v8Jqt?!-aiNARd|Et1D=^tBlKlwVY?XJxv7<X
z5E=HhVDwQnn5#(C`gpL{ARTta9qp&XLeD|uP<&-K%Wg#GRN*Chc&|@1wdEapo=G49
zdyN#iq;i<*&Jgi@yrOeS0dR#g4pA3;%=5)y$(~u$<RqaAm6=#XJWvcx_KXy~RyN#3
z80<hay|7&f?JP$-yI~WDfGnj|cT+&i%Vi93lar?av|Lg*80pS2xLwtx@SQ*3V31~F
zxYBH@-b>%KzYDbo523p~5G_$_*sn`T9P~1a$mV-AU^IhUZBi7C*n)-20Rf+m4)1d>
zZ)@O3^ZBA?*S{<)CpEI;Bze~1t;jZ++2s+dT=N+ELBNWV02VcKO;l~b6xJ!-GHIV$
zLxp9%&AsWeeSC(YK5Jj-4tjYpv8(POkA#Y=^sL01WF0HqkE@PF-FBz)p3%DZ%WJR5
zXY#GVRR;W|5anK}lRd&>tI0n=PG9Qudh(KYFSdU##)MPSmu`(fU3>>>DxM&|B3=%L
zpoBBbYb)=gSKq!_cPV~nsiFGBA7N?7QNB7)vRlhvD~uDUNtd<6fEC<UK~g+#E5)3r
zt`_S-!lN9uL(D2y95;Qqthp49H`B?0S%z*_3vBt65izP!d?j3Rt~g>p9Al9d!DWJL
zSib7#t$k9M>#H8NCDn~6-%OY72Pc<t-7Kx2n5)k`)c;0LMt_#Qt|LB<6zcWE_(AU8
zB~=Tj&Y&*1;cS|2a+1G{dex#Y%k3Ds($V}6DVOB^^pdx3O_Qwa*k`jnU!vYf=ZnkH
zT#kJifnB1)B2x#2b$IU=?zs9?#MRXI_5)?5%Gj(pp6<#FWq!+oL5$vl_p6v7Yb_3f
zT)HKFaafRtcu=S3S4(AdM$qQBMw&Nzj}4lD8|?x<d{5l2Hy>oO{rT;<&)W=jh@sa_
zL&5;ZGNQNS?{8beJ^a;dq}|A`)G0Ju(s|I~)_Yk<!b<s$n$*VO5hbJhkFy@jc_sV7
zPk0u5cLq-7Dgk(2<&p(qbab}k$5pMj2@TG#kY9+pqA~*5at{z9olShF!Y%U9c0`CY
zwXoPGz3ri^ZoMaZ7ej>29tV#%;Re068G?rp<BkIjdwfDtaTHMz4_3ApLuALoD%Snn
z@r1rDt09^GZUuMUix};<i7LipQg@kcPT{t2u5Vy&?-B~J4Hdxu%rcxl50B<WA9IUQ
zMSasn8NN0KPuLnEDioPG_hYymZfdU04AFR`J@Q3olZhfPB5lZ`L+#R6uCK%wlF8eu
zuntRXfXODqokP$YM6bB}P_hsb;17EK6f7!RBT;SyjmtS7Fu0Dl9p|skUqqMjzQokM
zsWC!D_2$%vWxTB7)P=I>EJu1to~LRx|5T$N3xi-vG)3=HRUkPW+o7P8{zjL(LVd$?
zgHr~v%eE-c`%6jr?9=kqF=ZWiWBB8IW+3n=h87@;f?MAme}7()C{m5)mOP*DE?zmN
zaXQ@8xq|Ccymi-7fR^RXTIlnLKgZyEV083?(s!F>RimCMpI}pjh_LadZ`6GL-LOF#
zL`vQ9M=8wJ9_`W8=3N%S#bx31_Tw)0gKC?QukqdpROX&m$M$RbLb>4uMy|EK$-hu^
zv^Bo?ykxYb5qT912^p70sj%qVU7e53y25uc?skl<n|VPRZp`zJscpF8<rV|apoVS3
zPHaHk-i9W7oy8xx-~`=Ro`%;^8-O6)QZ)$9O}me53fFf?Z#_9Y?%Vh+H_?B~8Hwzs
z)AZpWf)dt|`O&nBQ_#%lL+$iNY~W&lt)~gzNb&tN)*_M}JCROEC@U7V^H{DcxPx{5
z`h2LYrb)T1m=@JGy7N^vnEKrq(gD;rRz1o@q9b;0CZc40dKAUr=TJVccFolCYaTx{
z@owcrQLgNV&6GLh{2z|55-z%`p2j}tE?=(zoe<5!O0o*`W~HCp@<GtrIxtqjyphdb
z0`*w>CcCJj(tjomvtITgBp}FEauGT3jLns0w}BXRP;6&;<<IZIP|2NQkz^RpB%rx6
zr@YrT`Jno(CR+7#oTWSgL$pgojHVZFNcs2f2!k}$e42N5VcHB6%fL}cw+l5LLd>*R
z{EJ3llN>RWSV8%T2i2S%^d_Eyt)(m(b}>&Dik7q;X^oH3<GZ_ROYPt4v_HWFsRxtu
zn9ku<{yvZw<2Tgd#Kx5}*Np0-g=1?8FJvBJR|Dbmlnf{OA4!Wym<KtfoVi>TI6LF)
zfni9aR7i4gwm(6K7O7|_ZH094dZiNQf5M<$kA2VI35~QEST#|!jaZT{C6O~PcRvpe
z`~g=10XdgCqL5_P7oz9Ixy>(B3ym$dDXl-Ap?5QL$$jNj%cBe`=*(9Wa2oux3L_tP
zJ{9Dgw8au%0jJ$iGf%$c5{UK*oUkP1SPn-e`nPTw?t;@T=5LY?Ko3&$&CtXyt~QNC
zCwgZOklfm&Vf*=wg(2WzS@s?<17MA*7H_jhe375=@NTCQ$3=T4A^zxa7f=(eHJ&$9
z&LCzKC}a21qDV9AngUDFis0!Ny#8;-XdSj_!7M{8B@!O%Iv}gs-V`e;31m$C<;9rP
z(j5>5Mk+7Q?1<Hx=&|`>J|yS8AT?7bz>sUX3wtcKXPy!h?|ywwMlI>Ngf0;roVTTE
zs!f-xp!JNoWrX8b9Sg>-{ECJM_)}I=_t6D=z3`!rLkHFIm$EFFYKM244FG7qxaJ(o
z*hhoWTNU6CT%Om_dS!P!8}(gSQ)}ar0qF=LaoM!M3llK_E$-=&dD=P(2ekFve)|~E
zMG^2~Z?1Nm{kTm#yhz0q)GvIufR)*kX8LI$RU~zpEyzw4hbUI#jvns5>n@>-NBp_7
zwzR((f=HgkkS2&ER!-pxk8a16D7SuGzwys2ccM;@+drO=woSB1eHWh__VkuI^RCEw
z^`|ckg8*iiE<P#KbI=Ct7BJJcjuo{&*6I(~64q$hmAh+j@J*11W2~1V;psBj?&tMO
z=5*kdW(mh_I#Ctey_2J_8W{+OMks=RrRmSGU@85Q#inUPdei%aL_BgY1~*0KMYd53
z@Zpz${Nma6+rEsD!`{xwpu@ParXUw6Or0l)qQBf*k{*=ZuV4*;%CIKYA(-Ex*&zSX
z;U|i5!}W@VHMz>ig8jY>K>y%Db$@voSWZLpCJ4<*UI_E%h3rW`N&gcMFQuE88@Nh^
zH(_n}RB-wh4;4GJE$*fq(y00@^&fii{|JO9sZ3n;_p$vyNIpw<B^RTJCW^)Moim%~
zf}G}m0b+MZRgC<{7u1zpR+ErbtQqs)pt<Z4O_Y#Ff(`|WLs|LWsllY}Bac%|q^UHv
z#Z)VOr(CKypP(3Q9;MHII^3kD79_fh57&^ySU;&1Q;mgEgX{XQs4KXsLD;nIVbG5=
zr<6V0J*OUu<{}c7sC}EXQTYZQKRRNXM}c@7Pp_kBd3Z!5^q}WfU}UdtY__Th;6n%%
zynL3Z-XeYPTf(iM%7G;h&%ajwT5Bvmg@|7yOb@9Dy-l8(&GXPr(;i~Mtv6eMe;mrl
z>42E@Bv&l^yMi6xDGL`X!ht7uM2ZjB4K_8{829pw3DDOFI6pe+K;@(@-L9m`My~jl
z)l3;85EQjgo|M%8T$|wUX&3$^!!z19qELkjb*(2g<5;^{z%R%EG1vPxX0)WmdJbDG
zH}B1L>f>O~Ikwg3)0l+W)St0EB2Dwk##W0D@H4Vx_KOMJFC`!p2uFiH$d{<ioBqae
z9cGm`n>C|$%=?4`)<;iA*1Pwrjo<fuU7wUV_Cyc=nXh8~t0w5ZLQNNo@;0BDrgSJ?
zotBr-WW(ErnpXxz6#fh4T)K4*nOIC`^2ksGKGzfN@?-w$tcJWW9{n$<+kHcE@f(nz
z6p6_020s|xNd<*xKZ85()>rST5DKY6WpWkyy!;4SwJ5jDAL7HozhIc)Z_vQC1xr3f
zZUbpwmkW9kV;+i|AD$mSyDRT{`^Vb9j<)B8P@9{NX4cu6tzwwcBOhy!Qp15|k%(^j
zpF_;JpF7I2MKyZ2=uqAQkt2O#IW1I%V@$Z(A}nFynCNz#lOu60^I*;LZ+dOi7p{CT
zO`dOqRr!-&sWCj!mjW>^7hTn6U#|F4ps+Gw8Mk52*6`3~Jidts1ns2+HzD69uoX}%
zmDPQGq2k~)odmww5?SO0Q(}g}-;EKOnG^b}y(0~npsQ?Ar%2N_;KDO{#xol8#Fh_m
znas%pwN3rJy!4I!El7wcYG(>g+nHX%1JDHOr<51@CTz(`FK<IS`0?0GIg{x&Dlx2?
zY_ZB$WJ^noh>>~|Qp^r!RIJQ_T_T40N+hGIY(VK*R^`-&ugDekfca;iG{yUp@3Spf
zvXQ2rpN1tfyf>FE-6+~$T*RL74TA5W&uqlvO&o%bYH8fx3NiPtQC3aj*a!h9Ekm%G
zHrnWqu!VDgyqVW@qVNI9=^F)oiKSG{Fi&Aqw`fF{guXV?ymY~-b^ym!XMMnhYqag=
znGZDgq{4t@Uz#h@x2`!)+BZX}36X5+NS$b<sMeY@|DqvU8O(rGbJ8e+>S9_OcMDJM
z@?7RY0A(TjRY+h12Afx=440z|MNb8%%!TixgV1VfpvzHi7})nTVD~AUK1E$L-Y7cm
z67AKKU$NL(U327(f=>us_Wk#O6A!QsIlpXaS(${aY$+aoC<RxcT3nut<Z>9hBbcPC
zik5hEj~GRdfk~a*1NUL!E=5WeDc{iT>d~p;|MnGw#_0`dGIy5(3gSN}vXg64uP}U$
z2;)P1GI-!GN7o2NcCU~_bv4g{eaU5Ri}-?7qKrsLZ%j}IGa>IgB|GdrKwZ_xUn|<T
z5#kUeIg~uQlZf6B$?f_^0edjd2$ik$!V93Y^$BWf7xEWzz-zrvS%4sAbvGzII<}$=
zg4)GBCr5?l-hJ}m`1nQ4_<3=1H>paz>AZT;sYV0FqE+2gH}Xh*P-rVt?~t5rFDRR|
z$?T16k&jfT>Mj*H0Vo+_=9@{)aF5q;X!FcvkyLJ1PjramNlsq&wnH><Yb>wCD1xoL
zUrPb(G=5Je28MBw9h#>}LuE>pxiE+dL1?OqIl%|~Lwnu7`?;b)T-5QK^<s9mrl+jr
zdVBe`Ul9Ki_3W)G<N^d+8V;D<T9vUAnme4amItsr_IOfZJ=lR-Q)<ZUKD`yPkNHaZ
zPJ|I9e2-9EbhBnceLNa))#wK&(4j}XBW0FUbl*zkA#XyRqC=s4BDy#Qk<X|!4V17|
zT*}=3`UF!CbEn+~0jra;(g&|Gv}PU1Rpou#gnyg*I?^|<_USzKcHZS2K;;EI5mNb|
zMt%fK-PMz;(;$KMInf#Kz9lF5*NYuU%(4UzH(-E#5@jJ|9rPF<oiCo&k=s=g3o80K
z>!ES?3Pu?rli0tgtgES*>kPIHB4H+DK(jUOuMZP>?-c=q)pDgT@68ag?)SF4;j2IG
zubHSeeeRs^A5{PqRdw3UZk@0GNBdgOHd#rd`&750OXFg<|KfKhf8$ejv{>E3{AKoO
zPv_=dkSZIU2UyMRMZW77)x+X|sYPJbPeaFFBMP(;PDJtCEcvudm4*yi!7Txq{Z8bm
z<tCGc|G(HV@7<*kDP0a)m~)WA8!SZps2;`dp4AMv)h%^MpQ}QjS}v{zF^#WYWWVUQ
z7j|^ZJ6zz|!D7C;>SZrVUSESwf0HV9RqZX!TrlKpAh9ZoK1P>QAdRg3ZD-}<g$gc&
zD1s1`Man;g(&1!9A)hEhFHoEKr^MAtAsM`*L&bZwV$nQeG`iFOG1x(ZRa6<(yI+=<
zu`L#6sE|sybc9?GW{Kf-iAr&Ao`%`J0(FJZ+cH)WsFSSiB3-q~UyFR#(&XlD`N!ia
zrQ1)s!DjxJ!y|!fDUiX$RIyji%={wBbwTwAznJ|uRdS#7Mn>0@RcZwpzm&hwiUQ9O
zrGFX=gyf5H>myy*pI$HQG8fjYq)$_^8`)@S=<Anfp0mE-=s;`Du?~@>7dN7NAQvfC
z^~|+tt=n>mAti0sSbbM0KJ5msu><n!twv^q-+6I=3_5*rL}41ZCe-nXM9dLN>J%)H
zOTKuk>)sLFCdVgp0pEF(l1<Z1BJe48n_eiIBG+7h%fG;8FRQdd@nvh1(sZPku3??M
zfc&GWad`7{IK3X0rx-!djnNL3^9bX50<s|zojw?Y*w9i%d;qzl_A#n4#tq%4_5iP7
z>S%MlSa478hIZ8wdD*Dwk6$nq+om}~{J6q9O)lPB$+Z*Lm?6D8m+(^gX#GHl*(--T
zQ$UuXaUAwe0%NkIG%EGjRfy6w!O%Ok9kX7gtzZOX7uF4$EEk1tDal9vFuC~C-?Uz5
zxYW~)IMlEtSue9w%w~`hpNtrQl+4pEioIrlYX;w*8&Un3G4<jYnUCSq`oKQz0)gnm
zqe`>mVcw~XE0vum4sYp@(ZdNN(Ss&0;kxy>*9d!l^l78Y6k9Roid-R-1*-B^%voH4
zwlVdc+%c{`#dAe4jo8m_l;w^hAdeH2Tg6!noJ{8yAY7@@-$t@c5feo2V08H5rs5RH
zt6#AFyupZs!T8nC36q$^kewap+1#3c(wE1b7SoqlGRE~Nw#I}gjfEXpUIk7%X63cF
zaUCV?HgqMSeH#()H}BHNy2l^l9?-)5FScs~&#Zg0u*TK9gichOj{OanXa`x(G!sQ<
z)?B&@?rduw<^?#aH+1?))+WYS`aHz!OU&Q>lHK7^dz^SWSVGd<HaacOzf4p?g+u<M
z@vArTJq9(b)pR=eHRvcdXZof-H$bx>zz6wW{br@S77CzL+7h$$2Nm(fqwM3pUJTG>
z4*APyiFAI$14Ti&lYHi~r(LmPf_K^32qJ=2IAyU{^9N&BH%v(yppxRz#`JoJM&nXU
z0EIg>noIGUTo=8Mivzq=U{=l|hWw|iU!l9cMX&3Q(cw~B#U^S;nSYf6Se+zGdi2KY
z(ly>X&IPygAgK7%&f&M<1$LqrBJ1Vqqx(Rg{4acHyLCQR-I2I|vh(9Wc#m`?yNw8I
zbcit6#(0zUynD*h>=-~ZCY1@f%9dM;$q|TIUho8T>3s&JTZt%l;(tJ=u{A3Iorpt;
z7hze)b7HDvWc#2;yvG_52K-gkJQsxGkLoteoPO5~eSlR=bBRlcgTE&U1Hbbm69L_>
z<9??QO{&DGiX|GeV$b(g&9v0NB=7r8c{%Gu8RG{RDX)6t&RV@88};!#<3}`;6-ic3
z$A>7b-A4-(YtX6kPUb_R{RNCweYEwqQfnb^J@K@gW<)dzZvZ$Pss41F-+nyk#`Je9
zw@eK~bM@ETHTd_Skx)(<xoh)|4pOLONy6h={lw<0-K{FijZ+553SWhj`$T)ixVnX7
z8Uy#;D>g)bL=_E^y9@>tTG=TWvwOmM;g9$Jmkl7jkvH35erP%^w@CVx6@nS8YFydD
zCMoon;<Z1C;I;8SsnUinNy9&E*FIlH_J6Tmowc&psUP0f9ei}o%dbfM8SMA7V`?@k
zz%OS3@yTf&g%|BaKhpOYuQNRMU0jM-9tm8SY9(B!HlK*YZ$0cY?Y;HbnJsbLlD&}1
z{mV(n2;dZ~VV4FXl?Ay9_dP?+EkcCYcuQ<W{MX9%ZD=B@7Q3BBWEPCFPx>~B7LK?i
zWk36DwOQr?M@-#J*jWXI+3*CZ0B(_0;}3}^6`N{>H7dIY4}BRNZ8pB^k`Cr?>fIwI
z?||#26D{vbDjRk+_pKlvdqU)t?-<zhuFzr?^{kubt&J++xcS3b$?Gv6zIkgr0a<!-
z%jI;IujxTgi_A?%ZHakpe3P;-rq_4Uqpo`2k48gxgF{w30p7>RxM5cn`|b+E7!xTb
z?y5wwysX$J=4jKpf77vwUl9^1C&~*Ann<X)q!YC>KRHdi;aC_c2m>iJenerWc{Q{l
zqhfPTNM4td0o=AQ6Sb`+M@mVSqt%JH!O$dOah4hknTkDPI@z1WOMEj~@x~qkBoeD8
zS}s5l9U`4d$V}RE4>2`K@aD_(+!`5yNKws}dP_Wg(RNh~3UzefD=2~+jNub3-z%%>
zS9m+goH|89pX7Rxc`133y~_RH*eirnv}x}orrIKzTI<*$lJ1W$DMvcfFD?97s&+o_
zNNEi^uPMOI1d6Nj3W<<@Yi9U_6wZVClT{N`XL^aAJE#czfE*PA*ow;-;GrbLH}#Li
zrJ*cW7)wN@-E2rW<_5DyZIOAXQldaeH9T0A%I6949XE=VBt@uJw|N0_{vc<zjt#S7
zW*<s|Yn8VT`luGrVD8F<3E1z-k*I`8hgpCehn8Cnfq_xtIe?Oay5a0h1ub-2-E!?S
zpfI+zB)oe8@KjcZ$Htc-FQhCY*9R=uU5U41@y{c^4m0T9ur<CW9$RUK-q<Ze><*Z|
zQI^y}Y}QQ=;{TbWar|L){G8(ZUOuF#^@0k{K9$|}MG2~c_aRbwRWI@A-Kss-AkO{F
zA`KBva%t2i9*)3{Ju()X+F$J?mqcBONvPgRgv!ebY-+YbMi5`59IVD7PtFtgE4P$4
z#5DC2X6_V`vtN=+GSKrJzc8Cp<(%C0bK3CEcXr~xsS(W=qmIm9m2>Pn)4-ntmihK6
z*Zt)Jk}W^!A}{M84FjOS)=AR)PCx+G$!zK#YKa<|@Mmc%uJ*S3iD*+c=*hm{iD2I7
zTx(3q=7#zuA#d3+lp6A;uEgr+*WV!)2R8|!g1cA?R)=pO;uD)QJx;R~G<ggqU4GDw
z{1fGZ50qI3fxHdYQ69e#^}Gb1;?4MXjHj>&iYxsp4$Jkwb66zn9F_Y+PjcR{$<rN)
zqYjzrL?qCgU|iX?O0ex<YJF+lHcJ=o|3+T<_N~J0$u}`C<^oGrag(c4W$S$IyTjE2
z35)6Cnt6pLbV`fR<g0NyVDB#T#CvhOU{_s3)<g{tBi)E4;zr`2P?xsb2u2#vOO2#o
z%BF!f;mh_bn`QR<YS40pUPhMac-70>gI6S7Bexmntvy^CiB+<gvIM`_ipuzCaJIBC
z04}Zym07N!_r5#gt#g#=XU<#SU`W?J(cgxdn72`-l2zlJcxgVz9Wn|Tl@z~-mefMe
zr}v+$>MF@4hyMStS?nk8N{RkU$EoGvTfzpaUDtQ26hRq~yF+epxgXqDJ|H^4pQ(u{
z#1^UF+Fpy-dFgJkdgM=4SUErfu#Y9g+fkMMbWJspty`P@HY1QOPX*J}j&AhTH@S_U
z_pAb|&Zgafn<#~{!zKDi?DXKo8)2q&{YLCV(V~dh;32;00p43QAzVDWH9K-JR&`WU
zJO4ijFjXr1{EzRfDX{`ozr&l}+C%#N3;7xfpkIjLmJwNvnx$DEW9z-8#_ozVM?kUl
z!BSw|0_R6CPu1W@M0=93`)((_+P*2{gv5;skv}mYC7q6AH4>wXs6bwr@CYrGpb8&U
z7sr|m;z6qw8!DeX2f(SaHMvPo;4>$XmR$r$6n|$aSoa@&^XyuRp)3P)tAAatf&Rw&
zCT>Xinr)?E&EMb7pENF|XAR4EG)Tel&*Yx+`Z;QL9HV|RTaYiHeKcf~HXiTn^S|NL
z;9iLQ`>HfImfr+*;doSa`^!lLP1{NXdbp?=b}giL;2X1|dupOz?)}b=CjeGAe)%>P
z*?%uRKIwK72&&>zRq6TCpIO2^5mMiemKvA&UC#lZ*gKC7`ZOp^Ycud41i7*@;xaCN
zM=7LD{Nh_s;t%$<mK=tK?seb>?>3Vy;g+Oj!SzGccvNEwdugr7sSu1ZkJmV~4vrnd
zd4mVnP%i)5%Q{Rm{gzp>GXe%b66OqYZ+dtlO^a-6>aFd#u8*=bV^84HU%YE3ek#U}
zcq#KvF53TN&`PeT+F`eMaT)mvvlRUUE@roxx*UbN-th2av&ktm?_dN@kuj)|wcH7<
zcfl3Q`=>95XTDx7&1)<Y^@x9T1d<TPjeG(dE1N^TQBiIULtlhOcZ!yM=_^Ha>j;aS
zb$S))E1N?Hp^wusVCx`6Vf-%Js2f`*CMp++SCuHU{a`5|QMPB3LuKn{5_%8B7_2uH
zS|i3}3v6RMGy)vmswx*|Y`D3nj%6?9PUx;{in=E}<pGdwS2hhswbmhj9>>F+pTT?Y
z2}P<D_M-Uxq8m{CF<54q^vDzcHla4*!Cjo^SDf}kKQGU3_U?BD<2L+F6xW)fhK0cc
zbZ$VC{WCh=#m$wcsxDAdBX3k0BPb|LFTl9Q!)o^h)RX<#0~!mabL5GZEF-^$x1g)%
zE%Me<up21;=zL<{o_|HCyKj)KQg$_m*t?OF%=~l&cZG|0SHhW)`u&z~46k2H0Ytuc
z3aN2=00?N58@6*=F{@^G4X~GH0KamQ`{6(NOyo@cU16Ox%<$DAq<yo<^s09gKa-b3
z1HB*W29bSYD~J%(6_@{7hZS7Sr_;~<5?v>d>RN73xBU$tZRI^<hu7YsY^0P-RBGxP
zv1@u@a=28l!mB07SJEE&w2K~^kxdW05-r&v{O8vB_wcAqanALfZ&Rms?cSw+?Rw^)
zz<@h}54UYp9(w6T$nhs@RDDsA^!<UFUVj9!uiS2I2@01yjI@LD4?UbRsVQ(O?N9#A
ziZ|%~U#MFChd=r6gt|9Srn|T>pF-~mVJs=E-?w}*%vW|b1x6C1??;*pM{cPZLGkMQ
zxCfwdWwseO1`#*)Sjx$@lI3>|?P5*UC}=x7iX7$pxD?1<63a2ixV|sgFwh#@H{a_d
zrxH;-B1-9^w4D$(1LRIDG*3B?L$V%Dg(|sN^qJ>!sv;SzROJ*DnWW9=OaWLP>>gcN
zEcGBk=SOkG0Pb8X)^RZ0n4ZmZhuCc&Oge#l(N9R-uN#INB-%}y7<q<|N+zSv5}Pi^
z)apP!lHz(hu-2~K<cBv@nQ{Z6_~<J|V(S-m!#0lJ>q$)%C_Z-$#qo@uPLu4mX3io(
zz-rgiko6n%u&PwsbShs}MDot@lV}OMWB9~cik-Msqc+4um(rz~F2l>sXMKe#9gOnT
zRuyD?*C1Krl)nC<AiJ-RwKuF4g1)K}=HTu}{&f+xg&2;W-1=l6o#RAIQg<Xb$+%|%
z7ZQr1g4{4s4qqa33|Bqu1JC`EdL*Z4c0VH9fq<Ar4RYebbu*u`Zi`Lec!`QS@R?vp
zImQhprk$Gd0i3E(BPT#3niqQT+u!PSCN2f_ox-E`N-$mWYPa-OH`1-P`JN<iE@0*4
z<j4Oo39vD_`#oT%W<%$WlkDuv6jr9DE;_UMNsYG1L&$&Ad{5Uiu_7EH);C?4ZiHgM
z1?~@QFkW<!_Yt#in@I!i8Nuj18VAU#(uaebOc^f(#9A=P>yiw4IcCTrt8Shb1(Wt&
zRBq6uvh-cQjEvqk8<~AdZmSaOaQTtPuuxOfoFGQ{tN9W&rdjiPOTCb6GY|1uhU)^-
zWZHW}H8$rT6wuCU{7TLR?v+MWOA;p**$1LmcY<5HrUb~6B|dCFbfG9)`w4t%=C%h!
z84>X`)@D~CuH{incqPz<F_{-gB)q>$Gc?%IO&W+HaCYB?=XfG=_8a}YpzLWDqJPB>
z8%>b037~GKVD>=sJ>l>tsLpc<=xI91CK+*Vj9yo?aJflq{p^w}6`rYaEFP1^OKdwi
zCD<Gj!C{-28Pqg0$(3Bqa=kI{a?46jqQR)em_~b!-Wf98m;Sx4*7O4<14oCL2?duY
z#JF-aL1by$59-y-D2qyfrLUc<$xsY_LnmcH=mm<%N^y~1ha&Gv?ZWw{1HZ`zB7Iqb
z{L0p#=N)I1w8O{142du8=L^NqHR+lKzxj_j#>+kQ9_;|%Dg;c89rO29+!|W&Eq_Pc
z;@OAVL>gu<Nqp)XXWJNU@Mt$J@MY~87_Q+;4Z646A~%a`26P>r8I#L4>Zdw#l82BT
zBtOeVnKyNN)2&Rpu_yoL)De5P&ew`Jek#T3%ttB5j~&>!g#`@)fPk~0$=L(`dK6sI
zg{R~1j@zX!Q$H?G&Tb&1+!*1MKaQ=_<onpV#TaVrt4XL%hZ2B!J%~H;v0;DfE5MsQ
zLrGLV?rFRvL@0Bmg15-BE09B)8G6^Xxn{g;n$fz}J{9T)XpcU*3k&^#d!`@K*m&-N
zD!g?xcoT4>6%lQ1@vm)UG*4=g0jl}v@Je#E+_a}_>s!zVOo4DyeL|)y1p+)QKi;d-
z=VW1j*fs_QS?eWC9^Lfbpy~GvJeA(<oY^2pqR1#ta!*A==$pLUibwl7gmp(^zF>*7
zEM)7lj-BS=y&0@kLfAgs?B6rTrefcZ_KYYC{Xp=SMw8~JM`jO<R)T;o8-0=UYEKip
zy1zRDH<1!g>s-Mt%o#`u4l`=mwr6C%rYhyP&y#Nzn;r#xy&W*Nv@v(^{A_a|y<oP+
zj9TFRO`r@XO490<)8FjJF(4Cc*kvYBs@M~<I5T&|nZnTX-!IEu2GI?518k|;cn%{e
zmQoOmFuzGML2a879{+WQvALy=s-R1igWZ6Pu*wRsrMm?GY)P^_&w=?S;L_^TL#wB9
zfgcj<nxE^dX~T0hHWLg)*}^%^Dl}lElNtJfbnN8BB#n2g`EM5%XeJbqB$Sd@F(e^Z
z#F8HqX8NvEtlk5^?j%}IRdLWo$#TTu*>JMb6``yUTkZpK41j%&JkL@;kofJG*p*hX
z0D6ZGjmsHrQ;(9%M?a%L9h?BgfakM=GM*&}I4Vx~&hhIwSlXt4FviCL?G)Ypqxq6}
zgm6gT(_Ay?@}`yWpX$6H=rh1Q{h)gm55WU9&v8r$jSaiPBu*&CFNrLnvejdEAuEwu
z+H$iCG{}D><^D<?V0ZMbFbL6!S7(P@YA$o^7#p~Ka{_671`2zn9eo76db2Dltr}1w
z$)3xUx2KILsT$iO$6sDlYNN_Jn*Z)I&xpq&@#jObW28qaRr(*BABI}o==wt5)(JwO
zTdE8_^&wM%>We)+v7H22cI$`LU+oo9Hg`<6tXzni+I}Z~YSpKnxqEkr;fO8A2;MY-
zb)I5N2X`Jh`();ruin(ab8_3~SjQA|$;+^=Lpu{dC;`XsoHQ4XJ67&eujBRXXy#RG
z(an#Pt$7};-@-fFLvN6?+UOZSETbv_4ZPs}kg8W8db$`#KzC0_Jv`7EfVKYCm&D{8
zsnZF%h|+7UoCa_{RxPMtgNbmJ#-6V3DAXo%5oeb<@XDy=czD6bgdiQv$NsxVVB0Eo
z&awNoPkZLD&9w?nA3pYs$O$-Sp|hz##j8jZzH+0{tPh}vqh{_nm5!`>C`lGk-r<#D
z1h1&6KO;GX;C){8U_81rEuMlR1e07}DF9_eqtSOWx29$<ep%XkV2b9PB6%@$_ljiU
z$dB0>FEG$$qBZ`|tu$4J?>MXQF8s)?RSi;=H2&OVB1Ld&O9s(PMTBuHuj(><ii6&#
zEGov|O<=7>*t-N?S)o_ca}!i-_<V%USvuve&<1=9X+6c#?*_d2q8K`<^xZj>kElJK
zB)$#%&CYnDRjx76XkB8_51WMSR_>u+Zhb<DuRN2te@^MZqUPcPtdrq2It<D2)tH%G
zEy#(67eha{ry#XFGL9sdsMP5y8j+d-v6Tb8(c{^6k2Nben)Vrd{Z%N*$bdO+a1`|p
z@_Hfq-z8L~69L)R15Kol@Ka4}gMg9O>(9S-gtO+VF{(YSvRzjuk)}9O!iCX9dX8`k
z!S<B$xpeY7`d_N)U->=v`m~?{KSdDl;3Qx4Lx+F2+Vm9gty8l`*|p%SzP3a)D$hP<
znttaYnSWVV;!_pJ^8<U4{`xn^vo-Uw6+L!WIr+!@qltVQ@Q&q}ohD>I=fYQ0qCLV^
zB|k3LydlqRVME%wK_)GtU_a!99P5mxD%X>CqX?Jx8rx3r^&zM@#L$3J2VDuRvqfgi
zCoGJS+n)c#Gf~HK%}Qf_wstTpnKuvGe<c+DsTp&Dcmh!e=uhl048{=M<CMj+LYF~S
z70)blq7<6^KruLk4&i=R@sl*ReYTNCdWG^kwCA*jY5q2EmjbU@MVXC3HCywsy!Py<
z&q+{b8Y>#1{#5%ouKS#v9e8zb;L?<wU<>sRM3nv%;8A=26ZC2&MQ64B1da2K<?f31
zK7<9NYH=rKZLcVf65Nvej@wv}p2A_P4my)*{y`+pMKpJh5FCFrPo8kIjnh>%eluY;
zyoz|e$`-j%HMC#kw!0$y6n2F}vKYd(l1<-VkULGO<fX2=G=o16yX#RH$=I^qpX<lI
zDv#yxVb!cJjDoZap2WHP=E}LB+Uyb$CR*a5+K)}Y_oF>Jm-%LK+_m}2yL>$rirw50
zfH1EjVZnEKn!ntb%*rCYOv<ym^zNPJ{xs+yvF#<WK|D#L9N_}5{MJ6b_0aqKr1)e1
zB8gN>zbfB(Gf6m8^XG~;if#K`K-M2aiizgb_w!A*^fpsjq|t2RAgA|H{k1h|k%Sos
zPv8*+<Go&g$@qfLox6=-q#`>;;qbD}89Iiutl1BLYXhzC;$XKTmVcZ^h?pG81@x@=
zy<$Xn1x>I-cbPrp+yy0vqWm>;E2e?Y%T##J##sUFz4c>&hSQSyL2Ro1mKN#!3)%3Q
zugDLz{*(;ea$^B~C@Z-zYz0>eqnHh81@BSl+r>Fu0FZ4_fsDWDkj90wm9m;5^aGlr
zAPg9@luEF5REGTm=Zkkx^O@c|c>;TSL$z^pGW6Vn?>@F_ISY@1t3;fTpRHtM=zhSL
z13-$PhTlpOjM3+o$F0dyl}UR&$u1I7U2<=H>qi^->@WhoZJd7Lyt(Q!6@0~V(~(l-
z(6+!}QfVEWF!RWwluHJ%XS0>}a?aFT-1KZgu(>uW)ubPE<c7SOjZ`3_*s8jk9wBh6
zmBH7Vi_-aXK;3YUXi4YTY|qH-4POtpngUo(^1-z4>(6|i)_yO$5^^a@jRtF4P(K`p
zCmr`js%5G7gtbmT=ZtY5Pd+LjJ|=igTHe2Bp-&(;wxJNg1X!CuB?j?UoUWDAhroua
zDztvk<B<Xa+F}k^g#MO9fCLiR;nt{<e~TT`1wNt?l_qO|*p>?{fO>N=U8-d1qj`0)
z6F3WCiGJb>8XhtV3nKY^0v>v9`?^Arq4gG0UkAkle?}9oE4l{XFVK=>kt((-@u?rZ
zt)Y#@%t0k_!WJERi7(^3s?|Cf2PJze9_kDsJZ^aMeBn`Pp7z65x$wS4Cn`FaBzr4=
zG$gwCPeFx+!KQnoUB6}zNGs0K4!w&i2-^YzN)j9zVPlJ7Cw4qpps5(w_fo17ydOC%
z<LL+Ql)lm0!~8qswu({uKOyR{nP>TE)UJjsX}1EJ>5t14Y8w3gJ9r&7i^YtZn3klZ
z{Sz0@uko65&}{{cHY2Q#Mr`~~5yt-rSO2S$WA@YUs#4i>uhuyAcHnDti=9e$q4v=)
z&bN_^Yjs)6m-ovU&7+yk{BrP9)BPqRD54OP9M*fjPEuo_`Ue4C1t(F@exS+_#rcE<
zyMcQ2k2N{kJ)`dribm+iIVRFYKFNT4-xmp!;6Zib8v6;PU2jcjOe0wsuJ!G%&{8nb
z#=hNPQhkklWU<WTmb}5&jVRPr@)`a#<Iz37m+0lr-iIauEz&K2mKMgfwL7A8tGOnE
zQ@Th!Rof<0^49oi+FCkA=;c~>$!oAYoG?vcg^P&Vm3LLmpKx;$q@+#9Vr`FBa>@8;
z&@wf(V`WKrZ+GJ(nHGFi?MXfILfY3M_4t`PA%QJp3ANlt;!ggk@jYQePO`sKqU->k
zMq)=Lb_MGbx@Q_Iz9gU}TQ{A1=6m8!WzPON1^Qz6v#>33kiQaC==_D4I%MpJh*dV7
zB3UL%N#-GF7el&Xg%Iz0ZU8ja!IwDPAt-`n(jncB8jqX09+dj7=6)7G>apCeC$~)K
zTBD43IZqFjdHO1^MAkgmAxdqa%rzt*L!#HfWi?(5$vLUhglCW==Y8KyIZc(%3d{b3
zoUEFMpq@jO2CL`R;{ZF<G!p3t9EQRvhla_kQ4A{wcfEz>8~NE9DeX&&8#ab}M8INq
z*zCqMkHf?ESzoYFAAG2vm(9!K_H80OI(+i+tKBxgy8Bs44^%Y*%^wI2NqyGWX@*i+
zL)Sj&b@lUADYZ81Ec%d?Z(v-JRetI#XS7E`QT`OTP83!|tdl32B>lBTjOhdGtw`hK
zZWPL!i&;eIA<n)%*+=c1c$GocLPfC+P*qr+cgn>rCh^OI+o7oFQyTH({_`XJsjkUR
zv(_6nX1<K>W#|5$(R}GWJ<ZL8H0|WN>7>j~(Ba-q&vVoVu6^@*r^J_CVT*Q=_SMSG
zs~^h5Rh|CW1M~omx#%nSS^8%>#Fv#tXBzin+j*0v-bX`;gH=uaiX-8z)8a5jSsX+v
zAFL1(Uq}mEJ)z2;>cS=kO@t9J1^Ydsui70vbLE*7(-Jhk@YZz-z?0QH6D90quNUgm
zji;RU%j}tc6IG!eD)asrQXlB0amRS59kFva)u`m?JlyxMnYv}fuuS`k#Bc0_6Bt;#
z)uGDk52DkbjNJPfX0z({r|O)Vt?;;=?nzaHubD5@()VTuW&4?n$dl3C@@*?@Oa71>
z8eTMn%d2_dbcliNY$(a1*iZ;e3Er|hxz4eTtwVzRKg_*(T#{?MHf+n4=1Q~K%&As$
zIi;oLL}o23EiF?~M6^<KKumK)B-3=Y8f-N{YKmn!BnmlzGY*v{D&_zR3YwuMBBlZg
z0`F}-``P>X_Oti<{`vjqk00J#(|uj%b)3g>ocqP;A{oRH-S|-Qc4B{U$yJaApMaU$
z4lIU{!*+h>RD#{SEO|QwrP^<ws8X&itlp`bQQq~c&$epuSU6teoO|+{M(Cqx@5F-_
z_8xdCXCo`QRX1m@$Q!`0^0RJYFtWb<oy6cp8QM5drveqkPRnf2l+a;!M$bk0(8+})
zV6b4}p~nm0q0db4<Y|u8I}vO!sM#*J{XI391v8p(09w))qRt!ji{J7!b44~vVY=#Z
z^W|%68C%luUq-Hb`*IC4k`_IvBb6j*6t@RWcunzi0r0T6#XAvi!0A(jn@peqZ_s6x
z+=#(hBFJHJtq%(w6GC$a#>Iqt#|(ZEfX>titjE%nZozT`XmG^m3k%ndQXBh76z{I(
z7o(_Omo766R80_3S~(p}5$pOM0vSY^pHIsfDA<I4(0Tx&{mg?@QfIZDMhJD6H6(;k
zL*MyddeeASZ&qTevlX-t0#P{h30>e|&4EHPOZD2|>|hdvfv)5imr_WwSBdayMkFhH
z0Ms`BBock<HIowk7i*`~@I3h%h*~>0K_JQcBY*BY04-i~5)s&B(Gaxindsxkn4_V}
z6d-#D+JeIrs`F}_lc*yXwMl1|gk@{GEis;dwQ^o)<geX=71xkX^`jm1q9-L2FXWR6
zWkOc1JRj}?tPs{Nt~sBaDUCc3ZW&Ct4yimKPPZA3-`B=(eJjyw%R(?U9U#sMg2qz(
zf6R#{FMMst$79#^_YySEy$Y*+mU{bIM9paM%u%*82^5!uyPq49PHHX=yMwwEDM5v<
z*ii+Kk{0q1zY6;>jN7doZ?IVT%aY9sWOUjTr`j$`)+&A)Fo?v&qPHeO75FuEBzdol
zI>+JLj=NcJl<*T2pU6ROvIcG+NF&J$0ZB@XY=HSvtr^u^B)_Ie;lY&?0~8*?Rxq#L
zBvbx1JyHB~dHK?$?63)>pB@eg0fhonY3KGk9=niI5<xVi{=L@q@QtYEV@cGwq%DtD
zZ>U@9O2}G$WZxYw<X(!KW!{?36ppaAu*JPhPFu=}F2>;xXwhXe>!PGKWiF$(kjY&4
zUeK7*21KEG`tyyT8%B7Mfx}>~M54nKSyJ0EmYaF>{qQ+@K;cG7Yk>@M8r`_{W25hZ
zLJkZ*;XtuNRsuB7raI<Y`b6_((?1`rfCsyN%?xUHG>e;SJpmqPa~>+!3!Add3|XA;
z4L)<AhCYiURcYE?MJQ;Udu66hkz+uM#09>C>eL6=%XsL@Jz8r6g07^HEJxc!gbSzw
zuf{yuQ}H_&DaYxoLY<wDN7hg}|B^ZGWmXi+F(g^x>;;c@+V<G|A&bKH>1_-H6&(@6
z2tXcwm-d0D1W!ZIhjTR#3xP9r!Os^A!iGHs_-#iNG0O>ue<$f|%g&t6FD*d6U;cuU
zO-pdARrk-pVMGXsIF>*BHww^yaNO7&1omy{5q*A!(bwfH-HrF5x1y!Th?C7p3>ZQ@
z;(tlJ>^@<|6oKAQ;ZqxaaL5s}LvlK_H5!y4<FShr7e|*K^$nW9$1N6PC_;wu`DM~N
zAZrO+YpqV7R$bErFv!KahM}yvb$oPWUAk~WOcoL4ld{pfLUa=P$g624C*NY-(uqC5
z%=94BqAmB<3$bL)mjH2H7(q&DXq9}FWd9o5B6$RG017cvd&Xii@7I-4K46{ee7V4Z
zG^5Y9#-raVxw3Kz`du**7r~&@=pA^2VqRVND=27k$?c=!mmP6uMFtf-plt`W=q8qk
zrYkBQbEsS5*=-@!s-GyoG9FXfJ8nN!z4D(15>L;3nU0T6X|7L<(*|(=CfTFmccg&0
z+vQN&F3S<nOWO>Df-djP9I+8t)|D1OW7K;mxt>)NBStr;!;a!}7IhPKkQ7|MlxHhr
z>}Lkr;>jY_(tHUmO~RPwB<~BQ4p_B`y>;xR`a=feVxRXGLag;Om-PXKvqBatFLH6(
z;@(?1162bAKQl)${<5sC*8>AfZ*JSD)^Y*~u1pzZb!Mp)Wj4z(fVA`>pd8e=$u)j!
z?)=`LAD<{C&*OZg140c2<sg0ngK!v|QGA~*VR2l=<R>UUWh{9qR*ly-k9#i(6$y^D
zNC1<FZ<ZE+`c7#@1R`(3k5+^5Wjox_Lec(x7!#@G;GS15g1BjbOd6-UEcd(XQ?TMm
z&bv&N$5eazp$9^$i{NkVqIo}<N->k_5isI&Fz=B)oPXn@%AG&#My__Id`BMY?bE2Z
z%(!YQFA~`l$XHUB0lQ}B1<bM0l{)C*n8nMsV_Y(ca=xGAT$g<#2s^yU&kfGM+*(Vh
z0$t?~qffwP5D}ri4G-I}Q}e545_Bq3mU$g%SCct+y1EPl2yTo(ES%ADh<>aGfZLP{
zhK_|ukdbSlx`}!lHY+oU;R7oK?+mVoTOfi=pLWKBk@~&zQrVs=8@22#8QB%wSW-e+
z8W&k^l|Z(=SqiKEyZlyk!*y^53>GS7N-X&>wU@WOrXMOx96FOU55WmHBNy$_q-1uZ
zv8U$Lc>~}LvV8o*twHBh%`x|fKYtdYO11VPeL_`J=Cf7_GD2xUk4TD*s!|;hE@qL>
zM*xcTKHGME#3F7h;M_sOm&xH$&*QJk4fMMWu1l|9MwjJ5?UobD#|U<KM`f3Nu*bUi
zq;p_$8nt#q%J;Z#S+ywf0+=?BI~jjqP9NZHumHQDNrap9$<9ePR&FC%oj1rYEkU#7
zPh7p21htGQP3>$+)H0JL@jKQ0$AAG`8K-SUdNy5l2k@#>y*PeKaoF$+r%(e%?y@n%
zF|T!}7+0|zw)~Hi03A)U;`Vow6+0(^!whzfrDeAR5PEUOT53t4ucBbyGA_q~BQ7aI
z$r?an+U-z!v^Z86_TisWvi59e);f-=lqj+RgmZ9$p;Luob0rlKj?RBU31GEF*uO`j
zjhkM!zrQ{@VGfXk<hI86P-$y|^$F7a#MWhSWyX5>W$p(o5?1Hz-uQGyw!)h+SeV07
zEm`CSm6v@MsF{4oGuEHlwHKhG>awi(7Il}ILA4-MSxSSWJAD(PZHzhhr-;*seo@%`
zgTFn41qphEh0Qz`rGT=yA}r}4`J0X?mmA#BEQQ*hMY?eL2+<zu`}G2&V4kKoQjGJ0
z0t-?wpL+pPsQbyFUXuP30!eg0m%V_>b=%=h22|vP16&6PI1_JZ_@fd#H4HbDr`T)l
z{^@<dAD?e!l2V1Tz!&w+(Z^?<k{zoiR`5AJ=$kR(0qz<F<(d)>lGH1}>kNvDzacK{
z-rmsgP4339$P`Zx8&t+jgYKC9-B*5H8XMAf39?7G$Dmzsy37g4ATYUDQhX>B7$bH!
zi5PyiVz0dEfcR|`$24W9xzVGn6_6S0p+C&#>FOBeVWI|!T~Z<1>c;w2`QnC+cR*ZG
zo@l5}29df{+w@w*#LwpHH6GE%2uSAMNw3ct@nI}ZM>*HBs7;v7Woq~MpgJNaX5A?J
z`iFza4vmkW0>e=$ng+e7mA{rD{lMf(nSX*y;yLXuNX>!07g?-hbxX?!Ah3HU9?_yF
z_dXz&v)q5koo2jO@#6H6nxqDFKSe>WGm-w8x!en-xRt5VHW?jxg{CFTUmQtUNB@2T
zdflbQU+_(wyJnelqJ;Z-!Tv9rsej&?|C{?k$3}Xce80<=Mwph%=jk%>D8S}kEtdxy
zli%E1kRh&qJorUAKc)se^%&a>uXAn7uqB>aJ1whnYDn@G032$v3^q8{V)Y|w9H;t`
zDCfth{RX5-Q=_Lw2M)LoP=J4Jvi`G0(m)vwdr&RZB6J7c0z~z-^D*n`Z&ZIIu$R?3
zNew<y<i?$UjlQUxCrcM3AAXhdcGU`?7??%cNIUV<J)uwHn}`}=EE-x6PIfZhm|4p*
z6P>x~Z(T3e{w^ACkpwK<Y;7djZi_CEwTcc2tFz%9iOEE?G@~5m{8XgZ?ntwkp=wI~
zyvM=7nP6$kLLTPZ0%kaS&eMzdno+WeB-3d$;D;2SO%5aM#~W0lb6#_oF@U(r0I=or
zhy}FC-GJ7UYcKq6|Frkk?J(E*(^uz>2eAnSL-|fp$K6E(jI*nB$nom?wRE1sl``0m
zUNg$<8(b9&PPd!w`G^2<awXCj&naMB{wVT{gmv#cA$)U4W<P0QCfhCn7@8Jgh-fe<
zLNSS1p2m?+>-~q9kgKjlEjXv&+4q%sY>aj>!MyKIgz2C3s<`3RURh0JE00og=kP%x
zsB#VJ3}(IRz_MRZ_4KEXK+BHZuzX^Yj}%hsZ(D{2u9@Sg00y7-k|nB%uV5<&pd*Ah
zNiuNr%(;deDsQ;cn0<Xp4u=6s0>EABRJt&Dn~DGL+QtRl7<JwCUmvch{@wXhcVx0F
zdq)M88t~S?9jocM9=yJSu9kFT*s=&RXYtCo*Y`-dOal!`VO$xkA(n-pZ*?R@RRUc!
zK||_6A-zT{NWZ?SfFt@juBpyotf^Vrz{Tna|ALoCojWR$9JDQ+_6xkyrY<S9r)2~m
zeX^o^<)PRNf(HFtxe*4QU@+a*xVuIAh7UrNSl|sd$^VjC+OrHk^P%;i1R924I*7>^
zBc!v-F`vzG3%t`Y(&(;D#y$~7r_=mUU|l)_6Tq?T+rDng7;)2ww8Hnq>5@c5>8RP{
zbJX!`MC28zDq$D15zO{hBOLyrSK4Dt`8xM01~JI)`@ZoJSBp<X--(%K0nb;O<hIr>
zb^dz)V)X+`e_Ejz^yv&EIOUd1FhhPK*{SSmVN;bB?G`KTn;BJ@^M)LP$f%*Rg$uHL
z7D(rh{O+w-Misi@v;1tgC_N6TCCDHlsUmt9^^=s0T3mj<{`0l;fMaL_++F?jJL5_o
zTD!+1uA4uP+i%?=%0}<G`7$-*B5HQD$OvC2Jfp`T1#DQnu&tIL9}&^2GD9bv!Hg=(
zO`c}7^bE_uyETC-@~CQS{?CVRq09D!n6%!qtO!$CO1d$bR*0PtOvF??{3Ja-H#?EH
zUpTL@_&zzw==Jrm!?@hS-t!-RFydZ!*TxO|O+Fug6pH?v+r~m(m)6CY^KzJ-a+P|X
zW(_eMi<~WN&Je2eHV9ZJ^DyFf{;0kAL+leQW4(H`r6D?;RVv*G^zYcYqj(+vy|)8@
zftsGCt`R}O`<{qz)~IcmjrGKxID)zH<crZ|i<Ox6JU!Lg^R>ANzFPo(QbY7r;668&
z<Y}{k4g)BXW0JR0k_Da&M-;%vWYJ&cdekaIj$X<i<*;Q3yn(R8c&W1DOH*Rjtw&}K
zH60r|P{aMduC#Qr`>Qqi*Mbqj1)TF1Z<{=Rc+je-=)oO$9p67YRzBPB22ok@8jK!m
z5|LTEC^c~Ddsoe1g%8-0`ZNezDCTQ_T@SxPwzPDBvJA3X6L=yfKZ3H~)Z~EIbdfBy
z$`Ho<o$S0kjoD}Y^#*oJPrlEVRPv#-2*&b<M9UVd82cZVc{c#+-ka4wc0#48bmD#J
zPpPXP=>Lv^{<r=7pPqX^LDm1_X7fJ-ssBHG2-^@aXyqpG1Y(4YjCdq%pg>JfSVP6W
zTDeu_M}VkEWz_LdS4*T-koq*OKB$z%w>ZT|ED!92_z!>RFTwBm592Zvjn^Nb>UT_5
z?81lgqDZ2?gcNy1jfS+h7I2hZ-rA2ekkxqWkEFXseLo(w%xYBQ)dZ}kqY&K&%c5MR
zCMxm~(Kxwa*E1WdXVECe6Jtxz3p?)eSAt5=4ygb5QU$S0<8i>9yd4$u%}Bs72vfI5
z-opvgMye$R$wA%|y7zT>ZlyzZRAO0aMxz|dS|WF)QtJ)`;SN4fnB~{`oV9Lu-<U52
zv{8S-Zr}&I<*i9Vo?Fr%$DuMy(a%$IW|lo}7N>@`*g^m~m+ew7t#4B)^V7qm3V93c
zZ~n1bIs@Umi8a!%mT494<x3mVge+Y{<=a8(9b~JQFPRjN%TiUC*@<b!Nf4f(crWjU
z7AE9yCzr=e$y+dY<EWPF?%g(;&2fkEk5i^P9-FU_#=OD4L81l5#$Y3p9XLStWwg$&
zH-wjeUQ4bYuU#*V3;+w3R#I)K`V=%<g|alGU#A()(C{DjtZOJowAqcyr=j-i(!S9p
zp)AhBTKM8G%Y)uz-rxcz*XM2AVr+iyu|Z|(^FMuJ>Q{X+dLEoEG3>B^^JSlZgK3IB
zJ;*nF?fqEKnucCG7m`;wsFDt2$pJ<!@Qk=<!6v$GYuKv>O5!S`S0gXf9Ey>2+ZtkS
z^-e3ou4kqDOw9G}-y+#Xb9dnx>BBX-719Vw?99BPb8?b`cWN;fBED(%A}`98!>Fdr
zdN>$&df?;m7(^%S3aQ+0-ThU(Z)R*;UNP!n!-eL){(6k0d?!@AxmKd}Y8v9npp=5t
zg-(^gZAa+_V`hav3THYQcrx8-GM{^@dM92dnhOb}Yfbeo@>3*XgTuy)bYc3G13Tnm
zKcxzE{V%&^&hAK<-S2p<l;>tX1ucWRU(|R^k#kqB7H`9&1N!<p^b(3IxXMGZ<3}Rm
zMg{U57&KD&YD%3uBc*>5xWjgy(xP))>eYN}T=}ZAi~i9$i*>QEC1d}FGCM0sOKqdw
zVJ;MGK)1$HK^p8z?sc@d-Wjc!-b4>2dma~+`v7JU!*-{P_jAB#6xvkE!Yjh1A+tZ+
zuY$yniTWy4S%baNax=HE?$Zs3Z51#7-WK)_q%m=gvZ>JxOn9BqP9m0-xtxq2gb67X
zcIjh}8zi6dVvuKRd~n2;S)EBj7+U=9;hWGpptDMGPbWI?$k81-3w=|DuTXIe-HU0&
z3yYOA{%MJ;Dl1M7f5xR%P)Vbnq#(jF{jrb<&>61sDm>V?qUXr*7Q^M9r>;yM>;$W>
z7@QL9NNO)lKo(jpa?4TS4zk01mmhnnFK2_mYhnc$*8%8D7;oM!yz7sEocfPGt<!wk
zy7+T<-IhVTU%2gu5b~J5zn;rKwql!~+wlMH6NaPzr!Clzo&_N`17UPzgHSA8c=<h9
zt)9$#C3wiieTmGTj4|q?rba`?&$e2*q;T?HE1De9%GVp0L^L@}K8BOUf(l^3VrWC=
z6WKyf(95>2jR_p9u#ZXAKfDM2oT*&l54|TB?VIcZftL-ZM;6(;@v#i)7Qd-&{GLui
zbZ?mS2~oZ!RoJ?Y-v1SWyGd;PK@6pdcl)Dq-O;z3kNC@OwYV{2bHrSl_F8&>E`xJ!
z0DUe%Ad0^ZMss9NKObv|w^Z-0{ca!bu%L|}8Y?s8Wco#Gwr3?nEy6PS)yw%N;<FDv
zjRvV1(;<^zO7qvAx-Kj}jP|<lnNd;&pjodz+wSoLXW%biC&Rf|Y>CCq$T7P+ytyLT
z;m2a$W#;5KEZ7X7p&=%!QEUo=4^z2Hw%jYAU<N(lG8uOds}B-$3;;g7AO$4FAy)&+
z6Cq>TWa5LU*sgJY!r(lz{_bNT=(!0<p0Ah|A57IuQVgbkr@W*Fwn(s?q+GTlN^z?M
z;IAI(WBI6<q@1;Wa7J_EhMUQVorh=KF*uV>&B3*HON!67V<Yo16&-nfm^aF;c^w}#
z$_R`TIXy7%FO!!UmP_c6>=Gci{g<RfjLlMiPZ$#oB-g3wWACV$1fo-=mjbc{Wcg<!
zBu(~&2dbI%SbCLV?fXk0GM}QA;+-6Wgf7ORGPk`hr9c|zh2Y5}Zeq)`icf9^l)ogQ
zV#Y|f=#wrC?hlQszk7d};wYWHlREWEkR)Z5C;pD#(6>S<4lj;x^3l>T>+}oXaw<S|
zV{a36%}fe%sFPEe3_DWoh7nJW(W(bBpViziUQzlW**`()Nctv%U4gOLRcP1jDH%U>
zPHStkGxUvJ)s>NF+9NJZ9;}Yy9S5(pnz3L7t9)Iy9L>puyCMhx3e%o}))c3g&?<8P
z%9k1RL9qHZCjZIo9n@Zyj_@p8HX#{^E|j2$U=T@mf#PaBwah9h8kicw7|Ss>u@hLC
z%&~x%#fp#D(E`dNKRMOrkzGe+P)n>XT@5&3Y}nG&XsXU$l_^7Ko9d^>k3}}^S<!6p
z;4lzW<{SaPC1eyN`v<yiN#C@G%s!6tA?~9WV$ARdc(7sl*(;{{U4NDAnyi?RpAq6N
zRAU%Rq(=cCIGY8Wfr8~$GKszrMHuStMd=4=v<zM-fAkPqNaiQ$?Bo3);bh#mZVZf`
zz@0>&t|twVl*NMPA$&rJ3M!#f^Ls0&fq2dpc&U!E58#nj*2<R!vAQar)D;*V{F6B4
z8v5+J=BYLQwmRW2#BhR(5fsdzQ}*_H2n#F-;psp^N}pioC?LF^y(KYZ<BC0v_@XjQ
zhUhj)exZ?sVoI_}ioQ_3=1E^!m6Ugo?}koX6nsh*GUcXL;R<~ttq-ao`DOLb=O18+
z;et?XURUcluv6m604-9x{+9B2?Pr_g0Z*dYJI#bATYOC5>by_oWJV$VoWHG`;zg&B
zq5i(Gd>1?NJ{#uFZD`zxg{5Nep)Qg6rG^v_1zohyyR!3|f7xp}JE2NQGe*CX-La_3
zm|n<&+bF=d|IrFDvAP*Zi^$|+`5jNdAzzmVNYN5DpOj;C@w+N9gd8<UmP(rSEg@f6
z91YwmNa$=yb9G-({kz{odf!^;Hc(!-Z=jd395Lh~mruaYRe}1Jk7`G9h9O0?kae&k
zw>&s-*jFMS<2)1tK8-gnqfUTb*7Q{<m*3T+I-%NA8c~21xTMc&Hy+T+o|gI9KmhZ;
zt#ix$3eUMcTkN-<5p;gHC*cf}-+8O>BE*|1sk0~v!(EV0=xrH)EVG9IgmJ4{RJrhA
zB<j-3)x3V0|BS@HL6|EXMXaB!LFg&nNRK}Uj&=ELq*-*xSoE=3wC`iH;oXLbYg->1
z(GP3XPvv!}4=go%1_@#fa!=H|#Ur}0s4VeKb*o-Y^9!0~DUwu|M`a~0w#AU4bH!$7
zg@h2r=3cA)%w`SI*}=upTRDqJ$+sbv$n&Ja3zd*Kpa9%ye>p?)jqYRdCWC`6v{9n5
z@!6kenG&bPH_ii!-ia3&xd-4-xFmOtS^~n7Vzhp@T{#Fom^DV-!@6LlxSD}IKPK-_
zV(Xo6oH?}MqvQg$5*!C%Ta}e&*1D+iMw{aG_rga_%-^jU+AN4t7FPB(xx2A7j_g?E
zcx6;4moJGVrId4^M=uS0CU_NqRBT6hlTK+{NvIQ$h9nejxr<DZowQxgubGgCEanK~
zR1TJ9)Qf}thgYK;eK>t|&J!&6BtW37OshFFIp%p@fsw~wmF~?T+~_;Hp5X{=U`!FA
zvebPpKK5d~R;Ako^XZS$Aw>^*(N>`kTyhA@M}A5%_eR+ho1;f`Zw#O9esUxGQ0Fi1
z6i2V5r!_i(A4-wvij?9Wr6XpvrL(*&mCI*SLU;K1Uc`M-s_HaV9w#BcFsgnWE-!TN
zX4n1-+H@7LpetO@A_7Eoi3^yGd1L;JO1jOPTOx)(y<tI~xF~Rr2ac23kC*+tr*FQd
z=;_dngx?`vK%Qc`@%IS>%*D1R6@0I2^>??534NAs>9>@rnv@b_f0ks}Zqyc~nP7$2
zksG2WlYwB!&(Z}jwYLsCwtAQL6n_hSh0Urq!Rl^cQlLN=>u+YnHR<ja>HC@I3F?s>
zWYU`@f!CC5RNG8|xYBVu9=%==`Eg|+_eRv%0+2UY*qbWM=y@ghG@om%F@iq==m3@M
zewK*<oYMcdTbm1yB38)Ja)bgVXP{l`RYr!4W&9+Aq!1&S#KY0VU{y2}yCg+Q@MF9R
zk&#k8#_~5FRH0bHDPRhP46Q%_e?umP8x|1?R$p(QP_aalgI@U>JSB!x>w^J}{`*2N
zoPhish-A*%T$A>2an-|}lxP&i>}zs>ij?GXQBzbWPpG4z!mCVzu^F**Trygum^DyL
zQKScDlHB)m!cxjk-__SGzI34$mW>|jPSmIlh_vVaXu~dj8Ixr#s*m~nq7?K87@hW-
zD1Ytzb&E=<`13aYGk@r0E~X?jR(RYa=GeUPq(~r*dn+oC4u>Xwp9_|a+URel7n<zw
zl;(?H1x#sAEY2luU-B#QhuXCsNn0^;cNLFz3=HBPJ2QDDD8)EwxUQ={Fo@AWIeM)-
zLA-)ic&kD+jIjFXc?wc3RTvb15o|!a6IwCJj-T00ks=5evKl`mwqT#83QwN|2gT?q
zb=@J#0n>&#jh9PJj}vU$kR1MYR-f&nyd`#ZP$++~39xhW3|LFYaku+JCF9<IQgcBQ
zYZYIkZ2eIeHql=-9J#*&2=DFiiai^iDX24z9~Fxf8AU<v7?E*m<sd~yQN0%qwaUl%
zx+YcJE|)4ysa<K&6&ebvA<Yha?#i^6f~E-d8K)>L=LBdePDZJ-8kCq&S3^-Doyz6w
z(cK%>Uv?ZrG|~=Qrr2sv-<}un4|54-k9yA;2YA8~43)Q=KjqgeTrlo)f!3dq_V+GA
z;d&RutTyfmXuM1g4<z-n>ulF7If@s~q!%Tk&_!?>oqt$R5p5~F7Kv)Um0b_Wfem3-
znZ3UD>p_I(%0j5)K(3A?B?OJi{a-_{fXg!v=RPyv@WWT0nQt493OyeC2Dd3m@wdF*
zCk7A$mb`o~e&1XvUzo+(K65Cny(_En!Dh|gpN%_h%vypkh?&@Aw;Ef~1|>g`fgWAa
zt5~48U4?q5UGYkKuUO>B&}-T!un32R8O3d4I7NLytO&@=3#a052^HT#4KqeP@CPLs
zP|l13NWn5LUj3L@XP|!Kcb%YJQOb3Po2BIyPNh42eA`5aQ!K1q>jqYo=tcaYeA?3Q
z+$jw!9u=`FXzMGbY$iZE2ePR^rH!;<R;QUV3S#_eI^{jlw;|D~KlcDDO!+)~@Z$^A
z8k;0eGZwb<iU~^0;$XNN{86;L@Ou+v;h@J+&D|-vsqZepN?omBuexfAqY~_jAi_2*
zgtX6^(Y&Dn@J`CJ@r~qPrd;15NAtHlnp@fSyVA4vi8LWP+hH30rh?kbnaG@oJ359Z
z=R_-9<QxT`QnyxMQdqgPeGBAWgiq4e`c$ERj8ECGANm7KjSzA0#`W8t1|!z+?6f~%
zRpZR!v>RpEOdspjM{eEV<{^IbPFnnCYv#bz-^`n=Kg0-5<mg_qP-P?=g4WQ~d`;(A
zfKldc(pd;Q7+!LCj>K$!0h(hCqQZWOIdbC}tFaNZm)ScwU>QR1J#@+!BCjuv<_D8{
zf8EH!03qeO%RR5*2F0{>Z33OIayEKT^Aa|GH|l9HEmd#?FVO3oK#}C!%lo%j1KPXA
zp@fV;3>@8<C9mI1rvf})II^H?Zo(6c8(MUO_@e4Jc1@JCg>!c*zx%>0l$As?Z~TWl
z&Gxhq>q+YM+UuKS0k7m1*X)rQM14vw1o7Oi%qVvqeXQ9v+|N>GtGy*sQ0$>|<o9ww
zJpLunGK=@Q#J~_sKR{TSawK5U>oTPDbY;MKH*^t#=EW0XRHex~fb^ZMQ#n7_o#fIh
zm*|Fj*d9)?YZy-l2wuKm4yXv?W>E6g!QPaV92v*C{)}Iao=Do9%J_wHt~M|HNd{qR
z0{gcWI)qx1fjzEM7fqOMOX=b(-8c*E1$&g^Ed~mvy~J_c5)8!w3>(7b7E6J!=e4v+
zQzcd&nrWZD8oTRu@|hfx{h7!I{Tu5eCsnEMZsY*=e2aqzm1{4d)-xpzC}fv6nQSwl
zsk@e5#XovxxMF&++kh!zOng{5+nk};k`lM^%Pu@i%G^~XkPwfaq^NgIq^Alm8kCEl
z0JSuB*VDGUvx8FP<v!kv3l9Srxu7a;Rh!fII4l=v@8#w8!tDTS_tvr}>h*I0U%Y$=
zO1<TO``dbpezq2-!TZ$IqEUb5qW_-9r7j-f)?(e6zI5s(+3J)w=4{1fmFr9qf~P6u
z9}OL5&-#HPj)58CiQxEMA0^-Ji+}GIQLsa;pH)Krhs9Ek)WkRQ?ADe9_!jtK9}ByA
zvTI1gM?25qHVa*t^)m#}vi@05vg~P;wUVDsApJlPeZuLTB36M@7$vy;K4pgr1R6%|
z1hT@bGmjQ&8d$x{yuDHT!{&=72TJUGJUa1lDfU0c&kAra6{br>&l&>32sq8(;!sj~
z%rzp6VF#D;qQbJg$k;~30{M%rfc2FIDwY@V@AOX*w5q8rESc1i%$V<_RvPsS_Zq;;
zr<ikvq<T@@KGL=C3&M|Y@HJ;wDMcKb_Hs!by+}0bbf(#}SJ&NcGP&Yqzj*7P(QTp1
zp}NS?y70WuDuugV&pe47^7Dcu#W;fr2CnC_eoU>eIX;wSj<nfYM%amUAGC8cpqPa7
zY<aDmoqd8BPVMjY0W@6s-TcO)%=;<F!Lht2cHn43Y=((f%%rgIAFoY2u<~+Odv|3h
z-N?7y1C%lm*{Uwp5*y`}qKKnO+Z42E0T8ZE2T#rg%zfjwaW9wKQgNvjeg3vZE(?bi
zY9)P-nv+qVW2PO@2Oq2-e6T&GoEup;8r+m6UDrEqe@}a1Q5KoiTvN*>XdIhUKBf0=
z<fES3XdWVIYs7VYFcldhBCzYxd=VX_;oEDlk^e22#ZJr1f6ZXdM)UV2Z#QIRQmDPJ
z+ZY#wC80QstpAjBG4lH2)?0<m6Tiew_QY#RVrzAMCGRASnY7y$ruU@`JLTu|Co|H%
zfqG@%<|6C4jMV5>!30<GIKxEj<*&PJIyUz10L})d6Us7_G4UpgR!SrLa@W&aHOm$O
z-&-~Eu1uxe^|WKiQ9Fz@XLe|Ij#8n2tr?Ppl%d56+PpbjLd+%5L_qAkp!{nFsQQ$~
z%bVf?mCfOPk4ScTK4Th3HjHzrO?wUAma_`YN(&?Ncq%XU-CpsORPXi%on5{5G0_R#
zT~*jy+fZggMOX&ur|n`5dlQCc5A(hD@{)9{JSj}kc>%$KNyFw-8IktZyAF@#*3)Dr
zGAw5fFrX5_`(rSY?s1fL`lrViWjzxkGfpchOUFkSBB_|mJ2o3ZejXSTb4-pGRxF6t
z{Y6Ri{aI!-B7)3OO|ip6S_OBd0&{z&EIfXSBS$I(_Ffxu`LkzM90fOe0qSCt#~B&|
ztWev`iL;(w8WDdUWriIhZwdVJVuUB)%^z!zP=49bbScYy1`A2}o#^}d_CO%fd`VvU
z_;0HM74Qbji2aYf3N^8<&Szgt7nfs5^<WmIvp~kvyug=hlwCgsAU%HzG=W^v)nULt
zG3>FrZK?k-7}{81d)8}FV<H*u2stM~K2PfBM=g90J%x&j{!<U?>%RbvR%6ixA~nG`
zWOuLs@J!G*H%+`-W(yq7=@33&E(QQI&LNcJ4zjVog-T6g6Bns#s81#M#A~i@?DP62
zt>sXu3l$^x9!hVQsRMB19(KhvtShb13V`{V=B|QZ_l*@T1w^t~YXiYhdh%ErX{q%r
z%<m%99za}*EEAe^J!E9Xph9cI2gM`wfg3W`q2AntIDMs&M+bRZkz}GB9mr#9DUHOh
z;^9sNcDp@wS5<m>ox!$yY>KpQPmeDl+WCYaOiF>+Tq(|~MdJ9aNBkA(k`BOo@dAsA
zHA+WJ{$Jq5{GNY>7YBNE02_LW4?;F9H=ZKjR?8$iwISYyUuvm^JGDqyK*77w>Ka(x
z7hVcT*0*dCEa!<qLeNWJgQaf3ql6*PP%y;}UmHaf`C|HsK{Ow|Fh`IvrZZ~r-_!Rg
zdU2Ql%aYd=K<ovQOF~KKKud#<`QzmcgSo=!Ll5D5`wDZtFywoy(XxHt^;_xN2Yf5g
zPoj$_5gtKZ_GF06<<HW`f;1eyRvf$dj2K<b!V%9f93b-E#6><3xGuGUq=F=83V^iF
z|48igYkpgoWby8yMXi{TvCuhG0T&Fi(2@(|Ea3V8BiH*e0OPe6|C90BgH;5O?C|+>
zUs}S=0a104^6Ui%u;QohnndQ_%P~|8`9@9QA5(@37(JU|x>u>_ZOh{>MV1haDFG6G
zxJr_I1kdXTjfokSvf6&fgBUd|Gzw$>8?lDSYay#WWINa9*cvFa8S=uSr6ZU5v|5GV
zFT{>Y$DfMnR<XhE!~~#1-XlszOUXY3)2sR_3>wM&*|tM>C_zBIgCK(5*#`!!Zr@v`
ze8Ok!whE?~@XZja_ELy!z{?2HLeAMlc}i1J{8iF*Yxb)xbJk#)x6veL?*Y)=Z?kW!
zw6k0s!RRt`vVv(iq1!EAkTVVr1su=(uVn^2|JO1D0P80dSG_d!p2vb5EwRgC@k^cE
z+wPMRPc+V#$|5}>a_BNWa)84EASvyvr#afEhdKJ#)hbs4P2-{jr)dMBRBMr)lUw?m
zsf+T2j~oQ9Cc~`W(M_c^fSQmg9t>cqQg3(I@_-<@l2Vc~?9nSSgG5s-?1J*5kvwV2
zIV5UQgcy*2v=FwB<Mkcfj!7@Cdg)dTQR97VvRKKw@&MMIO4;<6q;3X!)M2Ux0G=eo
z`scp1)x5Eeqy!|ls!9e_tJ0T<B8-bxbC|PlMtm@FwgpCtGmT3N8S*+#+giH?S<r^}
ziigJ8YCKqyG(JH=lWDz60)TnMMmj{r*$nJ_+o2dDcMqIFQJeEfOWRg?{e3YaC-4EC
zN=|$C-5)jPkX6uBy_vp=l^u$%YaCS=0F?@4_Jwa`C1L_Y-V^htU*g#nSxfEXwIl=w
z+Qu8q-%S0G(-Iya3ss)zP+ag&%BWLsw3sJoGtadwuJgCOVlabE*fs)?+y^;nCevS*
z&aZ2%;wp<0_e|V)lAuw^g;D?I#*mW-%)A9+J-sT$tabHqc}JJc0c~TamIt!B?BJ@3
zT(?zsg3>Fw6V0KA9$9x(W(d?;pFOs8j+hJbwwC5XjK5k`_WOBr&VU&R0t((3x$Wtu
z@HM=~cD}nPJqAE}Sd=K~1hb;vZt=yX8eC+%KVzkZ&dx{T2*RzJzq6Z%cRi3yHii*l
zYt^H3Z&sJ4=VZF5A{6@4%mytqHqUt3;y)3rb#1SSuaWCII!^*g?DDdXspQ^!t941-
z(>q?pg}IBxa%;75N{9KkR%hhy#5VsQor*Egp${8|{GM2#^3YiQ9XCDm8JAPV<qAGF
zhfdngT1Myfll%ATuS)kOTUObS5&B!`RkG*M0O<iSf+V{qlu)&lvj&@=5T`p2wN26P
z0Zh)#^kLMeEbVFUCje@&)v3Wmu5Iq=p@<6H2N;@B`@|YN%6rfX@g4;=JwneOOlH}_
zCtS(>L|+Eyy&WIB&%l~Fo6^^R;5N%Si%QvRS(2M&kMo^#Sel77`2oKVw6&!RnGuHm
zSFaUE?!F#Ets{azHx$|)n`DJt)S_3hAYqC<%OGxdc)DcgDXC>YC0I%aT)fk4Egyyd
z!il&Y*BQ{`>k88lo}Fx|{kIloH9=t7Bhn0`VIQ6`PcC*Iz^z_>F)sw&x9)s$h&fBx
z@$a$Wf$_@%FB6Q5`fktGs~Zg=RIPZyr*Og4X`rSe3g3Zb_Q4VEsEhs<K|s?g89=hJ
zFI8CC)A~`xcN;07l1gwZL+{VCx^3!R-_|frz5Qa}W0OhAQ)2FG3JC>NKZ5VCI3kY{
z^kYnVlg`uS@4m%z^*39BSMwS<3O4$CJMdcN06FuzHN^F!fn?LHeI~+UjUc}AThfXt
zwtvHGnO2HmbM&$YF+Zlr<z^+NR^G{?Z>3LA#~#_!a5Z*@MG&sUX`!rPkM+}F5!E}p
zwN}hMd4BlOQ2%<N32OAh(&rbiDIWu7L%%$Xg)eSmUcSVbYd!j3gL8m6G68RqB%1gS
z-*9em4Y~2;w=<6E!toU^th#e|;ISl6jPNeemu0|oCs865wH9tb($xff&mVdd_S0BD
zkNm?}zuvt|mrOgvSa_}w5@6}liObWu@=*@c<lN*=a_4ZtTC}|>TDt;h5s8u+*=piy
z_)+#*Jj#g#RCw4YT`Tti^W^uB&^(F*95J1_8|YACxSCpg)Q3Cz3%$|fhbxRhrxG-O
zn{~L0N)Qq67KJlSU#}ssryj^MO_zOo-G}=?J{ZgFD;O?<U<BLx^vv*Q;p30TtYrZo
z3i$VOeeE8*G!~xi7wwm}ZjN4lmCHNc$o-Ll8HWc+1rOfn)6o*Ur9r~%|Em$%0Sp3X
zH1ngl&`rji=F>Tcnqll^ovc~2vD^^GSy^XKQq5x%1V}SnbVN<gj&E~{Gw#J`UIhv6
z8^iMdKQMGRkgK;<-;C_=_)YuSt9L2;EO$Iyud%nv|02ZK_faye{gRh&lh59j&|-(3
z)&m>Mrsq2Pqa~Rn48OCA0-c^wyn=TZ4f&o$54<GFHc0`(QYAF(JQ_apW=Y#OKH`~L
z{H&#psD9RLN8L8f-{-2SuU9|BKGl&Yw42Y?N@y!={MY@ltOAu>$gh>Z0ZO)1EKN0L
z?c_`}{t6Dkxtk1{<5?7~D_sh&TXQK2b{4Jf--O)&1RFrh^b)tUha9`eliWcaCm1jV
zV+eHNO^&Jg!@WA#M=Q?5xAbFT3%ur^cYFzNd6W9tCmz%{I2#Jub;#!304F>@5Vl}`
zy0x~T*`Fs$qgGUS1}^hOl_P;GkSM+MH49jX5<V`>jWCs0d~br<_vrI6$sTExU(za?
z;*Ujuyq-Q8mYMudQRkK*3?<=*16iWl+LAIf-Wcy`#F0C*UQF+P$ujXcLnYC+%y1q_
zGi#yuzsXu^6VDBGe7Du#lfP8s0b%c8h4($XtZ70pT`H?hh4W&isp5Ituit>;XBG3s
zs=%Rt129vr$X!EgvQw7Q9?Hsh24{G6RV+T&{nJJ8RRXF&vENXFgO?{AU?ciAOKtqt
z5GEq^1T2xtOpc6YUvWa<to1`%@l4NOk2VHvtZBm6{`QldVFIvJ&olN2)`@ci?_2$J
zWNP>i2mk+>jjHZ1tNe*+GYw_H>jY3FpbcJNfrKiA<{F2$)Ruz$W!t+J4@JY#^v41T
z&vlv&m<iV)K0yVowbKmah1g9D3S@HbT$^>?zoOH?)8bG-KoCI0y@7n~Py0)De4Te+
zm11$3u1&@O?|h-jlSaU-cb?pq8qF8kwfpiVh6G;)ZJ8M`B5ODc#wp*_zT*2{yV2gV
zvk|Js!xfjwXq$oK%8R2Af5VphX1cpTR3y8gDE-*_&<4r(uEk0B<xa<;fs;Mp#^RsE
zS9%?03#hVM5y%tF5KUm@6h{hPZIlk|oB>FKfY7=afMe9SaD=HZJ3cnZlGZL0jOr<t
zt9csA9bLcPuIuOlDj&1wtkP2+9zAlEiWJlVS^46OM>WqZS7C?y!%_?xeU!C+wbW7o
zFCKs&Rt}gWk8;GJa}A9^jbbkn%+6~M0iW9_gRm;f6jy_R%7pd(v$?LrfNc6A7(qam
zPG6GVq@X)R?9P~9SGY~Ok)|Bo>IN<+es%PZr$7OR)yo*`XKqW}H9|4<8;|3GlklV0
z9Bu64Q8N@@DN>aBXbJ~y;lE_^tvr(`=aO-SV#N^p=)wXpn{5f%)RBOhtExBqm20-`
z{NrYGL5wNOD$c-Uv|$(@e4}AAoxpf&@zS9q@ms`)GQ@%+C^gzE*05qY+9Fl+B$6&R
zumxrwgJTsPo;lYX8tpOsdS6LNMiNpO*+%`q!O+K`ExhPNirT9m8jfGb7sMGW7@z|g
z1bgfx_0ic0@_Wf%Qf$P?_vk-hNq;|Rm>))<AsCm`=$pU-5pYrZrdpcLg55LBWWSiE
z-&eGBJxegRV&A1jM!<s|&V}xMm<&IPR~3>guDT6lD=wBdh^mf`{93`(QE6f}OMMhR
zC~t==_%a!b<;Ftq2Zpy+K^9TZ%kZ_k;8n2Y@C?(pXA0*LB)z5f>>K=3SbD5;;QgrQ
znr(CC{LrMj0SU)h*4tJ)9T)r?@4dw3!kNL8`-F;b{|!m~K@$K8Hqea_+qA$wqG0Eg
z_A3JqRs=;JE7my5oV~Oa50uef5c&+SW_<}<i(5xuEi7JrGxYkX11nb|&(Hfto186`
z^<+r``|-8zZjI0F0AwPQw;}bNdltV4;TV0SONM#^v|}}IlWcrl8{>Ahm#|M=GM{De
zIh}(18Qmch2*hdaK+2Tc^YrG?$QxgO2{|2UTBNZ_WBV0TjWBcNp8n>@`Nm61;rau#
z%9PlB=q10z!kNE=X)mCYAa5S+jc~aUt^!<2ORXcz?l49=VCVRGvmGkQzCzEf?xJoi
zbIfV7OwkfrIQD8I{QxO;P^4z952ImLe@QV=98~$f_k$CdEUt2Lo$v=7<?69NQs;?j
z%1+v0n|G-`VY+_WdfXySSTsF2>v8P{bmD<z%4`d0cjBqV7aIIb>@+RD253S#7X`$8
znIu$u8q2JJyEwZYT%p%?OZfS_`$bPQ9QB8UZ)EjlA>sbNpq7A&dxi<r_bCj@{DN@Q
z2n;ISeuYEyeHMIR4Ut!wb{m`NMXM}qRD^jBVb#9P-jkIFb8O7;JXT?rOe0pht@1PJ
zDru~m$Y!gw>6+wA_^9#kLiOxGI{%dbBsYquSp&Nk9Iz^X)J#0OHpJm%=&C`>AMuU5
z`JY`MZz(S#>%+)hCr}~{i0ZA3ad`!_9HjM<N}i|QLoEXS&n!Ej=I4vSHK@2!+s1NP
zj5}1;FVyZs2+T7GK?4ai$&96%aEJ_CK3H+f$?-_GovBvLd#asA?VTjW!tW_<?`p4f
z!&ROI9{Z}PZ;e!xKz#!}+HNI(MFDGUhxVaDhh)Qwq(CamSMZH4GUGf?oVEQe{AfX=
zoAq+BZt+@2Dn<fnv(soSlUY_3mMi+YML{S9VpUtu=0M~lLeOalUyCkel>|)M4CCws
z5cJ|AyconTjQNzxXdj~raH7MCWF!eaj#Ghop`%fT??eegPXpLb0Bx_0hMiWE8@8*i
zo5r01rvFx9s?fCPmbrQ9Qb57L3eIPg@s<L>RzEy1!8Lxn!2G%Y5?{DD>LG~;R;e+*
znkrhz5pL6si=@T~L0^FM_$EMhk}Ikzkh|Hla6%cZ<=Sn7Keo0s>_Fx3#$!8pbOgbp
z7If!xe8~&SJ!VTNv7_gWj-oz?P}%ibV%g_d)$qsIcdqze*1yH~fIx%5J!;Nl`$ahA
zsSSFWNKK1OAC%cO#Am%a-_Z6oExJ?i<_znFk;zStz2%jNy~^+3nZ1OYD}RoNkBR9q
zbYWK<9(fvJs(6gaS)9e_^|ukw<>!0{ZShs;P$Wr&i)PC4CWPO3*^)nht&_DR%zZCA
z$Y*Uc%@X!6J%$W_FH<M{H5Qsgi_{6zDV0@1-GSwBKAg}WnRr_7Zb0@P-Tx7Y1Bja@
zW4Fb4DHi*=_{vO8yhXXMh3;4?spGXW4KP|cT5AI^A=!>Vn6LrqQmpnRN2_{C>TIC>
zOl_G+tMtGTtk}usX0O(K=1%@WoBi?8-r+cOHQMBLgDL~LRhs`#Zr%?S%zqaB`F9~h
z(e-Z#G2s4y_{Laf`zs;i^NHatFKtF`A}Jin9Wm=O?URtfvc)r&t8<nVqd14~xVdlh
zP;^a5E}O6qAsJf^A1w8ChNGt#Jvc7M-3J{~oIyfOHuMoTeQ+^j6FOP4Klxm(Z6e{n
zq`H3u6ToZf7`RqZY5(Hazq<jqL{E3EUuar8dr<Ga5`%lZlS0ARv1vN2fMUBF4-hWX
ziH)EZN#j2bbah_T)h*Yt@vanq)4J2Ke8C0sy^5#ZuU97rtzI8Ba#+|H2b;X!8#a4b
zJ)b#?yd{kDur-PbQ@JkugdnW(N1;=NsAcFT4lOXCr!Yt>A61qKoR6KNSo}?tKQLLn
ze{$};??F7R;(atwftC!^vpc+fh-r-nq%HsQ-v;aHtL^j51$9y^A2S`FL-#j%qsQJO
z&|X<_C)~o;<gm_QX0rIRz7Klb)D?z{&$Gemz{GOY9aU+;aCoenfy?;pXTNRXBvhHx
zqA0~5nI7rp1u5(ty$twfCpCEU2s}{Lq2~S`4B4B#;dQn<xge<)2?QF_tOEJA3Q5@%
zn5}Pq4IS6_y$3o~E|Uj~7&Gb_5jeeu1`p!>5dqtM{dc*|mjx?=$^XXs<K~S4E7azF
z5Dl-Y%sFMY_Z;=$^O#ku1J?$t-q*6;Mp8Zp`jEAPU;&tCi*~o~c8ElwuH@;Oaq}tZ
z%HOV;Ce?Wbt_`Q|<c(^)B^2||rN15$F#*}A;w};J)@xMsMM)2ANW8?HWho=R#og(D
z+~4m=X|R&Wi9Hix$3*SqdGgTrOOz8ja?oVdtGUzlCimIC)Y2VCreEH_9jzOenDgns
z13t*b5hVRpea_L@;}w<;4bRR$6n|-nO8ZsZqtv@vob)FysON(6xJ0rrx_d!<agQaD
zW*p@0IUY^6q1ZN%U|o#~(c-}No0+Xpl`qlTi4F2BdH!1T;N=$D%t_~Pol34{TJ$#)
zUd1G)vOmcm`lG#mlZcyzMy$o?5A}`>OD&83KKIw@nnXPnWe`SfV{FNxfLCx;0|xJK
z|IQ^>kYvFsds-liUEhJu4C+bG6ge;4Z?&=q$W-FFG=JN+HIn+--fgi*SLMJUD!p0V
ze{WOfA73!M#Z5GQO~_Dx9H4zi7(n)N=6SE?edpD1H`6C3MZl2aDP@Yi@y$E^f{ff)
zFZL7E+g9)a82@Jw;wnym_!cR$@f|9E=x_U5owg%_u!~2W7>#tbEC|p|NX+>&+ufxz
z&xNqKJ!zp%>j%fMzA$4IubAT%n@qfNaLY6LbB(|MBC_YX_9szG$>lQfB~*#>NH8>$
zF~+sd<a)pb8-T!HesYl1$D6wQssS`$MA3cB0CNAl64b8UZR1`3!})OBVSuQ2X1JCA
zojv#GSiqnoKWb0-Xz$#fpDiNu?gqRtakZt^?%Bzk&x%Y=oEZbX-=@DZUX3Sej8U7k
z30nh<)a-UK-lQh^^2gr|^|j~~DFFwp{eYk$2wQa!??^3W`ogXE@Hf)Ug(l2b@`Ho9
z&Mc!Z?c}sEj9AZr9>f%#?iHoS>#VL9+f2r3habpfwrZuz^T~`e`sTN-f~fD!1gMiW
z>F+cE1WF*Lh+*|+z`dyo6$Zu<U+Z+c@VeKmhXJT%9X=QeaQI&H`$<t3psT`4fjOAU
zABb5FOh%8ew46fjcQyd5anuEGX=|KXQYHH>GB>gw@QtXW(ppj1=0)D+_x%l6uvc5;
zpoX*MOF_CY8u4FweGCzhpV!z6Io`(1I}$T*%iAQptvYrmplr=TVKmT3C%!;M$c#A$
z@chU^9O@J_wDoFjqSKLZjlRQe<G>na+3jP>9~dDznq!hOViu)(Cf|Pi@*VMqayMx`
zu|aV4zv3;3v7>-FGH;FYoY&cHGpFOti!7Coqg@9FrLgopdQxubH(U3VOD-qDIMz;e
z?YZ7uH@G_t7ng_E<gG90;g{%5sqzhMHInw?5?yqPA=6@<Y?;_M4H8bN7olq7wK}|+
z$kf7Z8-=Ry#exV!`13WcJs#3q(K6BGRcVTW>%_$6>&s5U^K2wZ&!iXt5%t}Y0DY}I
zn_~ym^@~B4_E{})uaG^FiNVVWsQ(6_%xne{lmXoq>TdxHrduJu*uPajG2CS4e-v25
zZ?=HTiqv>%I@JX`l`o)BpOee+C3bk7vbzAUZ;7}cweSHUSk6|S()&FL3YkQ}dWE<I
z`N4<l6&Hc>WV-jAmQ2e7#_Prh`hM(IlkySN;ASTwaPP!e`}QnT_J<!Y)FXkJ{T3Z3
zwPgq0Yr}FZL+q9tN?pl++;<l_YbU16!;)weAc<9v0qA^GrS1<J)$@S&<l)YqQ>e5R
z;PKlZ9n+&jzaQIczLut#?@4K`J=jOXWPgzMDqp)CP%}C^6;|w(TOV|JWLCpG>HL;?
z9@87BX!40zkw@yPqSCRRw}fY<R}{oDj&DwZ+)r|R#x0U$OlrI>4zuzdvU)MLD~Z-;
znbMSf6sHTE3o&}WGq6T_MB+z@8`bG(ZGFp3-Q;>wDTlv--7C&3Y^@!o^%Uv@_jV=U
z_kbQiY(o3h#%v4wApY_lql(EU^B=iD0M^J8{{bihsLKVG&NnCx3{vzCg#sKsAWFMQ
zyg%{Xcn{RiV_9v|q`Ct?cDwegzE3OLjc2O|@csbS-nt)H$Nz=3XE45O)jnF--a`N}
z2Pc&i%kwiF@5chMlINU-zbsM*w>wt`pFWpFk<wuo2nJp17<bTVIuN*^lFrm#Tee&-
ztrP+-Rw$6|c2EP2;Y&EkS3L8fd=2|L*FKB@Jg#z<Tp6%3OL5&|*-`*4Y03D$9Vnun
zl5IkfRVc8Eg&@Un#&V3*#6xBi+0eq|&_L5#k))=>zk`ebw-wiL@+c-PL>^VlOT$%%
zuHsFvCcNTeuY9vJEQh^ruo;}@Cb4J-a0dFH>~P7;IVvd<M;+O9>dG%2lO58`1<w_x
zc`|TMP|C>E%5gZ#t0jT|WVi3JLqhG0gVs^Gi=Uem<;~fr1;(_-7VcHeRrw~Uq-}V>
z2>ZvQ@{x3>lw)wyPhTZvtoT1dxp!2b4d%-Hb7dI6T=ki=kK0lW)}}DV*9y?_+l0<t
zqI350!$Ay&NTA#*amodRTF7PE<cyp>xgu)t#<q&Y;%0t?W*J&A0m#Mz#!W3&>gqiH
zjEub(V0uuwm(@UFsaoIm`7j&k9JRzHK<T*fI}*tUY5K8%Nee_tFz)z=NoU9pFJC;R
zPyS>{vXk+59PL;Y`ksT-K{?o3=b=pD^29xJ(zgbG0sV-v#Mh8yc*dB*+l={_nW(S5
zt)#otu@z@)w#9vr=TL}yy-4q_O{D*QY4Lb(?(n?xO+VKE;qFbtl3x3^QCpTaI5ev{
zP^-Zvr5r02vR11>&C<#N$4t!uwG1ajEK4g(E9a4{oN~Y%z?sxlrl?dZD2O<OrieHJ
z0s{MQ-S_ihAJ2R5XYc*xJ>HLT*#DZZ>o=Ug^K3^vWDimyvA*c0=KpBdJOcj(xPU%^
zJIKL#$95ce7a1axt&pl0Mo5UU)_+_r+fMxS&_VyBvs}iVW5`wM#V~x!@--FxFz2o-
zb)KKhOPe9O{?4}COQffDr&T_%)FtS|3SHvUeB9Xvv@%CoC)K=g$@8Mw6m*YzmyL3C
z63<%B|Kw~VyFWG1=9HIKJ(|`gyaRAxe)u=&E$SEOtxv?NK?%;C;e8J!h~W;9Ex#Y(
zH2y}GZuC33r*}SPx6O7dYY!_>?*^I4XZNeUU#GTg*Jv%*eMI)V({9Hs1So~Im#9Q-
z@2R(fS1HK3(8BaxTaGTruHiXhh8FO%uJCXo%?p9PGIzEwfR(|@-O6$Gk$S4D7SHLR
zt3;ptNP=8$QDdeZx)-~W!RVRQ-&WDqe1MraOsHGz&h&9MWEGo2ACgm{fqu@&Om^dQ
z_@IF1(>X!fasw{9fHDxV9wGkQdWA*|5O8~PW%R*i1ET4pCqJU~c0lCxqMvz}`dM=5
z!N+okaN#dthN?Y%?T^NR5DV=VtxJK&B*vJvMz{-Fn)`sh3tCbEx$7(TgiM*8PQ(6S
zKb-#Ow)$4dHVr$YV}p8n$V`9CivRnDQ#XmYFQ@!OeQi8Wd@KTvOua?xeeaJc5OeGQ
zn=%EnCTIIZ@04*gxHILbT+CJ*N4e_r3ZExW|7gxG(z=(%O3Jy|t&p5_-{BhNkoB~!
zNf^Mg($0^In2mpW-)QZ0KGhLKE<3)`0N!Ouk8}9$FNpXgNu8?|i!y=7H}~zlo@g!?
zVSU#b!S2NoT<mmTC`YZdtN!yAs0ODGQ*_O9;=0$!%()Ef0?Z<VPCpf7uYA6FtZ{#~
zrh%&RgP=bfy;E38et4(3o>aUZ=Ub6uGhT-(7A;GzT*R?~^!}yjlXp=!^341QM-SaG
zFRhHc^Z~lhG(ZZ-(@=1QFqey!QU7Xr*8NUQO~tH8%n_?#6;|UQ92Ig*%WH*$X=xuW
zxfOx39d%+t@ASDj;lBA}rvX|5ZimvaeoMm%{j~7J*uFxeqrQC3xajP20Ws}P!#KKd
zxGLrhvOs8YhXJ0cQmjWn?n=pzzU9B|QGV07Lgs0dmp?{#mWMS`YOHCJ2<QKM7$#7a
z+~lSW6(sF4IPgbDz0T-NZA-2CiTL;M!<6&tfN3-3)sabs|44mlAEkHuHlNcbYO6oF
zIh>dlp%sRST!`N?l@!nI8ErUhUnlfy^ZzT=mc~=25wL0ih%dtos@f67y0!{BjBti=
z96*u-dAXuh4^N%6ffX=9xbrc0{EwD{W-tRq7dC4(9&^}4^w;?4#rCLhKZ_Gd=Dz2?
zd{_GHjC8DlJC-M&DiyKS%*s%ucGG5DCwuFoP<mRmi2qIO-tB}5Ysv@f%I#=RYf6h;
zZkit9uE<VINc74>hg^`PyO8ujQAT3;)<#2oqI0OYcO;QPm?b9MHuIFv1<3(afi>Qf
zY<``;x1?DDRF|`RD+vewQ#d9p|H0CY;g3}YukV_J;ryV92jwfgJ3`|!nA~`|l_BCt
zA5b`QTb7^8j2M!EjO9w`)PUHM#G^-2H==>P^HXwVgy-$s&?w2-c+{{x&Go>30Yt?n
zl{~%Wg?umkdXe>AjH$1*^Z3?_HCI1s!bF%~ovijQ27fu8S>g&874a!W1ya#}Flvx7
zHT`S+w*~GDf*1H^=D!r$hw7(WDZL6^@7=;lpdnJuyu4|q7u~0%70i9f%$NImcF>aE
z${ZYoRhfoc>xGf$SxHXk$IN8=CH<+;gQX3-lcjGuFoRB|Fe>efmMhPjy489CN87cM
z4eRQu6mmYmla3H>6C3X0>RPK4UMr{JM$JW`>Fx<s+=NqTpTN9S*R?mdu6ef@dxbE~
zyUNC1w371w*Ep$vhi5`XN>nIy`{7G=TTGJ_0zx+eRghc8ms_=a0dZ0y@K-;Zn6eX)
z_$E@ALM4qOJN#uh$=~~O6IfwIl#E{s|AkMAwmxHzc97&tv^P`^GxIj76E6I&lw98T
zkekMgLx^tuXf?}L?tRYxM~?r2itNNQ3N2U7Et$ECzhgVVEA=0&qv4tVGKyqBmW-_c
zHAi#)ft$(QukS|uDeM=aIQtKUvcMgbngZtW^iL)~Ez!;N8<-(duLQbo(ikwFypb^#
zx=?rAR&s+M8r1p;5nS=LxRlYBT?Pq*2>vXIjJ)vrazqB>TcMO=LCam0-#J}|uT^OF
zeT}YD^wfgd{$<~uaS@&V1IU~W8fthi1`0z}1R|W|FMITLD(@YjO)KNubk3er&Ub%}
zCiLw2^M<WgAJ-Xw<L`0*m|knpQBD&YAK`_12Obz7JJnM@*%~oQEH`@q7<E^3QBk6$
zRau`RK2TiY%>*<trn|qe4=ZgA*cqg?xu7jN)U}|=J9MM&O|_Zs(~BX-w6TjleWX1_
z`_wFBBc8b)ea5TRu5E&JAd^Ff5<|R<hFp4Q3$RXi@1N<1)QIe;+I-U(pOeMAkrz-~
zIr=Qsggi6Zo_pEPP_-4$T?WrT<mQnE5sLmuUD~;3;N@<A#e5DI){bALW9%-{?OMxB
zCIu*afWD?)=_EmuAu$ITz>f!(9Kty20@m)PFeiIgHGlY@#I)CYM(L{ZzKd?hHEKKD
zc&C~J<R0MyR7^&UV#uDGe*%d)BgkW-l5ZS;_IP^E+CBSUZMu4$Iz9f!)mAO*C%QUN
zwd{VjEdiac+i_pqhuJwg@lm+^AcUGnm(~62GJ?p{m#SvcTAby8;-?6Aq6RDghKgtB
zPG@cW5I-VJU+wUb>nJrn?zf7Zp1V;d&0=SDXEAA4%TWmMBv>goDm3fMBK4OS<lr=~
z>`1*Jko-U6uLpY+E`EH~a?|v762Io5wc2`Y6Bs``paFT1;TQOK=?Q!64F?cs(@yBS
zo~m4!{KrKZi54onHv`_B8NDSoE0y<>e{IHfaQLsf<LiG2d(64>7dKaNU|q4Zp6_AD
z?`0kHK0AC(#ZJ2li(8AZXeC#eVxh^xtVZpCZ7P{b@W{UTA~uQJN!ymXf%fJDL9u{e
z-i*bWeLBvD@<G@}cqrbw6|zd&wlO!DBs><D;}vi#dWT{VqIJ#4u^|1Ju2I6-<rnu|
zO&d}~$mcooRkph=ln(DNEtVfTgy0@p_we4aubHeZ3ZH{BspqTE`H&3A*0_N-*0##~
z9Gl+D-FmdC#RoQSal}REf$vNBPYOWxDVxPOubJ2>Dc$0FvifI99o&}_INS6@yyd;W
z^<+Aa#KX*dSP$s=L|LOh4uvI78hm}PHTUV3%x!PjXDLW7yzO+i!Zno`=c`+;RPr>t
z>VupriP5%pAZOKnhk&Z4U4M%GV{p80Y*&Z#$2>AOC?*z>Jj(jv5p<q<pmauT5ax_t
zOcWLQhnOUoXc>wf+Wn9)Z~p#A{xOYOaSJ+Pcm!wqxC<q>%7f}EB#rr|=JZ?#E)-JG
zs|sD&D(V`>chdood}Z5fxN2Xfr%SLbZc)LD-gTuzcaOCl=F<p;dPk-)ESkPg2@YRX
z)!q7F=N`Ag8_LC`vni|tqf<rTz)VqAqfsAB7~*v@#v`#Eh?O((qzZ6XJv&5!s7U>Y
zW`y?y0_{U-=t?+nR|Z7|-c@T<IS@Mn*0&sw4qk!zevHg*DeZ%T^muPdNLNRX7B6z1
zD0y$7QO^_5?dIqKv<(M+4W(7+g!fmi4Ed>C2^7|3O~XZ1S<FQ5bd<8G)+Vt75vm1;
z4FYWI`tUKr&gMW1bk=Y~uK*rmDcT0S_#aIolH|M8^bT&4^U^z}p(7uqy{l_>bJ+Ax
zIbyN!M_Y^5zQ}W<1;wacJWh3P9u^?TRDN-iEiPMC?E|Tt=tTG__abfybj01<>sL$L
z-zK(OqRFp>>A@3L(-5Z(H!(v2Y3PN;tl<A@&(c1WZ=VoTT~_t;qU2QLnqkuy){07a
z1uxI9b&&O;=Iwn)2wG}=U?QS7Wj(PaEbF~6j6D^%PxQ#5+03wucbUJ~gQ$RN?iU>i
zprrDA1__JE^0OvP9_Q`!IDa(Ab;d70KoSMyFPh5&bW4?q8MLY;gD~w=gi<ciBjLQQ
zOFyP&LfA!o6?`Q?02jln`M`AiB_isnv}>$BB#jk7GR|46`kJ2d?1MG1<4yr;UAqEy
zA0$|15B_Zzcg5H3WL!f2Il+w-?)=%Y2WqE9p4^qW56M|AfV>|~!j18`V*<K{afA8?
zgkm<_vLzr0CGdo8Q^e6U->74j1FEr319~jyqqK_qI$X#o&%w$}>7<sru<9vA;sQ&?
zi*8LC!^6-0dwqnm6TH1Kg9nov9PmxvxqmNqF%ANS?BxYc+e2Q(4Em72fJ6UL(X8P*
zm>y#VcvpwKCsvoWL`MP|t300}f=l{^*}aUt)A|pm=R3w|Ufv$e=(^IvoI?qs=Yy^$
zPKU<h%I4B5iLRW$1qt;^<d^w@@0cAwEV5qbez!|<^~#=GF&b<TuVz+8G@Gv4%g<%}
zu!!SYtjak@+W~-uxz^8xZ<VVG8;1W}4ON%|I&B{}IS!w7t)JNi{5#ALfMkHbD6>o;
z=T~zlCpP>~aLK@l0M3No|6!~&PXO8lI+M)c0Ag2+f0_skT@*#Y)D?F(<+=}h5JM<P
zAvbx-4Ec)7z&bB*5zc5$>iDp0jFIXmA|)UYCi+2>t`dv?WfuINTBy%zpbKgJea75~
zBMnXjY({+{RdsdVAQ!ij_a}R;H5XoQt?%nyJMe>L=yIeqaaPQ(EM?hPiNaX*uKZ0b
zdJUmL7&|@vD*?tiw4Rkl+nyRbXoXHiWWosrtq~UMhxeYQ6lWT`<ZohGP}%)!e->GW
zW)Omk*OOU@#O9BKI;BV=fHkm0H+)f1K}H=~ZC(cKrNjzI4JMt=SS+e&rbGbbr}Ef*
zmI(|-(kS9kSoR^<%{lDA#Zwv1zwEeTCwmI%w4ZEIAQ8!8>z4#HIog9McBN$G#y(#7
zx&V~PBLJB(jf)fW)K|aXcmN<H*}5zo?9#c9BqIITbqS%_4%pJ92F;s?3AXlW5<sGc
z2oHlxCjov2z{v1RZ;hZ^`d?^uae*w`$$e7f<>cgmyLC^Vv&S}iJ2N1?!Vo1^2jt9e
zyK?kKYyH|YqXaDiZmF@NnZH2NAO~NvjtTU^Oql^}bD~9fTV<i}cLFi8Ruh=0-NOsR
z8yn)97E<I%O$t#y+)#2B)!PyD+b~tK3nxV!F7^F2LP~NBB1=CG0awT2NY#*8ht)ZV
zZmX+sQOX8yCo6A=0H8yFj+-Onvb!_&==DS{58xvOV*3-V5rR;%>;6)F&n|3uT19g{
zs(=dwx&=AEXjHxc=*B&12bB3rBKMxPCC62BO-n%`f~Bm7Tr0MI8TJ6+DYyu2+?1F&
z$hcmE<WK!sB<f!ac5pq*Jo?gxKawAQdf-3eyFRl7*9Ei@S26q@GGT^?q1A_+Wk6E6
z)Bam=Lurt|=WRk%rqfny5&*-Z<4r}t;9xfl%|9!mOBC!i>M!pkE29n$sz2lw@Eiu)
z>i~T=y&GrosI8G-DFO14gR5LwGT8k9rQf%gRnwdiHFmFObJ4HNYH4`VFUo!(@b}vf
z_&@I!`2TRJbpeZ5P8cR|8O=I$fDhz5;tAjM8`Fr)`K69$WvM<iJBo9)#?iw-bfBUm
zK+KNlSaM&ir>Lj|r2T_bXmFC+8?|$Q?6htD&}SxHcZxE9M(HFPScz;BEe>&~A^TwM
zEM&kk5D?>RpL-C7Q#O9coux8tJ)f8D5#4cjPWU9!b=BLw8k3cQ{F4P_iKB-y%<H?1
z7($D=Tx}|{V(Lsn)6?Darz*03#^(VLXyi~h(a=1~so-Q3ws*c^-hNLhVaw{}zq~n6
zi%fArzIxjl(YsLJY(j(oQFs@}3->}zoJJ8`+K)Bc+4BiO8(p#}b^C8`Bg1m$R!*;;
zP0*Nudz1R?b$AmLaTcH(Vlh}K5+lw}u549|)OysslR>u}vGJBmUCeI^8T1-yXm_g$
z>Zq`Hk%O)~h}>{DGBBue<r<oh?NidHvo2UQGtESoB;vzGBlQjGFH~p1RYTu{HyDWU
z^{98&%m+WKv->1w?;ub38Hj<9LBnI0Q9V5Vn2}Ne<w#qEw*Jqy%3drJADROqC$-<Y
z)_e_Qk!no#k(|lfCpdTiJ=9<co#KP>0hmlA-ltY4yD?fDpgWwKQ2fkOWF1NSCMVnS
z<;_ZG^pH||%))Rq^ln-UJGEt^pdv~W|EaG{sT6D^GeBGS#_d%J!B7rYSNbsRg+tU5
zUq?SHU%2mVp0CuA%ifE)7(m*7U?&^xhKe*d@$57R&I@`E!zo*1&&Pr{Z*=ADlg)cr
zrAQlV6~Y~F_<!&(MvrAz*KT}$y!41Dre0cdNR;(nqHXfKhXAZaH}`pl+#|LuSbX{`
z=$X9!r{QNdCu)sY$7FB7aEtPsg2qyl^}AfsdC~yyrxOuugMnm3nXWZ%u+K+ldHXa}
zVy19hx73=5kmgSRkQ?s4?>F4eFTxH;?isGxJJe1U`x#bSzZt4!-}z!v3xQx0_qTC$
z3+g>ZLr(nUS{GeQmFAV(91|C`2HA{{aYFML+bA_dY5AA~XQEEiK-FTxqXL3qpR{z+
z8n_vgA^;*F?{DnruL{TFWvPyfr$gLp|1y}*_4%5npid2YaoE-VZ;e~yl>R<<6l!Pr
z_6t7@3G6YqsxSi1N@Zg6_J=Xq0Czb95{w$F?A04X-3ddTG5YB2OD%TrGHIg3$*8T>
z4_2zsuWmESC(Nk*k*gR9JOJ$Bq0mMT-4D;Mp|xs1{=^ezlAKgABA?@>C8C&0sqxh%
ze1RnUCD8ci*?;xZ(w^^iaYn`zp*CYwyrxo7PGFw1DQSQF{jsG-Z58Efv5`hH_IjJ?
zeig-vtR1Yf_XK>C`GB6(rP0+S+S-1$YN~nWFSIX>z-4=MoO+=4kB`ZC2=XtKR!LL9
zce@p%jY86W0Gtm^{LwhZ_BfP9pREV3aFBtR@LaNTCHXeVHWvz9vzMozx7ADe%-5uK
zf>&<GPAJ~8Xk54xrZ{6ZV7j~1uAiaq)Xr3iVdvn&YyD3iA7C`2bv$KKLR_oc^ooGv
zpj?v|@JRA@Q!jT+qIOUR`V;?TuK9`znFbV<N(0|Qq1)FHGg6($Qm|Cl9bDk`3iAvM
zQH#78ovk)-F}+K<{%pX3jvn48YnRKV<9YgLu?AJm6eC!RXa8t^166GDUH<Ex22Z+x
z4}A|wtjY^`BH7DM+Sv7}+5V!?8;;JkqWO??R0Q8Y+{*}awg+l|U!IW$+7hg5xS=Bc
zvwzKXm3&ve+?R~OiZK~fu|coC@?T9Y9`1t5Qo3B0d@Pqbx0GA~d2wvVqa93%W<Ner
zzs!4Jc1p^<f2=SMk~FIa_z!@^MP;Qb06M@~C+>MAxb6?_y3U*IV_m)jB0u8dBrje~
zNv*bvt~p3;F~8^akUMH835Qh(s_K-zWvr?o7p3>bFy`K3DEcd9P<y+wwJuLGp?Gkz
zWR0cj0t=*|)x<>Z8F^8t1_BuJ=aNg%1LXENge`w+=Tm_gC%y3EY1`8PsT}8O|D7lj
z;&zPF?TBlr2^@%=vf(u?h2`ZP83!JDF#Zj*AtAB<WHN31o>KuHoh9o2vd;7^&u1<n
z^k`r9+gr}_QA$3dm_yiUsg8lz$_`D@?yj^Bl>kd~q8PZ5GBigNW4@)_528~2Qx#U;
zQ0S-4bX1SZ%kqk{S3-gf!j{e^1@aji01i3zI-zox3>_?bQK8Gad?D7RTcY`sdVblw
z;zaNAYvEc^*)@=1aCSy>fT%%CXWxNY9!w&H?>TWh>ERE_VNH*C+_yVo+l2ndirK~d
z4R|v{QLA!t?kA%n;n}lNJ6oQym6#OyyJNi%xo|Sr3?WMhy8`L{<55gY*V(yP@b-zj
zZEXuP!dpSPs;05Z4=byld(}N!uu|H{x?ztNxtMt1{IkY^#4x+W?JK4@@$Det`RD*V
z>%*?YpsScY*AlHa0txf!tm&k2O7F0BPS^tfO5t~vyLBE%uit3lU>5!B4K<UV@Rxsx
zYx2U<k0;>F28|8GdHK>3gC%26v32<G?im9<QP6h5tDEAjtNPh)01#c~OC^8MTEC%T
z*k;wlNd{n3ZY{_W`YrCxRa40gFdk*>=h}q1{70)E4&r|j!2D&M|7UpGYFqy~3i`j@
zM=V!`lYTL7@+DNAO$bUuI2(p0gtQP!hIFSF#v{OD9WIcQ2CR!Wxqy&X(y6LuAgAMO
zg|fxsD~X!akek!FzT-RTOy5*Z9NU+6n-%OPE&~#rO#odRdX*|BiGiLah~~jp>i|?i
ztR9r_YQviC(u?JLyZkb_RTf{lqwaA6(>$HiZk;^v&jFwu6hX&|9<ACv&Zx5p1h{tS
z6>&!g6Cm`wB`yOXz;R1ofE;A^5!iax+FwR@V9}vcaR1tym;<NJd)5=L*}eVK9!qh?
zHAQ708ktn^(E@_=kNEg9)^T@nR0A)qhoM`wk`;M;E4~Z|k*5G`IYy8Cw{@WfFsY|d
zbgWkwExp<~(OQ4Bt>?1{{i~Z4UWB_@n2s}JkQy;@Is!0{Dv^&6#z%6LyBoSLgKzQj
zagg&ASFipUwIu-f6_wy(@dyE)Sp{ta_C|(^B8w?}+8<$ke+l9g0WAwG1kP<PnC04>
z8c5Rl?(PV~yk$w5_%mNqEof+|$Y5M64k5s!(2-~W5e$5x**N!?Z}lv4)wd!H&D86|
z5Ad_JAIybR(%tPT<jDb{%B(r)OQ`?~&`58ZCT#xQbm76$w46Un?S`w$F=7Cis14o$
zJyzPFHvcnT0gg&2lR5%C{}`zm^dyAuvf5M_3cUH3qeUUNpE_1b!$8$j&H5*cDrU`^
z%!ci#LJgRdTmiXzpYD7BKvb-P=-27SxH^h;<_nG;y1#U;tzM<imWax#fSBIvLBBFh
zYh68MVNh@cDdJ){Y+>Jv<`FXhjZ^4ZFpVt(0O78iSouhDq28=9HJG^i#b^pQ%Dw62
zg;}7Iuxb2BL@B=Tfl43SmK}@$2KrMNh}^YuA+=={{|oTEcLQcH*#Y6lsEAtTBr7+*
zZr+()!#!Cq$wGV6$L_A)3NoCjrdDAAv1*4qecj;qv_FE2YPf1?gItx255p_@(bb8l
zuP)sR_|-LJC{xkF`s1!q*<Sr@1|1-<tPIy(t>~7Siya0g6ThdsaWaGz7}Kz6WSsEa
zPaxsk%~F+|W&8>A?x%ZBuZu_gItB8&x4|ftuG%!toymW7Vgd!2+NJfSd-ob6kFGjn
zB~67+UPW=9!`odC{4jikuz+D=ropipOM4z$j7aLFv+c{Tcz5mp{r|l-vasczH&7)3
z<DMg{!;*Q|bn%zBEHi@o?Fj#OvM2w~_uGLj|7NqqOKA8G@i0TznW58pQ<=_%;JKN!
z{dEeBx`R@_-=rj@?zu=5;*g4ty$0g4HUWKbbG-@_?394M?<H+evMEHO*){<3MFOaw
z`!&MQwM%$+#xQ`+<?||{EJeS18Qs1S@a-Q4hHleXxgSNzpv=qwYHM-f(u(F}rJ#!8
z66iax{<5k^2-otS)lu^F<5q72YqiZA0FGA7bdK<B6m&IkDicit{Bf2{W5YX6U?Oqd
z=-URKF+aEOS<~8t%3Cj{EM@c%>BJ1CD>z=n2Hn6MV7b$sQ?u)iy5OvNg@mRyh<a+^
zAn(x3Vkb}GIj4>hXtM4zkU_3UsI{^}b|Bl?gN4xKgu1t)$;L<;WL%oaos*y%4)FDV
zg%nQYZep3AnA@0K`!PKz@sGscCCBqe-8@t`p1J))OD-|4uP|eSWt*ObKFj97@tDlo
zORaE@)dTN+JA^yfQ=5dJbom1y21u@)zT$b&L^OIYQF3Lt{XE~=A?jy<@cc5q&*=Az
zja#`p%ZZ+hq>TfjAzvXRYAi9c?S770c4w%Hir#{(lv>|CYM4F<0>Ju+cWs?lxr1*s
zemwL)>tv^r+VpxRuBySfDx2m?<te0l_OLo@JW4!-G2_z#X`DwRGige2vAfQk79C1o
zC}iK2<~ILxfxG87Luvv=11M4!oX|M2H31i!=X0_{=B0i6D0lFkZfT*{SMiH!3b>)^
zZ@tJvG<|Z0TloChg@A-9WeDZQWglquQXE%|yeCa&T8NG&02#Aa;#IiS$8sZ}-uBqO
zQMcn+b+*ev?r(qG=c-*C9H1hPwAJGy@tQW$E>CHV2*~6m23w-n3q)|ZtB<hlR!yQN
z13JzGuYT)kJCG8RiFP(%RJk0*sQ$#pCeE0Bt)IL4qip=A@Y%}ONf<H^Zg2cR*u#p)
zmmttPJZV2Kv@gY_ZxWTzil&rP%O&SQ;K~($d+XBQ>V+DlM+mk|qkZ#cNy0{u4d#}r
z)root?O<y?dQh|<;jnT6hYvyf&=&6iLtNvNcu|mkg%|f1tnl|Lt?ovlWYScvqVUXl
z-(%>o6Xgo#W2n}8Jov9Sinow{{4|`I2i>#L+l(Fy)93|xediUJ1uXXdSj=<n1x*vT
z{@&C^afr5c^$i=INKO*~)&j3Nj(l8e??{~IU+#HkkzJe`sC=3-I_k?tB7%2_S|E|s
zCt^uE>nmnC@lF?lMPxFJ3sAc7mM*5N1B~;pP2NDC?fbcF!tAUAUPpksN(a3Qv?A)B
ztVe$)rm;&mux1Tu2Ofb}16(rIn_43_-`F}fG7?w$=-><g4WQr?>+@3$<H-97D`%&B
zE!D`1gSk#kblxo2g!Oj-GA8Qk7R!F6pUO9M)3G&hXOw~dTsxl>CU{>li`p^<>)Qc*
z^>o$2QW${4&wMc+#}h5XNX0?Ny1EW@er6gyQhpoHN_I>&?9LQ2XZbMn^Xa7up@EMw
zt1iPIjhr03N1VZap9%Fu##$aT<a}WIvamIw=ychD!<NXZr3{>789+L@K#YGY@@|ZD
zwm0@~$n<bdWrJ7mrjH>{DiSDr-Swb;S&HZ|8G0!Y`H+#>Om@vh<$g41a7eG&|BDj%
zBWrglp_I9}?vi=-@6Z=ErUFp)s>qGH9G&=Izx;1!!TtZa_5WWG#9IafHb*lM_(HJ)
z)0S9==uGM=$PqQR8VJ{QmR!)`GP;>Y0a7tFw3uRdk5Zu+ACNYMaz;1N2y~Gj0=dfW
zt}prm%N;}mT*<}5Z^|T`k#yc)7lafswT{pv6l??*1~Ul+x&H9|{PwKAJL-8dX<+jk
zk|r6}+*fqR3E3Jt6?ir)^9oxm?kCv+f4yv~tjOZiY6$lh{VB(K!;(gJDwQYlI^9u+
zG_Rbg-+W5m*H$vd)~}Mr4vw;NM=J{?iFYmS(f-J&^1jk~?)2ml;46{2aV~P0kUmQ<
zHTR}lx$A&esu5|AzK0anH*fl5vP#nd6A6vrF0Srlh&95Vb4q`6Gh;}`P<17QH{3JN
z2-#eszFGUhGl$$JV}tbjPRA+j<lq(Qose!Irlr&#B{ngM_mTkAJVj`OBPyy?b1%xf
zNJ;Mak4o1ArO?AK`T#MW0O=5_T>{A!xm`qlrG3qP&(5KKbFqOoS`X`IdS~TB>Ug=S
zNz<6PK5yqp$;FQD_b_i0*Hz=v??$We-jms5MVj(BKvl(1_Bvl!IaKd+I&f`_YoLRn
z^2jUU!!CfSn0U%b9GHQ$wdHS?Z!vkb-e@tOl-KYuXPc`WhuT}+20<JxE+%}i6(z19
zG&RZUG~2qS;1kUWG!J2hS%@xg(<Y<<M=8vQzoHqSGOE`%$&<Bp&=QBk{Jg3hEYOo^
z!;T6_&&_ai?_IY<vR_YXWKnMY-O*@$#+qF^s8KYwCYYjJ_1)#MW6$HBm1EmikQ=uI
zn9Z|7>V|RM`lEMHw_eP`vCM8&xt4bIk0Q8x8kl7kY_BZ)xQqo?aO}_f`)z@wlgIy~
zmVnj)P*l9ATbw|BPm_Kdd|?PuCp>X*qGtC|?!{#F#OKe&&@k(BC{x2pOu7c6Zn0;u
zXLZAT+yyReud)w`hJz}$H=F-6I`HzCqy7ofTI!=cPV}aF9eIuo$l<a^&v=9<D{!B@
zq*s*0wS))fX%5u`=?5L~<8`r{UmawWzL8LQd>l}LTLSpIsRd^JG{62O**!G1w4Br}
z{BHTa^TCo0W!OpoUpvgL8&KYGfNs<9ooz~P;oLMT3z=hKtGr&Ds&UM7hbPy)2L#wZ
zYW7=nQeqRs|1R5owYhesDh^@oEqh^ef$tyoWn7^j4Jy{!_WFj1f8U*6Mb6csWhqkC
zDicOjbA?_*fy!mpZ368pcY03JejOzHU?+R9;#ao9+ftH3q~U$TNH_bl_L%9EGJ-2v
zJ=sF=XJA%Is;k<2vL;Y+P?_C@GjzZL0+Ht;eJU?RJ<$uZw8!Mrs^Cb3J6)3>AJsg>
zJIks9s4Ljmnfc{+zYar%*P`d#bPLvau7>~NhGHc9=q;w_oDBxxXU-Pz&RE{vS?Ts6
z%GK)h6$j-8WbD_mf3=Zxs<)jT)BThcanIfw?@i;~i1i?aX<UH)V4x#WyTCEl8YPGR
zy}ON|ZkLUhxpK`V=2-TcU>nRinWxkHnYJ-2*TUW_uDhJq2n)UbxOfj6ptR8CqHo#T
z;n8Gjy%rD)W)D_3_2PVl{nfdnwHXp<oh#@%=<URc{(FYqyrAVJJ7VtlTqP;6s={!7
zTH9Ij1id*!SxybnNld&67d&++u7&giVkY`vv}%wtI#D*-ILP?^Cv2jkO2`2n|M;cT
z3|&`piQ@6_%5tD2Kj*#{)oi^w4tn7+RlkeeN5~TwTD+gEj1n)h?v9>xB<&RP`U0?q
zP3QZufb?A)8vw%t`Enu#EqC{5hVUT=cIsctSGASw9da7-5aUx(s<{%PoBX5BbFc-w
zFx*eB$Q9)v)Gw?siFy;}0-K?ob?~TJ4p6J;eu1j3JqYRcoenIbx~68_$Uc<Pywza|
z@u+}zjfW=(Y4nv<y8=n^<mDB8{v;KQ(L*Go#3R2Kv*1)|yOQRL(PNgaCfQ1`O24n~
z@yMKS5Pu?7GevHCH2*_yr9Ql`{J;!Aagx=)1U_$+uwlO;7jv76KCHgh5_u7EPTb&5
zYvQZHgx<l(_d=M*iB!q$(tz>3)3#@)odo&c{&fs9Cx91~l$Z4@b>;Fug4M5Hb^i<J
z=9vY$fgutB`X7qbs~)Kq`-l4~znZJ$8=5bIiqL|@4i1#h5HH{*7L}&c88|U}vd;NA
zCrV)P#wiC(cu1tyo0?{Bc*_8uxb<(<I5Y^IJB+TP-DrcODXtt|;A(gzErZNmO>ii4
zvW7T7YG<n9R`_!tY4Se4bHU}bo{}Vgzn{$qRnn~S&#U=jYB)Nu4E_9`xNKG9;}k(_
zRFuiH1M2=NSKQQL7aB^r`iH!6+RLE{$$nE(9Z_h^d!GLk^t@JLfu=5Hbkk*mk_Xx%
z#kClX<5<&1Qkod$8Hnm*?fm_|d#f1iG@SEYP3mIDka8N<r>E>tjVKfl%rhNsnEmb=
zSipX#i))-xw(B)2ULe0=8;W~NIUx;dNM2k%Ju!6m=s)iChZh0mfhZAd%&aIW0M;rr
zIf$P7<2cIx1E-g#kKUa5Lh~8LchiylQ*>PfGZlU%AZux)JYP~no({wtYTd?hu&<$X
zta^-VosQ-Pg#Z*lk$Vczp)jiv7owy$j_)~AH`Ed7|0G4I&9WVcE#rc2(~6uRp^y!<
z*1$Mwu;0^ySsPp#)Q(F^k-Tu^F;jI-?CAsvFVLsmu#zwac8*5n0JVFgoJk2W(d8$r
zV36m!p4DAX;4>8AqC^RCjrQ@uP=MNZwcjjXx!v_qM#?`e!=b7ny)z^PYs3+H`)*82
z7>-1q^73x`5jX{B&vZRk-z;Ro)mF4l{v`H$5A}G8@iSnDv<vwAu``999~UpEUQimV
zfj8V}_LSn@!>#E?T2ZD{wQuf!_Xfs9qG|V5GU0Os|6K{h?#ZONm7wQ1kM#NH<ZpK&
zAF4i^L)C=y%lwsQmqHo=CJgqJR<jMOEyDJ{g17$=H4X~h7%o3JOq?34u}PDXOp_ZR
zU2GGYE{f=hfO5r?hg^m<>I-`<Fs8%5$JCR#IwnAJdK=S?p(y9qnTEeEH?<gD<^(bO
z*c+D;kuQAbLaQJ&hBWm*oY`n7J9bwMPAg9d1Y)i4X|`3*)p;DRI-H+blrmMWU(j;f
z6f-oFrZVim6r@|{9543E36Tc;B$;S%?n)Gfwf8{gnXt;n!1qat0vh#B_sdED-Pbh9
z4emQzqS{VKXi&G<K()BbCR(ca<<~g*L=;x4==$;@7gORLMOaDQzz3M^myt&4A!zkk
zx|Vllq34QA`kjD-QaVSne~gKoC9K?jaPNvsDn_ZfpGo(R$OV;W(Rxo9lzPu1JLyTu
zjgyDIDaR<w^tw)}=}Xn;c?&&38qYyd<tsHo$~XFXJ)oZbzgft#geQ)qrD^u(Iu0uP
z3to_%64D5XdWeAcffzE|D%Zpg=dQX>ftx{U7rj?|cw6qwdF9Nb^p6)+if&9323(m7
zQwY{H*7m*ibd93Og4(K~9YFSHW>+3|Nzk-bfE!Z4NQmlfT1Z(WQ3Ah4&&`AnRiKTN
z5bdH%b&2nEDks0dt3?%pNWHG@#3)rD|JH<OgV++CG;jb6A?>ozYPkDMJM}t*Tu6zF
z%7e!_s4#PqZ5oylmQkNYOg4^+xIVcz@=Zzw#940~VKCKLu0LELYcK)2HQUx-nS&6o
z*|K#fyJ^a>ieNQbx!sL_Fpyk!2vg5Ndi}ASy1>~?j)~fSG4eLC!(hLXb2-%2mSvwi
zQ^S;RxoGlg*S%|j*vNw^I?$od<H*SM@f*-Mr_mVR7hc~2R3V14F{ai=+#B<c5P)qB
zJE4Y78un|C@ptg-8Zz%!1?=9(_F!dE3)uH!#QxHYjx=%@T_?uX)Bb8le>;y;3_gb{
zL!j5Or+Zx0@fTC~B9c9v$m2LL9{TTdQyfUbNzg;{>3g})`28!PuDbus41PXTzZipS
zWS{|TA<kofu*g`L%tF+QX~P(n$opxi#G&#0^sO{AAZ{y%5%_D66f1%7a@S-|{=)nO
zmH9gIAqjY<olQl6ywdFH*;{S{fqyV-1h99tZ^4-N8JKT+V?hE@7$zb>4hGVd8i5(j
z6FU6(97QP{y8z8P6`qGk_W`ACBlkBfK{LbgL}{gcGp_MG6}P?CT7}%C931?H=baiS
ziHN^EJiOtn^hF1kR0qv!)&(hr+(1ra=jBsyD^6(a%92*bqi!V^UmV3p{2D`^L_c0u
z3b5AUyQ?ZE#47tOQpegNC3Ad|T`HVZ(nR<!qS@4;s3O4n8i6g3MeoB8nO&e?iqZ9i
zZj##<dy-EhB@gX59ubV3=t7-?K0cBL#A8K{7i&2NT#93HqF5t=(OXTprJl<E>JoZn
zCeb6T!Y=iKdN~`DDVc#CVN{}Fx2d+B6YDr9SHdjS`8m$sjo40ZBJDd=s=TI$oj5;T
zxa93oRwLO?yAd_86Xs1bYCGxL(73i=k|Vm_Q3>@EPVOsDdx?%9Y#<qf<HDG|qR{t=
zqG#oP?e3;EuR?ErPYiBfHr1-|w83!h<RlB$gW7@eUi_u}m@lknPg+=x=e6WM=-C>6
z(a><IP~4|$Vi!kz`c>`rQH(-qW$DNh-eSJgyq5GmmEU;No)lYQV0^G>1~Vu*%6cv-
z*8!ugwYC-W58^|~LUR!M>!So<Ivpf8ue^Zc>zp5eE#9Zl3TvS6QYWeP6&#abr6vRT
zc}2B{DXms#q3UwycxEr%ue>^l{S(oXC3=dR^<$1xm<-R+y3@AkvNNbla6lF0i3j%H
zaFGg*6I7bPRFrCxYsjt?m&CHwyHfEQd+;k-$xLfo<7*&kHMPkW-E^R+%U#EmHza@>
z2RobyEssz1-h#gq+1SnuezVXPMUE6)D~^yF0gOK5W?RTr;<78!YYop(txzuub`jBJ
z&y;-K;#qf7w+rf?BxSFLl7%ghPQVF}{i3ygN6hJ|XB|p*s*gW^MqVgHs9e6>=Kle;
zu~G49%$!~zytYrSle}>58;PXD@OV%wzWL|2&o#^(6$Ms_cI|}^k#ErT%2KE0cwr^3
zQMCEU{P0`)umek8ytF3yq*r2qby+`C8z|a9xyfIs;XnN~b=zsdz0tw(+?FroHJ;w`
z`&!%%)szqI)~o5sJhcf<r*yVs(};!qrUJ<u9Lk3K!Tk1N*KZ_WK(w;qmj6qqIGlvH
zyi1C<Zx6~&kJwIe_gTFe-<x?0JQ_lf=j&Gum#R#0Ng4Vh$m1|c{M}j{5`?0ZBJbo=
zt8;lg5}Oe|I4bHCyC2epf<sqUzUW|a5(}mnR*o)*vV`83yi@leo>Fw+Hzl)d#!T->
zA*rh(A%ndjy2+g+XfI~WT5uf-$HZ@pK%-)~5-Yx?IDhupxVbAut%*oz+Fh)~s#{Pi
zW5#d2&yOz-oc4X-G}oUBYIL&)^MD!$X;*4m<+nI%Kf#|IGb%eL1sb+kpxoYd9C;7v
zTcZnY?z7wny(asdUG*LGlwJ4XIkn?-vB6v*+xtVfOuc`+pyrBijv*p<2Mz5Ghm9kE
zxsoT;3ln{5+IAR$m?d`Y;%uM=z%`3;>1jJ0Q&YqUOzwu`rASqLdZpJ#Xd~DJP@`o#
z3cedLdD!bfuw!+`4h3uCH50YKr)j8nkirhZv3bFpO=r1WFb0$=a$^Z@MM|lHw;#l^
zi+U6F6J+B{{K=YAWXhqMm6hYSjsi&Fo==mW1-e-Ps*blqbQXu!om$*7+&@7aL1+`7
zh*JaGJhh6C6)CYgPY*gZ>kVlSGLixC*kzz-a#Ia6!@+flG}CdtlN?)S8D4BnkE@G9
zdJC0_-wa-NYE+%a7m{^}%DPof>OWFfPam*_Jk)DS)RytQs(fDaZ11BT^iy^?#0Nqr
zvzJBgcP+eviEU0TB|v3*1}f3?Q*rl8s=p0*jWaG0DXU{o6_>mVAc=(}U9O765`Qw(
zD2MbeF=EoC*kfVQ;Hpc>kQ`Br^{Yx*?3iZJj<Tp<F?`eEZK5Nha9^EH5<qnbH3ED?
z><r9CdP}`j$HN2Cilj=S>;8(fz|``P(GNDgin1rI{YxPF)9J>;p3{DUpEjXp;a8l`
z*@LbnV^_u2mNd4I=^M)LUO9xSz@dHHQgM;&i^Ep~IHlZ}DB(w9ALl2p?-ItNG2#Z8
z5b^>RfH4!rnBaHf@>Y@7fj(`GnMQ+wrw`GxGzPAf&=a>A50oBq9VUB<)#V6OVM+4z
zUaY6w=MBYTW<tX&o%TizaLe6^dYAxk-+$Q>{onADQDSe*__tT5;IJE&kly($r-0ER
z$Fi`f3o}wpk~Rw)Sk*4@C5_W{h&0zvklF!4fus$LJ9=@XNm+WCQdsiE<gHNrC)b+W
zat%rK1Z4b@_q7R+N_alA@5=S5mzju}AH7O3fuqyS`*%eVBg2FZpk;|(+$ZVds2Jzg
z4~oUTj5x+_kR)|u+E(8}N~0%RWDvH^@ht|Ujv)tt6jV|$v&I;rkft6N2oDEJ=_&X^
z?fGH$gmRQ<&j?!fRJQ;4whxra2g+*3KQ~#|e#iK&PUNwm<Jv(|Ll|0Q<y(7{$%`10
zcdpLW6YTC(Faq93L%fUVzL5mpjM1ry?Dgv1AGpY13#=gTC~^)=-e4c-&EljzrVm-5
zH+=fg$@D?X=^MUD!u#=_SU1%kQOihMptPR(qrdOuK2ev;MzyXYOFJhgdb4F9D@dch
zC5142m-a=niJ#Lf;Z9F)Q%W@yS)^h%b(#2QL1X8pPl7g0!PR{zgjK`dx4OD8Kphln
zN+s2BL(*B}Qk1DuFE@jKpAae4-%StUE=<Oi(2NL|VI=LU8VaRGlQ6~A5mhy#CwQD}
zl{cPsBy(E8l(-=((uej9XMKvJ@b2;x8LeQHdr{%w>=Xyd+#8t-7<a7L`%lznE^Brv
zUJe`{`92wXo2FKHzfwedT7ztc%P29%A5Fb>a{t@uj9;e~)9QA2s_{;Dv#Wm}^)9Yq
zni;w`<(uVnA@M_7-PUQ>T=;XKOSbOe&xb5w@XF|3?Vq;=)P)5{oaFOOhfX%)ozlxC
z`I7d2l*H@Q@@vxyGw!X^o9|A({j|`_JlFrR{wo9s8TpY`jP?!N9S`~nQ^KWAtbq-i
z?taPZc!Dl;#Wtel<9SB|+Zw?XoS~LNs{E5m>38?0*Mf8h_3F-g7@rb>?$84DPw+OR
zj`kqtab-2$#erD3HBr)k+lN%cHf)pxFU{Mpl%_9>?$khvarZ=!Jc0dunFc?Lq+K_D
zhs^~Hz7jS`D5<-FVNRyw*tS&Khxmnr5QhK}v&wWLFz_s-brQJEk4xQ_2%1$n0`kfp
zW>wWcyip%LThn#T-+O!D>k-PZtf=pnUg5!`HePk(h#yK{J}=miQ>@`<Zw^Xt;-I2l
zf9k@U!=>sv>_h(aF%;gg6xMsR8g#Rr_-L!=^SnTzHVXN~cI=%hy7ojyMZONlk_+mz
ze5&os<UJidRPrs3{-%7x=!Y5fX(Sf(HP@;uE?fGpFHb9<sZG_h1B&rQ)d7JELx(sW
zO6lDnTLR+P@*NbsBj{O~Qh}W0qgQ6l9N5@^r~d9|Yp3NjGfiFekCRbTSqQB4?i~TO
z1>5f^-Nll%QYm-B*v?@4C7F)RH@wt`R5I_lI{T4q7%nUzB4C$S40zL%1LNQNvAa*$
zQ3ogg@g`4u)92Jiu*7T?tE_5G?Lz{<s9sr!d}X3VNu(fvH+Y6*B@QmNuEmmtu=myj
zq%Tx)!+Dd-hjD|Uk&xEH!TqI$0Pw=#iV{#^`*F)s9wzc(69AAIQJWEmhV1;JE;AEO
z+7G1bk1lNC{cSHF?fpV+X}ecHP?mb~$KILeK-|XqxS1k_piLTPeCc%qe!mF(UUu?V
z76s7x`p*dox3|AzHLU>eH_^jYz{84Bw`D#G*19|Ax}_rsa@L1{^6kWOg3#KHryv_&
zzNs^mf~@qnSxU0tg(d~g_vV5}7rcQ?64_MKaT;wMwcY~7p$tX15L0<j8`?IgzGz@+
zL#|BoRd2ZxeAXSq_MkDY{dIv4x}#ZdwuZ>)_SWRsr=8M<pru*k9pq2Bq}cIG*$9of
zfUfXAZ-=(c#1Dl7+ycASv(%zq2PnlqVq9$opJ86gd9VPJ<1qQUK12=&$m55D2%kxj
z8g$TBsJ9onMiT55MI-l>6-2tD%_=ZuHG&49ozUqD$yX2Ab8V^*J=A1e9P~;lv9Y*}
zPx@aJFPKzW>8(HPTyLy+>3!#bd7p;Cj3vPKC}0~YH(TbcWbgwr2la_TXwh;D(n<uv
za>E2hPEDgtUi=SJp$`#NuIx&-XO<+*b0Obu&)R3GVV4C5JACFs06K#b1Ln*;iwrW=
zV)rJ7CMWZyd#xrtTZQ4k;*2nJc9({F&53@R|Lt?yQQy97ef*>7JuxK$LkDj-ES0q^
ziQxmbW=`bAs+u0s375$8TzQ9pRV1!9Ey5S3UQ{xD!*-aBrFtw}V6y)#MH{uAsstbg
za|>D;t8SEuiJ`(q?~azwR{}QTV^S<`mUO1cy)%sI_c7VnQZit)b?p%R50O$)T8!}_
zS0l=G7-VR8RL{$<2ZxT@d~&##!vWiJ{t1>n!(u~Ulx%$fuT#eF{vk{(fYhN(U2~3e
zFt|0`>YVeM;C}X7j`C$s)KmANR~`qptc?{P)389aU%ehKs4Sbhk$WeLkF2l_Zy1(_
z*%i%7hmG1%mw2e5;io{@46=B~WER9>3^xsxv3-hrbTSuXG97TvUSq1=f`xGgz+W$|
zTjkOyT%>aVn#+6W4Med~6VGE=f)>w%#zj$5r1X=t;itrFSQIR!-xNHle9mkWX7MFA
zQ(qqT>kA0<6FkZTr;*}hqJxn(_Jjo4{ra~nWFN(AejJQWQZ?v~Nxk5^+1VLlyj&CW
z!DqLv#ye};OT~C*3u0RQJr$=&mcPtoLJ@OON%sTx9S88W1t|}f9YwGsG&k8ZOImQ0
zjTpM4FW8f!8QyrCdLBR#P{)r;vM8xIS4H9_|HUD)4Qc3(_q9~Jb+0dcP24JW!8ST`
z(2aIBT=d>>?!#=@7>e-y?{9*Ca!9f`P#ijmi>odynk@lnA(IxbJ7c5^7OH2?9(W=2
zgtbO^KM1I>Bxy0b>kXNPG@1?M&<VyG8JCwpR)@H)8F>CTJBm-IReD8l8)}0~Ac~o-
zL9Y*C)x&f;>hCf;V^}{}!ym6sA6r{BCL(^1!PnG(n(h>#_B5V%m3urdnuO00l{v>n
zGrpKwwpgc{EJ<}}-hjk`?@1!qmGp?-n0czOb`4HF$U?OP?g!7>G<eyzke;Xl7d@uJ
zul8vl_k-ZdN<D^+-8ZL`M<uu$c;SMiSu<CE56jro!p=(}cFlr)l;P>?^Eko?Dv`hI
zsbnHp)JdlJO}@rBOc;Ke9|I~y5=8v%Pw6Tu^Q^YJzSQ6wDnJ(O{C-IDB?%yKhf>I$
zw_Hkd4>3__5LQU=Coj+_jkqeJRM#;IDZp6eG&;<>7oeOj+uPB3(?o9taRYBaUMBln
zQftJgqn!qiFDaeA70p!Mc#YX)?$9O2?N`Rtu<h07yj=Klmzk$_Omo6JN6e02u~0rR
z$&`y}Km0T*`PDR3k^2&kiy4Z%g0F__Dw(=mddfV4KWB@n^`Cyl|10M+k54ObGPVlG
z2L|is9MOMi6z$R{K6QTDf!ExQTxW%juZ7=9o=ov)WV5!#EiRi0d8KGnMILI}YO>@#
z^MdO0)_~YkrC4Vzkl#@$9sH!8SQ#bC;)nhogb4S05W%`J*xDaGiUF4z&F_~-`kwa1
zd@)Obl`$M2JF3r>D?c_d@z}P~9E>`6NO_n{(R_adq<mR6qh;hS#)>Z}SDNrU>p!h!
zOZqJA5}yO4h`v;2H+O%!(@wlVfh+*=wQqgrJL_>4>*7y*)NVVU7tpy7z)%wPVdIvX
zhUO6u?`Bzu@>y@$NCXpvY{dGpq-Su0hvA{(`9IlvQ4t>!-x&G&SYI8Mx@Wxc7xiT(
zJnv*41uq)4^bIHGtS_Vj6eyQtryc@+wYfb79%vzWm&fVT63ImCpMu+`d8&jHzon2A
zFHD-ld`7CwO0i80V~S6}<iY~+Uwc(WbjH2nq|?MnI0gVD!)yw6e^WN(UgXtTGRUAK
z<U8#aexlo=v)`&Cr?BPl0?AgK;2I-O*$QFb2evbY3+f~tQT9Jc?FaD!5eSf75kr5p
z`UA8vVNYn@9}?d^FW^_>3a<}K-<Gj$+o6BkV!^26?l4_-{--<#O>!_(-;t=Y-)qVb
zkFQy2{Tk|<h?4oJmJ{U#6j;<RJX+&p@OYz3@U4+l<@isymkzC+E#K}Q3mI-f-px4@
zW7Q6U4?16V+4j$(=R3vEu=Q_FU1xiE<U<x^2CAQ<rWfa=Q$`0lN!jCxDkxDOSKbP>
z)3Xp@z}nGON`gBd5Lv>afY84<+!zzpi0xg%uPf%fySGBt0?!N3z|`~oeMk!uWuifi
zb<NZXKQrBWLi*;TRUM<UeLbhDT-0ZiHqx@*=>#gG3V&}VpEe;?#?$<Iv%&5Z$|c(V
z7-_3a)fJHOT*(lQd3v@nhX0+HDwkCC6jyf8b~>wE>?d@0caBGVfmqk1JhZxg@FYM}
z8;I$Yye%eOBXbk`kz^~)0Q_jw!oa|1FNZclzJ$6EtoaIsyGg4jhLMC3()U*b7WvTO
zBL_uNOEQ$VW=eVfPM(>|*h0L~OW|eC;P>3?Z2Aynmn|&7G0wDBXCo`)7+ZHoqW1^=
zJ&=-`$a}>NE)mGZWM-V$1vw)t)AO^@-Awhb{9G*!1_*EhjhDNXPu+4hy#HP4%}Sx@
z((O&O?w(_cgi!S^>Hu<IVf|VJT`vs7r%l_IX&W->Zo&3gLX)0M0?U``UGIu;DIhc%
z!n45Ryu2yD#Wq1#{mP`wS}{PucumTusN+-o-nxhMAmN$rjk*bMeN2>3xGVuxdMxNu
z;l5Tut<seKcLsnnL(26E45hi;p?Ov?+^=sP*$`MV%2%%RTcvBaNVhamgk-KB8J5$`
zTPJ%^XJ2*U`BYC<_L1H`h-2@m0^HFmYb)dXi|vH4yxtW8AmR4x(g_?IgS)e=xG);{
z`OjMxML8~uR8K}>i?p{fHNvq0b<F9SOI6eKg4$Vz{Yg+g_?2Df8kyWNAjuRYn^OHL
zqJ)T5oc469;t4xtdKKTK&O~>BS;}Oa)&-gzr!K;i?{O}iq7sk+cTpIbXz{po^2fDm
zf_n7Px>Iti<G&|$m5cu2w}HsROyB!w{!IYL8ZIp^Pppn7K)V^1(W=DE-FvEXKkdE(
z(M`S4>5U7%GN2tiqW_dzcD;NOIBY5JMYP+))}!J7<ity*Y&yH<!KqzxUr%|J702D2
z`E(=uk`sQPwt1`f<~LX8hr}Mzlg*zue{4H@`ZKFG2%Uj8K1#m2Ykby>Iesz~MEfMv
z(ZJkwhK9fw-v(uWXw)!s1$4>G(zi$_g2^%G>`8t5kZHz)$T|ti1i6A52;`Wjh&M;S
zPtYX4oh?NRy}wJ&PI=wV#WEm8od2t-D-UY&3gV~~Qk0`3SSS!nt>6KKnifGMT(wk0
zP-!*D5h8_fSL9HR5F{XfD5Mp~aLD1vA%#dF5S$>S28M7*!kG}lRRe;A00BM%Ur5rg
zP;LKy`{wO?yZdH#_P4*)ooUd7zn=~}QmYwj9<ypk7spq|=-~=juYXeYzP-H_f|pJ^
zhT$?h6<Tl#n*vJdHg7b}VUzga0HvmT&&<N+1Br>MUm3sHj_#BenjRyGFMu?Lf~2!Z
z4ld-ats)=GJBnoFL8+0TRk0}XmKD^QT3*!=Uq+M3-6$hEX{C7O4n8wcl&JqWPAtck
z66DIjvYRQrq;N2;ASe8_@{}rO)RcFjGtSal_KQP+FEfQbcYNZdL`&>aco(iYKzRFL
z-9s-2%TU!fy@(O70&j4QNM4Ox9tTv@>$p~K(p88AvQa4Llwp~O+9;%2>d4o%?X;`J
zlZ)|F_ck=5+q#v3{3$~&i^`EpJ{42OyKkuFI-{$!G?!m3r7bJ*wy}{Lg}*j1`9Kv5
z1X3NEoT&M*jMC3KlTIzUq@2q>Sf<AG+>sw1Y$O|V5oGI^2I<YT-3_i3q0619=<Te8
zbO>+blSRC}DWfv^A!qlb?{u20=|Fi7gkB;3L$9hf9kkOKXlJ;C@YJc?FYc41UL<Yh
zGXfFKK0}t1T}6!~$`=%(jS_=j>}iqvjJ1Ib07|CJqVEASxBf5~9l|AT%(=#up!||&
zPLkG>ZWBC&*D%cxhn!ulFS=B7{#_!&zh$4YS2C<p7_gEj=QF!!<0Bc&V$Q@ShC4BZ
znw?M_kH+99k|BM%Y*`>LlKXsO^6@*~HY;RXQ9Hj~-lfMvopAt{l#l3jZ845en|4@T
zHn0H~#B97sXbs?mha!yjwjUAM#4;>ZyfXnyfS`cYPu?7x9R?!992h0p{itv!_2Q?t
z>jdQRIN5%ZixFqK<%K#2PhAT%mZ>Is<jCvnHCcIr?byAK`qL%7(>}1SERh~-iI!xP
z2YP1%Yl=13vRn%tuPVJx(d_oKFNc~5UdV^RB%DGXq#wc>Kwcp<+&y6xSHT?<RV&wN
zEh2zN$@BHAkkr)qK?QpgVcX&S77l`va|L!EIq)pqrf`76y;N6hnD6nIsG17*Kb>(t
zf-tD+mwl@v=+7%hMU5Ds119J9W5w^4>%j;4%V1PWxO~C=#4rRkXVXo2!I!vM3)X6n
zxHI^#YUjMHJu5ao$B!FD73wW|kEEFq=&z)i?kx`{Zl#(<wGNi1MWyrtmp>S?-VvgW
zdB4xu+R)qj6HK1ACd4==;8)rTRX3^j*GH2nPNF=gEx`Yyd^9vy!Iht?;h06tZg{%o
z&H{67BRmxLJ&x?UjVh-C+Ns?C?)n2-ckr&#GQPrw4r_rrN}r&{L-+oiY-QXrIa8r5
z|7LM!;eXFfMHL2=stc=d;*BhzDSaUOAp)9v63@i7UN0j^?FAQoWN>g!K13l-CmWR<
zqCU6!;5Yq=nZRY|67{v%V@0TIjvDN>5Jl3g;%Ey^c5$6XGfR!fM|d6oO&xPUthl2N
zgr3a4WWe513XDk{u}PKFkgS8LjrY_2T|V}&?=}Qr@vwI^z8h829@n|x8F;wk@QAL(
zKJ)L$?pSaQ>!|U}zt0C03{;HNA23%`8}(?(X@}knp%LI!#;XM}53)^m6S9_+F?#k%
zB5ht2bh9-uW-jMKLs1+I3^%9JVESgM<v2RKt%>VKFsy_i-a@HXuL(KsjGw>D_R(eO
z%Z_?~UkjogaV!VdM}<oy-h{p8&Dz=)frpT)ir$*tNcb@TJts@B@Q>iELr1O{ut3ZJ
zC#nu(1cmpXQ0bH~xpL$Nybl5*ubhU7oe-Ho@5=ox2spBh+70^M|G;f)S)$V4+vzFf
SPX$4%YUj^+egDEWDC2K`5K$KZ

literal 0
HcmV?d00001

diff --git a/example/network/lwip_https/fig/https_server.png b/example/network/lwip_https/fig/https_server.png
new file mode 100644
index 0000000000000000000000000000000000000000..7323e7364fa6356df2980ffcbdb97240c53d1b49
GIT binary patch
literal 21774
zcmdSBXIPV2+cwHL<M@D%j(~uoFe->Bf{0Whv4C`=pcElQ2t^1zpg>5lfzkz3z(Ar%
zQ7NH?5=vCMKq58tNDUZ5fJj0T0{dp>dB6Sb<K6o`zW2x8$G3lQgxuV#U+Y}wbzavZ
z_WCu`KO_!Gh>3~)VQyw@BPRA6R7~ubw152$JP{cAX#yX=AZ<)9i<M9gF92VD^SWex
zNldIPdH06vPT;$EpqV35Ol)t{_RlYE0q@<##BRPbH@<W;%!M`13jbkHA@<Fwb=2Xj
z`BCqqx2}I$h>f4!=j&MBdME991Ez?v_@F2`#VSL*gHPTPv7_vPI>nOm=63)efjdlO
zfsY4LCrR5+vo7{*xA^_HIQ8wXD%V4P0Y3CTkIFznjq0?mO<_P_Ee8E!^z;7S@VZDS
zSb{2g(jF;5%?JgKVg5hUm~mYMcO(T*ub@R^VU=F&C62H@3=|@>+OWB)RxLEG(ZIwA
zr|yr|YfQAnq68{aQp?{OLMq~@Jt$4?{V9bk{-HGsaD?4fJM)LP=1;WB4DSHYc1ikZ
z3_3~%Ctu`pu~!>DIm;0k(bqqJByT)OSZ&Iv?!;*{WaPE^`}JiIgRXKO>ldLTN_yFs
zLG<UKt4^BN%4=bbpg5Kt=XJ5F0izxYvWvi+ri{a*9dv1Ok_ohTJG?NeI(RNNA&oY$
zJcNCdsLxKC-iNB-zgqhIPMUgI52Q#Vbo%*wMWs<;c+2UXE?Q26Q1fLXkAhyY9g_`+
zfYs-{<Ncgj-^fAnmwEE0td_8RNW>otPhjtk3D@AL+r#ncRK_zjd+;2trIE}<4DWYY
ziCE8JUkLcYic?>Ru2`N*QGj5b^=@9l$6tBwGG7Hg+DA6?@*_2Rii%viVr0LqZs_ja
z@BuY_&R%Q4OdcLNEJ)0)7W}T=9LWFjjhDtYz0VrrMNpcwE96SJm47y&gA|NMjB_#E
z*084y^z)B6jx5)u#Zc|@4Eu6T#(=(n#a$Ba+f5EaU0hLnGR=7uuv%Dq)1_?=akAdC
zgmQOM`&2JAPB_(8qcOp041?@qFAT5nO?bg8E<VEv)ZI&j$Nvn^7Ik}cdw37f5TpXF
zm(sSElS*si)oNhAU=Kib_A&yW75eqMVvTT(6Q@Ycdnv0eMT&KsC*J66jf8f##cO2k
zYxv$jr+EsDkLru7f1W;4N#+;B$r_Y*$Ne`OlerF%A>z{&zHb|UC(~zW>%?6YC55wI
zXc)rY%+i{6GTc46emDpp@Zl$UT|pAn?c6EE<SO!7Ai=PD26_dTG}b5E%#a=LWND=%
zS{UsOdiLwur^;dA@&b9($}0bGDSJGtKy;E^b%ec>hgt;zMeoW&^S=)L**-dHw)$YN
zNuv3}@ASKU<i995Cpnjsb<8$|3_6s0e-|&9S$OY(u&p4xfcdLQdh70ijg}(O7rV^S
zR%aW0Q&y*lhhC~n@zFfg@6tTS+0*##<y;mwLhBlHh#k+lJ8j}=2rib5sigP@^b)JJ
zbh(<@<Rv<<s&B%Y^@{qG5?OK{--1l$Rn%%szm|njTRRBY5gJT)FyK+EoIe^_TqN@3
zIR7@6HlwMwM)T>DL(m$lr<{F|eIyOpR{k|n2y!S2r;^-!c7fKo)hIWW#h#rXUcc$0
zVQc80Tu@<9<i*iOZmzp$2<6_H3e0IW8g`tH(Xkp0Ph2AP0$tV#rD;^1upqb9!ppz4
z$BUNB@P|SCNDQ1F*c=Y29(-BY%y`B*tY7%S+7AO?lz~wN?SFT%O`zW`$l^|w@#KjO
z|00}**}6h_*@>iJFwfx$uW&t*F<~D@;R^yj62Q?7&nPM#ZKqg}T<g_lrVoZ%<jw*0
z4u&T!nuL)Lt;9Y{Ag&0I?04~Av)ZmTn1-0iP*>2FSKDiG8K_`yzHGj4xo8p}FsHXH
z5;GZ58o2mVmm`u7r`!L~-T7vBzg>@qT)-Z?+xD|!NuCIe?t(OzJN{@){u<FgV|7e0
z^n!3i$euIY;`MtTcL^oR{o#YAOew_CyL~8E=q&-kX=`ukvWy8k=Yj^m`m@q-kPB9U
zO&y=@ZE@3sU%@Yoe1P8fyZ5{41#YPxo^rMzT(JkK4XPU0#NZQIb0}C%x)+baWwwTO
zmooB*f9UXX+~Q2{fY8|4Oqaxi{(W+V+##!zlnaz=1A6qz7$XM1cD;+?Y>1j9o?+Am
z8b{hFGSM}W=!v%C#0rv5dc&a6H|nXz?BRoInS$i3fn{7P7mX|$fom<r&yS4B#;+$G
zLun?YCxf#`SISI$pN1ui7LC9a=q1HYuF>#NUpvXuhic8q#B~l1#3tPut;S9b<G{K<
z50L0>4)lH(r&rT|FbYdId+Zh?W*eTBFgL@{kb;JcH5%A%iF~56AUjd?`uxa~xx)v&
zPC#L!@mFCf94P~MngC-$BkJv1SX>&Vn%;zmeZpz@HLDyuXE(D}z<+(ccGqg-zJpA4
z=MYDiA@ZHIZ0eQ~qC)O$ujh1G?!N21^^H#xTjNo-@@*fX;GI4)xzPic7KDXHbaF<>
zE3Azj&MB%XJ%Gf&P1Ef@TipWRPn1ivcp4Pu>)-`uY}~m=<+V1lS2DfF5=7e3S8yc(
z&9&!}+ip%()~Li7nIR6joi7S#fW2%e!SS8_=&z=eelUCxP`J<oTluO#YAcN6;?jJ#
zvi{y{dLWBi`@UFIBF#2Og3x<9nTM#(x!u-xSUjc=VnmA3YSdGn5dil8X~<5dCRLCQ
z;%kHP9j+?}g&FuJeoYfu*G0=-H1U&w;4pYxEj%PsICUwW&z&Y|c*>x=sFRUnlXUW2
z<2=C|H$bV}YSPQo^OO-185>V{H9F}>m=-=Os(8k%{+Q<AprbWVuQNrZ`)F}ll;J%x
zV_J=1BoJK<)ws-jO(ZNWOjO*UP4r#LWnaa9%d$<dV3g;U$znONS$H#S?e?0ybOXDP
z^)$SOpSikI>bQvGp#9xtj|kuo_{i>I7unX^6Q_42Y5z+Gs<Y$yK2WB$POoRAFXs&p
z-36;z+FFvSS<!{Yl)c)8hC_FX;`<}7EXn^Yhmb<1sYQF6YA7akk=aDK?pe{8U_FZk
z*T!@<GB_}<lM7pJIua_JGW@|<o$rQ?r?-p<H3fWi>QDshC8*E~^8s^>n_cJw<_JT=
z_Gc12Xbp#J$b#^()_M1!uLCrUeH<@WA3s@i^JiINWvzIT(eMcGZdQe`GBhR*r$_Cq
zkWF?4QKvS4XU9k4S{O3OA@8wxJ`)z<kJ7NQvZswDGPW?HlM~58x5@_DeXKg6+o;oo
z?B@ytIfhMLTknJy+RAUA9(X{mi2E}o)UQYtODz{AmF4h);|5p)N2}hEcRbX0;%sBO
zE|J#s*)DSF6l%XCtsWf;;o%ZVT-@F&E~5Xg6qZvur>>K@@)}j9jc@12R;n7hj1cBY
zHVHAzKEWZzisPteLYID3$%I|xvD@&Su&5mbaVBy&3a!X#FN+Ac8L}WlU(+O?P=puG
zr|!IO`dlVPwx?`MxVtOxx=sM@>)1!+K|xl-9YrK^(5?UZoc>r1R(LaxT4X&tvKc+u
zI8loZ!i9(6ExnMH^GHm|h;VILmsHHZ$*tJ9EYB>c;|eQ;q&mz!>(>ZT(KXTUQ=sku
zhbWOr1cGuO%QHoSIA}E^dTeEFEUvZ~o!lCJqL>^HcTYk>vKX_6rZo3t4-~JfsWBWm
zfsrx#1a{u12wPtcvvsYCVW`TTZmdDVifT1v{L<Q8#>U|lAfyP{*(NJo>*9aNdMdyz
zInwMRzj7RLO-JB<xB=mzx=lJubQPhYLnGdWF}>Ks?-A^Uzg9<j?^fKWd=Rl}SDBDI
z8dY;r`rs6u=r$&!!2ULEqb#*M6r}cN(`T-W@o4ju)D49~ux0n!Z!S^>3m`cv^M|mb
z3?7QpAoZUh*6cs#r=ws=0tv!%6X$h8?vAcucckmoDxM}cMm@|dh69t_8_L`4bIzB|
zz$^+}PgBnv!p}NT-*>|;G1G(oMIQ7P{en=BGR3Le@#Bqp)LcwOfZF~%{UjMLug3eG
z87~Gm$8<>};b-vp^O&Hb+hEa#Fxi$z3q}77IMm92*>=15XkgSCH_gSZk95jh7CX+%
zuRjaIGNhV}jQuu<^IbxnrR>B8oeZBc)F31_d$AqIT@V^I8jr_UKCCGk+7=pF(OMWz
ztTuEIqw(awmO8)FYc!@bGs#}gZTVwV0czwiqkt4MvN6pZNrHrfI(cVMZ6C7-8u9nh
z<erguR%r2P`cy63x1Y!hDXoP)zKS(vY%Jf_WdPIqSxe^w+rA?LI?c~8Qe0#nO_B4A
zL#2GE9+t&Fn|1iS`71%ZLk%>p*NF^VcF^4=4UKuAHnK-5+s`c5nn3<#Fn)2g;ITpd
zoqX8@KG};#4S2EHqP*J^39ZK1Aq$HT6aE>Hm6rOm)i=Oxmm@uc91_<`1%_W^j5^vB
z;N+n~4?0s{mWvJx8Z{UKKtfJ%rb?9}QctwUQl}PwGFfd7OOD>;IQo3+detC30y7w}
zwYFNeuyPeVt|-KggdiHwMo~RWLjSSOc)6FeWhW;Jbc^+qZR*q}(mqADYL$iOfAKp6
zR~{8A#Bsg~Lf?67(v29kXSXg!3POogpP9yamLuoam4!V_64|qAPR9_>zV)5x|Dl&^
z9q050zt-4oO!2t`nf4o#?Sp4xpiA){!q*mHT~&W4kul}RkA|iQD8Dh8PR<t@tZrE8
za8=7ouy&Dy9M$>&@g!oyD@+lv4rN5yl+bZMo)lO<l!=i*y*3sEuopJ<)8T)P#(#=D
z#8By-D`|uw@~T9ULR!}*pNqb!+pr|fIFvZ)?2dNw<2I}0e1pxbsVu+#CeQoMtkQ_)
zK1~X}-jk>0xAFeZWizb%#_xs;Fga3_6edN(nS59Gw_p!UpgpIiV=ilN$h{$i##|@X
zulNAI*CAQ8<vo(lh*T%)S5J+TGdyINhy35yci%azE6G@MkZ0T*+nPE!Hc>EZ)Kkr3
zltu=<r`854oc3yrYShHLA8b31KTk!A5;PmC5AyEoGX@<K>-}H2X|g8!VeYI3n|hUp
ze5L8yj8361F*a#nc#L;1%bqGba{kPm6PTJ;Hb@A9M|Ixol)Fm#apyRwg{Z<CQk2Bs
zs49tM@g102@~C12uP+Fu)*1w>(MbJ{2BvQsN#q!{d{9ILi6Y6p<WYu~s4?$IQ{5tF
z<hFfp5@a21i7dMGy=a1=)f%Ed=p*7gLYqlNl`*Ch0mj^8<t1j|l#2cPC;F~U6RQX2
zCOP#HB5!ufOb1&wMJGiRM?lo)N1X|ChnU*dTk<B}G4#v1yQZY}$4^=_w`cwALE))H
zt*FfhWg{l(^js&0l{=q<1lY#q#JQ)3wej?-l4tj`w6eO<zaZFQuose36=CB;+|en{
z*NUJQ@8%YZK#)CAc-|?JJNRe~c<y@83&v?`n}H9A><8V?*7MTC3U>@{ds$F7Rw#Uw
z9Zw}Yg#_8*Rbt3JfDdILy7W4#tL^QM_C!VR2^qoq5?%?kbwb!^9qF=gL<->o7y52c
zg#F>3-Mkk)@-l$NASQ+Z|F5|B4|8?{?|u@O{=3YzH~$S~;Q#%i9tFvS&NcE@BLUAx
z;_20GTXmcF`6SE?RdfzdXKO+>jRu5>rsK2?%jR9ch$+C(K?M4i=)P!E&FFq(^+{4>
zBveCQ(<X%f?vQYEuQW7C1tcc6jFg7ni-`a2YR@b^citv)6ZSuz+JsEfY(i8)TLdXZ
zF|l?1sOtH1n<VP{o9^wSFC^2BrW99o3fDKCU82(B4v$aASEVy)ZRJq>;Y2D`TA=p9
z1wY1c#zF3|l4X4Cg47pbh@yT|-L_;V&129%!J7E}8$R7+5B><EK$`7czt#x8fS+$v
z^dS~>2IY8Rh+KDi7R@Bul^UQ9Q{+`S1u4uqUI52qFxW_qa*kBeK0vmq0Xv2)q$Pwu
z(mhdF(frQxlZ^S#Z}}<Dils7o0?|h`@u^E6*lP{|w8rhcaV6L>{)Rh9G?H!}O!A*N
zk)xTebZ$_sEK9P*gdVMJMe7!T+>743UW?}hqZUzKS?@UEca!$bw|b9VSkbD=3J`66
zbaK%e)8zyibnETobh4{M#vA$dHZw$ZX<&xFOGlN?_kzg+asR)LLQkm7Diz_R?NY0-
zw<OVNJX;^z2({d@L2jgg_yS&I<&2f+Sh5K$y8Nhdgn7pe-R|%U+6q?5T_CZvFt6If
z)w9diMYnXJT18RleXUdV6NJ^nQOQFH=mlWaJ~?i>^e9{AE)B-oTkNS*a(A^_|2o~D
z_9f!c;I)gE;`B|Ws8nTWEznpQt!#m1`QvHLO~M~Z18Nf?s~NMXuo(xxJUxvghWOS-
zMQ`CmEWRwVWKCFDLiWtKqB-$dZyzh4V~ak+SAIkYWvv6-!i(<}ua54m@#Q(&tULF3
zY@BcU@(!E=dOyE<{j*n-;SK8U;{c70ep;Cn<hSse?{egVouw+pau=0hVv^2nkOIS3
zgoXYjPlqi*V=SJ*ueT+W`L;*v;?$j10CkPBn!FitqxPbWg#-s9cvA5~8e|*dc)}cl
zP@?znvtDMMY1@}XEL{Fp&1`jS{rSD@&@0U|`f!$)Ec7dqLK^|WQEURqgsf_}ZwcjP
z03O$-;vXVST$soHseLua5-(OHRbB%)z*b{(;(gCUx?8)_zIeNYPt^z__(M>mvd*?2
zYEs{hn7f)OzPla8;*Vv$$~rK3=-}zwVR8a;BzoNK`rW8`hciteH8(Vt{$t;Qf;OIo
zRy0EGi(zNC9%Ql$Hkh;U{o&;4NEyw<X8nT{uj8N;IfVgFOT`KnjdVQ{&=_s&>*voY
z+wD7X(AKTC+{&WB-LuldxB^4s=QjJ|mb)cOu`hDn{p_Z#mN>CWZ>AvyG*K6$qUj?U
z1%As9i7^g!Wi%d`wml_L*=j-EwfiU>Mx1I&foq?kUN55`XH=B2-!-v6m*CI0HFy=F
zqfA~<mMU8>2L-&9e*6|%SL#%Y3A~AYHDL5ATNt?Ap{9mOf~?2{Em^nOfm}@6{pq2?
z$qiu1Uz{Xu{N7X`WoME;GW|(E2DLOsj{j9mY~!>v6cgV|0GVxmSDqv1OyhuuNjd)w
zxcp34Cnapj&vnw)-u>M8Rj@@|<gHaKj|D9A(TfpL6_v7y#FCMjEyNO=I-sp_AcIP-
zEFehhgQGqNM0M{Fdq7?Uq(aqSvQ<80-<|?si?<TmFy_V)0phE)HwO*?Uw5q^kza#>
z`j-h7ayoNC_;gul(gg2AX=M<-e`Lnw19qVPn4jG-1|wiw-F<-P;7rm@c8sV%2o|^l
zP)zKLySiN0io_htfww|XQDL2_6RK?3^Q^Rk4nxMDgJMq~R|T}<PgFjjb<s{7h*KwD
z!si0&ssuIhw%-qvB>W9L^#UNB2|eDm@ApQ^4p-Y@2Zz_4wojMujE(G^&W*B3mGQLO
z$3~4B@1g)XS#2~?d_IS4Dwz>^ZTQd^j`v9(5+8tnkeJL6+)L3}E0X{W9b;=X-*zur
zblVKo`^>t+`nV>Q;j9{wD`&+zh9G2TU+wXLLsU}q33Et#{Cp!p@Nvn0OSSUmn3<m?
zBDpd%UfSxAA290d^ISAE<RIvXUMqS~1`xLgg|g6?95em!yGrHpzj@rfz($#Q&h2~@
zx}$FprUhAzDf1LPnUnf+$?MtZT*1LZe)(l~%#0S5bCma)&AeW@#G1;{e(F_s^2cN}
zwRLf@ah_Z*%V8)O7QWRt<sBO-DTBouy_ddu%x~@(4_0VBvr!-4-l#FHDeb)3F8D?4
zd$mwL%B=czuCC;;+KK}JpNQk;^xj1kKBujsxylHi5eQCcCiUdg<FArcQ$VY>JJE*K
zyLY7M5G(eN5<vMv+AVsY7sbbyGTHDfEAiFTP)dc(GwX=@3y6j(V69Wzhr?u1lpkkG
znx@ximcT09jrvZD9|R9Kpg<|zX%!K@&MA`FHaVkIKdX!{EvYeq;P5X_y?1R7A+rCK
zB<w@!3@0`#$y9$G4s#=0*wneQ?&sAS1=&4D?q!?I`1+nI^0;*!@OBrd_Nv$JujwR@
z*^=!7=|XKDN<qH@u$7?AW_rj6mDuQJ|8G|A2cWP0;!rnYom7ZqBU-KO4z5FMky>xQ
zt-d^D(Y^%6E++_Zc5}$SvA*wF3?1IFV4bSmDRUis{ToSdTU(Njy|0v!e8909cAw)x
zZfM;dAY^fPVc!AhkB&AilXSyN%(Q`vZhES`G?gkAzxjzUR%tL%N64Kj34<EHVPD7Q
z-qUdt4oqN!x7L_R;KE`Nv!7QQq@$Ay3ZT)(=Z<*W&R>X?_OkH%;x!F5479U#mY@N!
zP!Ja0lLry=Hy=1|&g(WXKb$(?7DZJmhp%QtHAJfAko|Fs#f-z55aW70$n|u~oPS++
zM3EVO&FG-im+loEVG?mcn{pLS&L^rX)Df|wqvM94zG00eZ#XE?D6w1LUS6v_SvOI1
zJFN10s=R~**5t7Tc76CRmK%J$(UdqWIn3KAN`RlL2d0$o;sOwWCthg@R<F#gW4pc@
z>6?q(k?m<|st*sAK+G+aG}RosRk284kYAnPU}~SRo=a3^nc&(F@N!<Q`=3}rAH5^&
zlV$0&@Rc~t#0FTyEWcft5hwf39|o|DOh^dC38@a~g7NLcLt_N1nMT!0M|_!KYne_N
zM@ly_lht|9@3x!JB^Ke%2Eg=b!#F{91(n;(iggc4wwcO^ubiaM_yY3=zSI-_w4r3a
zH!8<nNIQDWZ(Ubkej7oqhfKN>HgdPgXTAJ?kEq@gtdpF#glwT86U^hIQ5!~^vR}7)
zw|>-;U{MKMXkGGWaxnQ9v5WmE8EET{w)yCeIRJtF4kS4@f_GEL0gN|_Q`hLPA#ZwY
zN4rXY-ZM$xv=+?@)-+M|mX8|2vMkD~jCpiUr*TholPc-v->}yUP;pQREZr%XpR>a<
zHm4JHBV;l#PW{$DbpTju7Obyy6-$2f6Y$7h-JBu+xOwtlc~5Fkkv%%XN{ThUG=WO}
zE#7K?nI_EY<ftlHq^wuwYLXhCHpmOV(q6P_Vj<^ax<x-`;N3KB%6*?cs4!e~ZA(3&
z`sg`^O__U2&F>6Aepxj-(uQE!Uz|78o#U*Ao@rg!BMg*kAjgTa<QVBbMTnq#X)8sW
z_ZuS7RxDu8!&Wd+eIDF=vLJ1)KR;zGW>l@sQRTq9qv5BNtUu8GDYo=0qr(npGKasX
z<Lhzrq2~|$F}-=3`0J6!JcZiIQ2qvqAj@>7s(=_Q(e1YIc`siritgGd>+@_xZ3ye>
zy$jsqKnJa4k$Wj#Ms{!6?YOJl(|?8Fe&sk43ai+=icSaaji-6M_9{YN&w>G7a?9`$
zo?$XTAUCc|aP}=E1<aX78+)(W4!ro5AbzFZ8t1N&7FQcAq@4PtzC)-=R5g<6HJcdW
z#5SwkHB(PVF7N^dwycyudHMltdyld3dKpf(ti%tY6KB3rW8^o6t>Ni9>PGit;mgzA
zUVH~%5K9hMR}x81<%eg2alcU<cx#t}Fxf+-{IEZg*|jiWmNX*zayp?~C!%l}YaN#&
zirzr>PWinuzo9H{`NKT?LeOC{PWC*`?2}H~m-fhGE8-R%vyo5_?`wr+ODnOIa3tBr
z*#eoVycEx;@ZL0%wNuamRpOL_e(JdspN;-lvbQA1go8P?bh3JPo)$%g#Lfd5plB~!
zoz{?af;)3FE~{*b`FLvM+~?3WlvcA}r~+_6&^cU_bS34poinSrv6s!GGqJaD=jj7!
zt7fZ4C9ab_cuB>ZA;U?K>wncQN{xG94M9En0ZTNpU5I1W<L|iNxu<i(ad1xTl5juM
z0`B3rDzd0rBHRg@D%B%f1VU}=W8{oB4gullsAfeql5y&^88-MFO~unu@>RdkS0%~u
zGPkHWclm??{)%M2XRxEfX~;cA>&A59E%R@TmD^qSCooY~Bgnm#e~)x^<ogCzc%Ubl
zhz1(<Zd-mI`cl}zJ3U-a-r-dw6g<}>+xSA66{7}#yS7~2P(R;GR)wk9XjbcP7BXYp
zy*I;Vx-oCM&$%j+T|oEjA)9+G4>t*Z`!EPYfpkrktsc&t!&5`9t`6zWjj<t{p$ldF
z$Z}3aMnFUR{{5LqK65zhF~>3amfo)^Mt>~YJDs(A$TxNi>nE+2*`YMW$6!ugMHR;>
zeTL<FSv{VX?oj?j0^EP;55NvxH8e;+1I84iroo%;+H0Dpl)+byRXtB0_SI54(1cVC
zGNZjnof$LI7gtWo3snyPB3t=`Jps83$~N2Mbh%^pc{8Q0ed;h4i6Sr2#z%{HOHD^o
zHApkaYa%M+a2D0a+O{qz>(Y;aVSmlGmN3XO9HTXI?}fs*fD$$7KE3(F7gt6}(kqY)
zLAwX(y|cDNK=T?hTgQU{g#83t(Zw{(v%1q3)}~VrOvH2ch>3l>5yJl?2LGCn+CMVA
zjMb+CSPFnrzzxCLGwg_BQ#7nQ99Y<Y$MGNkuQ~d&C#ScL@m51cCylm}1sgJHwSWuG
z%8G;mxVa*y2^_bWLY^8aVP{g$J9AMRZ7sNNQwXrwlfC&If(-P~N_cpWa<I;8KY)%_
zw_#D651#J+tp~Zj&t^NF08?0fn)FkA@ZUgdMh1ZPa*`TpqY!gryO<lpv}ZQ^?|cOE
zz<;2v<d)gPJf+lji+k1DQyfx`<&3W}H94pA!i|5b1iE9Kx_;FBj7Y*9pWBUdnop}X
z!=AskS$Hb?3Fv?VsZG|e0^&4wvu*5#`>6x^tGVY5@Mn6~U$mW4YL^!tkkXg$;UMqy
zD8uYii^1S46^tfEX%E$@lLkcNrZ+?VG+>Ih7l32V9z`ZEoU{D&(LBhfLhYC|IA}lr
z=f!oY-`5~Fa?9%UA=8AkEl^MvHQem*eQ9Td$s9`>??>6L)Sp))k0JK4?Jd`R&yO6w
z6>_lkHLv2-pCKzwi$Qs3`wgD<U?#c*jdFw9@ssEBo6wv&Ca`duF}#f{qzb&dO0+w2
zO={^yr6+#wu5x)caJZQLjxb4A6IYYDT&|NWt?&ijEwyzmEIYF`l*L~hB0Mjy*zbol
z?#YW(SZz3|S`~gL>KI()F9N-wwi?Ow89Z(4MC}E3U_`*}kXoixiBpcYGS~5Pwxd#U
zim^`CBFH{uf$S31>%k_NK8aU%#G1AtS_+KtM})*afv@rCPh^DW;%!B~ONdPZNncHE
z)R^M>9)CY|(D_vTncbm%3ioulhX6<&m}s0&Rl_90O;^6l9)Qk~x#z;at8i1wEc_JI
z&mRVm3%VG4Y9o&N^<y_PP96Q$-O<4zJMo$lB?U9lQIgZ?mwhE6vKO$r^)s7ydh%R0
z9AdZGbgEaJdZ*IrK~~vUzaQfMSB`^vi1=40w*q^V>3xlQ<qcf7GIuS?1wr`fmyeuf
z;#&-!HW(H^13;&=sS|MNA5~s!hWncj{U9Bk%mOQ1s~6<@Uzkj;T<DMAMNl)GiRDVO
zhv7`VG0mYI?T2FNK2`b(2#DTVm37^W+8j%lI|s??hC1?fm9PeMPzg^9<$oX^?_H6X
zJX|kVGeN*42o2ga54ZqEgXga1biN1!Wjsj)&t5|(Sj5ghZ`XLy>bzEc&8B+9%6#^#
z(Ty&tDPd?unFSLN0*22k<xQ_aeQng1L{_M?oSTnG`|;mKF7${-B=zM}bl?x+9&D9|
zuTUv&S*#YHBLD6}oyUoK>;;wJeU0VToj(*hxrHIP{2)sL0Bd3ztA8WMnmC8FTqatG
zG0l7OGge6s_{&|}ZTx_oEs9eow&8RCc4ZmBvojWC7bItqen9o_4fcSuO@96#^Mn4A
z3V3dl@ER|Iom3p4rmSxLLEN%F&;Fr10SlO#W(LQPZ~MH50TrvH`V=V=6QBfDRYm<(
zc2^mx2%~kf_-yJIB$9kaHGzU{i(TPNtZhad-=<f~$cc~hsi{wkb2<--4`WXZV#}uF
z;?${9O@05kq~YWoOXYCA;`Zfy^U1k_M|v@jK69FvL;hWu89?&gkm&gcsCfool<L%@
zHiewcF>Cz$E*valZD772P2#WrQ_c(Rx{N>5onr}N*ZV~@Ix*VTnCB3@PtJC5qg1i0
z3@xRVK2D)l5EK3yLZdU*E{HCSCPz{#FkighRcPb0dvVv$#Z>BGRsmC<aW=y49rI&1
zK(GskmL3wx#jPVk2P$<oY;LR0r4f{W4}kZTiJJLdmA%uDc3U^i6YkK<HD;6;<Aw~m
zz0`r!+GWTTQ)Cs(IKLSILc5)Z?0DMzUWbrs$p5P5MwCOSxxYvoSJm9z=H^Lr@qN~%
zLUcUQ3q<4`;ED@O^~QAOY%dYE1U(7LwlloV5kH+61qgl2jUqy9R+AZah%|z{wzr0y
zbX#~KuBahE3u9DYQqLy=+yh$g+T&q%Hpbo0>WhsH@x~j66AH*RcXj>0RGn3Fnfw<c
zFBIZG!bVk~h4?_(-Ew@=Y1-0Fdi)>V{GTft1caVeJSb*Hi$#lMKU(=<q$A$twYeS>
z>Xsef&F?|h_)0n1qbQHN<tPJ7gz3Rej2i+!sBh?kE(WBPy*w9_bVoOuvLqcgPDA(h
zE8pVG99MRPJ}SFzQR>q%_I)Au?5pMCw0?`r2W}qH%4`W-3By^*g1VRAue<o(r4%I7
zBC=dY$R>)MbqZJg5S}tO{I4#rP;19f4b#v1rWDsYYhP%$elo6syw_PcDqhk6W0abv
z7y-xBUQWJAy7~vXtx*+Us14DqwA?)xcjs1WZBK>yr1i;3c~ErOb*$}0?S(&1_?RAm
za#<}gcX~WtM|JFzhUze+ZjN`}2&AMShx~ydA}Q~@*o0qcoA(}VkFQyfNjo4Wc4s>p
zutyvwc+&a&V&0P}A>tLVj1>`&Zkf+rrJjh^WjzVVR66n&_tP$QE;9S6G?cs45;GTh
zNH`QL4bAyyI#u2uAq-_5kA6Du=vREYz70Z$wH1p*&4Y~&UZh?Bv*S7_e!c6tyR$kk
z*VXJS34{<IJnyOb*+)4=l);**ouJ-`T~x@^l%<}LkZW4!aR1$0d*p3#kN5ME36Ner
z`KQV?O?vSw0m#>)8zb#mmR@e*d*Oa=Odo1^&(g4v`GCmQ%$_cyYK{2D78$`9dUG6x
zB!DsiA;^PBDp;S3c`|iRBvP5qYl|`V?@xRw*%CTcrUSY2d&QS)0Wk2}Cjr{6^JTfE
z=jX<JCc@9voxE=Nu0i%_4}Z_jhtZmQ<AE^l%Q*FH&&aFtUdM-DQ`LFM38%IkZAQC3
z5SzYs7s}FCflR<!?(Hi=C-=j2DXlIF1NnJGZm&T>5P|`mM|#azQA7_+TSKf!F<lN=
z=ug6bIMh$VHU<I@9>5?yv(+a>q}FbceLjGC5AOeWG`@#9mNz%aA&o$Gqy@{xHLDXs
zIXce~8qI}20caG#g$ZGs#8IQ@GyvtaO}qIiWm|Dk;ed;_+&57Iz*}kf%JhMjr^y87
ztPX|eHCc;a#>S~94%Hj>Bulsbn^f^w_wQMQt}Y2HBB9pq&_CkT<J9vQfSkvv_v-OT
zd4hH(t3!`PxY(qmzEZTZiz32+<bt%$&NU{S8>UPC@M%ASbG=9TfQgS+U?G|7P^Mq4
zN;*k;fdh_53TIcGx^80gmLoX3Xw!$BKYvb|uCsf8icWTeNqQr_lV&<uO97OY`K(cC
zs5I1q3hY$|U*07BXb@DX;fm%P0aLC|MXD9@b&o`cpVkUO^urWUw8H;@FYzPix2POm
z4e~*<6kwIzAmyMw6}M@Q*5{eV2y`%H`75Uu4EAQ(_x(BA%{=C3a3NmZdx<GWKXN@}
z_((Ew*=2^IhLAFX7aCcYuh_xQz=Qg;XwgqsHb?lR75P~Nb?&eWK+^(i$b9qk7f;mE
zJ`IFc7<*V4&WVarYx07MKyNdXwPox)&98+NohPdwB{^%Pmr&mlZXM0#u9s3i5FAH`
zM`%ce)Y8jQ*5Qj<Df}ng({3`1k;uz_ucM#mah<CLyAuw)MmpWqAc>r_9*1Jraq5gZ
zi%og20%U(yI(#1kJz>gtk6gc;LIcihU`=c{0Gq%W|1@v=p;Dvz8LO-kog27#np}ko
zdpSx-?HF{3XFOfYRSGtHW7qP0WO}xCuEYOBcT<PQ@gRSyN)62Q%Er}bIpXL~Ds8Y*
z+PiMxgn=D`;+Il!LsB1{XVlH8IaGLkru~REV}UtYUow6Fr+#Ggrd6d&)CgjGL017;
zLOm$M@x&3w;MbX{qZhyEo>In`Yai{Dtl4gy5qq<^#s+2hDwhkRGHlH!j+OtWLBl};
z$qL_+k<5b1`;UXMm}@CzoS|2KYqE+6X-9kW$_F<{ZF7D(sMiE<qrt$Wr<xX;dOj4}
zE`yeu?E8BmQjsEW!VzG@bt>|)>PYlzzuI3LO(yA>dZ)Tt(<lM@de7|JN08>y!S3Af
zfqdul4xQXupF;AyLuNbaTuMdCh`SeY=tOA&f6R^%n6Fr^o6NX@#5F2Vn1XtI<X&oN
z;e0s}I61$o0pTYb4Kp=0i6f&w;C7P4`agRPAyzi(sakRBJ(n+i>oZCJjxjoAljT4Z
zm%04WJixz@{N14zXeN27rQA9fzlu&N!LHe+^3eTRvao$+P89YGGAu4Qi-Rg}_`8X1
z$58x}K}y^yW!KXw&Buu0RrBXgq;fDZGkz0|+JjU4@ME_ue`AVIy)*wYE#MCd5LCw8
zbK_;5<N<|Q)IYSb;MO-Y#O{`$Lh_(PkAAfY_gH||I6>a;qo}CS1yof9!kTvLlRbSa
z^pF=QljpDMR0BY|FijE(q;79pbsV7O=g%-Rm5v9qo?krEML-<5?0Fl0Ew=9@q}d66
z2FFfYw(0TErp!#-_bv(V)!tN!9H$m_D->=n0UCB6u(6E2p?nwPkv*u=yJ=m#(pzeo
zqdxL-r_VF0hFsh^3nK*$!*vBs!$$<>41H!n7_K4|u&UlnOEd%iJ9RR|Z?g8?Xl2n<
zM$6gy?Rg0d;4w`M3nABO;8_Jpdvgaf)f9lKKhQTxkLq6j5PPd9kE^#+RG`-k<i9^S
z6Q{nF(@VHM){MCYI5%R?{_U6kC;s?<pPK$Zg@U6Qmshu-oLQ#eh7WJ=DlszZ)o5sI
z6}x^yag~3@-z!Yu0yJ<ptPY5No$Qtr*_B6?7Dy8R237htzYJha3qrjYn+oI92}wZ+
zXt?W-hZV@XJ+oBYXVG@3;z30NfTXwwd(CGGB{Zl?K83Yg2Os8i7S<QNUj_s@#!?{+
z<qfm_JR2+$)PP?}oV>8@km~<aRs=XIkbb~vjAs0>h>o}46trl?j?hKgDN)7qy@YB-
zxC6=+)`wwes!F@vmWEQ^Zd30p7U0uN7uYJ8DFGWLDB*^8Q9A)MBkCX7>3f3etqvt$
zkpw5*vKsNCQibxujFAx0ANcm6%=zTrtb!FEw68RDl|Lw<1texl$i;6iaTcWJS5}-|
z$*mY4jyOUZTHdB;{?iGes0fp_5j3zRuys?MZw;J_M^)B(636v8<mK&YdlrTUVueWx
zR`={p(%+I>R6Kj(ojX3C`ejM7wB@iw2j?5lFmo*XJR$XS-Uqg0o%fk5sd`llZ8!qL
z%I+yY0iCNIBF_6;71WJ8cFU1I4W~yxx$j#yymb}(36n=CAciLYA?oH8rnMCLBn&)e
zESH>1ro5QZ;CZnN>IM<iY1>%8LmC$fi`ReS9y>h!Drn!FW`{6|;#J1|g4+Y{W^9=K
z0;nH%lG6cocV;Ei-A^PX^th~Z!nv?nM;RGDn&%;Dcg-Dd-f!12<$P2%E6T=|&vwLy
zr;_I3>rX6SM=7h)OVyWsV}HUBQlkW$MIh%%g;gLwcx#ll!uQwsvf_LShgAbHMIW0{
zTA;FqlLsy<^cr$L^QE)U8o+sHT>l=}|2V3OkLry>Qs0g~bUtBwrR=R6?t7xin><Z%
zrm!Qe&r6bcugBv!XuufxDnni1ph6fmNy+Q3Eio1lh_Ni1lMJ++Gfd@ehTaU<Smo%`
z*`qWfr~Dv($i)ibV$^6`5hj&QWwJd0b9~0z$n8}7g(X!GKJ`i&e?a8?N}PU9`~v94
zX%*_@sQP)y5rQwMrD0v$B>ihdp8^XD3(}BaW>s63sj^Jp%=eDO*Pfqay{6!psesNA
zqT>?z&p5W|AqOQtqN0*z#VlfP<CfRNCjbWPBR+2!3o4y2*Eotcoa?E5>1LlbO;9EM
z#zg@9eX3S9JH7ut&q24~tK-OFaFwhw)~hZ*eC{|$wOU{JA4Zg?rG%+VtHg!^=7jU?
z7`;B^s9diVo;sxB-KnGo`6?i!C$mzLYrk1t+|BHg+Wa+MeR{2vKOxX(?ORwHC0wgL
zd%mlVIOy7i)>Q4_-tlaJO~Zv0Y6Od@y%*`o8g)Jndf4C)zZiAtdlxuZ$0g|RA#GUo
zC@)A6(H+p*`ExQsGU!C}HD}eJY;bx>riyEY68FR!*+;7S8qVvO_<Xm~+rwQ_<0gtC
zfgr;$L)wc;WmLbmd<)IB?i~UQL(sSzr75#^B3frUtPb8=NI>vaQ&GX-k*IqX@LO!G
zD-?^*^=>IBlWie_CEHrU$G>GzA!D5YyzK`&g#5C%;5qQ?GU6oZ6ReESyA6B^(>9R}
zLvmoe8-W1bTsQjPGVcaJ@&9xW=)cD44M2Eoqs<EF+o&A2lr0(v-KN*%znnw(8=Gta
zJxYs?=P|(KbZTPjqf0D)Pd#CLTOtHCf-R{7{Ur;EK(0aa++k<hse9R;njUcIbPZM7
zeLHBwkHn1tyH4yc*^{K79Z|UN_wipcBzAoG*Y<U!F+2g4YgT?VQG^z$8QC8=Ns?Be
z<B$#3r$}m3ydV)Nq$MdaT$VPFyh7*MM~U76sP;V=&m1Cr*^WIO&T|ZLl-(nNDVpz<
z)fhBMeFfaBX#-^2u_6gYWM1f6@*3-DPWKg)^vRL>PvwYx+djf8R!*m<>z%oRICXDK
zva|%|Qcs@2pfwUom4<%h9FE%Q6ZOk><tK;LNyhQ2;F}@hXo-UNI!|vORXWFrz&7AR
zya`NT#y-C3<Aw4CYEe73PsFfx&mLtF9XTf+ajIlYlJoiI*>(lIwAA`LK<D_`2Xo5e
zbn{KpT{ql%fD|4nAaeiE7i2d}O9IM1cxt$Ao?diz`B!|%!tTqctp`g$dz&k^aq88K
zs@)eFhDdwYb346QQW}_se*p!OmcP?OIwbZ0+{V!9ulL<=qc%1mq<&-CnsJXuh8Jrq
z;U7V$Z3xI(=n(y|zgE7ZsW4u>8+?A$279G=`Oi#Xl56HAU1)$e@D;Z-as{aMP2P==
zTJw%DT&~y77+G1U&Hm{RWFz4Ht#!x&=oHgO7Ak<*eylvm{RyIBmZ&Y#K%oqTEHw3~
zDl9`3@zo)t<3Rk5lpU?Fya?=m!Mx&DW{xE);lp#A=dkqFMO<MbmX!%R4V;$`;5*~h
z$!*A}i#(p7kh%RNYFjcEzzX>&{MYq=KcbDIx8*~z???X2TW<fgb^q^Gl)urq$)iWn
zw$x#?<X+C!M@{v2Y-(^_k{s>_$I16f7O)cE)58k^BVEmuEMYUf7HZEF8?&aF5w%8J
zK)T4%UBcnhivS0zZDHt2LtT#Gi$fEs9ze!f=e?$^0v)HIBE8D_)zj3WOG!29Tfy7;
zGU+IwzBXDO?s}*=?V$PA>9kT<=JHN}L9LdrN4k&$rZ;$^0Yby=5N~O|9p{K}T-MSg
z{ju@jrbZj!hUkp}^6oArtq=1y<{`Sf&r!oXB)O-h8vh3)5&~PyVyriGJDqN^?Dzjm
zQA_YbudKBM`O$u2$~@rg+SVOiX-KRU3?%jEua0%=(aL@IUdhohB5Pfm(6$4yRZ>@8
zbV1Mq62Aa`>D4_diR-!HAvASC9o5S|(f|%7@}C&lhAe;wQdQXSF5cL$#p?;lgxxzu
zhe>67!PNNLpIqrvGCYL8!sr5>G0|z-TCg1;`~;p}BfFeGag6u`(P?<FGj-&}`NWPv
zwPC=k`T;4`jg!d!5&HQ2;JLRJ=CtEXM8bed45zHs_`IbA)`B*!AXM+J-H&&FXZ;rl
zespSc=o?I-Y0xF1RYcE18ha=Jw|V5xNT_<3FdImb=-;PmE0Z7!O%@w{hdXyZE}$So
z6m@=j)kgaFA*aJC^zays`+J{3)(rt<jGEXdvQD22a9TVg(<OyFs((nT=*4_O$Kdn#
zXQT>*5D_~$6ldPwYHYyNf>u~{UDj#)*hPM+BvTZx>vU+v+{e#t#Zh@pw<UMuAra)|
zV6Wt;Fjr;xc=`}y=NB`>bc>Y^xWk$D*=gU_vsJLXFHQa*l7phsclP6J(|7G^R*A#`
zjxLzJYwP*a^S_9xZ)zQb`;;~R*6oh<DI3_Ht30h5dEy2$jr`M=^=O%N)d}tqI}TOe
zKX%<}s_@?(5LfwtMFqvULO(m4nKN9Xc{K)@vS{Vk%T5{hQ#w8Oykmqv>-@2DWR4>*
zaeA81&qRd>UX1+0I0&4goC#){x^2#&vi)?F(47HLFSQ=@;Gjd_2!|oygYnI@^HXX4
zBfxcmYc{&PsXa}kdk3JcMjx|RL|*wduxN*_(Y)Fh+{N#ltX3=L7)tRcJd`s(ClC#z
z$6HQappr}HgNL?bX`A&lAYmx?#OrqTKVon5#M4cJhqnl582-I>$v89RiAJiKCs+AF
ziuNGT7{?w6QiR?dY-IX!Eml;yX;XbhgNe|C)43eytm%AA5u3V17J=@gf3~C#Z(wfq
zD9hlN|7iuFwt{9j8`8{(`O<XeZI(bTHJ9He+-Kb%qghBTD8o7Sjd2}RGo6YM8Nw3x
zYOREdnx#RSca+)v3!oJxVwvna*DlYx{IJNjiUza6r{QCYyD8v`BuFvdwQ(Fdpszc(
z{4G2wD~0F}9d9s%(h|qVM>$%!IZh5rKO6+w7R^7+hnl3fLo%^T=Ccj>FYt%Pepab8
z30k+rg$A|oLy~3D7js<t<q+EJ?AWDowM&p!%%o<O!%bHs?<s#MZkSJ)Hj={%NK0P6
z1Nl|-;Sohu%F8)hmX}-r2ZUNRl%3{WENa6nA&*EXaQL~k^~)|vmEO&!+n12#MBf#A
zckWG>*pZ3?u!j!ZOx}!}lsbgP2LtEtcMoak_wMefhO3`}cfa%gdyeFPpWFO@g#ODa
zaq5b&bY@gKfoVFa51d&K@ZW$0W*0J$>mm?2Vm4OSf<$x%Z;d=kE^GwD{rp83j4Tcz
zW9x&gKiG!O|BC};1a>jBx<Uz&eyaDv>)IW5b$bm!WZs>p_rj~IS{$}%)NZOQR3bS*
zWp+)6X}krT0t=ENHj_~_e)&|<43!7p#&Ouz-5!sVR$~kUZXMxUnLvqheb4RYzs?O_
z;w-e0oynlqwirF?T+K*)Z`L*=`UrCgsdYSXXinhvIaomiM+-wWkNVf>XxuH5kV$SA
zCMAUSM^^FtBO_~NiHPl?y{5xLhAq}@FL@SzU$*MWGo+qx8;Sg~8g9~Ra2F(R^17dP
zy+4!PvO(u-1MgoPc8coFgYF5-nJ+&z{}T;u1a;!|hVzm?_nW#GJ)TR$418E+-p;$+
z$+!xbjMy7>K=TBd-w4J4S3k)P=VKGLdCf}fbH2kBJVYAWYrxp~;_vAxoIkfUswFyH
z5xy-vxRTjv>Z(2DLeWT<-OBeRfTXQ=q*6yztR9gmX$y>OsNzB98~*w~iA$~W8`kNm
zci&C|ubriaetuiUtt$IozIoGPyHB<vtooIrnA&mPRHhtI`6n{dC|<pg9ALw-`h3Un
zNrvyn(Glwf(&Z>~_o8=mw!?MOeZodHUJg0m@c#A~X3oT`e}KLh`=(B^!h=+a2PKqw
zwIGK`If+A9+TZgedd-M_9eT-&DBCnN3F!w4eF8825wFhD%)e}L2?IS;fhy5iy6!8-
z(lFSwGtp5I8P7Lvjfem>+)60_V(qQbijW3^lwxm+0UaDIXr?RP+uk3TYF!{qj|Y%>
zo5p^xM%6+74guEx`rpgc3Um4ogKk@1WALKl36M2DTEr%ghHWzzK-Lo5bOfU07I(eO
z=VqDjhL*gyqkzR*+bWGI>RyrI3Z(&cY_pIz#Svr^_sK%{LTNxOZgtmobooIOKtIsI
zSe1(Lf<4#FTj?L>%S+XF)Hl%UWj}mhLyNME^0$?hPXWDZz-R&;PgEBG7XgegESI0r
zNgI83+bActaRNwpg_-?Jbn3=tp^oD!R&q*R6IxjZ7`cGaM`vWf$j=X;V{*eIHoMBc
zoC5gwUgmF62S*39R1%4hR*b^Q-w#*G_8~hFt($d3aHZ@AdZ_PL&3fMcL#LrAA+O(*
z7e=;k5&ex)Z`|tU&na~mLw@_&v1oYoh-8oBm+c0FvQt;zTDzRTo0yq8>9L9x;MR~s
z4t4#Y1sn6PZ8Mnlh}WDSWkOmC&|=PKt(FJBa@`i;uYp<p_`Djf;e)`rt#>sh2U*fW
zP!Y8*>f?t_3mrxQ&LXxM4qV%Mg&)drr@fM#ZFJB&eJVt!ZBc4$)qyv&l~Kn12wc&R
zv#Bs{(2(=()~MoMIZ`UyalL(gbL`~xC%ha5#uYC5HG&rkwgb~g#&idN+qN+lKgUwF
z<Jv28zGn3Eqv9oU1pN|VVEyqyK0A{lH19<EpSmvXX7`%2N*Ws37y8L1L9l+G>VZ1z
zvt&Z3Nq#&HNL>?M(}cg52SnYnPQU!i+xsp(9!QXG8xT*MXV@_jpn~)1YUcD)q@U>4
zLCkw#$S(%(BVcE4M|0i6^Mju**8QE*vddc<+Uj1r(ecPdnNN`%y&^ev=Mk#Q0oA=*
zX{UFQdM10YRNe5!TqHSPDA<)M{FR&2*VYI#4a&}LcTt-vyVu@$dfU1KpL+sQ#dXV$
z#f-{)_xmY(_QlRGz7D)>s6-l2y0?y%cfyzI`4&MBnWSr;h<3O)h*a-7Q_Ai5#;qk9
zk!7d(wbdWih9}~s-wkr8OaIX~z_oGweCN5!2s-!zB2D@2%9C|ZwVzhyI`B)b{)4=?
z@aQ#h!JLYAOnCZ8uD-_H4OP$cgN;5sU(N5C4RZKShCOz4&VjYAP|o)D2mH<-^^hO<
z=Iv9EE~!QeeD>m7db~m2qhIb1Oo?w>vkkz=&qbE!aLxZPNk1bhu!_TPY$G(xqG#5f
z1G_RTEZqL5BcFtS=i`X!{r}1F0mkv4Ivi-$Gs_W@|9xuK;sfU*|NY-e8Zk1s$M)uo
zz<aGxqeg(w`zaoP)A6YL>4aprIxo@3oK6PMt@|_`e`S=)<gu7+>Y~7Tf<6%%!$7{-
zR*MJkBmK@$OGH!${7d@1eE^g!f61}jOyg@l#2D<?SifbG9$oy!qHex784XAgT?%Z8
zL;GYc9!2B4fS8p&h83VTexXxqeRSy(&~pVK-vNlsb>g3c?PlhMj*;b4Zy?4SK$gK#
z7YHgH$ZJ4s6%X?4XZZiLRSMiZQgROuPM2&{4|3WNm=>PZREl(jp>MoP4M_q|;#(J5
z=XdYoKrX#tq@gWxv`V~gTHNO7bnKIX?mcrtyEUQNYyb4b5WObd1Lal&X8|`Oz3wg|
zeRX9NVwg0|gA~WN7gv@YYRkyQq4_$@ij8vApMa&5h5_4PPC^`Ru`bi$rev<JRQ4{Y
z$W8JBXaX7qU<-7IL4xj2B96K|R8Q`woeMux?Rerlm}j1j4H6aKbCri*ow7Z1-93j@
zWjxpjhg`6|;i^ggI@~P;E*fQ)`4#`A<&dZuRbPjRSjzpU#p^(e^FAH^s{4Hps0cvm
z=FHybe^P{UlAkdOoF`@1Lpsu0T2y`$a0~G>vLiF%3&}FjR895AS5q5{bv%_oy3t>*
z+$jE5IyyMQ>(a+t(%B(?uFy`c(C-eq#X@FD6-=Xk7hpaA0%Y)*FISG2O<<STs0UI9
zUj}U)?QvFW;>?8Jt-clFs8j?$=cp5qrcwijh1AMV*SH{V`gNH_8t_DpAe?^Dd~mf3
zDv<K_@(nso6gd}U;8Qdt(jGBDY1HkC_X8IBWH?_1n(toA7f;kI%U)Zt0s^w@4D(QP
z++ALk<Zx9mp2g6S23zmHC9frk&s#|dv7=>Q4>6ZP?4#)43^~XRH@pH|B*H0Puw!oi
zSo5mand|)9dcGtHvFa&L0^TJ@A2o*^xF%!1Xt?r+G*pJBKAQegiV3>3$prF`BfrL#
zMVa>~>oHpNhn~-kRWk=G4R`HI9ymB?!$RuddpST)w`U?=7HaU)Snb7fB26c?VWnWX
z1wXHmI%EU{d0B3YNBL?=T4tiI!EZozyDuJyOjI-M#g|K$o=Qz8YW}+7Sa{&L#0p)x
zhTEPc>vh+XzBS8a>hLZLue2TVl{V-d9(_jtcfYv@fTcRvpyCcBG?+cFdqTKlA$Xcw
zdOOTPsSJILPK9SKCYw(?Yd$<I$%t+-c*VJf&P7m8lhpo?POil->2r-!t=qCXnw6U7
z%ChWc&I_7|TV<BcV`@|LMun3Uk&I9j#nq;EBQvX2AgraCQzSJsl#82&nF7lc6czFY
zCLtLL0)ppfpYu6?!1)v2=kvbL_kEu4MSiF2j@B)if`57YEx`7NI6=$3qZIXzi~^fu
zVyWcaE87$s<Daw-uWOx^#wung_`fH^10F_JcO7mK`I}E(x(uVubS&l^N&mlArzb+W
z^aYbnHuQyXin;?cnog$$4%l@1P3Nu5!^VRkW24Fu{8A8kF|LT>;yu57@e_j@l2P*&
z8DH!;(}1h%1~2;UIAWZ>ocSR&57?K$3U!#7*9IhJ&&;fzor=*LY$!^FZ(dD3IS&<L
z8jXPY%IkOTjLUK?7vDN#QDNSCHT`<5s>#Ewo7HI5BV+|!bk03UxrUcj$Y%uV_Sz`!
z8*J@Q$s^))pPGCa_)qv?Xhpa`AHVBHyNzbZ$gox9BH(JyW*9wEWvJ(*h#yMQUaYR7
zZ3KD$O$SgG9dkfTFX|s1+QMEb8)QGR{$-`?j4L31cZlp8!8Y8vlJWP2K4fsvr8+{S
zL4Vh(m2fLxe`~eMgDQDsXs`Iy)q~p5s}!U_@#p%u+MGOW?nml?9C@Zu+KW+{(68!k
z70-E+Wkzhz>G)Ua$GbNpLy8zB+7WVw5+1{K-Hs|yY{uAf#HvAh23bcYmLfP!n>&%l
zk%;8HDI~OP!V0ny)B@iMY=LDTGr6`7(l)xR<z@lc(pMI3_9Xd_4*_)KBSf*R;y#E$
zQQG5Nt*xHK`Gwj2C~rRAc4al}4AipfD^rp_=7m$i2lJ$SrcZYrYI~ra?jh8gGaE+x
zZ(>d%ReaMS4Yv88%pLvEiJJkOMqt3TmZ_CumHiL3s;$km%4RPPtk_%ay#-L1XV1UT
z=0NZDh3bwcE)>*GVy+9A-_V+|>LnoK^#iToz7djUihnqJ*#%=}IR42=qa4aweU0VP
zDd~}x>Co>dHLDr6V#ppox^_xB8FC!R7)j2J74~kpJ4<Q`^cXFn?<K*SIO$%CUY>-(
z9yx@<tvhX@@$5Z^YmqpG`xoa56_|Q&_+@N>B98czRM8i@zu+w6t7o%uyR;IkJED3<
zVR2%v??WY=F_bjP^`Sm^K`qz#`fVy2X3@jBA;}@*N9zV*`y(*})2Te4XH2b};DC#a
z`Z^cgmhHiIwx+CEvr}>TK?NaAqcZzeKOw=yYEIU%5qtkFMq!S>nN>7y5(Vedv<NQ(
za)GCQ7^^vf5+N>LN7#*O)n#V(88v$;XyFckEAzZqTto@Srvm+2hc=tw`QT-6|8nq>
zdh`?njHm@Ww{H1!zE-WrUiM0cc7koIrk&8vv8YYx6cJB(4(Yg7iJ#+N^o5%GG;`JT
zhXS65`Y}J%q1fv&dsUauwU4L2or$_S9EL1frNZMvN)1ihF$r{b=u#kd0Wz?j+8VZh
zNs1qM6|3P_Yr*j0^NuMRc6*cbX<kmy1wa`Wgg@jDKf>B{?bPl9ligEgI3z>hN_3~F
zezNa|L?K+BFA#BFqxM$O_(bmEbiz^Y(}4LTIPpGmt9YiL%C8)n_w@RvZt69=L~;q9
zshKn=MLoiu><m>_X)@0z+e=H;_bM|H(F-$k2f6bW2RM#pUia8GV)4}zAB>$db2-p=
z@ce0B?bjv{=r3UK<Tq-Qp3M<)nzcQj<n+0uvpH$E*=KjNzke-jsV@1OkwN-M?Ae`n
z<eoG&wP<6C`)(Rq$s8dymQfdKz>nQkb7N@8%6?9ud@yapzzr>VB?*D4+0;5J+G;t8
zXty0Ww54b&>O(Dj)=ie}m#kK3k-@JY#EtPdhY?j?va_(X^f<n!dnsF#bH(6C(S`X2
z6K#@oV|@fHJ@p}Vd>dud`vaLKioBtSqlFw4SQax1b$dx-fob1~S|s~e;xtDH&x)5t
z&0|w%CFEDzRKa7?6XMy?jNAkcw}SguICRVY*z|Q2;>1H&T9!HITh@v)uYC3!xW|ol
zRy^0A80~C|3szmnvzUQ!)`(&$$h?sV)MdpPBQeGxX9d07gN8Wkz?&K16%pGHDw{nb
zcer#h22#1hO~Nd*b7jN*<0PqwwH?Xb!pr%@&vu7afge2~45rJRFlmj~Q~`iC?={I-
zX4Se(ywy^<i@<9T980V=E5Eyw{)}+*b5jFluTp%Qj<sz~Xb`$|^yB<2N@<cDg)tmi
z@~X*`TE?!iE^^z{Y8OLyD7TR#%Il#KM19v3y@qQpD$(X<05Z_ii3^R3oyDVo#wgSx
zE3Fm(oG!IBULAbWi5*L~sTO3xp}kn)h$Ay|Q$WGEbU&Q!3N6Kw;RvS}>b<#+H}LzK
z)lc<5pb9+s^wVu{ku#1LgmJtlejaC(_)U?Ft3V46MuACDFOTCS;abD=N!;7gQ$5n?
z+0Wp0Dlnwjiw53|gp&_3lrg9V`H$H(=BJgPR-g)#a+0pS{mcaFfhzWC9B9-2;iCu}
z<L8E78@`Mz>Kh16;ifNE<b3roB@XwA{E7h!l^7p(B*Y%>_KaN}GFB~;`*OXy<ytHT
z>XuxDFiO=~zsmwF3Nct?Hmcpe!dRt5&!hd1WkSWZv{xx<z7)PUc)8d-LGZg6xzdy%
zm0Pj`f5XFWv<l`<!7z&H^)nAgP7;PXg`bXWN~Z`>X;9%V!TiWR3)2|hgDU*PG_S`(
zc<Loerf?Q68i_X~oGj`vG1)R1;BvY!2vAyFAF<WDVSdyc|LuH8yGnUH{6SuPcUnZ&
z2J4fA`nprddMqkYm02X@zPlAVzV@P4e&}082B|Mbg4ud%!_RT3LEwE%pZ70UX3ye|
z>CU;k9SSh=33z|^eq``*m+6i&o3yErEKV-Dor6Ta5hMVhlKk-%M>pyL^Ow6-OQZV9
zqyk1J^@6SZu3TsO(Ff0n=J!fc{kKvumsCYlVkZQ{J+4t<{LXB5n<JpF=N8;*fCaY`
zVsrunnMYX@+van@i{hh6u1=@j)7G1feW@KIB8jml)3i^n_@*-6y-V|9Zdr@tM%SiG
zdt}jK8QBQ_mmX|{Rz71}GUMwF1%9kBlAlzUo`-SMGILtpZgMBoBJs%jKUYXB&@o;z
zZ(5HuPS87GEt{|a+G>Ejw%mbg4tYPnw(p?)<D>5E&)B1qHXt}dU7x}4^U!|ynGyJL
zKo^!f#mAxqSyi$tqAd&02|`gvh>|H#=~F|>0rQ12c?bWVxZ}Vrlf78upqn881)6lE
zN&@5?Zu5llX2|Geo2SgXfI=yHJ(88U5c_@r9)B~%tx}zbSiBjHN5#@X`oK$?cOcPi
zAYDyVT(B(iQ0U>pL0`b;GY6h3?e-~cye4$9Qnd8rX1dlZ$yEBR?(TFgQLLYw`y~kC
zTd5}2*P0Xlq5E=^AnwEX<skF-01%&8NIGXqI-5MZ7B?s75|+8UbH0BN%XYDmc6Cu*
zIn%Et8)XwKBsbC4iX`+=9@u`(J@C$0)G;Oa5Jtt=+#b{*oe;kmt+#WHjY{@2dFp%u
zB|C`hi2$uB2`kdJf4a(OhrCqx=WJJg&1YVsI_G1F`1|~yxG_sF<)!&i`w968u}gyx
z&)-1`HR87J98F)ZXuuyjyOAPnc+sx+Jks^F*3NA(TQw;>Ii3*5Y@gzoXW_j7Q_z|L
zA*H9SqWjgs3dy~*dQuhdd0jy-%aKDhzC2)vDK#0`5s->s2>bKJzduSM4<MYH)RjXy
z<Tvc+Y2xTm$#0@ZM%)46MHDJi$+Vs-+*S|^01V)n6*Wk4pu7|NZ5{4Z7M8ey61Ii^
z{+Y85bnD5)(zbCb;k@6v7T0jYSmz@h7IeWrVDlO38~X9Nt3EBV_qh%rd&TW93m8!F
lmqptD5<>?UY8KXm9^bbM^;r@Ce7r#?0{(rp=J1&-{{ihIOz;2z

literal 0
HcmV?d00001

diff --git a/example/network/lwip_https/inc/https_example.h b/example/network/lwip_https/inc/https_example.h
new file mode 100644
index 00000000..3fec7962
--- /dev/null
+++ b/example/network/lwip_https/inc/https_example.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright : (C) 2023 Phytium Information Technology, Inc.
+ * All Rights Reserved.
+ * 
+ * This program is OPEN SOURCE software: you can redistribute it and/or modify it
+ * under the terms of the Phytium Public License as published by the Phytium Technology Co.,Ltd,
+ * either version 1.0 of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Phytium Public License for more details.
+ * 
+ * 
+ * FilePath: https_example.h
+ * Created Date: 2024-9-29 16:00:10
+ * Last Modified: 2024-09-29 15:52:28
+ * Description:  This file is for https example function definition.
+ * 
+ * Modify History:
+ *  Ver      Who         Date               Changes
+ * -----  ----------   --------  ---------------------------------
+ *  1.0   huangjin     2024/9/29          first release
+ */
+#ifndef  HTTPS_EXAMPLE_H
+#define  HTTPS_EXAMPLE_H
+
+/***************************** Include Files *********************************/
+#include "ftypes.h"
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/************************** Constant Definitions *****************************/
+
+/**************************** Type Definitions *******************************/
+
+/************************** Variable Definitions *****************************/
+
+/***************** Macros (Inline Functions) Definitions *********************/
+
+/************************** Function Prototypes ******************************/
+/* entry function for https example */
+int FFreeRTOSHttpsTaskCreate(void);
+void HttpsTestDeinit(void);
+#ifdef __cplusplus
+}
+#endif
+
+#endif
\ No newline at end of file
diff --git a/example/network/lwip_https/main.c b/example/network/lwip_https/main.c
new file mode 100644
index 00000000..d0553aa6
--- /dev/null
+++ b/example/network/lwip_https/main.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright : (C) 2023 Phytium Information Technology, Inc.
+ * All Rights Reserved.
+ * 
+ * This program is OPEN SOURCE software: you can redistribute it and/or modify it
+ * under the terms of the Phytium Public License as published by the Phytium Technology Co.,Ltd,
+ * either version 1.0 of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Phytium Public License for more details.
+ * 
+ * 
+ * FilePath: main.c
+ * Created Date: 2024-09-29 18:26:15
+ * Last Modified: 2024-09-29 11:47:17
+ * Description:  This file is for https example main functions.
+ * 
+ * Modify History:
+ *  Ver      Who         Date               Changes
+ * -----  ----------   --------  ---------------------------------
+ *  1.0   huangjin     2024/9/29          first release
+ */
+
+#include <stdio.h>
+#include "FreeRTOS.h"
+#include "task.h"
+#include "lwip/tcpip.h"
+#include "sdkconfig.h"
+#ifdef CONFIG_USE_LETTER_SHELL
+#include "shell_port.h"
+#else
+#include "https_example.h"
+
+#define LWIP_HTTPS_EXAMPLE_TASK_PRIORITY 2
+
+void HttpsExampleTaskEntry()
+{
+    /* example functions */
+    FFreeRTOSHttpsTaskCreate();
+    HttpsTestDeinit();
+    
+    /* end flag */
+    printf("[test_end]\r\n");
+    vTaskDelete(NULL);
+}
+#endif
+
+int main(void)
+{
+    BaseType_t ret = pdPASS; /* 定义一个创建信息返回值，默认为 pdPASS */
+
+#ifdef CONFIG_USE_LETTER_SHELL
+    ret = LSUserShellTask();
+#else
+    /* used in no-letter-shell mode */
+    ret = xTaskCreate((TaskFunction_t)HttpsExampleTaskEntry,    /* 任务入口函数 */
+                      (const char *)"HttpsExampleTaskEntry",    /* 任务名字 */
+                      4096,                          /* 任务栈大小 */
+                      NULL,                                    /* 任务入口函数参数 */
+                      (UBaseType_t)LWIP_HTTPS_EXAMPLE_TASK_PRIORITY, /* 任务优先级 */
+                      NULL);                                   /* 任务句柄 */
+#endif
+    if (ret != pdPASS)
+    {
+        goto FAIL_EXIT;
+    }
+    
+    tcpip_init(NULL, NULL);
+    /* 启动任务，开启调度 */
+    vTaskStartScheduler(); 
+    while (1); /* 正常不会执行到这里 */
+
+FAIL_EXIT:
+    printf("Failed,the ret value is 0x%x. \r\n", ret);
+    return -2;
+}
\ No newline at end of file
diff --git a/example/network/lwip_https/makefile b/example/network/lwip_https/makefile
new file mode 100644
index 00000000..01747b88
--- /dev/null
+++ b/example/network/lwip_https/makefile
@@ -0,0 +1,28 @@
+PROJECT_DIR = $(CURDIR)
+FREERTOS_SDK_DIR = $(CURDIR)/../../../
+
+# # 设置启动镜像名
+BOOT_IMG_NAME      ?= freertos
+
+USER_CSRC := main.c
+USER_CSRC += $(wildcard  src/*.c)
+
+USER_INCLUDE := $(PROJECT_DIR)	\
+				$(PROJECT_DIR)/inc
+
+include $(FREERTOS_SDK_DIR)/tools/makeall.mk
+
+# 用户定义的编译目标文件上传路径 
+ifeq ($(OS),Windows_NT)
+USR_BOOT_DIR		?= /d/tftpboot
+else
+USR_BOOT_DIR		?= /mnt/d/tftpboot
+endif
+
+image:
+	$(MAKE) all -j
+	@cp ./$(IMAGE_OUT_NAME).elf $(USR_BOOT_DIR)/$(BOOT_IMG_NAME).elf
+ifdef CONFIG_OUTPUT_BINARY
+	@cp ./$(IMAGE_OUT_NAME).bin $(USR_BOOT_DIR)/$(BOOT_IMG_NAME).bin
+endif
+	@ls $(USR_BOOT_DIR)/$(BOOT_IMG_NAME).* -l
\ No newline at end of file
diff --git a/example/network/lwip_https/sdkconfig b/example/network/lwip_https/sdkconfig
new file mode 100644
index 00000000..3762ee10
--- /dev/null
+++ b/example/network/lwip_https/sdkconfig
@@ -0,0 +1,606 @@
+CONFIG_USE_FREERTOS=y
+
+#
+# Arch configuration
+#
+CONFIG_TARGET_ARMv8=y
+CONFIG_ARCH_NAME="armv8"
+
+#
+# Arm architecture configuration
+#
+CONFIG_ARCH_ARMV8_AARCH64=y
+# CONFIG_ARCH_ARMV8_AARCH32 is not set
+
+#
+# Compiler configuration
+#
+CONFIG_ARM_GCC_SELECT=y
+# CONFIG_ARM_CLANG_SELECT is not set
+CONFIG_TOOLCHAIN_NAME="gcc"
+CONFIG_TARGET_ARMV8_AARCH64=y
+CONFIG_ARCH_EXECUTION_STATE="aarch64"
+CONFIG_ARM_NEON=y
+CONFIG_ARM_CRC=y
+CONFIG_ARM_CRYPTO=y
+CONFIG_ARM_FLOAT_POINT=y
+# CONFIG_GCC_CODE_MODEL_TINY is not set
+CONFIG_GCC_CODE_MODEL_SMALL=y
+# CONFIG_GCC_CODE_MODEL_LARGE is not set
+# end of Compiler configuration
+
+# CONFIG_BOOT_WITH_FLUSH_CACHE is not set
+# CONFIG_MMU_DEBUG_PRINTS is not set
+# end of Arm architecture configuration
+
+CONFIG_MMU_PAGE_SIZE=0x1000
+CONFIG_MAX_XLAT_TABLES=256
+# end of Arch configuration
+
+#
+# Soc configuration
+#
+CONFIG_TARGET_PHYTIUMPI=y
+# CONFIG_TARGET_E2000Q is not set
+# CONFIG_TARGET_E2000D is not set
+# CONFIG_TARGET_E2000S is not set
+# CONFIG_TARGET_FT2004 is not set
+# CONFIG_TARGET_D2000 is not set
+# CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
+CONFIG_SOC_NAME="phytiumpi"
+CONFIG_SOC_CORE_NUM=4
+CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
+CONFIG_F32BIT_MEMORY_LENGTH=0x80000000
+CONFIG_F64BIT_MEMORY_ADDRESS=0x2000000000
+CONFIG_F64BIT_MEMORY_LENGTH=0x800000000
+CONFIG_TARGET_E2000=y
+CONFIG_DEFAULT_DEBUG_PRINT_UART1=y
+# CONFIG_DEFAULT_DEBUG_PRINT_UART0 is not set
+# CONFIG_DEFAULT_DEBUG_PRINT_UART2 is not set
+# end of Soc configuration
+
+#
+# Board Configuration
+#
+CONFIG_BOARD_NAME="firefly"
+# CONFIG_USE_SPI_IOPAD is not set
+# CONFIG_USE_GPIO_IOPAD is not set
+# CONFIG_USE_CAN_IOPAD is not set
+# CONFIG_USE_QSPI_IOPAD is not set
+# CONFIG_USE_PWM_IOPAD is not set
+# CONFIG_USE_MIO_IOPAD is not set
+# CONFIG_USE_TACHO_IOPAD is not set
+# CONFIG_USE_UART_IOPAD is not set
+# CONFIG_USE_THIRD_PARTY_IOPAD is not set
+CONFIG_FIREFLY_DEMO_BOARD=y
+
+#
+# IO mux configuration when board start up
+#
+# end of IO mux configuration when board start up
+
+# CONFIG_CUS_DEMO_BOARD is not set
+
+#
+# Build project name
+#
+CONFIG_TARGET_NAME="lwip_https"
+# end of Build project name
+# end of Board Configuration
+
+#
+# Sdk common configuration
+#
+CONFIG_ELOG_LINE_BUF_SIZE=0x100
+# CONFIG_LOG_VERBOS is not set
+# CONFIG_LOG_DEBUG is not set
+# CONFIG_LOG_INFO is not set
+# CONFIG_LOG_WARN is not set
+CONFIG_LOG_ERROR=y
+# CONFIG_LOG_NONE is not set
+# CONFIG_LOG_EXTRA_INFO is not set
+# CONFIG_LOG_DISPALY_CORE_NUM is not set
+# CONFIG_BOOTUP_DEBUG_PRINTS is not set
+CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
+CONFIG_INTERRUPT_ROLE_MASTER=y
+# CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
+# end of Sdk common configuration
+
+#
+# Drivers configuration
+#
+CONFIG_USE_IOMUX=y
+# CONFIG_ENABLE_IOCTRL is not set
+CONFIG_ENABLE_IOPAD=y
+# CONFIG_USE_SPI is not set
+# CONFIG_USE_QSPI is not set
+CONFIG_USE_SERIAL=y
+
+#
+# Usart Configuration
+#
+CONFIG_ENABLE_Pl011_UART=y
+# end of Usart Configuration
+
+# CONFIG_USE_GPIO is not set
+CONFIG_USE_ETH=y
+
+#
+# Eth Configuration
+#
+CONFIG_ENABLE_FXMAC=y
+# CONFIG_ENABLE_FGMAC is not set
+CONFIG_FXMAC_PHY_COMMON=y
+# CONFIG_FXMAC_PHY_YT is not set
+# end of Eth Configuration
+
+# CONFIG_USE_CAN is not set
+# CONFIG_USE_I2C is not set
+# CONFIG_USE_TIMER is not set
+# CONFIG_USE_MIO is not set
+# CONFIG_USE_SDMMC is not set
+# CONFIG_USE_PCIE is not set
+# CONFIG_USE_WDT is not set
+# CONFIG_USE_DMA is not set
+# CONFIG_USE_NAND is not set
+# CONFIG_USE_RTC is not set
+# CONFIG_USE_SATA is not set
+# CONFIG_USE_ADC is not set
+# CONFIG_USE_PWM is not set
+# CONFIG_USE_IPC is not set
+# CONFIG_USE_MEDIA is not set
+# CONFIG_USE_SCMI_MHU is not set
+# CONFIG_USE_I2S is not set
+# CONFIG_USE_I3C is not set
+# end of Drivers configuration
+
+#
+# Build setup
+#
+CONFIG_CHECK_DEPS=y
+CONFIG_OUTPUT_BINARY=y
+
+#
+# Optimization options
+#
+# CONFIG_DEBUG_NOOPT is not set
+# CONFIG_DEBUG_CUSTOMOPT is not set
+CONFIG_DEBUG_FULLOPT=y
+CONFIG_DEBUG_OPT_UNUSED_SECTIONS=y
+CONFIG_DEBUG_LINK_MAP=y
+# CONFIG_CCACHE is not set
+# CONFIG_ARCH_COVERAGE is not set
+# CONFIG_LTO_FULL is not set
+# end of Optimization options
+
+#
+# Debug options
+#
+# CONFIG_DEBUG_ENABLE_ALL_WARNING is not set
+# CONFIG_WALL_WARNING_ERROR is not set
+# CONFIG_STRICT_PROTOTYPES is not set
+# CONFIG_DEBUG_SYMBOLS is not set
+# CONFIG_FRAME_POINTER is not set
+# CONFIG_OUTPUT_ASM_DIS is not set
+# CONFIG_ENABLE_WSHADOW is not set
+# CONFIG_ENABLE_WUNDEF is not set
+CONFIG_DOWNGRADE_DIAG_WARNING=y
+# end of Debug options
+
+#
+# Lib
+#
+CONFIG_USE_COMPILE_CHAIN=y
+# CONFIG_USE_NEWLIB is not set
+# CONFIG_USE_USER_DEFINED is not set
+# end of Lib
+
+# CONFIG_ENABLE_CXX is not set
+
+#
+# Linker Options
+#
+CONFIG_DEFAULT_LINKER_SCRIPT=y
+# CONFIG_USER_DEFINED_LD is not set
+CONFIG_IMAGE_LOAD_ADDRESS=0x80100000
+CONFIG_IMAGE_MAX_LENGTH=0x2000000
+CONFIG_HEAP_SIZE=1
+CONFIG_STACK_SIZE=0x400
+# end of Linker Options
+# end of Build setup
+
+#
+# Component Configuration
+#
+
+#
+# Freertos Uart Drivers
+#
+CONFIG_FREERTOS_USE_UART=y
+# end of Freertos Uart Drivers
+
+#
+# Freertos Pwm Drivers
+#
+# CONFIG_FREERTOS_USE_PWM is not set
+# end of Freertos Pwm Drivers
+
+#
+# Freertos Qspi Drivers
+#
+# CONFIG_FREERTOS_USE_QSPI is not set
+# end of Freertos Qspi Drivers
+
+#
+# Freertos Wdt Drivers
+#
+# CONFIG_FREERTOS_USE_WDT is not set
+# end of Freertos Wdt Drivers
+
+#
+# Freertos Eth Drivers
+#
+CONFIG_FREERTOS_USE_XMAC=y
+# CONFIG_FREERTOS_USE_GMAC is not set
+# end of Freertos Eth Drivers
+
+#
+# Freertos Spim Drivers
+#
+# CONFIG_FREERTOS_USE_FSPIM is not set
+# end of Freertos Spim Drivers
+
+#
+# Freertos DMA Drivers
+#
+# CONFIG_FREERTOS_USE_FDDMA is not set
+# CONFIG_FREERTOS_USE_FGDMA is not set
+# end of Freertos DMA Drivers
+
+#
+# Freertos Adc Drivers
+#
+# CONFIG_FREERTOS_USE_ADC is not set
+# end of Freertos Adc Drivers
+
+#
+# Freertos Can Drivers
+#
+# CONFIG_FREERTOS_USE_CAN is not set
+# end of Freertos Can Drivers
+
+#
+# Freertos I2c Drivers
+#
+# CONFIG_FREERTOS_USE_I2C is not set
+# end of Freertos I2c Drivers
+
+#
+# Freertos Mio Drivers
+#
+# CONFIG_FREERTOS_USE_MIO is not set
+# end of Freertos Mio Drivers
+
+#
+# Freertos Timer Drivers
+#
+# CONFIG_FREERTOS_USE_TIMER is not set
+# end of Freertos Timer Drivers
+
+#
+# Freertos Media Drivers
+#
+# CONFIG_FREERTOS_USE_MEDIA is not set
+# end of Freertos Media Drivers
+
+#
+# Freertos I2s Drivers
+#
+# CONFIG_FREERTOS_USE_I2S is not set
+# end of Freertos I2s Drivers
+# end of Component Configuration
+
+#
+# Third-party configuration
+#
+CONFIG_USE_LWIP=y
+
+#
+# LWIP Freertos Port Configuration
+#
+
+#
+# LWIP Configuration
+#
+
+#
+# LWIP Port Configuration
+#
+CONFIG_LWIP_FXMAC=y
+# CONFIG_LWIP_FGMAC is not set
+# CONFIG_LWIP_FSDIF is not set
+# end of LWIP Port Configuration
+
+# CONFIG_LWIP_NO_SYS is not set
+CONFIG_LWIP_LOCAL_HOSTNAME="phytium"
+
+#
+# LWIP_APP
+#
+# CONFIG_USE_LWIP_APP_LWIPERF is not set
+# CONFIG_USE_LWIP_APP_TFTP is not set
+# CONFIG_USE_LWIP_APP_SNTP is not set
+# end of LWIP_APP
+
+#
+# Memory configuration
+#
+# CONFIG_LWIP_USE_MEM_POOL is not set
+CONFIG_LWIP_USE_MEM_HEAP=y
+# CONFIG_LWIP_USE_MEM_HEAP_DEBUG is not set
+CONFIG_MEM_SIZE=2
+CONFIG_MEM_ALIGNMENT=64
+# end of Memory configuration
+
+#
+# Pbuf options
+#
+CONFIG_PBUF_POOL_BUFSIZE=2
+CONFIG_PBUF_POOL_SIZE=1
+# end of Pbuf options
+
+#
+# ARP
+#
+CONFIG_ARP_QUEUEING_EN=y
+# end of ARP
+
+#
+# IPV4
+#
+# CONFIG_USE_IPV4_ONLY is not set
+CONFIG_LWIP_IP4_REASSEMBLY=y
+CONFIG_LWIP_IP4_FRAG=y
+# CONFIG_LWIP_IP_FORWARD is not set
+CONFIG_IP_REASS_MAX_PBUFS=32
+# end of IPV4
+
+#
+# ICMP
+#
+CONFIG_LWIP_ICMP=y
+CONFIG_LWIP_MULTICAST_PING=y
+CONFIG_LWIP_BROADCAST_PING=y
+# end of ICMP
+
+#
+# LWIP RAW API
+#
+CONFIG_LWIP_RAW_API_EN=y
+CONFIG_LWIP_MAX_RAW_PCBS=16
+CONFIG_LWIP_RAW_RECVMBOX_SIZE=6
+# end of LWIP RAW API
+
+#
+# DHCP
+#
+CONFIG_LWIP_DHCP_ENABLE=y
+# CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set
+# CONFIG_LWIP_DHCP_GET_NTP_SRV is not set
+# CONFIG_LWIP_DHCP_DISABLE_CLIENT_ID is not set
+# CONFIG_LWIP_DHCP_RESTORE_LAST_IP is not set
+CONFIG_LWIP_DHCP_OPTIONS_LEN=68
+CONFIG_LWIP_DHCP_DISABLE_VENDOR_CLASS_ID=y
+# end of DHCP
+
+#
+# AUTOIP
+#
+# CONFIG_LWIP_AUTOIP is not set
+# end of AUTOIP
+
+#
+# IGMP
+#
+CONFIG_LWIP_IGMP_EN=y
+# end of IGMP
+
+#
+# DNS
+#
+CONFIG_LWIP_DNS_SUPPORT_MDNS_QUERIES=y
+# end of DNS
+
+#
+# UDP
+#
+CONFIG_LWIP_MAX_UDP_PCBS=16
+CONFIG_LWIP_UDP_RECVMBOX_SIZE=6
+# CONFIG_LWIP_NETBUF_RECVINFO is not set
+# end of UDP
+
+#
+# TCP
+#
+CONFIG_LWIP_TCP_WND_DEFAULT=5744
+CONFIG_LWIP_TCP_MAXRTX=12
+CONFIG_LWIP_TCP_SYNMAXRTX=12
+CONFIG_LWIP_TCP_QUEUE_OOSEQ=y
+# CONFIG_LWIP_TCP_SACK_OUT is not set
+CONFIG_LWIP_TCP_MSS=1440
+CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
+CONFIG_LWIP_TCP_OVERSIZE_MSS=y
+# CONFIG_LWIP_TCP_OVERSIZE_QUARTER_MSS is not set
+# CONFIG_LWIP_TCP_OVERSIZE_DISABLE is not set
+CONFIG_LWIP_TCP_TMR_INTERVAL=250
+CONFIG_LWIP_TCP_MSL=60000
+# CONFIG_LWIP_WND_SCALE is not set
+CONFIG_LWIP_TCP_RTO_TIME=1500
+CONFIG_LWIP_MAX_ACTIVE_TCP=16
+CONFIG_LWIP_MAX_LISTENING_TCP=16
+CONFIG_LWIP_TCP_HIGH_SPEED_RETRANSMISSION=y
+CONFIG_LWIP_TCP_RECVMBOX_SIZE=6
+# end of TCP
+
+#
+# Network_Interface
+#
+# CONFIG_LWIP_NETIF_API is not set
+# CONFIG_LWIP_NETIF_STATUS_CALLBACK is not set
+# end of Network_Interface
+
+#
+# LOOPIF
+#
+CONFIG_LWIP_NETIF_LOOPBACK=y
+CONFIG_LWIP_LOOPBACK_MAX_PBUFS=8
+# end of LOOPIF
+
+#
+# SLIPIF
+#
+# CONFIG_LWIP_SLIP_SUPPORT is not set
+# end of SLIPIF
+
+CONFIG_LWIP_TCPIP_CORE_LOCKING=y
+
+#
+# Socket
+#
+CONFIG_LWIP_MAX_SOCKETS=10
+# CONFIG_LWIP_SO_LINGER is not set
+CONFIG_LWIP_SO_REUSE=y
+CONFIG_LWIP_SO_REUSE_RXTOALL=y
+# end of Socket
+
+# CONFIG_LWIP_STATS is not set
+
+#
+# PPP
+#
+# CONFIG_LWIP_PPP_SUPPORT is not set
+CONFIG_LWIP_IPV6_MEMP_NUM_ND6_QUEUE=3
+CONFIG_LWIP_IPV6_ND6_NUM_NEIGHBORS=5
+# end of PPP
+
+#
+# Checksums
+#
+# CONFIG_LWIP_CHECKSUM_CHECK_IP is not set
+# CONFIG_LWIP_CHECKSUM_CHECK_UDP is not set
+CONFIG_LWIP_CHECKSUM_CHECK_ICMP=y
+# end of Checksums
+
+#
+# IPV6
+#
+CONFIG_LWIP_IPV6=y
+# CONFIG_LWIP_IPV6_AUTOCONFIG is not set
+CONFIG_LWIP_IPV6_NUM_ADDRESSES=3
+# CONFIG_LWIP_IPV6_FORWARD is not set
+CONFIG_LWIP_IP6_FRAG=y
+# CONFIG_LWIP_IP6_REASSEMBLY is not set
+# end of IPV6
+
+CONFIG_LWIP_DEBUG=y
+# CONFIG_LWIP_DEBUG_ESP_LOG is not set
+CONFIG_LWIP_NETIF_DEBUG=y
+# CONFIG_LWIP_PBUF_DEBUG is not set
+# CONFIG_LWIP_ETHARP_DEBUG is not set
+# CONFIG_LWIP_API_LIB_DEBUG is not set
+# CONFIG_LWIP_SOCKETS_DEBUG is not set
+# CONFIG_LWIP_IP_DEBUG is not set
+# CONFIG_LWIP_ICMP_DEBUG is not set
+# CONFIG_LWIP_DHCP_STATE_DEBUG is not set
+# CONFIG_LWIP_DHCP_DEBUG is not set
+# CONFIG_LWIP_IP6_DEBUG is not set
+# CONFIG_LWIP_ICMP6_DEBUG is not set
+# CONFIG_LWIP_TCP_DEBUG is not set
+# CONFIG_LWIP_UDP_DEBUG is not set
+# CONFIG_LWIP_SNTP_DEBUG is not set
+# CONFIG_LWIP_DNS_DEBUG is not set
+# end of LWIP Configuration
+
+#
+# Tcp/ip task resource configuration
+#
+CONFIG_LWIP_TCPIP_TASK_STACK_SIZE=3072
+CONFIG_LWIP_TCPIP_TASK_PRIO=6
+CONFIG_LWIP_TCPIP_RECVMBOX_SIZE=32
+# end of Tcp/ip task resource configuration
+
+#
+# lwip port thread Configuration
+#
+CONFIG_LWIP_PORT_USE_RECEIVE_THREAD=y
+CONFIG_LWIP_PORT_RECEIVE_THREAD_STACKSIZE=1024
+CONFIG_LWIP_PORT_RECEIVE_THREAD_PRIORITY=5
+CONFIG_LWIP_PORT_USE_LINK_DETECT_THREAD=y
+CONFIG_LWIP_PORT_LINK_DETECT_STACKSIZE=1024
+CONFIG_LWIP_PORT_LINK_DETECT_PRIORITY=5
+CONFIG_LWIP_PORT_DHCP_THREAD=y
+CONFIG_LWIP_PORT_DHCP_STACKSIZE=2048
+CONFIG_LWIP_PORT_DHCP_PRIORITY=5
+# end of lwip port thread Configuration
+# end of LWIP Freertos Port Configuration
+
+CONFIG_USE_MBEDTLS=y
+
+#
+# MBEDTLS Freertos Port Configuration
+#
+CONFIG_USE_LETTER_SHELL=y
+
+#
+# Letter Shell Configuration
+#
+CONFIG_LS_PL011_UART=y
+CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
+# end of Letter Shell Configuration
+
+# CONFIG_USE_AMP is not set
+# CONFIG_USE_YMODEM is not set
+# CONFIG_USE_SFUD is not set
+CONFIG_USE_BACKTRACE=y
+# CONFIG_USE_FATFS_0_1_4 is not set
+CONFIG_USE_TLSF=y
+# CONFIG_USE_SPIFFS is not set
+# CONFIG_USE_LITTLE_FS is not set
+# CONFIG_USE_LVGL is not set
+# CONFIG_USE_FREEMODBUS is not set
+# CONFIG_USE_CHERRY_USB is not set
+# CONFIG_USE_FSL_SDMMC is not set
+# CONFIG_USE_FSL_WIFI is not set
+# end of Third-party configuration
+
+#
+# FreeRTOS Kernel Configuration
+#
+CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
+CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
+CONFIG_FREERTOS_MAX_PRIORITIES=32
+CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
+CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
+CONFIG_FREERTOS_THREAD_LOCAL_STORAGE_POINTERS=1
+CONFIG_FREERTOS_MINIMAL_TASK_STACKSIZE=1024
+CONFIG_FREERTOS_MAX_TASK_NAME_LEN=32
+CONFIG_FREERTOS_TIMER_TASK_PRIORITY=1
+CONFIG_FREERTOS_TIMER_TASK_STACK_DEPTH=2048
+CONFIG_FREERTOS_TIMER_QUEUE_LENGTH=10
+CONFIG_FREERTOS_QUEUE_REGISTRY_SIZE=0
+CONFIG_FREERTOS_GENERATE_RUN_TIME_STATS=y
+CONFIG_FREERTOS_USE_TRACE_FACILITY=y
+CONFIG_FREERTOS_USE_STATS_FORMATTING_FUNCTIONS=y
+# CONFIG_FREERTOS_USE_TICKLESS_IDLE is not set
+CONFIG_FREERTOS_TOTAL_HEAP_SIZE=10240
+CONFIG_FREERTOS_TASK_FPU_SUPPORT=1
+# CONFIG_FREERTOS_USE_POSIX is not set
+# end of FreeRTOS Kernel Configuration
diff --git a/example/network/lwip_https/sdkconfig.h b/example/network/lwip_https/sdkconfig.h
new file mode 100644
index 00000000..aefa7778
--- /dev/null
+++ b/example/network/lwip_https/sdkconfig.h
@@ -0,0 +1,536 @@
+#ifndef SDK_CONFIG_H__
+#define SDK_CONFIG_H__
+
+#define CONFIG_USE_FREERTOS
+
+/* Arch configuration */
+
+#define CONFIG_TARGET_ARMv8
+#define CONFIG_ARCH_NAME "armv8"
+
+/* Arm architecture configuration */
+
+#define CONFIG_ARCH_ARMV8_AARCH64
+/* CONFIG_ARCH_ARMV8_AARCH32 is not set */
+
+/* Compiler configuration */
+
+#define CONFIG_ARM_GCC_SELECT
+/* CONFIG_ARM_CLANG_SELECT is not set */
+#define CONFIG_TOOLCHAIN_NAME "gcc"
+#define CONFIG_TARGET_ARMV8_AARCH64
+#define CONFIG_ARCH_EXECUTION_STATE "aarch64"
+#define CONFIG_ARM_NEON
+#define CONFIG_ARM_CRC
+#define CONFIG_ARM_CRYPTO
+#define CONFIG_ARM_FLOAT_POINT
+/* CONFIG_GCC_CODE_MODEL_TINY is not set */
+#define CONFIG_GCC_CODE_MODEL_SMALL
+/* CONFIG_GCC_CODE_MODEL_LARGE is not set */
+/* end of Compiler configuration */
+/* CONFIG_BOOT_WITH_FLUSH_CACHE is not set */
+/* CONFIG_MMU_DEBUG_PRINTS is not set */
+/* end of Arm architecture configuration */
+#define CONFIG_MMU_PAGE_SIZE 0x1000
+#define CONFIG_MAX_XLAT_TABLES 256
+/* end of Arch configuration */
+
+/* Soc configuration */
+
+#define CONFIG_TARGET_PHYTIUMPI
+/* CONFIG_TARGET_E2000Q is not set */
+/* CONFIG_TARGET_E2000D is not set */
+/* CONFIG_TARGET_E2000S is not set */
+/* CONFIG_TARGET_FT2004 is not set */
+/* CONFIG_TARGET_D2000 is not set */
+/* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
+#define CONFIG_SOC_NAME "phytiumpi"
+#define CONFIG_SOC_CORE_NUM 4
+#define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
+#define CONFIG_F32BIT_MEMORY_LENGTH 0x80000000
+#define CONFIG_F64BIT_MEMORY_ADDRESS 0x2000000000
+#define CONFIG_F64BIT_MEMORY_LENGTH 0x800000000
+#define CONFIG_TARGET_E2000
+#define CONFIG_DEFAULT_DEBUG_PRINT_UART1
+/* CONFIG_DEFAULT_DEBUG_PRINT_UART0 is not set */
+/* CONFIG_DEFAULT_DEBUG_PRINT_UART2 is not set */
+/* end of Soc configuration */
+
+/* Board Configuration */
+
+#define CONFIG_BOARD_NAME "firefly"
+/* CONFIG_USE_SPI_IOPAD is not set */
+/* CONFIG_USE_GPIO_IOPAD is not set */
+/* CONFIG_USE_CAN_IOPAD is not set */
+/* CONFIG_USE_QSPI_IOPAD is not set */
+/* CONFIG_USE_PWM_IOPAD is not set */
+/* CONFIG_USE_MIO_IOPAD is not set */
+/* CONFIG_USE_TACHO_IOPAD is not set */
+/* CONFIG_USE_UART_IOPAD is not set */
+/* CONFIG_USE_THIRD_PARTY_IOPAD is not set */
+#define CONFIG_FIREFLY_DEMO_BOARD
+
+/* IO mux configuration when board start up */
+
+/* end of IO mux configuration when board start up */
+/* CONFIG_CUS_DEMO_BOARD is not set */
+
+/* Build project name */
+
+#define CONFIG_TARGET_NAME "lwip_https"
+/* end of Build project name */
+/* end of Board Configuration */
+
+/* Sdk common configuration */
+
+#define CONFIG_ELOG_LINE_BUF_SIZE 0x100
+/* CONFIG_LOG_VERBOS is not set */
+/* CONFIG_LOG_DEBUG is not set */
+/* CONFIG_LOG_INFO is not set */
+/* CONFIG_LOG_WARN is not set */
+#define CONFIG_LOG_ERROR
+/* CONFIG_LOG_NONE is not set */
+/* CONFIG_LOG_EXTRA_INFO is not set */
+/* CONFIG_LOG_DISPALY_CORE_NUM is not set */
+/* CONFIG_BOOTUP_DEBUG_PRINTS is not set */
+#define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
+#define CONFIG_INTERRUPT_ROLE_MASTER
+/* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
+/* end of Sdk common configuration */
+
+/* Drivers configuration */
+
+#define CONFIG_USE_IOMUX
+/* CONFIG_ENABLE_IOCTRL is not set */
+#define CONFIG_ENABLE_IOPAD
+/* CONFIG_USE_SPI is not set */
+/* CONFIG_USE_QSPI is not set */
+#define CONFIG_USE_SERIAL
+
+/* Usart Configuration */
+
+#define CONFIG_ENABLE_Pl011_UART
+/* end of Usart Configuration */
+/* CONFIG_USE_GPIO is not set */
+#define CONFIG_USE_ETH
+
+/* Eth Configuration */
+
+#define CONFIG_ENABLE_FXMAC
+/* CONFIG_ENABLE_FGMAC is not set */
+#define CONFIG_FXMAC_PHY_COMMON
+/* CONFIG_FXMAC_PHY_YT is not set */
+/* end of Eth Configuration */
+/* CONFIG_USE_CAN is not set */
+/* CONFIG_USE_I2C is not set */
+/* CONFIG_USE_TIMER is not set */
+/* CONFIG_USE_MIO is not set */
+/* CONFIG_USE_SDMMC is not set */
+/* CONFIG_USE_PCIE is not set */
+/* CONFIG_USE_WDT is not set */
+/* CONFIG_USE_DMA is not set */
+/* CONFIG_USE_NAND is not set */
+/* CONFIG_USE_RTC is not set */
+/* CONFIG_USE_SATA is not set */
+/* CONFIG_USE_ADC is not set */
+/* CONFIG_USE_PWM is not set */
+/* CONFIG_USE_IPC is not set */
+/* CONFIG_USE_MEDIA is not set */
+/* CONFIG_USE_SCMI_MHU is not set */
+/* CONFIG_USE_I2S is not set */
+/* CONFIG_USE_I3C is not set */
+/* end of Drivers configuration */
+
+/* Build setup */
+
+#define CONFIG_CHECK_DEPS
+#define CONFIG_OUTPUT_BINARY
+
+/* Optimization options */
+
+/* CONFIG_DEBUG_NOOPT is not set */
+/* CONFIG_DEBUG_CUSTOMOPT is not set */
+#define CONFIG_DEBUG_FULLOPT
+#define CONFIG_DEBUG_OPT_UNUSED_SECTIONS
+#define CONFIG_DEBUG_LINK_MAP
+/* CONFIG_CCACHE is not set */
+/* CONFIG_ARCH_COVERAGE is not set */
+/* CONFIG_LTO_FULL is not set */
+/* end of Optimization options */
+
+/* Debug options */
+
+/* CONFIG_DEBUG_ENABLE_ALL_WARNING is not set */
+/* CONFIG_WALL_WARNING_ERROR is not set */
+/* CONFIG_STRICT_PROTOTYPES is not set */
+/* CONFIG_DEBUG_SYMBOLS is not set */
+/* CONFIG_FRAME_POINTER is not set */
+/* CONFIG_OUTPUT_ASM_DIS is not set */
+/* CONFIG_ENABLE_WSHADOW is not set */
+/* CONFIG_ENABLE_WUNDEF is not set */
+#define CONFIG_DOWNGRADE_DIAG_WARNING
+/* end of Debug options */
+
+/* Lib */
+
+#define CONFIG_USE_COMPILE_CHAIN
+/* CONFIG_USE_NEWLIB is not set */
+/* CONFIG_USE_USER_DEFINED is not set */
+/* end of Lib */
+/* CONFIG_ENABLE_CXX is not set */
+
+/* Linker Options */
+
+#define CONFIG_DEFAULT_LINKER_SCRIPT
+/* CONFIG_USER_DEFINED_LD is not set */
+#define CONFIG_IMAGE_LOAD_ADDRESS 0x80100000
+#define CONFIG_IMAGE_MAX_LENGTH 0x2000000
+#define CONFIG_HEAP_SIZE 1
+#define CONFIG_STACK_SIZE 0x400
+/* end of Linker Options */
+/* end of Build setup */
+
+/* Component Configuration */
+
+/* Freertos Uart Drivers */
+
+#define CONFIG_FREERTOS_USE_UART
+/* end of Freertos Uart Drivers */
+
+/* Freertos Pwm Drivers */
+
+/* CONFIG_FREERTOS_USE_PWM is not set */
+/* end of Freertos Pwm Drivers */
+
+/* Freertos Qspi Drivers */
+
+/* CONFIG_FREERTOS_USE_QSPI is not set */
+/* end of Freertos Qspi Drivers */
+
+/* Freertos Wdt Drivers */
+
+/* CONFIG_FREERTOS_USE_WDT is not set */
+/* end of Freertos Wdt Drivers */
+
+/* Freertos Eth Drivers */
+
+#define CONFIG_FREERTOS_USE_XMAC
+/* CONFIG_FREERTOS_USE_GMAC is not set */
+/* end of Freertos Eth Drivers */
+
+/* Freertos Spim Drivers */
+
+/* CONFIG_FREERTOS_USE_FSPIM is not set */
+/* end of Freertos Spim Drivers */
+
+/* Freertos DMA Drivers */
+
+/* CONFIG_FREERTOS_USE_FDDMA is not set */
+/* CONFIG_FREERTOS_USE_FGDMA is not set */
+/* end of Freertos DMA Drivers */
+
+/* Freertos Adc Drivers */
+
+/* CONFIG_FREERTOS_USE_ADC is not set */
+/* end of Freertos Adc Drivers */
+
+/* Freertos Can Drivers */
+
+/* CONFIG_FREERTOS_USE_CAN is not set */
+/* end of Freertos Can Drivers */
+
+/* Freertos I2c Drivers */
+
+/* CONFIG_FREERTOS_USE_I2C is not set */
+/* end of Freertos I2c Drivers */
+
+/* Freertos Mio Drivers */
+
+/* CONFIG_FREERTOS_USE_MIO is not set */
+/* end of Freertos Mio Drivers */
+
+/* Freertos Timer Drivers */
+
+/* CONFIG_FREERTOS_USE_TIMER is not set */
+/* end of Freertos Timer Drivers */
+
+/* Freertos Media Drivers */
+
+/* CONFIG_FREERTOS_USE_MEDIA is not set */
+/* end of Freertos Media Drivers */
+
+/* Freertos I2s Drivers */
+
+/* CONFIG_FREERTOS_USE_I2S is not set */
+/* end of Freertos I2s Drivers */
+/* end of Component Configuration */
+
+/* Third-party configuration */
+
+#define CONFIG_USE_LWIP
+
+/* LWIP Freertos Port Configuration */
+
+/* LWIP Configuration */
+
+/* LWIP Port Configuration */
+
+#define CONFIG_LWIP_FXMAC
+/* CONFIG_LWIP_FGMAC is not set */
+/* CONFIG_LWIP_FSDIF is not set */
+/* end of LWIP Port Configuration */
+/* CONFIG_LWIP_NO_SYS is not set */
+#define CONFIG_LWIP_LOCAL_HOSTNAME "phytium"
+
+/* LWIP_APP */
+
+/* CONFIG_USE_LWIP_APP_LWIPERF is not set */
+/* CONFIG_USE_LWIP_APP_TFTP is not set */
+/* CONFIG_USE_LWIP_APP_SNTP is not set */
+/* end of LWIP_APP */
+
+/* Memory configuration */
+
+/* CONFIG_LWIP_USE_MEM_POOL is not set */
+#define CONFIG_LWIP_USE_MEM_HEAP
+/* CONFIG_LWIP_USE_MEM_HEAP_DEBUG is not set */
+#define CONFIG_MEM_SIZE 2
+#define CONFIG_MEM_ALIGNMENT 64
+/* end of Memory configuration */
+
+/* Pbuf options */
+
+#define CONFIG_PBUF_POOL_BUFSIZE 2
+#define CONFIG_PBUF_POOL_SIZE 1
+/* end of Pbuf options */
+
+/* ARP */
+
+#define CONFIG_ARP_QUEUEING_EN
+/* end of ARP */
+
+/* IPV4 */
+
+/* CONFIG_USE_IPV4_ONLY is not set */
+#define CONFIG_LWIP_IP4_REASSEMBLY
+#define CONFIG_LWIP_IP4_FRAG
+/* CONFIG_LWIP_IP_FORWARD is not set */
+#define CONFIG_IP_REASS_MAX_PBUFS 32
+/* end of IPV4 */
+
+/* ICMP */
+
+#define CONFIG_LWIP_ICMP
+#define CONFIG_LWIP_MULTICAST_PING
+#define CONFIG_LWIP_BROADCAST_PING
+/* end of ICMP */
+
+/* LWIP RAW API */
+
+#define CONFIG_LWIP_RAW_API_EN
+#define CONFIG_LWIP_MAX_RAW_PCBS 16
+#define CONFIG_LWIP_RAW_RECVMBOX_SIZE 6
+/* end of LWIP RAW API */
+
+/* DHCP */
+
+#define CONFIG_LWIP_DHCP_ENABLE
+/* CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set */
+/* CONFIG_LWIP_DHCP_GET_NTP_SRV is not set */
+/* CONFIG_LWIP_DHCP_DISABLE_CLIENT_ID is not set */
+/* CONFIG_LWIP_DHCP_RESTORE_LAST_IP is not set */
+#define CONFIG_LWIP_DHCP_OPTIONS_LEN 68
+#define CONFIG_LWIP_DHCP_DISABLE_VENDOR_CLASS_ID
+/* end of DHCP */
+
+/* AUTOIP */
+
+/* CONFIG_LWIP_AUTOIP is not set */
+/* end of AUTOIP */
+
+/* IGMP */
+
+#define CONFIG_LWIP_IGMP_EN
+/* end of IGMP */
+
+/* DNS */
+
+#define CONFIG_LWIP_DNS_SUPPORT_MDNS_QUERIES
+/* end of DNS */
+
+/* UDP */
+
+#define CONFIG_LWIP_MAX_UDP_PCBS 16
+#define CONFIG_LWIP_UDP_RECVMBOX_SIZE 6
+/* CONFIG_LWIP_NETBUF_RECVINFO is not set */
+/* end of UDP */
+
+/* TCP */
+
+#define CONFIG_LWIP_TCP_WND_DEFAULT 5744
+#define CONFIG_LWIP_TCP_MAXRTX 12
+#define CONFIG_LWIP_TCP_SYNMAXRTX 12
+#define CONFIG_LWIP_TCP_QUEUE_OOSEQ
+/* CONFIG_LWIP_TCP_SACK_OUT is not set */
+#define CONFIG_LWIP_TCP_MSS 1440
+#define CONFIG_LWIP_TCP_SND_BUF_DEFAULT 5744
+#define CONFIG_LWIP_TCP_OVERSIZE_MSS
+/* CONFIG_LWIP_TCP_OVERSIZE_QUARTER_MSS is not set */
+/* CONFIG_LWIP_TCP_OVERSIZE_DISABLE is not set */
+#define CONFIG_LWIP_TCP_TMR_INTERVAL 250
+#define CONFIG_LWIP_TCP_MSL 60000
+/* CONFIG_LWIP_WND_SCALE is not set */
+#define CONFIG_LWIP_TCP_RTO_TIME 1500
+#define CONFIG_LWIP_MAX_ACTIVE_TCP 16
+#define CONFIG_LWIP_MAX_LISTENING_TCP 16
+#define CONFIG_LWIP_TCP_HIGH_SPEED_RETRANSMISSION
+#define CONFIG_LWIP_TCP_RECVMBOX_SIZE 6
+/* end of TCP */
+
+/* Network_Interface */
+
+/* CONFIG_LWIP_NETIF_API is not set */
+/* CONFIG_LWIP_NETIF_STATUS_CALLBACK is not set */
+/* end of Network_Interface */
+
+/* LOOPIF */
+
+#define CONFIG_LWIP_NETIF_LOOPBACK
+#define CONFIG_LWIP_LOOPBACK_MAX_PBUFS 8
+/* end of LOOPIF */
+
+/* SLIPIF */
+
+/* CONFIG_LWIP_SLIP_SUPPORT is not set */
+/* end of SLIPIF */
+#define CONFIG_LWIP_TCPIP_CORE_LOCKING
+
+/* Socket */
+
+#define CONFIG_LWIP_MAX_SOCKETS 10
+/* CONFIG_LWIP_SO_LINGER is not set */
+#define CONFIG_LWIP_SO_REUSE
+#define CONFIG_LWIP_SO_REUSE_RXTOALL
+/* end of Socket */
+/* CONFIG_LWIP_STATS is not set */
+
+/* PPP */
+
+/* CONFIG_LWIP_PPP_SUPPORT is not set */
+#define CONFIG_LWIP_IPV6_MEMP_NUM_ND6_QUEUE 3
+#define CONFIG_LWIP_IPV6_ND6_NUM_NEIGHBORS 5
+/* end of PPP */
+
+/* Checksums */
+
+/* CONFIG_LWIP_CHECKSUM_CHECK_IP is not set */
+/* CONFIG_LWIP_CHECKSUM_CHECK_UDP is not set */
+#define CONFIG_LWIP_CHECKSUM_CHECK_ICMP
+/* end of Checksums */
+
+/* IPV6 */
+
+#define CONFIG_LWIP_IPV6
+/* CONFIG_LWIP_IPV6_AUTOCONFIG is not set */
+#define CONFIG_LWIP_IPV6_NUM_ADDRESSES 3
+/* CONFIG_LWIP_IPV6_FORWARD is not set */
+#define CONFIG_LWIP_IP6_FRAG
+/* CONFIG_LWIP_IP6_REASSEMBLY is not set */
+/* end of IPV6 */
+#define CONFIG_LWIP_DEBUG
+/* CONFIG_LWIP_DEBUG_ESP_LOG is not set */
+#define CONFIG_LWIP_NETIF_DEBUG
+/* CONFIG_LWIP_PBUF_DEBUG is not set */
+/* CONFIG_LWIP_ETHARP_DEBUG is not set */
+/* CONFIG_LWIP_API_LIB_DEBUG is not set */
+/* CONFIG_LWIP_SOCKETS_DEBUG is not set */
+/* CONFIG_LWIP_IP_DEBUG is not set */
+/* CONFIG_LWIP_ICMP_DEBUG is not set */
+/* CONFIG_LWIP_DHCP_STATE_DEBUG is not set */
+/* CONFIG_LWIP_DHCP_DEBUG is not set */
+/* CONFIG_LWIP_IP6_DEBUG is not set */
+/* CONFIG_LWIP_ICMP6_DEBUG is not set */
+/* CONFIG_LWIP_TCP_DEBUG is not set */
+/* CONFIG_LWIP_UDP_DEBUG is not set */
+/* CONFIG_LWIP_SNTP_DEBUG is not set */
+/* CONFIG_LWIP_DNS_DEBUG is not set */
+/* end of LWIP Configuration */
+
+/* Tcp/ip task resource configuration */
+
+#define CONFIG_LWIP_TCPIP_TASK_STACK_SIZE 3072
+#define CONFIG_LWIP_TCPIP_TASK_PRIO 6
+#define CONFIG_LWIP_TCPIP_RECVMBOX_SIZE 32
+/* end of Tcp/ip task resource configuration */
+
+/* lwip port thread Configuration */
+
+#define CONFIG_LWIP_PORT_USE_RECEIVE_THREAD
+#define CONFIG_LWIP_PORT_RECEIVE_THREAD_STACKSIZE 1024
+#define CONFIG_LWIP_PORT_RECEIVE_THREAD_PRIORITY 5
+#define CONFIG_LWIP_PORT_USE_LINK_DETECT_THREAD
+#define CONFIG_LWIP_PORT_LINK_DETECT_STACKSIZE 1024
+#define CONFIG_LWIP_PORT_LINK_DETECT_PRIORITY 5
+#define CONFIG_LWIP_PORT_DHCP_THREAD
+#define CONFIG_LWIP_PORT_DHCP_STACKSIZE 2048
+#define CONFIG_LWIP_PORT_DHCP_PRIORITY 5
+/* end of lwip port thread Configuration */
+/* end of LWIP Freertos Port Configuration */
+#define CONFIG_USE_MBEDTLS
+
+/* MBEDTLS Freertos Port Configuration */
+
+#define CONFIG_USE_LETTER_SHELL
+
+/* Letter Shell Configuration */
+
+#define CONFIG_LS_PL011_UART
+#define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
+/* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
+/* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
+/* end of Letter Shell Configuration */
+/* CONFIG_USE_AMP is not set */
+/* CONFIG_USE_YMODEM is not set */
+/* CONFIG_USE_SFUD is not set */
+#define CONFIG_USE_BACKTRACE
+/* CONFIG_USE_FATFS_0_1_4 is not set */
+#define CONFIG_USE_TLSF
+/* CONFIG_USE_SPIFFS is not set */
+/* CONFIG_USE_LITTLE_FS is not set */
+/* CONFIG_USE_LVGL is not set */
+/* CONFIG_USE_FREEMODBUS is not set */
+/* CONFIG_USE_CHERRY_USB is not set */
+/* CONFIG_USE_FSL_SDMMC is not set */
+/* CONFIG_USE_FSL_WIFI is not set */
+/* end of Third-party configuration */
+
+/* FreeRTOS Kernel Configuration */
+
+#define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
+#define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
+#define CONFIG_FREERTOS_MAX_PRIORITIES 32
+#define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
+#define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
+#define CONFIG_FREERTOS_THREAD_LOCAL_STORAGE_POINTERS 1
+#define CONFIG_FREERTOS_MINIMAL_TASK_STACKSIZE 1024
+#define CONFIG_FREERTOS_MAX_TASK_NAME_LEN 32
+#define CONFIG_FREERTOS_TIMER_TASK_PRIORITY 1
+#define CONFIG_FREERTOS_TIMER_TASK_STACK_DEPTH 2048
+#define CONFIG_FREERTOS_TIMER_QUEUE_LENGTH 10
+#define CONFIG_FREERTOS_QUEUE_REGISTRY_SIZE 0
+#define CONFIG_FREERTOS_GENERATE_RUN_TIME_STATS
+#define CONFIG_FREERTOS_USE_TRACE_FACILITY
+#define CONFIG_FREERTOS_USE_STATS_FORMATTING_FUNCTIONS
+/* CONFIG_FREERTOS_USE_TICKLESS_IDLE is not set */
+#define CONFIG_FREERTOS_TOTAL_HEAP_SIZE 10240
+#define CONFIG_FREERTOS_TASK_FPU_SUPPORT 1
+/* CONFIG_FREERTOS_USE_POSIX is not set */
+/* end of FreeRTOS Kernel Configuration */
+
+#endif
diff --git a/example/network/lwip_https/src/cmd_https.c b/example/network/lwip_https/src/cmd_https.c
new file mode 100644
index 00000000..204ae2a8
--- /dev/null
+++ b/example/network/lwip_https/src/cmd_https.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright : (C) 2023 Phytium Information Technology, Inc.
+ * All Rights Reserved.
+ * 
+ * This program is OPEN SOURCE software: you can redistribute it and/or modify it
+ * under the terms of the Phytium Public License as published by the Phytium Technology Co.,Ltd,
+ * either version 1.0 of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Phytium Public License for more details.
+ * 
+ * 
+ * FilePath: cmd_https.c
+ * Created Date: 2024-9-29 11:06:40
+ * Last Modified: 2024-09-29 15:52:43
+ * Description:  This file is for https example cmd catalogue.
+ * 
+ * Modify History:
+ *  Ver      Who         Date               Changes
+ * -----  ----------   --------  ---------------------------------
+ *  1.0   huangjin     2024/9/29          first release
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "sdkconfig.h"
+#ifndef SDK_CONFIG_H__
+    #warning "Please include sdkconfig.h"
+#endif
+
+#ifdef CONFIG_USE_LETTER_SHELL
+#include "shell.h"
+#include "strto.h"
+
+#include "https_example.h"
+
+#define EXAMPLE_IDLE 0
+#define HTTPS_EXAMPLE_RUNNING 1
+
+static u32 init_flag_mask = EXAMPLE_IDLE;
+
+static void  HttpsExampleCheckState(void)
+{
+    switch(init_flag_mask)
+    {
+        case HTTPS_EXAMPLE_RUNNING:
+            printf("Https example is running, we need to deinitialize it first! \r\n");
+            HttpsTestDeinit();
+            init_flag_mask = EXAMPLE_IDLE;
+            break;
+        default:
+            break;
+    }
+}
+
+/* usage info function for https example */
+static void HttpsExampleUsage(void)
+{
+    printf("Usage:\r\n");
+    printf("lwip https\r\n");
+    printf("-- run https example to initialize mac controller\r\n");
+}
+
+/* entry function for https example */
+static int HttpsExampleEntry(int argc, char *argv[])
+{
+    int ret = 0;
+
+    /* check input args of example, exit if invaild */
+    if (argc < 2)
+    {
+        HttpsExampleUsage();
+        return -1;
+    }
+
+    /* parser example input args and run example */
+    if (!strcmp(argv[1], "https"))
+    {
+        HttpsExampleCheckState();
+        ret = FFreeRTOSHttpsTaskCreate();
+        init_flag_mask = HTTPS_EXAMPLE_RUNNING;       
+    }
+
+    return ret;
+}
+
+/* register command for https example */
+SHELL_EXPORT_CMD(SHELL_CMD_TYPE(SHELL_TYPE_CMD_MAIN), lwip, HttpsExampleEntry, https example);
+#endif
\ No newline at end of file
diff --git a/example/network/lwip_https/src/https_example.c b/example/network/lwip_https/src/https_example.c
new file mode 100644
index 00000000..ecf53304
--- /dev/null
+++ b/example/network/lwip_https/src/https_example.c
@@ -0,0 +1,448 @@
+/*
+ * Copyright : (C) 2023 Phytium Information Technology, Inc.
+ * All Rights Reserved.
+ * 
+ * This program is OPEN SOURCE software: you can redistribute it and/or modify it
+ * under the terms of the Phytium Public License as published by the Phytium Technology Co.,Ltd,
+ * either version 1.0 of the License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Phytium Public License for more details.
+ * 
+ * 
+ * FilePath: https_example.c
+ * Created Date: 2024-9-29 11:12:04
+ * Last Modified: 2024-09-29 15:53:23
+ * Description:  This file is for https example function implementation.
+ * 
+ * Modify History:
+ *  Ver      Who         Date               Changes
+ * -----  ----------   --------  ---------------------------------
+ *  1.0   huangjin     2024/9/29          first release
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include "strto.h"
+#include "sdkconfig.h"
+#include "ftypes.h"
+#include "fassert.h"
+#include "fparameters.h"
+#include "eth_board.h"
+#ifndef SDK_CONFIG_H__
+    #error "Please include sdkconfig.h first"
+#endif
+#include "FreeRTOS.h"
+
+#include "lwip_port.h"
+#include "lwip/ip4_addr.h"
+#include "lwip/init.h"
+#include "netif/ethernet.h"
+#include "lwip/netif.h"
+#include "lwip/tcpip.h"
+#include "lwip/inet.h"
+
+/* mbedtls头文件 */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/net_sockets.h"
+#include "mbedtls/debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/error.h"
+#include "mbedtls/certs.h"
+
+#include "tls_certificate.h"
+#include "tls_net.h"
+
+/* https server 参数 */
+#define SERVER_NAME "localhost"
+#define SERVER_IP   "192.168.4.50"
+#define SERVER_PORT "4433"
+
+#define GET_REQUEST "GET / HTTP/1.0\r\n\r\n"
+
+#define ETH_NAME_PREFIX 'e'
+
+#define CONFIG_DEFAULT_INIT(config,driver_config,instance_id,interface_type)           \
+		.config.magic_code = LWIP_PORT_CONFIG_MAGIC_CODE,  \
+		.config.driver_type = driver_config,		  \
+		.config.mac_instance = instance_id,                          \
+		.config.mii_interface = interface_type, \
+		.config.autonegotiation = 1,                       \
+		.config.phy_speed = LWIP_PORT_SPEED_1000M,         \
+		.config.phy_duplex = LWIP_PORT_FULL_DUPLEX, \
+		.config.capability = LWIP_PORT_MODE_NAIVE, 
+        
+#define TIMER_OUT (pdMS_TO_TICKS(5000UL))
+
+enum
+{
+    HTTPS_EXAMPLE_SUCCESS = 0,
+    HTTPS_EXAMPLE_UNKNOWN_STATE = 1,
+    HTTPS_EXAMPLE_INIT_FAILURE = 2,
+};
+static QueueHandle_t xQueue = NULL;
+
+typedef struct
+{
+    UserConfig lwip_mac_config;
+    u32 dhcp_en;
+    char*  ipaddr;
+    char*  netmask; 
+    char*  gw;
+    unsigned char mac_address[6];
+    struct netif netif;
+} BoardMacConfig;
+
+
+ static BoardMacConfig board_mac_config[MAC_NUM] = 
+ {
+    #if defined(MAC_NUM0)
+            {
+                CONFIG_DEFAULT_INIT(lwip_mac_config,MAC_NUM0_LWIP_PORT_TYPE,MAC_NUM0_CONTROLLER,MAC_NUM0_MII_INTERFACE)
+                .dhcp_en=0,
+                .ipaddr="192.168.4.10",
+                .gw="192.168.4.1",
+                .netmask="255.255.255.0",
+                .mac_address={0x98, 0x0e, 0x24, 0x00, 0x11, 0x0},
+            },
+    #endif
+    #if defined(MAC_NUM1) 
+            {
+                CONFIG_DEFAULT_INIT(lwip_mac_config,MAC_NUM1_LWIP_PORT_TYPE,MAC_NUM1_CONTROLLER,MAC_NUM1_MII_INTERFACE)
+                .dhcp_en=0,
+                .ipaddr="192.168.4.11",
+                .gw="192.168.4.1",
+                .netmask="255.255.255.0",
+                .mac_address={0x98, 0x0e, 0x24, 0x00, 0x11, 0x1},
+            },
+    #endif
+};
+
+
+static void my_debug( void *ctx, int level, const char *file, int line, const char *str )
+{
+    ((void) level);
+    fprintf( (FILE *) ctx, "%s:%04d: %s", file, line, str );
+}
+
+static void SetIP(ip_addr_t* ipaddr,ip_addr_t* gw,ip_addr_t* netmask,u32 mac_id)
+{
+    if(inet_aton(board_mac_config[mac_id].ipaddr,ipaddr)==0)
+        printf("The addr of ipaddr is wrong\r\n");      
+    if(inet_aton(board_mac_config[mac_id].gw,gw)==0)
+        printf("The addr of gw is wrong\r\n");
+    if(inet_aton(board_mac_config[mac_id].netmask,netmask)==0)
+        printf("The addr of netmask is wrong\r\n");
+}
+ 
+static int entropy_source(void *data, uint8_t *output, size_t len, size_t *olen)
+{
+    uint32_t seed;
+
+    seed = rand();
+
+    if ( len > sizeof(seed) ) 
+    {
+        len = sizeof(seed);
+    }
+    memcpy(output, &seed, len);
+
+    *olen = len;
+    return 0;
+}
+
+void HttpsInitTask(void)
+{
+    int task_res = HTTPS_EXAMPLE_SUCCESS;
+
+    /* MAC初始化 */
+    for (int i = 0; i < MAC_NUM; i++)
+    {
+        struct netif *netif_p = NULL;
+        ip_addr_t ipaddr,netmask, gw;
+        board_mac_config[i].lwip_mac_config.name[0] = ETH_NAME_PREFIX;
+        itoa(board_mac_config[i].lwip_mac_config.mac_instance, &(board_mac_config[i].lwip_mac_config.name[1]), 10);
+
+        /* mac ip addr set: char* -> ip_addr_t */
+        SetIP(&ipaddr,&gw,&netmask,i);
+
+        netif_p= &board_mac_config[i].netif;
+        /* Add network interface to the netif_list, and set it as default */
+        if (!LwipPortAdd(netif_p, &ipaddr, &netmask, &gw, board_mac_config[i].mac_address, (UserConfig *)&board_mac_config[i]))
+        {
+            printf("Error adding N/W interface %d.\n\r",board_mac_config[i].lwip_mac_config.mac_instance);
+            task_res = HTTPS_EXAMPLE_INIT_FAILURE;
+            goto exit;
+        }
+        printf("LwipPortAdd mac_instance %d is over.\n\r",board_mac_config[i].lwip_mac_config.mac_instance);
+
+        netif_set_default(netif_p);
+
+        if (netif_is_link_up(netif_p))
+        {
+            /* 当netif完全配置好时，必须调用该函数 */
+            netif_set_up(netif_p);
+            if (board_mac_config[i].dhcp_en == 1)
+            {
+                LwipPortDhcpSet(netif_p, TRUE);
+            }
+        }
+        else
+        {
+            /* 当netif链接关闭时，必须调用该函数 */
+            netif_set_down(netif_p);
+        }
+    }
+    printf("Network setup complete.\n");
+
+    /* 进行Https测试 */
+    printf("\n  . Start Https test!");
+    int ret, len = 0;
+    uint32_t flags;
+    uint8_t buf[256];
+
+    const char *pers = "tls_client";
+
+    /* 初始化数据 */
+    mbedtls_entropy_context entropy;
+    mbedtls_ctr_drbg_context ctr_drbg;
+    mbedtls_ssl_context ssl;
+    mbedtls_x509_crt cacert;
+    mbedtls_ssl_config conf;
+    mbedtls_net_context server_fd;   
+
+    mbedtls_net_init(&server_fd);
+    mbedtls_ssl_init(&ssl);
+    mbedtls_x509_crt_init(&cacert);
+    mbedtls_ssl_config_init(&conf);
+    mbedtls_entropy_init(&entropy);
+    mbedtls_ctr_drbg_init(&ctr_drbg);
+
+    /* 添加熵源接口，设置熵源属性 */ 
+    printf("\n  . Seeding the random number generator..."); 
+    mbedtls_entropy_add_source(&entropy, 
+                                entropy_source, 
+                                NULL,
+                                MBEDTLS_ENTROPY_MAX_GATHER, //熵源可用阈值，随机数达到阈值时熵源才被使用
+                                MBEDTLS_ENTROPY_SOURCE_STRONG); //强熵源，一般是硬件真随机数生成器
+    if((task_res = mbedtls_ctr_drbg_seed(&ctr_drbg, 
+                                    mbedtls_entropy_func, 
+                                    &entropy, 
+                                    (const unsigned char *)pers, 
+                                    strlen(pers))) != 0)
+    {
+        printf("failed\n ! mbedtls_ctr_drbg_seed returned %d\n", task_res);
+        goto exit;
+    }
+    printf("ok\n");
+
+    /* 初始化证书 */
+    printf( "  . Loading the CA root certificate ..." );
+    task_res = mbedtls_x509_crt_parse( &cacert, 
+                                        (const unsigned char *) mbedtls_test_cas_pem,
+                                        mbedtls_test_cas_pem_len );
+    if( task_res < 0 )
+    {
+        printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -task_res );
+        goto exit;
+    }
+    printf( " ok (%d skipped)\n", task_res );    
+
+    /* 开始连接 */
+    printf( "  . Connecting to tcp/%s/%s...", SERVER_IP, SERVER_PORT );
+    if( ( task_res = mbedtls_net_connect( &server_fd, 
+                                     SERVER_IP,
+                                     SERVER_PORT, 
+                                     MBEDTLS_NET_PROTO_TCP ) ) != 0 )
+    {
+        printf( " failed\n  ! mbedtls_net_connect returned %d\n\n", task_res );
+        goto exit;
+    }
+    printf( " ok\n" );     
+
+    /* TLS握手过程的初始化 */
+    printf( "  . Setting up the SSL/TLS structure..." );
+    if( ( task_res = mbedtls_ssl_config_defaults( &conf,
+                                            MBEDTLS_SSL_IS_CLIENT,
+                                            MBEDTLS_SSL_TRANSPORT_STREAM,
+                                            MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
+    {
+        printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", task_res );
+        goto exit;
+    }
+    printf( " ok\n" );
+
+    /* 配置认证模式、CA证书链、随机数生成器、调试回调、设置TLS结构体、设置服务器主机名和设置TLS连接的底层W/R操作 */
+    mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
+    mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
+    mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
+    mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
+    if( ( task_res = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
+    {
+        printf( " failed\n  ! mbedtls_ssl_setup returned %d\n\n", task_res );
+        goto exit;
+    }
+    if( ( task_res = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
+    {
+        printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", task_res );
+        goto exit;
+    }
+    mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); 
+
+    /* TLS握手 */   
+    printf( "  . Performing the SSL/TLS handshake..." );
+    while( ( task_res = mbedtls_ssl_handshake( &ssl ) ) != 0 )
+    {
+        if( task_res != MBEDTLS_ERR_SSL_WANT_READ && task_res != MBEDTLS_ERR_SSL_WANT_WRITE )
+        {
+            printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", -task_res );
+            goto exit;
+        }
+    }
+    printf( " ok\n" );
+
+    /* 验证服务器证书 */
+    printf( "  . Verifying peer X.509 certificate..." );
+    if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+    {
+        char vrfy_buf[512];
+
+        printf( " failed\n" );
+
+        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
+
+        printf( "%s\n", vrfy_buf );
+    }
+    else
+    {
+        printf( " ok\n" );   
+    }
+
+    /* 编写GET请求 */
+    printf( "  > Write to server:" );
+    len = sprintf( (char *) buf, GET_REQUEST );
+    while( ( ret = mbedtls_ssl_write( &ssl, buf, len ) ) <= 0 )
+    {
+        if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+        {
+            printf( " failed\n  ! mbedtls_ssl_write returned %d\n\n", ret );
+            goto exit;
+        }
+    }
+    len = ret;
+    printf( " %d bytes written\n\n%s", len, (char *) buf );   
+
+    /* 读取HTTPS响应 */
+    printf( "  < Read from server:" );
+    do
+    {
+        len = sizeof( buf ) - 1;
+        memset( buf, 0, sizeof( buf ) );
+        ret = mbedtls_ssl_read( &ssl, buf, len );
+
+        if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE )
+            continue;
+
+        if( ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY )
+            break;
+
+        if( ret < 0 )
+        {
+            printf( "failed\n  ! mbedtls_ssl_read returned %d\n\n", ret );
+            break;
+        }
+
+        if( ret == 0 )
+        {
+            printf( "\n\nEOF\n\n" );
+            break;
+        }
+
+        len = ret;
+        printf( " %d bytes read\n\n%s", len, (char *) buf );
+    }
+    while( 1 );
+
+    mbedtls_ssl_close_notify( &ssl );     
+ 
+
+exit:
+    mbedtls_net_free( &server_fd );
+    mbedtls_x509_crt_free( &cacert );
+    mbedtls_ssl_free( &ssl );
+    mbedtls_ssl_config_free( &conf );
+    mbedtls_entropy_free(&entropy);
+    mbedtls_ctr_drbg_free(&ctr_drbg);
+
+    xQueueSend(xQueue, &task_res, 0);
+    vTaskDelete(NULL);
+}
+
+int FFreeRTOSHttpsTaskCreate(void)
+{
+    BaseType_t xReturn = pdPASS; /* 定义一个创建信息返回值，默认为 pdPASS */
+    int ret = HTTPS_EXAMPLE_UNKNOWN_STATE;
+
+    xQueue = xQueueCreate(1, sizeof(int)); /* 创建消息队列 */
+    if (xQueue == NULL)
+    {
+        printf("xQueue create failed.\r\n");
+        goto exit;
+    }
+    
+    xReturn = xTaskCreate((TaskFunction_t)HttpsInitTask, /* 任务入口函数 */
+                      (const char *)"HttpsInitTask", /* 任务名字 */
+                      4096,                 /* 任务栈大小 */
+                        NULL,                   /* 任务入口函数参数 */
+                      (UBaseType_t)configMAX_PRIORITIES - 1, /* 任务的优先级 */
+                      NULL);                          /* 任务控制块指针 */
+    if (xReturn == pdFAIL)
+    {
+        printf("xTaskCreate HttpsInitTask failed.\r\n");
+        goto exit;
+    }
+
+    xReturn = xQueueReceive(xQueue, &ret, TIMER_OUT);
+    if (xReturn == pdFAIL)
+    {
+        printf("xQueue receive timeout.\r\n");
+        goto exit;
+    }
+
+exit:
+    if (xQueue != NULL)
+    {
+        vQueueDelete(xQueue);
+    }
+
+    if (ret != HTTPS_EXAMPLE_SUCCESS)
+    {
+        printf("%s@%d: Https example [failure], ret = %d\r\n", __func__, __LINE__, ret);
+        return ret;
+    }
+    else
+    {
+        printf("%s@%d: Https example [success].\r\n", __func__, __LINE__);
+        return ret;
+    }
+}
+
+void HttpsTestDeinit(void)
+{
+    for (int i = 0; i < MAC_NUM; i++)
+    {
+        struct netif *netif_p = NULL;
+        netif_p = &board_mac_config[i].netif;
+        vPortEnterCritical();
+        LwipPortStop(netif_p,board_mac_config[i].dhcp_en);
+        vPortExitCritical(); 
+    }
+}
\ No newline at end of file
diff --git a/example/network/lwip_https/tools/ssl_server b/example/network/lwip_https/tools/ssl_server
new file mode 100644
index 0000000000000000000000000000000000000000..35fc3ad1977753cbf493de7de0f833852f96859f
GIT binary patch
literal 566672
zcmeFadwf*Y)yF*{L57=WRM1$pj5^j(Z;65?k5V&`$QhkzRL}q_K`sX65+TueK?9RW
zPRG&IYihlut=6<^O>Kn?C{6$&SkVYxqP7z8cE+egREQwv{jI&%nVc-m`+h#}-{pDg
zoc%p(@4fcgYp;DdXC}87hR++6mgaH(rF(wkp;Y!_P4f9h{Uct!@_6z+xt@{uuirDq
za}a0-{+G{p<!8qreZ%>5N=XN%e3^9dGoMFm>~TIF4e68e4fL<GMBi~fJwBbLe1qw-
zl>UQ%rRu+_&+oSAQk_qCK6NKs<%VJUf0ktF20EYad}N#M=|faS-PelGLS29M0@j1|
zq|zu~#~-wO$5Z`3yV(%Vr(;jjk^Yy<_LQG~+@pVf^<R%i<}2ZR^0R>DolmNR{$2V>
z#hm{?^%Zlz{3x{&ej`2u$0+P^KArk5Mn0WG-~a#mFPqbI3D-AJKlr#GoKH5d=d=a$
zuRe3!X$$6@vS9wA%BoYUa?d>F%yFkKU3}{4s%p}U>L72JeBo3N`Yl0>&8Yff6sPHa
z;oQ4N&7XAZ2^+r4`)gqP8Bf1+>p6p*GN?|Hp?{R0hm1<o^+f!SWOVzNBjHnw1hS5~
z^XNC`zP6CAf9~JK$av__+{i}3KgX|w?9cI41Mn3n$Nw|sQ)_;%9RC3IRt%u$2?Ov&
z1Mr~(@Z14-_5l3j0rbCr06u*He#QX&!~yJZ^8orZ4N%Sn1IP~>fS)@+Ih6y*A3T7b
z+Xg77ZUFx70Q{~2_>ckWy>I~el>_Mi>HypvpqxihuOIj1zup1L88iTopn#wA|C<Nk
zB>QvnO9$W+2dMYe0pv#yAb;cl@|y?X_YF|ahXe4v1MsH@;L8W7chvy$jRWw~0r;;5
zDF37Z_`(6o`EmgHX9n<}hX;^<b^z`hpx!qJ;K>2_@Bzx-4}OT}C{JgzUSBxtffrHE
zak%%Bf0z$v)AV<yXX)bE*Uhc)%$v8Ma%q`o=FIXX^A}ajn>oAeI?vpy`4yhoix(}L
zJG%mR=FOSAphDf4y<qXuxpU?(@yx53yI_H5>HKRJ&063oudG-Kv85HWW?x5QGw02k
zujuTuSxY<%<}a<7yU4S2?gA?9nuQhf7tZy}yJjx(%$~Ji!Q$DTr4>sSKmusioH@{9
z-eS+fxeJ#<Io!ejqwKj$mMmI46T-79<}Y64xqAMhIi7h-=gz&3Bxf%yr_9u##pTFU
zR#`D;@r{c}b62C50#;Ti`SP1Q^HftjOJ<><nKN%#y2vfrSJvY4xr?a1GiO$zc@<}l
z^DLP=`-XW-7BBS7S}<$LLfq(=b>>X1xw6*08<)(lKwFp0oi&FPq?Rw9H)qyO$VF<G
z-=xH#CP}DkZpNZnun|GjjXGz|o;?>0n>llK)vTHG=ELUmZ=UN}dec%eAeB#&+Hmt`
zFREC8EYQo<BGk5U@eNRg+Jn0=Dj99&OmYY6xFr=c7tWf$$TJUyUcAKPv`LlinH&yH
zoHX<FQ%}!LU7nS?${E*pIX-pS2Twn>kDhTV6bnr$nmK3glDXHAUo4qYG-<)&MRTXj
zx_ZG}=yT1&#fw;<nOgK`1>x3%u*RbQqqWvg|1Se8x}VZMqH|N;gZjx0QsoZ8x?0Mn
ztM!~io!ZkpLp&I2&UV35_qzwMyz_d-BYx1j@`(BKM|vQW&*}Tr{ewK`bNYUj9_*RQ
z=}}5P!&A!X%3sVMN?Kma>53yMJ;-wd()7>Sk2vGrSFU*v?^7J!&ig>`b^YT+;$poI
z$`#yZUM9Hj5-r~#crNoc!AqI<2wulLYe9c~nwggf-od<1aL=V$pBBNhnA?IEGtXSu
zzus!*rr^!Ys|4?4-Xyqhiq@w?@LcBJMg8k7Wu7Z|9rH55o0&HV-od<0aL-h&PmkbP
z%(E8v*Qc0yiQv`D>jZCR-XeG>b6arVWm=!i^8WSaGB*V;VO}M8HS;FHo0xY9-p<^6
zegArUnCA-azg+8CCio?DG;a{xWcfD17qfhi;AJeIwWPm3b<9fyZ(&|1xXrvpa9@em
z(-u6JdFImo^_DR=1#e(pC3u2)li;1qI|TPk)B1QT`q%4co-6pBY_~GO|LWLZ@J-Cy
z1mEG<U+{g*vnu=RbJ$$1XNlnXtY@9zWz1UyuV-!x-oiZdhW_<-GB*YHPS^TW34SW;
z*(7+Fd57S0nR{>SUvD;-pDTC?^D@D!nKuaD#Jo-LcIG{T_b|_@>aUM~2HRioV&-*%
zS2J%ByqUQzcqjABoBG##8{5Ye+<OJvU+`?^O@fy&?-0D2x%cM&^)@lj6}+8!nczLl
z8wAg~QtR0!cnR|!!Rwf3-O^v57Um^_cQUUN+;f$#w?%M2b6fCy=9#zlueX%BDfq+O
zFI9ranKudkHuDa_cQN-a>tFA%d0PKm!H;KNCU`aL*&uim^EScTnfD0Z!#wM@{`&le
z>n#!d3g&f!`)9KK1vi=7f|oPTyuE+D4a`l!6U?gwx0yEyUdeiP2<|J@dU~t-*Lx4k
z=L(+9@@0Y-Gj9;Qnt7Yx&CGiQ?_{2}yuUuaSz6B$!Jl>PFL*A?w+LR!+!nl!dFG1#
z^)@p%1@B;9CAjx$t!I<qxy(BRFJ<nH^sl#?d9L71%*zCCXWk%q5A!y`{j;^6J%XFe
zvugV5Q_j3Z@J8l!g10ko5!}P`yDfM&^UT`*^}fpeYYKkhWPMs+CwSEk-L3|~+nF~B
z?&;L>ErOfO+XSy;-XZv(KG5aZf<Mo^NALuf<GrJQdu`^Kf@glH%g+*gE0>=uxXJRS
z;8n~^1aD?uCU__FD#0^%YJKViFJs;yc!GJ8;N8qy1ke45?J2nb_u5`Pf_FBs9ar|Z
zXCw1W!AqHE3GQc}D|qLFx?EH6M&>1gmohIC+|Rs9@XiNx`E`OfGH(#PlzEfjiTiaq
zErM4wZxcM9d57SQ_vvzM!AqI<2<~U@t<(9O^NmhRr!xi5k7}MJxQBVJ;ECUAc~kIe
z<|UHftL4iC&u3mGxQBV2;E8*5ISqnWGj9?+pLvVm9_DR=Cw`~P?-0D2xh;4;^B%!H
z%)M-H$Nq_WU4EwEe&$(%ciye#a|Lf?ZVK*UULttnE?rKU;ML5l1n-P#`8vTp%o_yv
z->K!B1aD;d7QquN-zIn``&+l*-*)Nv<7NMH?CE#>Q1I?Y^ub@T;0fj>1MpJ8>sh``
z@N(w$f*)W#n*^`scC`yW><f;of;;j)&gZoENS4nM+>tL9{8ubrCb%PCCwQsTF2ReL
zHwd23yixFM=FNipnYRqU6M}a?toyM|@OI|if}g?d^|F6Cb}Qv{w&3|JZwl_nmkFN#
zkk+SM@NDMwg8P{_2<~IvD0t`Zb@@$#Cz!VjUc~y_g6H$N^YN!+hiNRICAcGRO3r!~
z3+}YHT<}tsuM)hNd9~n9d+P*u+S@GnT-Lu$a6iYfZowC_yqE7gc5vjg1n*`&vjy*T
z>>zkM^Af=m%u5BYXI>_FIrDnKD_Q?0!SgxJw+ns;%iDrG@;=Vz*x^Bz&l22`FBiP{
z586Mg2H@3#`&qtDa1Zll!JAm0Ho;4Ie(V-J&hlQq@3hO2&lda@mNx}=<m(0RWIY=O
z;EjSevwV}_^~~D^f1mZS1yAt$$LFjg^y4be7c8G8xFcUI_yLwL6Wo!n7yRHa^?cMM
zxFg>#_;D<63+~AKc%9|+%b6^nCAcGBEcp2>UnaOCUoZF!M}NT``F6n<IQk3j$ose-
z9Q~I$`U~#J7Ylxuqrc#ee7)e0Ir<Ck$hS$(^I*H+&CELlZ)Dync)c^93SP~;NAPmy
z9%rAy{+Z9*E4ZI|w&1h*oWT^llhfsbH?w`}1b5_{1+V7v+XQ#yeZ1dt`nR0NY32aj
zFSrxmvIKYHTe09TIQ}5Ghxd>5g10&TAh;vnF8G@)Zwv0oXLCJHdp+DQxdZTg!JYVK
z3hu<Wa=|;D{t~>D&kdRd|AOV)1b5`S1@B>bFYn`>b~*Cdf@gfC<C`hCBVR7~VJu%K
zxFg>z_;D=XCb%QtEqD&gd!6$V9!HLRw%`*S{RMaA%LNZP`U~#JHw!-1(O+;!zFY8F
zj{e-AKe4~y3myFhcgimlypdi|#J_UE>zP*xUd_B(@N(w$f|oLH5WJXqqu_q#O@e!v
zw+a4-{o3C;1b>dXE%<uoJ%Yc=-20H;XFGQO5A#gHKV_aJcsKK0!973lxDb38^Af>F
zF)tJRm(1$~UvYsxA8ru5`dR%3d86Q^%$o!+X5K7#KJymAJ<Jn=cm7@1+a`EB^LD`#
z%x%G^a=Us2FXwtaf9T&|PP@E<JMHobp3UWC3huPaFSygLEWw?2Wee`K%M?6|+f^cX
zGuxq5@OtKDf>$#y7rdN#mEhUTs|EKluM^zEyk79`XLSEI3BLb)?T0ObH*z@%!JT%s
z3GTG3UGP#ar$cb3U7dnE?Xm@T+SM(%(=N}${r#$(pTGD7&nnjK%@lk&%V!DxDDzyw
zO)e*2@V~Nrwcyt<uNQn1^9I3RXWk_Ed(2w||A=`)@UNJ+3%;Lur{Ec;wvR2i!MsQC
zqnUdj>2LoNnEM3JX6_e!0`qLa&tsk|_{Get1;2{hRWCWqHwfMo((P>$d@jqk2!0*&
zgy3&Fb{2do%XbRCjJYlNK|CIN1YgPW-bee}`FG5Hg6DBLe!>61^4Wqv!8}*+1ze6P
z__HiuB6ys6so;-sIgNssu-%#k-@xUx2%b9c68sgG?+|=D^G?B?b5Z|e{q1=X>ys_G
zGr#8!z)iu+I6jmJ?yM_H2jJy`ce4J~f;;P+x&e5D;EPzFCc&NcRr3HmA$SFs(=K>w
zT{i%?1;3fg=@HynFL@gK_lv`Qf>(1ne!-n}TGjwOSMWQy98+*--B>&TFBLq={Z%fw
zv(Bs%{2P|96MPWIr3S&Bb#J5KBUrv!@S~U~1b5ckZGxY`@}58Tw|^mz3!mWQSUywm
ziOjPEKaY8?;1@E_7yL@*#ey$jUMlz!=4FE4%)C+Xvz+)N_-|RhMexU%w+a3<^A5pR
zG4B+7EAwu_-)HXmQ-Aw^!rUwP0p^*4AI$MKOYltQ*@9;?&lfz%yjbuHn3o7Xn|Ybw
z70jyyzm0jd;14jb7yL=)je<LNZW7$FbBo~5a5-&)KhL~f@Ryl)3jP-JZoxlb-XnN7
zbMK$~_wOLyUt|hCoVj1{W0+?Pej4+9!E>3Lf}hX4MDQz^mkB<XdAZ;>GOrfgVqP!!
zz04a1;GKe>7u5UlZowbra(V=RmbvHg{&v2I%kc@mmE|)9|A4t)@E@3G3qClk*OR$|
zAHh6d@Bs5-!B1gcBKRccrGigoUM~1m%&P>yo_V$4w==I7ypDN;;14lR2p;6P+AjE$
zEZ-scI_9?E?aX@wf0McAiT?dNs7Tx2C-_G!?-%?t=2?P&&pcP~5nR40xQ}_U;3qII
z75q%*<$~ukuM&JJ^Mv4!^80n|f-h$I4#BILcM5(db6fDcnfC~OFLTdd`rH2r=3c>1
z%-7@BC-^fg?-%?Z%(DbfFwYiz3-esT|IOSK{B`EVg1^taMDP!pmkRzd^K!v$=2e3C
zGOreV#D&^#>jXcTd4u4GGH(?8H0Di$=Q3{={A}h4!3&wU34RIlcEKI_4#8)!ye;@#
z=G}r<G4B!lI_91y`}^A+%zc9YmU*V&k23cQUe7#B@MoCk3jPn~`GT)!ZVJAdd9mQH
zF)tN-8}l;3JDHaYZZoeEyo-6A;JcXD3*O7TLGWQ0Y5!~#d?fQ`!4F~HBDkM<LhvJ)
zw+TL$d57SqFz*z6GILw-GnjV^eg$(+Q-8lIW$qPx0dt?=^O$D}zJz&};5RVO7QBvm
zuHd&a&lmg&=EZ{lm3fKaapt9hKg+yK@D0qX1b>ZrwcsBzuM>PX^LoL*W8NtE_sp9F
z_whcxS@2$#w*?Pgto^oI@Wku-JiJHnX6D|%_V<TQ=03rz+jTj9!4q$5o+WrA^K8NW
zZ)kZ_@DS@?EO;^NQzCdH^HRZ^-_qrm37&XU^J>9Mnb!$k&b(gmM&=EIm$E)hf?ve#
zY8KpSSBv2FTu!Ipj-IyQ*{n~u;6CO(f;)P8|JJ|Xr?Q?t!5uv_1<z+a{epM0{j&sb
zXMOSociLqN?zF2|aHm}*f;;Uh6WlqUDHpt+{jf^#&ezya1TWvNd7a?x+cd8iJfC@k
z;LTibqu|xdn*=Xr-YmF>d5h%SFKvRi^M1TT@J@bS)+u;9b6fBP^KQXC>Q~Y{o*u#L
zS>E$he}5}y?iIY0xliz7=2?QbOww^LSMYq6&lfzKxhc4xd9mR6Bk9-6Jf0H4yPwwm
zUMhGy^D@B`%*zFDW?m<_^Sq`(@J5zz6uh2!li=0Nn+5m%P3zwxcrnW-1kYyPCb*w@
zyWl?NozM2~_e4zB>uv7Ooph<-rHy(&RVKLqNzKaz&wpC;D#870G_MxC=Q+*m1o!__
z^LoiQYThV#=Q_=s1kc~1d9&b&4$a%xKIFxkD0lO;yEy%JmGiH|#gBI&K5Z92+r_(G
ze3FYhzlTJ1PIU8UbidGl>33V4f3}P3H*@rzZWq@*t9g%$>k-5y{k^YzJ#sboy116m
z+~?xXyDxMn)5Y<FFR6ci7ax|Q`29c^r{9Wl{$;!P2nXUb*TwMzHK~93E`D%|dOW6!
z8!le#;?8e1((Mu#Kg1<p>f-L-Nh@>l!(8&^E>6G0==`g4@zD;%XSItT?&5VWeuRtH
zyLhIHH@NsOT)ff6k8<%Q7k7T^lx{b>IR7N3%GKiHzjT$8aPcuN-sa+d7jJj*V_m$%
z#gB9GP8Scjxb5O6xOlgV|H{RCT>L~A_waZmAJ1}euZxd$ai5F-+Ql<noPN{I`R8}>
zlO2f9EEhk;#j{=fR2R>6@zY#9-^H_C+;s6A7cX}4(_Os8#p$;roqwe+KF)#oEOYVk
zE?(~9XS#Tmi=XA<)h?dv;&m>b=i>D){(mms;Ns`Fc%zF?aPcM=|BZ_`yEy%3rSq@F
z#q%AA&xDHyUHpHS|FgjVEbu=I{Lcdav%vo>@KXzXWBhWT8TrC%Mh9=XXo$zGO;il(
zZ8swuy&IHp@A$tJ4e{*mJ>e;Q7-KvnUq*L!CqL}%?X6d7+7RtdzL84PMre1kHI=3f
z(C*|vQfb=w>`wkMm8Q+s?&R-MY1#noPA*TSX;HX4d3`EP8=l?CS*bK_bap2%PNivs
zvpX3~rD<ccJDHP8(}reu^4L_GHZr@DhosW9f!Uo*OQmV!vOD?pk4}4O!-Dpw(zH=Q
z`%`J!prHM!G;K`K{#2SaBxrvsO&bxkKb58p2-=@Y)5ZhsPo-(Yf%d1;v=K)8Q)$|G
zp#7;dZ8*^WRGKy#Xn!hA8w|8Rm8Oja+Mi0(h63$B;I!Yb(jTVMw1GhTQ)${bp#7=z
z@hbg~RGKyrXn!hA8wa#Mm8J~?+Mi0(Mgi?lrD=nJ_NUUcF+lrMY1$B={i!r<1knCe
znl=Dve=1E2f3!c9rUgIRpGwn0AMO9aX+JIS(f_G5E$q?$RGJp_Xn!hA3wiW^DoqP`
zv_F-mg*)1xO4EWJ?N6m?p^o;a(zHNF`%`IJn4|rvG%d){{#2R{KG6PDnil40zmvx3
z{^SB0-31;szL9=8)Ia^ANIx&q&xrIBBK?R+-!IZJk**c#Wg=ZE(hEg;u1H@g(o;pc
zNTdrzdV)xg7wJ<(`UH_aMx;lJ^hl8&EYb(e{{8WtNPj8PpNRB-Mfxp~-YU{Bi}Z^k
z{k%v&BhpWZ^dlmDzevYKx>lr@iFBn%FBIvyB7LPuPZjARkuDVJ2_ijSq)!p)6GZwL
zksdA5BSm_!NFSIi`d_5K6zNZ#v>DAffu>7icuVzTy}cV~z7Ad<yev31IA!Xk=JGGv
zFuBbkDGI8lRTF3d$Vr&7D+0OUSViC*)7oLio(_~_k`Bk_1WN5VrmwKIHw@T~nce;?
z(x$b`4&Fq3mp$zzq+<nvV$<4eS_Oejdk7|&u=SZe=J7OjCtuyk2-u5C(*bG%*_h#3
z+GlV1V330KSVl1P+8JjL^5pc|k6>yyW8)8R%kaEJtB#z6{T{-!8J%z#EN0)Pu1C)t
zJJ@4J$2Y(TRBhdgG*8glT$?azKZe3)bo3o05F7s(K1kr2K7kEdV6-aXoIqhtB4-PV
zDnwDXCz9@zGXqN)GdAJ1O&K10=zb^=8~+QJPUmTzZl_$IBg~?V*ytx9oU;e!v{%Do
ztWXct7n@K^1ts>Wg2uWEI)Kb*+?iC+AJz4gfX|HH8t?{NXqAI{Z{9)X8X2Y%zJisw
zV0tcxf=?!VjV?IbRq*4w;QyY7f=#7i&bD=AQR=~WUQFpXks2DE67Zs?#@`H5x67)C
zjs7F@g1$$NflOBujg9;R78ho;B9IA&MxTtehrL>5_*bABJ({zPginC4n9)&zu=Ob=
z4?>dlJ^~ent*^+TJh2oVqg!*;%V^E-zwhl0TMGhN<T=e)+l8$;0e{Ha2&c3cVC_SB
zN3A7o#vj<+=P3W6eu_@`ybw*Eifh%kq>k#7kI*ONA>`6%#;8n>2LkFQwd3(4(T=-s
zq<a%OHbRTTpam-U)>T2VuE3%SzJ<xV4x3kRt*_pB`|^FB2YY*s+9#Dq@3KFOP+gTD
zp{zSmRv{dFV~;BCDI^`oPSeHx9~JimiVIsk@oLpWpRMVImfx69!F<%%2mj^qSnC6~
zPoQcl-l^SY-2FJJTE4G(C9192h3m+^W~1gUT<m=hTCa0y{g8H!Dp$=b2}LI)3Q+S&
zbd5T`LDjI!)5y7o{<;yyO~^_pm%$*cgs$P)Jzc+u^q`)JsHb1UZ-Zxrt$nPnx1O4R
z+nd(<u=OFg7D^2#vyRZ(9PZNQdsw>bkbdQziV8@nQ<WjB$dHpZAop#1dwY}LVel1L
z`%vN-S1JEg{dH#`9}cr-4$N3!p<S<;Ryg3dH+_gP6vY+tQS2K(6s0N6>|2z#?X?es
zL(teAj!%ji_dbSL7Ck3mzcK?c47xnmLN|8VuVC=d2+g#!)lk4#weL8S%D*+>v;Xtn
zAgbBkh+?hv+-j%C4Z!5(*mkHpzjt(ieZPZyBqum`&T_TueY$hJbLYRVJFRqQDDD_z
z@@aIbLhqy?lu#9hqZl^fC<c=K07MIG;VOqhJoy$D{z2<yYdz})EyvTqD~D7#_JT5D
zfwfCnF>L*4*L6}{_`bmUTxEdxE3H(EeJ*J*579+c{f4VOC(xaRs0SVZc^mSM5r)yN
z>nMQ6CaglW(8T`BcW{9kRmuieDLbgUPedsYU5O&>+aQ-bP3L_Mrmz<h_$7d7&-2ut
zM#_E?TI?8SFUtO@ac&~9R+K?@r1>-F%aHZPRi?GmjC|Z(JS7|({J@$F8XRNP$Akv7
zpm+3={2`ui>!I0AL5h=um(WLEPsM0#wJ*dy+G-E&?KH;FnD%VoPsoRq{P>CVG4@B(
z>NZ=yI@fINNjK9rnQ#19F$x8o!UcGHJLjo&yOW>vtDZ0tc|DaUO*JDEhCvek`ANkH
zjOfFWu!nxz+iTB(ikk+1f^^!I$eXI4@+WV^P1c9fQ;V!t(>f5e+SG72tv6_ljDGng
z*zjZ+2i|{WGJOx_@dPg~vR-#BFHDToP;{Etv@jy93IuIyO2CgncXGc)M=r#25}|0&
z*LA3B4<?5W6M?LDHVySiS6bzlX4I$ZU#lkmEiLp|pvz!ABX(M(r?+CLY5aNp(%rEU
z+2PoNKsKFhK>3`+#ptAO(YtZ{2@D#gYp9HMl(2_=)7y)oe-7rX+#<_1qXkeBGhVhC
z#h9(i>Miz{OgC%aH)`l_?3l4hy*ckIU)@{~z??zGEeLoKoI_YBSsS{3q4kd}2zb+|
zFs}*4jGB`uGwQ)anz2=9%LverqrV_!MkirbAJv8ySG*j20X^oK7#s147Hc=R+cgQJ
zrWMHoXgSKXIwr<WR(A`mZ$j24)sPEfw@&bc$NsoygHd@-?fVtE=%Q!e9SpP5{1Tv6
z!u-(SWNu|9wbI|$N|;3z6pEfl$^@)r<V!E?_U`%&Ph>+{I6A_o%!Yp2o-{YN!by4y
zja6Ihwy)s>4WYEnkpn$O?P6dwdsNu^CZ{(TE67NLeMTj_FigomB44BhBR^m=JPL9u
z)F^xDMkkL3RB5G2*xG+ltU$FY(wkOM5ypZtHu^ohB7op>$!^teCsV5iXptGM36N*a
zG0)KJ+sYDi`9^Zd8CM3c2woYyDmZh49zWK*CfeBg;X$$M)6~fXiew$A&i8dd`v5J~
zbao<?))5}NsVL1(&V|zUpK*)N$E*qWOc+8VszC3jX*h(ew}MlG)~i#k?=Cg1{aAP-
zXu=ck43yxrCQ*@ZjI9Zj;@TK{XP{ht-lrB!#@L4gv=lbRJ|1XPpHByx)#twg3HA9x
zpdFw6#uNQjN(@rC!4YOOokERaMymXt3UA&i-<>nWv+P8&4N0YJW7OUS2ZMb`F~>d|
zXba#E$KbbW=qLxEb(aqd5Vp@=3<R&<JrrPZiksOe0dNGJljt453Fxc|Kf=>*Jk*@s
z9!aE`4Vwx^`G;*P$neAa(~GR`0_(%D^*L64ddwwfkX4Jidwb{2JJlFdLu0`+Pn|cq
z!i!I}z_okv0#L(yE6UC25VADdK3BK>s=V>vpFPB5eRu1W;PUU)TIqrUt1V=G8nWID
zT3h#a^tBOd$zs*MoJ8<qgb<8__bJ}}=PUSnG(BwXR4OM^`XWZaqEvm#qLn^alQc|O
z(_Xgg=i1}mkC8i=);R&hN*~2aFJk4Wetm1Ens^MF7{W3JO*~XLad_VN!_mZ`wP)EW
zqz}oa^f79KRQU3ZREMJzMgYxgwBO68a0wrUul5-NYo4&R6-6~56AYm{JvKPGF2hrd
zVfgPadwWCCA-eYptUV#C1M#L18y)mx@C6TYA%e~`b|p3y1oGj<1%YhXD)NGIYSdeR
z7=#Fc{X$QXwHMK>GE*Jh>Twxb{v-W8B%`JP&V%)1k@emAv2)HwoC`)iF^pOZUQtxL
zr=lcGOD^=%wa|-$Q%*v;YmxQ6eFC&JqZt7N3m-H@6vQk_yP8ytCk=y}Ci`Ig9YJI4
z5Y<j<iS;!~{l!m8wYPmitCvqz;Db7()p^FM@OTdgN#uI$#gs1gpIzb;ja3EXJ(MF>
z+*!SE<{CP1G$ySNMK-0OsEKt2C;P*B|I)+0_ItHV>VA<-S!DefvNksv6}irO!TJj2
zoPiK^8!E$wW$d0%WOJH5jv9=ZyeYV6vr+l3sl{+NjJA`VCidyZcCtNCQ5gx=fsvGf
z$Y6a&N;Y8`WVb-h8IiO;pwWhSGKBnajP}FKqS`GLhvkj8a))?s9iIFYs{~%BxJI*D
zm(qFxZiO*zy{5cQ#Y$yE3Yg!jewd2o2OU;q!36!rLM8w$My?3>!f+y*u5Nw-M#n<^
z^se4sbUhkUfG)H?FVK6X3lLVqs_U&CIf*_$SM?NGZ=i(VpalDy&yhWLQKrm49QkQv
zQO&85Re2~z6)EQ$Rrc?ofQnaSAB16LpHvtgzvwK4VXw1pOMav0N3v(X^O+``-cZy0
zVFUtizs5J<mWp*oO)=_L@$LXR!KhK=oZ`JvgPjKk$QGmK6kOzu?>UpA!?(trzoZ<9
z)!2&xY*phwWW7y85i199?D5<yoNV2H5zOUjQT&Hu1#FeMmKRm3$CMF^X(*a-MR;0v
z7<-+jB$=!b&f8O9CBxQk>Ixm@Ni?69MVaepOA9xSze;B^z4k}=i?GJ3nm{A;z$Rm6
zu!Pn?%b=}kT|v=ef7dX~x5lb;OrCRS?S=XKoMDw;g~sk}=|!+mT}xvjOszp{L(6-K
zV-XQHCih@FYVSZFLl>>o#7#BlkeCPCTGEy^L<OexK~19aVKa()O|;!>Zl076K@Y_Y
z+%(3f8)LD6i?x_2AD4doFWXMLG+mu2ybDRPXdQh*cPxPs?v#y5D{FJ~3<R(xWYFHF
z-Z-Ki89>=H92@y&JOk%$gSX=&C$Wxh+9fttKIxlk0?(4V)2Bsx(u|sWaT)0uWYqi(
z7o>m6)X4o1a&voNrcCo}w4}0*8ib`TH7Hu`M_HtpmmH{eG;OLV=)=YOynHddocz({
z<+7$j`fBQW9Q_lHUf}E3@7N)?;jkcCfpIj@ee4*MQ)v3X5H0PS{Z+h}G8Lh~uKf%P
zF*uCJ+EozsW7&<FC{6X|@h8yVwyqe8c{}pMaO1uNDNBnyy@H_ewRs52?scut^y(~x
zV1xeiOtrSs673~=Du_-gbB(!zKnW^pfL1x%A_vmq^q|tXZ+#0r03>I?!Bu2^8t%|E
z=f^RDQP_$(94A%qa5IMGwwnK7=9B3n-#&n$LH53%>cUn$)2#inGCO&@Dv#EW(WwZ(
zm6`VAO0Xg?dba(0wB3v@%xZZ7t$=(*Ai69gI(0;}(yPj|(&?=8rk9n>IxSQAA6>e&
z3w4jMSD`fYJGO-3KnePHggX7LJQB}+%XH^%X!$#GcD<%Q-my1+O5LURzc@R#wg#tQ
z(S*4CowAwRU??!PAS<9iU|$1`bG8Lxmln2I+_4zUMVzeRGYZI9naXxh^Jrx&G|;Ho
zL*}7HDA^E^UY&Ziq8rF|qtI#8I(RNb_d~SL9$!L6+ry}%r2-X_5o|$B@vNc2qm)OO
z%b<?87k@$}R^Gx!hpl7KJZNpCYF0p^5WRC)^z3zX^lBgL+^f7<R}a^|67|uDGE;-b
zsHM(?VM_|EPPQ%lKKO#_8FV9QU3)$mI}RQ_Ti>z&30=B&)I&G=Q?Q=o0X;v^{WTD_
z@1^@M)l<5K(h*8OTOWLZ`Yl<G|M2BPx;q$m`}QNe-b4qkp)u627ctAy-^z}jYg!`$
zWG-i7Ma*(_EH)32%1O`^QH?V2nMqc)FF;LXu4j<Ip$lx`ixu}q_N5ss9|DS=t)kV-
zxTLMcsBrAofIm)Mp#q*6`&ZyZ6kKF|ji`YTM+uL;Nf%o8cO)V>MoX(atEl$lic97p
z;UA<z7$!Z4nvrt?hPhe&2~FdU=^)=2i?N{(8i!;Ax{jMykC}f|^lVHhQ21z7_WAH^
zEL;`^Ut9%CQP887x%zJmmAiZ+S*5_TU9peGLti5>uhC)HTBvFjQsB2PL3!w(7ip(q
zPeRaxZ#~xapy~%~A!08C8qpr)bBu`m$htWl`Ff+vJofEu%asr_R%`J!G;-FF!E7Hi
z*Unv4Mm=@3bZq<4ovPCFQ?0gN_*ivM&5LlS;EUu*>WDBEAIX5}Fd+5i4acDO0zoSy
zko-h>AL3E)Me<vHMEK&1bomNy*-xONlz&k$h@Pv$GY0>)s1ZYk3Y<~>@m_0vP9k|3
zm|jm%Jnk?5e{T6#y-NO9{p8K~`{P!<v*LrJCLug$<?L~}CA<(TB07udH1~dp3$yj}
zLrrT`z}%ZusUG<C8#&v|*6$BB$F`dDx8zSWJm%Qf@q`8^R9>8v{Q4t3gyHSZsli|j
z->eOG;=|tFK7DI@s|xK?(C(m>s7+KIRA41$Y`}Q5r{NSAJ)LcLcB18&l>HSaM|#RC
zPK@**^pG>O{0oMgQD77%kZD7(Wi66jFX?+-tAj1glzuj4&;IK{*fBcB)nrW4KsgDV
zP}R|y(DMDXk}~clO5Tb64vy|#N2JDh=hemDAMo(NoW0*Z02Qrwaq1nrB@OGI7WlZw
z+}?Tq(1MM=0&T|miS0#K`^;ARSJtNa37b}F);K)4*)w+i{PmQ?!LeF6;QSjk8U=V_
zmb1<N2*$#&y6C0}cE=8E5m7ibJs8Q&s2HpaU`8KSs>9Al>-i^}))y$mHO8>f#@>a_
z)mOmJy8hkbX~4%uZL$~bQ=q?VN1@LLv_GML&bOaI)v|x$*o>fm#@qS0srx5~`Ujna
z{;8(^c@7<r>L1k)+(~P+K-Y8JNq_6}hX@|M9H9s1ja2a2b~irsV4i`+Mh%%qogbSm
z)fcCE=p_+aGZ=^9m}0V*&!MP1r@yfvp^Z;Y@1^kbOnW)nYDTZb!7<Jv4<L6zbfFi^
z#}I~orc=IY{nw2Cfw}^7RfT~*JgLwV%zN3mb3GVVYraq(7I{YPKUH#SW+)Fcs!{tm
zCE+EpO01?Z(b}`2JS`8rwTYm$$*7G$0I{?%AE6Xm1Y8ys<1!pDaXGaVms0{I(ZVV-
z@?tYY5&H`Q<rNduN$EP;8reaV7y>P$hq`c$3AS+uJwv&lx;%u9K$#hRp7Pr7%t=E4
ztvm_CF0;VucDX}6HNN(UUOf<lYWnW#z`UvQ>$GkD7Zo9<mXRJ^YkuM%Zu^q2P!v(;
z(-{3nL&<RTY;tH{5gpHdi6Ifa&Wi($ocD`xrkrV_WUMez@=2=RA$0sOIGoqL42Qr7
zAvnPZMORV}sIA!9$d69K=7jo#ro-S#L#RJ4p&QZ5GefZ(u~OV+?}pZB^xwY;8jD8+
zLeZDV6fo;WULxouTwk6^*H;AmxSp9s*K-2dxV|Qrt``KTa~7L)T@j$(xv_+<Zw*lQ
z++If4=oDN}uA=KZ1J$~UyX){7ir%L-gCXld3LUg*J=#9-J_YJsiO}Yis#mrA%0_&W
zr-rbDC@akQm<}2zg<&Su-B<<NQ>YItl}UHEQKL$YF2#D{bNdP0#-X=2w0Uwl%7TSf
zk{3{%O)Znu=`79dnRz86Za>q+T<`T%Oyvy=7A7#OX?c_XMquchzsSNNYe@2WQ1s8b
z1d3H!*{%OUo#<EE;Zz)~ib1v1QC&|3U!cgBycLe6YK-QOz!S=(D|f`5yIl#X;XxYA
zM>f~<lG;5~sK+q7ts60}-5VHXHTV4yKXad!)<59ojOZA$YmSOPedF4UE%Vw_uYs|m
zYNXlI-lKNyvM;93+V?BpoN;Anb4Gwvpq)?Z@H91_v{c`X?N8tQE7LSSLe?JjiU=LN
zSlh8Er0xkvuW>K#otXzqF{5U-^7Bu^u?hK4VaE!6{`jACPy7HLk<g613%k(CxPcx1
zmH5zca)(+i7nVZWj5R-vC4&6|GGRP=b&hi&daXb19gQUq?o#eCR60dGyA}JrlIgYY
z)6qpa?sWW3)r$>z*eKj*ujt~EqJ^bcPF_1Agr#O~u*Fa1Snp#0zb+e>z4cz~N#dhX
z1*FuX1**P-vQXr6^a15yPI_n5z7SPX)Aqcd?wN)sfE{M+PBm!y{0|Q)alE|=&wKOQ
zD!;}F(@~^6t=Dvu?$ITe;KSabc5>Q`eXETVemV>Gbt1Z;IC&o}xlVr<Zm-Y7r|9!B
z>l=)pYS+@BAW(&eHP*-Uy!tSx91p>WPH!Bg6?y%yPH$YSw4vVk%;}9&k%{by{AYZw
z%^AXz5^LABei&&Nvc@k&k+4)96@$fq$Nn|;mT2}x#MLVx3vmn5@1-iTv2LXzo8L?K
z(6Kqx>}&l{^nNu({0(+-2Z#Be^G8~w|HL0N0do?<ADf%BKL+t?NBk`GhGT)tp%GNy
ziu>9hFM?v2BH14^2ctC$kg3lfCnCqS`SFP^f4rMYhd=u59C)+#$A<%*)Zekug}Q3T
zC1>vcd6y(V{HaS`)ZZlwP!@_DLmw`eT#H^Km;CcCmrK%?QIBu)C;m9KzdsJr#kM^O
zf4m6$4RyAO?0r2#{z%q#O~XIukAHgmXZ#V5xzIM3OV$KB08(E0%vb1>t6W~W2YR5D
zdHB$MvKC8!-6!Ogs!uwQiM?{<zJ6Ybr@n)yA!~fL_R8IValG<AbS=DcPRc9a!7WG^
zq$;`u6_Hm?N9p=u4r$tFh7m9WHAeg9zuuydpReM1@bZwgmmf-{;-wcB`-y+{sJ1Kr
z+>ZP4go=)8m9C@1NJkxdd`&?u8*19Cu_d9Gn_eH8t|IG+FQV1TPxrzm^a`1saj=6Z
zloq3z_QfQX3Z+|6(6zq!>!{HQrEfl=T{p|V0UaMkD5G_NR^;yxkG~0F=<qb;bRNV(
zAdh_>ZA{-U!CMWN;@)(~%%HNYy{1vnZpI!Cw5x(XP!F)|o+F?LHujx><f<+BjRvKd
zip<}0WTwXrnHUAZmH_13v3V!z#7Vvro6km7sPS<6a1Dg#RR8U@-y5NgbovXf0r4%0
z<at!a=OjvZ#pm6RtI}KWVV{fL9gPR-wmwIo@j$&h@OTJNe7<LUYCKGZqg@Ym<0osk
zoPome`X%{_X?>$BU;c%5x75*DO`r|c(n!IiIww$S{{uTJGT)Zr)WFZ|W7oR7TzSEd
zxYajUlown;QWU~>+2x1hGDZuq&+KvSxQ26ZI1fNWKeURUr8SKI*%>%9;CmQ2xx`gC
ze-yVMJsi?{gdWLy&0@XcI8@RDh#Jsmw}W9fYNNK>2K)MLcs^oACzp~Ta00EimU)xQ
zjhY7`75`qn>N)x}REL9a_&C)%iMpjpZG;L-&FIu}Gg_y&q($YXRj)3i_fxb&fe79B
z7-m{HA%e73rvYWE%_kAOZ80XYEHmx4BhB=QndV6o{iaoG;!aNDN?sqifbt(a)`$&m
zfll%7pr29;zWCceL9Iiemde-{9p}~SwbW}tyhDQ{)1X?{=@T|`ta8!<PkM1SjKw>R
z7HF_bJ;|b#YF59%Nv*<p%6n<)IEVVoo`_Gi!w6t;fi*T(!}f(k$u;&C7^^z%L2vZ-
zUKksN0$VSLW&Apf!hPn1YS__O`7zatVcLk4X}zM}atsG@FN|dzPmf1Xb+$bS-9rz`
zeDpRawl<&RIpbmW7bsOfny~O{(k}a)LFpdaD`81J?q|-<?ngzmB1hNL`I&3TIL|M!
z#muFlPYtJ<GDB%w?K?8i4&=*5waOry?2iVcxfUYIF57z$`R)sWDwK#PTr}CCg(qW+
zrru_wBgIm+&<|VPMb=j#>*c;4LH?q&PwXeC2-J#orYf=)rQ`ICO8=Xx2<HtDQKt_|
zU`}84mXh5WKKp5<!3`s+-K0y-w$R>hvABR+;U%CNC`TK(RU?K3>qZ<zt3oqxedSk0
zX`eb-jTLk_OO>ABq1LJ8q#q@@_3an0>ghcrJk#2QEmPhOqsBs{>4z#mNLCUf8+1K^
zt*Xz1#lHHkkV@Q##1slo-@K;wN9w#`N^b?Wm-L!L$ZEs+m}%`ctsh^avwHjN1HHY|
zr|Cy11$x&P96+94Te64$j6CMYcW8brvR>x5&eaITZrM+cj|Ya22TIXw8VcBn@1mn;
zdfb`Y&;Rw}&VKJldfTwqJ`N4QUOSv-tIay>ix;D4cgH?{1C9PzP2h286<>h==mT1Q
zqdc43zn&C+59OHAae?z=x1NEQmOi(KzTVsW62%*P#{n$ktxal_oerXpsL@^L_0oIR
zFT?3iqs}MIQgP0xJ(OzJYbJSM45!1eCO`M1o%9O*eW*zJ#v5qIdTN1bucV<3nQU@V
zyalq${shB}--;fVo{k5)*m3=Xa?;?Uk&=s773kq&J}oB7@pKer;=vm>$QdwYXQb1h
zqBHBsx{(b&`*D;)FL`mHwW@r)2o3+oC4H`d#2O#!V3Di)R9J~i^(Zo&_mQzOPOhKe
z@eF?-bx^Qw)DZ3On{NCH?&^cwl3IG)m`^3=!mN0g1_r+Ehdu+pfnrhy{sbb*z((yK
z;H_i_lPsdVW9-{zIt*x+(xB;QrgdaEJ)%Ftr7{!FlF)=sylARTqXN#Ft*`2TFk1oM
zCHI+o@j}m5oEB%8v5b4n*3LmV9#-)KK>^1x)@Elty$f$?jI!sDm0SU&0M&5-nXi<<
z_aPv%28#<vqhtG&I}exZ=vGnQr-nLB$w}z)$$mqE*;58<r^wrM<Cmex%cCH-q^1B5
zxzML7N`1Q@mW$n|9uCnul!6D&m=G7tyzP~E-{EVzOEJjNyUmQW>ich0ew{4DFje{B
zJ6LroAFn+VrsnQ4R&0Yr(ge}#rf5dM5i3T}Vx^1~^j=@`Y7k}JWGSxj#Dika&L7kz
zMVxnVX)k|;=6f6~oq@9rb?WAw2Y<wQ<qSMl$K#IrEjk$1(I*ZvKEig^JA+<N%}>3b
zN@pYAuFFKbuxfaV%F%~AAER(O*9n=?!@`!|w94?5KA+rIP4ih!Jf`Rty~KwYUHPqP
z1${XQwVsEO$X3)>=`%2iBi^-mmgA)P!+ys%yxw;ned35_aw#<>)}oeQuVd+HMsF#_
zv@rvx)+ohXzL{2G$=Xfnec!J$qqmph2Ay{#AI2WoRR!<o`O&H@f3Yfm5|xkQQL9?v
zjYZiwOY5WRAY~E?{)sNMeM<iR3smW}m*PL`qi)_xH~XfadRnu5jTc6+$a&)T8J<h^
zipSco)<LZgVI6cGSq&>m`;d2NpsuAognFrBrx}e<gr#0={c6yR;1#`{^=5Qs12J^f
z(R$tY5@qOZ$GZy^Bm34}If)Gj6<B!QguBk_Zw~5%B1c0J`_I^J(u2=ltkhikD$k0&
zRE=DA_Sf`vqqVf=v;*q;mSTHt4-K4K%IxRV#l6`G4>%`ukDvD{zor9wD#N2)b@^uX
zJsoQ0EfjQOYnA0+e^y;9dw;Y=U8@c15uJ2>i`V{O996cKelf~E6yME(dCD+3*nioi
zOjS-31qK9O)w{P!U2m&6+DzN0^yxA6Ja6W`Q~5PAlCZr{Wqhh$34d8}sEX&&g+6-<
z-N4gntfAI6ljI~_MS`x+(%0>DeG7)78N0Uut5+E}&~6@aeFmkiOCuKDSfa<Tz{vs3
z|Hy;9H^5@_7;J+vc1x)hL+#g9s9siTZ+cnbDsyvTDOr(jA8eQE+g0|H>UM24-NAgc
zSzVDFD!UYw#mjX~XE-&PRv}KZu1x;@P3)=ql!Kl0^AhB{tO5CcK}+G-==~31e|4GK
zoum#iafDfiZU{%8q-w($g8dd3YW<eLcrH<^2{dgY>Ixz1MXP-FCOidz%NjMW52dr}
zmo*<{ulo*tO7p6^`5A6T3p430oV#De;Kug&z#dwptfV7Gq;}yQVWfI63Xy8vrBWWc
zN7HyPy82ey^F$K4RHnCfk5P-4^wi*rUxStfdsq7)Toik(gg$T(7aQ$EQ+Z6%5o<jx
z7RE9l+y1lanZnZP)54f{{gIY>l#Ta<_EUAV@r$a$Lb1m(LBiIKYqNtb`7jL~L}8A^
zmSptRPHDm32dN3c>A@Mb2~}Q@UWvs@!>FY{^cIReNUEbh!d6E}&qLun_!B*5xLZ|#
zBeHBtt;|9}bn#d&Up#2y!WfJD#vw-;hg|AYuf`Z-uLu+yW2dNR7k85^o?EEDf~4l7
zFy7nM^I1{e*W|Z&bJbB_ogI|XphFv8gn`u8akve5kqo-i8w$V2a8QPiR(b6?k1Fqb
z1k&-B)P`zT2;X|ZEA;oJ_Mi4?*b-4qa9Y^90J7I+D_g}|wd1XTu<8vvK;C1$8(*)>
zg80mLRq&cgBIs4Tq?!>Rd)wdRpdh{hayWmc;Sd{rwj+aVN0a_^oR8+%uR(O08M`$9
zDkpx6xD|{RW)wz?yb=4LU~4ix(s`hep5_^~x1zD+wPD(AzC?%FA?ydT@To2`9pWd|
zj8*w3lVDb)bI>_y=8;>lN}}gqkq_}@hE_aY!NV7_gPH_}{V~IH8I-=`UT*v4XvD?w
zQz+Q{*iLZ(4<O-C$hy(Lry8&IdD700W#k#P^wMGxp8NU3Y2D=Ue)YiZA+i|8gP+dp
zu>ssi&m(<iY@F9#yn%|N6y3)y63GvzeXs6btnQ*wv>wI_g0!thsXh!zboX5|;X+td
z7`1;@{XP|ytY|@F)l^i7EO-kJ8(kbUVFZ}bH3{6qmZ7&jgq=dQO5j_GJM3R~(YHyJ
z2TdlU>O&1IlId7wWZ%u*XlO7xRh8<aH8Mul4*TIgfg50IN5G%6g|gq)clRB-8(Eft
zH~K!rWf8VySkTdd0sDV@2=7j9f&zKlD!-0*Llu3HM6)LR=GX8c^h)>dGB6v{1KlOq
z))Y`b@On<~SzX(fizqBD-$+psZ^if9s^?Q=_M?O2m!o$gJ?TcxaO$Sm=z5f|p2DKj
z5j01ll3?6}HDA{ws-E~CA?E}rrP!KBm1378qx}Kx;Wz?OG)caSw`5d43V^6{|2?R4
zt*+_>S5@}6PHU2<V-3(ZCAj^G9^h77rG~h66zxlX<t@jzYF|pZ+4-??d9<(a*<N)E
zj)YhIm0u>~SPScQG?ky3yrO@)>kp~*6zjd5^nMb3lAHwfXg)^}#-rX_1I4_@`M^&5
zn)W!#kuHSI>1J8#=EvQsn>o0tzfib%?;wm#yqFEI4(T^ZKR{rIYtaj!uu?F(ER&oD
z-wJ@5Mh*3rk}ixEVhW(WW?Beej;a`rua(hpMYlQj4U7*pqVZzZ4WlCVAbLS-CAqel
zhPS6N+QPAOjw&S2!70mc$RJsvSjI2uA~X4&>actjTOw7Xh8Q*fB6VYf|Ey;>p82NY
zz_@Sbdk|-eNYTufOvBqUun*fUgg%ZplHG=@od>k1BO$VzX}w1WQ(5->-8cY%37`eN
zGeCHgJq0lNE39pJ-KKmV4)j?)3j7deNUotitH+A694W^mA+ZP&YARbBpfQRW<1Tn+
z!K*5AmFh15_tw*#jibVJHThK@jT6LbNUzPNEO>_mE!PhgjlvF^fBh65bv(Zmb(~0A
z)KX`}Mqh>E^&H`W_fvV<c*h(YHZ_y*v<$ib+^qvYRe|Z5r>_}2T;MqP$^$AYq<6b-
z?V%T$(L<=K4f*0RYH=IP!FK&8L5i%&fA+zz31SKBNj|C;g@ea@rTT^YEay{qpDo4l
zy3=Pxc!P$VB7_+0Q=Va3U;m7Abf9n5G=sH)N4+$eoQ_^#ot9AbtEu`iRK2xBO^bBX
zJ`?LL6{~6!)`rTkx`Ftp1KE-8n?}vfee{YCeL<(0wj*uixUtbaclO04d-K0Z<lW>D
zII9+|CDB%hc5PR)Vr=jU=$7~xSg0UsVzwE*+EoAo+c@km5!mj=X0{a-a;8n#iNsIT
znMQSOfe!m)Ah%JYc0kOIttCqh{)Fg>M7MytR<L@%hv%Dp>r}jqg6Br=)hWgqP8Fj=
zilYAtl%tR$92=>XVzgeJqeUBN6NA@KjG9_pgrW}zXg3l0aj;P{4j}R)hUIW|agb5-
zkh;K<AP0IE;U&cB7>41fnH!Gg<5Ubi8Um!{M*KKTJoKLYYKYQ`=`=uNHG&VFeE8yO
zjjNVIgB_oq*P8H#(%ymnZj5Gl<^}P45+$nmqSDav)<)E5zp@o3vFz|zY;X{1?!s>`
zc(7=UT{MU?Bg>Fb-d1D9b-<yqTSIyOHCD{THO4vKPr`7t=fkEr)K+Kuc!e)^-;qu5
zGo1d@;+PCIh2B&>W0ZQQ%&5JAGDkLM^_$Q<Egp<3YW;7KDWzv}wu;sTTBAFaX;>?6
z2)-aXw$04zFjl-mL*IIje$nA|`;)jD5t+&3Q~`*G*4xQj5W?WjBj9rJjbzH$;0^F9
z7-#x#UEVns#~lb~Ba#!5_op3#08D|-yGHlMkM{iIs5dIFboIn4l&%-0)5&eo`JTR>
z_|p1mPtcy*&PR+>zbb|J+oD`M0gd%M=ji>c*1HS6sirc-&o_XaDIZN5id$&XO4MQ>
zycwHvn*EbEpd|ZlY|vfKPWw&0UrW7T62b!!e7y|2cIO=vliob0NhkV3z=oFUd%Wt2
zNWc9W9U@>@F2gjrrW)6w=sAH%&k(%@FbdQ`sy{>%rJAtpaS+5au)2c47`(qf2=e0s
z`ll#vPLeq*euKLz_B@2Ubf`-;q*g~L2qT7E6)U7B-09~{1<DiPo3w`eT$NYZOfwfM
z|D4#{nmuf+x*{-!CYxdtPY*g#j<NDF{5SROVVv))AH=vHO3;YA1}>q>#qSHKGK|_O
zKs2X&%^aK<Z#MVtFo$lY$AtUL*4}eNt)HJ8jC`I(OP?|5R~#p%(=&*Jj@?&q>>ER0
zsT-9}C$piv&6OXUd5#WuKnFAOG9FMciBwQ6G%fAN(I++G8`g+^9DtgJLu@>>!5uU0
zZF>*jY@wSpA^%8O@C-^d;!mKAzGQT_LZ8{ke2HnB-t0{6XQ<26Du{}XjmxsBKVXWQ
zE1*&Ga){cwtNP^0pKy+})lB>P(s16(H{#rFyK}CQV~4B_p}p^ihT`iXVe7q6>wbKX
z{_}H{dA3v>PjbepaYOL9Y*bpou^$AF-BvL4?fklN>hL<0*IN0ZG79#Yp*(x((>RLc
z^EtJU&4kCtuf^0h74Bbm2S$N)KrO*9wGY||J4BZG@pP(}d?s33N*}RfW|0`Z+L(L_
zK&=bat<dZ@@o>mkxs^I%Y`bYGs$cWOV@{M1D?tWlg^yu(Jl6Nds(WZV71=qcdLOoF
z+i1~IY({qWkbdD|Bjak8u->z8P+Oxygn3o&G#uIF8mrV^>?*y-i`G*4s*IgI;jsx!
z1cOF~@jxQ|d74~$r}|Ond3DrC#Nl1|P6S1@2wJanvge@1g?K7)_etm`euWQbXzHk;
z5Wn$&EH6-CD2A=Bs8!!oj168%JBr^@8K}Zzx39+wG{`&MIg-V=ddZ7BUB{-@*LYo2
z&3Uo#>AlryX+~`n_anRTP5Y^yoGtmrs=a+iG45|Q)3%s-uidz%W?SVFGjEeo^9UK3
zwkmjQG5#p3MzdzFR1xgu8iY>FP#$|S6zOY2H4rzOGTopv{Ti9H^pP%UoNpF-^d@&u
z#e*$WTGz_>BBzO}X4LpAY!6_FOHm`tf<=Y>CiWc3jqvXHLsIznTKHE=xEeOJpCsW2
zA?&>G9GzTh;ut#GqK^0))N6H<O3lbx+8cPH>W?6po1MQ^gY$&y4w@tI&#K2+rKjRx
z{li2D<NY=|N{*;Q)59wc*;M^13HH6ejFZYXfa?DnRr!&=nLfjP088T$$JX@CYqawq
z+6Ga8Lu2PfcxEby)=eQ_gVF_79j(_8$lpxRh|&6z1{H@!o7GYdd*&*<QRdcaxUP5*
zDu%sN`XmR^CwMtjc>qoqe{i@`<^2^ub3PdPqADDHl171RqQOhVQ0^>JuCHT_nt4k9
zD@zNa&lJ-oy^(z_Jhgf)nJcYg7{1eVxKTsfItSrZY#YZhk)BaTje#ykQhg2bei~kN
zctc?sETR(8qReRFs68ubXb-|ygRt|co0wL2K4fZh!9uNHcnj+MoXW2&PeZ6FN2sAQ
zYRu2aA%iPWyam63`9E8Z`FYVxWaVWhgcCUNL7U1Ejf|Rqszh})^;GnJvOzc+Gx4GB
zdT_2up(R?95kHv@39Mb0z@ip5H7NKl6s#8Lb~fA+`6zo3r~M&($3CBCxOpf&vL9>E
z+i@qdA8n#P?uN?Ef@n4ENefAbtEoCDl=FTvjui&)<D#`>;7HHmM(tKOJQ_`E8LKkM
z<OUTJSyqbXJb*ev_;T0}^nj-|>8mr-)T16H4&bdb$$peMh@;3K>df?hJxbqAY9V#a
zlXN7+V#2s%FZoOKMamV5Y{a+EZp^@`{0RFm{~$XmL7eZXQc0f^(XR+ZrFat|dQTI2
zqpm!I(k#NPcra=%jZ~8W;+D!iufQrlXj8ry*;U$DU7R-0DjsUADo(E}9!?qXay;pw
zp8f3Vt?#CefKRdua?CMm9>)d?-x4TQM_sogk-UdCzRvuL0|LC&e%DCVu)^{+6kh4|
zqHGkOh2qUvRk3~J$Fu~(U1*34H3O&{S2;H*u;B)|qq<SZH`sevS9R;xe2c!dM}?p7
zh*IL1PjpQ%vhq5}q$_iq(c&!o_GhUr@KHD)oQ{1fUWTTJ)0KZJ$LlT6f;;{IKZHB>
z-UdJa%Q~HL+Ev)tWI<LJu0F^UYbT%qR4Vcf!`?;3WfKRYezeOIzZn(i69Sz7qP%N8
z_P7@?H(`*Ln=wdXI#zwbvnJl+$GmnUer{%0b;#OcU*1Vagd0ny(~MaAE^JH-Hu~26
ze{QE4kGd{Td5=+h1rqVA)y~Bkv}i>hYK8bF8nkiR?>IHxuS|~J54rR(n48iF59A7L
z{P?eEG^>5tI_x`DLwK_1^W20oXr!|Tjq&026%}@P&4HSzNUVv58LQPU!dRUsHdaj>
zME^;HZjUU}zx;5l(hJo_HsYWa51v%uh@XVo(Nh%GRPS)rXw4C5O`ir%?Xl5eD$w2y
z3!@nOAv`jfc9r_lW##qp@hHu)i&}LJ)!m$lJoaO2$TEo0sdc(hTSwN8Y^>`4HG-7?
zTd(ik5&3=)wrf~J7QT+-uD$I#x+WjN*1VopH91r#)Mq2!R;?WCFSnw`WoUEPomkhz
zF5MT|c>w!sgen!%4#$Q1Wg>E;OmZVLYG&e$Ef!2O_u>Jb8rLCfYiR6S;k+c`9r_&K
z(azb{b%<UEYL8Mr8cJ)$J41(<IN=TDy|oliQgu*@R+iKIYDKY%!RYbJaLD~UdA4!a
z2`EgtKx7j}a#e0`aW;Q#H4|f4jiKm^`4Gjp!jqlyZ2S19^$-b1RT1In6I4IlE{csf
zJZxz_uqQyrok&|eS~LZx#z&$i<x-cx74EqOHaQZ;4APRayoi3xOP$PrNJppcVPQ}D
zFUAC(AF*0BaC?;eDvTQcC5jB6jdMPu_CkzHYN2sgIv}0acj9a)KEbI}X@PuqV0@td
zL#h7XW0wg7QS_onc0BnahBlOm7f?QQ4BADtT|>FB$vX++<e$cB-#ok)cLtt!3_@ue
zZ_e;wgE-z;t*os!{*XTN+L88D<!Oa@vF6h?BT*hzl&`|s1@!Za6r;5JBl0OTQ*g`X
zTTbLFc0}ps@tsaSSLEX!%Cc+!rh5lZtITMAmYJqBN^alp?9bH#qjoh8;*vHF|5E;~
z=0I9l{QsH;YrjWX#ws=ECQDIxeWdH4$VUf^+Ow2%6qXm}e96-VT3v*%r)Sc`B4-al
zeQ@OabRhbXH?jdS8?W%`860-arB%&xUe%mKvtvOZuWm}<|K<f-Tk&-03vc{S6nLq>
zFdv2klh7yGH)Y`22kjrO9f=;yqe0lFI(%w5eL={Kp6@rKczF}2GLasyQ8P)o!QiFn
z%lK1N9MbH(Y6F5Y|5JrRW@8hHjY<5d{)2rsDu76wMCw<=x(~zTypKWs_hZ$cS_5g%
zijBULgwKFdJVBLAPc40}Lo<=>6SN|JIh-*`FZ|KIGx#Fu#otmYfSP_J^{XsLHql9|
ze(UUf7$dCbMs*Y0X#4vo>Ha~q_osCe-a9~7@Y-OXeF1V8)-A%fH}(4RUfL2AS-0V<
zR_E!kgkM#w8IN(Mp0nupVetGK@56+x>ob$r;urI{y}EtYE@KtCl*iZLw_sRwFuHaa
zB8}RN#p!Q?K|*^kzHaNoqNg0j(172pjg6jjBgOe)u&Np`G@*0sxnIS;*x=i+J&w~~
z3_};332DsUnJU=O+pC#HX<vs=GX40{IUa}N9|tMB;a_BW2v7{ddtSj78lo4)&N-bz
zkZB!_@3G&Q9lV^TXZ*qog{bV};3dJ!?5p0zbN$FhCsxkXzH=7(Grk>Ka8RPBKRTj(
zAE#eCg)`Ej{w{PX^t=nt@wBDV9-&}tkA-Jp`HSyg8a2mZJW>CnE%B>V|D!DG|4sR1
zMl~m3NNvJj$L16~zwG~IC7ASLdPM(NZ|r?HvTqQ=5|V{)=y{CCQ}QXqOkO`v+?3(P
z4~%}9jN^<H`8dww(L{2LGvCqkd1shF*#w%8cCD&}SI1!5<Xft^8ZtR-{!enK<Rtu_
z9JPan5XEv={%W272FhPV`R{k-r}=ejfBC4EKab>(A^Ev3c^z75&Z@%UbaM+-u*;r+
zP$$|0Wuvfu{8uP2c^Gn0F98~~<)Qhi%#)ARRZgnD*yzrR)RueJb2M)Sr>kdJ$dyk;
z&7q>`2TG_Ybcqi=ilT7)YV2RjzC9P^t;6D3w-?VpQC>mJ`~h>L-pCK9QfHPV=OB98
zcl{ZY*I!fOq!LPc2Q7txr)pL1gWTKLPb5!A4pfB)(2&^+Ww4i{ANhsouOX^xw4a6~
zeHCQRpVae+<tYDiTFc|N`zW9w=XT^omc2_=Lm^<dL8auI@S9-V51IHss8H7BZY{k9
z(z=2RP(jxdsre*GKX3U2x$m^2Xm?3xT@ORpIqM=b*+<ZJNINsi#rr%o4iLFKo7GH0
zf6ibN`mMYhD$tK<ROYDa<8x7@THK+I>rn^F&PUnyW_$r2!_td29KDIB;w6^6)~@(0
z%E1l&mCkW6<@kg&=*!XfJlKpH(dAbl2YwOd^yqR@EN9!^f6xI0jzKF*)KMeG1y)*b
z*p=TKtF}ca`*6pa?8{q!>(Jy6*mP3;)K2tA1-8PD#(%^q0yMsB3F;pWjq&IK8u0f9
zRJmRMbe|Xgh5RcEokcb*K`zIJ^!09^y-ja+N~>Gc8G=!JEOZRVPPiJ?blu|Y-*`7_
zMlbc+rSJiqi@;4U%`CzX9+30vjY&MDeFAHGwLV-m$*01orTPP7suYh)=m-d!ymmb{
zI3w((WI-&y|BYvW)2Cr#sr?$=rbMF+N|e5fT78S}a5H*_QCoqyQ~jG!M(uUDpnPZG
zVJ3R^3fxscVaxF+vdrr<YCa$jP)A9F@cnRgC{=N=bHIb&FMdaT$7DJU6iiIyobZT0
z>S1y!^s}G;JKNW%&jwRpYK76^7AL22#zy~GuC`7WQaHH{*>r2MJ*lU_#qG9h@DvK_
zK0|l4W@$+}ltz4_0*k0X*q;W}It)J8=`Sc3>zNVuP3S0WI!2(kwKgiAtJb9_$HN@1
zM;`oqPYwIeP)__FI8cyYm$@9p(NCRyr&{cM8;C~JmS>=JWLXwYH4erg!X(=aMOuo2
zxIXFrMzYV?_HdqUtaui|3Jq`$9F3auU_HmcM$I4TcI3qd<Um>XD&g85B;X}B6@$kf
zfpA`%v9b>LLiE0~;zsQ}s&})JrOe8+VuQz{0m|Ok2E67B1T^K&#W3|@q;<5G$_>td
z)sBVmjQHCSBUK|ibbUtcYg9D+<r}=8Mqaj`ZbWOTiEDHdYa0oTT~DrqpCUABvXm7H
zaoW~MM}o?eQ3TF#>7DMun-Bov-=QL?l18f3>8%ZxC+g<}uqwz^E2VB^*1uEO+m1Ly
zQ`do1GnC8yjv`xZ^x8!z<sLMM_U~$e6<q!U{qRIZF-X;Eq1hWTvZ$%3K9{P$Qpf2P
z$fz~T`B?R<{lin#nJSdI9vSt;C&ZM&$m??ZQ?w3ekq+xrZXPhh=!|xkeeIjQy<{5d
zc%$}Y^f+c7=%!DA(kgxzSvDfQGD@PonBnz)t0s)L)7<+@s*D^P_n~|ng`wE!R~DkO
zKf-LuVp>mdymQ=yOdX^bLB~NlewuFTgUF(^4#&nHO(F15(lz>sasbS#^x$@78!Ae6
zU|6N*6KI`XM27{>lOT0XXzUI=WT5_6okY*6=`cU~TRQl|(`VIJ9NQ=lc9v=*I@x75
zG+_ue;V#-XS-YrbL%0o<UqbZ2-Q)t+)?N!Wv8z%&y9+fKbyq^a(Cq(&^Y$An>DM02
zbkzvcQXk>GE+e9T4h;tV4c@<_HTRhm^mMo-m3UB~x<gT2oHRq7l}??yf9$XSicEO_
z0~l`-pvQC<979=1TkSAMLBEpe$u?dmk^!b>p%atzGmtp%jx5VYw||Be3aa~n_7xA1
z4?}P5d3qUwdiGoggDgXx$y-%fHIN|F7GWIK(X0^t9gU`fyjP6K14za)4$WJC<B(up
zYk@JTt-!MSk2TbmOM9vZsF2v`1}c3FwFqW80&6k$vyX9`{OnL_5G#eO9T=C$bv5P6
zLnkF|wZ_ZGb8>ofV-NQ6C<udLqaMe35Y+Zqi~S5HJ>?(K=P7z2AS&NU`_ca8!!Uym
zX2~$^jq7PtAWo3)sNFKY(8Kl{i5l^JyceotsD8exz5s=x7s*{Nr9Q($s>_|Ie=k%*
zzs5%Y{aUq<qGj4?&}G_H$&-;8W_}Rm(BII3{)5q{@egG`APe#@LVo)@?Aemv>Q4Iy
zneh<_C(lEdB6otoUkQxYU=>;)e*vKD+4u;TA=NaJu1$G_Rts)qH&EdZqHwHZ)I0UD
zk@PG}JygdJ$As}TCVIOWG*+tze)C%GA(74@(TwHvR<_Sr_0pX%YV@3VUXN)^-fZS=
zxZ#kXbDUiJ7c#iD0n<n+^(KDb6aBq+r<y!x(05KYX5z7EUp&L8A>VSADb{;>33vqZ
z+ReY$?ox&qi!k-H(rik;5<W%^)ypt~>DRNXA**Iux_7p|w+{wJ%`oSf`OZr9Yc!kZ
zVbXzmlHRyI5jh}A4;sHI;|GmDVw|XswHN#a!%MyFFg<xLMzQlgg8Tg&>?4PSqjz^g
zjsEARc)+?7Z>_8!5z2eRSg{=2CNp|>8^q9w>F7jbRWQw1b^V~$PG9S%-l5&NP9NH>
z=c@)YtsN?rLM78$N!tpXr>4b^$5xeoM)ytZX~=i!N2wj-*Sv(H_49)m)q+jBQL~-2
zS{=-YKKC?6FP%~0e3qVUuECAyJ@hoMAa;H)hB3Z~1`Vt8@UrGmQkCLWZ1BCbYo(!f
zN&GC-4VAWD<BYY7ND1`sWSjwD2TPIeWvmRW4EzXKYy3A5M*$;KU2z{}B(JdN!KzVw
zK}dN+>X)_EJi=S3yxLAue8p;%hhZfJ(M-M7(sE1u#_D6f#!2tIylDqj9%igM=2Ikc
zr{R3(eKZh$j!-cb`ncxJOZ0ZU7i$;$j>jo3Jg+uySl|`K=6$Os7kaZT9Ia2Fj3P4T
z9$cViGHx*Xi#!}aK2P>DR#hE@Coe;a(%v>!l?-j&=?%7i<_ive2hiL45nl}}n!O9R
zhHeKPK6JY|`~6U?;26A*yAf|J(PAq$X@m*e(LqgAHQ&tJY^?kcs~I}Z&?jEoaQu{$
zxU>kriy9lenA{W-I`zs~Xb1Wt82N07y&Bs{KHyNg;u$=C?fusyaF9E~p8f#dx$z<s
zUSOG4fVZkzccov2qp*r|@$^1#yK%?$C^4M2H<b34Id;41FJsja&VC|drv<HV@cX;l
zKPnjd9#+I()g6I?s1WPD$j%`ZXI&T@agx;@ry5k|5Z)^{$8H$=299I!W=R^RcEnL@
z_x7E5Phx0$<a=-B?qFS-+1izkTG#bbbMOkn21G;pV-Lt(F&$s5J3lrmr)wDIGxfFD
zipkZvy%oFBs~^yLoU(yhplm^ygEhv^MXxqvzoULcj2&{CcE~!2B(LT9G8p-INJS3x
z8h5bOjYwDV^cwnFs`{nQg0Va4uM1Qo?XkMI_e7FuO=%U;JbWJx74Pg{@d90O^Bh!s
zmfC2cC(l;hXsozT`Hh~2qH39pfJa`07c7+1<*mQrGCU-rSu32j8H?F<w6+b$M&PMr
z51mz>6l=sitRmHnHug1&4thyx=5-q@zo9;}Ub83MPd%^8)HNVTl+t?{(Pr{u`wE(5
zfG{a)Z*L(?UqK#&FA~xB>-xS&w2!_=M50Q@KK35YiogI*!#qkYh#ySD3T2SlpPLQq
zZ?2{y=^tG50OD7#8d!D^URg5zCxco0gL))Bf~GV00L2L9bNL>4nzeiEyTR={3x*<`
z(%*HcJ0kfJdQaywR!>XApdV_~{(`3HRl)S!;BcdsCU4Y4V>W?_&Wx;4IvKSzrzW4l
zf6#-^Q4dmG)Eb->Q>cxN{_1M<U}Yn@&RvjAC`ZAV!>KZaDrl354d1=U3*lA>>vhK@
z<S>`NNJjPKL;aO|aD|@$!|~#tjhG%5mKyhOps}FNW$9=#?cez7sXYT$4Oz9i7Z5<V
zA{#n~Ok0?<B|6MPyuKs@&vr9HQ6+@~Ka&sqsBe_9f9CNohb@j)$r3f)=c65H#5J@9
zIg<KKwLUg_-z>Cw`D0F-W7r3%fs>5jiY5ZYbL4vm`EnAM#S4%Xjo*k|um!gtxr5X7
zZ}!bdUVwbC@a$9_%EFWN4*gE5?J%mX`fga5&J~@>cq`0WjG7kG9-3wyN5c}zv*S^$
z#Z|WiOOhw5E{>=5ui{^n5#yi4n<3ufLAXoqN9%)A5H#bPPyx#SFIsYG*CV)^fei63
zP_=mbx|F9VRBo43ex>4C<cI8JvRfTw9j`%6FCmA0UP|(JS~8CK6K{ZIR}-x<{^ZJo
za#rImver=6;YvvyyCp9}R<-|+-0t<!_Yy1cd;OD3F%eZ@Yx<xbuB*v0oTvHeJo8sz
zb2mu|4vAFLG@q9GJ|eAG%;*t0i9IVS(b>L=1z3VKp$ucy#e-<QVYcqfGFw0On?rXa
zIYfVCfMn{+!N#iphp~5okFvP_xO0Ud;06>$MMaGYY8Au_5zs6ovI`qU1;u+>l~S*$
ziQtvMCM4^+iWe&NU#q=XZL1Y+xh!4?pak!T^<EXM;<H8tQ4tWy`~97Hp3Nq;@B8MX
z?DNcXX6DS9GiT16Iddl3jaMQ%a+;^d=17khDIrf>TK@Vq`*9v165n>xbTDWtQQ{k3
zd|m$c@2p&cvefSU-%yXX)LZSLhTEu`#yAW{gTXj3SO*5{!C*D7V4xo`SPuqz1cTGT
zU_BUo3<j%%>U*q-lrO*b5KbAJ@hpN+<Umw>=SkNc9ZB44$Z%!=oXoFm@N&a5w1fnO
ztc>(9eEC*Sf^f>o5qaa|Nc=@)uO)W%SDKW(_Z?+P{21Sk*Un#f9@-M$-mkXc{FO+>
zb-YK}Gv@v-K{<6n3@*9RgK(^Lec}RNZomz*SPi2>l&~?DFV$|_|1ln%aGiWXXi=Z~
z?VRa}Q`C}r6k<I0>gLmV`3=an|0A`2`^9xlHdfLHP`HgoO6|);L`4Is$a|O)byOBT
z$QyyKCOgV$bWd`g+F^Pv1(4}2tu2dGicu-mZ~ggXpGtNcb?2`H&nRTk%Bv4xWNC8?
z<|P1HChr76*Ej2+tpnUE2diIbf*}5hitS^7O?DzTYo9ayS~m?UmZIqb@smX9P{U?W
z4JZDU_=ZX&6axyUQ8J~CRNYbmyl3z8#Z_n#78ld$_va&6zhr`MirRO&@X-wA-68O-
z9onrtI7uo~mKG%{vKi&xc3mo)Yx2Dh-?fFSIcn4$lfEEmnKcx=Rxurb(BICZc}G*Y
z?^KYp-eK(saQa;36phJrJ7R!L*C|sqGzl`9p5&J2ZHof^OY~Vfh>X_YjC`DO%!ht_
zH`!iJ1C{iHjzIfRba<lW(0WhyV~oH}^%N6Ha#p~b17jt}a1yoW^pls?u#mKCkw#F=
z{%Vo>Tds@`yW(CxH=y?^<cn8vZ&9wr%Ixnl$!wXe&0BmfwHaKQeCTq1%#N}c%9>`O
z6~i^8#*)qT^oZR%Aiu8aWDn|o2O*yRmnfy)0t=`#fx5l!%pKYM<A7%xRDRRhPq24(
zC~>eF&2#t}DRkkde>@3kJi+(Gi6q|QmaI~Icj4x@g2d%tl~gp>=Hn`1?mD;~;sbVV
zsqbRs4NR)q{~IXmRr-Tg(;39NSszW^%pETrQa~*~;shk)wZ9gTnQ_4Rx95mkZEs0^
z{~0Z!b=xu684J+G6zmnSG@pD9oiAcK+n@O>GRccfvUBB<=?5AWjhAEF(JAWmt0EI1
zuCpk<-f`7H>c)m~D;4}+28h!E);cSeymbxGqIl!&q-Aci59$_CQ{Pl=<C7$Fl(U6!
z>_*3cRJg{UhOe4!#5Rw{L(K*W&V}9l$5`SqjiKBfot|P9@4mNe45{#$0lw)HuD}i?
z*Vh-?c$jiFJ^dxKcUR`BCs!{14ej7)q-gk#Cqw&hXl<EA{1Z)8Z40OBIHS2jGGY1W
zrI~UhU)H{;g=&#1_h|>^b~0M%wGET0{~6It_rV3@Fa3lFEy-Y`0`MP^uz)WX_=%va
zMrPWijPB1m$H_CmhR~|?y}N0uF#m7B8H%nXIK?YeOS{M-3kKq3k<eR}mv0oDj49mA
zXTiSMLlhfO?-Pg4AffX(s{x;SUG~L(uN*29%yxC{-EtN=Ug@B>ayWSspV^;rFt%o9
zU)p*2GnAPycS6l4@mqH9&SgTW-e*{Pv)l}oPRi>!DOq}p9$mv!ELkSkmN7L!fQpi<
z2#3Hs_UqJ=M_K+7N?Iv5))>m?5(~p(Pb_$#(5J5n_inU2y%6~=`VOKso#^{V7Cz2X
zsNAGaW4-z?IgK!0(*|Ntu7DcG{E3BfE|9c|uPO>HnkyM5VH5v2zkRNbAgYvzbMlO&
z=9v)K>xKAw-1Wv5>A16f->W6Qu0M-aR`iYYtpr>_6APWlsO^s1=|77tJ+<%=eU5Kn
znYTHAO?2=Y{OnkcU$ZB_jJm|@@f9VfCU-A6C9(Ui<twh?OtHCI<qWLu+)Y$flWdmv
zzQ%J4Efb?KL$*PVKzh>Ee|C%1o@dh4cik<9%h?Qi!U&=@1rg7>#74tOW3IMC;Lt&!
zJ9KSpg~mW0>k<aMd3Dr}&d;yA#eWGcDqx}BT);gjmqALZz5y;v=d-ozMjGe8Cz)iT
zTfFW<#Z4grp9-_AF)e>&zUWyTZ`mbLRgx)V00-mIM~DdY`s1x$KMDC)RZZqMlH0__
zTkPXTZ;!RX2s+7zar!_ZrWS$e2BsK||A`Rk3axoNFq6I5IK?inmmEcYP(pgYpkd^H
zRzsWpKjpu<bIY{8CLY=A2$ec(gz;~rRWlS=b1r=*yT*~$re-DZ7m0rcUu>JTd_FHM
z9tp#qtBtzx`4joYQ~Jy1UqZtF%AdgSxL9nC<{sa$v&X86W_#5*)_9F?$WIj=7r<=z
zu>-)D4;%8W2&wqX*A>M#Y%~bH+Wpaq#Z&c|m4}JN+D=d0tN9_fHKM1huP{}#Q0Qmt
z{3fT)4&$+pUnDVoY9w*iv;be;hwwf;=Y1gWgL2-7^G@2SgJOxXLvnFY{Ry0@bMcKN
z7OOv44a~J43zaXE2|H|=o@p^-Hr|l(Q~w0Yub})$ZrMTmB8lSxVL8C6DKWi&E{I$I
zZ7;0r72j4ky?f*$t{FJywH*D?m2ay+n&aq&Jk)%hDP8RB)8OmYC-<%+Ik$M9UtBz)
zxs2z`zZZ2<Agz8|btV?f*LY9NeUKkHDKt=)o6qz;v7lM${(iO2=e=bnaSJ^k;b`eS
zD<a6Eds<3XIM0M=eCNPW)1DAEmcW+6RO}H(zB}*HSzGfeWHH%J`F1R2nPd!G-I2sA
z+H<Jn(8dr_MDl$t+)V{=UF=j(DUWyaOvY<#T+jOBQ5o$q`P6VLqrG+??@R}#1pC$+
zm-yEohv%GE-O74ON?1vX8_pv968tjVw}<tuv4zi8B>NI2wPW#gQe81!>p^S>jF*2@
zq2A{J>-afpqPv=))q9(y|FVPGCPN#?|JuF9w@|*r*ZUjK7Fw!vvjWuH(mCpXFdlTW
z_bD19e}Ny}#XG*ve_>4|zMX!sT{-EnDZr>|n)UT}qV||bGC4!9+{ktiNBW(eEtlS}
z)qNdxc0pzHdVpb6CkR^O%BMdg6XbIJk%+tEjfw;c`J=!bHN2PU2_r?I@;WknWj{X=
zQ_CM;GZ>8ZROIfbKQoqEyp=b*3XWie7HiJANGQhatmjMV2<hYAmlxPg0fX7*Ga!lM
zcS&>VRKE^UuYDEC3qHtwsvoNi!S>c~c0Mqm|E9mr4=po%&a6(X5>kZn)WVCt^^x()
zPBTQ1KVlaZ-Io-H#vbRh3drt?IQknNoDYvWJR14!1eH5J!@2bM4mGAEsJ;^|mX9|S
z4vyL#4ja8Ec>n*RLvO$SV*PfZLymmcN)PJ!`Y-axQ(tA}Rbug`-1jV-e#^RFOH=W0
zp}GvpUv`tm;mXJ;83RI1$B-ONJ~mBXxgeoNl#2+2OM^5>$8zISzx<9VBEkV|oYGeT
zUjC-|_8DdMCf&%<>Bdj$21Z*Om7u>)Y^ZXF07U%Td^hNyq!tXdu4Wcw|0GM|-S`hB
z*9_AUM-IJih$dsZZ{;*{>DJWvcAIS<T2<8F2<76&g=K@OS7lpP7S)}_2;=U^MZ1?Z
zmu^{JQ2Pd3t`mFh#KpX1XWJ@&+$A6P+sdVVs0`pW^nLG4!^~P7YTU&od$VpptvG_0
zaFWY-2@f@~*A9x>k(oi7ji<~$_9SCtAD%k;V>+tRSvBH!jjxWqO+|>8so+Ejh8PkV
zD}c6KD-hbOaJZiJfN1jO5`z2DY3;R#dC!1DH2=8>+eDF3J89>2Z;4H;_FzqGe8IkN
zM19D|9MbsnS+Z#c-?IFIIwBf0-+Q%E|9iagT}FiFd$0ZJ?^*ptNBiTx{-Wn#eIxxQ
z&^H{+52kN8m=0$0>0{*u@X~VP8yvi8JpYZK!GEV-N1t)<-*;$8KM9{z$(FC{7T>U}
zL;F$xRMhV*ntohGXwfRv%%0eiXN{b#8Fc!Ap~ZFzFutMt@(tam96WPJk5vSUOa$5-
z<I&00jwY$R9ObQhe8bER)H>Rm15zB{@KFbd^2aw6=HQF|_gZIsX@5@sY<qI_Lpfa1
z-GRJF;;i0OqcqbmEVK1Xhkj~Z<Ku^Xc@W|<B|Kt3cP!v1=e`QQFLB>n>_bQEoj#<2
zzf2lbUM-#vP3w37nNIr71j&}3$qMP1^?YZ}JZrL<xTTa7CPz=pt&gF={hebi)2>7d
z%N%z)OC@U`aSC%fJkZCw<98m|@(+%ritjm<lTX_VYDdPm7xH=~uXJ^jeuz~74!jo6
z@`3ieWp4*|k^}pB2UvyRlnj!axKoX{y&cf704N8WtUO4Lb;mrLtf9?nu(W~k$<vC2
z)#35ayYV}H1gC$n`*+W-(+K{hb=p>)67%Vij1B~f11T?JMaaM9bspMY7XHW;)~BEE
z-C>8=6tPxbIhJ+PcMTF*+N(rBSbKk>ns`fZoBwruI5|Cn$zdlJ!=G?l*&?@<McR5u
z9`i)`Cfrt51^p=gmFUX$7Y(YI+M)0MWPbrantNq9w5;n>YmahWmyaDpH``zTymhwY
zA8(&uidnM8(7J!0k5<FBm;aN?4FUZ%TiZ0)URxJ&=I`3eSy;}mW(ghMhw@VWA}7nH
zXiHXabsQJ$eu190(VMI}!2G6r$nmePO}5+d<a5?0S#v4vEJ~xG_A1CdhY~ub^Oe5Q
z`O9E@$ri5#wmA#odn}|v4Z2*<O4?g^J-TmDKK5^wd9;=3+<@w42$9;O>G7wtaAp?x
zHfC5{uN-;gut~U7)1;%{(6!E9z;wL+GjjuaN+!F-Dg^-{rHr<8!^%lphEa;S+;)R~
zP`P`xJxQxrWYH_vKI>0{ZNKwnV28Y+Kf7l(<48AU?oaiH_@jH~K-?Yw_xG_DNHjTf
zs(^R(9@+=}C`r`NFRp>I$s1>Q|ItJ0?)l)Xe$I`<NBrIFe%(*iKPf%EpIZ7OEq!mi
z9JT2GO037yw%r6hwkA1W<{xbNOPStr>CCSqplwwz*);H)oWP}^lZD!T$tInkPR!B2
z-idIEzIs)LCLl8ZCh8`Tbus{Coe+_P3q|6$lyV!qmJD~29tbPS#b6Y-I0AXKqXS=J
zt&E|%_Z1F*=|6*fV1qJ#nc)m1jbrHZUSQkSw?iT;*AjX{_A7BD@9Do&fLw%krR_Am
zntbP5f!qxEGD|6=XL81b_O<w<a8XlLUgkVgZ<tTg_o;TDQ>^w!$5|=eRr~GaZhJLH
z1kUZM`*{28)S~*T!cd<ol%uQ0mxlUOm-2ANz)+t_19>=?FqG#H;o+i+P@hXGc(`mr
zsLvG>c(}GE)Tge7ha0Db`rJH?hj=~23-xK#Ps9&*n`oS?xA=`y^J*(h*Yxi{Q=cTN
zFm1SlTe3lTz4j7gjhRZX@&5#LvuUN?;_q4e*np2P)G293UhNUF<lj__zZCn*+kCYZ
z$I8jpVWZgDn4$3H<5Ufl_P3o(MXeCeO!bbM#;4Y*sT6}F^g2QLN*oeG9oITHke_2w
z+G|JqgTOfLV6MIQ1!LV_-k%_&>zy-dT4#$@)hFjVSx8`pV7&j7eiG$uD6CtiD)vXx
zGp}x`<yZl`%CcJJ*X_b31ewv)FlBDn{2l#iitMs_YE@yyUV%A^-fXxQd&i*8#*&xR
zuqdeQrC>C}_^bq2T6vInKW8lAPCJ>$TX?i!;m=cl2gKWYOIA}PG1gwxOX_+?ArErq
zpkqGUN@Vd!>nwG+{<@g<aEGo}YU)P#{@qBct)_F={ed-b2t_(;UL^IDvUrvA;R`=@
z@o;-4cJW6KU|3Hfh2GKwOLW!Vsqk3pZ(FIwFiZV$LJ^OxaYcUBpTmw9R~2qv-pvmy
zEYfG*n`bI~`9|+Y_a00A(d_i6oTX&q7qQ^yc7?=ee6R?|mt5^Wd^v|e=Awt7HZ@_@
z$L~g7gnnBMxwtkFypPvfi^M11s`cV}t~!m&>LjxGI>#dgx<;aU8Z&GS*2_rZR*$cC
zKP*=%H_v|A8rRt&{%q>&wAPdScvb<9-9qn$D{Y|EFtvvo_lK+Wotf*yz{ZPAk|aLE
z<jArUks~LwHe|%qct2jQ2jdv;YkR(Vvghf+k8JFlavJMtgZ=_Rn*m04#AnsD4v(<#
z5Whtd1|Dim*hW;n@;$4G#KG<5@SSWvZ5odj^V|iZ)?}SH-kiy>Di5S={keSWub})y
z{6P}b)P~3TYLNChl6c-*<{*^KAX0ir&FC3PMS4e4b^K219p2JVrcqc>cd>6SW7h-r
z{hR6HS{Npr;f)*D6K0KzB$5>>D3P=kVB&95*CUC4I34}&7JIWOE#8TYN~Ffcn#Cn~
zR?ZE|h_`Ufy2}}Vp2wUzWc>TDI^4?Or|Nj`2U9D!uKlS8soM01<1SM-KBb0xhw0g|
zr&J2Yhrsm5V?a?J)e8ObsLJ%mqZ*|@9$W0e9#?lfs=xIIK#tWiFz=BnTKNE?mpumL
z;9x^qj)LiO9Hxng2wVQhyv8IsXr#Zp?EUq6-+-9eTY90+=WPNeJp+Z%?M3bwL6+RT
z$mwL!M7(T!ph%ix&@twA(U}qAvw%#*S}4TG!E{yPmE&RJW}~CicX!n~?{nxSsM0G{
zHE!l{+dj<K{(j0G%BMoX_B5B}OlA2Q_Jy1*+K-u3gHvYz*4d9R)RiN1Db38zC#|y|
z4bo31J(#aT4IcoS)n`%VH3F8A7R)J!#Ao*6yq|orh(E&zZ@HVot`IY3?KtlH9KN%L
ztWo`~V|!6!UTtrK%lz;U8`tjT!&QbF?eup0*4XYz@tZW-)wGz#UOXD7_I*3_q2P0i
z`+O;%>D_TB_`R!M+6yv@Gc6dQ&3~D*X{wtE{Ya4tu{893Uu(k=F_Qnj!(3`0EoB7Z
zVx#q*^VF)SWhZZ$_&EG@3IE1Y|Lm{UMF;;I3wb2}Bh0tnv|rH~h4+hXc_p12IAB6=
zGU=RVo>|0|nCx_HOt%HSX$sg2r&t^2l+&NRr{g&e2>mZ(YDQ;kOfPqrDs(lly7hAS
zOogx80=2FUvxhh-J!@ZW7rbf9oA5;Fa~Ng&om=Al<vP&R;c6L?5U85VFVQ2k`+)k4
zSMeVu$yO=5=|k=2?1vX<za}3?nSr&nQ7)jr?n-U*qV8KLhx&TKuoRpepHWm$cY6IZ
zQz<R4Za?!(6U8X<&R6{+ZyB?yQQrxzI|&Dc>zKASde>&Z9_+pn&H1_fHZJN_*$|kW
z0V`&l15DpfqdP6=5*0?*BZouRg={Z&j1xyjqpLr@?owu<2ob+N$?|PEo_w!}R@ou>
z-}w?b`PyB+XO(Z>|IBBnob7&jt6#lxhHqAkFEc%;b*wlH+sn``-ZS@8f3opG-kBNk
zn$)jtp!<&x3TghBWO}zYJ`%jOHa_Y<wl@AV`!u)X^BR|pPB)ME*2Z^&gx1D&{v%h2
z^rSW~_>z2PAO#F<@q07pfa8=z<0ha;$qTATjqS~AN$}cgKG-UW)c!%LyDiLZ-TU7r
z2j5yP)SgmnyZamv=-xxOxTB7(RnuIqstW%%qF?XcOOPe+*ItAQGDFJk9^S!5$D3z(
zmtPD)TdQUmyw-vC`Q)!fX4ZYx?(+m!T;mKM845d6Yye}PdwymKqAJkOQEnat*zlph
z_NC^wX4!L4ddTeUxQLRO2wEHUsy`l^gGXCHWTxhnXZlK~c((59*a+7RkSiy&T5x+T
z7CLpNZ4$f+=SXrl_Cz<sg>#)gl)n|4-48Dv6dt|nk4KfJzf2|4xkJ9fY>$vy8Csm$
z#BXSE|0&B?;&T0dW%)~?hObmU3y1XfUBw7CVzl~x@fbTZe3h1xjNP$XLLni}IXjpl
ziLX7o)X9@j;|!iyI5$pH$}?g-qLW?33o8eYx89*Slk}FH_aJZeH}uA3u95_F&R!vZ
zoKg)#^#Zqc9Z&V%TCL|WEM+6{7~`^pP$9A8Uz_d6Xir2C^+qiD<a|rKbuK^E5{V0;
zn|a+mDgws0jttE?2h!D#07H3K*56o|7it`9PngykN7>VEJPos_-FX^pPyKk>pQq5G
zGe)2vu8eR_uxVEkaK4<l+emf<Mn)B}@&~mvRlD0Li_sb*ctK(<J8a?h*EIvrgWxQa
z37cK14O2dTA5Gm;mRDh!%KCGs1IH?oV>swr$u;DQ#`F)bsx0eW7$!DMe?=2*CpK?o
z*<PHiDI1`0GX2BtZ;C;FO9$$<xBlUDJzi1i8+dm#-HKjea<qEzr{Pr9Cn{<m+{QlB
z^;*ll620#!$1y#GfcVTR(?0~-t@_5nOf1_&DLwiAO_(4xyTT=ZI-1#u#9rQY^cB51
zGh69{Qn^z7W&>eN<rQhEEl#U<Fr1(DV}=o);y44IBw$u(dEWOF$Ao|{N`!7@AP*<r
zW_k`eg9!mK54)^_PpD-88NF{*0X!<19_RrL2V)#zd~T&s{gLG+jIilns*iF6VXEJ|
zLpu}>Y)off<qCs>xyIkfUR%tODZZ+=H*9%!0)0nKqU!WN{Pw$pE^5DuRg<W>J33A0
z!dlF>rLbcN`w3pYG5ov*fHP{B*iUud1@PA{7gi=x?~u?Dfebmnj)ZLdpl_)K$X{^Y
z?i^wYK<KnX#tcb1a_|eYsDjj&Lol(0Cwf=2uBvn{(#XPr;ne6abdy1ohr3{9`6a|M
zIFu(vH3}`7rL8HVJm1z2$2tb`YU<8CfgelWFLXGFA1z-QYRUtOOj<V)3Mrg`L9b;Q
z0+FyEG7L6=Eq3Tq0nZk2W%82#xX#`ZiWKLCQFc_wwWNpZw@Q16>;<jXZ5@}Y?cdu=
zFUwM14$6`d&`Z@jhg`hLaXn?UxAcZe>U+@xb~DPFoH-i(X+rvP2_N+iM0w{Zcxa}&
zJ%004PVAqHcXj~_k8a&Nn2tp?@$UeHn!8B5J4)-v<fIBLh<N@Rv9Mannmp59n$%~p
z<YVhpNAlECYx~|T#FG_87S#LqfGMzI!?9G8ifoUsC$v-)>wua3PqkQ5k;JQhkhu4W
zBE_X<C0s$096ONkwu4v2IWdqLxgRccvGR?frX$fPqWRDJLZ1_V>Zj=7SJa7wriu>!
z0Jl|#4bq{qtR`uC0%Le;ZZN7tiS|I+uNdc-5;w_RAPEiW2_3Mkwumgx!rSRHz<UY>
zT?=LA9qBVW@xhLTx2(653tO!5k%3tAh+1<~NkwGvi{8Qu-1iI8=THLlyq(f0<Fud*
zs%oEx%VDI#Q;eunQ@xHP3BXrS$I|DK3Fw15pa*c13zzhGPXp|(>%qW>fOWBta^fCU
z;7z1%(e;kp31^{?h&J!-b|)qn3w_ioc^adaVk3~JE?!|QIZtHMA<4#iDn~hHeRvjh
zN}Beg2r2G?5p+ky*b;$&v=7ESmYhLtQPy+w9w9N3y1G4*zq!7Eu2k3p#Y^yo1BX0@
zuBFFA^HxOi*WzkD{iUI68$jt~V0aBRTut#v+s%|7$U_KoAcTP?p`XE+zh;eS!UZZW
z6yk8dSRvh%!}6aVVVt}T>FYIOp5cz#S<eVqvr(vNg$_Z1oG(mk(QNS#dByrIn^?hc
zsmZG?w|$sl{^Va*3InRT`r!n3y+Xp4tSi{<YSR#?9f7T|L*MEWSsZVAWpGi&vo>3W
zHe=7EB3J3joWt^+^D~IN(+liQvGCLRNSwiMga^O8l)+0N!u(L>dzmi<w|@f(4wKa{
zX=xg2oC`6+@$KOFcfRnnXQ=UP#FQEnYB*H_%OVz2CWNozu<Z!aAa#gUYWiq$XXf(B
z^#0uGB;Hb-NdPH)qp30N_;#EG*qozW?upD=>66H9?Md}J|L{(8&wEolkvP;iVjJ@A
zX*;a<DjI;>2TN9Qr_nA1&<!>GndX7i>8usgWfW^-swAgSuc>R1X|?z1yx-s`p`iTe
zx17Z@ogs&zmJKt8diF5*V;)Q1^zCj&u|@97ZlV5rKDr71AnLFu_4StQ>at-^*hm2d
z?j&>Y9c=G&h5uZI57#=ogVRC{pJ4|i!bm+Q20{(*xfdbJjSE`^YQmmEx>wNT3&buR
zvOaSpARYRzE+1=Lpy?n8L#cIbjQ!})?UNC-<5Ru*#&kkr>>x#<Y~qq^Mp3L=zP<gO
zx8!}YA)sQ4qs37Tr3^eyJ`8<7mRPMzV>aU)s41Yaos%Uh{+6SwISx!*%S37&nUET_
zh`&?|&%wQx3bEciu{-0Zg{szYPaX0V!AfMd3dEKlHgc^mtf~{<1g}pL|0N=cgcByA
z6d=KuP-A)I)*7VzRJ%fAha`oYq<z5^|Asc7P27xkM~4>G_H7Tx*RxrE3l~rI+CQp@
z7a6itHDK0X$HUMUhH8M^J`VX7OROPWS|oL$-@AjiM$5N{Lw7$PJ>ZpSDk)hJA!N?4
zmxmU;prp{_*hrR(M~ZfVuZAMQT0{4)h#c^iJb{3HPp*@+n$S{_(Bp4K^WTb$(kip=
zUt}u(9+%4K0nf)0ZIR{w=@A>;7CGRf=-}<Kgvnnpth+k%HPG4d9CWLRJB7D{fJQwC
zt{#JQJ`pD<6z$82{5-qz%xHKBJ?T>@HiCe8p+<L-xoWD5M>v$ZWbz;wZiz}7Odx+l
zgG&X7I4vosbSS-!pXLeqm2`q)H{br2P2slk3O}pHab{UCx=!REA2EUkMpFZZM`ryX
z0L{jHvA936(3o!s#TlLTmA)`dDJbXR3d(7*Hkp~ZAknIpK1jwRZK_Spm}>KxiYl3K
zhWC5c$O;^5EnQAa1r@Z`v9nqiEC1%2pJ(lfoJ5ZeU89>#zyC1OV-+51k>xwNC1B%8
z)hwC`Ifv3fczK4+@ztrK!nvVErKp`f)S<dh^?=Rc1GZIit-^%%Sb0m``e=L=?ETHP
zkKndeR>M+ePq5%#9`f#{0tezqA6itdz^=*;Z<g&jbZd`Iv~kZU!(v@%5l?v8pU!fw
zw%URe)HA?4Yz~>bJB{}VE^@$kn1|DMF;RyVmi32&J4x6Xtl`n{SSj6(REr}rky$32
zkSXV*-;rfCS-b~iJ;)VI>yQWGWy+R3za(|WcNX%tFV!UHPNl0D=Y5h@1EdU84PY@i
zXFusFoz@?*Q6To1L{`W8BXi?7lEL*b2%0Z<z1&J?F~Oh8Pmai3aEM`cq%d3f3z}f}
zih(*<Ka3{iT9WG5J7}%<k&G1`_}85iUM8QDs>F^=160%eL*B`ho30h6seZ4Qb)wWM
zU8<?bspiiCsAu%FV4|6yS+SK88?WO${t#1>o39+Q!Lrn58LB=HWrbSLr6}*{&d7!u
z$1sVsJsj8vxz31or4I+s%o(hM{q#o=?`=$wnV<2G>@<Tn<0rKaN@Cw#tslbTbe{wr
zkgrY`62+Ws0E1B|LFoh4AE|!-I*7(=J>Xp@T;fg{BI0a^u`7IbsPV+_sqVwC9sT}C
z+(}cNGc9Has;5NR{nNh!_niLh<r;qhwR*>j(6id}7_y;;i<t4M65FglbKqBkDp(#V
z_+sF5dN$Nh4*OLmw%30=bJljL3ZVwwES2eFvpfBfT@tTk_rjE;%mSVmziV}DJPc}z
zVc*EI=FH3sY)kp{72c;no*X<5LA3ynKOYDlH~*YUhHnvggPN&GPMmn{+RwEv%eBff
zjx4#TH=etRwm+?GnXf>}@k?dW7QEs3wmm})^Pyw<g`Ck~D#+E~3Lg7WD11$uy$3G*
zNy6RgYX9y4YJa(=OYOsGE0oum4mIkEX1k&~P=h#HsDe*^4&+V~y`a$`Iw1WZ*koSn
zpi^2Q{5yGpd;?R1-b~fn4a8{kR9$s51XJQVC>5*(Y~KHxa^F=3f*ZRf>EPDrU}jPu
z6wfOhZ*BDzVKNv_<^_}yTD;2?mOT~HfYS@WK(oOZmTjY{xtN++iv88Kn8nZ*KU6ap
z3$n{O)q9W|*o2iofnjcG5nlS#=zo$;UhfYDpn91xryx%oW>eEksFJa?j%+mGEGdH;
zKVYgD^o6GJfXR&mp}~RRVY!&l06rezv|^C}Y?;Ub=mdd&Z{)gpD)Yr5VA$9~ndiik
zsA#UPv#VJ}97n{Il30GrDXF584t<aL1U=(8ixke>6Iv82+hgda9;=y9_Rxg#ktUQq
zw4AzANTV=hj)Q$W=06T!L$~x7V3ujKg+o1nHhvE#EoU4&0^@=4@Ae1dI@Yt92<#v+
zL+ci@s7k*AeE9UtjYuX9qYa(2|H@^*P}z@D_8w$Ux8wjBmk$_hwG0>7vhx6|qBv^!
z1B6N!I>EIMAARdB0|^Q5%@gE<2vDYx+nC^T(0=n!EAX@ZDDX<aa>ruBJ<LRIFlF|p
z9^!+6xa_+*1sviE__GSQ`F!dbPCa0B3hC*8q2^}}r4%Na?6BGsfKJ28`>ut2c_gR*
zkW;udxN(r-H<sf4(YN|sfZssi3Yoie!~m7{chGwYnN4c+O8P94JPkeY`ie;E37N&c
zv8O1ldMfH!<`c;h67w>9GoB&ObDb9^wQiPOy)OlxO2xV4X<X1oLr{>j>u&D|HKf`R
z;9^ar?}-41xP(iU@Uas5xr8r4Gkvl|$6O{#nm3=^+mL^>WR!r%(pMQzO|`rAy2{Zb
z9CC*Xxq>cz*SH(V(f#;dX8uf(>0P?A(pA(B!+try1g6;J%5wm|Q~dd~tj3uu9V$<1
zrae!noDV8uX@!T$7!RBVssn_o)E>qz1^$)-y@M#qX;dTv(@!v_TQU9tu*_byPf@L7
zf+?x-uMEIUqm4C*kw(?Nw`xC{+S704bht6d@7>bz5Nn2s=ZDXxfI<rJem34{*-cCA
z_uSyvxle~D=`8?)o_F0}KvoWAwKs~VKFr}k5E#MGqFK+A(fh3^bk;`j__8Y=XFEK8
z2N>iNIrpb{XuzYRK_9imr@?f<91Wr>vWOz-EFHhz_EnDj(SFe+R`BKwIbZqz2_?Yh
zc;%N-gYGEx7EVS5Z5$w-v!!;wwzISHORXFJbbI?K#nK2h-meTK)qQHa@#~o$Y&ZUC
z3Z<ndQvshT{++!8^!`dC%n`)g0Mf4m8O(-8{_R-X$?z~4ydy!Q)zF|GmBe^@Gsr;s
zMJk{E7i<Br7}!efPWx;;47^_k1ZJaU!u0(#THnHKdjf=4IfUmiM`p&E`sefw=MO|x
zkMJe^cTC34=c9xwA!0zW5-)z1>-zsgBl35|B^zAb*t&JX!dLm&o;p}>ff0-Me!SDR
z7b!oO<f-#`M~dI>CH`0W+2gs|H|NYrRYk7&F#iKCQ`jV0<!r5XY^$<z@V8#4u#9Zj
zR|wi^Y?}hHjwk2UD|4ZXAulIV&{!{pWCy6JE8YGtMDGSx)_ldkIMZm~5kOjvd&JP-
zAL2&*Cab@>^S)22q0}xWxs>85Z&80*nNlm+<-{;2mzF7W(=7p{^*-PQ&XU^%I1E0U
zVNpWuOOK|ofRDT_OX2&==*IMtuGv?zJ3(y`mpwuD7bbNTx{H<l2(qg>=DzehIi--f
zr)9Pwc^jEC`NlByV8G^^{Kv?*n&~$^OuK@qe(&#zJB5#&MGqO6voFgYn=ESQvCVZ7
zg{eb{Yej22pPi3ymPNyzpcfyTUMUe1vd9tHebEPuv&=M6Uk=|*;5~+U9<Ak0+b{7i
zuWQkU2g~aI!BuuH(jxcdh;2h=Y(_uo$pYu~7_0LB1eIg`Ljbzaq7!o0(>?w5bkA7%
z3b&r_DfQ<};o)2l<c6SYV|12ZZU#K=o-j898e5aBmp3cpbYd1o*p55)>VA=)4*h~o
zHR13ZbSDUU>mKk*pNXOtnC09?^OdS%v&lE?uACc`nOK8+qdQ*lL%bzK@wi&m{!Ww}
zd>0boo}BeaxoQPZ@jE^Fq7&D9sLn5`v+Y(Ae~@}KAqP+a>FZ~KQL5h;{eZldMPz5D
z{P_}Ch54gBeNv}<l=hgb;vZy$r^S@VD0?SO;6P>X<(Tqj)qXamwAFj}RU+QA@=p9`
zJ48J(5xHZFIuqz0Ik*AsS-wBtMiOtNe{e2QlU?1%Q@4@YOP}tzFfhy$AqsyUmMP-3
zPpmKTS!Z789fVGAIFpG(P_Mqn%#g=SkEc7p-$O(*b~ip_*%q$Rk4`5Ri#y8iU#Iub
z$@Ys!tKt^^Kywft_9Z#bG7Nsl-;E?{3|`EsUVC@6H<DN*W?ZG>h$|T6RPDb~9j%Qj
zLVq3e2!gg`-wwut{`WA*>9}FL({W2r;}+R>G?SReq|X;>-GgjSSnEO!L+A(UXc)wA
zFog^nVB+j!CQ_g&?vveuId2gp4dy&6H9P-+@O+RHIdQ~&rkUsVHSw+Ob%!un%oX0X
zTz)N)urawnW7&J}`rQ5&UW2x}zIhPnz^dRj-s*b9x3a#)``4~?YdA*_H_P=<{TScc
zFVwJ|t`kt>I`yHOlGJCAT$Cf0smPc$^5oZcQvtO%v6|EO%yDJ`KuX+iuMgU5MK+%7
zzK$rnL6pn}zKv2i;JO~1Jh+dyDRTqjjc{-mpm}DVwKClNYwdf`5&J$_94_Lc67PP%
zCD!Kjz~`=zix9V&>#YzlS7>Xykl=+-vyOTu>q=8+<|ihVvelJRkZ1b;7FO`-=g3X3
z9og6KHELmM``f8<1!PEOGE^UQN~j@2PIpKnI)jhz@tQu35`vI>#sMGqu`RG4rNI7z
zg4|xR3Fpuvi|&N)<<INOG5R+_OfdPAmaSJ<IpFdK@&}U0JHQIaZkXYOM{8V|!Bd19
zMA;8bSFHbA3UeHgDFU(j^1QkMiRJP21@+swxAcWbd_AInd9O%$O2WQ&S1K-4#TQU<
zTcZngS5bRYa^74%b5%{zBSUJhjIS#kSy0y<w=%4hHrzM<D?1?64H^(~!w&lN4oais
zEzFjg&v*D9m6<>AWL!WvSkMlD$2s8h#VF4J!XUkmq#SMN3Aa+cy%b{hW5va43kS)I
zmtG7uSt9Lt(otX}MPxpr?f&?6-ke}_8x^GAq~uJgy6iR80q3hdHpBeQ)iOx6JYG#9
z;!}`WBtWPkK#GaeGjveCz?uPbw=l0_2QKF{4D+SrF^0;jcZ5l$AOAr+_;*tlia15>
zFO0_RmuKga7K9`{esCzUF!Bzka89}m1YAPmut=&|9?O9~B_|uSx>Z<O%2!MNIj8G|
zqb%2h!k1hKP0OYDDP7?O<24%mjpqHft9R&i%FUsxD_wGpyxvB6HI{7WC6rL?wbvQk
zWbe2a?V-jSWf=^_8|pGo_6E5J^PSt(+r`1M-(<;un`SNhvUZpl_!*^v@P63yi)kdZ
z=yd)(l63HZt{tg5pQ<Ojw~FU<5)$G*Yul5*+SLZ$%YlySeZs`c@v$X9yZuy&_?2$n
zcn`XnXC3<HPn{q8iTE(G#_KN|A4Z;k|0_OBcw#v5@}$I@cDiTQ7wXC!{jZ^{KM6xy
z5^EBh6+q_W{QQ<4YeI|eb=ukv!ZfDtRZzEPJDVI~DIyDJ!eZR;_E-0&xq_Lsv5nuP
zK@Q#0+BA`TI?=%y<{BPbn^X`(wEf_JV94kl8Cjf{aK$dE`JC{UYEq(UGC<1&H6?LF
zQ8>N>kC!6GNNZeuRajV<j{|RQoi|tBPl+*ThGUp6xECd%!?rIj6$i&xtEg0Qtf`yc
zJl?#TRr!>m*amq;${F9p6Wztl<01iS+(`cp`OkP|i(Zs+(`8n_SrykI^@6t9!MvQs
zn{{1#`>Z=ewTh8K!J5J4RXIekL(v^Xn35P*6yM46t3O%Ul`RWt1Fdvv9%W1kT~!>y
z;uK!OOI~O&-fBwfMUq|y2H*8EL@#~)FBN*}=f6zQOMm~RMlbvLFVpn0pS?7c)l)_8
zyE-%X{lPBp3%b0wba`LX<$Yb3cM(3fd^H$lKUCn|^t6+ozeMU;&o_4CDM#N*75}QS
zTL&xP_}-NP{<0*O0S*V+X8_otw|i6lr~m~N?Y&o?TfXF_J9;y#bt_OZ4tZ~*E^;_a
zbCvg!o|ExGJWEj25^ZIOJ-@*5;e3Kgb&+rGtW45Hn&A+3KY&cGbb<5Z-wZdQGF&xX
zt>>HoI5|g2l7AD06+k2KFGqMql2?>^BbBM~OZMASch3-BIdX<`s)3xz^0T$qpI3hL
zF8Eymmf#j+IW~H0dt}c^Q2w(F8sd)vaz4B8d$oMelBV#d<W*|yP8>ICd&S%H+3m)y
zg?VR*=4?M+gB4#<-=1IFYiJ9<g+MJ|S781x!iOPIyJvi7QQa=du|@tlbk1>GImzz1
zHM;Wzg5O{8eSv2oSC}}f2<UohR3HHRO@<m@sQWyzXKrro530Vz@rmg{J$lCoz>Y(!
zPLptH6nCw63yo>@@v!e>e~fP|h;Qwt-SNE8Xufr#r#ZLPi^t%Qy54r*XZc&TyE9Q1
zB}-9fHZPH^u=f7s`E-u6B<m%za`JEf|DQitb|qdSWI%28v-OnZo$(sQrH&oXn!p|I
zIe2M_YG5Xt%qMAW5Aq%?T!Z<2R?j@Z!i-85p07-qn>?8)qupz#PCpJFsQo$j&{^@g
zp-k5$U)~q5s;t@}x%sH}C6wB>+u{4T*W+2$OYZAl8@i?KCBJ`kyfSs{p8(6SDc!MO
z@$5i=bM7aj+|mG_3<_yyb;tE*_^folzJXem>i0o6noLNY;>ncW<veLqJ;le8>{$g-
z5L&!~#7gw;VXOngT)7(mPhos}&(NH2G?-Y1gccED6#Vfo!FW)ad_*T2LyJ~&L1$rQ
zsM6!$OkD|%CXEM@E{g2ZmNm#-XiJ<b3-0F}Q?vf&1gEI(ui$@|0i&?Qjf^uY^bIM5
zL_b~SxjPPgf63r_ioQ5ZatmktKPc5JQL6EuKiH6}+zVsL#J#wmqNK-~`jLC(MdsrS
zF5iv#%ECzgI}z@YXgr>G4$4lBCT}XU)9-tD5C2<LVc<)$8}|7ymMDC;Q-$ti^DmE8
zC>@+CgQLxZu$6m5$)#@eBh%vuGv`sYAvL~GZhcK3Y0`BroAo32%L_Fsf$ggOK=P*j
z49TqspZM09p*j7?I4(6HUl$rQl^7*JC;wH8gs=U(r7%I_xl#2j_(Kgkw>xT<9#fCf
zpQGyE=Fv95mQLVZvWp_}ybB-JzRmjdI=F*GY2)b6sL@M{f|c@ZW8m`>JI3=8Mbiav
zD1hk!$`|_MnrnYfo;l>95R0tqiq9L}aqhjdXJ1Eoqt?D_7&G&<^<+F~&GI5IOAiCV
z49j$Xf4DQN#kX^Z^=&`4x66a6fnP9s08Kr8Fc@X7B3Ce8W$qs(=7%JH8*fDy1>d&{
zSt>jRivHpH1^_rN*&6WFX9W_;9jmjDdu7Q<2tzJGkCeX}YWxLtThQ!(k~e)rPDQqq
zI9RKPRKLrp%C{qZQPI_o^xi|D@GebudN6E8W7dLWdKksER!pm>=#0$RlFv&I*V_ra
zVX|Nz0k%c3&vmMr%H~Le>i2a4jhvx6k0zgWi^kv-)p-ep%*`254bxx>%A2P0;*{6+
zcQJkXGaemx_>}uCh1xoh>q)12<4)FixH&Jp#S~XguPa(Zs3F3TvpYaFP$U~7$@%j&
zW)*Yc6&t)3i%)e#-8C}US#g}Q1qdT8+&+C84#Cs-o$4L)rZKpGrT7%fUNzYo6azMz
zTBf4|-ebQmFc#W{rbLrX6RhgGyktovIVYHa`nL_};6M4-${drOi@vfpAK%%){MUS2
zzAR&9I4d$u=Q5Fq2b?6`WRgNavu(aa6i48#3oW`!0#U_$zg7~1(<9U3ALn~lZ*!^~
z_rK$O`XeMN;7R0Y?CFy5ZOP{;eO6BG#z(_?8y_768dx=DkNne#s=R9Q(xLP#aeTHs
zmtVJ+4Vp)a>Pn4E{*s4c5o*YXR@sif;*Ty{Wim3YN~iiKgKGL_)d!dxzp%i5G!*Xn
z2kQdw1Zqk*2?Erz5Kr_nh&u(*ABfDJJ8TpVBRzdL9Fw`y4a)<S@Prc1cL{xzutW(l
z5+eDpan(&X>YGx&f2i^3?XdZxeYdikGyFoxaUkzT0j(TiLgZ<Bs`xS0Zx5=rQSHqi
z<r)=^f0@sCsQ}F-^-1+c)w;|~OaKH6vHl1x`n9@--s;>lZ-4KMB~us?m=?z5kRM`X
zR5kuD?S-7zr7DH|ZX5xqI<fXVI<RgR9$A!)QKAjKObw6e*<I=Sl`HC874<P|<jfzH
zgS+(*g0+41029^rup0K`6V1(3^Gi=pP#hohAKX!myQ-Ou6fPq=H8SF~lDdA8<kh8c
zTdDWgBVA+a>5z0gv<gI@qa(&28uRW>FsK0o<DZ~sy;FXlZNOOd1b)Iy4~KN7$Glyv
zh+nISE1*Z_8fuCrA9x44N8On<yUd~!9j)>QT;=B}=YK|!^E+~e(}TqGe^jsfHlH47
zC?I(ZaE3fI#ggwWAd5|4S$uzoB{FkA<BD#25i4W*o1FGi!sZ_f^D?_L9W4DB$UVZ!
zax*n9Jwh*V*QdP1*Of?nUmO2;XMDww%vzFiEJk*|T3TbMqPe`H`Re>Ye@<*#O0n(V
zzZ2hCKnN@J-|ycBq&b|Qt5G|BoIM&9(JO&Y70yp|ql~<z=DEINiB@`vJ$3)V;5E*N
zeJeifD*$rx-Sq#N{R`_ZK%uV<$9ERjmMzJ<54?94)D{pwfY_xpblzl`Br$g@x{Iw0
zV0WeWzCt@#iRP~9{hrsJLN2_O>90q^oL`J4UhPl~6K_OjePQ}{qLyQ9-2GmvGa}qI
z{aGi&i8uhkIOt*p)oAzXcXL599^qa3w3EhFHA^di)AmAYfv#Tm=3l8**7E{cXkT#Y
z`%nQjW_EmVB2~4M{%}Y75jLKYht%blalMU?Y&A@SuA2NoS&&7R%T?3vd52~{xZ7&1
z8YcQxrCzU&Os83<&%Em|a?N|aZ(&|r%-7eYXB>Gz$6$jYmv%QUzVZjSz3K#b6wF8Y
zdFPS0Gb_JwzlM23nP`}^fp)PPGwV4KpOZN<zUaW49ge6cjW+9G+;COJWm$>m(}O?)
zhS<8@A3NTQ<)~KiTzzPGXFLZxJXev!yB}cR-O}kpYS*yN@E^O;`D?*nA^3wB2)X5-
z*cpDEgP$V!QG)*liIxjL;V0pb6MS#Muj~R}*%^MmE5DoIKVZ3^xw{MexX$oX9sFC{
zfPYNz+QRVu!`2bwQsXUrRy6UN9|D+wvz3WfR*)DA6+CiK4#T^h;>4%k;>nnM6C0z6
z=e&_;7vKX=>`dOh{m*fX|27?^_s4m6i_IDZoV9U4dcdFyg3qBw?Z<KTrQGqzcW=js
zr>!V$M|;2TNbLr=l0F2Hwy^X>_1n!syNPTAlRQ{#{P-aOa=eAdYy5BY9wS2sA1VUQ
z`2Q0hcHYHhJ&c0%+@Q`%yy>5g|7JmZGSjy73@U~HW>AZpoySpC+ugbS-P9Scy&YaB
z3$J|vwzv<u@UuI^f3AfF^S|J~JPvpkWS#iww$AV`JNOOX1OJTR3xW5(ImG%~z5xe+
ze?&Lk7WqRYHR@690kUzm^>^|&3@L_0IVZ*<{va(0v8sOP%{f$aY~9B)9}$Cyy8?rG
zK?}Z)L?{1~#lOC$n@PYsAS6BUFt5vov@q)(!9T3?ufwaYI@LUciO`oPOMBRt;`2a_
zSa?}`N^-&wRMjDPp6{dmRnAn#w;om-ihE_UAaoBW2wvJ!q)`9t2=uKkUwv)w#J1!u
zMQwlg+tUgPEGvrJukNO~huVw#gHC|I_+Og|-7_CEDyGc+NqbDH`1!-T<r#`?eO$R6
zc=axSyY6d>bMoVV<Zt}{$d9t4Fo_jHZ#a{9w!8qpL(LF*A~?$G*dr<a<nD3sbr1h<
z^(V)g&E}ZteL4Sn-M;ayMXa8oeASATbFs(h2+>_Fp+znEEi30TDb3S!Kp(T!b+K<*
zd4<>Qo?B2*f7krN-{6a;178rj*9!0G-?)c5QW*NRU#H0<!F$CW$sN%6Yx=PU@FB2J
z6gUz<nf}S?{k5$xxloM>y&$~Ily`(qEcIx~WM<vytetrkG`eXvFzA<z-;D3!5?Zw2
zY7#?>mS`!q=5sAxzTG0RP{k3Jx`L%gif@uLhPO{(ScLp@`YiBT>q{wlh<$a|5_5e}
zY*WtUXo2QLLidDQr47>u3RN(_XyP4wAi;<wRSm0BL01oE1ML<(nOT(GrJ~!X4Ugr2
z-9BxIU!3<rvVbTBLgJ6q8jZIX)E*22a35-RqICROo!C${v^}%krUur{k>qZEB^-q>
z8Qr}50oZ9&XC&EkbaU)Lj;9nBbSX*vh?U12>c%@W$iI%Yi5GFy!jo&=*+*xc3;r9A
zApb92{#VG=_AK)b%Z?LBvJw!?2#L*yn3$UigtrL)26yw@{>UyqPA4^eeoh83I8l(d
z8RXqaIo%yYsb>htI^Rki3=pt=1zTgV+Dd;xW8JquaPy~yq2mB+uduQEma#`*ORgH)
z@<>H(Pk!PvOAiZUqpnP}tPGze{}rJ$fFi?ZrqP%D`cnNK#VymcNV&WW_ck4+bwc+@
zd<IuIH@uA5vnqLEuPWICK85l=zg09~!TJgVn$L}_EYvSPQ?B_O`&p4V@)zGCz!!}v
zmLNde<W$o5BG4EC+0qw+1g$)R`X@ZAg)Lg?HLmvX+0o=xH67ll4F&4-_%jOx7HasG
zf33vS_->Yyq6y&8C`FahucpNGuUzS`;tv|?Go~A#Q-k<SEQe_6r31aeL)FablR0)4
zOI}Azg_AcCiJ~+#XCO6&lVf{{UG*GEp3DX>E4tlyi6s}+Q+Kt7?c<bYgj&^q=|Cam
z#+s=P*u8*`CdXnXy6n)f*@Gjk6{Uh(HRh0kLtCsLqr~&Y)>+V>;0?vJNT&`rU6Y~s
zXULux4OM*=%l|U-FwX`*wB0-40AsBK@!?E=0LRdBZl?~dPFUk@8~6RAeanwm#wrsO
zm$C~Fr56qW<IY&FR4q_C^LO!9cK)JM<#`!SoV7cT+B@X2e<m*&m*M28y=0fTiIoh^
zf##PTTBXo?UviAV7Lk7_!xochPe0^(A(BPu&YvNoU<RECOSGGX`vX3v|Lg$w4*-eb
zCpqKI@);sGfW(i&y8Mgj6)ZV_joxyQ^r(v|zy>D8!UJbh5X|)&evjT2kO3(%ysKuU
z4novk!70pUahAm-@ruO8^-F}0V_HhPTqr*0P`rsEjp-(MpBR0|*7)$vRe2l)J-532
zi_mQLmm&RGHC)rh{apC1Sb?0$Y#Pg#Nb*)y$c;Op_?uMtNKvTq4-k`Cl6!>vgqtVX
z()UJ^R7hyiUzMG%gdLDWvGPwtO}c<e_ZbZSoZA)hLvuFr9=+%+j_21E1m`bfECow-
z$X2@-aPJXo!WaSNN%0czk;LVMGeKT@FJW7WB%Y@N`dibAg|12gGh))f&~4HZXrmZm
zMAe{~MDW}xy|fOi4GPw;s_>L_RDa_@=;S#%O&k)i;r)lJ^o`y_TZw;P{%vS>r9(Z&
zu`omZ7~XrJ&4x91#aAKH!59PkbK&NbcPf!z>HQ#IMA&z<Cj2*zj5NU7sOSPEX_QAH
zVjMUPRA7KtIXP&(<?RU;RWPnu)b4iV+)}S;ub}pvH1;mvT<Yh)9rVe6JNdnTAEqvg
zQCIo;P}7_rMfi2PAQyEmH0L_rBZ<|^&J;-vb4GH(ltj7Cd}8hav#=d*a5OsJA$Dwl
z7+J%KSJMOv$Rnyt_p1CY@X^qg%I3O!?;<MJA@JdRbh-C(xxYWsZx%B1M1W#RI=Z@i
z1A#)YjeuQju;dxoy~DeWi)iY~0^-yh$H)oIUg4l3gK-oQ)RVkdC-0CdL2NKCjjAmh
zNaTGR5r6IJlO|n53j_Kta89LHf{6F@VAc6mwb=3!prgrUDoJYI3+<c#P78IZ^7m^Z
zgE?e0wM5q@=tyN#Ij|UB(S)H_xb<XO8BN{NTfuF(g1IETis%Y-eMxFGv35@GkysOM
zKBe0ff?cG>74z7g=A7I!nzTUu-uL@xDh(@w9-ewksL|w}v3$=C-VSZ4Un;i7hi?@_
zK{0ts2+0w@sjNTK$?stXCgEcM2xb#{{vJ*OGW1($r}sYVP6kILIoH{zi7fIb{7jQ4
zXeiysQ!K%v0})uA_$-?EH~L-Mf$%G{N&za|&UQ^&r!iY5M~+dB*F@&TD(~Aru`SOC
zdOM~y3zgkXW$7?qsegCsw~oV@jKvSSdlNw;^B7X!Uw=q8XnsoGW!}JGb^11VQBxPj
zm%Pg6YY&lV&ZJ1yIM<8G>%^Ct(=i>==w-A$Xfz01N~P32{|Fkrf%Vg>Dz)uP+Ma1*
zw5LxHIQV7RKxcf&@JlivjqhO1_Bh!xy399{>=Q}d%qis0wnh^Q2Qx9Bhl$06qy0QG
zc)KofO}v`wRqF1n$n2)_v7Kkpv0=R4mET<mO`>EQhSBnuL$ljyRPHd`sHQWPmdI5n
zXB<{02v);D%=CiC(?@h|z(7i-0e{Askp|pG1HNL>nR!_x<I1R=@YuxSouYK6jz%T>
zglP*+*`f3umVQ3zvBZA}g!8k4>ckG~%&6qt4kOe$L|RE?@TMpmmrWUxpk^#_F&voq
zLVVLdswk!3_{_ziNxa#%xA)E;*cVtdt$1{E?XaTI;)<ft&6UH7ISHP;iDf`)T0vub
z9XEh{n3_-!<qFAI;)mul3ll3;dH-1A(<#eWa2o!)g6h=e#ob~_YMYWcv*;9|NUz^O
z7fxyImbVLCJ`*?IfCC`J{kSxGZ3jzIZ@BJqw0&k+pwd94YbB#n{cZpxU;?jH-F+>R
zJrcJ~bvRvneVO&FMcn)>>-6R7SD$YvZ49MR&`{O&n#g@V1!SdG@pa8%kn5ROfUxgo
zf+1f-8@hJN_onsM7uH@JG-U&&I?;HdEA-#^B07nGuxmxA=`w21mR=N^b1v_yA)jc7
zs7K7QT>|(cZMgZmJGapfU0c6IcShuenpeO&mf~VE7S*0tzeGZX7C*(m0YZm5t&CQV
zatMvjB6Lrgku}t`lA^K*6^7>ggLff>bGi@$J=NsuA;O6e$ksKLm!PhbvvnQd>iP&9
zg=_qvpsoXe&#kKu@2ZR7tvPiOPF)H-Z3*#XMZhO_Wy{~@#^FrL_g=x4NLHe3#8)#Q
z7bxS<mbOrgV=AyZ0{?qmx!`Vasmq*_s$^W0uM0Kxam~i}yjyH=OGJ^`c2Wa9j2E5g
zotn@s8h@23Z!IdBiftQGnOGA`d>xH1SGlRtjOA8}kEPCTuWa6%g9<N2lUHx83N3p7
zn?H?9P28IfEoVJjw>ma>1>oCVptOo29>dKQ#U$<UlL~kwsgQcx24?wu2MtU=Ob29k
zgNui*&8$N=p{1!<Kl}vNa?eg#iPIXGWmc)5Ov$h9UEr8-8@||Z_F0Ge{SaE*Tn|(%
z`G|f9G_rg-BQaLiKmAKu?#({X=ZOBiRi`EuRS*8Qx}3146UzpLnhHq_Ee040b;~;l
zQFKay>SJ*>gPwX90$D)4HF`jy#;=j;ZH7+IATNl#%1X;I#GX{8%*?Pw7RPPc3~wdd
zF0mwa*^EesKW8IF1HRcc<n|zcb^e=F;l0lKLs1|4n;^#89bqmVs5yB`B3yua%7(5w
zE;9IoaI0<Y!qZH4k82Nem5sM>d~8X6_MG7z#uM${)*9r6JDM|*r1W|)u_duJ2ZSDl
zq%`P9RzBW%u*eK%Z5d3Qv)PLT{iteY;|v&UbjQ@WmvUUg6cY>``DeH;o5H>(nf?@H
z^1d8soihEDj$w1%X!QUnxv|M~xS6uDTob2=^!?(R510$G$)A8#I-%rMxyd(b^?SFH
zAJ0wxKP5k*<oQarn#}B-E$=o#JSB+hfB@%BT4tq+8`!c-%YIFRTxTCf6JTuS6m3da
zD6}SMlRRMwxmf_z4aiLA-Pa?~zlw<Wf;<d0oG7qf1vs8%Om&T=F7M6gMYH=WU!=#y
zTNu3=#g}Qi*OG238<ea1c&T^W+sCY`Jhpq`nC8l3yNync9OhlGG~Sq~HZdO->3ea$
zK7q_DXoTIEK`D9{CQuoB;CNJz-s;~$EQbohsWVX#mvgIF^Q6KlRf)PHJ0fnqnbrb1
zXgcJmVv`Z#yulGU?|}XN0k#MjcyqpC{IM-PT8bm(YeG%G<qN82fppK}Xln6;fM~$A
z=ObP$0}FFz1SEyMxyj*PmE_ItBRX3$$QNgtzeC6Pi~_A20@fYi5E?Cn=I%$|nntI2
z@j|*IXI?zq0q!Nh#bBPP;;?PD`wykJ(-YPG)0r-_$=iTVN0eMcGI4=2-!U@$wefwf
zE|-I4@&}zOZ2F{7q|&K*?_^c@uT7eW+r4+s<K<#BCh3jNH&4r9?N}ylKh!(^K2u&p
z4Rb{OWJLPweqhK-kCC_<HJgG@rC=My-u!*xSUH&JOb(pJ{V#8WrClI#5@+pd(rcB)
z>|Yyb5t;icGqM0P=yJ9|^1O*mJhB|Kkhg=5f&JF^^!o%12Cgq;rA|pkRf?mW7tyLA
z$35tFeZivbX}5orjZ!`9i)JdROrBcOY2RpuRukI@I;L}%k@(CSup_cpst?WOV7;h*
zF2~57-7eMdVruc88~}zab#IugwylyTev||;YuMmqSRYX#dkCzY{-{h=mrzr$P{S}_
zdFm5tddKM3`zwTAW#YxiMMZZ;@>ieOzAln%tOwcj8AR}M#PSddH1gAdKBet)b*=da
z0hi|u^f8(-HjB|{_TRa9JvHG6u5b#?xrJ32m$0K|@Q_T&)m+A%R_*nhnYY>rkPmlP
z!t8o_#0+Au>ODRjnekhJ#%Gl9xYvQA&P@c=peGYM+wan@whPR6$G*xB2gsV%OXm)f
zOI%?riFVk>nI+C&H+hY-J-<q7_$lhaqa5Rv3uH0$eZ?)R5KW06P!lV(vz)QygyC@E
z5W5DW9*b8bna-9z&E990gintp-VJkFK2|o|JF`|BeXHcH#1ViO3<RnLCT3WNb!c<t
z-bK*drZi2I%@g}`?>Jx`S0NLAsgS$F8a2cDpsVsiItJ{{-#a#Frzz?8=rzYLz7xe+
zOgePlAhb8{y1hH>yOm`#a`u=1P)5nKo--~@Y|1g42l5-LRwkQoV<BqRjTlSK)~XU1
zH81^D*DCW|l?zemyh5rJyY90*%NzsAn>`o%#335m53N=Q)Q>E~N_7bR>nLxhpnUT$
zCqwN-Y)izQkL}y_eC+bj>@N;rAm{(9Dzx~fvZ8QuKpEn^wS?D=TBVmS4>jI&kTfKx
z$Xw?nN%}xW7zFALwr*ydu$Pk~t@UcI{%C10ex_7uX{~tq;D_JM+<Fo*cVfL=%UPcM
z?H%^bNY{H@Z69QY_s<^EC~lsNEyEl~qpf3SP)J_1wMm8P&l}j23d|nN7D|+D8z!#L
zQA$HEd3AiMPCQ-@m>Zf$phHCyV`rozw1P8kl4aq<1L{ZGG>os_to}Z}Ciwm=p)%ez
zd3QcLUcqoo4hrzj06Oy_imAU3K-X1Fb)H0vrH>?5Wm@>EE}a~A?+f(q3ys5}lf$f^
zGb1ff3<zWnbmBa<_wAl6aL2IkhMUv|U{e#mH~ZX8jJ>#5XqKXBJab^kEBVybdk?r7
zL&TR1VgMilPCJa0_>$r7ZH(TM^%WW%%<@`_4~h^DsRGcZx+C?`ZRu#RjqW_wCNR`A
z$QQcdH`f(%3zvT{Q0ZRLE@~Ug@oP~>XX|S$Rnrakn^41-dx7#!g1G*3e?4>yH4H`K
z#CMj28h=KmL|k)aR@J!uEIJY;cpM^R^pM!#_0{<wM^ZM=5h>b>-J(lMO`0zlsLa(h
z)|ZZ!ha&jX?~1gkeixz$GFz2GQ}546USUROJQd51uYa20b0VwoVrY@r*da<{iH9Ub
zR^^qN`1l0JAiv&j4CC~`u4DN%gg&)q&@;W`_kcH6zy+%C(wkiGKgoMKAKW@got18}
z_@uJskxe=JKa;I%B?Buf0)Bgdx=1eMb}4<=k&cJ0fA;+<li+@c(OpB07xJ!FG!TRF
zVoFT!-xZBIhsNPT<NAJJUnJ~(UOiW~K^qh;Zs}PBSPrj7$Y8u$ga!w>HPt@IZ~8(q
zc53Y*&Y|r&-1@w}<PuVu-$;S>tNIdSp{r^XV-9-$22d*^mK=yZCOen@i{+Ah4HzM;
z{%&KO+D<g~(@UAgMa8vGWvRGMpM${b;}N7pNtYn4AHhUF4<ubl>wb)HEykzvU<8>3
z?V$gSZs-_)5jv($ogiwY`sD?Pc~MZw{0k$MYJK`O*W1tWp1z#{+Nu2uAsl(1gA86@
zvZ<*~rh5l<pgSq2(;Kd#Ip!eT_!azaL#(Pad6!NEqYEdhI1dtP=4gK&`t$90BI6mT
zT7|md3+^+VSM@2>O0-3J!~S|VP(DB?z5!`E0l(+E_y7kiE8?#N{4M&d+IRV#ynMz>
z`bFiWm$TK(bvZvnarTZS50gQN&zZEJ_4kggGk@{l*ZTwGH^KYIj&up$$*UGrC0@<k
zz-#V&!Fh2<D$}vG-?Uj{(Qh!#eeWYvq%Ra6KMMEZlo05rK9@Ar__F!Ybe2nYpgLu_
zB+di~Q;JK(q%t?K$=v(yHxMw>#nzfYLW`t+u13&|<UXY0mC%gfov~2WYK}wBllDeu
zzpc0n2lrJh@kS+8X~uevE_PnF^GZqcnIN?2cKPiE=bVEnoPkZO#FNX&8(MTkk>=>s
zjDkq{_RyTd!vMEf%TvI<^XX`2#NJGcF{0yhO5zwTp=yt@V-lMp^HE{7;%aQ5o$2qp
zj?+?_1nL8X`lYO^GT&iB^!K~ny}g<YB&hu@rZbo=xLzz7L26eJ1=GR}dk@UW3hTe1
z%h=N5a!F?sCO5cB7WZR>i<*J3-X<|<LCZBGz|q;sAT?K>7`T7Qw;^Xz7<+xTo*xk)
zR?m!VJ@el*emFI#C;T*Jsy4|e?=nfdEer)WkEeg$Rj|+A-DputcJG2xUuJ#!U6vkF
zSbR_8IRgzXO=mVTyi>3&sk=w(1FDc+2V>wa7y@ZEemlIi?0@+)jLwW`u!S~fne*?5
z(oa3$nodKmn>)o_3yR)~kdIpw+-OV#jU>+_U8TVvdRlub$b&SP#{h38XNSPc^dP^c
znZPd8peV4?IoYy#R_iYzom`?_Q?EA`e!Z`<U0OaFJLA}5?g7-Vg0e@R-0}T@t&cW#
z%{h0pA~gGabOlv~v+?OX+O}{0f70vK--(Tv7DN;8GU5ipm$2u}_?{W(cpK;!)f7q9
zG0DHnUWazeHI|$=&Y$0K-;<Me51-3HDV!ggwXKemgm%a9q>%MEe4f9vT1mv;+a98R
zRN>q1*YD=g9rN_NEp$hU-^%3p0`M3sQre`j)flp0TVEfeaOeeZ=&p`7vDEkid>+QI
zmuey6(*+s}oEw3oXvN|nPpD7*aEkdR9J(sXEtAa=UO@D+1M!h4rh)iJaP!c>P}4<B
zP}W*UZICvpv5xC^{fhv&{-U@S+j)oT7LGZ;p}vzti!MI=5P}=W4nH)!{F9P!kC&@2
z`UL4v#xj0eL1@m8=m_Idl>-M!*fehBjV!f?A4HbQ!^^_UH<VOyOGl4ZU=BYRwD9XI
zDpN${#-~uD2&G?7Z&zZj*yUa9FbNdHMx{hJ8z&cyTMn=ujHRwU$a`eE_PbbI1i|gE
z+QlgG7~C8vbKW<Eib<af=J+u{W8(xuD8jV{5}pL<ZX$#CxskcL2IrBg$>$`Wu>Cjg
zhm>iQXtQ{a)a_C=Vg|PRld!X!FmG?2B`E#bEhOHV?BFAED1zPYXo7AT-M=z%LrLps
zq=<knE#<@l9s(E9C*dv6v-<iS##D~$)b_!T=Ah<r{YiyspMW_u9+)bozGBQlN527|
zrf1U>P=0}PVAg=j<O1Qqv~e2@z`8dUs$|;meqiOI;HHg&H#vEI52MZ<K~8|)(#j`U
zRF<COpeT46pQ)=BU{^j}1mvRz$;h~95{h}znzlUyzokjou3L&m+yG%b3<JsGSpPEV
zJ1H=jOKsP$KiE-xABqn@TR#VJaW+LRJqoe}qR1ON4H>$26T<3Q3$NG8Be;8aL`lB`
zaiUqeSUM-8%x~2(@0e6hqnmhV(bt)~l*vSkzaFT7#k4~CpQ{mB%2_E)8y-nc9s<8f
z?rPOxrKC98@xW`wKDf%^tf!dG>KXhrQZq`t-S8Cm#qDOMKbtegWao^9PU!Cgc1BG$
zJu18k<fPzSx7-Ivx>7k({k}o*3g9Mt{ecT6uwd>|odmIP6W0PwV@p|96K}Nxjr%Ff
z(3p@#<LOt8NcRNAho2^+rY@~py#;W7X2ds+yk~V*g2uX;;T&>$TUncBhHZ3k^C%&w
z8y<VhYB*YOYXsNRhnor#IdK1khiT|8f_p@8|M|+5H=uL9%U`qdKJE=%z2Ke_oMVdx
zJf^31onH?Gl#&-H$IcRe4r>II-eN4-gkrRHWFHJarbjVy{!8p3T%F0IS1iSacKL5a
z2CvYi7ef@{`ZN{441`S84^IxCooJ1JhQi;iB6QEHczZF5TaUN!0;=s%(SW=<Sz5lV
zOqx#E9*=L!58Zwsl8%tF@DuxH1<}E46l->n_K`x1Ux;FbzwH67yx4D3x(aQ4igGyQ
ztaW_T6LgiYQ<^bd?2S{3Cddv6o~-I$z1Nq~_@`UhaqT51)`pjfQ=tOxcnf`6ry_p&
zFUYjDi0mb}72<8n>35{DJZ}a?Qe$>TnYWsbVyecZa{#Q%h8SNk@;oOa&nL0L|B05r
z8)}GRFGznZox&fMHsA}KxEa{X^n*qQ{M7CY_@i?N{F#^2v+KX;q&6%vwZXb;$zcFL
zB`qs+2)cLt#{QfnI$NR<YvG`wFFdPH5)fC?5T}m0q1bQ*LLk#j!I9*wH3qcYEIiLk
zT{i>gQ+m>UGJCWMDzJe@LX|i#kR(x4+nIN7dC7S46lQDh3)+%7lnMm*HhNajc4TLv
zTPGbNxaWWa!>YvB>HL5~fNX{T;if`?{9a@k1d>@fc+zDQ{vt@EH>>2_#nE})E#r&K
zbYA~%K9@hBCd69~u_<@oz3DH`uQfukNOJr^k<<+Xb)G@TXA|T4k59&q+&V518?-et
znEzH)=6lP%!o>1#A`fM5MSWF!b`LOhL*@0g*6uS^=eN|EIg0wcOJ7&ZRv1}jVT9pE
zjK;HUcb-R#9u&Hxr_Cu}MG|j&`@N}x&D!!Easy$et%V_lw8hk($240=cZVh$;TvyM
zv5>EtT#c_?s`w}X)5`@TQk;^y{BX0eRM0(^<!Q2r=SIE9?BeB<m-T&reXPXmiTk^b
zD6?CZ$74Q)aoKtbEv{li2!{%7bCR@~i`!O*Qx_D)%KsB;dIW}^65o1INWm4I{q-}j
z3oUMmUR2Z+%in5N`y<NO6xkb{)-VUnNRjo;kz#z9^7<lc1NyH#(y%TJM{h90^ie!$
z+C_t}aYj!K9Opke_}|g|4|MGqJ*vSzMy@Z(Bg)ceswTnN=z77aIx9+o=~Oj#r^d`(
z8J7X%dgUN@hKQZ&cPAMH`tQO3Ie8*5cmLMZ(MjB^z?is$7sGUp=^+88y3kn|WX|-F
zqK@{U>ma}b1y;w;{5ocIs-q~>aHG|6K6T)Fd}UC_B^`B4ZmqwE@~w`|n0;f(V?^Z2
zpdB<|4FiCxj%DOjA|2U${N4*uQ8d}D5;@Cu)+3s~>EX5J@tD|0TYt7Iaz2mh`JzZ_
z+)i~o9jZOg#!CCJsH$5e{yBkM5Qny={TazIj<A|<@N4KcT+`Owgl$_N(wQcnFR^d`
z;G6L1{w?ZXIoa#hN#=vgO>$=3;@!>%^hf+BkgkaZENAmFea);rvMfC)Xq|QJct^ub
zH@|(}(FI!aQ`!{knj7G2R^T*(KxS-WDs;jW(!j0QHcIZLIAXiB^>yoPVARHjdXl+B
z0xSOXwn%bh88mzbMs*@Id1_7K&Ls>kDdZ6RaT)}zF9r$k$$XgV5=l$AkZ+rFI(!Pt
zYT!l!C#GrwRP#{aUz3<;$}L+lxAEX}JbgSj=;K{Giv1*~*u|XFrPxo4U9m&_Vnd5<
zdYkeWoQ3w}NM?RrpDDOk#@BTZ53ho~T6Q=j)BAyb$56S`m3A+sInC4fp9N=Uq5I+`
zv~$u16+x#|cj}aG`PR;f6yg1WoS8{fW$YK8wJjfCz`7TGR((6C87FBR5ICP);*MXD
zF`T@zmvyEtO&kJjH2LfKj$L2mg0a4l)L6QUjgz+^nCoV)b!lA98*zySxm~;dh%qB(
zd<C1^)y38FWWk#8AO&&el|I~0mwe#3qi3>J4t=MxM+>3ZxrF3}x_?`mVv}C&_X<Uq
z<;C(puTE8t!k?!3Q7fqHg&}2rfYY*UfYUM+as-7)+>$3RGYWIBW{@eUD>*ab9WPsl
z?v8-;o)rDQ`~)}_kwvm5-BiSqwxw|S`jQ^oA{Vjh9?2jaP-cdy!x5F$sgXro0>tSH
z#s;B_YRuKn-10`2`TJ!QQ%RT(R>s)2dLi;Rnp94IB>gMZ?><St_{xF_EM?Z?y%{b4
z=mH8ngaR*|zS5lOa?EHVu5Uw=vt0p(w2WuU#1c~`<g8r(ADS_ff7INQIx7kfyN*AY
zO1+gV2{Su^OFtym5S2jAhI%oK0d6}%!e0`d3~HU1M8{l2HOt5@4WhNPj{JeE=2`N4
z=c$@|fy=I!^ODnc_ZKs^YjPYD@2ZNTqGzT0GfLg2?VC(+7-6#8s?Xc|OhlL2=Mu-1
zc|Tu-S^k)^D&51hy?IP=cnM=8?<q~inQ^kUK2^q}+sz%i#h@}rlP*a>(OHUZT2E6p
z@{cGM>rAo26~-XnFwVR?AwuS56#!ceqUgL#l3{6ESSxt*x2>AaVwSdc$bLx3)W85X
z>mselmTUK5g+LHYyMAOlTaBmjZi;(m!M8$?X?0+*j<GKJZinG<8F+NaiUm996(JI6
zV&3n5PE!V}?KI`B&b`tdPe6KgkeagUN1Bok9LW0%f^jx=%3K#<%_8!a)3YeAmd(zV
zukx>*R+79`#$Hw;--!~D#Ea4L7ecd#NP|yBO4E<i7Xh=w(BC)}<ZsAj?_CC3$1-z0
zU(yQ%o$7ZRpKW-c(+~2V=mfW1a8Ee6i*w+nc?pwWjP%U4EI^nEo)PK91|UG)r^1I6
zew6CI`G=i?5U;t96WqtXDp6UybAd1pvAkpXoE|FZRKKr~*9Mcjobe4($cbK&LNljF
zEIiWgelb4{8;Xo*Tt{u8rfcvxQ0%2VD#G}eKAE~MEuc2Se)*~=e6oR_Hl*mB;bs85
zsqC0e7QjC(V=%<Zj=_i~bJy+fvpT}qGf3M<x4&vu%}EI1CuI&S|2lNXQzQ|YL}o$E
z<aa!35QY<;+l78pkkS_w#0GmYJSuM+2MCd)E(SqNTh>i>7x~*eIqRD$UZL3xR7W^e
zYZzf>L4E1-o!aO|Hg2$uZg1Qdh`B_QKAv;7Y3a-5(~)RpD;%G%Z~j!({IH#1VYkxl
zl6Vha%%Gs`{f8s2X1KnyVeu~A2CXK7g6qBe2^gCh#HdPNmBal8yMkk*zzzbI_4=)>
z6s8IIhY$S$x46^fe1@A@x09)3z@0>f&I9ge7ck(KPz0*n=PUxZQERyVX7))M<qaW$
zjamVb`7bYX1?w2=#vJK$C^J*$5dOiU0?|${8JCJ3SYQk6$gFL76=ITw2&J6UiP(Tj
znkVLC2l6dREPk6~1-RhhuFdHTY(|fnt;n`3W?(w1s;SQZG?wT^oKeh1Q=gIk*b9yC
z>uOyq<J*lmNym_X|Fo>#=(kXWUFFO}$i{Tv9KmSxEOH~~9V8PJYJi>tw?dvy>*!t2
zr*Xgefb6g2EZr>o$4^;z{Km4I!_@lk>5j_*mhk#Cr#iT6;SUCV8PHx2bz3EH%o@d+
z7olmoch_CMA07M%SNdHb7pL^j$X$IN$nE$yl-H^~t<mqF(_j3YkkGQQ0d8*3ye**Q
zc^ETN{X9xee@<(h{K#Xjv#}7%Z;KB8s5<c@CvYcv$AaVJbK)aWU*w?_Y8(Q)n~{z?
z<m^P#AD?!j|9ocO@H3jJme_QK$58Qh#**#=Ol+Kx4oPG2m!OwZxAz`Yrbj1-IscX2
znQ359(DRt!%(vQGSnW1uj?!QOSccz0TC^rIOqtA=5d|W0XK=kG04G+ewVDN&4g;4!
ze1<vP9z9pocsD&%DvL?QOEuOB9LFhtQyjeO)OAn1@4D{I&Ruto8>0&pj^Px+C4fs0
z=-OlB`A(S$ei)wWvDZ1V+PTM;okM4gBfD4i+0J%s2-pqABqtuZV{~HTpdFcuSYf7L
zrNy1Jnd9LB3Latwn}K)6e-%7M1%Le>_{Z5-3pFnCaIYCLwKUZDC{NMU49+=xZowCH
zGD{0F?+h?7bGmsaYf_&D=>NmmnZQR`B>g`j0fL|tR?v7y4Que)ps0zUW+2Ejnka}M
z2rBD=uE&Zx11Q(PWFX@>$f~Tzda$~#y6UbcW>7TY3Wx`aD4w9}@r)6{i%TW{@2~rr
zBgp@KUq2toGtbjqU0qdOU0q#WjmDz)MiE|Lnh~N``2yu6*Egn(E!Z5fnEh3WC;D!o
zvqN$y@4h_>oGuVfx|r+g@60e`cltaajW9hNn*5s1%KJAA5Hca}*Fulv1Pf2MNLZ!V
zAV_-yDf#ZMqwuGn3~~0RK2(=8Y&0O+Q$3*S@4Qd-t~s1FgE$XmO7rh*Gu2~MKalFF
zM<{HJ7~OzmP&K8Wv@HIoDJ@RW6StM@AMM+Fe<bZ)3WyrBD#fv#9y8Z^W9AVlrv6xd
z8{Jwm;W2l(mmbuC`K&4R(l55@8b-r`@u*a<cyk$}+o(qd*AEQfi!mfJQ*%ZCQm(0`
zgiTcT2&QIISMa3=fkFNVi+oC1BTfS6)Z%qeWZSN@Og-PB$YTCLP*G$Lbr8B|z`5Jb
zqk|Due`;4@y%|POJ(8`y3V%cU>Pc0vp}OR0X%0&elVw(<1`5khh2?>i8_4ORV|R|z
zAlaEZ6_b^M$4HGml+#IC-BYz5r&e<8u5$7^M59FOmW-SnFTC3Ak{l|$o_J5=WiY$<
z-0W>m_WBl_<}QC+$_^K<iD&fHuQBAGl<)4z2Ms4Fp9diZ%1J`8&l4(d3rCf-087Nt
zRVVlTSb(1?`LvADM9(pxlV+0p;CIrCs5t;o@^1K*eAbrhn=S_!Z5mCaD1K(0+$!(j
zZeP^a)(;$f^?#EBd4AWvzxBQ8`zD5pH%3mPe*3=n!t<1R>Rk+K<+_V5`jsb_hv)R5
zqkmxZG($Lfm3kh%kJsRTFCeqJ%H6OTu;n?D;;p_`3<vlyfD3&9jg<sHVY@b}J&5}N
zk$h~|9{6kzj>+~Qq^8<&?-DigE&fm%ST9Tu%ULRe>t-lV_ism{D|f}y{k<wbZ7aV=
z!DJ6r){F`>sQj$0tl{u8hlksB(oLO9<)E!xgKkK^LD$k`q4I=m%P&(oH3%+&<h5$2
zMMbmioSALsb`{;9qD<teeSn^n12_%V4C#Xq3*hf#Dw&z#LLt}Af~gg9@8QNz_Su!H
z?{7BM--8?8P(MV~DV9OW-BZ=?qI$-+F%R8k{2Hlq*ojJBokL}VR9DNZ8Cj?+zugt;
z3&Vgq0I2vm>QBcwkcc5|r~hmyGk+75nT(*N?n2Izr|sJBxvd8AgH03RTVcvLHPKES
z&Q%lZ*HC@`UHjb(c*wRMM7@3=@f!?#s``AYi~4s7%;sG?dKf|mn7a&^u%@038+WDt
z8|MIKl&Tl+s%Rg4+EgE9vABckf2VrtXcfMH*R~c|Rvn#fEBKqXE>>F`-=_NP9Gz--
z(uiUN)s0|GkF|6-L2Wfr*i3Wbc1wrt-<Z;`n9}KKu2Ajej&1k*p|m#@5JS^KiBSKW
zA$m^oF?dINQ-OfCTFHXx!i!Ru?*O&ic4fxjSVvLx9E+OBa1X^(z0{8_fJwtP{kZd6
zQ@9s}-5V&D4DJf<i;bp4fdwa~oJqO%qERKpm$J(OzV|_y<mQ}qz-2kab}yyBtq&v@
z>`KZftnfTY8A$n88u+>ud_#as9=5BXPJv$l44J}afG(nN`vLm+5U@Fs>I4;l&_|>M
zK<6+=3;`OIE2(UVKywoH$%4?%(E5`g{J7fm=M;FC47Tsj7EpF;gyluBz)UeT^f;7C
zK8X4;Q&Z|X^9jFAhjy}XLCW;tSwLi$k=s}jx0i)4&jy9-K*5O9@$En?v>?W}1M&QC
zKs+Q6$J$<8t6uD%qeVGhVyrvpQLf%hpn7sJ%r~T>Hyf===*mY!EcaYB&`u)^Py?^O
zX~?vf8t6^~t@jy>FK>tOqZZ?rk+y873x0#~cV_``3IGj=x^^IXS`d@lfoS4Rm-ck~
zw?I^-L1?{dus6bf8jKhJ+ku!W5bYHFRRXc)4G)W-u>G<irn9>Sh@W6}wj(G128(im
zcoq=p`59s+?}R$3(c2K~xx0>mNmfDJZ@`){@TH4%T?d5ZC%YD2_=LgXI$Kx+JgLGp
zDtywei>O7YbP%qwg=bLs77Di)_nUNSN=H@iwCi~52K%YrG1FhSPSxAdtDmYbf1T<d
zw-YdgC~TRwobDlR*!S*ULUo?p2Wxg!$%k8syW12t>i<(#RPEb(vzE5bS6k2QTK)5{
z4XWp7t3UXg>T^~70IEyCvXHZ^yjBHvyyo$~wVn9Pu(a3?n%N4cs*Up83I1q-cmWW&
z_g_n1g$c`$G7<zq{_}5x<nsoGNm=?UcPynED4x7<SJVHT|C+)LnFig}6waazT=(TO
zX)U1Y!*;FyB20sK0bBhq5dSZ#etIsl(^Y*BRj=B$`n{i->U(5cKj$~CSF8G}Rk`8H
zb8!L2R%eop=_0eZuQu+VR40pmI*r%iXkt6Qw)d+h0n40vta&y&*&$oZKIaF4#8AAQ
zH{cQMQRaC0D`qP_hC}p8)jHqIa-I#an*pYSR{BE%Fb-F>tq#O{lxcZ~LyNt|50rWe
zFp<pFVAX7{Bn2Taco<KW=Bb3IYV))gPZfIdMKNII7!K!{88Gk}=0S+stO;|#7dy$h
z#pK_5KlwJCs=Eavbh;Cd2`na^54_&RA-<o^G1~nuHg4^H7n@0CzM4KwUAD2?<<oB0
zC$b3H8zf7xJnw7}1!8X{AC=QEwrLn`kD$@C<EL5(d@6?A0Jdp^*Zog`E0r6=x3{&O
zpXvk@Y6UeR-v$(upQ%VN)IkZ)jL+2p9ChY0EXq168>4LN+nIP;rRNI7ej#_<PfF6o
zeoH5Z3=m41KYNuZ^#TE?p}cX;OW+=-;|dQZxa0a!CcUh-I`ANlIz=8t(zk}Lck(Yl
z0BXzd{(eP+zcN~rJJE2^^cu~}@@wJiAMY+hQP|^_UQW|=em!da9Wy=oeOfO9iP>zC
z`T>+9fZ{&-Uu=zL8~3L*@wS|@)IZEl1ivt#{foj8Mn(&iXw_BTrweq7;;j#*_v?0(
zKX1l2j~Wtk9{*B2y5<fXCsto}7jGeRe6ZcJ>SKHi*)6L>&F|?&?z&S*5E~DTB_U1c
zI?{q-K%4FP4R9t9e>t<qwVK~foP&wtnEQQ|b>Z~~Ogu#TzThzmzpyLob9kx4V9j55
z^;h;N^F>qC8B{r?j8(uV0vlU;W}>h^UAzQ~GTBFB#fm)ohG{}OINIr{Ejv~hTUK}}
z%HvPfV-m3G#=kbMc&|sK8wcertS|)l1h1iz{P|;xHR?9&rP)lwbIqPuDZlAxHSvmM
z<Ws!HsiwJwnI0Z%eoyCA?YV@%(EeC|QlN22`iG3b`>LBPInP;JR_cD%Pad6f%f=I|
zK#NTpFQ>8@IySPk!fBbMNJCZa!&OX8U0U?@y5nlfPBXt^+t^o*wQODArDfzOu?W^R
zw;iG#?gRa?ZCl@~OLW`IIPO~auyW&D&?Dcspl`vUJ8BMH-sO9L!yWkwVl+;96RI#%
z4NhFAl)U15&XLJ?_{ot;$p{%F+8vp!_UMz{Y&=l@<OBF8d!CXq+3%}Zv87(+pUn5{
zx5cWfQ-`qi7H0ZnZ?QGe^DtC@dX%$XxSKo@{)J|spJkOoB?XfEQaD|TN*fuA?w@T@
zl$uG}3*5efd$@GMKiv&)0q8tl`c(e|Oe5+&uNilQQ9=IUWWzP7aA$l|1ZUd~j&0&i
zlasi*Y^2+nW>Sw*V%%Kv+#>V$J;hg>g?7uofW5=Q9tCU@_~E(c*bwus@*t)@6aKj8
z5cl0rcgoo6ipK89tPP6y+NHw2f*`G;)U|Wh?`#YA+sA*=NMH1qVvV(EBcGCcsfuwD
z&9SvUW!5vbh_=E%L;zN^g0EJ(X90nnf+n(^8Z>#Pyin7rmh27`=<zUhGdTqhro4Jc
zPC~MWeCy!*zqH*p-LDU^Bp&0xkOlj>?9xp$SPf_IcTl%2=DtCWLw*d78eUIBFi@6U
zg*o~hRkEh=BoZe?PvR-=ke_3o<~9(Eoza23J)OqI26S@2t~MJB^_nk}CxE13I)#i?
zd;{o$^(M?Gcl;+{+Y%M0^dFC|eKPn6g|iU0mjPkO>94SWt9U6j+nTnOEiHYI8OZa1
zj7P8By%<`gUZAdt_o0lt8qCyF@D?9@FZ|A=4)VS5nc7;+t8qH5>6`uSLF&0ukaEdx
zHgq%-{2wgb(|z_2#&cM%s&5fMs`6V*SxC5#=!z=YGY~V~YrQsoUIgx)2ZqU`E%&~{
zWX;mYz3}6m3ehXin=QRpUnbJzjPwY284u%(rIPoYp`MvP>*5a=^U2KT_7I+>&b~D2
zKR0=)_yOI-gR5v833t0#p&6^lZRI)N)HZiB#nd7H=nHm30Btr0s+Rg@h6x0-!+>t>
z&ooEn<OJKZJ=HUf1UL4Ph5-}93<BDaW(D7Hyu%EDJ*kwOW@~)N(%IDT6Y<i#p}3~Y
z3Y9GIcWFke3>1{flD>1;vi7|&5b+z19blr>(y|-fD2+tez0iyHreLEw8|b~%$zKwP
z{L;%e>lVU5t+n%havcqW$CWy3(kYEElo<*p?)UIQG$6w)Cdd1MUC+EcGhe}VgT|5)
zu!lcBobwC~nz&+fHHoR>sEauMVo$*|n8cFod*5<AG|=gnqYNz?#=|QpY);1zzc6PJ
zwtzndz}O(nL{v`Vst(Dm9-5^AllW%p1|#TCusE~?b}Xi2IRtZN2M)HBFjMe6?03HI
zbCn2GXIxN1jyc@&0f9rciK%6ERbTmLzpj8wn$fY5WEYA;jo};!fgZ=viUAKj{50i$
z1_S8U$Z@_+O=c_Viedu&4)=AhF5&-jec}cPwkRi+xFcRyS@g<iEVQHi7pD1R(wV~4
z;<`lNBS{%opq>5Me^H<#Se%hKx?l1zi-rFjI!n{bzcjo1@2>Z-QM#aFcZ9(O_@n&i
z*J6Vcr#x3eO;X7V2Qk7q0~i|a#24Nr=EoCZqop`v_-$Q0+Q5&t)ePHuC5J$RSJ0xF
zPpnApZ5Q2jH0-|dzUi}f{3^fo=(%;6710|(I9ZcZ&8W6wTd{{K&Qrz2pY!Vy(^y^<
z9>qyU4*K-yXKs3OF4?TCgJjAkHbP-y?9rY;G}puelh$y5-f+>Ql$bBNr$W&<5|o|-
zk{8gd!#9MX8T$P53y&~uL6V`7%3H0U^x@7noh$0s;le=Tybc#}QVHvJyU#a!Bbur<
z(Z53=aV-g0$#nA(FGTw!>9>g>?shyx7y{h0(r|%!onZd=1Izvv8(qvEOTqc01R}B@
zYh$Ah{#lZzUS8cVpMTHo*P;1~qAqKlOEx-*;WWR4Lr@#knr`l_t@_LtecNlBv6*~~
z<|Tag0NQ@Em=?aJpVRtfw61Fgh-Ka%n>lUl@%Lz0oR@QcRRM%gff3S9!jIKHX{Z-&
zV0tQGT3w!wYyQ&4H3!QG7iG(*>RaFJ1r)Wx%}$XNOioNQLh=XsD!hpulGNeVflB4V
z?XmaR%}HEp78&j>gN#<7`9@8gdA|CujXG|eZ-0HnFQYYlFT9aF)>zTnExMlNuLmAe
z5y)?_8qbD6OaIXdk**w_xEm0p2kmAPfu1NB_#H8k6n<Ail#G;*lNd(otCb2UAP|PO
z+vW-%FWCGh`dUYl>tvXBvJxf*;v>imJONFI#p{k(sST>F?zD4FZ$^&e%p8G-iCfH!
z<m*nBF5k76l2Nt$*kV1B7t7cEic&oWG3UFFuh8R^vT9%VN!5BBQ#QocedG{5LMW<@
z)#KG=<Eb`YkI$6}6<_zK^d}I%qs)xw*j)Xojcv%xZ;GtP9$xO<XA5Vzbs$YTQSt{Y
zFz7c2g1WwU?eJ|eSI9#)kEA^0wQ{*`vR8Yqo^9)%qq=L>di0LgAf_Uzm!mFtAR2~H
zZSvQOk%ZTv?*-e&7020R?7a+;b`pb-dWEWAfjJFk7XdbTru7PM`V@Yv5;6~S$I)2U
z)51IV+>=ePzOe*S-)%L{fdkrOd!sd_{sAbrR|eZClU^2EqJOW%24{`}V=~=bzz@ET
z%!wyIgIAEEDhIg6KTyH>%Z~uQ;vGXqxlP_Bzl8(d(m+M1TVH)wsuO&)lfeecB$6EX
zn=tajc+at!P7IR08E>qxQ2U|%Q+c9=V0@~F{MAw-^{vuxi6QxfVxcs3G^lFDg!faJ
zifzdc`DR85`qtXd^0p^>{++qXJq#?t@C~$OS6W#vq)1n=i2)&`tfjD82a9yuUG#2(
zg>?bXU-(;_xTI4cwxyP&va`NtXgIN}>0NA0S!wIU^t#-)pnsV=ErHRuL@57)T@hO@
zPJPWg-bCN#O@KhN*axw1xuBtgo6iTSR=@H;8<)zRpqu<X<TK8Z*7Tg_UcLs@O*-W-
zC)9d=1bJ-o-D_^4!DRwJ86x82t1Z(4;AN(oWKZ#dWNv@~KE5X!HPmtU1s+q$#DxkP
zDplILB56#?TWU1IXi6o&vntojU5hLsM*_=z|823Gb?%%7Nw!rwJ&PgZ0(k31*JECF
z;1z7O(e;IZRdjui^tv$}U*AeVL^{4c_SbYQJ$*Ru1GAO>SKEtEK4Cz}Ruf6j1A~<E
z^d?hjj+-7*>vKEF{)ggj1;xa1kJCTG$uy@??@gpww5+}lmWtK$tkxSFh`fA-RJkvD
ztlq?yF2w4}GuK`!wx%NR);ENXm*odYRHc($MFHRGByfE%5PQe%wp3v^yi@EAPKG83
z;;TOqOCk`PC8(HEo$4eZ%9;lRM9}34ZwLutj99%c$*Ld+98QwC#Alxx+s41s@?{&e
z_+Dspi_S9X#)93P7>Yd7O8E9NuF+UdZn`gnxb%L`pSZ#>RqU-u#Q@I$?w&J%Ayhw0
zs97IFsLm{;4I86kqqIZjBtosQGzvkQ)<{T|g|{S!^uW6xiX&|&3f>E=twJCX*2p|x
zeUYg^nR%3fQ7m1*Oil(I<vUUSWwQ*JNhOa{S4)^)IFm7{lYN*mBzCQOhw~a5dx>G4
z#t}j~u{`wv^};99fSmVEOA8`~jD7F)e$&a{W>o8}DHQR&a7Mm&M$k!I$6c1oC#(dS
z&8V*A?O>6*g}t%lfE@A|kw0U#>Ck1;a9_TO!1*Z#9Xsa~1k5T7A^LHuioHTH+l6Q)
z3k{8j{^VpinrE!tkqt9%QFGh3=i~?Q&OzAmYlFi?jkGxTea}GO@FCFu2=qbm%P?L)
zN54>r#rIus1aiJBjTorH^!yK^>RUiM2ql+zkRLdHhZ)271SrR`hlCC(;KnNGXyzl|
zf)2g~RcJkgs2LAauxyxjTwz$CYISIX{8q#80!K#xOXidjffH>PYGg1dA;9mkbCUX$
zio<L9mvx#zXJw{frz8*7m+Sa4ZZ3!0=M4No3-m!Hsgrr|^Z`XLqLaxzSj(gezRP_-
zSnm(i`_|2w_a2!CLfY_Tg|k-i<Zm$nRR+Z&nr!fcdu!2Xf5a7ntuS;OJ{ASw6dFg0
zUm-E_rjRO|MrvX=KMDu@P=m)OBw~{~<%JFoPwJc(DhZR>E%ZCz3*)<BGv|-18qe{x
zRn$s8%|F=*o8COm1c_Yy9xdiR!g2@Nl`EDZRYNDT_9!U|_xmYF9&(%<sq-kQ?Ob$8
zg>lH<3i478PA!_EQtG0b{KhiGmc7h~i!D>>3a82qb#Fb(&J%$|;ek%ovfydH1(^S1
z5t5HXtu|OtCs~hq#T>ADUq`udivmzO!>Nlsk0U29bryz&g=4Zv<89Ai6KXJZ7ES`E
z^y<icxlfK&GI|r}OVbqr1&U06A3i>*E+l&Tc+Qf`o%I^_%^z|h1#=;F7bJY6CB`L6
ze%*bt_8$4tb?|3agxcZ$9Y%yUhNo~vM(9h1s?ryvaRY&RctP8@uY)B$Xi<tTv$!5q
zGIe0`B2|$1q{rVCw#ryl`E(UXj>tvw&5E4vUj41)o3Or88R2u7t3)kOW<i?ecesCf
zUZ`t$N_jpR+McC3bT=LNdg7P<cw#P1YeuMVV1=ReF_$IS)Dk8H@G;b!kyc;*LTUys
z!3PjOdNI8am2YFaQwMTbVF$~`C}9pu$Ux*9rm4?&){<X~!eh!xT6<c57w0wWr-LN5
zb-)K_W#wz3ROP_@(C36JE+g_GKzd;TjvK%xspYk>4Z03vR6xixP)<g7LoIj7t4y{S
zzW%DgrM_FEK=$_=%xP8zCtb;$vF4VRu6|w6!iZ(aa6=0x(zu@m_6(MMi~}@jPWV@;
zH>cex+bMW30LEfjYW_4R86T24j(jyhRI=Wd^r<N?CvZPXL#`4|a8CdUmHIc`iWQa#
zTy6ZRxfC$tDk(Y?mZ`Js4do>_<}4Y^T(HFs=27n=1|P8Y(QX1P5>U5}y8(248kSW2
zz%u6SI_`k*$f8Z9&#0T+3PdPYA^<DV;~0WPgf9QP)b64DSslY_AoKH7u39vJce<O|
z3j)A*0??Hb;1_)zR3kqZl3APwzv8Mos6F4U5!2hG(yj3|WB`I>vWzFYyY;E<#2srr
zu0hFwuV$Gs)mdY7pkH-dL9aB*(Mq&u9jZk!+ja51M6l!u29nlL?^#G^q#<!MGt5VK
z(;EVDw$`V|@-1zJKZu+pbwiFBi|*Ykh>adDp%@t(QiM(poBmdcb$;asNxMm-ewgcV
z@N(35vKX4D$Ft$fbUQsZzXMqZ05<j2*M?+0Xx#*_rk?uVyeQC%g}_KXz>B!i>oqvk
zqIZE7s@`h)RClI$--7C{m40%Gl=GvJSuZd3QL6#+GR-8T;FP+UX5?ZX&X2UdfG$tm
zW)#eELZ<+7rbbeZ@p6JpB^U!EM80qM4vD&|*exwa52X|Mq`ulnQz+&#`~(!8BfM*<
z>YuSQJO||J&x6qVahrae$`2iIb10F6$4qL`z`xeez+{nS787d5dLBjGMV~ENibR`~
ze4+Wv4({_|JJncql^VfZjfX<sd$TibGZ>QTI?`Be-mx>?SfM8tO4#9GI{FhZje(Ch
zUnF`SMf2V`&>Hr^<)}|p(NXbe)Uy-f9LSAujR~TC0k5<vw^D<Z`%zhIB-cx7OeGVi
zx$bRxG)jQV0hA`GJNPK8hr<l-)aL}VXZ0<B-V)nJf?4WvV-tj_ss?Tp#=nSieA5_#
zWE0iEwq-dZ;aCN1GtP=w2z+7IOLegyebLWsuYVGZ#|2yKT<ncHe2B3xQmgoE^(<Pa
z0bY5>H73$Wvj|-7zCF#Z3oqrBcz733(&Pe@jc=I+_R+GZF9#t*y3`;E=pi*^FA-5v
zC-M{brl?j=iyA>jd09EDrY?{k0+IzBe`+<g;Ke@bA=6a!cp6WBm!*N-gn19nQSnMD
zx~(i|Qoo~fmaovwFT;7V`n)fT?f{b<x_Pd2Gwov{R2S*`>JF%v;68Kv5w<*>Mx6Kn
z&V4VIPXPOa{V)-(2X$ztLk2<Zox3-x#VH1~bot@}bD!Fzv28;}N<%MXp4HfUfUcxP
z1AynkIbbcoYIkRgUgPzho@vmzy?W=&)Qbr*&)IJoK+WXol%)DZs;8L%D&KOIXDUF0
z=zF_7?#~ZK^lZr`*n1=T4QnP;squx>@n&hxiRap+n$c6I6LN*8C3-4<v8(IxRw_L9
zXx5)c@rs_zSPDMIG)VOP>P_(R<R5%41a^DTuPx8%Sn3M{U?0#(o+oAZjL{~W+*$by
zjAsxQz;6R&vOr(&(APvqwP7NIQW5*&UA?$TdhR9w+P*|jLj;(iju!66^GwC?63RUc
zC35b)=k=YcJ`AK&$6I)_^dh1chuIe)y?8(<bhj@SH1T37<V+P=(8E-sMOEI!ItJ(f
zy*NWJKKaJH=%W`}kfvVeh25m+cp>vE?C#SvH2Gifx5rR)0Of%<;7lnS)C6&qnxG?!
z8R>BMIKopNe}P7id=7Ai>{@iKJz(`ZSZTz%hfU^Hi~Ayfz~@peN;)zhv0Jf%22Q1c
zv_Qb9=h+5N)v`)TewCxa%$)Tk+@Zpr!e|b~+VgYD?>%gA?4<S+Hbj9?H2IeJ@%4X!
zcs3G~l?lF|6g3cEd>x4WfvBa1POPQgr#Rm`ss8n<|1Vx}i4yPLL1L48fPYGi<;Ad9
zc=4uK5M>?Bi`9Tj&en^o?ezDGUVI>mkLE>ESE#i^;{m?YvA#m%`6fDcI+Zgc@S$Eg
zf?916yG9T<3t|`B#2CHk!ca_Y(+sPPhA&?8MgU9&t1>C`yXlKY_1UzdEgsWhwnS4d
zM}{fXQ(&qkUrGC-P%pGUotkeAgdc#K+^WvqYF~V&7m5c<O|viF(u>;#;~M*-NiWW#
z<#eY(&f%TAk~LHYgK;$I4t`o5|Be-s>iaZ4j<d7Hn}}yJt`~>e7k^fXCvqeNm_M!p
zW(b(6-%%(V8>tRoSmqItDLnNvaf{}@ZztZ_noRk@A&QRD&6;b?{jl*@!gSjG>OVW%
z%;8pcxZEp2&WT0zfrCj7TKZ5&hsVBjo6MKTwE@<rNt?&qPui%U<Ry&?4s88~`OVyC
z8hfDuN;$DR<r8vZw`v<L=l<{X9iQAm{J-UsUqpmxHlO@|_yygJpsm2yV}u8ieEKRR
zxtJxc!o-f`PE2o`V!f0$b6&<^+{p_sh5YY)vrEnNvgh5*SM3tV%Rk{A_fKYX>;8<4
z&{l}HtkA|EHlA#ygU&<`xgRak!M>7&f2(%qX6ayOWcwZy_ilt}dCr;*kLi?<FS-_Q
zM8dzLj+2{(kqxBE-vc*uU2H80hGHwYAtJKjXLBz9DSVQV?f8gJHh|a+Fb^rVzk8JF
zp!Dop#3v(OhSuxduVXsJQ&OOPO+U%D>;KL!dwg_>SrrT-LzW%j&$60=T+CHxVZ(Z=
zNx4-LJ#SkHIrpX`y6=QUFebkri$;8otQyH&@W{-x!4jP!VffJhav80g1E6LzZ~`C!
zZlDg4yOTv{&whY~dmk?Y`dTrIMFW9%!}Bgg$Vlja5Ov}WVKGHp4TtM@<VI!6FXz!N
z)Sf;B35XA<bmG@n)Fq~Nr~x@uo@`P@XJgl{GQY`UKZFy)Bg`6`&;*>amF~@)xbu%5
z?TLtzBWfMa;nMBNM=aXldg}^LUE3RQurpM~-!LfOKZHKCFs|7!t#J1={irFcl$xna
zTuR0bo97N^I==4R<*V+dC5+pb^Ys9V11R|-&3g9VF$k!PmlwnnBQj=1&~>Jfz3nZK
z?$wuYB4+NN6kfUc?=Mk*X8h0j@6$IbM889UXviFaaVjc)%5M;9{Z|%#@??CiX-v%g
zG-|oQ<r;ADjwHAXQARf~O)&n6HJ*p=xy<~+4i)%ytQNgX*a_tmJbGz`4-#xg9-#O^
z>f8N5YVpz%9|nkVb5*~QsR6W7#k`Tw#7#bXAv}!@1|+y4qYDhR)<IMtt^!fF7Kq||
zsUq{rJ?3Pyh%e78%$!0OlS3n&#LaotU>8}uM`q`9KIqb1^c8T2-lgd(1THl<r%D>m
zC}c0)9%gS&6*rtgE_QRWz2V~Y8TW<(oNhM=*dy<h=hnW4Gcbg0$pKvc*0e|FY6R^I
zrjz!&MI6S4P$x=O8tJMhy4q=)OF#b$0kaf!&riaQFPNjvIzaSWafzkhYVEOjX+OEl
zmTJj$(yxYSS23+vC?>ys51`~+eDMXAfVueMBOc%Z!61{a$m41p-Fj>ECGCU{Y->9u
zd^ase$3Q7Hy=agmEBGlgO%Lvj!Wf++UY=}K!^FP|cgeZ?gU~(}488TCmvH<g6s1LQ
z2kL_wKVkjm;CXeU)%x`pWmM8L0xdUBJh1}EP`H>Dyf~!VL|ON2Ox^~z0h+pbNu`}c
zUxMC9Kj4dgjLHmGaeTUxXdl$MG;RI&z)jq^HPVJ&UyIKxapSM%c_q)0?IhAala1cU
zb`t47V;)GP|2Xk6k?kyTJ|eV1p1bI&+?|1erBEsClXo&m-==sT%{#o_##QAWk7v<+
z=?jSWB>hi51`eqr);{U=iORdzTmEil9mQxcM{2zhM!j25WzcOA#<+Xx3sSpLGjFw+
zTR2#OkW76D1R_v`Z2Cl%4l*rf=FEHOo?4m732(rS1YGjHtj3xQ%cQZ^wAWaprkYj<
ztJM;Clo|$d^0#|@{R<-(r~rJJfe(HMQ8LZfG>Wl85@Wfs1$M3w9pd2zt%tT1gmgDd
znyEOaA{z?g!%7lo{2bZNZR5?69bHKnS@c$@NaOZ%gp`(CE#w}e;nZ>zohN7X><Z*o
z`sFDWKw7)e;q-U{vHHbk+8T|dx;vjYsL-xSUc6;-hah;=jSVLoL5q3)Y{n!*L-#>n
zra&>9?T7H^)nCV__K19zuiKv8i8nzD@2Y2rpeVIM@G~o~M@8;L&%J0h6P7ufX1UOK
z$fJe>*F8fwp0Ql97a9-jWHy99XoiHs!yVz_$;pI0?3Kn|;4`z7Cs|8ad_Y1I^u^Bl
znd~l_B)--XAfn_YT4|;g0>Ub>S(Ns8sHX8Ctq>Td?8hWN?q(!v(AWzvs)?H@i9sTG
z6e7p#h%mWqB)4Oo7GMEeoEJRFCS4s+?Vu8lbmBJ+!K$>ORKJ%vm;@q&M%pVnag-`l
z>NGxx@pOOaBih5z8EjqQ(kS)F<4E0Q5`9DZ20tgU{@xYS-WAgRS4ts>6Th*tZ75OL
z%Z1$v*3qh|J3g_R@kkUm4E(*`*Z{QgCGOgP8b*^RQCTeD&DBpsjy-77(kDJvr1%r&
zIRffFOJO$ZNh?EPa?Es1m#fSFhPne@G!ovA((Xr=Gh_Xuliesq9^wr_aw1(oMFTmT
zcDUz4l4uZqTmXbV7Q%McV3|zBT>tL=SuKM%J{5BXupy3q`8lSMZ@+ZYGiC{;INVS>
z-K>E2RCo3k1&QZpGU75zV0-tjxchowZP$}p9Q9OL{2!F^@N~M-^^MQK6K2+qkwtUS
zA^HA=R`HPMtA3q!U1|30M6f3t#<#$Sydc-DCl@mu4G;_eX=_*?2x#{{;OY7}uA5X<
zl(wqr8Zi&jDV+n6mX7hpxx9|H1y2OrVeP@)X2HEq3+`DSIJ8{4KDQ>e6vm&rL-n@=
z|3F}ijLkXVD)MZcifAC6`^L#LGk+D;__0T1QX%?(6p=AN85^Igh#hXqIjtscaxNMy
zE^m*;)fS7v!eRyMCUr`|lGKMDrx+}1;&Ua$q#q0(mz<GP-`H6fTL>KmVU`Es@VvZC
zZFNW}pDdJdJY4Vj3-=PIB8#*?hZc(PZ?cy(niK;BH=5$9MMkGxL=*0jg58+M0OGDV
z>=jefz2iYKb{c6J7dwe+lbw;J!GHp550B^sOSl!XfIkJi&bO~m=k7>d|Azfz_6OZL
z523LNaE>aSxQ@3j`Zq&?Am5=@oXWw&Am;w#DR~^*f<0<t+qitYOyM?M;#gBwP?!I!
zHy;Fge@xx%Y*ib3awNT6p4Y+sVv|vguOUN8-Jl|Mu4`3|{kZK-tKV1u$m$qf0wHv9
zMKeFm_emo?{m%;xHmH*P)Y>Pr(Sqr@0CC^RLRs1<6{Tp#zG~dh)*tWHe~tRrBT%g`
zkDF^v<kav?c?1BN^40%<rvL-fE_ZO%%O7P9&u9R-&v&vLKVPvdl+2hae>X+u+A6qo
z|6+ch17FPbJFJO{`n>HPxlg_^R!@~kpIMTcif>;wNc3WM(}4xNhRw7Q?=H9SsB{DI
z#w(BzCw@|Z{65;Dd{NM2n_KrW{S3rUR|tuX*_zL%s^U;9xj_wLJpjVp63Xo`6b=|E
zGnZDNF$ST!3<cfhe`_lP2@8#N5--a&7q4({Ax)~MmR|y4i{EhWm8j+iYtB+`7|LE-
zu~4<xopyWn$W+r|G3`T@n%vyQm?5CChtNp$T!9Wv3;x*(lJ)MesLTJ+J?=RqF7`Df
zBI!};G4|4p{ndN1p|>TeyQfFYQqx0j-pi9*m>FS>ZQ`<Y6M!~1?|opDr#+(df4d%|
z+-oF36p-mew@f3GY$JI&jhI_8hNIY0t8smTi#w7d?x|5oyEjf=VSn5B1WM2;=Aj4|
zQr@`OBtq*(cIHOpF3YPsRcl49%{{K|yOM&MoXJSTmhuFuM>eoa_>QVe`r>zK_rXzm
z+0PA^xLTmkMyI3U5>s;OZb}+C@x2gfFty0i6n{vM8p*X)TYNKrRU@(QxldBTI<vp!
zXC0xV9csBKW#$HcG2T1XCC<XP@tGO)&q~SH#@=)XKVT<VI-4w^egC<JsZ3mFCHk_m
z>o^TP0=wVG3UhBl%$)e&*g4G`g=gWzVAuGt3YijrWckQ`EEA=-=&A#mqu6~HKV$Qx
zO0<7dlvOaxJM5WWpB3(JcE>#m*EAem;$Fv*dfN8UcJc^eh0eL=dvA<I8jYSI`oma+
zjio?G9WT<a#9S>%NG!U|Pzw4c(BtP6W<>gN*rky`?)-{cEH^8W%t(J8FE7z%ojfZw
zrpa=B(m^^wD24CdSh@>x8c}*%>@xB?^Lay~=U?!Kgc&m?Z+;QF*Bo%BAR|Nd41LXr
zp@&<ZH8m$wlk&yxI<%k)S-2bcntVsiBzlfa12+i}pURd?uB8B=I$9(ua>|W#8z`3@
ziF@Mm@6#sBhx@E!x&ZGbsYIzVWi$uKHf?~c&Y9C_`I7~({-S>wbBMLGu5J*;ArHC3
zCKaRhQ4FGld(YbR>Z*P#14vtI+Xc%MH<WrD;|P#(fgJNVW9v?DOX(rTWlp(>Eq95^
z^;NlRDQ9im+g7VJN!@4`6{*wj$7f^b3!{LuXX3i(a}ob&4b_Ay%Ypy&1cOI`;J-uH
zQa%rl=a8bDavQHT<vxVA?h`7fP2%`aHcp!hg~E|)V+jAqKSMM3x39j;8khH~`Zc0p
z+MAdvR$L8AxZGQ>KCskGbh4o@fMl@ZJ`_{(6KUXnmulgxyg8NvilDG}#7Q=HceTQG
z1$Ls+^-xAuzv02k)TP&$9(4gFJJP)y6)t>|-o1~i_QbqDSZF@ZTnlxOK*Z;*fcoK+
zeH?!<zcUL(Z{?r9(`K*!`E~mdWcd}j{9C$N5955#R<x&_a<a@F)@IPHSGExUBCVT~
z7=#cZSXPZ%FhiOns<WqMQQ(G_vXga|;pBXKr^`Fs>2gM*$KfXWuEyfVFj8JayovO^
zZLTf>HBuY<o_u#s!F}qB!y)t<&f|fOE;sP<-ZkyajQ7h}jY+sK=we35!X#{&0Gm@E
zAqvtFTf!z77at!opOm&u&x^*`?8WLEk-v+v?C!@p%b(P6kkQK3^4NuE70T|!0%+-!
zdO#5F-W9@&EDM1!LJ;0#_2f@NFPW6JWgTnc!@DUWb`NFRj&=c83{JlK2|nziGBsr!
zEPk{0sQzVjoHt1=x0cG-)CZVN$%ICyQ~(_`$Ue$Kil$mw2fJ6(RB{d_(jQk^4f6&c
zt=VygS;|?ThZ)|BD3Lr}RT4cPNf*NpWJ1f!vGPjn;t#5mn3A<SEBAJXARDiQrmXj9
zGC2%5od2R^r6DL|;-@DJdbL7tBec}SfeP2+l#`hBl^-)2MBXv1`(z8|n^E(;=7?JF
zv{B*`wzU~jwf4Xfi37BW;w1iB=ciC?r5ToOtG#h>fDxJ+9Gqqu`YD)!$RX<Jm7<<(
z|JvRg=<ot`R>MHTxtfN!Lkw~TAI~e9V_YkLfxW18d4~ejC$>qRJB@?qtXwAnQx0_6
zXnC$c)@FT>4La$Tpqir};s>A4xysO@npWNJkTq4CGV(}2A9X3kITRf`slNzuV((+z
zTzB$?L>4g`I<R-aP&vN7DR{DP!DhheXi1U#;-3V7CjtcyRl!a*4JQv+UUPUszKWmT
zFy-(<{p?sE7d-F_xu>I$yK^39BO?&w00I_IP3$wpL+kkFxY&@+PQssF;rQXIQt^I^
zIi>y#fHgV&30vNde~SM2AErO|AfYPva{F?5kOgWxDz~4?olDdSYgLmCGfSRnR+0}@
zu?MwQGUiEYj0vmU#I};X&XlEo`j}j5pmcK8eNs2RnIoV!`lbKLZrKIGW0_b{!Alg<
z3d;mO_pNlJSJ+^Z9{R?5y_)Nia5-sD$5*r2D^1ZUmHBSfnDpNETDT%zl$&hxfE`v1
zKFYU1Y<-`ViVjTu?9E`mv?s$bYdQG;L;rsF56DpWl_l5m_T|1}tU#{)RPJl&km^Ob
z+?i+iOR8tQH?xp+B<pY}oIIEb*_(OpK_h!th)!CUnc<&gZ&vK-)qdvw{Xb26kFgqc
zZ&G{D6Y`PU-WM-s+G{ow0+XPZVbyqU=e?Zy&S|uC!)@<n8t&^gd`kO<pM2OfT%m^Z
z)o_0kYf^2-&>zhLj1wT73+YkjzI8sjT+usCu_eCx8b0c^dXw3)V^kQ8_@!t6J_*?K
z|1RsShqB}PnJZwnCKj`Gx7@*2cT<cYkCrcg0jt-$EsHrYfD2*$tDKJ|31ua51y1~)
zbx08I0<8Y%9*B8rnJ4Sx+uIKZ{>$`fj2b@%w?XO(pbE`GOs<@<bAdIN`l?(<m8(`c
zrhv{8*SipCY<(y3yaLb@HTaV7TjAC+U-Fyus|!=R%DE@rF12c&sW6{ctOWx3Z)vfx
zKi|-zDi_FaPW=Nvr;xd{y<++iQIq~>JiC*iSn635OL2AD)*+_I-H^->>T~8Fj37lC
zG0WbWl@3f%N#i{FmK>Iq#%`4Nr19&ly?F>qK)9UWUMTK*$l!8-aQS9FxEuj4Dz^>`
zA%}oHEdhTZp3GgUa&3f3IPsgUtx4R?>jW1hr{z%H2uEkM3tfGQYIq}VCjQ_g)>Em)
zR8}KDwMS+&9uG>-Q6m?rk$Wh|VlP>SG#HJM+Dq};5=F(u692#sK<?OitT98jv5>)G
zZO+D<mMNb(y}$RI74Ea7#iV)JlE(nX7=YtJMY5XcIKkpv1Quxn&@8T}qC`Bp-lp?f
zHU_7KL8PvP+IOY;LDQ8b$ftXUy8I^e0r(LY!>p6qkqN@wp<eX-s|xRnxt@BE!U7s@
z5407FmvVnrxzhynCdzSC*fIfEbd<1*R6YOD(m&}&^35DBnnY&xrlq3=;mP}eP${-$
zF2+cY=^ZR)X{e)$&7zo$G4^OO{=d|CZ_0fjrzf;|$fKs->yJ_Ies$!1a8XAp+IQp#
zI|3e7xd|%wv{%k)U#?9qJCgaS+*v9YqnukmN7Qdlmb5SYwk<qFg%4HXF%*uiH|N>@
zK0<eUw6TfKnfO7*5-M_^7!Go5tLv};o1xZilG<;BMft?`&~LNQzo&=p5>alaSMIX*
z<!WuYS5@wBD)%nsjQZ9EPCF#NxQOU~awWV;UBrHx`cl^(%0E$5bi7_rh6~DEL3uJ~
z<}$-8&zb}mP|P~}+;xAW@Fgnz!>)z*v4ty4;V>~=?&B(aq6+KcV(`lU2QrWH(nt{h
z)%+|9X#xE7#|HIr7lHbHV4FIbv6uX7j%qU~O`LBqfAtZAl3E$0R#vY!weLo-l5IJC
zl~9If8lk+CDsG7iKSW`O0z&K6S`p>JW+LCy$kE#fpijP+(xFW0hv;GQ7cFf_=GCsW
zNnO-Ur3Yt9Un1DtQkvKLAT9Zk_2j6W-l+e!6O2wbd=GWI+D`OWGgpID>z!0wjz1xJ
znbteyZKjX%awNy-#lH4Mp*mfs7oF^jXH{aLUi<|6f$^YT=s;fzBUdl3(~HCPVhu0S
z=Mp(=H^S+%S$U?0596wII7O~0<1uv&(|&ej(0;_T{E000s|wJ}`V=3|{YS&_#J*yF
zg~&BFx!8R*u937<itrKM*Tk<XsbSGEsOl$Q{l9sErPeLD2mkKvi_S8?cXkVQ;&AHT
zp_^D$lsZ*smWIZ2xh89cGs_8`37*s^Cm)t?L1A}}2lg$Fwe;CqUAZ|}TpeyJ4V@O*
zus-7Y`|mgL1VSCS8|SUiJKTO$SvjyWbhr~AP15~qup8DnUEJV)@}ljfTc4uGKs@8e
z@MDm*wT-TcZ6FTJe}Vr(FTRUTg3+*2E`Q=XzFt)S<Z}0mn{|%J7ySb-Tkm8Pwk}Qk
zLpnQEn}cJAhgZ&bVr!kmIYlNijdcvicVh##xvx5Gwh$^D*>-=hw{mP96FyYAOUSTQ
zBckr@#D*6;1<*FOw?3OM?0_s~)4@E4AsTj!Ef4S?B0KVfCq;I23LY2vx&wIyCJu1o
zeu9!AU1cPd->AVidd-GtXM1_y)^$s=@h}b+#)|Lru{WCH1)~F1P5TLObslpb<XAEn
zdnvM$Oa=b{hW}ipAS<bjAEqmFj|_GNsgluz&B+fF=6LS0p^Xk6E-?SWJv@d<Lq8|z
za;u^~D_i%n{Zj(AsujVD!u@^6h6r|A89dh<>Fm9N^l~AGb3FNPYF`~D!sbF&s<rzP
zn%d`$$`xYu&eBj>hSmE!Rck_P`!tzg9ZP?334^NWRbu;~u)b`6W1Hi5z6L>h?VOGx
zZ$9*`suiKbW1G9YyHK@y<%jd~W_+oCt2Q_0twT6!7F&Ag2l0W7li2J2bN#V*l#<Pv
zv0O%_;qZ(Wv!aF3?jyfwbrQOPlZ(M)BU39nOgmRsw<3qb7%{_(Li-^|cC_5vAVCWD
zO~*gPqf5b#Hz&rUO+4YZ4(@AxHyCQC!W6`AUK3XB)^%1oB(4(HdJrLIO?+$pBJ-P3
z?Zkc+f}VUPUR1P%`&=s~a{R>-3>vp_mMqMNR#2Vm?}8_Y{~Qmf<8W1llQ_HDiEYck
z+a=$CJB7Mb3cU#cd58so&itS2_s^;C{<eMz?U(*f?f(+Zwl6{7rTzc4{!8il(p_k}
z&`{6UZk7pepeUVKtK>1ZKK&taYq`w8*fz7j!hT{p|3WkJT(v3K(Y+j?)DOLCf=Uh7
z*%RH@$=@-TYEGmje>niE-lM!UW+la28!UemOUluEFO?T3tcUm6sIbx!`lhi}e5sR@
z@lF)ycwlK(zRBgKor2ofMs=Y6V+sUfACr%VErZZ!PD_1R7&hxa<*m{0`Q{hUd2aHa
zeZ6Z)MbW$7WS!98r}&_QQuU{?Iy7g<PUPXtMBm@bt3wFkl(Hc<b6n!mvXQ#ag1{p}
zEx)Se?@0IEfxy?<D(TGqsVN^4%kY}AAx`g4<e^|(EceYk8_U@#V9&xt@7DJIArQL&
zZSslxuqaBgk%8DC*o0T$VC}f-CW0+m>HWlaTGgQzcK=cHM+qc%&gZW(Xi=>kI0l64
zfQ`3c{7K6l5F1ik0G`SDbkiWcIdBy7PizbIN}WV~*=9aS^o6NgM17NSul{9TC&J-R
z*pb|Ezpws1pb57P2FxZ?crv<xezMWH5rx?j6?gPsZNIC_ii2EUVT<*RU=gWU{FX9t
zl`L1?OkzV{^alAjW-OHi<Yc(=^xVsmMMEujM!n)mOanqyh#X7R<RDt(v_4cpDt>St
zuZuq^BvPBOwdSfl)476Lh?^KrOe`dPLn;4C+_nMK#1&W~wtY<<ryr$A-o_(kD<KfY
z-H}I|Zb$Le;_4cXG>j=5Z@<-YTsro4tqu#;;_fPOU!$zTaG6DTC%7_3I7nGxQiB|W
zY%rWSw%vm^YL$NLJ&sOS1QPRf(yuNNH5%*76K#ukYJ5VrkyiF30Ky2aO>!^x+cJL?
z-eNH@jD{Ach4$YoY=LvqK;ZeL41n>*DQDoi`+A@h&AJQ0=7}x2G&}P+3-uSRB1Joz
zt;m#dkM=%)Y(9gzDPykkJDFWF_%~O=k?x6Y|ITU&Y>TM15>Tc$rrVfl!9$$<<+P!B
zNWEJ12iyLXbOV8-3`mMN1`SJ~XanWlPdb`y`RLgcHayVH!Gr_GR8n-U)3uRFiaLo~
zj52T%cNk@0GNXOv{(7WsO&2r<IP&lGyQ8d;;=X8zv7mD#PW-vDCbjj<3~Mrt;X~YN
z7Oub??~9(v3lV#gDvLveDe4s}^B~op&nqYXQdyY4?$sWYeFQ!+Z=1*=Df!AB(AT08
zVZb^4P%pmv|L~||1Y5UpvT=V#X=(y*j2)ua8+h$c%+m1HV41-;b77<O`Z0NjF+~2r
zD^D-C3_@IZrNkbp{E%SY^D$Kpv#prXp5U#9v9ak|A3G+mOx;l+qv2QTKxEC>6{&A{
zCpbz;?N7`W5~&FcAiWzb*yhc0O3}@cbkpo$cq8twY*|Pe?&Nb0-)1|2r}%gkM^+IC
zGe9r*ieI7P*dxT!!&_hUV2X>w^?IOQgX%%pbiL^wNh^e_5r?=5i>fPFbQeWynUBir
zxOZ|E*U}*&IvB?peTKHN0p+Mm)R##xr8hahZ<4Q^%WJt%ydnD))6Qy&=s!(CDz5+Z
zyumz~JPa7k=5MY3y0cEPygrWkLWm({=ay9_*@)2?s4bv(wemVHbH{ikxfTi`(s<*D
zg2TBG%6ToTmJ_qBIR#mSN4ghLS!TMKwurtqVp?ImL>7YkYk!Lf{s9mnf2x_-YV%h)
zRUdN&wW{Ehu5}VGnNGTk7{3^IQ@{iy$i<17I5rUDMmIJ)e6v4+56VhVA~2=)W&I>8
zUv3{<_>K2`fSf#q4=|la0&ywPhp;}}$p;BgC-dfg-b8t0AU58w0^|7UkI$232@18*
z#rSs+lrD??G4t}2Jihqq|Dk_xm1^VKZ_eydB(km47rlZ95%3DbJdXz3`&k<3h^CPe
z(fNwn{3es(b~sf6i6`glW7U$0rK#fu0|l^IWX~6;#1_8!W=Xeen(B>{w#heV5I<Q1
zU`Ff+D1D9@=gLSkvZ0n~_>U)pBnf~FcXW<Dwj#2jsejlPCH%iFynSZqE+;aTIL#yZ
zQ^GL(8)aTDrCB>)4xK8SVo-^hDIYRIU=m88lJ79swG7IeX<lP;<gaE~hABehsWSn8
zN?wr&rO5>$Q5wct^-zY7L`%}E4(h+<HgBboXpvX{xjj6&lo!y6ykrU!PJOa|LL9?}
z1q2F4Hw&yNlv;=8v8?>7Sot^HKHeDe8YP#877qsgr4R?%>g{R5yQQBKPwKNJBS)ZI
za>+;-Pm_r6eN0|2^XqogMCufvQ^wP+TP(B>{gFkc1#%kLw$z+yB3Om~SdjtmF10lt
zGap04{OsTG@f0XG-B*7uk1*69GcVZzPW^(6+rH&}NZ(#Te(lfjdVW5opDlw*)H4Z6
z{p*?HW<1R0yTsndK5OGW0x-u6fcJQ+&w!dQs$IrU(^UiB3^VC|ALAkw$W)rZlY8Aw
z#-{u~GIXFf3TBHU%vwggnVzqLQd)58Kh0v|EQ@Ni?yO!K?Ph=-z!T{ZJ14p=Gvy%8
zn$P@Q=BZ-q8YsJ(2czD+F}K#V7CI;pS+qgGebKCR+^c?0Mdh1*l3W7br+%*%4ym^1
z*@#Q@$#mEwm4ISqJ~WdO>sy_7%Q?>$`NqjvaG=Dse}X$`8I7jhM4FgLQLep6w!`Z`
z0G;rZecHh3P4zi(!d07b-@%@y$;Kt%tABy_0h5hvPwEn$fpXS<DGqC?Jwjzlc!?WW
zjjVSceT%iK*`H2v*2_N}FIrzf5_+puS>lAQ{BR$l(D|b@DJphLDhMS?6rE;<@<8w9
zPX03E)FL)bbA)@lBAa6C&8&Ur`}tCbQY7_pYM&BDa(wl&MTo|(@zreOW~y%atv8LE
zTO0e{W5GE9z$jBol{q<SwTfn8?hyBxW36Y_&!>d(atHmVgxU5C4WMozqx4Ez2`w;u
z@V^pX#{&Mb^m<;z0b@(9+26v&)>p+xT5hek>r&H&ch+e=k6o>P1bV;g<gaaq`YYai
zQN!HaEj5^N=-D-|$gz<+kryI$0x;G-Dd3I!=ZVDmWEYpTXXL~96r9*rm{Q(OJalxB
z>4ESVa<RBW*jhE7Ku%nOR!N3RAzVI7%dM|1<7ZPf7*;GvnP5~Mt6i$As=_qM#*n{_
z_45w1epbH2ZCXE5$lV%Z0e!FAG+}3(!H*R*cRFs>BKjvUANG6{YYwU;4d(^15o4%h
zCV-#Cx7adVc~0V9yY4mqIIy{5l2_(d!&@c3ZrVGU2LK}EhiKZ9pW9sc5L^GU-UE0T
zIGsQ06a|g=X3Nj%#Mo*5#7;f$@-eav5u3^fk)~H3`r?$lFgF+^$ZteJ_cnO#hnUQJ
zoBa9sQ)_(AXYNOEMEFL7@W=3flUu1iFlneuSsI_fno+%m%xOWC|LUdiyU5Urw0!wr
z%0t#$8`FQ?$)J|Q^0YpHqFHk8Rx1#7{uSdm?yt~T<?;la7f$STD3koAz~*moTAIPS
zO*bR<4dNvpJ(`|0yd~4@l5MqBn|wqzXmqv)@^>o2`ctR(&(yy?U0;;3AVi?=ZZHdq
zhQHYQPSwx8S<1shCF(n@PtEML)xE;5PaCe#$Gc>e%(}poTN21$PAg`QVGxaEfzy)V
zt9y&r$kExlhi2+J-ilI&$yWEf-o_4U;HKJiGh1W;_Rei)OY3f%>E$)EOcgAO?8|v|
zX~r7SrkR_)X70%ry){!b9z7a?)5W5Rjw?6r($tW6w4AS|V?3Af%%4*G=Ro^MHlO%&
z$MwimWNC#MRFQ3|S58Yc6tykgxto@%`I>I2zlB|C|L8Um+SQ_1EghND5@}4+-PgV0
z?Mb)h>s|U|IrQ~)Rt#>=)}5ZI8#jIgWPww=37MBQM7HUxW!b-vvMf7GuP(s@y~>Go
zEA!1dmEW}q6JsUUR%xwnLq-j`dy=pAWrYrrGyx}zyU~aieta~SW`Vw*&*o<NY?uYo
zBhP=4r{`qKq36gI$JEh#RUrQjH}GM;=xBNaUOJDPM^_OkHnPt1WYR65n>v&$hCBf2
zJSn+Dk4D0*zj({i{9rKtysR_;0G7$}=oExYbS&i$uovi;9Ys-mXP-E@xHV!evtY>G
z<9D`kZM7OYG275lJl1dmG1H#%r{0=C9&E#pminUm^6@ci4MV5AM@f419F*L$loNwD
z@L<L?C_Exg(z3<EG^_zsO2cZk3Hqvg>wJ;tMe4*NnLqSWS%pg&vrgie<AxRHwT|FC
zt+ZzbedWl8f*xQ)L7F?skA1M@TIu6x)1=D`=o>Dqi%&1{1WXpq8a0tPrjskmf2o`p
ze}BoW)$W6IKYS&GX{q&&^!@_7f%L+?+Tc8?*tx5=%Jt3sk%`ONQ&O|$*s7gp(_J42
z{M~fD7ubQ@N{icKi<gr)<;-&m^VkweMCXGZUAY`Y419;<2^{e3?o@r^BZyJt`9U6&
z1AGg7{sz(&?dT9<$LVaMPR`=!ky8}N$2?mZJhac->G~u~TTTYVZr#mZOT$@sO@<U*
z|0T!AO3bMzNhrq2Jpb}e9*<LpFekO|&%X_2e#6S)f3~dri3%PozvhvXfs3@DvHjz)
z*i}Od^9I$o`5JoA1^<?oYF~6F-+4lun(PzDR(IMbwi<Q&3SW_|o9q*bs~Ytb`HJO}
z7OGYpQ_~G65IF{bGn{M5?TCNLLu^bIv7vhGy`(1Q_Fk7do|T2{t2DoAci+FzHMV~}
zvtag6|Kf{evS+$?%Mi}OZD|SnqW`ei(!bB_6a6b?@bH!XU1*=^-@W#U{(WGd=wAsF
z3gzhE2tCdCDlaUHU-O>V*?Yj+v*+0GGxOOuU+h-UUb@;MK1LRnooI&Y(WsDAp9~xW
zV~d5sILaNW?j#RJNfySQ85l5i@#h73sVc~UePZCexO+Gi9-P%$%~@QQ>CxZ<oSOva
zXCSBHOx`^l_bS_`hAf<^xp0mX99;pMhEub9IP*O?)mb<v<ih#-zre}J6{E59?%|B|
z;B3Qf=Jji%9@G7LP;mS?_^bdyE1&J?T<pPlDhub~TsY?oPC*Ww`0nAXxYE)`?mrJ7
z<sS2R{u*7(n)rra*X|xp*n?A=h0`+w2Y$W!8Tjm*gHONR!>RP(tlN>n=XE`%=`&Ms
z-UqETzdG(7&gMVae$CCoiRQvNS#bWA17|e^+YOx`_24*JIH%;o`TkSjT#y6j-rd6)
z>%qy(!ud(=w{*Y$B{+xVz`1nya7sKljjC+N#gn;kE*6|mp?sP?NADia>MJaL#%JMN
zmJ4Tp!FebL&L#-98~QYOaLTiA4$6h|_6FcwmILR7-NUK&;K=Xp^=qvj4SiC50Koc$
z$)?fFosZ#z8Atp9<Lr+hx*NPUU+(cg3on|1hdiDvydD8l_n)+E^`l+SFr^;=%>t|u
zN7N=x_yhQ6cU+A<GCcPBFeh=)uMHjLdMGj5nXQH7JKa0_b&&kQp1p*D#rdVI!LbuJ
z6eiRNFf+zRwd{gzH&g|Bw*>N+9e<QV4hjN{wS^gaF1j&PY0SY0VH6kC^xkG8Ph=}*
z^P%v~&?Co^%$=X6fO;*f-FBwbCU@;Pk!Dh}ZGIumx6U*3zWTpqwr1ACVAs^QpQPuF
zbUcZ^$IbU%*25`(h-kCcW?F(M4;X6<3bb~|{vz%=crpPtxKTe0vUz?LhvPPeTy1Qd
zw7XxrNyDblTI^whS!}pMwtw+~#WO00AJi)^v`__XA|@gl(smZ_j6=e!nH$TI_Gj4$
zhs6D6ktDqK&Y@p?^jKlWS^a^fP@V0v`0#4($P1C&@P=|HKGktcEQ0SeLKRu<Hsq$B
zANFT%+)a*e%;tL1raW8A!Lp(p_X0U=Fg)Z9+l$%WNzAhAw>7MX<zT>)EcN;qzo9~h
zQ*V^jVBA%S$yd0Se_*$FE-`Ow%8IsxEysF#=SEuGz8~8nQz#ODv4MYO#LnSw;_Nol
z5dwZVCsfZBL3#1`Eh@kY{Q~}`LxNNQ=f0B6x%1}bV_xdaPJ9?Hvm4m^CQDKaDVE(G
zcbWkC=<g_Jd@=Fc1<gr>x;crdoRMvG_*om<?vDRZ+eDE`rr_;i^Ooc&SXLW|h|9;9
z_Mui$3?>dK*7yc(a8JFDW@W+0<LZJFe|9c^;xDQJC7L56ntWOev2$>(yMI`f_VGo<
zn#7Au{Ba*6hZ4_^^31h#G!|J=I!Nvk8rZ0B_=w=pC-!6bwZinrCZ;OJ;S~gS+@;nP
z7>-GTFC{kzQHb!1r40bjailOrJ^uM4uNAkxk(D?9jMo@iWS%qTPc_yWzdPimZsa#*
zJG4HiV6pq$9+z^Hnf!R|?>FQqR0XIg;-ir!<<;4yzfi2&?8!Uvd#!63LL$9(r=W%(
zoB^pV>tQz9as;uyOl0ZPgd1@T4|(ns@+mP23L;%e-La^Iw%nEGRlFeBG5lJGSV26Y
z1+s*t1Pc^lG5T=LXJ(^1+MUxqyteCV6>6pMu7!poR%`Tr1>!NKY%D+*38;JQ?ebC*
zQAZpd5`%;Z;Uf31h#xDzsD=R%JihwzJjfZSEyhyvhv^Jog*u=mt4RpXZ2{l-$>!?u
zfy7w`Pcuz?<qr2o5V^7BUn9@(9c6}xi7WD*ez)r}bfCnIhX7uA{dJ2kk<!H7OJqho
zqLps6Y1&>jM_pakqlU%ZEqY_3*#hw=%H-y&O*}5yuLD4lx_9k8I6MicP+tS=0m$Ki
z67=(3;S9r#NS`NxuW&B`n)O%fvMc0Qe0M)SP>uScgX}xQpWX-AcM8oU{dpkvk+v<I
z$l+Vf;<q-Iiq8{xa)mG=IXCO#(SygGW)OfYde2jL18lCFZeJtJ)L&8~m~QWPvAWIu
zP-HbJ&kOF)h$~h%ai6`9uUn0jE2~MUh^H}K3eary@lhb)@JI)#Y!Sd2OC_{9GnLlo
zwQ|H8@#WCQm+p%gM_md6iI>Vuhrc;MoeOr1)Rv7Q?Bk^})8!Kl8G=PKcq>9%)KF%4
z55-Q4UV^WH<SKv+j-&{tNNP0y*!f;x%(WE0nkAC8iuAl<PgI*RFFl~V@+RI*q%|VA
zkr7*$c%n=kPTgvTa}7HiuZ2^+C?9^UI#!VS31iL;j5WrEoiFTo9;6t-%(boFeWeW6
z&5)-S^1J#QD=gEvMjbK)vLju|<#<!tZWP}|1v83kc|ehJI6_yBX2|&P{)UW&{>WZg
zDsDC}ebGtuAT5>}vVUX%JLK-pnFz=kt}qOhk|?Rv;NO-S$hej>Py%hdXbJ8ya!1`t
z_$VAM4KQL+v<M9oM~mD17c;2qKUMRQy%YgO+Fo%J_m@P1erm7OeH5cjF#{$3E?gDD
zH1?i)`ynBdzB`t9`P=K_uar{Ne3p>)d0UZ1c=<QEf5Ov(bbc(OY*2#G``Au$*_G=8
zFegz{cIl8Bdc{DXU5=Tn;R;ooDJwm)w3MoB5EHSGM_@2mPy&81|J9f*kw)^n@TwN<
zB>K;p7?m7f-;wH)y>B!}^waahjJ+hlCcm%rJsFhLk3r=6lUaiNUdr}V?4z34&oxkW
z16?zAnjdMAzCi<ZiG5Jhdq>skDF^jg2~CiA(D&WZOm2)nuQgUcz5H}_@qd(A5`7+O
zmMojYlOo9fN)0(LQ!XOTcul;p4ji1sD-t>P<F^QH+m;`>!(gV^ZG057kpITK)r>Rk
zN2SMEA=h7+5F<ajRzg%8<NOkvZyCKbWR3XD8wPx5KZJoPb(+E`ECnqcisMa{2rbjN
zRdshi*(MssX&Fwd*0f&DS_&2HC7+`v9HP$Lyd`NBI~9ygy!Q+q41Eb2j`7TX-hU0P
zpi$|dM4f1bSQ046Sp~G+5YXEOA#fivBqcx<5}-=A2P5A~k1y&9x{)AXbRo~FH~2^W
ztA_E9QBcoeo|j5p?2qdyYcJUKh<}8Qzpst0(rUx6Ou#T9##L;PfRV#^?4a=&`!x`I
ztuD5_j!B~aKFZ*va~nr1@Nd}`<1j1r)oZ-tG@Z|%)=Ezfxp}9<1nw0WTs&?@<&npR
z_U0lyX4g05cP)9_%ojuD5j6ws5hG4#7u8jzLdyg3>B^BGJWifN0xtUQtGMia{IT!-
zeHK?&E)N#_!#het_h+KA?~p$+P_;I+1|+0C<xKq%kF<@MoD7$_f3J}bd22TKqik^c
z>c>e062Y==fdnH_#^m8ho@T<oi4bvArFwiSl~66M`yq5z-{$ItQoi<iTiekzX;i~m
zre~oKjA~%?u$ttwPf%CW>ARkWiJ#?ekkzL6c}m{<NJzc>&T9P`{<7qId!czf2uHb=
zYT0$#Tsz06&S%0gaz&Rlep-t?x<ga$GHDB*7l=$RDhO@%I5500^hJ15hl0?0?hh!1
z&c1qWmK!d;MwxQUrDnK<p=7vpJp)cOctrD(g&O+T+?Iku>ZP<<Xxca9vPGM>>P|ac
zEq?JuR!Ovx>`>=6GI(b7tETq$bnIl95&8gvjbsbHF1Eoc*^v-&*p={ygXN-Qsr!o-
z;LtJkEEpj=<tA$Q2L^=1ryBVwl>GEXeir-te6Ir>C6XUsG!K;1GUS{6J=N24v?}#1
z^{t+<U9(%%2bfNx^m94ej;&@%<=*w9hm+jbFf0tgZUtg`{V3_sxc3jO<J4trg_GFx
z1VVY;v387?<gPh2UY!;qH8mKwJBjJ6Se=&Hvh>V5axXZ&x6f!+SZ;HwfN<N~+BUv|
z2#R3m)Wz^~+}xa{zTr=NFEcQzeA7EO3Sh7kD~%e2a73Z~a9-i`jpj?}%lLUk=3T!L
zMbqC89>bp?@frLHt%{H6R&`#t&=PJjtU9ka^kV$<9#w;T_#V)~0dt-qepa`tv%5`O
z)jHqOHGX=xs=?htP4TmeZ98WdPkXjCGFK-Dh|7q4lN)%>{D_m|FC*C^RJ1T>aEFgF
z+tR^-ai>Rod~xD0S3{!M-iZ<Uv0;VrA>CrbisD0xV#B({hZM&1V#A7K1AAyPC3-7k
zM27Z6aEeDSX_WA`{@49(#7>*<S?Qfgw4=i(*h!t8-UK(lJ#7rPs6{@T9%iHC3|$8W
zqE2jI-I13VUc^OVuAg)kOzy;x?!CJsHCBJnB*B`8c?WPf_j2&ZH2y(jss60-_(i*J
zfiYAQbMyG%Gm4-HLfUv5eZQTAm(ix(eowFQOnzu<H|NCg-vyU3?K){3w{$T7<|`3L
z<g^N3RQqdOXpg~r5#j8{f-Tj?SiScBv|uk+v`i_EENH~kKzK@WK9$Wfi2T_AvRd~?
zUM9jqUXkii={IW*RjtC*6EJH2JzKLZQ}bj#W@?6}%TOaS@n>Iscdyoi*;?O{R?4<_
z2lAh-6;QMlh`0LcKcsZ>A^tIuH0)@T50_ffY)?^#STtYs2p}7E!ucLw{bLkvyyqi3
zUUy@EX{Gu9wZD`mx7z9_BHT-9u9nz%X;dvESTYy6z2TgZM9uNV()xEA^zh}eJXMK_
z|IjjuCw;t`k4_b^xSvf52m(f5L9y6zgk3R;x0(4#Fv}H?TI#S|8B6;Lkf|m*wT_wl
z!hP*D^H+5k3&QCV>ftOra+Wh|>z?^$RWrn?Dh?jmc+Psv3Ten=@(xF5*I&qEYBQ~x
z->EM%?Q>yQQD`-w#v(mu8#)qXt<cmfI6ZDwK($pXd=beHW2F{kDwtrr(AoE#gk2@-
zn!jRVV#Dfe!v2+AW+EU<+)iwP%go}YF3O22cc>tJ#XQ20H-<e1zPT+>v9)HsNo;L{
zipjKd4}VBj9W)gjK!k?Za=4%(c&g}Ane0eGGx5D=V7PaXIGjSnmas6j6+?%c8oucI
zUnLuMJl9qsp1ykB>X_06d4@jNn_s0C^GoYdj>J0!NTWIaP7;o9-4c4EK0E~#ohm;0
z>a{19nw_psJ`X;n!u)Q$A3;nhKFRVs3s0mA8>|h`B?e*gB?%~9EHxs`%~wRXQ=5=a
z70z!o`Xs6)WlBNxjq?S6AD-Or*qHR<@dBKJP*9VsME^@g#UqEHOCsN}LdQas0?1h`
zB5!C`#6G>S6xZT?%aVNza$DU%vF+|uBOPPdQ7<?+Bd=ayuMPa%>K^2kO;9%w-$xuS
ztxX)Q%T9cA%8d+lFtUT8g4xD$ZmU1m+5OUIxOG11@$i2HVuOnV1%r!F+yOE&;uf8=
z5qRbn%!4O{8V@#O+tbI01Tke9zrqg`L`PTV7+q#QJSNOIKp@^!2EM8#!3qB5gDdl2
zuBNyRvAO~3(XiJ3zIy2!?8el=c4*e{%lFVbH$*jWSgZrFeHae(qSPN7T;g_QaRT(a
zfew&zut&#s3REo%RR>xIR{#zjuq1S|Q*~fj(4W)nFGDiT23d`?cniP0#!~TB?KkeP
zryd&1>O*P|p3oXH*%}phnA(oSxIdn4{exzGV9w?`G2F-B!*$~5GSi2di8FJeZ%(fQ
zLs!-b;T`+p4@NbHca->|U-006Nt26CtC>(Vq?AeWKs>Vyk8*QTL4GC8#|L^*ET2lV
zW~@kKH`KCr4=_TD0$dt9^Dq_Qkb4Ww>bmU0!+Z;lOPsYjyuFKWHfKxn;+zp(oS*0x
z%U>Dm$}9}iuWw7#_E{b4T8j_<E$*Q25b7S;eq3VcrM}u%XEYnTp=--Pp$a>OkUX#1
z+Kqi8-&Sz`6TnX(ckvsP4lF;>cR~J^7|${81Y2-pTOxSsYW?K+@9QlCi!2Z>KFsVl
z_!gWT*#w+6;9M#=lZoa7!~U=2x5an{MV6E2w4I(fci+`Dm@NYJYRkZG9zLBsdznil
zGjI+xaJm_MEF5kstrMJ4Z37Zh4p|+W+|8+aHMFW_Aj653dSYZzT3`7V>=8*-7<#Sc
zQ~b>0EWvoT=v)apSN8^;tBM1hcwJT3`_n*TC<h65a8~Djs<jMcx`tk)TyF)m<U6(s
zGrMbI=<4u}E)%E5hxG^~&dg8rxGn$f*f8A02E9Lm-noaZ=0$*Gu&)IYfi0{+y87yu
z1B^vyXi!bOz&~S~?})s-iB*xdeJA$C1JG~cv5_79Ciaf(>^2eYv*(Q0*qyti$J0*!
ztEaYowh(V}p1<nt>0Oi@>(<Al)AA(o5AdY;L!=_lDA0xY=JQ(L@o#A=2p#1A(~90>
zZe6_aAl}Vr9@2Pl$L5tCW^6AXb8Cl*Py7G0S|4XDHt%08oUx<pdk^LLZd>eI@OEVJ
zfvt11{B69SO^DR-YRk~UAD*0lK8|HZSAfJmwXqBGQb%a0%~!du(zCJJ9RHmeZ;EeC
zTb#eKdo!bL8n*FgFu4@V(|yN`qfjM8f5(Y;g>O#02dnow@etE(Z(~1X6kF(EW9ynb
zM?8I21~ERE+gJ)-t#7+Oo|zs00p0v(mZI_#uodUTUiF{LJ-wj$6Y2{*<TfaF-@Hp6
zx6tvCew~7+Gb|%JI&yY}6lG=+9hq8`w=iqI7N=FJ8P`JRn7rR-y|-Sxnz;qoYScra
zQy{h+g&O1(jl-B*?B$Qy*PJg39bTvDNH%=t3_bU$tkb#a%=lx1VEXUo)|_F^J9bN5
zFJ=g<6e*oN4R|3>-Z-=T;4r;mNn|m%N54jYe^!5Y)r0P}U5qk2+zar}Rc4_x(}>Ys
z#)lIxsEJ*ME%KQ+<E=*>VrE}c<P;nwqu_7@EA*UUW5M1|)!KzRYk=wB`mj3!?5%tm
z{LV|3BDS6r2i>dfn@W^|Jp_wK17o8t2iy8GO`TdeGD}l4k7c6SEyT`b<ig)IIs^RD
zX?*hN;6x@DWA`1d0#zRePp@xcUwl-vHh<X>!Kmzb?+S)t?l!P*P!p@PRgT>xKScPj
z8NJyT=^-FCBAyilX2N<miajV3=wn)xRaRm)Q!H#6s>#B3Z}I@XK~WFj5*|H(-Y#n$
zr;^L0w-aYf4{txj?;G%rzoAEGGx<~vES+$Sb4nYPg1y*pEa&7yhwzR=CUgw%m>zm#
zp?aNLc;cGnHHD>gbi3R)TZrfSQxC-hY;rdlR3;5JXxvb3Q6Le0rAhdp?Yw2orPwS*
zHN7{t_7Xlaje6e5d}aIQK4E(kJI)9no@AZT5O)}={mnGUVf`6P#m%%-v-xN4iERC+
zdlt2Gf~CFnp#Qu8X<<B<o~CUD5X7%!atUIJMSd-vNCpag;l0I@$gku%xN{kM=~iDY
z;$_|<_CMf*iYKO$t>|-huTdoZi5hLIQ&{JhY%XvNJ2ZAs{l?(va3w~1&%^gF$O~Re
zV@2d??1oj(0_Ll8az(-fQ-nFl=01PA7oc#qjSz4Y3uuBAmeyANG=Y8mfjIrP1n1XQ
z$-?Zpq&E?Ci4&TB2jP8#-)+4+J%6d58N(Sl-F>`59S*mutBQh$83q)90}PP!|ER$x
zQlZ82un8WDUkp|g60tesYO^H&uN`lLVlDm=b+I?RYzz>C1J0Plu^;F@=3|b1WR4`@
z+|gJwv#<LnHX+erm(i^QNXBG$3>hhZhbD}HhAv{uC9Y2JMSg`3atHVRmWi)ZaA<5@
z@6FQWI?K?_vy%R+GLfa_Ir5R!cPb3$Sm$!pA1(g7JJdgkmJ~^f9wLE|rzK9AL(((1
z+XQVPo~n)ad>#kICltzwr2`Obs|5FS&zz>UC~q(>iE$Z4C3$CiYGo<;a*xawXePBw
zjz&;8aUjwEXa@A`rRq3?-+jEslZ2kO9pa5P-_XVBZLg=9Yh!VAvfKURAa6Y~jNpDF
zN+Sg&rvc^t7!5okPY8&`PceGGrmd@cDV%4C4Psf6nO}e19j5}Z&m|MHN%F~Vy>Ubh
zVnV}mWM%P{yPkZxT1$!gJ?!9=q?BtKbr;jHcYev9PuYzmc<_(d6~5h5ai{-J@Gs87
zmpzV(A77|J+H1yj1!#+m$kmtWoI#%^HnO4%G>loF6+3JsR%7|d-I3%3khIs+`WruC
z=B*uh&DoGm?(|pHZ;pBd+5gz&uJ#J9Fa<4KdS2+sU5Vs$#!_KHXo8t?m$1I=xgYod
z_Z$P4`@_;eLyt>0^m!Y1X`hu>(x!61$v<+SyX9-s@W}I9XQ#(;;)Gd?3+!6T^uYZc
z?9c7S_tX*6U+ZuDgcs*zy3x2Y-Hq;qFn@CZVjUeosw3qx0>2x_8~mOz6*jpyr%Q*3
zb3WnfbfXN&`B2=T%>6RoUdef{mAd8GLwO+0j=IoLD|9!_{J>o39;{}XwSIbzC+T}*
zE3kv%uJHp*se4}4Lt<F9)wjwO5m{pMaeNT^Zgj4<R`n&XSbTxl=0NWz?YhiSGI9>3
z)~}p&cx|GZ<zr`lIk7!znNh3W@Xh=To||Z@Fb_netn^1do$e2FjZ3}G4@Ewm5;~5b
z`N2#1w?pWxfD#|fd4f+|(ayy<)dl04n~S)gT`*&vTOYCWLU?;&=rGC_`sRcw8#hHe
z`c{%U)s#z3fx6sZcQ1c(>@8~K2hZ^>FvUA~MTb(x<1^n2rX8p6ShCd}oaRr91I-(X
zYP&S+cL9IF2vbj}r1s0!Yn*S|N#Dnpq0h83>S6z{2=%lp&CaPL{D9c?V2va1e$}(J
zGxTMC4CpGh?{kJx`<3mq3&WN9_<7Td*Um1n8t55<I3oSa@<Yt{`}SGMfmYwVW-Xxn
zG47t)cNd%cP|YfyU2E`Y{lwC%^<9Hd>znS>>UI-)#{c`j;pdwp&sMmyLnxGk<0~vL
zz_HG3c(dE?aGB4<(cDQ8J~eOBFn^1dLJIGXapuIM57g__{25wpIi;z=ry8Bk{+$y$
ziRx{kPvl_JBHgo2_BWlf-TB;bzx89=n|Iy+oYt;4X?ml-MQn!FZ%pXy;^qQ%W@x4}
z_|`kSoBkhr?*blWb@hEG5FjWzQG;NMZERyDRa+uhh=-EVMDNjw(t4ux*kY}%)>4=O
zthNRx5vJp`Xj`AQZ*6Vu!Ja;CwTdT9Kn`l<WJNrJsIZ49CoPGH<oo^CzGpHMu+Q_n
z*Z02Pb-mxmrJ4KQ_dcw>_F8MNz4qE`?^b^jAMS@&+#zMR5A|wRJ(=-@?Qnm^tY+GC
z`5|3T=lkaYUEm>nz#UKuVTf;R{EBV6BdF_S75d$)S|<!lo*$Bv`?>*<Y>a0Hz>kTu
zVr(WtpFt)Pxqm1(khQ)$WadYB3$ot=ebcIlqFWwspu-~``kCmrdEp|@BnGdi$G-X6
zQ)b_L$p63-0&}i_iRFQL`8^xqj|Q3jXb(7!W01;c;7Bkc$euy_5oj{GpNKA`|DPD&
z6xKt&ecx(+e55}Tu4P9-h5Yw6pK=6J>jccbX{ae2u$VTASr`mSKkXWT(aXti1sNb^
zFSUGaOo2Uap@0l`UB?&TlQ1;RjB9i*E_3hWBmo6q8_QhG!sJrSc$cDhT+Au#x2Ihl
zYj|bG>5=;fV)2U;#J_GWO3HU<kkGI=@j&zuak>nKB33_VCBGzM-KQTNRyA7*C7zBx
zqG9S<?Bz3ncRhq&y`TnI{W|ogC!2{)=k^oBWnya}fAkRvq^=*hhfm_1)FZd)<;GAS
zx22=sKl*pJGwo*>9?e%IFKGxt^rUG2?RSO6MOq|j$Ho|Ck=%#A|2(hQGUM6i%KWlF
zI|>h9%$y7O)H-2sr2Q`{LY21pfOo+VcW1u7WL$M=@j0-Wd4%wBYZG6hK0lIpEgl>r
zh@6VZkDI|b$>yU|7z?hLZdl8g`NA0fj%#J#E<t$U5x$ndad~_$>Ut5pQ0GX|TRgoo
zhP=e!6KhzV+}`zAI4?vW*6?-R6Mfk5dY7AWq9)Y*e%EM4k1CPY(zDaAM(Uuhf~I|g
zm(d@>5+YLs!TX8DXO0pNi4C-kR-#MeQHnOVXudvnz3#T1;Lr2={nF!lG{5a@el}Y;
zHttU=#?p}(2Y{0Rtz*y?g7iT5ZnsxdRy9ZiIGRk!S7}FHzIlC7u3G1)nd5b+J^f7A
z!FhhQAZQ9I_Tg9q_Jrit7~&U&{sq|x)&U>`f>)~@u|)#HB=4efz`ajlNsB~ox*E%9
zOZv(BCkpfJ<|-D)0aoko*O2m<hL&OC3{tDh<^|<Lf`e9ZyqUiI|DXSlLQ5>QD-xO0
zi#~uh7=bi~L~fD+B$mom{(qPpS~!t-tj)v!ITAosd2%hRGcXdl6<HGzqnNV~6G3uQ
zsDIQykt0lRpT4QNbcH5TJHfzApje1+<50}*nM?|^BrvCHH<<0KID26kHXy4PGc;xH
zp3gARWCpjO&NPh0>=KY`bUbp}i539w6sC(avZMZ`O@`1-`9=9ABOKVLck%SgvGk&O
zvCJW{OcHS<BVgvF&GF19Bs@}!nF`)*iQG-FqL0TTcVEs*ypws_#J7dDBe=pM<N#)z
zSKaT!FIDmMbv?n-3fpaoHEc=#N@0da(_k!fA`KEqlXIS2Dn?kmE%EX$_X<7mRi*}(
z*RSTH&P=7B2V$9~XUlNxXjs-5xs{X1%VKE~VwrKPSpNs9=QzW-&61=|<LMG>Sd)Az
z$eide(g^BS=mLnw$o=e)pU6*dw62pQlT)5R;p@Z?bTJ!jcdrT}cXtQnJA!mI0*<I|
z4NH>iki5m4d4g_qkm7p0()7Ii)i_~ph-WWBCtg~ruZH`a_?Vw&=ABAL1gnPawMUtc
zF%)PjvQ%Db;zTHs#Z?KDdcVbhKkr_GB`1H;py*Rm1__u&Zt6J2#XJjzXQc@B+&JDe
z7K*ls(1)4$lRZJ_hME9>p-xv53|(2jI@Y~SZzP6qMzjCS3~ukZcE1=GP_(a(MVeQl
zin2iT<G`Rm%OjXNynbl<CKJ)2ONSWTOHa2=tYGQsX1p@{i6*K`^9x(OaJYqys_ZHF
zIIh+NxT{Zp4bn^~4(u+h43?@!)R3Ouq;rdo<7(o8z74-o7KGbV;-oVEZ&hxCXZD^d
zc7WJ;BO!V|W+XF!z)JDVSJ6z~jy1e9?ZCYGi<02S_6=lN?iwp?jo2$4i7VnnJ(X4Q
z40Q50RJ$2rm%8yFTDLALl4#;c97Fzd_~o})Mi&ACM9M7ujlNBX`P`?|oBIZT?5S8|
z2<Q94nG4PO*hJ!)ne1oojNBxfc3eipuJZhCVHd#9Yy0#8Av4l;8~IpxE-XuM$0+-$
zuuSCCZRieRx3{`?fQ@b&1hUVa(_(r<wpu&iw1I7QtD6XJ;^`it<f9?J6}getsg?1v
z^<j{DkMWWZWmUcEyjspzE&QM%<_}awFR>FT;N5IyxvS{Br?1jHxnq%ygu$^~L8N&}
z2rpc`*hM|a8mWjuE5F4b<bpgRyM7Srf8JMBhzlCJBW*t3&S?+=YYrkuv)`^gNnt91
zcs;+WtEy-`mHK6mySIbv<Z{B-!LxF>)pm4NGo&nF$z#yqkbmE)LRRMm@<%~{l8~ra
z)T&<=D%~z6f{DVi0s?F-dsvj+_3L^1g8jS@*f~$v?p~IWGOP=S1@l>9y+8Wx$Ttt<
z{~>$nxHw})4vMH-k~I7gft*$)#W!*gmjNPQN(IU2Mee9E(w$ocuK1}CJ{aHA8KCVw
zcblzgBkebnqdEO*W`A4h#4{IHMZ2HpI965j&{v}!xgqQ>uBv-3ayR?vcdv-1ca=X$
zjA(`7hVSd+Q#Lh6?#H%gdVQv1c`S3%Q%o_BBZ}XRmG{Kc70b0pt*z+wR*K-=Ge*Ux
z>@t0M*c!z33JeZwOyu)z=4SEq-uz>uu05Z<JMy%xhZ94spx^*_dbriyXCIQAn$zp8
zZ<+nspNw{|Z63Nl+Tql(j=H6hyH}?7MDFg4+`YYgNBR(QMDBi$$ZM(VD$AgbM2v{w
z?9nm!Q+nwt+gr@9%q^K=OE78B&1Fob&+)r5UQYO#VfMv(Rn8i&dWq-NQ!8gaabbOj
zb&d0-d-u;`CjV=JC`eM)^{@!`M2Vn16{5VZm?*#ZDM=xR2!;^01f4w-gL*C|IWDLh
zz!{?SK#h1vo8fvRz;P3)-?;(Ll^rv%QsLj1-hqXob29`~u`+nZrPh~wIcoHR^71dv
zlXSi{*vqTdUF9>c2r_4j<q*FFqsDGWW!q;SQs2?GIx#+$O_sZ;U%PWLadTDbwTZSf
zoqqm|>`5+I+JPMC4LH>GOh@qXAxu}SA_1u&P-xuGNAsb~-mZ-ZlcM<vajEcOEJSap
z!l#-$b28N{*zv1k{i%6gA~Ds|m^e6y+_`Z2oAI=KPJMY#fXkDdgY2N%(0+(-5K<=q
zF;)3E;hAxGdG1V3lo(N*r{m@~G9JN${L#PG`qlEWM#`X`tjggE(U=$%v~N#r;i9J^
z`=<?g=la2UdxG%k=BV?jjv-9k1B-{hAm6wj#E!cL={2Fss7<`eoeLq<A1@9%w+xJx
z|0~|`&C0~l?(3{emp030fLNDFok(@zoZaj<oaU1QiFO*23{Lo&HwsSB@sF{Dxksh2
zejxPI&t-?n3&eWGc#Xrlxv3}h>V)8#jj^HQR3r&^=A}MJ4dn@BA@A32BhTzHroOUc
z9l7zxR5s)6xa}UUlq#^E>W0KJ6=j{T4usCyFlU(AD7~_aDF}W|FVSjrqt7;OjAh%>
z*tRqI70*43lP?9?>qp?SB%yP(uiDCJ(5+mM+FFh#nJ+tcCL(8H^4UDkc{^d<X0EP3
zw0@^M<7iESn+P`8^}8$PT_|Mr8gE*@V){?Nqrr%#UY{r(KIrTktU+-Pf>5zkyxe)7
zS{S+U@ANyCdVk`K^KBYwSTy}OBpz(`e1JgBHZANSMA-`{aIX#w=gCYp3Z{djCNZlm
zNn$yWIV*w7+j&N3ODW@rM)W8}<<#KBiz}y}9QA~WR6=sIyHdB_%e@NbwC9>YCNugo
zo13uHKeIj<+7qPtfRQa|xVUoW^BT;eBhTzl@4RbbW8}w6AkD!9_I1~DE<rP@E*dBr
z`4WD_p39~rJcK4jF?c=R&=I*&n@^FpKk=6k{u5`MF7B%DI4e7BA#@YVARW`gFu)*1
z#ILx-Y6D}*%r^)|JmW(JeqCCz(05yE&gqpiw}@`p9}ZbIPNmTY8_5z)zgWLBTK7EO
zVGE1m#b*WpoqCT^B()hBmq5%-jKec7J`~mW6g010TGvVKg#M^~|N5O5=B6XPj4uFv
zgGS<I4}b3KV4_c-5PgKeMA~jpUnN5#1^k#6@^y?(j9y{~)3(i(Sme*D>KbbGZ#I48
z`c?WK^@>r$!fEx<`LxqJvrbJPZ<P)ceA7;`8VTi}=<Ep^5(|4~yy;6dA?0L$J72OL
zOV`hlaF%9t%nLOof1wm#b=Pv$_df?ehTLNK)jxwDKAU!4=FpkfHf4sear)gawXdEv
zLp>O4J*bp?M*qU=A`kt{y6JB+4R?JkuYZ03{8T8==Y{>aO)rA~+F#*{e|y-Ym#>)D
z{X#U2qnbKt8rYL1?h(Gfafl~=;%S^DTg8A;apu5PJ<(O~VqT5bcScjMl{crKY(C=o
zXlg@wQ+hu;>+~B@Sm;t=x?PaDri$f9Ra4!Irci|NpOI-=+;ev3>c?R;T&&qP&c*At
z#OfBun3U_c$Ln4Ei0$zswnfu>nu(HF&ndq(BnF+iiOp;{bh?Sr^vlghyfAcm^oYex
zN3250iq`EIx}^Dt%}qmj+Yuf5L`+lCZ4zfd=N%LZ^BekvO_?OL0<s@p*03dd<Y<Ti
zmSrvKm#lf6fiq|Ur~B$y!Af<&l**!rB=k)8j7d3;DxqD5d*9(Q^$FsL7U;c1UWUsX
zZW<tXB7P_h-8c}Oz-bs+v0n!|t_FzV@)TWKQLE81uat+B&a|Y77=BE>#d_y=`k1=j
z!6VFYwio}}c3;iymc0d?95?Rz7wbE`JY}vMIBFrbg(dtVX-2WESwkI?G;aqDj(x0b
z#b(X$AL+UfK4cec;7C0Bf;90lIx77TGr>%Zagzbok{0~3B`<yBS6Ji8TC5ngZ17aL
zg5A2_oJvmf--*`&ruUvN%^W0+it80@=1jd=>OpPB>^JgQ(KyjdTpei59vYsDw0#nc
z#T&X3huW;a&TZHsEpdrZ`=sF{&eh9)fvw|v_mb8kXOKKzbKq6$q*&_uCxq8nLrZ1k
z#;v57g1NeWr{O<S@mw>=Y1kGOcJMw)S3K8}so-ek8l=3Cs&L69daeD*<kM2kP^IL$
z`s9png60)nM-=EISgKP5%$I!DT0rYevXP(35#PSm$l26p2I){gjyijf($cP58cWwU
zlR#`uQ+iwJx}VAtpCT|B_Mt<=in<<_oW=hq&7RVm?jgn|yyxsuw9u|Qq6?Vgdb@t&
z%0BMx{iwSHpI|Y$+E(Y8k7Nc!?q=uZ+Rvkp=}NpIrrEOpuB!!>3qDvtD%KFTrc9#R
zn8SmpWKYWMLzV$P%j?}QlF1VV^4dLRORofL1KSZ$X|->So10-}=2L2aG2%4e{v6wg
z>1%(T`>j{%j!GY0(tKl~{dMj}pQWPv<@C{EW5DOmwDyy4rH@un&VM5>R`!z@unIOU
zxpMDQUg-Rtc2^`XhIwC^P+t7>h<@?{EovX~>A%_Dq7Q7Zu77)>e_VLY$+H%rHTCA?
z5)m1|xCp;0v7Ct}9&Ce9Sg3(X6gF591dJ;uC_!Hu?E!)5O%n%_LDh_bL26qFFxobb
zlvoC1B6`MQvCL^zUHf}|6r)Q5mbiYc^Z*G(6NZmcp9#Z*^7G@~@-RE@Xjx}g<2>Y7
ziE#;`UiVicblEaajAt*_`QyY<tXG>6l`~+rb!TLTt<`Z*jA3it<J=t?1BRHaJugHv
zgQJnVo6)I;1eud+-C%P}V&C8GHeaBo+Mr-$h_ruKoliYJxnKb?bCBm>Oe?udV6TEc
zCqCqO{t|bbUB3Nz0X<w+l)Sa@CS=*w9AUrhz^so4W6o1_3z^24TdW1w{83prnnL?V
zXkW9%>a3Dsy|TU|d)l5<&w-ISPhj0*n;N|^jf-LWS&eIcJV)CwYJ~ORp5uN3&K-mX
z7Z%rxQtuKqZ>{=mY8oA!sF2!o5>y&=ZX6)@G-gwbY>hjYoWzAmtl3PTJ_h{xQTm!j
zX{*~GYoSk=jHqLCQf{`}0VKp<>OJK2PSKH!f(x1sFUtli(+lOXe^W2X*)tw%eRojg
zCPLGcr8a-5br;V!@NDfzA3;*Fy6JXJ<|Wlsdu7qMt+rYppS7=XGvILkuxi{Dh+hxn
zy?GGNQsF5TwThYzy^qZO5o}yBFV!_BnDU~DYMm3j>D#n#C(puTXUyH*;uA_6!vyxg
z&c`G>>ZYnL!&Fl1&Ot6&lf+z99f*=j?v5x6y#ut<ahbe3_FY-xtL|@fJ*?n8=!C1b
zal-(;k+vVwwrq=IPl+txeunHhE7NN^r4YGkA`NBFc}zH*BQ+$|HJ;AoK1Fh#ep|m&
zc5HHKbZN6qV_ko6PuV`YeCBS?{g8G-dQG_t@IXv=XNPGi2oJOPlTS_O){4}tC)rZ0
zVi!Vy>xd|1SjHNd<Is?&<CGg8{G@BaJhc~TFC#hMrsd6zwv3HsDL00Ew?!WTUA;Ng
z<r=u;Bjvty5}nW`FsZH!)Cpp`QM1YS=y?x*2DC%`GN8S);9gwK<xkkbZxOe&)y^kD
zs^S~WU$}_pj~x>qn<h}}BW)*(3eubLK1nUC$j<KFvu98Dsw0*i*~-5}F5TIgtNKH0
zE9=0fPW({@1d*my>7|WjOM}!41B1HF!R%dsqYa|?fFmaVNPC+eII=Zmw`|^F|7;>}
zSUTf4c0xG8Hsh0#1*i08r>;zQ>Ojtn7qe3z<6+RuX~LSc2Yf%5&b0I1I6O2doa$D$
z!8WlTu};AR-hC<3E}uBO7}a<0!Wi-$yBT;fSG2ynAB&gr&8_bq;LlqwsgNf!mlWqF
zgYkK(+?Qa#nWxxz=guL?m$z)fkS(0E)An#vL^Yz1S#w+0-DYIST|@5q3`=kBay@B3
zHg^zDZYJXx(vhFe_ccFi^7ZQZhGIq0^Aod{I|$0$_Y6FuwEq10U~^+$fsNx?l+vdl
zh{-m(;}8OWHra@#SwbITUd@wj#?QKQ!uXng@F-zw!0<de|7<fO=P@nzPOE9jk+w3<
zYI_qrSz9TcFE*EF{Zq~J{G)2VgU5W9yTW8;xu-8nM^Tn#MOjw%Wm#X8#T8}Q)|W-C
z<QuY;5}(wNX#_mGJ;+4{IsFPRGRYj|)&KDbTe~kQiIRF!ZCL^%`AJM4TinUq!|lI(
zMuIcbX5oE`Wb)Sr8#xN|r4jt|^I-Po+E!YNXZ^)Q@$8RkJM8`Ewd?KIhvY&{#oms;
zJ{!VzaMqo|CCHiyPS7ulCAJ@*bI00?<yq%y>_vr^x@w+t7eS2u+O-7`RkM(AQ@JKM
zJb+7|68Lrhdzf-xEw0b!HP>`16J#}|^+9&~?pyAoef7w^W*g^)%xO;SvJ@<)lkC(1
zytaZKji$TnHID(-@9em@cL?|q@oXsqa}U9ptlyZV?FjHltJPiP_9~lvJYUwL<0&5#
z|2hwq@bAW3gTk^JjKePiq`gDKP($mH_7)lg?RGb_#%#2m4|jXG$yg`2^N?Br-CQ=>
zN{z5m-EMrYI9qD{#J+sk!6$NrogI5S*J5PBY|T+v8$%W}QsWz4HF}ASrJ4gLeKlB1
zf3eknLI=mY!;VSByaJ*B8~A2gDIWta$mCCUQ-O6*0*tmND4qgxAqWueSjw$>)`H;)
zd5f0BJ$-K4zi&%N>ExS_!@}jYRW0dtEeijCwT5CbYfx|2_6=VxeSA?%`e{>Ky6XHo
z*Ixt0=C6Dgu%egam|a%xu3}jYi?>U&^Nxvb8QL(b!GGw$!Xyx47b)rN>S&$Dra^on
z1O*NkG^Ox9koWbVYlU^e=zz`($*hlrzsZK=fH_>66VAkO(1Df5yWoOpDM!RFSQfeI
zLWWYAYLp3IMlL?|7z;Nk^^N9)SA2T}#$-<Ff!Kip^D-hp5)Y||%Bk}ru1QMcG(s2$
z8v$LG$f4mis+xVS@Yp;9C&?P;UE(vyj9V7Zp7b=2WoKlnk88;e8yz&PiQISvG#y)7
z4sYVMqLqDlEM1=4NH+8i_Gr*;Ybfn&OAI<A6F;s;jY!~{_+J;KD^;VK$54wQJZzFP
z+(D)S7;m<T175D7E%CCXao^<P=N~sR9I|#Yc!B&oq#5g=nI4KNA{+e3CX~cbp$p@~
zumNgIa@~$%2ogcTfDXfvI}lhW08y3uhYg{}L@Zl98q)Z_RK*}OKm#Ug#kyF!Vze7;
zO-9;uuG+Ib)G~(1HL>)IVy+1cdG364RIe{YAHyuxo7=28TPiJ8mgPDi2rlR1mXDV7
zhL-euD)MoPgrJ=yTXLlBA5bQqHL%buQNmO=|5<J)Nj=fKK$WQNshHG7X0w9B*knD0
z7&GNL0;cr30}n=z19Bl;NKUUS#;pJ@MX<-e0xC3uDt9+)7xBg@^)Y*rxfW0dYc=;c
zvRt1;4&oE+f4D4myHS3|Y|qhr*entL6taPqRjK|J15q--zI}H(@{Y>qa?*&7Ud^~+
zCS<_GD7=nl9es5z@#(qLtR`~fr;rRD@49?ul6dqoF(ns&NgAt{HX!2QD>aKZ%eJMf
zLrqM<c*1Qc|F2)C;beX($Vq({??>7%rcZbiMDE5TxuRAP?xf(ieTy9>p`g)(??tK(
z&ma?T@$|4-_n=LCEVTr`m%KnlJ}wgTHJXuWT^J6-z59wl*k}G1O$cIr@HRn_1F`^E
z{wv50wX)5qDDezh0NCjV&hPPL^(IA>m)uX~*J?C^o6Y3_rSU!p2yCss&UJbYXy0RE
zt&aqLYT`4}zR}V{p~Bu-YIJ#yy==Cbmi6YoKs}PnAFTf_>t~O`$SWDCOIsNBz3kVA
za7I}3!`}Amp^<*}D22M%9{Lzb6=r7>>*kwdigaI`#_BtCnoGei3ML_BM}JjZlR=fc
z&2z(C8DRr<1mx2FN`0^UE=+H>$i!h?NpA-d7qWA=&P`)RMrM6C6i5h#8sm-7RL;Ap
zq`raUt$|scU5ADGn!h_u_59J-^BFWZz3y*0uU(hV2hj;772ZU5ICh*d#YR=2>v}P?
zkUryHIiTNx4nICvZO6|#QQ-i%*NdAU5{KoQp7-My#;Pj#n+2G>f=n6y1-9eAXuibW
zqWQAG+J274JHH;melz>cpBTzar7}p1&beuM&}YxN6EVmJB(8$#f4C#pGukY+R&7qb
zH!z5tjfUZ0ssg)iq=V=U>-WSP)<@=ifpV#dkUS$<VoVUWHMEoTkUTJ+cCpl(<t^E7
z;H`da>OBlVGM2|OUyv~`(w5>Sj#Cia-dq0`C&Es>d0^SR1*~mIzOX#RcPtaF$`1P%
ziA<gqRqR5h7tY?GrC*XO(cVh#7t0PC%NdRV$&YpJsz|NJS9kFMJChqsSxxXV4trIP
zh|X>9jm|x9PmtPz<lEDm{6kDzn;3|aKTyEiMv21FEs8~XG-MN9(yVz6TwxYOlvTRV
zto6r|70p*zgaAf`r}{LDvmO@O^Oki51kc+)ta=NK)9a?bU=;dCCiceOWMv+CXJ(s@
zEQ?Qh+q5ejyV7erdp=sfsBRJRv^u9r34MS)d<9uV+1lgg!|ReAmw-6{uhumymuceO
z6=Z*2+e!hPPyw9=F4GL5`A4Z5oGX0-7yi0>znp9zK{euZ6ri`T7P0teO7$fu#DuYH
zX!eXT*;B?#0h$^)t+P;XzP`E5%;%;hJ9VPctuZ|u|9i|lhY(-f+ob#|{w_ooS`;c{
zJZ)b2e;9_FT=~m6Zps1<X@%*5K5Lc~+nviXXuWRUe&Ky#_y})LuL&dU#L`cjc_zF#
zY;Av|%rbA3(Wy=yo<vc?S70;dnFnP`@irQ5Qv40^8rr{pOt;NvSjg8(YcMTya)qnK
ziA|PTRFS>WEH|r<;IOQ>+$`+eoVVO8<g}tJH!q|+%Q}P9ix_UYmNbp3I)Fb1u{-)!
z;@jHgOz$#}B~^bE7$EF?-ZHGP7diWAu)g4i@Ez-5^2<`X)So^9bOE%dF88xZ7S1a%
z@enZoK5ntfeU@>aXVP>B2RBzgKL7%^tys5-?seU1@-+GgnC|Vmjd%*OsSrv&o<003
z!kX!ND;&s>F}BNsJ-Z-T(7<KCy&UbwWBKaZ%C4imp5{fj>`4Q>M;R-8?BZpKE24N>
zgG#oePfo9lPeH;<-a`6Nl^G1`S#n+OXN!@d+PZ}-cp$GaZYI*Iz2k;EZOd9(5!)g8
zO%skW=C5(me$sq&+up7h-MN+Oj-MaByv#e8KW)(;%%mcp@9cd(_G}v0x`bE`zJj!i
zy4zMen%v%wQzPyV)h|GlCRRq0F&WRAaqO8YSU<E`$K3pN#=qbHqih%KFW}@I*IlTH
zcr@8a+pVOBOQ)>QI`;;WoUV)wPA;oKAk4W&Wx?vzMQL9o?d)vR(2DsLfMOR4M^o!7
z&(2D}0l!b-Y4^{d?irl!UPJdzvPfW+Rp0SohlgB0dC2odAoxU!JNlxvjQ;Vso}YZi
z|5;Pey-aw)$-iVWiQKeF)iQAae_8ag8vZ`q$REk8KxyU^1gseFrh+7vU#^<iv{I&6
zP^9tXY^wmCAlp_uLBF7pD7GF>qZrXh)tT9f8-naHgePL(1Ki2N%~thDH+eP7hK6<1
zx`dC>F2<{##<+<*i9g3%iUb^Dw=Jg?Wonl89bVBRJSl=G@MNTYW+iSCXpzLB;6w4W
zFfTY+lVD`dBUVYz*^xQAH%Ra`VtN=6eMm!RyvD%=9P;@;)iW|U?8PAU+Ab~sgBB@Q
z95o>Muns2WRL4O2J1O@ZjElcW_K^?=g#NU<4qR>({ULchHG?Z9j?wfn)EZW{@}2H+
zGVxLA+Zhvy^9clgY^uFFrF#$e2P`k*g@M3;Hw>I?m4F(YZ^_YUR4!662iv-~+76zD
z%?UE+EqKW&f9@?R#m*M#Nc+w1ew59yb=^A_&w4|apbi+&Soceu*29Ik1wyW_wOi8i
z>tL<c$gU>EsIvkXSi~EoAE|A%U(5xQdi@2j?)Ik{QRX^yDzL!1#l6VbQm)G1pw|A5
z=!el5qYO26&VP$LY6TcXYz1sBooXG<latH@K1|<bMx>G&h$GRd`xXI1h0mXaRbr-q
zUIS&h*|Z3EDQznUfg@-XVppK{xd0tc|JkBew`eQj&$V|bi51u^vvFiU2lQ9d?Nld|
znHRovR^{v*s=o~ri%mRzpM`yorI#xZtcm`eERI8DSX9_un(c9KbE$vme7>&#ose7=
zC#Z_*lfE;L-<I^7K_(A}2Q8L8y*!@r4QS^oWns0&XX@r<>VZn)Q!iT%3&`tPZf7s5
z9~oqCwuP&pvo?gVmh>xKpO0l{II&v*EuzVvFQ8-D?_!+d(w3eOYV<ocU6+g$s#<9v
zZ<<i6fqV2R9S<SmP9)WCNR_p-+lFJqa@CsnnIHii-#A1U&QnClobxPGRIZypeg0}9
z!48^nV=11iLPzlVC9VdM9(}BezYo{&$HbM=a&f8%^;hK+OGh88<nP1EZ26Ryt0kY%
z(ZNeN-y8i*c1I%KLWcM<6Bs_!W?z}iUg;1h$o+Ut;rl7}J+AR(DTH^$3is6=g|D^t
zRf|boTQc32kmS80^38(+RO`q=hsqm1_eJ}_d?&IW?Uq3BzWKJPe97sab5?3R_U48O
zXpqg+*zImFWNerHw`ls4ZEQkr8JR<bdwR$to_%%v{5j?Qb2FA<2Le;(77)kriRa6}
z2~7Ow+WGdoIKTeF4}jZfyUNqg+a94jDXTZ*u!-*(Zqax;;>w4g>7Me$8D5BKs}y#u
z+b;L%q32@KYk*P`SKIXN?`OeH_s`}&pa^r)f*+npqYvs&*H7zrc70DZ)rcG+#gGoU
zxq*p0jF6d~%J78r$h{}y6(Zxp$-+`&?hG3N%BwRX_^{jJ4)HM(i|8xpy)bkK)cS~V
zzWC=3a-el01lVcHGjmINjr14~Ob%-oKC&T579mqXgxvkhG;wW<enH`WqF<C@XF?MD
zt2T?_V?jYS<7&^~Vt6fKOte-vDkr_mbG+wrHCgEVxRrgK=V(Q0NdW<_fyR-hg#k4*
z6oxc+0(2q?3qG9W%RMwJplqD8*HRZ^4Pi@+BqT$S7Z-Y&<Rje)N9saLdQ%KjEvu47
zl+wJ!(ZY19Y`0Ur<qA54-8nfZM=rd#9%ozo^4bZBi`5?#?H11UrMKlfrX|U`p!_WX
zJ=tBe)P!RD)wPX@#UAC#OsPWtb;SbcGItUs2+Q)57D5~`reG34^5Rq&)vya32BP0A
z(+S?__tnIqxdyh0DgIleZHgXI5_gs{`J8XOCq*c|W$6$Ii$(h`HwzsQZp}^LtGnv`
z_lrYZ<?RDlslywy%t~+<P?V^&8hoj=S2HVSFRz^h2bvO&p2XuA_`>AYNPg|1CjT%Y
z|Inxh@=nU<ot*!2nI7CUL^JaDEUjd#n6`$w^>kP|>{_GNO>U*$VJX2<(59foVg6cD
z)G2{oq)suOrYCQ5!>#h<of2QT-J`KgmL5UjMo#SQ#Cv)h=NGE|c?a{n<Ge$p?Gt3;
z%tPmNry-fFgI%05g-Zxs1J=j&P-ukL7ctL!2RxNCPmsu+OQt*g=TOp~WQqk6b>_q2
zoIaev34yB&lLnBKM^K!3#Uwx$#?NDz{+Kb#^lg3BKR!;)qjZ)YME<S(x~WVOQpXac
z_H|sBy84dqtbc;zHp}S4hnck6C_+B#hk});AFn7yXFiZ3Tis<g??&3cXdHSyGl~$o
zjyxVG|9O4CE7T_`R2A08>Jn7w77X{Op<-5js91f3X-o=`Ze++Wc-`|}Z))34F}s?<
z_M7Z-57oN)SzqS9d>JMFHY_6##hgxT^z~N<s8&SUckrctr^Ru#`s`p8>7Qg!NRNw`
zSP;Y-_C(s{dWa)su8!aQyd!56efukw*RRg~gP(AChcXAM6CbxE^PRW}O3od^yL;)~
z5_a_QfwhXB{bm(906gdoNty^NNvMA@n7yZrhnZ7?^lRo-`HnXFq&0Fd_Z7R|1l!sM
zPbh9TYMZtSvMgIEHP6nE5+8z~V+}iW4#!suJNb5!hrmW^S#0E8pSxagpAnQs=i&M5
ze&WKfs-zwuATIO1p(WyDG(^|8B8Fry6QxQ!9T|kn-XQDO#^%$Z>5yDklF7u$R6U?Q
zwDMymd6tORKP^5B%<#X<n<2lb7cfOyjgs?=de;giN|0&r6+c~b#+9aL{mI_0ubqm6
zb^fqbu^izziSgeIFMq^;V5e1`l@$a-6XMr3E-BRC)~0XdS<i1g`<vPhy_3t<xp#yw
zW5i<LTO=u}?bFuqX^fk}li1{%FlDs6+@4su(!qkPCHgh18|2?GEnWFiB5PY|#pFyC
zwCBdMlFD~}iZPF->`2=MdJX~A)Ew*^S_Z$->Z6V^rapW6lU~S4d$V+I!Y_HTGPxya
zp2D(>t?I`N6fF80OLw@dc#Ji45TTMi%4K9$#QBx_&7RTADZB1ftk0Hq02Sxw)(71y
zgCm;O^vE~R!svr<Rd}Q=4z8UY(0P^?36W=8Vb}Bn2p~_{ZWFiwyzft>5sAvtGN-bU
zgpqHf`yT$6f?fW8VQUXq{=_N&bFE$LTWgn<GDv|(wrBZkN}dmjp3}9~9-kVDR%;oG
z%IUV7Fx}+ea*W6%)xVg#o*(Yk!Qnedzsx+Oq0PyQfmkV;8z)JNpKPBOhrQU2=%Hh6
zFH=3kIgCX|Z|>U^@k?bp5-{T#3$0-L{#@9ltwUCW)bqINtLgf#Em|0YZg;Dn&Dv)O
ziIVm<o&Fp@TVd}qQVm_US!NSt4aC5IAH<%8(TRm{9;YgFl8ZHNKxkHL$7ZFYe2(^S
zTGHPA6;VJX|82ThVOj~-Kx<Zdo<HvCw@ao2;w#H}y(PU^ha3KJ-Z`v&_TgEr&<Hi=
zR(QSa*9q3xSw`GD$`|dRHG&Ndg)n1cRorc2VvIZ0t6w)r>^3S{#*a_=#IIW-vd9t-
z^NB6do#o|;v)wM+JWhNfMPRxH>9m-B^OFf%29HnnLL!Wh5KMX7=$`p$tGk=s`L2K1
zyn+&9`&Hf^JKsIN<9(*qygk+~b`6iIg93K3fKY}iVnzJM<`T9P<yF^8I!skE_sk_t
zTQz?+JxP44T>K}>xGa2B@|EGU8~>!|*Iwp9&1j7lfnyJtQFa=JzW(2voWk)D2m#R8
zKu*#FU0BbLfylE{8voR_ZT@jzypYdg>O3#xt|>x_kw{pJsrf!jV^NksE%HwdnRd^!
zyYp?&m{;-9D|i0|%;yKm{T&5KvO^ntGT*J|*GNO&x|ap%YMj};mK(=DqAqJ4cn7)S
z2(%9S{gL%UzGMOx5rWKO?zqT13?P14U&$mmT1&@~ZrUS~E4}XP{A%rmVzR<rtVGy*
zw0!s`=?i2VSPtCyC)!u5W`#S>UQDh(=Z>@&YigYv$qRL`0%ms*PzwAJX+L2Qkh42T
zYROzmH?%C3b3d_Py7QfNf3ckn_>5kyr<Xx`RIObwP|#;VgFb|KlEb;jQ|=k$%N6rX
zC+&5E76`uy;(7Y)L3&ti?yuy~eBdi)(;PjcqSihCC^#UWuq;t~E7{l(W0E(22=}1A
zXE5yPW76vILlN#@c~lC?Rqh*1v_dY%1CmuBuG(m{1E94>$-*C8+mL8*s@w?_(GXw*
zu_7v2gO7}r^JDDGF-CY6N^{hB$|<DEz5kdB^JIndv>>Mt@~I}=Og7jowypqeA5j2_
zd6wW|=I*tccv5vht_rC^q`?!>`u>MzHg!^34aP5KwyOok%i5(H-J-jESUe-jwS<+v
zsug>?RzzXTy{;Ff3&ZBul;a+sgG-cnS?OOAM`?<oFV$G-yWJforjjQVeC*tTCYqDz
z7wC6Zt^1R&b9mSY=hZDC(w1a0i>2Aq5Xe{|2#NVZi=3lg&8^&BSl9UN)l&>bSF6Lv
z)aJ54lc%?^+D-0MUv2xDOcMfGvVtCZ_$3v1!KF2wcgJ`Qy-ef(Ve-=f(`&c77B6|*
z2a#%3%f-Si^jWu2OPILTJrgFrNTS-S@=ZkAzD~aoIIyz0Ah@qTZl&k`lMLPh<~D_G
zzb|4njLNLj?N)^8Zzx?V28svqeZ$lhmK$|cCUHuQ&I>fq@j+9Gl#Hn~>|PJiqmW^S
z^<snz&@nRLL&DtOBEn$^jf$Q%iZ)r*g(+4W;u1l>_42V@qPJAK{u^Kl()9uZX4XCO
zio!KYECU3dkXzC(iAF`ctS*foiyQuP*svy)aEUq8YP*(0Dj{FPfRJCfe}mLBHn^NE
z6SxD$h>I&|&b2-mGN%cHke4pf)(ZJ@XYP``%2TL8358m1qS0gc?0&KNea4zS3Wghd
zLI~R@#EHiA-t(sio0~{Y_wg738VWb~)HW^Rb8kcOF=*3wVQ;MD9z|8jX9!{7qDe#m
zER(x~kD(pF{Hr+bn3)Mv-JnoY4~+&@xp8>p^yxGClg}t~vk)<rMfwVQg%--Ey&s(X
z{ztVF_=AD6@@}u+$$VeKaD(>uqB}b$vL%f3DZZ%r@B-0CVH&U2@oNub?4f)~Z1%f{
zFw@M8MjxfNGG0H&@66+(kD}q|HBHf(ACEp->0d9Votf3qM~C^>cln9jq}yZWvB5A9
z?-5hW*TvJCU(nNC^VZPu${&^$*Y0>&qs#3w4V}|R#p{+Svu(5-W|DN6?Ir3G@)&_u
z!@Hi>xtAW&*iElu_@JD@I>Pb?TE~ZtP|9q~1nI$Dr?dV@_3VhWf0WVzx^JUVBH+j!
zQCgZ1!LR0h!-HukZt7xB2U3jG2Iq1s+2ms1i>qPXt#*z&`8(?niy*D2#az8^@_mAd
zfhk%DSI`8?EoZ$72WI8gGY>!q%7Qu4_Gp1tYvDQfs^R2xTcEH<oTy`Y&jRyzz-P_b
zT-xitdB5@{E|inlP2oCB-O;E7SsscyyI1$L+MncZHffjmLmqyrvKDe<5sTn0l-IrP
zhmRUeKZ;F(*-=h%b7+L~X2R?B5}~H|X5&J+{O62u>{uDYD4;|edja8w(SE?Fi{Fkn
zNsJg}&%vffKRDX4-@D*5p@1x-5MfWeJ$t5JprzYh_9J(ReMAJCwfhTJf3KSrer>d`
z2`PCYfx4D(aeZXzCynZH;ivuhlpBr^uyqK$pkQFlhrJa|y)iVJT6}PBC}P8UEMCba
z$QfOLxaiHvD(ODFv1G;O?de<$aN-pM%NA5oBG2o%#ms(FgjmGvZMGL5+SS3y7$aCS
zsZYw&Zm9uXfRq}}Nze>qbUuq;9{iGC&pgiK$A9;hb0sUw9eUs&kN5DC&obW<eU^^!
znJg=dvaBu2vc50NwxTROMOmzB-rYT(|Ju|9uGhAYATpa8&-xq8<Jp`2Mm^fCYKv#R
zbGwf9{gZcQK24BSnnM_5PBlJyk3{+=_jmi<>i%NC-R`&gMNQI~oS)jWm000!wil~o
zox6b-=?*ew74h~)_zk68W7Yr65FoMnVdH9$Gte(wJ`gFf$*qR+=@o?E_Irc<KkZZ7
zF;G#Hyz-9!3e=)CYIUu7T=n(RUG>KMumJkb-M*(!+3!}j$bP%s!}<+-dbd4?J^i)4
zggyN+FOTg9Snf}#yE$zQ<?TPie?<p;k7!2xn;#DAP2%tm8kO8vU<E&)%09EBQziWX
zdOWoEGRbJAkRATpzBcgC{yn^|slkp4aqgFF8e(VJmutPlT;cx8RG?ha+DoVb(eg4v
zBu^dK6HHmNe&c8kS<FBaFr;LZ7?uxPdjPKWK&}5uq2q=orW|XyG6XN4Aw_EizS1M)
zq7_|7f1d6uDy2trcsxC-);*0@8qbWv**h%CS8n|jw07%nII#JamYW77*Ym!XIGt+Q
zSzWQ5vDz;Rsr{Fh9jXQ*1I%h)#mr6^m%Ld;#<D*8F?1aDd=WZ|JM<^yn8!t;Z-7d0
zv0J06K`4UIaG`zwefDYB{Jl#=+K&Oq0<H7|Z{!x0P`4PZV(^9)!28COeGk>e`veaH
znP%;IS}N(#h5H0AYnGltmw*NAW$+2IMl1Ggo5^Iope~sGz>qsyBU2MhVJ*OF(B1Y|
z^+0Pyx=`c0;E$9=ZAaD$J{L@xTH&txz^sRo)goY+VROoc52|ttny<lvSO}1uRmdp`
z^pX7XUs<NH@~8DH>sF?o#1}4vAJD7PKk`{gt0ABJ+yfuf!VVZQg<pK8g6qG4eHfQY
zMA~=5?sCkYq4u*U@7gth5jETz=fQU0d<EHZHr?p+kI6G%JnKbyZVaWhkC{Eb?UL|5
z645UFK6^dNyhu&-yWIT^Wk|2mB+L~pd-5D>lGfZHTFUc1){*c;m5!MJ#w^LOK6>I3
zca$|x=5KweKu38V{Lo{*9gQE<N6<#)4rN9t7vVFQel3OVAfgq8+t)2n(f-^npGCU&
z*u^E?3sFT;_mg!c9ev{OB>;%Ikr~>0j?2W-UkLonviBDP-6DeQ$zOSQuR(c%khuNC
zgFE!u5)4_B#?{xn%LkL#Q!XoDs)T>K9^D&S?)KpdVuRrLqdu_PztWiXjqhr-YJ2r~
z54-(o-;djS_UgyM^rIj_-0Qgy=)s?R@;zv{bl*Lw`=B1!-K5#$YcBerfm`=-Ne`;_
z(Szi-7=?A+dqICLM~NVcH!m#I?QXH!La}Gv&s{6t@%yZ%2juqaHl-pSl4EW;@A;QJ
z+0)?U`@#mJq56>L$d_Lb#3gNHe3iN1vm$jD0~VKW<z|qG=Tw@kR)bhlmWb@}#{h90
zVON!}S`@rSW1(@Ayu%_!*4$XCP*oRDZy*2Ldbn<lg?Tj9GMe6&7}fVZDDPpXscCLS
zRpkCoq9RS(QXIfBj3-HKi7zOW(YcZPo5r&Y-x1@8YXkADJ0t(m*#@WwM}E{Xl)FWC
zCTbOZv5Dm>_tH1jFXIw~XympId2|qfMR|yO{TjFR*hN-lztCBkvR~R+nKns%fBvR!
z&60`{t#T5ZafC%ApAS`H@}gc3?~)3<dp{6fh3{i?(FzeI+Sax)7JM`0UqXM`ey_lF
z=l+ERe44hUX)b+Y@1v-F`a4PeJ(C~@>hCs!Qpf6+5fC)&?*QLlj;ka-qz*T7+rvuw
zxwCeJy6U_6=03XV<8wCbn0`o5zAGr-GjEBGHWG3ZXMlI)4{zf|`y8HGo!F1Cr<^oW
z{T@qw<8iUR<HLoN0x2N=G_G@sKGce0serXqx}`k5to5YvWklHQXd2pCzl^JJI&dvt
z(!w1?>HT)rj*r$`NYH;ax2;YRtu$<>cud0cYQS@f+B-RH4{^q}IgQp~AKG5h)Iy@V
z)i0wZeAzo=L!pfUWK=xDaG>`Qzb-TAp-&7dV}X83X81|F6pmuh-(w`KP8`8?sGlUI
zh+b2jRcU<CIw~>;;Yqk{srp~GbWnmCL?o2Gma-+|8P5!Q>)i@YjC82NLC^EtRUO)k
z;+e*g)J7QXjzmSngd_``k_fi8o|HcbIEZpN*>9|(*AvHLoC~stXH}QtS;jL{sAm!N
z5H%sZ(_)J|Ywi0oJZ#8cXhBGnuD6RYkdN0osD*k0Ko~=Z8;aq>36y#}x&A~abux{k
zqX4<NVQOXajfP1T$@RtDnzwI-XVi!?A7pQ+WOcjr^gvir@YA5~-Bjn~&fGu_4iwYd
zcsn<exdFQGh3+x~@f9E4I|=u`b0(|a;(NWG(Y;<F{`T3vTv@+QgZaZK94PDMe!wu^
z3NYal*$*rNT^B*dsX7{O4AQ3pPe<ajsqa(_2+~I<>lwaJN~242ePederT$UT<x&=H
zjQhGIO}e%f>__ZtzBa!Vn(lfjWT8G<D&Py~bP0@_8n?4?)PO`?`hv>z*~7ScDDkPL
zOi<CBjS?qy{ria;F7d@Nw-NL34U>8=n=r3oQe|RwUW7?L6~2uzd6nnq^TPUDbo0^B
zRpJT4>#k0o%!N#ek8y^pDl%soD5LrEM2$R(pqoz`Q?`<fg6YRl-;+*6+puu@i}{8d
zQJ7Ajkm{+N{?WTCl2_4>{UY}tIQQ%ccMV8h7o<-Qs3=@-W)6*K&u)yRUhN^&_5@B5
zX5xqT#M1Gqo|d|0r(~<k2wR%k(39F#IZeL^6^_1iR-Toq9(;DXy1Zf4v@KnK>BC{>
z!1UP@(w&)e58NG1pIf=R>lWY6{8mYICWr^lJ#fzz`m`rE9pRM6$3a1AVp(E;x-~}K
zD~N~ucO0E<JjNhvQnM-sCk87B<`wgrG8YVsXD{XR*#Y+$Xc&;soKz$3WbV_OFl=}V
zSXFEfmYZA@omvNr@C3AtY{DpnN2Ty5iNOAmwt3Qh6kBi(4^5eCYhqry5L+qI_8O9w
zu+f=sRS@M+?#o|E?HL?t8%1(U!@nYJV=0r`Ga%A-Bi%{u;dZ(wEM*YKG3;STr2Sqp
z!_W}Vb(7-h?Pyb2&U+_~W~eLTx;;0gTRIC@bc#M>ghp)tR#>hjjrm^1GBby%=MWpN
zxW#39*N6SioH{I?IY;M6+I0UWvtKeoX#9BHN;@PPA+5#Y6WPP-k+v5B8!@Fz7rI55
z2W6%YgGf2M$wj%^INBAf`)8274%)1)Ju{m)vdpa{hNkU>m7g;Pxff~s59*+pNssF$
z1=%w>H-PhmlRKP=6WgLZ6f%gHf2AyU01rXxhB0Ma37fX-9@KKA?eBZEMDg>njb`pO
zQu6c*`gFxW_8e$Hjhr(kdVV~;igOe3?5Q<|(3&rPK?{k$P%8Hus|*6Odrane9E7+3
zb^~v$;qk~ExiX%Sz5Wo2BdfQ#ovYEW%BPH>)Rn%x4V!OwjCJw4Nwi4I*;5&lRg~+U
zH1d*5)hu^}^xDM$UT&VpkTX;a6JvKFgLg47=Epeq$VMqPjrdBx7XpC&0L89_V_@2P
zW|i|bfB~gy6^yFWVAc1PP`#4UhStYq9Pv8gsM?nDJ@NAIl(m%qlUpc^!&=H;ZmHXy
ztFrEht{#u1c2Oi(!6@|c^ZeGIlQx|X^ILD{>1+1%OP(&(lj&+j6PVX$#2;UUkn$cP
zx=oth12J%<?Ib?HGB&bfcn)=l%%qC!8Sim0c*eP@T>}$m>+W^CC!O=wk@oi)8LodY
zI=^6y*zL2KfPf*ZB5e!xX@71Bpu}M&_`6qLc=3^fR#*+?Tz*QhB<Vw$vzbGmNZ{=^
zGm!Khn3+oCnyauOu<5<E7fB)vXC~DMrJl0RoDh@yxibVO@6MbFWgo%>a3=O~&TFhr
zT$7nrqnStao!;s>R~)E$0J`2MczL}e`^}oJAEA#@&C!|9*TmqeT#TUzznlEbO(4N@
zz^8cPq{A(QY5!+93dQpaA#sG3%n)QH=#vROwWlI7r+bx_J;OJiH?RzUttl0M3(8l1
zws$>q=k$MR8a-Xp=tx!!JTi?g;_ch|5MGbcmwF%WBw_ZPe+;vq$+k`S;WA%k_+eV#
zhu`~0eekgRzs2(}HvyQu=gzU6iBG0(7*?Jn6rUIU`}^R?t#rzGDL3Q|F^#>4;vSc{
zKK(rmfLT*y=x?f}akLO0EHA)0fC~jBYg8(8IxeEg@1(xXH1kpI`*NBz??H79<6EPV
z4e81t=L(UknQI7_V4STR&fwIIZtClD&`3V2SeWw*>!A4XvgmQcs-@*~o5WC75zi!Z
z?Hv!5L9n|0{QEYJR&UphF8*}Mc82#y#s}>w^FhOl0i9}}*B5e@!Tmt1$c`lUt-mjg
z>q|DrUKmTSwe#joHm~I8TlYH4bkqc>9aCmscaQIzPSEf~$C<GTiHhOBe4~qC52SwX
zEy4kUTPPQLs2_H>;co5av)7kdA_6BP$~HYd3v8@sxb)QTva_wOMjKN-gA-9y7H%d<
zCv9A{%w<29a4zhut_s~ah)Bzpv_>Fz*|`JCE;PpI8;|0$qho2p#vqH?s8wXW^p0@1
zjn=~2E)T1E<F#--Y5InjR=OY)c&h+aur&i4CTF8LD)d7=hC?R#|3^nZR{$2fp(_VG
zQA?_4JL)82LHe}}g+*mY7L}o@M#|~O2_9c|OY-sgA`PnmeO7vue=hL5qV~Hxhf^ZG
z_2S$aPlEfxd2)~c1+55LGbFf&pL(Aa?BmjHQM;GAqbbKc4?!2|%l-cF0zavIZbZNL
z3qDcu-GXdAnfuZa>_=PvuX4S5$dC5^+=olv4c;GChw%RFiG9HfnmxSx_lK8q{ox&7
zT7Pat|M!}b_Ct81^vd8hcwYM)qb2<9w=Z}m7vQ-L^cLf<Ym!VoCHNDq?pT1qyDaxU
zUyG(kzrOR|(c#K+FYoKS!E^715I^5uwh#Q=Q5erIz%7Pn{}=YcPZ2!F^7Y@rbHKj7
zd;E+I@w0j9KH#Y?z;j_gc&?&cKm6pnPa04{AHOG0F}=)*mcGyAYVYFjGbfh5FFm>B
z-Qa!um=N9*_62WHm8Y*if!<>LT}Qe8@Gd2-xcwpZrSILJE`8thsnYi$rSAscsUHpD
z``MCx;Ip!T&;9$s_tZ!Bf{$xclGvHvtnA!8(CtsXUfF@63wELsd61h)o}&I3JOg_<
zf@1W)FL-JS@LUHvi}97&Q@$6zMhqyaKev=TMeXGti1hn@K)?54rSIcQ-<kectUil}
znC3nd%fr84JqWjzaU%on<U0cZgY@Cokt8{(+dqo#tMRcU!q_8|Spya+1#PuDC=c>x
z?~=TX%&}u3>GvNT2dm0~lUd~10RK&KUo8Djko~#&*9Pg6YAx<UxBJff<y7$CTr!~9
zU%}SSJv=sP$+J-<WrMt;v!ilJTkQipj!}-k@!-w{>-8O{ENMGNSz4Jqz5X({VxT_)
z)>D&w`=K(vnQuzBn@&qwUHk&rV%g@y<X75gpS3l{KH1dp1u2iVqx)nv@nRf42Aga&
zQa8lpz3o!=C`h+&kBf1SV=e9v&&{1g7?VZGF3xaQ&4*(+jk&vu(;l(NX^$7hLy6Tr
z?tZl20O>lTZQZ9MXp#GWWbky|u01gU(+6Qf`=@gMt#UW-hU`!uv>~R9jf{X_ClN@Y
z_*@igpnmBmR@Wx6#J=G55`<is|3tDTw{ikq`H7Dkqc@mUV+3T`&a5|zumocY_?6=n
zC)8zjZOG~T)qO?;Xh7q_fI;`r8N3ffD@AK@&Eq3m+iLHmW96LA_Gjc}IgHc=K*iVK
zL;_v3D-w>>h)Nqgy6ql(&yU=@e2HhjGDbHrWQo^j<FzVOQ3$$tF6cRVsL&c|f113s
z;&W*@%%6@?Ja1b|!yCz^xj&O(KD+F_c3ZO>zDVx+=xfmnH1b-P&K%u$pj21zy%`jd
zKIe_0`}7-%0%4J1B6SQ%EWK5~HS;6j!0U6|nsmKvv)lupy`a2pb#yMFf+IiT_6b+s
zwko;a&H`=Dcfx(A(#Rr4?2f9IhE2)8>kx7Jl|KC>a{r-YWWMEq)e;W#J)YbW61ld`
z-S>A1Rf!3G`TNEzPQMv1)W<$`Re}G5qEP~6+7|X>9E}{*QpP~5;QX$|ZhPnZz4OfG
zlf7ZI8%R?@HZ$2qVQmq8&^4nUVhkp?FFmzJS2fDq>G?&nQ&MOj$mBHOI(IWBN%&%a
zbK2VKz9DMBYZ77N?SXrp|10Uw5Z|9gt{GSh`dQv^Do+(}&z&QalKxqBX4ReDsjhg#
z?$T2XYU!WS$Fvq0k{bZA?EAjw^vvo)|15uc=13A+)qvj9Giyq}V;;)y7v#D`seR*R
z<-I(exj!qc<o*<eE+3MF%`GU+9Kz>4wEX2Ev)?qn$Xrkw(MJNdNKors?0nV8<z%vF
z-S{*Kb^zx+q_ONBOl@{y`xXRska>6#d3%2-tckmRM}~Ojs*yTRJO~MvycXdddiE;*
zIV5;G6$DvA22jMyp<OzDYI0+RKes8E`bhC2WQIV`Q)AxV>Z8<s#jl+Hxb)O2@|1P`
zDo;-seU3$FVRhQsQvQbfP6s>q-(;kWx4V8apOa6$UAMU7vF;S;A$ma^3if<%mp&BE
zCqbOJ)<NUXK%($TQ3$Bf^&LLsi=^-p0`Lc^?~J77zY8fr`gUQ6AQnrTM|$*a4CPm^
zdzZ|R^nu_=vl>oHr;DoL#L<1-Cr)0;J+v;hKoA@K#M5Vw%$-U{^5bo0SkAkL3-!q*
zfMTm=Le^o~$ejIAnkCU^_mlx1b~^s5-<(IvoL++?t^#V{!G;i~TPC~oXH3KCRX6OP
zIlY>}Zu_G3Z=Jgp`;`V?cO=ELQ&=p%q4B@Y%Q+Kyz!$myq=9|XZf^C!K3Vs=IXt`&
z%DPSNmVqYgT4Jd^;cOW>ZHX3*DcM2qs))4fs5i7!g%IU(#<?Tz!Zh<?(qiRHV|7cC
z86&xMF2E%N1XrXW4#_TrMPr^m`pF9^8Ab=i>6=B5#LOs~#9jgdMkGA@Rdjy^K{-$#
zZou!BJN`Cd_#Xj!Gx6ct0vOT5Bp=ja=v`I5(C-06Zk)up**-veIokj&nd<s@x_Ug@
z09$j%^T`b7GPD}Qz2R=gmLx2X<6GFhuNg;SRVP<&l#xMWSyb0ms_`g|vvm+3u{$TX
ze-a`O#D{CkAU<MGZZ%1Mn)?t1=W{xNATRuJwU3Cr{QjhEN9KOb`1<vh&g$((TV(hA
zrsjd#h2k(bXfGnOHajI;-{E#skC`cTRVXLA@g%hB@~W3Eat)~2-xk5KkDPrmB9Ocv
z2ALD{i`wUN8o0M9(!5?<Wk?RCVc%niB|o1mW1Qfg!ycvxUXPUqQa)1U2;_%=3<Je2
ziaw(Hy4JW8$X+U6^ExfPWIFm6-TZaaKwYi5m5z?IS__O{=;$H&j;^PpL|jNOmRAm4
zUh1yolMY&}rzJ&W;8_=%e2(N8hux_#GUsm|J!Z_`ZaeA=^Z^t^9}}Q%igGtB;ZkC1
z`V0qIi_idH^}|DRdvEeU=tGX1F~%6@m%UN)IZ&eRlsbWW`X_Flxc62&x`LO^Cii75
zT2zy}9%wvFU4I6a=ws57+;1Lyzqjk>?k#?bW~)5CJa{zS<8-H7gj@R~a25%sEP-HV
z6a0N`c9qBED}0KYrp&(WErg!Z7%UysHAKb$u#+AB4<%-gKVCLdN{*}{*^M`bPmGN|
zLV48Twpz6T`&NWHXdTKYofjy1dI;y^{CP_wQd)aRYC2+>y0s=RbN|B&lizqM4!@Go
z-RM7LxU7<UzR;P2v4a+z0(4`CKc=6d3nT4Ufhy%)BQB<Y%c+tHRoEff_f!+A=EehV
zQK{_kKibdn=Wx6@j~Y<m28Sppbovx82HNHOx)*S7gdaCU3nD=Q@v2!fBkgNQ+pEBR
zVSxwvsFUSa0;v#rnSRF(f0^w*`nOy^>X>emp-%SS-7c)ua-(Zk$?VDZJ~N=qeFmpg
z@18r1r`*^16ylq)3#i1~rY?ng!r?Xy{8H6thdcW@{&U+k#)GyD>fiIg+ge$Ooc!r|
z1IqlUyM_1Dk}g6qdH$b{>msWp`S4zt_@n>u>*8_U$g&D7Y|_urg~^+8N9EfAhR)UW
zxQW&!AIV{TLln*?ZfW0OGt33b{=MqS4)3s^<G;4eh@@z+->c}~<@3U^8@jK-?g>A>
z2~hdLen+Fiys?(Fy}G#67ic?#kGcE#qw#wTl`8iKUff9flAkY4|IA<P(&zs$6$)lT
z^!^XI*1i274h^#Z(Q0JgV|pIBxkhulzaM_D`sPf9p7bxQa(1U!HLP_n`6B(>>Ng_X
zNB!Be@pK*jE68YG<bKuwOUqYsWAP36Pz{)SI!p2uNms0o2U+e5&K~eBpMOMprR6@M
zx*XR8#Y}A2lXPsg7+uX5phfl&!w>#7Hk9*P`55XGnMlx3nb6XVIO8jmTde}@N&6^&
zPUf_Vcy`cVX+LvlWEr>OxQfV=^(&8z@UMPh=lY8JW$9J*owHx9;$Qufyse3*SEW})
zJ98sb8zY^$;nB>vd!ngVBm5W544ccLrc?JHH<wIgIlS}LL8p@#?R>SOiF+e0k-L&!
zjfANK3aM53)aLRh3W<aAiBvFz)XvQZMAMzA4H4=-ESjmF2kh#<vT<kh&>iU|om)l?
zT_s&)+&!I}tI68AvBCq?sRGeeIiEQX*FbBmlL|Sa(hn}B9+Xeb!v%_lkzPRnWPOTe
zDq6$N7=-Hw&wdq7i45IVzjNqH9hQlt7v@-Ou!|Rov>~F(vK2b^35|VdXlJ%Uu_ekn
zH-Bj8LSK-O%PO-BXN~kz(e!G@AlkWplyJxU?DgcXI+8!Nov-Z|?c97|(@<^+SqVe~
z^^q~Qgk_XD(C4l!BphrBl^~rW$}!mIC@&-owS<~{9jlzZSNZp~_EMpjrmzo|G9aJ5
z)9q&o<vszR+yT+f*CI-+2?0}Lg%X(0tXUE~92^x16MVBQ8+dP~Z{!AT`P>ewSYK0k
z+mE*@%eagu-&r+sFmDi@M~?dtZ@%C9Hj=l#P9K!6=x$1{o&6eEtrTi&tQTcfQ6(Ye
zhjye_9w`v?w5)Ueq0ymhm9N6Ty8(I`z)QAbs2<D1d>W^ke4+h$snScfLQC8-UMs_I
zZZI!~R~r@w*dEtKh#U}|y`d5mL30Q7!{_?Se)x1ln}!<JJPM6G)(=spJb4HSLqLMi
z$XFT;dVDP_plo=EvUF27A;}fTYEM<-1UB%akzaJA_Eh3H8LebhR*Oze$2)T$7C9f>
zx%tDTq?{W=2K2@YOC8LJa4b84wBGa@*>c=f7+hkkn2?B%wt^w|MRN*cIls34i7V!1
z68q1>P>7pMM`e0i53kp!r|r(%cYsbvrKir~X*W;0TO>X8`pndx^ga5LnYufDk3M9k
z^`!r1DbseR|K_v4+nT&f%X}p4-tfGLnpFbNlVJkp&WD9c_aF&OdmSd9GdB;E?w4kl
zn8)k=V@2lXK?dK=hqMZYn+K`k^v#E~=`B8RR{G}Qs*1<!F~n8!YVmcgpFOR~KZejX
zdHan!T`g)t@arYhKZES)L^hl`A=Gm+BQoHK`?^z0@qFva1jD$mBy+*;^x3=9lZN5!
zn|zrXyuJ+Hcc3WG1A>wzl?)<Mlre<8;?7}a4wnF}r03`7e(M0KY${gJeX*Q*JBlu_
zcAx#fO4N1mt@+E^Cp5#q2VtFC2?>>e06zYE?Jpq0PSJE;-2T6B{1x|F|Hd_T|K0XK
z`@!x17y5r$e-Qrr{r~g6`Y-#_;crjGFFiZ_&6Ai&u{Iy@+Glwn82Pa;H1Ke4JbUD-
z6Igo(*<+tLk;Q3KW^j=GWh)rSoK+ExENjxFTM^+J^K)x^>X&PKejEO@x1T()Z1zUe
zBepXKN9(!jyra`q;Zpp-wtAAPn(CK$c{hNMNT;#<J0)AuF68o!x%~^w?e(4MCp$M+
z*6+|=1ifW=m#yhsUzy%fzid@UJr@-Gk$?4T>Q}B>QlNiM>O%Zg(az-+O=D-iQ@^m8
zEsIsr)TW84S0`en$d;WtcGx4)^mEb9t!N{gCY~}j{wOw#=Q=l!B&jO3VWLkR_HcCU
zupc(1cL0DA#}2!dmuTmfk;I^nrZ!IWiMLSQJx!UJ^q$)}>UVZNQ8D)H-Q=WQN?OAk
zCT7n4G3}oFXjwhCfcL9pY{d`LPo6rq;$Ew;;z!nH|9mUYIkgAuKIN9^*owIU7e;Q2
zv`0`DRxOhSuP41wI4YoHxj`)q32pT&J2zC;uSsw3%ngt_CtTMr%T}8vlJ2bE!F7oB
zt0E6PQU7G;tBetvV6LKm)$CU_fa&F=ZbUImpHor44K;C~w&wDVZ+U%I?mkzBUYQp0
zy(L>a2KoN}Iq|gQYySRgOlZ}EqsOuNfK5&o6;5zhCOLRWL<WvWZ^iez(#b^)->e>@
zs&ewb8O#4`$pyMs+_$<22`2f${%NFLmu3=y^#bOR@S=i(74;mvB@>s#iN~Hj<{&v}
zHTT(H%+*JG6)l<Xl({XeK_ti<@v^_ax?)TbXj=qP3p<7E-k?!;B^UPr!bx=;0dqJ4
zatqS3JW6ug5SjA{bk^HXUpIbB!A-E)^&!6vpAJ_UzkU5PA-{cTyyv$sObGcc{a$7U
zlW<on{APUClwKG?9j;J(h;8-6{J5yr!E~eH*x4J5>DF{^faxGLW4djT2gEoVV7i5z
z8)5o~>7*l+GTlO$?sed*Um{AW6ag61ErS4Hx>fbtU^>XhsEpOXs)c>{%tZS0U8neN
zxsm@y_%88x=zko1x1x{l65_iR5V-Lj+zB_53BDVbZZa4k`?2FPJR95PJlm0R?6~id
z(X-tSMxNd+uNXTMw%abY%XzkYb)si?_?u%BdskACNpFYm{wl#Rw&LbOi%J)p=c>fz
z_VIgUxJPW~BJDC<%22ya;bB}bdx_?7g$r|~_*hdShgSXX!pFAsl4$*s{|p~b?gJmy
zhL38GkLo^rD7_RP)!?K01Mwk6VITM?mCOHU(??z`FR5QMd!sST4%p|(^qS5smGw(z
zZ#1#It#jl5DzW_ks63u1Rs4UaJYH^!?*Dpu{GjZr(esHx8*XCFesdWnTMN6xc2tc*
z;oU(NCMJ17+{L#NO?f^E^&OblY_Ae4wT!CxaMZ9|G+zS3nlxdft!hrc!=f{~YInM+
zwz8S2=*0F8r0omG${;sr1wUrJixMZKJRWK4z@)d3#H*f|5KZkaKa5pIYQtNpg=5`s
zeuKSl{#oCgS@X5&H3^+d7EsaD9&S~ZsTO-uCk1I2FX7oi`7(J4qabhuarop<=?LOh
zY4rz~?=Sn=#IK;d_BRTC7!3=P+jEbo*I~IDD@U-Ob?#ZL!?q6|mMi!t^()_XL%#59
zKod4vSz36n{V&?>Iz3<RPgc$vT`7aCHs5`t`z#j$W3wnCgL4fLNgmdAf7hWH#q#?4
zR#%B_l7OTM9Qbz;Or@D4UikMAj~UCW?x=E2oWiVZneuuwhez7W!3$$EkV?<URICpg
zJgOt@ze2hp_^a?jwoFl$#|*$=0wXc;GcQzeZmRuGip!V}9+~g&tG!3n5w58+L!wT5
zvJ(Y8;L3jDU4-NrwBl$Zg~$2XixifVxHl>Ml%29*{=wtUpEd7KPcy3cEUAsXh(isg
zdY}(Zebb}i52~dp6*q=1<l!KncuZlOwwYo0-{L#>eTn$6XqgqYq56Ai(Z2bxAAQJ&
zxYCai*J;~&W~&>`ZiU9@V-_l&P0Z~NVe?><OC!bJ&{lUFf=DCv3WLPh97Rt`#-{BT
z1{QTU(d#O2p>LKw`s4In@<e_t@*84M8s5@=E5Qaz(}RX*mCh~WV6(8EjaVo(*0hoj
zrI$eE(eUmkg+W8ZN4EB(SlTV+FJ1kfFW6xPjW6FIghLUje<1$44wCMHt>pL=h25t%
zQ|!?^DR{gd<?*U)?h-lf(<R9YU5}t&VfuWwMRB<Dfq)kX*+TVGLiNLJ%yc~kk~gr4
zRf6R9J4EK50or=eoY{*wo=r$M|8{mlq)OZ94F4Jh^8)IO6Du}E+P|!VNJHF7&L$p0
zb-5=^IA;^3G-5^<?CvmRZMt*bZ{|#-;*x=5Uz(4(&+@0RzjN|mxrxb*BWu^4;N>c7
zop>)`G`GbjFpsd$^T9o;)R`<Zd;_oi9LUe|T{)Lv(e5o0`n9-_+!l`9O{EQQx>^}J
zGJYng+on)d-wh%Ua4E);0YM#FdD2`4BM&TVSarjvBM+=)VBLLFwLg-q3d%3m#(pJE
zj((hYKDMl0ekW$%ncuns{J&g~Uy2vr9WHQix4<o=v1lgByMZZ|PK`w1(^ul7#_wW&
z{oNb9Ot>c8|4!5^&l6#uPJRQBFMq5G+qg`g1!#>>dEYY6HkmB~75mHI4(mzIx2@l9
zcUD5Zn#IX9bN`xXuiyPy^bzaDt?sj+v()~Auh0TTzLIa-vpy&<#z0vD1==;Z&iJzq
zOgh}T?2i4l8c2Mot1%q!!p8j}(+r`bLnnpDr|b3F^--Pa9#zPdO)B}jclIq^7x@Ue
z+rs+xz27v)0iymD_J?H7`=I?He=O1NfB2WiDErOIutN-2rNhD6yB{PD*2wo0BAm$c
z@h9D{^7)c$<Js%3%txi{b#n_J9y7f6I$~yp9u0pH+Qu`$L3&`<9pQdB{y8ly!Oja;
z#CREakhTU>USV$**CO*)R6N0v?&~&ak+$0rp-fzr8l4s*uuVV?n_CqUnEm%VY#<KL
zT}U?8^@d@6$QWTq+E0}P78&%q2{ts>zQm=sl^hB?x$ldvzJ&{Z+k(NjrUjy%WS1uG
zYRUT8S{7Y(t9#%UW%Ku0TAf?nJ20t|Ue%z`<)&|lQt-N5<QnV|G1^o++8x7-1gTsg
za7jS4#Iub9;{N*XO7}9KRgG-lVX#8FtOGXPa`TOque~BoxNqW`#<EvZ3}1mD{iM-Y
z9C`W+E1vwKauB<LuclILO)taU_yA-3SoWF$IKK!N?wdaQ(TY(;iIG=yF0AC+p=V^z
zJ-IA68i^RB4~nHn)pi|_*H?~hMHWCN6N*eN^IMlA6E=I%@LDN9iGEFo#lhMOC6o}{
zJKNvFQeU|+`BiZi`<Iu-ApuE-GryXr#!*q6C62e&`iQb%*RhkLTimF8b}p@=^wW44
zKxrj(Y;r4P`Fo9@XzwW5T|O2xjF`q1uK0YXmR{-Zp>TUgc3v6X;pCJmS!A8s%U+U?
z`9@I~TycS<Khuv$+hC}PP~LXVcb5^vdqG1aa^n^~tB+Im)N={fauLZ7zGb7`wwiC!
z$wb<m8RYyD?h{7dd(^3Aw<}xX@Z1mhUMy$y@lSpXXNGim5fVyr2HLJJPb9-s-J1<v
z|31j-MC){DhS2nz<Jr_t1QpAQO846LEz76<{0(t@%$NDNED9qn6?2k1$#9e?qKD&b
zghrRp!_)ts9^n6ibKWd*Ih{rGESWg2#L_Q(K4Yo@I2;j~vy|t!aG0HWB~qE#n4w^w
zVcr^vPl}4KWV#p@`nhNg!7$D$0xra#f+miUFgWqcax&v^@hK7mSz;_&Tx48nTn(SV
z(R$&?j^QrhlSY~`hqc@`Lw(|Ei)<=1!EH<3_bxX?ej=XD+(XGw5UsEtx)#V)Is`Y4
zGm_FTQCLQbc--nQnW_OQbgx3CTNu6{TQ(NY){klb6+LkuwT^bDYg&>}P}L$ju6wlD
zU16)^O@t<Y=%cyF&2l+GfL!BE22A@b>W*jcTxJFF6t!Th1HIU7zfd2|GgD4b2ZTkM
z4IJRNDs$fkcc=t<*L|72u6>HH`qNhRy{%NuNoqtkbhjs@J7k*s#?3yToObknfaZLg
zthJGX0ILkrRc@(i1RgDay3C_VT|Gd`)=T^;(nmo9M+)c#qTaec+Ko03mPq?Na*9IG
z=0Lj7<n|9gPUoZHFvNsu;B;A`s=95$h_s)rJOx~ow|m$dN>Y#hl~4V+HD;p0@Of`o
zhps5^tK-o&pZi}-JZcdN(xnk<*E6R(Govq_NUGdlF7^6oeze<{Q_x1+(0*3fh;9hB
zMvx!GHw_z+2V*?z2cytd@o233o`>dID-I5+wA;PwrBwTre5IB;&{x`a8vV)1gE1U`
zPe&ouZ*mtIH$>X2$&p*ZpOF7duIA#*n(je7XAAnI<g+O!*~ivHH13g0=zjKL(Wbk{
zKZ~o}Z~U|5m-~r-Zq@V6_I%xyF6AF4xo`W23GQ3|p~hY5AF$`!!w;o9<>xo;=W#~_
z>#(5V1;rsLna=$FX5K&2wh;n5`+zu-$Tr(ddTWUwn~dwzZJWjE+C*kMV*l3b$M%**
z+HRp)i6KlNnrX{l35_){z(q)(&ribLGkZs?-A$1gFIoS~9kvjPwEvo-;to8U3qE~U
zOMayuzp|hH##$H^1JCP$R0=hCher3C&*i7tZ)loD#B|+m>rEy@BK_bZMGO^*L$;NN
zfAtf#250Ixein~zQw{|={rKcBvMP(T{R&{Bvv;>{WpLYGQl|j*o$Wxw?=gEAciPI2
zdyqYk*~e72Bk~|b+OH);&;Wpm8+1o=BXTsJCN%voE`nk+93fGBSqd$5Z-N!2;E5?=
zdpjBA>p8)fj?#4Wkq?0~Hyr?SEC@on6!tlGPsDy1fGh1nY4x```+H$HcRO&Je1+iW
zBD|<5V28&YqiSxkkF9jgk7BNw1Xn(f^B$((*nAe_P_+33ClAwx30}ccu6L8k{C|(r
z@PtmW@;_YaK6i`Oa;$fhCB2As8u&YeY@yFu47=8`<cVjemz(JYespm%`{Qzvwr;_L
z7OD7{-fi5y^?j?8Q&y37(U%+c0}`^wudCGvZi+6c7**z+8b+aD3v8=t@f+QdaAq{U
zn7A7!aRvB>B6(V5AK*SI%>fN+Bc+9c+sC{ryxD2>)$le|>ah9~vDDV`u3rnk?m9}h
zlq2ER`}q$s@BNo??zQ@(kG4JqcAv?zVE&1J>B0=SHB3K|@?EX=UZ!zAn)e(NaX8L4
z9_L2WJr5FGo9*G*Z+bWAB8O$Mdy&5_W|(B`q4$K#?C~#uT($x8<2)Gn+dGJE#SMd7
z-Q~7YZ>v?|0@EeGg5gE=`z0xgrs}wXI&8e$4?upt=9I75JxoR3*}EG1#9PB)r;+OF
z&%FF3?W!vZKAd}QR%hLRkfCTjnCosV=z)3qv#>MyE3IvF6Y@hULF<w+Oo<A-*t?fx
z+C5VIig9SGJK__@)ey!fHEVqNFj0H4j7eUww|t3bhybqj3DedN=5|#yw=S$G`G6|=
z=@AyT;NVb)+~cl9rvL?AKSe3O2Tk!7cR&5~{a1eq=aCBjm2-5PpZ*oryH}F%LF-+u
zC%&pl#4VtA%pUT4cencI$$GxYKX>T)+y0q@Wo7Of|J*}M?v%+k^W334pYhKet}eSU
zSI0|XzS`&f(5Kzjlps7GBjWeglgBiXL2d6x+7wSCo_#=Y5(9|iHCjPr9}pbzG||*{
zu#M}=C)#O`!_7Pg4UY0Qk;@sBnmi*CU_&FW_}E%wy0<=VxVNi6*)4uGz>p6u?9BXF
zj+f+!)pf?R6$9NnAG3^Hps2ZM;JLMIaGzJ!^~3o#LN~kWOy7A3nMK|SC%<QcqYrgM
ztd+$6f}(IPiP_`tLiUBRqeXg(@xbTYi8NF+r{?+9e6G$RqC@&U2rzcy;AB!e42iRt
zVv=8{D&ZzSltUOMa+S1~{kyP54*dv_T=^Hc@7^74d6WNCZOOm&Rb-$k+e0G&sIXt)
z`}@1X_!>PzPcy<Li$9*{hc5BO!kBSKA7l3PUSrmBvOzkuFg_mfoR0BPGuWn=FFJ5U
zFOFW4yXJ_z9_`^+W<SL=CU|UW8CgPEl@e&<YDM|Yc9i*TKv5ShxJJ$`uCd`IzzmT!
z>Rt#MHYcGY7G8zLQj!QFiu9C^Lt^9pk{gvSv5?t(XX~=>fo3`8JRk;<wd`MX#k}Y6
zbXLm{2>AGchQoOA^9Vi$?Z5&m!u3M88_6UdG`N{#gUk=b6ADhr1ko)&iXV3boI(%E
z7m6J7MRWI4!pjSfr$2c-h5l2y@qaDIN3Ao%b1Y2Ai$~hYHO`e4<^vXb^_=&5LrTl1
z&&~VRNy$gw`bu6_AK{M-yuzBSo`@lmmn=Yjyzqz@+zS_2CgqP%ULupR$y+QB1goP9
zD%m3Uk2$6Ils(Q)d@hiR%W%CNX_Ij;GlJ+ba~D|BR(I1Ebvs2zkVy$YL3sx^-bLoz
z?Z5W^P(|eqV)IJkn69h(=-I>l3E&3zO(qpg*f*J8o}83vhLdJJ@10!SM=n*qSx5Jk
z?<+Bl)i6`#N5ZUcU!vD**M)t{+hqXZ!i!1E$N#9`>HffqO{=xBOwysmf3m<|7Y5n$
zD=+3Q5jgRlnPfnh3NN30+K=2hvFt@C&Sn(M&t@g#HyYZ{%n@RwCT6c3;=cNMJ1bHl
zdrHvx78hD*cCvM4ulx4R0w?j|+^_gLuV5#f0!aa7dq!ovf?DOfC_7;VcEUUOQpo;K
z!_;?wD`AYh-DOx==brXxjX}WLmi!2MA~-vN!NJ(T3C}^9e^!)n2v0XIxI6xD*4_m^
z%HrxD-z5no8hBy_4H_h9Dv8%bP+1L<#a($;H#Q0=YAkrEqV<BB6;PDmZh-A}En5Al
zZ?R~rRcl+dDuPBxxWyoM1x2F)FEC4h01Dv}$p8C2^X%^Ppnc!>_y7O-Xm*}Cb2)S7
z%$YN1X3pru1y<tS(7}+nCsO@}sjTtAWpAc>2g)*83#@Cg7CtgVCxE>ira0Hzm{6Ci
z-_%iDV?Cat=TXEI)c_8vWHWh6QH5Ax9Aw41B}G<T#{pUMfCEVkimFV6lO`(>BuN6}
z{ux%RAn-|vQb+-dVC^aclRoLo`-wu|cJ-!^T<oyDLEj<v<TXP3M_-c34og`x{@YS?
zAjX}#!?G=`MSlqC+SS}nT{y>!tb1wa1s(f+0y?T8Rt9#UNEX;9tPDJ9mg+rZ*uIV#
zdPs)Q16Ie3k;I`}Q!8pDTr3H{)??ywtJHIK!i&+}SZcAmXET}A-EZl{{j5^E>BJBa
zSr0OmmS+$nV*Oe2E1|Wj$FEZhL%(NBzmHFfLmc;-C;h%i-5qv_7rZYhYm;F7o>DTv
zk7fHPZcquvQ<bB;O)OKps)Ym3WQUrmnZc+#lYJImQe{n3d<Z4EUe?Mbln(HBm)dzH
zvF=b?@Qalm28I~iPn;#?{sJ_Sts1=Fpas$ZWI}Uu)p{%AO8laMxe2ZaWj!j!Ahli_
zBiD$MN%IJ(R<V|Sb%T@?nk%DwtNMpd_(}ki8Cf!%)tAYngSM)3bmFL$c&a2etS2Xd
zn^p3bH7waJiH$m_dsv^LAzRgzRtB2ClAMhy=1TheMq(X#CLn6-w3NQi{jsi;xf8R`
zwC%5g=ct%tWi6xcR*pWHV8PoQkK?#2UyC%h?$Nss7?9zttEH~GN)mdjdPIKPRY-ne
zPs4A3E)VfeRwk?A@kJ&aEJ7F_eJ%dF)heLcDqxgVKoGy&k$qMWNQ)Y{s=Bm03jCQj
zxQQ$5fM@|KLjS5_vBrj;k|%P6+uPx<0U|srzM6y`a~s*A=2W?ep0vkOgv#(fMwrm3
zgA7L#WkE3mU4Xd;FHnK^xk1!WDC=I#wCalM2{Y;zv$^q0(dk%#F2dfNoO4m-V>LJv
zrHKWG^Yo1UI<g(&+18EitBBo2qY11jNUQ~Pmar`PzFpmK39$DOEnM8L+A;MLFUluP
z=9MD0uz!O@R&`rdzExc<BCYDkzqL}`$Iuy2UB3i3q4|EF#fGYzRo~@^m-@D<sp<M;
zWOb+;f2~{cOC+-D>rk(D=t%lvwCd|XeR)#f4Z6OQ6MHb-NNr-yd&(kXi^Lw`AU@8j
zjaSCW{%G%wx?n!Bks{_rR&8Qkv<$BhFIg|HBsHt0H)~1~5KM3|$Woq@-o(2jY^s#|
zp4C*IuMOi7DAy!Bi>6Ju?dqgt3Eor**Z!o0kX1rIdkN6tIH1+%0t5~`6hIvCUc9{o
zNi@hR;Y*|e4i&%w4Yx|zCpZ{&d>1IytzPRY`fG@^%cWOWu;I5PEBzh7y3!YfpjN}B
z(ghaPZ$p}7r7%>%A~+KAv_m~wtqFb^;HmCywyrXkA=1{pWm4@F3>&c1$%*3uO?U6R
z(q8zzJY+FbhdNLAoP&xMLXN#wwdx98-v%VZUJ(Y<7WKXrw}^3~$6&?Ms{V@T#J>=y
z=Pm3i0pqQ>xuKeG(1kn!pj|8+XW>mJ__7{^U`h&xnvY4dH?U#@@&gjrq{>Y*$sVB|
zp461=;Lvt;ukbR*A6AzrtwZh5C7hk;jZ~aJNcj$R`Zc=XG(mil(5TxEi4Ji`83x4{
zdx$V%h^SBMD<304s>`qZQ8#TaB5l$Q-2V1*HsDb`traGoMgmKJOUkwLEc_n=$dYSs
zV8)>QNL-p~uZ@n=uGf_XkRgS^iXU|3U@1j!)^M~9lKQW-vYe34g7Ic$aZ9A^NU(*-
zbflR`_q8%@K47coRx8sAL<)H+n~~*X$<kd9pTfjH0Y0jomkX`&jHu)k`Q0Q;iFV!q
z6jU?bh)(GbT0cpyg7EM!I)alU1Uw88m;&`yo*Dgp(M*8g7M_k=r^mUmhbbqI79QAV
z9;Vq7(*f<MTx(1v9G2u#&Zx;9y<+;@nxF!gu}SU9E59Ae!(X_vLY1w&<cvq`plV{K
zQ438j?V32fyadya>>a^yS&28IaKtI|BT1$CUot|ihvtW3%y?C)Y6Ow2+_31ORWihm
z-II!?ISC}4^bvXi`bu{2Vw4M)Mlv9Q5X8V}cq5wv!*x9K23-1DqST7%sqDvDC>3Jb
zlh$K~#UzY&7c>UYc183Gjk-Iiz0v&5MsFXH%D)!zNoBc19iPT_9y4$hV1C)1O8yrq
z=3=c>EolPIShcAZaJALQX*vONs?*ci_&zXv-|B2}$rhgk8XZwDrn6qA6Olv!s;#?H
zg`Snn4!2raSK71RoX+0Enf=vt_8nxW7>+f?pp<9zVt(}+v^NXoRRV@DdZb{*kEcOz
zTcB_ox_VNn8sy{X09Ocq$@z@10tpx+WQTidnS>bu{kag-CRefVD$ICqSn;-~e_?D$
z)i9;%sjm~eCOXD1RI)VCTbGf(<f4aDS>PN*BvW%L3(o6gUBr|L9y^n9DD0x9U#eOB
zQTgpq58_w2mn{HW^$u{L#Lrp-!+I-uR*hl`&sU*#7Lcz-KZpSZxyUh>T5*O3LjB_a
zbvn$j>b*eCg3Lf$+Loy;$nITO`){m8=i7{Zu+LB*{*3x?Fn&+Ica%T6WVCk;-kje%
z(i{G6SlO3Ymw-9Si+mt#?#y7(v61G`nQhml<V7GpF&`I|$jUci++w|4g6%q}m*$Y_
zqGM~|&V8SENQ;)QUgN1{NUMfO!kQ)8z?HlX1B(UL$9S}2N)gOr<wb;o!dO%_wD*ui
z#@x^7*(Nb>2Z<X&!!1)*kKrH|rbl(eD}mA*5<em&>y@A0<yVpse5l<6Ol#ba2+MXY
z{=(E}x|n>mDplSRt30tk#<PC&_e__ZW8rr!Yag^-H2uo?*(eGdbe92K)*voIv4QX-
zpl!!$xfER$yWH}JwkR(;cm~`{Z%2mpNYa$`I{sql;7P2<h$9YFeux;mxl!Bu;#uFn
zmg#yQ$GBZ>$LVroRV)=JCTn_nK7${FBz<^^Gi^Q6=e^#?P67*m0fn^n`AL4`y{gRH
zP{?)^f>!)Azufk_1)256@X$fWVv`1&Yi)RM#S4bcgYbll@|x55E(VrSU#km3`dtk4
zDHbK0ZV+o!EwI2tYTwx+HGZ_3_DGzHA@uY9%l<d;fnwu40`=1}L91_uNtkx)8xl(a
z5Pq|_j{K6eFZU3A{6E%jL_P-cF#O`Q6j~l$*nm$wFZ~F9g0V1JtP&KcFvB10LfBPv
zPT3AUF5|u(aL827!!$Ly3L8n7>m)so8=IcjnSA0#?xo&zKgN7qcEi&>Xx|UVyBwsQ
z!~Z2c#;FsfsSg*bUOF&DW$8ebD$o?6)KI%Ffy#&lJ}5zEu0>p`{hEHg08G+v5mH+Q
z{~HqPq0RnB`oW~JH%S?FECvoJ0WTMVsTmJJ-eIWzP$AMnF&>enh=kYYL<^#A3@iK|
zyC4x7VV%!m|BMtZ8>Cl{LrS9XW77WmShj%G{Q?W&{P)A9W&3VO+>Gy}{e>KSb1A#;
zV;BI6IbC7Jk0}BQGbUylX-5^6Iu`u-NF)pXI~q7?-Kw?lNQ>wU4_CNq&cjJDR76QQ
z!UBGl0;Zn>Khsj*R}%(hs6uQEVr$T523{a(Ku@T$p?cCNk>3tA0KaA&cN+k-mfP7X
zSAbnA(*kZv1M^gSxz0hMl3JjDfk<eOnEp_y`UmV;px`8JhbUAn0&Q2H%5R5S!6G<}
z)gp=MQtw+adFo9ol&}7V5C(ps8T)+^31zcY(S;kPDbm<xA4|<2RD=qNNLUdOqwWE)
zoK|o_NzA9)7LeRof~HZ2H4@N~lU?nq%E|(kfxZRHilr03Ct22kvsvJ&$t<j;pOvL2
zBjY2npu!Z+YQmD|&sLtDkUdoUs5DT1ZP}{JqH7}V$XTXO%+$1^jF7zDV5tEm&r7_8
zM5*>^d;bOS^bZ(p^%j<DR8W@~L1GkGQMYc=r&I>8Xww)qVDf|61jnt_t5(`EQai~U
zACuiyq<QU2GgY+Cst#Bj#)r01;yA3MKGkTvA!$Rm>6|ahmr;jv?$F8DC@Q7w>_WAE
zJ4Ayz%+^xf1qn{;L`;Eh8s=%HMFs#>4k6tDkxie(e&kZ2d+1_p3l%Q31IzZUYPiq`
z>kuhbXp7PIwffx_O$n?*(2Lr%LG#G&dUkxSm8)8yvZlPw$`C*lE5Hnc3SfoGTEHx<
zYlB6x)04Tjs?)4o$1{qpMHXn($Td?c`m2?NFOvf;D%-oh*O+ZWly$D1n}f(QTCx<5
z)bIvo0V~+wZU59F?n}Bj^4?WYW-aTK^i-ER*Q#?W6KSr-eu!1;osttR!_u0z^UWWS
z9<wiJA+ViX0WkZqOKsHZ6h_e(I<e{yb~EY*B28FJ6W645Y&B+I7N<rhi^)tC^W;y8
zdDALp6IR3NV$y5&yksE@k$|{#s7iYw67yTDkU!}{Y9XJ1i>z}5o|K0V18&g(`tf&~
zvbP~pcQJ4u0wT1$FFh>An%z>pQKz5$6q&G9m0LN_lH%l`1<%bP>x;~)sx5SKt&;Q5
zuua5i@?f@LtBOf4)toNWlzLv%BWy$Bb6K#H<$1m}(VYAQO;yoF8sm2)vYO*aEXtVa
zaxBnu1i@fK2nI!~+T}qhVZ_=dJkdX(QQ!bHCKGiSs~iZiry4j-;*~YI&+eFC4?*{Z
z>UnNzV%?@APDxIxYNL+8K9<%Mv>t*F8L!kH(&~jiKZTu%6{GbWu6`@hq^1XjH{V+q
zE7UhwQ(i5A&{oc`GUGBuqVr-$bEG_42xfc<8gsF+S}v!U@kdK}-vE1xUhUtdY#%)U
zP?=KM(&$i8B@U%WUPr!V8LmJR7nM*m*@o1T;kH?U_@mkC_MzO4UB;sc7sASb)qAu@
zz_axJ`<G>8!hi#jfX&8sm3N7d>VwPUHG{C2dxRSjZD(oy*Nj&rbCnYW+CPD&q;rQG
zy3Lex?CI(g3sG<C{3K4!fIjnFZ=q8;P3dyAK8ZJ`8rgo?{N_=O^`d&9v9%YuLZ_K{
zcub!U6KyEkq3cK(9jWrc57}yJc~@8MBQCs1wKR0MG?ebUtI^YFq6pbXkOJZXe!-G-
zvd#~n&1bs<Jl%+t>KaKF+Q?*#On0F7#)Jp_nwr1#e*T;DYSFB=*Yvjj(fmU6AH2Yf
zbqmH#AaV@Wa4vrY`aitvz~}Qv6HmG#o(Vvs8SRF%u?dB_BDp@XN=%*iAiXMa+3~{B
z0c6IbU6tsVB(c=LAiTlsc(3mGnRsU@oB_8GNv788!JjJ+CaP`^LYad{k}6mTPN*G{
z5yBOhs%{7yb4_>S=4{;Ah?^N^v=_d+VQEx1JJXf3Ru)Qa$8%kfUSIXm>!Y=y?Xl9t
zSLK#oDg?sq1mS|C#*+`nXyRGtp~!`@Wa|ZeJ2pwL*Sc!X_Imci&v{dKOv7jr9!MIn
ztXl@~$eMY%+jy@cbLQ}FScN(GOt=hDKRN%Z^==F<ts?)7-)i-DQM|FAqm|Qf*qZ90
zgOd=1Cw|yyIa(gm>1LjR7`QRVh@g19%ZlwSu@7MG#gWB*DkMY8h{9<-Y*>==W-DqN
zqIjMIY({lTU4I@Gye@UM{8|=MRRpoCk4p??qS02OO8inS8j>=4;4ZCTyTnYL;t+SY
z7JX#uZdd1jZ50=KE2&d(4t@R|&H?ivU!<<kQ<A((bx$RK45=nE6`l;^u3b5>hoT6~
zW!`)qvQ(qlKLKMm_oHC@5YRWEjDTPg2SljQrK%w!FzJ6TI*O#bC|SEv_X}#F)HS+P
z<f~L}zWa<Shv;&F&(^nz^{J_<ixL}=M9Y_S{WquU*IQ!fg)Y(OS-%v9`#2c*g5<o~
zx3%}$M4V-%#-BbAl9-7|Jx}1EXLO0m8j?KlGEca)p@-S1GI;7``i)2DN5Kg*ncuR?
zOUu`!S}-_qq9oA!0bS~ZOGqUnLj5}3qEaj!Es9bV<pKk`?8?NONTrUym3z8+y&9f6
z&Q;^LPm6etYm%#GxV2DhSMN$UOqy)Q-{#Vn{JjX`9hA9^i#m}Z(%z%xhaL;l&lkCK
zQL4O<jwngpnY>j;U|w%m<1au5(inMhnAEDlL2h_22U*&l*7Iv>8q^cQr=w-+o3{P)
zOri$8ftOk!sA08qtU+Oz<{C5}DXQQY;89~AR%SCH`rzYPk9oCRWIN8J_vBE72GgNF
z1Ho|g7ZU@Nk4O=Vv5lvX;Qb#fG**7}5#kDzfUfIMPeWaj5<&}bfY^w<jKqQPqZA&!
zfC_>X9s|X(z(3?o3=-nrbI8e&qBR^u8rvc2dPD}|)7cFquC&2aMT6lB8p|JCjy39v
zdZEZ^3rM`FlpgU1$D@7u#xslKmuAkyp&ONjAx4H-4=^4n#`U|{pP8Hlso-hr>9Hgv
zUZr0KhC@nO<6yD%$);!{5{^evV=#@LghBX8**df12UubG78NcXCFdtDajF)WC|ccg
zv)<Gw7K`&LQjO~$P)K!$2^jOzeao=ia_NVgeYnFvAsD^2Xc7&*#qbx@1j}<nFn(4e
z%(ZJ2q#X1)Mw#)!jcUnGDdAk&!|J{a^+_C$=>U8KQyQkw79)~@@AU4#`K?S|vza=5
zap2<rLxYnMxfVE~m)hV5a%oZ?V$>kPbe-VJV>P+P2u`eA4z?CFrsjLdcvNYsAGcv7
z!kv=XpNrLcYz4DNKRgRPidGL%ZzJTd+krc(r~yyyS<g+?BOeoFtE;0psZaZsrElUA
z2gu!xUXi)c;xgB^F-%V8Wjh`qMtX3nq(`4uQGOLb@NgARc@bWmWz1cyyBM#A#imP-
zdm4?$YQZqN^!OOJyda$_8r39AM-GyK1?WB;dklGy)7r~r6g;$uz+kSf1&a!|8+G-l
zm(~)jGjR<NPS=_GL`V}0J{$0|25-0vx(c)7fMj$L8Ax4yZYt44781uo41Ea6?w-#}
ziL4k!Pbo6hjGMSx#zs4_E(MBsmK1~R9Rz}KfKU;HOsJ@g9sxga0~bd1?~?op?nA8s
zcdPoQ6aqcEnGEyECU184O3(JtW)s)vOL0LJf8itx_Ql0`t`1*j5N)Zz?j4F72L^<1
z0|*iPgYI^%+Z*NM(FSx*w;#@-2CRi6DSvcv$GY%0?&un0E}oZpqp|TDxH4Tn^V%*i
z+CN~iZzeuB(id$#hx{(I&>GyO>RJV+z<n2T-FS!-6plR}aIP$p)Ff?PiDc&>58DU&
z<*WOV37F<5^1(wX{^VdEhiAG$1UG2*k0lM@oA?B{o1EM9i6W=$K`9k8Yl_At!kv&b
z7MH{)^f048sONu=DjM4|Vnft7IBO=0JXj%?5@qQfeNM$x-+>`0V1Dd@RP2mfvWeWN
zA`{d)DLr4>{Wah|1`+T`N(g2$S|K#Q{hy-wY?CY*^}L;;5j@B6sAP&(XMz|UX@g40
zc(Psl(V38qi&^vq#D)~2(0KwwO-J{)qVr^aQj@^G8qi$;*tmtHjb9F{)oO0s)}lT&
zGL>jE&k><z*m8R)Uwv6j@q7)Czl;5I7j0cn6}>7beqy(9?72{n%tzR3;*(9?3n5Mm
z2m85@MPd%?U>{@JL22rZ^-09;Mx7W*W_-5zz)|O8u=t|?kYi4qI)l;rq8Fr2=zjD>
zF$*6Y2F1acWhSL)4aQ#5sA0!%2yW}#EgV$Cp*p2#l3IN>g^^{b$^+La9~M88A-PD*
zM$A_D76q(B-D1VQZp~q9SYf=ri2DWXkG~E?S!8U%N@lGp^*ACarKVfJ(lpmssQawQ
zs&u5Os;$Tg>B#YFgcUg}9XUarXGOl5jvS}@S&?hfkz-UgBhgH#4YJPNFFk|vTz<^b
z);yq1s%*$b&`#L=VgR+wQtv^_*8PUbPV39+k1$R!nH$MixEKbjRLeRYy^W&GsuL7|
zmg>cZkXv=?y3a~9>-kHhoVq|5qh<glsn(W9S={p%B!fzlhxYKi2m1};4hNBrsN*aQ
z<m^Bag9>%Mg~52i0JAyKsA5JFSbXp*v3Srb-N!W1*|Kd)d#*{VDNQdg4`MTF3WY3R
zGiI?xmIQ_jY(iB)NNi@w%oZ1ohsaRRSZTk9>>+c`6z2Rs5N%;4<2g#mRxEafwA`r6
zrBKi(4gw-tcuMA5qK>gKrD#GRicQxq%$P1ry=&DFmKu^cR2NN1HsCwyGJ6BMCHqx3
zU{<mLIAXyX#u2BOE=kR`=u^bvlcXJ|y4L8<?P*1iXT~w;4iNU{S4h}Ltc-2szhuTS
zYMGVsQ;8l0tqQPl%w3AC110Otq9Ge~Z`!k#s+g7aIf=$Rg$(=thPslc2Afp2Rq2Dy
zoL5;n$2u$J271;zEJ58XRl-=xRh;hle+cpIbX#uq5ce(6@r7tRJ06{(d+>J_UH5a~
zOOw&9>sM<^eJhdgh<K7Lto%Z${Aw#-gFWB#Rz6y_C?G3XqA)Ma0a-_&R^$ASm2pNY
zBj}i?ZkDW}8WWQu1|w!73fFK}Gc)0gOrhGO*C1C5mektM)mglZz^KAXl^LFuT0W5x
z5c;LHM0f|&0fzg`i4cD>N}-)}s9u`OzJ%O}>ca=>gHtJNAScvY2vPXGX2n#fIabJ2
zPg|k!DrSWysA*PcoSJBb#;CgyvW_)Ce?E_h%6Q15pk8x2aS9crh4cc%m^l7F#0^{{
z-C;WQVZ=NOLQ$V7jxMI2hFQUyJOJaoA?E<di|Uk3$PXE~ZvZAaE?;Vn)k~K;{}0sG
zzDiW=r2<+Zonx|{m<VwjW2YMQ5PA%XKwU=%*0;U)C-qvC_9{wa(jn^42qoHnwCOA8
ztnpaKm3lt}dqDy~GfcdSx{~@9Zc)C8Jipmvl?SylQI7)H5IvoXeNMe3v@q&g_OY(?
z^eXGSS1hht2p|>4Vjr-9q=M=wGkDweDg8<MRx<6e<mlT#3{&H!n12sofq}NN=fC?(
zGx*bhigyZasOeB2e8VniV+YhtA`sVv&CsiQtfTG<HUDe$=_qowOi3LodqqkUz8g)a
zjLefZkRPcfV5F&USEUk}Or*D9R$`1ZNipb>T;|mE1w3&N{#eBOJ%XZMW9U{Gb2p$^
zA27k{>xl4!8n{t6W)-N6Wx@n#wGEsWYSAUsIw-$Mtw~fngqxx-3Fr8Yxtl;6$mdG>
zzW6KC5t}RG1yBYuzrr_cTkF}a(4z0^HZR~_+SZ@^b9r?3cT`QixJwRO(hieXZfnj)
zVc&27kHZxhF$v+(qUtPE{<XS!Gm)%W#vYrLIE@TJHFwReMH8s>PM~%hI)?=$?x5X>
zv`(x9tB7tDU7Y9(Jy~^LeOQ`^c74;fjw6BXfyyqlwwi3sGSr^5UUft&Rb8KHI(@iX
z)^<ju6<CP82}JeM38+^gOeH9>2tXNjX?{$0d3sd-%y3k%ew<VTdCry=iCUD$S6#H4
zxeUs%dSGlakyjFdmzY9Qf<J#OO@dDqu<Z2gQ$v?0qmPy7ddXlJL$m(;0_E#<r!h@p
z8%!F>2{CapKjcpHzd^*$`Vqtdy%M3sNgxL$AXg>zDbT+W0y*+IV)yT2Z+#5bD23Jf
zlW$;Y7(Y{{L5g_XGKl-S;i8(hFeGYF9wvWI`BqOP_=*pS2boSOt@@yO9AVrYVtg?p
z$2IH7dl(tcS~CZ&N!)}Fn?YXhuHZ-)ZUD-KExE{P5deED|2TtX;0y+AUf6|1v#i~e
z#BdB-?C&%!19Jhrt!kQ1igV#ircMPM{CNR$T6wr1B<0{b7f$?AaNG!I1>S0mFS$S2
zYlnzJA9^>u6c%KbbA}XKGmkm3%7=V~%t>KU50%~49Lrvoy08)6KAvVVT$8k2805_;
zngET+T=Ef3f4Ed*M957vJL8?pPjMexu0*0`i&Yckfe1p}pO+QZGAz)=(pYmYXS5E$
z$@XJXRx<cS3LovtLF^QC{DCH5=aobXMw`_`$+AN4$UQe6s%N_&`^u^#G~0^Vg>isd
z+kTIAJ?yS;!9W;Q7yrs}V~G19sWZ8BVepf?l4fkiJZW}A54y05;<cy7cI;FML3&a`
zTLi)S7qSY3fD<2Ph-DVR+#rr8@te#0`DS?2ewL74-)g5`LZ()=dQ`FrQ1Axh{9~(m
z=DVz1y<3!oT!QI27q`bmRzmpUR{gsaK~#o^VWA>q4(T&Gj5`_YO=$klU<HQ<ZDx_|
z>Fb*C$0!Z3UD?!c+okN)EMk8lx(iHwsRP+llgQS5+4fp${<AJTKAW0<>*c1_%;Y!A
zdllscV|7B+_yoLiw##@df+ol_XmAb2G%xkHnqt&pN7;JTs8z+&(dS9DWif7552PXa
z8bU>rMO~MM90Bj(okp_q4?0M*D)-A0mH0#ZPl;6ThYZsUTbF1CL}gam?t@=jskd48
zi4*`+@~+vZaMv+f7JNx}1n^IGSjM#YnM?0$Vq*!Mumtzh56G?P-8aZ!u?Y(t!W@(k
ze8`^x-iL3*;}Vz}K7v66kK89}(8kpM6l<q-K6(T@c{ot>v3hwx`X09IW0~<d*MI>!
zISEza7V6XcL7vL!CM_Eh;IDLfa)(Y_dQ96s9=UANAW}325oHar9@G#oK^Sa*F+4{O
zLNFNr8!LfuFyjju0y)(CASFfZFC@Y1au_WBA%8GT)ocs;BReY|u3+}~hw`IMMcHby
zl|=48;zT>_D7-ZWfjxFTx)VcxB7S3o82V=+^IuVAxpdK|`*=P9u+3Z9r#RhSa}hJ&
zZ)N@+CS}f%Y*$(y-4BaBo9;aN%lk^A+<gzd8YAL36XFkZ$4>RBMBr)4g>sSn&nbS#
z<bv~eSapj&FZCOdDWG=Sr|dtSKJhRj)C-p%?sCebC?C)p0!DW9Krte?O_9~Q8L#oi
zU$Sf_ks=oWV)e;7ED$bzu&$u12c#bG4IXI*>0oezK|sg(5tnwZ94X32v?~6T;=4n+
z<hNbz|3s77bwcU_&Q^6P<e6?w9anbL+^OrNHf%<oY*9M|o4fX}gB^67cgN-m(i2T?
zSo>hfHn&(wjYy>islDhNqOcNGbH8$_g~IcFbZ3zSsm_9vUm8)SEg_|x9ftE1=RXHp
zh<_5?_}l>!r%-(Jq*T4IRiX(sC&RbS<P+!~5N|+!oX$2E**InY+Cu9B3$1f3w7LT=
z?ZLDFuAvgwqc@?1Lv?9lftlEFc%9k%TiH9-=~lJlmz>$u8{7mND0rx=?LC?I{wJFC
z#wjMv%>7V>5&bo?vJbFHd6fU5K5I91b1lf@_=0R`%If|Mh{dm_tRMbQD!9oCiha`R
zSC&QHGvy$O$H3T*XTD1kuC74R^!X>Uo3X5a;U`GLrrx9BS}7aOoiLM)qI%iqQ6|GF
z6nx^8YM-rNJ21P;!U33FmkwTL1(jE3GNbMx^s**TQpp#jx&bN5nHvB$J^fBYHlyx%
zeqhSWGd)>35+l3YoCFcm{xs9HgXeId9*63?y4M(&$DZokg_y)GXc^u+0`{`xBXNfz
z9%$FLI?#R>rC0?0OFH-mE2w@ald@c@ITh2v&tPtTn<A$RDa=^UUn4WfITk<kjfFbv
zzk-t-;bOVDjx^^n4QUAvC${b#Xw?fM_D%=gR#0_X>)acE9+eNV`XmuAAs(K7Uq3|x
zoy2B~9_Hz}L}Ie77?8E+-z8=rD3Bzg5qS?^DMF4VAye`&KJ<y3;MljfpNFr{zZ)Eo
z9Gh2-U{s$|olJ2pinpliO9#uWpgIffvDmd7E0Uj~?l!FZbc)DdIMJ^}vQ)1Iqx&&9
zM`+3>9>Xfd8n+yd4{*^EAG&!Q@V(WCaeY9;HAA4x#3{NgnBh@O&3qgvji3LAFS|iH
zOQY1Im+@W*h~-Lrh`ee6N=fT}>G_*}n`Dt3yVj|CPonC5Fx!}peHG{o+p?Q7i&z||
z*zmz)j2TbK2M!*Zjo)C;$B)So=RoFHAvzHKj;F2>GoeBa2E7-+dQZWtZinE*>~*mj
z8=W_gk>)g<ZeX8=AIZ*nun+Z<rp!eEAf^GkTK?>bSbT5^LUA?Z6fGAfK?3J$r#z=Y
z`mzC7xIo?TAs<xUY;6Cz-X|)Fo52IB;ZkdUgAWiaG|ZzLE9;Dd8OHP`sd!t4qp@(D
zzMAon9jV6h?P_T-+A7}Uk`2x`O0YM?Kc)PG_Ji^Z;7~}nzpu3ama=sVx}->)IR(0I
zbq?e>2y;2<kon**g+64zbf5i{F7F>Nr9v&(s_qdHRWsa{9^;0~9E(mkW4UC!CQ=01
zEIPp^=z6~xe-e-tP{TmKG_{vQ#J0^-;o+(C7)jSW|1HmejL))1<5?w-Lnve3uK@pK
zpj!$x1JM)=E<yx#G2Dp}#-j9wsq`SIE%)1wrZy&HA#@<RMF<P#5?WXBYn)mMEEg1_
zIME-Vh*Ow|P6$?`ATBoDp!7U6v&$SX9Lr=7dLBvq;E5LB*!b>ZfA;-5gYjE=u!;6k
z5Jla9#RCidKq{e=6SCyXC+pak5sOg(jjM_S1g(&z*neup&o$u~dlQD9C=78GIpM!Y
zKi}GSw2vE&Klfyay?UWP3#+N-xTid|jh`{;@xz6E+TVnXqcnenAi>h(D;*CNImtIk
zl01n)-uA4zqT*-PyBs&#?RV03muQ+?&^t6uE-a~OqHDn?)Z1iWo7e)uK!mNzY>J49
z3*Ro`0REX^lthYZ5u<*ctGi_jFg0T%^Zc;U#O^N*#!d>x9vTDdBz7F3CGA3FmCxOZ
z1(Au@fs7|{FrU{J8WV;1&2wW{6_z^upX-aRtzC=Rf1SI7$pT2>buagN4*0O_ex}h^
zvf5j++?<cPU1YJ~fQ@F(YL>%iJ8KWZ#ux@FUSq*>pL-)qpn)wv3fnA}$Cc3^1C84Y
zeeTUZY<?DdYuCAa?gRWO+u`0_VLZ7MrT9yJ@Vd8oJ*$|r5OtzLzvpWp<~5#K1gNiM
zZJ_bn!eH#`>|jo-&sYHS_C>yEtIz!zDqI?Ap4`*h@ulDM3DPh1c6?>V?i}K7$FMug
zc(M`K`J`odlkJc(x7lCvt<SyN>*-`=r4`0AO(h3V83U-P<bb&_*;1c75g2d~wQa7<
z`6SS|t<V?U>Zq~B@A=fK5r#2;^h@2;t!(NL)a-LNp+XQh15<|3cppN!KpA%mYl_Of
z(Ief0_$k@x$CGL$2R(<A=yW6lYc*cWOAZ7YzbOPBKq?r$J{wrA4aTm=p2KJ8<TMe!
z@O!?nQ1YRDxgZ&iO!(Y*2Xwt))B!xu2#r)Re!TAejLLvQhu^X;hI;#>%g{F<$QE>B
zIg#|iKwYxh?^%M<8+;{=eh-*RLf{k~T8(J0du5tc0s}tw8w-}Q%W(Fku?=iM25Iz1
zcCf=f_j^7^&PH#?Mw|`-TU18Zz|o2E<Pu?#PhEjVg)DeXX|cEVQ&&c?=q&3Od?eqw
z{6%Ntuh+92Wi17#_)E5%jhhR>q<;5`VC-_3>L1Djdv-<-_}tATl|S;`<X#=EKF?}W
zx1-eycQ&z`&9W}x$R_-){R~9f?2mrK5Go#G{hnq0_U5nG^AW0ChF1GZI(+W-z=uiB
zsT`0%2ek)tn*CA50p)ii>66PUB3*3wSANe*=Ja-aT^aqptSj0aXxxD`${$UT>|VEG
z`Roa)*z4ZKZxG*j2IAgdvZ>+>tdRqan=n$31alhEI&2#ZFEpc<=d+cFcyft9vTt%O
zTiJxVmUuf_qN~fA$%(=Tt>|p`VfMdg2dUsI*->)9>t12+J>a}xMKA|LbS1mO?_MfQ
z0qPywvC-#g)YJoeWx#$WV>h~k-RoYDa{cbF_}8-&wKw=n_JT}-#_utPhZnn72Xj#A
z0?42{3!^K2?xnzYF^Q8a<s!#ojAvjA59BgT1?82**1b(i-Jr+C9^(A*(KsKf%vlsY
zthr~Y@Y|P@j}c0M+d4J|XeAR_h91YzTgO&qKqyM5>fZMYZ!Ghd94L{~Ao&5XRAtWc
z;DBWnuGJz8gVC#tjlgQtSkP?d>;~ye&DaCk^Kpa`-qmn><4Dhm{n{>p-sg*zpJ#>}
zaX<vWNJ6M*)q|&*@Zi37r-_H9_cgjh8-oKfH5f^Cl8Ik|CX*^?@#m}om8U?fhPPsB
z<HX{$f7OAxpIQWCzPICx#KeP~y=svN`%4S(On~fe!6y^UcO9S8#bbr}Easc#FrI#)
zHgdJx5PF)XlBNubd6;!?^`z}{BNyQG3+AUo>gz0-aqagPF$<ZoE8tZp7|&d8a>T_R
zDh@=OgBizww95kS17>)G%gneR=KEs;QHuR#L3cC8W+C>zK&lNcd`cQ5jb0ApG;WDP
z80|ANF3+=4Yw&9M!GOktxnTGE_Xj*{jOi1AuuVT~!U`40h8JZ6I&s%g4w&Wqt@m1)
zuQ}<a4E30=!`q=i*v$0f^-NunQt_zTQMKYst<_-8&Q<E8Og$@qE{o%ld6<hqg=5gf
z;>u{J4500WmC@y#M*Jn;`#sxyRG`SkUe5~rfYsJx3&P!D(gB%pr#WDEAZI0K+KPRx
z(N#6aqa!<_9UZNn)f`jqRS=<=0}4T`*h8iM=#F6Q{%l{#Mz7}wNbOt}>MhyjS?!DN
zLwG5sHt=vT2b*}uV8f$W)f|uUy(_w#V{SKRdiTB#+~WPp8{Hd-?uU!ELJlEs$qvt6
zADWxb0!w!LJt~bN<x&6OfPMawrGcEiX5&t1l~8uQ(S8219cKiK`q!L@;eqD+;)BZ|
z_`IIIK%G-Gj{W&cFfm~!*3FmsWQnh23&bs+IKo!4FAsx*7;lC!-6DK}i|GF77B89(
zF<uebXUybE&=>vMSF!=<qvezxe$O8KKymm4qdGV6ev+X6ysw}&4p@sxX}y`Vij?(7
zKY;+z;&O*E^E#9kO+@#VK!|P>A-%}wX+^`Eyd?*L82ko&=F8iv=NFE7aOZ;6RAJnQ
zP{<;TS7T-;>hndLIWJ(o^E3xix)UjgNsr}~9D$A|UF~<R@fv|$kR$sb3ovi7TrkhW
z+1Azk!NVX-vM2U$yF}~5;VrOmUC0EKDmdFWjN)W~B~Ieyd(7B{lqjDC2dqNEw)K`A
z@JAXZUyQal$bK+YZ>&~Y!9<h>=<7}BJl`6T2hDjR4|-}@K&im>E7tMj(?aNath?;5
zBBbmQ<R_{GiztV<Ct%f&Pd!U>GD^_Bm2MBdzyuawB+f;=N({F7chUA+8L!zOt$n=e
z<(gy2a(NHsx(Xw;G^tz<p;pf!TS47_0{KCPE&q&Dxo&K(LjB<q2p6T%&P$<He;15R
zz-(24(|hBgU7JJjs3cY#8Q5aLg!<$Xv$4IfY#sHu0tzjhy5K3Xb}#{F%XTP>xkbK`
z!%XILe?w&$2LiU?r?<ak8`-Ypkk_*s!>$Cn_73^=c|Mb0zh@(U{UsmU^=|VtDt+q$
zIUkd6q0R+i#wv8LG@iuJjKI<7QlJhc9!7<gP`8N3sG_rgp&N?tkND((?uIDnM;N1-
z{^++r!5{s?PXzYL;NIi&Y{hQ<t=3rI14Ml2bVzB8d;r%o;4Rr!vWMEJ*ZnCJ(qODA
z8*&6&HThAD!406zVklU~%znT}6sl!q>o9cC`V|}@5cuAbPLM4h$Y4Be@s+Hy=-~Hk
zmiBx0@@FUTa(`l`MsHvM&hReyIGD3Ri&38&-&7{QG-f`BLvud&L3od4yD`A$qTN`)
ztdsRdBJ~&D3RHS?<$^Bsmb9U3gams$D=pH09Yl+>t&dOe>o57D1ah10U5m=mUTTxg
zW^@9sU;zotPtYivG43Jz{bgVJ+&Hub8Ad`N?5+L8<vy7H3v*gV?;>Iz-B7a14>7Zr
zL#1S`7khTkEb^6rz-!a3_QrEd&~kMBMpUj>AzxTcXQlU|(pYX0>b07`*s5%~R4IQ^
z<EWxc)aZ?_^Or0Vsk8=lL02ZnK~Ns#0*ftd)-BApT9_v-WJ{!lycdPa_?BQMCTE(W
z-OD*Y<8SQ-^nm?Ge@NZErEX~EyD9HC*yj%*;Un!A1qW>KmLz}&<R9h{Ac^S`&2IKZ
zm%Aa)pIpr5RuO|5a4+^hqU$8S5r3f*>c3JQ?h<@T&M3h`0@=UEFpTc>mF)CFSJ18A
zD!(%BfPklipGPQtOX$8Ukh3R^qB&rX*Y&Zb@l}B^fseJyx7>_Y6;cYnFXp~@F2wYK
zoQVV4F0|xbtQ?9A{ue>L2!a|ZJZm4sdStD+Hi0=LW8Wg^edd6{*==7yzJik{Ukdq*
zv&eGF4$BUa&tFnLmj-U(H3F@!opEeZVugNT7ts+)HpnlZ*g-NyS%h0d#33rrvWM7|
z#-#kkEXCCvmF~o!Q*xPdoGWmN&a%sKYpKnZTVg8A+PWM`j{(!MF}gCrJLwi3lI2M9
zYi#jf_&gZGy8Lyp<^J3};hPC*lqjO5_tSII`l#)Efp+*6jNNND^Xij-@X8!M+|8JN
zKe&eT2kl-}f%s^=vViT>tQ#JJ2ODde2*xJnrDljBoHziXmCeNqF=F=A_BhTN6JQ6+
zFlNYmV6YM6NJzf*@Wxhk%DH%5A@0W+4aj9wpHVY_uPxf_oq?vzWr)yrV9Oqd)d%f~
zI3%w(ggVqR%g)2|A#zAsjB<I|TF-oeu`tS2#wQ)dCJT`H8Znp0dmqLRIN-)Swl|3s
z?`FY%_khi;D9up!fuwwTC_9LS;Sj--mpXv={)`9vTKxh0ELq5oZwkvo!7|i4jp02#
zlKeo=8Z(hEZK|yV3vwl6V?ppebhdl1%;(IUk0}E)a}b>ryR4WL9G6&_;>Y*%0rf5<
zF%vMvb*aT?rR}%&{dHFHpZNh++@txS)8dCo{~!1v)4>mgNz$ucXA3`o<upHJf*;t-
z^m^rg#}9Ll(LL|v2Uqu>@Ixo~0m%Gs_~B@_RyTp7Hhv(UNq)%uU-3hpU}@)vUt_(f
z<-`9KKNJc-P;V1{Adg&w1=lEW#D^k^DqQau0_t5zBsD+0eMXueupa`S=<={mo;o-e
z^72Mk_)xAf;~40W*b;kYF?Q~6$^0+<Qmi5SEAgziAk3Ql+=_#`SoaZs;#u3Vp2R~g
z*fPv&*1=K)=jtHt)?{75V3R+Om^AtIUO<yyZvps4mH;Z2-ljV8rWD^)_X2`C3uiT!
zFh+llw>~HE(~Q==%Aa^vk*;wZf(Mp$<6~J70GPr*32}8HY+lA6$!@BvMWj^+$DahF
za+E;T;-)SRgAfZ8{3d?X-H5_gYC7RO1i44HB#+~CG4}hj4z&LaU3#xf(Iv4$f+WVH
z5=`R!rUnq_ItD={j^Cy<S>*F*vgkA^vgpqgS@@X%<0ttF`!P7o_>+G76sHZWetS&^
ziQgp>OyV~|1BjoW!Bj7%x=p&|X#8|PrSQ|ADg5}ExGg2OP`2lXpTX~`<thB`&_UvN
zq?xfv{7N-|_+>Hp{~vzKQu8+P+xj#34His<?-L&hs>JUU2`2HIr2#@e27w<9MYjHx
z&!g$5)1>I9KU4JMXM%okEV+UH#UA=k`ggD%4>B$>9?;dq@6SsaOyXCi0mScn0)QX2
zH5-2Nc{F}HO$tB#nZl2siRn;e()dA|r0^4pbu1E$C@EIxAd$OCf=T55r~yQ7JcFsu
zEwluHn3`<3{=enLFQ7i9=NnY_T;tLBjzA13NPIgRBuISAB$&kauNpvn$1s@c>=eGb
zBU58XK98oYPLrao{!G!9pNTV$#`lheN8@`UVk~@D;PjEz`ECg&@qIu8h;K22z!$<F
z9hJgYf2Q!2&!h3xX;S#=&lJA=Owb>%gT8lc;xUIu3avvV)=bhT<3k*KSgB2g5q(X8
zN3?U*b#LO71bx;|M@c}p@7|x`_op<wkl!ckAbaaJ9b|81NHE#@^EH62KZZfHUdz!`
z>&ay{?vl@=TmQe1#8VDXb+2%tqPNiQ)Hq1apFz!9#JeQTWhdw$@qXRGWnZPa?B5ob
zY5Dqpg}2U<>NWkD>NS2Qmf%7RH@aK?ML%FT%ACkXOK=`B{+nz$1IyzFtuSEGFmyG<
zxtwfZ<n<joawsD0XBGYeyDbybl{(Y?VlQXgN2=tMh-uBYajQfZ5@9N?1u9aTs<8lD
zA^DJNyl_U>jw8YuW|JK5Jwn890^(_Qlk?`#cChoia={sZ<G|`C;*{vy0lWdPALHih
z(3W4F)axjRdB#?IO$u)x=dhy5xsd}E#*8^A5GQ2g)kS$TeMN>BkG)jPysM~JAbxi?
zb_{yy1M<;}+_(!FI>p=McZux6inW*cA0vT3@DW-wjJM4IfTMz1l!`H%em5TXkZE4z
zu?}mG1Ls+mj7u&Q<h-q%=#^uqccQ?yw^I5Kkt=J~$4I%G@h4NTnKiEhwFIJHd+QlU
zlylASheF5Ry_^@duN|oT*eHQ_<q?6ixidE57kwM~0lz%*S!g^?Es9U}#pfu5U|Ygg
zGY{{B(*bY81@&6QyS%)`9$sAR_q@9apO20WKV0aZCuD+Y01woQs>_r<!?)@ES_E(e
zqw9EYv;j0Nr!grXZvof5hYRCqJ{E{tXwYFV5{%<|Ki^03VY)BPYnw%%Qr*4t7Nfal
z{HdZBP@dLrqlykYm!WvideU1r4kXu>0yuS=wuJ5XMZqj7hgGwHN838@yatqqXJM}F
ze-r`5MV7ozA#caYyI%1(I9Nx1;KpCDBD&SKse)%h1Rq{o;Clw%=rT0p3UBP0O{g4i
z7CrtLe#6_~`)S60gmC3Q-up>#&U$^E-Hc7jHa$a(;b5PJV$-uLw4-ia=qg<B3jM>o
zU<sRzYpQsJ6AzVD&~A-0WH@p~O~CUJ+YMg=sYV-hTTlgfZHzCv%hqbi_iX?#1#=-S
z_bS_slFTBmoAdZb)=s6WKi>S+4TzJ~-@L$$`sh!^Ew?xE-us1C0;6s`P<y|E)#<zE
zfAyw7a2eQzcH#|24R2K&{3&25fGO%cdU~2Nq)Q<F)Mq5N$rD~|2}!ajv`g;A!B5Xt
zwc-?<v)c|rt0(ccf%aDm8G&=qO}mhzX$1eeK(D3|BsWT$Au|Po@HbqtKRz=X0<)|^
zI~?W<%7DZl&Q_0|?{>w)oA4Rlf4uRBDC2KgW5#>tU>et**83AP`a2E}v*|IZM+Ye-
z3K492EE^&G=YpTB=pQ#B5I)$uX1ICFIu!F5ih&ce|FI;I?otx+yP|?o+P^CI55mK`
zYDP$-<8U^64DiOuc%s!LiJ8re$Jk8V53=z~V`#TFuwfH1DR1n~=aT0QwR`{-rh0<6
zd<1U$RXjI(WjuFvAo>=o2}GY@>jTj!8|#lwW3!_(HX)Agie)?y&v}c`*Uk#GzaYrU
z=$-|=kv>sQZR05UpSUn>KVvyCP*qIqp1280>a2Mj5=Xy34#^Lz2d?s+-~Huo^a}iQ
zkNG?X*Sol-g2VNw7lR7iWbyA(UjNHL>H2QWskm<`kks9gXTWNBj<jN4BP#b9{!PgN
z>7*~mBZkXsCn2?CT*_N=RmqpZy!9-mtwpUtLcJfPw}H?K-qJubhQqx+I=CIjK50g>
zNt{TLW?%L8$yRf|M|0qiu56z*Md7|SS_-*}HhLGbDm4*l`G_ha1JPwl;d4G$>y;3q
z@bN$G2tVX@%>ssk#t7^V?N%<7gI7pvev5qS6I^eUX8*p3X_EY7=P$IMZ_oCUn`m3r
zO(G7lTd#3WNvY5!5Y23s^C-UN8`Mj|LEhkS?+5LG2WcNdGjwCx-cZj1m1O;zeiUn(
zhF;KcB*^wE%6E|MSwuiq<K!7l8~iP_eoL+23hTGZ`W<Ke(sIG{wfMzR`ntb^+s)|r
z?CM9ssQjHSXhQNEbz6Zs?n!RKPxv6@$m>jf%c3xC=KW5=-DP%bJhOIw1yV>m;ogI(
z#n}a_FdH}FbpX7QF*{R>nn-3^)<kgS(B;ZQ@}@{8haLZ^4%|D|a{I0ivJt@>8?%UY
zf0r<_b<3_08lg_+H{<UVv7J)UE~GQ&9+QnNSRCdBra_Mi?c^onP(z!c`^Ch(AN1_R
zW6hViLVLV2G{WUYU3fzeN<y}Zlu`;sibM=Wq(MZ@jQ?I3HYIP4;uoAMMbE;K(RVec
z`SBL??Kn^U@GeXiT8r#;;$iFF#CIp)<=1181P{<I!<HB}Z15-(T99Td57>&`?wtED
znyNmq4w0)~;G9GS_!8BeF$n9If3n!;)n%whx07x1E}-Djo{Kdi#P9LMIK&FSjmG)y
zOF(>4Im?<kXfax~o_YvH!I#JFYB-7x4>>*b5KN*)nil8Z`2yzc_|P>Ns%j4sV%$O`
z)!^|1j8@!sv0g2{5Lr2Z;VtMwbv-@;(SjneVp+~N)AHMVHW1CEul{T*#nf~3`D%3<
zvWc*4`{-!-DleY_>GeSRV}%Vk%x8KY3?J_C;IUF*QwAC7hO!1)&5n}KCNz{DN&TBI
zUE+-axnd?SsZsi7tHG!~sv7tAFI!r&G}<=p+ghBYHX`Takjk_}wc{8L;Q05nL#~?`
z4)u|E2?r$Xx|#9)bi9OjLnt8qEsS3(;aUklr{iyB{M|aflwq%qFJrimj+bx(2eMJl
zd5r&1!nG29LdOqc{BLx;ggrWbFynjbcnNR*g_LtX<KLBVt%RdG{42)asMAQeOvhiz
z_$(bS;f=>h+bbFWPYJsuJWa<389!RbOSnYGU%~jp5Cx!T6~k*K?7E8Kmvy{^C+qmD
z8DFX6B|Jcf@z;p#HKZ*l*}%@Elquoobv&>&BKPTd3Hx<Cs9{9<>Uat7fFm%_7Sx8v
zRSDNh_-P#;#`rsQ8VL{8@s}|EI2|wH?|TXkLmAIgXed*{aUEaI_?vXRgwNOU7c)Lb
z$4mIDTq)-w#=j+DmxSwdyod4E>39jBt>cF<-mSy^8D0;^ZNNdouSvM}6vjWI<0X8R
zjz5?2ztr&(J|KKvdk*7QYMz(yi#oo7@gW`WWmu1kS_${l@xvLv8>Tw+wS<>S*mWu6
zpVRRYrUNG6>0`WC$4j`6j`uS@fsu`JB>bTcPhk8L5_a9k@Naaygy~NUW!}&Do;qH_
zn`JD!9$@^tdR$95s^e=If1{3<aG8z|F+NMjOL!v`W0e0O<Nqn)S_x0n@e>(8TE|N`
zQ7GvrG5&C0X^Vu{O4v1-@h_hw@e-aaVb?>9uhj7p9-!kNW_(D>td(#;mk%`&@<+!@
zcsF_<cs|1Tr4oiOV1%F3@sBcmw~m*vSI19fd><Vz;RLt^^uL$!A4=FI;U{$bJ&ga2
zj+d}U$KTEPo;qH_oBK&QcQO853A-d5)$zY&{Ea$Z!eu)CPR3{HcnNPTkaF%|{68h^
zlJGPgKc4ZUb-aX2bo}j%KYX&#M8az&TzebiU)J#wo~+}4&G<?k233v70G(z4!+UkV
zNVr+|%c+ciUdK!LJ{^A=<NZ2b!hLl-=2#=LL-T`#8#O=tlJQULcnRO3<4<S&P#rJf
z<8=H$#($qLG?DOp3A>6JAJ_2`zDdWIF#cUUnvFh{a8$ysQkN^#7n^hEt;H2u-U@EV
z{nEp|sJdcEddWMX5^r>4FrM|7uaim4CMxV*qKhN>s-8)`gj48LSmcaIw+yOn@MnOc
z=s6Gi!&!lnC4q2frZN5dZdeS&r)0549vIl30Su~VbaPe4?>aj}J&HWxLxrFd(uEJ5
zip9_g44h^}MoQq9M&t|$^o9JBz&IoFc^{^^*@(O$fm@BpbP3!B{*u6WBQjV5cN&pn
zC2*G!`38bNeCQ0wZwZ`bL}p2#n-RHP0-3lUE`jcPehweXHX_?Gjf4*!V?-89AlHce
zmjrrY{*geQ5iuojf)VL2ffJ3$K1@pCL-~-e5-2hvFG=8ZBl55W1{#s8CD7A|lt{oZ
zA}$FWXGA{3To*nx*ogc~0v8yOItdIhBGnSO2(L9u;5;L8j06T5k<FMn!-vX^$UF&L
zVnqHRfeIsXn*@e}za%isi1e1gFN{c=!Cc21kwp^d4f!E~3?ni@0$E06gampRky9j)
zgYnUexz05rD<m)+{v9OXGa?U3;4&j}l>|&9QY?YXjYt<}!tkLW{Q64ZN{nv_R2h+o
z1g<tBH%Q=8BXXVu{CfTjA3Dc~Y{CQ>K6EUuYf7Nhh+HXwGR$uhINykLVxkKlx)3fc
zB;dh2s{$&<{3C&qPytx*-7k_H4zAvRY<m5s$3YntSdIl5CpTb7@RsC_)@blnTjK%F
z(d&<4-U=GIlDe?A2gdtE->}v36zWJkgEf89J{#|I4T?++#2Ucc9>e-Q-sdJ5=2P+2
z%s1ANFUJlqCw!O#{vvj7QuzxA@9%(n?eI?EpXf^4H&FjZZ0Dr%w-DayfL~{av;7Ia
z_mFN^jvYRm@Hr0nYuKnsl|O~>sSfx}c6c@6V;%6mc6d4A!yNGDdRzGgg!gyAC)?qj
zIe>S;=#$33%nolMyww5UjOAMj|9Zj~I^fUQ;j;;!<ACqRYAcn03gJ^7@aOFCYQo1l
z;2t}?obX`|`0n|(@(T#>?|{E%hj(TJ-X)t%wJ!W4|JmU!gtt22Zaci5@P!WeYx8XN
z&nA4110Jx$rw~5X0e9Qs)r60Az@K=}R(?6*!yNE3JG_AK{toy9c!nuO|IQwOcfnke
z?*GQQHh2r+tq%BAc6dGE3mxzrJA5|ba~$v&-?f!Lh485k_*HgzHQ{3&@Ekk5obX`|
z_>1q@$}b?izXKky!#leJ-UTyIy8WBqw&iajyww4J!Va$|e4ztgVu#Nre2xR&_-|YJ
zQwX2xfZu0_R}((g0nf3+%LyOmfQQ!G$}b?izXLwR4)4qYybJcKbo--k+48p#-s*sR
z?eKcS>1QvUfAgER{Idz4<ADFyr#AQ$!lydmlkNGd2_Nf#_qD^z2_NQwzh$3y3JCA-
zfZt??cV+_Kg&pxU{>RzjErho^;LZQC;a^YqLI*r*htDQ_jsxzs!>15F)d4^7Ph0ub
zgpYN=-?GEY2_NQw-(iOr5Z>PbFR{ZrGXU@U(cb>e|FG5HLU^kK{)8P~PxwLyJYa{<
zCVY+qzWH@q`BMm=>VQ9IhgTCm)&VcG!^;UD=78`1yRG~J!uvbmui4?9-2m^x395Ae
z-(-ik5Z>y5A7_Wx6TZ*^Z+^{I|7^nNIN+1*@F|2(b->H)@M^-xI^c;{ZRM8}KFk4s
z(GD*lyuSl}l^x#c2E1#Jz5Q-GyoGSOJxtSQ{wucn>j_`zfZt(<&nA411K!sTpF;Rl
z2fX=jw(_e9AM1b*TVsQl6F$rVzs{b&fbjkf_-^b;rRP6*a7lE*0b#m*FWTWPgtt22
z0Xw{&@P!U|0-Hst@@Er1#{qxQ4xd8!R0rI<+LphX@Uaf~9jk2ca>7SA_`9ziUO@Oj
z2fT5mEq`ZMXIG+!13uXfZy|iEgMR|{^6Lq2a=;JR^Uo&y6$gAb&T6LUGllRO4)|M+
z_7i@)1Ad=9e>veJ9Pj~lcmd%99q>k+#Z1-Tc?9qt4)|m{yoK<s4*nTnhu0I{<bXFX
zx0OGe@K+r0$#(b@!e=<(Wp;Qq;kP^B2^^hF;a^Vp2nYNLJG_AKfe!c}d;fJF2E2y@
zUSiMRLikn(|84%rR)0O=O%C{TcKB?<Uva>_cK8&+XE@-ACR_Q{gx~Ifzi5Y-6F$NL
zzs?RXAbg+$ew-cN*$H?L2fP`FIa2g(A)N1hr{%+ac6dGEO%6Dot4imeP53Jg_{OC+
z_!PotIN(t`yqfUa9dNH5UQYN32YmMuTlocq4|Kp^v%@<N0p7y_57^-?gm1+O?R5JS
zIFFj5Pd(vH4)}|9_-w*oalo&$!>15F!vR0e4zDKsb_cu>2M$y9mlHn10l&`<FCcuN
z172c>cOC@1hXcOXKK@z=-@4P@{ze=wOx0gcc#{KupB+A%@K+r0iT3iR5I(~J&#~vP
zCj52>e7?i}LHGy<{3<)VfbfA1c*0@-H~@GL2mCoZyoK<sa9f-1e~%qrPk569o^aSd
z2!F)^pJs<oA$*1d?y<wG3BTO|-|et}5I({If5HwgAbg+$ew7{GxgYQz4tS0o-a`1+
z?e_M+Ww(#i6W-*22kh|Kgumi|AF$g;rVu{E0e{gBuO|F<2mCrayqxe64)}3)cmd%9
z9q`xe_LI&Iz<W60ci7=Agl}!LxBoi(`k|iig~|>;&JLeV_#6j3YPX+EA$+O>?zO|K
z2_Nf#Z?>0TPWUhfe3~6zKzM%#e1IL^xexFz+)zmKccXp%(n5Hv13uYqpQ$H&p#%Oa
zhx{jejsu=!&p(CmsSfyacKb~=;bR@}5<9${@L>-4M!Wr`fbjkf_%u7bb1&dsTkP#G
zv%^~mZ*{;o+wCv)gfDc!pR>bf6F$cQci4BP5I)rbciZz<6F$}ff6H#aDJOiG1Ad(y
zUO;$%2Yk2PKGXRl;9YReneP9$?C=)CTOII#9bQlPLI>P!htDQ_jsyOp-F`EL@Tm^C
z*AA~He5?bWu-jkC2_NQwJM1?Fg!gyApRmubow!Sz==#py{sH##TL^D;z&G0MFZF~k
zbil8&!)Fsd#{u7Mx35ege5wQfoE=_G_*e(rV~3X$KFk5%_%GZ1TtIk#2mC%eymJrW
zU2y1`?*G1acnjgJ4)}|9`B6{!LI>O-A7>Lj#{u7MmoHNYpXz`=XNOl4KGp&E*x}`b
z4|Bjb+U+9+g!gyAC)?qjy8-XQ4XAYcJ$85t;jIq%#=qO>TTl2x2mC%ed^X{89Pk`F
zd<x-H9q?%m`v>7;9dNfDUQYNh2mCp^{i1;I{tkGV9p1SM@UG4F_BX#`YhMfDtu{FJ
zxsu8symI&14r72E^Gf_1DQ}zQeA4(3R3+>w{EU}+^;ewj=J~{9-PnBQlNv@a-shB+
z@ESW0+l4sLxWA&IJu|$?zyamOX6&)g85z5J3@$c=HyeRi?((*~<Q)0hOO3hZcmf&6
z)!@Qmb2*^!agfOra7q`<fuH|I7Ud0pYrtI?Qo@DE_od$Oexv4eoZR~o7rVbS2i*@B
z_PP?D_}qh1f@L4EkYJe#gz<Q1bOX)`!ox-vUOLTW4e(%EZo->EeDERo8z?mgJuWy7
zx@L@toZ<aAvG;52otwr-rU8Ejeza*c92Vd{LHdl~Q0yBP+t10Fv2Z>pV$umC-14+D
zHxJas!q1Wb{PN*=<1azIwzt(O?Vx%3G#uz5=aZXyAT7!`VB$bF&gnJHn1wPW4rk8I
zk^|EkUqFODa&A8mt<SHc5BXLEPvpr)Cy#bVJK#_&ynTr646CoG7@MaTpNJ;%81r9H
zVt7&^9#>dm)am<It?GF|r6G8a5JByt{!9{~I7I}bj#tJ(2zY_nWYHpZK2siVlm~xs
zMZZ;5=39k?KHzN^xriTxN1AK^;n?bZ>}um|EN&6-+DA59tPb`~W|_%);Z5tVqI}Jl
z?3tBjR4C4)kI~mjWR+c^S#vaduPMx4<-hqj=-|Sm@xZm|(lLy|apko;!kgUDWsO^K
zO_uJ$8@CK=+>~$T?3IsAg>*tzw#&R_&szBC9*hSUP|H1F;^{0E?!?%R-;VLhv$)Xv
zc~<sM1ev#N(6?CVCO1B%51e>?5v0$n9@hES*zXrJU62<Wau?wq%i=M?GK_)TCZ3x0
zESvfjTsGl0L+D-W5zPovW2n_b*X>I1Q3|zbd#82YJGv|7_(wkxJy_gZ(5vMTTtcGv
z0A|KT8EpNdvjWi#c(@zRaLk<LX5+S@MqMjndFnYj<5_lQ^bkDx1mkZ^!iRC(4E_Y;
zugoN<X~r1*NO4Uw##uq65n%WLPFRGPES|ZNX;3u|w=f%Sg-8Gw2pYHL&xErbj7N;c
zY+Ri>$4U(dZ&IBL=-FlK^uGLoJTDJK;1u~~jb#mOy)^xdxld&fEAM%|yU)}?(hV;d
zhrZL#stQL1;k^OFPyG@*$iW!LAz~`s%Yr41HMz#zKeC9nKVjUV<Q&$Ar+IP<OC!e;
zAReT`2l7I=RfPY9fm^T@ONPxCR@ITX95EirRTV}ED#Lx9QD8-q#`_^LH}S0M@Z|gy
zKAcyHmsO0*_VT6=MQ86GrB7vO>ahXKLTz%H3(}*t(%qr%WQ`?zLrcm17{AF2Ngg&Q
zyu`HK%L(8~^r&=}H+C7$Klrnk&6oi+;Hwi%gJZ+wowoPXE89Ag^QAuT9>4=L@XRVt
z%vh(7>F*6UfoxZkhENhEISIa63=?<XO4i_xk?~j|$u)lyipL2Pcv><sv@*hE6gpS(
zd}PcxB7|6H)a_*;Dll9#A)UqJu1HA|Rs<wSW<>tZl%SVaZi*(EU@za3tc^(TyF=Y^
zk0N*CcJa%=H%x-j&7hlfj%w&5cfiKS-hLLfklYoT-gWyzxfacZ{$Qd^@61tIE}b%b
z#2q@iPw?39+tNqUDV6TMm}Asx?8~BSjJj*ka8QR&455R{W$=YgII4H%3H85FB?$<9
z$9;pOQ{3?OLI=h3S*8rPV0`dWPy;il3^}|ytUu$!J4paz#z#U`V0FlhzejGw6CJ!s
zupN~Jqq~AR3Wt!8CJ3LK#wxzN38&TyK6Dl#2BA_6J2+uvuo%H^2znt~>131+u@IGk
zA(Ax<?3!s~S5%%CYD?3GRGHsFVp#mnaZ0+Cg1UNuE(x`<S-7_cQsrt=^#-X5lZ?Dr
z6RJhIR8qcK(hU=uNwL*9vJ$K(E(x>wU{3{~1;Z1#cNJ9y(FbGb7IU21jDds0Y<*C+
zb+kvnHDlecv)(uYw<xT!d0B7+Q_5qNxJlTWL<eu9TnlMywMWK_43)j|U<p(s-pw4x
zDkt!2W45CQ3(Fda+nCWKz1MWTQ&fu{@Lq+-RrJFupjO#Fh4~G)ftHj4gR}4=UCqF<
z=Cn#c{>(jZR8J8`@Z6Py@%C{jfwcYjjudIAWj*rRX?R7v_c@i2I|e$RF9k0HM|d`b
zcF%*UtgCH_dT9$qK!xZV)DP6#2C#_#@dfmi$X#4{3*(7ru$<?M&~9EBBl4Di$kc3u
z_gXON!7ENC?{<#kMG+SwY&5__Cx}3g$Fp2m_(KS>91e2cZte+N0>c#)ZWYtYiy8=o
zl##jLc*<9FEv}9-1?GKbK`0*qI6;J)t@(qI8aE{oSyk5XgZa826I`7q3vIn+39iSy
z0ZSxYav=pS!DPwwY`Q<^w1XVQY7Ms4aep(s|EtikwNr|&bs2SccgF=Zs<n!EfWX;6
zvKR(el*V&Iyo&(OC~u;??(kW~Yujf)7cpbyyAb44A9NjEY~E7vCcf{5C63<jhM0}t
zb~oLN5!FKDW-ODb-$D@Y;{<OR%(SP8RT4yi7;fCs{m#6Adl{m)(-;>k+NJM~fxN|_
zCgz9HSK(&UwY(+z1(=uYqi@6xBGP$Cz`_5k?>ouYePy%-a635=g9bauZ4SCB+ss*1
zbEkJ6x|{y5GTCNcc0q~0C??F8dh#vCOwew>J`b0=_s7dTazB>+nwpLv13`A&m?1wn
z@5ox?txHv*%>PgxZ|G(U;r|LPP5KohC)$NRMF)ycMy*|;!My)3jWz0q%h1`LO)}C0
z;WysVyp`5<XWr;8xCO)ikOg?LQN4@#KSd;?4vu(mr4EiAEkd3C9SLRB@gnGdAeK?L
z8bA^}nk&t)^f)J7Abm1<r>o!p*ou+Zv$R?<g$0A3;UgDr&E$!uJ<{K-?PSfQ#BLPQ
z;aF~=G5rD%nM5h9#5LYc@}6VT4L;oetAUu8tg;KGMbN!i!5B0C`=V0jjaQ-Rm<GDk
zAxLX0?T@%ypHyoI8i!+77HA`{-P<^8?>CxYA4oi%Vx_pNhdJn4a+guZ*Qi*|7<gp+
z5B-iJGwb#lb(KKszwh<au*Yd36J)tZ(M!5r?MxGOAQEX}^#zaXH!7ov1%+B-RATV~
zx_zNK)8vJv4H7U(pphUDSxJ47PVos+*a^gQTNY09m^sZ+TE1-7MEXAh!@DYJB4wC^
zMrtBW29VVZ0#9-j6bq#wHj?+UWxS!anUrn6VO!+w2#P~ou!A^+yI+XM3ck$}-jB1-
zH!)2->wX9yU##fa#7fMADSbn@Mi^#G;;?kyD2Uc5Cc`a>UKkaqC_C1>2q$JQ_$`E2
z{QQHkhRKT}Y5@8?@mCZk^Fw^7r_=3H^{t(l?9l+}Jr392MJS^R1?;|43YecNU=!$(
zI2-Ndx<5Yjz#-(H@}Kj+tMfmZ%KrlMzn#keR|qeWRYOn)WtH<B>Cop`e!+h(|0-Sn
zd8zU%Sbi8p(fD15{62JKq5AA=R)A1~SMo)kg)@sPP$fxkjx(o0Zr6hBLo4vds5=(}
z2ct6+_uBB5QA1)Ch$hc93A%SkX+ZZqM1u~w#IpvGEc2)W6W@WwR0n{z`4@Wneo=)w
z<Zhf9>-Vp-GjU9RaK7noQwPyvGurP@h=RnEYkal~cQV)C4kaCnmRgJjT){m`zMCH2
z>%R1^JX}_|VX?y=fhDlEM~s+&tjG%|17eQ|Cu*(x@53cu`aWTDebJFt;fMm}(Me`(
zm^`jxQx+hqVUievivsYpx=G$>JsA}B>ZzM+f?Ry!$yYKE+(-oDzs+wOtMwIGo;{Bf
z{1lZh13i)L61x>g>>2w99cwM+yplHbi1m51{=A2;wDyl*<;EJczi-H%2X3T>_)A<Y
zz)Xrs7j_*fGeajIMl(i#F|#n;4qO31x)N{gk#0ua?J~`b;u;h#5AoijK#j<+5O4J-
z{V<FpzeTr+{|O8k&q~g(L2)N+>Bn5?Iot`S-b>W?NfQb1rCQU{*#+N^wzmS;^B$$X
zz|18OUceb=qc;3NA`+@ubPYUc^uUt+YICg$OgrpCv@v5RspVGYP;$00qg8tR`!ek~
zQEr&-#CQ*2%A4fv8dWrb6mCSK0QF&9+^#8xfE6%k)X!zE-IhxBUy=+S3{fBSqDtJ<
z&4RWXx&t|^+un;Y4nfHrFO<PCK!A@m*A#+WC@I>WmS<61=Wo*fD-Muuco7|`p_f>$
zQh1A(ZBMK7;x7d@nSS69EbI3LF=&>8bZw8#gO<?M_Q5<%iCt~)sM;^}`Xh0n$b?!T
zq4nQu0&u3QSIbytN#|qLe0Ze#8dnss<Txf-+2UF7ifqPj%vZO9T`Wf#bJwVAFaXiG
z&-qHr<$xG-*O>F%)<3+z^g!{xMVX-+>ekhiFZ1WS_buvHGYD{)XrjL3kF*U;uMg-*
z3ARZ*Y=eOaAgqIj;<+d3(TH~*(LkCZEsrIMyG459zEBg2#lI%s@tyqT<AAC5l{F{c
zl@=qNZTtqJN7!g>Q}m9igm;`^bSXyj#~97|>Kk0xK-;<M%}=)9J2ts);1o9w>>r3<
ziPx(-FuZ~8DtTKBD=y`S%@_n(><xFp#ELm6O^*BT3dA2R3`8%JHeMd}d1wKJ2V>nv
zdG@<9de4MF^w*O@r-+pRP9A$dXy9)@vu}gEff{aL3FC;H77M`P2C+?Al));m5ww}*
z-Pe>EI+fh}H}A5`^4<9ER`VxK`{AhjNZaEgFTG6w;@|KlALc>)OFRIk(e~Hq#PMjh
zw%3XLj7}VvqyxXB6Yp}swZB$4%Sm6P#;dj@s)$HXLu^<BAjM1!PH5@IjAy_MCT<Vn
z2aj^$Zy@~01WL_aMkEiP-tZ&i-8H@7lISk4$3Mn+{1BMe#N<pRC7TX`+SMAcI|uCw
zg0L{d5AJn60)IL?LT4vt<LkCr`xa;7iF5=p`i{e5w1;<QX3@UI5N_RAsk_B2`KqQS
z;DJnp*{VHYT=uovuRC)R{GLMau_oRZLigTgeRk;2YjH#C{yzs|J#fQ}ZQM*T2|nh9
zaV$UatV?WE4|Mh__eS(}AUY~@KPvped>M6yexGU#D|i|+E-J|KhW%sUa^NTq1RqPY
zO{kiYlh98lr*1Sof)xoSOV~i#)zwmj5jhA^+E$<JKX0suSJ3eS7ra$4Dzj6(D<<Jl
zywdXCs2)ddBj`w?4VmX*>~tk2;*ZFa#N7y`<Q4lLDglOAHzd{kVuIUxByPq`f7>j(
zH9xsN7a^|wkvup~{E<xC&OUaC@@zz4?%e(vW`DNqDfF54N+Q+0Pfig5v{cOmg4#6+
z9!g9IL@zHfMRk6T{6m>|9_V2?Cuvu|+(4xQUW4GR12CKXN$IJU|DZ?_F-ffpLnlK1
z64|u35|-PxL7j>st^Eqi$5h&1$&+K#{z{~@lo?VNkA`L>8@e71E!zjfJdS;^iA`z@
zK<v>qsKMr@#EWS9CP9J5j8`;y;IRY?N0HzQG=*Bd3yGi_$<%OG0-kMGr>}Q3U*_wi
zelG2{`zZ;aW8q^&{FFFIaT!RFFQnLS6OeixDL#V5BhhkMZ#1>d(1^6X2L!weIWws_
zpJJAJMJfCw`A_8YXquv;hs4_}e3j64;ouE!G;o^#UVRARF<)%bbltK<j3$_1MQP)U
zlOF;-{iY#24CU#A0N5p*jwLr|{HCmm(@+Bbsc&Vt)ST<BM-~jPND*sE^}A7bkn7B8
zONdN*UkLu={!vtmC}Bzz`F<5Xpi%*e@hnKSK`F*aepPd=1w}%&P6PfRIj}JKg&Z?z
zS9gLMlwy>>Om~vT75?Q=5Sm2yDo|RiMx$}G6VV>kbCy0RfcE_j>qg{FQUdK9bE?(O
zLl~AUzBh_5YbHCflBdy0jO7E*Kf$zEFg5Bn{~YjG3%CTpWK&+j5`=6v2MbIYm`2?j
zz?u~WHD=0(U%nCfM`XjA;lrI+GgPeWw7i*|fKXx*K(jy?-Y?NBwtGPu-J8?`;ys6<
z!6+0Beiy50wDSG|RxA5RD{BUz=pa1I=uTCwYf<a~6q_FJ|6~81DSQ!{`xC1CLIa*p
zHu`F-(SHZ-=<vG4FpdAv%{$PxTTwOIG9G6oq%9cnFM>Mhj+9=McYfnNn~(~P+Js}k
zTHUdA<R1#HCY}eaj$PK*(UB`iSHxx@_9rOw-WGvdfZ0!g!!<B+A%F??Cc9@Rbcn=z
z_)wRk0gw|i|HFSS8jCq!+gq_W4v}v}3em^&i5(icf`^9US<j!C>H6Vs@VH<5g$wUi
zL=FHtA3htHWIkINZTjJFNY@AH(y2aSDwyAx>UErcN~Ze53HDU~WGbt=%C&IP!m`qZ
zJWen-o>9mXwnEP6kuId>u4IbYwiK^+x23o|nc@{&iqq{Wuq<dwCVB&jq(Lubv5bZS
zSEOMcaKLV#zabcHSPZhab=bDZNzZV52A<BHI0aq45@%gtk9|MssT#;<U58eu^ecQP
z`Z&KQAN3soa`yCnfr|aR`Ka&f_zlNoq6ZQmae~)0f)WOsrSN2v9xmd4lJon$Bh6S3
zE_|UPUvI{yW-~IQtEvJoAmlN8jv32{RrPkSqjxtb{(Viiyek7<;ra&M;`xm0n}_pM
z{wj`*k@<Sv`}1~sU{_0gg#S=Hp2X<^^{3`sB5;NoJHhm<37yJ{`iV_D_8|1`so7ms
zCPX952Fd*MTyOluKN`z<ga<`r(IeSW1J=nuc%$pPt{H;$2rRNoSktfk&?Qf%pG{q?
zp7(6_2=kT)ddp_MTE|vJ{UAm|2$spMT_Y>z)&2{rLKE95c(m2)n0GZ+$?+u9w><fp
z)~5_<Zv$4fY}L4Ys~xHSI0|0)KfsIa@Bki=<Y|)S?6({<Hlj2bZR*-&B}sRF62Fw`
z<1jsmm0}1wX6Ir=fI5^2y+rEM@!YIyxH+(16@V(5mPTYh`jdMj!f0eV`dsW94SM^q
zV1mX0Srz$`iK1r}(JN_T*J!+U2{&RjC$(Lv^$hM&BJI~*qwz!~AfXH1=Yj&tcS;4!
zS;3B2#C}+de()}Ep%>J*A5%=%j7{1tuuz9GNZ~5u05$}A`Vu}}9)c-;tJ;kmCVp{(
z847nq-UdtQ2O%m$B!$hp7I+Sdge(Pic8$iHILq3eMeSg~wuKstw)eaX$P?1I#3aaU
z^(AVt4LI_<UQb!ub7O3@hON#b^qC|y79Ma=N}?6uGZ?!)ud?ntBVynK8{+0IRlVsw
z51#!z2Ok(EV>bG2S5-b|gttItZOwfI3l}(7+u2oBNWil;0Lffc%-F}Q*vi;%U~K&=
zc*~?b7Qf&E#Di3o@xi^-)o2KdTu?2M9ZaBxBC@OjhOn9ey8n#1*hux3_RdTOumR3f
z15KgtllTaVp<g6FIU}Md;78*MtW_0SZv4c*EOz^oMiVaL$JlgKVePj6hrM@?kFvV<
z|MNhA1OgKjHEmH68x<6kQLIF<W@H8?Iv_2e)cZMF<y2d#CZg7AaFW7wI+iL{+geLo
z?d9lcds>UAsF@%MU`6l>S^>4n9-;(63HSWopS_>C1h757@A<xdfBp1D=6UwBFKe&8
z_F8MNz4qE~ns2S_f$Xe&1H7aB`4))A?<_B>cg*C<%K84J$l0sx_~iGyryO#0egOvT
z=<K(nGvB^m0cSwM#(Akzw7gHl$t#CwRL~wRnj6l?|Di5<2TY7HYB*bOSAC*{sJGrn
z0qMv2xn#$?YD&2sw}x^*(GKKrONU$s2ts@V+)*H8N){oaQ-_gt=F$~CFp}dh=My#1
zZBYA&fxq8C4?e2rmS^!<fjA7FZ*Rb{pwOAxO7Y%HF7ug*ds*t^Feh(%(D&FF8;(6U
zorn8GzDR_`fLkvs5C%VqCiYuyDYF!I8<<HYnF!q2ZoRI|(P*d6$?Ig<roN2Mrj3T-
z`FT4Vpz@Ahc1K<Ggr&(E?z+rvOn0}sd`3mZ&yhZHZV4|!`Y^q*z%XH$8gQWJ!NQO2
z+FZ?Ta0}CprqB{Q>;2!%w>8nXwP)9hV!H?M?<qcxa`^8TSTwPG={55eKs3*h^YWoz
zvLC}(3*-Ha@38d}zkH5(v-EzDf8NBXu$VQ5r)N0Rl;|WYe~*l&E}9{_Dv;;98$P!7
z_3eQh`l2`RGr2r4_=0jCF02d;zNnIi%SQ(WUoo18Yia|7uSHv!FeRFpIEAX4)TFC_
zvG>KuwTVYxWP#>;4o<{?w*T)>J#h21Q(-t0%X`F8#kTgZ^7p8}fZp7la>>gHseH|t
z9&?wg<-*A?g_Dzu!^z9b!pRGVa|K&*@>@famygz+zeB>wZw;l?*f0|^IiWl`xiWbn
zw`ENjnY?*i0)r1!oS3E?m!TQlQ!2P~h#@#__7GhUH}s3M%Xkc>n)=@I@HgH_UQ~A4
zMde;wa^jHW1?B0se!XXxaTQgn$-D50cB4<N$%$p5)DHr0&8no4an<S8GH+XOYt`!0
zCYE{26CVfHq?ZT0)uF`l<OOA+s+Lf2E7=EZS@ldhlzRM(KL&1xzp$AbBJ-M1dU^jK
z*Y~!BtJ1+WsRc)z*fw{f_c3mR>3&=&8xFQrtqQi$e80mdjQ*X<m3Xg*6RqjCvfxT@
zRn@j|uytapsgHNxgneFXVtIOHAh^}rR<$~~TrjSEpz%Lcs4VQYaPc9Hg@UVr&4&tT
zy4ZapL%9!4OTRocq11xI{`-<{uICjvWxxVNS#X|x<I;qKWK|#s$%Ir>?_&qgzs^C@
zKMRR#oR-rq{k+wYM7wsphJ>oxL%}YfEV=jF5A0J?1^5|r_xM|X6Y^dXYTC;LOnbO$
zS8xr$lvkBJUT1+>5eNtOW2g0j@&5g|V|IAlPnTZR-&+;j7UDwVZIP;-A&}s;P;qf6
z-O`8ae9uiajjjDlE#yRx!Cci!A?Yg@Uw*t&DuUa*RvZk{t)*eFHMqKpaeMqr|JlAM
z6Xu3c1}oh%$XgvuGgNf6&t>JOydGTR;3@Oc!ByO(2F9ii3HK7Fxc+Z>x~&g)W-|WZ
zn<1R@!7tZ}Vk}&M2vns&l>=n?o>w;6(aHfbC=bXPAH4WZmA;l_p;=z$LjwU6zuxbR
zr9L$2J~?O(pF8liPx8=|7DDsUkc%U#Z%6?+g9^dvlX>s=$}ltw&PvEAi<dKY{<?E-
z7Lt}ec}V)K>vhAmSx8D9B&h|5e?N9&Di6pY3ka0J9(Q)2R;L#9Ik#qaHy)?y<z)a8
z3AWP!_Y2xyr(26@UE?)p$G7JysT@*HGhUii$Nt;TziB69dO&cs@KHAQ{e9k=;Bv1m
zv6^8S9Nzrw!|Aqi5>^GbT7t9_<o7SFKi?uDy}Xox^0tP8Eg?^1lY0F0E6;y=2V+zm
zY}Et}wt8z40MOKH){^I*O{WKt!i0eMw}lgJwAruij-L%zWyR^%^580OW$<-cS2Kfl
zpYY4g=~blw{5sU&wOE)AZyw$Gs;!?Ss6aIKu{zV|=y|X@W^KBKM!3$jC7AZsFzeMw
z&FWXV9TI9yr^^9J?Z2LAW#Ya6lea!l8?c4oHlfNk9oTvMuZAiAP!OmdZetz_0ulEa
zU%&9N=Yas6(P=@DwvZheK6b<>y2xCO*fB^8li(T%`rO}r;&>YBTJ5bW-AelEgr-s1
zZ@;+U(R54Su9v;7rL8^$Tft(@!h83oTl<H|-x?}iZ4taYkp|+WU%TY%$)VK%5a?PX
z07~J3OeoEx!|(Z9*$;IK=8*J?0bSg1nJ!%g2g(A`>${(HvT@D^Xu7TM0g#lgxvZ(#
zdU2&&`u7BfKA(EQ9lyIF-5NL$9tO7W#t%mBhxi5@1kK<f<Go*}(|r#Hr1viemrPE#
z^)G}0ZhzMuQ@a4ZTwU`KV#zA?_-UtaJM$Ua$jhQCP}S<KOduMX`aS*f8z;JPZ|&Q)
zh9N9n!|;0_Ltg20|E|})HKnUWQwXng8zRPAm6%wPSUo<qpx=*P`CdoYYBwB+F#6E@
zf+60v-m}XS7Yxx(@T|n_az<)mSrkv$N~fpyuro`ex+SlS4Pg;A4=o@YtJkVyX8E&u
z`><Pk`j+*nGC{oZR4pY!iDjYq`{#s5Z1&bB*y4EorsDX-Vvpr|eV@9T^*5uj?Kx-m
zQ5|<?*L(4fS~jTpx96Ojzv1uEZm=e``uB2*@ip@&0eHnEZyB4If%se+Vj~lq8%ruo
z4TA%VB1Q3cdxhpjiUQ4}wdhK;X{q>QTT#OkG4IpZi0xdD+|lT_D^>Qb`iIU>#YR>n
z)+(f5{0?f3zela>ctE*4GO%cR(Y(RG>s4QtXbn6OK4L$+q=Wb8aUwk|D*vQZ19pi_
zH2wiwOp&7VlHt>Lo}b`P9XGIhn<tIP#NXX1!0-Ax3MbFOmP9(<Qc{;3R~k)>8&tFU
z#?H)nd{Sl6)VFcJ`G8$akA0Ekv_3pd^VqHWI8{6#I^xCn#+~t<RMnuWHtr0*%(<6V
zmPNPY%Bi|qZ`^`s$k+HvWw>e=oeMa7#{<sZjO>lc=|zdbiPmKJh`sb?FL_6i_gwmS
z`u=N_ZNI(!Px@u%BCOFp>^(2DpXBzJ4z1tn`@1OHpS9l<OI=%mapzM@Fni(~&q+m@
z)BP$M6U$@X#`vzWvoCsTEZ7frk5~!9ZoCywkaphDf!o6+vQvPcDEN5?ge>=3vv^JN
z!Qr(Hyn=@yINjbcJFlTz;vBIuv8Fx%%3haAp?Gvr&B`0MTg&bSbDhlkE%hge=FrbA
zdA&rnkk@Fe585gpjstBXR=&Su*fsO5nPl+ziaM4$qXkzeFc<~X{;f<No*ZB7>P2tZ
z*gKs$n&TR!%M(+lB*srOMYgGi`;t>j=1nis-v%%6#MJ)truPagnmS<K^xny-W%H&N
z>u*CJz6_c-y)Rz^^QQOX+V^?WOZ2y)lrM+Po8F%<htHcnAUSo&yy<27+c1zXN6wo*
zh%ZOYn;x)T^2gC(vprnCS3qaJ%Gl@De+T*_Pqzk0h2M^UIJ1XRK7;AQbszrTZh_u!
zEk*?^1W+QpROrue{TZu2QCa#9!%LZEqx@I?Xg7=-1~C2gx*7_yHU&Hjv+EHV#x!Vs
zu~%XT(q29mnCvpTAB)GC+_htldrB-S?A9-tGi>h~)zhr~hTCF7(_^VoWk2Oa*|b>d
zxbZ(>=Mx``;9K;P^=NKK5U7bvn%IP)@!z<gNKSjZwVCoRlgOF4zRk{MUGk{9<ZOK2
zHx@&|(bHz(2U{L3eZ65a91nJT_I0nZ>#zkkKDj;D#g}~rPS>ygO6<pVv>Z#0Sxd%W
zrlt~h|MdGG$nQ!Fc$z)AL~eiA`Qre~1hHzlXBRsc_b^=_USRC9t`W6G<Se7F9c%n?
zw{Bu)0&sLZYx#fb?5BSOWYd)LnE8mG{ABUhmzj(5@lPy2_-#HOh~AmW`^-(GvG;RX
z=FKMxtFZW<_UsH$@Aiz&e==)u#E8RY>Hx~c5*wLp`SE%KIw;^bnYjnNU)!_&%%%yl
z66VG?b3)H|3*Yt#JVWrEc_{c~6LauA3I=@RvV{-si4-{iKE(zuXm9QT@0%#o<NLy%
z@9h|%3cg$T?j_B__tQm(z+WD|0SCZ$66Fqr@7l+E)So%(fOlOiRnUH>{i&Ys6QAty
zZs9weGz;JEza9d<>vQ<K4)hk{@6p8v!DszqGRLlz|A*)UXN4npDHwmaQz3kFd%jys
za%LM9`{j3J-sdG>{{A&R%RjNI$Gh!MoHW~?6A#s&wYmQMjNvHk&j89DfN$5IU%j1!
zXGP{dUh?qFMw2M)&j~%>U4L4sIM<)QT8QCap=patfyH^*rH<bBac@+O8#py^cH;hC
zMID1N?+w@eR<c=fVq-j)Gc9Y_T!+?<U1qcSFFJ<_Y#r?M5==u@rX4iD?bd+oo}uaX
z7GmE`C^hPjpZ3<ZF7l@29E@%Cwv%b~3;8Od$?wwsGTT091K5~R`_bf0<yh>@$*%b~
zqsi%&bqSn<to6~q^`Vg#v1vVDviN2Av(xdG+UJ7(8_|dQHv2%>4*%pJ*yj8g*pABX
zL*(J&Jm~>&{rGW<mNx+_)Dx`#Aw14b3``|L8%~g)Opm5U{bJieFm3xG2XTAis}g)w
zs!s>wYd_w{443d#@xQ~@Fve}Wc~%k>Z3gRkZACP}5i5I@5_IM8>@Z(wq0Hj@6edaj
zl8~GIdWI#ZR3=bWYO7V38%@Wz3+n6GRA3Rc{NGLxB;7fky|oGb(t`Xr#getqPs{L0
zK>5XRGFly~+10SQW>#gx`@oFty%!2FN@iC6|1<i~M9GcCX<H5&i?0{7TS&JD)5pz!
z{@>7tJM}_;|M(HJH8t>~d-MH`CZo2$x>N28VGQ!2nw^?2wFsL*(L^uX)!g{x?a8A5
z9<+8-$3gx3VUKqHDgFQV|CRoAZnph9sz<y3=l$zbIDUsy_W`_T@jZoj{Ac}J^r!z#
z|FZn12fnW|2f=gl{}`U*|5xyYELVn}Hf*x^Ui70vJp7;IyGQ@x9~{)bi+Z&4&+t9r
zkN-=2`~396#qvdw7ci$EaebDgp32d<Yu<-(NWD&-{la`Y|M{FgTqytGr{j@7ZJJLF
z$e(TI4}b9CnhKxS602J5K4(rqzrDmV6yHgg_1>ZQi)<VgBF7Wsx0Mt%9F;JaToxW-
z+)a)7^9a%8xkNa4RT2|_W<MZ2JZ~6a2NsowQ)TxgR!>Nkt(?dmb=QQ_nStX|LlU9*
zJN;N0j#zCs&jO2DIBsa>Jhr#{;;*s2JMWJmC3@A)XiaAz{%fA=M(nHe_SdoJRpJG{
zcO%lXj&)Eu=LfBKUB|I``CM0XX?029dy~l%>Pqu{f5X*Ufp8A}bKRlzJN*(Yp6?8K
zYnobad4+>EsXnuRC}*)P+QBQh+`(*rRH(e=gy;ht7`mylZp1PU5c;)mWhrDKz!|LL
zmsan&WHF1|?i^loTU=P>$%J_on}s!g#1dtL!Zj^7Zi{+b?PB{LfMk{3(6FP`YnT~J
z6(1ISxnoq8|HsYf=mWZYD*a9|8KQwOF%9fib97Cnq<B!QrnUa0z@p-#Qqk3oyGn0<
zDHVOLaaW(&{o>|~=mQ<gQqf=Nl{4NK@w!O+cNSij_8s>^4}?qL(!*;K(f!n3Kc{1p
zuebTuhj<IE_6juVYORh}$iKK~OAr5*tgkgEBPJ!DhhScmPsRiE32Ow$o~&MmhcxJA
zjXBh=-MBifdLB7gdZsR|o@I6tjz-&+jfCaF(G$t|HN6hz)h>tKIbUDTah-3&-Kxgk
z<I156s>-bk1I>#tgJH%K2t6;bv;EF_tD9r#h;6Omo~Oha91WNO+2la;Y&y-xs$e-i
zpZae~6)BbnzPFxo@_oK0a6`Cy78wJBi_DXB$5tF@KApVwfSX^<A3n-``aGZVz}%Pr
z;HgXjK)2;T$&TgM^l(0PwNkNlmn@beOEh)C)@Z!DG8!1a+`46_rj#d^$9I+7bY9~-
z82KI~4|A;Pr<4jT8o){0>UkHG|Bf-9r<5mRy)pO2dhO5L$}9IT$l9z-v}-#56aPhB
z8>qGTESEZw+VQBuwZ6VLu2niUQQwO{t0@p2fw`*9Tb{Mu9Z%7`?T%x+gK)$TV7lwf
z4B(Tw;`e*IlNO}J1?9<D@4W!BH?viSwd{Nly%B9g49dSz*y?R_K3r_ApJ6Bs=lAkx
z>cQ&yHl@43w80&;q`_*w#O=p6#DR5^-~4Qa5QhckWSVl@_4X+61!VInPz9a+_y9i-
zS7(m?8YV+~f+gppn>{4oL>p=adg?ZjJ^Nil4fkU~t&`U@M+P~)u8%u$o&<`_tx$qF
z|931u^Zc!6|EEi5o%7)>w5OvV73zDX`d&*)Ogq2Scc4Q<ll2S+3#&JfiIHS-%Gp4+
zB^FT|%y2von1s_PE4!94<Wn{Rwwwey>^$<BP<|dhXln%zZjLw9fd|2r6+XUwCN<=v
z0yJ!SSHvifg=tv16CY0^vO*%`u+U0Ihl1#D^Y(Y?*Z;~tu*d$ou}Fs`V#y`d@(>kT
z=&_BLkTZHYZ)+LH@fwTw6FRv~^%Lvi@q)P)x^!3h1e%h4EvpcorjX2ioz|zOo@ADy
zf%tXy`z90r4Q0G#ve1vKY$)NEa}>+GaRUpU`v;oG+3cNM1MZnA6p49T5u1&>ZILMy
zY4I9&+cMdg{(%Lp1TMfsGdf~zU80|&QH<EgQPm>?KYW(X`o_uNTa#)&3B*4{$(%Ie
z0};mX;ErIo#V`j$c27!tYVIudxJ>ueK+`Be!5VtFwFzPKGYbU1y}gJF=PZnrfJ!Nf
z!*;s~Q`Bd2D?lndP<~k_^C;dh+&>=-xv)Y{9^}h@BQ-)F8k?RxdVch&ub){tW@KdY
z_`1`?c@|H(@rJ8LO}lkg-Dw;#(JAPm%!<$)2K1|6n=&oXJdoFG^gbjK4m5YeMnLsZ
zvD9Tp`KV@6Tvjm-RKHWK<2X}^$^pXguG@KJ;O_h6RR7eOmEp+LQIT-nX<wzqaOC_^
zb>F(?hPu<nd$iavC^YA`^2lkUxP#~SRFTa-{@eqz_fqbG0CQXU_>qC8KXYciptc%V
z>?X>Go@<16+dT>7sg)!}fu@m+Q+&^Hfu^UyNqkQg_aTAH_?|x82WL|_h^%8D7*V+o
zNi|zE$9MKZ3Q;T9RgG@w-}qfG9{Ap!;?Sun{EHnyoGx>yeJ`DXXe5A&`NFT^>0hHn
z){ZcZ(IajNWsBs_dPG+4_S`q4{G84rPEeUQe?<iq!n^Fx;wQ)goKM72QcJ2^fL_yk
zxCvQbs5b5h<zgvD4Qo^c(fU)BUkl^)%ZrU!ZUa-wl_v&-4O(ONx=K2p^z{^-TmOvw
zV(R8^e*Q!@e`;FwXoV0NF3)=b7fZYmLrE6bT&xl+30h!#VY%W4+m~l0k4-tdYB7#{
zHMd{~Z#a#D5{ge*S&~gXn$!Z0{x0!IezH>)4nY-XZ|)8AQ|iz2a~%S5aY14=9St96
z)>}l@LKiy+2Y&cv&8PUzfq}c*WRZ9(N18Q<1)BdNVKwKrk~1qq5l-mxCekaLIts5z
z<rYV{`)*rKS*DH(o_a`%we&r9)cA7)O{4wkU~|`ecJ5Pc?r=fwQ%^rs?m#manhD7A
zFR4T`!RIZILzo}U+YvKQ!)n<_yzNLPrL=|k&S8PO-%+nqkK564k%t!frwZEnQWtOi
z5(npcF}+LqJ(taeR!{R==Q&}1{AHT|yO$BE%#S|lCbwqmc_jrHJngV(=^A2mi1Pgz
z+x#<L>Qdi1JO@l5aQC!AU@RGo@PRp#FYuEulKbf@8g)#CvASHu-E*wYw@fQLR%bh&
z<;H3>FPRJMu-p0bne<#q8)h#w2q9&#(lTLc#Z5XX{{Vfp^C$FNk>2O=u5JxEcYL7v
zJhl@;jkg^M&UG^sJ;Y_uM|a?kn{%kPy*r<iEQsVQ>Dh4g?6`uS{qT6fD)th3?o~A6
zOjWj-@gtv>H6ze03tZ+T<;YRy0NTt^=6*_Kt`ku_r<H`gO34CB4G0Bl_)pc4u{j!v
zGn{!wK9k~R5-=mE%Z4SeETxc75k2c54)t6SoYvGl1cRAPEvB0%5T<so<z4ubK4Hx+
z9G=HSd2Ezz$^3Bv=3#+<p*=5fmdX4a(Wr9+8})FAa|5p&6yGNo4{Tqs+b)!dSER*t
za0hL_5F;=lp#-f`&GHadL?n`^w6_A?6``ulM`WV;9ebGCk*lOTFi~9@euN$o;FVTi
zuS<|~E5W9SsT1z&p;N@Xmgrf<)q%O|Mb3&4aySocl+m^gkkVzoO0B*`U#>Byf#>L;
zT^4Nux#nZqQ0nh(|8208k;TH*g)DqRPuEh2^#XUn$KYv!39Z_$kN<<z-?8i%Lv!eq
zfxx0bXx^kE)*H<slIl{iK1I<Htx>OCeXES6{=;kY`crGeU+J1TTWx7^&i%`+<_6bc
zbAp8cN0TUQm9vW8vbxlFy--_(z9n`_8%p%1QgeZYzssEQps)i5b85ODkjT2;79Jj)
zZxtYcg87(btNDR#iYKe0LW5vC(A;LHfC#DMw^_Lvn3U2nja_xDaOx71ideHJ>jOO2
z58Ns3enh%%#0oFX7Cwuyz+JtVN<6bIOK{D$lJk>82cMr9T3)m2#x1^X&<N^^l7Wz|
zi>f#+TR(7bW(95M<wqhNc%nX_<FfSw_h<f#Z&vjRJ@-2GgN95ozost;aBybr-GQuY
zYx_h^dmYee)Nl6tDFx?iKJPrNr$Fnh53=$qT2n~pJ<4-FYh&-Ccz5smvt}QU9k0v2
zdG({>-M!d)6L;?uCoLL?wEFi{$GeM3{KJOcMJ|KBWap<QX2iEe5iW{7^byhcISlol
zhRW^>qgKa+wm24ZQh|}aNevY(ZcH;sn-@2>@bjL1D>VP-{F^UVjsC$B@q>m5#3Vrd
zuS@)mL;2lD>|GDIQf6srEC;0?w(m%a(Xqr#mJ?TknVD>yXO}x!e7N>Au3-no-wT#=
zx%Tt^{_I>Ny1F;|<8f$zlkWOka<Jx(K~0fI`m2)?ZIg&YiMhSn`o9BjL_YD85}8Y^
z^8apPi*Kgt-gwP?6tG<@L@7G$Qa{j?u{RZ1v>ZqJjus1au0xB9gvqTw3bX5R(Tmnw
zG;2>V$!EgqV=i(W6FJZ{Ts$X92t2JJ6R#0W)p9vmAqMg(v4@qGI|pLl<9qr>lSCPl
z5?FtVj*v8eAexCk&k}JLtK@KE3!8h{7z{)j*aX@8_`>08F%;j;B8k8&oPgsV&*tA!
z+#W@FNcG6sDEVDGl2zSP%2{IdgH`tC%tzp^`)mfzpjZtQC_+<0JQjx%D<TQw&a0AA
zTs<Xpp{bo^p~BSqJQ5RhQ!z*!quP5`ytt@cXTK+IR3~~`26E%v@rIS>ODw_i?C2NI
zeWATQw4`wfzt3gyEo94J?Bo0P>M3GSGc;9h*9i%CGVa@nPxJHuT<kpo;0>Y&@wgcf
zg{27<2QutYpw_33&=rn8l(EFTN(X!*8EQ7YBsN2`Pbt62^CL?hsw-a&=Pm3UwE9Vw
zzZBB@XaQAbnaoB<UbaM!`CpiS?EfJD#Axy;$tI-wj`}mB1oEVfQ`wEG)zlafAKRyX
zNVKN4fkPtxNxgS0eDO2A`VX_sqmTLIp0np30{%NW4_BTYug{vVC>ER-<lq>Cz$j^p
zQlam3bY-<;T1yMN4zqUSZ`;F2eHZ648C$SqyH$+cU1th&{5p4jBPmv1t8*ARe8;=J
zz=9TzcrqzUS7U8IaKAa#=UD1*@5^L_$xXn}Gm&Z0KAdMPX?+IhBjGvR*UD((j^R|E
zhcDjAHXf`!@Z%O2-zYivPvo_5`0%fq1N?K^wSsN$%d){WlemK;C3)J(@_WBNFI%4~
zFQx}nX#1;o^(gypbu=OK9JmOyC$FU5zFblJp^MPJELVVOD$<O9lub6v?7We%k7^lM
zlb(IPW>4Zp?AhX^)H;=%d?GhNV6oOkiXw@vc9S>8NsJk>gq?olQAf_|N&4M(!rOr@
zm=6VAw){VI(IgjRXqCV3;w<U-pJh)xSrCX57}SoBYXyeBOAP%oYdL(^`c$~h89Q;a
z<0Et|ZhS85Z{UoPd6e7s5v}{o_-|`a@E7WT?}7d<n3NgxotB;owQS;AW&VCo5A&q!
z&$MT!FwnmL(}J8oNtrwC-){QFq+iO%$mY+?p47u%L^H#TCr^GXd(1zLC-JX*Gcb|4
z9lrKWjk(Y{hZt7#$@wUo2~0>eYiF}^C$g!A6dZy=JFpr!`X5}8AE?Z8m*wEn=fy>^
z;QZ$teSgOIv6Gj0MdI*K@LUZ%z|wGrh-Zd_1zx;Skz@f))aU>@Fsja;s|1skh6j#o
zcK%p;mq>=5CgGQip!l1{cxqyMPjH&wYUpq0g{XcKy|=tRnix}Uo<C1Rbba-VNaCFk
z?tTemG7O(QKHXcAA0rQ!0#={dH&f8TH!Z#-%02^M?f&?=xJL!RVVEs36KK8pEo*uq
z5J>@$wUcVzpM5?GM?#?^R%kx2brB>E|5j0vb`Ki{kmV`K+rYUj2n(STzp!%=kB#j7
zSZu}W8@YG!3p*bUKSlzN`LO$k2hN8O{(U+6zV1gk`UX4g=4V3>_V2qkoYPM%KPoJL
z(gEc=MtJ_*$nkFr&wHd>c)oEEJef_$d0@Q}wrcsK)5k0`VRB@*l@$Vs<7NOZgKP`G
zkXo7DF~HDomz(;qTp7^RaJ4M3j?0qIj=^LL1k15*^9ouWV(c8ZNl<3S>l5XbGq=n_
zbt-G9#nP*03n(GafCwpy+M(FNnE&-+SEJobfT5<GZe9Gfj-Q)}bh)5^R&v?{<Ag3I
za<O^ic(3T}qQ|?t>-#X`B`6#Wf5#{J`QYoPHXgV0-G9w83&QPMa0_~>k+uG>>g45g
z5`ShrzITEQ-Y9zYWAr+WFY2zc=epZ)4qa7^2da3r@Se3cqN+R9*=?!;nd&Um4Szt(
z6U4tUm)+fiojQM*XDb<4%S|);4)xtF1)R$qQ`{Yik0!s|V+7r)`0fkAHmmt%=Di7w
zbNc<>l9kaK6KMWEjj)f|=e*l=QvQ8y-Bu!MbSB=OWkm{xF0_+B_;P5vgb=LdNr9$N
z9y_|HmTUUeA0JIF$R14};#_sl1S>k4o+SXyLq!;p?rAH)(yCJn8!_%sgZ0y0T=Xmm
z`HP9A3TGepX-w1Z4>Lm2QGwDb3wjCFqD!@hv=2%j{t*~~vHx8&W6FNjTRp1rOcB4`
z`N?`v#~_$W0p{xq*4VJg-1nxnf>p-9TjVwTEqQo+cb|HNpX4C-cS?$$YFx&Ij<k0C
zd2!=Xz<hME5;`6>5B;FW@X^ogUR3tP2&1Ej!v#P$RacOJPIC?>{$?I6=C$cOx}v*#
z5*xedVAHCHNKjNv>dii{;=419L;~AnmYlD?1)3F}irF?KZanP?%>4u^l!e>IL>bLT
zmtRhbzdz3vSw|Kb3o4$J;mwUfH2JtK67{yrwta`6^$*G#cl&4k8gRk{({sk2_`T?=
zK+}l=8EAU}?c&BZY-`$h&GOe#Oib-JH(yr(kgP~kkHRjo{s<0cuyS6iWnz`hv80-r
zRn&2$Ki@e}fPK7JYem_2Rq`j4Od`WO&7HU<sBXpN*JNC+-x_}DkK+5Y@8qYfRmxuo
zQmA;a`^^XcE)+EUDw=xSZk6goty%3-f1p&&Yo*RGPuWy1<zQ8*FN^J$C2q6e=l;j(
z{>NE<u~{bWe>uzlvd}NK5J=25{zqg?H{y$Jj(JKx=hFSzS8~H1%qUVqHO~i{Ke0>P
zT8n@OjsyX{#iNCm<Jk-n{_i5S<Ko3d5F~U*ik92vdgbLIn*4#KGk8^*ot1&+!P-Td
z^SsD0J2Ug~1r^w!!hCD3LoiXri&)*lm1(lRgc}N)e?}7W$n3eCW`CKJpA3s__Y;lm
z;cA)XV}*^`X64y6b8aa<+Y2<W#K7BlOJAN^c(QA7?To{k=vFkPEkx|OwyNI~08FF&
z-^$2zC^091m1x3^bM!1IIM945;5_N*9A09lMtY(v_c5pwEodr4dsDp)+GBTjbXW@N
zGe7pTPPR=fa9Pz`M;H@nPY|5K=X_xcZnj>Jdd&rXHQX^ziw9IQ!xZ_|5Qe|oUY=rM
zIJlY;TTR2j9MG!V@8@}RA`61w&vg?VbSM%KC=N9mYui~gHuwaQ3D%nhkeaCFUg+%X
z#{Y&!nvWDdG?N31isGi%I4>}_w@ng?$6O*5w?<R7Ui2)7yFl|lC~Qlx`yEZq^32KP
z5@KG+eeg*+uxNCAORwlvJIny~7M109%EH%${MyBe`FMu=a<~2BcHbBedX?*V;?1Z<
z>~Fvb(;?L;>W;`F^m}B5_TYzJ>_|ZqJo7M#KHsqOAj4(%-HVIFllFof&5}zG7nh>{
z8Sd<`Dd#EWr>&%{CB?k;Jz2TC%xOwib2g4;j=pV>p4X&-n86Mx_{b4X1)X)JI%Erl
z1L2KQMNkB+Y{{)(va;HD^|KoJK|wnt0Y=9N$P2UTGId|2i`o)6FExhErcO)dQKA71
zH|xV{vHnEMWhL371@rqf&Cs4<Hfk-yuZ;Glu&NwNb)t@&BdVuiG1M?rgGDqnI0(m-
zAkI!x0+*tdaR9@FEHi7rvR^!<EHz*F`F&$IW)jPG!pvAr|1$IGzguxsmbsR)(!*TX
zG#SvW0|EU1bnE)@Xug?WGEV{GCpI#emWpVE;xHpz&N=y<vu#df3YE*d&W4fGLQec>
zjFUGP@GW10{!uq~8MqRz2{u3IVy9W|7a7{4$YFkwzWE}+gc7GB_xVK>Cph1V;%%sv
zS4fSfo)J%%FU9bwj?kC%$oywN^KV?{g?{EejJE3dVUNtser7pkQS)Ly^C~|x;)L1I
zX&$nu3N({!-v{}^_guZ>89BWEcu~|*C`697V|=iDd2yp=z>_p%*2V1%u;cg<8<QI9
z%rE$&aSUB#$<L9oT~sm`IFXjqpu>s@WN)Cc1gu>YsJJugy)IR36p%nlBYc9r)Do=o
z7z#AwGAe>C43slpUMZEa-c*vMS7EfxR@3k#Zg@ixAxDY%qhNw<!bvkmo#y$FrRe*$
zYORb?3H$xe?6g_B&Fl;JccXI<Kvmp~>0reTe_}OT>%aNr!X7o<Mor2bXqr!YeCI<A
zqhmGHS08@zmpw9mC6`h0U8AYLmNSdU&!!>(Ee&*cr{b2OXiFxmANkqb^oXV=O|ijT
zI?X4?I8xGfwm2d+1YJ_oGRCaqyFQ;&2Zp;&riKz5=H<ZM|4xy>q7oL;qvN~!)|bY2
zjfU_^6b8robNb<0M`qTtZtGyYYlR7NsLGn9Y~I^Kw{wv~Vv9NTQwvd(Tx<Y`OeJQ^
zAg5hqf+Sixl0xbDiyaHgT`I=Aw)&|g;{m+FIu1-~L|Ba`*7=B_=IDquZtra)ik^n9
z1d92JWq3|<HLao|N53Li*RBuIrCEr6YQM1F7hT`OizPXB9YKEP1pWx6>p!PoF+<l3
zV@%Z@4>);nDW%K{jeENnKcq_fQOJGRr}h^rZ97i|<~-IX2hI<s$07Lp)!OP5QM>8U
z<)#N`YKMZ2BGdOAJ53JF*R_=@zMiwwYdxiVdYC7-QzfG;sSnkdhipBTuS-{Kev8UA
zEl2y42|bB?8S|TM8rz2X`AMWN=FTs>fol-Dm}`|qfu_f(g0_a5!~P-MIq$a=iNfb(
z($tQw$6}0!#&>%4lh7^roqat{>THyCnv84g3w9GGH$Ba-?CLKYLfDCsZ@p*hDa+tO
zlcg_qZt{ixYo{a1wHme+Zm|ER(P@<AZq<_=r^P&(qC0Iocf8wu1Mn?TcH4XKu9>VK
zH6)A&Cv*Z$Z-Z-RB9S!4Ooge@S2OLQ*vrng1C{4zGZDa9ex^vN4Ad<J+BNZ7W#2<f
z8!eKn6lWB3vtor%?GU^9J$%Hc$A;hfBVrrdI!=u>+-pZz3i?nqAPxL*^9VaKg7<w5
z1ehO-Cr$tQ8~Izx7ROVp)V|j>(Ced5wb7dL`f|5Y)8Ttm8|-zBx0DRz907U_K7JB&
zU7?HQTZONbY6IitW~;TwFd4sbc9FITo4JPsOg|5%J)Yb=%(lf&g=?!}0Xlz)=MiC=
z+HKV|ad7ST4D*UEze3dWID-{xJZE&nubuxfSh5UoA^KV7em+9)s%ugXQvY(AS^--L
z)Z>76tf@r_2LF{ny!h;*cLlK=-R$LUS^m4YNZ?C8ns;vB+wJVvI{m=0<V)G9u#{rW
zxFu%ecX1;SmaW^jA0Sz(U%NT|4*4l`n*Sn;PEYE#%O-haW&_*~Aww+jMQg>WW9U3{
zs?8c<-nc-6zp!&imN2Itzx*9rWwfSu!<pt&Ubt+CvE}x|)6;`{6}1&(rb&Jme>G~x
z;X_gFTIyLW_g1`a|AMZi^Uc$$CV9BBYCr7rHVkGht>SFu$H63SmaVCrtc#0aYaJ*U
z`dOqd-Ih!JtzNIwtKCh1Aa7smsS{*3E>K1b)Pk{63ovHD<jUwOQf;?6=FI)w;nYG&
zMS$mA8nl+Prm^I93PJQha~kv-OJ0vlFNlQcoumm-X3cB%9Q|6neypjk;Scugx=p;7
z$)lz))G&wcQ&Z*9-t77=V}F>5$}}o7U*3@CX`3~B)qm1#ZGq-Xp>oQViLHIvv9+6z
zWM>xem9u3%q%@X1qEE~0y3Af+5y@OYZPcPo-bUMdP*LG?62T`xDPqcM9LxQLOoFi@
z3!{xm3qFK5h1z57vvI7;yIgsh57FdlPLKEo$2yq7-zakbYxYLXpHEaSU5gfIK1O}B
zwR^p}UA?f<q^-1p6C)pT*NOrH2Ujq?Dn-cD*?pR;(_B?ho#I7gtCQR~>LjOwKVfU`
zGILM0oma~bE9tD0aAtM$IJD%ant;#PH^y~T(OIsny&bCNq=xmG4-muo^_R>4GHJpW
zl#TqFlzLXW7K#I{OYZ#!Web8D5KEi{(lb|3JIMm=!@+tyNkbyn$jnUJFnX;W#msFI
z`D<@MPAn0nWRBx=5Bcu)6Sa9^?d$dog4S}MVo%l;1Baw}7+AMCcMZ%^lx{r{ZU+yO
zQ`3%v(VbZoXp-LnhGw^AR>2)cbv{@4fwk_uYt53~=3Dm5T1)C^y7Z{ioQNme`KhuK
z5=*)1Xnx`T+;YVY#s6(KCz%M`{S#1>yGKxZnx<M-Rt=LeDBk1tOUuu#Yb>O|jbK_}
zVVJ43w;Mt5nn0-|qF1xCn>zhNex{f^Rx?*F4qejRB8OMPH`C<Vax)GzaS1!7KxRXr
z2?H~!o#MyREG!0W<nNx1L3Nl0VTi1Fj_AJ1HuDJ0m<qKrBZRftwX!ka%H(`2L-MUa
z4Sp*RSV~|oH%HyJmDK64Q@>gwoK5P8Kk{P!j7XI{a&5>0>cgC-4hJ*VQS>4vULxbB
zimU91VGbv?{Ad7XQj=`sfu`^0YxxdkGo}1-@>e6-h|yWUGx(jeM{+gL^j%6I5}Xg5
zdC1qnPp6!6PWDS2&#$AM+g%EZnMv~qt0PW_VydbNa|cKl9G`0XP=1hK{)2Ut2VX^I
zT)zCAgUj##*p=6HCMv&*a!wI{j1<WO2gMH3`7S8VDyYR*{^2I(6MW~Gp&S6}OmID3
zGX;{m9j{w&*W$d!TjnBLX(MnIIp`kB*ZUri^zJ$JuAtsaErj)pI)0N+6r@*Mr``I8
zI_`E7U-qDUj_mGCr}?{&VOe`KSMbN_H!qUiwAA~eFY_#~Zrm(Cu;(Q?0jKq_?v*%1
zKoyB7{3;-6^AqdBE0>|Gw7SLD=<4cn%V%}Lq%dM8&=PzNv2LU3bYfyKcgf;~ZbNU8
zqOdhNvJ8!SyPV#Y$lu%ZlH$aW$DDJMWIsYACsP}UC#$e2vPy+63thg{bdaZj!)5!U
zeZ#$$uenX^(LH22uBei|oG#)%-M;}BF{O@Zy#46zqWZ~n^5~+D{@L}ZL=`qY$Zuq|
zS!KJvOvU1_synPS^RWGg#8X%YO?}{eJ<nepYic^46XDhl>OhY^eJYQpA0QBbYsSTj
zj(vnKv@Vwd&GlVdI_9`>3eDLkj?>VTkq|eZ-dGSX=YKkI8=(!W2@u!6CswEBv6|gS
zLgq43mW6d1Yvaid8%3@28Q_Uu=f`blcHHKEo8UALnkfLO@yNPr=I<|`h;xMaHK*-H
z?24x^J#>83ONGCldfxwOeAMKG8HtHAI4^AB`PcDIgDve7E4IG#^3p^3_Y}lUYM1{%
zKpq%hHCx*0<M?~*@hwg|?k0VQ$fraLyt$-+ESv0>jKZc)9!YT2vgFChJ8Y=b;^bta
zrCx*MUA@Al-a**Zo6E!4N2-$(D#<-Id3iPQRrQ&BP$!I0096*RxG}SL!9Aes!@QR9
zwLFr%q>OUIBZ;-)#9MWVrKim(KW)Ykq8TVlEQ0fRh)^J^drXLsRGv|=)e0izc}sDo
z7)vP5!5<`lHKpt22tgGGOf63@RY1j1?@KB|K`!@MN3g))n-EBGsQ37a5D`VUrdvxw
zy{A@mtq!GI2Ss{M9TG__4VSjyK%T6t2&I?y53ZJDWi7!7OI5XcQAte2b>ZMTMcV9L
zI|OG5_{NY>@92;SF-5%<;lw(E{iW0R7B3e|sSSA_QxkCt30at|BQ_@CC4Uf5brEi|
zRvg3N24ba#QnAyq<i14gLPB^dTB*0SYYov3l~a*RnRz9p>4>+17=$*4<J*ekw~D5C
zeceWn+#mMVO-wy_jD?l?F~r-FSl0C#K|{l(%e?he-9PwZ*n2yY*pps1(0eTsd_mS~
zY6pnz#7I0cTe3Rjy%kO@?Ro_)l$5>@@m`^si1%)=!+RyM4V;IAyVFYvn);@<RB;Zo
z<x0Zd%ORpScD<Z#?H4ND9QIbGm-P?#W?vZOgY+;yC4}Q_4Fp$5JcXZhMd^Pcqn;~D
z;ZC7GRJtyV$z>>5<xQa@3AcN7^~i{q=G-@EWALMq;9C0MN7p`&vtb}tC^lvmn9&ic
zN^A&qf##M0k<vFnsSu7)pi-Cy%W0uRfnocB(va5~N<B8x6-RCezpr<J+JRw0MS6_-
zes4=Sv5XkLLT0*ua9PCL9(*yBdT^);3BO?k&QOcu7eZaHq?Zkfl<x6f6NY<Ft0qqC
zb`YC*!H(Hd;WpR-ZYQP|49T`y?7b3B>;`{J1Et%%r6TX0pxNSeb11kn-8ukFg4c;e
z$jlaU<V@d)TnSpkrE4wLnOVf)6#9hUb;4>8EDr*wV0mI{$(L0D7-h~8y^=05W(4kB
zAtY&<1zSL20h!veAWoq^9bt-6MepsUrNW;dU2>J8`wC&NgOc8e3{W>A_24jvrF4JT
zbxD>sOB`*2!=K!G*Tp`Kg2j=JP=z|^G`*~EsA@Zy1Xa~*CS6KW*n2CKcp((*NH6Ud
zsahKLUYU?uaFi;cdQdGaheWQ>Do7};g8r5g6jQ~?LHOa_A@AkHW=qX)3VBs4Bi_mh
z%uZDj+zbxk5^F(Q5LPiTT(z1Anu=Gd8p6!SVufBMVC-69IbBj^BHk{rdbWz|dqr6E
zDfG8Q2!m?p`dR{bMyi%;!vA1kwxY42;95(pqSS%HZ?GK{e@PWZsy2jzZ>X&IQaG_f
zbQktXw#p~jQQ3Ni^F{H4K{pJc>UD3OXw!iMK?mCy4okw8RD&-P^tlR#uwG;1qa_*+
zzUaLjPV5P8PcJJKT3-`+X6qOe4(@S?hj=4FXc*p61y^8Tj!+eVN3wc94$9^LhUUE;
zq1_Sh1&DTF7CUrWoWza6vi`x9AgDB~QBq9YzOGLQhTux59r6_?Aj)dh$BY8ulKZKi
z5R4eAwu1m>1_U((RmAIEGEU`%{GjpYq{bi;Tu#X7P}N$8|12oOBO1Y0I2;T^xQ@V+
zZN_#->|e@41LJ^OYaqlhV9VhuIJNl3$+j~5=D>i)Ks>o$xN5%}1C=Mzs$(AkP!952
z`opY`w#66)FopoFuLi@*G(2_?gx=uN^s=(5?F@wITNP>gfa5&<mqPz;2pm#G`VRXb
zIAY14PQS?jh`RkMs`Wt=0QN%X2UM-}G4HS<yM(5IL%y&a{FpfssZtzSG43o%2m<_Z
z!8GV+r@@5Ol5<oKpwgj#ItvD6D=N>=0?40<Akw$IW{d;rYGhRqF7D<*I}@dovC?cv
zJ?7>>RoYUXKS^>^q0FBONB^>8-M4zq0*S`~rJ4kioZG)Vi>S}+5NBtB20(m#K&b|R
znQ)}4P?pNv2=IMrX{gjqf+4PotGOaPxYVBk>7@gah+v;#36;L7F;FewzkvR`US<&b
zg-d<<FV5Ce!o(m>^qY);vZVWlOQ|Z&2oyU|5I8QLw#9N6vM~@YT~3s1u_9LstSD#{
z9N2LovHF&N;`BC_bhbz3!L^8m2>#MtZ&-oZ?iju5uoD8#<Lz=2L|M{<LZ$6qMzo);
zg6Z)_*xRo-+>o#`wUvZQU-H(&U{np{0A5}Sd;2&J=jT`k?z&+1;D2bgM<W^Mu(yZ%
zVTCfPS=u*L+6jvnFLLm-NA$gmkIeFcq0$XLb*l=RK>(0rcZkE(%F)_aGociEdKsDy
zA^jOjhaB`Im<Ec1Xk2;I0dxh2;=Zblpz>fdf+pc|NLi#$gvjpa_bD0*b{0rVRnh`-
zAXUreU9YaM9*U}0fZ?(T=(D2K0fG_>ntc?fOMnIBT9QE+JT^+TfL>92PYl!f9vCJ_
z=K&Zd$AK8uOzMf@J~<5M5Hp&H=?={zREufG;a^}H<Ot1$2rdKRp#1<e_i<<zFZTxx
zJRXSZffm&Wgg!#jA@E$5!*iL#^VOUr$l=*1A9#t6>oKY(hi3X@l^)1A_1Gys6j10J
zzRa+cEGq5?+AW$z*HRt}m_=nzat4n=wq)wxmwe%ejuw4f1AlsHpGZ}^Ps*8_zj>RQ
zg5E{xd0dMDE*%i660Q-NgH)4cOgXZ)Gg9&peN4z6lC6v0LyVT7p>#AckP6{OszlR5
zw(80un!co4`-G}Gt<){fRss$zxff8i6^VmFRX$Z)kRpjKIb1_4>6Q|Bwqx1Zn$X~1
z5*26ZI^bc@dqV^*ID}TPVbz5k>j0#-0g)<*8Z;m6Dv~~7r2-XYnFo_$82|~}Vjd1h
z=s7vkw&)(@&@JJqsu&N*ERSueS}5BN)nd&KJz3_V$sXJw@;@Y^dr&o(Po&exVxM^w
zX8{`C6WeIA4%>ZQ*I3$o2DVFjVmpUwtB1ooBp|urB8zI4poOTG8UuNkf?&&~Ey9KB
z3K6*DAwo4W-SH3A^DmHmw8KszIn&_-$(a#&$!E_ZcMmPS9TL!z#g?xULPhs1F?>Wj
za^`vypPY}(;-*rASjampmVx<SV3}?ofMvK@Ax&F)&STg@=Fdg4iOWhBTB<I~QuXN$
zDpa*YqMDI)s2-UedUWJMR5SG*RUdN@t|8j=GA5!=%@)xbEKuZQTMKR$;>gutCvxxz
zTZNlE=+Zfgekt)W*p+s=w5)2K;~!;{_f7r1E`C@ON$l3@9Pv`R*;@l*k!(RU!!;qR
zVxW_YhFNIBEVR~9L4h&cUx8|6UlJ*O(`$_=54X~wx3i={bGC|pf81Oc{+FeEsH_;U
zUG`fm3x)`8P*D@0cZV*5kS4{IEOtpBT#mZcC#<_8tVXT!x}RY=N=;iCmKkTmz-Gaf
zB|9}%-0g$1<}E|9;WC(I19TII<pmCGR3i^-5_Sx13*pi|8dh&POWWdLhcr7a#<z<U
zgEDmVmBMB<WR-?b4DntFCw6sVfG8`?fO#pyXv^4G9{aLuK<c`;B9utmQTbSC4X)#A
z39(t_kmk18s%`XKSe7!kI)T33G7#I8*s}L-Scu%IXH+lm<uIQ`n_SQ!m2glgMYi#V
z*@6WnH-v1CB)HwiYErLpS5V0NG_lIt+{GmqkDY8AWw9JCZ3}tJB&-;Zk#6Pj8cMBf
zLBWrlwmZ!A;r8lrLST!K1EQCel&<#P7NYh9w@P@0y|s}9=wc2A!6V|N!>Tm_*TJ_E
zuXG7}153AqJs}hPmIar3FJRFDV^|!P4g_goZ>e-vS7=4zV{0YrD~r||i!y8w60Pd$
zpb*+B_|V{vWXa}nkI_*oXz8sL`lVxtS?R<P?0{Gpm;kI1{|=ExWPain6s<$wl(nSv
zZ{D^D$YwpQI`qNY916ZFsxH?q0VcXn=zM@%F+v(&Y--P!guLf5Ur5#f6}AejJZ>^X
z67Q$m26kc7S=PVwH82^59xKH!g6~^G6ds{$CNr0#ylt`fN~HJYOp0yNs=W@ZF_FaO
zjN7hA@^TD<tzfwf%R?kNxgvr+&3nZT`~VCwq0(1V3+y;iqC7%DW?b+?unaZCLcJ#g
z=d0eQk;H@{j7j?WzM;go*b4c9HP?o{jUin{k7a*~_KyzOzmzAioE`I<1iGR_2H^Zr
zdz{wIahLe^{H%Yi+q=*~=>LoNbKH=zn^p(j&oT7>_5B>j+lv0h{TxI8|NA*U<9?1!
zo3z>32o?C}pZ|CFbNJg_3j57YS%J$+Nw6i^FL`G%_x23gr`EX8qI6}dY?+?9#UoKx
z%??3veCHXn&#?D*jKE?3^wRU#s>VIz+w5Ml#W~9QazVgj{BswNQ<(iCj!m+k^3*N7
zjcC=Stc^TT@B<tCQ5B4~6*N5e|J8jN$*C3drkCq)!(eXG`24)-hjEj}7v@br+<LW`
zmW$keRHmKn=K}l}-j{Jp4+L6wy7%l&7zLX?Y*!Rqr-wh#4BPYe;%bKhgfoeD`{<wF
zpAldimTlAlY;9Y70hWJ%23ucEstkM{bbrQ7#=@O}Y0&){xaTc3?_XH3A86e}3;Gwj
zNN3JM7sgVjry{t7O%EydWF+{H>AK#XsLiRP?+Y{LhuHR|ALRmr`!sZr?wa}9p}fu>
zDa4DX%gFD=ZYee#TgUaO$&0u~qj&T)Vh|BZt~5EmJXABWy#C^ly%e6Zf#yfmsUEwJ
z{@Dt*ubbUFwI_M-r%4b*?ew?D=kM2eltIjVhdofYFG`*Ex{f8^_Bekuo&DnY(jj&6
zHm>W~SHh*qsXiCewOF#+D0*S$Yzo@_X7ytLD9FsRDMjv{jrG&0{Bl>hkN?!!=buc~
z|In8(U(9VZl0X0H&d1qP%1p!Tp*}W+3#Oqx)CbK7k-7VN3DnqpCkY{<G}ioWc4=(H
zd)zS6fA-1TX#1SoTF!5K2b!z!Zg88lTMJNh&HQJJ7{X}0qjz2EmR`g|B9IQ=&Tl@;
znT8@0095BW5%rd~DHip2JhPd^j)htJ3MKZM#Z3g&asgEC%J1`s6PwJ*k7#(g7C6xS
zb^0!6kVk(Y;Mm3w2NrE4e%bS>Dcq;JlDJ8C2Ikh1Db8*W(H)lu?jeH7+Q8hAq{*+l
z`HOl`P}R0*e1HGI_c)+}^M(9FQg`gDOHJx!fu;lUDSS!pbr*p2r;0cgbzZ7?>@^8C
z#kDD&x}{%RZST=+<_#%ntL@WwUbI*0yyAJ$;(1dz<c%@g^b;K*@Jrk!=wACZi9jqh
zvAAtwuj25$YkP;{drNMb9@_Cdft~&WqU?#ByLgCs9h1E0V>Ryun&jWY{&Os0xco);
z7!%(v(BwR^3X<^e;sj&fzsm+uiMQj;N1Wp=)W_a1o{F1xa=X-V+U@3osY-s?>w1T#
z?8f&aw!!{X(=lK1Hs?(&1~$SieiIDohNt7~4NsN(?cTqmdrq?@CKjJdrMe@ka&Ja{
z;b#3;dpJV?zuoV~Z}JT8I~aK+XHIp5z9dh-<`UtG2!8X%bHbvdp%WrQY>2npd2(Pp
z5HXKW<#3R?p`6<Mt0u0+g$Vyayv^!#*v~rU&*7kHF`oQ$*MeAgz$h@%I{e)YHvN==
z)i$L`GDYm6=|LW%sq1FA0_%yy2Jzi3_cE9A_b<8vahGqFOI>91-SKVrw%F#Wzlyii
zcZQpvxR2BH`t&@?nYk|IT${2`DGe@Vv`vx1X0CE6$7Jy#mk#8eUuVRAz4KjtEeK<<
z6#se0YyAMf(+R$0k?t-^txIw`0UDMgDbqA|K!mhga64cnLGwjAvOHRUYV~J|{#<EJ
zNhk`>qK(ovN6LY%LXIo9OYek)CULQIqB9nlu-){HTfqVsn&w<d?D&+s)XCPj<SE96
zdDdxm-(~ZT#T`$t16-yNlZZP5<6?#n=@%N!CDWX7^f+JA@X;ji)5dW1DIPboHO#}2
zMs6MT)w3ME=oa*N+G|6c)O_sjdqSjU<<(&*zZ!u87G_SIQpiuO{|^2VFZuBmh+vY9
zkMU`i-V_pNU^I1Sxw-ooQA5Lx0v2b!@66EQnp<7sWx6F>iL>aLx!NU0abC2Ewa74Y
zflEA1eoM-U8~YY>rb|2q;h^i8k0!m`ynn2Y>5VVx805=UTyZU%X8e14_ZIjf<@}5B
zugb--h$+H2^9G1diKS*+7o^`(JDS$vmyBwxEh@@;4<Y{~WM}$~3--eShhB0<^aC@?
z7He1`F!36~*MpC<<R^Eb`|?K}dKg=z>qMsEHxF+l^w)Q4%^B`9!S1lr6%lxh&r|d{
z%ID#x!hQ}ki~U>@Z0P}y8=qL}f^s6ixswPujl~i#O(g{Ij9BWMv!bcXYGbLtE@YTF
zvZT2L#{pz~@y(#&Iv~s;Nocps6!~vDD>2q=JHZ|vPHf<9r1=ML1il@P|Dv3WS^Wj>
zLl+6|;OlVH#@FVSXsTJn6bjteiW53BlW)=RJdTf;M{H#vkEC(te*aD3pleNnH(gvi
zmZ_wpCOYv00*3Q39BFPrwvDtW2kNiGLG9W`9MOsbO*+REY2uXk7kE(VGO`AmBD_&x
zoL0EaD~L}-Xu<_8CB*Fd8IVzH*gC`Oc(~#dz%FJm$@1i%d2F}DOs&qom#M<vkxMl<
z%blK}|JCKqD{2D^+SnMc+Nyw`VtfEne@AdfQ%n6HkoDQP#_JgcGj0z$Q){YG#Hm)V
zU<}o2zDZ8oKvxpsQOMnoAd`5LK{3DR<GHh~f@F$c($Zu>aW~JKS{j;EZvpeOv3ZCw
zU<BTKu0!?1I2sjG?F8M}WVWyhQQe9G*zqg%8-7;?4xw`-zNlJbT_I}WyvB(NJj;`Y
z$e#bX9++&-OZohjVVvz_Rj;q*(L|)Axx3*<nQuuN=jEHDSLwd9%WZTb$kxV_@#i5V
z0(nNYPHzMZ$DN@B+H{B79h>E|JLe_;VO}1vd5f#{ywE<2EKflI!j8trO83>3e#m)i
zdIoO^G&yg0F@AedgSiIKg$JFm0E^KA^!ofImO399X#1*(^BQu}5+!Wnm(kStS^5^!
zS+{lpINCgJ1!;Y=l~1+i5nry#4b&G|_xMRykOWYwZET?V$3P&yLXaOsg~k6%rrol@
zK=Z$mRm_E;UrZEfR0ypt=6C+*b8SuCXxV(O6lW2q{l5RTny-osHm<rT(8NhNG%_Yx
zG-+e*SVoiYb!Iw+EL~c9$`}Sw*?oN3u5y0R;b5#V7p20CJedo|I>&D>iXj{%Kz1<N
zS=K8rcguRwVzty!r6uNet1C2&jg@|6hfKtXGzm1l4r1tz`0wxvH(LMcMr(K;?xmcE
zDj277Gm7dg$udrl<;SVQAE$Ct=5!OMN7R~qmetnJ@yBS3<GfAZvY6eWnurY`&D8S#
zSYnlC(E~?Wc$&3z@p(U5uY~s<{+A1F`Hu(@m%52T=`>&WKWP1<K|wcWR8CO^(vzXV
z;bbl7S>`lKpg+3t&>3Qf3}LOp9LYxuoQ6VFlKBTik;6adkMJfYDq?U)7U>+;AtW28
z&IkBil-_N7J;Us*a`;`CO`2ui_mgxm&nM}ZZIbw&6;eyx>kYn8{EH-kkn^1*RawJC
z$#jI}UsS0uaFt6xMF>;66-=a`@6wMFR&vLV^87=I1ssqdchAAPUWExZQL%5oX}4aW
zb-1dg?nHT(x-b2I#I8B%DbSPiZVe^=6y+t9m>=T@F5H+cpLjwa68GEmL(p@StAh*k
zho*~(f!TfLo7OG7;VTGUxm2s8D?f*-65n~}&Es^>8`vW4H<p6yPt@~&y6@i2IEZ3)
zARdXGu(uA(dR5bu&XW{9OGi5_|8(aKow9FkW4J-^%~r6<Y?0Y+6TYtDjis(b_+K>(
zm*;O-J>JDeV#GM?G@b*9Tg>;7P&!S}FeaKxx=|C~2a;GSsZoig;tTmPp<NOdgpnv1
zm-#NP&WAnl4<>TDp?M2Jq|_Pe**OkW&Q~=^y(>3=INB1&=ShIxQFVUq5=vbg==ZMv
ztv%|Oo>M^4z8ZRvN4eQ(4~7PsHv)Z>^Okl>o<CTpA*aI0)J3zzjYKWa@a-}a<FiDi
z^vP!w@0%B_2mURgP7MG!{D3!R*^V6_kgV#d)vOz;PTg_@uc0NkQ;F%~a8k!#ot(E}
zu-^gk%AJa@2DVu8rV?|NJ&YM>z6l)Jig4fEVqOG1)kEl(KU0Yo#!df0j?kPB8_y*|
z#brF(dO2_O9MgUh?`CFL#;5#z@Z;O*n5rVTS$xg;u%ws7D`!Q0!a*aI<8QRURMJ$v
zlZil_t{=N|8qMpuA}*SGta_m^3ikE~053)KFZ*sqUx~^1i5v5Y<>pmC(V9n`kgPDz
zk;tkb&~yjQsGckNjinyP;aK%MQ5s7vao3NiUD8d$uc|ShX{;e;F&weWTyKB7&DHj|
z(_HFjZpmk^G!vDWr-8+=9BVWSG(94i#evOun@6V}YW$}Pa|%z`D&_=!-ooK5iC;6+
z|2WnhrYCUHpI<@J%l>wo-GkKF?VM5B%9A*P;TPwH>LO^P>8)@e@~+etp}K(3?kEA0
zInQg93TO>898*F1Vv6vP_C$>IjVb2p&s&~7Pli3)fv0(ZYhckNK7kKHx%sC5RAH{-
z$(mtZeOavMu+71@EW#_uDpOOr{Uv^fD$%GH;&l7K9yq=Fh%8Q<VH*d5`&XDAbL49l
zRG?e}lxu7a!g#y?RAHXc6Da#Dze4JN+23ySh@Yd<{LH3wntS=p=%lZY9~<P`>|+qz
z&^G_7SYTLI7ERqNM#m(iPOGnhP8LgXV^gsdVM8`+#`<L&&XnfB=OWu-3IS7^N*3De
zTEje&&C4|%j97uZvc$Bb%+Wx(`Otr=Fz@n|Bc@F2J}0j&Or0i@hnsu+1h)e?Of(+9
z55RbfMqy)q6lR!js`~iTwHo|DQ^0k(!sckR0g&vRy3!nn!t3K@dLQa%y>z7%yeS+v
zGQ)|!;C~#ekEy3e+ZuM;Yo>3no@qWnL}}<|>goy%OoMG5w)lRN8J#P>O8}5>hWTWG
z)R$V`rqPlUbPK7)Z>J$&ft7)e<m<TDf-s(#mP|`~znh{2*b(YPTKE-=ak*wGS9xKs
zE6s|0u0ggL4k%dN_gMu;P=N~b^+>L!%@$^>U)Q6F@p-h_k+0$f`<V@RRWVEG+VzE8
z*+1Bihp4|#zW(nQ)?cpr$C@AK>%Y#g-=2}bMfLwAU;kvkevl#Sf~8-dY|XJ>%7JmF
zJ=%qZO4(SGh+=c(YpJ`|Z0F3Mk2_tcU{3*C-Q+*>&E243Pu=TOGtCwA5wguMrTb)5
zKc)m*ZrjPZPiOd_Y8`~;iF~P{eB$&O%B!aJvv4iHIvXkqJ$N{D`x}i*>Rv~6mL3}N
zHGD(!fp#HP`{}lPyBF9`G1*Sww}h9Mf<wn8WKFMJhnrkJarw(QF{#YuW~%>GVd{9w
zP0XxR^0`D)b))(Q^^MK!*(GiLGg@0PCfBoFb~FG;0)5F4%cq+aWi5&ba#kKt@gCwG
zR0x<7(^irNYl;6<VgAgM<o|u#{U;IBTD4m1hT%ntrCc#3SbPC`2vDc++3`iz_cI4r
z^u~o=R6KD99T}VwOFULBE~BIHti~R<i)!mD5KAnnZsdzLCCH?eH_LU!4z?$UQ5R`^
zR<{{;uIt<eGU%&119@<2m|Y{jcZb~f=j?Y&IwFH8M_H~k_c#gG{3~0#j+cr;9vtb4
z{Gdl_ThylB$DI({0{5jWS2o<BCmXdeetq>!V)$H+;FHauk%Ea=P>-J0yX#?;U)zbK
z>!gL#e5Id5dWo6nKb4!a{ih0Z8c&%L!h`to(yuyOr5(DSwdQE3;}^uHbW<f;N()B}
zEV1gD*$QGgSX?dUE<~i(bdJY1{I{ifyW(^O%^Ymr1sUdBTBKUhz4G~V-~UwCtr>u5
zzS-ATBI|uSR}M%Ua)Wp?PLI5fgO#T8OwO(6)Sb_!u6CrZP-qGKEfi?2LWd#HEHMY)
zqE5;8kNaeadXxWDVcyo$XV?6|4!;t=ia+G4csN(ZPxS<)+{3R})c5Ugx4FyDQE6_m
zDV=5(znLFVWx<**Ymaiu@m`eU_=hv4j{Oe0i6$_P*!=+p=T9Oe4hTs}#xTROTNACa
zKwU;@AnfKYFVHkuOu|`Ort%nK*tM86>u1s*{}wb|_k)gGhqbK4ypQc5np{x5kVY_r
zn)6fPQANk?w^>+#L{s7NUUv76YtpdfuMXVBs?Bb}yg4a#2T@78%%8_HT5WxqcslpY
z6|OK6*lhP|OdlggHHIliQ!`L8hx(2Km#VJ#^E0yx8I((i$d`QO!~i(OPEPDn=8<pM
zRopY8F$Bt5v8~GJNxreo2fQwId!PN$li*35B5w1%XzEta45(qxGlh;6OSD_mng0L@
z3anDjwxmQ;yP3$6#-;%3mq<u(X8S5~(UZ(X<}r4U_;Xs5gW5+RwwxX0L_YfZUcAFQ
zKXv`dpn?<ryJI8R=(EA1_Pn2~yWwHQg_2d%3PeV)!u;L;T)`Wo+HN|owJ|x$q2cBi
zXbV8cuzo$t3N4w+&8;kkGJmpQ)Phs2Vltu;&A@WHO(wyzGc%v>X2X{b*#4{a<0<?1
z_hh%JSuJA#i*mXTGw0RSS6b@I6A~6nZl8eHR}}fiY?-++v;>;QX$XZ&-GE&e-}gyi
zE^(8&250&JZX*cHwc?grcH8iUn8dD7FLrD9VHj`LEwQ1taJAQqYXAaGpR<L+<9dmv
zOTh2bSCgURu=${sYvy<sKE&6pZe@d_b$7oOYW#9h{onQJc|Nht@5RnSX=>oA8mbYI
zU^?E+_9D%Crsxc}4Gf+MHt_+ZS7_imb}P$TLFDOTf?;*3Y2&!!W2<kM(Qa28+u6{5
z!*(w3b(Bv1b(Z`$n_q)#(R{fLdj5_ohYldHJauO}X(BmSgd`62Fhk_bM}fS)?j}kP
z$cTeMpE4svYwo-<h80&$jM0Zu>T8JL!i62AhrSy63dWYu6b|5<Ur6#3Fo=I8{<>{(
z(Q`H}`>s!!O;-7D1ckYH+x~uK$gbD9jnpcBP1RfVo99YPs(0E1EY9LtMX0x$V<0`o
z^yF!50ega{k=f@^4}*kB1U#urO@MA?t~`4yDoJ4O1AGW2pRw%fl&gW&XID<|X*XwK
z^A9Xq8(6e76)x&U6C>G#49xvEifIkGkUm%|#TQBFIXSp$rPEx`q4`jvRRR63jK~W?
z1+@JNf9N)oY0&2i-6n{OgGlRhET}AvPfEp(@g`x_BaCF~!RlYCWMZZIik)jF%zr~H
zF|@jF#M|%y)B9c95L1`kqoLgXLM~gD?GL6uJ0LHa4ey9I46W8Grq%8B07W=4go}oO
z&uqAg{oN#Qid6E0>V+29J#Gb?&$R<}@#p1_!1b8gUv*e6SjgWcL~w^Ih4I+UQzK@h
zusR@JSeQAMSSEmxc?Yu0(_@bBT|jc^DQoTgDf1IJ)mbwR5QXMSVql5mY08-{&`4E6
zUI?mH7XyocAB5GV#(aTI>Oj*wyaZe3Yd^X8)FFK}ze-nf8FJ0ih7Lt*7E_6(YWMRy
zlF&qTBbYJ2rVPlh^VSj~6D|z={Rc&v^>{0<EnVJX`o*_;+y}z#TXpPAzZXr-_M+Z~
zz@mP_Y3M1@J~>KO6K|F7M7{L_y_^r|2i!0g8^JAdt<kd<RF^=>fw@h}1ON~>tE6b6
z+&pvYUOOV0|KO9>li(qNv^f3W-AHA=q9Tb6)~40*JyFM7nbF|DObyB?RxrP?*y`}V
z;+X4dbj=$$)??LI+JwidXY$))_EeDI&mLVlqM4JOG`|#yrY_ayV4(R{y@<e8naNx@
z=dW)PkU?P4?bU<rCZfV~?68rN;$2>8du?EmFUPogdw@3Vaj))Ln>NEZ91g}Jfkn8*
zYV&_}Vl}94<x6_^Fuve5n`jMJt&DlEm%dR~vugIUlTw#|8cI#xH>sv$QefiSrR~ww
zgq>VSbWUk|VmX9AVryc5*LuQRl<toN-%jrz7OMI*%q6*L&hCT!#Oi2z_c=CyYw1oJ
z;aD4OZV1iUSQIWQDs5k^<wGR#e7bvBXwD}^p`s$rNL76j2|gd{`uqIa%5l9#OI#yA
zdpkEXO&YPDRwk#4PYYGO77D&N2?vSmCZ%rT;#k79Z@3^eWOQBEx=ABCv-@mPivhDW
zn(nqxU~?#K14_9RR9=HW4kGG}z@qbrO4jNHmqTq;TZ8F&fx4QP8{P#$z3RYTRa<D@
zsgr76YWS0#>6i;T&0V7<AQ<FW0)1*hbveUHJh-0sk7@pDoD1f!7LUwd(MeB3oTdMq
zIBEVl`3h;m#xN93#1bor2V-vB?9)QS97_iZfaOy_uiE|yE)l_els`uRIHz~5#r@w+
zs?t_F?yC!?7?;Pdn$7Jyt(Hz8g-kDK-$tHUVfthn3pC9|xMUPr&sXg~r`ZrWxxhbB
za;rd|Y5!JXxyMMT4GT@}A<{0@LNhDUq=#uv7sxj&&+f<SSg@axjajc95=}X4PXN(d
zEjw{4Hj2;V)jLUmn-5jIi-WXlr;_^<a5}TeSFkVEV={tA4P$G!>b11<CD=DF6G{ke
z1NRClBO2bV$Q3J@@?wljL8MgA9YhuzmP``qN^`|1U#GCsnK07D)mELp*jJ|?x2ptb
zWsI*;|3XtAUJn307=10I({46iD&FLx^F2%!(+Qu3fC0QBb3VfYKBK8fc_{u7L~bp0
zV@<MqAB8Lr6oX3LvOhMWGv;+gQxiR6GU(Ir_@0uRuGz5^@3}qzpx9i0r6V!6JZdFb
zcG9lmB(s;_Y2E@O4DM{6#W?r!jc#SM^(cOtlQ$1p2J7!P4(6-Vv+*jmTs_`iDo?t)
zWOx|zI6Q2t3m(IAp4I+-{OP=P&X+EukX(6rX5q0Qz$p2m89Cg)o}T>>sV*OwE<eKz
zG9Vx->}o?L*ZUvNQAx2_D>;|@snXE=UcTlh9jT1S#L+lqSkDJM#I}I6tx7EUT|e|`
zB}itCkSAnaYFuBle4SG~)=8E~@|eE+_jOBw5Z_qH$VIspA^lG85$VO<yuGqBREeh}
z9ce3`vBb9zBzD%tZ9K%f8t(ZN@ISi5t|kbG-4JrC39+S<Sb$^{ir$rjgY}y?(c7^U
zcf+%2KNNT(JPgWXpXQoG_?Z2f<K4Je!I@uosHVXmP}8;4WcLe`{Sp(s5W}<A7N+dp
z%w|5C^G-aJf7cs%=OIW{>k+Vykxj;+8QLbot!kB)B+c9CakAN0qU}AL(c~mlD`Of7
z!Q@N3zmh4I{CbHE-=!g4K&xDJX(wWdh%+0U?mK*lvYVnAYU3PhVC-T_>p1nR1`OG1
z8@_7C+*%tyc`uuIc1+D9c$*%eQ52IF^&hpScj#2#O|EoJT}`^-!=@GWx3G`;Oiy~m
zpNk9XwQ+i-e&YvTsOQFoyFvV3{`8e>%dcprSqh^N>l_qI;LT6`%mo0MlWV9VEFU|~
z?h*L=&U4JT1A7Z=65d(CyGQfp33xVZ(pdQ-`$Sg8)E@>%u0O)E-0c2yMnnSN$lPlU
zIywC&!nq!86Z<Up0i>5?+iEMtII9#RroT}l{G+^wnlq17pUZY@ppw_JNC;Qwbe%WF
zVo-C6#p_ZJRyS&>6RQ{+bH%%E;@nR;mFYegZ>>9*s14jE9;E=6b=Oyhu~xi#k!G;t
zh4c7e-n)W+SYB9$wPY<om_Lz6oLQtn=sU~2myj)*`fj=Ww#U-4tR-8`HM{q9+l46?
zfJe0y81Zgk5w=>sr(&-$L8S`IWxICAvVIK%waDg((1X=;$PkLR^_o=kL13=OcNYN^
z_@1Y2@l2KqUFNqiBGvFmvZIQ<WJANV*jR;Vw`=ui*XuFwgIH=D*NE&k^Imh=)%>}s
zviJEZvW&vIXpG3bva`~`R+pN{f_CYRhi4Q^(T=x5ST|j(w?&7`T7f4p-dh<v=8e0(
zhEpab_STK~J9npS1Vyaee@5les}|VTSk1f6udR^Zx)}RI=nou<D7ueVYlI7gmJ9|6
zEs;o`cC+-Al?To5(au4%uu6^RXkZ1@FHL72%c{&LmJvZ21kjX=N^c*B*Fo9xPaW$s
z{Vr4LfB6buU^#%ua#U#F3d}<LSUy;{c|7X6%$t7dv9=;B;@HF6V&3)B`ztrh8U@0c
zc~+WD$Kkgw8zi+wTCF!zc7Hsu=qs3v_GEr$r%|mh?_TH4qCE3Ar85+aLuNM5W&m{^
zU_W&FlUB^cYeaMU23$MbGKH7n=K8&K7jr@upLu&@M4q(h(Qb;${*$}{C5FDs<X8dH
z%HX#RgOc}KUdvKhzbwC8NW}5Lk!7fIYRP>#(SC3<>ll3ir&n@#z+U3Kj=N6H+EqC|
z{UQS>vH&qnYc!Z3Zl+39SQ@wM$#V0=23x?o<y(5w0`h*cvx<2+C%4Lu44qoWHI%Jh
z>GCL-`F_~cVsArZgL`9Ls`waWp7iZC%F#w7Wp2wvE_RvBv3unOK)7Dk2FFZFl?`JO
zWyeSB5#@*YYF4`Vqfe4wC_PXcZv-G>62H}Ok7~V_Tpg?Di<oB8vII%X+qN5-F;Ixl
zf1hwnS1aOX$PhB?GG9~4hkVBT<ASl4T+#S_hQ2&b`tk|Mxgvzn)Nep+mJC8)HP^zM
zf%sqAfi^H_4$+=<*hoF6jT-aV7SutvA!`=8XDv|70{e_Fane1^GIzO$8Rk~^Fx<>?
z59Q`s`|xy;D!jx!Yv<cs;GU(vn(^*=p`Ooh&)OWiBy%D!dH&+lv;4y)ZyY_p2E^OJ
z(k(J+Vw<UFM-GL0v~>FdS;JNo&RMd0n!kRu&*J{S__gMV1wvxH`_91k6yua#h+cua
zWrETf;Gv-%?I<FgFoGjpUtLmn)hFE7ZSAMSO~<x<mT3&;>m*#DLu)!YFfyy-3yw~$
zVL+pN_#T_DDM`NI%XPkbh(5W=j6K8cIf=XV_|$2R_CLv6&I*T3X7f%}R8M?RyS79N
z_y8@PNi3I-XVBio!s6tYDp_fs-oB4{+d}4{bv1kuKlE!_Xln}0+el{L%!<msiThGi
zNyE8*8eEP09MDKfJK35%t?u!Gnd0(U@6d9q^{Jz~eFwi@G-Puljfa}6KXeGclwZN3
zFD23i%=aNeQpyvpU2n$UZEQGsRAUHJ@Cgoowgz*&U-}q+ZAmkYQr4KNO@^6Bm+U6P
z2kN;!6_>qD6joT9Mc&z+`?@pbK$e~Fh5cT*&mnID-wXRb&rd(u_UKZn<#K0(_*XIb
zxp1Asu?^WPwiBDpef~D$9$0wJ&26{C`vGolC$4qI?$yeQR`~t3`jvNBxjDJRVeNQ+
zg(I;|Ev;?5X|wehcb-ukUH+AB7PQIF5@i}A3=1Z69TX0^9ObGkGhaYJP*oW?(g{v^
zeWKqCH{)%-hPCn-C85@w>Jl*L+%$uP8K%l5EFuA?knhei<u2h7yeTzR{TpM<E(Qrw
zx!ZTXBzYlU&AT?)cR2I?FWvb7)9!x~N2HW^1EnmBc+CHFw)-R&!Y9i~e&m00g847j
zZjyS&a;Ka9PrCAg3avv*>KV(>F7ZEoXh-HRcF#ZcjDAe5|7i`MlJ`pbCGOMT<h^3C
ziTm_7^E@95c&6n??i|Ea93<y_I18<=faf$-&m=+NX5|mapV694U&`#m4fjbxkRwMs
zw?`i(X!Fa1dKEoePKq+T2FckqNd1@fdOZ0hQ7#u_N3B+!1tz1DQKitR)O3N6vUKla
z&+3LDh)-4g>~Fp>Zukw2emzjo=#|+<8<NqK^M0q083FN$r&zmq>WHTbi;T(^2{cc$
zxONw0sn|AFe=4>TtkKed@`9Fj?De}BXg=B&yS;jr$~^0rNxL#@3(K_T%Vg}>*}Z=J
zN&Pa9stg^x_(i{if#x*%Bx!%`e|nAuqd;o#--r2%^VfOT)sfw_Csa{Qbn$?)zrC&h
zVyTC%AE2agXmJGt6c~YRh$7tIz~R)NF4uhJn7=ATH#PiDHDMOVHfDBn3Gd(FTF`Y*
z@&JFQ$hEcz=7-0tmy@W|39MMm#t(t~YoUt;;>#ip^dhW>@Z>JDfO)I*r$iu>lWc-l
zKP!0L=~|Qyv*mM+m#l?5PPOgP+OBqc%M=20F?1pbz|s&l4Zn6d)AahOkcc`Rx)85o
zn}hEhell~qvfyyS=J`xLbzU>y`a(mQfu`XgH**Dvb{&yVUq@1AB7gEp_;+<@#*pM7
z{eRed|M<A7YVSXjOqxuaGAX1GG(e(J8$rpCRvK&}r=4lfz(lGgv|doS!bL7}F9->s
z7a=7H&2bn-Ma64XyyB0mz3RPUE#+4xZIiU6ZBn3=mO?4eo@wZB+NMAAeSh|uNhSr+
z`+dC6^ZfDT^~#)m&e>=GSbOcY*IsMwwNh0h-p<t9(|KeVO;+f{q&JxhZjvsmsR1^?
z>bfUS+wJ~i`o01XkoSY&WBN<?8+_u85g&$DXiU%Lb!G_Z`p~dy$bL@=45G&K5t3I@
z+Ou7v7@1ML=Z(R^Ypl7dT`Mr}zfa3DwUtxbO{H3~y|LwWLZ8dfcI3#8>Zk8lF|bX<
zt{)!MXU^21HeF>WrXC|IPG(%)J4@+#V$#8}!*xCOJ{{%VXU1D=w4Z^8tWV+7-|Wqx
zfO|0?rZ%AkWbtgJ!D{l<`0)F)_5L@!cON4)J8QTJMLdk3-OI_b56zkBd(#uNWnNZW
zCeRjPjrTctW8#--s6KT-{k+PPp0rZ;hv=63t22%bdgrU}A(c9JWc%iD*1e9IJ0hM3
zw99M1;eS2*di%fQKf0j*=LRp|&42U$;4Pzq;|jQZsyI0A@?sKKmIuepDJSvy>fpF*
zs!7~X7aaG+I+oE{ETgmjkNc0_mzI}h<k{i)=Wz>N7{9UzSJ5S6{;Kf=T^heQ;=B@E
zffwkqNc;=cR&Y&l<%rejSKtI*A!ZcE?<lu|E39Bo7*3-+68~ytaILf7ir+TDir+L*
z67e#H&JN-S5<`F>zHRsL@;tr?uGZTUKDC0YgR3m_)npY@WCd~Ng9?IY&UuyTJHJ@N
zYHFAgj$es`>Kpjflv)^Z`gl|nabDL~cG!7=TUu5sPp;0PF#FPQB(%kH-cloC_>PG<
zwD<bTx{6)$P7`)k)5dTJw~}dBrO6e!%Iza#uQF04OmGDEHYY56W`=t4P&Q7EE~h6J
z=IKhe!oCBhFyHcsvnAp@YbAR)NxzI%;SD#rhV&|2mW@_!<7;vU&S&tq^_*N_hxSFB
zm#qpOEz8IMO>%WEUWszNtT-In%ISVw$*7TtfXX5jFUgN*a#gN;`+B+X3oK8O6o}7d
zTDT!n!Triyx#z)AvN9PbOgQO8B8qDvlXyjbb1HD6vm)1Yf5ACkM)^}R{!f?Z>nd+V
z;R;+7^^i@jO;0n~e490Bcn!mmQ^Z*%7qb=n>85;#Wh%s34xVK*eH9o?cj+sgq^t5X
zl*x<JoRtyhCHw)=4O|56#RanZs*ciMyr(HAJ$%o;p6?Ym1;5yTxvMAll2LaKL@Jg=
zLeEEhFXI;|%)Y>nt2W<TruWWj+!cnF<I>9m0dMhdHCS<go>{;$w3^P3Q49L;l!rnJ
zPoxoNs~PIh{%{S2nI~q*D|r5_fDlQvPBvY0wwaEnhCvVsy=GOUfE5rJ+4H`oR%llU
zSnQdWc<gL_UW4p~fBgEHp$~_4)LfyE3S0V;avv*bL=umhq45yF*~R!Ha!sQ^h}nS8
zDc?5Bc|Po{!`GG7w+!E35nPu$FHTD={E%v4;Q<4?J@kGt)LTQiWt@OH2jmh>ZlyOw
zLS5`{%lkU4&_RuO;-Or*YmE4)>xhT-q;QS3+zRao*Pvn#9gr8Z5DuKy=30Fq#RKEK
zFPNAhy6|DO<@Cuz@k?R4=*J<n<|R||HPhG~R$np_dYc&qLKW&;OEvqJF&V<RDe*lo
z;gA*T4bxm4e|1=W9pTUc!3Q5(0MPRu3Y>jtmA3%~-vP)?Q3$8^`$H$fp?=Mj(CZqo
zzOG2($qQA7amu;dI6{+y(-*^ZO8Bu=9_K&+kvtxIRqqzUCmu6SX(PTv_|q4(Ny&9q
zQMd-*rdDVTu(SH`qXt3P#`s1O3&*P_NLU%g;F#)_h;J88#ekZo1u*Ac?y>N_hobs`
z)rWtu9hS4x3T<YvOVS?~@iBhzj?-bkfE@9?8G)vV-1y!Ef>vl*xCZI61{`#CUXFy0
z4Oa~gkrxd2K|yz#aega)US$nJ4Cn!uvcBc`CdSoS=s;q@X{OGSN&qXz$ge{ne490m
zEFcg%io?^;Dkefv=ui!wpO^M^I~xHqAO@^wq}yAPhV=*tiwNVS?^XQ#g=-MM7!c#^
z6*hBw2C@LkPhX8ELg1YR=M$D}WVXv6-@>V?23L_l(03fUezF_1-))7S(+n-u5Ag+{
zZvCMo*j5Hmt<WY9@76^^`)4K|Jx?X{CBq@ye7$TDmjUnq+#*8`Lr1_esM+h-K{>cq
z->bP}syqzreJp%0fz!Segw@&Cw;Ws!ZA>gUS2;xNaD<NU_<Y~SaL9FzLLY>yo4kp#
zSIcY&TDw(i6t11kN6vc9iV`6dPRT;4u(O8+oH^m!08WJ+{M5%Pfpx^$C;H@lvj*3H
zi6_s|jTQ>u5lklVge_3KNJh&!fxk0IzK5nz=DosH+@AGC@ZCob{rV|qCJ~DPV+$?5
zrPC4*oN0=ezrd^IMt6WNv$)`CPpfX|gjT7{ZC{sFF(55n;;{?lhSBTy`mh`ouE-4>
zspt#`I(_RIP+Y*{99{&ivai!});lZ10sOx|RBgOBQUq)U)*-!=z*>go5Cvmj!sj|=
zUyQFlVj-~JGQIFS7uu%z2DW!iOFVR;SHz3-92gu5taS#!h&8ztYr_>ifq}5|qOVsi
z2pr-`XrpOFVPB^MhC6t-TbWz2FK{G2r81Iupw@H(N9297Zo&UA6tOQ%nl^yaoix9k
z|FXVLD4fZwo_W1q=_JE}zKXqp!(nHwua6r206);JhyoQa@`Jla4Wt2$)wi^wGXM>Q
zOTv5Y*`};DxTB*o(Qq&jNQt!iFlXsyjHV|Z%T=z3W*a(RHHjJ73HPHg5D|Q@Gn%Eo
zeJm0c28aYw;7L(MS2zH<W*Fq{u&+~KZ!I<zvZ7p3d7kJVO<c=Y9r;#hXMnY)7yOYA
z>kUGJLLm`AaEOkuC0w!2!W}nLtT_F;jD^DK26{dfiUCQ4I00~FWSPJkVFDuTrNfax
zpH+c95l-Bbuv^Y66wAO*b|ADJR>g6Ks-hS7hj{%Ht5a?T2q6&i%3Q&GBcwni^rkpJ
zoNLNYqGph@ocXM(&I@f8HKiU=ac4E~dY}0=4iE#YeftD!KY9o$KtelMyDC;!V2X4k
z9MB_pP?0xHx%J_|PLH*9Tq01wGga)gD&TyV!uvWqoCCyshy*%;qVZn~QLBWrGn5>*
z;IL*g%K-+<V&vc>9eNwVmms9M0=ACH-Dw4q#89d5`bJcP<#f-ihl+UOu^l}kNYKlQ
z1EH4!`zWrMf4_Y8J8$(RaaPDtzOgC*5U@OgHbPd`{Z0`BXC3%AAyV;zL8KDsW?v`s
z16J}h4=7A+)_l{uzzZ}HY&s7jg-upqCmewDrbvTm>vo7&V6B#6yuenh)&d%?VR{CR
zC!QRovVdsC7Ra!OJE)6`%rKs%VNIB!W?5vhALK=7Z6Ch17hI%o;2wOhFo3Ib!-3cF
zjvB656{*-74nW}WM#&<+A4)Y@ta_jq+7nu@HTxlh3xcGadW!cpsZduW0Q&%|52MQ5
zfEq!ABQWC?{SeEEUVkT6Mgn5h)v99eYc?HPRDBR*R_iV+@QM{;HQK8*G^*ki#>!(F
zOBmp{MLZ`&0?)Du7;nmSV46E4zGuTIuZp}yl}Dky8vAlZ79c64WRYT_fq)m$oU!YZ
zUw{<98HOR^8+}_G_U#l0fcs6{HE)c-t}yVp`d^`vSTGHnnJxor@xU0B!8{SSO~9Lc
zQBJ~))D%H2_<UO!Ufv`2lf`6;`-DR+HD5vEN3fv)oYt@)F!5ol48;g*4z4yF7T!je
z!;&q?)5oHfL_#2>4X)n9zJ81N6ruz2G0n6S2PDSHfoagnA&@Xd<u2NE+V^V2*{=!V
zO<3BoJL14yW2r}FT`)X=3Su}(xyAH_Ue;(<MsSguX5`^&EZ<IXOBxN<OV~|VI~oB`
z2=BF&cEH=e&#Uiw(99cZ9FQ`GBEYYNMZXzez-*WUTE9#Ds@FjfGK3%BHB4wG8MBf!
z;c`rCfN*+di#5`Cgx=J22pyT0SYXBk1}La<sG?M?6HF1oW%Bzvbpv~}aJ=bS==Ctc
zX_((5xTA=(J%YbwITSz6aNr{!a>Sg)zp3Z||7E-p!{QubF2S7d?(43Z2=o0ajG|v9
z13v}<fE^Q4m3Zu8Jq)c^Da;SwF@`O%(12GTh2VU}V&QmwyRwj?RvyESX(M2E1bAgN
zY@1LL=1AL}qZG~(pj;4jxrknq3k2S;$}HcjOl$2ZkA_)N4Vxz#3vqxJz)pul@Fwur
zhx@u24;;XPsgPq}Gu8A!4TAmMEPP=0fkKQ&;?are?nT&+`Cf}S?B>M!nz_daCWW_*
z3Xwu!Tk!QGC%A@=f*NI^F2*wSoU_qTkyBKZlLC3AI;#%7q+TSRtTxRj)`;`kw8WEV
znL996jSy1ofNe5F8ke%vVx}bA1`NgPfG)HOME4z`*UpOsAFAV#GpopV6!*O0aNhOE
zH1L}nb8JNa4;bS;XKrEGxfZ&7BL*QHq<$BFu@cb?3HOP9?AiB?^cQ=;pSGv;#6p=^
zcYkAlvG-ykj*#(x-Cyh{OhNz8U#xufO*)p^hQym-$j&&YGaep)%n6S>7V1cS3{8l<
z{Y^67{wAGBJwrChKU0SgA7|OODh_givA)G0T}QTrGkspfyx)pM{e}m#-)8IytSe%P
zFP5P-JTO}ba}-ao2^$~a1!c{cLi@I~9G-mV9ODl*G+4E=<w)UeU%`r^TjFH-uPhue
ziG+>YnAdP+*yHPL**ZYB;C*r4kPdY?T`e6LmrM!O_TIL?|IT6k{gOJeRAKnv7!0j*
z*0*44;jhlAU3uGn>9J9Nj-jvM+(%>@gg=ghomiQg^FZqwtFg*B*qPfn0m;4-D?ZVG
z&J7RB+g@<o^s*@SS=DNnC6}wk=C?e4T70_SE7$2uZpp*_ZE|Z~peMM}nLRhy<4nK8
zU4Y>-BKU9ND0WPHLk@0ZN4Gcl<gvCXSHBH;ya~29_<3_mdqaMFc2RrNDE&4R@aDAk
zhC<$)+TIX|&n|9n8m-@kF}yjWy`hLVr?)qZC6Hb_b~XGq1bKr)+G5_|o_3t^ReLJG
zSG6~srVc;oLAg6zd`z85T?9_tFbq9!d{Y<&WaEQ%g`mKAz91WjEOBpG1`ko^jlZn}
z+wr!8d5f`JxCc?b<#YhRQ;hY~c6WiaJPP}{-K}t?tfURY#Ehc`%kF~dS6AIoPC8zB
z>Oy*%h2Pek$7S<x9M&E?;LA9y#pmS565P%XZ9>obD|A^|UBx9A52R<kUdCM8(W!P9
z2!zJz>@P?RJMaZnCMdR}u@kfxpLlu6!*^V9fidxu{uNyWEHKVkF^N6P=$P`aq*^;(
zvOzO%oUyCi?%szkR%c$CJ}KjE)R#mFJ>f1uy>6a<NQ$1j)c;%Ung-nBMshr#xY%3E
zC+;VVg@I|^!_;XxFZ5rIU1ef6#~3Hw|F&;P%d`YAr7kfL3Y+d2f49%R55>ymCyrw0
zvy`I=%jNU7mNw@F+hmX?_qLoIWjxSBN@FbO42^^5osNY?K+FnQ%7ILyr-_7iy3ZXy
zN*whE(cxV7BFb;JyY3bq(WxS}^=BD7)5MeJX!GM=Ga&x^^dBHDayj3HNdzO&UoxbR
z;<R)TC;V1`!Arah29YLV<}a`{zM7J9*BwvKJp07NoSXlD=!dR0<Cuvrdh<Kui~f!D
zLnw;=c~)@TEwfM*U5ldV+W3qcotZc4@Lj8#;Ms3^nAmo($+8!Jaa-V~w%>m73Fpom
z$&VlD+xGwSl#32r{&Vh%?Zx+g=9EuAaAW=txhu67|K_EZbIx47<tpyVq4cuXU%cVR
z`N@J8?*7D30cUK!wYv7Rr(l$*0zzXt2FHz`tHLSZm)|^m{iBy3c{*J{dVTntw1?J!
zkN*qpp@7W!R8)Ie`mJ_NIz+H_I^r~I#3a9qSF+){n&VlC1(kD6PE<#%9Dtnm#INub
zIwknU?(pLTtGsEqY;VcS;eXjQXsVff!9}Bji$0}8J>={1CtoX0ZYgDDSoEnu^Lrxs
zT4A8anRd*^oF1Kh{{H<U0T}0l+GQ_%zU(*FlAmw-V@kB5Fut&|k(OAGuRYrFM{DuJ
z=YM^g?cf|RF{cjm*Bg1oN2QP6cgeTI*c#vJ-IwegxA(JQ-rwxq7hlzRWo?+E)TtOU
zawI(qDs^U>%eA^ZP<cHUS!<Rr`BwPCFQZ&SFp+$ARI-OCtf<M5^)4gGCQ7Vh68!3r
z)Uj~hy+s5m$eURR^Xx;$>_#dG;ef8oP4<k{HrJPec{cm+4#iZ^#xSsf@O_a0yZa7@
zSRyVv0#$JUbGwSwT%|Txom@Q%G3V;!@`6akTj9Jri;+Z0>NAjBJyy|3I#l*^A*$>k
zyo0%h14t7%Wkd^?QR?c@0R`%)*qmHBMuqNjHmlGbT$UF|R1+pr#cD#(A(dkb%8ots
z0x5+vT9$WbNeC%yXP`4&u_GMVN>B;*pVB_9pbTvuq-<Le)|L)U)CwYcvYS)EBvdln
zyS|DS2>ao%Pg*gSy$pK{w(ib)B0uQb6+p$-71(8pNQHgtkutDN&%3;o{KUo~zQxA8
zYsxGid)5>cunUQ>y--9#>h<>bM0{CChzYhj75k<q&MQRSDB+bLAL?NbPv91=eSy6M
z)e8{xPdY&M8K%iS_$N=HLyE9d@x8?EY8Bnupj{SS*x;-R=Ur1C@%4lWK2joCgR^%=
zVoDC<Rk4Edm4nb7T=oZ6RXi6Ctnwis8z4f68F|3rD&Awo00P8_q-sdQSB;VqNU5dt
zVM8QQCSzSRAw9_5EN4?VF)>#nm{nsX5Fiwdv&n=IQEHVH*n}1lyb0&s!qH?uI-bB%
z%+iQFgK!h6;!-efB~Th53JHS~t^jvwr%MbK#NNrCQ7CyN>n+fAql8($<y2pW_*Jn}
z!J#m5NC-0GY(T#&6zz!wdSdY+qNj9*6XzA%wdi^qr*fVz66Yw&rwOopZE-k0t0)qW
zvg?8|-~n5&>k;Y3uPu$&aqtV(2{X7X^?TNB(Ial4<=FaLkKaG@>D|`i<UjuK4SbVm
z5{r~fu=6{hA$TRxjMwb1cJ??(>b-d#CadOim<*c7VaJ=oTr`CpZwfPmuMiWmvHkEJ
zT+3hn_upSFvhwTJ#!E#hZaFXYF|H-g{<Nr)YjM|)lEMB9J^D7s4##KKh2xh?gj*b+
z6XQ}6pEHX~X?)HVT*~5e=Em>6np8PN6m>rPQVVqChs}6|+d{(a5{o6mj`cirg?g7v
z5u?{(BMZhJAs`MSA5Z`RGkU)rd8ERLl5q$$J3)O$F+%BfNRn>{eO9u7_@T~W^d+Ei
z=&+d(M2QJkyyRnw?tp+u`?PW_8|oQ}l2J|<+C!<MMw@Fmu(@J$V6~bNw(?}i5IV?A
zq@Ce##d;zIidr!wDEtl*BGzkg*ff~=uRxVa8cReQL}9dVN1m?he20Z>2rPUEreef#
zL0`wzUNZ{egQj>vXdj|V-;v~+u@YE_#_TX+u2rG+q&i1e?2a(ACZaubc1TdUQBwOs
ziIYzxyT>NGXcp0AP~J%Bi2!AHa@S}icvvQT>g%-y$*xn(gXHc!uD&k#V#Pp3v^7i9
zM51&5Cy-1jINBN_(F`E^S<4(h!L^$?e!?OA7GL#-2}FZd3egerc(fC1iS?sXvSv;w
z<ywK>h=isCDrIf5n^;kMB2xOGJL5hznkFNSMW>0Jjz&*5L}srKl?7s)6$Q!eQ^JH3
zgHFLJnbb=HETZuhqe3q!V(Z<NS1_K6ecK}~Seo2HK)NHeZc3W$`I1OJm|`7~L~Lvh
zN&vN3Bs{YWkf1+-jtV!7*x%<ykm;2n{Du?;iA2eD*JuTU4k@-Ca#RN;_AVdu3&Ofa
zgA9@>AYO78%_OxZ9iV&77=~5@Jr~`zF_b8f!jVX4ShXc4LS_+`m0Tzbl5XN35!3*J
zPb4u)9UEpIpkh9VKHW#8Qu0zlSD>o`g@92$`VLB`22|0gjZN-`4z1TTLWzy0?S!UP
z9a>0anwAd)ATZ@>51{5zawjd_jbb+}ohB`(oypZ>q<6l%^6Cido*s75T$WcvqHC;*
zT@mTo(Ere&eo2VStcrt{Z?m%>3ja}P<f>d|Q)nY`wV?1Douvd$C5mu>FV<kS0d8vc
zRBC>QC9Y+WPK~w*N3PmJtDQcrbj~`)9Vsb+pxBNx>|B||Na4^@YrSL{HC8Sh=ODx|
zF{XG<fLqFeGH`=7WoM+~I6_?FEm^)*pcPRXUt&>+Bqp-bL9$tuAn_3_GYC)XEfyxV
z-z*j=hLGGJQ8*@1Bc}KSig6ADVS@sYq8*{bc~aLgPOC>5jU1S&n64{nx|<iN*cWYC
zR!;CX7MKw8m*oXrsI;@b!_1=20>yU%E5hKcdA^aQK1^slaT5dz<8cK32c(_AT8zdD
zBDj$#V$uvMs0GYjxwyW<NaDP4vD)kL$=~)BZTwozilE~wHqs90xwd<C>1E-sT@4<q
z6hkKs!L0t#9{(DSpXUqvZq7xvlICD{n&n9HLovVaA}`eAp{<>f7m9%%DKA{UC%vEg
zAC(uL|Mt7e3n%=y<4bMZZ=^DRiun!@Wq|Eye{*`j3G>gXogZJ8h@Cg#|HYU3GxEY;
zV%(c0Px+h33nw67I$2&g;r{}8;S<JH>_~axOz<B`&3niTC;YeNh1W}7c&!^V)%_or
z7a}f1l6X#gLkW_^v)dcS$7h$dH=VBEhBJ8c!S;qy-h80F;mr8#^7f|p>9^ti@!2=Z
z2ab-Kkm)1s4P|8daC^g9@!6H_O=t6qAo3hZ=Q8q(ljM;b`SP9e$QKd%W#OCL{_cr7
zhryT^oRyCk!7n4QYv+=+mk(DG?L-GN3+<u6S%;7nseL-?H!LYJTkLE(39MkYpah0F
zTT%i)4L!aQv1dK<r17}+Fb8M1yS{e_E6*7gRz8G=LWEYqO8myVLQ?|*GBr9auk`5i
zu)HJPtYPVkY1Xj##WZVJ{z9`-xL+7_FX}&f(s{O%<B?f&%&9R*wR7Sb#n3S)t236r
zSuo7FsBnKlndaE?YL0;Dlu0qJ6CWQ-<0UNF9ojS`4qg14U;p~o#!PHyEcm-E(d1hd
z(-Z#dd16&9L*!`%f4rPS)4{eeDoL9U3gJK%!qEF|tv^EotT0{_IdEsXIV{7Xn<K|&
z!pO0ywsf?vRYlcb_Xcv6CtmaATpBOgA|iF(r3t?|y(|;@Dh_c@Tt<$^$$@$Tf8c3h
zbFfVlTt@xPY8!bu@IN~<y1_ObFir=ddxh_Rum#h4XM4D6hn?J(pWK>DVfJ<FTx-Ws
zPk0?{yPq#iucwmmB&tV81>4qw?dI_ey*HpVX3p*nC@Bzax<7W0nouH~A@;^%2z!EU
zrYKK$2L_Ee={!PimJP>jWCD)a$OIg-k;#K&+hSU1M6a~QdQt*advQhvE5Yk%tK}`k
zt(x!|ajWd~59(-#<o1oPs(-B?1Tm5H{(Vx|F466Q?dguC3XSC1gC`-kDkYvi_f;Q=
z1whS7h~(CMcRa96t!6q=N(i5UrjXwc74q*Q8)pA%<jY<iUmkib&uD4-VJ!yKIjI{o
zQ;LDEcW)Z`Fu5rHyRZ1tjhr=9z}JS#w-evrKmk<N%0<{Q@?62YpC_2#V=`;(w<}23
zyrc?AOO4+_@8mD8p#Qt3KkuerLn!>$o-Y`ZACtJ_+Tgf5uO)HMt-*2k-b&*BW?B&(
zH(wWSzww~C{iZJ5e(w=;`+Z%w{qgV3?N4;!_7@%I_LsWY@%wvqapvoi-DJ<doF@;q
zyJr^iItMxRSM0@wE1ujhS+(;g?^DT^Kl#g*t&&}PvgLCJ9y+0kFWIuac<(39x+X2g
z237m++x8z4W%I7uUVP5Y7oVFJYEQNof9Wafs07=*tFsq>rQ)8`(jsm+>7^ch{oIe9
zSe0F|<lP^w`qwXb6>FCKo$s^X@+y|-d&67jkLQkxHD$i|;hHaUN5v9^&%gAsZ*WJ&
znm=PdUbKljDwbIMEc=f$xl_ei>zDn13p~(&{-1%zNd3i-KP4?eH;TrvbFGdg9x|FA
z?M#Z9v@vJhh^1*R8MVTDt|zomOh$iU<nH%K?#>RUtI$qvueOt0Cfk95;G%m5y~`1v
zPVkaPNtS!bV<bzx<Z+V4Uh)LVLXx&KZNRSWYx;@VEyd7RCl+&>57f7Awc}r=vLyQG
zPB|q=x}&1WjyyZL^0ZipCwuHrC)oz<JgY96>>-+AryTYqcNN%uJu$iv+GG2AZO6LH
z#>3ZdqtBGi`=^c40O;s(wf)rjpR9jNg8%4KtN&s52PK$~KKX&)PIysjfEbXP5Pjx{
zm!J7NiT`8q%Wyn39p^1bDx=Sw*_*#eS^zu#FYGdJ=KwK=GSO!y|IywrWq=*OtQw!q
zll8bb`plD?oOwp&5T9Nbi(h5S&jl)yvwi?Ijv-kr2H^54$BWj=()2K4VDe;Txw&aX
z1%h~Tg1L#wEBXVK)#e6v$#x#9oNR8Su%v)GZWN2@t{AdQ+uX1X?hmKuNi6;^M9#W>
zGK(dRxvnD?|5A_IS;&hma`1?Ii7)k<mh;3lJtMJ4iE_fbMV&R#<l0lB$u+0ehfe50
zvil5^>W+q9j8?3ThPtD9(+cZ-C+hPqsCU-Z`}Ws6Yw9by>wPcRJFB9}uCt@bRb{wA
zsSmwk9xOf6OVtOKMk|ii2ad)PQ=ek(=Sw01)%#v27zOp65)C~ct$3SXOdW_(6HPu#
z6W%5ZWu6hu`%E!+RK?qR=jHke+z&2~IUAzMWoO&T9xB`&4K3q=o$NT%q<Uh34Y7)j
zSYVGS@Y!hS?U>JvI>)0G$D+yA)c0)6w-pl|uco*3Cb^u>zE$sRHgA^Mz88d?rizti
zQN9j6ubqCf^UP?)@@U?rrE0FT5e;$--+O@_xT!H;(v4%b4<7)_>noPos;uG#>W})K
zRREggic{?nZjF}P)JIB3)eB?3*P_nzwr@4AF}xaAP-BW#%2!4*NvB99?Lc3w;-y$1
zMdTCn3H7AvL(8Ihx0U0JyT0OCue#N=Ae#5p2~pqM^2)<_+95m!toEwhWlqO4NWk9q
z9k4a(&z9L5JYPQz<pDQTNou_vSYuao#R9vc&T5UT^Rn%usO5rNEVMdSu{jo6Zu?;O
zHmmMf=uNWFg)^cR2kP^tRr7%HB!em~H5K`e<I&zucAsqvrpLS+sw1`54ji&8UW^6s
zA#)(+!(R!*K-sIk>NeXI%c+#HumwL;9a&VJspnYCx15MS27=gll|wno7>W82IK@aW
zW8jY0=UqBkAY(Ta7>HK%)CYtX^+LPnDVTn!E<42FEw?LPh=n#Y5HjP)RQG(kx_UzU
z_*U0D$xL+<qRACh$AG-XJ5^U7dX_C$eIOaF*jpb+)icTrYD;HbwD#3tTfN-Eh+M@G
zb=AcXY}+=X_E|Qv+qpJ!!W&}_q=_i&ciFtenqhjW?Ld{t4xzwDfFn9|m5qagI!_?w
zK%5}`vmg!9OM|U)nX9;uJ)U1uEdWFOu#rn??HDPS`q(RMhO+HjM#`sb&!DXtu0+<(
zEpOf{F5b7nb_zI3aC^SpGPBT!twUpewDy%dYS^aSd*^BW|DyJ^EN!-1cJhDp-aBqe
z8>gJl4g#L{WP7$*NS9;2q%4?P#5Ee5qs`)k)-__V6Tze@w;cx{isBY?x@1=I=714U
zEgBY3wRrq3%SA>$HOt7SZoj_ebxfH4O~rLIo*rD(kkdZySGkQvc!2#=c>D>xtc^P{
z43rEXV&cdqzEVib4NvO$2p~IY;8F+u84Ri%-brS=-~M?@@p;~vT|Tp~$Y))=!lw@s
zczLW^gUHlLhC2AF{~L-R>mz{dq+`=4^jJ!66y9l+rY&pQC{5W;q~y^eYs8Fw+KX%_
zviT?AR*=FCJoaaQ-ahSA^FEsy9kK_IecCLf2Sf6vdp-NKSs8iLt-<+AS=^W03RI1S
zTJXN>z%Bfs6uyh4n&IgO5=FV84v(d`<EMGS1Y~h$sNNRXfz(tR>o6N<Lcx``^Brvo
z>|l@Wv~-Yi_v6Q1=fG!BFR~NNyJReed6$nRy4X(cn9$ykYizvo(hmqm?oTJN3Cm9>
zF)71$pRB}WKZXQH_G3tJ0z54Biou8sG0vFu1BzjLY2NYC*mRO&PEpb`DMOMYlQJYZ
z<9Jx^6@y(_WqSiXH4n&Hl1@?#;X=(*iaA|LPil0&CpG#wQX?Kt@QOinbRMFk^aF~)
zcZ+#PF=wTd6mzzc2#@I0h3yUHwB{4-4HZ0uzY}ae5T8A<z2SrD2NYA8PEriEQYIV4
zd|1i$hL2FpCG8CpDCXk!hAJLT_KNvveD;*~hI7*oDCWF$l46KdZ?aJgerje<Zf`h0
z{vGXJBvbkZR|=ik-cU`UGuj(MWU2ECy&yh2+}===en6oU(@6@QlulCUCzNb&xR7El
zZ*Q1PF`sI0fJ>Wgd&OK7pB-y&_+<J4#Y{;jDQ0RqNii2I+1_x8v2a|{OuN!%mcje(
z;pSZs_?@Pfx1IV<Gt0CA<)ual-}F<w<I8)*Yfz-_>9Z&}M>5YFl}PV$TaveW^C8vG
z^5D@gXkXKG=I?){Z7qMDv9<i^@cT~!&(_6!;^hgpE+kFpai_8PMCuXJ(BG5fhSx$y
z%zpW#=eMciZ2IrnyCTcUq9-TG6Y+5&d7{f@#D+s#c5OJ&m5vlCN{r?0Y{7#~`g&-0
zt8K}Mjja)94exA?IBR%oi-szDZ;SFjdvnVUCwq4rhC9#N-m>JvV+$SMDViLW5p50G
zQNE3mDQ!ntg(C*Zm(;(Z^)%S_O?716GJzp2p)_`K#y(8@=XBSGx6Y<(!+U4bwc*XP
z>Dut_*>r7q`)s;4yni-b8{R<EwNyDH?0$azh~*qSFync$z3QKpZ%QmUVoWFV0LS)S
zlxyUh^@hr)<(u!P>kN2WzWG;6Hov89;gDpLL@DJkCnVzh8ublhhpafZ=p9&6o-O_`
zz{<uF@E{vYz=L54hym8H2t=$`mJCGpCL^$9t|uW?OFRkb;kCmO(u(>oz42uvaQVH+
zL=k-Ywz(@=n2anh*!CdbNG!U?wAqM77s9Bd-`>XCbkuK&ML)16ODsAnxz(Q*i+=Ql
zA+abGdty<^M~B6t-)7}DV$pBvy%_;dqIWM2Y$O()|6G<>R704Bwx+0gu-XP~v&5nv
zeHoT_oCN%AJZ2JR<1xU`#$$k=jmJ#FY&-_|*?0`_v+>viep?GYd@r%;X*AZ8FM9IT
z`Q*=*uYN*)P_pE!Qkx*U^exQDSHHV1BVUz~Kl8*4Oh&%CYQ;$TYJvO5=aH|<sSc&|
z?P8ITkapHkA=grf2fr-&>bRlTSD8AR!HS%0`Reb<kR@N0$A5~SMCIOa?&-@klHgM5
z@{Rm7F^T>ScIRJKk(a|b=A>pY;9mW+6>#(@cIf3<^Oz|nEZOe<Gd0Q^NTGf1?S=M|
zwTEWE{_`I$D>wd;iz@BpiA(Hr$JmE<*#Ee~)l5$wDX^>dY2#7~3Y8hXjGge0Ya)KY
zvhu5zx;ts&i1ov|!o-|CE+g@lx9UbTV)C$gxcdel_K!lohWWG@`Y;``YnR_i4412E
z9-1KYLp+O&I!G}>>&%+%-pR*V>r*fU<5+G7dXd)&J_t|?Q~M3fnKf?}h7P(-d;thr
z6qjRoxl7YWISxxq`Zqp!<`kgWoxlGaI?tcGi_bU{F^3C&CP#PYzr-6s{Hn}8LG?Lz
zmOFDQiM*Y=l(@pF0J(?oQ}5$5i8#^tF}Zbgucj9GLTfQZP%bg=;B*3ZEFC1R;P*PD
zsi5dO@C1Nx?0&@Yl5~5A<$-3T=Z*j}vQz@Rv@N5RtaB#VyL)HvQO~)PJC;H{JGT5&
z=?cv<A#S>a*=(~D&0Amy?5R)Ex;rMyb=RYmV?CuVYfS8+;Rv>!5P}eae5C!lzR3}R
zM+sIAE-ser>-T;hC_E3O*xj*~#>^#)+iPmw?QQ@j*zrI7%z4z~E=fP_<Y@~YHs?Jf
zvg-aU{rETLac;0pDhe$lb+j$#nI3-Jd((MD4q66)!Zh+&>P(J@BSv3>5C@rx`x!EO
zPpzkwgU9yb)z5l=Y)WEPDf<wj8sszx1a=Y;V<$oz?+ZMFnNnVKi-t-8|8VkFH4r^?
zFjngZ?^CrliTQsZp-?%|mJ|6+&tOaej9Pz76PfI7J7{*{8Xz*7Cdlr8(`qP<q6vBP
znLJ-v%~69lcnp&Mh_vYhi*f~{nkpry@MX!10ErCqSyeI_a>yY3$JwRA0b6MYQ|7gz
z15dh_(n1|K<+$q^6U}HdYK)W{@gV6eb>*#!35vkWeZ;8vHV|#agCin`#H1EehWijD
zq@EKn&S|D6ls@&}Q(6rhE6d%Fc#VHBtMS*9-+127#t@;$D)M^h@t>yVL+<0CB#8R?
zCEL9&KAKg`S*GFXF5W0a$@DVRaibBtCMNyh*)&M#=uSYb!K1J4-%~DWXKCsT(8NQ&
zsp&c+yj#+*;+*9|!gdb{&rZMouwL)xb;|(C)Hc)KNkv)hYNMVZ(3^H)%jv;?s9nCS
zb~Tv%%aH6Ha#whj0Q>V{LJjP@+)Bfb0{gvLurHtl5TTThQ=g+rCryW2&F6>QyC`r8
zCunFbbK*0aH;JiZU|ijAtTI^jkxWY{Oz=<jP#A2Guc;!9u7ec8M^nh?ewL3?F^1aR
zO)BkDPUmh6-ST)#)72%KR@Rlzh)*0+p-*5ZkVUXsD@%D0>JUFj3v;?#D@&jj`s*);
z-r3jneW;lmC-zve^VmZQ;t`B=CrVfix_qHt1qA7_=baEyZhFp6jJ^4Nd7dv-f{{(&
z`-J~gj`?-99DM)0ttuxN=|UCZC$Nf?39ohKfAy1jIoBDON};0iV~Mdh@USbt^P?hh
ziAi(0LXY|Sh6ka@*17&A_QUa;TZ^53g>6e7EeH@FNd|Ta|NAX&@l$}Cax6?YOivWO
zKRHkkND|P+>7m)W=_H6p$PI14#5>f}vgbOh-Ct`zT-QE@Rkhn^&l@zo`7T=yo90+g
zT}RE<(`@$e9r(CzIEc0E6M0<Ddg_9_9LHZt)`_O&XD$4A9vv9}bDB&)e*7U_^1lzC
z0PXdYElf5Bvh7U0_|Ux<nHPn;n8FKjH5`OgG`kFc6@SRU96LKdCf=i?*Ws{X7wo~j
z=H_OLFfE8}Fgi>n4;O^1_G12MCASq?Rcpv!7^yl?f8EX*@y3P4L!a&*`jlugWX=8@
zi_^6h+9a!LZKUcrpH7R%78Y|dgcIg*jLfkBL{M5}nvh-2pDDw>Zlzbuj2c>ysTUj3
z<Z;t#<acUx3hPWO`6jilmTdDn{5L#QoZN~%D!w}oggMTSX=8FZCfmiymH0NEdTCi6
zhP4ytMV#}REvIO{Q!?M4D&%NvnigDCR4y@W@M&x(S7WXpP}H8S?>8<;)~GA=Ik*T9
zQF}3x#$b|qfSGKZv1@K@%Sm=}dZxuxxu!7LSxiOuSv(=U!6->l{t0qVAej|R%LuH-
zKWQ#Ac$z~)OLNnyY)duGvY2}}+#{B$j<NrKIm0`|pZt~jc{4YKc^Un@3h{&&*$h?Y
z{Ofz`=b;4*14c^6jEqrqGM@jP(+xXvzBTW7hk$u83C)9G>u330yhSVdyyMM!g`9a=
zq1U;kZXC+go&RaRCR<MW>!wZ%qb3<X^`GLcqq^4;8%^Lh;TaOSQ8AkC&1sLF*i7VD
z$({M3^tu~d6nly=A&pPv1{YoNR8Ddmh*%idt0#GZzT~#j0N5UT5?{aFKCAZlomh33
zRJI%`3byK8Vat(IJpbw~M@A$3_b6`Pcum={qc7CdyL^JzuK4XZ5F~<9H^-os7KdwQ
z9&`2u7p-T!$C;xRoY8PgXAmUFXC=2_f!_&X>B`)5sGrjq%2G_2f{x5%d`opYr`61U
z+nMdJnLXglF2vS;c2TtUa1;FY5a<jaD7c8}O}%ayiJYj6ZIubDdt~1plv5vugnR9U
zngqOlOoIZ|C+xCxKmMgGUK2GovrEgZnp=<I(%tI@b)QJ?Dh)207y^o+eRaV_hrF9o
z@09`}9rT{4p)~vr({PuD*UWwkLuncxTm)FK)863~w4=D@_C55sgz#GHbg`I9@-#-e
zD!G+;wiPI>SHFu5AW94%N<&AS*=6;$$za=M8kB5cv;qY~8>>ppIDKJ~#%X4GW}G;)
z!tq%%PB^-{JbRot^d!T5jZ;y;Vw&Rtj+U&++|#mj7LC)2%wt-(Qr&&aba#*GE@M_?
znhK<x*(K51fu`21W}5vC=W{D*>d=Wjb^-I=nhV;ESXZ^fXI~*c9F7iSq@fV<(+k}u
zE%44V*s6=g?rqcZ4ju92Kj|G;u<Z_tfR?D}EWgHzN&oSo^#RF@nNCigTYkE9EWx&q
zlAp~2Ds^1p*a@^)QlKZd<k}C%640~wsA$WsVrP1>6`xV!OfTV5ioT0WnKQjCo(IDf
z{6>-<h7&iQP+Wq<q!()PXaa`#_;$~WCC*xYss?BL)2#N<<ePq$x<5bxqQ1?niT{3f
zUN(J0<%+A+xF5Pp^sKiSmno-nOvNoWxYPl{oIWEy<q4+Ps7TF}?}RyoLza(EuPIq#
z)s)P0N`hh-?3TmDO^-AF#YTx6ZE=gEwa1$tp`T@TVwTT7)QcU3KZ<FaBC2gcngd5e
zSG9RAcJk<)-<j^`Qs_)C<Wl5JFG@8t=`cPhls*KNy?gN)%)~G8(0!=Wqu1I$T65^}
zb7n;!|Llk1MU1~|mhWd+>~$*pPanw3nGG4W?fB(|@k?w6ll}N8oPAo(;hImgX#FFU
z#b@;$&O#6*it<D1kKa**xn^mN<*)g25ez^HwgY7?gL%Pk{2Rk)CBAZkims$00=O}Z
zMc8}fQ)QScY1LHIs>WKZQO1X8+Jj7l;G%)B{F-$$Bdqw8CzJi9HFqZv{y%Hg)LO~i
zrB=<9xK2D2E6QEXl&{0WF&tLB=z*HpkI455w9KlB`mLIxA9BQ^pM0B0|7&p3M#c=Q
zi$ZFNmo4z<#_DM`S3i|w)qIu%mfcoOS)B7oR(#@P)Kpy4_+83-!J=zSyg{pG;&=GJ
zj}KoIhvMv+UQ@ON0vn0@A7b2V!fj+<9;vZ}9FZD-i$hF4s_!6uUvLrS`de$lD)U9F
z#wxLD{NLd;NUAisqu3mtp<pN(1Zj1&B?%eye>=G7Ir`7y@X)jx))9^aSv8*?0I}j~
zpBkaIs&O@qKg!|gU(J_~8ORI@0S$mAK0%wmUSGR6*rp&|e1r4&q|Z*imLK)4P6J#p
z^uRqmUiJWfrG`NMHP$uWcrXX+1@?|K<aKl_Ra$ekMrVyx^Ep6X7Uv95dT7cRnw3C;
zGg8ie^-W_GT=eR+nplFMp|qQN0I^k5Uq~gz8Zax~fMd3$qI2Y&UQ_gSy#MIanvx&#
ze;<<1Labi!(S!3eW?E6Tb0ShxU*ath)vT<X{R}QTz=FUH-i34^bXR7L;1TQ~@Am>#
zzV=shWTz&=iBPjJR69pa+h3)2Q_>!9Y4J)T5F(uzJh?RT>`Q-c)ijl9RRKi$pEB91
z`I^>}(&5#mRDLawfRyPahDLC_azA}de>jB|%1?-bSY<U?ieYG3h*-NrN9_2NN}a8|
z+#lxTxpQZcLu@sugyG9h*55NfhdH`&ECC31vKhMDpB91e<oho|zO&?EhF<)PRhmh;
zU|bfx_$FMx=*9f8??NwT6vj^v*I1$%A{aH}{w%$abn@K@#_xs+#)qhBB*8e1Iw2TE
zrdb}r$f0cxJEJ4`8aBvV_M|y!wA)}Lh+T6g)Pl*Bp4HiC+2fImr$F2jX<G4wb4WPK
zv=VA+q`}7}B1a+_qC}7&rt`F#yEPGC6k^wWrO-p*DUc2JWgVK4FfO7PnxGkq!60jn
za=4e7JiTTLGjlC;!*T{_d(9PXIdEY$p9Uvf+Pe%qZ*c}Z$|0Or2v8c}Z=EIz1IMOz
z8UiA^SL2V1T2Ow6sN-}<jamU>b<gCR88u-w_f-%cP(YgoGSm&C6j#o7qaHJB{O_P1
zk}91{J(5CQt#}#o;n9t?AU@MtP)T|OMMOb_<h?0}82~ae048JE*MWbJT(%m@@v=ub
zApU|qL_-9Ff;9$OGoT$nBuzVj$2-Y~T%a9+hAd;{r`1r8HSa<_I1x&>-kX4kWKaSW
zWW6XzHvNGjz@lz8_%^ZH&=LsIdyo&q>Q1bF5Aq=*Ky4)=AMYR@hH_|`fL>(s4G|GL
zj?+JpAhG`(w7bkN7rxUAo!g5-y-uE?AjACFJM4h|5*;~r$p{I)_>I(`PNF9qggB@G
z)daA@a*9pcal`Uy<K~{rE(_u9g<eb=m`SVUgs-twJS*o|tj}4WPu*yWOY_%R&&x4e
zQ9cBUg!|&CDPL#4(dJEbQSCX{84R{<6vsP<*=Ai?@0eJ3n6#-Wvtz{SBjO5D|1atg
z!>8*xiVoB6)wkcm7~DjH+$YV*?qC%`Fh2tCPiz8zWk?}*OZ?R(CWb8zD~g+TA*z-8
zB0p#7mloI8?rM6HHljbtBEHlxPE~D_eT}z2P&uQl3rhU$S!J<<BK|zC5ebvI+x<_b
zABN#<B9<1XD=Dgs)%G_%(f^~xuh1j}|E9mzoG5I9*G&WT2CU-5-w{>jOdW!sMO3{z
z2%M!xG+h&QJ|{u^$R=j`Z(`K%OGiOMm<YLW6*<Dh$BrgS&c=5QlIdkw1TXawP4|Mx
zV9V=4tDRte?YXhq)r~*Jo~mhm|DQ5)UAp~^dQ?FDA+vu}pfA}}Wr_(dV)wYzM;W0$
zt35_3#j)Du!PYt2Zc)<OlN$tObia=<F$O1H*#CQv-yPc85GHK|&q^ohvnO%|mOcT>
zIbdTCiG`lCsy;DsT>l4+98xrQkZu%T5XotuF2ECNJ~%EyT(SL)QQN`JZ$}0!LW&Fw
z+|e{fCT&m2^31wGrA$W{dfeCago+zcP}85J6_IYt@10rFLOo#wuDB}~F~NrROPT&f
z@p_?njT%-=b>F99z1G%QkguCvs1;=7>l0H#GUe2I+y7w$Z^0Q{^Ot7Yn>Aq3+TD$p
z3&;dYO)?+T-J{XkfEBs~L}s@Evu{q+3gE^4qch{`bT;SunjWze(*~opFEs5=pRb5I
zV8}^b%F>`^??>eXO9O{&DjjRP6aldI3|_qV#AB5ma0n=<vxc;_vXD%~@T~G;fav;r
za+&?A_ek9@$9anU3c_0A0P<MNn?4IcPHyt`Q4!4js@it4B#f)$+{;E!Jf0X^z#SXM
zAO4X`Fx-P=d#?t9HcG3{ZmS$m8o??|(ci#D*<jmF;_V^sb$>{FPE^N~mqdsi#SwbT
zz~*4v0$MrmXa{41nx8Z>)Hkptabu4m0@s+d9OuB&m0-E?N*Ynb%x@d<acjomOfetx
z-9qDuLY<nR5s=qJJUT6F*}?`5N0G~iJJvzRXvo+pmt=J;|D)W|u@@g3>R2fq6CNT`
zGQGo2S^W!EMc5ph-UX}h%T@)fb_QF&O6%PwECnd!?8WNh+op$lp6TH~dp*om4{!Rz
z(Lv5(7yH!OmH~Php_f!pq+@D#<ujs~`?ANs885A&H)0$%ceaSlkR$fK0jp&jV>MSp
z)wZH>B6bVuF%lPvTgLp)U#$L&ovlkS(nG7p(KW`)`lF}*F0Q|><MDD}M<gbDagHxH
z&!0c407Foj$zKbu*h>lnqsJ7DJtatS{fj6EL!TS<g7ap0GTD)bX@xBFi`|bgT#6%%
zS+miWOxBpVU(|6juX~%Diqb%6g*!Fkj5TC2<`z275KV3wMJ)=rjHuyaDvSA80&W5J
zx7^CIbIV=8eW5{gZf>j&Ry|hPOH+bXMDR4%g_V2MH1-D=@4tnd?O@bNHK_W@OX{df
z1{?=vkMw!PtKnRG1l6k?nC00uvkOr>23t?3A)euYyplBY5e@8UI`@g<k09|JEBe>c
z&#|+QP?1M(O^4m{jn!=9>)<!l6(RjO9X#%b;%G36+<Q^E8GNJ--jmfSAvEu7q(hpi
zL!>U)_F+HWn72%mTx#p|%8hhL^}DCx*w33swE&5El==hY=Rx<AI_R00^acP-V_xh1
zP+ZB4{sFx5x^U{y`fd90c}7Ac`2&E|n@%JiFhCZ)=rC}7z|6CHXRnE5nOdUhhBst^
z^G`4uboLLaJZdnSR=4r@D6y_FN-G1uC_*U&Cea#J0=&o?IJfD<n|u`)MYQIO7x_#~
zUH2>))1c4s0Xm2&QS#}nAFun#_h?f7)9RHlWJzl3J>zcw&KVySj;ehi%cuVU&Mf}z
z$G$%2?7W2wgrhwgAKy}Y$&deZ%fiU-zQJ)VLiQ^6;_9BV89%%Fjd9AhK~I*vc{F+E
z`$m5TEqbfLB)xHYBM1niQvVJZ!4?Em4W)L?^kUGZROr&y=e<B4*D!$><-C|+UM%)r
zaLA=$GB2umG1<KM2`@x#p{?(u%df7Y%U}2%78^y}y`{S=xU*mz&=NusMgs{$o})OW
zmI=UC8Wh?TOMI;Czo1<>GdFJQUiOF_xHbWZHhx6ZZT#miN~>p?R-Ymba!mL=mteRT
zA}|G%G-g<nzWtxR9AmASJ#}Nw775#ceaWaBVD+xgXR;XDhjX4_)k7vuSFq|)6JN@`
zce}w!;o31XnE9L8vx;CNrkwOGYQ6Nj^B%d3^SFq)xAID56QsO4>gzBR{RiOG<8}PN
zJQz##L+&O3A@^pJjg9*t_$RCUW(^s$TRs%MRm{z0@_qgqW0e$a`<kj(878>cg#xC`
zm4a;qb2WRkwiQiRh>y}S*e5|l0Z<B{hp8NMk<{Oj&%@+j{|BfjpBNN2+%}@{ir!77
zWJB5Dk5Ua_KjSxUrP1^iyASfECU<fFci$ELe*oVumqpl<v>t&X@$CyM82h=ZF~tL~
z0adyU(nfRZ(T(xxqKi_};=5hkdVI3@pLqUgV|&u{(b=p&VDP`;!ei_{#I|iy-{QAB
ze;dE%&3BDCOjsO3+tgm32ERMPBF69^QKy%43h_CGV)o&nZ^4(x?j%RtiV52et9+LC
zX!6UMXHC1(Pc|p}-=9vt@{X6UCie&L^^G*3H}x^Fc4$Qw6JunlQRlVAqB${;VR-++
zo-aIVFw*W1D3z<!Xd}I&X-!+T3Y4qWIGZuezNHUTeu@9rZU|l!?m>=yQMh-Uem79&
zMd2+zy7oHnU%nxD`^$y=9OY;C^Zc($f4P;1d&zeDKK(p*2|v&Cb4x!7WxoBGem3*d
z&nNwS+W$iOQ!2eB#moKr=<SR7IZ#W<)U|svH>N68ljJ{>w^y}1pUck+1>{@C|MI`C
zxJ_y~CmnZF-0n`nT6@{^Jv<36GOD%qIZP8ywzxi<aKJmn<z$J)IDfLtUh3ZX8;Qcw
z`#tar3vT4}$=Ce$bt`P&UIy3~OIUk?<7V!O)pp$;jlteIM>6<$3qYQ{se}4+sfSuS
zab(tY+cvw3nQZOmxT1fAfS+&E0{(6dT48WpFiRgI{I=&E=@44C{zOz@-Vvd4u(gv%
zMvcjnX3~v*Z@+iTD5@^#|JV(|TURhicJ~0v0VvwLBtX$_HX!#F0JV!=?eV$9G2|1H
zx$aY$q~HCoOtR4ZWhPndF32Ry-EU=*b?*I{WV8D(ndJN3TQkW|xLTCW@!Sl2z4m%7
zA%Gjr3HDz@<JYP2y_v?pGr=f&jaP$v0s5`$e$5vk{OyO;-FGJN|6{%YzI@W>bHA5v
zR$s0g&m{eBb0&#eE0ZjCZ^|Ug-D@(*I#)q5HKVikW7++==TpqG^(cJ03;SoPg$;k9
zPZ|uhlDxg@|4=7ZX3EL5{kNG$<hno0B>nEgnPj1x$Rvy1`!dOL_s&eR&b>L4Y<B;i
zq!|<=FUXvi9*)m9e*gs2-;ln(5FC6jeLale_m$_}>;Y!S5_1aKczegPy?N6fE?}eI
z;j^a-yPNjJ65rJ49Q+LpMnaqVFG};J&VWo>@W>Wigm?k5P!jh_OW_E7#zY1gU(DCb
zi}ueBhTC(ZwJRD=sXcP%3M^91My|j6s(0EKu)B<(KRbSnpZ#(p3+y$7YFL-9FPx~?
z{x~HWVm;2Vs5YGNmvY@80c$;;7K4k*BkdJddk$_nC39sroj2_Q|Ebg3{o^>W=Zn>@
zZ(8h}&zf|NUtDc=0}TB~|5^cTrOToANoOvUi)476Y9+2<55%s1-dmFaN7fqAS~-CS
zQplnY)Gn};TaG`aH@fBKE{rf&)|<be_{-w{ZN`fRyA^Xxs?~hr-o#34!?JKR4f)cm
zPh;qj<G!hfiTr;i2&)}`pi-q>T3fUw*tU?j6xnoV6lM+OX<@YGSYFe=>e1bN{b2TZ
z@Al3Os-0PE{<kOrHecPrf8_`^pLN+{wUbMV=YKtHci8?*7=o#wsO+~AQ-7MIft5e!
z*<I#YGX>@tULg`1bo(FW#cc+)<v&&p8)KQVPhHJZzQ2r9Io=cZ6=l};(`}?YBj>>Z
zqmepDH2ExmN0~WbFOioO{n>}M0&-*!uK1xnI&0Rl^@QD*iY2CuwwF+n{w}Gn9e}a0
zeZ;Zv4bJ~(?b}=UhSvMr=r`2+GCix^6P!Pd1kvk*ttdc&_05$ohB(qc1A6)kc9m7~
z15`8-gk8uf0Dj)%76mCdR`PhR^9tro{e|S8jtm<E=p8x<uj$0va%clQI47DeK@{V3
zR`hi2C}`Q?t9UWc9c>w?Yr<OTbreXwb?slvF=bjUuU97r{9bjwrS;csGDa^Ry-t_E
z@xN96*4*ULQIt;?td^})yq4o|1mAWD-``n2GR{9&es@JrUB~W%mfb$W*x(+KQ`YK4
zPiU|`lH0QF669I_O!*YvUzDE5rrkI?A1e1n`_QX)0M`WBa7lc1a73{ykgMjkM+WO_
z4+ZCc*-R8hJ;u1*KaFve6)s~_g4C5Kb9llXE>(!zl051sIAZ9aX$##>4&<V(dgb4l
z(azflAo|C6bdT{Y`eY221a+P$+sWhArT*?JXxT-7w*`nMvdnH7q`$Z&46SHKptwY6
zklgMU(&XP`%3sy8z1sJxeH{kz52|_9a3^+XpDY}Ou!ml<11pF69j@pFArhC;@s|Q<
zR&eopg7VuV(5=SGJ$KxL{YkFZi-Q`z*QQX<>D1F7NXtcwCdZtW>GnsRb<sl`V}W%;
z<qzT8`T&-aG<|g)uK2qmc~do1vS#2+t81Sdu5@iDFVxW$8DVJF70I32-xu0Mc-oXq
zwZ*aRVTPEQ0@&|(Ds_i>Y|6=7yq@XT|BP}C5aB?R(R;KojR)eV<VUI?bt*d^&I@!S
zZV(-1T@}5^$Wzn8RLy>}2U}N>O$Q<5`tYE!mcxnk)NlOK2jijdGIINA%~QseHx-HQ
zGyUpod+*#?UyF$4Nh)EO(acO47pq!lw;b`^G1_V#92;ys4Bn6$9c-OXCT-d<{MD1G
z!B+PF!l~^`?o}hHc#|Zo)HjWBJ%?Dw^`V!d?CbE6%RG;9)-~x~0(XnTp4gKesRFAd
z1?H>?bVcVKZKjN-uDa$E_Xb;UQo*f*!S=r=!J|v=3>cZzXSju|L)tsl`r!Nz0>XNy
zw_c*YE?&kQH;N0)mMsOBC9e1<QM5YP?3@BBMt9_&6|35V$QXc;*O;q!k}x1d_?Ppk
z#6+L91WLzY0>V?i0VL5M&-?{qj%RWzbF}tD_2?h#`<Yhr(emK^qj~nU=|1#tMSqb8
zZ~EUjmc~FRR-)~E=fvr(*po%*<{fUP<fawqR}-IMHoh^cW&0&9d+O9xD{zcuTVztO
z+v7v1fPt^;JM@ZG(OI$23apE^9QOxXAEX5F8!=f<Xf26WaV8r?i#ZJch=r^!$6~Uf
zx#9@gRM2xVfyxK7at!l})0*!d=NlbOe8$&UB0ST+x4(DzJrgR`$g|9Tq(1nwSA+M7
zFHLRdu`p4xBpvI<q)O`FcIrOjYrKS8sgB$0XvdM<#t%o@uVvln$V*KoZ)SqfrIBqX
zM{eqLa%lBPjV0m1J3Udo36=^CJvZ~^3h^huqNox4i9`$D;SmB3u#LSQ79#<(VlA%Y
z{^@3ZkkgLgL<rhCcn7x`i3VcFyO+$>D~CgEQxk-GcW?YL$7MR2uD2HJ1)05XIqHpl
zwld6QDwAQl9Us4pdpn;0M_nY|M9LZHY~sN2_$A((-*|64iI#+)nhC@3_RP;EomBI)
z*cOLuur2DPY}brSJ@C|U7Q=mmbNM!QPVNgdIjf;wmuc=<)b2iP#D~GQ4V0DD*PrUc
zyMLs<BBS9Qh5ZB1OcjW(=AB%o0aIe^KkB<MViA4Us_)|CpW+!{_^mF(V7Q4lfAHQs
z>b=Q;q3Lp7{mOgw1Mih5+5>nTo*w@r@0D!0j8IR)Jzky35Z&~C9}=WD+;9I7UTUd9
zRp7#l*BhZ?PijWHcj(<OdG{b?SzcKejI1WuHjnqbHqYbv9~@a#u<Z*5-QP&*Y@EBC
z0u7y*jhxjPfM>6ZLl~KNH7u}Dgbu&L^(AFff!aMDo^PXohmx+Cme=}CnZZL~R@Aiq
z#D?89kI)Z?L%sF2OPijonORqZJML4ia&niN{dd}bRMviIvLrM74ef_)9{i>Kkn&{n
z$48p>n)1_XyW*_b1LGd*NKD%@^%39~oNx1sd;5c(1;Mr{Ld3+_=Y9&!l&x+mPr+Lf
z-^!u%CBGOG>I-!kA}LJ3ZnDJZTrtWv-e;%E_h8dbdtOordtR3=vD&^ye|%j33L*uB
z);-aF(<Q`L+XPX*4f!bg=yi{iDJOBO(Guoh1{>(KYWLy+B{*X#YfICcp^ej=k~3H@
z{Lz*pc4NV`_|@Zc`n&DKEw&a+_<6tWY)kuu<XDD^)1uj`YmWO#hBI!I;}|jyKu$4h
zBuGPl)0=kUcN(Zz;+J-by8I&orwqDd-aY?j^3PkY4n=F<YFY=At}PAox5!hZB8OR4
zY<6FZQ6voZZ*lKK9O>DY!{kfj{|@-abK{@!2Nhk&UkM}N$0C5B6PJgvw)SV*j~OH^
zTT9CCbjb)5vk!x8vRlb({gc{Hs)iJJhFzGR8BFVl)vjpjteNSrIivp!v#;^s<en>0
zc}b-JVXB_)cQEDzABJdAlkBOBS#g%SPd`i_hKU#D2wx4FyasU7_6=4;J!(L+pBc7q
zD5N(x$>?AfN^ay0>G3e84Lgi!Lw)>fIqu7V8{TF}z5&0QZQoGXgnh&E!g^<l%o_^p
zYY#L%Me9J`tkq8QQkrztwl&R%W%wn^yCNU8c($QKVH3*qEJKI6w8559`%-qB>^K<?
zl<rMW_J4OVA&CaxWk3BtYwys*5WT0pL&4v`-l5>XVefFEX%ILvZ13<F?Ewn#(S_Z~
zUuO^Cbtqc9Gus~E$jSBqin;LD*#o@z-u3`P*mlE%@nFp<Y&hOT*M;@rEAYc{=FAK~
z7M(0HYtRNk)Md2=J%0&GkJ%MGb{TF<R)AU)FJSjlh~;KD@Cw_npP&fVhHDHa^?|)s
z0E^ORVaS856Iis8oj_kb;-Sbh8beDR%UC0OGZ{}|FBRAm=*FFSvXJURYlv~tQ5+h;
zWHmRrqL33fm-?MG$u)%-cI6_9_2}E5SwD0<M1Mo;M+p!9()yu1@49}>K~k6&THtBN
zk9p5)IvfmBriH^8Yp}VLUA8}KjcKiv48}8+*h5>S_!9%JYjOH2!4G~U2TWVL=NtY!
zyV=U;H9K)%9dof|%QKBr7Qal&6G{hL^B{b7e1WM85>{r&aj@-9J)URW24qnR_G2P-
z-J;_%`S%+KN5R%I<!0@eaGomfUQYRgPsncw&njsGy-+kD(+f|34VfC%ZsG<Z>F>D>
z3%u6Ky<`MU7MOe_9;n>!J!!4nM`9kaT06J~TkkE<vU4-uwVdm*Zb^*4L5Q>DLFI10
zy7Gh1JWI;#Nvvl+Niv45Lh<82CS^VS2u-t|j4S=b4gB_3W%e@{1Q%WEquRgA4KBJZ
zkHlB~{O6PS%qV`oP{3iXQZQ4#6h-Ioi5Lb;@sh~fgH~XT6&M5)SIJNqtd0bZF$0b<
zF?baTY>hZgL}F=R?L5--Exw?gLJOUky%w8Q83dIEtHPDn*5e+{*{kHOcH*H*dBNgj
zp`CbaXw;i|BrH&e``>5Uk0}?8_0cvzWluZ7&!vNeSfY{Qs`&3f8k5|@+LZK%13iR<
za4g!gzG=A>sKruSs#qDSX^gLpF<$LFunG8yd$Mk$Uz9Fdxnc+`$aJG#-ld1i>F$BY
zHOfc%ghA*4hu!IJ$~?3%Y_LL+azN*onH}yjU_u)4j^-Tkl$Yq(hrhSe-@`}_YUEYz
z9e<}<Z;c^M75A^NXW2FBCIKJ8L#@#j8JjZSrPIG;F<s%6zH?_%raqn<L*Rs^-i5k1
zoxYB!u7+$1@{f?0ljAlKCY~rKt)lhJbRETSR4ON){YuZUANmiOI3yPf-&@%#{wr6)
zZ?jc-gp|UG6O8Ink|>$0_Oxs{$Exb&=)!Yb6!+t~-A*zR;vmILEQDH3Hf2}Q@5sT)
zB(GBCSom%^N{8QUr*y?3BI_e2>ux-nIWx<Qw5f&TEu2zsECX)|S3;}XE@ggXziWEq
z(uDtyd`TC_UW~*WL6&cicjBdo{eD_bW(S|1Scsg0lYsFlU$>kok9k_p!zE2`WQH$z
ze;%+A<9Dmfq41gAYhZ0XQ?BB1kNJqMya%Ve@U2$!-Jv{YyqxbihZLYoSt8DnG>j0e
zRUK;C4k(Wh((Jj{>FjeZDWc{&bAjXn1IaYFPJRy@7Z?ch-UH*v?@QCq%?LT&+^O>C
zTt$Gn%K(sli~(S<ZMMJ$3KfS|nE41i8VgI_9U!kuWZz6t87P<?<jGKYAdRygAj|>l
z))i?;oOl;VZ1Y#0XxRoN_F+k%fdnCc-xCt)_kR`=>GvZc(KQSSqUGEQB)XAD2@-=I
zD#dCGXlk3WKgfF5^hO#&{lQ^=Hu&_-g%j$Uj|*`of;bZw4k6C#!-yjxlc1)V?cvPg
zas$8&&OG2zge<ff1KRwMJVG09E=QcDng(VH4&lvF;SI*fFKG%MCe#Tu8pL_%q$zk(
z4gmI$L7m}=c2bU!Q}8818I72N*nfO2jY7-QC^Qok681FHXv|^2pDBM9e^`XY$zjGa
z@xjde)LFDd{#C!iswGkMdv=-9H&9NQuleX;Bj*uH7C2Yj&&f8_4lM)BOUz1Sq+;;3
zJ5NHtr?jp=F`l2ti`57%>E$G}jC09JP0ZvMeH6E$WvP&BhMx*9!rY<Lcc`!Z(gM47
zU(@c?Y(CNVWRfKdGD7`q%H|S=Scg<8nca5I_-4uzf7bB$2lzJ4F-@SH5lm7k52W*X
z6Ps(4YZ+O<Zg<{6Pvj!n!H$i(V~N=%El1d}S;2=o6uSy1OxGdn?W|@S{E**{kB%iS
zMcjQE$x91yuuQV(aZWkr%t-jLuw8*-05c%%m*NEfluPAQq4U*&_*aUYuO72e0yJ$$
z>e`7<kPSpkNfySxyvMnX-?yFHisD}$h)0h(w-q~=me5o?@j#^*#>{xLqB2#CKhL$&
z%Plb4zafsSX*ArJ`hL~tmbzd3x&YKnyVCOTD6VBWOph^cEOARoT3#_ZeyW8h<}6?_
znrNuv(IP8u5v;8sxH7n=W{$t+&LXz5D{5vI)?8i;6Iu*$*0Dexy(`1eFxdJ!HCc%|
z7W94-@RbZ443uT$&6TBaFa;%<@iI!vSLESmD=}s4#O;6);o)xgIq$aESV3)fmwC6P
z>9>FMZp+hef8pIuNWc9)w>TVaoCeAl#}RF{EUl~P?dyR1C{bI-On*Dn%eykID)H&Z
z0=>LZoVn5uP9Ny&;MfGGHd9ifKM08~g5N1+kttJY>P3Cx=KN}2aK5je6LAe3Q;8ID
zwj(FF0tlgVL7YJJ!a0SObD`zT#5NK@4sZ8m1J2pXEH>HgYR|TR`kS9;C}6{l&CUPj
z^9<i&7mIDpyPs#+2yi|77M)-HpWWXV{-yo>|L*e)ce1e-<NM#)-~SKT`-}h9s_?hB
z_aENBdZrF2+t9Id2p9%j8-*<=6Xgly(4NmThK2lVIWhbWI)+wbxhv+UTsO^pteeT&
z(sYO<a_!{`M2nrJvLSU8n6kR>XyQw`=mtNAZ7?g{I5xMA7ZL;3w17JV@{cayg8hGT
z>nKF>yY4?anDFm3bziqB`Q|9jHviot<an4J;Y3@0tzXYq-S}R8Q+D2;(@P(YvGSk$
ziBd~r&Op6$D2nkpfaTzZyd^lh9xtazx3|s2XGZ?sD9@idMG|a#KTD`P17k@h=op!(
zmQ)6-JX__AeX5EoXN#A%R<6aCQ%vvVv{9yA<Fh%%jr_hb8fI5m4frMk4s0df2)12E
z`BHxf!b3DD*mhdJf!9P?Zty0H7{O|VwXZ`Y$x^qx9O5Z6{M+eYtaeMVO$tQJ8rVzk
zf%Z?RckmA1t)BcR9Kpzg06M9TLbzHMzx#O`OFUZnAT85@0QP&=Lwo_H41=q2qqN1>
zcN~r@@ejEXXDgdxb97^38w>9`!|*Dg=0sW&Jq1W7#?H`%kz)`K|EoC=Pz`)#Nj%ZM
zZl{5`_r;PS>;Iv{0kVz0i-yR1Gs$+6(-I|bnsMh$fcDl5TN>|J@ktu2OXNTBBdNEx
zE8dN-HC<iXCYl&*TLB!?2D^8l5n`>AIyL{R!Z725;6p(^23t_MvS$ZJ1efW2#n3M_
zI8LG|M@TRQBv@!*r2_)D(mov!P#Z)y$~FAO_0D1E6=TM(J?T<VC>k$_V&)pH85OO$
zQV0=j>xcGfENMuRhL|Dc#MPFj7MV4t2XSJ(gHLzj3c-ZGpY||{6Lg$of;rA1ajndN
ztF^SZ8O3?RJA}hQo+l08XJ!NsnGI%YGEc*}(bObm22>MV(doDPj<>w-BQ(oL+E7R2
zw-jj<$2W5^qsvhCGL-fY%uxPAi_E$St;bAR(#*IZ8u?E~S)8A(VFHHQQv$Fl9Fm^;
z0`EwdaO~qyunKPy0+(8&In=?`{TU}(F84It`Q20!g_-+QqD+7()vd2nqwzUG*jfL0
zovC80ktv|!bjRQ4`RihQ0lPIvQ_`j`jmBh+Mzwo^OsqlWa+r{q14}dL-aGH;;AcNC
zs9g`m=aXugXh*37HMI@|wKkBZCyA+z5BqZZ25^9JUFG~#4-ilDYi>VhPlOR=mGtj}
z!KwvmY<SdQLuv~&T>K?3Jsefu^OP5Mqzcgn6$q6)6nf12NOt`hJ~A=2VgcZJ^j<W2
z7t_kjbB{(Ha=%3VscJs(=mJgM%Pz@nRQ~5jl(Td$&#%_=2TY@yfuU!|<$hRCPw@0X
zATt8EuvG41_8T&We-Gfk0G}W8$RNO7pOT{kL#JrZ-_su8>ArRk2a$BjN_Hi}S5(Mj
zMGMuA)BwZd*`xn}e5n+-f}8i~em(jyy>X||(qZk$4G#|cQbhXNLqVdY+Cms9EKF}*
zj4fi0c>pzx#TT0GjSVZzEL~_sa4`o32M;D|LfBdSb!+8fN|bJ^wX$4Av|vlzGEfwp
z|HpjX+<OmkZ2wE{>^Lf!#LUCI9~GScU7kd71UAU%&Tr@Di6A8{mZzRr;<3tkTp!ny
zs-xJViR?CWV`0NqHQ;n{OmSwWO0%nBnX5Y?tLHu!W60%XMF!c6l@S<j1@>qbmWSJ0
zE1P){)*(kXA20<M9Tg3qr8QZ5CPAdyCNc%%Gy!=c`EYEX#;0~Rtr%%1cNBW@2Q(3S
zwKVauHtFIRob@bnf)OIx1(lDeG7PD>pKCCgdyHikao!pZI_Z-EREMv97H&Z|G`VUc
zpGmx^HP?_u1(V@xwh(*W>pA_BK0={$TgF0f1|Vm>R@M4^vP91JQ43}ks<4^l<ANwX
zz7~<#4apAVxPzzMpw)oK2HL1iyJdk+JvX|$zvdmZlYp0Rh#4w-Exg%u`NGwVE*oju
z`c_PB73C;4%`^?B=P~D?`_!+7nt2n1Sg&rRiFVaMuvJm_VmttiZbsfJsV~bYbUW(P
z<ZR`&*6riP*3%-&F|^3e_WIzA1L~mJpL51fn7GfKK|{@6$z}gt&9+oq{7%!lU8Z5C
zP392nF4IQ0l7@+p{THpO_Z_OQI?(ixS;l3!b!{v@u~J>0DG>gY$_?@vyrDWU=MkQ{
zy>|;dAjzc(+|7hmv<wo^K~5oBwiAKDgvQfbmWZO3?Ya1~14RS`P~>-f-{oC6)7uq0
zw^693l@NTx6mtT?8|8^Pm6i3xjKSChQak~D6Fwtx9bIfaV_*`Taa8+LIXO=Ev#2t?
zgkpjQ;<%surPt9FWC^W%Ft}(Bvd-A}96)rz0~4F6qn$f^1;uKQ-1Zt(*Kv>zn-|7P
zT$+#YA;)7?7?$-J`qa#!S$q-h@I`B%Z`vnIsy4-gh{Y=zi2XKZUgtuohA9pvSqKTF
z<7j$&cqC8&VL#)I#J~O`jUr8#smfV4U7R~K{_h-5Z)VUpI}E_;Yy?rFHST@?;+^iP
z^XMofNW>_MMf?YKYThyty^-hlFvQazrydY0Y0l&8o`tz!z&x$$^$oOa8E6?O4Blr!
ziAfW>`A|z2997XpoSfL7`sncbX2<<3R;V?cBL+n=X67)e?R2~U_Elj^Nu~N%`tJS1
zUa)DG>EB7SNi+VopPPYfEuk`Ie(HUI{p8x<|I)Qh%&rYN*a$ejXFa3S^&DgQ=>MLz
z7}>*M>OZJ74JAPc;2aZh%tC5l7Fu_Mb49_4)Hzyoy79o7rjzfkUz}-pp0skYB{?^(
zSxnmpSXZJQUczX}i>Bv<;TV2P*EDERbw~g7xO}rWHniMT4k=vT6qB^2QBQUHal89C
zN#2i_o<Ds^Q^u1XJ<&s4y+NDE`Z*(2PJ3;*;NOm8Z(+LIzicSK+AqnQdzvap%$}R!
zC(uY?*T|%{Yd1FS9pN8Ywi<&>=<I*%(~73U^uWN?!8L<>I~)LwnVfAMkm)}M<q0fg
z&dOJ3Ew7LVt*uw10TPiCrMhvp)`;R+Rs)sYI<gWYCw9kp^@w@6fa%)!G31ZyhUX`q
zg|Kjd93*`gluX2zQ-IS6ee~(JH~E4n97G6X4o&f_RL-Tv6TH3EQUrY;V%>S8F({Ku
z7#3imlk|HR6S8)&f4Q5y<LF@K{J<Cn)AKr<7$1c_9ddXu@2w5IVx={Q=F8zSvpU>b
zsmZGNF~51dnUr|YO(2*Ex8jA$4rpPec>_!E2sv1Z%rR~B@XY7@kHdwU)uNPlNa3LC
zC=w^#$zz=s&#WI@wXAkWL{oFz0UCZ;qG+PW!|j758^s3{_ssXX!1y3wnD{DlkFutY
z;T7iaVO`?qy-E{pxG3m&xDvAych;xb+Fim+gpyY>>~|xS1&9nsuuVLyW-z1>WYpnp
z98_o*e&~DD!;UOSL)3g_o=#@9**FgYc{$GQH5coHZnY~hegl`miIreNDHtRRkjd^s
zz(sxKDneWx%NGE+!*pb~``acR#9XeI5^+L)&7n&Z4;Soap~(xj{ffCS$dCK+ajpY8
z!*|!v{5Z+~3bc)5*1@(mN|Ws@R9HipMTH;d7AmY!AL&V(BH5=WX6tmt#_tZB6@C;T
zq^b>t<vkF$9%PJ`-OkgwAX<7pf~TC@Y^w8oclY0)neQGye1~%1Lhc6vN)hMsHFB@V
zDCch8^sgMA4^$o<uG}ll{Uu;ZRr9&KlkCHpnXjT%CuEGRNMO!-NQF$bSV!hBriU8V
zmJZMMxRy9SGd6H^z@30&eFOETDbe`%l+RB1H*<lO^xpCRvG*oWj$PHcu-XH(3m0W3
z+X)T`=nmD$Z4ITdZG$zHq$)|Jxk_RvYo3SFEQJ`G?gm#nZA`%6KQTk#PeKSJya118
zj19yjBuw@T0Rv&iDjM7l1lr)C-nY-W_v)%j)ot?DTkBuzr&iyVbkDx~oU_k9dpi4^
z`%L$tFVl0I_m2L~Lz1ks?78LMJ2^J8sp89YcfjNuk&w$TAwL{r4Zj1cy4Yy@pis2+
zk-+03otQiZ4C;S59u}XKGFm451B$oP5Z*|ih*kuM`8DJQFxCZ&Uq;0R##hkA<T~`(
z54@(HW&lLTiHn%%ppe6rD1rbx`Va4+zRn$M!El9W#hdW(b~G-nUWs#-!9Tast`qmk
zqtt7zlIipV%&5^TmKeb13jjdt;9n-XoXpS?{h86+6U3npj$AJ#S<MY`s9t(<exws_
zet>ZDo95B)v77b)+^Sbx$_gN4@nemCoPIX)3o+Hsj_ze7pF0i_hxRZ507nl*rnKO{
ze&G{LBK^5gsDww2BgmQCOgouIYft9@H#2|;#mb<l&W_%hV#8ZGS~;+`uXBg>l;VRl
z)6S4xvw!sI$9ZS|^m=p#>^(oaUHE1my$;_fgaJO|WR*=Y3XBPBC6i_jn_sXTPTvK-
zrCzwn-ns!TB$H!)q=l#uTngHSM^tz|T1-CCjr4}a0@?X^rzUj+&mZLs{wua*an^hC
zM#L(9gtu5;2>Hpzh{-p`h&X@zM~}EwAEYNn4=nOh%H(G~pF6gWuWbB@DhW2i{kK!2
zK&i8%qMIHVoTTat)MRiVUL{9CEwt;GBg=~9W6;Yj$iABAmLxIF=SCKvRQ?WmIs6V*
z{wu#!{u)+}&Fy^tjQ(R>lo5*1B$`^I@82jr<q?Z`yYO=8r~IK*cr`1eL=Cij9xntO
zZH|#rHa+!|6~dl8JNn}>+Mi)OK%iIb13RqE9s3qZa_Ts=h!KK;#(xcS<ruoRz4edy
zkNkf|6*3P$gd5gVH-n?L=ymCwxwih5-~9mY-h;2B->XBOjRl%4K0uk62oXGjp&=%t
zpeilO-9VpU2K0mm0!>r8PaLO#r59O%q<F2y$u+P7G3Py}FQhmDC9ZM<f?f_f0!HmN
zB!vd3M(;!9gRor5UbhoL86`H|KvNondxo6<?*KUk*+~kGDo6ON_`w^Vz*IRq`X)YE
zD1lBnd1Ca3HsX~wwmd($iG#16_f`&dIr}^_^5f|fP`Fr0r)FT*@bufc<3FGt-11rK
zt~_>pJI#~JXy|Ct(mLML5NLr+emh<k{(Ra8hFkktrJWPZa(D0h221FH0RQ^Pk5|_a
zKPt&!y$*`m9I!^V4R1Yl0S1ahDVZdUU0HaAc|Yv~?ok(&kk;PPGYv<24_t!9LW*Dz
z;$OV+iEZv|pEO*8m>7}b86XAeUfNXzBjTBFc>?=2QD5Nnn@-(KBYrVyFjaM8#JN5o
zg#}?w5veP!p#c7keohA<z}lN)pOSrBQj}<YVm>hXJotzKGWkOIwmyPeGW%cBDR{Rg
z@zj10nRo~*rx{vAsgPnJXA^@=(wUZ38l-9<VUZ;5-n<UJCE0~n3996-1CIcVtiQWh
zuw``lBb+PzX8JrcT4bMRM=!-ENnj&=(!d`*CFq|2g*GseLu2|NUjK0X?mk{AN5<G0
z_r-S-H*l3RKiaah((EY(HkzX$n_#SikMIf~M`|lo_zU)VcJxzxQiVUnr@&~`R2icQ
zUMSH(&S;{&LNk0n*M&jes#|I3A<%Gt^eWbrxy=n4V%!F2UWa{Y7x96=k=+$I3C!{%
zR+<oYbI`j%xD3LB;N~-<8~fC;x#ROF;m6q#8~vCW9dpN@DZ(>f>FnrdFXzy|hRmYm
zGPX;1^a%m_2Z9WQT=)+nz-I;Me`WVEfHaS=r;6DoPasP@FxvQC-fVhVJK2}PZC=5f
zMN}-}vppIJsM!7s(wy6)7@Ki($7%rGBFQY-qny)^;nv7nlKc-3QrP&Req^XUM%!lp
z1&l}r2}`|W$&^^&AVGZWK!ErYVTCnT3~di$k&FT-KKlUJkjo58(V|h*{`2VH4K(U!
zMqi>&7Wl>cL%z<WhVSH?8MFGZ3544Il@QIeE1@(4*4XGaVV?7&sqHi<e<R>}H+`Zp
zRE12t3v!BDK6ym7sFzQYdx!~yf%vie<go*fGggL!0l9(sI(qp*^f~<q_8s?IY#6C%
z<iuUffDQMZ%o#cB*@uM3UymMoA-i4rm`1`v-2eIm?6%#VhP1y^;?K)G`@SSR_=}<t
zIrMItw+@1nME-VeKDPB7*>Cim$tAIze*c0-?<h`D6#QW#sfS(|@J0C0C8Q+&6TE0-
zr{Mi2zXwnVpDQQwnQ8r<#v3O%K2EtHODC^_EAx{A$s8OGP2L&PF<9<^0GixZu?7Q`
zB+uwVJs;CY7w~x!a*=y!A0<kR-h$XVlmOl%Nn?o@*y0F{&&(Zv2g=C7V*cFd1@i>d
zzTR>2og{vV%wHsA8035D6VI+mBiq?PHwrt4^ae;F%rtTjNB6y$)%ib&+#tsmj(x%q
zc}||ZjIrsN(Hp@`jFCETc3ZH>b4u|cEOgB|zjON7Si@UC@w=o7$QK$Z^N%8-0r?7;
z6YP{rniiwPbu=y8Pa)~_ncLkb?;!ka=6?6(?vo!TafU9Sa4Ucb%%5lHQo1*PK6=}K
zk>P`L);l;y>4OaR<R|H46b3)Dk~U@kjDGNQSTNY9MwO7=0%)qoee#p^F}hg9(|!QE
z4ad!A@r12BOe2|o*?KFG$$pc*8SgK+<tNa#XfiBlVgUJYBa0M8<dXdA2BvD}-iqzo
zzq(=Wt#|LoTI07a#&fqkaWk4f_xdm62aJ}7@c^Av2)pt>?;z9VADQ9uJ(LnN0nLM>
z0yHlcCV4b!8KwuwsV3uzYQu<gHHHW=!~a=o-lQrZeGeLa;BBY?I`N%o0Nc;u{^&m8
z563%D#`q(6lzOIwr~ZPu{|Qk;H-6`r?zz8182Lx&*h4qd5`_K$B5X&0^i%{=+E2$p
z5BDJYd+W33EDtyTi(~}FPu(Z<(0xoaeGc=^W5HvziRvB-d>(ZI?|Tr`c3wm?zx{N?
zkgvG)iud5PRAt<8@B5tl(7m01Azbg2;o1-LTNoFQ1*cXLKD=HC_}&I6!uKt>aRR=}
zIlcusK7^w$W9Gn(<m)NXh`D180!U*k0J(^0uo-7!c{YE7^#cl|W0DO(eo|}u0O*B&
zqzR)$0SUA}6v}=`592;WJDF6YtZ@Ge!hPsRcHbx5|1hhJd2I>d*1H%eEtej}`Tegu
zfgbTw8)z9r<JtVF7w=u){M_khGP{V*vGiIVpF8$)z#)diOh@2*aP$&}uZ?%g<1O%5
zt-!;iIS^yQJinddg;>d;Fgmgc|5NtcYxyzq<W7F*z&k+}N&oGDC-W8l=)+PuQqnyb
zeB{}A=)Kv3o&41|JwfKm)+!7)fI7hACoab}GDNU`<~jP^N8FoN;JFjt%kj;71^)ZB
z_t57(hwj_=X@ts;;yu={B_D`h5&O^9&3`(2&;FGYS6#5OdDTA4SDFuP9Y&cb-#sU;
zpwm@+aQi9BF5o4UBHsHvhwdNaMbs6O47yi_94CcbxV(AM1%#ZW=>DxgklO79-8l)l
zP)5w<GmPUF1de+qs0EID7CXchM%6rLI~8uzD-7n{hw$Lsv5V+8qV+h`n@%ES%t{Uj
z9>puVeG2QXmk{^A2e**(?mqPC_M+QzKOK+2D{OwzeZq&gui%Z^c!i8-^AcJ|Y|r9b
z`x00JIPm2m_8fb&Hn#WBo3(+Z^D#HZ;q<IDUdQgko6ND&hza-VixnqV_gQbnel%Ji
zq?H6Pu$XU+B^m5<z(%0U3G_LNeUI$>r&}+=`@jE{4$b|J2#<F|2>f_%_^rQZYv*i|
z!1%<0x0`s2g!|-8`@vGrd4z@TH;Eq(;jCY1yoXL+iq+At@{Vl%Jw}}Kk@dvoG{#o&
z&SMzj$F`Ilul2+g!u>1w{Znj>T>+w5iCCZ&4hL;t^4J!Hpe*DDRC6EkUV+z`<G(Fr
zRS5O)`<Dy%KQ7&8i)RmQy%)9O==G1ZXP?Ls+9$Raf%eqR-+?YnL2ptAi5aL(=pS#=
zPrz0Dd1ML~fZ>$lyMU*}2#|un(G+^4IyL1V06hBQ`h;@@zL9(%a(oKl7P9F`MnV-`
zD(oqN(1lfbkrXE*yOX^k>}m*pXrN!+jE}k3zY(|TWLY>%k5g0_${M!tN0kI~0-G)`
z>|6%<uD$!{A1ZJRrvqXHA)Fgf3WfDwIXZj)4=<ZLZUq)7N49I0>>9I=4%~$o@#)_q
zo8-C!;P4}dZ+;$Q^;eOnOwExwFqE_lPnr56(^}&EW(P6??bYOdVBX$9){)u0>AY-Y
zeI7Gl-tE0Mi+0fJCNwWrB(S~o2HN(9^Q3Q$xL~Q#vhruJ518VpCtva03z#f^2ooI{
zYhMqPD3gc6KVIx#!PgsUBs8N7`8tP^B>y6FU9fWDrh{wD^y?`0lAy)VABWgapx*pC
z5EIrw>4IG-KXl-q06uy@B|ecOPOsNI^}96uTlDRD^zGXc3;i3ujlS|q$=@L3Q`pn`
z7<RkiFl%wETZCJnaJ4@nq+s2})$b<G#@;+T!3Sov07-n8e0Y1i1fB7qm8~e^O@@Lm
z^(iPg{D7_)-2v`P#JPQiH<Tk@gJ;LaWeNl4#+}{vB@ZHyg?V<QKt*1>4S`Hfrs`gU
z8?gL<mNdHt2yU0_kGn~KoE`l&%*@j#M)$n}yf3WxApezH;B5Jh<xGxPTe+>_J@Fxi
z4Rhcs?tgJV-$8mBt_!FzcJ;qTjDmD|uo1rDeBNW=Q;hPlJay>Ajj)C9J#hohnSY2D
zgIN4vb30(Y=O-5;2<zPZuJsm-)%No#RzSXgn5YNkig?3_&O=Sa!SFbL;V$ug*P?ay
zOrQtZsNFI?rwMoixuEx>8O$@@9=VS*#(pjkUnQm85e2tL-(p4WAallWGA@vDxwunL
zZ$7a5KJ+_qU=r;g-GSP`qx-kQ=nI=KCt_DJ$6$N(bzc2ltiIQ=rrb`k(s?pS&7>qi
zRZQ(SBMA=44x8UWZpP@q>j@C)lr$Rv0xODThwc02sQ5>ZZ+}ejJ+{o|{PdO;5M1#6
zJ8}8x1cq5!E|A6>{ubi+>{J>da>xh#WyFkBFL_l;vf^$B4KS@SgVD2j2X4b5z~D}>
zJ{$DAM}Ld>86*(dr`r4ObsX?h?#gqq(tN;+Un~2N;CBp1++cP4)d!yIKIu4swcrZ*
z>5zUfi?4zM$b<)-gg;8&#_hses5KaWs5Np0QSuQXaz-3QH#Nd*tIv$yCY1P4LZMZl
zX0N&auyEgi`$GN~9d1gIkB@;suv?!EoA8g(Rer*Rq|e9Ax$h)z4sGq^jyN^tY60;#
ziAoeoIWzJIw{R4x;%4+y(Y_iI?<!{bz>GY(0w>`^m(sCi&^Ht7{5Zg?^N<w>p*bv>
z1JCXp1qWSqEuVsOF8;asX=WXL0Z)@XP8-xPAFd#oiuZ!d(Wm*=IWl#q2w6ll7Vdq}
z8;nLcmkD_?mwMfspNH7K72mM9cG0oB+dsmv6DaZ60DMD68Ft-E=UuVi)a{deR!I6|
zm%aM{TW3eW6lX4AU&trKd3qhwm%@o6yXPqe7^Vss+jC+Dfpu&y!Pq?=HtaKH#tS7W
zeHBSv?n7VPCm3N{SF#y_?z5*)%xymX1nd^rI*)BVj*f83kO{(Q!<9cpzeZnKosj=*
z7s@R^AvNMYQAeZ>E(?rGN$-=xi7D(jpq$|RQ-G%!1cKo13+wxjzKqhJDd<3(kXY&;
zNkS(1@x@IASeF7~CYj*K!#joecAw;%#Yn|trXim4yTXJg!xsFxb_op2kG<q|?$@22
z-FGoD(~WM+W$n3BH-81H%?2oDC*IuOe`)75iN|-MCimuDOv1V^yo>EOgI1;KteHFR
zU@iC%FFlDfoN=4m7+kkxp2MrBDM6(80DYou8YaXLo5CT_bnC)n>{0qnAfrn!X98`_
zeJ!uKjTi)FM02bU0qfC6-rl|l0SAKwV)ml*4-+;9h10)?*7Kt;g9KzY%#-$bH|UJ{
za#*3}Od7y%V)oJRzK-1b&oC8phBz1N-3^w=M-p8^w(vV+WXF-Zjo!2mT<6{V(#Z1{
zd}5Ok42;)}PGL331B;QWC2RJ?4g0Zg9JHezUIY%%&mI3bFnA%?=B+1eSGp}cd5OP{
zn!@6&HxQl_9HCZV*4&P-qsNa^WAXmto5*;3GfR1bPIg1V-VNj*RpP(VeC*L}mQKUy
zu{}D49)e)kl1gkagjmr+&wd;R7hD&hMCu#77$YvhIVnfag4O$~b?O2g3JrL)`_j?d
zg!+GhF5=-!rTNY1N^C>?EQ@)33lBr9(yWka)v-c3_4Y5rnz&bzmqb<QrZ0`s0##oD
zOXt*|0!SS0xnoYy^z@s!{-h<0c_yU4I{E+_Me=6_Ga8N4qhFVT1SmcE?0-Z%6r-1d
zYy@$b<~$4BlBOU<5?}_VM!q_O^ULX(_d>-cKBl;DdmEO+92DfksQ#3KX3eEQGx~g3
zt{_=_4Dl$^j8+zTzU3!(0?ovnzZExVcOH*ZjOG!({s)@jquY*Rc!}nuf3P6IMv-i;
zUjT#}PWtDQIDLlCe($FK06T@;*h9hzSs;&FKfWKO)>DLzzmVCtd4_GIcsK6kZbyt1
z?-0D$*{3z6UqOlA^Fs&&gk5lS+0se<{OGx`tI0;feh54O&<8p=LY%pLo|AA%M<w)E
z$RT+HAQ<ki5-1W#JV!q_kI)nn!@tKLeq|RApU~e4JWclXQu_LOG}p`0X)b;>HRQxq
zUn4Zf)<MtB2au9sMV&0G9#q0IBce8N(#dqVbo8_co%l`nFvQrnihEo1z8fL#M46nx
z)yAt5uK(FfK++RI7FYfx2!|fyJoDFr#9($BgR#LJ0guu!A-zIKArsE|2bz1T<Iat)
z13K2j<Ih8-R2$ydfeJfM(f;)GJ94-4{F7e>kY)15(cb}h%<4?O%K3xY$?rj}$acT@
z-9!^~Q@($ZZ{MdAF(9o8=r#bI`cF8!c#ZV!c<}o_+`=1w90wXycnb<CxA)B`n1klN
z8J}*lm^A1+JMr$t#8pQJmr+D>?)dM}FAxzCi~ePbx#O46Z@m2Nmsl}DKz(%2OW0(&
zjgF}hR_nJ%?-Op4y#fOWa$)pQ7WbapBzr|zV*B>!m;m=74o8O48wI#O$1NU^rwKsP
z?DbcXZGCq18ho-q*%S0DsHXbcPCyV{Mz;u11AMY(!&2l^OIp<(Q5X23XgkJHm`N<V
z<JM~kap$k7lJ~t3S%5%)c@B4;c?u4~_UYT8C-}F!ZlC+e!vyvmwg7+>E|hzS@o==O
z`-B3g4pKCb1jvn~+Hq*hn?FZ1g`z)$BLVg1k?IB1H*5*T>^w8NKEwqOEx`#iJu_N6
z#5($H%$|KY>(OmP_Y>^ISiZiGt|NVxEi<qM=^11b(e(Tw#1Lr_#px*8E695W@t(sR
zf(}1p>j~`c1+3R|$0@awH;71o=?xqfQR{6?;2ahbE}wht>&8QQMi}3AM_$FhUCke(
z!_UUOTMzQPOSmibZir#0i0Sb-O&DUCGo#mmoa|-obk;4iu=qQ&km^vzI?UE3K)~g@
zz))vK3!Hn7kyEl2!GEKmf4BX0^e6KD2{4=}<bWw~JqX3v8kWbGh{JKp#TQ23W=kw{
z$DfZ<p}h}|KF@F7#?E;p`Vx<SSh)EM{H7G4GoyF&J8Y}4d-MBznF(C}ak3M@F&|`~
zKN5)c?a{M9G48KlN0Z@00@(ZTNelybNO~<T_Jd%Weir%8-;r@Kr-#7DY=Yd4v$+_`
z&inZ)6b<M%SauAp$lNL3{PyT6V&$EqEGhm0I#BD|qivmlVD5N<27=NX7_S%;tY9mI
zyS!fOCunMH1@YhLYhDtm$Iwb~Kepry(qbzpi+7gc+}5A0xi@hZEj;MU*n%rtasf4E
zx)2sEA|9{5l4y2j^csA+>0nRdKct$@9eW&Kgf25#^93eWaLylvL-~~YJfA(+@OECW
z_!M-(v5PTq*WdgP^z~yvfh9S*zeUoB!|@msRXTG$F>U8wKCJ(GkhAb-0m;^>5U_f=
zkKRWnG=owxM~l1}f5MxAV9J@1oi$_b_#c2mW909@j-$)sF0Y`>D(K_|eMP4Eeg!{|
zl_l4ru1;dCG_0SXUQnH{y@C^Ih)?1eFuKGsL@#j6+9b!YxWOl=<EK9*ju$yOkS9nO
z+#WqFG?}(*jrnSOR1ofe0QXs#0Nl1c`rfs?D}Rc+)RpbgI}b3*A-(JdB!B*3D~3*v
zKE4E<H*Wt}-?7D6zVP@9;hlB`3KH-YTIS7=UVbOK;@zZe9&7<yzI=!EQ!q;c9s<=K
z!Y9Is*c1dy`=@hv+~YiUUwc2D!?7QO4_eZ8A-Z>olg@d05pFt^_uPuL-u4nZJr)NR
zq9!hx&yKzi`Lg*Lvb`+qKJsgXiY~$DEst`(dM#Ra%V~uTQg_Jox%=pK2k_Dk9RAP7
z@s7KX;RsI?YXJE88hoJyZl2*mQ?BwNqS;M|MO?=Z-WetMoy*zO`}U{|eSucodhG?w
zU->xIOY-C>Tp#N8AK;UQf4r0os}QiXoV@w9UGjngAD3|>7+rt9<JQQ5=Z&7aj>T9y
z!yB)*!%gZm<!zk)6FTpT!z27iJEfkFhn_e3_g7)P6_C$k`+^AmI6L5#las5It)Bry
z?siG+ABAEC;BD8k`2gj2c67Uv-D3GCjBagggkoenPEwuGQ~Qmrr{f7sQZ8RO+!lvx
ze^*im2L$wV9-t(;=Y*S|!%Y@&p!tcKLE6!Ukk@Q{k1J6+p3GQ3gfikKPZ3L)XxSdE
zOC_{4z(YCIk$*RfPy8?3r^#@3^d>%T$CrVFSIheR#}bOa2B^H+3#5`aj7yl18$m?y
z26ZN?y-}+6l~T1=3DvTOd}HfA6mY%-e^Ixu!Uhct!{&!jfM62Yd8g1qkom80XEckW
zp=7gl9M3%~<x}9zI)X^2OlPwjPAi+T@EGLbYsB_2IY0SKCc)dU5PHgJa3vFYZ9N`f
zhTJIv0t?Se5)41~cj{navy6d-esFn3s_jN3SwT{tA~`uf7FcITAK`-N9b@74;AnvZ
zpWtf_$KdTEy@+ODA`AnA5~@a*E%JN_9De<p-tW8djvXx8;jJhz7;Za8Gxww$I&ltL
z^vJ1I@VtdvevLhgik@i<e)Ly(ojYYRj^U~BBzE>~UUBaY+qckyze3E{#`8eX&EqX8
zXakmc-i1OrGQ64msk@P}mQWBGui|#!v$g+L+@MOt7EaW7l(~Pry;84^{_29c+ul!=
zO+0iDb~H}hklOv)Q&{m9+kFa+#ZJXf_uBHdUUbv?j)%wX+|fqf_AAl$%g)*MW2cZM
zLA2)c|J0jN?`KZkMgNnYA$>A#!SR2-2^*kA8t_r#Pl(Smcx+<8TjMQfn^qjbg~e=^
z4tD5gc;!y>`R+qsLNJrPZO=Tq#);SGeGRYVkOJNe8*YgBIQDTl({FI9|BWS@;pjBX
zm0!?HFZYk00Y&YBgXp$AH1}HUQHFE%8RSH`4~?*ka_+V4J(!0Ooq*AG#sg1&^Z`5o
z{&rfiqK92~o)Z@xxY?}eI{?B2(t{&p5(A?DA`h8Acaq0VWIeP6mc8kEH-fYKzUJAy
z^uWEgZM^H}v-|mE;(UO3)S(|^Y51n+FwP`r9mW~hQ*rto<nIujPk)}p_ZfWwj_rQ;
z-E_^EkvW@+1so6K@QXQz)A&rK4{eqJU65c*!|+6}M5jg~BM(QjTkh$-f(^k}F$(TY
zobdWyJB`8dZ}iQ069bE}BN^|3Q5g0ob)BtEi(U5~`Yv@HxkuD>_oh#QuJcSL!M@`C
z`l&R2Y`j=|zy#P_3{|#CLqpT#UhknF(JM-Cdkx(=*}(iY5rO1|H|40{lQg4w>BYh_
zz_UO<w9kw!@N8XxPSx1_@#ro%>$v>__lalGfc+y4n9%C0SgS|w&8MN!8XBw5<ZegG
z?CJMQ<MHG1cnFf|rk5VaLI3V;GC4Nq&OQL)#3bQpfmeiOf-4wLkQlq^8B_&MPzNaL
z*a!U6#%E$a-87z082uYjW@Yn=I8leyz|rR+x6q>(Qbl)CZppYh8&&7ncQ>z&4jl!N
zM1DC)jAUh;!sVjk^aqfC&XAw}%X7}J--v%o)~WnM@ysX3KhI)AabEs;vi$tO4O825
z6#3Rqu05BZw>>P{NP-7DlH4bQPYsiQi?cMaIB@ibk9cTl^w1aR<p-~2@_+LlA0jXN
zAUEjM0k5U_E}hPLvX98tub<k(;?A{VxZ&H5TMOHxe@9G^4>_3FbM&*|CsFD^{?m|u
zhja0TT;f<?CCP8c<`&~mA3`MC_kZu~1GX1NejgL-S{B{|_j(UK=)Ms3ft{}%{q4&r
zjTG-~=x=XzF`)#0J^h|3^Y_WpKLMOm<O$^uJUROFmn5Bw9}w?l@9bu30ONr5f9#FM
z`>ef?cbnH8V7vAI1Z4JYK6ZMJ*)={aE^5e-xyg4eR?0eOJUj@CrTG6CJ@uvR1q0vk
z;f*KC=GAa-+LuxJJRg?P>roE*j<BdaK)~=~iJDP%^z-WhBP?rBo+^8O<h$-sEKR(E
zj=cfu(|>XMr*1$Qf8riI;la{BVs0BgtVh93e2AC)6)Qp1i^_cB;^pTk;<bPDYZNkU
zQq_Ijq3G;>fO`Nl4?7>a%!d_PjdxSIbu~s7hoO${zLs|JKR7ytPx2orQ-kC)Q_`P@
z{OUZzgEy)`|3O>)%yaf(?R}qdTmG~AG%e0k7wxIJPa^a2;g{jXJ5Ze-6gMxSVvpsK
z-hJBpM8ge^-aQcZomqB6i<iPY3}cUyHXnAMMdl+m20g;Q{7k^Rc~AJ`L>eDRc>nj@
z>3{Mdukz5pY<}Hy|7mROz5hG-cFFyo`?p{+;?etmMA;>uci%s9U-Gc$?9XvP9gup?
ze#e8PwddlLPWSx}x-Fk;U5wxDr=eEueYA!62B?`u<c`vJc|65?^7@wb0=C)ktCZIK
z3%;0uQ}8pm9rhl2oLLy_MvU=2k6+k+zV;gee=^tpAqSF2wx9iNW*}I;h4%_d#(?!z
z2yDwNexmnh&`<g#oCHa~fBW}a3jCG=zoo!$De(Vq3hYA;%fZ%>gBpG2i1J`dp{$n`
zdi}zJqSdObx3bM{wyE$YTWw{w*{nB}y<`hu8RcQX&dey3%IlP&Y%-(FHS1Mnx>C&6
z+D8=1biG!~rrX7OjUG@ov#o4fnHne?Szx2bQ-gMv?k6)dGgPVarOMT2v7J@6>tieu
zTn|O<Y>hyv%4?MNO1)LA<(2J1R#w+F*Ic7e%uu<vp3I2lybsEBw%NW$nXF}$<?Mh#
z@^M$@lEq3kgU4Q=R8~{jOuN!r?;A9h^>nkn-bglES+uj=Y1XnCv>bgt$8(J`e_|bV
z?0AZrWh<h3(4^3AH(E#3>PkJGtQ6|4_7S4ET1m~4w?}MFE!$pC(X&$;LU_a3tkm5m
zx`?5ub?|Ugna|d;&1AdYlzKc3f4bdV&ooncj5j(duSCJf9nQAfM9xlwQ9K;>Dl^G;
z5;&)~mskfZkSpfbGud3SQ)$y!PttH&JH+SK>%H1K4cM-y&>q=%iS*&D+D7ws*23Gr
znk=&R=fJ>8z*OttG#QWX)eoY3GM&ygrZj};9>_L<vMO>K=%S8z!^#4NpjAkgvwPvC
z_DVoI+AMDu&7Cw@9fOi@Ceztmr&1Y+{3q``O{6iN!<zoVzR0KUNF<=vUZYX!G#cf~
z^6ZSgUc+2!AC3$f*(1t!w%=A4+SSVJ%<Rl{1>H*tt&(~X$zsxnnE<#>jRF)mUK;Lz
z9IX}_B5!AhCL>9Y>(mXvu@=h5iKe~Sk;y5G>Ac5y(wv_*^Y(&gbXu>~+r`|@sn<<b
zI$32sr+o3j){B+%2O)ln?bab>v2_IXAJpjj3Z+H^DL8*<OhiD<6CpMF{-GH~rc-Uu
zFbfzuT!5iKNpes@P)C&bp(HG8hv@$}{jYq{!3-)X*3gDxMj2QpvJuT^6c8_mUkVV2
zzgD5%sbrLBJb0(kfTUA!QL4-pYsFR}n^6c-O!|HOOO=ovX{7|Agxpes>vRSq6W#cE
zO<Ezsvl3;ioor_n>^Z3bvKjMJaozPh@F~O^pa6)Z0&04=QvsTcQYhGgfZvs#-qpSZ
zvwosg2CYtL*X{}lR=hibXpBKw%@~B|r7oeV+UYn!6h*6CY$#j3WJ8&4)YAprz$|YU
zt6)(m9}Ii7rQkoa{YJ3~+M@{>5TTnT)zMO<i;V(+i?v)`NfHH*(8%TLof^hT7|JZ@
zAPlCW0f_?*iW{wL8WKvu=8F<skga7v$jQPM<`*f>Lb6rBqd5iX5;P@QquWC5tq#qO
z>y-yvtT+WtQdWo(p_+jphcuLK@D}fR6BW?-%ljyz$`q>WG~{@ewcO$M9Z@bTCCu4$
zrZ55Ev^(5KltZFfuF`20l=V)#(P8{G@f#xW@Jn+*3z`8|obBm)GowgW&>bQxw-UI3
zU`(B>6!QhhWSS%Fxoj=n96&s$IyptUUPVoeo@uFpLf09TBALlR5!7qR3e#W84oOxT
zLaWp2P<UeO#?D8Ropxbes7H~^(J%_XAU%_LaWI93K)ls3plOBAYJV|?Hrq}fCS6Gc
zmN%AEfbe^r8qdiD@k0~<pVZpKjZi?ndUHIo^b{lG`k1T}q?1Tl$byJKx6y$Zm%2pH
zGx&905w(gxKM4;sA_veTWWRylkVWkx<QTJv=nf<zVVD9+!=G)Z3z#J|`o-FMC7WxL
z<#@HSmRj#6VJ6}SJuQdJQM<ZqHll-o=+JCL6Np!+XkIKkq!=qunymn59KxHr&bosq
zc=yMkRZOmAp3Ka;vXX4(vjVem9^<-!Ow&V(Tr-)k(l8XDTQTO<Vyl`&j}*|gtyZ?0
zg3*XMDrkBPG(#-3L4;Um)}#cb5UVe?n8+ZGtz<Eg2M`Jpl!yzef)|7GE!Ztg!_jjj
zj>Y;|2@H?!0!o<8MAL}|N13dU1tkK4(o^nA{6f}NF;`5Jf*?>5lAJT-C3(oX8Z7iN
zFmWkk4w!86`(w_M0gq>T8ok9Z2%@yr$fjiv>@Jg<Dav?-gG>}Az?D6wJbTS#V~j(B
z>(t6MG)*CVD(C6JLkdQ*Ycvc^7uJ#ZMW;Y9ZfL2g(ufe=@eipn@&OrFJ#kl#1@ufd
zAeGa}G~AX9%mGpxEg0unkdO)eiHbycCJvd^!Z=effT)2@Soau`A`O~+5{}!7hRcCy
zGQ$XfV>7->N=57vV_&o`U0x@jU<|~Vg7E|RznX+3fHA~O8O)Gk4V5s-EpG&y*X!c^
zhZGQigb5{$2!B-BhB>OJCQFdUP@PNzN>dIN_O#n67`@_*s$^^Vc0tyDHuGRb6)Kn(
z^?JFORR|(W=_c72V`fcAkPsv`+UQ!Nk{n=O3*BLj7n{vITu~r{U>RscQT0H+Ra<$q
zfh5Qw_{3<j_=~kk0A`{-Vs-7UXaqoo*e|9_p#9-Zi<(UkVNf#4OdVb{aS<0ya`LBh
z>jlz7;DE`N(nvItg9=<^C0A!+og@^i$r_o@G@31Cuh=dqiONuBoZpz6v1_Qw{UGs-
zht`RJO{!J!Nf<E5#XadM^IqO)86rZl=Q9#MX`WLn#UCP5j8TXsVkZ=6Y!(LHGzm_a
zU|>{87LpxC+FOp1+DLeE%`BT0>{IoWeHUN+RP3k{zFa^MLi5MMk{ZM$>+TY&RVFE=
z3MJ(_8Ipis-BfV5N`{`na08sH0zqEetx6ESSQ`^WR+S_<U`cb~(85@bZ3epCX@CmZ
zUAH+|CvKDNJq-)HKLriDKLrojuq3EjvgQfRkl*1?lEVplOJYxuoJWWwVC#t^b<T2;
z4XYW*vuT#S;CDm)jqUk)(O4%ZsG7|jQjj^0na?d9E(Q4aVt0HynHIhSr&#aUMn?z<
zc4{rZUae=c3L6-s!)z8fup%&%<18pthtCSxIJJPaSQI3v5dxC81;&zOj|tsUa9bR+
zRtnPy=64G6qF$>Elm{z<+pFwlnaZlQ@i1`Z>!c0Diqi0d$Vir{WvYXZy;88%l-ws5
z9Ij%8jLLM2;Fw|`kCcd2GT4qNTg71(mf_WqRsCYMQ^j{Ym&(GB&x$to5y9^eC7nVM
z;+D0jvtU_DC}o&3yYL8d9j+Ek*J3SQ>9A1SLD4(Gs0ialt>4{_C-FQS4~k1pM+y3l
zb>|V7!+Fw_<ocmKqNcoF`EtY=4rX47u5dj><*Ys6*Ge6>R+EMn!NFD)u~ZtbNsAv6
z5$ciR4?8ScQC$nRG#hCmG!u($fMb$jmMY?P*y<gGjNnx5Vn^mrucuRBR&uv!j9KIG
zUkz?Bnnr4Z42f2<%5fv$RlOQPn;aA~ajgi?{ebiFDdSL~$?)LuC)xAN?1!&UO{ZYg
zyktW`bBioBhL)xcLe$iX-2@^&g4^HZ&D>Sa#tgGh7&6)D6<XqLv`^AVBF8g(qe78)
z?)745x#ow{ydfatwp=|2r;r?Dc2^)&rde;WkQEr{a6NYz4|U*hVr)1TG;0?+$<C0t
z2Xv#b21F?LhM+O0Pf!K3Wjl=q=l~#8+A3zUGIpA$frlv$5y}2UXA*N68kKuggR3zq
z+mP5?SjoGi5JPBUO9a+X1C-c9siOb*5DEBs$W4OhI0aY)odj4eYo!i~EGH0ncSHDy
zh|VGPI*Iv}CEmq65I7kvkU9lwh(jt#95xH!_UE9*g+KCV#=Il8nwuaKv=!h*dQ5nE
zR}<y<Y$4ST4&PBs+;>D277P<}Aak&BDwD9vc}Nn_R2(mv^H@P}t8zUgsL(HbRVZW@
zg<P^qgVKUAnJ$p{U~!F}k_jU)MO8`eAEOAkCdJr|MND`{CpB9wv(9?7E>x}H;XKmt
zOr}ZFiv+4v17YG`6qIF73GJzDbyA0gP;5)|s91%9C=#_;r3iUR915=p3uJPSh__Gf
zBm6hSGx&swJ~rEv7-$MDGQai+1^u|$PoiFu4}vJn6kF+Jlj))kWT*fsV4LSb3mUsd
z9iAnE6$l^D;vC`Oi*sOktP_z0WHOf~F7-%~8#1hRFlIh$XK~LkYT66VIyRdf6!T(m
z<93QHyStG96!ezhKcPb~z>DqmVi%T*;8v+9-X{KH$ag&l`8}^>rWPS0#ZIOc_sUdC
zt@4m^9+HBvE1`9XKJt1G9^}t*_!nHS)F>pmGt4&Yhk*-5l*sqYXBBmmG(HfRSnR0R
zV9<2h6g19O8*M3I)4EzIjfkTjRwmo+Bto}T55hf6y9)lD$bmcTDA~C0q$fIii1>+n
zHe+>9JTFruoO0YJ#u^BjVnxPa(6r1l5atDkW1bx8bXdLJV!hLXB}guiNCXZAyN4VY
z#wYTq&KT;+%>QC-*Yua^Td8OBBoCPrFSzeCj$_$531??)&!CwoYho3RtsRf2GQ7O2
zSrCiJ&%_JxO%$WYERvW7oyZ=h1{CTDN<g?{S({HSPKjb3w+T_LUOUX?Dt)7<PzPp{
zh@Qup#7T)*Kj7sKAnc+Z+C<Cm?6xw~VOS@cMK#J{IQ=tw!V>&WM|0k3r)3Rgx`Vnv
zp<U(N`Cy9`6qP|}l>NOxX&-x@d@V@ym~)k6zNI|aXK?3%!t_i^I*?=D@&66@P1)EN
z;i9eYm*JBAA*GQ0{qx)d?|MPu)B4Zen>umxH?R82p$q)`|0w^j?F*jvslUATS%3Dz
z;L`rVZTgG8b>@!W`QR6h*q^IW%~XH3{%q6AcMa8Q@YBv89RF}P^{Sih{V%U=>n}||
zEkAAh760?Up7N2OK4dOGn%I2DU;OPm4m{)4%g_IjXFeDF$q!zB{ihYLKK1A6f4KP0
z2i(T1qWAx4@$#3w=kWtyT0fe7<%_=g?)Sgts?^V8%HyGrzy041J+<+cw^Z|&8vIM2
zxbvd_Y*+Sw{>m4;T6g=a7OydW@!Iddy?6DMPk-HofA->|@A}D8-}QzM|Klqku6slO
z{2!`+`Q;sJS6pei!}IDN-%<MEbME{7EARaE#g{#&d0XO--uGVG&dL5@Hyox#7bpE6
zwjN&fMBIn1&hTNa&V1NzvmXw-twgRp;jm!%q~K)uXpM1Cd<5sR`>5V?!pZ8Tb-q3E
z5uAYUyl{5APh^dA;se}aGl$$0j`jCR;1l4^iO+8JIlW$wRX!+0oV~_Hg5N=;^TO{S
z{(0ed5O**51qT?)>2S&zWh&i5c0KE&z;i$+8`sb|xN}c98372}o^WgwIJa}cj@!4Z
zUKw}piBDE9aosuLWZXFwP8!W!jhv2Gg5TAM^T6*O{d2d6@J}>;I{qo6KNau9=o9@(
zDos#-N`+J5rgUUaI6=k%HCoTxHMQO+11B3GhU`h;J3kzkHG8*zk8+6%WQ`I#Ijvn1
zJP~<EXU_>Q!+%aV8QyckO&Pp%!V}(|TsUPMr*a{OI~R`;-6zU-G;eCTjC{MwWn{ot
zCf_9d(iq5SN<c#Ycf;*KwkMnnA0flvM7yMVW%xMQ9&kH|a87)aV?*_ly|J690?}mk
z?uMJ*zTI%L{>tb#9ZqQ9IpJjWa&a!{rOAE}-1+(|5qozd1v*Z)Q-a^!h;zg59;9=_
z?{555_~{c#8do&_T#9-xI9caVE9Xx}hrRLPk#obzNA^k7%SQHGaPpCz1}BZwl#x9r
zysYyAdyV-^*8d6o^3Lr+FA09i$WCj|w2_?#Cs))|9tbZ_`VF$S?JD2VmR;pLXt%3;
z2dyT`r4H{vBG5-_rv$eH*`9E_r_%I#cXUp`NA`qNx9D5RXaq1e-n-y-qni%5ySvlj
zc6WC=oD3hejsB>=Q`<Kww$A}KX{YR>hu~A~sz(|tS)<So-l{3>lHjLwc3M9q_}ybX
zwcir_l);&Xf7+xH;7Gnr;S8DeFqUsS;C6M6=yq;=)SD-RZ%;U>=hH@FO8pZ2uEtJp
z$5cv9!7CR(jNiyE+Qm;(=GQK`DMLv0?Sh-q;i+&_Iyx0jhL2O5kISxlW%%}llc+31
zis#M`FGDUW9bsH1+A)ED2T{)nPxuA+bK&1L>O?V`7t{(V8pRrmXv)+=)^nk7;wc$P
zBu1G;DFnF0QJO5AhEiw<!Zo{|Id?Od_?viUYR{$ii(Kw=7$&O{3n)lJ_-NLTiM6wI
z*SrwrH9a~}DB}l)cXy#ck7)%0Jtm6e^q5w#^O>pikRIIGv0b8bCyPi=iW--qd(`WR
zCwHQq;C*?aIH7iYUVS%?JH|y@=-*GDxDMc&$3^QhGx&TqE(^Z@9X{WU>-D%!;QB*c
zEnGcZpH<++>$p_-uEzCte19K(;(8IT7vst+6pBmm`7B%u`2M%}d>5|Q;rb(7ug2BH
z)y4HG1&&_D^*6Zw3ct;`K8Wu|eA3b2Z^Y-H;d(2szrpohg+lR{_%z}Adwe(G^LBjR
zj?cH?`cqu*#kGy=Z3<lYydIwhTsnMz39dO@*WmhnTo>c|b6kIb3;z_yaGk`L0j^D4
z9b9zg&0YAs4xc!68AsmYL~&eC$8{LjL0lK%dMB<SE;^~titCT@y^rfwTy0$MS11%8
z!F30&H{tjHgX?|x{y%ZO8P}iS_no-@8sGl{pMQtXlepf1?|0z(Yh3Ta@BbH{e~ZsQ
z#&sLMzZutiaP7zSOk9^M6bd~)-+<2<T(kIoA+9&!`w3i6#rJ36TEKN1eqW61B3zf^
z_XW8A1mFJ%*K=@Pg6k=FV>trXwYZMpvf%o#LZSE&uEV&l#YIaO`*1z&ZhYeUD88S<
zbq%inf$IafuEr()@vH#0gpP#s3bNObHzDj4z-m(i`S9!yi*(puhb1Mf#3lQ<<e9Tr
z)e{y6uVzb;NX2L(F^4TLruY^|N+IJoq&<4`hk#jFCT7_|EHO$<GMY>q*a3&tBdkne
z&jM2Mu_9XO>?jxW<dF1?HPmawMblmNAsa(jK4d#w0EeAbyuW<;T4)z#Hz2iuC(SX?
zmU2GZ7qhd%_HayCs1ou!oW4LLz8-S=ovxLL2WL60_}4xD#g%mer3xndO{w?Dh-!^n
zyGMDllIOjdEEj4O7Uyb|)FiE-p;H*csqho4d*df|w@<{6)y5<e_Oi%|$Ya^DU8uGu
zA5#cR)<{p`yJ;x@p_o5RyNeFvp)oXLxm1y46#Wr@@U0>M-&M&vdc)zS_M;^x0<9y}
zy4YwJ)9Y+~acARzLR`dV<=|SDogp$eOMl_@U@lOy2-y8eASXN=$8<W6Q8bXd*j^{h
zNo4OxV>HqKy*k5)AfuB6H-S_j)l@oR=B|sWK9uJ`$px}DP|wHsrvQ(KVR}E?%}y;%
zoAp>O_yp>y?Gbk*(JrQSN-!TcX55aQK)eyt@d;bpfQ$CO3A@N-SofF*$x5R(0ksF5
zC|1B=W$Z8?w-$8c`;)MS&bQMEAe0Kh=`7^YOtzb+pGkNGSedx`jq(Ec^ymCbNdV&<
z1u-LRuT_0nJ_t))nAoi#CRI@KhLn8BYXP0uUI($0lN$suEp{ZCP%bThQV>;QMk!LU
zC~bu0W3;f_pLR4z8i2ATC^JEJ1I#J?Vh9C%g1p|XA12FL)`1{%kz^nvxJ<;O`C?)=
zv;s@Q;F~U~!byDMsPEP{lW=M5zDItLtP)Y>?0^&Xfh6yDluyIMH1#Ch`T2|Zgze@a
zWj(16sQU^kr(7g)gr|To`t!WaDKcYXmLUIDULU}vOh~Z;X)-XhLO$r;f@K1q1g3Oj
z3&}*yynQ=m$pi?iZ~~tIewgIb;Yo}FzViy4Nqkec;7&Ax;}!S`yAO8?nhAU&+wBGu
z=yra^WAz67;|3g|v>=Hc8qIpUo~~DjFye+bX?S2LB2$-Uj&fd1LV`h8$>x)3O4$<A
zoLRP03MpJ=;xHswkJC;G?*t&WZ(+ubtH6#dW<+A&17<X(3r)q(rY0p^_OcnmNq^_W
zOSTr7kMq2>gm-eQj4+G%R%o8)#IW*wC81QFf{L^zhg(W&0xU_GDOf~VD#{Oe4PqJ3
zYp0yA6p|&eGqQnhod=(CzR@bL!|txNi|xTW5?|ZGgrd%!zdcIU0q3{}VV(=dwk&sQ
z5+5nuFyySF@rS|Z*d=+m3qCAbb2}aqXv5%l;-qBxHap3Mhya$s{tvMtdAs()O>LSS
zPx(*@xphLrcjli7rQ%p9!lIR>lxkCsyCThjt3^s+7?k2LFl|Y@A!y4Conj()wkU%i
zZJ2<ky$Wt0-*Li{x6l17bwQr5Of0~6)vrr?hJ<cP^w_n@mgmw9L^xp!R|Dq{z>s69
zdgKwx2*@FcZaimj!rqbcqy>=#!x%$+HMXBh>BFMXD&q74atbR&IyhpziOt=zS|C9-
zI_x+E`AwQGY)8X*ucqK%He1Q{MmgQmird_2hnCP;nJWkVqYU|7$S$pSF-*J(!l^ab
zaE3JQdUc0wE1Yn{+?gFkvaSFxEEL)*Em%b2M&(I^PuLnN_*08kuh(X^FLSSOZ1U0>
zJ><mgu=pos8pNc`T9;HGGre~_$RsLyi(R8TO33ovacffdutH3xDWn{WJZOQIf_@%R
z1{)x;NG5gw2s5sv?TNy?XLg!gsIeQ;tdnwT`E7x+;><;J_>RU2WKtDVpOMK=!R8$A
zPMrFH9JjRdNfg`c2_(rge&L?(jv^Ur$fu|<J;BE<#X%gPB6tgwkekZFG88uU3F>=d
zz{h$KN%kb)xfcl>6_&Qo=nOWTC}fUlwTeC0+_2c;=}cG?lcvCUN2x#wxvCO7OZP}d
zb5=+;lF0m*L=ro!Badx^7_1~eS7DugvitlVywN&N{6J=}^b{QdLJ8mEQzQ@}jS$h0
zd=F-HTt~`>oevUF@=ure8CQg5+H0qFQLw6U3_`O7Qv`>eh~tCPv^b-UIb&MaB|ei2
zCXqE+pa`cZ$#Rv&B8h9K6-r3uY=`~Uwe0RmLU*N^B4OSAAaG91+KB-aJ5A)S;_RsP
zMkj?W5S)^0A|=-(;;=!J0}9h!v4_GyG@Zz}cLT<)lhI0`zt}j82t|Wrh<3wDl-sS1
zaIOwBpScIl=7(^H?amSR;YcK$f<bbjkMO||!$(ZA5eJG*W%QBrE!5;6eD~4qGOioG
z^XRq)SNYqIZYyww{^QYY8?MMVAKiZb*B;$|Iba<4{(ZnK<NNR7x(pZnUU}fr?flOl
z-Tvy&_$PgTjqE%9mS6YbZC>)<^!;ZK@4iR(Z^QkU>`}H8hxq&C8Q{W<CqdK99>#uZ
z3JHU?m@aBHyHMs)eh7vVJRsRZ5~0TPn=_n%4C^Q~%|)YQEPdqqlg$PB4QU$eI7&fo
zaKIH{Tb>Z0ql3tBppwiU7)y3RZ8Hv(b{4R+`otK=L{WqG5N4(pi6;AGJu;skyN}yD
zS|J92;Vn&+jD>znkl<Xj`6oiWB+{^DW@-^x6|Gtk!BslOs430~#BxY*(`iHGGo)qr
zv0aH7ULtD~20m~2X@f*izUODse!=E<m{k}=G8}W5Vkz2c)NT&Q@so8Q6A^>Jc6ae}
zr9@-yh#33dqqLdUi;9O7CRk7=N>Re~;I66!4wKbL%N4NGm|m1-zkImFY9<UAF3aR{
zb}X1C?n<I<s$oGvF`TW103~#|z;!tDict%LESw&~gW)27k+(XoY${r*QlTjm(jKIO
zdn!|Wbo_`ozBD88dp+N*%MS4xD+aE;fkFxl@ZdT51*8R>%=8m{M>e=3=4`sbv98nc
zA5w)fUBYn-x<olenJB6_3r_SQ$0V56Nr?h7u3&Bi9Z4l<VaO_ne~e}tq=ZI3rd;|<
z3T<~0p5l{GV5150(+pyz<n3T6*KvxOpl_M~$pzBHBV!T*mg^NRF9ljPl!C!MR4SS1
zoxm>-2FOZ<corN1TG!jj`4jbz`?Fi+jvw4zCQ)ySG8OwI6DVv>jmKlkLxN+v2c0AZ
zAfLU;?t-*?ePYujaP0{PBVn&~LWWNahKVw2GW@(7uVgt)wqRHNW4MVH$ok8tyWm;V
zZhU6{V);?pu8SCto$-*H9m6Ir@l4yzE!59W*bt&Ra6@Q^GOhk%*_Ittfap6r>Owf?
z0VfOz-vlKj&B#3$0(bRu$|I!Qlwx2J<=Cx=1wx2N;m8Xb`X`I$h=ho2`rVkGJRT<H
zNan!2V+Un0gfR8k-;>89wF78K)k-lmhDV6=O3@{8;gUz-CYA=L!pprpIW)(6{=hni
zlcEMnI=pFYY>4MD2m*t)ZL?zr<q(`69FG`afQpbEJSm43`a8Kg#vWtGOp4}5Gg}gz
zS()#P$Pg4Vk2AHT6JgoLV0N6Da2zzZQFyb)HVQI$*7sVCS5ll<uw^FJ>Xo!if6jfa
zGHXIQtB*y`xmlr{98d7^RC{N)6}=}MnM&kdGoO|Co3Fo96kx0%W%mV!mE$8F2+MB5
zJr&4>Q{r&GBAvP<x2gCsPRQvP%XtZYd`s4UQXv$dLw~21Lum0sNDr~d;*Pz(gj@a`
z%^Elv2>-&zz(G8P<Y65@B#c}S46IUnjZVpDq}Z;p6)0-}BKSq@xt8JHdpsmM%b}4=
zg|^6ODYGEOE!uF(v4V-2Ql$fwC=kN>BXc&G9@#?<GVc@*fFne~aoz#OI;nX6D_X~o
z@)hYIYrSlIc5>wo`AP>sPk05imd`QDEgn#kuRp>gqS-4~g->FhvI7alcJ9DCx$a5l
zA?wx{=p-Cp4}x(gTV;|<8)-d)=}wkcbe_bAN&G^5c5m@0ItT)O0sb7~aw>jtHta1n
zr`IDAS%_xH#OMxqN$0Fj<cP>fHMLzkqJ%U6u=!+%bP7*RSd4r`8wk1V<X|X3QA)uT
z<ZzSt<lHL8%Qzf!rpbY{Tk$4<-3usV)0!K=6DF>Z0796=`UE3gCLDyA6R%G4Q3x-Y
zW|gdX_RBgGY|Jj(^|WM$@<a029LnHm6>2yZ0>;h<W<Qxsj2^t=@uRE-A^>Gl)Ltx{
zw8$hE3$iF&&v<P6WzT$U`%2+Dd)fHAc#l56IQQ80L0t6xo3mpWqwKpJ{_B@MwynY?
zzjwax(V54#1KP*7Z@|@1J+^%#uKtT2+y3%P9^2O7QsR1K9x%9WBshFt_TtC36}Z0q
z`;Tqkjq7IN`T#zO0DtooJ`h(>G9>=Q-|xSO|Gt!eD1IrxJy(DeZY#v!;%DnZv4nsA
z)$HW&oxcv#pUvs=_?32NDB@Z4*sT#KyE{AM^LQMEq1|q+s`A#J$7apra#;Pge0if#
zF1jo|jm;X2F5;fa7i{(H!MGz947!}XrIm=o83G2Y*=5y6o%Vvy6Lncy@wKH$RMYFb
zBGxrq-XF7BeG%uPt($T!4x(DW&$Ae+q!)tupvKvA7t(%Uh&X$`l5^mT1T}t#wYQ49
z_&s^AG`)VReRk%*TYo<9Ec&b(V6cZbTwzaY!4Y&)f2~%%$L8o+dw^KB)<Kh?!@4lc
znHNpne5Ikmf&a!;Urp<5gp&DT*xjF<sb(TAW2<d;E#^Iy<+WDTyy{)(*R$0~F;VCn
zOg)drurMrS((b%lV=yJks-huXaW4)xe7)#KZ7@4y(Aav5zP7Vo^LTrmm{k=qRT_EY
zP?ha3$IW*Aa?qx!Ev8Ky%TZ_9?e2HufkeQPtmsR<jgrb-o1KaK0<N05V>G#JmbNPC
z^fe6ul{R1X<ozkFHxg5+*GiS5q1RgpcDlJ<$JAM}#nM)dx27qlt2OWJOvvPn20eaD
zLLGKlO0K4Pty*q1qaA0r>ReRYim5?b<<u7YF{`Fft@#$}5l0|p@TM)Dnz`w3b!KOl
z{fjDVxmBv$)&?uCSlOPf`%-m%YSC!x54<a>L9*NEsl9=MAsNV9J%d`K5>FYuF>Bsu
zvszuH*_nJI+RG<AJ%<&%7Scp))+k28X;Tla8R95+Q14vK2czx9X1S3HWHlA9u9I1<
zR)XqgpgDBU&Zu+dUcASiF4-1)z16yPPiS>cRR|b^7N4Wlw-2pLRKx6y%^Htb%Lbn>
z<m@>JQ!u#f>=lA3UB8g7_#@!`gwK{{oNw*>f-=s}$6T@D>`caPa|Gji%qHuK-5PXS
zI{|G}XSGGko>rx0&t)oUUD2Wsy4~^Y((FvQ71BF1d3QULE=D~Dk5RW|^wq1XxF!=(
zo02MX*yxM-?1_NUZtxHMgSDR4wHjB)LuTDtWXTLVIBZKrd!$}AI8q5?c$i%A+lHA{
z_gZhYS1lU4d2Oa&GsXK&pCzO5l=?oMY1O~n(zhJJLc$g-FV4<1O4VFTmrm*Hfr>tE
ziCC)HNMBv)X3C+svy(S!mvS{@+N#=cHwJ-tCgN5_TLn*~R&5y6iFP@Md7+L*!d{zy
z(eKW-ijhRty`c4{`*Bys9j<0A{<J!uD`rAT&7yb3o?GpQDvKLdkKQx{|5=0f#O#bI
zp{v?m4!^HZ3Z_-Icsf(7XexoVQpT}tjA=IP=tnHuD@1MSRYN|pJdByL7L}tBvtEDw
z><klhPQPP{@MA^)XOgk?WF%w0x0ht}oli2Rd;W-3<BP<#{-L$cB_q41mF}HiGX6K}
z|E*;F|FUFslNJtXR&2JobI}`08kSdw3+<(_rCEzL8qt7pXf*fL3u>RsM-nRI>4nlh
zOsm<Mb3xZ5s&XK*x1J>}3r+bObCV0Q&MHZBlC6?F-(hE9HVKl^y{vY-n~{XCR*U%>
znXI;0S9R;w_D0174WVy^3f^YPVX7}g-0fZ{<w)u>MSHigp$Tv37W{dg*B7s^wO0Cd
zuR0W5UMTua(dB+@!M7Z6HZ{H3nYCb8RbCEm6eGG+E7vU5R(&ydq8(lFHLAu%|3*6F
zs;Wb+)<SnVlhjqx%N27uTH8<$Drv1Mn6k~zxQtd~JK7DVo4UkcH5bdPsy@S7xe#ft
ztgLlfx)pD+oYJrMob9E^QpoSr<Wz&eiX$8yYSi6`!33+N;nvt|HnS!bUuqTN?tt4p
zsIIgtS*y*w9FDg)swP8T9rxE$rCP~mOjq^p^6J7$A{6sfjJbGxcBZD&_(L(PHdbmG
zUDnV_Q}5qc)tA*OZ#@^c3^ZP^!>MX$>K^Cvny2OI76Q!$ORLup|DQ@md$a_bF_RT-
z#wDw7(V?#yib3<R?z7fic024TpWXuN&+c>RCCy5D6+J(<W=;ESby2fM1kE~3>v~MH
zLa#zE1qaZs5o>m_r|J8KR)en;?E51@gWpj|;@*JY^GNsp@3q0EgWck?4S0X8d8f-3
z?$}_;6s<as)#eK%mxm#nUz_h1v?-O^Q#CF}{oY8&23x7uGpt32KEtX%6mBoMVk^N`
zX+djVTXHRV)V7V-a$4W=#&h=K;<B}ANo;Hk+?kHwmquQLe$XkxW=zIS!(dX==$S&f
zOfut6S)z&MSgcX4_)H#esJd9S4&56owz|V^t3@X5r`oC}KRdJJEZYKut~cwACc18Y
zd64Ov{Iy;$l^5(MSGt#oTcZR$4R&_MUmFyH8zJjX8b8@l20!$DQ^%Q&a@@0nyLwEf
zIeWoHpB1!+tw&NR?pdxUJj0U42|vb>gv3eYJ$<WhMH8?2SC^Nf*4$b?ywqOmXZtmM
zv5{AmyZT|R6EbMJ2IK5ZTc6Pc>>a&USB=_@{#wRV9Cq7IosX~tw6)q&u#_;{Ry*a^
za53m`>CL^q-9AVcEgOwY*w>w%>DWs(bE6ksDO+u8%VuAzWzpn@_MF|h()OHh#*O{L
zbNFwRQV<AvV({OT%g*@NhjTWpur#g9%&Hu?BhI0>W@xX~8lg-%8u!{P9YbJ{>>G1F
zqsCv-*Uho&T4li*Neo>{%qE*<O}}KaE&DUJQZ3);xJ<dE*==l^^1WbLpICA^BEt=P
zGaOS#J6gMCVL2WuMB*TbF&hiJ9opHMR9QFBh5`;vq1iT+0~<le!OTk2Y6_{NF^#cd
zHkR6&j>G12lV9hEY1DC#W-$>6)lGvnb=fjIlQ6hEKD)u*YFjKSRn(VJt6RRbO<yvp
z?K$&CJ7ssTmNHduvTo?=m%4BPQofd6A6d-CH8xiY)~=~r);X#hF-yLhv{iGO#F|?_
z*a-KRvJO?i)6&{pS)<-*(G_xiwc3%uG0Qc-H|Q@$VE<ZuDvV%e!`6t^{TrH%Qq-We
z^$pFa&bF3bOs#c224BPy@ka}5;4bJh8}kZX8Gkz$cNCKiV`|uH&&~`A_M*pJwM5#@
zLZYYl6<bMX(yy*m7S_V0<cdp|>BfwGU&8K-sSJ_qn!~+fP1NFAbG)cEcZcvB^wG91
zQu8kki$lB99``4$x?DK2u$uSOYW-+Awh&*l4q)>8`%6iCwW~{7HG{>buDlovXOqh=
zYD2YKDft^Zf2`cCnj!^r&K9(-m^>!yT4AVPC~K-A(^@r<&-SurYa_AZS}3&I<&~tb
zn_9JYS79X#?FpPV?<ghWrIn?PidCO=TJ>(Tx@TH6FEkDIPCjdMn!R~v$XW6Rii2#a
z88x`IxlYO%R~0mw*_n#Lov<w#&4W~AEf+LIEp>Hp*}9O)Xxep~vrx!{q7K(^wO#7=
z%FbYJV^Q18x>if-c0Hrc+Z*s39E(Ncn#PHVjk<d)U3H@rwlA~?#z<$SyS%1ru0)Hr
zrgv?vt6K{96E$DmS6uZNiVbhDtqPHri3O55uexe-)QrAVuaq3Dl+%fVtyebK{X>J*
z7}QsmjC$XOy0YOO)<X7RQ0Gf)UFPh-v8c|);SDFUx`wyg3s_<fLn)HhRf~>XPvxt1
zmkNVkDCA9NtB%EhxvVb)W9_Or;A<=-s(zu(`5|<CZ@7{Q>GL&nF_krHO`TvMQCb~F
zOO{O39nYwWHEq6UvwNCte=QlRSv;1gI%sTX^Pza72pQj+ok?p=Mt?P`>Qo2DwQ484
z95ZY<EU9oKvFg&*yo<F~rRmoiyw!zVA%S><&tI@5osLM&8_^jD_2TTz!a}~GsfNR=
z1B*W4+$dtDTov^$8e4H~qP@6kY&Tqs^?@0bwg%mW8hV$jcv`yhK)<2Y*o+#`A>ChW
zEHvAWM!BI`>K7Khg<^5I*zA;i?L@c~_g4*3({ec<h`9@1r`H+n+N&$I<w#qfY^b{l
zV6gR<{8_Cl;a+I08pGDE%Mol;EG?I*(}6X#7*JL0{Z6?$?AtVsX48@G)|<}qGQ3?=
z!fp?BR}oi8v=YX6)~!pJwYFp@RMKh9<>0a{AGAkfYDa!KptG0_eMcl>viLRTQnbEM
zhy)D2Sln*!l+>!(nP}G8(?+`J%z}3*H82H?Ysri;sfDKPW|OYL;<6{_T=XPuQJbe-
zHfyvkhoj+0#?$(|SEE@=L&8)RJ2v-9qTFAKS6VGYu<2@aR-6?}q8Du&Jk3R~EfY^J
zZ}{Cqf6T6J*aNwgdTHP`I+{9nw7-GaMjy5>Z*@9qbm_citILwHq&3mT%D}5_`?`x+
zL!{l)ESD<57+!*@^#zQBVm@BCIO3fiY=)G3F}A8}YBILSMm8VNsh1-w{pDfOowI8<
za+;9K(TdiW?Ea-@Mw{-{?OvBTpmQ$jdkZVJ=JE!loVlYPwBwpZRjiV%l?;{YLL^yt
zhhvLcm47ubScw#S*{;WFcP;nA{cfdP)aM-5N&Pil5pm5W#yLejc788ALh(nPXiM5`
zyW)@kx4rCg&o`v_qqT?lqu^!lxL2~8r^P>I@yDHhQOOz?;-5ZeOcwui`di7>SSMq*
z4iJ5{c}iBqKqup^PQec{TM5FRKfhi_6m^Pb|4sDz?94RH{+sA^v|);7|4sBdwBHoX
z{+sA^#Qvse_TNOW&(75Ka9upEfX}93mZl>gT(#Lk{d&+gOqZ=)IEq=Hx*sl?hW&-r
zw#yT-l~`Od>~pR;Y)Q;=TUfK&30GPcQ#jg98nnq|%%N(jy1tx6ZFH&|4oz=m==A!m
zW#;GD3O;+J-0M3d)_@p)to!V;sJSmx?k(~-q{CsejpLAZTQsre*La+8rSndQfDsxP
z_Oab(h2I^FFOg+j=%)RMIeKkDs{@cWtJ`FbIeh*N_n^O~jbvIats|Z4>rDn%wy0WJ
znVkuA4GFz7;LWQwaZ@~RtFL)f3l*Q%WRDdhmYyNo2qeStYJb=+w3ju(aAzqQHZJAc
zrmQ;|^hBV67nax3zQ9JM)3Xn>nM_mb3B^|}nKk=jJD&{smx`%|qtmhWa^{GxZ4bBN
zMrShasQdF>-N0DSL)tY92K9z1oiril>+deORs9WZ%w$R>9Z5|vQ7mNwLDgzV<&P`}
zq8f*}>R7I<di`O0qvL4@^$}pO#<9E+skeL)cf}Q4Qk!h$!iK%z*7&>;yQdN@w__zZ
zQEL5KZe=wdi~0hYjp)*9FE=#8nOlPu&?{LN3mdwXK(jiC>pJFYGacJ#SeuScIZ(6|
zR@MxqA^eJDFqYG|nvE5&IjgV5^XHB|j_rM!e4H*;Ap<7t`(9L6TFB=7?u^r^)l>$Z
zrE1GjE0tGD&;!GIWU*~a8hpBv)l;mQ3Wg@Ev5gG;OGnqcwqy(x!%4L_u4&pM+KkFt
zO?U?Bmc3x9XPO(OmDG}ZDQQ->oX%*|r_(M6jELOpW@mIu4qH4Gszyu6;!<U0V`Cwd
zwJm58`F3kVXH(^MK~35ltyC@ARwb=T)$MvPM{uCEE;$Oix+e%5qNeM_>>Y1nts1Il
zmkK?z)*23$I!WuWU(~0<p{6?6S+0kyeS<o-kx#nI2y*pQi}0_!p+yty7?&?m^qMo(
zQm&EFxfg~@`f|gXUJW`*=9)R;@PzZGuC{G*_Xn9~zZbP+TS0qZsh$bs)ph?;AqC5L
z!S9VWQgLU})5?1ajg?q4;xIX~t6_7fug+~a^UhvHZr=y(Yavb8?DV)7T`M8PqE#wu
zdnIqoI{kfzsvm1<a#~N;H8hwarTRj!wzg)9*%JOtN!8Fg?cIXisdkyxYUO;?P(aUB
zSZPXVO68%ty|J|7(R4%MjMtVbHr%z<dS_q@>a%LAcHmjcRBY{ywf>TJ*{LqJJMK`*
zpVpW3Wv>}+P&bW@Zm$;cXaeEB&biUj=*{s=*rM}Bj2qUjK37Tk9ep3@9XGY~gLGIQ
zH21ViYc+c|X|2Vpvoou4kD=FJQKh;er#A$vcW7`_V>Pe26dF`3#){Ek)}_K-L%ov=
zWfwiEK_HO|u2$CaalDMw=+0s+B59LTJ6w(jT`o0(?ZIe8t?dRocDR1M+Cb9|*4K1B
zLpu|1WPF)eRW&So+o@z}n2B_YOG}WEk=3EsSZNy&EV5bsW}_+`%Pu+6)!<SZ&fSJF
zT4;xw`k>2K4Elzea6Mzh%N64N_|TW{w|hD>e11<e->47mX;n0tSn}3Q(SFx%OxDbX
zrZ%OkEeGu0;9@eLU(&esLCuo7l~^g*JZs6iZMfR+X7MKPTBniDE@xtWS8K6owmSx9
zqr;Xf4i<~uoUNqNn{26Ma2T+aOm=;9*%YmKOUab3>ELbFk#zCt@<<(7EOzu=t$WdH
zc9<%?tg}%x!XsHK)tnu5#+irQSuFK34R0-wYL)b9lcAmo>Rm%K;xDb9rIM^$VzFVW
z)2fG@>Lr&)pNwQyG!1KHZQwFxUD{wrWr(M>ao1Yf-mD<7)c0BXeO1PkQ^7;128Mps
zs>hi(xRxC8grkIzkIP{5cZ=%9oDW((vjRU$mqDwoi<-7!x!OyWR^7G&#Mp}71H0B1
z>-raL9>g{~SzSD|=5$p0aYIVeH2d{y>8vlmTwT?gSKROx`?-p_6L2Ius|oMgO1`4+
zWE-$4dxeC3!P!}Dh6e+W-Cyv=by{n|R7iQ8w!q?ocOlVQ>Dg6LXVa_7tgU)8HUm_}
zU?HDK+On%A%+0Q&>8#b$OQ{We)#T}v3v2Eb+cJ422<U8N+%`>NW8e=DJu9xbscT85
zhBjj(nz1g}62)NG2|6rzOYT@k?+z^K`Wio;Y}!1lD^AUZS*0n2ebubfVq9HSn@Wy_
zTwt|l4;hA)wQ{X*3$}7yO+Ek&HoGAZ(gZVu#!!_}S%x`Z&Zsk#2gSBNqAm=31xGiV
zhz{Mgveuqcd0eKTDzf6Nd26fIRh!c>JL3tjtX7**@}(A?)lfg*v!>M@mBZN9v<CK`
zHC`|VR@$xfh9#~kT3mzGvf1Jv=Iwfa1|c^aq8NH>K3Q1ld-`jAUB16m+gKRn%1b#<
zsh88VbdEtlQ;tJBMw8l=Y`q%D#x2#RC#-MVJC2~y+eCyuVl!4OF;~66<kjZ}?ph*c
z_8Ri8Zq24mr5xt8*BB2Z9mSPGI@HSAEnQpD*@@*R*2<<UB5u)(`3iwLUId0c!1S7X
zDiQM+M7v-7Jg<HWH0$ZZ5%yjs{nbvtJroZ_h?WlL@?j6Q&mU0=hvzTQsoYmv%~p%S
zrZG4SHj_?cL@0iC#uCg}Tv;n}Eh}1=BUaE=yfJOc-PWW7?Odv0D5wp?Si>4iE;csW
z;efB{tTYUoP_13FWZSAGggi{Kl|iZ=Qh5ftw%Q%luXe3Qv#Gpb!xj^ZtGDbfxeM)z
zT5awxF8316g|(Dnuwqz>2F%uIx*ddT=TDjK-b!N7iP}{LUC3#*whNind}~c*$}Fwu
z2jJLfI;hh{8kVIn0%b+7e!*5Lug0VP<poSm7+i@;6=(gFYQtEhl-K(DEn9eyNfc|V
zD_&d7tX>M{`{6)cH*n}XPMlq(GjF82L0!-9sc9NDD<+YvUkh7TlEX5#Svy_1Zo1_0
zv{c@N-;!TjEcDYW1!Fm_5317^i_H{Vbw+w#Z#kY%sD|34B^E~*F7J$*>^*xwZg;2(
zmO|XP7^t?EHR_68zhX*eL(7f$hDOs21o|yw(bOmuv;Djgk;Os8SG6{Y4#Dd3Ld4oy
zs+wc!C4+Uf;dRE0Fro4x*P!Zhxoh>D#<4bxttN_@W;(I78u52r&NYjsW?RT+bqMAL
z)|Q-$tIKuA!tz3LF&*}1-0|lBX74@Vo2<V7@szz}h=L#^2!%o^%^vK`?lx`GDJW@@
zwrSI(&1l*xQ$P^Jfdd2-1Vv>pK@<=a844nzA|jxOilBg^AR_&}&ok1r6wuGd@9Xvb
zfB!!1$@4t-o_p?m&Ryr8BP~sit28O&)s~`kt5cojtFl$*C7I<V!3u3sdTeZNinr8Q
z5HyvjAdFFAapcO9@=~ms(6VB1xa9uqJe^vWVNOXZtjti@stjT`<P$9EZhcx@enDAk
zYN0l%vMMP*AvN2RmY9hyGBHmRbotWV(dpGXeGq4Wl+nH{aj98as5K}ubCuTgQg^A-
zY1K)xr1AM>C|rN6!z~9d(Wm*vIapY?RhtXSGP09h`KD@jUZE;2y(l)T5QB2LDpjs8
zPOG*gBq@D~iE?i=7G|^-U0I<fCEqAlsR~4?7Kqj)=^U~uZ)IE}*6T!)6q&n1FG~of
zxypR$s><}rJb#+GFsDM6TvAzK&s66mCMIR)#pa|YB|5UJ{gq~P(|O_wJJzjo3w(O5
zMq)NpNTn5(@n9_CigJHYWiHldSR@(NbhBBM9xz)|5}l>?v>ZjLB~7PIDiK2nL7gry
z&9Qh58PT!H?j%vMp)|**&B@lt^UKS#Fm|*S<(MmFS-E*imogY@ig#w}{rbYHjG~m3
zB&W=cp(D6+x-HwBZYlPbxm}6*HmtblOUg3*(%hi8A~9$$&sSM}d6|+dZ>qskB(D^u
zXE_S=8OcUxR++OP7EAM)R)@wBYZ4n(X(eW5T0)-QCpKs1SH$}Cl8Ti4qSTU1kFL}w
zjWt!I`t9zD!ep6IR9$4%mnG>+U6_cNR27vnwLw`S*HvYtmKyZx>bydkM;a_mDfgzQ
zsih{rB~XYCOzp|46jz(lQ^cuRDOFmlB)UMN)?*SNb_XmvM~>a2j&?g`a`e6!U(58m
zpf|%_l&B6==T+$xY6ZrnN-Xz8%iY%03Z2WCA@(U;PH`N*O?SD;<E)BJ)A|gRYMoUd
zXDd(FmdUeA9kJ4!>}W-`7@bFDw6hRf{#h8D%Sz+z+7!skh#Uz?1%5d;Eu-VyL4Tnk
zrAn7uRh1n8<53mLGO7(;Tdq2~DqEdaDvz%&tCUrz1+rzSro2Lv-cpzp?U!VjlVfx7
zZF<q}i(#}qF4vajh?5pXrxp0)Wj;lLDZgCl7i;8sg_%BEesYSo+^hB{MW>Zl6+#H5
zFiC6j#Vd4Jo=#R&yDDNO8IZfs#8+em^oh0veL`U{SME*pC!`umr4nyZn!}iy7|b)v
zQ&JOjVq0}i9tQQXfx;Z63tgnlS0#7nXB7p_#ePkRDyL9x&&#)4@)V^B-h5?cd3-ds
zvP$wiUU5lLoHAc02_yua`Fg3%?2_b^;JXN>%2Y0&D?i>{UT!V)Vp&w|PE9jsxm3DX
zMM-|5!Ix5&T%>VS7i9S3f)!~2o5yO1&dzsarg~g)c6=A6SVy|kZZ{W*^1bddXL4dj
zk+M9`>r&?g%5&{ykjL^E>?xW8k6)jbpjV~&vy_E?l~ty)+ErPmY_w{oS0k~K8+Mhv
zd|z1q*RcFuD#_m!g~{JxMX2t2&|g~r`Y+_~u+~NLcC7rJgq1R>=T;0Ulm_Jg!q&g)
z#czQ04!8bg(P6xuD>3@4aq4Qj9=SC`x+`p50^?}N-Ek`uCJkYvdvweyMT#-iqn5g>
zGo;u=wI|xV&OEP1E|cp$Dzi_eFjQh<60l$e%@fomlts%NR=L%k={2V-tHjuskd>5H
zR7p~kf+gylg2Kd7bBa4z<0-JlTNR$_(yENA><W`ot2HK}X{Y+l#nFMdO1s~g9?Xst
z<+&0h9%r7VyxcF!DZ~IHH#tAaUs&KtElG{ni4*fG?D>f~sSpGRBv~XSDPUCTx^$Vn
zTxW>OQ+r+MUZ*5WUSf@R=GsiD>4uU7WocoGDmM@(DzV0jlAYy-^b|*d*y@QZk{jYQ
zDvUsjax1J(QHDcSR2-M<jE&FpNEJEuBDJc@k(iVoZ!FQsViRKx!776%O{vazRH|%l
ztIB3H<#-L6;wsFm;w>_hLT}E^R{5*V;-qYeHqM!xpi8h?TvkyqIw*COR2XapQbkdM
zHYL%fgJhjXV@*v>F|g8|*f(Kh?h=BK`K%*vSC*dR$xAM_NhKOnrZzD(H>s$^E0QFq
z%Tt2!ytJLR5FNPjrt)^GI(1)XO)5F7BDd0q)hmxY*PNDM)s&f_&cm4Lu9jEpV=eg!
zSU!_F6XT<;*i9*}C@Y3wRDOA~R%@`8r=%3B{aMCLyI)ob3hESRL9)C$1N&R$No55^
z*;O8Fa4So4a#H*SiM}e4M&T<@5{r$tOoQ4hN%6}?eodM<B{?rSQSMK|_%kP09c#Cg
z=eP~2rb=C0rbnfY%?u_O1F1z=ZPIHqQXEy4Dx)>Y2Qf#VG1e7VnVV(I_7+s<8C}^T
zv<GvJJy0UAEcV13R8ogG+2GIfRAwg>dMlOKxGF5s`+dQ<lKAMXGNWH@HyU#i(b1)w
z9GO@GFESV~9Lv;~Sap?hzsXhQbp|uD#X)hUzEUR2GG;|%8BeV<RyyN##^^HaXQ#xe
z;<H4_S^A7bS5Yd-5vF2(iKY82yWAP5P?@4dqTE}pO7Wxi+WRf}*T3?^Sc~{qe)wPc
z;gFOQR#g6#AO62DKg{w-{#-^a$E^GG5Ae^wH2$l<|5$te;$JD_f6rh12j?&Tl`{TU
z%J_d&%9!Po|MJHh^5=g~Vf=dvBmA@_f7X)Zo&WBcqJK|e{D1Bg2Fo8$*Bwq?_ZG%K
zVTry0@$h&o@}wIK38s8$QK_XePZ|rM4{1eJiLy+ZDGh21uzBn$QxxfoN{rQsMWxBM
zau4>3`6C=yoC_M_J(=nH^g@jxD>^&i%P|#*6jjO+rBfSQnS^7cd61!&XJy9biuAr<
zKqg6X>D1A=vWiq&uHFja&0uO~t}$NkDu8T<S(J&rWvx$~RV{OQqT_8zrjp8Fo$bd4
z^TB6)SiSSlVfk-xeN~rC>xubEA^AeRMFX+XLY!|dPBW$BU~jP|`tPl6#_Kg!er?kr
zW@Y<q(o`RRwmBm+rOx^0lpsu|;1pk`I0fsd?D{I>2AM<7tyru5n`z)q!_xU`qbp3l
zkUw87sf38IT!htmtjJ|sG!|{4jmvX_wl@DMT5T{@r_p5O$gPS>n>yCwO%7NB3GuOp
za%Dj7O7m5_vap4sE>2IY)+vi~t1^?N@?xh-Tv?b}mah?K6lU7evSQuptmKT0VwW$j
zIxENI%r2JMgPv$hJf!LDkfy`RBrluBOQzKsU&ebhIkLPGY>(LG8HV&UWpZhnD!tUC
zigl*M$rw32Y#jtM+$nL{8e^i^pP<V~)L2yBDk*KRR7NMJxbvf{^HiS9q!QF=gEdNN
zX!x}HU#rnL9XM~gUYj1B7@b>UN>S+RwWPvSk4CR`X^OQ;dFf(hLPDCeG{4lNkF82o
zV)-y2)nZl9RhZ^0b{7Su1qo@M<b>=hNp@PCuOv1(&KMo7udeWBR0mR>8eK}d&aQGg
zO2s*5Sz?m1$Xcwb^w`R<Ihh<RPA_)IP5QX_0=u+G?KeqP=_T%fJU_8K=o6LNB}r*X
z@l}p2QRc1J`~ErpVkkFMX(bxB&SOfBg(Q2fKEA?Uo|BuO;3>3J1%p*(irCBoeNf@P
zF@H%_Rc1?aauefSI8f}f=Oq`Y3iAVURdl*F!=9@18<TUSR$XFVZdqcQJYAogP#KRM
zLWMKdoN5%?aS$TOnF7)0Ah=7er(9p*(N-l}{IP$7zr_4q{t{37H`eSBf6@J~<S+l+
z{*4wV-&5+Gc*9r0o%f@zLL<VtH+?}$mft0Tkd4(=tc=e#OJgA}6DTm1#FgY&(!CjG
zv075-%+5|STLPI7z>w%tGGe1W6{6w{drpQ`?erAutWsNQmQ9kBRH#&FY)%p6or(+d
zM9>a^-5&M~EVKi#I~62DU8@@)GcL|mtWJ-Y*d6Hns$G!1OUV^k-3F!Xh9}#wEqL8I
zxW9L@4W~6&-2k^d!PxN0HV@<j`I4lQlNt!cr^ICvC$J_Pt8>cy0jE4WJyn(LO2b*2
zB5_elWu?MjU6@>95lK@lSxFKzD2Q=9Ah}xVb;g!@%!abmyzFvQafvQPXOI-gr4S;^
zO)jr0s7lNbDOI-E%2ab^raU^Q(xuGGlZj<nx3wyWv&u{2E8;a7T9Zwct4YX8z^4=+
zFHW!1O<&*LQXhRI`JiGl;?}?w)_*tH@BdBlAgM@c&}d}}wOT6G<GdG%2PIVIdoxOt
zY?^ADKe60ox1=X)WH=9_&CQL=P0T9EHMp(OMy1Ir_seq&V+)fsdap6bR;qx6kwd9R
ztvHJemHxa0g-qoWRoioeigI(JQdZ$LnFHB+hrGO0E!CF$3bNwWz6!stIy*jFR8}f3
z6D3)+I%7d5w%#*+fow~HC775{YID0ZJ~1Sq^Q1macB#^aqfGW>QGrJiCo0IzG-A}`
z(V3GA3Uo$`Azm9Wxvhl|Ah0Txm9aRqqpff{Rc3W;PLbY{uPC#mREiYAYHw-SrgVb^
z$(4P5{V`$Xe|?2Q_W0kkzM=ER|DN^z_pI+fan|=HpPYd4Ye-)StSiJq%``N)IRwx}
z?Q;kQ3I!uZjDR~S8ym!{aTU@<%J*8q2WrinR+rEnfTmh6=Obtp31!W`02~;*ii|Tt
zkh?FCPwFbeJUDkKEQY3G)&gc2oyZum3R=vd4=vvbMdYB6Z}mBC&;srD`MuCl2%CU|
zq3LWGQqC%^E3^8Gpci%+v^j>wXLa#$vhlGwBK>4+>L^FZ4w;<MG5QC&7c*lP0WXG9
zXg0?^jZME9=_So<k-iKVMuHHaoeQAT@W@Ejb@=3lRFM`qR+D3$*!9jrXsmSA+RZ`u
zRF7Mj;V28(p(C7Bok#kT5ZK^mH7k~qmg`8L-s-p3cOx`Sq1WNyaOho!dSs|0j4mUY
zf8?nN)7-8qBIjVKv+qbR)a8X~pQJQ1r4{LGCCF^jSYRn~2#Fjtr1P54DJEwDX@z$%
zW{IG%oa|DCqmm&DQvN6`2#|qHL96gEAQeCXJN;-~PN<FV)r!iEX;pTi5M{z$Xc{7!
zJqAh-*&n=0?1Mu;)Fm<LC;jZczZZ^jMa_iIMg>x0hp8yi)fdVq=tuf^?fp<X?L*R{
z{6$Fqb$TZIlR;Zt_308h&XP%mrvx8C6hecHmC6))itFR+7%l8VMxT9@F10@tZ6j->
zK#$eK8-$Tjrd&hnj&-RG#fw-d5H$TmqpKgfVM)&>qR)pyQe+)`0E%ht)MD9-(!tg8
z-wGFAt&9Rc-c|tV&g3=!BZ@S{>V@JzwhW<Nm5g~Y)~=8uPV*nH^&Q1>UActn2P){j
zU<*)KPx;_lmq3u|vlcq)7ZzdQYh?YxwL;zmpFx9dAbe4OE1cU$ML~k-VcI0G&j+;~
zwkDXGL^%Z9R-4UHR;$dGOcP(1|67DJB{3?Vqa1~dNMVJKG|`(i{TW*S0X>u&4Eh!d
z8TF0<aKM2K-H^$d5aF<P^Oy6*wX>Vy|E2u=1v-B@A5=zkjRDZ7%+Etk;JK!zrrp&R
zcmSN|-pP&L2TYBhdg-=^h!z52H1#pV(5Vg+keXKXS%Yv1gi(>cfx?tHqd0~hSRJnY
zfyyvl#sa8Nm@`N&QrBTfWFY{2n6<0XN-$q~wPqb)Gk2d}?@oU8-H=p1JRbv<Ib*Sy
z`{odXNGy@c<O-!qt<mcA2BSbIOfe-0{WzE*>@5~Xl?Gh*mzFvE12x=7B8;*-D;n~V
zfycSw<FQki0>);D5C-gMOc72&E{yUyOUt0bxzNU-hI>lMo^%;c1h&|X29ZRplPF|z
zqh74n$sxU|P>WSEjZvnNiVb?XQ7$!L9wj#-KSqsAtWb$m3Z+&f7K_AEv05fG8kB0e
z#2}H2l~SovsS@d+E&vLY3<|MEV^Hc;dc6+H@N^1|MsLtcWdM~%Vw8#Wa)W}(k}j>p
zpfniuQl&^K*Q$*osnMubsdY-7TqH;GL{gbvqLE6ZDzOL=i6u&dQfpM<7?4J0l&Ljx
zqtqZ#8fAKoN~@Qvbuy(M%Ye`aBGajW3^%P@Cy^@^Qi()jG#GU{qfV;Qsz6bp&`Hz=
zHWdPaNTg6`#A=mTrO=60I;dKZ80C;m*UBXlrCg#>tEAArpjL|&2DwzOQyE1#n=4jn
zRH$Z|R3lf*v<jR#k|;GOD7{pymuch@BYcrkjmjwJ<57s9Vo+(&A%s$cDKSo7QH~|Z
ziUH}8s|_kSrp#)&MkJMsQMy_br4-SsRC-jFMk7}!q*@e<Sg%zhH+qRqrjr|G60y;M
zEX!0Pkr?x2gG#2-NL4zGL9A2AjY^e4uD~)7YF#YROLZctTC38CB#7T2S4)i|EuHg6
zQgBYvs8A}!s8^#(Bty06#2TqcuG1LN6tqUMRHRa(P!u|aSZ|P{xroqCG!mIisga9O
znwjoUM+&vt9xsfTIWS-$b0~I)a2Q4$svP16B9T-hLNn3pQKKrEQ72OBRYtWzr!Yvh
zM!j4o#Tf}DTBky)kZQzedJyNA7&JPGUayiFbUHaQphUgvWO|X>AVTU4BCSEGR2wCF
zqe9G=w^U&eOVt{KMlP3#<qDBnFHwn6k1B&+Bw@0xR_LVoSVcw!8nRfgmZ=PCEgB#+
z_{j8XsYI@q$n*-06bm^@vB)SEX+&zHMx=sXFr`2skt^`6OQi}Cs!lFJflDN)bD2`6
z6rpjdHEJ1?6oo=8HA)m>WI`g<8)YiQqSMP%I-OW5(J4_D(Bz|2qVlK$MQVvbW}pv3
ziBoWBRa&*dAQ$OH3b|6JR2rp9sLl~db$Wc5I)zNa=T;!t&`2P#0`7#<H_%~g$NFhE
zJhxu6FQ(bYCgBa1eL@6ixs_DjHm5KEQfJ!%&=JrX&>hed5DB1hMKmB5Kn;8dU>HCL
zhyx@5(g0>aF2D+K07yl137`~E4j2!32rwNm1MoE9S-=9oV!%?s3cxzR2EaDJcEC=+
zF2Kit<A9TZQ-ITebAStgKL8QPbaTLMfOdd80bKxh10n%ZfD)hv3<D$q(gF7ZMgy#X
zLVyPl06YK~510aY6z~LKE?_a>CBQ1c8o)-tn}F?rJ%D|H4*?$ojsv~}oB{j-xCHnU
z&=Pgm8qgik8xRAK0@Q#Z01Y4skPgTO<O1#oH~>yS2_OiV2zUtaFyK+ZY{1iiMSzz8
z%K+;DTL3!&9|ArDd<i%S_zrLm@GIbVKtyA-3qVIecR+tYG(Zke0)_x+FE9>}3CIQ9
z3%DOp3MdEAT2~M-1MnE&S->K|tAG`Nb$~Yjy8!P4J_39OI1V@kn2SL|=4)4L+<=Dx
zeE}l?nhc#RMl4YYw8?4N#sqVGjLwn~_F~j3WMQvbUG0lOrxk>sXRLh*^Pz)|yhjZ0
z9&!T(ohHSQoSdME0XK-z=~8MPu&iFsL87YbKtbZ_2dV3TAaxv=Sdha|v`j2@94MA>
z2PTM7ONCT7RDCxJSkH|KixQ|Cu#N+T3U{C&R8Vz-)OA1*a?lveF?=D>Glitg^6sH$
z;PcN+f{;5NhjPk1Q!=<`28Yc^2rcZDFl%2KWTZcY$v+bs_e?n92@X92hn|D^0&hOX
zV@SaL`V4KHFv^sH{?3w-Y3NT20N44zxS82NBf2`*LW^kFBjaA3w&3yM%^&pidQ2A4
zDQkUy!DDjU*$qGEHt&76Wm8Qv?Y3WgT^QA^b;1234qC3(H0t3z*niK5E2dnDcja|S
zxi4CrbBE>FZ-GCma<1+A;^E<0)2}XQ-0Q)j!;MwK-@m=D$>FSDUVS$)dCT?#EsVd;
z85ZnzcgJz5?H0_s*z)&5+b2wXd9=P!r!MO*Ojxr=*r?dzX;U^aVTSu<=$lAi^M1~d
zE1xLu|6@;$@nDx-_Y8m9uwc?x-`(?qP3$~ak{y?}Sh;6Tx7L3=Ax_DB<8-&Y`@Wg|
z<cB+Z-~LI~z(jY=(e?+5><*g%I`mN-`0OHWRCF<sQcU9`ee8&sbw;U&JJ%M`@XxN+
zh(Eqs^ZUW8HQND`0m*>DaBunP)tcF#T&?*4F!RvWnsk8WLf&s@PA*w5ujr6<|Dstb
z?|11r<)a@bt9gpIzcBKRgMzGeac!?YS2FA5?4A2Rw4FVhp3M6f59o5S$KEMPjlX^2
z-YYq0v|o1qe$#s8!BCI8@6)u{r}}Ll?R;kUmADs|op~ryU7>H;m0P_4-|THDoW5+|
zIqnw0zD4xr>DRwUaMv~N>WQl@t`oQ};EL#pzqS!=xm!fU3H)7%xWL^aBCfH2+%2N#
ziJm9gUTAv(x1PAQ?Rl-|wYK=fjd?h6?ZmYU_`{8Ph-lQLd5hM!wQb+=&Q4vrcIzqZ
z9oe`4fPt}MiA<>)GHm!r9h7n<Ca0xmSh92O9etlQ-(FZ$QtB@A1uCkl9~?j7p(#_R
zKQi;NC!T!j**WtTJiqA0B}-pfwqoV#bsJuPWAj_vw(od%*Y5ZC?LYAGC!c<P<mmAe
zCr^EQ`iHaUF8qA)(&az?yvCIWdP4kD&&}NMi$?(ck`v=Wj;u5Lz<D!4I3xy}AwnUT
z&=i*FF|RC9a-zVvMz$BwAFd{Xk?ot%Q+sk7Nlx?(clf~#e(mv$JDzbD2u2bH`OzDN
zVM2or(SkdR%OEj7<W`Hz(4{!x$I|6#vSC4=jfY7K6OIYbrjf!RJ|^YBW75gvz?I1Z
z2(x)&(@pp+FnJ;@q9qhG5(t|#YQZ|voSdE;wGd*yPVPb^4$rtSENB9t3wQFv6Nig;
z_L&j}KPD^_j-DBspv$-u9l8i7?2dFWv^d&CAHED-1{e5D9BjO`>EqJHrjw`1#KESW
z;-+}Gbnvt&O`yjVfMBFhFcOtG5_ddPp>of76$tSRmyrx^dqRX89N>;$T;zslA$bW#
zvd;_+h8EET4&33#hT)#!OkvpgfXjv@e1--SA3YNe;Zl5*UM6iL@j~?J4!U@ubTG6i
zNUa~^E@0BfI5W7wW8x4BBH$R&q7f>u5uUYFiHsY?%DA<lJGsFh&n%7>&kQyEP*}nN
z;EF)Fh!*4zVEpLL`eFJHci@vd^Nbrqn{enN_mOaGgm=QF_;@!qEbGSM^6@ZfA%86s
zmVDXtkQ=3`5nv<}7w<>ufLnxcf?%Q$<7dDG0f64|6hR<_16^<<m`K1l5H5$q_|p&J
zlPg_p*a<?=rDt-%GviBlVJ$6kivZN8k06X2AC9LJ!Gr}}A?N^QBE92IaR`KT2R+;;
zFz)=b02e(^z%O0+72+4~Y;7=KGHL?%MpPkGiYRtGa}KzZI~*D{V%+fDf(Z+ECIH;w
z4QJ+uaNtk)M3!-5o(Y#|Ft|jMo*5bpE)gIa<j;_$SLTItgCif79w-fPBKk-Na2R4t
z+8Gb>V{q8Ca%m!DxKp}>6WUXu&>ua+r#%%7pgk4O1U%zTH~>7en6)@?CtQSu4|_3B
z94&-ra9KaXr6-0KL!SvjxD=ltM2CxyaLFBiLOcPF(gIvu6X=JjLi}=J>7An?<euTj
zATl&2Fpq>obS5x<P1sJ7T22!@H$lgUyPye!8o_XL0l5<%9Gd`vaNvzQ^G-PA2OxaL
z3qKTw!KGk?OW_!*aHqKFnee!HnOCAg9xM<Z6Bl0DG*LYC&!&Ui*fdiRE<VJ=(`V96
z$P@`flfAKV({n^<!x#2!O&X}tHdqW9X2zA>3}!7<+}u}y(Jh&kC+o9h2wuo7J|pU|
z&F1TAKq4|BE}qe6l_(Rd^;$z(VQIRh+9NN|amfqPZK+UtER)NFC27f6UXsLDS5{^~
zGe%KvX)xVZm{?H+)fhgjSXEF}kfBa<W*Jg)3teetCFNP3xa3r2xm|8ePfdl?64W?H
zXKC&67Hy&}E-$gF$|ToH%Wc(CC{s|ECMPBZ>@H}<%o3$nmdK%j&uYqxtqhb^i&CpR
zS!ET@fK!{6ATCUGsyr3uoa|~S=YurnO$zU}RxllAE5jn3SIn<rM@0s(&6iIb(`6oy
z%Y^k#coLdaCBsv#5Bp9&n1*pUcq$3U3G<OqXa-v%0}ef5j>);<32w$4TxvBINmWvX
zSf<eG)LO9?>(3Ib{i5oaOK#98j8ZK6(kikRE3O75)=TA5tr+XPa=Ain5Gz#@gH)u!
zVx(R|%VNwW6aBr552w6AI&b96hm-%!iw`HnMwh8}vx1Qvu)>hErwoRp18zU85n6o?
zA!{Bqu6FwR_i`r+t<Q$Xhb@o>;`1;&olJxjod^rx;R~L8!nwOk|7XqP!~U!h4ga&|
z0HAEdpEd1A{#mmcFh+xC?VmMo0|dH1Yc>HYhvGTxatdCZKk1o=H+*?ybc=}}ujwAw
ze);$=)~T8<eP2!1j2fO<)<RmgcfRe@wg>mDTlc8w{pMHqNLPM)XvB<nPk*s#!I!T+
z+2Zivc0Kl0HnW_6B{q8RM=Ndp9yy$}_ul*B?@vrPc64ori9M&?yHl{R>jN+K5nO8d
z^Pl%re)#IPAKpGIv1N@`9UFVk<u~4Hd5?TX(S5}u<4mOw-aqz@*$)(bWP0?_fv+oj
z4yl>d^1#KP@`tS7-s$rVWiR|VWp;7${6UgldG^l-9p3WI%89)%b(&z?(lYAHQ=9MG
zXc{@EaCnQOd!M=*Oj*ADyEk_I9KE!2hw&SBKR08~g+Z+r4UT*zZ}g8bZ`tPjuva5{
zrG2O0hy5MgN56dksh!EammA6@Ur!%0W`=mNsPdQi!8uuDUW=OY-lUk=nu$^0PFVcy
zfJOUOYKz{RCzzKqw)__5=WsMR-AFQRNc(rjm#lhy@P|tyn=E&^JM~<bW%;pXdF-9X
zHQ$=Xc}BO3Dpf6>)Z>krVO7UG-f14%SJQZsw!_3Hg1wB!wo(0`_&u%Z{IBdeXRq~d
zy)i%IlMkPsb!N?|B|Cl>2D)#3q<;7ws}99|z4qaAuNgm8$WHYA{`>Y@+FaW^{)>}o
z7sh?JIBr_Wi0vCE4u1K?8pDT0=k48SIlRu*A=z~0nW-BGKegwJryHr)Kln-hnc*+B
zoi^y@gGZZxHFjg{gZlHGEF07_`bO=)=gVEMP}f!G;@!_28f;3O_|hZoet%-~ImZ(n
zAMUp{ZPtrhcPw1hbbqTB-l1*ooH^{hN$)&RCoo>jXPb*V3gR9v@7n$G{!2ez-n+xb
z@m-Frxqba#EWf2$@y||b+vD*|FIzV(u2#=1fApaRkGCoq{?@BME&3w+k5`{{Hi_M3
z=|0Lb>&KXmhTx7p-K}?YHC}%9&v%c!BfmV(k}ui++!nKb@Q&VFPJY$z*c+=hPP`f$
zpEU6O>~ZhEvGU-I*PG9*x$Ec$CHud+G^&56$xm;4@Uu5R-yr%$pOkpoHR@>J@aOHB
z6aM(FrdlHk{Pt6}XyDaA%e=8cv%6>a_>RITVc$=B|2D+!t(QKHMsZ-~eFwJ<Ss1_S
z+oLNtU&ESl__gU!`#&B#5I4VzWy;I(>pTDXN{bF{ul})QwBy~yeS=2^$It0}xzoK9
zf6o0pYJbcZSLZcq-umJFPv<YpT>j?K-^Ueft!iGs!0WxoUahIAA7^;{m)5*cQU2=r
zy_2nH4}O1?hBdVpy}e{D&HN&1@7K9oR=<6z%gIZh{;_wGR<?Qkk1w<sN0_6QY<#_~
zV_dse17+WwE?nYV6m?Z}eD3)a>Ai+U<lmHjZgQ2Lx^em_*rR_Q^A{VP?K)rmxo>zr
zc#;cZ@B4h(Ym-LGrf$9SfK4-bX;jwy(%9H}y#H9&i67Q{^ip@(#f=jhja}V$<>~CV
z+g?cf0?YReUdo>uPEUi#aBOK;J<(&M=gpOI^QUjxvth`Ams(zmkN9AG$uqIr9(s6c
z`jzm)Zs@sgkzW^$so<j*DxTUpZR8H`i&M*n%B{^;jEH!{v~y(Ni}%g-{`Bm?g5mu-
zZ&}s3NIx$-LI3NV&+i^PaQ*#{jB4`skmo9k`>XG|1^t38r*??Pjr)C`ws^|+b@9?;
zuhhKQZ+rJ^QMuop3*MKsX!Ed?k}<2IF8A6nqN#eKeZF@6)4dDcAO8Hl(@mOeY&L7k
zd)KA7p2G-J$)TQxa~EU-hfO=~lQ-YCX2_PeGdevmd)(P{b(gHKT3(p-#Ps!>ez|kq
z+<U!8Ui@j~l-C#bdhW@d&vlz+ePj63>GjCfe{HBp|CZY=%E#A#=Lf}I&YrDax;lRC
zZC!JY$0#pOOtI~{Q5^NtcYoU-9)GaAu6n`5aozW?8Pn?RP3Jds6dyVL;2qCJZRvjT
za{r@GKDlkq^P@cj`#zI+taC^Xfv2;vRfSh|pJlMCf9AH)KR3!$4X{i)p}CYhXWr5o
z`9r$9{VRmO^w_m#ma^%Lt@rGG_%%Kpe?K?i?8iUuo-$y;M}r=DRGsx+-oqVDkF~g?
z@$H(4*WB~F-_<4N^2w5>v*vvB-SDrM#)@f6v(82N<Q?ca{2QeA`WKJO-_s*)S9k1v
z<Cn?LcV4>U%C~Rv_~cK|zou_f7L9!U{r&feVZLgAbf@RrJ(zgryIJ$bcfIzt_GH>K
zJLViVs25#aC_NK1actw@&m))EPJR2<<v8uYuYUfhb4k*egZ+jN-9O~F)#eXYH|y?r
zYwDbe%q?fueK&jXYlr3U<?->+olg_psoKeH*nm-^4E?|CIQ;yk6EAimm)eW)Wa9)=
z=1%-XZ;xx9w=kgF_wDg}lK<#^X~Q&|atrzQ>OQK&rxPTydphjM`gnWe#5W%AC>g(P
zeaV(KZ8wtt`kKt%I(6%Qn-6dMY~yOZDNCaHb=kTmZKkwpx}N;Qn_q3r>=XHmqYkcL
zv!~<^#pPqP-59#akFE~!RXr93fA@W|uTRO39opL}kL<2_I=V}!Te!V_&7?nD)m#)z
zTckT9-1gvakBe5fedW=+*wEM)e#5x^?6FPP5=4Ex%T6zC_uYi~r@A!lW#|3*2<z87
z#>vn^nP$pm#^x9Y$J!kgu>mhk2zzKBU6){rH)OzKHwlo1jFcBRSm7j2deI7XW-iur
zcnIIf$`iqgu+`=A*hmDm)KTj3R<S7x;Uz%Xv|k7d?p6{f_G8XQLW7JLAtt(ZJDDOz
zVo0nNieDik$y)Xfg@>4|x2lY!a><N&KB6jN>=rYkrd9|Zx?HSly?8YNjQ`!RM9oO_
z3OVtoC^GmAsSdpmVo?rX|GN371d<dk(!wQikkE(#j!G-ZM_~@*uvsB2DRlZ7dD{XA
z{&F=CO0UjYMiQ1qRvcfmdL2R%Ds(x#RzK*liC_{+^ZXdd99x+JU=6g_o&5X4(FH7i
zinWBw>(=NTem(kS0oWX~2~qd~2(yNzM$jPraC9D<O^43vvISgh$%Z8c6J|*5@Tg(=
zq{gK&rw$Uc4S{P`s0#?wlK5*#JeEs`hHX+@rL*m-4%x8$2~n^?uM_PLDJgJ5j4eE4
zY<lVU<~73NnW3GW3K&g?8c4tu@G*_E5C+}rRw2!HV}x2O8ZOhoLu)oZGOS$?aN8I`
zasi7+`R8neBkzp#W+^@!LS>Wg_pr^E!_RP(qlTE0A)!x3ggERY1a2+eT2Vr-Seb8&
zBgf&TFkdGBrBbo-WyI2nWAn$AH_IH@W-?Id3)qT;5F(CppkbGy7+n2HVsc=J1QQiY
zCxQR4z0L~a2&fva5g|kvURZgAn1YoeblMrQT$cM3c+d=jtgtjV3&e`SMYxQy@zL+i
z>orCH*LfR}X7F!att_7L#ypUrlUC-S^9xiAkhtc*^g3;n!NbqZb0H9z48$)|JwkdY
z0x|Fy;wT;utrHetiG^iEEFS&h<OapfH40XmKEz%*dN<AhONZ2=CS>t6AnRS^sElDh
zTdp2hyiB(*P*&!FF*Z9RP0Lxkr}hM^@*aGhMbz2g;?l>p4-yL|$=aaD3npMC!}9r%
z+b%8hbKMAsALp!axP?&P%(SXHp+a)`)C~n01NIy@5kh8w>pJ*&Gu@%DNXYeZ1BH%3
zg@aK3z9JMClt1%fz?4e!osiN+F8J`bZWs`lMqf(O=QxbP92GzW=;6TTkSqG&xfq1J
z+&Lp4PNl|{4~4&VGy*0bV(+mH^FGEu3B?;Kf2zemSUp8~a1Mo$Ca3NfXAP;h3RPo&
zCN;=6rN`7z!8cf4EdGCAT`V196W||I-+n9e88KZ~SpO`%RW8{20G--$xB)3P!wkN`
z<$?xx^prM+`!-l`sR?Ea>yIwt`jTVl+_<^Xhh>LZ!F(6K7#fq11GRxrdb#f6KV*+w
zy(Qh6uO#WrV#!}?b5uem9^c3f5$Tjl=%eC3rtoGK_Cfh<)PeBj%*AWc8p4ML3_0fH
z56i1U@%;mBici1%uV<IZFX7kr$YB{mz1f|GB%qJh)j%iBl^2EohmtR#cJfyk1dI0{
z4!)6YHoVz`eJJ9KTxTz|2bfNU8xL{g1#5_V@!^Q^up<oOc*NnEAr;fX)8Q^O1PtT3
zk)z9r4I6&mz{bmc_%v9hkKa>9qc4h$AGUDmWAMV5)Afk8^r$7_97UbOQ6X|+^gIDS
z%~-hakG{>?euVD{VKbu;{gm4iC@f;zb8S4_=&AmYkqUxyqw$<OrrP24_`>34j$qI+
zLN=$Ne$7)*fF9lt7Um6&3PbtCC=3a_ZhnH2#aJA5g|e=2!o&v^9?rXAN72d_JU>Fk
zkc;VS+4R%z%|{}1c9Wef)~4phvqh{cGx)de&{(`I9CT&QGjc79a$V~1F=xtBG`iaA
z=jdwO{6tMi1aQQT1`>4S4UY~C8bb5q+H`}Xy1`p02B+K39G<jekS{c(8Bvui9_R+#
zC2mg;=MUKVTz#6g^q7OGG~uI@ejK_lfcXe>I1Yn|Qp6NGE@)%Vy>jtjJeQFg$0WGS
z>#1<!yc@L>$~Hy7OhH(N$;JnKmO$7MCCUh&TVd$9CyRy|E1ELZ6sF6eLx<M7Q)8M5
zbLmM7U{pz&u04?%<?D}DA4^>v&0E-(k2LxmG-=29&dny3ttE~QeV6s<@Sl#)L3@En
zl^b*C+BC7H$d^AKK77Q7##`of#Q4xY5scUZH?*xsk^LS+<)zaIbwyZpAnXuks6>zv
z_FLk*B`*C;{f7>u@GUUB4X`EcL3x!q99}-%8njS4TWrOQA16h*mV4`P_1is9x3<C8
zwl|88`Wk#FC<jbX{Y5y`MNKBWW&4DM9^%``AV$<Smj}mtsbp9>q>TfKBLt2Kv*)qn
z9T-HTDZ62_)LK&e?bY(h8--_&aR2Aw!_Tk&C-H}c&tTc)O|x;sa$xg;{>xBlLps3a
zZ<d-HmuFac=soURQMoZ4wqE}G^!#-?^ik7lNG#?A5H+DWhS0<;9NoJ8{FQXpqt7oT
zf#Wf&N9^Z&!}<xUXXc}!gW@-Ctv4xGrgGWEI&+!Bb_+5$Opg)A=Y2)^5O1CgF8qzx
zVc72~{<>8|;_iH34Mt8!;t(0roiOL*xZ>jI-y%GB4jfhMaum>@m0BjdsB)w48vPfz
zE?5Q95lbVXu=iT7z?XA;s4mc*`8_rdlvZGVK*>d`Ds{SJORbf{d|IurdYuj*AMSd7
zl<EkY*=Q|JTL~5w|5EvKL4=sQv0>`y5D06(>_RAYB8+wley&butp{SUixdQe&B`#q
z;+O$Vm8m>1Oalrg%^<-{mD%#+brhf@$I>$fU!jhfA#5@y33)GWg3X3Y06DK49S2jV
zY$^h^CnBk!p}c{<99j_b#<(064i`5(U<t8wH0T2$Y=aIW=n1&cPQ2DKmKyclrB-(p
z-zibSuz9lAN&j`79{QFrUPejqVzICg{SUV?!nQy*e!V5x%#Tn?q1k|1tQS)O^xZ{F
z*AhPZW&-l*zQO7!SAH~dW!E{Zd<M9N&xVKo4rck6?FE?;7dvj_2Vz+IU?$saVPKp_
z9yI$7AL?MO(}C~7ksm1JW5EtVc>Z*?V@GZXfyqBI2^L986M)L5r(rxc2P`6sN8=oJ
zq=teeH5}Bch#=RM*N*3WkO+kIl-FM;JsIqPms<~Xc|0XPZWWbASlsxCuTmytZM=2I
zD4~YRkBKQ`G)-X#G$CHY=MSxmR_idLVul{He8yBWQ^8d<u(*y>hsDpY6LZTs><|)p
zhB-Vge>rpxKSp@-6_i^o+JP2FhZ_^1bYTgK3Wgir^Zry3x(rJ!R2jtT%o&swEZz|!
zw-LmxY}lPN8^g!V@{QV}<>IMN2gSj#PHX|u)Gmx*-F#9wAFJi(rpr^|>HSM9T4Cv8
z)CAp#dKex$1dR0?UT+JJzjouHE;73ZaDDzlia%~hytcl=>w;!hm}P`7D)Gh2YDA)_
zxb&MtdKGF*C(7fr(;Oz8!cFjf&|bpyTFmP0ASg!wQy66v4jv5cOLo7@cYh_?=KVGd
z@KFNy6Y<*k!y0`<D-B#LLMt06#KZ(#t+o)^H4(l~<?>@>+aYzL#1x<oshT*152xTV
zC^(kWDfglL-*V%OqkEH;<2v;8Slr^)!1)ys6l7=vt2SP4;=}e|9vjvkFiS&r*}XLM
zH0U_EkQj9^Yq@^3`3i3VR)fGg^J!gz&peWVBbE64c|O5xAF~^6&^lG<FXH?gT!gH*
zXIro75Mk=~8HFEwJmh%ubq_i#j07>an_*&?Qw+Q`uwTrqm~;oR4^1-N%ybK>VNe(!
zY|#X4j9MlE7mm5n=R|Wx5MUC|a~XC=j;$XK-$1$&giH+RXt@cWon*%`*uqzgB4!JW
z8VkqDIF~wfG)M-99~>^r<*-9c%A-QDb0uFVoSydeYq=!87HX=bPl)R{xpdxe;LG`I
z1MDgnMk&}e!Okd?CF(FKPe9_gj>C$KNr+ZsHYliOP~u_Bc3~})O>YQ~Z&GNIUMr*x
zs95liuq?fVxYSJAYSXy6!5H6|ktEt&rp}(y#FPz{J(osIv>}ZE3@$#N&aIce>c)$n
zfJS-@%i}AoPFkr>vFZ#F1a^n7UVI4O(3eUJ0qppL-D=kI=_7ph%fgywfI2BejTB&v
zhXEe;o{>ikcmq)FMg`?^!QCZf7fBKIP3SP=0qCZ2GCd%2L@S;HsTi@Lj8|$YsA}5b
zy(t|oJ%kNe3RXc=ZM-*ZSzNhrNBdEuT0~WV$=Xf7bY2wz@cEW<J@Wx+{)GD9z|&y}
zhm9rcP2-0a07~i&<O-<n`Pm?wKNdes*ah7~*m`w{qq2DPdo%8ZeDTN7*+pJ72d}3L
z+!8BNws6UcdU!M%W(5|w<!^30&oLC#Hhq!#q2XQqc-R&g#YYz{B*`FJqeWYz@@M*Q
zBEhUbQu)`WlUbqQzC<j_GaM03mHifREF9%YjXbOxxe*2bd4)4J7N34^UQWDJRg6$a
z3;<miwgav!E7G{fUbXmG!)1gS*dq1Owl^)&A;a_?)WPFXimdn!8SQlp7JbWQkc}Y9
zb@7n^u%^EdEG%5uP@rDf5q;=RK>6LeeX)4-d-HN*@ov<<Yuk1_mit+K2&g@N?#i{T
z+Qx=zre2k%ao{AB-tce<jATxz)d-^uTn&XcFRq^o4|lT?3CE*W)j*|FH9|gwcKzu0
z=H&rn$-pB@+?0<NT2R0Ar57?%511BUxQoRXn*D`_NNhMQ&DLl%Rlo%BK{&3S{1uC*
zV^#x*;X==&AHxxf1TnAysNCw~v8<Lsa=NkTL$TDRkjJNzA|EFVywik<S*_wVPBxGl
zKAahw2ld1Gi@da*7M8A1X2a4K+Ph&F)oK0-#f9t|d~H6AA;FwNAm9T_FwqA_3t3FB
zR9m`59-p5kMiiDVu3XvS2*<YA5eX`#$b&T%3QN2s9N)s$Up?VLX87BH$Y4}|rim~F
zXgV6hb*ByW+iWb@ch~5X({v<^!M19Kn{nDNiF>#hWro;)O~8~uFII?vS^IqRHb`-p
z<25vH#VtmBizdq?35Ym2$AzG$TSNhT9Mj|Q>FE~uITizLbW_3pCC1I+Gq;<O4#{aY
z#DX}f!Unw<!HgRYHaKyQkoXKU#o%VCtSkmUnqbx(!zR}u34<^VXtm>AZas;LA++a<
z)y-1$@)&~gvskuCaNU_8Gc_qSEjv|c$jC^`5bDzO253nU$#VMFn^aLsxUR2(QBRm}
z17n>qU-pZs{o;^LQme|b7PftJi!Q`~SWz`0gmBHIn1|8U(mOItkxP9KUm3Qjc|9-u
z=WyLU=j*HcuZ$B}72~^SFZs@px6B=PXyDn7TYeo}xc2t!Eyq(v4fv(sKKsi9f63bt
z{qmLd_wGr1OVaD5FP^$`I`6yNyT&PQKlt7ALz+*?y8Eld<u6`+-#UNi%9?AfuNVhh
z9NKB_0n<L|+DCTzE+s8&`_V7AXZMlE{`%;I#_E2{W?ej#6S(92A9MRG-JRo8Y+G|z
zqm)gBiFZVHNtiX^Lfm7@&6!(D`&nl?j_w@)VgBGgEz>?&a+_Rw`RK0&HT}CqzPTyu
zv3EYMc=>a4yGQ=mWl+5Fs%`y+ci;ETIPlT#rE}+&obP+@oDGK_d85nfr;hCWTvop2
zY**7gWhXyyRa|xNZ<pG+Xy5T^<~L(9?;b22yUn=t$#?HFBy_ws=#`(BBu*;$soSj8
zyEh#AFz@t*=dLTTzv<9;+L8TZUSIs=FHt+*C|`T6@^1zgXdmjaqgT-1C&}Au<KzQ}
z=AV46SM0z>OHRnQkL%rk`JzF+KDlG9rC@fqv5yt!EuZ{a)4Lb9Ru{Kg{_L=v6HmmA
z$er@vgr~Gx<wKIAn$1oOj{mjiiv!{^o%05ir|o<1va;aR?+>{Ay?qm$f^S~vvo^YA
zK!0d@i8f*ShOf>nZ`XXs2*Vr-KlAH^Ir&+4zTSADbortYo1WVG#O*J=^J0frHuoJc
zbnm!<OC!E{b;%z~hCcqm(X|r~&3w@FX;k3g@+F-cC(BlzqVWIiHRroN4>mu4P1CLK
zINjvczx{1;>Ir*W4;6f`In(UQyAKcOmp$eAZa=(y?(@m{Q)aJkv*@e&V}rv4+x0sm
zms=OywL5V{++APmXT+ZD^Z5ry`n6xa;_IycCOjp!UHf0>uDoNB<;Onj+>w%$O*;#0
zgMNN<UD`u&QSII}m1X~VwEywv;(7+&b7&47I`Yw;(}TObG;2oOh=u3#FH!h|<E9mL
zJK1Mwyr@&&V@H3l>3(|A;cwT+opWE>I47#WZJ7Ao<F~Jpefjy<=ao70`p2yM_QA%5
zhAa1ccY3382!;P|ul-9$4oewR;%=V0^W)9GEC`*;_^Wg?Vz!^3n>Dui#qr9;114+7
z+6T`(y6x24djfM_+!C4j(Q7kT&x+5z?ag6JSI=mlHEEh^=Wji1vo}|_dTY;b`O_!d
zx#GVGPicIoBId&0%CVA_aodMnn4^DxRoAalT0dKSWoPWA&*p7jaN^pANgu0aOU^%?
zyhAZ$*NDpe<+`@^W#7!b_~5*r6h80KbFponH($6ky3*`;et__&wQC2gI%e;(FlSks
z$6s=>-P`YMoba>W5VQEqg`I~79(z$U{aIn#%Y*bQ$Bm%y|Lyg;SQ2@8a<fw}<+j|p
z>es%{O<nq``A*rTBZHEm_e}hVx7*M*Pd{DM(j5C?+dc^|Z-`t|{Nt~$-S%zvX4?bm
zuB#4a{<rb}UkT4?@eqvUGBorC_kTLS*M7XR|JaJH=lJ`w6-N&K({cR&g<b?Q%EPVl
zd<Tb6|9-1*f7gHSwar_v?EhlLvAvh4{oSyHKfB{Sqv`w3e0+XhO@{Ne;_9bW=CrYk
zzImtd!Nqqije6(pJ?U8!o>pHy|F!nHk_=0ym0$e2@K|y7%gS}3GsOQ%y#L$6@byY}
zMjH{Az&5wIlfELl`0ts0`|H2gYEC~n)#2+_TKw2kg`$UA)PMi$l>TQi!^?-B>t8}r
zT8wL?ioK8N!`>&9vG;|{Dv?0&c0Buj!ouDKU$J-LpX`0)=j?sVPWC?G3HHA5QTG1!
ztL*&*DHg^h6xOZ`aT+{f;)T=TS>MY@hF=&zHZXqQTU5O15SDn_$(D^jn|Jip!+QsJ
z9De8gmzV3_yZqwTdmc(mZq=%0&28mRUD*E8hrWBxc0KV->Y;77_cNY&_|FaNPTwt?
z{mGkiuKbwr{rw%=?Ou}0oM{aa$3vBD-nIw7e5vZ`?5PF4_H=xxgV8s5+f4cHUA^wT
z_nCKR&6CdbpFF+b+VSu(;m^+rUOdqDlX=&~XV<9bjhPt#(K8DoZyVa<srK#X+&(*U
z@20CC#8`Y?%HD2Yy<~c1m#6PbdQZ@Od}?v@<;4-pj7>+ie7Stug{32Z`sJ%pjppfB
zHP(mIrssuwmgQXd`qYwR!?&be8b1GC`?<q=8_m4jA^xSw*PP4pe$u{{qU}6p?xFiS
zK6`Xz%GAXV{F-YCIMcrgt#Q;RSnqvgI`p^z$^ef876K*!OaMZq?}rZKLiIJH3!w?_
zEdh-IbU`OR*78_o{E=i3px$+;`^?WD6Rd4=dP2)NXD@5Vwb>qc<LwKtzaoBT?$^#>
zU+d!$ra40ormg<;nGs{7z8dfSy~H{8!Hu&Y&B%)tzjncT;GL@<e`bC18^PE=5?p%=
zzZ&w9f7zUa!Owqv$=Yq;3z`KlWdC^a#psiJGM6VD8Pu!!>(%w5554l=1fTA<oKIKo
zKAgLoLLvT#9<2W~U2DGWpC!qQ=dwpQ{sG!Zq1{nXSmZ1&ah19~W#wL<KTr{@th!-s
z-6B%f5JX&jLSj;KN-E6UW|%FRS=l+cc{h%#){I00#6u<~YO(&Sr;yo=CW6fF9Yb#s
z^t69iW2j(@Zriv~bIzktQ~rT>iD(1;;F0!0k#+%{17gG)nUzSAvy;XoVTDSHy%?Tw
zn}{Y2;7Mxnib}0E3eRi<#Na7L%tzTmz<Ej}vRZF?VNHiLY8gV1E5Z=)!XdQc5ujD9
z7J*(kgw{L));DVr=*4M|DYeU)!stpbkggUB#!QWma5Qexs0rsnY2n=>csE4PyEWq6
zC`R6`G3Q2+;5<7ion{l$xH-MYK*U}eW5bsNSE`Wag6KYt8#ihZfv1p~G*$x|@6o!}
zgH@l#d)!v*f#{$W&FixoLdPZPBnul$BPQ_<8!I%7IutO+i*c5Rm6sGmPizv=h7#_u
z>Ei{gBeN_|0>=UrR5s*AL9Q-wwsn9Db2*HNXevNC#)xl%&9nu!Kq4aA5;_X`=J+wS
zO(G(qH4{XxxK)r)BZ)x95DN<K7C~y8O+>_P6a+<jiy&0T^f`5Biy6uX9X7kq8WTim
zQCk<IDD^nNL+`YZ&our0!<sa%k4QPJi^}DhkQ>#bipEhNnawRBH?D_FxvEQ<%O@c>
zsfSGYsf$c5d~LO&24yyDVoYW;wUv^x7<MO&_96u&XPWKE=R{M(_b0Ih#i6r;m37cr
zDfs&6(aj>7Hf@f~u+fmk5t1Xr29-dEXU2dVy>NKU_lo2=$XFdDm;LN%B7q@>9B^1R
z<iZ7L!4al)d$S*^B#4*=FT&6phuM<DOw*Z7d=lt6lmw*E=7?de^XY1h^9i(8GS?UG
zlG(i-(E>7->KOxC;Lwqr6D0BQS+cH%O6&*HK^$VXJYok9kuxNyarwy*n!wE26~sGZ
z8I55>Q!i`5=Mk6N;rH3BWe!B@^^;h&AeD0omjz`GM-#f$AHyDwVo2+1?X3xPsW5og
zEQAArW^WaT#5}{dIp<57N0<|A$)N}MG6fF$uu<kms@Y!)JX&$VJl;YpMCq6fONMe<
zn1dh<n5`SYw7N1Oq|4(&Hr44Dq-F9gwk19@Y5*E`pOJ44+_ob~HswgNa-OM-F-L(p
z+_WQ*+H*){*q5}1XqlKdehU+5Oa&o_EE=^^0f$4a7YIxvr6LG;nFO10aDb^oD%$~E
zB+Ldg<INsVWia9hBbvkDj05@v39OYsAN&ULp+ia|(jhxW$C11&r)T$p%R`QtO&D&E
z)IcU40#X*{H?zqgj*#75OF)nPX?z|5_D}_-O&Cr{!v!hxIRbW%yQ)-R3O%)avhVcS
zKM%A=bRi_Dx3M~5#Jsc&vf;4bsAt}>haGazAull;J(xj+080WRw$Ee)l?w-9m<v0c
zD$92en+AK;xb4gc#o~2BHw;E8jLC;O{>;dvu0Q%dK`-h71@|z&y_w&h%&(C7Z6%=7
z5HX}fV6ad&(2%Oj$Te9EdRP)kib=pm`(QGG5M$6Aq!i=8dhYd{Xg3YkJL+RH&SYbx
zE&*}|!*9r0z)Q=RlBnY!l*;@Xz|+BC2Bj0Xj)DD8mZRhMex_>=jX?+0zi2!HzQM8k
zHnopUZ>zPQ3Zg<&MnaaxVh|=7a>LZ=l5JIt9B%B{un((+w_!gbY0A_lC+O<M#RaP8
z#bzx`FYk>L%MxfPxwTmh)${dvqL{+sxe2CF$j*mjNC2SDWOaUrDKG6jebr)(YVqv2
z?|+S78~LcX_0a_}ktM@VA6Y4T;M<EwAIdY1zcy=ai%Ta)&#9i*ByrZ9_f|iAA+Pn-
z(aolxOE`Gtly}p_HN9WC|4Ogi`xTeE^=m)hIq>eRH;<mVcR`e6UD=~=-M-MQN}S(j
z+BZ!Xy80cx_}r2FGtsNRZtWI#vNxLg<KTy1Di>9)?U_D(USN<RdsveC;ujxFhAx}5
z%_b@NgKsFen!j?(I)eZ4dF;RQ*Z+S0O0!g&6VtSqX2vu*rui{Vk!hAp6J?q!({!0;
z%rt4Hc{AS_uDk#5pAcV{WX@s2jXeIMyBgNvl(3s8mx>fpy-Fn2>lOHs!*ZQcuT;S-
z9IP?I(4JJTR4K%;N(YOH5~)F}6OlzfC_K|^)UYzAfPFlbNDI?(GQC)&)*3`csRCB&
z3`$t&gJD2}Ua5g~IJpe=4wX;^t<i~P27^|kRZBH0SUHp$5rs|$8-EIgUIJ1gqY{P@
zH7c>jK*k*<YOzvA#u#O4D8d$LR8l?u3?ezq&?$8aBdkLzL<*x;u9s<H<WVmLb&*OW
zh806tLewgiTG(?GDJ4=^`GYY%tp*kokr}0$FD4z5D>7)6Mp(B~!N#H#=9r*CTdR@7
z5Fzp=(TT)5jb5xaXk@T5sDe#ISR;fTN0<wg%aL52Rw9C3Lb*<f5;W*!8l4D4^cqmp
zE6JvxUJXox7&aee5}4c5YGp>TUM$t<pqpE+45b5#t5Hs34cXPx7*u-P8LNjzqg)Py
zj|PcYtdqd}o?NemRZNi<wgvSfJ#19M9-#=uBNiFRHl`FQloDx;*dP+=q_F%4>zE=H
zY8n;`)d~$6c+|-CYCS4XrPsi$p-3vxkg5XalE{d%N-k5VQ1M2+UMhmAMJY6hLo6P7
zfVE1EOexXoWKc*hm%<vRQKgk>)OuJ;)S#%<Vks<FibODgC{-E_Qkd+7=|Tw#S0$IL
zq{tdnnNvX`Au#!=G#FGmkxn6%8Pza3snhFGHz-Vl2tG;}BqXb!Vpx?#TY-H+sZ6Iq
ztxC|Gl+b$)gP$->s8XR8RAgCGCQ@pQFhHqCx?!=>pj9XlKupFt(V$>V5@iCLk|=yJ
z%v++-7-8K~Y=krHC8}XyQl=M(Q4wMRIz9{)FcM*pzcC|FEYb>voYoIkTn>{u#;7)D
z%r)eTLpY4#b!R~p0@e2o6Q^##H%uK2d_&i3Z+_4i3n7eJ#t!#LTM0SQx;mY52phKS
z<_=fHHJezxd3a=brD=z2{(-{_CeInJ?>6M1d-KY~MZc%_KXuAjc0u;qvqKNPdt}LP
zJ<ddbv7(>YA&X#C$MNgEeE;}8@4&_JAFrPN<2*bp(+xjzXF=#_Kpo|cs7(yJV<0Qm
zKq2;SIrbh|)5G^n)h-Ecc`<X{fE90jvt{ABODA0mmQpkU)r?N*{VF~fy?OMaKc`2S
zR=;N$wf@%`T{1EvBgtP_Wz3w@=83~^uHXK{v(`tF&X3UMbctX4Q|fmsm?MdsD?4p_
zEaJl-G@6meMz6f5_v*&h#m{uEp1;0*jrC{2oh$l0T5LVoOttCM+kI!Z89qk6c<48|
z_L^RWzn%T@P?s;7ZQr-cJ!<Y9e>^#H(XOv2e>S}E!i4AImq0?INvZmST^$A<;H&HZ
zK>bm1UU$ujeMI|&URnO(A8&7X>5C1g@7<B5zR=-9?vhC(p8Vv#Zp-Gp*8Fh9y${{K
zb&9ypJ7e2q`bTf|UR!f)!qR3(=lL(p+rHg7@0+P{ThG0>V0*g{7PaZ)8F)J8waNa(
zqpz+Wb!6J_6&dNn=ajxDer0#R#;bRY&)xP*>l5$AJ+btYblcu$h5h^AF{RbUeyUz~
z54u`9Fs0*dDznAc%JF8a;)+3gc1)Zy(EH?~@3*~}RM7R6vKdJ`7N@&*b@~3ukNPy5
z`{@*U+lyrji`#eFzNAYFm$FB4Fuvc0w^qy6wdtl#eC=>*+TQv1{^A)_^wXrraNhl;
z$~!7|Pj1m@*UT$5TOU8;GA+5Z`1h?pSC+r`z92Bdu=u_i8x{_8KKGufdB1^@Wo?gr
zWa~O(OrEah-XAASZ63YoyAOKjY(Be4wmXt(v*Cr<Qrbp(sYBfN!@9)onzZlkICF=)
zI}aJs^kD452~$t5zI6N5UAwwwj*EGt;GNS~p74(e^_M)21#RzYS#I~g-@^S+s<>5R
zw;%6#e!k%6_>3y={+(sX1MY3UY28uP*>}&ZeD=%3<A+V3!iVGUU#^lbnr*G#{DH=o
zuu`ZI-~R2D)akE|d$HB?KYg2&`SEkTo}4?NU)uIp6q|?kUVQD$76>8twh#Tj?SSX@
zq`j29<b_#J&kGzm+40ECi<hGAxO&Hk$AVSwoq1vWBJbRlD_)=W_+6&%QO_p`E`1}t
zd+xD!H|PfM`ndm3uYcLsa^Ewj?tM7vbj$DViXYbIJEuK$kapKwcdob1>N#i45TQOQ
zOY%zNRj>Na9BcQp{^4;iw@O~E8+a=C&fRAO^G6L#cx_PXinX0r%zS$u|9x@Wz=D5_
zKk^0icklcT4!>u_ZyoVFNc=_;zn{c!EAhKa{3a8>*Tio*@jFla1{A*!^>@?v598mn
zGU_wp0s9>1dJ`Xr9g=dEc)?p=OrJ>nK(!(M7vc$B4m5q8_`<xjE~|()+%>WE2=NDP
zqsEJgM{M<!8Hi8JT>DKb@rtk4*L*_!!ZZDWpNVIzd8X44;v4eYcSREKc&e}SL*gF?
z6E8eZJmh3#nu_?yhEHbBAYS5_zdT6%B+w{2mw3uU-@NQ5zH;af%@*P<8_XRZBL1@M
zc)?G^W7<pB#}J<x(d&;n#B083du}W7n;nn6GK_dm<kD8NiSKwOH9kSSr_9~974e^|
zu?LOBgZl32JBs+wj|1M#BVKfT-O~$*A04x;nn672m9@d4#FxHZ`C}aMrXli4cMyNF
zH@=WeJSsw@eT(?i6VF~gK)gz{)zXak)m<6qJ|&*j{#8dN@vQ;E@@(Q=n?8C|Li}s@
zfrFcfhnbgY(ut4FJu~Y#@v>Lq=Y2)|%$B!jC-JoRAJLp7zUDh=3leWzylL&H#NV#2
zJvW+o+?d$TI^uKQW#<<WuRE)@cO`xo)x*}Cc;4wPla3MJyR+)OwZ!|P&EAv5|K?l!
z{;+>|zrD?OyxnWprl}wGICEm(r(=)&Q2CMjr}1fHf8Ffq?0v29e6yG5?0#|QSX--=
zxBb4g$(#`#?vCr$QQo@z?#W}D^!_#YMbzv*yGA~+Y_H_4t$Xflwe|U-$+xwi|88M-
z-Rs)n?{7V{GkL%`$JP1$$LF5C^6B7Zp7-zXoD-Kgvy0v(6j~Be5}<2~#tzKcL#(a^
zahwr{(V^(b2Ss;`TzxOD-PgevLT?<7f&1^b;`mu9j^f}{$^EpN?+qEU5!$M3E{AVe
zq$?m~bk#9WrHH@@O>C@t=z$I>(8;`E7|U20#C-Z~g}8+dmlcbf_NXFKaNVEr<ehB(
zO4fnawFAB=_T5gwFg6OypRhMf;vl`TlukQ>R|&bRHobN6rNSsm6!b*l7<Rq<v1bUO
z!W4&xaHcpC5pqsZ7*InmFV6b1^8D8sWu^5*EHQ?gWMwf~Bf1T^TQX?5@_KQ9l3Nr4
zIB_04)xExHIXZ3Q(sfla*1+Pv9Xo8Q>wEoMdXq)XIz8h3yy`a1PqU7EJnhV&9#@S=
zvUgwoR&@Lc&DN;;A+~=Q|H=!oe}4X<G2`^PFT9@_MlOjyR$8g}<hfBlto)_DIdX0D
z*!p3@-_2Om#xXTke|f2o8B>P)U-ul*sBx2~&6>Ap*{XG$+uF8k-{JO-cih>j^IcuK
z-rcQx4@M@pPMBNZ3wzzuyAJ;KFQPD~2!ZSMFW$Bc$vqPPIhk{h5S)m3pkHwOh{VoQ
z&ol2~$n?0fDC6?&?F&Chy7W>-X7HEi$MtDe+4;(e&vc*e?<p}qVXJszYvcP&!dI5N
ztyB8{zVK+h;DR9|J|DC(W`$5HOSt^~&_5D)zid!0T=(jTeJA&=c%j>=8GQpi3m3n?
zX5^X)GcP>6<l^zSlbXsO9Nn$$5AVL`dEwH}-|pLeo9D|5GndJB<hI=NoW@_cfBg7~
zofW;F=^9<ux%;r{K|LPn{>i*)Yj%Iz?#CWi-re)|{V&Xa^`W$d+Le!O&Pi%nb9CI~
zZAYp)C5_uRdFq_esxj)CAMY3vwPv@Z!%&;})W`>px9`~J&QnQGE*gH|mA=(q{~lO8
z#ozUf{g;K}{9&1Ez9}!+zV+)tBVTyt^ssRqe6u?bSQ+z3c8|u(=Rd#Ev)r(1R=Q|+
zH{;?_-*h<j$M!B=TV<U4?S(#u<7x9cuZY$>@U2VPK6>1pouXDAe0kZWJEyh$Fzq@q
zzFEH2myWcxXY6kOOZ0@tt4`%#{^4N8z>){}avU@4O#3_cmT!&rtvo+vY;a;v`M~Bw
ztSvr^nbUr8%R7!=e5C2s`&#B*ocu_OkE1>=nl<c!&kH^oe0cktQx2}U^8EvAnp_)d
zb_|a-Z1C)xw)TVRk5L`hxvuP0o>;xx>^olO_FdYuYU=3UD!=T!IW_Ql=c4ykoO|$r
z_$FUXeC*r)fi8=`pP4Og(y>lpyu6d#bl}@Z9`zZzUc0~X*8byv`7JQu`_CTgpgOO~
zY9?ND$Be3<KA64mr_nW{^*{8ol`g3tUau+M@zJkCbEJ)*7*}%o%!&AuJ)Vy&yzA#D
z`-|syxp422rZYeM^Ue2FF+Dw5Iinv*JXXJa!FEW4LjyBMHm1PFhbPQEvGW=KQ#-zE
zpVXr2*j>{#i<P4X^XcI2G4t>B@4P>M=lz8^%k6VOLjl$aJj|I#N<!^QL1?joL&IW2
zLui6TLs1|LKG|MLtWjO+tkl}9nmmiYxKftkQ`-{t$@yi5IF(abWJ>Y{ZAQD#tw_lZ
zCZw98Q-h^JnZ{r$%Sv=qWEwD4$}i7K$?_z-g2RUK>Fg8l&U!dMZ_BpMpTGES=dKY?
z{rFgq4(mQ^+2-}r?LGJW)N${+=1nX1ToJok$Z8(l;et8%)0SsfnUX%zY<^mt*ZSG<
zfBhN`)DbedLa9;@9x`+o-bMlhH)LQeWtQy`8|xF<w_jBM0nr0v2E~%}6662htqe!U
zzT8^;(ee$)=X~M)Gj`+gt_OZx_0^_l#`P^WJpSP3x#I_3h?~2p&n4Fr>%RUuqD7~x
zv!)ytI&IF>?DECea+Zu6Hv8gZ{-<xtd3}~QXWxwSpAzq!)P0HNfepENJJg?u=64+P
z^MKx~KiYYI%9yCTsx*7gslM2>`e@axws#F4Go$VEuHldLSiL=X=V$$r#9NNUuBsd}
zYE0%Yk(u8<wJh_s{5kR2Bk%a$R;=Ee`Fi_h17xE<Sik>!O@~!eEsJKK_CDC*j-S>I
zc*|oOz4O)R-^6$MI}IPTzsKx{=Seqzx@y#ieOwdGlIq~pr=#Y?KQ?658%ZU1f4}YB
z*}b9)K4^K^`oycf{us0T!Fb7pv!h3ko_uaiV9M!6z55=WcDLiq#NpF>?_B=O$G><=
z+o`n|ADX0ZJ*bIr@{+{!yPfyV>-oI4=)GRgxlaFPo!_SL{Irjk9bA}RToh|L9JRFF
zGmE9^%UrF`xxX1w-O+S@$mTf%{utNYabZzK#47dh+`R?U+Uh2CnflYr^)Gk~@4Pg5
z?AH5c3^^R|obU;^PkBM#b>z#%+q3dt`#7~(aD>8p{My~a8qL%8`Rsr){`OV}KK`NI
z7xUh}kg&&VZvMdCb0-|GIuv>7*!RD6HC;P7B)RJKEhk*hZvKDly?K00SN!-rnF+$^
zh_$f~4Pqafl3FK`O$37=2nInA3}S6)+N5c;!B8qlHHy{}H7!a}ouZ_*O>3zoNJ~}G
znyQv$BKLWpJCkHY^!t5&ujlvQb6>B?``*tv=X3V`+?$G4&oBCK{pP6gL;d0PF{8%$
zPOiIix+8ASp!gnlKYz96^m_xlHXgv}dzEfoaL5}cD}Oa=r>E`4p(hb9U#sL-ZNjcT
z?dlHQa>80IAt&V3(dr+sIL?0gm398$DjkjWjwv==m_M_PzNp!U6Hjhz?0Ee9=B1CD
zcD!=E&g^crr;K@$)5y?%`@jl23ifpGXngynC*iMk81&|KMUMkRW7cP-PyfE%khkky
zne^iIf42mkKO!yiJJxYx_N>AE(=9DVOv;J={=mqM($87d?fWvi7kKYWZt^64PhrG}
zvp=+*e{;~<@ga}DIM{pXkLJ~mK9?U{{rTlZCpHDvbd0@y?B?mq-)rxCM9%G0w0@Co
zcjLcW_q}{&RmO7jr!$uBxRZ7My(zXImfG@~9pBl0M7O1TSI%DQ_~qYav8`)7sIf0C
zt%3aobJnOG{Tm!v7PtJbGe7M3X3H+0rtRC$eNl6$sO{`K8yYL$t#&f&*V_rx_gwfp
z+h@%$i%;kE-?DpeUd<<ObUm7QY0HiuCww%zPKCLvl4{L5`QF@G^_q;=?zoj&uxIW+
zK~cxgyz+sg>dsSlvljPw?QH$P3%wUL`n0X4nPSwg8QKGixTZVv_6=RvDb}~qmzC`e
zmya8~?c?ji7WevQ-s^*gU;1doLhZL-{;Hg#YM#9H%&M_*b#tl*M$GE>ecP~I5nF4$
zHc&C3e(jcn*7h7)?ZVAt>kiJ@WNfWSxb?=K>HEDJ|6YISlzZ<#sD0^$R!zo_`{IlI
zFMn%S!C#6U^47N_+gb)~SoY!8HDUX`CRciE+V7?XeS%x=+S9J`>?<!duY1(;@w6Qa
zuYb~epYhMk37`M5Y)1OFd(w+*C&dqp9rE+~&kk=^cB<Plvhr+w&0$$Ry7=5&n-SG>
z{0BiJF5Fx;<wDO#Ybs^_xZxk&?fbU^+V=fsWHWoJ_G)DFyQY+5zrQ(d)X7H5o>Sr~
ze|LX>k6J#fyKOK{o|5v)>v5^SWDTq^D06S;N``F>QY!U``SjZB_ktHL-S?o*(9V~;
zSYD`VuzNOcV3&3&l=c3p`swEhd%8t0NN)C3lghdIHJAVJZ~Lu@v%)&A^a%T>=^MZP
z+9mh$;m-bZ_T+qW_3yQzV}iG8RJLk8j_2G9Y&3h*no|M4wAb9}y5T@l#}2!C_yoKg
z)z9n8sr^+i1Wo_iv&z5b8vEMJPh9Og(=va^&c!<qHlDlonzz?`muh_a?yhz{&*V0q
zS!1y8j4ADIU9D$$`&7z@K4H-dUcBs;aB%I12h$h!`Mt}%1@{UXzIA0nugc?oJQ8~}
z%%{P9uS>N%cJA8iYMuRueS7uYP-DQ+@vW4Km4>S~yVP9&`1*{&{W^GGn4A5^y1Laz
z|25<l&nd?@{?yf{dbi4(eTV&VYuSSW$6u@4e7%4Dv~IN<nL=))em4F0J5@$$Qg^lL
zF}%TVjpr6r?B4Io-0>}|HT-SOg~dIRn&nIwIPbg2c9VB`XYSY3J~r>pFDnOiE8P6B
zZIwo!^n3K6d+Uassx^PLu5te1x?Z2WH1LZWH6KkY+HrS6<0E%gg&e$*ob%epKXiWm
zGe0Ta<Nno-M>Y?SKlE0U=<&*o?QzvMpZ>G!s`giQEWF<;rTw%KeqS`HZ5mUl<?OJl
z_q=O=I7YYSWX<=#8gsW%k-zH9IMp_D%&a}Heq@SNuU~(@*0pUX4yK;`^OH7XjoV|k
zXHHA``}3WR-i`g<{#D&CC%u$qI52#C$Ki4MUAtR#JOBIo4v+RVvDQ^bty_~d`t3z)
z9<AE4u>07xX`LU>ZF^(&==c7p{zi?sIxW*)(OhVJ>-dK2*WO>VKYHHglz)bfo7uF!
zbR>D*`=N*H-L10gRFtmWpqt^Bmicu!IQ9O6yU}-~WBz0Q@GF|tE%DDwwIW8|*c*Gh
z)=2N5yqZ0<U;OfC$er!mHrDPRf5q1SL_yHQpyPWEOupZ+Yya^Tnw$z;Kflq%<9**s
zogCKZreW+G-5+cidnUB`k`Y<SX@wiVIR4EM-`cOQNH{S`{Z2~QTc58OqWF45<qyK^
z?nwA-Y%PW6&6ip&35ve+&)}*(9`0y3#?<qr7514g2QGSV$zS(IU%1k>Y5cIx*Ak5h
zf1dc{!CU%i9p|1-Nvibmdc)(ogD>8{{mSY~W43)VY3t#NRlhCV?m0a7dv#K~1;Oi6
z{6mgZn0Wrlck3Hz&R&^y<y6{W@A;QUPt^CCcw@Z((QhvX^q8^!v0rzsH1)6Fn)Ik0
z(cQAF^@lfZJ=&3cC2n~4-yiAUSlOU?<iGwcC#`&>tsVI2oN`XPDGv|EDLy(k!`JKF
z<cHdq_nzC^Yv&k+q20f)HVO^#U7gUsNiBWayI(gfT-A5y@;&dLz537;(mrd#y~+o_
zerxqtD%;fT*FE1l(P3AMyYC0S`eg8}ux6LnR{4H=vv~%;hb=t^T~2LN#WD4Z-^bR<
zjZ;ht|7nv|6Zhwm4J|$@>e)Yi$J@6n=B4lX;=;oPiH%NgyEnS?*)<#IoepX>MgPkB
zBJG!N{e5ZsPp|&@Zoe8`9~FGpaEQ;;J{=}(Z2tM`8+Q^4rgiDqYsA$@zXirQwDZ32
z_fHka>Rm+_vxn$ITC57+-=)i-!EY}~*6!UprKr!U_iYC!ZW$cCw)Tc`Ew`S0`O430
zhD5abIKNqko(&c~9F^FirCE9V@e@<~7M?M+4<y}a<5wZP_BX4VPCa(BXU%WIb5pAw
z|MR>2O4S;B25y=krhjo-+Q_>DMtA(dy6*h4Zw@|)eWiM!|Gd|l88cfMH{O1Hy?*?-
z#)o&;(5&zHv+{@j6L!{q<A?9_R=qUk=M_C(9;^24+Vsmqe`-GZ{H--F?7x*>b>=m{
zM<2BfnODR1WaZvfW4#u}+W$HE+w_gSqYA<ozTM)<2S*w$>G5~qxUeb-QoA+Vr%mtD
z`N`vl#@rfP9$&q?A@b+?YhIW#?TYu{*N$~=GjVFybK_fh-nQi)f1%}H8zsfb71dtd
zqyD4XB*%xZO~_n$<+S?D@~n-cYF|ogU-N+Pju8XCp1<<7yBE67+12jV&hv*=Ke_ss
z=1FZkw0ro;j-a@%ttTHl89BQ~gTLC%>l{>L@^1rH?7ekhLq)?lM;{;WDfJ5e_`dqZ
zubOrL?#R!-4673qoLaL+m1*~?UTSq``}uwocgBw1l6pDq_pc8X9l04hH0j_6sn$pK
z$FI#Z_BE=Ep~+8vurv<%*YnemxhD%d{q*vbpyV0b8`<9uOtOp~rRa8OXx3ccPj7#<
zCMb09n0C=$FMAl>@1rMI9|YV_czF1$#cv<UpD-w4>8_l?4`%QF@={^wnC5pEq+D<K
z?tIPUlwVejUcPkLv{2K~-P+}Y&!<OTQ-1ezw)#t3g*Oj`kKIyz{nmupU(|hlZ{^&r
zc^fLXo$zvK$D_)|!*8b_vR7`FwI;&5Xj;RD-M_4NebZ)jwFjviCjAxXmwb6|Zc)Wo
zhps#Q%Z7okpX%>1s=A>dx#A~B_b9Vk*lxYhBK`5&z|@{|D@GcR?5VhAjNgJ6?RlyH
zShqzR6=N6X>V8^(tNOS*0WYn*dU%k3ox_KR{CVQQwJ#2uH!Li?JE!5W)0J;ln4ad5
z*r$7ynXmdLu1Fj`^G52IAM~BMd&D>O3iqu)J8y8*AA2?zdYw(|e(`9v9eqdLH#B;D
zYs_btYQ6PQx0(aue>;AD`q6$r4>|pHt4^JBj$QTdxb~+SZ;o5Bv_La4Phr$|KK*K!
zGyfEv?L7DJ_WEtV9lm~|B_^oz#{T*iZ=OB0?%<jamR3Jsdselt7d2>m;kBcR<5TLV
z?+r0;XmaSYX`k<&)@gG4?cqb`Pg{BL$2l91<s9xk{?EtN1}(g{B(!0bS?7=SwMAYz
z@M=p#=>Dy@o3G0DyfNyK{d~cOwFBBt{w4kXxTb%muHAQdvGw0}zP+}o8g1TWdyu(*
zj5WFM<lomBYX7?I!id=Y`5!g+`?*V(Pf}NH?eqKC!S~PJZ-4yqqk)emP510MtV+S$
z+FNfXd8At2-f^q)y7zwV(RKI}^Y5#F@?U>xuf5HHcUvpFWS@V3;l~R-F7!C_gJ0W)
ziD#O9*m&K(2Rml&zA!xUpS0mKvRmfe+FUp9Nwy_yUBP>QEIE4i_Q|1L{aQ{q|Jbix
z&H2kcM$a2;oc%|z=KV+Mqt4zqH?>0T{Zk*NH5;=*^_4xgLhbc;k9;)L-0fby7OPuT
z>aum+)SmVKX)>;nV?yRXb^p$7?sw_s+5bEl{MnoSLsSR4?SH5G+yQ=%FI71_alpy#
zqgU)WIpD?HeV69y0>(yv(0O^j_PxXA1$R!r*258dy2*f!hx*T5bmNOHq1{^^nKbBH
zc+#z!vEE*ve&qZ4)T>Y0zBOq=lS-AVgs$Cn)fy6e=30F8r#adNS05c3p<fbR|8<Wa
zPae3jd&;88A6*TRhII+9@=A~Mr*<FQa{A8911YfupVpYLBy4)OugBe7_v8AJ?W5|?
zJ^ZO@T)%&pyr4-KT64s2GwRHIJaXZnon9yO`jfxx?l(E~NB@+awLSbiEk8HxlCf&{
zhx;mqXH7f(X4jt6-`uW!rBB0p9*<khZ1I_~_L$tB@BP+#ewPDZH4E|o`PH<nKJ!lx
z*!x|__TTMqoV6&YLEgVV96xxZy2qL0+iq{@{kFN@+OPVbJ8|u@E#PvM^R14&s+!no
z`LV<f`Ahn@{w#0ru=S6+9Qdb~RQLRY%#ceh+B9ALb*sW#wPzGAuhy*g%5`Jj`?cV1
z<`<`j#cnzL!<PLuMpgRei>i|=+!$~8(K~39>V#(6y}YhhGU^=4%7~2peO||os~UfJ
zeZ|?l*8W*%8$Fn@I543~{dE70eY7(UeS5LvoFhv<eC2w(_G{LKO;_J)_}7hUQI{is
zU4HR$qciizo}Rv_$EgXQ`P8Y<u+5Wie_WQbrm5rKp?|;h&r5SUe%#@eE$=B$og6au
z4SV*UyR(O{?o?;m$yq<9tr+|MHCyj5->7dkMAjN|Y{pl|kKL+LYeC0~wx2`RzV_hA
zlR?|QQ&ihB_Lr}l9r*XhuU@Gzsm6?^O3%*|&z$(8b>^H?)*jUdoxP#2WBh7+fPF_;
zvrKKk{yC>ZAAP%F=Uk(4wzgl<iMK8;x&4kMf7^mZ+wvo04u{uGf5)M`Ir)f3{?B(W
zOnQ9IoOLbc<F?Hz_x$jd*Wr$1`t2R@%iPm9t}h#UYvz$IX_I^Up7q-JR=aoV)(oCy
zQZ)^zyvf$#!<HEZ?YtJp_q%tiiC@Uvnzn#56QT~qSN+|8Z_8}!RYT%;d(Nlye6e!a
zo=fNJtf=ppzgVj+{#s7kXI8^YOrBX1FE#l;UH`UyaCq&TwZ^Q~zMVMdN@Ml^_|1hY
ze;;3BO@9B}<wWz`@dr)>w_dumS_gaXCv6g5yfMg_=XyJ~cy);XKl(xAQzvHMO>3W$
z`Agro&dkcZ)u(mL2eba_-*)5&r!y9xx^75)ztr}#cmMzT_kXW{*Qs=-cb`rN>@R$3
z*`vzou>GS4XC~HZd4Hb%+s)VaR0@B)TE#jBuQTtyJA7R9xUo?^qFROPwhuqL;UoR9
z!B3j3I`iJh;i>C>i2OAu_VJ33ueLjKzVq2(NBlE7T}-**z2kb^(cZVtY#eQET{EI@
z8}-D_**z|II&pW_SB5@%(`S3HwQh3PaHF1aaLa}7fB&-X)L);aR!J_Kga2>Wx68W!
zzrDUaabkynsP`w$@)}xkNcf#Yy#l($x7vRH^=r*eg{dDUZ0xXmjlajP-`{`S@7L46
z{j{#~mp{zuX|4NH;&-~QA8ekU_+ISVlP@il>iiV1y`Q*zeV5slE2tda+kG1)J{*~T
z?a#1YuN1HA7Uk~Gm=o1eY)3uyetvo8Wz*olo}Y2gp|Rk>6XyPx8+WtkxldceNwlkf
z%I`S4+b?_1)>18TSgl4)@9JtcovN|v#8#6JTTKmwOg_lQpR(>so>{&XdsWR__%?fy
zjjH;RRIk{LJH?(>@qU)%Q&(!tW|q5o@x53M?%tzkH}PDbO|O?&`4#uV53v^}?(wR*
zpwQQ)Yrw0;x`ZFB2kXUtnJ{n7YOx2G2x|$Qck&}99;P<CtT%_=`ShhJA)Ei`-*83h
z&cwz&a!08@e)aswOT!1mzq{69NoZ|PxqiZb&eW|xc-HE2t$N4IK@W<~99iId+c;@k
z)`qcBjq+l>6&q*2bF1>zx06qqXZ`!Z*8?x+9D8GW&2hhf^5Maj`R#YltN7cDbKBFF
z%>43kcBfX|{?ea4(5v>2xk+!{Yw_z_uT%}Z|6biDnttQI+PCcPY2D~=>;3$FSa**L
zL;Aij;bhwy+RxTR9$r*oZ-*CuiXKzHLA5$QO@lw*v)pS-p~1Fr@#+z)q#uulKf0p2
z+;e4&GUDZlf4~0Ay5^m`zTf9iyZPzUmj3g_lVKT?L-#ie`lz7N;6JPMjtki2_u6;g
z+<16=eL!HHIhWouKA3rU``XzRhh{B*wCB5z(tkAnTj`S)OF!>@tyj!X$9w#<Y+_@d
zX*=8h^41H3?3v^5Z2WZny`;8NwzTf_@wcgcUw$$n`u#4IS9#C77<BS}^Iyl*>)G|q
zFRq-+xc#p3Zk09-Ez_5zY3jb+PrbG3{OYea{cYIKm%HcG@Jxu(E!yojIL>g$cC^EZ
zRy(SFZ<0Dr@*1n~{lT&SkB~QJO-=dm&xj-KzVW!#EPTzEyI#vb{q^-3El<VQj9oYG
z18bkXn-`D%?8S!%&xW4qJSuEuLE(tiMZ>eZMXFx;`=xy&C$Bi)BzVBFg|8;(ZcCgy
zq(c2owf!44csx*B>-Vp&-rSJ)&R-W69JrzHpI0IJ(!_pmocK=t>E!c1Bi{_Yexb!X
z9s2}bX|O)C%lFM*dtt`t#*csM@j;^T%R>j>t>fSK$jnvSm+oJ%OSyZ;N7)zGzF6;-
zlaJPn8GhS$i2mnsm0$ikWA$5ch4-plo<3;o#&%vi{VWNGzv|R9Ahyw~Z9dlh8vG>f
z!|`uVdH7Pe_YVWC`9Ee2-Vj*OtLD-6TfXSl`Wq={vv#q<9CrWC-r5yU?WwWoK+9_T
zDtWG3*<`}4(|`QdwdnP4H+B9ja{06+b5w1wz2AJ{v6!<D`q%B5JHO$;yMIp|<(Txj
zy+hS=XVQO}y)|NJO7)QX|J>Bf+V<DgVYT8{MA_z<ZuCwveDd$y_fnHv9Ut-gpUXVD
zo8D}5Z&wTJuQ%Ts`pTWEp9a2kf699ybvHNpL({)s!|^M=O5L|}S>oNsr+esfN00he
zUGL+cU;X}k*vRgeJceHwFeJY3yDzMr;5cb%n^2>**8W+_n(L7#4*M^fQ(@}ftsQ=N
z(etNT(Ot$|t6#lA$7-2%2KhW_S`>Wd^CNo}Ecf-gy~S8K$*|3qwQ$4Yv8$s-G+LD>
z#s27hR1v=M(d;YlsBT@Z-1F+nw_}o(ry|TR&zkt}-ygjG^)Cb0U2LAy`B>LC-k;v5
z=Am)zexLtI`iIjFE^YZw{uk|^>>f5RqvGV>LTBth*KB)G+DA(YW>)%g@Z&$Tt90t!
zDz00=Uz_xPXJ0$;U9WFy-`MeR?(wAcS?edf-u0yU-7gm0j*i?m>+@sxJGcM6|C@)R
zq(PhiIy=3A_pdDquEn)&Xc>}rc-O6Oo-oeq)whfI{};1O#osBFWo<e0pna*??9weh
zxrv-H)?-B9>}DfN+RHLGKW?z+4Y)IUtXI9cD=Kv#*1hqu{$FRGDz$XubC0e6?5($8
zU4uLKPObh;J!a0fOPhk;*&N<$h2tB`ngO0JtK$0=;u7DpaKDPp<&FyjA9q9Ui|rSi
z7k@9P*jgpmO|iY=@6i;Sm$xw|_V|j;%iG=)X71-2O6+o@FSDV?Ygzq*#rd6H{rg3Q
zL`N0BI98!5XHN`4eS$+d@*-Y(Zb{;o^L>u0#++*JH`dJfd+Q$GoyHm!+vj!u*xkQ7
z@g9ATx1FATs?nuZryB;^FJ4<b)ZM&~V!p@T@!@L^?dW}}`J*Pb@tazH<8I!)-M#)d
z8>FmD%DLESto3HZyDjUzANjy;Dn8FUq+s$VgTpI-aI*7HcK>F1N8H{1Z|+5Y6#wdS
zUz|_HZbj!Ne=kTF6#t41;VkiP-v8qIzhQ4sU}Tig`#g$Z%^IWl-v#i05r^`u6qo<9
z^mSRTP@W?<nb@Zn|E1bZ^wjPDSLO!Zc^}$;U~pM|;#u)u0eC7j&ps5_+p;Wf2gJ8-
z+%Ki7LM8PJ)oZ@kuyM1Nt=qrSwR^9y-u(v+8#8|5l&LdbPhR})s?{HC{A9<jJzszG
z?eVkMJ?g8v`ZiQ3HgeE5?_9nV&As(vzLW%QFau`s-Nt(%3dJ_4AEQuM;7R268$83j
zoB5IjdjFa)DH_4s`H~T8VFEP$o-gf#`aAhjRdE99k9;W(>R}?({+Tc3Km*K$roZwf
zgBE{aBD6v?v_HUKA%BRTCiwFxUy6ZxI1ifON@#}`XndS6orC85d`a6>p->d$OTkbF
zjnDuSpv93dS)q3kdO2;SgIZ{S{?G!A&<Ycv4W_{)MS=7f8a)amJq6NRRUlbJ!SqB9
zwG|7bINnmwS1OS9L9JJTln1R<3Zyp82`7w#T6KYx2zAv8q#S614~03@wLtD&AjLof
zG(juOgn7^+%&Qkj7oiyz3OV%ggEa^jOsa`{sBeUv@22aT6iDL#d?a!5(*o`AoOo`I
z{Z_=IMS*05SuhFabt;ffw&uBWfuv|dcmvQQ*oF8(v!3`uYhZ!Ytu6A10?E4_@qlfh
z9qOUA5AlWCz6H`ssP9)G<w7I0L;C>y<usmUAm-v!-k<_$3pBu^(0fRMR8_|_)Iu}#
zhZYzPZ7>Gfp$RI67Dy>j3p1brW<w*iLK8d(li+Qb1q-1CdUqh+&=)GA3#0(3g^^GX
zjnDuSpb@6QB$x@apaojtQD}n~p>a6+I^uo=?w|pt!8~{l8e@pp%RIw)XopEqF_QFv
z-f#;vk0QNc7Od(|xJDO9(NG8Dp#dgA6I=<+a0|4;gU}9bP-`rZZbChL49&3WE5sja
zp$+;&I}C^3V@O}9g(j$jDbN5jpb2I}GqgerJO}gOZRkCg^o3c_yA$rl6-a*247))q
zG(c@^fiw?V;3i={p7ayX@E){51tS#QgaWAn%$i8}pe>GY2>B%92~E%jjq${b4n1ia
z`UR(x?$Bf+f1rK_;Sq0M%pzXUdp79>^~<P#U9o2-zhTx2^h50`>I1Z_B|kawXN3XK
zlu5mU7B~;)eMmWgwk*OAwHruhsE1X%6E3KQX6O%XFdXK=7^wJ&@IWn0fkv1CvtYL1
zM)bnGY~1(2-VWSDBaDGIXcDxLAJF<a@$8AcT?JAww83a-hw)Iin{oq9a3!?B-B7WI
zc1f7STxf)Lm;}A_=-FE!nW17I`33dgldplK;|c0Jw0k(Dq#*oPIV7u~r$Z`)wn`2u
zrWf>cNa?}2Yw3`VLL<Bgwf!8DB9!p-cSw4e2UDQl;E=MR_W*}<4;r8%4F3l@q;AkM
z$RWi;Z=*vx2zAf~4PzaWE}Zbd7^shRNV}o;42P818_q-@)ImiA{y`%&%yLL8Vb*Mi
z^bnfnJEW*SJTG)ecBp-Wa7AJdZh~gG4_crN>fdxoH=z}J_2oI4_&_6!hDp!_t#6Y)
zf{Pte)qaFyi9-s9R+uQb)FC~F#$^tvO@G3%967YDAl%Tf(jf&K@E^uPJ2XSXD$)Te
zRy!o00r(I7p)mvfFbl>A`5K2b4|=a9zR&{q3HdsQbW%LSJgE2p{|BOXJ>iE|m;m!&
z8q|L1kSx#y^PplQ={X2{n+O-wZzjK?1!h4T+%4oElU~sK6Nls%h5jwrgSxE_={7V&
z&%wyIk&jTfoqUF7m;tRYTbO5KA7;Tq=)J=sc@M!p^o4ma23kKQp5l2Y;S{u>e<<!g
zBb}i6bK(h;cHs}S!!+o<hjI!nUyz^C=-o>?LJLfS+I<cw6Pn>ZXxfjxVLX3DdO`iy
z#0zG@E#mom@)cTOt>J{@1ooirB>qC}8S)RBZRi<6zWqQxLqo1ZY7m3{>kcUnCgtHT
zwEs$Z5WGb?j>Mn)<SVqobn*PRL&}AgBGPdb_FynHO85)2U_8u&Nl>pSlvWCJxCJJ`
zgU}9b(BM%h-GmnSSjb`3(a4pBQa6|d4bTQ-p;lEWC5dNffjZAZ=_u4!D3mTjBfJMK
z5Kk4}l?$b8Xs%KywHbq6b)ggmvtS%FRV|b<q4ovbLmO-`mT+ncB_qs&iO>c!U>?kd
zc4&o)YK77{=nZc}Ei8mO=sgbqU>leO!=V|*z$|Ej7MKF9Fazen-O$^c^np5f6B^)S
zXo9t3aSwIS3WH%DjE0Kpg;E04K{M3DP0#@MK_ff~O)w88!H3Wcy~YzB=nM0p9@=3P
zRMa57pf^l}T4;tkxCt7d6(+%4Xn_x*6?#oTAM}OZHPH*TFbe8m9Mr=^Xn<yDgqxrV
z?t>PX2eaxB?}_Mr5&KZ#L%Kl|JPIxFBDBGKFb^u?hzG0%6?F?GKd6P>paB|SQa#Ek
z)YZoysD}@sxgqI034dWUOlnjpr9)d|{1Nh($mhvCLtkiz0Z`{#C`Cd8G{Pj90Ie_$
zDw<L5guEs3gWj#kXJ~=mQ?Lhpp`tbVU=oZG&uu9G;u&rd&ut5(9B61yy@|&ijD#i~
z<rL=m7fN<$c!hMEiv3QcFVuG<p3nk)rlGGp`k{9Z!UYY`0`p)YwCO3o)5(`W(g|k4
zY?v2BxrB-^(#eDz8lj~(^&IN^kpDAC??~bSbubbt`jT%@53`{a=D@6e#A7Du2!o-y
zKj{Uv2GR#+LGM|(8$kVm2ABfv&<YiU3MJ13<Wc0S;E+No3)+U_9@<Bd4zmgOSke(@
zjUyeP6&6A}^qxaH#8Pje7V4oHMnM~l6XxS7f6xRi!W<rj7I+cb;X~*>f%wnm83sVz
zMD)NUm<G)-6WZWGXqra+=OKr_&<>-aemeOkXhPq7!Zo8%ng>lV9a`Z&sGmvwhFLIA
za5nK+KswAJU!Wz8^oB``Y3E*p?+_noNvGX`+9lMJMD##EXog1Uy$p9yv5NY%kZ{2^
zP`8@!LDL%Y6B@E;2cdQY;ao(#Hen9)w$c7Wdp6|-Dt1zyUgvo)`2e;1Fo(J?skhLy
zpZb}E{2=KBy}zQoLld+@8$1W?@HSK&BLAQkdcT2xFc@mBq#HCJCOx3x2>Jge&(H|9
zzf<mD)*Z@CGVY)cwA~}0p!a?Jg=RbX2`zt-k13?j1L6z4|E7M4XIS+u@}U4ZR5%DH
z)WKY6f_9i!NO?*{UPQh@J<Nhy33DNbo^Mmn6i=i$Xo86_37Vl9ZW7PRCz4$}L(eqA
z1%04d^+bw<HqR$g1~hp+kuJg{cn?}D^X=osq(hY_QY~nLe$Wnsp<ew&ih(wm1@qu;
zsHplx%7I##3-!<rP0;fl?7e`$&`|A(lnIld1sc7dNDrYEws{v;e<IC;c`zL+YTysl
z!rf30bD#<4LNl~O8}v-aeof*Db+8Sz*CTzPt-%xNB+P?(P|*;7p%!{A!QV#2587Zf
zG&g=CrNAthA>`U8(ruUr3!xo)FC~AQ;1ATpaA<%r&<IV?1XExV%z$Q?4J|MS=E0lL
z4j)5B(<f5ZW$1-ksD=Je2g9KO#=<0+1kG?I%z|5>1s;S}XoEI*6WSq#L!o`?iPQk<
zpbqL`Ff_nuXoT_51e0JATnWu^3(SHCp%q?)cK8q~d`ZXUgc~-1TBw6M7!36=8XBMp
zT41JlZbrF-d9d3G{A*6WLo2jE?-qm~n&4xo@FN}G!ySx)c`zI5T0W7i&<ed*V%~~x
zd&4Z40ClaONJpU!`m7>+Z3zcdv?G6@Nk@7Kb|C!k!;aK1XoiW<+J*81wOuI((9->h
z6tEh7FcNzAz&<p>L}-QCP~Veu&p;on1r>Vy70-dh3+jT1&l=pp7-)tjXoo3K+lz7|
z%%KG)!J{w>UW8V74=RH3XD#7?wV)RIK?CdtjnDv1Fcv1kc`yr_p+1Cq1g+4pj&z0b
z&^wfJ0QE2v8lVN5U=CD-;ZG*vhG|e2PWnI_)PF!cU<}mu#y_Zo>Cgzbz$ADSn&Cxg
zilDr&CtT0~jeYPJCP51{MN-Z_L|<Rx1?>aT2X%vJAH?%u$_exyM!Cx(pN11IXp5m<
zZ6Lg(NN;F2lHcNaJmLEYbC?0G69_*vPNbY{BwVl!v_L(y!zieWBfp^$CPMQf$_F$h
zQGPZNUZ{gvFc?~4G_=1#zCy*D_y=w9D9nQwp+1H5+{|+-<reDRru~D4H1Zjm7ZdM~
z@%J6{K;65<1LiFuJfEO%8PCwLoOIlRz7^PmNiYLu!E9)OR;YcCe1}#Tu$AYPln-cF
zMgBlj7U>D|J|Z65aK8z6P_dbM4~<)pZ^zzt+6icbIpTRI<uIFk_>6pqdYBF^yJ@#!
z9#rf=-xt&$=)IS61}!iXTK5xQs6R+Pd`kGgAzxq?EQB`by_58WzEF3V@Iw=fgjvuC
zt>-8=;`svpS<nw_K^ydgcGykGFA`2@h3PQq(i3SPG{ciH>k94hXP85OXoum@JD2hU
zjnE|IFa;)ECB4P-ZNd$0cL?9-#2ZFJ#a+S&wJ-td{~(;u0FT0?KgkzphMv1{{}<&4
z+F?A@Js`cH0j`9KzsWD?{gCz<YX6}eK(m8z??(R<!Uqj71)5+6G{bB`k0L1-W<fhN
zs){7-9_&GXsH;>Yr9lJCgf?h}dj2cOLm`J=Ul4Ang;v-N=0OA0RW6d^q3wkt=`l1_
zFOtId;xCMWHfVx&m;!aR(YKFyyjUbfL4ExqX%jTSebC$(^DhZ6Yyh>|B55A<Zc-%K
z1e+q?k3JX&tuGZx7V+Gg@Et&38^Q-I&;SkX2p_b;Bw^m6NXmdoFdJq;E7Wx)ouCDJ
z9mJl0krWNJ0Yy@lc!s;7scVts_Z9wi#~d1Z6iErt4AY<mW<s5w@Ipl(=_nXfBt;&A
zz3?B}U>-CFV=kVd*VpKU4WO<c@q>o`Mbb(kH((#;4JeWVtZ*Rd2`z()q?0gdIP!0>
zXCxd@JBDyT3%m{Upyy%aV~eCV&<+!!ZG4fWI6^v1Aio4BlP=I4UnKb+C4FHy%!6^z
z4ilkiI{rf44D@|Vxq^|<Jd^lA8?-_FtRkrp8ld+v>_I<hpHI5Myw{4PdxDAha~yYz
zili+t?+wZmw7-SFIplj<k(2|C?-ofu-(j9!B*j9-GV%plRuI4M3IBWKJ2b4q945he
zFb`%z%lk#rMW|Sfzt9XDoFJSTgdb)>qj+9J_@E7Lg2uH)(m7~YS0vRsi9Q$%bsrQ-
zX2JE8Uzi0Ir_j$;%L#?Yf`JN;dEOrNt5)(ddpP9{Fxzr0UurMx1XuDF@a5;vFKKVS
zl&9iG;~lE;iKwQY>y@PFS+7g0mwlTemG#EJfCKrG>`(}~gntSAbjV9SGRCtHzjS_n
z$MdDOP!Xc>PF0T6cyX)aM>nC!J(MqXtHe#H#(SAENaM3q6{OKF@eI=VrB?{l=u#^N
zY66lgg=vzs3gLGyKQHt>QF0R`+=Tpxn+nQBnzRa`8gm7~KuuBwmCd7yCIH2O8b3V3
zLzDz*yu#GvH7dK2PFudqmw1#fJ%0_zHX-W;ML3s=a4u1WXte2`!5Y8R3cWPC<cbj*
zb4BHvDzfH4H_d@+1I||B*7AM6L=kt_K@ieC2}-JnYjVXfjnz{*Oq1i;TVwMa4+9Yl
zFHdJQYHp*m%?b9aMOyq%>1VE>j4e0jA?n_mj0#gVSrz8NK+;O2Lohncr}Cu^+>0xm
zUo^6V$gT^4oc7@&?IT2fMTq?BE%GbanO}LH$`8u*FHkM?Z$g*hw5we3Y~m;45s$2f
zD1-k~eDbO*Gc>oW57pSKD+hBEq(O3nn_fs}!ayOI@th#w0p*fk8~pP5Az$h&1jH#_
z8L06|RrS(nlRc+ud;;adfsqJvG<Mryx43KsAd5%lhpdgOY%CGwF<sSLqfPbfrSVIy
z5UDYHDDPL%_)#WM?JRA9{GUw98EzZ=m@gf8+HJ6K+uP|j$wT!b1=bH)iQ{15e<VNg
zeX-25`O*l|t=#mI^P{)Oj|h!jsj4H2e(*CzKSbygbv3|Kp~ya;FSX)c)YW8)qNuCF
zEDAI0bIeSbox>~%dy0V?oieV9#w$>*(DIm$S-^#SX^Jp&>clWeJ%zvFcr4151v@F&
zdC8Ry|Je@Yc_{Oqlc`#C6{0Kdr+i72r?UR_#Xk`jZ3Ts5H+Dq+JMD~><0<mE8)i9}
z)e~l1B76p9=a3D0Uie7U)QX`Zor5(7<)d;_IY=$*%0$;~&Z-Q1UY^OiTy36F^-lR&
z=Bz`v(N%bv`XYzaSw;(yd0i=$i8y*!q>V;4K-i;Rr7MF)8K*!ddoGa6ctmOZu^W!v
zDsDOr$b#Ku@tDOT(<A%z=`^8DbZ@)mwxG9$Je#7q?GdT5d&EF$rpFlAn`foLB~Xqo
zH&^?RXTkV)4*!xk%abR<CC5Ror__sN&oE7vhjO%Li$}P|;-L)ZCJ;$f6}iqhYcQpe
zy2`HseT~o6|82OHBHT*Ctt8yE40*~}NVt_E+_FF!^Pk~P$G_-noJlGt+!2~2rE;t$
zjUbzq{7FM$l9J|L)b%pqJ}3If>-kcnl5$gCzvoJCt5TV&$syb}rLrG4;To%QE~Hmc
zDu;7Jx1v;zcwWFo+Y;<Wz0Av(8oTm$35_i68f7L`^m)k@`isENC=R@#H1K5_I&}H+
zTZz7;pYx@&+>1Jws#LC|2?$e1@HbQ~S3ptM4q`9hmwf315l^{~k;epbxe5_|jC=hc
z8y=P$iEy>>)2lM=59ht)_N=(v)8h^=PF?H>dphi`{2%Ozutj4p6MNM>d64_3(masE
z=00A@Qz~x~wr88$V6`94H=)bOnX^~97rIi(6Q5*Nm_|EJ4qc$eE9A&A(gI@}b`!8W
zL)ex3sNSOf%4J^}T%|ZR5o&SYOYX7c@-F<TN=4p>+pfZGaT>VXj?nl7yZ3Ja*gc8e
z;_;(!ABpTDvWexmSB8};5N+o?>^9*1T(NtRw&}?Hko6bt<*@e?@f@zvjx2Gk#b`J7
z4A_ej_WFwSh@x~HBQ~kZI9eysZePSsI(B*sJJgS4B_Z%~=HWxkteE}lGIOP8KaG|_
zfv8L*sL;`Xh9HBpeJe`rDbt0HeLM$X*5GcwB*Nm%U&{PaktffzX$;g<%DtK#6?IHC
z9a5uIL*O8u$H5?BVXaFLRV)bPMz~PU<R(N|d5fC}Bz-j($<RF2P=u;a%5U{U)GB`!
z_QQk*>b0s5mI-P&zlVff`%k{~b4mM9-dI|0AA&VT)nMVnv!mc(wa}%ns!$w#lrM!p
zt*f+cm+PRcD?+sGpOmXBRINo<I=XT=(>R@bXT7J;B&(ET<Q$=|Mr^@OEzUPCb@`XB
z>@Ui<LA344L@{#G#cKQ_$;zQ6g*{kJE7Vt`GdjmcCGs$}a$(6sxO!a4J^gP3{A%z5
z`COPUz2yoIWoRrdP;WKGO_+DXe9P13Vl>lBn1|CA#$fLAgz;iEEX!@cbIV9Dy^*T1
zhh`rgpOp@8pGT08^iy&-3Q05!L^2x2@f-?cV3bR)%;aV&f)Gs(Dr_G8d1mTi_2^e@
zBe2{SCPJ;!3vVeNvQ^5I>{fWMoFtTp04W!6CyVZKGaAXjVnIAN1_Z;P2%+*AH*^3v
zdX2F3B`iUji~REF!z~^YFclh&P>$j};rjq2qg;~Va0t(_P$+cG|1`8uoF`@Z#?>~+
z`96q@9!9=7+ollp#Nu1guH@n-12?Y=H^jqxyv9rPR}YaZs&W?9)nB=nA&RS#(b;^B
zzMov^m22I**gk6I>+a7X>U2~ElfRZ13Z$uwJDmA!5N!eDde>Y>ZtGq3Nv~Y33Gb&d
zjMjvQYxJrr<yT)k%9O25)r1FW^vZ$q!$RjnsQjRe(1Zt~VXB8FysySEMt)N03BozT
zW3I^=KM_Bgvs7gtXMdqn8l7dF1`Z$QmOKPfLjoc-`VpFdP>s%pGanl1#99T?Xxckx
zoc^PYFeoQ#qI+wMeKpZR3~GmKqWfx$qveO$<<|EQH6xdD+Z5#^O?0@%$S?#LR63<5
zdX~l*s)-KN7(&Z+6Q)*u=pp+!LK7XPG0c{OGD^OmRYenR&={%DqCLMyoV*$oIQxX&
zqEC3eWGw4do%)QKTvo6v`ltrTwjleKdvS?*m=0NN!vblDNLzVqLQI&z#AtkCHCoCf
z>8*@J6s%q(8%&k|if&0Bo0@Q+BF-z9ls$QDDvz%hY5c+|e$n#$k4cZv#d1R*^~93<
zP%$<YVcUnEn8pQCP42}N&+jC%IArgNhMxAuH4Y0c8Hb6&J)q1Ck&dFGhbCZvMsJjJ
zB&^KzvzJ;`i8A`stdhx?4llYfnMiBOS9ZA<{<-RrsFNcJ@iTQ&gxiFhS}zqyVZsfU
z$d?pk24n^ykmr5Qd<o_;3$ql=zIwX7#}CzJf>q*)a#_hkFSRJxPTzYKr`K)t6gDf6
zUKW0EiLewR^W$u|yUd#ejY8H?w&k?vi_D0uk((?4Sv)eWn=BI9JY>R8aS1<+$P$o|
zHS#573CP5m^rmjIG-R2`=rZI>*vmwgQATD#wz7=uC^9p$+HP(yy7ak+<(^AlOE-IB
zL2fs0-NRQ4nH8C6L&YV+;>W{DWOZbTQ`QaHMPziz@+IsUkex#&?!_e-i_C@$@8wI#
z<{`^P21;b<Jlsb1qMIxW*+XQa3l*0bbL>WDNA{+x4lQ%81(uFEO2^jBu~n@^6Z`D=
zB~UH;0tJcY?^ht57x(=|osrjM7%!)awYFq2hY*WXWo9ajC663Cd5Xp|xk9REx@w6i
zo^t%rcNBfa@fYEZMP^0zrtpJ$vXsdcYl3}C*7F81XmM6C8d>M6Pq2EZT<1yzI2F1q
z=<;mIIc%4%WkT0dvA(#(vvgh&k2XXlj>8y|JSC8I6{0HuT?<^gT;ZbMa;-BGE;<ZR
z^-DCB7cLRka0*5|y4=fK46-<6?&ZUTEY?jX@*oA75m}-uKg-PnMrvj9Kxsh4;u{U9
zGtI;rkqFB<^qE_g)+Lc{w~?hIOXS|!HWDTGIcgaB9E3tz%MyiQ>ON2V;MDI=0kxvb
zJzn9+4kDvTkuMRB7-TtRWF}<ikh!-dDai7Wxwi)y$O_BIvXS|;e%hWDnLjeE(_3f!
zk?E0zy2)-MOGM`0t`#CnE92Ii26<%}nJ==eGO_?<*~r}UI}+IzWW{w=q=6CHCS>mZ
zCLpsQD_%Df_R^3YMCRT`WFpH!2INcFv+!^ZSt~c$QDk;xFS*GsBCFb_KzhR^6Yb1B
zWNFAOLZ*z@c+)Ejot|}>54A0D&aZhEG9P4-$clA}`Dq(uamWU6uZR%is^}`mG+zDG
zgXBIwlySf@Ka8TVmxaA0!k*kO%6&Z5NXdZ2)iW{c)?u84UC(v}(q&<{pU}w^QaPrI
zJmu-F7E^ZbU_1#?)8sJ67h&6t8w+mS+w2@<2i;^uRgsG<2U&4=liA_$3O^#RWk1HO
zYJ1-65Oq!-$1rA17V{|O6~f5qsK3U`pqAH;eaR?;u0U!p>{8X1i1xN@-MQmzC`#&1
zh&uY28jEu+zXbH@IxvRfUbMN%N>gzHMjSyT;+TP*c<gi%cDMrgWh2W#W*3cZdEua~
zR(UJScpIYDWBoR6BmJo-!mXSqrR$oa>gTu*>x0y)%5)l{A#e`C0@eOFYg3<ouv3Ba
zqZ9b=Hr^ouu6zxZM{6ac4-xKI+}Uww=e{J5XF9VuT+LdhcOW?&E|z5EJBH@0aUGM}
z=q%iB>RjO53&Ky=eo~peAZ4aA^-G%R2sND-ZDWZb2Cwgl@COu>>>(^=VSs+9zi98n
z#lDhAh$m$<g^Bn))diF%k@o~6nG~nJ%DXcnjpca<X`HO0MOAHdjn$ZV^i_-HD~!3P
z?Wato;Lg~!Kx#oAiM(<3=fts`wG`G6ma+`om-XNguH|4=pprYbEj-wSxGhgLmD${g
zHREU)!rYTx9_F`pW}1(&ki?QKimoFZh;Sqn3(cxp9^6erG8vA7%8}Ubjr|}NErVEk
zl^3W_VJei5cezt8XM{oFE3;3?(E6$f*+{I0K`{qb)e~NfM$+3QQU1bBAc9bt1k29N
z00biJa<Co<H=#&oz`i2n)Y024VcR_-)vEErltpJkD_o4_CJKt+i-<)E`|E{$5r4vD
z6=CWltQQB0WN*W-DxH#76z@2dv<YKq4p`C<Srw>O4&<(vn2%sr)Q4`u{@?<sWl5bX
zo|7}BD5(&^YNpI3!*S8(iFaoeyn{HW#9fqF!(rT!%zCk2WfXOfqT{T4LFy>1Z^2FE
zFvd{qS%@~nwf9DwD%|K){!i7{aJ7=P;?nxdDo3139<qrMn`f#jU3e|p8AW5tAMYC$
z_hX{{u7xZK*#?mga+^%Nl3A|Ps-}1p7u{Y*jtTdA?0WJZ;mh2MOQcH_G99w!u6dYi
z4@KT5j9@ig9+8#?PEJpG{S$Y7;|io(LXq4iQ&EytVqNk~vA0we#cu4`u@_ikkL7vV
zkA74r5vFsPi+2r0GK)*dZX;`hOt=@9kQE{eKvvwx37NN+@FVNMy|{$TS4(;z6HA@q
z60!g-;|XM<%8E<KBDK_iWDK?BOUR5`#uLbj(?`e>kXhYiBF)o~-9z>l_fPkk$)58m
zKhCnyTOEz@ZtPllSJJ<-)9y0mppx~L(z5`?>n*Ag^a$nD&OT~YW2IPxG4ysWoyc+U
zZbExI?dkCPBC{duf_LJQ<BzNm*)*p}?k6LWMe`1(eBPk69V;_0ajk`BDOC$8v*iR#
z3}a<|ndtMHSs?x4fk4(L?;*(gXs@3>^I%jKma9!(F>tP--9z7&Sq0K45oWpnVozQ!
zUz1B}XgK2xS7nvsDc&zXhnua!4VQ?!KQdFo(_^)8WQoY!^En3D7G$Ci6qhJ_CZVs`
z9&7iE;aM<c=!BWjZN~f|=I&$HO~`b!X=gAOm$0`FStPQyvV=MdPa=y$Chm)`6mD)J
zHzAKu@<6<w>0f9-O3oq}l$SNpq4HW5OHMR-0nbhy!_*YXa^xZE>E+5fFe1VnPeluu
z%etH^a7i!;Srjs{mf{Q>eezP#*0}e5@*Z!n#-tpfnHQr;qIZ}Vsxgh$%v-=igl1ll
z#-y6<p_v!X<0Sb}8CY&<2v(1CY8WirqP@XePZ}TZ#k^C@y|Y}<?xc#n3}tFb!H7^R
zM8BZJ?r!X!7X!1>GG3;ycI`=9Jyf?mSOgAX5tuy)Iy0+>GP~S>g{xHq)vonoww!b5
z+_5{Bn>jcRg+W44#7#d010Z`M9;zp7a?nxQJO;U}sLYkQ8-=6~WH-}8bw}74fJ7`v
z%W6h)(;va>Py|YKUMU+neG-z{JPVIvWH~l|6A=-TU{<q3=~G2_EqY+Fa<2Nc5~c=B
z*}joAb|ZOWno%CVE|89k`YYEr>XvIijUp!!x3m`sQ7gC0Yp_$~HCRz+GI9UdS|H_f
zFWkGv-SXOmyss*hP~yt2&Bb8-B5n_U!#afMgZ{hBi+vf@7%_+tqY&i~`GzqAE0E>1
zPMiP{=T`!nQ=X497S<N)FWuWHU56+x2TG;UwWVw--ccrx8MD}wY=|+iqEq}<w1&^t
zwFu_mIW+J#u@C0ljK0VX`wB{e>XHO;L*6JCx&$MNZS>_P6zvmS76gTF%DdbcaY3<R
z#mCA?GpEitNd7Bv<=hmfs5ry7+mk!C)7Xx3Ng7q>P6Q-WbCF*jgG%DDje^3aluZtu
z@Jk*O#I<0&bdx;-l8bXM#pf#I@rzPl+`loXILUC?H9`?>Mi%Z8a97;V-bS_?SrW1@
z#h~GTQ3q|sMOPGiQEN!}9Llk?(umT&fag9uM?$%Ru$o#<-cw1JSHKGS<{?r}wmTY5
zLl6Pwx}+4|g(D%csWH@!W}<embLla$*v`m`F3CJ7`zX}KVP!rf$3&G8(G%CxXA?0?
zu9R9ay}}aDrK)A3Nf+rP#;@7$m!3rt^)Hvk&Bx0jMF?e#r<RJfy(Mh77O!tn+L9}(
zJScc&COC}iaMFMd$FH)(c^-)wamhZ4mZ_}|3D2-NR81ElMkm~heMYgT&TY8Zj~C%L
zq9Y0&qq$dLEm=PBG*sP>elNn+?}@OcVJ{tf-wJz-Ipy(fGTXd5YzqBs1O%&<X$)dd
zvPqE42o}!>19B1n9Nagk;*fd>_gtd=$VC>8>=Pl7+mF(<O%}G2EA*rN5KD#ZKG5Q0
z17)=HA}xJbU^$4}Z6$4&+$YH8RW*+kbA?G99*D$#IQF|$<^A)jPQP4zZ0WkB+{gBE
zp7*mURZ1}^d$zXAV;>Qp4D?0%I7-H_qD{+27LBZi$n^g%_rY|8%6BwrltZ(}aL8#H
z1m%`$V(jb(tF|WI^>}xmXQAIU$B5AA7Z6|PlwO?u6!Vb)?51NkM5GUPm$GA3e9qJT
zjHayuQ^t!Gn6y=hfq@zX$sE$8{U+5*rswiL#Zgq5(VJ4=A$>2>u{4gQ=}4Nn&bf*>
z8j0FSqS)INMb$J9?!-C5Fii%(EPh+~S*YGg9&`W0OnJWC3<*<@!%;sJ_Jhov#T+}0
z8fqqKU4ot52rq?!NauKh9^HoYY2lC@+&kkDSu#eK`v>{Fp<EvNXbgii(UBVCV0o91
z0_iFkM7kt_`iRw$0A_E`%(0#IKL`IB@VyO|IOI!|mt16i$TkSc&~n!H`)G75$URm3
z`>3B?RVJ_8SA_$`%D)bk;+sJ8&_7A&m*;EpdPg6|O^m)o1)(MAUD_y!Fqv?(8#j^9
z8;h3aFXu))RHH>>%2_Oa&gNA)uiQc`Dvr=^L;t2$4(a%R_WOOD_0aC2I^)3tM<@#%
zeW2X`pDRg!8p@LN7X>r}{knFHwc9zQ=AJy18CS^pD%W#)juR%v74qVQSZoM(`7=r^
zM?{wE2ebC1;&qJ@>uTkG1|(v&rJrkHBGzW)r4KYR;APPx&qKUks5nX3wshdzAtLUj
zb*KEXseyAX@~&}&CN5B8Vn=>lxq<4XR(@En0jEcTWCg*RIL6<D*!Yf@pTlH@JU1X1
z#`esA{T&j+F&atMaz#6<9a1viNy2;+=Ed_SF?SK)h_WH8F5I{-(I#dizleO9OQwZZ
zWKpj;ocq>t|H3kgk|jG)_Gp~_v2znU7VIn%?&NYRpR1uQSBAKkQ|?JM+%d)z;b=f1
ze~deM?Vhl6tVNcKZ&N8cJuQz!6p7pmc~4O`{-^Y(Yz!-Z#3%Ow;i$+I{=dq%PF!uQ
z>-@gl7RvK{)+<ZeLX(me=yG}#=D(sZ6yL$h?&^>xy2^(88a7Qzas^s>aRU6Q#(;DX
zQ5E0H%Im>5Mz|O8a`g+$kL0x{aX7Mc98U)^4{Oo5>DJTX9J?Dz)@{SZ*n{>&UTYO+
z`1Oq6MVsc{8H9+oP8a&LFibuB8H-}Lc<Qu4qff4wS|QzYiE61*g!deNTk(5sNq8xB
zshj{Kyd)Vb&!xc?%L5|sygD+5(mNz&N#9BtdFK5JSH0$Z`04WVPCiQ*FXE5Bdx3ms
z=;^$BPF++^l{)|qa4_c<C%4LN>1nIW=@|m$^}!tc%MGF)Jndg;zgb#V!Z=>S34wCT
z3JdQ^nmB{TG(=Qkqo}`HDyC;J-!<Z1)SYA{YbCCco0vQ6G55t>UQ=-|8+s)tDSVs*
zH&R8|72iIK{$JRQ#%>07)3KZFijRAF4bzw_%acdBF%g5dAoUncM&;g`tjbZ4_cAIg
zS8+rCUwM#AfKGAw@Oy~vyby<TjZbbfrkAuw-ZU7Vp^UqPzg*t@e35yF@eL|j;?xm<
ztQ)fTgp5+HoJ6uv_J#f^%&eGwQ*6fSbMYB}6J`nFE_ZTzM&LNY*<Mi?g@5APZg%XX
z3in(>Ccg6)-<$9E$P&DS;+t<d$oiJ#x%`evd1XwTwLd|g(>s+JK+xKVyzzR4{v*Pr
z%e{@%iDScJ@JGAoil6-LxITQ_N`yt6*b&RG<go~+0X@NyrERyE1H>XTAd|=DvTk`@
zm-cr?@hCwabEji34tsrtUb!sE^_Hd~*>h2GSrTSkqHG?-ej4`Q7Ht|KOjfGqs0fOv
z(?&$Om_P2%x0*!y$bGfEeki9;=^S0I)4f?hn*Y2i-M75Df=UrLJ?lVG1Nfd2_k=;u
z$-nSk#Y?JDrRfrfy=?5o342^3trC%W4RlCaA>a~a$Be8NGI>lDA>zbwGOyqxQJ7_8
z7KhmpVR?{fQ%N89`5d{MT(PgS5ic3JgsR1^>r)MEpgO{Ne&e*9PM)2q59sY)QjT!!
z-uB638rK?}UU{J0wj)$cY|Cj==tD$(j>C_GgB;Q|5q9#{y*|tR4}K`q2`8nZWG)t>
zW}qY_B^5nf9VthpL?F`aD7y7g4r!RsEy`mbXS$1WorhTpX1j!0X_-PN=VdpP7ODV@
z#kT}~20NVR?&Uoex%|m?IX32M%vh+(C_XwaIw0rVDIB*4aa*Pxl=pNvspxX+%=ZNB
z+OgYOgo#V|Exub=bqHly2;}sU=c=^dZs%}#ed4M9xwo^<iEkYmaobP0<q~D<BC<?m
zlVyohb`RNOWMZjRTr?jF#jCV;Lmko%abM~$eY@-31+gc(_-Sv2y8zrJ;_kA`ooh@W
z*Hz^v63cnEK1@BVc$V&Lv&458eWM-Hi>|Wfe%6IG{p1SFNtE9ZPxpf@A!?2;qq?ME
z&@bWdL3BMv*S{hRa$BlAM$U(*!}&|QCek4fJLiV+oi$;HOUND~OB(KwewHP)<It-M
z^M?@*>31PpR5D(nt#E(mQ2DkTFtWzESkPM@fcW4f9QRdY7+(qZ9BdV*az&d+k}F~{
zGh)`ToH!SkeU;LqY!u}+m@M1|k7Q2na{J8tl=2!5$39h^Xuir$t3%~?=We1SYm}>v
zlG|Sjq*z<gmY#qOR?~=!Qc5%5OWn8lRxTsHT}emWFBEYr?Hec~b4uLECt6+Z#Y=Z0
zO=588H~QH$5oYr+ODxAsjKx-BX2a}?E6(oY-qLp4)gGBWRDq)5ezs?$w{ni{ZlcdP
zhV&Qx1Z8{~6PKsjx6(PMd=9<of9TVp!k+@8i*-m_OY)QSbiK#Oq_3vfi7G9tVQLZI
zINW59FKMIn#ch;`Zwh91%rdJyCw%hQ&9!f4R;d=0A3k~BApAOqKE3JLbk}2M$805L
zO-srXh54C2B!VI0?PrUVtB)7oG)<bp93Fk*5)|JzJ%~&`oATdj%o?(XYOaU_>0V|u
zBCkb>v5oj1YD|Jdnp#o@<ng#Xo{cEG_h+u9{JY#D&_^ABuA3sfv-#E~_hKBdM4bC@
zo!^n`Ul=<}WzRTLh|ghN%b=y!9EbF4IeAlB7K`Tv8dY@p>w26bp36#uhIg~8#lRqq
zUBmH<#~K5IL6D^fjdD3R0}zaJ2~@+C-0|vLwXwxkjNBBv;Y5UnzQw6k*pRhucG-x6
zLMsa!vWp?EXJ<S7n0U2G;`^pg*NM{kLTQ~4>ln(t<z`o~TGR*e%~=!QI$bN$m%MlH
z3s`#dQnGv~>O=8lK$MqxxXH!MxC%U!j?K#VpZV6q^2>`{=0zTh@7NZmF<0i^na7NU
z(?uKS>OWcI@lbwRrUMO=&%k=>8Luy<K6~L-F1w}U#M1qAxxEpuAF0lipU3jM#-e|T
zLZ5a8-|*yKTq3@4deR%&`KQyn{INQ3z8osQj?3$$2K4Pi-@#Q5siJ7)<S@(orse75
z_>M}IUA{g!%xIAN#j1hiOIGPxjEIXC*(PM}<5quUiVaWO3rE%lnaB%q3AZuGqLImK
z|1OzH=tI^}SmF})Qjl4YHIgMxSq8F$$l~2(*~ol8ayZZPx!hWj#UhJ#vv*GDL&or5
zzS{8jHnLn~gM_3^85QSVOA05(B1}F(^yhrv7H9G$WNnazBV&nCzI^zrM;2RbPadyN
z6T2Vsd?p6749qqN+wwUYDuMjoqH=sm$Jt9gLX5?Q{&ej7Y;s5=gncd{%M$vLd3(qr
zS+*OQadYXsLD<Vd7LTmA)0$!n%tf{ZS(GSqjAvc_o?ORD%eAZRGANgnTg5}vgf$@W
z2u<}dJ_B)*HPKTHe@?Smaz?D~D)Tha{WQh_&ZUcJ`F)dq^212cB;zg^cOlQZ``9%F
zIipA<cxk;TFIyba0ufKb`po=5j6+#^aE%MY<h`0Ob!eFi%@z^f`h^{#!8t}SPh#(s
zn7A?}c*<$GI??Gr-ih?{3daAfPmdEDARGHyzElx&aS3}mWDl_?`Y3Vf_yr@=ZR6X)
zLQtk`i78=k_vVjLiKrv<aB~tj+gxszi2W1y_DVPuQE?ykGO^WTe>ZORd=q)Q%dPu6
z>Pn`6uCg4W4&<Kjus{-~o>eTyE$$wpBO4vE|Ez7si#a~?EI#z18?5mr$ZWT9B$fuH
zFX^e#vHvIb?0WG94AD%AvfnKPW;>kco#b(0WQkccW(_cFjXh_Y#FnhFBw(h)tg<lU
z66u<TtW6nNCNjS=G7B<aWYuJsPPa#qY0KEVh)noj?1u=i_+J;#3$It`^TX?lS=sOg
zAS)Z*NMvQhYeeQAUJ;H2WFowEL>$Vbo7rW*ymZUPEC6>kg*z^hZdPQ$ZZe_&95V5(
z?DF*6F^j^iJpEO}=%?It3H@4R32ri>-yd1hbMzZ9OL>ld@$L2u%!>0w=ubknvW#pc
zGIJT(7G&vVWa1m}X=P;Md+@^lVn0N9Zz6kMc*R26^TOKzv$Ek8-<dBP-e6>9!yApP
zY<T05xrbMTEeV<Mzr4K4blESPSG91r53@|%HRoQu173Xg(T03?+4v)~JjV}3Z>RmT
zeu%tjfLV^4E+Nw)J6c8-jLcd_7LDv+8Cg8CePv`x$lSy0iyteIiSTyf-dR5)T=UgY
z#pes;G1WoriSXT3Vox4JK6hTnl5r(foASqP%xaut;;Ipp|D6u!cN}DWeA;QLIKS=w
zZjtLu52MMS%Iz=%<@sJTy1Mb*`2Z0Id5w9F-2VCTn1GoPvnejKRI!dH=Ho{3K?~7(
zJNK?cdS_vG6Ly)x$d{1qMrK1+ygw#nImmL6c{#1gZ9^`yi^wXw$?V9^m9gj9$EmNj
zn>`<7LSIvtOb^>2dyK5L=%eXZ+|T06dpfSQ2wv4^jZjSO=)6kSA;aYN<xS|g`B~|D
z(=xF*=KlVcyw(`z+@Cc)|C>Z2&Ii#I{<)*%ok20qwjm2fChsp3#`4EJrE3Sn%b!=s
zYX`y)ElPuTJ0uPF;?nW+N2W)1K?vmjp0T&<8!^mxl*-L?_+)AEe241Cx;Fg}Zi>H)
z^~@TC9B+AFnmLA2c}5JLo|ztp$?sw8Mwfk$L&|Z@CDJ*3RqQ`|AS&g%?*7YDB)L4?
z!(G~!rQ=r-KLv~Jn~-V6J(rNxLS{ksvMh1R{E+3AvDXdRZDcLo>=}@G?swH)m%dnJ
zIyaeU_vRssK{nHq2l_zP?&CeFA)<b)#LRlg;e3CHdgvP8$oq|a<G_`!&UIJue>Hr+
zc1Y`RC)$9g?7mZKSH$Zcb~CVBRoLZ{<Ike$N@Prj<x9)oTF9)(W(tWMwg{1`)J<{x
zKTs{~1YoCu)!j~CVP~kjofz!Qd&<tUdXlhn?kPJ@>(S%aChX|GVQeqjIk`-izF*I`
zuhJ{9=ABwGT+|s=CFL`PMqb~%jgD?dTzfW*o?U0bm<yzf_a;-td!ES^IjbW^$t87G
zKI(Bg25<fPGrz$7$J{Fhh<YW@kxS?6a`~0(l}H2~-}7SVSgJ@ZW)Q*51j5VA1W>2v
zmxlg>B7CAe{10(#=UILnPom@Y@&EHURy8m_%=y0)N2;D89{q9X*H<i#W9gb!>3poX
zfALajJ<Dwb<o-&m!HfU>5`EgW&PQV--ko!<>n4_TBcbw#Zb(q)u?9J<AL7o8yTj-Z
zb;dm}OT!_KTN|BgfKTV7T%H03Q2x(2q{S{B?&rVczQ9?YI8*XeCm@I28#m(r(Zu7v
zxQ!8QWID18WJ`rkxeUntd1)Dw*Q7#3Ip?$j=akB6A%zD**F|*YqU#q|U*+Bp$m@1;
zd6jiVviJ8<`Q1RE+-La?WSsT`|8vI`F88@9ah2bZW+nWot*dbL*fNq3wHUXV&~+4D
z^4NwmS<$q4BD~`N>)b=$@#*lEx1J-uNh3Z<5b*5ssWZIi(3STidn_e&NlwS|by+-~
z^R2^hc^so<!DROZhqPS8U2Y4N?}~v;G>_dd3;2n-SV_B7o<FYjg{<ctKMYhSa71qy
zNAwJ?uaSxL$UyhKiw^0Xa?+#!)9b%trkq=DVW8`4gRYzC(p`2)m$(<@DqXxYF3$I7
zDdi7>I8Qb@m%>EZtQAH2VZV6XB*G*9Z&5C??_D~cDNl0QERCz!45f&bS>ASji!K3O
z#w(>|U-XA*$kLI`5c-|_zR^cWXg!acFtcNpE6fPL`?w1aT;IbKTl}1RDm(0=LipqC
zw$RW26=DkPN`un9O=^;>PZckG`}C1l46vr>ryY#{xLeJ=Gwn*<ncUp<FS!p@k1DzE
zFTbx8iw?zAhx0o^Xn!XBa$Aw`OjBW~a)hOaV{{`YS%^4AuuhA&?_A#=I4zGAtmyVf
zcY+9?JeQW&*wCmP><otU+=A%C?qN3#yB`R<tTDOX_m|HkaUM8T>^+vZe?CowgXN^>
zg+r(l<tB0n<8bsBmm4wmHzGTVY^AV7TkC2&<aKGe?T8@TI0N-m<3XP3v7U)rziY0w
zKY46J+={<tcBmwg<ril~28M{E4`VbwBm=k3c2NBPtB2_5BkGad)|Y8h<#tf+bHo`4
zpXaqJqW=>AGwbnnhxB(jy5xStU00Te>d5nyp-ay%5q(>Jc1ZJ|)+e`9oc>C$@c*#)
z{_#>xd;I_IoRbdam<ahjQXGUqI0)14AHqQhVNl8y2600eN<tWf5XSEi2Dx&Dxr7h~
zA#T?l<O*RB!a2_O^<MASduGo*Ge><s{`mg!*^kGZb=Gsg_Iv%<Yp=ET+H38N>8?}O
zz~hg0n3xv4l<=fTuFDK;Ed3O9T?crIZCSax&b@!@`LgvUrWN4uPN>x8eu*|i`qjm}
z3fST`j%QeRVzNn@i(ICkxVfk!VQ<7Yn12F)Fm5h=F2CHpj+6pC-7iz655%%Y27((=
zoIF$j7|`nqlk+6Lu)nF;$N8UxB^NmDt}HIbzIoWUlkCGL`sHAYE9m7rW=pWIlT)jW
zO~FJz%EuyLy}m8hT~hA*gT;I-0yY9{8rZRNtgCY|zBx(Oa-M{Ot2J(Lt(|;3Z7z=K
zEXQCI+bOX5J|^jy1C|BbSwya`94S?$(`T`7g-`G5e=zSm*8ipB@D~*7i2XZGkO5(_
zFW+iQLm#v+>55?ABJAsr|Fynx_wKki;lQiAb;nvDjF;kH7pGA;CXZvJT*xNpYXaDE
zFn8bK+EuKhz;L>}MOMn<4D9ce|Gnh~=_{5iivtRCKT)o$sz;T-*4*>dE-<kS_D259
z`#jENmGpRc*f0tl%|jqPsFb8qan&c%h;u0E=>=IY9FxQ`E)U$fb!~!M-&-7h?kDer
zf&mm(95WujaX4-kj{6P&>+=YA4}m!{9A9zQgL^kDCWfN#S>|%UbmTKDKaLoVsi386
zW5yw<r3g3j%kM3V7;dXN7{l9#N);S<YA~!LCr+W-#VK&Z=(q{2-#?%`P*xtxOc2<Y
zGCLfNO$y-+l<=_C<0s$oTVf1lb_(9drq6<ouxuVGYi8v5>Ck#B*{0!NVY9%-fypk}
z2IDsmp1ELw^|s~eD?Bo8SM^cZ>T0lihFg0K?En6I%cEi(uZrWC6v}mBj^4l*UzXPl
zR!^y7_`Pw=G8}W*x&SB#t?na=?Ezl+y_UReuuOG1prf3lsj$_wHont^|E0XQx}O+U
z7eU#=lL)B;?QEbfDY?DqCwDt|)nOO~3l|m6*!~?4#|iTt1oM)2D-qtvx~7(&Bs>@Q
za(!2h6QS>Ve%ZJWboU4Hjm6M9_~w>m%%9ncRsCGn6js5@xlO{>icpiTlMCdjTl4JZ
zf^d8+iX16(jmSEzhM{$lp{4iWt{mlIzos+3FDB{6Cf9Qf9?*usq~6iG+Fj3RZYI?f
z`-THL;w=EEJ@tB)Jd|%h*5kNDnLc{)K9cvd7##V%Y{L7wcfL=Bt&#W+;iv624z0$=
zT>qN=lzff8)C%P*(80!=?sSuDZV7Cz#J33Zf{>SmdFwcz|0;B!2D*35*2Zu>;X8yj
z2a;O1j_TKfc8Hr#)eG7zzD>9r&v&c-tgJVxegidfN#S&LvE=c1IUe6ITv8YZK(E_B
z-?Eriw>I_2H7cBD*pl-&ANFG1n)H6&*Op*@W37a@6#GM4HMQK&@xp85eTe15b1~mh
z`ZcX@E(`JRbv*84x5hWsRwe#e!?R=ivi1t|vnIn{q-Rsh+JAoixVb|Qmv8Ib4V<KR
z5$xr6_-pLR_0jzV^aploYWchto?<ydAAV8|x~SEAB0k0WEm{P-Lpl=2jcsTuyd%C?
z=VN}Iu9Nhl&`pLe4qZFBj$GY`>Z{c^6Z&I?nY;&DioAbZ9g}2n*aFz-y=Rk-AHYT%
z*UuoVC93u$4=Y?ha&31#5&iwWn)IFJ&Yo+lUE5L|KXGG@LnLCD@>#}Qe>a9O3bvAa
z<6D5R%Q1vcrBfh%tpxUs!gnqYmVK@-hv)Km3zD>XGqG<L_F*`~ZNk!EE5N$=*nBW=
zpQgfnm*^IQH9@xlbrHDB!D^w)2y^GLIBqYaUDx@C&2bMV`4Aq3_87-B$hmR#aiE=W
zZJdqU*Scpyt+Q3<8I6Ojsr%yFm{n%WJzpxe*UlE}%iNmPzmz{mGQ_3NzhG|`zWq4|
zeu>*vGOjUAo>%$i?xGtd#ih`N87glPFPUBI?pJ!kM5oa>C-`>gZnVd-bXU%CTd6a8
zWgj*K?e&Jf9{Q_$z=Jj2SIPJz=P=;@#*K?r_gV|V4MmS>Fy><n!F-G%n2&))fq`fZ
z>{z{I<GT7G6xzfMH&?=a!xrD@Jd@W)tNz<COn==JnN^a|f$rNGImB@~zTdg4L>gNI
ze(u}1V0oTX&Ot^l@mmu6*Tvl23#8naZ!XUxC!zj6xv6E(!Z}1+S-vinwxjx6Ift$5
z(!x1Rz}~1+np*x|C|`l=%(Vr)=Y+k!ZP<$<ZCTixKCY=HOna@`CfJ*V?~XJ|YaFaf
z5G(0}bQy#C=+q`1+bvh-U7Ut;92R}BG6|H4-_i#Ow9jts@Oaoy!Tv&oCFPcJbk8FE
z<5?p{*Twp{#f5|9Z5@erM<CiLIAx;k>XL=9+ZEqrb<d+*J9whI_n3-cmSJB{>^rxE
zhS_HQm}+13ZQZQ)c+)`|V-R!O<Au*yxx4_+NV51w3HIUvTbbGpD=m)2Vf*8#K{%=p
zj>20W+))SOC`qkbGctZG>J@zZb$0=X=M;Gc>gHn?pKnXuI1{=C=%nuQ-2FY~mf>Hi
z-{xZ9Fznky_F<DYU?JE9uy~oWRP2wjETM-IDPNY{`<Mp9-liwxJ`~@kZ4`UOHlR2j
z@2{`$nsrQjE>jW)xa)8%Y|Z?8v5uDbP89oKAL4&42gP;|52E-?N~$Y=d)K#P)rC@}
z`1<tdnMj^2guVI+O@;gH7+4OhJJ^n;dE(MARK}QG8ki@I<@?iEmwN@0hSH2$4YhUQ
z1_U*ygxmjb=x-nlIXAKi8v(W)Y)wa$jRRZe(@7pDz?Oo2QHWo$eJQrH7QgDf%AYc=
z>lVV+)bpAO&#EOJIk3rKHl`8*TLG2?`&i<J>u;LOhxR|eez>$Dlz7&kg8KgaRc!|=
zKfmq`TjOCXGO?-UwrUNZ^|`Bmas5xidl`~dG99sGP*nR>lBPL0K6w%PpZH%kVGF>f
zf$b*wh)viMu(^q*mMa}mmIv!~ak2j(*ICUtj7Nf<D>@x}KS?HWN*^PPefMDBK-o8@
zE_5)iz$pH00AB(=O*qE1{b{ggLRb=5(jx8O5pzI%;{+37qyCc8^OXea4z{`2#U|;v
z2P_g`bHREC*g~+uU|YH)Q7+-;z(#?MX8CH>9-#coI^0}sbw`w~-~y6DpSu23<nN@W
zmJ`a9(_-Di`{iUi*C#Gh8Mt;&(li0~W>0R?`AhIe@tX#=0BjNd_q7YS;{0oH+%4Jc
z)~!H)H#Z^+8>235YQb=qJD0_8g<#olS3HDvZ<y?hS&UtEa0`#PrF_?(hVXIRA97s9
zHjn9xSK(nrnFauB-6U<pVJkYN^c;=_8wR$X*vBTiiC`lFED1I$!0rKygYDps)MMv@
zO#=)2*g~)wVA98tO~S~5%?I1g5oIgDa$xmj!{FAQj{Y*(+*N5GaZh(`2jl?0<rZk)
z3;miAus7~%eAipbi@T>my~cGWzURYyM{1!)#qge7_x}36ziU5cN&K!UtxxBHtpxMu
zX%?&|S*-6QFP4IZz;0#PohEY^>^aJ<g`0bX{YJqfvt}g!!g17B*A~N-JnID(2YUwp
zYy0iSwq3!zOD$liRG;<5psl&Cc)aBGcrXtv@C`55CKcy%xOao#MQm>A1+LOSPNS^J
z7Q$~n?B#r62wM!c#K)wbTMo7u%-s{Yen)Y>ZtWSW-yS+`6N>Y7yJKJ8XG`oifGrQO
zVPMMwEC#kTz{Z35<12BS3MTO_7q@$;FBi8A_N@rmUj!D6?=rApe4D_6@eQ3>8efT9
zcQA=>xwu8CFBi9w*taqew>VfZzLUX%@tpw{jPGnPe|#lw88FG;a&cQieYv=;#J(mR
zR|gxi$vN$Gmd3ZEBP{=5!T9z93&wXan8ep_ZzPz+*KaQl7Ay~w!Gh&s23V!?Fo*hb
z>B?fC#Md8>rC<_Ye>_%#1@pJl_|p89JPCtIe9fNp33`D^e9fL@m(&Zxz~%ZnL;&hM
z&NDz|HmT+!d*~%P{3bx#>H4OY8%68ZI~4Do-8xu|^UA`3k`4r(^p<%QkF&P`_C~_q
z6tU;}BW3IbZ@T5PC#_%Y<Lq@k8~ydaD1Ko?X)Nq5hdnp8;QClcU{%74XlW;5_F}D@
zS2+!u+UZR?N5MTK!M(LxFN3ddX={yV5Hc*S&miRdWN=J(9CJASmre3^5m+4TugD7t
zqx(4+cY?hGB>-#^Mg!RLzc7rcu-Eg3(lBO%jRpHF(jjqP4tulyB72fAz5kBuB@pLE
zu<kehHF0i47%A8r1$#H*f1R^|a_t`*b^TX)HFKcTfaX%4m*YajBMW_14Ekm;vjR5L
zusN`_Ph1>-a5j10iLQcL7>c<u4Hwi!G3JT!kE*$)_9Z`tO+fzM)THx*;g^183~c<2
zrj{`>UIat_afep-cX+Gdq_Q1Lea<u+wr1SIXI4d9f%|dZE9R@^bqZxVsYBf}tCg@d
z?AE51m57!vUPW7OjEC>5OIKITfGwa_oe)WPf4Om*S-hu`vNi&&6Ijn$c-rny%RH>=
znQ~*>x|ic_`ntlzEZAFqcay&3!Hw<U1&pvQVa><B$URLhR}{wNieqSl<R0HWGjq?C
zhhmP)Ic)^x+QBa8q5in9sbwSBmQBL12b&1CrvO)fxm!f1?~i>c?31|2))T)GU`xQH
zyotUr$3KiIk*v&y=yPLF%K232JKf);^O)S+q+)*=na(+0nAcfS%w-0JyQ6$l-s@d>
z2@>qdd07IR4Y0Wt{+De8etEFrV3!FfHx~;hdD0r=WX98wmoe1gn|amWO=<LZ&HEIB
zci$u)c0SSp+r{xGH<sbbRI7W$MtMVmjH#dr@{g$u!+X~2MjTQX8{kI%hSW7;B0`yx
zfev~MNys3~$+OrOFIUb`rV8)KYOKPWA<Dd3segs{8RKq7^0E6wwD$-@&Z}&~8o-(Y
zY#3PA2a0Wx=we`_!0a4!0UHmN0NVrqd&ky=q!%vQY2dTKHxrIcSPE<o*d~rBn*){s
z+rY;bfGq@T@UbOeE5XE$Y~tp@R)BSKL|M%R;9y(&SXZ!450)O=6RZ|&ZJ#a*R^wxm
zzTsdV*v6tm85@f9jl{p>c>HwX?pzHmto<lcJ}`~EOqJ7D9&WdO52Dy#2>XK(?)ZXz
zR}U2HG*=c_KSmGNVuj*|`2vL-P`qccoOxFV^t=%5G3>j1_uW59z7EE|aoE>g!p0_b
z#z?TKU^@vwdZ)Rsb84PXz`mK-XXAsCZ_~hLn0?IAk(HK`u6w{!;L~WwKhL678`3DR
z=5C!o!z!dp?AKg`=LV~6|2)mNz)+}kP0Ix9;y()Zy@#4wX8w8n2V#UDui7bd-tooO
zasdp7&H1n&h5eh#*mvcsc-~=OKh>v8lrih4Oi(iDCFgI`1kNAq2G6(bYrwu~*jMfz
zWH|Pvu+Pq|=*NQ1ETflwld&&dCLAeODeRl$vo!*24)q`6e_z{LuAJj@3)K~0_J)TO
z_y|`PAHC6UvPxV+7vuhBHtRZ+K}<@N*VwqeOi%0^jD1h6O1PNsflgVOid&xtOn|L<
zu(h7p!Y1c&8rTA`r2=rh_{S=7nX(PUl!#hPbX-=8cVgD!YxcGHL`W^B90#8Y>3r@8
zOf7}o*uzaNcZpr}oBZQHm}pkj&;R%yvl50u*7Xv!pE%|fd2CbcYXzRwvM$Nh;6==3
zi;`P>C3V7B*c<r-pZT~r;K`zU$NcERonaKZBy{7Un^&dbw#oyPWf`x<bgnXK#;cET
z*do}-KZ(4R@pTt>^qE^dqjYh1lM1k|yUbP4w__BChbQ6sn%kuBAF61}#RnB?uz%RU
zV*)lt!AAI>O)Xn6P5wS`t9l>n5z0SN#B-m!@JUpZ=yr$k)2J5){PHbU*^h$lUhjRl
z`+TZ<=DQ4WnD-3Ibvr}|W$P-Le^>erm`D|#dz9R7qxU%(^6vPPp4Zg!nZ)0<TNU%u
zWrTDxaGC;rWjx`==XIvyMa24Y;=Xt}abK)>kgvcVi1T?0-y%E&FD~})!|OW`=cx#K
zHsaCs`KFe&YAhbb{#C1X00pG{TxZ-%Af(YQ7Wx9?i{QruJ$!PY)Nk*N9u0l~_8$RP
z-f!H1;2SPQefC0=zOTD@t)dR%SiQ_>z76?_XXu5-6%~nGTjOzT<i)0zuknA`>zrjg
zChrPw{X_!qn?15F-soOY>H6C9VJ{1NDca-QEvykjTh&$P8oS9x*e`YJ3h1NrOUKh|
zag#j~EG#y#iEdM{v0(c;qAUV79c*VG>kpOzbL~91q;Uk;60q&1@o;6Pcux{2^C&Y_
z)$KMwp=o10eHQG^`{=J5PhSap!<H1=C`oT8+!PE3vpQK=7;HFLXZ$Z)J$}8wVqg)u
zmRvuG<1`WZW<pmTsll6S<oFo0qyAG2M~)va$Ai6&|4YWtF^}l+f&m>rPeEJraq)P`
z+c{t!nEM8;%Ud^(rrbPYnaP2t#bqx?3Ej18HMqD!|7~iyu1x*pt}Ayh%(_12?ps=4
z-bk;ctr50HebUs@PmH_!KAd+qhIO3H`5Gkid<SFqL};f%yM^Q<>Q?_e6ofm;eUI!D
zTtoeQ^HBPAJhXJoPRrW@*c$mM+85foM%Dzg&JUzPYRKwZxe0E4L+_s7^hb2MUJkpT
zHR(G{i{-amA48hZYszJ@q%j6Ni(to{>p(r>+H`lV<5sX_v<5RNE-qb(IvuuV!`6tU
zO)d8p>R~*0Y1OW|xv|Hhx~lYTX}q(h{M_<^9sh<*Y2A0m%Js5bGHVp#)&B~N7yPfO
z<rB$!mshS{#_-csc;9fz90OU*BA?JMll7Qoki!nl>kl*>Zr)`~(vNUfe$iC;PAJbY
zrbPSa&%1Jp7r043z4Zx3EBad5P|#D6Yb$gm=Kp+&`3U%5(!w%{v~W(Dyq^&-1TSeP
z-OK4q2a=IBdi}%R9N2T?CS>Ema$r`cNIfwXY&qDP_+Pf3_{{`c1{N3K;(~gHZFUtF
z*l}RaJqeRCyAb;NuZs5p{%7*YQ+GWbTi0-a`_4DAMwVS+IHNGdOJ1&34?A6^;r<+U
zj*xKu^;;OTz>C$J7sc)<v~!@9Zv#mj{d1Xci^M*wymI-})@>PLE_pr~Hd0?VwXBcu
zwfqFy3S1)`!@#v$Q+;3g0W8<V$u+kK_ToP`wH#l#PF#5m^j-NZ8*`z*t58xVz*hJw
zw0A3;TAnME?PA;l^@_Z|Vnta~cx9^eF)<7mDB1%$qJ=M0O8dAq2{RG);$J!DhkKC`
za>mh{z?Xa@SfYTZ8F;Ueys2mq?hR|T9?asHn%|mQj;Xf1ET-MXx0sih2fJqV3+40D
z&54wA6TTYdp&8G5%Ghhwj$;x<z1#=1ZXKMx2<*jSZ&6DzO?a{qOjCb<n&f=mgJV3e
zx#h+-<G}VQ->wQxMwvXtOH^Sc4_m{ln+wmvIhIf?8?LQ$b*M}d#MJjPsTtJqc<`aE
zPUkSrf4BzsF*VJF`3jPcW5H&FjV?`tYfp;#$TVcvtlp}P`>8PO&4s;%9h!BnAIip1
z>F9-VhLQI&ZX)@%1e(RrJXR>X<;sE!Q`S_w>2R%2ovx3mPojLS+1zqG?Be~dA<TzG
zo}qTf`?9dqt5sQ)d+CulW-5-kQI63u>uFX_CtzQvwVL(&RIbe^URN$ZTsdWaV6I-r
z^7-NFzIvEn0DB8NHMg8CX?1m$o0EXr8n16-oh9wnLhN1vZMd$vWsmmo6zeRc$3M>o
zZxU%Q%U*&VaC|}Yz;>ACc(R)uISbPqQ}}qmtoFykKMXGJUD{(J@T~R+0~`!j1Owm>
zf&VZQe1(4+X+e%S27a?32UH~i4uoJhj~D@0W>#X6xU-0;%ND|K{<SD?>o%8sCwVd0
zOt2lCN_ES@=7Ra#9q&3E59aUVcLB?T?d&_Y9&FR~noIily}=s5Hdz<Ka_7)pOPtT0
zZ&&?&XIwRH^zo;`UTu%&ziiIT64;xub#tLjmAuM>O$YP$@oTO}`vYeABKLP)!DfR!
z!E47qW>Qr$XJ#47m)>LbMfs92hU3^seKA}qpJTy#f<2G_C9h}??`3LNb!WkX_W7qn
zoADjrh(l(9%>(OLXw%$1c(Kp#@|x=rFn4}H`FdS00k=s!n_zRocBSPegpTH9Fn_t}
z4weG5{E=fDz-EIDQgbfd!@!n-x#}8RbTP0|+c)djE&Ng!jt9$uol>d2_m`VYb#<SP
zZI_$*u;=aZ*Oi+tH{g0|D4st_M?Kgyu=Vi2Y{Ghj%>c7}k#f@rc8}<Io+_3b_ts_>
z9KOeV8jhX1S20{EHz}~mU|Sc;A<p}h>Vq+OQuSn^+zfJa#1_i&dl!#y#PK;f9&E2d
zyW`3YW)HXezNA|h^F;Y_<JxbSbLsAd3O&AWbIDl2V6cf`yNU>#<j+X3Szwkw!s1|a
z!0r(dHer*&8uvrIC5_mG%>Ww~ZEop6Cgo-}*x)|REhnx4kE?Hr?OCx6Wqp(CP~BVB
zjkQtVG{N53LCr1qN*K8REI-zWkGz*Ybi_Ql%L8bz%l}~*fL}1UnE#TF7}$I;f4LbC
zmIbqX=?UFbuq9wW@;v#=4Zb3+Z5W>8%LOcU=R!YwSTQWIu@Gz)*yF*ng7Fo3VG2u|
zYcs`06Z8!S7Hu?wg=S!U1MHuxQeN<0-LJ}*7aMMJaUBJlse_vf-!Kd#oC#pF!Op_}
zI=3Gm1gkn>Ew{=ViHrcxgr@e8X8jff&d;=}eua69GBFTqGv($5<1LyolBO(<>5pUT
z#4ffj_$>vCf^`!xye@PAIw4*0Zxi?kaCdL!`X^^e_r%4y>&+<7*tek^gH7~3!KQ-s
z6@U)-q^dD^+y0AgY;rL6&BMN#HQ3j7*_3amRTz}%)3JJbJASzBAdHQo!N;esAb%Qg
zD6V;d=oPrntyPT<KvBwdvIud>9*(%kIdo&z2g^8tyH9R)o#aB*W2$kTpw124oVd0^
z^0fOc=r0{rdc8M*^#t=@@58`GfLXat;Mf@0D6sulp8VfC!1#w-BXwrrJ`}kipYtxc
zHyzkf#z>Ha!rdx9*7J5igprLIrH8qG@KTBYG0iQ@d0kv1>$F;po49%d!@$+@IhTgk
z{owuGI>X4VxSo$~ZrQAGp5431iuVu2cagdEPydm;txyL^-X>sg`U%BrP|n|Uuq4=S
zs~E;le-g%0*h`#L3}XbsSP3=}Y$E=b^6Gydnj4qGdUHJcl5>Dc7KI3x*a5a`tw8Xl
zs?x{D?m5<QJm^fp_BUc1b2<FaYg_g08|67p*&M<=2%X#U7R(IBZ#L{UjA?H13g^+?
zGZe?<T)%<$GmUt8a2c~`YMrf>u(cev-j_JGeZ9(kJ%(k=7{e9PABXq94f#8^x$ypD
zKHmx4+i|=hhNn1XOpSw`X|Pj!a&yaeQVF>@71t>j#~RqaWoxR#)pd(8z?Q2S4i{gR
ztf_hc(QI9EamUg@q<tYhkWyFwA-o0gW_^zZ&eJ4(1-Evfu08E~JL*U58-=LI=ITGN
z5oa{F%#i%Ychjq{z*Wk5-h;7k$(hY9=Qy?2yCcB{pVi!Qs`Q1pNtquHo;tg<?wAU;
z5G+icgf|mxG1w$wdjEKVRM7SC&c(iA=QJ1QI`EkXMvC!Wo0F_j(EjF9Xj9NmE0mj|
za{ar$vzu@3?lqaO`ATbdv<oEXyVo7)SN*-Y<-<b#TJGM}*>fLcDp#>eK1_t23FjBv
z#W+|JY%<t(tS{SmR_Na68nit?K0_3Qs4AzlrmlXMenU+P?c;^bE$0{dtf*vV%s$hu
z>VJi9gQj23OE2h?iRP9V{@1n}9~8!Uku)`?(Eebbzg-vw=3QJow-I<JfOP`9kmrQw
z&&?Ia>A?4>OB?qvj+u>PMqJYDTj!7VKptA^YbjmblZB>cQgh1+=zVpMtDlSGUmRC(
zZx}CgF=D(9ZxV9fwz0aW{!WAsyZ^U!kCdPBuoav9e^*~fUeAM_Ww0|>(uz%37Hs;Z
zrTM=UECUu65w^kjtpr;L)*u7UuC6IQFL8CWd%up$Cyd!wSEW$1wC*DG>nPV^|GQxS
z>gJY>+QH+-USMldHO6YIWKCpY^hLsrLp$f1=9XJT>%uKQ!@zj)G>mQ7STB~OSC2z6
zD071Jn}73QtM=NzzMbiEH|h)6{VUFO47P?}_kVY;$0Dm{!Ojw~Q@HmDoUdZO;XbaW
z`gX~<)+cOG$LbBM>sHp_yQ%F@fr}5M)KqT^t)g+RkJIHI)CV`C-z{Oe{$m^WS-7|O
zsithRQ|LdAg1y)s#W4jb2NS?1g2|&yDF;`}8eq<A#{7S`_Vu(t{{vH?Kyd4d?wj^V
z^xH!7VJib$+lnpMPUyPl?(pWYZxQzGBKuI(Fi46n3u+h??Y?zUOv2YTqV`_&2cVPd
zUE*_<d?Ts!djun5b+LhNQf7Z$j(rpch&fBT&?}WhCtzX(?2St`x4g?b^%_jqt<dMh
z7*JK!Ep;=h@ZtFsezWizgEZW^?nCsLE>Tr=H1_uAPRy6UdR4&bWpkZ(ULz2PC5Xd<
zyP8|@xRv*}Xs5Ua4I{Vud=(EMO6DlwS%PMAp_4ZZ6DCB0gEiNskJ@k_#y{@n{pz2U
zkz7^vJSmT@yC$wt84r6?VQ=|;%`Klxy-?8}>+N(+g=aRnHE*n&i&C9IXJ-LkPLiz|
zT?cjFwR}{1N-|XEh4J(5$NkAH-Wy_E8?$0umlqvhH;%q3B;BEjL$itKQHIc%po&BV
ziGg;hbNh3@J-d_q838s9$6Qo6|K+YBrYBQXT~q#gb<aLW!rm;{oB3dK%d>@gv)K17
z_NiT;!@WNnUBaqk@M5$fb<0qa^Ki3OXO}$%gF8wZYiFUq_fWI0i9|lQ_h5$gTNiS@
z)?<IC+08oV!PVQvK2M-;I#|Z0?kXGB0JlbUJZ$A*D+;@Et@+=xae%fLxZCK9+2O@^
zan?gR8^^80aia>y;j-g8Mx;&J862nc>lQ=X`{Cj}kBkE>2W#*#F*6vyng=jm3x0{z
zcP?%2T$Ss;qi$_q@q5rxjvHZX{1eSB-?dqe+1JDz!G*}D*3~p_WO1ioeP~^}x^Law
z>H(O=I0CQNJ{b%{0tI$77{ZimeF4H<KBu|t`rTIjo<#NebyHy}39D19F{P>c_zI`X
z&0p>QAo_bx^4fIyQ@no;oclrYPT5mXg&l=j3XdvWm4;EBGHG<pgFgR-{qR%GE$c{P
zie)R1|GZXGRn@0gRW>O1QHx+N_jGg18Z~CG+_lGZkf^DCpsH>vUIL!1!2~eW9f_I>
z-zP^m`a&r1sr#B^;Npu~H7<YpKZH8}S&VyBy4L;o7uk0BoaAB*<mB2N4i}YCyQ-B)
zPwO!PH%=#Y$vv<ieZINnphEt%k)B+;>fz<<5@%1!`wFr5LUYT6LS0hPo?Fu^6DC?$
z-TF?S=xmht7n@twFHL*#+_|*#++j{iynH)QNNW=I`oGlNa(9`uwkpS|cGU-oz1DeG
zm<y1Dy?Yik7v6#9f8N{5UcBnKvLy?xl+^P*A4YxgYO{Wm8Gd0=u%)lD-h@Al-*7PR
z^=4g@cevbF!z|v!hjo5<vlHqd{3bxt8=7K&1NG@N8KdJo6XcsLhAJ5ZLoP{}b8u`H
z#}35*vh~Do0a&Mn#r~APPL<apvvPFvaYerp`f<=dDh7&mu)F`Nx~8Ca-&>O~>mNb=
z0{!8l$0n>dSi>89z6-zDZ3LSSb{YQn*+usO_vK~ck$}GYo2#bp4U=i;Cqw@Q?fb{<
zF@DK+7|R#;N`|gv*vG{$kK=p2wQAwXwGu`KO^4pS118Wm6ze{g??zXCT3;$CKiy$#
z9Bj?VHtU)*yha=aLuO*3#lk8kNe{OE_)Ui{{x;?c2ykKIZ4Iry5#pZpVeZ*!<tkTq
zewIjhu+v`b{J-u0<-q@sb08Gg$jSRFWLq=i94~XQmR|WQ&AI%fX^^H%T=~hiR>nEr
zGU_|P+m?PS>O+SV?MwI1?3-<~zdiL0)Yn1VmcBdnG3q5g7AL=Lv)_~YsnkpT+Lr!d
z>eJNk0DW8Wd6fFatDu*rd^Yvop_)J2|B3xasIOlIz1TmK`bO%df9{We@cf=deS-Q8
zp!erbP(OwGH1(T7@3-$i2iWCZMtzR@Ex`QtgZf(PL&G(HdO+V+dFw!Z1NGarp%**r
zQ6HmTLh+Z)V0ybyKb87m+=KdUs89RsOaA!NY5xOzJ5j%wdMp2?@w=k0r`|hE^GD(%
zKfliY2lgTv`HSPIxAJcqzbm?PGV&Mw4eG7@m@b&!zh|7>OHgm+r;`2(>eJL)`7yoU
z70XvrpQGN&k6&m1i+)||Lx-1^AJYWm-<kRb>aF~g(@QzQV+6O2px*LRu01=(ToK|C
ziQ5v?+xe}eA4B~t>LnFYek$otp*~B!l!dnR_WWR_&%UI~?29>n{Pz@qEqp|=ytSpj
zBje=WA){1p^{3f4+v3W0cg8v1VA^j>FE(zc{&d>6`m>V#yQm*a`)%pP#&h_|HkEoS
z|CQ{|SGhNrdMW>H<^KTcm-+0sm7i0o4~@|L6#H%ICua132I}qlsuceVs2@wcU0;>-
z625FRsPBRQ+ltR^PVIRa>g{^*Ux!vEL^_lD9QAg+RMN}6i`$OW{E@$s|CRLnsM-rt
zZ`VsD{Z7<RV|f$%l3vrxZh!oD6M*dj>cxIr`r9(1_Pmz^*NfRV+jhO&nQ?OOzpJ2^
zb2yXw->A3pU&(%o`t?R@ezv6-`~SpGwkY${u9r&oGfs{9Vbt68Qc2&3`lQc(TlqPe
z`nf*)ZRyWrgmTo|^-?K5=Tl#Ml;)3JFO~FbF+MvoKYPI6R(xciY{RIR_DIgX*_VA*
zCPb^T@VwDJeI@(C>oWL*EyDQA@xs@{&mWGJw{<eufo%l!R-P;Ax6L@Ym+;w_>(TTU
zceB4U^|PqA>%EeGJL<E(_(+^8>35-iCG}SSRMJnNK76$1td(ce+j+3~pG$os^-`Yw
z@d@guQJ<jR%A45_=Fe5sr>VE{R!P4$^*QRTyqP{2pH9?Y7$`sG^ioc0sIMKV`D5ir
z%DKcnXum!65$dh{RMPjLeuU4ylpoUv^JfR@6VzMzsifbU`dPmCNSrF^cceZ`y_KIz
z`tj7Sq~6Mp>4W)mHud$#XntDxsidDu{Rrx<{FpwNKbKQKm3k{bmGsrr&!xVHr}cyB
zgYmDTK1cm_ZRn-^%)-xY$7*`*e2LE=cllqo2h{Px)LZ^n(mz6dlzP!g`7wPk{*O{0
zqh88_{3_|EQ9qN{i|8a>rkCB84*CBo`Gf6g>aF}&(%+kLa_@cWtv_sfvt7s^>c3kB
zy|mZ&P`}nmV$t)geXnGH7WG@Lf?n)Tr#`{_wDNEEgZY00^|PqA@?S}RHT7BQt^Aul
zm_OH0zmj?@|CRJtdb;h)^!9+at@C>Y^&_db@^AKKx5Y{9JV<@`I8mTI#!t$p{7h#q
zkoS=M!8VwBEB}@BkE`5^Q!k<T?FaM!3F>E1Z{^?Y2lYwnGd}y0F4N0yfBdhdewojH
zTl)JmdcfJtPb>ds-)xI3+d~=Wc%hi)XIpwHpZ8IJU7$Qyvi~6U5!$!wrJP>u-$;EU
z^;Z5(AI#62s83LD<-d|XNqw4nEB~es=Fhd%=cu>xUrB$Br(5WF&Cee2wspR)rvA}D
z`8WHr+u|g4_Q(jq^DWw!P()jcpXh@5(~tqg7Ng$EXC?h^87KFq`s_=%mGrw)pZ3{r
zOMeUXi>bHsTgm>d)YqP%`Dy33lD-%94b)rySJLlFeT;gmf6D14U9<6%EkV82Ka#I@
zp3D{9!}15)Eb6WPsigmh%DpW0c79DCJikv-zmj@8zm@dUsSls1`6+)TU6u4VP(PS@
z(Y2+Yk<kO<)Z6*3WdCOBQ`Fn}t)#z>`YiQ!{hHqLUR>F(&o~E@sWiQI{Z`ad9-+Pm
z{B5Q8I_eh&u3xk7KVM?UwgU&rRlE9|*pqF-e>FW)XUdkPzYs=F_e(jJZ7}^({$!g<
zf7tmv@2-zkAEp0E`V;hLsCN|%*fR4o0$o4R<6UN9{~J8sRUGgSw*8F21oMZn6I<H+
zQRnq?=1-`<>!-BO2#hWGH3FG}UvnT|@M{h<d}hb1y-I&AKf^c68Psc9+}sTHTmGi#
zH>)xF?W~6B*Q0R!P5Pgmj}-lKpD0_5{<YNWh3W4|f9^&-z7zc^`q!pEM!(cYvSn^i
z{W|LP67<{okJ2ygv23a7s_&^@tdCW{^ao@M(=YX-Y`M#I|JLgDqF1Va8~Q!^>*>#2
zq5HR`KS6(I^Ixy~*QGy7|9bR$^h<prTjn~|udiM&LBG@=vPJ3NP`!Aszv{cvpSf23
z8_}Pje`ETi^t-v0!sy?W`!h*BUg{s&!t`&hUN3iz?w9&TwiNw4s@L=A---Ur)vAxs
zpP)ZXf9@*X-;I8c{_gaLr|JGJ=}&S0R`h4MzX$y}o*#M(j+|eylptC0wUuxMR{w-~
z{wOOr8jFIr;y?M@c-;ovB>i!^K?72LBt{ADXlDH6x)O_aeI+WSPs*dT4GH{YTWh(d
zZ&i=q2FFM^3H)T+Xf=<Q>qYV~fuC$!^LY7xRpM{;ON{x`NH<D163DkO{pRLpYQAUb
zO1S<_%7-X2guD9EC&=<Q#_~j2!Re0wBz+l@s4snj{_OY~JMI>ZXM`?sD<{nTA-cJn
z^|%b(-~n<yh$6uq2UJL3l-Cbs1*aSS^Pj&XE2OW|@zyViu44LP)HSYR`nE*;Bz;l*
zWE))}ePPxwsw(~s<6lW%6hGNct&qM-$6NaH7GJt*t@Yn5_h;xP>BcJ@C-tK%LlQ}B
zXET1%E($8NZ>(QM<KLvdmE$vnQ&#hMslVm;1dqRIHIFZ?O=+YJr}0)fo0v~PH%!+v
zH*l=9H?EFg{>-WnzZl!Az~P>>UvhkgJDy(6<E=lQ;PJ1m=JBhWKRM=uxoP^774k>g
zZx;sh=iiK<l^b(2>~Am`1xNY=a(sql`Dz|7{R=rh!Q-1(^LXj6xND5@ulq)G%;Ifs
zrT9z#M~=_nCtJ7GJYM=!a(n_m*>+#e<E4M*N;Km?bTyBc{+=A4!B4iMSMzx3Kg#h5
z{A3%qn#W6j)J2`~zktU(WBBuD`7ixjIW&WxY*(-5@zP(G;}iJFcE@TSucZayv;9xg
zP0>vT`UMI4<8-5R!vUSf#`ENU!Cyb0$ouGE{hZ_dgdJzD+<*A%=QPu|s>jRyjK6+P
ztY-LH+gfb?+>NuIG562vXDJ_Rh*_4Oc@@&<@qR8C1G%4*<1^f`U^S1o@u~!mU$mOX
zuWtT$R!->tS^X^cv#yLXe{zhUU03GDcz@1h6dWlha(sql`Dz|7_uF!Og2%61&Ew_%
z-CsY~e5+TS#oOFU@t5%cfBn4PY923T-(Np>Tg~I;{>`0Z=Ks#CdAyWOIX;7*Z2PR{
z@se9|d;&k&hOFlCH8{pao$)`6$2(*A^Jn=lc_)Wv@RRNM)jVF}F2^VElkL?1gX876
z)a~vpcuBemx^cRqku64lBi*p=H&<nazmmTjd23eP`n#4(DKF>~RXt9><X=}W(e4HM
zr95l`|3dmDf6xbLw}gJV-q5DE`yc&s{?W&2m#1G+vA&nXB2EoYuCFfeuSLJ))q2S7
zF7(Uwvo8Fb(+_XSCh?W+lKmwl&x_)hkl&*cGvo)|M!HeD9^Kp{s>{;N&~*pnkEB<&
z!)QN({}cGdd3?}*WHs$;tTCUM_QS9p#V^fxB<UvT#_2}rhUj{9^ABr!V8U&h%bxf9
zPz_1?yHWg7)CcXy$XC^Voa5GVo@A?U)Nn2)m-5pCzuN=4!PGtA(`_XNR&yJ}<E<RL
zO#fRxyJGUAfbKK;zolEqr+}_zu%>4nx^})crQgEsL4Sm<m79G6x`Ff`9N?>&?1KE*
zKzxs--C094rdAq8lUq7Zp??vNm-8gsS>!ejeF6Pzu>9EZmj!g!(!VElmQS|^bobIf
zjylVyM+3U2>A!<I%V&+{s{b7kIKMB_u8o6iNmH+pTR891Z{uB3hW}5tg97Kr>NRtv
zzLRY%uLsLts~^pkdQ-MsAf8t5nrr9#w17RUzs<GtJwBkbcEDVV&v^lz)yL-A^`8jn
ztX?-)>U-Iy1a#J3m@DmwY+o|HRvxV#`H|epSryB>>8yR~L~iA5lYq|JxgO+p{x$SJ
z|2u%^*TU^ZJALWe`5j2V#p6KwkD+VlcO3ne?`P6~9$h=Xe;zYc>=B6H6|{4Q&z{6_
zHvN{4f6)I1T`4c3`*%S1IsMIaCElW|<8^EHy3!w^E9XsgeFD1u=|7RK<d^8i2Xq(G
ze<NKvZ=$=Oe#^f~>3EnrJ0DNd{}NqEul(Ml-^#_u^yleHIHId!`)#_8^lwI2(kr^1
z0=fqJhtie!h;C#+H=6#x`?%;Xr{D7Vdiu?U#ItKe{$Jf~U?0s%OV{nR|0vyq0{h<}
z|CnwQT|2)0FpbTIbi32F{X5X#kM3cC{m0UO2HlGS`=`=>3*A3UZy#PCc3s`i<DRqQ
zrBGqZ(r>y&^j96A>5+3G+h+mY7xe#1R|i9|2A;>6y%7C9=!Ts&jHl6W=Qm3KVRW_B
zQ~ZD6+|K9n7LU_uH$itA-D~KY?t1#~rMpd3%gMt5-DC7;=)Ow#^?>dz`u|P$6S_+S
zx@GjY(Cu`f=6@Ysi{HBR??ktO?%s4QKL^l%2wn3ZPrun4P5%VCr_h}e&|N|Q?R1lL
z9}egqqyGiEPtkodpnHe@9NlGfzYgfWqrZjjS_f&qtWDR_(V6}*-3{q(8_?}Q{~)@%
z(j6Jl#poYL_awS!26X4pKb7u8y7vZj577TK-AC!ZNZ0xqZ_@t>-5==wMAy>$EBzt%
zH(Kal)l0?Nkv<1&erDcM%W1l1Cr5uGYa#2N%=_w3(G9;{y5H)JA++B}J1Gn2J=JFx
zl^$o|#>nGzQ*>iI-i|sbU_Z(IW~Y*C_9L_#3fQ-P%V7cgQQFTj{#hOu4Cl}6v-<U{
zKb2(u<=)hk#otvo`;NL%x@qbXbQ>+-&1L*7|Fdk*<#|99zZ~zQvvf0dUp-2XNYWpt
z8>8E3IwsWWnYsP6{FwbHbrHH@y3w`OettI7MK?n?O_%1~*q;1v_j@v)6~!+_U6O8s
zZs<X^+em+eZrJwIwR|_%`r}><#<AHvqh;Ib6=L&d@_*AFmCci}cHQRDtmJ;1H)H#M
z`lID^v76H9d3N2^^Mcph!~0{n-|B%^SOD$5!sheXJRq?t8xO<#XEc6RZs#%}n@42*
zL7OL3f2baBd?gcZ@s148{dS%$e4F=Uy5CzgeaKIT{-A#X?X?v5JA--p^UU~P>0e?I
z*I@s$zl$HT6qcHd#MB?9+ekM?H%>P}H%T`|H%&J~H%m81H&53)-g8@sZkTR_Zj^2#
z-5A|C-2~kv-4xw4-3;9<-5lLKUGD^jPd7|ALN`jck#3A`oNj_{l5UD_nr?<}mTr!2
zp00Ny!>1dj8=)Je+ekM?H%>P}H%T`|H%&J~H%m81H&0hXZ~ZrORds7vhSa9D{D|7>
zRFTPb>n~Z`XYhU_{A`npLH3JIE=B*b@OrV7UZCOo)s4=k|DWove4PF#=+0MHj+HI<
zocg1$s+(C{y1$*uyjSrcRsO$T2CLypGa>Gve*N|e*B^Gm*{6*^JG|$Py>^W3u=Cl@
zxATR&M0Sky+Hsd{mD5lgPBkocEt8$qUX|BSmREZt%JLd-Vp-n4P=ETPQH|WSdb5;w
z@T`6<<+YyGJEeS0&+4mEzLsb8VkyVB77z6k{lD5nr4}p4*Y?6?Ii6CEDyLt^3zg*|
zFE^%~zO!fTm49zFo-lZk(sCjDtMMcvdZo2I#UrZm#A58Ma(sQy+P|V&>}=p!yI0E5
z%ADfAI&^O}p172&kE`*d#@eq^J1Dfg{z~~KUal;+*0-pZvR>nT-%=#{pR}u0cuE$z
zN)(>=iaOr5<lZ$3esz2Gy<npElFCCYrz5EkU9Y?)tOuM$Zs*I|^;^Kp#piD7^OsjS
z1G~Dvc-I_x<O=0u$zLK*k(>U%<T>&N>Lnc#|L~P+=Q#595N+WJa+~MdgFHoU?S3!v
z4EZ?PIgmUuP3<2{9s_TOCu_r>(DGpQ;OW$V#qw;WZaR3m{JE3*a9j=VK>H6?&_79i
z%=Nw~hVvA8GQeLWxA$M!5jk*)|1y?0c-<!N7j0Lj{BMBdOMcq>w9HO7@OF4Y7`%@9
zfR{_}5ZY;EdYj>wZLG7iiMO2bvHYAsePV*@q#Ve06L>lM@(ojoXL_RQ_E5*0S3$p^
z0)K~g@|UXtE9YO5dsmclR2rH;<c}~zHzUtnsrsBcuKkdBrlu({{bAHMUafpN^>Om(
zH3~LIJY<_f9=lfk?whyx_ZIR57r4BuyFIy`kZ@zyE3oOt@?9R`-i^w)qyAO$NPsUk
zJLK!|gndFDmkI&fp6Yntlc&kgAa9T3BwYFaiEMkT<84VEC%687Z}KF$H5-SM+Y3}o
ze+GGYrW!to_NSPA^5Nt+l4r?>kk2(cw<-9U{3GMHD`0ke?a(|)y239g{|EIOk>|)S
zBHx8P`?`V%%a07#wnKZDYQ#U-EM4-tEU};aLG?RPFUz2Xr&lP?vz$yI&#>Ze(cNCs
z^uH^3k^DjO=pPDdX(t2T4l@LzyiV=@=_B$8IeH9k`;|N#;OnAd6g!~+-yXc&b-gdR
zq|4h^6M8J|pX}@u+vPZ#R@q{ZN&V(MR$4z_?DU&>Ve(!~*9^zeuNZ>}V`FviJqlhf
zK2L*7d@@mu&rsTVn>^G{dBj=6dr`@w<h>D;Z0jI;VkdE!>a&Wyp5W!e?FBC7!TQOY
zXmq`U$*tdPJYK=h`QQ?6>_f(19Z!}82~U5d;1tG3rn3nT|694WvvbH3<S$YG7J1_m
z)$dFG3we_Ke)6?(V<GmV|53fPf3nFpYlP=NRxpwUYZ!Pt%w$Pi3WL}hsUJms@(%^W
zcwR0f&%v5(ub@7X?K*P2%-#97#`P@QEbwyq|0wnOPO4{h>^)DOSX;SW*Y8!Z^9l7)
zX+W{<?Ed1O3Ih}6!mR^$=Vd$9U&i=vOdj1)`CR714&+`$d4l%$Bu|i!B_B?nJzDh(
z$<G3p@)rG43tCEddlylkIYj}Nb9zbg$QjC;Xy;+t@o1+z`BUKK()*Ix=Q@xLsDGE-
z)`@IS{waBg>ki;`+e&g<XJWh#4Z7rKB%tp`ZtFYNp`G2y8w2`b<hIVk?4Lkx>mV%t
zr;{gX$KrnhxvirxJJ*tD1L59Fo(u4~<au(7|Lf$o?!e-+nB3;QT73RT-pKi}>oFf%
z$Zfu?@%1`tekQ3m`(bjMH){5GB)570W=CGIE$7ANof<!y+~zHt{Zq-KoS(Wq<C!40
zdC!)gH<Kr*H~u)e&7U^@8hI+9|C~G>;LYTj0AC;VmZU37Zt>rSJWswo<G&ZVt^2b0
z97JyG#Eg$2w{>L3FDAEjX2x$OkFf)2{4w%4xyAE&@+7&%^G)&$`PPj8f64O!`#+O=
zoZo2nt1+%B`D61R&3<Qcn;&WM>_KkxCynn(Zu2aS4<k=7T;nH@Cj<O!@>GCN1($Zm
z))!m*elxkPGdBJpxve)g{tUUTJ2t-1>~sCG@&A~8t}8bFt=SLoDh$C$JZ)XF={F#^
z^~uJ!Be!+R#`h+-^~%PFnSIW4H+~GctzR~N8o8}wHhvMgt!Fl#B)4_V#_uGz_07f~
zC%1LZ#$P12_0GoMCbxCZ#y=ys_0PtCBDZzW#@9pz>-r&FPiuS=<6MVid}nf7A8mXP
zxvi5nehj&-mo|Qu+2^`w<CmNL0KdcR2l!mG&-Kw}=WVke;9r^j0GBFT^1;?wo1G2F
zZN0Vep5(Uf+IU}bTYqhQ1i7ulHhvnpt;aS#nLM~I`xbIrpKbayd5-HwjXz871^Aof
zwr<<>Ir3CM{|&jV<2L;t<hGvMc&Ib$8J4R?)~j2P+xlqZJCNJDUgLX{+j>^xgUvqI
zks3eP^jv>w{6w>#WPh9SIgH%atC{|6a$6^4{1S3oA7lJnv(I%Q#;*Y{*FU@kT-u8?
z>*w7WpC_H2O}r5tmqRz(ZU3S^PyN^I$G%OTyHkOUpL|8`-L2fl8#~~>O~Q?mpF;cF
zflEI*A6W0uKpy>0`_D1zhmvOl`r+ic03Su}(N2_hCXi<W`pMws^6d)hqu*<M60~!x
z*~ypk2g$u3lv}uun4WfwKMpSWlbNIWb`|YEPu}>Xat_~k3u!01QtcxX-Ig`}Qz>6$
z{FhR`*f`^9c9t0bu~eTkzM_;bHU4ucUuIkeG-P8umxD`slmFCo#dWW@COWRd!<kaP
z4Y-t(B=gzEPj)Ad2l!y}NPr(j-WcHH$U^~sA$Ym+Fd1Cpnc#!@F^vCo@;vzq<oA$g
zWZ)Fr<>XI-OS)3OY5s6H$$JC5T)2xW@Q-Leu|(}#KkX~>B>8lP`v-aCKdKM$ymY`o
znWQWFvGV=NHv*S&p>&{r*oyk(e^vh@^}8AWMESYogUCalDc?}5MelIhpBu0rqdxML
z>ObZE``^jK-zuNWbX`WCBj1$#UUKg{)$c_9qS+@m{U_kkE@xP;W~l$!@lCuK<H=zU
zuRSJWNd6?qBh+sUF8LYyQNz6f<5{xRQ=bW>cNgmO>uEygtK1s~UamYGNqsb|`aJa~
zkw>;vz7O;NEb@3a<-2LLyi34kTrtaWMXUd>pg!GQ^-CE4o5+*fD}RCE-a{Visr-I*
zyvN8x5e1!S=Q;B5?#ej~<h=nd@mUav&wJEI_#oNzOQ~NR&@Xp<T`y6k0frgRmE>c|
zExk3kv6AaC7T_UrFJNa=@@Rl>OCApJ-5uZ9%LL-NAN849ji=Rb`;(^v{0Q=BfS*X7
z2=F+0EWj@y50hK|Tu$x<_zmQ#4yE~dCwVTwA0f{K_%q~*0Dpx%7U1uadjbAm@@RlB
zCl3esujH9EH2!v-wnrCS&U+%jJCkSHm+Choj|TMHk$VBY2YHNk2D2RYGkt&`M4qeG
za7}+Sd8($Ak0p-=_}ONso$BrUUPhh?@SDwkfInpR1N>R?M1W_>V*&mdxkqmK{}XwJ
zv-pj7z=hz>OMq`go@vo`)AZYuM+5qO$#n(}ra>_O4>tR>6D2><>;(APW+%WeGyNYL
zAG32ac_zSTlP3cFdGa*RJG^dtojgTu_0<RDGXnfG@@T-$cjSoxZz7Kc_?jDO{)frK
zjL-Vywd59`Ey=wA-+??8s1Nrf&jt8E@=Smq3SO=qJO*6a*+@TaN48@;&m@nLw_`ha
zF?qbd>USZ(nLIr}xjkQg61-fv^DFR$6?n~o8qe5xwSOkVeFu6e=b1iwohBIn>fz+O
z@%p8HA|3>YKDRsd?1((W{&p^^JVQH+X+K5#INff$hIV3m(+=%_V)2m&h}i6U`O@r=
zo1GuY!~2xl`NQ;#kJ)LD=Z)^VCO12mZ?4?iuhdQ*^|{`q@mZfdn653r%bl<7!KIwI
z2>?jf?k;tnXZODg0{yW;)JJ8)05*&NX!7t><@Oxyd~lbpej3jP+PC}GFnJ^S6zX$*
zRbNkT_ooSR)62ZQa_O2uJ6?aa6Q-R9E9leU?s~aT<DcVsf79#?P&<3DfB0|mDDB5-
ze;Ij(+|s)eyj(o1@MzifhdKY+?o-wyxB1z|yOG=cZ8YC*+lk!fciXu4KIAqJ-0U1c
zo(zP040$TRPbE(W_+;`-fZt4>CAWCaCeM>wJTv4rAKv2mKDo`8H@=+Q=F=Om!VQb$
zr_IMV-i18I`S!-UlgG&|p1Y7I$t|9J$TI;uhmdCj{6z9xfR8872l!NSTi0*#yoKD>
z{aZXAB)4_@7SCtMZCyWxo!#~dd7SJ0JCeUko*=hy|3{t-@L$PO<YvDUCdf(trvvu4
zAkPHs>`I;u@B!pGa!c=F<n|s1OYceK_8ta{&za=*{s&9%h2-{r2uts^<o13C<M)u;
z`yb5yQ{;(9wcarMuYs4l-m}yvsXv7I{|&g@U#ITW0RTQ$_kJbM+^d|owO%LJF5rIr
z9_4x3*@!%MxAGkM_T(Pzr^t6F58pvO>%G3@soRxLp#EU;#BIvEQa{r8Oyw4zvE&}P
z**PD)T>e}PF6AdSSM&3IhC7Ws`n2*ftcPzRPd}slC+cSzpQn5!`CRaF;XYe|zd}2<
z?#RmFJLDeM6IngKgxuCag&6La<hITWk1yT!8@a99+LC;YEi@l&y_VTopFG8I@z~C7
z-N@4czB74-9L<p1`jh9#r;{H}ZtK~`lb=HFCdh+XKAcN#>)X(Ma@&>Uw*Jb-mu@lp
zT#sef*CXV%&dcmSOK$7BrqTYJ<hJh1_<zZ5UD!<Ozah7EV>gjEliT_>3wQ0X=D)3f
zvwCK8a$CP<@!yF&&h>7lkCNN^JhR_Oo}u3C#K>*k+=rfSaq=|R)%7I5gxuEKJwZO5
z+}0mrc++k7liT{lrR4tvFLzzcr#}6GUPpIP{|<RfCU9bVMQ`)GPst-6E8pGi^}Jum
z<K**r{nnwt%k>_S37^<F%;$9{Z(OQ8)z0nq29f7KSH1=9j0G<j|MApk*VG#V>(|Wy
zmwsvNaP8Mc)x7s0dFD{%Q)&NM^4uZHQ`Emjo}k|Bd=6eNK3{`NdJ~-JdL8X|=%zfp
zuEw(;?bngV$?dt)Hss0mRKI&WJs<*JF5Eq+&kR$2SK4nR_hO~_b2_-YpE^p@`w;aP
zkSEA{lV3@mAvgOo!OO+xUU12W+)1VJ$<R*h7!4PZaN7&iN5+@N^E2ubBUNwV{!E@C
zxA?EIm8L6mwCXdA{|4aY;<*L5#4~h(h8w275YOY)PNGV8>_vT6CI(}>m+?QE;pUDj
zjpu3PUQGF+)L%#*JC^pzuLds{&zry{p7HB6T&w5rB2SW^rP1_WAP-%y`jg4utYCkU
z>2Fs3%xXR0GjKOQRwi&_v-`DW<k9z(+j(4We10j<8-JTzgYi}vf1{MIH2!KSZ!-Q;
zDVGo2OFW~QQeI<xUMa6N&U7Ku-PXzY+){lAT=G9XQ-xubd-c@k0?$WwcO1{TWa2Tl
z2=#-=b7M>S2=WAZjQVlL$EZF-ei3<;`Y8Ez<gq}wcaw($e2&?neT(Ny<X(X1$Wx;=
zKAjlu_vEpYlqbpC_2BhLz46ZA<;wX+PQQuQ|9#E>8rs>4JR0EJRj{+O)357=|EBS=
zdShSmXn+qR_X7OL3ieL`m-3K!USs%SwMO(J+R2=v;YJz%tI4C}3G&;>y@38<@)YB9
zB=ygNm&>;W;1Zw6s~Vpe^_{lX{P)Ibd?0b#dlv3Q<%6mJpo0BRX+QLq+Mi4Pk7j2Q
z?Xw=!`T>J;mzMICroW_=HyfW^%B!|!{HG|l@>xfoyI6Uc@mZfdN}eL$jNBu)daRy2
zoG7&uH9O=P+Buv&bCK#}<foIz0{l|)#D%K2@_##dn0iasKgd1mjlWMG4e;gUu?yC4
zF){n?w&8Wh^J{zq@)WsUzdgarm8)IArCen`*YnQm!?SVM<YgLei22Zm_H#U6cHLbx
zO5+oy-nfmsdI3I!b}|7wHoh7T==UC=_G9FDZ0$B1U!6d1={=bCW3(Tm{xI-z`EU%l
z<U{Ct&4-t%A4{Gi|B>~;MB_iH{&QXz(<|7&jrvIY_Rg}buaoT`74*-6yZ+l$&Hud0
zy%)*DS18YrFEl;#!FVL1c2cxs=j8+HGXegw*|}Wp<8ZfqW}M*~Uj|+-KYyvfE3Id&
z#s%9BtD1(7=)e$*PC5IX-37jWtM$3voSoL|aJQ#ExIS@T$6K!#KG@l5y>535xRjH4
zy`IOFjOM>_gIrZ+ee@a7uM2%*s+JSGPn=4g+g9!9UwluTJbQz7NaxZ1T=F#SU|O2n
z-Xu>osr?Ac)z{=6*NK?Ec3X{4=zBf>VA|P|Jl&+>4kX`)Jo1RzpHF@$d18?AJ(z%#
z$&*j$g))Wu1bKeB0(+iyyYZxkJDk_o9P-GU3bvx1*T@@}DVWIgeny_&RPDsbo5;OK
zHJ-ALNVatm0XZ+JI@M#C&TZR}hi}$!PoSNB$>UK4J5YZtdGvMF$EhE0cIGHQkoxP)
zPFD?g8u|U?S*|Ct^YyIRzg_L%w7M<pI6XdRIrYhJ74FG>YhpkHt#zwy6URfI_p;iz
zen?O9>@>}{HF;!T^7ubge<S(v<l&X2`ibPR#VWM%##<e46&){4eRQGPSwYF`<f&g2
zgf;uT|A2Q!%2J<c0YpmN_PgU7dlLflQbIlTyeGq|xBT3OJb#s@>tos(0xtF&uTwpX
zk9R!vxjq`t<EcN7JhEItnEYn)=v<Astbdm6QS#Uz4R@JhZ$5dF10+%MPaLPm=d_r9
zS2b+$522t+InREi{8ApXEqP==EwH<i4<T<Htnsn>;aG6VhY;WAVfk=A^+_7G``>H9
z!@l_0zYkNN{!R1kSza%%JNw1=9+>_AQlEK5Eu2n6O=jmdjc1sA?Hx6}F|H4NfV|IO
zi4X3oSssYJ?Ws>5sCIVaj=pARxq@}b$C8J+-t89h1bOyL1#6SvKpt75>HUU04c-~|
zv)RCX<tx;uuhjV1b@wHC;wI%=(#{I<80(E5<ektSx%zDf&0ssf+mI)o()f&`em`(I
zzhS<Q<!5dFy(6g4aoh>n?zWSS_ttXt3Hb%&@dMQU&g3_crvv3}4teBT)xXQ@;x+Qr
z51L*J_Y?BQjg{Ny0e=DSjOQ=WTebf%g5h>VN5$0-yngTJi3yVr4qVp_<k@#iulM2L
zlAoFNHQb(z=Qzh1n9sS8`UE?AuXWO$(<|s_Q6FAg!(BtO!<%P(OXY7djCa8$T@8Ww
zFQ-0vxeD$2t;UHEeL7H2b_bVq<z{Ju-lzQm<c*JOdJiWbMV{YK`Kja=le-rSfLXbn
zZuYNI`*t2@flGYqKPb)T7pYIniyg2%=>B@%V#n$6IbYL`$M*+Wz0qM8wV!#X)c#iB
zlHSAvYJ}5yz5e8xb2Z~F{)du>@6q@eA5R|nRPA(RoNhAC^d3t76nSV9wQv2F*BqzF
z=X^?izK@2R;J%-YFIPL;l6SxbF6j!hK3tD{6Y?0__bb$#*NZ&)nF>SHA4ndZrRTRZ
z`SIj&j-whsn>;}~Eau+z<lY-<;5eR`x!`i%LxJ=DF7?T@hHL%C@5wXFXH0W-Tl-!-
zk8`wsv+>fc$n*bE-5~0pKUwsxw?5Rz`2qmz{~TgGrTM&EgYix#j~%5Mc`A9rct7Q1
z7}Rv~DEq?)l0QzKUa0APhWrKc4D+)K`N!l*_W#!-Ur8RjLhV>N?2LxYUDszTM>e{x
z8+o4VR_r`BkjJ*r^wu+7`<tDuG+o!z&hg+Ow5Pd1dpef-^lKXKWz?TX?tRU8kk2$d
z>lr)mPmsr0&dtut<jMOqp1Y~zeMX+)dmimN&6}NnYy8JE+%<RC{PDh1a4>my@+{lm
zFPIMl$)gbs@EA>=H<~;rFN(pojym4?<lzol|NKGwx0?QO1$(Tc?i|M{@;M8r&-Ycs
zR<4$iCwRSEz4}cBJ2iWhFaH}kj{e~rnxMlO_D<xHM>Sk4KYc3LIfD9pUiCZEPMkbB
zLGx{E=I12x#;EF3<TsHgF3|Waq@A?s8&q%C^1sNvv~nchZA*-=uY3&8*AL**Psq*c
z;B+ySdmS2hz3@GoTQNSH8D~H0d+M*NhrX)yd&%~qKHQ)NEZ>Hc$JmZ^qn&Y%)8lgz
z)O*u4-!|mFo5`blX@Wjyy_zPEu-~;W^)FVi|6l4GA6EPCQ~xu0ev#(e70ibaZX~5X
z$$p|jyI<bUIG>wXdiMsGdOi~9pA4ryH&4Tz#Bj$@KbY?gw03+l^$C_AyRL5`53~Pi
z<0OxeXSx2x;`26nn)fw_Fx=(jv7VaH&B<%`()8vJ(|qX0eAtw{(NnMu8=k$$Q%sPR
zpF_zbY&R`FW61LpH9)JkCxA=7HSm3jmJc_O+xrwZ)M~|hgm%JvYCJz;{9hqY1jaW$
zA<s@$VVwFO$YY->=tkaYZ=QFyJ2w8gHF@K!8m^^l5Aq1};S|~#OdcAd<<{D@lZ-#4
zb{6Pv?_%;?M=dATPTfM@$a>~j+JA;T#`Yyl{vmnvO|>(hd<D4Vb2LysJK=%2@G$$6
z_Wqpi;8y3*gmZd3j`6^+wLGk=$?y&(57%k9hqL^gPM+UJ!PZRgl@;vYNqu%7HT)$5
zf6DA{r1n3d{Wr;DtbcG?-S&m)AJYJDBwuSEO>cc5AGQLQ>pl6E3N7tX@;D0uZoAxe
zr19D6AIy9>)!D~=*#o8ZZG!p~+nt`Yb3J)ulP2hQ^0edh_?*|M&#;}c`u}V4$Zr~v
z{yb()RE#cNw`e|WO&%r>u|H||HT}sWOs}<T$CEcUYdklholD5`&+2)Z#`AJBdH5XV
z>rwv%d5HaOtKVKBPw@GE9rZc0!}l7UOx^@8<u>uARt#27y6ng6_Xo`f$lSIqd5q`R
z`t5_rGn;8V?YcY8ILi;ZRc@O|o>;8*&mg~=JT*q`Tuna9ae92tJnEBwsNVA7E%Gem
z*^S41Z}z`Xa31+OQB7}tGtGxQ`PSq)wvU^zK=%iC{edZ3KIQ#=vK<#yJMsH8U28k)
zc^8xCBg(_%*O4dBRj@AYJZSuX$}dsJn@^r5NRWR(p5$|0t5?4v4{`j&%1`G$8qdgu
zYTy}`w{GO=XEdI1%~o$u^7wMqZ>ElS6nXR?sy~zbEb_*S)If)Jy5n-=yQtpQW6pG(
z2m72ysn0y1dcOY5dz(D{tMV|9`J6oQzVZ*re<%0Yt})r(dVTdg#vUxKXP!ibV0D)-
zI$n3^T|F>O?T_Hj2J#5oDJzEukw@9jJd^o(0=T>G0`=$l<oU<799lbm6Ya!5sB$5`
z#&Dk?&ws3j=dYnV-Xst6IgVYwdGZjS3v5R_9r|gya?{k#<Lz|E#^fnpU-o#um*YIx
z=L|J{4~;)BGjEL9=l#@eJSIUNqWw|iw~|LVV1F$6Q{)Nuuf~wSP9E;6;j;VgEhW!#
zoXYCMCi3W~YQXBNE&6Ld<avMh5$!jS=RQ+l{p#W5k#9A_1~A{^<e@!k+yOUM>v7Y_
zqqJlFnFme(y$abK@m?lxWPLb@@%cA-<WU7zSE;*#+`B;i?4EkH12kP3_KU0@=s})J
zs(~T2zb|=`_Z{0aU5AtBd#HX2^=FWW*l)4&{~;Q_a@Wx$>f<bjHmxe<IF0(8=PU4c
zX~*OJ`|~_zDS758ji=R1&E(NHYE)_Ee4yq}h~wl|PIh$M7ZLv3hx+{SYRB^PNb+bP
z+%w6&jWs^E(9UJ#nJ#+Xe<HtyJj>@eR{rOZCo^j2KI&h0oF1R^8TBC+kUre^3%Jxj
z_I~uUSU&4ez@&a_oL!nf+mJ^;Rs)T+)0aH_jp}zHKbAaxxdJN#32+HF{#JXp!|J!0
z)O#GaPtndi^2S#+g2Tw)H~SxIxEt|2{@^%8K4*==ny%#58t!G>x3%#bH9z5X+kW^*
z#;JnOeTGpVTA{kbsUJli;kc8HtDJ3mjt@LT{iWp5z_{zpj#K1w9;V*=P~*9T`(7q*
z{6@jW<R6nK<ps0YZejlXTEYI>xbWS1XZvpVmAjGW_ftFD(*B|3F<vj5laD4(zo+0L
z@=4^0tu+5F-)<!jU8Ctbn)=7cbL>y9N&XUfg!Q4-+aEekk<a;&`YiAJOuyDpO>aDK
zAF-L^J_G!B7t^yp+@HK3dGZ_0;1v0B<R0T`<>9Of_NSPgPt<_*-)<t$KdJd+{q0A{
z6KAWQkB7aN!KGiC;P*YOfARtKSzcdZ#`9b94AW)jz5V`bCmgV|DYzX=6VBNl+^%sy
zk2;R|5>d?`YwwOH&mN%H^&B2_5qZq+cQo1F&E&~VwH$syeVRPCquTGqg7PMLqI>D}
z{sXzk@#-UJXKhq0u3xvC2KX*{J$Y`Z@|kPtj^3tc|75lX?;T1W4PF=I5#}?RMYmmO
z_7|%CU1;Y<@Xl2md-k0T%Dua(Pv4;V#@hz(3GyiWpBwOi1?1tq)&9@qOURSkD!1{R
zpB=Z*itd^RX#Qk>(fsemU7M17d#Rlb8UKj!J(OF0+n+rDi5jqa<2ciE{C_;{PcS`i
z$n5&P-t@drv3BqQ@Xn~WQ+&P<rk#H}juINt@}Q~kyjN)_#`f_}>OVI7e7-P%{Acn!
zpM%d}de=UX<%iGj`cS_Ed1hbDhcV=R$YY-=u=8~adHi*a;S1DHA&=(uyuU<#hv}PC
zUr+uo^7Itd+x()B$+KORCm8=<$zyk^9ag*E1_x=nVu5yQJMt9Ai%w&>L&)RbD;P!l
zCz+ju+COm(-9LpqccJFb8Xc9-H2$FKC({1o<lgzJe@~O)Eik^3@?WXn_C$$)>+KWh
zr5_Rw+<*N>J8AZlS)F)Y(BX0SYwWk|!*F|oyLNNBhI<~<+m}4`xrWW=&^wYm@w@65
zF=~G&&+z_~&8>F}dE|T5Tls&CJj?kfGLKxg7swkgSHGn_XZFWxexAa7_6{zeKV2Nh
zx&}V)+egiL+mU;`-`|(K4|$ILsQKhakvI0$aBn0(g*>sfrfVGemE`%a6@<wjBhSbO
z8n8V~{t9`V&pY@y!OM|H{-eU@sBeFWp0CK-8Xr5qo0Eq)&eNIt2zh)1)iZc+0D0<G
zEeJ<Ze>8cnS>s8^8&4kNyhJ=sa@(b5e|Oa%OMatq&hs2iejj=GP1SFx(ej=nkKCqU
zKbFt;$Wwd{i{V_iePx{e>fz+SlV^B-&m`}1DD&+j4fiJUo{rPwbE2l_yuOR{Fz+yM
zxsGZ%U#OPHoI$;}o(egP>s>}39;yjqb>qz<k8}JsOgsN1PkyZ6S%&)_d7k|rE4SYm
z=LeQ}*?1k0A#z>E*q&x+e;e`?$91=7#XZ#YVXXizX|D$yO`grG-^$fF;BNfzmJV)*
z_0z6!d}D7a+b_$X+szKIi_I9H=g8B6{_T6@`A0S1?7I7jJQkR*8#+wWn|@aHU1)zx
z@;K+CP9g729%IEeggj<?_UA*a56>Y_{7;1;>aQlxGTfd_@O_R`<a7RMdfrdj_4_io
zl&dJ`hy0D<{-=VSA89AUaq>MG#%5?hLzrI|{y@)*1>OE|&7aWCTA&`}jxEWv&3fHM
z$#*ADf2Ck^@<!8hoHk58U@)(*(-rJQev*azl%AJ?OxLC4-arlaZ1Nk)QzJE=pR>RE
zAbGe}3#P3*c-HK5oX5)BGV<gFYX2U_r`hyN6<oq_*F{HqU26PJ4{&!s5-8_;Iz65X
zv)<dD2OU73d|JajhkOiqn$N#>CBMk*ELYH#{8sYD3pL-iC7(^6=&t$mFY<qphoc(q
zV@%iQ<Q^A3{z3gu<WWAqu=sSqg)IHgc;Nco6kO_)=%s1^#msFxI8Kkx8A^Sg<IKBp
z-&pea3I)59C%`4#L?GPhj-#K$@8><N$@3njo!AV`hlgnARkP3MQ+Ja8NS+>``pq<3
zy^cp}x?<lcA4UCE<O%lYw<6z-Jj!_y8;~DD9@<>(T*UkzM;<>yIjcGEQq!-c<#`>(
z=MM75v(#`$+JA;T&j-aDk-tu!-b4fB?U0uzkMa51t&C3xH1u*Fv)we@M`>p#^4w0E
z!8qJ)L%^jz3C?#qjQU96x;u|Ny_edtaA%SycGi4&k@g=Z&$D7aQg?eVl7|BA<08}Z
zMx-~ZxerbMPYw4}+WCPz`J`qrZWG+r2?I6duJ^4S$9kxw>TlzD=}Vqvf8Oft!@;F~
z@B+_YPNqK6S@XFw<8!gu>8Ie|JTEtpM|oZ@V?1Y*=Q!?kBl(NujeP!Y_4CK%i5E2=
zwqyKPkcU2117X_PV5F9ZFbBxlym>p4$6iw5scWb^5M1VO$GBcKLp#Tr{vi$b8}hTs
z8`=N=kbD|>BJkYv4)Qd|A4W5O9wiU6Jg-MPFOw%(POP5%ggmvr#^-hFS2|9Q&spo3
z^5tPm$1(oHh;w?Jw;y@z13iyc9*!W-vAnTZd#97<Pt^FBev;$9i16Q=s88_0%QW&?
z<SCBBSFv0@YkJ-nV;ID3Z-Yzu%&>f-8g$!d)W@jbl>B$I!yD*5$vYjZ<s`}R5W9{x
zb(|ufvorOva~1BueM898FKa&VHrP9XJhz#i@N<~13&=wpUrN%>_2em*=e5aaIZlty
zd7gSNa9-Xw`zL68tbh9zdFC-Saw%<fI!^N;&VG^AA={FBH|Pa-CH4Kt6G=@_n0y3z
zi1#m+&tu6`8)&^Tf#rW1d6x5apP-!wjPv<XN9J3GJi`KO{i6SoCw^1mZ?w}srs>M?
z{%#ZUjmW*F3f3XtjXYPYc6j^Y9R)7!_}D-@emeCY@2AZE6!JX#lNU0*x08ooQ~RHi
z|ARa^M)_pcZ!eRlIFIG&?w;G0flI%-EBn<}PFkqXFavmd<8636%Q@$FU9D!koyZ$G
zq3Jz#Tn;9WbDU}q>c^6&SZ*oz66Dc(jsF4d^ne@4W1DL^yoq)mB~Oo6@FMvu<f*Gw
zZ}rLh<Vp4?H>UnK@;D2!@y;h`dLyi722$URJo%{t%eTGA<IifijFxu*d3Z<V&$ZLz
z&LD3*Pfyg}$tRP?_E#RSQvL1ZSx%&SfciP)iH#N5Jne<#8P2N=s~PWO^7!Ry-}2`d
za48S=o#uzwu7ytIb$x~EIUMh8<2a4_oV`uY`N<b>-$CSAzE8mV)uYM7+vs)O$aGC2
zk9@5Ly3x)<<Q_X9o0C5W?&8n+PIg^?M16=4%==LPgYm4MmoRzlC{1tlohnDJCEtiV
z&viFe9(E=V?WqyBaiJs0!-3}or;x|kkF|L(lgQJ%*SHXmWVpAPoo^IuMgBB-sJDj8
z$5dX9Ji+<!c79ior#@2y)=#J#E$MB&b*sSlb{u#4ood`c5uUFR<T=JOO_S%6XKq(8
zhxe`5k|&y!KSMir8|OT$VR{<8`Q$O)Us(BBLLPZv?YzWre+PH<8}E;-Jaj!t&u@+s
zyR4tT3wea)p@A89AbIBcYG-*j#`ACFG0wv|fZ<+db~qku{gc~_FH>PB>Yq0IoPW58
zJWC$_So3*4`Pbx8K6l%ed>!=r<^Cmdre@d!Oz>9V($7f+*1_#TeU$ep>(kDm<cSXz
zSUH*K?5ykAciXLgxPkh{_1e1w4$^G$9wiTR{I)OcFQ6U!-n-SG^4(~Oe`;4vZ%5jx
z8O!tah^A`?+F74G`>lel$agZ{MeY2Hyf1lZf*RhF<?1l<WG4kyu1+yKSF7H}C$Dy#
zMt#mK>hnFcfOO=(7s%5bf41?T_sLW2S8PW8SLEIY3T&S6S|@8hWLfVuP`@d8GOX!c
zp8-e6L%gxJbR9~b;d<x8Y3B^b>G3&}sL!6S`M_aN??&?QIm+|AE*_|0=eY{}9oh-8
zT@EwsmEiK6G<bhq^Eb(d*4q}2V?E|o8lO5!8pspf^!#qlcpg9=VgL3C^3mk6Z!|yO
zqMZxLv$Svh;Tz0;Z`F_1;Jv3z|Eq>OoOa#-5A%P&^9A)G&ab<SJKLY4=RL&d=4+B~
zO73w1jeIX$wjIc0ywA1%Oh58?gU07!m3v2%NBG>cKl$0@Y1VsIUtLO`zet5gt2u85
zxYW1Fz<ScT)F;^AV721CYn;#Dt-bq#c4B;f7iN5#sL!$;-<f=)ahgAo<(lzp>1ptG
zbetleGl=@oGS$<ZH<CQh`@1-gIh#E8or0^#uQWRxw?T1r+f1{==U>*3ecJe^s@s<O
zcgS;JDws(A19@~~tyk}6xvD!=^Evm9avtVw4KDR(<0WcfJKE_@9{vwAhUMfa^2mOA
z0(pDsoo4zk)W8JVnP&DsQDF7Sz2rIG|DqVXZLZl_rv8rPi^=1hw`}#;ui#RCa$IM<
z1Jm32G)-5S?Y@=g9m%7-F6?^jZ=4agax#)U_M%2)1@qx_a0xfPSo5=%@w~$9T&VfB
zCiVA_=QdaUZ1QKwv*-SQrF~tfZCQ5K5`RJ(qb2bnQH+HhO^48jI_Lg$<?U8gS9KRw
zcNe!RMALy)Ywx}GIXh?nWv{*Oy{8c=gg`)q77-B>=pdrdsD&>YU&KJLRRkXtT6`%C
zLi|C>7wH$%e&6_;W3IhUC16qKuC>Pe8*|Jt$KM=lZLM#wV>SQ5`}vnjXZsv{^WVK6
z%QO5z8~6JL|LA`z!1eE+-YFeE{)YDBafycp|L}ik{kN>2rv`ubpD5s$41NUs&)9vw
zeADVTX281t@@<2E^iw*oPKR&)jlsWV8|bsv*>4;C$q#A$e{1mH0i6Et2P6OYhq2Mf
zx1ZQK@=LbvKVk51+BuHn{KViN+PF@KpBH$Zk>2mUpWmk)|BNY*4-Nj&f6;nBWKI93
z_y1QE;QQzw8T=FDTc`7XH2BB=NeT0&_4B_B{;g4*;ZOXc&i6y3^UquT#|D4N`1~^l
z|2eO3=N)%Hpapxt#jYE@NApWo|6`k%@4LTi@Rxs9@qEYn|EB`ChjjVZR{vd#|Nmht
z``F;$w0O=RH~1&_^z)g6&i5np$N#yl?`IAE(yuC?{4wk2p~2t%vx?{6F!<XB|Iqwd
zmp@-O_>=#p9sia#Yn}<*8mG%&zX$&J04INbbHty&ZvDUfTiS`^`CWrQG5O~7`NZJw
znmzD&AA1<q?QnQ@F>iRc?+!!X&eyAcdu;c^ZM$0FZgspnFJ0WU`_pW_$_@MN{BXBF
z_KSAE8P1#B^y~Gm+06RIaXqvg@21->hMVrTZ-@TytUt8FvEN_Jck4wnU+r)D1Mun=
z=<aqt0J+6twY_exd*GG<tg+knEjnwz(I0lDDoYf?vUR_$I+-phZSsKIUDb4YIAT^K
zFr4=L-GLNYZCA&byG{<1#!Pfp?Pj;=b>^}pLJrJ+bJs5V+3C8OACANEv|IwV=nwt%
z3Zy!;#|>5s$P7)}E_UtpdN=FV?c%sQ3~hIM(ad+7{kq5a7q7nZ_;R{Zy991+cQ|x+
zEmr$**DMd+rf(Og&E^hG(v!@hsw&74Pg_-aZuf^37-+L!U4WyG7q0+i%%MHr9Qxsg
zt2<S_pYOf;7K9mg^V|M7pl?1s-<{TrcD4raVl^B(^hr9+yZH^sCih?}yPNNJx2wK=
zepnrS8d6!oXfeOF*=Zl^xzJ#^!8!?R-gH-w9@_vY1ZS?6caue=U2gZ_)ra@BtBP{F
zsRjZYo_G7U-|yx(Lqojwhh=-+Z-LD`p0Rz1s~6*u<KXd<)uo%|dUbts#5(r9Ja_wj
zkL_^V-?j7pa1_{Szvw_Lq0MmGw422vbagpdW<!#8<7UGV>wRA%Cji<0xY}TM8+XVm
z$f^i9xP$QHq1z72-C-m6dkg0u)+j=RGxQpD$@4?EKkcQ9_GT!Z3aZK{BAwbp|BI)7
z&?$gfNvHDyZE)zjb+cK539)tC<Bsy>`gkK<4*f8!c3TwfRdyC6MGz1>p%n()_Sd`P
zsym{-v{n9`9}lTa7tVVnVn^&nMRTu@i+<Ui)<=*7{AkiwONJBn!K_uGBM(!>_qRJi
zG;538McVY7O)3JJcN<I(Lg3n$BNqcx5&`o?uOT2)jlrb9;0iYGmymedxe@`|$+o#J
z!@1IV)~#2{&7wo37ZVze4l&l|rtDNV$wY(^O&|4h>bVZ`5IAA4P{KIx9l<9MKrJM5
zdl<S__RFUfa+|(*^vX}O0lJafEd}j-v)3o;kJD<Q5BtMzxmw$n<Yslbr+o;P&sXck
zygMws$Vc~KbU({ZKMmb=Y>rVmCJ4bF6N}QkpU%2QBiIViMNZRbX5vyAV2C-J7@Z&1
z_q90gj1VNL^)kP~9HkGZneGotibA#d>A)$7SZTUpdnwqZ#Uf0%KS{o5!5^KYF<V`4
zPa9U=uiDKC5@o&D``z}4=b$c&0Xp<Wfk~4c)%(%ABS>)^Hr;yNF1tDPu@@^48WQ+R
z>(zP<O@8QRtE~W56!a)%pZ#Im#rW5ASVG<E;M)Tn+`(FcavdJD^WzJdUwOjVJ1c~^
zctCN#=;zW%D>)Q9C_%-9Yv;3bSU;bodT4z$*{48rpA~NM5U9}v8h7Hbx(gbX6;{|r
z1O-y_Icy;(f<Nd$@`PnyuUFWnIwEP;u%PQ<ize80?#CarA9<SUhXvz)=3cQNl_7?i
zgT{1-)>aV2hyq(Ds0p2l_hj(p?DFc>=^|g+QCC4pSXs}Puxbi9D~MtqpiH{}j*uI}
zm$SzY6}NGT<2Hf^Zrx%2u;3L>ijzEMe6(En1k$MQHaaMmDptiGtc$`8v02i}#xh7N
z<w;+G1WLqDP@h`?m1$vEt``BT?Q++!&gD;E)c|Oa8o(ypsa2B-z$O(ynkasCs}W2Z
zj$qOj)2$n3fV9d0HsS85np6NbsQ@y{xCwV^^dX}JfE>X#QXG5}lnh9ap+JNW>vpue
z1QNT0eMfHvninUa#B8E&UZ$wa<qezyDs%HC4XDs0twt$eCsPH|&s2eQbv{Y<a|V@8
z&Y<ieR;<G09LgTfp@M@iVAVscb3g?LuM1UI=qnE}y@TKecu+%v#$JC6fbw*Li@=z5
zFl=hBkf-QAKWRl4Dc1ngKwTi5eGPG~6UE%@+8VT89A?*0>Rb%oLN~3Kt=O7$&goCc
z!*02Rq-(&-aAwtZZWqha%sex<A;P$eey5DPD74mxKCGJU4hDF;?-5wo9~wgiPWtIU
z@S%aLLGJ^1spfWfURPjNTkb(S%y-8yPX~`3es(uo_s#RZyA{h-AK&@%&^*N-YCoX9
zrj-#7G;W&rUcbWMBm6zU->dlh0{$N3?;-v!g92PD(@(RxTV-zEO7~}_0u{1jAj3hI
z1o9esLJ<)NS*eDQJ)t*7bp&!lt8;O)fv49Yx*>L`JgfZ(*Y~>Da>TFTQ_Xs)=9q|#
z$JU@59TYk%=#Oy}`B(V|ouDb9?a(dB*s!dR?Jsm%2XUvp6l%TIH~Mz-;u{Uk;Q8(Z
zuYe6pnK#?QBZr%X+74Ol5DwJG#Vj|js<xYMd#A|s>wXTCZnv4mj5yYQ2c89%t6)7}
z8<t)lcJSlxE7i7{vt`=F$5dCA%@Ho!_7@K?FE16FsB?Wl{|f;!6u4QvfVs~*B}Ybv
zL_$34aGalxB>%pJ9|B+5$Pd!C`$tzgfIM71dL-5K;p*Y-W%G1@@!;WuREJR#b|rP7
zBg(_oRVsm4EG4MsU0r>lfKkW64<0oGdKE~!PxoEApQU@mBBK8Fi~Mlcka7>M9y}B%
z#y%j{l<u_~g=;r@Z{64f;vyX2>S46jdqYCthJ@TZ68d1RA3ZLu<vykWcuWEJ-dZYM
zYim$CTI;>G)_ZNO_tx4Tv^5qsTI;>G)_ZNO_tx4T?wZ-5TW$Bd-TGZDhx9RqbZ2#D
zXOQg~1mlc5!b}TD(chmz@@QHokEW13nvo%oW}rOUqf6zBGQL9cXbQ=rDI|}kkZNuQ
z(sckk-6sCSy|T2zbxrhM*F^7aP3*zAi5t>4huqudkbC1Sxi`*|d+Q0zi^ib0sYc2G
z)z=zoHdPrw)v)n+-5qh<0l}s&f02mR$MUodUFH4mck4BWIUII8D1o7Yf7jh`eAvJ-
zUTqis3lUt1OUgAM5_?1Na`lWcOJ1}Ht@uobTmd(m4%$o&lDMC+NL(nEI#~u6DC3a`
zzRY)rK4zXQ1ThCT3(TT~1sAJp#My=h0cpT}AUt{OIoT+Lic*}NmTaI82xpfElyHih
zg?NJO5!DcCn<HSW&LIJErji~#tRQ80P+yTx8pkhH&2SQzoaGYawVn^FeZN^;K7OSh
zuz=IB3Fw2@AVs0TG9m?<(J9c36r+|kJ_1Ro=(A%HPl|v%=CK8khZVqRL~NF`F$t?j
z6-XM_pJQYKgwhxTqO{xtKEjDrM_3Uw#tWT{K#*)_s1jDADv*S#KL@G=II0j|aZmUN
zRf0yS5;Ve#on+8%#eIW++hKJL2EEoOJma2j<EBEX_~OykD{Xg#qj9|3_Xa|Ix_@z$
z2V6_&SRngb_N;|sjP2##+z&6p=1RBR{nmIs0O|b<C$;DVdjSaJUmR&cT0N87{p@zJ
zyp&t9xnW5&$RYrGN%4Hkwzon?+%fz<@3ye%<W^5iamvRNE(PlYN1CmUlmH4yH4*5K
zx{JEM4vtOgo{y;~4o(p0zSVVgh+$iRl#1nvjm8kTbESfM0Sx&T*l1w55fX(G-r~4t
zW7cR{R9&ho2?_@KEG(<zDWG5hqLDIH4FYl(d@e(35BZtp=SXCTQ!fqUpoGf))<gVY
z0}{n}6PFX*cbJyy6iMKp<#0=RHqTROa*nhX_GT`@CFpjj!LUvzpsf6Ad)gY^d6F=0
zs8#9;A$!5BuEPT6yFF>LQszkr1tJ;_;ml?P+APKpR3fW`dbUS!H-P>+<7bzT=$GQ~
z5?KcH@N^r=!O|SZ9N7MG@^QU{<2Kwj6y|9PBHOw8E@FIcQeZ+XO-sO`q019hba^rz
z4FH6CJsPEa9`DZwHMRBxDXqXqB|%1@>e*0%c&$gKyv-x0nX+hdt}Gahn?W2mo;fbg
zw0L9+^9Kj^SP+~G#r(8PI9(3Oo#M08aMx~zb>Ht9G)7~}Nn{CV7-eXlzVWrMHgCN*
zYo6loE&M>tTkl`u?+Skpnx}Yvisz?te-)##k33sGhu174$h;WZfWRpLMnAw)37{cJ
z#%I`vw6b{R{CEa}q>ox2HVJ@7Rtf-`tL_*8jXsI54(e5Px%3qv5694#VzlM?vP1{q
z;y!NX7r1<(VPufRWwcpl!N&0*Xv7oxVGQvx8#tdRz&2bgp41``+Y64FK7yk8QAQ(`
ztyn1!B6}Pgqxh{5|J}ypjVSTkcG)v!XiZjlz<(a{A4JUF{?b=oYv1_tYfs+;KdzQA
zwZ-<wiNB;??03jID81<5SoZxIPV5Anl!!5-wps|I0xsxzbwcm0J~b*=u3q(ee3nlP
z11Og8yeby&97xtd*p~D}IJY|;VJwJYvKg+$XF7Izg@>bB5>=rYR?iSlgThh8DS9wm
zyaZd&0&>?+q%)<D-iX0uU11txDM1O*8ya9iG<%5j=eq->w?<$&RfM<Z%nl*i$o~=*
z5Cfngm7=6S;J$6&divT|-fZ9e>KEG<PqNKD8*I_EU;K+-eeEl6zfqTn<q6Q2zWOum
zn_spbzWl|fP5Y&HzV`ZS@3dcg>#g_Re7}AFwb$Qylf9l6t7pg6gV+ux`pok}h4qT-
zKAglFj%sFEBHjyyE$M%fC>Q0{jY{8uDrF_6N|JZS6Z}ozh*OyWQ7Cyimb*jw7X`2<
zB>zj3MkLM{Wt1rvGKN<6acHwd>^`8h!D)?PizCn&V2(?$*+IILQEF5e&C={1vuAx+
zodME-cEgdW4$+CEXCSR*g#<wi1&`WN_K5yDqEekG(N_1Wu<XT|SH~m3k~ULvZD@e;
zm?p}BsZETog?Hwp;B|)7!<r&7K2|WAM2bnZHpR~d9}QbcK3pON<MzpuFTL~j>u<DI
z7Y{BTMkh||O~;H0+qdknRKL1-6xHdWRKpq1sn-_Od^Ty*X3C8=d!~b~7!u7o=zC;M
zg8h)H)9g>j`Av72Mk?gJ@!hNt+Zf<fm@BB}DMi~nyvS&z0E30g+Q=qRUWa6hNtQ^C
zmPs^+SxQkudb6Y`3Lal<?gleEC7Ch`gm-q^WlDBqBAmA?hc&PV0_qVk%Bld$G$|nm
z9!nsh3x`!;2!zLwybHfdGVG?wDJeTVTJvGCTsP3cNKCdQXD<+R6RS(A8;%RS+%c;-
zMv1aUT9BoRWy(m8Ok?G)Y}&Wq{|a3SOYnXFD{nBp_kB4Li!sCtvlR&WHXLyRbDW-^
zi~$qA-^}-StsNbDcM`_RvW~UaFcxx7UlAAJ$pwNRICW(FF(xiUoUJ1d3|G5C9ugY-
zvbGbY^VY+56~Iu#=S*(aaJTLb$mWU`g+Hk=d@VAy;UxLIV_T?f3b@QflK>G(VOnGq
zK~y4DTG7e;=v+_k1E)uQh>A;5r~wg9+u(EuMu8(DwJeqcXQ{wVDX93@WXQy7v_#J3
zc5w=;%|ZQjUKu0Pqmr{{$HwM@W8NNdQ_~T7f|;BGH{n4Ep368S{Se6GXEaJ6(1vOD
zjFk{XknD+o_H<2(5X5U|{g8YWruOM>$W*OR%XrE9%7&{pX&~WJ(h_Qe25~rkpX_rL
zU<wV2t5Tj$570tFIyC2_^AbxAkZJvD8S^@f$ZgeyIg!DS1LbKFdKXi&C}>7T9`#SM
z@s$uWMUj<@hyYG20$*jOcnosgw-rNT$m<}pZo$KbHC*7b1A+w09dvLc6~`FVD*X$-
zVS&TMBi|U<?e7tR+<0=Hn>HSIP{jkVZ)oyRfy5Zp|GMIcOMo|{An@NkN1`_q>3z3w
zF-OK4h(lMu8ZA0tV+NTkO)B(0^oUbInIRZ}9-xj6Jq}Nb4D-d@KVOX3%ehhb8VX;7
zypAG!=fccZ^&2?|{4DYQ2wpbOmne$dXA4jl>jUj7fjBu>F#$pH@^yuvfm)TG+!<ij
zQ)*U|mF6erz7;C^1Z+FOh|C5R9%<W0$37us_n)nY5x>M}qE%5CdNdUUnzNKy5&oj&
z<5Wv1W{tiE<&=$p;|wRfP1`fmIJyl>I3UDZh>jqDL~?NsxP|Fa3_7R7hyW`7N#N+q
zT}a7AwLowbf(RuCM(i7LkS6S#!fkvVD>_KDl9ZD6`3i0@_Egj$HSh=Hf7kVUMuyZ!
z_IHCcRfSpOH$}B1gPAC{jG`bvEIK8Dlw*wdm#{vDdyIA8<(ZGT8%2n=?F(qx<Ku_5
zVBGO-nAN=s$8xzTvI8eMn~*+-n-lD==i9nV=LL#<7x$GM$4sesv$ppw(9O!8BNs}r
zVN6P?oTU`)WD0GKkTZ8GkQD(yvBtPzK)F^tfT(moNi|_5kVQ2tOhF}Y5=1{`d0<BI
zotG#H1z@63qtVlZGJB2^Y0<B{!qTENCFf_o>k6j{r^pc;UA|+-9JrfXq}s36Wq^l)
z3RzNj7h;cvwJdi^8M2Z`X;&`Jo&9PlE1j9`42ce6M#&RXaSca+OT`t)^^GS+ekE5L
zFNn06El3o}G?LX*&1h*$!FiT9K$WLSdO-}%jkbv>)R9o(XiPl9wW=?oLib;b<w;tQ
zFXy4)nQ#{zkkU*wUPUWbt^gJB#smp!nW++86H8Oct8IrD7Jb&i>d+MJ_LSTcd7}{f
zJgUYDbAMsVWoKX=L{$S(<iO`GN`9%(_sK`E?sAx_L9*M4FNv7|j2&^l$BNlLG90GX
zx{B+RiBNJ{;zSHN4iuySm68{3Ic$f_hYokD;|);kNqB=fpmJFPB*k#%8$mI0nbG-d
z9cOT%S=o3K%mO!M|K=zRmmE0of&i@(lpLe>9~{b(7|HI1W5*)NRVmCN@B$9+xDRW2
zRxw>Bi{p%pz%9dBm8?sX<r|Pif=jEVM9l(gjRjSL7u(SEf7A-Hs(Y$}8e*JMe79V5
zchiKb6#?f53zBbeJI%;YnkOkFf>h>9)n4imz7ZF48Whg<ww#>|Kp7-|bWDS4>%?qS
zk(|@rq^0FL2R<egZ9nDBNL}UOW5?dqNQ5Y&n;0H1R~`CiyW12rh!rPNDQZbVan3w7
zj*dtO>e6n#r)Rr6?(nvHl#(CW#1Cy9FXuaR3BmM3vG2qdtE@_!bPfsh8}vK9;>u2S
z2f$K{O7Sf4PAk$EB%~9V1~>crjeH>{N;wZ~j}ub6Aq4^)_9YOEq@gG^XDz?o>GMy5
z51Y<~WZqre*p+C_FOp{*&Jd6BDU45g5bEQG^sBm-F2*su(LP{jcp<Oo3o-fBhRBhh
zK*!(BJ+9=n^}tHnVeR~_xF|3+ql+9+(qXv4mb`5wxHY}xK~LKk=W$pvFL=G;U8=8h
zSu9&ayk0pQ2u#QWm5j3WWn?fa`BG~7Vt^@xFlTJ20GU>iu+pTup&H_tnJZ*#@EZmv
zyqgY!<u@-QI(R;%sUx16{l(A~NnJ@PTazqi%sr8)hrXjN?#I0jLyDZ^WM;%wI-d@o
z6hL-K9>w=CLL4Ak<!i|LQ0Q|#m#6A1i`;^PHLO!v64J1|0iAYlFpa$t;F}~^xcGgd
zW3nwrc|xxX2dzhZ3L#dNZ7J~Jbu;LH!!u#;H)Jjp5L)h$;TmN`5`U76g2c-+PhN#r
z*`r0FLQ`6Q;&zi<(JPjZUX}U<js{U&u1_%KV4Z@IqBgfU#@XU6gn$(tHlcBB16WD&
zMhaymzcqR*p@1_^h=HPV2-mFG>|9iY1cCyqv7d>6{$@WdBR~u|(<z+nlE~i#j*&x3
zhKuz0VHCn3pzsv+u!NYnCxk1bP0*|wl$jyEEFpICSrnxfUaH73g^K-g)?L<0x;B(?
z{zcqAEdXe%SLw-Y>L$%!xr^gi1Or7hhLPHq17HltcnAmK5oF&Kqe^y|M4Z`_=Z=({
zE2IiIHNpm=(LD;hPH=qXtD>B8TKzf6<n&&Xh>SqoT+-^MStiM@-TVktN8-y!sIC_$
zh>y-7x}|xjF&CE!rV#^93RQZTjGh_PqOURqjC?O=ixkzvInD9&`Eq1xvaxj@bSV0p
z5~oYCg6wO^a-AP#^&m1{b}J^qNQkMO9@E8aMy@>jmC!1px^SYEhoXKWzC;dvQbzQV
zI_21$YSxw}{)EF@KkTc#wtNiEy;k0)3N*k?9&8%!26D?Zudum%-Nf-6iTjF04KrE&
zC6bWt>5~MiIHcGS+*^TTwhblK--FN+>BHO8j#Eh4I`CemUd^D?7Q3fyukp19Wo~4~
zEEy*p#}0iUVVR<?Gy?*sC4mVR{3u_saf_)wJXOVIiQsupaGlM=9b3Vw25I51mMffY
z7uP$nk|aa$^mx3N*|GX!hycqOUEnG<C|?zXc0}|jNA=y{z%{DN!k-&q;D6NzQITXf
z>!w~08m9TM9b#qJ$)QKeEZ~01r_@eJz8Mok2<psYYfG>;v~URu$vJr8>&v3<)DWxe
zk<w>z^aO_O2NN&G4zUs5aTH-wVgKUAMN*wfTbXZ)*;UPtykE4NH*hl=i2`54lH!AC
z<h3G`inK^!$C3LPqeIW(IGaIcDBXgT^-+`x%t?F{DVlNe3`u6IGbXQ%^(#XyIQ~o+
zkF1UCOogTcmsIjYS4H)XNN!rekW&TcayT(zgovz?0QMQLht)-$KMui|LOKh#i2*<>
z-a<1esep7S3(7S6v<@*C<RL?h<M4%Y)i?xFtdUGB*0t016x9!_3RJ3&%fi3_X)C2s
zgx(mNXreYrEWfeGgmNQY;0a{8N7AQg6I|-acrEsY`vMSae3{u9zI0IS4%i2hCJ^<6
z0mH@`J208@bP;^65L+<+izLWqKv?znsU+yh7~Y7Y5;fa?-0>CWA&$a5tRvNBCm|uy
zLhi$Uy+YtG#pwb$y8eNM#lOylF+0`m10M}9mHQV1hJBhtVTJM9(v_$tA=<;fEf}L?
zyT~>a3pt?G=F8riSQ`Aap)WOAdJP_eSsB@&HSM7%V3C}8&)gwsN7l|}LQp!dhl}DE
z)jbsdm{AmnnMoVVIC3do<TS6SfErnVCaWdLOoC-wEjDT;TwJG_3_B0&2(r~ml$F&*
zOWaV_v-XH7@Kv*n9TgwnBrV_7tmJTPqtdnSBws}0!@zQok%0Omex*o0Rw&*}z!K2{
z#x5ixa6CZS!_rYki}E5PDt2+TC$G54d-`onZOA5OI!GM6KILQ5$7El&&vPaMv9kp$
zk{=%X@l>RkHKTyUn{Js_GB4)Ur1VCPE=XC%2}5rE*!3?qZ}gXF$3QlZ<#@<9&9cNr
zLX6Se=f>=I_W>MLWpF5*yn|z1mT(hhIE0O^LdjRW>I;Iets&NkZCsx{s8C5+m=p*w
zet9ApJ(qNW03}(-G@5>~n)Bm=AmISQb^LIkPs0>%y&qy4R9yI~N}m#kvqG@ORZvvb
zaBT>xStZ}uK-_DJU{KB#cM$_hn%Nzeu<f4V7&}nrZmp;oVhy`7YLRyMtKaS#$s?1`
z(MAMZg@-T@)A=&ejFSlhZTrj*>EJpfB4xMIn5Y<!RYbxkI*tuE=OPFk=mj#gKQOl_
z$b33B*}@A|P5dbbeO$Sz6EF%BJxs4d#!wvg4rnkFR*mVQpbp};pl+55>J_OK#<eZ7
zfCHO=t@+=R8}SP4RefTp4lj4?`6qONSG9&DvAKr#t9piBCcI5yEyWFU+2P!fC*JZ6
z=;bOM`jgvaBZkS`wll_Y<@2vjpK4!feicwf${_rSSj<VrJ@da1sHl&3<-@;J`q2^n
zCEX`E2(5b&^~T15%OYO!_5n=zmR|7o_$hA=6er`{!lDgwE;Ko6B`<W1&zqAe_&FI|
zV@7E;faMf8OMu{fU3?r^M2qrXS(WDiMiK2JF{uvU`Nn==U@F?VU<4Oe5{U3+kJl40
zw;WM-E$83TiH=B|b6-|>8o%dL^{%R>;%V%y$_^p>PWX9b0aBbB1ysnV-ej}YhMA(0
zDZrz>S}pQB*Zc@mCD^_YGvJiXfSw4rh$Izntj+~=CL2p$Xc8FIm?Cn^mv~caUB#73
zf)d(cF3E$GMP6)cfg*H7(qI<aGD5|9saAEqB$UbTQIHka175c1H=EtFdlKz(2o605
zos8Aa8N7(4Gdoq!CGk!@^Sq)bXTJ6Tw}(rEBe#l7=^dR!=PZMT2+Ai_x00`9U&W3u
zq*pa$UocP)6<Q^FU`6gxZN~hy^8?{r@ivKV2kT6W=O?!r-NWnTMUavH@}({y0iA*m
zN#`_Ia?Uw*vt(jEmUs?lvX(5M&bYGj$QuW;G(yf4Hn$Vp`m;o-kT@0wk$h121Jzbl
z&93jh1c`Nvb7EBxC#*)5*HOL12kY1XDTR;XMm@4jGQrDF3Pg=$XXI25HY^|FF6JT!
z7O7w^plh~zAWMq5Ct0=<WTnGeP=rmF*_X^>AzFKd!pG0MFGq{jLXFwR78)fdWM4z-
zNZh1C6nuV<kvuXgC2vP$dkjmw@dsh7HiCU<pvncNRXf_5?tGqeH`iH~q2erEG>B{s
zlEm<WQMK#J?idXj%t@^Ql%tQ*LgFje8wQkWh2d)<+Z7>nT%&m$I8`*2MIP`iXdI*C
z%}o6Wb+n1a3Y%5mufT4vQU$OwW1qX4#_05r-7*+x*`6_6pjc6g{8<5#4N~P(vReuZ
z60Uz?K_#jyz~NKJFa*^ZahZ4V_H@)F*C@Y?%_tvBC9H&&qm`G9@sJ-txQc3I#<8ow
zrXuGfbD^8h`|<lDG~IEm%mtfX{}KwBFsL0pi{nAo<JSywk~AyW8#S0hp&Q{Mq+<$U
zO>6qbdG@``N7J<V6~bsJLui~sjvc4=fWN}UMaW?)YK&<S6#S#Ix(d8u(TkECIr+j+
zpwwb=59m4Ah+|}8JdY(G+s_ol?z5Pq8B-1p?9A#+X|L>!oSV2wI?j@pdm8?G6?lMb
z<rkwWn<~~sX$nbH)HuhH-;Y@0h&<~hCaLEa(q;FW(_IN6E=DmH@Lq5%sl|CYjXGUE
z>$fb=*cJXNkv!gJw4N(@<&@g@_%dDff)l$_YdTP(Kp(AJ*auawMYI~xN|aL$t!Zsk
zMtF`cC{gvdHEK&sY`qZzX3$hYKlVTy0VksNrgd%b(6y*FA17<ZTFh4V1$S9ubZ)U}
zHx0STt%dUX7pr@Y8zjyHN~PCLg{GQD2SLR|rCJ0nMMBgt-vOMbNVj!=-OZuhs^1xD
zTfA8upL|&U-W}gj?pW9@S!l>oObA0JfK0y4QdpwWJ;t<tFl1KdIA2H&TAWAfyVIZg
z=5*3#tBxP%t8$;Y!_(PNreuYe`8d!g*_{p}Wn@)j)8UX6V(Tn7A7ZjfrevT^RZ#F*
zY#}qN(FcFaCCUrsWEWM*5RhSvDC8J{iHD(*@v^5(veMnGUg^RX(s%;26H~0<hJj|w
z-89poHeb`Jopmmw>5$Wm-DJXsxgJo`u_AZy*udZB;a8}4_`0Kozf~aUyG;;Mg)+ha
zRi<_kp~NcEBuD0bC6Uts85f8If}fIN-D6!NUpxu~IUT-)li%M7+#>lJJQFQ+N-E<j
z$;qxJzV;!zTwEk115A{Um0cwcW2&P=ULpbhgi=(?v3d>OHp<A5s0_Pg46`fB>Xc0F
zYDx#KxlxbCRgzZ<HErIJwBfEj_Zq0r&Y>cl#s+jOh^5-l6wAy+%KOi<RO=+PuRbJF
zGbYTOvp7TB&R^h67$@QUe)jZ6qJB}64ZEq1i<nfz<m4sGDXZ4)Bw<$CT7h#hR<o(1
z%b~BOm8#ev3~A*Zo9qrcL?yyV0%G$Ay8wd*(iQ*TKR*bk7%UcGF)JQ{Z#R70sors{
zJ?3i8Suu!CB`P=NzGtcVyPX*MN@&ESUJBw-(HiW4&t_D6MRoW%r$fGrh}~aVlR*T*
znFP-7(~$@HY98e|webCf)mH;6)gl%-a+N4pKV5`le=s%WeB;n~oR-VLENCvycO|t#
zgAAt`(r?I4cxCfGi$j0)Z+dP?YQ%U!GY@gd!N7U3ewaPr+(hbZV*T*jwim<Q2EQ|a
z>+zu18^4n%+P=9!=6ipEABwtw@W5A1@J3Yu%})4{s?WptQ_yR#zx{dU97uKHhKt4B
z7DF_0g)<^09$U;0$XmNO;0;(-w7Wf0vo3_B7r4E^kHs}|gSbF*!LKwn7c{m|dnfOj
zU-UeYg1_3{EYO=jX&?IIjoQNR<+rdfC^`@XyA6I{@Iw2-sZN8RrQB>7q5S{<?@yu&
z{xq@u9BT6;_PeWo_213)k?d!T{jvEh?)X!)-u_i<@7I^3rr!APCOh~sZgTs-VD0_-
z<6hCO`YW&n`1Yv%U$XXoeYsSXyK(!U1@!-X|NA?~|6A7Hub;E_f5@(5{5!z;+qvHU
zJJ#N>A6P@qk+k#nKZ1Myx56Krc>B-U5BmD`UwHv5<G(Te@pHP(_Y?k~*bmJ5^_Qhp
z(>VU#onQYl%6})de_=mx?AH&i{TP1(H-8N`q^bA!J!|jRSL}z5ef;tK|CY6X-8%f-
zdwS#7f2Kd5E%^T^ipK4K4KUKg`)@wL1ONL#{%y$L`M>e{{|X9o`<Fk^+J61`_vh9P
zet}y5^XuQoV{YFptb$#=o<Yyre>7_UlDD(#zyDpv|MgM(kFRwkzy87B_yaz)T*vtQ
zi&6XE{z)acUu`*~kGi*}`Auu@>)*U$3uf0RUnh0Se=nC?x%+qcmo>colfSAf>DM3s
zQ+0#!`2Ts-{^lQOd%u42kL&i%KMwt`xcMXab25MO3*_{s`Q+#HI<D`}e*NF5`$zHT
z?Z0R3zxR7=|9{bz^Y`}6t&ZD#U9aDLg2MFQ%jurCpFv~J*xP^i+t%*y==BpLzx5jX
z$NAvfXq(6X&Og+e-}zO&zTykR!SJ8Y+pj;2#<_iCzl+^`OWS`et;#<yms`2}Q8Z>>
zj{nEj{$p$Z<j>U&UalXTAG7ga8Nt2%PmSQjmH*}IXo^z)(yuB0@BXqpHa~{T-$q5B
sx6AJz1l)1gn)>etKdCi;V93xiu0#1d;ZyCee?{B>gd=JVMvu+^1IUyPbpQYW

literal 0
HcmV?d00001

diff --git a/example/network/lwip_iperf/configs/d2000_aarch32_test_lwip_iperf.config b/example/network/lwip_iperf/configs/d2000_aarch32_test_lwip_iperf.config
index 545eea42..93f0c1d3 100644
--- a/example/network/lwip_iperf/configs/d2000_aarch32_test_lwip_iperf.config
+++ b/example/network/lwip_iperf/configs/d2000_aarch32_test_lwip_iperf.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -544,6 +546,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -553,6 +556,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -575,6 +580,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_iperf/configs/d2000_aarch64_test_lwip_iperf.config b/example/network/lwip_iperf/configs/d2000_aarch64_test_lwip_iperf.config
index 502738e5..c89e2bbe 100644
--- a/example/network/lwip_iperf/configs/d2000_aarch64_test_lwip_iperf.config
+++ b/example/network/lwip_iperf/configs/d2000_aarch64_test_lwip_iperf.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -533,6 +535,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -542,6 +545,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -564,6 +569,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_iperf/configs/e2000d_aarch32_demo_lwip_iperf.config b/example/network/lwip_iperf/configs/e2000d_aarch32_demo_lwip_iperf.config
index 8d8584b5..5c5515f0 100644
--- a/example/network/lwip_iperf/configs/e2000d_aarch32_demo_lwip_iperf.config
+++ b/example/network/lwip_iperf/configs/e2000d_aarch32_demo_lwip_iperf.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -558,6 +560,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -567,6 +570,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -589,6 +594,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_iperf/configs/e2000d_aarch64_demo_lwip_iperf.config b/example/network/lwip_iperf/configs/e2000d_aarch64_demo_lwip_iperf.config
index 34f1b201..7d72acee 100644
--- a/example/network/lwip_iperf/configs/e2000d_aarch64_demo_lwip_iperf.config
+++ b/example/network/lwip_iperf/configs/e2000d_aarch64_demo_lwip_iperf.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -547,6 +549,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -556,6 +559,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -578,6 +583,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_iperf/configs/e2000q_aarch32_demo_lwip_iperf.config b/example/network/lwip_iperf/configs/e2000q_aarch32_demo_lwip_iperf.config
index a540fd9d..076bf520 100644
--- a/example/network/lwip_iperf/configs/e2000q_aarch32_demo_lwip_iperf.config
+++ b/example/network/lwip_iperf/configs/e2000q_aarch32_demo_lwip_iperf.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -557,6 +559,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -566,6 +569,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -588,6 +593,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_iperf/configs/e2000q_aarch64_demo_lwip_iperf.config b/example/network/lwip_iperf/configs/e2000q_aarch64_demo_lwip_iperf.config
index 23a8058f..d10149fe 100644
--- a/example/network/lwip_iperf/configs/e2000q_aarch64_demo_lwip_iperf.config
+++ b/example/network/lwip_iperf/configs/e2000q_aarch64_demo_lwip_iperf.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -546,6 +548,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -555,6 +558,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -577,6 +582,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_iperf/configs/ft2004_aarch32_dsk_lwip_iperf.config b/example/network/lwip_iperf/configs/ft2004_aarch32_dsk_lwip_iperf.config
index a2079705..1ef37928 100644
--- a/example/network/lwip_iperf/configs/ft2004_aarch32_dsk_lwip_iperf.config
+++ b/example/network/lwip_iperf/configs/ft2004_aarch32_dsk_lwip_iperf.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -544,6 +546,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -553,6 +556,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -575,6 +580,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_iperf/configs/ft2004_aarch64_dsk_lwip_iperf.config b/example/network/lwip_iperf/configs/ft2004_aarch64_dsk_lwip_iperf.config
index 221f6dc9..f7edfe54 100644
--- a/example/network/lwip_iperf/configs/ft2004_aarch64_dsk_lwip_iperf.config
+++ b/example/network/lwip_iperf/configs/ft2004_aarch64_dsk_lwip_iperf.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -533,6 +535,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -542,6 +545,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -564,6 +569,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_iperf/configs/phytiumpi_aarch32_firefly_lwip_iperf.config b/example/network/lwip_iperf/configs/phytiumpi_aarch32_firefly_lwip_iperf.config
index fb47b17c..4f4bc00f 100644
--- a/example/network/lwip_iperf/configs/phytiumpi_aarch32_firefly_lwip_iperf.config
+++ b/example/network/lwip_iperf/configs/phytiumpi_aarch32_firefly_lwip_iperf.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -556,6 +558,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -565,6 +568,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -587,6 +592,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_iperf/configs/phytiumpi_aarch64_firefly_lwip_iperf.config b/example/network/lwip_iperf/configs/phytiumpi_aarch64_firefly_lwip_iperf.config
index c8bdff45..f188359e 100644
--- a/example/network/lwip_iperf/configs/phytiumpi_aarch64_firefly_lwip_iperf.config
+++ b/example/network/lwip_iperf/configs/phytiumpi_aarch64_firefly_lwip_iperf.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -545,6 +547,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -554,6 +557,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -576,6 +581,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_iperf/sdkconfig b/example/network/lwip_iperf/sdkconfig
index c8bdff45..f188359e 100644
--- a/example/network/lwip_iperf/sdkconfig
+++ b/example/network/lwip_iperf/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -545,6 +547,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -554,6 +557,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -576,6 +581,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_iperf/sdkconfig.h b/example/network/lwip_iperf/sdkconfig.h
index c5170047..b9dde9a7 100644
--- a/example/network/lwip_iperf/sdkconfig.h
+++ b/example/network/lwip_iperf/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -477,6 +479,7 @@
 #define CONFIG_LWIP_PORT_DHCP_PRIORITY 5
 /* end of lwip port thread Configuration */
 /* end of LWIP Freertos Port Configuration */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -485,6 +488,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -505,6 +510,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/network/lwip_startup/configs/d2000_aarch32_test_lwip_startup.config b/example/network/lwip_startup/configs/d2000_aarch32_test_lwip_startup.config
index 1ff6a289..d58900d6 100644
--- a/example/network/lwip_startup/configs/d2000_aarch32_test_lwip_startup.config
+++ b/example/network/lwip_startup/configs/d2000_aarch32_test_lwip_startup.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -544,6 +546,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -553,6 +556,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -575,6 +580,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_startup/configs/d2000_aarch64_test_lwip_startup.config b/example/network/lwip_startup/configs/d2000_aarch64_test_lwip_startup.config
index ee31f56e..328002ae 100644
--- a/example/network/lwip_startup/configs/d2000_aarch64_test_lwip_startup.config
+++ b/example/network/lwip_startup/configs/d2000_aarch64_test_lwip_startup.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -533,6 +535,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -542,6 +545,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -564,6 +569,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_startup/configs/e2000d_aarch32_demo_lwip_startup.config b/example/network/lwip_startup/configs/e2000d_aarch32_demo_lwip_startup.config
index 0d12b462..51be855a 100644
--- a/example/network/lwip_startup/configs/e2000d_aarch32_demo_lwip_startup.config
+++ b/example/network/lwip_startup/configs/e2000d_aarch32_demo_lwip_startup.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -557,6 +559,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -566,6 +569,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -588,6 +593,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_startup/configs/e2000d_aarch64_demo_lwip_startup.config b/example/network/lwip_startup/configs/e2000d_aarch64_demo_lwip_startup.config
index c68220f6..e86a2802 100644
--- a/example/network/lwip_startup/configs/e2000d_aarch64_demo_lwip_startup.config
+++ b/example/network/lwip_startup/configs/e2000d_aarch64_demo_lwip_startup.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -546,6 +548,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -555,6 +558,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -577,6 +582,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_startup/configs/e2000q_aarch32_demo_lwip_startup.config b/example/network/lwip_startup/configs/e2000q_aarch32_demo_lwip_startup.config
index d6c04967..f6c67bc7 100644
--- a/example/network/lwip_startup/configs/e2000q_aarch32_demo_lwip_startup.config
+++ b/example/network/lwip_startup/configs/e2000q_aarch32_demo_lwip_startup.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -556,6 +558,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -565,6 +568,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -587,6 +592,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_startup/configs/e2000q_aarch64_demo_lwip_startup.config b/example/network/lwip_startup/configs/e2000q_aarch64_demo_lwip_startup.config
index 31c14462..95618675 100644
--- a/example/network/lwip_startup/configs/e2000q_aarch64_demo_lwip_startup.config
+++ b/example/network/lwip_startup/configs/e2000q_aarch64_demo_lwip_startup.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -545,6 +547,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -554,6 +557,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -576,6 +581,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_startup/configs/ft2004_aarch32_dsk_lwip_startup.config b/example/network/lwip_startup/configs/ft2004_aarch32_dsk_lwip_startup.config
index fa7459c2..8966f383 100644
--- a/example/network/lwip_startup/configs/ft2004_aarch32_dsk_lwip_startup.config
+++ b/example/network/lwip_startup/configs/ft2004_aarch32_dsk_lwip_startup.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -544,6 +546,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -553,6 +556,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -575,6 +580,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_startup/configs/ft2004_aarch64_dsk_lwip_startup.config b/example/network/lwip_startup/configs/ft2004_aarch64_dsk_lwip_startup.config
index 1dab7e68..94a605a6 100644
--- a/example/network/lwip_startup/configs/ft2004_aarch64_dsk_lwip_startup.config
+++ b/example/network/lwip_startup/configs/ft2004_aarch64_dsk_lwip_startup.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -533,6 +535,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -542,6 +545,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -564,6 +569,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_startup/configs/phytiumpi_aarch32_firefly_lwip_startup.config b/example/network/lwip_startup/configs/phytiumpi_aarch32_firefly_lwip_startup.config
index ef901467..94b25d90 100644
--- a/example/network/lwip_startup/configs/phytiumpi_aarch32_firefly_lwip_startup.config
+++ b/example/network/lwip_startup/configs/phytiumpi_aarch32_firefly_lwip_startup.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -555,6 +557,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -564,6 +567,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -586,6 +591,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_startup/configs/phytiumpi_aarch64_firefly_lwip_startup.config b/example/network/lwip_startup/configs/phytiumpi_aarch64_firefly_lwip_startup.config
index 146d7810..975c00ef 100644
--- a/example/network/lwip_startup/configs/phytiumpi_aarch64_firefly_lwip_startup.config
+++ b/example/network/lwip_startup/configs/phytiumpi_aarch64_firefly_lwip_startup.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -544,6 +546,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -553,6 +556,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -575,6 +580,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_startup/sdkconfig b/example/network/lwip_startup/sdkconfig
index 146d7810..975c00ef 100644
--- a/example/network/lwip_startup/sdkconfig
+++ b/example/network/lwip_startup/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -544,6 +546,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -553,6 +556,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -575,6 +580,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/lwip_startup/sdkconfig.h b/example/network/lwip_startup/sdkconfig.h
index 6388755d..9fe69c98 100644
--- a/example/network/lwip_startup/sdkconfig.h
+++ b/example/network/lwip_startup/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -476,6 +478,7 @@
 #define CONFIG_LWIP_PORT_DHCP_PRIORITY 5
 /* end of lwip port thread Configuration */
 /* end of LWIP Freertos Port Configuration */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -484,6 +487,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -504,6 +509,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/network/lwip_startup/src/lwip_dhcp_example.c b/example/network/lwip_startup/src/lwip_dhcp_example.c
index 08ae7c3c..81982171 100644
--- a/example/network/lwip_startup/src/lwip_dhcp_example.c
+++ b/example/network/lwip_startup/src/lwip_dhcp_example.c
@@ -123,16 +123,19 @@ static int DhcpService_Is_Sucess()
 {
     struct netif *netif;
     char * ip_addr;
+    int ret = 0;
     for (int i = 0; i < MAC_NUM; i++)
     {
         netif = LwipPortGetByName(board_mac_config[i].lwip_mac_config.name);
         ip_addr = ipaddr_ntoa(&(netif->ip_addr));
 
         if(strcmp(ip_addr,board_mac_config[i].ipaddr) == 0)
-            return 0; 
+            printf("Eth%d dhcp service failed, please check the network configuration and physical connection status.\r\n", i);
+        else
+            ret++;
     }
-   
-    return 1;
+
+    return ret;
 }
 
 void LwipDhcpInitTask(void)
diff --git a/example/network/sockets/udp_multicast/configs/d2000_aarch32_test_udp_multicast.config b/example/network/sockets/udp_multicast/configs/d2000_aarch32_test_udp_multicast.config
index 2e1d8a04..82f16ce1 100644
--- a/example/network/sockets/udp_multicast/configs/d2000_aarch32_test_udp_multicast.config
+++ b/example/network/sockets/udp_multicast/configs/d2000_aarch32_test_udp_multicast.config
@@ -71,6 +71,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -116,6 +117,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -561,6 +563,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -570,6 +573,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -592,6 +597,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/sockets/udp_multicast/configs/d2000_aarch64_test_udp_multicast.config b/example/network/sockets/udp_multicast/configs/d2000_aarch64_test_udp_multicast.config
index 1f17ef76..26363a87 100644
--- a/example/network/sockets/udp_multicast/configs/d2000_aarch64_test_udp_multicast.config
+++ b/example/network/sockets/udp_multicast/configs/d2000_aarch64_test_udp_multicast.config
@@ -65,6 +65,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -550,6 +552,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -559,6 +562,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -581,6 +586,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/sockets/udp_multicast/configs/e2000d_aarch32_demo_udp_multicast.config b/example/network/sockets/udp_multicast/configs/e2000d_aarch32_demo_udp_multicast.config
index db76ff72..ea53593d 100644
--- a/example/network/sockets/udp_multicast/configs/e2000d_aarch32_demo_udp_multicast.config
+++ b/example/network/sockets/udp_multicast/configs/e2000d_aarch32_demo_udp_multicast.config
@@ -70,6 +70,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -129,6 +130,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -574,6 +576,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -583,6 +586,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -605,6 +610,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/sockets/udp_multicast/configs/e2000d_aarch64_demo_udp_multicast.config b/example/network/sockets/udp_multicast/configs/e2000d_aarch64_demo_udp_multicast.config
index 897ea773..8b6a7103 100644
--- a/example/network/sockets/udp_multicast/configs/e2000d_aarch64_demo_udp_multicast.config
+++ b/example/network/sockets/udp_multicast/configs/e2000d_aarch64_demo_udp_multicast.config
@@ -64,6 +64,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -123,6 +124,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -563,6 +565,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -572,6 +575,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -594,6 +599,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/sockets/udp_multicast/configs/e2000q_aarch32_demo_udp_multicast.config b/example/network/sockets/udp_multicast/configs/e2000q_aarch32_demo_udp_multicast.config
index 09d4844c..31b8c17a 100644
--- a/example/network/sockets/udp_multicast/configs/e2000q_aarch32_demo_udp_multicast.config
+++ b/example/network/sockets/udp_multicast/configs/e2000q_aarch32_demo_udp_multicast.config
@@ -70,6 +70,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -128,6 +129,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -573,6 +575,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -582,6 +585,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -604,6 +609,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/sockets/udp_multicast/configs/e2000q_aarch64_demo_udp_multicast.config b/example/network/sockets/udp_multicast/configs/e2000q_aarch64_demo_udp_multicast.config
index 2bb4f2be..fc30f047 100644
--- a/example/network/sockets/udp_multicast/configs/e2000q_aarch64_demo_udp_multicast.config
+++ b/example/network/sockets/udp_multicast/configs/e2000q_aarch64_demo_udp_multicast.config
@@ -64,6 +64,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -122,6 +123,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -562,6 +564,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -571,6 +574,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -593,6 +598,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/sockets/udp_multicast/configs/ft2004_aarch32_dsk_udp_multicast.config b/example/network/sockets/udp_multicast/configs/ft2004_aarch32_dsk_udp_multicast.config
index f279e572..c0b7e36c 100644
--- a/example/network/sockets/udp_multicast/configs/ft2004_aarch32_dsk_udp_multicast.config
+++ b/example/network/sockets/udp_multicast/configs/ft2004_aarch32_dsk_udp_multicast.config
@@ -71,6 +71,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -116,6 +117,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -561,6 +563,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -570,6 +573,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -592,6 +597,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/sockets/udp_multicast/configs/ft2004_aarch64_dsk_udp_multicast.config b/example/network/sockets/udp_multicast/configs/ft2004_aarch64_dsk_udp_multicast.config
index 5b46e1d1..61104ed0 100644
--- a/example/network/sockets/udp_multicast/configs/ft2004_aarch64_dsk_udp_multicast.config
+++ b/example/network/sockets/udp_multicast/configs/ft2004_aarch64_dsk_udp_multicast.config
@@ -65,6 +65,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -550,6 +552,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -559,6 +562,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -581,6 +586,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/sockets/udp_multicast/configs/phytiumpi_aarch32_firefly_udp_multicast.config b/example/network/sockets/udp_multicast/configs/phytiumpi_aarch32_firefly_udp_multicast.config
index dc7b2db0..b0e29d24 100644
--- a/example/network/sockets/udp_multicast/configs/phytiumpi_aarch32_firefly_udp_multicast.config
+++ b/example/network/sockets/udp_multicast/configs/phytiumpi_aarch32_firefly_udp_multicast.config
@@ -70,6 +70,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -127,6 +128,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -572,6 +574,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -581,6 +584,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -603,6 +608,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/sockets/udp_multicast/configs/phytiumpi_aarch64_firefly_udp_multicast.config b/example/network/sockets/udp_multicast/configs/phytiumpi_aarch64_firefly_udp_multicast.config
index 3e13632e..beb792d9 100644
--- a/example/network/sockets/udp_multicast/configs/phytiumpi_aarch64_firefly_udp_multicast.config
+++ b/example/network/sockets/udp_multicast/configs/phytiumpi_aarch64_firefly_udp_multicast.config
@@ -64,6 +64,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -121,6 +122,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -561,6 +563,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -570,6 +573,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -592,6 +597,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/sockets/udp_multicast/sdkconfig b/example/network/sockets/udp_multicast/sdkconfig
index 3e13632e..beb792d9 100644
--- a/example/network/sockets/udp_multicast/sdkconfig
+++ b/example/network/sockets/udp_multicast/sdkconfig
@@ -64,6 +64,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -121,6 +122,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -561,6 +563,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -570,6 +573,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -592,6 +597,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/sockets/udp_multicast/sdkconfig.h b/example/network/sockets/udp_multicast/sdkconfig.h
index a0bb68af..8a29ccff 100644
--- a/example/network/sockets/udp_multicast/sdkconfig.h
+++ b/example/network/sockets/udp_multicast/sdkconfig.h
@@ -58,6 +58,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -110,6 +111,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -490,6 +492,7 @@
 #define CONFIG_LWIP_PORT_DHCP_PRIORITY 5
 /* end of lwip port thread Configuration */
 /* end of LWIP Freertos Port Configuration */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -498,6 +501,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -518,6 +523,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 11
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/network/wlan/configs/e2000d_aarch32_demo_wlan.config b/example/network/wlan/configs/e2000d_aarch32_demo_wlan.config
index 67034f48..21c63db5 100644
--- a/example/network/wlan/configs/e2000d_aarch32_demo_wlan.config
+++ b/example/network/wlan/configs/e2000d_aarch32_demo_wlan.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -543,6 +545,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -552,6 +555,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -596,6 +601,8 @@ CONFIG_USE_FSL_WIFI=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/wlan/configs/e2000d_aarch64_demo_wlan.config b/example/network/wlan/configs/e2000d_aarch64_demo_wlan.config
index 5fa2e47a..c11a209f 100644
--- a/example/network/wlan/configs/e2000d_aarch64_demo_wlan.config
+++ b/example/network/wlan/configs/e2000d_aarch64_demo_wlan.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -532,6 +534,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -541,6 +544,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -585,6 +590,8 @@ CONFIG_USE_FSL_WIFI=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/wlan/configs/e2000q_aarch32_demo_wlan.config b/example/network/wlan/configs/e2000q_aarch32_demo_wlan.config
index 020343d5..c2f3b74f 100644
--- a/example/network/wlan/configs/e2000q_aarch32_demo_wlan.config
+++ b/example/network/wlan/configs/e2000q_aarch32_demo_wlan.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -542,6 +544,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -551,6 +554,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -595,6 +600,8 @@ CONFIG_USE_FSL_WIFI=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/wlan/configs/e2000q_aarch64_demo_wlan.config b/example/network/wlan/configs/e2000q_aarch64_demo_wlan.config
index 107182d3..dcad5c88 100644
--- a/example/network/wlan/configs/e2000q_aarch64_demo_wlan.config
+++ b/example/network/wlan/configs/e2000q_aarch64_demo_wlan.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -531,6 +533,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -540,6 +543,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -584,6 +589,8 @@ CONFIG_USE_FSL_WIFI=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/wlan/sdkconfig b/example/network/wlan/sdkconfig
index 107182d3..dcad5c88 100644
--- a/example/network/wlan/sdkconfig
+++ b/example/network/wlan/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -531,6 +533,7 @@ CONFIG_LWIP_PORT_DHCP_PRIORITY=5
 # end of lwip port thread Configuration
 # end of LWIP Freertos Port Configuration
 
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -540,6 +543,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -584,6 +589,8 @@ CONFIG_USE_FSL_WIFI=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/network/wlan/sdkconfig.h b/example/network/wlan/sdkconfig.h
index 5af5f4dc..301ed5e7 100644
--- a/example/network/wlan/sdkconfig.h
+++ b/example/network/wlan/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "e2000"
 #define CONFIG_TARGET_TYPE_NAME "q"
 #define CONFIG_SOC_CORE_NUM 4
@@ -97,6 +98,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -465,6 +467,7 @@
 #define CONFIG_LWIP_PORT_DHCP_PRIORITY 5
 /* end of lwip port thread Configuration */
 /* end of LWIP Freertos Port Configuration */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -473,6 +476,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -510,6 +515,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/can/can/configs/d2000_aarch32_test_can.config b/example/peripheral/can/can/configs/d2000_aarch32_test_can.config
index af4c7a51..a70c20cf 100644
--- a/example/peripheral/can/can/configs/d2000_aarch32_test_can.config
+++ b/example/peripheral/can/can/configs/d2000_aarch32_test_can.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/can/configs/d2000_aarch64_test_can.config b/example/peripheral/can/can/configs/d2000_aarch64_test_can.config
index 727cde34..91401df1 100644
--- a/example/peripheral/can/can/configs/d2000_aarch64_test_can.config
+++ b/example/peripheral/can/can/configs/d2000_aarch64_test_can.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -284,6 +286,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -293,6 +296,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -315,6 +320,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/can/configs/e2000d_aarch32_demo_can.config b/example/peripheral/can/can/configs/e2000d_aarch32_demo_can.config
index b1dc27ab..5331dc5b 100644
--- a/example/peripheral/can/can/configs/e2000d_aarch32_demo_can.config
+++ b/example/peripheral/can/can/configs/e2000d_aarch32_demo_can.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -308,6 +310,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -317,6 +320,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -339,6 +344,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/can/configs/e2000d_aarch64_demo_can.config b/example/peripheral/can/can/configs/e2000d_aarch64_demo_can.config
index dd1e9859..acd3ac41 100644
--- a/example/peripheral/can/can/configs/e2000d_aarch64_demo_can.config
+++ b/example/peripheral/can/can/configs/e2000d_aarch64_demo_can.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -297,6 +299,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -306,6 +309,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -328,6 +333,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/can/configs/e2000q_aarch32_demo_can.config b/example/peripheral/can/can/configs/e2000q_aarch32_demo_can.config
index 419e9874..2273373c 100644
--- a/example/peripheral/can/can/configs/e2000q_aarch32_demo_can.config
+++ b/example/peripheral/can/can/configs/e2000q_aarch32_demo_can.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/can/configs/e2000q_aarch64_demo_can.config b/example/peripheral/can/can/configs/e2000q_aarch64_demo_can.config
index 79a9a100..5069b0c4 100644
--- a/example/peripheral/can/can/configs/e2000q_aarch64_demo_can.config
+++ b/example/peripheral/can/can/configs/e2000q_aarch64_demo_can.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/can/configs/ft2004_aarch32_dsk_can.config b/example/peripheral/can/can/configs/ft2004_aarch32_dsk_can.config
index ece63f38..2a65e5e0 100644
--- a/example/peripheral/can/can/configs/ft2004_aarch32_dsk_can.config
+++ b/example/peripheral/can/can/configs/ft2004_aarch32_dsk_can.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/can/configs/ft2004_aarch64_dsk_can.config b/example/peripheral/can/can/configs/ft2004_aarch64_dsk_can.config
index 6a2cb559..0c321d86 100644
--- a/example/peripheral/can/can/configs/ft2004_aarch64_dsk_can.config
+++ b/example/peripheral/can/can/configs/ft2004_aarch64_dsk_can.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -284,6 +286,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -293,6 +296,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -315,6 +320,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/can/sdkconfig b/example/peripheral/can/can/sdkconfig
index 6a2cb559..0c321d86 100644
--- a/example/peripheral/can/can/sdkconfig
+++ b/example/peripheral/can/can/sdkconfig
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -284,6 +286,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -293,6 +296,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -315,6 +320,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/can/sdkconfig.h b/example/peripheral/can/can/sdkconfig.h
index 2d422f98..fc817dd3 100644
--- a/example/peripheral/can/can/sdkconfig.h
+++ b/example/peripheral/can/can/sdkconfig.h
@@ -45,6 +45,7 @@
 #define CONFIG_TARGET_FT2004
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "ft2004"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -86,6 +87,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -251,6 +253,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -259,6 +262,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -279,6 +284,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/can/canfd/configs/e2000d_aarch32_demo_canfd.config b/example/peripheral/can/canfd/configs/e2000d_aarch32_demo_canfd.config
index c5090d06..a4da6e9f 100644
--- a/example/peripheral/can/canfd/configs/e2000d_aarch32_demo_canfd.config
+++ b/example/peripheral/can/canfd/configs/e2000d_aarch32_demo_canfd.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -308,6 +310,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -317,6 +320,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -339,6 +344,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/canfd/configs/e2000d_aarch64_demo_canfd.config b/example/peripheral/can/canfd/configs/e2000d_aarch64_demo_canfd.config
index 7cf83d56..5d309e32 100644
--- a/example/peripheral/can/canfd/configs/e2000d_aarch64_demo_canfd.config
+++ b/example/peripheral/can/canfd/configs/e2000d_aarch64_demo_canfd.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -297,6 +299,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -306,6 +309,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -328,6 +333,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/canfd/configs/e2000q_aarch32_demo_canfd.config b/example/peripheral/can/canfd/configs/e2000q_aarch32_demo_canfd.config
index 10f7b5ad..a6a953da 100644
--- a/example/peripheral/can/canfd/configs/e2000q_aarch32_demo_canfd.config
+++ b/example/peripheral/can/canfd/configs/e2000q_aarch32_demo_canfd.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/canfd/configs/e2000q_aarch64_demo_canfd.config b/example/peripheral/can/canfd/configs/e2000q_aarch64_demo_canfd.config
index b2419bc8..5f8031e0 100644
--- a/example/peripheral/can/canfd/configs/e2000q_aarch64_demo_canfd.config
+++ b/example/peripheral/can/canfd/configs/e2000q_aarch64_demo_canfd.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/canfd/sdkconfig b/example/peripheral/can/canfd/sdkconfig
index b2419bc8..5f8031e0 100644
--- a/example/peripheral/can/canfd/sdkconfig
+++ b/example/peripheral/can/canfd/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_CAN=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/can/canfd/sdkconfig.h b/example/peripheral/can/canfd/sdkconfig.h
index 5ad47dbc..022b4deb 100644
--- a/example/peripheral/can/canfd/sdkconfig.h
+++ b/example/peripheral/can/canfd/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "e2000"
 #define CONFIG_TARGET_TYPE_NAME "q"
 #define CONFIG_SOC_CORE_NUM 4
@@ -97,6 +98,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -262,6 +264,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -270,6 +273,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -290,6 +295,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/dma/ddma/configs/e2000d_aarch32_demo_ddma.config b/example/peripheral/dma/ddma/configs/e2000d_aarch32_demo_ddma.config
index e48b0683..940fa3b0 100644
--- a/example/peripheral/dma/ddma/configs/e2000d_aarch32_demo_ddma.config
+++ b/example/peripheral/dma/ddma/configs/e2000d_aarch32_demo_ddma.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -310,6 +312,7 @@ CONFIG_FREERTOS_USE_FDDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -319,6 +322,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -341,6 +346,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/ddma/configs/e2000d_aarch64_demo_ddma.config b/example/peripheral/dma/ddma/configs/e2000d_aarch64_demo_ddma.config
index 8ad12215..859f8c0f 100644
--- a/example/peripheral/dma/ddma/configs/e2000d_aarch64_demo_ddma.config
+++ b/example/peripheral/dma/ddma/configs/e2000d_aarch64_demo_ddma.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -299,6 +301,7 @@ CONFIG_FREERTOS_USE_FDDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -308,6 +311,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -330,6 +335,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/ddma/configs/e2000q_aarch32_demo_ddma.config b/example/peripheral/dma/ddma/configs/e2000q_aarch32_demo_ddma.config
index cc244d57..a47f29e8 100644
--- a/example/peripheral/dma/ddma/configs/e2000q_aarch32_demo_ddma.config
+++ b/example/peripheral/dma/ddma/configs/e2000q_aarch32_demo_ddma.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -309,6 +311,7 @@ CONFIG_FREERTOS_USE_FDDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -318,6 +321,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -340,6 +345,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/ddma/configs/e2000q_aarch64_demo_ddma.config b/example/peripheral/dma/ddma/configs/e2000q_aarch64_demo_ddma.config
index 17c350cb..66b48125 100644
--- a/example/peripheral/dma/ddma/configs/e2000q_aarch64_demo_ddma.config
+++ b/example/peripheral/dma/ddma/configs/e2000q_aarch64_demo_ddma.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -298,6 +300,7 @@ CONFIG_FREERTOS_USE_FDDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -307,6 +310,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -329,6 +334,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/ddma/configs/phytiumpi_aarch32_firefly_ddma.config b/example/peripheral/dma/ddma/configs/phytiumpi_aarch32_firefly_ddma.config
index 4bf666f8..3b8e4a7a 100644
--- a/example/peripheral/dma/ddma/configs/phytiumpi_aarch32_firefly_ddma.config
+++ b/example/peripheral/dma/ddma/configs/phytiumpi_aarch32_firefly_ddma.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -308,6 +310,7 @@ CONFIG_FREERTOS_USE_FDDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -317,6 +320,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -339,6 +344,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/ddma/configs/phytiumpi_aarch64_firefly_ddma.config b/example/peripheral/dma/ddma/configs/phytiumpi_aarch64_firefly_ddma.config
index 844c1b19..5d1d15a3 100644
--- a/example/peripheral/dma/ddma/configs/phytiumpi_aarch64_firefly_ddma.config
+++ b/example/peripheral/dma/ddma/configs/phytiumpi_aarch64_firefly_ddma.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -297,6 +299,7 @@ CONFIG_FREERTOS_USE_FDDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -306,6 +309,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -328,6 +333,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/ddma/sdkconfig b/example/peripheral/dma/ddma/sdkconfig
index 844c1b19..5d1d15a3 100644
--- a/example/peripheral/dma/ddma/sdkconfig
+++ b/example/peripheral/dma/ddma/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -297,6 +299,7 @@ CONFIG_FREERTOS_USE_FDDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -306,6 +309,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -328,6 +333,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/ddma/sdkconfig.h b/example/peripheral/dma/ddma/sdkconfig.h
index 47add5b6..ab296493 100644
--- a/example/peripheral/dma/ddma/sdkconfig.h
+++ b/example/peripheral/dma/ddma/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -263,6 +265,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -271,6 +274,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -291,6 +296,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/dma/gdma/configs/e2000d_aarch32_demo_gdma.config b/example/peripheral/dma/gdma/configs/e2000d_aarch32_demo_gdma.config
index bf04a4c2..667b0b35 100644
--- a/example/peripheral/dma/gdma/configs/e2000d_aarch32_demo_gdma.config
+++ b/example/peripheral/dma/gdma/configs/e2000d_aarch32_demo_gdma.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -309,6 +311,7 @@ CONFIG_FREERTOS_USE_FGDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -318,6 +321,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -340,6 +345,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/gdma/configs/e2000d_aarch64_demo_gdma.config b/example/peripheral/dma/gdma/configs/e2000d_aarch64_demo_gdma.config
index 5528beec..46e36e85 100644
--- a/example/peripheral/dma/gdma/configs/e2000d_aarch64_demo_gdma.config
+++ b/example/peripheral/dma/gdma/configs/e2000d_aarch64_demo_gdma.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -298,6 +300,7 @@ CONFIG_FREERTOS_USE_FGDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -307,6 +310,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -329,6 +334,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/gdma/configs/e2000q_aarch32_demo_gdma.config b/example/peripheral/dma/gdma/configs/e2000q_aarch32_demo_gdma.config
index 2cbc9b72..fa6b65ae 100644
--- a/example/peripheral/dma/gdma/configs/e2000q_aarch32_demo_gdma.config
+++ b/example/peripheral/dma/gdma/configs/e2000q_aarch32_demo_gdma.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -308,6 +310,7 @@ CONFIG_FREERTOS_USE_FGDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -317,6 +320,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -339,6 +344,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/gdma/configs/e2000q_aarch64_demo_gdma.config b/example/peripheral/dma/gdma/configs/e2000q_aarch64_demo_gdma.config
index 1274d885..8e171576 100644
--- a/example/peripheral/dma/gdma/configs/e2000q_aarch64_demo_gdma.config
+++ b/example/peripheral/dma/gdma/configs/e2000q_aarch64_demo_gdma.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -297,6 +299,7 @@ CONFIG_FREERTOS_USE_FGDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -306,6 +309,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -328,6 +333,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/gdma/configs/phytiumpi_aarch32_firefly_gdma.config b/example/peripheral/dma/gdma/configs/phytiumpi_aarch32_firefly_gdma.config
index 2251b569..a28bbece 100644
--- a/example/peripheral/dma/gdma/configs/phytiumpi_aarch32_firefly_gdma.config
+++ b/example/peripheral/dma/gdma/configs/phytiumpi_aarch32_firefly_gdma.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_FGDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/gdma/configs/phytiumpi_aarch64_firefly_gdma.config b/example/peripheral/dma/gdma/configs/phytiumpi_aarch64_firefly_gdma.config
index a4078fe3..f4c6059e 100644
--- a/example/peripheral/dma/gdma/configs/phytiumpi_aarch64_firefly_gdma.config
+++ b/example/peripheral/dma/gdma/configs/phytiumpi_aarch64_firefly_gdma.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_FGDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/gdma/sdkconfig b/example/peripheral/dma/gdma/sdkconfig
index a4078fe3..f4c6059e 100644
--- a/example/peripheral/dma/gdma/sdkconfig
+++ b/example/peripheral/dma/gdma/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_FGDMA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/dma/gdma/sdkconfig.h b/example/peripheral/dma/gdma/sdkconfig.h
index 48c4a06b..d19ba9d0 100644
--- a/example/peripheral/dma/gdma/sdkconfig.h
+++ b/example/peripheral/dma/gdma/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -262,6 +264,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -270,6 +273,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -290,6 +295,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/gpio/configs/d2000_aarch32_test_gpio.config b/example/peripheral/gpio/configs/d2000_aarch32_test_gpio.config
index acf4fd38..e7ae3c0a 100644
--- a/example/peripheral/gpio/configs/d2000_aarch32_test_gpio.config
+++ b/example/peripheral/gpio/configs/d2000_aarch32_test_gpio.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/gpio/configs/d2000_aarch64_test_gpio.config b/example/peripheral/gpio/configs/d2000_aarch64_test_gpio.config
index 4a79bd42..3115ec78 100644
--- a/example/peripheral/gpio/configs/d2000_aarch64_test_gpio.config
+++ b/example/peripheral/gpio/configs/d2000_aarch64_test_gpio.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -284,6 +286,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -293,6 +296,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -315,6 +320,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/gpio/configs/e2000d_aarch32_demo_gpio.config b/example/peripheral/gpio/configs/e2000d_aarch32_demo_gpio.config
index 90b6325c..6be8f2b7 100644
--- a/example/peripheral/gpio/configs/e2000d_aarch32_demo_gpio.config
+++ b/example/peripheral/gpio/configs/e2000d_aarch32_demo_gpio.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -308,6 +310,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -317,6 +320,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -339,6 +344,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/gpio/configs/e2000d_aarch64_demo_gpio.config b/example/peripheral/gpio/configs/e2000d_aarch64_demo_gpio.config
index 2a6e0de4..9c1947c3 100644
--- a/example/peripheral/gpio/configs/e2000d_aarch64_demo_gpio.config
+++ b/example/peripheral/gpio/configs/e2000d_aarch64_demo_gpio.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -297,6 +299,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -306,6 +309,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -328,6 +333,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/gpio/configs/e2000q_aarch32_demo_gpio.config b/example/peripheral/gpio/configs/e2000q_aarch32_demo_gpio.config
index 2907ec3e..f9b162ef 100644
--- a/example/peripheral/gpio/configs/e2000q_aarch32_demo_gpio.config
+++ b/example/peripheral/gpio/configs/e2000q_aarch32_demo_gpio.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/gpio/configs/e2000q_aarch64_demo_gpio.config b/example/peripheral/gpio/configs/e2000q_aarch64_demo_gpio.config
index e44db224..4d2b9592 100644
--- a/example/peripheral/gpio/configs/e2000q_aarch64_demo_gpio.config
+++ b/example/peripheral/gpio/configs/e2000q_aarch64_demo_gpio.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/gpio/configs/phytiumpi_aarch32_firefly_gpio.config b/example/peripheral/gpio/configs/phytiumpi_aarch32_firefly_gpio.config
index 2672e501..9c030ad6 100644
--- a/example/peripheral/gpio/configs/phytiumpi_aarch32_firefly_gpio.config
+++ b/example/peripheral/gpio/configs/phytiumpi_aarch32_firefly_gpio.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/gpio/configs/phytiumpi_aarch64_firefly_gpio.config b/example/peripheral/gpio/configs/phytiumpi_aarch64_firefly_gpio.config
index 0ef8fb65..5b2c32b8 100644
--- a/example/peripheral/gpio/configs/phytiumpi_aarch64_firefly_gpio.config
+++ b/example/peripheral/gpio/configs/phytiumpi_aarch64_firefly_gpio.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/gpio/sdkconfig b/example/peripheral/gpio/sdkconfig
index 0ef8fb65..5b2c32b8 100644
--- a/example/peripheral/gpio/sdkconfig
+++ b/example/peripheral/gpio/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/gpio/sdkconfig.h b/example/peripheral/gpio/sdkconfig.h
index 7215c87e..36a03a19 100644
--- a/example/peripheral/gpio/sdkconfig.h
+++ b/example/peripheral/gpio/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -261,6 +263,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -269,6 +272,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -289,6 +294,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/i2c/configs/e2000d_aarch32_demo_i2c.config b/example/peripheral/i2c/configs/e2000d_aarch32_demo_i2c.config
index 7fc449b0..6716f4ba 100644
--- a/example/peripheral/i2c/configs/e2000d_aarch32_demo_i2c.config
+++ b/example/peripheral/i2c/configs/e2000d_aarch32_demo_i2c.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -315,6 +317,7 @@ CONFIG_FREERTOS_USE_MIO=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -324,6 +327,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -346,6 +351,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/i2c/configs/e2000d_aarch64_demo_i2c.config b/example/peripheral/i2c/configs/e2000d_aarch64_demo_i2c.config
index 60d9b26e..a92bfaff 100644
--- a/example/peripheral/i2c/configs/e2000d_aarch64_demo_i2c.config
+++ b/example/peripheral/i2c/configs/e2000d_aarch64_demo_i2c.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -304,6 +306,7 @@ CONFIG_FREERTOS_USE_MIO=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -313,6 +316,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -335,6 +340,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/i2c/configs/e2000q_aarch32_demo_i2c.config b/example/peripheral/i2c/configs/e2000q_aarch32_demo_i2c.config
index 2d3a0947..798ba498 100644
--- a/example/peripheral/i2c/configs/e2000q_aarch32_demo_i2c.config
+++ b/example/peripheral/i2c/configs/e2000q_aarch32_demo_i2c.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -314,6 +316,7 @@ CONFIG_FREERTOS_USE_MIO=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -345,6 +350,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/i2c/configs/e2000q_aarch64_demo_i2c.config b/example/peripheral/i2c/configs/e2000q_aarch64_demo_i2c.config
index 3a83ef6f..073c5980 100644
--- a/example/peripheral/i2c/configs/e2000q_aarch64_demo_i2c.config
+++ b/example/peripheral/i2c/configs/e2000q_aarch64_demo_i2c.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -303,6 +305,7 @@ CONFIG_FREERTOS_USE_MIO=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -334,6 +339,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/i2c/configs/phytiumpi_aarch32_firefly_i2c.config b/example/peripheral/i2c/configs/phytiumpi_aarch32_firefly_i2c.config
index 1d22c969..497363e8 100644
--- a/example/peripheral/i2c/configs/phytiumpi_aarch32_firefly_i2c.config
+++ b/example/peripheral/i2c/configs/phytiumpi_aarch32_firefly_i2c.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -313,6 +315,7 @@ CONFIG_FREERTOS_USE_MIO=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +325,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -344,6 +349,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/i2c/configs/phytiumpi_aarch64_firefly_i2c.config b/example/peripheral/i2c/configs/phytiumpi_aarch64_firefly_i2c.config
index 5b884636..7a24c3db 100644
--- a/example/peripheral/i2c/configs/phytiumpi_aarch64_firefly_i2c.config
+++ b/example/peripheral/i2c/configs/phytiumpi_aarch64_firefly_i2c.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -302,6 +304,7 @@ CONFIG_FREERTOS_USE_MIO=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +314,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -333,6 +338,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/i2c/sdkconfig b/example/peripheral/i2c/sdkconfig
index 5b884636..7a24c3db 100644
--- a/example/peripheral/i2c/sdkconfig
+++ b/example/peripheral/i2c/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -302,6 +304,7 @@ CONFIG_FREERTOS_USE_MIO=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +314,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -333,6 +338,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/i2c/sdkconfig.h b/example/peripheral/i2c/sdkconfig.h
index 4f87f88b..778c6808 100644
--- a/example/peripheral/i2c/sdkconfig.h
+++ b/example/peripheral/i2c/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -266,6 +268,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -274,6 +277,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -294,6 +299,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/i2s/configs/e2000d_aarch32_demo_i2s.config b/example/peripheral/i2s/configs/e2000d_aarch32_demo_i2s.config
index 0eac5c9a..3f95cb89 100644
--- a/example/peripheral/i2s/configs/e2000d_aarch32_demo_i2s.config
+++ b/example/peripheral/i2s/configs/e2000d_aarch32_demo_i2s.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_NONE=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -325,6 +327,7 @@ CONFIG_FREERTOS_USE_I2S=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -334,6 +337,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -356,6 +361,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/i2s/configs/e2000d_aarch64_demo_i2s.config b/example/peripheral/i2s/configs/e2000d_aarch64_demo_i2s.config
index b7e52842..9b17418e 100644
--- a/example/peripheral/i2s/configs/e2000d_aarch64_demo_i2s.config
+++ b/example/peripheral/i2s/configs/e2000d_aarch64_demo_i2s.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_NONE=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -314,6 +316,7 @@ CONFIG_FREERTOS_USE_I2S=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -345,6 +350,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/i2s/configs/e2000q_aarch32_demo_i2s.config b/example/peripheral/i2s/configs/e2000q_aarch32_demo_i2s.config
index 836d9de3..d8d1a88f 100644
--- a/example/peripheral/i2s/configs/e2000q_aarch32_demo_i2s.config
+++ b/example/peripheral/i2s/configs/e2000q_aarch32_demo_i2s.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_NONE=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -324,6 +326,7 @@ CONFIG_FREERTOS_USE_I2S=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -333,6 +336,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -355,6 +360,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/i2s/configs/e2000q_aarch64_demo_i2s.config b/example/peripheral/i2s/configs/e2000q_aarch64_demo_i2s.config
index 5fb12bb7..34b56874 100644
--- a/example/peripheral/i2s/configs/e2000q_aarch64_demo_i2s.config
+++ b/example/peripheral/i2s/configs/e2000q_aarch64_demo_i2s.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_NONE=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -313,6 +315,7 @@ CONFIG_FREERTOS_USE_I2S=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +325,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -344,6 +349,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/i2s/sdkconfig b/example/peripheral/i2s/sdkconfig
index 5fb12bb7..34b56874 100644
--- a/example/peripheral/i2s/sdkconfig
+++ b/example/peripheral/i2s/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_NONE=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -313,6 +315,7 @@ CONFIG_FREERTOS_USE_I2S=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +325,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -344,6 +349,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/i2s/sdkconfig.h b/example/peripheral/i2s/sdkconfig.h
index 65954833..d4b5f496 100644
--- a/example/peripheral/i2s/sdkconfig.h
+++ b/example/peripheral/i2s/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "e2000"
 #define CONFIG_TARGET_TYPE_NAME "q"
 #define CONFIG_SOC_CORE_NUM 4
@@ -97,6 +98,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -275,6 +277,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -283,6 +286,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -303,6 +308,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/media/lvgl_demo/configs/e2000d_aarch32_demo_media.config b/example/peripheral/media/lvgl_demo/configs/e2000d_aarch32_demo_media.config
index 70536d72..389b715a 100644
--- a/example/peripheral/media/lvgl_demo/configs/e2000d_aarch32_demo_media.config
+++ b/example/peripheral/media/lvgl_demo/configs/e2000d_aarch32_demo_media.config
@@ -39,6 +39,12 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +59,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +119,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -147,13 +155,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -314,6 +316,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -345,6 +350,8 @@ CONFIG_USE_LVGL=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_demo/configs/e2000d_aarch64_demo_media.config b/example/peripheral/media/lvgl_demo/configs/e2000d_aarch64_demo_media.config
index a81d3100..c3a1f3af 100644
--- a/example/peripheral/media/lvgl_demo/configs/e2000d_aarch64_demo_media.config
+++ b/example/peripheral/media/lvgl_demo/configs/e2000d_aarch64_demo_media.config
@@ -33,6 +33,12 @@ CONFIG_BOOT_WITH_FLUSH_CACHE=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +113,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -141,13 +149,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -303,6 +305,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -334,6 +339,8 @@ CONFIG_USE_LVGL=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_demo/configs/e2000q_aarch32_demo_media.config b/example/peripheral/media/lvgl_demo/configs/e2000q_aarch32_demo_media.config
index 7f6e8863..31fa0ce9 100644
--- a/example/peripheral/media/lvgl_demo/configs/e2000q_aarch32_demo_media.config
+++ b/example/peripheral/media/lvgl_demo/configs/e2000q_aarch32_demo_media.config
@@ -39,6 +39,12 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +59,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +118,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -146,13 +154,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -313,6 +315,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +325,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -344,6 +349,8 @@ CONFIG_USE_LVGL=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_demo/configs/e2000q_aarch64_demo_media.config b/example/peripheral/media/lvgl_demo/configs/e2000q_aarch64_demo_media.config
index 24f02f8d..6dd80f15 100644
--- a/example/peripheral/media/lvgl_demo/configs/e2000q_aarch64_demo_media.config
+++ b/example/peripheral/media/lvgl_demo/configs/e2000q_aarch64_demo_media.config
@@ -29,10 +29,16 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_GCC_CODE_MODEL_LARGE is not set
 # end of Compiler configuration
 
-# CONFIG_BOOT_WITH_FLUSH_CACHE is not set
+CONFIG_BOOT_WITH_FLUSH_CACHE=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +112,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -140,13 +148,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -302,6 +304,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +314,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -333,6 +338,8 @@ CONFIG_USE_LVGL=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_demo/configs/phytiumpi_aarch32_firefly_media.config b/example/peripheral/media/lvgl_demo/configs/phytiumpi_aarch32_firefly_media.config
index 844e4d6a..13dfcac3 100644
--- a/example/peripheral/media/lvgl_demo/configs/phytiumpi_aarch32_firefly_media.config
+++ b/example/peripheral/media/lvgl_demo/configs/phytiumpi_aarch32_firefly_media.config
@@ -39,6 +39,12 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +59,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +117,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -145,13 +153,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -312,6 +314,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -321,6 +324,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -343,6 +348,8 @@ CONFIG_USE_LVGL=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_demo/configs/phytiumpi_aarch64_firefly_media.config b/example/peripheral/media/lvgl_demo/configs/phytiumpi_aarch64_firefly_media.config
index 7342ecf5..08dba790 100644
--- a/example/peripheral/media/lvgl_demo/configs/phytiumpi_aarch64_firefly_media.config
+++ b/example/peripheral/media/lvgl_demo/configs/phytiumpi_aarch64_firefly_media.config
@@ -33,6 +33,12 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +111,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -139,13 +147,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_LVGL=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_demo/sdkconfig b/example/peripheral/media/lvgl_demo/sdkconfig
index 3bba792e..b8030431 100644
--- a/example/peripheral/media/lvgl_demo/sdkconfig
+++ b/example/peripheral/media/lvgl_demo/sdkconfig
@@ -33,6 +33,12 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -141,13 +147,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -202,7 +202,7 @@ CONFIG_USE_COMPILE_CHAIN=y
 CONFIG_DEFAULT_LINKER_SCRIPT=y
 # CONFIG_USER_DEFINED_LD is not set
 CONFIG_IMAGE_LOAD_ADDRESS=0x80100000
-CONFIG_IMAGE_MAX_LENGTH=0x1000000
+CONFIG_IMAGE_MAX_LENGTH=0x4000000
 CONFIG_HEAP_SIZE=1
 CONFIG_STACK_SIZE=0x400
 # end of Linker Options
@@ -303,7 +303,20 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
-# CONFIG_USE_LETTER_SHELL is not set
+# CONFIG_USE_MBEDTLS is not set
+CONFIG_USE_LETTER_SHELL=y
+
+#
+# Letter Shell Configuration
+#
+CONFIG_LS_PL011_UART=y
+CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
+# end of Letter Shell Configuration
+
 # CONFIG_USE_AMP is not set
 # CONFIG_USE_YMODEM is not set
 # CONFIG_USE_SFUD is not set
@@ -324,6 +337,8 @@ CONFIG_USE_LVGL=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_demo/sdkconfig.h b/example/peripheral/media/lvgl_demo/sdkconfig.h
index 641ae46c..1fa21481 100644
--- a/example/peripheral/media/lvgl_demo/sdkconfig.h
+++ b/example/peripheral/media/lvgl_demo/sdkconfig.h
@@ -31,6 +31,11 @@
 /* CONFIG_BOOT_WITH_FLUSH_CACHE is not set */
 /* CONFIG_MMU_DEBUG_PRINTS is not set */
 /* end of Arm architecture configuration */
+
+/* multi-core system deployment framework */
+
+/* CONFIG_USE_MSDF is not set */
+/* end of multi-core system deployment framework */
 #define CONFIG_MMU_PAGE_SIZE 0x1000
 #define CONFIG_MAX_XLAT_TABLES 256
 /* end of Arch configuration */
@@ -130,11 +135,7 @@
 /* CONFIG_USE_PWM is not set */
 /* CONFIG_USE_IPC is not set */
 #define CONFIG_USE_MEDIA
-
-/* Media Configuration */
-
-#define CONFIG_ENABLE_FDC_DP_USE_LIB
-/* end of Media Configuration */
+#define CONFIG_USE_FMEDIA
 /* CONFIG_USE_SCMI_MHU is not set */
 /* CONFIG_USE_I2S is not set */
 /* CONFIG_USE_I3C is not set */
@@ -183,7 +184,7 @@
 #define CONFIG_DEFAULT_LINKER_SCRIPT
 /* CONFIG_USER_DEFINED_LD is not set */
 #define CONFIG_IMAGE_LOAD_ADDRESS 0x80100000
-#define CONFIG_IMAGE_MAX_LENGTH 0x1000000
+#define CONFIG_IMAGE_MAX_LENGTH 0x4000000
 #define CONFIG_HEAP_SIZE 1
 #define CONFIG_STACK_SIZE 0x400
 /* end of Linker Options */
@@ -267,7 +268,18 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
-/* CONFIG_USE_LETTER_SHELL is not set */
+/* CONFIG_USE_MBEDTLS is not set */
+#define CONFIG_USE_LETTER_SHELL
+
+/* Letter Shell Configuration */
+
+#define CONFIG_LS_PL011_UART
+#define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
+/* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
+/* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
+/* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
 /* CONFIG_USE_SFUD is not set */
@@ -287,6 +299,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/media/lvgl_demo/src/cmd.c b/example/peripheral/media/lvgl_demo/src/cmd.c
index 34264da1..3305ae8b 100644
--- a/example/peripheral/media/lvgl_demo/src/cmd.c
+++ b/example/peripheral/media/lvgl_demo/src/cmd.c
@@ -32,7 +32,7 @@
 #include "shell_port.h"
 
 #include "lv_demo_create.h"
-
+#include "lv_demo_test.h"
 static void FFreeRTOSMediaCmdUsage(void)
 {
     printf("Usage:\r\n");
diff --git a/example/peripheral/media/lvgl_demo/src/lv_demo_test.c b/example/peripheral/media/lvgl_demo/src/lv_demo_test.c
index 8ec76ed9..42643848 100644
--- a/example/peripheral/media/lvgl_demo/src/lv_demo_test.c
+++ b/example/peripheral/media/lvgl_demo/src/lv_demo_test.c
@@ -40,9 +40,33 @@
 #include "fdp.h"
 #include "fdp_hw.h"
 #include "fdc_hw.h"
+#include "fdcdp_reg.h"
+#include "fdcdp_crtc.h"
 #include "lv_conf.h"
 #include "lv_port_disp.h"
 
+typedef struct
+{
+    u32 bit_depth;
+    u32 bpc;
+    u32 color_depth;
+    u32 clock_mode;
+    u32 color_rep;
+    u32 width;
+    u32 height;
+    u32 multi_mode;
+} FuserCfg;
+
+static const FuserCfg user_cfg = {
+    .bit_depth = 8,
+    .bpc = 8,
+    .color_depth = 32,
+    .clock_mode = 1,
+    .color_rep = 0,
+    .width = 800,
+    .height = 600,
+    .multi_mode = 0/*0:clone, 1 :horz, 2:vert*/
+};
 /************************** Variable Definitions *****************************/
 #define FMEDIA_EVT_INTR(index)             BIT(index)
 #define FMEDIA_CHANNEL_0                    0
@@ -96,9 +120,9 @@ static void FFreeRTOSMediaHpdConnectCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
     FFreeRTOSMediaSendEvent(FMEDIA_EVT_INTR(index));
-    instance_p->connect_flg[index] = 1;
+    instance_p->is_initialized[index] = FDCDP_IS_INITIALIZED;
     printf("Dp:%d connect\r\n", index);
 
 }
@@ -114,8 +138,8 @@ static void FFreeRTOSMediaHpdBreakCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
-    instance_p->connect_flg[index] = 0;
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
+    instance_p->is_initialized[index] = FDCDP_NOT_INITIALIZED;
     FFreeRTOSMediaSendEvent(FMEDIA_EVT_INTR(index));
     printf("Dp:%d disconnect\r\n", index);
 }
@@ -131,7 +155,7 @@ static void FFreeRTOSMediaAuxTimeoutCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
     printf("Dp:%d aux connect timeout\r\n", index);
 }
 
@@ -146,7 +170,7 @@ static void FFreeRTOSMediaAuxErrorCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
     printf("Dp:%d aux connect error\r\n", index);
 }
 
@@ -161,8 +185,6 @@ static void FFreeRTOSMediaIrqSet(FDcDp *instance_p)
     FASSERT(instance_p != NULL);
     u32 cpu_id;
     u32 index;
-    FMediaIntrConfig intr_config;
-    memset(&intr_config, 0, sizeof(intr_config));
 
     GetCpuId(&cpu_id);
     InterruptSetTargetCpus(instance_p->dp_instance_p[0].config.irq_num, cpu_id);/*the dc0 and dc1 have the same num of irq_num*/
@@ -217,18 +239,36 @@ void FFreeRTOSMediaDeviceInit(void)
         start_index = channel;
         end_index = channel + 1;
     }
+    os_media.dcdp_ctrl.multi_mode = user_cfg.multi_mode;
     for (index = start_index; index < end_index; index ++)
     {
-        os_media.dcdp_ctrl.user_config[index].width = 800;
-        os_media.dcdp_ctrl.user_config[index].height = 600;
-        os_media.dcdp_ctrl.user_config[index].refresh_rate = 60;
-        os_media.dcdp_ctrl.user_config[index].color_depth = 32;
-        os_media.dcdp_ctrl.user_config[index].multi_mode = 0;
-        os_media.dcdp_ctrl.user_config[index].fb_phy = (uintptr)static_frame_buffer_address;
-        os_media.dcdp_ctrl.user_config[index].fb_virtual = (uintptr)static_frame_buffer_address ;/*当前例程虚拟地址和物理地址一致，实际需要根据需要进行映射*/
+        FDcDpCfgInitialize(&os_media.dcdp_ctrl,index);
+
+        os_media.dcdp_ctrl.dc_instance_p[index].config = *FDcLookupConfig(index);
+
+        os_media.dcdp_ctrl.dp_instance_p[index].config = *FDpLookupConfig(index);
+
+        os_media.dcdp_ctrl.dp_instance_p[index].trans_config.bit_depth = user_cfg.bit_depth;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].crtc.bpc = user_cfg.bpc;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].color_depth = user_cfg.color_depth;
+
+        os_media.dcdp_ctrl.dp_instance_p[index].trans_config.clock_mode = user_cfg.clock_mode;
+
+        os_media.dcdp_ctrl.dp_instance_p[index].trans_config.color_rep_format = user_cfg.color_rep;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].channel = index;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].fb_addr = (uintptr)static_frame_buffer_address ;/*当前例程虚拟地址和物理地址一致，实际需要根据需要进行映射*/
+
+        os_media.dcdp_ctrl.dc_instance_p[index].fb_virtual = (uintptr)static_frame_buffer_address ;/*当前例程虚拟地址和物理地址一致，实际需要根据需要进行映射*/
+
+        FDcDpGeneralCfgInitial(&os_media.dcdp_ctrl, index);
     }
-    FFreeRTOSMedia *os_config = FFreeRTOSMediaHwInit(channel, &os_media);
-    FASSERT_MSG(NULL == media_event, "Event group exists.");
+
+    FFreeRTOSMedia *os_config  = FFreeRTOSMediaHwInit(&os_media,user_cfg.width, user_cfg.height);
+     FASSERT_MSG(NULL == media_event, "Event group exists.");
     FASSERT_MSG((media_event = xEventGroupCreate()) != NULL, "Create event group failed.");
     FFreeRTOSMediaIrqSet(&os_config->dcdp_ctrl);
     FFreeRTOSMediaIrqAllEnable(&os_config->dcdp_ctrl);
@@ -259,24 +299,26 @@ void FFreeRTOSMediaChannelDeinit(u32 id)
 void FFreeRTOSMediaHpdHandle(void)
 {
     u32 index;
-    u32 ret = FMEDIA_DP_SUCCESS;
+    u32 ret = FDP_SUCCESS;
 
     FFreeRTOSMediaWaitEvent(FMEDIA_EVT_INTR(FMEDIA_CHANNEL_0) | FMEDIA_EVT_INTR(FMEDIA_CHANNEL_1), portMAX_DELAY);
-
+    os_media.dcdp_ctrl.multi_mode = user_cfg.multi_mode;
     for (;;)
     {
         for (index = 0; index < FDCDP_INSTANCE_NUM; index++)
         {
-            if (os_media.dcdp_ctrl.connect_flg[index] == 1)
+            if (os_media.dcdp_ctrl.is_initialized[index] == FDCDP_NOT_INITIALIZED)
             {
-                ret = FDcDpHotPlugConnect(&os_media.dcdp_ctrl, index);
+                FDcDpCfgInitialize(&os_media.dcdp_ctrl, index);
+                ret = FDcDpInitial(&os_media.dcdp_ctrl, index, user_cfg.width, user_cfg.height);
                 FFreeRTOSMediaClearEvent(media_event, FMEDIA_EVT_INTR(index));
-                if (ret == FMEDIA_DP_SUCCESS)
+                if (ret == FDP_SUCCESS)
                 {
-                    printf("Hpd task finish ,  reinit the dp success.\r\n");
+                    printf("Hpd task finish , reinit the dp success.\r\n");
                 }
-                os_media.dcdp_ctrl.connect_flg[index] == 0;
+                os_media.dcdp_ctrl.is_initialized[index] = FDCDP_IS_INITIALIZED;
             }
+
         }
         vTaskDelay(200);
     }
diff --git a/example/peripheral/media/lvgl_indev/configs/e2000d_aarch32_demo_media.config b/example/peripheral/media/lvgl_indev/configs/e2000d_aarch32_demo_media.config
index b67648ed..f4eb97da 100644
--- a/example/peripheral/media/lvgl_indev/configs/e2000d_aarch32_demo_media.config
+++ b/example/peripheral/media/lvgl_indev/configs/e2000d_aarch32_demo_media.config
@@ -39,6 +39,12 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +59,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +119,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -147,13 +155,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -314,6 +316,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -359,6 +364,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_indev/configs/e2000d_aarch64_demo_media.config b/example/peripheral/media/lvgl_indev/configs/e2000d_aarch64_demo_media.config
index 16568bd4..6e4562ee 100644
--- a/example/peripheral/media/lvgl_indev/configs/e2000d_aarch64_demo_media.config
+++ b/example/peripheral/media/lvgl_indev/configs/e2000d_aarch64_demo_media.config
@@ -29,10 +29,16 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_GCC_CODE_MODEL_LARGE is not set
 # end of Compiler configuration
 
-# CONFIG_BOOT_WITH_FLUSH_CACHE is not set
+CONFIG_BOOT_WITH_FLUSH_CACHE=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +113,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -141,13 +149,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -303,6 +305,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -348,6 +353,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_indev/configs/e2000q_aarch32_demo_media.config b/example/peripheral/media/lvgl_indev/configs/e2000q_aarch32_demo_media.config
index e9631911..ea7dec49 100644
--- a/example/peripheral/media/lvgl_indev/configs/e2000q_aarch32_demo_media.config
+++ b/example/peripheral/media/lvgl_indev/configs/e2000q_aarch32_demo_media.config
@@ -39,6 +39,12 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +59,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +118,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -146,13 +154,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -313,6 +315,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +325,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -358,6 +363,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_indev/configs/e2000q_aarch64_demo_media.config b/example/peripheral/media/lvgl_indev/configs/e2000q_aarch64_demo_media.config
index f890f118..0e8fb8e0 100644
--- a/example/peripheral/media/lvgl_indev/configs/e2000q_aarch64_demo_media.config
+++ b/example/peripheral/media/lvgl_indev/configs/e2000q_aarch64_demo_media.config
@@ -29,10 +29,16 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_GCC_CODE_MODEL_LARGE is not set
 # end of Compiler configuration
 
-# CONFIG_BOOT_WITH_FLUSH_CACHE is not set
+CONFIG_BOOT_WITH_FLUSH_CACHE=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +112,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -140,13 +148,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -302,6 +304,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +314,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -347,6 +352,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_indev/configs/phytiumpi_aarch32_firefly_media.config b/example/peripheral/media/lvgl_indev/configs/phytiumpi_aarch32_firefly_media.config
index c763dc6d..258936e3 100644
--- a/example/peripheral/media/lvgl_indev/configs/phytiumpi_aarch32_firefly_media.config
+++ b/example/peripheral/media/lvgl_indev/configs/phytiumpi_aarch32_firefly_media.config
@@ -39,6 +39,12 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +59,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +117,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -145,13 +153,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -312,6 +314,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -321,6 +324,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -357,6 +362,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_indev/configs/phytiumpi_aarch64_firefly_media.config b/example/peripheral/media/lvgl_indev/configs/phytiumpi_aarch64_firefly_media.config
index 0844bbec..41d72167 100644
--- a/example/peripheral/media/lvgl_indev/configs/phytiumpi_aarch64_firefly_media.config
+++ b/example/peripheral/media/lvgl_indev/configs/phytiumpi_aarch64_firefly_media.config
@@ -33,6 +33,12 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +111,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -139,13 +147,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -346,6 +351,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_indev/sdkconfig b/example/peripheral/media/lvgl_indev/sdkconfig
index 6c6e79c1..41d72167 100644
--- a/example/peripheral/media/lvgl_indev/sdkconfig
+++ b/example/peripheral/media/lvgl_indev/sdkconfig
@@ -33,6 +33,12 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -141,13 +147,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -303,7 +303,20 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
-# CONFIG_USE_LETTER_SHELL is not set
+# CONFIG_USE_MBEDTLS is not set
+CONFIG_USE_LETTER_SHELL=y
+
+#
+# Letter Shell Configuration
+#
+CONFIG_LS_PL011_UART=y
+CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
+# end of Letter Shell Configuration
+
 # CONFIG_USE_AMP is not set
 # CONFIG_USE_YMODEM is not set
 # CONFIG_USE_SFUD is not set
@@ -338,6 +351,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_indev/sdkconfig.h b/example/peripheral/media/lvgl_indev/sdkconfig.h
index 45ed91c2..f869c42d 100644
--- a/example/peripheral/media/lvgl_indev/sdkconfig.h
+++ b/example/peripheral/media/lvgl_indev/sdkconfig.h
@@ -31,6 +31,11 @@
 /* CONFIG_BOOT_WITH_FLUSH_CACHE is not set */
 /* CONFIG_MMU_DEBUG_PRINTS is not set */
 /* end of Arm architecture configuration */
+
+/* multi-core system deployment framework */
+
+/* CONFIG_USE_MSDF is not set */
+/* end of multi-core system deployment framework */
 #define CONFIG_MMU_PAGE_SIZE 0x1000
 #define CONFIG_MAX_XLAT_TABLES 256
 /* end of Arch configuration */
@@ -130,11 +135,7 @@
 /* CONFIG_USE_PWM is not set */
 /* CONFIG_USE_IPC is not set */
 #define CONFIG_USE_MEDIA
-
-/* Media Configuration */
-
-#define CONFIG_ENABLE_FDC_DP_USE_LIB
-/* end of Media Configuration */
+#define CONFIG_USE_FMEDIA
 /* CONFIG_USE_SCMI_MHU is not set */
 /* CONFIG_USE_I2S is not set */
 /* CONFIG_USE_I3C is not set */
@@ -267,7 +268,18 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
-/* CONFIG_USE_LETTER_SHELL is not set */
+/* CONFIG_USE_MBEDTLS is not set */
+#define CONFIG_USE_LETTER_SHELL
+
+/* Letter Shell Configuration */
+
+#define CONFIG_LS_PL011_UART
+#define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
+/* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
+/* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
+/* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
 /* CONFIG_USE_SFUD is not set */
@@ -299,6 +311,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/media/lvgl_indev/src/cmd.c b/example/peripheral/media/lvgl_indev/src/cmd.c
index 2b90e87e..752836c4 100644
--- a/example/peripheral/media/lvgl_indev/src/cmd.c
+++ b/example/peripheral/media/lvgl_indev/src/cmd.c
@@ -31,7 +31,6 @@
 #include "shell.h"
 #include "shell_port.h"
 
-#include "fdc_common_hw.h"
 #include "fdcdp.h"
 #include "fdp_hw.h"
 
diff --git a/example/peripheral/media/lvgl_indev/src/lv_indev_test.c b/example/peripheral/media/lvgl_indev/src/lv_indev_test.c
index 30c8f713..4ba53c49 100644
--- a/example/peripheral/media/lvgl_indev/src/lv_indev_test.c
+++ b/example/peripheral/media/lvgl_indev/src/lv_indev_test.c
@@ -38,10 +38,33 @@
 #include "fdp_hw.h"
 #include "fdc_hw.h"
 #include "fmedia_os.h"
-
+#include "fdcdp_reg.h"
+#include "fdcdp_crtc.h"
 #include "lv_indev_port.h"
 #include "lv_port_disp.h"
 
+typedef struct
+{
+    u32 bit_depth;
+    u32 bpc;
+    u32 color_depth;
+    u32 clock_mode;
+    u32 color_rep;
+    u32 width;
+    u32 height;
+    u32 multi_mode;
+} FuserCfg;
+
+static const FuserCfg user_cfg = {
+    .bit_depth = 8,
+    .bpc = 8,
+    .color_depth = 32,
+    .clock_mode = 1,
+    .color_rep = 0,
+    .width = 800,
+    .height = 600,
+    .multi_mode = 0/*0:clone, 1 :horz, 2:vert*/
+};
 /************************** Variable Definitions *****************************/
 #define FMEDIA_EVT_INTR(index)             BIT(index)
 #define FMEDIA_CHANNEL_0                    0
@@ -97,9 +120,9 @@ static void FFreeRTOSMediaHpdConnectCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
     FFreeRTOSMediaSendEvent(FMEDIA_EVT_INTR(index));
-    instance_p->connect_flg[index] = 1;
+    instance_p->is_initialized[index] = FDCDP_IS_INITIALIZED;
     printf("Dp:%d connect\r\n", index);
 
 }
@@ -115,8 +138,8 @@ static void FFreeRTOSMediaHpdBreakCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
-    instance_p->connect_flg[index] = 0;
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
+    instance_p->is_initialized[index] = FDCDP_NOT_INITIALIZED;
     FFreeRTOSMediaSendEvent(FMEDIA_EVT_INTR(index));
     printf("Dp:%d disconnect\r\n", index);
 }
@@ -132,7 +155,7 @@ static void FFreeRTOSMediaAuxTimeoutCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
     printf("Dp:%d aux connect timeout\r\n", index);
 }
 
@@ -147,7 +170,7 @@ static void FFreeRTOSMediaAuxErrorCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
     printf("Dp:%d aux connect error\r\n", index);
 }
 
@@ -162,8 +185,6 @@ static void FFreeRTOSMediaIrqSet(FDcDp *instance_p)
     FASSERT(instance_p != NULL);
     u32 cpu_id;
     u32 index;
-    FMediaIntrConfig intr_config;
-    memset(&intr_config, 0, sizeof(intr_config));
 
     GetCpuId(&cpu_id);
     InterruptSetTargetCpus(instance_p->dp_instance_p[0].config.irq_num, cpu_id);/*the dc0 and dc1 have the same num of irq_num*/
@@ -218,17 +239,34 @@ void FFreeRTOSMediaDeviceInit(void)
         start_index = channel;
         end_index = channel + 1;
     }
+    os_media.dcdp_ctrl.multi_mode = user_cfg.multi_mode;
     for (index = start_index; index < end_index; index ++)
     {
-        os_media.dcdp_ctrl.user_config[index].width = 800;
-        os_media.dcdp_ctrl.user_config[index].height = 600;
-        os_media.dcdp_ctrl.user_config[index].refresh_rate = 60;
-        os_media.dcdp_ctrl.user_config[index].color_depth = 32;
-        os_media.dcdp_ctrl.user_config[index].multi_mode = 0;
-        os_media.dcdp_ctrl.user_config[index].fb_phy = (uintptr)static_frame_buffer_address;
-        os_media.dcdp_ctrl.user_config[index].fb_virtual = (uintptr)static_frame_buffer_address ;/*当前例程虚拟地址和物理地址一致，实际需要根据需要进行映射*/
+        FDcDpCfgInitialize(&os_media.dcdp_ctrl,index);
+
+        os_media.dcdp_ctrl.dc_instance_p[index].config = *FDcLookupConfig(index);
+
+        os_media.dcdp_ctrl.dp_instance_p[index].config = *FDpLookupConfig(index);
+
+        os_media.dcdp_ctrl.dp_instance_p[index].trans_config.bit_depth = user_cfg.bit_depth;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].crtc.bpc = user_cfg.bpc;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].color_depth = user_cfg.color_depth;
+
+        os_media.dcdp_ctrl.dp_instance_p[index].trans_config.clock_mode = user_cfg.clock_mode;
+
+        os_media.dcdp_ctrl.dp_instance_p[index].trans_config.color_rep_format = user_cfg.color_rep;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].channel = index;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].fb_addr = (uintptr)static_frame_buffer_address ;/*当前例程虚拟地址和物理地址一致，实际需要根据需要进行映射*/
+
+        os_media.dcdp_ctrl.dc_instance_p[index].fb_virtual = (uintptr)static_frame_buffer_address ;/*当前例程虚拟地址和物理地址一致，实际需要根据需要进行映射*/
+
+        FDcDpGeneralCfgInitial(&os_media.dcdp_ctrl, index);
     }
-    FFreeRTOSMedia *os_config = FFreeRTOSMediaHwInit(channel, &os_media);
+    FFreeRTOSMedia *os_config  = FFreeRTOSMediaHwInit(&os_media,user_cfg.width, user_cfg.height);
     FASSERT_MSG(NULL == media_event, "Event group exists.");
     FASSERT_MSG((media_event = xEventGroupCreate()) != NULL, "Create event group failed.");
     FFreeRTOSMediaIrqSet(&os_config->dcdp_ctrl);
@@ -260,24 +298,26 @@ void FFreeRTOSMediaChannelDeinit(u32 id)
 void FFreeRTOSMediaHpdHandle(void)
 {
  u32 index;
-    u32 ret = FMEDIA_DP_SUCCESS;
+    u32 ret = FDP_SUCCESS;
 
     FFreeRTOSMediaWaitEvent(FMEDIA_EVT_INTR(FMEDIA_CHANNEL_0) | FMEDIA_EVT_INTR(FMEDIA_CHANNEL_1), portMAX_DELAY);
-
+ os_media.dcdp_ctrl.multi_mode = user_cfg.multi_mode;
     for (;;)
     {
         for (index = 0; index < FDCDP_INSTANCE_NUM; index++)
         {
-            if (os_media.dcdp_ctrl.connect_flg[index] == 1)
+            if (os_media.dcdp_ctrl.is_initialized[index] == FDCDP_NOT_INITIALIZED)
             {
-                ret = FDcDpHotPlugConnect(&os_media.dcdp_ctrl, index);
+                FDcDpCfgInitialize(&os_media.dcdp_ctrl, index);
+                ret = FDcDpInitial(&os_media.dcdp_ctrl, index, user_cfg.width, user_cfg.height);
                 FFreeRTOSMediaClearEvent(media_event, FMEDIA_EVT_INTR(index));
-                if (ret == FMEDIA_DP_SUCCESS)
+                if (ret == FDP_SUCCESS)
                 {
-                    printf("Hpd task finish ,  reinit the dp success.\r\n");
+                    printf("Hpd task finish , reinit the dp success.\r\n");
                 }
-                os_media.dcdp_ctrl.connect_flg[index] == 0;
+                os_media.dcdp_ctrl.is_initialized[index] = FDCDP_IS_INITIALIZED;
             }
+
         }
         vTaskDelay(200);
     }
diff --git a/example/peripheral/media/lvgl_ui/configs/e2000d_aarch32_demo_media.config b/example/peripheral/media/lvgl_ui/configs/e2000d_aarch32_demo_media.config
index b67648ed..f4eb97da 100644
--- a/example/peripheral/media/lvgl_ui/configs/e2000d_aarch32_demo_media.config
+++ b/example/peripheral/media/lvgl_ui/configs/e2000d_aarch32_demo_media.config
@@ -39,6 +39,12 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +59,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +119,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -147,13 +155,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -314,6 +316,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -359,6 +364,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_ui/configs/e2000d_aarch64_demo_media.config b/example/peripheral/media/lvgl_ui/configs/e2000d_aarch64_demo_media.config
index 16568bd4..6e4562ee 100644
--- a/example/peripheral/media/lvgl_ui/configs/e2000d_aarch64_demo_media.config
+++ b/example/peripheral/media/lvgl_ui/configs/e2000d_aarch64_demo_media.config
@@ -29,10 +29,16 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_GCC_CODE_MODEL_LARGE is not set
 # end of Compiler configuration
 
-# CONFIG_BOOT_WITH_FLUSH_CACHE is not set
+CONFIG_BOOT_WITH_FLUSH_CACHE=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +113,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -141,13 +149,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -303,6 +305,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -348,6 +353,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_ui/configs/e2000q_aarch32_demo_media.config b/example/peripheral/media/lvgl_ui/configs/e2000q_aarch32_demo_media.config
index e9631911..ea7dec49 100644
--- a/example/peripheral/media/lvgl_ui/configs/e2000q_aarch32_demo_media.config
+++ b/example/peripheral/media/lvgl_ui/configs/e2000q_aarch32_demo_media.config
@@ -39,6 +39,12 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +59,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +118,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -146,13 +154,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -313,6 +315,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +325,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -358,6 +363,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_ui/configs/e2000q_aarch64_demo_media.config b/example/peripheral/media/lvgl_ui/configs/e2000q_aarch64_demo_media.config
index f890f118..0e8fb8e0 100644
--- a/example/peripheral/media/lvgl_ui/configs/e2000q_aarch64_demo_media.config
+++ b/example/peripheral/media/lvgl_ui/configs/e2000q_aarch64_demo_media.config
@@ -29,10 +29,16 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_GCC_CODE_MODEL_LARGE is not set
 # end of Compiler configuration
 
-# CONFIG_BOOT_WITH_FLUSH_CACHE is not set
+CONFIG_BOOT_WITH_FLUSH_CACHE=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +112,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -140,13 +148,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -302,6 +304,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +314,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -347,6 +352,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_ui/configs/phytiumpi_aarch32_firefly_media.config b/example/peripheral/media/lvgl_ui/configs/phytiumpi_aarch32_firefly_media.config
index c763dc6d..258936e3 100644
--- a/example/peripheral/media/lvgl_ui/configs/phytiumpi_aarch32_firefly_media.config
+++ b/example/peripheral/media/lvgl_ui/configs/phytiumpi_aarch32_firefly_media.config
@@ -39,6 +39,12 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +59,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +117,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -145,13 +153,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -312,6 +314,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -321,6 +324,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -357,6 +362,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_ui/configs/phytiumpi_aarch64_firefly_media.config b/example/peripheral/media/lvgl_ui/configs/phytiumpi_aarch64_firefly_media.config
index 0844bbec..41d72167 100644
--- a/example/peripheral/media/lvgl_ui/configs/phytiumpi_aarch64_firefly_media.config
+++ b/example/peripheral/media/lvgl_ui/configs/phytiumpi_aarch64_firefly_media.config
@@ -33,6 +33,12 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +111,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -139,13 +147,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -346,6 +351,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_ui/sdkconfig b/example/peripheral/media/lvgl_ui/sdkconfig
index 0844bbec..41d72167 100644
--- a/example/peripheral/media/lvgl_ui/sdkconfig
+++ b/example/peripheral/media/lvgl_ui/sdkconfig
@@ -33,6 +33,12 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +111,7 @@ CONFIG_LOG_DEBUG=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -139,13 +147,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -346,6 +351,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/lvgl_ui/sdkconfig.h b/example/peripheral/media/lvgl_ui/sdkconfig.h
index 65869613..f869c42d 100644
--- a/example/peripheral/media/lvgl_ui/sdkconfig.h
+++ b/example/peripheral/media/lvgl_ui/sdkconfig.h
@@ -31,6 +31,11 @@
 /* CONFIG_BOOT_WITH_FLUSH_CACHE is not set */
 /* CONFIG_MMU_DEBUG_PRINTS is not set */
 /* end of Arm architecture configuration */
+
+/* multi-core system deployment framework */
+
+/* CONFIG_USE_MSDF is not set */
+/* end of multi-core system deployment framework */
 #define CONFIG_MMU_PAGE_SIZE 0x1000
 #define CONFIG_MAX_XLAT_TABLES 256
 /* end of Arch configuration */
@@ -44,6 +49,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +102,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -128,11 +135,7 @@
 /* CONFIG_USE_PWM is not set */
 /* CONFIG_USE_IPC is not set */
 #define CONFIG_USE_MEDIA
-
-/* Media Configuration */
-
-#define CONFIG_ENABLE_FDC_DP_USE_LIB
-/* end of Media Configuration */
+#define CONFIG_USE_FMEDIA
 /* CONFIG_USE_SCMI_MHU is not set */
 /* CONFIG_USE_I2S is not set */
 /* CONFIG_USE_I3C is not set */
@@ -265,6 +268,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -273,6 +277,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -305,6 +311,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/media/lvgl_ui/src/cmd.c b/example/peripheral/media/lvgl_ui/src/cmd.c
index 2b90e87e..752836c4 100644
--- a/example/peripheral/media/lvgl_ui/src/cmd.c
+++ b/example/peripheral/media/lvgl_ui/src/cmd.c
@@ -31,7 +31,6 @@
 #include "shell.h"
 #include "shell_port.h"
 
-#include "fdc_common_hw.h"
 #include "fdcdp.h"
 #include "fdp_hw.h"
 
diff --git a/example/peripheral/media/lvgl_ui/src/lv_indev_test.c b/example/peripheral/media/lvgl_ui/src/lv_indev_test.c
index 38ddc78f..bc3c981b 100644
--- a/example/peripheral/media/lvgl_ui/src/lv_indev_test.c
+++ b/example/peripheral/media/lvgl_ui/src/lv_indev_test.c
@@ -41,7 +41,31 @@
 
 #include "lv_indev_port.h"
 #include "lv_port_disp.h"
+#include "fdcdp_reg.h"
+#include "fdcdp_crtc.h"
 
+typedef struct
+{
+    u32 bit_depth;
+    u32 bpc;
+    u32 color_depth;
+    u32 clock_mode;
+    u32 color_rep;
+    u32 width;
+    u32 height;
+    u32 multi_mode;
+} FuserCfg;
+
+static const FuserCfg user_cfg = {
+    .bit_depth = 8,
+    .bpc = 8,
+    .color_depth = 32,
+    .clock_mode = 1,
+    .color_rep = 0,
+    .width = 800,
+    .height = 600,
+    .multi_mode = 0/*0:clone, 1 :horz, 2:vert*/
+};
 /************************** Variable Definitions *****************************/
 #define FMEDIA_EVT_INTR(index)             BIT(index)
 #define FMEDIA_CHANNEL_0                    0
@@ -97,9 +121,9 @@ static void FFreeRTOSMediaHpdConnectCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
     FFreeRTOSMediaSendEvent(FMEDIA_EVT_INTR(index));
-    instance_p->connect_flg[index] = 1;
+    instance_p->is_initialized[index] = FDCDP_IS_INITIALIZED;
     printf("Dp:%d connect\r\n", index);
 
 }
@@ -115,8 +139,8 @@ static void FFreeRTOSMediaHpdBreakCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
-    instance_p->connect_flg[index] = 0;
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
+    instance_p->is_initialized[index] = FDCDP_NOT_INITIALIZED;
     FFreeRTOSMediaSendEvent(FMEDIA_EVT_INTR(index));
     printf("Dp:%d disconnect\r\n", index);
 }
@@ -132,7 +156,7 @@ static void FFreeRTOSMediaAuxTimeoutCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
     printf("Dp:%d aux connect timeout\r\n", index);
 }
 
@@ -147,7 +171,7 @@ static void FFreeRTOSMediaAuxErrorCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
     printf("Dp:%d aux connect error\r\n", index);
 }
 
@@ -162,8 +186,6 @@ static void FFreeRTOSMediaIrqSet(FDcDp *instance_p)
     FASSERT(instance_p != NULL);
     u32 cpu_id;
     u32 index;
-    FMediaIntrConfig intr_config;
-    memset(&intr_config, 0, sizeof(intr_config));
 
     GetCpuId(&cpu_id);
     InterruptSetTargetCpus(instance_p->dp_instance_p[0].config.irq_num, cpu_id);/*the dc0 and dc1 have the same num of irq_num*/
@@ -218,17 +240,34 @@ void FFreeRTOSMediaDeviceInit(void)
         start_index = channel;
         end_index = channel + 1;
     }
+    os_media.dcdp_ctrl.multi_mode = user_cfg.multi_mode;
     for (index = start_index; index < end_index; index ++)
     {
-        os_media.dcdp_ctrl.user_config[index].width = 800;
-        os_media.dcdp_ctrl.user_config[index].height = 600;
-        os_media.dcdp_ctrl.user_config[index].refresh_rate = 60;
-        os_media.dcdp_ctrl.user_config[index].color_depth = 32;
-        os_media.dcdp_ctrl.user_config[index].multi_mode = 0;
-        os_media.dcdp_ctrl.user_config[index].fb_phy = (uintptr)static_frame_buffer_address;
-        os_media.dcdp_ctrl.user_config[index].fb_virtual = (uintptr)static_frame_buffer_address ;/*当前例程虚拟地址和物理地址一致，实际需要根据需要进行映射*/
+       FDcDpCfgInitialize(&os_media.dcdp_ctrl,index);
+
+        os_media.dcdp_ctrl.dc_instance_p[index].config = *FDcLookupConfig(index);
+        
+        os_media.dcdp_ctrl.dp_instance_p[index].config = *FDpLookupConfig(index);
+
+        os_media.dcdp_ctrl.dp_instance_p[index].trans_config.bit_depth = user_cfg.bit_depth;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].crtc.bpc = user_cfg.bpc;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].color_depth = user_cfg.color_depth;
+
+        os_media.dcdp_ctrl.dp_instance_p[index].trans_config.clock_mode = user_cfg.clock_mode;
+
+        os_media.dcdp_ctrl.dp_instance_p[index].trans_config.color_rep_format = user_cfg.color_rep;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].channel = index;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].fb_addr = (uintptr)static_frame_buffer_address ;/*当前例程虚拟地址和物理地址一致，实际需要根据需要进行映射*/
+
+        os_media.dcdp_ctrl.dc_instance_p[index].fb_virtual = (uintptr)static_frame_buffer_address ;/*当前例程虚拟地址和物理地址一致，实际需要根据需要进行映射*/
+
+        FDcDpGeneralCfgInitial(&os_media.dcdp_ctrl, index);
     }
-    FFreeRTOSMedia *os_config = FFreeRTOSMediaHwInit(channel, &os_media);
+    FFreeRTOSMedia *os_config = FFreeRTOSMediaHwInit(&os_media,user_cfg.width, user_cfg.height);
     FASSERT_MSG(NULL == media_event, "Event group exists.");
     FASSERT_MSG((media_event = xEventGroupCreate()) != NULL, "Create event group failed.");
     FFreeRTOSMediaIrqSet(&os_config->dcdp_ctrl);
@@ -259,24 +298,25 @@ void FFreeRTOSMediaChannelDeinit(u32 id)
  */
 void FFreeRTOSMediaHpdHandle(void)
 {
- u32 index;
-    u32 ret = FMEDIA_DP_SUCCESS;
+    u32 index;
+    u32 ret = FDP_SUCCESS;
 
     FFreeRTOSMediaWaitEvent(FMEDIA_EVT_INTR(FMEDIA_CHANNEL_0) | FMEDIA_EVT_INTR(FMEDIA_CHANNEL_1), portMAX_DELAY);
-
+    os_media.dcdp_ctrl.multi_mode = user_cfg.multi_mode;
     for (;;)
     {
         for (index = 0; index < FDCDP_INSTANCE_NUM; index++)
         {
-            if (os_media.dcdp_ctrl.connect_flg[index] == 1)
+            if (os_media.dcdp_ctrl.is_initialized[index] == FDCDP_NOT_INITIALIZED)
             {
-                ret = FDcDpHotPlugConnect(&os_media.dcdp_ctrl, index);
+                FDcDpCfgInitialize(&os_media.dcdp_ctrl, index);
+                ret = FDcDpInitial(&os_media.dcdp_ctrl, index, user_cfg.width, user_cfg.height);
                 FFreeRTOSMediaClearEvent(media_event, FMEDIA_EVT_INTR(index));
-                if (ret == FMEDIA_DP_SUCCESS)
+                if (ret == FDP_SUCCESS)
                 {
                     printf("Hpd task finish ,  reinit the dp success.\r\n");
                 }
-                os_media.dcdp_ctrl.connect_flg[index] == 0;
+                os_media.dcdp_ctrl.is_initialized[index] = FDCDP_IS_INITIALIZED;
             }
         }
         vTaskDelay(200);
diff --git a/example/peripheral/media/media_test/configs/e2000d_aarch32_demo_media.config b/example/peripheral/media/media_test/configs/e2000d_aarch32_demo_media.config
index e1f43cc2..4460b984 100644
--- a/example/peripheral/media/media_test/configs/e2000d_aarch32_demo_media.config
+++ b/example/peripheral/media/media_test/configs/e2000d_aarch32_demo_media.config
@@ -39,6 +39,12 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +59,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,12 +113,13 @@ CONFIG_LOG_DEBUG=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
-# CONFIG_LOG_EXTRA_INFO is not set
+CONFIG_LOG_EXTRA_INFO=y
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
 # CONFIG_BOOTUP_DEBUG_PRINTS is not set
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -147,13 +155,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -314,6 +316,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -345,6 +350,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/media_test/configs/e2000d_aarch64_demo_media.config b/example/peripheral/media/media_test/configs/e2000d_aarch64_demo_media.config
index b85f6aa5..a5982fcb 100644
--- a/example/peripheral/media/media_test/configs/e2000d_aarch64_demo_media.config
+++ b/example/peripheral/media/media_test/configs/e2000d_aarch64_demo_media.config
@@ -29,10 +29,16 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_GCC_CODE_MODEL_LARGE is not set
 # end of Compiler configuration
 
-# CONFIG_BOOT_WITH_FLUSH_CACHE is not set
+CONFIG_BOOT_WITH_FLUSH_CACHE=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -100,12 +107,13 @@ CONFIG_LOG_DEBUG=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
-# CONFIG_LOG_EXTRA_INFO is not set
+CONFIG_LOG_EXTRA_INFO=y
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
 # CONFIG_BOOTUP_DEBUG_PRINTS is not set
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -141,13 +149,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -303,6 +305,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -334,6 +339,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/media_test/configs/e2000q_aarch32_demo_media.config b/example/peripheral/media/media_test/configs/e2000q_aarch32_demo_media.config
index 0cb0a46d..8634dc92 100644
--- a/example/peripheral/media/media_test/configs/e2000q_aarch32_demo_media.config
+++ b/example/peripheral/media/media_test/configs/e2000q_aarch32_demo_media.config
@@ -39,6 +39,12 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +59,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,12 +112,13 @@ CONFIG_LOG_DEBUG=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
-# CONFIG_LOG_EXTRA_INFO is not set
+CONFIG_LOG_EXTRA_INFO=y
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
 # CONFIG_BOOTUP_DEBUG_PRINTS is not set
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -146,13 +154,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -313,6 +315,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +325,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -344,6 +349,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/media_test/configs/e2000q_aarch64_demo_media.config b/example/peripheral/media/media_test/configs/e2000q_aarch64_demo_media.config
index 886a5646..9fc7090c 100644
--- a/example/peripheral/media/media_test/configs/e2000q_aarch64_demo_media.config
+++ b/example/peripheral/media/media_test/configs/e2000q_aarch64_demo_media.config
@@ -29,10 +29,16 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_GCC_CODE_MODEL_LARGE is not set
 # end of Compiler configuration
 
-# CONFIG_BOOT_WITH_FLUSH_CACHE is not set
+CONFIG_BOOT_WITH_FLUSH_CACHE=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -99,12 +106,13 @@ CONFIG_LOG_DEBUG=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
-# CONFIG_LOG_EXTRA_INFO is not set
+CONFIG_LOG_EXTRA_INFO=y
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
 # CONFIG_BOOTUP_DEBUG_PRINTS is not set
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -140,13 +148,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -302,6 +304,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +314,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -333,6 +338,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/media_test/configs/phytiumpi_aarch32_firefly_media.config b/example/peripheral/media/media_test/configs/phytiumpi_aarch32_firefly_media.config
index cadc58ad..8effb64c 100644
--- a/example/peripheral/media/media_test/configs/phytiumpi_aarch32_firefly_media.config
+++ b/example/peripheral/media/media_test/configs/phytiumpi_aarch32_firefly_media.config
@@ -39,6 +39,12 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +59,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,12 +111,13 @@ CONFIG_LOG_DEBUG=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
-# CONFIG_LOG_EXTRA_INFO is not set
+CONFIG_LOG_EXTRA_INFO=y
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
 # CONFIG_BOOTUP_DEBUG_PRINTS is not set
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -145,13 +153,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -312,6 +314,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -321,6 +324,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -343,6 +348,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/media_test/configs/phytiumpi_aarch64_firefly_media.config b/example/peripheral/media/media_test/configs/phytiumpi_aarch64_firefly_media.config
index 7ecbab11..fe4ecbd2 100644
--- a/example/peripheral/media/media_test/configs/phytiumpi_aarch64_firefly_media.config
+++ b/example/peripheral/media/media_test/configs/phytiumpi_aarch64_firefly_media.config
@@ -33,6 +33,12 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -98,12 +105,13 @@ CONFIG_LOG_DEBUG=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
-# CONFIG_LOG_EXTRA_INFO is not set
+CONFIG_LOG_EXTRA_INFO=y
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
 # CONFIG_BOOTUP_DEBUG_PRINTS is not set
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -139,13 +147,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/media_test/sdkconfig b/example/peripheral/media/media_test/sdkconfig
index 75aeebc7..fe4ecbd2 100644
--- a/example/peripheral/media/media_test/sdkconfig
+++ b/example/peripheral/media/media_test/sdkconfig
@@ -33,6 +33,12 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+# CONFIG_USE_MSDF is not set
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -99,7 +105,7 @@ CONFIG_LOG_DEBUG=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
-# CONFIG_LOG_EXTRA_INFO is not set
+CONFIG_LOG_EXTRA_INFO=y
 # CONFIG_LOG_DISPALY_CORE_NUM is not set
 # CONFIG_BOOTUP_DEBUG_PRINTS is not set
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
@@ -141,13 +147,7 @@ CONFIG_ENABLE_Pl011_UART=y
 # CONFIG_USE_PWM is not set
 # CONFIG_USE_IPC is not set
 CONFIG_USE_MEDIA=y
-
-#
-# Media Configuration
-#
-CONFIG_ENABLE_FDC_DP_USE_LIB=y
-# end of Media Configuration
-
+CONFIG_USE_FMEDIA=y
 # CONFIG_USE_SCMI_MHU is not set
 # CONFIG_USE_I2S is not set
 # CONFIG_USE_I3C is not set
@@ -303,7 +303,20 @@ CONFIG_FREERTOS_USE_MEDIA=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
-# CONFIG_USE_LETTER_SHELL is not set
+# CONFIG_USE_MBEDTLS is not set
+CONFIG_USE_LETTER_SHELL=y
+
+#
+# Letter Shell Configuration
+#
+CONFIG_LS_PL011_UART=y
+CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
+# CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
+# end of Letter Shell Configuration
+
 # CONFIG_USE_AMP is not set
 # CONFIG_USE_YMODEM is not set
 # CONFIG_USE_SFUD is not set
@@ -324,6 +337,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/media/media_test/sdkconfig.h b/example/peripheral/media/media_test/sdkconfig.h
index cf8454b7..96ec5d44 100644
--- a/example/peripheral/media/media_test/sdkconfig.h
+++ b/example/peripheral/media/media_test/sdkconfig.h
@@ -31,6 +31,11 @@
 /* CONFIG_BOOT_WITH_FLUSH_CACHE is not set */
 /* CONFIG_MMU_DEBUG_PRINTS is not set */
 /* end of Arm architecture configuration */
+
+/* multi-core system deployment framework */
+
+/* CONFIG_USE_MSDF is not set */
+/* end of multi-core system deployment framework */
 #define CONFIG_MMU_PAGE_SIZE 0x1000
 #define CONFIG_MAX_XLAT_TABLES 256
 /* end of Arch configuration */
@@ -91,7 +96,7 @@
 /* CONFIG_LOG_WARN is not set */
 /* CONFIG_LOG_ERROR is not set */
 /* CONFIG_LOG_NONE is not set */
-/* CONFIG_LOG_EXTRA_INFO is not set */
+#define CONFIG_LOG_EXTRA_INFO
 /* CONFIG_LOG_DISPALY_CORE_NUM is not set */
 /* CONFIG_BOOTUP_DEBUG_PRINTS is not set */
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
@@ -130,11 +135,7 @@
 /* CONFIG_USE_PWM is not set */
 /* CONFIG_USE_IPC is not set */
 #define CONFIG_USE_MEDIA
-
-/* Media Configuration */
-
-#define CONFIG_ENABLE_FDC_DP_USE_LIB
-/* end of Media Configuration */
+#define CONFIG_USE_FMEDIA
 /* CONFIG_USE_SCMI_MHU is not set */
 /* CONFIG_USE_I2S is not set */
 /* CONFIG_USE_I3C is not set */
@@ -267,7 +268,18 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
-/* CONFIG_USE_LETTER_SHELL is not set */
+/* CONFIG_USE_MBEDTLS is not set */
+#define CONFIG_USE_LETTER_SHELL
+
+/* Letter Shell Configuration */
+
+#define CONFIG_LS_PL011_UART
+#define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
+/* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
+/* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
+/* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
 /* CONFIG_USE_SFUD is not set */
@@ -287,6 +299,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/media/media_test/src/cmd_media.c b/example/peripheral/media/media_test/src/cmd_media.c
index ffb7c223..2b1b442a 100644
--- a/example/peripheral/media/media_test/src/cmd_media.c
+++ b/example/peripheral/media/media_test/src/cmd_media.c
@@ -31,7 +31,6 @@
 #include "shell.h"
 #include "shell_port.h"
 
-#include "fdc_common_hw.h"
 #include "media_example.h"
 
 
diff --git a/example/peripheral/media/media_test/src/media_example.c b/example/peripheral/media/media_test/src/media_example.c
index ecc59041..acb8ed00 100644
--- a/example/peripheral/media/media_test/src/media_example.c
+++ b/example/peripheral/media/media_test/src/media_example.c
@@ -40,9 +40,32 @@
 #include "fdcdp.h"
 #include "fdp_hw.h"
 #include "fdp.h"
+#include "fdcdp_reg.h"
 #include"media_example.h"
+#include "fdcdp_crtc.h"
 
+typedef struct
+{
+    u32 bit_depth;
+    u32 bpc;
+    u32 color_depth;
+    u32 clock_mode;
+    u32 color_rep;
+    u32 width;
+    u32 height;
+    u32 multi_mode;
+} FuserCfg;
 
+static const FuserCfg user_cfg = {
+    .bit_depth = 8,
+    .bpc = 8,
+    .color_depth = 32,
+    .clock_mode = 1,
+    .color_rep = 0,
+    .width = 800,
+    .height = 600,
+    .multi_mode = 0/*0:clone, 1 :horz, 2:vert*/
+};
 /************************** Variable Definitions *****************************/
 #define FMEDIA_EVT_INTR(index)             BIT(index)
 #define FMEDIA_CHANNEL_0                    0
@@ -98,14 +121,17 @@ static void FFreeRTOSMediaHpdConnectCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
     FFreeRTOSMediaSendEvent(FMEDIA_EVT_INTR(index));
-    instance_p->connect_flg[index] = 1;
+    instance_p->is_initialized[index] = FDCDP_IS_INITIALIZED;
     printf("Dp:%d connect\r\n", index);
 }
 
 /**
  * @name: FFreeRTOSMediaHpdBreakCallback
+ * 
+ * 
+ * 
  * @msg:  the hpd disconnect event
  * @param  {void} *args is the instance of dcdp
  * @param  {u32} index is the channel
@@ -115,8 +141,8 @@ static void FFreeRTOSMediaHpdBreakCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
-    instance_p->connect_flg[index] = 0;
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
+    instance_p->is_initialized[index] = FDCDP_NOT_INITIALIZED;
     FFreeRTOSMediaSendEvent(FMEDIA_EVT_INTR(index));
     printf("Dp:%d disconnect\r\n", index);
 }
@@ -132,7 +158,7 @@ static void FFreeRTOSMediaAuxTimeoutCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
     printf("Dp:%d aux connect timeout\r\n", index);
 }
 
@@ -147,7 +173,7 @@ static void FFreeRTOSMediaAuxErrorCallback(void *args, u32 index)
 {
     FASSERT(args != NULL);
     FDcDp *instance_p = (FDcDp *)args;
-    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, FDP_TX_INTERRUPT); /*clear interrupt*/
+    FDpChannelRegRead(instance_p->dp_instance_p[index].config.dp_channe_base_addr, PHYTIUM_DP_INTERRUPT_STATUS); /*clear interrupt*/
     printf("Dp:%d aux connect error\r\n", index);
 }
 
@@ -201,6 +227,7 @@ static void FDcDpIrqAllEnable(FDcDp *instance_p)
  */
 static void FFreeRTOSMediaInitTask(void)
 {
+    FError ret = FDP_SUCCESS;
     u32 index, start_index, end_index;
 
     /*设置用户参数*/
@@ -215,18 +242,35 @@ static void FFreeRTOSMediaInitTask(void)
         start_index = channel;
         end_index = channel + 1;
     }
+    os_media.dcdp_ctrl.multi_mode = user_cfg.multi_mode;
     for (index = start_index; index < end_index; index ++)
     {
-        os_media.dcdp_ctrl.user_config[index].width = 640;
-        os_media.dcdp_ctrl.user_config[index].height = 480;
-        os_media.dcdp_ctrl.user_config[index].refresh_rate = 60;
-        os_media.dcdp_ctrl.user_config[index].color_depth = 32;
-        os_media.dcdp_ctrl.user_config[index].multi_mode = 0;
-        os_media.dcdp_ctrl.user_config[index].fb_phy = (uintptr)static_frame_buffer_address;
-        os_media.dcdp_ctrl.user_config[index].fb_virtual = (uintptr)static_frame_buffer_address ;/*当前例程虚拟地址和物理地址一致，实际需要根据需要进行映射*/
-    }
+        FDcDpCfgInitialize(&os_media.dcdp_ctrl,index);
+
+        os_media.dcdp_ctrl.dc_instance_p[index].config = *FDcLookupConfig(index);
+        
+        os_media.dcdp_ctrl.dp_instance_p[index].config = *FDpLookupConfig(index);
+
+        os_media.dcdp_ctrl.dp_instance_p[index].trans_config.bit_depth = user_cfg.bit_depth;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].crtc.bpc = user_cfg.bpc;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].color_depth = user_cfg.color_depth;
+
+        os_media.dcdp_ctrl.dp_instance_p[index].trans_config.clock_mode = user_cfg.clock_mode;
 
-    FFreeRTOSMedia *os_config  = FFreeRTOSMediaHwInit(channel, &os_media);
+        os_media.dcdp_ctrl.dp_instance_p[index].trans_config.color_rep_format = user_cfg.color_rep;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].channel = index;
+
+        os_media.dcdp_ctrl.dc_instance_p[index].fb_addr = (uintptr)static_frame_buffer_address ;/*当前例程虚拟地址和物理地址一致，实际需要根据需要进行映射*/
+
+        os_media.dcdp_ctrl.dc_instance_p[index].fb_virtual = (uintptr)static_frame_buffer_address ;/*当前例程虚拟地址和物理地址一致，实际需要根据需要进行映射*/
+
+        FDcDpGeneralCfgInitial(&os_media.dcdp_ctrl, index);
+    }
+    
+    FFreeRTOSMedia *os_config  = FFreeRTOSMediaHwInit(&os_media,user_cfg.width, user_cfg.height);
     FFreeRTOSMediaIrqSet(&os_config->dcdp_ctrl);
     FDcDpIrqAllEnable(&os_config->dcdp_ctrl);
     vTaskDelete(NULL);
@@ -262,7 +306,7 @@ static void PhyFramebufferWrite(FDcCtrl *instance_p, uintptr offset, u32 length,
     u32 Index;
     for (Index = 0; Index < length; Index++)
     {
-        FtOut32(os_media.dcdp_ctrl.user_config->fb_virtual + offset + Index * 4, *((u32 *)(config + Index * 4)));
+        FtOut32(instance_p->fb_virtual + offset + Index * 4, *((u32 *)(config + Index * 4)));
     }
 }
 
@@ -312,7 +356,7 @@ FError FMediaDisplayDemo(void)
         blt_buffer.Green = 0xff;
         blt_buffer.Blue = 0x0;
         blt_buffer.reserve = 0;
-        BltVideoToFill(&instance_p->dc_instance_p[index], &blt_buffer, instance_p->user_config[index].width, instance_p->user_config[index].height);
+        BltVideoToFill(&instance_p->dc_instance_p[index], &blt_buffer, user_cfg.width, user_cfg.height);
     }
 }
 
@@ -322,22 +366,23 @@ static void FFreeRTOSMediaHpdTask(void)
     u32 index;
     u32 ret = 0 ;
     FFreeRTOSMediaWaitEvent(FMEDIA_EVT_INTR(FMEDIA_CHANNEL_0) | FMEDIA_EVT_INTR(FMEDIA_CHANNEL_1), portMAX_DELAY);
-
+    os_media.dcdp_ctrl.multi_mode = user_cfg.multi_mode;
     for (;;)
     {
         for (index = 0; index < FDCDP_INSTANCE_NUM; index++)
         {
-            if (os_media.dcdp_ctrl.connect_flg[index] == 1)
+            if (os_media.dcdp_ctrl.is_initialized[index] == FDCDP_NOT_INITIALIZED)
             {
-                ret = FDcDpHotPlugConnect(&os_media.dcdp_ctrl, index);
+                FDcDpCfgInitialize(&os_media.dcdp_ctrl, index);
+                ret = FDcDpInitial(&os_media.dcdp_ctrl, index, user_cfg.width, user_cfg.height);
                 FFreeRTOSMediaClearEvent(media_event, FMEDIA_EVT_INTR(index));
-                if (ret == FMEDIA_DP_SUCCESS)
+                if (ret == FDP_SUCCESS)
                 {
                     printf("Hpd task finish ,  reinit the dp success.\r\n");
                 }
-
-                os_media.dcdp_ctrl.connect_flg[index] == 0;
+                os_media.dcdp_ctrl.is_initialized[index] = FDCDP_IS_INITIALIZED;
             }
+        
         }
         vTaskDelay(200);
     }
diff --git a/example/peripheral/pwm/configs/e2000d_aarch32_demo_pwm.config b/example/peripheral/pwm/configs/e2000d_aarch32_demo_pwm.config
index e7e87426..766df661 100644
--- a/example/peripheral/pwm/configs/e2000d_aarch32_demo_pwm.config
+++ b/example/peripheral/pwm/configs/e2000d_aarch32_demo_pwm.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -314,6 +316,7 @@ CONFIG_FREERTOS_USE_PWM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -345,6 +350,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/pwm/configs/e2000d_aarch64_demo_pwm.config b/example/peripheral/pwm/configs/e2000d_aarch64_demo_pwm.config
index c023a8a9..9d4da168 100644
--- a/example/peripheral/pwm/configs/e2000d_aarch64_demo_pwm.config
+++ b/example/peripheral/pwm/configs/e2000d_aarch64_demo_pwm.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -303,6 +305,7 @@ CONFIG_FREERTOS_USE_PWM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -334,6 +339,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/pwm/configs/e2000q_aarch32_demo_pwm.config b/example/peripheral/pwm/configs/e2000q_aarch32_demo_pwm.config
index 2d0aaf30..8439079a 100644
--- a/example/peripheral/pwm/configs/e2000q_aarch32_demo_pwm.config
+++ b/example/peripheral/pwm/configs/e2000q_aarch32_demo_pwm.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -313,6 +315,7 @@ CONFIG_FREERTOS_USE_PWM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +325,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -344,6 +349,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/pwm/configs/e2000q_aarch64_demo_pwm.config b/example/peripheral/pwm/configs/e2000q_aarch64_demo_pwm.config
index 09991d84..9c2b5aa3 100644
--- a/example/peripheral/pwm/configs/e2000q_aarch64_demo_pwm.config
+++ b/example/peripheral/pwm/configs/e2000q_aarch64_demo_pwm.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -302,6 +304,7 @@ CONFIG_FREERTOS_USE_PWM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +314,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -333,6 +338,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/pwm/configs/phytiumpi_aarch32_firefly_pwm.config b/example/peripheral/pwm/configs/phytiumpi_aarch32_firefly_pwm.config
index f71c8667..00949607 100644
--- a/example/peripheral/pwm/configs/phytiumpi_aarch32_firefly_pwm.config
+++ b/example/peripheral/pwm/configs/phytiumpi_aarch32_firefly_pwm.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -312,6 +314,7 @@ CONFIG_FREERTOS_USE_PWM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -321,6 +324,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -343,6 +348,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/pwm/configs/phytiumpi_aarch64_firefly_pwm.config b/example/peripheral/pwm/configs/phytiumpi_aarch64_firefly_pwm.config
index 9a8c35ee..b7e66f70 100644
--- a/example/peripheral/pwm/configs/phytiumpi_aarch64_firefly_pwm.config
+++ b/example/peripheral/pwm/configs/phytiumpi_aarch64_firefly_pwm.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_PWM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/pwm/sdkconfig b/example/peripheral/pwm/sdkconfig
index 9a8c35ee..b7e66f70 100644
--- a/example/peripheral/pwm/sdkconfig
+++ b/example/peripheral/pwm/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_PWM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/pwm/sdkconfig.h b/example/peripheral/pwm/sdkconfig.h
index d4d266fd..d4d89ace 100644
--- a/example/peripheral/pwm/sdkconfig.h
+++ b/example/peripheral/pwm/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -265,6 +267,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -273,6 +276,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -293,6 +298,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/qspi/configs/d2000_aarch32_test_qspi.config b/example/peripheral/qspi/configs/d2000_aarch32_test_qspi.config
index 055a949e..e0fd9634 100644
--- a/example/peripheral/qspi/configs/d2000_aarch32_test_qspi.config
+++ b/example/peripheral/qspi/configs/d2000_aarch32_test_qspi.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/qspi/configs/d2000_aarch64_test_qspi.config b/example/peripheral/qspi/configs/d2000_aarch64_test_qspi.config
index 49e84af2..a5719225 100644
--- a/example/peripheral/qspi/configs/d2000_aarch64_test_qspi.config
+++ b/example/peripheral/qspi/configs/d2000_aarch64_test_qspi.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -290,6 +292,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -299,6 +302,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -321,6 +326,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/qspi/configs/e2000d_aarch32_demo_qspi.config b/example/peripheral/qspi/configs/e2000d_aarch32_demo_qspi.config
index 69e25ff7..ea632f80 100644
--- a/example/peripheral/qspi/configs/e2000d_aarch32_demo_qspi.config
+++ b/example/peripheral/qspi/configs/e2000d_aarch32_demo_qspi.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -314,6 +316,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -345,6 +350,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/qspi/configs/e2000d_aarch64_demo_qspi.config b/example/peripheral/qspi/configs/e2000d_aarch64_demo_qspi.config
index 1b8ed6fc..f4b57bbd 100644
--- a/example/peripheral/qspi/configs/e2000d_aarch64_demo_qspi.config
+++ b/example/peripheral/qspi/configs/e2000d_aarch64_demo_qspi.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -303,6 +305,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -334,6 +339,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/qspi/configs/e2000q_aarch32_demo_qspi.config b/example/peripheral/qspi/configs/e2000q_aarch32_demo_qspi.config
index d8b57bce..97f8f1b7 100644
--- a/example/peripheral/qspi/configs/e2000q_aarch32_demo_qspi.config
+++ b/example/peripheral/qspi/configs/e2000q_aarch32_demo_qspi.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -313,6 +315,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +325,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -344,6 +349,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/qspi/configs/e2000q_aarch64_demo_qspi.config b/example/peripheral/qspi/configs/e2000q_aarch64_demo_qspi.config
index 2b5da9dd..49a52bc9 100644
--- a/example/peripheral/qspi/configs/e2000q_aarch64_demo_qspi.config
+++ b/example/peripheral/qspi/configs/e2000q_aarch64_demo_qspi.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -302,6 +304,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +314,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -333,6 +338,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/qspi/configs/ft2004_aarch32_dsk_qspi.config b/example/peripheral/qspi/configs/ft2004_aarch32_dsk_qspi.config
index 52f6d182..48ab86cf 100644
--- a/example/peripheral/qspi/configs/ft2004_aarch32_dsk_qspi.config
+++ b/example/peripheral/qspi/configs/ft2004_aarch32_dsk_qspi.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/qspi/configs/ft2004_aarch64_dsk_qspi.config b/example/peripheral/qspi/configs/ft2004_aarch64_dsk_qspi.config
index 5b193cd6..9efc0cb6 100644
--- a/example/peripheral/qspi/configs/ft2004_aarch64_dsk_qspi.config
+++ b/example/peripheral/qspi/configs/ft2004_aarch64_dsk_qspi.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -290,6 +292,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -299,6 +302,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -321,6 +326,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/qspi/configs/phytiumpi_aarch32_firefly_qspi.config b/example/peripheral/qspi/configs/phytiumpi_aarch32_firefly_qspi.config
index d8d48cc1..c407ffa5 100644
--- a/example/peripheral/qspi/configs/phytiumpi_aarch32_firefly_qspi.config
+++ b/example/peripheral/qspi/configs/phytiumpi_aarch32_firefly_qspi.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -312,6 +314,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -321,6 +324,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -343,6 +348,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/qspi/configs/phytiumpi_aarch64_firefly_qspi.config b/example/peripheral/qspi/configs/phytiumpi_aarch64_firefly_qspi.config
index 217aa275..db21ed6e 100644
--- a/example/peripheral/qspi/configs/phytiumpi_aarch64_firefly_qspi.config
+++ b/example/peripheral/qspi/configs/phytiumpi_aarch64_firefly_qspi.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/qspi/main.c b/example/peripheral/qspi/main.c
index 31e4e911..7c9c08b1 100644
--- a/example/peripheral/qspi/main.c
+++ b/example/peripheral/qspi/main.c
@@ -40,9 +40,9 @@ void QspiExampleTaskEntry()
     FFreeRTOSQspiPolledTaskCreate();
 
     FFreeRTOSQspiIndirectTaskCreate();
-
+#if defined(CONFIG_E2000D_DEMO_BOARD) || defined(CONFIG_E2000Q_DEMO_BOARD)
     FFreeRTOSQspiDualFlashTaskCreate();
-
+#endif
     printf("[test_end]\r\n");
 
     vTaskDelete(NULL);
diff --git a/example/peripheral/qspi/sdkconfig b/example/peripheral/qspi/sdkconfig
index 217aa275..db21ed6e 100644
--- a/example/peripheral/qspi/sdkconfig
+++ b/example/peripheral/qspi/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/qspi/sdkconfig.h b/example/peripheral/qspi/sdkconfig.h
index b1435460..83a24143 100644
--- a/example/peripheral/qspi/sdkconfig.h
+++ b/example/peripheral/qspi/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -265,6 +267,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -273,6 +276,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -293,6 +298,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/sdif/configs/e2000d_aarch32_demo_sdif.config b/example/peripheral/sdif/configs/e2000d_aarch32_demo_sdif.config
index f868f81d..6dc0c56e 100644
--- a/example/peripheral/sdif/configs/e2000d_aarch32_demo_sdif.config
+++ b/example/peripheral/sdif/configs/e2000d_aarch32_demo_sdif.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -309,6 +311,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -318,6 +321,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -362,6 +367,8 @@ CONFIG_FSL_SDMMC_ENABLE_MMC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/sdif/configs/e2000d_aarch64_demo_sdif.config b/example/peripheral/sdif/configs/e2000d_aarch64_demo_sdif.config
index 47e0e796..9819a875 100644
--- a/example/peripheral/sdif/configs/e2000d_aarch64_demo_sdif.config
+++ b/example/peripheral/sdif/configs/e2000d_aarch64_demo_sdif.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -298,6 +300,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -307,6 +310,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -351,6 +356,8 @@ CONFIG_FSL_SDMMC_ENABLE_MMC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/sdif/configs/e2000q_aarch32_demo_sdif.config b/example/peripheral/sdif/configs/e2000q_aarch32_demo_sdif.config
index e46a6c27..227a1161 100644
--- a/example/peripheral/sdif/configs/e2000q_aarch32_demo_sdif.config
+++ b/example/peripheral/sdif/configs/e2000q_aarch32_demo_sdif.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -308,6 +310,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -317,6 +320,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -361,6 +366,8 @@ CONFIG_FSL_SDMMC_ENABLE_MMC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/sdif/configs/e2000q_aarch64_demo_sdif.config b/example/peripheral/sdif/configs/e2000q_aarch64_demo_sdif.config
index fed9737b..db164e93 100644
--- a/example/peripheral/sdif/configs/e2000q_aarch64_demo_sdif.config
+++ b/example/peripheral/sdif/configs/e2000q_aarch64_demo_sdif.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -297,6 +299,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -306,6 +309,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -350,6 +355,8 @@ CONFIG_FSL_SDMMC_ENABLE_MMC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/sdif/sdkconfig b/example/peripheral/sdif/sdkconfig
index fed9737b..db164e93 100644
--- a/example/peripheral/sdif/sdkconfig
+++ b/example/peripheral/sdif/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -297,6 +299,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -306,6 +309,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -350,6 +355,8 @@ CONFIG_FSL_SDMMC_ENABLE_MMC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/sdif/sdkconfig.h b/example/peripheral/sdif/sdkconfig.h
index 4904d833..dd682f58 100644
--- a/example/peripheral/sdif/sdkconfig.h
+++ b/example/peripheral/sdif/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "e2000"
 #define CONFIG_TARGET_TYPE_NAME "q"
 #define CONFIG_SOC_CORE_NUM 4
@@ -97,6 +98,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -263,6 +265,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -271,6 +274,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -308,6 +313,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/spi/configs/e2000d_aarch32_demo_spi.config b/example/peripheral/spi/configs/e2000d_aarch32_demo_spi.config
index 7f6c795d..27d95d47 100644
--- a/example/peripheral/spi/configs/e2000d_aarch32_demo_spi.config
+++ b/example/peripheral/spi/configs/e2000d_aarch32_demo_spi.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -308,6 +310,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -317,6 +320,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -350,6 +355,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/spi/configs/e2000d_aarch64_demo_spi.config b/example/peripheral/spi/configs/e2000d_aarch64_demo_spi.config
index f72ab03c..9232e6a7 100644
--- a/example/peripheral/spi/configs/e2000d_aarch64_demo_spi.config
+++ b/example/peripheral/spi/configs/e2000d_aarch64_demo_spi.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -297,6 +299,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -306,6 +309,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -339,6 +344,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/spi/configs/e2000q_aarch32_demo_spi.config b/example/peripheral/spi/configs/e2000q_aarch32_demo_spi.config
index 70e77fdb..26a02c4a 100644
--- a/example/peripheral/spi/configs/e2000q_aarch32_demo_spi.config
+++ b/example/peripheral/spi/configs/e2000q_aarch32_demo_spi.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -349,6 +354,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/spi/configs/e2000q_aarch64_demo_spi.config b/example/peripheral/spi/configs/e2000q_aarch64_demo_spi.config
index 1071b17c..41271d54 100644
--- a/example/peripheral/spi/configs/e2000q_aarch64_demo_spi.config
+++ b/example/peripheral/spi/configs/e2000q_aarch64_demo_spi.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/spi/configs/phytiumpi_aarch32_firefly_spi.config b/example/peripheral/spi/configs/phytiumpi_aarch32_firefly_spi.config
index 9aaf744b..a578b060 100644
--- a/example/peripheral/spi/configs/phytiumpi_aarch32_firefly_spi.config
+++ b/example/peripheral/spi/configs/phytiumpi_aarch32_firefly_spi.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -348,6 +353,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/spi/configs/phytiumpi_aarch64_firefly_spi.config b/example/peripheral/spi/configs/phytiumpi_aarch64_firefly_spi.config
index da940498..c549c7c9 100644
--- a/example/peripheral/spi/configs/phytiumpi_aarch64_firefly_spi.config
+++ b/example/peripheral/spi/configs/phytiumpi_aarch64_firefly_spi.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/spi/sdkconfig b/example/peripheral/spi/sdkconfig
index da940498..c549c7c9 100644
--- a/example/peripheral/spi/sdkconfig
+++ b/example/peripheral/spi/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=11
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/spi/sdkconfig.h b/example/peripheral/spi/sdkconfig.h
index e2da8616..00d2b530 100644
--- a/example/peripheral/spi/sdkconfig.h
+++ b/example/peripheral/spi/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -261,6 +263,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -269,6 +272,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -298,6 +303,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 11
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/timer_tacho/configs/e2000d_aarch32_demo_timer.config b/example/peripheral/timer_tacho/configs/e2000d_aarch32_demo_timer.config
index 653168db..633b912d 100644
--- a/example/peripheral/timer_tacho/configs/e2000d_aarch32_demo_timer.config
+++ b/example/peripheral/timer_tacho/configs/e2000d_aarch32_demo_timer.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -314,6 +316,7 @@ CONFIG_FREERTOS_USE_TIMER=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -345,6 +350,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/timer_tacho/configs/e2000d_aarch64_demo_timer.config b/example/peripheral/timer_tacho/configs/e2000d_aarch64_demo_timer.config
index 5bbff85d..e9eb641f 100644
--- a/example/peripheral/timer_tacho/configs/e2000d_aarch64_demo_timer.config
+++ b/example/peripheral/timer_tacho/configs/e2000d_aarch64_demo_timer.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -303,6 +305,7 @@ CONFIG_FREERTOS_USE_TIMER=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -334,6 +339,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/timer_tacho/configs/e2000q_aarch32_demo_timer.config b/example/peripheral/timer_tacho/configs/e2000q_aarch32_demo_timer.config
index 8b2055c4..1d65ad62 100644
--- a/example/peripheral/timer_tacho/configs/e2000q_aarch32_demo_timer.config
+++ b/example/peripheral/timer_tacho/configs/e2000q_aarch32_demo_timer.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -313,6 +315,7 @@ CONFIG_FREERTOS_USE_TIMER=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +325,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -344,6 +349,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/timer_tacho/configs/e2000q_aarch64_demo_timer.config b/example/peripheral/timer_tacho/configs/e2000q_aarch64_demo_timer.config
index caa3e1ed..b97ca9c2 100644
--- a/example/peripheral/timer_tacho/configs/e2000q_aarch64_demo_timer.config
+++ b/example/peripheral/timer_tacho/configs/e2000q_aarch64_demo_timer.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -302,6 +304,7 @@ CONFIG_FREERTOS_USE_TIMER=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +314,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -333,6 +338,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/timer_tacho/configs/phytiumpi_aarch32_firefly_timer.config b/example/peripheral/timer_tacho/configs/phytiumpi_aarch32_firefly_timer.config
index a9e93281..c3d7ae80 100644
--- a/example/peripheral/timer_tacho/configs/phytiumpi_aarch32_firefly_timer.config
+++ b/example/peripheral/timer_tacho/configs/phytiumpi_aarch32_firefly_timer.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -312,6 +314,7 @@ CONFIG_FREERTOS_USE_TIMER=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -321,6 +324,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -343,6 +348,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/timer_tacho/configs/phytiumpi_aarch64_firefly_timer.config b/example/peripheral/timer_tacho/configs/phytiumpi_aarch64_firefly_timer.config
index a88d7f6b..b11568a7 100644
--- a/example/peripheral/timer_tacho/configs/phytiumpi_aarch64_firefly_timer.config
+++ b/example/peripheral/timer_tacho/configs/phytiumpi_aarch64_firefly_timer.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_TIMER=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/timer_tacho/sdkconfig b/example/peripheral/timer_tacho/sdkconfig
index a88d7f6b..b11568a7 100644
--- a/example/peripheral/timer_tacho/sdkconfig
+++ b/example/peripheral/timer_tacho/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_TIMER=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/timer_tacho/sdkconfig.h b/example/peripheral/timer_tacho/sdkconfig.h
index c9819204..326f14e8 100644
--- a/example/peripheral/timer_tacho/sdkconfig.h
+++ b/example/peripheral/timer_tacho/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -265,6 +267,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -273,6 +276,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -293,6 +298,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/usb/pusb2_device/configs/e2000d_aarch32_demo_pusb2.config b/example/peripheral/usb/pusb2_device/configs/e2000d_aarch32_demo_pusb2.config
index 7ca4ca6e..cf24d8b7 100644
--- a/example/peripheral/usb/pusb2_device/configs/e2000d_aarch32_demo_pusb2.config
+++ b/example/peripheral/usb/pusb2_device/configs/e2000d_aarch32_demo_pusb2.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -351,6 +356,8 @@ CONFIG_CHERRY_USB_DEVICE_CDC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/pusb2_device/configs/e2000d_aarch64_demo_pusb2.config b/example/peripheral/usb/pusb2_device/configs/e2000d_aarch64_demo_pusb2.config
index ba34e331..950f243d 100644
--- a/example/peripheral/usb/pusb2_device/configs/e2000d_aarch64_demo_pusb2.config
+++ b/example/peripheral/usb/pusb2_device/configs/e2000d_aarch64_demo_pusb2.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -340,6 +345,8 @@ CONFIG_CHERRY_USB_DEVICE_CDC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/pusb2_device/configs/e2000q_aarch32_demo_pusb2.config b/example/peripheral/usb/pusb2_device/configs/e2000q_aarch32_demo_pusb2.config
index 23357541..4213f953 100644
--- a/example/peripheral/usb/pusb2_device/configs/e2000q_aarch32_demo_pusb2.config
+++ b/example/peripheral/usb/pusb2_device/configs/e2000q_aarch32_demo_pusb2.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -350,6 +355,8 @@ CONFIG_CHERRY_USB_DEVICE_CDC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/pusb2_device/configs/e2000q_aarch64_demo_pusb2.config b/example/peripheral/usb/pusb2_device/configs/e2000q_aarch64_demo_pusb2.config
index f5edb30e..6c464826 100644
--- a/example/peripheral/usb/pusb2_device/configs/e2000q_aarch64_demo_pusb2.config
+++ b/example/peripheral/usb/pusb2_device/configs/e2000q_aarch64_demo_pusb2.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -339,6 +344,8 @@ CONFIG_CHERRY_USB_DEVICE_CDC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/pusb2_device/main.c b/example/peripheral/usb/pusb2_device/main.c
index de4a11e7..b4b4570b 100644
--- a/example/peripheral/usb/pusb2_device/main.c
+++ b/example/peripheral/usb/pusb2_device/main.c
@@ -26,7 +26,7 @@
 #include <stdio.h>
 #include "FreeRTOS.h"
 #include "fparameters.h"
-
+#include "task.h"
 #include "pusb2_mass_storage_example.h"
 #include "pusb2_virtual_serial_example.h"
 
diff --git a/example/peripheral/usb/pusb2_device/sdkconfig b/example/peripheral/usb/pusb2_device/sdkconfig
index f5edb30e..6c464826 100644
--- a/example/peripheral/usb/pusb2_device/sdkconfig
+++ b/example/peripheral/usb/pusb2_device/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -339,6 +344,8 @@ CONFIG_CHERRY_USB_DEVICE_CDC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/pusb2_device/sdkconfig.h b/example/peripheral/usb/pusb2_device/sdkconfig.h
index b55a5d7b..e00ffedf 100644
--- a/example/peripheral/usb/pusb2_device/sdkconfig.h
+++ b/example/peripheral/usb/pusb2_device/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "e2000"
 #define CONFIG_TARGET_TYPE_NAME "q"
 #define CONFIG_SOC_CORE_NUM 4
@@ -97,6 +98,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -261,6 +263,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -269,6 +272,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -300,6 +305,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/usb/pusb2_device/src/cmd_pusb2.c b/example/peripheral/usb/pusb2_device/src/cmd_pusb2.c
index 559763cd..81cf27e5 100644
--- a/example/peripheral/usb/pusb2_device/src/cmd_pusb2.c
+++ b/example/peripheral/usb/pusb2_device/src/cmd_pusb2.c
@@ -27,7 +27,7 @@
 #include "sdkconfig.h"
 
 #include "FreeRTOS.h"
-
+#ifdef CONFIG_USE_LETTER_SHELL
 #include "../src/shell.h"
 #include "pusb2_mass_storage_example.h"
 #include "pusb2_virtual_serial_example.h"
@@ -65,4 +65,5 @@ static int USBCmdEntry(int argc, char *argv[])
 
     return ret;
 }
-SHELL_EXPORT_CMD(SHELL_CMD_TYPE(SHELL_TYPE_CMD_MAIN), pusb2, USBCmdEntry, test freertos usb driver);
\ No newline at end of file
+SHELL_EXPORT_CMD(SHELL_CMD_TYPE(SHELL_TYPE_CMD_MAIN), pusb2, USBCmdEntry, test freertos usb driver);
+#endif
\ No newline at end of file
diff --git a/example/peripheral/usb/pusb2_host/configs/phytiumpi_aarch32_firefly_pusb2.config b/example/peripheral/usb/pusb2_host/configs/phytiumpi_aarch32_firefly_pusb2.config
index 74a776ed..0ee123f2 100644
--- a/example/peripheral/usb/pusb2_host/configs/phytiumpi_aarch32_firefly_pusb2.config
+++ b/example/peripheral/usb/pusb2_host/configs/phytiumpi_aarch32_firefly_pusb2.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -350,6 +355,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/pusb2_host/configs/phytiumpi_aarch64_firefly_pusb2.config b/example/peripheral/usb/pusb2_host/configs/phytiumpi_aarch64_firefly_pusb2.config
index 6e284831..9ef4a36a 100644
--- a/example/peripheral/usb/pusb2_host/configs/phytiumpi_aarch64_firefly_pusb2.config
+++ b/example/peripheral/usb/pusb2_host/configs/phytiumpi_aarch64_firefly_pusb2.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -339,6 +344,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/pusb2_host/sdkconfig b/example/peripheral/usb/pusb2_host/sdkconfig
index 6e284831..9ef4a36a 100644
--- a/example/peripheral/usb/pusb2_host/sdkconfig
+++ b/example/peripheral/usb/pusb2_host/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -339,6 +344,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/pusb2_host/sdkconfig.h b/example/peripheral/usb/pusb2_host/sdkconfig.h
index ba5931f4..5d224c9f 100644
--- a/example/peripheral/usb/pusb2_host/sdkconfig.h
+++ b/example/peripheral/usb/pusb2_host/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -300,6 +305,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/usb/xhci_pcie/configs/d2000_aarch32_test_cherry_usb.config b/example/peripheral/usb/xhci_pcie/configs/d2000_aarch32_test_cherry_usb.config
index e3513e68..8a2ae89e 100644
--- a/example/peripheral/usb/xhci_pcie/configs/d2000_aarch32_test_cherry_usb.config
+++ b/example/peripheral/usb/xhci_pcie/configs/d2000_aarch32_test_cherry_usb.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -302,6 +304,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +314,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -347,6 +352,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_pcie/configs/d2000_aarch64_test_cherry_usb.config b/example/peripheral/usb/xhci_pcie/configs/d2000_aarch64_test_cherry_usb.config
index 54b3fb8b..e1d37958 100644
--- a/example/peripheral/usb/xhci_pcie/configs/d2000_aarch64_test_cherry_usb.config
+++ b/example/peripheral/usb/xhci_pcie/configs/d2000_aarch64_test_cherry_usb.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -291,6 +293,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -300,6 +303,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -336,6 +341,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_pcie/configs/e2000d_aarch32_demo_cherry_usb.config b/example/peripheral/usb/xhci_pcie/configs/e2000d_aarch32_demo_cherry_usb.config
index 4b83e541..d1c667ea 100644
--- a/example/peripheral/usb/xhci_pcie/configs/e2000d_aarch32_demo_cherry_usb.config
+++ b/example/peripheral/usb/xhci_pcie/configs/e2000d_aarch32_demo_cherry_usb.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -315,6 +317,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -324,6 +327,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -360,6 +365,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_pcie/configs/e2000d_aarch64_demo_cherry_usb.config b/example/peripheral/usb/xhci_pcie/configs/e2000d_aarch64_demo_cherry_usb.config
index d2c8ffd5..e793f80d 100644
--- a/example/peripheral/usb/xhci_pcie/configs/e2000d_aarch64_demo_cherry_usb.config
+++ b/example/peripheral/usb/xhci_pcie/configs/e2000d_aarch64_demo_cherry_usb.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -304,6 +306,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -313,6 +316,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -349,6 +354,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_pcie/configs/e2000q_aarch32_demo_cherry_usb.config b/example/peripheral/usb/xhci_pcie/configs/e2000q_aarch32_demo_cherry_usb.config
index 1362725a..3496e4df 100644
--- a/example/peripheral/usb/xhci_pcie/configs/e2000q_aarch32_demo_cherry_usb.config
+++ b/example/peripheral/usb/xhci_pcie/configs/e2000q_aarch32_demo_cherry_usb.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -314,6 +316,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -359,6 +364,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_pcie/configs/e2000q_aarch64_demo_cherry_usb.config b/example/peripheral/usb/xhci_pcie/configs/e2000q_aarch64_demo_cherry_usb.config
index 3f570181..4c0beb63 100644
--- a/example/peripheral/usb/xhci_pcie/configs/e2000q_aarch64_demo_cherry_usb.config
+++ b/example/peripheral/usb/xhci_pcie/configs/e2000q_aarch64_demo_cherry_usb.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -303,6 +305,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -348,6 +353,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_pcie/sdkconfig b/example/peripheral/usb/xhci_pcie/sdkconfig
index 3f570181..4c0beb63 100644
--- a/example/peripheral/usb/xhci_pcie/sdkconfig
+++ b/example/peripheral/usb/xhci_pcie/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -303,6 +305,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -348,6 +353,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_pcie/sdkconfig.h b/example/peripheral/usb/xhci_pcie/sdkconfig.h
index c86ba48f..a6e76815 100644
--- a/example/peripheral/usb/xhci_pcie/sdkconfig.h
+++ b/example/peripheral/usb/xhci_pcie/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "e2000"
 #define CONFIG_TARGET_TYPE_NAME "q"
 #define CONFIG_SOC_CORE_NUM 4
@@ -97,6 +98,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -267,6 +269,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -275,6 +278,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -307,6 +312,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/usb/xhci_platform/configs/e2000d_aarch32_demo_cherry_usb.config b/example/peripheral/usb/xhci_platform/configs/e2000d_aarch32_demo_cherry_usb.config
index a03c1c8c..25215b6f 100644
--- a/example/peripheral/usb/xhci_platform/configs/e2000d_aarch32_demo_cherry_usb.config
+++ b/example/peripheral/usb/xhci_platform/configs/e2000d_aarch32_demo_cherry_usb.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -352,6 +357,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_platform/configs/e2000d_aarch64_demo_cherry_usb.config b/example/peripheral/usb/xhci_platform/configs/e2000d_aarch64_demo_cherry_usb.config
index 4200f4ee..111eafde 100644
--- a/example/peripheral/usb/xhci_platform/configs/e2000d_aarch64_demo_cherry_usb.config
+++ b/example/peripheral/usb/xhci_platform/configs/e2000d_aarch64_demo_cherry_usb.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -341,6 +346,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_platform/configs/e2000q_aarch32_demo_cherry_usb.config b/example/peripheral/usb/xhci_platform/configs/e2000q_aarch32_demo_cherry_usb.config
index 0e2a1ff6..aa2456ff 100644
--- a/example/peripheral/usb/xhci_platform/configs/e2000q_aarch32_demo_cherry_usb.config
+++ b/example/peripheral/usb/xhci_platform/configs/e2000q_aarch32_demo_cherry_usb.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -351,6 +356,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_platform/configs/e2000q_aarch64_demo_cherry_usb.config b/example/peripheral/usb/xhci_platform/configs/e2000q_aarch64_demo_cherry_usb.config
index f9fc25ef..88bc1da7 100644
--- a/example/peripheral/usb/xhci_platform/configs/e2000q_aarch64_demo_cherry_usb.config
+++ b/example/peripheral/usb/xhci_platform/configs/e2000q_aarch64_demo_cherry_usb.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -340,6 +345,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_platform/configs/phytiumpi_aarch32_firefly_cherry_usb.config b/example/peripheral/usb/xhci_platform/configs/phytiumpi_aarch32_firefly_cherry_usb.config
index 2e4121b2..3f046330 100644
--- a/example/peripheral/usb/xhci_platform/configs/phytiumpi_aarch32_firefly_cherry_usb.config
+++ b/example/peripheral/usb/xhci_platform/configs/phytiumpi_aarch32_firefly_cherry_usb.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -350,6 +355,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_platform/configs/phytiumpi_aarch64_firefly_cherry_usb.config b/example/peripheral/usb/xhci_platform/configs/phytiumpi_aarch64_firefly_cherry_usb.config
index 06ba4afd..084530d1 100644
--- a/example/peripheral/usb/xhci_platform/configs/phytiumpi_aarch64_firefly_cherry_usb.config
+++ b/example/peripheral/usb/xhci_platform/configs/phytiumpi_aarch64_firefly_cherry_usb.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -339,6 +344,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_platform/sdkconfig b/example/peripheral/usb/xhci_platform/sdkconfig
index 06ba4afd..084530d1 100644
--- a/example/peripheral/usb/xhci_platform/sdkconfig
+++ b/example/peripheral/usb/xhci_platform/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -339,6 +344,8 @@ CONFIG_CHERRY_USB_HOST_HID=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/usb/xhci_platform/sdkconfig.h b/example/peripheral/usb/xhci_platform/sdkconfig.h
index c669dea5..ce698dda 100644
--- a/example/peripheral/usb/xhci_platform/sdkconfig.h
+++ b/example/peripheral/usb/xhci_platform/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -300,6 +305,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/peripheral/wdt/configs/d2000_aarch32_test_wdt.config b/example/peripheral/wdt/configs/d2000_aarch32_test_wdt.config
index 7122b7d8..6f1de1f6 100644
--- a/example/peripheral/wdt/configs/d2000_aarch32_test_wdt.config
+++ b/example/peripheral/wdt/configs/d2000_aarch32_test_wdt.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_WDT=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/wdt/configs/d2000_aarch64_test_wdt.config b/example/peripheral/wdt/configs/d2000_aarch64_test_wdt.config
index 18be75e1..7774a649 100644
--- a/example/peripheral/wdt/configs/d2000_aarch64_test_wdt.config
+++ b/example/peripheral/wdt/configs/d2000_aarch64_test_wdt.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -290,6 +292,7 @@ CONFIG_FREERTOS_USE_WDT=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -299,6 +302,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -321,6 +326,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/wdt/configs/e2000d_aarch32_demo_wdt.config b/example/peripheral/wdt/configs/e2000d_aarch32_demo_wdt.config
index dda19905..b2dcfa62 100644
--- a/example/peripheral/wdt/configs/e2000d_aarch32_demo_wdt.config
+++ b/example/peripheral/wdt/configs/e2000d_aarch32_demo_wdt.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -314,6 +316,7 @@ CONFIG_FREERTOS_USE_WDT=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -345,6 +350,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/wdt/configs/e2000d_aarch64_demo_wdt.config b/example/peripheral/wdt/configs/e2000d_aarch64_demo_wdt.config
index 4da8e392..309a2acf 100644
--- a/example/peripheral/wdt/configs/e2000d_aarch64_demo_wdt.config
+++ b/example/peripheral/wdt/configs/e2000d_aarch64_demo_wdt.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -303,6 +305,7 @@ CONFIG_FREERTOS_USE_WDT=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -334,6 +339,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/wdt/configs/e2000q_aarch32_demo_wdt.config b/example/peripheral/wdt/configs/e2000q_aarch32_demo_wdt.config
index 8d657e2a..c0df529b 100644
--- a/example/peripheral/wdt/configs/e2000q_aarch32_demo_wdt.config
+++ b/example/peripheral/wdt/configs/e2000q_aarch32_demo_wdt.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -313,6 +315,7 @@ CONFIG_FREERTOS_USE_WDT=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +325,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -344,6 +349,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/wdt/configs/e2000q_aarch64_demo_wdt.config b/example/peripheral/wdt/configs/e2000q_aarch64_demo_wdt.config
index 833feaef..1b3e3b56 100644
--- a/example/peripheral/wdt/configs/e2000q_aarch64_demo_wdt.config
+++ b/example/peripheral/wdt/configs/e2000q_aarch64_demo_wdt.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -302,6 +304,7 @@ CONFIG_FREERTOS_USE_WDT=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +314,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -333,6 +338,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/wdt/configs/ft2004_aarch32_dsk_wdt.config b/example/peripheral/wdt/configs/ft2004_aarch32_dsk_wdt.config
index 89a3d8c1..8c540548 100644
--- a/example/peripheral/wdt/configs/ft2004_aarch32_dsk_wdt.config
+++ b/example/peripheral/wdt/configs/ft2004_aarch32_dsk_wdt.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_WDT=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/wdt/configs/ft2004_aarch64_dsk_wdt.config b/example/peripheral/wdt/configs/ft2004_aarch64_dsk_wdt.config
index d02eaf72..8d9be2aa 100644
--- a/example/peripheral/wdt/configs/ft2004_aarch64_dsk_wdt.config
+++ b/example/peripheral/wdt/configs/ft2004_aarch64_dsk_wdt.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -290,6 +292,7 @@ CONFIG_FREERTOS_USE_WDT=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -299,6 +302,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -321,6 +326,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/wdt/configs/phytiumpi_aarch32_firefly_wdt.config b/example/peripheral/wdt/configs/phytiumpi_aarch32_firefly_wdt.config
index 78b319f6..e47c72f3 100644
--- a/example/peripheral/wdt/configs/phytiumpi_aarch32_firefly_wdt.config
+++ b/example/peripheral/wdt/configs/phytiumpi_aarch32_firefly_wdt.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -312,6 +314,7 @@ CONFIG_FREERTOS_USE_WDT=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -321,6 +324,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -343,6 +348,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/wdt/configs/phytiumpi_aarch64_firefly_wdt.config b/example/peripheral/wdt/configs/phytiumpi_aarch64_firefly_wdt.config
index d5682f4d..6c4234fc 100644
--- a/example/peripheral/wdt/configs/phytiumpi_aarch64_firefly_wdt.config
+++ b/example/peripheral/wdt/configs/phytiumpi_aarch64_firefly_wdt.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_WDT=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/wdt/sdkconfig b/example/peripheral/wdt/sdkconfig
index d5682f4d..6c4234fc 100644
--- a/example/peripheral/wdt/sdkconfig
+++ b/example/peripheral/wdt/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_WDT=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -332,6 +337,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/peripheral/wdt/sdkconfig.h b/example/peripheral/wdt/sdkconfig.h
index 63e89b5d..e482d7f2 100644
--- a/example/peripheral/wdt/sdkconfig.h
+++ b/example/peripheral/wdt/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -265,6 +267,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -273,6 +276,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -293,6 +298,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/storage/fatfs/configs/e2000d_aarch32_demo_fatfs.config b/example/storage/fatfs/configs/e2000d_aarch32_demo_fatfs.config
index 81e5fc2a..b99641bc 100644
--- a/example/storage/fatfs/configs/e2000d_aarch32_demo_fatfs.config
+++ b/example/storage/fatfs/configs/e2000d_aarch32_demo_fatfs.config
@@ -62,6 +62,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -121,6 +122,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -318,6 +320,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -327,6 +330,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -426,6 +431,8 @@ CONFIG_FSL_SDMMC_ENABLE_MMC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/fatfs/configs/e2000d_aarch64_demo_fatfs.config b/example/storage/fatfs/configs/e2000d_aarch64_demo_fatfs.config
index 2c9bea66..11fcffef 100644
--- a/example/storage/fatfs/configs/e2000d_aarch64_demo_fatfs.config
+++ b/example/storage/fatfs/configs/e2000d_aarch64_demo_fatfs.config
@@ -56,6 +56,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -115,6 +116,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -415,6 +420,8 @@ CONFIG_FSL_SDMMC_ENABLE_MMC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/fatfs/configs/e2000q_aarch32_demo_fatfs.config b/example/storage/fatfs/configs/e2000q_aarch32_demo_fatfs.config
index 5f105952..8bce75b1 100644
--- a/example/storage/fatfs/configs/e2000q_aarch32_demo_fatfs.config
+++ b/example/storage/fatfs/configs/e2000q_aarch32_demo_fatfs.config
@@ -62,6 +62,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -120,6 +121,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -317,6 +319,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -326,6 +329,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -425,6 +430,8 @@ CONFIG_FSL_SDMMC_ENABLE_MMC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/fatfs/configs/e2000q_aarch64_demo_fatfs.config b/example/storage/fatfs/configs/e2000q_aarch64_demo_fatfs.config
index 5eed3665..151b57c7 100644
--- a/example/storage/fatfs/configs/e2000q_aarch64_demo_fatfs.config
+++ b/example/storage/fatfs/configs/e2000q_aarch64_demo_fatfs.config
@@ -56,6 +56,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -114,6 +115,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -414,6 +419,8 @@ CONFIG_FSL_SDMMC_ENABLE_MMC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/fatfs/configs/phytiumpi_aarch32_firefly_fatfs.config b/example/storage/fatfs/configs/phytiumpi_aarch32_firefly_fatfs.config
index 2933f9b3..9b0947d8 100644
--- a/example/storage/fatfs/configs/phytiumpi_aarch32_firefly_fatfs.config
+++ b/example/storage/fatfs/configs/phytiumpi_aarch32_firefly_fatfs.config
@@ -62,6 +62,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -119,6 +120,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -316,6 +318,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -325,6 +328,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -400,6 +405,8 @@ CONFIG_FSL_SDMMC_ENABLE_MMC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/fatfs/configs/phytiumpi_aarch64_firefly_fatfs.config b/example/storage/fatfs/configs/phytiumpi_aarch64_firefly_fatfs.config
index e3c9e75b..2e80e47a 100644
--- a/example/storage/fatfs/configs/phytiumpi_aarch64_firefly_fatfs.config
+++ b/example/storage/fatfs/configs/phytiumpi_aarch64_firefly_fatfs.config
@@ -56,6 +56,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -113,6 +114,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -389,6 +394,8 @@ CONFIG_FSL_SDMMC_ENABLE_MMC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/fatfs/sdkconfig b/example/storage/fatfs/sdkconfig
index e3c9e75b..2e80e47a 100644
--- a/example/storage/fatfs/sdkconfig
+++ b/example/storage/fatfs/sdkconfig
@@ -56,6 +56,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -113,6 +114,7 @@ CONFIG_LOG_EXTRA_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -389,6 +394,8 @@ CONFIG_FSL_SDMMC_ENABLE_MMC=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/fatfs/sdkconfig.h b/example/storage/fatfs/sdkconfig.h
index 1c6a14c8..366cc48a 100644
--- a/example/storage/fatfs/sdkconfig.h
+++ b/example/storage/fatfs/sdkconfig.h
@@ -50,6 +50,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -102,6 +103,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -268,6 +270,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -276,6 +279,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -340,6 +345,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/storage/qspi_spiffs/configs/d2000_aarch32_test_qspi_spiffs.config b/example/storage/qspi_spiffs/configs/d2000_aarch32_test_qspi_spiffs.config
index 4da5f876..3222e43c 100644
--- a/example/storage/qspi_spiffs/configs/d2000_aarch32_test_qspi_spiffs.config
+++ b/example/storage/qspi_spiffs/configs/d2000_aarch32_test_qspi_spiffs.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -351,6 +356,8 @@ CONFIG_SPIFFS_ON_FQSPI_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/qspi_spiffs/configs/d2000_aarch64_test_qspi_spiffs.config b/example/storage/qspi_spiffs/configs/d2000_aarch64_test_qspi_spiffs.config
index 41ec7b25..e175ff0d 100644
--- a/example/storage/qspi_spiffs/configs/d2000_aarch64_test_qspi_spiffs.config
+++ b/example/storage/qspi_spiffs/configs/d2000_aarch64_test_qspi_spiffs.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -290,6 +292,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -299,6 +302,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -340,6 +345,8 @@ CONFIG_SPIFFS_ON_FQSPI_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/qspi_spiffs/configs/e2000d_aarch32_demo_qspi_spiffs.config b/example/storage/qspi_spiffs/configs/e2000d_aarch32_demo_qspi_spiffs.config
index 3aa97215..d31989aa 100644
--- a/example/storage/qspi_spiffs/configs/e2000d_aarch32_demo_qspi_spiffs.config
+++ b/example/storage/qspi_spiffs/configs/e2000d_aarch32_demo_qspi_spiffs.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -314,6 +316,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -323,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -364,6 +369,8 @@ CONFIG_SPIFFS_ON_FQSPI_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/qspi_spiffs/configs/e2000d_aarch64_demo_qspi_spiffs.config b/example/storage/qspi_spiffs/configs/e2000d_aarch64_demo_qspi_spiffs.config
index fda5d31c..6b7aad19 100644
--- a/example/storage/qspi_spiffs/configs/e2000d_aarch64_demo_qspi_spiffs.config
+++ b/example/storage/qspi_spiffs/configs/e2000d_aarch64_demo_qspi_spiffs.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -303,6 +305,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -312,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -353,6 +358,8 @@ CONFIG_SPIFFS_ON_FQSPI_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/qspi_spiffs/configs/e2000q_aarch32_demo_qspi_spiffs.config b/example/storage/qspi_spiffs/configs/e2000q_aarch32_demo_qspi_spiffs.config
index 9ead099f..b0fa43f3 100644
--- a/example/storage/qspi_spiffs/configs/e2000q_aarch32_demo_qspi_spiffs.config
+++ b/example/storage/qspi_spiffs/configs/e2000q_aarch32_demo_qspi_spiffs.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -313,6 +315,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -322,6 +325,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -363,6 +368,8 @@ CONFIG_SPIFFS_ON_FQSPI_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/qspi_spiffs/configs/e2000q_aarch64_demo_qspi_spiffs.config b/example/storage/qspi_spiffs/configs/e2000q_aarch64_demo_qspi_spiffs.config
index 5df333ea..a471bdca 100644
--- a/example/storage/qspi_spiffs/configs/e2000q_aarch64_demo_qspi_spiffs.config
+++ b/example/storage/qspi_spiffs/configs/e2000q_aarch64_demo_qspi_spiffs.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -302,6 +304,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -311,6 +314,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -352,6 +357,8 @@ CONFIG_SPIFFS_ON_FQSPI_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/qspi_spiffs/configs/ft2004_aarch32_dsk_qspi_spiffs.config b/example/storage/qspi_spiffs/configs/ft2004_aarch32_dsk_qspi_spiffs.config
index ead46055..dfbe33b9 100644
--- a/example/storage/qspi_spiffs/configs/ft2004_aarch32_dsk_qspi_spiffs.config
+++ b/example/storage/qspi_spiffs/configs/ft2004_aarch32_dsk_qspi_spiffs.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -351,6 +356,8 @@ CONFIG_SPIFFS_ON_FQSPI_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/qspi_spiffs/configs/ft2004_aarch64_dsk_qspi_spiffs.config b/example/storage/qspi_spiffs/configs/ft2004_aarch64_dsk_qspi_spiffs.config
index f4520b95..7bd3de36 100644
--- a/example/storage/qspi_spiffs/configs/ft2004_aarch64_dsk_qspi_spiffs.config
+++ b/example/storage/qspi_spiffs/configs/ft2004_aarch64_dsk_qspi_spiffs.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -290,6 +292,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -299,6 +302,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -340,6 +345,8 @@ CONFIG_SPIFFS_ON_FQSPI_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/qspi_spiffs/configs/phytiumpi_aarch32_firefly_qspi_spiffs.config b/example/storage/qspi_spiffs/configs/phytiumpi_aarch32_firefly_qspi_spiffs.config
index 67abc49b..474fee9c 100644
--- a/example/storage/qspi_spiffs/configs/phytiumpi_aarch32_firefly_qspi_spiffs.config
+++ b/example/storage/qspi_spiffs/configs/phytiumpi_aarch32_firefly_qspi_spiffs.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -312,6 +314,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -321,6 +324,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -362,6 +367,8 @@ CONFIG_SPIFFS_ON_FQSPI_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/qspi_spiffs/configs/phytiumpi_aarch64_firefly_qspi_spiffs.config b/example/storage/qspi_spiffs/configs/phytiumpi_aarch64_firefly_qspi_spiffs.config
index 74a59d0f..aca964ca 100644
--- a/example/storage/qspi_spiffs/configs/phytiumpi_aarch64_firefly_qspi_spiffs.config
+++ b/example/storage/qspi_spiffs/configs/phytiumpi_aarch64_firefly_qspi_spiffs.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -351,6 +356,8 @@ CONFIG_SPIFFS_ON_FQSPI_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/qspi_spiffs/sdkconfig b/example/storage/qspi_spiffs/sdkconfig
index 74a59d0f..aca964ca 100644
--- a/example/storage/qspi_spiffs/sdkconfig
+++ b/example/storage/qspi_spiffs/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -301,6 +303,7 @@ CONFIG_FREERTOS_USE_QSPI=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -310,6 +313,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -351,6 +356,8 @@ CONFIG_SPIFFS_ON_FQSPI_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/qspi_spiffs/sdkconfig.h b/example/storage/qspi_spiffs/sdkconfig.h
index 508af194..3d48d14f 100644
--- a/example/storage/qspi_spiffs/sdkconfig.h
+++ b/example/storage/qspi_spiffs/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -265,6 +267,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -273,6 +276,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -308,6 +313,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/storage/spim_spiffs/configs/e2000d_aarch32_demo_spi_spiffs.config b/example/storage/spim_spiffs/configs/e2000d_aarch32_demo_spi_spiffs.config
index 194dfe27..5bac3584 100644
--- a/example/storage/spim_spiffs/configs/e2000d_aarch32_demo_spi_spiffs.config
+++ b/example/storage/spim_spiffs/configs/e2000d_aarch32_demo_spi_spiffs.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -308,6 +310,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -317,6 +320,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -358,6 +363,8 @@ CONFIG_SPIFFS_ON_FSPIM_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/spim_spiffs/configs/e2000d_aarch64_demo_spi_spiffs.config b/example/storage/spim_spiffs/configs/e2000d_aarch64_demo_spi_spiffs.config
index 42ae0689..c531be13 100644
--- a/example/storage/spim_spiffs/configs/e2000d_aarch64_demo_spi_spiffs.config
+++ b/example/storage/spim_spiffs/configs/e2000d_aarch64_demo_spi_spiffs.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -297,6 +299,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -306,6 +309,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -347,6 +352,8 @@ CONFIG_SPIFFS_ON_FSPIM_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/spim_spiffs/configs/e2000q_aarch32_demo_spi_spiffs.config b/example/storage/spim_spiffs/configs/e2000q_aarch32_demo_spi_spiffs.config
index d34a196f..c8336abd 100644
--- a/example/storage/spim_spiffs/configs/e2000q_aarch32_demo_spi_spiffs.config
+++ b/example/storage/spim_spiffs/configs/e2000q_aarch32_demo_spi_spiffs.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -357,6 +362,8 @@ CONFIG_SPIFFS_ON_FSPIM_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/spim_spiffs/configs/e2000q_aarch64_demo_spi_spiffs.config b/example/storage/spim_spiffs/configs/e2000q_aarch64_demo_spi_spiffs.config
index 96b2f120..e126a715 100644
--- a/example/storage/spim_spiffs/configs/e2000q_aarch64_demo_spi_spiffs.config
+++ b/example/storage/spim_spiffs/configs/e2000q_aarch64_demo_spi_spiffs.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -346,6 +351,8 @@ CONFIG_SPIFFS_ON_FSPIM_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/spim_spiffs/configs/phytiumpi_aarch32_firefly_spi_spiffs.config b/example/storage/spim_spiffs/configs/phytiumpi_aarch32_firefly_spi_spiffs.config
index 214c1c47..18fb4b0e 100644
--- a/example/storage/spim_spiffs/configs/phytiumpi_aarch32_firefly_spi_spiffs.config
+++ b/example/storage/spim_spiffs/configs/phytiumpi_aarch32_firefly_spi_spiffs.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -356,6 +361,8 @@ CONFIG_SPIFFS_ON_FSPIM_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/spim_spiffs/configs/phytiumpi_aarch64_firefly_spi_spiffs.config b/example/storage/spim_spiffs/configs/phytiumpi_aarch64_firefly_spi_spiffs.config
index 1a65b102..df4eb455 100644
--- a/example/storage/spim_spiffs/configs/phytiumpi_aarch64_firefly_spi_spiffs.config
+++ b/example/storage/spim_spiffs/configs/phytiumpi_aarch64_firefly_spi_spiffs.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -345,6 +350,8 @@ CONFIG_SPIFFS_ON_FSPIM_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/spim_spiffs/sdkconfig b/example/storage/spim_spiffs/sdkconfig
index 1a65b102..df4eb455 100644
--- a/example/storage/spim_spiffs/sdkconfig
+++ b/example/storage/spim_spiffs/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_FSPIM=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -345,6 +350,8 @@ CONFIG_SPIFFS_ON_FSPIM_SFUD=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/storage/spim_spiffs/sdkconfig.h b/example/storage/spim_spiffs/sdkconfig.h
index 5359a0be..bd50c132 100644
--- a/example/storage/spim_spiffs/sdkconfig.h
+++ b/example/storage/spim_spiffs/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -261,6 +263,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -269,6 +272,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -304,6 +309,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/system/amp/README.md b/example/system/amp/README.md
index c7847098..7f37d93e 100644
--- a/example/system/amp/README.md
+++ b/example/system/amp/README.md
@@ -15,7 +15,7 @@
 
 7. 例程介绍：
 
-- `openamp`：本例程演示了如何使用openamp库在多核片上运行。
+- `openamp`：本例程演示了如何使用openamp库在多核上运行。
 - `openamp_for_linux`：本例程演示了如何使用编译好的基于freertos的 openamp例程镜像，在linux系统加载下运行(需要linux系统支持)。
 
 > 注：建议学习顺序：先裸机standalone，再freertos，最后linux。
diff --git a/example/system/amp/openamp/common/openamp_configs.h b/example/system/amp/openamp/common/openamp_configs.h
index 3be1b14d..b67ffa21 100644
--- a/example/system/amp/openamp/common/openamp_configs.h
+++ b/example/system/amp/openamp/common/openamp_configs.h
@@ -13,7 +13,7 @@
  * 
  * FilePath: openamp_configs.h
  * Created Date: 2024-05-06 19:20:51
- * Last Modified: 2024-07-22 14:49:16
+ * Last Modified: 2024-12-02 19:51:28
  * Description:  This file is for
  * 
  * Modify History:
@@ -43,13 +43,20 @@ static u32 remoteproc_online_mask = 0 ;
 #define RPMSG_SERVICE_00_NAME          "rpmsg_service_name_00"
 
 /* 从核发送消息时，需要指定发送的cpu的核号，用来确定软件中断的发送到哪个核上 */
-#ifdef CONFIG_TARGET_E2000D
-#define MASTER_DRIVER_CORE              1 /* 与amp_config.json中的管理（主）核配置保持一致 */
+#if defined(CONFIG_TARGET_E2000D) || defined(CONFIG_TARGET_D2000)
+#define MASTER_DRIVER_CORE              0 /* 与amp_config.json中的管理（主）核配置保持一致 */
 #else
 #define MASTER_DRIVER_CORE              2 /* 与amp_config.json中的管理（主）核配置保持一致 */
 #endif
-/* 主核给从核发送消息时，需要指定接收的cpu的核号，用来确定软件中断的发送到哪个核上，以及主核指定启动镜像在那个核心上运行 */
+
+/* 主核发送消息时，需要指定接收的cpu的核号，用来确定软件中断的发送到哪个核上，以及主核指定启动镜像在那个核心上运行 */
+#if defined(CONFIG_TARGET_D2000)
+#define SLAVE_DEVICE_CORE_00            4
+#elif defined(CONFIG_TARGET_E2000D)
+#define SLAVE_DEVICE_CORE_00            1
+#else
 #define SLAVE_DEVICE_CORE_00            0
+#endif
 
 #ifdef __cplusplus
 }
diff --git a/example/system/amp/openamp/device_core/configs/d2000_aarch32_test_openamp_device_core.config b/example/system/amp/openamp/device_core/configs/d2000_aarch32_test_openamp_device_core.config
index 35211e2f..1d45ac71 100644
--- a/example/system/amp/openamp/device_core/configs/d2000_aarch32_test_openamp_device_core.config
+++ b/example/system/amp/openamp/device_core/configs/d2000_aarch32_test_openamp_device_core.config
@@ -37,6 +37,7 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 # end of Compiler configuration
 
 CONFIG_USE_L3CACHE=y
+# CONFIG_DISABLE_L3CACHE is not set
 # CONFIG_USE_AARCH64_L1_TO_AARCH32 is not set
 # end of Arm architecture configuration
 
@@ -54,6 +55,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +101,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -327,6 +331,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/device_core/configs/d2000_aarch64_test_openamp_device_core.config b/example/system/amp/openamp/device_core/configs/d2000_aarch64_test_openamp_device_core.config
index 18bab938..d0a55952 100644
--- a/example/system/amp/openamp/device_core/configs/d2000_aarch64_test_openamp_device_core.config
+++ b/example/system/amp/openamp/device_core/configs/d2000_aarch64_test_openamp_device_core.config
@@ -30,6 +30,7 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # end of Compiler configuration
 
 CONFIG_USE_L3CACHE=y
+# CONFIG_DISABLE_L3CACHE is not set
 # CONFIG_BOOT_WITH_FLUSH_CACHE is not set
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
@@ -48,6 +49,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +95,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +286,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -316,6 +320,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/device_core/configs/e2000d_aarch32_demo_openamp_device_core.config b/example/system/amp/openamp/device_core/configs/e2000d_aarch32_demo_openamp_device_core.config
index e4a498fa..a76717d6 100644
--- a/example/system/amp/openamp/device_core/configs/e2000d_aarch32_demo_openamp_device_core.config
+++ b/example/system/amp/openamp/device_core/configs/e2000d_aarch32_demo_openamp_device_core.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -340,6 +343,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/device_core/configs/e2000d_aarch64_demo_openamp_device_core.config b/example/system/amp/openamp/device_core/configs/e2000d_aarch64_demo_openamp_device_core.config
index 6c5a55b2..087f8f28 100644
--- a/example/system/amp/openamp/device_core/configs/e2000d_aarch64_demo_openamp_device_core.config
+++ b/example/system/amp/openamp/device_core/configs/e2000d_aarch64_demo_openamp_device_core.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -329,6 +332,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/device_core/configs/e2000q_aarch32_demo_openamp_device_core.config b/example/system/amp/openamp/device_core/configs/e2000q_aarch32_demo_openamp_device_core.config
index 716d4b1b..df080ffc 100644
--- a/example/system/amp/openamp/device_core/configs/e2000q_aarch32_demo_openamp_device_core.config
+++ b/example/system/amp/openamp/device_core/configs/e2000q_aarch32_demo_openamp_device_core.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -339,6 +342,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/device_core/configs/e2000q_aarch64_demo_openamp_device_core.config b/example/system/amp/openamp/device_core/configs/e2000q_aarch64_demo_openamp_device_core.config
index e4d4da2a..07b54827 100644
--- a/example/system/amp/openamp/device_core/configs/e2000q_aarch64_demo_openamp_device_core.config
+++ b/example/system/amp/openamp/device_core/configs/e2000q_aarch64_demo_openamp_device_core.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -328,6 +331,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/device_core/configs/phytiumpi_aarch32_firefly_openamp_device_core.config b/example/system/amp/openamp/device_core/configs/phytiumpi_aarch32_firefly_openamp_device_core.config
index d3c441bf..4f68c26f 100644
--- a/example/system/amp/openamp/device_core/configs/phytiumpi_aarch32_firefly_openamp_device_core.config
+++ b/example/system/amp/openamp/device_core/configs/phytiumpi_aarch32_firefly_openamp_device_core.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -338,6 +341,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/device_core/configs/phytiumpi_aarch64_firefly_openamp_device_core.config b/example/system/amp/openamp/device_core/configs/phytiumpi_aarch64_firefly_openamp_device_core.config
index 3c397fe8..dd872993 100644
--- a/example/system/amp/openamp/device_core/configs/phytiumpi_aarch64_firefly_openamp_device_core.config
+++ b/example/system/amp/openamp/device_core/configs/phytiumpi_aarch64_firefly_openamp_device_core.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -327,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/device_core/sdkconfig b/example/system/amp/openamp/device_core/sdkconfig
index 3c397fe8..07b54827 100644
--- a/example/system/amp/openamp/device_core/sdkconfig
+++ b/example/system/amp/openamp/device_core/sdkconfig
@@ -40,14 +40,16 @@ CONFIG_MAX_XLAT_TABLES=256
 #
 # Soc configuration
 #
-CONFIG_TARGET_PHYTIUMPI=y
-# CONFIG_TARGET_E2000Q is not set
+# CONFIG_TARGET_PHYTIUMPI is not set
+CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_E2000D is not set
 # CONFIG_TARGET_E2000S is not set
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
-CONFIG_SOC_NAME="phytiumpi"
+# CONFIG_TARGET_QEMU_VIRT is not set
+CONFIG_SOC_NAME="e2000"
+CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
 CONFIG_F32BIT_MEMORY_LENGTH=0x80000000
@@ -62,7 +64,7 @@ CONFIG_DEFAULT_DEBUG_PRINT_UART1=y
 #
 # Board Configuration
 #
-CONFIG_BOARD_NAME="firefly"
+CONFIG_BOARD_NAME="demo"
 # CONFIG_USE_SPI_IOPAD is not set
 # CONFIG_USE_GPIO_IOPAD is not set
 # CONFIG_USE_CAN_IOPAD is not set
@@ -72,7 +74,7 @@ CONFIG_BOARD_NAME="firefly"
 # CONFIG_USE_TACHO_IOPAD is not set
 # CONFIG_USE_UART_IOPAD is not set
 # CONFIG_USE_THIRD_PARTY_IOPAD is not set
-CONFIG_FIREFLY_DEMO_BOARD=y
+CONFIG_E2000Q_DEMO_BOARD=y
 
 #
 # IO mux configuration when board start up
@@ -104,6 +106,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -327,6 +331,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/device_core/sdkconfig.h b/example/system/amp/openamp/device_core/sdkconfig.h
index 582b2ba4..3b7f29e9 100644
--- a/example/system/amp/openamp/device_core/sdkconfig.h
+++ b/example/system/amp/openamp/device_core/sdkconfig.h
@@ -37,14 +37,16 @@
 
 /* Soc configuration */
 
-#define CONFIG_TARGET_PHYTIUMPI
-/* CONFIG_TARGET_E2000Q is not set */
+/* CONFIG_TARGET_PHYTIUMPI is not set */
+#define CONFIG_TARGET_E2000Q
 /* CONFIG_TARGET_E2000D is not set */
 /* CONFIG_TARGET_E2000S is not set */
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
-#define CONFIG_SOC_NAME "phytiumpi"
+/* CONFIG_TARGET_QEMU_VIRT is not set */
+#define CONFIG_SOC_NAME "e2000"
+#define CONFIG_TARGET_TYPE_NAME "q"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
 #define CONFIG_F32BIT_MEMORY_LENGTH 0x80000000
@@ -58,7 +60,7 @@
 
 /* Board Configuration */
 
-#define CONFIG_BOARD_NAME "firefly"
+#define CONFIG_BOARD_NAME "demo"
 /* CONFIG_USE_SPI_IOPAD is not set */
 /* CONFIG_USE_GPIO_IOPAD is not set */
 /* CONFIG_USE_CAN_IOPAD is not set */
@@ -68,7 +70,7 @@
 /* CONFIG_USE_TACHO_IOPAD is not set */
 /* CONFIG_USE_UART_IOPAD is not set */
 /* CONFIG_USE_THIRD_PARTY_IOPAD is not set */
-#define CONFIG_FIREFLY_DEMO_BOARD
+#define CONFIG_E2000Q_DEMO_BOARD
 
 /* IO mux configuration when board start up */
 
@@ -96,6 +98,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 /* CONFIG_INTERRUPT_ROLE_MASTER is not set */
 #define CONFIG_INTERRUPT_ROLE_SLAVE
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +263,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 /* CONFIG_USE_LETTER_SHELL is not set */
 #define CONFIG_USE_AMP
 #define CONFIG_USE_LIBMETAL
@@ -290,6 +294,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/system/amp/openamp/driver_core/README.md b/example/system/amp/openamp/driver_core/README.md
index 2c41951f..d4a582f6 100644
--- a/example/system/amp/openamp/driver_core/README.md
+++ b/example/system/amp/openamp/driver_core/README.md
@@ -77,7 +77,7 @@ rpmsg-design:
 
 - 具体使用方法为：
 
-  - 在 /example/system/amp/openamp 对应 目录 下
+  - 在 /example/system/amp/openamp/driver_core 目录 下
   - 执行上述指令
 
 ### 2.3 构建和下载
@@ -102,16 +102,15 @@ rpmsg-design:
 
 #### 用户自定义修改配置项
 
-- 因为多核采用的是脚本自动寻找 `amp_config.json` 文件描述的工程目录，加载配置好的配置项（在目标路径的 configs 目录下），进行编译。所以，需要先保存修改好的配置项到默认配置目录中。
+- 因为多核采用的是脚本自动寻找 `amp_config.json` 文件描述的工程目录，加载配置好的默认配置项（在目标路径的 configs 目录下），进行编译。所以，需要先保存修改好的配置项到默认配置目录中。
 
-- 可以单个进入子工程目录中，单个调试完工程后再组合编译（遇到启动问题，推荐此构建方式排查调试多核启动问题）（注意：aarch32模式单个调试启动需要打开CONFIG_USE_AARCH64_L1_TO_AARCH32）。
+- 可以单个进入工程目录中，单个调试完工程后再组合编译（遇到启动问题，推荐此构建方式排查调试多核启动问题）（注意：aarch32模式单个调试启动需要打开CONFIG_USE_AARCH64_L1_TO_AARCH32）。
 
 > aarch32需要注意的点
 
 ![USE_AARCH64_L1_TO_AARCH32](./fig/OpenAMPConfig0.png)
 
-- 单个工程目录中使用`make backup_kconfig`保存调试好的AARCH32配置到默认配置，别忘了在工程中关闭CONFIG_USE_AARCH64_L1_TO_AARCH32，否则会导致启动失败。
-- 注意：混合异构部署启动中，各个工程都不需要打开（可以看工程的configs目录下凡是aarch32的配置都没打开），否则会导致启动失败，因为bootcode启动阶段已经做了此转换操作。
+- 单个工程目录中使用`make backup_kconfig`保存调试好的AARCH32配置到默认配置，如果是子工程（`amp_config.json`非bootstrap配置项）别忘了在工程中关闭CONFIG_USE_AARCH64_L1_TO_AARCH32，否则会导致启动失败。
 
 #### 编译
 
@@ -151,16 +150,16 @@ rpmsg-design:
 
 2.4 输入 'openamp' 运行openamp 命令程序示例,结果显示为:
 
-![1677585960509](./fig/1677585960509.png)
+![openamp64](./fig/openamp64.png)
 
 - 其中 "openamp auto" 表示命令的完整格式，一次性测试4个demo，红色方框为核2调用函数启动核心0的过程
 
-![20230512192325](./fig/20230512192325.png)
+![openamp64_auto](./fig/openamp64_auto.png)
 
 
 - 其中 "Test Results:Error count =" 表示通信过程中出现错误的次数
 
-![20231017160632](./fig/20231017160632.png)
+![Test64_Results](./fig/Test64_Results.png)
 
 #### aarch32 程序测试 （freeRTOS 间）
 
@@ -190,15 +189,15 @@ rpmsg-design:
 
 2.5 输入 'openamp' 运行openamp 命令程序示例
 
-![20230512195526](./fig/20230512195526.png)
+![openamp32](./fig/openamp32.png)
 
 2.6 输入 'openamp auto' 表示命令的完整格式，一次性测试4个demo
 
-![20230512200435](./fig/20230512200435.png)
+![openamp32_auto](./fig/openamp32_auto.png)
 
 - 其中 "Test Results:Error count =" 表示通信过程中出现错误的次数
 
-![20231017165755](./fig/20231017165755.png)
+![Test32_Results](./fig/Test32_Results.png)
 
 ## 3. 如何解决问题 (Q&A)
 
@@ -214,3 +213,4 @@ rpmsg-design:
 - 2023-05-12 ：v0.1.0 初始化项目
 - 2023-05-31 : v0.1.1 增加自动加载从核elf并启动的功能
 - 2024-07-18 : v0.1.2 完善openamp生命周期管理，修改配置方式
+- 2024-12-03 : v0.1.3 增加新多元异构系统架构支持，完善readme文档
diff --git a/example/system/amp/openamp/driver_core/amp_config.json b/example/system/amp/openamp/driver_core/amp_config.json
index d1806167..4fb9d2fe 100644
--- a/example/system/amp/openamp/driver_core/amp_config.json
+++ b/example/system/amp/openamp/driver_core/amp_config.json
@@ -22,74 +22,50 @@
         {
             "config0":[
                 {
-                    "bootstrap":"0x90120000"
-                },
-                {
-                    "path0":["../device_core",10000,0,"e2000q_aarch64_demo_openamp_device_core.config"],
-                    "path1":["./",2,1,"e2000q_aarch64_demo_openamp_driver_core.config"]
+                    "bootstrap":["./",2,1,"e2000q_aarch64_demo_openamp_driver_core.config"],
+                    "path0":["../device_core",10000,0,"e2000q_aarch64_demo_openamp_device_core.config"]
                 }
             ],
             "config1":[
                 {
-                    "bootstrap":"0x90120000"
-                },
-                {
-                    "path0":["../device_core",10000,0,"e2000q_aarch32_demo_openamp_device_core.config"],
-                    "path1":["./",2,1,"e2000q_aarch32_demo_openamp_driver_core.config"]
+                    "bootstrap":["./",2,1,"e2000q_aarch32_demo_openamp_driver_core.config"],
+                    "path0":["../device_core",10000,0,"e2000q_aarch32_demo_openamp_device_core.config"]
                 }
             ],
             "config2":[
                 {
-                    "bootstrap":"0x90120000"
-                },
-                {
-                    "path0":["../device_core",10000,0,"e2000d_aarch64_demo_openamp_device_core.config"],
-                    "path1":["./",1,1,"e2000d_aarch64_demo_openamp_driver_core.config"]
+                    "bootstrap":["./",0,1,"e2000d_aarch64_demo_openamp_driver_core.config"],
+                    "path0":["../device_core",10000,0,"e2000d_aarch64_demo_openamp_device_core.config"]
                 }
             ],
             "config3":[
                 {
-                    "bootstrap":"0x90120000"
-                },
-                {
-                    "path0":["../device_core",10000,0,"e2000d_aarch32_demo_openamp_device_core.config"],
-                    "path1":["./",1,1,"e2000d_aarch32_demo_openamp_driver_core.config"]
+                    "bootstrap":["./",0,1,"e2000d_aarch32_demo_openamp_driver_core.config"],
+                    "path0":["../device_core",10000,0,"e2000d_aarch32_demo_openamp_device_core.config"]
                 }
             ],
             "config4":[
                 {
-                    "bootstrap":"0x90120000"
-                },
-                {
-                    "path0":["../device_core",10000,0,"phytiumpi_aarch64_firefly_openamp_device_core.config"],
-                    "path1":["./",2,1,"phytiumpi_aarch64_firefly_openamp_driver_core.config"]
+                    "bootstrap":["./",2,1,"phytiumpi_aarch64_firefly_openamp_driver_core.config"],
+                    "path0":["../device_core",10000,0,"phytiumpi_aarch64_firefly_openamp_device_core.config"]
                 }
             ],
             "config5":[
                 {
-                    "bootstrap":"0x90120000"
-                },
-                {
-                    "path0":["../device_core",10000,0,"phytiumpi_aarch32_firefly_openamp_device_core.config"],
-                    "path1":["./",2,1,"phytiumpi_aarch32_firefly_openamp_driver_core.config"]
+                    "bootstrap":["./",2,1,"phytiumpi_aarch32_firefly_openamp_driver_core.config"],
+                    "path0":["../device_core",10000,0,"phytiumpi_aarch32_firefly_openamp_device_core.config"]
                 }
             ],
             "config6":[
                 {
-                    "bootstrap":"0x90120000"
-                },
-                {
-                    "path0":["../device_core",10000,0,"d2000_aarch64_test_openamp_device_core.config"],
-                    "path1":["./",2,1,"d2000_aarch64_test_openamp_driver_core.config"]
+                    "bootstrap":["./",0,1,"d2000_aarch64_test_openamp_driver_core.config"],
+                    "path0":["../device_core",10000,0,"d2000_aarch64_test_openamp_device_core.config"]
                 }
             ],
             "config7":[
                 {
-                    "bootstrap":"0x90120000"
-                },
-                {
-                    "path1":["../device_core",10000,0,"d2000_aarch32_test_openamp_device_core.config"],
-                    "path0":["./",2,1,"d2000_aarch32_test_openamp_driver_core.config"]
+                    "bootstrap":["./",0,1,"d2000_aarch32_test_openamp_driver_core.config"],
+                    "path0":["../device_core",10000,0,"d2000_aarch32_test_openamp_device_core.config"]
                 }
             ]
         }    
diff --git a/example/system/amp/openamp/driver_core/configs/d2000_aarch32_test_openamp_driver_core.config b/example/system/amp/openamp/driver_core/configs/d2000_aarch32_test_openamp_driver_core.config
index 38ec6567..af96a918 100644
--- a/example/system/amp/openamp/driver_core/configs/d2000_aarch32_test_openamp_driver_core.config
+++ b/example/system/amp/openamp/driver_core/configs/d2000_aarch32_test_openamp_driver_core.config
@@ -36,10 +36,20 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 # end of Fpu configuration
 # end of Compiler configuration
 
-# CONFIG_USE_L3CACHE is not set
-# CONFIG_USE_AARCH64_L1_TO_AARCH32 is not set
+CONFIG_USE_L3CACHE=y
+CONFIG_DISABLE_L3CACHE=y
+CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+CONFIG_USE_MSDF=y
+CONFIG_MSDF0=y
+# CONFIG_MSDF1 is not set
+CONFIG_MSDF_CORE_ID=0
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -54,6 +64,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -87,9 +98,9 @@ CONFIG_TARGET_NAME="openamp_driver_core"
 # Sdk common configuration
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
-CONFIG_LOG_VERBOS=y
+# CONFIG_LOG_VERBOS is not set
 # CONFIG_LOG_DEBUG is not set
-# CONFIG_LOG_INFO is not set
+CONFIG_LOG_INFO=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
@@ -99,6 +110,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +306,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +316,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 CONFIG_USE_AMP=y
@@ -337,6 +352,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/driver_core/configs/d2000_aarch64_test_openamp_driver_core.config b/example/system/amp/openamp/driver_core/configs/d2000_aarch64_test_openamp_driver_core.config
index cab1b7c6..18ca36e8 100644
--- a/example/system/amp/openamp/driver_core/configs/d2000_aarch64_test_openamp_driver_core.config
+++ b/example/system/amp/openamp/driver_core/configs/d2000_aarch64_test_openamp_driver_core.config
@@ -29,11 +29,21 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_GCC_CODE_MODEL_LARGE is not set
 # end of Compiler configuration
 
-# CONFIG_USE_L3CACHE is not set
-# CONFIG_BOOT_WITH_FLUSH_CACHE is not set
+CONFIG_USE_L3CACHE=y
+CONFIG_DISABLE_L3CACHE=y
+CONFIG_BOOT_WITH_FLUSH_CACHE=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+CONFIG_USE_MSDF=y
+CONFIG_MSDF0=y
+# CONFIG_MSDF1 is not set
+CONFIG_MSDF_CORE_ID=0
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -48,6 +58,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -81,9 +92,9 @@ CONFIG_TARGET_NAME="openamp_driver_core"
 # Sdk common configuration
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
-CONFIG_LOG_VERBOS=y
+# CONFIG_LOG_VERBOS is not set
 # CONFIG_LOG_DEBUG is not set
-# CONFIG_LOG_INFO is not set
+CONFIG_LOG_INFO=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
@@ -93,6 +104,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +295,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +305,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 CONFIG_USE_AMP=y
@@ -326,6 +341,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/driver_core/configs/e2000d_aarch32_demo_openamp_driver_core.config b/example/system/amp/openamp/driver_core/configs/e2000d_aarch32_demo_openamp_driver_core.config
index d7ef0d31..a0102645 100644
--- a/example/system/amp/openamp/driver_core/configs/e2000d_aarch32_demo_openamp_driver_core.config
+++ b/example/system/amp/openamp/driver_core/configs/e2000d_aarch32_demo_openamp_driver_core.config
@@ -36,9 +36,18 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 # end of Fpu configuration
 # end of Compiler configuration
 
-# CONFIG_USE_AARCH64_L1_TO_AARCH32 is not set
+CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+CONFIG_USE_MSDF=y
+CONFIG_MSDF0=y
+# CONFIG_MSDF1 is not set
+CONFIG_MSDF_CORE_ID=0
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +62,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -100,9 +110,9 @@ CONFIG_TARGET_NAME="openamp_driver_core"
 # Sdk common configuration
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
-CONFIG_LOG_VERBOS=y
+# CONFIG_LOG_VERBOS is not set
 # CONFIG_LOG_DEBUG is not set
-# CONFIG_LOG_INFO is not set
+CONFIG_LOG_INFO=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
@@ -112,6 +122,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +318,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +328,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 CONFIG_USE_AMP=y
@@ -350,6 +364,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/driver_core/configs/e2000d_aarch64_demo_openamp_driver_core.config b/example/system/amp/openamp/driver_core/configs/e2000d_aarch64_demo_openamp_driver_core.config
index cb7802c6..883cd5f5 100644
--- a/example/system/amp/openamp/driver_core/configs/e2000d_aarch64_demo_openamp_driver_core.config
+++ b/example/system/amp/openamp/driver_core/configs/e2000d_aarch64_demo_openamp_driver_core.config
@@ -33,6 +33,15 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+CONFIG_USE_MSDF=y
+CONFIG_MSDF0=y
+# CONFIG_MSDF1 is not set
+CONFIG_MSDF_CORE_ID=0
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +56,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -94,9 +104,9 @@ CONFIG_TARGET_NAME="openamp_driver_core"
 # Sdk common configuration
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
-CONFIG_LOG_VERBOS=y
+# CONFIG_LOG_VERBOS is not set
 # CONFIG_LOG_DEBUG is not set
-# CONFIG_LOG_INFO is not set
+CONFIG_LOG_INFO=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
@@ -106,6 +116,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 CONFIG_USE_AMP=y
@@ -339,6 +353,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/driver_core/configs/e2000q_aarch32_demo_openamp_driver_core.config b/example/system/amp/openamp/driver_core/configs/e2000q_aarch32_demo_openamp_driver_core.config
index 9ac578fb..17d4c7c1 100644
--- a/example/system/amp/openamp/driver_core/configs/e2000q_aarch32_demo_openamp_driver_core.config
+++ b/example/system/amp/openamp/driver_core/configs/e2000q_aarch32_demo_openamp_driver_core.config
@@ -36,9 +36,18 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 # end of Fpu configuration
 # end of Compiler configuration
 
-# CONFIG_USE_AARCH64_L1_TO_AARCH32 is not set
+CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+CONFIG_USE_MSDF=y
+CONFIG_MSDF0=y
+# CONFIG_MSDF1 is not set
+CONFIG_MSDF_CORE_ID=2
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +62,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -99,9 +109,9 @@ CONFIG_TARGET_NAME="openamp_driver_core"
 # Sdk common configuration
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
-CONFIG_LOG_VERBOS=y
+# CONFIG_LOG_VERBOS is not set
 # CONFIG_LOG_DEBUG is not set
-# CONFIG_LOG_INFO is not set
+CONFIG_LOG_INFO=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
@@ -111,6 +121,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +317,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +327,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 CONFIG_USE_AMP=y
@@ -349,6 +363,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/driver_core/configs/e2000q_aarch64_demo_openamp_driver_core.config b/example/system/amp/openamp/driver_core/configs/e2000q_aarch64_demo_openamp_driver_core.config
index 65b4dad0..589235d2 100644
--- a/example/system/amp/openamp/driver_core/configs/e2000q_aarch64_demo_openamp_driver_core.config
+++ b/example/system/amp/openamp/driver_core/configs/e2000q_aarch64_demo_openamp_driver_core.config
@@ -33,6 +33,15 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+CONFIG_USE_MSDF=y
+CONFIG_MSDF0=y
+# CONFIG_MSDF1 is not set
+CONFIG_MSDF_CORE_ID=2
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +56,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -93,9 +103,9 @@ CONFIG_TARGET_NAME="openamp_driver_core"
 # Sdk common configuration
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
-CONFIG_LOG_VERBOS=y
+# CONFIG_LOG_VERBOS is not set
 # CONFIG_LOG_DEBUG is not set
-# CONFIG_LOG_INFO is not set
+CONFIG_LOG_INFO=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
@@ -105,6 +115,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +306,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +316,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 CONFIG_USE_AMP=y
@@ -338,6 +352,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/driver_core/configs/phytiumpi_aarch32_firefly_openamp_driver_core.config b/example/system/amp/openamp/driver_core/configs/phytiumpi_aarch32_firefly_openamp_driver_core.config
index 9997670f..de426e59 100644
--- a/example/system/amp/openamp/driver_core/configs/phytiumpi_aarch32_firefly_openamp_driver_core.config
+++ b/example/system/amp/openamp/driver_core/configs/phytiumpi_aarch32_firefly_openamp_driver_core.config
@@ -36,9 +36,18 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 # end of Fpu configuration
 # end of Compiler configuration
 
-# CONFIG_USE_AARCH64_L1_TO_AARCH32 is not set
+CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+CONFIG_USE_MSDF=y
+CONFIG_MSDF0=y
+# CONFIG_MSDF1 is not set
+CONFIG_MSDF_CORE_ID=2
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_FMMU_NUM_L2_TABLES=256
 # end of Arch configuration
@@ -53,6 +62,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -98,9 +108,9 @@ CONFIG_TARGET_NAME="openamp_driver_core"
 # Sdk common configuration
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
-CONFIG_LOG_VERBOS=y
+# CONFIG_LOG_VERBOS is not set
 # CONFIG_LOG_DEBUG is not set
-# CONFIG_LOG_INFO is not set
+CONFIG_LOG_INFO=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
@@ -110,6 +120,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +316,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +326,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 CONFIG_USE_AMP=y
@@ -348,6 +362,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/driver_core/configs/phytiumpi_aarch64_firefly_openamp_driver_core.config b/example/system/amp/openamp/driver_core/configs/phytiumpi_aarch64_firefly_openamp_driver_core.config
index 7424a2d7..bbd999d6 100644
--- a/example/system/amp/openamp/driver_core/configs/phytiumpi_aarch64_firefly_openamp_driver_core.config
+++ b/example/system/amp/openamp/driver_core/configs/phytiumpi_aarch64_firefly_openamp_driver_core.config
@@ -33,6 +33,15 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+CONFIG_USE_MSDF=y
+CONFIG_MSDF0=y
+# CONFIG_MSDF1 is not set
+CONFIG_MSDF_CORE_ID=2
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -47,6 +56,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -92,9 +102,9 @@ CONFIG_TARGET_NAME="openamp_driver_core"
 # Sdk common configuration
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
-CONFIG_LOG_VERBOS=y
+# CONFIG_LOG_VERBOS is not set
 # CONFIG_LOG_DEBUG is not set
-# CONFIG_LOG_INFO is not set
+CONFIG_LOG_INFO=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
@@ -104,6 +114,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +305,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +315,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 CONFIG_USE_AMP=y
@@ -337,6 +351,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/driver_core/fig/1677585960509.png b/example/system/amp/openamp/driver_core/fig/1677585960509.png
deleted file mode 100644
index 38ac275275e61d89fb31211a2b7cd2116b561935..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 114715
zcmeFZ1yCK&mOp-RcX#&-!Gi^Nw~M<5ch>}hySux)OVEoGoZt>Y1B4L#&wFp>_rCA#
z{%f;aD^+i%YVO>g>gk@I&pCbioX?q;<(Dl0x~!y(Bme>e0DySi0WYfnvDbh9x$RFk
z`On?qwf4(r00umS7BoB*1SJ3x0|E*I;$;v(`r1jTf4Vo|FB>czJPZOf6eI-V>vd&x
z0Oaci0R;gI0S^lc3l9ek0|g5S2Y`Ub#KOkGz$MT~Tf#$N=X~qx*4T<qLCNFZMnyxb
zskKba#=(`mz%8oc;hB=!v?%f+zP|bU>m5m6$L60}{HF#1kWkPt5U<T5yk3^a06+mC
zpr9Zik)hxrUauhi=>WjMgu$Y~recG|p=9R}QBzM$nwf>8HiqZqQgL>vZ*an!SB?LU
zi%%m8(lm4ZkW$n*x48YX0zig>czsqV41f^e1yE3n{K#>6;_~Z8Yx#k+-qFv=&vC7w
z(Sl`v-L0>fu)X6ai9Y#mQROLTndawiL{MZwxO1QB7@Jdyo*AV~NutU#u>pm@Nau5&
zK*ZD1?j29>I%3cZfanh51;D0jm>HX!V{vd$Vy{DMpjxqS##pfj0)ecz7z4Nd@}Ra{
zn^7jFl;-U62QnP0GK>h+@$J+PQ+0>iLpykTM7_sQBem=PLa1-hd&$>d0Lr8i{wLQ?
zmlHj`{1@#3>8%$F*<pTBy(mHo#?u3lgKtLO2F%078+JVU|G)h@*xija%)VXgomjp7
zwj8=V{(bJpBJm?nm*``V$CI!Z&O<HuuNt%$<hi-q^c#Pi?DhXg1OFJJKco8}DEfz>
z{X<neE&W3d{vikdkb{57!9NVIf0&Mcviko^<^!+My57XyA@L*FbOo002vNXhZ2a_?
z`z!cx=n$}ldRRh!aCb4!*EmjOYI6J15G|h^`lqAf$R$!mJLb|Cz|4={r|shxz%^ns
zSa3IgG5K3#@%x+n<`3TWh3LiH#JTay_U=S4044V}ePQSk#z4yNY7K#f&ZvjRb&KZD
zif?X3^IibM&%yx{8m|v@K>UZI{nJ$H4bc<v$&EgT$`I33H6t1(OT+hP1vzauH<oDL
zb2Zs28~6yG2owz!IsS{coQ1bML+F6w-AnB<MSGi;9l2cf!ZHo>bDcpa(eaVXY<S{i
z8U6I7IKDH9&q>O*@0TBE6t~_&r}5XJ3_80)pK8GZE7qhJR>2&%_Z%m=6FI`qRgdLQ
z`@2sBH`517<N+G~>d#kKHTVIZV~<6>x4m~SfTLf|;}6IVlbSC8%NIcIb8Ix!zhC`w
z0PTXnFe&x<_5~pHM24yzU>to{@d7w~9mv-)z0C7G@S}{^nz7D0RVO*K5t<bVE&Z(9
zI(5Em9IAenad&!wx8#npc$(pU^J5@oPY+6+BWMRc>2o7iNunF`6Y>lOwm2HlrBA?9
z0r|^eRJ{Ur+fA195G~1maQtY9)?tXJ`3CRqrnc#(pU0B#C)y8ULuFS$<!0IhV__(q
zt(N-jzNBgd<+C*j=+U29>!S>y3^jY}#=;qG0S0?J22|OHP+|OnbbfTkAj48(r!hDC
zEawEd1P2PY0*ecy)`bDK@$x#%<i^@2_ZcNU@B7BkZmT85vI}JBF6g+gASEFipA40U
zER!&R>gCyN)05)IMN9h3GpdO!0?k8|B`^E#gi4HqG_UIfY<@f=o%k3J?PyXq4iZ=S
zyiiKmz&0?jt)y$pYF+M~rB^dnOF}k!gC|7!rf6rIxk<Tj1=O2&zao5+{O5)&E(;1%
zy#<z;NN%-%8m2Z<1X`v8J<;=A7K*{-eErvt(#1?|es7L8RoQ;^D&F;~{PYhswGCRk
z3qU7x+4p<1e=i912lt+Om;CJhMz>ZzQ*!Z^h>wE`rSEG}vT++VNf?!*w2%sw230kN
zKI-vtO{vLS4M6#FpyXCiJs`Hq3QX+Gmy+cKCVV|}D*3|+19dy?6`l^Q{ZAx6Jr3fI
zOb7;Dz6U8g>>F@xC6CWyw(D`s_s?>lWl)mUuYb0-7n8LQ(+9%5Azf!unm=N;a1QU8
z6&USH_IF(ONICh+SWjvdn#)TeR__i|j(_NuHnWSxwj@3V?@az4Dav^~!e-(id%khe
zBU6RnieUzcE|4($2UBN=24fOp9{crXSZTY|nSh1^AtSFx;pE5qO}AY0J0Es@Sg!=|
z2Sm7cI(p7fRd0j_BUC#>XP={QsK_FJTx8ymSsuA_kGz{sy@a?G)SP`bEZhN~`aFXx
z9Beic{Km2g?XR603)xxMNYZ6Ah(3xee|!rabc4xd!Z(BS<-Dfi*qzGF2r)Yh+8&-C
z9sYhe%V~Pbs(_TiGDmv*Bm8xSRq-_bP6Yks1uu1?K<5cD)c~^3xWLs#l@qw;;i9MG
zq~{J&7&-v}NRU|u2qegS2aw7Lp2<T>12AO(fVb4SfY(x`K)Bvls7`@Gq3$@eDB2fR
zi<LmQ?@^koD|%aM2@k#nK=Lf3WoIZi2U*X#Cb`!s^4_Rq>cy~6AfUH;sML%Q=8T=j
zRvIt#wKdsLxT74b6HW~x);IVjthXROu<h|MOosWl(BztttDodcCek4L)Jgz9xkVI^
zP-{#^;&Zj|4Q22$YweXIQqs|ZJV1=;*u3ygM>Rw2bTZdNjQwLxvI-o`8Ea%DmRj7a
z3*|EByk4HD1I2rmjboJ}{PsL=A?Y0yd7&0pF-X5upjb;F0od*)Rr$n^;Uxkz8kf@I
za>h045ZP#vppsCbn4P+Vt;S`>h!xcPA{v5t(hup2HWcRyE?xOC+Nd7;G*m&!ACPN`
zD$9|J%Ar^JXq5R#7FusZG@vo7YNDVD3n61-Dvpjvj;o5`h@D2Py`8|sR<D9SobiAD
zq^!H0b$X${u3Ux;fe^@o88ih%LSFc^HR)7nE<i1E5%QTWB9Z`{gM1xHO!rZ%VM-wD
zg#Gz_z-s;r0M(xNb`vg~gbVPXOXm0j*daT70epA?jOzivqsrL}J(j-!2!}RDhn|nr
z$$o8)pxs5RJhpckKNmB;05)EA{Wb2_G0Q*t>QY-{sx$cKLBsaxtoFn1sh)>MU;4F(
zI86+J+mXS=snm0$f&FNJ!riRwUHC6z(0-=ao~E&578lbMJ}tk#*n3>}+&y@%jtF}2
zN4JooKJ&4!=8*LUNa%-baBrdo@c*J39x&}W99f-Q9r?6)p7F5+?~Q0{4l!7~7v4(e
z{-HtFRNzazAf|k%zDD&MI5=Y1L;~%p4z4<dxZNo|GhCpW+?|Z)@z=s`2|bH%iLj@Z
zRvt0#D9AJ)8YOA2rtsTjwVf3N(vZo&BMS14Zm>o}vq~+pNrmui%LH*Z+N-)ntz%zW
zVB?q$MbxP^X+eSlfoQmZp!{5GU}%V!_CnaY`oyFZ%^EIoMN#0Gv??zHMd+I+TCVB+
zUh)8$9QEf(XG7UF9R6$VL`s#WKz4w+an_PPQO8X~RcMIu))bGSt$qMVQe^!=-b=jB
zoxLH4Seh1snpku{WOmPaRfllfz*3L7I2s5nh$YQbuVSuP#F>i`mx$5<Tgjr&6bGkK
zPDyhln4cOQgR1+D${K}f`<H#}mdA*G?XjEedo1I^J6X_cjw57@@Is(iAmmlCXzcpz
z+O@5DTi5J5we7KIz5a{`U9P=_TaA=<89-p2;$<C{-U9<U1_Zpvk-v}ET#h4O{^>|u
zf6>zb?&&<~>Aa}9zo@xWIF7om#4w(xHBWu|IKuudeRR`r&%V|#-AjEZ7TCLx1ELhM
z6HgIRFLEWZ6BBD3mWsQ-yNBGhYSd&tvOh4|Sg3S=SE|L?XvAvl;Xne*luq811bGx{
z0A-028g5w^)~1{yVe+kYHW0=_Bpl^zpnRA!(W&YJ*+=0^TvE2BK$Sq#-mB&DhIF+6
zgt4g2C9CKrI1$AT`2{xF>582~!Y)#=?Pm$CJyWtt74D_EMP}1VT{Nhi6JpId;c}r-
z$~&TMa*h^dd2058_>>S|4$2}*Za<67F{xoM!;2MPWDDEZC9%tx5Z)-Z$|M%qsnZKo
zVyZI|H>~cJAONWnkpMT3x_bOoSwpQ18c~5B;x_OYAL>c+!TRH6=zUV<3&3ad1u&s&
z`DR1afUo8Kg^DIYhgn}I!HWKFc90l?k?l;lZ(|4xW{O^-5-k+G0Ay^8vquz_2r|Y^
zl*)F@TL<98=EA;1onXmBpa<Yq*Dq$k>FG}vY21Qmr?;M6E7cs>L~<}@<*aS(G@#_r
z;hHb+uO)W;HYxQtBs6+;*y6dC$?wC>+cl^*xQ^9RccR#ny3NOsw11=BSKT^Y`C~VR
zXHJo4H=6UWPSo+DgyxG4A2wb9&nBz9{#U;__=Ow+n#nz%?=#OK)}Yqye)6M$Z<ZaN
z#nesCzB#q5#VV166Jhe(wCuXnKWAq5P8|PNy#|8J`>yJraPymvs9U5b4)x3SLNx;c
zSA_pYyWd8-*P&a+^n0oyFv8!Z)I34cjEAU-18dY%I@qaWiR;Itw<mInrjeb&z)NtK
z_jt|2Nslbgfu@MKD}Uhei1h90=b)CY=%0db;a-*U0v~5NU(H&{iNu;cFBL3NY?VFi
zt~QmD{Ytf^@`4R_v-^U_nL$W)Z3}ICrA>8^ZwtsEFhXL0Y(e#tM*XryzTiX8=dt8-
z7%z2_+GAvKr}%UWT3q~RDeH*=$H}5j*sOfSsg)+L2G^Qz3k$#UPPbA}=`VhA_g2yx
zeG7u6fGp_f+R1Ha^fgki8)Zu*exu0yWppe=LsAlCtfH66bwn2z$)*$cbE`U95{sM5
zib*BI#cJ}KWu`_O+hutqvG4mu|6D?s;33LMHTcs+je>Rbc?pogM-iR;3hIb{xoiPj
z>F=^X``fyu^(~njTUm6unBDR?fSwg~8`$4$w6!#_qRbh6_uqNSQHdY)^HUdfjEbp*
zzDJ1LF8H;ZeqnzD1+$eHBPgKeFTr-nwjUW2^#FMq7qw6(%xR<-sB5QB;2z&+@1VQ4
zul;$aHa<O3uPar3Zw;f?n_Vf<{Y!<jy+C9P&pu!0-$M8QY6;h*`Qw)tK&#j@@tWiK
z-Rt~sANt7KcDV6K_5wgry0v)$*g3u~*Sg-`t37i?_9jL?eJK;V?2RM4#%aFu@jS*K
zzrk@7A$sEhZO3wFG^uAtf#_S(qkWjbQ|Q_(M%sv}&4C<qXo&2EDex63ozfgaZAR$d
zwH>CDC-0t=&jW_wVu?tm0&?9SqPuK`uRP#}*AaXl+3KG64Fx@jh=oX>TKMnQu(oWa
zvM)B2K_q@n<=)vS?B%w3nrGt%TG71SA(<x2$)oe_4a@6W_!TMZH*!2_4|bZ~)9F<~
zC~3oyv%73LP<g$c2QZbCNyP4)$<pQ;Fnjb^ZbqO~>$fyUpwJL#d(@PSMmYW}tfCLl
zA91^QPbCN6ju-%o*yB6m+^K~8R<BB*?|l8AI8GfNzh0k_I3ywtILdgu!|^gsnA)l>
zA=5UzQFd%k+p7Ck7zxaDaGsJKs`N3DdJkD1rdHSiFIW{uKIT&2&9h(17;HN?%;?J=
zC9e+b;eEq9%9s^$GNr^<vR^9hNUY9QQpD;TJs(1}Z`QUhP37v{z_W%jvk*Ugd^|RR
zqF>fr<lRxFT0nGY*05aVP>WY7Y5b$Ll4fz<!LrMYu}kJ{F{1JKZbdEK=>aBPO|@!`
zg?tI7*l6Z}v7$uaeG{xtEvQ`UGK>dRLm#?+RK6d?3v&b47b6xXKZh|mlAE4otRMtF
zMy*eMbKHLi(niW;>aT}khq2^&Z{TO1Di+vgg~Vtm`OYIN-56Q>Hdy5*DdF&2jDYhr
z(CHkl0=?NFc$GOzFSz{_H$l%1QZ9veEJI8ZUmT=(4F>LB5c-*M-i$Vov4n8NA!iwf
zaBxxqCno)WN@N~X9elu1@ruJ_%U}%7qC((7ph1AnA}{AG8v9rUT}UodxEM91y&R*z
zmN~P0Ra|ZJhTHvIwbiG-)IMT!F{`*~spFDMW(H}@r0s-PZK_7q0*QWIXX71SSrJgV
zbew0<9NNq+ZQ1k#k3z7Q94?OnO*WXgBxa#-re$Bs(k^5mvEH=qK4kBd%b9W#)25f8
zpy1p?KploCx9Suw`*pq!VSkd)Lzf(1?<11y(c;h~k`~Qns7>+Oi=kg<Rt8rMrpOOa
zwJ!~jipO$`9!RGPtKT}j0A3B{*W+%|AE&&v&yohpn=Z#JZ~496fv<#@1Jqgu9$OZ)
zdYqhMK0CycLHUI?8bUcM4%{aMOk|tCW5&q`$1afGz}!bMXlvCpx>+`!WKPyYR6akg
z`8z^sL^fI3utvcdXNj2&&id051iG36MpOqZiEGa{lZ9@_cW=Mtng$$9r$#h0&ca|0
zR%({%!<xxJ-WW%9(VGF&qnLPtF?oz)+2tsm!^Yw7$4o3Uy!gkoImTH+Y47YdIw$G+
zTZ@Ie*lLAIS^=Gd4}nCV5HqhRq^P>o2z*pzIj)it42HjAh@$)aqLDldAkJ!xuVbzQ
zs9MXdxTasZwY6AOd#I&IluL!A7oYz~ffDjR(=jW``j&FC0%=rA8U0IQmmQGzQ50-s
zI<yt6NUfi>yR2N%l<%VB$wEi#U$u7zJ>6A*6o?;9{z>8l+|w8f+)fp&OA)+G06wux
zrSR^?=!@Kl9aN!b>NF<Dd%W|Vm37N&cLF2mji3+UMl5aM?*{vsI##9SfVru5m;2b?
zCHQiTnVXpgYh_Lzi6Vl-&9e%zc}_u4-=n@bCoj{yf7UbGEr_)k92E{KK(%lOLa8=a
zGB0>R?`ygY*K3-CAXM@-OmxOz^1;L|+_eiPHl472rGeLSddCRY%;_pSKTm3_T4|_*
zi(0H!KB0IrO;y>lE%TtwU@@$Yv9N|o^02UQz;OmlB^9~_E?Tv)d|qfN@`3`I))ZSk
zn8Q@bcc%H~u~@$GNEt<SG$q5_N%n`AqO>X@^(E*FoJH1C8zwtet$n%(c%@0$W%YVh
zR5^W1jAi4_SeZkS?oZx9$l0l-Jn}3fpUBf#|H6dnmSN3K7wf@7Jf_riVm0jy!_6TJ
z<1`ZI^I@EJWGK$A2FBz|#6g@cj_pM`Ew=?avgI(VkUPj$PSu@^_;QE|%{Y(-?KlCM
zEp_GAcubljM*iXPZ|uwDJq2^0Q5hzFRcl?7A(gKp)PT3kUds@@Z7AAsT*2=@!xojC
z!frtx;eTkSvzv|{<@d7$h1Z-C!RA0sGP{(~O|+OxMXuKLG^`~hU?zMmwZ`V!s^zP%
z0~>7#iOZKd(6{wd;BU3HO%Tt#0Qgj+7ooIEmOG&|R^s=N>ti~SOV5&U>)FqZuL9e%
zx;J#GdHbS#<sv}8D2T&L(!9P~!a_;2IVs@>l*{(scE11~hgzJU_LEIx<+HrPn-&+-
ztR=B)(dBP(yzs<^L}1M!Th2ddB~~01QhMGxZ%-6GD7IwXlB=0==4ld#!?h7N*hXo?
zu54*A!`E2B)N4%LCzx6o1BQJ~p>EAJ2Ak=OFQ<uB>we-xDnFN#4-oj(x)T=#@$60a
zjv@Ww^%;mSYIY?hG&a)~w*WyTNtnW~Iv_ic=pk?+&P7Wy3Scd3|JfeE@*#{U!F}!5
zT4L*>+v{5PKRz?Bcm2&<OPIJ!O?pdbn|a4??^o%?4|pr|1>#xQn&<DUqyNM_oIIOk
zUq?8}J+w^NG9OEB9_2P)Eo7V59G>cemIO1ge}46qVhY)GM^Cl34}MR9b6`4%hm}wy
zvZ-xrZzeh%gZ4to`AcM-_2W6VS2L|(^VZ4d^YKPZY10V=fHkxV2IR^}mxYJH`<QaE
z8#Xt4xho>quWp~KbTIU0kxZ(yZ>WbS`XQoz4a1#}Rfk(E4(#Ue6dRwiLgzoJiiEH~
z7@YFTz&efQ2K<f2=Ec%BxKfp!n$JjCu2*+gmI0vrBy|TkoI|MwW%P3zL8+>_LpegY
zA`7o2wj2)cW%o2z48D4{gOnf+QrhRS4s_WIht8G^we4kP5M*rUnh^=VYi4ULo7Op!
z70{}+Cg~ZYM>*>0S)jgu0c0~so<LO1+3J6&w3EJq)dK6w&ix!i(n|MWy%W}(GPqz)
zAl@1lq#0s-M2``llNb2K5d=|$-&XpEmDN~1xI|H4aK*+(o{I`mGmO?JqAN0gCohQo
zgRX~gmCS;RO1ywiyW@eXU#YI5PaH#ihB8x(c+eWEHn$`&$j*@oH&~PN<8q~?pA1_g
zYoMth+lPmSN)w&Lx?hJe3|c<O5cC1+amG<SOP#2yB3aIsoBJ@kXg3U+&$qoVfV7q=
z!>(FN8>S6e8SRxs)m2=^m@x!$h@OF|&nQoytw(sPs3ZYgG;fXG0`P<fQAYXgeeGpd
zPxz`7JdBn(zmr<oWQz!zH!=zsth?Q$>=nf&rA+cG=hwn`EkuX#!$I6rn)7=}3}e89
zVTOi{4r1?q6I~IW15dJ`7eM#L3*dmcG4%piN$hR5JE2h0(lnsTTI~7JvaNEYgOm}T
zgC3{V6>%_IlZyZg+?k4MPPgLLbl47=Nl*;gwkQ4W^M0b4$q4rnWc_;y7is2*7LWNv
zA`W<1j$M4RPR16Ra(=WJ&z<DZy3d%QH!`sJ<7Yl~`_u$rTEAyy1J)OSYI4AZ&kNu#
z(suu0?25Lbd#@-tyPS);-lXg_F9ASwDsT$eT!XFp2j>3wU~c~WUo~3YpEcS$yS$cv
z)@TQpUqu!FtkG(s|6h&vx0q|>e#h=qLaSn96;ef^V~dbR8Owg`Sw__|I@D^m^Z$#v
z1u>ZJl9jxQmLr>HkkRQ12{A6xMpK)%Mhc+@iV80xU+pHd^dnV)C#;kBNQrjjX^4~x
z3p<r0AN=8ZFJr((D)?efaQFo<nfnIE8dQWx6RuIK+<`oj0CPM*;Hf;K&4I7s1W)bQ
zM{1TLzK@ZDag#JS&3WaK)L@ySk1B51GLJ5PM#w=v62dJZngAJ6OzA-(yhg9SKN3tF
zbH#QJ&24$k2xE$5CTe!B6&J43o8WE<d~{b`1;A)3Xm+GDl4r-(aru?w$sHc!H2Lv5
z6tqRhs`h2kSS(C^{~DA;Y-*&Z3JmE*5Le=v6CWd%j8hXD1;%pg)7V8yuN{}0am8aC
zEIw7AwY;bLq>YTjC+WsPR8!oLS08v}80N|n6Wojy=)61QuAVJRQVFJ9Wbta4ZY%NY
z!3^Gm#IwYS5T}Vu$i!VW*N{c5q|dEnfr{YxZhz>gno^BMt!}VxFjP1QOBc($9HO`y
zVllnx{wE)Kk0DvF{KKmcj@$PSt3=_;(ff`Uz;}~pIkeYRz?0D7<5b}{^B2HS;@!ln
za-9BiNjVqI8K3+e-<mFmMrZjr<$U3Q{Oql_97Jxfdo{bNqU*TZ83e0ZyyPS0Wja7v
zgu=9rZRfiv9VW|^(<wbjN4dRP01qosNW<CvqveLy4`F1<IMITe*MKNE#c@1WOODKQ
z6xTnUYMl5I%#wGXf2{$pP^~>S(wWm^MZ@<+uWdKD#thy#Qo`l}*{NT!zD+}3$utw=
z^3*7ubX1UFpS^+Y^WcVqD7uD#9B>~$A8b-a7HkoeRMW>Kb+t=Jg6+diw*ZM6#+$xe
zha$UJ)e73fO4gqy9MVr#hmriG9d1L98%pdnvC{j$-*=+7XgG=X;3~8|2}bVCAp3a~
zFpwGJchUFy66aq4?!7;k(1aca0*ZxpwL1S!<f8<6Kt&S?L-t3U^z20p63)o1QQjEQ
zehvb4gp_<{{RR7eEC>9tJC;;9wL(}MGA%0-4Ax_o;rS<#7eMr5;Olf*T|2%C1~Fq=
zGwy)pwCGKt<hl}T-xDxRhOl3xxWG)QAjJ^uevXF^%)govtWUGr&JnzdkY^v?cX2;=
z6B6|2AVPWCO>sYb^@Wmjo$dO4AdY!LaG1sd$4V(oZS3~Y4*0baML#+m+KmWEE;-OM
zhJhR?Z}_l&-avkEMNdtk^sZgDuB>wFi>cMNbt|5b09p3!Io1yu-EF7mbd`WPP==B7
zh-0>fpY~~XD^kL_aGXqwtFYNV6mQ5ZH6bS-3=nvX^L{*}{{%+9+>#C!R=%?&)0*J?
zK27E&K}%qs-~(ik5U@_iAGSxGDh!dsEJBx@NaT;D_?X?ds?l?B6gsg%KrtV^(4)Z@
z`1u!q;f%W=VhS`yPkX>o`cCUJ!K42R;D?RgtJ(e*d{66H{Q?LHAnSc1ToQV9V_geh
zPW#zgZd~=U8E!tkx=NY7jxGgHqJLpN^?nJsTA(c*o+e{z+yfcP9It#xkZxs1D^WRV
zI)E80Ug^XaCho86mI*Dtp9M*!B#j=b4hu^~he`CsI(fJ|ftiZW>^fVjJrgwBrTl3=
zhET=xW8#RcZs3UAqEuy>GC!zhwcCxiL}XrW+Wq>_vzpy{Ywv!W&9fT=s^ogL(v2p#
za2)HgYh|FLS$=KR>qXNdBIoyLZzV_<xsG;{UbARjv&NJfb9yF-FGmLUn*!?eyNbHp
zRA*=lYJjfIA46C<J4g9`en{wAHf6c9WYyb8Z`;lhKtK;eBm?fA5QO9q>|W3p4FGF4
z-jA;??45d$7Oaxo+4D!&uO%q%o~&J5Y^s}Fe5=1DA|3P~a$5em<WvVhiJb?muD6u^
zHV!mpXFAk$xzc}j%-y$q{2pkoC6=MlTfU$()#4RO>vqj1o(Dw(YXXhwB|c>vnqVB7
z%JVRVe+3Tz9rU<gjW5Qxs2l4j!rmIJ9gTB~4skP94+W8f_=84;;T&P}31|u<btf6j
zqolnRbRs?@dRh=CMPTmQwK!|p`X1NMrAlTZ8PK+Lka$*UWn1EU;ta}Dm=fyh4vOAl
zn<v@+IwX%Yii^3X6L6v9ZH&b)7>75_5HnDG7x*9#@t~x`pcNgyjIQyHu%1nR5(EM1
zCe)W8EbTl;F+Spu9&9lQH*$`88A;gq8zMY*w(rHSL`P%hnb#aIN)qaj2`Dt(_dMmk
z#V8-}0DmYQGo^35B9;3jwf0fa(GlNsjTPEfvXX??)vB&}$HpdqDPkym(aG|Io_Iel
zTXA!j_!}olZOQ2vXZRKb_zQLyFuO}8&t(L#E`*=|H3n3nLp=`~ib<(c9)?ZzqBHoy
zu9=B!z6m@)$|}Gk<^X@7#DEan&+;>6of{DF+s95bPhOp7Pu8TPPzFSLSHRrmOW@O!
zeL-n?&bTFRH0{euI3vKL+t4aVp}W86c>ye`r^ft-K3pA>`>nw{Z1?f*%8uEc*EQ{B
z20OLzC&;Y%`D8ymoJ{CHaSQI6F30TJ^OLTea|0mi?*oZ^S{7(_%Y#_wLH&cO-PD+z
zox2~0oH^6z*+cFuKgv+X&(WUxOthO$^z&s0&+N!xnXo`1L_zksU$Y%2o~@inf-VO%
z49}Gu>-F+z3k}YbLWa>p*Uu)5Y}IuI4{LEuIw`KOfNbGSRq%ab;_wg<`@B?N)vG_)
zHgl!BtP?dg*EvBkcnWs3&W2WyhaHdtam7$O*6<F~vIViE<yFx$V7f&q@TdAQ*)bvQ
zMk56!%`uAm*x3dB#X%#Q7VD}>*d<#rG@!_q<E}J}if!e%K`9*<Pq72hstRoow?)>(
zej`+ya~9q{tNQXu_-{SwpQ3Vd;u#Tb^|OnJ_@8Gls83d4Wv`8+I`^~sT#`h0Lp;Az
zi;~m(HpW(25PDk1b`>NdH*|Vw7;MzinYP{FE?<m0t=YxwC3uh-90vH`H{t~-#I`N}
zq-tA@0k?EU2Lf#U^I$j5n*V#%Bm2)AFMbkmSqs=-H)hw?gF3P8{+9pYcJ9BldrCDO
z_n#Wn`$J7;8S(Z^v$1%v^lfCS8I8@MsnMX|HQ&L1-{r#?XM~UJC$@~il#WDT>$hSX
zgZeGKc)eD_lpZ%Sh%;JARY@vbtyRf%(X$mO=Fs!(u{qT>OtjOdFEs|v=tu^j&mxX#
z8gY{+GqtSRbFU89hh%*r<vL~d%vd=YMkD%UGI+w%__<bAIUfmsc4dPSudR@ot#LQ&
zBlAa5{)w#1iL8Su0h34|Ma)z2`*nuujEM(*t0!F%Phs{dib*EJ`QvI!U4el_zPq#n
zWr&0zHb?}40!wbOQPzR+EWbl!FH@cWb^&tR(_}tL!(x6w(hJ_Y8|x}5I<I8ZdWW8m
z2w4bs6*=+|R!a_tF3b>zf0|y1bAWj`Gz@t@OWSN*WF*y$9+1D&$z9?W(ZOgUV$)pb
zpOMCprpOvVJ@BqvhmE=Z>toOeebv)XIBcmBnd{*<9xI{vTm3xWFD}8nQ4<r|;T9&^
z>EXZ$#k~aI1f|#AH``Sh5wZ-i0swkVUn2qlUO8T``)}%_-<4ATe@jYB|4YT-w~d(p
z9x44_-@OU%q6hbmnPgwbh17?{HJ~OvLfKMhF-3ha#jTGEJ`oP?bo<GWR?UcS@Hn!G
z9TOz02?iuU*h^9RCy2>Nms!C=?^g1R*_K#%%mA&X`bYk87$t9LBuv~uO)JdZ0i9Ct
zEEaY!?FR?tFiDQO;HcohOlOnn_;hhANBOAO+;|*koUg6w#V`zQRN)|#vyNI?XzMn0
zYBr3;tPS+LxJt$pkV1MX2e0ktbK+8%J9!*#zMcP8V;7X#S~<FW{!XHW|7y*H$h4h0
z8@$xMx!F@Sv^i&b&iyXzoO`$atY+5;Ktxss(b{SE8p=!KK#|Y`N-)ieP|5Z105z#(
zJ_gY{q<B&%Fp#j@gS*C41SY7;mla5<<GCrfSkpcO@f;Z5kf=AwlvPHOFdOAZp|D&j
zcITPZa^sKpXiwnrinH)o#zKlyLWYj>+z%U<hIl@VF|dv^wMKP!8z_REj+yH>Q+C@{
zNk*y91-qx7pMLxw?Vd6Sy<$V+*p=?=7zXl);tf#z#;|TdQ|ly%#GqmML@q6&VmfGK
z+ccu@dVu4dmqLsMQ51nNFG*iiO>&`YNsA4~nOo_N9n3ahtS*$ZIzX+WIotLcRsQ6_
zBwQF)7I_e!`YJr@D;o6x8jI6y7TbO-)^8bv`>EAbwq^ZISt#e-?K3I1pCW8Qx{<KL
z6&`R2fv8(3qU>@~xUCtg<M?quGMaG$vA<97GGNmTuiEa_E#EDema;^1<8~?7x$<3V
z)$>gOzcYoUi4JqNw1#~;ryr;PdO0P6+eblipy+v^=weCACXs>;wsiholS#E=Z;ugx
z;Q$iu<)kl!fx3ri*__ibO|kXlNYF2&+<O?uRvml+=-+PMAAc<Sq;d5|Enmn%nI2CB
z!OMiM;whw}1FVOCe3Js!(HjJ5_>xK?5o@635Tu`s*}AZ<8I3`VoFkjNRudI-HEQSD
zR0~zUe*+H-3g#`gxz7ewomi$hTN-j;%L3SyEyzXalH?CYylC;gTw=SnV}YJIeC6*G
zRWxz=bo#{b3HA4~eS}91Y}rzM8`D^v!}J`dNuk5UVbD^XZlVU1kS}kORE<+K9hkeV
zh|DE%inbiw&ZeRo&46kq6>D1TFlucANdOOkb=xR2vCf8-9MD8;)_Pt8pf<p|SEQUu
zWY?H5V0s9O$?D)-*16<r{&F((7o((x()eF&5@4Yvm={_XI@lwfcQ>7PGRt!aS4)g|
zmhj5y6mG=`ZN+;=cF<Pw^T+z5h42Uq>oRz(@@M1(NU@Z3R0A>J2`cXQf>MqiQCbVX
z_i#+3D_*=zR6{UT5$LD<zRNH~WK3Y=*0yLxq8<ShK{W!2+_)<}M!`Ld>!84a;q5>w
z6E3Z9<An;JYO!?nQM)vNij9#1h&#0C_0i1LI}|<<>|@-%E^!id(o$ZDIlPHkU%^o-
z=D}=V*M8Fr;FVO-&Wjibt-GN7W)hLUPxv{|uJy-K+kPe~@?Pruk#@nWA?$jgCBNI}
zj#si?q2}Ks_5Ur+|9`5az3N{aas&aKLT9gJrqH*<51X&w3D_=wJ_|UjAq}_<c>%}<
z4A*;HIR$j!z&*dcf_gS->1A>Ft6*>X-)7|~w~JL{+3e|RY$~zIr7F0z&L(`Rw{=A&
z?eWM6Pqo#_nUI3#u{ai>$$<IAo?>1&3DFnJD<XH*9u@K=DZfo{pJt@RrW|$`aXti!
z8F?QZh!m#;V*<Y<YP~tG%wR6hSH4`czii4*jx4<XU<*M_PVQn3=coV2Fzl#4li@03
zwS~#8m)&c8FK>(%-oAn}4>6QdCNve+ak8fA3FbgbB$yoq+l)8c!7)Wrtu`%6Jj=eM
zt}p=Qo9wq2fcpLPoV>s0yg%Mt_eG7?s?g78x^e#1U%l$Ta(a{LdS7!H()>0p1SVIr
z7-*VKr}ey{xat6u=1d=L7)WLH5th-#VyNT#EV{=GT;I>iCUlJyN+;;or%Rt{1ex}M
z6X5AR0NBieyD_|}I<Egr>f{pnWAu!Hy5rLr$@@%0%9WOTuL!*ko9v#XluwbSd5$;N
zUGwstCi6c{cti%?s%!(lyy;77WF~!&itIIpXt4f!LtvMR+1yaoj;XxVIZ5I$6`|FE
zvx_S-?axSmBnCAdaS8@1P!Vh6tBgdcMn#iy7(ueyyGaUgAILBC8D?nrC>G@WA@nwa
z`X3!r-dn~|w-QAO^z&Hnj_j~?ov1N)a*Q_eQ(>wT!108u)ovfL?I^*Y(ruElS=TU8
z2Qk{H$;$o?DOJV|DT!}}yGNqg?#DHDyXz9a9|JQIE?9W`<j|`u-F>M1bkH#<#J;d!
zJI^qP!9qvi3o-t65_WfoMsEv9XJY95YUP#pAd)1HzOHU1jDsqkh{l4vovCkik2Dbz
z1aC%2KjOl-u?>tWHDtpN=UH5nT^wuJlMyqx;B@QdV=y_=jM9dC_p7Wh9~n)MsgZEU
z3V&y$KStan$?W}QCIBPIrGjm{mEEES@o{$Y$_@Lk+0DStCn=;MnPwj>b}irKC~rI!
za8zSnV+pJKO(x)S|9PUZ$QSXamRRl+h7eJG=?Oh;B680=W65Wt+2pzB@|)a}w8z@A
z$2X-un|k#v0cVd&DITqt{^ghN0vMG7mT#X}A9^NS&Nbr|wKbabqOYvp&qz*`c33gK
zq3CGHVd<<n{%rr2u#p7OR8n18w%?_Id!qDfu&Z4-a*=%%1jPp`XViSYtJUnqqUNt6
zJJnMJ_ytp`1nj9t8iSIG1rwR&94EvFfp8S*@RA-OJZy$vqVi5CqCy2q);^V#`5|sP
z)CUfHY1k)J)7E^Z)0e_2R!%Qt9OGTbTJn?K2Q1u31;zP+e=b3CGki}=bjrQySj<{c
z?{CNLYdtZg;-kFwlSK^nF(Hq^q?|PSa;hV7M@l}OH4_hvqy3b^0WZkP8tfYpn6}h%
z1A{op)R$)aNInHoffB?otEfdq?_mW);}e|s(|Fe0Fd4a>v7Wp;9)iO}2CCy^$ZGtf
zM|+%jTYKu|#M2|;^5(C`t5+}hxIa_Ces03CK~D=PW2)~j;1Es|_%k@vV+9)j85~gm
z1dc;D_O<-KfFn$};r%2i-T5**SvwhW|KlD?Kjd=0i0PGx1tMCCk-#zJJdMcUh_W<H
zq)A*}91?mvbzEM8=*K~*L99CNT;gee!8sd3?_TckstF(aqh9Wjvqg%Zlx!=fl?plQ
z34lxHad$^-Tv};8*)g_qxs#zhip)erOYFTPMagR!(5(GJoQb(cdZMa$4mLY*QgG+=
zxJqVcY&Gt4Chh659K8ne7)UoGIyN>12b393^0_m7E-Ml@^N)o4-+^Ra4&QJMiG*G>
zLli#Cx8lt<r1wqcu%on^<AM^VjF&|GABid6Fl><t5KPBYNg=38Qa2vp-#XBxOmH}p
z5X3Jr*2KV0#k5#RDG%&*up)OxF9cq;EqLa6>$w?Kl@iL1xtqDMgUtC!((y5?-clsR
zpYsKujN5zYBrKW3MYQsmnMCsGnT;9d>tYb_MY7u$O;@>O0Ek1(C<r$2w}t{l*@LP=
z*om()owK|u*3yn=r^=hE@28NQK({DP#ie;!<NTQBLq%LE)V8wGH>6Nn7~47sWp#`B
z`~=6cktl7;DQgzQWLt}`0pFqAIH70VOWhX$@G(&l$D&{ZfBRQ`VvWpMBV#iL^0u;B
zlBEph+RA%^WUaGWoJtz)v{kB*W5#Nfbtnw(QukT=Z@IWNqXX^JADCM1;r>9KVJfzH
zFb7plypmRm8^n?b#QRVdB$FVN_heYFwx$T07jyHvMvhoRL<*upIjYYwN5<T)F~Sm~
z=NGXZw!0bhg^qKz@2z6T?qmD!J-Tnki7cNt2k$I>0`QJ=v6iliZl7WU=FmD%!MpB<
zh%$Ek9808ulePf(blI(pF{y-9QFmzc-EeAF)msLynL-&x*=x#ZN*VWIbE;+?lvp@Y
zY4ZFvfO6AA49|hS)xsayD@6&%c=T=scD|9;tKSY7oWIq$->d52GRJ%vSem+4VLyvh
z`x>?lhrBKo+$h`&t2)u-mB+(&NYCKoS{-0p(VQN+zTea$?Hoj(M$u6=8^}l;PD`ps
zFu>h0_X97T1QvaSQzh=et-D{FK(WV!4b!Pb@88$P#Pys}PG-hZlx(u>oSu_`@O|wI
z_}^F4IW%GXtt{^N{)SfYnj0GZ__mm-^hxbRNP+FnQ014Q;%!g6sqG73^;a(N!eQr0
zZO8jrJ?8~be{pYo>z8)8_R1(u=fxK5cz67#ltya~hJQ%|g{owmDUF48YNR%cdJAWv
zt~}r<&5tg*73W`AX7^n9X{TtVJ3JjIXe;>+scd&x`-}D*KEL;5py$;Kz(RXg5XJ{c
zG5s8t8@)VtlY}J`Vwls_a_Cmh?5^xt=@KGI-&i~>Uwn^KkC9l`NP8@Q59ZB-7_kt=
z$li`Y*8D+5&o^R9G0o7*0M4i$jj0A6XUc9?ZMEVUIxZ3Fcq2?S*3;_gh-ts3!IW*P
zY;k=c#mUQvM6t%I&nYUaTa6C48#YR0QrMM(FHUK2M+Px<C}w?RVwDA(N+Mp26OrJ!
z1ErcYkduYAli2wn^Jc|ym632%ugYMJzpAKyrSrEf)FdOG-t4Q6egQ-Zkq11szJ?{W
z?^udYPRzBdPD%fQafF~hV;n~Mdi-B7F7OwO$9SkQkNp$IgON@ot*gdUqfRR(%J6`A
z<o4*eLx@OZ2}rEUzKsxv%DDNAsI;OVg@L-*pP&P^K8;d;f=<B3B_}1%{?PR6z$MS~
zfwp<>$c>B6Qt$mbZGcJL`1@j}qLI(#wm+F*(i1%KZ10B`^eBn(g{A?!sZhE7d|Rw3
zgOb{0>2npoXDn=V84<2`wKpC7z~oFmlq-myS-^CYx%C@sDq~!|X6$79p;{Pd>p>Gc
z#!;kAi$b8@?kzJ4k6T0c77@RI3*Xk{zrxa@N;r|vilA60y>a8m=x8QLdNr~fMV14l
z79p0}j^@B0dA=sFOA-Y&GSdHRV)OsJXjiu-S0|f~B!qNtyg%`GRUP_Li{F6ibEzUF
zicjjRX~8u(%Qh7Mi8ySCeq?5s8$bnnsBSu7Z#Joib61?Xcg*kyW?kS3;@j^VNj14Q
zN>xvs;C(--Z9o2v`~B#~SH8)PZ)10F<c(7J$(`zJ26OMX(Dk3Dxz1IoI%az+s7JSz
z<;&3vWfP?)5JVqQ2O$OPP^-X_IRY5N6Y&Xu%5PQ?L+K+w6?si^zK<z;^H)o#r+w<w
z-&`}T{^n$0H&|_3$s(S_b$%_SdtH#i^2u{3&Sf(qf)D-k^-d>S4Q+f3Fp7Rpl0i~3
zmY@y-|1Do3DUl1U^;Yd9aFb5u4}{-6I4zalkRQdaFMtX^%Wow@Ovge<-!^WSfOfeL
z0a*LlXOD&zzDkB;iJL#)y#V9|FB*v-lFd5i=qSTHq`LJL2komR&0kZz*U(>${F^{G
z3qH=vtr%{zsQ8er)3FGAdjvQW_%%$ldAI-h#gUCYjg7gsGj)EgM+V<!Hg>%$(=ae7
z=TTkdO9)&p&ev$C|Ftv9Yo7KPm-`<+HSj;>gZTU1u*vw>e5&o#Yq95bv|lbx)7`&>
zo(Xf$m!4O)4_^SD4nImCZSVr<@E-D&19k(*g$|f(uAQz?|E6Tu<pt1d@d9|*P<qX?
z_H*0*f$;*c4)~$}N+mH{_>-&V-%Vbp#M2KFT^uv^tGB;FL}W(|H$$~=QC~3UV9&vX
z|KJNW$N)H#u<qaph#GUNjlvJg1$!AIr<=an7b~zsv-j>si5T&i&&n9ygrM~`8n`vl
zbge6gLyH0IM26ONVMyIb!4k-w`81kS-;L6`Q{RedTys{%&%ed9-zu~%s$_gj=h+i;
zGARv;9<H>67z_>dT9^r27fH`JA4o`S1fiiz(IE5YFCX(hr@XF8c1*#qd|Pd|=@-CY
z)_viXjVPzKF?)7vbIE|Qp1AInjra3|TI*LtLWB@#&mhI{_Th03+`}qqxF<A~sjmfF
z-qV{b#2npsm!!=u()l0KAlQOkgv|u#A|c|1hqUABw0zm(iPOZbcZZ3$5C^I(kw++~
zy{IyP9K#!0QhhNxL3O}(6=2>eQbh|Mt~pUdAv%6waT4ZA6^j=6t&^^UfG%O5p<OJj
z`NUqusuQrYA!r1asXq7wu@SM`ko1&5gll-rD`mA$?C`vgtNgH;p#Vw9b2sbwWJeqZ
z1f5_y-?pS&9-`FB({Ry=7Nfx#i52OWaDGfBIL26_HGAA|#M6^9#YCMAvodq-moqtG
zpF2*&L;jEpQJ9f8nSwD*WLy%1GEQ-#5RZc{gfXJ%qMDFIjo*&=p_G0+o{9Q_mmin}
z#C)%PH1){ailqy>TWl$Zz@GhN<1=S|upb5+Q#OP4*NXe_olde9WVi{aa-JoKo%(}!
z-LL^RJFfgNPL?PFF{@NMO+2r-d9a^38^@$T_C7FuKUFNp;A3mEFu6uk9^3|0Co7x-
zQJ_0tl7%^ebe#M?Z^FC5f=|=|VlDTt(5%$>-|a>G`x5*g>hpg}+$UZDXcuVBhacw0
zx$LWNhw>h<JW&XRV(Z6l3phrZtC8m(_)0<Ny0HOds1J!}m{CTaPq|iyEJ0^<MDHw<
ze6;p7EE<nuBXoGwM*w6}*J5N9W_?M<7@_&8AFQ)wzHd!a_KfWy$+zA6DNrbPu33?d
z?-`rzn;*_%9)!=cQ-ZUWtO-BjS-Q~;S?)phGHq_RY#!&w3RtaVkzA^d@pL+HAs4qw
z7;#&*Eyr!rIdW6^4S-p%rs;pyk5o-s&X8d@IhMx(1Y-|Egw#ia==-VA#NI$I@Fi~d
z<w*D?58|df{kYE%&G%@VW&fQ@e9sKWqyee7?D;?I?xqLA?v-lWa{LAYsBPW9y9rQ%
zZ65b54J{oQyV}VLFI#cH`(}4RwJmP%rg{C&;1K*yC8C|2{KLBd7e+E0w5&&-*rNM~
z@WZvYSCU|(V^67=rMr=-o~aFxm$Q)6u08YC9ls}>Q}uuAAif=XCpLZce4sA4NXGli
ziA?6^7HhiAVJ|wSZ~l8MN$qufwqJHv#nqmF?C_dy-<A7!)Lq@s7~}mMl{3?L?TqOH
zL5BC+YUBVvvPoqB@<dpbU`f&t1DFaox`7~phzF)HX7=50H=LhDFPw_Zf2Wc|gm-A}
z{?kO6UzMQC_Z`8+lXJRU$IVe9lA!W!QhvijD!vDPFVOzT6IpayYtY`=7Rhic8u7rm
zK;a6QvXLuS+*fs`zeE^tFO-4*q(+Ne2p{zhxeH1CSSb|N3+JaMx{f(`?$`?P)5fm!
zZ&ljFzCjZje@It;(DFUp9`vJIT2m6-?oHt4hg0hpaPOUxbo=RkRXHAiFGS?z05`h&
znLpZ|ls7cROR70W!oo%{>{oH&C;32#9|4?f_a*WKk{I~j1fIC%^SP+VS4^ih<W1wT
zrSr2mNZrHnzg4N{-;@;8(qPZCfUKyK)3bfeRH`5T+&dd+iLHSiglhsWXuzvj8{&wG
zML&#7IVr?+0Mya*d(#{FH1;S;)*tNOnbpb#i3#>Jzv_utrIIO?7ct`bL{t4%C1169
zf!B|5oSTcC8DHmyV*JQ8bP{+7d6r&2B~gOETzLWT5-fdP9jj%LI(oDl>LR0a0GxBR
zc^=r#Jk(q_>GA8@EDAZnYBgX<y#4kp4tHG|S7kI}XmEHLAX+{>L#jXiP5#>nY0q>E
z$T9l(4XR-VOAh(v#`187TfUEB*Gd`uezBHZg^mnH&q`srMKyCU9@h>Cci*_U?5N71
zEVgWN8WKNDP<8SX9TEix8*4=YXkv6=SmCQ4!{k^F@Myi@p`w|WJ$mgEIm*b!;KV1k
zvqW0XERCpD22uILbw>Vt*nR2c1nfUa)=F;rxIxjX&V&3C#?rTBI6M`yl_H~vlRAZx
zasn|Mx8lzS1IFbuExBgdX$MSGG~M(OEU*6ea1#oVM@j~yaVGb&FK;XTyQDgrVdf)C
zN`-shJv26M&YAFcCo9*a^jRP9gWc#5WaO%Bm)MZ$nmypmLpv8mrzqVArdysuZGWBR
zwbJ%Y8`rO<z_eAFtLIFs6%;>YF!6rLw^^IfC@d^?jz%zVYC*{kEZ#$G0OEAkr^6?<
zXUgv6Y!WPDXM0CEQ75mdQ8BXh6)NarrsIDjC9&}RCSQ);P|i$9E?N9$tsp}&!3|tq
zjOD)}VEY5fQZHPLA~ywND{-hcp|hB_@8;dZ=)Tg^r03Ip+VbX|{O$$aYu+)}?(MOu
zX}~^5y4&#Hm6*o2r!z0tlpkNsy>rFAs!mruYKaaT_GbH!l02xwphWdUi&AB)SSV=f
z8I(#yfXjP(l8ca<(HL=$8qAsdF#H;}haA~na<H^VEH|HC7r9lJ%{M6;czy*1<vy_9
z&p{1js#fx6498)TA|FcvauwG4P$JpIwI=i{=OXzgu?l&8y95|;CMH+D61WY<$vDK}
zrxA~41%mWNmu0N4x2r-q8R4wmKoC~4<%7ff1eAp|<t=P#OmHf1Gu6UPH_iaE$Ng(w
ztV3eW2R7N7np_dT777Ct*HVbSek0^I>$Y&160@4^XhTR|1f@+)NJ42LoB4hlmd7;N
zvs~NJ$H_RZi1wn<r{+a1=&7PX+DVWv$;=lagV>!&;CL{jZtob_0Je9IIfqZF(oOT4
zPqSPt?w8qB)W&QG<E6&=;1mb)nfGj~*V9&?=nUn<B9s-!zmpbIRectyz!$(ygt8^v
zzn$+(V6{0HQiFqQye9eD0$X@ltk92AXtf+$&GBvF%NjT3J%sWM?&;eF#7Y}tEma2B
z{M9$L(7!67#kIfJ;qZPDVNz3sYLH5$-1SaR-xVZGnf~T!!}FRF?d%=qW%BWk5rm6<
zgJqGQz(kyiJbT*B$u-3>dWFUOVc<BOHu;C;oLK3-<=7qmL`k%(uQ%g__Nr$AeSU|M
zwbO*?&eu*&Ll4^2V%ws{&~dk(x=yuoB4WM<7si-#O(bTwNtyJfvB2i9^5%xs(#M~e
zba)5DPHV0mVaoBA@qc>6+?v{|*b+8}^fj;Qb3LWOa2I#FSrial5v-EyoxKv@-~Xtf
zXPL`^&|*jR?94vu##m#?H>4GdTy+1O7tM}a?=>akmo%3-R88z&Fj>;1o+5FG=L1Y?
zq)2yd;a^g!H24L!($<@o2v_IGCc?IuG>DW`wTbbXpm3I*!Do`q=L{vD^w)jor8|p~
zsj1g2yvRS5iOFrHl~NvT!nu}2V>|Tui$!3Tlu2Fx5(z518-Y=hbg(J;^*E`1E<Lw?
zqSBFFbiFl&uw6)7nZS~(9%URp0lRZEFB)>-K{!O3?5`*~PkGBW4Oqw8>B2O4Iv1r+
z9K+sY*rIPoj=8=yitVl{zT?jS8at})GGCIJ{n34W?b8+W1${N`CbcYkXZu=UlJBRx
z3W8~jm<iEx(-9a|U!sc`uZFwY1ln(JsEb@I*5?=A|M+oRZCPiiv<uD8)mU$Ri&>R?
z**G(&$7C`W_6roG+zq4P|ARA%(5Pbb14Upz6X{W?3Gn;M<1aLF4=5WYZ{y@MiO$sp
zsMnk<5_dJ}FBO)03l;qLrtJ0o+Sw0kn<j}}vI;Ib4q7;ikw2aXuik%6i(xwnWjDF0
z=&j5y!{-zKbQ-1wB4!qo%vXthuM=iL9JwRH=A7KH#GEukM_GzDb6WIHGuPA7G@TEN
z-1@`1?4Gw@FPM#_W54c)Wtcm232I-<*{Zs0M$iKAV*4cAQ6%ydotYunZ@#jl&qe$j
zxrIVp0(0~sd6sA*t-F@klvRDjsqWh`ME9z%Q<i*JDaZ<6^iPnUH??<dPJmS`4-yip
zKap>q;LHSzX46;H7SN-DVB}u_f|>0fiEz!r>eE^ul}zLHTt^3)1&c|OJ{?`Y9jlS#
z=Eam%&`x1aeOteJ!0bcvGhHp4uPPIdh#^0rGCuP7tA<G_DU28maLy#(T8j|}INoMc
zrRn^R_5Wk<tYhM8ygrW>cXxM+yA>(!?(PikUW&WB7T3YuN^u4&HaHXpDeew^mN&cE
zWH<X}_xI$@TAu$VnYlBQlY7rS=brQZejphK-)lA<=K5nHt)!>tIXoe^ExmOMC*{kq
zXLhc+nWRV6b04O?l`VKfS69MVTtnILqPSfc3z``UdUOmnj!ztNdAov$SH{&sWi9PM
zR>k7xXyQrb&BC~r81e<7tYr;}M|w8=8j5n+Rk)c_DCmI;yys<^3*WqBAJkpeHBF$-
zE2z)bY*{1(dbnv2KX&8<#|l~<T$jz9^{y6gtm=hG`MkhpL#GwYiCdqyM!U8=sH%gP
z57vhFHQ?2g5mUK6hou!EAB%@r^w?|)cwjB0@NEz~3Ek7GQ3Q&^DTojY8Ly9TCK8%;
z7ra#V!K>9PTAQUNZV-~uuf`9-gV$1~GIT{j<><}#HRo5Z=VPZJ>!3)sG!E_hTta~`
zZ-K4Ff|k*_^>r7I$Ct=U3KR$$kPD4Pab@Y+DZ?LTf?3tk5U-qShiXh0!IYJ`FvXd3
zrNq?PMt$&Cy%Mp}9=4?XNrjN2(1f-2#X3I&K29Z6ho0x3yrLQHu?n3})6)(76_QG<
z>CQ|Wp9lJ+C7Mdy3I&D<JkN0uCZ}%gHw!9JL(8{N`#ObNS8HnK?S(ID=?XiP<p!r+
z8cS<*mSn@HS@C5CXyn?7Y~p?Q&6bK`LP*`QcsR_d;A9g$6iM|Sw)`MTZcX<ywQMP3
zQ#jTq*KGrvimSp<0U7QN;&0+EiniwgMvl!=1Zqu_m~;;qW9$6=5woX7{iXZtkRITQ
zM_z~_<;QSo7TPuh9!0)|tg*s+RQ<-Y4V`b66k`A!h2AzjGxF}yPPY>{`~3JkWJUZG
zRNBtJpb9Dfg3{G}7Z_sxk^KuQ|A9?i2`?I?+j{zVlw@7;F@o~QK*5EkcPO^F7*&;g
zy;zeUjx+awSCoaenzmolQskO;p=uk0hRaKmw3LRHz$q*e@9FoAl@NZVdzGmMnoY^t
ziI2i+Di)?Ua^8qHPlN*PQ@oKBpNe{jDrMOi<(@ef(LUVOA#R@~J(1;NS~i2K2?byp
zt*LIQyJH(a?1}07XadF9%6`BcQO`NY^rw~@FO&VwhpWqrF0nbrQG}$``$G5MV)Jgt
zb$_Q;y?b`rO218WkS1p7nU}~oLk&P`vJ{h+Q5xeFuME03&Svu1=Nw{MV%eBhAN1V4
z8JYqO^FsLucnHjFwtHKPL7R^x{%`FlDT@BxX2V~o5DU`w$DO;Or6a?{C~59-J<eB5
zWea)(;CeMB(gG5#b7$e!zm*;NNXl#lg;DxcoV3Jc2I7bw`Z+n!rc(CkYMWwe?FL_A
z6eL!WTxERD6aRM(O1M&0yLtWIm4VR~H4{uKJ0BD@d~;6nL}S_bPh0-K_(0^Jw)~&A
z{NHWM`Rv}7{npsXfNdufonfr{NF{l<e?d{hJ}r#va9FW7cszbD);j#1#I}E1;dz&2
zYP-(dDRV~<nRZ|l53uMgSP08NN1$~{9S-r4G2aV=1ic2dl@MV~NXdQTK^u5qisI0A
zYWLE-(N}qKI&^wKc-La5JDk0b6nGXA1t7}*H@;Zr{jbB6A@+l)w{D8d14vQ8<(F69
zPn!*IZ9}tvF1L?VAD4?vuuho^ftLp5K0S?0#!lKVUa{upbO9Fp`y$s-R+JiyF)WHk
zqE_nXL?MU}HUpzo1r@S~D0N7o@5$Qe%@Vk+9Y1uHUR+eU+f&E<p3Hl$W}O;f`ADYw
z!7j?C{N1pF1m6iNv|nlR3UBrEFY2yIhPvIc8D(zimeZs?khXedv8|22%~Eeu1hH)G
z37aZR&jGMx^a37ZO|0%ib-uhdM?TDTV`VPaZrm=pV9<{u&1)W;Rr}A^h{$I!5EEJZ
zptAZ!f0LEod1qm#vj(FLe0{dYmX%+d4Srl|S9I>3scBmyYe@-8zN2v)cim%y#9{>H
zKgJu>Ds<$>YVJUmUpHeT1_cYKKBk)e+L~&bKGu@LR8K@<apN)vRHx*y%Vl5U<ykVh
zSlfP-N=jRoZsv#=Z@qd+2#Rtpqhgg%l_YmWCNm4b@>Xn<>7^6bjxt2{vr;Pa?^M~#
z#2wYE5SfF>vG|$g(uH%4+a;wExe^GvCy8~3sNDx;*__~9cy^y5<q2-B=`6xVxiAOG
zwp2+uh+;3Vp8CVPUviz2u^_Zx*J1Y`h0^SSx))GU37gGhj#^(x6FPeCdACBPp?UXZ
zDv%4C5+a-L&ZV@WI}_JfaJ_71GFaU?m7`|Nvv^%gn-p+<iCBx+{$c=(<|-GNo@mzI
z?-$9r@Xc?61%{t$XYc4c&Pn<zx^2hx^h@sU;MfQ#uCDV+!k;K`e}CX28jCBEvmEt<
z>OHY0MC0m^RR&@?rmGXM$P|diHG1P{jH?4$>Lc1tjtaC75;D@5i{najl-<ER!N-yL
z8z9vi%$|8^J9-7f@(S<Q7aEhU9zzZKZ&>>6rv?SdavyV6YER0+_ffo=(<QCk4VoS)
zpP%Rp5^2d}OeAB9Oc_vxlSI0nPNr{^)&gL*HHzEo3{Nurt*MvcuS=b^?G-lSJSMLt
z)1*@!kv<@$$jd$;79qeNiaGuf`5KmNvg5aSM%03Sm1TFb-7_d}<I&G<h^de=qa{PP
zmBXIQ?HJ9H)=pZg!#4P!9@f@pHZKRkq0f%|1GW1!H)4OR#oyvnv9aduq@~j&>#-~p
z+ncU)QH^%$M6{6S__|?jNt}E<*a#br^{n^#o?H|$e6{YJeuabtH^x(h1GVKGNavaQ
z?8_z&<4m=1v>{zizN+Z3XFX!g?_k+ZMhrU9PoLeIGA?f;e6CQp8MAQ^_sSZB^d6)n
zq36fgwBbaQdX*7scv{bS^+?<7l_1=qV6$jY+i<uQfY%#*zl9PI2_0aHPng3aunsih
zCM(4XHcx3H<lA2j`dST<Uoa;yazov%brK!z8IVrt>$|7vgIB>ujOyW;GR@-iu*XpK
zQmo)?uEd{KmPlV=vv=KAY`GC*@`O$ECrf6Qa><s+GF08QH((n@$GJ!Tf?DFU61$@X
zRPwR)G_G8Kd#W$QTh-nB$>OJm{^I76A6~3s<Tl2<_@BLN1JMW*3oP+RMgs@y;40vT
zfrk9?`ym3f)OO2s3M2?0XJ!PhhqYtHc~cf12){*3aE+jU`62+ukD^l;DOrQ$x&4s1
zKr?KZH6>c`6ZN&c(p3cn=+_U+`tGL}Sgl?+1##{#Tiq4;n&)l*1@-pu<uz#gnuo;Y
zaP#ieTlmYNWyc@yPmfDqw6=r>e`SuCeHhfB%V1&TdEpB{ZUHRW(6;c9At|JDYPYB_
z8YC*()!m(E_+*<*GUdZ?aLp*Kj7%6#BIRIM=u5wp+VmIWnR97v8SVoU`9AJtwXLpX
zSJrQmE=QO#I#%lGXv>gsBomp3vbzvXkPzy((Jyp6xKI;9<e1<aY|mrS!L@)&j2f<0
zA$8!@Lh@}&k0<!UqM0MUl2@Fdu9;}#?GKA36V^?%ELl&wiHe0&cfPHQm1Tb<T)5>7
z;%sLBQ9k0y<t{X>54*y4b?QrbLRwAZBYYHskw!~{i6e}vAy?^FMIi+SyB3HV3*+kg
zszlpF&2GmdM^SSC{c?u&J7^CNp?bknCMFT6(*bgbM|oPRz2H2nM%F~`s@nzCT1IzB
zfr%%NokuuFfpU&C1#Qg54!%<<Uz~E60^j&~BfK;yukSf_iMf^ve<Yjp+q$7v!pDH!
z6EExp#B1Dfv%WM_V-eTsaQ7jw@BTJj4`OWNUCwnUSh17#bl>kjTu4#)wVVqr<Wy7j
zA;=($%QE%;N92I_NE{SWJfY3!LIkN_T3#KAJb9wXS&o{H`nMIR4{RrGp`WHreELH-
zTk62XSAUM@r$RqfF_;k*;oH;js0KjtIYwkz2@RGRfVEZfHklbVD+oKZ9I}R0S;|Or
zgjhu#RGe6W?el=n0eaDwVN2mhd5~DoZwXM=X<V;<Ire@No;XU9JZp`&A(1?&yk_w%
zql;1_eh^hqa237P@&VP6O&_#gMd>i*e3_}DVA-Mo5Ib%cnh2F+u_}hK&A@BZ#OmZ#
zULLD@h)BUw;<e9cVlOCf(HU@^rCQ>Mhz;JazhhDJ@PG}GVA3_lDU#rhrx8<2#n`x%
z^SYlmZkg`UBKhfzYltU<o3h5#^8wjBe7xir(oH2dOf~-cl71?<w82KC)a+b}GFkqY
z1=OZIMqftT8;$S&j@I)hQN81&#*<cfFQSO9Phk4eJ~r0Z=Puehz6#?8fqFWiZbftm
z0AOkwjX$GP5T%dK6ajDU+faKdG%*SyGKQJ1=7AJ-S1fpq+|OxuZRi?~!i_8=V2RWk
zTs%ss^NM@!+u;iI^$RdzlSM0@I0zwP`*#UsV~aX?^cGO1xx}@DGBWnJN0GG8=5&$*
zrPk?im<r0Im!T|bt<5r3EXgy(Gc<np_dFTOL`Euo3+(K0qDocHE8rNU+QP`UTZouq
z>sZS5?{Y8)-a2Wqtww>-j@O#wWE%Lo?zW5*uvd#Oy1Qirt>-i#_bbHF-H5c*k_w?1
zK5S}jK7ZJ>s!4oT0|V=i&VQpF|2%zj)~N?ueCOTaVr&E$x#1Y+*i;#1_t?4nF=4Yb
z@#UhByP|CYND}BVkNWD)-;9?tD~a24$bYO*e|%xiV9KqQ<CYm#MQl6(5IAYD#p89V
z(rA9mXnsn>WC}s;RHhBQ0(}~+&8So|gu^h|0tAHB{^?#<DsWmRo~$4VzG-mc%?p8G
zn$)ah-FZE4K(u8ls5I1(m$kIVn<;fO8Ku*B300U`lzJ=kx88&>tS4zWah7*|nz2#$
z)(G`JW|)?=iJF!XR!y)%M2W<U$1=sZ<_2b)CyM)7I){tX?alJtYSYpiB~(1561ftx
ze_GJ7hX=F@i}UZNosh-0-$)|~vbVve{HEQ^u5KHa)rKr7l{_Ara%=nr)wmXem9x2v
z%9SpFv=PVf!M8i!UeMFop*_O{SeE>IkfkE=yYtDYC(uRjq{=|o)v+rfQ8^Ga^tqV<
zU?`?fEf9bbZ9#GvGWKmeq?jXgobNjFN6%|SgMFmsR?dk5e*02)@T~o^tB9kt(^A0@
zizu+o{~8p}^{ThYH3i?fdF>$Su-f$6CM$wV^_{0X^}>6pU18AyNL+E@&{5oU#^QY0
z062?aJNRv9epZu-!~?!d<y~AIHEC}`^FT4cTw46_QcpaTMLeA2$T5ZkBKvJwUb+C0
zV6A`5l-jf8Wwglpm=~51|1dr-ePN}_);KnL;O6l=<73@yJZeMAYP+?y!frNiS+;Qc
z=C2Rv)-6cGBmRhzE7w4GGL4nKNd)CDrQnmLd$DSR*n0d{7uUv8FYPZt0FvgKzIOJn
zj*c;HG1{F%6!cKky>ek>{G5hiA_X`i*I{2E75HS6M(tD~0?~iO0=8!cxxIS%^EAFv
zj_tDkESg1RqDk?1wd>F!Uq0smNqrMlF$5#Y!&2XO`tw>k?K-1!g_ltah11(td)ZBk
z4pDEUrG8)eJ^>JsH~h;w+P2@QL+edCjnHF}!+i@6%NaXK``%rf7ZU6IeBC<KD{Um=
zd+t3d7NUXSzTcy#X3tzx_928D`|cZW`vpl*b~y-9P~$DdC#g!Sw%O7oE5kfYqp*BM
z<92Y=RzYJSHCCbgo4p<7*TPvI`3z!?rTCm{%G5gc#mbMrYBac}KziLOTE+HYd11JS
zoM!E}0>vexMb>tmsx@-nmi2poqs%k8A=BoS`0C8#CBL}@HSj3)k1N!=4j#}I>s5*v
zZ38Zt42|e2hBhKDKlt=he@e|9ep$1$!BxBqxvuc32r(UXTbZV`2LTn*D76BK%7$}X
zBB1~>rBZ3r6p?_1)m$QLqoSCx&L7_L9-UVk?OJc==+^l8w1z)tE!8XU5FL=WtrhAl
z&K%W*%y<)hIt|q%{HS^0c};I(_E>nq6obq-f57Op?|u4$6ZeqGWQEr>@Xi$&P+?=P
z&Cp%saPkQ6;1gOyvM!1bMC<EUSH|<Mzx`R7psPGJAmfaNO_t+6Hs;)ykl-nBQypj`
zsA#`01(v7AGf$53&vpe8PBPXES0@Trx_L}on8t9CD{tMOq@E?tmpL8bML<;uYm!^k
z+MhGUGlPqem$3E~G4!=w{Tg&h^jkM=mCC9`;$O*EcvB4|*G{5SX6#rm9l<p`EP7_&
zvI!%D>1O#TRgp?l7BytW$fSBbogg=7U+mhC5&(u^+*H<fPcSLvH*nj}3#+PBjpjPk
z%$o2(TNSe)Ig7z<8P2y#2GVIb^u6Rj-%S9Z{m0K*dqpN57XozVc{gt~r(0=ZzHDPh
zMSvzqX+YV}8cdnmV>K4-;+VqbOnQyDQ$rv?LRHr?1FiP6=P0sqH67q|XuLer<^oWj
zU5*4g&ve<BlUY*@!LtEQ9*P{r&bMxUi<BuZHCfVmT@>jD-Sz5Y%WxnOqnG6n?UVJW
zNf?UBGR_KD&i3hyokI>mZlH-8%SlRg0_5BDQx^LC-*<VxvdwSg_x6_7H0ANc(rWPX
zdq%xR#(^AHR;xB2<23UUE9vbw(42j@biz8+S(7{yYa0N^0RhUXt!KXe=Uq~X^U8M3
z*i##O)uVBT%r<=bGZnhY;)B-o<~IZp>GNpI&$$h|XYSFXWA$E<^&av~JjmQl3&dUU
zKY}tgoz9ILPQSG+1${e}1FmL1WGQ8vU$LM|oTj1ca^%bsTtP%}9Mn=zoA^@NEK!3x
z+TqJ7v|~5!RuFZbR_SlI1#DIbE*$v_4vA_OX5`{ec74|V^Yu#JMpTelS{cTMK`dX|
z6Vvke{p)kreI+{w71z}A&s)C3Ps_ybGm^rjeD8zC-Jd#`$s1qGW5V>J&lPS+OHDd+
zc&qJhBQ?583s{ss*D4=*CFnOb6SOnB4PP3|cYpRye@P@9(WD`_AL6cMF15st;TfO8
zX;whff~D3>kT=B1ZWz=FFmSZec3RTzIF9Y#(Wp2Qb=d0UlV6HbcQI@8A-bMGY|4zS
zL<?0Ho)ma_f}iA9SRTvd<`NO`PgN3&4T_D}lPQ<B&1}H|eHfL8Wd-QAIwZy~HP3Fj
zCf;FT^J}viEAipH`q8q9a1XM+TvWTha2EHvFxbCi;7F@)^Hh`aWKo>^8t597;!(&W
zxd5Msm0V;f^glf=U_0to4po(zZx&?OJvCCZrH9Nb$qgc@M%7%jkx|HkUoi9y+8}3N
z40Mu9C<K<#wO5cXxUHxiu5elQ$BW_#^oC-H^k60U{BSUaLh9TYsLrN_hSR)?RP}{+
zy+o`AyrxGh13nb?<s3wBoZsv$te$ZFP}WzP+qY;M1N9W<GiQ*U67$Ik_#x_Y8j_+r
ztI^_qO~qEhEfk%BlvBg^r>PtZO?!4nxaa_4-<0mnyM^jglk~NXIYGN&f&muuP<38q
z+)zuCQ>agoQ^oJnZ^|sBh%gbln`OX02WJywTJln8aP3%gftg05;0JC@6~-wpIWF4t
zH%xPn+h%)il<HV&lW%vkZ2H~;haXQ2uouh8Vk{JUIOz_WEaYiZ=Rc?6T;$e}Es2xC
z<?q4F*z>~6X=#fiYxb7GL&3Ds*LF-7AMm*dH5?Ha=>S->_knj6-<MbU&)L?k<tmmP
z{CG}-Z_d$I?j!8T@-{>#7~H&7dp3e5ihTWp^n;pPf2S-*=JOzB&|p@u=A|=x4YCqu
z&M4=kd8ZBFa!7OI*U3}f%S<GG&Ud`Q)oPw)bGKfCL;>v-HPXG!@Zx$nnS0zc^im~H
z`49$HoX+QLd7zl7Lq-O))nJn)%%Gq+Q3pDDBWZ$SmYIZTy>=?mV65eand0d8kqcbo
zKG3zK*;s9sUBaVcDUH-(%Za8mTc$9Oh>YN|woK;dc=<w-Y2S_4RKLFaQG~3Z%|5*o
z>!B$57DHfzLP%1_%-c_gTX5d=V=RL9QdQI5x148r&;J9K6aS@6#{cjS{|l>;Q?vN&
z?aIclMN4Q=rUreTT5nmM1zS)YQgQ5k4*cmP{3K7mn-G7#RgRx<kv|1S27co{Gb+Vp
z)0<uVX>a(DR`c8M93}87WLf*D##&P6bYRL6{Y$e;1gZuzs0XQjsGc2;_(iBGVc!-(
zPj+dCg>*F>6K>G!%WGlWSGS!62}RBlUVx%*ieff`m{=zY+&1O?%18nq#hYDas6KTX
z#h-Sfhvj#R&P>Kak)usTNI{%xzSv+3VB(Uavf{I7&0R|lwg(oM!GOu#GndopI@li%
zlXp;~f^x5hrTTetQK;_l<ly)bkg-TW?|f@gE|X+0C0d#0m1wll!pu-P7T1orIx#)X
z>yC|F>4KW}TZss+kXxz#-S{~2(+%M)79HDJnk~odb<~`UM+)1iv>tl_i%pf|Aq=?f
z?tB_pzL+MLr+9%Y%vJa1z1|}&XT+h~#e!$9yEaepb)HXrl`-zUt=fcG4HJkq!@O9w
z-nSW=Zl4o~Qt+Xjd;rD*b(WX0y(ReJ6Wr9v(QMAVm^6p8i#c;R*Cml#-Yt(b_-u_w
zS3W6TiNPwAXm#{gTjBOBcsnrzNVqsH>F-P`=ULm9*J7VhG_(#H$UfGaO4{H%^dr{=
ztuJsne8x-*8HrUYAOYufEXTJ}F$uj`=O#N|qcMUVBIW!8yCvk}6MOK5g-EzyXo{*{
zNK<l4tXLtF^h6TJ7o=A=+&`z|bulG@+3-^R_5zO<WQ^6>jd8IW)r$!lO+Cz}c3taa
zl_nIm-*_ra{pAwYxs}vDnjd2~mn!xO%#;8a@<zU@u|;Io+^KZ0`JiPq6dC|nJcCjP
zNJy7yk(2t?Htb|)KTz42B{hWFU*_u=M#SLk8YJz!xJTtul@@hAvx|&Wc{!he${{%~
z)T8iS>$?wl&*^m5{R0<f<jVW~_dY-k?NnpJC40Xy#nDN|LEUHOdQQCDU=Flo$8ke2
z{8qZCz3x23ktIwRFo}|9?rZ4HH`=eP1ON4M8B4NJa79|ZUXvL)<D2C7s>^35FK5xQ
zm=B!k&HLH;HJkRz^Xm*6D|Z>Tk0pco#=!Q$guBt0M&5N)Rs!XaWk7A?+}65XdfRN2
zlmiWZ#zOMIEmbI%82W)NbU%deQM%qb$-si{S(K}Y)Obyx?AtMC0V^nOyF}l$Aw!VY
zA$r3sGW!G)U(BlQ7;e-a_-A1JRN3()A-%KyCfR)y!;x<y@gqfiwYc$0x!3G>KehK+
z@=)W_`kfZsmOYA>c7nBcd2md3K!T}*qh4E;6-$d)jn<9MoAAntr-g1+Ry_kD*h)06
zScPZtJ^{gDlk5~g-n>G5CCzjUa!|asU|F7Er{t{fao;DW7D%rN;?v61KB$~5&4R{D
zVE0u8o2@F3e$vWkFyYYp$hltGX?PFcJm!&RGz{8W0cF?!kgu($F*#le|4LO^QOhFx
zkV>84a;o#<xZQ4jZ)vpu)u<M@@|$UQW%Tq_-uCY1h^5K{X=Ct>1|E5fCs>eE;%5*^
z9P5;$l815{>d3ew<<Pq<j)*?9GB}^QiW=xGxVbj97cMRo{AuJ*x=zp2EIyG*F|)iw
z>!A1#23ykI2Xh%5w1pYg-;~B_i;%>!E@^t*-~o`M$s`--C;GJ7^B>-!7hrA~N<xJA
zAHuat&SCn6{yV1bKxi0OR|T|}!Bnheyt{Im@DqqMfd=rMx2nR>JArR>UEq#V&$vC5
zo6P&EpP+Vokn=~8U%P17g>>upIsw7&BZ9NT2zwtI4ud|5P>^7R=5t8iDPFy892yOI
za69C{;joRsjo`st{9<eY7kfV-t8csH4?lrdqfo9V@%L3()e1${qjGB4HUzFn{oq#w
zZBa+wX`Vn;71=X40#WN*vmQ4?_BL4`l;h{GrhS^3u!lvq^m6WTPzkvbiGnsTPji9;
z&E2sW<waXTD6C=m0OXR*GOIEY*xc$Uw0u~-+7-H#HNTz<(ndi?Z`yk}4IBdBx6aX3
z8gZ+W-bPBM#>w7*+knww*v^&4z0&85cYGl9T~eLzV){EJZ{q`85`ruGOJMoCIr2f>
zr)jxM57l_xb?xD|!KTfvA3jp5UG&=O{FYkjfXyMO4@-Ehwh!mgHRTP~lI`BZX%AdJ
zTEwLl$KM#AJ_~v)5|fxeA^10*yxC|9B}z&FzSw;`d0zhjBj>(X?=8LiT^fDB*A0?2
zN%leY#qDzccEGdvGw!u47Lo1phmXqI%i13Yj@LWceK}XEdqN+&&%iYa8k5FaeOQdx
znJI1FZ7QYnmem7(QDv;iKh+cWCe|9quMcKLzDrkop3h#r3(CR+B+(jxy5J%4A$zaJ
zg*C$&V=l_r#I0rXs=T&0qxmKSy!4K3N2176M<Qi7W6QIf>g1KA%p8Y^%O=2_E}MFi
z6FZU&%VJ2$EWUe%l;tXReD;}x6-iYZ&DEiVy9O+22WkG-B^6QU-2@WeoJOBCO}hG2
zqnMrvCUe07>Fn6z<xe`RY*i2VBlA8erB10r#G(jRU^Z_&FFbD}==SFJWy56(X(^zV
z!}Tt#LLzHQ7JQKX4b;Y0)Zc%=7J~skwr_WTh)*eYI@Vu5zogl}#M}qboV`G9rTWi;
zihMsEvv-_)LOFe2e$&4H3+e*n4QFegqW;*RdY{F?@I*|!Z8iLq)&uNJ@}_)atZX4!
z-<uKwke0RvFFn5zm(!6WC~egz^T2{|BBlFXR!7okS5>Q=8QE?(#OL^nd=xgF8#43~
ze)d19^?nZtx8Eh4<X%q?6R6E{#3yxiT{%Qyz@XtC9|GTt<Va=sMfVnd_3h`mT&ARF
zkyM%$@~AFyR!pqX&>$O@nRI`GVzO0dMaJ_*TPja6Xct<iwdO*M*S5<=XyY1jSk*`S
z@!PFTlk^b>h8r@{c<8oy0ygyCaSNzwQTo_i-K}vn!lw|atbPAOD-Lm<H@tP(>jiP^
zO1zC|x|H+)F-1s#3ywp?Gl}~?Ot$VBeLLXWS$#*X@Z`6ijx*LXT!1{9BCsyPAYAOe
zP1Cfj8oj$)RStw*tp7XXt0TrhCaOG}6D;UC3Mcc`rup7?b676l57@^O@Rq}+45r^4
zBHu-BjTMzI<t9+kQ4*}xzG&H?tF<1lom|vycCxaS?Er){IK_j%rkYV#p$kB=+dBS>
z$#&pqF7Ypr*+5eW6jmk2LP8;x6skli$U=cJ=VlOVl$?}1)9+vwu_Ot#EREG|tp6Ds
z>b+3CmVbc$V`~y34+SGH{BNMyPUyR|hRQ@Kdtnlj)AC{dW&UobH@OIJBqt`m@XYeT
zyhUHd6)WOs$Y^+dNg9$cxx8Ce)y<ID<?a4*&{P+H-bAcAxicRfnF0qYEEDqpR(JA{
z+a9KDD6i3xP?evMI+7W=<2$+)&x}YOu9is$>d{Q%8u5K3y~ism07)?{Uu$Y$xiN4?
z{gWK+jhLb2GiWySGbrQucwSD7xe1M%J@=^jvTs8cgw-!Q!6pY6>$iKST`+G~cMHVU
zl!h<NsI5EXQST9DlF|CCroWk?g)P1u52~4(!qZmd=7iSP!k!vFg{gu|m4kv&O;G4O
zyeWLwaOfXq3YbR<+7|llg9UaXMSZsPt+RsezygqE<A+S+hh<~0ciW`x)p2Qd+Y{rI
z1(mz4p;A+Sna>tN=UGk?_D6ymF9pNgDszp(<$H>Y+ySmxrxQhO43*?>L_vi$!U)zf
z*4bz>+O*30p|yfg5vaqA9~)W4$yL^_3UI&KX!BUKpbik23F3*%?fnQ=N9lr{AaU>*
z6F72YWKG7`_S*Fs44F%nicy%NPlkK{F_=vW4_J|_#5wgQ1rkd7NthqZf(Xov6+^5-
zryhfdmlALhW{B@xVj|U|>hws>bIMQ=tOf~$plD%y&8BS|9cGaC1Kv9Zt(W6n@B1G7
z!`z4eavJ@Q=#Br6z4fn=?;sgGszt9E;;^?PiT%#|z6^5(6KC{J*CN+07z-qmxA$9X
zLvLSjpTyE<f3i03-`)hzCeXiJLFD<D8rrp!K{Ksj<_ke>D$OdMRR)p<7D2Ey02&;K
z%2p~Kk|*8M9yWMFmmW?ngBK*mZL>IY$X|u<-<nnNQ-}drgp$cLp>g3Sj=LV(1o=S)
zswxs#9FpX?NA@QB@FZ)lsbdMm>p19Mfl9e#Q|3u)CP>|L*uOf9;g`L}nRR3&2G&Mv
zv^8g)zW5l|2kLF}(+{j>*Q@u4r2H;EMje-VKwNPl(fFQ&7Ofve-3arVF#MpCT`?pC
zQqL9}>whslIu8{e2i5|6mzMO`VjGh_R3blA16oZPy}@S_9WrWXAd*?V)qB)qUBDer
zt;PN%h0a05G!DWDjtM(HAzrd^0NNO{sDzS-=0b{NwI#@h!0l*;d6)2~verj3r+6by
z<`ZEJ55Fc}E+wumfeyZXk-*c9jxl@X)T08&taf4U51yK=Y1E(%#)SeF262nP1?Lud
zqd?;IpMZpK&v(ei^ydTbp!$B<)03tuC#Ykvdt%Jgs$=FUHp6T${YYeokOXs`P^6pz
zSbmiJa&V+cC+FCOVA!e7@U$1zn>-KnYo~B%RhV<yBHFNK+z{(d5@j=Uebbb7F_RCU
z$VV?miN&1YL#HKf_1Apk*|Couy8heDece3G-GvD1^?WiCy>^|RKne`101rcml}CPo
zLM5S$$CI`8f{4F{BE<)hpPI0hcc@5KAQ&CZ{Ok#lYJPss@li}5EX;}GzD|U?{-G-4
z{m9PG&<nb5MdvMj02cIBS~0u*JxLze3oXxX>xb@H)iDY7@Zh8%QQqfitW4(gX;#Fn
zTTjBmGOANqm}RMR10;iGqxf!MONWT@*26&*e3(p+0{HIP>!KZvxy4dfFYwm_3AL&j
zMvJ^zy2Xnsv@)Sg6<%!%neV!8qPUlsSTtg4=cXcsFy(xl!r>_Hkv3rt&uJASNkzBv
zBW6lB4XA;jLK+yNXM3Rr%nA!M3ZCa#s02R}5i&3k!OQD@_*0!>Ow=q~pI#KO`ZT*M
z++)=-Anp~=Z}8Qrx`APaw}0z?4slO2FsyT~HZ3YF4CNSBs`dld(E1%%l{IJx3moaZ
zGKA!IY)VQvpXZ<z1=!5+U(e7dHL^s$YnpWgtqpgwVNg0lj|wZAT2k7P$T+|~D%2Ae
ztF#izq&JmDcQuF!s_3{*=zMT&wW0m)rY9iSC&eV(Gu9=O-a;40fTx^B*b;@CYq^Rl
zHss7m<Ok`LjEC{|w_$^gfmUn5s~6>py|hwQyVly2e#d<tpgApMAI`=PCXLi?#LIp*
zcxBB^;vQ)wz<!>fvh4gVh$|ZXG-wMYR}ofC<7_mU{h8}EI#)by2>n-@rQ4+2$qHy_
z0x~&ovt#2b46Q1kL0Y&<%VBZ|h@!3|$YMk5z(KC`*3R4yXfAs~dobDMa^|Bv=imN;
zFcvEMJV?Cm<U0rC>7QRQuej1EHL3ui1b|%d>)$b8@%dIDEC-_AkGv@QJ7gI{i3d9I
zd`E8BOqSvC<U1HP-u=~XOYTqQ{K4}Qt|g8-!YDRJ0sR-{M<)tS;f1w8CNQx$7+Gsi
zJ6o0eu<Q8vMT5;&{`Aga_Cwr4?HLctXxgHQ;G9WCTF<@$-bJ40GgZ6c9%UxF3cCGh
z&AjyqYknP~Xp*;=zJkD2*<KecOCbm8sK9OSl)6V)om&>!>J3#&B0GMD!23jMqA?Gt
zn|tX@zAY0sDT72lb~^WBJmG6CD)vL!wft@`2~`2L?`hjQm?x+T^rIa{P64~0ETpX4
z+3V!vWkW`IdEKeP)YG`QAoJJO?7G$Z*XR}E#vknds<eeHKbnc=84@Rr`z&SG;_FDv
zXv2$Hc2<xTD-KPXw~?Rp6bxpD>t^%AVN<I_bs?FGwb9<fdc)6(lQblK<|Zmd_#TBe
zbE?|$!K_6VG|g^ZueqNbj4V~Mowm<6Fm!nmRV_pdagxL)&0Gxpg*&*9>$i%VMXs<m
z+^)HudKDY*6F@IAE@ZVMqYWZ9K$jO@+}{NYXVCPPEey>N;m=%CGzPnv1`hkejv=&M
zj7QC&f>refwQ*>k<pd)2>viEuAVS6$cG63!dQR0Pj3(hFy|W_Y4wfyUlOu|I%Q~@h
zYZ=h?lIp4A-A2i2(TmjjmQ$f*=1GkPp!6-Wq@Q{+q6(ToKOdS((#I^~i<%h{x_C%D
zUb7t`1RZlG4p|rT9jVz=5KVZ?Pji(&!`mdRouA9r;(WbSFxBl(y`Q)dDXFx>ZOOqc
zV7^x^%nJ3z5T<W`;(WShI-0STFa97K+>$l;<n3r+;-!DUbb-2LNEPT7tdV=2v)w_^
zI&Er3T}Z@w(M}#!3D_4u`2GQv%{xXcv*=s1<A`K^nc?}&b>M2dUO#3Ao?sm;K9gMH
z0VF?SXBrJtLo$swMcBuJOxb$UasX^zK@sQ5N?Llg>z~(%YO}$J^`f=HQP5d9O@uM4
zzYy2^ASJEw^*~SP@rHZdq-dchOri?b(Qb8q{kHE=W#-SU61O=*{XN@WiB5xF?0o`Y
z#cQ`eFEDeKiG$a3&_dfdi`_eoSJM)yd(8c(0=Rq6ddaDvYxn%&JC6V>G4GmAN5eux
zP@}ze9&z{3;fL&1>;R~sTt&E2f;C@cyFp%YpmFxe=vuEw{hM*Ml0m<a4^B123-z2$
z!M1|w2-<DCyRGIyRvvd82uRtQoSGQt)^>i^y_MIM=D_t_w&Odq;WQ_n!*jdc*eXT%
zwPvj8%#?G2?Gvq$#z+Od9HXwK4E};5s8cjzsc|C925rAmwj0-6efq9%B(7bg?#E)Q
zuKZb636;MN+z<RloZ?LF8)NIL7I?Fc?mNmk9l5+hunpl)dbx2!#VY_ew$7>jtj3GB
zvQ9(^jjrS9I|cuS8SZ~!E4FT=K#OD>Dg09G5IQ=_3U8)k?aw(z{iY@W-}IxzAfq6l
zuI<Cq-9#5a**4kua+E>20Dt^vIE(!06Q!j60*G_R9c!74g`4B|QCwJ55}f{AA$R_b
zdCFn{fJR7@b+GCPbM~+yJ`=!suSzLbzt(n<>V298kQ~^uBN>qcX9Y(X>>Esb?>cCp
ztRZifq(O~|1X`N`zDkd|>&H?4j0^P~FkZ*8+^!ZfwKIA^gIC~GuL{E)nqPOAvvt+0
ztNdYZn_~y4^OEqC&{EK=Xlni%XEIls&=w{*Jn`8LuTo&2NU&w%yH}HKlagSvVI173
z-1H!-*XU@GzdQFXC+c3jfNJgypT$l;Pbwfyyz1Ud3$CGkv)vXH*jurq17P8kcRw4+
z9%mg(^Pde$(rkD#Bzb{u&joq|8`yBu{U0WT53Yr2@g=5f3{KNGH-pjOCz0KINTK8%
z+n|XU+vW(n8Q-UL{FZmnQBDRuB~Mh^4QKjk)@X4f%WF#!1miCiZ#=|zJvQL#he}Ul
zU~@Wqvp&meQxv?4?1W*g|1y1J!z|TMp~CB12_$d17J|~2SDATel6jhtBZFGN^@xw-
z?CvHrA;6jmj4)!;5jPHVbbHk{XPowkJ{1E{-8MqSFLrk_M+kVoNpNG?Go6X6Gp$=Z
z;W#ax8CXi4fADYKZr@tTv8o=E`P8b%SCCrK!KKF7-CB%hH99beGz1*JUx9bko76{(
z>f%(W!*nNdBzkZrD%*UV2q2L=KQyFicG?oLIGXAi9qA#}iD&nigBT4lHe@Oev>|+c
z*w|M{)dqxQf8!hm-K)njzTQ40T8<rmP$kx8a*(aMeLYvyj%hYCMX!!YIkn#iG2-C7
zXLLIX(2n>aUomO^5p%{dO^P%pqU>doe;k$gO5<p-VI%nElSg-nL*KX73qSikX`Ouo
zoN;4YspeCFMdmY#$!0!v*ZTR3n7+`3V~c(>h6YX)LpQDu@l$}F-uzJ+lhUX_Ka7>+
zG!MrElT<UGN65XhrS!VN6R%tXTfIS^)m+p(qsbgYBY{1MnGS#rjz!zyaH^VD`nRD@
zN(!w?^)wLB*aF%M?j~TD>)czYZYWm@uu!C%n`~nrj0?KP4%O93skG3$&ZM<X3iOfp
zNvXN4fq=R_ciowM_m)WoRbZ5*1A_&8f7*^&*G#QFan;*M9msNN1H<kK=$$f*^ncxB
zH55B`{}wtJ0WRovWX_{W`s^>nff%`)anj>BGRs{%c9<r(hrVs3>zn+j<DM$7GyXvv
z_0akV$-cf;F^<TA;kU$Qg`LmOBf%G#mb|kq=CdbGK0hr7Wd(JS>2*TzRq5Q1R|T^)
z)G=%Jt+$zMM-|f6BnQPys2f!zaDu7+4OH9uA3pf`Klg?If-P|G&gEZF+Ql3F2%3yw
zNipUYKKe@``Ti3?T+%A@1#Np1$K9<cP<F-hs81iVZ1Uulic0YplpQqH?6RhpZQUii
zR*kfc1Z<L8X13N~@Rxxkl#%-@H4tCe!zKP>C$dgqHDruJIze+h>`!_<@2Ok-#;2ma
z-M^qbnK52n_7Gl2oPwRj0{dm0RoF}dcT5o9q^PF^lsmq?o6>t)h$sX@qg)4V83z5y
zB*Gajubf`MqpnP=Uoe}}wX#O=E-e`Uc-@X*#`o@lfU?A#qMs}dS){AL<0vY+q#3*l
z>eb>(`1bY+-_Hh<QCZ`AH8y9db^WdbD`!avAhqO&nT5GiDATdR6u3jOk5FPbd_}zM
zHFd#5Ew%gf1==Mpq}=|vP{i$4Z%HKj(~$ziWQ=fn$n^^Jhwt5vBm1Gb>t5|?VkqYM
zQ*C>p=$H%TxzDBN6xEnr;G&hOy$kY27e?95clztVgjcLaFuDFOlWMKlsZa#+;*T8F
z;je!|eI+M|JKHTzcS5-M_3_FT7bvPZmM9iST$zIK#$*Iofe>}#`x4Y>Q@2ol9jj7Q
zVmANu>6dK8?u&1gHHpN_BTAqVJd3K<6(p%-w0iFym!_agd@nHSOcIqS_V4~h^qg>k
zGmPB$xU-KthFMg%g+6;*swv+?`H26w261e3Q)>2x{9acKL?I~P_DS~6dtt2eY>#Ya
zXMrP%toTMfC8)fY#eGjKZRRy^;+p?bW=PM^_N#xn1`8J=segFuU<J<2A2?qV_Kw&{
z^;U}SAsr(F8m)J#<O0vE4uzj7Zp+;oEaPo{{jIn=lM6hqSNZ+1+yWi0N*ywwGyMKj
zzvlZu)*IHfA!LIIX%%zeVsGt;a5jpX_uEeM6O;LaxB|dn{Tmkq%HKJ6(T2t-NW3sU
zO$DqPy)Xvu?F_$BEUl}OLpqXugrk%ONxh?{Wu)&jFM*TE&#J=LE)3(_KS<Et?M&d0
zGvw;VDcz2-7m%}6XCJY4eEYYUiDZ5T|AE;ifL2&o67hxnZmRLa{4$?0+Ly?g_w{dt
zeW%kG0&#x#gh>iuDYC}M&le~veeSV`Y<ORzAG#i8OC|n%sv7T~-@@y1r;tAkR^EFe
zd89F~6KNUf)2PPFfkPLSG%(jhdY=Wsh_Dl^k4Q1DVQdc=?*3vj@UKiF4Z`PDrN(&H
z=v;0Z<#zo$Vduvn4Rrc9FAmNNYmd|7o3tpL+b_CKA_0k85*z1a+=y;#6ud+PYledz
zY*I%e7ZbfjG+*Exd80D_&NT`DH{u?-14&Bgjw(73J*^K)7jt*r4Nf{ft4wlR9~Ukd
zsxU_vmU;(pzbN|Z?2iXA6g=^#?YaC)h-|$68+mQuZ^eB>#O<o%T?0ARmoeKMHKRhR
zI`?MWdUY=Bhv3oqPcHmlyrKM)3;%0z@J}xMCl~$???M0M!hh<*f9k^jc~A3CUHDI3
z_)lH<e_4-=A}ss(UFK&!S$7S`Q+S^~a&zM!!pDoxw-QKtS&63nO7_Y|D;MobLMOXj
zR@2@TFM6Tzg-u0d4DXMoHHBj2`yLcRTgj>t#cPU5VnX?~)vx8m_#aX|P4dDM`1MZb
zm~8?wL=?We1rlR=fBD2n_BJ+_@NQmU2LAuU%K*&w-@&O4%2wCO$gAErhntWWmn1uD
zXp=n~5fxG6It}I*!1Cd;q@B)VU-RY|ghk>;<-W$}$VQiNMC<n!mwQosnK0<7HZ#*Q
zKKBVy;EJgvs^)w+%yTh9LBvgt{TjaV))c`piX`%RAKx_%E*rvz!%|;6^F#L<1;}5+
zt_75E_%za1U0wT|-^pri$gANT)4*|kDL7i8dw;EG{<#<t!NV<rS)UX;dHH9d36r}=
z77_<tR-WP7W@pEs)WUIuEG)a>-1J)3`G>D{{y=;>ON)lYMQ1L&vXA{vZhI~1VU0fu
zw7d9STV^TIr+Q?(IXLi}MIo(<c!%Pt4Zy%hVjjH&O9GYbkOHm{1)J3tDFl-yi=Sr6
zrP-V!T~xS~Qp8MhjLp`u(7zJpE7A}zC)pa|$40-Jt-N6A6jUbwIcC*QUN-p#Q#g?w
zG+lD(2U`Wj_n)X`ksmT~KE%^?a7}0Dq2%U;nLEg1l7anXIV%(o(9<^q+D959%x10a
z!JY*K((Td3vzzhQy80<```gr9y2yV<+TsMty~X!H_Q|?TP7-2-*GYtpq>Q9e*<GJU
z6&A;JW9iD03?LTFN_(z-*Y2DihK(6$q^y?NXJ^>N;4a>~xbPK7mx3gxR|}6x1FB<h
znk*JOYG9yIXZVCY*EWAwBo;FA_i{^Y&Qf$UD{;MuA6V4sJWVs4G^*rW1L8L$nQqE(
zbGGp*isbsTw0@R_L_SGDJ{tyUE-%O5+PA&V@z`U`n|1%>cq`uG?+0yoJD38a2`1RL
z8pIw=b%4zeoX;hagP&Hzw(lEfpV8AwiX2Ff<XbI{-`Ol+*;U-0s3bPt*dDq_JSuCE
z={e)7jPj0{5mvVDf^pY=WG=HPwrrm)%l*PY0zCuVM=ASqhUE+V0@E$;Ny!?nwXSci
z$5{r~zb3~!!46?zNY)9WWG+e$Ct9#YO9Rt^@>Dc1L!*jE3s>b?DY2`lu?30<NbL4y
zOPub_aA%7ofGe)>j!u&Mvqb5H;!arB7I#2YSSsgIwP&d=Ioqw9*6>6P1fG+X(TR$f
zZ7`)13#QUNhzn9^Zjvmvp)=jO05oncDL3S^4Q~V<k14i-CtJ0dU(iwr_&>>Ta5yU9
zR-vW}HzGgMp=q%Wl@>M_K@ZvTWDN%yK}=1d=@n>>b8qf=_bu(GKX0m~;#Q6eCuyap
zDcD^}p(FhcM_Ll47nBjI$>DfI<V;IRs{e#f4ViBPVRswM5uVX)5Z)qswe!*c*i~G5
z{(?T)Z8cRJQEWG(ylC28%^G}~C?+P+y?Divav9o(%IZ5YzhTRBY&3#LK^#)djpB1_
znek#=p#Ir<i$V5{PN%CL)~0KX(28TJ%z^@ih7+!WC~a|*7f)lmE}xv*`e*D)CAEBz
zvQ(@=ky^*H(8Ac()}mM8k0qXTIO8M?<87UG<c9_MbM$L!M6j@rnJp&)fQpMilY+11
zcG#ze;{%pCJ=9JzhP+O#^4hW!Zp6B6Psr85ny#tA)}TkbPABI($Yr27QV~`{?R_ZU
z2PjwDJ3)R6lA(gE4vlU5k>kYe-SBY7-Iq_PXqBS`tis!Kw8YNU*!oAWHtFP-2OF%l
zvsv|^t!40@rEX9mFs}<!?l^pR!eXIJFRJ6L72~i;b`YIa-IUi8twi!b<pmPf6rp6G
zZ^{+g6LdJ_HD`I*sWjv7U`o2*9BXUlP@jH3UQS{1gRY5a7mRo%aC2uX4V3fd%M@CL
zKVB#AY%yiNCoY(JO<d7Es*@+hutU<E#F+Dsp;}nWVSw5t|Kw+4nWJ3m=udodZBI8i
zR7J*G9>4TeU$ivCQYkiY)X!}B<h%-fWoch<j0bxPP$Pb!Ytc`7P1UOj`sOQ_|9dR;
zbwh5fhE(vA4Ms)+UcE9j;mw3yb-U*M9+n%pB1f17iS{?%Ii^ld<8`%3!Eye_<CKX~
zHZHOTrQnO^QH>enIvWO<QJX}Ny@(AvlWDKVxYLUfCiB*x0P$~Yzn`T;#MoG8dPOCN
zY9P(0mw_R=q7fr(xr++5Aw*spT+P`hYA9;MJMoHUWNFlM;~J}m1ukyZ8rQu^gmyXw
zhKj9fcd@w<77E5mS|rXr6|R??jmK@$jS~&5v4jGpgcX%EQ!mvM?tb_lvB!Q=BU`!+
z3OQp$Xj!WWR88Z(I>7}g{)U;;)TeGk4H`Vr(mf*7%qJZ8Ms|T_f65^7&cAfVpm$`8
z#|dO?1Xxz|_u2*F-SN&6u`0cEeDc9tm2R`-<%?sD3+oY1f>Pr@I{B`;1--ocuGsy2
zJIk@WHV2|7>58c*txE<C0qVThqPi%ejN?6s#3f^JZ6FD;FYE!}o-t*E2m7@siQzx>
z4`XW;tW0u%I<x96;M4YLoN=Q+wb>r%#KBn0{H_)e=2y`9#<$>%F(&#}43XYSrP#*Y
z1MJ&=6%ly1QRd9iqZPmXYYO^n!ui^LF`l}B?ETWs0NT~5wAq%KbVo_JAfggbfBC8h
zw<cPUkR>R=;qxc&D{3zl3|<{7{XTR^;k$@C@A`QaS9PcO^5=Pg%Wz%|9S;R@d*at+
zI^8r!x>!Cx$lMm;V{S}IBBJIxoclg^WX#CSGBqLQ12^ff%r~P2(_`CVoCe_1i0x91
z!lngR)OakHmx*`7agGV%#*1OL46qoJ)st5;A7Ks<5kuzze|(T=aywf*a+U<U2*anV
z6{VCC=)6KUlM_><xCHR)1q%}4AB_lLyEo<NSDY?n>YfnD&y7M`k`f(g6VT+rnshj)
zrbsa^*_|b(9EY6u?C!CFv_9IOCy|bt2x#N8tmVZ{0NY;rjLSB3?*<n$z_+?<{Ujeo
zv<sR8+Pa)zepd9~=?F5LYbs1!$>HxfS@nC+WHc<iSo2LEk}#trN$`3H?Gt1EW{_{A
zuU{zn$Xqk7vW|>1mgHt_;#Q<feCFwGr45l4U+^ybO<+0Wd=pm?!~M;kokXQ3GEECe
z>NduGBJ=;e%I#kocK!>JIM82E6nQ%Dunz_@<%Ge~hkbmKl0}}S?S{s>m&2k%_;|SZ
z{`z{R__*KbF(&WSQ%IC++q3O_+$1zwk%$l5z%_DP9jT-F+2kbAhwkO)<4ePD(b1tf
zs!h%W3Kom%?DQPsh8wKM#m|Mj{>*l+UMXyHGC+C9y}zJ}kSVUCG%_CN7e*ReRjyZL
zmz-aq!%)t9O`1X@`0O9{TO8*T5nZHMb3VX5mE_M6|7xhnL7ooO^Q3U&${Zzm((=|~
z*gQ}5-RWvxy&v{mt8&^|VAv7Y)+=vq=Ew5W(x|r;bGDSM=My2}Jh1?tQ0?ntUlAPi
z=I96OX1t0&qP8CsK9RW*H=h*9&svb_H2P^j>#$w+^P%f7_}h~3)}}H9s}uf0-I{XK
zd@e$GA^8i+zITI^tvKfO<5aqTmi+IhY}+cY_c^06H<xP%>7|Fii}s`9!gB>D=;+~d
zBAXVKz0S*=>qCWPK<;Ap{dxPBhgltGgDOj(RnCRMzEa@E$I@Yf&l1Q1=xG}^EWDb5
z^5aDKd_4^Y-p00J#heJF4Cl;Y<Hmj(W!q*hl3fmRo&uhG3A~fmZLkH1Xz7?E%K+xk
zlQ^%n_8DQ)W;D}=aFp}%ghC3a-{Qw&dnZ3=|M+6pYC9`H1#>-NXgYNoBL52Ib?%@s
zImt~gMlI8assjjYiR8oURAo$%k3^!hB5Y7QE~66BgUt8v>9eNvv{+Y9ps%DHw4_(1
z0J@^=Oa5@8{-Nc~ULTWs;Q3Zf8z2_J{Z{&um_>dLGgl51S4}Fmx|j$w@Iz^jUtfi3
zs8uf$vdB&rHW|<}mKR<6G3r}0J6lz5n@)<7@F!$1Of<}ontscaZLf5^Xu-yP{(}!>
zjmu-!*hc#jMK;8DLHgOf2yr3a<Rr$wLKLf%#zcy3;awYcD^HN_#X-IL<qH!Di*8<x
zgO_kZvGEUM<CL<GJuOX)b#cbCCWaS^r^>_}^(wRywL-y7Ja;D^S@;E<NP#!TPIK(%
ztV?0lx<Ov9HPEK+;PQaT+I8oj2K~SYzspDsCm)3)$|gFL#vY2w><*|AtAQmm(LMfm
zM$Qb&cQI4PB8VqR(P+?LP>ykKfK7n%L(SSxg-*Ouuj$l%YXkT0g_R4e<p0FoTLr}t
zz5TjCke~@NI3&2cYl6GG3^KR|cXxN!;4rwmI|K<b41*-NyN5tF`+Rl2i*tAOzjoEG
zeb-m3x>xn;CH;G!2N~lR_zTay4x|Q3%4I!4?KTFN?;c<D4=$}8lP7gj=u&P%k{{E=
zJG1Ps4T?-gpn@+IYekDJS;7HXh+#98fOM2sN(e?uYSQ3cG}%tL_G92*;ZqB|lh|Wl
zXLjA&^R9VT3uIGVdpvhjjby<(9qQjEpyvldr7w+v_m$jP|KJvBPaiT<4Yo2b_rAe6
z$M7zw0|3G?F`{CTps1~KrOxkiE3e_LqX&=i>d31PqIZ%{<@_JcXUFSbR@$O(JyGbN
zWN4qP{G4EZpTKm5y9YO^S*U$keKM_KCk60!iF*-U+O}USphg@|OwF~bgxhA0U!2m^
zU%eta_?O}RH)UJGhh6}3@H9^x3hOm}C`)oD2=bX2R>tvk#*ft3I{)Az-p0;k=S=?<
z%5Rfa#I7NtNK-Ch@&?tqooEfmLdNvZ@$s~YjZgAezuo9wV*6Wu8fX6HHd!wm_G5qj
z^lm)Y>FP^(Lbub-$n~xcXv;XIzHPkLaDm>$5>C;Sbe`w~>h^%SDu=c?GyW$Ga~WD}
z;*P6GeuRb-qG8VWa^$l6u^3m+-dhJdZ~cHO{8k*cl^=NR_=Q-x|59$Z{vRC1$v?PM
zm--j+M~b#zq-34=YxC|(o$OL9?Zs=!T3=Oq!d3m~VSz8xfh~Q{|KN`5^F!XeLTev_
zgsu>i`2NA2sdNy4P&)9<F6fN5uI4`ce_D2aTzGr_5EYuhM=RsMxrr}gj}&jM1pb5j
zeq6Zt4-VR2xzhhX8-HW!R%^VKt|bn<B|~6=^>4|B<dtSVc_lN`mHlc%e19M|1~yOD
zr<}pSnm>!n5Y5!TWfozUUr-m)_n&o><EZ}z#u>UsGhZq&9z=`;vRDs&5U_aE+4U-p
z#VEy*gByRplZZtm$9*$H8D|zlXg1D3lcCr+B+M}_e0@UReNnF|Y;#Q;z9*eueO~Jv
zYFeG)xQdz5z7t2aRI9;3V<4p@^L}`EBzTI1!8A!jHt4(6$BEKgYzY6Ipw7^2DC87M
z##L3PRNgYfU#_Qn5bNV*KtY#E7)i~_48FlwS4TUD`Thyzuf*%@udy#%Dw5-mYL^ec
zd37WX_57vDaQsaL3%?#ezKzyTY<vXoXgAQocU;j1W;>Q^0M2J7Q__M-4|#aMt8vnc
zlPiA#K$p55306Ok{_p1F!zh#Jnt{I%^cO2gL0wa6;T{t+7007;T0I|ZB+is>=Pzg{
zPtGbtPlxnQFL@#AM_M{gvpbEEdulD6q-iq^os^D@IuV&xS_u3~9C&JKibzkssR2n(
z_v6&SIa&ktM=?a45C8Kd$h-c(wbb1Iub=w=`iuX6H7@_)c-}_4PGG~yH!|V&MhMqO
z-ZF2B8pc9H6IR+_P2>wRJyk15X2t6<9QK-eHwCW}x+?J}@x)a4Nt9xl%*B`0&bG}`
zHa86%2iA=P&04P$7Zv|D?ZcbqQtYO7V>fgf+bI@rGEm(l$6aevr@;+gS-|IVo)iKN
zvjqs6U((e(i9iN2bR(lva%QQLd|Q!a&%TddzPLR0dIS&BTlSCxge`;bAYyujGoqJ?
z&rc1A19G7P&2QX89FpGi@K>D&w}?OI#B9+#;M4>6XY_Q<-CLg?j9l#k+6ESSXd1FG
z(!pw__K=aJ1gix+fvH?(b0*O2QD*Q%7|QPorJ+NAyWgHec|8T$5SLtmD<9#et0rd^
zt#}f00g+2zRXKBW8mf*Nzlza5DA>2~(DOd{71!<C&bO;CTWnW+zpd`WU*|;FzW-%A
z`hxgvp)mj_5XWKu&x4BJhmZ{d6t*4Fgcstp(I36e455aGG1aEC3`yWl=3^0LsKKzK
zjn=C=6WXrwR-u;NnZh?I>!zaOprP+K79xJ}L!M5W!z;_$^3~DWC;<q(tMu$ri0+ud
zM_)e*DR*Z4M*<8(Pwkb!X)YN_E&X(f%k4rvLG=UPZtWUXyTiErFx>&aQF`@{u@h-f
zr!kz}EWaCCX6FR^=3(-#W7b01Kqej$gQO&z3q<fy&Qxc5kmR3#aN5+mQ$A0P{OZ2J
zgPQE+Ka!*7TMX4Y6mk}2qJB0<cr|2xDk{9fMYd21K=fmFQ%uOWQ+vf2HJTqO2XIo2
zc`qb<2Jfr_m+jevV^mmdnzi1DE8k9wvX1csVG7UeB^mv;Hh)1SH3i_9u!VjU2ftPj
zQ8&QC(8}XBE~Z)Pc44&1!AF0&4cp#-(XL@xY*9-HHch=0AGiUocWl`-QZrFg($lY^
zRsKP1-zd-H?l4b6y49FNz5$&vUQM|!LUF(Fqk=8jIOHOC{Aup^t6xpy+xpQO`59G^
zWzy2HV4=5C&;{qtxzW!$HlMmz40pc741(d08;=b9J@OE^r@5BK=}}7SrD6VkO*|uH
zYSmUl3EsEWYgMk^OxZnu0Pa17sYl8_BBBz-qau_umS+dBCbmn<XG!oR!yQw8FGS3?
zd$wX~HyY(*!OPPtTNQ6l2qST>WC4KoUijidYEWkz7O`uwBvzq8S;tTs{>YW(q(^tc
zOU1b$V@v~DZ(W<T4})IcO{13^T@A=ge`SL1M;R75Ls5vZf4pJV=*Yyo11)@h^(%fk
z<9f-&=Z?@F)q3UVMs1Ukbj)*5_$y=CWOl&vr-uKM|9;G*#Y|bZ+v^wQ-ykt@CunUa
zDs%Z8VFAVQNK;m<eyVzUf;)RA9^1ujr!YSxeLdB{{~Ey{`nAMXT)k_&u5qm^V%m$q
z?d(O#wEvCQ#?UHaVUIO`BqAa)^;|uY`5vnA;W^&8ri9%PuCAt$?qTWoDa|ZZboPwd
zXI$6IW1he%oj&*JY{ptY>;|>3gKE44Eyy`t^hpurOUTeOvwNH8=@z&-Q*?BeV5Y#x
zXk6uiF*A@HqRO<4`uN}4Vx8G{lEc3{mQ6`i);_ng688~5&dCOON1tw0ZKlt+<vEUK
z1RM<G(u6kNq%MDQewcF+C6fj1iWkDY5=-!Ka>YM9vJiQgX8H-bT}cDv%}DjiK(Xxk
z`ye3fn;wMlAKa=@y!U1x%<P%v7x8oubT2UOzH%=%lK$X6b6Y1tes5Q~<$H10sQpqQ
zX;>~@r%=jep`jg<!{AwPz9FD`o1D)E@cs%~vrf#YnM|WTprK9r`+)f?ydjHJx{4Jp
zvV-7g0QErv^0@!`62O=e!tUMh)xFyBm3u5X0ishR-&ZZsd=9v42h5c$3>VhW8pA4K
zvhe=sB+J3vnOseH17VE9t!}ALHa;~ipFkGd1ey@%gybax#mWtBUCG-H+?b-$Z=8SB
zoIClqw6Ng4CSwtP1QBlMfT&^x)myrsq)Y2`2^UuaX?xN?N{wskC)A>saMdBB>wNT#
zXl=l$$AVxn(VdN55W6y8hK*x>z9?HDwhuTr%D>#^$R{p@e<il$0}q<03@+6??(F|I
zk8_w6<FIej2u)G(GX7Lq990!usJfE-l3}B7cKN!{zv_xd-%oA4{os&iK)zthPWIk&
z1dw2;>f!4?>~O5TpVe36C=%(?T7MJKt_aIOyU_op30eP4W$dmox-BGm3yeAYLu8O`
z=rN&}Gtv6NasqE_b-@!)50bZ{YsEk$pZ}kDZ>H0W|G_ayHxq4_ZhO(y4{Ktov81~|
z-5pddstpNUV1k*!vGdr-=n~K-gi83UF@Z61Cop9Os3JjD39)~VQp%_YrF!C3X=z!d
z3Nh9^RxDSRwcZ~%NTicl-Xmr-3+Pw3Rr97obv+GG8v&$DP-Mt;hceM!?u*%0T~cke
ze(w~)8a4R6l-`6)7<a>QqBZGbN~d`-5)saN!?$&2w7&!{T(yip+V}_8l6kKeKl0~?
z!iOCiw9)2?ax&V;@6<O;i;9drEDSUu!~n^0S+?3XU#(HsLb}_N>f|*58XNH?^sA^_
zQw>r=3uFO*OwvNDWvNuF#RAbJJ@`|}lkA`?7H-oRXbmYV8$PE$`NPY|{6Dyd?8dhR
zu?YbO<#^$g0i=I*3QX`}_r7MHGVFFuEgpZe0-L%v=~3~ddB#Bmm7i61Q?~o@qvA>B
z^tmqOCk*N-X48{}z}?BB`m4DiaE?ORRB)ae@cgEs^D|USh_~0)AooaXS3~D)icr2l
zE!ToLya-OtOW^D$Ssg#%tbCHcCwql&3uS0CciHUHv(BxCJayjHiSycLPAOAPK%iHL
zsayw%<0@sgwbl#;-lVjrxD&vlAk+@?qdNSB+#lAz+P*b6AUwA{cUix+GL#ruINHB;
zVRYC_^=Nn5_O{1JR5|+e?iKwn@5o7~h%wvtI``3);%s$<xl11Lu4NxLUX8Gi-uP$0
zS$(xbi5>>n9*mSH=%}&vjj`9cu8X)j3yRG^s7I$il9jwG3<6L;HcuFB4}iE*Yn&sL
zuU@KrCG_p%-e&?&<$3NYP)M70%hpu&od`8hg(*;}xb3mVu%|dQ#87gSuM%9e3la4!
z=*>+(!Lpzzv^)rQyhU72*tP<4dCAw>)%zB0Si)6Q#^WM~=O`Y&&4Tp%-OVM4Ztnt_
z<HWlX8All4l6VAm5(Kns{*R@*|8KrASG_>)FK2JBZ6qHl=c{$#+S_g)%TeH=ALSq1
zu*M7QZFgw+7KpvTd`<fY7jJ3|x14t}6cf|h#>ayj-{B4a9wL7W*ap(4zEF9T8#B1!
zxA6L$Hve%x|Ds@yF?K6g82D-Z1eJa1=x(nQgpOn8*#~Ll@C<_1wsxqL{0>x|!n!%v
zV=B?PU0`e!$cA{`s%TFw7YqBueuyUQeV}u(NQ66eKTZq>kkHg#+m5<R4NoBCeraey
zV$=!^EOlH;+~u&Iat=oO;G#(N5M4n3;=Pqvy_^a3tXjPA{{#{PwXQs{R{3gIns8@K
zGx|rWS%%aT<sZza=;noOyHBz+b(9|3XXEg4J&^lLZ34G4SFf`{o7Gj>(|Hj<-<DGv
zp}-#n<jdtV<lja`6)Ic<R(A=j4u4E1eDrauDr_wDuGkPs{^1b{{uSc*EU2pD_!~`z
zVzor$l!rcR?9E4P%o|}P%WH=14Xh!UDkS8{B{Bsjw5$+cqndGbI{heE8(J{rBqt9|
zGvuT~-4WXEcJDlqakC{&3fjEMN~b!d-U-{*Vq&#AMwbdphj!N${3=Rza|&frUdIn7
zcPbb(l?X<Or7dw#GHsy*Nw+|6MIsTrk;8kI?81H4a5@#o?1!V{q6ixXh|mUHxJVFO
zVi~SN?2AuCi|2YQYF%e}>`N1cOH$Y|<}fa&dt8TwWm1`4hnam(m|ezMyDmt(F6#bV
z)ODZqb)RIp*csaLN=qUverip6JVOdmqpZ@(9mV;oeDk%15xX+Y3XAMHryoG4skgJ<
zq`9CmVbHtjRw6uOW#xmb=+kHu$r^Q|*8;OO_uFgndXqO3=se`JtJ!#(XAa+q?$kbr
z*GGb@w@xuV-O3Mair{ry?W-G$$y~u|NnA#MtKX+P7HrRz>(M6VMe&Z!89KzLe#)}=
zQWA*OxY3o+F0*3N(+F8_9tgJS#zf_Z{Q>iMH7Z~eK_${U@VVS7zRQ!ep0CbfKcarV
z0@s?)jh)%p*BLWE8S|2NtaunG<=W`Cc^ndJ#MWc^f^dr3Pb-6KvfO^4rhfQ7f#64X
zXrCbc!(<eP!7|8p$J=YTHs9WpRms!4Jjg$J2Ds?&we8BuCg7TH79Zem(S*@7;ni@_
zVpTuKFEY3{D{EDV>f0-wjUb|dm6)hCJQb-t*%2y1)vZ^G|9G8CDjxkI)MZ#%zN{>k
zagmIZ^P9(>+g^xqg@w3BruQeXxX5xFzt+RpnG}(DT7^cPUCl<iL#kf6Tv$;ezeq}B
zGw*o9w%WlmL?5aAyXALN7Rxs!h9O?F>2Td?x*bnQM{gPOl_xR41OB9}l-!qYW4-M2
z?`v*Ton8CwS)M)Z?ePG6hmqqPk1p{CgL$6A_du@dPi9T6)xsUUoJ%lbjWtRRaSR3i
zDD1x#kpj8zi7eP-#0L~rUWE1DJ_;T9%i}^#UlMw|J@bKTZPOwV+t+wJy=7L)@y@(L
z8hmW4(yh9oh{83iSu&~;5dt%X{{Fq|59}8*^kZbcW>w3-+zbVFrw$aHebu0ZTWpe;
zF_M`ZE{-(Qg-#Zzy->~w4600wmDF{p9I{^z3?nWLJ)tVo*V1*%sWG57I$RhW#y4T|
zi5%wxod6R7UO8iJ41Y5Lnq5K@i`n7O?Y**#nbx7d0%cY+76qKwo>GTS9D@zf9K(-6
zgp%tDBOzFq(is2&yJo+=`2+z~(jHul86uf0o%3gsDA3@uR%$$%x0&1lMzqW6Vet?8
z&(zV|#KxHuZ)CG-rFGR4pC-Rr+RhdHI6z%ACl2%ViEp^T<FPA9Ss~MH$PFNSGWp)c
z`ZrPn`e<H5M&d~%J@o!pGX57_#q|q^+rwQ`$Ff=tgC$L0?Y?$tP(QVuX7O0eiOI%2
z&1j^Ba%UD2BZWS^`QX8b$wOI5_A0EEc6|-QA(O>zT4NE{cu8H=_*l%Uov2XDCwk|;
z(gkhKoIulGz0A~rF@>6$`%Ymf+BJnfBtQ|kuT4Hn<kgr7>Ntmr_;S(3bm|yx7DmrE
zRm%2TxKJUDj#tSkhxqrzXvfouvG?&xsAr_7coTZLVoG6@3uN>Od$4o!@83>h@9AW}
z{k&3D%Q_&7uj0esFy1vy;2~!Sg<<&V#5Ah-TNd+yrrPV;J}uWv7?>g55O-LGm2jc)
z$j$;8Ob~|=%bJ^a>1EBy<-MLAp=@<oTJ*Mg+Q00SP*viXqpA@)!`uofklLX?KeiSP
zZl&zG*;_GTPmusdV>jh>{+75t5-GZ~t^{O`Rg2EdRyEXXYjxw=BP#J-go;#Nln*!>
zkO?>7tRk0u_Y^_slfBMq!=?}GsGT1;G*#~vus0*|vT?|=T&l@7rB%`qeb<(4Pkk&>
z%e!80wf-)V`I7W9hX*d*aU>_;w*V1?OWv0z=DordHfNb{m9rxghS9@>Y%<3TX;VZw
zRP?v6xr@FIeHy*HG?56z+zv+y^Exe4sa0mtUW-I$$<vj@148r$XW`4$ONLd16G@gm
z1I6kl*_5<nU`DU0O6KJ!JlHugHe7{LiLIs+6eXo`=TDbVSy853gT64dA<F#-8lJVV
zi;wOU^DU11Wty~MJWub?A#7zN*QiW1j|-h@<N9@l#So%Z9BT1~ERO5`M5&M$;a!qu
zMvt=(ahD>v;fhgQn*FfsGU@3Ho`<IKjMt3>n<6r3x)K(791Ftin=riTF4`cdVWQO4
zPGh3G0_7&zQItCjpYQ{}!KU$8Zrn7ib6sX>^us-zt4{yqBW~Ml%p#AM>6@(aB2EB)
z#G2wNR$-D@NV0!HmdmEVB8&rmTxciN_yc0~Beq&H^U<9>sMvP{SD9VsQgm(gq3NWn
zcI~<|?~Mn*%O<POiE_8q%@`6j65(5uu9VDJ^1l0d%MmP<q}PvBs4~tA-+QkykPf4|
zxn`2sVAUqsTAJ#zNy@I|LGrU`=8%qd7y|lsS#|S4)IFJ@`wdphvW=2N_V7d9iOXhi
zA<hK*TLg=B4)_p~lPQCc87anCmtKZ45DJjJO`W1iw3%hjwMjk(_S!Twsaz}IjyM&L
zWmMy#mZ?1@3B4XW_QtLMbI+E7fvw%Pr{Zwf^&GkUl}7;SWck6#v6bnL$#wH;<-2EU
zEDL!HDf3EmcnvGlH@glnr5aKK%1!MT-oYszNuH({=qrEYqI)m0ycEE<r>aG2H3u>N
zWJQAn4Y$=}#vi!ED}R?kn~n?7mBQnoo#Hnck#S7Vr1iIv$jE1HsIk1t*<%%1X!3EL
zYFC+^E$*0lwQ5H<b4lAVPsOn|)!pZ^a*cU<S?&D@*${9wd3;Fw>7+p}!mC&tgGE2#
zCxBGOlHiyjm8!=Q(zM8f?191~zvgRUbq*}b;jx0+e$qo5eK7rLIxIx}#n^yUVZ)!k
zXAk{2Xp}J0_Y1WjM~tG+vCNO)9R;CreeHt~xru%~yY5UcZM%<WnDLI8yYzJq)s&LQ
z>-P9DZA#79%TzcVVf5+R2+fCTW0^J1shq_-$7d^VW=;j=^|p7ePA;|at=iZIrhda_
z0*s3ZM-B5Cnzr|lyD2Oj?a8LU+_yhhsk9c*{+<M}b@m~qPDeZ{E>Bp4FE2o)W}nw%
z@36SX#?x$kciSfeU@1?CT{W;d8TDtgG<+uoE@ICnX9nA*aJCQ^E8m4lLbFPbQ6KLD
z&Pz-89OhL5yQ?X0k#>hf&6a+s{<EPbA-&3-`2f?pqCM*5G5ZuX)FH!)xGqaXo+f{o
zV9w+t{&y-8f$0brK@wOlr_4TC@lSA1O!G+#vHXn7`~-Ugj*_uQ0~A&S4rQ2SzHBsb
zk*LGraN07Ajz<k=HDB(Fp$>?c+AgNtHp6!gPtu`Dw>*ky^vj`@7Mit7)*Di^ZsoGD
z{fV7T6!u_QBqd|fWASy7SSsHp>#l%%lTTi2i?$VDxrn!}M3e?V?siV{V5|smo{~?r
z+sGiZi%(yEr;X%hQpF^=@aAuVX#sy=h`;aL_Xe>kVZh2*$&{s4>k*nghwFACNMQ%(
zmXewowHw}=J+5EObqCso{EW8y)x&Dqp=77;CVSd9XYauBO$sH%wQT%HUaJ;_^8etZ
zw8ki#RmR|(FtgEp2D%L@%*)ttuxl}T{K(g<7+X27?O<`1*wX@@8}M2ttuVHsQrarz
zqJ+z_DfJVK?1k;LeA?!)#@clG`6g#6J*h$u3(U_DX`3puwvK(i{}7k?&USs{)EB=A
zDtITwus!7>bPcjw>HKe8W=B%af8jDK{|lGNs;dI|`v2fElWvKCb(fM{w1Z^d5{4>>
zaV95D!>jmCr7IyESkzLqe{D!8^<6oJy9k_a?A^gxP$JTbw5#y;tTWHe1#IqZdiuET
zYJ_hA0y^jMwZ;p?LmMqMSBm03S?t)KLzCcKNzLAksFq?VS<5QGAMXD^z~#!q=NFUV
zwE(cP4;T8)@YM5xYwQe6tJy2-*KL>aJYL?F+#icf1Dg*T*K+l%bTSPBqUFNS4Ksoo
zmG?Ag)DY`<8HprUgCg(NjU-Um7&Y63iJQ}Lm{qGB&xq+$<gU-v!<#<yD*=OQCgIp=
zwWr3%y=l$_c%o5fLMqoxrxF4rRZ{>qmXekmfLH|N{hch|38DQPm7R^YN%Km^6%TfY
z9E}#L<NOW?<SGxdZG)b`TGk$tSQVz|9E?rLX)>6K$Q)rUiPRY%Xl{`gzLE;jClLbr
zS{^qn=zUeF&s_j4@gnolJEWeTtiv{If*XI>+@4o|C~3JT{l@;@PTeG9R&E+7_(Kty
zaq@OOmonR<T4%NmL0l)CyfuSOWr{2$-D1MZ@Xlx*lZ;r=5OYPd&5xGx_FSGL?m|JG
zS1Lt)DUt~}%lfmMv5iU8;Da`WZhY`KC(HO$rMv92C0Vx;e%FbvI%6)P7vlr=X(dbg
zNo{br0EQ{FhQ88R!Y;no9!&D}MOEP|-gkop=#>i}9F^85&hggIutf&&(miIkZbez&
z5nbZ5G}(c%SKsYShzZBoSV&&cL>!YPqww0)AcLcll5q_35vX}z_qWyWqt05oE}1-y
zh`W3<Ns;lq0cm;mA{j7C*b^ZK<x3ySm{NXBnx2TbRwXU%@rjhHfEE&V8h5z*f^{nb
z%X1VZFp7BXuS?;=8v9I@9_Nr^PMsf$11D5&$yeW@(`c>(<*h7SV2j%po^d0Z`(?m|
zQ+<y=@GY?LrOs$O0c9UEVNhd!?w8iAS1&Y^Oyc7LWOX-xlD)8lJ~mOC1S>(06ewV%
zCyyFej({LrKFe@pg17iEwSv>vO@a`lyh@a%>w8{DySfr)dA7z($mS1Bmvaa<#{8|Y
zEZ1n0$!SBK4i@Ib|M+3@t5d1tgeDH$pRpZ~+X3n9`*wG*XRdzww<5@~XTGzlLLi(y
zugX%D3Yb^<R00f|J#^qeT$URYt%E8^B5AK;6w^0|m_p!gj*YYd#ym_jN4e#*qZTYr
zK5jX>-lnA<IWPSho%xM|VS+y3z4@Hw_g?Enrn%r7c3m(&4~?(6tlqon1fY_Shgl3>
zqLUnl^#)kJyUw8^F@|o<<3hxRF$p(QkR?`W8A!_PAMn{*>6H4uwm8<j^nJN7mXZ`w
zvJhj(@DiFq*d~%4uT59u+PdpUZ}@=qD&fFZy$e)3eeal)fRrTKoPTiNL|d@YGIBlA
z09jU!ax1X8mVC)N7lPI(hI}xnWydr*0^|!-DCZe{j8E!_Ro?{$i(3TIsMgT3&y{CN
zj>P{YTNSD^?_!>(<XevvJhy7j9(HQ_ag$0F`}vBOC0uK)T=~X40qD#$)KttgM^dp{
zgr85WX~*h}o3;v;X4T?Pi&uOx>=cpwTHLHeAABI!jc_j`QXy4b8kgCrtwzHal7Xp*
z()hS%)83{lm}uP9lT)*@5G<%AcXCoj>RPzU@&O;h#DGHG(@3aN)$iCLH(R*!@tuM|
zlN9f}2Ym1A+y;*k-_!vAzp^2HKp8n(zT=}yht%~G`e=sxqqLRzHByagBAo^k#?~#E
z0f9JPa)}hVQKZ74q2#6vPFsYuEPdnnhso8S-U|VF3mV!cOQnm9c*VtyX(xQ&wcKg7
zC-d}FuWh-^f?^WB8s?Rb%9MmNP_xdB{7h4wiWXHY#mpaPCk-%#u@F~JREu_tmDa4V
zV1%N>Q!hW*Va9`rD>?JF=g<M|)Ph@71XzHHtobbUeI<j#VwpqxIz~!XS`O=D;DI$s
zwL*_^)gMUD0r5P9hJq5ts;ixdBbm&d)J^sl*|YUlk4P}wJ)JE<-awdV|B;tfm<JrC
zK3i;ROu2BA^D&EIto3?8sSTbSXAB9?6AsX$CyCl6F=IkqA^mF~F{azCX%RO}pr_O3
zkD2<3S_BO#J3n8;im8*)e>u8rW1Q<tqLEZ+?+554Xc+io+Av=~XzWj+jYNkv>$_G)
zij=4Hb+f94-HFRRq>u-+3MsrG99|-j95!}@?u>A753sd77n+L@lu&EZu*k^EBnr1q
z)+U<^H(zS9lyZH>C?ms5?HD%9|IwZDeV*s0xSWmH$>HPC#8@9quc$bxCbMp}@C16Y
z08DX~a7L>_(?u^Ri>^Z>)**mpC!42^>%nqPQ(Mb_dMuHcu}DqYqGkgDoZ&&D$YHU$
zyOSm3W*@&88B_7gxJXH^P5Etx&r2Z_Ybxjw8CqH6GLoKP&DOOQ>^{G895VsQX(&z>
zXT$NTWkYYU)LqVDYF+hNx)--=ZEax9nsf&jtT~B15`*Jq5BD8tuhu+djpA1RV7=T9
zU9R98C#FU3XHx|VlWx1H*XWkT@?AMr-HAR?OGh%xwpemqLNC4c(ur~iI`fcq$_Lpf
z)m4pkE}2TR4I0h!_b~p9d~!{-Hb)82pf#E=tH)XCX1JAx7N@1Efxbq93IE^W7JVL_
zWNm+sP&vIieIjIh1i9*S2nmTMkE(^hXaPQxqpbUoG%G1nGDi`6*^iv|pOT65tA?7A
zhKitNpM>!y7I&ojHYNRJZIhoq5lr7pHhuvSxM|Umxj5q|?+~H|#e1Kch5@Sn+cETA
z<9!=*g}|4_cID}DgVvvPN4eOx@z($K4$+5%SCW5WPQx7ELx4}0+++T0kY`HZgHe<P
zI$^w@``%=>hvE`!xmX>xI(07pq7_|MGS0+O)I<ppTZ9oezf0G>CzFp^deU?2Vm!sa
zp;1R)^%o-uP8vFvGLffs2~PClI4zhR-f>5~lTw)6Gr&`Zs)0xR-rt>VpE?t?2Q4&+
zE9uYEIB<3gCt;cc-s4vax|;`2(#Q!;UB@ZrGvE?r4QenOY^r#_*{Brc(~!hxwxUle
zTWBIb?DZCNowj~6qrAWO>FUG|$JhFv+hwK(2;Nv>W4Sa@4U!<3%AHA<vjOKUQTvy-
z(vgnh&9RF<EVXmF-5$>lG#n!^T<&&@*+;iKXfI-J(m(6#cdO@6B5#JN{~lAwGF^c2
z$hOK=up0ew97Fc~rC>kITV_6u%4yqqN!BuLN~d;a)3)a;`kU0-D(E2WXC-2_2le6u
z{KTX}+SW_574vJSZ;TMj;tj|1%i-niHuBnnOw?qW16iBvTwW9P8XaX%Q~+}we&xZo
zq2yT4m;{hgTouJ$r}P|^9)YMQUqw_n=5N8*Dn1m_AP1%@*m<N$M@?m4FL@3&Cr-Wo
z$6<YrEC>SYn2M=2W;UqRbNWxokT$)`1a}cTJK{`i2w?Z;hPPxbZA|Ysp-BDF5P9<#
z^aSE>-!PkhHt>f4YLVnJGFx6OS==FxYsj5RtOUbo)_Wt1absUx=#Mja&g112yUHxy
zHPh3!d(Ub}Sz=0;Kx~U`*P0#f$m)Ej+|u%gdPB3X*I5_U&-KGR_QBs9Z8_undhM_T
zf~0QB?3Xd~e(OW}dRJRpx>9U#ZTz<*Ewu{k);z7N&?C?uXh1cL&-xOVg3=QtG}s<w
z9=SdCSs@2)UuEwJlDo?bVqK9kidLrTyAD)UI#VPAAa1X94l)=H?AU8nI(Cw$CGE7F
zoe+)1l{-olUF@VG`{j<EMe-Jna?9yV7x{4DqGccd?!xH!O#L^XXQ>QU&2RcDX}fV_
zaphX5ip^JS`&w4;rL|*x!o&}T)=a^a6Od-=?V5Lb`9fmDMGo!bjAt@ttN2|ZD{Hj1
zveoR?y%K<VweyR*U}9XPP@-(<-9N#S`4mQfS50FoMX#jrfM&lO59aD#H?5NRV%u64
zeQ`}xv6pM`i7li@tp-R!+a_^Mi1FfxQ;dLRvWNR4@$*?$2w0_JxCze_axC;B{-4PG
z;(S26I>bFl77}zjay`Ql+n(UYEV#edKZ<?XD-ddsIx-cZGL)o0u4!8e8M?ZeuoPOR
z9tazrf&uY-Ml0+S`nx;XnV4(dRY!wu+RMe711{S>#5v*L41bXtP_>9aBTK{#Fov0z
z(AeDL;u`y~5Pru9DcS*U#X1^ngbAZ0hmu>#1fY-^6^|-5uwk{k?Z&PE(|z{2R{Js&
z6G5~Lvt>EN=5)}$ciBD3eyJdYzAHj%pA|I4i8g><wRm0n^j?i{NBgoWzx4MCu}hoe
z!RTc3&e(P9f>;4gz+O5)x0Z8mtfj=lO0&oLJbzN_eFiX>gg6Z&v@M$mZ9cRU)wW8H
zE5E&~;{a<yDoHc$eI<kR^(3j6N3B-MkiQy5swcPCWGFg9*XYDu<L@u73SlJ>{XJ@^
z46^EISSL0X9r&y^-stLsg~L>nwLO7t>Mx4C29?&f<~7?<b+vDNSGiaPkZvHg{cGFz
zFtTy^$~ogoiwEEDcDpcKOFoC^vd?qG>i|@`xJ0^~lzX~}t$aNV3lBSNn6i-Cd~z-3
z*VeE$&?=ry-NY%MEMy#1IhYrHnu5|PuHs-=rP0g32dq5xrCd?fe>PvP0$5@aRD!zD
zL^kf`sl-hh%(&>+3svb;OPPM<GIMC5Y|<CU*7%;SKi&OW)AtTFYtX#qdRTTXVDq3E
zR~_MQZS$scQKUOZqug1J7%s_>AyC%IP!BO<2ntGJXpZrNB5}W54~J_Wa~!qMx77u(
zsaVSB7wgb5>K4T+Hkk5OTB&*`Fo!XP6o>stck=fOZBgd3`0QpQL^)H5LJTMKSybVp
zRxnmsQiPyug4uznDwF}m7;x%fL`>B>e!2bACa2vm1(GKs)==11uhQrv90RoP&y=B|
z;&OENP9G)&!?UFL;wEnoGt>h}m<ZPNf7UM1B(=7Hi&3-<B4ym8D0R;yu{i~ug8mBk
zd9Ugqrc5oZ6Uq<|Ky`{9N6im9#d)#R8M_rdpjzQb=8H^(5)^A4E%bP_ik3A7wiW_I
z+4dt|Y$aS|*-1iZY}VW`E%{J8LM2}no+8lKW_tC-VQ;H>T7X5;eI#l5-~ZK>$xYqi
zDoMo$fJ$G#cuuN){%foNwP2`)h?j48eVb)Zd=ikeVaeTdV|ycRU?inHJ5`Dk&c1}J
zai6qwZ;b%0)6$UGHtm>9sDg{<qo7We`Fp7mZ?t8+43D#F9PFWsp>UDOsR9m7r_<Z9
zACp;{ptvjr-b!C*&g9MJcOBF1+<WaVz?qG4j?s##wwxOOBG$tdbg;Ur`-`g?(^zdI
zVq46MQr&_(hoEJR5riIYxh4x5`B9qRldEgMi6psEKbF++dRFDTaJpJ|!3H=>uGT70
z-ay++tt-`$Wqqk>Y0bqGPIb!`ty?|I0B4x#VBn7W@a20Eg;)qTNQjv;CJ=u=OM}7u
z6S>0VnUHvNgEQ~;Vu>flM#!?&WLe+sd*Nd`A%JzG&t>&bbJ`<Gch58j4k<TG4!vE;
z$w~mDbrrAGhV=KHblRiUI3A_1=r}p`I=u0YON`>XB0UkEVF$)6Q?{T~DiA?)%=@71
zHe{s;(8Glkma`eP_d$Zcy3h2K0rJ4;x*|`Gesa)BEZLc1oQFLw6|axO(Q9vW%+`9#
z-lGmvgRoTglznrQO}Wl)cBs#&*I<LTlG^Y@pU|Ehph(D=EDs{<3x(P(vBvVbmti!l
zn{!B7Y)v5O=}DfXzt`h9-m|?LpFpFNK@jjBFW>pOft>>CoN^xLRVT4D!A?&Y-^nV@
z-bdN|ld<nukgo^DC;KWTN}6fSlFWMshM9JcetHuK*=k6BU7L?FB%E}`5Hygk!mr}q
zoBpK)9hh5m-K8C(8wVD3R59EF^3SkEiYn)q`9e2Br4Hqnogx*@P3|14YuaWf>U0|u
ze5jAr%&nfOaGk`G$?!zdkDih)Jd5d|w=WCJQK-iiXagDN&J+j91eS<3!?@~s3}fsw
zqm%5XI-SP`6jWpG!oL7VLX`-9om7)c45XC<%%K@y*KiXocKBvWfQNLs{a%_j%ZIq%
z#dm4CUSIu-QH;H)v?(VPMEB%Z;FqHXc1+>V5ft27trza~JW!n?l%FfZ|AYD3;7Zz8
zdm&FspU7pfD82ZYv({SNMH_E5w>uSHsr?kK+PI}Cs>-JTJAzljpk26%M5ZGlehrNz
zw+gslgSFtfo%t;lxroaDWt?dy;MrU#{=tC6sQi1<J6Q^e1)+U{#!uxG)|R(pAfcMK
znR|rlJ&gnn7o6@RG2&v4<Er^kKHpW_z5I++y}d6IcpvMt%t!3^=_;V@nVn1}cnM=!
zEX!GTXPk{4p6TMes%>(N=!f#@wM5qLk)PkeUy;hJ7vySyY%>?bt=!hFfWtFMWmw8~
zMavXD8fLVl+qt6}iU@29`d1tuW0sXx4FzX?oe>Wf9P@E(Y$tni_BS-=PXuhI%{?E8
ziviPMYJn}ITQ>CJf|@sfA!*4*SEJ~!8O0mtqMT_Bc$>;tV12e^-m>Ilzx-H9^E?&#
zr;jY6?ictw?TxI#+o>8;E7Psg;=1j#257Waf&!R*r(TiMezZ9@T!Pap+3U<d)=Y5<
zL~|~$_$gYLX{9%cQ}e_W&B3%YuR{~T!I4U%$9SXo!`4tK%WSN8g)61I_CszWk5x%e
zI&Frl?xv+nSs}S*anEvv;HFy~aH!TcULeD{txbk>Cd2>8dfBJl(t&KP4u2u@rv(ai
z5#*k7&5w6}-Q>HL$iy<3@#}H~k*=W((C(e}jb=}Bv^m#UbZ_YXV+%?On9p^sRRfi$
z=Hf`fb`FhC-C?vlCqqBiQTaC-DT~<K&_M_3TKGMZm*#(J!K0>UmyVOMh*0wq3^0&?
zkgKJN!|j*T2S~Cu27I24Bm3z>X`8xxxsQ}#{t<<XNKxz1ausWmy7YvPxqj_Q_OPDD
z^9kE0Ora5hMO?ZSh1B_n&+?mAZ7j!moYdxj^TmGCe<w`%E&jfRPTD12N!ML30zSM|
zR#ZH<{)21l@csw4N%F$*4~}^B*W~Eyq2{N@UlSjmVqkyQ{RRTy=S)e4V&d+kZ1Q!B
z-{L1J=^g~*+Bi8Xf27Zpdo$P|D=g#8p=%eyeP5T`u6?eCzQi8Qby6)It$#zE*Ntwl
zn^A9C;C<(*p;+j$R`A`E7I<)d)u^ZR69D1y`+QRQOf1!^5Fq7Q;IBaFFO%r<H^P3k
zSuivth!*&ST=O%LIYMoaZ2741bGw5<%=t`Hh>W^&wXiwGWa$!v-p@4WEVG$qdD)M=
z8q#0SnyQ$;E?3V5*NK?dW(ZitdF{eyJ<$4FZDQX+uiZDj@5piFHu>*<RkJn>3qPOK
zz3^LPuC6#Ua*-7b(F)jig=3Wot79%i9j=iNH*5<sU*$G)nQ^`7RNv@O6K#u9NwS}F
zFcDeK>V=+Tuv2R9yb&~8UeDjEIMx(qEnSEt7z{!I<3+;s>EgsRLFZDdDk1NX0_4}K
zo!vj%jX3KMuH=N8zsuWHMq6SK=_>BHMpd6|X8qBV9L!HJ)?Grk$;D9D-Stpzo6{Ct
zx5Basa6XG6&^?J=^wVQ@O5ghu$DPA}2t(^p=cK{o8~hDOAltvv_GV>Bj|5ZH+2kV*
zCZxd5{$`Xde?^jF@K&<Z-b44%_mm(m(&#7QcF);g2y9H$XdKfod-?wKo=<nEMmUkJ
zen-pRR=M=jK>gG|miOc0u@9AAv)wT<E;Xfcb)|{+$58Avv#Ejm8#tWvs4VA8QRm&y
zMHEBgpmVQ2chNQ8MOgGV*!C}b7``T(W2L+MY_EImylAE#TCZ+R#wvXH_RwSqO{0pL
zpNhEjUcI?nDaS%kKly8O6@p724j><w*#E0%Ud?f*!2A!{^pbnu6rZWpPVr<L3Am*l
zXB4oU-AxCLq~HfeCZmoS*jshK6=q}jvYK`g%c?Vm2fqF<2Jv;jJmR!JJz}iVK2>X-
z2YT6UWc^+CiUZm_yRxd>-p$N$SrF7nv-!I>TA$X?WV#S@&Vt%rcCk_#m9NNFrcY*e
z{phdP$kW7saM%Shfq5CPKmtJkff@Z+e?yhK5R6nIJc5DMedIozuz(k5OrWFIgJ{sr
zkWfYRW9pKK5<ad%0@2P=_T4WM;hClf_zKzrDkMa;GTO1=_oesG5wc$Ol;MvF_NXj%
z<)7U%#Jkb7xVoBJ`R_-;`7#_zL^2ejcPM=C(dKeJ=D}dwkWSlpiMk%|Q2n(t{4(NY
zrK!r{lb45g=maV`=i&H&F4fKJ8tet4{Ley`79Mc0dc#Kct}$@=%bhXz0I0$Sq#K3N
z%-sR*3=UW(*I7o3+eHRr8Ss;F0ilPR*_LJ?P>y|;C98xfG9e0S$0T=wYR%H0txrMo
z`nG8?{=BEJ|KRk*{jY0Pz|0-{eP7rX(eOCCCMj?}p{)}zPr#9kjcWQ=8{-Wqvo{Vx
zeuzoOd))Nf%CW9Fm(dQFF{~iJ<6Sr4t_Xpd_rkPEw_6>C7BTBm?>Gn|iNFlXcFPx%
zBI1<J(sTTrhZ>(O8Wh)BQ>*<xCtJlR(LcU?Dqj=r(QaXUB6P4JU>z!RHd~E}H9tYD
z?+F#9)*#)!rKQiXGSB~$BZDeuqbLwzx3jFu7@k+JUH!$1JXOg+vsiFxj!ECu(g;HL
zN_&Q5(ajM36;k>j*Os5Wx25Z}R=G>bV7q3ctQH^2SYm>qf&m0+7;Cdw6`Wv-7wV?E
zIFp4;ySCdCeD3btaQFx3QS9?rCNCvfKqOwSUA6pGQnQjj3?IPL`lPU_f#VlJ#9eBU
z*7}^m>E&;Kw0~_=Yk_Wk&X~34^9=H|=Io39kmLdTQ#M<hAw=IsDp}Ccg%*KNbT*w&
zjgggA>x0f7$|}S+5?eeCBDs_+GV%E{)8U?MII{WBPvw3$CH}Ei)QsnT25K&Uo2+B;
z<*TmhD8XWq$VkvQPuxE^Mtf6hLpmKB?Rdg@6$+RJH~7IPkjg%UZpf|M^r!RZCp^3u
z^(#GP0rxI<qjN@e>lVMf%Obn4v2wpEvE;CSEYFcPtm-IwKg+*wC^G=CIn>sibVme(
zR(PxQ5>m$Bdwo;~nPPvJtTiVIk3^vW6(FV}{PeQ8rQ$hF%U=?SShho2Od(z6a(OJj
zh4GFT6nU)bJa0~M$)Z>f4J;bao|O{s*g`h9?D5@N{(O}sUt#3u$5T^HDZ&<y$M@2n
zZMMQ*JOaMFNnqU0{_H|YxByc)7C$AHh?3&Zu^Z?u0y#-OHe*SdAU%;ppVx9IMYyMx
zu=^(Z-}f*6%4j<GMcDA%owCT)HXj1J?~v6SHxxe+_+7vM&Df@t3aqv#NCTDxDr0sn
z8vPjT(%j_-2vi5{LI9gLqP)0ushjc4$3%<x!Rll>WrAe@eay5Mm9ih6C_G(^*Ta(&
z{KvqZh%{UItgMzi!7^vnDbHw+o+gcsnB(KBc%RRBINky-Oo;*;%M#`-$&8(zsi*mq
zJ0#k~&F0bi{$8tVD&~6J6)UXx?Qfnz`(xON#R?f#r?UHQ8Zqc2V{}t<7aETZ0%))(
zB296Y6z_{3FdatbD{tz%s#0UXW}(k)wzAc-rmxf82~?CbIQ@R2wVPHeBB}Gic2WMU
z$_quO<lY;x#d>S$KyJNkIH(PIfJTaMqK(+f&7J_}K>f;oTWE#URMSmq{_wEo#?I@~
zMLy^_Hg6zCRWWIpGNXg{K%d_5jnYu_1L~=|XO*9m4?3`_BLvcoJlcE<`t#b6&QrGh
za=)ZOKKn(;QYY+=<m7(tK$t>ZOoitUdp;q!V=sXcku#f)#Z7yG$gE=5rN7ZI1`=ap
zq1LbR$TtOm-e3Oyd8-f=6SmomG)yH%Q=mP1CpY%qIIp}W8=+bpGQFedLXcrMSUJw3
zK=eC$y$A&_2UZ~HSxfu9<%?!#lTfVy^jYj^aSeyRP8eZ*|Mn_<hJwBZ0M2c7E^SJg
z)ZOA%A}SeR#l}%<+R9cR<GJr#@O>w{-r8!@ycW^v>$hem%zdO==0-NsTVn3-5NtYM
zRhxs?s<1mgZfHrk>WPK6lKzf%GqEzA_$sFdsb1w2{47q6_KxlI-`J=SCJ$d4o^`MB
zZimGk*fWn<lMrRL&@8j_tc8O_j;wEzH`fpE@>s#9R-4tBzf{opV-J$)Tz_AabDu|i
zN?l>7=d$Jqxj3wvuApI>)<dU_PK(ToBBf|BLMb*yi$dyNC4=y81CVgxECjQ6Siqre
zm6Xe!!Kn2M%W*PP_qx%WkPq0%^O)l8{26JMXZ2OELNhm7>hMBNqblU*80+9k5}mZW
z)px5BDRZgNahaB@Z4&LywiB|*cHY@ZDH}}sq<ou9{jl@)^fyjXEr)>HhMguLJD&^F
zJL13{c@0-FIL^{3170yq=t*wJ-Rm8%UIsd3sPCb}diy6Y|NW%(WvtnIY!XJKcGV^8
zWtHMqz`K$pX_2=+nS`50h!W%K@pVWSBcHnZlV0M{I;VXm)OMm?(3WAKGv5=@ZNDb(
z2Rq0aNGuoxb?L@0t;$^=SXi2%Y+Q7M(;IzZm9BE@Ui;h_F|e++8K72vW%c_@Tc>)T
zjBcsxNC(IDTsI4>^`f4;_(GG}GLL=@`8HO=#ydxA!=LPaYCPLlronnhOH~-n@ymLf
z&7<R5epQP&{CiJv0=tEZKw|e(UQq=>wj1<l(zqPCt1Y=FbhAGNnF6KVPXY*Dko*&^
z*wWR@VGHVPG<@=W%iA5mr1cKXB5i6#1#H^5apnD0eP&a=FCI3EA({=F*~ww7WUGl+
znBZkp(R}4bKEBg9zQ$VslR$AVgW2`z#WQb1PTlV1TUq@d(6~5QDA1}Tx%plJ$1puv
z-nbOH<#5pUpg~V78Fd|Dt35GLa8i2TGGG}lEAmk)h=K0&>$gOOmi!&XQQ(TN$k~=n
zB{<8_s{V<jnFS(09G42uCm+!)(L`j>+R|&z>a`z?Zu`T_l!$5qMQvA6PklL8d(>cS
zx{dy{-BK~_8~TgVXv2!id1e@Kwod8=*drsPw*l{b$i|(;h~wowv^m-&53s=%HDLwB
z#$HWLbf29`wa{|O1mB*TPn52}i%7ZfD^#xk_*vXkc}I3DJj5|;n~6js%t^h$SFsM7
zUg&XQgjPxauqnR%d%{Z!7|BTEl;6H51W3P1J2OsQ|5WZVsnj=XS8-}TMYl*epzVxK
z?`=%y0EVRM7)tjpSEC|Gs3>V`CtgrX5&weL-mmuCPoIu;P9t>c7&NM;jyBG$KBi2!
zAE;-{?|)zjKNDpH^w^k?W{n?;#vf%^^3pPtPey=tc|V#4IZwx>%I!m-J%S&ByX|rg
zYtt;C&!U`eG-sm2u0FFx%?>0`#+Ozy36O4<o)s0Bb#^i5sCsr;FwSd2DDG02NYror
z<1>%Eu20F3Ka|e_1OB>S6qo9n>wAsP2!2_vh`?ZJ_s11&%?=^~ykDbuX(;Pu!HxJ%
zQc0)?$HE-P?c<ZDld~FhbjP72WZx+lt=;T}4m?4ntn?E{r_EVv%8%IXfC2>|8$pnL
zE8&S4-_bkHX~*NW{`^>B<oqnxNqa-^&h^1?<54}i<c>6NzXv8(dvjGA8d-<lbiE$J
zqs$ml8H*rkNe<<(fa}Myu-4OzJpLa9q}&~f6vcz0WG{^``H+`GFT;ge{eN)g4rGOG
z)gEQy46{t7w@A!tV~8CoL`NhiN`dv+zYon!vBOyP(^k{05EyiE<FY2#dsRN8#VIM+
zo&#&JQU~Gyu^H1=uS3VTuARow*f~~8NmG?p;&*~X`R|`d@H)88irY?BqbSrC$a%Ty
z&TM&Ss-)7JG||q)>1H2PuRWa{x@Ni=G%6h^y86Aj{R&OO(Vkr5{gVZ?DI(JQr5Oif
zMaxYyy{@d1px&OjUDL#=Ry#b7i=G@GH<-jjcz;o%6{P=S={DJP8q?jl+l=buZ*mid
z9E>#E8zT8Iawi+YBzFX;=xG_7&iKk!ONH)$?i%Z`sX=2p-?N!c&8ht=8HZW~)f7Gn
z(1I_9%bX@gl{*ckw(g`I_;=@t&TlBH{pZdf`9FZTi$wO-=V2xGo{7e*=H3*Ewt%ig
zFN7huVzmd+O{w!{b0un159>B_i1&98g9f4c`s@279I%%!8$#od_WgpNRxMJ*0JNk)
zCe!64uU2=nW^7ZiLT2woUK_Qvv)z1Z%$$E|D;~wA5oCVNI!s8DqTF@Tr$z|$&?lyf
z5I-X;cVz#$qGwP5d9ktMG$($TVLe7^iYm^Q<EN}$R>-Pr>v#~dv6O?i01}DhVoi?M
zGBf?6z~EA5BkxUKygC`Aq)8DJ#g{f#^Bh0J06`T*Rsq@iNCkuA{!iM|X>`enhF{eF
zCWu^6TNW?8+hX}6iqBXZo6GES1&Qx>&?5$U{ngv~B=%OHY#0rMWsrTJv$Ef2(@Nv<
zWtuA^eLcnmbxnkx*wWwSvngmh36wXsGESpvfvY~aI?yfa=crC29e$eDVvIGnYqMt*
zRrt0hc%wUGY;4u6-FhZ^p!7}FLwww>Sn`*|V#Q1X#vqNxVH-esm;)%mDsl($wh%SW
zNQE)oTV7lv`;0bpYhlZ?u!I{nCUC?2t_%7es4{LlZ|1m9wYl<~O&IP1J2QDXjMUsr
z_1I22j#>U!eSsGgis=OL3V)(26x)PhE^<mu2Dt4U373w`s1sSXlH(mZwzcob>;SPo
z2C@tp(vI3R8wv{$*&WM}{Yh1Og6*SX<&EFbqgHF?>O2VzOAL3>e011Q=5`^EK^OGy
ze8{f{Te|uf%~DOdtu#gp+k8z#Df!SSF;fi#<FwvA4!Q}`RC#HjQguy|BbovlAg}#v
zx%q6vQi$F7SYsce77J=^Yy;unF}6mh>=-c$MqR3b*|3y=5PHhzpb6pL|IBp=%r{Uk
zzns0k7!`>M80i9+EzvoACJ9;VBG>pqt(m0TfJTBIUpkvJDP?yO7hGE_wn<5h(v4)&
z6#2M1NA-?^`Ti|EsSW5tF&(ku-(gi;`VIRZ#JxpSTy4XpO&}0FxVt;SodkD>f&vOH
zT!K4<;O_3Og%wT#!J*J#g~NjdC&4Yr(|rHGR*$+T?>p$(8J)>lXRUqjd+%#!kGIZY
zN{Q!$)A}=8lY}vR*qaiy{-HS)OONz@?s1o+Np<1ER6^|=bCkSpxA%<tC|m}R$u3-p
z3H=pdJ}qfjW#mLDM7^-n-1J^}qTRwp<l$&pp<|>!&Q|?|Q!m!2dd2<>fiRvnQ6>$Z
z&S6z-wk~YMdaFc8R6HHRxs>pi>Ca`abNmkp*9P;3?dKM1O_Ox~Qw0JAz-qsv6ibPM
z;|wS!DZ((*3Vh5sVyRX5_HrNI=-m`UB4;kKD#p7`aeASgDa6%wSC^f>^5s=in!I0s
zmLO#9Xb9JYtT~kf<>2qeYttq7IV=h@217ef-^w7uuaRm-mO2^_*9T4{(FcvXojbmq
z^E4?*WIm>nS9z^r*F|~p>XqhxPfl%73zuH!bnVLtBc>L!dwuUbRTSDx9NG;!%blrx
zDNx4wnxAhB)t&hK=skY5xH&B`!KO@XDzA3esRYl@so<$dy$}sG9}PUsqzZ6m!a_Gc
z&WV#D#BYZ-<d-gmc2i)ytFr<&`Fw7iO}Uf>qt}AA3uZ&T<=e@mmU=}WZgLi6*2>kf
zfTb43IeeoqeJF9pjrr-4_(Z*#kla?RNo&`|V;ivAoLRPDslOuiye*|1h{a?HG*ZdW
zf_pk!v6)Vqyp1QEgjdgw34&Hk)b{`WhFUaUSTtz^hZ>zgq!WeFy-q&=B0)G+h#G~)
zF8in>Gcg@+6MkLZTNIAr_Dn0DD~hFJO=j1jb+$Tl2dq&%`7Cf-Axu7xq&xV356WGo
z9GE`wb%}tMwy0OSysTolYSp6^2s#w*(TyAGii;ki6c<$Z;!><s+iho!5rLH^Pg-sG
z#`1&$`g)jf*vSmKbgb2}>v9{|Y!c->F&~Jb(ylCmb}3goow(&5I@jzQX35b@&aIjC
zOu0PFsnK*l$vq|t{#nT+I$Q3`Zmi!h&e~44g(qMcAN1zrun4rzE()toi`W-4SzgS1
z*TnBJLs1y9dxN*9oqGFeBsrs5rO>rs=sQ}i%h(3ZRj&^=jG|t?$z<Dt2yo`*=5)sB
z+s;DFq1b}>lNejl(d^9**VWN%Xr&H8g+a2{0G?D9QJojDK*a3qu-ioqKYu|)8Z}`6
zRMPpiIGq2>Njpw$10&Do>%6vmDxuX4-n}p1%g_3P4*#1MkFCF=QmBnfn=($IaI3Xv
zzThvWs(A~ie_tHglkI2=TRDdU67OE@Zi?_~>8kVokZC3un0k!kBa^GAXZ5i0kN{Yy
zJuGw1P$#GN2wX(eZl`<M08w8HED;DJbY0DhfIX{drZMVns_CGDR7xw2<NC$r;dy(m
z+??;H9|*t7oY^Jt1KQLWp6!J}ab<mW=GEFxAoG^=^ZKF0)HWYSmthmjI$^K`DnXAs
zE_OA+-x99`PLSgtx4+d^^6ZTqp1h{r$TZ{0hgxRzvr=8N9$HCGg^o(kwr8y!-p`N&
zBDHL4tDh#Je<4D)7HTSSdh9)WHCQ|&V#fO{r$0JY!nsBsXPU+Qm7>fn^dGDML1NeR
zmvsr}O;`_hDc4+?U;(`Ebl{y1HZFC9thfm|IiG<^CXCL58l{Yp&8YG#aA7xe!N`mb
zh!gbF;^3RTQ++#w{t|Q%QD>$F`d!v+;QZ0)_*}hcy#q(Q)uu7g<~<WFO_lmhLT#9j
z9vbpa4gNbbgcx@Bn)U?SD<_HcJI_36A>R=;M3r;a?e>VwM)H>jUsb~x@tE0C8L6JC
z0<L7k8>PEGLuxIGdvaX!(r@tcEiQfuvb))FSS%@Lnt}(lLDP(P#n?)=gvQNdWV0*p
z<?-3cMeasmnHOc6;{tWqyRBILvSl~@`GB#vOap>abq$*DO2X=Iy3bhFfQY(<_(H2u
zt!A9H7#HPyLu!nr+|e~vP^c_|@s2C_t^hPmFQBxP<BKrz%?4WUfbLe<-t$o!=^jg9
zWI72vdv?1#$69o#4sP)TKuJwP;tHPLaEiu+FN@#Ak+>%ijs8fK9OOg)u1p7X(qgQ)
zvHur|+D9&+YJO9eVBw)A2X5)v!gc?G3Lx~+gf*>xsQuv28Ksuh@$M9@&^W$ads0pD
z6IvEgrBybr$LMq1{sKZFsK1&g7WIOImp?!i%_l{MO%Y^liCj-q^wHL_hK111&r<3w
z(}=8+cy!ljMrz8Wj;UAxplhV-En0w7K|47t`(216`Y>>=t^uZJzwPu*r?jAE>b>y<
ztG&g_=lRtIPBRxJV}pML84{a#V<Go=+agS6)u(7-_#)u_hYMQj8kk$Wzi>FDS;eEY
zw4^XDd?lU?3E(mUTId9kt7?vmARDm^Ias+Y8o#_ji$POX$JMjq#qMk+3Zz_j5$X03
z%2vsRN-BM#83c83lR8-TYznu<btF2bwyuf!xpP+6z=1E{BS;l%K8=ojLT7+Xum?$U
z2<6Qau!i<u%WgCo_Ah0rsH{rhZeLH9H8JbKH*oM-fOvZ&jq?7*>R1$>CNZDWO;ko!
z&o#Iej8=FYKk8fAey`F!l7!OM9-tQukJT3ZdH22se5m6-YzAng7_<MLc<n)<Vq<ov
z{ZY`yN?Dq=Ty?*SRI5)G;ZHUb_b(DUB?^I_Q)Z-1Y*yb?dGBuAq`Q7^sbbO9e}2}F
zhP1y>yCuJF*>OCy$l!SoRHfZZ_s6uU0p7*PHKE5*V<xW6+hM!gh-qDU%>u2)KNhd}
z&n)FIQ8(^<qwI9g`=_2QXPM{rfUBd=+SfcNr(R3jXRI`82zEM?+$?TsUCaRziXWop
z!p0b>{)X!x&YUWfE==+>iA1%Wd%v5&Nu%`hn(?SDbdf8C-~qhZQ5a;X0ig__#1K*o
z?&}M)OQBwPr2|?K9%+9Xz`zTd?@<Wz)<3Ya^=aMCki>U~rHg*o8zX!47oAav7q_e%
zud8q?Bx}{+cgy)?T@Y-XYjo<aoEL4ZU9~3k>nXQ(5lX@mlbB(=3Qx`DFSE=N3-3i_
z$(?`(>o_Gk&3X}tJ?giq=d}}=kuFIb=8b%W?FdvmHoMisAVNhj1o)x2hG_~SK1UTS
zb%+4zGz5K_?>OW6vmzzdmh=ENXy?o?^mmuSB<AC1C=74P)AQi?#$goVlov0MTWu+o
zgFK~&z}2-VOdhfpy{;Q~th1kr&x=Q^)r`rjaXF6}pQwI?fJg)|cTO2kxRJr#`McG*
z&-}1Lfj>Ywef)8ft?wKC&ptOBz7c?vP!PJAt<}y}?^;#7P=`#k?f@gxztOwK6^`q#
z`P?{<t|7nzglN1Ng~r;lmYPm)$G=<Un-fqokc*`ANE=*@dbV8I(g9^{c0@|+4i2Cx
z^D;^URZ`i$4FSO{$--lAj+S|o2`Ijg!xVLz$t6MR#muEDW15W}Wi!_lt*aQAvhBvq
z_?mz9_Ol!)HqV_Ne2${lLbL!T;I_M>>e1A9de|KL@5j)jv?AR|P&hy29h^ofQGZ&x
zK4i~~eMLyDNIv%lG&!{l_HQ|enD9({diHi8|M}7x)}pr}oaoQvg={d{fFm9b!c#@q
zA8B*Na+IPEcm1$lOZ4D8nqgO}oUfE|g-m&D{3JHjB2G<{+@!?IKCufG+E2w%++&WQ
z%+y9h<-I6X!(T-)e-r(I++u1mHLj*rxbeO9`fruCVcqV{xK(dZeos|dx2HQ)(r?nm
zy#G>HzwZ6{=l9N6hrvBP{|Hv?i*aY$8ph`UU((OVxtuN^tTX1aNYo$6?mDXy@cAHD
zffPRT5cexwrbnx3$d<eNnqSN$!@h{p2;n$da!_PJumWx7A7K|d()<d7T%73@mV)Vg
zhJTS*5(8FUID`GBWC_xnI)Jrkb94)dwl(1B>ZuB%n2EC%>(<g%ItH=l<Q6!29gFO&
zB-Ap4rtxZy!kL!bK6u$D(G{`25hCG{h4F&9Z!N?SZxXi1`^LpNm1*VfS@kUwfDZ7s
z7G1{NNM7lEJo2I7`9ZPdo#*-suf_4q&H+m{&s3<*lH*;2eoj!*lVzj!7=cg2wjg62
z^u-tTK%&KvAsh3i<IQ1X=>)SvP{FQvY}SoSx|S<p&Bl5QKYza8rj#$W;p@~R9P1Ec
zqhTPHdbIXIBUVNBxksvjl34am)g@f8e71W;fH8s;n^Y}?Reg5tYT+!|aAsf#%2CtS
zkej^-vudaMELJYe9XFlg`N4%D-c+Hs?vE0s{lWeA0+wBTb4ezF0N4je>>x4Q*=q_i
zNT(?rvAsja`IdZj!$~YuN%7R}b2+3rn8=)Rvj$tXY}FAWSSs3VMN+FiUGG%%8jSl?
z;-U5kYT@Dy#Gk?LmbMk(<SDE%fsnkQ{H)F2Is(9JxG<&l@!1(F#hP$fyWA4gjbx{b
z&fmRf2k}kfMxEl85wJJU`b*2-o%To9n_p-&QQ}k@$;|c{C9RTDnvJKm_2GnYZBIs@
zLd60ox=R6i@Uux6opLS_SefK4Qy3&FP`hL0XS?dwcGd7{d!UDqkLu0G82gXfst2M*
z+#<XDWWvZnspxT^lib2d-#2YApjVD_@%=E)vhm4>?U#3o&tfGDebX5tTLBQfA;=|r
zY@&w0_urR7+A>dCg?umZ2Cnx~vmk_gHS;s6V)#iVpnGdqjs`O7z7Sg#fTm7^P1EXG
zgx|{4nqglYdUzwMV0O#htwNb`v!pDwpS<?5zUyqfsC7L1<d^s=k0}zd-+y7Vt`(Wa
z^{PDH@x;;tBDVDH3@)Z#th#ojHtarcu#A$IS{@MYz8@lHXmu@jfR@`Jn^zM2is`hp
zckIn?yUy_2(WHJCm`3caokyTbeo*3k)9$mie@M~BhS8U%y<*md+-KA*)Bd8*YgZMK
z#&yEnQss>^>=b(1$L|uk10E$T%|xfdhguL~CaEZX9hzR^U-a`S>t>`1+nR3%1*lTq
zMf{X;WjC_<zQQBn%`ObO#{ZnTEX_qdNCvMvS@5?3>+5Q!|BH0>=}9n2T7jjdN@I43
zr!79IXo|{D#EFm?I*{8y&B_d~8>b2Gsr_=8a8+(1L)CV5^+ZfaS`&a8w7z)(@?6a)
z1sfiWb>9+l=W3JmS8Hg~5!Ry_8f&u&CLKx%7&vYuc&AZf=u!34=CU)WTU4r?80Xq3
zuGsV!+O%)G-e;<Cjsq_VR(iO^X98>$*&A6+^ct6)ricedhixOk;;uPR$=`?e1DmMk
zWFbK=@x!I4+iG4}TfI;O1Ij+Dtl8qZhzR7AQh2^EtZ74MNtih{GRs3iI5v-w%YZ%4
z2%q=(m`_SsZZ!$Dsa*UOQGnW59*j=X5N#XzqD*-dHPC0o>%q>7S{ka4t_~&fKQ$;8
z&Fv`sa2U*_sF=GDir}5_-ano+%^0sTfEG|q$Ct!gLm&^PA=&DA#ui`W)pNij3-x^h
z<z#)iN5E9gj~1_~adJ#6o)5kzLUc?+xkj}lj8C!qCI^%1#2=s}Q^dJpH_cClYYW~y
z1q;5I-h=h7cZIbV1197=e1*A-q~AVI_lT(n1JcJd-(-Tnfpbk$zh=aL$^hmTvdWQ6
z@or4^eD?iDEy9n^(2_PT<>dc5tsRe=)jJwrdfF%f=rKLLASO9LQJdwPZfH&!NoJfY
z$%9Bbzl8TXc{A#D{i+NN2zShOn^pQNtYB>+eBj@;zG$A^+MZy9Lqb|F^~~XJ`4Eww
zY?y+VF`~TYrAqFe<QG_8y~kq}E5yaB+3>xY-<mxPTfEBJ>LKs&U!-h@$R2nev7Bwn
zlW8vC{JeUkinC6+C0cJPvR+Y7vM3+Dh@D>eXLgaj6{=1|I^ES1rpb4W|LlK@{bt@E
zS&7g*+g$~b>dYR6RjHrtNOx=o3RkVl5{<fzbQyfrwqUNSPFqOEGjA^CEAmPxztmn+
zGN3D0g!%8ZGiAGUEu>p6WSoV+$#><>(;IZ*H@o1(bvN$Vb%<I~dCrL+PFN<Y7CL<>
zqbbD~Ew?Km|8)0XU2vOeneFJ@@vIrZ2OEX5g44Qb`d7E>;@?&pw@wcR&_(Pp>{h3a
zLJM1rD{Yci8L0_r3`9HQMQiYyR2~r?#oi0b@rmHVz>M3+AD@$@jRyI3FN+No8dA?q
zNYFbzradI)VD^mGpPk?7J~W<jl6IKo^$EUWP%*sM13ZGLx~7ly>rdv>daXuMxzw3|
zF0Ni>YigC>{;|s2yxiEhA@b?W_RljBBVVgRq65dHIZIrGqu$-AEgRqy_<rGKLN~Zo
z`Xd7T)BKr$C!Raz^B_y)*RwO>U4()sVc_=f#FZ6xblJA2gp~~u%T&$<1yIJHH<ofl
z=9-@#2vDdH0>5ip7PC};k+danUZDH2VV4gvpf{|YXRNsIQ_asMTL9~DQrC!8w%x6h
zJUJby7KS&&;YHRng20t*^#Z`;aH-{Kv_@dJLZ%6Y=ulVA51rOQdO`RlL{h}vW=p`I
z>rm2R>?|>j=)LAznJ(^f8d$fAoE%F{g~M4_Drpa&k$NE*o>49*>)s?XgSpw_(6{E0
z%+%+^$qPbX*7Cq>9&3Z86}4E=p?R-XCBeTa$&kpVZUz(erYX*n--JEv4<rZ`JlAcs
z3n%`7-BFNFCN$qc!hE7|eEv`;GPM6#@~$*Pk!4%Ie$1P*#M$>yI1MSWr++;jie(zO
zcffy%cp2t&t!8y%#a{O*xH{jH4Dzhcabyjw*Emc7jrO75b{)JCcz~)I;@EQUq@gg>
zOJpmNKkoxrM{Ox$F6^7AwV)EKM)E~XnbozvQsr)hrrsQH#4ptUMG9~QT%QE*FX_JG
z?@~h&xCj(@SD|8zbBhkKqh^)rPODVd+Zls_giURQ{M^xbcU-uPlfRmCRl2w9Q5-oJ
zwH+VMzH;S^M$Uoaz6GT3p42BNrzgY?JXiJ>Q*RV9Q7%e<8c$cXQ2(4q5e+roAm0%8
zvK8SD=rn0Z0({XV@@79*TF>m%S7sd8^-g(b=Vg(w>u`}s_X&=kI)m#mMYnP*vIN0O
zL~N{4e#D5zvv^*`JM+8I!z;8)UT0dO_LVPKz&PUy0VY?vfw#t^zA#d~WV6$4>r1U>
z7Snb(Z5fcSnUR)<DWpN7tSH`MCuR>?*+TIbRwv+bb(;-qC@II(_~f#qT$pp&*l6i^
zh@Tq-+-e7ueTMCh!iW1yce^neXS9qwe?iVTUj*l{-rH`tJ2l&@LZ-+GRTx+%YMF2+
zQGcG<Ok#$5Sbo@yqLJ1F5c`2utSPF*RW~sen*3n~Md3lpFdK;u{cunG2~}eCU{Jcz
zFoXJht0D8S#3-AC4*R}!SxIq1orX<9e;y<*j%o48m_zvQ_6Kc=DsDUIHh&YqDId$w
zXb;?o5nBx7Xoxh)D|my4UAo54<KzSvACvk-<o^%8r&{V6<FGIa06R!@xxvZB@rOvS
zEsAk|T$ZQRG7oB;gi8%zZ?NRgKIj;j%hg2~J@hrEx{Uo(GsG`*L^nUzf9k(jhCgu$
z`WcY41$A7%{MoK4@7l2lfa$z<&FYK0hSv6<iZ``?CRX7_>*I$iKcAsR;}Ki8qvP+r
zN9c1H@UJpQ16X)uv4i|<4lKdnOlONkYVxf#frQ6>^gI0HJ{{zyruF5AD6-6wwnpPl
zMphH>_(lNe%KdsDw|H?hqL9BRXJ+|C-5IR=7MgP;$<LaAWN7WaRr?{aZL*lERT*()
zZ4T>{6rQ>cfNn5XL++%xV#ISSbxT4%@SO&6hBlJ}BUV`T`9)9Bs<YYEA(}t`b{~Pz
z!Yd6q18sscFXDbF9#BpDR1O_0*uNto-a?4i{v*b>$eA%&7Mf+qIKg+V2QtY9+3;1X
z1Jfoo4Yt!;KKWd)v$bz+A%+$Pv}?Fp+=7=8)9T3%1>5Tq2gGNK_f49N?5AIs*I^9<
zPbJDR1q8py1uv^&BX8Q~mN_|?XuH){>Q7_~-a;u`V;W)s<oyD7xBdbw%LR^>HnAba
zRYzHVnXh5s_#N22XK}G<E+>2~*W;>+#wnidP!M=HOkDQWzNDW=!rGb};GNNI7Gz65
z9KvgtuWKD|sXuQD*13Z9=YSuw5_=~MCd&@Mg1~*B*@L!_lLoVV{rSxkQm+@ye_Ahb
zwC_8p=z-3zcLQ!EjdZlQ!_s{o%eSXgW|{nr<Paa>$}TJRGX{~<oIuYzCL0AxGnZfk
z3$iA*3(9YxV9mOrz%Sc<G^4@xiFRNO-ytsN^`D>;!(xA;jQ71GzzWy#_FT1M#ZdV^
z$|Qr8j=IAACrSGl4iYBPAba|gVG(BOqOIW6>zSZdTPDvS<tt1@awt}7EvB>BY{5iX
zA+!{Tf?gSzJDk1KmIGO9{2jAO(LBf-pv6?gIS3_RU`?6=^;s*eCqO7Im?BC!cULjh
zs*cQ{JD5*Ks>ZV;khy{gl(ZU&&(SG;azgA`*A)TBp;H}_27D%ztd-9pooSVy(rlhf
z;OQ*!#*bQC?NxKi9@#7?ScL7#;?uW>H6!Eg6uGuzv96gBawO%uJ_-)WGDiFR#*zf6
z=qr_88yBzX$H~Da*UZ=SqiPOS;i9v{1ty<hkoBb7H8^EB{J4fMi>r#ZyYKiaP5Ne-
zrgi+{cgKHlh5h4?fQ3x(wSbQ^x7CS4HlSrCAg<S?u6aa+n3H8v+2vQ3RJAkI!2oJ)
zUfot#7owe(n<2dy`8Jd4Q~*ikU!+X0?Vlmyu3$U`Yv!Z?#I>%46A2c#e>|z&vZ+sl
zSNHNd2loV8c7b)Si6wn3jZ(3Ukdfco!@DmZbD4)Bv-hC{QF7exsR}^L_M<TbR7<$O
z$;h+P6;|Q7VLr|FYxyM~T74r}fk{TW*l=M~5uroDN?f78>51jun7{ps%O7#DjIAf7
z2i8sG9O|4NLJXodt5&AA^j8gXWOuRhUZlP>*<Vi|zmwtmyvQjm%)lyS(MOyyG(BML
zq;Kr2dwGyu&muu;;j9PgP`!{jJnUfCg#n8~*IrdpTB^m8_^7{!(8DtKi>r2~14fIF
z19<OtqFLSI<Cp&;HlnR!vY~PXXd|ISu}bo%0Zlb}v|9(XQu>`1(q=cX8?mJQ*h=Rl
zPubUt5~Q9SjZL3`VOwOWh@Uk+t?|L5g5B-X^(Qnt7n-k*-4A18Q*(0@le+&@T>8N6
zty^<4gC=Hq1G;nw$4Dasz@EhvN;Em-{$d|Yq}9kQyf!Z@ax9CXkSkG0E6LV}YZRsm
zh{oYD?%->7-&=T4t`kel`;5*U{c%{ZvRW>~Q{Kpq$BL*qt1oRanmlYjDjOq0(1>;T
zTgS)NF5^V?M~XgZ<C*`Zi7ScYu0ivT2&YM9n_d|ka_IA@#@0LIMb@~nkMes)jXPGq
zCz6SD`+#;4eQH0f&Srl#Il->lB>LeU>p$jwNi0Y17p=M|8Yz;~g{i+RW}xt4Zb@p@
zuTP@1TudxKbch`C5*J3-t64@(^;zzrrmW1~<Eq_9^}uwQHPpDJ94im*b|yJd0mJwG
zNh9!!dW*$+VdG<j_O;B_DR@qFGKbaXg9Z2VS3GaI+bK0Hj@AiP>w0s4$@DH-TK+B}
zkEFSi8A_Tkz_=q-WITK=Py)wk3BL)|Uff8J%oE^>&F|LZ6ZEKKps)}EqgoJSkTv6|
zaZ<>4HjebYjMVKkc)m!Qe{iR0EB5EX{@d;pd^@oF{`6jnW?)C(Z+PuV<Nf2WpjPI*
zFODD0t7~ZmK4*+{#hU?8)WA>!R{tJBZ)e1v2y>}#oD=S1J)0NV^w1RfKZ$WeljsEj
zFYYP+2mb>n{C4Mm-E-5+xqkWE1@|Y^rK7tIG@9cs)wbG*Rv%S<FcWQldx$hG+o?r(
zdJhdfe|0f}FA|^BM(r$57gjByKc$6n#4~odp{(NOwTHVX2K$WmUhum><0UP;*i7XE
zsJCp=+#nLml#LeJ!jQ7g0_bD)p$p>-Lafi?R#a2ZdU8pPRRnc8*UYhS%#r+sZ(I^u
zViIfjY0E$MP#97%uc6fNH`P|{;9>{9e^<Y@MU7K)23oOTTJfoq-FSwimyWs$8-Vq3
zWAl5Sh!GyU1$vkYe-xtST|<{Iu-h?5NJi|NcSb%t?W7vFC(p(8SdQr4j|~N7jZq9K
z<vAAS3C-&K8S@$m!(Wqb<5j2243Mhwc*i0YJu0i74;B*~&bt3+=_5;bt3njr%uERG
zI6i*a@-;}o(fWLVSXkl#i7PFUheGu<I<}y8vr(&JR8dhMUP}{9y<g-x?+bF_O@6tC
zhr!yz`ef`dyBoaB8GLB28aDnmH!$gTtx)#d`jF_e*DnYR!`8xl$;8k2C|k&W$n$cT
z)lB|9>Tay|{}k6Al8lcOuMDiKUJ`k2a)ddFkImj=b{wyI;Uu;YymM=*fp8OljUwr`
z7Hm6X0^h!Y;*+{r3mtdkJ}59tXoSYC5aeCY1>yDmC9PLr=6V7zXS%G77Z%gWRKaUR
z4Dxsc#0htt2eumTkP8$hByDFfDvR32?KQB}U;zqzNlM-r_q<8|;zt(UfOlC^kAtnB
zVL}?7Y9}O1i>j-J!5swQ)F2->6PydQWxHX^g2&RcPpaVQWoxf<C6yjEq#G5psGk1k
zE942Mqri8}FLEGIEkRXfR#Cg|b->R<;;?$l7jq>m@cnYL!*V{imlK;m-Qyj<U4e}{
zAvEU$$)8U#;*sJC1Y#mT2COSgXQ3CSn6t#xCj#koi=9v}VdGxc(3)aKrc?Vlv0vC`
zLkfqQx9{1lwaM1BnSr?ah|@7p`&wqrdAiH|ID6B76p-3$7S0^{OePusQ3d-cu`F#G
ziEtb5GfwzHgW@E6_zHTPk&xMVUqc&Et*8~m-RL|YY2wB0F->C~j&k#%7#q58smCD<
zZ8k_OC$U4dmcDDD-<p6CtH90q<zoZl%Nn@tm8djtS4_Wh?vIqZ{)@zq{JXA`s6H|Q
zPhdX3MW+v&!3bk^sfC}W;Ocertak&vxDjzGd=F7isM;2J4;nXk0{ULR?j`t~xiKiY
zI|eUW>1y{kCOavPYWL~pTg<TCG`eF??4k~%F05}98|NcJR8I|r8^-Ol=SKE^o@uvk
z<O}T++>0oj>(8tA);j-zezpGn4jr)m<c{Km_@jiLuJ1t#QT&mA`%P;C@mshGyhNU4
z;`KK-b{V>!uV3-F5AHn>YYCjef6*&Ph+Vb*(P8k|u^Uu$btVldFO)8h9nM(Z2;An@
z8<dp?OU~rEsW+)T5%+-VDXzZ>RsAz}f*x%Vt3MvZf-UuK&8)G3DSWRUZ;}70F`pM}
zYb2<Y@*pVfAXK@!h(qo_KSK`P#4qn8-Y2WPdzZbV!Fx~AY^n+7{W8`Ucu&yFHDvSE
zcJN=Mb|U8$+Ju{3D&Si~;KSR@MO15q<s$W|?Uu>A>V;&!WI3*a%^*huy!K3yLgN%4
zLEXL{eqv^!1A%<T%A}H7LEqsjRk*!t%o(dYt6Q2a*k;!Tv(lc%;<7iXW539;hGEOq
zx*vR1@37H<DxA`(x6}U8Dh!IZ064?G3Q)?yE*lK}?6+2yIfN&>gxa#!zt3pO>3jx<
z8H84Ua2=%lbWFKVePIp#ER+DTbWEFPsc=$l#ZA)Z8;Lym+{~jfKf`LIe99?CcJ`}^
z1Dh2{&Am+@94^6NwRF-LYwY`uOw((^P_fV|7cYMICYSZl=0LY4Vc1tf6fp(HN21k}
z6wr_e%-3sAx^Xu$OD}b<RAa-GqM<KroJOXK3L=-{X0@#I|Bt?0@&5~p@1}Z}#ab(U
z>C0oM{6L+m>V{ms?X$IQ%NL7DR-0UV1Dphz1M*Cp!mP(A8C`jE(%Ln4WB#iq%`7SG
zEH#1cAKiK$B(3gZTV1~+xliq=Zsa_sT5nHaS7>?d=Vw?ny}^}c;ka|&oz8%Gnr!H{
z;iYg-Kfs8WwNwPtnWZ_A8Aw%wCgj#yTVun7k5QQXUx^I9MXX)vpz|hTMH}4$d-coJ
zB|+JLkr-T5R`+!@0?$}+o695@xQkd*_#8-$<2AJope{kClHG14X7A;TLPRI?1rb~(
z?WQSUrykKCRyX+Vkv!qexq#M>)e>1dHCb3-2=&5IJ-v75aqV0RL2FEmlwOl)sU6v%
zx|#jrG$CH%+c4CuwrlYYK=RcJSftK{dW4>vHy}14i&TPO?sKz&r3m<}=TA6h`n$9)
zaJQ31NQuL8O^*<EMH?8&!BQ2#?lzYg!%s*Jn-ZQnT|B`9=<086R75pU(b_R-LXwmX
zt*lN-57|jgnBb@Nj51W#>AI9wc#SFw3VUiWX%Xs9O0)wlIOaxqlK-deX`S=W4sF|q
zs|XN_?Zg!|QXs0&Y8$9B>db9@fn!~$PH_%=xI5BVRL*SoQx*?IQHnxJjzkyNN>};o
zR}I2RUbzVQ1&-y~XZE5CWM;KEmk6BVi0jSNVs#dj&jriH6LjPM2>!t3Fyl(!ui?T<
zXx$>%PHb)3UGtJ%E-_<j9<Imz>mVZ%1yikj93lqQf`QRU_K7k)I9)m5(gp<^gx&_m
zZPWg-dwV~0Q`?FZfrXYmk}n3Y)U36-tSQ@yqvTIlN1Dq{AI(LNa_BC6{yc8M5>`-w
z@?*8W)$}&)XOulJ2cyOT;T=NQ!o)iO=isl4SX58CClE8d6AKGXW~oQdX>zVO?A+$g
zAUCK1`Df~hbYmB+kVyomP*yHDG#kcp*mkzp<6^P#eO0B-<l^F-P%`u~i#xI$uUI?`
z4M{otN8$n(VO`@ZV6e!*sEce61CVy}rsWsEoT+A;saM5wf}$ALkG3N98hRtanebZr
z^RU+KNTRRSExbir9}}=9?dU7z?ItkmSQ$CW0fw2hZda2|6UgO+y6doPCzOg`jHp(J
z(6xV&ntS@FE)DnOZF3jF{B`8t`!u8MWTh2Hd9YvX8+z`o(DnWK<9p5=g1+ozsS|HO
zh)=OZ4Q8Cmo(P*C5?y!hA{`hq$GWyw%A2938fK|Q)Z5d9U4tvYn5~#`etLi1yKGv_
zT+t`e9P8DJ$`M}pq4D0R|8g##XBAk7l`$ysNvf2}Q(_V1K_W7q{+^UbvXl8<1yMAs
z+<37^d~kREs&T{@MkWGY)u%(l`39C*hhjgdE#9a-YvYP(-OP)Y#Ru(|fH-KwlB>p9
zkKH8X9@!-Qbg&wS!p<*-Z+R&xN$k_n5j*v8giXVX6~Mc-wRuy*5j&xpo+(;>8<I@P
z90vRGn_`I}?S9BM*TPGm3M{|cJ0ev$9rAK|#9b8hce5w<JI7K&;>Zqbty+~*S9rAh
zvl**FfWe`09anY6cLv*mZDIiUs?o%|yG{aK;=Z{u*Fe!?vhytK*j+(&QlGh=8Sd&J
zd~U`qSYr#m4})7G*Q7>%E%}N0#@SEx(_PPK+QFqdI8T)C7;{EOZHf^nK5ObROYE4C
z#}<$h`(eP(HXD}&wnmIoZ!)%~EP0O+Qg=et-QKvykuc&8vez|?C!_1AQT*djPZ6c9
zfIDchU@1s`hY+(~0s7|s{x8}_1_aeGg4W%+)c4-{b~b+IFv;jta6Nra)K?UiKP@u<
z7l(BAe;iW!ljFWM0q8~)4%3}f?1Zf$jl9iFTC&h9lgn#W8#R=e&7gx~h40usm)O{A
zri%Hk3|tT^Iy0joUf;ixts$wU;_(AH^|{;c%9%cn{T%ZVEc&LxbE@nM9B-cr)z|8H
zz_J?r>{|u^vmyE-m^wCn129+(aBiQ6lpcidFTso4Ge2lfS`3)nA=91yx^~&xhLv>?
z7Wy-~H@x9SVVi5>ejbffRVjqftX?2DMT~dg&M&igttoefndugh{jq$T8=Ui?2*BF6
zWuX+0Dz~l)xL}e?(eZ7;QOGzr4{YO_Ob3)Zzd`<OS_zLgVoZSyCuG)LBG)HP66epa
zk;_&Sb8F0FHDOA1gPXtVD-R8P_l-pAkYuI{*s_9q__FY8P?6oD+Llxvra}tsc*N{5
z+Z8p4q?F}zEF=ZgqOm~daZ$?+`_8W{^S9p&ypl}USDZ5ytwbB!*f~cN@J#d>L)w-T
z<=7aaEt(xZ<Y7ObQMH^wVD-JhcI7!u?%Ua$T*6Br>?Ef**qwziube7>OWx*I5lWl>
zMIoVZb$3<)LL5vgrVPzzxH>t;wy2DxZPOd4#TSnL@6lnQQxhK<_UPiair^Z)G<=sE
zUXS<vGuqBc6R(WFcq-3a6YU>qGzT>5H#81qvo0~|rpsjq4enXEQLVS<B$*k<>`A+u
zg*C<++eQEIGE?<ygw$@#i&OciCuD`kehYFJ_4n5ULy11^OqF==DsUXd7lu=FtMo73
z^M`FO8vn7>CZS~3hxTJJ|6M$dZ*}UxlZq-0)BK|4(KYZ_-|Yu}$lS!+SF4`=Ci`aQ
z;C`mLcrdu=GUCS$_#5IUWgh`4&ep1HHqsgKPde`QTDz|sgRb|A5RO|q_=O7U8yjoV
zg^|e*MpL*bQyNqL9q{T-j3t)~qg-;0URN4eQvEgb=RxFk#0BCX`J}z2m#UG9(qIq`
zA~CKspi+1+Pv^*Vk34k<D+;S}sgUZxtTpnJ{wZ0om_$D5QD$mv61M?rpoeva0}t|M
zf(QLnh6Y8PH_u4sPky6*H&@I(OLtxs_xwytL)jWG^OkFJ=NgLGB&o>#B74_h$Irkg
z&RYHTPU=FrkA(5x8f52OomUdnR<}r7^c487D_id;QImgB(VI9Oj^H$z+)*)T=uDWk
zQ0AHZ=i)o#pX#zkE8`4|len_|$BXT!$EvK5`(HY#i%<f)NK}I>IDaKO+qNgQCu7XD
zyr3B7<;q%C>hOvGi5Oj~iG<aivrh?;=EgV|eOsl3iTc&#moK0dr$UL4Zeg_PQICjR
zFYP-tFk@hZGbXwDbkqpfaH`Rp5XHT~dUZX^LL0Ven*E*NrrU?mJMO9nA1t^dH=$MX
zLsD-O;G&QY=kvtN<zKUP1!@wLK|<%3=VbuQr@s|gPp{8IXMrN#GqlyAhLNVO)lTK^
zX2L=)#uBDIY9DV93YK@;uiVNIt-bv<ac5)4;gL~4F=xZgmC!$P<&LmzpK_d4gE8dA
z%>NSwiNe@{@_gh#n9{UzaF~SNc_vvB_=a|H8+J+N&cUt%>c!(I8W>tle1cu7wJ~^f
zHX9Do*xl}QEtq@83~a|;9{6}l%~tFrXg89?U_6w2%SqJnc013N7aIa~2iyq6q^N!}
z`~B>uKpU4FxM$%<bZ-G%ZEd_{Xd>57!&cUAURRRtz^yHv(2fum!Z87~)y=QBsK`4;
zZZY&7KSIVKDLfu#@hOXKmd!3SwvtWO8gp~B;u`d~1*B)jl(A#5SRAeKvpL5uk^|b(
z1$^=>XChV{8#b1dyjFad-buCq&gQs;s{9crhJl3rMF!4H%f(H|Rarg3Ez|KuXxiNq
zx%9s@un9hp01^9Z1t(5@soLx9y)GHya~9dBjj2=l#usTd(@MmMNM^s5Ff7N2&xpL1
z8k@J;=Oj2Rgfhh->nthnY_IX?qjm{(n|R+WPJGP!qWi{}*<~w#r@(bb#A$!2Jbo4y
zBU&=KR}23?hBy)|sOjH_hNC>~j?ema*Z*F^OdnhNT{XV8@|l+V_%r_RV)C|d<^Qpn
z9Q^+^lh=Ngu@{m*7^nELNC=b|Q*4XA=)8p=Dm5|fe`4*Db!sV1fj5&i{%LNTn;PjU
zlgKpEs+l*|*rdu0Ca5PV?!cZUcpCxw<^=-?9fmk*3>Gio;|>zkCOxW?1-ys$fs9q&
zjRNSaY;HipW~8u~Cs~n+CuTTOs+Od=ciIrD4kH$d%r+77>aUEiXWsG5@XZ{!pquq~
z;=HizEJdhyLDyjc$1=H~_8mQeW$3RN9-0r`tC28-wAz9lEXL|9*EYMU_wjP!h3B=W
zXj<Ebfe;A{2lrnj=ywJC&RT*Y2%9pQS2Abq1;2WZKXwKr?5CgKi6zGD%4WG!aM-^{
zcJ}{#KP%HWrZn4fzHM>7=QjcOR#lr(3;O3;pl4BhZE`xxPb+HPN}}h*SJWfwp!_+%
zPKK!OLm9fo>EU%Au(;)_0C)vdG;E#vlO2w_h#RvLD|nX++k0CEFhqQ!&I%Ii>MDg#
zkH3bNJQ^~X7}F+g7`c=h)dU!(rT#_I_#a6EMEn0G$yJ*YkBd`>YB?X3p%G2y-WWP}
z9sW0C$Fb53e7R;L!5j^=VDBWOI|Qg(>9O{Y>BhfEzg3?I|9Y5-9xdN?Yl@aK&vj0S
z$MM6y0yQfHI5bRRJ>H<hLM5G;?e8izL`e&;Ti^<85I*S71PF2A1Q!%wIh`bb(Y%WO
z?b`iI5AnOdBG)K?tvbGm(0-r|wU=pq)Y17g>C1>byL*6iFlW}X>c~@;{5s)NQB;Xg
zEtl_LCVXx_Ys#oBk$;w${TR5BF6ps!a=WZRfJJQ2N@?tkNI*+W<q_%s)$)-NKX9%K
z*0_F7iBnirS_Fb;!_%q`nWDTA)T9}I6ljftr0sL3Pf@p)$3QQRtpLCdeYmHmK0EZ%
zFitNWsXB%^+CwqSZ_ogfyvaRx4TzM(q4RcCJ8SiWT{iL7R}ayA!(tTEo>3Dn=rB3o
z2nzqD<jWj{>8$kNXRpAe<bFED<E%*&v|B`ew-Ws9InLYKU#9QkZnl!j7l}f-k4>R0
zSaImTp8wHajYM`|7~iWaG5d4JY?0)1u{1nVK6J#^XgD`VD`)?ZsJ)SVq9Mb5HzQ5?
zO^#(0*+Z89QOdP-5}9=}=r9Xtvjcj4@ZAZ1SOIzO1mEQ6;mI*66vdyMj4Y@oO@n>W
ztg=Aim-W{hd7&fhR^b48Pi0CD4H$evGvSoT@E}#Oz{De8ASm*mks2-{u~BK7rN(v*
zq^#2_eG-h%0o#e-(z66EShtI9WyA#k2Z|zI;l|x-6jY4y!I)4hZ~kgv6u!)<%2`9;
zpj-UWBzLFFiTRdsUs`4!^hw??4dNZu<kh$3;7>F!YvLuw+^GxnyJ@}#6D(R143r4#
zcc|KZ_~?aD!@VTvDiRTWoxs5~zz8Nj+KE#vt5|{%ZOzE7^;AIzr@d2`p|WaIuH8lN
zIH1!4VYXv+MF)8EN4WCX@@Vm~A4Bp>+rP&PH$WFn8x}Y|Q_xw3s~-!kT%-dku)BRQ
z*NTC%X;HC*mksBWCz)S^MU1M<(U1~?_Gw%-spjsewL1RDH7zp61AKHAskdN_hBeka
z0(3vwdqlJV>`F<pTP8jC#y*K%ew0<Dibg>xhZ{8<Jg4N%TadOV+!XLE2ljGH-sj#-
zwt}>ezA+5Stp*Y*l2{*v`#K*qymL?Cz1djzG50p9PLyH-&VfIsyL=|cj260V;!Rqo
zn+3aDB8u%Ge5X&{tD6Q(R&Zv_wU)&5F2&1l8vJosL6+GV9y3vT&YYF_@2zk){gi~s
zU=zPvi+IK{gT#wP9g<0`K3<}>$HKW{7@IG*j_mb`p)HoxlDRnP4!})DD-DmO7J<7K
zD8OhenNa9!>L#IOmfP;m7dvCEg2s|_PvEK8_eRb&^OQq#EfT1xE~J<@jh|iaBS!&d
zVy7h+f<*b8K|nmu8j3gEdUlN<Qj&}mDaK@`?c&@^a+ry?lwi%pK3w4Tm2%SEbPx(P
zHIS#-?^Ib{U9uzU>jNP=R&8+OySCTg@M({I`=GbpXq3dY6tsZLW;RY7`MY=`(fF@~
z)&h2So{N;@xXZj{ZO4*NS*jSn_o*{+T*PfmgGj&)awH2Mt?uGC9br5*X|#Juf3;<y
z=p@6SAbo@KKqrHjb(~$PEL$n6oy*HlygS1#DrE`ZO8;m<ubbpj+?CQ2=;3pI$pw!n
zJI(?9?@C4E1BKR}2s+!|If4a6<;JXF?(yC}FF2uLVA|$qtjg}FRr}I>67tMcQLQM;
zaT2~6mS}3Bv{uYk&ZU5^L}tUyJ-KQNL)1Dh9{X;fN-D-L`-ld1S%|QPU3QZ`k*%Xx
zw3=O}ZLvzwJk@fx6O_fh<@kwr8knO&>h>-ts%<-N)8R*8z>7^?vKh&SFAz(g_#)Cg
zjyU$`jKkf5-ExxyVB7uM?Wa;h)6z)V-pP}UsWTZ;e6{jCM1^_EIq@O%6LT*cvOu$P
z*hv%b^IDa_3m-m0r((4|uQd&IlD+v-AR1X4Jheje)`m-WHxgfeQMjin7J3#%+yI1{
zh_2>~uVk7X4?>LpEU5MGKzFi2x01Z3-jwp8%B4UjojG`v(1vKuNz328@>o=Uhpgn2
zgyPIm?$1_W+$H!3QE*A%9(5wE#ExsCqjI6xIO`v~elBsFL^io?JCxyUcm>6$DXgxl
z2`;Z2srSjIm+Ek^4e0>`Usse0fXJ8#NJe{LE!*&_VLmf<xs&aa<KywJkyNY1#YV@T
zRW~SFk!vvxUo>fp?RM9}Co@B*(yzx2HCT-_;hGioG`wJ+A0rTLED&XPGtG;kouObp
zR?K^)3Mo5Er($aRLxLpqD2m*sA-AnJXgx3MDsf@osamhr=fY-d&sVU%zrTHXbJx3O
zja^iz!MtW~6<PafT7@CCV!0nNU63A|n4^O&hvzyoZvJiEyRhS1eFKW#XXlksWXd<e
zQ`pEyv1OBfeMO?`QyPpm?s;XD=$z!Vpq%4vq~1l+0l^}d3lM9ow{6FER+PITBcZL-
zm7})OM^Bf&@24>5D%Uz_4GFE?+VU@mu;U^=h3q0rv4I?a?S3Y~bG6ko)uD8Ha&q8)
z9=MG^MDT=Qn9$3Zo3`%u*Ao@!Jwr;B0-uD!s?FZp-q6O^naEQBJnapeX4eJPH+_e0
zDk*N5<5w!;zt+%fr?;A;d1)SuDZdaf5vRwqb|II4)G~jJ>enuEt#_S4&K-R*6^eRo
zeJ3}1@NMZ~y1U+yjx!dfUH0dqbh+ep9=6Jjs1dT{D30apwf94?fCf1SYN_q^^@;d+
zt22pTx+U;VP*y{{%NJ`_gLUHypI+-g<?keCnJu&I7^t}|QJ<dn{zYPJznl#F+TDqB
zgDD<ZI9ME?VLSt<x%kro{VK#7SnkMv0hy^61h{Gi{apwDh!e5|t1O4&$>vPNs)+R2
zL4+=DgJ1nPl9{-Ys&TglUA9RMFW*KNl~h12GjRR)-UYAYZMsQU$dC0Qhv=cYF8u){
zBsZc32TTD@N?M$NV787DjQliKp5G3F(`LoLd@?ue*`^%h+s<tl3Rn~A#{M*~wQD{_
zv(;wI?o+Eh2f)vgT(Zcz#CY8PNG~}EG>lpEPMkl7cJ*HHb)CPz6H2>kwWPXl$BAxb
z#}Qb*#Tw?V8<bzgWw+$h`lRg&?^cz$;t5??2{k!Ey_99XyQRBUi&g`;w%=1rpM5sF
zAR6H0fKbvN7#Y^V^z>Qlmt1*uFmO^er;U=nS1na27&Ufa8V^QYPKeD{#c6}zZ=Ty1
zy4@HVaMcuN)C_H2Xtes1$lqjrny>A5CcSS*naeF{$|hmtag^jLO(Iu}*kno2oernM
zNUNY7+h7k72DQN`F@+FH8(3E61QM7mxH{-+h1+MYizTk)c;#HX?x!|b7o27Hdvi2v
zG32(%=jl@Vw>${utl-Jp!%G#SigI}^bCvxv<lFSH)AWkWXtqeI;i?F7hcyG7Pu*KG
zs=5h{kGnU2NV&4@F!;mC#g;ijOi#zX=o?RGPs%p5rCZtKp2Y)>@dTtzNXj<^Z!nQ+
zSm|`@Cta2@TpCgd$*zBgoDOuq?%#AVoQWNUiP7^&)-0XcOJG@AMvYnFHpg>a64waf
zeg_5{usAR`N8Z#58|RUplJXgnf)njSDB|pYJ*=spTcF^h$~~@TJ&E`%XUE<4IpOHF
zVCyy;7bc~Kv~S9A^~WWdyr1UYuB$0l9<6({)vZlycAY+ZYK1S6lX$pWi04*34mO7o
z!sQVR1a)c$!Vu)zSn^A$hMx0`7j)tm4Yig-sEg_^*9+xXbBn|!=Surz<|vswq`Khf
z6VD7yX@V)~MA^2u={@TzGpW1^VJXhpDWd!a_k7mHd;J9<9{*&Tz&?v<wR1-YGLhzt
zBRtnP(r!&DAA=~goxRsX-H^HFjAL{=XPKQ7Kw;YoJL%}*gP}SGS0f7zH_?^kIY<q3
z%nNgslK4qS>#!szrtOlDWs~Yrs{<{8$wo6gthSN_GYL+Hu7`7XC>osst@;YD!HE9I
z@Qf4QOp9SP^WN@yX8rZP<|Vdn9RKiUMfs<X^S>s}qUBLc@oH4esTOfQ3C{v`jiYT>
z>|>IfIFwV}iPV<EP8oAZAQAjV`HA7CXD2CBOy8{wuq-Zzqjl7>bp`H5SNaq&_PwjQ
zk>?C^?p_&*A{yE5hRL)YTuy1((J5RH1}YMptQhXOG4@Y9YT#46$-$sSN>MVg1irsE
znb{iZ1-0Cm)<vb!?4}0%uwdb=4Nhi&2afS1B?t`3KnXHtG|D!;uGVqp;^=udMbHYC
zYkS;<rem?qa?R<srrSVD5DaM{PMO?Q#Ky}X;Zi(>)I%eGccehx$c`h1$_?!%g(@?y
zl=-5B2J3>2K+ef?Z91>XFLBh#C;oIl>49)Ywq4zYPX~fhb4|i(z6Q_ricc_E%=_xv
z7CqOt^dHLW)@X*7n%wJsW?93=)}p8*IH_n{^P~k*cPQ9@+@Eh0;a3|D7f~jd|NKh)
zVhlA}KJH2M=&2gE3P};)uHSUKFr3+1o33Jzj81|v-AxjG)sH|5K-WxgHe9Nr2PDx%
z>~Wv3*d3^Df2XcZ`M&#}JnmwQdwJtr7#SlaWcZjT>j$M}S(LMpEkJ%(nmn4yXk0MG
z-fNd>yN$HmHcG}H;5STLy?<bp<rTF?)5?B<^J4+eiXkxhU1j6tkF0Ox<*FKA*Q_Zt
zuG1M=2&U;NHcQ;9p5C|C=W~&ia2P07yu7p06Ee`qJhSMhXwlIUFI|@sCisC9;+h{C
z>lOK%elicg!hV{KRY0@{kF0Wf_=t=QorSGT<EE|%afvu~uBd5r%H>b`F}n}!_+F+$
zyAa`zkvr_GV8*m;TO-MWMcEKK>Y~WyPm*J<r-U$PO)=j6v4VKFP+!S`Q41(^z2v9X
zG@801C~i6RMRPx5qibO;V>OEDdNYjApQKko!N5!ubjU%wG9jhMa=Ewy0!u*Z$JS8H
z^H!*R#>s}9Qzy?bA(Iz!sN4Z)0FJ28zX<5tzhPM+!yE+S$<okKcWmOuB@^kufeiO?
zS`5OfkM;KV_D|Sje-ua@l&^#QLqpUs9a!lO+!f@A^2D%3+mDav)zikp-2Tz!TB?8`
zf4?jrM%JS9<{Tl#;t>wR<0wIr2+ZD@9EF((G_eXgOq-sBQAb2IKfFz}AnIQd9dwST
zoTRsgu$7?|vHgprpTA=)QNPC12W>&rWiqFVzcTNfX5#C!2a5by8A!frKpiu+AWdoX
zhd)sW_69<3?)M&~*8Uk%pA?A~hT#x8R0Ne0Q~dN%Qb3m|4w3!&jal4w7_<iNLX7#*
z92%PO3F+IdrC*k*&m=^I9<~t{76I=v5Fvwzm+;_|;I9xLH;SJi;eht{21fzce|&pl
zC6*Gyn=PD7amr7#*@%BE%RUC8O87uvW;*>FEt3=&${WtEd62Do!_W@#Zyt}3Ut^X@
z+$r^_C9_s@>BAIg!f|6R7J)PCGgx*apZnPT?Vg38@zg0X>8|fEs*J+ZbyAbv8W-8L
znYq9wHzq*cwJm0bWAn}9<vGj7qdMU(-`%(Vr_Y>k+Dn&8J1A`uuM!dv0y>6L{#S3u
zbX2m0st*KBj6X+e3TaX*zF0#BQlloms2lB~T3eTxQF)x-cyGxVWHO%+oPk2%D74k|
zT`60}2cL|d#r>42S+&z=eZDSbQDEh3q;2Tvrok=LOqH$w`JKAGEmL%>`uh?S&;MXc
zd1=njxVO^<-MCvv19m2Cd#jTB@OSfD!~Y`fEZCy_zP1e_C@I|_-JO!sodXOE4MTS~
zDBV4DgVZn#FvHN@-Cas4t)PH{_<wl6!tebG_dbq$uf5i}uJeuj6n$ckbI~7e?WpHE
z@f$?rg-$Lb<l-{br=1nzqk#|7>(c8R>QhG~@m1k3WQ8%~#8GPHit7|%M9^2(wGLYM
z?r2zC-}9Ed>ls$<`ztoy(8Uw`;t0GDx1QzpkPwK+av4(fE>|xLYosOBEd^MkH_4Hg
zg%gs-^#eA|PZKeWtTSSAi`s;pFCOdGrG~Z=P9Nd*lIbm*@?#^}vgDT*e~7H4j=$EL
z{&W1b2R=@&#Wc;Q2n;5x1Fc_*S@oo3^H(2~NpS>hS)66sS<$8G#KSb{Bo9rMJ-}pj
zbN|W=b4(S%ts>{5PC~Zhcw=Mv_J<bd)=n~cTAR7QI<91@mtI(zp96ZQ`q5W70bn&+
z{`6J-AConYofyVZ{5j51ZHUdj+=y^HPEeS?46c`9w2jui-dQ(U&6nKL*rdzoqxB4$
zt@c1;kXz`xJSlMd?N6k$HI%hM%xJ@qxjjHwQ5aH;n5IwozL>lmbCC-9HBkZ<36{>I
z%Gst}>z{eO_*LRaE+DyehJ-H(?9KW3dCp@x#SXHwu;kCL$yKf-4E*S4Do8q6wCX6y
z${zP_OE*&+q}I>4!98vFQ8P&IrK5Ew=CY;LEmF(z&XyTgrQYHy>d1l%F|gTjBzRdq
znFp7CJ!MioOyIG(MYby{-*VxqN1m&8&aLC%1$k)b_AOw1$)uaT^g<td1iiPy?kv#r
zwSlS8dQisgR(ZJnKKk{erJE_5xU^@wWCr`1;Kqtm^MzFD4u&N=-8%--X8fEMgNn|+
z$YBm_&!y#@m+<zOMW{Lj*oJ2rB&AWXH@+77#`3^ZQ>a(}((kXyJ%#TtETEEV&B)&V
zc~59wMW}H7V>+zmyKM7!`e(KAzdf57HI<8I2bdAVBM$R&K+37pJzI?mvI@ZZm77R;
z&ofh?Njpd-NByCcB%qoopOx4~*@E42S7Sq~Tm$0EMaDuuO_#-L^1173DXZgwzwdV8
zGJw=b$$QT~VycojJZY@W0V+o>Wv{P-m7+F0OV7VPW#K3+Fu+lwrv765y?WZsipJQ$
zK>((Y5rUz4v(lw?Zl|t5*>s?$=I1+_x|Cz20Qu6jh0n`OvZ6L!>`TDtS2}b7MP;*F
zhd&#pSiBKl5A9YLQ#M<@@Gb;Xj~V=SbH{a^qtIdXE7rLwjorH<;w+_9pBXo*TcSVU
zA~%^HL@s`MT-s2y4U5jdHZnIR6p1#e^fgk*&R)+0_s+dqdBk!oAqcR`?}CxhUpY5U
zt5_yR)%Ztlpr^Fy)9EXA1_QzC>u)P`?1SsP^~+QOwbBrwyrSxx)2xjPe9px9>=Y%R
zEWdURyIcLll*y#L=`fBW<|<p*L)2%MqtRIo<L2Kt5U_Jr6<cYo3s~g9k9)}fLsrhC
z3gTfGLQL3E(T89yz@1`U)KR}U=R+B=DSm*xoG0a{Tt$$JbyVks%8&REuL+jY-o)Eo
z;6F>iP<xkw?Q~U&%ZBxm;?=XJ--^sg<N+)=0$EWbf9$PS78T;RDR=~P!=&=w{dn{}
zYpXop9uG}A?)2PPB`N(H3s{@rYQ5LKIC!1gb~S6yyPZq|T~)9(6?Sx((O<)~qE-IL
zJEU&X$`~KilzHWXo0@3ZP_L%3sIK06tNaDFrDaH{R+Ice-o@kHpVw4N4kI~J39)_v
zRl;SOV!<pEFZ%+befy97x})EPY}Unz3#z)M@T`o(w9Fr?zb1=&N2b&GT;?Pej;@XI
z-R@2e$*7#Oh9%k@(K2rb({>$xF<>XxrSMfUSaCMjVO@nrccqF#$&L(rvX+hOXmt%+
z1w5CiS8~Ug_ceQyA~?tGd<?p<omVqWM13l@4i<Z1P||HKiXfGesSFUI0Mgq$SigQ{
zA%J{n7(Zo%&W0Sc!>#8+SB`jqYAtEn;C=(Rp+xvs_-x^Plhg};MM)R;zat7Z2C$fL
z;u0{%v_G56eTLefRe{<kVb4(t-!VkzKm>EMeY+R`ss<*xC1#2pNWUVCYY+)Umks>5
znNY}VL?O$_lV2I77@<NiN8yNqk$PC%>PI6%W|?tRyG2%+&5M5L`T*%R?Rrc6-FhPK
z3!<)6NF&iv^MtS*nQrqFpU<*ZM6TdXBlpUZtCen=C$nnMEw%135<CkM>av?tk;v+v
zXCUoD*HW6U5j%UuO$|)Rqr1fHQ}rlf`MxaZHj}NXe?NMb7v>hN$P(tq%Z>#Sjf<q2
z<Tdy!`rf@qa#yvIbFP~N_();u7V^gWn-j0;t<Zre910Cc7M7U6AhTAD*4T(Ripe?<
zh%c@?6z2{o|6DkB)n;&KxH^?u3DGX3zG~iN-Ys{w_+YdldSPH_a=v_Vr|jNM$5<xY
zZsJ2ieT~fTjM4wFhM@`z>G!*^z)XXoYFAgynBoe3QL5{0_=t_nq03PJS`a<;u$U>l
zJOo1%r&Y@(2ah)m8;9++mJg4~gt6%V&=@m1Oi+#9rZvrHa4)=@PX{Kylb3FOAgN+#
zI&M+IWE7A>(wH^qck0Hfgw0OEC<mVPQl^kqw-Cl^sE~aS+uaLWW%j8^SE;JJ^p~GD
zeXn4<t{0NwYkR$0oF9QkCSva=nwyLQYU*^2>vk+FiD{Th@>}RCwCmN9S}fd1QPKFj
z8NOB8q~#NDJDJpbZ>zd`v(C4<>0IgoAd=dqHnyIPuFf#*Z&5ysPNdsx^@a~qf0*bk
ze+csNy!!s$gWq?z6py7Q{<>|-DmBlYZ)_;lKl5&ABX1;aC@~tMK>RJRYrFM?CQgZC
z`ki@5fx@H4NpA;oyv-I1RQ1R*zqKLx*~_z+zgaYG4#VQSW*%5^*7M!c3VyH89+KG{
zfQRoI*%}Twe$lg4XZ6Oq*5kP|I3>OvAfYJFNe?g~xVNj~S?BY$auona_emDR>2lo8
z1zh9e-X$|DyA0H*EOzPU*0?I+_xjv3ngmWvmP1ww1qKzFC0W0J&ekqKQ%N9)Q1sp!
zA<{!^$p>2XY++b%@l;BHn_u@Om|G-&(9i*zhdk*wbmdL?-b@`IzI1`hn<_Y~P(how
zQsMh!!P%ui-M<@#@W5?sn=@4g7Fk|Ybg#A555Zz|{a2>X@I-T~0534TJMGkt%B%5l
zF}4I*lgU-@OTAV_|9?t?tDXOTwVHwUr)1>7mPs{UAYRv4Rrt!Viz-A4;x)I@MU|k&
zCXSa&QC#c7w(0*oMuDiC8s*OgClQKpj!u-TbI-0f57kt6C%ai?YUED`2CP|Bi^leY
z5qf_v{6Fb{QW`M>W^EwD#_ZM$PE__LYIiO-&d66CCR^qNyuq{pKLdvs!>7|+2ByIj
z8(Xvg*7w9kC!xtUpS0AMejoOVL_LhOzbLmryFqT@Ur4x-?V=o7c^XCip~TQ=+CqsF
zYf8m@<GJHn;f=z0XFcLMG`PpZ)u}!}Q(Z06`U2)ZraoAbGKAx;k3qzyTmZl$^4-T0
zvVXlixh80D<!+&D*K=Y-jZ&W&Z$?uoEd*0$g>l}DTUpctRiB-W)0*NuNmw0znv$~-
zbXw+>Dpod%#mj?bxQhj?h(P0sGnuz^O_T5QPJd05pOF_zJC9Z~z*kjNcSeG<wm=kL
z@hZ%X$NvCw#SI(nFrv*N=7KRPr=T?cxdUIj%1|kCyzj5ZA?%;Ks#kpu-J(W(Mnp(d
ztz7t)4LS|j(5j*=M=f8#+t(M7{v?Am+*w^30-N}@lNp3n1u@6zq{YKMIm=wR{SIH3
zM#)73P$KiI{hvPTZLSrC+C&w4_$==LU!W%XrsjDDbPirF)rqvEMv)*gFudP3^`Ppz
z&8+4@hBHQd0|<aef;t%QQ+>fze+Nrfz4_T|se7c>%8EXZeX)KfM`a#kCYD>3HOmSa
za{Q^HB>+2Ac2WkX>ofVDOrw#Bx^?pg`JnEKluLM-t;5hnxMYuhfNDVtZ;0U`FcL`4
zfd8|UXq(f~SX%AZc2D;$Tx464u)|e*kJ2q9q|ZdQ1ar3DvOLOH&x<`>x;Q$ch_x!)
z{P#G^l<#EE58g0qgr8RN!ltsf+V_5YFzIMTV9lS_s>1>0JNv%dv4>SD=a{n-G3T9T
zDzP^;l!d$S{!;Efs0;Cv1c<0EO$B?8pO-gN1oZU)zQvcj@eyd(Jk0Luc8POUSiW&5
zT8FF2;-6D1{7xg>Xt#4FBZ`Q9@)VsT<^XMP0pTyz9>dwlb>5>Ea;Yba_)*pB5!2zy
z?UFZN08GZi!Mte@alvzvmk@0Ac;uV15(%O#e%*~js-sLeDO7}g=uZ1XP6GXq>gIFN
zf2myUXUx?RV%)&&t*;4lO>(RyIaIO!NoeaMDMEw=;uzjt9ke>d%$cfo(<Eh6qu6pO
z^{8fn?+*T=KEpIZo9`|#3A+w2a0L0GZ@|GSjh3<AU7XxI4OGIjc8n#LPyWrQg%@>Q
z7En%_<}2=`GY7X3^QZx5Z&|g$R6pPGB#@4XNp+Mft8QkOcgH&MzdOQ&5FEx!u|&RA
z*R;M9$@<_TLSVUfukm?jUqcz!&HjsVtI<k>nq*2PNoV_bY_4<qrd=rtd2j=-^Q}K{
zqN1kwQvdcc+O3VntJ`wdc}+F0c{aD9j{f7)P$LO-wIVJ!N+B_dgf^L6h;066`0tIM
zeyGi0MX;5Xna{EjmyoYl$!Be}wiPi&{Eyg<ay7~?!B$L`YjIj<Fa?S4cxfYH%Jb-x
z^Oe`93XsSu9n}VZ`aKN`zMIp@<q&&sj(w(Z1v5sUB>@BKsd;syf|bkpv08vz@K)Vh
z2C(10TR_3MshvTch%mtI7dQF%ctFE$Y?Tq@T-2obIQ0CoU3v4*ySPuGY4h^GE{a)^
z%U6aplo;>goR?clk>T>D&EbqAiWFIS?|5f5rK82sw3y_k#`sDHHd=ShEUwl=y|+YU
zL^ZOjLd;j;!KfAyGA6kyYz`jXTp+$SDMxsV&oGtaaHntjn|9fHcZ_--5el&)*0#!O
z)~tctj*RiaKg_*7(K07Fe|AV2eol5})|bLj!5&+LD4)urz%{qolWgJdPn~Wuv+~|8
z+^hba*ruGEVx@IGWJT&pQP`x5o+rH8<8K);B(*lOI`s+RNoohwVBa_)O#(b5lXPwx
z^)0Q*Tn?qt)alQOM$U8%Rr>XqpDvtfmZ~UnRE>tmM-Esb5V$OPT+B1I<m=XH`^}i#
z*Nn-G$;7XX1;j&M#?Qef9P86c(*unhCwO*R@`{E;j@)W0Vm&c7s=L|Bl6G&@9ux<t
zvPzZbmVn5jjk)OHyfj-=721f3z!>M9ddy4=T=6C3guBLEw-@r>+AYWbCF-NuaEJc)
zRx>VesS2C_kK-B(?$_=|IpB*Q@r?vHLe(wQhG;AUKkY{%esa(Yc|06oJsI#DQP1{i
z+XU9K2T{R&CISN7@4h?U(qpNE=IjmyYDKepMImzO?w}y^RKptAUyE$)x1WBWwsOUK
zWNj{?lrMF5)Zs$8>B#%E&)et<dnsmwlPX^?5vb9^p?!Ji+~7?EUeb>Tj70`Ly0;96
zqu))_*foPe-ymmylN5A=a`8&^E1iKsgLq9#i->ZEV4X7q2Bu{qpA+-6PrR&Q!TC1@
zD4^fVYDpbgd6QXJ;FTiO=*O805xpX0QgAZpM3W+O>t8#}ecQTq+t&102&3AqU533a
z%gpD3EURsv!)2|@Kez{1n4IrvT2qa}fWrQ>k3<WMn(1|XyV+jh&A5U)l8tFzr<M^!
z6X+h`PH+tquzZ<(XrJkQ8{V{j?Ln$IokoXj`nst#61Z?cuhglU=8vhU<Q9C(cekF`
zU@V8-MrN{LaJFa#FG>w)1l;B9S|`YF6cH&$d;`;d^~rcVW#`7UkB~mp%X*)hl0E&f
zDT=kU9r12cq-K;lRX(^Rq^`8nx?=B2TmVnDS|~0O>A5IU0=RrV(yl~n$EP)0kPqi5
zOS>c9PnK{E@;koe;(A^i*yVVZ4-`++u-V<dag-pN>7x@<E#;*GB^Agpq=#(f%<@M)
zBVy6@Yziz5vPQ9tCu)sFxhx1<w`r~XiyAi+uErFg^#15BE3V$TOQfv~B(GMABx{$d
zW_wcgh@#16gsc_{!nV&&c^209=z)Uh_7AH5r{Ks)8RUpjN)5Sx(_J;UlgfjJH(dP+
zvGnq)JXo*8K$CJPH|`71KF(1rdJ2Vr;Q$-AIp0SVo&py!`nv?=IUl%Q+M=)P(;j)A
z8Pw=IdDXAlNkrMvc!t?|t&4xeym1JFP~vuuNxo4mWti2mrAbvSrP}C7Ml<*&)r6;I
z^!?pa$y3?Gzqx<&PvQSVYx*DB>A(JGd(y-I&>kf$?H>H>Rif<xaleXJn^Jb`<|%4c
z-F1fa-P(G)VlsFIH(yro$Ss#6$qQD(;mw6i4T5S%7=WiQ4kh0Tk_TYXEt=ITmqL}v
z&(u*c_67}kQG;vm)^`snmH3)^fS;#kA!=T%jV<bv8mSE{X5!7%V0~rmn>IcZFwgHm
zKJWdzZ!2KsjW+uxQ?~GSy}CwAe6ZsPN}aq{tDp41lok^xMF#XyZ{{ySS^MK_5cQAB
z660sTFy_vK<>CMPZx89OCOkhYQZvpFzlSMk_>k5^Ci8im_M2~QyT|ZNxykG?(e12p
zO8AZ66$B&+n+65nj%L>zxYdCzT3C#|Mumik)zG-+AhaNCJSJ}GmIdwg!UdX{KQB65
z{wPmrOWyUryGHC(t~ZR21dv6l7ktbMK7fJ92Jv9^m&g-Wr$nj8(6dQr$JsxD8lo@e
zQi0=8emJ#Xu13+ekdnTskfhy6GmvCUcO7iY<nY`2IeN@DRz!a$!257Vks={KC=`JU
zC9e@*Nimhzl~$JdI(R?8H1`%l;(7La#&N8D^97@*9U8OOgpHPU$LVwiEAK0Ms>G#-
ztXO3BMQS%9z_8W(+a@lmE{S_3m!DQ1l=PgPtq9CNJ)pj5dYYt@Gnr@B$zvAEuQ-x}
z3&dw!u8p5oQC+5IJpEbccUnV67?cJ`3#h#y5pgSihHdp;dHAX|YEY~Dw2VC|u3+zB
zZ}}#UA&cOH52nWs6l^Qlr$5i7MUE5=@9~yO8hRLheP)?cFTZ*W^}*z}6+K?}SS@}I
zdPH4zTu@`f8r$pyo&~$f$@O(i*7zTe>BokhlA5!eA9F?%Z7+QIaU=fY)GgKDY@tbI
zk)}$o*Q*92;8{+JO$04Yd1sV#kD0YID-!d?TGM_uYW0q&uZBnet1OnH^ov4sIu)(l
zxN;gto_bzIq-(2^>Us`~T1OJ=*`Pns3@%WCibs2F5bpnL!amDMa1OIM&}O)<db*zK
z;oy8PHja$FNExFiec4pOzu3Xiq+@oUM5gZ4UvHX?uJ5L!%*F5<=R@Z@nK(P$<yuzn
zNOj#y#KNy3_nkf88fLxf=Mi+X{>f@jlrhALv0>90DAnL-de-2gu*ds4q?x7B&5wJH
zC)$Cg>0EB3VLgVyd<7IGe0mBGFU(hFkWDSfaD4IFn;$z%23qFE-40z5%Us?)w}2&d
zwDBSPF}d)H{5M@T+Sc!c{4J`Xs;*<=t*Pi9oo2KL85y7=O1n3u>O0g2iw)9Z?W-n~
z9~;nVuESB@=u;!D8;TJ(e~h-ei8^(tkv<uER*@KW*2yq1A2Z`iM8y~h+p^@a<!9B+
zB3y5`4JeLVAkHdNN@cBT$k&wuGM6l)lBPMnrMo6|(eC&wcNklK7*|8A78=?sbZxeb
zDj`JvZ{GBR+_ba$vb^L3O!gLYbC2Ypp9N75g~sbgxClyZa#x`CM4Ga5*rI);p=YjT
zeCxA8$bWWDVem=*S6%*fNjaw!PT4V}-s2*83+%n|_RN*_&|yg8(uL-Y1AyAG;e;a2
z$|x$anHDf)Tl%qlH`@miePDrJ-GtV@gu4@?d43{)lt+-;u&a4t8acPyYs&d?&1ggH
zeZP$*^ims8+M?gltHeSsDkW$urBDROB(v?>;B>{J;pX_JQphQv@!q$k(tmi?#t=~%
z0jR?DMTyNGfk@^+7%DY?nyt20-pD#c^_iQbbk_Yq#J#hB&b2HQ)D*(=V$*Q(q=XUl
zSZ_!&&Su)ywsnuqbZ|vL;<KBuG|5jxQD^!E9GgH({}pdY9WJTM)awM6hZq;o{0f+c
zhr`PPrpe{oq(ghuFy!s`3<M0acLQ{Ap|gu>#|&j0l4hb)I#VC#8p=wm=_Ufk-jtkl
z+DSEoAe85G4GO_?DS?Vp2cRQhg`-vLX2gw<R$pFH*hR&*b0AbXGb}(tlD>t<?>yC+
ztTP2zCG`*vFmlFETUdszmQN<r3e!-{GX0IWZsN^C=iQehDv45}&<_5vHY-@RnUID^
zWgCU97H9D3YsY&Rzax%jv+Vf6%xRm4Csd-VutUbMVIZ?22_JRtV6CmN?Y90SdW3b?
zxVyS$MnA_ow{iItcClr`mFO~?6F~O*ayMmR=9rxaF<vRvF8!Zzr@hZK=mvs^E(BX6
zhrFH%#~Z~)P@=RIm)xs8q`%25J9){bN4?Y^8b^w8GnRnB+Mqd*=BSj;L?9HZU28;C
zi8Sb*@{i~2#be)gbTal^#TsvElrse}!x|+Dh78W&mveS8go(1cYS>Ebgjjd6+4Z|U
zjM~n|76*#!E|Ir+v2-mxRlp{Nj$P86E2ETxuL#1qyMJ99rYGoz7JRFusT+Z0qyEBT
zwtVu|A{}Kc)?-}~hod~T)I5Me(Lb&AB^Tk2&9_%<zmVLk^y|8#>E40w<?QX0Lfo{k
z=)1=|Lnx4vWgQRG^gquDuFw0rzh8b0Z8>{dZt)|RM68t=8@VM>JI}4YwcHS!wpGPN
zU9Oeb1-asFx^zXJ;PY@T3PKG9+TO8n<TDCRw164S8)|E4M7G(jm(O+y`z4`jzs?-4
z&sdKp=guV<$U*u}h-R+}c7>mFZq-7R{~Wb+YB-49ZmA3)&zby+-XF_Df4Hb;7vqq-
zm~!PNl`;Drdc#?tE*J@akt%Mv6I(#n>B1NM0YAkU8s!c{n$~^8jb)9FhcMInla*?<
z$psSpmZk}aeY<X=)%UG@?ZxJf8OZKXN^>s|=a-p4<V*LH-)jaeQw89<hW4qpg(2O9
z)RouAT4PQcBjBUo_K#$DkJl|<PhAl=abtabZO1iGL%Xm0QhkN!?saZ)G-$+gky=Tw
z$NH3d8}SNOO=5iasOS=YCzoPm7Zbftxi1*M`05Wuxoq;DEA)EWuupzq5Z@=qxvSn-
zu+Xwt*^Yoq_?O1VITip{-~}IVn%zaTic$$c1$!xB5!s-_UiVB2IFRSN?41;zx#OAe
z_(U&#c4EDoU})u#UzjbcMs>}oHc0GD=+;&+w)@>5kuje(459O-!|c~QUsnaW%QV2q
zwPfi?X3ieYUaX>ZnsdX;8j^<c&03!UyA9cVTi1ZDe?jnv`Z~>D$95`}5|r#gJ*{m@
zi;hJ}-A-L*w&<X&VZ2<|S~TO8mY{hiFUvZKIbnvpW;e%XS-MGf1#ST6EM<0{MTj+a
zkUh0l@8Rp=X}%zvT(iY4;(b^n)JpbQ<R!pCF$G(!6Rdc7G`84%(ajmQ_{G+X>4HOF
zf>e=Z%8fm>)pro>=v9j2wEval)4yfdCF;q-iMlA%p^t-b1NX|rnnGHe++g(LddR`l
znT9)Mm2gAeWa8msT;&Jm*Ze;8Povq=@+NRzwG!%j)$YRAnDdikB~FV`ozFp3RB4D<
zF5+s3oCprTLs<iyhs1ijUt^jKEUr7Jzk|u;+#L#ge)47~(4A%PF?8xtp@{y6rryhq
zud^TE>g;IJbpAEx=spa-ViB$64HQ}f400o+8g`&{urF{|?vKJ$Gn3c43kWU0S`|Wv
zjQ3alle|I$QUy0=xJshvlx?B1#?+}>$vkA)UwQ1?loc(w6Eu*<TM#1jx<HfIp|LT4
zLf0gYER`hlyf=y60dj$8Aa%VL_^`nAwb$3d-R%TB?iQ}KVodAq2J@a9zy4eVh^D!M
ziCx;V2n$8wk8!<pmYBhgHbY<c_N2GlN=mn_70%k)zn<^f!Mkyb3ue(N@a@}=w`>ya
z@dQF2x%fh9F;z*iKZ(TGCzY~hg*k<=huZ#%ZLQe^s;zTYYu+=16Vv&MmM=AXypMGO
zx_Y(xV~|6`s~Tyo!pKqgL?Ov4uw^_wZ#I$eJ1(Ge?&=vnnflguL3$bKX|^V1{}QUD
zNW5KgSD5&~qo%u?sf&DaREu`Sx!LO{lX~MMx+RKs3Nu=^DCwrp6y;uAe~pcZinDhc
z(K884)jOz1grYA(!PXZV4$yi;uN%cMkc;!1p_FRPkojQK?6MaTUq*k7gn@!cDpl;u
zuZ|Q77^I!~VTTy#FGmf|am3bW+%GKZk&NrmuFi$qYISXoq`OJG2Odbg6jk(_y1r&0
z*9X&qEBFgi8uUz-DcKuV!!xM|bDcf4o~ZRVVtviBIToCH+8V9rf!-NsK4Vr1kf(Hm
z4&ihOdCWu^BFPcu0RqZIh))T_A`wT`H%`6do@;^#QvH|~%U&S~k2cNxxz?DU=bzO-
zl^mqHyfSo-incML=}R<VM->4LRB8IS^84PEo74J0TLMG0WaY}azRwr950Q*Uv=)6c
zl4;y+T-a3CH(wXBr<*MqL%LTeWxcO{eM2G~ca_wm4xQBt(jpf(Lr>aDF}dLt=&MPG
zH6*uZQ@6_)A$gPcE@Sf-7w>#eT&dHp$XDQLw#aSv2(q`<=l?@9Nuo@HU96e&uFj#_
zED|hr=#<dnCo!Xs=<BlsozLM2x;3Lix5%bh*R*bMijA1sv41SkKA<8hw-<w(Oi}KG
zE9k`sdCm7WIoNcnWrjw&<1|Dfvm0@nmiqdL%SKa`R=z#{%<j(<*{Re<V%CZoDS-f`
zBV%$_p}CpcDM<b@&yBUmOPXAeKT9c--`&_$%PnUxsldlJDRLt<YALBXUd6y$PR_$Q
z$mk&jbl2pjgBI1sGGA*~4f6Dr;=**{s-<Gym~IgxtJ-UjhQHzL6Q<W(Tglzk2Q-+q
zhlZw|_-J>``sFT$?orRptG8qlRpZ248D|5H&t?NHa$cu;Pz^?Fh-&4K2nB?)^QS$s
zNYcO$dv1aKaTnTCdqU{`Glun7qlKO8HtXXX?kw8+EQl{=0!t~gF#u%=CJiO*gJGfF
zi4N&dW~j$_!@bz(^=Vuqs(wvW)5iqWgJO1FKR4>?c#7-%V2T{fNeVFSDxQPV1dt`5
z=RTA2Y-r5K+}J6_TCcb$9IwCoTYcG0<$ZO|s&iNLfhPZxR_bU)RMOCsc<9j7llmP7
z)HN+k-r9yGiB8!<H<=tWfGANffekCO@A~w9x;_lPlLrMKa*{{ao#J~Wr_*Sn$Sj=`
zEt?$lBE1c8>4UjYT%E-;rjFxpC~2+N!UC)F+U;#}5wmcOg(bM$Eq5$wmEf()FE~d~
zL$T|5KkKg^k;m9Ssjy$7T)3Z{cxM|$8jf{8jc?kk6H^^yO`8}_KpF*GsyWOU7;`LU
zoqvm7)^LN1JNg&Ga+k4^U4^AI$tVpd>O8J+mDwJ3!9qp2R0iwR>qe#x*abVeAezyw
zr2Svl^a)R}%0^wmntT?L@KSl#_#!Klw;FIr9b2`je|N`(zXX_nL?dFneurwjxIAj4
zG@-<n>B}oTr6~!W45tK${!d7qO*gkb=pyjke*$N&sh=&p9txqa>*l$$`Q#H~_A^<2
zw-aLO--i}CLXM$P9phq=jawlwr7Sp3s(c?Oe0pp6buD_Cn~gzMDPKk4^tW+p{a?f@
zs)Ci7am6W3GWDM#LV@smw-r;Ot@<qRyF+UJ54~lZ2rb(9FB=_>ecOeBAe|wXLEy=M
zf%D_V|65D{<L{>?F<vy9Qt|N;HIj463l|ZS0J?b(^d^$DVnQ4ftf`Iqg`LlG`;eFI
zr_NJR#%4oKt1QVa&AHC7l4`B*;B%SyCU5cT0?WF)t_Ysc<jw~SZYJhsTTidsJ(=l+
z-h!2<@imkCGLyh`i`&m1JcS)tm;+3Nfm|8ku|%icDt@h@*#^v@#d_kOWC@ku#V7KO
zYf_jsK0WDTcLNe;h!X`W;n__d)oyHhtQrzII9YG((<bFFJULby7U1H_tf4tzwqRI{
zaBn}njl2uZh(Z&k%p5>B>TRJlo1dIvg3rf3Nht_V3%b_i97`r`*0!s^5!Vr?KCs#w
zB6=gQBvZ4<y4C2tzWd6EU)UCBg+Lto6ezyxdu(aWU~>MuRl{!){5oEnr+J^%0=)WI
zYkR`uZ{H{jhi;OJESErKdz;;JN75)<w;LrVeymX;R{b#+s7;J2!G?7<ZeD8o0t(<v
z+cAaCf1dp`^d7n0{2Xqs=jR@#F4ZbJ9wgnT<>Xs&6E@B0JSU_R<teU5np+E#B}NIV
zGW(eu=?R@*BqV<A$#4KNM4TsXJ*u`RHLLe5BqTkx;H<PPx^<d%e5NWmU=Zk(3n^LB
z*|Bn_oi1gBafIhl%$v6S?p!O$A1ls9yEN8z<M-8SXmhIzqQs$roEDbpk>mb1_9@Wn
z*+$*8&6#8AS@WVm2G_dDWXI=|RoU+4c4Lx=AyDvu|Fli7LGTV}O_me>3-bj~KTyXJ
z+T*-3jdbzy(>7}|Hs<y!e$Js{`j}+h)><V-l8#;TZ4od3RWkYUVJW4WJib{TDP_I`
z+1h_5>yTCqsNvZr*qdr&4MP$@qvY<6on&!K-T~`-@X8h5;hdhlt*(+z3y~K_9Fsk5
zt(u6E2FIT%Ly5DF$pXB0TZzjE;SlHPz%UnmHm8gUq}kiTccZb0^AuVlg3G{!5Octv
zHcgcRF~~NbU>6uRx~PF@?6w8s=%3oDgO>Bc6nHrFS+XCNJWCAk+5_4Z?OBz5%_kv&
zVu94NZL!2^{~*j0T5~jAT-R(3qVoF!CcAD}+%AIPiPoWqLRrM`{|?xVpWM7Loa}DB
zT?Y}Ib6vN|t$#(0TeOS`6tVbp4K)aL>kVpJM&=|{l)p#8BHx!+mo-ntq*cvBiEAr7
za5CIDOV8+xZCiJUmls+rn!^fjFhYS>XXm`>j>O;G0{-;{xbu)Hp&X{Vabg0l#+)2{
zvU5S;MY=y!evc|MW=vvaQ7Z0k0Y(MChT0ky1yjjWHsy(N=9B8#+k<fhOWuk(paV$(
zF79%<mM)au#WktETsn?<KHs+{z3hdtq*5{Ceyy7<Z|rSkdp54EN~@YnhSoH1{&L7{
zL$m`DS@hSgM2-Rgu`<Zf$gvqCl7?g^;f!dekAUOouBG{+n=6P5W(jp;x}lZ1$SF^b
zc$-~9WviXvWTG{Uy|oNJHlj59W58bQ$2T0Os{D(?@s2otuH(a+J@1;fYSz^XYuLp)
zm(j54QlVSu-Sgj~rJ}1IWDTEfy}BI;z+ky+&q-txl0F9|>X5~cHt~otA_f|=0eWpd
z;hF6LI#ao6(vOS*C?e&MtkJ^+Zb86s>uZ-~I%!3Vod2P9GS}f!9XT%@IT(;iCy<R1
z-q1;btv?~?K`+<%8aYw+IvUrfZzM{$NKt^hbCL<cz%iqtj4Q+%f021pp(QSe(G=Ox
z^UV(3!8h2zr8%hT<>^y(S9SfF6F?Q^o&2ii51WtntHAB;3{EqmCcf?f*tg%xP445?
z&za`#NXE#FoG^0>ZFv$j*Z-k$+=<aB8O3Dl?!b98DZrUQx-3l5#}0@ROTvp0(Piqz
z&zePN_`{&yi>~uu6i2`LhrtFzbW@w!daq|dOmtnHV>2y-?o?C?=K5QEu_0m!yVSAg
zu>v%$rGH+lr5YaD48e>$cyhlwe`3dYVaDf1-qf6WD`=Z8_(O>53+d9AGa<WHQM7Fd
zdvzDOB8y5U*`9hP<q>^;AZ}fnwJCyd($+%^-?ynoktbU|&5Jj>n}AN4&q8f}ox<`S
zzEQPeHxe^F)~`M};tcRE6soAMe@As`swf1o&9eXEl*Y!&<@<wAE=c}9Ow$0aa;{We
z=TM*_8RQx$UVItzYhR-Q>jDxY>Pc7@@!yEdA^7*yK<f&DO~ABUz2Qm{wwv}w*Ucl`
zF`b+_RX`t3aBilioXu1%V2z&J5IsoMT8arxd^hwe4y3YF6WDTFI=tRdv^3LX7;5pJ
zTxN9V2|Xv1=(I(=Bjh{%@rmWkS;XNvPv|^MY8?LXy}unIECXu0qt7I<*h5=4oYt0!
zYxLIx8+C!2Q0tc{-?Q6t{+@%*b<^J?&|Tri0d(tEv9*k7vVaGMCG-?U;e&aCtlGMO
zY`CYkfxhw!6N*Om62Gxal+bBXQtQR&=-WbXy?T{UL>ZS~<hW6#m^gr!Sx8%$nZw|P
zw%5M5eb%gV5x`wUC_;HJQ>i`YvrCa-Xt++5J93Q|TN#V(_cs%;Zr`dvAnDDgFd0Y3
z74Po?a~Hz0S+hA7DDUDgf+R5Q36i*^4hI><(JuJxZlEjH_Lc{M33l$IJlUXo?oR{2
zYC9vboNM7wkx?yBuRbA9_-M;ev{jLErEQ&t#Y8jvb?AykXwY|W^LE}x>Pp|81*qvJ
zCb0Chw^*KdZFdt^-R*7bZ(66Nsp59AnIt*TaG21H*`dx&9wYFb?2hffeDuujns=Pf
zE6g!-hB?QMm`)rEr2sW7Qj(kq1@96nuyQx}XQ*{)<&+N^E_Y<AEh;NhEBF=4yD&1|
zVLm8Q1@DyEStNFllz!|c)wCDq&<|kT2^4ZHoKTe7emJ*rEyvXN>ox?4+w2&Vt;}pD
zbYgy7Ita^*rat+WPKqdYYSDbTrtx1}OGaxlR$T#nQR6_<<+HQKOhs*pt*Y~FtW7ty
z{ea%CWmr1CO%boLo(y_*tSOtQMjZM0%UF_^Y!c)=cHCuO|7&-t^gdmK^b<a{kBnK}
z-3{P0Fi%IPXqh`v6`SOYcoR1_Gb(=#7@`52tM!NwmCOdut;+qupsB?Lx6Vl}GnL3!
z6lObCn6$}Cp)4<WsbRGs=x99mXDjzEzWK=!QRbb1kT<n<`@E%PKIIz&R3pMVB`LQ>
zXE>|TrvyxtJ&?{p4;Ro8RmTe(Vl1Gb(%-akkY+;?g~vvbQGKkL|9T@-UPG`f0L}BZ
z4aK@ZKrKajW4$-mtAX$yH0=G#>8l!vu3m~IPqrYLH7xJzj4*TI0)Tk1T@&%b-eyT{
zPYCZNT9phcypb-dr!F`<H_pARz%}OLY!7#s*-I3b{U6$P?(ohE1r2epF(4zSGArBp
zEO`*rnqS9|sZIVbYGud!hEVv^Y$A6K5zfh{G{ze7cVL$0FVjNIGpEV)4Ic$BL5F-F
zGy*3=z)KwyLf2_38bHj$Y06g<$wD5*gr+=3Ij!7B%eCK7$Ltg4eC0Nznk+Xw9Y!@`
zQgefxmp(y<dd!#d-Bb0m8a`Z>>dp--1nf{#O7T;C7fmqHkLtbA_oRmi3C`V@t!EQ3
z>Q22&Z>POABOLb}+#Y6~V>O-xN>E=;siF(ee>=9U8^f-ljurM|k8UVEymHfk_C`>+
zDV|s8)I`yfrQxk(jEs|)ehzQKQaL)?t0F$;`vSS^?7($G@w0-Ex;6J3SKM9+sexJF
zTty_(vpw{E-47v+IbU|FSP59pDXj8ksLS-wkxR9(RZXJc`$qP0?FvI~zudVTD8Ea<
zfwniKHN31R;NJ!g`7hgzI1O=e_Z&FS8U+qMFyKv&iJfu$0)66(k0*a#(esBacuSg1
z%}duB9|4F%N1E-<Qb{zBW3TNaa#M3Kgr@=l1?c4Y$$1(_{*2Dthcn}lStzocm2=7a
z24~FGwB3ge&=hZ=mvBQ{qn@TYu3*xWwtm|S_SnX(*(P4+%%J18?>v=h&DzehhUK&c
zD*{o=4YOZB`7ME0rlxXT`Q3bvnX{?Zi-bxtU3<UQb0taK3k1nS{3UQEw!2-CPJyX5
zQ9oF$Xn2y-8!jXIlf5eG&Al#5K8Q^@F!#k1-mp$d`_^$$GlS>r1KWCfO}o&vo1tS-
zWx%8-za3YUOI|Dd{G|fH$VL+Py%gm)VMzREbqN!0?(1*VF`0ke>`JZHChMNp*sjMW
ztHn50TySU3SCww3F$wOyJ3rdoazaG#iy{&~o#i>Huy!#VGWs~U&5U|0{S9o+!vjs5
z4cGG5>l^<eKUH=<WBF>bDa>9MDlq}K|8a_tzIK|LF`PVo8M?LtcMc<-7J|^J3lXt`
zZeW~m6qMa|T3EA598B%T?S<{@Oo0H%eLs6EL{w9IvAXqP3P<TSzp-<dQ~XTIk8q~|
zuLic5>hRfE-65{;$4yHDF8`8LlO`=5_GKv(%w7Q5_yNUfrXap#km{rBpPRw%k1-WH
zRA@3r+A5Cj_}Z9-1JAlMss>%qbl(rN&X!0o1A9cd4CG6vesFoa%J!qRYZuTIgnC;o
ztNm<&XOoWlY$0XPa2L|Ohz`-&fsQ;!qzpgr26Nqv(!Co};bV!7rev5?4Ee>JF`cIa
z*%?G|s!V)3Y6^28PPy)K2d-SO0;gTK>(pN?(`9H_j2uhi3ObjlZk=OSav@36<V5-R
zu$=dT^Lub6q)59AJ(jsRdi&@KXRT_CcT6umjMvZoZ;x92PU{5|dR?xWuhgeF5<|!F
z1cvGR=DPleX6fU&Cpezw;}}O}jD5d`^fvk6d-13of;1(?0JZhGy5}|SLx8=<QJq=C
z&0J(zuwCIYS|y8A53J4Numdzcp+f5n?O&c2PQbm@04N&%7p28E90Hw{fg{@<WB>N4
zi_<=6AF&eT*UwfRhRdOpd?c&esA8IxN4Wp4t5?NU$!OyyPz<NUN*TfV0e&UQ%()(F
z@r2vJ`eLi*G=^NC{=6gtpoC9Zf$tWXxZ4~#WUU@NV}8C*`QTlhtlnT*<G2Q%o1s&!
z84NjWM3S>o7pxf8s8e=aK+0-WZO_B21C)hGB4&m&aeG#x_No{O^A9NqqVYk$J#%b8
zLNYI)JukNGK4gVhNJ_;fKJ|rkoxNO5fM=Syv`c0e?ud(du{E?hn<I>KHp=BrpU;z2
z>h02v{GI|bOGSUE`cvdB@qc_-&2_VnyVtf+xp7Aii9WeZf{iQBM5oS*@Dm^8&O@5K
zhf!AIfsR7?2{-hT7uo9^089WO`U#_?V2c$XKh~7wzbysAgMJ-BGy%P5$5bG|PsIKq
z)bE?b%X!*|p>wwbWVT`~TmErLg@z?@4fsf3L+fxxy=GQC`nXU%xw3F2MVR&@i{)~2
za8nRdwO*6&f4mSu(i0)i^j^qoGp-34mHcd%4Nf^0xj)~tWEF$4D$Wc4zL|ohJ7v36
z0j`<=mbaUB4qeR#4s@?)YfY#MWcPed3*+}bcjff=e-4!W8;)<a_dm3*w+4^(_u2cy
zw@uw2o@Muq|Ke}oWd7=}e@1fthxTUk&xc?C`V0zaotNUtQ*3)<ab1RTdDXk6xWTza
zv-FO>H}tj$4F(^b>SXhHBPwBi6;Z~@Ty^M-qJ4QY0fg5<X`{<f0i}wINPJ7{J!86F
zOY1#W=siyB40q-K8voSw_Q%)5IIGz=kACm>XUAplzx)sFx66lat4G)PvZww2rLt=n
z_ZONkuJojaR*1++23SWhn!JE<LoSVPJ@|iUYP<DstNlId8dnp0{=pu;AJhY#Wz&$^
zn|FuvJpPj5)A}J%qxRUcYmxp|=%4I_Q;B-Gn<hu#KhO9YP?}ghAm{dP>E6dT;QE?C
zhVa06`@>g&@x5Tpfg%gb%zaVWMPCF%-CE9W`<&JVFc3F`*&<O^{gN<l;_IwBA-W*L
z&?{ns2`1TUwjk^DRh|x;+_jp|b=_1dy0@20wV{fU1{m30?x`{rD(r7kg6HV9vM9a6
z$*_n=A;b6L2C6A7$EB3Fr84(7!AS(V0AHGS=Gz=l0pe_$EMWQMA7N&+s!pcroO!_;
zvubfhuLYp`lw5)2chgA5cDs9nbgVx*T4y*>-Hd<0WhxuDm+>T28GL>GgXYmnI^re9
z$lEZ)5m4BX!Zm)=9|v;9JX|MyQUFo$lRt*MqbjD#kQJKR`EZq6wmbHWT{#Coi8!@T
zkMWfVqD$JNL1vK-aRj}#qveB)ssgsbJ_;OiaUy^WeY<H=j6vFLZ8oC)Tnpg~hqIdr
zq4HvtkM<k2_{H}40%Pf)y-1}q9WRMqW@@G^I?|TzwA`neIG#?!I%j6&O^#B67r2#c
zpjWLns@Z7NQQo?_XUFKun<^viSiVhEg?^E}Y%|<52xe^!R>Lf$2=Y<HIi7JlfU(We
zC3=4M*|KI3G`(M1w~6c8H53o-KTp+Y&9lchE$8d7DqB|`RK$<<7$e)&Ahau--Cj?_
z;aD_MImr~{jaf`G?;p9#;hnB;b5}TQc9qrmNWQm`R7Uxf>hrI9%9-b<ApA(d+`$dP
zHL0(dxJpJexD`n@z=tE5;mur>R~oZ+KdY%A-^80&n7S(})NTe{!GWK*i>P>UH}Rc1
zcG?x>PWLDL_{s2*=jk>Qs7h~=G`&9`srQAppIXH~>9!c(Oh_{OoaSC^reKq_x0~f`
z9_*ORKC{7?v~O%{?l_rA_odgpgfeoLCpa|@V|c^o>6PBxDBRJ^pEqmszUsgs&I_42
zJ2){~kgG&~^J_5|AUwL9`N@70c73dTaA0%9_FhdpkJct&&QijN*CmDLZ&*^J4VVkp
zbi)s{=W)K(+r1o0c~)>uCX{s7)y*hZ?;_&dexH#{%BJ(WffQ;=zSs6l#5P1Fp$)#2
zKTJbcBBv~;rxi%z_%TfDefCTS(VCLlqFC=X;o2u1>Q{r>1WCSO70KA%vk`h1To#va
z6i9aR)y0B7jr{eE;)@r<lPbfmcrY_-U%h2h`@9L<wv_I%@=V>SZ6wn-DB`|tX>1-?
zs}P&@5@3*Hghk;l0@(~E@l4ct_IeQK4Zg)Y(>V6jjmi^R?q^dot)D7b1MIu7{9Twm
zxXO4uXVq-qD3XV<+6xJo+TT*ML@Eo%>3C?{zOpZH7!p<JZQoP%U<Ik{X_!oJ1@z-g
zY~DR}dTqWbwRD<RuHOQlC5=jAkv$g^4X+Ifh@P)={i@bjkpm`5-wD>_FO?^Em_u>F
zURdaDLQ)aGi)?mL%<B*7xGW(Ds20w<Rmr>KLM1EX)^546ZhL4!>krw_*UY+W@+L-G
zC!hHx9!o=h<d0wbwuUT)jMD|k)}A5n^j^AgFD``tzi@Mv6)8w4nr&aht!Ja-<#y#@
ze@hW<-2CznmUz~ZJBknC*>vtIeh!<c(o)2dAGh<%%@V1cAY^@P{jAY*pKNx}Zd_|K
zu^|3q<k8We+L3oiW?JjF_?~6y%Aa&3@5<`^-3n#}TfPl}EZ#paJ2Ub8j)nbf&b+~i
zvZ4c6OwXRD`RL-@l*vBcufMH%c1u`(?Bg?O(hm`pAYmVHs~=UnOxjreCdqQcn)eI*
zc+f=A$dBrM0sUzw-`Z}nv6i86Eb6}d(c;`q9*n}lJo|UC|C5U-f5#rG+pLH;>^;{}
zu|%Yf_YppekI>!Vx+Ik8Tz4mT>E1BvHg5oYZp|+2v*#iE*Z^y#%XV+ye8o~%Gch_>
zB`GrZaUMIzPf1@*D@pXd=I7QQOs-d3>J1(j=2m277RU?gB0&BYubT%iJx_DWKI=Y9
zEhyc3Oj^;lov692c__xeM1fBjiq%}>%4mkKj}9?-{~S+v<tFB;ytVL@VoT8DV`+9Z
z=O&g%^|D9)qZJMN%aIOBW<1LAw**z+3dABkYT9$YLGHF*FBJA@eWud#a5_5t1PE4Z
z9!oiEwKF|3pk))2-lw3?IRq`!bmsU>JKBBnsm}%p1q@J;+Sds8-f-J_x-FOaJrq8f
zQLnHvr8=T$tecE%wCbX~Ke)yqGI+W9wa_&NFu$UW)(BDYU<_2)L<@TuHuG5UvE{rH
zfYX~@qC3+p<PSD%@@^s4D^}MxrB}>Cl{h1i-ljz5rLQC(!BXC#8VY?0?g^e1?^fdu
z3%`PS#5k}mb=J41QAll9FB(tV{@<R|#d9c)8KfMoT+S>mhl#?V-JzJ}r1ubxPjq%R
zMkaL{5e{1_#P)bi%Jb8&weRcQRAP|AG10{a8J%of)ppD8$6_y*R{}6yZBp;QwzoxS
z545wb#X9iH?%i}t2~&^}+poQI?a)pr{nZjDf9ust_|31yl_&GsyG2%bK)gmf49KmP
z0&{#GId@}i!RrMHs?LHBAHou5I~>TOrK)eNmJGee_4awL9dhL~w0{?TY$Q^tJNX=z
zv>Vb#*AMbzYi!?hiaO!OcOUWtPBkj6JeD~*Het)#11!3B_Cs^1cwFS($oZ(jUKOhV
zfcqCr26?WAyBnT)C5?xB52_7q9O_U~+}ggvTrU*XiATyM`mlMc0UXG^13>BQ<w)3;
z-Kt}F(N@t#L5{JD=|%#_)BVU~-@DuU|Etu;FgT^yO?2N7+rC}xHl2f`jNRePfu79;
z0X;&o_OcxtI7{geIXNvACUoKnT$U8O2me%@RJ9En_C`>vsD-ac)MuD@c(=Pz^QE!r
z83dD7m}hUWE#UG-kK6w`Vt{aKQkyB^&56hvbD@f!yiE;>-{0;}ssUmgbM~A92JuS-
zyrj59Z@+?9={1u-_vtz^USt&nXsm&f3)0D}2p${cF`K+zp6eQxDaaUmyOMp-6Wssk
z>z&KiNNXR|pTv<5Tg-!Ap|a{Vcs=fJu<gxi$T)Wm^<EQvLk+wOHzYJUxtZy(zqX^4
z<7=)?(0#zGn&)_R0kSn6cFKYFsC2q{yBImclJ45}46^)$w)724EjEK+*;Rb`Th_BC
z6Lr^7vHG#jP4~;`p+0e%;_IA)cg(3T#UmO!453?l-@ML^to-JBt?2SR3de57N)OKu
zx9mK_+d#lXz$OjV7fMH#5frP`pzCt{?Q1k(6+wBiK#>0n6lCkY^{CU5*sk{{q^8Hl
zo2bnZz(w+9od>dSgF=;=59Su0@gvBA;pa{UbU-F-^hS_W<ec$BI>zEkTg~lfHkZ&`
zFDEh@;Hm<urA;yJT0G&;+=MTd1t5ZDE-`DQV(;ml{>3lrqqlu9m>A-u2D;<Q8nCja
zO=SD0Hw|N@IAUqsRcAS7^lrlD#R9t5*ENCro02Y^K(?6G^i|jGaE&H&DQT7{6U(T1
z=ba+6irJI_f;zu3AhkrPPA(pvBQ<{&kLHoX3BskH`(LyjthU<;>eY6X=MW)%N#~uc
zjL#uP!)^<%57=F9zzN)^k4eY@6*e~;B_+wtWkHWT60KO%0kAV+k+HGT^9FHyDcxyp
zGcY*!Vw<;(UDcrB%QFUE&5U+mx{h3UgcA@pj>qsg&7;33BZ(5zCOh2v++@zWGUZal
z?IN)f>S$rK>B{5NDZ4}Ss{7f)`_>|<vAdJ1&4l3FHlA6FVVZ5+Wy!J6cKKw1vN?`h
z-WZ_y&_2d~O)ASb6LXx{H$9s2a2?{z0?TUW4tV#+t4*4|^)k>ohgzhbC07ctesTc;
zj-xJ|S!>)I3NS=Vw#YdNmlU&c##XWhgyq1duNY~~LLOwkECZ8VpJHJfdsZxROTE@4
zdYk0s29XWVdo?^cmhBSCpp?9x$wwS*$4`m0S>wen*Gcr_dEzd+<sQgur^k>7ltF_T
z-Q$N!6=KUqjrurC_dSi?wf-;y>S>qmKE3jGc7L~kDjInV#dA&tUou>Vf<*VzxL*%g
zD3qB%`PHrkTo3rNUBTgKGwWjFTOF5z8LfI<WbVn14%gHwGqD7F(;TaY6~b#jRUQ*x
zT0ZQS^EOdZ<xgsvhB>M<FVR2Gp*0!&R?nX-GQ1?ZvB18SBdH8=N0+0{EW(h?Lnu0g
z*d;n{8tWpo;~V?G^4=<{tu}i1rBEoviaV6z?xA>#7KZ={A-GF$_ZD{xt}QM>5+D>W
z?he6eOK~q0D3sD~GtR}nKmR?>&Dl3=%-glbSaZJboX`9{xY@h<24hDqD}z=u)jsz-
zy_^!SOcfl0uI4?RHxc?`<;tHH>kc0!Yw)=+O6%#C{zEaXls%X(hsY(N?QVUYFycvJ
z(Ve?fgQ_{l#GF1S_-bzSbW;X>vveuu;jG^3s)huhdk&42${WO&*=kx0YfmXo1v;7Q
z9AhT)O#t0Ztr~H(&2N#sK8waBvQBXgK^P6ff+~y6oAThGDTIU-^kI2qIcqa1d5F5(
z2Js-zMJ@B_vpfNGp<aK#Y>THtIxUbZ1<U;y1-}-sB<dVsWDQz3e{5rzwUBPVb2)12
zZ0Wce)I4nt!ke+{AvCffu1#iXr3}un*<7wdpoml>mg-cOqR9QCh7#19tt=z+-w{On
z$ppUMpn1sdKek#_gI!LaZ!}^}E@KPb%4Mu=$W`)daqWI*=2AZo7JU>p4pCEn%|$Zj
zw|$%B+e_;3`&6fNbz<9_&t9)GR4D{3Xw}zVN~#_HD0oM!9s<52G>zK{rg1C2<>j$g
zQQzs^Z=Q$08!HC$?lKx#UVh`XlGhSxa<B-*MVHS@2OT%R(=Lh{UxEFEeq@B~hS!_5
zo0)^+A=T!XM$5sW>V=Q<n5vg6K;1YSjdz|~U!7>i<%-P9-JZ4PhurA%@Lu0hBBY>3
zez*IeW{3oFOi=1(<iZ&@lT1HvaA8JssDu7s-}A<<1XB<nH@4@D`ziu(Ulcl|zmyjm
z@!8T`<Fh(6nGUupBq+aKs2`hChnyk0I6r+f{&HXrwP6pm;-qy*cFR$KQKBc9lmJV?
z0O(TLQ<CF*3fq(J@=Dt_6?REJe1Qx%bZ;)dO-5HxxCG(P<E~c|C)a&=z`em%qAlC;
zkzi0gCs?ueC6hVP&odFBlpUQTQI?8a+f!w$l<?~vU7ka{=y|p1#LGOdI*kuoIJ~wz
zioN~!tXX(2jRxxW-?$<-5PxB94#+y`@vrAHl`(l(E#s~T(^|R|ncC=8LQ}@e>y`;|
z9?jeI{sWGQ{SWRL5{~#e)t}DK+XHdheEE)DHO>UlpF4~2s_ayxYvFUcdKEp(YhKPJ
zS*F6?ur{qjkY`d~2kT&0ez6YrhqRuU6t5C?*vd;L0K_*&d{wbSwqA_4+IIYO9p<`;
zB!?<}IswGN(>=OmMZ3tCj{Af-M%AEQ|Dr$GE9SBX^euKw)LiclMYd)Kjiw}{FxVB6
zY4fxWWPqU*0;B-7h_KKTY!O(~o^$uCFwqIy1#LQHh}&uxFW%njRc1Z)_~7k=kQk>8
zGbGv6#OEw4Rq|c4gCyFexOj72qo|KOb-Lm-#jA(YI9o}h?4<w-WtXh;;H4k<Jo^e=
zzXA8(YrE;tAd1jAN2z5+qb_g8F75BigEtP(j(C6P_{g~`u3YUI?)W9l694$JNe@d0
zLST95m6VY@xpW_X2ip&O^WthQ$lgpmEUSf=OJ!ZMA3`Ewc#Y=T!L1;J`L(&C^a{W8
z6wI-R1lWbfcy0vpbxKiWLOX>1U!A@!@v0v9!dOt7jOx)EaP*2chzmr}bB4_S{FPQh
z@gmc_s#6yAE#EjJLW)gD>yalm6h0ZBt!mYdFbKbBfB;A6u?BLj#3rW9wwFE|S->Fl
zp+&qgbBF|;+;i8RE%@mCO#CBZNZu8t6Rdln?m5yGcG#qO_AW(u>P#sWcts~CJT!Mv
zbTZ7?z$R4za^mzAF2bO0S!Lq~N0Y^<lV(hfe(1XrZNDA!RTm&E50vTZjUsKVE)^c7
zY1(;QUNRQJB~{@yq`DKA7<*%hXnA|HZ`NX5du|0j^{Uqlo7Zu^%S3{)8=7YQv|GQ~
zGQvv>*l47a4i=<wWH~`|WGb&j75=V|*2(&z?1|XY++G)Pq}gO^g(pfu&QASTe!@*z
zi-gN2UPG)zM4sBFz021B&O>LjDD~Bl*h*_jv6a3Qhr2Rtg8F=8#bqfGU2;!5$P}>C
z^?9>!#Z^%Bc|asqkA%+icn@J!T9FiargziPXVJh_bR^H`a^wn(NK?mY9G_(_mOF~X
zXobpO-je(kxuT4nWd_Tt_C-=Z^PmJdPQK^vw3kQ~M%bGbeRbQu$tIYvkW~FO;WlTS
zqEK=uu*>yu_<P#Ixj|l#b6=``Un_u4+ljxO&tE_VyAr|dQ{#-nKirh3NpqWLzh&L$
z_P1NB{0}Q&L82%X%r9oDSJO!*IEdYCudDaO_2k$ZR3ng;;U;8?^g&O7Ap=89aXe>f
zg)GO^Y<8TicE;?Ndk4g?N5L;Z0<B*bm0@JHdkzS{oK%GswRO7Q5=t<yDn@$7v$0Xv
zGJ}70MVKXPzvTV}Hf>XaMYHyc?d;+hgm)F0k<@rmH0xo5{hA<6uq*2CSWx8I-->Up
z)T+M=+3W1Ne}Tm4hwwo9*1fgAVfe?J=f563WDAWk&CJKzOk1Id0o|@4&n}BbkB#(1
z5wT~ON`{J(zhJ!YKdi8Yn$W$S+=OC>YObG*7!|fkyn-wk{6$Vq#$po4^%5i_f6VV>
z`Bwr2GscI`6xMezUPoDtNGRSLAmxbNXy%+ykhF{mM;0GvF5}9Ws3Ih(k6{Rie+3Lw
zBP@K_S(E|2NxqrCnaYoL%$Mnj5|#xtw6|h{aoYUN@Kj6G7(%0)XpL>pWi1bFCq8Kb
z-`J-6mGSJx68SXbuMoG^dke%bJE~L~dk;gUEj!aXMKN3Z!Y=ZEo1#m2W18*9>4vR<
z<~=+$(N7iqrq%%mZQx%D7Ym?Rh>dn8U)lJAXl;yE!)9yi=K2$ka%qwQNIVY>;lKc2
zpMYBz`K4)8G-Boef@jMU@h*u;_c;Gw88Fxb1;*G{WL@W`oCXk$eRekPB;}`haF+gC
zr50|J5fv3s1kgv~y|^dkF(>V}jE2)6W+ixvibQmF+V9wHFE1$KC%Tv?CfQrbNEUn<
z`fcAaA5Fzs=^L`POyE5-W>TT9Vjwv^>TV+AH*H5qD4UiAHG7-$6pGUpz#dE|!gSu0
zy0|tq)GdnKgm^oF5MXLiRx7G>`>wV51ycK!^s=<L%$T`@5%JpxYpoAN%53U%<SNBd
zd4PodMt>o=pFmXrrvJ6drz<Btvq6M0pHHrJ_G;I*F`I_dXA_x?vE;&shCYo>l)W*>
zEs%f8^8{%wvCwV+V<158<$39d9Zg)wJZ~z!%$FRCtzj$X-!3$^<X4R5q}9a#9>+LK
z6oG@yiv20Ul-KI7`P@%|4n+1RZ^(^k!lh;>1J&At0}3)&BW%4?r+(APR8sNr7&Nd(
zCauXxyoId0J+dY)7iLwbzqQ)=F~YzJeh28J6jz@b8@BIbb)Hdn)aR6HdBHNkzB3Lc
zKx#bS9bjG5SzyWk117lgC4|^lYIbUKPNcPD?gNVGo|?NHjdb+~23fGZR>=U}SzIx2
z*vYM{7({<&?-aY(cRWslayuy?S7j)eG+WP#AO>IXuh^AqCo$0xb%y$QK3PU=J{ou8
z`GkJGHIBa;@7?X4H)ifD>wi*LU++c~n5wToI+@@}7_OdlI<-btIU5Ej%efr2)Q=Y9
z5`ajI*?un;f8PFwK+xDrIUB`L`PNzKwof?poG>(gy#m@g=#4n_?>dDtMdxlK0gg-5
zw{%u?JalE@<xYPF8Q)`d1z@aZi;wBD*NTC4!UB|o;D?VbZnxpsZr`V5eY0r@Glmz>
z%XPTzYR5~1w3Z4<xuP@iqWFJqhBOp!b9!Zw`-NqWP9?^E#ij_j=AcrHeYr@+pBIOf
zs&^4MrU}j*VE~X&ERCM0UX-rXUv?UrCMb5xtx-A?#SY<cF)hCuqbLRO4uM4*yWBUI
z>Pu|aeF@zZg@sIM)G`V2*J2$U+fC{^*rj5~7#buN{IiD!1w??z;h9!)eh<ceIHhNh
z{Yb_PhlNFL5Sz0Jx;~!6d>L43;`*vJ&}e#{$aDF)o?acFPrfTojbS2pE)<ZVQ_PK(
z6qJ=^_p^JCB(y^!bGc*pUQ^qUk6nVMrdRc$c`6cFzq^8C2*l;*?91w(|4oy!>}UKW
z+}1Td`xWKbn!=juM@EI=QI{HTj0;>6-%o=P%epl&F_kV_&ily@>Fijd(2X5qdIg-W
zY~sOqq!{x1U&CFheA`uf1A!<@rep=2=X95@teGEFs*h2!$5sd}dzHbxdE;}qB&NPE
zx(+k!RIeRE9fCbRtxkdVxlU@%#exB)bI%E7pZD0WQ``oaB<^M>`Zr4;Z+~tvgN|VJ
zj-53`YionmeMmL483za19pQ{qp7{^dNwVY)X_!2jRDADd&J7vPc)L}!YqRsh#8#uT
zPp2I520?c_aaboCg5hXn^H|iLCJ~1rMG<NGLNi5iyt02vO0tf;t!*1`gi!r`sx&&3
ze=0al;y2~?3xvoY0fe)wNui~#h9eqdO&PuJ*05rf!)IIKL|d&0-Q}=mRLUn~{Zlg0
z>9ZicU^QjQx(kWlxCyE~vdQDHJ<zIZtO}INQ^xk|PWz}~UD>PZ27Y7k)8a$FNIY4&
zC?1!G4_{Hlxl`Qd^3R4xfzdP!%rE#|dh!-LQCv^6BsFFy`u4#EReoZ5&XTRlfJg>H
zQOK`-4{xsIg>qi^;CfhcF=n!UZIl@i!fVT3zLn1B)hXogk`>bNfA*hB=;Y7XWvOW`
zJDBj?EHxOiIg|MkP(T@Nh`hp|=i`+&t<a3F2~XyE=ZG!)n?GB~`AiP+JZ|`N%NO?M
zr~~C^lU)&DWdt3jyf17GKI`jvI9H)o^(FEv6a?qYtr(}s;DD2@+{3fU;OY62^r|20
z6o%CsuA>dWd|3jDChzBW4kUk&U{E)L{mCB3Be&sE8Qqc2Eo$LDIM+##diDIDGQ*Oc
zqb`rQ$)AWvWWj!(Y@jG%2z1uj`Um~9k!ZHU%H|)Q3#<`ze22@4lI8gZ`iu2x!;`9g
zFpT4@oVNP_8;^tf&N6cw@tWT!w1}adO?ui+RQXAkHG)p{x8LMzgOVC3vd?Jt`Kk{T
zJz1HSBLsudJfmIOvB$H{71Cp5$X2)g9iO!I@8x77vN>C=G9te24!pEcF)@&X@#S6X
z`P>9KgPS|pSsoSHNvsegn>@d(FK!moJEa;ec#}uo`>%3zet}KxTa(xCRE!Lvxq$>)
zZVJb;gnmj7In1v^PRHZ%)(xwePejh(!`m2@wEZX^;GUF-!(!U@zvU`SswWNoGrcbp
zc6)1?bjGK*Fwzr7l;wd-(QmEDYTgRMw4_gGT|+NQS-~xJH$`bD&!{Rn9@G>P5(+iG
z>riU7=`X)-9?n<=aX_rC;|+pHzUQ}wxujA#*=yn|wZP!ye{1&in_NuTIVtD_8U3FN
zPxKhf!v-u@DIB*TVreT|d5XYy-cqx&F&oS5>!*M)WTVxIoCRkOylM&h*(%^6I*Ran
zo{r(jas7hx{SX<*@vYZ1{%&iPnJ=T|2k0jI@Q%mt%9vHI6Dq$r=8falM1a`|?`8w2
z#(hnF%0e`opck|RB^hg7KZ%4J8rWLz1B>V#-a15$cd&AobLxJ#phJ@y%jfF3dwg^R
z7iq^Y$>ezZ+jvt2W+nrLt?b7C!^*hicgD{K=B$g^ZGKWAw~wH{Wt%{66wd;p#f%A7
zoa2Z}^X~agzIa<TLj{*&Pi#nix8axH{JgDN+D18k5Mkf0N^)}a_R(4nOWyjv6dWBr
zY{(1E+hlGYCf!X<DA!ky$pZL<Q4|q13(`<9Q%Q^x!k`53EZW<<g{yu{k&NM(GqP26
zN=8CS9qiuOIgu@UXS-vorQ<fAS-WwyrXv)`?T6PfUI&=|$<OMO&}AHf`@}e{S3z4y
zHpM>4Kt`|ChEcWnUEF;j3oU2-e4b9<hr16SxmFij%r{p~%~)1n3)l~7MAX&-m}lmb
z;gU_$$zHgAN4QgGgI#@;l``SQf`-Ft4f8ha=nL&>`N|wqlOrB?ZjA<rwEO)04!z5c
zk}YbHQ9;sH6*4G<S}b5gB3S8u49Ge_X4N~7>&hl%OJ`(7qdDiG^#b5c&Edw3!PkGQ
z#(yQRo@Q7{w)snv@*N`p#Wz1j90KDIs<c!qq8_RQQOx+%KiECrrAVO=@sg`vw%27)
z!Gwel`syyKbxvv1PARFBlgg4P%|sA$J58Kcz$0&ec_dJeec_`A${wo;q{Jy5rP=hw
zs&x!8@u8I6PU%}n%D}k5N=$f*$%LWl9Y$?aAX<LeZmx5GWKBCiGzX<nzH(G<bd&9{
z8f;@2<CuIlomKX>GX76#bA524HrU_B`P72F=J59>jL*Itds%&!<Lu86n&feofQ@>0
zzsEpdeo)82lbc+WEEl3aZ~h$q^y`_v+BZm{yjkO3{EHC*uz+u}hNs{;tZodECEXeJ
zb^UjMYIg2VLM9k4xv7vlzM|+dAC}M-TV8;@wFLIdCkp<#ce;774x1deI&C0HUwum6
zU%5aY?*hrX!!H8yt85&P#)*xub~u_DD?gH6h&qmq2C7enuqG0}p6HeBmKWKq$sIz_
z^6*{Qvv&l2h=yB-f~m&G@C#%eM~4q#HmxBpA!x3}4dE9NAUlmLe6h+0HIes@d)=}-
z0}L5y*|pM1-i*%M@5Gma`D+#JJEd23ThU%640?&xdik^4v^JUeTC)JE?A{*Lxft7t
z!uI0Mj-T>{-EHuJR5Sl&iZP?*qvE)=>{FPvx)FNOF?(IjwHWlPb%4?L&#@|8kzl5g
zl^pMKPuxP=cA+W(i;cO$&NxIUFtTvK?3kdk&WINp)%qV+#n`OpAQQso#4MVAYdQ4-
z=Q&p}9>y^p`{3CzEee_e`0k(N>7TZ0M`^Yt_W$yv@u=jQ9P43ynt`cFm5B1h;Qg(V
zND4*~6g+i}OsE!8;aK%8t5m<ZK(XadIpnin7P*>qx84Ctmo__oRqq@<H=wr6@F24=
zw%jae1yshF1b4NUp2$RhI)z5m!0DB`eKPS108{prU5GF|i}NBRos9{Jz*=r46gh+^
zo;ZkWZ>wxd5hU2(<=fT(b$-YK_8nG(1mF=EU5&5ES57V|Cz#TC$w##7`W{{Buy5fw
zQ!W_$sXY!qTb5T7&F>77OSu<yvkQ!{l^kPc17;G^=vSR5W~nG#B2ezTh`w3PuvTM2
zgmN=C-YYjMIHh&hY@e)ri8vX4jFL9ys+Qu}G#?_@?`H1mgrAy^ID5vcNt{mBR=Ffl
zLMAb1Mn)e&J~d^X^r8<!QQRB;G%9j3JG7n7Og?kkC(<<}sn#Yu86S6~+|%gA%c$D1
z1dk>P&KXAn2``Y9N2IeZwS<HZ>cT-Yro1Fpdag;xYdPCs;WZ1|o_<?~w47XG#Y&I9
zZ@qUBJ}Q@1p7g9*LN#TKJ;0~F9^MsN&*JSX9;jYG@TXHw{06x9#y}-XX*J7^adkxA
zKr_ntg#=Euu{&nwxy0!=GdiVD=11-!r6}f6`smUDQ>h^tE0;+#X?4?9mmJP=Pdm9c
zOEE*;@KuwygY8yF$W?Jqp5wU`1t3gA&a3=uTxE|eh-=vNg-248t}`FG`!vIw&wmT^
zvz_Qt4iQV`S}(h2ZHDa?qOtl^ur4e$Z!WxS%hoVk>TtwJK#p~$HC<BPy^F0r+`6mS
zHvEf1d1HF)JBDdG+>_4MJ)zWqSv72|)+=*LVrkaj*dQrkH|qb{xu_=Of6&F*{BsTg
z0j%5g7dbvZ2<k+pu$-E_v_9cpCh2+~N2@NgB7snjqj~!VGL*2G*ND?)lh_qA!CiVz
zQuIIR;$XDu-ltf7q_i7M1@}!G^V=jHrzRGp!spb6CP7PHP9-F`w0xbf{P<F6+X?4~
znGRmEZ!Iuq!Jt2~0v~<W(LjCfk+yNen*q8i4izp=$nURv%TqVwe5@T*OQFgIMyLKs
zJiZf(ZleoJ`>oMAc4=i+ZcSO3KZUjBdxM1st2(V~q#qgRk8HS(B;B3uXRO|@y=KSc
z&VNK40y-vfO<1P&CxVgntbGoB`uZcUIlieVyaNzY2ad8=(1xO1Y)Hj5346cgFqteN
z>!EKVK$Jpf5|;y~7x%&TC!EUCQI@t)_9eoF>tOSPpUO{mXAhls{K?w}bCKav%uhA>
zi{x;s3>?igbufqJQ4NTRjz7(6DueuHZ^UF1{g%l@rgfqi%XV`rdVTp(2qRkF?=z@~
z*oL|w%T~Dq&eG-+O&TBd?&A={Y&*W^b4vlY>bR04`xatym%&LtTWqMZt=D)q+$e>#
zqW3lV*$4@?>%7c3XVMGOZlt*N>X7WYaq!$|udo;Y<2zp9$B?O3uAe_Y(@Y3ZpWC}y
zU2OHsA{LjSbN>2tXmmU<(lV{HczQZ;)QW4(paM&PHh_KR6++aXnRLHro!9i*ggphD
z2_B0@TVMKPd)P|Xv^VgnxTy8SL*6@fC)*gu%m1*zp8MI4HhG91L(RW|7{sAHY$N=0
zTNQ1naq66_iGlORHg=GKN&|wlTyWjjufMC^go99RNbymf%t!izaW<X?Ljv;o+h!xa
zHmaTqJ}6RPdPQK=9A5BkDgheJhgUvNO!k@wI$0sZeXjahhQ1w7RU1j$t;;;R+){p;
z!S6dzreRv;O>J5p_5;CcX6|+>t}@d}IJ$`{^IZ2hQMqE6Lu*^<toRC6`%V<uORkun
z$HKOb&IdTohMaFf$wB5mt%k3701^L^hUq;j?4Cka*Kk~1G>_NOL6@07a2o3o5-K4h
z%4bD*Sv!qheloR#fY6!r(_}kPo|+2jA*`m)o;Zr6Cl~o)JVi5Xq!xYJbx+8rVjO%a
z;4=w0P2g;&w7yw9NR=vg(l8LA<2@(RwY8F?qlJiEPo!E1&0*aR-NGIW^p_wsOpwH`
zIcmuWf2uD|E)U80);LQ63A}Nw9Q_OQBBdkp7q^EfY{rXYBHIC3>(n|<Q4faa`&!mw
zMReL#Qg!h(_8$mL0_kk(=8id_wrHLsoR*<_>X8Y$Csk>3qHAu=CEj{HImDuYk6?@Q
zT|r-RabiZFz#uE~K9Mq$n|rrqp9*5f0q_{AYvs>y5*K)sE)9<Fo>LAIBjRM=`w*u8
zl+Rd$p*rrEc{D-RE=BErg4w>vcb9qK@dI?{E&vVR(ty?kj_c+)&?$KawP7pBqxgw{
zC*TDgXWU%O2ebiDOK<uudlHNda*9{Xhc9tmSz^}lwA(k&e=*X?ssY*?yIc4Y`LBHE
zaX$ASmS-UAgwVozBk7k!39qL{%@<R&>9*O7$JkxY^QzTS&kY0O42N)d$JjLf%w?N#
zyZW)&WW`1Mo$of<P<_wiPh@@~IX#c;bz2a@CLKt?xB5l^8J5y>p8IuKqrt14=ixM8
zm6|98EMnp#scg&y1x!`0H_sN&Pw+}*j!_MFjH^dSimM8sCUc-Jg=_Oxbj<#T93pxs
zLH=+m8;J@hCB6TXd(MAY$D1?F(A(oL0#pJB#edvKnbdxD>>o!qqZ?N-(gqs5W7sik
zUu;h*b>4>gNm|<Ztqd+xVSm4w=ttRO^K2FWq#1Tqrq->bWZ2+ZqpC8n_D$K{*j(8d
zGPh$h)S@-^`m*ykkv@VW)9z++)!&g!Iqy?+5B}w;KL^HDs-fn<m1;<B91!|Vw7EUq
z1!a7mTK`4F*2%7a!nsQdW&Cv@BB0cepJ;;$i_fN)rHs)fC^36y$LB_?IhnWKJYa;<
z;3Xw@7X`8D=3>`8z{zf9hJjpXarAk*R+0y@&|@o0+M1|Cz>e>6e33o2d2zD*iZiJ{
z*{N(;Q!A;qwr=%D8j6xKaTDEq^)2cAHTAFqaCM0cmL;KvT{X+U2;31}fQx@8x>Y-4
zP)RgJ`5aNuF`1e+cZK%{7#T?ytc_$Tz2N?AO^-L{E&%l22eJ9IQr?^8sGfg(=_KKF
zV?KnJVN;uKv1a_y?lf7SuJm=MG&mVMpX(@L8hs`JFkZuu#4lz2F*)_6|9nILIFxc)
zTXO$>8rhuXSIlyc%|U3nvQ(h!h*1@)lw4*T^9b;#B;S5!@ZxFu<-o-RDACMDzfiMt
z?O4=#SEu3I=hla>WEGXN*dx$B<s8EGe$piLcrW3t+MYRGZt{oNUOlrtd8nL&x=USx
z0d+FHFTZJ&;mB~xrj)2B%te0Oa9R+Rt(CQ<a;?PX67vyjMAX`sy?-!nOc%)LuPL+6
zTA7Ed`1}40msg-uOlQGvNG2$BB|*oc@%uW?@I7($jJZS(XPTxFmqlrlQCU1cLMbin
zBd!g~__FAepr|E3(XueDD#DuRj*^QvFz3a{*G~R=rP@=YpOkN}OA9Hni-0j|?SVQc
zsaZ=Dp`a)>8t&)c9lt9w6wuD^iLPiAFotbNpCjB0WdQbHyc^qUp$kGt@Co4<_>d1+
zCJ@ZAJF?-Opm%wlO}AAn_t5SCuWoy$&Nh{weSqj<`#068G+4u)nQ3KWB|*aum$NQ%
zwY##evR6!iaS<W${W_h1>uDL@ogGZ!8}FoXB&8ovMb(|0zgq8k1fq3yZ#QJ4!{0=#
z`P<qt!)8`}tl7d5o57((eOS0ktfdJ^zpQv#X(}11;g+mPQzDkuCswBgQOIQ0dm`nL
z4X{9WC2i2dT?_R2iCx`0z<P&#$$-%#S1R64<$KLX_5}T_X3p#>cb9s2DIWhUKS2?I
z+EJI@ny(nGAF;1mIV(LRV0Znx;-&!CdYJrrlH%))`Q$1N34LKxx+%BU3iZACwOfwv
zh8<3kHHaMF@e>oCXKvf`;lE86`@qSb@vfuwXH2HFhQ`LmD{ilYnbNx!xv*Dw$|zid
zZEYM6wS7l(g&`@_7ZnkKEAKIPmUG3pS7jLs`lG94A@M|q;0;f!6!(ZKoIAUGTTvTX
zs1!!L05whbJUMM1`1PZF+O()AJ%6<oN1jW8sV2L5<`_aug*bzYsVX7E78qymRnm-v
z_xe%KtmpG-pUP!5TP-j90p=-pRdCEdb$t2|S4UB*OiTTN$S%Z9c|w4AuQvuXX_wyg
z#9BP)&#<y>!;7-FuF3JC!G4YA`h{<OuhI6SjkyO!3!mn@vd(lyd?7K7?U!<>y4q$Q
z{8A<XUrGKxWccy|H7Ol%tb`wv|1jP2qXwqc(`SMd;xH+%S4~2n<m9~coaRxQSb{jj
z1pL0a{`RLiRUQSGMP?9*4YvY6U3WNlH|0dV_NPj$_oz({*Z$&qidd9dn!>8EtpNh&
z&;Hhq&SP2OykE^*)Qpj`%Ji~gCv{-<85@*bg}HbhA$k?zg-aT7X&~^^b55fyrem@R
zwnfnu=J}lNlCV7?cb2&6q$SF|>sJSLyAWX$yaFJ#1h(go7!JC-;oa@@@o0@NinZWF
zsz*A%24WG2s9(+wY1a7@WZ2i=?Pvi==M)y&#+TLm8=1)7-p#y4F(GK|keQlW&B^^k
z>zw6;^GYR)*(wz;u%5Ts&n%I3sWwR?L6R{gFNZs(HeNr$F~eKgh{fBmOh;Q8yusH}
z3Bek6)Fs_cks{XBk=#xe-%gQS`2Q|2UHac!2Si`;U)~(NA1Fu(J%5zv{#^VI%kRt0
z@{2e31Me%|Y@4ecK_5!z{^lO&FVN7=Pss0~;7H4KRFea>X2@aCXf`{$;oDdw^pgm_
z^V+K^oGws|X_GKE_b)+)S2sOh<sL~nA{fQ`#W3Y>llAS>3tBo`oULE<<_BwdORkeP
zrH%9XM8rQ?us0cQx=6XRttN~+o|Z2?M*x^H|8#_YD}MS9Yxv*W_mkk|z3u&JqiO^4
z&38;(uc5xO8`<Jd&!*Dn9pm1v2NL)|{L6LSS;4iyz)CqAv?p~H1<U+Gzzk!R(|E|}
z?%413(3J^^7~RjZ!R!Y~dS72(!W&DLHUTtn%n;hp<yG5Ju63>R$1Ay2bHF@bfs~5h
zj<lvT`+88HGkC$W*u>YWwFP89Aj$qVZDVy(RWgfx6Rns%Flgl1QkfO1;rHp3!>$AK
zWY&mS@8KS5H=bzUoJJtA7=$vx{XPym_2|t%0n@z@r2RnJgwGGzyUIuj*o3iQj!)^j
zE!3xTgM?lH=XssT($X`HSjDl`j+9SZShQDWrj*LJPq7rkdG`AfYW8dvxl%Gu(B>n|
zwJWD@kC-`{nr5o-P6j4ik;SX6{g?6i$uM;PJ1>W=QD3c@>J45$8O5OKnLEE6b+C`<
zaf0C7a}f^V!9IOsL<BKI*#PiqA4S&O&db!6qq7fRFyc3Dd0NXwv6Y)E`p11{DMNXD
zes1kdLs0>IzkC9SVj8*93v!Oa=>8!mn^3P?-v|_&#HJW_>twjNjnhrMtg*VrVFR;q
z&1shE=#BA`IoEBHOL%eC3OI{b0E}xVeXjTnjEw3ze4z2sSLf+kYru<0v96fadJep#
zJp+{r$D!O^;^11c<CkoLFFhPR4Y=J~hBW-(%kasDrazZVOY7n9n%Ny~On;oiod&1M
z#OydnExl8eSRMKyJL7@d5l8w(8fi?y_3qFV1Vds{IM7d$ID6fQMy_w?bVl;ETOE-N
z@x2pq*heX-Hs#nVj_@45c=~hV{Sh$(QFL4ueM+Bwy=wjQMz_0G)h4(K6qdJ|D8DC~
zW_-dF(;~<}KcgO{0@LYNbQ)F>eihL#^JM+ZPv*)Ft9hx`pG18dVu^%jB~huy!&fRI
z=PN3rpD+28P#h0@2~5Ckm5!hMe)DJMWeOl&xws3Nu^Z%ZCdJ3iY<`V#U7s4UH3*8`
z!IrMR>WN(QM87DNJ8&2rFXd~!YU&y`Zhk4BVor{t9H6{I9y#s}TQ#^zWftq#(eh;V
zYMj6Ur<b@<F2BkY#?Np*vCT|qaIwS2vB$JmWZUyjHTdtEsPLNJDL3)FYBLCJ-K2MK
zZczT2+>#sctHDX@I2gOpv1Bo`wyC!3SUdLZr1xIh--~c7Bj=$I1{&ZtwFR&9mUirm
zuJ42GmZRx^vd<Sy)a7@}a6^@|XUxrE!HPPMmIDcu{d5=xnV<qw5_1N;wA3Z7`JA-d
zzmt0>Za+qIW7yhN6DI$|T7G057w+;>KDyW2YAkc;^)Sai(NBvpZ6Uij??QbLR!SgK
zjcvG`=qZii7e4N}Kd%e>dcU`^QDblGVAlfmn;4_xl_{Lp26u~QhD33gH;R!eI8A9Z
zce<T_WTuMpEZGD@Sn^m^v^nF~(^%$ikxz_Qn2K`xOI!O>Fa7E*(MMvR>bY4*hr2zN
z{8wvBedJY4D37O-!JRVo&*>m)QqMl?MfGLJ3qiia1P3Xk*!n}7M`R#Nk<CnZY%O$0
z-G#qRi~%G_%t0;1tQ+N2EK)G*m}=^ZgbXY&rVm9JW7aodr6t`hrs-as3h0)<E0jjT
z!OJD4UXph)q#<EXYr31r=977+^9=f8H2FUGd8aOX&z;7)YIPU`YQ)n8yLg&#1Pb<f
z&Nut)OE*x1#5@f@j2a4Rn>FsVDr@vMvEE&x{qi~h7vIJ^B>pWAxoST!iIf4)UHFX6
z^<C7XmZq^6GmdfgYWV48IC$Oi*g3H6B3E+E2w-mg+?QXT^Zz#cHGFC+6njtIXgr%q
zcB0+VOx<P#bY45r$#cnqp4L$<JxT%-DU!MboCEbL#7cHT7;w~*=-Alvq-VS@CN6^-
zbToFVZ*X{iav!J6NFl!4bdgRgw0-h&FehwM-+ILoFI8)hxKNU)B~5ljLNko*@Jc_^
z=ZJa)%?0(u%??GV20!T%g-Lt!pKFPPTyz={Zv7iVEctLe4W@AAA8Mdlgtm54RGM&r
zJ7KuK*}OERgWE!c&|*U#t%Jaqc)jy%cxq#uI?WccZkYbt_bBJ<qUQ?CgX@|iuxMZE
z`i8;7>@iToTA!I+Li7Pja-x5!DvQ8Cn)zKHQar8?E~=hU_xlZF$~(jH(d+y9_~Xm%
z?7uMGwAu5UIe&NFqE%0>@gUPM8NcP!wxTx-6hFGFq(h97L!5qPJ~ZtFnI9Y2{j^wE
z&$W1QEZXkA;Rdn3+xBaq8F)xEsyooYzu{anPBi7KM!WiPX|-z9`z;Y1^BW4O#1ETO
zqh+i0^JXvQiNniPiPGU(MfN=bn~3P2|6y5Uj-|;X<l<Yit(OUo1We507X;u4Gjv49
z1Qp?&wP#Lry)G|hrH^cCq@@#CB)e?}m+@Jc<mgeJG4q!opj?=#*SBP+OM0e%Yl5e{
z2AzWJce<LXBW`OK);@n-bQ5k04=>CC7gf^+HxucH!S&iXeeZSMtU}(@jqiT(Y`03>
zPhM-YcyS|O-dw`Xwo>3^FW}Koib1awiLUaZ*CBj$D7|iKF1i5d;$?}3gVN}&1YSC=
zsH(cCZ~p)M^&Q%8x7lj#Y=a&Sm9OtSC&B<#qmKUfj-8*gbWYkbcI5=$Fm=L);ukJZ
z@_cLFRYL*G!ylz|*9G5IoS`Kwa3AE_qksNu=F5H<-qmq@FjBx=`6w*_hLp^if3!pL
zmx-;5v&(H%`>GR(Dv-l9UUw<h{DX9{flb5umf2pY^DeP$^QN}j?YyQ-r@XB6EPc%#
z(2;_D*sFNn@Z5}kSQCr<4hV?Ea^8?N-m<p&q3K3@p^i;u*baJ9-S?L9V0~`%ZhCSM
zuD*~Wxfkm6_}tc(+)fey|8?MP{9gRc>Fj@4v9B3L|2e*2FZmCP#7*k=muLTB4H!JE
zJt8DbW&guEC;s=i@|<jazVo=S?!)`yulvrkzeBEJF8jK`rRBY~!Cie^U>ZJL%x6$V
zb6cQffDa;QUnGuWtwe2)-$v_|Q9~$M67`Y}znJ^-GDq#}DRlWx9JqeyhgI83>W9Gu
z%&at+uLjMY$h#OHH*m@Y%l{<tcr>rM)wtGSyij1z!0!w6>~(zj!oqJtO~0Q8jgJ}m
zXdAC5HVD%&$trF)V2Xy$1b^jwm0x|p6xNhdG2R#3P}AH%(FXn!ujv*gw;GU*qtg@o
zV}JUH%1T+?r17)1WuU(<|JNMZ*ql)jJg;NgQ~7IK9u+6SGh6hW>DAB&^Yu<$5->l3
zht3aUo2lT4vw8?s*r2n0@}@@<R6nfNbMm=YQ{c0Pv)6yF-`jSsH7#7DDFVJHpDLM0
zU}jmqy709!w>7AP5Jo@4L$j+ZLwEzlhR{W32~@f1FiZ9k)pxILPu3d_mdxL|2q?7F
z0kjR&7Kr|RU-A8knW-}unq462dgI8qkIr#f=F;n0+g0R0`o-hJcXk?xw`+rWLi&a5
z@alx9qU9wc2Mk(+qP-}RlZGBx^Jk1sQVk5Rxm@?iD|yiVdMzCT{gWOy-?Re|+2%<X
za!(I@$AS9sa5iD`l8}{d^+|PH?zLWKaBRXKhG}U{0z%;o;rcFJODsR4OdV%cD*!oO
zO>&WqZwC3(9VH4}Eme+SmgX691@XW^Uhb*{wTsH@WW^1g5<{uZWk-2;SUuPTC&-ed
zsCW!ISiz?Of3$_Lb`D4Ik8u6V*bv+`Z$%Z5+vT(}&1@LF%SM<GoT~lY+U;gT;i9WA
z@g__K#{u$DITE~oF2CpVEu8_uNAWygj6A`k8z+K8^^qc6aM<5p(Z!(!(IXYeu~wF@
z;+jR|A1K+TA#Bf%2!!xTImTb`ZU3XfmI)ubOtCvsK>qxt#S0(LFnzSmVP7V>vkKGp
z6H?CpC2y4SSPocTs0Hj{t=_jja2$IWax+i@0zfx!;ueJyaRto#inQvhd_`1yNgPwm
zRXLgjls^T<!bHfqbE=yONh`)fZ0}{w*BGG7-c*1;_i}@H`O|ARwBz*{vK<_Hol`Un
zNV_fIDOxvbc}<TZYVs8{<4kWc(=}6v67qb=C!9Z9nabKosIK75umNi1U8!B)IGwTy
z$5w4>pt-|q>ku83Wz$8fVqYw$C;NfTP4O4`>kUTVFJpH>VK&t&?X_%_@kVd>WtRhg
z{Wyf5<c^k6^pCYDD360esh+vmm@5Awd~%7q_>l{%lHK}QTwUqWb1r5_j|?8x3`XZ}
z)ol^9<Jn1P?dOg%>|m$5oBp@F2WiyZ!TaR)Le`5jRu&Ak0eTM`*2;Kx;^iFdm5|<$
zXcb0As8r`mkSpHVSMd^v|G3z9suNKS!di~ELs3=B8js~~-YD~xGp6Wwcz;haiKA;P
zOsy>c%@@kKJ;|+?EMk|YUe#vgopO%5w&6TdtAwTI<9w7mZHswZs&9Q0BCI<pB`Rpf
zRC)OQa9DfUGD}MwM@tt$FL?!j{m2H*C9Vp(yte0+<+S!u@4L~z{3Py{1aTrXCfwLo
zXSd)8CL=WWVQ%zMQeiRvnG#@|`toxwS0BmI0iu(_EVhByM`lR+aV1|SkzN$t3wHZ}
zTnXmzwVO45p2Gj`mTCDbD-}mZ`zE&*T1SpC=tp<~)9Kj$wji?^YChR8&wSGuL`*hk
z_A+8VT!{~xDp!v<+JW~O92A?jD!I^HI-NYK@4Oez#FU<sXGo-A!5?1f{}t4d0NU^z
z5jh4IdXCULjWBvv{$Cov@+a;dtBYIgU#YgOoL@@+HecL&d(L#<zWGQ0@of3u+SdM~
z7~K7;>Mv}{o#NWXq~PvNE%cAyTzPoP;;Ig(Gzij>$X)Z#a??%p3Gc?VS=3x>-wWsF
z4AG83Q>~M(PeRo)<e@iZ`bQlP&dyLKheo(ToTE$=uQN~95V~d)-_a$?U6duezX2R6
zV%l{vGijO_HLJuc<yi<}?;DZVl(^9<T;ZT&mo5fdP|3c}bx69eh?&%A;C$mk&Byss
zD%!v7jSet_-Ep+;U$MbvtUwxDawZcdkYLWV8W+>nZbyK93JRI@raRs<9Czy#CrjTC
zM9tcEQc-!)jq`B;lW=R{A;o>slU`j~0s0?w;a+O013Q{8-xnj707bz1WBUG1JcH$9
z^$XDP8+;Cq!G+)aXAG~8@yi&qg;wC+s;k>1q|;V|yGf9DIS`-i-20Xj`PZ*jE67u#
z4KJMpvV&2$w=ARW6uav$oWC%;O}d>{1&T_rjwU5+<+{+$cn^|R++=1N)|5`e03II%
zdpcB+OC6(r*s#z*)#d)rtgLIvYBemiB$L&`<C5xD1XSNuok&NDJ%>ajC)fiVvT5y>
zr2LmdnGdddj_Zz?7I_~Qi+1*31Hxu`?mO0H=qf~!dsAG4f2{80tUX8CM@uSBODZXW
zn=?`r>IEqQ*A;{S?kjr&+Ro-|{1QD8YjuK0w(}P%EaDIA=B4cY@uib&VxLq9s8*WA
z8c8La#ZdMP<i_zb8DBWSHJDL_XlprF1+5k*z6FwQkaR~IEk|{cm_|7=j{d+hL1RD^
z-^P3f|6+`1VG{avnALP=qNy}b_pO#aYb_W~gRd$OSAm~Z&&e@qqVw>9Y?>B1@!_2u
zca<t(irHHOYX=+Iz&!B`+wEd>?QY^yirLo`<JH7&t~Gyab^db}_7i^rkzRNYfGR1C
zx303bIs;?~B9vO_ma4|Winnl1kk?q)ttQ?##ql*`g@U1nihyf+!;yZgtZ}a)s_SRO
z1qUZ2ndEJNZ_g^g{XLMI+*oGp0=&6OIvO&(QC&_Q3N93%98<Xday*on#bu%GDcE@>
z_O*Flv|J!c=T)R;>b>Y&Wl@!n7Dp2#f3{OpiZ-bH9B{wJ=Iv<C0ZrllTxt1k&(}S4
z)|)9<63UyZ_1_vG*FEUIjWWO9eaF$dae1kR<5<~&>DULB7B|;9fyQ~Up(sC%+Idt~
zybQS9Ry{_W_SR-2@AtO=0ztap8=6Z=1X&je^#QL^<+f9THS`-65#8J)enDa~sCC!X
z+-xq(XYdeW^v=HIr@~5j{`nARLR?q8O;a_&Yir1fEL{Ck=P}d0syY0>IOqL8`M$mG
ke>Y?$_rLyq`5zXs?(awBrK`uU|FF7V|1tOn_;2-p0eAr?$^ZZW

diff --git a/example/system/amp/openamp/driver_core/fig/20230512192325.png b/example/system/amp/openamp/driver_core/fig/20230512192325.png
deleted file mode 100644
index 683cdf3f2d2b2b50a7bf928ce6a3e6f7ec738209..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 257953
zcmeFYWpEu$vnF`N%*@P;7F*1c#X4f<BU#MM%uJSLF*7quN6gHO7Tb~~jc?5Sn0sU6
z#_l^CcXuYf>WJ>@=&H=_tf#W7pN#xi{n!Pd%S+2i10Wy(0EoW_;9~<I@%Qe3t^Avi
z|1}AJdw=u+FyJ8<A?KkWC;^Zd5KtHpA434rzb^^(KV$>`dx3?6he3dbf`mZ)`&=3w
z0Qt8-KtVx5LBqkqK*B-8K*2)70U+S9uyHUjaq&_S)U>EImR9fyC@86DGCBCf+|%25
zv{UMrX*s#LKdG8{w*Hkv^w%Pge--@?9shQLf`)*Efra}wB^ZB|K>WRhgoTHKgM#|2
z90~#&27rNy1&d9ALrKNKDW*CHN3Euwl=AZyS3H@9i(A7abzZ_L2+#Dpq?t>-YeVD5
zIsh5!uM!L>48Ui=2cY0HzOVHy<<tR;kGmHFzg)b%#|GFyzp6*v-rh-nwCJ_hWU*4=
zHWVdKr@ZnUdOWQHUPS_J(?_54nm;Dp#=Ir$_Vt%`HWF_T$d<znbC)_E7;`)_MUKOf
zuS@}z!@0k`77q)Xl@E!Kq$U+beH4rSoZIde;r=BUhekU9k$#Lg!wR0@rgJy;q-?9k
z`)!#M<<NaOUC5+i_M6tF#9+FCA3Py!J*s{HP(Iqa^9J={wnun26ej!h+YR!lePAXI
zg`u(+t<9V%244o69U)N*yk&;a(P$M?5{I#@=hh*{8YZb%e@3|5D$=Lm;jV(jZO<~>
z)&1`^%=icFR#<REys)t3<R+@Gx)&3A6ox7l&R9T;6cY>Pj7jXF*id_>q>Ce(`@74H
zjrh9Vp3eb@_hOc_EOF8-ruxuHU<}{YwIaw8uJIvq7fXG;4UWFP1+G3ZPDa^!>fHKZ
z()$e7x=Xf%oq?`dohBqR)fiv~1hw;!5ihR|pgi`@37&W@1NUjtk)3<;C%R&EGP4{V
zvvEY%5x7cl)AZM~I6AIfVL%rbNeiU0Mwl1>VOFVBq~yN7aFw;gDn+*beFkYAtK@JH
z#eqknjJd4W39L#_nc?TsVqNCOEAZ(95FyDRdw*t9>4wvlPCMV%>$`=sS^LpQnJ3%#
zajvppP+8T)h@^c-O3fi!x9Odg|0k}-dT8loNO#P%*rCe+TX{u^>#VfV6|QOl`%zT+
z;gNmS&s1jaAai!2(Y9MsDKa|~{sik~6}-`#Jwt2eb(s3H;VOl|WPVe&93t*OjS(-t
zP*e~&#>bKmpU~11o>oc@mpUb#U1Hn$Xqn`nVaNMDrP4KTqC#C4c495VJ1?ON_IzCb
z?jT?jGF|dg@ESO`F0rXZts?{{mRa>GKFJ?7ilEhaZSp48c^XvAqhStY*xPcyWhv56
z3Tejl(mYfkVk|b#cbC(VNYZo7c>GR8n3q{k+M=1%*>8ulplCga%S(ha9E6Wk^(zzo
z4%0IVAcN{VB2O*<Nkni+rtRzVg^EE6z&M;bSlWXf7hQq62r5WYQFdGw`SmV23;%hY
zCuaB`%@Pw||970@;Hd&V!dTs*HUz44%HQ>kvM`EPDUqVblWnanW<fzER)N9h8cC*d
z{ASR?C#(i0+Xr}~9q56L23T)<nOAjKkVQ=6Gt^T8%;I#Idsk)>?)}K~C%J8pLC&<y
z2xvrI!Ge?$Gkly#2V3x>IyF)6KPTN+5rWik4o{LT^KdD!q8y*<zjqpk+qg{Yd-t_t
z;X+5mZHtj4QJmxw*j!w^zIW!nO0-^3Jc%g#{P_Uby`7MB_l$f1j+cMNd}BQuehWTo
z*m!z(5c2C8T|4USUEjD~CjPGkj8Ci)>8Uv6l<Sx0aI=;^Ma0BfI-wNq(|Y(^g^1=j
zlnrPug?#6OWtg$dI%*+@JNU~eG@;!wwgguS2+Iz-*FlaAV_Fzl?Ua1EY*%2YGR@%n
zNcdGSLGcW~(*@+AA`p}GlNYqRWJJEB`Qzi;2f$$3@B7AM;wu@Q@Owb>`+fZOj#<FH
z4Sf6Eb*|AWs~$`5*W-iHjZ43Lz1O$uo-337e>BjmMr6HVUImTTxFbJs>scXXk0N_O
zpm_*&g2R1u{zg`otIS<vo2*^(EF5ZJvNEtA%?q3X^k^Hty$&U3UXlC&cv=dAp!>=Z
z?_9>Ylw;7NhT439vs-l%-0df<!p8bhF_01?H{|hSiTBgU!T-b^eK9iHdE7i%C+XEe
ztG{#EIe9g@;k&we`t$+dP5c)+{?9>2o5Le&{&&qPC3`(6+okioKGd&O={L+>p#U0m
zR9}81ZucD6-2wS&t{iH}B!MS8L5tAU8cuQPoDIvz$7A=H_VFzCpaeCdvB^+uzh0ND
zl)%WRtUavf3-o`F5|4!XC$FzJPc5&_8D;O(0jMmwCY8;NX*meNb9FqC+yShuICaB&
z<7_I@I)&f2tfuMLX42XBgnr53sy#1yo^1O)uJHS843c3zTsJ!T8I)GHi~w3oiXaer
zlz)@yz%Mvx%fE5!gS}v`!2-7ud4H@hsOhs5awV*g&ED?Z@`=7EEjLRV%egK-zw!=A
z-Z5y8Jj{?kIsB}gxkLs-I;pdani`_RTMrMC52u!5Ob;?sBS-a2H%8>4T$PJ&3rvkP
znf7Udw^~c;MAX%WP2dwNTIJuGifPJnXUW;M9jTJ|Nfc$ABrw*J$VW`@OlH38v-hgd
zZmTe&OmKMG3m44Qo-bV#n$XZvo%!(Ya{kJD+1DB1=~%YXEM+PjmF2ZdQ^8WjX0v#0
zF*ffkH1(iIX$j8!U25nB?2@`&&`<%rVtHHBo~BTls2RfR`hdSO@!q#M>sD2sw;fTo
zHl7DlPSUdCDg@ek`}aq-6U~}FdF};*%im-CahZyCYFoFE4pD0rYEObW_d2eHPnd{^
z;b7a+Xf<F<zs9&a+=3)jQlfh|kuN=dPb3u<Pezb?KDmvKRJ((LpO#*>+Z7fn^7QDJ
z4;qS8F)9q@9>95qE1O}(5?ijOla|7k*jshk{>P{Uh2JjOAlOlLrcak}-gc^3)>~$n
z2kBZM0C%{2y9DgCfu3=Tb$zsj*>%@Jpf1XLh`>;2kmE6fsul9u<5VdPCWc7KB^I0f
zG@j}F6yHx}`p#tJMhgp*_}nu1=3_3(2AX2?>ZpoSj&MZ2Kr!Flbe3wWMiLN@R!zU!
z-~xgCJe=TI6sP3jpWTSjTIfE7dO{=ao`<DLo@n{U<Wa4*>#O;RQ2`>~ONerIInwT(
zm10z``c}1Z%t!Iot3zeUF<kk+X_JO;@hh^PY{2SmLxVp7cbus!hR-!)elj-g&q$rI
z<L+rWglWPrCf4tg8*2RUqa5|bVFlgE)2uc#gpwq6Q;ss{&D;1Z(aSzez;&@X`3w+u
zIZon+jOS^LQvGGeJu-2by#;<wdY`&ODjij{uL6Q$Go8VM@mtNMOVJ?OxJQI%zj%{c
z1C`jKRekfaVo^ZxA6q!JbW4Hbhvch8_n?q9cVcF>rYXt5gv@&?80uIAK8vEq9TO{W
zR@L-LT(wJ9`-7oKy~I82qb14<ENIC&b4FG$%<R;N-IU4YF@~CUVi<Cqz}?t2ONpIJ
zRw8O0=rKCdIQBbdxhevypBOi}#qacugD){ld74cv+Aow|Oa!`Pyv#HeYeFHbkICN{
zVH>x8+=X5H+(}i$R@5PEqqj}UWo|B}5mffVa?EnkpV)kj=^^Q_EM5138|^-*!ZRWH
z3Ul`DH&!D^>GEWQ3y9)NSmpfz7z4XX$sQdzVpR9PyZzu|&O8yqDLCL~_qOpbtzFg7
z%R^`yLaw>etXs@Xr1RX@0Ia5_7qo}ph%^iqQU;DwM|9oZkf{^<Uw2+ytS~4(xXsU$
zcPtAsnJ#Z($7T}|(ljL0=%}I8wyhv9id40@wjYnKQUc}s_i@75V-f5iQ}KErAqL0F
z6i|~nRr)|8!>RtQ(Z7SY4(hSZr@VB^A4&~D(S4+CZRqX1iOkWI5bj1geVXHtD4Dfs
z;SjWCwDx@zndS9uNF!ZYKnct5Ddbu|j1}*AP3d%z`YIxcQ0=b2ZKcu)tnru*?bn-b
zcP6`6B^nSb=~s40Pq!Z;y?7}Q=twglSmsz83WNHK8P~FLNQNd9Y$J9PqMvzO8tf0=
zPgm4Nq&ZL<jt(8b#(EIuq?i<z5ZNc=NG}Y5Ipuyrf=NSCkJQe7`zB;g<Fru`N+7<=
z=eUggsY<z~E1c*&5-zs+`_F({_48?B;c*@AD0iV5GW^G|upXr>a2?(Wv2ab0%7qhp
zZPJ;wFhP78;Z3^z#V~<Sql5(y4Pp*$%d+NLgc{~I>73feMtyGyCgqT;yu{5aI>pDy
zJ0e;tlTfPB`Ykf$JK~i6Nfu`S+gSEgUSu%hpCdoBc?YvR>y2@+z~e==X{EbLhIiP|
z3PJ6f;5dw!Ijf!II4~(BgrkiX!N6Ei%0)f*iIXsJoao2E4SF+bFX!Wnl1JUE0tx}z
z@CTqMBT3%x%M=^Wgi*)yPC4@XOx&N4!)`RIjIO8rnPt3{XO*!hxRC9?Ka+N^M;#gd
zn7#T)+hpW93*)?WN~tN5<i<7nxC@z$Yn*&R88z^p_o+YRf{_I-+C{qU?60a&Hg%_l
z5!_;RbD(k-3<7^Gs;vdXuiMY}I^#jk^*uEULMY}z8z&L7X@Nr}Pq@wfZXd&)i2O5K
zuTiuEmV72I<Qmx8B70z}c&_U#WUq)Xl%ncNNNdg-TJ~Rw6Zv6O>taNZ`ld19;cw9*
zciOzqItHpRFXQSQ4|O)FOjleuigJMwrB4D|;IBig?E5;{eKGLC>KH;5(j$X9(kW`Y
z@IflYe3t#hy*5OcEi$EO-(gdICgJ}Ki}>n1$V4u^@UGT9?$;(^81T?Y`V3B47~cuJ
zWNmBm+FmMR>rwl5j{D$f6E4m#8N$!N*ynBG%C>cJ6cHPVhZ;$(#EI|}&*4@tYe#I0
z!SUEu^3)=_d}g@9NS#x8Y_F0O3Y!n0CxhlOCZ@cmIwtq8@lWuZt_fd^?|>3ck-Rmr
zcTQ?NoravV4PIMJv7XX7ogvdcT`poXEzd5D3t(TVtYV8B;7v(Hb`s6=gtih<fmw#O
z2*+A{DLe+Nth>Q3c5AUzlBq_o1hp31J$3y0d2ymuT1_BGuXkx5DJa7!#!F)iB%y$1
zsGmViI|}#o)~Y%L;J7pCyJW(MrI}Zm59kV!;HhQOMM^5*>6h5cpHyFk3cyR_7&d$0
zL}S@F7GZB0^aD!#990!7_`?v6)kre>OzYBzvS%OJeF*;uG!FNo!Yy98KaJjg06flJ
z85UW-l52gTcq-0H$s~*>HGbz7X}%-9;zCXkx=m$5$z>qP_5EqG?kSLQ5vx;^_|vdn
zudA!`*9YLxf}y7S#vt(}e!=A$&x0WOiiwwp(dS`c?oU)pkuyfTnJGV#m=8^^{z5)?
zq@YRmZo(FF6H4+2pzt!A%X!;&c^CzQQao#mOE*Q4!CbS~SiS^RQ}=79uy9<gQfjps
zw;$qn4!%J?_0maG|0M0oF2NB*oWisuLew9^aWxGVRBvntDgvpE94nuSG8}$1A(MjZ
z_Ds`CY^kArN3-x5sEy?YS?FqBkpx9rl633AG&XK0G#cs*{<6UwE|#?}cr01IK*H??
zW~AYq48_GLmIF;Oeu!dq?+J^x8W+0;hN!7Bd;-icxYE=l#WWo`<`Fm_y{qMk3!`73
z_ruOVZGAh~epykcw1NBsyGqpS217L$txF_kK#||t%L2f!kwxkA`bplm!D0asy-{h{
z#|fM8bCVSNmq*!Sb)y+hMGI2@Iru<8bKp1HAzz+V=twl01*vb2yf03%!I}Yw?+!)u
znY=2R#TDXH&-NDuFXEOUODiKG0k=rR;^Z%O*{#(~AAmF#R9R%=sGt0>EVHs>5>nBQ
zbdetN6Y-qRx#}{M^hFnO{6vzwnT-~<$C>Pp?&h9DflZOWb12bFx%QwXCQQV*AhDJa
zFVI)}?dg;A)zVO3Qxg*~f+B;W0u%g>DXF97%}a+_(hf*dkwn+rE8bkQR47*66x}-G
zQ}4OP$;i`1fUmYocIkaE_+z%7(+;xJ>=b)y&A-j%2Sn1WkgO>lu6!TJf^B~GJp0eR
zz5-{&%FDYFae7@H8kOspj9PdgrE!w1H{MUEPq;nt2K#kg<`vADk&s<5kW$;dy<=}M
zR#(H;s+gZU3RZ**z+cdh!n>CmRnJxt%Gl<NAjqS=a$uL|x?B2rEz9iftX#g)XZT8*
zFoyG(i_ZJBby?P4m*D+ozOf7vzR@UHo@XZEgPE*aUs`;f$l=9mPCSb32&#v0%f^L2
zf{*N<!HmquyeDO?H@5>dO@R$$+z)hzL~i`Ni=&5=Ay9nZ_<hBAFGBfEGb!tCz5tm~
zGLI{|XNpZ2{DMw{$bVKN*0+djTf`ao`{%-j=$Q8_e!{2*pqW=yej?NMrN1R|Fme4Z
zRrM!o4(|cU&R#KS<h}>TQ6qYei#SmS6O6jI@p3w+r)20|A(l1LAN@N>fEHmnWtG|j
zd6sN&L-aCF&<=KF(8*t|(boQ)U5~>5bX9!gySmI;ZRNP!m4kB0N;1c|K++Jej&)Yd
z=SqHjI0PLjZjr!KdyM$(slzPhSrg@5DU&h7jN6|iq&mN<FJn8h=jc7a`DjOAPU=L@
z(J*>)IR<`YG6RflK4l)*hPS^{T<ktT_}&N0Y{zeB<d0Fyn^*^b>z^;*Z&qJ+Fz!A8
zWH;T`-5-F~Xa7ky?F}iUI|KiEx7zL)o@Hw6w5&`|4&k~+-;{J{^Z|0Juw3le*jLn6
z11n;UPvoKldthk<Jtg&GTV4=TaL&jaxj2Qh2_($DlUV|I3U41T;{4$;e65?PH`04#
zXM>yg33c#J(0Xo^#!uT~wZbhk2fNmEp@M@e7iIu0U5wdaZrCl|6Xjg)>2Bzs(KlDo
z{$U!yVP*yGjXJ9#CTrSnF*%HJ$tM+C2sGP2_s<9;4QH#t%)o(4+8sj4SwU<M)r8Gr
z)?kKC#Lrd#gu?-AnfJ$<v>eM*7h`g$))oB>)sApzNZg-3t-pjq`t~F9DLD^>17fAd
zu4q8tSm>^?|BBgZUE#!$lBJ=UJ=ciT<ZqlAg&#Q>{Oj!x(-cgOXbTU1bCe^d471d|
znPnnk<_sNr&{USwSI{UFl;R8o^jJCNP_pv~yw9|L$6(z*;)`#bV*Uvg2lJ0uo#y|9
zu(Gq3n#pk8fA4o*vwscvL@Kglc6qn6b7lW*hl+IY{IixD*B)|p(R7)nPmZ`AZz?WZ
zl+jEmR~(MlVz|4J7#W322pWsBC<apwj8AdH?|gwe@Q=*cJ@SvJxPQcgdcVAX0BTM|
zX0Kkx{1Q^~KLDTCKLB2%U%%G({%#7@|Lvj7c8SN5zSDZ|ba3?~GQ;xrzP#i9ze8w1
z%-82TJQB~`=WT-c4G4Bd@vhuE#f8ElN+(v*W$sTP^eI*^Z~_pI(zGw}wsVZCfm-N3
zgs!&s=H=Su3U#L{V)Zxw&HY>LbFTZ-E71oaNA_Rv_!m6>1&{wJhVn1(@&AVRpiuoI
z`%bLKH>hoA#l(vR^TXH<-TK|YfypFhFxjvmwoyu=V<uO%@f)+rfY;A>=Hi>O+nKJ{
ziy9rH^Zi?-7ucH*fC{NpK=z*nZa-D+l@dZ{+#LGft0;jfd!CycAy#n2K!wHCW6Y}*
z?-n-QFJ6x;I@xWiipgwMm|s!}EXdro8CQF*oz5H%JARG47mmA}blq)K{kq+-Z++hJ
zd%psTBZa;cEnFU5&9?6iMqc%rJ0F2Fmaaw<c6#bgUfR0E--9|o0E=)*M#sHm|KXiB
zeVx&aeBRx6-oU;0i(Bw-6TRtV>HjynIbGZYOmBPu+CARAU8$ZK-+}(RgWvvx^nl8k
zA+}SZ-ZxP%oOio>r`yrmzuQN_ukS}Yzt3h9HY<Od{I)~=_pNT<YuM0x3miTGj}V92
zziX#PM@f60|6KLHW(1s+ihp*lJ&HK0;{Ok=M*qWiej+3Ge%-lm`2buSd;s$E{`FzL
z{~EFXe?yUY^Z#;)ZdY`g>r3D96coyvZ1WyA+?T7UFxL&|@hw7n`F2XUky)A(s)GPm
zqC#m_oT{NC@d%+u@P|hq07$uaA|xxDmzgBZb|YYAYqb5wDBVR8_bQvmk$<`9nzr{N
zf6>z0j}~eZw*Z((jg~uuAp1&<&uHl&+8X9DFUkg@ou8}SCJ`atd#u~~LBj$Et-Qlr
zO-~goS`{05FfkJb=_HyiZjDv8E%Y&UPaWjbPS8v+Hi;x-z(Y%3gNsME&t&Cot4;d?
zxGk0C_FAk5UyJDrXqA+BYs3hsXwqr`stKyoTzAAt>^O@(w~2OH3V<QV^3cM^{q+k{
zQ392!yBVG4R#Z9fb3r8cVOrwJ$bpN4buE6{Q3J)O8SL`ujC&G|Z8vxjA~mDd?-Elz
zLzbxu1n(6NSpVW{#-*1_^^ms2C_(AO8V=}BcsW$|US!qkmm%}jg_Vn93|3z-6YV-Q
zqkg)VXnC5Zk83xT(?mJesuGClXbMKT@*hQ-1}kQbuk7ueMdXxNBz=b@9x|xzPEDWH
zJ(90x%ALLTndi&p)|9DTy3i3e=R8I79K$v~UMmXYWJ3ls+HhrFfa&7oZBKM~1m6f7
z(vi;?6~A4KG@)1Qr6A-_wCnH}J9wrh2q`j)%u$-s4aiP<odQ0oH@?y(s<XbRGcLu&
zceUDXmM>}5j<tMK3{byr*7p>n2C`tSPDmRKm)h}1;9mWyIwT&KV-Ht!o=~IC5kTXE
z(NjBb!o!fs(b31XV_aHn$)P1LhO%Do#LS<^Pp?qibVgxV<Qy-PGBICmwy8s^Q^bOO
znIqim3KgpC7vD=R$c(<)Z5m1*#n*ho2?2W6x7ur(0t}zoXj>jZc-6y0!#Dwxf3mGq
zY1e1HXac>&E8(v_8jQ``pz@7n2!6Ygs^87be<v=TVEL7nKW);K$*`!4?wsF+n@kb~
z3I%@BL&oY34vele7|Jx|<Qg~^m=AuZ2>we?My<UOWI0xJdoF|Z^+<}^PLBy=u=M?1
z*EGXJwc3W`5_?@g0C$5!obsd6J^Zb0PWPBES4dVDL>H4^x9H$T58Pa{PdDDgLrNe0
zj0&&hBCM)O?J{_9vE`L&<}j_=^{iD848r6%rnkYI{IcMV7&zsAvvlNJE9P{idmLwW
zHxv-LywVg*6d(`eNdv7IWa~YVa~V;Z<rcQZ4+^%0v+&X&!a-_kVI3an7Hu>^V+Vhx
z9oR3V>CA4^;`9}-6lfFw&AZ*tHy>KZWl))yzbDm$Jf4<8z-wV|VIdIyOUB%e7;zV}
zzy+H_Nh<{Z{8*O5D^V=!gd!ZhE;ZA!`M25vO9u^(fS21<j#}x;X|8KimQ8#)_-y<V
zSGsOI66-iIQ;p5>_eTHWsg7Xia-6=zH`Qr9WWj6&)ivD<W7%UylJ_+C^bRA1ON>Q(
z*{Wp9&t1i%1-ZMK_s&{IUT7l1$X`{IwpG9@YmW(^TXT%@mFiX%0MLgsu81b$1{TE2
ziO?my&Lz;2kQ9{%7_dYSsdni2={4q)zZ3;@W|EphB{R*XghbzgSwR;Z@PUSdJO{aq
zTZN6zs!%UsQ8?uoT=;y`7xpV%Dq={nc`oqe=5@g#>Bc}rSz0OLHA{w&Y3^TpLYyWE
z9%+%X@{-|_;g;0$w1~7KZJBu`v?9Oql(1lkhK5G&|Lt_kg+(;FgN21f<~lU=I+E)&
z%29PT6I8LcQDt1zjvA^Jgx!^;*=!k?t3m{8ra*Zjr)an*wrWDF13x9V#|i8IgC28~
zmcDrK=1}Av($ck)oEK3<kVWYH<av=eZDq?}n>YZpO51NxH~jd6hSB<91b>?pbJOAi
zL7v&VZUV%GF=6_dAo3|*{pRY)Bklw6wEgL&HKA6A<ggI#A}g-@>3L^kXX9%?ujj_a
zG79I8-Qvshgd78&f*1SjpNz#NTd-hW&tS8Xl&(Kng2d*c<c$?~Tiqqv2S9y8kdZSk
zqi87K2GSjZU51%3#_-a`K4&9fzOWv8zq>~JTvbe$6p8DPf4_;|SKbK%=?GXldC)KD
zbh$xO9g^Btj#$sIYc=+i-9;8RrTKR61+Z(AcfUP;(nYHQi)ESJEhaokyCGZXO|vWS
z)0N{MPb?G-EpWN@^L57Nz@}>C%|f#2LABh$Fv(*VW12&fzHGIuWRz?Lqn0{;IHxFM
zbDHfuEEx!yVsJ7|3u|vh^-oS$1Rg%80I1<o$5DQwlBvEGg&VRv3a9z0==K-mg>Uls
zkh&$ubyFHmLV7FbS%d?uwwGqAPe}T#W`Md=jr66O9a`BqUI~UVEw9`L3{RYa6YwBI
z7z-7@T-P(?1MqPE`~i4HI}G@1XrByjmYRl|^=#K^7pF)}D+0{@^ik8wv`=PlE+Yu5
z%Y>z7>|B06eZviD*-z-ti6_XC1Ri8=J>PpY$uho{R<6YJ;MCN3J`rhk*Hsr++b5hf
zayYYq7gv@AEmZrKmnHr>@!ikdYx#l4aKQLwNUEFGj_)hL^NYs3YWXj9*3E<$K9v)V
z75hxUlQ=a)^~twFJvIYch9Xb6Z+1SsCT4v-2RD=>qg^EfVYg;R6zn!!nktz3F^Z;k
zMG$8fe7M-L5-EWG6HcmCETO_JdQ3fm5|S<3S7>TE-;%9LRBUcVuTX40jdAk40rOpC
zOXzwUgErfMa888PW`{~#0awJIQ<@p%BdGh!+XCx4%4VrQj~V}l1mKVuey8A>6(oJ<
zpGxrb_(tbXQIsAQuq|-j|E0k0wJq3APy#VO2@l}vfHM-E&md=7$ut9zP1~}XRa^)D
ziZQ>GGKsF4V6l-YL2-{%s;K5R3C|)<b!*`stZosiV)$L8^oLf0j}E)VUcwk$nf;1I
z>`E+uaRhmbjZ{Vz8YMkcs@E7ey_?Cv?#i|)bp1F+seq2YD}h0iu`aoyDWx%<&xJcs
z6%x>hm&zf9D>;s<Zb9s{x9xWjF6_44nP}wTXiR{W>eXY4B29%_Z+J=_#cKLov1_hC
zsk2SXM6GTc8Iz?|)DDb5u8f1}qb|_H05E2cEQM&aQ#2cz!;-5m-0>MXaUp(-ut};J
zT1lUOni+VmfmY?v`gO_vTC_k<#&?`(7W8mDo@x#bl^Cgnm`JOdAL^h$O09y;fLXPk
zd>jegXyJ+CTF?dCUS7#+=??TR<NV<f$uzSpRDV+N5|<#eEx*3T5!u$Mv19tt$D##g
zm6%Q~h*Bx?hTXWt`0Q$>d7ajTd%mD(Je=n~o#*lZa>CD4BEm{-#;-#fa)Bdm6Cn2z
zh|HwO|J(wso5A1uqIw>USxR5lF>0tb54^o0LiEmKZPnL!B^^yvzIE;vm>sf7FjZpj
zesJY_T)i7d^YivPO7MNrhAiN;L<!YmAkb!suFigBUF@2eiJ}jDqyuV<$TKTaB8ao|
z617Ut6BsW*s?-76(f6`qaPllG8Eb~E52$Fr+mI3PI2#uo9%C&}hSrPZE^p9{XUo~x
zEcFs3ohzx@^=O!=;OictOl3XC>PEBJ8*f!TFK1^*2i2kjNVz(5c8`-(kAZ%cWJ@3>
z+{on()+@!8_|u7}t?l*~t1=t!>rrPsg>rt%m*1ZvI&O67+!*iTV<B&rE7A-;)d#gG
z*jd(3Ex^V*Et}f-3BYiKx524jh&CUXdUI4G%hLdD%{Xt#)ovNW3~_)|?D^5~l-{|C
z<{5?1xDE}Ea52mR-1bJ*Jb|NO)oxpOhOo<?^42tjMZrZ}lrjnQ1?0cb*^Dq!`f<HR
zk&8^IlScD_Ch2@fI|i%F!I1_qyavn$gjW&Dx9;6mT6KH%lsDha5Fo>vV6K!Tt3@5{
zUEF{SO>&%62I9y~kHNiL^FHOnQVoT1oQ(*q?x3<g@e5WehC~EC7q}4Ef(s*1s^<HR
zI%0yiy-_97o9?5b?@Woi^Hkq4wV}!no{)jYYc&wm9$uI7wC?~2v%x1;$gTSSxd-#3
ziApK%8(Uz|E#YO3cOKvgjE05#WcA6s!Pb&;7?--iSXu|&Y2h(TYAVAyi8<M0TmML}
zoO>!T-FE4z7}&WYo9S#N<{(}%mhKFlQXWQWp)AQwU`c4$k?Q3V!a$Ky)0n{Qd~q>>
zw}nSENmG7gm`#&HK2kNOij(>Cf^b&`w$M4$grgVzu(uiaoV=2uk^xo@I3_?zJ_OIQ
z(P)h67k(eKyQd%<x4<#kV);j5IxJmK$>^8ia=u2a&?l7(#I}VNgnEP-ji};gXRz6H
z75k8?^{YCNXONSbLne!%kWg#xBy_-x^;1UNImAj1mc_Y~O^299W%>H{bKaoLJbWRW
zGfi1e@~(z~CV_D)_Q-5&#pUHlQ-&pdj(7$JnZQx|@Q$RlxBIunj!SLwi#LOsvhTqC
zXd-ymb0yn4rc>kCOyjVzGh8Sv+3%5ql+j#u-{24EbJ;JdtTL)P7N>l~R*>KoYUv*l
z2~DTclH_gDikjU*>+|VNGVlH-PEbyQW)q;*(x`R5P^%1*I(vkAx+TbOE1@zERf8hO
zH|lMv3q)HQ<gB%9n2){7+7<2Hk;l2KK4+FG1FS1a=a4}dtccNzNkNn}W$KX7i&4zR
z(fcwB-O}U?`0D8+ydBSDdOYCOKl0=$t=?BdNJL8(Bp(1LwP6WeEEeMvw+fj$Q#?YB
zzY+2CA5tvMng^l^r}YIIQ|<G?1Drm=n09RsxKrCpBm@fFh~}wN6rns@Hq{`l^_G^k
zXKC%FYnESjZ`NVs+mR16JQoI8YGG97y9F1XS&<9t&K|UXROL%nE*dn@7b_VU)pn=(
zZO_pw^bAtqBr(-vsb$d<t7c$_2~C)9#~faSg2yv!ij%#ZXKqVo%Q}vvHQ#&`%IDAz
zHAc;obM(Jxt0onhk#c1vF9rpZS$v6AHRB)|ypW4^dd&B73;!&e;m3reK%Ij7s^rBM
zo!H6XYBoB*inw2|W+z44Q@28rVS9j&UIrPVcy4bJ6a$ScE@hvuWFZZcu}Xwfyp^cf
z#ERI8>&(Cy2`!p^5_v=ht0cDEy(U}vwq1;ad%wP;B?wvVRV!?<AjluS>%(wEuZrKl
z#{bN~3-L2%o6dqeh!;gic!cy5Y_Al~i7Ir*T07--o8s~y2N7-XfUrN-rbGkpsp~iQ
ziuwUui4}@b#2<-fcI?-*Dqp^aOlHO4A$>R1ICJErKG$N1i=oP8k28i03YuD1T4P?%
z3apokQp`+BSI>2Qvs87l*ep_@^?S~s7(ORa_7kjjcduKqy!fM-6wj@8rdi0a#hw*9
zRU%k13FeZUOKzqPcgC3&=>gGYZZ=+Kxuh_zFo*SQb1s6_V>NiCP@E@<#i~w1V5})b
zoHmOK?LsV}4XBt@Yjl_5+Z>Z&{hO2PIWUicY7Va2Z8&HJWIemExA*HYh&Ldups<3O
zCQ+e&eLdIzY3jW=iF2;8vLcqLQd+fK+v4UYJ!W>tZo*+IMZ&(~$7vDaDGzyuVs>pj
z7GQ*QqPQ}v(iOXv{R}Kt)m^G=-Y%@m(X3)c5teUl$jk91NRV5s3a7CHt}>jTR~toB
ziyeI``QA=BF6cYM`n%kwTS63Oe}cAR`JuSQlO1=Wr&zj5tG_M|Te2Vj23om_o=A)s
zHVYN~8v({1hWTi`u!&IH$>u*nmco;>jm?pq@hWi`xRnwWlHdDAibHn@VTSr3OS86=
zifei**fp3EMX90!1-+1No=dG;_m(M{K~dd?(?FxxjC?XU(q@Y!(6q2$l_hV2=I@UM
zpZA5$D6vz?-zwq%Cl$M?05rE#LA_r-akXd}^>xjBcl?gA>^IDoDhIU`E$#66DCuN3
z#=4(W0Go;(FK<O*czy@z!X62J1P>xl>;AmgHBYh=Or#RmVoZVgC2$N0iZDL9lU3##
zn+BpieK9oJLK*8IsbhId(-7Wqeiw^l(H^na>aKwGFWfUf*T2+V6fO1J{;&kO&DD2A
z>MU7^>k5swE$Otn(z8_@PEe-B$C&K^S8-%wgZHvvc11WJw+j|>P+DGQKy#N`6ZykM
z<O4qt{gw`HGpdaY>a&k|X}c<Ed}Azi_2b{aQ8v5q*(<LeMzL#&Y7^i?KR9x}5ah)C
zn#z9jL!6l5WtUwIpKq5RpYqI1W!3lKn1A1<0om2GVX(LZ+L5!1Hi3LP%s3esI-*d8
z!!E$E%wV`K4F)e-jA>geB9lCEgCC+Ivp$%wwNEuHHiFI7({C9Ga{A?4Q@%=9RN2cd
z>)<MoxGZhVnK&nus*%X}T*}4>{E3|t3efH-86$Ai=BnCH)28N%!E|w9TgqG0IQ>z8
zi`!L!tG!Z&W*iH^EcLl40!z2a1{?hwmp!6)sCj=4@oGUl#%skN`+6bGAMQ|?dK}F-
zitG8J<tkdEtEiJR*sgC`Al+EFSJ(~Vtg#A>azpk;ew!SxAVXgD69OHnvlFO<NkOR}
znqD|oE7sg;*+<_KO^m6t|E6EmH%n;3s^{wLnYJ88=u?~S4YXqsVj=2}SNdVgzM-TI
zOG*umu&|IUr&x%VNsCN@a!|N<$c2HXb}J{{`NohM=aPgu>)|Qia3P`bt278J*wx{W
zr<V0bs~x^+GCK&^SKpPN{yx@1=74333B=75Q$Ax_8J%lorr0W4-$~r9@WJoCsBeMO
zoi-@pai=aA8W5aYcQ@tP>-Jryb<<C>foVGv!8kGHb;o=R<t|ufGRHZ<n(`7zf^L!N
zv40g{?1Tk7Lv8@c##=Uw3C}<o$(~Rq?q$1tbANX)yA+BM7&mrKaS;*<Uwvf8EVfyV
zo;>yl%VE~sTfW+BCfk?WI5yF6sK$Fr<+HBasJQ%zQf-sqoDhS;{hk4QfivtMtvN~w
zssZsD5R{az>LGSa#l%Pxwre`#`zCMX%x)AnTsz_nIVq5?*Jx{8kgfr%?CvaCxV0D$
z5KT+2AvvV0Fg?<?;MR<5vO)9X#);XFG|X4y6tmbtwvSlM={)FPeuFrtQrLMUr3w`#
z&*LhkoV9ecu0YNEF2msSLLOkJ<g%+GJp=*O*=i!rd^0;K6c6PPmdhDQR(qy{f}}u?
zBvVb=2Y}eRZVq%!Pu<$lU-SG`yE80*5K)h*BOFm%V;wUO2)d-}u;sIdKC^a`?~=~W
zGJweLrPSLR6vgL0d$3TBC)hWy^6YeoKe4u$*T)m%r5oZy#1G4yKg2~ci~b7YeghNN
zjRK9j$^t6)R&B3dDj>gdhjmnpG<2%<N^S{{)Hd@n>n?KQtbNmD^s4mFy95bvFfA&q
zV8z;Tk`B+7654uc{&2mDrr~}?8I&u*IDBO?m@Pk5vk%G*vBWYJs#zI!RiC$EIIK-i
zN;wO4$V?qU%R-DAS8q`mLy4UWXhOlkZd%61>C|NC>y|=mPA^RuYG$O><!q!lzexQ{
zD*o91X#-<BS*vUMpyCB(W~h|9)an_<99$DCNypr14&y|)Ke4))gaAL)%uK_srQ1T1
zPz-BK+NljCEEFS=6~n};W+$*A01iWBPaa#AB^31&#Tm26UVv3yM~*dNCwC!M7DPTa
z!Qis8yJtM@rP{RLK+}BIJx0_BRVQ4}NamSAQifI1S!I2!&J_A_-VjosvHSazh1Qzf
zH>-B_&*q<`v^kkY^M9_OUANdKvhw0UJ&Y{z$5Zg;{Z`8<twX1SgD%(^Qxg~1@3E2H
z6L^}FTCDW@0E}X7o5!$vsk9sHjx>YS+6nLg4XAOim)i6iX%X!MrAyw~25~g_l6?EX
zcERTD6jDZBt}{wnIoNgrZ#+NWea!Cwfn~Mfx^VKnAWX}BmJ@xaQ3l)P-1rSyW?k@j
zkm%E_wu1bCz?(_KgBI<U5}D%|rHqo1W}nsqU(pPCJncvVM(HSmqcwKho(LwZilOoq
zUAC2iP78@^b{mTZ&kxqPxJB{lN=D2%zpDS#gP-fSkBLSmt<@V=43!$wt~p<nDVCT*
zBgEoUW<_FTWo2#vX~jcxxTp{@&BunuC7I2SrD3Uy3aLDU;*Q-nb~N+jD=zaKOZ`{1
zE|^S@rsIR>s(2hm*KlH_C+pX>)$1^(-M4<A#F&`HYQy$XD@Nux40dJd8+Nu+Gng6~
z2f1F@YCfT^&oML()X*r{gj?3E{ZheSgSBpBN`qa~S;bQM(p)|QGa9ctc2eyx%5A`M
zty5^fND@a@y0cWhv)U4eIVs*t$-{Eb8FwZh7jy8aWW1*-A51Z3$~?RJ<Zxfp<QI5|
z#{TPDEEN<6`-G|b&t#Fi@06QF2Cyybm)QE2s}+_Tga=yIal@cmtr3dNSClL17~^^l
z#KhoAV57FRHr|wg^sRvbXQeb_BV3^_5}ESkRjO`dKpkb1QMDPQTeS2~vU2s)xq{}G
zu?yOs1>5%b&STKBS+WxlB;h5hsi{a_oFBKBO(fQ>rd?`#sn-I=Qok&=)@&|ez@vb}
z*MS64r&(%hULo9c=8Qo;nwcw4E~VMBb}Xh7DdFp}WKIZW=qaX%)M->{Gs-iAmWfmz
z56vfUo1#Sl;nf_dTs;CvgIL6?k4Dm4%>n8nJ~EHhx*oL6cG8^n<~iplMwVya5zA{2
zrfnjnC{B`5yz)toI57K=*F54y+wHHa%W|$zl+sqa!_2SzL#T8?g3*XoEEss*?y4QJ
zlPs0ZZ>FW%#w=oWWNB0vgfE4Jh*~yl$A*x9Qo-rl>+4ZHvx{p6F{@h2E2o@1C4+4R
z6$5h^J}VYPWs?Kzokq)yZtjqaL=eB#MCxlRC<=-#^YSfr*~XPZicNQmG_a#dCl+tF
zXh1%|dKo|6+28A*ES1<gz=>2SP!BaYA?cn-Hf8o^6RUYnk2>PM+F5Fw@S04#Z=aUY
zql2S+QH~lWCw?jv=vLZ|bbCIfu7Daxjg(4wrmEi@t9?pJOf=~_GHfq?!Pt5QR}gLR
z;8vq__o#lsaj$xqJ&4m{0ryEeAY-zq&xnA0I&IJ15*NfxOm6Hq?T^mkAC*>2n5wI;
zxL>KOgHbYwetFN)U<gX_0GfZqh^s6z*9z4QS@MkIn@|HkUx;6zM0nGg89iK2Pn68B
zDAlUhfLWT%r<v%P(-g|Jq(X+IRIlO>2Rd%4qJM}f##GwPW<$!4h)-fS;MegvXf>K5
z-r~3z$%mQ$aD5IFSWI41S=&0)>@SPKoMx9n%l>IwbDek2+YQWiL{%-@i`Rp};5nhO
z7}ajD`yz=_f+0@9>5MK<L;|vX<whfRX7FjPE>H(OYm>-jpASf*$_69*OeVj=`yPct
zP>m8dq%K3dp^Hg`^ILI9O5oxjrTe+<Q0@FFl=<ukNXq)MNe+c6EhREQg(<~_fx*R5
zQzd<m(H4J?(ViIiH;vYdU@Q>X&s<W4ifCL>Qt@1Slmp#R#fVYY%vk3syhqvpa0%}`
zjrOSKO!-!=?T<T2auE+tv3*`>y3tx}^;U*l5Xu-jEUsj&*0HIHX=0+)Q`|xeed@yH
zCluODnUu?F5Ao9PaxJjVD49x;cb!H!b6@0&N|SqZrN5M5beO8+i<mRg(I~I6k@IpH
zG254Mz=wXb=y*sLv+RnC!Tmw1Ino3+>(cG2h8@I%uGfqoB!}V4kmSUPlipe<FVbtc
z*4)8NohOnq-y-p;fMn1)fE&tI*e&DYiL$xo4_@>tx(v0iVspJ_)c#(6;9<Z17KT+`
zP`Tnh-qC2?5rceoUY|%9F;dq`KB7Nr1`<WU;4o0OI7JX{Z2QD?xHNSsjL1FEytKaM
zQh$va8*c&JW_IM{(3I5p-5&}vkWPobk{Hn<L3AO~)G=zN`XPT!q7&a%M!<uNKoS^?
zTO87@g=i#L9YHL1gtOZNW){=d$O-IoH#o0K!7y=#sFCE%K$z5pX%+%xz>cT#YvD6t
zQLk{+o$6ZUH|-D)8S*=vt%kI1Tz03Kq85v>mOcj*$@}?L@OBd&Vje22Jt69LASzi%
zi5_D{^Dykid{1g8*Ab>#V<u6Dd?379s&UY?bBocqL@{a<EUQUvF(_EmEL5rfww?-1
zTDy!Y@fX%7*hkJPHZ@j%2AJV$h~vzzjc&83`bl#mQWU1G*y$&kP{U57F5Pnhot_+P
z%nM<4+Cp=kD2MgRo0^Fol6^>viw_H&NZi>8&>;t-p7a~787TDoIU&8^H}qX-Y}x2d
z)+e6H?1q=%Iu;%28Qr-_)>)o41aR&!w*b<5GK^AoMXM0m$6{+8jAhcYFIWxrXQ9rc
z5pF+8zs4FMebtqyP-RngW698<%p~DyU%s@puOX>><HYeQSe0Hl+Z#F3K}L%Twk#JV
zq{<lJzLrA&03>662{XDf6&8A`aQfMIsW>*R+MFc*>2lpq!hQvQ-Kw_H{V|eLMs|Fb
zT!OOiXM=k`&2SQ|tJJUqZ(<Z_l0=F5u5sHJ1cuBVAE(Ll3zsdo>-JSaDEsrdN`oad
z4H_L9fft-}pB;DR`I_2jeyf!;PYPFq@2ih4qQ*ktVF7}8gau80RM$tDM31TCZ=;>|
z$>S=THJ8R4+@;nsOM*_-)dze;_8ls$vx#ffWa{vl2auGK=KUeG@H)t|kw`9t?_*$L
z9I+`kH-|F3?P764HVH@~w`Og05_<-(0tbq8%y@gz%$P89Rl>9kY(!c~PIHZ?$BFF5
zAW2S3Jy<B7{^UmN=AX@-QSwoVTrGPCnMO8VU+Nz7zS^VNE;mo)EtgA`Y@9i>wsEh?
zqK23lx~wpGH$vlxWFBh6?^r=NFg5=%g6=bFv%noM0z>jI7C2b)0G=Sb0}nibEu5m|
zmJBN!hONa+H>6k|ECafs-aqr$VR;4?^_dkEHLt3)@V?j*RMPrrfT2Qz8@D;qqo9AG
zlPB*+>cJe@*DWzbRnM{D^3Xm!1)<A6Ny<<LW5hP#1kGlp1V=@BvC}}PD3L!j%mL5O
z^_HC&ttPoRDb+ZK#jce3bGyu%F6}fKw`dnV>)*OzH`kiQ738Zd5QY(8QUm+c%B(4(
zZ88`_YBEB7gi0Mee@g3#TX5?5Tu9$l&T6h9QR!S4@hM4BL*uG+A|)|I?wqa*PD&=Q
z{2E6c=2hGC#E8sv^h-sr^CTwGL#dh?u{1XYCMN~2woSUAvy2csjZ!RjIE@n9loC6Q
zWdB!JYCrk1ufRX`2D?^hMwWbMWU{)_c1BNkf;EZy8%JmP+6t4j$Iw?#^!>y#QWkZP
zf-_mgoR;DUJ9eLuOt$?vAmWNwAONa7{5*|}-)YeFD>AgvuYDrzZQ^`6d(fAZy~~^g
zNv4eXkc*6J+962b=XYwRb*mNeBde;e-+#4nUpDU)o&q(F^obtqG~%w0vQnM6N7uyu
z$P!16&KhhczeTLstj0V%LrvfLI;pZ54j|lgiBvRb5$HuA)?GJb2-sC8VC?G!vB>I>
zegNKce|$~0w3d)Uk9xSVX~-_h40A_D?DV7ur-H^9IMFw@3AuWwn)FV7t%+Nd*AhB5
zUSVo|O$TePC2g_mg$&<ZX-7Q~H!^+0eq$Pw;*~Q?GJQJN3l*i3?Eb?Ble&rcJK1x~
z5HOW)5&T$J+kH*Q*Q69L+@LE&xjFzXJrQKT$V14ZzNZ@<G&e>?+MS$z7-$hBNuISW
z+%i$F<8?2t@porr*DEz!S3c49>2$fAXba3mzi*S!5b`ULA0wflvz_J@tzn@a@9Y{b
z@9@`tp&EE58?&%c8Eo*v8WyIk+21SOEW3TJlO=<t=$A@16f_p=2eUQKw(6Ij7uoy8
zQRs$l6bJK)p`Ov%iY|dhKoTFzTvi^%ZHZd2!gCZxI~?69E8CiL^IV%|h)uR$nb>dE
zI)?=cwigQbsrh~~bl-eDd>@^GVtp`}5)vGGy|gY!%wy22qSF#T(W7PGbWoN_WHqP<
z|I(}{(xqf;l9;Ewg2NF>hYtVfC@_nXIz1WAP?8Pe%x5@Cx7XHewJUQ=nFK0_irNhZ
zf?!>#nnxF-^aq;$P>n|O?YU+(gjEmctRIp}$AnXd@Tn;hXJuKOOd+W1lv>oh;fW8F
zGVbpD&@KAv!94jRszhW0ZC~_IS|s@TFym4LtUP2?+D7V;au6M*z$RiXA3Y_=;&Ix6
zi^H!C`$o7#<<o9yL9E2_q!NG$N6GPk=Rw_T@}%od`6k?V-}Q}HL!Nuh41a$@B|I<t
zhL&}bK6=7$!P-IrA-pIblo3A}{?sC`gQ;G|*~Y?1?6zIJ(okG=F&;eoPV!i!6o%e1
z>>5hzq0fx{JxE`4IQwD*F|0(;^%=>(uLXGRY?qm(w?Uwev&z8ZHe|P@TbD@9{jg+V
z{Q;nk{Gs=P)3fpED$6f(h2L14@xuL8>`OgPsoG__cx>{KLKjkYdswg+ktztxA`eGJ
zIVd2sf;p`6vp$+{pVqiBn<EC*w~kV%qT&8Hw5)2OVZ}e@yNP<5<JY-rwNIVtma0Pw
zWEOC@<jz!NVjj*4Ph=LQrfdtFXoBOn!;-}r-?(X{Ec4Pk9}JKXb1Osq<7|_<Hyb(Q
zX)|BxKSx0&;lChtCL7hgvIt`M=kI!Le~D+Lkq0T3_|qjMDA;S+^#Reb*T`i0&jBid
zKeLx2i=?TN;fu`M<t&M#@Q@E~6!oiy)>6bU_@PS*lJ9BdQj?MA*`>G;$$_bWP?VFJ
z2b#}19SC>0T56N9jph{+L}obCA_~<+2rUyPLYc6c2tK@cHS*~E969h*>i9pEIbcmF
z?xuK#i5`xNP`=zFE#0i)@6L?32#4Io*aWce9=|XCO?@D9B<%IOwb^}I^}*f?#@k|R
zeRKgM{UccXqls#u+?YvCmpqzzADNlMAvoUMVqWO|e6Zs_sBCI>%sV-B8`prQl9)K#
z!9~fu%`|CGUxA%Y^N{00Sf(aw<<}>1^Su0bP4)V(gTDgWU{CK#{q_*m2LR{sZtq@Z
z{F-X!_*-Yx`%KrIkN@ZLop@218>90B@Dba$Rd52B%>Ur#rh0H<!@&+mFgkoW@M`b@
z&?wTffX5SsHT39$Se+$YFGhZ3tYo5;uG%7tSBr%`n!vX;g{tznnP(Ml^^Yw3&s^Xo
zwj4-Lf+7Kz;?y?Q9wfR{ucR*S>Ep%~^*2F{fw|P?;HGL5ixfusG6vT-v{EuQwjY6c
zU)jthGBYUeIXGcd8)*uAd!^<kdwZwnSt-fy*0UlqfZ5x*+p?B*!2jNw#Ir;BTV?e%
z5_<Px^)@dI+nZ+A1RqK5gx68Vd4wdup)H`&;rVrXq^cdmSfQZ~rs_gwVP7Wk{>Sup
z+R7DyOPZo0Q^e)*31(bsX45(XiDZ0}3FI@We>6Xt|H*2~e3x-)%8v{b<A>|WOhe~U
z$y8627sW)-Lk6od@liNUjuTPu;g%-L+n7g-eNDQ;<K_G0za)Tv5I)F<IssxAPHU1u
zKLAM`DDf={Vi+usyRF{vdN%*8dhRsQEO5YxQcmGKL#IrR(<)i9+fpZ*kP3s2wkw<=
zi7YfAV>p?iUZcD%$+abkthq4nxb(;o(*337vsG6y`w4!iR4&Uk5<^b9Qr)ikx;*ZP
zav)fWXU-~qNR>4q_5LIoRN?ktXDC(+_a487Cb%SW|M;=m(AxROY=K2#^q%O=I1(3;
zB;R&#x7)rv>+=tQl|eq`VEhoqO)pFTpH+he!7nPG>m<I7kEWiFWejJVi5h|JTXwEn
zBc{*XiQO9qZ7aW?>e@xgQijl2%DahItH}%N|JcA}msos7sj4-6mxF5CBqRO+SQanh
zu{hN~DWwlOg;>J*qIRZwR7!G$H0}Ly^c~VuvBj~`HTaq*XDHJR%C}9kOrxgb|5P%b
z$3fqTfTR15_7LfYzO!jK+3vbGbFR#c&NV16JQdQ<&XW^-*=Cmo@6@Q0W~Z#za{hyt
zO_x$HK0zm5B79{TLM%>>$_m5^j?uuHpJ8K(>hLsyWhN>ZTHm;|^%LjSHdc#8mHD;v
zv!V(98*g6~6<5<mNwDBf<L=N9w9ydU9U8iEXuN?S!9#+(yC)$yjWp7@ySqygTtgrM
z0)%|S%)_iT4>J${`saJ8Rgd@9t#j_Kz0cY8jN{UY$xQMQw=JZFRJ3%CY=c4Ly;GGd
zGA2^=TWV_n)@tDQmL`%u<5u}}-Wm7w*4LJKl>3}b3K^5sNnw*+DO^eOt?EB;G&zF5
z5vx8(sIZ#%r+iZXH<P~UX9c;T@b?VZ<?Ov(IzI_8%m95`L0Z5)4Ts=jx!c&?3kUZ;
zf`o;hp-NYZz<}hGklx-hVowo<ueMz8a~wE1ZEd|~27=juC<2$59?c9>xnf-F>XW5R
zUN>lE`=K=!k`F*Ok7bhLdgdWSW)~@Tdd%Weh9xjV6ccJQQAc-<B|B(bsM!F;6V}WW
z_#xnO0KnaIQ*Hz{bJHip6CC|C*Q8YJALibT$qk!!8U{*U^~PLP{d?OXtB-e1gZ*l8
zvdYvVZ_kf?$~OQk<e!U~s<BV`IaRBd(B@eZe&{0lc>fF1VN<jYXlw(9F&cHQB43^s
z=2sO+nqVq*tn3(Tu1MO_l-A{RxCS39CTH&sjdRusi{=*!MCrk&_U$cKDhMTx^U4GZ
z11iwv@@m+Xc}QF@Sz?bSA$sDn`ZC|LcK%G%^SK$l3C$F4DP&zL{Aa=jznF7#c5shr
z*Bb*+g>Mv!-#>R{BEiOZA#R$}b5OUv()d3KfQ<hLl(il=(xb-bX|gyS6!t>ZBg?i8
znFpCs+7rnQ9OPsz6V%cq1j9k_j9N`PR}`606gZr8z1V4VlqN-9xKQJ|#Lf}P2VuPI
zZUS^H^v<4v;Q4fgE3j?1c)en{XV;ivVv*STU?PsP)iZmtQq`)EPBunKS@o#euXCZU
z_NkxAJwt$4-_P9~EjC5*0d371lW(#l6nn$c$#D|VIpEBjKnY2FiXZGbfcSwIpJ?jr
zO1^(O164x=3Q`Ux|6Pog`0;KGHdHC<LwnX=s#K}Z5gQ3)vEX9$fQP17)3F`K@{FHx
zW7Kk6q&Vd^&{<lnkqDC!XVY<{X+F~nXCDUR8@aZU#-=loo+J;f*_xtc7n{aV)y<;W
zhNhWy5zNa*Dr;ipW*A{Twe$Su$HdEGzqv_pjuK527hfOO#O5@_{vE#*Zd#GfxZ%%l
zMwGhJi<M-fucg+iqz-6nzb4wy@k!urZueNs5tp~I5X7`a)B&QPC1U~r`ug|uJpUrN
zv*kRRB-s}lVE!e@Z2F1RB@W3EPpyQbU@rzr4GoQ>RCO11=`YT$(#Me4*r2XIu;-fC
zCL$ns2=H<^zjJWFb6v~5ZF4X~fC!0N8Y@wF46V?KIw<;$>M%_yzZCuFJk|k8Z<5l8
z=CiB<iAgGY(N-;%;yzi1N7%g|m~QuCk0L6AZ+mAWpHvb1je~8j(+mV>OEiN{q1t6t
zUidS@Wv(z@MLi_;*jK2i8L0Mi(3m+B7-?_tA0e6lY+<dzer)cDB#FQ?lfc78T#YlH
zSQiARwlc3+POWzJjuLN*Br}nS2#{xvWSpuzEsx{AGhuujB#Kf_<-+P`r|?q5Vuhg_
zcGpcz#}>O9FE67IX8B7q78o_Obs@j|Nqq3WARGDJ%RH518#bhFfx%x1zdEiU3pn;-
zL^%@I$W)DgPt~d)?`>!ncZNG#$90k>w!~==)^Qsxw!39ItKnoARQsTPH88wA-09~%
zoMH6-9OM2i`rXQ>D)7Gue&j)bRyBL>xZVgk+m+R{H?rD>D`W39=0VhIsh-?CERaDL
zcSY#B|3iaotWCyB&S4*ZE#F)DK@f{r8n2;suNt5))N!Wfd4;HD)0{PQ`P6j2>Z|XB
zAsnV=%qjPoK;22JvA4o$mRp}nEoBH~Z6ePqY-ikYB!D@VydrS^-Ddyad)X(cV5I=L
z#>;P~Kt6dsMiI80QGJk-%WUuwUBl6zGV9^;cFWl4Q;3f2PRRa63SK=r=Q46?Q>hqp
zeO_djv?+CX<Mnx~{{iE_c+wg9aZz`D=7+@j2W=?$ZR^{)tDu;lcje!A-Zx&bTYgDC
z@!L%yeOS3~y}Hvpyb<2L8u`-t@NnvJIVtlW{jB~o2H~yr>0=PXnZm0}D=Pse(YHlA
zGJl;PT0fjU6yN-LZ`ea0lDyrsG?G1T^$MBIlqLH(^5u(Jbke{1@%g@eu{vG7uqFKm
zE$;r#<L>j`E$QJ;-L1hVT)#!tvU^|ndk^#7_1{{VZiBnWgw{XE+wZb}?>A+<iT}l{
zWkq!V51Qpj5J~bMla-0+DJHJg<X3s`zH>du9(DCFEnbW;v)$HRd+uLl&z#wh>?ikl
z-u~Ovg2r#ZmHQj%)rj{y-QDK0PIoT{1O6=BdcIn_RX+dyxBQ*tGp4Th)yXe1y5GYD
zUIBw2l6$&ai0KC={yoCR<p0iow7+;gaxHy1it~8-Xddvk^ydSO=N;@~Gx+iPUyki=
zhU>pwNjEG^zw7F<iSuN2JsIDNK5pvX1pmJXni0XPe-Gnl{@>Hj_xO#=N1Z=j=&zpK
z4ow)Xc;5aUHh%|sxMg}D?9M0|{U04M|1*SL7ajb*4%QW;`j_u?f8ZcFeN*+r)GI&o
z#}9A*Kcq;MZ*pS*$@M_1-%H)gB|%`6(Zb)NxytTuNy@N@`iJ)N>~7UG$93@l$MbP{
zi*Vxd>iF2b(~pgdM;_QrH6JZJMFxRaBCAR$$d4pLnbyJAbQu)E8%N@8WFzyIjAPV$
zPfeFsvUCjre~?U0-Cf}a|DcsMeW3Ror|tT$sz?JL2IBu788Q92*n9qW2h}6aBzX8^
z=O46o%I8o0`FGF$L2Ipf>b#%u`v+~e_DO!R`0x+fSzs*Fck+MGE?+!#YcWXdCOx5<
ze_Pf1uP(y>e)y~E;m34`#h!t(M*s2`O7nw&)t)j-tZWoD2ip^=DB`w+ehISoQt|j=
zt*f5m^>y%rlQ9W7Gl6ZK9PZg20}_<6n7CB=LSoi6E6}qWXa!HMJOvu%-SutV&S!=$
zBSKn(>R0(>uotg_&W|{l$T_fW--5r!0+fGxzV%#6Xi@!fSaVuxP!W?YZD!5%>NSo8
zxS<*mkn7&mP77VZ4Dg>eeN&DH5K6ombsZQH-H|VdRBXq*T+qX}LK-*LG`bKrZ&?mF
z+Q2%j_>IfYd4S6;6$k4V_Kjj~d6XXe%m;;97e5UMsC5XQS>u)^sD8qyIN7j|f5!Ri
zPJV3%jr~GZXBlsPk6=>DSIn;6PCUC^TY!T%=y}pF(}q@4&9L#XFr3w1BRce1VGcN1
zJVShD#kUAjb1h(9b2Zu$sr%N$p-FcKuo<gHU}v7^O>qCA6xjG{Xh`1dMtarX5iJs6
zEh+&4aB0BuUQ3mYZ`zgpeFdJ<K?@(w(EZ}+zEv>YxF>Bvf1i=nTy~9l1N6l=oui61
z{}NZ3A9T)d`RrVsw2xN9D03JJ@?eMonyqK~Y5+p`CE<jm0hP@WsFuP2{c;EhuJQFv
z0B6_6S!UjMumrK)0=4Fln8P_K6muw-V~4`$>zG@_6{dE`vmenw=JgA(-dmr`S$_8e
zqAf6qF&^G=4rNqrX>-m4qPRihrA{Y#G?&uXfdfLfU~4TkN=vyiA|7Tk`oPi+$Wgi!
zm}*HFCx#@X{x&~KJ&s1`R}*(x&Wk)|gjMS;DU@A0$hLe~9v&r@QJ}_^JgH^zMxc_U
zG<6_xGD@v(LXKLY(`&X=nVOy8R_s?$Us(;s$^$+W+1afYS{m5P`Kf_lt{lSzO&<c~
z?Q-{uYovJ*kp7EDtSF7$OOw&FdYC(i(R`%N7d{2sF^fOpePlKRGRkdKCk|Q?_Dki1
zbUP6u=IgF7-r#_SRb#Rf@*D_@#a8EjRRMVft72N{uGx0t<we&kTCQpze78_RwVbfT
zeYicO#TljHY*S6^<NUMY!dGO&sdqf5e!{fVULD+E!CV$is<=zAdJSB^Raq3{FZ<*b
zi)E(YXm`0(q{-j3=c4NNrX|(MZbsTnHLM_JLBL(aw&Y{si(E};e<HTEodl_3^Pfao
z;tt#Ooidr%dZQBjoZVtJiM4Z0CpVl#fVl6~z1DXc5E(am`AMBB<EopvkF5>-4WVAs
zvk<pYE^Rni`xK<4-VLNKh?PsTWiY3C*2$pU<o9==#tfvaQ9wxR%?J8I&0E1$A9Lj|
zm>po2R0rXDf9W2TWw{hh5>*<*9Xc-abD}X&mS^WzPcnn}^z@o>g`QQ|r(wxo_=LG{
zud#fw(p84@o6iEf3Wnb<#U3z3+Mdf0qv>PIb~z&UA&RHEUe^6YHNKy}9f@f&JW>`%
z^p_UqTXna&dWrMgDDRtH4~(wOnVMakyH8$8UafH9C)vsRNY+VZ2Cf8%k_kriE7uZU
zLe=@sOy{o=aoKIS%khxXb?epWoQKlf+TQ7puL9O-Vl)r4$Tp;(y@!mRs0G_(!{U%g
zfPm8-alA(yyi0l6?cAkPJC5X5za^qZk$w?p9cJTp#b``1cxAZ!ZAZs*$YwLsf0Zbo
z&-76$LXKXE?3d%0z{|;TIS6^kX*Ik4l#W({g5jD?)^^8?-H0xk_CO(#bf>-4RBhk|
z*XqI#vv}_-#hhGI>Emt=nC0<n_Xe)+=;I#M8>V24Mf&n^b&oYsi@N&Cy8Fs4RH@Ui
zyr_OH3&%*yf_ji1{N{^YIK$#gD6JsueE~wQpsx>EiIWn?+9@h?{~mjRqD$9(;Z6P%
zC1t>Ccqlsn(6rPVt^C*~nf1jT>!<j#`8t@ry~^%_gs#PgNki%Nm5XwU$6z=e)bsuV
zJ|7cR2h)U?G=>>HimfbPoIz~4%A;VsjRvN@8vT72)b0IXf<aM&%jDLQXj$Y%4U8kn
zKAxxCtJ+Oey&A#zp;c(-H*}rXV}qH;{v&OQc^;Z`Gql9^D6E}zl>O%oDJ;LonF=N!
zx%f$f^26*iO;Zw~#j$EW8#1-#thdzG;dtQjn&iWY7fTy8Jsn%NKLgsnuvq1GP+2RK
zcIgk5cF5_dEGwU9XPxxWBA8_5mcpAoq$Vq4W;Z76>8gDG+}LYkxt=|6aArj~h-e7s
zSf1gBX&7V)l!w=uVU8yTk%J)0%vTxQY0pVRHFU5BhF1bt^nQPB2T#zCR^&f+tG)As
zSxyH#p`Z*6UR&DMaKfQVezS1_SGqTmID<MyUE_0zImYYH2WPI&J>cgl3@w(DMQ!j1
z?q0k@ljD#m`fL!%@D@mWkmN(ET))~5!#Fwn4Ui@6S$<`aWOPWy+13~gu|Kv|zjwdB
zUDgPcdl^=`-0YR}C}L(+D4bjSGGcs*Hd<u>qw3e`YF%<%Bd>C8bR2GwsIluc2KW%O
z`97SS+AVQe@TTV5_&bMb<@F-v^K&(oiHZV13u+V2{VTEm<C)TOV2yp6MQO|DB{%&w
z(kbWWCi6M10cx+?@h`$8G0C(B@ZSzqdIj(OUT}hR^6`UfS6z-<Iv8t8PNlo-?y=r&
znCeXsRyz1;=vyIKS(ZnFpE)CN?F6HE)TK;f>_<apYov$<W-c~N;reF3g6Ca0igRc4
z8E2}5>s>dNXM^CTkM>N?#$!qC#>4LpHfLCN&ct!})UaUlbLWHyWH@L-xqG+1JPYfR
z=!Ma0Q?|Eyn?^D3W@ztT2h}6$_!jU2Gs(@0zI<6dH(ZINgy~hcA|2;5gVAR&bK(oI
zgBzoCF+_(Ve75@o(n0K;u7<yIs-2zEiWHTxBlqqRCRv#|+VPxxP?A~+?H!ak9iNuA
zqR|cAaQBt7hZ;439nnBUchVR)-+iXSSXm@d!visQi!Cko+-rV)??W)#8x+NZMYhVt
z2PS8b^Nr;Yb~>yo)oLC3!TvnafTmcyL&`W2J&)@oZo2t|Uktj8*od~919pIFP;RCH
zZ^h1avK>ElgqpOl)UDY0z=9!v0w;4LcY23+QxH@b^SdbxmGzA}I((S50up`5fl9@X
z{sVz^tCfpEJ!Vh><;9r5&vmRf*js%R*W$$xmsG{{Cq|3663soGKufMBQ!hd4dHp1P
z{f`XyGlu-SH<?jhhwCur-o!X0BVt5+*_*`SA2ia!T<02->ZjXTGP?^uI&SZ;lf$=&
zT|>UX_&r-4I^Ram3;)K))o$O*hMlju1`cIPn$6z7so3q$Px~I@H%zg+hAq6{R7}0*
zoho7QLSa+c*=y(?rWH@^tk3zigYCsx7$@djJl-?Aw811!d6K-dx^(cJ2}&D^B#S1L
zpX#n`dK*|;QV;pH{B7QanrrK#S552Or)Z#oCJ1d&(sx`gS7k?82X;pGJiOwbjc7L@
zAhL^Uk)}<OvCQ^VRBTs|h;<??(@St*tW^}_*j!UAcMKNwN7AdFn}B<)s6cntP`7Jn
zC3wGT_UJX^LqpGyuF6Z)XHW=un*8SPK+DU}F6BX!!Z*{uMDi!RwcfT??26F^8QF>R
zKAB^23^u@N_F8ynT#g7|y`OjUS~}EMGS*cancnOFwR&PqQL-^-xv}~z<pw|;I#Rj$
zqCtJGa3mvCB%9KJvBrqTmZ53C)7{FLxC$=9*&$AST!ti24it4VwGksEDp?uFsNEI~
z%gB@&+)oHKT9L{PFk|smfry5R4PpNTStM+Hmkrz?U}GE1yF3Z^hQ5%KoAN<Mg1YNg
zr6~$4k<COCSsBM&3YCgoe2udyT?oF+mwOv7o%)h0e;2&i{di|8=-3IO{mw0Fcv%CD
zi=8;=_zYpD5hePFo6oM4CkUQQ5}g<49$5xhrS><y6bLj+YXVakOIoiC9)MZ|w6BRi
zG{57l=asbL_kv7pJpW}>ZfkRt4a&7lI&$mg25`T4;~y!pw1lF&UO%@B5Lc+B7=_0|
zWX`OW63z^xF`<;VzHUL9Ll%u%C}Uv0pXT~;4?T<VX!LrsxvBvX|B4c_O?zSOIjD^r
zg-h{PdX?DRn%E1<y71BdT;z1TXIuu1B3~&O=s#%BTcuBu)UqY3o$xhIX|iU<HOyUm
z-W#cOlXfQ(tyA9y=Z0ZxC$P#*;0+S<ggiU9Mr>gpvF-LMTXbjYX{wPr>b-4Voi%DP
z8cMbbvR+zwiCzlJl7hP)3(*&EW(|tnFbFOO36F!9f-q;(b~$R={nDax?dp%BvT)+a
z;B-E2k0oRufJ>(<8TZxN3{}<H5yViVNfg88)Ctw?cT8p;eiurW1;$gClG-9Ct{P~@
z{PaniGr$#N<iSMeM^~aD3>wzG=$dhhYhVP*?ED9f)fF{lsKBR_RITfQYF;Dsq}^_d
z)mJrnN?%w@c2JyVw!ZKfeUFA_*`CYIrflQ&Vwa^Y&SC1n@4d)p!8T2>wm)*N@<&0+
znWbqn(x}V2Kx<bW+reng7`dm*5n_}uNFT5YFFU%LFSAa%AK))o)UD5g2s2Cl<1Ve2
zphJu?2*b{!`l?AqnpEB^I?UANl4=)wXw$V+=c-drP3_*Gyag-f%~)=$ZNGs&NGX$I
zsDG6;vX<6;YJ+w`iN9;xe9o7lf7Z7~-e`=FWxHJiLp$%F(a;jygYn{adX)fK^JIvm
zWylY)4X0J!L2ndh6~OJHvayufG~pL}H(v4e*CKD$n7m7Q>1zl{6H3+BWzL!2!~*K}
zlVA=eHEmBc$@dIh<XIN!lQ$Fo!&r0xWAw6<bCTGZCL)<9`8ke4%GQm*$ZA*=?<8BF
z^$|yp88C9G7@C1W(t<aJCuHelUBsl9hZCX5Qg(6=#tlEDT$+>)a{7G+1n?1N&3HA4
z(#Y5;eF^|c$7jz-8&s1`P1z<8_d&>udP6ZI!Y8wWZunuV6T>+CA8Z%+28|V%;Ycx+
z!gqMiSkO{yVC!a#jU{#*(=$4uz~!0%@JUT_m~E=In++sruc%sO0>z%!$~AP7hJ)GR
zR5F_NabjJ}`ss+f2d^%t-&xJ0&lEx|FK?M8lH**3byya)i(~~jih9~p8*VTy^IaYS
zX!eu}k%8T^-=ef^(-frRaBcHi>}sCkriRY|!k5#3KVd4#@c}cZ&3vcq*ZpZ|?0D<d
zaF#2ZU2B0g^K;HVnU^*KWIoI9bt;GMdq{p;iNr4`=d$Rt_SR%9*mkKl8>{O>=i>n<
z0{uq2UN6D6UcHRPG8DbN>OqP`Mk3dPjiD%X2k{-H=K5iLcUzR&MK22Jzh_+N@~2Ph
zyobJdsq49J+8_I&SN)*;uVy))_dgPEQl4;lpZ(Rw{abFu`tjq`uTR&HKzs8-B5(%l
zIDQ`R6G-o^T0n7s<d`fMI&8{;V{lN*Z#6=LlTCVXOm&;n+Ugfa?z53cUzVKhm*s9d
z4xmDb-4FO6xB>smfh@F2y$WGSlglKs*R<JR??679(bGVQ+a^ZFOGjNvlb%E|%4?#C
z8kS|@I?T@pE9f=Iz#eXnVs1uYtE~?3grYr*WfRUJrOwTbi7j+sb+BdSbZ}s0Wedpt
z;1m;co11$RlU!%zM<2Uz(c~6|aumfc)cNrd#%``?8XWsF*XfKkii`srmX_m$q@l-5
z77bSy5V0ZnF_y((BS2$6j}(>Ug+Xg-+FNKjN%ygQyI#I=1YS)$?TibSqh29QcBg?N
zqp{Mq*KdOd2y%wlBm5}H2E_U9)jLtzdEFnDFq~_$OOG;dVwWrggWPVg2R|YR#oYxz
zNwUQDPBLz)IdIz91`sps*g3G5`42CUlXw2l0kwYaIeuz<mf2xkomuLliRDdg1%<1!
zH-1g0;wv!P{$SxDBx%A3nV*Vq%_dL4MB7{Cibins>$J}tFBXkC*DPcnoGf001B|=|
zUpb0{&{QWYA1*!(g!B9yXdvVR2KDMipD4to|E2yh#uW_P4oxYZ4D>=eV<aMVy5+@9
z`?S4Eo$(tjCy@>4crLUkT#=-H&vDk^=Fp<It$kXtf;e^>INI!Tb1XSwWYEyq!9lgr
z>3`6SJ2t)080SA0)_&R$gkqjr>Lg#OxeoSvC>&&W22EhRtSn9%sXe&&3EA0WQXv)a
zR7AVd20|SF>VtyCVSgrlyfz=!e|<~3e3|w6^=Am>!Qk6?3!co0e%jL`C0h`g*0VK%
z8<ky(?Zw!jD9idqVgF^Qw%8tbVF#tkb>JuWHfS(gT1aaKK1WTJ*K-VO%nSn#67ON(
z5y3V4QU7)aa+%K#qtSN#hrvlU?`3)~1erwtbl=xY90G={p<s>v-rdG~QxwpFtJHZD
zLVdWHHiGFHk%<P}65)iFCUGm8b~cpG$Rd;IJMOOts(nsXu7kAu`6#Ll=JvDjvjBD=
zjiB+)OKfQZ)nKFMa!qGrdFvb+xV4a|At(fC2MzU4B@Xy@r)6&<++2`|cSEk8%f)hY
zS~@<$t7aA)2gB@7iy@+MiXtJy!W>O4Y*~M&>wIsR`C|QDYKly$&4VMxPc@=_j0>Tb
z?iyK1F!z?!-G1PhouyAa(uF)hELFaVA*AZ4BD|Q^XLhEJ7Tn)`$R<C*=tJFSmXDg%
zT$~8xm2H?{+-I^gyx~sNsHz7!lM4OL9xq%u1LM;IUdBjX;#}3dHi#R|Gmrxs4%~4l
z>^QM2Sm$bq=1gppXAePLQmwd>>u(o-hmqws=dI|aXDTo8yRq4;Tc<s$DV67pdhe6d
zF5}qA?bymk!J$fnvGuHW%UIW>5lUkbS}B8ClS(S(GG0`Qs~KGdX>bn0AInODl5fH}
zKPi~ojLvuW`?!4qD2&i;CrJ)WPyjJcd`480*h8QSWAtlNk}l18w=PQ^I{j`79j0CD
z#;0PhtKAC+BlEIOR`qES#?2Ph!G0A}x|+|bgfYkpF6c5|f5(PPJPgGNo1uOFQ-;EQ
zmT)F#tDuiXPO@7-$5GazW0GHOxCGwUpCEZG*j#<aBwT*c9Zf_~K0`Dria=gGQ(&sZ
z<JJ8Q8(=TIPJZh{$C&gz0yK+0+Qab96nHjg3b_@wPyLugKblz?&>Dj)N5;)M?aVI4
z@{lAG^t4k(j=y-cuqA5(c~*`qoB1d=G~7z~Gb<z9eb1g1kijv7($~;GB?m|>+j455
zv)ZkZ^Wh{;rD8o3#<<RqpCq`9y(@cunv<yAx(7%`o=Ov8;MOR^`_bB|fcuT757*>m
zpTu$5Nt$03EW-;s&=OeFxmP)legvJ?_B6fkiQf9s03|gdX>MH0O~}O)EVEvEst-><
z$9-;PzBhponudx@bYCV>vm`0t<V$>I<Z(!oxElRZY*fxJ?gEe^@h$tksx==sK?Z{4
z>jjfUhLF<P7h1C_DU*l@h2%JFc|RZbA0f{7`r<A$5`6gH?emxSZoa?w$dVf>9{|`5
z%Y=@bNAVF<ajs(d%DlrlVG%Ju?%^iwoOP=!{r(~<wmb1AI0&qXO)Sw%SXS`6UoT@d
z*Ty&-^u7?<DPm-+3A<2m4AUp_opBkjliC42yN-4XWRMEII_2hX{CCu_GJvU5MHOSP
z8sYY8t5Ta5o>y%8PEFCm%d*v#%Z=|^`6F~oO@~z(qt}hd$W9j*hjG``is}_vxiEz>
zr$2G$q;g)`_{6?$YK${AXAST)<Z=rs<1FxwwQFFlV1YX}iqHsC*l6`tiwI9pW0Dbd
zw~b{(U<D11*}=Q?f{OGJq#(~;8G|Wy&wawW@BBV?st!oJzhHbG$RWo-b+I&{%Mlz-
z`5QIZfycL#w=vi|-6#XW3BnqPaI!K`D)RT7kZpcvLIXZDo>qwr;wuZlHVGa-4m{#(
zpz)s{#>dXv*A8z`#3e#`NqjYX-86}?<y0@{(>wn@5EGkX9_-*rPR{z&C^I<eCR8n+
zB=7XV*jWEnFmKVglNtY$*R+{zPmjJ3FS$pWJig)GltbG_Jx)K5aAKHy^7HQY(+Aau
z-@yyD&^p_$Cf+HNvMEPm(bd{nFIsXD5*L@ztiIgXBn3md!G{O9J`4Az2A*uqur190
ze%F8dWz%kwB&hMfE)vx7$ONnVA>R`mlfy?h(w#sPot_DJKVL-GqtuBr@=4-tl?a1R
zzOQry7)8!!a@cz0Dg}h!MqKXynyBqQe6A9?vpg8D>kQ|tA(wuY{3V??S<Rvewj%tk
z^;jZ~c^|?jn&t+OXFEeS2Bzjiv4uVNrv3`+u+VJ2`ae|~v8nlV$g0m>)e6=JftV<q
zyh-9N>z)hQrfZ)}_P@ta8=B;XH>CmHS?n-e*)JPZ^gEg|WH$$A;L!r=f=XF=E9U9O
z)GRFXOh+*t^D|I3UbP4qb1)7eggB@6_B#}=t3=RgdFN@VDYD|22&huqaw?T|I0ify
zRW7Xh%3hqwt2$XN+r*RjdNk`^*Knh<J*TMC-6bnAs-<yu&CEUU&`H&M9aJ@p@Xh3}
z{(N6S5NlpKVoFl|v()SDdz~>_5%tcDvuZ-GwSCJAd~J6w+=hx{rz6U<=IcuPIy*81
zy!cK^6T%^r6?sXt)H>HrlZWF<c?~%@E_^3cO2pdonm#gD*oDS?i4$8<P-T~MP|Y^u
z4m2n)6opW>FFA}c0m#^B;UL7~M$k=(FhX<entCbt^wny|7kTxx&=s#+Kr_^Ajj-^x
zinx)A$-feVh|3oy3J+~`$T|UV>l#15RJr4c@){$n6S%m}K;Lz}#^|al)2Lsigl#x6
zbwqcL(DnJvQklny#wy>^YNrf?d)Y$1X+#KNwu!H719FKUfs)Xxx}uSOfW14V&i8Dh
zWuuSub~6iU{7|rT6~!*3Le&}(J}V&Ee?{@uk0xU{oG53HTwjC#A=_*YGt!^;H1CrQ
zPYj91UWT*Wcxb(fTke8cSOzMmDWpitju$N##4<a;sI;B+;Z17J+Y<AS#&`nApX5P2
z&1aG~QL`%)n(G<lCQV*6-mj~^e_Q>&Jf3we@0>Q4RF#66&v8G_U?BXtpm>p+KZlb7
z9fN~fSOee}1a-P1YOXsa!1o%vDlCJW^RN1UYkQLx7a(-vmYpf^WO>w}**`snH7~}l
zwnr6!6}rb|!QBUdbQK;wr@woW$5fs7gI|wJE?&(Ok1?a~d+~kP(X`aN)jJsv<Yf{6
zE(X@BFddt(;x)aB>VrY8i`A3f{7A1a)>KijXKx!x5`A8sJw*~i=G3~0LTP=a0u}}o
zKRKqKN!>j{&aV4k4@SP9d$97x)zg{meT^A0;;L;ORn{U{EPP1RBH0DJ&ioshIX8OZ
zG&1Bks)a+dMM+m^(A<bRIBuqwEnLdh6YJ7e<ZmPnjMFSVX@6NC{o+#oT|eqfy+gw`
zf;HpP_MncrHZ^B}q)-l96WMyGkR3_H+4qV(*r!+c_0)oLyND~FomFHqZ6;0azN$0{
zf;z@zSdl_wd}N4q?@B7NPVbU5%|?sI#U^!3s3Cv3L2lQ^-QdQ&br-dk%g0;PcAD-@
z7kTU51>0-N8xOC(iNrqo&9|TlQa0eH+(2eHXPy$q61x1Jq~Jp42JVS_^FAt#b~2Nf
z4FNHVrGS^V*|~(o?uKdS`!+R++p8O6V&ey>Qgmsk_Vl5v8}c7C0Y`=`c7k{_%VOgR
zN(j-Y7IdN)y&Ci6@wm4xJNR;n>Fa3wS?1|V&w6fH#vcD{^>GSh8I~Q}s8d6S@^aQh
z%t7J>Bx>l}d?quT5qY~kQv!;6#Y9yl@E->x{IN~y^<G?~8<6vEeIb@*qWb!rYa-U4
zz$tC-sKQ2>;AR(nV|ae>hL#1KN30R<^SvOiX~S{B$aTHRx8YdSd6|MpeWF{dfg;=%
z3A?E&2H7YG$lbYJzq<&CnlCXu75L7ok8wG~q#Z<y6M02!tcL=xuTHsQGx1)Nua}iK
zVp$9U%T;NXu@=5@m35B-B=1v4xS5Wo!?E-xYku0!ue%9@xh*yW^;2siO5c4n!SmG*
zQIT(UGReRqD?Ur4T98_kW+D9*ZAMNPH|>~A#5{xnY1zc0PVl%k2E0fo1(a4HG$f8z
zulW6fdW&x1AFOjBD^d`REn`~#9vk?EL%0AwK8Dq>LkCaUl1Eo?MX82i!VYe=b6WHw
z=NP@MdW@HLfvTVMvaF^$qC%?2NzXkwtV^`f4$L}d(Ltk<YgxaVvRs$Yrw~MwU90FP
zT(_td-~UX?)u303t#}5&<EKi0`f6C%1Q{MNc97}~@SWZ&PViaUhfYXro}?svI<yk&
z&nFahYC46W;>6%T8%{rq<NJp(p0^(`e%42<j0y5rQqrN->Io7sx^ZZYf2xr{qwtjb
zs^%2rRgnFfkI>cqW_Vk@)<mqCn{<8L-A@|kmVD<eafW2JGhM$XLqV!~eHCn{Ezu|;
zTqYMfSZ_O<-e6z5bRRARahXaX;DCS75?ljCX=%+I76Fwk0-0f#Vga%1TbL!C>TXIz
zL;a-;EG1qqeCHv(f$a8?(VzZ!Rr(V`>R)T$JXO=(P&f%!5ruv|=e*>iaxgq@r~$hc
zu8#I`@tf3F8R&)On!BDtAiXBIX)ko<>p91w1<%?BO@P9dKytSx8jc~BUy;HGH(3KT
zEy}AGGnQM-!I@zr8W1cm+M>ZOm*M-czjq1qotanSndQ8^4Wgu&uZSg##hT*c49Z*~
zHZcL{v`Uh5nL1ZgVLU0sCXK|NP>&kaZ^mN~9OH+r#h#im54EnEKFN*mPE--&)^wYn
zBDG7!&lCfeVRPJ(xot^DmT$<^k5zT!Ykc_qho0o_$|cH@n^`Y7M+Wba9T@7Z&Bm2j
zZ!ff=v5jd+f1RIR&j#bPO74EfCf8zWVX~{XpnO*YT*s{CNpa9v0g>Mb^9~-G{=9E2
zf6fI68Z~>apFtz!Khtqd_FFO9*<f|YShOo`aU?5LzqdIYP8x$4NRn!OH-DwR{E|s5
z`{U_y;Nys&CUTK3X|!o=sl(erB{S~P%B|*wCOU6uhUNY(vQpGO%z?kG>GGk&NmqzD
zHm|u>+fqC)JxSAWP@X2^(ACPVIy8yEThI1DPsl=L89c=LI2jqar$8KP>DB?V(!ayY
zf*hexOM{qabQxEM${`A>bmuR^u;pnq(M_y>D`ohIQVe;Ti}4RRg0DmdO~kgyYe70K
zVa`wo#`gMy`Q`?8{pEp_)03~|o-nbv8!Afb)%}`Oj&Nc<KfXpPA=WI?o!yq2xg6(H
z;TcBJ$8^hY>4i>~eYLpd{CW1*4LR+ztsQBk?e)u5-sa}Ix{+5mWIUO_5^Y$O9;x4+
zV}>NIjWEBCSaK$~HKhK)F#P*YZpS5J#hBk0i!`2+b|Gna{hG5giNfF>;KFaTC}w2r
zFuhM7rD9jieooaisCM60<Z5&-Tn!_aHe)Jb+ZhP6U6wy695CH?LP5TLf@?}?b8m0$
z%AK83&jXvlN&GxF&gE9X>PilT#w-@PLAe}Z?L?eCujwFHnL0n4vC*#Hjhp*)B4SO)
z9<Ul|b6w-nH7&>+SkR~iJ+Sj%(Z{j02o;>nHaNti4eZk*QaZwY{<Z#@Yl`EHvm{N6
zVRd#>?ur|{8w_$yMUB4l^?zkdIih){9&?MYK~US3A8DO??DI;G^eD({rvT~@rYoNI
zNC^)7wD_IZi?4Za1+8Y$r1Z_*ORhzq=hyK}KMJg>8YS|CwSQgPzfq53eJ!zG;VCn*
zTBwsLPdSKIKD$l#adEKkTI>qF<2i}>=;n8s+<p<i<jlwk5NPdv-BGO%s>r=60+08n
zDXhyAKfiwyXkhNf=Y$fA*{n#?)2`u`L~<{GbFl6V|2&qg_%`9OhDx3?sk(L1SD6<h
zQ);6l=jxOyaL@jQYiZPSgM^kduGRCLky<H&FsJ%l><n9*QNzd?8R<C7Ul;T@ITw_r
zN<92&)oRr-S2CK;nMzSF$F5wrUr74M>y;Mgi4`WsLGCeM<NaR7QiK<`(zrcqQl;4y
z^7IqO`9=b-bSROFIb-7laZC%vWUYq386?-W46a$pXL%i&UB%f|*HpRj8Fen3vOEmY
ze(HN4EZMr@Gyp2K04UWzGHj9ae68!pw@WR+?XyPaq>>3imS|2fbeGH|ee?|r(3)2N
z1YG+Jkq;A2?V6St7O%&|B3I|Do1lz<;IKCaKK!*~y1WDm02ID0%`Nw1;f(R`!$Rb}
z=<u37y4#2-&u^6YP>B_Q2Frv-XG_paj|!a31nEHJAGIkmmyuNq*L@DOpQM%-P!Pwt
z2An;|O^u{1S1hl^R#6IfZ{_Asv{JEQJFj4%g1{f`$t$=imBoY*T034xMzaUp(Wpd!
zmn(bbLiLonJhi8w*z2P(Xn0YXQ$L!;L18p+@_nGD{N*kVT^iX@U_lIt$@aRrI+K?T
z(=6V#y|>?#!)fRJ1Tu?X@PjU5??m87vJCR{a^@qUUX6|mOraUal+dV`kGQ1DT!T_J
zl?$TICmF`hUvVJB3N+7_*u=ze3XNejFkq{{7%fQ(F1E!fbFf1dj@y-S`hA(Hb_-m9
zFEPrk8!mjeh=+d(+_ha!tFL-x=;f*ZDZ9+Wzc)}?dB^M%uemdT2FxKTSVyZMc!$>_
zFilQV+XV{J1Z;2L(zsCZF1h`d$_Yf?;w_lA0fdY=8~QzWs@@2?$(^9bp5QJ^5C-+O
zp9RnWpKlXK1;Ud8;$&Gxy{Jz=rFqsyzV$D3uC0hS;oiAw&24huXD>z4C|WN=2KlQu
z^X4Qdj|aTcbCVoSiR}iplqNQBdw~v)VZCQ9?+k`X;@Il#=w8eeiE(&EMcWbXWI4xw
z@Nh5lz*|JmCKq1rP?+sA!}%!8ZJz>=BYpOfD(YpDb$Y+rl{!JIV`j5g6MqE@&wxHK
zDn8jC|NNxs)aSU{AoEt0%5&wI`|L$&IHKpTq<+n$jpsjTF-Ef^e{VTtyb%cbrOWnr
zFAYW$=6YxQIQQeO9#>T96P#Ave7alMY}416i6Qa$>vpOMqvS)0b`KM->&-1o=)SI?
z8Kxc&4EK#7b)56o$*W}PN-~J4zZhc&wDuyxg0KCm%cRNZ+;sa|2aa>dL~_G=;%}b1
zJlqVaJ_>X?Ch%#5`fP<zVqAZ)%V6Gv{uSi$Egovx9eA1UP?EnTQ$ok*19r`PiMTGn
zPkL4gZZh7dEWhAuMjHmRav6g4V{?-&lqqI(&p$&!RP?)gm&EEhLk<>c;*en*7n@S&
zT5zWQoAfjV$%u9Te$W_dtS0Of=7S@(a%v#m`jB!xS;N9XS8|8jt3;vXkr?IRV4Z+%
zbj%}`H~Pdbf20@W|KKBHF^g#7SmNV9kJIza^ie6Ud=gNInPU_P<Q0s_IT^n^ohckt
z2s)3cfHA`i*e0l7?4!y{u`MU?u1emCniji;HPbrBv&cHJCmVl=jmv-)w5m3!WbU*>
zxZ0BW*VswsX2!}RjxJA!{BG{9>;@>mQ+$QKE$i~o{(JL9cWX8Ek2-}){c{HqW&ly2
zJzUBSk9LEcQr`x242i8Ya9MV<vlH%nrx+uFR`?a<-;V9eS#!j$g*(!oXzg|?wBLl%
zQGqnkB6X<5HQYK@MoUar9NOztYp=Tm>h!*cddvH*0_+HD905+h%E3nhp%qa6A(u+}
z8S~Qz>f~I^wiNi+f-kvZUTdB!E#ch$)H8Nx)wbl~Ecu)*EuBH;!#!l9CfSA`b)A+F
z3?UV~N34r0twf!x7fzb0Ky!IV0h*nSKVBify@}tfPG~w)zK!Tt2>Z0u04-Qnl`QB|
z&th;#aB=>L7dq5sQ{@Ez7^8RL$E(@bWQz$4Kig-Bu+wG<!<CG4`D`90H<-3Qsy9jv
z7~Byj@l{ZVh7Y}2$)MCc*(hZZBd<k$9~L8Pnko<mC`Ydmejw=U>*CDZ=4L%@-Kjy6
zsDJb=uYd&Ezj`mXTi$VTyb}B<{l7-3)6*~Sb-H_W+MoROx}PddPwV~!9X^aaIa66&
zf3fge2@aM%?YViH{)4u$68wI5<?S#3w{O1v@P8|4>eCZ$<LU2X*1$_8BLuns{j04%
zGc00~FO&jD=Zn53zBe;kC<u1qmT&9;A`Q(q&bJG(W>&%EXuud$kw^$qU8>UQ=!65N
zpn$o!4&(}_So~rz>x325b;Sn4@ov7}63fWvhY9Gn;sS@#{^q5;s3LxbLH#K3A&vV=
zEP%4=`fG}5GnS)u*($|JCNY)I2B;l1pPS1cINdP3#^A>vYo-=8KDh6!gJ~IBn3kNv
z&XSvo$?<LbT|A!=lJ%0J)EqrhPBG>y!kGH&3!JyIJ$C4r?4AUo62U<awox*IBd1>$
z7`r<k?har7E}d*`5^l2>6!349@%^(nlIhsIY+T%uVp#T*tiryY3ro0cu%8Gnm?vFu
zelcbLSC31b;G&JcoE+_`+mH+&D}ugnG9{l=T!Li6lnt=90m9{J+zfDm&MyWkfzD2C
zY#fsAmUVx&zlma~i=z5{x(3Xui72GX-hJ6V_=orX+GpuwT;aT$<oL1P#k}HM9c|Md
z=FYxKfseG5b2*}2!yLo&4azqFU$Xt8iTUALKHHRGbLy|AIjT1v<P?JE-I9)fxGRhE
zB5eenM)oSp#*bKOj4lp%57MgGcY~^JJePS{o3(IX{+eJiWH6pv{e@?v!WV;qk;`n8
zE6ldPNdwNLS-JW2!ev$4Epw0t3fm-Mm}d*mXIa}YIBdS49qte|T|zZi`HaEb=wIi7
zYx+3cGMDxb>@OQvW(2^0_VFgW3%ceqF1wt#>H$SsoP;oEH)24#C5chpsX&w6FITCJ
zAm&9E1C-aOGx!5c>aCX*oeP++Q*UI&bHLP=xuN%5SFira{^jAU#0jG$5!XOw+=Pyu
zS2hsh{$f<<rV1%qmQFk-@=GS`CpnfycDlZ#DT+puapOjz{ktH`5Qp`-T|bmh<VB&c
zp@SV;Oe$+)g1;(m+E+u1swkuv**v1sj*28?Fv<{&ybO?_O*gVU9;-IlqskHESj13h
z7s1YM9c*1UR_pGc?l*5-3xq5Uxf)PUgwx|2;{2UPw~eAEnk(D#Q|ngTs_>aei`3<j
zvTTa<i7HvncJ8F9c};kcHMz2gBFiNBoZfUURJ~GC4}1pC>dK^oXf+a0lOD~`SNio<
zS=F|?wX2m;_f{Ss8P%zwANg<ngGNCI?(-Hq)k{#(7{#XGn-c8;Q->R@IExD_Vu?&_
zLKKOp@9Y*khEmmHiROvul$16^rjluP-WzGzPvOVEt-0MX7;EiOFW1%mO)dV~>^VNW
z$#!Ef$4rynx&LL4vc;3dsw>BB@L!P)1htLf>4u8mg8t>mOLs0N>Q0|Pl2KPy*9;N?
zgUq3P->38#!ztymd#v~f5H4ujj;FIMl|AT}#s}BcedxY&9QREU>LJC=VK`u38))07
zQ*=en?2xTJdy>PCPPCs&*F_hSB%a(2{!0^^nQue?puOQG{_A&z@nq+2W|f~@1ol6z
z|8i3IttRq2a{Z{VwE6q$pzWUPq*nNIMk81DCu?L}8kRkcs*hT+NM!hye8Q*dd|ZxU
z*{h4}gZ<YHZ^}X&Hx~nNZq994x<4Lkw_lho3iBv*k2JVs9wN{z)JqJqY0SNH$1L_2
zymIoGS8sVIs3RVuhn9mu(9ZAJNIuD)sE@jhzNU?CyfJqG4}7a?^?Vu@OtMi`Z;GWz
zCZqNvTo#d&a*)|TgbxS&ORg{Noi|Hn0$+W|?^}h)IJONL@2Q8s8yok-!KeDqodvt!
zeYoDm|8XI3YWl}dEEZI|G~D4;+Q`@p);0#>@}l{kJ9D!1U4eB2nNd;dmx&&&kh6Q`
zu)}?OGZzS4;7xZe!ewUEsF}uQES>BtzL~T^`AZ!3=oXGB_^c|2|Jj-*@J_CR<8ktB
zUpnrtIX54Pi*0m3QH5)RoFbW*$7elyf@#~TejSYZp)~p|@amtc`<x?r{t4Mxt*eLv
zc_H5d63!OdHTFC=M-t)G+{ngo`LBiVM?{DdrM6w<^6>@<A#N7htIObJ4N#sXbNsUv
zXN)=l?NoMl=y7o!q&5O8vv|ZpMfMpdup$DOMTB&*YaSl-hQ$vF#3u*)pv(%9mFh7Y
z>zgUu0S(5x!OSXw%29Cf;Qp#Nv0AKYlO^9-WOC7j4IAk1#^Z^^Q=#+#agG$6`1E9D
zV{NarS}mkKjLUrUV{68}85wwcj8k20g0JQhn}yZ&hR02C2gpaKF$obaxk-`WD8%dw
z%qB2Ln>_3La<pSsGch95yPf1pyINCTdwsp(*j=4$IhO@MS8b|!E%58%Wpco$Dk`ul
z^23H;OUZ<d(StM)+}@rbQ5Y+vIj+^ZAUy8bkg=V%&^&USw{>0XR`y+HT^YRE@u~D~
zYoyAdZj}nHs-)@BY@?dB!kn6wQW~>R1|ZCF+DHhFsK>Unl4Y7_{M&hmYnL9&!N$gI
z-$8J#zjq^JxpSm(`7Z8=bxImkg{WH|+pfmT+*x$!(+)c%@M2~zh@{i9{v7(g5yqYZ
z&{Dz`a%jqxB`KBCvPsCy(Ea$wd(yZixIodctZ@y5-LBe(GEPkD$H$&rLM@u!?{ZFC
zHgtdPE{*2*IN2c7NJ|<Y6bN;wopE+hRZduDaiG&ZVbxY_^#jzI*df;|n%VQt*YEg^
z{ltB*`7A!*znC#9X@L^IwwI*=@Yb!_KpqF!7Hm&DKW1TRWyL->BR=4pu)ymfL~3dB
zz%UJMCa%>d!F@AnVmjp*^xQ;zaosG$+`vI`>h`lp?Y875|JbBG?B-6*SYoLgVE}T;
z6kP$B3wIGZ_>6@V({{C!PmKJmeK}dVZ@%(}@+79Yx_tcX@tl4guZ_-m3Fa|gS%cyj
zby2L{nV?Qmbh5F;H6zg+mM<B0I+!3T4dW3+=%4dl+o=3mMM=2N_B4K6@ukIX@WUSg
z@)CS^v~bCY>mS!+qwNI^V^=lpY*=a4It;!{T`@?O)Q8are);LrdU_XU?74yk@q{r1
zy@^zf`3BC`(7UBg7e}PZ7FP*X@2EwKRpW~drOk}rS3WiL7`3`G4k|RqZai;JL087F
zJ6_-tB6B<mFLkAWvR@QQ?*F0E{7fj+@T<SD5C!-GH>1)g)L1te-@i&mLgsznO;$$H
z?NV-=EF&g|bgi>C^u&Q7p?vJ8%FrYO0;M0YzcN?P?M0dF2J#(D@7Ihhc57QUa=*!l
z)Gkgjx#6!f#MYmFYYnq|H`Zlrmz=s<f~^)*hm;$N4)D$A#@^RGmZo41i!+9TDzWk+
zvKQ@xjKKy!y%r6<n_NPz>%eu2JYEy<-Iddo08pVuner0rcWOg=TLrwdDAjQXvKN#g
zp6CLu4M`hdiZ+qJl)hDJ4M1S{h=@a_K(*ysi-m1P@Z3VFn8s3>!vmi~^BQG`0$|b{
zXkk-1erjhiqsih}<%rw6mshy#PfXCoefHY%gT!C()cZcmig?rZx3x3db5kFyQ&EM+
z;sjNB8@A?AB~ssk$e2A)6y?`UBxa`_t(HTQYyAm?HJw=Hsjw5TTS8W0ywqA@Z@$rl
z(HKZA$*Ay7G6nC_p^(m)PG#M-Z$(P%Ol&FFh-!^lnfWJAy`a#Bg^pca&YyXTN0;#W
z)>`RBjTAdlu6X&Be)FqBlMzATm!<Cz++XqmBZTWzH*aXa56CU+eDmLrlrNk-tuaW2
zKs7L75bV|7CF24!_;KdsYIK9tiT)uk5SILP1z=Vh4s|={{%mi7)nmBI0ZOfJkqX*w
zZZ>uHGiJ?V8q@ZbYv1eP`I79uf?*0~&QtbR`dIacU6AqF<vwxIqO^W8eQ@qr5$#`X
ziKAfK_S1|t?<7(mfTL3bmkE>asjt$Ch5<8b4L<+8q6r5s5^&OJQ-zTed6vS8xsg+^
z7NcEEP0^PkNUhMpVqU&6n<SZd-R#l<^A1?@O%Zof*f7QWVE3+@iTf5jCK}qFHOUL2
zWQYXxS-c4`3^Ja;uA~b!I4c@{s?(y3(92);3sD(=D@5n;++!>8!kCT&iqH1m!ndy`
z2l!#sUTkf7<-Yz5Vz9j4pp4D!>46Hov`Esr%-XY=ka9iU`Wc^L(7_d5c7HZ_*icYy
z{{q=>`6{I}wnN87WF#HFsG`YYK~`x5HR3%3)o;|c`;vGlv(dTJ-SlZiM3Z7uH8Q{4
z=LDL6fC%Gg5Rus)Un?eAceRjfyiP>jfcF^X_2@plU7Fa__t@q?4<hK*Su@JyOg3rl
z>wNLUShZfj*2NWucWw5tmlZ&>LqTKh>-`TJV6_ESv~x@7&RlHvE>@WEb)%a=ZN7-9
zLo@pC&1ARtw%+zOq5$uoClh8AaBwBD8XjSqG_Fn4nVb~GpH4&o-k*Thd2m>NwZJgO
z88IXWH%H-0;>>P*Va-AyT+A-jcF7+Zr|tf9_l3i3k$zL#;D^e5g3AV*3%=M`!K(h%
zArF0W9xl0T2Kb1u;Z~??$?u!)!4|g_(9dNmQ89Htyv1fDyf^gq+76h&@5gm|a_v3`
zAzW+4@A2cO1J`_XhS(QROd0sy_C}B<Bo|eAe53336H#+{HC}b;P-o}})6ceZo9Rb@
zJ4h<hP2jEove0+#XlIeJ+i`RljfqVkTyFTTdk+04J(v-CV`Hmz7Gb42JdFT^b%U&u
z#GS`}Fdw7DrbWYbMg68o5lLK|=5vk_m=L6CV%31vHRpB*Wx<R8%IzRvm7)Ff@gg}v
zV1`I{7uIgkd&?Gq`9;3BsiqvQiFKgHDwhs)vzMV9+yF6$4$1-c^CiisCVsN2Ufz>b
ztoG0a-RKPa(joGjJq&i&j^9kKR%|DE+kd9L-PJ#z4<{s>Z{0LpFcm?{ijI*B%L1Vp
z$!ZY7s)njJh*?e@dGykNB0^{%{$?x*HVph~9t5P`Q(+rjJy|?6Me&ZT*g7|KD@w-a
z8P_RaL~~Bm{=QKbOQ^Z06XuTClnmVQ&<bHx#-gLaRZ^8i3sJ;c;7cddPmBzz)mjo(
z_@NH`8cedA)BL@^@kAOlFaLf66}{9eW-t7;YJfv3cB`t#8MXPv;F~ts%Bq@MqgMr}
zswahZ-Yb*A7CXSDJBd+j|8$#6tGJctS)4g4zyG<<`Oxl=zF}8dvTAcTuk!yO?yaKY
z_`)b(AVBco4#9&5cL=VH(@o>h&{*Rh2uW~vclU;F+#$F-jYC3^1Pj3>A^&0SUH9p}
z&CFW!a#q!AtvaVx?Qie>Yo$hzj=qq;QC5K&{7d<6K2eoOZ}yUA;oBTz6&=0M)_-W~
z0mW`|{X^dD4(x6_lA;3vL!x#^KQ8;Ez<&Vr@KuD(ok!<O6ziwTU~;m-F=kQpD7>tg
z0R@nj%QIH0oE#3Ye?Lc)z23@!ZuuXYXu`6&wff$oj^u&NpFe?|75U=@Wdx`A^#)0V
zL(aiMOetDX=_bdN09;~rEhh29V-kPSyj3>6i+7!Xx&ghR(?q_MT3&JH+u601w}>|`
zt>o9Vm%|J>UAd)I8m3zwO@6^DQM-;OHTbc_i-->hF7m-O;4hY#5MGaDCAP2VkMbk$
z=^AS*lz1}^@Fwfl+j>0Mcv1O(3mjs-K)hjumf~q%xuUZ*1jhPcy0_%2<!fY+aZOyy
zM3dKS;}QFyVDAkg^-<Lg<!?+0P!0fz=1f@-7@n~aYwH3UJAzT%WUH}KwQ+o|0Q5=P
z#|M;)=5dYU0N7X@i<7v1B+(ycN;IDLT#Y>!p3;sq)%yWNV{@R0&ALMe8Hg-g()>x#
zBu>mW?ejE>6l{1XNiu<XKO$!_B=Uab4fsbQ_=f3F_hQ{-wv}QVvdLN-Q}L_!ES{44
znqtu$KK1<kvbZop*Fxv4(j+~GnD>ujIY@2@7NO*xDa(c<JB=xwR#H6y<$S1535VXe
z2n$G0i22a|-@x=@UX!j|fCcJDS+%JsOLy(1Ya93Q$op3Z<m3Qlp*4`4*|f4y{S=1h
zsCXioj&fPdRirz;otP|1!uO2S_b%Yg;|Jq!t{XIkd)9^<0hW*-w7)c<4htVA#n#q@
zN2p-UMP*XnnLN@_I|s`QlahyKLu=Z*Jc<d=TC&Y~M`-Q<pBpk<@=)X8OYJUFR!iGL
z8!>5jfsT)l&J>-;F>-5Du8XUpscV`C0{;?p-EN2PSZJ+H)N<b3B-7!m0DWEOTRLx`
z<Ht_D%Vf+3)_a&4-XoI9?Jrpx+z9|P4$GkhZ}D*ttw_6LD<E;kk{@)i&&-^EUSGKL
z?6rT0K)LYNXQX@9C$@`D8(jlFmt;aujf5oKN$rSdr@YDaNrh}iuWHbV2LSmRp~Drj
z`F1hoOrM1b8OFGuCWBFOoyaxO>+KtRxHUx~`_8y<S0fLiP#A_~Rvn+HQ<^&-4$>GF
zFfSHi)uJx3A64%fleuVYe}Y>$b=;|Ta9}UjZfKfvQyQQ(Ku_sgWoTUQ{vJXM0F@RN
z*z>La@{NIwY;RDEcEi~M(=n<?hceA{VZ6y(+Izep(VRFNAb!)p2!EmK9D?G-ANx*|
z(Pj!vdCZ=SSnCU*7PGgZ>lLTHb<iZbve}o$WLqNe?9LAh4zVr4o7JL{vrqFd*u|Xm
z*Z+;<&PiOfcgC#5d`PW5ymi|`6j&fQ`$f$Fu4GQ0pH6VVl!mHf;E|YUOjrkEY=amM
z@m~NjAMu$!X9%{!-bb6^S0*uBn&grP+s+^RaBpR%@zqEi%(thhEcV+S(}QRlMCth&
z2HID?$*ML-k`pKpU6CpW;qcjELKe9SVw44Mvv^Z-)`snL6aLH^IE<evss{&8RuwBd
zoj^r}iPvN3C{zKx#iXR<OG6=by7ZrQsdyjrg_*J;tci}zL-aS#p}5}FHa@ockj}-O
zV=-bwFwIt)<J?RwR(^%y{5JrUC3VhF#(cnungsKJ)ot8!E>%nbA-rLWrKGzCs<nzU
z0aIqy(GmQqol)jrFR-l528MQBGS{PR?)d=OTDyj4F~F)iy8I%^*b{eFY~O@g^Vg~d
z9wKa{60iN9un=^;`Pl!;wZ&H^tS`P2JP47Bo~^i<HT*RvH)>cU@?Q~k8w~$oOpwA9
z9hAN%n9WWYcxO40oG>0;nlm}#F~k`|L_B1!bH7*k@vNY(?Pim(UbVpmu#+GDiqVR>
z6I@3@wgH@3?+&UJp6tFsp(t7iv#66_XIPNOrLI9JVs^sfo9+*_&Q0m?zcb9auTr{3
zuKX)va02!sL?3Aby%)t`b}eQ0y?#E|6axncC~3$WOb0y)FOFb`kXN%OyiMoiGMlec
zCRRpSUuTdt2l2$y@zFa1L23j=T)xMyn`|KEL78^~JRTsa1kPF|2oORo$+G(ui>%jO
zZJVU!cid@Z?MRQ#7`E}rguDjncO3%jFHxrAi6GMtVX?(E1&J$KT~p)j1saWYCv~+M
zl4CF79?=r$wYdXq2264EJp21x23mqz9NE(lF-4Z4`>m>N!;?J1Fe~k^Am>qZlkXO%
zVbXP^T@QO=NMKj=`2H~$JX*yrUkPjSg`!AfETxNG9Nha{oHzI0Dp8gns5kcZjg6kq
z)^V!_I`ncB)N-tw>%=Nf!IQc8Q-6kXD-_V~L29FpmQp0fi{_UKLyJbEqWeP@Z*5GF
zoWe@&Z#3}5l-~O-6j>95OS#asZBi*cI?{UlIL_+TVX&}15lI9GIi&7p8wfk|rnVuL
zh7dLjg0x4%)~skt@xv~TKUyk92;Vdn;Fa;|H?+CUqYgA0NS<O!QI823u^C1^8B8^h
z38+m*BQ~Ga78P?S8q8BzxCTr-4&t->wsSdZ%qq1u-wqZ`>;v%pj$9!fUmx4!x5BA@
zZ1s@LL5K^kTlYeystLP8V%TiGc<ZVl`&gj{Hf#^6=sViJCraC*LjmHF+E03mknA`i
zB=&1BXkm=!v_Pk2`RZLitJ7gsP3Z-SqYHH_9RXrjOj6YHumjc|pb@ooxMbZz6Z_hV
zVajN@%d>z2qa1FLv7I{H(XyqGIPjW5o~5|?q8L`XG*C?+WY$`xqyoS|qp-#GFr;}y
zsDFn$lse{AT|4#M5b3X#{kQX?Q6Pcjz~5zHQc%<s_|x9S5)92*SDd92&K#UJAsr#W
z7UzNydU>?lmEI~-9wLZDYrZxcvq~rP`-Q#n1;k&P#~5iBLy{ab<paZ6meqM-9rp??
z<yg7>iT1C_bNRKuM;3dXB|D>dRz3?kZ#N<%F@C>b^wPE-327QbD^0-kA~uQ84%ZtA
zPt)d**vquANEm>hYNiXR&f23YcjI@1q$=v02F$`Z|LwD2zc+Bfj9+?<*`bk6O{-WL
zI+0{J450B{4IY@fwb^6KV5<MXO!I!Mpbry2*ed{^9tVa6<?+gVsACz@KP6%DVAr+d
z*4ob^+M~NnG*{GQafnY25%hqPbPU9(pR))H?G^g4iZse#EL&~HTjqrJDi{7<R*a@b
z`u^!Y2)6jylNc!(LrYMn(iD-icE<?e%U%-Vc%|0)yXyu+#HZk*(=qo*v+G~0835HV
zUT>^OVFBqznoqdLlxtG($BNbgyg?WZ>+_|mZ@qq`-j?I1pLvV)X}{y)c`u{=Ix03T
zU0eM;FI87%DuAFU<r%$QjWO+BHquvYcQ_fdu5qnZA?xa>#=8!a6BOodSRv5)t2&cX
zjZwOH4L7p~-%N7@4HJ^`vJs}u`JTMMt1U4E#*HLmUb)Y|df1+XpY+QnZUs;nnmm_N
zSL#4L{H$y<MZFLRbs7ByfXwy0H@;0ES>SI-8QGd$Hi9RR4K34TY}Hd$inLz%@P4|$
z{iV1Y^-Ag0-QnY7z<+4HS>}kpK8RJlBUgVu|Hi4&380Gmvn_xCGJfKkI$y2!%GC`p
z#8?5@KEbFI8N!{_=suURIpKvwa{fM3Rj8k7C(q!g(4sSB4L)Ouq#8c8<KBZU>5Y*+
zT$sGHLJlQq@{~rbe%RL>AzT+?%w=^0*>5F%V^&-6pHRJ!NpxSOP<E46iXVqs6Lkmd
zCHl6u{U1jTBBOp^-9Hz!2vz-UZ@x!N{*8TjmvSxlZtp*|#aFIDUxR;rY7TnmdK`p!
z9zMUA|MO&Z|H)r2OQeWc47<GN*?!bLy20*p;#SXpWw$~C!!__3z#c-pL$J5m7&&I+
z5;Rd``?jn}yrX$q%I}S?n#!`KP!BjkygsvfR=P<W7mqBuT7Ru$n(yZi0sce7{Ac9y
zCK8xWMLlXKR0r15Xb>#gn2T3v$&+N6lxsT4bWdBMqd<(DWM>k-f~-ougv`g;)Nkb-
zS8ARXKsz}b4@1m1{{47QMb2{f6xQj&%yuF;H^yn`@VYye@t*$~yXnWS<DROIK;zT9
z89q4H4uYDby(1<LBFF+iGe1E(!#<rJAEsWi0zEWC(aH}8h;s&Xt3pK48&sXL7)kx8
zl?X7_r6<ib=TW3Gz%g?$O7F+TUA>C1%lu~MvfZjIEXES7jw|N`x2c@E$lsLVY(2g*
zpOu@oS73gzB|ITQ0=@34aNNJ)sSp$^SY0JvWrHg~ms;^6JDEmfzljWSaf6pPCUg6#
z^%<7LDDqu~`E=Nj%`!r2*IGsN-5-~N%<Pl;5XCT|pQ;<=_m>R?@Vvf~8~f&|vNpC&
z^dWI9l*@TFj4*&kVA-iR!#$5v#e^PFsY*YeDEgV`qhf{k{_KuMS^2L8w>oF*R*rsm
zzmolhn$~eX7}(ccgw6_>fyG|1??%&rx1zX*+Qq>+Jrqt)9E^xIub9SP)Hzk4@al@;
zAWr02Eb>7bEm4{E%Y3)zA~eZLy%+g`<9WwK0|>N9ppbCxg)n_VZW^MP`5S~Z8p2p3
z9+w`C24bqQr!P(m6kZuW?zAr!J8BVHd@pWez>u=<uMzsZf@|$=X+IbYnR$}Dha2QA
z*JblHik*H4<RyJdNhaohZ5UZ7{AN*=j%CK~hoavc@eiPGHBX;DSPJT!@KN!lL3t$-
z`v`t_*%jZoS}iio+o>%XVC`c#6?L=sU6q>z9McFpivf1^xxc7ut+UUoOF*8QVSZ8M
zO(;GwKIIFoHxT)b!!07Z9&NxLEbyh?i2V1kLh1_TB=q~#9=7PU6uM<YYf>;A%(8fW
zLe!THR;YJFQKrqA{**j6`Z(8I2GVW=zv1!&H#%{?Nn@3(%G4D<oc2N%${#!GfChgq
z;#3cJOX^%zwp(P!I~QHh*9%IxtiVfem`xQZyBG(|r&QJTO>KmFH(fHDlvkX`GSUD-
z=!&_wI05+U$W>d7rbrQRliVrQYf@tveyLmyDm?J8XSO@yE4ZlCMf73U0p`&oRYP#y
zjfW-%qFH0`>Bo%P)#2yhz+Em$;nzAy{`9L8dZA^W7*lEyP^3R*v*vpoikls9=C*7n
zw8o#&jf>4Zcx4WpntV^5{@_L_S2hB<$Yw-Vmj2DOP0@3E{`J4ZrYd-jgMyu0{?s2&
zx*DXgCz((nH%36)>VBe;OEOR3ZD&*(+#K6;c~!WrBmTRT&E?(;`gu&3fy4Ixv&S3N
zB5$oOHNxPVsh48CaR0=zb*f6=np;svG2gWorKHF??t_e4jp4gkX8$m3;w<{g&ord<
z_fIZWsey}Z0Z`6v%}QBt)>!0rX<f_G!K<+ZDAeVE;<wO8T%5_}u`NIyHYj2ppD=br
ze<dD*8=J@=-z^k53CP+4PrUb*e`0EQOJXS3=MVt0(CY}C<$s3H%}b88QElSY3nbRu
z_i8z#%~rw^lTwE;%a?1tV^W3RNpt>(mR^YEJM6ipF%ohG|3bY^#@YFod^z_G#4xT3
zmYl0!cLT!~YOB@@TKgvsuA9TdZ(<#|aceGY?Bt25=CB?l$$x?OL*I`_qEvVj4`5{I
z&M3z2Sn<kW?=kgP9Bg@$X<{R}fX2*uvUt0b<2iz;>5wftCaZx&zBi0nPcA3?T$Abd
zgCvYOy3Grl2u5`l)pN_vaRD&%(pOk*J=P2yaz*%Gb4!|S&Ouwb7Zp!GgGN0;EXEC|
zs;*%K0!+_%$~iBoYH3j~DvRWR2YY;6gCg&X96B)%1W<CQwrF@E^Bq&)A!J);EDd0j
z@!9(Edq7mm6>X+b$(-1Db%Y8TPZr*O_>9+|w&cejJgHbhZG!6U(7y?k>WN(rhbC&l
zrG&4`%nW%!-Gm#$aL~cCKj6<x2e*RSKDvr@!^meL?#@hmLB(~TSardVGRd)4KZ|<A
zJdug8QHjd>ZKHD@wC%J906XLB`to>a%o3-RiD{heSCS^Rzujlu#;nO4nAspqAK^kU
z@djWLBl0;}-@`%4<uv6zmn>;w0{;RgnoB13t-qMIM$1jUI$0Ln56ej0IsY`)Ro`ZI
zb=@VJ-Lz5PzU$ciA>Z1s7xn`4V5UsWRBGi*Surdv(~Jwd55DG?7C^NZ!XX&kNPiaR
zdE*J6+&I8Y26qz%2M2{rj!|iSHeY4Vq#c$WV^3}H9~=ANkDq+8u__txN07pB^%FO^
zcD52<>h_70nNglV`zwp1;h3SBL6j)r=)Qa8$3(^yBDOH)f;}7>cD|2Y^x2!+4Z)wZ
zMC))w_90)I*c$XrOb^ej=nGD^WWpQ=%V*<=V1~X(6BHhYrxf-zaqVzknLgASN3?z1
zxRH))I9wDSMLV`)J1FCV%<gD)I$q-0^p99tWMmg>`D4A7{h3LSLd#k^#sZ|)rZF6^
z#&g9U9L^52vvvtP;B8c81GmzZ2~Fg(!jvM%N@R^S`{w=lrT{J`O|>fn#X!nNHKfz7
zOYK(rCdZe~mRxM3+;Op-sezs^O~NmkiO99_KKqe0{B_*CnEO<JAn*!i^z5ZJ)ld7;
zxSOz1S1U%?_J^{k$03rCCSH?-LCJt&H@1Q#U%@zEYaMg+Yqb;QrzvL5uS4k=*K3q5
z$hJ)pZ;_w&8T-b3diAbnt*U41_+ZX5o9S8G(tlEKGfr11Zd(s`vGW^<z7VVFk-vJc
zHE(47TF5!%+6LWb7)rgVVhL`x2(o#W1S^*RzVFAJ0QHow`%Z)X>T3=Ror1zfR@@^0
z=qA`Tu90$~`08t<PSe<jZD_=`<1fFM&)>Xj&TEKMrhTW{Rtc{6qib;h*H2Yn$J`Rl
zZc76{h--0H5p-i|{c6iAjol2BPbfX*V_YyQ;}?wWq?f0IMDoj}KD6+NcSkham24j0
zC>dpxIHOpcfZEwl4Bri1NY_|&UMAw6`}Gg~25^7UsNWhA8pvN7NJ-vTxAjhFZc^DV
zzt)rz=~gC2ZvxY;Z>@`REUkDl=~y<dQRr>gdN*;kszga!L7SK|oJUl0Pip!PJwrBb
z-~^-|-Ejm!o`9a$NlCd4zd71ScW5K2#I)-60mXYdoR|FFu@=*c7HOjv9~Ej;@F~3g
zDMg{z=)|OA=uOCPSw5mM0!lj0N_FF$?cNz;I6RH=OnV+;NSqFc?+3*H+O8zYJ=klT
zSbgJ$4L0E0cnA%xgYzPe!N>>lUGU>;sR{go@`?4mDQDW(HWm{;+fCkUhJ2W%>O>mO
zxGnZmYNl)CK7?LgQ&6T=R36cyJH}rRw$Zn3tObp3at)$6X6D7I_*6Cs1j0iS{QbxS
zKX+ef2psjdVY!<K5qVU*RpThm(Ysc*(lA)P5)x50Lb;2sRd=hbo(aB9%d9oGuVMIj
z*)$R{Aurp98>N(=P>v*4PMUaNPCEi$XliRUuBS-H51W1D?CEi~uvY0hg2Kx@5(k#?
zbSGCvwg~Eb63l^Gwytg?v)>#9O(L6#+zxC!v^Yv*OeHFa6}_6<>hyS#NLI|@jQfa{
zl=mhrdAG5ps~ZXk-`>&0Y!LJGWUt|cgBJ=vd!>=&^Xc!ZIuw4MP^9{b20DL)o*v|Y
z;03J<siugRs^``}KCrJXXB9lxK9`R8Y4Gr$_?ZOfGr`u2P~N&)XVZ8vb#f(WV9z!-
z93t$rlw^K7G$t_3fomCW*qqtkacB41nr&4QFBFf@*mZ+jJUG0jMMxrb-e@JaBJ>9r
zs*JgSp6hpuCGV|V9ATliT?_w6bS<#3aDzI)vKbs@;jl7lVXwT`;$*fM<V}DtUfk}a
zVK6y3*QFf)4WW=G!0a)ovPcoHz(AgJz*(?7zH^xYfwlF$qVvkSHyh6er~QsksxfQ4
z^E7h&4pf$jD5kiK_I_(TDnem@Cgb%jOQT?_tkkZ&<8y2|&UdYt(DCoe<Cz9Lg4i15
z3aQ1<v!xf&56`vgGA89Ge=O1ob%^@Ph>pt`(pf%0yXGsr?%InLv{Lb4gpiE0p7~RI
z#64u0)ibrSX^2-CNA=xDvC;na<FoL^8T%?+Y_W>oFyl_Zaq6#>U<^*C2PijhZ38FI
zDoNI@Fu_`7Og8v!A!#L-zn3jr=aq~_t(m{w&rLo$kw3N4mc|K?b=#R*_xLjKl_>(U
zyd%#3>WB=Z`bo_goW8O!<fswjK*51Ag8x@|7zh5us?dJ&hZ4oOFS0V)7KE0`c_*@8
z5x)5dM@w*47UTX&hRfi2#)<xqm6N9x<&$XxB|AWV-ma^#_3>D}GR!Yil?m*n$F!kx
zGJZ4a`hA8*r~=j$9c||}Lm5irL}rry^jaTW+q2nVS*CbfCXCj{v!*@&HjyFdZR2or
z#Dp$iVb>To+ji$nBp#-98A9}GELVlGlGvs7r_`$TrqHUWjkEJ=YiVzbNrF3#qhM?`
z`pvzk{kVg^ME+kjvrAbzd;<@Dm*1%`J?k91N8ULdbH{P3cF;z-tomtJ<UV>h)z#t{
z9QS^TqB1$4aO;|CJA(D{TTfC(e#_;O9x1Yzd<`rAF1MWMm)M4)0MRD+rQyI(-|A$=
zDu0#RkwaaM=pcPfE9D!1HPb1le<0@9Sz_c33dulyjg3E;00cvS!$7Vx4n`XRdQGHv
zf$qA+f3##{*=!wrI((gay4PmDX$D!vTW(Ur7xRE-5GmR%wecL2dK@E?D>a?X%as!=
z`lvWyYY4p%X=z2+1hyv1>mv8P`Y>v^3B_AoLF0kUQCdp)+EqzVSM|o=DLTC~F!lr|
z)MQG#N_chNvh>lUxymNW1iU2L2!XIr7LID3F6``<%UlfT^n4gI>sZthl{(U$ob_dn
zAm$6e+*cyv6Z)V@Q&u0xyEpYx?RH2;IFp9?XX53Mj2x1IpE2f>{@Pofu4aYhpG@0H
zRP7>4zQD{9cU|@DmyYNBb5&Thc88e88!P1J_8GmF9^Y(ufB(oQ-J8DnRn^SBN#_n0
z!`Qrq`Elkx)xtOiZ7VK=Vr~v9S7x96H_o`L#S}Z>eG;v5Kt^g4nYD=O`VVhPc^eF4
zg+?pizJJD+pADb?sI{t$NsMTXAR%rh>fHwBZS~`pRzAdk=l0?ahf?0lzXmkMiechW
zb+GUmCiiVp!`S!6^~;9-A{QcLh)cJPZ9XK8dX(6cYPF^yG}cbj&FUjZ^Up0RGrFbx
z1l<udBq~ty@PQBN=^EL@zfMOFe(|D3=O$-0<%VzfOm}2)EMvecx}vjk`M;Gs#gEbE
zE{6X^FWF#B9V|Rk2+jXU%~$!(iFX8B8C%$&5p5Mbmv6`Tl|b#4(5tbU_afZ=2?$6^
zBC_G<oxlnXX+PIBJGmH%ah&`dJ~0;?caO{(7c)-|Yaq*3Iim{vY9L==5Copvaov=1
zw>is{Hl2#>m=QYpEGM&!EMMDL#C39^vON3MAa){rZ?r~-@-*kONk68-^j_K$Ch;8n
zgYJ=zmbhJ94k&B3Gbk`U0{e+X?f0N#Oh2Hb`G(lp+YY_9+vlDiHW%~0E3ysc98}qP
zF+d)0_Z!}u)(d%dJTi>!4ZWreZH?OF#a3K;A(&5l=bZOU^b|{PoY7{!5ljE5=<Gc>
zN$-D`!)jCOC+gOxsw6-}xuPpTEP2aLjRhk4#UY9|40SOElDMKw+kH<yX3c9B;}wLN
z?kH_?<JPrNgx6QO9Na~Tb~tE)A<6hWq>*95bl5aRtYt~odQb+M7juv=Z6TG;ODaaC
z31$il>$>;9kgHc3%cqHtwmGuKM;gs1xH!Lf1^F74<msvR=;L)6=>yXcL%N9`EffNR
zC@!CpfXu5-(V5@`-`euE!<$4;8g!IiR(Yn{1vKJwz6zzJ4OjkrPI~32a_58_zbT8d
z#zf7E^ukxa7h_g+6#9fM9VB;ZIbdD?mZjutiC+KZa9f^^i7BFgVMKtUUtaS|HEN{i
ztYrz>F5CHpUSg;rI~oX13gr{u2g!=}n&17lTx8y(R2n}F*uk{Zk*f01V!E<bVKgM{
z!X(5EBfPzbk^pWdNq*Z-PqawQ1H;!u?R}LS<eF`R2>EfN%!3zFVCeuRihM<i6^oIW
zvUq)@(z~VC4W7g1_j@-di2lBRy}qnQ8A2o#gtQqk;rV;(v)sj4<|5O%S;E-y?4Kn{
zVwG|jl@ALo18x-}<^<U^*cN{jn*137-Z?j9Rm{5w9#1L1SAuh?0}ynu+d9iMayvie
zpD`5{_02v^+q;ZHhu22l&(3c@iL1T%ry(1sgvdE(Sb2Nq4WPzeg8kHj`JviH-<mt?
zbSZq;*cPJ$WZgxKV~z$6^J6P1AW}@Vei}A^lF`uyp`zln0-NpxpdVIk>Adnl6@||R
z@-`Qck>NWtNaZ!72J#-qD;Z@3BO{%JYH}!Frjis4ss@#)v6*v-Q|}Q(+i%G^;z(u^
zkT-W(NVjyZO4qCeA=IbDg_zIq`W6p&)MVGLV7dLUQ!i*iRNu~_pPnB`C+Muo>(>8c
zKZO)fEF8g>?wkS1%wnk&XQvS1uB*KiNJRb&y|m1iA3m*lOd_ge?dZ<5L=K(Ly=_O7
z=Oy|KX0Uhg@>c-YEIz5XNBH7rfuwHXgv4QZ7mJ7z(ugP0e^$wUsgO6W-`_x36aMY-
zo5#Mx;8z*%>)bb+>pA*=?EC(!&pv)DoyYU1UjNlk&qjW$`<t&4nzg8O^$R#_L#eju
zC@a%wPmSWu_(eo`^XvzS8sY%?W7bNxocN@Y$1geRg&JLRl6L3(=k(c&nN-3C(+2=R
z3S7N{FFCU+eR$50-G<llFOfW3shzFM@H7Ab7>@rX%(z5$Km4@xocXvzIi_hjP0j--
zS4G8|5e+T|L%9eI<vMQMoEq(zR9k91jA|y43SR5aH{oRTX=pBj<ouqxjHJGA8&_cd
zm<Ox%sC~b50;wdjg|+3+XObNw9KtFwFq%X?<s14A8{S}T>|h%X>K{o<yn*KpKj`5-
zZjwOF)M^7DtFgwig%OqkU}CzwE_PSBCX@bVT;0t<`omHm>xRAUhC}e7Y^DF#=k>>P
zRmsy2{mFW%G8KJ>k13!A!{iZ>;o;QU1n7HZWs)ot5*e5g9(91WoP}@t;@&HhsVocs
zLKFX0^QTcbC{)KHK<ZMESYV>Tp^QeI_>H)Dc{*%5&V=|LQ%46NvAA&{LUTKuhL=Bk
zm>%Oj*Ez;<-P$!^S-_yxV6@VZaTB3P5duWp8-^uUD5^(CsMmP1A_-Jkm;x@M8QI7E
z5<0T_r=^2cuBdu~{w|%LONEEkiw=%p8Lyl?YF@t)CS0gNuPr4}NTedAiQ6P^Lu18>
zw5IOC2$KVQa~dcR1+Wk5mrUWl)mZ+%;?PlN5!XcZr96rOLtNXzNDz}!Xd>H}syid#
zfKp!oD}SAk1T#g%)0S-!nx&R#&He0Ov2Z>)j*jrq9BaVhgA4Sr(zEb%qQ1X$3~#MX
zDzhOdWnqD^u)J}~j*gDWmT&=#p`?YFQ|{>%#%AbF;;iadot=wSfQp$-$tJkzMyMO>
zN+XfV48ckbjGK7^HX%wUOiCTkp+v*yYDBG_=U%V(e%&VxkLL}KCw<)~&#&=+XzkCp
z|8}}h{zGHz-b>WPGhM+o9dI%o(b7W;T`8tU1M@;KLFmL7FNj$LUyzWH(9WUyb~dNe
z|3h1jwX1aa*DNe7d^0^g{b#ns`y|*;TU8TXgxiE%GU&Y1Nf?zfrJvTf_Mts^!Yr9S
z&Ec!-r^Dd8WQ!;8C)fYb9*XXJ9!{j1!HXH~YTBzJQmJZB(53yG+=yVj_F#KC2z1H!
zI17iBzll-<d#a2%uVHLXBIt1}E8tFMFZ~}y+^@LTge6}oSi+?jR)56`2nlM^tj;aU
zPsbY{EREVrxJm^Zki9mY)b_p$nQKYbU11kIW0M9vUDf_}RjC=O&O;2Z(Ec_hBbDNd
zU~&e!;l&(4<PWYjTB|c5*`-pP`WnYhgR?r()bG2dmLp{v50Xl*J$!FPnMG!+DQmZO
zY1-gP4adaB8$vG{F0jJL7v79GRbeHXK$z_kc=vq21}kwe_<!a5C`t0|H#|Gj=E5br
zvgd=w-ZA+Ima<~?aH@kdEF{{(@sT(>k(o}lk>thm111*o5+osc!52fRes-gU8B1jA
z=3$7{132zPIGt%2fSwqPK_|JBT6(=<j=GlRAcMLltaMELHTTteus|Z#DP-z(<JzFI
z#TR|zyQnIW?1N?32H%rMWV%C(CahNT{_|%%Z|5#mpmi}YQm`&u^WpP!xnt&7BuNN8
zi_PZ%n?%+<Mv0qMLw-qKNTa8Dt*Tf!Pz1}cp8Vv|tG3M67@W4cqHadJf?)@>cD0Ef
zpaDcO`Rx%)`?-#aZMLz{wQag?VhGG_h9sJu(IV<-vw(}}UJW_$n;R8qBE1^20dB|>
zjUJ3mqKi!|Nn)_@(uqib93V03<GmZNtos^#6Tax1<y@grsR#T(L0JZ_D8D1k`Hf=3
ztBdV@c4oO7W?UQ%6X<%1gKd_ZALZah_U}HL1osBB{q^>-{Rw1eFcmo=<)IKE<zZ*b
z4Il6X8o{xR!TBtU@&Ily%LJo78FdJCNHj?_DJyk!LinthF!knIqHJ`T6X$JC_EKNh
z^X52j=sxM|E4cak=lR_G5AE!vum9qt&)A30InQkWr{<9O?-iP?g()WvTEW)X_d=5z
z1jwpgfp;P$Fhz|!(&ChbjOS*^aNi2fvE*v?Mv46>P&aSsE*l35+RN2Q!ZNQ?*oll0
z%uZ8E;Dix>NY_P}Tr!~MVH>vT^0R*wVusxX8{^3pRKFTsu+aQfj&|^5iFporG*<o}
zpR4t({Jye-FI%FquJIWQcw$IrUPdd|22oME(|274*_9y5UkW==OT@Tc<Q^>O=##v{
zR(@Q99*t#L?Bt2tTOOPGO?hlf(OHRqe%UpMWkgOV+<nbI(|C%vq2L7pb{j1&alHq6
z1dj0t4pN@r*b%P}*Z{Y{&5XsrW24O0cW{_WHY4)8Zc<VEX#XFn>r&}CK0B2i!OM=Y
zYuO#O?%1suv>~L#{e6D&da0Yv$5A`{hpMTgrk~~f=4}32D<w>-tEkREM7gx4xz?SL
zx?)Brt$`)`ULPTve#*-(<)x3WHjH~E<@Qau^Raw?+(kVkD+L%OFj2QF-{h;Z7|A=}
z<TZp68ahqpb3BGnXR%E`)W^xCLxp=(C@+YKCEr|sNd663=g8TSibPI9ORc{-ZxHvR
zp4Ij?Q;{HC;ByUMouO~3M&;UYW^W@$lkr!hJC1=kOSmUtb}f6r$XT**OoJOSnaM1T
z9cI8vmw@m;b+bgRFs;@h*JHcN*QyR0N{Cs~M+Dm}jc>*|J}#*`9uFQR&L|f^bb>h)
zl-!3?^J?^cmQ8eFh`^<cWpz8^)Hic8aj?ro?1L|-3mwfxD|3VV03zvZ1OxB>rq(ww
zxezaCdOV<sx~54v2r?}+64o=31~1F}ME_Hx`p<Y?=J9%s%_i#ci<z!dU&mrf3!#Nt
z+1OpEKw&W<cO^a$Fs^!y&a=DH4J_2>GpJ70;>;%UOpTOR=AS0^uqF)C@Fvi6!*`lc
zOxBnZU0lx;fR~asVNmF=zeu5KP_KyLnEox%pp6xJ`in0EPPyp4ZoGsM=Gah1$H7O#
z(`3bPx(Xu-5)-?<l@_<+Xpe6Oxl+Z}9&K%BDaOB^lAfxC&{o(i+JXM%RH`{@8ynzP
zzbq;_@FWh95Z~=Nn`t$h_i~{Od|+%^_cp5oW*>{G3AnV>Vl|$ri0GM9`zlnJiajw{
zIuNE(478eYvQdx@sZZ*wpG&sIBz70PYjWCLu0J>Ur4B3)3NdwDj<x~FG4IEan3~3@
zDJ{RS`DrUqr8r#tCy}~18T=9XWA5$PjZ4d2pl{#k#$5Q(&o<8UHffePj<J~7lVz$K
zS-+zj&)Cp#oq4?#K7z*w+W{*AXpYSrPv3VR-o6D^eQyRfD)5ZYm^xL69%TPf)==iV
ztOU$!YxyZ#Zw+B7o7yorFfnb+)ZAwHkdr8otP7<%pQ358?>BM)*0Y#-*<(A%>ETL9
zY^DWrzoknu*ip$_if+%x>M4Wtz~fz$z5#F(bJ;Ga&6PZNXRe?te+<Gn^4`~c<3sTQ
zeq$FpGIdXoq576hQSHS2lI2Xd4A^k<Y_IXJjii%f%XFY!>Dmp<5V0fgR@r!<mPBlJ
zzs2}vU5W7XnynCH_85{;;S!{wLiaRvlY!Km7;IoQfA!N&+=R`R#02r>r1v%8qnDb7
zcdi&QnPbuO1r(_Jq01gY@Rd&vg$n^&<AaW2=_a2|KfWiBcb#%L<x4AojAdkqh<)?5
zR+0yx%(UgdIE2Q*j{@kC2bn_^951?9J_XSJE#^iKlu+t3&3{)&29MwFG|#S0i)q<x
zhEgxrO`KW+U24a~c>1Aol0O?ex#DGi*wMFNTw*H}#8FPNXm=~AU{+zss|PI)jb5j*
zjhFlLhBwW;x7i>M;e>LZ6gW)(E$-@Ydw@y;MWgQsBb3V=$FP+5*q8W`yTKt(D<|pN
zY7>(s(kq!!tv9HhMfC$6jnD_)H@0~s2v_%@&WsPe&h>HIHW7t|g*7mY1#P31p2Q)O
z_Q`AJz}%*z8~8pEc}smW@%TGVKj!b6z0pf?Y{Ly?kIeyp5b!Wk5q&{;pogAd-HiT(
zsZ8s`#&DFfVV(g~0^mz6pZgpwzfCqP8<hV9%Z_u#rxMTV8+KW<k?n`WB;=lLlWSG=
zBno*)p(DMkt<OTRn{GUefc<zhAtgqQyOh5j;M@(1A8F^jfzyiSq+5LOefM_s>l;hg
zt;rO>fdQ6nCj1W4ks0T;Zzawnrbn}5DH9Gw$&#9VI7%_vyBS0>jU!DwTcJcCHa%j!
z*0sEqB71BO_1VUGsTQXf1T)%z&PDc(KOg$p#LlX8SWElrxiz=!jn_gt<#(_RXJxTe
zG}pa4=)))?5{f`fOTd@{D-~rAuZc*dX~y^3;f-pwa>~hvvU_e2DMir{n!u{uZ^J3C
zH{%RU%3DiwZ5`M;!^DCJD@!d!-^F1{*z1kxc<tNm-|>^#wDyf5!Ok;c6~96p40RlR
zL!<&hb;0V{S*j~L%gsl-x3aBGqmZOs-r2wmy;=~JFwrX6<_Apjis_Gcfm9a#Um^~9
zN2MB*^{9%JsmTQwiB#%;_yN6|fPTu0aRu&87QS3Zzb6GX1`JAAN6|b)43nx3GhOyC
z$xpjt-9*yjhrarf*o%CPQk7})<1><}htwN9mNDfAj-F=mxQVo$Yx|rF3qAgLAy8hG
z5s|rcY+Bj{Q<oR81KkH^*@Vl_0*`NKGu!VLs?MK=5gL}J6grh8`y9RfMviAcOLc~7
z>xA6eYRg4CfpfxzIf}v?6-WS@ozvO?VYKaKz6ln#we-J@2lx0oJbxY4z5)EMoeakK
zl<>pycMK`5=XbfdH&c0xzop5)FXw<*W9Ba^N1|2veHcyBWOh|Wi>Tr@Qp~(_3>VcJ
z2AoiMpjOupZOy=%CTPQ3rDv)SfjZWw>Sq6iy~CU^>itARp7QaR!KwiKS^PhFqkKT=
zUgSAbzFOw@+{)4E9<j@MENEo5XF|H^aZY`-s_!5A#JG|5vDhhz2@er~6eA0cZOYc=
z=*N@;r@d6g2cVQ#1{G+P+q0!9gWJw=+g=Xy>;bK>H$Lvy667b8BCgepilT16&NL~`
z#)U*8OL>?*el61iVfJl<1<g!9<a)7~;<4+8L!Pv($QaDTjF<P6GPkwa`N#~F+KKmX
zbHz9HxqS@JB;5aPEqjF-Uk>usEY0KfqooZqh&`>N;+*{<Fnf<6Xo9fYX({?AqE0il
zohIX!$xTl@B>gH$LEoUwyx}F&h>fiSDp~{uaWG!cr>AeSNxphnXlTQ0RW4<@Yx!aF
zTz^wlY)yNixH`{f^Ljapz0rv0u+NzrNep9Yaj%>bLsW67xtNOPaSBd5sbqDs<hw<0
ze6?NU6}8VZxRY<LsS=U;QXtC%>?;RomBHMdO|F0cVcb}^6;%73=^(3F4dlVkiGszP
z^<m%{9LgFz=aRdz<F#Ers!?UcA+@HZ&hVG(jMP$uPzGHf;kzr!iF;9FkS5|JXe~Gw
zr)#6MyBYbn(OTV9ez?Ps#byWl*n`+WO;&MuQ<y!QpaIm{UXD|VRCNAd+kda6WS82Y
z%R%%j*LGv>!PY0`nVQ-<F9|cCVKN!w+BTZS-mjYaED{8__~kgc_MD$e{f;PZnN3ud
zDPg_%4PU=0UQyaIfX6xU=Sm6isE=N<tXy?-cbaf_vpA{Dwy*PdrC;Aesms6B=%wtT
zNzig_eeUsCMP-7-0{fe<TiRkTjQ~o^bu}pECo-$|(j%FUi%=t3<rT+A-r*7I0M+mj
zbQ3tF1I|LJa6<WRmh$jry}158$dK%<Mb}bF9>8J>^&zsAlBELDGL|S#UJjlC0f94n
zcsH5OZOmuUa2000ml<)yBqOSCJu#Pw=9^{7S6OY?U>w8*>_1!%ZS}hd=j=~`?xk?I
z0v6O|Dar?6@-rbhWW);h!ghg&KX7)aSD~Fl;@>w$pMz%WH2&{2kqlMhjC&lketZwT
z#sOdXpBha?@~Ig|Sgf-?=4_GGzz;ueSs=h*ULv9$>}!-B*Om1q6C}2Eiw%lx*m+y3
z8xuGgQ}?2x8@Wks#+P+ckWW5IYsPOC`(>&HctoR<!4y|R;S9ACP~e(^{7Ltr783Gq
zK8rcDme7x*<Qa=i-!OM&6b;>J>%kW=53wewz0O3g^Y*GB2UsN6KywJKpK_tRvZN>B
z11x`odloeKO-Qz3_pdmmxPs{<Y47&X_wk?smjum9-xGTi<4H(e>=Wcl0+M10qvKO*
zTMwfnK?^Gtnemu3RCAZn6N*3H)7*wIaVTqj_j8cF%Tl6x!B!lWTU*E1y)pxuzum6P
z^9=aY!e$05UmfT$JON;?W{kf!=Mi0P+F+sbH*10@M$BEgXX$O8NZ`|Z_}McI6nXpG
z{**0(t=(Ha`dG;A#5UVtL6w|gC_svSn}l*D`K<vHdPU(;dM{{WO6WOV-zu&CW&A2$
zh?$pzIbj7_!QO<TS$=C~1^r5e4AS|8?yic81#@v{*_*+zu@((P6Vx>@?IzUq#YU=K
z#>XYDVw`w5(j@<6F1M!QN&gAU9nc0Mx?eA~wNgW0)@Elqb)8eL_!Rr}m!-EOpODl4
z1ao{!VlM2yiUvpuro9NHo_0uoD{FdnY67DAR#$0c_8#5>k3B&qtdQ8U=T-ae+!s~i
zgD$I^f1+KAT~wuDeP_C_b9Zak5YWmz)t?FBCnJ34k=8IlnS)tP!xb)q{<cIc@_v){
zkNHVZnX6r9@y+b8q}!K@_D`r4pU2~#%nQel>n}FSi!p)Gu@y>GvAgNESd5BI29Bv|
zQQl)Lt3jC;O*yWe&KlL{25hM<pz_mIUFW^^h5X=*7oavXfr(!QgOc^f&(ZO5ExlZ>
zQ~;t>Do>bA<o$P7fdXeuJkZMK*;l?`#~^3R!`pi^)*mYUhVE)oCp@IUu}!vJo=zm8
zW3n=N7y(|&6^qU2^Jwz9w%)ILJx=OAfIIy0$)FKWbT1SS3-_pBJXW6+jw6V~;4BRU
z&<up<#D%|zA`Xj-HwawPAAT^}&Z82}T-B(lB>_3mpWMKy5|-<{t{7_-;$cesVa~^O
z^wjHZC+!&d#=e0+*B-Qz6;6x8vT${qaa^p@Kg&-8cvEbIj<~XPE6Xv~GB)yPFd3qI
ztjG(@`5*tDHKKQ`+(1{ldbTo7IkS<_ew>p1n&4QJE`nPY!(P~0TNc*!JsSf|T7i{I
zRg&je0r|CcL(cDe(kp0Qs%@dG_{P#mw6&Nr<8bYCv!*3?gGS&uPm8E@l1J`c&`-*G
zBo_f!taWQ%P3cdFt4s@_G@p}L-C0K7#nHLRDgE@%kx#-)`L~~r$7~^LLw>Kcq#8d#
zju}_|j0gWivp?N=ZgJ1?F7aKsp1P_^f|GWSuV%!Kz<!d<zod<?X)ANfsKfj48=qwi
zS=UGv(x{`rUY|uAL7(BRkm8v&rt@n0n3DO%6{VFDIt1~8Q2g#qq?KdO0v6WAk2LLq
zU%koK(2HD`agH=yS&&+SY7-Y(RFghhjxn&<FVYvKld&|upc{O8IXwX23%A8!e~Hct
z+V07E-%!@e(*onv=rSxu%?v0QcMmRT*LJqJr=0x8H@5XRh1>NmwhIalxBOaqi|w}i
zqN51HJe=QjTPD56&;0)3hESWW*hCEvKxTpL!npxVg$tAI^KhTpMR3HMU~<XYeIp^T
ze<AWs*uKj~J2!PLH_C)V#i`X*3$>em8<iVlE8YAqDrdYA=*R76`dC>5)yd>m8K3Mf
zqU61zZC;4D-CxXYk3%07b*ni?AS`Zf{@?YazbZI5@G&^>{6Dn+Nu6zfmTrEZ7lvW>
zv+(5LPTL1ncC_*A@#xS7E;%q~xQTY+=)6O{VUma$VgLI))@fhx&B#2y<j~DEx4h&|
zEJf!h9gG3IDCvRNHn_xrW6VQt6h|UB_!yL)J?O!)wJ%`Xudk11l~4DiDjvAI{l~uW
z2xFP6&Ao}mI`~_<rVKk$Vw4O!4~~C2khp|?Rb7-#PQMxh`qaFz>ZX6R+s3>V+@oS_
zI*n(tc(L)U=I0f@({<LzO66Siy-RNS`R5no!^Xe7dn_Zo_5*)u1hOFiKeUw7m;I@x
z@edsK!q>X)XNq^kZ|^=aHobF?Y6Wvbg6*z@0sUr^>$#w8C5p41_V^F77j455OVWaY
zzb|HO1M{TMAlqi23BHZV&9Id}O<_tv+1T+jWhZ6}IyxAIJkG(>pKU@JJ^c#Ic3Pam
zC1?7<jS@E!uQ4|%xgYU@;_#XbVoX_p%2OO1;xV=XiCg8NfO|A$g4umimIkxz=_p&a
zZ+X?P5^n!c{D-D|JXO*1*VM%2nV@JP@J0U1m*$Bvxx+l-tS<sewpqcxx5F|dV@Vdi
ztKg@Py?1`zd`Ixs#ENCo9K-Ef!v0$4(8vs11+Q`!bZ3Qzw2~@nVUb>}AXetr%_Uq%
z2sv+&FG-uixZoD=@n3`Uj;5==vPN&j*V~++-xl_bHQ*KI9xhFz2VwhbxXwZn93OkV
zBAIzDS4+@8&ksd<8h;k^#3caprdh_TP`-MOB@f*oteQ`bwjkz~8KTm?qIp6WQ%Mb-
z2A3Pll0Fs_1@Y9&czo&EU%j~4|752p7YDQ=&0|f_CiLjtIoNj7LJIbbspviDG-`bI
z5+#;&B=!<S{;yqF8U#H4I=A>ovnaWmDo#63kri-2b92xyXk(D-&LzflJLX6c#376H
zORN#DoKzVmy-fc-c7nq;b(G{aljpZQA>+LEwkPP4@v9T3+J^8Y9i-sNZ?i2HdFEH4
z@m~0*AaTiyqkLj9)O2vR74Kl6B~kK=Si8jiETx~r|DU(2(cC&Hi_qoBfN)i7#(En0
zGvhiC+f!%hwpMiTCgJK}MQ^{77EzS<qrpv24PzF3#aZq^qIY|^n37^G3FUdsgm67%
zlV&iog9-j@$}tHn$EZUtW{bM4_U8zIG5WlD^6D_*rJ7s<Xhh;6FtTBA=)RyuMNgQi
z;*JvT9)3g<!{Jlm?_s>JDSRS@Ydu>nBf1E>LPBKM`bvE$cbuHGqOiC+FgSByFA~$3
z>g4k>vacNX!trDcDMJ(imgEJg`G)Pcbz;mNxXlK8vP@Kno@r?af{jRL4=X+2sCW$;
zI8tYc18>*BUm*qNuhQmX?cGA7YBmF5!kn&0W6UzK*^z8@jQjG6_W^++TY_5d9NJD~
zg+2DDs?Q_uo4jlx*vb>7!yUA5siW<Xi`;_Br`=2##c`yX`+m^d=<IdmPgceliQTln
zHc~|{S<bG?t54o;t!MZwZ`zGa+kRMft%^Rg)K?S{ARcxxd7ErxlXZ-X;o4WS`NmGz
zFDV1!BYCSNpTuEXxLJS-7wRd)VKa9{J4-Ji;>45DmIJO3HomWC`nie5Ny{o#83#9^
z6x{>TK+N1wPs>=ri}Rb`U9ICs;bpGPet=6Klf)81hGzQ0PUAQb9_#eez{;qy*`0};
zM?J($NrS}`x?(zeQP}Hku*|V$i<N1*ibI+Z-~5(CgoRc<GmY{2JF`T_#-*wBOmg{k
zdSa?#wuSj~{wG_&U8*b9b}e}t!lYzoUC+ICR#=`6>x*C|exlD#bDS-msrj%?=#28M
zz?3*iNh%DYhVWz8GGksm{_9v{uCgPs7J@&9|D7io925-GJENoQb8vArt$=lY&-AbH
ze5SRl@tV}q$FoROAF$xaYVQ>Z>i%rQT7h=P?&K~WEAS(dmJn`XwGT>va{xnjboNUZ
zHI-vnyxNj+qK)JAz$VK4&z$*#I2&F(DPH+$8kmz(n+f+W@%#jK(l7ltGO{VM1UHlM
zSzb;CY0|Njxf0!$t}k=<Szhz4PK@wS`z-{TvU2%#5E~aUk}nMcg&Jvl-<$WO_L(nb
zhZr`;%s!7TWV&EuNyG09+U|ZLhCYUT0KWXzPk8%GN-nDY56w00%4+F6{y72jqwU^(
z_#OLSvwvDwUq3z5=42oGV82xO$))55P4LWa#A*U`BvTqgv<JINC!4T|M<gy7aEQW0
z!11vd8j(WCIGW$lF?(Zj$V`CO$zBh8HqSxIs9Z%8aFfc}xFgfBo$0UDz#hTh<HJ7=
zV<)u^LOt$-*)Eq(Zs615HTJg*X3@B!;fjr9HlD0v34ct;kOBfo!?U*O)s8QWFLl^?
z^j=ZZ?;W(N6s+;_r(oXWJH)w7J{B7-O$!WdId4=snsBG)vC)hbS^GR0{MC)?`;%zh
zRLCVTM{qgTm0{C<_6hqT&{>jcCofp8E<3QvFLsTR;n%U{sEP#wZZ}XZ`rV<_a0MRe
zb>)Fa`i?^Knbbu39xw$pyk03@g;#pZqf9pvza{VgPudV|qX|^%0U92okiB0!$gQ`Z
zZ*!RJaxh7M5K1F7)bo9a*QF4;LpmLiUuiHiIAYh#$J|D}GBRvfeJcBbaMZR4QbBr;
zs-;NdncAp4SYp#hNSyfAinzNA89d&K5lh8>%Z@qZ_0S##dEb$w;!XG5<9$=WZd*%p
zw@n4g6tYt)9v38iAFBN|u)?+9@1(`iPC9#AK6uR7-|r@6npGZpnBmy{=CteZOUzNo
zjP#}HEBu!2Y&McVAF7@Tz+y{_{)EoMqRDg#SX2oju9G`OWF?y$z8%uykUZy}`2&^X
zu3vQa{kHg#0yXCxnzBJsj-OiLqkt!~z5K-|n)G^Rn!DE)wqufRV{A2FM+_>`#{$mq
zuNUl_vU{`%(gg2%MV3MCuWh+Z2YE6k`G-fAh}$>`<H(B2tSRT@TTfbH^(n*xgKfxQ
zjvIw}wpEHLY~Dw>=iXV8o_~uUA&<_<wnS!6TNx0k@@c7!LI=AQZ=wt}Sl5M_TORN0
zcasC>T(su8DgQMD5xEi=RfHzJ>Yj3rlSZ0au;BitoTJ>%xRI}^%C?E>K(*@3Hv!qj
z)P<Aez8pPP+!s*=-_Z|1WejWzX%3PCrFNCdPT7+y`VF14!uN9MsL8i@YI*CJYzPdK
zNajEP6jq5IFJ{ZO<-utz!ig@F@jk(|8{;Q@r|nD_IO!ll2&}LEg-fI|ELyctN0DiW
z$ONmW(<ExbSt^J$Mj4&3XU$7y!OUsA(zComV{l91jE_Y9apv|S7gODoaiWS8F+HDk
zQ(h;}6MRZq85X9}xL=FS-pJfz8p<>xIEd)FVlc^z{vAhxmS&M5X%LEQ3Zmo=RKp%r
z9^<VveIT<IC`mJJQO0^4t@|Iuon>2858SN*>5%S_?oLVR25E+dp&3HD1nKT>>6&3+
zh@p`j8l+)JNl67H1oi*$70z|ebDb}+U+ouruisktP4ETuC^5aHKZ*Hk^YqSgWF@=Z
zWU%E&puxQ`_hpzpJApzosVqrZhl5CdafDvxW5Z0F9aZ*}lO=A;G>_Dhf6$2^^V-3Y
z8Q@gF{5N#U(Wr$A9_=2EeHjlU*63X)X@e-iMtpiksq^J$n43IeRI3|ETxNeP@k;_;
zlm-=BPJO-1u>ICDDZr}HPO?lWb8jAd6}9z>WxYeV5U^>p&^%Z(+ow#biL=3cO{N0H
z0TVuBC)_r*-u0+O?QtauKXFGxCxrT-Wul-X|2m%-5hx6W(15GOsVSdK%zY6&sb>7-
z6o$M07*g%w6}=KHJPbs!xdFCT?D~F<c=3&+3hrwp(KdFkm}#*V^y2gU@~uF)^AXpU
z@@pYO_V7H-78A9)%4SoRpbRgzoP#28ZY5c4{^OSpbO6<1&?P#KOV=dw#-2pz`R+fI
zG?On+!ZjgDhOft17)!7+>{wWvX~qfXi@&77i}m&04UU4&mMzk0X6*}uDYgRniVIyX
z_b5j@C8Mdb_TGs4#|-`?78aNIz;w*6#(^Q7NJyM;i}pvgA$0$0(5k7?nip4}_KmiJ
zUA>FenCFoiD6!Z)O{(B(_Um~_b=3VX-Fq7uHN)aNl8NICPo#g&;CS#Oq@HGEcGrfB
zIn@G~weyNu)X^E6sZL*CKEqh^Qq(MtSPxG2VxM>AX>$kj+zqvQ#Z0WP<pD^=9;8Lm
z{DjKz$V689A`5ZnTS~Zp)>*xE>v|f+g^sCIhe+_<t?Oh6*KKX7S6?Q<rn;ug@WYu5
z$Mo5*^0lIrl`$P^egYL}(|az+6tK|pu*Len3ew#6x=!oCf(-MGw8G;3SE(+zIpzB|
zwaqCIOLF0gYs$d1snDWPd?`&H{$!|H&Puc(JyFXy6c5|9cm5nv6#{8J&!O(|ciey3
z`|U8>h>G&ZPdq40+`1yS8t~dj-2VhbXR-4;`bh@zXcpCk<8J$WA@zK6a4{q=J3A=&
z{0avKVwN}u^Uu@PMb_8_)s*svg6w$@iaohEI-HK4JZQDqzO|ZJ809fne%$P<ImFZz
z;x)^=#S8AU4L6Kp@5mIKjLt1l3SiOZX|?Sp)KGjiIi`)fQM5E8>%o@O`85_A*X#C6
zbe<(3ZtpUOT@Qj+Fl)0ucMIMU$k}f~mB({ndyULpnw(OR!xx;dc<QrnGo^Thxq=RA
z5njGNxaOWFsv6=R*#R4_8Pr+CO>JDb({}w-k;9s0x<yS8T*eQ>AFMQJ(&|R|z4#?f
z(!bxeM+@rbLjv0vWcu)gBjb`baHC(c+HB-FJT+;9oL+OX;ZSp2E;U#$*IiD=1%Tkw
z(D{fhpDS5d_{*cuUI>pgqgU*;GW)Bj^|&=xu2QF$S&WXdfxB}_sCuc~$v9XY>FX`A
zPEQ>0^{u#f-ceXr(OL?R=MoG0j~e8V9}RTp6QsteNM$dYiRs`f<A{!AX!}{gM29Eb
z$`#f8hc1})Ofw824-K^7+ZBS;TJYmii<;<EBpYO@4zlh0OBrP~H!HDHIiY=cI)?<;
zJ)Y=(j>E8=<^8%*o3~QNVGt+yeZdhh7|g)H+1PbxMczn0vn?}1iazAg$0w(cB<KA)
zPFQ8DyOqTK(>7&@cOjSpIkA<be!->Nz`-^_?znTz>$9!>_%BSM45H{kYG-+$3sk!3
ziuPZ}Y`1fBmJxUQ38T8%;#3}1Cv8n>pB5@~pi*u@*^d@x92Ry=|E*4~>UuBxi&#4g
z6||=7IgQ5PGileHwR`R%z~aZaI3{H8Z$_MQp_IOIv64~1(aF;A94|{SE*&6vWIrB_
z{az7Cb>{cHVmy#$rK3SySOGkW7okJcVsxETQ+6z;oDMvz&rNy}ztO_@LNS}bPdd2A
ztHta<c)a(MLOVJJh_OI`5hD-rDJu_3yBv_<`(Y(+YP$+)DC%IMFh8wqhXCNXu6#G`
zxk|>16CIg}jpHlJJ)9c2SG?EO^--`=6FZ!Z>-2>`zD^(2z>k6F(A7V*|DkML$YGuI
z{C*St{BHa4-OLy6$KCh;uxjq^Kd=A&A|S0}Cp(LWyAmZ*r@e+<X)E=>uQ#W6Jx@%H
z!$O8nA^e@WH@RXxHZmw-1_#F+L6V=R*XC!;ZITH5)j)|>A(atl*<>)ph~cyHO(|j@
z4O?-XXc(K9cpUp+i0;D(1=TnM)xpa@wi<CnTiS$C>p8a1seNA|Js6V@e)Zcc+u+7B
z@)unzm%;czib;jFrvnZ0-iW|Qj)pB<7>$$uFtFGS?(>R~<rFrHsNo@)KXls_=Orug
zauggQiJxKl@uH?WyJP=<-b?vEejw=er`H0{6?&g;zhu05PD1|K`gn^q7M5pH@sED$
z#~x?oxr&6<BCfwGHS^JtbZfAF%Q?<~aSRJ3C(fSBo+52=#Nx5=x@Iw5c$fdKIfv8E
z!@q(hxW!oNTv^|yZ776nZBRqGM;{ce;k8cQ6Fs;!6FxK0W*=iO`||BQJY=Fc|3<mc
zN=`;LW?M_l40xADLM$$Vkq%`wBsuqL&mE2fvZ|V%^U!Lvwh+0@5bGY0?GLiy9idzK
z+g*Mm{-uGTp+uOIqD|Kng+@20j^`bjX1?0zi)q=HuqB1C0-LmtHM!sSh|9@-(f!wL
z-p<rCZ@DdP*dH*)Gj&VbADKfzmf7^dytZ-!h5;vu@;g-=HOM0l$n_om=D+(ix46UI
z&tqeB*Xs)T&db-3$5x4q?2v%XA$DG6va6sdtSM(<a^I>0f8q!x5>9tBG6ubl&Wmbe
zZIGW-hT{hPrMbRvxMaa-QPpjknLr#79Q2_RyMvQJ`+dm@+Yzm1=o%^Q3@bm-R7lrz
zNL3j-BgGO2h1FjvdC!a;=$Xi1tn0G421pnHc&FzVffr!%vNgY97=7>uXer6@MQC!J
zaj#Aqsg)5W(z0O7uMJ@XHy|ZiNghX1l%DEdBTXsBm!A;Gq959dhTA6i5b*S(c_1#$
zL~AXnLt|h{s!xr09J^$v(T5NHGm}HnO!kxm-Dc04*H02RgjgHaa{bP&jVe3?&UW&?
zdiua&z24k{@FHZXtDW^I$@)4{Q(Ps%C$d#WIq`ai9ngS29S|gp$(Fl=dkI}2D1vjw
ziN9U#I4BG7EUkk3%?BcRLse&;=W$o-drg1bF1gfR&<vXB%*9)75*_EYDJ4}o6-Kqy
z2{$a8Kd{3x6ZZq8TZM4dLnZ!3x1RZh=p<XZrw;k?&NlDr4sM1-lC#g;)ab3{Tg+zV
zBz5T)FGD^I&xr*v<*zgAX%vV)GnpSy9f->Gar}p3&{B2Y%jK{_HDP&J5g!}3n0`(A
z$LX7J%dzHWcIw1Rt10iYN>X*q%wpJh2l=L?h7whQS$0mVLw(S#EbJiLd_`CfA9POh
zG>Ge<Q!bE`LXG+KLfP>Da-W)8NX6K0n~Hg|UQ|fY;64S<lf2u;{DwJs#|y;w`7IT4
z|Gmu;an(lNRx6LaxK*ybHiO+AVf`{X=ZU(kYV{{?T=g7eXt1o@`nqKShBmhPk<W!H
z?t@m<8*$D%vL;ZFkUB0~cu$_jD(pTkNdYBbbPmcf1N)t<)nuKggEo`=a{-8K<WeeZ
zj!kC{;7i79>Y{jssgS`z4yYmW*7ZOrn`yILStb<Z&`g3p6okgCg*{UtSJ4NmjEjw@
zNSP*TR67MtDzoVE#ziP|C{t6FHK1l7d*8&EP0DTvH<NDnq&PCxDL%OGU41O^!7O9^
zIwlxMgaw^(VxcWzNcpQ)0@JcK=}Y#;2o3X?W+`Y}8#Hk<_0TRH<UVhKHh(GFwt@zL
zB$<ge?D{`j8#+CtYiHL)u2(X=jwQ3~nb#WdjvwEhvA=A*d5;;t`NcNh+6_b0E?Vp?
z76!`4taUfhEa=#fHuBUica3W5F}n|YxfBI5YKVxmTwk=pGv6a4q3V`0dk#vgh6!2h
z1<fD4=iichZD#`)XsKm6yg=tyKgus={dKS$R<9v%Yt|#z*WA*??n!ZT4E6EJz@J5H
z;W3=YG9<)w?!Jiex40)7>A8U%sOz}(qulwekrnk0rtV1xf;u`K&Apnxo13dGm~i!q
zXbC>C@w5_YAQAm}EY+g?`#2ZXxr*;J<m9}qDIn1nKB>|<1~rRz){Z@S)-z$I7^n5q
z>(3fZNmHZiGzEXs3@OC<Qnfg|g_PD7y|^+oduwX-Met$(F~XX!a%Lt*AoZ9yc|0bq
zQ+taV0@iWYQ+TF*DHgNi)}mXqr1lo)Q>0>^Wxt_IhN>o9M+|hY8$HgEUu+s+OfCS&
zc)BXFE>)TH>UfHN9bzlzH#bq&u=+%?X+C#PZ^2^VgIKIG*P0~zrXJ+$4~h6YqDq<I
zYNBV96?a9HyN#4ld*A4V&-J%?T%ma~RrIFgRg>lfydMEHKazeRwxkv%8-^^zrAnX4
zsNQbc-b`Rvz^x;}PAxTsWV!U}GV^^Z&V10<BFf(R8ti==rx7Ft@nRqC<cF~ffrkkc
zmUneQ$8VZ~DfV&ipEmQ<gq)irAj?o>p-6=Bnw^!+C$XMh%ZpVXWv14VP`SR^*&hsr
z99pkn$};r0oZbGP#~~6FQ|mO*pfxUO%+xLkr}iM>3C|a<#%*OsO-n%k(`x<S_K`*9
zASsgV)zyTr&}9{uCN;J=%Mr$s!(+A2c1fd)G{2cA=Fm<unyIj%Go?v)d}iPmEud9f
zn>~-4tF^zIhS|K1#8aH9A6mK|aDzMrpDo~`r`2LgYPuG?ax{P2cu?l+Wi7sXU}RRp
z>cv4JkM-QYAEmXWWp_6eZ2@Yr!EG^tA>xsSfslw{HG8}QHSQ&d|7>2rZ4UMIWs)3Z
zXT5`d1n=ujP9$q(#lRJtHK%<qz)L4(b?$WAA3yUzbLr%Df|5j1j~1qJj@YF%t+-ch
z6Hu=*W(3T6Tjbt~nPnIj$1>vkD^fGb)bY`ByvB(~DF03icAx_#{~2(mH&ELVuB_P0
z(;L!nVCIhP*TpZ~zS^-E9aYB6!A5(_AcEPQK+PnUHxo_F$@N;;N7|dDkm|E$*D=F-
z{-%n=IM{!ux#J<!Da=Z2AHXa9Mz^}rN-t{vSzqx<YK&}_KsocovChw$QP+cJA(OZD
z3`26ph#Ds~_P}^`Gl<ra&cCDMCZX{JNgwFZ#iC&Hg&x@vP3U9g1zrQ?tY;plttEm?
zarZw1T95FR0~Sm_{OY@HHn^4Xzc~97CMFPaY?oVd$U9~xukVK+jq7s6*OmX$0^@JO
zN6=oFLVFP>O^#^`8zS$XX4$a1W_*Z)wI^}ZXFMz)BAFQrv2A1WkV}7jT9qtXHamV8
zZ~u!nGusr&c)Y03086g++mh+3Gm(Yy_6%yUP11Zfo(ty~Vtp%_kf?NCFZhQ4B{8HX
z6?&y%t`C|7k)y3$5g-RTZ^&J@jkB;Bw%SIpOO5r{U9+a}QB*P_<6a#JCGJ*~$)4cT
zC-ePCHGj-?Q%Z8JJxM;4iR%lA1#^iDt$h%)NDPo$JYR+$&^@ubOYosk@bvWNlpi=-
z<Xp#6ZcUeERCgxOFL>`S9AL3ykj;s&J10ht3wWo7j?2utN{R#lMk`27B7Ao<?DzCs
zeOh^-BCuCS6Y^9`_`CvM>7??16M{uVJ&U?yE#u}%7M@8^M-c1nKlrBKe*&$IjX}yR
zDc65FsJk;&c5p)MY_{^*#kds1)3oes3*I#!m)sykCAwmMx+6ZbxrN@vjYM0_pJv(*
zAK`JAl)j<$7pdb278jONNpaG7JDOQpd^jX_S;X7ZLvgs8)lT(n!fgPn5Q*5ZONlxo
zfXf^M9X0FExkPMJ=4X^6u`#r2Ex!}xaS~j^yG}|Ke+Rb`EkW*!V||MD_57E`S@F(5
zd{K^k(e$Hhy8hWR(sIiPe?CGwT1rhr2wSCs>|#&>5@!yR>VfX6|ID*tH@=Bgl+eEe
zO{>G#;qCRf*LhBw{TN2cIC+gxY0ppLFKo>eIn;Y?6Ub@nIn2F@FwxKI<qnYD#m~tI
z$=}>d;g2jhIrFoclMqPc*U`?my>xEYojMUCgmg2qKL2uf-5Mx9n_vF%xA1|orJ;w#
z6@x3$k6E0|n+=9pGA2<+FfVPR^aX9xv}=hlzwOHS#2CBut%zQ)SyjON;c9m_=3988
zMwBa>PoKm4_~R4LEa80B&pbFA*(o0gZ0sy^yIEh?04H$E=z610&wmvk$bM-GsN~*W
zF;+%?H25=D&<heXF*b30^H!AK-+Ets^k=Y%u$4rmodZ#K2_R|^d;bT+^GSW@XJgAE
zLDd9ZpKVik6J8(}dPoj*lewm~{7-4)pn~ec?A>BVdV&ToFMOjGY^xJ1W^8qfZSgxF
zW0-oR8BX}Z#`hr%dfBAB>`=(Z2RfSRrpuU`EQ^hM4a!k+xy`yB67Wp;C{RqBQFNL>
z5%Q7PfPE?jj3^l<I=lTeD&PqA!3dquIYYZnQm0iXyLhj=eBQi`bBs4k1!#g-J;RdZ
zGLa-=A{>#CJS@zV6m(sNBQ)$%mCw*KkMDD~D#84xIeouP?5v*ms0GkB>?*a8M0Qao
zJRr|4{N2c2YB_)j!`&s5D5Zy6d0tzSw7Z?~=(NKPrvB%7)`G8zUHa$lXQLAQ%T9g~
z5%?|gpb!tCJR`qol4E{jJ|^Gs939Zy^e5Il(AXggtCRQVFo&^G0F6UyGzzf;qg}*r
zZD8Pc=k(waEa0??Xh~roFHkQLEHC+ELg*)_Xtx>p8ufbQ%^@ScYa9h-=Xhdy_^3=_
zk%W%rFjUDo(dBO<%D01Ki{n~|lK^{AoV-IH^Ou4_m7#Z~w+DUK#y#h>HezZr!p~_c
zlEO6hx;0;n1H8?tCvav`JbTx;D8_C^m+yApaZ!D)Eiz=32}+opY*D8m{574X_jLRa
zBH(zTV--GCy^yLyF22(^qNVo@g`}oC(*c(ZN+#8U<cM8tJ!d;wLM`@V$-s{2GvUg|
zQ9d*4yv&ng_!8^~X~LN#_gw4uflO!@DRJ|xC(BOPguRjx-uoGX;M38{DIgJdk7FQF
z$)omt4r4swoTKj^xzgbt7~sE$O1n~UUzUWMGvKk1q<Az2qFz9}3>9HL#eA%bh$~Wd
zRWvMKoXtk80BVxRQzGJBpO#wIWf4JrB-*<EP=Z;BFSmO-vrgTb`1V;}jeq6mW@G(j
zHby`(IbX8v)(l=>RYH50SVrTNvACNnn{ACy(<J9{RO($00GQPwJxMT}m)TM{X=Z&o
z<~s110_+4kZQ7`8xYve@U56=LhB!!bh(G{>knwlQM?izw79Z7bcEM}UGt8?mspLu7
zJIy86?p5|FH@S17>XFab#wkT)c2@2@{8nT80_I>lE=Mz{SnLm#k~pajh(-)P9Z`mc
zcXU)5DIKM-qM;BvGh+CC+95B620oj^`c9uuB5-8F?TF-J*f`|ec8AHfw}%@Ub$=Ie
zqw736yd+VMyh0zHtnty<rhEI%JVU`9$Av|W&GtTck8r3-z~nN~pcA{zPCt2_lXegq
zoVI8|ks7O<IEE32VsWSQ#c|9lCrUBTHNPclr^1)`gzl>_r}xqKvXWrj;~yj8v{|&b
zNxYS3aG|>mph67%rIag-Yuua2Noata@f3&1K{h7pR!lDEu74Ryr-;RMWhEw16EjB%
z{D+dEoI*kOc~Cu7UPy$7GR-a(1e;ka6ARadcL0WG*8D6^1>?YA?x&PBJnO&y%5%%M
z_jr8$`$vZD0z4urvSv>4bghMoZ6*Yqt#}Xa{eL?;VxC{u%S+uaeSkJE-fMz`Ow73N
zY7_6%7RD_YiU#YX2^uQlZYM;GF+ttE`i?OR>V<^C(85qT?cg0IBcXhLg4jGI+VpNF
z9sa(Im!1bCSje8It+v1TwKaR`W&}bXj1SEXfObq9pE9(5v|IEZCUVA)%G`E)j23DD
z$v%!sA&+Qzix_t-3Ry!>+^?rzC;Ds@T=M9)tvl#jOpsG_hiUE<#Qp`LG6&oYrxe}F
z@0jxyN@U<<jf+wcW2+@D%zid7m7j)qpG~g)hf@D3De|fA(fN3%_g(hicfaSy!kQ-w
zfBqY}dH4HE^Us};!@uKy-eo_Otvw4=%`2r&*KsypseqC#{_(d;)T8qthmNfxCl*7=
zR>8}0noVPM)!WvKZgR8E@Gpk6?Q^4cLNbHPtkR(=a+Oy#*>64ww`GMtQ<19Zptw_^
z&!_2!s{(dR?s7KPHi@mpM?S0>C0-0WVq%yWTYJ59ui~S$l`}_$hIl<qLCMp7{lz#K
z0`-T#!siamJ6Rf~!7gsLJ4jy96|z#_koVgIYxaGTO`UC}KAPXeO+rJ}#FbDS=>e3s
zF++t5&@v|g7U#El6c!_yN6cU<8*LwoH{Vqc1?|%`Km4ZqW6FIfsBa<!=;h_<?{hlf
zUevU9bj%eTK2JTCh$Mq$-^oK~>njtfQ-2ql7rwHY(lk;^a=;E;lJVgSZqYHU-r{3P
zr}kZKT*X62n=aEI)t=1BLogj?)A>weAJ4ek&&zmE^LkJB^^6ZZokLBm<rddi${D+I
z-v!{^k2kGeN}Mk&Y5ImrJ822J#=I@k&Yt3P6nCE@X|N=GYhb!^@^xzXO@sOzC^Iw9
zi8@h}alcj$uEb(n%u_U!8FuzqQzNT#mb58krr|eYNRC!dd{3T>**cl=>)+;VRNF`}
z@~z>ovPvf)docb^(<)tn11Y<<)c))Hm&k2-)$f0|TmpDCm^2%H@{Qc70i-=JWYJ>w
zC(-1TN56_Ml<nv@0i318AU+?`GLL`#<9zMY#hlC&Lj7h~TX3G1);S28IaksKA_%wG
z>1~x<C4EmZjqC+J);oxT{(4UN)EI1CNMxOVoyoL78O0nB{y8Ng$SlEW8z&qyJs?-z
zyZ$B4FR|m$W3rvrapx@pBRGF#-GViKN+&@D#*8^|7YN$!Yg9bd%!0kuu9O*i9uB&B
za$K|VjjmF>1_4#-+B>pM5=%di|Cr2GtL8@vofm%C@+(mx@_~>SX^1B?X5Irf`qgJ4
z(bR8moL;_@IfzpJ;;!ybQnOE!a~!sluCmOcc;_{UUGBa<N-@EblCq6?M#fjy5Hlit
zAXF;GLzT3z6o(Q^CKwhYj~mtS+;gM$x?R-FQ2g3MyQskKI0x`biYC8$4Rhd%^~eP;
zG=76Wu-K|+D64)ym0i^avZ}fU35EKjo2^RIjAQvHww(FBp?w!Nxh1@GaFQ-o8rqHl
zGrAC2@tQvGy2KfUc}yG6ozh!g94m2MEcSV~@_Ko5&U<lbO$iS_;g_2uOcVy+!VaGQ
zKPv32M9s*$hca57v25Vog<OmBZw;znn)pC|4l}`eQeL4H4MAH10b@SBL(+_@@(65S
z6?{`_qao-4Un`8>F=J3Z$&(I({>BS388J!^o>ro4)G~E?A?S*0y-)ujwW%4_?6%{{
zFIL;dA2Ea~)%~T2(!XBWt?eaKrGgsZMV!#5P!+zZR<q$rRXRBCTT}(b|KzQ5HHKUV
zID6b<B(;#l)o$B&4vzP3<VDzUv1`GI81P~1h$|6CI--9=&oR2bGTw=1`_|Cd2OkN0
zYfG?qtGT(q?)-A{ODgyktYTeVxzS<XaAeHg5R<B|mP*T#_PLT~o$wN@{VgrG#S{z+
z3X<B^sT1$OL80Y`UW7T?H(Hpvf2c4%6b`&c{9P3iKX4IMmBc+pcA`4JlLQ~(s{>O6
zym7GdZsSz6u`*$e$>+x0a?mn6>)tmGQ|-yljPP8u4o%o}Qag#Qg|2#HN2P7CEDM^7
zp*c85%OeZ3#qUB$+(C+h`Cl&q;AapqDjq?L{u~>r6QRj9acy&taN3DpFtoV6StE2q
z#Y^J7&TNhM1io8~^ftSVP6r0FL|C*ikwbSX&HnTi+rh|<h^m@NrbLR_Vdkub7k6(c
z-tfXXgg%(f4GF{hWN!^)1r*BMZ)dv2aioH;E{GMZ2nVV`6jr6k8+8CR)3Mb>?OMwT
zl2*x5U%*XI$9iGHadrUQ8*krh!ELdEQLDu+)hJKmo`25iuRfLLldM+`w=K}a#?P^x
z<TTs9bgY_?TKxhM<eTQ03Mg#)&}nxNceJR<bvWJtw>IjPa21~vz>^lGRA0_y$*?-4
zz{)7~t3o#e-UlKYj`#S5a{g$IvtQyqejDem<&O>RE;_y0q&h?n_uZiSlU*1p2V>G<
z(SqnLR+(mIiR1^y+9I=k_6-!dTjg(&JpJ)W#jO1gr7?7liieHvEl=AdxkLCM&22*$
zuna9bPaAj4BR^(C+)U1N9QQ=MVssls6rqzs{Z&N|0KKg6To_>R)A7Dza^U*yCz!1?
zT)W^u(&+8vVpYE&?**Z13vR0ye}Zqp%+t*&LDH5_w;g$&_@&C&f0NOLvSs2M5`+{{
z$`vLev8M&@UXL_?UP+s`WdEaX`u9!8gJ3TD#SG?8b?t!BRctqqFD?uJhjZWJ#d$NE
z?`BqXX|*XIO+Lm9MwTw<cdzhRNPBt~>yMmnoB6-8SY8(16nv<!?y&|}ZDRYpEJ`RZ
zcsxgo+iN)$x!zOoyWQZPQl|*vETcH|7ZqyW3+LfU#*Xb-iMt;NQ<97WZ&vCX6CGdV
z!Xlrc{+4p@oJCdkD^NyfOD@DtTugzSbHO=DX=H{Z11oswjv23eePHZptYhMhhA0!;
zks`7D%L!!aHTRIT`m@FWT;I#j{g?N@F<|?AsMeDlx+`mep&x2m^`12z#k<zDch;wr
z$Da1|$tGJI<XvO;vYb%STu3GLK(xjk%l}&ADW0ae_2Kf0uz8`Ed-*p{<crvuicczq
zZZGkf{Vd)E-}}v0W&0I#n{|7n2*p((<YQj8nVx_6*YfQ*7$L4s6OAgBy#d0h!u@tI
zrY0NesF-^Z0n4~6N1OUW$`~}i^_mDjHI*`6gIlJG%PAkLK8P5scat`lz1wnixm*pz
z)xC9@3V(MrbI>{(nF#_dYi<C+s2e!Rl0hiOwxu@xZ^>^auP2~^!!ImB2pfI^a?El6
zsN_Jn`|GGtTdJme{+NI?XJ2C#12x7|VRZ{)86vzwa(;67LvydYX+_hcEk|VOCD<pZ
zc_WT}EjpDd<`BamE{wToIib=-bE%uqVaKrJxl<joZ`a6zxFgtwfmH1c*OlJYM;EjG
zP-~{roQ)^bk30+H@)0h{p>`BJDQHh`pLMLkZt*}XSUXehU&rPVxwKs;r>1`^pG~oE
zya^!Av9`m&r%ymK+5k~}bGb{NCr*zv2<`Sq#Kh)k0%or7R~l5zpdJq%LjI8I)!C-C
z9v`<QkIy>#ZEg$5>FR|#fSx1=|8L<5gBOfxIuf3+5sTgZ>Zo(&x&N3}GZO^q?MhT8
z948ACyKrHqoRBqB+%N^%i?vXF1TVjLD=M2I4<u_XrE>;QzK<y@dS(Qi%y?x?RsgMW
zbcdUGn1Sx2eLR>h-<`*2)R?Tg_B-`o!^hPn7S|_(G1*r?CZ&VPS0~QbKUyvsWk)RV
z0(>}xl6_ccQQ1*>*$uICME58)4s=*QTA(*cXxF=1*b%<|x;dK?07Gb&&3aaP#7INu
z_`)3KoDEIntU8`%`f1*Wk41jPrx|l}a4-wOI3QF}5dG39)mR!;^6dO0G;Bb@Jt$e;
zv{hrN!+(2ci_1MnZZVtyDz+p67tRz4?;=wXcBdwyu?u1?jF2xvf8E=^_dc{^zC{}X
zD&=MK1QSr~wsc&!Ddc0sMm8UaSmi9aby*KA8`N+iywO+MCzZ}f9nyqYM<v<kSb9s(
z->_A$8qwRdb4sWUSr?hLa%Z|gw^ORLn*r|XAX9{Gg>1_78dGnf=^4AqH<VIwE?auy
z1?Ob4&b92JwULGHL>g0H%}IIV>kvr}d+rUNzJ@zK<akh{uc>#EW0V!-Uha^f=pF)N
zP&k`-bN1~8wkV&-lL_77AmxJot;geu#+P%hMi^>rMVaA|*1D1yt<g(!6WF`Kdp@t~
z?eCg7YKl)_n@Ao@($f6l+tj~lsluq!k1ip8=di7JiJHdpoMTctY64o#;6Pom*StWn
zxL7P|v~8*};Xc>8^R?~JY~!9aL1;aOBIb=@P59J2@V9Bq5>YfFDkArTx&`UzwS;A!
zaq*p8lL0p^tB4=&9*0Foz7__N^pM&UU%2@Ce<=APY11T_DoxG$JdQ~aEC+VpqdipP
zDF5(Zd#2OVYVuwt;Hxl+R{yF-1kCFZF<zxmQ3Ll-aLXb&1qhIu7L+!9)zlizTb94D
z<knxLQDc7aU`xTOR0RMWH#YL5O23dJ6lS%L?#0JgQfz+**|*}sOpZ0j#DLkG2jpeN
z-4eTalsq<I?bW3BuCIrElmL^?XvYac&V6D=nAdr4Q;ftN0H*gMYOiqNDP>Wu`WzDe
zuW$GLiNoR+jJIi)VY7Tvo3cCO1Lf=Z)n#wf=lU``j(-HTcBTZ`U$%e$I(LGyH)S#k
z#lt_5(vYO;`#F0LafG}=78Nu(TaQXKz0&Gaisrt5YZ?8qf6}Cb(#2gvX!y+Fw~}4<
zkknWvQ*)FjtO(U7+ohNO_xWZuVQUNER0{>FWVoK+1lZNH*%c}>%^Fa>X+KgiQH^4Z
z|8|0lfM@D!8qFr-3lTCZsmDtRH|!|>R1ro!ySKaI;U|ahzS?G=wGGGD>Py5OW5GGa
zWoDS$(pwtY>|W#lZckv$;Df9Db~^Iy(xih23$fKf+;#7I<+TlGs~GixV09Fi1C0E2
z)Nf~-)D%xUxMA-4o43z*-pMV+0o?u6Qpj4Mrk&C&X0<8hPdjAt#Qs^1nZiS5{Rng0
zp-kX&WbW`!(>F;ocYh&W_xmqf4vZC*SlC_uWT?|v^I9oW$g9S>o;D=hDvldcC`<46
zh%PPmp|2QKMJ9mgA%=ca>OT|$HAj1=jgbCrr|HsReUx?p7sb{aQ%hlWQJ|7g6`QA{
zb1zZ3gCHw>P@7?@2V;-Mp#qak@K~ql___Vhr?xsQ4vNqT3oQK{YN4R{-aC><rFd6^
z_5ByTeAe=KUZnnDM>L2y0Wy*%)fK*Yqp>RcMl8Sld^P0nc%T++nKo^rePgB9*GV-u
z>937PlYkZ)cVv$B(F3eO)G^A5ueSaAx!2{r5MyFd2UN#eqEtpst!;wys|g++)qg0F
z(Cv>M+U7i_#o3BmfCkMw+U}6bBP0K!+cXVH?eRSG*^m9X%P<{eqB2@n!bJ9-6%SFS
z%_4x6da%`2JS0M;q_968q7CY3j5EKBk?K@22K&WSvsJDpeN;?p?G)GOxy;R*8%yq6
zY80ONn#X6+Arq&P03}J{kqOBYj34#BPLqqJA_%pdn$)e#`;3+Yppt_#V%+P}uzd;<
z?6p&tBFn>qy=OUHC)py#{jPsQ;@Jz3vHeCtWgmzv#2j4ekt&AV^*<Y}A&{LWXUjW8
zl2?<^omBlTR*v3YVlWR*1V-9Wso`O4$x;``Sdxp%g;xk;&@ZO?3wl?hUA~g9vB-x|
zM`;@gctn%55BCF}5*XtLtve4!0=~s2$-+XLr8xPX$`#_cB~ud+O?GTIl6LneX`BAy
zQ``$Cnd&3=n(E)zr}agA*D2OMAG-Ea!a#20{M&3z=_!up3kGGZg{j6hLZU}}&*#-@
zEtUwGLsea)udr+=A|u61yqI2=2V2Db3lse&T9|bWi}nlKehdU`ye3wc8j`JU7ish7
zWtHVV$bF1v6A(8OoW}9!c35NV-yQ!eefdf8SMxI^qxr3++kK@))EmnS^o?31Xi|1y
z*40;P(gy~Lq9`=(gu*vG-e24o*$N}%$Sn&bCe=Q?26%JEXxBx#y+fEQ3w_yX2b&D&
zGj#SQs<xPZO+9Gp)ID=nP_51}DX3V>PlPDcf_ND7KlX5>p!*$A0b%ymiGGi{pD}yY
zo%joH(CV6a3i&mAr^aPprgB)ga`UT6O=M<2$a@y=`Z2KdKO2)T{>$M{KU-v&(iE&F
za$=sGS2gc--xp^2ww@y&R2z=Wd8NO4W^w(V^?HUr1l(GpK+^Jf-AT#4Q+_<SYE=5s
z5Qm)gK={ZKpqa>S6K2x*wj<Rl#mQ*_WqiZ+P=OR3iwQqjkA2v%Sfsi9>r)nruIV-}
zT3#Ety;jhA1~EG%+<uHeAjj;`L~R{N{ACjxW_}8A{{6YA6~mm1GLnk^&foXFe&ZQ^
z`D-3SKR8=hl^gUN7QjD>tGq!V7z}=m_ZK=HRnAJ5Xq#g!i-8Y2S{1g-2dLeD^C*PQ
z!xXw0SCD5XRx4iB*X?vXZl|lWVa1@~usK?u{@SMZry)EvDaMN;8qu3kV_d+`Yz6tm
z$LdM;QM*Q|cFi3*glgr>E5;Zw*wA##qEbO+iwDg&^22c<p={W}+X~b-yQJve+7olN
zz;Fi`XJzgA9xzRRRZ)iHRa%8=nHGaM74C(HsiW^*QIhdEdV42M0aZsnMJx<2=XRj_
zv;`{Bs&4mijk9Akb#X;nCezR731{4wkTCh)to@KXrCGvD&0^(Uzt{7|oKW2x>Wnsb
zR`dhoI;(P}Ra|F;@q>QG4cA%E+={2qP93sgl&GW7c>aCXtuoQxa}2D!=v@x3Zu!D(
z=fK2h<IEK*AoenD7Y6l`ZgHSHR4=AzwRFFHYT2l|a*Z@u?t9%nffZCuw6*q)=<UCO
zcaeH#V4_&%wN6<JK*}?}{30AhhZ33hUaYWhMngu8V5cPw3%{CgYNpm%jszkjX*(Ds
zlHyX=$)kvjA}J9gnQ-ZPh#1%b>vmcfA930Ec?Z&mXQd540i>q?LpjK$*+Njhd5qP;
z|MbHb;xf8ATs4`Sa*d?sUYELW-1+6^#-*U|&EElnG$-^Jm3wW1tsR7#fSwYinq!VD
z9jy^s--AXuX}%LtC7|TCce=+jFe~v;z_EfzaP}7?DP}$y96*n&puvsL2u<U`aS4Bf
zT`{D^$*LcgUMz-?#<XD<=QXD>3wrSb4N4f?VMnF$6RV_V&vbk{(7yg!bW@4w4~7Cx
z$;lesHLuKX9@Mfh=@Dwd@;#xc{zU0d>5J11C-O={anqdM%r3oUudBQKttXA)4f56`
z^{@(*+uf#9V_4ACE~b^ov(y3h9J<nm;=8c2`jU$A?Gug<ft0@E=-ZR%VZ0Q&sVU*O
zJ(@)p&gjXxuKL(k#s<|r<P1F^95(hQ%*_TJ7t%uctYx8=_f)GN^YFPCbR<t$?#T0$
z=q?X@${ZAzB)PJ(j@S)+MP#39<hs=@4T^?;q*#N-SB2vroN3Rx+dBEqM`TSfDCHP_
zHyq_&9%Q3p-i4v;(Ydq4V^`4Fo8_zWSdg10Bq^-oT(VV^7B|>2otn}$k5Y35w@$_Z
zv^=KSyD_f*y*u3nJyF(tTJLu8o<2!N2;nx)_`iZAy~9`Wt+UK1aUTPegyd-DLQ}?Q
z^iNUjXbr)?K7qk8*~HR6Xs<^6emr!PmTbODChYE;3kP00-O5Y{k<*$j`Ooo7gHc9a
z@v`CDpS-`w1C{13zc4Vgu0gKdZ$H_~I7S{^8pjxFD4EC^C=Q@jWoi4A=-{)C2p+1?
z{d`ZBF^}J6&uXZ|PydbAz%JkFpv1>658xbU6_^Hi*nNRDT0P9KrD+!#ov+Y{otdaG
znz6dp;2P^|C=YRhB5-3J(e)HiUkMua>E4$A$tHQjI;1h0J}u~D;G-`DA7c|Xu(8aU
z`SE1{Y)tdXylTzY?Sq@Gb2AQc1e*!<jPKwSaRn)f0~^tII97I=p-!Hjqoj`$#alum
zGeV-uZ-n?d7)_XpjzDiu{!BVYms3jQeeFuOtq|D*6M(0bCvU^gPth)4+>+ROQh6}O
zMrluIB!?qdA$NA1n}HD5DUaa|g?qCO;Os&sOi|Q+ksYTpD`%3sC^7}Z7>A4(07NBH
zAx&c$rfl~gqE@_5Bht>yBO~01k|fS9?c^fPDlAA<^Ds7g5UpkmU9!&4X1sM|)*^^%
zMB>DJM#Czh#W1UMo_0<GTu(RTw^CSNKUYo5RL#o>AL-w%XjvuAxV3PMvB2rY0#=UV
z#=Tl)>=LS?ada<D?&sZ`4#|jB(fJEHI8YQBh+iR44-j&-e|**|YABBX7=kHl3<`Ts
zSI&+^5RQh<@qtDYnCB;mp!CjZTBmSNnf}MH)W45^o7=u@JUicc+)v-vh5QOLY>ulH
zTI({2%PLukhL5xH)^gafXc0tA8;T1SxW)((?OZq$9R)Mxqc@~|56*VNvWs7)ll!IG
zltDRIXf4@%cyZRW+Zqh&8ffX@Pg_>==bUPn3J*(XtEY)4PR<6dk^P)x>I$W+1P%+o
z3>yF~1;DeT1O%mu(V`kRxpQr)e-U`u<gBcx-Vo5fMvzm}GKiu)#X(ABF{G?bOr4{x
zeC5t1PWIz2vt*L`eK*-8+04vbRhQBEqq%m^KGxz)*hg-d``?BBr+QOC*>c-Zxyj3q
z;fb@aKW{6uV``i~8Dy3SDbanr{M77518>COPN>=g<8e5t^T<A{hR0k{7aXO9-wi>i
zG_I%_%-*?=O~%MIS78b%(0SX59ORKJCed`(<|_9q1iSfw**wf|@~b$q&DT*eQ8Op8
z4+XGi2zo~-E|hqcMa(`IIV2w!GD;Rc6pGdI@E$wwX!wunVcaDF$wW|zr1s5tT$;X{
zukub~`o!)T3b?h*_)MXVer~SyKH8zS;|)I81x(`qoTPp=8{?bKYp6z7F#a8htbp2q
z=q=fUGJZ|y2J8$uwOjFe;*hCF;<4u?R~2KV#>ivf+d-+|+4x<SVJH<*{5K=ryL39Z
zY<@m$y48oM3^@X`ezObUnT^x9<@lhgmYFBJi~%Rd@l5S0AYM9W;-0d?moI2ck<9e}
zCW%IIv^|7{h^0qCH$_w$ads0)l6z%bOl8y`5bCvYmeRw3>Jk3l@wbN~yf0UYo*#6u
zA1{E*f!-gvdC)a?v8bD~DD#>?d7G~-dPHr;aROX!RcBrUoux&uo`y%PZQ>LY0SU|Y
zQo3E9BTn~YcQksJ{E}I9fGhStP$1F(xwl~dDvO?3wGM>}I;apsQ?WM}r$Hk%Gn0%#
zq$l+5kV~lGo~bY)DuHvooG>9kARIrp5x~Z6nVk0asLA<%cMU9dViRLJwFCR9fN`^B
zv~LOyXl5jklON{FTyo^dqE(k4vh3ol<%?!lBNDzFOr`LpaMe?Yw=t9Jw|JItHKsY;
z<ckmb-ZTQJ<_?A6Obz_#(KnG8Z(S$v<BqGvGJR=o5%$wJSG&`)1KsK*hbZm#GvS7Z
zEkyz&v+ix4k0|LjV!$C8LVk-WeR{6%mW5S5`IDDfPXiZp1Q8iWY)WIv1!Jg6Q!>8^
zzR#xDv0L2%e`6@`5`6p!H+2{PWx+mW4A%6w$~JdB@eddRR(Tqv`~7Y7xo4P8y%>(;
z*G-u~1)Z+Ob^T6w)zUi6B%MJ%&jo91Iyv;GoX*Z0Gm)v$zavA!&W&p{03wcA<mIMT
z6U<)DHe!q4>xEG#^;K#FncJe?s%{4;^iDDZf%2e4SoUj*Ybw1S1kY4amaS)&MSU-K
z&Qp?8XKIJ|Fou*CvD=ID$IVgdYo+<$jZ61mtkMMqfWN##Z}qQJuxu+asqk^c&GNI|
z-v{XSR623@-cifS#(P{g9D&}C^L)`|GnJ6%XsP$xEss|mXBm3P{dZd|SV^BBq$P7;
z@V?JFILNT${TKI|*#O;1JPSU|1*?i#tA?e)WfL?09B)bkfEDDDYOJ&++XDG4b+??}
z!a*dTH6S?R|7PWL`ldxoV3q#EAxPZ%LPb?4c0slCJ4VQVDA#m!F*g1*#}W<HdpzX)
ziIL7<I<xLxX&?Kqq*nhXK>0vr?})$ml~zz;m}BM1hZJ9LoFpe3Nb-r?u}~<g;2U}D
zt}<y(>9x;MGIKLu>0xE_2VP2tBukWaqY-+sHGq+Jp)x))x7E_T*p)su2oB#Q2MrjT
zj-Jyd7<)JW5=}kN<#DfGGwF8gGU9jdG+ULeg^8QrWw>|}+6_LoAhh#J6C0x+d9CHC
zdex7*DBYf;;G||o#*u5!CS3kC@l|y0AN;@8NnWAwi!>N1pV--18u6G-jgduWQY|>y
z0LH|ZeuX;qHYymjNUgc&am3g*?t_{<|3k47FdE=xy(n16vqehF$8!`|hZTy*rCW&}
zs%xL9dOJ**GKuqvv_PfQ_*}g=N6eaSvg%<6t+Q)d`B(z}vuOlZ16@6Q0mB&@m?#(^
zFzFP_Ph2^sTQA;qYMIQy!JEl0K+4SH>FrdiIS5gz*O*M$f*sM})bTN^iX>lV*jl~M
z-k_}rN5f3M7-$Xyl9YWFw4=`wYajZW$rW6|`=PyH1?<mhO;_>_RlGsioqUw<pO!_(
zPx$B>y=8)IMnYKl3L3dIE216jhWGckNl)yH!{QD(o^%N9ca9Snl(v2l7dm8cyLHA1
zo)d7k^9qZuCpO-3FLl&Q;-MHeH4^xlT8o?##)Z1rtV8kxQ~({ulrq;4zUDlK?+BXr
zArvCS$=;69#LnrvA1%Y$v$i?brAhj3euJzun=$8J*n`MRa^1p@7N7ov5(HRXW;+vY
z6rp}MoA7E$m>KG?mRE+O*3!*genR|-wXsoru?_OG=@9g%R%+(eEi9c)Jx`Q@o^vtI
z9zfL_`9hkd33-_blO=-b>?{qF9}mbEGIDy4PSY17d!}l6A&&lpw4N*JWJys9M}(5i
zMPP&It3YW4X64PQw<q^`Fp^HprH!i<%t1QaB0QnpFkDGx)JOexJ2s0$u+}3xo4Z07
zc1kwe%9M{eKp|)NjWoHEwOzwT5cffUO=@J*tUSRg*RJ)*nIO`UJjutt-n8-3)#S0L
zWBP`=#?(fr9CVbWx0Ve$@6X$rcI^Dh-=WvAc4nJE$Iva7r4{Si;kmTLOCsC6p47Zt
zkV~P;<_Rm%;XX~Z4x;~?Nr9@spc8a5cJ`ncPe8tE#MKxE5)sP-@|DhrKA0~_r=jI6
ziogEAy#q%K94{DWkfx(%qvF`fd4+3V0C3h#o9|=Aa_fNjDsMoSp-|(|)K+)jegQQt
zEr{Z=u@(<gvs&-=p0f59L-60Xk~y;)F3Q{DmNY9<q2~w1$3_C#A~T&{^wyV=phg44
zMuR=U&jE7tBtW~wMBN1Sq3>)G83U8G2zT}_F9jiBW06UkSJ#BymQ5JXZ?`>wOmzYc
zNS;!3Rtq8yh2oPAqs;iP@ATHuvqE#uLYDK`RxQ@aowE@;Z10jyTh*V2{~ZY!qB-%#
zK{=ZXg59oXsIe(=s#Df)<Lhf5!Nu2Fd9+Z&oc+en^~@2l%dWSvDFH_<N<jMG`_KeV
zDT}CLa{U`r;KjYLcm_jCazzz0cH4<?t@~y5aSi5b&DqnDDr941cnop@l0&dB+$<Mc
zQG{$vZJ+75F^^TFeh|E&wOxR0JM^%1)y`v@!K{9_Tvs+TM>kAT=~%3}uY#n$-5J{m
z3*8uZEYY%9E)#fCAlPCQFPx<b*#&-bZ~#<^e;=BubxlS{`hHwpDXF<oQikQxs1Gep
z8sUS!p4gqQBo~rzk5@hkcKunLJI8|VI8DH>SDW0juKjlVa<tAfhBPUl0mDG~q7|JH
zn(tW&h0-8LJMqaTY#>iWPM{6Y{)JsWK|t<|JUI)D-Z~Aq^Xru>Pn|<wkNU7PYi)#G
zDVi!#Inf5bk6AT-IgZs+1-Nrp3Cpz3e1F#cQ&Y!l?OOvP=wN3qZs5%+IY-2bSWKr*
zI<~Ex-5C$kt}CE8ag;|3&xn1g6;-9(uur@uxi_8um)yAWr9}{I#S30EpI;$_a9w&_
z(Fzsbml}qdfl#l+&u3TKzK83heLuZzx^h)~jZM)``}zh`@AZ-YK7lz0tzL@<KY87N
zSfx2P&RP`VZX-WgveG$%;4J2IHcGAe;{M~>;##6U74wvD1#^}HjUAE9;^)PWe9}<?
zQsbIiY+b5b&_7nZHTKhACD=Qpd2iy$wNuF~bR2-fIAg2*DnY%4H3$0}`*3B=^>3wF
zYJE&uCrwlA>Vxg3IzpmX5fC$5GrM1N)YdTbfm4F}P??!?yM;!w$0s_ol_QgNNOSOP
zN&n=Pl1DUsu=1E4(0*C=Ka}aik7R#OIP^=`^zCxK{yp#UUer9*t!vT%S~>Pdngq*u
z>>ECIgtDeX1g;G31lfTTZu?2U<MW#7hB6{Q6sgaqzYR%p!PSv&75jVjt&`{H8Q$3a
zudEKU7CvgFChUlzOj=uKvF;J$DlgSM>B!c09QSULem{~IGF$(l^%QYk#{bQmyULrN
zDUD^rkmCURXC(n-SzAh81~z?S7RGcC>H5R`C$Ng`AkiurRNm695lBdDR9Fh3pzeBB
ziFD{e&-o5nCl^|DZ)knr@JSiY{%z`;m!$T~V%Jx{q+<c<HO3F{?AA3*Y78$=LK}zg
z?NbPC=Dqwb2c9JLFqWTs;<_8FO<*Lqtxq83LxlO`QWBWwq`pi_N-qZTHQ2Asg2Xjn
z0W&TA7d*Z(HXg`mn_bj;*q(kkcpWcFXkbCpAM47}D6j7@j)xyHjWe*yAZmQ5=P${E
z0}i<?nsv66YXl#w%4x!T>>WTwkxj$vqb&(mDJOP^WB<?(&#{N!$s}_=Pzz!`>y!iZ
z+$EA<*RS(|+pP6X;%#OBS)?6J_gXoY^rt%WjqTb_+6&sd-5wc=q4Ue9qpDhl9P>;P
z@?t~mpOmm@%2)k4$aBWVRuGIo1jN>S{=Q+e7J?bnl=vyS*tyvk=hpx|E!($pIcsAb
z+i@HSfI^lfGM`=L9eG$~5#`l+B%_C?gm_rCv0*FrE-xBA2t6)hWJ~;MIsH7Rl-M?<
zP;nNIdpA=Y4?}W-By@&aE43m#b|yjBMwHo}D7svRg@s$Y)s40C0e!{%KNR-+U>fJU
z>c8(4iCHMPh)tHUdU!cH#5S7>dd<Jl_SG(&$Eer)By&Nv<%@<bqf=3~xe$tn8Pdrn
zXRqq-r?>wNzudDnKhgBzrEuoB`mem-Ty6DYbZ2eO1@*%0oW<1~_mG2#30;R5SVt^2
z)kr?`-sMN9-*0G{uWxTwvY&W|oPU!xI?vQftY6f_ImY3&|Fj7wctsW;S;qck5q{v!
z$~?1sc(w-HG(RaOado8k=H7ilxk2+3YWlf&RE+m{WUJ^gN3LnXYd_ECQjW9CE$iCs
zvBsn~{rGyAFU<knA&xNNFDpKNV%F#e6P8R&9$(=B?NFq)cjopze0~+Va)~@>`u^!H
zTU=fwMnGG~1;4TA+yO|<ASIu|q$mIm<dqlNa&#s#PNsAqzznl5F*r%15A2Xz@e1>3
zb-OpOd|Ih9U8i6SU2*%WvQzzW_G_#iW%VlXoNS51mMU%>uLH}JGOs!X@!ZSki}_h<
zCY_qYtKlLfaY)LT-tn@m5P0g@__h0d>Nw1l&*j21Cd`z_X*2&z)(khX!Gw)L({~}?
zd0~V%gHUoR7~DaHObQitiv}pIrl!AiG9wq$TGA4}r4-Km3Az19^|xzzgK~Ew+BEn5
zdc;0qss-ngHi`c>zC&=gGg$mTlm=at7BHo$Z(qnt?r~)=)y{t?D!SP?J`3lxD;`ri
zWBTu2sW@*<9Kh&Xxl7@heh&)jlQc=zLZdN3^VCHb1^bocktw9>22#+g0i6TA^7H;!
zx#nJomEU^s(hkdj3OU7!MzcWFvhVYV=&kArNj_NLNa%472*?svk>OCa{r&Lu_vE?s
zV6R1K4;uZ){ZWQaSw{a;p7-aZ?dzE(hB;T7MzV#entesA0a6EdRv&BH`po`^xVMao
z@(tg$=|*~Jl&%5k2I&T=p@*6o8l+Q{?(SAPhM{L@q`PBiR7zw(1qlW9xA}j6zwCGI
zwfDE@^Ru4oS?j*;^E{4`M#%eYwl9>bFZ4Sx7*>C~y6xb{FcnE$?ZVZ_TBCL2j|~j~
z)4**7olmSTLqL!IGwxnxVD0$#4oLLt_EOg`F6=ln^-Q$`2nLZqhBEmUT#Y7;ZkQ}}
z{lfYuB|_!;yz>nSg&ro1FzBpUopkg3Tvm<9=u57z&~$gY{`n2)w<Bf?+Us>HvnnFl
zu;$>jRc0@T8b&f7eB15)@tPpN(kp=1nCvgPYy6U@N=GxddFm{iG20y4Kzq9A1K!rS
zDVQmQD^HLF`JR5y=~^I$!jt>?1nPmp?P;ecapL9^_{mtDr-Wi|vHl&)HT33_$Qpf;
zbGCJr(kN)h9nqbS2BrK|k|B4P<Tkx+l#j8-;N4mm(URvOs^L$H7pXl89IX)a{kI0y
zYYjGd=kf!`B|GHJAJ2q2nMcRbz6(5zKoQ|5vf9jD@6tcMDd9AE<9K~@>si8lMKSsB
zgG)ni*zQyEOMB^!z3clo@>fr}Hy&fTDdB7%e!0lmJXKC;^AbjIZ6%o)=OvSjfeG6A
zzo@}B=vQya!)CW=O1`!+^Nc0)Ps>v(e8Iu-N$S2TVyU<^&G@OCHoDi6QFpd+_^VXY
z_?!h+T7eZ(tGS@dSkUEFL>8A93MRvMuX6vrhMEO<L2Y23r6>`jh@kF8sRo1>pXa0b
z(a#T;?2u}yaH1_;M!RVghQLzvH~6TSGF==eLz=olQa;k$TXn2ahSY=+?QR(uv;mja
zJc5}1fIK*F0QlMcQ?0X%rhaxQVk_~}QqFUo=72b+Z?FaWY*yvLrCQw?5mD-^0frpe
z=)e(i)^=Gqn)w-lP(F<an_-QJ^E1&{WEwqANGwJC+f6xM!Yo^%2WbzBe1(pJTH}#_
z0&5`aWG?HUF1UUgU`EsMDlxra?~YQ{9;T;m1;AwICXj&WlxGaAMIJNwKL&<}@c+@2
ze5l*_`f>Gd*<bnpuw336{)e@5{irK>#7O>DL)Zal&Ew4Jn`^k@Wz+nMvSu`xr5PRr
z>DLD|36Lm%^Ni*<`evv~4+Gx$ZDSgdiabi4%X1m7R2f489z2}6zNUCtCJmNa#wRiH
zn1_NdH%3A)l5M}*{R{GWBil;#M%ta?(5kQlt*F&2y)!hr{W^MDapKKaN0ox>4D|Ko
zr*DG4i}zDak4eY8oD|pXszBDEkKD;V4fI5FV?wPuBwuWz)tS6P@?AxN`cc1$5B-Ct
zvHw8JiVX&7M7#g}X+6sKanjHqC-T<bsNxhAntc9;uh7v#bAX=XXfbCLoBIy?UWZ|v
z%3&KcC{v+_ty-=VL7h~2_|*ay3l8I5*xS&%xQ@+oY>Z+P9DbG;4&2%-TM*(UEk09N
zs=CWZFtcw#aM~CLFy67Sw|$Af%7*=no4;h*if29*>{&D!mg&(0VYIshPOLU0_<GBK
zo3B>yY9r>M;7;<MYVu@==2R}QVz`WN6BSV==ckIrl*})LUwkw@FKV2-pbL=HOP*y_
zq_OVR!?)WJAMgI0=e1XU6o%FTTQJ5thiq=fhg1s-3r82LDzhD%H#lh=@auNtlSC#^
z4O=#e4%t!uig+`HN2Gng;OcXKcRNlN;+V1Vp;j>>R2SV?h>?<xXhYo!nPDWW-D^Vg
z-qDF-!mQP`r+@;zbSY1FF04{y7n@u%b@aV7GxtUv#{i;Qu~?8CH{T$KuwyQp(81@=
zd#G=NJmrW<zRF`2oPTK{GYWh=fX5RD&azB!YKn=w^O?UDgMC~(U>~+bwKk+rp*t-m
z2JNP|9`iEEGMDoVpV~s1bvy6M&3>Tx)tF}vnm^Fzw(rK+kjjguAI@(6q9LFqFfydN
z{wxgPA<;B9AKo*<Qy1{^$z%h@ZNK)NR1~gWO_w<|kU313_<#2h3OZ~aecSjU9!1|f
z=}{S!ztIPwO3CUF6(eJL<RD}fx%qHG6S4#vqr`Y7CMW_4#NwMhxe6E_W(Vy{@&>0@
ziU}6|jgL5Ykcsj4F*Q<{fmcRTH6#yg(~TD8t=NG)S-Q3`-x(L~-~xjgC)XIrE*$7Y
zbNiJ3#jijz*>YABJYgbTN_a+Q6}70Sqs&ppi_8aS{`cjKzB95F#R~1|merF$uK(HF
zvRytdZIQzJK=(SPgUOc1(x|;VJ0ggLbYsF)a^2UH{Js*LwaZS`J632><?$V2qFY!e
z(xCK$z&|gR>o7H%YNx>5PJLvGg6N9md+Uhq4p}9mz^Zf4G_j<BH61KYG75pDfCV8U
z`J=vwzJxjCw!W{-!FJ%$&Ffxnm4K4rADN1X!0||Ruw?bE^m@MN{oC2OpNPO16S|2E
zzIk_ZNc!WuFvj{%uw;@{^ZG=eUrh%a5@cWwBo@F5x^UxRAHD*;410!(*SSpd>9#z-
z*NFad46|{!^bighY;JO2oH9c)I!@<Me<HP!H>p!3;!5b^j`vv7;to0A(gXfhuIK(c
z_j)+zz3EvQ*sf8c;yrqeHX!)T-AO~z*Y)*0&Hu2t0U~X`bx-x)8;yP(ji)U6Hd?Z$
z5ih!U=J*KtxIC<txTTw*J(pDK9I4!;BV}6mtpr^*i(5zbWT^K<E9C{WE}5{X5Y$s<
z!C2k==ahX%C3?Q(^7<83Bwzor;bH+IBv+=77;0LNRAq!sWFENUgn5|eVhj)j<ndr0
zWR0xX4gLr-kXvtm$};*q5vOoPO3ZEt>y}2(ebtsa)2W8a1b$g(Gp|kKXc+}3hd1;w
z&Gb%duIi0ZImlf+3p}1~=ZZ~HlmKDqmLl6bEiv_zLtNu|lyTX^Xd(Ul?#*;h-;kPR
z-|x++S$~uyzbJFKO*TG-l<w}UYNAE$)_Lde-5|p({#X;M+_Ev=oM!~OL2B=0jU5|L
z?>|^!s4_^cF}=bA<V}~<OS+00`1;Q38EnSNDnHom203}-fj^V^wMTR~GZb1!ADbP6
zeg9#-)t9Ub_>KG$c9ph=mE>F=CVim&f}+@u3Hl?cw&~B?k!j$!j`{u-XMokrDzMNc
zU*mXp?}tJg*}{Ri%zdq5SECuivYCuX_l$#zxbs&^zB;)wkv~1KgmW5gG7?u0gM*WF
zm8)r;f-I+-JtJw_p7T4!I*N*td5X|(7Fw+F=wk=`{yD(1DcNT85{$v179%X!2C9HS
zybL$%eel=YaJHXnX2OjbkQXS&S33D44Yxs-@W4O@UwLY$g4`nCT3GHOjDLW;&Ld-0
zvJYdsW3U_AnGA0WR@3|0mti(<-ztm^(s8@*>N3|b>K0KK2qKmX0YddQoSERn4rKi(
zhV2B?1Y>FYB>2r{r<8ht4U_g-;~E{!?1b;kSe1t_a9mV9Ks!2XZ8eUo%uwWKU_k>}
zDCEz2=WTV>bZRHUrrGW4AV5eo8=>8_aWr1|sm%hH#owe=zgG@FZAUnEu<tZ+*mX>w
zYs_CK-M*l1NNfosHWwF=R%4cYd)66Yha>n~G4;OwAiRynEzft|#-2j$b&VVu!ocL5
z;dwL-G@fYNq!r^{T8|*)K&pujMy9#oPU((@+W2w_c3Pi!qR-`qy}Tb};_D1t+C9kw
zGW<Oe%&f5h@*=obJ@RJ4pmYEhp%tO`#QO6(iYbqqH7^m2GY>9bnM+S$Y*L+*dbg%t
zoZ$0K$gX)Bf;4v5k=#LESvP(2zBn`QQv%qRH|Th`v+d8k76XFp+eg|S;<akWH$qi_
zBt=5hq&GF@%~yn~eTWJlp|sZ|o}3bf1F;l&DO=!V<QjK|gcp6<R_z^@3q<C}trd8Z
zP3gdX@TpYkhUI!(b)~8XK{GS3B)!hm64>jfK#?t5Rji-5Zpc5ON6c!F4<qDfj5Yi9
zM2B-mxk``1p7o&Twc=He`L>v%g{Mu^?438qVZA)P3^HWC58L`klN)f<-?6T`yAg_w
z^sE^=_;J`&ZGpGK8JEg<N%hz1xphBA!1B`i<aCpS+=!@oKphAoU<ZTFo(r6O_|#&i
zfdDI6xO{g#SprS%7{Zz3K?YuJ!jE3`V1VVAAF~?C58cgZJ27$|aV;s!Kp>S)oKuFI
zJ)A`PWV~%ODDH0=L0{{VWKOr8tfP^OzZ}M_+8kgK#el{}iAaL#0NeL4e<}9!^xoXi
znG}Y@wLpZBCR~>4m!I99I2hyHA-})9{Q%V9%2cSBnN}T03hacN96r+)4K^$w5cC9;
zPkTBaka8w)gcx}DLdcl%<M<6Y*h78AxGlw7Q)@(9lZ<5;fs9m9q#WL8$)6Bj6MSYV
z2J+mH;+H1x4tn7EevhUuO{s6j)!lV=7dxA~PEQjwnda{kNXE9jEgDGMlNhRzqR(o2
zpctv5{%Ji-pCdz4*?SI$&)==Ua!03<QzPaU3}hAn+_Cq&Jb`B;ueYMV1~}GA*%g|0
zphk8sJe<zh8*Frc+YTDv3NjfkZsm!LzIN)HxnD0TY&fUhaVI#=q~wN{xxz(fR1(X{
z-cFV)pV!8m7y5h7+S>@E^ar9J{1tfP1GkH+E-J#++N4-tOH=A+Y)LoHWnIbBMov=%
z-tsZDeivSaVeMy%)~_?S4Uf8yhn9pS;At0&>UN?<liP;SbX5+%oVtd%EpHeyuoD==
zQnheW=Uzjki0UTqCc41mG4a3N>!sLGsvug$$Bh(4!g_-6)%ytvZV1&oh!_^6M8>78
zJ~88xj1c`8OA1>ow<CSWUHx`!g@*3sQ#XF*Gq`gaiIpw`pZP}e9wENoPYba#^uevZ
zt@$E1eOq@QNk&tJr=>`=Go)sjOWzWSX}`*H%w;zE!C0x!iPzwlZQHzhz~^NGHXrEl
z?j1LJsH)R-&x7mF-<r>Rv<n8s3Ke!+_Kuq7p{M%F^Hmqk7HFcTCFPrburY=iZ|*ND
z`Tl_y|A!SlU<^P8{06@ps47vh;PjGf@@51{qQ-j2wF7spAXHOcWP-zjPQ)Qo5{2_D
zTaIh38ax1KF^!4(APjl$x_wWbL|dh^=DF`yJ10(x^8-NeQc_ROqxPBF_v9S91QGUE
zP?scG(k#kR;9CO^J>$j&^*1a9UHThgTTKghDAeFAl@1pLpI^ICixb#OV6A(Knhd;J
zGn~AGU)OHK*d0CfdFm{mbjm(PD}%+UZHlzbNvs=w(c&IWbEH4F3<5g&(DCIom@#$#
zhV~-DGxWUMi}SCln8|!osL*&_HM4O#h04LJ$rty=Y%57_lAruVE~)Wn4Wgt-g*mq^
z&PLLHw|V;PRlIdkX+D=Ahkm0^w=`qiUFcosr;E#duPGVnl}ZkB8%GTm+0G}1b2ito
z`BhHH{3G{;^;$~i@2@0FftGA;6r)Yum`VNX1~4|D+JZnQe#bw#8&J|_y{occw--K=
zH73N>7O}b{EhB2!pPsVr{_oG;&yU9ZfTq-iM}+*AxKmZ*1KCH5T$!nBMOJ3RY{neQ
zsq-3E@njxFp?Ccwr>9lV>mw!@rq`W*{2A)W?jJ&>9<&!eRiCs66+oJWkCE2DvZVIH
zdQ4|fi90A68v_9|4({)dyG0cm2E=u&f!fS6%E@B;u6saV+k#7*gVGkmWk_!~Mzq0%
zVc?&W+eU)hdiu}$w3$&AUI_e`?Jw*pa>E;sik0{DoavZJ(nnGpntPS`2jH+6v$Uax
zpqCIVvwD&dK7+?43@1#9A*}<q+k4^;PM+Nqm-V5!&jCFLczGmNe2($>YZ(OO_wcgf
zh@q9~wowdep5zIc^%FTRlX{bF#%Jag)(gF6f*Gb)M|ViX1(KYFt$dwdB;%OtiPmLM
z(>3=Urwz?2wbIL{`kWAYm(Fmr@xyuGeQTqRx>AObT!!?2SQE8H*185J_P-Nm-;OoU
z0o=v^!+M;Ax&N^CDL(v8xc&I(68H}*X=dXOc7A;=4MXzQv!PG|k<w%kJfm@De^M!G
z6qFH13u(J)K3G^BRe42<vMvQ%qxMqCu;_)hL`A8=zEm^<Y4NH~s#N_kc*WF|RZmpK
zMqTsrA&4#--B)R-ThI}kiV^d>*Xy%K#y<N(7vW?>hFfNNJQ)_<!~M^Hm}|8PJGpy8
zNN#K%j`Bkp4`>-3f*$eefXyyQ`N18z_p?fyH%VgTuR6Shn@hy4osl@db~C)*I{CvK
zB>?_E&t`3CJwOc<+9c%J^2Cmv=gPv>VfK%Gp*CadwfmLch938qo^7nuO*P?anME;p
z&TT~aYN>8+mReCWIz0T&w$2RHY(DcDRyPvKgYkqso1e8SnMo<}&4;h`)Y7Ig*x7E;
zwjTQIrw5TwOtf>2dCOHMvqL+Q6~qdZu1+Ben#cM#o?DwuHP1=<RSpG}Be`<G(EwAw
zJeHSE^Q(%Rr!^MLybgYJXXu{PCMi+Ua)G<3++HhON<1J<3C{4lDk3XiA1QK3Pqv)>
z4jDZs!^Pxn;68WulF*p*ez*`iyH6+!o^GrPffAR0YpIv&k4od28nE_%Z(?>`NeY<j
zS}(`pcJ-m2b2j>0PmXlA&i~T4m%c5xYMaHXFZ9;FZ;xQFPlNQTBa0cp-r?rDb$0n}
z?Gh2_<=s8=5n@Dxod{j5dB!Z$cGgxeVT5U2!>uukYaoMqYQfWNU*ZQ5P<D;~;T_3-
z_QQrMOKFtQH!pH?k@>YREIooT!!&Tmr${5t>hxoy^`)ROjJPrwD|z1LS>0qmFXhe2
zxJ*2$6zg4TRTf#6PDaFGIqS{G)xvia9{@ryx*W;lx1#|+u5s74VS(0~V)N4N`v$Fx
z&rtb_KYl>2gk{^SVV;!>Ad=TQ6U32PU3A^sFP=lka;%LN$SMhB7*r4hiK5g9UOH!b
zwgCFqy8v>>6FS$2!A}iJYk?}BpoAxf%T8W=Z7$8MedU9@7rGUD99YiKzDiYy^|<2a
zkfX_1L$kK0#J_{LJi8)P4%PIIm|1U!-pa{2zTZOe(N^L#kV858OE+>RHQ~k(*JPBS
zYSW4KnK_wGDt|bCe<mzn(Us(1GdfV=As^m+iYyA(+4JZTyrCuT_|~&!Qnvl%r)|Gy
zpUzgtf{Xj$;ADGkZu+O2>P4mhuo_Wq=uX&$*-GFATWP~L@X-a#x;A=nV8KeIa0|M|
zEjY#)4^HEO+->>JfAn!F1>b!=-d9|&`uzJoWiH6&V(`RbvLHcIWvgknB(?4Fl$V1_
zt4H7^-<3h0mQGqALzEbUsxAqgigMb?{6ug$%uclHR;4aka)+nmrt8P&k|=C=;MB)B
z#dxTiWX`OwcoQa9)IBbGhnObaT?&*bU_<eVNig83_>R(?isxh14Gk7OCV8B&mT10Q
zo8(lj5MY)$yo;-pf&TW|E18+}fOYZJ2EZ#G{qG&C8)%?K@}4Qoe?`gz+F9j15EO7t
zH+<XzqmJUmb1{<f<B4#IqFBHH+rN$J)CT;8h11aum?Ge3rA&wvSP~yHP;XmA)0vFA
zeC!!rx@c{kBdv=dUtvvIXx1m~Y&9u{FKdU@XTBcdyP)RrEz(aWYUxqTwH=KN(WH#f
zIk}X*nSQ?%zCxS@&-lb>?P8g>Y&WslD!uXVoYJO}(%?t2`*TQ)WbqWoJm`}`2211j
zHn+r*lcr`1#vJf$pytdV>#+JDKf@#=#^HMhkHE+lo=s}wJ<zh~SX}IR6GgKCzlg1z
z6AvVdmf~fmuNj?q+xB#@RVd(RgOp@MV4z8z%%_`lDncwtQ%kO7bt*{Q>(V#@9cO;%
zDr2hVl)9x#f3?W_>j$=8iJArqB&K@9*^x>nwq;|X<pvp?9R_r*DOBle%AX+M(fS%h
zJ)Qb|mtu`|K5py(hq^gHpG=B_b|A8f1$%Uky@C->gUGU4D_5P&X!Ua`7lne=7uu!S
zc;8tzE5~x#N5Mw$PFGUI2j)~+368OYvsE|Q4dIP&%G{JJ@9~K)&ak{`tBu~BSFndb
z+k^0hS%aMJ@6?Nh(T1MNt<w3ty;fN3uS9W<hEr%o+w+I0u;a*{w3j2`XhEB<V2m{=
zlzPvAmBy;o&A_Ay+b!Aq_UW8P2$6PNO!dLELw%ez#KE2n_mhPQ&Qxo4US~Wb?`5&!
zc#|hdD{Knv6w`gn%8_w*U!*x$Tlg7D(#vuMD`-Ylho&~B$Yls05{Iee9bVtE-mGV^
zAsTsVMXEf8pRJKF=<ROlH0FTLph;Y-!<@txqtUo@1Q5}RDV(CQj@nigDJW1jTt?La
zm|thwvJ7uLL&BCDHOtA~6Y0aA6@`D(fj+C8mzdU8%;CYGmz`&7<Ek}apwuJ4r*;%y
z<dw#cLZ*JusFfTUV0n?b%BS)YCpa@yNa03TQrQtA^PK^1wdolSw(fg^h?}>*21#Lh
z`H2f{m7`CD$&2D1aM1nX{7iJrWJ7ztE$kj=6lPIH^i-rY9FM?;^FZPMZKSE&B#ZC=
zQRDCb7bDeXbUwSoI0P%h0ckrtM)b{QhMl_M+}5h!5Azt}iyzEnnJ;xX;O?97DA15q
zS65)9!59?Ov4Mjty~E)iXBRe3n>$Zmu1(59z^{>#CTU&zNZOC`1Jm5fQ46me)~_|b
z7V{Ks9!)4jNEt2YM|^m-p_1=1zJjz`9B?-i0r!|z*XIMdQSV#<oqYNemam&O&Lg8^
zV{#{T(N3mDcGVT&I8kJXn=h`5HM-fv3qyTI94TWZo+=SJY~qY3S}$`V_4ZgOKaFh!
z^me^*ZO=8^4JFFm;;GY=cek!M-RiUfXHjz&NU{?Rhmsw5l*Hnp{o}2$*(94&$^OI2
z1{`L8TDkDq2`l1HST0&I!u*UKginjdgJIz#BkI{W$s=*mqRFP@e%cOs)z6~^)Go_m
zn@+s%^$9g+)}M<o=<BF=T36Xm(H8pSbtw7ZW;PJA&nC5QywFaFMuBH8UTL?+m5vcH
z)HMyI+Ct{YogjFfq7`B<<hn&<akKS%x=%bV_veFJzjQ!ey@GTEUU`JfN;)rxG&Yyb
zZw2rT|LN%Otz~aCXXVj&^|crp6uTbytT!_Bp3Q=aFec^=^TO^9Xn>Gs*rg>4BUB*S
zi?m9wg8CE8>b|#OTQk+bA5Ji1dJHx!ub=pAvD-3(+M`vBffA`TwCO*;IPWtENWa>?
zhc35RkJ4MK0>#&>ZL1pq$qloWhSZlbmgd3Jj>*wDLU|5Mlzu>4J)m%CY{64~F92h9
zxVmasVr2DTNEXArY9zYyuu#wKH!<>hsUUf;`>z?SL02)*r|F|ZlNIIi54ep~vcW5t
zg*`(^8--JUZ?l(@kzd^A9@eIgZ(;gcI5j)xP1kR#pt|M8jj(@X%kt}L<nO5U#M3;$
zJ_EYNVkF?oi`S_v8y9;8QNbdn7JafVCMA^Jj^!M=g{di#-TfB-VHu0y1jS`}ajLj0
zWOXbhK@vMsFL$t=o9qN9dKt|WrM=hTE=;XDvKF=-I#MS5)RI$A-O&?FmCuUC_$JgH
zICvZ<&Z@~wR)Nmv*bdFkL3=Fzq+gEl*GGeA`DYrMw7NY7xS2I&1b7*Rivkl!&ndoj
z*;cwM8G?xSJ3AFynwxL4wFLb1>8Bm#SvJ$cJ;L|q;Kvw{ryYh2czu1NX9-AluSFgO
zG0hKJRFJN%7raEcJoBlk@hXg0`K{JQK@B?BEVbg{_9@f1&p+_H1tj}=YoK=0!1)__
z@7t%x{{(gyB`N*r@28D-__QRsVH}CFWbSW#!X4E~OPM*Razz~dq^kQo3``*Y%&pC@
z&m<n0&e$p?rMEP(Z|g4?%HHKA=gUfW<7Q%hC^k4oK11+BtlalhK)`%9Z|I1j3Fvv>
zMo`?Oe|9gx8I!Ls#^&&I#*;f)(fEohLG(MbKh+9VGvDmG!Uh3X;=f(%?0Iek?JBb@
z_Z(x#rk5o3Wy2p!_EE8T0sjI{Ufv#`(LbZaHk?`GJt%?`e(#8-<awxYyRZ8!T_z@m
zrwJpHpJ`OG=R8ou&rP@K+y4jATvQl?#O6Oz<uKB6<$)$U;hBN-2I54jgF*3ybk)OW
z3$jTWA0LwJvimy)%Jey>48q^kFYhd?mnDGAp?h8+Z4W<qxr?G$tP4`lp%80owJn;N
za`ITForG*C_%HJ6BcnO(x6-tTX!^hb0Yyem;(6^i@|+$Yze~_y3ZxW21@VtJh&5@^
zR2&+lP^Q|RDs=FKj-<NReJPjgiG*C>Cf6`~ASCw9!I(4K&f>fk94(J$Rn=zRMhJ4G
z9=FF+&F$>-IMD!~B@9pQ6wtBSdH7i*$t_ODd}$@OQ@hf1PSi=HN8To}XFU2ax49i<
zX|*XN>EXP-(go-Cqx;*{gyAN%IH&C(`etvYr;D-?cX(PVe)ILZe?+zE5wNPauXlAL
zI>B(4%^b8^N40Ekp2zJiE_klI`~DR!{};CC${Noe+b1f?BNK~oO1H+bg_g=n8CmEk
z`w4|Y?TBS>#+5>ZK0_$}!p!Esb^h@ML?s+Joz68sU*Wu`3bHZLaLYUIr>^NthN3;v
zCZH8N*wfG0oV!_f6p48=NhbX-xHG02qM$`Y+DV4n%dh?U*Ip;F&xKFyjs?VeB#Yg=
zlpIdtc+mx@?$GhjkeFD|@h9-SWj0XncYg~Y@|mkhE<K)_p8jU56cAqLIa_}#i#VN5
z-@hN;&;jNamp)+@m?a1m@Gc(7Q$BeLd)>zb>9&1sWID0_pnkC;c&^%>QqTW3^+zdr
zDPoKOupj2oC?Q>C{7nTbYbbWl6Ww{d9CO2NjVJ*C;<#o+@W{S?GE#GzZLHtG`^>{z
zz?ohMoiW5p?u#c5s(PhwP?T8aHYs*N@TDV2pljJ&+Az!gx3POK5Aa%ZO8KBA_E+0!
zUV);E<No`d9G15}6mouBtvUt1WTQ`3OEP?O$mIcl_Tl}n3f^oYm<-7%oU%mpKInfV
zUPJr8@D|=^0s;sLU*U$i*VF!P^~x00u>M9Z7Q?^$V9Yz#8`OUm$1ObG<ZS@5N}f6)
zSd+&)+fSk0Mt*x5ChlcF?R-OvJ*=ybz^xd}GxuaC#23Z=`Tc`14dG;xI?GGOauX`~
z%mne<%&7da7Q1NQIf&Oj${m$}x{%mOncS=3*a7nll8?NzcHrr6R=)pi)jW{DOxf4F
zmqSe}{I=wEZ~RBAA<M&<4v}wU4<&t1Rn8ymCLcwFtCe4GuR$e5f&$E@c8$>Fw6+m$
zk-GLQEOOwTe$5#QZIxBN2W!~YB+x2#%p!IaCG+U~^MNrK*e|f*>fHfI9UPTFGzo0s
zx<gY~gT7KSjX;H)7*ip{k_E3XHe0~GqlB>Vv0xE26&KqP<<`3pe(GDDxgnkGM+lqU
z<zT{LZc@0|pNyA9tq8fm6->R~OWNWA+~x0tpHuUdR)BI^fiRa~xqkGFP{nSei4-(X
z+QpH&wl3;|sCoZY%2D}?b8we|an*TxLvoYXvvgz+t6hU4zP+*<#F>Bl!VT;qfAdo-
z)^w%LGNrxuKdcx<q_D}2g5}ijT0(len-tF}vcrC#{^s?NQP{-Fk4kFw12ukN0nDET
zxD?QM!CBT~fuJ-I$I@vN$Uxn(2C9Gmi44Dr+U9ZQA%H<eMNW5Wt)@afgk@iXnr&Fp
zd|(sbK^uuSW66XmYA@SM-q`>Z)<#CufB->)KKK{oXj$<Bj?1*ba=Oo2S!{o{M8C0}
zDl1Gz_G&J)Cs@?l?qKBY+7L5<+8vLUb!LTd#Tj*sv&w6+1~ZCUk6Kq-Eq>>UkW01?
zRNCHrHMe6Pj4yygpZDq7%|Duqx+`75yBPDC$y)5Jo*ddQ-Hk_{$rf|94U9o6QQOU3
zh~(zevgkS5T3wl|PYu4W?vzI=4WGC)RqYa0LLz!5#UEW_F5j8r%eU`(0>R`$`H2m)
zWA8h*n%-HIT7cF&BIJ9BjMeQ{QM0KN8qn1`M&%|wqVkyj^g)MRJ$DcKKAdSw;)!8|
zDO{g{sC$X9cDKwH7btF#ZmwRy*(=Er$aR19B|(pU_{dlzoiXU(^~3k(CX*|&H)^~d
zG`3=De&sJ1b6#7G!Q83^j<<3_N-w(%1Wi+a+&LK?m^xc<w2FhH^kaP#nTOxBojJZ`
z*ZRZG1)dE_7p1<rEV^ZXCiDv_HcOxGb3U)FW$$-nY5r0US@Vv?yL1x#@*^^VzkMG5
zRb5E}Q#ndjBblyTv=sB1Yk&LAk28gKobRFuQh6Po(dKRzfNk_nlb|VSW6-AbSwyzt
z`>!0ZYR*9_lP2<2x*Q2%DH2O=625eBVuu8a-``)$u>Lyyn0AS)U|nRsY2Y!R+kUG-
zQ+h;u5!`Cz3mI@mpwV!dXc|X5s0^B@){;APn}a3&Fs)a>_8(RUPIvY$igCxa=((5I
zpllYfTz{*6*b}SSx=Gvn+6}3rhQ`R_NH=;SFWLg)bE|J|gOCCr9J;J$35?5&Dpk~{
zB0r4~_OwVJYnEAflik`NqUul}qhjtfk}zbv-6^x?qJ;k0tzXeW(~WfF!Je0==2B4L
zgy8P;Xsq_h`ukI719Rr`Pz$XBCou{pnJ(7Ul8GtP7VmTjt5ugkympD^_!p;nvkL*A
z-!DwfhQ4o*NX<3St2{xT+v*QblMy#DUc;vSwy4Ys=P0lPiXW-*_`TNURl>*qOA7u1
zzpiJ#-b+G%xjFY+u6POcM}GiJec1N9BU!p2B?(N~u`6ucG=EcJS!nr*G8&-3^U@3J
z>MmZ)S>LwIw_Bt><Ot)sh11m|Be*bZRTdGqL5j&f|LHYpR+ASXg-Uc2or({C;v@i{
z7#3K_s>r1xKJy-4u!6K4|2i?BuxY2LElr3gEEd^J@gi9>uyme>AwfFQ2w`z7poXT{
zX7MVOQRPJ_I+(AJIx70+mQVj@qODk)4UMd$GLf)z1!az-FFTj1DB719H{I;)LSEf{
zAnW2=T1#U>qs6MEitrAQwe}qgLAk$3#}>1PT&iS9{vCj|)HUV2!a>R;hivs;DYt0$
z1JDyC1RlJgrL_(l_gv9^W7{sc6Zvr42CYwyA(a5;*%&X;lz*-KN}ox5!<c7&Ut00=
zsi0FoPvUOiT<B!_CwSX$L3$&V#DNl~j-;8iiKU5#ZzvV3+@bLqkc$MouVEy!1P|Aa
zyRG-IEz#(KwSbxiAD`NjGKW3!aQ1xS@ZvhBwWVk(^_!inky%qo68gjM+chs&?x7(N
ztG#xgt2Hq~lI61+N9eAl&YD_h(|m#{O|CM&b(hvnGEs-iM^haIi4)|`Z_qV?#YW_I
znZgU#oil8UlKr>R3MDyd69@6N{iuUL_quXPKD)<H;)<gSo9?XCm|{sk5tkwP)cQ(*
zwnalw)QyTErN<v~`CEckxK@oZooQCBKE~d+Wx7d`<ZcR4UZ$a|d&c8Ph)bEm`N8zW
znP|`wKh0%Zs<rMIi|$!Ukv_11U`Y(Cs4Q+$47M{JTzn?K(x=%TTT&xOZo5lM7v3*K
zyA3bV{LS_O3mGIG*f^oLC+JVZqGxy^_QUxbrF_yY2aC=uFj;sG)%(HnX8kO&vHZdS
zM7IS!^==2#w<_Pjb1#)=oZRymb2qU?ft#iM+HCv}+@m5*1cw<BcXW?`+K*Ef6K1HB
z-A+tk=8GrO2yXXCXRDx!T`!SZc%ar~2YB7~rk|AMN8Zm!n%!i=j{M8@<sEA7-oHBU
z1!p<EhHTB@H&p7xqml7Ymk99x#Dv&T|JTz&p&Os+o^*BeQ>v(Sk;(>QxZzV+8L8sB
z)&a6wNAW8_@d8m2OFg@3x6#yL-%-8T5hftb=a1+YbwN_6OC`h$shvx?=K~d8WwLGV
zKy+Z>3-fB%Bn?v+vwa0oz2Y)nTMf}4Rdycyo0hr(N0oq#M4FR;y&)Lg!QZ{0o_{P)
z3sD4f<9-R{Dgj0}1W?ZKSWktVt+T&JQtZww$wQ=9(lmS4P9<a*eocovwug(iJ9}0(
zTPVPQXWHvNH$a<*P}hM@XaA{^{yF(4=YT%ch?UW1tqJPyIbIj<dW<2H#KI*d1m3{P
z;up2JU?QJDp=USH1@)BbQ72JIVAG4imb~v-FtVimbLeO*pNYXYVNb2Ejp{LCmpj<&
zu%fe|u%a~-=a`^WAr3%KD1CmO+XV0Eb-!*fFBD+rDWY^_84JVGN?8Zo{7rA)@!ho0
z<5^6vA&-G5NmWZuF-Tti?S8Lf&xSN?F`*fL8CpaEP@|L5&hWH~w`>hA5(_LCvrk4I
zVjhxI`qX?Wzl8BN)_$;)Zv{Cb7bGoeaVNL+HEYx?RA}<_lQh5T_Ri7$S%;PC(ZIQ4
zNO%{VyDpNf&<hKrJ{R?3Vx_U!tTbWm3ZD5S-%EaY7$xiN5EsLumW_O~Xq<jh-Uf?4
ze215!LVw;L_x<q+BLz2fN2B`)#yhT^?*Db?N!G0Yy<Ib9TX-SwY!Q3IjJaL>qQGvV
z@>23%q>Q1l`#7BgPppVnD8O0@F;x4&>8C@D(fv#mnQjS}5M)3Rz(DzEf%ifVntd9&
zjoadD<=yM<9~!Kkns80b7DxxR=i1FITp6MY<E;fwdu@|42@T=G670(QHUWk`6&>&S
zviSR$j^93!8DZ2iAD0_`0b2h=zLY7bE8Myv_caJB5Fi@CslY=$ye6s%934g*!}QiA
zPd;qlv+M=rczbyaye7p|oNV4owRLVD?3^;22iLS*l+9EW5)xaWxGr#Z^_ohXb?=vB
zpO|W#(NwPhbbkOkQw1-GLiot4MmUHNTj#kOzK1N!iy019jpSKdbUORKkaT}Rcb1jW
z-I(ce$h?Hr@0GlP&UbVkDvqsEd|$GTcYD7GnoGk)yV4t$e}}E)MY{=mZHcuNJ&}}w
zsO&a9q7qYDCy1dr&As1CT_CIP;O=q1&dHGHhLW=k$r%0*E-P^{Fz+tx`a&&nJF^wB
z@89xMRluPHidYWa0@uq~t;*_NE?@=l!&sc!%k(+0zfn+;5QL-N3|pnnu=_F@3Da{0
zEJkce$$PcP#dDvdoK5b#fdonJ)L*QOqI_t5kOzV6n|OCMi9$3jg$tqL{+z^>PmG<h
z-F_d5Vs{C>Yeg9brm&ftE$u|DN0DQTgS;ehvCBz>J8C}pjpo}t$t`?xn)LUR$5muK
z{^{o@KUpIlJj@#a9J%L+_me2Op+6sG-CW-K!3-LoT}{_^2KuUsTQO^kC&yQgSI2I?
zr!AoYZm2o7vt1T%l4jV2e1<lP?aOEJbZ!Iw<~5mn2#HN&KMyjPb=w#Z*dFexXw5O}
z+S%FU3B}$6+K_6pD+S__VPz2xFjrghf)+EdM%GN9Td2&$bQ^#-rYXFi3p)q-1<V`@
zD6RT=dyPZAgpW(mGlx%|?aA_0Wkn09ll;iDs>o$KL|&2A=o(d+O2u!-ZuDb~OGm9M
z*T*>k%`^_3FYoNF2)JA;A(q#l-a{;ktFk*oJ$@pSo+Q>uRjV)+MVVQDESIny717k5
z0i#K#jEleO(|#Bt*K)3(_&xvBabgm>^U^pE?)XihG<c-AQk`*>uO-QDWAVD3iyfZ1
zrEMQ=JW9xz;%$tvlz21&_u47bF%;*o@Ag@;@<uTT(hKD;{vBUG{o?n5np0w-ggwt_
zA?_?dT#o8Wir>d&N5gBQgHp9>Tm{<YAJTHnZGcrE{WP7kJ2ie@|H|ISdpl_K?fom!
zPa105Pxgg7Eps&8MEOyel}96DO!*i6fajNUA8J%Cf${}eGvnqK+@+}1uS$F31R@y3
zZ|uPEfMHnx&*th)prKz{)k0j3=ChcNDqdu<#2Ed|7&X;GP-0q>C@Ec}#PPGu)?q1<
zWvloJ5RZ+x*|`dGaI)3XeO{{OTa=5bp=)52T$njLLc6d)6TQFI@%8hqBC>tLDdRJ6
zAuR6^`%N$YWP@hsH6Crv+?%^Fdhmy#xD()nTwA6Q{X2CATG5p!8i+4JAis7{kornW
z*{gPNAph4NGom`fCKa3$SUwV_9bTr8uS_qJ&EfF_{ad%iodLZI7NU(MCm-8@$l7@j
z(BdMz?M1)Umb<d~t)@$FCUKUEi4mzqH(~@7dWbep@Urf!{LKz(xv<KCk*ADrY_G@B
zPd(KBm0-H*b4EAZ)dheN?YYm}tpvB)67UVRrfrhLHh5ZF7THJ3b^qMQ+`kxaEAY)R
zYUU12CiM_&e@N@`Le(F}exrNn6549+Md$h?u=dVR!~n(-_=3Vl&h&Jrwhq36dBBJQ
z*<~xc;!z!(e}!1$GO(cZn<*iN#9(Q+49$bfa1%jqe}ORVn@u6P3SBg!B_HjMl+s6z
zpL$&Qeon$_xdC|JE4*G6fv{xFzygY}zSmDjg$}><4;gQ)3r4XX(Ij5&nwo8H6~ym@
z-Z!<bJ`rtC0h>y;5iNXxWG#pE$y{2wFbWeSC8&+5kon0C?u9XkzV^KWbk@%IAdWX1
zqy<Ux7J|^@0V{$G0pi$HVvwr0q)nI%D~jd0Q*{=YY|<PlDJ@lPHol0Sg1KXTIy(7s
z?SXS3E>`F4w{=*7|F$%?<fO@an&!2|-v%@L;OG5e$@c$Y>8Jb{8Rjzi3((>U{o7yh
z;~ib`qmi+pxD6qrtHy>?osrr2<0yzP=tgkU(MFG&G*>pqc1U^HuKZGF_=b9n3zz-O
z+Q%@hqPwAypYo+XVvft&MlqF0RcLsWFiXDXNkO;8JF&jCpyf0aO@ONa&t}kHN$zP+
z5XtYB;^ZbgrYQvT*Z(=_O=s-@(wt|={F#hl-?ZzPqm-#mj``^(#yk1w?`uEw?#AIU
znU{5YgjV-k#3MaOIqqWZqyq116E_afGmlrsX>Wj*>OG0(#OrE&2nkSjKR$w!<Uy5<
z1efneVzgjTIJe|($fSh-;U>U61{$Pc5?pF|SUR(vAkljF?8>F^rvV_u#=Zx_n}A*@
zf5lUbHbSKzG^BO4pm>8~1Wz-66MD5Y+MaDe+EX0IbTBFJ>m41-cY9Wpr<0O5-ggj*
z9j??RI<hk-+7}wC5EOgOo-{#p(P~_OQktzN%VznyZ;zQU-=k}s#!H&zbDnpJknNr5
zN?c}SUAc#j5?Sk+EADFLwy9Ckoh8>a2jf>bB_*2O^1hT`>b>}f_gvIjbUigXvj6_s
zP(^yCpU^A$c6eSkyqzc4788+;X?XcE-Z<HiB#)R)1UIU(>?vk)9;Q{i19{IVl|VNS
za@zRq!R{u}_{nm;l+KCzv)GEj1jqPkCS@3kY&+RxRWN4;SD7doyM~SRKw}x!M*fRy
zsZ}w;c~@?#+38jI$E@D_V|F6*ccR4)&gWv>VcPKackh9GPAP|(ier(JlBxgBJfU{B
zSRUjoKN+G#8<mCR*4HmoFSR8mdglR?joq7{94OnzRF?Ggh|&7=<GV#|Hc^ofY}TAp
z9mNdt;dDpEPAcn%i|WDWldDkv3HK(`h{8VeIqUkkm8pRyUGHitU_>Ix9eKQr>3HYy
zk1S6M)B7{He~iF$|A~P&ZbbP~BfUcvU@s2JqwQU2ACrz@FH9%}wi--`nY96W2pXVX
z9EIJE(kp}774nc#ee3mbiJ>ZUwG*ECSmIW1^|`^@csdqk2kC<y)#b6}vaeS{=I(zL
z86jJuT|pBaq}M+=`yAVyVB!QfD;Nec(k$N@?@fyniW*-SmCSL${>#ubWN(}YD)eQ?
zSvY$%Le8*ijgMzLEbV+EXwr|z*RRMWfCuE%7rpLjiR(`8x~AfcCY9Bys*q0HloJ9_
zx(Z7_JWp3LAv_`qGG`ux<*iv<xbpgI*uFQl#lbmCAE~#<>gogvcPv2_w&-01p(3@0
zM%G`yxD@whPZ9QhCmP+X51gq+NS@{ymJpl{kSy+1Ksczp?ZF5n<e6l95pzpxf?tr*
z-@b}hoMMvnnfS%;<AM~`c3aG%c`RH&pzgFBQOEWMqF-U%_zi-RPmSns@{-)wiIIc*
z8vs}CE1$nRx{Nm<46}o|7lUP>I3Gp+UKKO1^-K&{_gVEqHNV}bf1HVFc8pMBlD-_V
zzLGOXBv}vm_Q|_V*K=C<V*zcDq{I`x8Q4A>APOmqA8HTSq)*mD985VOa8)t*aRnKM
ziKaCEg>CW+r;9Mx+EB)|{A)WctjF9GQ&Tu;$l1+^qxB|JZHFI@O>;+fhY43PS}Hk$
zT_bC+Ti|fAx?j&Xm4~C@sRXj^`%V4@o%_ztqH9-&yYryJOPv+h&Asylx0AEFk~kXq
zEs?o~2fy&f5=e`AvDrG4Yc(wtZ>C5~W5Ovlk~%2l4O<FpmO-%Ch3-|Ht-p}Xlq$v3
zG%+xo9x4Vf&U98jGcl;wk^86AP^f2;u$nxmK1WAR=a&;tIqT5(L}=TR+yeK4@8whT
z2xpzCz?!<JUZYnTfqu(^rt3y-WTNy_@~=S8AX1}jcm8kcELlbdgJV%sBh4r%qQSX_
zf<w&k#SEWl0P!almVbXfO?dlA-iYh;Z`c@&43rXlL|mk@Xmv`Z2la}xm!%86BAH&I
z-LXTon9!;w4*)n_R*-_>^esjwR{FLbG-bqxk4vi++C_rKpn?MTlyRmEFh~BMJknTm
zo|~W3jtYD<lDeWR(3;Ws!XYN((m$S|MYnpThsp{^!))#oSss@kXZA|*lQTM+<iqh|
zKVq1I_A74_%u}*sJIAQSl^O(fc15Z!2+uBFd+;rfJALI;LAS(VIUY_mhe$DZ@oTOV
zY&NL&gdD%M5Ngvuvy%Ju!9W7>VI@ZRz%W8n)iUY2vbaE4x1Dc){&ltXfu~SI!i)B;
z=uOk1{CF#fxn4XKlaNRr@oD%B+p22FdaK-$wm@%=+gEv*+;dL7-TO0!ykw0jy*Fhp
zd-O~htv(-!K4P}Rtp9=GSq|i>Bi~pPs4HUzOFmhTkTAWGBR8&<5+FrxS!5dAdigCY
z()P`dgC|W;%4%h@4)$KUo2YdGpTy<-P9p-NuVHg}m1iHy{ijMT!~%XcWig&3Xcsx<
zviDP_J`ub<1Z6lr5+1ts1#NK6(B8^=foMN-cl8|WiRG8oeC_gG__iU}1xenbv11_4
zlYErI2RBix4)AZPR!PTbyX$ft1&bJ{c=b!x{JyY>3?!qa)Q}FbszpaDZGpkU0Bn%%
zsx=o`mSpu#mWYts$jjwA;t>4}_oAUCfR&`Yi_`sYPxA*oOI-F`L4?gYHbvI4z(!A?
zZnsH%ilvH3pqn6vu^E9!eT|-*hV>OI>OU;Y5PY)G3N*kA0oDyi*I6|+qK_R{xNcs)
zFWN$~ouF^$^1)vVB0N7!M)$b9wdmsVwU6^9<!1eHv`Ncm@&iieYc*r;N5|%<RW3ez
z3%Q;xji8gXEKcw<32u`=YXw%-**MPcH?<`e&|!~AyW#u7-SaYa^ZCNrR3Cy%%>ToB
zV?50sa`-&LCH6Llu0--<7Bj9n1NV2Gqnz;&DK$Cu%Po(tCf5h!yckcs%v|npd2F44
zT@2dhv%Mg(p4Dbv(a+3CKM+CwsuUjmM^0(y5wviwRiFoJa6Not8&0O?Ytrsn9siLS
zvK=(blV`&tc^|IZSa(d!U!-=%XQX4iP$hzgdLys>6e7m%NPkj%Hpty<h41cA5-=)|
zH^s4%wpAMGXnmxE_P7X``5QP4Dx6|$BPmjg(@!tpaaKLrldPRGD);A=&=Bx8;wo*U
zCH@m1Rpx3?(wun_rq)ZB@2tijnkcJn9sP_kQv(iVj!PgeiY~`%kDtOOIW_m#gp1er
z(PjTsDfX?IlXsc0&{+L0ZuX6t<idYb=o$rhTMBE*gTA(YfNn6|c~Zkb){$=D%7*kY
z-%$gxqu3`bvMRRx|3YXrcMi*?#ScRCzsh#OTRjJ`qPy%yO+MiZoB<p}H0;=jruLLK
zxoC#Xi8Qi?O$OW4DK85%>Z{&x&N}UEyLe4OJ~}9=v~@zEEXxWWC<T9K@2>tNaH#)g
z3CCZL)tmv;R*6}j<yEs$5NlwkDsY;^9i+k+7|^}RjE^%`$>dK>%JaHJTHuAr!+ZDj
zYt5i=Mt}$C<g?GO5c^$WlZ^)--R*OH<tV=4M{b|)%D8TrV(QXR8<syUgvJo6GVwC^
zuhk!acQ(QJNoWSYmCy}!4Z>;Xi65nd)OZ&FMdd%Wld{2cVmSTc*?(9Tek60`vp#=A
z$mR@}FS`EyY@?#!e^BS-X2Gg8AH){K&P-Z+YQIF|5!*z?$z7x>+PQ;RokBah@Df<a
z(=dx`bIgfErBFI3mi~wW_?)P#I+8)D%{EWev#72Om=taAj2U-o^Ym~%Oh>td@;T*L
z^BVUjem<_mcp2>+7K(=^+l{jDB4`2ZxVt}#6igNs=O>@%(@+PRYM+|R<^8xA;^|3{
zBw(Da&Odxl;>^=QmtKvB-#>-6eRUy!!8Sglv{5f_vp9ImD4gRt_MKWoigoZ(R59+N
z^DNe-qO!xtv-jKY&fB=Z8u7GkLnD(s{p9muy1x&R*4C8*Vc*(msC}UfJoI@35tTev
z#F6Jtd>rHqEuUXzXycVY^>2^Edv8!*4^40Jq}<$=m4EpRJCvIL(z1AbHSE<yMTP~~
z%eSZxn}rjGt{q-z&*~4|$Mhk!ILkUa6&USCR=_;Q!h1e>4v}3w)OB_)C(O7ud*nfb
z2v*2)T?b~;4MBM<1iAmjRuKRbj-PR7Qvb?*y~NH=iTweK+JR_DveJh<R2!mdu%aeK
zhyKTRi6_w0T(!(0B!fj7nTf@<maOrd`d~)paKQwuxs{rIcy}8NhLy`|BrMYwO19ni
zT9p^Z&dT@Y@-Bp2Dp|l@g-Sc6E?W&nGyKqxUa`Zko^VLaV8Ed@@0LtyzZX6|ECU?4
zT4Iy(3;Ic%A3k_ncKA($y0<erQ8w)-TW&pTZr%GE%nu$7nVX^?jgyD4XgNe$g_Q>?
z&0lbWaIxhxh)j#??e?5H@`i@g)m>17G9b?ot3;&rD?m7Y(?A3#v#A&cw};WZ9hnvY
zN3Rp*H`aC{*`8PO)rL^me=SkkV$RaPdWXeJuo9nMOCC82bx>p57poVjSr9f!+is$(
z^V!=R(;!q0a0ZGCO&c!?yJ$<PO(;>N&=%?dJA`HFJOLafSx!hi?wfO^gHjQb;V$Pv
z69ilxYNFraCfn527|ylh*u(tFw`A9|tlG&jOMXti4(03&%K|t0J)3dXt^lfX`--=c
z<m0wtr9ReF1CeF_x67(%;(t%mv08pvnS?BI_}DdW9m!5Wsc*?suL-Z7dg}113YzfG
zGvpM2BU<tL#nO1}E@K^!3lv0V?lIHz&*OrIUF0TisP7TU9cFF#t{XPObuLEtUqm?9
zal{H>_59tR<KmrFoa*<pp#2NA-(`|#iE3vQiVlR{{D<ZCk8Kuy-@7C!ce}7S_({#-
zd5>eH?d6rd^GwJ<xs3j-0VmA2xRRMjknt(F@N^%mf0cenqRjeB@(z@gydukLZPd!Q
z|JTO|VZct8kJp#e<Q0qV5?L+Q4wxA<!i8!txWT|^tO|bE?EiJ6wVAA?zlq^4LXmfG
zK<ZpKc$S+JXFN8UF}F#&JR(Z;8N)3Y7HY*vo}4X3N4cHSGaKH_)9c)b-zwoP7OKKh
z7WXJ?rfxI#yVs9g(|dS^m*tQIOfrbKXqQsDx%7X9vB8-I%(+*Vx26U91Rap9w-1{9
z0bS&(aE;0W1EwLEHYpAx_l>|kTtT_l+1cEca&vz_*#f3AB%Wt~>TQ%lRBu8|w;C14
zpL@99zRxW@!Dikj+*?JJfgFFOPQUT&)qpaZJBTu)7=RFk2)Yc*7lEgGCmn0NN|I&j
zMc8cb%$Tut{mfYhIzzi-U_9j^H6~sBv_myhsvR?8j^Y5(T$$E6DN&Ien;H$|*NyOR
zSKXL*a~F5&*NQ<c)?WodUPpnAc~W}e|BJY@`f7vuzCOjhxI^&*2`<HpyGsb}9^9d{
zh2rk+4uKGYYjJl;g0^Uj7mBo0o?rim@4MD}H#akPv*ye>dw+Jx1+mw5%pV%8=#qcr
zfJFPG9`m(ShA5?2q?DK|?wU=C<Nn4)kBdl{f&z6;3g0RbMU70DQqAJ76zqhqjm=ac
zuh5&Fh81tG*vrzOkR>HVis7O#C}b^v+g!)o)vN|S*Jwpyd6sGnRwF4*Zlm?MB&yo?
zd|U4xt_xfN9TDML6zh=cj(4gSuo$&agW4OJeFA~CqvV_dRs$FB5NeQbL1d8&#A>NW
zrV;#dd3&3n@XwvM4_sMgZM6=S?Z~M(W=NiibQbr9wwJHx@+%;53@0e6UPY386E4&F
zABG2Ps<@vo7tWto*DerI9h}!i%IYkLhXOqr+^di?jZH*P+oLR_e}AW}A9W{4QleDo
zZcyQ%M=Pl*Dd^HwPxV**QAoF)Uu@0JEz_Rsb>-%;IBJ(3daLoGM;ep9T|3HL{tRJa
z_aI=e_VJ6~ymwLX$7b_m6IMD8;@Ct{uN@1`6?c%d@M7<?$Y|wHBMm0SYR(yKlp;Z!
zc$83JmIX<{ox<!!283fx;$u*)Lkl7!hl*R%tBcyRL_w#dAVJ(^@W47hD_s7&anEA9
zmr!FuTB&$#OCR64#dn6;f-RbuJU}0sYLt@UCvyzJa(8o9?zY$iX@#OaY;<_#J^R4M
z#&f2wF|W9yY1Q~?qVde-i&xXKIqN?f-_*J-Z=0N#_*QHNNpwO{>MSf*0ZlV<ToKCb
z-Vwnn#Y7b;+;ts4+C5cOTt=tDQUBy*R7jk=%QZE$sa<IO%<8KrftDDmT5tB%L~DvW
zWUw`PqBefU<|OgHN<x;C#XAqHi(jrmUY#ZrmZ|PRBrlanUo&}ATL$T2trm8Dl4cHG
z+!DOU0e$DwfDpLA^^&+^Yx!nduoIFCJ!vUztUZRZ4jTr)+4IvVN(rxaI<1#P=#3+-
zZu*4;GR&(06jW32%8gOpu8D^5d@sI&KSrJ^yzMkD6VmayCfvZhFX?y|_}O^cRfH4`
zrwG-CVdPtBH{lnMn7&VXXXI;Dulh+AKdRTS)=~7w`7#9J_3AZ-NeL|4O_V8oFP2Q;
z^m~hT;=q?a|9m}j$wgwc7U=FJkBH8ca{+jVXz4zs?P9;;R_29@IhuEGteRK04#+k;
zV9wnzqiWM|u^*PmK_UfUfkk7#TU+zJdm?N7PO(;>)dYWN=fY&IxR}1dYn>bEQ}*?U
z(KWxRJtk~(YMu<fF`SI@Q)!ZTI~7&ym&x5Ilj70U^B}FkgY~yLj}pee3vP)b126Sj
zH_xtBa1CYrp_GL1>gUP7p>tG$hXiyzSv16UAEZdm5XRQGFDQF91Gj6+?7iDZsOUX<
z<W5}HvNDVXrfWqYFfGfiJl-9bHM;c}J^8Br2+0E6_==JhurE%tkw|Y;rob0<<DLay
z@ir&JTC<;Abzr;zd2M^QxC#!MCD++Q!+*(*(TFz_DP7YIp0$1iAdg>0(X8U6=VU!#
z^kNl>pDKmMiuNRu@pEKtR~NrH>%<7SZu!0?=54bHbb|DhXgj$jjZ%@t>^gZ_lKL&6
zDPd9b4EcUKL7#Jn#DQM%K^71Z`u$(qJ;E!BsA=m{L~Br1--Up`s~EPGc;2Uc_c*Q`
zp^@uT!vOSWKFJDQwi-DdlN(_6w(^RowY}QbnAc!(=fA|Rdowd>mX1c=mKB>#U^x*N
z+v23%*pV$5K>fOC_zH$e#rQ0fb5{PA%j8VvM^EX%GHq%R{~P*=EaMnY@nK`D=+P+R
z#H90L9CtsbO3&CQMR0b?A0_PD6WjPUG7df($KznC?6hwpHQUu!w@Eh^Bu(s+u8s7<
z8Yz`WuVS-CaSS<#uoU;GFwx&~qRxYoxn_0>X2g6Qm#K@Q^YhdYK_xxMC43w7Vg~nY
z6!!1GEeKGhb?hbWxSvFX|8j0hx1re%F()#izKpd^qE5VCaKArt-Dq_O?fHGYQ>Zkv
zs*HWnJbRimcdkfFu3cTM8o*~Nwg79ag7odjdV(N%ixS+6oyTT<LY_1q1GBEXFS?H_
zUOASE47=$l8XN%;#e~V3Bk*`s=hu;cFSki1K4*uyjAXM3PEN*f5=k}<k;4nef8#`_
z4h38-5?9J;ul_#Lfz}<i)O=zBO^sAbY|2?u4tEHKZ>9i5{6djqVDB#ZmN|N$O9Q(*
z7DFwVfXrI__&*FwvB`I8?9#Jh#Wd|8e}&$Eh4iHFXD#Bw$eYh<MiT;b0bN}aM5Zg2
zJ9FTG&6rZ@oX+FYsSk|IWs9egE-kjC=0oswQ7Dl!^q0unekQu<j8*BYXGcd^Q<q_F
zZWuc^L$YTI<=`nt!>Td(RfI1|Xi4Db_eR4Kpb5RWlP5gl3a*dZdL|Todz5O8oYtu^
z?YexsTb~zdTc0;KII(-u>3QTcB)ecfczhP10%%2)x~MrEqWtxmT=B=ryU5<TU)pp1
zvbo`C=syo`s=BU>j2ClW=bpokZ83FO@c)RZiD?NmGe<u=qva{-iOr3@k?^QS1cCjD
ziX($7+1STx(+GUmzmT$eEFVzKasCjZaWca28@5XtNJymW=eN0PZAC8q`!v)J&Fq?Q
z#JiauSM4M?VM4*As+Ak%!4#8;EI3||cb{>g!w551=F$+s{82;SPhx$SW}fH_C)0}s
zMJt*SXG6>PiT3|YiM3b54RjYqBtISk=8M@%MTeCacqy<H1Lt{E9NOEVVDY#!yD1;Y
zNrp$wFPlH=jUH#YA$VOfLjw&a%O!VXJFmPa(~Z46T*6RzX|*l)AdQ+G6Ly#$I&|LI
zAqmIiM&cYM_7-(>66>#x!`wzx;)!>;KP#i}&!PYn47AR~38GLSX&NfEYQ%=~vWIY(
z@N=Vn8NTmyLJN0kOp$e@LSZX}z8HDMP;HXjxSi|H_za{n_sFzR<t2a@Dzl1X)g&+=
zQed$-tGoC?h6sBLd%}-18<Vif#X6#^K_Tf_Jc<T5ovb@1tbJ@wVJu-<Hlp2HqDyzi
zkn|9q?eMp8wM#tS<p?A2X~E%ES2~?m{|K^6m;Qn6g)ckKt(g&x#rK1y#+Hy^s~NA*
zYV*$5eqPcV;xAV>c+6@ga`gDjASJ{_^N3F&W{v;kVuJ2A;fUFR7@<yUA>sMvS7Rkq
z*@knnCcRnd9{czfb2=d|uF#gPM{`fLbpEH&7R0@2HMHXKFx*`iRh^`}2~Swt$^p6a
zIbMobk(MUcs~$>%nxy3~aZ&JYWi2FB#`RyuVCp;D%IEDZ)ho-ZXRct&0(%)6YZ;kC
zmcAelr@)G_791<dVP4x6gzkzL_ulHwZg3r({l&07Uojqg`(5aC3r2v0$!dEhFk_EB
ztgeNQM$yFWeU9l8+l0`e-{ovXEe6>SfFQtnHU`U>>gFh2k*rn(spx`W+&I$xcx7YI
z{9+<gw!mHwK1RgA!5Erz=LyMouoH6j0w?uCrCXdX)*F|&hO%V>Og*6q--@dkn8cXv
zIm=H9c3YS|e+f)&gO1JtGlq5W67xPR|IoiM7`bPn-4s3Z6@bVsm^I^mT}a`!fdT$)
zmPxe0>U&^MsQuQX)|G**M#qmsKig*0{&anCXN%U1#n4vsYzaKl_DyRYNZ7(-D=O&y
z1kY#xEAi6pFC}l1voDhrD`Wc2JWfS}<J00#%~>WBM@;z;BYVjldSmqWdVwtp#k@2H
zsYtDQNEUw5JS9l<^3CdrST*%SWG`HDyq~Z3=FCN}>9p625wpawZ;o!`8UMTlKUt!a
zvZ+&=$p_X$d+%IPzfbs5*#(5%gimN3)6_mJ1xjL<Q;Uh1;M$1F+_-1+pM6bdKOUfF
z{&<p*UIwaXKhzoZ!APy;?k!L)mnx$D!u0$!Osf}8)Oq_2T~Z<#xtleX>`KBZKVvzE
zP_(2k2Gzr;x4jC@w(rNo7Z;k&@qN;d4gJ_JbwuJFV;>a3rsn#ME5(}Z-}#nMau$&q
z1kX4XYw+Wu%cPi~jW(}kD0(~g`_B4AT_0yXEE-4A1C_VWgMs~oX)cqPEo%#Hx@?Od
z4G0#&1yvr?62W{a_QEU2!pajRnP>I!xMjM1OMV@LsJvue=?mX@)URi0$HE?RcDoCi
zWDj!x>TLGuLkEh*`SWAq*gpzfi73>W_%UX%h-R8o&Ob<Kyr+VMz9rfXzVV>zSC#>_
zQyj;ku~_sJ=3C`sgSy)VcU;cQ^BkF|<Ju~;`GdaFQ3{6*K{aKbQ5ZQKKW}^%7~Vl&
zDPj6<mWjdL(|gwk1`+>m@M-5fXX_ytGvDo<!`TrRdl9_shRTn;yHm=oiqdQ@a~a7g
zlrS&5gHZ-)W_Is<v3c1o=ku<ivF1X{Xm%o{wsX!szi2GHbn5uC)+v8xtXk5jyTiYm
zTRFN0#n2iUcF3bo$Nn~#m2P}+e59-2-l+SK8LVx2xg>vtdLSaBc2Ly$N%H6INJHK?
ztxk&cl<Yo_3c*DzI)`CK`njaW3%oO)h_3s*p}{GHpk=z-h><Cz1Ic^Gx#6K3JJCxW
z+-M*$`i1v<`%t4{fryv=J9h_j_&(T*;&YS{rwEH0SE+mov5)o<m(gM^**CAm^Q@_Z
z)VF1fg!y8(>N&d89!Hes>~<aHIx?(br1p5k=|~{HA}<*beC*YHuw*hsQG1|P{k3S1
z`<I%+A)GyYS=Mh#a_jv6xo7QvJkWD;Fd`HDjwr|c1O5?X+Beq>$2^^=WGV2^Z%b|a
zoIR@2_Ud`w@KFZ`{2A7CVC}Gx$W%kX#)A)sL~w^+2QMx4os3r-E`xlyb{_(YW7HlW
zaq@f4vKI5Aw=)Y3q2FNUFKug%3Z$Y5?72^Qh9sI3)Z+SlNm$+fhN*7NN7EjT1Yhtk
zyU*gYuEg`iuozxMV8Xu4W2&%gs6(15oEUir+X|G?aia<Wda`|kYEkPm=MQH{>S(5@
z$a!7?ZYv;idpB>asHZyiB?R`$to3sB-fEJr9eS8NFAQCZ<1%})(6?!onewPA^dIaf
zJ`hEDQ^c{eb(VxWi*q=_Elq2hy(;q>U1h`#XW8}RInOPeusp>KoK*?&G;{7c9o=H%
zEn%jRS8$GXBvAbX;yuwMuCyncf-b5X3#+g&GrB}(8lO&f00?n>_^3Anb|Qc+TCCli
zDHp-tv65Qs7-?&Ttex&`>dHHJRc$1QbpiR^uW;`h`EFS<nDhVX0nSsOKYcMl6N#TU
z<}Jo)2m;buv$cZYg(^eqSRQd)wTO(rb2fQchnJnK%?ddZ;TqN?P3o8j14-kp!XJm>
z+7U!vNo#>`zp6ye6g_ipw=C^%OW_YJth2XbqKO`}^_0C_vm=r^7JQwO8qpY(8(|No
z<M18_SQKD<6!upA1=$8Rd}fMOK-J7-zLJ5~W~i+1Z*1fo7_8`R#3Umfv?)2u8qu{p
zY}R2iR+jBtgkZU>rW*riB`?Acpkb+0&JTat@z(Ew`p)J?{JN#n|6zbQYFINpEymxA
z$+NXh123tMf_d3jF{{SnP(G|Ia=PMWb9@<vu*ELp%NDB!wRQG0D(()+NxEZ9N-+{u
zXSiTyhkc>Q7Xeq;)xh)Z{CWzo-#P5*$D8P_Rd;5&pv~&K#ZhO7_z!;lG@$=561D?t
z<r{A{5%fU89URu(mrgy_(l2=G$AxP-dcIw?BdG@ioa-cEZq}{+_b1}0bK2L;P|FW<
z8)o9C;WI%dNw)bxrAd=XDHA}mc6{-B!oNW5D0feyjOWIUM+<HQO&k4&GM^$heV%%&
z=$AKFul74g-bRrv5)o_6+0E8A290D=m-IUH0QKN5AEm${ceo%qL00gsS5>l^;I@PC
z9R<2;_R&;wQOwTFL7|q_wCMvN-{K-WTB4vMLeWR~@E1z2h+Au|(zk9$JNow5NKBnr
z(wYg1O31lcpMvZW#%aXp@uE=xMDi(b0>xOBL^4~!UR3<73_K99Z4sU8{WF^J0a>Su
z7dd(o^3o(#tt};W!o}hNYrveFZ=(SF$CvW6!%g=+vY)ib8dob+ma%u4O-6si*+d?D
z-~HQDg#U=H2H&5eQfBjpZz;f_FOn_`LGOeQm-^NuZ$^p5>+0vGo@yg=^DVvDE==`i
z4Xyak-?8x*d-OEy%tVEoV2JczFh=*CV&{zuDH}C8uQDjwCBOf!S<v>q!`fEO%mc-&
zGd?>T{^#45&~1--SU_BW8so&+g<gDbO2midmqRlAKc?d?3?k=UaBwWrn4%`hKL>k~
zZJ_T!nd1HgmDE+{`fF&v*`heDyfGNMBbS~V!}2)=f6Q>2tGH3bT4WsWP}=EcfXNuU
zwL8?KeMF!45;K|qlfRqNk-V}=qZYnx(o_1~WD0K<aCJZ1tJSzb%cXwJ$Rkfjj_T*!
z4ysPYwpC@%>XGf|9Ao3HJ~y_`Y#45lnt2G$W?PGr5f3uLu#4~>L^Yf6lJ=oTn-_Bx
z@ym`7gdr$|%P*WUW5<F+L`+}oUmN9c>L=D9WqXNd!k6o=3%>j<m`>Lit7k73J<~+n
zJ;VBqrZ#+2cqg|X(MX-o^V2c0r)i?*gzrp};V|vxuqq#b8Oul6-x&U8$#{@Qgf$te
z>%aZ>rZJpT$m#yo_*P9sLxaW1ij7O}6+m6(%Wae$PH&YCH?#DJrqbH<&sXUdv({c8
z*~XAQk#Wp2v{3G^#*MS)%z#3R#X%<_Qt&W!5uLsrMsZLJ!<W>0trR}ZiWnj~Y}{VN
zo{+1seNzBVs{Bfnxxe{)V92H+neOq#QFzz)pQ=s#poQRH`k>R7luf~P@1OnB-3kqw
zy^@e7U3InV<HezVpGe@ai1nTNOyg!jzl%fub}Hx49<nRdF%Z+f9Z+TCv+J=$b9S%k
z=?<jwfJ!_rv~-=`50rAby9{<1v3Kh~<xVPX(K}6m>B+dYi9{=6x}iBfBp2?2&4xRC
zuWBTmO=r1hd_lkA7p%qMR}r&?)NNytF~8^qz}<ovjmS9F`(WCESc9l}WfdO3>4Y^K
zfen$)^-p*4G{w$A66FwvKkXMjm#ENv`9)O>r6Ow>@uiM!U<gQ-&&y7xpXMFGa+3Zm
zL(>n_AhYtDY65?zd{9s5Jpqy1u$A#!26A%=z<^S}H?vhT#hE>q-8E*P_9}n2+3FE#
z8-clE(ACHrxucFE1ecT52Hf)OnF3$S>f;5TNs5)IQ}mE$&js^BT`+CNBd)P0W7n8<
z%WqY^GCKo{Mw7`(tB~ONCRawz8jGuIaw?#HfpXLV`a(GTL)>Afzhln*mD``#_J@<C
zwFrG@2s-F~H#IO;%1{B-Ake_d4#57JiHlQ#MQ_WPDKe)V24~9+pm&122dA<OwPn%+
zKGftZgdQn|oE<E)!v|l<1&}VJ#x3@3!~DrL1H{iQodY2U2U{rm3I_FQ-qH~?%>t()
zpiCKBfr0UGHG6IKsET;rmDorGOSjGHH_6Wi2{cXj*0e<}FQoWM&h4il@Za0t7KMJl
z=v5#87pU0NTRT4qSe<B>o-pVC(C@cmQN-~AG{g@v=+);k%52l;B5@-djho^vJx;Xl
z%LS6e3;ly<^KxPCZ2Joku9((*_2mPqXgtGQvM<D^h{~W(X*b+sQIJ>c{9x9~J-E%+
zc<SZ0IKA2*GUah!Pz;bDYW{lI?Bh~NcU(6_@(#o+f_u>b2yM>iPDpCooOkl~nB3nC
z=C?&Wug^8vE)Fl+^#9jnIcF@3b&3lHHx^4m?&R9w^nE!MCUilWHr89v)2mTD!f}}5
z<7;8s<-E3oA5W9x$2KUQKjxfGW}SW6$2JRZ)B2?yV^0m-gDLs{;WL4UEE>xDIPOop
z&WnD^#q@r8JpO;k>u<E=tOKNICR;OG!9zBakL_`{q_Y!4AU1yxL)fQlU>E%>MS8px
zEl|U7@i;}C;6Euier!2;P17~|jZ(3!Kb0DHtxkdBYZl>eaAzLp$Js0FdWQAXMp~mH
z1aiQ+P!E^f(xmQ4*Ifo9;H3jQ&U}G{7GqxqH{Q;0X!CT7ZY`HJyh(A`uC9pDsT^*)
z#TpR++X8Ncz@fptpxTe_FU8-?f&tIW%-v+Tw|x+#nufZW$)#$6?xoMlDEYo7RAm(M
zZ?irqWeKrVY%<7jX6~<cb!pu^bVMzzuN-qj0B09>Yn$o?e{^ZcpSzgm1h_K&)D<9i
zlHH(bo>MSx%=1j^?%UX0n{||lsGAY>pls_CPWl`}sN_{Fk8*Es7wsgn!{^}$a?ImA
zKYVXkO=gRbH|Kp|#vC)}K8yaYAEx^pi&J2$Y(BTt35;^wgK%<vQ(J5zel`ZX73I~Q
zB5yk%sJ|xtxIK#$K}XO?tqq#wOFnH1CkB!8)~>@{l&Had)l9)S8BlWUECM=5-7J65
z*#{f|E?HqV%QM!=?y?0bvN*BC6gOZ#$(955<9nRe_oP}Y>DNgEHXTFAJ3{C}ChqF4
zqoai)AZMdH_*qCx8&29f4=wapd;ENZnxkJ{qx=Z5D9M!cLA-`4rwC@hn8eI$J7|Z(
z!x!rg^QLQi(4~Ki_S;oGkDobk5GD+<9IV^*$%!ees+faTI_2w{G?py4=?b|jo5-8H
zrpI*DW%x;9Gq4d72)Vej=`06(g>cgKp_~!LVGt8DEz^D|I}I+Hfo@9@;|*R{LfJSW
z9gQPd&w_`ETu7Y}dcpXt7W;s+ZHGSukQ%pq98(#EU(V}3c!Adnd`a2@Hoym_+34`)
zj@b#75(3|rTVu`~T$+A-V})DHF5$jyTPM9@63Lrb3R^R3!o*yM@nJ;P&hblh;Dq0=
zSyu(^b8}a;`KGZo3m80Zvyqb}T(@Cs#3AOGnf8BEKi?Z;v(ejvQ0uA%-q#(0&}eUl
z#aQtMy{Yl0qSE-bruF<_Lr#F?6w^K73p%aU<7*(M^K$GLrUJ!0dgHk?G{d3Y^@4RX
zBnuo1^|1Eo;=Q>lj$HlCKtvSx*a_n6FK($?lN)gAn#jpq0GVHJ;pjPOzm&vwX!s9<
zDep&6n`{Jn>*TX`YI5UcQTz69oXzf#qP7i;YOfuoajfp@SC{@(S{apaB9x@j6Stw$
zb6Jfm;-9w2GkM+~BuZgr8$c@;;UAb9JltN~&+_RA(UFo1FhF`muq_;4Mis<3Z_WP5
z#mzG}h1-ltfAY`(A9YTyR+o?5iBueYEzNI6u<-^l8qEi#$8)#jaYJC1dfDegyC84V
z%b`spN2++q!p_*a7v`hdTyK);UKSmZwr~A<Tc)6$EoinC3*+u>iXq8}6AM+9e4ZUl
zvU$jIw$oW>caAOcY~!_=BXNcp+Vh%un9yOeji$F+l?ZGuu!ussb0iE=Vw$s`kDpL+
z#k$P_xGb^k*WE1<2)}+o!yTQTANQcNbhw1^?wtLGsa&m}e(QydO?%hnRjJBP>uARd
zIu5#*xOj$srp!?z%~EZen0puE+=Xw}TzTY&Qa>=~6}6Sk!yeY>;gDX4dSjEkNH--=
zRcDTghKyp)f8v}upUao-n~&^<b2&YWsNq)<cb$(5KEoJiW?U6K=&qLjHegp419y5a
z4VS@pJ1>B7w__tlT(+vMW%kVoXr|<Q{d*9eHgGq4!JZFx+^%(g7;`E$7hrm-NOw+U
z8QckN2_yz?8r=fX@Ol*@*SaBjEwprb#WccmjDKWPWrqwQ+SUx?g&I%7>+t#pLwGXq
zy%f25%-vu>WCtjh>e}Rrzqcym;@@OI+<S1Nn9JC)<rqSgYTlAL@$}KICCGQ1?349$
z(LBFmgr8bLw62!AH>c8qJa(Go?mOlJ?a*)MmR)F+C(ybZMb_TEchcM0iaw+Z)8H@m
zZ^eQW^rd{Ga+l$sz8K{cmd=;dp}d#`|A&$EgM}-o^_mkIeAdV()ur@y0zLD)vX9&$
zDkfA3@ehI#MAYFlfc>(TNt=?}IWWq_*SYB1$Si$roc>-^jjUDo8GySJ<*o7Y6t&W#
zvMFuL+T}9b+L}lnDn>2B{jpJ>yIwttUR4xlBbY$gnYNk;tj*YPa9&3Ln^eJ4ugj<t
z+C`f%Xq77l+zjHY^zSULBkJepy8w6?)o`Ap`2a5^ffnvCkJIpGvrr`*GKoAM)2{oP
z8mLZe<oP$h2UEwLRh&+B$O@)MQ=_x~2bo+m#V}?c^@t%9k064vm2vaa-sV5?6lpQH
zt|e9G&hA`95VQB>$J{iA|1cPpl}oq@hSQ$tC5>a?S`(mQbPxmRqPfI-ZasujKwi$Y
zy8417=g}V>WUB9OWqkgN6xDp$A5m{8Z)R8U3m1QqU?ghY%2eIX*OL@tq|p7jNYHA;
zpxxk~F}2&2|3)2a!jjSDVz+!Jb0pp7Q*Hf)Wo%^;@nk+-3WL_qq$B!-gZ2-SXnbMe
zH#5KAtT$%uEZ<v5{U|2!J-w>4@j~gQ+PA$V#8m$`enI?kKy3LN)nn;qil9qWC>&CS
zHhl5zRrFt4`J2Ri;?6^xx6_l6;(YJ4WZ7}g^6p|}_wJ$w;%svl3w{4*T27)kSNQ4@
zi(qIcF=8qhFmSieI+wl!6L>i@*!3W36OA+^T6G#dI(DK*tV6#zY_&YS9qGBJ7Pt<&
zf_t>m<6C-kT0vfIOEi`Tdm)R;&fHKW?@t##NPbu8lHvEKNi9gW4O^*A{EEe?T?w%?
z{iu(A#Zpzfdo_q8F+F4>@&Z9q<9@kph+Zx9tr_p?GVH^drQohCZh2GAFr}4ta?fjN
zu{Jpjr^G<%<rdw#ppzjqhB&M*z_gnr-s~rkI9TFS_tw+}m;#eNr3Bu0p^d9ZvV&1+
zL7=7uh25O8j=J8@m5^BL-rR2Lp>vzErX;9?mBUp#P>_S*Wab$2NG=Li8f*WZqq+9+
zaVODOeh=JR5)AFS_p{dq%G{#I1_3_|dIkclip}w<oS0R=m<Txgox6w|)0{oU$przr
zay#oj<3t4j3#73NJs7hqJ-voeddw6>S#@HEbl)gmNyilZD<mulC=u0n`&JJ4_RHj=
zbL*QzwLXK;x?#8_q$9}U91Jn}V=X{a{A(6EryX$|wECtc-{qPgr#T2mF=Apa-Qx{_
z@MpRsYcw@J$JwF@p_qKDw#mR6tHx%MSKh#c*=TdO<-*X4yM>3<IRYDb<B5>&n-`kl
z%=GAi!|jvo+n1=BvGUBFcWx_<T9=!0`&4z`O_-kXY#`6)<TmTygqw_v4!YUgXL1V(
zZsW@u{Q8j0**mmkka(OAY@a3aQvOm<ocO+P_GAJhHw_>eV9oyh+~I^GS0UMD^mEw>
z@3PW)r^)(wN;IgQyWD8Yg*r6W&S;G@BcCLi5mcs5aCa%J6?M+*Q1j3J%Ik4b;y1<c
zKX&^5$L*f8`Y(*EFKox8Rkm&=j<!e;*G!I>19STq{8`G!+~e%%Of1{*{?4mCQ?|f=
zNs}eqhAeh}_GQB&Mb2A$M^-9BJKNaTwk&3#DvL{pk4LlBtF&Hp_wzm8(t7L(QXs+w
z&SKRJjbA{>UX2S<F{LC-^j%7Jf?B|H{MOt-$IsD3$32bXt)NRA1%@|KF~%Hqv-+G8
z8Bx)_zJ@xMxH@U9&gW4Kz!TtV#Rt+ML}YmPgZFBa_*$1G>CK8|T$_f;BbYKb@>5_{
zvroD+91v<sqC?uc6)f>0T*g)dEuk~Mp%)M>FgC#fsh_czk73$4(qhwbP@ZW77g(~A
z&Y9)b*km`<M827BkP|l)zmp%4EP%tEWuZjoNLy|drseQSV&~{gzW*>pM^#AObH=A7
zMhLL-F^6#7ZJD61$XMZ)pA?@o&mw|e8B?NC7mQZm$cJ!7fY*}MCH_@}+6H(dZMC*D
z@SW+iOh8W0xf1o;K$w2|=_ZGo`>U+dTzi<MEOd9@y=8n~!jzex8FMgis1w+E5p9|p
zX!}yr6T3cZd5CSRo8gtRs3J-95R_?Gv~^Ofa@@4cELWU!c$c%=FxZs$o@&8|(Zef-
zFffmO-75mTJ{wf2()p`>YxAo{h_F!G6WGDG`jC!vM1@$0jsnsy$c-+$C=F7XHw`%x
z36CJ%-Zq{^mZzD$EzyE`zt^`nIQ^(d8k?s6;TrJgi-f(3jKH_Nu*p;;KQ*YOQ)5|8
znDo_mo+l=3@E5z_OQ$NB5KY9eX|gVX;cx|?I%p6KN0`2+3DFcbDAe#jAHXM5QMd!f
zc3t$TXu#-TtMhEB08><&FhEv&V|nOG?ZR^|*IPncTd#5RDKl6-p@`ZIx}IYx0X3Cv
zsx=kLY{b8*cJf=hQ?`8er_;Sec(sc#>HB~zOK)|j#2E6!BjW6&3iY_vS@6r>5$Bd(
zCjNou9s$&~&5OxqbN3%>hA69ZfkJ0vYK9-<+m|iW?QQs5x+W~Hb4_ogCl9EtJpYhz
zgdb~d^NMf4EMU|`#r(*iboXZ6yg?@h#t&#;d7yAMSG|Kr#a|-Y3|xU#DQ}#uq0cQb
zNK<ONpuZbQ*6#LSrx=--19=xC-V>#qnUYJP!DiHiNdGofRwp$v^L(UmnC&Y<@0;JZ
z2>o__vM0Ja`3Z`S6ZS+?8pFGdQ#R0+F?g6a+Eca95i!a(t^)E%39KWY1b2Tj&!*@p
zgmZa;YAOnjn?LW@tl<WBseEQNnzk~I$XDCFLG{azTgUX*Ep3J{V@ge&7jc_@HsYv)
zoE_~KL|1sqCFx9Z;eQd>kw%EMO%#kOuQ(28+IAeZ$Y=5IO@5-5%enoD;4_OfYcf&y
z>H##qd?|t%)P7Pz_)CkLJ>7Pq*2dqopR9nE>_!I5tW>z%Te~g&YsfKxL94Wy>u<V+
z!J~1{1}3<z^`h~`>WzLUq>7a}2gThH-l&B};bkDNvLvAKJN63LX!tmHX4z|lYd*ld
z%ckhrGT>J#X-n(!rG&)R-ygMiHQepu9nalk6&lTY$hJwOxIABeLw)yrCLuXDjPC+c
zS2}q&Q}a%3<;{htkbj|SR(EVySRBu(-itYp<KoPz?W5H)3DG>nrp(64h9xyqabA|5
zkWASc@gebti<V2)8NXgBY+(fe+hvE28y7(<COVd3hG?Hn6m{d@>5ONi>Wl6L&u^Kr
z<4^7^e*Rb+EP&cTBVg;f(;q8n90q+G#uJ-4#_?~MRt}R%LtTtVUGfiaPW(H|Q*)(Y
zZeHgE+Wh6*yjV5cpSJc-(}v+rFZ|Y^4ciuT_myJCuiNU%*K7r+=N_KL#O$+M_Uv6q
zF=bYr=M2VM>N9AB_o5{jwIZ$Of*np~qI2-rQ4#oY<|w3Iky`C94V=VcP4dSwV2*f#
z4Nc>AM777V?@&~ecz9+}%DbT26Yq1Y?*${Kc}_1=9^3+1glnERV7U3Z3XV=lQH*04
z3sPcfh=&BXl&H!`GHi&LYfD*$Bz<W#?D*#eS~@b!GXM|M=u1B$n<{3+yM;GwbkvmF
zg)W-GtqwEW%Ehtw#4*nlQ|8CDX7Rao#&VSL3b3E)V5fbfKH%~PP;0~zX9h*@?@#Bf
z-);Y<c~ag|KDjRz80=rQ%;OL75g06y3nywK{0(w!Z{_1NtWXvHapJAilBJQxhcEj3
z;bF*c=)oU_@A*hAzN%GSX9#ICgxrq;kWaCUGql<*VXPeuMt7>Y#r$2V1xwGt4ArHS
zgcEf+P66u7^VQS+ap6YHORmVyT1D};)s+gBcxSOTDvgKI_kHi(7fI}!n{N0D4Rxd)
zcoY?`ap9^vluUIxe}BI%T{_y64nOK^mt$9-s{z<f-&_Ps=Di^a-;G=4|C40;{Uv~6
zvW^Fd`w9pFKj&c6E2cXl65oyZ4@1aARto(_%;uI+HRW!P;=P@NNFcNQOs$`!b}UeH
zbCU0bKabJ5nR-&Hb0yQck4PKzD7euwbHg>ErV7*KO>7bn7~<hy$o_<dO-^#J*n=5k
z!387jO5rEI`VYf-&y3L8Fm@$)P<|oYe_1P+Zvwu_jM#joYaQY;qoQ-u+C1a$?5LT?
z?+62!7TTw#Z_~WM{SRZ4%6g%R*+eXDvI0^(ADn9PH898Q^g%{Q!MK~Jrr6FN+$cLU
z!eg|L<nGPKq*W#}oH=X9YVPBfS+eq)mk^(FMJcN$xHkZEF!L5ZBowIn#q_d3y#q0n
zsO0#VRf`b!RMt)rOob7|1@@PAd34`@J?c%1ns}bjif`Ps5aR{us}L$%&sh;y3((w|
zk~{IQ695CEg#reKH;-aD2m%t`9Hc!T(nCzGZ9{d-c%94&wPb-!o7-#q{>S;IQt;8J
zMrV5bc9HsdfsSfYeNKEO&H_b8)fB>MszsxhPAsT-Y4F#Gsx`1H2eF9!s-qs5ACg^D
z@N&|Rc{H{?pyvAi@?2MU7j)TQ1E~Q+P3ExpZJl6dt?LTs&(8=(IN0Okh7t|AY|j>2
zTr3qhX<VqC%36zPzAbeNWPK!Q4UVktcKjr<IMMT!i94$vw%ODSHC5Q$7zNFXQ)yeL
z{=zp&aSWkxQQv(jRQn-_21o(3q%qJ1he<i=nrt15Asb}|Jc{=QDw#6X#>7jh$M`d5
zn+XR-(G;Ga>C;6*FFBSR!K!#iG_F*_js)aFRIvXr^55!OG@S(}v<9_!%3QVkHBoEj
zeQehY(stk5MI>6PucN~5`|1e_nu@~Gf-9P+j)!Sj$poE;7YX3E*=ED+Ew$i<<1Lf}
z1yT36|1elJTiihwTFXtHsvw{2?J9HnX@*s)DG3o8P}1;s1&7c#|6vGg%`By+XS3<#
zn{yM*AB1s%BH{)tb{*F%KX^{{<~SDN{04QoqMDS?y&6L@`VQT_=y-FxDGa*Q+MpaF
zgT{_9a{CX!B~PRBP8v&zKDUFZ(9+|;a){-<v8hx39opoV^WS5y?Od+_Z&8zpkQLIF
zqWcZ8vx$6P5?FiBjCZ)iKu=umeim2iuBebo8;{N6A=eA)b5&`KObzQ(RQ46t=%$rV
z%Xqds+h&lpUQs)!U)R3Q{4$^6FHP*q2>f}y86k*|Gqhy!a%Fuf1BOd#G(0%u@{Iho
z=W8ysX?=)pkLNtjj#6JOd$S?n6?s|ZKxW%pSBA!E*kYy$7rB)b@}fLv@v5m~ovczU
zD!(@&*1Bzj?wW+}ezlcrAZX)=?)QW%4aLq@`w7qFa((*LcG&Xi%%}b&HTe_mF|7_~
z|6UnTJ2L^uY?X9AHUmw`PAyRy13p<jDw6N#^K$CV7PX)a`$;9RR;Of?vr)E+*R{K^
z*^g>fZnsNiUI1|fvYv$aAyK8ie&)_po2nR9Hs`r@Bpj5_KN3&lVn)4?YD>m^`}=mP
zIqq*(&wm&%f_zTj7JuYKt(T6H>}^*I@Xq``7%}=sfzP&o!S^S3t#QY-G^VnPP{pa^
zW%qC^wsZBN6o%lr{TlrR$E1DUSi^=#y&~}S3u^hh#UBI*U!I3)mrTB@^gP5AAZWWo
z(AKIda?{%b)m=Y@O}*eEosynu4Iko1GD=`MW&Ef>>F1hxSQ0|s`zxg&W+D-*Swl?D
zcJg`{xv4okbGocY6ZuZ$WQD(e*Aj*WZa8mq)6yo%zGwDffz!_VZO-F*7M-G1n{y0H
z(xj8FLbsj2<QYE;#vLQ$PmMpNM830MbLqI^EIf3mosEA+Qh4fC*__cPJjv-|7hZ@G
zBYg-F*j<&-2+9Thvnc~$g|k3@=>R8?-j#wxu4<V}h*bwi{a_mpEQSqeH4Sr%qJG2q
z#|kICNk_J{ybAVXCAg($a_qvZ(C=OCo;Yc_@oZ5w-(vY-9l`<82@;rtICx&<+C9Cg
zcXfB0*tBJ;5p>7jPu!U;9hz+Ys`N<m4Z2XE5sVW(q)@tg_StIV$Yw{-rn%+bvUc+Y
zm(P#3HPZScN*TA=@xgbq!@ORp6M@;cuZq_1&b<~tDQpJ%oh{^X(etOWYqIQs<xfq5
zdfYS2An7Rag<rJVtBK?gWX9m4(=)qRvG=9uy|B&!M<JTqO<=L|%dDFckm&&CxY;NS
zDKh4{#b63^YO@)f8Fc2M>&$5P)9SWJ-M-(yl#@43#Qjt7s>%V^m_oeR34f7LO9c~G
zk9%C9GMZSNZH?$f-g`}&$ZmLRC09E?lvxG2!8N(ngk&(Ew?dU(gpm4D<8*phKDWo^
zYLt)@Ej0nmaXa8)WYu6VR&+P#k?|$!yjc#3#e8n?C`;Wpk#}_d+E+zc{o*_qM-T{%
znAC*Ndgns{ZSiMD(`Rg~Wp1AtzI&6rg<JADty~8J#DRRL*Oa>x&Gs*qxBP={q*~?c
zJ-S}Hv-okcyHDff94POs5N*;6MJ3qHT%&3k4th%)f6Sj~iK=LuQ^4J{W;Cv?F|%nQ
zjyai#RQAFG6;H(HM@mctyY5$WIEzmB!`&x~A?)V$X;f^s2#AQo13JhjusypIbkL?}
zYx=d-nDZB}m+O{xW1|Q(xS!&j5>BNlRWB+kij6+dDqy(J$&A8^7O*KLD%c{l2v~4z
z$Kb$K2K*xf^EW4IY=O<)^Zqym%<ey>yYa$<S&Ju_D@G}}JPip-n}jlwlsO`xgkLtt
zUW8Jv8$YI4f7K155B~GhZ|f@`GO2~?(j~eeEblD456g06!aB8>ZR_5oLr~Xq+M<sg
zVT?70sfx~Dd-Fk;Z4_J2*F5iXL8nGLXyQTFmnO<m(E;9u|2&hCzzYZlwj!frG;5u_
z8Y?jzGiKSaKK>v!nPa019Dj>QQ9sf(p+ZgOTPz$}y@2Ia`u}Znw@OWo3kvSlB5g7P
ze+>py<=ujdFda<KV|=pRik}xi6!3rtv--5DQ+D49iM20(ayh<WnT+z~bJb%*6ANaA
zLLrttbEHPplBY|r_g4Y!?&xBA1|(xzrJo2ZJAoqE)ml>>+2r2FC31Qrs?3=1XcN{g
zb`+H{1C!&IqWdWN6j>M<el0MxGt_hcABMMeq|DPjYHg_h=@Ioy`Y8nU>)p-qtHU4E
zI7MyvCb|&;8=VPDh$9k!9rj9Oqtkcu;`#CHao^o@{Lj9#N;}Q7E&=;|V`F*5cpoGu
zlSCnV4<21D1CXjf-1X<u9_$c0<ORt+Lpwb`y*5pId&UN%z#QgAvM*M{?g&uD5_`M=
zVQCcb%A90Q)XLh*=KPzSPb+`Xxd<DfU;Y-_uux|>K<WLwp0ymyzSjqI(9Z5i{G3x^
zS(yEvKVLj?+jZGcoi=UeEj`2E`UA<|baN=zDSuO@B=hZo(@baY!<Ex~=RK)VBKqg_
zh%?_Wb@Zx~^dhOyl=%y!RAQNk!`s40?}CCvvW#S{C-clg+=P^Ad8v01@@FpnmFC{s
zO(4r{s)|Ftvs6`MTEQ|FMY0&W=$Hm>9l4Jx*-Y~(^kJ(4=Hw~T#I0UmHFZ7IpcE#-
zaZ81unJ!yK=hBaMse9Gv4(_EwF4#V1Qd&p-h1MS(<Y!*JKEgi{<n6$^`p2s>vCDR;
zUsEdJBBos7W+ZagGL;hlHoD)YtWPvA%vH?Kna+6o1rl)cg@*n}rL--4NPa&~$018e
zCW#=Rlr{{zTuEX_24|tNLBSFRogNu<sJ3o{<&oqe3#!V6s3QPH?=}ETDlHSPWor!8
zu`h@?9+L5LPA5-XAhA||>bGXY#nx|_^3<S^1LqBRJ!sZrduAO08WwZ{PHI(1H#lDB
zdIYj}H%{nzR?7@r&eqJUq-?RV9Z%AW#L+#7XxOvEjqO~t!XD}Gnb@t(R5teh>RT#1
z{s`&3F4OD%IJ`ysTQ~F7bRzjXnxD4K>Qj<<8xQkJ_a_gvQ$TsxJJ;P$AsJ_;wYi;6
z&E_j!fxNyP4f~c}0%?9OsU_t4lw`9NJFNs<xZbtDgs!=7a@R9w&WPez%KQWQu{S3S
z#Wtv?&3mR~rALVv;|M@1uOpq$b29<tA9)hvr(o>~q_MPEGEWo5LekfbefKE?IfrxX
zes&psdkxjAXd;mwTdC-}iP+dzK3#b&E?LK<)ZgT#xjDx<@_7$CN@C)r=+J3cUVq&a
zGs&XA3@Cl>CB0>lGWr^E9$8%<gdBUzxBQQWiXr2`kT9EQH$jUu*CYcoXvR9?zR>F%
zL-D!)ONI3bbN&0N9)#kCI*0HfyUL7;HFR?|)hW)yCn~2yN|O`SZU!#px4+`xV)_jz
zCgiA0uC=M?_`C?bl)rh@``3DWiQMv=Vsfu%@|!IB|FZc0kHQaW_x^#AZY%CEBKusx
za@LTU_p4Q5wSWFU3jfp41ry2pjAJh4iR6NbXUem(KS{nWq}Ov>-#h%oQTasj=1rFw
zMB>hpd)5@H6=a=l;r=Bkc*LRF+bBKoPm})x%UtTkXq<pv%JehOQ)FDv&jc(uVvdb(
zi4tkC^B=}@>Lxej@tvn5!23G^b80njR_wEwFgb+7DI{%zZtR~7CYcv-*axCdUC&zO
z=ELF27#%A=w`ZFzwLNC$1z6wIhtLeHi9m3rl0O2AZ-f<Svh7^0vQh)LzHeXPe+zVW
zy0HqDv$WWaA66iNWl*6HKK(2G|Eag;*zEz;#Y{03c~u3{Ax#6j^Cv7Bc8!Ga`8V=Q
zMrx1-Dsjz{H4KllI+d8_Dn4bE1P7O4!quwxyAWP`jT(PSn{LPO^Pa_t491zq<RwAE
z;Ks+xoL<<>CYz^o#TKAL3fd_h%8)e2wVK9$rcKmYT20s9Md2A?>uS@N`G9?ZPhmDm
z=Ux5Oe)G#SnDov={&%X&+-^d{47`sA`3Ixb_AkeWjO43otI2x~SsaJj6(Qi`!>vt)
zd&y#7TSqxt#q+N?zn}6aZ+*IVciS$>iuIughP`8!?f@sP(P_+B&HN3;rt`DW`Z|&D
zWjg9Pe~OWvi<CH5{s8N%fOA3Gp^#Y%+bqpCg!P(b(BRS}-2Ezqf`sbqYl(HcPirk)
z5CK@Z-EY|jPQP84r<*MG$|JMTCjP?jAgMm`vTnMq>uYRMic#x&g@GFe?418&!j!Ml
zV(W`4cZWGn4B^F|C}|*8^b5`4uY@;`Tr_#xTFxUpo(#v&E4#iqccn(NQ#R9>sadF_
zIMyo_1(P1T%B#1<cZ~>hqmcbhZL%CVW|Y>RAy22_wKw)JohFAZaaXpmrDR9HU(6KV
zg`d{5E4fOGCUYzG612IU>kY3;d3e>g<DyAZ5e@!VC*Fe^HLtWNAimy}W<)hmN5Xer
z-?U@v_4J)*Rx%xnKd5rM*As%hj~l$2TGRFvX!A27sB7O#I}h!fv~jnbTTE2q5;W9i
z%4sMY8T}b(qLZb{#)2>$Kdz5t33*<<<|cja+9T%SdM<tpImcb>^TM=6ou^f~2gb!l
z0S<-fjGY*6c{++*@bG|H!RiAM$z9)P%Kf#rY!KJ5ALeg@AXl#hN-Ec;O?m=XBC+#g
zcJKKjoa_z|Bz_|GsXZr|T@&;Ywqzf??ln-rNL6G<hPVxvkDUt{H30#uQ)(S~BFTgn
zE?0D>*f%oq60<K>f&Ah_o%!a5xu76_O|QT?+e+hxre`27ldGWZK=g0+H!B32BsZ;-
zUB-iYH7^>!0eI%VLR9k{V2L;V5{GR=X2{=&S`Fx%S8aEH;`ishU;etzc+84u&HUZH
z`Y<%^<9hSAz6Y@T=YzsPUDDj&beY6hr7w^ww843CXRK$Rjb>E@8?VRZVk|^eQtd&3
zRXVgP&2h!9Y5qm%zBKJD>8Qv}ll5j7ZuL#A?kGvMJ375Z^mJo+M}qz7nZXLp#j6cM
zs3#NHh&QluTd)=T2NYYy{2QEFYFQCrtcQhA&r5wxKP7(t(HviQ!%3K`iAQhraA-m{
zj`0Pdfqs>isowF{@=GEEU}BAsJ1jhF4h2$m$@=Q0ozF0FKg<t~2MtVTobZdr_3Dyq
z%@;WV5?r~H?j(wlKRo38qoY1p*#u^pWjk%-4Dx)P-$h$|TmruTij+??I9h8%EVXlA
zz1@Fgeu|tsRVUCjzn=O-#Qg4FKHY4xGMU0@(~|8)rIsZn)GzfY_aJ@Aqg0hPRPs`?
z_c+8h-PMV=&{@zt7-8cw&}n7nvyfVEZIy;@F!T(^9ewt_HrEaqRM(ZCPo-vRsjH=G
zsb-)?049HW9hgEZv@Zj6;fI?iW-!?15>5IA<|ZqdC=}5tk2%sCJ*bkj#J^cFZfg8?
zv~6hzUmx}oaY5_4d4*(^>AX2}%Y@tE(_2lr0N?W`Ca6|EQizvOlvNi-^CxLMcci47
zlwL9+2)jY?2jO0#e#w__zNc0}hd1?;Rl)+yy6++H<FJDeUF_N*?Uo9>L`7UBo+o0Z
zT-r31rE9$6;=|LfIbSpDOo*ndYm^=Src#n2^%GPpY0G=1Y0Uc6m@&3C1*bp_89oDz
zwh?|`8A||e%)dWpE(@=>y^uytre-@fyRdp`-S)egN{0?x>0&mJe43>Z#|=IhUjo{5
z5Y9fTbSH^~=LiP!{3(-Sz0<hW16rmo)^}fPd2PFcZPw2i%B}bEY{H?diyw_I8FANK
zYn~aT26@A)Dvr9<d9_9>iJqo6M=dFS1saP*?u%T!yE~k60<aHBKsFjm-b$we@<q%B
zRqRheouGC=@1pJ_5}L<Q^=nvf+RWaO^CBfxs)ja7+jk&AS~nT~Sp+BAJg+-h8SHdw
z7qbcTq8{mJm?tSX!?5fOY(=)*%j0O*dWt<b=tQR)*y?s#HdA%Ft*rHR>t+*s*_(6)
zgm^vYp1?C!nBb($EW;I%x>3{J@gIfd_U}FEI<8rA=@m63-&Jmv5SeYJNvtgnn@50t
zhCXlb=>)Z<gzt_rltuydv;t(Mba*p|8(|!bRP@6>?63Gi(4)St3vVGgRO_9V7IYWg
zues!2JJM^8W9|L0%M!=V4{=D!_a}F^Uf)c!A^THl?)NqH_PW1c3){b(=Wz=ZAs)AG
zS8w=LcsBIH!XQ|DmE3+8BBb*`h{@L(LE#WHy+qV-u0`}Cj_A+cOV>LW=i(v4Wa?Y-
zt0V9QBgITGfuUwWf4jSw;HDYG;V&m&dI}1G{!wHoAO*E8^_5;>xFyJ`@nqZhtjl|r
zVI8Km#53<RkL|CxXy|4jKIvpqAwo4m^s?*I1Q)g;tgnzdHrz|yz0;&+wt?HkKCrLK
zD7nZovTmqeiUnKt4hl&UjUyb<zK!nC21&JY#+1feQ3SocIr!kd0Td^(`KXWTRLf(i
zK3uP;sZAPi5#RPFlG>-Wu-<a6b@&}<OX{>1k`Ep=YZ1fU$LlEmbNj)0Q|xaXdYh(-
z3K#8}^kE@Hb(Hs6RQ5}NamKf4Qnw8HnAU{RkeJDcSUXq3-%nESqeH}g7*ZF@|BlP-
zBkZ&C-rDP^O0?}gADrlozsdZNyAU_Bf@~<^UAb%)8@vDL*wX6yjO(SfYoTX9S#tT&
zywk#mFQ{*Vj6iQ?NU&VsCrvsTz6eNmc~XPj(Lqy6w(Ykqq7I6Z$bX^bRneu=Cw+-c
z(7I(J0u8Qa&y=1~T3Ntcaub~~1xC67a+;F1<2$=oB3K`SrVK^!P1ICY?z|&}aSQ^s
z!V7`a19YiS!D=TTJ$q}^LKJ0WkYiLb+kB-q=I^}G<LR%>+RqB@v|c0sij;fh?hYNd
zMK131Z*W~Y`~)?O*{G|&w0bzus?cyx{j}}MYqAQyD9=s1LeBT&U#C%Et&I@Q(|$RA
zYkc`#*7H;GW&;+gi(0lueC4ik#_xrkqM)JKINy@f?-~!|u1zp@+X4db@;s=sf%mY&
zI*}-iV%?89`r$e={1eE#KQac8=5CA(I@b*d-SzwN!}2}Y{L_MMzl>Y^6u_Lix`FE0
znX8Y#<R%Zn`o;#^5u{8ihSq;wbwT0a8P0c>g!KEHRdIZ)X@uY~V=0Lo(E4L>ZaRG^
zyfC#gb;7$4a@h8Nw4DW0l<(ig=?3Wr>F!t>>F!u!sik3QSyGgi?naQ#-DRnzk?!sg
z6cD5lBn0F4F!Q{I|IGagu6yQ+?>Xml%uW|ZckQH@ta$3^WPL3q%$D?{knjB)G?1_!
zLsPabAoo=BXYZ`zGp~o{bVsGl4Ny{Ehhr1vIe@Ca5(3aG8}+9mps;4CP-P5odgY4q
z#o?STohLD1$k3W1pO~8Lju}1T^_0Qe?!TP<J?7~8m)B3pZp=XeOx}MyY&E~J@D|1i
zz5HrAEqkpf=rzQ52hJ9lySICK+x#I>^i13v0AkQT!OgoX-d%0p$@mXV{~J~Gto;ft
zNi+N3LKAg2UXeC<sI^s*RPOzEXd+2Pn9hXkgM)0Emnc7;&%s78zx97;(vZN}dI!W^
z&7HpY5QgM~xx5{Fo1yv!;!AmMSMIo1Tp=vk=-w;JfT@JrU%kX*78)OrnQv~Xq@+G-
z_1Yrcwl|pT%XB9v+YE!3WwYHTO}*!4Sl0U6El`ArRO7lk-!x6Yl-Dy%eaDAdCYe*2
zK27VK?>9M9rNc;hW5a><WJ^J`@;th|#OKFf7Y`>blH5lx4eebgn?JGqd3SanR$L1o
z{PBhAXGFvo!`g#StT(n1?|yYOpZ$jxAK=^PdF<VNK01%ky}MGe<V7re-a7hJeeA<4
zSZ`&@#YgQ5r~IYgng+K?3Ulrpr)A2jp22W%s2a75{uiNp5Gu8OdAV_)pkKSXN$eYt
z4(e**1UsXvR860jtwQg>rpt5+?nDHKUHA@{K^m&!d0mJHnY$DK*YxHKs8n`a@&Tyq
z@ys@AKk=CM((kq-=r$9CGME49)OJv2fNM`*hWU&cC{XcSw`>vuGmr{osw#@E|6nxJ
zPZ3+fR02g_Z(}uDQMH{J_oNM*+9@0jAZh$rgBro70p2`^)Jc=bjDt!U=O=TkV`p(r
z;7+0OfCv_o^~KHI2faxC&k1d;jIMNDH9%4h^tv!9x6|;;vkmGP=yHKeg9pso7R4~8
z_{vimi^Mxg9MAaGTn|bthBKZ%8-GpK=WBmbL{8O4e3Cg|c-sk33Upd^4kC|WIWq^H
zT^T*Ntn`eQex`ygKV-!dR$eJ+>gcB!jTinR^;^T3!j4>gv31@$ryck06r`|AyxG~V
z`g^ZOhDrqv7aZ8w=BelP2fYr<JBYfCk*lsm)JaHNtOG5{@2z*gV72!eqa44GV<_s~
zzJK0B|3gbqRPwS;Fk%2Be1%zl+AjJfDLFV#PY_~6Gt;5Zl4FYGUeg-<D46$y5$)N3
z)IgFN9DOA5eua<qe7?EbbB4e46kv4RHM31`x1SW2E(RW4IuXiFe$VBV6PijCZ)!`-
zEye=Ip9r>puIIZxI~2-}@`$P__Q4!XcF8S(uAt{O5S3Z+7wG2{wU__AE`L4C?X}Wz
z1`ft~NW=jwzRTocZ+71l@)T)kW@T3qAWRsfHJ>_uEd(&7X+Op|WW#%_mvEh4eXZ|B
z34(Kew2tm7fq7mzS+@Bknb$JJ@7Jx-OuUpH=a2ZzK$dKmz(5u^<C5$+jR8)P_Y)R6
zIQ?~b7Q}e;m3o2@Or|p_s60zP+je;Uy)lN`OD>qIj&}TdYh<ZO5J-!QXhtxG4br=@
za}8yUR;l6(iM`?s0x>D5H=QRG@0WJiY+64F#tFm-m(m>r`SI>7{Ab0{50CLiO1=_@
zOIt;839Un4x@t&NjSGU_RbJ7{!$ZC4*L>v|496^>G%W(z<J&aG);6pCjN5#_ax=Y;
zV#Fd3q*7y$1kPITVW$*0t;&I8v(1QaDH4Y|$u0cU+L-$TFj-1H4l?l?2bng>?JGNb
z??8rCT(2+u)R{u&8j_5(OLu4V_~7_G?I~;KKz#u5J&r)_Kri=u7Jm)2CG}F;s8aHS
zm6t(9kDonDaJHS#W=q+$dtgGrO%SZLQF70Y-MFFglF4Qi%h(3GE74HffOh6>=P>~e
zR8*hYa<sIaYj(T1{pXZR(r8{|^U?`66dAXEdS=R;wi?imabR801dq=82cSqsWVgh%
z5l6F#&Am02;bu0@eWrn_D=d7$dXQ7g?;$ogw0Jeu^0i|DvbA3c4zp$Z53Nm^+-am~
zVYmrvYcMI38@b^LeLAc{br~Ewwfnfu{0qh$^>qC3xsV}0eBq!@qA+&~B(-2Z(|A48
zLmUxni#2*4HwCl-3Srw6=m+Gs<&f2EU7#9_1l<v5XM(Mw<6XaQEyLC{7R9rRRu_ym
zju|A2#aZR;-p0#@rJ+6n*0}jH_);R(GK*{2`0VMtN$9KxUrU^nF_6=?il`3^=agt!
zjS{i^nozse%+)nn4YDR_1!Nj`*TtRRPs2ZeC{Aq<*?UZL_cz~k@+83*p7`?M@nANu
z@ANY*0pag!Xu}Onk;v)rW+vndB8A1@*6YnS8{5D3cR&}>-Dy7fiE{3zk1T0C&^rrT
ztqVhS?ZnpmuRobzt_Og3l7tRVy@XT4#=+}S?M+tJDBXyxEPZo}4F?KG#8MV>;x>az
zQU9W2D6iz!j0vzh$~_x{{ny7nLh0XQ;jI6my(x6_d`LAzKFcXFJ?5p#QPi9dr<sf9
zHq`cPZKC8^AfnS6ORrqoQDs{T(hWb9gmceQGI>0PzVvoXZ(XXuMBlTqJY0O2aFs~N
zVrGa|-+?!oM686h#(#Nl`+BlMOuNhS2QsHL*DNavv7k$i%>5k}K_f@pSf%iCA)+Pp
zm2X;ZPXM?0E8q9VFQ^KA2(|_}_LuA|_?uj^geu)U8d^K+Q|y}}sHi<CKfBjxsWm^`
zr)dc9r@VRk{f!d#Ztte#rs4bRG7qUW+c)Q)7v21dNCWs_{m5I|5UcxCK+E_}trX9m
zyvJ&XgvZ`MM)GaVya+8qj%<#ZqT^i7ZQL8X3qTT1oc0+hIO@b#bsttjCA?SBT0%hG
zH%sLyD{H~CkO$Ir*xVqnQ)*-z1ohBmB+3<bt-kSza>#v;5VfG;{6WyR>iIV~18#Yo
zQ*-F_zKm6dBLF#_AjI-d?|E#NajkpkhkMTHGPj{cF3iuN@5Y`_#z4857AG0)%t`vn
z-J2K}b}1Vjoo{C))LvXs)KEPM;bJdus}@aQY5qvp5?=Tl=ZAPe!j*J*lKBBk?AywG
z*f@6=a*9xA2D2u2e40P~6E#xAV1gsaH<|4F!E6$VyM^p8r=KZYU#RW;8Ln%zBgdW;
zx87VQ>Ghn=tDtbRCm|^gGN>VVJ@U&Ne_i#BaCP65w99}!Bue_uI|1(`Febk(y3v+{
zS0>k0Zv|&p%vvH%Bc&Nnra6-L=2dvPGOK>m_2yB8wKb6t<4S`PuEzW)KD>phFNyKJ
z<r>^Yk~(j^d@JQv;Mxvoj?@-p)#rEEfoCBh8j_YeK^h*}gyVceVw>8X>Oa~+83s01
z*95crAkwn#>D5ahvYxXmpj|ffKQ!7V1H7a@B>f8Hkd8!)QK<2TGfi9P^HTnxG|L_z
zZX(Nwns)DkV%6$;k2y%CW!m9S%TS-}*HWv0JZknCC|a#@hqFDUIVH0{g_b&Q<G5T-
zxM$%Z;#1PsSN&J=r=Nqo5uNsYlAiGCFn&JnG<F}^zk7TaVNDJerKQXh7}gZjcy+_I
zsZO1z4)P{pQ-6d0b>OGxDpbPyq8e)fXL-YmrK}sM0y&)R4sYWn&lhH`pWY)l2XTav
zN^Lb{4<?8+>{*Jcs6v2>7E0<vv_FAf;U@TnOwHK9fq{tt1HO<?SuD=gxBXsUliF-b
z1wTR9SFvXP#JJ+JM2<Y!i7jjei9<u$ILmVg5eP3SVZ1-wupJRfE+%Q9A2H4`f$?oI
zq}IoOUhMq0#iS>5?G_M_a@l?um0hmA9?lSed!P%#HMIeR70nGXw$pQsj1{=BN#MW)
zMQ2ov&KMbF(+RP%vDynh0cW=5T0!7XywJbx3X>&l!n9i!_r#?iRaxVV$G&V8ta?d|
zYoEG%wy#4t5cq`E3ljuqB0Bcal=Pom=0f`gBJ<!#p;17PtvNRN*05Dyb|U%Xo(Vr?
zo?{(~iQi2mV1>v{Ns(@v!y(~p+eXk~ElAKo33Y$RC<NMAbOZh{A6&rj^U00g)xK>^
zb51Q-hq%w0dcQGPkpoMFhOhH1Z3;pOJnQa~K%*7aI!K9}u;?7Zl1BK{W_yW-&w7qg
zND%q=>J1#ciqu9_{KXc%^RtTsf^Kv0X-{i44E2=v<+Y~ONMF#j!*1zf@tse63ZgW(
z8j1n6JZEL$^{n}e#*mPxQ1OT}gGZ6(UD79KwCgK7S&)Zd0&7)+&&UJJ_+y1`9JU=z
zVx%27;j9V#xKPjNeE4J}!9_3+j*hwKf&02xtmslild+*SD*}6>xdEMLy_|7xQ{b-K
zQ-c~35yxbLYLMshaA*Ob)2kz=C7j0jao~8AXa^aI<uUkpZ1S&*EceIzf6g<8zlT_F
zKm8CpdI+$72IP8214A@7fe<R>duF5Q&(#&<Amfvasq&6SqT$<hsaDk#X(*<)f0n^b
zYp8x>oS5o!DUKt@Ix(4WV~(1Pr^8Hm%A^p0r*NY};hZ;XA?B;@A(;r5F7K8jo^D`s
z6q^&9lgR7N97EJo>dK`#;i)og1!U`U0uobUBN;ReL5yY8t9=wrPH>%^62bpQS@4Z9
zg^gXltW<tKALcwP5SI0NP8Rxa82-k66CgY0h_lkfkBT#`O~D>n;EUY(Q|@Hs<|CkY
zGe#}~YYNm2spPI#c~D8;Jji;Xmd>$1+WGl3{OxVc4k|b9!l1nVZs)}1dqbbV*`4Ad
z(i;$_M1{8wJR{&E(G3j9f$@=kf~9`oY!>cN7uVdS5ISZSjaNVEVCB+jtm|TW-^sh!
zy~0P0;2H!flXmf#SvlWYJeL#}R!I$D_g8|8&RN6bS;*U|foq&3ie6dhPG@8yIF?#3
zs(mIiJ$wvaI|h~p9hF73OqRm2!!>x><gFMYo7=`y>JuCN^4YPm3kiypdb{>gUUON$
zQPt)GXQsUMApWLt*s%I0AGnh`hTDDjFHze(yobg^=0c)Vil3zs{_Hhb7*U6(7@J(G
z2=aFqi%t){Y~vSFc)@J@05)@LHtn#;-63qD_3km(9gom+5VVEY+&PgAe7g$PCGE3q
zA~QEOFf`TUjUrL-P+sP7?iUl4wP|*BeVHP=dbt5v00Tey>ELa?;Au?lR%$tmOt5`Z
zZ3Pg?>jF=$c(F*QRI&gP33aTAp-FeYHpnat-<n<f>C?$L|8x{68dX}}uLIzrr_4=2
zTH2RnVC-_AOtLeLQ;ATW^jn$2Ma@)IrNc07a6;?etU!>s?75jt%ZL{!d)-g?Jn`M<
zZ_9|MX++C-f6sV-_Z8yl|G%fZFSd98=AN#a?(e?XpI;%|(&_mme)NW}8w=3AUTA7F
z3;G=s9Y;DDM4WV!09cz=DAn7arqS~{Dm6Q=lB@6k<ubzjG@`s0t*Dvw7*4-7UyEiI
zXC~Qyy^*8vF5Xr<htK2G+01>_fqPz{J6E5#M@nMl$Fnu65g4oHf0wTFZwA_|MgAw%
zSS;U3hC-{-MVi7Dr8sWmjnm4Ir?iBNy=^&XU^2CBWzlT_PwN^0(}`R1IQ>1X8ReHD
z*eNDM9|YE1hoY<T-elN^h!pj`8fSc6f{6d$#tR^G>3Bca-yI7-gABgw{$WZz3lsEF
z9GrZ)|Nh7=Yg>i$t7y{rml3K$Jvn-jQEtZHALhOe;oW>(J}auUm^}!Hy(B#e4UC@p
z4{bEr_ieGocUAmXLp{{)L#>^*W|u7ef}Oe(0~Q*?7cVGzn-dBh85EI2{o;!Z=dZBZ
zx;gPR-<|)-e`YTCb^$e{4ss18eSm~yuN}5Ru=zyHga!JChP#r*7w`87v`y4;-X;Fy
z^8Rjpb7+iCN~Hm0(nnI<8hAJK;ml3UPp&g4IqUsomJ^@@`&Iu2&$@<j^L>qK0(V7w
zl=1r7KB~Jhs|eT@^;b$|HjMtHvs`Ub^A$Qc(@Wd{2~4iolQVs8HtDff@Sg(o8PqSE
z2&njPoU!aw8Lrq&zX6N}ZXB@0TU4-z_I8xU<O9s&0(>TF-<40$|Jzjj^dFi=WIO1H
zbp6WI^pmdU`ejjZiUUd3CYxbP=V(;OOHw1af6mB!Vsm<|%&md6+hXOayb<yt>jGkZ
zefZsR4bpN%%%s@iwy|>Z#l^FJGNTUXV<$x1YTeBl@qL%JG4qFvH0X;L&UuPhudKKO
zh)rgD%I8vc=JMfyD9^vc$&gaqKws0;8}EGl!5&xDu^#NVp3@x4vAl`FG#rUU!*1lv
z0S~8l)YYS2ycFO?NNuTqzzSFjQgA=73;f=rjtVNa``2Z^=Irv?q_Jz`FGa)a_=!e*
zg10Q%wN$!XPSSatk6Px-q)SA_B-28od~u&~GS%f-Y+y^7QBn^!fCGM7zewjK^Q|S8
z73T8aL*E(6te~FTys{(6^Pb|QwE@lV)@jvBM7f!4><&a*!L`<3-9op#%ss0kDu1_5
z{q<=;duCf3zy;R1n_^kT9Jp62xt3Ep!Qb;j#-8#4WYZiQs{igyoYJh$)Ltz~&N@$n
zEj;P@HBIep>|mp){#MUTUO@ATwUxOiiud9+WNl5)$vGa+B}x>Fbdzp;+J;|#lSqTk
zIuJf+`bn}-jFUkNlLZGzHw#_tX#(+0gt#&j9mL&_uHTtCGwnK$=jh@(@$>GDL_3fx
zj|f=?>|ZdwomXKmm#Qbx4SCb@(YaLvM8D_cqLMu|2I4<F%H}eGvB}q)4xP2z8uHuy
zyGpxwH|>-``}2$qLqVb5MWrj4!YX!&18*^6!#0_tB6k=E77z?^&ZwivA``A=2rA*I
zYqf~`q}7`|s1xPEl<VlDfKN>XFbCMQ0Sk;&3k<dJ^=Ne4BN;#@Rx}-~c9ZMExiCbs
zON2BH{j~boseU=X2#olUDdhm))>%6Kh~HE!6`YX*G&bZSo!%Akwh>OYG!^{rVSGy>
z`(r+o>2}tZq-U(aLIsiC`lBP$biC^IZz$IEW<l5dEA7CWU@6N~A^RXLn1?Tm<dP=5
zE{E@r)XOD!T6xGUNgX9!9_UpTknq#?LSNS)c#XV{C@e53ctjaA`!EV?6C)9zRepij
z$KL;u?*<^1dv-R5inXTRs?l$ESm58X_Fn}ih_|0My2^&RJO^Gb@iF28Vq!IRTT~q5
zsi%D&Lgu;|z#4^^-8cLypB-W_TUvOiT)E0c>(O6W#w|rp@v)hxiK1nAAi2%wb|xGh
zjv2aj3y>6Y0YUVAb*Jpkxxn19Jki$CGmL1OE~WR3K7AJ8>jO!lmL*|{F|EB}LaO9G
z;9PoEfm3m-#n|0Cl<qf)Jm&==Dbh7~nen%t`^Nm2al=^gFuUP0uegzp_244totCR>
zFDj=;45YJXm?nLgL9VaiF|6cDrb}6vD$qHb5};XX2~7)m`0~Mm-g|oj^s3O@+3Z|0
zqI<BWH_&)V%C}y#i{thlUhH_m`K-A}b%(XW5?GluFz%rnJPj#XMawVMx)$PIpQaeD
z>LbE6-GP6q2Upt_NQ#1krhGnb{+y4qZ`5u8H?8*a*Y&z#+=X;{iUJ`4*v-0F4K#-t
zoBMbro=?22;RGwWi0-PQb7XB-$uVs7hv&ZIXAx^p%LZ!CoG99fE+=@dfAfG!uMYMI
zQP{#r1DaXPo2){%ss0j#ued`2%4{IP20mlg2nD4o$d1&!SE~>$L3t-<l^v&ew4IUN
zt5$PO3ntvI62A36x)Qhiu+iJ#bL1CzbNeRr-uZA`+r1JxJ8iH-;9q-Zhd}(ZYUPt-
zE3L%Rhd$mIc@cY{aAxQEinXz)Vn$Uz++;kpP#ZU%N)xBo?OmNfOggX){;WAq<ao0X
zMbcTiNv>;L_IWk3?iGZHr_pTF*smIA1czob8w)U{z-r%<<40=al6HZoe;va!eAA^G
zB$CwVrwlXmW?{tMF)n>k0rkY+<cpOkv5{!mF)s+)ZEP@;D2^DmC<pvYZ&C94=V24T
zh0_P;)7k7Yv4@95L0l*vq?#!?SsRuGO|*&naGS$3<Yd~{dQ0u0waL*xleNev<o4q?
zN=>ee1k!w;Z|-*qp_O_cnDN2$M}7IVMZ;m-A(d2mpIOd2NzK-0vvo*mV=|wDTk)E?
zE+N*BKMv+|twNgI>@E@z*%{bIhVYtK&2(*p?scd20Z1sFTkD0f(Mz4(SF7SidkB8J
zY=Cf>%_>|~0Ek7OvV-zph?}QGbKOaPVIVZm<>3xdw|FDkeibp?1YKz7XTQ)#-0i4T
z2DxZC?r-fjd$#t3LZr<A7L)}uAiFlL()ZXE%Q;*<FP57Fle+FErk?H0pI{LA)Tlm)
zgQeJ($Z>c;3aa%2hXP_iUolIBy0G#}H<;<KDuj2Dl10}2Sd@azr9_RjZ1?SA3B_-$
zn~qj}uHtW99LDZYKEj$#dS8tFj&rr5y^#(tPST4!el<$Yd4YcBHRWp3_0m^NFI5W*
z1Ra^WkQrK`s%NH+j{l7w$jl^ngIyn*n6^=IMbEX{Yg>1FaB5MMMK1{$FPUohH1tJ$
z`m;JVpfuE%qjMnW`iktA!P^JLt>Vjn7OZYquiSQB-**4D{I#O*zH|rdTdXoYuT5ts
zZ@)8$5%l;iTipMRTGbVSo`tGi^MV9qy!k#AKp}_OTY2s@deylnn@fDYbJ77QDK@8i
zrrF%hRWxx@^_;4PGiU@JZNHMDvmC3EMZ(bbu-@j8Dd487umT`*i71@0Q8tjK4$*)@
z5CSJGl={6mHPEJN4T^&16HtOVGhrDLkx!BQ8Pk$AM3rrHv_lR`N75gH=w^o4T<74K
zwxP}|U_MsM6IR=mj-aer*f&qnD^6*a*bGL<$KQ+EMPFeY8;=D@(t$fh)49quww7|6
zVt!n#qOMm+q8(9O5gqbf>dyQRX?X~cBs?pr`(&FVRyQ~2@Kh}~*PoJzgApR0xR)+Y
z&P{vYHB4yYjQs`&IZXsk$qJvBKJ@+ZMFS!j)54n>^4F$@fOl`}^*Y%Z<$?8fY{6QL
zN%bt3gK(&u7meviX{XmsQLqa%7W0ttF?i?wH*bvLmUi&!)EEZs3P=HCeF=c=NJ@?L
zplP`4D^Y9tInJXwG}Fh+$CgpLPq;&=D1b-HJjo_Ye${yIIx0R@oDqmw-*Wzr?wv-1
zIgKH2=*DH<SLKb-w8ys9M)rmVBy#F&cUwyQy@$bXb{EmbDiG=4Vgf9Z>TEfUmeNCd
z^#LqxMA0n51Q!>;wr%(1ZprhP9Wt9AwI*}moKUfZL(U-rr6p$JrG*yT<sNd0F;Qr=
ztU_nlUznsxW*th)5J^4r327ROOd((BP2|NZAT6X(3VBU6L0o-3E`9|o!XR9=4Sc6{
z`aNbT00x2QH>gYs%K7UiV*<yH8dpG}cgT7(6q=Xo(afp7KTA?p(P#VUev4X#?Zm3v
z9McHkn6@Hq5$!jg20ZGV=_m`<t2OmPz)Pj_y=afL=6fctxrfndM3-6Xj!p3~1Y0o7
zH?04Kzl&_7i8Am{6z5Qbu=$4q!YgiB7Lnh59s~n#d-9v^FLXyyu^^omNNo>8^MbKD
zL=$GU3KTFEX(CNI$J2HOESduOb$+|Vph$c!lE9_VUtqGocU;obOPyPS^4&uu>K)f@
zXOz4AXp)hzdem3?(bU-}V^M$?wsTxAmMl_P=0i95ElmvMxgEujGvGW-R25^8M1CEV
zfu5@(w8WH?*z9luaAvfjvcFkN_+tjq>Qt}I3Hdb*>ORjDUOZEO`Z}fRRfa1xO}!Uq
zM@RbcGr!h!3mCf6H%9ar{QTVHeiz98U7n@^@|}V6O}{81f}btj+Re2Q6K+{afdv=s
z5vWZqad(mxO_(2xpGx}B&1P-rnBt1Rs&~NpZK@-pQ9f~7QNedM!d-Id0Itb9ZkF0|
zv}$~wn89<}JKIg1v~7;*yt@3}!J)l~qiU>s0EkC&3VKUaooDR#9~#8k?#`q7k&a=s
zxJ&(~_lX`f#norbPRzB)YDoFDy?q?%KPfy8+N8Qha7NzNRIhlFZGq7c7g-D=sm39U
zCUi72+p(e%n>C1WJYfwn5#^3h&{bmc{D86E$ITKSzBX{)RtSEg%vDD7ejn8WAy_Kp
zSHU{b2IzFYj<d}Zsa-=Gxv(5f(I{9%$cKBFv%h52TX}6-@v5RAuJ%7P@+c7@Izn`-
zH$zi-qDswsY~i8!Oa;RdzeUo?9mhML#+eT%QQgbkPpe?BLdUR>&1Tm_6$#ddov7L7
z+8U({4g$Ois8jbw@mKCjF1oD8ZLcsPD=s1J@Vb#EuhhzF^zwY`j$=6$7T&XPH_!0Q
z=9XD$c84jm_rDguK~=W5&JP(xuP0OY;T*pvsa;tdrCt-q87+^(+q&~z#uN&;hMMu#
z?QBkY3gm9YvBxYWONS6%WM-wngPY_xJXqn>lINM>haTiPl(lN$6dkNkm2BX8xzuj0
zvt{>gpH}uE&FqRC|FGaw4pCVWrM?57SpZf!2Bxq_QeX15P9=@9n{z{MwB52Y^ya00
z``i3{zj2u;IgE*D>SBzbkKvkz8-F6I9^Nq-)HH;&J#}#!%H81JT^Kg$O)vy56KVv6
z_k}&~C@f85${XtCg?N28jM+2Lmfn{fW)<&0=Z19bTQ{I8d3~aE>bN?>c4A|_)J!ry
z280~}s?J-BNU6xKap=iX#}l;Q3S_Zl3%dyUyEyUwX4~D4@V21Wc{|nTS>#htcLEvB
zdJglUDLHuw{@gyZu13t8;B<-R!wx2(SG!hhu=OHRj7P?Hd;6&x!vnyVhGV9#N^Lvl
zQSZmMJv|K@Fk2O(-<SO*qxy{zP{_&Ow2>2v*yH-mvq&ANkhv+Jv-#T^U8zH+7hM&t
zGeu{^R>ME`5|c6gaBQ~f+Z-akE!im$C)cnIJGnehATtjToqob$O6cY!Q<l@l9OhG%
z94auG0Qa28k*%)nbbJvlm{|`zOFg4tVNyPM(Q>Opp&UQ#PdD7u7IOA?I>6YvrtQFY
zG)6GWikK|hY(S#Jt6^g~99`)bDsZ51_iJvzz)?C8$;V|uraOZ+ofm1_7}33W8}bBM
zju$HE4;8SgX1_JHq(%m&7GoPZcWsxRq#LN-CS6-bZG<{24q3eMCy!^8BiD^_Q`kzX
ze(Bg+7$boL0)EH*(bB6Z?;#jf)UY&c+tu>Ik~P-k8JXk2u<@0Q0ed`cSbW6E-q7*X
zJM1!N+Rvu(iF&ZUK2O$GUF?Di)CO4v>N3sB=Y<Le$1W{5{e^6`S|l@9X;AE59>aw3
z5pVjE%wkE9iH2~^ijicCO?((>yp4InBV?I%b2?z)Fn(IHf;w5%3^EQ4D;xBqaQtSi
zmz4w=ZO?edgLF|cg)QBXdRlr?il%v#<ePA3wnO1ENw?X5%`WUD&5uE?_4045YL!;U
zS)nM&a_e#H0S^IIJbqiwIps4~>LT^J$(v)bvsyw2`D%gjba8P*>0gs6-)#RjsiwQ_
z_=KHqKFchFlKK(#5%rRssmHf@ODUxZg$%auAU%x{RH^@5h1Knur#Hzq5~j%WV`K_+
zB^fJ?E(M^5+3u%->wybF+Q;9k7XhoMJz*PZahWRZa-f@t1ctxKIq|!V`_op{nUIZO
zlQWYPR`OPrY&0sKRA6u5hO)_hg+gdk$!WJdAXT^(YEZk`Av>G(>`_}qRRfb*4z2ls
z+xLVXfKhXu2z|VC;UN5_EPT!ZM1Ka@BHv+IIW-tM$1a{29SEW>(ipntpHfiWeH6C^
zZfjL>bBjwxh-;%8Sp|`~tVXj+enq)zX1R9pcxCPQ_zw)<)}vWjQCdRgM3*ooTRvLq
zaaKC7T;=LdmLL+n*VFj(=yO(G^YlI1)|R$kqItPZ?g%YXOBOSomMsQekWtCT^OqK=
zjNk2-b8*fB!$NFEQe<N0Sp8It;#7G?QuHhhWZ389jrE@y#A(K}M2m+x0i#?pU@khB
z_>hP6h`U{%)z#_7zTxH$@1eYH5XpV2%GzC$OB`IiBwxf+55C5AFZI*t9Cg|&jr8yt
z^%Mmo#T3yfGptIYwgoH(Wf#LmQM+r2O>-WP#(F+ub6j|eVTAGuSn&({{e7Ljadt?J
zWEeVs)am{(14}h_<RgyN{sY-afHxZ(UM}IO<ytWzXmHZJ*i$%HeJkK{p>Z~gJRmUv
zc2H<UcH7X|@p#yxwn=d5NKE1<sItVx55p&|&0cD8fLWmt6aOC0Kf)<rkeyWx;=7A4
zU7ye_i72`LYElnXC(Q<O*Al=4r<fej#})i0MBV$E3lG?$!N+?E%$8622sV&?a`o~@
zI|xc22l&aPFV}9~U+2J1-@vl|K)$FG(T~J1(8jRaoBmKJW-`z@<}i!Upp+kF`kXZx
z?Bd7Z(-9I?`YF6MQY1Ee-VkQFz5>&jfS(@iF=qbO6_h5W=Wswvi<t_SwX6C-#CAN_
zGhg@Z{jVp$VXRzRG3bVo%Fv0XF9<MjW;NY5h8W4AEzk^;Gnmonm1-&)nQP1vWa(hy
z9+E%Tm>aS~#&+hfwmn$$IvQ{Qx7j#0cp7a>ba|ahmsL|;m^^eE*Lm-#UFpo((`whP
z7Z@2Rh(y#rq+p?jx;{YR{DcJG8L|ru9gj#0SdlgtuL4$-J-N5ZIp{$~X92Lh&&0mw
zoe&NBy(Jf**eRd)IfCkylhLIv4@*=g{~VX;5~+b?&1=^X6V3TgMk3eZlKI%(cvnoV
zh6~roPv~{{Yh41z+L}UmX`O_+^UYz*%1(;3lhBvd1=sn^G7roYPAhVt>g{gGcsNWO
zim+g+P#oB$wl2YJRJStoMRxl@a^oA6foz}068$Jx!!VD?=Ek_#<5JH4B1pPNNb2nu
zZA*}U0(K;TIpG(kA?FLm{oUu@Ipg~KTr<s)GvY0EJZUj+K4Y%CpDx3)^6fMpUuaX7
zxutx=drVw2A?nmctT`un>nsY^TN<um5;x{Gu)+~T7kzdWtSEYI>C%6(z$OuIzV?yb
zin2~Uk+EH+3dd#vazY3iu`q3%sho(m2|m)ue6lHgj!fM3^R!;bd?(blq4{8?TM$DN
zRU`@s=PGP6V&oU-=6t3)UND^VVhfTk=|x#U{&L|y@ck+Z3U22nim0cC*Hb4hS=Ws6
z7M-TrttF*kKdut&kbELXt=WC%zx=fHRB^Z<?BV6)nn-#qckCM>{x9c&=sJ^<LcO>_
zR?Z28v*A@Bw!3w6=WB?dpmX{xc&F#!icPtV9wiJL{<=23h)PG=coC`QW=~t&%@HW!
za4MI_C6NA0mABs3tq-zs+Kl$%CryPO&Q&DFd}0@|afz`y=Q|pt(mwQg#nUkqsoCsg
zH%ZeE%;Z(p3Dlq+Dbvj1<rHlqA-J4D@;^N_IU{s7&j-f&W;5HG54dfipDe7<lalI+
z*0~PyRInXYEMZ2XeS&+$nGK|~r8?TIaq`$DpP3I^I0mMl`D)e2fjy}Ao&>kqj-0~g
zg=TSR!C`N|aV0Q|vTra=p%5N=WFWznpb76I#{jfu`Y|8VPReh%cyc^9FNEQl-4^=G
z09Zn!S$m@g6(IN`QN66T9%~mW&FXB&ApuJ)D*wheP*1kUTX?CQv`$*ZuzM@A>_*Ju
z^2!;s?F(->&^Fw(fSc+sQ!xpKv>0^@4d4-Z$MuItK+M`VPnFiW#O^+XlJxza<}fe%
zse)$Dp4WKx_|8uLWV$qGeH&u&r6J_f`1KX4Y^REoRZptBmdf2sSEseE5417GA6Dnd
zT9LY1UT}vav3tg}KP`6M5~vVl(TImKb|805ijyRB@iwny(+pGlO?P2w2?%}pCfke3
z88*!jIt+gC#<IHG3asv(T&$<P8b*PK`Cf~BxT$*{%2SfL)+V$!Su=H?XME?=;A`@Z
zky&x`jiq7cbZP5cy-TeJ7s`gF$tg!*!%E(2Tb$lH&Z*R`6KCazXmgR5?n&U^^eFb9
z4S83z$2>yec8Q%|ysDv83j#>BPm`%7-$;K@p8puvDzI)(ci$x+gdn8`B&l|<(KN9s
z?R1C5SZBrY`3!nP`z<A3W#xvU`d%2U0{CT>x2DxTy|zkKl3o=xfNpR_pWWy4sY`Ng
za=vv>(FVFMkVT$qY7U5A%#-j(-?TnYXpKg-=<NpU;VbLbh%+<IAS6UP+nNyqDuPU`
zN}fyRp6(?ixX$%$@mMNG;jn%CY<ggvqnb|%pc^QbZy}<;XiYP((_c(f=O-uwod0l1
zjtg1I+fXa#7zXju1mxAQ^*6FHoUG{8RHBgGI$UdoG#jcVCplvHjS`gWDxeo3DJmav
zT0$#EQ!Tsuzi4(Hgs*p=VYX*i{S2J@*$6*zUm&*xy+nC+w?2DJ2mNX`fIBHkgUi&I
zJ&ww0m?7-P<t}8RE^_vb(5#~0-9>Pynw5Dg^c7HN>M8XN-`|*u_yMu*paPd`g!dww
zChc=C#z@$(W-NKcqEniJSrMuO8rq2xI`1^uhJe2qAIokv>ml3f+McBh?OfEz?%0zx
zQ{Ik6GQ}3C**Zl_fG9l{8;jb_A!wfJhlkH=Aup7_@rbIiofog+m7W+50S$4y7`^CC
z3s%ZeS0S6LwwUQcJ%=%ukvgCMY;Zes$#)zyZ?6Vr*Q`6NZ#Q4bzZ!k|Y|SZIlqy(D
zs-#rc4rtX9&FwlFO{;hh1fiQ_=oLmuny?a^iOz#qZn$Lw0}iq#^-3L`X?UyV<$I`@
zd=YnltOixfO-@86@EXPAD}kDzWXW>c$w=LwsUoc43^wM&!J))2w$BvxLJG<dJ%6id
ziG$qPD@8vakKv&67;wJph#TWW;rHhDIL3~R0vF~ZQ}H2F3JL-<t-pnFDO$hz6j15D
z&NT}ChkUPYhdq@IQb88#0gX$-;neBY?U`h{nd@86ec5*NqRUJUXP{XyOaW{~vY7Kz
z&GVUost`;k&KB8UG%S#MIZ<N@343a3C^xo>&cQF6BON&nNckwkU1~C`kW5XHGuadL
zo>Z5cq$tnHjhIldSd~z|0x!#OTr7xjkQG3toHg;V9YmhLQ~~y$%xb@h%+5Lx@J|~%
z%KU0l&LfR?NWMu|Shy#|D&?107<s`$?uM5Zz|Pq_@=PTQVAA~`Ckub#j=&3s&3^I1
zU^<?CHd~TAJtP@jFML@MV43xK!Fyso6K5}#d%r<a3c$c5a>nkjd-<GzbGm%<d?Tf>
zjHay#$_7Q<ep-d-XiDqCUpm|RzS-qm>yBKWG5H<uehSGE5;_uzusA0sj$tP+War25
zgbf7|U0>lI^WJmEJyq+rSP_WnFSiO~93j9Cr5Y>t0sz5!rEkubZkk2=mJQ6*qMD3q
zGt{p&M8WfUSeg;z`x=dtsvH7%D1g~op>q|vjE_3C<v@#9o*Ymk>O-z|4caF|h|_6>
zGppY%-XQuznlf@CaA(O?;-#N2$JWW5v(^kJa&T;v?DlJ^pmq3nUZTe$TqN^%u{yFe
zaNNEG6%dWZzjGtfnJ8*ErT?M&i-zIJ2Z4kUj-hbP<6qs*HC4vniAaE(WBOKW`HdxS
zCu>ZUdQ5#|f0JiSL@fK|<yFd~uq0Oc5TUlttl5?ext5na*poJU(qdfA+QgL=z3KiP
z&v(0>vpQaxOnrzaS~()b8Y$#CHxvwij``A<=g<-LOHH=$p{DeHD=ZcMX6@$d%5=oK
zfk{Y=*W(K=2YADi=o`&3b}RYqPuyeSP6$}z1s}^mk}INKYrs_#Mva@@bx~}Jd8()3
zif?sqA<h3M7!V^iP9Jc|$Dne1b;eZO%9rhBMq%Ogu)fXOX3O4a4V9xUadHV>;V%ky
z&LJ~SKG)U?{rRU?nhTsj1jay#?IchW`n0<@{&0yiq2saA`{S(NM4>xl=E~w_#-kzB
z3wtT_$QdX58lA79)q7$_`wPZ)n=>JqSi_Nk(qvNA2-DW`0zgF|y2?RaSw|{Q>tMLu
z6P8DDnn+aKRXL_dYe}^xqzO+)|6OFm$=tHe%QYk|7B9d#k>DTSyMrS5n2u@xj<)&p
zg|K{7D+JbXAJMdvr~J}VKH48HPGvCQq>lKWD@pbkENJUtPRb3kVx;W)o--U?FEPuj
zafS|C_Ogv?^wzq;u^hM6S-zhlv@8r3c~r8Qv%3<^V*EO$$T`aQhcr!XSx^3#cno?K
zZFiIHS?a5xHPUsS`(oAZ)bNPStHRcN7@Aw!Sc5P1`WZQIw~Li+N}Yv$nL~b)vabns
z5|J$ap2_!^dWc2R)V|<>i+DKYw71gcqv(O36H8(?<#k@=c@D0d47%<>ji%{VF_8tQ
zvPCoD1h#o^qgOB?MfgICbatrD#Z;1NKAn;LR;AHZ-F?eV-XKymn1a|fugXDoe>~iR
zov9dWVz#t6>|K-BerK?t%v-9d^A}{U0mTCQ^d7m7Tn@X<b|PL>*)Lv9H|YPg@qICM
zD!U9GR2E7#<LiO}RJ^wl0IP6U<Lnjw!7b|*KEl?VGkkk&XY{_;(iC9E_u88W!D&nz
z=WnD};Sg`nBdK0jOzYyLyw{GaLfA=i-gUtJ!Lq*xw#Qb50-Y4^TcQ$bD|nTVu#nsl
zlj6d6#Mz_YLb$dBt*ttkmxA9S%=X@p5Vw2sGbD3$d1n_<bvO9s>JYze4u(yikYwW(
zS{%3BvMkGK%XE>?f!IP+DA=`Qv(>^@g%hnY1qHZR3fAy9-qPxH5Hgx1$JzE45I0Md
z=N@54t=*BP<EKpkkK7UvEi_uZwptqQ#g4>c<A5@003E@gBS~Yh#T&mSpV&Nae8g=x
zT-l)fT!rG~OpMKwIvbT5zX&uDp`cJ*Wo;1V%JoxrKN^6)3DI-joP6L1$^n3=$QyHw
z%kZEEFjsrYUtVvkJ&jZS&W_h6)27~&pV3w0>i8~nz+SpUO&>8=vMX<+W8-k}78A~q
zQ+(srzy93+czfs4z3%lXYAct?U!Bpm#IHQJb#f@dW$<%eXwMSIA%f@MBE0;qq$n?r
zst`w6*2GuVk`^IVVSh=~HjF#Ry5>K$*RHPxruP%$Z_CYub!m7=FpwY2&m@JI6<SN`
zTeTRo<&hib<WDNo%#OOEcBjM_b8_MQih0{2jjSF)@RsgxnLq<GdwB80i(Web2Zxyw
z0clvOG2Fd}t;NC-f|;h#!*5|5V;Rkw?5AdK9lJxF)K%u{QjIg@tztFX;oO7{(HiPs
zcpn`(CC|o^v{O2%AIvN|%lPXayQplFDbuXvJGJz8F;w}ifWm});gS5Zda3a8Hqh4T
z;IL)XLFmgHUa1T@Im_jt2+!B<Em9(X&$n$M-HX&c;oKw~<QPN--9T>=XDx!V0z`$P
zyC`+|qdzDhl@J8j>|OGKs!s=8wLKM&r&chHf8!L9j^{DT^PZjA``WBtNK0C+E~XlA
z=LFtHS3|3th=f>EXKz_sPutZ=bSPGC-h1D#XkS^#)q)y}8JLR3w$_pB3b0k%3b57&
z=JzcB4{USBKh30P6&+tfH=+D0D;=u%c^<m%R26j{{-nuu{ODMBRWx2F$<bXOCubwY
zOvL;tHnV+ea}$6l!Pb-g$r_F$|NK~mtg&n(Kw7H+2N$ib_6IdT%#{M-RmY_979L=?
zZ9q?0#e&&+^~NyrMmEl&zKio|f*5c*RbnUGRMbIL<7DaYVp2*<^NrnnL}p0kJxL|(
zu_1L-&hHhgI@`pyxnvnTska~seOuzJr=(iCp`I^ux3*!)k@7|$_BQhtmu<XCL9_7h
zL?F|_`yiM1quu7ScH`97o}X;&yhd`9wjs%{&(J^VB^B(0IIYaR=<oEI<k8GGwRmq2
z@_|lNk^9ck%gLh!O8r8C|G3Sq?vUcGUi#G#DOb)~On29XExzSvOXYg%Pk+^Z&b)dh
zgr+UZ?C93Pf?i9xL7Nn5Fog(b{;n7bv<xA?!eIZX#Yy#7DIvjH)w|_G=alw*1;F!1
z7e>`?j)L=ZtzCJeCa(awDh3tKCg~fVBELYeE`te@)Ot0mpdH(+V9hw5XT*+>;T50;
z<&CSTdWls`XOx?=eCo{?@Khc2Z|+eyGJef_HY%O0V6IiW2!|Ngt}DEEqK;QcJB#=Q
zVm2f>HS1yh#U;u!LkK{Hc{{c$lg0`tc{C}mMUrykVwHWFFj0}+@AuH!lf7S5Uulf^
z4{e-c*Ev}z)VzBr*|6pUo|+F52YV?Xm)^tWdZxn)fp2#a{3WSOoY9MCW?Q++c5YN9
zb?nq@W3;}HN;7i?{2Cgla1Th5)XA(C{l_Dk#xE_RgCDcK!f_9&m;QkVXaCmEMU*Li
zm3;eqe|hi%dCxnHCERWAd-@&w0HJ0JF^V8Yx5wT>FU5E0UHm*}Qu7is8;RqUhJ{Fo
zN7uEq$JrEjp4r3@6^H4e{epr?L#iVjZN^B@85L6KxJGlP6^UD0lvXKQyyFE0H^rpk
zK+*~vOHIz5n(vNQW-z|v3PofbdO9N}-S{CLQ#5Xum?%*e5!OdZ@8{ndG#gO)iJy=s
zm;T@S+EWO;p?4Q0&ed+kOGIT8m$r~u6V`({+W~}8sZ>s7Ji#(my<THjUW%s5M7(c6
z5##i<dZu`+g(S^_e+mNFXmSe#Ry#Ciq!O6<#7SE2XUTeOFwJkY84rStGRGXM6F(g2
zoAfMFCS>@yZe#rP3j<EAy<fQ8##tJw>C5#6#nud_Brj^DHAH{3M>m}R6v5lFHu0f`
z;~q3bM?$NbY^$#2`DrDVp$tYDkcX$^Le<BEE-<1NKe5d}auM%AKh&05veg5!D%L*X
zjhk6c*yk6ES05^_a&#~;GIMcKhfw?t)PfCK@DRK09qxvG9EF!O=a!p3)}FWm7e842
zY24{~hbXgE4?2wN6ag4C3)(sk;TIBw<XA8LXr$(?p5OwgmDk(mwAwoR3@vYI-;XyN
zc|G7BS)33J=p;`Fe)*=FY)s@78BjFS<ggq)ZAZW{dkqEKBS<$YM<oQfs7&d|cr0x*
zDE=CvZgaPC<oIt={o|X(>Tb3@%XZsqm-4n60=i)CFTIK+LkT~#YLXGP1m$S*sy`)x
z{R8P7$23hUZr~{BKgm>Y&+XfVj7Ati!_U0VHlyMxydUFPHIl8tIL%3w0mPBX|Dkn|
zwo}CkMAJ|QjAFS(eJBa{Ir==K58z^WN3X|bj+E_ObV<PO=8RjYA>uO2#<$Y@V1ZY3
z=lF@bh=n3Ls}nWl>0Gu?XEwB}79D$IHS`c}p;%`5LufVKSR%=5i(h27w*r{0Zr4#V
z40jyl6nh&tPAt_Czj?gDs7$aHT{W${^|qC|`%KC^#%6+sa4$|GVBcfR>1917)YZ=Q
zQ}bEs?YdpfVqW;ayfS6v_tVC{s?DN_q>~f48(8=dnnW-bzqOceDh61w%4VVLOtkn+
zGk^<WAZyBa<5K=$z9rcMf_VSBn6l(P=TA*pNfPuS)a%7=Z&Ay(Uq9g?&9scNB(Gw{
zjsTM}Dhd$hEVpL8`IZ!T`)d{6HodmADd*GY2hTT^mb;hz=7Fg-7^<@|Ko|Dgc43+$
zdq_xY%Hh%t_j{hSZX&JrsSBq@sSs5FWrCC*OQRlYLBN&FvZ&fe%qOu8u;$fzBD3ab
zSpYj`AxToX;)`f1u#stY=r%Htq`1d$AG~c)f&DaE&!5<&qZ!Tl{Zh8F&BqbqaMhEP
z*T<}p6j`RUtZ+em>_04vW+E#Tw$G$iv(ze&|53n|2pi~Nk-Bb5=Ws<7FyDzYbE84j
z{yPzxwf$6_d3ATkOQDci*};iU9$zf<+irbNamqGXwV^3u=Pd}==d~W0nvO+F8hK@`
z_P37=OgM>6%39gBUhh+b4_^_Ps&#Rlz)p+N2sD%wG2!%RjYYdv6hdEb%Zn?|Rpq=B
zMGoY>oaT8W40L_z-}r+JyJ|6k5Pi?0p?q3c)A5}(qSu+lLpSQ?{?XDH2I6@Q1PPIh
zAopFSu)Xq$hA*B5?~e2fLb})KKbvbjeP}aF!<P?fCUOZ1tE3T}u~86UaezA;X*r`M
zs`1)AOCVa!ij7M;cE61`Ci)bTX<(38cpcrT=U~*<V%iH@F`lGH*MV)>`-3iMsT$yh
zc$D2{;eJ-k;%0>x^*!0k8?FUgSthPDp)h;x#h7zrZ4x#I`zR&emPirLPNW!Q`N_r3
zuB_R!r{)~K%q+Q1NV~>Qf4n(yAsORl3lqo()@pD@bnnR_giM11QAMgK?%bTzp*G#6
z&io3>T6-vkmFGpW{syd}_-MR?U`x8LaYstf^8{gOm8fYkE`VDB3x)HYoKm$T(Pjr?
z$L&=RgD-;K3xPca69#QlH@QbsHLxMBK<Yp3fMg^dd?TrGE!ET(ws4ViuJVE54u>pf
zJQp}xh|fPuubZh}$(b66BU77_WjnQ{D(_CgcADO%_!7%}!CXg)!K{TGj~9_!%ri};
zonjNv*0F)=BGlqrjNBD5UUayl5SX`pKMId+xC7F*h=bt?lY|1+%yYUm1L}@k+*PgZ
zU*38Db$pl%Hy<RA73O^kAOF{oOVuIAHM{P(an-}%ZZ_PCO-)rKSMigjB5T|Q%d<%1
z{0TAA=9Ek=>Gk;fRCAqB6U1PnxUs$4)2gHk3_kUyw@-gwIu7LASBHy0p1YEWcB&#b
zY)&66egqE4&Vt11_|*%>Z$sjWxnUIM@(8bD?|k>I`z6~RWkh-VF06x~6e8AStltLE
zc7lslvNix4s;b!rj622QB<&8hJlK~QLk~v`;$QhzWs}{`m}&-tv-02>Tmwz$IvrPL
z!GD3_ZEaI;Vq2!l`YvQknS1oA+=~^mh6~LTw_E7PmfX&#rdhagGyy3!8w5(UNLY<D
ze`ihtX#+C%sdTJ1uG&_PYsplQb*PMFRONt>u(YP9XD03n$HKUsT#vNTOduG}<k7-W
zUK&?H&)dQezOub?VrRdI=#DXZ#E0lR`?f=J&IqcvioMz!*11A1KS^j=oI~t9c<Mac
zx09Hh7m69M^%u>l<6Q93od$m*iI-LXLnHS8HZXM|XID$TG(SoIL|=nygAgVy*4uV>
zTKOWp&G98Wub^85sO|_UVA5Ah0rz_8clZpr!`6EF4Z{@bJ$JECQz$fsFF1$jUO@+4
z%=(iPkITUc`dQ{e(=eT;ici;?yF2?>m0cM}l(*KG6h=|?*aZz7t8@;Zbod+ZzLkr$
z2f(RRPSQtavS5W=<n$_tRj*`8MXKuT=#L9VpRcX0K6a}KHo9P_gu~RyboNtWcAg#~
z-4b0dHNQ`F919mGlknMD4dV4&QND3C)fe|IQ9CB@3$xS)7=Ba3*ffpS(j!fKp0+OJ
zXecy!wx)~I=Fr;&m&zezLy|itn#U3^Iy+?CV`Htsyj#ES+Ua)~aaXHnY+kPA6h#s_
zAuoDlwb6nq<+6||uB|ZMeW=0b>#r%O*eU0hhqctB!0Z0ZgH@eo52<nSyPrwzh~vAT
zz^&s3<&#Pu=SPZPKfW)j(FGAgjA#<HR<biWYCs%LVVip&tz3i_10g|OYl#i{jmhCV
zAAo=$+zs1)H+OK(3vUu8m~lzezyQ)48)}M{LEtr=yC;3-Gy~Pexn$8S4>8dP#|G*w
zr`nV?&N=~dS(7#KW1P`qR@6+n0_MKT@MiD&EOQN25P*M7hho0R9Q{f)b(jZyvLpE3
z;=&h+jV0u$f`%Qg8SY_gupTIfJ?f%<cYM2$n2{T{5Kq6DGKM4z5(^_#@|vb<?E5k$
z&*}JHAV!A*6HRZUlhsa-(AHZne(HG|Cz;!=IO#x~2Fb$K+`aITVE-ON+A5;C{(r>1
z=TlSf7w!#6Z_+y|y#$aNx=M%8O9Bam-U*%1QMyv4S3&6|gc1l<P<jVxAyh#?g#Zc)
zD5&4V`466%-<)~gtv7r2p8Lg~bzf^;pKDP5mkB^}Xe8xKQt$94=y?fW)$8u-hiao(
z^u?YeCCFr8&ApmiEdiuZQjv4-wN#dcfI#zT=3Mej?29i)kH!Vv>x*fW&L@-2Vz&0m
zrMH~wEeTA1CIYQcztEHTefBU_^t-eA@&Pf6Y;%!hvxfXeq!}ZtI6WU(lCkeoi>thm
z*L=ywVw~Eq4OxA|e1XcOxGO|qJHSs?fTZ3WwG!;qS|SV}vKo%cmUH@hQR8Y>^yNq(
zwR=V%ND(AfFqpt6E8V)|>>=zV9*eZz8?7ZcE@U)$6_}j=C?DG-4oPr58Jh=dt_iPW
zt?~8DZZxQ~00reRAJEvVhp=@EaCM4>^3L=^cCz$}y?xgm_$eCQdT{{N9atWt%upDJ
z>zL@X4mGX<D)D<)cHp*}vHE*x4L7kExBRBp7CjpcT<KyXj!CcDjKxX_Fa#Z41TJ#k
z^;qYEn|IF-9gJ*dQGa?~JGSZx<wjT?+Vs?qC?!z2N?sr=Tc1Fn0@v<$T&Skli!Zao
zmtWAiel%J0zam`rIN5=%!FJ(n=*D4FVksMaOk{CME|dUy&_*3jBx*@7S?<iyA)7c7
z@psM@E>I=e>u*HL+;|<rVoN~=6_Oc=PuAB`mmcz=n{<5Dy*)-NWbXWiuDfKYHkcBd
z1(4kCk*JiAH>-Q`0;4FG+ktfR)vFWVDUcm0voUG@L0=a>_lw&T;LBk)Tqh57;BCU)
z6<aL9oXEXd)m7_Vb)fSaU9ZZzPnYkpyGZ)Vf~D<n(n)5_CX!ojl0$a&R0wD2f8?k4
zZgsiZ=u$UxGmjL+h3Gqpa!9-p3zejA?7u?(M)3B`O6xF+*-t5fG8sj3q7le-WpmFW
z@Fli$cwfQuv>+1vcguDe!m{IDr&i5S6pQwuPN&VhP#rSD;{!v6SJJ4egq5Rmm6avm
zdYz5>KKlHM4vJQ2^r5zM#=NUq@$Nm#imQ>LnBF*W(rrUj%t8^}s!YQvg`%t&JGr}E
z1d7!nVW;GYjwNS?t`#SKlv|3gn{g1P(ydJ=*6js1ku3{#AGy`H0%{UYF9#cyx2?GM
z&!N_AV#o2UMa>;pNedJ0_xjrF0)uhPa&it5cy15-%`mC<iR5jK?rNWsduz3zf3PIr
z=9zB>wt=;z#Hqtu(>v2QA*b9BWC~r${rovJn?GR0>G|9=`}O@|`MsZ?$In?{dwv}U
zDniaHO-3{+%xQ#AZj6@54^^$S_1;s<1-K_mZsCWkW;5Sag@aO=Mygu<mnwZE;cZ@h
ztofGF_{&{eJyzDJ+5<FPVVXup^yt??>`(AZg&MfJW@jf6XE#F;;VT%=clzOAMpCDZ
z1JG6-{%g2y8FGm>Gn;84_`W7-zi+n8!y8l#@yp^MpW8A_(KnoLP*Ws(G4E-Ej&j%l
zoqrJ^;uhm(n+`2kQ>|RDdrOk8Aw*{Vl)|QYhCh;JU@FJEamoI`EmQ(}`&&P-wW1p;
z83!jQqz=2KwtfRk7e7Hi0X})PYUIF%Z&h#O1EX|Y3WUM()%P57!&bTfBkE0)R1+Ru
z$s;Qm_5I521|h5_J+)*W%%NaSbY(ei@1<X$N(*i%DO{iUa6KoD@#Jpq&Gh}0Io;tf
zv+iUg+12F?;j|isB!pNUhDh$ggi^)mBQl1nbkJ70Y1T?JZ&LF<%Kysx<kpF(P{^r(
z$cURJ*P-l?IvMc!82ii9UQ8{_6EZ%Jb#%dvqe_{v1-&O-wq^}lM$Vy)L%|z;R6veC
zF)L_U-rmiG{&h%W4CJvj@3_PE<K|>Fdn{Ql0^8-|@!(<0!kPPf@k>%4QUxxi0Q0He
zeeO)3%Guhdre)!6;-VTO@b&OB6Em=lwYn$eZ=PRGno~>UcQJ9u;9yp-P~yZ2q9PWR
zWzLE~l5fmyBh!K(YrG^Jm$O@ii`devlE1f#vxP1{;AYYWJYPl09ZiD*C%_(VKB$_I
z=_Hl^h(MiIh5POz>i}T2DeBFB@4XjJDVZzxECw;8(QU8hY60}4&!uW!H%WhM>iN0k
z-vLjr0+9FjT7B~j6n6{?Gj6Nv5FJ@Kdnq<NnWII2xAM)H4W{Vn=ZmT_{hN8($ocy%
z961XG8e$3JyOQxFDRy#yH`~KAdHy4soc41#_y~6jN@eF?$pf0O-g-sX9BwA;M*f_0
zk3Uj9`;Q2?UT{mhd};ANCg=Qre*A6fhyCuf_jK}Hwn8}#s`DcA=#uT){SK)!W2YaX
zn-w2i<Y**3;(@n%27e%dke)Cv%<1wG{vQ!WsrScQ!20PQU;1wt-_D*6_-Ij}dI!Fl
z9F<(PKl|L_=K;}-W|t}R(IqDKI4VdX<|N~{;i!kx(IVana~mk|J<WLu>7OXi4L=$8
z{BY5(C~J~&7!2w8j2qp*oYl_~9RkrXALJ)k>QLV|vTGfKem}L_8z#Jlh4vqir?j^`
zU32^6$+~iMzWKT>I_H+#<`xdo6LK{=fLVw<Z?{mfgBdc}v}bSm&M`Jb_XIPMbNTB6
z@8!M)jF*ihKNE2~&d&wNLer^-H7ADBDSalAwG-1#6Woa`=a=XC>TMmYGQZV&IiD$f
z$aa+)0R`6tudEg;Nm<uL8wHwE$v6p`3XwUzH$WHYv4&}Z!)ijNVxD{a>d2EuJ}%gx
znK0ZkN~2$46gq_zZlHBr5GXR_lb|<2_1Vh&QbNIqQM<lcL5-EsPjY>(T_4zc`t47g
zfXi38U)Xm2qdenD#0E6&JXa<YGbWQRh~vQtoK7d#H)Z&nWC8T;vV1br-V$$wM)miW
z9!#l6P!{zKtkQ!RioBdaLF0ixqkY73+>F|m!5as*o=zeix<{lzwJ!2P&NAmwvVZ9#
zH|8_S&4=@W$d#C8rZbA}J@`8xcO8lQ-5l~w6Ym3nWHyeEkauiKR$r4m;>C+2go+K%
zSefhvX4@qnLB30XYXG=4w^{})hGdgOOp^XsUqiNX_x9~vpB;yEnP@NMU;us&iZgk}
zd~xySZlNYu!k4+VezVSFzN~<Drc)Xz;}jrkp*SOIZql9vmz@+-ahHrZFI-!LwNE{#
z<W$Y2MEUHPMnMCk%HN<mClNU3=Brg=6O|PqHxp5t_E^QDt26f#+EW5ZKFV{h)>mkE
z;5~NX4m?{?dHfJ&(P}I-+b0Z>;~T4^^;FGIV;0E{<rtL6L9W7oI7_Xpv+E4u{+cZQ
zEP+;{C)jAQz#^W~6z?=?wHlZ>+QUL+`zzEikze1gCj$Q;k!$+e&e4OL5{?Y+iN;G<
zlw?1q>0;35;Mh<|-32tN<$-=ltFk6hj}$a+ELh)JedA}tNvV&%WAY+EpxrUd=idta
zrDF7T%_<JOOz^a~rgI!jJ9-Y&!7G?CkYLC+hJVs*M^WnUnBg;pA~!<?2amyuvYqCD
zpbZJZ8hq50Z-Xq?7<Q>3a!h}ov1E$hxw_9XMKsFb^Sh>vW5|vBr~V3puKk>ISAUYL
zWGluxI<tcyz9%&Q((Tm>k2y}2N!8?ivft~SB9fC(_sli1#3p6r-}zv;$$1>B_uqT`
z#B5pZVAFd4w0F6rIAliIF{|%F>sM}WXF>X17jqjJ;0~>1(3qDOPJi<29any-o$-a#
z!W@|Q#hsL+f@HdDEm#hIBw8%2&2&`hI1?16A*q4^kT+YY+QAgD`I@C}n%^jwdMs%8
z$=Up~GImiX%j!9shJQ=p6k5z2ex~;<5nPvFG_yYNxwpMU!n^ch=RPYz-xS|B5<6w<
z&oR<s&<*m)>TxK|VDzsa?oSq`jZlFTi>7aGfzaZXBrB6AslqA|ZL%Zviyo~@sVP8l
z%X}L>QPTKpnlu3lNbcviKLnstLqTt-ieR%T!a|1*i@RN_WK*qbZQsV|N@La<eM%hk
zJ8MfILwzT$c^pTC_ISL%ClK|BoA%4-T^Na_use#o&RNBH(T1V~^iyHwYV`%1mV+u@
z`QbX((TRS(f<(tfV`1*<Gtnki+q)}2LxoL!ZOO}^m{ncO^PIc>mckKZR)eZy3B>*r
zj1(5UkHZ!&FjsVM(JieK)~v{*q%=QU#TxTkEXKMaZrq(MQzkzbSzD{&V9egpQPK^T
z|6U}Y_1jKn_N8xrflfI$nsI-q6Wqm$WdDw$5c3`@?!2(f_Yf0$;Smx)ymiZWT9!|T
zXt?483-m27sm^wmku$<SO<t1KF(i%Tb8BP3qA@rcx5+I9?UY5&mTlhYFBT4z{J_?p
zziI)qNR6LeD-~`)4*kYTE5Qu?M(K{T-~)*uYdY-Ws!{C+4Jx9%N58(5DvXCwU!_Hv
zmq`?$rpBj?n<X=*MCF7Io;kFh2NtPv4b@TZmfIK`>hlqJY_yUEMN_G4UrPT-;AA8u
zt#jL%@p*6P5a0q0{+}f$%^(-+5$pjYJY(eMP6{OD!wxEb9j`suA|9sVn;%9{x*O(g
zFL4N_9?s%};W{38?(BXI?GAKYdxPKh>N2)@H7!2nSuhCZsb6B_NB73@2lkV*iYL5B
zy0dl&>!HJ_^xa?{4X{#Z;OL-nBUfMp)0`$bG#?rWQtez{3ORuXC2eW%1@Ou6)E?9W
zGmr!B4cy1nui<57?%_@Gi4}>W@;%P0P(ziHHkAt6|A?aQaPAhYnd&{BxXh<98C;KK
zYisz5FmQ5MW8;o~0gNKhWeXhSXLPSDxlfR=p|@a@$Rbq%V&tdI;0|4th^YcL`Lbuh
zo2!;@-{`^K>Ai^6tCm=Su+p7{o;#MzwRNb+qk1lR@3<heD>fy(0RSCGXi~Gytfa~`
zr#cZLQD>9mI^cDP&v>hy9C2yUYz4UhH$0|B{4{k39mP1w2mNaSUuCz&lYS)1NRcsQ
z;=U6<sKlDX=IM5qUD7lwvKZ@k<})=mG*D%Wq_=+iQ2wT~7YQAC!|zItK(VhM_{}Ez
zYL#;`8!)8=1Pd0?qXekFEgZb>@L{KsF%2a8AX1j#b((LBa+3+?BkH<k+KW>aNu*}H
zXlg$ZYn?i7lJGW?1sLTbLd5ush-Jq|t#$N;nOSa8razKe6ITAU9&lBHm8ZvsF4mrE
z`Ex2DPfmyHT<U*9_@La|Xl^AhkJH({b|8x?Iezj6pweA8Ewx|5EwIA|oGsCqq!Gf@
zJG_YwZ~^%?Sn#%lf(d?L*TBGZ0B&5p9pJ;X)2$ZQO~G*@8IvCO#+S36c~`vKIZ5S%
z6PLwUCjaL>AG+_rg$-M-S6R+GO_rjOxRJ;ER;W?>Lz?M?vP@?4d)D84J}9w11vI{x
zGdRM<PP{M`+@y2n)VNfyX$FD;epa`p!c~VXuuahpQAu>L+oLv59-g?j_M><joADEF
zNqJKXv%S=3daK;Z$vI-xE!hAj<3j6B%;D%@Zt=Rt9e8VThYr+DvQ;hP(P0sTzi7KE
z*FmjVyj0hU`U&k{>U|bHj;Xz&4xMD}87aOdv4Ro54?D8z+4d3gr@Qvc^u>#l-fx@i
z7e?E9bjV%bwh%7at%#0&s9y;rM>r`+K6u^~=tR$vRVgaur#3uC>#CP}SvO+Wxb0*u
z7IrgA072gR6>JM+0WaUTiJNyj>0sJ?pm!WI5XCh~8b~J}I?0lQjMPz!WP|tFB@b=_
zAAGrX^Xyn{(C1v2G)~lyQ{!bA%<efzH`{yF_L5X){GP0dc`~a!@k1j0I^~poS|Wig
zCk73nyV2*RcFUgJD%%6x!MDLJRCJ{lQLEevzV%)nx?7{sg~(40F*ZI}_Ly2FMCcu>
z?-ubBS~rrLP$CE;qzTtt6AOm)M)AZP#TPS2HdFxo$!1=GgOW#ylB@G07v!?jR5EY5
zydA~;PRxhoRzr*_)R%M9)s%C5_E;VHmb^H0hbH?2InrQbM2xBhcvpCC1af0y|Kfur
z+9JB(=T>vnXi1Fob|6`T2si0*5_+~c=+ojW#Xu{2t=Qo{-S+_rsZ?GpjhAoFa=gHP
zwz_YQrY%?3?qfRdP2)F+;SLgKmdhU~)NdRaxA<(^QY5K_mbaGWz}y_1L;*%tje_=|
zyCO}V@)=h_h<l~5-j)@;RzNdE4ScQ&z7(JWm`Lz8$)LAwYa!m37Izrjj@?qTED2e=
zY23v8@3*1@W-iDt9futruW^Ush&)$YQ1?ID{5pIqpGhs!y1UINVyC-^bbN?liQ+G;
z(>JEmFMc(qK_2HNglDC=4?EtElC$`Zkdp15W*f<vb?|UG2>&P9WYE^##y2<Qo=q1y
zOzh>~R2x|T=MnSX_Z%pP3&yiHK+KYhN#3b&z>s12iHww(#oEyXdNU<YhAln#JvV4q
zG5wy->+0m_u>}KnBC2nciphiLkSaHpK|&%-f~&=48@Db|GY@SpSOt0xp?leS-0#W^
z#{DibO*Xr5EbEkimiKiTF?H~-Rkt)B4J>Z_Gq6$qWRrP&90hMxJy-Rqwla*JJhev$
zL?}e%tV8M)EJdlC$K+%+zf=Lbgh-EKQm>unkHDZj*I8!|jA&QCHUD5Dmz=N^xKtQx
z<tu8R*d3{xPCLY?7?ZBHn44*iBnmvRud>waKc>9F8x5@*2Kcz6X&OSkZ+2qyS}&*Y
zhK6k`i~}SCJ7A9+nyPHp1({>bgGX}=6<kkNw%qnhcQ`g^fTQ|_#Wp@DAhR(@gr~_M
zYg&v(fla%)VC@!XMP5(y74)R-;Aq*~_LxJ|xtFj;9MW@Wq&-7HeLi)?AvhTXEH#(e
zqHk0v%hn%wobHioO@DdO9q{$<Be>KEV4~8D2Ne5V9dUT+pVPYudmfO%v-b2c+X!le
zHfvgtbxdxw=xqy7%U{U1q~!R~r%Dc9WlLZCe<S@*+v_0dQ961Z-oByEZ)IvClJ;%c
z%?vcD_M4ce;%Gf2(+33{hb&aAA06QO9`#_&_MFgCea$p)N#?s-xQ>1|&rW}&U|a}g
zxJo^u-=ayEbICMja9;shT;v6`l^(9%&hATXos$~BqEFqLl#ho@%0RI5xxK-R%z2NH
zfp$pCbBT{Odc`YAn3cc9kKviLuKHfQVMOP_Qt#X%+<ErK{Nw=kQw!ms**EQXoAhgG
z;|!QGP_V@cJH|WV#4JU5t0++0o_Nzk_G*Y4!SJwXMaz72s{qO@$q-GP*K-~?G6dyk
zl4DHawylTsdF0(Zs>5)IFI69@YsUN5)o;&uAj0@P*u@IMG~FP8Zb`^!Ebt93Lz~Ul
zu{|$Rg*iMUp>o0L(#z-5C6c#Vuk@ui@^6Mio25YCV(0Bw!+Hz)J_UTU>90W}ox+TV
zQF-{zAh#^JeNW>(ihTb-e8>KGjc1ML{DKz8*r?utceamKyu1r;M35d3-U{o2v>?7L
zYP6#=+jB?^-jGW$oVDxYQY=>s$t3($C~|Yafrd7tHS4z|;Hx42c$!R0<)<n0io2Ec
zpobTH38`%8fx+ll3Y?fe$b=F#EGbSewOKtia2xDxqR$*Q65r6Uk}<&5Gx|x0{V?__
z@z_S8jB1QrrLC@lQY@-CA#NHvX+6C-I_J`(_b@380{vmC!Z9<?I(7C9ZaBj^KdI(H
z4|n+n8(7Vc_HJ3^<%;FoXLq^ysgqL3K5|h;2Fy;H)^$0!Mz=ditflaLWKz@2PDaEZ
zA8D4-2iM7p)*<R4Plm+oYXc6hPJ{tKpLhH~@+N7+?c7O`)bEJokd!^ls=v*`<*goq
zr{WU@U51k69QLd>bqx(bm<rn40CHdWi1r)lV(TV}?w<8_?Q<#!GfeuJI~4O$lHbZv
zL$m(TLa+ufXR}j0&{eTj)`lD*NYAMGzL=(z_Bpp2=2P+hu=opGG04>Fu<#n}kNQ*Z
zYd7I-oi*bl$=1`zg1+Q-FJH6D{1jimN_LyzJD_f*3VvFso7m9{o*oq;_kGug>fxWh
z(f&;{OX#RO$@OhggN|pB3<Zgk<LUrt7}*Pei)&E;NU3GPt`ThMM_GZNTA3Y$=2v@(
z+fQ|p)w(Nn$(M|jm6|`Qwq~^wcdiwX_+L(fe9^hxz3*JW(R-M*|4=O_yoG$iL%&>A
zGV~(jzPD_vZ)^@zVvC2Pm{e(5<a9LPz)8$Um8tzv5Cc8v&GJ};^i(C=6c~g3KG_L*
zch{k0pxB@*JJd2V4WU|I)4bcXZfhl4<7{hNpM>Lizt~JKs-M6H1w~d;NNJQC$<`-f
z@)780S>ODY;nmMAwHChn@VxEH4f-z)KHWaRf)#2pn*!VsAM&}hJSriT>A`4$MR|SP
zbdG%QdZdczWu&b_scC)(^jpNAyOA?T9KVX5w&*q2_(@hBX}$W()J+F2+uHI+tu$GN
zWmsGNY&7-IVqLfVo~)Yp1MC0FRq?OAUe?Ln5`_BikBR=ZR%~t!8yq$aKN3H~H4YPP
zS~Zml@f8l)?3ZDB+#r(~PhZV7HvHBExtm?5vM^Z%*Uu2k>vpeMp?fUIFIwPFHNeg;
zu_Rt+vw7E}ZvukI&!X5JC0*`!AUYP*4YV@F{@%AkeCE=x&EZCemJ-xE578|btny_k
zhESWfyv`m!*)yoWW%r-ARB$1Tbo~Oyw7fB3-bxAP>qu3|L2EH6vs2C)1XWPUk4#Sl
ztw2M?m&nBSH5GfL*QzB^B&G67!}u&)HVJ5l(wKxzt3<AeQYE!$ibtW^`TkZ`%Fd_^
zg4BY#&&D`QP_tMP*zd&fsaP;0+<~L{jmpfng$ys(t6IvzSPOrCj2wI=a^I{*(z|i7
zz&eM>aL!ibql7AvG@GVw|2a|p$Z}`%!TS3{HOfJo9z^G}Q>hj`)%;)CoV6iqw2jFj
z4=pQ-KfKItGfa524)E(Qif85J+jCJl#Z@8J^PsjuPnwtcqrV~ViiDAGG;Lt=RgxFE
zQCGQolb4icErp`1Ys@vy9A36Rotrq?kK8%Knj~@8TlBqCtG+%YR@AKt?eyicBHvb|
z>xqbD?$9&QJ5QF9B*7Xic2iwfvYngl#DsH6nY3}f*SX$RsI0V5``fUI*qJ9zHC_B^
zPlF~;2If`>m&?*EFP*+s?#^!tpxf@(UzeL45QwR#cmWvQveAstuGST7QZWgky|dzB
zCtHsQ%SD!u$urHVd2a?b%JoAYB8WE+*5|=Vw)y*9UZyS@KD&80Z4C*$mz7e58pkK2
zp<w`ld(@(3_wT2r-WJ6fFRPo=3&{G)qhWmiM}7_K?Jm#-+)Qx=rynXt+s4DPvI5m`
zJ<RS7m0bhnP#p}b2$uzht!DhwK>U^IHt9PNnIxPRcvo+0twq03)mjL0V|eDF)6?eL
ziAV7J$iBlsVU#s5Y-~tUSbYJEfTFp*P;d0?7Ro|qJyiBVcrOk7J8>j#o#0=v%7VRF
zO6|pt61rIJIzz))1L8Q?8OTuwwDhCips$gJEUvfU**}F#p`x8E3pVzvRV&o1%J^ag
zZv+MzhSWiiimtfIj=L^<7hkRIK3CQp0tzxp@ajm(gvH&tdZ^X=UQyIicbdz;d0Jrd
zIh?3V2#pTyu`W_>{RKkEPu`8)Zp?6T9(h#MK&!$VnnlF+%{YLOIJjuMgN0>X>bG;f
zp%W3!ZFi2~im=vy$mg{&wp=VV<5cUfLh#baf}KVlh}R5kMHD(VVY3ReHo5xUdi?BV
zWV99H+&wY(FricN@(5;(nC~-*`LeKQ?i0TI=ypr^^Gz$QJ9Xl|sE_!<7F@{D!b{Kk
z%M9b@8S7;E7U{QX&PP<D8fy9R5oUbp2W>@y2o8`Q=*uS8jqgI}Qxm?1dwcC4qC-uX
z)()@4>C%Z`X~`er=b-~{&^C|wMzq*-3Y8>h4b>79iH!K4OpQHU@<Etk;jH~L*yrj+
z21^Zw_R!66nYOj#(?Xp0%J+j(0_6{t)=t>Fb`e6`V0sFjK=aN$6Z)INEUQcz7mt;_
z^*me4``-4LhC>TMv)U}YkT6*QPqCCJ)mB0$yMb|2)IOK~VQVJ_l@Dhil}MwNQd_2_
zH|7sLTa}r)k^!;_`ubJCPRcEhugfPKQ6{<d7t~ap<yBEKWo?@&uk31}TU7Zr%{y3I
zHlp<em;wV78$W0M^{eqGAbpz7^R=3mw6*2X?0bId4Xc+5Pe+Y1zk$|0Agta;ux}~D
z{mz#K*p;L$Mfzq-=e5a#C-d1Aw@o;>f82Q~caZEKYT`w<A!g<D==v|>23*r<dtA0s
zW)qrZ50jioej<*I-G}i)ubd=2vv(jLpP3MOzoiih4P09d`W-DH3mnqg?`Wxb=+Z91
zN=sN!GX)o$4U?7Cgc&a%NS04cvKqa_s>Lh2lGGV}d}uOi{#&S!{HRq$l};MvOJ+7I
z0(+y=-C8%RQ0w(NvKcL#FOxNBxiuvON_T_ild(zd`jEF7UpPv#LxGU5Zf31|Ai${m
z2Op=gHqg*wmR-iYZ<=_yB00ref0TE__T%RnjAWW4@!v8?)s@`$>y|cJFpr=u1&EPM
z|CD=t`olntP$Zx6bLFLC7Ryd6zyl|i7E7g|o6B6*QiYG%+;<=xLf;Jbb4SC0S}NLS
zYd&2~o;T+C2?)}xJfSF6VuO%P0?u~V0YGI4#pf6Q$chaDlfSpzkEQsvWqVFrl1u4|
zt#6shOuWMZm3MOQ8el?OHKwmh4|2<L<2fbn0GTK#D;$lIW|Ort%AtWq=T7<Bl6fdM
zpWR#p`suxQ3Nf;|{`|+a7i{=2bwl_tw4<}$95m9|Wlqzi99Lt<W0p-Wfyukjrnf6&
zY7dfSFMk^tmi%<IUSr+za<UV5PhxL^*h!i7j*n$N4oxz`+J-Sw65_G`+6)$N=pr>c
zcJuzc(=@dxpa0O!mSjne$F{`S*<`l<wFMxxkyXZ$u^{w+If;TLASwGt0Y&#AoKzkZ
z>BAdVj~ZJ?(P{-+U=Y>GAE{i{L#KuFZG{!Cqd<*y2UKFkT1TR02Ig~B(xhKG|A$^p
z0`7&qzjo54?*FX5q52qPF*TZAgPry&EE$e08$Z|q9ZF^=>81{OIeXbhRtznnh(K@O
zI~Q=iytT&Xpg0}9mCY@`TD2b`Hnl!S9euKPG<xsopUPB{X<^A=vlfJ3%LeVZG8m}Y
zKpbJ0;4~U8{}$?>&AD|%oh${?=yo@3XU`ui6Kj}WYiOU+US`BenEYO*(vpeNUdI39
z!rn1FTO+Vdjekkpf~mv8B7)WHEo-SkYCILoLiFTYSZU@XP4bZ9Hld(OJ~&JEi2T?W
zTGs*|PIv7f;5~M@gnZWpIj;Ape4SwEW(Q1}#mtHpxJ1A3=p|@RzevCph33BbVT0X7
zZA$qv!e3KwpT8u=Pi}qZYP0PLH#KY8AWWQqJG<0xXh46n_3tvtCO;Ge7Bh|vT53!Y
zP3-Y=cnrx><njooDhCppzK=`wa6KiEXPlLPa(mQK%Jcj@%7akiOu0L#0F^0xC<rq{
z^{}YmD^g<I`vGxj4;b2LXbTh8cl90e7MLk2$=A~qEzMsc9;$3utt?{->?eQjBzP#q
z1EeJM>y4<)=4<3AGqB?r)*S$}qgz2XBNAd_GniyKCcB!GGKFK(<v+?OWGLckbkwEs
z4PE**AMxtxoCgdALFa6D0C1N~(S_%Co-#VNc*8TumPfaYyN>n>p<lz@Bl3MghedY*
z<V)I<-5(B$%Pu@s>Ri7TQc3={qFyh@m4?+Y!*QA3A08)`x*v8TzQ4LEUwGDpTC1S~
zNJC_PzMl9(k$cT2qHJdg%yjiT>0Fdl^-jSYN6vc5Z`s1ukteyVPe)Q4NN(i%giKk1
zse#rscY@Z49b5EDetocw8Eq8a6Qxy<bWRgy75A5VD6rD?dP>sVyVIv@J+jL{smu~9
zPjq+PZ)v#MI<W0SXs#;Rg1%@IslFjw!2O~Y3%yM5m^RL<0%ejZHGz6-Cpkw%qax;g
z>v4(so@`dsbk0tnwRKHq3vN+BcZfS(lE>Tr$(kTue5w}z7w(?8M;l#Cr_lJo_5lf-
z&@>HCjx<Wu<V@u}zg4oJwp}W!Dzu=J{(;*=idD$9*@ZSE&+uscgwv{R{GT7pbwgfM
zshZ4By6UwBIPsdgnoo>5s>b^&|2}!?Ff-SZn_q4?-QyuF0NZa@8F;FHzgvZbv)wQb
z`sfH_<#;LOr2Fnm;EZ2M=({H9!M`KMZ=WJm`}FY5V&6XM)ygYYZs*$}&CP6-Hx!!#
zE`$P48c)4HjlJe4FO=|=<O7OUsM0=}Nng#V#Eu_%e0uV)`5(>ik8cCd9qR5s{#Dre
zJK^2^%g4F@5zVQ8c^~aR6L~vFe(Lfu>fy2d$GlfM28}8Q5I%{K{X32KM_+0Qp9C>t
z+!tA;AK1&SGV_o_WGz*??y#-8W8*Mda?TZokvj2x_z26M$N&aA(8F$a)z*q?3L);H
zVXnA6;cv|k{8wZz%$qj$aqN*nVR0p2B%XV?fAqV2X1?Q^|LU`e9Ca`humshnyj&?v
znpgq3zvB|Tl`noRMWb<H(<tNA=Y|HsG{*K7KEYczF1}=7>{o(48!_XSR4HhH`HRZ=
zFy+w9`ed#)1`?PT`=pNH0UlH8@|zFi%av>1_jVEY#@~(V-#eo=WVx<%6#x)AgtDS~
z{|OxSZFv06cJ?dsmsI_UCenrcxNNPG^WcN4$Otm@iO2`&RqZiEH^=jb4_z#33w6kx
z(s6kjIXmU?o-wlZ-k-#*izU_q@Mqj7r-$%QU^6w@BQ;60_S`l~>QQ@+Kh-$Y)B~=t
z)zIcpXAv(FxQ{i!!47r+w<wSl5OSW98VnjxV00hN@3polf_AzH1~fXoq?J13o+N%$
z^Gx??p7V6=NM~5$oraZZpSy1dRHtmN+X;Af7`8K|ZuS3$(7E>eyg}#r*bnuG7D?tj
z_?aVhPNc=cyq<=7Zo|hg|49SK3xt<ywUqf9^n0a9gh5m^W_v%n(xah|f8H)p5axbj
z6kspAzGOm^BJ96`8=I_`d6sWywGF%(dygh#9!BUIapYNreAxCl5#JL2=+}qyoOiWG
zbKnWnUX6Z$AHq{r;cW|B`l~!^b~gL@1PONhKVFsgQb_#BXt+XGwgiQi@bIMX7m~2u
ze<}?LFHU>;d#wA{L)iW-<kh}Iv2S`6xE5Q5#{Gqw`s=4vtcM)vq#{rF!rM8m;vOXH
zNY;wq2sAfZur%ROItJWqLLRP&<>7A1;U$b?d39Rl*O635W9@NbB~+T1gdM>T2-BQ9
zsAFQKBSmrB3c+J5OGzwxtL#?fqm*qDiepjI#Lb7cBx~M2vR`@?y?h)$kz0I^LHgI+
zwbEdmQL~Xq=0$ctoR?9F7S1ZF=98z1Ow^PqOB8e!BwdgR-|{L2*(&Usn$freqVZS0
zc6e3iL2}FSx2~J4f;iF7R1xq@giCzM<cnc$rau#+u`0nYvYf$4opZg3QrN0yg28GS
zP4xO9wxB+zL-jUN$x^=YH2Jz<Xyh2pZa*lmxhh%k6;qW~?MhPwUEY7&UYrLcdYA!j
z^^20K2qW{Gd{d0^@goPTJ^yN4)*@4rqyI!Ek-N5{&sXWxZNkwaTcxvNi>U!2|A7l*
zsmJDzoWIqFgxnaR(g|9LgsWbiJlQvQydl4WnM5ZloaQFP`!Zt0o&&l1?UJprcfkK@
zKDcX|{Q^0wyK`jv{IJ%4#G5(MS`9G7OS=v|(2qM}_Fn4SUfu{mxD~+cv1^c7H<Oj0
zd_E@IHV~9KtV0c};{5s3R7pna7q-_EMb@#(lF|)cT26GaCdZQMe54IYX8;6<{%gFJ
zcxwAvxR;N!(zc)RyWTqU@Ws#>hi258#0G!2dik_|hpuQ(`4RJSL4sJVO>==2gYH;V
z@L2pk)4jeQ42;cRfv<p}SHCHWSEc9`{?X^0M%A-%n<K6JECCFk`hP9iv9$0ODT&Rf
zK8oWPa@Ky=P0}KCMa?VJt$5N*E%d`dXi`)~`?|cZpU}z8rAs%8p7(c*C2Vg5($RLE
zXpFU5?A}B;Yg1h^f<N`A-kWRf+%mims{*7iBN>d4CHqa0M|0I3GC4j@_so5IVEwq6
z$=a=0O;ouNJ)3w{ib-d|Gy>mSAZsHc!%C35?^wbouqcpj4sKl+&qzwM>&HF4cQ|m7
z#O;&O*$G@;3m~jG6o0s=G0^c#y_|IY1r?(YmAmuL;K%i->E~9}A4F4hvGqA__cuWe
zd0}UPsu5m3FPG;>;{L+_u>W`$zPJC*<k7RUhfY5zo<2T)Ch{NAtEl<dUmuHZleu^P
zj1OEo;QQZ+l@WIWg)UCk`y)Vs#H+ZKQvLy#$}p1z(7APwD({Lj*T9#F%P~yjOf~<D
z5bW|!JNXcW14nD@RHn&)M7f=%WR~V->Rvspoj~s7_6lQf=C(8O+B&CWZ>-Q(o&oio
z%(%Md^D(B5o~UV};t;-wabX6xWGh7D;Fd8HJP=vCCx-hZ$=YnM0jnRxP`zh@5Fxlp
z=fZ=<lzFGNLirh;_Z2=<owj?{LJ+RtTIt|XOKR6y*EqCzcIF%)j$FImHEJ4GipBo9
z$Tu3bIHnO2{+d`IJq0Q*C)~svHs;U0NqA=~KWnVRGzJ~zWJ(na;$(220+JYm)_=NB
z<8vZtJTQj3&1;v>UoL%3g-38-U6KMQzDD)nZG71hjubv~&IE51nz@pc6oiXfwD(-|
ztv$aWvICDJ=mJ~AJ~!il1`?VpSgEcJmS0!K1BXxP$dZPm)={kRS=@qG`L?XB^OXK)
zl*H8uNu8`v?kf@*t7n;pTZ^R~&%_kqSI+Xn>cI^jxw{3Sy<6&G&ej2Fso3coTVGt4
z>qum^dTWlxLP(>I#Ph}k-d;UrIxi>}dKbuQvRsj-;!W8xCi{OQO+qRYpu|%iWi?CU
zt~_PZB_@%B-j4mdk+lbbt>h@*n8?c3ErQpcksNY$jx?rmwr1<aHKhwozc^4bmB#O^
z`5rVntke4mHJCN~vLvkKj(pE_hM-@uMN0D%bHO3nFFP%FYR8}+DTvWeB2bT53*%L@
zu%A#b6Y8Z3bLR#^f8q%2!b#=={sLP0;o~1&ngF1HX)@Yd0wF!4mTu*a1V+3^@XZ&=
ze0jOWs(fn}LjnR`UGB9ldD_xwY<S~VjbDZ&IMr0NG&fHzdE`2+!ROlmD^c88#i~tH
z*9&O}$etfA_mF3IDH%}doSTikG!ukK)ve1OjhL*h@a?&Om-7L5vye4eZ+vy;=TqB_
zdP1nepQeD-U+Y{vyV544VIL-kUJ1p6M&Evn3LWWaatWd(w{{Hby&MOV#~YxHFWUKB
zp&I;OSQaKIqc8aB<(b&hT`3VAbpjepQcSV+0BzotwlYJcB~Oe6e2mMgr_E?8d?SVP
zp1tfb>S@*%*U(|;B>NGw>xshOkeHM<;Nq-9MsNphf&<%h*ImQ4yI{4p%EP$nszE{U
z8=6@+cm3;^o6}dze*)W>jkaF+<{z+fORcX|`)Hng`pw<{Cq-$Y#?qZsnQ|N{XrdG7
zY$<U(Z`WXuAv-TjzN69OR%l^hO885V$~NtNW=Y*jP}QHoR!${XY~SS14O4f|ZT9D2
zS81=%D+H&PZ(tvZ_6q_@zt<l%ew~@R<QoWE@uM#<J9lr_`(VpI@gs8ivhP53?!-VZ
zp#50<pD3NLM|*LGu={DHhj?lXg-oE>j?7DWpMphPeo~|`XSxLGT5Eb5dkm<2S;k6R
zh$$Lj)7qrY0op8;()u`tQ}*?phLB8$E773=bkrBeOHdd5L8=5@sf2VmCFWM?`ICi5
zhCy!OEh5}byN8XHW+cuQ)T|m`jgYLvUS4>l?wO%>lXiXN8x3x47n{u?rLk^7#?KM;
zVV!Yv^_9>RZrV3YpxNqd=R%2*NKUgod2I6|S}PQ*ty$#t$O8zD*|HqBF1`Fu&B|J`
z!)Ln0_5$V}ap)_8+QNcWM~IX0!bZ@SsY8ZEM7wV3q`MXtirhhJZfoJIigT*>reEfm
z`v7m3J<52KlHAdlD;4TYw$bv1H~?UpqFLQ>C{gLRbD91xscd)B#Jj8N$_*GN(8nli
z<2c98HP0g~t`*;K-D@YQc$IHmP;fOxsQzs$HM<R?u{olSze+2-xBLsj`s3c12B|oM
z-n58--3bhywCaTC{s3q;r$B}T{I*v0iIZsIFa5b)B$L!O?VV&GRU@k~O5WHD>QQHf
z*!(VdB+PDvDGX%I?YAUgBrwlw+U9Int2uB=CZ-O8T*F9dm#)rWeFck{mZw$ASR|+~
zVT1Rhy_LA9Nu<*$cbAJ^Lnl^FjgT;IfxAWtTKI`GT8kjm+-2KzzI(y%x4m_(+Q2rq
zvSmE0egBm`a*1ZNX`L?lUb)7qbyAp~0x#H$v>qbEP0sRJgI@x}CUaCDB8J1|71@s+
zaPOlC7pB_2hN0LtLDc$@yrFM3a9;fPhEt}>Uu2a5ADPEIKNI=+XL$#%$vRUOB3*UR
z6y}%x4~j=J_D&5KFDw*%$wF+bnF%EqGjvXG8I{O9wilg2k}MlN(nBJ?ya8{>m)V6o
z7h$;7KnATCtq%&6wc+vUnY{}(WS{hjK^`ykbA^+ue%*RVd(Tp&QhP_yKB2yWykyNi
z-C*BK)x|N$Nt6%$ao&x%UhjH}xK2zDs7c_Coo{+Pj%!*pg*1EYikIf@OYZv~#u)#u
z%C8r6<v)3K?{!0M{61fq*BMlwCLT{M_?Ew|UszW@oeu;0PmHp)b}C%_(q^DCaY~#K
z{?@-?``Gx`+>bznJCe7|iLJ-dHC8-^WLD>%mZY+P3DJCF=5B`#cADL!LMD4<bXs+S
zM<fXu+|Vx(VePcv`6EvC`+r2dR)Zs9a7H`S_K6D3Q_m?&hn2Kb`Dt0BM%5?(n(Df$
zbv~S^1XYfzTxPw6rZ+yx(&8`d(8>pN&XQR#NBg?mZK2)aL_ylTT93}ZZy|tVkC$0v
zSwd3C%nn5)dPp`y_6WTr_>$377g!oogNuxU#Z3x0fAw{Z#V31Du(M)lYwG;KXF0(C
zbQCtx;rJUB-`tpfcD;JU)te*fi=nCEFvZ>s6=RVQ5qC%$;^IIzb74L-s;B*_t|&IC
zt)*q?K`bbkR@g~Fv9QQ?Ax5J#H~Yw4s$I)of#{P&x0tm6ty*cqlSla@?a)^RO8&!z
z0Fv0D^y0&jzhv?^oA9u0*oO5nZ>q^Me*L-IG$>@d!m46Bf9<QjJ&tv%{M;97FZ!zL
znO6^!YQD!ZT@JZc-(@o{pHUrPF3*&aXUQpk_`IGV2|l(F*DklMoKr5kfV*jUPSPmz
z*VO~G)IW3u#uq-~6=Y>^OZ8m$;;=B$g%9Z*cIWr;lqQlfjHE-&tW)1fa94s1TqN#(
zgc5ExqwZaGUna5&L8guEUuzmes_}LkA6C8d&YPs7UaP9!(lye6IQGi|p;A(0(qJ<s
ztEN`*zB6=bG6bIH4!fxI*g#UJuI%7|(S}ypKFiZ*CPEeO!7goJ55ZEB-y0ALv*ilz
z8_V4XYtlkNJ&}_Eo390d##I*HieV+NWxC^v$E$}0x3-Wm7B@FPJlH!<i3imD_gDB&
z?nSxSg<Zwglrg4#*rI5#y-D=IH`52${_1O*M?bexCl-zG`8u_-Mqy+41A*mR^Uxln
zUnCD9cRpt2-0OA5Oub#-G!i1b1vOG6!}XE`8-DZIh#_~5w{)elf*xf1TGh;f9IJPp
ztY#ad=)KZ86GU<)IN~;Zn4d_fH??Y*lV!a<N&IX%<c)s0BOq~04?MKcG(9kX0?OI5
z$FA$&?J(c0fSbMf=<amfT2R$)ASmwAR-xwX&f8E4X=bJnv>9G7oEpRIRp8%C46G8K
zTa4R>|7`(E5^<L+j+f~(6F82&<!wTF=lzIVm@{87P}`7C;Tt||etfc<N7{AhH5G4d
zJLI_{nAX->;Dw3(|LY=~?{ZEIe_>XU+UFIL)M_NESO7vZ*-#;<glsJw*MBw)<#^U4
z*7mqDw=5iNFDm4d$}U+y81S)jc_gr*sv+|s<V2g&%0=Tjjc{TrWT97_Yc+^KM-^Oe
zMz<P#Qq>$4I&1o9EGD5*`f+_JY$?#pupyzv<g<n4n>IZ@!!c9oYBgpozO-ab)oaVH
zZw#H{e75)>Q6-vi*fGvlG}t=Z&fpu>Jl(z>YUNLak?nMt5U}y8jk_GI1iQF>H%TcH
zR3A&ZZ@^w{$*#=eAQ+v3MTdyWmxTp%%{G@py;A^M*p>@9Q1e&+284vk)B^IDSz9t_
z%`Z({saN+&Pg0qQ;k0tGmLtip6<hKzm?QQ8$Z-i(sc`3xo8`pQ#I^MwTu{N=$$>_%
zH+Sb!=4ZQPGBIY9H}8UY!LTtgN=QD?{R&pJ^<*RZ+J!%|X*M=F7ZTEPZR1Ep3-YP_
z<!9ffWj`BBeAnW73Pu99Kib8<*!hxIf1M<_nW5u4V*(2AX{vMA(J{hbUu?M(EvM1D
zc&A>aa;`0Gv7B&Cl`PRXTD>pA4{x#kM<jVSj85rtW|c<enY04D7X^n=%|Wv|%ozvd
z5o@J_lDZ;I2DyL62UGK%QQmhQY!a#0hrEN=H*~pPkEf;{bY?^Z8$LxD&8tgRUqp2_
z)`iDPZ;(!=$(-331QYQ{w8g#>9FS)?f5!W<C^jQZqhq(d>)nLfTu(q?%lDAN;H@XE
z>uHVs>%}(DS-*{y?9_xG4-T3*t^K581TYExea{;4u-oiVa`2sRfce9c-%<t|iz3Sx
zTi@WV_(f?yNx!HlQVRRajTfG7@4V?1;tTI?Ofx+&ZB1=qJvO@xSv<~zVpx4+G5sac
z5gK`&yFiS%PN;1fzl0(>7)l#iT?lVsk<@QnVG)j_RyQ^%3fydv>84EeF^oHN1%L!`
zVpM4oWCQ$045oo9Z+kx^*!b1bhF;EjkvE!Rzb!`=G&fiWM7i`4rjm@Q=8e>EL3o}Q
zKwPaySwQ#^>?7DU)p%4>eE;Nm`WQrXfDTY~shFM@6^g}?EVTT@^OAgnIfY|OHCl(4
zCRC2TH-G(H)rfwOPd#?Ki1lhhP^Un1OdU+0q_V!4OOxwK*Vgv1#czc$W%+`BptEU>
z^#?C=ZwQxlPX8qS6veP|^+>N%As^z#$D&o!Tt`*}WKj7vnn-RH6!xdA120~Zen>E$
zK)1DSDwI+Cn3cUu0V}B9bpba>9ari@0yCA5SRP5|*GzBQkWN?7%qdGJNXRyRv;O!!
zp8C78+?ZM3nI~WD>Km{6^r~e+^5GKW@W3`Qzq4s-?gpF!N5ebe9}>}<T_0uJ!#S1+
zQM&9uf%KjY01MN$Kq}2$4M%zf(88Z*8(ZNcg*tF&9JUYGof*Gsw<+Fv!+Yog2<^u{
z4+X{K3vBsn=kpJ2)<78Jnt@{)K6Gw*+VT2(QJG24$1`5G*RCmUEQCZR&qvZ%-L;cw
zQVfo&U#eaV(+qX<?3}l^@;u?W^5`p7+;>j1vE{n{!%s<CCq3lO{FEjW&$Z|HZ5G~y
z$gxR6dBgoX#m-JkV;28#(a<DcVIksurRd5f^|!8_qj}l05a_pcG80!r5hYUR`u~V{
z3j1mlJ^xvF_nnS-8byAwm=_tAI6?MCo{lu{!r;V(mz^7EzsVOD`cY1T36+OdsnEM%
za@CN`Ag)D>0;J?-v)MIkgeYO5&}B!Z7_xN<=Iq2uZ;%lD$A>ZkrS3IK35i*iGW{y(
z?ZZ_d;KEyHK`BL%C&IntzpT7!yc58%EB>KRPNcq3B*x$F#O~w&r#=MRguOUb&yL)T
z(xuKpxz)CrRtTdk5K@v8C@d&0lwH}htn31mKA7u6b7ROf`<!}cr;wC7n=k8JM&gjr
z|0u7$!8Y+r7jI^%CLTt=0qN{TL{)RsNz%n2Lm{PVrSwy$F)8*a{AS|hmb*1B-2s4}
zFXi~r@*@06(j9B^Pu!qyg}oiK1>5z%dj)=K-hlJ}zDDe6zK4CcrMrlk8&vP_5^D<3
z^Jw+1fsE@YkE`K~S*UhA`)zvfhvK}4Es|=$Le2;INK1G9z?CMj4^>l1*rd~)EKA|R
zp|iE%TzZu3pG0A2Y&^Sq0oQH_I{wlY0<<{_CFk?uwpt#Iv+(|_q_JM{&ZEKM?vwB@
zxnEBDcwJAHG*;Po=W1WPzt1VH<+kzL0rS>JQ&D)sqw(QftVkFm?gORK3fWTRXLgA|
zM%x{_K!*hJvp83ydFOTX_0z%b3s$Lb$kSHu7EVfAZ>$|caRb=!I@A|eQhwyQN*8-L
zo1pYVyHiy%h%KWi%^_l;CgtlLLBoo~fO#iD;w%xrp(85_V!_lwT@{-?b6HEvW?4^s
zDkoi52>B1uZy!HRF$8n;>>5A0sjhmix%gYO8T|P{j5$U#qCOIj9uJrN;%^xKrNowP
z#eeCNZoIxBEUE>W01ltf+yFQ3ISs5~jc(fgI+m|2b-NK1CJ4^)5}~#=pR5kV2<&Dq
zL&Ee4CqJA%Zh1|*#=jp``@Yo{(Sd{!Y!Fs|;Zkg+H&du-!>9w~Vl=wY{hK6N6Ov3L
zYIORgcQk<d_e+-t@vM{r!%Bx=OCNj{VgZ^@C~;F`#PA(-oXUxyRb-5%po?R{AT)aA
z;78<Pa*j<ot<g%F9h96p?IdwAKaVzS+Ni4AnGHPhW{z5M4|O|O4OaNDl&Q35d|S%@
zzbTyNcSrvt3K75iFYNrze?)<{4kg}n8tCylyr<GiVo8N}m@`Hl<YiQ(?XqEc?kiO?
zX7D*DK-j=p+?wXV&aABJF=L(H;&B4=haaX|OB4O!#I>kEJ~tQIcOvs;>!b0lQYM7B
zh(155A@iap!sh#GAx1XCpz|r2BsixWr-X}>6kLzpi?{nF{9}Rlx=wS2S4`!pxa<@w
z{X*6_>3|X59c)h7Pz=7|IY!dEHC6C)4JFj9j5+Jr326>}5^4UAsG5epcd?(9s(2=e
zgXBfhd#hSbo6bu^oS~_5UgnfPyEv_DrXxk(hG1pWi#lMe%&(0_mmZF?&5B(rQEO<L
zgqSeIFtpKtPGO#?_%`7C;Y+T>>QyVm(Lq1Av*sJ0G;T@E7mxO?d;Jexal1zcj;)wZ
zbSfqk+TOHNgI8L$omLI$Cz*>#%Ppozhr#$xDsy3>p8+QUT>VRZz~MFEBpLwb1+W~v
z6`u7&7;=kix=mMy@w?@0=h^WQ+YS=*1XjNH!czD)o)!vf4uMANJbqzIPpr+)*pcCr
z=DO<s-Y<+h=NElOOD4I;JXQ_IXl|}|m6{KYeFHO!7}+@U1?R_WE?RgIN5?k;Wa}37
z8!$V9h)pOXhndf)`kiO?9u?pyU+;Y9O+(w3fTKvTJHPZHQt`B4V1TsPtuQDb_(U}s
zwooeBTQ8V*!Tq_Jk&_XafS}>$l;Jo!rwNx{E{4vq+@|r`{9ur9e!vdN-*c5Qg8jAk
z*iC$3Xz<e4?LE8=Z=ev{N~sNb=zjLb%Q&#f_HnBfb9?--H!Rz@WaxS;s0S}W4EY==
z`>0IqwxokHb=A!z^Ts93JTt^l*}J)8Eh;n*zOv*s&h?FTwIEN1p<r{{hiUOm@MMHs
z^z^O#r+Z1P8oEnhLg5M)OP$cK0rZ~~1Q=d$I3~~W@%<@8yyH>altg|ii>nUP|BRkk
z&2z&w3Xdgr>=xbMwuMcM_q<Q4Y|VeRsS)QcL9Ty)Rn24WZnLUkJ@o%J#Xd0O=Cb&K
z`%(w|Fthy5M)iVT!Za>ZKvr-kRgiG_%c4D{T33VeNE-Epb74C5Ra;@NA^7=>_(>Yb
zw-4|Ay6N&{!FgtxJN?Adko*O=3QmKMM)*npqnkA!hQ#TH+IDMb1dXi1^;N<0h;0WI
zC2Wr9IOG4&_TK+&fBzr1s=aD&YHw<k8s)84?VX4awO3*bMX4%k*RD}&mn2A#7(wm5
zN5pK^sNGhLmg?v7CtSDN_qu+6{d8XEhjX6i@wngNc1OvHWZa4DGg>Tr`g1uTBK!|x
ziTs0HQX*B+#Jw)(Pv5m#&f$3?|Mu-&xZXB}R!4N_i?~s1eO~3@{c7@<`G?HP8_1fB
zrGpIodls5DU6<<KAFsIRf|=uz4XKhSOZyb|XKX&-aUUFq#+$plN8fqM{TrQr=pD+F
z{}Hu%>w<lYYT~JU;Js{fuO8$KaXx#T(elc{xHpDm7YaXzc=qogTSR_r_pIpsM{V|u
zj(*_491>HE$(!#iL)dyZEZWIg`Oro_TtN<(WNqbz^*;q&kl{xmVp$&EGetMYgSK3R
zJV)g#2fq$3VOT>~Y>i$h&L(4%apjMZVa<}%QNjK}i@p2+v1JsH&!zxT-^`TG>Fh`V
z>Qt8|{7B-7G%0$Po?m}JzQTEB>3feg4Z%dZAScJP+@yM2Lx0@SfU$nzITqg~dVjb}
zMO7SmlF~Vt?n|Jt5v?~1+=*CBHLFgTJ*bF-4a|D>9BSwmotX!Pc^8f+^<>LiGCX`1
z_m&?X2mdM61H~uwtJf0mFn?|hJ3e4bm&hQ03CMeDXEOe8fv&DrC+8<pgUN^38;jDF
zH^;yJq{RhL40=>R^#ZhHaUP0l@qE?y$ssO#$(DVdE`SG?>d!VNxjVD5IR5fkLPr6m
zq7<$8t%V*v??P)O<F&e>j#-K{c32-;5C7=Pty!S1n1nca5lYnJgeI^r{<QZh7|cA0
zs<b6UbtS`y^lnlO?xknornw}6wX%u#rvMpAe}R#84iTi9a<v6VPQjp){X^?ZeVbI^
z`vHX<k?>c)&dlZXTkCAZUs<6B3YmE~U5zmUdviAG$zyhiJ4mTU7fX3zgQjf{1f!)l
zUM`tH1*J36tv?AcqnGq0HE9fE>8PGSgEw|Rl}gb{Yv$;28I`Pp3jRkT#=OSN#>(H+
zdvEW)Kk~nCL-xx3>bm3n-L(*ebqjtaXRUl0r|4hII1cBlW6kff_ZN2xGkW_IA|*%o
zSd6cXeFIee(QwgsgFe@&4v>{>0#Cew_|rSYJXck07F3pYwmmj;b|C9d*PwnU<R6iB
zmzq48toj>+@UVjL;QJD<htGF1?^Yg7pSdm90_^Ia;FLzqQe8tF<K43DW!0-b2v4FN
z;&i$AM=FI|4`Wu&8kwR^VMvQT(YE4Kw_#=X!E6Vgl@KKDs-0`gw`ysgLXo>0=Y=U_
zXoWPqM|`uYNO4(JoU2Dfm50hf9LktDSg-^J57ECc!--1Eb1A&!UOWKu_fS!i8VgW~
zDCcO>BHlxJ#NMm77=U*-`Ud8PpRrHEo(T)f=I6+TY5jWMwTELG4sdn$Nr)46={>Uc
zw2CE)Ph<c7nZ2E4qO5>Nw%<Mcn{AIJT^rg_N07=ETm=_%FDu%hlUzgY8;o2=^A@_g
zvtr0$B*sL$knJ_&8mY#YeF3Qa`xd+3#ju}Pr(rWQr;h~9pmJFsrRS_Cj*|CYr8`Fg
zRM;!T${*^lSKdBMn0)$L6*(5+^oWI;V-9}hKV)Zq8i%y1zyloHpH|6^%=<R-t31sB
z9Mbc-5t+Y>h8F2(Razr2TiGnVz<|J|eZPF7dwR#%Khi>`IU+!u`@?+}U-qvbWgWKP
zjZQZ^;VpzP=)i<U#N3E}V!ulZ<CfzS0uC{&LX_Q?817Ft#Rz)Hi{BNs4R~VZBO%t0
zf^6!inkFY2*vb~>mlf`LqRkq-iz#+ck~c8a+EQJMgS2Erv6AbNZIDnirmar9qcy*`
z+riL6!p3IhqDL8-laTaF=Iq-ex$PwBlxfhD&_*=`7(jK3cXl#vr7`bsCs$>zJW(sp
zK?V1jYJ6|_w^#E<^&7uq;QI*IBGv6-zTaDRh`J4)tPR|P3d9D*bIA9QJdy%DOF-!D
z^x-K!7xkCKl<oK`&Ko~~y$f9<ohfrub9cS+m{0r}g}V&Tpsh28OKHPTuwB0DD1SLc
za(&_#6$d{@$4knb*2iDgJ8n1BqvI;&s~0;y4{gNV>H75q=JZ6A6={|egAdJI7Yz(i
zw>M}_Q<c<qdzUJL%K)op^TlRU+?~4^v(-^;xsD|j5{~_mj%}fY@DQUuj(h9bLF7VZ
zvFWi>Bm)1k9!D(nEga|8F{;8ce(U@>nX?bDyY@(2<?eo+#zxRcFP+)=vcoELm!|u0
zf`2N-y@@*mKKIeRhq-O_siilnZngTN_lbO-bbU}%NpI0O+bHJ=%VA)!GmoS`5)To8
zX@fch&74!@i@SjB!C~8qP9%4FuOl92Z@Mfn<XaE<_Ml2<$1pYeT5gZg(DO@MN|^8I
z`>i5sPvu2{a3tm#Lj>c7<c{TI5%W;D(F`0#naOjToqX1G33u+Q&-|N1<)$HZ%fJEn
zwp4-!zoB2zFME6F_$s|OIgb?L<+u$nFLU#wNuQ(JYuix)ZUjsVe^jc|m&UnQl2+u#
zmXi^@u`Es&+x>)X&$Rc_ahTMr8a{ZC6UTZ6<Te!jhtQT6D9dhzV~H&TB3pU>`oTZx
zU@32lnO6El%@#`Wh@-0qUiUEPQ~wY?`GCv@cIr#5<7Ov@mo}FCVKGw;3TB_eqIXeL
zPf(mgK22ipt!^wx;*nYwG4iK30JEBB*mFe7p{+kQlooNeeGR$68m>fu0i`M)Bp$xH
zj}kX9wwj5YWc_o(QV!Y$V=bEoe>_f&yYIgEiMONO{5Oasgo=_yvG~ahHn1&#ad?&*
z2T>p%N)FGL;;0zddO!;<wUsp8i?~nGGbc=8I4Wk|{9R!#vZ!*)XR-R~rlE;u6<j_X
zGp++=`q7P+=U+6DGdox`PE8CWc6?~+ZI;k#bsjkr?*{w+Nl;x={N!shEmI9{d3h`o
zt=?nmb7vr{K7Yz}bG(GfNM0t(w+vX?QrT{0Qf%sI+>1U0IyU7S92b(KXgZS?6m(wC
z4jWI&q0<Akf62{?x6ZS!f7;{DNJf1Oh1*i9wPMaX9^s@RL*LN#e&iNhOtp@XR%ejR
zg*~gpK!339hn+}UoXvEBz?Xur+r<r7QE7Xz7DXPk)QF*<Cy{-~k7ts(_bv3{6zYOP
z2Erq7(0l#!{nt-hNp+!|M!8lr52MfDeh>hJy?(&?IJNe`?3vTjQ^N@=__bg3M^x#f
z56$zTnt{bx_p8_+DX*G&4raHN*d{_X6T8w;4V4NqwSyPi;e5zFc&nNIHa5r)z(eJ)
zUc-qf`gn6M%q~4NWp~O7($0{*lB}|U2IsX9#q-xee)Vkj=qYMOkw+>aOc|m^<SE7E
zhYTZa#5_CZIFo`)yN7ewp#fb(B<YuU)?(}X_101++!MBe?e=J=1nIKs)Or=6JGC_X
zf$06$&?XAf-jSA3l(vyvae7^`P_)-x!PT_GeTx=?kPfz9$-U^`pgXCJ2@E#?AixUR
z-MGlO?SclTd~Uvc;!^$k=3S5}@=jzQ|Ie-3I^R$C4=#DM$k>zr3yRSXYlFyMT=#DY
zSbicI%$w}^aXJb0R3H5Dg$ADeP)uNJyeyZJ-#whQ{eL7*b`&{!p{YaMf{|LkSZycj
z6$())KM^4%eJI0qMqT>!E%OlzuLreX-s==MF5wDlrg@!H23jRu9!LQ2pg)!|oh@+m
zDig-l_!_vuZlgy8|Jws(%Z9f|y(=bvp)I{}|M$0CueQeW$I5N|S3QzPO-wI+2aYm`
z`Z?8DB<n{JiE8#k%Ls?ivWz4?D<1hIMF+%EgU-rlLjf1Z$g2v<G^y5QaCOr#OMMgm
zB<`SrZxMcaa&UTjNBvUfv7xL#v-VJKTOr1DV?&I(9;*JS9^L>^bxW5#{3=6x)N(7&
z#EAPuJfAz?&oLyHCj^@oq&+iQ_w~HFzkJ}FV#?cEB$PUJ*2QQ4%)E&ym^qBiaUq}Q
zyk985OE6_f;i9d2)-ID|asK^uPs6}|@Zb=;UH!h^<3f+KT>(rzrKiT}Q*WikD76z@
zlP{kOa@JP7Y)!KGo-;(6AYHu2D}-{$uEGMFk*#e@`nplx?Lyn8uc1DdXo-f4%f?|-
z^a_~8Dd6dK;wv<6>ZZ}dL9IHYEN>krJC&`kTen2xjmllnK4dzGaF4_z<gH92DL!Q#
z2?I?vJ70#>cep_b_E3v%9lSkoqH5jclAdItU%1@8_d7?se1^AKQLJ{~xjqoQL`?~B
z#`qTcRB}ieRX-su#~#obI~gW|ROW3!a~x~BX@(K99=>xLKjUPdG{2)88*@VHF?e6V
z?ZUd&&5UbN^t>!OS?SWzypWEfws`$`Yq++UrL@bAll7~K>9U=}5=+{_i8_^5%MK!F
z5sUOqFPfwH+7ZFQk|MYetkXU>F;<O-Y(j5sQ!a6y1==<grL%Na$&6D5hnNU^J}brZ
z8k{m#2)Wn~ZCeIM`NDQA&JBha`d7;dDz^*|zL3U4yi=upNw#R{6^6>vi`SGU^xKit
z&^U$pb|1gfAY%2B{B_Xr3Pk8|(OJ|<kpYMF{Rr{~`qgXYtk$axE(q3L-;sh+FnvkR
zg(J2nSsU1Uel_c{EK#TyOop+MyJW8=9846qkS@LfOP;xx^*1R3sb0x86=41M+$?-|
zh2N%HjygWfv%#MOQhaTj3LE{Q3uZCGw-JbzH<qZ!Y0|2`2>dDOOyHvh{V-CHDAU~X
z!<YOxt+&KyADiEpoD}APOi*}jGmM@h#w<0Ue1qWp4DdkmOY57(N*P|I+oqnIOmS}D
zxHUQ*sOc=4<9KM0szW63d9_^l7fyB0hOD<f$B><s;5o-Fjk5JG4gcaQKA&_gg_zsw
z0R&6fIlWk)zqORUGwLdtC-#3@jtL^xA?6F(UlVUq1&KtFA%~t27X54w>1if!anDik
z8e&Jh@_){vX3l+&nG`dyj)fI@eMJ5+@3_b>!z^4)*!VK(rk#{AjUR`C9*5prU)R1&
z;(|#{NU%=h9@A#_Y;a9>9_O?hcci_0s@ZtG)4V<{_fR}{s+e{@A=hopEWvz|W{z#`
zk9evjm32)U%@?_wmkzc5@C$t){c^`6W^ymPEi|+QYgFe8G`uh4pZLrAd8CN?BSYBv
z=~v@GPO;3>|B-M<Qh1yfn3W%%@SivP@`VRtp1?3m-3C2!%5(z%?UYhqxas1;pCjPM
zPdp{;UjROKuSAFN$W2{ci$MzT*W!|s7W1?XS1YTzH0QY1r#=nvM7+hHYV~>TDBlQR
zzzd9e(7O3iIbWH6opWoWUVHLEY(n8ng(EkKCoZa~udVz<uJhB_&Y2xFBO>aLsWmKu
zz*5CjUbe8~1HVAE=P+)a|Lm2FopiUpD-~n#sY0%t89Ur^9_^7J+*1Bh%B<5c<AI5!
zV@rMeC;;G`DhF{XoppR{N!4)r&50}ku<!c*9UMffue?3RJ@`z!_P*ef2hOCLF25=l
zrpz+86n`(2p{?@wWz8_zdGxGZ0j3_@YwV7#Yv65E$N03MJ2Y)A%?gTSh<sk&Ax_Ct
za+54-L7dD6G<Swle^_lzq0PHRLG<B)ZC(H#5+R3+ll3kgOf^$a<3UsH!G6Tcl~;Mn
zRMs)dUaqnlobqf*p43Z$;b##fC8BSvSF%9gh_8jAaTxn7B%=b>v66#BdSv<z)Hn-F
zA5&HOWluxO5t{ME&rz`AmmM>ch|8Gn&=@#;!LRr!*1OC111QgzF?5!`tiVV8-#lav
zPR_kDTprM$KdF$ytDDljjC*}YCg(vfqPi!U<X;VTcXkouDYtA_?OPxuwjtu?_uz<q
zoP?t9XkEh>bQ;mxF`}nU46b=z1y0!k(9voyHotTFQCFwD?V(6!W+H6^Q87J28y}W`
zkXf=f^8u$?t{v9ois6VWm*uqWRzj}^<NimY-RjyNHXY=n++iSbVu@!`&e%Mu#}-r3
zlQ{>g2yRliAd1Pe)>!FXObI$T?uxq-H8JDt-`9vRLMpcWnsb2f`F3aP`g@|EoFet}
z*CgF4=G4i7@&=p=8CrZ#C(==th{cWj8?0+*HsjUNe3y|^?CB6xRSdjPFp99}A*ln2
zP>(1RmF&&VN=fbjWCzZMDG{UgK}3s17V||G_}0rzz5PfQuz2RRf@XAAyMBnyQ9U^b
zSOBz&?)YTa?}t2KdLP<QoqA5DVtJ-Po<BD6X3{|{y+UCToLj6VQ2xo=r=rhhEP~Io
z1S##t=c{SkXGgvqGcN#(OS7BUAxK{UIH*)UswWlSi^jfq?=o)2rH(lJB|-I~ucAvm
zIY-x#LcUx?Xtr|ZB9a53N>DLVg?p!AC%Y1ot24S~i-_F@1`e`fjz`hEKci-0!WkO_
zJ@d3=2K}#zRTGtW&=wz{f4Cpm_{ctMXtZ2O!sMZ-5xexGG4m_M7T$nCq#QR)kyYP8
zY|EeRG31GOWg6h8j{L+Asu${|F1;C#OFqIkdg$dQij7)_5($0m_`S$r3*N?Vj(O;C
zmFTxAHQKIq-BaI=i+LAtk23D{;ewbdI-|Q-(uwZr%D5W&|Lqi0SnK+$@#iam-Ab*>
z)NDs#=A-%4`VwING&j;`1YIb!`9xcuB0NpMwt&)HX4S{}5_r~EtiT|Y-<LRIaQ@ll
zOZQ%8oP#Ilh@8Al#Ti*-IOYiATZ31R02tOQUHw~V4(K}qyjQ1X$xcsy^inB**cKdo
zsvzoECI-Z!OW*?8?-)OWP?IGp?FZRE=+TfsU+Lapy<O=iujA`8=+(!l2yX9x>AwG1
z_#xW4EwK5IB;A4B68z+6YB#1N-CIN9bGF8lQsnY99Ghc#Nbi(Vu1T?JN{k}icfvT{
zCMMWi*YZRW*b+$BP=^%Hs{Sa4kUNiqMb|6+@Yb%-PWaTfnoK{n7s+NXoBe+CEV?xx
zU19nEv}iB01v7sor;+k!Ri}VebAO<dWd+ZWJN4<a+w-g!JIl9bCFk?Nla_qfI(mr>
zDJbqRu6wO6Q@M1DHr+ap-Ug~JNT`&D`O?)7--<Q%uu{1aw%I1{cdo|DB~Y1wCxI)$
z;qKM)Q?{|`Umw7qYAaY8^Vw4)w3KqnPB<8&psw@bMc>26u@%F9D=J>CG+2;~$swLT
z<Li%`#2u29>}^UwqN%7gSZhMRsBpeTl|_|BbZ(XXRl9$biTMUxrIQFBi|UG7`4(&i
zc^28YM0S}3NusD&%{QO|k+uO`6bs6vfbYs)h(^SlyFj=H7ZOw&C<gxVn`6yh+pKYI
z)PfZUsm^Yas{(w8wCEt@%75IYxtga19klehO2LQZ6Ow9J<)HX<elmt96<f;9{xjZC
zC*@d*j|<8vH?eM^PJL}QbuCxNR=D2pAcuoTkFXd0R4A=t5S>%qNa~w_j1W^|noc$-
zdhJi}VJ=l`mTtf*1J`>v_l47(1b`C!N~W-hKVu4!D@i>1;(dU0XrM4-sDrp0q}kim
z0m^I@fg43Vcf`XGh@!pf;9}Ck=;91VJv5K38`YE$o?;0k`cG~(bYoR}=ih{q{Toi^
zW4K1*|8D6Mhmhymg3LXQ6=bUyj2Cb-sKQs)9wDQ+GFdD5{=L_*kZc+JS*w;-Z#^y^
z*-#9KHsbv4fw^8OzB?)!jtE?r9{7>;n!fM1U$sHn`P`7Nt~986f1)&tdRM-!a+-$L
zb<yuSuD9*tSS|~GfM#ywqI3XYZBP%TRR|x9jtRxC2aF3hv3bg`seb5<sV@e5rr6Os
zM=V!RAHL=_^@M@zKLvsw@vm3U$#nrq0b2rxzBmLtF~M_XeqXcWR;Q)I{Q=EfgLdJk
zDtroVFr78tgx%A4_(U_%EjewZfu4(Fqty`xLOr4wtaYBTXAm$r{+;Ov;-D>3US!PC
zp5cUwNq?#Y1xe{;Syv~c$U;4_KBn7dO{3AU&{0Jn94dD*pQ9F%td_NZbTOx1)3r58
zD8@*(oHMM+Jogkh*5@%bLnaP;o9Oksc9;w~v{HrDDNMX!Qa~z%$m!~!y%p-&7;on&
zN()y!fNGSZl&T$V=m+QFz4fa06~D_%LX!Mla@U^S<%nn(ED!07aF6?p@nKuG%Ueio
zkIcXJaC=`E=r#?vxE5=7j74Zb;3(y}n3LRVvpYL=JN8|t1N%b&ji&gpSL~v38(rMH
z;s{c9j~Bz3Gz@wCS7k4?aL^9U;J&}6e&nFb1GFj3Fm8m+`3q2HlYpzGdZcZf8^mDb
zH&Y|++&gx7za~UeHeQIe=>)`6>_}DMBR8bdoMf*#VZ!r?f{I@IgRXB2HZ|cX&8C0O
z5$6q0%R3FT?tfRa6eP|l5bx@P2Pl<FXE51wx*}>wIJ2q3A(oT;!;;)}3%!Fe!LqHd
zh8AXwE>M^*vG>bATrZ!!L&<%9qm0|wSe7}W0MUUcP(sCH+`ZkuwRxX!=kOlMsoA2I
zwWh-Oqx&%7Vraa+qk2Md?gh=&(h_+mCCL`kkV=y>@{Jvth`MNehSZ&X@qiU$qFaMQ
z=Y^r4c<1Toh}%chZSLa#e|xIRJHu%_&Lx6>H8PLN_KyMvtBI?C=U8%zDE3CGmOmj8
zb$yDXU8(o25}7pyV*4&`bK&wslnvtTmx2C#(H+oL#c{=zsvw2>Nd&fg!Ne!_U-e+q
zP14HmCh~UaJtsU_0%$H;r)uI)%}BoDE7d2at&hh>V%TS2T0Q0?oPW;!{nD=^AnbF*
zQH<{Qzjr6_>EE|*K6O$a{|Ok@l3u_16Ll}*dl#nr^YV0!vPH&$GW*QxyRr4y?!#3r
zns3lO>$@4W5+7v)g3-iZjeN81H>_aTI|H1|?AK1Kg*JtjuUYa(KUn!E-|7k%r1B>I
zb#J1yOym+WOsb$UN}9IK>U#IShBdxHS~*}>MRKhD*TENQW0kzI{X6kLk~yVm9(7W6
z{mVcU<e2t`4VL>F`5}d_bse2vS|PMo|GU>^rMaJR_pg`R(*H;}aLGST7_3e*%uc2*
zHd`+KlPG-|@}b+@S?mTA_11(T<_mG_Kobfh4oXOVIrsQkBDLw&W8U27rcc@QR?F~X
zFBq_%H_tJ7%Gr=x&3NH7(+EA@-h;+-fF})EuW9~Aa#i9RJIulp^cP_E;Byl6b-E?T
z)~J|Z;3t}@*zD_q>Jy+-|F+Q~sqs6y$cq`7iNkMi%rSRtn~aV_faldOPpivE@4U{^
zq7)eHpys0T#+Z}+WZ1X28Zx&@@!r;FEeWxwNmaTdVE87@U*x3S&ONw5OhzVfvwKJK
zjrMo>cFjb8Ig7+^<l{M-DWu|QT!9z%na9GzX{T{nE9NBIiAqM@`p>fW$2WGRK{F4|
z54t=O@>o|mUeqpAf1s+4vRTdU8}_d{$jn1o#O?iZ*Wr{i`^DSXu1-mLujuHwLuLA<
zf4N1N$48v#<M(V-i*Nvv-g{@gRFR<5_h87g?ug@{DdolPo<dX02U}^$m>f>VyEmu9
zc9lPK+AB8_pUEr^-Md`prjPQ?v9}Z<uqCn3b<9yP1U23dB+}gi8V=Tm*;Rl9*RH@g
zQ<Bu!Bt<2S8vp#|3kaXvd@Frt>iYWx(J*{)8T4ar@KU{5END!*#0L*tFUj@#`6}g*
zbKk)lttoh%PrLGWBEIK)>t?pfD~PbjnvWpfNeEm_pBA?$`WOr_X4D&(unQcImNzma
zv9ue|kYdqrr~G=ynZ_rnNk__D^MtLpNdJ0`8DQ6z?^+1!F=G8Y@wl<h4#^|d8(ii`
z6QybS?OAQ>?6kcFdd;ohv)Q_#YF7J<r)!X9hM}<Wb1uz?+{1=<Xl6F0<}_!T->41!
znGyY_S=b72oj@cUP|L*2co0+S*^73%_St+#Z4EjaE_TM2reIq=S;2k9w*F8DZc6>w
z#?Goznn{azt~v+If-LS3TvY$wyd?OT9XpGeL8hRJVlK#Qg^|g3iAMtT9tqmP68^Mm
zj;+TNH=rxbh|IGLqoCvOyaFrVk8sp-B1>t0Pb=-Lc7+V@Wp{ZlMe#=$gR!H_rt)kf
z82p7ikE4J>g^Yq%KQ3$ANi$U@gPk`kzfcfo2vZhx@oNM;UyJCMu3LZoAk18m2Gq8}
zn9Q(ID-gV8?{TA%qHQo&9^yzh2W|4o5)_2mN@ZGOYGhnUv!^ZF4vu3*R%*|boDT5N
zm$G&!Tvs@G$F!xx#77v1FOFgvz09e!a&QB?&^1d(ySJo(jjzbDI}>4bc`HM@1tP+P
zw89H!u<8Hd2V}JWEczdb|NY=%|Bd_b#sEv~&3&<!6}sGo#h^VET4<*Lxy3iRjiv^$
zV2g3XTvmF&SPi+-9%)M>ea9E%OoA4pXSM&Z<!uzr*B2M04j*p;FBuH$G)Oi1Toc*L
zG8#ngxuIi~^V#l<l()(31b=Q-I(Iu57Qn=)iR?bd0|oPs$pTd4b5ReP_iWdmKXX>b
z$P&G;7D?Luy?k?MB&b+a^%RwF5QG9#?69<ORYk`0A52NcWtke=u8zSUrE_^!dV}6S
z@iq!Ss5(nsKRs{6#kAV#tC9qhZX}Cj$Tq2`+X0U1+!keUuN-%8Qn9r<G$GpFqKQ5%
z_&Y{%?|7N&0XR9k`mGj3<01PMGq@YO(C}_fuH3pC5`t8I4W(P}^sl?;H|9XK=@;`U
z{yDv$x8fh|0$4n7e#d!ga;<2L9^bfPT@`E=I6B>^_0)yYkaHws(h7~l0*egMsIP3b
z<(;N<HAo?ltMh%E<mI~_DkAzEgpP`DcEoq-B`=7`2kbn92FbPsthVO0=Vz8yh3nI=
zANE;5Td@<K5XY#AS8I5G7@fhx0`NuK7aP&CoJ!>ernn{dL}0>)C?PU~w+@zpBJ#V<
zOOpjJl1RUPsu9d~W?M?1G6Au0@*=q&s&hQ96p%sV1~T7^NG7FtFo_*+;F%Qq93HIk
z@J2ta_bcYCCV$M2>Q<_Dl=)3fcy8)lc475xl=Zi?F}|t8^-s4h+gxr1|M&{qadc;1
z1^sX5m6K^)m}(?iHZ;rmD0k%yw+!vfC;lqv>^XMk8%9ak7!!b8v80>qdRy#b7+#oY
zilh55&)5oiVabah`vd{0d?U>U-;I{Wf3_`Z0`kG)J=>hEPlN^O*(G~Q1=ppeR7b~x
z%y^S3a!_UAZ^|6!{eNEg<+t>1{M5J7xrm0=4=pWf2Uk3F|JUl8|G~Kh)_oK<UF>nF
z26c}dFhDFxnZ%Xp$97I-R9WS!%TBW-HfYB=TIBxHZnMU4)>9J9U5j1tx@^)9GYfdl
zT>W&RS3%o~Aq;VctUXin6uYK5zscTmK|*slWh4_NV#PcrUo_Maq{H96i;l+nn8CkC
z9=%xzOZJ^QQ4(DN!hCHn_Y*4D>g#yp-3o{qIx|kAUK|g<r3*0-J==u0e+7J5SU@eA
z<fB(vS<g*0J?{QDmJN(7)d$ASrjzf<WIB8%GgE#TP$oC^v@`uYjQqsK>sjo%K6wK3
z$3fdJf?Nked_#5dD9vjD=-K3RpWo)7n9g_qn#9C6$G?tbg<Z&z-b=1((>kQ%H@P-P
zY8)`m|4H^e2jD!|BDfwTrNX#%8{5e%q7<0SP#dxy+MKw9_8>gpdHeUtw;X=_cm98C
z_(QpltMer>?2mx~W^L5OYH}u5<fE!8*JVD%-xt#UX+>)2v|JIHSWec7UhspKBpF4i
z0Wv!NQMAtR-PU}X-vRr0#xHkb6O&L>%gpmIqoJ{Qaoku3O?uNWw~quU0VoCKvK<=9
zKpm|-uuU@nUPAyPVRUbdduQ(`dbb75J4-6^95#U@b5H6wTxiQ+QN`}WdNCQ3z!muq
zzs|;1pkVKrTQI#*G=tPddsLw5d5TROe??yQI~gO~D5L4fi4bv|H7qQDap<4}HTHSc
zkobt=qjPk{Meua8i+cfikKODp2+|a=x7&m+RBYEs`@1RMYwEW^Ix+QJ{#E*x@k9%x
z*$|79FQt_oy9{SusCGsymxXw*)L#s~D0}kojmwnTlg)8-ignXO*dM7&77A96Z4qvZ
zGDl^`=<;<#&lw5)B=2@3TToyUS;n<pA}OesJk`+oGfQXWP^6ckjyZ3idd>O_I;8=8
zU64+k5l<lo^8OCbO>xhzuq{5H2|aW093WoJdmI>_TRoR)?mHxBLwaR4O}CM9G1o(*
zh~y)LkY*-NYOr%%x2Xk{f86)>kTESn`)b^?HGAK0)+Z|mo3<3)oAt(j=<Rl*o<RRN
zN>9ft=0H2_4DTdMKoW>Ij|bZ*q{S$ZcfJeaOHmI%xX&xMP>KeX{Ea0CgD$tXG&2{n
z4vk+LT#E)R;Txvnks9f5u``;Hh`IM#h1C~H1PU;L1|;^K>sP!Hd*UqTK5D}#dy<0n
zgbc`=u>bP@o!OlaDH|i>b@j||UbKJt=h!S{M49&7I*u$mC$sl_mTxO@xAQsTh%0tE
z`JS;PPj)r~m7r)&uOB;8c<PNdd?eerm2Wx&9qtJ=q{|HBsLjuN?tSDeMnRq9822TE
zjT-h4ToaySKmt)-)3Efj0E4C;daNAbigk=dnal3<NQ=#fG?~cw=7lZ3&x)<0D(56*
zIIt|N%bK>o%A$y1?4$m#D{{O=NY~W|queCw$2vGGnFZzf<G>9S(OOkgVst&WjW&v<
zznRjc<s8zT>%7VrQVM5<SS;K|)fP#Q$NCmkyKdPmNHCMr-aGONik`9hIqbt63FylF
z&k?a66DA6&(6Y4hUW9>+b`QFyRQTx|`*ZVUVkF|S@c}*t{~Bs3Kw7$3k8NIIr*UR1
zNL3B@wf9S{!!gQeWk?;}k;4EY<+@GST#d<gL;Gm<Q<^Qy<1x*TL=2bN-TMmZIqjDc
z{F9YGG>E4sZ5zLe?^V<h3cE^bsdHokrfjvP)sWSPw9BL_PS?a6SELE~{{68Zir>Q(
z8~|0cqB8iB4H(UeD<8D9Bfn}Uyyvb<=%rJUM~5YkMfCj_bQmVsN)<vjEcDY)gsbNT
zODtDruL|QN3E`$G^ccm%KaKro-R$dkAnza;>E|!o!S*n^=&Ccfl(3^y>|{7Ba`2RK
z*`vZ!<{xU?nOD?<b>`LpLpii|2Em=Xfyco~NSBXDy_1sq(7%yQZ5^XFqh;l)4P<;@
zhe>GfS<V?2BfRe7cH7_9+<;v;9whcHE^v>Z)pVRwPX4`|JTiM5efg5-XUyt3#oq4c
zpIUD|xgEZEI{x=%_j$$Tzt8K}@?FpT*iy-##MHyn&Fm|(%4+Ze6(eRZtpy(>Dw||;
z<dU`J`wGTot7WCs@zk)6^%SVtJ^M`hBU9Zyb*50lR@9G}QZQjm*4w8i+~ZMA{xfVT
z00(^&4>>xL^G9C01zA_1TOba=*|<paVGO})yT>?NedS(sN_E^9)A6}iTrB7B*LySU
zFPDHdZJqxrZC~MH?nhQc&GS<Jo*Hia_rQ;3bB(uhows<s<hbAGD8}mXzi<D&c;91o
z?Rv?d&ugZO!Y?WhFa9g}``!P7f28}&Yv}JY?04t2wbg&ptJfD=p9Wrh8ovGxevo<b
z@B4DX!L>I&a+92JYiZN!`}FT4xJ+SSXzeANjmhO#?k`)m<iAgik{loO)d`4n?@C7H
z-STLdBYU!|`#EL#!itIAwS_4!$VhU2g|dS4>U>#y`du~D#&CsP+GwL}c18wJ4~P3O
zs!Jm))l-@+Rn)GSbJUB!P><}M3PT@-AY-t?%{pdcvE#?JVnT%)rf9d$ytdBS&P7gZ
zGrHwt4baUKsCh0zQy%z3XVr`HqBNiG8TL>}Bemfm_EGvu(iUt%W$aZz7`=yatshgN
z&sbJcbMuTJWtaJ!W$gw2R*dK{R{&VcT?lNTH;nus5TcE<n|E`{K3ZAXldaPaFqJJF
zsgVmk&L#rk{4i*KWPkOAFE&=S=1NCz6ea~kAE{mMg;eruCw;G_%E{9PYdBwK%(N)4
zLfuxcmD#|B>;LK+#k5NcO_1hePkL%?95?Fcwf{LC0rORfjw_D6YzakM+lJP;ua}Zm
z>HsMX>}P}7A*z?O+tiAxzdthiP;k4bJQWx}ZKF_mE$DrWrHcRB(+v}{Tb(B@D731L
z9FtKDV9}44C&KxwE%_PZH<+OvneI08lw+F4bLHqT#eA5<p<kFfEcMgJyA+G#8sY*}
zFW^^ChnY>Hc+hz7bf2xB8m7R=JzHT;o4|Dng!ZT4Z+r%$A)UTAIf%ujI5HwR{=9KA
z!2S4Lgicp<gn!qkjc<9&C=Dj<B<>d`O%6?to$%Al+t~|1<|jj2s^d|YeB#DWgX-4Y
zymR*U_>hO;btkkLZ2Kpc_D3>nBkNF}$Z8H%OPt-BGbk86y}V0x&BSh@F^?-=e93+C
z4`2I<4qG363_Esw=jP2JT~a>q$!wky9zAo@i*he|p8SUO8*nj6&)y`ZJ>;U0T>3T3
zXlY6Pe*R+8yC;(vgb7lGp)Kw!YJ+`}=!&{u#YEE&IoTabGn9D;GD|?VMcW<~a_Vx5
zSlQl}acPHxm<xp)m)$KEnJ5`i9~YBfyd@TRBlE7-&5;RBPu9#H9=jH_C%+_5Nbeqo
zG)hW;Ru?F2RzjPFk>wLo6<FQmsdM-5+@~8%eIIw3Fl<B_vuI%n4Qoxw?$Q^l8%l6+
zL1Ay+(l5aufC<1nTNj^p4oFJlbH+53Vk3s{&K?!#;E%XrwVo9JoB_mvtXC6uX2}7y
zyn*8?meedPDcbZ3FhwW(vTvC@WH`APcY3OT>U3<urJV|>oix+FzmO3vNZTGhQyK~b
ze!<y5^3Vn$O*oRszoM7wX4)ynMKa)$wTty|Wlz+~=SXRxMTm*q)NWY*Ys?G1-}Pex
zYz(Sd%M@Q9Ww@P@twpRD%8o;!<gmwT%3`2BvzC>#Z*B|&w3a_&(FEg3dE?V!R_f@-
zY{Xk7_%h_F8g11_2q)O++##drE`%0kYSY`5+90Z)LVWRtcs1mgqtiwGwDssr`#|Y7
zPTKe8p>g_<*>b43Js}>JywmYx_7Oa_%_hdc5*KELZk!Nw)}y7{eMZy2tu;(gf)%mt
z8Eby>s-UzgY~UiWs#VzDYH-KP)u&p7-7RF75|i;LNMG@(VnTCMdP0l~EvW#=OYygd
z!SkuHHTE%R6OL*s4A^t;S$y|5qgo~-8~s!peCcY#E^4vZ;k&*&7+L4Byf!sA6ZRnK
z16#WuY56d-La9<yD|u7VQGJ|JNgn#{(&mHqIbSks+gaCzlW(}gcBHZ=;d<7d9dTeE
z7OvFN!k7A0e9+&Dq&8?Ejc(v?X=VK<GpB$^xSCT1>V;C^@Ch~&DmW~9kaVNIzI-OG
zv2^x3Z#%|6WASgX)w!8Xw9>x-%ZU%{j~49$#`hK)t$kNCJRZOGu75KU{TAi9{7`x(
zH!5aYkD*e@Q3)jxqF1}-zWz=JUgB*qQtHr1&k_#8Cp_Brp!M?Lq50d#PNt2X^7t`@
z#EW~rbz9}GIK8x|kExzHEaq;-+(m$-SAHM{D>Z~BCeia?*i&=zld{vAc@C$~E`7oP
zeOW2ttm(o`+UftxRvMS;$hb-`9VF6U@Bs)rUBdOixEA{Q6{&JyrVSouOzsBV53{lJ
z>K8V-yW9Bjom-llHRvg0d@cQR-9fHWbxY!oBWlD#iA>dYd9R!;TH>6nY~I;FUpKQ#
zMq-RfTohy_G_=>QPx4zE!<^SXrXod-QKRnG8Pe_RbA8GyeJ%>gCi_>OZ_vJ>=7%&`
zc<UCnPUz~k^97<a7jPS>J8`~Ry@}u}LI%dNIuCdK&Kh7}oUODf+tz71u_hL8Po@yU
z_+@Ub5-V2|p^t$fCx=$@SHo6hkO^I4NaOF%7Im3x-nAsZfjEgx!~LY`zT_rz<KeKt
zi2spT#;2m+Nt3BI@>`Fv1ve`JbpW&GV%mlj5Y}0CFITgd5zX}5I`OFSVC&xCyX^a^
z3B1q7->Xlpjc38l-kC*z>lpYSNn74A*)FfajK`Rm;4p7+e*OPzW!d|nVebF0K8B8@
zE2TFCY*yPt4BOh4F5ay+^n+}Ib)MX9c_Ldm^%1+D@f!1yTSsUQ7&73@HJNl2mzl70
zUQjie2!1)t*9Bd62=FXxzdn0MAB4mzKXaW6mg$@oTn==2#2fITjKS##t+HLbB>*+b
zOMA~o5y|1iyBsALrb`QY?gv|1czM^Cy}mq6&1N1}-||EY>ry@Zn9pb@{cmJ$*^;$H
z<mPMd`eu>5M^FH(w_hOL<_(v@KoYh~+G}4!gZ@>3egS-(K04SC7b1;i?yWnK&P<Y4
zI@EKdBrbL&R3c`+PVB{-g70Ok{u~{KCLhXJ95(zalu!Fwlhx@Zo)roqDSfySl&UTB
znbeYIi%$F_JWFLmv#jTfN%OcuT#=5-D>-LtP*ow53j4?Oq1ca^qaD%mIu4A%SpC7k
zEVO6$RIcc&qGQLSOB&f9o~Ed_(OV0PwB*90J`G{e7dsNRy9MPbzAc=?c8X6@C*tTV
z)ac|B;;Z@-p6#Z7OnMxSQ)nphc3L|1vn30jLy0cRiX?sZvs!2d=J(MS{gg@#M$avT
z0w35uUGV(&icasoq-S4$nNw#pL%J}%L(shIq3ubGicKv$w<)U!ke0=}`GT1RqQpwl
z9(lgT73J8RMDQyfeD_i9&E{H{R>O*&`y$E{?!UNn0DvU^_l|A;s-&hK0tE}$wZ%OB
z53gyQNJYacuKKrBH@o&#g3D65h=N%<^>%06af#;{U}V14#RKA#k-JjwKIcoG4iA@z
z6;P!Ki`;s9H>sFWXJxxuGkE;2JEQh5FCniNbgwQ<jCGR(XdhG_Dm-Iy)ZU5DmEB@f
ziZUoX-ZB+yNq-8dWBSfFU_Q_$7^7g*8~E@hQFGXj$HodBB&+Pfi0}vE&UcxLT`fB)
z^eLK*<JP0y8U_CYd&#ZMU$6v3YO?R(9-gxA;}2U(?3?-50QUlyiYYxhBByGhL)cEA
zZ%T06swSiP%u+JSS{d2R4KdhTejI>$oPuLr>E+_DBH73upZp?yM1qn~5(_%3T`c5n
zqoEJE={;A}Bdu?_$$BReiaDw=os*G|(o}&cWj-5<#J*Br5DeEb)RpSA1(w6RFgzDP
zgRBWZ_wA{j9*`8c_>RDOJvl>$<A3!$E^(QG5bh{n?6s7uC~PlMJ+^hT^hRd|P5NXF
zrql|#ekWg;0EyK}CU!U&`@WL(zMam>(RMvxvBD^MXLM@i!DD62R0>GxszM!9SQ{;`
zWiq&r#OGTU&s)z0j#eGFFDz0Yj)DS8#&*XzbiL9lEuMAp#YkN`uqC=~oxIWYaO(X1
zwUl>wiqt$UWvRdA=500OvMJ`7%v)K-j;wxZ!YEOL#<9uF2ZMMvck}=VrIV;kqbiRt
zuo}X#bLr9@$x9?v7W3PUJ-=@|-})x?=g&Y0k3wdD^j~|=CO6&CeZA<1PSqVLGl{ZI
zD*_ikGqWf$9?k-&r@h)N9Pc?j6c+BiFnVeW_nnn_5#3;8qDhtiMtxi}3Su&!sMg2l
z=ZEn9rp+MTCmuo~wb*$E4z+oFCl+QXJv)VW?FEjIy)eAKZ)lX(;3^Va##XURJC0fw
zYe>4%f!QH+gk_lYUQuyamS7IEASYPzSCX8sONVWf4aeO@VYEt&-E|>f(thWv1XWWz
zd*bahH2YFtaOFtLDZ<89#>U|EKQcxLs%$;v+Pf02MfDU4ixZiyzXV>hOzF}Ix=6}z
z(wuf*`Vu<S2Lr2#qzK{@%%T3)f3EFO9*4T<qXRg6V7Sq1LvV`Sr|1Lqv(U|HR%Rpl
zG>&(?6mOjmmbgQ=#iZuamCN%|wh~R=Iv~xEj0r5KMp>1CrVJnDpo?t+{nf4`_LZ^A
zMvA&L{gQ@brvLcXk*;eU`x&1EJADLPPqV+e?E+G3@hKm|8`j)O0n6|4)Rlg5ym?+?
z9`K~L!sQ6<XO>|i=Vke7#`WlKwo380(Ro;bf-|iqJSs$o;|`7b`|aG^k)rVwLZGFn
zciB|QD-$*OcQ9M1i=s=jEaTT9MKQX2E(Q4{s3C0+XQpA!^~=Pux%}&^rDD+G&RxKN
zKl`S`aNUj2o#ULPu*LjoE9@NiBoJkn<xHj959yT9AU{MwIkFg!`4p&#$)yU=Q-=`>
z+i|NqxCUrfLPP%&qG61rKJi$6TyAY6S3lRN2K+aX-Y}8gCTE2AO=`<&LDVS?51VL8
zRf5A%s`(7+{13HqwVjpxVnBwAps_^le!}6UOux%9x2HB0d3M{tCK!1!p_nb1^eXPV
zUd9g*3!IvbuX*PO9^pq=Zg-;AsIW#9#R$`A>ifF(q1$3*W;5CM8a03jyU-l_lo9@E
z!OtnWxE%(yt!TTwa%3^*mk6O1e(Qm1-dE6J0{V^JodZ!U%}5h_RF4DPfkkm=#jnV;
z65cQDv|ovS;s{(KuGn~7P}Zdj1!5XR5xv2ZMStsJ)8UffZ--a)gnFL628}0EQ@07`
zdnOuVlUf~+KrO->>N=OHq7p{fk~={dBwLcC*h(d|2?|j;O<ompaWa8PQ=sQ@(g08_
zN7rbHI*yj`^{Z>jr`_;}Y|MW3l-VH4Tq$(Mw<s|RlUTJ~vY-#|p6vW528Z<4JuoS4
ztvZ$s39_+EZAaBhwMI@Rz{7Z*3*J{p`X+kPRmdfB#%W~5S8grboqP~|6=anEUp$`D
z+)*lkuIM}J_+da0xzm^<4&2=F0UsfeYS7U6LCM(Sgx7S2M8Gm8rji<zB;z(&m^m!|
z$SblMdoG&!##)*!K>-9VaMgpp7uBUcNAf2HHnvPQZ61Z5*i`^#e9a1|<(p_CRAAYw
z1KWkngo)O9t}x@|Oj1FbQre`X9)fh<CriJ3LPmfV(PehaeJ3FsnocmmTEj<|`F|w1
z3u_8lKU!}esk~%Qgk-acrvooGukBhg=VA}|6|M#oz5dVJUtOiA`9SJ|pf<hMKXkXZ
zs~s_8-fYvc8kKev?TKij7xfXfil?)b`qOdYW%ueiyZ(J~FD0I`Uw5scnJ;`xyS)0X
z-c))b9x$dvPxA$9QW*abs6Vb0LJ(q*s$nfIB*)h|BZf;TL5@~4noQ6?y>_vibF`M)
z%HiO@Ov-ARJcXk#xc|<Gk<uw=91pWeBMJKd6kbWYHrM6?YU12KLoG#knV)9Ml;3|G
z*^Ob`QCOhvwH~AdCEDtgpOXYtP`UP~T3baru(K_Ra?tz)Hkme(%YI|CV{YhcpyA3y
zjV;p2bZrzJK$*ekn1tn^RVvZ<RbmAKGG%vu4g>)xM^aB85>&3CejTz5;Ov<N;JEif
z>1XjK!Ovmz%J#C{J9)i5e%{#4I7d$H?FcDFdr{6zYarA0kL}h_(SBbTN4JhI-s6)$
z;B94A{cinogTV7Gxz&cjK*JDrp}a(lE^OXF_r&^}(8hGb`#BQs>AQko74J~JH3S`U
zn<HXRWfza_9g*)lQ;OA4zP?5?oQRndoALVl!V1HVI@fIJX+xO>Y0X^t<{dGsBvsU}
zDRJ%M!CbBLllphsq6b}1X~N{ZnW5F6DeDUg+y>{lhwy9vaXo$fn^Tp>X!jMhfsPxM
zVz&3U;@YuAFI$}MTjDg<sTyu0*{Ja1l&vhX*Y%BDRYUQv`;ETMt?sVDD$)??0)z&<
zsM5<MA_8D6uQwNiaBAc9RXd7*RlbtwkppWuL_9n_aW-ZziMF3<VPQpi>DKt)8W+=6
z+^Z$bX)+YoALOW)YE)lZBLwRJoGrl_K24bXcCb=$sa3t3DkYig7@uGx=tzC{0(&S8
z91Uo)HbNk-=}2LK6>HsD4L4Y`-HMEbs2JWp#drZN%j~T8lI618>;Cg;_y4}<$m|%^
z^D8gc(it^^THvpNZ@u|}^EClFe%f(+D>FQ^B5o2QOpuhBse{p|SHHw%9C*ARt1w*(
zyOtLjC8*3IaMWr3;H$yLhHuII$_4}k)ORPh*M%$@<N|j6DM&F%=aTEV`?Vk&GZ0LZ
zTbkHs)I2RgyxCo7iXWD?Tl*t5&ShNh=Dk#wBv)Hh4*YV3Avey~b=Q09Y05rs`Exnk
zz@y&EHmk|w6J4`EnCr^uoNPs4EJ1u(SfH<@jK-B`+wWihttpD2KIBTVfYc<dn;#<m
z>dmI@e~CDMQqqP|8s{|ZYwDVn{hC%<O}kE`WlAZ+pUiLivHjv=XYuHfC{1ItJ4U|I
zt}_^GCr5~^mVF%=B3q7sX~7SGNkgfn7MG;#%bw+USWeZ8W;0Ft5T`}IW7BLSr2++&
zsIaKlY;n7!Q%qlYAM3|^d+5I>rvg>Eh>)e2GJDZ&P4WksvEOn_xm?~whtu5!_?{b?
z*CPpMqF4f~H*}PQ_3DQYNDX9YAPWmFUoxPEEfrvcoIgBfW)&15f6P2Af%f8Ml?60P
zohutm$Xy+^7_vK6w6JlV1wZA@rY<5t$l42AfK%9llnR|N*(LOzmwvKd30&5LEQl(2
zV+iwu>9Hd)+r@I=cY2^B$dsk3wHAKJ_r`I9(B<K~EPG*WqzriG5^I)%H#UqEhxz6E
zUh5}sS1mymjKKNi6{b{gzs8)&Y<=fCdUJE?@!@c%ceinNS}|#hO+;(H-g;xTQ6e@C
zfZ8~UL_}xAP^7X}-6gYahPd{|L!K7xv=_uEy(MmRMzXMu{tOa*!zLZ{Qjut5`ioJ2
ze*i%#7V;DztW|N@ULV_MB*z&10plu?{H;&MBj5D&%8W`yFt;oAHUFJ{bFQ*tGJOi?
z_~BfU6wCR|_abz9YTsCYm?Z|8@JBoqQ**mr+<SEl2lqrI#*mh)G_l~EkonIV@-?JO
z1Zg-3@F<!q<c^}Cn&gg*K!qI2afbG8-z^rD&-xyJO3h#~gE5%B_Y%<llf`-9m`S1W
zKR3`PyJwH95I(D-A^Om<h9UyTD3`Rp(`(3KNpaSrrh+U{e~+rAVVY?(U0~@2=}$Xl
zLDO;^MBu?{((U~J3bNd!@+~9Ecqc}_D_q4v*lI>a3`u1`1@WneK@b`IqoIqH+y}@E
z8>js+4wZ(YoD7;d%W<2z@2)$L%>5f$i#laM7)Dm?6AF7O1)E3=Q8v<4Y-_?u$4=5`
zrdR7Q6WI($fYR?u6_%-&ExD;Y^yQRN$qGWkByXEvO92il>(9*6C`249Rst7$I6-pS
z!;i<HaAx^|ml2-1ga<oD5FPjCw}s!`8D9wP$KQOLp-T~cEo%E6-^wv(K_cF{zfv=A
zqGeZnSBOR?w9I)F@QSp;MeE?msz~k?KmP7p`r{lsP?9AYV=<R39APMMpdv0!C-LPl
z4far5fcs%aVPjc&1Q%ZU1Y=x*McP5T^j%btAV==VyZ{dkmETJIId%4Q#sm!7W^obx
ziPiA+Sb&*suzq&fpHipZUH64|#}6#60+DwbZJ+lp@*e!61u%@X+FR;E(l5;85X+i_
zq(c|+fj9!GY3AKmXjb=W4#p(nQ*SMy@Nirkl9E;)5j3{$g+Q<&xn*7AxK6nArb$mt
zD2J7U%k)pRM(zq*nh<E%IWnugR;e~wlU<Q7u^H5YJ|jXM)kj$_-TIQME*Q_nceCw6
zwd@=;^B}{dkA=kHzD<uik_=11+y}|l(1|4JI6{wA1Fx?J<){nArP^y=V{z*#wI_rZ
zueE<i4an548q|3&nOj$3tvGErao~Qju?7z1xuHXVGBNMhq6(>h^?q5vF11C__+p#~
zpUY+V2GSo<|H&3`Nt5@;=n#0`+hmSXPmLl+woT_7>Zi2;RAJ1?8}`GW+vMy!fZdNV
zg;|^Z3)wD!JeY*(<kKD+bPk1JYIa*T21vFfLaD;2xTtLuLZ70U6pm(R4i=_M5^`82
z36fTT0MCdn{||F-_0)zJc>ChTi@Q4nD6XZ&-90#gKq0}kP+HvGy|@Mlfdr?xdkG{!
zi$l>GP@(Pj@N{0z%z60DoqO-UuxIwn-fOMTT5()@E`<{@d0Zf3WBFf?Glr(Q>;^!!
z+Y!GT5v{!4)P%E!;#QQOTqht@d8Y!@2mUpM!Bi%@jURzJ%t5zVj<*}YkfINn(jQ--
zB`H7-1gQGN23ReKNVJZe^w|MT3UgLJD5M`lVJizJLPd9aa+=|$Q{}%|Nd&q5%WGr{
zn7JMPe^Ms;pUF*-StCX@6m)mL!>PfXTg0B1eJD`o>6kE;N4&^mIT(szQL}V@Lw7(}
zJ;bw{EmVS;Brqv@=!q*IhCusW=Q%5CxaMkJyFKs_`nk2g8~2CD*4le_mE8V)3++DA
z$rr1pA#0ywZ4Z{lVEyiA=9~~Wwv7#1d__Kuf~P^4unhY@ihxaaXo5=3w`cD$FD^nh
zf925hh>CN#?}#vUl*eQ`av^ePv2NrGsT2N-mw~DA)u4w$f9uL!^=kvYuQvOPq?Jl#
z4j+k91LimuTF~w&A3Nl5v)dFXBHGOxCPdXB7G{tr@yJvuy@n)<yOweAGmvz)6Aw{W
zetX!(Pc15#`!!SK_}?2tv_*@9#gy%+fA?udIHl(~T(`(TS-;+?GeyB+x+%3PVA{0^
zzau>hx)7}=*E{VPn-1F4^fT~&!)*l=wkP^PbntwtsC90uZ7}$(nFr#NSgAbez1Lw~
znOj2r6Fs>IH)}IJwzu0W7L!{5r}a{Y4atqM+WCN^^0Y0_fzVLM<|}`&m_E~0JwAP^
z@|<z{qIW1|0a|lGKVMEmM<ZsB&jC|SHT}F^Z1eFo$~#+JjvoJJ3ayyQEm!f&ysQyU
zCHRP-YInw5UFl%hOLt%CZdGf&^<gP<n)ai6n)pkbO5-cRQcnXQiaofrSIknjRy-qP
zU45xlgl07gh6eTo3q5H$n&T<ROmo|{#n9`d$L^O9?md&b{Sao~<uU0UWrZ`(?|>VU
z4C;a^NZNKc&H5@G+b1d&2b!r~i9-?Ydr9865VS=ZIl>j^tfW)G$2QGJWulKi?ZhZ6
zK+Ukc_;#$Z1y448WQ}$7IQOp#q5=*(|9sCo$@)<YRp!TjA3(Zj^!hO?qRcMCI547J
zOjGr#aiL}k?<$a+lB%(@#BGeOBGBZkw4c&ukw`Lebc+=H+$Z{NO^}b(C%I7V*T%hD
z_&lD)U$HLpWC>5UDIwCUiZ%okkrWHGMz{tMgAfkwEBO$W%c(|=p>JejPzu#l<I(pa
zWfH+@d8|a*AzmGLiGcQLskQG8u`-WK;|%%`1wXGCHYY|k&IYnN3ZL`&<unizg#A_S
zep2KZXMny9!98D0YAl8{-X+6~C<A(AZ#O;d{P1DUcCG!v&6>p)r9cu#o)}_Q=HD-#
z+w=&D;pls{wG05y;~T~f*WD#<{L#2+3JL3)R;7Wo;Ub&hDn+@cHm+`qbcg-3SKu0(
zMn37Gd3VwP<}?oV!$&04+kQ;||JAySPz%fA%$Bx-rD5-lq9Hr4*V@`&J+94OZAVzJ
zyD^t_7NwUo6#8d7Y;NvrKF=5<A>wHf!MO9I5FO+PMILk#De*4T1neK;EHK+ylV`GV
z6oMXY7&U2KQKhc1kY?NVZc&(1)1oiI6M-)HRjQt@h<jUCK19HasXGp)&8#S$v$Av9
z`Jt?)p5vmX3uY}Rhu-M^ZS}j|<6YYpy+9AzkD`Ka2`GDW2PmjyTt9$3$&l);-1$_N
zOx2b`Z2;`dr&8KFxkbtawzAP1omFpR-shHmcr2gAstv!ZWp)-`1^6j7tRB(ax45wc
zi%Rn-wmu|@qo#O8U$bYjYa7a@p!O32ZFJhK;YAw|GWUc+#Sgd4c<qLEz;k|vD0c#c
z8uB7wz;TQLEL%gDq72$k&j8VaxTkEqR}=Y)cWZ<Atwb;#XXMA+JliyMTkUo+-gI7d
zQkG{0!UdUXM`Kp4aYPyj2b{U0BM;CxgO)ofeB6#R=*L@7G}q|pNBmK`@DSzyaJt^z
zMZLl9-ar5MAI^U`S$F^8{QZ?4ymYb!yXg}9)dP!I>4!Hz;diyDh5*3e9Yb%qM*97T
zv9Zs-ACn;89eJ0yEk><z+A%0fVywYR2`D(vX7@qlX#ieiq;4oJM_tSp3U#Ozm~}!)
ztx16}jzyp%kLjHi`%$(+TfYT^xL#MNya^qaFvBT)Jl*x%w$@IYnylxU($u`7G<Z}=
zq&!_#-Gl|kmysDAEFx<CQGktF-X=hb-h*y(a(LO0%|_}K;CIt8scS0t=p&Lcf?^26
zYRYfvVx&yf0{*7=o@Zmuiy%obc+SYv-V^9wtxW@DnZ?(A+=SOh-eu=9r>vHfE<ix(
zmNM;HzQ7{@{aLAZF@0~N=kzHgvq=AH#rudlC^v{g`VZ}}<(Ijx*h8j;#D@+&FWD*S
zd*Ih(xjaukpw5P4Ap61J?Vu|W^|q|e%hHkj&k^0R{2qC2Vj&(7%%<-H9aC;paJ@T7
zI>M8rtESkN3hxhZP+|-4s>Ib>UGozR&0CbNhiy~#8#yqvu&fqoPn~mnS{0DI7~b%P
zZTHhLq65Ly`qNsSpJ7na+9@^vh1f5g%n_eG;xvS^%>>a5+K6?4Ad6M-b!=`8pgeg*
zR5wT<uTV`I17%j&FrP$}$c(~c?b%hb@t_)b4(5`kRZ0Ge)Q4kJhl9)Rcl06fyh|f&
zlih~S+6KGrK5d2NKhh!ezxE2FBT`wkSRaxaxOILN%ocnSot_UeaZ5!!3+jH1rc#vx
z3xzP8t|?0gN$eCRhrCL*aRmHRSaq$z?wIQNg~T~tf9wb&Q%R&l*@TeOwKsS3E5WfC
zli+p#Et0jBgM#pkXDBBtC{oEYbhpN@Nel<FJ%wmnlg~{(jtMOsXzIs!o%#4oYirNF
zFsp?u>`GAA=5MQ(?q6!1GhvC;dsHdh3XY_`r)s_4kh!06@@~luTZB|R5>vvJInN4<
zteupdob@q@*iuF*_%roHqufou<EiSq%{{fIQ;XGGs&V7CO7)3AzigGXDxjtgDE}r;
z8|~7fTx^c-Lp~+6neE+=@k{;7sBZLXO~l#~wE3<re?he0ICnopl0kf{aG`-qA27sF
zX;?#1;y~~`qQaGSm$$o*l~v0}>`gnqmP6ME`o;@p7kcxUkMj?Uo^JL2PG0s&#jxz!
z)Y|w(i(UeL3w6;wD){S(YstfUmbJ>w@Igm9KQIa+>z(81_H6(8lyEekT{?=nkPJvW
zjT_54$PnfVdJ4PTi}i}}!1+qSrlv#AK-Ag`EWutO$qGNNGG1uCuv$}WI`4)73L}IQ
z!rlgw`B-jxUs_9(8Z(ct9nRUC7djm-KP>{UGVQ5U`=VOv_)G3{L{H)f#<R-lS&Wul
zl;+gk&xO7vBGonAJE<uZ!*02X>Gc(I{(6Ymf-VMspZrdvUz;;SyNKVynYj+#=O;z7
zj6KN|6UV6VsRU{ZQg}R=wCDc{b@7}r*p$}!PkzTuK9dZdOo-`pd(UN9EKcq$T{uDY
z$kFvkjCy#y5p5=<ul#R(hXu6o;bkB!-EUf?ObY4J$tXwB7;RolsQzvKQdGIPONG;y
zs;+>~^fVj5Vn0I>oO9vLPx_8x`li*b$w^wHg^&nbxO`L)`}ywXiLbwHNPG)EM+HyC
zS1Rl8QC}fq<Z)?4R2u!C?wvZ|=`wU8cc!!*taztOUmL=RIw^I#ikbpO1e68RESzR4
zyFRynCkfDEW^)D}#W6|F8TZ{Epk3;`+VY^y<<%i26nb3*{Db2ps*~ORVaXDEG9}a0
zuryv#0^MPUAqMeAC-UA?W@gty$X1UkqeYcYB+5?}W8t!JeW*c$&JQFJId=3{mv}mG
zpl_=|)jQs5IXKq!LGX9Ih=q^@7uEE!flOW|9{BNRFVQ)Hu$DkF99IL+g~evAZTi1a
zN3|bPtTA%*_IlH)hP0eW;3vb<%CXiSk=us+`G^nl*+_pAkfOmcaecvNvp{=Dysr-}
zDh|oy`&YxFm%dl7eGk5}i1zj=VE59}(1*@dMI~Q0A?(v#p`EVkQQj>X>woR=)Ewd?
zSp{sH^eUksVEPy?g-P8VuVb3+M>oesPk7#HeY2F6?zhl^4%y0?4iv7Ab?z)y7$8$1
z+j1qxSk?ZlAfU1d7{!n{fe|hvXp_ck`^+(z_9%k0Gj}p^pro)*35lC=`)n=Af5qXE
zx1|REcR=s7Mg45f{u~+MHNA1FFb*G7Y9g11m%Q_AM;V?rb8{;IxwY#)AKZwye3vz1
z-b!jf5hS*idx3HlC5}C*j*Ejk%$XT`G>2{BqJD@EMQV~i<d)kU`}ZN*Z0emJcWCwt
zspPZZTvUsaTRDWZtAZcY=996gdFXPZjj*ZepgGfg`<gkje#LGDdx2QKJKT8#aVMX;
z=UaZ~cODX792$OF^6wqze>g)CDpq>8$9*6&8n>|FjZVq1XiOWj*Q9pujp-ca_iG@a
z*5+nSq*JkEBmBn1dJbLlG$QS>7t_!W!9d!J`M?PVzNybqZ6MHR+)jIl|684rf7SWy
zr#lE6?T)iLD^QR$?CYn>wt`m8@LL9sHOa_p<0EAF(ZqN0#YsslF5wh1V7nuWV^}1!
zxl(e;YRtYbRPXyU(^Q;@J3$l6lE(ms$1gp_9m}^ISJ@h)dx~3+FQN~WRX?rYQ|Jpw
zzS}BVtS(ujD4uY#fe?OcoFey_vbAw*lbsrjwOzP&kQPLJ=`JEqN~$_$Bu^d-f0G?-
zPdTyy7HvA<yX$61r5tJNaB+xk4?ea32>4NTaazJ*d#|>86xaRln{z)7SdP~-Q#Waz
z@_I=j2@Vxl`SQpn3L?y9UWjv^{t)=D!nK@{R0Y$}k_(l%v*iRX>;DEiR4s~GtgX7)
zje%e!afOD`0yD)D<5v^OCR8~wOzE27=kE5~er+v>dL~$#HVdQo^z35c2-AM?5n^(m
zgyG02h$RwxuDU58bzA<Da_D}Z&#LshI*v1MVe7@OH%?E_+fu4t*jqSbFFwmv^X3D(
z%S3wIaAn{76KoB$q-W=9HM)#^?D5+i6HaU|$TQHl%(W(J&Tac6?i$H8;FoDvo)!VM
zp{t_yl3hWkE9tbf63*i02GD6fgDM>6j{|+yFbY;e%}zq`{X=n(5)d*GXrF2+DCQIL
zUQx&{nn$1pvYCuS9HYJ@7u*S(v~y&bK)YPqd^!72U*Y@Sr$f5_LQww7Eqte|tl*WE
zJegI^U(YRzmKV(LQ`==-fj`8Cexn~6>X|j1Mdr>wZ%=&-t?c+Z_g1g_=dW&m)Wy~}
zyPKJj&QERv-G-V|H?Fr2(|vXzqtu(9A#~}=U5GYLIRdS<Y!<x~Cbh1gC!)>(gWg6P
zHHzKDaf5<(e}%b)rWo2XY3Z#-%q`K<6!YMMk-PA@NOoPWevn3k_(*cb3zD+sGBIJM
z4r&_mgj>>|1f=TZ%(IA{uKn|YD;=HH+u`vI>$dQF=Z%6op`<0*@q$pi$OSBM>7W+r
zuRy_V!VQT7ZEKtrqe{*3%RK;_-b|FyG+W|v&4BOZlo$kD#EK!kOt_P&!)Q>r8FMY^
zHt?PBc(}M|bAh~PQfJJ$(_NYfU5qYHM|cQ`A~rfJd8s6yh81Vbd4!b&OtZB$-~7L{
zEBb#yLY+dxW%aGzd?|CN3e>=j<Mf5jThqYuU+7&WFwVE4v6_k=riqgncVtJrGSlxQ
z<`ZXOGjdh;Q)>SU7VGqyi>s1uRE3kAi^}#-YeWy=Q?GJ6XbSn=@!(8-M`H}U$f5fs
z7iu019YZJyVL)7`OA~p6Tj-FS_IKkv9mWzH08QlQxQhfyQ=M*aoa;ZoJy34ejCZG3
z#bnHi#>|`^PAQVpg4?^>H=hlDu6hj0e;i2c=o&9&PlMfZ6ja+)xIE1k83^si4ixiY
zbfxD9e=m?_gp@WCrDZxE6^;WYm~RX9hk%ib1{utoE$dB;IdjdoyvMi1$>Vb4eczG`
z=Cc?YVFwDO-ilEJa*#j_I@*e1GckQiPW2=#y4$*1wnisCo2j|SsgYdwvT)P23C6?T
zhMZ)*IjN&C`A&xZjAhzeo<*s|eM|FtBe8e#Z~gSy3a3BIyQr^Tdv};fy8T$j4^Mh-
zgZ`jGdv%a!M{6)GSrRj2k<24*(F5{vnzOs^9>Sb`;gL?(>Qj$oUCME8sa#Wc0q$eE
z^aBwl=S*@hBczB1@_KH_XAYJrE}0O4IYoheKn{$LvgL6O+3Pzxvt=l1W$|9|+mM?!
z+L80>+pbPH?1p6%Y75jO!^Afp>FsHgPR@h79x9MSA{2KzCXyGW8)m?k($x_a<V*3d
zGEyCw?^f+YE+?p(ex)aMa6MPdsQ;+h)=(&%hG4J}_TsYkrM0hOUhnSQ&Z4hR&jC6R
zTL4ge1O<}bOgtl!T(MB)AYS?`p}4%05qiVyl6YKQjP=$phSXo5Cc13TCYi4SIp)nP
zZ0`syh+R&mC71`yZ#661HEt9&q>U$N#*1V07;GEnIZOq^8%^KDo!BT(&Ghe<=jaQ+
ze(&ojtn#tSxYvDkktHHtrc~BA|AFZUYhSu0Zsg3{u`5QcZckt}QKEZUo><baJu~>S
zoYpC2?>U6*<i?t>?RWE$r>T@<NZG07#?P#ja?9nC%~t7wY9Zka40!go&nAGSdDrgK
z&F(Lo)6uOHU+-t^>&FGl-c0i`Y@WSJAG{n;3PDAcCaBfwPyU@+@?o3jsVN~vbLH?P
zr}Gvn(vD|;IOH_4^tJKl77NtFvKfJk>y%sj?*kH?-WNB(Keek^1z9j)-L@T@x$R9y
zNhy(zNPE{aB0Mj!k0RgNCwO@Tl=h;Dh0IzlPne4z=}1x}T(kD53EPzS!i*L_T#%xq
zn-XJ>-+%W6^()DO=iLOo@vGA|Ayb|?^{en|n#vh)rZ9fBc3Y-#MedQccDHD=Vn4@_
zw#-1{idyHj{p-0eXSW0QANJ_<u%iqxIF`=9j6}>jrR}07I&mqaOtd(~=CX*7K8L0s
zI!x%8QTWt5;c9I1gE|(D8cJZVHFMN|jxUEArEkhJf0c@Q53#806zUY~<N=9+{ZmU+
zEZ6NRYJ~brG1#-`Uw_s8d9KpD<tA!B*lC+=)BOV(tR31)J8%E-y>*Y(Eh$$z9LOXS
zK3|_wgxBkZl@P5=WMGpnd*0RlE6u>Wb;}hfV4zUPLsK`>EO&Wm7@GVnhj}t26+k7F
zhvo~y7p|}#fk3h}$tm(R+;=uZrIz>=^SgH9`n5S~80~05#qV;sJjo5qpRmjR+-hbh
zk(c}YN%%4llWF2|#jD^`yyycC$$jU;pcyXa11z{;bLX~nA^A*z!<AW{^Gz8)g3g2!
z>D$(i>bnpbYYU6}-T!-jE{a_&v{l<Lx3Hnx2COukBjl(DdBk97HML6vzs+aFfYVLf
zaD}p;OT&E5Uq9WdtnGT<$iZK0sqrBf?yx^(jZe{|<FKU)W}yix5-wnP(Unx3m_Fil
zLI5|SD@iC5EeY==;<ztUgSHO+hhrc%uBvH0HulwZyUThpDojS@xAwr0vKv_9?bK};
zgj0pWJ}|bX8z4;&itiO<vON<x?pCb!HJ6hzYWX<J-EJ*P#BJ0W)k#CDMyW?7D&a}n
z?vC>aFXH2&_Xd9qnqks=R+f0Cpx7$ZHUh0C&GzxQlV%EU5iFE@$%~u7@j<Uu)b2g7
zZnG5hv4AbbzE_#i{#j+{^hmVxK%|=ohk;0uie5hW2D|Kt^Tx0%9y}f@OqMC|<_&qk
zQVsT=U-*_{8S%-)Yl;!*$FwzWVH+}8$cQA%2t6u&wQKi7VB1Ejd|qwEhr!Jzer)>5
z;6z}*?lZ(;MjDdI6c)B!*@%%(yGuiBh2MvC(G359Vj%&Y^1~SKGM3Wz9XA6qovOtS
z>?UmatXLK<rac0t@VBj-;`Dl#_MzZtBlyD!ha4j;j3{M;NBj+ogp?Eaw9kBM8q``g
zd36&AtN1vGPAP_IyC5Ob#DWXoTr-;M8JP>s^p6(o$>`V3e4(rzHg>R0@2Ro^|Krpk
zy54u*seP~$v-4J`m``5C+843}V<p^I$&O0rj*ODc!M3g>)u09;2dkFr)A8t+BXUi%
za~`sYHYahj%T$y({T-l9jB+K)wzp5mOrV1_{>R*6fmZAH(zzeE$~beon35Ws0@zD8
zsfPjwffxFs&T#j=S-w(jd9(q$v<Gx3qlXs5Z)o~!8@?%v3P~h38AVJXLrc?~AiS#H
zyaAgs%rSv*KHh=^AsUh_@SaVD`9~jw*VR}EYoxV+wuK*SQu|@cAK1Vz?pM{yA-&YR
zy~t;0ox(!SHaf^!P?J-$5!@sH<)%WSyMOF{>{*oh=I=eR5Y|tsNT{;RlP%TVr*een
zqmem!3S#7VRqEjEu4QxBuZhL(vn0TQrn^^#5C!N@lG9VU_Z}623|kdNkOsIu{vfAy
zA@$(sigpNz?6!G7rtnVvld$BddMCw&EW?gw|0?SQVpPMH#06L;-PfSz>dh9FxEI(<
z3j+qv6VG;Jm<9K)Zx2KzFa3w}8e@HOOVI6r{Sa9@etDs5-y4pjo}p7`K2`W8Cw$DD
zNh&4g$gMnF*Ca}3bF<Gq$qITBN}&;?WjnM~U<BHBX|Qj32q8`&FCL9;uo&T^!8Qw}
z*0Nz0kJ)Ib0)OG02XZswX=EoqDX><yve0&LShtnc57tC$__=F8(^6=$VBTI88@Aif
zh@LV?DVTHhvmbH5Tb8<<Jj*vbE{+N!T?E^<tR7kTaiG|z&VZS52iZn`**k6aj=6Ty
z6g^!NTgJ^r7ixvpchoDEWUuE1Mr|EOt=wpnH!JHNC~y~%wR-C#btk_)y@(cTAtt+4
zg*LOCs9N0QMswEO&#XLzi!J>@JQF4!8!!Ny7=1^1u9fQ;R6uFYeN%HS+Ld~zi=J9I
z^=}*(t)aV-FV0)Nrr(|>7qk>^ZAfk8CXAUP+R(Um)%#YO=@HwI2~%Qzf-P;n9PME`
zM(tUkR{BtgfI`Sy$FQZ$+0B9vt@>daNYI;c<&mdd+-7TS-pJSn9!1?_v(=CyH)-9o
zh`aftLLQ<YF&ZhL!Y4r#PbwH&?P+}OT2R&7VW%v?+s>(E20gXd4f{}CztF#E9<oXE
z)-IrY=%%Rs%4>o&e)q5|RU_=!@=8j>OHt1$p-8=xcd+eC>wAxbq3R25rzKF&P=dP{
z9AWb+v-?8ikbgM~T#jZl+fb%aHXcdzeY;nTcNOZ9i4~5A@u&MV#`-MwM8x)Pp$S(;
z5RdCK$VX=LyGtyOJOs+K6ot<_3E<vyZUA&^U-v=HF{D);ouVmRfEldR3(rn?jLT};
zrNHX1&Zev18y7AS=Z*NP{}!y#x#9G1?*HyR8(TI%e!SFvuiAxEn2vb>-Mm$WZ&Hy=
zYUZ}&l1l-MM$Z{1871!CRshdpIIpUOZ(tuCLnq~-Q1*PQ8ldd$&h`r{@Mw3}dD8U-
z5Ps!d5u{rH(f>0f19Qy?<?lXG)rcd04}boYW3lp&UFUcw^!`5_%b@{}5Ql{REvyb{
z&hazsc4BBkGPKCfVdY0&iEyOC4HJ;|2?=b*@TX-Ku_Buo-voBza~yx}rC?kkPvNCl
zG-1Y@Y-2C)_Fp^f{ex}lf+dP;YOJhQ#XT9odnFWg-8AESdA7;oSCP7piOh*gJ#0{-
zBBJnDZFb|9ruy0R(+A&yY%`2oo%z}PevY7Iw-)|}wGb`hv7U{59t;-|;oao4z_+fs
zT(M4n!xs&sY9c+W^vUA=nfby}Y1(FIKiKA!t`vix^S0e+-TjUJ4S!wI?C9wnF|_q$
zIHNrhi4?v<oA`KaMf`!rP(k&zoN}x{qI+pvG=%HnZs@!tT(gvBAIEuQ%vv~gY-b=A
z`XA1Yqf=%W;46=`;TeM2iu{vPqlR=fCoiaoD5~4~L!=~u$TL>J!+Qv&mN3In!zEc<
zg4*I=gd|C6b0ku!tF?Pa9MOJ!T^>mmoMVUY5VOveNX|qT02aaG6ie~9^Fg*8<V#Wu
z_n{gYJWrI1GGC?>t@RomKFaYt<9;jIZ4QjaiyWiahrcRl!fHuG>@%bhwPJoCQE9?K
z8<2YBVyQ%{Z$djTZo%K>wFm8fzKX4&PX_0)k}RuK-y0Zp!!g9D!Ta44)M>Un!H>@K
zO(^A`%&jwenmwt=qE-hEBc~%&LGz;J9A0Z@`a*W!%idc3c9ryOQc#>raXUL%AOLtN
zJ3eF0m-aO0CP5VBR21Q6HZoEMKWON5UULYdl9GDp%-}o&;UaP_4}MYp+QTE2^d{Yu
zC5!SpED@Z(XitKD`tGy-q4mR9muWo=aT!W;by0aKP`1^Q549sx$ZWGIl69IOpcVL|
zr8_@xu6CU6K2(qu@Lg|R40(TL-V@dg|7ADS$1=eG@@=;aXSV*4f~}Z5R*FduFEWQX
z)z8;Ij`8vCSq_2uVIkAzknR~4Rh-0f{uEMHoMITH;0nn8?$R-6zG0K%K5vO|nOZSb
zto8S`YINz(pHCKy)mp*EIJB_wn3M8~9Nn}p%_ke!0u*;*^>rSwkIeS7X|{ld|L?u}
z|LyQY7CLB9SI(Mm9@nuNpGYHGty)ixGRkH5T-|qJoG-25t#Jzy(#4c~dy+oWT)l_9
zh^TVSP_E;GbsnQ3$hLT=S67LxmL$0}OM)(zN;!_&U3IMsPKk_jE^!SgD$z7~yMIZ>
z+x!sr))0f%(plzFQx!j%P*N64+RN-|7b$@9O%7g#z8vu3rcUCSdtPRp)|xY1OAIZ^
zH;*SuA7<P8^l~}>g+7;BU2$))K+4y%lYHy|FgvSA;sM7qUp<f5eaXB%M^o?w#a@k8
z%{-!|7HEaNi~#gon{lWatj;Gym?cuMoatX;9C_JB`*H{7XCDl>`x&KPEhd~Crjlzx
z3}RwoMigzgA{jdhqd1+#;<T+%P12m<POUER7cye@ON5xs&)eqxq0mI7Rt5=NP)H;s
zqd<SVfXmPBcJqkdT0j9u;4K^01ZMZ>5tkohXDHr=<h}O15$$@u!ol0s+o>hjx>T=c
zY5ztWy|-G)hJGE<_t(_WrOvKul<JP^e;pxa2-U_R2U3qpTf07%1ZrHVXF}7ITw|kS
zd4AnapL-st{%ik7_G@=A;G1(J=kuQrAa2|{&b#Li>e7<R>BuX;g$D-z%WJpY$S0Rh
zyZO({hM0FV3yq6H<wTVSy^LdKcEAfy4gdOVR&FA`#EA;d_%_}vzhw#<bEvuhoh2Id
zx&3!tw{V|Q0g=0zr?7T@Hi83`W|Lz(!z5zcJ?X=PA5WY!VPZKwE8Pimw5P;?Q>_Zg
zscy;Vs&jjV1dPWec>CswC<V(yMpZMC(`JU$KmhtZ%ofq+fYIx+TnIhSFSAIp3l~FM
z^cQ~ic6b3i6$%n|;{kAUYuQ7J`$ovTW<C=m{#`j~dy(2DUoueSI3>R0d2fH~V$U5)
zAlYUg)B)MhraB)4XvI$SAA9MiB=w1i#tOIz0GQ%T_p+rk9<m84@4G<QAK$kwO6B&W
zGV>Yja0)(DVojPJbh8EV6{(OHBK5`**o3On>uCWTZ-ZJx0vAHu^q~Cr14r!pLrt>E
zBCS9_(@dD_mbREKfW~1096+z(ZgZ!-O26UXD90^`7&H?;cQw17kXf2KOVanB?(_e|
z)4+#m>I_Kcv~u9Un;eb;*koB4`4Ob<CnEzs3v+Rm=C{E>MtYsTanJ|c+ssnbFgheh
ztl)%6j>DvoZ)a>@mVu-LXI8q4*X3vPsI8puyRH1TYSuI1sXoE}d0pE6m}B*QBT+X}
zJJ#r~ct9>4k%Ysj1x|6Be?Q*3Byp22!2!=QtnaHYp;A-=b1nNx>_aD@v(@iE1)0h;
zgQfG%Km`for-ok~E{P;U=b6&Wxgx26Ov@!$90sWcPg4W#eyjsJe{7OrxaTsDPl;Pv
zLtic)-*qpShJUgAJ=A`PkVAE}Trx}4U$Lang5jCzlj2wU<<KjHHs-bJs?)_EnSZ0}
z(0zf{zz)n^q>9p7;oPYDfOXqBgfam=@W#b1g78f5E890-o#cb|i7_PrZ!Ix?-<dh)
zR^sv62IFRuY@vB50H){EFjpv%^fX^;o><>PRFS&9%dN)PPcq#uojmHHzp;PRYKtU*
z(WRbTv8b79_MoAx0*6QQJC)%T^CjIs!L3W>%E1nM)0+aK9G%r3hA@$TdGk6~y1=5Y
zOF82U<Jj&s3)?RJ{RTvBXf>x5Q$}a#{BZu#MAzy9!?g0Oqf|5G&euoO%*_U3Vffen
zx6v&{g;x)XNx0!uOl8sq;E;9+`?f%E&1EDKXTXHvRu;yQr~cH+nN^nMp@c2G=<8o<
zIiGnueRk$0(sm_>7J;$wx^La_0or_aHoVP;blfCM_ZvJYUP4FGz2d?gl`P%hol$qo
zoOcg0B>&|--;Kz{EBo*}q?Idw?6`|P;d9fg=DVnrGBWO)^RHT14vz`snMH;jp{;GS
z{BXDqw7$aGu`+R9q+xOzPy5*Ql@Yw_%<>jQ?~OrOOuc8*@FEhz22bT)OL5dhzmf1j
z`_J~bY2~Rfp|Ue9TI4QUntkl7w)q{s6_UQa)bNqKY#M&J&yMs@_`1>Ok7&_i<g7P|
zNdC^`pXQ%IZ&L%XZ28x*b|LQ86b?<Hz1@Bgkp#K9gpbsXfprX;<f0$w><=A*=Ju5W
zOJ7VZ)m3RW9gEC;s{GCyUnoq%E^cNMxExc1q4*-acoiYGGbE2`ND~dGshYXxtHNgo
zE|OVq4Tmfta=&B~K9*PPdGyV5W3fHkLvPo^nfW~x^U}x4H}r2d%<xo@;Qc^Z^OBCK
z6iGSx%-<F+=Zgv5Vhp+#pga%0n)$21oqPL0Z0iQ8yKjMeyMZyfJ@tAfCwHS*CZ&5J
zH?(R&TAN*mtN&~&#26)R25x~bjWTEj(-sH{!1Cw`*78M2LIYytsL_3K2Wkfrb8fyP
z@Ax0<O7;H+rzG`S&s6q+E}mAaig~GR&MBNLl;I(CzdMVU36$`2&ZM5&8C70w$(@(B
zgoi=QpTfK@B3TBJ`qe1cZqmI_OZhs3YhhS4;|i&GUwOGKS*7*@#+~CGrGP6ocJc5(
zoLrzxwNkqvhTZzL$f}A4#5*ZQV`VyYG0-5DZ$Q5W@u-FDT&^0{v#I0W0F@S?wgbng
z9E#aL$&`QjG%&1531W3VHy_%Km0-s%{(DT|@k_GsBw0`IjMMYrVP(V-myby_``Ozl
zt%*MmMSY8k?%NhS-mD3Udj>j@h(hU&g2kW&yWFK>if(JNE4eamKhkM8yHE6f(dizz
zgd6HxdSNBsZ_{6VBUM~X(<3FA(l4DX|IpuG|JZI)s5Pq*6jy4V6RT`vJZbJ<;ezKN
zpZrzae)I$VKrucS@k{dN1Ub4ttpH3yR)B75!29zA3(7o-0&3+66L%G#!^#-?r769(
z5Qh5Eh-Q30Nb8Dsfi`=qDE$7+SbOt5@xmXVR6;NhKPSS&dy{@Fky+=65BNs#mtg(-
z+FskY+o!GVRYta{XY{Dnpk~Fk@gPq;?*Z+CdH$D<sRWcICRZArf1GrcXRHHt=M*fv
zvlZxX>>qyOEv&k{rqB%4h^d>4zY)uwwr7R6(y-F&D~Ddewr(=uHQ+Xln<KZe+UTte
z5Rd0y`V(PKIVx*-9P}+asuBZ+w?8J{ylv&ra7t_11hhcq1kdo>&WENc(XT#yD4zrI
z&V*keOdP6p>2*~fRmFdrntYW%A%Z2*SmdPbH`NNzgAlF3B3`|eDknPtIa0{6`n8)A
zN$Z+2I+0rt8lf{lYP*k{*|hXs#353H!?QB6W2gBd46^5>9F&qm-C!9s)ubN8VCBcN
zL9EyZoAWl-lPhAtR%OGaQU97r3Gc(qvtxonkN0haJ%v~L9wU{UCR3NDlmCx(a_RfS
zhp(B~2V{|#k*go(GXGg5yBBSt8$ivm%N8twp2f(p5CN@eR7wX+p`+Ifaz*%QPC9fI
zbl7P4-##!os<C%no{VCoF!Kjk)UypxdP<7quaIDU0b|_qkyHOjpE-qG5!uCMTEHWN
zC3NS0mOi~;T0No*Dq~dIdx#N+UPN`aep@ShY|R>k?kPQhJev(`ByRmPf1}0gME$1z
z-q{0Kb>9H~%+K4h5UWY09k%ng1mjww*JRf0t9eP#K)W^{GBvj7>#r-WYpH3ZDm=%f
z_Ek_-QzjPVTR*{&BIg#6WJ5P7g5hJ5Lt02fais_>ygD>AEBgv+OmgF^4)@l!Yvw^U
zD#Mr3rSjzb=muM%=AYF^9)rGJCoZ|>c$SDAtF_S{-c&uEG)6koPh-gn-y{?awL#C-
zgN6QS+9<6-fB3HUSfVY)2kdf=-AwE;=;IbEiY|&O8+=6d5RY?!kvq<Cv{}f)(SDP|
zH#v`SuG^mh(q!j#b@{UTbG*{A>T8?1%_3@uJjpu#z}2|7lHUszz)R%ENuo7#x}ZFv
z`{}{Maq;_USjqqNj<1A`J4TFT&cYVjpCK0XUeTum)XV&cQ}_GYdw<~TyH|O*9(v{a
zh<iWdfkokaTqD<gPzZ(~!2$pUm2eRoxmG5UWlCu_UMjmC55U~@A?xt<sgb*eZ;Kux
zx^}8^Yb-BtMHz2yQ<B*@A~=k+@?GZzqH?E@{w;LU*{hD{)jMv4ypV0MK#=DS{`8-2
zLS<mzZrsWZM_(G_kFDj<D`2DDg*E$z4b;N>OvK0Hd7}+VJdC+m#5CvDo?a2Ob@PnJ
zhLJfvwKGpOOFe+$4$}3F-|q$G`pgUer1Z(qLx%IKJ62qRndh!Ij0Qmz@Kp^tQE32=
z|6B6$Oi{N|{o&>YpAaKj@FqFHuFD-2&?y(vAu_ZYXN$bAD~fstekX=Iz;;%MuMQ$j
z;s)nqEFCf_;-3w5Xg?+wl}cuI@b=fZ<b#zGrT`?l;L6qjY+Q`FX7WYDzyPVHn(>7T
ziZ|aFt#BES)P1oLKB5FzU~b(H@FnIeoh7zbOYguP{2n+mWo;(?yaD@7mlTzUxGD{Y
zsZMo5Ha}r+QOJ|2joSF(`BzPwm6F0*w?>4!AcBNnNyG=whIweY#?<*msMBbbt&{q0
zPiB43-&wubm4Bh;w0<im;<J(aYL?Z|W$sdVa=@l_4FfUs#OaMea7~u-d`}v#a(%nY
zxm*10>!yG2x;<(3`BL4(EWi_+ZQ<^XGLipqkW`TVV~%}o_@F7r^1z1r(9rCEI93hm
zIMzO|G(V9G@y)CBe-0ckHH@H5?&)%Tn*)ec4Q<fSh=1w<=wa%y@q=TC1=Q{zSM}Q$
z`y{3^ce<7UY2$x-um!lWt$|ag@ls63^2+3GDUw7p4AKQe#%Rt6Y09N@)4HdtCUDmd
zAK5zNi;5MUkkoNYNt!C{8&N?ytP08}#>rWl9r4o=b_m>YI{8IjQnn2%9F}JU|Np>I
z{y)uTC&L#Ij;Yo+6#a+n`p1D3sUEw1*5`}%vAp~moc`ZE7A=;EKrGxVGlSLaRNM${
zIjzj6->3+(*{Qxy!@4<sdG`6CR*ugtJFStgd*_x_C0yWcYTM=xcYlLGHSUJ~cXL4Q
z+=fD~q0zt&Nf`iVa}sW)yI%fseC<l(m%xO|IYp(dDps2pz1gSBO6{Wb-=2$o&J_N(
zu*tiz&o*Q~s<YxcXJaZO--%vQ%q}Sox+0Lta7prTz6v=$!^Qpx&Of_ji;>Ffp)jw%
z`rYrQ{i$DBfiUZx(eD+<y>8%kFv`C{=40+8m17U8H_??6W(Z%X)GKHsCZBul5I8o7
zdi}x~+0z}WsKIQMe8}K48dUEq(eC|9oY0amTH92r!xGhfm%PJanhlFhiT2+0p`<;^
zGtqH)-SC?4@%iVycNO>3oczB7zW;}l68X4T`Rji;Zoi)YIsEwQ(bS*mj{k5Tov8dk
z{F}V`_2`?`?eE4Kx%vS+Os>^c2n#=Ijn%W@)fIf2{dNCpU3P5OX$}eg%OI8~8Sd{J
zQ*n4X>cPNQPhQ5AA38wntZSR`wKkjIaJIBdj_w0~F)R+z?Di_&zl{3cg_X?vfO7YG
zUEZKa$I(+IN0q^5It_p}2ce<43dEuMY&alPT3Qx!f=UqX5!K3U+LIq(ww(H0=Gytc
zCDWC*KmINKnt{8CdDVJlx_iZ%)_HmzQF+C|aik^Lie|@AhbnP{ChCK#Gvf!k%47(F
zqd7}M;bPiiJ++Xf@g8Q&ORm}ML}P+oX`hroPsJv`&1(%{%WPkT`)556Y8%~->xn)-
zAWIhvpZIB4S7jiR-mUOjG(-AR8qaKWiE<Wk&^7c4Z|GFUw9j}a<BFd)S~fx1b-llO
zQ#_>j&^2h7y(6jh9eL3Jee1rp?AgmTtZ97R2H9_ECa<xAd}_C<qMzSeZPpex`|$k&
zj3s_|aV8*rj9P=zNzRNI`eEwX13u_&(r?Gmd@){nVgrXdm_~AtI-hetTYadCRfo?h
z252WTzncSTaP5Ga$<EX=q8c?{F7oP|mn6^Hgo7e^Nj}Ytjb`nNt3<v-;C@YOpT8l2
zaT<v>ETHti@>a`wu3@JR0qFMjL_=#AyXu=I!%=+#<^ga=+tbqZc9H(QOP_#{&gRe8
zAx(0d!-l;-G$z1bwv6Dy8ex`-e+1L{8LUkI=lk-u1DoK2rVz)Le|X6p-4?OY7A+F9
zj8B9=<b3NN^DA&Ao}9xAXHlR^JeiW|OGnW(Omnughi#fTpO+RQMtaXD98Z!vCun=y
z?hQOIUuaNqbWNC9YITY;6t8A5DE`RmF-oR7&9Ze9U_PXaauw~ehWt>vPpxm0x+nA<
z87%P4MY2e3BAgterWNWRKLNT{G9T`4KFlLy%U|B6=N!iuyH?7y$(4!Yo9ErYt?tcD
z=@+Z|h{H8&bZLxnxf2QKV%~bv2o(d6HefIApg5Fn9g~C!{Wt33O7R?lk*=KEl9B8M
zQ846yY*`*~a{Rs@TT%IM)Ar+K8&v7~tr^Q(JtX9YR8$#ntEGVLE|3H26KfIdZ97C#
zo=8#w0*#SZeTycUkMC^x+jiu!x1I;x%5i}}qSg>edJbOgIu<XQt+oWW>_b&-S1C$l
zP>@J4w17&|BgVz@tf@;q{5`e9JzAfv%(|`PW@b55JceEN>eIN{r^lDvP>M7-N{Za{
zxtG7A4QZ3n-7hasJ6Xw_DWV@4uk8LnPDk+xPmII;JrJHnSxTAUJF8P`jKcZeSk2tr
z(s;lC<}%}?T7hBIh^fqNo0nBbAJVQl8av_NlOamGH2%-Ikb-&7ak4+w3DKRX7!<(3
zOl?JfGNt_YEw2Lu12KT5-lhW6#WN^}hm19y4m@XRXHuZrvxpIP2t=HYiRmpC!Dn)5
z_K;>Xs-n@LhL6px%(n!OT%mvaYPvtZ$J)!WM}@gLavNKk%AS+85EG}4D)Fhsyug{V
znL08=tbBwLgB_-TtXvGdIvp@~ZT-F9GDH|m(dNTj{8)J6k+Z!uH1$_z$_FJ1z^v2J
zWtdg6_x)SmZI-!Ksq9qlwM~oI1y*AASD-O`5k(pP(k|z|%^fQ-uObW}l<=rExS(mZ
za47fN;kDwV(94K<@-NFA|AxZ;EgUYx+_Oaa#>u~?T>P~#->_w5w@n*dWl)F>qkrcG
z{hL7y!rur_6-h?%kG*G+teJlH_3o?_kL~LPx%>E2P!<e8Sej?I(m$xx@FiXnU<*^l
z#pBVCrm3Z|Am3^_c3Y?FmouHkf<)Ce&R*S$E^Jfe6*9_^Fig`*jB@ef+H0#(aSI)2
zEjk;o1-w$zfXi-JxwePJxYE{H9V}1@kuD_Sk$Sy63X%bpY$bFt9msrps<S<dGb&@8
zKNm{=Xo29@v!(i)yX$H1Gosl(h@6Ney_H$h-Rpd4&SYUQBpc9UD()A`e?nX@xkLUn
zut7>IG>@6TBh@$HR;Hit_1g8hy$g&!D#OhF*F*3-dasoO(c`J2KBfN^=EZ9HwjCZ@
zGI8M_1Ptz+v5?g^1s}&t(ii`IE!=J0YGBo4{<Zb!E5&~}!rulDLnGZW#^UTt1f;*u
z7d?l1JFy=@BCCmnq2%S%vDJ@a342r6%nmb~M4By%e6*+LO-FF3uqlb}U7HKtk5(Qz
z_#_)y;ZH8%ha@#=BjhC^Y>E7E08oLIf6m32`@DqoE6!uC7Y%QKUJa_Y0R1J`)1t|5
zS)Mk{tT9&&Z&mVB^@m<-i7Z(cd>B?lLpLbmTq|pTj-LIXqpaAcS6R}-4tF(!T;exB
zYKe;!<l`!wdO`t9H}4}VjyI0(EgarXgVB2EEZ}AlX>7=s9XWoFx8UfXrC0Vb?Z<44
zYsMMb$2RbhUjO`?BaI(q6}d%f5IW>MyN2vWq^#XWEdk}lJ+1rYP+fz2uNI#IfLJWg
z7dcWa>XtVc5hF+T<zkR~{_Mvnk=dWBpPyUtn`}Q>;0M06=#Cz8leMAfKt17D=U4na
zx8KelFrWf9z6xO1G?lhA)KO?4CCS!{;UW~e%iNIewe6OU-mW_lz1ZAB+g-Mpv_1t+
zm3LdXm1T<xPBsw{KlDm8*$i!tW|0Ups%A@$uT0^j%Lm3P2M}nh7cq&^^q$`ZQ+WFY
zzNC+;o*zzV5voTj+Zr8)BXgYo%p6ww9u0u)BV@CW8;vAZDJeA;s_HLPtPn<@4RLRt
zyGS{`7}+i1>LCGlpA(DGa)<}Z&wP?s&lb1gf*i}(hv@#zWn~mh9!FJ?20~h>F-dE8
zYwb4AH0!4`In#fe(xVd0*7bQ<`??FmXqmUKui3X)E_xI&A{1|Jw}BLJS!i23wTZL_
za3M0Bi|vu7q|;NpX&>xm${D(qqJP3!m8+Ex0tyccn3q>;(kH(xF4&Q9<y*V=pDJ}W
z7W!WFyz4599Pzn*py{3-mw?!E)}XJfJUcF)kWDu^o{W8DD8wPn_))kFmMOQyjjr#a
zX0;o9I(Ti0<cD$Rfzw`T{;(V10ifXIy7!VnS5Fy&qR$!ZZ-d5+2EsPAO+PXAm+cC{
zbPz<<FW{S$0mc}6X-4B*8?iF}*=9DNiOF{j(8pP5TNTIwerpRYRmi^$EO_;i<%dQZ
z(kJ6ZnGllqy{}wMOaJ+#p`40a@kI(ont*&j;35r@>)zGb+0JE14{+U@rJb}-)o|f@
z8CuNI1*%eNe^l4Lb?6L~iufnHO_9MrvgvwP%V=Gu7Mo#@jil%Wb<6HIRJJU$hpHY1
z(A-||M0>?Lk5*Mn62T*$WpCc?Q_kL}CZjn8?lQMW!&^m?q*`6}IYVE{D^s1Frn4EI
zpRLB`I93j;@)@dUeoqo=#{|bo@q}3WrS)Er7{u0P&Pp?yc7g2pwa80a8e;7y)qD6K
z*xqF;8YDtkHk66p;LyO0W?o&hwVpwEyS=@O6_uUS3xO0y!Mt}G?1gOeKbCZ1obNJb
zWj$mX&wm^FcHvsjNarIyUIKLCz%Q2hor|+!V^y`K329G{Xw1`}VNjCEEc^+3KGp6p
z>uWtGYoFVr(Ee@PFA4RpXX+lMFl*4Q=CB#k%dl0EXG(D=zT)M2DLM9{wuqyDnLO~k
zcSR{gE@8d<%BfUW|9o(uqtJ`EHzBR@#52ct>p(zpb|o(V72>9svc6E(`;hP<?I>Y-
zyS|p^_Xn-!^Nz9Ca;QFW*7@f=!a2s*<}h>7;5&%$+TgZzd8laK8XHmkr$&A3`D)ze
z4ZPMLkcOet2imodFbF7={X~RyNh;H6IGF1(XX@#gH+~3G>a%>iM&1XvMVLwDr0g}H
z|DxgT8_BMJ`u2M<eMvyd0@D;cvjYS86Y`bQZ|9;wb(S)1pr@r}QcIUFwt<;)*Q5oF
zhCgX<eF|TD!k_E}PobmH1Q6xYk9vwrOwXFX<&lSms37*{l0qGjvHh|Ktju<gB0o)9
zpVwWPEWcQ%Ld*5>4T+ywwAM@J+PKKOS2z3SjG5!A;8*8fVOoMuD&KG7T*{O<Kp<Kj
zy;lXc@axI%#y#4jByONaj=2Mcp_0P1u-P&K&r#A*72ma_Obw#PK`r974HwnRGy@eY
zqs&A~zb5*jf6EXFG2y*>bX+i2H~TBo1~R7lCDBQ<XbA&OEZgd7e86qSL7y!ewC#-;
z&m2>u2&1uZ)E|~zYy-K^Mn6rZm?}914gEt+grpm}wya9F58&mGUk}Y|>dIPme1Jpv
z7&-bp8wFsv^ZXkTuE~{J6prlOPmAS>Y<BKR;T4X<IWS1K1Wi7N*j(-^!cU7(2Bhw-
zP<AS7#iFc5_x-zRPF`R`;23Vexz^V)liOx-Yl_{%$xYUpREoJOp3*YhO54GpZM)b4
z-(Rt;cN+~xkD|s-!UQcdv^&!?COz!#@CShcBIsg*pQph!Yo&<3HsbfK!mWWD35lx#
zAp&_EKk-Hbo*r=s2R)O_IU3K82Pb2U9V(u1NNPD>X%Q>9q(BI^PEz2$c4Kch<`x$t
z%Cr!O(z7l(@kt#TfHG@pK3VHaDC==|{I>*Il@2JrU7vz&mejIwP~f$0Y$kJ7zJncP
zFkO=r8A~6kK3)UP{E#55&_(I4Pkv(K4x!dRZ!rLoy=z4-t3p?AaoDq)3MFOpNh)gL
z4t-Qy;kt1%<$Z}twoUR0bA>$Xcil}J9mW;fzrWFY7l@3rM<CP2cI3Xs;)df+6IbJL
zeVxV`%b+uTOc1U`7w(#=aQg<5wZ1$N^VjhY<M(&rhez*>pS}6|#P$25*UvBC2>ypt
z9=RO-bGP{RKb*Zk)5CYpn4x#iekbsBXxK%h)-0zwtc|-P%byRqgth<M`Ls<D|Dc=X
zc$hHGD7d&*ZZNwMo7iv1N{mg@F}-3rv|B^6>#~Rs8T|Zf6_ELu#CZng^QrLf=<@db
z=ZebN^vbI)UW1!sDc!2uAzXO;i-Sa^4Ol{4q=&KXOe4N1v9z#0i60NNC-*2TeL_{v
znU==A#6d$)D^PWWoPfY#@S4jUPq-5_pG!qGl&R^^$$#C6$IK-i&7^cVyKNNP+_Y5L
zy_34lN-+*xX+V--eim3*!0%-3a<Aw35<Hm>E2}jQN$ebkj-w6xsRj@8h^59wUIuLA
zJ3!fgwIVZe4XBVl1`pNs&s5&~^*hI@x%z*+YnikO3hB1<>`5=gAaWI3=2h-hn-@~t
zPjS+%I1h6#?NwX}*9K3Ty)1d>u3}z_><BAU9?|XTXZ4;W8h6f<NPHe1xUVT?J1l=0
zFcxr}`r<H;WyXXfL;|S{7SW_+<sGIPj_fY9NB_gRqNX~k4hcgt4?Vl(dlj{aqsKb>
zzd!1#DG^Pqtq5+$N)WWQVD(%29ubJS75lI1m-C@0pVCm+Gqt;Af$il@`-I8Fy5}<T
zHzA9~@I<LGmZy3y!YMQm2K@qCHyDjOL4yfTEa_u${hKpWTN_9XJ`nI&Se&(XdcbL;
z(Su{41$Zadx*ih8#fOg~<WROcsMf=VZYzFK7Q-92IrWlmQOF@7Kg7c;t9GxX$O#8@
zs2JsuTHkN=L&*qH^Ey`T$izt#^xD4HyTO*h?w(;AN5MI4sPDHGyJ=HP#zBYPyT&ni
zNAaB$F}G=~%AiNdhR$NAhg2OklTSel8Y<x~T;we}-ry*b@IE*1<4w6X9FQv^9o|h<
zK_?`_Ef)Wi-)zMhjBmY$%omqvj@_n#36KY!THAyBf4m4*Rht@mW8~A*gECOYEyQQQ
zZ6$8_mI(J7rh3Go$TzJlI-qU?1)!Dou4cV{0cjuEuvBYQ8YX71A+0~G+r}K-?SPKy
z&8K3l91XT>oLx93^EHP(R10teHb_!+MgA9aZ}}DF8~*JA(%s!1Lx+;m-3&u_&(KJN
zBHhvr(lr4?w{(Nlz>tE3k_rk6sNc=++3VSVz_ZudYrnf+-fzz9yyE;E2OXf-cr~My
zsR?54-zM>eI$mucYf~mer*U`B3u64d?Wryt>Mi>|a?zXQ=l46AH)HPy2=@OvI9&46
zUVNq%zc<Q9ua^zcu389}vYVS`8EbN|0b2wF!v}Z1KE1;WpnwIb5edR~L#w&w#LWkB
zrFNqpy3llYl4V++qqQ4<YV3sXo?iqhH8;9-4P2ZyPN255QGJ~BoDeak+b2Efz{4tP
z9hm!A=N9j-G_#U_@?e>r&i(kt+cqc#@Lg}R?JPPx!11!KqK&J@J6O5NkXtH|Vca0V
zB^E}ck*-fPtekFr(Oc5;iujp4{vS<lkhm^=xC$uuw4PGt+#u%mj>+4Z-C&KkjstEk
zasohnv@YeHgr>j^Q>eVDgceG5+Ln-~pH?<C0_uY#*-OR2x??*C2@x`Fbt0V`T#1ku
zCWPL6{62nM&v9!@-Ph8d+1Om==gH|F8U)IfYUm=Cl~%TqXOqd^Gj;7Y+d{65Z_}iR
zuo?_BN~k7_Qormq8{48Swm)QTtz^jaxt%86C2jken>NJ@!uP1yNpMFx%+D?(+F>Gl
zyD5g0jJqvU?ZAD<QbNHWI@-<71eS^!|L4c*G_OVr-?yT6?shjS(AEuMN42X(vZXhs
zfh@5@ZyE=(-3kx4TgX2^WCF1*YAzS(vt0|APtt%c%jz2!hdGFgI37YP%PHZadPed}
z?^q@d>j!-GVF%L0QVSXD4o&mRd57#bw&ip!jN~U`5IZ*_d>ecBAw$bu=gagW33E0r
zB3BC|fEr?;2JJo4TG-AA7EH!E>(>|zF5&J%t_lVlZPT)t$ogRjZh0*zw==fVHiHFH
z8K$wbGh87om8%m@*k5!m!Utlxg2975vB(GmgOaqh!T#mYzlPN-6?=_^VuU|Tt`09g
zR%e^3$Gbhl(%~@kjKtXIOx13Gu$~A*)n*t6QZ`<bH>Kj5=V<2N)&Tm9w=OiNgeV9v
zKlR&B3XMou(JEjCl-D`M?AAMDb0kr-Y{}$p^c_Fy832X2W$2oQHUG9R#I?eY(a(S;
zH~`*}{Lz(PbeS6=R+w*HeNqZIsAslRwlv=}t4ykOW=L6XlGxP~Y4CQe(_oTnU!Z)K
zj3KTj=Z%Y*t+7XeB3TSYlU>U8vA0BW=g!(|?)OgEpU**U%)dSdTw@@8>?@gFDJcME
zj5CChqbS{FaHJ_PP1&&ce>KfI!8n$PiL}`NyJ=!+;a6e*Pt&aapQcItzndmPmZs4Z
zLd`SP)CBuocX0vIvl@F`$BX!OxtP(4HoCQ<b-n%*mx#-7>69ZDe>>R2MGOc~iHDXw
zzDtuK*e;vFa;(ek&4v?MWg8xU;KJfBE-p?<DX(|uymWmCF1f>JXb-OBV8TaCObx0~
zv<^=TS96Oqt5-X^CbHK(4b64I{-0^J|F1p<vX<8@?>xTmG%gdUM(4YghRfUjl~`Wn
z&Vew5Z(Z4__x|i>osSWNE=$U$EQhiR6{ef~Fu>;0kzsr}IeUVJ`I5BQZbF%nl<#1j
ztOE@`Sn;KG+lH;FbKPa!0h_xTF}*v~Rc(A)k+`x!rBI9@`E&f3sD9RS2hzJ(lIQyx
zMvj}K5fg&&cU|i_JYFHfyLyTZb3}hl-Z%j+vV)$lIA2&LGkbB%i@Ut9#D4KfS@zDp
zZ%41?PRLGbHhRN;=k%c3cNQAS+Q}pV>3Y5Cm^ck<&ZyqWI_AqNZ?rm0i((X3AQ<)U
z3|A@(3@th5EISUav@zdQNMjuP4`a1`ioTae^Rs3!G+8A+$hLvg{dh*C-)vS45oAbG
z+dX>fpUv>Tnr<SqfQ}Nwyp$&U$`nTwZcDqcDHtj`g|k*Cm(MQu%X+Vq1@xSb0jv7L
zpGmk2Arcukvt8luyK6~5$#l2E_*W^gqeLLL4cDof+>4Wv@o+J-=G$bcpXu;$V}Fkq
zqK-y=HGQq<aaZo~+uJAE8HKS}DI3g5Up&@`LRO=UdxZDJT*6#`h{;x*g`JExb!a4>
zTy*qAOzMqH{`hJLW3YQW|KX;UHH_IDOOq{JBHvZiK~pJuy1MH-OdMAiF@*#_Utsou
zhMhrBtTh59_gVQ#m(AX#Tknk=;oa40=B4HrM8rqhZrdFg!Yrr3#p$9w*RMK&D=Y;x
zLU(<)QSYr}gMU~y$hsaNy&9gcI+E9k*SH^E5LyzxO}TW{&VA;>Q8M48?I!WUY73g}
zJWH*s4dZmXaCz$<ugW`GSHBrsG2%p^$4SJFZX%^xXzyxy7h!#rnxNDE`_#V<Vsg8X
z<j^tba8^)?(eLy($l8h)bb+aBIMjiaQIkX2IJ)nM%kcII@|!E$TbQBKQvvLf7Ch_r
zv@eAu|GWkD27V*bxoCmhxj$}f%R9Cq(3rV0$4{B}Hms(i8i0N?IM3<RRx=03tf-Ec
zjhkEFhFcYjb>}kT)=dY%2NI#M=m*R$B)Y3KAsgJxkk-(7)Z&D^o2#>Y1sbkE{MmB=
zK<L1c!xHxzaV}WHlu=>YYKc9knjHN3BuFM>Pm+WY8yq(_5Iv`riH>QC3e>^arM3;E
zH;#3Z725-WP*3P$!L)7K(=8}Kw(G|$T)84b+rdX&6gaa|xktn#Je52aZsJ)x@8bbq
zmEpk>B5x<aY;3irzle33so=~utDu{%rxO;wXia5XWantOKA)ssv<+73S)u8Vj+bDn
zIKC;d3txbCT*na)&R-_$wndFt`%X(D`-gu?rUoUl{=6rZ(e;S9oTWWpdkzjs+Ilru
z2fh+qmFH12_O?cq{F$=C35Ex^C8>9{-nsYYjlP!zem}%D*0#N<vXuH==3nIDB6pMc
z&g7ZXLUfCrr(tj#cp_!Od7Q^R1eRsTY+wuR(_HKYzcCVU5#pcV0Id2DO~H$#>TD!c
zYkG=xe2gzIeZgN`w;gPQ*O1xiYOr1=Wk(xKS5`_6cg&KLA8$0osDecsk^)~O57lNG
z4d`=S$#U1Q%yIO)>9?-QwFAFcTdlv^_<2%t!VM^$!AuZAy|PSUgi*g&o@d?>seY$r
z_12c2#KyFFQif`Wds2qm6*rf}H*v!!UY{x1o@J-UsFde?bI$F9&XTqJ4}|n;$(wZX
zqZqr8UnVYL(DggSuvhQ0DL6wF(F&SK;I6TdRuh!+b<lqu^tn79ROh|>cLQ#-+x7{Z
zWCMmelhB@Re2&R%MlK0k-<xg68lbp@ZtKj6C-_Ta;O>LP^r1pg+N(|OV%eHH3$5z5
z=Yx#sZLD6Xm!D`zul|T2zvir^1)dOXI*Fryb8ds_5ZUj<u8{qGY9TsU&1BF5t1M5V
zLVF>hgSk&y{(0D?AoO8kD88Tt9xPP%Gp!NWQfPa&;J7vR+>fbQZ9A}F^o5N>%K_^%
z8*AbrV_qf>nvQ!*$*&gE)~*l37Se|opx)VqSSPe#Zi;Qyks4JXwX|TT9tLKW^Rf-v
z4K*oXRcA{RK<tM#jk2R+?3@U&br9EPvD9>ZVr)8Vj&#glqHIxd0>JstU>4ltrgNFQ
zuRpoY0f}Gdwq$@~=OB7IOGPp+I6G*i)geZ<WH;Kvs`VaxNuVGrCX-DzYGyI^EI=-2
z;~HX*Q~v(V(pAX>t~KIMw~e(>@U((`ua~0KH=L0+J@C)liqVoKtmnVGFo|KgFBKzy
zMH33wf_EUV(}Q*&aqn%`rM7Wyc7UHPpiYsiN5q`PEHb7B<Zokp{Y~_3aP>3U-Ok@K
z0!{!cm2sp)ZP5`3`Mssay1{`97Kipu@PzEflr7Gr@au_PctTygz!HCp$i^e?^&Sbj
zUpOMl!qQz?dlE^<<xg*z%I{gj1zvy%{k$3N2(q>#DULL_*O^|2WxbGyglvIn6V_S(
zB~tF90S(gJWzp8()E;Yju*t}?GxIf~47}ZvBxuGO+3aw?$j#_FkH2k6Z#r~go@oXc
zhsipx>wT38=Kgg=RhGY+#SxY;EVcJ%W&zDxX`SWIB%m)X*|^v2S&GSl^?_NWkOo6+
z)Six<F!*@})8~~3&(jEbpjD@|m?T@LupMra>t=whNZXfh<x=HfzEbkkpV8FeJhXQ3
z*d4`#n`|=sZoc(5f~R@G8%<X~cXKVmTMjCb0s0)$(Z^L8Z(O%I>OipkqBEINMjOT*
zm@GZPf#55RWPySlCG8(#wTF`VuLl|}bUrxvbr|GBSI+PE(|ddy^K>VtFh>wPI{BDQ
z>rAhFuf5fbb5lR;5MPAe&t_NG%_p&k?fyDp992Qeh<=JZ@QqFLnLfPkaO2<tqye<f
zx~RrkRou3-d~qmRHyZlMiOB;f35<0Qq-LyW-KN6$$qefgXIvS08BEn&lEEingN4qo
zrBG|Mzyq7NaaV8&E%nBFvoCy;20}8i2s4R<8MM>2;0}CGRQ$P8RVsBqk;wAry|=#>
zEmhuHK*OSqi#3}&T{u~zbjAs?3Bdk)y1Q>QLVC)^{g+ey-iUPH)*1Et^p?$h_fiM<
zTq2rXRo85a6*PWEDFMW+q-BXEs2lr3PaA5nZnqOP+DH;TW}Sb-*fM(;yK&QF@gCoe
zcjFZz>lvkSKN0dFJk6gNq)!5Rwx<@Vn0lX`vMTOA_$*SVGL7Szh4FlHs0h#4>0NAJ
zq<r7;YtFidzg!FbD5v0`-%t`FL*>6HeQAZ8FyP|L0kWi|t)z6UKdp!Y1RT3T<h2Fn
z_Me(<+|rEQN6GEKSc}HFUT9vJp6fK>#_4lRITEO@GYBloOj|ysZYGTLxE(F9R;Jhm
z*7l_Q()3Pi>b_o@xUa1Z&%a*le8tF;>o(!vH}`(%)k<(<g}18E@=ueaJgbl{BL81W
zv+9ZwJAb<eH<a($YC;up-}$U=pX`Z1htTIz%{6EC%WWi%4py#=eACcWqKHL0j_0oA
z&DNr1RGO|~t$0c}G_(@Yd1UM-W-WLBCeb$+REcoEd+DFSbkZ!|1s_!=9{Ysdge3$#
ze{BmpZ^4O#{Oc+FDi&_Oq{#ktCC<TO#<2?hz$Ne#_c;#U24b<;%=%2dF3A?y^p?c(
zD#>l*>{)GcQp|~wKaxzT?9QJ3C%41|f5m?o|3t){nj=*kk$y;L9GdfOjiQPWk$k;;
zEbSH7liGG5IY6&ZpY%h0fKc2Ve+2cpkx3QJ#G+esm(X;w5N&~JuYyx^JkQLSO)F~9
zZcZR-(^#?u2QDR2uF*W&q*ZrY?G~~%VfN!;k?{=H8(p4yJf@d)LJ(ktf0coK(U8kl
zLSH-~DiCyjQ9AJWja}#ewA2~D7~gZ4?f3?1mcS$7OuuJj!sL4Z>cqID2=vN37YrRL
zE7o7)`Te>%=B!3x&e?_G<34s1Z$n|Oa&)Ciw`;pXv}%FArWH1@Qel${nd>ZozV`S!
zZ-Ln{r76-15OT=X2wiD>1qC9elWQw7M}Wd(GU7Lqyb|nsE*3r^Xi0MQ8LSt3?k-I1
zOV)o`e|!KHp2>aRN<6I-*xg*2F{00i^zRcL+;Yq7r+15!emxU75ek`g9zoz)>cq7!
zII4fLbicxDxg91LQ0js}eInhLg;so6#+3+y%NdX|$N3Tiab2A)uW}OmTEBO#-Ff!g
zEDOXpKL_5VhCg%c>6rZWD}rcBa8YA2zpBlE+%1HG2|uIG9#u-jm2*t#OzYmmprS1R
zd7Dv_i7?<EOBv?uEf|YY#>FxFK5>|g#mVI;Yis=!RGQMi+2e~2H+AEkaJ+unXA3=;
zN83?vhZ?v5CCyLuy59-kQL5aLwmEsWFEq@5V?xPhxKk9RyFnRZPLpRnkj)9I-(B7h
znjmgf6<v;kKlI^H3ffWJ6*n0!f*-8%L2UMM{WksraS~dI(g=~i^=0~7QZlCA?s#HH
z61-77nfjff%=yKjGWz8CXAEu`lumTvmg6SlH&OVp^Mz8XUjr=p0j+(&{M2D*;=s3o
zOqq}C`O}HJtnUS61*n5~#c=u`%#Ow+w6<Lc-8~fUfz3PLG;PgSv7(kf>oouQTmp;N
z@(NH-+)K_#uIOKCPd6cDGWq<vM>&C$6CGlxob+BJ8_(`@;O)h6+o#&E!jj<|jHe4P
zC+TmLMfxKfkpt%Ekrs|pJ71fmHLENvg`7uoOrRxI`Has+>tD)V8;%N@cKQCbKg?d4
zk;q9=Zgn-N+e&sVwBhlo-b;fpB)5ZzSP?YSG0)aM6`z3Ab311-1NCz8*_Zf>DG0!o
z)&_|vFZBhFLJ8Uzj_G~P+S3u?iT7Gv(p7g(p;-@cmU|G!oKdp$v`83Vjcst3UkIbm
z1(gjPQKj>H_HQxBtMkrF3~9H<t3$ye9Fx4+TF@!meB58Cu_ZY9ZM;HydAiQ&NpYLc
zw_XJ6fCz_7JPIEb^!)uzB7`NgN%GZ-9(%sNO{7z7Bssj`cT{rBj-u#cE~(vIJU$+~
z+QmS^#q)@!Xu(blk&iR97PifClzbFe%tGU;Ym%@i#Xt~os`?%fUk6LzXS?Poi=^J=
zLSUQpxV;(=@1*SNKzn@n?V;+lbY*Gk_bSPO>_c7UPr@$|e_n3Ceu0<PR|zsBDXB5r
z44I1AeTs^z#%iuuFE0--)pq{Tb5`&D3@lBpa{e>aWYZZ%li705DDC?n22&5<w~aMh
zE-94~=k)sxzR!E2w}Vh+#qobj)Aezv+>6Kl?CaTXk%)Eid8~r>>T1NJ+A2cQS^5G3
z&%RJ1cwGRP`ozUIoNJw64HX(#r3K}Rbn<&D$#`Yv5b>N|)~@Vi?KmsPO?F8N%EL@q
zJ<$J8<_x6||J5O^gx`;`5DI1qqhE>!p-*tR!MqXE-gNgXw<&N=3vBEoAi-Pmf|G}=
zBLF703T|jjwn2qb3dGLzA2P82qW^ZnZQIcfg@TwB+c!~YLAje&B|>yvPa#uVEhJ*x
z1tD5K_L5HEmt8oNQqK4=c1OCRmI?P#tieAo!CkwMGX|%+3&m|;iB57ACh0v`+)Q+B
z@K6EYK&*E>_+K{@M^+iDOP>56^S>T<#recrA5DCCnW}$y_nN&=ew}P!kFWp-;j*_)
zyy};thL{&DQ0ZuV{X@GBY*PV}ixYlTsQBWOk{4J8v&FpXUn6$|6&u%u+rra4#Aljp
zHqvx^FWR~551SBh7uz&|lCa1)j#O#zT#>Rwu^gl3+0W5d_35T7J$r9k^&;V`>UvU@
z%CGFIPKM3;y?wEtKbUP?2nsL8Z#m;ygfyeU`r1?j0fHFbx_ZX8W1;V@oR%q+U31j-
z!hXGL%6u7WcYAxDS05pF>an&9VaZ2Ad{Z?INHQolwKf1vxEni=L@*o3M$Yz!%LN61
z$MKqQv`7=X^Q|t?CrpfkBOp(b=OwJ=eT-6)<#Sl|5Z%i6a~Qn+(T#l3Ou70wG2e_!
zk8^+o>|N@hfajiQ${nQ6wYd2YA#Rla!*LKY?EIL~F{Cgnco5nMxeMH(^0cc~8RSt?
z43Msq(*The>6D~`@oIEsm%0$2Nyp6B(7)m$#zf+-<Y*L?EjoV6g0bcD>jN_ltybDv
z41(naVEVx5;~#-_9ugzAcN9EsKKl(y<so(OLXz3p>^oq_Q2^5F5$U+x(;S6q7zfPJ
z9?HaovFK={d~>}a?&y9Si>)h=Zl`ZLbMQmQ&#f)Se6O@AwPcAJ?+siJ8OO8n=}Dh=
zZvb{<jNdmzZ0L{OqmsPO9c2aqCB^A!+WNjipjV<QsgwjdUiFp**5@P<)bDC}hndFr
zr~MhUUwU9(sin6by~o<GfBQzM?s}l~@>i&Lq&n~F*+pV^uNHh~ld`o9qsr9n))?IP
z(AspGUeSSz6Sx!K8Y<7lQ9Nh65n1*yH}S3frl9aB$J@K`)%vbq&^3%PvV1&FL#~gH
z&U^d()SKuc^=DKMBxFv4tvv`=yurpTo;GJpcFr=B;=4mx^tv5~U0#Sw8?_h6p8#ZQ
zQ&uO~{Ii-LlNQ+jx)U0OOA<ZQ9BDAe7o^5v2(C+4+YdyQe1X*i=+qBO91v_?AI($E
zN!!@#onl&yILWawTbx#HNaYm|-M+MgSA66(oEx<C=Y9@+92Q!8Xip*w1Q~GJy_1}p
zRCIFk%XJUDz`36ygH!_LcGQKAUMpH1o|l^&ZxcZZ!M7p1?RtuBtDe@M2`kz*jDEmJ
zQ(RJgYuvoLFtK~+6=dYO@iz4`(O=f)7suHE?5VQ7U?wp1usaLq_=t7F%aOF$ug4sq
z1AXFhd8)*M1ze3x$=C8e_z5PG;cyRc<Mu}1in*pUKE9iYi`)ENa9%LBT)~0vDw4<D
z?)EWR0h0mSKO`Y|MsP)2l{@MwewiZ9aTcg*-xkZLYIi*^iwz*uFWz(_ldYc=D-~&R
z1NQ>o!Y2>wbXx>3(;CQh3xZ7S2<@6{r_^&SWUx@hxrJ1)tzDr`?PBxcNsVp)FJjCB
zf|&MIo#%8P24>;4jod0<Xj1UE-6)~E&+U}IID2V4EFQe!NthRF(wb`@heK^RLLVf7
zT^ij20yQ7EEE5D5)7>>u2Ylobq*kb5Tl!E2@$1e6oZUA*7dFw`KI?uP=h9@>e10GV
zaJ(+VOwTq5*`U27Woj!TL$SK)5w<1%qgC1i0AEqa!jp*0dqR`9cYVn&`DNq7w~mic
zYs?{0=Iug9*1u$#3#_Ub>z&Z=ed+vR3M$)))kK3czhaX`d%@0A615q-TPnSzB_i`W
z5C2%n<XZ>q4nop6Vpy}}l6Q^nsJwvGa*p+(9g8ohvCYAE+!F-Z6?7)+d34vrbdLju
zAHUAe%nsJoaGUvNv!{+}gM~Hgx3VWB&>Q414m~)CU-%DarM^IL;U>X3WBF|+6@~qg
zv`IQ>-FoQ-A{-;t{YG9Ql+%#S4M)<mDr+?gVZA9#*LB;r(BI-6aSx>>*bgVCOg=SI
zJz8MOgJVWJgplG6YX|03eV&+ij%nm!jY|CKKDC-F^3W(^eYO6>`nk@B=NfoR4C{js
zlK~4)O7Pe7Lfwf@HE^j%xz%0tsm)=Dt$GVl?8FU9^JVWBeQXNqCE3{Adjp!nzpSBD
zgb9nA8m(0u&mn{xuLg3}?^I1u+vSAlRR4^N80A;j8q8DGBj!a)*Q2jQ^H}2D4okY7
z<sDh+BWvzDTbz55-PaR+-P<_9%sW(+A<L*66=vh}GelqZRz+$qmB;1CiNZ_7(O5sV
z-P{`5d@|1JbQ~beCA-6kEmwIVGVz#deP!mvpFm~{r20atBLfClNeF4@54?p3VR-U}
z9^NEs;f-*YK-J|2TWN_{Yto+F(uU+r#59wOos+1Z-$UmvMq$w*n?y6cHdAZbV@~$f
zhB@7KO;1!#+(i~`)R=FJ71GBgIG5jQP-&w~RZZ?cj7$@3N1A6g{jb2O|Gur$UfOsR
zIOT3*#Do(u`x6&YDJy86Svpdg7+8iXciB^f#|*1t$-D@nZfsBVemIfc-u4Un{h0Wj
zjp&dBE<qxsheqA_<VRr52pW0Y(A04pa7<a?IRFGJvVFzT)egSyCZqcZeMZ|ON>!b+
ztLxqM3)zKX;Vjxw&iowfxDuXHuermI7PtU($d!<>_`Ac-lsbEBm>8Lzi|vcsSgA!#
zg9M&5?L<mjS7#9x9_!nDMd?rplsLi9Ns#)vMYtKT3WvmMRgcIMleejh3J^Z<(InV)
zJMgb`aoZ>in&Twns0snOnY9H@0djQu^3uoKlwIJX9WY+`5+-$*`u1>MJt=y#9tz7q
zy1GA6cv=Oog(A5`>N|8<Zob6b2hOK(vx*<+;#2Axs^M*@hi20GR7{fSFs#$6zI;K0
z9xLVo3CS?!&L0*PX+Dm?f$OqJ=~+PinN=kaw&KD@(C{-d6YzMJ^MCAVD++Pn+%4HA
zxz}sCY`W4vr3jl``Oxb9^MQd_FjMB=+9cGeUe3r&%^cBh#pADSCz7aaVHIoo2y=Z?
zEYTE74QUAygS7eTm-;~&$*1!}#H>=Vp2|x%kE;;MJRj3=ile+f3OpF9mmpy;ARKYN
z(>)@k1zcKE$Fc0qaKbt5^gQS*)~5xTQRuwCQe$3cBo~eM_RB8Y{byqxr+AiUKD7Nn
zIgg(wzzs6bbz<l`KAr%IK7@Ot+{M<{)Hxv5FFmhlder1ydO;%M5>#4%X8D_X5V}MM
zVi2j^PoRW#*i}aodqSE6yJcQTt<%>&6}$KKx%z~w4W%Voj#n(<@12Vsyhhrf^IG2c
zGJg5^n{ADrYv-CkbIrPdA8l&B;P8sc8KJRA2%=laeLa|=-`+&!0IgS1=t$3*DudW!
z>h|=?{qq)v6O{QMMgo`l+4h-D^a6_q<?Z&9;U`kl57oyg(H8;AUn4-dw8qEOHJARx
z@a5#bOFLo`6Xx{ouIE?!V0vMyA)dXbyUvQhX|C9o2C^Rs4)OY+z0I3^I#X28jq&ru
zjIlC`U|a65U5~2+<AejLcZRvns_?|@rp5j+p-RGqW>5dVFd3)SNbpP64|;$!@0W#t
zzD=!)(6D)YXQMlRZPCSgNtX4CO=@cOj_vvP*Q-k(cO(6Be{n^8Vx!GDdA_wCo$wU5
zea9r~irBhS+;k@FcW_O9jP)@TJSu8;r_A-9ORNUnrna3|C$9?81z54<$UGBxbVrU-
zCs3?8SAUz0gUU;L^C(!zHu2-0$xmhB{=VVLW$p$0cLy&8ACBCe73#gFq)9mM@@)pV
zPL8iwmS=bY+0^t*@?lms%%HPYNY8moHYLdd60&YdE!?Q`9`DHVB#5FY#d#TzAR!}v
z5I-xX#Zh;-b`z8Qt7$d}&WH$r!!7yGIoo0i+-~BP#<3Y*biZMqpkbPvMM4G#jhpPQ
z#QX@&i*fwl|4bz_0aSEBt|_FGrTt!I=o*A=A4A+}-L!jGEHf}qA;_+cV=`Fo0##we
zHk7f(V~pgTJ55`Y{Bz6mbCXCUZDrP9Z>5D$1M}Sy%AYx}wr(afREYrV`I~d!=!rGO
zG{9Jxuc1Lp0U;!9`6cv=vlu;80$0qr{DSQ$2@2K{BOZO-IUcXfC4PygTbbi%#~uik
zlhfpZgn<j?J5}1Eeb12@HCHe6nYK!2d<{OSv#QeD>yIy<EA8#{4JIB{ncsOA@Y0<9
z$^<nZZ+!&TwfY&lbv*YwJ)DIn_&D)c_dVg5iEg}`8Bn!ts<Lo-hNHndWNJol%UQQ|
zhhKHiC7!%|y#c!-;G2-t!)fsFqct;cU6LI5l}fu^u4RT}R|xy;4trXH)BN@<pLa?|
zo=&jlrXpp%c(c0Jo988}r7Rc{$p=JfHQ$`g@K#nV9BG1HANZ2a369#KD_Tq>S4YTy
z&aHAApMD{BV5t(@#Ck!itlgfF^gnPH`2XMFF8}MfeBkT%<j4Rek~Oiq?Q?1n+Ab=#
zBvQJo(R@M|6%bC)9q9B@H?e0$EP2}b!BCRQ*02XqHLI2{9yd^ZuKM*{D>E;{xV`}v
za@Bz}z3n-LF2ICjaAe2D6<&`ua)>N0=qYTZIQ4Fl7G>7FM+Si}3;g47P4$=+rYhwA
z2jKr3;-n6H)o0-gkL*&RljRdzeL3<npNZfg-veh-yqLIoopJ?|?s3<CNbbYCsNMDs
z)^}WbbelK<xsEvDiBm&&E~=nAIMI+$-iM}~em*N-T|juHh0KTEJ&g(cC%mBJl?}d*
z+<egWEcNEp)#s!^!8BSJs!&<u6IYW}TCB1dPPc^#=yzG@HU-oAh<TRD%0wq3nGW`@
zU^QQumLoDp{EFRmjKqz+)k!FI+QRl8D;b7PDG-TRl@N?-F%#<xdx}g7kOe}#SNqv)
zHJ2D~3wg<!EC@A8Q=G}uC<ZTbimE26NM>!tgvcJ~geX<x!z6e;#pk|a8~DHk@2o4@
zDmMaC+Z2d5!HUM!c~u30R&531N@pK5*Rw@SCYI_vC|Yz)F_*Aif3WOe8I^@S{H?$1
zT40NIP+oUi%IFZdKDLv$dLFIzltn1i^495kmgq~=y!pv^o$<SbQ{!r+;3pa5)HYcM
z{dCzXW(WrJp9I}6Gvx!hS~|PcyP&lZu)*uSOSPFAGf0;8dh6Mqr_2ykkWf#4dPmZh
z29_`d9VMsOoc9o5Nx)p!2l^w9^k?GB1-fnGxHnR0s0+o_w2Q$P4C?ykb}w$Z$%$n*
zW$a{(4d4T6+%#YzGyzSrHRQDwWpuzZYZJ=o*NyY#_W0JVDeDCe)eg;DjQ=_-AzPWj
z7jJdCI`w>_;bxyh7dR8D!!NjuN!yJtn|G>T4kWOLA`T~&=Ivi&(GYMt{WZi(?)V$d
zJ8fgMDhWaQn*cMehBorgBkm7r|M3by1>-6$b_+hzY)fus37V_qugpcUuw5p)bH{7!
zTwgzB)nMxA&b#sEU5DpyQCp~X1JoosL^#%wgI04X7<xxL0%~Fmz@}kjycidt94c}I
zH4}z8v(G??+$65uuHzUVSTLTTiBm)C01B^&;3Nlq0Q-73I8EmZ{1x-9;7gCqWhn19
zfGV#aVA+vJHIx0`Y>tm=PV^|C2!{G2O9RW0TO;k^L%C5u##yV(YY29!31lPc)ly50
zr+b=@_>s~V5?DbXj{I!m7G{HPeABbP0CHaGIofnV$}~KomNNz}nyu>`oh}|;(8WLX
z(|M@O)O@)tNwn@OA>m|u$Y65w{s;M#B|f++s3*Xb_D*}<EG?afip+{#v-mMxv%niy
zsK-ef@+K`}f|uOFGp*w@OG=1N%Z;tYyHH^To}mM0;tMl`v{`wu`MqZ<>9fRznd;d*
z!?tNID>4p>F=5HR&ew-K^!6cym*Gxz?N{AUflgiZ0!3HQ7=*?qm;=4er2pgAB^U}a
zMEWyKnb|IGeU?l<O`1z54pOFQ$1B<U52O1W#TdOHa>^|IYXiW%b%)%Od*^CjyxxFD
zRc>xLFOw=UDL@NAO?*^){0V!+^s2UjB^a){-N&9c-xOqQn+K?BkEJqOjWUi;SLOv3
z>L;*hKXn(IB144t*I=Cy;f(Xl0^3QhK5|0&T6QlUthTgVi8f7V1d>LlMjv~F->m|k
z4nLgSGZJ3~ofQ3#%M9sqKht)Q`EhBOpn&^AK~Eac4iwy)5^2NWL$%fdO1DmhGuvRs
zH5y!qlk>(-de_tBRE&MS52O+}Df*@{%k;Wq!4PS<Ac};ejbZCQz;l$^`}1F#fiD|6
z;VAFaXW#fPc6nH;1LC<(EG2E$2E};8gChM{Wq3U6$V?9(a<0-KYuoHITUq4{HsIOH
z-Co}Dacy0XBIzkboz~WHvy{!OT9TNif{-s1aU98Afw-g)y33@2J09L^eVafNm5t6b
z-H0)tme8MqvNqcv-8uzVR4-yclK~)33&e${PaLrr`$DeR$3VG8d7whe%;!goqb5z6
zEL$JFbp{I_>pT~z^X!D}#g{8vfDQT1W?`nq(^Zz1PkZY~m6s=dRltNg4TeX{fW?F>
zq|lX>RAsgo%f>nZTzH{`pY4WRDLy8AG0?J2o7AF(aEcC;2oRO2i}*{Xi4i^~-G;6a
zIy5u7h?Sw>QWDo4<J^ig4~rfu=9$_-9+n5_z<$q4Z9lhN`pO7bkjA~u4N36f?a^^i
zAsWC-UAA=m)Ck>Y4;!)PR9#Y=%FmlNq$2}4(vz*zTiD2R+v^&s*VO2Bs9-Shyd5lG
z$Tjs*^q|B(K4*DrPO{Y?&shqz4C=hI;UoaTfL4gU(tjTGEG^c<BeFrB3k8{-t^8jZ
zkB$pwRa&4jEVX+$zxQ?09lW*Vop+*bArf7^D%`XpV-61X`+>-bm3=ztX}3fqnc2-d
zzFS#~1Ag;4Cyvo{=>ab$BH<8m^G}*piWVoW7VsmnW1B^EYELu!F-L=4&qb!P+Y2)`
zpf2V#4%0=&=qR+qj)@)qtGM001Nc>S7_BUddsF%f2>Mf+G_@LhP@%kd)}=xGy{b|2
zL%#LP-Uc(CYTcu!dmmMY_ouA1Ajv8Aq@>iUN3q0q7kVmvzc<ws3O*|gJ3pE?Ize?Q
z<~}%+SEHS#Ez781c7ZOfLJN#NrcKV1VFiI6&z|880Ooneh$C2)&^TA^*CkvKwZy5X
z|JEH^3K5>u_qJ+lULUD6r$uVDdL4K-@8oUs4)=DH-~vmgWs2uU28P=t@i<7S4G3dG
zC=h=<x353Gfgg*JL4a*i6xJrWUyuhGThL}1lCDSEfdP+15{7hL3Klg}mV?wfiZT_8
zGQCag$xn^p|6zRoCT|TAKlC%UYBaa~nB;1-?1~JQSS|4xh_?CYHel1H+Y&j6(j5CD
zsw4BY`PaC_Z+Ti5ekELQW$9BT<;LvHb?M~PwuVA!Y>60EpCSDrHb>}~N=l1Q@K5P&
z!Z-PHw^sw2vl|YHpuT^TI(L6{o?vxFeZ667{%JTP4mqZkNQ`sFqtqX=I!T1Ic#f`U
zsw5LaVC?9JDFa~(#Oe-E8pW6&iRLHgf{9cLvo?QnmJr3w|1+(hLEMbvk&CTXA-P^d
zgy8|lPe%{ybGl9I>YXgX_O56ba+3U@C=ydp0u-21XD;LNGc?7ZRnIZy1?vmG!L9!=
z$VSAP{_=JQ5zpZU8R2TGWpiXK$}G;%<>W5&e_gpGSH_)j^z#UET`M)R8h<MrG398k
z7SgmhU5}z=zKkxIjx~qU&_WRP|6vqQ;z8D1#S90+%kQtx&ZbKEW;XLL*cb<5#@zrV
zL8lYwHzS*c(eq)pqleG<QhWW_p9BRG^{;0^iPm)t=O!$%p_q;qo*R)l(|SZJ;+@C3
z0=!7qM=Gn~R=Xq#CPPko%&rv5>lTD}h%l#&&@P3>u(Ujl8cv;SBfhu5ksCRH&z+RO
zhR{0m<T73*YdE0wHqK*>>X!Yl#TvvflN}6-By%9s&}w4V9o0P9IKAF5e<2|$4=p6<
zJXmgVTqsUdVN{9B*CA#)&T@*wETZJ4T>F1fnD=%~AuJ9gtLD9?OTGq?NG-Tsf(iT?
zkx{DfC|04xMRGO(dC4aX>{&3C`+Mw`MwAm18AU~!B+I1Z$e!wURN-DP2ivbyDJshk
zACd~>OaBjpdX1@<(6giDV|#(eyG*%~sn5~@g;Z|@vZ0y@mD9rL(;atr@Cy{XeI<H%
z*Y%-eXSKx|<Qzy9LeDNUqORKU&DT-jdw_wLXq0z#eTQ4itL<jFJ5x9%x}@Q=(q^+n
z^xLPWNCHcg`5Db3Oei1?*JXODQwxsQdqiKYHNV4EfgAgA|AO%jy?|TYBCsy<<ngT6
zj?x|EXxwpITw?K(`;+kA1gr06Mc(8PgVCS;)x1k|IFc0bOu|#RoW8+B*e~E}T4`7Z
z5lDkgZH?IO0Qx=>n0dMe@KiRzrS)(Y&7hiUaxcsdJO`{UqG_2FPG&sq(kOsXMa2%W
z?}P40(!P)I^uGC&DbJPe+Pf2aT0a%vm7Kc#g!ivf7)I>lcpX&_;?rt{=wsysBxg<J
zQ~$%r{g*{y5H8qwYq$5ZY+9-IcbBh(M)ugJ$<^`IQ-@r!?mj3;g4*i?;<BWp#;J0p
zmAb}~;G)MgmfB!D=g6E-j3u#&9Sif7KEhHrwwR$97k`|leASO``Lv&113UumvxAtc
zD%2`mSAR26o*2yT+oyFVMTWxi^T8ZxZ3QalwXm)SwxWNZwU6H+zL%YGN|}|Er<OJg
z=5Os<$xaA#K?bCYOQvYt<*_(tS;r9G(j~}){aYt-igR%l`o-AXwM^6fbCHMIE0l15
z+bf@fjFM;+ON-DX(i?e#dOm3a3x``E!G26RNk3EG0$<laVY(2{gAVTT_S9TV=Y)R@
zpRqx&vn#i6|E7W81u{ZhY!qYks3S`PO-FtHf-p2YIhkl)5yWTq+~qyl+$i#Bw$A$W
z#M)AB(8|836=cidpTfBo4|CmJCd{|pN#<YdIumAAoQ_YBJ!eWpLRop1wt`yK3ldQB
zV$~m+gDy;(Cm5QXy;xX0-aOQ|gfjvXND4ug6Lq)P3e&b1Szf)BS((=7!!I+YgL6aA
zfMEVxapI)FwbVYwcEL!G8QVm5oJYBRo|wByoDApv0!Oha*^%EExWsRGpA2CVO_y>R
zb9fB!(VYhDXX+5!7VAUjbEPCgTkSb2uD_bisAzPNvjBskw*6<!ha{!xMbU;w2)$6w
zizS|o_rLd9g7)-Z<9e3ZwN;Y^sNF}^PR`)KIr7fXq;qNbSDz^*)p?RX+d9v*!fU24
zyq-UlhIuQR_cgZaM8H6-jSX6GaB0r2cDKEgZ~o5~pYxAB9M9cTH4K+9&P)JT-<$^8
z(<`>Lm&8|p(I;x;+`JJ`L5v3Y&TWX&m5l?TiHivvCr{IR%c$V8vSmYYUpe$vFn_ss
zQWi^G30=S%x9V&IxutFlhE{ovigG$JVfEx3KR>-Cw#ti=JNkO=iRo_y{N+kh(=5!0
ztZmoquG<4@_1t+XCRM1jMe3mkesA%X$%(ED@w--ig>ZM4=+`)MFGap5ljE0YAI`z;
zc1m(~9ZEJVH`nk`RR)%=8>yGmdX|IGCN&n_M2+#+Cc?hs1sJKEH8(8j6GdV@B%4%P
ztX9#yRehVMN-C<Gz6TazTP3;hH*alHk}`_{Wm!vGg<L68_DbnuXyTzr>chO1aq`40
zI;RP8wE9yFPq2@BlSyc*sX6-$YOZ-;$!9J`+3yhz=ULp4#$5$=NYW0h!=u|8*{EDv
z@&*HF;~>$lwx6egs%bl`W7gd{_xhQ-s4_LpK84qbMl7ldK~e(=+wUoF1dD;P=e@x+
zu=-3<vK&ov<HzG`WD{uJY&E0dTw<o=`!l9iL>&8FMuuSR*3h4Q({7r=X4}pDVpE9}
z6A9CDnb9vsCb<fXTjvl-9YJl|{gJcQHWTT*GF61?M@rqaR-V`HmdQC1eQ7ea$LSci
z3WK*vZ!!#Tb%qkn7^Nqnuk0yuM5P|e6Eu>=$<mku^C(jdow7(>!;UjeNkqa75@lWX
zEQ2?qqoaQBd5NB^4#f4_-VRCMTJ(FQs+xlr+18mW&~pD~wTWnCUguO?a-LA-MY)tH
z;P&by*N-j1OI;YsCz_-+oKZ?ETTJGExd%PFHtjc1+?}}If>SR=``l$@GuzSPwf$}D
zmGc#!QuCSB&<t#;@#vG+?7{r|DjrnF#omS4ivT2v2Dwi*gz4Sv2GYLlkN@?(kVsoT
zs)hD7T_%FQoABFEkV{wu<j@*w$t9eq`Mj9po?9<Fy=U!B5)f+~cGvYnf`%VRW!p=1
zI@Zy-AL#zKuLI)G&VJ*#e@*)=#e0DTyc`JFbY!ch7Y7()#r4YNwd*ijisyvayc1!G
zbX<bZZOb&<ozVts6Y|r+&ews9g>_Q&5$sFbj2$bQw#NQ$>Bpq5S+feV!Q4GgNzrbz
zA7>({GK!lR%uKl%C(W3i2ID&>b=$;AGz;B;yJ)0P16AfwK#gi|-fEIUvFj_76J~Ns
z^=mTGg(K2x-oJHs!dwpc#W<O3f;tcL0r^b{N1bD)280C(x=&$(@d?HkPzwD`Jx2|P
zqR%<R=j_w=!4kz$w~{w>W@8U$JyGg5RaUy~&)Y2)JCi1?y>}q<+~;uY{AYVVy2K>n
zlm(CW6}Bq(*mbpvsfRNsc*Vqm6jVdsa!THVlzvd*O#?bgUs_v17lb<(k~CY*DMJiJ
zU^Bvvj2n5b%rCM$3|KIR6QGaOQQyld(s)_-lK^gomt!Jr-+m%4;6Z-sqpPMLR^T-G
zEV-*TG$Cs#TRi27FExr+anH$k!t9boEOU(1v+4ZF3eEKHv_4q{anz#Vo3)z;-yWu>
z<@+JdyWqjPz*C>=oW9NXz~^o~>KY80IYHWn0;r(*U(4d1&k=c}<inItYl64Nd9B8?
zDEm$~lp;dL?L=w%X(*E?$T=I4^ubb4sxa7ws}FwP1<%R|1$@*qTnP3JAXqf=Dq`6x
zp2(Zf<zrzrI!fdm8@7&75W2+rLYAi&dmEJ|MDgjuNyGk3k%90x;FbHgHs0NUX(|fS
zK(QZ+)nWScR31s21?nI^0e>@zjvIdi-@9V<)^+!IKyn-~uI+YA8po3Mf=~~ey`4k=
zG1AE?tn5plLl0TYn|*eKAL3CojH!lY)yiLONQ%$7XzDbjluMMaV(5Jc0mESnfF|~!
zIK0%+1^qiyBw;U+f{vilaKZ5ZuH-tm<o)3PspPPB4{&rja`SR~tB=FH*oJdiDBE;f
zp~1zqUwo}pH98qp?8?>J(FD(%P<H~sW<Ss6-7jGGN-l8jRn7XP{({O3tq?`g9)k88
z4Kkdst9AdHpi&Fat59mDN_`RkEq{t-)W}B?dpz>M?5%D~&m2|C0zbk<&%TsByQ9i3
zVSC}=?nt;sK-p_s@KAZ^Jq`F*sUuk2obb=*fKWU}Z=Z+Yc2677DQ2W3x2gvfrCvsl
z7;dOjgh}hjS@98z{!2aVK=wPpj0RFU6V>9)NYfkXj?x=cU2MYCz`8Aum@QuUSszEH
z&dB5fD$$-xB_&3dRn6xxXeEi%77~kndqVJ{LJHajaW^ygoR>v}mTqq&qCvY3t%-##
zx;p>hsm8<8birTMq&}HRCbj4aaQ}yK=TsPN@wfr>2wn^A%V1FSe_o&jtzX1mA}x38
zZtmyizO`v(q&M?GlP+<LRuyBD8gevOa170>veAE!^?vv_ve(DwXdJUH!}8KuK+!u`
zWt;izMkRbJapZ+yPfwp+oU3pG;1E&HX0~aXE*j7|B>+9b`Q|v*kh2($D_cyH$lnH-
z{C$0t)%RkcI5U!mXgb@hA&`F7aum1<?_@ISf4yl>U5#sD*IkEMoTs8a<)W?Kt3|=;
zghBNS;mp7clfjWhl4lNoHB4*##Q%sHb=hbkShs6D;Z6WJli{J&I4ozS*I^GTDH_vE
zZamD9m1NZsFJ<N)1GJtqUw`{h@*f7$a|_Wr`UNR0a7L5g<B=_FTNraaBO<1+iSZWC
zA>7A0pZ>=ytl+pJRC-Uy3(VY?VN<(Yl}%k5AicWD9q6kTq?O6)O6z-Xro*z)TpWjP
zE78P(=kLanMZ-i-XIy3{$JyNrL>))Sug7`CCw#61OPNmUHrL|sN0=bdSf8w{imiUp
zqg%sbZmW*e%YzF8#+I?C&c1Be{Vj^#jFx|hmX(HeXR*b*N?QK$BjW<G3H!074Q6)F
zE}XHp@mKw>+c6(+7of=r&<V$FL)u^?jt?x+txZ^8Vn0db=N7cNUXWu<6BOv@O<(Jm
zrRe9Waj2WE^00qcL3T^qt@O-(GTo$xu-E}!L%UDmI%L2!*7)Iz>nP8YFIYNNr26>m
zA-yRtmP3CTF-He~TA}g1Axv$zrEBvv5{xua2F=>(rwGzXU4Ta2`VQ@yXU=5}(hi(>
zfFSy<6WoAc0h6(qdu?9s&p?yUOjquV!p#qeCO_j%&nyeGCWB}fSSj(DN{!vKc1RoO
zTNjY3fL&Z{u|Hvc_A8J4h{rq`A#8q8VQ5v)_mR@)f(RVEzQMZ`dWfo0e^lH{q5k2t
z(Jf_ZBUEq@oVRbTCQq#wq(qA1c-3=6uFCz*>cctpeLz&<OjKfNVj>k&-gGXq_F#^0
z;wB#~GM=e&<{gncfD#*Hl`c(gSB7!7(Ud-~J4ywC1>OmEZcR-0Rxj>T{L;CNdb{pH
zoJp3A@4H~*60`}4eesFh!NLZLC_a6HX}L)Q?e*jsi7uXPxcFf&J3CK-bo(I70(#U@
zwS^r2VX!H@x1q1h3ll5l<U9bAR2oiIm-`~Qt@MSZOMX~};IHcd2u3SX+<a`EM~N_}
z!EN(>QET(Bf@t%7{Yl>28L=uJ6xb$%Qzx3E>pEnh4>}RcK5c_7%{pLWw0Y)hhgb97
zK`b7vE;^xZaFt@k4>W>Lnnj71Gz7@`Kgwq&!?9488X2MgFz7=T5t;nPHkV9HZdSRZ
zdfYd}%ksiQqZf^w2E!1+s>)9GGqJjil1U1JG?9Z>PyiP|$rA7}2kutH9HP6AmmD75
zGmJ>8Hy@a!Q%r1$iO`%-nO*5WqEB+@D-(uhI%ka{q(23*p7S||GuMW`{SU(v&K>a6
ze->8f)4;bq&`9A;WwSO9pm*72;v9{YRyBAJ2cS+0wob-sECo~K`RG8d1#2XbSqV~R
zZOQt~7)Mpq-&CbALnDn`GJmxKiMhLjLaWfbHPH^A_&yJ6rgFpYwSn#UiTOm7k%C`I
z#)x_5bux6FYScj#bJWG}%6jH9DV^Sj1!so++LP0P+O+Gmm43Q?mlYbaKGBDY)IDC=
zKI92*S8DW~^G{BdWZ^!^Dl=>TQv9vj1?*=h5YG|AZFfM9PD9;RCv6+Y`F`{W`9aRx
zs<KN;^uhYhARi}!2V>lx&P7_keJQ>0MErSej!;>_ONw-cenGS2Ieb6IADaUS4_<>Q
zNW;1^vkQuLs;p*|9XuNK6ioMN(C`koZJ>dhPgnrPVoE(7a$}kk9af9~ya!BPa)=hV
zM;uEGmsdZrI>+<$xwxEy=PmRlTzMnSyv(F_S&r{+PQkBEV_p=wD3+jV`yB;u&?F98
zs}gYuad$m<QiSVjBI?C29b8S0f6fh6TDyefbwFEu_&Qgg@#`|);TR!)S#H0qRi&o@
z;E(=#`D)f*>PIXi=}p#~u%oEIv<xBM{t0WfdfoXxs3|?4=6rwA>{hGW&P^=ofBVXR
zf4JXHDvMC<zJF0gaz(_+KNv*7>^bxwhG}?p8gu(3T}LOXVz<_KEiWDLEt?8zUu^$k
zT8ngyg>=HEwWnz@)NYoQrI$rqNVCMM)vh>)<Qp+F@fSfwQLCHO`-{JMV&(A@`(k91
zpEpuC(-Zah{ASGZT#v9zeYeF<CtZa55~b~q(r$BUP9{>n_=Wnh=0ZOO%(M-UPx0ov
zt(174IA}Sbn05#y=`(e_7;+{fgvq<ydtA%<2`}GjD`F7G=?4wNJ#`J461kHZZ#CLu
z?y*?1Ct5L#M@pgyxpU)V@!Ru?0zO_g?|E5NeH6*{huW$GN6m!^n$gr~E$ek+|Ha^>
z`O0=KlK2-otby^GCb_H<P6Yvn>z2Rv__pQzoGuIGt>+SZ79`GNloZxlYtdUP1YX{B
z_Lo-(nRChCKr|C7z*g8P?~D#RXmv-DB4G3p(?1U*b9Zi~-lRCN*%axTE=j9)WRFqh
z?i~{=G2AXHUY*7nMB?czN+;0&kz<6~iSrxgeyW16V_@$^IaKKbJ^hw>{~G1lFLU>6
zTq8cy!L_k{Iy+j=rH0&}8noWr5@(1<A|J}qzAL+UiYv?w#WrlQX=j{xc1igZo=I&9
z;r%|I7zr{0+lc?OhUnsY^U_`gp0;UyHDb2a{I-4RoL9@dM~IhPXTU}%A13GO{B`H3
z^|;2;#it}UK4#`STNTfp-N#L_#a}cA89z)f&QzoJGdhRf`oUoHu*Y<7O9kbKr5jGe
zzPX-*udyz-LFb5n^GX*(<$smRK6ali{PGR^mN_JEWC>jy4XBS(>JIXQ7U4LV+4Qe6
zZWEA39N(<e<{k2zt_o;GauyI*k5x?>tJgX!*<M^3&6)&FgAem0N`5m-?_l!bWw)M(
z%UekD&w)aWZTuL;Re(rC#)(WOeGo9iAKk(OFYlS~A}CJGRAp<uV_YC=Hh0zJ4pV#F
zo$A6TKAR>8bRVk|>KC%zJ_ys${SQO8gUqr(8_>Stqg_5`U&8FR=xML}v@13PSU&lo
zG+(QIVHKMzunS%b|Md=KGGuaxb-!(lFxTs=N}Z>)TJzQgq)o{wh~+4Mkrq$PpfH)@
z4s=(@aglkUlW66%E_?VXTr&ErUj3+B=R_UGpcu%Gtwm6K@oQcT_QaFXuCKk&q%3?i
z;1WxkR84TWz<d&)>usUh?El5tTSc|`g>RccaVhRnyhxxxaA|RO2n2Tx?q0mOyB2o|
z?nMH@DIT;ykfKEjw6yd${72UMX69hlnzQ%twddY@KXPAUHlvn#3xedrll4<RJzLps
z*$>=Y;z0(amr)_!dAgPj59e&x>#;Y#JTZP?Jc|JW!H8)5rSS_YW(Lvd3DNfW+jq?E
zg*6G20nhdK$wqO|Y#QOrRA#vS-%?uRVX+kVio$z7@IXw6Z-nRj?hK~yQ#71wfO*;}
zZ$5r3q7{51Ee<AMRf^ZlQVGoMykeNoamLfG43%#j*OsG+L~Z7cyhl08$2ie5<a?w=
zkt4CXbCP#zIs9Yz{K%|~8FuhK1JzMUpl_<#<7!Z@*BKu31aCvXp~(l$&#Mh4!fJty
zLg1#v@&i=yhqsYSp0YyF<zbRVl^o7_UdLDpG5bt>iPYbCvVrY_&!hRK;~|$D6GiE3
zA}o9>U*dTp^v1XeRENF((EAp#RWb^@O%#a2ZAx_ax6K@;OP#Cw-R1-i@^=$LHGut?
zW%m$+ho`L7t8^AbXRd+v@N`p9J9jaSt(uV?V&Of7AD_zChUEpp-vq0T^X?+5_h-NU
z8X4jCRGL<^rA&kIo8Vms8|DJ~Yd+9Lc?csSm!L4`VC_u7Ls#<{E-A0}?OT_c;|XwB
zDNc66GCDz(9sf|e;>dy%bNXlU|DS{RLO#R%T365?2|I|@Vxy3LFL7d_fP^*X>b)4&
zYgWoc5k@{H4{F?(rB+FSl+r`4L||r3)NajeElm21*?rT(dP(RyJ`H>+TUpu&r#8+r
zS2Go2{aWX!U$+@kq^?tu041Bt>Ou$oPT^#nZ^Mr{0wfgn>aRT<O>`S?w!6;oSf`}v
zJbIQ05cRy+JW}~*f%rOFU<Su-RcbX-ti1oB+;AfVlChh_sil{Z1d^Z9e`AVp%m(f?
z?=)GUY$pozY-{xUy6l>Tv<Go<`eP4jcfV1=8|@r?I02wj3kE5?)__V^+oM;drt^~$
z9}JD-%cumm#0hJfOG{4~;d8L$b1Syq;wd&&bZ+Rm&iQE&0B&PPm#R0j&l;)adF}u5
zEwl2+s=t{RrnV>lpUj$7Zh$;Cx*DtJ5o?Vr52Q7N+P3`LY1dC~&-1RPh8zWgQJvfl
z*xzzbQH8mLNNYk#6-EQ|mGu1|11AaZ`+l6Ja2scOh!`C?L%7c8b$>|NV}sO$r|hc3
zbSb0s7?#<UoUpW1aT%#?nAB#;vZko()A2ogLQDLKjxj0Nj%%Qg?~)!uonmNa8m@@f
z>l0ukdncw8Y$-nI?6xo>u)d1~kEt`Ab!}FlhP@tzn5CZpO>|l?JFoZYZ><~}Z$p<o
zfJYTFA{}O}gqqWoK79n)y-hGYD_+|P<%(8?S-G!FOdC1XE%5mA9F8!#K7C>lm*bzH
zJFjn_XAF9>FVpAsu<wY8LAYI6@oW1g*-Ia0HBp*xh@WjICzsTPRT-VD+;USq(A-zi
zRyyC}zD@vA@Z^*zqZ~5!`ly(Z$eX2Ng=)M5zhp7Im}GZAQrUi;Yjx`9U0LLPgYRKd
zOHGa@wwk*THMNX3^0AB}Y+PzRHJu;5)gxs_3;EAuj3b9{w>7mss9l(taXS<!xO<TM
zwvE^Pas1@jd(*1Wt-m>nOfGPC7VFSH;Go1*vvo{l?<ST>La3Tjd%o_%2^|Vwb#jYw
zld5Y21bt2RDEX$kI+d9;w<Fc?@D`-`<!`eeHs{<fFZ%w=gf~-P#7x;+P{!YKr^Nue
zGL3DAwBMLYoKY<{<o@)aoyIRav6G*RS`-e;YY?rg8)fl0ovGsjo(iEGY#V*q8r|9j
z4+1yT?TruAQ70x59?Th0y}EQn#K2LI>CW72ya{D*GufV{;n&wMFyU93BA2TbCK0Gu
znOInHt#oSkj^_r6>Gm@y&qO2f*5PFIQ!7;k$_FD!nR9f39_L$_F>dA?ow`4?+v}xu
zqz4_$+p2vAIX{mrV#Xp?t1|=+qM`r}9Nw(4I{PzqY-9Km=e!1CYF~?7=9H%k(iztT
z^0tKX6{-b5>2c12{an>o<MC#qMZR~*G~~0@MPi3DEaj<ud*K;x;{wCn8GVUGF5f|&
zXnx600{qH!wbpEsn$+L1HPd7`>UVJIU&_w2b1aU76YQr=(767>$<iE*FlF!RvSv=|
zO4IsE-mHVh4w!dvr$PCH1w+1#@41%kk>*x!%^X>486JzF5m_{-hJf%p=cs@PP6k^&
zGzqf2;gQ)JoL%&|g(L8vS@k!Jt(2~png>G~P|dIFu3Tl%co{#tb>qd(8xxHz@MvQ$
z3ozRU-+ns4GmcXQmM>7i+nP9ZIM)1cRRU=GAtHjK3xnzFv~IkuvuvR;1s|ZfH9Ar{
zWK?^hfN!ZtG)9v})+>p`iYnf!RFWwZ;Hmv&ed7Sj<vlZr-ogt$NmVei+*S{<nR6m<
zvJ0Bp(5)a;vF>%!VK()qtIGeC)@?6ni9Hw=n25bNu5eS~__Ijnpq}>?ANMd+N`LPB
z2FuwwcbcN#wy&(MMX-5ryu2!|cVf8F!{~=Pnec4XG_a3$_EYZfkaqen@kRyf)CFq0
zJ_2!2W&QwnGu`_>=6)&MsVzR^Q{J5hw3U8xg<g}`+&OO>tUehpuX<mXIM-1Z@d;Ju
zVug}Jlof*rPn91eSZBqj+HE*nSC3tJEqX;R6osns^!)g@m`kH<`D)UZc2xPrOW<IA
zm3F$n5gu34kUe>|YWl}$%W(NNrC75*zooT)9Htyqo_~ezvfT{*&YQiq+S_c@!RlJm
zZ%Ly~5w+}$cd!f$yGs=YhClNG6)#(`{I02ncl~U+83u&omFqVbm-r0j&DE_P%_JKy
zUbgSNe4T?=rN(3Uq-9oH(ILR%k-2s%7TY4b@;!k3^J75?e0vDEabHaa;ce+rGOy<*
zQj03~0OyE(CCbkvlCjchz3B9;^-L(&ITFfO2OmWsCY?!SF7kR^Br~U@kPl|jHXu2)
ztzV{QA?#q@<9DE$-)>U%MVUP0;^S_yl<;;TevMi&6s?Tryf$P#?Q7R+3y=*zmyLP1
zu(hlR?ynOrn=E(@nq9xIU2~L9JKY4TbdR(kT5(H*MH%}_qMbH9Xv~(&29V$;w8o*}
z;VFwwl3|KDVRtRS_tJE!ZO4KZ$FYbN3piq?1OCgtG&8^9^waNWjy~uc{9L;b*1T_S
zne|pNN8mb(Vnq>%29#Y8<cqNo{6!&Smn5itB6wp}T4JJ_Zi}VsN(&l-_NcUO?gVT{
zBwWJ$liRpMG2A^qe@8!sFQSgNm+_BpK-BD<%_YZQ@p=4t|B0~HrnL*R5MiS3I%bn;
zXlKaqWRc?gRj4zf2|Fi+1j3Uh6pOU$w2Xz_W^N0VNxrnr*w{G2V2*>(S8`%j9Pknb
z*TYLs<}WEiYviglo5>SLX9yjkK(8jReQXm2>|oE1%xkdg%oufTTSJcX0eCw}U@VRk
zDUpg65uPs`A6iBgx#3loDGI?wy)(@~A#7zVZcMd-Y>9VkaU1rz#_+g#V?aff9F;eW
zNpeRP-zJ@gV-Yd;j?fOp36NGt%6$G&XAj5zbIu#e@k6jseC;*F5Vtc%HlIDdLEjI9
zC#NyX>IM*pphLCArAxyrL7$5dfM>~_ByHR$1^VXtx?QfeZTceF$b90;T(euuw!m*k
zi82X%C?af|Iy1UvCqJhE?yMvGNiZ^67f|-j*vd$>Rm<nW9CN8P!ipOrfg7)C$5ls>
zGOO9-<am&R2l;Or>)nd$Z|OIyYxp~>jdMn;QpjZ3*rJ5ZVwi5JnD_W1nS(bZA2V!B
zVehcSWHlr(HR=o*JEY=Ajs?_usvCL3tA0y{(oyZN8MKZ5&D(l?$knr(dz`}GK{i_*
z5HCIQXc|q!IB%)z+o07b@p`jg={vmf_w~BqPIhw_KxwX}Wu;-8t11E0YuQz~@rJh~
z#CslFE1l`YlCIr~E?<F~9$u8UUjp|120r>`)=!?%ucPjofOzJy9%{!vw0?knC9BJY
z0~S-sV%zORM{uH}HOPpMByW&KOK=LQ$C3c#ww^iS8v?zsrXXjbzTKR8k?Hlsf@xda
zE;Plhjhr{=>BMcUDxv>;DNz`~k}Ih^2F*dPd*72MF6e-AE|92^_X=xe#eVb&gDT9I
zvj!9Umz!qy0DDZ$b~m0zs(h^QJUT1887Ge7?&Jf;NWZ*zB#F(yto$Y0C`;%gYF>Im
zMpRek7Kf<I3n!_80~ac)4sA7|sB>!s;^J8eIWIH0o~n$$wl%hcz1~xc5G(0zz~_bq
zH8CyV_fHEqx3r>KJAbm(HfyZ46BeG};w3+p2Hn1)_AaF*j^NMp$(M^JJrPl_r0uzh
zHEsVBl=}W@8X%Z`TAJ9@8F<g18n)nDXvfuMgL}$MuMM0kYH6R>Uxv;JB1x4Og!LMW
z8WVB=cZM9HZ8NPBxfgR<+$NWcy);e9$4N7K5b?<=E@7^Fh5eM%E$YiOur7sbNyW|4
z>Onep%u?2l!1gmf8r9#*Q5~`U?9w}o^|5BY!_hE8dWt4nj>GC<yPf^~kmbh1SJd(p
zpEcddwFvyG)PsWG*^fBUIjy&-9@_*YvH@qxj`;X*{aM?_G%?<|beSn?EQ;M@kuMVI
zSev~w>lvHmq3KFlx6|kr+7J|MpQgoAEp#@lZ?z-pExaC6Pn)3T`zVUA%LCp2B0G(J
zNmnrv1JdESe*eExyU|8!JN~ZkzHs_G(Tqv0Vw86_vLM7D-&Rl!MJgXEnp<XtB%`$_
z&l}JWf0p~|X2H>W#<|<<->X-|s>+4Vjwy6nfL3|VXn9C*&wM#s8htaZij@T+pZ#3@
zRCgYxBfVgl?9}TXz4>P7H35L%5&NM0e7F;X+#yjQEyc}4WJZV@X+C_#Fu_iX8v=M4
zZ%Q$a5^tw)!YBaB5v}Z3m3c1aL}Q%zkSAM<spvjc(`=o!4=CUKgd1}c&CX66I?|nD
zNwTUftKXnG=w4R-u`vK^6GLR$Y6-ax1c><!<R7`t1z(9srlVo#yhgJT|87KMwHL=I
zKpHQf;g}{z;g$KC`Wf^Rny%La%vB$&jIkQkSSgIoyDByJTQpt^oCv;SGY%Bx%mFZ#
zim`lPx=W?9o8j#{ll%i;SfkPMHd_5bo<kFQu#CC-5!sm};Af(NcdLLZ)6W$9JrdDw
zQczMsePd`iJ&kQp=LjuF-A75p!+Jib=}+|k-r#$5HFs8>{4#EJnhXJhsH<9D<Y*$Z
zZEF*uy)nwm+KMBW@S|IS(~E1)R;Fv3>TaP{If2(Jq<;qS8TyY5ibsC9qU?)b1#yKc
z5gZwzn`B?NpF&Lfk-w(#YI`O-8*fz;>%5jT)q!kNM09DhH1k8}C3rcBx7c+fb^taR
z-uB~jS^!%uk;ft`JH43@Xw!K5C#}6;aiV-ri`@F^>Ai_>*eH$pAm`hsE>5{ujArX)
z_{*W{^9+L=l`ja;jaak$XV#6Ur8#pa*Jc-Sp~%|IHcwxB6<6uCfeOZbSd_TqcT991
z3q-|9^x;n<zDIO18^9MgYTsNRiiMU7`tx!>3~T}$tK|pg%r&?^J#@Z>m9n_jg*37u
zF|i6EEQ`>c7e8IRm&)cCeWZP9)E$yGf52yq7lQaX3F`&_gWkTr+C+34w>X*hnS|Ij
zcR8#QY`75<E80{REs-Ypn%+tMRCm=lui}g5Lr)xFrX>#QcbFPT_m7P+<-TmZRv&1b
zX$`CgPaI+kEOiR^%w1$N%hl@092A;$U193-G#`Q1WZT5zOK_!ny<EmHMbOCM>a#AM
zvwoOUV}1Gf*%=XZdq=?(WuX-=Y|Embx6k}zShDlv1#7{X8-_3CPAgt(b!R;S8s^p%
zaOG^s(S)f-CjOtXMsN7glL0rIUwPgZIrPQdG1Q)Ta{My>GpF9W6r&0TP6GRB&qz`n
z>;ev!=|Ci0tSSW%{6q2v-j}FA*j0wPQ!;;f%&1`*)kjAe)_GCLh5J(#HEw`+!a3ie
zjQZWIwYv(dp%@^Hg$n4WUo(?KwEOq|C&28>rzVF8?MdTu{Qb1g;~EfkeXVow@Q|zN
ztGAh)De6f|zClwQS8J3&{(fc$8_NZ%v_r;GDyF09fHW8pvAhcY$n>Z~_^SAwQ*$rm
z)(;ryoPBlya1B*FavN#bu5ULuU!VrOUdSG&euIiVn;Q`&_bRQ_;0s`x%kEu2cFJ$A
zS_{W59G`g(5%J=E<s*Ay0xk;H2hdmASSq!=Oq#5ha$O@!4kz%9m}l-wx$gb-|CH+n
zHcVD8a|3SAl7rTon-$30+#l3Wefy2cTBb2lPCo`Th-z5PuUlx-5@Y5I#etPO>T<-a
zVJxiSjrN2&iV1IAWeNJFinnH^3r4VfM0uYf8^ZeJ-?Ls32bd+T3M|M9SmeQWGnAXX
zz<(9_>@VuHasf<xdu<zV@TlJ8QYS9-0Nl{cBSCNHM_E+Rsm0t_JTwp{+!QI|LdIdU
z!DjnT4U432vhqTUDKB}iyW4|Z-rnXjy(J`1UUNo2;Zp>(*(r*6fR1iMqGMUsnA!!L
z!*#z$AohvQi5QnkmViNzM8{66$m2EN^?p(Ng7E)%U)mMr+oVW6t{B<F*HgkT>mf({
zZSzGjW|tW=vcTc9;c1;c)5LZRah)fxkfTIwH7Tti{mN82B9)@W`z-FT#cwVI-r}l<
zvIUde3KXlGa`7;}i+w#e<x6}BX*Rpm7@@nYp6Dxk1MQfNjO6&k1PXa#a_KECBjLdo
zKSZg4+S=I<n)zg<rZ~jY;)7VT{wD*7YG|Afi2XsZ+~3@JhwA=swFji=A6-0K1Q-!d
zEnw%JKOM-@poF<~KjPxR1j@Ta-*4N{T-_n!V)k=Ko&_8QDVjI(9_eL-5THk1Ug-c^
zqmzhnEwPWSyx^M&FhF`d8-@azg*Q7ZU0lH#Q`jNRynj3f;4_X#qfLb2U2Kd5Dic7k
zr1ARih@6Tr@O8@?S>BMW3m@q!O~A8zAGP=dR|Vv3{kuvh(}p0WZ}>(+RzFQ*vTp{l
zDV=tBWMwWYG(QA?R`6Pm3`ZGOjw>j$pZL<8i+_9BpmmuHt?(OIvy`j5GAm&-HT`P4
z%AW{g`OJWdqG#<%M^U-c*g=j_+!dI`V#zpv&Ul$K7dIhOgtL}5WOhnRTkZ2aJip;*
zRYuuw)Jq*OvRS>l6WX>mXfKfN^F@t>h^FuNJ5K=<<%5z#Y?v_>$q5<iJ$&#eOtY}U
zxF%tzwfX?>t?}a00J(aj1Yi^7(rXRZo;0k{qbmH>z06GtVLu*o9>>s|guj)NU3?YC
z!hfC@?;|_T=plnaBAKV*oKF`~Ph=`jX_Gt1)m;Gk?mbhv&9zQU&X=tw>)eGQOuW_^
zMF%Xly5j&$j#<4XQ7S4U&a#Ck<=GVl+~-I=a-Q%9=}!ZBL8=CT^jPc3ki=m!z+4)U
zBACMNSWw4S)2azy;owLl@KBUFiPdaRl2|EKt5l|if{8m(J`?(i2-%ETnGf$MSeX!A
zdHYZ%f1>)h&*RQ8x+~^-=Q?zE@7|$!Hz88mZ0Q%zQ;ut`if$b+mLht%Ip2D6eefSj
zA34^4C=$O>|3m3%YMCoKC6QqMyMoB%3aghz<yA<@#a<1GX%Mwf#GPd+D{_f5o#m&B
z64rTS{DjMIb3{#~z%B~^<@s?3H|jr>;=kc9lzW5qW8~4yGD}*Q91vZ^TvkUyIc*?L
z*<NZdx*XeHI4>_gK0aACFJ89Xnw^b_l#~_*i<XDM{-~?JoPj&wT}7Vrdh3&CXH;N7
zv;Mkv9W9WiKL{qoMS=5Xd4)5I<(Q5!HuZe{n;1}u;)D6nMc>o?bWjPiy)`qty@O-i
zV}AZqIm?gyb;A^e)5ipZQH_|CDEEe4?j>T;^r0FA*@m7ncn}%SV!6m^AC>>=C`WYR
zHSm#D>L^v$CN=c_KFizYm60+Zjy({HniP-!9ITur54-&FgXXI`zU6TA@E|PubF9tT
zE-t%u=<{IB3n8xH+*K5rBDkC)iq!c3xLD`!(_cgBH~y^(hqSSh3Yc%B8ewce2<S7G
z`pFR0QEi4$BE6B)o@X5bDz8t|V*4rTK_Q-VmMF@z(v}NJ)Wb01VfkU1EXAV<c1!<!
zBq=|wd(FdtD9CSH|DnwOheExaB1YY93dxesM>M&FaSG$7*G(=s27Xhd5K%j?`}A<G
zz}NhYj1B*Ec8}#jc>X8yC>&f}B1QLt*&Q0oHsg-V5u3%}V7A9(MR+mt1Nn*B_-SXA
z*2P10fbSQHfxt(3d3WH4XnFbBg&l^cOiwsn?*IABO5>eO!t)0O{QsKL(V|mLcps|w
zFUi4^Ud+~mhf#az|E?4M1U#cA<fT8??CSGbiEd~x9zvXp1e~lliQrrs_5dnZe}VpW
zRv<sVLX6OBg5R7o)+y-2v2Owie}77S;bNxYVP%DSPTAwr|7+#v*j8mX^@Ou7zkGmX
zL1c>P|8gNlUSoDnc@G?{ZU1d2Cmw2^*J3+N2pzZTjWfsk4kTjsdf*8MXn979;c8W#
ze-eA8Lbfs8OTv(-tWZA>O6W=}1i6%j9~w2;$(}tB9Zm5}2C38J0^(hD5>euC*-a*n
zX#d1hk%b;WI5AO`wxzA5ZQdWqG3$_$()=GU<YaWN;AaC^)Xi}Q#D!h0o<}YGDh?Y}
zCZ8=&|JFarBZcoqMR4gP7Yt{hw#yCmT@Q&{^wY4hNz&<zbKODbMV(p9G4pSAEawaV
zb(kfao*CG%&eR$M(0P0}s8C4Emm>4xg2Kn)cGMtJM=%1<o~{U4K9fy)Az6z5O$wgq
zDD`}sfskq?q08}{@!-ki<0H|Vpps_-USi6;VrTlY$rOddk$h+wYtM`;Qu1=koz+EN
zK)0TCj(8x{81Yxvg_=b#z2xiNP!hl`cU_P0axKBi><^p(m2ma!_1>HHM~oR1sD`AM
zoBTVK&RQ&v?Ksmx=3(|~dUVyCW_Aq^1WEQ3OlCMM<%YEV$JUR{x9(q@^5aUMtF5iy
z-o&T&`5;piUDs)jh}r$PP2MDEM6o)10XG@^7h{r_p3bbE`xe!?zXa@mW_lWw*?#r(
zZ?D&qg0m*+q`EEnfv*14R318S$tgq1$Im{NjvAjI7ta~DYyG}=`7A#FAuc|@w2zr3
zF#j*}iz0-5e_Sbik-NVCyMuIZ@=|px#^(C8frME)V}8cN9_}RX4A}7^CmT^cE=Zp-
z7#CTB{|rBia~#Whuk(Usu~|l@Kv2*WtzTh=Sk7ZIrl7H-;g^f>@&jKDEKudgZH0d5
z{tt!W-?x7bzvhcP;leNf<Do&Zf1}09{6qP|Q8xbReUSBFCdzv_dF(M$z?;vr((yBh
zE)=NL1koYq``l)_LjqPk2eLt;>jqwZW9K(czEu%~cFuG4g~F&nsn~?8ehn>;q$Z7S
zkPDLpZj?GqUVZ+n0?JEVzGZemCH-Ke%=76L!!5VKmKA5bA)V)x&;L`A(v5w0p&#`m
zHWNSO=mTq3PZJ*0QU1^w(B{SLg+=kBy?tkmK!ZI}$)#03nfG|738rfl>Hd@(ZS2)?
zstv7L%R!gQZV;|_L7>k*&~W!%3Q3I$bPDf)TB9$x2!O=IKnWQ#l-WP>Me#-G>d$tJ
zU3B=tlZ`X3(ba4(q008ZMCkt&v*x-1Pgg(8{!uT9t!IePd?n8fIHJBk`oeFeo8itW
z%=iFzBoAhnYV}L016EHfz({VhuHom{tTU&nUUP+hD^rrrh<5|Qw+!E$IFvSlx3t#9
z&wg8739XlYRVsnN`{I;kFZRl*rAXt^`A*!Uk&YCxVc~AkU-J}x4*&1fPo=$cRH{Xb
zJ=>bIRyDy>-=7J`fykaJSF5wC2at-Ri4nI$C?O~-?MIE1l@Z0nPsmZ}K&<_6yp*19
zDQ3t0hOx!<m{o#a-xk9Ey)EA;s1mKAbtzBCW&KM&9~f=Oo4c?9y|G-ClMm&!NCbow
z297-BH>(<mGM3$y!$IQ3w9y|wmt4bezoqjCmLLYUJI1wIXiErM`!?2^BDoUZOUMF6
zltH06Bgj~EL(22;mDZt3oEyh;M62ZM7_b<?K*=}iu&Wns;mB=1)RTFtO6XEeg&(X>
zGJjm{`2r9b)pexG6#+dUz~8KkO$jp>671a~Kh<poL4X{tr*J08guGbR28Kgv*<S%c
z5!?J~?(7;)q$LCPt2N={fo)zk)|m2B<**)_cT{n<txH_|@)!M#XrB{FR1f{^9^&#g
zTEDX}#Eb4{{<RV>b;)&hm0y4McI&*vV}9GMZ`^fa-nTCF;>fus+wyYw5|*~gYi+ZP
zchN(9BmD~Pg<Og25}it0r23@5Y#L1h6gXF(vmLey)--aplVi?38En`aWuhhzwT;8u
zsGZa-GUTywlFLy&tec6Lnww}CssPy6yzWXpCndK9R)+yDLyV%!_}Qvii@VTCP-BAA
zcU=qp>UMWVGH&Gv6FC)TPrEha`J0kKZ`~DkgbhZH@j5n1a#H&{c0pzu>6}akb)M*D
zQdUk?xkf|e)y287g2^`e_pjes10FM6DR=70GFyzw<~Fq5>*s;ev>3zu)p#jByX}cK
zw8o||tH?R|2fi5*;<5~gwNi^8o0<vJ(%E0fI#Y#RQA7kD9PfZT6dW81(Y~am7;<oN
zHLim69_0AfdD4ZaDglh@>5`a5Ymb<*r8JPG{950;FxKpP6Lt%h&SZF7QkPrYqUwLk
z{moY&v!%6PzNxE*V*oV75{00XO`tZ4qHvC)QS41G?sTuBOcnHL@vY=vE=j!jwh~zW
zo7s8fx%^vcc+6PS!K$>(6|S!z$~RWHhRlERtWS+|Q~50h8MAQu^$;1BGLS8gf&`#6
zgMp?48AGPac@cW;@$(=yddWTrJQemqx9jnH%UD=M2ncKM3&G1Kq`I{BKNQ!@JB#HX
zFXL4|Pr81&!#=S6HTkD@_w8fDe<)JFhagu9ykz3<M~!ez?uF|DG{w@P5gMa?<<o7L
zMB}12^w_VX1i?uOXezM+t%=mvaq&p_`_>$FuXE%8TORjO`o#OHHqaKOvtdt;UN_@k
zixDLL-?QUC4)F7O2Y~_i(L9%1CpYi~48it}-Xso3C|VXuYURlyocza#w3UyqRqwKE
zcD-kq0ZWsOTbq!I4tdn6P>kT=O-KKQ=aA?&{q$LXd6sW%+j+Cb(TFRfkd+!<YU%T=
z`&TP*=ue7eTL~xM0{$($FWaj7@+0Q&AZIbg-NMlK4S7LrehCN)`l~bZ2?etk`r}Bg
z(1Am_-dba<*PRD0$p><=92XXnK=m0ry`O8J*Bh(7rB{tNQ})shP34S3X`n`S;=k>p
z<7M&=>qoh?4~wjh(_D_G>5d|)1;z#r#sDrQcDp3AF-6t7bED(7?L16fRBPifz1j<@
z5P}JtQtK*`U#s=xncOp*)kn*$IxV8-zV(9c?gF|`55h#^343|*#{dtF2?Os(;tbr`
zfnT_LGMHV6Om~|MkYouPh3r{z>cLq3)yNv>;TI=0_HL5-hsx12hA&^-#Eo++BagEk
z``=#l9S_H!M$Adv8WZAm?BuZ${|TviE(QxPFZmNV!-UdklQAfh1zo3iOG(SNHhp^}
zM63&)2fiLDob_GN+JCXZi{-2P!LBM5EbjQRvvETG+2kc_{!E?K#6<o0#>@sT<_2f2
z`!=pyl?4yD#QV8u-<CI^fuG6$I4HPc;Qq#j(|D9Sdzu$EzD(4`L6AsVT471CAl-T1
z3290v;v4O14Q0QV`O3OZK7$E(YV<^2rfU0l_z`exp6`g}40Kh1S`|JncadvicH&M|
ztd2JHp%+vp`TE`GH*zdla^6>7jaduc@lD9ur4shfI44T98k;fWTvIGi>}20d*VW`%
zed<~5)co28ViQ&droJCOeX9CZN*Ve{H)1EL`@(TON(~a<m#es7ORM^#=bRgj%%`Oy
z+vctZG%#A>>!lKZ4gU^Qh@1S(nrFj}4K2lvE0Od*$FYU;5`55bCJ35#5F`LK)n4Je
zR)7iBEH;qm=(Xg4m9wZ*R2!MAUaL$nIAPA4md%4-N~sd_00DTT`HLy_>o19>_JTJv
z{S=8pvgGjt;acf$(!Sz<OkINkDOG+U67n{4kc?wF`uImNeRuRmg>l!3#3-3&*<!kp
zIK~DPTtP~hqw;V-wefFKOTMy9!wz|jr-=rFFOXj%Gs`+tm_N5p?@h;6Gdm21TYvcL
zJ_vAKhT5<b$h443k(6}W0&@$)wbOsq&9+-nWlr0h;<nCki!b{IocJ)WBae*0r|*n^
zH&5H?w^DUQxrAX~eu5IK^dm^x8|9#5UVSj?T<KZnCf8`i$~qFqxgX2CV&MN!l*+d4
z2l|<z2W=(d;5Gf-M9E<0{v7rSYV%doTH7#w>!z)I<3QC+uM+VljymIY$ubmM%&u80
zf%a)c&o4D<*DJBE6Bjge!e%eDbQJW>XNMDg0-2E@nubbYYRV@AWA6#>WFua33cYW>
z7~&maW&I*7+zdo9*?yL0>^eU6c%SNFGA`>RQ5IIOm}#*VwLj(f<eEWn7s78$rPqT-
zY`St(TMd+I%3BOs0@B>svXBK0+2v$0xxc=2qJyap11`~V9DAlVZ*55U|GYrOQVhO4
z2~-6o=)E3iVJyN*vtnUwp@9=F6n;tRD%8<&(LD+{TQNzcnX}0cq}cZ7Da?1g+@pkb
zi$zgo?7b26jUK)x77!NkU^-@3dW#_uPe>ehhxS*oF8JVT*sQ7E9Du7s`$k>Hs@73$
z-0esS5?^SXBA$0O_w_ueGV<XYotA~9l3w9G$>edG+oo^UFg);AV=c|t+&2qO=42D=
zjNMnvf_4trOf@<>(rF;oOF^SpV(l(6|Nl^&xZ7PCxbH{W+@mKE>p5Ujp+^Z|iVuGY
z9vN_TAR-@kp|yzXy2eb@x#tOn+dQsN86?7UkI+aHsM+3DuDncuPWMb3;fFEljq9*o
z<*G%>%VXMBU0ci0ruJQs$zY-7U<(a?<)fJ>zHhvI|5h+Y@u@4f1u^^8t^55PXS;om
z2K_(B#MfJeo=zw9`Z2S5`gv#;PVyyXN#TcUL;}Cx>!2F9x16Oi_TQYPSGBgTo&T(Z
zZkhAdQQ=Cp+PiDSPKYLCuy(<!e<(G;yuDG4!={7+E>>tu1GNwk+k3ner;j7WFG$oQ
zh|N2!goWg}C#ve~sx0dtiy8%hNjvu(;m%;n4Hr^fIZi7}GB4__&c|J|lZ@^^+#P=G
zECHODqQ=s|foQ%SbhTucaLWfK<y|FnlLX?z4=RCtW#(gYfz2oNN3J?`=kK`uN`AK2
z_KX;IO}J6es@bmen{&BZ1gQ(GT}?wQ@>&VwqD7@$B7H3d+86bIwb@*<bs8hWFuHOf
zK0fWfTU|ihxK~@Jq+2m!iG|tO$wKPnj&%07gZR^i@->*D6x~!3+|AF}$h5U<Ob}fr
zD6`^*E;se-81U^iBdGqz_~Aezlj@vGQ+f-zqqIY|%r76+WkG(bvyR5Eviem@TqFg5
zk5!2b{kP&~o6qV{aZj9L_+9GP@obGIufUl&R)y5ZVXNDBL!iUr*yOgxF;K>b8+FzD
z=H{Io?kLoqLnc>^?^RauYTyPp)^=<NI+9P#_QD#ylwx$BRoCMEdvTnSi7jTx`POr4
zH3~>Joj!Yfe{IGnb{L39;V&cv8C!FkvPNlOYRKBxo+mJk8Ck+)Rr8*Wx&F3AX;Hn=
z8OY@xZ_j*64=OnlkB_0-O|0EmF`<C3#72iOZ2EC3L|;hI_S)gfvM^ZH%nMi--MT2n
zAJzTl22y&}w`TJ{P;xc??AowM+Bd4WJG{U!Rq(TG5OvIGq%X`X(&#dd{9HAG<E70H
zq=iLzNBoXeIQ~{1pMNfZ6D^eacD~&_o%}&%TwzcpDb&K|-p?b*ALoz3`(T_{vr#m#
zts7x)_!!hN#g3(ql6rCSyOI;)?Re@Gk3B7FOd%b=b^9l;n+98M6=0r{M(@vZ9ruK8
zp_-2?r9}2qYx0NZrY;(}Q7l?9^3ljwtVg_@0uXf4s9cTrv7w>z$lUfJMx%!HCQWIs
z=6|$%SKy_$;B12I4V~n%K0qVx2OTM@>k0~jz4K2m)*vL6w%#!?b@`SqYgI<1UtIz(
zvjrpUR)_2+htd$oL1$7Cw^u4r(dbdsdvMF30KBQ0?aFUd$c#9h%n|7>6aq!v`*mN=
z+qA443R+QH3k>PPgkq%gF1;dxv8etmj9vVBuRnJOR%w5$lV$jZW($I>3x3$?*TC&|
zLy$X<j|>9sFW4**F4?DfaOPtjb!d||`#8T0uS0?g>eP8R-NDB58*|Tf<B-h7#b)Y`
zWapj;g;JH=+28CSK_&L2NVn!#ez77u8hw<51jC5Nv-<|>HM+2-*Y=9N*?;#eNzuNd
zC50MmNF@cTF~IteU{-WEBH!O9KC{hjuW8%og@@*HFO+I)#KZpAJHoqT>%zZlbstzv
z({BXQHGSpg(MCl)dH^T6HV~(VIH@qvNMa@_@E=zdqHQxYZ@=aYHm}}o+NG(WYhNFd
zGabn5J}1Y&1Oqm6(Jmf?oP(u;IXP{8CIy%N>^8jRu-!v3^gmNbt^MouPj3{kJteUF
zL44NiO#}tQ5F^LPTBB}b`QEDa;I#0%%yQVk_V~K5C-nMEu>sV$GO+=_kQL|*zcr1b
znzz=O#))pr;Z;_PI#4L=3%t8H7#4bnf@-C*>EP~~6iT^!dxz8^n+4|?5wxa_!9;;o
zm-C3(+Kk=ClRhguBf8&5yYfnwepL8vmgQ(Mmmvuw9e*>6o5>1VodLo$v&|0=<t+tE
z&4|jB_e?wY%*P|rFm-4NRVrE_jHNO7=?H)0etoNSt3;eI#joMl4+9LaqOobXt?Idv
zK|2>?+5)rWIsf-2O1kO$Dtv&Yys?9^uq}R)4@3rsxc?P1hFg0YIyCLO@By5Tkm`t4
zu?@TPLRx+y2mh_TQhG!4Rz5x2nVkT#l}A|RXZqa1$ZGoi=keCETZ$QF&S_<J%w^HJ
zrSo*03B~;~uiqUrdoDllSRxKG#YiAh5#zpbolRfk`U)=#k@e}XR(EyGyE~_$g<HG0
z&Bee$le5)+4Ihc1__fquBj}{Kr(;fxR!tYP$g$PeVu$?yp;QFl6B1K|bY01IiSZQ*
zeN!&WMgEn`pX<W?dHDJ)+lgBBryEmCN5AX%;^cdR&N{CAhU0$5wyc@2&Ze>35b6Ui
z8wp)vc;kNd7UX-p`9i@MGqa0(hVP$}CEZxl91B0W0An3ea){;V#MRgNUM<7Jt!es<
zi3DMi;(`a|`+)J$(FtKusRESSwthEA%%WhdQ#-GwQj`bp3a#e%upS02T5HUU>W9q}
zHXAFWZc)d}Q?Bmy355N-a;M&M&P#j0cNwVZzeb%GmHe#l21SvDpl7;WMe!V|Aw$0r
zP*Sw;X*pu2tN-rMqFxwgceESBR;;k7!gtaBE}<^nZi-mJILd-EBzknep%RanD!tj4
zRL8{`3n6_uXM=~vf?Lr1bF?S@El_A%$gaGs#Z~@nt9jbp!~9tjF5UO7)x|Ha0NObG
z+Ql&-=VB?5p&^)zbWDgfdbSwikl&_D@=Mm7v2;GAk8k@&V{mcs+X@IUtFGoeVSnhx
zquTGwKO3L!HVxr`{lbuoN(T+1NTxGwSRE}Q^ruANA^UlsL26fdKJ%aK`a~uHoAdq}
zU-0RgtUn!;2;JMb!5~dOdVuXelsHSZ2{&O+IM=b2T590Yz5ZEk?R~W1(=ZjFWi1;$
zTa^E(s2CrG$WoHZ4$$iWxP6SJcMv0WC_2>0%A70lnkor>3d$2+zol-Avjfm`)!LZ`
z2r9O>0}XbC-3(QY&3qPPJM;m19c6kh739tt4LR?+cES97Y1l|wG6YAdJ>U%mgxNaG
z(b6PmO9UTQL{(LJBZjVPZrC1FqbA7SZ4;>HF14)39XVnmQgvlGd;(coDNVC=AiMV8
z-lI`oPO=<t;R~!H4!6gUM5@tlllP~TeEs8EQVqRGWUKs^;=$`z7@G31Il%5+VF=->
zR||KYr;tMvH3c7-<HF^5Tsc`;l)@L|s-^7U)LN89@xKXT4og+99EhpvMRd`%M%|4^
zsh(Q3&fg#RY6T5L)DoHkgr}<ebvV@J^hZ-<>!>5*k&@+F={Ogrn$o{;lyeCK<MITk
zZ};u~?Xv%m?wOd^{*Ug}G`6po$eI4l{~z6J66M+KCb?Mu-*s=`R6Zmx{^<K|1ADFQ
zA(7!nSR!7bmcQD7OX#v%t;=&_(CVOeC$%%-C(ny@Fxup!1g(ht3pGLb<5XPq2IyUK
zg}xsWdXcWuJRM@gJ;g!Ge{f(@C*|n2xsJ;hQbvC!39{eOAADR7pu!{s^=mK@+pU`+
zX@&4*7h0N0;{^l#KY0XULSHA0&i-xCXuEgqKCHod*veY{SCEB^Iz>;Co~sY(<f^Z#
zzZU(?9HZewjmvR6XUAVPxBVP=7DgY|WkW=<+c+dpC4rjeTd&e&G#P5aQYRXeO`hpx
zD60k3_=W}GLmDInRR!|YA^Abv8810r!ejP&|A@Hnr@q0MdoNppt{@y9zRVn%DJmSb
zLL2t=#`R%I4bI30@?oUm<++{HQDx2ROMljak&kK35Ca1bNgp|X7_rIvSITHN9ATT~
z7CiQJTJ&=yJBRRWuNVWtaKE;zMA_3`prmUYZCl|Mq$oQ%#(sOhqPw#Gn+2^^-cWq?
zaa>JjK4M52QwfRFpg_NoIR6uw0*3B&T^Pa*OPM?P)yPvPI)@Wc?YH%A{`3gP_ZkUh
zd^Za1JPD=q4zRB`=<xrBBmLH!V7#0ZFP1vv0F#~jc4!95N&P^|R;2Co9J`Ed%IVFj
z7vWYmC)@4nEWNe6)y#Dv^uD)4!yC~Z%md@PkBA+Ea`@O1Ts(jYYhs*ry95=(fR+u-
za_IpbEsDkA<x?>&2Rkn$7>utV?N$KIWxWt|3u}i`<Bww3lmMuD+Lh4e+uQVw&lp+H
zXh)jF)@X*FS!C$>!mKkX706<MNIb<G)`s(;YEH+w)t@(ViBjxpQv!h(u0mkn{`Uzb
zuZNWOLG?D7nuA#ejqVn>9gyW2Oo9RUA+}%}n*V!NGE$9OAn+B2)6{*6`|CSzYRom6
zd<x&&ITT?+I+6ES^H=yFh{-ZESj7&y)}A%KDk7GO$H|=xQa+N;xBI5V=$<}lY_-PU
zW^DR`ix#@i83=2>*)yQI>4K#gzNwPh+7=kP;E6rxRpA*Ak=QDL8=4T58?SMlDfaRj
zarZRDgRdWUKgilK6A8~CGtF+ey4uVYa*WnnK1#&i{8cul;VvX+!Eu-@K}s;L8bK|%
z8h3&WA)Fl>r~IE=yIEI?0c}h}1rDBEGn3&|3rqOlaKj07)V1`uH2k1IJ{v%r9?L6C
zp1U{prbVfkduFx5#b2L2Buj*01RENco%5;_qwQ`Ui(5+|_m<?=Squ4PZ+X4V*$WHS
zS1dQttK}&d<0tOZJSgJ$nx8S}LZGsjMH*fc_uhfN*`~i*@JX;#?V>BRj9aH-<|^yU
zx!Fcr1?RJq2Jk<j2cFPvy*faC>a>3`dQWfLy=k7{sZSuku)Pf=snW(>4c8!xdHVIV
znv23+kubrQaatQ`Fu)8}FX1O$XM{3v>!4v^TG7tKu2|R9XRl7c{K(f#YbJNx&40c&
zhecDp2{jiy3A^$5l{2gf-4-<M=OFebh(*s4G4toUwnyzz<E667i$>;poRq5d4Mn?d
zYUUvP@tRACc37wlCta_)>_Mj`TR3k5G-P_)`EPU+A|o=6=U>ok9<}f+9j<-_QLoo;
zD!08$bFSA9y@kC_XP(~ZnK`lX7REQmXb&oKZL|$!Fd+&td|Y=vW6L!fRirwa%W+mk
zT6!mUr{}*W8hLP5Wu2x6|Eqd0HYtZqOE15Ay-~$~y!wmk0hf@guHfH>KO$&=fc8}f
z8`p+^A_wyFxBfRPD?J@wnkfkg&7IDOq4=0I|M}AzI+ZY1E$tC2e)dwR<u_P9Y?W59
z!9jN`BrxWjziX?wYrgh+FtgbP7SPrQ{=vVRKzMl(ah?&!)f4xLcT$C2N{b;Z<7WEJ
zvxNEY4DMB`?PE^S8G{*8{;<CDK&&kL2Hu#jlTpr#ErwICunR0yxF+_lXF%EGU}`=I
z93?tMy|X<<G#qQ;dYki$R?ZT1p2`^|AS;jWc`2jc?7a2*SwfZjc`+lc#?g*Tv4%#E
zJ;u_xZT}HQ-i+&r90dfY1L~{_&Wjz;j8n}4-G8_Jgg>nP#>_YM{eLLj8-sdP1*9g>
zfx7OJ)4J>t%cjDmNA5lE&QoWtNdaI&fW(yt0jtvlpY?j4<Wk%)5Us?sYH{0p@jsML
z!Z(EsqWu%;-gk-(@g^i7h@E5<TV8`^->NNv%DC=8k&v=R3^u4dzqzkIW>s_fjq)8~
z4lT|e>7DG94+La2oBL-pcxk37BQDc7)=#CVP>cNvcL%QJ7}~X<2Yyh<SaOGpQc7qH
z!Gm4RNyQc$I<rA+!@?(cOc8Xv0MB<AHf1?oSsBC?!;UaL1}hDRR?%iCMQ0x|rCw-z
zh_5bVQ2#Xd+C#4aFgSPwv|R1q5Nh1*)cna^NBrgXsTd=z%tT#T@r4HSivohm;9}H-
z*b;$#`RMl4TEqs;!ZpL>>OtbQrk!?EEuIG4L!A;ctySQ1MqiaIN3c-q_eGi>$Gb)t
zuZp760Mtc`(}b59M1dw1XIjo8VA-nCsyk#w;uWT{eif{uO6_G7x<Rn-^kT`{6op6I
zFDHH^Ws&L5;ipE!fl&2>Y_O~%De>^A5PJ`fucoIjdz&fcmuMOO;s;}3W$Vv<bm_m4
zGRI7g*d)nz=^xMXeE3`M-r8DM+m~!x+?gC$yVp=`^_lAa8G?pS`)Y;YHUm?ua=<&*
zqWtj#N&wzJ<-d`IDGOhr&a3R=;}LT!w*}K!Gq-M^bm0<{&PUmxon}9G95u!n=qvL<
zF><~JsRMr08EU?W-_p!+OO!t^Nw@%UtJZ)U9K#BzP#F+bu#K%yC!0#@<`!ZzRQR!j
zry0cNB5h*5+Fb;)dyDR2#83LR$?v6gf4ae}+mcIY3iyDIlP+h7!}Uf^-1Pj<^*!dg
zztN8G>^Xn`&3`CDfshYuSN~+UYmfLhaVSg|-tTzVRJFZjm`+M7KP&R%K}pcwO5F^A
zIqLp?!C28+pa0wvZei270l>^y>f5(#boeR?7kz2P6Ri<XX<t*Lwlv2%T8lr~_yfw6
z<!xpKe^00z{{1w1`x}o!fK1^2Y|4s-s)$X}eGHla1!hFL3cuL)HB=~+4Dy8WnXe8a
zrU^u5&K6z8XXLqxgIe|2Of{L(TW6$l(M;4SO;S)|<|9ico#dm@^MDHycAY8YgIlo$
zTixA31OER6UwrwrAGjN~&)*4~Rd<??7^)x$7odleROjuVr*7#Mye*7J%DC9fu&Wpf
z>G?aj2|L+qyGWI~UsmY8UY(hCp^t8@=DRP{&7meXL=%_2WOku^IRQ9%`8SfNNTE4R
zjs28goljPlq6wMn^h<KBA<gKBE$4Ezpwk7zp^6GdztwFdTdWn=k^PCOqsRl9Zr|HN
zDx1vTJ6~l&{upx!DE@Uzy1!1x1`wjLAFZ}M288U~j-6n*6rEC0(p1bRf_4#I?--Gb
zh9<rf;RT6}DGBqvccHBss%uM#uk`sbG!s`4mAOKWHP2TLIlZV0SgPxv<HCia1=74a
zt`cpk7f@S*5+U>*mS^N71B}lLPTS~>CCVxf`IOlutM)nd-gM%H0xN`(F2FSRX4U;^
z{Jx1NWbXAp-oNJZ?<AOu!efG+z($`ppsGCfz<gy*_9<I%qbqvNI}<V?%!;HN#7pAe
zm~Fk0yo>1t@MaZnOUKLdUCtIHpOHJXH!)3hBA~pteaDCK%qo&-Elp6&Uz@M_-7?RL
z&U?YU4P4J_Ga*({$}kGm-(+hAEDRjLsaZ{DRoFiDV&wwh1>p9(M+t)Aj|54qct?kn
z$RA?$jN8GTBCg&z0CPiMZK|-w91>Hg-DN|uWyM7xx6Z7^C#VDJh??l_lNcOe|JTv$
zhi{BY0Rc2>FeX?#Bar~l2w&rDK>`PAwDmQCQqL&l_q&5G<6P!ov<XetVa&JICU%i}
zL?$wZt&!OA4~X~~r_gZ@RHo9bD6}29f*7~Wm5A=aZc`A#In>*+-~{USU=jy9e?{=g
zTKoGX?Z!px8!g<GDi_D3zxE@Brk|K^oXnFYP!%$<cj;TU!ruL6F;Qk4EcIP^_^$h*
zJ`k_78$<Wk4}y<Oqc*CDD|%Ghb|zT)wUKQ_VZ3jM>49v<g!eaj|I~_Y?^)Al+WJfU
zA)$O$1=B9P=~h-?0u~LI!<|t`7l6dTZ2+=%Q)Q=^%>}+LGoRG0g-a6{<5Y0XQ+f(p
z`Wu%T-9~b9@b+=k*)k@2zA=T(6%w4krKMT4>d?ptNX8sq_F13-tku&mjkm4TH5+<%
z?i=q?^lzQrDSmD+x;$!^>@}ixJ~|(S5BV|zYZ96(4cw4sNy8`WfmxxY4%7KV5FBCK
zGl2vo(!@2y_g&alw^NzH<rZ2KxJRVgWhc6kmLOvgNOfpB&6y)qkB+G3V4J;BVHA_{
zL*@d_Dbr@n71HMQVfyBhwG1B!B56>WR}Za5%nt-?f(EI5``k6fUBugHQ?UrS6$^!&
z>c40>Pf}=cwR*f|M1RXZR3~60qb{syn`b$4X*)tSDc?BobED1t-X?U}Y;EniWSY0*
zs;@_F%Y-M_9!!+BU_03I&9#&GlGF$nBW<OOz?LVJ>Y6F;er&pvXu~Rn?$W3!J0|S?
zr9&9^rHF~<S6t`q3j(<3)+2W%8VM}GR4}n-woB|@Bw(%GZ=tiH;aLNR8_G^I3&V=r
zaAy!}{KXUAlHOt>Ec9#+lt`&?^sF@W(8-w#<kf8%F%zRw;6gn0Zi1^pX5d0!zN}$@
zUNc!evPnMaJuR^$Q>}w~)+~N=71taePd6<Ewb4V~U95WF0w)^3H&0-LO2_>4r|ve|
zDKm&>Rn8X++h$nd<auhk-T6bN5SN5x4rFj&3U^Th?Y5h|u7a?E2m^%wo8o(oVwh)W
z!JF}ZuRr2=pX<vk!9rX55SuQ-KHkEIWY-Ma292yu2KbN`OS?24=M%<s5i<<E8Ogzc
zBjBQvORoeMr}{t&jr*ec$19=B_eN`c2#bn*ev<ytya|W7+X~#LAH13HYgU(YIcpU4
zGo(tvx9q$$^LQ7v60yr1Iww#qJ#mc+;J}2YNljRrBDBZi4-jdu9MqlJ_4=sTsg&sM
z)*ExU67z0S98ch_jUeH87d+q(QRsvUC6GkL>PqHlhW|JRaO2Acy$dM0>kckX>CXy{
zXgg28lxTRQKwGX>>u;<JH{D%%80G%1#Dn&$z6ZhD5x&m{n+SSDgAy6t?1Xri<=(8?
z0fuJzmATD7WDc89%XN1YKHTJxz=x`)h1EG?B&KAo#`tecSi9NTX4+pSysv6@ao$~_
z#pmTcn~zp9+gMYvI2U*UNr9%!tZGq|xsoQ`@7h22;nq`NM45Fec1c+NDL?(<xVFKr
z+OeTgb`gAdD<O!|R{GhrZWJJ`dL<AUp2-f&_skC@J6K9IfLiIZ75onRs7^7t&nh;%
zPmX`?rTrt7;z>t?<B+RPb9**lZpFKXL2N5Uy8RV3vALv|RwSa7&K$pu_zW%5Y3^QE
zLxC@Yi4>Sx>AO;pLUigYp3>B*C%7K!mFDR9Y8ao{Hc%ms#C%xwD#wFuVXj?g9>+yg
zj2#8qI+YPQ+?(kL9oU)bP#o(pI?GNl@9oz&wF(aQGi3Ot`oGckRzY!e;kz#$Jh($}
zhu{vu9fJEHgENB$ClK7-J-E*>gL`m?B*+Zzkl?`sB>6VA@AkPm=YMKnbahu(b=9is
z?$y2C_j!KL-<vq8KeR8D@?@97WlJq9taYQQ5x*p0(8IH%aNE4(e<+~Txs`xW!LH7Z
zD*mBwPRNtHb8wR@;oYcuc@@c7WAO|1!Ty#HUGr$N2%S-WH@tEIJzu3dAWtu+U*ZSG
zAO2l~Ui~mN|Gu^IA_KZ;B8qn$+3m%J-MB!Lc}g3~g!xvqWZ&5Ydw9M+pl~8B!DED&
z0LvYAUsnj*z*vYuo@hQ~{mf{~wPDAnbZmUff<qFK#wFan#<pxJ(c^IfozCuklg3>3
zSLoVl_kespb8c%%Id{bsNqa8K)0S?YO*25}MgVuIp;mUsnA$@vNIJL;OOhvyBCSJh
zwc*w4btbif_gifN98KkTMld243hX!+5lupNA6&WX5~sYH2!yNc-=Z@OF$7IWF-Y%y
z!EiNi583no%iU1FX!#x55b;1aX4KHj4>4%OnkErBfrw@ol4ZBwF4r}D$Gzt}3R2c4
znxKj&-Dh^D4bgbRoXM4HpgLT@0>XY#zRCJm|8L=$-Phf*|4@9nU;hiZM*k1R+tQ{e
zt<?5+bIbJ7yOD0dA50=ymzvWa1>L$4R;#{R|M%Qt^mgLYuxQ{Rstf@gw$cYL8mn<j
z97FpwBw_EV^4a<eUVf3re<l##y@)IVzxInP{Efqzr^)B#%J+=csTW9FkhYqK0DC1n
z_fJ-@m~l^<@Bhr=shx;}71cX6@>;`(71_sa;di5nK!E#wW|!Wqa{TmPM|)Q>6Ep(q
zNUjZFu^C4B$Fd}7lWZTeTmoY~r`>f%LR1b+Ua4RT)k8pV#sZmYJCm0|8)r7t?uN*3
zhm;~!Cnh?Nw~;(1(W2d_MYV1L(3R>SYx@A0P~>o?C=}0V$x@85V^~kOgwrh1V3>aa
z8feAe`yYz=n&p^jHRz<Y(_OR#Gp1c=w9Qgatma;FWqr_xb+Qaw>Sw0>n6)duH7YwX
z(_;WD#%t7XKHp3nayY3ubBEr)skD|&E~&EZz@9=-7f@}K_XUJU^5uBzd^F8)k%m!d
zF(wG+My>Vls8@uLM7oSp{9=boU}>PZcu3~=x#3QP_u`DY^N*isVHN~EX#;YAt!o$g
zCM?bT<ck$nn`z#@C!MbFVNgTlvsM;uYHr}n{j?&G25!IZf86`h(@xRmeGtz{JX(z0
zG&CDRl&X(U)^Y!h@?dQqDRHOYrO!U{Jg5>*C5d4|_cRz|lI6hqD4R-uEt7iwiDvwu
zrQ<NAIjJGZpM;@AT+BzM)+*0!numQ(k*nF4*V5pmPo3sxL}tqAmwsC>Qg~4;PDr~0
z*9)%PiG^fT#u&e8=yeTNU9`UhVqm{uJiUGs(Xw9k{A2Q`<74>M*x|MT==_6|%{Sm&
z0ScE!&{abf3&z=#NRYOps9i^3_5g9N1bQEJ@_UvsgSYqn-Zm>p2>e4Iy<Oxe>!eln
zazo?Hp|Lx-%pQ5CjTCj>x`E}WMRzg${v|w{SvATle7~78+IUb7;z$}#<zOYw9S6*q
zOa|<HPNT_oW+2RR=UuL)*7C{Du7_9;7iwow+(vYW$12EAj^=T3K00uuQTXNFd`;_I
z&!^^!cyy9xHl@i+b#CVJ$d&z6y|sFhMvbH!0wO_zzB!B(YD{loU`<HqyqkWDnj?9U
zBx$P@5#~9%>jAfV4-xhBt=C0_eXF>vPfCkTg42q&TbXs6rhBOWy3{Hr?(eVHC2=+i
zEfiXMnNccf+-E%IxHJJeE*dmWhU}%|KK~@d%nYZ3I>f1SyW{<2ib@nS-<pRSfA^s%
zVm>w%eY)yN=ThM2ldGuH$<k5iFe$AnHS?;Y&M!E`lvYmGmQTo@RUn!=M+)dchp{un
z<oO-;zsX5jyO)Ibnt+mG{#I2e%er#0k6cbi6V*C$1jd&s>aeS;k)T_oQ)Om}bScY`
zI*Jt7$I?H{9+o$M?KBqKR?nLxF4`7_3=?g*>%2uk!1VR#V}IqK=^_Nj55cxkemG;M
z`N<>$tAo?^yalkd7N-Ys_eWJZsJ{%@<k>uP^pBlL`bKbp9jQwr8u4kfVN~0Y&N`4`
znkN4lY#+YM9X27*rJOyg65GzyaU<ZS-TNc{f!IOKVrIj!=*66J2`QftLMB$(oCoiH
zfj3(Me*{X6V8&~tcWX5oo90b7tgXsVG@lee-M;q!u;Wg{@shpTaV}ufh&OXS@1<2<
zB`dw+N?cyuGSua%3yz$yWN0(2-pU}>;jkO>Y_>REz1Q|WV%=tpzJN0X`MfEgIYG1Q
zOqw0H!BmsAr2mM{lBTN)mApx#i>MhcUk<Ml!k>sLtw1N{jpk*F<OinW%aeXRO~5Wl
zsp?pJQB&tlu}Q1mkoNg(ak%8KId@M8p!je8c$2Vyh7kgQq=7chj8u$|#HIdq#o#ip
zyXRzgqsD~lMgh{;bOwdHEM^zP@nfEE*d#$UBd@DGP7g81HhF+6++XSRS4=?v<oJV=
zarZ1S8v$Eqy&ZE(Yg6_He!+7r&fa{M*qTaghF#iGm?_`+^2EMR+hjQ(i(?cvwgPjl
zyQN<nN+e!di|T~(NX$r@3>TZfQ`Vk9>gY{fdXQ?Yf{jEsO%7*9KNH0gr6->gpJU1-
z4xcv3X-J%T+DY<k7wILjqO$?Y<T9>i<@Wx%8(K6#>&^i^t2K-3IRHz{-T*h{wYw6O
z560br%l*KXu&gDxoNPRvv_X2@)R{{NJiCYgs)+cjg>idRlPTM}lA{}sO4D2fra`A_
zcUf1rskO2FPwC?Om{HRvxDhE5#5RxGZmw%I<mkuS3b8*YAd5tKB$a*%0OG66XzQu3
z4^-*+K|@gmZ>}>pySjTc+E-|65u1X%0ROwqi92FC$%bqZ*77g%IXW#2Tc@zQ>an&2
zdG4_v`<ad`Y^1B+Sfxy?W6!h-c9U^R-qXq*>&FbA1q<36=sSHCSbwW#W*Z8+E+ng@
z!DB?^AhVe;i5PP8N{=B0-7MeZE;cUfO|Vm<gJcx=Ok6yTo_~|rxp5sT3Tdu3&8{Kv
z`?$bbX(zUb<bb>f*Kd_tyW{%2<${-T!1mNR_=-r$(fkD-HhwvN9Pi+JpEa>vggeY3
zMt&A~LYh0y2d*e%aqp!(Q9|?NFOhbs0V{(0b=%F|S89`$&+k)qNrlm5GVvugX6#mB
zEo_5RZ>+R5fL)o$^1csTQypRiLL)68TDiFfl<{5&=$U|il4iMHNThq^%>Wb_@ucM8
zX>M^u9a#>yG7$4?ZOY0c`A*a<k}r5tH!}T#^Aq;YKoKn>Z?)XGZ4gnDLD0U}sQ>r{
z{I0n!m;E;6)KuJ;mH%P3l6ngRj?yHJS~vYQRx&ROukSw;bTbnFPy>yb=~>f#;|H{P
zO19k51J@jyjx(!V?xWY-?dulQN$tmCjp^Pib+4C_<)5YlKXWFK<l{t0xlQu^3!)#(
zv99r^Ux8ZjqG@ZZy-ZsLmqi?|t^h4~2i9n8inl}dA@L%5c|{i+LtqmdvockO=qRjL
zoY}8KY}8l5?>`g^lVg?Wj7$j7L@Vy;)@gnKu)d+cu~Z~5sRR|&@_T{!Z8BDG=>~&H
zjffCpKb%F`Vm$mRXO)aEG;qQ_A}&|>i+xzWHhkt7?-aI~_}Wb!umISrxO~59Mnjq3
zZicbq>ch4#^h%8Qb=enPJoiEOGq;O_L=2Q^cE)*mU}&w2pjqjnpb)zg5wkSRwp-8^
zWtf0=f@^a-p#3|yYrermGtu9pLF5wr3ujFB@kHz)$lRKDYR|xy{RgLg2@}gM-S1u2
z?{;)0p#_Jzk^(kw#T04$N*BGLhE|${J+Y$^p*oH*?P{2PSK;w|i*uawTK;@>`F<4e
zSko`MO`W6XJt?h%<lqR6q>bdD-CKJ6EHDy?%(9bngEe@M>{L!(6H~Bw9VOdU?Haby
zAR%t(5#Br;GPoE6w+NUa!!O+KjADQfXUfcv4tC*DO%%0^$*DT?pUrf`#E*F0`$ju*
z>5Y;d;s9|gC;+^s6yO@1q<#-*<X*fhS-O|}l0k(iS@M2!t$BulGEXrBOUGPL)|H*>
z`?R@E3S4E;3dGGLd!<Lvj?SkaGRPLcB+We6Om$%6zST7%2=Gs(RN#-pcWk~BY2@&B
zxID9udh>%yyHt%fsafo=iTNt`?Lp(vvNTn)>!FWZ(xiQT>jHu*!abm;e;Bx~fH)yr
zjh`B%>)Z-tZ~dA&HWcvoj~JX{QTVnaw1y=t<NlK&tEtqFR72Wl+m*Yp7P)OhOcst`
ztDM+FxMQooIf@$H@7s-dDh@4Kozk{YdrB3i<4A(ZikX<@%~UAthyf{G9y$KKiPf!5
z7L!;~_n&opcvkQlJ5<Q2(0a3MjnIk+^kzbSsC46u1-nF&ixvv;WzeCVj+zX6#9nM}
zbC2sy_R>1>qLW0qt}rRq`=^St<kPge-jlRT=5OfgB0*1eRc@N+mP$>AfC6?~C-H69
z9EIHV#IgCrQ{niHDvg77Wt4(z+iZ+**og7f?9~3zUdvfth$h@+(ohRI%MHM|4Yh=e
z%%<d7d{<wP(L$~(R3>Q-qi`zjjGlc>#~OCxva@55{ecX|8pDjw9v?Dv$>EFCW;y;K
zO@iKZ9Gz8PIc=4q+%csu8cUtF1XrV@U@K4)^ZuHhxl5rm7ZwW~FeH-%`;>UAQaJi8
z8QYzQs`m7rK$=>}2%;Pb<YheOUJ;FCdFN>JQjh^xA`{}NnHdZP^y%;;o&Bap$M@fv
z+`KUwrMRMpN+!3h_qKeYDegh~y3K^#hP-l9ND1XlL6{auB>9*dnt?~qefq@SF&xBF
zP)u=OZ;gg8T+I*E4+mnC=zH*Sz;yZ>VB<#{ku!GCo)r6Z<5RqW&mgPxn7v}Db#hwU
z)pIc>yh5&CUa_!y(G<l@$vit=Ge?<hK{*{u_Q1kJK+f5r%m?}dMyp|0qAf+MwQPX%
z_sz*14X>H4VmCx|N4+(T7(a7WxBGppeTYe;yR-+JdCKe3fZY|Z%F=4ucn4je4htbq
zbE<xrs@aywUG^$+o!DAz#0zPZa5n6Sg=u1J?U}Py6c?$joG~gm#Oq-SN}B2GFT%lm
zTlcasoImk0vu;0M3_k7mf3bR^w9C3T-}{*o^t*KcRJ3>DNR%dH|4tsZOpy8vFQ|c-
zuIWg(@Rgy=zJ)JWqTTT;FNeOC4(?}=S-tHEBLiWl&2h2V>CSbS=28qX;Zd1DSCV@X
zo{-q4RM%4uL^iFkSDTU%l|k9MRFgHD8Ednv+%kdeDogsq;9zwq_v(>e3w24sgdn-+
z^aI5vQ}A{IhzkxKJS5k$Udk7oz{BttE~se~;IQj7`4IDhx_1r50>+Z8%tqFI!NWhu
zpbzIXwHY+IU%flB-S$^R&DZ&+9E;RnV6UN|AXa(jPEJ~KJ=ei3<MZKyjtPvieB?cr
z8uU7xH8gXd`42Rwnijt7aX=>F;2g3fnq~9N8c+*d<!!a&5YBAY@5sb4EVAxqz2tA?
zWztzzC5%Yt;$#;Mk)I`+*3J$|7<9iKcBSHCP{ov+p?0wR^8t%xU{mT>rNO(4l_O~t
z1c8=OK$ytITyP!e?if@5yoeoK`#fOg2uVDnAe|~z6r5G;8IdbHk^9}*$k%AnxAwxo
z@#zW^vyzi?8u;qaA=9&R*I^mu2t$hFV0CP6h<y5NP-jUyO4Z^rETS{b7~T^9Ucu|n
zI)hi@p+OkK5&wx>L$?y*m1M{YsNkdxpNbi`!R$#V&e80<BBZ0=+t7ZwqqJp(TqzY>
zo(H;_Qh}WVfZp!%M0~FG?bCKdXZ9lEP1%jW{OL(|GkxdS?uIO~G+MeaeLX%CH=&JO
zJ<FZQvt;O)@d9_y9PKh9)_Y^qZcdEx>;t1Hbf{Dlx|NA2^l^Uj(+9V#wS(p$4Q>HE
zar=%V`!%4mdoBAJNSdW%mzX8N2d{LH`{sz+;~jSlyiXyCJ()#$qXHX`Gy0bDHU8s?
zS{$!^ZO-~{$$iJLe;TR3w?k3SE&Rvd{0@82^_ZwZzo_gNJn#OAH4nY`o^ji#lk_nx
z3))`Vtn0S!@$kmw1}dZTDZzuTpJ2Z<$hxTmVsQg<D=eAb{k`h-`?&B~Hgo0r)E=?w
zL6AFQwZTfW9^m!;U#Mm|*pmo2Rf+vwoHG(_nn@OOq}jyM1QOKVuA_VC^#|Pb(RVJi
zbP62g2R{XOV!gcm9wY?ry<IN<p~zM1b%@6cI((0IDauwrbtEc{++F-p&p-!HEj9Jr
z`H_<I{Kzi7AA0+$-F2Pn)9&-8WG_Sh>z>rxiH;v-v{Jpjs%i@mF}|xO-5x}6zht9(
z??!0leAkueKejHPTk%vUcgu`r`sFrJ0Z(@d8n;B<?tYGoZ4i8m4za#E-_7P##3S2Z
zS;Q1Bl-h&`Q?#A^iF_~2i=OTEBb>PHt85qt6SXE@H*Pj%{ggp))iYCoAhlK(Xs<@S
zsmS{6{@Ighp`JhY?F#qL+&ipc!>J_B2w=6BJ?1n^J5CEE$tB^Xbf-f6hG`1xhDDfP
zV!wpmy_U{<yzs>->iU20pb2$H#p%n3Ux}?o?KL*GkQLs4%8kA`b>DOQGq3-|t`pC5
zDa|0voMQtY?oPklJ2QmZvj*9*Q#q%kwDy^*|IjsWkNv`T30S2&#i>nlJO{u(8VS*e
z{_Av<G^qFRr=9Zq>7)(`2cp|h2Rc&c6Vql3C{Zh_e2Sy|`>pQX<M!n1zhmxU9&)}-
z=Aq!6EG>MyAc=P5WKaHDK&VdG;pkwSLYeUBp1o^+N@t02G~_Ou7yIq<0Y*nED2@{|
zvm(F1oD4;K@?4maRQeZvy`YT$lHxKn2Zu-7qH!fOCg<BT+x!iv(@e;iPQPk$=B{vZ
z?Jmu4zAQ;<!rpA>0xm|c8@2Cz*)4sbwKtzq+8S0*tnZ*%QX}dMNRkxqkJX9YUpA_r
zRX05Sc;C%eD;#OSn%r?M{b;i1M?^3yL%c)7_iBRssrQq}QxR=(gKkK{%`}@q!rP*w
z>}gW&f-O@nqu2%5nmWYHmYJu5$zaM#F^{O*mrhK{?vV{P603gBf#qd+U9ywy{=pg<
z$w2<`dFq#7A$9G=W$V5595ZiO8fWEDP!an&m{0xhZeCbjLoL4R%_+5WtcKT!jJ-x1
zdrkAHw<t|wZ5y(ze|VPf(+_Y}u<m}hA51{}FwtAM@87z=toZ$c(5&vi(h>Nx`5j)~
zE4pUqyD?eHca}P(%?3s9bQ|f31xoKa^Tlhh%K_;CZ(-Dqo2En(G!z^?w1Y!i9#o=S
z1tnH2W=4mdc|ui|Y-$BhOzCb@zeXh;O+#fQMWc1CLH?dLe#57|X6gsxF}SVIWA&P-
zdpx^c{#5bA)Mo|Tj|O8H%*7G_P2P?)x>}DI%YjRCB|APSMPv8vMfGd<09nz?B_O}4
z<+?$AAJJV>O^+SS3m%^<TN_##S|hv1u~O-}9#~R)nUEHkADIvtpI;@o&>}{c6GG_*
zE@=iZI~?6vbP+Tz@I~~84c5$NjIy8nb%ve+^1B=CSd(41bgS}P3P}-pv4Kzim=|%T
ztA0`S4~#g#hzQ&nM%!ZP=7I!Qn&>Nipd?h#;5dk}-HI4SgpOJ>uK(+_?|G!}*R;(9
z4;CqzDA>SJbfeijR9uZ!ds^rksH<Z7IaB(5PgyKgy?^01gPD3DPdwG&1a)Qt-w)3q
z=7RY6wHH@(U>Z`!-sM2q(ucXAG3$6u)8*A0x{LW;lEI1vesP`JHvd<^KBe#P$n;jX
zJWRM=MVsTyHmAk$Qq21@39xFUTA`wA{;D-)>H7L9C7{-wyF>J)JWUZsPijq2z>kg+
zF33}zb-+TZU2N!xCx#BRvmZ7=CzTP>=sNg0Ztpe>?2t+cgxErm(MHhxX7Ep4&a)Z{
zc#IjZIfY2^053PD$U#lt^zELEL*N885e|K2a^#s#d-B9GGsPqX<s7!c<uxkg(EdNX
z=Y6m{o&;Nmf%V=1zFlbn7^P^9aK$%lLYEZ$pZSnBR~oE_zHkrvgq7|+*;*o8>`F`#
z60f2+Er<I#91~ZDOr(H;d>#V9ah3Ivn8XO1g&3O%mHZJMZ)JI0r(`HQ#!d(pq42xI
zHHSd=aYYAqi9CrdMOCfs^`mX?M-Hz?Ki%b9vDR8dZ!H_ZF|#$P@GjipvV(u3Be5G|
z{PW%+tM(6c<-`b<`dfdM47UKy8WH$(469Yk^*+26{ccgdXqh!mcJ%=S)2jIF!|TMK
zcl7(*ZJzzM5-%l$$u7BSVhE!^SHw$mo{EWJTpKM`@T#NhXg^{IjmLzJpA}>npO`a2
zudQ!_1vjK>s?+8pCYwDO<y2*cXR`cERQ21TbC7tAwx%vIL7gw@pq;v|JIn0g$uJ>g
z<L2Z?(Y@gIj5`3Z-l-AC(M~rIe#4B9k&%p&pJFv-FIt7QEbUk`gp*|1Ai@qxie*;h
z$Jrm&?QTl}=_2hrBB5O?wP7CkZ@T>djd`>V2r*S+yKY(X&6S#O_!H@klKe3j=N8?a
zh%dL5q4#^k@zG~?-+R&Pnp81+8z?KdRajRPXSsd%p%uBI{_wdXE9d#^%q66DJN4fm
zx$&0`xw?J!x8kYeS>^Zqon{FKlnB%%YC(3cx1hq?I)chJ{IeXUTKuyJhYcMJu%p?)
zzZU1s>`7OH9Wn?V@B(%?%!ZIV{0YnZCWXsF@*$X>P3q^K2|?g)GjJN1JQtU`%;DnT
zesFwiO@)o=eY_qlQ2jdw29H$Ken`6Z`IaQg&aVhO;*q^kV;!?Y?EMpE9)@s(?<(Fn
z@wl!StmJ0?nnT<~s4>y1?2H3T%Fo5mqwjm!qNg67S9DzI{yOqH<X$`WdwMKcTs#Wz
z@#RduWW7SU8^nvmbd@uW>PkrMwWtbEMs=433~uW!`2%ZVrC9zf^U_o|MAo~BD*IvO
zX@|WTq&EkjQcOE<x>kzVcHhQVnPIgqo6B&Gb?wnfX>JJiQtwl1cxO(+l_VFLF4?-R
zKl%t?ouSiHP)CiFMC7ISU1cW>o7e=u#5ZQL?t#sx9nR!zJ3-gth4b2-wgs7wj|zW&
z83<Voco^UrL~4aTq#GEN7i=dkm8Hbkz09?UZ|mPWnk>jrp89@qA;tA(KjLEiik~>o
zMPtf>Ud=#Xpk=w#clT3d`MbR4yZkTTZY!}2s|f8RPU+VkdNqZ%AvtZPiyf}N!w1mp
zA~;zthwe{a8c}D-PMIRy<T=@qNwI8uazaC*$O-n&xN*Rz#!%6*i})sL?rT4x#Ab})
zpQ;AsEKC4HeqWOBjzGnS2<50kj)H=Wh|l?|n#!7t(duQk@yeYMk~^gH%(&Pn6}I6{
zT(-BntVH~#{g4*_%(1g9S&P^meu!>+XkyO}W&F0HYAeFxapQ<j0{b~xxR@fnuDVbR
zSNmx!+s1+Bje$JQ^mBE%0m9EedmL{yf3=I<q<Cdz-K>dGH5orrw-zocS&Di1W`IV+
zE83up%DXIfb3grcnw>2QZ7Re^332u(J=bJoT(x%Oa%gjkywN=={~V5BN|W%AQA`+J
zLQy{@9_@Z%=5jL_D662vja8vcX-`JFD_iIh4);p0P{nB%FP^licI%Pxz!>&ch^<U)
zFl3uu&v~GD1&jHkYu(&mX8ApZOoaA#Vn3zYq|YRu@G{CM#!b|9UujkF@W5~ZAD@s7
z#b~Hpm9WK0`Qzd`!murb4_D0U-DYeYY__FGa5QE#mqTAG85MWQ&&+8+t1}gE!po;E
z67I*X0}NX7m(@>c*U8Nkg$U)$enfO?<TivaxA<9Q!A;m(tG)|$d(%%ls0KBWS;ptF
z)en>_NRM7{!JmfhPmJT^nv;NpLjK>bF0KO0JL})~Ks#5~#VfM7-P0K$?`@K4E`}Q{
ziZZARN8T@;g^J_|iQysDm~Qyfqu`@;c9#pb<V9HF%fu#peq5(c?WTbxK_;zWv6-C0
zg`e4f)7F?Z`^>=j7hPWgvkFxZZP`d_o(~FilPxy<vd%MEsYa#=fxqQ8^XzldL)W5I
zM_R6f;z~H<aF%!^6+2x{C9H>hsP+xfRD9@xEZ7XJ93)newvi6;)s93;Qz5f=*$LX(
zarAr6pMnYsr}OGKvtPOM`lW9VU+oPV^*im|1h<pi`eo?|?Ug#ZwMdPPl);(xG2ud^
zwZEEX$R&i2t-Rx6iYDkTjOz^&u^`;b#|SjnnBaPVFKYiR?3$ca0jL{dai5K^MK>;R
zq&->vg4hrwCNb>RR(k<{;%omCMq`%#x=H-TNVV~!C?5%ps}W<KsIfWU42aN+wZrne
zSj=KCPHqhtwY4^wpags{U~BiHC5Z5PLw$`8W_m@3HBqUCH0JZ?5o{RzOqROhyS#3i
zOG`g6c@@i?iq9t9Zn-Yo(wVNOLPgXATq;Jz4pe?k^(u|(spx9bFlpSx?XwNNYVUVr
zU%i7RXiZIK1jtxa5JU<vhG=3UamZ2lfJ|uU#0BvM3Hb^6%$x-e`7A8LFS`RL1oeA_
z@(5Q!7FQ`-W=G;y3<Nj}bLO<h6uNK3pWrRy)p&YxW&rHI2pmdf?~>EM;%B7Gtf)y`
zkBN9srTDYQE$<<CbMU{nI~5*S-0&@!@dqRcuj^_)za~<GTb!AQ<<@dDQK2IJQ<5?b
zW{X-#bTJz61-Q=tNhVP>0XlOU&DJQuB?cA#FA|m?CCn^BHM+p57^9SA=4LkTOkpm9
z$r{7UkxyYQ%mjab6XW9$g-sES;%K`I3BKHd^M(V68k8{eZ$Z1tky4wI75SsL0hOX9
zt6Sbd9rcWgpm|M1GN_-Z+6^16jn^wz)jaFA-m`5NwZa9&^8=wM?J`^+s}-vIytO{=
zRH0Z~?~Tohz`18l`^Gy#-8z_~z6!MnqgRR8BaJ57r=OVM>74k*&&**bNWh{5q86vs
zi8d}hrLeK8S`<?EOEM{4);+avT5(OF%~yV^V3w=P<V@?q-ocn=xyT}K(zM?ww<GPt
zKG!k6C4|%&6rJX9l~Stscd#BVH$7}d`Rj6b2^3*RsI$#4{D(rbL>0WMfe_tVemET$
zlzmu5!{dDy3}J(iA<m7piO5z}_M!03DR9dg^eb=R4xQH6SbNRR`FYu_=_?GDx^Xr7
zy&~+&-_WQT{E!pGegPd8HU@@3S2|IdSsC&8A~C-C{fF^rMIcthOY>MF9tvpM{4m=&
z7#~L{h`!`7<{i(_L8eR`yY3|vAJ0sm_yYBEb~om3%WX5XY&RB=H*};-?HS)@YngHD
zm4WYvd%vZmKomuFc0>tU(GjIqQqu(_f|=9ydS3GiURM0ihy9y^bp3Bi;-d=#|GU*?
zS$Oi<kJPmC`?65T4}*86{0NWkBg<Guso$fo^|Q#wnWa`fxhJiAV0}7bT1mPrST<<X
z0I7)f8XIC@is=WQHo0G0@^&<~&M-*4BDwN*ckPl6aS<jT8p1vi%$NwQ8Rq=QQ+7SV
z@Wj1f@m<Gb*=Pt=C)--;l=frp3}3_9^+YP_XrGm(g$Lo*8vdA<m!ed%gZCB}Eb(39
zPZ`+60K`M$|KEU@NKzmTG)ENh<zeT9*V@rP+|MXLDhuN~8OrfQEv_y-k}$IsWfZ+}
zn%yK<fti?zZ@5&<m%P#?R}*iM&DIsh77e5pJ&F{CcS|^$;bCP4xy<d+p~L9JZ+u;t
zS!l5b$8V(Zl~oUg45d}S_s!1E{=E?vzLa{YCls0gKOsf`??7t*pRPidgb~~D1i$<l
zQ_grBCRjt(`ocvX(XngPbh1m;-I>raeReAHJMatW<Y$m*BIdK^)e2bjp$<=X6;_YL
z^lH{$R;6F*UeKT!sV*v|fM9ovjkI6pnm}%+HQE(%E&L>o`S=!bMUFabCjU5vFHy1?
zJoI0&+x@z+<Xs;?VL{HB!QP|K<X&g1X$DiWyKGcnhd2y0_r5~6WtG&>y8<2w%IjUH
z$teX3+aFKmg_;d0=!=ioyy44PC+Me`YRPe1C^2<F6b5YqU}kme*_E5`+=~0-TJ}Q(
z%9FAxg-|S>{K}znK$J7ymPy@>hQ=0N!<Sy-HSS#jCLeX8n2>1pVw0^<#z#E90P+@c
zF2z`G^+VXe2g2b~)CP{kW5En26vH)~4VAsGMGbO>Rwg8_={>ZgcFd<#&D?Gp5j`3n
z6=w~GCtQVFVoU4TWXHTJb!+$V`s`E11ki(Xd+WFKi<dRtEo^jGZCrppGM>s-fOXZ$
zS_dxs5@C^$-*CC)aC=YR*-@JVc}EBRE0JThiBdXTz8Drsk4KmGYRmL_9y}cH57_0s
zNzstI3Od}?U6%XXk|(+<&B_OEqgC;b6ZNlskFIa-(4#*J(6IAwZL_EFAJ*{%ot+{L
z<OYis&@_LK5G;K%347=6F|?JUww=+m8UiP$7Nb<5*)AhL{SRf-%ZE6036#H8<s9B*
z)WeQh`fp2Xi9omjX(E<&Ac8t<my#_UB@Z5Yh5gy|cv4$XiB8i%Ctl-^ajwHSu6?u#
zWhjvb$49Gf;AG>Ba}a0a1|H@ra~_Hqxxj>uAA+2eT_0Vn8k|Q_v!-Te%?Ifiv$)JL
zzLFZ>Bew$mC143Y)LiEhU4~jf$?=N#5PoT{O**;#4m7k;D_(NEf>~^}K)14gc$Dc_
z{0ovEm}>(&kZ6Q4xvk&7<wSt1-OmYHI(lEO`H*nD<P&3J$rUqGa$JNDT!qm=Rm40G
zA*j>#mthrpl5W&Q*uKt|uuH|=Rd{Oo1*x_CHVH?XT?}nSEcF}H)Dh)pC+)A5NF7O%
z7c)e$xe)oJPLi61KUT(!p}TCp*r2a_j#6HLu-}OaQ;%MjeUu+=7l6%@%JA7U(uz;Y
zCxl-&If-tAhD%sS!r+%o%UfaMf;3v-z*}<HMzZfQ#<^=`if0z&mbJhb*AJ@Jhh|z?
zMyq%YjngCrxy^NCwOuqE91i)FYy(D^Z$((ww=s51P7F5K2z*g!Bj{G~@`f)zIh3u|
zB7(!jzZa5$a!2|+vg){eGji5RQUX4wDHWnt%!Qj_V36PI2_#2Wmt<~4#gcZ>P`aMU
zezCOihk;HU#p({6`WrIDW`lfSN5Og3mBs!zbIV5U<*!(i=9pPjVeq0pDGHgv39iFQ
zOVyI*pTTEn#-Jx1)x@UZXPNf4lQp+NO!{p7q1CF`bVjw}ft^^Y5N5OMqOOWmxtnK}
z35G^Dcbco3c3Gz+1&Vq&9jk1o;a4xXI6{lv`fz<>Aq)T5O<J!xknT(sOW*?@6>d`f
z+*Ek?E|p<Wf=O_!7N!5udoFvTVmakjvQxykLwL*I6^DHlrL?P)?ipq+f53rnW4Tph
z(;0hDS9z|onH5kgd6b%L2;(|JQZOMCHRaHoX;hWNJ=&qD6<4LlU!kzlMxYzooZ@0D
z-4M)ZKyzWS<4En*Sy7k7<WZ(!UrZcTa)kAjm5WNNSm_6uSLn50uE_D0wk#wG9@z;R
zjav6>kJICD8K{OOv@Oq&dagw@K}vZPmNZ9*Hrakg76?OO^(kUX<Gq}^_mFZi!nu>E
zwucghj_x&bSxc?P7O9#wC()U^B#`!qR6C;EId@>Z(Qc_{D9o)ivTUrnr0DvYazkxP
zBY&j0%bxj*3-?UF!HDUpUj0+LBCn{Hyd-1g+lxLPH%K>Ti=<XVnVnwznb~wCiuOE3
z<J7I=oghbF`3T{o>H1L~-=UD1_^LHq;K_d|xZ^9;s*v7?3SQ{iFw`jqFWZ7ITGapA
z9JS^!y4*<Og(M|lmF8kKsXpW*L`{6iI4>xmC24!1Rf1eb(U&gj00MVgR!odezw!~*
z{&XZi<fRw-e0+BykekHi5D@#$x;N8$FNqhJ^yZ;DtB+*_dOZW}t>!HHU<)q9(LF7k
zqR~lATynSGg}!~b_geuOCXs=ezDg_d`FUkOuCUnK_>u`ADsb&A5973-X5ZDn1I^ie
zS`lS&Ei(9P<WW*I%GNevt?$0JQhAz~a2|1YwyM>6L5RxKii!wWUz*LOz`dF$B(7ro
zoreAs*&}NW`(nwL10v5g$}{2|g(2PjrDGlo{0kqklrfuWtB;Vt(7288u5Y?o12=eG
zlzgnNs?#{-EOo=zGX<lX3mc}XW)((&r+K<osy})92Lr-f+}**R)wkq-{I~#!UW9e8
z`^svyHB`@Ek{>50ZkAp7iYsNMCc^|1Yi!igs>}z&0N4r<sLL}yGzz1~YrALIhBWt@
ziQWkn8TklXFRK?h$#k22kkwlFJ}-@Nbkbn)Eh<yxD1*4t%xrFp9*@D+KKuHBZ^D6j
zn%j`0j!X4=Bu?*7@JkWosluRlG9J!S`G%*-D)m)e^hHql1@8VEFJ*564ka})#~}kl
z7i5ZP{i%orcDqjeF4K8WX-G`MK#RH11OJv>cD}Qg{#s1P;18gHU{t=@pb<dVLmTre
z_Ha=Zb*Z9wM7lFl1kumK2%D3Qm#*IS9wNmjc-@WVs9hLSaZt=m@%+b2#Bygb)>Gj}
z=1tj!%hkBhy^e%Tm@se9vz)#}@L_tZ4XI7u7_~Zh%|b{iMJ*1G<QT|vFX1}H=jPg8
zr97LuJ8Ujwb>O_kS{9Ix6M4*_C{v-{{qZ{~N8j7zF_pB;hj5v&cOUzgG^>(?Pl1SI
zqq+EnrN=W}XyhXPxNAO0s!6_`tfGg@V6faTs<{SjI=F!CR3^CdHD_L9vp9T#rwo9c
zFj$}{ocdtlpxFP9w&NcnzRMn$rW;ryqFx1{C5=yJAD!E{fu4J1C2X{YF3k~mX*4XI
z%*c&G<Z!#em8(QzO3*^%>Ez(tApnfPYR8|JeVvr6DEmwGa4CiBFGGy}uR`|=cK42i
zA9kyQ;zA<4C_X#utrLnSfnC8MFKHFy;S3o5O0MsWS^*4}9eICP<XZclaX&VB0)Hx2
zjF~ucrLX(-v4P-iPke#fJWb*GSmad|V8W?!=Yl*hizrC~iI_a%tp>A}@25El6`0m~
zq$>VFq&lWU#&Io41eqtTrW7pE*zqG!)O7r4##971di8vk%^+h4(L8r>Ar0e?o>L2d
zlXXWp<{OLUx^>yZvJk$MqgNU1Vz1KfWN8};WAKm^n^}U(t5qp_+U)UMc;U9GIiSt_
zttp2tJ!rf9@xzIki&bemTc%cud%wr`MP37$X0ycRrTjbwRW=WJIv)r}2j!RaGczw*
zq)h(b&l8$-ca907iNOO!Aj_Wml{=HRLN}G^!5)rCJ!adJwn{QZGkJ&NEFx)KgCWj?
zaczOw!Oy6P3<}MDMTwi4yJ0;R!(Cv!G8e<bDN#4g7*`da=0)BG)@CFw%#tdFg1yJ%
zdqIjjp|)+%=3R0H3a325G3Tp%9zN8dG(S}EwF3je(tG-UZ*UlRjb)sS2UHkL`ALPU
zwa~&Ou^Bb5GdIC{-pFxaSc+9=$$bD6e!|o`C>OUo@OkkzxrN`8AWNJ0y$<1o)Kqiu
z03U)@4Ba99cNy}1j;Wg^E;!srF}Y<bv}GZ4fX>lYP8TI7C7W~Rh08mZ=RizUu-JBf
zFZxN5vdc5Z8a%87<0ZewxX3d_J8EXW-wnQV^laGVpM2!`G?tq0_l~h(UDbr`^q&c;
z7TANQ>Wk=;R;YgiTG8hI9mTxN*@4vh?}eVUNqIwIT&s73wYh$KA1zj+jZa3{%}dVu
zZ~xj$lGrbce@@*FD`GJSv%9^!2N%&^zn=K_#ksyGc;gMhm5n%Z^Y$rB`uYtU68RrW
zQV7GB-_DeVhn9x@X*?=keR9kGCVgf*DmILcUuk_($8hsPNj<uma^qn9TeZ4eC052y
zQ<LVrHSdFn_eohP)~tZGL6sFhn|&S%upJOF3GQt8vHe10_!X*^f$F<4(0+!RH9M<D
z&MXU+>edmf=#yp3kCTV;;>{(c<I_!IvLtO6Gv;78f*~gU(bgb8VV;u}lHmy=c}weV
zSyg2Us0t0OK}uw+zD3+pPUS70-48kFp6){lK<~))Qr--cJPph*JbqJB{;5pxp50bz
zV50nq))+eXX!GUZC-%>6oU^cPrCspr(m%B?wWfZX4>w`R)e!8zZ$PKd-JzbUR2K9!
zxSPTs7PYtM=lqbe@PrFYo5W#NQa3ZmYwU3E52C5`v!y&@cFMXAp*2SgYzGqk?^j?q
zmj*Xc697MH1hO!V>gGgZ|7>K;?}+$d`tz%<>Da9Co(p?alh$hrcVoX`!xMdg8CQRB
zPJt<2kp@NfoPNKqnf;`bTPJ1z!b(`CDpV!K*zY|TBe`Iuhe<E-M$=i5Xl#n;FhCHV
z4I6bF<FCoyHz0YMz}ZiD=TI&oTOw+MvNKwIec7w@)P1cg(tq1a{UMUt-onsUvh_sx
zE&hkjje>orm0#n<Ys>td9&tOK6c|y9UY6GFBDI;C3`pN-wNKg4&U$gAx$JmM%6?>*
z7RcrtUn17Nb+_C{3fy)d`$jU8HgKhNALr<QC@+RpTN?p~kB=(Rt7L?(m?Hx>BbeK|
zSC_amU*625salAvi0>mvfiSCWHL!JqzVMqy{}E7VhTybq0Nt6v4^o-a*JJc2-P={^
zf0()CobA8$7tPGGe|Hd^nFW{y)&yZsSoKCX+V2a8;GXHhK%;wdY~FZ1uYwwT6~hrZ
zCWUTag3P6scNY@%fk1}0<`&y7Xw)xpe8P)unJU+H7Q?pj)cCfvMpy-WKL4SVt}{IA
z5)!0TUo4|#qFs~jAe=3UfxoC2I9#CmN$XON;VI$c-dD597S68&Y4OWr9R#(a4b`@q
zU!915wYhU%H*q@}UA@z<w3ZvtaD_n{&P;Q1WCNnJK#6qDgmqMGLf|81NqPmDjNJku
zHH<G8DOV4Cd``VG))O}P(5HdU_28N>%igDMPp1TK!io_kADQ^y?qJ$Y&pw+q+Tl4>
zbxw%&uLeh2=S(=BKmwi|0d7%8a-Ihl59@iozh687x9`L|#oPXPmS3jb$q65Z#`WD*
zJ`BY5+*bq-Y)N$`mTEXH<8}M=Cx?6lO~LbaC20^wN&5$8Tvs!ds<`9S1*&!#*)8T6
zzzECsWr%5AM<ordngc{Ysh2VgzvHcagR!TA0+FJ_FrDwXd@R11%rLfcv7W3f9PH00
zXMAD{eI`d9=3OyCow6(zFZ6aw|6PAcF(tMeuy3xOZ={lJ8d~c7DEJX~zHmw$OmH6*
z);9Mj`va0J6)N6d=?!^pRnlOfy|^%Wc>H}wffMvK*S*7NxTu`a3=fVyKHu0*l`awO
zeEq@p^{2hR;_gkyA!6`K@KysN&*L(c{LH#Ru%)m!=lb?!%d`zTW5*ywXhAwmh8E_*
zbV{-pgH*KJlI1^zSBXLz4VRUxMPPcCCJQkr?N_da7gHKSBtrR_maVWic5A)tAX0Hv
z;w<#EOY$1sY5P=>s2brfs`zewE$)GT@q}~B6&PsKbgdsgr5%vUDVse)ZELOE|LjA*
z`Iwy+;C&{p4x52zF|@rGv=y?7OQXv54Bn;I9@SpDWNw~x4xjMKCrV@rE8+Gjmshhg
z1}t{2EdRx}-W?zhYQ-TOgqco~_5iH#3j31QV@{WI1{!^PSq@&r&J<F1OMfDr-Kov;
znjg(D`QTm9OpSM$?G9I)Qr(OGY}ik3Qg>NZ_bSFWG;3s*fDDVq8MDYrmo_EAOI|Nv
zx`Ri&>TeT_v?!INy=je#-#1t5mx~T=?`P#o2j;Tu!xUZ~A>`Se_<PH!-2tAXr{{ss
z?<c~P4tkzm0!uyZU*>%LA9KCFFtHZ?fJ$(hiE{~iYPXeWkL$xLF6+~zt6og<WFxl&
z!IaL|IgIMs_0g4^r9{!Hf&)8Uf14$fZ#Mk!LCj?2KY#zlIEY+M4vo?}{cUZxN(=px
zKKWqPZ8LSebHdfpf^NNVZWE@uuXi(RFN_vq9=@^unz`{+UrOq18wNTf%g-FDMf(FI
z6nS8o;y%=MV6@DA=u!-%A~MZ)5#v(F36b`yIgvFzU7?uT9;_5SYoM6%aRNO2K5ik;
z2RnvaA4Z$AKVqlh^CK2k)!XTLpO@3clgaq)0p=1p?fqRJSnok34U_b-%{XPn|Mq3O
z7Ul&)=ZE!w<&p0edwRW+CEfqonHRzVK1;HDP4za!8qsbvw{i0D<l?WqT-^inTn@2*
zfsy^Lr!qH>h-!t@&?%Wxca&&!S0^(?_lh0${57i9djFUfdB^LU^lI|Yr|Hlyv71De
ze{0(wW(K~n{rW_IA&a#Bx*76CxmjslXS+5)He^)yP~u0S@4-Hu|Dv9BV=Qpb+oTu=
zMn?a7G)BwdqysHy#ksx?7}vm}Qk>mmpAkMeT;u4as$?t+pZXZd%pcI?6tJQy>Dh5Z
z=>7$XaHR;@9I-eLj(qCRZMMuXjK;<Zyy*>*x~{t5QAD2ek9st3tfG%jvdD=K%?p!f
zu^xXbY5JP%nYG+bG!Qw`d><3G5V46PvZR!~tkW)#<|IBvFS(Ew(Jj#|pgmTlf~DPM
zCMapNONpn4UdXV2`SZFPGxlrsi?R^w+mC2~sK}meiP8K#C5l)-Uqp(aIfkKw{P8eV
zY|R5Z!x~W(v(HVk%V8FSZkUWr;A+mmCCs#^ucOnAL%Bsoqp;f&x4rf(bJcJ;%T%Xp
z)f|T>D%DduAa2d#FvEFFV8#xgiZWoT-Ffca=o|cTc!%JfGk#+?t*9VlT`kyM=Q*mk
zQTEXnZj?-JQMb>W;joh>ZkYo3AdRVeTI!kDVQ%HbOyS>iHs>eh>`FEjkM^6=p@;Z{
zrsw)TZ;~=U7~%VxR~v+U`h~;8xEh9RAWGwr(dx;8I++Y8@Q%k2gFJ@slkXujriM>i
zQDsfBNFd)J!qqZa#NzMKXy1az66Ta6A@-uoAHka+t)h%5#7fp_)>aqCE3=P{0@*xK
z94vDMH~ZfO6UFaKP02sepS4+4*y*pFFb4DSRm&ULfF1$0^J43=_oJ+_Tob*VtngO)
zvv^@_XS^RXT~e-5RQ<ZhUFxFou{%DUR^vDJXTrQDZM3XlKQWjSxj_N2COamQ>t~NS
zsHhRGqM!oR(t<R0H3`q$@biXj3~S_`sAlIU_4sl6jWLIswO`b+Ys5~t15&xF9oCNv
z!8@1zxhsF@7J-rT@2Qh(jH}IQ3H>^)D!)+p558J>#d<fTx-cI&N*p!GlKpFHBulOY
z#o*OOw`e?LvlP|_!;Mp$p?1aAPm{#R#KlfrkILn+{s?f%A6#MU>2h!<yW{q!)FLMH
z*l{z=3p15W&-D0T!`U{?nxbPLqz$hMX0x5*b6ePKzvX0RZ1rHW^RG;Bu{hGG2n)m`
z9fvO1F&&hPzO~xQ<lmM438lEcbT}``05k1lUV_#T4F$a=*8idC5Kb1hb(#=7HG|d*
z*loyJ@OT6S{QcTS;@$Se7VE`D;L!qw9$&2ty&wY(vb3ZmtE6z%C2-FR90|27GuDJY
zU>k6k8ag5tI`J70`hDspoBVc$q4#ug@50IRHyoflktZ?JN`Gn!VDk36&YQp!t0`}(
zs%1&lq4t}8bzIuW=AVF;Un-$ILJ+CVWR%ZK&y1ze?~t^PQnBZg^Z_W(9_C^eah-Bd
zCN8_ETcP1Iw&CHJm>dh+ox&YViT?2BgBMT=q5;;+`5tQtfKkw?n4SZpu&L`=E7hWZ
zw;n3DPAXAsJn-<v=kCkbg3f~)OUB-}a5jAgQZHBE{ROW=nB&)0*kVJ(v>HJOEX<rH
zfzNRY0chjY!bv5wG9QXdloui|{((Y9On>qny7PWlqCQwVP9~<*a`F3^8#m}uAKhr0
zTiBx7rHCNb{Y-6|J|W4pFLRZUI)vx0)FDQcThTG58E3)L@E0F<A$W@B?l5*R`{1~^
zujhW0%UptNglsh}XyX9)qmRIxC9!ecj>GDcd>%UdR(+1l)4Ja5445GgwHOT&TpB;L
zpvG={&VRlfvbWU-<eT`8YeT!oJ;o~wMtxGD;Kr`eA-~~EqqrN1$3y&vnlHXzg93Ws
z{3s@T`F977fkeDjYsa*NspF-9H;tlUqXb4B4Lr}76Rt#?9L)8etxUPiIOzg&OBGT~
z!wO3+1&J=90}?atuRJY6rw&=w2@6vEn8n?{4huf(aU8I=N4OPF{e(_EHtpytaYfyS
z+Mz8_<}lHRT*2nkk=BxR4W|5e&d0u=#;rkrO^W^MZuKnOoRSWRzD>=Kr6aXs2@__}
zYtrR*Qq&u3=3OyK84jQ9?A`dhoZ6eFyEjWgW03M~7N;JH-n|r9rhr1VF%zo)P_vhR
zPaj0{OAUt>-F1TGUp0)HISScX78%&4@(1!f>%L{jMpd1PXOv$an(4qMdP$4?8))Fi
zQ3oy)9g|g6gKqXjfNnVGwpXpQ`!mk-J4IByfEN|Iq4Z>lE+sKZ3?H}@p&<j2lh`lq
zH8`H2^R9Vu5YzmhVIBWh&VUF%5x#vc*ZXwyCH>8F;@Y2$kHgy|br~bSPSVXk40A?q
ze2ihu)X2krMHMI$w=Og%bEB0jID#*@pPf0wZnn!nbyynYmj-x1<g4`gLdq>ob4tE6
zHfa#kKtP??9hf>jZL`+YBnM@pw*7Flx1u9ByQpT>bNFZYg-pt+t_LH87n|lK>(?lb
zsNUavSlG~cVYXdd@%hwtvnZaO%%v=S&u*AheB_V$aiYnugdz?Z;Vcnb_Sx}&#)$jk
zpXa|{HmaqXy7}MNgr&rkP<%srG-_I6$5hAYAljyAka30FJB9*aTFGz%crqb2DkYJ!
z6On6V629cTvfvLykdJi}h@D%7``ErQx(h)ToZ+I`6_Awtl6?Yb1|JG&^}3%YrK4H5
z==HcLihT-6W`57=m%vBAlRfkj;B<gVtDQK{9FXRk;iLJE*zL!OU_m-nhqmHM>w$sb
z=rB+dd)Pj(q?6PVqyL|Q`RF;LrB>IWF+^;7E?uQx)wmHrv##KVRusyAOdj%sRDD<d
zt3lr735B$uPT|o>VshDxmZM{Gkg9wfka|Q{<das)RFk1z?Hculad)}A*U1xn5zhac
zOM4nNVi@DI!o^}n==SNLbv#oKfoskJKhcj*<lQN%+vyv#Cwex2#ayCU4@jaoljW`}
zys(md?^q!L#dfQq>C|F!>ONv)xoqMqTcJkV&Y*g+wSN{RPC}C}(<N|dCB>m)O6TNE
zsWow?tMs{kr#EKZx~lc@&ZTYmbZ|AR6S+<;x~xHgV5x7s6YB*T68;r2VP{ijHc)}+
z3UdX2Uen=c&dGk)wx#6uElNG4^?X^dDbJ|zio&$Syq(jht<$WW+xHZM=1@ynJDogS
z`K~BUt140_mZfks=rC4NV*g-3!U6V%ahSNxtuWlD4LhF_LO`PokDJZk=(E$U$JaJ%
zQvw)xaN?|KW3k4^VyMKbuo0u-m`jcc3%B8BV<5<$`GBg1=%j-F-qRU1_scj{UxueQ
zv2Q?F<cE|J-bS|x;U7Q@%sdGu%0k^$tv%jL-w8<)q5K8v!`c-7{JcItt<_zg*+0W=
zL43vutwixZ5d+%in2D9nir^7dmv1ul>&wio>}TI<;+G#=40yrlStOD3-p?nx=FJ78
zmT+=zNAC^@iPNY_b8zFCCgYUPZ_PsO>=6_sZ^SMZtB_SJP^=(6KcS>XeV944M#sT+
zFy&thx+TiQDT#T4@=Nm8X{tgqEq4Y4);Q%KLPB-ne@Lde(TX)%mv2$Jr|V|y$oy+&
z@J+xshfqTM^d#U6A&hadC6o8VzeTVcAmZ+*rTUCb64Ba3b0Mb)qw+QEG|vk6%18jp
z!?wHqCFfPOw8c?`Mg+f30%6k(oyAaI>yyRIataVUF*K;#njyBKP>A4vaduXJQFu|m
zrlq?}ItQesrMqE<7`kDGh5<y7knV1zJBAt>X@+hXKtNhb1O*h--{C#?=i)v4PuLf0
zfA)8+^*rEgz$KVQX$~@rNybuRN3F#wV4nGB=;f&kG5SA;%iM%tB<ohu7PB}@vL}6C
z0<%Svwo{DFf?w1)u6=CE+ljg`^|w@*@|g2Oj)&(%4cCOnN*zrTeH_Lwm*RP`TH=CO
zXO6gX#0Ow5Ml~|h5mw*Ew=aw;7fmiSo2e-_=km02K$l#S*4ahL$P{ru+p$#v97dnS
zqQT=xM&Fk&-;(qs_yw664*LG;);i~UVv@p7E3L3EE=mrmp8tkv`0LU171xvwXUDmD
z8;+*3j*#e!F1pBLA@&LTKweiiHi^C9TsQ?8^WSQMCnrqNK`HBHiBMy^6K5*q)eVgF
zAonAz$*+}1lA3j3YH@-$<2SHr;=86yqTt_UXzEMizEob0QM$70H`O<7b@bc#{kbl!
ztSP6ShAK@nLQt*v=(=wlCsiP$SA_lO51}~fiziaJ2mt&7gD{boZBnX&JGsCOsiu^)
z2w&x-Dc=dMelSN+^7BfBNLy^vpeWPeB3#=-josXoSO<h0I$vTGZ6}1jlt24@bHrx5
zP>K+82i$5bG{*#6dl%ypDLmcQI@pVi=V2^()~Urj9Mb(8f5>i0Z^u~=eMF5j9%D4@
z7<DQ|Cm{40ZH9324Qs+E&)a?Oor2DPUDuv<T`{1(i?*Bdag>Mpq*N57Kng3~PC?<s
z_{1w#JKTo+a?aWE*?;5P2C%V^oVDk0JmgPKqlbx*8@_E!GN|2easQd?xun-VOJP5|
zpk--~pv_m9-?NOH+~N{udlM{WEVM=#>N`HGBka?IH8!l`(V(AVOnO~UhsHc24i3Bo
zOJZhGmdIVBtOK?I+DN4r&2vrcVXkyAJW0J-&PqXIONS35r3F6UbEHYKrR|c<F5s6f
z-K*haZ+b_Zvvv}*nM4Ul16YPNjERB-skz!w3v?hpQrJ|D%G=-0%tA4aaKl%C8-qOZ
zTd$Yo9P*3t&OS?=pq4+ndGYNOJkLM;=C6-p|Dm0eUObECRAyCjKHEFXdm585gvrc~
zsqI<Ls)WpU=rh)6?$KZ3hxBcGUdQpflIS)5ZrqCUT(_7Fxo54_6L~uqnS_|LN3KIL
zUJy2%ZK>07*fDO7=kEN>Fq8-obyT{LuD~Iu0Nc^`;RoLJ$%!E2&PJod7rPrQS6Esb
z$A&aM3~`HFvX=;kb^9*Rm^-bFxd<Vk(R`cltP+zNUz-}z;U~BG&xA<~6ZnWVP_K+1
zkk@U&q_+Gc=_2xY@<h_`;*;Yhb6M&BLlY*!{Ok~%!rA|>z2hmx^b&^XG}q*IBnxVs
zQ(@p`pI&Z-r(}`p=!h7i2&VK|cf{S;--YN&SLNj(pJ{HY4g|cv?ccl?5$I8QR~5C8
z=3@?OJcj6UI~aenXyBQHsi4;+up;d7(^c(Pm(|hV9Vkkk2o<or$Wa!ZU_Saa$d4eq
zk$oQwA}Id|26xmU*i1cXw&x)tTpTaSR(*uo{3t4C36m(tG^gUmW>wN(g$>hwY*vo<
zi`!LqJ4UQDaHpv7Z{tLJT5on5T^qF5D;O#axLCJU`w#GzjxOQEpw_B0L=K{&04_X!
z95IIbGj*J!gfbU`?~wPf&i0MXZGJFuvR!=@GRbl?eVbIGr4A|S!_sfwgC0Q;jx_u+
z;w#OQ*B8lnlVjaFD%f@%H02PdQ2v*f+C(;TT7XS8i)OU#tB$Bc?cn&2Hc?*Up(7t;
z;B3gv_Ff^LV%I0Gls`E#q1D7INOs@knxNzw;}j`<_$`52Q$^>dvBw-tmk4khGqPO0
zm3`hwry}V5M`(pZI7a8?yab&yRcIKtv|VnH3NDs5htDxbjfVgPo<ZkWzITTB$?tQ4
zXllq&B^oiz?HK!0?jxx>mk?=BBCE*)vR+N!zwSRxkng=d!|)3NQ{xxE8x*)7DHnMG
zl)_JjQv%|PA(i1iV(w<x@Fiz8@+I?(*;0H5Qe~0u`1oAS5qmB!Fux!mdh+)X!LcOM
zkv0lZtS@<FRPnCj68i_D%(6Z=K$$9!qrDcDWlodgA7sZ7G4Jm1>=CX=(Kwn7=9qv!
zdxYEmuSfWan5n7-GxPP;S_L=){YB=B7jbY#ZD-dDP-43C4BB7P;duLSN~WpRssfFJ
z;iSwt#$YQ3U`n?o0WM#XffOuyhVLYYko+@AWHxz{h6XJsi?T4gC<VRB*tM{*Fu9>9
z#o)52kfBVdkthZBOaHO4D`Dxg8zlKvT_Yo}{a>}oGBK6np}UiBxt9Esyr4gAAFxcI
z=7bXl!`_-Tk+c_h1?<i|!!J?@tJxSu|3qvTl$DEIUP!<O94xG-#U@dTy`UL2ium>s
z$!uyA%m_`C*D*)(5XWAKU-oE}(Eb{5bJ4q$Gfw$|SpTKS^pcMc4MeA{j6B=}OIhB1
z*-JrrGC)&G8M_aI6B$|&wCgy*9`wLDiaYU!4&7Me@PZc11q&Bw6qLfU>FCU~qhoGx
zFr<sj=Ygr?v~+FEk?95`8P5+qv8mYsSgNGa<MSk{Tu3=pWN#JagH*YL{;mCw8~kgY
zg}dn^u)M9J?JdN<c`IE;r5!%`wO!hF$L^?wpcQ+DT=Q!N+c)&vbGI<$(}kc1ovfRP
zkrckjQuBplEh660r1?kVlM(5>p%t~s);Ir2i`{m^G&rsu1@@?0{AC{1m9Shii$Da?
z;Og`&9jVL$CdCscg{ZX@QSGHi2%Npdo#|U4EY8f9Bi~)(LypEIW8EC3`RSbS#33a|
zMo;*6ZSJ6bu`djS!A>mghm7%=0h;B^u*;45@b+O7j@e{d+IZ*1yb-gGVEh~amt1_N
z3JdGxt_rnI>yWIkc8O%5^yRv*sS}8F>)Rpz+pTtO$4z`(uu3IKp)<9tR<MXIyKiwv
zBwgflaieA9jgOBYV|L;cz9MD)ku|@B`9p8%x;d6H5%r3)J`14H2|m9|Uln8;b-Sd-
z<}EWT9c?pXR}*OiKrt+h0lwB!W5=W`#VJavg2s2B-^CcfmP4Fg5PkUB8{mWv;>OF7
zAh2H(Sc|b!gmN`mI0_8#N|wzg>U2kZ#`ESD-4M5n4oU@9O6_Nx&m7txEf&_^DQnFu
zM!e|essh(fN+Dj7@ibd^wwr5(fG!AILROk8Qa*`C3o!;igQ6_e_hzbXuF0-3@#CbV
z;&7u(G*x;GV0(<Ug<e-IIi>&pz&1BFjT>;%>JE?ZJLWO57e}2fv%ftWn6G3yW#HZ-
zEf&+#etrIjRJM{`R%f=-`gXLMbN*+&cVfO&z6sxbJf`2&Q^{id%1Vp&+(bl>{Wcx~
z<A7rsQoT&ObOsDZ4|yUBByW?=KeJy_sW|)Sbx;}lU+}XU=3rzu`++t&m;m$$J7|_!
zdbCW$UA|9ohLWrlrMinF&JVJAV-bPyy{iBn9Z`>8Iy%%V^ld?>SbacS;@zJC$+)3w
zQB28&<)2@@>^->MFNz=zSsk;xLC=z`oR<Q~^@}RW-cFX7DRY^P52F%ZiG#d48vgoq
zBoK#1(!gQ3-D{2xDGnzJfGeQb!xYs5t{+U_a3VVC_bKY;6ib-wn|*N)A1{|6v?&$n
zvdx$M8{7}P5HY&viZ%<F9N86#r(}(lkPlY_3sHRRXLDwUS7K<{+QvDg6Kd+HAX8@z
zKg}@z=m<HVILwyM+a!c#ON21I{R(t01q*iKXs&-MnI9BA1I1+fPGK);@Ezr`wl~a{
zJ+YGih9_7GWxV{v{Pb;JY%wPWOwE}v5QM2`H%YIe6hj)No;8+bZhXp!nItRe0{Agk
zLZ-@0=fY)n_^i?$0N)8ZoI63fwO_uCwyc5xC=`kbvQ1$FQ8Wp85z=!wX|j~#D#&hX
zdu3X>Q%+0@4gq%!M=gB%oD4H^Q8JlCg{bo_=hx2!yZp!QV*%}5lfJ*bM>+N9Ew&9N
z?&8`uf#-iawU1sn*gN>6eeYupG-{@(d=q=h>vaFQr2U~sU1&c<{s)_7q8o%?skvkw
zAx=J)$<1ae?3=J>^K3ODz$>N2k`uNbijeVj!zMyYcr4tb5GGY6q&pQ0Iwpb+3Vx})
zu&GD3o^$mFq7{xbolW%Anj;I-UYGMnN5`{HjAfV&z17S+dGmT!2J2F_-zWa(zPmli
z<!rPcb$il++3o3s!WWl!zOQWijp_|r+19)o*3}KV1Bq(jW|Y;@_EE%Bw#l^9$W}O>
zk521U&?!ZhvK~wdkFrO9!{=7C5hlxkpIZDit|4L7d3g=jrD9;?74Q&p_mGr>?U1r&
zl`EDvvJ^xs26$=1yQmE~-_-mz%s$voXX(FF6tt}grU$ig!SjW6r2}acuR>xtsZIoi
z(mLf5{pLG=D{V<$9E08N)9Cgx>G09x^4Ua8dfAga!2wXqY8Ho9Lr$z?#m&#Yc)%@-
z>7NYFV#SFn-7U%+YiD=hfUpsI>j7TwM+C1jCX3ZZ8R1H(&OGw~Pi5xwf=`Uq-CvH)
z$K^R|H;-nhw0LA~W}8odv!;i_dVdAW{#cZ>>sK5s0UK1s>4&4A=0XoxQVxJmo^%1Z
zb~E;K_FtwPrqm5LhAVtq0be(G7-&@XGdK;glmy!;cnv8P^JXW~ui442xqM6G9x@!&
zZd>D?)XA<{8M4&-Cu(GUxeW%F5aee?2A%;jBk9w#Z1g4o&C7<;*Mvg3!d&9KG09|R
z>Hs5WdEY}pNzIth{pSF6?_FqJM_qwu%I#CIf2Xwn5TlN8$(;ML6`U#<iqleYmajN6
z{A7t)fDK{IWz+fC(#CW9=(K0CJA2TIDx}-)!LJ=%t2Tdeq*)GB%WLUcB{1bC!X&D)
zvOHc^;EQ^u1lKx^u{EV=R65u*b;aiiOgleQg1GZ3$8c6SpBD<KxfvI>9D-kTG_-hd
zcdlUaXwlze>o-4`ZNI5hq9p_1jy$~apY|5}5lK&coAy5F=-ppxIvCVDdbQHr4m#&O
zB?Y6}#z=dMMu(Gk8ey@RRrH!rlT`dX(FOe$ONKqs7OgBw>=&gbHy#$53$M^&L9+vm
zZ!fg`R=N>%mvF_~xY@ADcg<lQE$4n2PYg9vf92Ke5R|jlft|?1BE^caWsk2M<}F+P
z`jAXiCe)DOuSKB`vJ><}Yk)Y|zcAY3fUTOm&Q%vQR6QcS4tI$0Ym|4w&ZmX4j%fVI
zViQTqyU8SMPi1bK96WL)m2{Z@pM0%+lou;QrCUMra5%>3{~4~WjiZ`Zv8&_+8r@^D
zvpa}z@|nHAcxN?cv;I(KspJTAEgraI`LhE5vofu2_fTSBBqF2!yR=-*;Ue<cGJfb0
z_SqNRV(Src(lhfmY`WB9b%T8xOrW(k(R=4h+Zto!n?6;K$`a|mVaBVO5v_`1E{ib_
zxxP%5?fv&<>+M)&)h0G-RRmHh6s@>W+O=__#b6Z59BT&FKpo*;a$m+tf8ebd$`5r7
zL$=)sJvHE%QjbTOW|WSL3p+sxvZtUe0%x%ii5$8j*X1!uNbRuH+*cmYDv`Rq&xhML
zW>X?>9?;|2QybN|v|W?$WDm1vWnzs;0jDG#owNJ+Y{pX}3<J)F>NrzH=^IH!Np#1A
zZ1Ner-dZa8hXgtYnWTOn0U{SID7p4}RH_u@-ujcQVQfpDBJ1adXky8nksBKjUvQ~Y
zkq?Q}8(EB&1unC(qy8H@n95wPSzw1_>$t4iUp8J*OBD;1*@FGHp)I;k;v+A)-k2$Y
zImrm*I!~BaW??Kb>T}E&ytovp@4b2L5Afy9GjZcT$A)00sG%(D@%>yFz(5aYHz!TZ
zB3fAxwYy7Ob{r6CexPZ1kA=V#8B<BmUN!IJ2dHD#9bY%fBop;?{7wMqk8W+DI>a&9
z$+s>cYt{i&zSSSMRm9`7bVZ3+$uswqCkdotGNqn=wodlE**R&RKDbDax-}t(0At}+
zzP(efb)Oo1;^B@!Q@1-po^ZXDP4=cwxKGGZoHwpBxn!whHStj4YgujA`(krh-_~^*
zW};~I`JXDlad%NS_Ya~=yBE3jH=U196WSQ9lkUwk1v+-F{e<+?BrREAIdcM_l@GS*
zdp1_@J>3)SYrOcjWvtDOKn{1%6#fUT?QGz$=kj;Q1h+({Q>lL)2kZs^AW5yF%m@ve
z6}fJr$(s-s+qr0{^g5j62f|X9Hl1Y~qRZO?1b$j5R1s2ikZ9!_1q&{6hTBTgMQ*3g
zk*{dXh75PQuqgGUI=@?zb>#Rkp)#U@s|A(+|Nc)c>i2bQKNj+Dc{DYf8!f{mNIaCS
z_<PEfh4WI=M&G#I%HbwWy#+wu5;c}(CuNRPdmnNI9ey@Eq9u38km^^I9-wmEt(`K;
zVW<D@V3_8u+{2fcQ{4)h$0o#v4`;9#<L2dCs*KH4?h8{;2xKo%D;-`)VZ>8J>?KW%
zcbqRCX2TGhk=9@RpqP)1oT`cZ*6bbnp-ol|92@-2o6Y2NYrUUdyH?O89RKPRla2dk
z@y~a@sc7($T;u{lJ-b1enQLbS=Y3I%p5~SkMAd|+IqE%@j%i(s@P5gn+$M=Y!>1M1
zk5I|*PE(}z%_NpW=@~Qs1i`6S3A&U9b=mEmt5TKSAoft{rdr+lCAJ}I?5w(4=rl8d
zH~l23vT(nSj-UHM;BSp(6+rl_+5-+}+vf|Huq8vs)7ef@;p@YX3YluAOdMA_E@1l`
z)$filK`>@A-DS2oZcyRmZ{7ZD)!sn7s&#&x<hF6yARNs2XRi9eLhBOv7P{d*T=msf
zN&s({WqmCjJ!w{Nj8j-fe-N?zI&bf@vzo(oBpoW|Jzo6td5FI+mOM<+{onOH`s;5t
ztlw;X8U^EXI#ez91weM%aC@etV)Fmt{i#Li6E;W+3MV0*K=7PQONTd|A8Di9o++DI
zp-vlsJ?=&cew)M%VE{ezc(X6@cp3F5xaaknPWGnsjIW`?97a#)-}zfX9@Xoo7rrPZ
z&2@*5DF)T^ZvrVr^!F$CLW81|uA2wHJ@y4-?pcL~eSGd}E^|ZvN<TjQn;#tb53T)T
z?{885Ro~9Z8>W+v?M@Ggc0a*mHQj9dzXg9gK|p?i0js8px9>IdT5vBTqB#g6Yq9LR
zqjf8AWT%JVqM3y!vKcL@+igz)jVRC?E^Eckw+M~y!`trtw`AV&l0!WZ_xdKizj5re
zt?q5nJji|?CRYzb9>?1J=UrKkSzN82ycsn#6oK_@zWv+EqkU(nBapPpYs(7)U3ysi
zN#tyWyRGz*8MxA!8MrFnxE|~e8!NPxbpF!YRD4Hd*MiAKpZvP5>4y_;1AF#Q<Y)oe
z1RQ+<Y0~^Ie|t*Izj#Yv%|nN}a^vdTs%(L{L=Scogt+M>3Uc07TG`&8JSskHfwX+v
z&x+1eG~t_$vfQaT;@VhIvgU^!-Wldp@!YMAw1-BvIx4G=G(op`#Roph1W2Wf$tB#L
zKi5XZX&MKAOgqjAdl|z^jSs2odq=8UAJrPHE}ke<u7QLS?=%7P;!Ob~cYLl$URYx1
zt&pEh7t9*_^RTY<<#DkVRB1mZD8a~HL=fZPR`n4yqV;Xnmk4-<PnU6(6@P$i_wV=o
zD#e~tl-@)K0GJ|on-hb6*69cEFA6j}#Z}_B0*>uHxM=TVDak~rk^<@vSNYBy#~FkI
zRt!Q2ldT(d;xk{rN{y$jRki0DZ$WT^&VTn4H?KDpcs5Inwn8b;aoZ%Knrz?*{7#LP
zIF{PQ4QE!3?4P3;od(9EWH{PpVBXxsS4p%Ri(j$d_O8p_x7sFZuQW<O+S%cB_L*4d
z%Rx#{>kOad=abDPHf@WlHtokNOG|W;9!t!nq<$*~c<<a!`_@CqzA@m(t1YGA$4_Wi
zTiJ~~VLml&@D!wGW-A3Y36MZ88U`xUr;9SNZ_V^3CD^UEb|3use!pD<)AWuK$jQkW
ztz(xL)HMY&#k6~6e^t5@cUrkHM>6udft^{?!VE5z$Ff7nYN$2iEjeKQxkM*-*LEAP
z>uUtRjA5VG{@gd^Ri?P99Ww#eb#!d2;TY$B*qW4%){+x93E0_8T}?1D%Epo`K}U_a
zY2^!AHNbB6?OM=iUAKBkuq_ntHzf&(9cWw`9E3cZY`PzCXo@5Itj*k@Pfh339!BY$
zspeGht#Qzf224C=MfR`Rj{90>qa}{d>V_zyJLy2$?)DIqaS;nTeA4yl>hVtPqn~!K
zI#KA|%nONu#=w+{O`7U}x_fa~i2ziGa%#*1-*I-m=Ga35YhV-(X)a@RI30OYXMfr@
zqF6E|;jyER-zVS39_JV{h)!SfClwXH)ASc#LJ+k?s9BUQh$|qJifnj>i;hGn_*jB`
zoVoTlxpLk^a!=eD?gpjPc?l$nT;;u|fTnZCdV*VWQN{`3=A}eIe9-DY0O@|dGL_U!
zdS>S5?jUFTchc3SGD%%|w=T4-EenUb6_g$VFz_jLn`6D05i)dJiU30Gpf&KZqD!5=
z;Jn#UVxD{LmEXbB1u1z+Ely+ICu&lpV}Mq@X$6Mka8~7}!4;Xv7iIU8U0JBsk`{B-
z<Q?Y@^+p{+F|(6ZS_H9{t=Q+Q8y}aJwIBpZd7Eixds{=%&Z@zHZVb4ZXU9<{gB}qw
zuD{wQ3BJ_QJ;*~Gl}EKeR<rJ6wym$fn)r5gmCU#UE2B5jnvxD0Ra&f2N!vKIwu*&Z
zb|psv2CDjdPx00n{T+P8I_yZ@kg(dN?Io4sSRlx8#{;MV@ogw^krVmg(y48mhlX5f
zjbtF5JeF+3Cmag=+j+Z32crB|lpGpK6EMIhN5_sgrx7N@4%xdFqqxYGkoyAT9j_B<
zRHrCA)J-H!vivIB&J{e8<gwy4b|ZoJt3Ue@<UAsqlf$<w?YTmTaG3Pi|8im2NO>D5
zf;VjV9~!X?o++Q!gf)y8R{M%KtnW&Z%$fqra+t4Wb=0v9-&mPvhVinnG@pr%!Nn&<
z>V<`d*m1MbNA~;6%k*GgIr5Zb!6hs-Xb#SOpoFew$6b*IMQ$Su+vK%-(Pe^%q22t(
zCNz%IqSes3_uT7uku7Whf{ArJS0P~`y*^Y?3dzg?^WqFPqF|XpG=~vf!lA8<SBXA%
zK8@2`$5?4*eMF(5AraG)G}_^o8>~6>V=@coU;yBfx}dY&{S3U8(S!eQdp#f{s^K2r
z{6pZYdd@1aKt7ygp6>DIqqQ9?h%>Xh>YDTS+q^@<kSU@*x0SfBEe%>3U3A&^ES?6h
zBeH&^DjFIgESq1jjN3W5ti_3~*}Ir788R}q*`@t>QDSTdu#(B!d+AJnnjK7F$(ij7
zac*{)<&PajeZNVhouUtxovu5a@*SE1PaKo5d|DS^X9uqF)@LovZVKiJo>N`nD`42w
zXIGEsL%DE|yOcYoYr9=OAS=qT?<eM%o#VC^_glZ}1D9Jmm=b+g7^tE3op4tw)kech
z`XDf07pKG&T+o9nBAcs?sM`0tmk=On7^xghp;XHB0rH7n;*a0nMX(O$)*2ug3zX&f
z`!dJ@R)3xx<uN$k@``RhO3i`%gSx?LY><7OiVG?5l>A;%xa*u@x#CEZ*kM=VguRm8
z(lEC^xS3Fs>~D7`XMwf_Z?%N4cAlsUe9N8l(D)ZzImU_5<Wx{iPv3WcrOfk!@a?vJ
z_x3b-6>2MP-OlPF+Z-?3O+=>~Li9%Zo|`uKhqANIrUENc=aUaft3AL+b(LxKC5zBM
z;yu0Lfg@fISv7s>LXS*{I+gh*{jbMle#%Q?MbxWxro--Sf}YGK<7cB<*IH-3nx3Qu
zW4Fe44(qn_C=6t_PQ2z$Tq`z5eK5PZnMb6*Y1=y{!!oLR-7qEXlf}l}Z`5-cv0e>p
zL`I<K29x+IpoGKEz<6D_wr#v5vn2Px)-#BASg7tVSC=2*433{Zj+$~hYx2Cr{1i<_
z<`U1><ttJJoGDu`7eB|<LVfeG2&uP|wm@ZA-8`~-jhgW)GzS?8Y@nisG(R_e@+V$E
z*5N`5eHShbYoI=Xi5?>oyR*LK(g&cEm@bhOaUY*k^Fo`6{DTz3heZP>g<r;CEe)fR
z_+Lg*%#s19kL#zmY*U8j?be3z731Iy!*i2ri>q*9*BE~5>F$k5CswTH&h^-AIi<)u
zkBIPpzj!$XZl|1}v=N!;exH#C8xepoWAQ-ta9qNw>EF`xuee)5PrhMhrCmiubJA;k
zd^`NVu!fgvgU0P^u!-v*69;85xnV+t4{$<^n3^n2FUc8Ji!L)l`kWrbky1hHx57}U
zb~MFQp&GO!peaIKVS^ihFd_;yhhK4he>I7rWB+6?wM~6^erTTEIgQ8C3Zs8~e89|3
z5zIyFX;ub^$GxAv(uSY^@+@eY&WZAc>?Azr1boS^v=;9SJxM8hKRK$zJEgiwxmQiN
zr*B;I1I#S5Ft@+t`AZ?Uw9&ErJ^I$?K#TV~)rCGmPaPa!Nae<GxABDz)<!n+r6s@k
zM%xw}O(3|<UMYIvhgYt__Jt$?qc_Z%Y51dGprfn6NB2!88y}dH{8mi6J-U;+`^B2h
z(h`D)lZ*1ix72!h!GGGbL6<Y1^(x0=r_$Cjc!EwShk|rsw~B-udAgCTKS7n=8s#8u
zKhO71P}YlIpB-;_bD}C=7TBotG5EK|24Jz%ya%^RbF(ktFEis$Iy1pM!nBdk#ug!t
zc@m1L4wv^cIz>;sIBRet4`KafTDHx(j6Y(}E%wfV$v&1Rbgmwx38|rbpXZWc-zBGR
zS^8K`WOc_HfJREMiH`8=zJ7H1jZ5oKGw6>(&N3K4)u{33{o?4zUBQ_2g*-y!LWG;C
zLTfj3JI~g90J~4?x!+G6y3FB%{gyC4f*^)mFs;!Z_iN<>ugbOgRib!(aSIfo1$2ja
zWSdn?_b{TvUBpn+-WBwo_>_0sfuXe+_Jx1QOTN2amxh3P&5{J^yys%B<+5-px4Wj-
zK51S-aQYh=|5^M45+zp_n)q0jZL|G{CQ)V9*vGba?Kln<saBe%XV&{Z^i?FNUh=!$
z+@DHWFD9e)*TT;>Pw#(BM=!iM&DWrgRB=;VAnUbk!rJD+HBiu(>IjEgQKtAtR%;}%
zh02Mdih=$EjJNI3Xx*D_P>r9?Xal1&%cpoBH_G{QT(<0l{%xNL;@i{`!a~CB!35Ud
zLO<R%S!l9Hr`CGXX+2)o@2T~2nG4(SF{Qbcx2Ym#F_V0rPX{}J=9fzxnfaqyl-I_+
zK)oE&ttlCLj}9>W<~F5`*L7!xPQMxl1uk-tOCN3-VE$1vFoo2g0Y;{|XYA1XOtmI*
zfX!gWWN)X5Yv4v4cr4*XqOyKl;YTn)c6DS#89>dC)7Nln7%3&1%XX6-P(rn@p3eMd
zQ}`S6R|VP0@Lsj~wpi0@%k2vp>(-`e>gsJs%Nm1hh}^Wwg|p&2kvbESYDl%Kr8=*3
zS<nshCo&CBo~rvXNDB$YP5&`8MgMiluQ6LxDPb`*ItDzsqI@CTSQ_*mI^=yN5$*3%
zh|3{bBEPFtHQgZAD$X!_WHII8;CT5i!qaDL)`R?$-YM>klprN|Ls*JhA2iz10<zL<
zGzWDOc>%$lVH*U_$(1yyi@Xg+h4{H7Un*7GCPC^Bei@PVTQD$_#SoXO+_pSW*4!3?
z+uIjyb^6w=YfaOCEvLhW`md>2cHwriS)hJKJ!;JbQ78PZ^<5WRx~;}~an=FCmM&TN
zLRi&IB}1KZr|{pxt~ilg=e6&7FFja*%s4k*(WTv7zD2URp~3kv(3iA4ZlJ~^mo6z`
zszy&F!YqeO?nN-uyW#Gf0HZcfZj1lWPPYv^OLH;NO#(vMuF71wI#&In3FA+F?6?hy
zm)j+nbo30-sN8p6uJf?XeGJv*_`WYL8@77-UD#`yNO$DRZT^<a;jEU&cv7$(pCc>#
zp*F`+)6(~w#?Pu$tL1(m<(Dxux^TP&dnbp_!#U4!X99c7S(Dwocv0RM7Uyq}u%4iR
zq<#FnD?Mjx3rhgm>#J9-ZuGxYkN{Yjk^Z_vQj^Xr&Sv@ySCbAtlPjfpE}o@vvjpd9
zFb3bBNy;=Aa~!4H997-V^^g$XLvWLaIpR2{Rb7MUse6GA*D~lXhEQgjFVDjCfZy-6
zQPoOG2F?3l*_U)`A3()~rEWK|t@=BFue;)f9f>U#g2eV)F#0nf?1`B{Stq}1cl=^1
zr@ZfV!<ub2eOuy;bjE#L#t5HXE{E8c?<t_xsp8+P_7w{-Ap9<_{!#<-GxiQB&cFT)
z$IFMx1dC}+v+FwnYaOgZegl+K_HfnVTv&9+vafZ%Gjvy-S_Q^A`cnCM&HW~R$)0;-
z@qy|lBCSA!VNm=i-`~6%If`of$D+n|AKGEZ_1cO*4Tu?<uUa&P)f|k4f8M_zEu=__
zo(8nN6Yd^ak;v-){e=a0CX)+IH^2&F<cV`3+obDc6+CTq+Bl3~=e!B%SeRD&?(VSV
zh`eGsJ5yA_1UT{rM`q-+iyN_~5T~}!A21G$jP<YH%OBsAEHnvKm<NQ8NZ%QnMOrdm
zM2@x2hkuyOizL8Lj&*8CR!#zvr}8#V+fM?BCzK5`NF2v!^sO%Yl2d;8Z*&#VyN7If
z!15iCy;lbzZR!}GlR6V|(6T(Fb0$bqzqJ%O9=(mI%<4H!K))rlLkV{P<}}o8e2>gP
z`qG_M9~nK1Cav`MI%9d;<{Hja<i#$^M+vLMQxx(SqxLy=x5B=k%l3BkKcm{wi`;$x
zsRR{GFmT4qN{nfFbxK|?<e);MXzY!%LF!Ctw}iJKCCu|7LkY+pD~$}_7T8h^H>F}%
ziRko)o~qe{unw0FV^d^8GadznWqy*FvQvxfS3Zw)V8)qG*Yo>+2{Q5j*~q<(^XpWo
za@h20U3<TU=<xdi!7jn0ui0&DD=uACB1%X_)(0=iNApi^ndD|cdbT*5VxyBV0wR*A
z<JiDXy6Of4>h2_x_xea)oYIT&=j%%PP35SoGTRNKbLf-au3Yp_Fm8e7+VIS)EWr@4
zC%j2Vux{ISukK#sKB_W4CoScdsuujU4oGLQ8^vpz#ZxW?W1C&{nRz(W0F>x#)(%6_
znk^bNJb$`%YAUZ^$Y8v#hjw1I`p0Bd-aXHs@O`rFvY5d!EXgldR6&M+8F|su^7>e<
zQECC(D_IZihm;KJLfoULt1x96+!?rLHgzH}+N8$VusPN1ezbdTlz|inHZt(j5j;C2
z0g5pId2SJog~G4hljZT5hd-5Z@{E!*(FMMA&i*jap81Jq`c+1aul|f{uJcsOf7p_x
z8H0e@{z~9&r4YR)YBz$+u|tu3GJk1-bjCj1rhQBCgPg*iyUhJ4!u(a$1>-rvORGO_
z^n4U2Sw`DgiN-tAa0@|@SwjxZ9b;b-PI`+P8Vu)~i%~40BW3Ujk)tVXa@meEl!>M{
z;Ctu2#!w~L1)~LC(rvNEpmrkE*bDSB_-MUpB&Y9Kr@y2$#AA$Q%TC@?L3(-~=KJog
zlmB1(ws&If)&Mt&oLxnmL`Rz|sgP(_Sah`X_*IJz5X%3?piu|ljjKq&Ou>x^4-Ofn
z6XoK&oH!Jf2T7SyRUeShhv_B*r5j`asE>%0g+Ci;>~^96t%D3lIlRfLW+Ha;x<r#)
zx92E8hiZbD`gEVctZI1PnXPKCDIh|nO@i#g3}rrP$@u8-%Gj`yLJib`T`YZO+jVvi
z>&P^qL!0k0=`v|pnCoyk(v5ZC7jUp{rW!u<CO^xtV3UlUQOj`kL5s0s`Y?3sd=ft>
z_-Nx;hQJ;F=x5FI?dzRKl4l3Te`rqCYgQ(E@-@4=5cBHwlFqDb0SeQ&xcGl}V|YyP
zZ?`-p6WNgD;b`SaZm=4XYG7*E8iqf6aVgksW0~tx=qX(VXejIKP}WRQ5k>it0j(wQ
zK>o>urE&VkFk;^sh*s$S8vf~HPouc4;vdS)Lko7NIj`F87pyM%aj%_obgj%RlSq3L
zNiqttC9(%Mcr{X#q+^#eO8Bu4?*4=gFa}(%D*n>kOBhfU+fbIB`KJ!@?Q;9I&5H_<
zA?YvjfM$aod)1C&=tr)lsE;D3`%`SotsEQLaJXoljNo?2O@^p7BA}0(W~<_}`J|cv
zC_)vM2MvftCjUHoRP$GQEO+CaB`;WRTOY=QYqx18-q!J+_9?Izty5w}VKK%3hZeMP
ztEDqZ!fMrk@wk;`cyB$}v0PKQrE~0QLpjs<Yznz2<%%!%`0^hbOzLlC<vaS53YS!y
zFbcdFv%qz$fIYM2n!#c9>cGvnFD-(;wWeg?faxH2DI?LlMUMRV5$m42e8Jl5o&7s<
z6ym;-%Pk@nCr%mM4%%Me4{3!ljdkX)DVpB@xT@V+)Q$+RmmW-qEp|{?xJ!-1sQl=L
zXV%8LnHLgQbMu7bcY3B?P?9+>3|40Zg@nmv4mk-)y=1;KCoIhoJaOUnOnJ%2FZ~ak
za|_`Ty9AAIQ17Zv2V2a1SgG?IFDUN3IfK8dGge_FAm2=LvxIaj#$`AQM;N6y^+iTv
zpcw$7;^;DqXQGS&r)M8bp<hDbumm&66aB?jcz$X4-4#w#d3`L~9dCqf#{`BRUD6aB
z>~qd8`i<9voJiIuL$>=i%C53S=Z}>~!$MtB$bCrTHZQQ9)>M=9JfcMBIJCsKx;VwH
zhPFU0xUJan*wLibrJzUoD#t3~b3%L{+QvUo^VdY%4ZO4!-OwO9!H{>%C(gtbTi5Ow
z<>vnWDJf#WcUB?ZkXvzsdcHfqRu<779~+Kkq<C&7E7S*J5aCdt(h8~6y!2bp*wMPS
z_}tlI>y=h4gh~TuI)_*JRoF!rVAPLIl<JMhnr{s`hB}~cfA6n)rzUa_91Z&qEvol&
zDdJlvgyx8#?5Kxf-Bvgw_XzMZ1%(*0AbUlJ6!K{$QmDcth2u%6=swgzMK&vc&J}qN
zr>l@3LJXeMC75lM(r6kh{~Onf^vkUZ=n9|Ka&5r-vQ0><KCXT92Slt%O%qpk(a30w
z?*wf(+90p<xlXht08{loMb_|8*NPmPoPD^urf~<Xukdc9sL#W*Y9CzBIE55Mxz#_b
zRIDMO!A%pA_|}bS>+VFw&cQZ8A4fh`)o*V5zb;B_YP^iL^f?Xn;fM_qp1Z|~)euR!
zLZcqZO>(rsQVeiMXZ;5QGWOA4lSh$dhwq^zQpNZFL5Iwi@4D2+$}gL0e>ef{u$kN&
z%AVkr&6g4q(@ko9&YhRzE%(yFD3c50>}4dosa%I!1Jw^1v$W@Fz#Gbzv^lS1S!JFF
z`9TK`s&@@EsiQ{#!y49<3LCnA0#gnmAi(yhoWGZ0mx~b0*m+2R3MIujjyD06A?4!9
zKn(rB_wlr|<?b`}9p?k(D7<;Y9DuoUryzc1OlDTJLUnPSt)C_`cNB2@sTsZ5+;h6q
zlK%XYW3c|)Y43(KapK8DNhKIiM>~#<(U5mY>dgO)!MTL3k^9wn<>I|;P|fAz`s8Pl
z>x6s483e5fHy<GI$Ir3U3K2x(`40{dRd1LrY20D$6XB4vPIg9J#)SNfEp8ub+x;Lx
z)JLh-s}3rBKNfr|C-&FtyGfI!6VIR%mMWm4;-yZnQ1``mbvs9AZaZ3bQOy?!b_ppY
zH@gz5iF$yuxp4!>hTlEF5IZquaL!x)*V*BM{Omp77dr1<gnUuSXTyV-H!Yj@0ej{F
zGaWvX*(bF}6gjuhh(l%MEuV6+j*nm;nE&I%Npi<uCMj!$HoAt=m`1*h0QXM(ii9N5
zHIFeZP&aP|j^-#<jr|ptG*+d2^e}!a`fbE?f<-$^TV43C{`WPgGs?+x=*6ILM4!F~
zYW(F+q*r~xLMuSuF#o)Tr(5V@I+e7=izAQvb;DOWw4;3v$@e8{Mo^g-#(hoeXml&`
z+bhLWV8HMO5fp6J&DJJSuNC}J;lrPJ-*TWG>)(S<ym%vAbQ6>xG-G$lprAzSj13SZ
z>Q#29bZzALsEu>?%Xj`aryrd|sJscgy}&Q^^gVfQlwWRKK1p9U_MSeJ0wf^Lx$EoT
z%$K<xGWE^2XCFJPUwjfu@||J(n^B8n`Kl#$le?6IOqFKm{w_xDZqM>!qa|q|d^{*)
zkf&b%`y+mhTZHjy3zJgyo0m3gFo88~b^^Y+(7;7c=_%#)t*fSO3tv$RE<c9xYD>6-
zC}PE}@{~}6l2nB%BbxN3{TJJ^v|);(uFzF5*emtOC(1x%E%UNCq{d_&JJ_y*c57%P
z!WAL)wtD5)QLg)A&!!*?rO$~TXf=aJF3d?s-Ar7iSrxSGC0L8N3^aJHq^<f`VW>@!
z+-#F#Jc3!TGH0>84V+lSNO@%pWG=*O?SOxvJ5po&8XF0~9K{W!VXS*uF{`reF=;br
z#!uNMc3G9nA8neWxvO@vTd-DFrh#O8SHstv<4zP7U2uS*XYDmh=o`rsRkGUAgL~u1
z>c8I6>O<PDPtTWu$26^*q54Lhpi*pvAK@*Jl2HYS|4k0KQqWmcczYiOS^_Gkzs(wg
zTR5O|6HYjy1iJ6Y@*gM>@i--tQ_PmZ+5wd<mw(KA-OqAf;cu-!z@d@lo{O?sD2n{P
z&wJrYYYF{@#3C0}5FQZ2gPm9e@u8$yGGQwPR)|ANz}2s2=_`FryA51z%={rKIIs*s
zRT3t#uJ<?MXIqRT06ZbMw4h_?0R0?m=w85QO)W&)n$M+lNtBFI<#ObMM_}3_KjH!-
z(bHL7hxilOl!K>a<Uhd!o8wWGEaJ(r`ltkbFp~jnQo29Q8de6^!*3Q8%(dMlu+x^j
zs8L_NH>n`_?BO%*{u@06B^1fA*0fo<seAo6iInMs*zdRxRQaBH++_4_el&UQ)UBdQ
zmy+S9p~t)CH~X+8-1)jWYlL)&T=07wRP`e0W?JG8bM$5IxTj;=ePfB34}!|}rm4(T
zG5CYvaS}v0I<>H&rRb9-eeaA3Z^>Dv!`$W}Io$GTNM}|bK09&7ia{1(jwZ}DOotcG
z#v`amKw2(l@Z?VFv3dDz*B)yfSEg(@@WOhkt+Yj@ls0kX(z!0@Em_8&39g?Rs(u-h
z2f|UWowVNd*b!z1gLW+a5nFYp7{3{?KZ32&*loUHk?cu$Svq3u%WeKhAl?1a#+JAt
zls=JoeaBtE(>f#TAuqMwdAQd6Yi@zM(~Ipf@ca7r94~3)C%)+iH$>(oRaag3OdBG9
zv>*nn%U+!J8wIBy-<)xjJ*PY~Y1rX3!!|nnX463iEgU)2%<{rDZd=wvAi$-|jZ&PG
zoj~SD<$R;sG)07L6h5ik3c3{J^DEx)jg9qG*U?(4&VkZ6J4S_!zQB~4PKn-@_OiRm
zk+GPG>7En02$z>#g;%1smhs%6G}c$&nk6nof0>{d)_g1l?6S^ju>4j&i<0?_JfVAM
zp{4wMkz%s&D@GJ~J@`)%@uji<N~BGztGW;{ek@eIE5V2IPdfCY;eT`pHYR6nql)?5
zdfA9ewT?fcjz-mBa@?<sXR<4iE-FkaG#oU_8P4Luz;l#|(S7ntD__lNx=w36Lul5V
zBs~ZtI=>AAcLrm&e<A@8KPz4q*Kb*UEgOqv_#v_XMI_HneSdVB>}EmOzD~3KAnfu`
zPve3iJ<r`{EN7^0KRc$%Rw^{5cb<Hil;O35E~7*10<ZTs!S>^&Nf|m>E6ZlVe{7TD
zYsl4h-P@E_VXIOhyAQ%1Iv?lN$ESSFz=^AC=@EJq=<GtmLZUAPkA#IEQoblSP%v*t
z;7zV`aFPjUwYawwzBesMAX0b&cPc%Ye@bZe4sNQp^25pXG<J2-v+%$_^rFVD#3>K3
zo&FE4{_8EZYp9Npt>e3cjlfWKxP;z>-}_9fDI2x%>*Vv(dX$CHjOR}Qr*?Dj<;H8}
z%CPgk#RiJ5czYiX|M?N9cEX7Gf!(FrtDu{Cq87r*-9ELy7d;GKRcRI3DQA;PmwROv
zcU02TYblnbA~9-nYHRws@|@>DE7K{&CRsCWqBt@!x?WYWofN~mL}S)g@)=7n{$a_H
zgsnJhe)@nnRe1f^MjIPjESU+ZjCKEc9ZW;i$uR3(<%{W92HrC4)D_F`@|JE#3AZ}m
zlk#zA01Bx+VD&V!F!EnJon`f;LSpF$wwyYcy_PZswYM^@?6-|`p9)-&<Adl2Ygc;c
z)l`M#FMtu%L;Mo<`ebG#XaAuw{#g5@GAORsEYTTa9x%_*pHzp6IUG>X&oFdiU{n1*
z-wq^mG@E1tF7^@Nb@aubWX^yDJ!0CVbn8*m%|s_?QB-yk<j8G@Sjo(h8L4jy8v*|L
z!>Jzw2h2O~)4*T4=)16$pb(m5a?|saMiazDv03R3hMix`N_a|2GjWjncgd)%l(pVb
zl?>9X_8^d->UyrRx?_8od=FukfxFY$w1+JF_!N}vXp^Z81#@q;!9o>NvhX>6dX}8a
zqD}DjGP<>8@Y<(b9hM|A?dQ#UY7LqJ_S)YLYORB;T<d00U49J5k`oW(Z-IyP6vw}v
z>om`(<oWMz6b7h8*?SA>^7C9v9cw(5agnA|Bt+#nQiE-Z9|5-pSC>d?V(tq~o6TSC
z{%b1$YpTwsYuin1m7UUHUO2aCV9zJC=mx4_2}Y+4t#yOO*WX6mFqkI1Tj}ZSxo|II
z@8t&nLj!HMR-UQ7{r3waD`I1L*W5iPqJ6UbV7&CMxjwg#oYzI8WzWT8<Ve*?k+|JF
z5#81_lX-uc(fboggB7-QiK(ax$wcd*AhiB-kXb=qLe9CvHFm|M$cTve$VI^mtGb#!
zxxqv~sHm6cyZiY3(A=D-S<21#we}}mu;}3_h3^Mb7@J8_*yMlyG`Z^z?YLyuH8!+J
zY4_jdu>t|xoH_ZwHLQtrLUi((Dw*VXc*32MqF)Ia8FM(-s|XJ--3NbG&ZC7`>FrLB
zRKf|=dOI%=JisbLmK>M~bzVmvFipwO9k<*{P#A{gH=Y%AwAXQ}{j9%P{?~f_s%`!-
z)Ak*xB~@;rCVjfU38<?b72I*Difqcc1<aWav}(ef$3x@|vn_?aEakX9f~c*VZ&yA*
z<34{fm5HI?<P@c`uL&Z1$;NW33m^#+;uVfMPd7X8=@=aPILY?4otK(GA*A@<_#elU
z#5Uq3YZ4?Em`6pl6*mekst*Vu`%W(s7s)y+WM`$(M@WoxMQpBwkU(3v)-A;++;T0^
zZ%(SBxhB@rw6$$}AG`v5y39Y0R1fVoB<w>7YYe*COG@_h5>seU1RqMV0!wB63jRY|
zx+fohOU2;87I5>kcE#vfEo&|&8}^VSIC}IoU$}Af$b+*slJLFHW5+TuL!v~-cK>OL
zq?R{FV}Wk_;6*0x^Rm|~D}*NA#2n{PRrPohaUG`^O#AiWMcR}qPPKJW^~#8>WzI0O
zZu+)BtaAg^cis3UC5&qA+epjNAwv7YvWY@owj7>syOO7k6Nf8_HD4Pt@vQq^ryXr#
zIDV2Vp88FM%11Ms9=W%ezL+F-Ff$T(EopY|Y|okOxkQd?B4=kn8@B+u@?pq#rxYY)
z#OJ3>NinmsVH~DNh5YX*$LkFL7(+wfDV7D?UAHuCBbf&W0)Jk&w4}?}w6s|Lhqk|G
zbAPw@kLmWCQ(1P;>YGZUd*VfJE<v;qrnBP+)hN4(aottOR?!dd$KEMLZ-6VQEe`Kj
z0%ox&rB6IRu8C_-=x^?JcKiN_R{FJYc#4<u3*JnNUd)8qk5qB&8bKAWQWp8{bwX^f
zn2cO>vl8Ptk9qe~*GV;VSD23rC9di+g4W<RK@UfAgUbe~&jFFdxXj~Kmj{*I)|FPq
zt;>ZBQ}vOqW@Z&uXLPYU)l8HdqhGj(r_W6h;L`DrZwYJ%g~*432WQbWvLm9oc{9og
zWeAl`faH2V8&ykpj?SB{{LFdV#qbx)a3gUAsS*~bb+AMz<MFUm;>UAl8KaCl@W<=f
z^K)ulbR};RI-Rs#sTV>wC1gBWq+>WQ5za=B-2j|;ck)wng9vX*@6Lk&RutAlRh$4t
zOWu62s2@9CIkBPRe`r-c*f;tx>aG6Ws48i$16G=D@#hhqn~^d|gIIEk$pA!y-Z7J_
z0}l8PEpy&-pM|tKX*g==CS`a%WR#RYOr>Kv#Qulx3YC1nXOP6mg^L9Ow;u583U_vg
z6?hMRkwQymY152pH1e3nJzmjbKlELi%J!(${AGwUlu_bDUT?<u?e6o-32_d}+sSh~
za{Y$*VHp)@`@@?|{e!Qt^<VyijB24?`Ob8O%~Av3ekZ3QCe>-G|IpNbITn1boCbk-
zOgjXhRit{Pfj6e6nbS*7Qw>h7?<M|3?DYe>JZih#)-{tw;v6{0bspIrGyp?d0B!td
z4c-VJvXyLlhLuX~qs=@OKn#*HQY*DucF{!8+i={qA@MVrOu3jY)Oon3u~U=^vQbd)
zd<@j8%n5gnH|f+(PKuZUL3Ofb+a;-~b2%%ic{2>enF=ZxPQ^lF8JIFX<kUb-vEB7P
zd-(40q%MTzgPb8YZ<dj1G0n<OtYLWSgpAGtJ?c%iOO3PTO=3HdpF(e6!7c?HuT(QZ
zts52z{Q=F*V-j~VTvHlO-*cq6Je$pdZB8~dV)YGS2EKGz^5xN3*^K9+Xj-ZE`dV#4
zs;|zj4i*O78zrn1NE^ZNnGP14GuOx?MTzE3TABK|$x4Dke-AV3;|4m?wZ)huJ8&|k
zInB`RXF>MKo8T5UJ+5K%CPSKhbBWuahq;;ZVXopLi@B`ZR~pkaX$?BJIX8p}=r2HY
zTHH;JW-OfID1I(eaE3Phl|>rtfM1!|F2cOY_ZLiKt%v$^kL4(FfWp?E0}3GSTxj&5
z&|X&~COuRv#}6E=)X}bhc)6SZ{Qktewdo+N{yoP<POBEkPmmuAiN6}ez&AR16EZ;1
zy!S=v2eku}8Ip%!p_~w(_Ur}Q`j0-o9&^4vHaFGzu1&$-te?M}Xe+<e8KfVgNz(J8
z7M$Jsh`U!A%vX6kt6L|o;C}*A`kKTmp;i$0cqC$61A5u6USQ?1?Ly6_&%k|Hr)ZpD
zOD@Q;tK;b>Ix!JzY6g>7*%KS6a&KvSr`NWW%%4m2Ue7}{r~FvA5c&}WueCgXc>k(_
zC;)|O|L})7McC&q@^|hRc~zKA9ARAk1l1s({c-NVYm5GvfI$0W<mgEo)%oDM?LSsK
zMD3THgic?iDo>NY`*97eX1f+(SVs{NnuJD*qxO%bFpw=tldPHXL%JE42&Ag%7)JpC
ztznv@N!&^Y`{f%it2Yn3t>J?@J>DVOfpu+8&99VgAgP2J*zarG1D6g@@}p>vQjGa4
zkuO5kbO`1No(d-ffHDK{YnCGQoP&buiP?UM+a_$Mm^`24EQ|B}rZ}~LC&rY-@y*GE
z8ObScF&$}UHe84FwdRCM&fUj*rn-TP)#75uKBujJ;h_d*(@i$oYMv*9a7vz+?>?i=
z4rdVy2+W+D;}ut&sZ4n0@Eb|OKQf3<rU3V7v%p@fa$NB;K>+P<h>&ROxK@bxB6NMJ
z7H9cvQ3&7FpcR{oKn<z`S95j0p&_ne)Pr-}5GC<6Je$jDEpt<UzsfvpwwytvtxTc{
zSdLLGl9)iW8TKiD#G|R}#Ujr;v@PiXqI{;5pad8VJ>k%o*KAEgXpfO*<t)rr#@OVG
zyq9UY9rk}?wLkMO<XfG~xK3>2^@>qZKxM)TGL8^@(eF0qR6!U-j-ce9o6c)LkC0c1
zYVA%qQpr4R4;;qHOAO%45bT)76?f~e)B$2Av1SxCRqkD@@$vp19#`7(B`+Pe!2oBT
zf8?{LbwK<oJ3pZ-AGxlf|I^-A2gUJydk&UBfDkmeLvXjCL4yV#+}(As;O_1O2yQd@
z;6Atp9h?x{5*&gqzxVdN+I?GFwg2qa{_(BqzTH(_eNOke_nv!CpT3`uxV-)lh8p6$
zrI!LrcB+!USsGubjoH$oT_kguAfe#kfu?a<+Tfc(9L{7-O?<FU+=}cr6Hg&FgO>*%
zky~pgA};7RG7BgyNb<qN4oqF9H^bW-rbSjDRpR~GOR@U%=!Znab8X)%Q+xCwHv1vn
zMc=nE7>WrPe`U{EWX)<9k^-U5zn=jS+~_di`S|*mcCGCNc1t!R8Q}%%ah)&5M#4D~
zG_2bM9-!!jEY^iOq0%uK2_pP>Njn@Q<23S&+1#it8np7nh;J|vUd=?=QO%B%GN1Pb
z-92HuEQ5k|i7M~&r3mpjXWmLf_B=FQ>oq;3W@2)k>J31Q2dAT)a=kCqLxTWk9`!=E
z+nf>?TN|{>vBR{8;Dv#vBf&zZXag(H!_w`&sIn%FpO9@K2@Z~jO+LjBB&BwPm|tHg
zMtn_wi){6gP(wnR*VYMo3h#ZDz`vXEX=;0m(XzNcm;$OhiB6RSEc`jOfWfVd%sb;q
zXqq2kR%~>h!rjW*ruWYP3KqbF?U3R5UOCFGr<#vk&eyn3nTRbtg|m}R-Uz>^xxb>U
z8H+6SJ7>FoA{}`}bVjd4g`CFNZqr4Un5;Z57)9l#aun>&rizcEi!5Qx0&=}p<ZZx;
z#(Z;`v_kKcYgKg3ZXDeL2i?$!^1-&%1@QN`TD;oBOQGD%w&r)*F6hfFZ}t*&3$xEB
zXL2;umDSzKU`mbChfzP^)-@=BrRx3L+h}vI=hE5290#Og&zQ+0RYj?Bgx6weiv}`o
zn<Z6?@28{l*AYLj40wDwX?;m%-_SIshXK<*B+t)-vORFvsfa-|KL-$!+=Hy`xDr@Q
z`V4Cy^SW^S__r;jvcrH$<|eJ~-nh5hADq!3%#r7dZD-V_(7p({6Y@De&*r3%F^Of}
z={9canfkI`WBElhD-tVt-hu;>K5zF4Els_Ej@w(}&JW@&BOtY>IS0Y-^aTCq75MuW
zq9-|ok_}(F4NzI+7ZB!R)-&eLmA1Ep;<EYm^m-~W<-1sB8r{#|+u_@``o<kso#B9L
zV{8$*p}RUVt;&gJTu#Om32K7y0%FD3#B-H%%@`C)Gi-Q$bcOJzJ_I*Yi1|gvowF;3
zRowtCO8t_JoIO+qguVb@@*FrOpUv;ln}(XEzmYFlN?+~`a!-vjQ^OG_;!?v?s<S2G
z;(9CmOILoRc+!7op3E{h#<;l+j5BR}Uxi`FTQ1EYq7l}h0H20t2|i`~axGn8Zz8hC
z#+bs#h>xNFTh%)P&dk{bR|bJA+u+CLVe?mL!eQU**L9il!{7bbzcWOpV<es|R6*9n
zkI=S9CrrE1do^6&t*4i~N=8$!wLq9X^xOXkD9gchlAa4g6Ba%^C=pXXT_Ar3oEpMC
z*M=ZfYwu5wPqEsXXl@|q%eiW<xBk5Y8;XL%Q=^=}=h?XjD^ky0w$kSPDb#TfS@*z;
zqjQ?8ex72inGU0`eVW5mnAH=;cU@_Lb*-zKl{y$Wu3qAy_IjxGXby~OUsh|(_&Jj7
zDAVXOxr~?G7lLaUq7(<vr%6ZHIIPO9Q>ApUvojUQf{W!0;=U0OH;z$xHK{5DcF>}K
zkk741so)AJM<a_)M@Xe@ND!F$%x2(Pt5e9_f?iwKti!rO)iqTmE!(7ha;^!pmKHYA
zkEQdX+=tp4I5-F2n7GT(Mn}8~P4?Hx^UlP;Gi~fL6uO4|@fVS+xRXoWR4^G*+0#1U
zvD)QniO6BF6?t%HbtMpf`eP_eXhDE|AKyMi*p-#{YqSeCc;fEI^;qB3l#*hP6~ErP
zI03Eg<e9J2wXfCxY^xz(b?wcJX72?k*+r@jDc@(Fj1Z1d4&t6Vbc5HS81S8I)Me?k
zN179hiUOUFsuDZn&)S<u+uzR#_*_1`q#DW3!%QtQA841WZ%rX#z~NUfQCed%<|KmD
zH7=2yavQX2$;EQ6K6Ai!pd$_vD=@l~JsoDvk!yRSo3~YWEwbJ<gKSn~dVhKO9$J26
zj%e$cnxYP$FBunnw-ZRj#y9U_PiQG-*3kb$mO<{8`?lM_gs$4N9m`VtO@~so5)@}R
z8ugsdsmi`*iK$vJimzLPsn2Y{7gY&?<0uIyqm{c?3XA(-o#)j)$xt{spJCtGj(>`K
z>d|gecu#_%5->V*BIv7bs(>9tL?h6)Q9m<g!IW##eJ_9Jp?)}RcPmtK<YMhIE<C7`
zZzrNMmps1iWJr3kcAnU2TUU*Vk#};SS^&DTH6;k)ZXn}QC1SC6WhyBN#s~G(Px46{
zi)VQshkqs?j~nV9#LWiMpnazC<RO<%9flt=wR-90y6zxUB_h*L%%zK`A6t}o(w!9J
zG1sqo(Ztf(=`N_g8xEt5_6kffC1}vS2@2NIr^{v1t}Cxu;_7esA*AG>G}>TN-W5Wf
zw2Z@3(?WvA74vaH;0<U`GPK2yJLcmnYJHa!iksT8uKJ_LPFJBCMht7YHd)KQwv7RD
z$}lb7IUic-G5~@z4gfhjNw(ydzRqV-?@@*F70zUR|EI|#aKjMOhM{)iny2F!bau6>
zalTvWO4ALU*K6~eR;h12464ihg}dbZU1O<&R;QvK!Yg{6ps?>m_@M@ASUO89G?(zx
zA+f5B5dS<s#D|b8nxA4A_x_)Z;{WE4JOj1^l+&(7$6jKUhHa6Wg2%Gyy&nX34mEb8
zcx}+*KDOB$0<QS7_~y^p$)g|0kFGT^z#u-0syT35ZtHh&Zbi8ifxc57J@K&73i0t0
z3ud%Ac)om$gVd5g()<l^mn+wDur%U8Pc>G0P?-gUe%`OX!Cyq=NF*dHm#}8n$1QK_
zQTy0l_SUiYzzWEIY#_P(d-T@mcr9mX<ATlitCiwHwYI*)tLm06kA*D#>e#%}-L9+-
zu2}~e{Ub*vE3paPo$H;c@%<k$9_O@b=I=r>Mc<ignH%#Oec#xp)cO@r?4R($6mn&E
zwgK~Fce?u>^W#zacH>5bVyJVf=r8+yKIYM5{-WO(+s^l7NDw$EV`%uO#kv*ri!D#C
z#tawpg%T>duTNMEXGBzB?gA91UftGWp>a2K;}O#Qcnzca`e#o&b`W>?*qEa(cwmmS
z35ob{YRFRN@mTQW)+jN|3SN1vHm6aySl1j3)C}u){m3+&t@as(*h7jALZycSmTFbg
z?;CGmt0_vb{=>V(uIC_x!7A@QLKxaVa*6-uvh<|EgKV8-v0hK($C2&k()AmXs-?u)
zX8;4k;6(7et1`sS1Y0Brputcv5$o31<cZl&1motWK3r-$cndEUD$ubs=gP<oNewHf
zM#w_eZ4z(McFxLV{HefTANa01%(64OK`^FHhn<J0j96zqK)Hdv#%~M0k^yJyJ{hVh
z3oyL918oEtwmk!!jJ~wLlux9k4*{azr+`#^QMJ`y<?E=f^~Kwck#sqr+<7G2UfQwV
zj(F52v}j8*x)zz^^%&IJ02lGBcP2z!kFUD8Nr3eoB6aU=^#*oXwXZT%&qz#Hqu<;w
z86X+LM5H@l6lPR9wwgjL5;y7);DVHi9{Iygbr7`^PDrNsr(U<HSI5~ut6PI<RFWF<
z39wa!GKO#q3hnvI|7hh%C-3`zquzBWm~8#TXKd#XW9Xp-FY2wD1;Voy4*D7s2-A`w
z$Uz~bb?~UK>GaBHx>rg87KhAZte@)@Hwad)W>p4n%)~+P2(n~9P;He%y+&Oc2Qd_%
z1%%hxX)mCFA30o#k|<}uYi}+Jf$vaS5S1<7{E+67MX53P*v^9LJw_Mar4RsV?1=jj
zqJTFLH*YS(UH4W@s{trsoVOZZ_M7x*S>!2&ZT=j~4Gy-QnyG}Ab|;U3s>fFDU<wAp
zU#k?DQBWxR_j9uhOOo^rk9e`Um^*$M=C^WjTG<VpeiT-YTR3OF9W%vqxv6M#g#P6#
zSgeG_oRePtVbNJKV_q0a(Q<li#cE>T$bWu~`~K_-`DmM?Cl?ODv0Riz{dA3=0!onM
zox#Or@$(WhvarC^QVhAfkBXhY_%vU&AA5Yw#j;Q}(YJYe+TEgGQgi(?4Z8Ry2vIe-
z0$!O`5}kVam8c-d6tK%MNdIj(BsQP%?&#<a(ZM+_nAW_3L542})aFe*&a(Y;bkEex
z(gs;4{2iw$#_NW>chr-l!;y+qvBB~=q{AuAS`D<VFRY?fG7o7!leuo&_9AsA_dBei
zkvlv0l0$f#ojnZ$?B9)HDKD8?WeiudbTUuxE8EO*KQToRb0EHLGZR%uT-@bf5>2O#
z-Cd%(<8F^!yYyp$#d~1JA?d6gq2=2q7F1d#b2AHbx^dJJMcri-Tn^QlEtGM^ScadH
zCP9&<pQm}OuiVz8tQ@m7Sui2W7>P~VvHKpts;?yD18mmcEWASm?U2YvB&4t}RkTB~
z+$PP>6oem2eTbQPUyW7&$x*g8n$tE>AjM#Dwd+}h7uVzoX_iz{msKB8aeg2W4>s}E
zgD+ECBxb%Hqz<N>j_$hMq4!$At~y|%X1tZJHBS>A#T(ajhvM6Qv~lg-l2i6owF}*l
z%DdLE)!xOHJL$SW;$B>sqQcpB6tHXUmFf*4dS}_NU7xuw0s2&Nb^u7RkIGxE@ic5&
z6Snp537=pUWT1FU$buWafqHm33h(C$!eyNKDJZ%CzsDsUnILdzn@CN0^p-V~P@0kC
z!(Vt}I74P?tuC6TW)%RS2POh&=c1+Aaej>oY)z^e$SlPsZ{1vb8d&6gRKDH5tkv#t
z+Z`Yt(CIHykn?bGFn@b;9P88bVc3AzVALGEU{UAB)IjAqOB_D?^Na=;=C=pVv|G1w
z`G6R-^5y=_o{F~jp2f7c3}-Q9o=Y^U=yO%xA&rpxOog$7t(SRNeZQ4tJydUT-ICEw
zYKwWCXjYr>S{{cop)k0g@@t;khiIL>?ZzK1x(rPQe!j~q@-JlLh+YL;1L-Yj5Px$P
z8T;CK^*QK(xeUtSFlF?I^B?vwuIn|7VOQ9<y5VktZH%*TBwBA?Y#;k?wx7XU)pQr^
z)OAuLhb|J!*O@YK{u)x@hc+&T*G{@U13IK0X-I^_-=MAz+j+kjKZb}j&T7O$OnY4M
zh(~D)#U`Bp+s1~6X6#ycR|#2I4icj=$KZg3$t<zOns8d1AcN{sRck-T&z?#I+j<FF
zE;1dK@e!7U%L%PpKn~*cJ0Z#8ufXAIn&Kt(Zf}UpNnslHGRGUaS3(dw6{(^Ya2WEX
zInvgV_<kO~_3i~fYkc}vD%i^srNU=cqmuWaC9A%W<OL$+jIix@Y@$)&5l|~*q@c+`
zz4jLbH2=4+1@PLKiXkBr6~ij2zZbkPPeDb+I=2%8#}z^^iCb2hOjlhOwRPorDyx}Y
z;!H}b7N;?Bsr_1!`L1tV)(k@`DQ}EOjz_9D8WA};KQ!4rjcc(C#&$YJev*2Gshufp
zxu~xlPiX%=dvF)|-A5C4zr78a_b7hEOxMU;3))xllvJq7#a@1WI~%T^`DXE+N7E3s
zP9JDk6htlAWj>kDewe-lgs4)t`-_p6(YUr&3TP}tZ6JCf$Y`2`K;e&L!A*@#Z_mKT
z8B9$nGw2A*!zLZyHZ~sp5T9#Og^LPaL65<PVW#40ul5ALW}*Ajalha9v!+Peu;-i4
z7<pYkG8Nio0#=KD`|mFoPt(<$@`+mHe<9y`sV*b^&+*KfZ1UIA4Y&90<f?{?a$e?V
zSWsI{*kg;?h6*U(doN!rUXc+%#gIN8T)>IEM>s6i-=9c=s?@dqTi}DD6V6CfW^N&0
zP(naDJ&ku()<*n8sik?@PF!)RB|mHFM}pr1TggZNVnVbjBXt?f{=a(yM))b6-K}^U
z-Czf8H8O(0kDsI(-47}_BRg%+gu_>GzNktmtP7Zg6JA{&)m-n<`)!eW?a_Ogq@^`@
zSVk=Sc#K-CJ@uB@h5iABc=Bo8jaeLJ7159d={YFTc^;Ctqtg#B>%3=1$<buiuEDmU
z9aqO!eI!iC?a*2XbNI8lS{;bwh0WstTKn+9*7)TMH*?!Y8p+$qoE@z`+2p)DkEnjK
z7HwPtb4X^n%h*xAfv4$T0grwD!7+a!g1V|Bw(qUh+S79Koy&iimKy(nRD5Wgeh9;L
zPaBO*4XJk!e-76sWu7O6#?d6BUVLa{RClctDQ&0QZcIkTK*<I1v#KC22QFCHoDT9s
z<Zr4$3)eB}ODGrQgJA+o#`2eMsdu@0T`;}x5R*(FIr<gxTI&^@QwV6&ndsW^#Aq*<
zqK<308hEr>KSJbqQ-v^J;#=)nMz-5Up46q6{Py7?_?)r6LD&noi%e=bHenSXmmG#V
zGIV#%cUi82zkZ&81WvDHad#Om1>+Sg)_-jz*)fEpAsHLjRZiMT{%%96r=$hreVz;F
ziS??3Rk)o@4LLv>kyg`JbcnB;YkwcQFY8*EV1|#Fm6jvPuMaPwx7F$=lmf}#i;NDs
zm~y8QvxxvT`YFU^9>B7b0TuZPUv01Wj_cM)jz+I4Z)IMpy?~ikq`s^~_tI^UFZ6r2
z@d2h+4pU*CY4dt3wxHUC{#VsaiBc7b)Wz^7c4IyrjzB1o6`9wOsvHJ`?Y1(KEP6p&
zo1`GFP<;7AQCE4P+xOd+vL@&s1$=>A>hI_W;7ulnQhEMas*Vf`$@C+gN)D-5gtiCk
z*>GFY20gayEn^Lh84of>3)5k><(<Z{36st*o9Cx=9_hn<Mbc(Gbv!j9Dw{UYKzc)C
zP6gzlU@wc2)A!r)O)1Kr9Zbo>T{AmAtTrC_P$S}lhI%IzyS!cu^bwwY<KO5SOK6;|
z82S`uy^OWk0&B2u8}apUc+0i)AD0tUCV5Cx_JC+;Iz+CvwVA4Vo(W}9|3*07bDoKt
zKncu#!lJ-O%8VYYkIEDpE;-!aP?oR`D&1IVdn->r$Zd#Fm$_1<n1e52<)NS&->thG
zZQu8+pn_Au+3-%+G?MxSD~qDVL1!fMRp5ISlGnNC6)j+T)l8IXH*tBenwsIOq?Tz;
zdp3LeOQBeaI52~4Wp|^=dmMS}yt;0ON!@|#25?>^35Eu6@3N;A{3f#*L$?%Bh&h__
zyKbL5$l@H>SW9A`UMbU8+EomND;UnMV=8i9BRL2W&fCWH#8j=>Yf8@I%&57riGydz
z@$3lAn4SS{fm^s#9e;dE0QZrO>dRxnf!PTb%{(fdE`fAlL(*<#vS?pgXCb1r1u+uS
znWe<4Jw_kLS^;cb5K&UhtHmd7p#I^J(woFa_OI?uM`a6xU*8PawdGhN7Jwjv!X$L*
zi%O%TzuAXU$srPhQmIWWqt||>s21-<xddN@RUScN>J2m*m+z{?J7)GH#qcY&(u)Yg
zp%+d%U95e)6}<{P7#U0WXrxaS=2?WrJ@y>EfVHX3-uz<JCOlM^#Bv0RSUj?@frKzC
zds=(VH|~Y=M*6X=zG-bI15k+FU>Grig@5w6cqF%Xa#m{3xa=4KMjNy-*cidV_ArHz
z(hi`H>Lx@>uapE``SEjeS<nFIpmDPLO<;u1v^@L=`zt-l*;@VXCV15jqYlfNYM|p7
zDh*ny#aq>!d?Pz?mq})cjqxUFdA$-V$=@GwWEpWwh8Ku=B*3A_H;u2WHAMBQ#H_WY
zB)nZmOeP3%LK~}L0?E7jL~Au<AdO`+b**xGiEuu<m|EgV+YNP(+ScW6bFbu0DoR#*
z9ZGes`M;hVE}&NkGK9|n=Mb!n0P@PB4JduWXGH*0Sm9{|zfK=fdW7a^!3L+Z?cM=h
zGO<Bai~pLsSo=}jrzy=)@~NkHGrpm23=eU!0|xDGoC#%~L$0mDP~ue144sHk>|Y8L
z(KSPuwpT;yUnFT;@=Eh02I<(dM|8SU>P14u$0G0VdnREVv>d`EDO_CBQS=z(z4Q_d
zi&9skO524px<j3fV+P03&@Y~88uC8g@f~zIOAwFK3YyFg!AV%1F^2+K?pxNc9ugsf
zxD}|{Bx22^T>Hn}H2ZCpi={;tI(FX%Cm8HRr3L4A8TA%=sV@*09O$!J!ZAu@1Rs}x
zG&HXQ;@_&sMRU^(ulIsg_8*IfhCcF4^a-MPU-{l0Md!55*AF<Wtfe_#i}vC$qfRjJ
zxZxnZuqKy(*mCs~6@RCW+7RtU{U)G#_Pay7?x9Gtd6a@~?e7IGqdDel{sq*A(&_@o
zw&Q^)GtnYoX2fyM$+-UyA*n`b1@&wDFUo?xNHNJD#YBZY*qG+%w{wjK9hR6cWeQ96
zbC9<29a0&QR5Fr?BdK&PM;S#OUxM;dm}X>FYWJRi300E*h?*3Ebf`3KdDuBXQCX1!
z!TS@ScKokW?yQ4ym!UnTjpcW?w%1kU#r+TL^Gp|aIj=DgtjIB#&Ui;^q{q`ua<#H3
z1m|ZWe|Xr1jc1-xe{p58cDIU!F0_l*6(8DQ#%u6qan8FlVR|fXv^x~g`ME|aCCg{(
zph`B(k89ZHy~6OqnpU$&HyeVB$`7E0ha41Ny@?yMuHeNaZen0GP`l_%@8!(c<J0p4
z-=Cxyz~7{eDX>UqN-WHLQ<of_#0y5ESbL9a4e9)gBIyKan1eqWEXD2D2-U5F?^bz}
zW3(1E6>z1i7Hvfe{F<wM)xyelGZ*mz!mnTy-t9VK&ProimOZNVJDUrCM3Hq2><c>_
z`|0gtp^T<(_WjGnsS|`j%Agn=^rY%}ZTn<G97Y5o^mug^-qIH;L#{0zdRYNiI%QP8
z&t>6wN|AU7L*$$O%0L33)9-Jp9!xQBp>;Ed*M6=qYi%4k>ldv`5c4VN**eK2c;0h~
z5a?s{{fU(rK+DWMiKM8zc+&9}GLlL^bx1HcZhK4*wm=5n-QHRw>rNzCc7;QgL_Qw!
zAqi3i@;GH7$q6@$yCFgM+<hhYNVS#pI?uvaa$j2>_D`nPgI7K9aUSwEOzW48mzIpH
zPk??F(#}o6jYA7GcxBbQC^#3q5keZK<^{NN#wRR5wGVm}gQ1vEP-#p}VV2p~v}OZs
z77qpK<=frSpFW_4#^ZdyT4L^cBW?jHdCa%abk?>5)rNr|w2Xr~vGK9mkF@pBc61c*
zeCQ`OXxJS3hYWLly<Sr=C^R?QLjugt#D|6J0Jz8N@K^UJvJ*}IU~@MIR~%R5Ag*>y
zJ>g(Vzfh$7{(6Q}=Br5ZKvSdp3k;9XH>M-yNlkX>SgsmeyBN1>F-%MJe0kdAEzQB`
z4-4HU(K6oALDJ-8PM4Kh1a|~Zsx$f5fC|%ly7MpJS`CsFcpa}aniq(*aPYyz3>uRU
z(~#NL+L9Pu;=;QLz4}etRQ2!ru6CR;l38ZH<k>}=%N}%^>~Z{|ghVJGue{SiaZN>@
zb~%`9DT4%XCl_6x*Nq0%&j31BJ?*(C!TxP%Zj{gm;JgBz8ZPq5MYWWf)8W|G;7HdZ
zk;7i>{*_-_buVP?sGkWlz^<T-M8{t%^$oaYLQd7=hB-njhGTpw45*&w?5!~j{i+5`
zVix|ucqb7?uO~iWH$SU1dLaQ0b0WP2SutiSCE8Y*3s<LGx(dvh;ar-XH&$wn&GuKP
zOMk)0Foq!;D+NZpM2w)t)<d?-l8HbqO`T$aJ#>NM%>@brNH_$hpsLRL0=~_WyU^Zl
zm(`n2%7J*qOInB(Z2dK(u$MXv)WJMSct6Bo8JbQ*hS3Q+d_CtqMDLp_6dYy;?{r{l
zcn!2Qbfv(c*Q)Tea+FWgOMXW|sELv`Q~lbKTU9PtQBqRO4~7w8w(!YpN&j$WVu?Qb
z1>wH=GlV2u#kkSOVCiaA&E<0YxbQ9KZZ~`;B%|uU4B(6it5Ketlx!dCFgv<>A;c;V
zhz`0dyS3U~Zx>5>6#F|h;8!z}b@~K57yH{?bGi=OejIubOS#E|-?P807%kl<;!V*V
zlXHNrTI-E$=3wT0zhf@G|4}87Brcz865szIS`uT#jX23Y%?JG!I)pMllJ`4FRI;bV
z#eV$LDLM8lYRaV$B0}t6Bldz!(H?g-n`QE=LQJz-I$Gh&kD@>nRQB@uYNPO8wiHAB
zL%nQchiGzC<vJ~giQobPb~h57(?oaYUqGB5&n}2yopZ~L39p4uxQ5BHV%@wWzS<|+
zz#wB}Gp73QYHL$pkge;baA*-?Juotn-Y8CeYoSj5p7Lqc^@p@=R~9gUD&JY5)|tD3
z*q2|f;T#uI_hSkBbS-yQw5oftJ)&eS=E7*HjlVWvSHJltzT2(dnyavyxR!)?jE--|
zXk@SL06U)H8cNWkDKyLw#e}c4qdqf>5lYX+9$S+bXT~znPxP>+*JTaX;5pI^pFK;U
zV33aW8+&20%8l3GSsn~GP<Ps#!sQ-frE;R2&fZMYGi1Y%;!ZIYNR4q!bh<Qs%yncc
z$B34x<$BdUlW)zaxDgH`ao^YTiKw6Stt=hrfE=DNW%p-2O6(}OXT0{SJyBLvUwfyu
z6vsFXW{EUOG%P(94d-V#d-v0lUe%^q%SOT2#o8h`&0Ihx0;z<wbttYRsn$BVPciuI
zXYoEWON6kcfja;u751(UhxCRkDAhLIAvy%~yL5`T_dPlz2$Kq99`nm}qX#3xRA<>b
zx19NM0#rbGGu-9;w_5=MQRjBQIA!(NJ85Y43Qu}_cDp0ola;rDcUghVBojvr3Z0`z
zi$dNa+%oOP41oTgG<Bq%HJwAG2Xb%>cXu?1Qj0WlFBfe$SDWfFms$MX$+NJLGIqn~
zY+8vP-exZCSaIPCdu>=Fi!WNlF<b_EAbDk%U93NXjf5eC`V*m3=~s(!gdS<Zu@im@
z<s$9^Ol3rhIrZHlR+9*IjY#NM{7AgDxg$h<a7t}|P_MF{@St6fsU6GD17B}qQ%keR
z_fp$E-(V@zxWZpyEL-yYrPYqnaPz|vK{|I6N)yM2<yIT`_zzYV?>7iJ$Xdl|@T4jm
z40Vr!bmj(>#>6SanKyYvW_{nRw&o|Viak&ijF<5~H+cx}X9+{$rJl)z+G?l@Yr?AB
zBxeyt43kXzC45o-c1lDs%@+{nj&pL~qM}>4mABmDC@GViLhH)=>DssR>DOyr5`!c0
zU3E7OHSx!OjZm~oX6M#J>m9}KTiclg;M&X)?t4Go_uPiA?=hH6ILAxJF+0+@Y`OC4
zmXJv2qqTQY70s%2i_?rNw{6Y2w9h&n=Vu2tesM&vNF_-q)Fga3HO=ge3X3hUX!xXq
zFkW&^@Jo(GlUedTh7L3XH=p)u#=*~KNr!nk41TE4rE<$T({7{ShCJat9>HjOFT#t}
zqRDYId}TkY$SY^$|1E){id@lZC!*$>nk+S=4EmFe^7SRj5&me1$M>uZ3pDJcZOUdT
z)M9&nRi$u|28DBZw+!%B=wH{Nu20Jg*QJy5_w-@)>PL4rO?Q%&(bqg*)8c=#gf3#&
zY1l~``+X`HtwboLM+-A}<z$}BwlfG6*drjDVw<0~SE-_6SS)9h!;(cz`=lV>Cenhs
z0MP1Z*~_?Sd_y}@l5Fk2p8<>M;EWNwS@O)IP`ta%Y2C9tX1muI7piTEA%tO(jBaTk
z$F59O@vyysj-Zn;NYpAC2q%j#1n*v!`81b;7)2^&A7!*;#%1rL0JDO1jYKZNA&nwQ
zBWl(H$!y!s8H@QL+KP4yDuT3hx1VWGwW>Ur-Lg27t$z-EuY&SAf-x?RKDvy`!dcj4
z3l1gdh7dN>^%>Xv+6WrvN>219!l8(=;Pf79%P`Cn9s$I*<I&0>PW+r?XUFaw3m$|*
z%VgTl#J-i(9ypAi8X;cqA}hP0g5@fXe#?mLg@PNc;^yl~g5XZewe$1}GxYf8M)Oy#
zS(@}g0Vj&vr|m;uCWtB8&s-0FsR6tXo@^$qm*#}WE?P_>TSOH#Z;SkAlD?teib;5C
z%53;;H`N)?EtIKx0xNG!_(*}$;vN0UGAkzprUuxY$a2w5dplW+pDm*!%#v}rH6Fh4
z=Tzr<%J~4&83r4p0Abg7r+VcXalTVTZP6dQj&Y6bprsd>sji!=mVFpOBN-c^ZacKD
zW(jLn&J)C0%IZ3H4*VFW@w{&^BoN51^4D(gKLY6wf+DH9a?OD%ld6xOH|BVEN8m+k
znnetrhg|oD@2w1LC&BM(tJDiS^*kaqcup%(8Rt=IYoe1^^7}?&k(>5`=*TDpv@#G4
z9V`MjB`dwX=APKt3N&Vq*Gqe(s%%hQo!L}#p4^)#ZrKBA!ApBLScIPyVDWo8*UM*F
zSBbErrw=Un<1xaPj-9{?3x)Tqwq>&UCY~ii{lFrsWc#3Y8(kL0bYMzQORDy3MycQG
zm)|Tu^3j`OyaLiX({uPLr&c5PTk_K^dVM*?C7-=Vhtz>>NNDhhC<k`~`CCfIk9BsN
z3-89d!iFEDUgOj!fc>)+A`{Ir{BAB`2XKQMb2qVDxYCl~3UK~v5T^N=Kwg5*I<2{6
zHD8y*FK|(LT80B{x4U>dg2nYxkkn+f79^&ouo@b-DqtouV)>AAHnb7`K(Vv&cI+%+
z<ON!BD?jn;$1aM!F6Jkz)2C;^%0tG`Gr-~6zZv?%zIyFCf!-vFr1sdT?@%{TJy3b3
zIP2Gxru()}BIUh)IE?hw8)e<l*l<KjR4d)0r0CEXvph=k;mvpceNsjY{aCEKvY+GE
zx6V(h_eeK2p8@m_4p_VSD1QTB)el8y0f`SzdymCNtfykE&j6m=0KcOL&*1=v>%5HC
z7v(n>?UNl}&TtzCU-o-NryE7TSqlGP{ZNG{EUMsNE_H9uaQllkOyjOIH<mr)UNA4M
z^!^|4eEn}!bhJE?5q8$y{-EVFu!q(jwX1v4qT*o#g~F|ORy@&>2hws5k4DaExC|$-
zv=bP%wg6|I`#WrEa_Mmtmg-7tDYxg{{)XBofeaWPdX+!0?Plt0G__j6)bUpRL*l<t
zz{Es$dR!&0J4+=9*oxfY*ggaj7Zj&({sLcD69OH-R*Tjf{WY@<c=de(Yv>`1+fmJf
z^B)0o7`XfR55vV!^;3%lT!jqjXC3)R@1+Lc=t{k8ovZ4Vxf^M#C`b3NV<m>SzaJrB
zzv|o-xo8WUPdz+e<bZ2ITrCEHnT#OLi%aJ404>@|EB`RXag6a%pgK1VE;ly~H#hg6
ze{Ev1N29${>wO8{ajoAR8V9G3^&Fl7gDU|SU6&GlYbIUxOj0Xv7Fw7vK%_AH7N3Z*
zw%>ELgRYkwO}xN2X9u39zXZDR>YS>=y)Bh1@(o<QZ{s3f=$7x9p8-YS?y-0cjgUK-
ztK;AMv4bFIJ23^Z>&N<g`FjDY%a`BO8pI?N>*9@?j}G=Sw5=}3y4rT&=Pl0wv1fq4
zd185HWOZ&!=rf>2|9%)_>aQ5tGvNBJtH#0fttEdt#e(Yf68R6k&wsnICjBemu>Yc1
z47>Ija1me;a0$xz>oV28<MI^n^x#`9HuVhH$aZIcG7uX!dZM^|2HZbb>FkJgi0yJe
z<v+eK&prciYa-4_u$}?@*IF+>S?dI3kp5H%+{(?a7Y=WHJIQULNBxV$W*;jq2w77q
zkO(O~B8ZUaqgJKtX<X_HLe0Wmzn4k6ljfyH^S>({2I|tSK7waPsfG9CWrk`NsrU(O
z%&zc4Y)_T4q}_RrP1(tRp)1&X`(ga-kG-$iBz3W(anGz<w5zmQLrZv^DZk%3!#Y~`
zhg`i-?`=K<Al)yI{pSTc=NT{r$A!ovzH&f7DePPdFt5v$;L;uN&941H$S&+PhWb;H
z#8CdDNjl5)J5CNcT5cFU&gVRB3%K8-QRHI4-|qVEJHfGsmTe*RzQKk{ke|(u$Kb=(
zY6j>Hf+xrJJ>Q6JC6Md=Y6K@D_S~x&VeLtl3oL$Z5G~gTx%STLGvMD}u)jc6>^H7Z
zz&-ji0QQu>Z~^XBZl0l7dx=Y??gDO}0Y(pBx+wbX#U3`6j2_7>p7dS*OKtgWFeh9*
z18%ndUEq+!i|E;hu$MIs&j96TK=+{gf2pDJuoe=fFBO)JF^x6$Q4siQSCE@50~thA
z<0#4`(8||=$nI_U2dcYp`w(FX7ntaIv_1Dx^<Q6K;b*}5#N%AYRJ%xqnw>$&dmTU5
z>?GR=44=E3byvm6{h|c&?vt^P+*70+Lp3$tRvFq`aK9V4K0GgvVhqkDtBjo`QRvC=
z3~<Ljc_-v2Npbbk&cIRW7w`J=P4XMvuKwI4DQ{l+EeAjRhpzurn(N~gz^?yq#cTmZ
ztJXQ}eBoj0I_6RR?;-l>ivhm!->9Aa$H_V9VDq8V<==`Q39D6qP5#=9KLf10=f(2A
zcVmg&Gz5UyDgOKMgW<m(kNjT+8S3L`cREG-w|^x6V~u~ck$>98KRx9izwzQq|M8;#
zM`H@<zmHS@i@6%EDEbZ9Kb6xKm&h?j{kUFN*{+QZ?jMynX3y3&$`X1t9F<c+qP^Da
z#8G%}5j5!=T#4YbABO7v`R?Ok{=v&s?#?pnC3+Ed8TlD4@;#d7G%9~e*M(v!VUq&B
zMgcR@(M8w$MyN0;j~&Q*)g^$Fq!EdM<&v=>R!?lZ>l|}r1=pF_H=(G=F!BiS3^>{2
ze<TLIz6{2CWR!gdocRlEWj##?R0fEcMLrEb15h6tp8+zt;*XRe&j5Kfu?M4sOPe{0
z8C0>$5}Ieg!0k)yaWDN;@o@Q*qF(GEVNCgdzWiTqju+SsXf!&^pZbDuPxF-de^)s4
z5^bxr5|D}cs_{DwN(R~>i~Kx~sZ6%$-RQ^fdBl@AFg7C4g0>vF*It4jX#EA6goVAI
z>!}?2^ni8RC9q2y?ce%h>UB#{CU!z4wb*rJoY=duyF&Q=saW6bgCzT5jM1N-X8`(E
zJb(URK+OpSOsVKJ;pqPJ>FgOscO`2;H_`)p!v7$0%lpCV?rHjgXITvOsk<=%^B;Nt
d*zceA@}FJqpZ@WWfBFB_pZ>2-9{#-a-vB{^HL3sr

diff --git a/example/system/amp/openamp/driver_core/fig/20230512195526.png b/example/system/amp/openamp/driver_core/fig/20230512195526.png
deleted file mode 100644
index bf31250f4ce2a60311d724dd61c4c17230e2c66b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 114642
zcmeFZ1yp29mnNDxg?r)dR=5}L?vS`sxLaX`ySr0`yA|$*Bu?RpyA&>k+oSvMo_YWM
zr{Ao1r>95yo?MFz&RH1|C-(j#cI^G_cm=<10MKM5Wh4O*5C8zg+XwKv3=n(!?|<z2
zr%L|EYIytgYYzY&9>NeB847|N0ErF(g%0uB4<LT)B-Fpu4fxvy3kMJL4jKv)0^#ks
zG8zE#?Sg=Wgo8kahJ}ZPf`);Dg@gk@z++%xVx!}{$J0z-;CRQz&duZG>gHb8(A<Jc
zMovLR&8nphrsU)j@k~vd7nM@+2>5QCaQ;>!!Q0sUbBq7d+}juATcr@NaBmMq&;d{Y
z2q-8BC`1VOw{I8##M?svItC0T85RXA8#Xy5yNH^4Qu5TaF)RnCinB{yy;H*MIhClY
zYe2)y=Iasw2@2xv^`OuJLV#Dmw;H4;_KPEzyK8OmBXOOhuamFi%C`m!=G|4d-Xi?g
zwi_aS((S^EV~$d-o=yafsBaO@y{03qPN{lk<TAxcD$gqhWPT9sFGd29&sy8JJl%=d
zaE}f<a1W77Pb)r8SKQp3?9Nkcmnm8dWExuJ<>eJx5bAJ$do?KI>L*i7JWRSoOE#Iz
zL>Xln%9vrAHMcOq(+_CffYnz33$cV>#l@|YXUHAw+5MMGhHJyDxLEV+`}LU7XNB(E
z%44xp^LwjD8x-Ha>&NNV1>!mK`W3{E)?qg{3E}6bv%%e$;`K?ze!)G%)V!wJ{ndf3
z_ZtM=dr(6)bAEr{;FZ$_sAl5H-tf@w>GxkP{548{>C#_#_-oeqmpT5gx%IF0;jdNn
zzuG*1;o&bl{Dp`Asd$)B2zksSrl%3+7_svBB5!P7n%_U>u@EmVP07X2Rw$l=M0G+p
zI2Mp^Oa|p9z}B~NA$9RB^@E<56xH*X1OE2t!LQ=evzPTp54+n}fQSDpAk^38^NG-N
zp4=<ol(^<?qfw!EnKrIO-0eE!Wha39N#UaGdu~b1yL9Z}p7k418?{A*ek<U|wxKNb
zdQ|peYLtAPN=Yd|HhkM5h9%=Xw9+jR%J&+D90sW><VwW37~BxL+MTD^K9}0{2k*v#
zaS6Rp4drrlc*HBo9ioZR+N-L7$85u4grMi<OQ>fFJ3o6t<H?n+7io2plkRwuLk646
z8@WUWGPiFQXGYC)eXOHpwHPT4HQ(K*l=MD7G=vR)KPpl82!%9&l(sD|$!qK!r+uDa
z6$j9HK51HGW@VnVB<|1A9%5&Br`8cF*Ix=)io#K;YFW7LptM~$QehF`a|v;%wIKIW
zqZ~sy5#~Vf<3L2wH)C+RUyMD!j6LjM(8LR63DNrlJzoJ9zAkr3LnPyQDMFPU6`>?s
zY~3;+p3h$V?|gX8p9i@QD_#K&uYk!{0BQ^ri2e4F{V1<LSNO&DsqEQ&`#Ix!a!ZNS
zpUY4ErT(H1^#aeZFzw|{5JFFag!M1m1lJm`fW=q9{wpACFkn05ccg@=M7c|yvPWa(
zD}WA`I1j>poxj~Ult`_~X1}4sP#?^#TW__zFoU9-;E1d|ff`P(205mfsW998n_XO7
z1x=uC68d73gIz3_ZGb~{d){djE8Qa%Ly8*DG#76(&2vA_*F4VmdR_k#D-#A4r(mc~
zbT(5a1c0O!xC9D=RsBvS*6f6ZNwehQL0P0}rO;YF5hr1GUex-%keA_<2w)Ovb}U?u
z?3e8XqMK`T8j)d^=?IyR$m$GS*Fpj@7x&0&PIOHzOMG-XI-DTEpQ+AKS;Kwj`Hrl<
zJlAjjmZRX7X8;XQw7pzp^^gNoIibS6B$dI#Rx?3ReYxsQrAaZ)a<xxM>(1QMNI`ho
zfG=QT!FP}$f+CI#;S>vWQt-;2X-oY)ab-<oN5w~Gb`GW172@GIGN2lu4r}0jfpts!
zToO6HEg{AH+pAWS|Fq$_`-6oTV3JMyoJ@GXLM~R=EoA?MJh^)FvOCFV2(<OozV-y#
zc#0idgzLZc`$-aU+NE{+Ogt|XaPb0H?htZOnCDy~nbomkdoUKw4QHXM5xNoYP8!oo
z`Wzgi9s6CvmA|6AEhl_c8?wX%f*=s3A5w6tgwSc|P{#>GX!TYa%=|;4FmWeqNdHqt
zJDBO(am@M97P`px=!EFI+5&M`<>o~d->*5M%`a(R5(((b_D>vKWQAO!RR9PEAKNtZ
z%6{sM?PB^CdL;$XKW(<1F)h?<m<Y_E3Ob91nH(dkvQ8Ya77S9GR!1bG?Fj#TkGq?O
zwU9B+UuIc(#`Vp8TJ0N-5`dHcK+6NEQiB#-*nGbmUCB9a$+L2eL*4mIDhtN6>qv0)
z^2Uq>>53{25)0+?_m&+vZ3Dk)I@wbahI{U@Xul7moo8cys6)qg@jgl(ClGhJN4tJ!
zQzxc(BqST3i|-8aWp3$Rt=h*2C!&Y?9No>SwC&%)nZU1Lpn|36!jHtY#M;^_%D^#m
zU+CRQ(OXE5g(*((oj^jo#o?Ysxn2~Z@DvkP#c2Yjk+cP%j-5pL%d<+yI3(6H#;eh;
zIuLRDS=Yl+_2bSv0ERRGQijF|a4AF61Ms4JY-D*y3Xq`$09F!x0B?5%0mRRK*)F`A
zgs3~?Mxpy!_9-9Lf%#nXP31339X44-Pw?ADg6>wL^T-tn(<)27Jo|H!cFsJbER>?F
ztCH=c*4_;Df>mK!uv=4=Az<z-R~vpb`oZB#Id?F_F(`hcgp2F}oa!4NpjI7%FQ3eM
z+KE+<Jx?F*nxM<YXfzK#!uhn*Xqs3^8=jq`v8rBfro2N2`qqv$ltVL#Re?x9MaMDL
zWaH@LmSeQ+pjkxIvb(#%kCK*<J4s&!ebTbA0{^v>X9rc+R@_^(l(P(r5dd1}l>UWT
zN{0QcGihKV>dmCnL))Luh@#Ac)Hry9Ucy8}>%^%BOFx3NWtsgg$%|hxYT)Ow<VM^T
z3{XZ>6Pm3pvAU2gu@KYtAVv7VLvwu%Pa93PzKsPXHX4DCucDxWqP#wy&<R9V_6tPl
zRQv{Ye5?QC3*T;b`h>I)eiTvqP=2aykwxXHWn|ZUAH+ErlYE{42SWa0ijBh_CxEw)
z!=nUUXP)ilyg7e7)K|H)#1A#MuJ8Bzqxpj2*(<=`|3&Y1Snb1F*fSr=`QA>p(1z2C
zt$%x-?{hAt>nt(XDfs@)y?Bdy1@{!%0^I(E{E~c&AvpP~67}!bJ-s!SR{%ze|B?4A
z;6BQBm;LV_8?5m)eL7Ro!fP|@ZO2>E-_8jVduL=j72(qm%8Ze!m!w1u1up;@7wha1
zO(BAWejTl{87oAW)h$?dy1XmWx<2u^f3odBdcShY1@`2>I~cY1^m~5Bb|>&$_WAg9
zwh>2w9Q&9@;lS-c{$97u8X;Y;6JgEMg$Uz`tjOl*bl5KXN>uz#hK<Ng=X(bsp(DP$
zxh3Dhd@q++9IsQncAdh9U8?O0i`Z*yr>tUmg1VfdHC`|WODgO*ZrUi1$tIooFvq14
zOHdE(-9C-y4-T|m672zE-0cu*q^0pznR#|swSjbHjW`_oUd1V+cbb4&0c}W>P~Xye
zV!T~TO$s+Pc22@HM{VcwL?}8k>7Bw*!tR^&1)<QVfTv<FwFk~&Uj|3@vvCXg2+3){
z5JXC-i@vM<(fr8U@56$4Hht^do;C2`JTh2!F?zuxBc4vA>Co{`h^Yi}38QwOY(l(p
z9Gg-(YU?8fKHI6*HdSbADe|J@u-Xt6(TYi?Vi-m7l1|8^)diJlHopt}HV()_G(KrI
zrFGbjAC5{{H_|2>NdIccNNq#91I?LE9a!6{8*>)ZwC(h(ygg=cJATBuJqE;#3UXW_
zv1cNiM565D+3CZhNFuDAM7lU)Wbb2c2QjjP{^_qXsOw>r_~ESj;jF9usH=UKyPSQZ
zQX)(_Bh~O4k#w}!lE(Kop{?`Ad{-?}p#Bx$?xh|9(}<z{teWuCtq~bz5|3EyX#W5)
zrg&Vh`D=Sdkhf+P_$J3_di+ao$ZCfxZnat9v@+s1B2VOOO=7CtALN^&K<udEb$S4H
z1}r6aGfD~Ww8CIR2kQy9sHm!2_GRtmOk%~;lec|@x)jiCj*fTsk&R^tQ5atXG&B@~
z-NeMVy_BBOQmqkLt2>aAX+LBAgHyBcC!EuW97uDV=#YM!TRxrJlwYpHrS_9CBXTC|
zhg8RbAF88?Ry#e$a9>m|CKNA%Kam9r)<p`i4xa34X2jT#i{Yv4NuR%yq?aZ!;&-Sp
z7Xd2fqtS8X!>vJ;8lhejoRlLDl5DBgJUhHuvaEL5-Ci=Dhl>TB5_%TDl3<T5tvq7g
zk&&nZ8YHPMCvaP2fzAp7=}4sK2!g!BYb-I)EK>8VQlUJn9S!XMS}9#U4_T)WD^RO;
zH~h$;Yp}zMn8w!0FQ=xJI3=P80t|kerfrwHm#m!bvBSWNu)E|pV^4Se6)>i2`C(1f
z;7{O_+W{}@p`+>sZg$-fWrO(0p$=>>RNd!)iEr}XZue~lb`h+ZiRIZ=;MtDl`1^vg
z!QamykAHIP_oBz24KyF24jo$H98ukx!N=Sr3&!2|$SP6IMT5)E9|hbgZKY4Dmt!VC
z5BBb_0QP?`F<3YpUN(bC)O>sRzj#-5fs9*T+L2!YLstJ*!zJXmt{BU7?hoIgB`I%o
z+JB>^G2_Xg)winZ91JB2ID_aY!q`4139yb5Hh_pPj+ooes_$vHGxTB5f1W~BkWs8R
zK%y)Ma)a+yNS<ue52gzb+nuwj-aEDIMB~~EPPGukn8kc-w{FZ4)2LjUTh>@_{EYA3
z1<u^7s%}EQT-5jsN%tPfUqcpK2V|TX{CM~XMX%L@y{qirUCN3+C~2Oau5EfxRKbqi
z$CY@D?;Om)Z#}g)Jl$TRrL`5*5U9;l&<$RCsmur}M#2q7h&;TC^xG-B2vF^#9F%wL
z<k=Uap~nN_;c0|OINL7d=ZZ28Sc@$OHgV$0gXapXB(26vxQlY_bT&YP#f(lD1;7U%
zs|if3C{B5bdIg;*S1}cAjnD63tV2r^8Qw9wUer<aGAtu(U6Z+GH%+Xx+Rir4e;KRW
zD(~}DE2=U#)>dRqF1t#;-eioy%z{5oOgy4OmL$rj77LBqj<xJ;pGA5fsK|47p>U4{
z>IbDV^RXWz){C-heg#YgI78Sqx|%OZ!L)WdB&AqFMRrMAC^%p0t0g%~b{-51DlChZ
z4Yyn}^K2&{p8TWo{-1hhfivw)>?H^F&c#`g<ecXfz$LUg)c23(fcJCWD*##P*5(yp
z=XmuB=-_@(d*KXt1-L}rlPUW*y$Ji4R@ICygOmpiODh857rk33tUN|xt+%b<)pj{A
zCj}A)2#U&auhSEU)6G2i?o5Xg_J;I^F=-KUBc3Nd?1YHCEZ;-Cd~51vcEI(IknO(i
zd<8rWG`Z}$_z9MJ2yF#{Vq*7&Cfj`n*SJW%_=C3XgS!M+YhQK^1w9A|g@~V<`0rOR
zH*BSH&eoJQh<v}7ea=B<E3?hlIvF+4j^XVL%`yR}49~XKgI70j%Trgc<#^JcxGFj=
z$L2*s$4n)DIi*iR{50%vft*W_Md8PnEo7^Jyu^CfR!cwHNRU`d-`5Ap4JW4n49dBG
zH!U0}f@nZ^Lt#R&_W?&0PkL3FA3d+D>R#;?;L|1K2fX2avAw^EZ5|FWZlP??jqIo$
zwsh2*L9MKLDCN-`bJTX78c0=WZndN`nd_{h_zt1oPdBv+O`<7|X3h&<%XXeg5#_Sl
z#umhrq^8F)BuvZRNl_GY+o#D<bDsIegF=rxqlzmic_@Z_S+8ebh~D-QNN5jxa5%K>
z=4NgITRp2Y{ZU_&P6hd@9%!q{y%055!1ACwmw05&-LS@nZ9thd9m2AEGN+Yv<MIx3
zL9<MYom%Z3+0OW8Z3%gguMU(T!<@CIfC&mzN}33xvl>f^qKL1^v1$AkCP%*$8_k*}
zuA0)xLr|sp=tFInhNkG=$a$rRd;o9)|9u|N{O1NUzUWBWRGj`kwYC_J?<SV7Ic4jE
zX&hn0D4}=IVK9@{SFTaZ_hii8FokIZ!il@F&c*Rlq3GCZ9T%fKkArzY<d4p_VWVGT
z%%Es+jiblmN7>m8I}<GKG+l%vOFM?%;f`aADxwExLnj6YDx#@ps+x;vLaM}5P8~^F
zG9F7YpDG+2d#TPhre*Pa(CK!9XPPA(jucgwY*sxp3lBneS@qnq%l5VC*kO|Gs~m`<
zW>s-$)poN@*aF%3#%x)8vZ;Rv6h#qICr)g~s!3T-9V|N+G&J=Y4}<H#zCq6J_^s#`
z5uEGMQz{<(x%7}RlS}SU6J;NW#PIySRl`%5pKinytux|P#1xV#B`=H$TuNctr<R(|
zo5)ccC#)Q8#*s^9k-1RH=hJ&PzXBd#0Sk|<BA$IuvTt6LsyEYokEtQ;jA;zod>8pv
z@Y}XabJB`GC34s`zpc=yokrCDd)#B#yNh#fus7#9H|4QV8O_u1yxR1X4x#6>%9*lZ
z>5r6@$Rln|Z^71%Wi<TmqgBv4fb&zkWNHI^k2_vJm%IYal5skmBnwgqBbU?2%O8~2
zvqH6sRE1Ht@pH&e3-S05nz*AsLPdwue>8-PyzObPDC=oxqif?Ti>bXzk~)f#1nLi*
z9a2}1I;MRXKC2`4;s1tMc0}w@YJq4`F6$=8a^@dkO>4v|5TcWzI<`x|B7^G=RJZrI
z7#`&%fLsQ^P#1QV$mG%JMp;-dxbd3lBzszA8l1@(vEQD~70b#@WY~A+QzJOjuA3RK
zlOn)VGP=VG7{H5fNi0r$3_+-nea~4ExaDklIHCAc{&AEz93p%gUfrO>`-taq0?*~>
zo#`1K`Q!|xmuW7~?ktJApmp!N#tL5GdzXcA$`T#KG(yLeu>d62PgTB~u{=`q+z7)F
z$1Wy<AEPlT7HRqfiZvy9BqBQ2f=MeqQ-LF_VzC3tLh$2obozmsal3<xe6%;V^2zXg
zq<fYoJ)8_W^{ZO(iW(jQHrVbO%GmhW7F3n_I&b?>cI#(N>h@Y&d{0!4#)<qqw#5|U
z5B6;jqt2?*vT_zVrOFF|9fyN`L_uGk(b;l3zHP$?n+9%ev$#k-{gUO@Mz+W@IY!pC
zmWpQ^<U7>NYf{$fA8idAf!uSx^|FoMhh@EBrqkL8cBalW-tW!EMJ62>5HNnBqJIU<
zzxnE}a27{zGs{8589Y~*R#jCjv(a=0q#395m&{?2fk-1TcB_zeG{E8la?e}m&9TBq
z#is0AQZ-YKd@aHVxE8{C+h`!{(uO7ze6<x!o#w=SqN#;3V9?tX>aM=RL?@~CW<Qor
z+XohqEL1MdGH4ibVLT$u9xMO&l;81(UZm_On0pV)Fz~Bd>zWLxEQ(M9xWQgvi0&3-
zARK4#rykhC;$zqi$OGJfRvNp>m|=e35{-!JV*=P*sBtEjQkt<QbE&B1>aO~g<V1|b
z#S&{Q&W#$rx>}IYhLE^?i34rR4>H`1mX<NXsaF7>YRo(ouo&D9rMZ-_gH#vWmQr$(
zj8n&UYJB;nHM?_7my)+P+D9%@<Bp6lqBz~_+!7W_n$=0^|GgSHKkufP#>r=UMSP#1
zPq&uDszH;##rAqHHXs6P4%u`Xpq*5{_rK}Tsi(z$jqX;_f<~{ub(EYwOGTO+oJK1d
zvDtm|QAKjgsk0ujQYEnrow}Wa5-7&wTNA03u|F=4{Be)MIEm*a=IlP)oz%3y)SOfc
z<?;+5*?}$iZ_h|`Fe(envT0>MXXsN$VEk4Zcf)70z*bF65qddtSxhl&5Rqke>*@^=
zaedb9^FHHdxVD2F25ETF=S0xe$pvm-=B=8Td*+%7y`UIPtBb52&0#9#+tYpWnJqtf
zqz<Dvnv!5_rTD>1ky{lL`{4C{nMTqt0>M#7+e$}pf96jO)(_I!+LX#tH9avv=|DMd
zXQd1k=!u8Tmq15js*D=6blVF*OcpYIuesCB+N_YKhcNIJdz`e1esP^m-gb->chc6#
zA4kJhPSu@w<zj#V^-B*%*tHBS?&x_JBd-js({P@D^809^{vyMNwO7E4$uh6sB`+q>
z;8Im~Vm31sT&M1?ECWEkA$A8ioI<GvW&YqWf>Kp;hjN5)MG{_l8^pn#oUWPj{snjB
zASH;s)Ye(dJzchffs+M8puMcjI~m)VMg;tGtsHHzX{{s4H)^%!WIbcFXh%Ig3zSc<
zfE+r>BZ$fwTm66vJLyYUZIHg~%*_a*c7_Mby|CVd!5LE`;l`jK)d2kyTCDhtyuclM
z5JVwvOUWNPJyHiMRut%8vaylpq(IOLr}mEQi2AyfAH)`*>mghzGv}g`AmH8VxToq{
zqO0f~Pgj?z%n&Ocw1NWUl4K0Bb7a5?*5U{RS6KQCvo^4NG5uH<@C4MTW0C=TyMVAN
z1)%`4By*IwrXPOX)$UT_fvA07{&CNDNnPK$Q<#!d#>rG?QhJ=92p~8XI0me*z*hb>
zbbk%q{}o!tr1)O}`}jA&&MzT;`d7d@5G7Oo4X_74|Gxk`%5FMCgKuJv)0A%g1G~5<
zBarrrxg;`>-!@y<U6Jv>3s`j)-6gwngbMr6b`4FG@vl?8Mx94;At_eIMMiU&@df42
z&a-hp_-MXZV#!CEr*}iM@kKZ#;Isae68v{C70I8Q@&jo;O=ZA}v)0pN#ba^OVYVW`
zZi<#Li<9nnB*ZzAH3&H=GvMlyW70VH2g}AhB{lF`Zr7)R0rYLwowJP@(8s<36(`bd
zhC<3!1;0jpvHNX5ry^}Ka8-MRjuGZ>6F_bym~r08l6wtiQY&w91ZKR*n0eLzVzAYb
z+}DsJs|=6hYCdtWYY-u%A2KSNW-m)$bz@3_iG~w>6#MGxN>!Q-l|~#@UwEi|V!(@2
z=Q5t^JHUQ&o=iiE*3MI@O2(*{3~pMcuUFOpia!G#303lfJop2X8$WrGf4e!nVIn4F
z74Wj}XLDa+=kj}K-c@?OynDX41h3yWY#*+t2;Giu-|ps_`tMC<!o@1hExZEy-v8G2
zfAs(L7F6AHBa!>?3Si8eH-7~@zXE1n{KpQHR1IbdCzGlM8aQp*vg?^-1vth(cof#+
zJ>FW+P*Lv7HyixKgyF?<sQ-W$4+D*X!w*IL0h-*2{CJ=EM~FrdV&+V*6EFL<CCw*l
z-`zNIK))3<{Re}O*V$f{NUhhwb+^$8mcJ6;0<VP5hp6QwoJPS*bJ>+qtw(!_YE>|!
zu{^SS!lAg|HM`D1gcL^vA!hwIymchRgYOcKlQwhJ7$^vl6!w0T!I<{fPpCu^y3+^T
zNq*v$J;wO%&&=jDCDmZ!t4w+jl#vq!n60uNbu$p*)mXWx)L7IIR{x}to?0L9=`FxG
zUh#W7mS;whXFG=Df7b%%xcTGHS3rr_3*kyq*b|D-c-*Zs%joUbSAb&J6K^XG>K&nf
z7Rl-Un^|D_CRw%TrB}eRp1>>M>@A4$3WzcC{{vCrVzxKknts!S&LHs}zWzn8Nh`iQ
z7M_?-Loa25^sglMk9&G`d&WeHKR#VhM%2BB2p)tm`sV*f4~zyAhBf^bNKTv96iTim
zspb<N!+0p$S*i=ngbHFT-gZv{{Fkqn6M}W=R-3tkmyz;pqq{Edr*1-merg2B&)cc)
z`)?j(qK=bo-vGkc=XVa1n4mZ*g^9K8F6uttW`dX}hkd&t0m%giTKaGe2l8t^%$sY-
z09UlMRPxU?VC#xXx8B$qpsiccn1qI9?~Y^LfYJSCMs7zjh#h$lDW5QQWAOPc*ixPv
z!HMl;T2zU}8c?(*v+x}$Wv>s<W0W^=pEd-9bg>~FEUbKQNuoW*aXv}nB|(j6p6Ja;
zCm~>+fjelAGEopJhf#<oIhMp9M;4gVyR6x@cMvwVhDSCVGuP$L_oe5KzhKH;5Fr&B
zy{py#IAg2%1@Fo46>u=$`U*Jd5?W**aCl<BdqdV#mCKuCe0~bJtm|gnb=1si-M<1v
zUIE1&zdiFp2A?AQNe+a5&rz2QPLeP*>}VLu94-YUN;k8i7ONb6--GEdT587?Cj3#`
zDHB$9Kdm8^nmoL(Iw&j^6E4vk=j7q;1Y#&Uv1@Ot@=VlfmGYws45dim$G{d@Uc(l-
zMXt;?WqMT2ZnYb2ip;uLx4R4ITFz;{wRgYGd2=gjRB*mU1&qcxu^sEMYGj~enC~{~
z^kS$HkiK>SHxi`_U5DF=ub8#3SYk_zIXn}^!BJm+m;!3`I|@78RHvxFRWrIa28Ob5
zv=8&$1SEEVO_}d4S@d?%S~hb9-l2sfkT7l^;f3bnZJ*H=_AyqkeHvY!+d1|i{<chX
zZ_gi7x00y1eX??Pwyth+_N(refVkg-zzKY_;8Y7hjspXhSDQ-zv>s^5PPM7&a%SAL
z%{(*(o_{gd7R%J^E}PStXz~i9cDrH~&xfLdHG#(P5}&XQOEeBk<9VFGy#z)48SQbu
z9Gy>SQa9F7guOLbIT+;<9pIv`8VDlQ;13!WhI54dibqutr8`b%9xeS@K_{{Y!P9~;
zITB;ruE|;3*5|NpCQUL6(SW+CjmWc7JI4~o6T4rY%oJZ&w_o%Y%RJfkZl5&DC_eUz
zM!<!Jw;>Mq+bFzgrkH`^$1jia5KlB!Se26f$M6iqG1}?H7Uf?8`0~KRq?Ei?@w+?R
z9Y5GDf>u1>JO^Tcf9~Zva!QgC>jji`hQ6ZoHIIK$sk`iOC-4rR-E80Pnb~Je2HvAm
z{U|sUAwhG*^;}_rww0_P;&rvEZQQc4`MMA}5Has$8K5Wr1BbP!u|xcWlO#}bGS(Ts
z=^gwTn+u4|C5z`GlCd_FpFcS*wp@pDR%0MGwN`l$HqDF1;3u0_7Lxfo;~rx6xA%nX
zpa61o2(jI4UsINuJ^|ldtaS5~<w>>_EgCXqK-A}Qm^;x(7G<G)0=s9<Q(g;D5HHmd
z8?#bJodl!O^}6pXp!&^`CXW~Ttr~|s<rir}(K;axLqcJ%NHX`R0EP@!YzDXKn)xWP
z1^VnUbsUCt7P=#@yb%s!^PlaS^UbvvKM|<33FN06yKU=1nbh*=!T)%>kly}a>pKXl
zBN|+B|Jb-<3xG1c0dU>gmCJ$DV2w*FLc)taOH*2TfM6nbtXP!IkuN8q6D25$6~MO{
z&Y+B7H~x18{fX55da#(dFo7p~rgJpQjq}kJ+o6@+E4iB{t-=bDovU=n(PXIY%jrGf
z(k9<Y1Ns4Xu^nn{Q%oyu^dPiwG)SlsXQ}!!UC2di8@By6ZYvw3Em+laUpI#$RCN*b
zF#&DHP$IXM50k8XKGgB)g=8FvpMynNbAl<&D4~~=aD1XiDC7do%zV7iwaE0d++>wi
zvjTZiG?|ynFO4KCLPW*TiLAyqQ3J8fRY%GiIQA@=(uw+#H@bNPi$Quy|B;dyssA@5
zG57B*i9fdjxnHC;R}6zsKT0(5U#@r%n6^^pfR<a=*Sr3GyXWh+Fw2x!jKz<WpxjMC
zc#zSPd8DIYrG`jLM(T+x+Ik=rhW9fTs4Q-Pwk_b8D6TCNizySUOhTmoU8b}miipYR
zYcw+RrDA8kSq&HNXcutoJ+C-3k7XRBI5}k4D9^*7aY?A>;|LwgC_{7Zn=gDURFbq>
z0Z62M31d9~H1xfNh9vO4z3O^#+hbYBK{yn27nqwZ1%$?Hs<uPaL6_+_Eju->aYl3O
zeYvPHw&|Z=FktaqVZfmQ4&=goRt<sI9!#CTK<ga9vx><h+(Ea+KwmT4k2Txpa@xiM
z8Y6j}Fi8GVu${MDI#N1ZLi_=dVvJ&?^HQQ=!?(Ccn6WT6fbj(>87~}7W*3vUo>(T7
zSa17`$8;2bK|RlYL5Hm-7XOVo;Ord|xeLLGf9qPv#S$!dW^W2*@@?_<qh|&7B5Hhw
zakN5_ktC8RsW3b$-7xV;ku9QmS><T%!D>-eP&l4k@AX_)@<$bDDV7VPdR({pjc$Sd
zU+0;kCh@^PnGVt62i?&U;^Q%E$XgxsdNLfqIy*FQ6B@gmG;ToE-h&W$Wo%rbWCL+D
zwjbJM0-|?iYhEJv#d!7{0>T!BTcgxEDB|s8!Z4`Vi;e7+8dGW*i27AQm$SX{Kb(SY
zsqxN>KJ_<&EKgBMzct()qtM35C+$ZYzTXs!b~GmR^tjv39<;Dv>~COY9P3ZDpmCNF
zl%W}>85UG*BZYxbhtUAge*plHzW_V|sBa(Z#6M#`w*M35py-=|gr4><8yF-bE009C
z6DTUL+Clxx38U5#GN(QPPYg0NEI}Y>o*h|$9kiw*6AIMt=>FiKl~lL#Im*^!x8;-z
z<SfG<*X+{W?W-2mT?|^W^+sQ@1DP)C5B9u;6pf%9+?U?W5f%&l$QJELt-?UbG#^Lp
zYRM!RSmkxba~VoiKC{(0uQW!lbSbskOaU2kTZtZH)-T%3|HMov`;?@jg~O-QD~5}&
zzmwxFJZxagn&#7x&g>kn=Qv3W9WD-on(A~N-KT_faht4aoT}x3=l!`OCw6;Q*R-1n
z<kZBUD6`_*p7Z?p>pxfbEIz9Gw(EZy>Ef{-eI7o=VMvCawOO5x2me5O>}-ujj*PNg
zx!$VOG7}Uv4`t;_3BYBA4*-w~lu&xpr_?f~7B?_^7r3W3p^%z?fLqXfP`(yNC+r&t
z95P<e4Sc%7Ecs#eE>aXzxVcoE0uL-IDJrbc%4#_@_Kl;3T2cy>fbERE*sNXzL)StP
zp<!~;RznSK-J(v(iawvchIU7$sliyD#ja@Kycn>;tB81&PH*eh{~xNy75|nV1OIa=
z%6}Bh^2^CII-+I|l$K`^V19}kXh$4&8<$ttEx_`1n%B*zv0`iF!6p0vVF&GpT716D
zA{^t!W&7gHAB3m>=N1fNnm=W%j(*UQTvQ3M;vrb|b}3+7M8pD@H{&1$sGp)z0f>6=
zgUwQ7nH)HZQd!A<aauC~=r+@xRcYm7nihwR>#oW{iu(ArOrDub2X0$+CT`il4J~w*
zkZ3DA2Xw?0l~k36?d(9NKvDj&?2EDNy$J!6C`Pi_i9czRTviro3=gRT$k)mP{LsEd
zW1$|vF8eD0V}W%W6Eg16QAuZvDsq_59_#)`<p|%fb%#0?gP%Kv^Yx*rcEfWkZt%;G
zh#XBT=5>jzT+lUu=U#-2PTGQ=7M3-1bz^-_L9}obEvzZi-|ds<$1QxTzrR%FcaY*~
zqV1*B9J*;XROK2E=lG1N&;o`<(gUD#RoJu0cG8V^Cj_rT1?sl`+yc{dU1*nrtC<wg
zxzNnVHXdK65Lw}5G=#0Vaj6Wk0#UwA`Q6FJtBA2K0#&9$MH@m1sV^}>RL`zyLJm1D
zN0ZO_VCJ9A60sWWD9p;ONywInU`A6p8_#fqt?2syrcL4^Z8Hq2C9(P<6ny<HB^;a+
z0Ao5;fr&LXr;J9U_J~Ib9md2)*b#c0E@}JIJ9gs?x2{6qPwla_lD=O$Yf42T0<p-z
z?)S9_T!LD$eGX3e+1x&!_&$4VQ9@)pE$Y5Q6k8}zs05*anD9B%66P2#oDKy$SH27F
zI=%_UbB6GA(Ls);=J1eH+ELoYiwO~&UNWLRMbAA&7fWJRiBvR@rE}uNoSb-OWJ}%j
zJOXad^cm&R60Gc%adi7`cCSma=ys^*Ii)BmtxrQ-r3JpHWn9O%B&7OwuRYcBogI1r
zx`T#rH@u1@0^DyXyYAvn5F_~9lCoV=V)!<dwkYDI{jB@?jmEc&-~OM=SGV`~1WLNR
zKe+PbO7*_ZM>JkCRXCKS7mXITF8`AGq}{{^hib?_E<W1Cq+~%6Ovvs=j4=-RgeS)~
zwfAKMl$~F6uQw>>S3vC;{VdPIh+8V|GvHxT4l?5q6^0q239N&*`O4`~piE~j&sPSn
z-UXYoks=ANKH5T1l9IZZ!};oW{2|Idtj}P$OkZVTa_eRH76;59p@z3F=g3D0BbNzF
zgLNFQ{{9TJCnXZhhKyy#o8#b^DydeJ9xa}2UtC+@n>C#>^I~<Cmzw@mlm7T2&Bq~E
zds*ntZ)P>;{JCcQV@b`b%v)Xw=y%_RACgyAGmomA)nabTZ&({6fcS_O^t`G-avNqX
zX&9jlS>U*La>v0`VG5O3f@A_^yD3}3QWY#HD2@_M`4m8_<NHPpW&ZwODEij_$WWDW
zLrmtI;_8xUwEKO9)#|#y?@PyohyxPdJlgjv&2S$mJMMQ33bilz0n9fHqO;Hu_(_O+
zm5kNdrrF)3p))pcdb#u#;}=PmM_X0562?XmPeNrz+RW0odO#eD4T3krryX+PTiaxe
zE-_@qjo?{krm`^yI#YhF@yO&`&%vs5Wf)`(%6(E-`56kAhrJl9ohivv&r*<pTZD%%
zV9^6@v~n2jX*ZTp5!n6C;=V2Nk6a#7z8^6+4zgNG_azg4I;NLhrpI0S7hPVawy%KA
zM<sWUzMF22o7`?U8qizn$qeei9qVMPrd$=9Gi{iw_uTBU<l(G^S{)#!7tREN<P)5x
zX@L?k{I-SkFs?nySn1dQlFAdN{>OlH;-A&Wlj+9i`to^;w^;l1BH0MiH>1$Q0$D(*
zGiAD$qb1VY=Iy6}nJcas>6D~c#{BI&GjqQC@P3)WrY+4TjWlvu{9CVrs{1Lq_o5vp
zL%e4L5=8JuUKjf53z*U%97!x^3akPOsc0}Dnjl9d4!Jdn(@|@aah+S`?^ze4-LsAz
z>RDQK>{Man;h?W>gr1{(h<v7S4!~MeV#D)MKB=A>^I+arzzEH<JIAv*^t5prsFHTw
z;&+kjD<IQnf45kOVNY;$cb#BAm22{a<om6qkC4rklGV|zs*iub#WTy3VG!YC%8pv9
zM%8-?pG+MNl?J-gOxdU*`^u82>Z7(=f|$WdkZAf;3Km9f_CZVo-HkC3fr%I$K?OkC
zNO~oxRI#IJ->r<vUD>n3B~+5Op=eOP=pMTcJ*l*T`cVD>#G4N>WFd;4vl)w|^_zm0
zZ^)EvlCGJ|s+@$pdHL9g<u_xiWb*tQ`^#!UWxz_E+8Uug)<gVyUA0x1(^q9<hs5cb
zvnM9fhnjN5^4Y$zge!%mTB6qO0X#Gj-m$J4_>~wOP7xg50OWY{8u&?tv+r}5$x*)h
zY99RqH5!SGggl>`^Q2Qmv_baVf<OqK{fl*w(ZqC8D*Oo1l8B7KChf;`*9@&)F=p9H
z=?`YY^58__)3ys8=Z&0GGjwKV^CuS}-xynmC*VEQD`3=*!GAX|@z9{FNh5Qj_ixw|
zP8axRY^lcyH2f>Jp#BA0`)+J2U;l=!aN+t-;~E*x7da`w6v*Ac9poR7;IAU4S0WY&
zsHsK*hmf;WBK<?k(lAjb@%izHXswj-`H7-|{ZRdwwOo0GlYW9THu#^rxgsjZyzLLV
zZiY_g$!^G5myRnGa#s@p7fhq>j#xO<(t5HZtYvaX1NmfGNeGr$I|quAS27yY_H*$j
z=9(Evs^Ym=Y>eZATgQi$GFv0d@jY48$A@yXnn)uWx|uO?ak<zUSrJ4%?GZECQ8-zD
zoRb*apQR87WE#CO*|dGY(VyR|fTA1n8;V)nud@IbyRQJGhC&~N8*Q<?r*FQ^rb_e5
z3e<Qa0&X#Se37mAYPc-=GjiRII8&cSkQ3!=Qhg!^HMY1spm{_M)OrLx+4IOHV=)S&
zWh}>7PuG-~(k*uQ*eR+t^a+u3h-}AVzlM#w8sT{mR6uMym0t+|ZaM4)DsrSG9}gXx
zm5;ddv$4G8sfp21thl{fNL@K?q^cf4#kO}G8o+UF8BXpdZz5-N!!cWx$<yBF0PrFW
ziL!UF_C~%0o5KN-%y@UXc6qKeT3P3ca@4GJud{KsDo*jY<&;EtQ{5>?qoi#ZrNJo#
zhXSy*6hFRWsu)*^y0g!w;1D>~F|~~G2$|{<yaI6igkJ%d>yhjCmOGh_6`VNdAk=~A
z9A_oF42{xoON1cG0zT=~y&2)La*&;86_9>xaFLK(MdOqG0d7Pie^Zi&{9U8FBGH7;
zJN@RL0{_caHa~8A$HLT^hL27MNb@~_h~(;bm4#k(t~5p>C_IT`Fdv-La_~743v1YD
zrzz8HEmZk6^1<g$JAnv9Jurw$E!(l?^Ev;>bdh2H>Kvv+y)e{N)s<_K#+<qDP(=0B
z1bjgF(dUd4lNsFjF+CQ|aeUTOjsx-BoN-ht6Do+<IWVnRcHw5E0+{|rS(7shqh*T-
zBq)!eh5R~{XuR8-&2CdAB;u9u(-<j80uRMfcZDh;`Dl*<orb`?zsk0PSv;BZ^h!$i
z>RT#vi044O%X(xaA6n1VRy*tH|F1du`7Mu9rEC0`>|3mw<9>2f-cM`HH*K_wdy>&E
z?@7q&bmGo$VJ~-P;k5AX6#%vUV0_mN%X>>d>{hHOfp!}A`Jd8Eb)rZ9OUfkRaLm<e
zyO+>*7>@$EcQFNvWd#GJAH9W=r1p@&zjV{HjH|}PLJl<xJx=tH=OWb=$8`{8t-**`
zpnEgbH7>wl6#gxYm#oxuZ1phmuCVXJq=BwW+iYq(t$;>r9|ab0dYfAHDH0q$JPS;6
zqxLn;{t4J&Cxf3j2f;EtpeGZVvBvKwFDGx0YwmzFQ{5Db9OfN$BWqf0VwgTc?*YL{
z%uHmJbrdG*4yEV#J#h#>6(m9%-+?Dp)wS&g`<u2|WKxPR3W8Nff&8%aDXTP!BG~Cv
zrga4{9=kEIk?lAXOAN5G`HUlYL=ehW<cPE|k!4=$P%Ou#WwuG(Tq+fDv6g3bRWYxC
zC?Qh+dxy8^WW%Mt+`{}w0}%Z2Z?eXO`)64rB<!dDtE`3pMb?C;#k$G=B5U~f^U-s_
zv=4ZT8X3yW+RVZ$q)d@mI6@paM)~&^P!st~qUwb5A<$p6o9GbU0qPJFWf0y`(lQDQ
zi10&MU5xDuU)(6zl>9ujR-9;=YLkB%FixG4)sjgFP+dIML}aHtXI{LHDQ^+yVe!v}
z05QV}1-tbaGlfUj3$d4|SNYqPH)cew?tX8Qb`GLVCu=L6{z6X}K~1cO*T>a1^ZR`U
z5iHsehf4gOTjviTo?@2?D~402XAft)my6Z-0i_kgM4ALaK{@4N(&=N0m9j?jo`$>W
zL6H;yd@4thZ7E$ZkIz=-{5vTTjY&_@9*b4nng#q1B-eN%W64MEB8HNunSCK9)_X(N
z8$;&1b%DAj|MTaPcK*#r!%S}_!?vXDC)BuKVOvkQ`zx{kwzXxj{h!6!`VU3+|9U%r
zens{z%W_9X%;1c}t(%X|<UlJL2>0=>wBRcesvtuH{+1Q)*3gewag$`TPZwDL^dOgV
z*3D)%i)w@?s;s?3x^2`8I<1%H?pHv1(}ZEimm>u3#ZEeXp}jobd#kvS`?&ghkHP!h
zn1;7=5l%iXuA?qJ%`AO>p3NiK@bQ-ydcOe@+yyd!A0GNfG<Bw>R!2~wlA+iS$qh{u
z4(*#y1dNRl@T7>zprABv;b;36N)RXl4&;Uox*_^szoy_XN9ZhS>P67ntnS4&?@KW1
zBV0t0?ssEjxsnC!54fA^DNqmsaaD$*Rik5w*^MAs?A;^<xc21ddJTgcd{!m?$V~q;
zpsk>q&)~%pYx{V3=uY8g%}xjYBDoP%2Z;L)Rlzz{5(n+nKxy_*ryZy(_c==Qqe*VW
z`}MsYWiZ0&{=aoLxJ~9il8JVV|1n={vh!u~?Ie_v$HrGcQ;XLtV2$9J?iGOF^9pDk
zc#1C-TJ|Run$=v`+ukGm`&27#5<zaE#~X)NK*jJ|+IF74r?0sGQr`3XH)l=;r~Q9#
zbcR9}jD9xOryJVpc8Uf@2YmxVWmTnc0_Dd_f&)nn5#JYoAq<n}2~k2zS4h4TWyRPe
z))u4I9=%sS$P!!5tr0V+C%U4cu50d*$py2#Fv^~$Vv}y3^bo2z-XZp4`Kvn`CwC)m
zjVCAVQ)YmZR*`kbrt77YSM=KhW9kztE3VA86OacYb5XeQtFqxRh>7;KBq`irEo|CR
zWEIEN1w;swS@yzAOZOjvcU7-|h&Yn&htX>P$D}-UKZQ?{QH<1TO*h}cwhZA>ehLnT
z>(=g%WMU#LJ#lDOQ`|g@7A7m#5pT)wNwY3ZpIV3;?soe^J-P)c=Bur+Sl9v7EU}-E
z!h$c1*l2Mp*l-Y0L)j>j;A8YW`?4Xl-J&-$pef@hT_i$1mq+36SVxuJVbbWSl8FM`
zG=FT36}YRLK%rsP2kL5sj6xHiGT7}$nQAkf)NPElW~b=dQ>D2pdjSUAS#pdujkPMa
zSA%G&TNahrmOW{GUKlZTa((C&(14F1!hJ163{v`1$|T~V!L|^2HecR>G+(ffb6uf!
zw(fD7hYH?r6%Dq*G)+v1f!|F|K*|H=`8e-$Z*JB$f5zmEpi>{%SnD7zZ7Bh}&`cg~
z#;__badqJ*DKg%1Sy|<HlO1~4>;h)-%B0hs<9g*<nXi@w{O5Zs3U*riI!lGnYO>f>
zX9{UqsigRP1>%21bN02hMj--Kgl3I$8`4lB%wZp%r}7Yx9aqx{p3<?G*eq3i7d;jI
zI=O$6<I*F!-ZE7m#p^S|+8iK2XZj0?C(3aTQHMPQ_)sMy*_>R2J$X<179$cX;TdK5
z%~RxD1$;yCKO9K%f7P98n}5i~Ob9jXM161-+8iI|@$cDw0>7PvBzXHM^n#yvy702J
z`F8w{r^D}(CmX1j{r8um`EMDUPhVaED!Ok+uI5_a`Fr}-2%r=LE8HBanc%=#J)fo?
zePgu-!zU@5zOyTxyD3(zG!s8}5#7>EQ{nbpJP0OD=)+Aba($kpy{Q|j9Jibzp8f7v
z77q|q+6xup7!IQSL4hjv0dkHnX|Xp~;*Euili~FHAyf3LN52)x=#H`3uKE5n#$LoM
z8#yR@!5TmCy`>w?faMNkH~;!()B54pI037rY@!R*5uSDjPNbq{2_r767I6GJw<8yY
zZy$)|^3Sx4XPNA+y`yQ-a1dv$!=pX~AfdSuBgr)DO*Tdk`<fPDog;I+F-hJPxrHd-
z^5CmLrrf^85!;>kIV`W>F+=%L+efJ{{9&@WCD*slpVHR-+)aQ2Wb-6F(KWHA;pHr(
zwQbL|anJ7w=T!9{+QpblCFQH%{x0++HmDJIP9(saTg=H8hn<+%-r4gwqM8c|zDIs9
zjoqPV!<d%lpq-NqqQPcV!oE>~f+Y}n181JNx9Zf7Vqw6&P$urv3^h^#eDp`84n*}s
zB}-T@?B7~wI_996Lo0-kb@W2>T$K~k1YqXmw~u9?Hq}T0K6&FvepX4aD#4P(p$0JJ
zZZr)+0+A04;Y@7Xzpgn#M9;#fxraZBO-?<JmHJi+(rotoS}w0B32t^La`D5d{Sa{P
z?vFk?KH1euqqz3t+FC<RYX0JZzarp*%6J)PLl`+W?~8sSCxws!fZBQaWO^l^&K6D1
z@|*3PNv-T-Hr|fbl%9xH8i`U_A^m$F$%Irdsm53d3md`ko1%gc`7aQc{v53L#qxNP
z=(wNpJaNiqb0?5484jvRzmLY1%uZt?c2P*LQ(mJAN!_x2y{Wy+3q!xob8r%P41JLX
z9}_9TU%b(DG1zMwno|t);^yv_qdWx_*C1AG952QM8b&@=Iy0~Xe@ito5z?ChP?PSz
z#*MQXjj)9G{T%ISR4lx4v`jFRaDpk;^A#+PFV(-mmjvz-&+}quR6bBFrN&~j0pNz8
zeuDNgSj=(7jStK>bV^jcdDw?)zO@9-Fbn3XNvkv8#ZdSp%?dn|tc-*$^=<hPO3nLr
z_FtV6+*6p={-uZibM=tx)ANGY5;IX%;}J<|5F_y2x2(%o06Em{%#bFF*@qgJyY8>*
z`v-B%yT6NFuj34*X6RcauiuA#7=N#X=6Pmos?Ybcvu55-9ol)il4_2LGJM@mWwt>x
z^#@|+1$~rr?ewgx<_C4DS&RJuBykctiyuiL@fqpq8Y=XAW}Dm8$JJPSyGl5&_EWxd
zI@uYLr=sz&I}RomqUkroN%)Ekl6J{osa;M}h<*k+7uw1oa9>J-?3BiKYgFy3e2Z<u
zkA9B?MU}>#sIo}7fvIQIqrWz`O>eju*Ula+E7dEGxnS>OtR+jle~a~q*P-P<Ct!u_
zrnIYnBADwopjg!jJd~JG%Qwt@UR->m`x32<lxoQtHM$UOw<QG^7R__nq=#ZIwFlMr
zZC%GVgy+;=opc*73-W(r8m@H#+q&-t*fZd1&@{{*l=&4$PPo$Q+;V7?9{kcP5Cz&X
z1z8%=c|lf2!Pp;Lh*F+fOt+LY54wfW7!(l7P<dbtjYK<sn$hepmgJKP1LpCm(Tg*d
z%Snc#m&x7I7AF<vI2~GvuQ$gLe1u$FAXgr;+zs}mys+7+{v}iEtK?Vj^_G3_Vj$#a
z!NvWe#`7@zmT)od`Fx-LmT)1zr|;A%5I@)E?`@z@)yV}kD48O*;pbXC8oWPl<*03=
zA{yEP{7f_cMKxW47%pQgtM)5ij*FKUz41%Rwz!!Pc9g}vh~iup@7TV9YHvgvVyChH
z@{xd@uX#$y`lr%zgWlZk{Nu3MOf`Pl&)?AFjmq-&XFOQMOvVy$*xy_K-kN9-KbSE5
zfQlgD!tUNAsqaLIp}PZ14aa6limj#GgrU=MXG1oQ5U`Y^A*`cX?!?+EDP1~jZ5ORR
z(mSiLH@l^M+b)dJR@+Q0&#HXlmAS7mH*V6!`DuNonJV<=vt&%h2VmA!{E};RHKe&)
ziUoTE`j>eqJQ6;qB<S>3yjz|$35&M!0s|Q>85FV7nu>R#cZErG#Rtk#J)T#T(JvYA
znC)xt2GY2_6jgXf#P9bRTX)xVRvM8TH7=HiATKXbO}^K{$v3air&7*!+Gu|#?d8O(
zrzwNCmNjfn5rYd%G_niQ>v~9MlSK9f?HO&{_?fnI_00Nll(mR_x8p~@F81YXBM9v`
z6sE@~Uk!cus$pjug&@J4%x`|Zk%w&*9wmqaS;7ZTWo^~tE`7P9=b*+eVA-d-`1}Fc
z5<L?|QAq`rQQ446_S=u#Z?>~+5~hipnfhtPp{;{nZ}g>F9$z)e>8|L9Pj4X~`Flfl
zyyU6sxHt)56u$$O1Qxf<i6U>fo-Vib(do|g@2cd?pZE67^Y5*F`%J?$70p#vM>fr?
zTg%wFGL&)J>7pyH%ZQYVY@~P+h*H+<0gdDjP{b1#YsYqxOhKBpV6JwX;_e1O@ockw
z<*b;X7{3`}P8FWF9dU{T%#uqF1FXp8dza4l-}pmj8Fq%8K2LzL(2GUqKkyEJsLyoq
zY%GYK1%988OdRUiIx|m9HDhN^1%3W?ZL^Mh!oZLjUPmA5QeYCjSn(DeP;i>$4Q7_n
zp@4Y{3dL_{)QnozFnktius%vH#RqxKm`IK@V9c>ZOJ*eoSEaY$BmKk-Ki0(6+5S4H
zSip!8ffj8>>}5LIunRj{Z}p5^*Tf`Fi(I>a4VQTu6|4#cMXjh=Lbe%CI7Q0-&JaEL
z>|OLNLeB*D{cjft=u@lnV$VsSXt?A(kz^;=Cm(MsQ1L83>wS6b=j0ieTE*q|_%4ag
zUF^c;y$DGy5B_+JxcF{_P?vtw2DEbRO9=Hm*vIW$+b)}(h&H)lI>N<fH%^_8A3q)e
zkKfPS^`ea19_w`WS5W!b{&rnJ0Ds^5m|`^hK}5~46PW@woxXWP+K43*)J6u565#3<
zgc>61S(;f(H}_Vtzx$l;&EgzXJz|BAEq|2RDCN&+p~)l1-W~GshK|3#aDlV<IzazZ
zx6-i^bxcP1HgSs!^#`4bht{Qlph9Vbp^y-jAF~|R*tj<#rJ=?{U6h#b>2#T#7Zos^
z>79IuN5tm5ZbRL9lfJUSmJ-cYOO-4?xu7ps>!M0}hM6oG9TV8EHcH8qepH=!A#O>7
z#_j5boKBZom2Izl&!LzIYqt1~9K7cIuAh$0(mYsTFAKkVpus1<#Ckk?&!vXWsDBk^
zt+xB*I+v@fe&om5cXf>qMw5m=-Ng<S=yHlas=yDis83$~YELJtvyhI$i}D}3;l&2Y
zXN%4ps{E2Rh{N<L-!U~!pe&rrFj;i*ChCHzG3}b6cPY_GGTAogVAF7B_0^>xQ{V0>
zH7m-rRcDfe5iQE_Kz55fl`1B5?pV0it<vG1(sK{W$(f;!Cr<T9$@Fz?+wiSI!Bp+b
z;p8J-tRAkEtkva5Gq*>R_))uOw~N^%e${L}s+*&4rzY9_p+FZ80ZsbY4o^Or7KyAB
z{dbd;Nwo1V_F9SLl#5jcq`|}ghrPFKj&qB)^#m4!EoQQqnVFfT7Be$5Sj^1KtQNMI
zxy8&a2Fqeg7R&OEPb&FxQ>onClcY{=?SIf+wca)77<0{M$lGDzz@$x@nJwg5_phdH
zd!jEHUogMhI}DMmjv4hTo!ZjkSzDUHb^Kyol4UB`)5_iL%;yr!XZ(Wb{123=2NZ`#
z4;^a%dMY|@@cD(n_HT%8L7i9~2Q;RPb52Zcpj8{6l>^-DN>zxXocZi99xS?s7ljQr
zTlg^r);Ot=u^)Sf!mD%bP7j1z5IMiiVP43>cad@6cGFnS;l~*0wykvCc+F^!g=F&&
zYL(8W`8g+?{&{J546jAv&x-3Jo}@iUKrwiSH{`_x-^nh;PTzQ<Dc!Mt5m#O#z<jfT
z{xcG~K$pO)nbt$RThch@y9Y-S9-O=B@)>y=rm7M9vfjEPLsRfpH(zrhA6(C9^~25|
z_eNokmOsSXzx*w!My6zr3dfXCR<(!-X$g)K#C=o_*#i3(WD2*oT_+ig4rU<Xy~=rY
z4K(QkZ>@Tlo~sE=>+i?{l}=i|O3TBRjxb#DW?8o2BmkQJ7dmJ#1(qZ{<`*g7Gp?5L
z<e;-6zGosb$BWi;tgB%j<3UD4wAKFfW`u4Xnu^b>@DClqXYCU+RP0_T#4Ru;F~Op!
zdvAE6Wx;RB8G}hToo4gS(2gM;7}&tHRpKQkh>8iRe;2#;Xs4TgXu>xVpfbb#npued
zCE+0$h*9Ov;YiP<FU6L2{Kq%^w~_HbP%qK<qQB3&-Q!GwG8+BWHejUyW_Cw<1chZy
zKa%gn+GvR8zE8Wzxm^?q8|<~`derjN_xS{8sWgQ$FMb5+bze>i2*`UKiP@Sal6fRc
z?R^*`AIaD4nHxJj8*(Wy5KL?PbS&hw%2ad4$2cud@ju-oE4ib~U|<xfsgk-Wu5*}W
z3Cr_`c|IOK^({gO=M3tD+-ybD@_+yDf_HA;Ez0f>dhJ?3*71Jl=)lRFR5?DWsO+-e
zOv#%(xbA<X*_XY1fb`R!)2zmE>G)KHGj8KQVVO?^#wFw?*@vpUU-hzSoK0IqY1Zj<
z=aomCkDo>7X2#e<-MD^tE9`Z=nht~+jVJm4R8J-^{GUqRhkvEU|GQG-U&;Hg<o&N;
zz5EYK-l+8Nh6xVlU4<**ndk^qE_q`iJ~Cz};m1M01KP_7Fs3BsM7hw0idcHtw4FM<
zG=H`hK0)RoH|T!{3v_GS{|!j`zm{+NpD|wNL=m5GQ~@u{8oj%l*o_@^A3fu2&1wBD
zL^nl#lC59pv86IA8%bN~o>7NBxn(o6I9Af4zmL}3EeLsCTligE>O)Y(9n;B4t9At#
z+1}B6ZP%Pqxm(`R>%+MuK^m)t(TVXqA>t-9Rxfc^Wv&>8r|Ii%7H2fMWm`|OH&zTa
zD~lkIFsJ>V?nol#+G93tsL?OLl7&xL^feg(R%@QBE=L90Pgiq}z)kx4Gx5N|LhUOd
zr(;{0-zPZlP`4(^wt;0Gdtp{bV>@1wj;D=AXB4JvUA-$;=Z(HxI^VQzLwWgI^K03O
zDj^H$8~<I4Ei^Ke<%1KQ8cjy3<2C<N_Mw|`i9_P~l&mQ>R~KvD?~e==F?3+K%&uIv
z_SMPR><T4c<hhoN&Q?%XDR}C-Yztq8T;KO&VqmmW<4YEKb?IjwIP_-Wm|p7ba%0RA
zhS7#dp;j6VVMAJXMPv&mO;X#t3Y@-XWy}!*OD@?d)Gm~QZrNfZF}eVe8IV`(bB~dC
z#9YCx6Qe!!XlJHK`PM2$J87)L)srwxw=aP=dS*Dp4}fIiIgD{{Wn>oxkE+Ku_OKn4
zBm>!fC%hH^8j^Qkt_i2AJ29%~|4dOAvLow+6DI(&QOM%QuNpmLo5|}^->gKsBIPLJ
z{E5|mtW2}e^jN$0?!J)0n{VfQNo*dlcJ`KT@Qk*%V#K+_#I)r98it3G{Pe24BoUBo
z?+HtQdOW^R!G0_hV(itL0H146UbP<6p+Fa(S*}tvzA1=QYf0C>wIQ+n_%L7hOJ;g1
zQ*C@{wyN8KP}ECO#o3DX<xB6fv@MN-L1mTq?{`Y$?p^~8ni34Xjw}7b6glSH&HBsA
z^`~g=thur_&L&NdRH;{*!XzrvSYwIUV&gMZ!DONC*UPzIO4|W2`x>PkK!eLnf2*$>
zaQEfT+I9*%@g6hx66w-uj!5uGsq(Tf5vt)~zlwQ+_r!)LS!0a71Z5mY`>eJFo-cl;
z=@s0@ua99?cw}P4`cx^NphCVPpIk@Nt;IL@ubN)F=yIj;jZIZi42JOaKe*}pXQEy0
zo_F#T=4;~s)ps7}%bKWhdM_jch-5s!LqvHAbSEkVnt@P<pMtY6L}0<CU-G#N#~`p4
z=BX^vQP5dIYZZ-YCaQ3gP|9NhL4q-D<q&!&!-Oti)wPoMXt|z|14r)rR(xAWIhocp
z)8^Hj9D3`^Z=Zr?_QRD_ru8z{Hs`i*WR-*-mQGvXPKMZ@Qgdm0DWwT?&K`)@E%q0Q
zV_L%zL;@!AlG7Yqm^7qRSsuMO(_e`qe5$B97Q3hFmGGvdy*jYMLh+Kh@r*1Q4gwH?
znMh=|w8?cjLa`t*oJp&^6?pY+)C4m&at~q^LDcVN7@Rf^zj8hGwn36T<*l_h3cVrT
z2;K0$gKt%{(R&q%p5MneyopG)$WW>yy|rK4koUA;2X+jOB-CnI_>ME}{r}hNQUpFh
zR;4B0{8+>c0HX<G4rs`qa33PZ#NcvBt3(UWI<q16GiMklC!9QgPf(L0&oz%09V~D_
zkxZ*JUvhGr>pCcT83kPa+L-X%Q#Hna*IwD)TX$%|*yFdN)#C{Snke~sZ3)}#;amS@
z#r=67{P@_v=OS`B+kLw77W{T*(fP+)^kwav)}Fw~LDsk_{D=m1CL<l!J5K;I$YITz
z3dBW%q>#a`4N_m#Pg1l6KHg;d<e0!^%tPZ7*w8qdpER6C%tp5`m3^p#Ow{6<a~WKi
z@7KXZxc7?NS651!8_r1%BhA=6nm|T|a`YTI)aGHl(Fu2%30x=nwwt{C$tb>MWO0YB
z_p<Qzy6yAPi-Zo942M9^6JaXnUGC6!d?L7X67zZO&Cia)Y`X0_@w}2&OS?$!c5Uy(
ziJiSq+<Rft(A=joRmepxiBYYOH<H@WT}j)F*k0E2nN05N%F**?+1#$>EecqhLRLaH
z2eg2$oG|RRdu)K_gwKRyfq#p?*@OPNo&3{>nBmTReNq6jf-00C8$#F4x#dZoif24_
z<-K)>VZfw!rE>|bP9Yj0@gXX$rnS24)YpI)>3rL{vK42I#8yEdw7PrMZE#t;Lfxcv
zi#4h(&-xmrqVY@5u2i{%P$UOFtL4UqDlw-Sar0vlzt5EO$XB4SbzmcR+6|H*zj070
zdfNQoSPi9cQ$g&N4--J;Y|cr4vsp7qi}?_Y1w272ZRp|)4vEuoBF%zCB?KFS8(14I
zJkxV+ntZEMc(-WK;gvUPEPB+yG)egy<_(>DZJov`^|H5f7{$PEI<np^>|`XN$kkTQ
zGbD;c5hk!J)nls?GnDX$IATot9wOg(43+bI7c=4WGd&~7XE8jJbqUWGq(D7m&Jcn}
znx?09)xnXTsi<8GVRRR(B#6Lw_h==t1>fLr8iF!A)x_3vb`O~fGQidu>p^RdUg@7w
z08<j578n@qt0-OV^P7^@Z&AK}&9Pr$G&d1cv~CDFERw7<L&5%-F}eVheE*IB6{gYH
zLn{(ygD(?MN=4RvkaBrl(QA|MUBg?lL)XEOKu_7G>5Ym#ij*ongmtE34X44}SqGwS
zkTst5lNsKL5+_d|8iVdhBTLL||Dg0eJ=A&=71q5-ZoX`T^CF1s7G0+)?`L89{nkwd
z<f$@h;%lUC(5Z?Ead0p(iNT!*6h`Zz(?`OY`8L&G2~15)6BxnF)p8vd*Hx`}jXy1E
zckk#JOne&OK)?{H*S~!cSLYV<JhjE<>mT5w$0UhSytEfU#Psjx%fS@3_vkC6NOwu^
zn9j^R-Jd|xzFq<(2TDSyvFHmcq&J|<>#a<)R4hm{#WFR14D|l!NJK-;6??sN-j<}w
z=M^xEknAJlTdGFMF><NrdURhMHTbbzV+8sPBwA~?!c8=G^0@5lC8P#P?t6JAxX+YT
zg3p_|F+9J>NkwFSBEw@*YxnuXqE$=eyA>GNcz*K(?PBrj!x_-HZa&C;$U)caVCaTr
zlxtmMnA2<P?njTw*us;CLh6dP=RlN5^X0rBc=KVjkyTCDkxM$f`IY&NA(K9@R*q9<
zOck;Dy91t+21^1?mnx-ZNoMP7(ii#=)GlSJz`JQtD;-9aoDM|N{=W5R1f37Bj$8pq
zBX_nE&&QeZwgWHp1bM%93+u(@WA{W|qLM^K8BSwOeX6Bc6O&pzjXhg|79iJ8mB0VZ
zlXNCa#+<fk?ADTsV5*I+*??hC+unarj$J)XZ^EA=R5F<<(5gJN*eYEzP{%D+l5TmJ
z?^uVH-ZZS>do-~X5qrs)f(hcYt#^pa4DGrgj??!zOm`D|1j<GEUUp4~n524eU9R-q
z{D5`kKTu}vn3SBoWB68du2|i;DyVl}_{;7;cGjF2`VHhMmLhbNNrHDb63+GaS~k?$
z8V|NSh=}uEGoxZHRn|KKTcuo|@V<=k4nil3r$S4Z!KFBzqJ{gsq8P8Bg8Mnw+nAl|
zJwJ+88V`Io;~@2dQGfsg`^VEve5;q19;+M_x89T0h&7PKvwe~;on)|`7xmtCy<=w0
znm)Jk-kOV~#WrB~(0BuaY&5sHI115b!nA9+q;jYQCG<O)6Mn~Sqo}Vzdo<*ZX5o(I
z*fdL`%@AA!E6P?+gy|XGF-1>K*sG1R81Nzx5!|Mx#P3ZO8JQ&~&K{jDF&O9-;}e)r
zf*hx(GsoE+<k@`adxuboXRNVe;~u_5ww&sp2voKNWTEH%MIJS5)L#W@wBr~u+wL8j
z$z0U^1Es%?S>4uJ&pzzpl2jKUKPrSv@`+$d!5f>I(<Fu?1Ciq}=1yO-VWUT;bTbqA
z%VXRaf=>aClV)RV9#byILL;b%a2$=eUoutWFnYj=&mx4^$Xrr#f{gV0MC)B%Y&)HN
zhg!bUMYpvG<Q--?xo6zj{|c)<@MpTeTL#A!%JV4NzTbp>+pi2tftO;1ClD9oIV(}e
z$z!`064UZB5CZj^Dhlz^3-i2GfD(rD#T^R+Z^ntHHvz_Ce}a-=e?&$7abE&mYf#GQ
z_yULFDrckeRM&L1y4D-JpRFZ#Iiu~QEUng-P#=-p1~i9hC6mByK@%85RgdyWKjX`g
zkpSYzVoA@W)AveK8K$sy%=~7f@u<U%!kk&h6P@Vz^ih;e-K)X2an(V|VAa!Z>}jFJ
z-4fFrAj!x)$I+)KWT_g<IL;j{DHCWePhoyWHXi-F%&q@*HA}AEm_6}$`Yb3qT&e=l
z7H8XNenP=FCNF6RNnCOpMSzw<%JAk7r$trDV;|2#vYDydpJ?l}-%prscb;3qP0iEr
z`Uh&Q!%GlWneSC)_9`^@$e)UzZVQ)cIl_|Pv}=~Na7`z51^;Jycf^k^_*>ttCer0R
zrz&5EEzkMx_JKy6CePVfhKgs+Yol*a4JtpiB?D~A)=E1&r|HWY*Y@(T-RjP}a}ei-
z%OpW8x-ZuoEiH}Fq+YD?V0tH^8viLO2_Odst0p>5Ie`_9ZYDd}^M=Jw`0}1ca;kT4
z*WIXPTPv~uYjX)U*xq7R+evtwJyL(=P`^y5c3=K;;#;+j$<stlrTr$|5TF4Ug}(>T
zEg6R*r<JNddG1ZMA)ucN`EqJJXCuLGMNHW`77|~e)I-_F|F$puO{{v0p!&}3DOO{4
z?S(+U>9WvzDskOHCW~Tzjw~6#9FKkcnK&0-6Ghej5Qal=HrEWcdvZip!dOK>?r|Z|
zQ&N21&4rDqgt7W^qc$(f!pHaNlNDN|e+a<f6TiRfkaaE$s^uV+?5PhA0!F4{wF9rP
z8qX1katU{O{OgiMy-j1FcYW`wTQBg4kO|KKSRVP5F{r)<)6zaq$=Rsm;sK7i@ORqG
z>2lS7scFjfvf{SaqQZdlpq81|n$B1uvCSok!@;)qiL<eowq3oR(t-dwxvEv{CK+gC
zHEie+U|869z?2=P_Jdk0ZUW|-?3Y~NekiN}12N`h^mg~&s=~E)<p9NPg;HM)ZBP9M
z5x}S_0W^3wSJ|C(BTKb&+Sh$3ckUsX$Mv+>$c8G&Lw&i=L%qpli|bF(8ZY6fIRaJ2
zn{{b@Ea}zvzh5|MC@H;6CbxRN{dETEX_$|SbR?|Taw>fZCa$~m#Lriwr}FYz!hN$#
zBEUdU)1|^Pj^H!l?sPAb@ONiRMdPp0f!$cw;g|Ssl#EbvGz(u#pImX0s7^%pDzoNm
zUhcON5hi**D6JzOvwH@jB<)HMO@?!`K!<33>u?^cb)>spV;@1DR95u@&ePmdQNQn%
zVyAZwtO{4NiRdr6=Mq}#3MD@8gK;`5Y`U9quIF994m~w56r`gqI?PHm#fR>Ng^4@N
z=XmER3dNstj4Ar&t&%E<;eG;cCruK{8|?9IXYTv!)IR}ucO91$>P5<Vg&nDn=!+s?
zwLgVyD<?l04#B1s|FVrIv+yBhgLmcl&8z0wC@t|LJs`6AJllxfR-&VA+{t^v0K({1
zm<oG8XUussOmyJ|u~;{J0NSn1FPcv$vmtZQc|^CC7ekly>@e=?=sIRyaMKKjd$cEH
zSCh3BT%Z~`89ZFDA;R-#i*0oZ+%t@rIKo86pjap9e|S=4QGY3prsv#WB@9_rNb{eC
zQ<!!w&4{{*O`@A?-pozq6eLMaVmpp7;b`t-dPevy<Q89+n2p~&!sI$i*s6(3OReqp
zW5*4Xm8c))6v<+R<ptOttjj3BYnmI=E$u<B7;kPl;^;HgJm$V3X2OuAKW@2Kz^#d^
z$FQW)ZK=UB7x$5P*D68>A<Q_TTIopw8L^ZatmPdIY6|B#C)HP!uWRclxp$S!8*jFS
zFp}7z4spBxf)z0X(P@OB#!!!#nJyp&K5oA%p*kv1op75L*WF!J>tX}Z#S_M`;y6*$
zP-Ce@rSJ_unDUfHF3e-HYlJ;!vW$}WLof9)S1U<k%@upuslT_F%TuK-OQmDo=GBp`
zi4moFq@eIutm06pYeUhi+^1keA+P2&?xTHX2l=gilUscQ=~;rAT^hLm3``BWc|#ba
zd3rUcsx6+2UA@6=jAB=Nhd1(q@vXtEZqGD9hv$!057R4Uvc`n2i!@pZ5;?8TYPB1P
z&E^LDJl4wFs!(df*t7aARN-4hH2j!upjmZ|8KLf}Y@H<1_EKgA^{o&9%hg!j^|-vb
zJWBH>8LU}nuk_!Ql$tnLJZNn(baA-9beAzsn7w=a#3x$AiXW*PQ3YH`nUr6unDR3i
zyhfPtv*wj^)4kJ&u-T+Jae?yWPcl<UQU#8`u(etjSlq4Fj+4aF{(@OV;7`)LVNH2O
zPoQ9bhd?y`!ib@q6-lBXAk10SM{DZX=QMc{mA{^x&_>UHX;1FI=e6g5#<!a`!Da1G
zHhM2!LyI=i@9)z3$nGlKgJP46XYIG=%^>0>di~LYxcCR_#4Go6;DDs?BEeImdK?~;
z&4n#j!~4{lr_eLpfbWn)-NPD3DWkWkH4lR57Vk(DJ&u)8#D>`hUKm<Xq3*;zC>%(6
z@iQ~YaRd>@OknV1L3*g`=R`?m&JtmJW&LF3ENn5EAzYYCN`RyJME>W0ps+QEnNsDG
z|E>n1zF+=L?P5|F@>}W21`FaA^94m(Z=@fXsVc<;XkXfJP<{Vu*&fn=`Ctjz>I6P8
zkUK<FDv3{N>1aM?*LdkIY|O3w++eI>QQG~{uaHQ(92KBSb4lFYZLOuMnvCa&0ZPx$
zvp=E2QQ0G)UCiM?60*)UTKCdJ{Z?TiB$d(Ip<FO3I!z``FfY~Hf@3=1*^pNXDnQZS
z*y!cy$ktH)>crZob~O!pgg9U0P`C~op8&NZO&sKc5#+XDEz4L&8&`Z1)4v!#O`=>U
zt!%G3ef!pB_z<|s3nc7dXg4r1l;8TagUdZG<;$JlzFMh@X&y0Q33ftcm`f>vmfI@y
zAu|179eY7zh}GD8t4z_jRo-f=1v*ZSC*-gB7t6J7nAkJ^V3ya+>+|gB4noS&t9xN+
zd3I5ns{JCN0*gz};pw99yl>307*TO~on<c$n&c|it0SN|zdwij${}#2d-cO{5-};b
z{K{R%J~joE%#>q=P~YbPo?VdSVK)><?l8qcf2}w^jPWe1G9O`~SE$zDR+zY|4Jtcx
z^e*%bZVXw@4LbkI>o~_Q)*fA>FrCQq^H?AjSmc5WC)R_jU%w`BX}7}z81S<LHY`0U
zLOFUErZ9*+JGhmS3E@ZPhKURyRgbvoIpb2P#@dT4Kr)1u(1<_4OMc&(CF^~RwONT5
zws6^)=lAitnpR60nV%2>pzd9mpF#chX~47}6ZMMo0>(UgGMIx)+HNtxmAeqfaBGRZ
zW|oK2OND`KA~Qn*h_S9A1Z4!$(!qUi-^}zmsw)mBbbf>((LGm9s{sb*LpFNGq2BFA
zNRB<BGMj1a6mY5FoV6v81qRlO+B4CQZ$ljE_6=?GVU3zchCMgYynA}lNUl3#6%AiJ
zdCJ)BjQCMMOW;#r9o$&E65SDWjxc*L`LAHGE}dt*9NjF9QzNJ+oLg%de_+l;2G&m1
zYsnmc;sToxTOpa(TYfzSojt+JnmgDSI#!PR6ohB71(<axx!L}<Qh>P`XKW05pN@VT
zAc<<+uPdSXC1+3vbYN^}d{AE5v47VzA8(MPFv@+@sLty=-<udM$LyEtcjKD?QCt}z
zyH!=U*$M)F+*;^9W({q`(W?S9HB8bmj0fcXpcB0y*>rapW0jictre|J+#*KAU5G%t
zfRSJj{IoOsTg9QkU0A7I(ys8x{$DhbU_st@8o<+p*0?vavXL9%GXO}1geJ_br!NXj
z#di1>YH$q--pbxe^vHs9Z|t-vsgAcG0^Ly;FDz6vmd?_8pxh^5Gx{#QoQxxgKR7di
z*jw1=c$7HtD4N4jVUr9k^YjbfT;odO+BeU995~Z3pw9m;QqsPu>))OU>00?m)Kb^2
zAi;hrEbxfmjl@^tRpkSfgnFxLCJCgSV&@vY!_v0|F!eHu335wbzHEHH>99{>;lY8u
znpopcqTnfftW{pwM8paYQ*&9zPD$!&Dx@c-HQuJ{$#fZfbrb$B*Ls$5nPTK7^Uhxj
ztNC{5-~UcYOz@a*u_@AKp!hl(p8u{{@GcfKWdHFzy)t~={6s(ciB)T0|L9EMJ5g@F
z)+BkZHysUK4c<3s>7sU&&Mu9l_dq4pLZ=+pL7^6Bt^0AL<GC)syt3=jWDIbMQFxZ?
ztf3p2VfEo8cmu;@-9!eZ6Q}iE%g1$~sRrkLjo(zn@5%k|#%nX;Rt5fXmMLo?RsjlQ
zP06d?$Jt`*B>zNn9rLz~f_O83U5@M45O-XEm>x-W{=nS~Y!=vD)l`~--6we^!6}Uk
zUZr;i1|}c17d$B2=O`wa7>}+XT5Iy>KxFADnJ_JdK%OXMDD~h5df%l0IQUlo`Im+e
z@yapI)0&&8E6~TM*=TX)Mm|$Zd2@}L@Y!_;x?S3d;3J@nq1Itbt)Z}m>O-k;4Zh~Q
zrv_O>9o;BxB5E^Od=Dt_50qZUe0fTW{{A+dz@LuckTl|M#==zJrX|T{QexlJ8?bo#
zpPc~yAT|;@bvU8aF&Vwb;do7LuQf$ifsPxLJydT7=Y#&6Uaz`xt=0`~Rw;!~l@(4#
z4VpC%ITx;^X6Gm{ZP*sw9Ns_<p>EIu>yo{ZAn5nEi&E0XaED9n$L2-0Z6imnr>tMu
zN-<x{JKHzyX|BKNZ~+04R?N>U@MgV4@S5Uyy1zxdIEXOrSD4iXaGCuXPN&(gD-Y?$
z{Zp{@j^?!{9Rt3qr;{`&g?nLI1`GXQQ4q7pI!;d!s0BCdsFz!Vc+l_dE!&qBQ+fTU
znP~YCK^R&BXBQCaHPWNa9+g8+r&d`>*^;Zg@%fR)vc{PZo^`<XrT_7d8n3!UV?!}J
z_3<>0gQf-%Q=$}#LbB~yT~+6+zfjOY>t2K_$oad}Te{s_>_cGr`P=cm<Um6ZnXc#$
z*6K5nnIEqkA2<*HKwW<Rz&dtM-tc19y3cH9ek>-}zZ&tz<iF%a`&0GWSk*$IV=Ons
zT~^k5Y5x(NsF9WoTjio7M+kk2H2QU)_v&aW&9Qow7aPytncOyip|{exQ)e0|^TQ;t
z#@J*?g6j^|D))L?yg+-V0|lLr&(R|?Jvue_#OyMFRH<~jZ_HR#tj~nd*C7Q9r<BH~
zkbiZdlNzi|Pmg{?Y1JJVf(@$4f<x|uzgV7ZFd%VC<H-Fa!_cM-yPa#^?g)%Jc;H*6
zPYOf|CAd4<^ys>Iykzcm?do6EtHRyV+NJkA%BPm3se3oAla8<>9MN~^`G{~yP-B+y
zum$snQK=-MhN6BZp`86FS-KPn@7((#=+JO6fB%E!`dv{_ns8ZC<I;fwQ2Kddz0Tnw
zlVU?h{+vKUi%}S}nK|?Yb2yfIuEfto?Z|yUVcmFvs4EsLnY*(p`5TBvzGn>5Ww9d;
zNR_SSvNk`To{HwS?|%x2Xm{+!@$-*+QU)gcc)E7Qxo*i@<WTyg4gHtug4^-GQC${t
zRwNAxl<;xcpkTPZ6S{%M=*(ic{FLOSu|#|&_(n&g+!utl4zbk_Gt#V*_@4JA#6G1r
zlgf)6h|XRv{znonttmp9{4<ouve(1iq!X=$!)``b)Z6!G<-yu7jl;~9G>d7gU7G&M
zNCBwf>cqZ_nX4LRv=&n=9FL^FHhZK6J-6N2G{5}V6)5K>#>#7DphNzK`NHsO;5!S2
zA^w!9FQnD}Oshb_1Ur|xnrRM%r6<p{Vi+PrMHCVL8|X_MRb5T&&gj_-;64p@P#!Lx
z#y}s&tWA1S!uS8&+Ha&UkI)XFsIs~>;xWb>9}6rc+6hQI36ZNVV%65$rHNZmSfb`q
z(>vGinfH(;0xf4)NlC*MZfT2Cq500%0cVG`wLqL-aJ0plW>tn5LgcAJpr~F}>ytc)
zdsGcI#vdbF$LLlO1mWikiWu4%hH!-{slGF*WI>If`nF8VPtn+xMhUskE8T(rW(kX{
zK-O66m^xsD^P7y+R-ROtZ>F6yJGgQ55LW&0;u*;utCT*QA9L|zEy;}UkSLP5zxgka
zRWBw@&)1A&CG#RHR8zLzoAMaTj@-zc4K21tNio5$Hm702s+GWnvGz|#!G(oseNh=o
z)HQTxRqfO0z;tBtBnmRVGfs&eOMDa=s+!J|7{4W!CxVYv<RYFVV``c3bt~?sxMlKB
zCl0u6s!|^<pNmr`bgs6R)c{uSw*a8RJBule8Ov)ttvp>AriU|<y$?glU+)h7W7kU{
z>#sohpCGySKmNskcCqu0C69LSW4Z+T)f{a6?B0iUGJo<SpC6Dcls|euasRu&b5!?R
z({?fKbnY8mmf?W0%hGklez1@o&0G7^bSr`0dfvFv8AAnw7koa|vDc}Mz+{7|z(Q!`
zs_hpn+fMIAUn9%blnA+zrs@gD?cAO3k5K=Iy-^27ffN!=Xl%Hti|*%ke%|>)RTXgz
zHVIPfb35ZxIHGOWG;ksz1Pk3OP$`dO)+~A37^!Co^PsB~Zo_Mm0U#qjv^`O$t-0Xz
z&Bv%QP<Nk~W@sy?QN33v^+)Li>ZHsw;-(9c#-JZsj9&EDW|-fJW6yw`s!@Sy^&AoK
zz`M!$O_<nZLw!Tv+M3>WTyrvfHS%+<Lz@Ym_xklzr;OV5G|__Y))VT5j>98Yz4_@3
z8Q^>592UYjmN6?XK2C~J02-J<SX{|Nb0yWW)?(TR&+UAk;Rt_GS&Ny(DZ!AP;Zjh;
z!>@&#Ly4oCuaoCgDDY~h6KtoPc3$Y1-66;c@2Sa@{&jkXZl#csR?Iwb#Tg`T7)S_N
zbVw|Ddqg&(x%s<*domz<b=gwm1a-0Qo)kN~<(PGaNxRTTGal6`AkF|3h?3J^m!Ba0
zIWpb?$h~mE8*>60T=k)Pljct!92Sjk39`?b#~9R28elw1pzLNrc1@^Ovv_a`d~{=#
z7|rnDyDYG4Lko-+z|5UG{`(C5JzT9lMF{GRJTl^awq2eLWS=PlJPeL4JqijHs_|t!
zUQe}Gg#0xW$>4<+HDRkCQIRaCVE~#1Ia5Nlyu9p_6JHu&VJ;O<0g>u@XR35h<A;l3
zx70m~&U<<e7|?g=rL1;OMEUDpX!*8#!#dYB7ett2BQyL2`BHNjSqvF-Oo-VJp7=!-
z6j!n^8<IErNctOw2|W#<P9dYc=kL*Q;WE7n>yK|<w;gB<APXJcz=IW{ud1e>LGq><
z=I^S|%J?!hIQ1YBUx?1%aC;Gv7{s)$T}3iM^5uAivkB~TZTwuWs~S3@svhN+FR4A0
z(@l6)(hVWHHn(aG+2MhP!OL7L)$1<=__VYHaPm6ve`+(02wDXjGl~PYUKfr8do4SM
z#JmCq^h2F$n`q~`2lk$p5KlA%!@HL1)1$+~Q7&L5>)|;@A&={-OhKa<>ru{|qeyNS
zCdBy5`Sx1T4!fEDkW4*dLkr}`mIcS@?XfPF&*aX~6M~8+7UZ@>GWMTd6dLhMRod`n
zGFr-Gx|>A!RRFG20C>kXYpOvvT|WMPNqWIv@L$vuh&rAYM>!oI6pfu{v4tu!>P$!A
zcibhB0ORd%%>o+>tp>vR`&c;cr=_aez1FUDd=lSxG^drEvxS6_<nj8Q1X(Hl-%NSQ
zoa1eHm~T@Q7F|F1v4vw^M{J<vs={k2oegJlq&R-Z<cY<Pq93GNxXrj-ZcdL*9nUOV
zA6mN#LaWMW5*KYzu^FE^M1KY1WwW4lVj)+1YiFGXv{t;LJsTf!IP;L-@a_*IfWw5}
zMhGEJzDo^U1IwFcRd*WYhE>xj0n;wHjoKs`2?dtZ81@8x%-kq?ha{P!N#6kpJm+qh
z^cE2bq=%oay$5RD*4$q!d4re5UCSH+f+*JK0Ry*{=a&jj5k>V4^y`FT>&RLs+BvG6
zXWbVU?;0#N@<09CZNjC`*Pillj^!^{iGMU{%J1G+B0tad1bu-p-+xg=phe(1*0$q#
z%u)e-A_eyf04s@om)#9RGZ*mDEr|V%t?9al*ZF3Wu3l3n!Fcfs1r&~cmYd2Ey95_c
z727k&veStb<JNONCo)58QAh#HepGkHXesllLf-n<mxLm#R;CbWDrzL-`5_G>UV+D~
z7oF)5jdgEo>%bFo;!Lq^C4l2bu#_X3u4#5ZZJH|1!4~Q{7TBtBuciE227uO#DWR5m
zbp=Pg;?bn%5*Y}jX0|a0*vv~nPic|X-_203jR}$f&4Z{<Qxo@^n`l+j`4>2CtLr92
zX;fP<w)l4bIFYrpuvaVb+&()a)aS|4wva9$fs3u0c^iaDAi0k^E^1q(zA-m^uLK=?
z)SCe^r$ObsNoz;PIz^m-&X2q}PnGkhkaYH~^ewl-G6HLi1~)`zZui0tF-!t%&n+vJ
ztD21(OQ<}DiG-S0r^1!>@ae(qBwvaR{OXJ7&B6<y_d+8i^OnTxKKZR>olJ+L+{)#m
z`hoiOM%`QW!|eK&XMsY|YmJ_J>CdRT35M0kDpWjh9xA0&uvucThV4@{xtI*{78j~p
zG@^}kBx4MoB;n@#7^*)}>Z^(k;bvjoyfU6%r=R`&cOzj8cd)Z01&wQNOAbK++r3s{
z7L;g1sPX;Dv-O(w7`Ar4jE9ng-ppa(I}bCf0Pq*~bCi8U$^hRWy|SOuEhK*1x~UmM
z6*bET@>z1F{l3J*Bpe=3P^y?wby1JUyi`Yn`32Nh%;S{B8bK|s;s7-sr$O1>bw=Uq
zAt{BOQZZ+#vb!0rspr1=lRL*Q`e+9Qf$q0&QPmYJK_~L3;58mpT4!32jN~2ge0(pU
zw5(R_7ZXXKU+#62>iO<)$trXQm*ct9oAIw|n{PH%1kK?a0eJ4}j5<K+0GakHfjblC
z0Y#gP9Ks$mc8128>|Xi2+Lnl2i*8$L2P1cmi@$-!cRm68dBnJAgx8D)8|NDXn_P8s
ziAH9>!j&9jg+oN<sKeCbuZ7^a%m_;Wjk8|IPR9Hj!Hug`%qAp)v8#7IQ9gLooGaK5
zAzin-`fCB@6>*k;_Q_kT@0KS7b)A;?)ywPZvtdRr1}MCENL#W#Fu7f?pel*JZG~$_
z8;zX5lOc|X<0Rsq4#`)FhTsjLq9J3Q6G_hW{*$<4ulCWm;MT5?dXchwz<gO=Oi~WM
zi(W&Jff)DK9jQCa`Gb<zvkv0B1dDvMre@Yb$34;8xiL0?kN(Jtw4_7@fFd=Ej|KT_
z^T;#Epacc;{i-K2YbcNhzZci<k8~Xh5q>jHs9xp|Fme2&*a0pWKGq)Kb<?^^bhbfr
z+Q3~T?lX#C$m3~1De<L&7IYGdRIN$}j+~S=^aRe1mRGT$lL}$j$oS5C%tgtnUjq})
zl|abl6_TPw0~~rl@Rm^M*IxUL0eMKPQ3DFBUx^D2rM}S{jzgvcHzc-Jj@6dYJ5C9f
z`0g$<v=I)EWXhT;T!IB@1=`0^IXSrEJgC%ThYN>pT&4_F^0T5-y>#KQd22CTWRX>A
zW6K)c5}Z1{dEUe{Jad3d63;s785T9h7@*)d!}9wA&Byw9(Ky?8ac3qh0!m&)_6;J!
zp!3Ovm@&>YwnGtz*{%4fmu2}zWtj4<H8soui1$`8{r!D@q#h8sMLpArYe5boRlXE{
z5>^>Jb#%Fc-?nex?&#~%P`})#y3L=wO3_2$sdZ@8^znM(!egSJzH)`8Ze9IkS+*f%
z{-b2ehHp1{6`rKs{wDq;5-`|qt(?Kbif7^gz&4@0$$waMSijEKuih(M^6r>c8<?_e
zvYsHu;U}YZroS}I8yOUeM)za<^%S4vV%(I#vhG}DQ0Q;a%43Dk;W=}ltK2;`PDFLk
zs^5X*+N}rejn)Fb*N!OXo~LYn1x7Cq!EkC^9MoYSLLNWON>^03LrYaV#h)m5YPQ=Y
ze(oZ;m<fgim|LY)li>eZGTru8$lI9`E4x^Z;7%ukMWjXV#DbXO3|lZ;@{pd4Gc=1&
zS~c73c3G$U9RE#_rR*(qOq%NSy^F8rxFy29a?@w)Uyx1oKrI{4V})5I!P@u8WRTZx
zgfR~RV=->YFqQvW+2c<pt054w)2gf`EnoT7%?zNK3JnyfqLFQ>c87Ky0&kXrE3W}~
za5VYM5p9zEt;(qG*0_K1$@}DN4&#c|$b)Y0S0D2iv2{;jEB$dBmbj%m0RjWT)8F6_
z(9rY;L1x`e-h$WGgZ5cxPIB5cxi?uX?_znj(l9cU7<@qO<{`tNkl3D4q(h*W%>Kq|
zWRa0`{YP1DivuH*r%e_!xFOpIx2u1iTUjB(3)v_zD~md%yDlHIT_$~fr02i^f^XT@
zMt6alrW5q_xTsnUmbA5^=COmpe1*b^%RP1tONiqhT+YZu%S6x0NhNo@bfyK4z*>os
zUIvxusWMqrATQQ+PHCRsRA&7k-o8}2SX!!C>kqMNa7a}uJ$hYzcZ8_gQx7`C2Z3z$
z)cSi$*ER$m*E_{tjVu`+&07sD;ql^8Xb`i;g%j_Dk%+STQ<qb~3NXI|)_%Lq=IR*6
z6H?7ugCZ<2KjvrIOND%;ZMF55HPVy`3$E0)wmX^x`n#5FrBpI-N&__7ksvqgPnETj
zBF;6dl>}RAz;H}ze$|N7zn+0en;n?gt?GXc$=3}W^e21x@oh9e&GjFsQ1ENZpBov1
z;0Mw3zwu$wyi|vO@p#F<EIxML_y3w)FZSPhP2L@%i$4wrmy7S3So%cQY<*ZmSEspC
zlI?+Wv3=-iE_K^S#}5j<Q_Mgm;lN}E^(PVm7l7~M2AHK)Jp3OhL}-eI4NWf_;7?Yq
zI%#Wh*krY=9IcVyZ)T);@jvg>rg_4juW(<wkO4)t$6zw)M9s<Yk6J^A&0~VDZ=(MV
zH0W&R#QNmu^lTpIAbFL8X*2@jj~qheBSSe>eeh+FclWe&|J*E9$X-8imtBLwPvDvd
zb=+G<&Bva9Cv0EP)Em}O2sG5MQHzuN30+u1-%Jzf^&`U9n00hql5YF+ezU>R0lmI|
zbuw`fF1PB}&rg+ZO%@5(2YLs_wOVnrVF;w9%xtw0zyFK~vEm&bm1a00+-@@8xneg6
zYl4$R;t8u$5#BYrHd-b)U3Y}s2Qz!3iz@=Q4BzPj<ws-R20<M~!eAHj8=s$^vlL+4
zK)T6+<vpBkcQU=RVC9onq8Cat;Qxm|(CxnSFTNu=fU(%>b1a{msLqr33b^a~gk=73
zg)N$-^k@0kcST>o>12>i;VW<YiOWG^RP+4;%%egD!14><Ba&UD67AU&#-Z=vXB^aW
zThZWQm-vuMyNe<rw+G!dp%~Ha%!&Ra_WV$rQ2$B|Mh-+`|A@AcDy(1ch(G&GqT`~}
z+sFn@JI9AK+8$L&`QDi9i=@b|6^@O;_;aJKci`z=$%SR%tHz)V5vs$n50fp3D(P`&
zijQEl(g?A4^hiSdHS?iCHpOF+&&i%@>R=cT;a|20${IteUW(Z9Ds>eOTXFHGY~;~z
zAuW!?l8<+|0T!6d>N?*$@REhrJ^4RS_Bw=5d=t)aMQ|6Ha==M)w+qY_<Q&z7E6S0(
zU{VGGnZ@9buzfseg_SiS-{T)Gb$(yIwKFCL5L@t~je^M-y*`V|J-2p0slB8}V?BPe
zaS{qh+7sWoA>l-H+a^QiU~TJ+bT*7$_uEhR6Os9Yxashj>3`ru!1cwe)BXw~4+YmK
zDlwReiZ&;sjKBESSP_Z8KcNH~!ZE69-5n>FP1K%<|5<J1zH&?0;r&b;*zgzJLAf`5
zwk3I_Lae&>QP_5OBj|_V(e>~7`}h3)-?)hXJ%9h+fB)Wp|4%mv|JL7s>+iq)-@pCe
z|FsbMxBmWHfB&t&|G%xjk%i^IP0DR`(08@*14fL2k$Sp8IWM<T58_C=*-6IFN_NVI
zo3~X;0+-v}mUG@@BV*W>j|ng5BK&w4xvL7ww>?@oCD&5!aN3AFN*FzL$$8>;gMH~`
z4?9$LJz(otP0pR#BklM2gT-*r>+8_%jfl`+&&mV7^S`!p^`A1MfS=zBOs0^-KRWMW
zKct<4?Uf5#mM-G_cn!WZC~GmsmB}M0LPa!B_C_`^3tQ$$xy?jf`4aSFdVnVTEMxGe
zGJNAG5hL@b33b$;-!tobvf$yQ_s)D)%jxpm^3utI{W>0pnnUFgYw(qmSMW7aP1DCz
z)NPR1<dZlKIeISou5iAQ_pJDrJu0l?mj5=;&&wMK_g+^9^6LLNgsYnC*ZC1q-)L0d
z&sz5-#D^DOqcU}v9xVvz^eCH_-!&aZ&#%3|0TTbs?z3tg4l!!Ki!86bNf#k}%SD@R
zW@6lcpnBINAf@BA9h^3=fj$cF1vuFqSr7^l<hUl-92(M}d`?<o(kX;d7-;`>V7p|_
zonRzj4&yluO`mT)hf3l<9xomykz_h{e-fb<ifUU)UN)6QhY-e3lcz*E%G5K2M@9%2
zZgC~8?_I^yHYzOJbn6L0mKvk4RUWX-M_xRI%|3}GX57<NB4o?jnc*>aWU+Tfi>##*
z^U*scp2%g*5zzFyf#43{gbQa@>n(d4;ckD876q`$8(GV+W(UMf88W`(t}`8FZo&Qq
z`-vM?wtsrDm=-c0axHN~H$TN9VAP~Arprnbc1Vn=<xCxUo|+t=a~{#+a&1Yn=xmd7
z&_CH&XTh>aI;BS(U!Ps_?_+PhS0<L~W52s|Kf<D}m<inbjxR;W@Fz1tZX$s{G!@z$
z?~_!V+A^4L>@TE#1{!t&S8tpPOS*_dn#s?KIQ2Bi*J@Arao^2edGN9>3=*W%rPW^<
zHD&T@wZ%GVkooAgRU7P0ZhSJBXdHAk;ACKR$NpL-F(P^}eD?>J;2$XQWlzm($wGRb
z1S5c)d*0;x*KF6j(}@-x%jS^^rs~`t#&*oMjyt}}$PLYIbi831r7x!|==WEFpoOqY
z6p3O)C$5UOkE50P_xUYbZ5aa{F5E(mOJhR<KRm)YHCHpHmg@3`^F$;25Rca`f~Ht1
zDpOtGsUU%1uGV{Y1Bz75TGK=7Yp%R17Jyh`Pq<Ssjat?-Z18T&WJ?<_lvS3qvg=QG
z8G&||4Ey8py(EU5Ty8_tD(XnI3QFls4PF>>tsB)ULyuX;WdumvR!5#!eTSA-z4h$R
zES!GbbML$@@3=}6v(~TQ&rT-b(PAYsq0?l&p-n!O)<x!cdaPZB@Hu`@dr7V@aJW36
znvx3AG!Cxn13K~7<kw+JWV|A{U8JSiDU;Hf4GVt>6{xNN(}A@$X~<IHIo#PF!6##e
z{(x=?9YuXgl8WAN(opn{iLp%~dH+Gx!z~}B+)URtW`e1n_-AeE<lR&-c#>DYh}vDW
z4d;iM#e_=MF@Lqjce<LFRXC&^gTZp*rtPbXI7*f~0nt;2_BmG~?)k-0il_$4FE4ro
zG1P3cMOEiDby>ep4(_m6A^_w3n2Hzn#2Tw_kptc9MIuj6<-jNO+KQ5|SHAu?Z|%)G
z19_^hKB-@1S|Gi!{4u?HNGUxzukFQEl>O=<Z1G5J2&f_c3hnyN>%F!WED+%xgk+xO
zp11WUtismz;RIG38aPxAT|(qY8*}YTBZg>NU7gDd_RpmAq$2N=KMPD~b4v?M+F8uq
zE9ngOCK=@;3jm3lf~zufac!rJ_v>pd9@Lx8tF=vzS%--HfUPYA6zzB0SiMgbA7+Vq
zci~*&>Nozu7Yf7Ie2O_{4YuQ2FNQVV7gE3E`g^r@GkWVKyiz(5!?3c8HR=kc@T~rU
zlIe?8oJ7-NZkc60=#5YHB07?6X=_=ZWCd(Kj_1AVG_T&+oOq86Dx1q41c)gV=>{vV
z%A*&pPVpgpxqF}fMLg|fV6nJik}l7JOCok|#bgacp1LNkC$!Z3&N%}=XyPU2J<&uz
z&tH;dVWffJ-;49}EEVmjNE>!U>P$u``}>iMu-f6&J6j;ow!z&N5nQAwt=wANNgkin
z&Na2AD^Dxd<QmpC7oDl_aI1CbqLrjf;FfajZ}A+I#gXNHZNbim%gN=fDSyoFr|@xH
zB<Zq!5DIwywG9WqA-l{3edlKFb$EeGqC=8x6Mh2IeZ@lWxn8Di2sKlenwbIC57CdJ
zMKw2oy2`~(lE|9gxeSPB$j&_R9hGRi*fuJQ25PM`VrpFZmq5IBIisVlqqXapqm=zD
z)rQCM$GQ1QZFW@@(<ea%I-1j@EcgBXTJwC9jsuhYXi3sXpogpY<(&>YJc}d}|I`Wz
z=B+~v9lhw*W64v5M_OVFAD9ll&&a~)Vm+Mf!^R^E)Gd>YDNT;9iGp>YzV986f=RxQ
zELFl$MLUdk)1)$J!<~ssGxhDau>mvV<8<+jH=ktmn2~S|m~k;7`ms%^7hQViGSZu3
zYq)&WjT%U|uK|1Qdjj?wy(+5$=(LYM10rkeW(tx<7H}$$E`K=;mipJ>OIQdrItCgS
z<(~_6#qeNny-#5u8u{h9OZ-kx1uV5AHrTQ&@7)d<li0O7cvVIhSW{kkQzkM^=<g~m
zcEHS}ms>RRmPJ8Dp5^9WD1Xf1YCp2f<mTl#oUf2-IcQM4cgAAXx%$<$AkY2qA-=2X
z1ny_APnHGck)ffVb^Mm^Dbp0ctGE3@;;!w-Goo8=QzT4sm>gS^M|Th@+$_tY$!A+&
zc<oLR`q_hh9?4~Gj{8qlpt!)>t|1^uzoKECk}fc&oL2kH{_mrygT#gQ?g;yB3>dJa
z7X46QR+ny?4x4eK?dh%38?o``Phl}iD=#_EDZGj6(4F&~+=qTZXa1Z;YN~UAW+*Kq
zL1v!w9KTg?i)SIRDK7hPk(IhTe>3-`_c=W_M<O6;^PIE>{c?as;;K?&z39i?tkrR(
zx_N(X7cdWE(z~{;JpRp)S>DJ+I;j4z*-={$LfdPQwaAR@aI0;RR)xa_EXEFX#$8uD
z<KWl-J=me?xaZbd()EC)W3#7TiXP^fuVH^J@O8Nk7;)YFcMkcCt9?fB=+?L)Yb|Ze
z<%z~?uM+Al^!=8vdox`CKJBjUqQ;I}Vd;Oi$>V>|{PaK75H@`k3U<<!eJ}9h;YCi~
z$k26;S6k5u4juvBEr`ye;3E+P?iy+m;7yWX_WuI~0;3-~+%II}Wx)`M_}&<Wp5Qp>
z@@<Ynva>kQyqX@@4m!m#FyJ_f&39Nb#%s!ql}tlAyY$v1ABF56v=$F8zZ#|_>Zff@
zWeAC`4>>JBIjnMS;pSIm_b(0ygp@^uVfQ!qskSgZt_LqBe-OVw2j;p-vlP=EnKEg@
z6)ZlAPK;_L*7F$B?%t$1PDdGtY$oMvqxA{2L}9~e#~CP6y5VI?Gg=eBb|)ftZT@rw
zH^g-UqcaT^$4v6>t*m}!^Ht@xPI_Y-gI1ZxgfsOC5GpNdi;=c9d;A?Y+V`-7CntzG
zQ7vNfu?^|$$Z2wNQ2v9xY-@C#(vBvt5$|Zt7RGpoTPt)YDWdS9ET8OrY4Z=1;iL6w
zT@-InI*AbDw!rSlwvf1|)R*e!bKwbdkT&mFL1?OlL(gNi)w-_$))%*t;G-I$$c;<}
z<tO+D#;l5H$!Hb16~hh#HU7nrEpb#M@75ZYu1=$R$K#e6^0l`Yv4IQSt-~wy2=wwB
zm9pC3iu8cGoeZcaL~b5PWOE}TC16>8qvv}iog_W37$f1lVENRLwtcK&>Xoi(uUOCs
z&7A9Snqw8IxWkkXKYXIr&ZkF<Ivs7Jtjm0Qq&Ami>XNXQ=0~{rOEj4cl@gun4VWU}
z4BhzjsBErR)TlKN(j@LY&!@3E0`ha4RfXJyu3O`xb3R3OnfF8gOF2M>%0tWfD*Mrv
z+{dMYk}!`j;u@+z(o36?XJv}@bh5rh9zkc|5#`fSzVtmF?wXQ6rGk^1j8RqSZA@Qz
zZ7A-{+pFA`e&4R9X6=p>@(uFERU(DcZegsnrT&fo{l346x$RP<yW3YZy_Lt<>L!DN
zuD0_S#k0Ii=h$y<)<6=4-pl$(HRSiKcE%lUV~BUy+Al}Og$RyxhaMeyxL7))$juL-
z@h*5q8u)tXTZ-Odl69`@=*j!Qly@DGX>Cm_wRSW#>D;1xhbqd<HKg6|5c<p@^)^8-
zw@4WH<jdtbnxUz#CmR#tST~LhH+*u>qUa?OJ7AIg_AWdII;<|K)%iCv=%v%*<-N(7
z+G|XNz;3W<Hq+$1dKoEINjO!-30si4tnVRljpvUUdV(-(#N$32?kPL?DiPtBVqa!j
zv1`x1`)9<eua3l85v=(Zyg6ry`wVuH(15%u0o^65d6h6QZS&?TfcfhxSFsbL-DUj3
zHn$v+&FcFa)?UtmXuTlm;G^+2?bHr&`7Uw(ZsGN)-Bqw{(KnCc0Tol4H}hvQ6r>IE
zo<q2GkOrK{$lyn{ehK^7#7=NsZRPtNnyXtK%v)cYIUdTrHr1!>opDz8)+aJ{S|AdG
zA$y@mrW?C`EH)?lFzOru^6f!wt3svsGodn>ORV@^W5rD7>tVQibrj-fQm4_etqo^l
z-y*}fD?`RC^*hpb54qCN9BB3k4>3z2+IZ+xv2neWX5B#cRN@>d`{N1X1LRSl4eBHX
zl^<mu6DRokI7z!3;xxY#@ATwOq1CZ>BdrcCa*reav)t~Aci%-2ZvXlS<qPjWP~>_s
zqz8J*eT96-NnERdb9tbn!0$DOu!a0GiZB`w?5!^AW3j$}&ve>1PhfKbcuPQ|Z$B~?
ze?+zOX&lU#w(zO7k?*W8KctxEI!;)^*%x_<T0o6;gzi^_`u_hy-dhC45%%xefdIim
zaEAnUf;$9vmw~}u2Z9YwLU4C?*TH6BaCg^%!GjYl!4n91KhE;2a~7xm@A7QAdeNJw
zs;m3gPv7@-xv8h5rpnL16KSO1RHCn~fK$iTSl4QG*JgPZ7ksm4upaZJ_LvjA%#Yn-
z6HJJ*$gOt=-gwLN$gfxipP~PQooN{Yb+s-tG6}MuSX2%3el;_YtK9!XwjUD$zh@eZ
zNdj!WOZl0Y<RM!sh6T1~DhuSG36%wdh2=;k1G^6);C*%|6dDQ8g+NdM05rZP@lXgB
z8omr#*#3*xsnBKXe=Yh&+P$yw|IUdQ@c)pviRXJh`MOl{pI3NpDntL?ygwRy>Uii|
z`_HRi%l~=h(|5o6?$guI*NRX3=Bj>MUz^T8Z~m%6o>4?o>B8>^YQ3*Q+H=vhsrs_B
zoWsODtQ|6WQX=dEOHD>7Bvr{eiN7H6lqCrzV3KPc@a^)C-g<<t+*`-`^?qlbTETF@
z$qlTW0NQ5Zjl<+T$>mRD-7vv>*9z@0`AJ;y<wK=lDw&?mi?ZE*r{g=O`d`6HE?aU4
z8Bd!(9>I5N359S+JAWK_F{|td1J(ydUCT5P2U^FQSV!2bD9;pb*I8Gawcmvz{OnD@
zU~z6$JqeQYHcwo=&b#GTh=(9fhW!#ZONC)B-CRL?Yx|<I717~`p}FuiMN{iN>TdLj
z;Uqoq)R^it_}{%;Cr90`kUildx1XdPr^49eq*Q^E`ke0X48@R(C57EIkgmu1wNHQe
z;XsbDVcOzyZKHr{uWbR(c-^eul;C*EPg1dI6C6L+8TP(O1uN5-P5#sR;2PJHdQyD>
zZE}5DP*r0}yXGZ!cEDrpgn<Wp|IdEK4JHiC;>40BNmkT1POE(X6*s-_bp6aiXMqGz
zq2tu@II)-|+PdCq#S~1C))YtnF1rF-hQOaN508A%H0@oX?MNc;Os1dBs+q#l$upT2
z;DC`bOb@XnnBm3oD(3E4l73WgbtYyoZ4(dsTZE8pykbP@Uc#X1O0I-rLO%aUc>AhU
zMHpXYyLKtFl4fi5?*+qdUbZOp=!gO)Y8ksxD6AG~?*CDuwQ9ERH&QgQ#39SpbM-=l
z%Md7OV1QKtSe-JY%WDQ0j0U_{9<LKH-L+m5>fv(Uz=TWvc<E{u|EMjvuuFAT?7Ku5
zwi$o^$lAnO38~jlW3eX^GOD2LgrB@kbVts-d+}>Do=^B|hjl*m5?nY7z-PitgMpi0
zxC~Nz)}sYp2ZtAs9>BP@oXnSLM6m+ekv%O6v#I9AF(*3BXBbj3qhZ|lp@Dr#;+~P3
z%i&wWw#6H=nW2+w&f2eVw(3SFH3BKUAeT7(A0i^w)w1yk1ftgXEhjlw;|*QkBxi4B
zYvFsxR^E$KN}@LmuEyctPJ&##!RjuSqw^aHGLCg*+&{W)Nh~$Nk=Y53p0u;WXk&l@
zwqdDWNTj^g0Kb@vkotAg5-YVxu~iJB8D>IbHE0&MK^CPxiA!xe#us!H=_VH8J68X6
zJ9H{xqim0BU>ap5G=7q>)V16vE|^L&<yMC$fhXBKZcHSL%y!(N{~IDB>yE7Nz~Zc|
zD;9X;_CsG;rg5@vYFr>^CV{}yd%vh4G-ET(<clZ@*YJxitCfz;%x2Z-VoT1h8>iFf
zUuDw{(p5fvy$}k2<LF&jSaKMQ*i#D!u|+*AHm>MobH6eK7^VFMi-==+Meo^r8I7ZD
z?!#4&6U`M)$(o#};Q685SO#*1W^7?gg%PG27D&toqJZZx5)i;U*{}k_6_!ku`=&*(
z<TJ97vHCbRa7=fkJiIX<BPI#(7C_MQ48_si)s5`sU;IF89Vp`LYt#_YvhTwQdypc}
z;iO5*FRXq_>Q$q^BKIe((mZ!yw$LV%i(nJ*fVzBh%fGcE23etzji#zsaL9XU(`kwt
z?2jfSXBK`9B&}K6p;_f?1q7MOC;G)cYy)4jUspJ@$ET<l9z>64^F6mQ?Mk(;05-xl
zUW>JJ7!FIgEwU5rHv`)R^lRu<D?%zEq64!=A*k)faqNY&%(&~|*uN@s)Nd1?wyN2C
z6(E*3mLX?=t-nqQ3^b5N*^FR7l*1;+nHxuuQbp7!BlW&kot9+OM^fQBR3~l+TefeQ
z`d^aF7%RX)N2%f2MucF#O*t5SiAfS*B!AmZ6kAgMS^STVM~BF+0UnCqL>%gL2>D*F
zHA9@3ZcE$HAC626fnO4!)Kbj$(>NVO3HS@Rf53SU@7D?()nIIWV8r&heQRISt`I+a
zx18p-Q%)mk@8HKuyn|vT*7RqC@c!%yhq3p<Zy0Ud^t0h6bOYlo-5-;db>#K?=RVnc
z*BIOUniVNQ|3lyBnr}#Z?aYHGzK1==%_=V0xm$1w7|l+v+(-Iy82{&$h>Q13jb+1K
z<(-D>AgbVlfrL3ji<SbiVW%XcBV!B{kpqd-z6X8Nq$yzWP$+Pk0Y`eKq}OcaSvr5B
z)ZhHDE>sZxxFl6z_IAknV=>8F0=J=H?OJ&ANCbVBDh>4UmsV_(yh0HUie3R4VXMG*
zaYp~oh*HNbd;SrXQ3T~*L1_fxnju$Yi9Ut%Dh4$?vEsY+9-2(({5@w#?W-V<M31O^
z_UMZ2n*CHFnUBNX250>N-9^-C22!?!T&Y|buJ)ZhH@;|g=H|Iq=z*+&zY{eI2k}gE
z%@0cW0JRU1K;}zah}t-p0Z-w)X<>|Y6{QSR5kLKg_sqbsk`SzUtJ=cmo71l4{0C#X
zA*C$9H>e_ECD@)RQUQAeHeN}?96sxx@uQMNJ1aePATUCQHx=jlY|3E7=Pz;{j2OR&
zjUa6+27P!h1_Ypv8M`?7d&t`vv@Dk!wAi6pW_){J_MklAg+~M(wcbF_&Oxd8Bd7aQ
ziU+~5Dr9`QTT%xWgK;t;l@`w_|40V3ZwED*5NGkFWbz?!D`zqLhlD-x^mF7w+8=g2
z_Gu+0y*ge<v`2w#S1qwU_AYt{?B*ZWmY*tAIv2PV^x0<>JLx%UALKVG2fn%&pVW}o
zxKCkE1W#^bF-&o*Z+D5=KsnQB1$^SK66(Jepnk|x*G=<QVU&}s;7xtGD~{Ex)9l}Y
zCC_-$Bh2?`;=N5uU~Y#BbS?|01U4p*mWqpSy*$Rz16@ux99QJn^Vq*R;N_+NHkoWR
zb!mvKJrY7wRU}neX=Y~he@7mnBE@-4*4{)Oe{e=^mDc^$*?fK_j{%iwHIOhNI9g_m
zvxCiNnKU1Rcu)&dR(Xc%b#u69y#Bn*QChc6en!;*DNvPyTq%9DUzE3+2-u317ZRs4
zseX`@+iJnj)#P!gLb<S=_}$l`i@!9{rAv%QNm}@Ne3+y98X}vF^;)m+f8l6n{@<A$
z|9>l875v`?tm8xfo20QQ@VV$euik1sxV-2W-EaQ$s$2L`@1NkYZ;10OcvnHec!Mf8
zW^_{`B;1850Q-tNUFF|Gm)=M3P8?$@Ngv>|$iw>zD27b{<6Ph8E3rX!L9t+eH>1$u
z?5&@z5OuTfLL9DcL?^%BFY|?UKV_<(Af5$cA)5B!LP;V7wAC?*wsdG+@ni7BW{yq2
zI88v=u7cu(OHgjJnU4GQtID}^E)>-a%bg3VR)z;$W4?S#*|0s8@UP@Kdr7N><c~c-
z@M=JT)WgC(BPoa3SI^U|R_DmqDj;YT5=`pIewDKwjKvf)uE}DWhT0XY899-{VDri2
zc-ic5n<Dr<TPD|OXHI^{xZTTc>7ZWQZQ9U!%UapY@2VN^%g-AUVI-0iIUa-WG)egH
z`F{#LRY64)=fNhwG<F<Ru`V`Iln=xOoP#4Ph{$&?)Q;w-e_%{of8=Nl{iC;!!EeLK
z(Y%toZ!W`W@5@b*w&7>27AZG0?-}<pI7m1I8M?JeI$kEorQ%a<dl8lghv&QJt5(=e
zKg&2arFM~lmo{$sxD)a1oHjz|%VvqblM;*I`$3(BmRG1`nHgO)lH`!?EXj^0Gm7no
z_01gV)ArLM+2h~ha8Z&WZy0!+SXiM&<jj-Yuv5;bQR7vKeZZvh&7>&9tLa~JFEkMe
z{$YQ<F$uo0Ug#L7=UKzmRKw%XhR3tsuCv~bDCXADGFw||F5V~LyTo}TCPMZMV7Cq<
z+D`!-*%HbaMfcsEj=C#dutK5a6q5#%L`2utu`2)cijQxJz*rq=w&zKbV4g;0rP8d4
zQqt2E_^baCI%$@VO3)|0OR*hq_TK@uy|n$SzN&6Mx%eb;fXOaOx>d0Xir0caC!1mb
zKQ1{R?NXhv#=}6MyHVsC@1ID$N8z;<@iv{6lgD$iOtFnjKYT7>s}dF}3j@VQQZ{P_
zaZJxF)KRzeTP!)Bo(<8xPbiGEf(DSB-&^%u8B>Qv97jW|l$TRZFjo%1?AB{l5Ag0B
zNLF9yIRjrX4KL>#pVc+RE3NS7w<+Um@#Linobzu@KYt_#!|D?cCmMbV%)f(*)^&bv
zq}H@oIOg_(cr?yI;4+!Occe7;@ppfY-we~59z^>8%IaEnN@hUtocz8sm8kYU&x;n|
z6K~Cx`JBYoJj|N>Z)WPPD0^lmXPvtD_(ab}#!@EMmx2teb+dynHJA?o<gVckRV%R_
zwr+uDM+3~q0Ip%5!%P?{@%>(Pbb5nUJVvR=5a>vn`z`ldcx&F$v%Bt06kZq90J4I;
zcb`r*vgv4meAAGb?0;Tl=$RfCHog#HkphboS<NtsqxsX^MpWyx{sU+0v-D~)o%bvx
zIB{|Xa=mvurRV6R1&SWQ<mKG^pmbSCeFXYomp;gbgTnji_R3!GU$KcH_2u|KvHOc{
zFj#Se^PVbhTzlm{qd-h>7<r+-*=I+Iu*Su|hS^)u$l#G53kBcZK6q^o^-!0QgD(=R
z41*WkkJC5`xJE9NEN#Mj@P*h2Ex;4)S=_+`>C6w7ljJ;!ru^nwURI10*Ef!QeA?V%
zm1Y+?a}k3hk8oz<>stIBx{x40Wr_R)h^cONEu3|4+LWz9Y`it83}<OgbRxm9<c>4e
zdRinLWj{k`*PN%K+(Dv>9}PQcvcT`B^AF(`eN07I?)Dr6lZgOY8!d!I=t}8w#%TBV
z{2M@10DPFhlF!F91uKo?DGo_xiFW#8LEowZs2BE-t3RE%Zpl41HRb_yGL9?5rs^+=
zkN0b4Vnn&kmaygx7#bPrCdxucMLv>x4jO-Ipf0o7_#$ugSA*ZHr){Y$C89I4RpYac
z&V}*g7DepelzQDbN{;$4Ut|_3O@`Q!C2@6xBYN7K!iBKy%tQwV=jA*v5HH-cb%{$$
zUE`~cip<v<^ukU1V1rYZr1g?<4#{LQog3AR2vDtZa?=vxBR12law*myUf&#}KoPsW
zQM1_nF3Y>~=|c8HGp~RzEV7d&^v@aN@nmGQ6-;7S_t$L30tIM;zt`TX8Us`gtahgb
ziTSdRjDKGt`{(!bmKc>X%<a}v3}h5-@_mHLH%-7_QzAu{{VLx%@?M#<k4WC-MsLNj
zZ+9ZU3iZ5ojVGIS-Yq1IpJqich<aCq5aAML&dw#5&?Wn`?O$|R_I6t7m(+Tg1lJ2N
zN%27GA=pO*i$UR}J2vvND^YJE)iM^E^C3#CAVboR{%jVP33Et0-sLW{M+-{GldxFj
zU=I**uF*swu+xBhU)Gz4(gE_m?pL#=O#HTai~WaT(itgVO1Rf1_qrrP_4cqi-gUPE
zZk4ACwF`gw%l#W~-L5IE`o3kuv!}=%@1;WHHR!mEYS2aK^b~SnTQTYWFB+El)wE}X
zrngL-h|ZG**Rtn*b)_Dwy<>dY(&J~13-}++hvZCZOvi<`ijOkpOYE8ziA?+I4sa#z
zVwYFvC7<DBfJPn9avOS?+#A#wl~CL0Jj&{tefDCQ;enn@yQ4g6flxw?&X6Uo>R8gz
z$z^7w8S{YSjrAbiYLzvqjasr1*C1O@)6xT{=Mb%jLkXP7g3vV}{n34zGs$=A$+XoA
z2#9@~!Bv&XcODeO?MZQzs1skTmIp)-TXfH|@#~3v5}ab%x~!A4)?TIUB18|zuh5yc
zj@YO^bApcZ9u)O%7%}7jPOTpze@Z^e3AO(a7hfI-{P%uvikR!hThB4ibC$_C!pEcL
z{ILLS&uMEGW30m1azhAhoMbxAib%cYEtQ=-&nFC(96CJmcr*OPHfp^`YwjRQhh>`p
zquJxCBk$T8o0~kk&fQ*Y!wl`t12E^|*cTM#6x}%~0eHiVDMd2{sU!7j*^Ir=>xEn1
zZwkr4KJ+53F(H(md%gaQb%vX34!JFE0M+jDWT#VdPPHI<kR6OyF~)V!EU?p|OL#@s
zmlJu^<bY6amZt!r40a{W*t`n$Alu$0TWWA6U7<RgGzpzicoCQOuvJ*UG2?;j(m|zQ
zTytJf)!6la(7_4KdQmXiWCWf$#78F!Fe#6`9zFFZYJ9x^n2JjPfFEkPo^(D%A*2OG
z(a#VM?ryCdcN|{ZSF6RoX>nY%E!3Q=um}h@$7h%JT6!Jy#5XtfpM(Zp@U4Q-SmZyE
z<|S|shN=QdV0TT6!dfm`!r7`G6*f_;&rGn{vXJUsCUXYSije{_FY}~`<*<@lMiz6h
zlU!y2cN4_^D)*3EauFKfHQA;$J6qa5`KaYaI(o=9I>F31KiE8NKYL7a^8^c^tMBwY
z8o2t&R{FhCA^?<QLQJib{M!>p)r5MBGmaT*f^JvojC+pfoB_X|oLlaa6L6kuT9)!8
zi8~!C9g6f({_+JblGXV~$A6M+1|^mk@3+)J5O1t{z^T&ow|zD7F=N1SsLFUB(4{NO
z58#4-@ixINYm>FXwT@o?bQ44x3)g@VAQ%XF!&x%`sIU{A(JY8Z8ei%D>BVXU|EQYg
zCj7ORyJvkuD}cbnDrm??lzl1jN7H<!zVrRc-6S3%U;_FiaJ#U^V6ce&_blXNM^AX#
zROD}U#JFSaub<ZCHXk<Q?(hUg$I_hw587tFtf&4#>x8V&Dd|4hq?5X<@l*OjJ=mO~
z5g$W69Re38$Ze{9Mgsf``F`1hb2-<@T&^blCEHw+^jrFn#!sgD<g8jZw*4HN>L9F%
zQ=Umiq-&-FWka^4DpSD_S)V07X)yzp=v1Vq7}c&u4#N%Jf+NCQ0eH9mmdU=u(U#l@
zi@CAO2;{1bkV!u#^)ssPpj*WvZ+CBy9}OSO;&a|nAp9g}=b=O3!5b$sIL?te3G*H@
z>eV1(pg9&ChwL&780Wl9xzW?{gMl#Z(lY2aU$IjH{cOv0z#QdgstWdBX~wZIr&u@U
z_(|+Av-WXu61_f=Lnfux%PG9p(aF<qb*P;@`WXdIggwo!><vd4bZDkG63t|lk*>N~
zcvTFnhTni)yQ>~Uc&=W*b5cl{{wwg}%8xZRwc&6VxsUJPw6Uw!t9R$#mr;a!&YC?)
z8yIo<#Qmzls@1Eud5K%4cMdUow^y*JKz2D@>~vc=^K}3^4qG{L%7Q7m&PEpvq6t5@
z^*<qgoeTOr8=wg1%5E9h0L^MFO5F<g4cGHXxtuAm&*y40BoKX?_d+z}8K+EVF{6Sx
z@2pSs5(Fj7q}SVo18GMfaJ(KJRX=Ec;@|AtyGylkT$hH;4yEV@M&=@o45keKTE3IR
zegzw~OrpDFAw7>I1fwK|p-VRb?nIN4$$nGKXgJhUoX%O}iJ(?6UM_|}rH@i^JTrgV
z{W4-xVuQxHQV2td?NGwX^+??8p(R{HBo>>2`?NoAC(+=k%*F6FvZ>9LLqZR~uo4$d
z`NP30>aiEsJTcpAB4a|r{s2+ftMKU~^hA7}nH&YRc%I`OehrtI(>lr(r1La8#{*@n
z0!^Rv$#Z9t=PKyWxzEu`t-;~SPO7dI>MBz)r(TEtguV<%!b{mv$dc~amn?Z;YBGZ>
z2?KH{A4kk?(xn*7m>SfTUIL27BQmt);FHG1%78XsZL0)oYFNv9S=I_6J<E!6h#4b{
zfhiPi3fBGKI@*tDukrqLFa3USg#y{JTesq=?9(qWAFJF1Te}@zySAyKuM<)UmYrG=
zQCrF@$7l1{4&cz`5}>%*SgcVv(18!`G9zbK&DT010-4%`XGgaY;J4orCaG+n#2$p&
z>OO$HD1*gohfXdeqo}4)DVMXEV5y#~nlK`iSZJ^?^LV9ME#js=BspVOsopMb={m}?
z0_aJxDrwmET1hdD>@^s{RfHAWBc2*>BfhwtkYbzON;f%BNr_2Awr)hv6O4!kFj#s_
z$9Y`W(&$R9MY%00G<2>I$5sx|V)qOOvg6nVoLO3F%8~nUV6&5rukU|0VUL{uq)#}H
z&PuuumoQD}$3!SiH(w|VwM;s<N`|?uu>JVlsj~lXA<BPs`(qEkWj3xyb8!``Cj<6c
zY?9D*ld4IYp5flNP9w;lOc9FTVs0)fmnp}@yFCs@3-3IRc?eSDS#?h1tfUlimHR%&
zd89d5SCDFHXE<ZUbapP7&Kk(b+r6dJZ^`A7j{CBQnPrUu|IaJxs$2LpzcWC+DUG?V
z2xUVZP6(!5$#XM=U80O-`r-L$P==_sS!;Z9r;bnW(0so@>N$6o)n4}PPnb=U{w@Cl
z!mIG357U_Tus|!^pT$$1<r15I9}ziJmZ?OhX_%=SYQq*1lF9~)4ML&|JYTmCH#Us+
z7Zbr1?MZ2$>SEyFU5YNBDGZz)Lpxm)OT!^Q!aH4%vE6j83X^jZZbbO&Yi(*aDkuqB
zh}1$mvOsi<Ka^|Bx!`D}!sG<pS#WHsPq@=h^)~H>UGFp@tqcD&8`epsE+eSxu2lyo
zTtG2^%dy6CzB2-cNIYg`L>SJf-UQhHfHecvzL*y<XVMxu(Ny+*ehHI-G)wRbYdgG|
zTV-j5F^ud_yQfLnBN9|BaAR;j_<Ky%G-^(J$fjIkF>_J1su+T2TCT3-pWL>N8x(X=
zJ&zTdojU8vB9a=1-?8<C7b048K<VFz$G%Ne7eiU>49Nq&sk!I%*W1qs1H=Opt>1n4
zxRJq<bYCaA%jKfQYxa3j7j4Pn;&>&LPIt*|F%*V-F(LK@yicpnn3cV6M(1x;2jqkJ
zc&4=y!aHqDEuz<OqFcEYki^VJs0P@BHn@*Y-s;L*1Y2pHM{1=rs0?2iMOVEf^Jl3d
zG9B`BsDW={nnCOhf_%PtjGkvP<|G*e=6+kBm@r#T7R!KM(fO4#y1bq>!{yEnr-u`#
z^ynnHPV(=>G>~La(F-vy5=PseNoWjPH*u5mxMb28hei){U^(C!ae%PzO~+cS)v_>S
z-Ov9w;phi%1}cj(9YzlZ%{+kzHNF3}hfo4%QrVi`x5MVrx5D5In|U{9d-5dLr($Y4
zeTG_Lpu%IIyoy$vdS!1Ua<9N>vL_71pb>8o*@<7CK*@T2D`t+p$9yf4(Za_kqmU@_
zMRPW8HtqH(H5Z0a!JMOAK|&H=1?)kstKoyI?@dOf>EuzP>3gCc95S;@QnRVh`FvrH
zFOAe!xwiWNx)crB|F7PmO1eMArMHaD_MWv?T8~9mBAeN;NEbW@Tl`WPW6C3t=Ku{C
zy~%U|&tn#QFuBkP>9<JRgW<n>muxI<1sU;Kfu(9o)H(((W9^b4JWWx3V$R+Dn+fSn
zr4JhvMw;!%`?f-SBkN_H_T-(DJ+Ko{_8+<vZO-ZQ(>zhL3B5~*2KS|C&fkD*PMVW1
zqiUp-m-fa7r^^_^%TKB_Lo)6(H9ELi(+&GHnpw<BQLLO~?FM43<*!njrU;dz<M~FN
z4&Lrv)C+76BZ<+#F6fatI?cde7~e0T@<@yb28{BoEGJzt(Pjp3W{Uo>8hrWv-fKcN
z)pr(3W15PBS6n}?@l{K#M}SAtrZKaN_U@z3^<rhI(`W;dgZU;dSD&dT>OG3OgaS&T
zb(iJ>ehUWJvHV>2CnWl?rgf`0?gtj?LGdzMw|of$smEt*XAP+DBj-W#>D%<X-AmHm
zwcKkV8Slv<9mI}doDctNLe*S*4dQVWX#DJ0wr5(F&td{1XmIRn<yLE}ZiQ`~OR`S@
z_4oB1p*mP2?Z|0EBz)~%si9N_zmc)}jeoKW*N@lOKpgZ9Q>9yt$^v0}70*$Hs~djz
zGr<<4>;9p^nI2{Zp(da`k$iH1ylmuT;cl*^9PJPGDtE<&;g*x@(gc_%6)BFi-kMjN
zEAuUfSZ+-kU+DT`z8A{a5l!hrZFel}tc6l_#&dq0r-@L*!lwzjUQ!#zHp}^|*~C+>
zfsogI*EA*pD}vh=(HqP7C314Flzz{Kv~Jl)GR38uD;Vm$91FvUTjn)Gr@eeUAt>Q7
z;>}5S)2b#`StPkSn!+`Zxr=2jJ)?c{l?wK~9o-WDNaMCDUsMTFs1+>Rq=mm>p)SQH
zE%y6+tu6dM9}~lXC>?g?<`Hgo!WU^32dUeT3Y|zwr<p|0(`+De;OOAE2QX(QQA6O7
z<8i<@T8_@scm_5|Fgu6dq21z1U6aXlhVn<dJ2Z0)Ih-1jZ>%|!7?R(|pn>A=T$hOu
zBp+EaKsw@9igg6%46AK%&BNx~uT=-I1YM*vS|-o0r3I7qKNuJPK%~B5%wRm@nB?X2
zE>}0VL0517>@Ru9cU{26u1$g?9Lds9I-f}`m2g2&WLFnRLDmLCAjacaq4j86OO(+N
zyvq*%&ta(HsN}u++n`!C4gHl8h6}+Okt5bh|8IA_6&-n1RRACKC~X3*D5iBBTa7Mf
zc(&V>()uD|J$(UR=$1YUgU@sbFLR+*p;klG^I^${hkyIg#Gay+gV{(W&0sF%qS6FQ
zEXhTqjbrWM)&7*k8wutFX(p3q=Aw2yMOD+PcPDY84tG<VI%{r4IY~P|m7=Qfg|<^A
z6xGWdFJOg1hbhc!q9g}$S9b2LN}mY#m<5mcD1Q(VhKO7Du(+#8<IfzN`d=Lw9$llW
zw2K_Pb~4jk^%h4Tu~WD^xt)(m&Ip)~q+Ey}Z6fgD3qmgzvWrD*|2#^<GAfz+uo&Lo
zPb9>RX_%%2J|t|(Wxwmbq;Vm|VoST_7IEt77MfG+-@^p7kT4sYFWqIgt^&J2lt<F-
z7PxF>Swx!r<o_6T5S%Vsl&Lvj)yX&Z+8S;*`IWKLlnF`@ggm0ne&bx+^dbERn|MUv
z8~(#~v&xFiR?LeT0~zaOJF4K$6>6_namT7_wN#@0t@XiyFc&8<<0A9o(+J*l-6u2n
z<$^95F3F|ph>^j4OVoGogk&LA`g5@hVZSwA^f^#S%K1kIUkyppBOETd#taMaY;lnn
zWAroR$Fu2rBKf){Lz`~HO3a#)o4TDBq^hd%R35L1fi8Tl&SR`n(y>Z?CX4$Z1G}qo
zCdgx=A}%S<eEaS`j?=VyyQPS2f+B%Jy_PV?Vb5Z^cJ{T3NxYk%;AQ)~A*w=3y}ina
z5e7`mCoD>K<8z|Hdg2(A3yj_f*Dy{2SS|!aauk<s?U<noFymnG^Ce8&p~i^G_DZZ-
z#a2r-D-fI6?6@7zHT)}dNEVKRw=4w`S!xp?Af%LbiX#sFRAKN5B1=l*c*<0BvkK*t
zqv3@4YzI`lav7q;r*Rc7R>|P^v_bI!)(3`^-RO35Ec+_mLy>#FwawYD{@Ufp-&<*-
z8{v3x=QJhCi{>0?I7#V&eE`&1P8pZHR=>~y0$YKmLv$`_iT0+#u18f>7;7eg7(JA!
zm=kAbk{+)h4^ZO#gEegeI*1<^rp?;3!pArITLdSR^@0~-xPY-YQ2xuBjtE<E+56bW
zL{M_Qytl@)9#Q9;e9*Y=&;i)dhd|7ksGD>1fK@Pb=!3zE3`{owv-FgLEW0C)b)4fB
zca_#;+5w%sO@hf_rB7Ozsng^dQ4tyQToTpfstSgm%2TGkfpyE&C(6Zyi~`-Ou})tm
zeR`k|2;{8IhqrEP%OQ(*z*JjdJL|K3x}PsjM=GPsLtk7$HO1($yWR>=!@84?)Yx3u
zXU65kJ|kmT84G!y;U-K1x}>LBQB%l~5+2Bl6xPAvf`KoQ&^Gpok|wiSt)NKH0jZVs
zIoCQ86@~7dQIJ@m@r8E^>~TF5-<O8HO!7-f7UJ?-W16Ez_Ey_vdYFWZyFOzfpG2Xv
z8nTco5^SfDu?A6c61h;4RcsMNT_IeHv(>5WVrbf8FrkSp!|-H*D$^cfNw#`cXx{E;
z_>?uD$C=5vT%-ZY4YCEyOJYx0AADD(6R<)D;-||zgQZI~lN*zSjI3+lL39+zj2<>R
zZqE8DTW&DMENf02e%2mKn4ha9mP9+bfUY$Uvb8pe6~^k`Mk#S7a_2X4R-ldQp`bA8
zIS~J8!ghK(jKZ#2wpnu2aW(yGUO1iDD&L@~-z-O(V>#%mJzIQ34a77=SHQ|)|Ni*r
zjbpz3r1Z(6k3ya{p1`X_>7bPlb*MCIbhzHf)MK+jB~7|`y&TB(ZUH5iBv_n6rSsOc
znz8#G#^9Ir9;uO&Yc??Sd5bzdex?I)WQc2BjRsda*Hntbt?bqZK`dNd6x*~jWmgt!
zqiKL{G&Cz8Vr*LR<;Q;vzCOQxIJPq-RO8Tdx1x4=ZDk&{L6TN@h=~+cuD#&humTX1
zq^U!!aHHJz=8Ls+cypUwYtoOg?O+7od*i2l?4{3Hdy1Ew4A|d7tOPG4Rw80hr%Tkd
z-X0c7XB%Y7ty6pEU1MDNtmJ;S24SO$wT2F<S0f?6U%UIP(Su&griAILO|{g}P$N@1
ziEzKmEJxFO?D%6bRlI2|+n??FpHCDZQ})9gcc+&f1MkcH>1F93<`v0wWCRBs`ntdk
zI7C?qrw^O>frZ^~L}v)LM8(f+r4!3%#kpQ`F+8ahFpam*y}6XRHQ_7lOFc$f#J=v_
zd>`IbX3AZoBC~oo6W>S)A0}MqxD)D9Sswn8+Z<?A{2BnYv8I+G-`$)&L+N)@9C7CK
z@R|~p3b{5=ybScIwPJ29cxH12?kb*Yw6}TbPU*Q$Y@*0TRI^{GT7lGX8;f2qr<MJd
zk(CWYa~$?DvLpVdF~d`-J1!-WmA38^L1ek-I#Q*0NzsK~JC~*we1h-4tm(tPV12i1
zSURq;7=8Mab=^Algwh%|9+RfcuD_rQn(IuE8DrO2f{{DthLAD|nm4#oZdL0?j0gI^
z^}?F%HA!C{VOAXe=s-+>!VkjD!yWm#uYl)a!{~pU7_1vGHEDv;KeDMVm}{I8au!E(
zVH)oPB4Q8<aQ*SG2Nt`#*>d>XkfTXLA!iZ<i*~9sJje+P81Wlu0%+(AjrWQls*se3
zThQdMC<h{uF3a3;!r%(rrcGO3dAr?lR3K3PECUnBdwS@6H8zgTqJ%2yKUTTFutkt+
z-7)DgCZtPcZ%L4mIJTc%nsfAK<uUWft*`)ye5w5?NKt1wa-|4e)UI1~jl6eJGj!II
zm)@9<H6@?$!WA=7tRbxtIGoziK=#iqc^xnhvW%IPwAZlRk`!DJNS0L3BZR}Y!W2$a
z5$;jyww8BpbrAUMc!N=MVgTc*j;+IA1|oNv6dGd5j30lJfBKfPAa9=+5z$zuRoMNR
zmmYM-DP;C&kRc-7e6~@ZnUM*ebHk2P6FP=bu*43@5AkZ$pbmzKWj5;Se$KE==?$Vp
zyM5uAGP4twygomDC&UR+vFrg;=f8i!rEe^Z7y$I+YEp-)t0;&V(S0kFOH?)QR>#GA
zpbwUNq~=p~#7zYV@izav@k(#cT5C&ZsuPh@@LrU?K~ckouVW2PB=!T7HH7`iSnijY
z;y4u(fe(#OUN<N^^cXH}a;+E$Sj<;2rtlmn$tXSLt9O+31Q4&~b)}(bw4GzuS+tZy
z*8~(2L<-57v`N%ZDYYjiY+zI6)tDVY@D_ddvOecwlrRK8k8#X=d9oExcrc+duPjb}
ztxPAkD1JoN{JxUT(f)SSS{!14r9RAn$t1_b|H|k$CE60iZOwMDK==xNuR5d92ns~6
zJ;M8-ginB(p=G@{v!A7bB4?qDXFtp1LAbRqI8~Zovqy^?^Lxqe*Zx$)m4G9AGK!P2
zK&lIw+D+iE3k^yxg#d9KB6xXw%>`d9YM8YSjd)(V%$yGt{s})Kj6W_WU1qpV7&}6!
z*gBlIx&6q~t6hk>w*=mPQQ%-GKO~esc_Gv)y9W6fj)Xk44H)RsI}fbDSIZ2K2A&Mu
zX^nK&<f19!M1Tp?5@_sLU#?63HAY$0wVhUDbuW^>?5a&(s6G>UKT!5ABb!~c#|`a+
z^=ppmAAOsfPKFzGKALLsLdFBhWb>VBZndfo*H%2_>!eio)K!1ql1x~|tJ_WhRJ)h>
zDYJ;|$*-zgrw<y=<c{`dfG0nhR4VdUgmdz19L6$O8wH(a+X@)S-0O_XH0|<T>r=+~
z?TP}71<mW%@|1keB3deLfie@U;GSss&f6AYa#j*8PeJF{WI?M)02#rmasRpm;v=Iq
z5cjI|b4bt*>HqlgLl#zb*wW~oyC^asew$IEFMCF|hkG)xMMlqDBc+9B3AC4a<;9ym
zVjk(5e4eVR3G<wM?#oY%y*B)sLsl){g-^fC=%W2%1Q@F~emOe*--xOH%WM7{uhr{+
z$7I*C#V<*ezacNtMiYy?r0jS7qUQ{LIy!~b_55|jhVMS`={5}hJ{{Ck`OhoIt(w&V
z>t|QbP0w+u_x^{M81-#wtBC|p7Mj5mv{jn>ewv}f8e!(n8JQ_fRGqoDPnnx{uRHjD
ze)3I-opg(CXs+9RW2S^$<f=8f=IFjTHF`;D24)@b+t1`IQxl``{TvsxkN3CbOT@fv
z)QCava^5ubaZM)_O9cb>>F_j|OH^m$%i@P<-D-8Ezd>{P-neF{SYy<i2fg(;V*)i#
zN!W~iz#Z%0Ka={E)G(ITa5Go^D^>GFeDDkeM^YT`nECz~;_OZAiqXkFzbD|GvRh^a
zv+X6jr7I~S?`fh4798TYa`GsOPJ1kJJ3h=2Tv5_RdBhk^33*PxcenaR*!KRhqUz40
z@5NYZ?!})xNujz)-XMv!D_@Jh!1>0Ldol>0oZ}j>WfE8O+MFSF1+ROV>I3!BwL73h
z<pM!6maLkok>g``5RcX0E4W1=b(Nz5-dgS9*GIIx_33c?RhI<P?i@2U&s(3c32$Wk
zYgN85rZ{h~my*I-();ce#QmpmENsF<9U`go)=T|_8P_{=_47e1ckL^7Hnm9?<2F{4
z#idSi1a`siwKB-6P}(zYKtUoO;^W1eahc9h5~~CM;IEW*Ho9Pz(Df{vb6`_sk=_F3
zOrC}Id=4EU*h~(!DV#jMj27^wE&ElLxBO7jx0@t7bSykVA~LU$o0|JIc;T|zmsQdy
z`*~<dAXu)h0en{P_U*cJ+~9P?7Cw&qk(5-OfGakTYA=9Lm@AN>f-W%~{rAINfih9X
zb2*0?v%q7>Pf;Mk)2k#qg+uB5f$=T_<{3f17>QCdy7x{$b@kX?HQJk2AJF5G*UIyg
zdzQ)ur?#|S)&#moe$Lt2s~ge&r(KZk&M(w7{!XvWYZk^2694Lr%n5<Gj3*a6-q-^v
zcp*f1V<l%VXu`UPG<F}LV0qaTzkD96;%~{_tbnYX#*v-pq_y{d75!=cd7Aw3Ha*cd
zi!Y=6H(0U!)6s*Ql)SuSm1v#V+7GElezez$bU<Hlx03iRtEGJ>V5Gq<;*g~4uo?uq
z5t`b>$j|kQCniu#&!a@6PusYppxf(?CEF8iVuW{Qe_H`!pR?)Do=z_BZ;;l4sYe9t
zsKcL@sW(4xNV#sv*4ETwAJz)ubzU94b@|+4obF;E%wG1c=wTC=(@e^xli1{JKqa+v
zpy`P20gj`mwy7-k8!KjNlbqQ@eUECAozM?1+VzPL==1kfcb$6Rkf*0=M7Aw~^K}~e
z^P7bpzUk575rH+HY17C-Tpm18k5ng#5@5~U;3t&g76cpdqwCu9KWO;Vp>dHu&|@a(
zi$x_ds~tF1mQjkNog0|^N;o05`U%j>7Lspe6IP!cnm~DR{AD@S48E_b5v8ivfQ#YU
z4tLT*Z<z>efryScZ$wm5nXw#Mf5hY0*Uew8+l~$hm)}b$bhn$Yl$x^4X>(x#{F_&X
zjWDMNeMwq!Ei&gYCJBlcYKhCT(rs@(A5nmULk+iOiU`>fJpzb`)%c;B&l(Kj<t>%e
zLxNYQ)g-dBhIIx-uq2hr`dS?tXNQb>QP@WpqUXvBLc1=u80nSr2Nifh%Hgh&`$qKv
zJ)84}lcr8W7<-u|t`@GDwVnll%c1b>t!$A|nx_X%=#*C*i0ngG$Cm4VUI9u2epjd}
z$QM$`Rsw1e((?M%BH^SYf~|klw)F^uA}IvQ?b2JHGWq<1K|hYJo$Bpy9530kHv*ol
zeI5CFW8NkEtUp%F)@O>d!l~s8+dHu%NhvO-3K(&-v+DzJc*3~Fg@@xxr>v=dsgzg-
zJkGR(Q%r}qANm-;catylYAGAR`x&II>TQal-6v@y?Gdu6WXa)>F~RtMrywgwQx-!f
zKmz%^7Tvm@K<z`oR|Zfh%b<6c)q=-|Kg7hbx>rC=QE(^N{E}VQu_Y+~SBZ;soXSo$
zo(jP<Vvf3L%~0L{NfooH!i40bYdz$wEApH5s!$CuF?9^n4`0{XilA7&-j*sN>J6QB
zAzB*hf}h<jgW!33!Lno|!UcUPm3oce^LOR#y3kl*iO-th)Al64@*Bs&{v{LUi*m|+
z=aubU5UF>|qqH*ZD!YgXv5t0X34v?^sUKh#=0LFY!|eG*=;3|wcz~qhCz&L)Taa6(
zNKUvUXkxYda!rK~!&9(C|3ejXS<kBx2~IEL2}}yU?_1i*gkA=sZuuTe+T{Uk2W!Fm
zG>sNbrGLnRt}(x}!!^=g8jWP>W@TSB-*zsUPY-nJABd2M)`c9bkZj*b2@y4<Z6|P^
zQY?{v)1@)25UU_Dew+TRRWa@RMzE9pdT3%?<kW0GGTm7<JG&)ctinTk(l^GZ8>-hH
zdwN=v5b%MR&|lP(BS~}%A!pl?!rtMVc3v>CPX(Za*~S<L`@K+5ZGi$+bKInD0?YTH
zmrjY@Dh*zTCiozo(i)#V1`6xM7IZ?j9w>=SSD&RO{sc73Sf>e8wF+F*f|z`?Gv>5e
z-EG-0Htgy!Q&%xLFFrFkNUxWaH+<*3q<T@~_r|d7-XE>Sad-JxWwT-^1dh?qq#!&F
zr*!ZJk*&Kj{^PkVazKYdy69~m9yYvrggiTG2i!*IO=K9VCQMUj42d6DGnziro9e&A
zI@k5B333m>F{^10UFpIYf!$g^{%g+=tUx^9FYD3HeiFAg48Nl~yPrFjpwpGn5`5$-
zAg^sdOr%HS%VFX21}sw8R2_KsHJiq+#9G?v^lAN@xsLFW>=qFSCfuVh5rz!7kI$<(
zWHblsdW4c4v(+(6*Uq;>e=ku-9OnLV=AF_V^`rM?l^J1%S0xslsZ?{lLvVu<&oq6c
z<^#O%hZ8xHUbTt#NZ5HPt8$<_S6-Mpah5{?A{s=Bj=yli<<mj!_WI2U!42Mp{foj}
zuEwDI-3Id=A>`a!F#wy{8;_5UYwt}gjl9`i>?62z|L|U|QbY=w4TZKIN>8+v9Wg0(
z+c%=PEIqOJ&PRoYOpSk{-}?}|RXCyHOUrw?;r;u*cSakOI9{oF6G!cpW1@YON_#-7
zenab2It!^c_Ob56yk`g~h`c`9F-M9Q_M%5;z7wLkGvIxb46mIyhVV@kWL(4`l*}=0
ztKF^AtPe7jb%KcwBPD$mY`Qiz@AIg<!(-}o2<>m=I4tOx^T~({C00BMi`pD$pa~7$
zR>)(DdAu3~^PWzC_@e%)Ws65#Q@{b%LILoE;$#6xV0pE0A>kK^XmITuv$~jpL3NDf
zR2f-}?N&;}>kloYFzVDb&4i5+==KikL*`Z;TQczBr4Kd~`Ai{tba?-C{kF_s&1Bkz
z-ZeG$TvCd(Xe3HPjV0)jgJ_DA-&~gkDFyWo>J_9<4hWLWCp0{z`T9%o)qm1%*l8<4
zyT4R8Zq<7sx->63m#gY4G7;Aw=^8eK7K?;Bj+z*bn~WMV8NfoifgNkWY?Qme)6)u&
z`F$<*qA#sz!fSeX1N_F&z`>b)P=Yd_W4oeZA*f`-q>XutLavSVv!sm!lE22Rae1*m
zE{ikRB$rG;{XMaUU$>DZKnBb%$GHy%_(HBc5Eks-!-=9_Z1DV9mdF$f0^cU3&c@wF
z3@0jTF#i5k{x_oeSxYT{(d=*jHwhQbyV{XO&~Gbfs(J*@J55-CN9;k1N9vC>m8GQ%
zyGG<$xZmp3nqf~YW>^EdKvwhJtwO1BlY}gdpS<>ozT0e^h)o>Z<kz@L&nZ&Tr+;0u
zZsj$C|JoK;pLuOc3~2gb3*&1~OflT5;}stlLGJLIjli08B6@j$IYACvOD*tXps^*t
zY&mT-eLrzp@>k)pignGaO6!KRp2GWIEz1V#-2AJ56V@`%n5;%sLh>r)fF*0V_3P{A
zP%;TG>4;W)37+_rgV)v9%$zmOGj-PWzYaHueN14?s=^WfD)*2sRS#-|Z`JE29uVSc
zGUiBZUn_ym%trEm;UM5}lP30M&af?iLv-}{#8~IC{RFhOLk$t&!)L4O5>i;&LCv)6
zX79KF)DK8}q_rYH7E}vOD5M~C%UinSwfkW%N&?a^vlmzh_yW$u!`@R<rC{<1#KkTP
z#_(XDyk5}kwyZX`Y149VJIAq0JZA2Q$>?d$;57?PGc;A~LDXTP%4ul;07++z3Y0tF
z0Z*VExZS;t>ESoix_V@_${zCQ{I81L#!Zcyqt~1C!TTZ->}`Q2JawDf_lmbu{8U85
zOSVJ2o>Z7T{UV2>D&;pWAafc_?rW2B_{CvnGyZ!DF~a*ItBxKA?KOD9Imwsx#FA!C
zbxv4HPK){ig>{YkVt>q6C7GC0S=wQDF0fCRrrEpkvtWYYK1(Uc`$}g+;OcgxPu$Oe
z);S+|g=A;V1!P0ZA|aXnZH#i=B0EGOpTHJXx-$tkp#JJQkk2c9V&buQbj%U6Wu1l!
z@6Q&p1}BzJERgevSg#k&b;KccRc+)u6_=veyvC#SG<2gA{`1&+4yDST`r3qyz5Q>;
zuk!$xu@sSogvPBfx%%@{*U%_8QqQv$>7JCUNGCPTDAuFsrdiWrHY=_`rYbys^s%?x
zM3|0ET2Wuszbb+I0%*wu>HvLfR7wsPwOcjXv0kx1BvI6eJ-%@>Mg}N8E?Jx%`H7Ju
z<*jfsD}?MQ`eOlT`^<d4AN9sj%ZPN>yRuwfm;Yiww?2fvG+FyQd#EoB_vGz!mTdWI
zDdu}LBOPR=6i2vmpB(Eu@2xTQy`vK1&$^5gV9q*rpbXS5?U<XMWr>1KDmR$hr2Z+D
zvRmV}#(NedoougZnT4%pMzmGM=Y`lN>$#e2yKM>Jfe@|P(Is@WeC_v)Nz2x>ys+wg
zaYEa8XjO&plp9hwpEpxD*te8hld}N7wd0C&gABzyHi6MlC`Dvec@irY(xvgk#|iJ*
z&`ke92-;*gvHj%bX291`tFz%Eoz9prk8CL%qJ|+}vzw_XXJqmjpSE)cAbty>nqYE!
zv3QZm-;SEFKb5d<(Cn|?18J3Q)+5}?wqG@cu%-uVwWS0?)`(Qd&2qVN1PdL>WA#Ug
z+df${qSY4CPW40FGkRKzNL*yBnuJ)7Qw}#fk2wIsb-ZnfH4A?N7BfPfxLw!ynse|3
zMQmg?Ax1e8aZRIGwrLHWKhqV-%rYaRcayu6obuuYz$<{`);?q7=^Tun8@0}F=cTNb
zx|*1EVBI5*`UWW$SI&tKoONX^Fsn6@yNZaw1G-43k^NPu*cVAZMtP``(%|^iDfjQ^
zl6Vs=hc0>;hcpZ+^0SY9%`^O(_blpEDl92*f}*-5<lo{>*{*dhvI9Eyk;ZZ39+6VX
zk~C7tdrP}pdN-c2Rb#b|d+#$#e+QH^gm(YYnY%1r;ebR-!Ap~Xi?^)~uXA0fbRkU{
z#<j^0LW@C&nwL#W^KXA!b*tfuUG{@z2k>WDqhLJZ?mke^#eC_~d*wFDmeZ$`QR7xp
zEC~61n$SQh&PxBBpJbVDf5*%rQ}6JPlVoY1z1vHv-T`8Q)2c&Ux`;HGBH!1jnqxcr
z=_&eItw`cVbHqk;j1;xV@F~a3hUAb;ktFqBS7Pbv19<&-B;m#r^fo8<kP0?I8%tX}
z9sb!pA@Zt~;~^Otk?qOx>f`vP7T75k#1E;U2s;n_+4`^Wns`FTZ@I5J*L%ulriw9r
zgQ;2Ei~J|Xg?4^SWVw1^giq}}?@F^#TSZG~j;;Nnwb^nHmu;euBR41mW8jNsF5|^E
zW<DSouE1dQKmSZvUhka1_+H*r0-W;3wpTxUtIXUT<U;jbL3chE*@cocZT&=sm0eCq
zSP?3Ld!oW}LLd6E9XD)h88>#lb7RKLprE=A^Ov)GV?bt?!gZ9Z+h(4(9o}Y1_gzAf
z<!psdpPnk5+qC)4&Czs$CrC$d@5<^M5FN3GXl4J5`;+^x9y01&t+v)o)@Ko=ovW+l
zP-0L)1wHOnNmKi}`VUAtpx1Ala($U*kFGe#hyy+S6MWX6oC3=McCf(LR6j3{#~?aJ
z;b~umvD_<J=%@2zd6@iZf`hz;fFOz#IP{*+$5aIqBl7DMmO%g@%XxR*><=d&ea2LS
zvpu&ec1w*)E2}|P*y2B{y&k?HqqXYG%;yL{f4D;3Yp1?Gsah^L)2$w#gNkv!>WEaA
zk~ti@V!bZib!s~xCKyJ2;ci4Pl3o7K=E}U>VO?wGY;?TW27Zco-1=EZuzc9T&t0y=
zXy6)mRJQ1h27n-t(I*Q20A|fl2}R;R^O~0uxyQ!8zu5}j^n|58mozji$LQ%!X&Kk}
zOZr~N4j42&e=KX}3v@;boX%u+3Z_dW2L|Nu&+=7bt*Mjae6f_Las2cFJ6=Q0`O*x6
zm)0Lo5|=skf@48Fz4hv_h#|;z&`6%Fc96XjqbR`qLq*)qe^ClQTZ^XCS<3Wk<_jhm
zw*(=JKl6lsHW-a1Nhh6SV4$`%Bru<KzoPW2xVqBe8Ya&nyu(Q>gI@k^+iW)wK3HzE
zT|hfIRa7yW;Yj<io!J^NmT>iOhEDflG;4<+4Qme+P-Isc^RJ)^YcOHV*RI3y)vM1a
zTO6zxQZ4BN%;FvD)d(f7NTQk4=zv;+|LWx+v90_1lE{oM@x+}tg<SBpKHH4isS53s
z3btS}RFNbjJf{PcB{WJOF<sH5+$;gf4Lr9|*aEloe)>7ZjD5L+eTSaUe$=`U6oU*L
zZTtLZuq8!x-_-4F0SVNuY*e1Z`)QB0X?X@2b{n?I!SAjKD0T@H8eFYUY0Pq^U*WQQ
zp-u^96}*`!_|}a(o8^O4W2YjX1nl&LWF9;=ISnc1Y}4a{!3<@I+M<6ZmE3ph1AKyi
zfUFedgBtRL^r)T64C^*Zr595oOd?1H`X_607bA_9g?So1Oc;*#Y!v<9(LA}I3NyW@
zFK9ja9jrJdY7A9L-2;+);$3BN#>~F;*U{`TSqnJrX?-CI+=H_FTN~6SVnS`iO)vOu
zAwxbf*NX4)+(O+G7JpH4Gl*bD5r!v~VlW0(gsPu`uNp!G)!c-T4+;BCc1VOVQ^5Ak
ztI{@;vM>uERZk61jjmu~+c`)By)~>xQ#Caf?3#V{i)+iacM_Jpk0#g$Qk{kS_)tZ;
z%A}+pFeabmAyW2jn+$_?!i>Xp&5`O$oOrQe@zHr?*-@~Lq@7^XL)cu=Qs&RAffFvD
z$~_$8b1Krgg}AfFJ^hs|!-owW^+1uo7dhrc%by!JKIQ+4P(hbiJsI@2uHDZRiN>F_
z&2L?hafdeZoTcH88F2#~@c%#J{vs-_2YTB?NeBcF?ht~zQ#irh-Mz3X+%>_ykiy-y
zfTEyqNpN?!gy0@D1d{xk``zxZC%x{V|ARX|)3f&4=e+xU9;kDdRTXeowp9>k53ddJ
zMK;|Zv`R!Q%FKH)c4)W1AGb;9u3%ZzNSi2QKQ$7o^SJ=)otcD9I<m}!Y*7YrZa{J-
z_E#*@^z?61G0>72oLt_b=SI1StJCsfjWu&I&I2fteUDmUV|r$E7JDyF_(8){FE{95
z4F5qQ>@?^a&+}r$J3YkP{7m=bqOe6_OVhF=U72~u8ClTQ+k2aOf!C($y15#wB+@2+
zA0}2QgpGvSdMF%N+FZjYCnWf9Usrb%w(QQPz4O&~1O`}jOT?zx*MG=~2}foA+bm=2
zfFM{{8yiok+iF-xO+BU|ppYHr#G1**K~EpJemw>{3VzG<EN5X+OITHzRfN>N3A#EU
ziKw@EvQo0Oe^`b)FXwalfLH_R9`5-a3xMiGh#X$hKVRa+9-7C1GZQf~@}s|{!u{fU
zPEtgGwmO#HvDG4jY)6r4$wF?tjr<Rl_+5Frteyu>SRWfsJ5B>u;bUHZasRo}zUXe&
zMjQPkx0E~0(>YR48^S;h%z&QG4fkRvGxQ(-E+KtI>xJ!IEHa(U4IkF%Lf0}?xs1>>
z$Y9p8>Zo!XbxYraFxdOWix94vg)R-OohzLB&nVkDF-!4C&$&XC0*j2wwKrV0A9Y8+
znGA0Y5DA8=#D)T61AVhzSeh1IpKl3}(cF>nT*H=+)#6#-YO=8HVKfUz^&foOk85XB
z30vagB=wp^N*&3+s#`iOP7&cJzllK0YP}I_GfcT&wHJQTx($8c;t7gR$|4gdoOOpA
z*a+L7b^VRRg1$}fu<ry}hgmx>*K`TtRJ7WoINPWivUwbFTGcd4a@iYAo_ZapS}v5`
zvQ(5fI=>-|0xnnKvp1{kJvh`w*Z}-vh~{L~<r%$ef|E>CC~zuC2D2+cNot>^9n04z
zb@Dqs{P(^j2^BomZ6X25huyc76cb7Cdsu{D46ff_nq+$9;gWBqC8{jz#?52itPSp-
zm%?dSiPHxnKh2L}^Vb`R?HKJ)C$Y&l+3b{*m}@nX0nMM$9JUm;Ieh0cD$cz<m?FT;
zS<Kr)O>lgt&-PJY4gmB&CxiKvntQ7jgR|{Sd~)*{hJ0R~lWf|~`(;rz41$#FomOh8
zB%#@{gk3>NnZ*qlGCnR*IOg^!5$sbD*@FY+CJhAi0oYfJTwV9U7b^A{g^}=!E6zIh
z8v}_#_&gyn4UbcGUn%$QOLMhQN6c@b)&dR4(87{Ive#kxy&|(K7LeO}^21Y+bo{x5
zOYZEP$5V`^0U5Q>fy*w;AsOQv%ZG|AgDV5nTSY_0$lWKwMll<o=Or%3w4}ABza?NC
z6^%wik}PJ^U)+$}7!I~!-J592;9-{J<?lG_4#qrYSkF7V<%#lZdz(z<16)aT^57cM
zZ8@EC11Z%deLRQ^`TcpuDkCZ<)`vGU*B5Puw20Mn-vJ5G!Fm18@Ee)c*LiAdPfzso
zT*kB?@OtQ3eb|K^6$<!<GY&ouFNy*assH|mVsRv_Yn|%X9rnj<dju2#E3?z@UQ9)7
z+$V2`-q<!s%4|}`P+?uw1Ejv3L_<PqeO7odeBit+ghhWu4{@>-(AC$>`b13FliDHs
zDh+_>ejtb>Z&Dp0t+oyI+VH)$0Ki?3!HmmX4-XHRMbiFiqyzJDT7@#GD2y^!iYKI)
z%X(??xf`=V+CLRWF4gyBw8-st_xFTIIZtBhY3tHnM&-2N_<+qTi08cv(5`lv-i5|l
zHs5}A@X(=JbIdr89-srVV^*}Eh>tNo#Je>$c~|L=UIV+_4!Sini}N8=LR8ZmlC+7`
zhII^St{RgRlos1%o@-E~H`@<{l|Z@SXD^baU)d(Uipc91+~+2&`<MCM;ez;fn&DET
zoA1HU9jpG(Sb`s3pR>kT-Je>UUyUxDGY*AO57yXRTE?O(5q?tRNqZCZG<CJ*+}tjl
zl$B!iE~V`VhWGRZ25d<e$64RFKp(!?F%3-|@U}O6=YHjw>t}m6!Fn?#)p^v=_tpH(
zETgfL#@AqnYO&(z1n9Z%GyQC+1F7bp=q`4D8a?3VbPJiIN$Qk3c@ML%vkYdmD2(X6
zOoD5OvQM1-j(W#$qfwHX(czqMAZB*RPE0*CeL_wF?fvVV2a6r#$z7hrCi&Z9{XPk0
zkR0s=h2j_cYhV75tY{Vrv966o;W3w4YeqJ#Wv2`U@!whylM0Y`bJO-_5f$*aq={?#
z;!034sXUE3Z>{!6a`JmAk}t+MumKRXj)K}3Rc|t*%8<qXKNR)b)9cgT#!>WV-->N;
zH{bNk%^LRoza6Y$E%Obb{mwZ|BlcFoQ(PYz4wLdiX#`_k6a(H~Zi<7@SkouLO4@A2
zOth{Ru1WVE15XJ<Mde!$u&h;O5y~n=UWh6#3*XH^nw+@5Et*rw8aD);`U^0UM^ll#
zY-*!JG6i(ayojrM<i%mL?B{lxmvAsWGIqVkh75b|RMD;Z*xV!8GMf2tdiHrCKWV?s
zBG;1J#_>|CoVvNGdmExBWo#nw-EL(kk5_)AW%%5AQ?Yq;NCdi@$lu~SJPQ25z?zt}
z{T^S7no{zH)bpM=%;;{t^|Pg0s;a%PfO(!bKREHvhR~T!Ys38>7lx{4-?~Eul|-bf
zP+n;|Z83MME(1g3Fk~iX>T}%DsnjT=LrpHW$jx|+cF;?;+!-DMEd6D$A=GUKa(%p*
zFlIUDNKRTx;Bv!O??FQ%<e^rpC#?8s#^J_<6(7(-Z3w8PII%MpThc>rmuErey^-a@
zpHlP8ySZOw>(s9xb!~3Mw_`fx$W=Dl1Lh!glRq!9$NX&@6}U-`z^IcJa;d5bzeERo
ziMS3onTxhqblQ=&_CUaON6@8M)5K(dI@ttKyIDA)c%t5AK4E(Fy-%<yfIa#&V-ww3
zsn9#lK?#GKoIC4}W^Q52UgaunQ+{}~y@8IinE+3<->{3wj<+J%j3k%t(0W6Gv?Ec^
z;0XelAHV3WAe|+%kzr?a7&}L>FZdU_2Xu7RGfRrcO`pD@`t*M9(2yOZDs=00u^m+y
zNvZbXsKvi-(4owQsaCSn0VP{&8R?dE5=k5`y`TNF+t%2MieMV2Q}R%NgS)WC3`Y8l
zdX<~MePlRZ!-*xiM8HO0DcXd~(&3S$ZY(=hbpG}on+4wlUd$<886g{dCQwTL{<JT)
z-s(c5i3+#USZ1cz7_vr2WjUJO+KU^;xib-ah!72;>?}3Z8$X-qrc=%(wpS*7!x#aJ
z3D#~~y+W#P?^F#QB7?nz{8Vp0IyrshRoxdc<`Q1#CkMO^PQyrWck_rOd)Ks^_C|Lv
zi~N>LjlWxC`+9z}&=GAk?_13-4yYazC0;!##0at<+jCv?*{x|5Z0Mvd2D`AtgMui#
zt2HJd@)X#G>z?38BzsAf_=*5yJqzo~|H}!l+F(#gCN`W<Y)#dIzmW!L6eFq?NJM0G
zqeR1$PK}?>M7nci9a3s}uVC;iZp7#d+n~|mz1YyNe*&9d|360hhwZAN-vXUdgbq7<
zKA^`i;~lH)wnxyr`)9rV-+CXV5tG@I(@&DEsr3em!_}?6>y-?uE;K0Dl}%P}!5pI$
z9s!18qa0pz?xf>0v0A54JKvY%&$cYu0A{;%l%IviT*DkVU6co-Zk5cFeX?9PUDe}}
z9Sjsg7GheQu!IDag-?IAr8F2)(o|s1P;Vr51N~k#Vw4tlV`vx*X9g*$jC;8>j~2Vt
zSsjnO_^eAHrU8$C65<n=BwzQry7@JBo@*o`IBx9Be`97%)nHrcRn_2QE=O`Suo6=$
zc@^c>Azeqr#&M%+Ay)5tGSZlNbt~=~)Dh(%#5YaE#+7ieYDMNA>=!0zo0P_(SAc<d
zm8hY1)dhKw@ZEN|MV6mNSlxs+%&XPf?R8VqM=8Mn$gw_O_^I*rs!m@Nw&7rl?B5F9
z+d*qf7+EJVG-B=x`x|BxY>9jJ*#h-V%^a`3m-(W8A`K$j7rVX#a;w@cvaf66IVj92
zG_M#2H-1#B(%|Bi9<Ea7w{<qy$(>KKoVtaLRlkS3o-iau^O2E@H{_)f+Ni_y6AA9(
z_sk9_)Jb>|q?07M5x4N)h3gBx+yx8%SiWED-R=u(FTR*jaPt-BE|T@TPj!i^hZ;gh
zG+$-f_uJ>1r-f%EN@tkl7P82ZPV#I{bh-QY(+Klp&^M=#N`eB}c!d(tvU-LSOHUic
z4ZF-wFGxuDQPpPnrW)X>Ln#ciC3!Fj@N;Aj$d^H{<7egPph%Z&j~S(Z00ld1z<yxI
z#-der3o^+Vmz1nt@`>Hk=2sLn#V8d&V@P@3N0q`85)fQo{e#;!UWk)LvtbU-Z^ssa
zBUWW+`z!C@A7l~R7b?geGyUPVlfPkoT`OMQNI%UEuR0ssFsUj~5<noKE9?4=M`CUW
zs~nSAX784`y(Dkas(BUTx+xpc6iiI;)*Q>3$L{PnQ66a>5GD3Au5_+uyO7jllvFR{
zKNK?cgDg((Uw{1zwpED2`b`7XV1=uL@GkE1!dW!++|}N{t{o4q8t^E#gxz?L`qw32
z)C{zkDrxEZWn}FnPAHVNN)eDc8O3D3+kO`n?oH21=D|v~RdiIqmYHC6#D;zEh9UJ2
zr0c*UZX@)Tk1Up=j!hG^d?ha_OYf;TE5aXs_KVa0=hOP)^!}ph1nK;i0bkqw!_eg%
zFqH5;-39Vqt<a3qPX{a#FX`z+g2O4WnJuPF!N+HMM{0v^?$=Y)+gE;SfvA5uw+3-O
zGkHmdHuoBkVyYq?b0c2-8hr|bS`3Lmaa*M7Bn@0qj9H@2)1A~)`-3I)26iBIR*^<V
zIWG2#?c{pu8*NB)gni|<RAZtU!&)0B0r(Ts6%{XuZ=%uc`f25r#fl*hxK}91srs2|
z)%j%nr`Mi9scuuXqUv=bp?ouMcE6V0h=r(B%Hn+j$h+I!eM)Cz$Kuc#yzl6cgA$(3
zNddoV!y#K;<}uKhSJ{5<N&R3n|NgdX_9QYO&Bp{R7ltXw`OeCu9S^~glfUz8->t7x
zS(c=F%As$)8z<f}o&CJ}7#oYc?6=q3j#To)=HhJ)NCCp=GqS?Q%1Q34G?116U%_qG
zzN$Ng{16fn{Q7?-i*^4yS<L$1$zo5J{f{<78tixaVxa8_&bqbv5t5-%{^TM|%qlHk
zo89h2?vwm+N47mpVRLY5Ns!+(VX7YtN}tI)HfCz7qGy|S?vEc&ehIx)ucV|TN)GIE
zGCWAsxSUiEWI8i32|8A+3r>xW5vttExKAWN5ojD1^iz8h!$1&2_Kqv}(*Yi{1!VoS
zZ){*k%ZA&vt?okKa^`0Afw2wtM6JA__TzJBk|scT1N%=(0>#zrp_O0^cdB$Ay?ay{
zjC_RWR9$^?n^t&tS<mpu5VFHuEAy1Y+Y#P|>9-Q7--f;{rztxzN&~HzY!0D|Kmwd#
z8dNYpVtgJCB7*+?Uu7YNHZ_oygzKeehTiBXmDAs*LD}9L!morzbxVjEmuBy)4&1r3
zcO(^f{+f{O4}4|R{fo_zF7X$TQ($naKhhiiW%@*&tXb??Ws!a@uu1pJ4~Zsh%#8fP
zQ#hckR|vf+tb=eo$=LjUt^QZ76m4F|<8P6%f_HUh<Ja4r3o^X|`#6DuRc}Uqm(~O`
zH8dBtR4dwft=9W?Yoj^d>?-LN4TaX4`N~H~;E|c2`1vbh%#ar2IKM_$mWMcbXPKb)
zm-ba!o4d8`jIBSai$uO%`4Ve3nwJxGCJ~m#TyoaMc$lhXVs|+e$`Q$YDIxHS{AjCF
z1^uS<atQYLx5e_bW@h4NFEt@&ro90E9GyM551U9R6_PcgsBU0*;5J4bD}5X{LCR)r
z7}8-am=n_;wwC5%MYnz0Td&j3LtEX1BVTR&o5KI*%o_B&D!@1xu$gEPDQn<hJeH?I
z08mh&^V8<}WX7$nj|#<%+2_5!@q*V6(yNg#^DP*D*X0VH-hkav{ZQCs+eTDS<v?V$
z>+DX?^F}BL9g_1pxhZzo<W%FesAx#u`~m8MIDvP|_WC-^#bWb1?GM)x;oE#5$*k+l
zpceBr)2>k>CJ%M>zv~8I_N}Gw7@vW7<7wVzmMSZJrzqvKD2aLIDJHZOa7wt{?nnd3
z3}nRDyT?npw58vYPg?82sk7-S+fIu6_KNaKc4{2>r9d(RM?sQ66)oCssF6NnYjVcS
zW19JDL~U(D$zN=p2I_XbN2Uqf0dTGTXtfD0N})WYPzXU-qSc78^c}J5r`Mam8GZ#}
zHbNwsC>^Q2{1#gBd+9-}`iIteG5EISAvfZJeURrynVA~Dbe2Qw1L{<qgibQkl~#=f
zMLyTl)JUh`hk2Fi)@FU>6l>=5!nfNS<YB;OdOGyE?v>vp^cpKxIKlg!C60to{5Y_9
z&q_(aw#PprZaPS+sBYnfxJpdPCinSQ#L0M)aW~@Dq-tkJpURXmD!Q8{Vg0(B3UZ+m
z<yxixc#x;qE>8J(yK}eA3c8%N&L!zsdu=bXG>DandL5pkw`-2}d18vWQ>-*?R9i@*
zQx$0I|LJa4>{yV7z0+)y<GcxM6d_D^Xout`ljV>Wfj3?@FKfLThvb@984$lgbkfSC
zr01P(b)B&#i`h<P>3TKZ6(*pzXU!`#US775X1$J<0VYOXHn!Q?2df`G%zvY6vMfdh
zc~WTU<25dCyS<%$EieB)`}26Uub?_lVO3bIi4NW035Q-QRpReVsoMn#U{(0^b#W7P
zJQo1l)5GReyZh5F(K6H+fA?(pk7s@+EY!=siNygpIg%6D$XT8-@0g8an1EIm@z`;Z
zoP;!4(ft~DofC`u*jwbP0^y3*Q}9ev8o7M3f$o?BZa)~YC#I#&J0@?6r_VoEA%k4?
zl)Nh}7B9pjW;=xBHr70%fz92kuLdGIK8J|oJl#(kE!KDj=}&YxG_P%B?Z#EZ;=bkC
z{5(2Uo=5=nY&_L{;j`4)5Dx45U1$*X@E=M;kYvKsJmt(--c^+GI&!C5x=HGWjrF}r
zT#NE{3Wz^jDj6j{NSM05$<;u7^fF)`U!PN%`*BWgF~&_bRI=-t;UMp~!<6#jW7-em
zBmsLeM_uAI??TZu1#zG(0-ZqhF?TTgTWbz%z41@n8YTQIPmmU45yw{q#R3at(xTT+
zX(I_nWz85>%CWwNrB-!hiTH-~+gR0fW(YQ05QUmvBkmrX+AAl-mUUARbo_a;O~QcB
zjEbf5DXcxcQaT;@R5A`_PBeYg+D2B*Dtl!!qhb>wQ^cn34r+!*k(9X(Bk^vTQF5f^
zyM7AJDKf@;d!`bEXc()NKARV0cB~U$o7^(RH>g!}s0$at&KFpGf+2Pj9yj)>gOSHI
zd|8}T?>qYh1IFJ6?xvXR-TgB|k2PCg+C;<K;yhS|g$Fb2;Vfho;^|Bi*c5ce=?<7a
zsA*C=U_&U)nepeXi}C*D{Da(v<-+Ouep7S<NSl4iChLvQdKD}I%f_};37JqJBj8bu
zcCpPwux_2NX>r5A;3KPw`o#OVQW+*Cv7|4ApAIa9yT3v5bKejckJ}X?dopq;ha)B}
zZHMRXjcDpExPAQ+61`qk9+4j!t|{9pr5(*_7}5elzkZuNRPi_y=q-6unmQ>r%0lLA
z%4ho~RtU8p9UWLP@5k?8T?nHDI2_|}Ztr5Q*kv)x@oR)@Ob2SP$t8b+?Ky4B_S3Q)
zKch!C@EyFjcI7H<T^4%kXCHLa107t}f!U`%ctlT!7WJ>T20HklmShQ^Wad*55aq!w
z6DDjNtoe|2T;jF<UTVuwnnXB&ZN-equjJ-tlepFbHY*JtH&0PfhP%+%_H<G{pJx4S
zXH{*DTI&`>cm~-UGxNUh{~z3p)G#(&R6N$3V&jH4D@mkqAFPU+Hust&_xNh2Os-_W
zh*Z4Y#xs+~JZlFj@eXW<#`i5^c-0sSeOE)ybM^<NI$Fl->{-lCj05gOZieK?rlv+l
z&HpX<i`%#ItxvtMoE^z}%~|93um^hiMQ4*4Qq*yJ3UauLnUZ+L-28Rbd1u!R0}2dH
z65VnFU#06BGT+?2wVpc*7R$FT-Ha~ix=-b?53$M9T`ZjtE#nl(=EE{pvmAFGO#13M
zs1`Lq$w{>PZSnp57MEgG2(IP2k#Em0u6Ar8kGeJY{LF@h4YqmWSJELrsxBiNoT0;Z
z@5?+njoh2V?3EJOEMYAJmX)`BzDEH@$nD1sns4@-uHH`FiM&68otw>Zjc}F5^YQvm
zCSK)4yA`o4UjSdNJ?y(YZ&KZ4C(H~kSHcH@JMjNemQeZxtc=by*=OQgZt5vg*?O0f
zYfjmz<al?OoFc<vhs2W|-aqdxj6t4atVXobaIz(d)(fLkh**eAg|OC@oqV)_I8&#6
z;33f$Dw}TOlI^~itu?Fr^Dyf4)RAne1<OYNB!=w!ZS4_z8_baMS$LY3_fhJk^xw`q
zKl>J~pXK*YL20*u-|A{{$OCJ^HZ>+)|NL?#!)bRtFH^FBD)@yMB3348inF;0V-3bx
z5<l8hP4Tu!{e@82{U3^dF-Md5KyTyK$lT>K^Cl=?Vap_zXj3EMyGw_Ql=_<Qe<+&T
zI71vh*HTR&R=m-62BV#|Zy7y?ezXl-F;v{Qd)AA!8aJEt-jz>9miR)J{D4^XVk2aO
z{53|dK17X0pY{9?{%dfX{!dp<#%LO*#iuaC1&M9D{FQfdQ3n8t26=?HhlNSzVeOVf
zX>kj+_ar-7N0txnYEF@!%Y+8;QqZ>pQu{v5?LS2yO?wOH=Qbe7ZNJwV{w@_<{dMDF
z)P{RN!<S38-0r3{3rB8>VcrU>C1W4OV_eI*No|-6STPazkK#k`Z<2cB=g0agY6TuJ
zm}MMn17i%Vs$DNPKX||7sIL5h26`lWH-KqWzTrscWw#ch&p6&D2UQn!cf*yt1?3AG
z+v04ken0mlpyaY*S~9GXntG*Y*YELqoONNhqOm3*ccO4&|4Cin9;lv|b~L{udL&8a
zyRz{3A4)%G4o9~!#}cVWecr0V4U5ec<#zuO)`9{@vS)Xbk_}Kcua`kWyf=r%GqSOT
zpql_<FMCsYn$&a|oOkM<fl+UCe2tIM8l6`cDi>n$Cx^KO2EMYccT0|yUfU#~^T(!4
z7??LEw*h4dsA(b;wWO&&5cs1DSSF@k`RMAku3<EIvNdu3`ilK+H>g!tcQ#AI#BjSH
zaQ)^DB{(nA*QD&_drI<Q3U}j5n{CKEas)h=XL6?Q7d6+~-Cm(bzVEMHZ2NcwZS=#=
zv<|fUmP7@3ZqZ*A>`Qai5NwF{-?U-nTV8cUgYV3_8ioKUW)o;z-&Cnj8wzU<`Q%r?
z-w9?OgX*uE@Hu1p{NY|!twPHiY3wd0&SwTZERFwkjM>}XSKj$CYq^@C7n&ee6%n!N
z@7(p614s0~inB$&a-YJ8tkJ8`VSt8#(Zv*|&bXJqz;<<ZprZV^;=wF(!1|G6toR##
z&8no^VwB-?MoaxG>6<K}SIL>L4N?y@++e^>i(FI4IAELFEAIxSW@xFc@nGZ2i3G-1
z<4$nfr=Q$SO5&N1X%tmH>o|2WK0JD*xpOIL&1#WS8ys%EIT0kZ9H`Fb%-4})EqAH2
zIU8)8UtUS>qW@fb30A;mIg%cU3Xulq!5f<j8J%ZB3mb>i<Oc1stDIjCMR-37VE&xs
z29WTVgE-KPH~1Vp3<a*t2x+zwoAnDaZyA-dYr5DMR-!zIt~7kd2>T>dNw03{cxLK7
zRXdEoqDoS9lTghKFnun#P$T+qGE04ZYBt@bA=#l>?(Q-)HsQMGalhqjm6`pCktc)2
zt^GBlKWX(gfQbqF^!T9_Y=FJY)`qi?B6fs71;IDxwcu*#yszzb+;6PZbJ_Cq#rdPj
z{SS#P+1X;r$7APXIjliEIgvHH$x8b1i$}C;Q#L-J*L}$&UP$Rf(2$#R|I4<Q>^|t?
zpdpiU(5`ioQ)tFji&WKu0MusW^2vJU-y_8&?TV>BE)%kFJ%kWD9Demb6<s`eED+VO
zXz%^8EJ4huC^xlU{bu5>Kh3Oiqq&LW*3=E>pLU!dMy9$y!g_EnH1qUyL0Ph{8CQTO
z=mhbzkDK8DV`pzGoAI@R#I-Ih2k(*+NFm@fG;L>Kfbl-0K~k;rg6ebLUadCfs*B^(
zqE~yi+7)eC_CHwSjg56WTUd13IBi%FS%GEaANSTEWf6(KF6U1r$cP`_AA+AjtNk(@
z15?b#q~P}h2>?*aNZ?NhX9NfAIYRX$qWO&X1adFn))2XPqLedQnx*L`CBz<QI*~uq
zpe#<wX1Ps)m7aG)F`c$Bs;!?VzPrd|-zqHc3+;e*s0i@$|3pOVw!Y)_w^TBF(S7I>
zxV7_r;}2MFz1V!6uWVL(wefd7pL-b20kHUzn_Rm6%doyj(CzFnlL}}~xuNFj<WT*g
zrX3-}{zWfG*gCny2lpEC(7Z03H)6<(RB?jp3RRlKDzTIQkiBbPBV#^3gu)noNeYsD
zAN5GkiC~bdEBwCj!Zbb?pH=w=@yH|=F?)`3&1UsDg`dBtptpz{HscYS?!p2P5P|Xe
zU2PFXRblUR?Z#+e2aHE$u1&Wx1C2HXe`eL;6`q_FPEi&VzATZj&Apr)XqC6<;dm1z
z2bZt2>xH7zMxHkr8K%oz7{oc}2Cr&lM_+rsXI1<~yWdGi$aa)aebbn~eKo2v6@dY>
zZ=N;XQB}va{R(X2vpo)~hb%W{i*+j~bfPTWCV6v!8TlB-ZjYJk-%&|@e;Jj^OP3OC
z*0d!Xm0JR7|DhzO8L#1X(z*d!R}aoF>_|}+qEBbT5(<n%cNzDV_unw_5dtg-W6bS}
zX#bo%s^l#0-@pHBR%UI$#N=AK+!D&yV%!f05+SBq*<(iNZg3_LGm{~5bhY$6iA(1h
z4HN;Z)oQdcYD~FT-sZKP*d`qXms?@BS@!~vz|v0O`jgN0W2A=ZgKu<-rPM-`Osr$q
zW*dh>irTt6$1f@iD-KRF=v;m@fXG-e9R|@yrR*?STH;T~h?*JwA1xU<C(%EPrTmN%
z%K2+G1)2T9E|ecW<pL_sJ!`6Z@1e2AI<(HDvqWR$t%(f^)hstAfIe<o^A2sEw`E!%
zseu}KAX2W4MrD4XZEA16z_^WpY?(FndXwVC!b$ffH8g}F-ih~eYS-qS{?Qnw$&fs4
z?P`H`OOkaJkD&7*W}IS#%<D<hKpHa+rN=V_)iMC`13xRfSAIkdyD;9deT^NSkMP|N
z`x>nhId0Bxj)Z^Y6+B(Cpp4Nq<wp^OS8@<{IF1ZaU_!PJ@`3lxcX1qS>~0qea)yw1
zE$J+VN{k%Me7@MX8Ho+)_V)&9B@n*xTHIy~BgV3_Yo_gDD#&JXq!-I!wCnt+M2Wit
z>w|FXhP&4}h#M+k9{~9*8PN?k<z5){?QnG_aiv^la71|h{9&Y}liqS)iou<%9iEu<
z8DGI9RrfJKA0$-9sP!szKf2wrDYTX|9SZlO={?9)uvD#vwo%fnBR&kro5$Ts<&X*<
zw&Q<eZiB`*ujQF0G&h<rg-*^F9yaoPt<8G$Qk4ylW}4qyp<ZX%MxbJQCa8*%w3FBu
zv(LE3chxnRI!Fv%dwR1eZ)h=a&cL^6L+kq8^v{>ofGxV-qa^{i)h@{5rULIN{QrN(
z=|-ARlUa6{IgWKyy-MKcwMU8%jVz|zV!EM<4AfcPrdrJU_%KR`uS=;9GA38D3DV7L
z*|ToNBWMQ#sS9NS`)CG4X_-3p91|%W0S7|+uXN&TT`eY&;R^u-5zSuf;Qvs*TUbK;
zIj-pi)K3r;1~|u-)p7!*?-^{f(L-Aew}biKuuJ6rj}Fo%Q=-)iLK3I=&UJNvkR9GM
zc-r=yPQ{5X^0PwI`V{{Z%|S#9PZ~S1srJTW6BB67(w`a6v>X|Y{I0QXf*u&Uq6(dD
z?Ip?giUe04T%()J7_7KA6kw*4u8--iJYw&l;-~=>h1?hLEPVi5Mniw_E3WZ->&2L4
zfgXAC(^DlS>JsnU49M;P|H|KH4zcz1H8&b0x}sicx?GvNp;B`CSBu*)To(eBU>gB-
zxEMPgKRwvemUiawW9Yqi)~wVgO$+&B5*J0qAMVhl%0-4PnZb^~JVbT9>^BVtq<Rxh
z1OnFXSoQn?t6W`M%QR6m&&Ik_b>+N3v-?ROk+Mo4JK=Kre!F149}j7sz5su)j6FPD
zUwPomoPRV*n*<YG(6;Tkmp?PV1~vH|nnOwDK^m;kkz3Re3#q6<EU7G?V=W<|7K?3h
zo)EL#um`T74Sv%v<O4C^SOsS)+KM!`vT+P2;hX6*gtaaw%dyhOTEm@r^KhQdsGHAV
z-P2(rFN&9?Eg6tSr0x0>U+5=u)x3q%f6p##DUR<8TQ~-SlJB1#Z;SA2>8kVol4~Xz
zn0t*9yrxixW_7X0>utxI{5%?q?Wz+%^zdvK$&DclQm5pk!=YhoCCvgR7$;zR`(Xn&
z!}IVlAH2AvQrj#vN3|Ceed^tv<$3P9>mYi1P|?u707nWv|KYe&UiGIgFzf3tSQ+e_
zxS*Unk*S0RF^5IM2)g||w84o9!{IuKg$%<{<Ao4%9LR%6nC{_DrsovT546<PnFl<z
zhnTKzT_z1RE=iZl{rhhd9B77vcYTnd@r!!v#d?70@rw41%*CnwtjI(T3y{~E>vuT5
zZ$Kd6^2%b~40EO@tz+eLR(OWvYSy101C@+3EAPO5;YJ9%&9_dcP%&_YxeO1R7ETyE
zLcK33xSRv+x`hb0P)?_LNzyO<!x(G#T1?r5m!ISYDNv<erwt`Mj9Yhq7)CH=XfvX^
z?ElJO6!_x)JWndsOUSA^j$VzX-9i{k*D=~yJBbf`Hlrm>m2_*i?-YkpFhg*HUbkrL
z-i)niwq#ScM4Of~C(u^VtMk%QR1QWrJ}Ah!tX#M0zLSiw%Ii|%b_KPmmh({?nG$FI
z7{TDGBj`7E87a*mkb@fw=4haY`a+EFS1guyq*~^uj5@B=E=j3exMP%rKF65NY<H>a
zNx-w$O!AWv-<<REzE+7qbK_&8@d#B}LhY+?qOPdviUeLFlas%h|KH4H|9zV0|4vPQ
zxpsvFTRGGKl<f6b0*4`@Qw=rVD(}4BF$bmy&N~8zR2p68y$m}h-^!Uh`C+S0_z;hJ
zTxu?HF<)tUkflSc0R8$G$Ax&}%!+C<L*M#D3M6`J5hhr4?&T#fss;9=#KK4#E|tEe
z2mXkiMbkgK+N4xW`iR~{rvFed?-kaOn;7q3)mTG|C$}1TKl)OOMp=FRg_5d_P>}Na
z7uZv@-bVDu)3QBRuz8;Sw7utFCcE3+jl1xj#<q7KtqsZfQ#^ocXKXpzGKxa7mac>o
zX8YSXR}q`S=1ZV+r#oO>@L^XhxwoE(fvr7xaMg1;%+TUbYM*vt*A_<FmT9riT1Ey>
zefh?Gvp$c0)tZ2+#94tHzle;-SD!9uc|qceM-5h?+`DQPZ`(gN2tK~yx{@Y0b+2Tm
zFJ@^kOeU}Ravjaewe;RYHL@ApujcC9Oefp|UNH7!1GK~kDLbxAR2{xic#roq?rej`
z*+(W{_I$&=mKw(&p8oeWCKuCr*YUwrWe@C5RhIf~Ve8V(|4^eiTthm-k!NA$Q7Uz!
z*eeX)Y5}l89hwG`z1jz*U~CNN@=fbK_ff0cYY?PTn#H2F_)KGB$AYIPD8cFp!80Bm
zp<MYys>B%h<W)d?XE3Fv8!pMGZ~lp<``bt2h1s1QEPgRRS@oYKb$z1D`jt#nGj@&k
zp0vs_u^%ipp7|F<LU|-v7zsHX!Ilk>rPuMB0S8fljB1c`k*L<yS=WVkwfidbm-U=R
zZ7BEuRTv1D`+x2WZ2hmkz)#xB)}70*fm{k@V4Z)>tC^?UEfudCe!ma>Ho2)>UN#v(
z?^^uHv~JaHbp<43&mKL5gW_mpY}Phz!><zms5452hOmLAJ2BxH#vzT-<rVwHEY{@`
zinVZ33=O@i*;IRy9&{JRCeOc-(Kvw2+hF_M2)3GJS`3#l>%wRHy_*K$*E9aI%8qwN
zB8LPl0ob<7!I9$y&;4X|Ej6We3mii2jw>6!DCq|@6FVyO+3yUPUz@>zhG4&M@$tS`
z58a|`FPb`$!}AXJL_-ljuHsLp+3nz&`qXwaGuB;QiRw*pkD0k<-1IZGJlY#?CLTxH
zNNjrGu23#!F_ZGo$h3h4b&Ueei{Bg{fVrw}4H4;}60Bj1Z!h>gK~w*7oZO8B=C4?m
zzRvMjk{{W=*2cA<9psv78q&vAFy=-U+mDqZSk!^03+mGw&anU@i@J7q9hyapZ`#y1
z!)8qq@Ri&nvr3C|&8I*EIMgt#2P@C?<YAPbJAgv=h~7T-t01rP7ZXRb6bJ9h|Ch68
zk@kJj(gj}@*N!nvo?|0;ql-b@ApW4?%DLXG?kO5y(U>!dQUbUzG#PF#c%DP5C5Mei
zF<o5V_*)J1{PN2D82Q}^K%W}+N?zYjQFy2AAS>LVI2f>z`8)=eof0MaOt$aF($zW)
zpjgpO`uZUGYvVr@EysblDj&yf7n$!l=QH6>pn$y#c_Nlf+8$^!O3^N6<4BAg^B3Fh
zhk?b9JcOrlmj*Uc<qFQi9$vsZRhVhmnt+HhA%WlDg$v`=%-;>d=$}~S#owq_iLdk8
z97|2y`#LkyE*r<>X7~E62Uw92+(fy1UaF<PqAv>QJ7bE%DpMpykL+PZYu;r;T{$CF
zgLd+zJAEH5;SfUO;Y_wa6ZM=FF{tBrDm|5D9DKE#XD(sm-Hh!I3(2mS^~WE6ZPKIL
zaW-EszHzjF=*i^VR_DUyM@jP^3a}($-d&d|+E_c4_k`9+Z^J&9_lAPa1a0T%^}+yA
zVN<8#$}`%(nfb4!tMWCifZne46WjH3`?m2w4b2`gr(6Cn1e`*smaD76Op-R;)UuZJ
zNmXoM;cw-wd<{lHZ=;W?d@R>Le?2x)h8^Flm~}7R@J%Lc__XS>C!8sQ=S~Oi6fi!E
zb3S@|ddfj_AyetF12a}-C8mrCMdK9nEC+?0;D7lDb}B;zF5<<xLHO6s>HpqH;FABp
zHj)n1|I_4{_(%UA_e<aZkLqute_ocNt^e19`%rE@2&;<s#SLCrQsZ|+y;__JsNoOu
z&$8U#-%*a6N;>Olq8)|6ymVAKaKPPr9B7VS*qoU;-VABtU;yg>GfhR1Zv78yO$ksu
zE!^=%vE${~WPC0}rla(t_0iSRJ!8@-Gb4=uYwWw)r8`F-N^|sn<k8C!Vp=GbS5qcq
z+wf)&q}et9c^<(u@@t2bWzUu;@E4iyrbVPpOY4%rWGDYGe*LYA)S0fqvYX<X^0Rlb
z(?p_$(%oGhll`uSE)$#kyl!qT(Ey8yYgI36;_El?OXWE&a`sX=p-TaA4mu(<Rl0mE
z!cBCXn;+e9ZY3g@+wY)k<9cA0u^qF>X9tVX;=uc;LLZ63UooMh1zx@o3*VE;9)Urr
zuB(2{fP*{#CDr6cj*S~;-V(bIn@AP(jDjX{J;w`7+c9&80q$%9#Kpt<;%Kqn(K>HU
zDtXc*xwio3Ep<p)7IILO1ObuYPgg+^z~LRFy_uD`p;h-B#PK}qK}>RXpTRuO8lSKF
zp3WM(ull^bWijmITINF~Me<a1){`LLr*tRbq03>x-rD5RoZ2o!+|H;#mG(f<m%g-Y
z!k-1!#Y8tf2lt#F@=UadSdr?%jm(wW62fi$iHNUUS7!6D3`x)EY=17;5<C}O5mj&a
zaCu8g+PYNakq;k7vr7MrcYsw=Mbft^fSVxXw?f-RFUNDe5kj}c(26yM&;SBozRd1!
z;GxfBRdb7FY&%usq4lFxk1z$(8xx~XWR0sIzP;A4hhOe;#P4~>sQ<C9)Xtu_3=ODo
zVb@Uos<E{snO_Iuq#iY)F=J%xX*<jP?p4n@D8dYOslAlJrS;gC9+GzIfc`q^qO!nf
zaoOY&n%JhVx-LU!6`YB*2wN9&k)F)9ZpgjQU}JSEpgrB0YRokzTl7r;{<Ovzo#8v&
z-<^7a`Yb)WFNyu-7eP7#Y52A`yAFb4`1knnZt}~0?rk#y_PLh3n}F3$o3Y_tHa@`E
zX*`Rrh_cJleB6ymt(+5d^&chEW)xM=<GS(V48H;*7!!r`TA^QBP(hoYd{#}0VEN-7
z{Z1(kCZx?RP{3#(crq3Y1159C7$dtSCQ;S$$yFXDZBmS;XGVTBmXoTm8crv<0|$hC
zpPVza&Gv9Q)Uv?*`8F1;al!a*djq2I;T@%ef@?n!z1^kXgX#e-1plFEbHOxK>}6<T
z{jS7iOBym0aYgsX!1<~(yHtdrtjhS}hU9d_h+sf23<vT(AEzZ2@A*k=A>_dKtzF)%
z&P=qY<;0&@_NM@3+CZlL?>}j2suaKVzw5hpV>-YQN;U+!ON%tAF*L<iS@1H^eYT!Q
z9oD~Jt%$uf!Dg825@U|sX`s$C)2uxe*y|s4biZi2G#f|CMJg{&FOhA7tUeYa4|A9a
zF+#s1ik7{GJRQn+QaxoKL|{Do|Kwd(uQ$T9fm4glXNKZ#iMSeV<w)ZAacGmCHB6tS
zLczIvHHVmuFYYO;@F^Z1Ve(VBd2hn97AE1<z4xQ6fojvVX=TnG^Sp)c`0zgzBd=Fs
z|EOFvh=G4n4nwmugQz1DBr<I9G=qmij=s=7+b#c;#2hkPZ=4;=>@5-3`%pSSD?qZD
zWLDq427W_C_cwOVf@=yesDQHupMu2?gb3h?G((&PMNVLuIR?3w<;z3P?0rXsG~%y2
zxO8m16(%Os<Fq2>nVeNgY!D!c-k_3l0i7u^Gl_b^r^&;(Ls+*(nm}@j(s-Ed)PPg>
zXNe)9syo9yErHF|O)mYQpKY66W2PldVD>-SFs(3<Ruh9%L$GSwZSsF8WoTGk2RN+%
z1URbncpBcAD{w<VrfFevaHFhol&qg67&Bk#v8#Ie&m3}Qf7&v@%2k>{LXM2s8G1Hb
zj(BfM#<LqGFeZ#E2eIgDt6Y6Gh=8j&9HuSyZJx~l-zN6n`AB2rb47M&Kd_(cRX6oX
z7OJc*R_q60#+tr41UE{mw@L9G4kthK@oy7=3x%pkc=Ux(bVh#eB53SKGwb%Mi3n1F
zk7bNLu~s{`^-X#=<4yaC^F)M^*?`kBV`4Kr%elT4o*NX+B3q`f6IF$Hh@&DALA)Vp
zFky4~rK=MQZvv=ND6UN3EMLzLz=Iw9H``r@hP}G+l1!=@={;$>bWR2qE;v}rRj+-%
zV?AZ@Q0!}BFTWKXu_t`MO?pJ#-AebNN75I}$BX)|R-t6a=u}MZ@Fqzhj$$Z)4Y{p7
zAscyF*U1ZeplZEZzYE~@4}Zb>zCPsg)~;{OI-7`4gH_Fswb$Cer&Q?EDwg|JrV60(
z$vHYWa`<l3qgMSJzJ+c5^$n<c?%>to*Ho`UCvjdM#g|P4^cIPzPiim#J@d+_FgPgQ
zTjU(?p!6(~eGx2jy|7?u@pWk1$%^qbVjyymymrx6`snT2J9pX*u5znG)R4Y+TwneP
z1Gp>_P|7Yc7YoVp*Y0H!K2_U3Q6ES_Q&NKW^6Xpr!}L!G2Z?-4x!%{^{rpXB@s2*V
zN`X&YVGa1>P0!~>##@e4!}0W2tePDc)cyL-oz#+C-7ewOBu`2}?iGx}L?Om~r4PFe
zer~JRt1d2^U$Qx-6KeIUOpu<dCTmNV#EFstQ&*YoKJ-&^ew71fSj%}|Iz8ssJY@I<
z^!KOI%&{?|_|cb@ka`!<e)py^3u3{&AY>XD>F|pG_evS4TQ`>(>Bhei&H7fP@<qVN
zLs|*fDu-QxE+Mvn9ZvY|@INKcb|xCCw;R<VvCl8@$d6>K$h-!f&1YBOYZuL5ic5N%
zCi#X=u&tuse_O|=iCqT9p!Fzp(R^uy>Fz<Z#-PpPX8{{Gu6z<14alx(g-(Y4@s;@o
zl)gb%wFUWWc*An}gt^`0?=&)M@m;imN9|`6l<#a63&akF04d75CmmO5B4I{Ni^m1$
zoZgSm;;I*|#6YCNhM$15CecW$UDz6UqdH_TLw~~26H@tC(*AxFFo|PMoh=ep>>`-E
zvd5Qw=ocz&Zt0h^<@fd}Z#-Zf4hc4m8C=hZ$vu5S+s&S~E(5<MhUZk5unOC6Rnk3X
zOFM(UaNR}x`at;fgdfN>SXnP@`ixiX+ur1tU`>)~h?{cB$+2uvTSv5fDoj=r6*E@t
zz^UY<=b}pwGcrTtvL5uer#@a(VC8>%El$Z|F0n$Q#?ErU&f6}o2i{RglQ>8fbaBr|
z``aLWd+5Y*FdR3Tmx9e|7o$@uj9E_HLO1%_zV_{P+k{newk!9@K(cSz!@yeh5M&@e
zGDDW|$iHi|^_VI~o^?{hJSbQ8S@pP&+GKB&50!KNAEv;vmh6SCiQ`t2rsaN`s;Z#;
z{auk59gm6#cdeL;u~*#7RCAKaD$LYg!Y*7Qu4J9Kg1rAY?=|k{0cGWb7V1_X&A|L+
zDKBA{d0a@;Gya^W^6JKLRDpwL7s(ba-V&?`FEsX^s%;g;jdcRP6rT1=7<NH5boVQn
z$*csyIHu=;Vzr*kni)0@Kmgx2%EZy5L8itpV)C?BK!q!cCsYNoG}o`)nb6VA2$K7`
zq^A_yH{oc9LLSHdeq^Y9yt@t7V^n!&>{1wKn;Efm?vr@m_yZGor|-2Ey6bjtApfMu
zWi-g2sh%0>=V&!uq**f70!@6iG|e)C8--t_%G`{fscZECX-%T8JnMPkx@up&Cf&5*
zVv)iHbuo(ccac|pe&bdS<d6^K<j0vq(>wpDR#4{oGt1=8g`~pJk%)%>`h59A^NFRO
zam6+$X<e!qQI$Rxo~55wOu>I34n)H7%ltrw>XSVjQWFwu$`xp}8hbBHQ!XVFL+-ng
zS`}0HqEO*C4di_C8i(G62tgxFAljQnl}og?_+}tR%hwyRc)<{GHU@mCqbujsb`onU
zXvEo5obP)U*v_=upZik{rEB+cUKv*ahr%5vb+t-JJvyc7--Brr_NwKJm{Nr?&=gGs
zKg;+(tr#V9F*?fc(Xy(KhdC~<+Po&xm&5_x^75g9y7Gx}WiMy&I@Di~_8-!Rw!oA}
zR_ZUp+DPi}W^etd#S+ZB(uy0o`-I3@l2-~^u_Z0-mR@gs-v(F=TS|njH8-kS(n_~%
z8!%pZ6fliAd??@V<bu}7aiHC*gTGrJ@{az>GPDrl_o`@Rg9OD;S9<DCT-<G#fnk{@
zV?rQSSKoAmHtw}kvaN;pM4<v4UU&SSQ*}BGZ*ebXLY=c*q(xG7Mk5OmX`G<)yHUR_
z#{i`N9}44LmybU-(R0YX?-FJ`fdzfrvYRi9P=_1%yM~d|LZ^KbN3(SJBHP~@zmJ*w
zkv-9lj7jCuYAUFybHAi|*15KgP8+BWFEBVZimHY+x)!u@8Jv?SETTo)UG9U-aGjIB
zli>s8$y?+tJ$^0W2;7gJO;fRqx>mPQfH@)ug#NmW+ZmOe3Qe5m<HkQpp9M8}4kE3D
z{T=yp;%;cg&Y`QUx@fxiuZ};6@iklV=R})|1QErxw^$UXaRf{IRmsUkNjPw{leZhW
z!`CpFWuD)abeZM2#w1WQ+vJ)MMLjxDd)iSi$doQdL4)Qjlk+Ih4ovoN!irPU5=<7T
z?1QGNTZQwLW#Zy5C1|s{yYo!{I3%+H-U5@Hg(uXLa@2UEKwjYk`TJ5cjbOOx=UM|w
z=s8Wi`mzDQs3GFfWmrMtG}h^EO)W?0cbD61rUkO|Sav7Hv~u2(f~g<J(ze+G?+UD~
z>2k{Ag=gx5&AQD>5$R=}jrJ4b`QphAo3inYpV$fZnH_PrNdlk-c_lw{INjP%Ns#2t
z`=&Ob8t+X)iex~s`Buj7RU0#Em@7?vyF12wMeTToRKrGVw<tynN+O1e;tFl)zrV$i
zpAgkdb&AW-xy`8gWJPzcp5Luy;hTDiXri*m4Fj3`Zc^J}B9u5_>@6Hf9Ae}#g>fAv
z>a*z>(G!-*Gfs{2sl?MH$q=t$w+{IC)oYzm>JUcFoPQ1F>*f0bRQJRtl?>z8hp&Fa
z*eVJl(}qcKbe;Bjf2@`lMDwdrVh)BYx9FzBvE^RKHkcCOOHKIZoE;k&(siFvE-tOC
zI7lzRGd%_K)qLJn7=DD5gIk0`pLL(L_s|fW?yS)ecv&1}K>1%?_fV(HCi||3iBZ!!
z{Ve&Dvy1p90C%I+>%i{?ai(a1@j3%3uRi72>>eDo#8=O=yTjK~oIh=tfmFl!7BTUy
z3sTw%$^P98Wl=P<{U7|lr56g=G@c{OL3R@Fyy~0C^Xdf7#~*8;0(KwhL|xw;Ic9|d
zg^J<6ec!(YSy_W<3edY(HHsSKmIHTs`YkTYH18R#&&erQQJtPDC(r_s+I_TNHMi@z
zS2NrP{Y2$t*r;5S7Y*`}E<Z^}jV`T7ipZz<h7lyztrSxxHvx9iBlE`7uy=voCZ*uR
zi(i#IoG&=QHXS<z0io-cUBO9wFBg8kOOg#B)|<+t#4r$u-Aufq!UFrLkh1e!XzN~a
z74HvSilh~jHK0{21270~?&C|#8*yPjYLcSMnPB4|Y5fzE2-5gjJ5oF7^bPErL&&@S
z?j(_#4hHtY9)wsFxpmjDBPx37EkI4{baprU!h}@y=5g5Xm9#KXD^3XmXXeDx2W7mS
z5oRvzx+a{Mpm>~+_vzxBV*)$zR)t?>-$~@xQs$nX8D(9RVjHouwTC)P?ZgX6{fDxb
zeP4PkDmO2jEbxiR8EygV?zxGVR#_P0FDz_sG~7o(RAlPe$yCYKjK%>v3QIO!gj)7C
z+Jl(sBPWa2?t@DPq&b{q-SKLDQU@*7WI0a1zQwHF`zxfDm?s6{Z`^1U>)`E16*lQR
z5>60GuVwKyq$Mm(P%shR$Y|*dTax4g_uSX~e6cDtQq6=4gCuJ237Y&OD1yVY%jzgW
z3cCRN1!XZ)DfGOwj$O>$us=PknQK4BqfCG=ol<%vw%FgQ$@{c);9Za25fE=vtyh;b
zaj$uN?mphG+8m_ZFlCFR_%?Z(Uat)Hiz#$yKvy^3%~@N-=>heEao-|N^7(hNX+~SS
zq}9#}U5q-7zKcb(t2?7cUp&=GQ3!rBqI3DFaMQqRxMC(eF*^&3=HP);m%3r4g4v2r
zX^d=Jw+I*Knl0cVc{ixRhL@*jTq%x(M_|8yeSWT-B=SgyiEgYYzsnIP2QO%riQPQS
z6JL-=VH%<+mk8#N!jitn-))z-dh%K@5E6(_Q+6TnX0j}2OEv7*Z9Za;f=O6VuuyGb
zqJ{uxxrBx^NrB(t-ee|TWfuZ~?&}%q@{IXm-K^6Q?hwDCSYwp&S<U_nUZnVkBk!Bx
z4B&Er?T33MfW?z`zhqGG-;ah<s1bMAOmB+Ic30H^B$HiUFO1Uwou_69iw*qUycy}D
zRBnQ#RX>P)79JqgtoHjEEmUdYAOFsx?(K>t{`>dH!{HKC?~%vb+Sj3WG|7sIc!Ql6
zUxa>mE=IgkLs>T?5u?gKrsn^g^_NRjTlMTkr&W>W2Oyjlg0|Kco`*WZ?=P9}S~!+z
zSG9&yJpDgP1MTI5z#5md-J_jBWG!OF9Z!?Aw`X|QFWTd)lSAsED7Q&;mtoy^@G?nZ
zr<tr2FBf}|m=L|CZ8NdO;cp_WyVWRX{o>kPVHX{W2pwi(g9YD<rG}`9H?>OqrMfcb
z&Fl0A$<K`!Y#b?NPgfRrt2PS%2Wfxx)z;&M@1j5p6bdcwP~6?UxVr>`OVHqu;Iz2A
zdvObrK!Vfa?i#Gcix*mG3vEA}^Bd>ljB~a3ci*f(U|p=S<~yJHye8`OCuSFoOdK09
zu(NwLrX$Lf%+7TrMRsxjZ&=NmzX$<V;z~>gum6vNYd#g2$14syGd4@+mxM*^O*)rT
zi8-b)e0Oh=$ex5bOA$;@0rGW5O=4g#=v&z;uZ{fz>2p!jj{xt|*bfftC$F0z|7L3G
zn>Npzn0ZEfuB}VQ`u!4XJ#Fl~kQFH9L^v0##yaoVV7cL&JSo)h-ce4QN0=y-j24eM
z@UE@Np1i)uwc;eTFq?%t+Q+utlbfIUUQ~G~?=;kaF7{6zRC1s0ciXIY4-WR>T{wq^
zloVEBdV0G2hg11i-JW^{ld)2V6*+x70{J?5<92R3I<h4WEIHXV-O3z|DLT$NCIgmx
zDrkCIa+ei~-yH1xZc6>}<2hBdI=R%McQVG*b)*$Gq)mTvS~tb==Po{E#Euf)W%5qg
z81g6i>AL_SjfKLrf9=?VDuTwEGvLTk-lol0EE#$5ly4_FG8}du7GBLQKf(Q7moyAT
zHJXe4{O;?rn;S*=nT&=pITRezJUF#UWN!(q+Qxw2uB;A*Pv;vqlUu#%uXyr~K02D{
zg%*)(TQW8-??|*KFk5W(isf{A@#;01;w8GymKF=Co0Et6QebrAu{kWn(eDqach~ca
zvxT(OF!89eu`jPuMzy;M87MLr@%_ba=sGxLbkQs(G2><?U(}>i*75Qg)3hJV1F6U6
zVf}qe**6()wXNlxc5xvTZha%<f0bXvyEBF(>p6`Au!AWrse0D~d0yPn!g6of;xl~G
zJrDiP(<60CfU?%J#QKIczLNQX##d*eYxQQCMz`9!HXnTDj1~qzYJiO_snTQl@40@}
z(PvKTePycysM@Vg#e<X8?h*CI9`)9HG=bcTAcdjX(f@r0pkaJXEfMbfETSR5G1d7q
zdt2{vb|1mI6i7x!{4ucoA^jOE>_phNz_@7Arf7;${b^d@S8FsD`|X-ddbbp2x1or4
zSP3S^GiAG_1z?(tr2J%9+kt9@$Ke01t=YImi`N86K&w?++tkj)jXKn`h8bruOy!4v
zbWiIFJ(!PAb+j65Hiyeg^`+7uthl``n@tx3O`T>-Q5|bt%f2`IiY-LSU$9kA2XnI!
zwhHW^_)XvAk^NC;v|U)2PyI7xqxB7fkRbDBp`(Nvv_|vXn-!^#Zg}+ETRW2@)`M&m
zb#C-5J1&Ic$|$<8H{=sHLrjf3fQ54kR83g2G=Sk>StQyCLkxaZDcjAP(Gg(U9<)B%
z*o<2|$xz%C+%pVHhep;w{+ijX!*vZETlL$~<fw~)xX_0k`w1QJ*qp;LvFd*q8iWk+
zv%kym019cuTDh62M-q+O-0B;f4e@CQ^_R%YwNg+Jm;mkG6Zw^pmwQpD(L@j>$;w&4
zBs2kcWU^ZS6Q{K2u!bCUFB)#_{v<M$o#?nPpglb_<NTCduC2_N*ciDQky<qMxueop
zoDY@o3fgUg63<QHU*q!XCv(3PZ{Q`8m2+dmuF`B|NwS^hd)gtbZKppiLw>r}VggO=
zHva7o^_y-MRmj;?`GzEDcqBm`Mxe3cHO$<jkT#<=0tu+%T&k#1G~+uGmF&=Sbx0`N
zItn1YYE+Hj(6{x_4TeMfev!^UKU7-aLg^Yce9ygAk?sHDU}gS#_uVUj#2c4rJg$mA
zo{0Pdr!8%GTa`5^ybZ;6!_ro1cSID^y>o@Sl*ZZ1#222UWT-V5Sn3gorwF>AQJ5Be
z7p3#JIlB2L&g0VKGxLitV!J&ackT>Lb9YA%*ASAx23lOZPitMY>Z|+)JhP3l-|q3D
zmq2J=RRk@3iUv>PHtSPhFB`RUw|~(iFq)43X64A|qR9mqZ6zu+0;J&qU<-?<E`=dQ
zEEqk{^Skkf2h?<**H$ma;ZsvD3Pk)V@|eI9Rp|K8f8E%e6S_=<!mf-aw-fX2a~;Zd
ztoaP423C*ZSBaVQm#hA+0(!WFW30$r<=X*0+|u01UmOn9yeyB4);5{aZr*Xq_ObRv
z`7LpGZ2oj2+(jbw$U)4ZEw#1=_An$(1`$u{G_yJzHm9pO!(t+@IpS^K_qc|Jua;5O
zwD>MP@unNi63;t+@S1tNVefmtyV~2+Gwp~T>E5FM*jiewjcv#WM6?W5(D%ZNs7tDk
z^2~pzLr>B-zdI~ob{~WVuSCkj)5fY)<L$TaztG%Bo(^Kvy!U8MDkYr#@rqhOJ0h>7
zo(<B+o@%7gON-}Rv^oFE@a!4Q4^xq-Nw5{S9JH3!NVa0TDh^t+Fr%a>)CFqmJCZRJ
zpKkV<Q>oNif{ppl7(`a+@vCBK+IaQHk&E$dTRQxiG8wb%MIkP^V0@4CS@H9Z&CGr?
zPOdyCFhMO%w+v3S!Zi1gdb?S+Zh_p;*wPnY@Wg(0Ww9W|8$F;=(elK=*qZnKz)g3H
zu8Acfvx8p#IQ?lg<r-TTIo4O)+_D94`)RwD%O<f3C%2|%gIp7;!^L@Jj3K(Afj~Z~
zvXK=Tt@n98*#3d*fm%sf7FsGVah)7ng!Kq6oQaH+5~vb|d8ab$lFMHRWpk>P>A{n^
zAKlM**iMw{R~z-z<lbY6{#d3O$==h?lYY3=LP(u4<5&Q@K?Y*OmB2Odw=;($65&UD
zy5ll}Up6VTHQ7A_>V{u`T}EjBh$z=ddR5_8HCAF_gnwxQ3ZGFg<g3Yyu$v+u4SQG0
z<p|MQQ;-y!R2`<$n9D8L|8vD5uEo&~x10MG7OWKh*l2CWFFwJm&a12_3c0Vm6qCsn
zw!@cXyD<I2eI6c8D`6;0jOga6t|H7><1NI*mnzURztNnLnY0#e0N;Cg@)|mtfsJ+k
zT0ZFB5th1jqNuoPPx$0U?Rcz`FJQMb&#xGDxudnIHkf3%FeHc{9;Ypek;p%HxjLgp
z7cbe^zsBSVPH7dEoj*otH|EZLi2j&b<Xl^s=*YXDlBi17O^_hsM2pG(p}FksC1G-#
zHu_%ktLfS=)Xk-P<B&FX+$R)%M8%fz#UrUWh4Sg@elkLKHW9p3N7I4d2FLIY`<8~*
zmhRqHuiZKN-0WM6UWgsG@cK6FxV(Bh_~R?Tr`Fwb(xT`{+2F%Nx)?McUD3&y6uWVm
z?nxy006V)9bR0LulcXO0$U{}j_p)DNw&o23mOwk-&lZWbhAkZqGsSkjqxX|-;esP;
zmyka<*58c{@=vEGQdRr}^=^XQJQ6GCCCH(R0jLqIcD6Wb8A}&evw&5cad@+W1&{^S
zELAvUeAaR~2Z|v|l-Jk5Q{f=O`K2_ua<xlT+tJi=!*q^Rc$gkaTkIj(gEcqW%0DT!
z1vx3FV2kxa70(aH7JDyxxxyB|IQTGMa2iUHDYH&_aHMwl4`LkRrnpQ;cyhahz5!my
zg(mj%PTi>^mv0=mt>+i0fy4~Oq@nRGH&-^X7jt!2@`&-ihvB}E>z2od;Cvxp_KA&V
z3w>}Ai*!Fm9@NB{e2w#&Es5ZS5@?%n?CguLv`?BUeKxP&I~g)IEaBR<Ps9C%E34B4
z9@C(MHZrC2^fu0sfqJ>rBN}7~`PkR$RzDbMUMwRnu=8$hXk7un@)TNM?KRxh!qZUL
zPVDy*vu5Ns3y#?0JOh`L<f20!9xPX0?R4zGO8a3$iRmk6e8(nhuW5_)<A<}FV-H1(
z$gw-ymg9$(u%_vlm-O!_67`CB?TJon^5|HbU?Cp^F08TBV92`FRZHf$B7da%I*Jgn
zkvVi33aJA!&<u-Pw0sD8rj6gB<DN^vmxhPW{zAu(*L=e4?d;D3$JwQIrz67D@Nmy*
zU6cCB*`dI2QLHTkG=Vq<TPao{8F6Y@VyFeRNF)5kNuRI`@eQRcE{A;bcn!W0PO20`
z^GawiS3vJ{9f$5|?nqTk;vJqx?6k(94wy%d4d7zj`Ie?s6Mo|UAuKX=ITpU@LhqKT
z_hDgHvwZ<(`G$V86-to`Fovx<4Ch|AqIM`<4)<v?uVmzKrx8AR^ZMNe9(Dx#)OC7e
zA+vYb?t{1S!~`~4R$n^Bcy9@|F$EK!@lf@IK66-xcn0=bUyi#j{8;7IOFi`mbRVyc
zESMx>rLca0%LC2DL=7r_IUL0a&&T_nFuc(VH`>HCGI!<o6xa4t)zW5*<nv`pkG@q8
z4aNyw<oVvksd$q8B%YA7cE8=}U~)fF6~Bg|ix=5lKL7FC2rY^_a4>5;Ga`99xABxS
z4B`>bCVx)CRrz_rqBu=n2`8Ws&gNIiWKEViB06?L0Lr7Ic2)`IqZ2!mgqLy)Hsvm#
zWLg+A<fO^9;vKIT)Agmh^MQ48b}$TqB(UaM$h0IdxB3|EH#*nCdyG;+skEJXXduk_
z<Rc7pT=0)vC4x<#rO_qjXIZ%4Jxe^xiz9qcw#eET3F8Wc>yJuaq-g~z@<}6ja9T`c
ztSlsuxk|-OO4l!zyNzBl<4}0lxMXbRmO}Sju0El;&+xz)o$)?ZpIuQV<FY9_=X=vS
zJpiJuN$zp<-fIgwGAC^Z(RvKc$m8jRzsCl$pq;xB!iQR$MzP|sqM>U&y>B8`M;R9v
zTbH}@XR-uY?In|A_IhBp5HM#X!zSWeH%)`i`cb8h{<-GOva2cn4qJPTd-7&!SGJWC
z-y4@}`j05A*nTP$Q&#HimJ>KxEOsc`v^4q%Kux}Pi(9GiL0VpMJb4#Mr<ZrzKF_uK
zn=Gd6hL>8pN@WRl6Gd%XQ{|*Eb6dJntDsuTe6-L_uVJC}>$}jAh&${no>o9fSQNZy
zt$91%q-k$ug;_S9E6XwKW+6|21^L(8d<!+`h8jUmfpE3ZULpFPtf-?69yZT1gVpAM
zv+qF^&b-!tw6!%TjVYZz`$@rJG|VsJJ1uvMZpW28+u51t_3D^_w1J*b&sR4vL7V5v
z2Tqy3cj2w;H(q4Q(`oeWt;cAck-&w029<90Gzhk`ibwDr|NVM?lbHe@irjp`_-xU(
zr8pJZY;>QyW0#<~QB15FapFjK?3eL)#KD8@6d`+HkoDFxC42e-ErzqS6(NZhtsSLF
zRSYf-sW0octJuAg5G0VV5sr&&_g)k&HM)E;(y2lR;@6oiENI~@_qr$9OO^r$1svUR
zbN`1Syu<m_NKi6O%MQAG?IJ}!Ge9q{UdBfaOe&OPOb^-2ofU`zIvYhduq&}P$(zP9
zebs0#&SOP5cueaQT-16XpV&;JvY&_dS#b?+J))>`prS@uJ9(!}4f|hpuPEAVrkvFx
zA=uX0DeuDiE(1Ua)9JT5<kT@TQm%c(G^LgT(t2OR<Er+c<=dipg;;ui^&!}x%UGLg
zC@<~{?;iePEM^L&pvfn89xML$NCG8p5=_a2_H%y623hNYp6XqSe9K1DYl^BLb=`>a
z!|@Eu^E!7(#JpJuqj2I@u6coJELE88k&Ss(9hJuDNJg9EbLt6io9LfE{?h+_bN_!H
zKmYxQ@gGL|&;Ky~ef<0%#_7~|j^!$DQCj94iR$C#Fy~9PpnmZtcPL4+6Y_F}HPS6@
zf{lM4rxd%OW3K8F60=ASOj2j0$-jOkdM!I+gAJljvgVd>%O$h<{5YZaX`^Gu()wyW
z)OS-<PE0GiD#U8FB^U`8C1+Ns!sF!C&jS$Zl5s{*b=#-3?`?OF$1j%~rcyef^ZH#2
z?{}0ckwIdq<s_@D7I(sbj1ygb$jvWIfs^c?2B52vD`K2#|5ko!i0j~4wb&r6Bp&~_
zLAubceeS6-t#SH@z{;a%HX6@S-l`@a6rOZVCFTk<%^}0ie9s-wZ?*5V$vNw`cd|~Q
zSEGxlNQI7MS`U*=OlUG<G)Wuyf>;F;V7KFn5;kB3Z;?a%y{02dF46PNKL=yee#thi
zZ-_Sl*zC?&)+b4DklAx#L>+3rqPddw`t-Vqt)^V!Xoqv<rL>qOL;XOP+Y*r5+hdYg
z)pg=Dn`F>j-|ekjYC>Z1-uo%fy*aW)bs_Y4x-WqZv;E%H1b@9n!Dk~OH*DD(vY*Ac
zyPuLJBMfvuHXR6+(|iWKh*{0RNF8R16^c5j<5$S(pbK*5&_2_mnA1myUrnNo7RSp$
z{A-n*tw!d3zSz#(=Fmt&3&*+yFyiB{Ea~^~GPP2EH76nEiAXE^*GyZ@>C0*&TW^>i
zzqi;dHaq{Rlf4MC%XrT2ik3W(;QsJx`#94gM>OlmG4&z7p0tm&<AgNTMZ!Az2XbnL
zU$>rg`D87~Z6dDWin>O|EJ*QmK(i!Uap(U25FaoCo^IJ`l6qubM;)}evLjIFj879<
z1N{889}?e-{f7|{N=sPDJ)~K8Wk$i444>%Zdzibf-TXRsLEdm*@?!l}UsRM^^-ruV
zl?_A;@XK#{l_Gg@?HF?hD{CEykW;L)oTF%0X~8#baj{izrG8o!uT-VGp#s89{jeBT
zwMIX|Jpj)(g|@%w5@}>4U%vQDvkkT11#tC(U(^KO@ZEeM)WQ}t?>$Qp)yP+~EsMl&
zY)mql_c`;MuvgRt`G7A#a0yzR?)7D+Jk1Z|k`#kG@vkcL`Kw*dlUq|?5^(E_C*cOa
zsqKh4mz<e{`xXzehZ-)ORpjZ&gdh3JuQbdV-}$$2d+Et+HM4~#Y8&7=Rh-6bb@!d<
zs8wj0noHPKEj9%|Z{-|#5}hx>0s(W#RlrJYp9RsKou<XcS2Gw8XGX$yEfQ|l`a+?*
zzWuq&^s?2Xm|&7ZIIRfd+;gIR8&cL#Q~3=uZ_|2Dmb%`xULdirhqX%tz6rJXIbs#=
z*?Ivw>(w?%TTk(JqruwoLrIM?F}8~fPP~!L?h+fV0t9(_H?|330<a|ZAKmw#<tDnd
z#r-|HZ9+m>{7S@}j~G9E#KJWgq%<G1Qd7cnQchvlt%bz(52Uw?Q|zPRCS)5|<c+G-
zs(NX6vkk)BtE^2jwqe#amo{18z}MSb=DLEvOwI5MFfd+W73ngmIXMY^vwS1MN55+P
zR)CTSU*DmtYlq_IL<IXzw6%4D5+qo}y9O)Hq)S@*T{(?a|5>*GwcEdd^Wu`&=!fW2
zL!kp11tTc=TQ#GaUigVy>bTvz23US-@rx5=y@y<(hFe+d2OH|JHGK9@zS?+6Az0B+
z-6^Bji2*oyeORA01pJ5vS}Sm~tfVbkAp&rBTp8${Ywa_jncWkc%<z9AjT$+J{}XBO
zy8r)08sY%M|8Jy03a^9=&)S<HDkF@lUiu@&XAgm-bHHb6wZGeJH&<TEJ4X#znWuEu
ze?!DcI?<5&6bWey6Zo)exqDN=UiH~+NHfi5I@F<h$7Z^?BXZ)iTXD20PD7DrhJ~DH
zfDL5DH>dt3nfug>1lHd%?!fsKM_OJ^A8VL4w|}c1-C@&^Z-Bn7<{(F}k>1P3*+q>b
z#&St%OR*`vsrPeD<z+SW6VS2OrC+;2GHt*ds`I%frQo@gK;@}@;31&G#kK<-fe_Xi
z$WIEpsMvA~Y*ft*gGxy=z<C4CQ{BkBQvg*mzr&48-3ZebmSL+OCX?wzXsKtJ|HRw1
z@?~N2?I{qKMyXKh2ESXI6)OKSq7GEcc35+t)1c(69qyW=!&A%_unHp1fosQ6>;1o4
zP;8aG1<xic;GCr1oESZS7?Yt%rJ#@Z-+B)oIjDP%m4}HyaR*39EJ!+G@;zAieaKz=
zRwSm$eBr@X<n5jMzM<d-iR<a$o7XwwccI6<`eNK&OgqpU*aLIUPS(5VG%5X)+MayS
zoFyZ(+~>kuvtL>Vl36unUv5lT1UBp(Ne}1j#*tpOckuMMM>}q;ec<EGTmzKM>~Y<h
zK~IF0UZ|9FR6nmIO?Vc@1Ud`!eqn53x*n8qxA`I5X;0n5n{%~kp+!QKEi~7WJs1`v
z(*LmqMbU#{N~w)hWr5O<`daJE79?kw6Y_IRQVF%B1>I<KjU|({>Hcq%UfIR}i&=^L
z^fYc(d~!qdp;JX*t}#nay09-KF<98YXHEk<&%}ZkM#rhS(D%KVODFDa;WBAM((__D
zHIpNpp#y_$J5Gi_G+Ce%tk|Nwq?*dQi5<ypaN;}57b<etMEAui`R>SZ+W>l#zS#sG
z1IgW{yY0`W^SQx3k&dnVi(Jd9Da`buh~b!$tG*9QL1x=%-S%z`?C@qok@v8kN02FO
zkTyhKEN4=<*8Gh7^0v7{Fnf~)f+b}vR73)&`Yl)Z4r}0Zgt+VuAJoQRV|{&XyJJ-=
zrDU5Ua9M#5NtiKghXq{V%2cFUpU6j6WJ@;@rG*Z&z~2!2fAaH>;<zdMF8Q})4hd+s
zWb1b|YrbIpEpUkQhk4LurI+SqLvl~C_v$!*`@*-G@7$ZY%YqC5!rH`a-->AwnZ@+<
zC9rH@GlKbUYP9rZcicWX<*!=MZ_27AUopNofdF&8^c0l_la7ssCiWdQ8<?74r^_4m
zf;qq^XX_9vKYQ$w&0049Qypl?qDuy=lSHh<hvkriaQD)VAxHqN=#@D^G43*fuGhNl
zJo#raF}#QpSi*`r%kyi>yu67b-tWF<o|M`i3OvH*_F1$4&*8j&+6sP}sm+@2$EKCT
zSdn3kvoz5(M0z@&v;)(K{8<JZ4lMqmSkg=tVV&Bcpe=P-qE`w*V_}^(2d$qkrRTP6
zSJxsNI#J;LNW%96M{$_`Ba2S5HuH4sPPLhcu31CE81j_#mYD!=3>&xPFElzpkrDEw
z{guSU#+=aZ5AUu1l(?;>Qt=d`SoaFfIgKi~0d8jd@p>Xhg01yMdHOma1eRL=T=|nz
z9cRt0X<isD8M)gaxBoI1v)J&>eeqJ;$`z$EDi4zMZ@|q)KXB?&bwgC0+>y_Tm!y}a
zr+=z3X%7Dw(e+HIWTu?#?@QKktpIx*w`c#(|70!mKI<-LYwJ)pAWn8^Kk}{LsYeU~
z<sHT>K_+5LT`^5!;SGvJH1UuGD_##5L!7S4L{`_DNuOWEogiEv?3`Q-#?A4dzjo=A
z#l1e4W2<XD{tkT5RoVN$>H1~kj^@WGA@(LWCcG+(>n`x(>KC&-C>_7&<-u&P8~PIU
zoWBVie$~IGb>7xJS+YRvvt}7#T}zc`FpT@LvhoD}$;4NoNLeGKpkW`#fr_sTL<wkE
zYI){@QvHfdKKhAE7Tlip%dhl~Gnm}5-r+;&-1Nls&KyT3>*)X+*({CXVqbmt(L$sm
zQ8mtmo;DvAO-ft76CW(kAl!eL0T)X-iDnm_dxpbacc9irYpbccc*r&xkZtL!Nx4B4
zJ4~Uz5crTQ%hcbS5L~R*QHUY+q&%N1K|;)}?x!`ToHveJw73q&Vy3#e=XL`$a6^6R
zicL9jl4HUMuj2QK0kMxvQ$@tpt}~n*B9c8sR5dfhCsb4~*tyHi4N+}d-VT?#g|GTe
zSLfoJxwXInW+-irNl>-a#tc>1=v@@t`1cwv#E0m^20<db;m=I&I>XOX`_Nm}LyE3o
z<Xz;C##5~*chfq{-jsObJmEhobr&I}gC)UJFL*V-Cay8_WB82dROOuFBqXZ7k<yCi
zJ4x{WR+++<ba$FL4MA9qL8>{*Z60)4ugSm$(p5TSwD|QqKeP(vV4H{{$(<XM(VJ1M
zF9*4%$-PVVx7e6w5n<C_L}fg8)t{vsF1;?j;-<8cj=QrtuRN~AiaqgJGyl}9XB3u5
z1eosY0^FmA?BG2c1b`KX@l3baJJE0_E9<_3)$X(ALJymt9=u~|>Fwpp<|~0dsG0zO
z@-no{xB5q1+lLW@5r~U3V$Z7u(u}xJy7f6@d@irS`{sYcZYmoiBsUUky+*{RZj+uU
zME51J3g}H(>h3?464#}Mb}YIW$DS+><}Nr_9@M49q<XB-CHt8V<2GWtf%S&84kd1y
z-k?2E5rYliKr|{WqIZ4WX+Jh->N5n?3Q+X}&c<^;9W}$*!)4gGr$Y<T20VtQl9LQ$
z)`@M+40pgIpJ3gaf?FF@HR>!W*J7u4YdcUm%X17|jY{7AwgwH+O-V@QG?9MjD?)q(
zfO{_LRlq)T1T=<?p!&k>cC=Jj;3Ct)P9XhBBl3@ggBRc?<7JCOjXsojb*}f-fc&r<
zvwI?2J{CGI$Jv89i))g^h*6({I`2w#@BmG343)F(MhT?rh<P^a!5b~JMw^csXl*`P
zG_Q_dh)qANmJz^=5vwc55QD8Ym;wPDhP5Y%`G(6}2efY|WzhRJJ+$#Z44ex$*SA3K
zz>ck7+oQ}NFFpb?0Oe`#E``~dejB~9mH+<BXLzgzXWVCD=50J}DOxd#f}*KE)Aa|e
zwU3~O{l;&oH9F|kHNXK@L7Ud~jo)>&?m~rQUM3Zof1fmMFr7JeSeBOz`gDNPe$da`
z-^)XQ%=7dE#O3<oHdt}iP^ULa)c7ioS{>M0{}!m(tJ@Zs@pP$ZFtBD(^zwA8vE>eD
zm!Ia=$e8C8w-~Bbsc}n9<x)ap5;R_c^#@x$g)HfgM*l@0q6$PUfrXpq^+N^y%7H!>
zToRk1)HxgGQ)OLiJ&mj8I&+7JiCz8`v)6SAKh!Us$lZfeMF$y+FK%C2$!<P;dN2*B
zQ554|Zr&MFZkVQyU^c#&)B7?fd-R-w^@qwiF(rni1H0i=K(vZVWqL`CG9lU`Y2NXp
zWs3p;68>A{QrG0e(}k)_J0VN<(&rM3SC=!D%gx`OzhZ2oG38}3x+t*5i!<U%ldKfz
z6DrqltP}5GC<F>&-m(q}#p@6CdFod&`WBYz%mm0*!%fOXlsQ7Kp|h$L^o@n=B56XE
zKOfP5i&+OJA_$Y?LNB}PAUPN8FmkUX)!(lMZ7f-_EQj8+$UINrFS>n_=M_1=9ZX0=
zq_U5~R!cJY4RzyvOC(96*=@SMv2Z!$6G-*`Z;}49gZsXX4h*lL&kPVoeV8M>e$jp-
zP_7H7PfyxMfy<7T$DvNyKm1vo0m<i@I&M5`Z@em#tS2%USc`z>iu9+$?iu<=cJrJ<
zsy0u5!LRsFz7oI^(sdL2hu4FC3Mk#X82@|&bleTM-<1no5C1DWTab~8wwpC?RJ<os
zuf3#RTD;QLNp(@H)}8?{C-;43wznw~Oy$nLlV!iuViDA09ZKra>+i{JD^$qkJT~Fh
zkjs-{!-e-%0a}&1cF1zCOj8Pv5kzzM|9UnozG9kK^RJSnZUmB#LPW$J_!aF$yUJPZ
z#(Ja<MtSRKc#Q_dvi{efyj)1S*;Q%s2l#4U$3ssO$Y5CyTK{lAh_WP+v~Kn4IA<9)
zcb+y~d9C1P4@gWks)&UTGN}yWrKu)U<DdK<_~Q}WV{y?}0dH+>?sjX;rIzZ_yRLn2
z=}yZO_vv~22V>?aq1H?RurfOYz(n^mPTfJC`Q-iK$#T$-3N3}jI+oR*bZ<8P{NRAY
z(|+Nu9G^`23ciePH!7}FCztBRnKS6|fpLSl?4`-;451z$l#I?nvoO~R4RwQf2zj#O
zL9gl6&|>2hqzGp2hfwV??YyPD+j$4S=l|$YYZ^RIfDih?7uE0RJCzyn&aBf5#kpu`
zKA!L~53K|nM+4sjOn)wr;Q>{5q{<p^>Wukk8wMA}y!x%JnumPN8O)QgxS}?fQa1Et
z*^A3ngzXr3E%VcY?3td6d081a*cX^t{LiWWY*^I#Yw>|L`CMx*16{3-^FZH>Gruw0
zgq*+W#$6)mQi|A#a>UXjs-Ip_CFb~*GA<HxR-JGeoHQP=g9H!UIrJuGPwV)0ZW>ey
zE0vjNJtABWC@7{|1btLwkh@H$zS_rVJ{r)bu}9a~X<9p_D)$uXGSQq%y(W{*MbG-?
zMO%eR)>BA605RU&+1w$_$t9olXE)qNZ-d1*$uwDh8>BOdNP2y38YzOU;>HX*LfWXB
z>qpa>mtUT_K1}cZ@3ZThstGw`_N(P}Ymf}AX$<|$wrHImI!-m@kvVma51YDF#^wvb
z0dU8?|F?#C{x2#oVwjsmI$geAt1PyQTd}P+v>sxewCtm;uQUoByai7XURw4x!BBD~
z+NJQVhu`RqHdB(-V(trW;;mllioz*9pi{a^;Gxs<C9RN0!Uh138VN@OT$b@STUEwH
zEkvB2Yw*Z(SC{P^@{R?Bp$o9h4K*8(Sis<V`!T;Fv6%*`GVAG&V79@W8LBH$3fg6B
zM}5ao2i<{AOOqRVpVO<NVVA`swauv=E!IqR%dX{2v=-U@JOwVTkcnOkZ^E1sK@z5R
z-m7zMdGF~S!+MGUca)rAxX*Gm!eken#hkR5xy;TM)mF9?5&9&6lo-a$*%~h4s!Vfi
zPiNSt>TAkRD-Iqj+RVuZ#74EZTQ!&wg0<Y>*IQ3ti?O(~8mFjU@#QCr=>|de<}QG>
zVB&kTGn*uUVXd!iBW@b2MORY^J$bLTgO=g8ko<lTySbuDex^;C#t0kLezm~Vq!VyM
z2sQf;gGAkcLS$mOW@4t6Gnj}ch3QZlIyR^Yl11RbtSz4Gc_q0AOAP*U9bE1;munmu
z4%aD7u}nKoFkA6%ThTrWgc8!lEO>4LYv%a2cGd1i4R85T8=`HzvQVAwen9bB_g3ey
z=+$*+C!-OH#m4%H@|Z_c^mo!nD~jc!X5w&^OmBQ4V$XFjTOX@7Hav*|B)V_?y5PLl
zX{vj&8A-2mi>4q!%I!q!I$-s1e(!n-Lg$}|^VS91>@Ob)Q}tg2@;Hepun2(?pl2tv
z!sFN-ASXOub#Msz*G-lHcghyBPhLw;J&DX>#+mW>aGNg(%fi}>5&}Gr?ly~oA&HsM
zB-!y#6E5$KwWI4NvldpKc^u`k)k8g@2?-Ck)rpkED*fjCl~R%J6UuCfT^nL^1BC<#
zT^y-Ts8<(~5VCFv%Udh!FmG$Pdi`V~UVdssc6P#2^?|69vbK?r$Yw_zsCtxj`qLtv
zj+V*E7pwQ*qOX4C)mf#kJ!O%z!Z`uo)~>vzw(w4eo=#%WoIl)mndJZeZ)wL+%XMm?
zU4<apXxgK}WF-mDLwBR+_OZn!oq{D*(6Hszxuu3`Hgk=j9cErr^dNOd8Fpi$<PdHg
zP;IF;5PnxSyxvv3G}CGlYW<c%Zgl%EW^N|&DO{o}<eK5=tIf<=#KAdl=sZkjyyfBg
zV_lAj91wNSkV$I2i?MDptt%JT3^8yt?E$tT*DsO&XLlb2VEf(c7QaRscSM>$VcOxw
z)-hqo8$B>CVWudH?9ac-s;h@)w|MIs8>(WNQ#Nyy28>-Ig-?@`Ixa>>-xT>8G^m9l
z%DDp~$4x86C5-r3gmpz&IE}G%efE5vvS!_ijXXt#BUE=YRXTG&yBC{;hU-;%wy*Kw
zsp7EzIx%<DA6OL(B)hE+lXG!d@x2zDyAY8#n$5LF`j&hVB8BNrkj5o-Im;=J_O#6I
z1cGt4Hoab%<K;ank`H?3eK$5*?PMZR02d7vo7Mpg8WQqF4mVB2I+UqaQ0ug;=GxgW
zLRYLqgRXt8I{6-HD*d+?8ZFS+fU?v65=D}=9W<<_*Vh4JQLm$|=5c{elK#|mkkE$R
zrO87PBX~`I&;Gx>^vvE`NiH0RyqGzY+#?rkSI&hpBMlrf(%c9K-%@Hv)n3Q%p>}0Y
z@)wMkJdvpm$gE7AU|ghcQDnUHd{Cqs!6}QIXzU;v!`N-AML+&QfRR}@K-i^dLRn_(
z;oKhl0oyR3*ThJ|e%p+EWd@zljs1RUKP)qv=Icp18KT4$uKj#XtDGg^z_*3%uLl#+
z4>ILVPZI0Kb^7oHh|za(#%6_skk)noa5H(+qap0HkI5=^x)g#50ZY@bNKDt{Y<r;m
zQR4uM<+HQqOl4iE&8qV)9JGhV9<;w_8J13HU(9D_Act8KYr!t26-P1tJeKr1yA%a4
zh^PGc@dkc;3P#+<jSUQ-j%piCK*xJB14Wpg^&WAw7$kF%I!Q0a22}c+2?|%uWBhli
z=@Wh>mp#ia`<bpqR!vCbCudoIe`|Can6IZ-yv&oRjz@Y%f_|Bo8C9?b2+@Mg)p<pT
zNoPCGtt$L}MqBsNv13kpnYmQ4qA1&?!W<<pgS5Heqk+`{8%N`LKHGZs@Xt?<h_P%#
zLtf{D_V~)m{XT4bq8<^^D^0m8KEq#)K6=GW)tA#f=;aPPr0&A9C&2*-sr*SB2WmGZ
zQF?6@n>NH+Le`rb6}5!Qp%~tGC?wm$D;gQHTf5!4el3LWph^ERm%n->re+zABKiLg
z^ydw4uTavG^qU!F<W^>7yPYKu0y_%o88dY${za{9``!|XRL>^z<Pzh5txjXAm5_8~
zZTm7U%rbMD%+T~+=n{Cq|4u7#BE)g2YeM)YO-&1ceK1XhJCQ8xRYGLJYnt1^bGTf0
zf;{4wu;Tw<Po~X!%iCpID=srP$aU!#bYQ@8sn|Q!FstRqZKLVdwDO9h(Sl0il+az<
zk@#E9?&w>x1B4XU&hw752^dYc!KJV3?wTpSXYR{B7QG`4-UKS(KyI0`I{>m3Ti*K&
z)Kt#~!`h`EN)N9@8`IqiiL}P^37?uPd$TsZafy+0^)bxlOIZ4V$&Oph&+@ZS;U+t9
zok-%WFr<FX^A`NFUrOfFtbd+zd%JgM=-c{l!di3w9Mn(sR=KCJ%IBf((?f^uH6pfo
zi9&CiImUG>On3tF=5iYa+@brrzBwJ?<$ch98~7AI95&*#BqTg@TX@$f@d*LY*SY2(
zv-k;yM6CB;f8#O;ge>?<TTac()|nj|k%W%4fzDD%wc5vCI7Q^8<~|dd3N$Ljq$o(v
z*E)nSx$zv#jOWZYwtrybTJpWc9|K!-`q3M;#v2<X+|t!*rfH8WnfIlw-}O6sZDH4L
zk*srN(DOKTpUQP)ZROj+a#6v`0OWGh>=$4GJn)8(kI`DkIzN2kc&yDeftg{)I|MvU
zkB6EmNS2c>i3NG?AkiH%V{L;$Bm${<s^hEoA8kjw3}5q0LgzjfJBbi~R!#^eIbx7n
zAtxk;pRDw5+1NB&W3X?SIx6ZnsYdj8iESdaH_aeXOt=mns^pKQDgK31%GWt1F!J1A
z-&2(|{-T8S1<pY$wA!A(4nRxAWbR_v$B?tikfW&h(5~%If)6=UG&r*#RhA&y9V{d}
zM7|l_BI3>tU6tXz8`^QaN6mZ7`78BJf2IQ}JMKvQc|8iVSL8|#&4hmipc#TXoSeBq
zKceK$-OWS?@Sa38uc`}QWWjy|$l@!QQC{X*lZowo!j6bS#0nn|msaTK>`g72n%b{R
zo8eB_%po&??W>&PJNlj%UOI8c0N1g0@22W@W!s=&^AYU)Bl`84G@R%6^TYt*0^r)m
z&79^6+EcEvZjPR54bq;-Bc(lEUPpWj+V|}-JXvHof>wjZ7zNEfJy<J3FX}a(?=#QC
zy3?v}pbux+K^E3t4Q727=}TqDQ}41F6unzY8&)6XtiQgW;_xzcum_OY-@MBWc1SC+
zXQ3of8cZQ_Vd@Vdo^YD3)AF)IlU0F?{LBVK@YI5K{tqwE^#98X`2FAE1zycMw=VNs
z@j*Lz&hL62ZY`t(RtiRJkU^P0S&zt6`VZo$?9*-4t>1l=61k>27?%<mCTNOzJO_5c
z-ge)ISM~#&@iAdrwqmI1wQo~AHn)RTllB|r_>%yy!ud32{;|$y9&_@(7?jkyf*R}(
z5-lA(-tN7o7&zaUUAM4tIo$31glu?vwvM0ypT%tPn6*NJH#vx)dulqsER;jVxImqJ
z&lR%E;HTdH+C>vBwq9!`n(X6xAWde@d4J2l*ww5^Pvd~0mz?R4xsP1TI4K5kD20)$
z4TU{H*1ltY$hVYm$)(Zi)mCGXbD<OGS5?b){l07HWRg^!Gj3zn6f3Bf{&E!@GO*Ok
zT!{D4*?uB+*Im)uFe5?7H#uH04)#Z4sts1i5NT?I=_&knQjWirerV+1XE|#KmivgA
zMl;f~RCCsgwpfzXbW^ki$TM|ez!)&~&YeE}D46k@2{_5}Bu-jVc=%tB0bQ)K4^Ycn
z1Ss;sJ(_<=5WHy-LURPsjT`yP2<bQL+S_a`?rksBQF&^yg=(JXaA7sP!1zH_O105i
zsH4=3cgWC?9q4x6f}meBJ@ANZodu`$I;Pl*YaBsh0Z!10sJ#AXJmks>@4!H;cZ%9?
z?Q`+y)yvIfL;SSZ8f@<TQeX|iXrG%^Y5$Tam$Yzu2+9{YSuvEY<2ScZBY<Ztbjw-8
z?t9F->|8u}JIgw{sOzpqou)t{;I<*V-bZXyZ`S=kLUph*klfRlFZY};7sODdqlxq&
z`#{1N_H*(LQ(v^f-E0Kz5kS2|6KU8GXx1PQa)A)BHs@-872~`NBbX_VFX?fvxa&Nt
z@jm~#I^X(+#q93mS^Uhu#&FQR&!6+N&vPG7-(~(8-VSR$e)sUM{g?dpzjv)U$Lcfz
z6{A&Dt@cWrZ8gb8UUO3$N44M83%CD_7r?R-=&~Ce)|pn-bXE*gHC$`5+}nxJuDs7`
zUIH`4`E!Yy4Tml&)yL`lDUhe*biTDEzT-6DqUoO%Pm1&SKT_QsuYb|KD}HlzXrF(r
z{IB%&FMmJ1H{T@x!w`SFGvEJj{y&Vkx<}-H7^tq`|1frG|8o6@LG!)$lf<VrS<d>8
zPS3Iwflu0>D7#iOUhxy7@&AwZ=dIS+j-h1}Y4Bg*-Dji`Y$=@Hg=6rS?@69?sr*rW
zzoG*orW~x$)B1i%n0hQ>mwf$j-z@l!(sZ*X+J?7d>-%`u?N6bVWtj~5-eJT|bc5ry
zY|R(lmR5~#MdhyDXd)A^*45StJCsKzc7nKNq@49WK^f%lT%CYXkYWEU5f?=K#wc4>
zQ2i{=N^lx%?7d>0QpNFbe`?%c@u?wlaz}iuY@v!YeoXe{HM=H(q<m5|p2L*=V{t>(
znECBILC8GA<8RqfT#g2*)DnKr98)Sh&D2RA1JIws%=d=dnMPA51;3k@iZi-gd03Aa
zbxH%96*9IEp$+5FVJGYmY(?vgKR5GL9wGO`i76A5wv=C56e~Gs=bF$D13*6>>h@&h
z@I_CoRv_`-3iS`2DHdtQ+bKGNIf98d)J|S+@3i&L4&MFi==)bBYM$yysaNp6RQSD?
zGrC<F*9PveV3$!<ASBz(M8>F0!==HAa7x1blBQXk{o+ZvU3f172?kLc=&>jWUl_;D
z3C9&Us$X~EGibE`Qc+|zIuHepa}4Ln-%Jzym4f6;6(;b|Wu{AGyLPNvucdI_+C4MS
z<NCg1^?|dOb0hD|9OOVmFGHdl9UGjd;?|(jm<4dod*_@gcqsF<B$%Ex2!5=yJ@cjx
z6IrEY@(eULxCs2~+W^SAsAw|5UVr)h;cFMCeOvR!P;Y}0K{l{A<YrKnhP!@;gq^MJ
z32(^%Rkl>q4H2KMw}KM7Od4QqZ4nzEyn(mau5|0Nl{t%TCupb4X2k-zIen!oD<x$N
zn7gnC)s0@U`ulxfDBAtq;Hn{Zg!pdQTU!e_hgd|K?m&+d=CC10JG{U0Gz&d?f2F?`
zet|WA0K-Q-bvyuU=ECsfF^+yMiNMTYU)<4|E9K^&yHTLIiJD6^2OyMI7AWsLNMMHF
zOL8EulW>iF?(ucxm7C*?hadyPaQ;{6I4GaL^j3pM-hBTXQc;oEk~FVZYP>TD#?JiO
z6hvkje@Q9}|Ex<ow*V#SYbK!wC6BIymngrRsRpo#z01L&DflI|fyLTz<=po`o7KzR
z;*D{W`GkfXGvq27A6wh7O7~-5jCqBykE(f%(E{qO!)LwOip&7#1@mh<AAH8PQH*bU
zF^1}KR0rv1t8-oZ3svL|0;pL(Z`C1vD86feaq$s>xpo@(Hs0Ro+BJlz>~Ki4eUzQ!
zpoBO;s?C1;m+tGO&7FbP24S^-Q>e|Gqy5J)uOm6v#-tLoZF8z;91ao>1&)lw!XyL{
z*(AY*%QPH@G@b8`@~tgPj*rcaIal5Jl^neR0H+!@Jf3#G1(7C0T3?gj2NCYdL?Kk|
zdpum3QOg4Li>&xuCBpuGU?LgbX>sC4^2>o+8DH)x@mr%Yn`PuLfZBZL<#gOc*zI>U
z3qHN2P7?svf?(@!Q*)(~iPZInRQhVJI%1;XGDTinY)bVueln5i_kx7*%&ngzTdyt~
z7(T890a@0`n-ld>4eOn}OU%FfYc_Gjp0qr(b&*e<H*Pc$2>hXzb+w<t^V{FoW5(Ws
zORLth*Cfy3cW+J0E8nx&+oVOGh`;{rsobsJhQo9GQT+GXyH`6Dg#U0n{Al0mw`I}g
z1#VdXz1M*tsTYf#*Fr+3H5ZzzNu2|(O!wz%DeA;bo)R+&>}+}wXLe@>EZpqu<8q??
znH1mmVPXRjauk`8=bI5Vs|Xj-vGH;|r+_~M5hV%j`xNbSL+TUUcwrFDKmmyssYzL$
zsj$cE&sGsdH0hZkSiia*`c=QK9O{%~BI?LlP&|%iC10~A@@yB=uao+0ItJE$;5W@?
z;w<erI$9|5<g9i=F$0_7*l8=AlueKA@iX;mj=p&f@`D5-gyYit@fxbE!dShc;*)Rf
znmQEjPpmtDjo0>oOTT9Ah$TJu-#KjntQN!qR2TIbM3+@r%t9%h@^xAInJl~MBC#ry
zFz3o&fr#Z#iLJeE?9IJ!-!MQpbiU2qQ_Im63GeC%LJWz-<i}){I?F{<-4G^is|`gA
z;}fqzUUbdX(+m~DVm-uEa13?+=J9>*ZbLUyf|c)u5~Ob?gS~sD+BU5~BsVyiVIC!<
zBwy@O1Rd$Zq|?hlo7g=?yJls^Tdpih?l&S~PD0&P*=d=YN6f=CB8`ig;7lE#f{pJn
zRv~7oE;?Svrqg_-S(#I{x}eD|43J@7!Q9V@=FI+fz3}BT@SO+PASX$zY{fIG-!xXZ
z5^wZx3(1s12drNZn+Jok;2A~11gPybR%{%>Y`4)TctBT?3Efavuy+S`wYQQZPAjO>
zecC48%og<B(DRb0=3#c!RV^xr?))<4a`ci5|A7g`G!SzDpiKi8rnGH*U<;P9_2yrj
z6>I+F*`M?uMtjiH*02%aRD`kryu}r$G(_=|gBo$KoknDwLswEjm$2fKU?}QQMad7}
z3g@WpjOgE(?5JK7YDop21r(FW_56It)kaZP)y88<;N2?L-+twV-7Vh1Bjk4fGZ&36
z=&H}=hYwp1d8quXNfCbC6#F$^rY0E(N>5Hrye-4*7Y6UcEmWKwrLs9MH^f&VnhB6M
z#`ABM57j(}1!2@X0$KmEs?wz6@m!Kc5m-jvBQw~pNn+}1kB5Ns)o+&%(-mT#1K(9B
z70tn3q?IUBclNsNM`gJnt(V+cmun|4x9cYzjW9x<WvSZ9?h9vizP2YR>9wf68V>8b
z^k(?EBxem*(lz*CEidg399p5R=n?6_CG=a=>o#xo)moJaF*!<lH_J-+$u9+pZ=A#K
z6G;4-L2kk1*I#7r`a_}$p?<Y3l&#Zl%X=Mg36}0zwMKQN?hFh$ZGM{~&v`ho<I$2^
z#KaV$N_ei#$eSgUeYz&fEyiN!QHFG0ScS|iy^LtvxxYjLhLP6bMguaRnf6c|^j7Dj
zLi76Q1BNn~O*Dz|?T6+1G&gER?6?Bm<=d-F`i+e$shsLTy*C<?9R|EA5!np&w^lZP
zZ$qVCgL0-30K|;dOc0VPaL3{WU+8-di;(Jv%(LEP^QMQ$bb@EaDR42@1D?@8hAN}Z
zDg9;;Sgw{KIIuHAn|nvFLGP^cy+WW|3+C|Ihp2J&Jf~rSWX2&(NGz|?yNM~;+xHQp
zd2BH8M2n^oaNamY4WMYE73_H=#i7hsL#}zWlb-?AVt76IFzdJ>08XMe$B!HN_o_^c
znDbCD(S{{TazQ!pY%5l)x%n#a71H#l&iU#M8hQ%z=5@Q0kC3ZX`?=+m>zd1#2`|Hp
z^V88bGVY`3mwYGq9@|~;3~v}W-hc<FTXjzWNM-R{r_mNgUB3UtSE9;4F|ZkTE^`?f
z;3s@GHjaLc8|Uy^ZW15%Y<<R-g;-e+!7x0bx_h`1H!mez#e2R~EGfp`;Z)>1F&f&;
z5cQkB=#u&;m?L|4!NRf2*7rF5Yq%H@t;?Nk3Ug+S^FsTPu#x#iqJ;UwA3@hKA5g11
zkUjY2PSMPF7jS=g0Md&-yS6gd!ByA%FQC73rSWdKeMo~X_ABpw=_Im;Zes@HEMCXS
zzN+x>)b7)mZ{>sV$bgzxGJDhQ$3t<gsZdl>-AgY`sLR3J;yP7_!BVt60?IC(@3|x0
zRu@71RU^@~u<0eXd3`m(DR+z7*W6q4JMOtE5giY=tDbhKamSyIRg}1t*DPYoApjyh
zfC(_LFcN$nd>JbDy64Lt{&tYkSjsoj8$(GJ(4vi8^TXYcwN7mV0##M2j)JUO=OM;<
zvM&eQLO=ekI)|Hf2C|4xV{Sj%Cqub2XAE}Q`&ujms6{xNB6YKVO#$dU+ERMP{q+18
zyY}^bzd6!{+@`YTW<6CVj=$lj7>`~nZMhV#Qp;t{8h5w&OP`grao?ZH+A)jtXLN4w
zRT^cc(eSf3-^?<{aU}pN9I_;P+p71`xG(CyYeN>(P9G-Fn8C2zX_;5>eZ+jQ$z!vc
z)=oH^gtC4XzE#wO{m5j=GXI`xBc!}>dwglxLAVyd_r}{6&<FuLe)RsKF{HiPU@AC0
z+dFC2vwj{q4D>V$oFbz*yn3=0JGwHuhC6ZUIaGj1h4}gfcgq#lP)*Kc^jl5HDf~})
zUv;*Ng{=$e?yxnq9TUZfgm-8YM}ZdA4(hCTzegIhf9TN()iYMqB?y$&$iq1_J`1&<
zYUi~t-S8tW)-pXDp9-qm1lrpm?YyX1V&i+8VMGI~a}2Rl6iyewvQifLYh8&TcH<Lb
zyHP7xPPdpUMe6QVd04^ou@RmG-fNp8Jw8jMyIMd(4oz+;^Ka8E3xS~&;97w-yIbb=
ztlMF&yrM@55*bHsCzAb<?^0}HdZasqTV-muNQ%C<4mz;8tL8<hDL&gkfrIMY;o%I(
z9V<G7h$rP*SBBSgI<BS?p|iD}J5hj1!)Fw(6xe!2$)X&oLge!n4T}B&=Z^y`>E1x3
z^9+w|&;7$~FFdoWavcVFmp`&UZr552bmxoO^8S7Cexj0kv>lhvpY&UnO$`h)Kgcmg
z-x56Qi8x0^(Yaoh0?eTKHXDiIC~pPyMdzUVg+0=+nqny3&m*+w#~qX@VZmZGVRIo$
zZ=nFLDel2b<gc-3&@%4L{uuS-Cfu<0kWM5FNALX6`bIG8!~7qHBU-L`cu&Z|Uj7>6
zMp{4hn-hm5OA;?vzmT1rnD0PFYmxBjW)%GOGCUj0H48~eQP8jEh1Qg?5N@Igdpxvf
zyRkgv^JB@pu<i-{QeRU@&XN7BY+g(A4STS8Q;x57^mJH5%<s0b$<pvcinVNw)AN>D
zdT}TzkA3T)dzi0d9u5+E1PKPPIaGuK`lCrHs`TDz14`c6tI9K_a?y{+2Upv2-a|q%
zyBIdzzN0m&o7NAFU`KA&TL-0pS-TB!>a(|i*ZN%_0<K>)T>0tE-j!-UMezf-T)rl-
z4|wBpADv<ASCF6N+7?dt_&bro+&gUUqE4-#zOKhKUo8e3#IUT$_{X}I|1h3fqV7^M
zk75e!%fx!Dv0+B*ybywQ;KeG~B85n%^+Gorai3L~wMUlm1;&Wd?ODgNgQw};oIT$V
z7;gC%FHp7qoLaq@WJ4r2n}_}q&`}7)uMdL+i41p*49H~4)K5g^*=Hk(<D_xdGiB?l
zX(%<BDFmjRrr_MqVh9>CYF<8jd68s7jp)~9D-J7r?bmwKvR5|LcFq&pcU43K!dm7+
zHT%^&OI|fng7|#=r`MKwpK^~)^_Txwd1n<AM-(n-2oi!rfZ)O1-IL(%41>cAgA5D_
z9yB4i!{7u6&H#fm1P?w~AUK01Xz<`cLbBY4-Ku@O_ipXO?%S!Z>aOal?(@s3|N9EF
zgdc+aIHr)zwmAGt_x2X)`fObdiodmee(l(YK0kwMze-0<Q91L@&UK_J%Ir<=*V=XQ
zGP5CZ{M~rUGiZPe;Unc6dfCy4)H?fMpE-wl+8GGp?pgDARZ$xMXIRZ=zaA}D((w9u
zHf^=OlatXC9jiLr&Ma0|==m)Tb`GI^>gHqP1EGqAEE>`!ivu<}DYPkJ`i6?8L!Rma
zjSOE;GjO1%6PIAHb}Xmr_sbsf`s4wS8knjmI-Q;~CnCzY*^2+^wr=NmPC@`k(i1k*
z4p3NU{+hQj*BBV&599O4)qWwD)gn83o#SLd!j}--GBlVeDStVlwZ&yMJ^$HD>wE6z
z(jJf46Z!5zHUJHJY?*uH<4)=??}`pY^_tDMOB4}!CdVXoiT|baLtf_NTC1k!Q0ue+
zl4o|jQv24B56AhaImO!8|HzOQJ6iXhWzxwR_8AG1zAHfT7-MFj<EHMXp0V65Z;l+m
zSk&7%YcPR>Bni-hk|%Dr4O%JEkXKfNj%^aEW=RuZ_HPcm`KEk#?S0ViKzj_)kWpa4
z;TbyA)k&XVE1^sL0We1MSd7bpE^4Pn|M5_pg9f7u4yi-Lq_CuavgN8xNR7Sgl}{Ce
zdM&RUxa)ITln%R&5=V7k{Y}fD?9q!NPBioBZTX1sKr*Al#|@QaqYFAkk-@3c{KFx}
zT6WnoGgmHOk^H%aYc_@0f#F1PnuJMf^9^Gd@#f1BUoAnR(g69+o(S?fM6t;5v&O9l
zmWPEX9=RHyDfP{Ny;gYjXL%T@;Md?p%%0*QozIy9&eRQymjxal`7fTpt=aNLO2(vt
z4x*yCjwu?M#y@!Jz_YSzrX&u!^U5vs#W+0Wp<^_^Ru<jo<55L-v;$0Uw>m$s<}Jd6
z#Gbqj$Lf~Se-isfM4eVNNr_2gBJw!W2!jge{ajkV=tiug?>b7rG8N4eL2AB8?XP4{
z$x5j#53x^U!RQ?&^f3=eQR3u!ZcliLR?LZbv!O1o+g90y;${*MYjM|Eqfhf>1_L@_
zdqY1`W`3FE1VVe0oqAg&>GWI$+W7qi)gF~sGy7CR8wmDRm7b+|Omkeb{p9h7ES3Mm
zdOIVPp9~NXw>GTopb#2()a7Jghz&bD0GU+^W~6xtTi5%bz5;;#gG@2J$0>O%2Q=&u
zE;fh-$Jx#<iS#gl%uKN5%dDy!Mb(aTwO>~9t3}Oax}G8`0H6At+@xn+oq>It0A^8y
zCF5t&E!iX5#yGnYJ+jTrf~acm3JP=C(fmlZy;`Rwp=Uv`hCd^L;roBezQbtLf9G)^
zop{d8#OVj|&5S`kRlnT`4mN(@AWu8=1@<w?zU4_L-E->|YoOLO;e}QY&B5%P@ckK*
z>2H7eao%`}ggwJp{;)~M%eg3(`o^Eca`LTBQ8=+9`^wL;U+oEx8sn=|S1;|38Tu@(
zZP0I)qjPARulB;CAkK3{9Jp~y+a;@uiKzxYnvteU>h74sDxhwkxPgcW<moKMn+QFF
zGF5#Vx^oS3`l{Tl$Mjv9mYIIRdKuakwjy5}&Td#r(%pw47HIS@5b<e*eB<KzRIJ%y
zlz!G9C1<YZj=v0O%N#gpW}6Xc+Z1FHu^G0>fu5XaOFg%>Q2v&oV$lR4-V{O9*-_2*
zePES$I?BDU<_{>m-mB_Iik6R3Pi?#An5l4?dn{Xd9KDB6Gd*@ds;0+BuCHhO$oy>k
zBtS@6dG6<h0FD?{FZ&Q_#pTy`Mu@IfU^TSKc=UE$!><$HaTz7B8bd?$*Ow{Or1WLO
zNT0HTer_cY=ka|ERULtYi1G-D&*-2`4sEZ^YLl1P>A_wRu3C$*+K{+NexBa<t-B^0
zSLL`g6S;1fTcqsfR?T#2ab=#fqjXJvhqG8@WPzr3jZmS^2SMx=1xm$)?4;iqjeVHY
z###>011Z~FHCIhUM<Eh7+++)Lb&U~s*PI$w)mCx20OtmUHgLVfXQL=hh-I5(9M2u}
zUg*dgk*AsIgsw9be+!gA2yK`lGum}Ub==oHk*Q@8%QgAOjzbfn3-)C;i%kOXJDyCZ
z)+?YegX>BqDlro1t=q;;cL}-9kH8oO=rKC>&!$e&cuok^)37S15pzboQ6+W3e}x@J
zfo-TJL@n}H*yWmL)ojdA78yjR7Qnfh7<Uxfw1@<mW{bK3IPPqczD-Y_SFIlr<Z~uH
zSOoz=zM}Zkv=khP!6Ij#;KVe3_T1GtdXAl~O>z5FN#|k--lvR9k5e4rUXTZ;ASdqG
zdMcFLHAOFkA1_cY5-D!NxmunE8Mf5+&Yej3AS~qzUUN|B5>EYCJW}<i?uG>3Sa4Ka
z*|!Y0$+<pn_8k(Wk|<ns&yP(iTlUvS@_vs9q+~O5g7)<S_;_*Tw5wCwIfHZc@H*^G
zn*$c^KQ~EwINzH9u8B+o&wBN0IgUQOZwzPPbHB1_UVb%$;!|K_Zt=AQY#BU?<ck(a
zz1ugiI{k-bHW%N-h~n=jY@ZjYSlMp+?nkn45XjRgjsQ2Wdo_0_^^JQj(l@&i1rygN
zq$f=EOiSE@NMF3SRe;v-8u%uR!3=ojX=&m>{GpRe(!npoq~ACd$c+(2j%-5xN4crQ
z<{(CjTyFXVPy0r3lxg02bekJ^rpao@%D>QdbQ<jch5e*65FS^glDtolsXKtBfq2`w
zRaUJHPRxyda^UEXzA<tK+}KnJsj=D?91%+5t89d&B^{(}#ZK{MfU4=t*QAdR0N)yp
z+9N-+(mtytD%Hk|fT=V!Ti49nP%`!tBrY(xc8q~GXtEKDVCUs0G%}<PT7)uP;^2{=
z@VdG=MGBPQ()<9t&J8go*pjlWQ2i4YC3A2&pU4qG{YgocgJgT$rQ33(!hi}(T~T|q
z@!IzMvC=Aow%e-LeOY-GHJpKH_6K_?W~X-%aCV4Y#q%Nasr~4>YfwDetwZ2_Povbp
z7<ruI5z7&~K@!WRqm*geev1|(t~@6xmZ+85AUdJ1pzZw`fs5l{)*rDX&FK;1sqMdq
zo09@T4<6WH^e5{;>jgYIa&1QA5vr@RgegoW-xM#js0o{;dn#ol-Q!Nq=YX#CJO_rV
zvMHSdEnZa17`pFNou^%y{?6&jopOnYEWrIP4vYPxAUJq7rq+S^2n>GvCYkS2a=zJS
zHVOs<nc6RM2>onoD)6G!x=7!9Nu<vFM0^-Jo{x@@#iTvdwW^JWOD!0b>-Nb4O3tPr
z>KM;<CF+Y!>RjR_c>gj-oM<pC5zPt|dR&HPg_t-v<>djMSX+CBgCk47pz|%eGo8AI
z8G_<Gqvx{!WX_?aY9>Uu%OouK8wiz;KAXGqk7YC(HYb>}3VOjCNLjxUq=p!7ueQ79
zyVmd2Q+Od&kAoD=d_~9MjXqo^3p1Ss<HgwWw!;P)q9*q2()`aWuY`LXXa{1Z>2RL5
z%27}B`Zo_)O<Ps@D)hxCCO^)UveVsbT}=C+oyX|{`Eg#YH`75kj$*W8qwh_O%n=AU
zZ<S3O+MA}9?wUspO+t47M~-A>-PB@~#&3o*+HA6#l2Zk2{(FDwM{Ygm#?ewPx2Br(
zJ2!Ja3KT(m<dYgw(J0xM5npkPEZm8<V6;xUZDTnH9d$T+W9tK%jDZK;-GtwhZ)=e@
z+1r)2v}W@SkxD-W3-0PYzF1AErRJ+JRS;#AUHH*}lX~V#fL1>s5ssx!N%*N12jre`
zw=M_Mxwvf|!_4nzZE~bC;VAcz`1%rSxzqbX2aaF%OEr`%Hdyyy8h&G^PSVpPp)&@7
z;`mO!k<s3O9fJp#!gsD_`s~)Iu+w$TpS;NHJfGphDD7L{jR{_^^jQ?Yqi7RFz2&8)
z1euA|$?&Mfbbutf7RN6iA*gFc2i$U$W#yIU1Xc|hb*(m$%<e(~ND;HMM}9UmHQv0X
zoMTH%gS|tNZFFJT<wUcO@wed?N}{59FPeU*`q6leP<=C!{KU7koZj}<>$bMc%6$Gx
zhiO`8{1C}xf-GOgHmY`bA=xzV1Z662d+L1727Eq_p|^B&Ww_F}qrEq&M{SF{nXG)1
zBBVgh5fOt1)>+|MxcEPwY&1Qclffl$v><(}oWTrEqY2R>eQ_EX0{l(kS?Ejjr^Oal
z`6{E}dsG8y?-&hf)W~<AVYv@ghHV6+qzB`Mw``nl+LNvr(jHGskllC$EuwOu7I$5B
zEK<-rNWoPx!`Li}izh?6@c2o!^Um-oAk(qlR9?M}Rd}=j!p}9>sO%sLUq`=5BktH%
z<m!|nNtH^X4wofKqD$wb@)ys?8HRoJ((9fvKOnqf?w>nz+v5v?RQo+kUIf1Eev-be
z8`{1qRfja921Gm-_>p7<^<6L;BEYMe*7eXJ3v_|OLwn6#!j2|7T$;?*`f8T8Ei>;+
z^XATZ?U8skkix@{u<l`5PBkfYAz!+wav%J+y4A&OamtQ=@lHP);ic_G;{Sef73n&=
zm=A9Am-dquHP6wUdx}qEU3c?>ZKyC7LKo5`WwV59#O1>J`h!A;&BzfB&_pt&CJOO>
zl=oBPV8?GM2Fc<hm(U^6$F{P<g1?=m7<3Xo*s}BpC#HP>Srb!45rdPXjm{1el5+R5
zF!@sl3J#>e>nb&lY*!O=jdj^?V`A%`qU$E^?^{rXmAppD$@wpI1ubS!x|!8Pj_xx}
zjuIJ8cO9K=;K@vVb=85LBVO&ANxjmI>krZPZpf;B>tB!hxHYQ>vsnzObBJ-Nrq73W
zTn5EaL{6duu3K-DKf|#<xa9MuAJUR#KRFA@*HJrKO`4k~N%NX_H%0JOl^7k~^I+KH
z1$Gx$%smRN*A8{YDYU_@bQ{~cj&Vm^VmfwIE1UbSzJuMxnP(AI+u`N+f<mv#Csd_$
zm|hJ$jZ%dqDBm$@HOdn<vK9!45BVnIe(Y`^RcIO&IPd2%hEZ2d&%tIpp*IRD??!{`
zWL66>QcvTfy~7@Lw>Me*@(}Rz&yH($2(t<2#<fSh`Vr>Ara|>~^CNw0T4ENLfu&^e
zE&_qakvRYz$|2s#-aXYFP>H8%MHwBWzKuX9wNHEv_Rn~vC;OX-#-51NR1Azz?cl#+
zaL?^*C1g`KRs21Cs8GBb<HDfUiBg-)H%**gG&%CKVdxGHDaBM^f~e^AlB(3+xjKbp
zwMc3@#jG9fSxOMPe5&G?TNto}HgzzVLvJ_@47v|2tRz`z+V#VP{pSS{zBRcn)NwBs
zL>A|`)$AV_D(;7_2OIkE6WtW9>ozU+5YU?&zc0BQFBnlk)Vw6`Ku1??6IZS2{?T2~
z>(zC7OK^{XFOo{@O;;x?!I(7?>x*L&WIZQlksufkZw<Vy1gYIivT1LSRF%hXk#oiz
zjOgTH2A%bOyX%k8@r!e#0?1eev$rL#qhr(5^;Jgo!Ru5&*KS+v?Y+~aBi$iEV6T>4
znkeVYEUrM>)BXBdfTk*DQ(awJ$BL<G6TDriRKET`n6jGB6!9uwdjD1YordJzPcGV(
zya<%hEI519oL;uP2?H^HDv6mN4MA0B5G+O5C`Zgk)AlnKDm#TCkS%y;QVHT**4yKk
zs|#Tl+b0`3q>8@ZtqnNs?5YCUp;oAxSWer82k8)uwI#rOVwu=;;h=_Ii-2D#I7X9U
zEPE;#m8M_7gOw1NkpVgB+9CBO@kjFIHdt3eDVP76bH759`_&{j_))n<+rDTf=Ey%}
zFe_FiDtwLv4MKGn!q!9w*Hj?sM*b0B8_Oom8a02gVtC$Q$1Mp7DL7GGjz3OOQQ;E!
zvYzgxo~h}SEd1M<`N1B3*Ri8i<Z30(bsa-#04P^jqClH6oaHTv9uM%jQ?!us6?Rc&
zLFSWkxY0ucNp6w_E@`8_D37b<o%whxzk`XAGz6!v#Rt6}wGc?SpU2{SE-UQ#Y$v|{
zm?j(rB`nu;CB2+Bq<3GC%*{Qkxu$#9?bicIbbsKVgL0t#RJ7B=<kUH-6mRr)I|xtb
zH`-jQugo+amlv6~XcL(!@(1=rmNm*Z0pc|`+V{s^XFJ8y&3p6sIRFVLvWe@H%tnXp
z)^z2EFO-^8bUo`pHjV+hZ)KFJqJA~_DGgAG0vwo$9={U2#W)JpP>vVUMz#VpjpEK#
za8GU{zNxa&kw}|QBXpn3)YdvIFKdj|*8`DKR*Iv;-yBa<DI>QQkA>_Mj<k_F(voo^
zFYxU3gC5~hQj&>TTx~&oZcSvTNl<5El}Y##EYFxz2dx!CDXY17`-XKtDi-o!M$97n
zNGcV8i<oKjV7?GNJc{u^eYk7P*1|w{<-=UITf(7oisrII<V&~5uW^iZSgw@eBFu#t
zdU=l2_34%t?bEB~u&=XI+g$Ga`-c}Z7>(?EJsJu!C$n^KXT}>nAqq!@MbaY37jp%U
z<<B8L5Yn)q%C57xfglzrO+3k)pHxSYO`<+~oL-nl>)h1A^oxI3att(AIuIBR<#u#c
zzvI+EMV-1Vo>~ph<!D+UTkiF#=_k53ihW`uiU_3E7a8}z-;ceZ7Nt(|<#m>+BJUUq
z(Fx<>gxDYAus3?LjyASNG*H!jX`JRsr$U1~1LAbzSBt}C9D@N0BRHYqT6XNDNz!>@
zL>PbAxE=FpVG1rbY`2q#-bd{ix5~?YMNqO}j4vgpcA~}PsKy$hKFhXG#nmh`M7#ay
zsRW4{q+U3+*&#>lr;u~)aVJ@Ya5N?GK}&U88T?=9<E-BP0-8yJ+Kgv8KmV!K4^Lt_
zvU(0W<at1{ymO(|l3$dnR*iY~@&#}(ZZ@Y5rxP6C88yaJ{EIaIztYE<(?!0^bofLC
z8At~7PFM(l6AqH&KPJPcGzZ7c=Dl2tNbzX-J6QerlW5zBriYkzpL49wFlV?~Ze#=~
ze9c7}8S|i9M@_H#=_)wYxVeD8*LD`ZUXAjzwNuZBsD3m*@=xIP9aHugo|*sI5}5@_
zDRJ;<%$U2)t18_Y$lJx}w=9ttEYt6Ux%XvWL!Bla-YrRU%w<o1s@{`qAIGy|nJ^v;
zs;^<|b?!AbMoV*k=X|9hNkkJc%uz-g(%=pzm(U^V`JTmOHD6z2sWec<W48j^j$Yop
zy861P8{<pRGu*6&d{(i4)iw1a24}2jdT#ib(=%4o;gOdDL8gUV;A8#rZ|#}+)iYX8
zY|OKK&z(}@V}R|UP60GWwQS(Ld;(dGF=3te`xan8t%zCgComqF4e+AZJ?NXBn)70&
z&~94L{B@<kDBx)c^7I5w=$SkiJpOy+SiEm40bmjDQsLQZ*d_KXU!XogfIq2W#OI@u
zx`)c*R*`aJ4;;j%4Wb^oR>%kmt=vtl^q6nq$Oy7gkA*cyVYcn$-9^!Mwau;^EXbQP
zR+iU7V70S(J-N4qk3{zYW?6l|vt@Te&ZQPV_4lpV2{c=E<)EU`(FA98CN^$rtC~*p
z^PK7=AC!-S<Yj-dMtsuJPseI@_>ra%g&bLVt5R_1Ug<sO4woVD(`Lj1wZz9K(?u$J
zV{egv8;KXbhA^g<!RboI?lI^B;P1c3H%7vzKLK@RIdxw6Ya4kEmrgG@Q82w~?}R6N
zdNl1w<&+NC+%n<WwtKoDJ2iohbtzIM##@=g&Q#WH=4?G-#*LLr(W=-N*C&G4b^`zP
zJ1Jf$6_P$pQ$ls6%uOu)u%wHA<q*0>M<>+-x>N{ax1COF(QQ~DP2}~;AGh#Iy^BM}
z`UZ3~Pd!sQ6lV7uN<_o@8=if8tv)9iDeo}bUbG<Oo4x7a-OW@NUHyePtAo0F9U!?E
zFpV*cD4i#|6{mIW%SfjHJG+oHGziyu%pHuH#E^EkATiYEOi$Z==*{6>Ba6q?<a583
zG+HDx01#Fxm9p9jylg3Qxf@U)4xg;x9dp$}%lV-|4K?J~Flt6*p@k=R%P4-?q*!4m
zwTxGHz_GehR53N;!qLGVy&$9*^hFhC^VxdcrJjz3y|ph$=v)=J@ni*XU)FRb!5Twm
zvB6WtwwOhv>oOG2c!yptA0Y5XBSq7QPvey8vqyT|x${M1CVU`Lc{`09Hn~{5uq{YZ
zlLj)w6+T;mAf2IUwt6n$h+pvXV$8LDBJ!*9t+m9+*5=O4m-Mz-&2JK(Q`>tHI=DlL
zua}QHY^KvCOGvD^hR(qU^dk9IEKbUrtlhS$rsE>nX}Q=pn&dSQ9*<&nWDpzAX{Idu
zFM)tu--Yxbl58o;E3lrL5tfa)%jeoA)y#Q0h<@cAsK1I^@CTlio-Bd}40trBrzWZ*
ziv<@&CW4#k-y&I-=W`?db}29CA>YMFY@*uS9zFMa^A7u7>w#B)^AC$6fNe~8Y`Kp7
zi<^`eu6gg(PJ(8m4ykXLt)wfvDPu&Hf+`;<EW<IiEW~9@C|#<9qG5DExx@c>p&{->
zH&ZPcE6>>#XfN%W9Y)|Vh%53dQUJ_|kaW4ZF)gF!8gG@@GeHmLAtsVCqD{<4`8u6u
zV3=J4S4alqsAJrw4TPhwH<z7eaYv^{N+0Gbl8`Ka0nbJNvuIw%HGDK~E<!M?c(}n~
zSGiw+=Ji+1b!m25CI^C6^_`)8eRwCj6@1{!`8`w!D5k2JMb;VDYuTi>JxS!Hpa&f6
zCG+m`_$Q_&*!O#8T;^O+2x32-#t+Hy3B4LwhnbTz(dHX@6t(ol@vvO~WvHKwJ;ZNu
zV1fG4k88*}unC*$Wb!T1rc^Nz_Y5J)@zW#1naTz^wAZo6p$Di=EVYV@SfI`BEL1J=
z73HYdos)Y<GeNQLH|6iR0e&6u{g%81(+jD%jZz4G_pcm_mEjg3@;7?^``bo|#&rnF
zmT?jJ%b{1nh>r%}gYZ3d!w+(!Bq>F;F)uH<ATEoc3_zU%IF2_tj>`5)RISIptt)+V
z<Dqk6EH~5<ceq?#2B<IdW;9<E--f0!qmfig$MN|3$}J^L-9f#1YLl~E-OLQ&eyRzK
zBUC$H!rZ<d^8XkQ7DpT&5THgsa$uY6(m;96=v+tW-{1#x_>&Y5)&kpopClyJ3R$eZ
zTvy<)&euC>*f#7R6<mx8YqlCQwZ56tTosH|T7XP-{6sJ5<%VQ6yeeJXFEzi)bjAdM
zO`}{Ak0&xpUY5t+7B|%dtCd&FTNX{pO@Gk|sVxEg?bm1&N|d+!`uD!x&#QK3;JLkO
zkvjwZjO!6SV(<b@zZD=vM!NCA+J4{R2V4mlDhq9JLqbhr{ex_r^sFoAmane9cl1d#
zqu&D$fIRT^pts5tnQcJq&=JP5esPL=@@qn(PV|@ta!)WLRU0%_qF)xD5|@2FwOqla
zF9?gqXy**hi;ciLdAbpfu#}k}v^%=`rP;t#I^KQuq&?>#N7ES=gzZ19ke)KN&rYsO
z?yVKC4LT^a#xDOb*uVYmfTBAXn%<gz0^K^e0BB!$a%Q-AQ9k{F^y61DX~rAU#S6>b
z!6BG)fAxtiV%tD${rYYJlJPJ%TlM!*40E%|hxaB`A|ua)c~?`<+WTJT)<=N0u@y)d
z2~@nn^wvXGPfWncGtoAeu=D8u%IU5`=tftC_K0qOe+OL<g_dq%>0C;Xbn{&LB0i)f
zH^XU#xsg@%N4ouYg&G(6ZHssjP|_$5;_HT51|hbHncuR)O5MjS{R1bzpgS9IP$R1T
zpglwt8p1VK_l>9ikO*33>Wvu=XlQw&H&qF`;PRs7@{Nrr5DOp0;ufMDs=oT1`Z3&C
zuL-IaR#Wp^dz6XOv%HN-uei+I<&!IH@e-{1pbo**9Az|`z8uWO3o|J%{`zE7SIv9A
z%FuducIh#&4B1_N(LH021oqjseF$0`!+d0M=r_qU=8q(`di33?pk{jSE}_sHsa^bv
zgbJr{Li`!F%=b)Ng?-s9jCsD5{bqGIVLU&-Jju{6aHDi?#1AVx2@ovVJpsnVTif;&
zpNOJwO`_gFp6vF80KIrmce+;~)PjLcIF&V@Z#hXo^y`V~j}SVi9OCRrnj~L6u0!uA
zWw4_}x_`xFsdz%3dORPkmXj6N0_DiFGBN1*l#1gB+I6E8Lj|JCL%1Ju)H6jkUG2op
z1Q|fw7kw{R6MZ6Ojb1Jwgb*xj{J6WR_;`glbao7>Vq+=+^{g4*bdK)tfr-rB4XJee
z;k(}$z#u!@)#`=x3Ua0pm_;N1jvTkou0$PYP+G$(fVKKKIN9Be4>_vL6Rl&TPbA{b
z;(In2fp6;Nq9f__#k;Px%5p}y9&kuB0@&j>DiI9g+(xf>#~GeoX40(}DBdgj|3{-3
z>6k3Q(NBC@lkTGEkz40pwobA-2s*IlE3r3uy&MF+B=v22$!o!9s^`=3g|AWKJ?+cy
zmrlNv>q$TeW40D99XemklT^xbnK7{HguJvu5?;(fZ5Ad!lCiB3IN&vWN!;?dx$KvV
zU0eL}Fq?RZWTb4DW+1;TfS9JYd{!;-ecs!mSoKiPwzpeeMaFgCsxsQu^xlnDT~a|0
ze76e@XS!`OMBda{KI?MSN+7!GBcoFKu`wd_T4R7M05T?UmU>Q&JIJV&zr_@>7SmWV
zF8X6qvJBuc*5GJ4XB2Csfs;BTwoN`~#Al>O>ERN$MG8%K9YMq`NBX6YVbOklvcc$y
zX07~R!vn7WbBf^q_~O4imT+2ayl_O5yn<HF%x)dZwD>KVkP(iXn3yKhX!TQPUbTUh
ztr%DF!yI;u3Sf%Vg=qsRww?N(LL=u5h75Ie`pfPnsfya8<c#Yt1UBK93-W&=iMox-
z<kT`FLptqEk55^|mOZ-RgqI&Uj0G@{157kvT=jYuh^x9|&vzVrWLMvZ$u6l;H?244
z8T(WNpN-I3U+41;q&X9@<(nLRa@okG)|B&UnD(A74`)=R+qxzLkF3=y2Zkk@*Tm7h
zOJ1LFy|(U-x(^{ARk)W66yZMVJg*sUw9LO9c;v>9KsT1Eq{vr%bw$l24epo^>*)8W
zzvdNpcrkIJC}CapD1O&^1HtzCWlO#$hdfFaO%L}Sc1CTu$5N4w!v=q|rHOWTnY^JN
zym1x!ewRNA5qe)EwyoA=F^tCmRRq?2IDtrBwc6|X@e@a95x*p`z@-uJ4%9*`c%V|C
zmsbgEb)`Rb6`w^T_NXOdhBZg|Q|YleeA)b#$hi)kcZ#Mxuimr1Oh5lIXnHQX{}iq5
zXITeMHgoqY^d+OjSUAsw`#Eg4EE>2kI|QhHRYxtYv$u(#Y{`{7&w5bHGZj6|Jl}Qb
zlvc~p`3^pFiO7a$gX}8>=6dlHr`8c4>|;lF&&beAzWy)m_H%=*b<5o*`e!^2d3}G>
zqCw*s9n#iG8+{7YH|+}eD&}d!U&k($9`wLKCkx=m<>!8rg8gVd+X}4~X$bLl@@)NW
zSZXyz+HTntH;-cm0Se#|%OLyIj0Qz-{J@cLk_)7+tgfDiw+pKF-TDug!+5THbJkSc
z=i%Y%-n_-r&7g6wsIEDJ%jDE7GK7RoWxDhds7zkVZN$mkA|!zH0M=82flG+idisw@
zY&cEjG^RO<$f8+O#n%PAAPT3wzP$QnnxtLxpKCPC5(kG~B03oH$6(d*1wYRGe&#WJ
z2H=ZE-8V;lG03aoigP>+%XW#N*Nlid-^{7Zu^iA&)Ua;?lmH?YJ_j$eTWGP>NRA&4
ze)6W%6u2Vow|qw9>Rj5#hN^I2mDps<Chv7%dVlm=p6OQXy~Tl<d^E=cl^Lj|{h*Uj
z9dS4A-7}u<i#U)ojJ;g{J_HJbB^7(iC_T5>JQ`}`Nn6OI464&-LUTfJ#@5<vIs#e`
z<6axyz1J{f&iWRlFI9A*F%%W7TgBG#T8Doe@=^4BcYB?mLRZw_BWZb(yA%D+W{%c2
zU+;$;YuwrqcH8ePK=nyE3C7wVa*q`LToik$cNPkyuZEB16wDS+eq=Rt<M7d8gEK@*
zFT<wF@8q@&2$r>?ljU~OCqCEnUBxkJX;<@APc$$35Tlh`$tG!OsQr-Uy$!z1qLAbA
zTB^l2cN4@qnZ&WrD?RSjn$wOgMa*Zl+%LCxJ~wk5DGs_+xwGaQHGQr`^=z-#yAs?x
ze&r1yOYWTT7&;b+jRDE0yC5g;-W~mv)sEz$iOQiwjhG5Y7xkEyvStb51_%8TuqP(p
zh%hR8P<a1B6vY$E{p!9ucwW(c^I4kDB8LtGqsebPQ`b)VDUoJYr(5=1^oe=(_yD=3
zw=wc~`5_66bYOJxH_Ig8(o8kcD)!qVkO&pP0{A_4hMXX3>P!CQR|5qD6L$Hv2^vM~
ztR?fWpoo03RKTFzIoPar;y_s)KuP-QXqHt3QmivCLqFDlJE3{<N#Jy1Ub65I9jbYR
zA6VzCI6tqaf|Ly8i@0Ej6n8izDhnKZ00~8y#e11%R?YkR{ifeVyoNpFu#QcE!IZA>
zsMppmcg-1-lpG?SKM#9g4oCQuXg8Ico;biqe=y~3UR-mDzgHB@IWsjbR<~Vd1dQ0~
z)LZ)?S7j%vBQtbY%vi*ziPFs7ZUj>)>jh%EgKKQcJraZc&uSCDpiZq!-f8H%%mytJ
z&YP!yq;!yMdXM6`?YXJa!A}~|{#dT{<YkWi73YF-?s9#cLS3JZ;zICghdI&u-@)p6
zA5Pq$r!axRTIyNLmX4?8R-AwiH$2}=zGuY)o5Dnv1*W{Zy8+Mfd#2g(HAlGgn^yjK
z{VAwUgSYW1z8?)Hl-q2YfL_!7!WB>P;9<;J_;3h+tEtJR4^7{=*agjyMg)dOp1sc*
zHZ5b4i)=X3n$LR$`2?LR=y^??JCQdgKSOM%;4#;C{jLFeng8S!^T4u>s9U5jO-=2<
zUgn5d?NYA|BrbBdL1wIPz9NIrM2=abw_YNq7cQoihFq9rK)vaHerVa{tZb;!AT>R1
zxo)FY?baX%X*6?dsW-O(6$J|Di=Ch<x0TZ;qEk=YN!Uaj6X1>qij!#e)H$(6#n6l5
zz(1|qU+8CcB;@a#ZI(wX{H(Rk3bLLjt)e!MxebN}ZiHPYK5=f^(Fbq8aBpMIYM;df
zKfAcvdDeeBUTgK6A(OWI?P_)8$v-U6+<_eB2gTTyOwa=1zMz#&?2I71+6MKZeT<rD
z3gnp;S!2LQRqmsZ9B%JQ5zgV5#%)noAPrp)ezAxOoQNn)2Eod*QGM<4fCZ4xm}Auf
z%)Yj9Q27Fw2U&MB8I9!4Cu9GyNUv%?LdP*OAM`0nOs*WDQMZ<EV3)=CdDAj@DEeJX
zd`E!k@mQ>q$@J#wa!V&L{{_R-t*#2W;H<=8*YouI#;rix0~5%J-OO^f9od0c+v^n%
zAn0b(ul8C0eY`nxSDWC9Ysn(snje9J`El#EXxI476CMbd3aiBq+0vjC5XL#*&Xh>P
zO4W%|;kx-w|DD%A4wV_+&#_?s5@@6tYVGws(e<33>F<)z(Y8s45XX&yPBPkK=@jJi
z$K3#amA7|hD|uQmVRAK=x))TVm(}~uz{4T<1#)!zi)Wij?hCVTz9CHH7hgRM7ouBh
z0bHnlU`1Ia?NmLKt)JIjw92|0oE<NU@37|Hke<z%hYb2fyq$%tRg&3p@62_AI6_R}
zH`IYC7N253+J#OWC%K0)WNp-@?pXAn$!OjJv#;UHQ3}Q{Bh7@&UP46-AInKycqwr^
zfwVXt5;$+A=Kl+6-2d^s@IU{+HsqJU=NG&0`ai<o{KE=E-!%L^R;LTSc(M2GA6B$9
z$NE1koaA%x{mR|<!+%)U(03hncW%+2?$^Iee>z2y-R0Sh5Qg7>KEt_JgN3^PG%%W9
z*jXCbHpVkbA%Khf45;aB3KsSA1BIOOC2&A0G)@Gqv|eeIL^4GY&*=yXc+SqUG}n$S
z7k*0^E${hZRke`&&CR`?T&%Ul1b#bIa<@3B<x&h%Iw5`2q&s`9eW}lQ`idispf|v?
z$L0PDi+~jk{m&H3*r*34d#s`OfSa~eMnRhiQ>5i&&>BB$E@GD{v@xk{v^To8vZ?lI
zE8t74jz@$d=4~d9es|E;&xw6%2URVry3cy{0saO8Ygr1>S>vMkUI(;CN|%njYOX@Z
zj;JZ?i^2D{%N+)!00F```WqJDuR$M<Yk<_D15l^L)i;fn#-UZ7<4?RA10L5NOW$6;
zbL?1ZoVi3jefuNvNX7QU+&7jrcm5XU)><vIYV(t@kW55*FkgW9AS&M`jygNl&7K3T
zt|9GsxLmtCZ>!-h_^KHxsb``&L;SaJ(f4F-GS61{+YD*v3m5*Ms4VvdZo|%{ZDoP|
zb6y|*<D&rlZSWj6`4@`4i$mhF=I4x@ZkCk|w5R!sa+bRwfwbXq>i(f6_sec2l{d8K
z(sEIjx2ZAHja!nUo4l#QuTujwI2$(ZkH@T@6S2`@un{rYmxk#<(Q&s76LLC)L?US-
zHJt|bSboIm`cQQTNlN_6#C))C8YS+Q%2PaDb<QA`rb)_I5&;8zJQZ=8r{$N4$}9Rs
zrm`IiE=sT6Y5-O^f%c^N1tXRNW&GOk2a5y<8dfcU=KkwEAhd1U((sWIlGVaAxniP`
zS#3plq<ONw-NoL3heDj;k68<iN-9NUN%7sD{mA8?KQ;pF$MSxW_5=*C910EAgo|>+
z-Ts_M7KD6^M3>c%w6Js*R6gXamK3X|ZaWZSvudxT1A-afw%bAWboj`55@i2X{mHp5
zAAB^;x|&X$V}bO>Ar$5(teSbQWS;cU<X|Dwe7l2%xof%SJa}Wu!$2kZ*6iv<%&bT}
zo}g`SzHUv0uc&$tsY{ZrI%lJxYGGisn<ynu7NUuWylgbs@lL^ZiNSKgn_BYrPH_M~
zcVg*^cC==WVhe{}{|Mz~M7t^IDTW-jzoc&<ZuAwh;Yw|`F|g6HB;tLaOEi7F_%&lC
z4pGLH1~$^pxzN14ay?=fiLO}HM)8DIA*<V|N+$Bv#lP53jQ1HeHO8LiF4vmhDHPq9
z*=6rjctB$Y*~}&<$t2f;uiG6vxWsq{P8wn4Mq(LuYOj`Q7bq0^dV<4zx!ZbpV`;-S
z_<7ntXrXf%IYu>0(e!mjt>Z9D`3|A|nqx#y!IGO|eF|Ya2VR}+%|K54B1(MGd}zOb
z>V-LNDt3+@?-MQFOp)iTMjDT4l049JR<AlfC-MN8&JwQif{5WC_G1l29e6LNJ6~L6
zY!g_boI~v2)Rm~@GQe`Dd3KUdH*yuwjO<(Zp*l%sM8)RLHH^p<PHuTtA03PuC@+gX
zO@U{aw82o<927NMe8V%ynbhM5#Pv!y6{MrGj4RnzTMITGZ5IvV{2FyQs1Y%)A1k9Y
zYHRvX0mYNBy0Hf3xpKs>)PY#tCc@`VRV9q^J`wzk(mcHj_z+BfTpQQXAh{U0QK8al
zQcHH;+EBu8jpwvWL=xR-4zR&X$=(=v=dc>G!D?(FpFbTjX1Y0ruH~U?SX(Iw6<gn4
zX5yLC$~c<KFq~qdp1Ky~p%SZSwTQ%81b7t&Z~_BJ(h}w61a?;<xoTY~rZ98?87~K@
z&xYxpL$<9n%WNKk3p46Jzfu1Ojo|;GyZ&2or;h)R!CZsK>y^KiZhOn>aC~_ah)njL
z8E9XixZ)<<w{;k|+FRD|sroXmV%3E1=mCYNc;ngo?!rT@-%E))RR@=ql`g&o-CFvr
zg~!8{h;nn9`3fJ_qDG3&;SW}XZI;A?Ugzi+qFzEzUlAj=hdk}mh}-`6Q0Ji(oC!P3
zk*(Jj)AUt9cJsZxXDtvv&SVhfYt6oYIJeIY-l1MgxR+JeO)X(-x(zV!V{CbuBxUGt
zw#BdJRrn0Bv7OFCeZN$7lf5IpFkYFy`rd_|ec~KkIO500w<Vqq&@Q1RGUK>W!j2sG
z>ePK}{N4cWrK#S(qVxP+LH)dBzERBqeP0K@$-;vf$?V_-0Vn6c%x{5X2I&KW62?s7
zMYy**W|NeB!eL-L0jQA$^aXj2hb;L$XGl4mj@3}E3XsSgQ(XM;huqOR_UtGcWtS}N
zB<(lTnZrQgsIK;AT#DGaZG*u0PFtJLbjn#WxAo;SL#TTFeEYE9Be#$M^@YCAY-~%3
znw2b7q~i#YQ5h`<Lh2vtuH@(f&p}a{F^;#+nY563*$1L3^X^6W0dk*dmhXNxf9t2T
zWau~E+xBI7x-zl)ov+-@Hx4(7AWwALa8cP&Q8|^->ZI&bt-O+?x0hu^k~|kqgtQ$^
znFK|Kq9858LcU*LsIf@iFWVM#^u-pBvx^t15mGNUiPw?KG>JDjF;H5>%BOYW0V?N)
zUqylxVXt(XUHNAofY@^Ft+bqod~xm4`WX6M`#9}>F#@pdB*Ezj@65R6+7O%d)>vb4
zj=@V^C$=g8{276|U`!c7MhzF|xRw6>dx{C#`my&KiaZtSL`gO;O+e0Ig@7E1GzjNr
z0jg>{em==&Ey)5C-^IP;57H9&#lmsuFDTjr@0O%aNZ~`4S0U2OOwEX7XS!q&SXi-k
z&^RUN%ufW#Pcuw=ZK@!@pidF~Z6Y6dU1W4y78G|I9`*IY@3Hn1Yx-Z{>1qet!ysLi
zWNf`~ml@*tm~cn#H0~#9ix~w;J(X?)HTWq~t}BoDCEZm%*6H>YbS_qq_m-jm(y_47
zu}#+fhD3*Wm!a7vjtM)&Km1Y|KjYj*)N0A64eLqc9<_4AFtI6W#ulc$EWC@bR^ne<
zWDI8|@MVvH01oVCA{*$cH)6`bVqT(Zn;KgX*uiP$3LG8CuQnFr=;ulZ7CqLz`_+l}
zjQH-D^FSR>`+5-2`S1~(q7}<{&7o#%>EI4Uy8OkXmcwzKr}a1^O884>-g$=lCR%#_
z8)<5)wyF&nQ#^(S0Y7FfjvH=$naz~hi_IjNnTJ)P#Q&!YBcdi`3O7>%=)#juUcFva
z?9<Ya%HxC~&34(iYYsn=`@Dg7Uh3?r=_0-yt*@kjm(12k!DSZrz~pv4_7^2}C3^>s
zN(X-@f4{@5A%AW+|HHZp5&nnO8u;Z;UyXO8#;@CdST}$FhCEz<=P<+Nhx^ew;QJw8
fXy1$RgUC;9Bd<Av2Y$n@!vEU;!^-^f5A#0&g_=RP

diff --git a/example/system/amp/openamp/driver_core/fig/20230512200435.png b/example/system/amp/openamp/driver_core/fig/20230512200435.png
deleted file mode 100644
index c61f70c440846f6910a7c0eefbe1a1385dbecc8f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 215850
zcmeEtRZtzl_vXceySux)2X}XO=R$Cogy8ND!QI^x+}$MvF76k1mf!By|K(r%v@iRx
zJylcHXXbp<)zfqOJ2D@uAO8So^3rnB00;;G0OIoid~5(DK70Rn?LQ#@cL<-_AHM<U
zUm%+x&7dGC0FdYqQ0NdJg8<^sK|=j6Y{36+uy9{s;Gv-)|8rRc4FCxV1@U=;gn)p7
zgM>tchJk{GfP@2l!NSDGz(L1_C#T}`#HXO7*3M{WU%{i{;1*Nkk&yE6Zf^V3C;Xg<
zPyNq{_^<Zag@%EJ`wuw!=c54-(4W|lFpv;P05}LpC}<b}ItC^z7C8krB|97yhnN};
zr#P2{x`w8ixl3}&+&s0bn|otZ;>S7w=|2NQhe8L40v<r1{NWEk)U*hd*fnZrVK;{v
za(v^ZxnouJgVubS017CubQ!C(V!rNVIiM%KM#fmRfy3pVs~Wj>T~_l(r6=VOq%-gw
zFB~-Qi#qfHNXCLLk1Y)+SP57t>}=?IKesT@G2*bo5>0-9=h=j1me^`6O{xmQB0T(>
zLgF+BM;(22lg)J62SC3$sMe+ZzCY0+Pg%l;Yi+w(@+3TOqO%oJP>(@WT<+cAhWCrk
zM<(B_4{80KpJ$rMBtcX8Y6Z04*k#sMc+8_-W2k|>#$QI_rQ?WGDX>rXpt4@ZT5#L`
zcaqNh>}V<&r#IKuAwDCR182jLHkv^1q1D%Ej?*}ZM_Qsx9r}-x3>R@@^Gu<KW`KB^
zn(jC~TzqmC{Ow6h=6rG#TE?*nbxvk%n(*&gIz)Ugu+N*7Zx<p$DkP)hpbp|AQwCvi
z+6C%0Y|3+#4R34<&%mbdWE#byhoA1^xJQ9x%LgE_&cUXDd~>jW<W<-FThUz%oM|B}
z0TR5Zv)1F()p`Q2w1V+o+kM-(3sE9MLXQ8>C&=E`-MP(bSIzPSs~F-WjjL{)b;~NA
zjh{rbwegP3n_~|jfd1w9URI%Q`jfKlPW6Kx+Tzfuv=H0c*@N1}<A1J<OzHA`(G^TA
z%bqdje^=#d&V2;#B1vtPe|@L+HwzmK>iq!V<@QC_=LVc43paa2JlXAb)hv=%z|GVM
z#eTo2R61cOt6%%FWy)%)xlDCw$iwUNLj;F4Gj0PM61tJy$jy)Zb4FXcyQD1P+~4Xk
zsEKKEAK!_JKkwWoDylhvi;hOhfw*Uti2|x-8LPPwClodyOmjJjC6=_^6~5HPmq+rw
zU4dIgPbJfz^6{llwg>#TNQSwku}ZgWTSK3oIA|YR3OlaCnWaD9mZw_e3EtbZr6=G`
zFCt8-BsW4)Tv+bg5d<L)5{?YtBR3eaNb`GZP@(W}<b&cj(!0F)RS_wz^TNQ~KjR{E
zV|~k%z3o7e_;bved#{(VN$715?&_<)1B%1=_A)SCIWe%UqVrava(u`!&0{>$-M8Pj
zMD+fqSU#<Fc+1xetC6d|$7v^V*=^t4Y)%S^3=&{2!+H3Hr6ntY{u%oN@TT1I)gm&s
z{R5z-q42Ux@DHR3^X5Y}$bx%YDGSfK7G*d-aTGY1V=JeAT-#bJK6S9Lt^F&HO<#MB
zzDJ1h(pI*Rp&XL2XyfEEh;}@l0G;vXkOAPhZ|(FK-YjoLHUbbhBt=9jEFO=E+f=QO
z`AeOCC$;Zv_c8PX@XP4~@Dlv=If|_y(f=-T5*03ZcnCW0{JbkW=;f~KDEz(D<c;eC
z0A42g05nDK;=X_H`T$%&?df~~Jl>=qOd?It_>wv`Djv5k20JJGAgiyv-xXeeYP{+9
zG|DXFKG3`H%5iE-=wRtg3bpuNApJxvo|ks?8;B^q(^(o3KSb<gx}7pqfIV@*p{dm?
zqeCL%PW1Do9*!{==NXguCu>czMedrI5%Zb_S07|z(sCaTa(fX`QRayL?Wz;cc<+5M
z{V*TcSHaH|-@r{!8n@;U>OP?%uGHezLl{rrZsRdJlT#xhhn4dzxkk<7(J&(hCl!R>
zR1>p?Q!H5zxjoOil9M_Uy^Tmzf9{$)eo<NR`hyOUWTR{>J|V`Ujrj*5+T{$kyAcBt
z^PEyt`4gbQ@}7eyfe0T5HYS4NuRtHDY|s%bn6BCI8g!hRO%2f?TPt+bm-GQ3|H9Bd
zqk$7ZpRLP27mnvH_{%qGb?J;zj#wQsnubr;5q4dv8_(aiYV_BMt2Cze(*}3WbbEl7
z&V{sye4BuUr9<cUn*P<n`Us<#L$kA?_n&8{vi+g~(R2@lY;Z41zjaj|d81M3j+m>O
zjMcQmO@-eL;;lA#Iw$yDxpUfZ14F1|{=`<zv?wm3bwCQk;Jch=)KLjHQ;zmtf~A<Q
zi9)x@cRQ4sfVq!{TOtlCO@X9IGci?`V`XuWe0+vE9zOp1C{tNgW9E1}EC!YHbhw-%
z{zF6S&&9#`&8#*_=CK6w`(W0v@YxAbPqkG72a8O0D~lag%C_a=Aj2L1_doa?p`AEd
zefK|KE9*6KzSC~brF5?2uJBS|rcZsz8YDYH{W3b949tq8>-b?`6EreSA%p(`&{ugJ
z_!5cNARE>COEj01VaDE}&4}HLd!E-%G4op_Hj0`R_gVy|u0n##FG2*5gbpgyMPq|e
zl%fq*uNTDe0R!Nx{S^yWp<2nImS~;+TKD(*q+YGsi=oh*HRALl2Pi^v!6dx#ek?Kz
z6r<>nmdB|V(%3|Q|M&IAp#Djmpw(OrQP+&^qWQw3{5qi0`y}ca4*p}Gq<7yM*$d<t
zJ!!Ja;hjs(r%Bum9w0Uh;=D%fdW9P$=(h6mSL*I)-X2l-E>R7}NI5Qw4^+^Ab}$|D
z84>An#K7AA`GeEbM+sYjE=aMj9E)DZuA<=U;h4UIy1&e~qd{-bOW!~s<y1%2M#~6j
z(xe+>K;i3;F1@F^>x%Kx>`kEUiCWU`_^kd~L<?ZVCAC{jn@Nw%mUp;oh~@b>?gK#c
z2n1WdZWn7+cN<UXHQyj2jK6H31~G`p8CB9M?tIaP_?9<q)SqQJ5=P$850+aR+OME=
z=}TWF`ct;8fDTUbe9apf&A}W}TQ*)hPGe%;H^dF}G2F(U&=({uAk`W_Zr#7!YeM*`
z*@zpd{g2&i+jZE5q#?SxwqufcQ&r}aFN5pQz4el9hm@_Y+gU<QEH@2-V&ctwGpb@X
zBB|Gp3CVt34huXiFIVGbV1ch)RRuZ+?e`5LZ7v6NxAxkJaCLLxYHPKTPB<x>j>QIK
zwkwPHor`|Ed;2Srmg$y>3We0NG3K(024l01p{?JfDKIhydN&2cV39L!3k&(l^)phm
zMzwt(--_OW8+><`roWD}00Pa0myC<F^n*s@6U|v!<~$mzDhmcExK9Np2>xX7{9FzS
zal~u{%gvfR#unbWr|;4Z6NL1ptDI?;#t_Xqa0@oBEE@M+|L7%dK^|>`$0;{bbJ@ON
z+HD@OmsIjs9cgHcJUdI;6P9GESc&h>*Yd5?t!pp4wI4#vhoGt4(y7V$095KZr$M&~
zEG%gwbP=nIfO5`|LyhO$X%kzg4_@?RLzAG|4<}{2!S8$_Ru*PWo`O^l3eh(V7=!B}
z%-b<gCMe;AG0V_(Qo2Vm=j2lm%d}G&X<Cz)y@QVrvo5g4?Pk?$WBwp7M&TTkS~>P*
zYdd8P<6g%2G|G`{pHoH`KXPL=p9;6K*ga6mqxD2p)Ob5}7lr+*yHXL<YB7yGLyC5U
z)C;1T{9D+2vWUSRc!pJ{<K~3BL1LBeb3yFTjwr_~x}Us^<*l4Wu|BL9&^vq@xL$cY
zJSc4@X~r*lO00ECX-qpfc)OO~>rwFGc3l5{(sd2tG))IxY3yRZSHhIN;hbyM^$GHc
z*1DsNT{E=Vquy0d>OIA)z1L^o{WH50HEmRB=v&uSwfX==d;oYsE4nUuTx~HGEtPtv
z4I;}k9*rA~QegwYdU+&gJq+8b+rMizO*7==5+dZ52mC`UqsH0X&P3q~%^8_Dw`tGk
znlQXwBhS$`B%ZFs!1w0bqL(iS)@BOfZwNj%#<VBPlN5CmNZC$a^Dhe^z0qVtFA?Fc
zeOFK*BZ`9w^+U<kJCFYx%I5QKpbU~Bl_xQwhNOp%M>C3YF=)t`q2_+8wL)14_<M%U
z;jg;z6LP5~)r`N5bnAE!JzLZ5o6~QGH91M!^83txe@m{KKFwlDzHg(Oa_JxO1Ma2d
zNQ3ijiX8qVKki5^OQf(m<u2&M1I~?DCJ<cas=P?jNjGQgB*YBf2jD9Issku+?A7(H
z_ih?nU7pAsw(Z{Ol#&s)EUwjxN=v5F%RrLF!%;ys<qHiwaWN`yrUdutG+u=HEmW;r
z-JN<Wv*-h9;cJ?JRLH$(-CG&>J=<N(`8i+XlH~&++W1C#+B>p7vhZT!e3kkr(!9N5
zvVZi#%hz<{K-3slJ4!cqW=IL?_?@65IChEfRxieU;TAmuB9RR)n$Jdp=m$E9dA8$j
zoJPXaeBY?Miyys7-5~0-TYPKeG~tu>RKfPSode;-N(qNN#I)mI?zsydo!o}?%$uxH
zuDxU!CA=wF;fV@ugpz(buqPd2+dp#ROq1z|cW!??7;bRMO6>jnw;%!i(23`vvbOsJ
z9{i>CeL8^(Ig5ga?83Bb-7H9Rt<#^*O}5#n?T%mJfV=C;wSm<Bf*J~q+X8SS7k3l$
z+Jk_;0q092y=)!drgSI(gH-p!9`L{iKdE0$Te>9wWbN%nGTe;4I$N$ZUIDD+h-FYi
zoyQO3=BK-~8Ed}NO|L`bL>N`1YeMD^GOBs_<|xhVOXetz>ypMC4TKM4yPNH4B3hmp
zu6dKm*z`%a>shKXU4zi%xOcy>V;0aFF6V(Q;&yBu^EpOvgmzrT9va7iR?pKlrJ~m!
zgYbSOvN{kQ+^#4M<#~I0_0!^;tQ&Pfj@w*qW2>K;I#rmyENM~*<*36<M#Xw|cc_i8
zBZ$c{q=v`Is5UQm^w0jI_X9ipZ3Y`4WpuhrMJn@iO*c)iH^)7ES7y))Z15)><TZ-M
ziZwgS$(zOX1T#C_%AsbHFgo9&IxU)<eDfs9Y8A(wMCtU8h^P`7Z+3){;;SZQ?yKTs
zFzqK#)O5OipS~jQq)vt6(7iKmkKB?J?#yP8q!7|kzpO)(Pl{xrfGJ5dC@m&QbZiwT
z`)dauCMwRCkF$~#cnC~)K|631m@B4DxT=3#JhbmSv%%E8$2oOg+S_oFzDBJUphsff
zqoj<CQOU7eECq*h|J5_wXH{9AO`Du3#rmY%W=_;l#p~5+;_3ekGbZr19C?^mhONK6
zOOCRXodU8Iz89>A)#Y>S?a?>+x<Y}7UJc@x#>K8CGV{3yH$u`HLW__EIz)Jd_eWh_
z!^_B&NQV?c2ya0v*fYGCGC9Q}>tVl=_ziD|3XF#|S?jImk59gfum~ZiOUOC3w{C$+
z|AkT*)Yg?7af;buH{&oOqIJcOrcv54mqf#)KF_K~u9R2;D+&M(_2cAFqK`<L6XXPD
z5s&NiAAp^<fAf27VLB|#o8`#16xu34)kZIr`Tj}oHVYapg)Nlk+BYZ3c?XF<qvGv!
ze}}!N3O2nUs}~-pT1U4*;)glPYh%vK{TIlW7)Zdv4*-R#jQL!n(W0G}xw!OCU0n1+
zwyM<G14GABR)=83lnC;-O!QM+J+L(TF-}zJ0yrvJdT$}CtO=YSf9j)0p-WdM-MF%$
zujAm;9Q`c{7eb7w5=?;>*jyIJ^W(y}=}$#l)&~Gf#|#go)Bj3+M=hH0d!2mjSZFw9
z_cX2ZU)!Gd{yQp)5$7It{|SBDg<kKjtB}Tgm@P=ey`ab|nvS9J2d9Y@HoWadi<4rP
zvErb2;}p4L&15g`t5c`Pd%B^|NEb4-mQ(bkK7?}HgK|e$Ro1G3yKWZ8Qj2K2K6W#H
zxt#j0uyivQ9zIlxe_TiW*{`Y8MG<U&n!V-)XB-i`#SD6gR2Rd39l!8V&sr*q84E34
zC<>Mt6GAt3{0rEW2-v?GUW9V>UrN&-C9@50rmcWA#!dk!rvWCee(tpzj0<0~(xdFT
z8Z=^BF>y5EnbYPc%yi9XGHJedg_ZWZQ_m0z2QzWYTjVn)=sLdYW!cvQQM{!Vl9g#9
zmlV%-+@Y%GSMe6K5~O$rQF6#5?42wZPQ}qIm5sr%M2!x!ZS2>7Id`&Khz*-=5(3TF
z7PKRQ>l03H9(+5RGYwb5D#V7pY;lo$!Qkl-E=y`ACffayEV*6Dbz`@L^PLcmg~l;m
zhPRZ4Gpwd0TM5oI$8f#J<g48=;WeID#BQC76swbsTrt0`&I_igMUmOf0vi)@-cc`Z
zjh{e)Wxz-Sj%u-?w<W?gx4KNeO!(vel_y@l`P{%uE`F@?zD$`xik{$#E>q>OFAMB)
zm9>3<%$`vRtbG`oX+Or8UviXzQ1<>0a5z!Lzg6J7;93p6?;o7JlGsjCbrp@83A+l-
z=qer6WjpJ%KSu8I)hoQyikeqxaYbEr!Y3S#0A6NqYI0IBFcP{KR5e(W*gYDJK7Za1
z2B_pTHT4)ivO$m$<co1I{)?r-xVWneBh!Fd8i;<~fz%yoI;eu$1<BR$ofOe|Omwgt
zK3_^Y12h)x@!+)QqfBRA5te8Ds%+%LCU}<5*e9Y46}!*v;yE``+iPJ17E<Gg1&?t|
zt?BgB#p+jSm66NJ{j0jC3k^Ue>Lkdb$$L@-Ma62`H<fAm1$_@fuEEKsr4%zc)9Mnh
ztn?E!2sP>O#JH;x-*2EOGl~S}B1~qpZuVDXva<?Q&*RMxus4np?J*|VN2mCIeawlE
z7U{U-dJ|aI@+!L}Ae-_$CvGLgj+4q2tHH@ArS@?8ZYae$JbzMR=!(>$%7HJsA@DWy
z5A?uM`0%u!O`)6C;4Nn)a1l87-SkLFCB+qWtu^YaY6Cwsd~M-W);dh(yc}KU3A;^%
zAK%?;49!MR6lpv;D1-mda$Rn<@Y%1oHfo%pJTw<Mr8ZSmsm_A2jPGbQCb6|Y*t3I4
zcnboZFWT}ty>!>pL}e<r=^DH+7VGucCX)U~S$!;@<}HZq@%|l=&_!!69&hs!|4*Jx
ze4vz&>&ZseSXn|CbH}1Kt)R5KAz0>xA~{oe;+V*34b|_bybzZY-o??_<#a1Jr~B7P
zbw>U!>VWm6lh&BGjgy*pNvWP0L&QY)Jv|djV%O>;CRZ&{*&d>NGP*8FMONQFb%xRk
z306bLoTEA_7dRu3_Z1HtR~qOD67GzcNyjyUolvd!avGkWV)w!eS<ewrvh5>tqBEGV
zV*;nq$JlHqBeiZ?6NE(UB^!m>K7!3U2Nnr*J3R-Co{80KWYD*iYqeaEeXBIw1Hz!M
zb@tlYzMVN>;!K6MTRQ}EaEm(~r#VHNjB3tGegIIoRoe<#OzaAm%=!-VL?c+7M}~?D
zDsM$hPk8RK3FP0?b;uOM0>W`0meTqHlHIuJX3qPEmA}VMElmeSMat0_`q359a<tBF
zmZ8kQIzB<{ka!yyJBV_5pY;*H#Q4x%dF=5M>xKDeYCVw%e3Ana^k}lO6S|0ID}KsN
zgMP=})XimtIeL%L?`zJ^c)i~aOc39BjRZab3bjI@t+1rZHmL(<K$*cync;xelp}K|
zlM=rDdj2Le!aC9-RfP*lkv;(u()V!@8N-o#RqL@66GRb=YXQB7Dq5}+M=TZ#BR#&<
z-mPo;flS&a-Bj(bqxQF_^~!-3!tL|ZY(BX^i;h{U2KY9A6Fr~ixiJFmZ`_W&3{GB>
zH%eSHjWZ+{yEW8GqH?V2Ga7%%Iku)5APnI6k8vSya`Rvouz0VXL6}u)Y@g<wzG;>y
zsJx9F^-;$qn!d%KegN!VgG#s14BpEYUncry&iZ7YFB|R~Zr@inUa137Yj^_%1Fcx2
zZP8aoNfWYNFH>9v$qWDT9P;YK1C3+1zovrdGvoZ9%kmgtZIO<-Vy+VM^TKTDHBLCR
zWh<!JtYrXXmR~)n``X_kxq~S7v!^ryMP5nevcKF<!(5}}O~Ktle#^c5cIry9!z$M)
zAyKP~eG$KBPy&W3T5}7l%FWB0thcrL>rQHc9!vG(7##9%h&r@FEhoO2&qC8}G9igL
zsP(}u!g{8fRA9Xu9+cl6-uxKR&RJxK_*)>dI7<OVK3>l=+Vajhe*Jd&enfx6HKy!#
zoY=#-uW*1bS@1CTOI}POSpR(|&>(~nIDoaMzi*ig%k>yL$$?!v@U8Ii*g|+JX~OaN
zswc?4+r^>bB}8tH!fFG2KhH6Tft}gR$;AB`#n6RY%l2YgoJvAs4mmFyR0Zp#e(uZI
zH|DGrsU2at9i9tA*y)fthodgj_dlGIS5oTWNaL<k6(2R&1N1TMvc*?oCK$wR*C#;;
z<r5MK_zX{u?__#ff57KZ6CGn@CZp2E+65B#RR?WfLHQ{9Zl%C-p|*~N{2wYDZs<HH
zEgL8)d&q*WaW)>>HMYcgYhAEpm{6UsFJJq-RZ=4G)YteIuGpf$Bg2<J82gWY8v5Wm
z{9->aqqe{9u{rOVEpyaZJ0xSMlHcS;Iktyc<dHU?&i$4^TBS=k(s(ejoEkH7PT)0g
z9wS9y`>a?nhGBV9WCkNmd=Mo?e4@OKKlfGXhs#ax%Vmw5F73Rx`*emI?dpPK*=@=8
zu#h{Jk!4_$3&w)=$?=KSb+!)uz;e}H3l?UShXy{k^6%@H`}?qdm$<z5Cy<%30uSWx
z=oKlnPH??z5Qu6gAWM63-+B023apbf*v;WEnNRgj&k=du$(n7PT{jGXnt&KE)_7t@
z?s3y$fwc>W`-^!S60G#s4b0$n2po}>L|ykR9n_woE&(zPVY@!z3|GI4`V-dbT%b4!
z5$+L7l@LYY)E>w9saUx=ZaK@>OX*b#Y6^ccrUK63XuD*J448|<2Gq``ur(50OR~w9
zqdr&>S|bXNj!o2#S!=~<>gQ<R3*lxtLotD?HIyx;y9=--U?{2IDM2Ap5kCTnjNL-&
zcOE&^u|wTsQ8iZC5^>osw_UE_!PK6|XrOTTgbk;$pS#MpL2Y)aBj*-BPT?gdwCe$Z
z-~}faSd``*8w%$};j>=BzC)fWgZzy;Dw{MpB2f$KWBrzU1P$X!Wf*P+uJ-H22_n8K
z2cY|4q^u2Sw_bg_*|PGBsXvv%6aBTs8eCLSk`8!(m!@R1hU9O6K_HAjbIFSSTCN&v
zR&cq$LNldTU!o<Ei-rPT)e;k?aYH1E<JM0QlRC8Mfm=ozTf%8`lU>Xq!r>4KjtRtx
z5&s7O!v^Lc__7=#s&Xc=kA_N_Y%yF04kZRpVa1xdfMFTAfyG*{+?St<!$OhF#MX%G
z&hu%8;f-FE{`^~K0(YEPJ!@JYuysBQddI2h1b#rMq`R&&O00LVONJzd9d&Oy>6~PK
z2<KTX`kkpvXTq143jypr%<2_}n`px6W8IvTaHc=f`U^#kCC!hAFb2N>Rya>73es;7
zkHZT?(kB}iCtR@VRWi^Zy$rXuZ!kaPHJ%hB;Q-$~XbEQtJPsCQ&X#m#IKx!75n+E#
zpG~t}@ATZ8YgIith!F%`#rUy|i6p6EXOS8t>L^b!7RfoXv6=P`$hSK#r}#e)5UK2J
z1I|1Ge*l5{ev0zCw0g3~W6v@Zm3Ly<80o(~A|2wq5BIVOjY}49_&~|IK>Hm_y$mR$
z<+O(4Z!_N8e=g%Zhlx45z7=q|stC4==@5Vw&P`|&mTJ^xBOSCYzNEH!wJEpss3kV7
zR6|MGdm%YWPbbO3cjD9wYtTX-xrVN64Xh;V_}1wwXxC18l(>mIq~0PjVi4AbN2})-
z@VW=IL?CC?QOs-INI--$@F+oUFANpnJTR24)1_uGqHd^W)M?=DtVsR3dGLSpU7C|=
z+y6O7d>a@q$oYj57?m1U20_(0#uX~A#wn}p_S^m`VS5-w?di25J*>ISu8fm7C-4n<
z^g=N+PWr&pZmfuf-+DtyoG5GqdF}CBlyWa9cC9RNMe(Qti(MK#=VgySWwN*cqqVZ8
zu2m&o4pUCS37I6h*pGMeaOJS`N!zmR8`K0)09c{FzS0qI@0rD9@wyLcjxI3a8aI{F
zn(uV{VL{a^Au^(+l~bbo3d+f_6-fur?1maAuUIR9x7#G<`D>`6{g-g_$pk#JBO(^>
zA=Uqm@}MTYkh>`n=lWk6#v1z1Z*uL*^Q6}7XE;xt*r*;B+^*-e6zV2r6m04^mgmA@
zNh;?}sQbbsb&pWY<XW)V5;EalLS@Qq&hk*{#vtewu@KbEKmvh;O~lSUkREL{*XK`o
z=je+xGR75JAdIo^yg2PfHK({pjq8h3MHtG>Lj^9w7+2;RSe)`wr0gs2l=d@I7LNy8
zSGYS*{H81EfplA3Z6o}hrj8FA1wa(-e7bzNm>#Nb&p<-y9=Q@9RD_+)7}uJA#_XI}
z<A%*@!Po0m^-Bo#b_(&=t<EqurGHMF^ZCG~?2k|H)9<kJ9fA&Tq<ht29Pki@pbD?T
zUzosXNO8rid{m@Uj2VPX>NL?q<h@LT5gdp`|MOlvxt_#%5e$FwefJUGDkancGX_Jb
z>Sw6G@8a^B`&{M}p@mWnM*eKDV=?h)Msc>j`v3=);a2k=cj!#if-lQ~sTA%Xfc&%f
z67{=$8}K`6!!7hrlbOdLs=ny!ch<4T4**mCz*7+ESl{Ej-r<JMnqDE3K=cy!N+S?f
z%KEvDxkaSmlqDO36AP-h8spng{1e=^T0T>r&{(89<@<sA_VRh42`XwGD)QuwK#PP(
zgiF``@w<dy2MgzM-{!&(0>?ZBaV~94XSCW9nVROS1Id~EvvHsqwO_ba&`Ih|@gJ3o
zf|n^FLsXKjlfEoeVXarP$KmPH@v;1vfGb!r1)Ku)=qKuLX`}D(^*rkYnNc&TNOalo
z8KZwq_NEUSop<R8c8MnH=Mten+wkuktL;xZ6&?9bN40&eCWB!eeO5<UFDU}Fecg4Z
zT8p}Ya;GyTf2;5WtLGNm0=WGVCb^Rw>v@mQd-=lgSK`B+SF9t(X!b4U`_+B5)aBs>
z#hB##b?%ODjm~(g$^Sf}GUchHkH~LzU}pBMETE&}@&^&NE_?T6XUugvF)XJ$UB+SG
z8fsctaeF!JA1`&+RT!o93t191)BdD`e%q9YRfxjX#Z){EUA>8KJE#zPP1f1tp6^3A
zpbVs?<sKAX*rQZ|^XD8>QW&}N<u|HezA=_bn0nRb%wK^Rw%YC#iXF>izFRt^25&0q
zmG-r22uIM1kyUHSO-rIjUMgQ+6ss@%kqZ=kCFIu8aI@GEJ_+keNa--jse<!4Q85+h
zpV94u(Qj4Zc_I(M-b#ay*2O;|&*Q+&+p?tz#3=hqSFH~>AR5k_mc{_iQD~Y4dVEh}
zx6|o-=$%OOR<c|QQ|rJR4+>~o8H4#*sUQ7V<ncllZK#Np9@@9_+V=bbh#Afu`1_5p
zCoRT<tOfChL>4b6P}{Vn9J!_5*)*tSq0~e5f;R6R!jN+SF!)xH&9T)SzMuB=!)5TX
zwLAGi(6K8boYQPMmRu-2G<>*BQ0oI=!Iw2s-)0b4N3-F|n-E|&Cu`<Rj!&d$?hlf0
zH`aKSHP#8AnOKnGtJ_I^G8Sty)sNGQXIUqE1TV~tF|y$Ez3FbBkch0uodJ8_4VBCp
zEMqvQY@PN?ComQwy?<(3i3z|&Yjlz45-M)JeDN((JO@5vU$v$iIaqs0_S!=hfLUf^
z|GrBlxC|*Vnb&F7EBOvn@i%#5#x%&HeE>42&2{@FYUig)IWx3gtsZY_p?lq5%81NM
zw{(tp<hkr1o^Y@2_1Aq&`~JwuOGUQ6dD@L4({AH!IDEVM;?|D|8T|d*hSXz^W3StI
zpS&i5pCL;zvPFU;;(px*u(|X*pF#EWk8d;d&Wsm@3C;~Hb0bAa5>K4PT{6uLQoX6U
zP$3di^u!othK))8vX{~}%wl>Yd-{q>5E$wAk}=XofxL}lzDyLD?J5zW*Al=+Yi*^n
z#i!P6oa<-NK}0wIWV1bH67*i&Yb1Y{sqrRzlO!FR;qzgKQYG|pTnB0YWks1MoIm+o
zr$x%u&)g%7hF9@VV*FBmj@h=JNf;Dvt_=Ssi)t(wkx*AT)Q)AOW2sq9Z=UO}W+G>t
zj}3EUVTij5<}~Kd#rf5)3HOaqngi?)tI9102+ne&D+IK!d+qr>f9v_MwPH`ErWZuG
zF(sZ_Tm^-E0C0Tci4TpCKL9+9KMuBaAvVw!y|$BFnD7e0t@DyNVfRo7%gCa`>}7`x
zcAW38=Y209fMKqEOwehbZR=tH{UvMNHc+2hr^B9a?#mM}urkgw6w$c)di_#P(UcI)
zZ^TKLm*;g9l-oj;6hwx`qK!23{YEgJ>{rQQnnI2BQE6p`tNvKT5s+Td{0p<qGBEEV
zNUR%avyii!KS~Qk_S0X6g_kI2s&rNd+|$P&PoCsI#ot%y-7B-9@4DJzKH_z7YZBgX
z<O93U<2drWRZ-A~&}NqVBKDS8u@!j<@(aG`ue`oZ7(^b%EzYo#%wTI)_j#~hnx1tv
zTH(qjPSk%d4tV|VqPO<fhn|<0zWc49x2e9j=dL-_H^shZyAJ@U`jZ9P;106BL3w=u
zHsMC=-cO(Yo8-mi>2Q1N1JL^EY+e9A0GA8@AK?G}IXE9V%n$N<->CZlbhLc{`cx!E
z?>IgH$7LUYxcb8vzP^2g&o9W}HTVOtr=xQZy2tr^@oJReS0@R2ZvAvWHUq_z<ftZ!
zp<;wc$)6{iRD|ZwtG^8(`JR80%GOSq(k|!T)fN0{u6`EK5D;O#yZY|k$XqsJ$-$^y
zYL)@GRBC=TnobQ-1#=#O?o*4W@&#dt#n#5uat?vYO@$`Q+Q9m<%}3G`zVXj^g=uLP
zF%4d@cozSc+!r5qu<;>y(ejwj=Eg&Xzg&d}aZlZT8n=T)O6T5GFx6!2OjKB3#J5Xh
zrGxX<k?E*2T+l;beN~c~iNUF*RCc*rXif(*GsJXl5&(=b{r2@s`wvRC5JfCqv%jw7
z@j=%&OXb~n$Q?HiKgOcI$}9S(YR+;sic!bp23OY3p)FW`0M-ojKnPWkQ$(a4X02p6
zN_{`OMrzGW{{(PfGnJ#sO*FM9N@^kQP48Y^eMJ=QG$wn&9Cxs-zt$hEJKySw+!aEs
zdT?e%LoZR?OTe1`-sR2ffIFi_bXdcBgmjMG#L)WJ&!hAtB^#OKCaTrsOW_!V+e-d#
zBbEiXY7Ti2V^$Quf+O{)APmw9doX248j^CAXVlb~B<cwcm3Fb@q$x<Srp*{E2F=3Z
zF-i74sUHDF@4G2IStgbnu)P$OZ{f7~YOJ(UywSY&C$=6tgVw_E*jX~1_^5W|3ptVm
zz|ZT<&)hRrlSA~|q$Vs<>|W29dK~ru0MU~HHU11P60Y_#&*!AGtt`(M+51>C4p?HW
z(6pK`;?_o2sJ)-TLoM0A_@M5kUS)?HW*q$14J-4=AJ_kxm18e}m1<6O=po>?9$^Ri
zlBdzE-9#NV?{F4bM_P^n?yNL``j<p&d#Jg$`f5onbWxJQwS&P;GF1()49c>LB}DoC
z#Rt_Fd!drr*5qOoZifZ*o!l(HpKtWk?=f<2^p=smNX>MS1n4)a*M1Ag4mObKI$s;r
z-Xu0IAkQK<Z@S&%)$oK9QN1;#^&LE&RswfYr@={gL($|dq(%qGwMTmx)S(binJSsR
z8HSLL=}rzD`#97CsSW1uK(R>|7=<{USi1IGSD3J~5^1C~!{;`f`+K|_qj>?Y<m1>}
z8yOwblDF~l4}gYx;wSO&Y>vcEiodYq_)<LLDgMP&(8KQO#GK?#f(&X^x~ldA0MiuA
zFD3`R?Crn7x2o{_^7U@5qu6;0%JGMCaud8AVo18~4qG`*P5^aW$aPr^dlj)Kaq5G9
z0zvp|HI0k%YKPhaTLYXr5>_bN;g4f;2jLiSs(k^h9@ihzeBi(`+GH9s&XdiMYN&Iv
ze}G;=fPBp)_;;&e-;;6zN`fM1(BYYA8R;vCRhJ6ocLJg(7&?AqG*~cb#`P<4Uk4fL
z*s0{xiF+P+`gd7ZPwNyI1_*Jyl+T@=;ITfT7aust4L_`+SFe_~R&78q75w$MB|uOX
zL={V!?cMrrvMVQX+&rC(nR^n0H?HLJ)4m#hTf6#pf`al819K>JNdF)cCeaBQIzkcB
z0$TzC<QzGW<_&IL-3sR&uwTq*yneOLZJF$%P9nTE&|>ckLYB+(u<x}#^LHw@+={mm
zj#r^3m$f=O8xL<ko9s1~FMHu+4S9mtjK{eU)mRTWEadI#ByrPpc4?HCv`>*1y@?>d
zXO29`Gd<O!(<aGw=%~rzX5+RWSOId#?Z=~dEf5|CSa9Vv7jAGjIB4>)cv%#Qcb_U5
zKlE7RL?!bgC8w-<id0#(EF((y1N0p5|LGzunx{6xhkeh$y0Xi<es$#e0FVYG#x>-e
z(5o*<MJTM?chOC^uus&<AKJ&Frjty`(aa=E*(ATs2FewAld0;aT>zk2T?;Z((dr>K
zBMWTad|QO>ti}a;92%Bn+m~QHDQq2i7|w!Lb<E_7rwnZbI#wl7233R@<JVE!+bmkp
z&ik|QkpT3qn*me>M#qj-oJP0?Cx;8+Kd-;ELchsrWsqqJfw=N)W^pOn3-o1+<NUKz
zYrjtmfzg{?C1^UQg~|wvaEzr58gm4_JKTKSTasMc(EYDgL}UrD7-J5WvZlNck`+`|
zRqKhd!iAIXMGnKQ-n!PEZhTms-j(ZkjVHD{q|Y}|-sFXDc^c+??$+2_8LUpSo$6|m
zyfb>L_2xwtp$q?1Pz^gs$>5+hqVTLIiX_jF%>HR@9E-J>=9w8Ts=8h|l4~J9=EC&|
zUW-cUB8ZOlNJ2LxQVsr5oDR{D>5nwYbtQoXFS}TXz$La5?IRbiw8ziF7m417jyv&C
zC|!>3_;pHo3|)C~oM4XBOmL#dTIi+o;kOmJE*rz-X!Vz~>ELuN(bYy6>XblDNLk`|
zjZ0xzsfDMSUj`6MdEwFxFdFMXW*UmtUrx*pE=5`DT=i%@-_c6fzl2lBwOF*TMe)&W
z`#V${9O|Fbj$W99&p~3fT*Bp8StTsfI%+>&Oc?S-mJhY}Tv>CQT~AU2$78BSQ1)am
z{8JQ^pjXYPNexqLl>I^@#uxX$L9a2|PKi}25m?V;D|empNZY9p6~s%3jCWe2va>pO
zCTB+iFjVe6(w#4cW9@z`X$DU2wq`Y!Qww$HFoc-}KAj|mEGKW!3AodiEL71UH1H`l
z)EnVcI8}2ZAewR8FOUO|<(5$P^sN?=ey59j3A<?%=tR8MkZ&s$%XS8FHzS$~G|e6@
zlU4dDl@t$ZFCq`sIB~hjOQ%8N)>B|@h@tJt@l<;evdchkT*i7t`=46+#If8=Xl~_-
zT)<yvf(qVCi^4MZ%WX@UjdOhlckFt9&cW-@I~%8@VkcmS1Qmz8NheTV6GUBvs(w-i
zq=g_@@d+vQ8>XM^IZsDGnIgBp--&KiFWonq#Rnj$Ce)g#8m0O6m2C@WM2_QlbqlCc
zC*gkRan>d)L)4G7&LfI6Jmd%|7{OVm!Jf=9%?AJ6iVlNhf)mdq5Lg;;)NA@GQcN<~
z@D+h*EE0h$aVSKOHjD3m-N=WOZ8fW@l_M-feI1xFiBU2%fR6=@rYjmj7WX#tb$n~Q
z-c+;$nq)gTNVu=<-zV7_4SDN4@i`KA%APv2-OxMTf=zgC4tKTiGgER9pCizNjK{<$
zwEmsXhuDTew5#sH7UB6r2;}2Z+IRV|7gFhlXb#TS>J&y9FJDp99<ctgZS30Jg^qS6
z`308S4MRG2an_+3%n)TXokZ-JEX%Wizp+?GJ3RL<d5>-GPF$d|&|&(rj3sIs|Mrje
z&vo3MBD{68GW}&YX`8|dA692pYVf7j^@X6%S570p4}cRGVYujJk`ea|;>72$u$6Wg
zzQCR#qmsWju<ik&Qk&7TB>=?$9|Wm^F==4Z#t&nNp%M{f&TW)~FKYHZ`RYvOAP#-Z
zw>lRxc=*^>wJ?@}kocm*lt55qMy>X5h$Ya-dPac~OG~&|hecB{u$UmzS_aoYAeMX5
z@BCzjbtLvM)**F~?>wi085uG82>ikUemUWXO#n@?pKhe-H^$0n3Qx$3S>g{H++D%-
z`D&T|f*e@~2YiXa?GV3`DV_*LDY~U?huyiE-S5H7?~q>}&AU+s8cAi|c|QR&>Blr2
zxd^b737WCi#EcS$lQ?MqxD90d+LkMRXFso9dp+%8%-NV@YhJ9ot&*~mmK!j@_FRly
zr_Mz3$Faua)%9WQAN_G&LG>?*ViM{+vg958kkI#X&-(+wF4_}6)yQ+F(t^s<U(5(Z
zJlx#VCO42JNsxtkNnD128)$%Aos3+4xN(1Nq<v4Odu@!{3u-4;^1tI3Ki3jT^=w(L
zP&{o-!S3u485Ewcu{E$%{_CKikkp7h(3txL0bfHwZQ43pI@DR@@Bkkc)l4*zCnVg?
z;rH3pi-+y<(O0pvKYw<a;MCW$1eOZV^csJQd@=pc5=I(}RQRtYJnSTc(j5{Qz)?!^
zjPBv%Ef#0QGiI%?F{CdcNmpS-qpjK!J<pX(2$33HS#QBn@G47&n{rV!>ZS3<P((8L
zn55Mu&={AWSEubUt$HRsiRpgfy9td9A$z-&F2A-*?fz*6m{nI3^%M{eV)T?SuD)`5
zD=-~fpm`Tl23X8kwHzdcGhJPSw3Sl2DnHA{bg^p3Gf57V)P`qZaZzWtre~)rYY<)y
z*eBIZ6_s*7cRxI1m00i6ls&dyUue$G(-5g4sOE7^)glB2e(`GmAN<BUDt4%2rlQpT
z-NCP^SJyY!q?_K}ZRtU`k8Ocl@pdYC1$8FmbRL~Po>|H3@zOawhO4evIxLY9Y1G6F
zduhdmf4ENBPQA4+i{#d7vR&91YjhOpN`_+F7!W!70t*drxtz5+7pp7P(R7`%bk6KH
zYgKg#tTjSy?LqMPJ`f`@qlPdOSVhM%mpq*g@i!+$Q!e`4wnHQm%-mLyb3O=hr!bzW
zOtpU0HV8!u3S+r$I?c`abE%3FRajc4N<zY>X#Q_eGi<qii^jH#TE=^mKHqo6IJSi$
z)RvwcZmHH2ZnF?Oe>)Dz8^uZucaD9jMWOpDrmhgYI@t?rP2f!)1zl{f217u0HPl@^
zQ2M4{bCBvwbbZW=&@w2cNUc7bRr6ixr$>$HiqfI3|2QHC+p0uy;w7CV5TE^&Cfk{$
zeZ%nJ@fwdy$Od`!QVD;!oyvVU-oIEemR-}+-iBhHVwAvA+h(Gv&i{!ObWfT_CrWvJ
zy1!TSuInx8@ecaa6~B0&@^tyTFbvupnJq#RiI0Y^F*03N2G0z%t~Z)z$64(nfus+l
zYP|fPE*!AcrIs^aZB#@`l}V^@YAuXpl9;D<c(S=hk80J%=CekcBB0DLU)_q5O@L9?
zODPQBSQ(TiR6U~i0f?>Uw%dQ4^r|&7Fe7H)^>S+o;q{$~06E9={1uxMGs_l!*h}Uo
zUOU5v!VV(JAE|CYU^J1OK&!mF>yd{whjZcYYM^Z_zZmo)zKj=E(iS9Pnl&C8;W>(Q
zB6^3B<T<RlD;Tpi!~7S)k24l8<L4nudp{SUsruFx%!lH#w^XY$@=CQ`H7$_!9--AC
z;=og>RTwenTcxDFgB--HJ-(%Tk%C!-kQ%n8V@^n2d?blcRiE9>zbuOqA<q4(_me-5
zSE;dIpKz^}yH!o``Bw{@mlA#`EB=%Z(iCGr9{ZLL(J5lj^%S|aY#34mXyVV&wZ`ti
zLk4vSB!sGXgN$j#SNLpR?eM%OB`)fMw4q4zI%B{>hRbjwTES1UxpQ`E9L<*z00<Q&
zdqU{OxmZo6bmP-;KF!%JZ1)cVEnfIp9b4WCXb3FXQ|_jO@|>)Bo8NM~wf-n=^ym8h
za~(e()<ZWL^WW}6lF$gs`uS^5o<`QLw_z90b$6U1f4zAfWn&gogjtmETb6#nl)hQ`
zj}&QE^~SG@RvPA%f`xP!i{=sV2>8L*W_yEl2z^aSU!`C&LZR>6o=zx3Jq_=*m^N)y
z$g=>qYE%~2e@DvnnLYJm`E?O?in+29?mTCYNjhzzsk&z)-31A7Yrmh8^D6K}W3X^{
zrID4ZH`~RU&t+N!w*y8NIMDP;Q>i2nxX@3VlU0NohH$bDfe$N&HX?1j)ZscLIn~X-
zKz~uo?c4pE6mO91>|+^me^3;0wxk6zlw>!)`&M!pA=F^l*7~cKJFh-@->ZJ5dO{hf
zf6f1WdU3NfDjc4~S=rRXd}6pCN=@~MKQ&0$W7%1m<oOqwn>hEUrz;&~KpUMAJG!(K
zjTa5FOWjkJ5OAQxQ{d*^Nky%>saV5awXHsyI9@qbtx3a5x^~<i`X0FsAv&%NHr^sw
z-OGqP-;96Q3cu0ux1CECD*r&#b5PRQ_G6`6teO>n$>4a$p4WycEfu-;d^mec>H0pi
z=Xh%za`OzC7$$>%Pcuh;{F!l7?PMix2RZbrpeI;{o`?LH+aY>JCsny)oHem6D}JG4
ze;NzQ)?&>*U4AQyt5B}`Wmv-pi-S|ENUnVFy!gNxuXWMqrgm*m-NtxG`bp*p@enB9
zp~Z3%#`sOnMy-Lak(KD^c3uuDXK|Q-OG<_)ajgAXu6q5LCL37Fy={1CBT6}PdK+N0
zdi$24qwHK)iSvSAq=sl4UbC?QZ<NMe{aPlF$YZ+4szObM_WQ>W#DyR(;(;pZgXvFx
zlMAdT&-14fox?uJC_MBCu6}YfwtpFg<1|L(L}uafb~Y3~#nTN#NbGjaNfW*6$0S+j
zt!u;W(*ZIoy^^X-IW3pQ7>IPKlFq~{4Tw}7=r^7Wq(KH4-0<~^#S__#deC8A5Nm+>
zZ@)!*8O|Tl_$rnrT{7wnJ6jLqBESYd<A1iFn|Aq5K@&}WWH4dgwtMV@4aDo|S{bf&
zpybE9G;%42<4kjG{ob~UuajRd8ne4FzDg0V2Fv(u&#0ICX`+UA!PN;KRk3RFsbhiC
z8%WYyCVy3TPPKU7!B%%R7O+FKN?H(E+j+*p+*Fx!<}N3&fc^TWpM5Vvxl3&BUbqG3
zWbFz3jHI_Pgani&sLeaIL=>w;nzeO*&gmtjklR%=S*-A7nD;h>OmlskngVB?=b_Cj
zard`P(&sB;^hWCwxG_89Pdp)|&bV(3r4yyGDj8_&R&PdxsaJjmPf^a<AIY9RE8jR0
z_j)zn4s;=;U`loADJE`agqKc?gl=X8+;3)tju&QxZpu`IZl-hp4<e6!oe|?tl2iE^
z=rxe1wm>ZLJXzVWM0ZQ_LgswKd@VmxL8{_oVUJn0(ymWSHnb33%GV9C<GGe<_TC_A
z3RKZ`)b5L3VP_&D8JhM)8Tx}WV9>$4ub8^V-ey@i(h1|{_L942q#B+7h%{jaPs2;}
z<{8QZerqrI{JE+r`dzhL^sa9d^<By%$nj7%aSivPbTCunP8|*2mC3zbx@wPEZ-7fz
zdxsba<S2e%7BPt58qe|NTM>@PTq3l(!)obF%@}XWa`M#7L=s$ARFU;|)-ne9vgNw&
zA-6$^4G+vglf7QWueF}1@aPm@GsnXhERW(YvR@371^C$=(Q=#oST=V9ONUc0v3E{c
zqQ1S~CnpLBZ8gCAMuM5V0TM%5Gpr~_$?kASo48s{y#>|W|11a8O82V#H^do6_X9ZC
z4t~0HwxSrU3n-x6xYFj2NLwGr4@Z|V*6IRN7h=2z!t^sXqiPIgEBIV15Md9H5h~h{
zi<-$Lw|t8D9qJv;ac7-{^{>~_wQTrkE1&LcOk1pHiiG*bYpjiHiCXw#98X>B-kUWg
zb-;M<JTRHLrz-Z#zEJp;$ElpQBgci)vY*vLT9$o=VjEX?zM{!Iw);z6Rnr4=T~_^R
z8`*KsvEm0yQAVL9QYC3$?G<a5Y3^ySXU|$sy7lYroR-Yl$?G{p09XlnnNUo3CNSTJ
zU`<H{b)ZCqqC+yP7+L1s1U3XFLJ_!<Mwev?z6N~79<|C^fSp@MiZSCNb0bm~L_RP>
z=X7>>I@dqpR?n+Y5+Y01%MMNYs+sV;dZ%Zxg;Be$B@~{WUD_QOd59@u-CROYx>N$K
zu-1c^DfCJe@k2GIG%qxfk@_B&Swbey=iInez)$qyLf6CqGhc`MXAJF+e^=RrU&oOw
zswQ+@dt(h@uJCBQtupSGX)CDURGZ1l5!W#}af*;6uZ~cKr}o>cbCwanUCZ&wQk=r`
zTHZalJmn`C_mfdm46}Mmg*WxtqNNRWq3U8$Pxt3r`+68!x-iXoivETi><D|oC!?|?
zwi8>*6xm_!%^tPiWxlT1Fm<Y<1nAY@(Oj{vh%1`E6!M?qfKEVqsV(d9WDS<wcXt<X
zj7CN*5N<|cx(=T?y420|f~DJYZi7^2ILpHxEZ?P7EuvYr_Q%3aGJ21|(MXI5QgzoQ
zh1ey^y1&}G%^h@btUt`YPfO41exY=Jy5#!+K<*ew*y%gV^8j<~(mQc}Z?a5o?7w2S
z*YMX3*@HMw_ngPYJa*<9T1$QGSIS~$M1<}2Dyh(gQmoB%Nv-e~#Hxgwvp6|>ZpY#b
z=40N~Xd*BTcuJ=Y*;SPF|AMl~-XLiCS2fYp?0cN%)Vgk|l?oCE(|(jTFEQcrE7#y7
z9qp);6oPFU{?)Ht@=S=2Heky)fwm-6LQnZ4JeIwWCaOnstO&Gkb2`Fca%T;iiz}?m
zY_cR{{?&;!v5|l4mzu|}79+;WKBvq4`|i8dhd9s&U2nVBQOdFNl!wg|n<zLO=o~~m
zdeq*v?~xbNx_dnlhmmu=J1)}P<Xe_&nzL*b{~Ut*hOer~7^)u4r74+#_$Z|+m`2-S
zu1wjb*?B3q)2h#N{G#dEQ%5w^IFhTm9aE(HpkG(G_?MR&^;z<Fr3htJwY-DvPBYbF
zQ&h5;dFXrg3ADO#AY~lNNNMf@_GazA0kCTA&+5tI$ioEk6>{nY0oAfEF1ze;i&`qV
z{S)T6y1c8Ct2+klDm_lG|B#UH_Kdj+YMSzAmQq<Gz$XKI4bo6y`v8nvR#Q`=8|l)l
z!tipWTJPPMkWx*FD)DH*=E>lk!LwQ+8BK1^JL>vWeI`lT+(2s!!?*b%Vc=|ZN(OYb
zRA1&8r)@QsuIWXS-F9uG1p)D|mz&8AuFo$`{CCTJHgSE-Nl$WBG=ES<O;YP6DsEI@
z_W~!r?Zf-{4WZkN`KB8--6D>$4Ge*rst(+DDs>i*JF)H&O0aYDMsE#%{B>SfsaOIQ
zOr^nOA;4TUmerQC@pMWvUSr3%3f(({kzUgxPY*n87tBnW95)?I!a+67=4*qs{~8yH
z(o*xoHjG&{aWkDnt<9yt>=uie3Sl}75>w{y3=rPRebyY-=KG4=O((JD7MfL12mUg8
z+n^f8l6f?fAIDPK6WlWzM>tvpItlVo@XI~*1c5PaaRx)%1PGU$wysNV7>v+jW0lKE
z94x|<GpzQ#Cf`U;ms#WRYs{^?aAZ&qy$D?AgA+YAY#51G&JpzI7-m~?>i=|E7#Y%R
zXp|*LD5Olu4nDih0A+Sp%?4e%DeP91MPnWpMVP4;b3C87alBnRN{X}|z|Rg!6hh{d
zQUv}6Z&6L)l7f*OegJ&|)QytwJ#QlGdNzG&v)X|{C*`q)C@X`fq`Z2>lKzfY_d>7x
zJMuc+J*NR=fB&3N&TQa!R?g^O=q3u(K1Ebs_x`JdsGQk4;mp>VV(2VBxf-}gY2`CX
z;;{2rrx7MBw{fvy?(e^+*F4Ss;CAV);rpBZ57NFWsIDN&mOvnAu;3Ql-912Xch?)-
z-QC^Yg3HC-9WH)xcXxNoFz<6-&8w+-Kd0)P>aRY#x^}O<WVCpG!+U0-(}X47tqYUv
zC%f~F-pQY)_(A?*)UXC7@(n5|P(hbxY{?t%4u_rx`;E>=u^uTWs`<&DX%#OzU8{t&
z%gFJVp^fzHxNYJwG!%KZOuN#?8cRr8u8SU6{Z>i!RV`d0H+D)+o}F1CaDn&B8rd5&
zvda!9uXDncvp_||K+&xLPpPpse)6x+K5bLS(9se6Fi>w<_oTVt<Zn<|hek%Ub<~@c
z4c*%kFt%@Q6YL^THbdt%6=RpPDYZY67&WoZ4}73hmFxak^!)nc;1Ubcu7*n$Wyyam
zk5aYnJ>NXwj$1gJ^019dfB<y8mgG+N$_+WaIeO!(Rub!Vw>oa~Ecedl@ehKKGki3c
zVec@PtqIIF<9>2o+`I{Np$Vu~7tE{M7Keq<|IXuPnyo5f&>e-!W_)(JccdX{$h9qo
zFLejrIknOAmH}+mpPMX8Ri^c|Nrb8(KC?DHxQ}MI@D^tond4oIIwvOADh+m>>?6}P
z4dcALf_}7URk)^L@Qmi8rj9@D#HUF0(im9J+-|ga4|el!-b_@f53ID7o(Pl2#jD@e
z!}?`aLcg{I+Ign!(|Dp4Ol$n8@Q5#+ftlcqgElJ*a|Aq%QlCyl*dyZV__j&FhDbDn
zUYlmQ9y!&Yya&2uZi6{EVgzGGB0uHf6f|y|;kUVHeH@A{of5})?(fZQU9vd2ifYAp
zJJvcbWy$Keimy+WHV@~UBTx>G`#Qfvl!B|t<hJ|6X`ZI(%ACjW4Qm&O;t7sN?xK%^
zcfto!nWQYG#<agu^fF3PFrF(ZgI)Z@c`K;kU|@OC-%j<Hsaf&)f{ir@7}Kwfd>|eW
zD+wkk+U=L>{#NvsR@ze<<R2#&p2;{wmmd1&0y!iiB$)BrO*9^3pDnYYlnQ65Xu3s3
zOBblk1qO<JG79}w?bTOvpLQI&^|F2qyrKhSnd$yPgx-w2v4414zuABAM9&o0Kqprx
zRk*Yp39%ZV_h7_n(i;}kX{m{FQ2!mFT?(V#0;m0hpbClN7CFbi0#USAUuR=Jg>=U(
z{`uJ09ocvp$REz&_R-g8E~!JD34Ui^mWagX-Y@;zzCGD!Ri;IY?8ps$20_|=^7U4l
zEYwMpaHCYF+W<M<7V`sC;iL*^oK$x`Y3Oobr<k@byS0dB2(%E0>g~r@mUW~Lm|38C
zkDh>1Z!fQrs0$;N)`YmE!Dwlasr<7F!^hG()P_*$BLXP&^_JrNB@4c2m`t8Zx3}G#
zt@2tTani8ddj4?=JY8GNWR!W6oGUR%D?jpxn3?4zn(WpWe#dK=wZKZwC~8-=bp5)5
z&5QJ7MX{oWZt9w~>o>0g9=t|d8pEGN(!{V@HttPdP*?Yu?d|xUVE@@;oY_rQSEevu
z$>LyhT#65M>vxl^d)J$XnD5-QghCB(kv7MhvD}1e;0SKKAE^Br5fP_iO8e$#1`-I)
z8pX~N<_}C(=Q+~Jfui8DV==9zR12tGG8cq4;SV9b`JVFqh1rG1FFGt>K8zQ52-kVY
zD>53c;wbfVIZwAu*}MS#U1Jobg7GbYt#HH6J46nWNr^<EhL!&5d}wjB4tM@ps8t2r
z`oU3eVb;|!6S1RZRWH7Xu+y#?a}gqIWeTV)Gq$lHR-$2ss$qs}cUEIJhTpz8{<xUA
zD#N_EWvK1A>hp10#T;!P1;8F+zC2xDc*=n{naIgtuRq*=79ek+T*y4GW*)VBJ0u^|
z6V$zJCaq4}E*jS47mulQaX|0F8#?8ltNZXv)|hHUvKVMitOqOxm81iN*ub^>=!X{x
zV}il{sV;*HG+=9vkyV~fv><-N*AHhf)xAYgV=!}IBq{u0OyB%{Y2NITmeQ^fE*{}Y
z8OkzUd!MrLw57qjFynO@27ZTS3!nBzzO_z=2FFpbJzhqKQ;FAaj;1j8%pT7ATThOx
za^rhZ20EJLA(ov%nZ5?$^xrt|)ebcZH80wSEic{uU7VV^^=Z$rQQfJ9Hw+#0VOEFi
zZ=tTl!yLT!jT5q}i#NLS*A<)8Ne+g^7WTjr!t}atCN3Ac%hEL_^6Wab11Lc>e-WoN
zf#neeth!Wfd={<s$wh4#OD`o7wYS3DeV*R5sT6XooK6qbOWCTQx|3JkGZf{_4js6@
zo^2Hoqi+mB*=l1C;l&73`|zGb<VSKmrewyl5^<I|GS*q+`Lj4Q!vpNNddbSJMspQh
zS<bi7xESNbS=@W8fc#jyEx!cHFn8N-{v*8IG+?jU(?_JmbfPZjtSs;zCR31n#C+cw
z6K#afP+P7%KYvdJ^;)>1r`>=NpmuAt0E^SDO1qt*iPhh$LX8$d_#S?HvAOhs9olZM
zU70iDYAsbBCZX+^Lq@|q$PJm*YCZNUgf(lCcVyTz1c#?Sgs)1@_5usY>IE%Fp$^E2
z?{gnyE9Yr3x~RW_R4gjqId^XN*&i`+9YeT)j+XeKmBZS;&atm??5dcnI6RFN*$8~v
z(eP>v5er`89dD06-k`#H0FKQ`%&Dw4-ZiPatAsI9Ymb89PA8b%nAG^`8~UYjEGf}i
zX~qnWxu(^F(ncOh!f$$NAbsQ>6dPhLW0h|s3Sbsb1^<5#NvxPiDDnDqD_*82iONMX
zoO~K8gX)S=9tpZCf4>yK3TVsDW<-F!m?+>H7$Tc+(_{kE^H4|XHn)_mj7_Xg7k?aQ
zJ97@F3aJ|Je{=Fkr7xc^yTqF%w>q`4*^m5GqnH3ueT#w#k^s9UR0Dg<%(w>k@h49r
ziK_OOm!JL72Zom?Cq7r%`9W90?p_@U5;pno4=F+7@fGynTubZLsf?rCUQY+qcQY=T
z+VrQyA~`+l7vk|i0K3RX#5?w0QXuL|;L_5zXTwpf_P2{ZIpf7Fxt8FYONpZ;Q~5K*
z^HdXjRL{oj_|zf9a%<hgb$ZJM05w+RwvjNDx<2_uv9vk9@|r((qzI($jvt@Lk4_q6
zyi}SZT1<(4`#%DrTkx0%!?2`u2o8_9R85q23n3)eE}6V%TqIFsnp18hv3j{V_c}yF
zOm_4hhgF>(Y!yS%UV$L7cD_3Y+-P7P>rhgs?WmQf;utQwW~`}4BS}5{V0$eY)qAW@
zugcHsH&=prRr$l_2pT^~Kbnnhu{tNMn8t|xJbD0Yiy9zn$)aQpZ3)$1K#HYmT6oMG
z|9!qSgW1SDjHtIP5<su05Qh#4n6yzJ<sHr<YE{-8leM&Ly`!B~mBykR)Zx5GAnyiP
z?TAS(@*YLPb}Ud>keiAeB1R;Q2L?|&#?eLRulaatCq9{?j$Z7w(yAw<bgA!lG!L;i
zv?6plf*daUJIAjrc<d(Q_}KVSabmuC^Hx`5R&r{~4Uxw<t_5b?PP0VK3OJ-3Gp1Ii
zww`xQoWGet{{$Lm1>oxrJm2T0SDwa`?KiKKFk9g&QD=om@1%i>4@O>gR9D9&9n_~Z
z8D%Q=<JBR7eWyShhkWJ47S?&8dAC<NA6{j8RhBk?nNv&)UAYM}m7OB3Zf*2U5BxvJ
z`iKauK-FI3fD>gM4mO1y1>W}i!Hg>`BLaE7b~|*&SwfEs)}0o&wrgi_3E&?DdZZj;
znUMb%aEa_)+CqBG;go|Zr^e3Cp}E~tK`Pq*ZsF5y#|fH3X~7lRrSqpb2EmR|FRG%F
zkUzr#EoTu<M#aZ(T>Y-;O{edUJW_kY8N;-qnDa@Y=%t3seZ_0>E7%K^G_sC}+#YD@
zJ$MdHL3HU<D>)K*Rzj$X&2pC0wySSBjo-vs$~Z-zp0TLQ=T=)w&pwvTbf6#HavC$b
z4Xib^I99b%7nLU`2bsHrln!{|A)>q`R`op9v!B$lZZOwej`qmfZ*0ai52{pEd_;D$
z76)ysWW8KV+w9&Ro`>Y63{rCSdc%$%W)=(5XPhD2W$Oq*-H}n+sqq0dUr}HR5zm5Y
zCI3N)9{s^k_g8@}YV=syHF~39{FOzr{b4`y6oFxPg^INo=}wY(Jx2KA%hkNW-wnE%
z^=_PGP4hLX4mSJCAvF|nS^y&?DU|@!u3-drQy9znS-~A=v(?P?qDGiNge~dU0+b8u
zLMt>W1;?%>O`k6n$4qjWb6u>3em{RPZqYQYds>fF{OuyH=Bm6_sy#He^dV#bTfn!-
zX8iSH1iM0^+h|b9$YNrNrXB(cb$1JNHLQ}%CJs+jDU8(albxF3&mMp{wbj0xGcxnH
z`uAV#$eA-!>J$&ugpXZiy980k1kgQhZ+l&lfNnzwp0M(KD<$alH#PT$btjW{sFu5C
zfys!rCPM6aw%W`^n~?3OEt-P=GHcv=_Kzqd0cN%|L=imOD~7fbu-)danWHfC0e7k8
zSdT+45qPXBtBqSzKDh+T(n0L?+A6wLLpy9t=W#k`xnl(+Ci^8$Zs3czcaJ^4h=%%G
znO&QLMCmo;7iY!ai=aU@i$a=YTLF&Ub<ErAe-IT)6D4|<{4wvict~BZ)7TEOfMX7f
z2_XQxwM|20i8>OJ47Aik*-xo^%A>g=9^`Sn^bv1nPDaS$WeiP*R6K{OnXW-&ae1je
zpBh^bcQ6Hfm#$S8?$styD2mQe_jhSRH4b7Zwps^7RAhW%OMI<Ju(^FV>@HWAa?HNt
z**<QEDc*M$Zp&gK(1N@1xCjGqFGZ7h6LIa}?6gWuC7;{#wc0vmR=)zLVtG9bs98Gk
zF2%Z_Zfg!f8`9A^kbJ{dkgy&Ubn?GEuO{H+b|16d9*s(!?*Xg(bxy#>R`?hzY?aI}
z`bOK0$+R!8SnJd`&XwdAT$ns9F@$9kzV;#72GlVxlX9<|V5{?|SoHR!)p6Bkq^!^{
zBX6z}uT4!Np-I)qT091GPDa^|f^gZlvW`)D>v(L(pc380-xW6CqZ^2*$LuK|;o7X`
z-{guCTC@zW?(N9-2tP2;($f3xEnFRnck3Sh(sF87OVy~D-<4w!6>GWMq%3Hu<Fr$H
zLN|Fp;Xabcv7xU}#PQr4$K9l4wAX&)nHe)-RQQDV)8?rOWo{z9fvdWl(Su!}Y1zYX
z8jRH?@TmLt#qOOaH?<zg1@J6?N(+fKhLgh3<_#|B@ZviU53|Gv9j;a!HwB4DHZ<)|
z#^^Hfpg)ZbxMkPCv?B<<gqgE(`_BY-(<6Kj#n$xr1t)(4?)58N)ozSLku(yJYr8t?
z#>P>^pS`9fdXs4LaUstyTMNK^kEJJ*IqrwqJnn}%PREBi?z1JIuX6w0r~cftozI4V
z2Kn9g2I|xBPgj36c0<X_+tu}xs8`P;&UYiWs|8v2NKhcq(fo*sK~3>2IsL7P_ZRS(
zdF-3nNg|I`p{@|4xjdqm`PWR}Xh*u^W*eErU3DSv>&rd<t{H{c7Sjhjqnvk_)24`;
zbB`iPch+4`g5o_{$;6_sjltO#7-NCv_>O+oHum>f^snrFFHJ`@1D>r7yGh~o6=l^<
zKbz)yV#R!3Qs?!+mxa}23eyg3cnV<bN4-5`OO*4|2f9M!5Z`{!^ZgxaCak%JNLJT|
z`A){iar3+?#9~AQY=|$oj!0a~J3p8PaQTbL^22kzKgT!Qv+kxj)^`z9cPo+{i@J_k
z?#iYe%#h7D<R$2*SedEVWxKnMy=|C0&cMGB`QU1WsL2@&{h}JTZGVixw=H%$#xh7R
zEuM!8WGKiA{1jT!OQ*@e5}n1pvqsL!%eUet(}AJ0etA-H=jN<Ey!LO|ei3}6@#T-l
zI&;a)!PEDZ5ik>wfyt+|^jiaZeODK~*h_MzYB~=dBk^_e(pN|9=E7T22ygWYtZfm}
z1X(PPXUU8dg>^5o`1Ipy>{<-XG2R(6EDDsC+8~;~h=@L(^J9nKW6k*utLIn+R4ct;
zn`GV<0;x2D>{%=Gb9i<(Z@`M(!=JeRz+MGQI&B#Nleg(pGWShc`>yT-%`?xTGmO{E
z;jY!G*2G3kIW17O1I_h9TRY0?+*vj`acZB&S$bQmvD!$oPu5I%<+ISR$<&7^JRA-8
zoDD>ZF9?RMcrBTD?XgI&ZC_0s3%jq=$#IpXsg?mDa2U_eK4xZdX&4t~I>TQe0T@E1
zTnU3(L}#|cU~R4OE?|W@jOn&sqyms=Dg?r9M1&=p+~XeJs9N^U_W{XKZNb152zp%C
zc2Qd_NUUqWb`D<(M}1{Xu(6s^O7uSn0akuJANRusp7qaqAKs)dr@QF2cM7AN(&p23
zQJ;q_&M^!j+*RA>7ambbTK>7ge*;5Qu3vU-${l0Sltaz7Df_U<XXBe(jWDDfAA@_t
zNYCdakc1m3nrKU&h~!f)g-iHS!q2GFiV3(llHB7Mr*o1fmefk7-RFC;%3G7g$;(Mm
z@!&iqb4e2~LnNy(Q+@N2YrWlYq2qW5Z(TCVijxt{R+sEMBCE+wYeV*Tu1g;c0~_z7
z(%4}-WbULq=Hn*yF1`qh-z%rv^f6N=O|)Pbrl`4>SUep%kt|-{R8%;nR(XBe7L{ut
zY6~?9es$?z3M*VcgVS6fKH6^8H9{QwYl5oQ)JLkM63%9FINS~1aPex`rsk&|bV$`V
z*_6Y4Mke6T6dyDnI|32XGLpFY2&yyIK3MtnNA1@}-<-%wYjGKm@0%rdE^BnGn<GY>
zf)lL^Rd^^m;aTa@Xp4(q)>q0$`B`q47z0(^LPbdaK}fB}cp0_KCmbsp^FPKZ1I2If
z>K!<0k72ddO`vCtv84XC`KXZ~n6xC}zQW?6Eb(E$dYVeQFEUlUeT&%n#(RK3&`_ru
zP{+@Y;n9jW5a^YnTy;{V7N&%$fA3okTf@9`y#k9i?VLzE5+wneZ2I(l{APpCyaz@e
z)Q_$Ha`WBkIF)}m_Ujhs^_p`&xqKu!Ezj{@p}J0>Y#yHZP-gzKz8qT4(6uPysHU#h
z+=COmF2-C#sc`ejm^|brkmtdutNZzqiE+RowHwO=^1@o_sfPNulMgd=NM0`^Mtd?r
zRk5=L*9oAVQ)J>K0U_n(#N&B~Cu<XxF2)>YOvajtd7~Qx16tE}m3A**e(WqkN4+jL
zSgj!d*O~wyPE@HJES6;dBivAQN}w<%rjEXPVQ9H2krbe>ZXmOIcGps!NvOQX%_X@t
z>3F)mJ1U<P^6nJaX(;=R!g;ZOD<z_^_`(rMa;&1LT9qpt&|m+X^aA=%kNdZ>#ALFH
zP;dCCy;9QAcuiz>Q438>c_n1;&(TX2N--ilHp&-5qY1W=ogYHbg#1N66aLSE=SDK?
zZjzyU7ejTw>izJa2cDgUx`pwx`lVUZ$>22QQj*}>TyA-7`Kz5T{v_iWdWu1=5x#A)
zap0|w#y^OhZm_Ozir|FMO&m+q?wO-s#Gg0>eI7>_4V2py>F-`CpA!LdcRWZWI%P}_
zS`y~$F#8Xkj5_qMFMCE_{hbi1#e-Hy{B^t6b7(IF!t=Vjb4?3ACNI%syxnM?DUY=D
z?423&>Lso9YGwy&(<au06L(oZVput8wT{hqnp2;hpStYqfnjILOyQw)jYs<@bGz>J
z*ZWF1l;yd71Zjpn0{-y}Iw`x}S}X^H+jWZqgk&E-Xr^Pg8dWyuHB5wu&4G0OtLBjV
zw>TA`+E=8l>>FO#Jxu@6l7O(@fPiqh0S-XayrdH3ydgR?+jU>BVa+HWMB%EE2o3c&
z3ab5CYv%cfUr*LyeTR#4!U~&?dq<u`N=RDGU*}<0zBDy5tvX*_sx_=QEj46X-r>p#
zVFwl5#|0O+VEJ}aLeE#se@?rtTx?@GKh;($WM*so^d}qA#fz;$gD(abL0cghaQK((
ziY``=1qnQ!I04YVSRkNuz6(f>3z(BXHKX6qxB6M<LWE8<8BK`cp@X8fAFaWWF;j_~
z1^B>`bjF{5h{<vI&%Q5Vjt4453!-5=Xmefh67C($R>7-q3E$gic9+z(-WYv)Xsx<V
zXF3nH{+8^FSODEiHvEZ}8}b&J{0D(ZXY+X*LB3yzFw}gF!G$E+AHebR1wSC9d@;&!
zdpi;NlxU6dM#fmr(mXiV6dvwV>rcGygZ9~Xf^irMkqeg_ZQTp$>lh8$dGuF{%i<BJ
z7FxvqY||r<+X(Q!OXLU~?#>t5a4%)vA)>l$@o?BT8+$KhEJo2*&60k-ymqP4g#k9_
zzKyCK7wW;Xpb>VPf1mE9!`V0c2Z7SrLSGO)7Tq8pqNk=j-`@L>^2vtg7RQK57y<f-
z$kB?LS1aylp-e|tW;?x~r2!uxgS!!y=G?gq1!t5>&o%_)wzQ1uMBm}w6jS0oUbqiC
zu8);;xt;6tRgV@K(saEtIC1MW!<}s#^mWzd+D@&3*&Lf%6vKc5U?xZmyDoyTlcb>(
zfF@4!OPL9E0%HtBG+=9VTxOQ~4Xf)Hv_O;>(quE|kyMgXpoSK4O}>b;%gA&Qz+$U0
z#X4@_JT4rb%Do|2rIOsQ3WR>k?Vx>i{i&KeTI|l)$wH#GmFt542SNSWWT<7)%3;nw
z<*Yq(i)Cf3HrYQB;Wu<OfHG<mSFB1#p%7{=kP{qe<G1QbTf9+a6N-le1Uiz>s?9w%
zGD^S-xl|UKZC*a7WqC0@LQjXyq(4G+JdJ+apAS_uy}O|wG>sTC{GyA#4{AFlh?d&b
zZNy2KHJT)O@Fkhc6CYU3%#CuLwS5R~94)L2L#WVdyN#$QJc>b}$hW$$mNr-7R<)#G
zf{%8P{qTphQkd_P3ca$~7tntbB)*Y(Wj1~BC3>1<OsFL7O4@hlI=1n45+Oo;^9aRv
z-;!L+<DCDK6@yuLc=l6EwKGjoJaygM@$x-FKr!x#<U>>sSc^D2`sbzciCD<`@vvjQ
zaK+SE<a8D3Mm=M;%((h+mA01RnZW)TQ(w@WRjHtU#H4)#eX8=u6eF#(RtD3x5kz@j
zZmms(lj$Ya)hpZRNAtDsUbOYkln3{!l4jxfcjY}swKELq-A?YeP`FCkf)*#}gz-?N
z$Z6w*7@MN`d&e?(X`D$rG3TA*PZtPC`;JiJ$jFezk!v~ay;jG65R{tDWN-A1@+LYT
zRkW%%Cix~(yNjbHz4cmWqlr5r#n+)YprtM|sI3*JsNOWfo*5r|1Htb-A7dt0nzHc&
zr!H4o9{h*(U=Y-^V%8m><M-gkGq;rd6%fU`%g6$p@P>-fKM3*!Y2zlXv9j~x`12;(
zeydV5vKiT$c1e2*@1IW}-a@%_!q(_{IxopaB4=%Z&POl}h8CuL941$_*f(obzxyQ6
z>!KRQ*wg>u{;q-833T{5!(#ksx0ld%vx~7y_u}@RxzNHbah|M9Si!B8rZS1kX=t(*
z-1;ME8;g5ap<x-qdE3^<>IMGEb2Jum{S84X`HD_esN7?;!|z6k%9oacUuVN3|Dte6
zkg@hdFN=s^#tTT~6Vz|j2dVML26@@9ztJqln6wQ`b9(ql+<b|0KK3l79?7q7qDln4
zNSo|weO-Qcr-P$k!L9}R@yB|?{mu7kgRh;m^(#cT0^yFj#&uYgJ{<trG=}eOE4b%=
zETj;o6ha)CcJ9^bCR-0T=?(i9(os(rUEZ1eG0|=6uof0zI__;l=qPUn+jcpzdNajX
zjxrJ5+p}QuTNy~Xh;;wehc{r-eJOeAxT)w{_&5eUjYXfg2kT)+;l`m^YO>SLac6lu
zjnbJfp{USDx>tIOS3v8GX8TE4!YUHau6Ie1O9BE*pn89$P*dfPeyZrd>3qLfnY~ho
z3=ao)<rDB*jZ-U@<`S<HUw0a!JW|D++_BaVk46Q58cY9KPQhr8`e|VN8`JG5swsww
z3}`~M`>kUEe9c`1()RfddkF_}Xv;??TP~=U$M{4ElD(pLv%z@Q0ER4I<h_zy*((wK
zc2l&*T?*Ub@2sB{=HU1AP{mz)CIRJh*1{SGt0d92l;Ovx<Tx{YM-4rH1j+&X;>GNn
zI9}P0wZYidh;_m&&=;OI$<^{u+!Ud|0W-Aen-+AHd5#H}KiULFLjt|YRuKvk(M(qm
ze6Qa=3C-M-Eg!tT*|q;57Il21{y}8zz5zZZv0R|n>ksDKPXqT?{=1_!WtO9dof<0e
zMQ@E&@2@WXF6$u$?L%9_V@Dhq<vo?}rDL}Bu&bb+WsEo8=cJo|5IvjaxkkRlk*oK1
zBhTk+{~+`{(*L(5{pu;%ylsviISEulz-y-aCF3%0f&u+NhB4c`slM>lQ}?WqjkOIH
ziHv~l4|gO~BNGS9cY~fdvbDzp3^(jsN3d)+AQsew)6(}=z2rR;d6=VpJw3;6;-Lq4
zM!YFj%<OtF9<3DZ<Yl%4)lF34$Bb`qulT<y)TNZ66B}+WS*}3f#vz{Zs_F&|$@SC`
zbF&y}!>qU1U?tQlnwg}z2Gj|lasEJ4M&U-`@GCP)cAAn!&FJsYKCOnfRX$*_DA}03
zv%u35t}K}^8nN!`a#pqJ`w*-zdqC9~{mUQvHtpku^2a^$2K3BaeY^O!ZDX&Cu{ij#
zE<3O1W`X;;bzMI?s)CHgv`U4Ek5QL6MND!UZEE}T30yTJ2IppEXQ;oi-KJn)=|8o8
zoXBfxqzv9L?pYsNeD6r}kY~^uOl5Nry-EJlv5>Yb9s|EVQSK4ODK-UvQ2aMk<gZdX
zfTX7iWku4WA~v*F`c1es6vTEWgKuJEx#eX$`e-#vFaI6;^r@Q?Y_r!eQJE^V&2`?w
za?O%#nk!GOr_Ww*m0()kR5NiPlu1M=t%u?l_xSRbI!(=T)YT@Z`=EJJq(-g0)m7)Q
zk*pmpc9+i!O){&~l9ys0627jwGX@_nL1bm|8?{bB(f^VS&lGn8v)<ILX_C3C?U3s(
zb~$m^T~(UGLtaAO{jauFC&_rxeXlr26KS(LHJZP!UPQM}dWP`m++r=M7GL!`y1(6i
z@qk1Nu}Tyo&vCama>%lcNMwJru&K29WU}*^`*ElXQAoDYef)P`UOCs9coVbYPD|$E
zmc$6kG=ot+e|*TiX|vJTt${i$1?-7er9VmeKp@p8ymEYR`v2l2{?C|;|7DdS_`%+H
z6yw`R^YfQaZBAA7x#VnXpFp)dMY0ifsZ@l$iYqakDT)bhs(fQn3tg<F9CX+cp^I6N
z-#G`mIXR555uu{Q21(wS@BfYKthN&rjhIy|Rgw-X-Ppg+OwC!+Fn-#39YuU<*gM5l
zWHHkdY@kSc73cmzn5d_zDgT3LDf{^k;`Z}e?I{g>`R@>=qoTf0@gr$sX`kYGMmP`)
z2NQLRx{9XSuRiP&Leji1Qznt9@xLUQhScIM1>#ZpJT9Zj6LpJxJfgWBt%F&uz)0@p
z5LMpH+1tM=2t>(M-CNXE4RGX56#8$zoc@e|4=3pTR(t+rpc?vVJPP;K*9h+0l}BaS
zn`NBif-?7Chbn7vI|&B{;!1&Njf%Q#ue!e9f5#nE4Kb)3<d|+HIBw3r-}EA8nrH9K
zT3hAvJ+SPJguta@>O9@b4}%3Xz<d<C%WH*3W$d>urnVS_a^s*@vU`;B&Nr3shplH2
z7oN};p1zJd5Es5nU*7%xb29)HcmE?=>VNsU{|$Nd|8Lb|njprDrcUU4_UPpnmH(+I
zr``;_vltG^{yuM=SLu;+&}O3{?BFP*8!i`0$iWd?dsGuz@uL21F>5sXtgZK_`H1~0
z{m#%~te$lZ{{g(^7FoV7Rby{q^Bw%U(3XvfV6nbt?F@6yfha@Yv|1mS5RRqI%flNE
zsPB)F@eba`Fe$T?>FU+4(fs%gbV@FrPU%dz`4DjqJN%KiKeS?7{BroVD|oTNe_auO
zUYKFt)x;_HR22`#uXp_JqrGM_e3&N7r^{G=AGwnkH(h<-PCc3|?O3xRT`j^QY6XRY
z`!v>1HPI8co)>^Uir%FEbI+Wgw8l5il!u_WnsfIPv>ay}Inp(cHzl8!T7i?&b3rp?
zMwvTQWWyhxHuADp$Oks8GXR$HzkW5RU;7%ZWlou9%&<toq@6k((?4!}(r788vjDa%
zu)IEhalId%&qK2DI5a;=KeSTnsAg_o!Vxl*#9f3gx1i5d&^D){luM!)r8XoG*k7sg
zpID^|OAFQt>Db&Qkibi*WG#4U$v(JmRNDBIPZ_oyMg7in8?Tc8Yh-MnIAHE3C?gtn
zDI~z_Ky0xn6_i{|uX@K9+&J}0K6z`|tihp*uUNP=cAqi4a$jYc7C?WBgA0POL^ltg
z@@euqkogB8*~NQ3Aa!Z+wZveW$768R13v}pAre5FHu~3y>8r-t3PFqAbO#d~1AlIU
z%cbcM)Ci*Svc*{>^!yM+)U#GKy{3&&kSV`I=GD1Zijca7>|tblY6ks;&#U4=l#Vm>
zL<c66d>KviFHxYyANpJ)x$A<7?-@v(F?l@R?meQcd4<K<ryKJ1@ai5XYu4TY%f^K?
zhkX6{C4&pw=H2b(oej-h>N+JW%g#18Q(7Pe6)ZlzmWPtQn(8%goUbUQLWDPmL?@>A
zKYiynkGeNLc4L=)ONhEZitYsMT<`xu6ujqtHX5(Ff8T8{1O-2kF9aTE{y_x1d^{iF
z*Cmf{+Y`uOE>ZMp911uaH)&V9genK&TlRd$EF7OFOuCH;MgE!(Qg#>7;Jgijg_)6L
z-#j|RUq~K4`8Dl+qJMg?I>g0C?ptfMdX@6t3tk<2%+48!%C)X1m40(bCsXjT?cs=v
z##aDUmR~ogD~p#@<H9dc(V8TvXvK`VqLPj(>7xS5D4Oa=M>ke)`|2PtvZmIvgjHRV
zD38#u#LNnG)J9iyHI2xn>++lv+$TG3!Di0wv&)hD(7OeSXpSj5OY1v^oTB3k7$_w=
zdzse4^&%Y`M03Jn*9UPTXHcq*uuzLOtf<i&$o&GO8yZEkUE58SMQ+y4k-xg8lR444
zt0x{10`Jd@r8YW=eWTpB!>aePPd^2xU)s<(1QwST@G&4}`-cv%Z1!440lTi<IJI}z
z3n|Zy$@NiLDY7m`afRAae8iHoNVI&b2j`Ih#0)x*;cHq|ga72~`>Eg8cpMfUj49w0
z4qsF?iCTyzDOu>M;Ja!)WA4B|dYq<+GuwjwD(0%z(pmjf7Y%jwec9XEbw(=o!bFTi
z9=zRUGcWjAWaz#RqFfm$imu|ldG*&iRrwF|bUGwXnXLylIf@6;h3v|(<nqvJX~U>@
zYt0iaq<KiheiPPiTbahiNJiD7RU9!)wHu~%XCGtmR<Jq6#H4YMwj$6lPGIRRRFtr0
zQAb~(NTZUAg1h>gIzARa9kPLg7-uvRW2DZIBxjtNs7QaV#phD`)@rY#t!ywanli0z
zNW%ths;43(rL{?##Ie|rWFA`$ZMlFNf&RsP9ifOKy{EtH%YbQ@OYGXWrcT|9O(+r<
zOL{WTpULVKfnOl4=e72<hl~dbR}Why<ctCX_4u2t#ltZE=2sa_R%@&`YP^h&iEK<Z
zjT)cX>hWC}dPN?JVIahXkH|F_a-UsZysnt9KI+FcX4di3PGpg`Pq)BlcK(4u<HgqP
z<5njCOj<Rbe*Fus(kK|rJjE<v>bv^{?j)&7Z9Bu&2a!B2zaLL$EU)uc<t6Z&>v(NX
z!<yQwOB#&Ug>-@dCKGq_l~O+x(u_v=4l?Qd3zIhUN?)tu$IaIs)CSeR+S77&ORFPS
zVy=4MOb$4=fy;ZO8a8s4&Xg)NAI8@$D(c_O(6XF*BN2;}JJu4Oa@klj&4-Js6EPrJ
z{&IZX)}*J6!k)Hj(}AIr#(n%`)RI|}d9Vf8XARP^92YWQmbRV3us6Sn?=|;hj*M$_
z(qw%bW@;g#e)hcvkDhOW1d+=6ttv}d>}&Ukfo2j%vRdA6K2}EnJ}yyP#uMgirCvVm
zPQG7C(IVU2olr3J?@YlGV(Nr?n&5nW>mQr3YNwt0z=wzNYp26-gPJ=Zo`f=IVT8zY
zQG}z@AIe<pXyWPgy!rQ#j%Ewd;l@orl{*H7YBH95aT%J%dfv$nFc%(2ae>7Ox2x8j
zxbTf{XS7;OkL(L8oi44i!T4e4T4{}DRp$4R3{!&wS~TO>dhQEfbvSbk(P^e%Ht5W?
z8mhSIq)RkU9xLwvN)Gh?h^OPNx;a@TiaL-uLElT`f=%P|gDWUvi-{knE)%M#3r;b3
zX07&{GBs(!8<t8})!;JvU+jwYh|c2lEwLg@WQW@$xG}$2LaxA~8a2*zEE{-0XLopU
zj=FtV3bF%LISpfx5IMHEE=-f#1@02*Ir^W^>vtPQDuh^<9B%a3aJ4g=r}0fG{gP;z
zbQMd~@*t*DN_~3nQ~1~AqfJimmRU7PsK5eu_(bt3oXK6r9QO|c>d`f8-18)!OqoJ?
zs>$k^`!2=XTZyP-_K0@Uc*)6w=h<DEaL|mXBTv2|W|;3ff-&j>)iN|&l8s@sI%Sn;
zKDASsEx4UtM=~~z$0`CxoQGEUy=o~mS)7pfCVS)MUrkpiS9#-F1wM(gzcqzAWT$wN
z|3OsFpHYX)43&5)4+lzj7)ySC=HPC<q|4`<dSVYX8%#9ijfF8;%7%HZ2~nua;N&QE
zOw$6X!{rq6v!G`;*JxH^N#g~GqWu(JF3LYT=mi*}d=bI6452UVXTZ|$`N1Tb-7t~K
zB_DUwQSq#ks`qV~m9uJ*$6e+bnP}vCVS9*y(RA7>dA^!+xc)Mgi(WvUg1Gv7&|o$>
z$HjY?Qbk0*@f!}{PigC1_`8s8tsp*+!AJc4!2~C=@KETJzf;IM_=3r|y#M|ojHg;m
zPqYM+eF3gSpFHU~4qR0}MrACCr2i&S#ejTG@6WjyuEzPD>T%NV@E^np(Y=D;yx?)}
zdN;4&@;``Ad!ddG;JvSj>G4PCgW%id?MLR35BSV?`vZL8t^cIoe-Z6cqF)v@#RlR1
zWnIAC)Rbt2t-9`J*r_6$;BA5|o%ppFOt-1wosa0d|1>}d>%73{*!mBGztmx+^hY^K
z?6exD+<2Ut_rvFX{p$rz+J4MuCRT3+w&Vj2p{C%F(cTQv*ptBm6=@7TZ!Y03w;W^i
zQx(!<O6v9p(a=>#N|@CgX+d&tWYF+p4nI>Rd!<jxB7Rl&)k2qUW{l(Ta*Y8sOm}l?
zE^)K)hX!h<ShRBlvq>IZxLJYtaCu#dc1uEpaMv#<T1JKgI_rDrqZJK<+9@SQ$PwbJ
zVp5K=eVbCbVw8GrE*T5b^hduXV$S3E3Q>vHBzv1LD6fZ-Cpzj0cQ*dh#05H<<lMiV
zdXCJh;KXxi;UwZ==%elF7$%0Zt)pwPf42RDI7n_&G$i{2)JU$|zNB^LY4w!sbXjPB
zC~N)`-PHSD-}`CKNE?&7l!*F(nS`V9VuKN2x-;<P7u$P37GZCk0Vgm<V2#v?U@@5Y
z3mFK8%yx7}1Wo;whmH1)szF6en`{RNUaZPqzx|1jbxNVXOO@qZh*1tdyc7J46j|$@
zpDhW)5#UL#%>0gY{%LTmHXhFSjj?pkx!GGaKqv~$D1)?o?)qUQw<QCEeuuY~e~p=H
zfF7~{vfikC969$zF%=)_M!JBc*qM@pr?3g~1TfWDyfn7QAL_S2XLAXzSDi;4dFh~E
z10l%{0At<WwMoUONhSVFK?g+(wAR^nB9vW!7j-%EMp>bMu1iB1@Yh9)wl57wH?0h)
zK4RqxZ*@9k@Fz(86*eN-`z2^wSVf^^sqE(v<*1u4x2m46avTCdOrxo0z9}5z`nSBh
z<eBma{@rLdfD@i-rYI!nbMAjAk+_BAyeaW#h?xw<mguD*>^2#r<nBCGgHF|xXGyt5
z+`DV@MFNc`fSNeij_D3hH1n=kys&k$fMWEimJBfQCdgD^i-qH+pNW{E{;VSsXB%q)
z8al?$rCH|cGCUt=qj@rq-%JZ#>_*CcCe+r85$EcA&@^9IX}GbAqnUjmBEw|p72hM)
zfLvcnRMOBLa$$|g#ZW?vNCy(?PQN_<T6ovVRY-1@f;J46FI*Dfedw}P0I-H@93B67
zyDZYQT%d$mtf`h69uYk=L<~Ne;rPJ~MMYwW-?eL0^k(4fRi$Rp-cWI8^LJ+>ohfB_
zu2mtjZdvT83I+0D*}|oEm(7r;mJT9x5)<~&8mo^3(}aq6cFx9F{m=sg!^SgeIu*9y
zoS?e!vt<7kKu6zW8++(is_7~t5w;)dSCxDb>0&M>oAnYWx;|AiXZLWxImMV~4hT!Z
z#4Kb;O4Jx+UT8+tUm{Ns`;#efU28S(&l{cYK!+P29~|<9Gy?V^@A|@xK{k2M5u6b_
z#Qj0sL=nA8n(NYK8NS!Tn(hKrYhe|My>qC{8@kY*4svMNw}d+lQsoPp8A#H#RJ+fa
z{Q1;i+Fj9Nz~*Uv`0ZyHt-`NC<if*?_#3hnZ^z0F;HbJ5_1nEFfv^&Ec&*Y>8`5}B
zeS<w_s#qO{rd08SELr7`V)j;Y{3*rm@%;WDafTlfPK_9P0m|h~dQA%YY>LA5L?BP1
zZ$J$?U5<%L-rpegmtt(b3?56#0E_*MP}YHU-Y;9&s^2Ur8)jkzClqg6Te;YoI1huu
zdeDG~2i#l6uv6jTENEd)+E62l=EbXK99gZL2)f_G=tIL4okF81za9V<h-Rf=<_#*A
zg;5>Z)dkXLZ573EpV`yBB#T?uh%mI4Albs=imT+x?cwo_LQ`0v2_+git~Pm#`>nDT
ziTIMX8KTop)_MCg7TlwG9Q(y*rn6h_X6vIuzN<YECGOtZ+c6IrthRi}u7sFL(`+t{
z4=RsJ{Sb3-7Veqtm|j^ve&;A?FT!lVjJ6*A*^YFBSKI4juIh3jpgY(ds1<;D?<^YH
ze$m;XKLQ0L?`Rz8Wtc^#e5z{*YuO2#@X49IfL&npIpPq|ACGOG>y;RJ<B)=660ZI8
zjy@4-{m`gF3q9H-F+s!wbK?GuhCs5X@E8savX816Hs%~JZi>5~)8-^X<JZk7njM|I
zt`>dDVyw6jDgUf-d!{8QYAFe(asn4Uk_J%s{kJYLo?oNgj-AghM==7|wA#GNWF2Le
z+9^%c)UUWdS%8)LmM*5G);!xtjKc6rf2RWm>`to=Mg<b$$arm3_z~>i4vDTNmh92r
zHglQ1y5+5_M&Dw&+v6r9hs}pmD@!u9D5714=RN5yMqC7(`hYMqhb<3qNrcvFFdD2T
zZ>ex=8NKOPEeb_HFwU1Pd)tv_supWi+MFZPAwW5^$BUxgUz}Zr^9vx<9jxH}lnu*q
zY`u<}iMgs}QG|=@#YF2!{RrG5mSp|w^?p9nPZx?W;$SzbX3EhT9!^*d9gleU{`|9<
zx{PI<+%Vs9o8Jkr(Ed~I$IG#mq-a`R3(>9Nk02=<W5%X}50xaU(KuI9nK7@s<Gimm
zQM1aRW+|Poyyulq1{@6OnLMqyUmw7gn(JR8PH1LB9gj4=IgNfF%8ZNtMew@8uL(VP
zFj+x!I@0E<aXdinP@&%%pRo*YiY!Snb*;WKoS!gaQxzrO5!T&Eua3_I2yTvgK2QPY
zd!-nI12K2{8LBK(_b&4qZh2a)kYZX(Vv{FAVy`=JTaj2nV-9II4r+Vuu+n1b773Jz
zRIaq7S{Z&C)5H>V7B@BT8QalK!m>H_!BO=l=_=}iOC02#Ih(!(>DnbaEq!0vlg~%o
zYAmri+WT9E8hvW)qv9IGNUGILt7>S;sz}_|_|Q)$IWT0)*pR7O#6bc){3Ip%iWM1e
zp+|flg{i0(<qcUtQy)uNNn(+z7y_v3yfH4RB$SVox-de_C<#1y93~3}(oq$AIeq1W
z<GrYC6vjn0x&|UeU%Ru;2kL&E*s9enZ$tsj<{vVW6n??}exbHKbQ&NfLS=AX8BhLB
z16!jsf@|z56<smKkq8jIk8T22STRJ-j$;3rg;Spk8ler)K<Km#WeEMopZfI3^Z*_s
zzXoObMmoN!t&9GH7-yI?-6JAAG#mnX*{Ar>Mx=aK4&Qxj&=xc2pf8A>&CdX-###ed
z-V^#IrgHyMXMN|ip-xU@4LE2VDUsn1amhC$+$#1~-hZIw7Z{v7)`j~A!Kb4tn6tn`
z!Vrjybz;fG*w9j=W~gpZ3bu4vYx3t4%7WzKl{2kBnqv2ls!eG#XzLXmm9B8k84N*4
z)}&YYyv_iXCrC4#s(wP%zdX|_7bNtG9wTP2sf2{L)}z_SXQvUC2Jp{YvDNR$Iwf`B
zB`4*q#YbC}kZ#<oR+a_6injF{o0r2mlXO<mU*r;5LTMd)yuVxk@q>d9U6T{MzB<js
zck?jD@C6E0l7RK>7HI24kLZ_c^m&jHJh3AXmiE7KP`?+&i)o_AHwh}*rC3)+Y=zlF
zIB^9;f7Myn;d~01iyIrWS5EkI0FY`XA4781^%M{)h#ca(GVckE9`TK_|11jxM`RgZ
zZiH;9Pu>JvU31(Yg9z%qu%6i-{P;*_Uowtw3SHo8RVs{Bx-t~+S^t|bhJLS*GdukZ
zRo(X3RD0X4g}=d_x{8Juuhq6#H@{9sZ0YTpq#OE2KIke*7`XCT^-CIF1K7iFpz<``
zU6}#4rHo=T{m?N1@ot!s$id7wP5QLX!p=;==_7prMSO4vOfOuwOtcY==y*Y-9qgrI
zD-u)|tII`cQ4lg+9wp?!{e1qiwcDK&8tXcTc573I+eG*;i?!)IuDW90pL?P+s4WQU
z-^mg_16TBBY;_x}-pj3*Nv&&qt*(5>;CG82$OgQFi(u3QGJ_4$pK1kul3sZ`>||-0
z1jxO)#TXG`P7j(c(&=>4k1gO9RjsIV-ryfxh*4e~4KU{4jFnO9Vhw?<X)YD@NyYnU
zX^$MfdAvlxxRwC;aOz!Mh_!1gaQyV|#!K}E+@exlFLYzmn48tlmJVDfBK>z3zE+^B
zom2Ut+De^H-MWTlFd90$i8v;IdmdK>phggnQkoUAR3mEH&?N{&uGyAaW4$!W(C7@Q
zSLqX$o11vCrsu`l^sEI>4!Z_df>O*eV@vnTf+TvuPpeO<2~N3^Mjh5!skwTTKC1cM
zAwilzX$uC^_kzDg*`MJB8b5j%PSe8c>Qi`FTnyS&<FX@6w=yt!tf;y}{R(y;$s`{i
zA*;kBtzNRt?FNJMH@4e><X_j9=Jnbg)~_dY8uj%4LBs{7rzw7Co1r4G8E`X<l%u)Q
z=TM(Wa#Z->cMqBOrc7L0OSl@F^a|b{lwKa1S^-|4dwtb+i5{9;54dfe`nAt4<sWFt
z3|MJ3=j-$H6<4;0q|NI_EaYUGn=!%a<L>i_i^Wgq%|>r=x(FScl(*0pSphJQ(1$x$
zM;l0EPE2`KDuSh^^Q<y7If5OJ;}JK${Dw%dWR~YbBeLAo7=H+A@e1#Du=n)ibavK`
z+_2R>RP&f_C~OLfL=G+0(43nssv(chKHdl=cW4rhq$e93einF2`vH{w2N5_psSXlg
za#$;6Nk*mRfH3w9<!z^n8}5+ac&D>38k%%WcbYk;xM&(rUv;-{Qj={6|IDm@b56GV
z&@1k?uGp!sFLGUHk2vid*^hbJnMD*f_yXhpNfWElNQ-FTx8w1bv}`#p_{1?)QQRjT
zb2yMAe8V&iJvoQn9uDrVJCfKOtbwZg1<I5oSYcXQAGCasht<SA$KJQpULv7Yi0(v$
z>!f0kF4KqWL7rPzgrY07_|J=`pL9xz%AslMjm{1yiVW_Kcr2#u8<Co#LMI9bHT5=o
zt<UtJ^5qII%O<;W??jtuFMS11y>w*BwNuO}T4r#7OD(m@5;v(`P3P(J8p#4ym08W*
z5s7n&3_!%3LvxVaE`vrJ61zc`<mxd^T}aRyupwsHxOAOwfB+l(r|aj$x<$Tey4$rP
z7Zw{1TypqeOWSYz<bpzd%ad%i{l5dsYrzIphB{4S1^MWRt#w-wFH#g=Nv;F}@wtUf
z%{W>+KchYd9G7WUxHl9|^7oTi_s5!zYd|lrggsTQ<ahBfyLt4Uz-o6KoYSJp0_#Un
z)wgbwcOk?)X&;R;<o&gr(>={(-Y3Y-@^U$9p3H`Ol`Nll{`7XKm;5wl$VTmqnJqSq
z^|PwS4d_fhC$C-DMk<XNmn!K5YvX7I7;ml-UPIB`pNc%;&~KU-Fw_@M?W<FpJmk)z
zPrQ(?2uhj)trATk@axHwZbx66<m_n5x~2Fr3%|sPl@AH)7q;91=8y49a<SAJl%gua
zto8QRS5I*hVGVS|TWji<$HWvTg&a~kIy0?9evUTy-TYnpODsN}WcUy(@|kEn-1=QR
zbu%_?IGw|bXwMh7H+a^@1T^f>*2P^yvCyWkXY$vFHJ*Jh6yG+14V0k4L3=#K09f0l
z@)Gk-nEfT<nqOrj#sD=L?@PqHON-`NmVB1+XR`j3`O007HL^vqa>qHNAWx(!6`9m|
z!5YhR6k5E1gJ5H}T{}|@j!k;ZPa~wjIOQs|0yEKElBLTMEl8L3X$}yL|Dbhi<N=u$
zzp5Y+o8^qaO1nQ96J4Z%lTUWK{eY0g*xy)B02JM!?O0tT3G?phXO<l)$I>$AO69Aj
ztFKTaFVM76_(~r$;3{@>erXy}FMFrLkd4z>b9x0uHBe}k<=pgZTbWo)s$HmvDSQ8X
z+C7^ybKp=b{{a=lNPr^c8?u#)Wpw;;e<=L5siS#Ii#NdZ&YuvaH*BH44|c@}l{AF!
zyvnri%{93n=-*Y+Cyz5^(_6KC@!^`?WKqmFo76H+UIfb_mQSF#b(ly0W;*z^pNl8+
zgKXK9I%b1q-ZEw%CqRpis68ydzHzPg9?X3o^e}UVoJv%8hwffPX*!w;KQTs2&Xbh@
zgEj_PimyjcV-cCwl7eWYL!%~Qjh%_;5KSBx9cRQuEjiWVC}?@~9`CKcr_Q?olF&9O
zx;lQzZ*SxAPSZsMa%j6Nc@WP?PB*bMJA5eukW(}d0%~YuAa{}?iY3sQ;~VH2lQ@4^
z(YhD|xFlxiNtht-SD$RtilY2WLNuD9{E=Ww4cOgxq`v?s@g4ntI)Fl~iBatJY~eFU
z%~7)kd{Xj%V<qNj(Kq2C1rwe|s^$k&%InqE_cZ*H7a;Hbx@I^(Y+qOvr4&J8&fW#M
z?oN0M6l4$mMoZW7%s`abOUB!5M123|nAxAok4|X8mf%Y=-|xu7EwSD>i-~6sg)^od
z-ERLkds`kH^%))xdbd1XX<Rt*j5X{+SvKaNzOP)>IicO%hJ9KeW1cvkmT%h-#(z+`
z4=kiixsiSLH#H)6-(*=s$hdYU*;?gIZOGuv5cNEzE0J!Qxv*IkHFIiO401}fdLA^h
zv>ru*n&uH6#nvEyMf{4r>)LCT(Bq=Qkk<4<wLD|JZu7m|(549hV8IC^hHv<}2#vLk
z<W>+wCO9c6h?3u52sQXjz9ISN&0f4XcT)E;(f0bSdDFT+>oC@$yri{=7;25Z@8%Do
zb)lqTjjFZ~Q{vID+du;#o6NJ-wKQS7k?~n@>Zjb4>S5FDaZ|R_W`jX#`~Dgqq681Q
zx_}Xvyej=XMwNlWv@U)Rh&!TFw=^b;=Esuz6W@G0ej=CeNJPm&-x7IUZ`-roSHXqm
z{=)YUO}Xzm24TINqx5`xzDi{u-I0pX3p~sfZ4RI%RkXldk;Goe@Gs_vvhA_G_WsYf
zq737+pUtH@1MVO;qzHU>I~noa>F;DuA5(L`70gnoF1<rUvSb1lHo~FUb+uM#UvX4H
zx~%F~@VgM$bAGJThDefPw)dvfX7PcUH?foDI%jGCReu3$f|`DHYdsAsmsipu+z2kF
zq>Fi5tB27IA)y}z!u^<qN3bG&KRtT*JV0Tu0>tAwj;<Y1FK4f}r_@#QZb6<Hf04ix
z{Q!!U%jecFQ{X)R#9es0IFLE4rx0Hxd!VYPH={df>v=H8d(_VS0B}_W2q@f4JG9?x
zrUuG?1Hy)q?+*V5XLl78SM;_Eo{)s#!Civ8TW|~R-ncuBy9Rgn#@!otcX#(7jZ1JR
z!+*}y%$z#kH#K#t`f6YFMOW>;SFiQF&(Cqg6;F_`(2+02NnUH>=jkTbHkQVyBlSNh
z#s;b(?dVbB1v{{Lolm>UT~SYiNU9p>yXW{KEv|s2_BB-{`JRtx^O|_EP8nU8cz1NV
zX0C2&6cfN=L;B!;=%WcVOKgCBcat66^FX6NH8ws-CJkHSGyC(Tz5P^{cYAY7L2DVO
zVO*$=QOapG)@g^ZOlRg!rJSND;541PjGoS^ipU7B+EG&Wvoo@9!0|9C{{ih!J8mUC
zKjjTxxtMA*H8k<NkBqM5F+U4mMDCpAE+Xa|^13-DyXP_0<J4#Yv~D*_>$Xo5qE7!t
zffH>v?@Vch(}r18ix{!Rxerx=GtyTadb`qoy16&2x|1}EyKSB~m!I&2SJ5n#8M_~q
zIMF&x2-mNC)yOZcQO}PynXHg)?9~yg?SjP1@utWZc43kV&UXFqx#YRB5r@;Dt0!kp
z(aP(_;JgGk+Qx@Y0vK1&WHveZYHYe{Y8wJis9rB4;HW@Z$98^E+2Q%uz1cb4Nrb@w
z{GzS3%<mZux4QOicPyK$*_)`3kf*WKS}UVeV+w~5?(H7=c`%lD>Le2vzQho?y@dDp
z;NEM~uVfQj#-v&^iN7&k4fIwSlB~YKI{MWzNU6!zjz^Wq@SChfrHSCQ9L%<zs1F=*
z)<VCiQ56*W*N7_MR=3M@24=hrx6Ud+a(4WO9@v&{p$N^pJrOY+m+2Y*5D(k~vIc|J
z$6uW?_qn@dyr0~e@T+$|D98gneho8i)6LPd$E}XGnBcCC%ClE}(l&0)y=8fw#qmf1
zegRL8s_7RWp~`vGRo;c_w;|z-_-MpU>330!p}A<xMLo`%I&3s<x-@_~dy5;ROJ`yo
z_1@`6a!s%!?6g>uM@{)$DLy?F3fR_fb5tpOy0{-Ys2ucIT!Ygl_T0C>cJ-P3Cp1@!
z0AHwKl+3tnZ42gvo@NklY~+mIicK?))f%Y|8)pb-GiYi3S%xqGePgk=o|C0zG(5z^
zK;u(jIkKe0@Rp(}(frhu&}y*lg+UY}+Q*NNvsO9uiS|jDWb<*I{b7hVw7jS<^4=!F
zif4yJ1DRbLEH*KfDk3I=(KCzh$cbJY;Zg5+w26=(kM(yrtzib82Qz=h=wnkm#BU-1
zoT+5Gjgta!OU2p7eD&Mw7$)qFZT|7IIh%;h+4qpRTGqMKgUC8@UnR^tdMICG?-hpO
zXUhdNRUBy4SbIB`D_dIpcg&aJBUER8Z|oLyVs*{o$~dn#5QB@gGR8}`Ftzd*Ez6ID
z%hsLS|G#V#!09bh|2kOs<FMyl$nTo2;>F=*syj$yZ2P0yE#S$P)`4!ZU1Q|4LL761
ziSxSDwP+bE4qfV3jKLa{k=+k19yNc<Xp$C|efTNyb?;Z}6DpxZcK0#=x0ri8XjSof
z(P-<Mr}+x}?u#XkMwfX?CDCJSIL-|i2GPyB;)Du64E#f(BqH0{Z&VU`UfQnx><ot^
zUCx9Hct>4%G~&{d92NX#hzGbyO1OO$&@Kt{NhAlG-MIw!h+8z=FmAbuTdn@v_49+c
z{%REdgcjZWY0^(B%CbmvGA`If$~j812UktSD?%kwMhp@fjnT3tS{O3=?fg~QL7`6Q
z2*g*0;eD}7%!C19I2O$0Z=D+ZKb-yBShcQ2@V03N9DmV@IQ$qtwPhe28>WyBhXM51
zl<c@OG>obPn_;>0bct59TN5w;K?O_pS4AxvOaML1QX^%nn2f_sDf|SXCpKcpUu)pk
zP<6_XF*r?0R#sJ|^pY9D#ZH-*8U<wv%#j4kHFiXk822SftGErZ+0z~4xmyp%*j>B}
z=4DMyYStJpC)Q%59lQAv!>Y}xh6)Y%>crZ1h*-_l-4!e-qYd@7aA6W<jD%2RM!f+e
zhuArHc!fyy&ps#N53=^eciFM}@6|x`+Y4l+`xv?Vspp-BXTb&q!PV_cDrR)QD1GBA
zOZbDr_GXvDSJK^j@&bnbB)WanShFm%y#d@MJ1+R~^)dw!mA|4>0oldLP#6+-2*LJ6
z3m(D=W8PtwZ75zfgz_IL3F|vQ1-?7{O)vQlDP5X{yE1y2%H|r{X{zWBX}=1MCduc%
zcL*cpmq|?|9VLC{>&4R+RuslWDcssiWYP?Y`2AW3Zf!RbyXs_ygzt8`<@Lpz_Jf%-
z;?9=CXBKfyp=u$T*z@JJleDYf{x<kcM-^!c8UVuk6s%Bkv0Tx`Nl@5YKcQ-lm34I7
zebTv%(5X3h%q&q;eHX^~8Vj5qpf_%22*5|VoW^t(77lKssZ}HXfkmG^BtG{!khJHc
z!B2Zw<25mnPad*J@BLI|HY#MJOc%?;&_Rx=V_p_1kTh9|qw}*rZ}am)%22hTmgGqs
zh9*m2zX9i*t?-lI@RthL{bXZgZ2b|N^9-x-zbg#{Yn<IF25Mr-1BDVRa|w<0(zDSP
z{x9swl9X$9F}krkw};mcl3dST)qyAjLH30O%&&K)-uJ$h&I0{*Rg&+mQaf0%qe%=i
zbyct7H2|6^p~MS|F<l_SBjdh^<5M0wAc*kO4lb@TuwID*n^{h+`iX0PWKZx^>eV-h
zRGeO!w5s%b13<ybx>=XSjbo0>ORj$zHeL~erJ|eW&k@x64ewJ;i6%mV(DCeze(XM*
zE<3~k7^qK0rV#xaul9Gx=D7G|IQ;5O-|ScB%M19qo}Nm*BT$G3r4k3za39x?Zf^s6
zFw{QR?P4$tp10l=D!$SC-mU%4HfOT6V!d%VW9A=}J4Hx}|5w-g#WO}V_N_f@3FW9%
zEcHy+CL;zRmJL%o6tze!Nj#)0@Rdwgn{oGOTY=Y&Z@hZlqJ}z<udlDJ>*0AbH?r~9
zaV80T4<q{Oc%_PL+TQ`rpL#SrEgg;Iwp`aQpVQc1E=Bh{1Y+d9d9<Y+)h0mm0x@h!
zqi<9a<rVAd)Q8zQs$0=9$#UTwj5BJlcL^tayb1g<N}mwn3}`na;@|^n%hU}p`_KyC
zc{c?-!Dkvb+?_ZjW7uJ91778w;^ht3tfbfH*xGn)<piu`x*xCJKxQCZ<v%Ex6)Mx+
z#N6&He6f>bCL<q3x4GlDu=2fc?0A#%XN`AQ9a~+5jYuQSa9E|fN)8q+^%3)gWvCoi
zqC`VuRP}W-ad#+nC3*rJ-my`G9aqm<^QO`smUq}=ZKlI#2gKi!#x<K_$YR&W*q0dC
zN58U{Ys>#U9!Dt>{=isF+vD<`8iy>@qabRgz+Z<M0m9{V&0)&@G9D+Q0nT)(62&|&
zK9VWjCQ5!?i*PdfX$7C5tOmmd4H0OHra1xiK>*|M_&qCXO2WeV0F?Yo46T1qCJ)lr
z;9nZX4U5$aNqLjh^-Ey26-8ZAI!=X?3L_dR*{*;i-MTobR91@(OjKGv_471(-2h2q
zwkIl-4S6CfkTxfg=w9o)3f3&%RCvF|aH!SVJnWFG<TW?u^#c&5fi3fBWHUk(OX-oW
z`00D<(bxL9xl#dN0op3~9Ih+Hip{Xg^@{pwRn~hb<r(5zZ3qu!N_F`P>zc9FPr(~f
zX}T||ZWAK_wCiFpZ4ZpWHR?6CEUV99jJIW1x-4uLNq^0()S!F##)U^ETiQ?%FS5AF
z5)rYUVRq`N7C<|xw3c_AvMyr&32UBGj2U5b+KAZ29I1}4W<)q`{#x%lv0ZB?OJX!v
z%`yWnh`Thk@O^BHdeu(KWL<M_hN21*7+2mi4KwtcnHJ3Z*v?vZW#Ffb-TK8%m42-B
z3|eUu6E}T^km|6$@M8?bYILv7=uqw`iR`%abV-(~j<z~&X(oT|EMielYXB2pEFU-4
z!#Geikjz<xtFMOK2ajGKYfcUut7N5GzD*DS1$LVKK~x|DsY<%;FM#Z>yV{v}%!t|8
ze>dtdOX)*jrdAMqB+DN`(E^hL_K>DzVSo<TTd1cA%w5r{ORoNWE3R5IeBMt5<(^Kk
z(JIUQ#KaJLKfD@W*^5zkAExWIY#ehnq>XpA++e>AACRf!M{9NErmM)YhG~|;ZoCzY
z&|2!WDZHB(UUx6T8CPF5ry<D^7W@;mS*ix~LABBIj`y9Z9cG(u{I&W&sKuBx7r`3Y
z^8z}wj}TzvZ{>CT@?-ME*W?PSnB&MSu6)JV;(}^T=IoL3E@N$xNb5Q}H4kePRUlTF
z89yWjNf|ME7IquHC;rx=)>~VOT`6@!Kwxg*VI%FdIbw1g>_Z4jzd6}ucZ#IjrnBt7
z*N7S(u|f-J2d6o7#6+<#W)OmN`|A@o)o8EH40k`t>3^7Gu51}cY;hdubTZ-`nrjto
z`LA~pLZ^XSHcJtfN!pw6vx-Vut~+uIp4CqySfkrL1ukdhSmTann$vglCUo{I<4~<B
zs3sZrs6;rrU3qg#*IJg%kvO(1G@p_kbow+jP8J7(G|#LmpiIP8e*h;2%v<o3f8cw_
zZ2&2INJ08LXtp^wI_6hN2l5T_oMaO1YFLS=-0aIlWoyo24HX%x44|vRrMiY}+lUh(
z7^MAgzQ^k$D5|BF6iIPCM3b}>824vN$)WZV>ff`A>G(6X$sbJCXLyi&kHz(>S{JbM
z7i!IH^X@|+2s}@4U}UQj*fp2RPq9Yyd6F%EM=<xT3S$Lgzh8^jBP!Hdl;~4WSh>;i
z^K9ggBC*$1;2yQ$YgMI}-QgD%!B~Z$81$iydL>3^^JPE+u0jdQ{w)22DsvZVC47KW
zaG(J-hm?weK@~A8$6mq|Ilj8g^ZXsIp($r%L~AzFaJx%a9@UXtPOJPy-AJ42EIfqi
zULLeK-)%B~r>3j>=ek_x^WEuf%@O9$o9tT<Yn{3VtEt|*Hp91Y7~NHfKx#=#bi;uW
zm7{fU6SV1xXgB4PB+>M2`1Jl$BCV9AtrB`H#8^H~C$47qbrqe0xwA0Vb<T<_m5%f$
zNEQu)EOZsrVAAwGOBZD@H;h&(E@IAk)(??C0fv#@i7|2|bT1k|cb~FVp7iO5W61Vi
zml(gL^uZqiyZxxhx>(qL22rcer-XJ)$m;}MU9R6a2fhoTc^ZRnt=KS?I43C`PXJVZ
z6n|WZSKTb4`F5e3anbHKw6{eLGO&)rsfsJA?bq;#UmE|BoojK-Q2B3}dhtauvDpl5
z+6PZE0Ucdud<Kyo2Gb&t(FM!5#-GlhS)c|61Ee9veH>$m?Q%3k+m;PUc)(Gr^7vXF
zjZJIW8}cn?oiSqUW<mj9PI;frCp7N&K8p&>{^AfGviLWwX*0Fw=DYTo9lv_)zqG<%
z@t2y2dc1JyM(651-HRy4jwUMMW_-PPoEWog+FagKbv$$%mDSXbItFtwPTgGyICPf!
z*7FBuQ>w}?KG?JWT8G!A!6qxp@vMWn3J9LCuAo9|YGx!D<p&Lv*TINt6wdrtF#Nqt
z)?Q9{HJ3I)rnA1M);dbhfW!Lj)pAks<`&)MxHz1e%p^QGT%<2P8#AyIRTQ0#dAkDn
zed1~kKIBsvdR>5Y%o+ahD4%X66MqKM6PM0^jP|i_vL*GxZ%~<3o^5#~7ihN`h3q^K
zf4!rNnA8E}Skoyyu&bvRYj0kv$Ba*uIC}y@iEp_wKr0z1WOpZ8X_{3;(&a7^nIuD?
z#{1OjFI9}2@VNjfBjVAT$Y11qOUi`)gn}jA{AFU=$ESefcWD{Q#oKO=qbv=(Zd>(X
z*-MI92B*bgyK$R^ge|<<qiGWvsTuQ8uLUfqAvvpuA73I4c_!1c`xhKz>yj@2{G~Ht
z;8N$x$?kpo44Ikap66V^bQ^Q}D|H}mMA-`vaW45`xt`?2Ti$3bWN5P)hyv%o>FblL
z-$6C@3z5bq^Y{@*%zba)l-pewB{BlP=u<2k9Gyn;DbJu7uTl0i_a`+i^_^1wM(7iK
zG8S|B7Rm36l}LN5PNt{QL&o<h3Yp%<KzfqVfx~Po>zp4G-w4Z@^~7#7+xl^5Z>Gcd
z&*tsmH3X2_>cCO0>}x-fi{AX=-ga?V>(Uz+^<)%#a8k5nZWJT%X46R<RJlF|$tR=U
z<<;quUjj3t(Ti2Jlt%KbF46|YfRptuowU7}W~Jwfx8uP7PAP9TW{l_AI6=A&WHobO
zTF{<>9Y`KPuSSYHpPSaJS%qRTsmUlr+f{)v`V5N*n6;-06MA;3z1fg|6I7t=cFiMp
zF+7?}n)*tI&R`U;P*SQbP};;G&a<>~KhmRuRTMet<-hSjUP>72cbjs#-n=7yZ|by)
zt7lUwW~SwFSkSaCU9Rg=mA-U+@;`)AEXkj{#VITr<p9doflyA{K8F+<XyP002^kzo
zmo?3XA*W!cX6J;*@5;y1Czvfv?B9HZ5Y^Q2oWlq3;*S38%m%`lrKJQ_05}I))6MdZ
z_TxsQnf-n8oabUh_cJwctIZhHa=X4qJ9g7Apvlh1e(yittFtZuJdWsAjrPw&zdM8U
zLVGC@6b2rCe=wJ6bFEanxTEz$%Zh5BnPEJR_ns5Zip&TDzb*-Qkvm+*&1;pt;awTm
z&R^Vu{L4RA>pel_hZO==W*{@tKEJdWif3(VhRw7#Ak@M041$5h7eADl1M9zB71X&C
z3%5E)Sf_F=l+i7T@k2kUP_V*{(NpZH+lbS_TE;MX)b%Ej_7liX;|mKjZ&GHW1Y^7B
zFY%d=wsdKm(c=<LR=9nx*iR5;p3`HaA{las6$LZsxNt0vn{g8}M&sTeXaPsPj9EI%
zv?`?4iI196#{~ufpu*dQhrj0VMXW1jMsQ^P&7fK3i<?=5&7JT6C$252{y%K(&o;)C
z(VHxotnA}omw_z2*ho`w_MVf}yT{x-(v~9M2=@DhZ@UvH7mxW}Kjz*pze^r8Brx2l
z>iLPzJD}oa_eg86!t~B?iX4D=d7l2X;<Y>#wO9@$0qL~InYTd%4`YuCF{b<M*F2Wn
z(Y+;cO*S=6S*j^I+T64fe1*Z*)kh95O;KCcVuOk5Cvdxy1;3i8*reqRep}oKX?L66
z&xo78in3PG_OZTwWNL%N=*QX0U+;Y%AMJ!Kb+Q`YZ97S#0)#ADP847Le#<q{!@;py
zdGoQc{x`Ta52jc0Ji%5KFLqFwJ#zgKqT<;94O{<$fm&sW-$kgM{H~LWWV*66p#lD#
zNODA^!S}P=@inN?fjbY>);ONvAJU=n+evLc3rW)^@B6LdT$FTv1@G6Bs5@P@EHhZ?
z-y`~iyk+lGQg$d&f(HA+e@R{*v)|;s?<~M?hUO}!CetKGxvcPjM))LcMj3|qS9Akl
z0|y&smRK;lAsa6K_-p#clH98pnT}|>D<10)Z?F87Gac`Wg<jofy6W@PD-y76B53|X
z@hJQKy1Pn4$*{}%zjmgD4;`W{6X!=#e6clnh#$`bUyF5d*t(o2X7O(w5!Yv92wE<^
z^ToZEDWi34+$5RlD2d~(Jr#3iV9*=+(z?S`N$D{XA@Vy1)#O!Fd9U|YGS{A9D{%3_
zu*8uw$3{@m*ck-yqmcjiDFVOIE2h;d-`dT8D?KY=UC#~bu@>0puAP1+H=3(<iD>+P
zm}ei*wmvx)TA3BoZuIh5z(-1gRS)Yw&9ZynM;`U0uBNdd^_SE4b$KyijilND1rqm(
zu_ir1pL+A=YVpbyE~{zUgVFqYEGRUum__$y7X$UMUP1s0{Nrp2MMmArNT{FP@nYWp
z){_XnJI>AjC&f+4CY?(%=SjD4ol=1$oDD@)NeaR%Mp7Xl!;XDE4o{(rrD<vB56WQ>
z<=0QpJ57;S8YAAR5qq3g{pHDc4zF$rPvXIux^vzd*!9u9uI#U}$HmzitcTN(v;3;e
zM^flH+Y$09kt#4-g|8$Ab63m-1{>{jy=s7j8?D-BlwQ|w*%KTwMIH&m%TGY?<Tyvi
z&Dck7z3aY}ESSA?b}iKH9ky{UwyVje!gEwoiX^7x2&HF}dmQjfSyqNI{=Vg#LY;F9
zQ$`a|tc~<T-j>ifAy{EcR<R4bh<BoFFH`l&KX1y=(8MJb#R;@=EDMj5E3JzX3JFJK
z_RfgicQGFQGDA~G5RKlwR8ssZNKq07VYSTm;p)i2CW}?)0p4+;%CS5@J<(Y-d1!s@
zft9>sQXz(+B?KJGSx7Rxz?(alho>6EREY`oWWjyxmCm{d{CD+Q|Ha7UjrPtVr{=OR
z6xrb<phn^Ic&cNPgtR^5#B8g~wO3(Rb^A9_19EOD#Vex&79qv!Sb=_D+{RZ&U?!mZ
zM`_kh_3*f<Yrmb?oK2BdOEF!YlRV!Ac!fdLWlZTJr%_&C^w^;@O>uB_HUo;mhi7J)
zm<7s&p=m|o;eXwytpK`=kE$h+O$)Mj{LaYd@-p4Te~`vx4+NM-RY|h)PC04NQ~Eo<
zcU-1_c2oBb5wMa@Xo!PS5=JmhrzlQAF4fC}j?|bY?t1LF{##O><9jRvy3J0&=F~#U
zZx;o%tCaYURMzQI?=lwFv}>-hM0y!gHaG5{E|L4>@dSKHz6!xdeSdj1a(!p)b9pG2
zy`NnogOo&EG%JP_5(_k3bAD?p<0>uB?l&QG`P~_>0!Zw%U)el>eFSuw@!Aa`x8AJn
z#jjxGFOWWsMW87us2Qx{x%f+!O)EaKv=$<6Zu79!b2&OPLl6lj>Y*W^q$(tzgi1|k
zFT$=d*tG<yqkHngt=94%iZqPYW7|u>RQY({=CZb1newqgn-rI^aA(gx&mzJ5n?mW7
zrlCzwLyS81noirD_$4QZk>RWu;tyyjBMG)cSjI+B9L+Q4Kd3kPMj_+y=$3y_YAP}>
zyLf;0RKLD?kPk3o-<C_lF|9`EjEx`p4rE$LDIZs!POIp0G^f@tc?W%{7$pI{nv`{a
zLC>lol#xuI+|Fg-c`6XhvmK$R>i?dLOj`5Ku6pyXZbdy@36%y+>{=vh2BW2Ee2}y}
z?Ijg4!Bg1In#Z7)6r_bEdO4kXc}1L`)};5hGSN5#LBNF2p12AAHW3IJ3+@y9cZ2t?
zZtL^!#!u&RD-PG1IYh75%PFz&D*Ve+9Nd@utlF~gjj3&H?9rdaM-VHM65BXMS)bhN
zX-u5y3oE|nvu_XjBUUP<eN!fsx>i?*idyR56Vns>rjo!6YMxrHJaFkhDerb<xmIhP
z$0yTWK(fUeq6iW>Gw1zo#&k<%t|gB8a;7QKvie(a%@(>Z(69sGAt4OZ1zkrp@P4|y
z-tb~vZCuhEkFSKZwBO>=n;`=Ae9FyogGW%0sK;Y<20cj5^YA359r1Vlh<KLc2pkpS
zq>n3~V7GO+2CPS`G3)zn?D!RXPqyo3_X<>dQ++|#>Gcu`cFhZ44$8R8NvEXP6KH7*
zQ`9*Xv`V3E0MDB<-@pc}YB|)X80HN7-;~Z%+uwpAhE+}P9PZe7O4M^V<vGh$Hd{g~
zQu?&ZZbp4mHZkL~jsDSbSsxRYhVUpXp^SsQYp-T+u|p$W0)9YE!5uRM!87@?oK{)8
z*<&SVh2^H=kFn}+_Xvou`uTkNXK_CMCP}fQB{$D4i@u)NkAB0>fAkn%-Rj}5UaPT4
zT`rUzoV=VI`6{=@%WQAgo5|UiWfmLZE0XHGDru4wV;1z@Z70qqK0du_;f#O;ky65c
zP&H7<{gnw4LsIM4Uc{vK3YZd_UgpJsn&xDC-6x2Xw+4g7nQf4d23_%bYIni}EvoW}
z9)<Sr!EK*$+yT!a#=5pc=4J<B;>ulv`K-D1j{YF;zOAcHBrzCQ0CgnOU8Eyzi3q9m
z(^(Bm1r52%FfI*c<0df5R0~`koBw)ie1(inc-R~j-7+Q5=iO53*lN49$;e8J<?Uhn
z%Qhra8k%)~HAmj1!|_ZCJOOAhkC?K`^Zuk}bOdL7>dH8H;N1})Uhw1|M_oAOzb{Sj
z_qk%xbI@l{ut1$!=Mj!W{iM_8@J)H#yN055DZ9KzZRI5Xf#A@<hW0)(k1x8(jcaYe
zhCYsPSinf^F!pKypAH`>qjr_5O-DanF@<sg*Y?!_@6q|^hFJ}TC++Yrb4z3k<XQon
zfjY3c&pp*}S6~?HT|ZLM>+Sk(hX80=fe!27PN65mF@Pi5lFVhgctg(uvZHNlaSR67
z5m;Tw7K)x>d?ARFq@9>3WJQtuRNUhh4gK|gczi5C{hoAobB2z1kZs6)Zi}^esmwHB
z;6<B%Y20=c3m>Vemzt&1L@K{}-pe$5nlC6A@i90t?GU4##M5T6!;z42&iF!8^(5CR
z?X>t#4ND*tmr{mG$Y=6*pHnc&C?#@hG<>&lb?=XU3J`|&2vWF%n28Nrf{!E!P;cXL
zKJoeuI}w?Pi`*_TcF#TB9#9L}9x)4YUn%C6_HD5OEz2H;pv#MIO-U&=QZMhd+t2=h
zPN9WP?YwOcL)co=Tc}6g>`*K7<eBu6w^cd_n~RqX>E2a_Yqe89Xp*3Hq|$K2--FIq
z9w>Ht&Y)l^*;H+Kw_TlFwLq1e{1H<rT4OPXK!+>6((;E$_gmzi{*?rPMxmTnVZdsh
z$89oW<TUQp>wC(SS;zfR_D)!(QRK|F)xDWl`34Cj#N|`*#x5eE<<F^K+a?|tl8?j#
zgEvQdM3y!kI_>}^4qK59GlxP6wl516`hewJhH_#FD_0H@6nag}`K2C=n?^yw6DBu|
z3haMSnl}!Rm0EZi%+Hgr^*PFqZ`d+ECN&4^Jm{bWi*Phs9)QB?*T}5xm?KI0gg+su
z$bV#;GKHgsnft7Sj1|Cm5+qtS^r6{KbU>>crz1D*lb6KxBFA*Sv|kGyDoRBWnWi;q
zb-7YDO)1*&{aD_k>_{6NoalLs?yF~?49itqp3YypadsTeQ%O=83W|B$&V@QcNu7MA
z6cpGhT$}sWrf5$(J>FG)A`U&L@F-Fg_*QC$IW6)lFBQfW%`gn4Q+2G<o#@=-H%VEA
z@`;xx^@6Y)LFom4G27G8@uPw*ezDW@CP&*Vf*+oJ&dw9BJny&TZnc*VKc=g9LGXM3
z{YP<|;Cs{aN9y3tyvufd(7!R>sT1GCv)<>J-DPa2YF?p*TlyhWKl+He(x^a#BnsH(
zyWmg4T8tLk<Sv4WGxQd)_uLjZZFThM_Eo2Dn!uWBIDxz6q$yh}ge@^(Uw}KLV7{9(
z)H_q3rVj4cBBAh6+hMs*kdsY_7Y(+CKFzU#bID#~=m!3(LYx6+BU5eaKmn5n4?BY7
zzF%zqmhNqK{TxFOpF!uj7idw1%V~W3DsL5CJ>{ggi*DooKq_@mvTtny5tnDpaDc<1
z-EtwL4bX=pr7^aTg)fL@2CBpt%|><JpAXM>QQ`fm3w3ha1jD{)f+|=0xdhe-FC(4(
zc_s)KJ+;GFf*y2q$xn8b);&~p)poXUGuO5*-Yer1(oHg=pSUWeoC;1-sgMhC()HvR
z5~$S$F-8~1snVU3Kk<7#v0U`mM3|?Yi<j8PXC~H?bA>v7izhU7{Rc&Owv^Oq5UHR%
zwE4Y^s%#0;uuv|xSW#-tUN2(+Zlh4Q&N%$gGGru_HXE|<a5<syQ##P%VsjruVB7td
z+{=;M#KJJ9kNE?dikr<2UPbrLqh$p<;hanru>sY}x|`v$RS5;0VNW_CdcSIns6sdW
z@c=!s4o?@p)4#pFguFz5q>|jaI?SzBOOTDyn(v3wcKCP6@%;`twI(=Z&|WsE*Vn79
z)>tVt!5TPA$`T1Fthmg=Z*?$LRW+91Ey6UV@f^hPaeh8BXInA<2&ZJ;Pyafo2tP7M
zTQ6NNfbN|E<xuYv*8?$r=NUP|qU(xfd|=9Ig$YV73r5o@_YS8|IC4!NB_e`EqQlHi
zQ=<)uwPLpqKDwAm97+g0_%yn-z8QK$8uAXawYX%!V5oCPfL9wdsRPz1gh_5-w#%!{
zmw$kr&D?wX*YKcra4=1U)Ex8Ht6l~6T(Wf6iS>^AX7p&vyO^sPk9iq`b*E)!GHJ~j
zp5a;)ED@8mj4Z7t6s&T>Y7r5CCxw;95~d=fc7wNj&8FcA61^_3A@~isOuZoNqC|tX
zC8SfWtWBUF+Jo*|d%eY#BRtZqZ-b4a2Ny4o%Xyqjta_i;g48b*uT*;$o2g;es%HCU
zns@-4Yj1aUX3>+F*#+NoGMd6qrXr3~RG>fd<z!sHYqS-VWPZP6OeHk5{_d4%=kKlj
zAg8uR?JTWLK}SV3E}i)C2X&oe3CM6{UcT-zrQ&2GzqaiAA#3S+)UBbLYVdEWtu)7*
ze@gEz;2YG;XlI|YRN$2g&oGBUES5c5DB(L$Ut2sloVjRTe4uKUhOl-rhnKk*7sz1#
z95-Y!6-rnI(l=p-&_5+u;I~-WP>JYV)vrMJtCn;xb1y%aNvGtz#LoK45R&%35HG*a
zKmLP~Yx~jsrcm~f>X)<X8+*5Hd~SUFR^9w4{YtE5%{J{ij4%|#^5_IFNGvfcE!}pn
z)ll4-ywA?hv2<Cx)y|~N#xd^Zm>V7}1Y5A;N51e$WMTq9ukw>{C4pDmBCwV)An+Z$
zf5=#M^`ZybS~=CWRZ4nK7X?==-vZ3h%)M{&&}S0_==3+3#_dgkEk>D<I+Y0qLpi9e
zAtH?{wix<^^yaN~n!qdp?CNuk7zS5CdrKa2*>+!nHE}Ick$TP$(~!IcFKeh5Hd_cN
zy-ql|#;4&if>7<Swfoj>SiBU7W5JZ+bshgXet!Tv-d7{(VBOjTU!aKn9~9Z7qYGvs
zVG56LLVO7KjSM?<@n8?tFMa;7H#yQr>?q4xz2V`b{6Q~Q>MeDVX15BXf-YhkBkFmH
zIa6fGL@G6WSX$;wc4g{IW!J~42xuGh*sO<bA8SyrKw^KfbAP(PP=={s5#u|{UT*#=
z*<D6hN(PsPf^v1zTB|%!qkdIsZl+3k+Gx4!x76+C22S)S=ZA-BeE4h48mupRZPdZb
z>K^AGfu+!GloU~a_XG!m^=pEpeQvG8J4ew(-RKkWp+fDi0}m<6nr=HjH$CoZTxQ`o
zsOt9S3wfgtPm%T?lst2Yp;Y!w{*XuBZcJryf($b!(Nyin*lYw(ue6WSnlG7p`h1to
zmV{2|-imjV6USlmuLndiV+_5J7ma$hP4%7c^lYU_oQEg|r&2?XlrLn{{2ROOjC6tN
zvDm36lO@#2569gegO^fFKAiQw)y0P`0&<6|;qd-OrR7peD>YE>3Wvij#2fejpq$>i
zyC3+UgY>x}`bD%~`N7!AFtsC`U$2+Xo7Pl>G8vY9gnybRH77qPNph{ETI|h+ki4eP
z=@zU3^0%c~{05Uwp6tXA{Ph?f2QU8iUDF-d(Jv(^6Gj5=7e0+q%uSp1I|Q=-7_J|!
z6;f~ygpuEsjAb+0UDWf^Hy`Zc@7C*lZpn=9_QP!tU2T$HZL-+=0D@s!Rn*O*CpF!D
zIUQE0IZa{=2|y&Yt2C5n@72u2bEi_+ii7Z!W#s`qIr=f1y8B+Eph<C&9e`=$KPX%w
z_v>|=Q+0luduzjn0@Iu{QKucN)MVk{1(*B3MpYjtG!b?Gpi&S2JkT>1Nl?$wpm6m3
zsuLU)+<mn)$5FFVZ+wgBEy_MOX+Gx&83g)KEAg2L_f^fw=>BI782bNO1Fm)`6En_v
zLT*;}x@fMpsBE5y1j9!&;<9ZesJ7s5R{_`S%-00r^TpFL*0UuVgfY?8D(hPGTdWN`
zKIoO2n6EMquF@20M-#UinGM3cN~3;XQ>x%8ASah15Wc>;<xbJ;(0MDzrEnu@qfiIk
zx_oB>B~%_S2B{+~=^KJb0hg%WT$>vG4rEheC!v-2j{x*X#L=pm53aGncEY9W7H(;)
zdAxbwxIscOozSyLBT9zy%ZApDYjdRz>$tTFXOtArJXY{9j!bX3tl}gMp7u1iV5GfH
zzm=^7-0TCJ)p(J3XH6DWbNF_zRc?w8Yv!GH2!zWay3Hy>oHvc}cVbvp#M#FidG)|R
zt^K2!Jkb)LtpXa>IVP7~-WJc=_7-7(AX|$gr${nO@bE>jOtsT|_0=!*%;ysc_RTx-
zDAVq1cjUFN;5gOacm3gOyLZ79kNd@Yb&E*k{5vt1vkc*Q&916(phBhRc=15gAk<~W
zmrNGpcj1Qx^Kq(JRwG^5e^9MiTnQc*7o*XmdF+j_iw8DyRZdFLIQ7Y3^Jo)5;>PIw
zU+I`J$&;4+KBuJ60BLKQ7)XbbO0SR^MSHpb?tbc*kCWL?C(*kE=6V8z-MSz$@{HtI
z891q9H7RO>^Dnh@aQe$7vu-tOHKE`B@YQ(;=o8Yp?#r9~gVLA%#is*#wO!ZTy|*<M
zKW?ee(rxehsWI!I6rHrVS)E#<e%)2%sttP;=Qxv%l8gS}fXu;2t!p612F5lPe!9T-
zHV(2u-@|6eOW<R?j1_itB#5Cq+~r0OJDbcgle1ripSfCD^D@rkGPeksES9}xB7aX8
z*YA}h21>nkPY}C#5;MO4dW%G>+JtkIPQZvt>E2^0v46;fxil>xlw=V36L%0jv96ZJ
zVD%YjgTF$2?tGl3${T*z{aXX^Zx4&0mDxlykmSj<%OKN1fT5cFZEBrymt<nar9e`F
zWXJHTY--VOWs0))jA3cJVzg-^dY>5Jtc;^QA})cBlk;=#^=5JZF?G1+8t~-Z;hsYg
z7^6o;Sx^Ba@^&5?Oi|Z5_E;s&Xc&VTl?WoTk1TXL%*-VZu>8?IpYei%CZ$eklEW$!
z4<WZh8}#m2Z%($-L-jsP_Dw3qxNp&w#2fyxf<3O^v~DQ}ZQrbU_hlzrc}rtc?8ml|
zZb7U#PUy9{lxwV|QKSzY&o`J*kTMU2e5)x%FINRaQ$MZ`x|g4XG={p$C?y3$+?t(f
z!Y$wzm3<B>!hXoQ$wXy_LfH+FlbtwwrF-}%!^aAsVUIONK_9<8Y<@%v*(arU)DMqi
z4CK^MzUaLB^H@edXMLQY57!Q7=~xEtn#JsFGCLel4<);0U4}yQBL{%*f=;$2dvC>x
z4d2gsBmY&9QQyf_%W`^t`&_6}9j?(=qevljF)2SQJOZN#Qf>>NgR&i6U;a)3dZ-VT
z%S7kY4#GJVg3%ps4UABk3bt?5Tv%fyq{wI6Le(xkh}FWvTeFy>^LNBO<2>+6t$9ok
zm&;hqAaGs9@!`Ti`HY62IBiZm+!FQe+rrqD9wSE#>|1Ab2J_5=54KLj%+tE*x_Y9|
zZQ?~ur#cANqGyRR0_t<K6<+p0z?AvP*J<AiG@lZ7$5C=M&GH~cB9Fs%U4{QomEeEg
zHmzxX;Rz=Y3{?#n&qn=)wReq?AVsPBgTV05)AuD)kjFtP&^QFgc-fL7MXqs<pW~z6
z`omy$C`NT7qO(w6gqT-fpQ8N|uh2U0WAs<CtzyFt`PE8|1Yoieik!6Xa~D#laT4YI
zOc|y`2J&E^7w~y?IgEX-e&J}yS7&b1u&wfG62|7HvY!{66&#BR`a4!1u!l1lqGk<e
z$uY$Crg;~}nP^9@EfHON%C&zNGHCtS>4etXd!}<}aHfN5!_l7Tt2(Nii0>**@0F{;
zCD^(pwg~%C-tl{)2_?bUVS3p@#g2GAf@mI+0v0J<K#(K2wRew@B4S-0F`vFq`8aQR
z@`)%HC(KsJ>>SB5g-rWkgm~1IoTP1SiRnd(Ckdlbz~Xi&L~_`AQ-go`v$iW3(VT9i
zKXYO^>xyQzRngdxVx?emY0Z;c>k(O0_{)AYb{;@+4l)1y@kK`%HBGn}o}T%V8)dlr
z$>U@}&ogA>>800X@COB@fONS9p5~8)kB&<<4T~_#I={23%Bx^Cf3ukH8#U`F2$b7>
zx_g6M7hH>N7H=od-`E&~fO!hT$<7xhn|I%_tob^4^W|m;*z9%Hr=CM<mi-fv#4{4A
zZh){AWXZQ9{UFq#lND||i(`7;$&qY7LfnjEK|IDxaI0aHhCIt2GOm@eBW<GtY2nUT
zAw7N?J8kg>XUt46y30Wn1l(I21^^R~lL-uhqBT{d5e|ze5~lmBs?oAV<tRZ<JkJF@
z4et?CWspON*6HeIlIcB`_M16thq=|Xz*ylK&Fb~UmS!EkZeb(456UGc2uXj+bMF23
z)T}mZ1@N$0%eG9aX7=)Dh3Vf2`Z#QUkJqnr=UhDf<Y3m;(t@O>KApfC#Yra|=%3sM
z11HTEl^aPy?|DXIR=;G2klEVST`n<DME0n3`e1SCf8;{au%Hv*;w3oOBMfe$1=<u4
zLDnMIC!33hhDV!qJ2Jq@VIT24C#ylmzPbFl@gE$N>Zj;l=uZ}|+Aeww0QP39TAa8Q
zTw*AAN%{%@6wm5_p4~v^?^zZ8IYeT;6N|~ImfTsuEYrSVJSh`va-<&ux$yg}la_%N
z=P=^TAQbKxD#DN(=CJhUrA3_T4B1Id^QaC;zFLC%sEV36ho_FK)NH4CAl+>Jksk?X
z(bK6J6j$xcW`YaYQ@k<mx2szm$j1@HA17WX2jpfzZ*6$3^5eT%BecD}#k-m-BUqR2
zNHwn|i8-`Y`c*Z~Y$F{WTy{}-QKUY{gxLA%#T_yBuM=UAHrAT42x6oq>9WUk{XZyQ
zNbp@P_ni|!vd^9IJ6vr8V(t)6M`I}6(PEGOrvUR1%~)L{&jcYC1QGb(oq235R?Gtm
z-|=%6$M*JU3W7&6o-pT!$!lk27{j#_MhO#<nbO%>2jz%5Q%c7}{9UcH>P2dcg}z$9
zlrv8k9ZcXRX|m1k?S~;z7mxWD2`rW;a$^?IU@6;1%hU*TEU9(|mGCXO1nLg2sDDO|
za6RR;M^0d&m&C$<O||aWw`u5i{tWz(zeDKc@`m9AZ6MW8U7jZy?xs#1CY=sOBS48|
zk3j1-?l0knLP7^B2X@8SP+b)3povzoaC?XipgV(SvY$tbXIZEq*SbDMm*$&5<%(yb
zJN9WFC5z82!Cj=ookQi=+WD6_Kpo!m^TX$4FgO*e72HqH5#~2`Av1IG><X$HO9`xV
z+KS+}I-`xTz|rwmvPHpY>o)lnZW>$0ZB;aM62E*&N3W%m^f|Scx#y6~lKu<ozW%--
zi;RHlAC&LAt&&uv%#Ij)i4e__dSAenW_3xb?dQi0r}X{WD-dMl+B-xC$AyZ7*I}r^
zj4pl4#{XivSWm^OAJgXV*k`)*uEAU-u*Fn;JTQn-5P{?ByJue9r!z9OWxs&c9)jG$
z$A@i0kEptZ&Y&NjXB%@|2mVdMR8p%!4Z*$RmG)_>=<)&y!@^H0LpX~u?Z{&<Rgy@e
z@9OA3OKfyXkJA8wWiap}X->V)wH(<)?qiLLf%G7Q*y*O7Q&=;ZZ-@ODw~(p}?z-<Y
zXiizd!e6l}md-KpyG2yja0#R=XszXxd!3R_X5*$}FrKxTu)K&6kg{)V8t5ZYRVxJe
z7uX;5>eE7X&10h4Cc=l5itMDu(+o5>zqU(Dr>J9j6iQCP-{P}DV<VF5l4uQ}&PsL7
zg=Yajf)!J2JFz5*h|UFni9ZS`!(L@l^?o_(n7#876UMVm?<f7ZW?3!q)p5PMSWP9~
zH>^041&Dic#TsN&B-MXIcU3IuSY0HLdr8vpa6?4+;sV8)Ox593LvwKntoIhy7V>m4
zpETPibgf%5-mXOwaY$UU!7y#I#u}<OK;Z%E%g_BBC6heZV(3nNOi+9VvK0;-dKSR2
zCh8dCRY1EfR`9cqggp%eT^Ty4w-yVVXa@?DqC=$(D)zXq@7hDM`G8GqNNYvQo(f2H
zv&{-?1&!zK2Mj5EC&jO(c*AXrK3K(9t<-*VlwXyu2z8BAv?Y-8D2p;xK?oR3x7&)O
z2{%^+_OATw7inOK8|^w!Zwh%>y;!gdVE5am+J2U@ex@}-Lascj3_)WgTRA}`(J3)E
zj<Z*?@#cVLZ+-aM*WF2TK6zMxcaNc8R4+z9ewX9#DWi0Pl>ptg1Vf#>RVBP9#{o`9
zTrc;!-Quv}`tJqPbX6mtN`_7NI!T}31XS_lFqtx}jZlf5rE#DTJjw?*(J8Cw3r;D?
zXyvfscZV+mgSC9~6NFYp@cr{ZH;(#{Vwfs`=XtRdU+vD+v$6MOrCH)qlD1hBgH_1j
z)S0t|MwVs8)<b3Atg_iof@22q@S;sqTd&265CVfSAHpZCDCH($<{38VY$V$3NMrow
z1sU*7BlaU0Gu3%2E{^ws{7k2->uk!$rFwO*dfcQ-*=n>#bb1+LgL2|M-`h%Dx4|u<
zr+4*B^IETHnf?v>T9*0B{p{o^>!(%n9gl4=e?Xa-xp^Hw)}Q8#+q)ANZ3`z;f3pC8
zZ~C&+azrF>e8g+8@oN1(!6vt6^Y9H9_wbsTy^iv<FJt;N@o2qcNv0R1|Nh21P>^`=
zXxA@M4t<Z<c6D#n^MIRjLhviBeMHr6X!}~%?B&=#1GZoYX&akffKyWhJz*aSmDqJm
zwbq%7G9!m@Ru~8$DWaYD9&<(6l1&453havdxfXpIe(yf;f??(S7q5MBh$s|1u$frO
z%F9%%FY-kMfx!o2{g~B#Pky1nCiaRs`E#QAt>xEL_apd+axSl3?faKB%Uv>-OGMDA
z%&SY0bDIdlUtQ|*RkPL;ALy|H>1#M8VV>ot&kD0CSL5#Od&0U0Kx8ejk(fakH;2}o
zxY%%OdeDYPQGd~^dY#ik$5MA6gFFYLF!xx<ov31DaI-hx3InJ>NKFHEtLK}e{F>F(
zF0xpFg>I0mF)zAJf7apNl`U2LZ2#%<6ju+))HQ+7-kqrFy95ziC>YEy8{G1$-gK^w
z>h5_=&}>hY!5|QG7gUH_I`Wp}M^Vq3pr(3|on@KrAE>0J#~R5PYBr_T?}anxtHoJA
z%l)><y@Urm$pQ-1iIA9F*PBT`@jL~EDockQSjEtjkmL9?W`-SR^XG*EO%w5sGl3^v
z%h!UL{$iGHhxeWe8vYFVp_&#HJh$PQGQ}M_@e4a?H*==<{?bG-<mM<r-;0M&u=Xse
zR}zi#rUo34{oV5J`DK)rBsz6ZUpGBI-QRB$=2fqKIc$Q<kx>3FNR0hvxY+z9#3e-T
zEMkY!r7}47_=wsg2A{6HsNHpnbvHd5;~8XTLlAnsRCWGDQ?W@ZF>B3OndjfAb!Vo*
z!#<Kyw@$|QMt^3I2wknfH-E;-ttB9F-3eg0bFb3z-QG#n6KnoD#?f?cE1EFAd%jcs
z9e#c?lyU5;Z98dcbTnL~A=~Dq74J2pC!w;WQ^=r8RwyY8dW3}}`ScHsIC`z<?(fJc
zJVI=RgC>8QZ|a_ecmtRUmJJPQ5o`V}ja5T2mXdQlBKKcJGAu|5!YLPH_ROgNWcXZx
zYwfZ;7b~L04``@V&N;>b!pSuh>00i!NBJ3*4wE$|ah3V`zpD&WXk3YO?^036iJs;k
zFTqZUUV`6Sv~BOj7ugY*Q>BS9f|v^#v=;9ZxMTH<-7G~@2+4b)f4R7_1n3FpN5p=?
zqE5*EIh)b4<O5S{!`0+058f>{MWQ=lK#POtJhL|I_8tPyEv<};0?HX};KcDzD~(7M
z!Z$!`01+n3VE|+PfP!)Op|5a>FM)R`{NF6M8vw_Nj@J(E!5-6f+TNjhGFDLC^=0oB
z>*OH+Y3;WWrwhF5VHtsJQ4R*KI%;G}<~r5~)7qt0;$N8U-?8>m#k7_UPiCC>;*E3X
zSQ@I|u%gFK5gC2Z=CboNwToZS7Dqk56C|8|8L)swF@8!}Ec-wYpyX?u@M=?KW1vi?
zvy7*w<xg~$^T=68#k%K#N9w0hjX<3`YFo7EuHuq&^zc4Lpej0w*NGH#-E(0qvQx*E
zM3nifcUDC4(9@`=3yHvA@wIKC<|TDo^`|HxfKSMC=AKm6*k%|RmQrxMizR2L<a+(p
z{M9d3@d1=0an_A{_Bt=kk(#<eR;`8^M$tR{lU|142v&A9>_<)Mil<h~!p}t|>U+>c
zF@x*Oxd{i{kNva`2zO4L!$#=nm!EqhJ9}Mhktu(!_IJ6lmd72VHlD9_91gH`e?q`Y
z!+$Rc{N%OSk@bg&?o$uuI*)@@V-dO<W&p9rX;GovHy2oN4qmaQfwBaZpWS@N^Aeoj
zEzPRgo0fS9@p@II5?ox&q<}(89R&tE3xUkDGl;NS-K4QyiHQNDq0FL9b>pwj>-c8O
z{rlKR+7i}t#iyBPAUsV7QgD%6Bi*7FYnblj8}mFlOUMNA6laDlrjKthk71K@7z%8P
z<lZ_LIizZ}@L2Bhb$Fj}v$58WLvOCtx#`se++-esU$;R@8Z{iwT}Xv-(t6-?l(v?!
zENuvD0Eguq1{52ZG-YbsZ0Ytc+AOq2d{D)TSZ0pRJ)ibl_@u#A2oY!TH5}b14H0KC
z$jqe9QY~VcWvrDxOOH*o*x5aP5}eSF-e(F7aM{SgfV2v*34lMR*tu~Htt(C@#>a0*
zncC{1jjTL+^R)8Q$nkvjP#}o2mB8((x{)s&bD5*iBI;kJRT#DM%7H5+U{%@*E*J5W
z;F;;T6(cTkngW5%buO+{I%x4E^O)DF{IyqvC=K_RgjP)*e%Ul!R?$1z!mY)aXxYV%
z!=(QQh;ZyS0k2~U-IqTxq?0J4qkyf?KRK4Bi_jWG#lRqxkV_S!%#NUBk!1jLY2iXs
z@no=`t>GXHXO*-FzZ;w)HTX?}rCrdzT9^x)S6BvXB9bQ+f*9uZkTs6^w8g*|teM9w
zO$mm+>>pTB|I6N9Cc{@*L=R~_YQ3V4iOhqpp|(Y3pquBgd(`ifQkgj!vd5;m9{K!8
zf|{f$3)wXlV^ZC>4UW}2NN9Qo!|>VMngZ&$!%%WaB}=5cwX{U+y^NUt<K|i@mHgJm
zHP}0&jL@B5pVL#5k3l4V{>t#wn3ng4vgUALse-j@;{6+d!=%`EGJha4+7=Q<i&2GV
z3}`R|{9%M*xt$2YvMiE9>5Km2c}_k*P46I9+`8^_w~RYo;1Ux#4IYiIRbf(Hck!`F
z92h(|nu>ompuj?sqGZ#e{aF(n=g_neew*!nAA;1FB5O_L(B!Tg(S@1+dzB844jhI1
zm4a5f%C@Hq{F<K3^Qnfa*m<sB<%>8?8Z?=q?_jii!WdDlN#;K&ra?+GuSwoRg+H75
zvBn%V^z;nqqm$o`&~ARVeZsu0(*Utb_?b`o*W7S7x;rjeCZVDorZ2MCk6J}Nk^cbx
z<Xh&SylVIOHQ09yaWeTZS7b11cUJC}#~?@wMRK?9`{HxaxVwWfd?8uvc%Y_{*$^Ku
z60a`P3#cmTnG`5mOh2><FLDg_5i6y%hr*XZGoMYXB0~L?ZV|b%?^3z#l`s>kMJo$B
z)|GJ)e|CeuV3M~WMUDS4Gb{<f$(0r_LQ%^9j;K8*%VURUeN7xhS*6Jcb5CT~X`3s)
zqlpV{A#*A(_Uu!=Doisu$TUfTZh-C7SRN)aw<!(~?tx0+c-0#L|L?QVy8LX>E9W1z
z+L#_9kTE-bYz_#=y?(O2zn|Gl^T?1Uv+?-D5R$w6;&~qa*HYA2raxG~!VrM*jkbWw
zP4Qk;LG<H_uHdj^b&6MuFJP(t>eUaT(}g`7;<@WM?Ryz}r6ajF^fJrookMRvy4G@2
z%@*}XZEWFr(K=d&%j8<lt8PC}Z$I|habDNe(F<qSaTK#%K;}7muJux0lP=rEy=+S@
zmRu1FsPx=i^ILUqNY$|R&63>aBYaj(?|AX)KX>Nk|8-~Hu5%BuWFGz;Vu`)UJbYUj
zV)?*bxTimePn<jB(e+h;YRV^zL-j7#LHLGpa<r+jfO+*q_&Qi=24M`Dq9J;Jf-4|V
zJJ*;~(MO?w@Z&PC9|D)%KPU;imzMSS3%`rQS7Us?_J2^b(@+1P+#Wx^SmDEo`M9us
zSt1@>&mbl@9mu-!XLT6=6J$?eud&e;as$P+RL?)(9e%N?lza>jyXb0bqp5tA_WY1x
z%6Pe{Zuyrda<I=2I+H_ntlkpZZPY%mRqQvJ1WU?_{2#2nRZyKx^z}&+EV#S7y99T)
z;O-pY;O-J2xZA-YxVyW%yF+k?U<c=&GgC8F-&FlCroNhs=cX^ax_Upo*V^mXUfTpS
zQ2>B159auR$C8~$lOQ2OChitz-}0-BhQt8Kq<>bcSP%wnhRhZriS&bpt|2l_RtC@X
zU_*B-7sy%VEP<qFPt|bK(jimQY2V^p!<nZo=;s>xr#vX0USSw<sWl@xdv$G9uR^Kj
zM&|}SfmrjqkDNsy&W6tSB~^0}M#l8_EO|Q%h2Epp(-q}t)s=dKCh96nPlPGgEM$$h
zVEwObwByp68+5vkg?SyVoYG86?BAZb+3f%o3>aTc6unP+b|n9?@1`MM9o~!{G~E_u
z!GWsPBFz=whrPD>$aBtD=F@B~56!=;3rO6Q&8(I>+#G$T*n+=xG)8g@(!^+{&E(?%
zjYeR$fyZS2IntH86m$@3=Tq%>m=yT}-nfgk&?JM1mriWd-s(t#-)l5#fa%n#U<t!t
zm%o5NOh|XJJ>DjX3>j7dB;(jy$lm`!i7NU0iKu%b8XnS^GC=(PZy4Q>nSG)rmd;Mf
zHvtcUT+h&)h%+sduv}AFFw-op6f)-D<y)`8|5|@_x6ZG*u@x%AgT$cptG3>0V<Pp#
zKl(c5g?}ZfnFx{CKn7LgxVLSPxeja8--<TyBK>|QIB`_}0vFp~xo>AtxoQDpiHT>%
znpexNq)94bKqp}~yS@BQuh87GQ6AaNW^=h$R`OO5Xc|0lxh-+~qdhNu?Op$Be>>ap
zSq68^_2hXZ<DlKg&njtkLg4%Up`y3rYn*|wpdVA%>(Ov+qJUQ=FwUFVq|N*=zssBX
zrzG*O67M^s6d&H!Ve)q;d-jH9snZ~sbWQ%Amr-@&d4yKlY0G8#CRGAfO<;uqdF@ff
zx_%|`La>{uTHPkYrG!OO4t%ht2c~B@|M-`Ac<J6~p72JIQ5!%-iS|$W9J6VK^7U$j
zY>i6o3p3vviI^P5y&y|>n>MC8LwVb<ktia0IM0B#Mx(En66F`G4qpMU<~s*LJy(L#
zh%O3J8@E?~v;_c_90CRNf5&OHs+Q?=@BaFLz^(Yhjky9GfCxtxh@iVJCiIq~&p-8P
z#qu#n57+lq0L=jH@_trm_1ypeZ`6o;xXAi2Br!*W^mX?T4#HvS=xuQ=lD&+6Qa4j9
ze=UcHZpYy_pwzs>soKkAVswfNb8aDbWg9X>+LXzF{-GL8YCRTA&pjgYKVWIHB8?>U
z>B-aV*L6sSbseUviUK4Up(bR^;GxlEG={!?|M~@%4xX}&><=_rAT;_j*(dxvgqh+u
zl1cD)!lbYM7ZiFa+hS}kxdf6};f9$!UB=S_`UnXzFUb3NSGFKtsVLdreU)z{gY2u^
zCEQ{1$1jMSxcnDG6e>x@1nw{?u<qN(_{G`%Jik3SdOpS8<fK(T=L)4*5oPAAg$o=?
zkSSb$^~0A#*0ld`88?Wzgp@PD`Y}oHrlf7x_@3z@hr~`TV(g&R&7EPe4cb!+D(-Kv
zK>Qfle^BO2=nGLK4mIJuR?<kN^<-cG70D2qFKIt?p!4Fa;Db-v{}i$zbdP6Z`<p)G
zYZx??OnRddhgT??m`prSma4#NS5}4uzG+9dB+Z{PO2}i^zj@W*goq$@BO^fbZG*X^
z-c1fnjrzn*dtPPJvqd_}8T|%*luo-API#7K^1cfaIf3w`jE~~)Rn}&~uqu85>mfjV
z|8g)2pkTZS{>2vwrzY7Z^f8J*-(>0w23)-B=2WWke^Bu>s)rNZ|3NKj%9_Esz#V?_
zC%;^)d5&FDCg{O2<RVbQA|Ox;psmMoYEsK0YW`NlS{y}$2^*xd`<iSohg4QXlwO#o
z)HJHSm_rMkS#YbW=G)-TVw|b3V5ZjXNUG(ZPCY)C@8D=iDk90d6WPL16WL2i1&I99
z4AO$TgD3lxfo#;`8D!7yOH~9Pv~oPFjF)D>1+(CZFt^ukc4N6;r2WID?GZ+B&-fAO
z0{%FCIJ9dE#G$me0Zu1mK#DA%*uN|pN=4jSxXXeg5v+>ql^}jMDmkzq=cWUn(L{+$
zO;=+f<7t938I;^5elWerFN4Z9QI#jN<ib$Wq(+acb)86v+4{oA?SB5&URJ5Gtt2M!
zsDbQf;ssz=V_UeO5+6lUQF|-FA1dz}-Pn=zFJ5^h>3JYWeu&)21`w_?2LNCtP%fhf
z;$~H2X$zI--ZK>i$y%qHTHG8lDknMB#N>Zo_Cf^DvA~WOig~~AClYnHf~U{Z^TCcf
z>XTfbnH<3<oS}Du0du1UNK!iM0v~N~w|>2T_IOpY3~U=hr@Gd8->jb_OQ#&cQRq0<
zkAz6~IWIt(vJeWyj(+BTdc}31#K&_<NWbYJo41mVG>wU&@x#bPfWK)L7u20#5he-8
zLZSo+_cJ%R_~e->+l;spv|dfQqa@#PLdFn~#%{XjSxgb>vLIljBZdt~v{9CN-`0pk
zz^cE606+5jJP`~EAXQ%-TFa%d9icel^7}aeG9F=Dsv<;+v-EpYAj*35Q=bCnJ4uV-
zqtfCzLw&-b<gouZ+}!uiJ#6sp=a;DT#Lv=u20X58`;r8o_7yF)+oJPeP@;Foyp-!k
z#tp}WELK<~B<lWCt?7&w;dFxZdh$Q0NI$>ux7s9T+_6CCBVKvd!0Wgwfy%E&-X~R%
z6C-WEN^pcu17_4GU8b2&;ugSvL=|{vtM4#2R1{g&qYt&Z{$ULtn1*Hv0d9$`vFN}=
z0S}UWio1-OgY{Ibzh@0w$Ld7G0tu!t?y(U@0DUOfQBP3dz+T6vOH{}w2lXG+9Tght
zd$7nFgbF3(2w|;X!+TV8!o=hRS%|w>47DJ4I&HC1n-$DWv)#a0_)$5~QI(LnklBAx
z8)i8BlS#=P?$x@gSMDX7T3yUh*OEjpDb8sHWQm1lhZaZnVy*}*rD+Oj$Ry)~N`it0
znM6Td>#nhDeEV1nHNy&!)gtqNt9i<eT)bH_`rTu>L|Cl+uguH?Da`GSz?b0}X;sN$
zO*dBFv`|vH{-!8PtSfUemUq?e?A>F;byfL=__qt9=#hHAq)ES+WT_b;`-n|Z`4^kI
z$ly$`J(IdM0P-(2`*QMBtdL|Zm$R1im}bki$gl_<;EekTN7X57sv>sNP$655liM-u
z_z|0%D9(-Uizr7OQdL!P6f88Ff%lWB*wvws+jZ}jmx%Lg?zXYu)4+7*L#56S2kS{q
z2KW-ibbOwW2>35z?bPWScUC%kM5g;mz~WsyTOuF(mh}<#Jmr-*uT|-&8MNO!tKB&O
zyb*b$)M}y%WmhRHPY;ABM0P05rDfd=O^rr&go-~POWHckZ|zh`P*9$<|M=g!9#Ene
zY>A1?Vyh$^`ovF(+Bha>UXih+(MXAsBGfn>xqS|K(2Ao3C!bUuhLk81ys5I35C}PD
zg@|6sD>xx7%EjEt6ULJQJ#OVgZ{<cy8Kb}P)Mf&~0-yZB4Q+SQTBM2FvZh;s&RZBF
zq&JJRLfEB-7r2j{-DQm*4f#0`l7{wz3EV$t9S1YqpifvcXysk0I+#c>SGcL%yKy$(
z7=dibF3mq&#gYYrO2qSAb4lD1yX8q@ehjKN68x)HqFR7DpSF?ieCmU&U?kL66_Y7+
zx%aO}h67&%JF#+z=-yMaS{){a<RMu)`irHxzQM#5HT~waCc0?Z8SKm<4qLp4<2q$c
zoQeYdx}@I;qrTHe5JeD*YShbjSkpvIo9-|_u2dLdP}>3(tC))*K%AKM4TVB6Br&uQ
zBSf3Lv+-)O%aRBbQL0~GsM9Ha34lD1G$H5SgIou4Ibuf;2VHcZ{F(3x<o4Gx^^%!8
zodL=_8BIGN*q7lggKVIECOoE?zSL#N>L4&bCUhkkco7IS?>O$&IA=dp{BJ<0*>}UG
zsPXK_eKsj>VhT&Ri|aZWXx1qNxH&jGD9%L9rY7>oO_2Q3AUVgEmt)~=m)9Yk6?vCa
zA$Jo3siaA8Y7psi)8Fd<n+KtmURb!Zb2V^1hcefj(z*JJu5a9Yo{|1rG(t+UU(spE
zCh;H5hxDV6CU?0U9yOLfX-%bJ!d$^hy(8@)x6M`>x!cM=J<m^fB)dR5nJvyY<a(8W
zPWMeI9gl9cqOOeF?zlx4nxgTAV7-BvW`v{urZ~Pnp4K0)GdN(Yw;#Pn2q6%*_B-UK
z<xpE2Ty(azN2*<#EMJecL@o8BLLlLHV+1F%Lg~iB7LH6&>DM7UQ~@q=QID+eO-Ui-
z?5K1_j_5zZGvyMA1$uUty=1dB*HztlOngL3U0g%cJxdt6r?(N_9@RI;OL`QuIf^%S
zW0rk&!;+HDTg*UG>>|Q(X`fb?)JkT*6qzAK<=`F1^&2EnNURWW=ymw`XoSJ*dF!7;
zXk3oXDMeZ1#S$fFQ>gZt9mx+9Dd)f+$O?$(qIo!R-Id?^`YPe5qsHF0Iscrka=!>L
zD_!_PpvTo2x9pv4i(~WK_9uL>*Zn6Z6!GwfHr=n<+|-JuZvM7rL5-q+j(jF2z1VTP
z#qQ^gG%;5OSyN3bS=zLkwapD?2iui|*(JP0ZV|aN@vuOZ<enmpqR!QCA%!Cz`ZM=2
z8#c6dZ=6q)J5797yXL^+>{G6lo+Dk1uLnE4Cbhc(QsAA?shqL~mleT_MD4id<+ZS#
zQj0Tsq#le>i|OS_h8D%jhvQUD#|ab(p71-mpK_`*g-+0opFh}(c@E1_PP!Q$R~Z_9
zw2fe26y~m{Hb*)ckce)5i}3*UjEK(h#4LS(NHt&=&#`8Ur8k#BcQp#|m48jD7)vgo
z%av1^D3`vS0wLM${I;pL0fz@gokUe3tZUf|WmviiJKS5@W~mP-(WBm7WZ+;viIhG_
z`J~w*ELV$`Et9n7dS3~*y!ul5wUjk>!VE8v<%!wdy005+AY^)n;rYhur#vE3tEpRr
zcs-5b1(XMr4rd?p1#fs2E&B6r8eHTFjhs9KUEcveCXL#YI=rq#%n&&XSVvuS`RKJ7
zH4Q1t=@SWAK=S^EUwtGiENIrDy_R*cSK1#=ES%&y&SquV+_khUZu9R&#|(YT+-?p9
zFLmtS^7?m-GUH?gN{v+}j!CL=3R+;oeLK?T6SZwGAQAJ(UKyt;kCo)v-CJLO$DfyS
zZ2vY>q0e$+7-XutS6;rIIhCqCIMUTQV>NiGl?Q0l;kAU=1;Ag0*Q3jIu3<D*Nz4zr
zbPVCAiB3^e+y9m>D#x&%hA7m&W4+HlxhLLt5BPaeN5cGD_8gvrD)BCy>wgZ5InO62
zN-5t*Vmdus+FlgHErkVG$dh?$g;gu1=-NBgVii~IZLR)sm2|Gpbm})Sa2N}u=u}Y1
zXuss`h`F#J{#`aApBw94XgSEktKqij(9l)!Kg2qpe-FFdimmby$5~zva?6lfC}YV>
zjR;<^p@!`lfF0sNg%KxNUodi?ViftZ-xf6U5<F_plxk8HuOeksBYjJ@OPzAjQJGqR
z6`J;8d>+h%<RR!04BcdCF>z;(!F~_na^|k=e&U;Lhq2@A=a0$!dVz!IqxZ9oGv3YG
z9kq>v^tn@}o-fyIM{8^rmbQ^S{4;l!mR|oQ-#T1NlrjI!t9#5x{9AGPQ0oS`*S2E8
zd(tw-{x*epOH_O_yz{FwOQVMgL6w*^M$EL#NnzOGNXE82M=y>){d#)t-lr(|sHY>h
z$1ARscSwOUQ><Z;P!Y+qc34VG%NRWILYI8^MwNzrS-PiLO%|3VBlA^NqoQ%Xm`I93
zN7W6roU*Vg+V-)&#lC24ZFPAKljlu<ab6)5C4LSh4*F24Fv5(purpD2swr!z3i{2i
zEGQ%X?awq0CB?5K)0k?C6@Ll}ug6^i1)5I#gJ<P9*38*E#n(EALszG{y%C&)z5cz5
z5hczFAFmhN#jwz^(k1luA!vKfJbY&N(Q)TCj1Nml%2xVvMJT$a0`D4(;g@fXG{HUA
zs$Bycx&J|-Q>ytDAr=03Bl=5`LG^WYCVLwMEqIhPm`B~avSB3M7ovbQ92+$jV`WAZ
zm_}3eyI;5+FOTg;6dPEt&yQ-?_U;bd6aKSV+v}0JIWME9P!8p0DEFv)Vp7S`vRU)&
z+HN_MFSSWGOQzAE7KSordSazR&#U=JB-RDRXTpjLMRU6B`a6o$5O?W(B{oRC7NjGa
zf*&VeMNy0*H$no0-7(DH(IHQ^=j_t6uTH+I&cj@vx>9<3ieu`0djRae^IAW#;!ZkA
za~!=OC1p8#?!VZhDx&sBog4xU+n(gBk1hSO+TWF;lml$0bR`|QN9HM4D2v@Zu?i8X
z?~C>%|H1f-ks{aQ8N9wm$P-@s<)E6Mi&bj<&CDkh<yk2qbm$>IU&&I=!b!Fd2$373
zL`w;1Kx<n4dh>MH5+IWI(`pheOY&4(xL7CQjpfg_&zEXEy^LApj4mc=!Bzxxwj}7w
zLS~L>OI_GRCa52Owj#J<G8`O**8aBP?y>vX!fob`zkBX`1+atZ69%;kLs*fMe5_8F
z+U|~kw~EH!hbu*GEdL!YSuXG)K_gyXedGm9|3MRAIPdBF4iyBK@;RnrWfD_1B!*ZH
za(*$IKF?*E%iNAVQtEnAR;)pUvD;#G>46h60u_CPP<oYy@MV9KBXEwvYd%KhDqutE
zE6oO)`v<o=A8e6UHy*ACCt5URy`Fr%0k*E)*jElX@^gDMR1~$rZtYpHQHBo3QU9%S
z<5*cp66f+k#)~pvfuv2QJhwxPHT<;W#yC4x5ky+V_0qQga_+4|SyQ+n0L$uP-)UU-
zM!*b7@j-4~Gdy-Go;Ooe!k_0nGUM^oH{R%!Kp3;?y%#dH%hD-H-snTW#<sTOZH`(i
zeFWtIwbb|B9)kdNBRbWjbJ16&EUl+Z@l6Uarh4&5hfM}rL#*v@OJ$6?2CakriAH@!
zgiql|t3d46teR457;Xm-*o(ERkJN=P-^~PB2&BTNI`|%WeO6jMW*N1$Z@H*ymeOrG
z(MSsIyZoN;1CZM+7V|#;sQSM9Y9pdZc_j*EYu-4RRo4FgK8BR71u#<K@wshp2rY5o
zq_IAm&crhh#vp0QplVYfNPTDc)It~upnPcbIi2>vqCTxrpVDnIjgM<z%$HigkXx+u
zh(eTddr6}?&ST=wGjG>4IHMHWPIpw`lS0kcFt3xsP#iT3+UbB62iFhLi8s(G_2jw;
zeU9InuGr#CI(trZ-<M~oS}rVoOqOik=T6&zdeuE1$EUJ7l=sxgE0D+>baw$_`cgcb
z_9aQc)-Ld8V0e?uNtVlRyS&ktT#T+bMYUninon&~`r)f!`Dv!e+m&hSTRa*<7P&JB
z<LX2rGf`6YFa3vxA;na92V69u#vcDIA4XgCPj!w;a>vULA5xQkPm-*;>v!{dPX}4U
zkS|%rm8<Oy^+f{r5s4DA)Mwg1l93ulpP9eOACF~8kcsa7DqQ%ME>&!0C$6c}_(wnF
zXgg?_wQ^~5xv`XP)&AvX%r<R2I*|S6%yPj@xf9E*XGv+}YD*GG8Xq>(xHD>e0{;gT
z_WFCG?YT(q$<?z6Wu@s#9&M9WHudux;8QT2m$L32ceg_$jU0LX`Rc7bu(2{MZWx8#
z?E9FC7Kwl*ZZv*DGtrW2PE8NPkVnknqA`xHo@zuw*`2o0#2qJhj<d>WQdy`c%XBYq
zdwY+@;|Y<~PdnrqE#U~kg`-)Wt+J$@s*?^=fG*M7RZc`)-z6KqUB4s@V(J|uY~PE^
zN3nUBpiA!9b%73eMi&}Hu;&WBXLJ9W%I#}E1cHy)P?@SqhRc?NVKWZ{nM}g>m!<&S
zTK{b0=9Qc^dowsjT2h=5Yvx|@M}`t@;i@)5Qh4Gq2+;re1J{aiFq_8KK|hNq*pCVP
z4`^6QdgJZ$23wu*+{9YeTx5ib3I0yf9D3UuB#rzuOl{({$gQpBE14Tn{h1P<@I6%J
zo5zRm5<MdKKLo2dJ{hx-yvB3{95S$#&=UCCS^hIUuB7$QKDgB3lvw-sY6V1Zc#L0t
z=)~@jWsR3}>N#ZAuI6-^kLq{@+-vG@rT==UYyYIRv}R{b(OnrvJ@$yc$_}_NE-)fv
z8I+~Xc<hlgQrNBO?pLZeflB@;hZ4egAn>JbiFGuo@#!@5L_5Fo8JqPN<8=K>dixr9
zTD;KY-;6bmyH%~B`#srs<~k>8gxHS897F*XXRB$m0H2Un)cYI;-DP>;NaRvuiPdr9
z-v!<cxyMj^<+zVkA2r)%^76XoWF;=WvRRzE9BTJgA_@h@NA0z`2x_+VP>OAbpcu!S
zCmpZ4hm6Saz0jAsvg>u5{qZ?t=y%<bEs9d!Fk`TFo98K+Yzg-+J#8vQ>0rCOsq)Y9
zr7d*jOertDkJ{^Xb}9h`eww?rHYoADo^|?P7C9=R1(OfuN2>9XpL}c06}LWri<W1N
z<!!+h*R4$>rSxHIk@-%(V+CJk<ris9e7nCpjI|IaUXgM&xt{VP&h21Sz<CVE#GHb8
zTD_v6a0PAg0?N9fS5E^&<L_w8orwulh}hpnAYjwmDvci)dqQFVlpWcU<lVZX%e%`#
z>cj76EM=N5LO0&v2PZIm-XT59O!z4^?IZ}9>#F{Cp@eau?}%P1_+0O-dz-aN5+Ff0
zOzXukUjSnmnt73b{u@rbD_}-gfuo{~F;~xGu`XS!M6<9z*0?pVia)pl7)YkGVwaYi
zJY>6d{o80t?E!biFv$&)Zb4heEVi7%Yq?A?SGlQqiTf40j*TP?c1R=)+jW*~c=6Qd
zstzH1tf}mVUlI-GwsaZH9kA^50xxBop_^G-`xw1Uo4<<%XXlqeX5N?{MqbUQBnL+N
z@a~*oVXv(+@(r*2>(_inDUuQ)&&QWNpfLDFTUp;~jHia*A)X#Z;@N<C^7i@m-`z63
zMEu{oS)s;jz8548i|hUn{6rPAs)5L<?8LEYY=A2xZ}lTLc2rMCrj|y6br1dXohDk%
z(R%Cg6EE*XZr4G~IdV|*#OOR+ra}7!VJe3Ha`uxVQzd1de`7uR8gbY+=5)GW`7S+D
zChMe(>)q<ZnV9<ZUFEI0XXB~;Ce>M?*V=t2l?zLGbrz0T|ExHF0V$Q)LvXtKk5i<-
zq+{L3vc%o*#0Kyj9N<3R?C3OaCOWo9b32!~AM)Az<yF#HY=LK)#w*YI)jgAx<xj_-
zGxyL64TD7O_tqFZH0a~-#cnMFDHQ#yx8g33RKVAMyO%Dy-U@M<ndJdzZIV41{rrS#
zMh^o1DUgKBgHG9w_Xn+6LK1&({FLEPNc^Z`cIvXuvbZIeGM#rO<WzWkX3K~-xt*4M
zkgQgV2jt(<wB$U>4=wwgrL13uhTG;Qt$7C|ey?J4tb^m1$k1-v0tTX6Tr#-=Pj7Pn
z*7iM89!K2|dzIZIPb|h8;7EJ@2gP?sB5xqsM9a`HJv<n5-0*K<RxtKLnO3L(kWoAe
zNW~m)ZdxyLJ1Q|<13fg}ev2bOd(z_NkM(9~cVyVer3Urr0S{n;mdoOtteJ1RVb-b{
zyVk4j`0H9)QrbFpr%uli@Jhdr)R;|bJ{IqPr}s8;Wh5F9H3TVqLo&0kmGO*Da5qk_
z`sClfA|^@7Y@R`=+OTL7I!k12ZM2&-s>Vjy_rpzAjKyYrtWnY_LBvbdPPW9B`;#Y!
zIeKQCdvx$06jJNK$olG0N6(`3RtwEhGWICl%~<Ui2-T41=)t$)NbtdJm07j2F%WUs
zPJryiBDqfr7YzO)SjUzL6(&JqHy>Cv_z(j0QcaKKm?3DglKhxfNy*x}!nmu+Hso#A
z2FM%6AB>fWEV3r^q9$nbEAaZOV(6Qe8aOsR)GUZu{<L{^FXLG*NC%)dVbVsxTCyh3
zzcNGdBPsuZo%X92zsgqfSb22yc26~Utwq9slL!1RRMD#&58W=RC}0E()NxHQ;(HOI
zz(abi7Xbpd#(NAK?hc<S#>*gGo#R*6NvfVnHC>KbrACWMsYUo2!NxeC3@p8JKz2KI
zCZq85RvsBVfP@St5ToXx^>5<~yCvmV<9wu5HGYM|g8j3e<o<oda`4F2BpN1hvu>!E
ze<Y0C)zk805Xq`9vl7yE@HaU)C43aKzAHuKn2>Zfs_#5RRd#fwXrB_=Tt^-i12Ef+
z#pKBBE?TpR1mLv)ph^_VDN1y%^;38`R_ycin)5i27PzeZ#W$-dwDf(vPnx~+!gv`c
z?zSrK_4bt2_qLt}Kbtu%TI@1js)<k%tp(L-ZZwz&^}s<JTxaubT<u8C<4iZMpZ`H=
ze}oyzm9bj5dl<a^{Z!ESgDTcwBy*3EK@*>|zLDcyI9p8&KlWy_goExE)6io+mDY4)
z;MReFj#Q~!U9p%(t8=_)bVB*Sfbl1a(jR+E*S?XkLMs*yiTglnzbgR$;*SR52HL5L
z_iKt!S{ZD)LV=CNCpoyeZWA!?sMV}zzE;$EaLS#X<osRcf*euF38G5Y?HawD{v$;U
zz|EMPUd>(~Ga@BDZi5STIn350YULfcSBDh%b_~wdh`@TK&2|!nl;z4Bha-A9EuV6Z
z>x8_ts6oARNn;v_=%nxAg97%|5z;s7WNWRW@g6t-$f3JQRA#1Yx5fFtiVo^o@H!Dy
zxOX;1evX6u|5|dU{@*2s$#==AVN?CZGOE<G-QfAdG1zjUz0FYh?$K<gvOqYbGV`xz
z(B)lyJ#A)(5HL0A_xM$CHS}R@{n_v&@d)Ljh>-TgCrW@?SC#F=E2oQ}75QkBZNvrU
zTQA9Rn_OW?3q~(-vN2=Up<16=ii2zPXnE@wri(O7x5pLkt1YE_cIA&Cw6%`PzrLh~
zJhDUt>EZHb=Bz)dGtM2jr4<y4sU}<<U;~a|oCf}bYH<_zctV>jNDqvQs`qKs`4?gE
zX%BhG(zA8Zi^Lcw`1f>?#@}BTjfk+;e;Q?z5-<2wk_P-9v>W)UW8r|h{%f$=Iu1bD
zfvY<|b}9p0qg{@_1T`Z68knx`Jn0T(968<{x!J#$5JvJfE#$C_ITKvJKf6Q50ukOm
z=tg$Z#;|6!iEPm`xYtjfi(??^49Mp82?0*aH#dASG&A#-9Hx)ugvy9sVnT0kgGusa
zPq||`ZPp1kf1G=^FZW2hJLDNRT{Sc_^9p2nfKah^_K^5I=HMzdN${dF&t0k&L@<bR
z3bQ{iw5$D;nl=QGCvKu*^)^>UffgGt{=)|dj304JNiB7Z6`Sx+>ubksOZkRPTEt46
zihW<8uelb@?fXx<Hs93_s8$5p4#sBp1>;AIwR*mB*V)!oI5!VAdZMOjAw3O_v@k2M
z;4|ZKc{8hpWk)PM>2hm4d=;qj;7LGxovlujZ$c0E5ZyTgl`~zh&!3WnPy4l0Y-~&2
zUbH?KDXbuLxP_Z)XT{H8dS>BzQ%0&40ilvm@vn>?d2S7<s%0M^Bl{}WP%G;LjSZDe
zBFNW6UvAa<^jp%pgH9g^WBH|)DUw&udns8&s0_6X?JK=@K<A4-720;Pe*;9$T1gr-
z4hQO%rvO;ouNh2u>pi~Oq0d@zq^W!0(jSk5!%maKfmm%g9L*YcM_`)dn%0?)-K4M@
z2~=N;)iLK64==@&gOkw}8h_c)@H)fm2MrA^mRk=*_AObkyexi0=oDlYQwdM2<celD
zv`CqizgmaMVXOWNJ7iu{19vS!TY1;tSO@*evtem&=9G*p!EHX_m<eU6Z*7b(<f~}1
zxv;Y#_UiEGw$ieZmkq&xP)0piT{XV}(t2g$<Y(w>yb_kV%?|a01;n1ZQNv3MN(=OG
zT=yWnf5y-4AJq4o26=<YNyqIZmf1Bm@8Lu3wUOD}VR{x}0s7is>KO^dy?K4e3xAhH
zAKQm*+;l!}r}1b^Dp<q70!+kDmNF5(y)L%+znp$2&vdJ}N@wMP$D|61R*jX0JJkMa
zxGOB?VL8Lc?3qg}c>;`TUuA+Z<imO5?*VViIc9aToqpYh7R|4AK*ap1O=d*n8C+V~
zJyV_OrXCm_8x{z>ncer*I)(nxzAVpK<$6l{EqALm4Aex2rG<StFhG~29)?4<HN(Ad
zRX@u9J}gM$?-D88f4|~vj9p6@K+$yg`S(COqglyiPTQDr=FT9EzE>@L+fL_@b$r7+
zjR$5Isaz0of|q1@T>hQ#c6(gJME4g7<9_-o(Yz+YFUjMS!k^1VBdK!ZWwMYdM=-JO
z|E+1?L*(82S$>GGLGb^Px&POt6{7#3tZ?7+e+FIzCXl{Ioquix+{5knDljHMOkC}T
z?=WaW)+HAkV#;NMR0dt89xAECD0NxjDssGbQI&5pU(vR<Vbh#J0~#9_pKc@01wQsS
zy|-}!fG(Y_+l%QIxUPOBKj;*NVw^TE&}Wc-nIQ7i=)>d%55F|$)>!eH9>bdMK|hVQ
zO1w%wue!3H^>$(3AAY{DgZoN$*o~VCP7Jj#nw)PLxz*}i8WjmszGaI97;Je7mXAlc
zwZBLgqGam|U$CM1a<H)lw;Fie5d=F{dVFCGdL%ta%vm)n^~{c2d<_YW;~f`!YqYB2
zZCzIdR5WG<%u<iMV|V%{5D{co+L+Z<?KXlp<;3{i@@?o9;Ln~|mfcVs)+Hr}7?!w?
z|AWFi7u`w)=8!HA-SAddfS!(0T#;8L&8Rj<051ODFd1WVDHZx(&6s4M_aEj4SIj0$
zHQ0yW*T}oihQ|ft!!rvO)5hYCP#rI@ks4tNyot{3=vuNYvsM=AN+P*tOO2f>j&$=_
zw406zr$Z(zm~{%SQH4@ogs12YFDjjz!H57*LS^<nN>m=MerU<(bp?1~=f%(^&la%U
zIVomKEcVmj*5_a&4`HC!`N0BBJRjP3GCQz5Zz%{;%L5DkgYtcg69If?2mA;1nl|^*
zzq|Sw4-R}kxDE(;>}`Ah59(Q@?QK`#6Y=8B=w+yrW8TRAhZZ2bCawhq{?VHcR)tqS
zU<l1hl9j)Zu-N4&@mQ^~wxS~TQm#>qD<ACfQ?pQ)WKSlRbg7S{6}Sq~4jfwey-yl(
zClE)a3#d+*+Uq-q1{|U@su;+X+sAn}LM_9+yF|)D(GRA{!q;FcZP4Iqwk#<LyGX<Q
zWV-4V#*bfOy5I;Mv~6@7tZMkS`s8xeS6hWCi$Tp%=@xIKR<hEzA3*I38R>W}pF>8r
z(%{AhX)vbP_StFl+KdSpHU(bIG^)Ii&PwWfQ2FIjMDGP>AK}U80wlxkIQy$=sb(vK
z^OxqTsiAQocSonec-3Kq1RxCT@2!+|EySV71hF0bGf|b=Bz*T9taqyk8sqPFNuIOb
z4ry_f31JF5P~^ztXVlY&)$Y|>CS6JQk&TBF*YDVvC%{fc*JD&2H%)UIqxBa2_wt0a
zfkHhy&P(BioJXFAmoTfWBJG#ibcDxgn%lZqn7ZWb&|;^Wm8UH55oJ{;Cj^w6vvhOg
zTrF8IG$y}rl(i&43~bS-cp2D^a0gst)e$?)3MI8)-dw+J05_kE6PmLcgczr@DLd!e
z5VE>0U@-*n3<vnMiOpy1nlGUL%+}}>4rg896tWFG2o;mb(Um!NM`{lv``V(M&1bG}
z3)JK%2>}iK_U7TOoVDdlCK|%JN6js#AC{}-v3{nTO$Z)mF$EQ+?B<s}T>b}z#%>z(
zup4?TT>YcQJnc<={<h*o@tveAop+)+Z!E*A#MjemV$oq7k&tG>lCRlEY>*UNn@QlM
zHWHQND@Z%b<Bz)*lKN1)(GJ5<nQ*H2rO-TUOO)eirTb3p@|&-vSBL9RosN$Pv7AOn
zKFlz<AoRgKiawhll5z@^Gw&0`*JLX_)Ub(0zhm}iP03Cq7FQqeHz3Is(bo3}S#y!j
z`>JIp7Dn&W1G^f}H}k^YsMDZiAWqVwT2Ze_o9lHr&Dt!F8QT(xRq*OvgyWzc#mAU9
z&alwk%j-VCtV=8Ve$Xiw+hcITwm#8D+T3nWnZ3GDkhcBGd%FJWCzVRzh2~*SRNgwy
zr5wYs>{ZTNsHFup3^t+%f$ywpASII{qu+%6#Z^Qtp=q0Ig(TRNCq%rGp_X^zN@=j4
zhC+59?=Og#kuiExz@G;L!H6>XALP|E$NbtBNL1r*l&;yAY>TGVuC7P*0SQlV;`Vu&
zOW(F#DD$6loLS=wu4dBw;Q(_!J)WTfKij0z;z{n}?>y-@2#46+=$HZGc8+c3J`jP}
z_j<8=v%;`LV^WI$IWK3s^MvZV_&D9RANj0G9A=S{j{gTGuk6{G;AfuOAzY!8f}+D5
zl2vPBnu8L4!_obemOGw@#*(nv{xO33s1wjL52txLIo7m4($UX#aoCW@f&aLy3qUF-
zuY?$6u!s9Usq1K7Zy84RhDl!P73_BsZ}0K5^zt`-B{5Wrfb>$FI5~7fI(KX(;nA*C
zRVd_ATGpF&Kh=xY+_o@MY8_fQr8tPIjA>?D58k!M0MY)9E_pcPccCD9R<e5~9X5wg
zdSlL%UYb(R0+&4C^4+<sTv6l&rm3_$X*_afee!3`H0UWr<MsV*Iukk`l|!MR%xti-
zbJpCYN2adw)+l2RuT^HQx(TNO1Km)4(no~CBDFiAC|ZrB`RA2`W12NP*id}-rh36^
zn{HKr0xRb~sF(%GxEJy@wFQ1mK1RmvAJvecre(VoVeZWzn!@9)(mkwYLbZzFMc3}p
z(%9)I{Q^2EjdnzdZ8}De@7L(Ih$qG;|3MMW%8fq=F)Py$je{i8{Be0QE}O8mVXH*|
z<-#Jai2M9?j8<~O!!6f5zD@?v+Kv!#0@|<ydGhO8>(!b^KKxHixjagZ%$cgJ)mgJm
zPqzz${?z?OJKUVjDz;U=EIq2nVH~}vGGe#SFl}BK>RcL-tur%}^rY%W(u>_GwGFgI
zECIE}B+BhaN`lYm>*kgi0C?gJaoQF8DIi=y%~iFPTliPy*ccxVgp0^d#wd|wu(6Ja
z$V|D~mreZ#MTNJcNuW=fVYzPS)IV~^UtXw9A1>}Oi8I+7sgk6kf=91JN!|Xf^+3Rt
zj$kqVfy<Lb=Hhht31#21qAxsg$WWGYME@+(b^SjmnBQl_<r)aFDpX!t&INNS=H8dz
zf1ZMs?Qdn@x|Lg{SGGy5>a~xxW9|Q{6SN23Np?_<yhP^Y?pesaRb`vUj~14i6`QEM
z6CB_~6J${HT%WD9hcFIXuCWTV>X_EJ@-)d^L@_mE|KvaWK&o*-P!LpNTG`iwiUk!m
zQ{S!6$uGf=6L86ogNP4S(`LQ$N$8s;3~t7q4Lr#=nSiwn=Z66Torm=Yu7)RR%AK32
zxZ@u(uWa0Y^Pmi~)m{{Z!`7&sI6+Kqx)w9BhjHHjph%dFNy!R#7W5bhp1nH@wa}Xv
zf!^n+S^BSbAH09=1EK)vBQ}~O{+1e_sRnhLPNTfAxX#Ft!B#C7X$yUPRjBawF@I;L
zW2W4OfXQ5Xot3*C$nk0Slvj^zY8-*cNxx#ys&qvp@69&-t2Gh&U8<8fWoCjpa>XXX
z)tu=0#U+2$MKKRhcI=W3Wi!8QOd8xB*)Pt+hJ(g8<8}*UR=?nPRvYqIHq966$xq<a
z7gL>HBEJ+Qs1{+hIqd#=IVx9il6@Z;+ud!Ws)Xtba(%fh<2CKj+yFDADc8G_;oWce
z^PkrKVX0Zi(l9}|RtoxwV8<=Ne3OH7NQ-?|0I#uPJ=P-W^sN?M|9c&e?GPz-2Uo=F
z0VPgFBXHPG@TEF^n~zoH5Gm{KjpDMQC9^fxO}olo!7lYDoaGiq6w{*?8SVudIgq}7
z8jhk@@ULqNU<o|sC{(SPKejyZZnPtT%ar9RW9Tk#pnpr$?C!!D>J=VN>^VMW<8!F=
z<Nl-DRA;Ff+YIVSfW@>%f$L@`z66!$cj=KaLxCpMVd(abPblnAYvbn4gDa!kMH-%H
zSVMO^D-N<b?5dY1-b(EX3VRYx#E|Cs)Z+?_Me2}>KzOjf_sBqbGfmJDF8uS!s7#T@
z#W{Dfal!{&-cr&&v!+&Zs@=^ru$+p{eSYwd`vafVceP;Bg%#Cr1M`vJfCn_lQGO*H
zTV*eu&Z&DZGtvTDsRH)3!7rrfw-aW{+zk{>-pE8l%p(p;Gabh?7dft{aUdb|pPIUQ
z;-3{uB=?d;0X1Tmarqz7(Bry>qU!vGW%m|<3qSA64r8;%#Y;ow)VaL-;bHZcEAs-1
zQ}+CTlE#8Jg=iQ{Y!8GOaI5{KHRce0A7x?Fv9ECKHyyl5eA^PlD$Mtyj#1r99g}v=
zq-Ci_mx^Y=1-?@GeJBBu+N5TFJ|--qgz@cRS?jDUc3OP=^`P?z%5AMd1!1a{XupeJ
zAySO`a2+neYN`ll_SwRp>e1VyNE~x-S>iW)e2NKk8ClV*emzxPq2+}P1~X-!9cXcQ
zQH*Fpz(?9H&3G3AD{8gFvH6nl*GdjN<b#ujJi6dZ-Z6(!n3rPB&9)a$oKIvMc>U#N
z9Fm(3@NFO!N)_mC6%)EsQ7~_RVu9iyijw=)SEY?oCy$IDJ1xx>hvzl;!Jdgt=ae2d
z$Rgoc9X$(h*Q!CQ4zHV?O~Z{o_10&Hmh~{ULQ!Ne@uL+gF3B&P-${?}D&qkVrtgx}
z12Ar`2pn<Q{83^I|CQd;FV~)qkfJj~dP7z1am?Yyf<b-p{Mw+5N}a?%K=P}mDDExs
z+7kkC7b2E^;jEc{ugj%he{4su<tS%8mjNnH9koeRD^L<D+DF?cJgZA`-WRcQfH1pE
zWX7x#FGdwbRX~b7)yr(r*&^}52!bEA?p>}hRXgVBc6okOSK!>so<{QZfIVdKkmzD|
z5Nwof@|R&&q>x4l9N8V}N-la;z~v5b9pti-5W3KFDGk9#v9PC1HGJ>IS2R&xiY4%U
z7FOV^vNw2mC~n+XzhdOe(QK-Gl1LM<ZA}oVaqshH`wOL$Hhf?zyfe&1EvW#Pc@Zdd
zBqDiDERcV9pS%H@1E){9D3}@A9_U~UH@cBBYPc>mS?kk)l=2N;EhKn<sX|d@PN~m8
zhi^Qsa0=zKkWx5qWgGoP-Zs?Qf67|*Ue0Z@r)SQm7~DI@!Ext0v-@sg<>Q$@Zcv?2
zFe%6GBCOIw1H-Tw`1f{l{FCNAP_epur0SjHc(IU|-g+M6D$D>Jn{knm$OY&)dER9%
zp!h#YGPE9(wbD!*^(P-%iCXF+<=3?J=x^l&qV;P1^F1pX$e6~obqoZq#ke-!msp<T
zC<CCxxr}jLqqAXPFDXu?W&Lf<`an5Yse}90U+l`qLWtJ2N{_8-RQUVGP;r*YVeG)b
zQ|*aUw2o1G!QkSb$dw%SSmdI0E3DK3>vB7Ivw5!Q!5vdW=#R&EZ~U-T^O4A3OcdBj
z&mp|-6_L4sgI8h7!)LzEbd$IV=$V$DkRL6w0-K7se9Me0{Dzg$X2t(_x>)LPlwy&+
z7^~>2e4*rS*1)&I3>pocXtD@{qjmp5=~(`=(9Qw5&I+k}<W?ldFVHsf0*y7)Vac>A
zUG)rLgFCxZci#FMt>WUdO>v4536z(|U6iWoE1+ge@oDYo8V?a@Rmpmzh5Cktc5!`u
z2u~zy%6j2Uj7@D6XjkcR=KA#;+GmNOK;tton!IN+1xvp;;FopA6duxuKGl!kwecri
z{MfGwt*~!}t&aGU^vDbXF#~XHhpMo56<h?!rxh#`B%hBZ17^V%FtO_>KM(1bi^=|^
zikIDPs{VN+u(41k91}?plXR9zH@Z3<&FweHWeGB^evdug$nZV(C-E8kxpZoXTDIkb
zX@ib>9t&dXqQ3;>m^%!^#7*$Ie9yd{qN$uTNb;BbQh!&DvG)x26UU#oR$SCeG(5dx
z+|Ud0UGE@uRy06e_#FS{Q`}fc*ci0RhAZC0Zlt<$jJIbo&Un1&teAPtdPJGHI6Ph-
zQ+LF!Rkx^T_pg;QONN{{Tgz<AZV!A%OIRo!V-Od|nGvHE9YCPR?&8!hzm%Hh#_-S*
zsS58j_sF0o9kr;fUf_6~Yn^<nrd4}F>X353tPMD&xtCX-O=ZE(0%^&+^HCvDgJ6FC
z=+e_z#$|VA!W(MSs0!O)=fOK7kRT@{8!}N#&UZQvSe<{Pc<mjl@vM$ZXqi^nTYQxA
zbaQ)S>%iBtYq=|WkSIznv;#OCev==OS8|LRHPI%58K%cpOrSBR$V+}-g&S#b0oi4~
zAPYJWziP9X(%0k|1b&<F%k1(wYsRK_?*I4p!l1e|;=Nx+ki}&&T572d)^lM#I9~6H
zAfBM<HixxhkPpLMlLmqv2D+#9)Q~l|dwlu*9FEeDA5KfR9m!FA8GQN|Feklf-uoKs
zF(4`Y4lvVR9f?l%Ig=Yogwqt=k0ABpEubf_eL)kyzU=_NLW|#i6L-rIY|v>AIRJ?X
z<0I@Vl5^+Z7C93E23$pbe=NH*p6gaPO}18j_WBIe{F-f@woZqmAKUm~i&<a0{d$hO
zOttp+_l9G?iSnB1zc_%eN*UoE8ZaX*@*ia*JHpK!m4D3in|AMF{4`oGfAa>HJ8!W@
z2CkOx=FS={JUX1FGCD=`W8?J%2X!Hwq+e6dTW@H{X8+W&hUrb&d^ON|k)@)y%<zS0
zKF4Jzai0EW7EWS-iT?Z`5h*Ov#Ep(cKpiEpYnpI^N!Hw2AUdtB)e`kNqUpS<xcvUL
ztq+!)4Cz5fLQOU6L-#?C%H#x;N1aofVH$artUc2D9z|f)853Cl;C9Pq$Cv9%8t)Q0
z9=_P|4zlAkPju1uV{TQ!XH$R&Lld0y$>-hhVlF@g3l$y~eF3_pa=?|CIzxeU$Ly>r
zbuWd_fHLorfPaw<U?QpQx9#(KY9`D^#K2=%>`;xP9l)67Y{@`EnR!u+w+7(H=k<ao
z*&gKP#HmuX3Ws#II@#$PC6JkHi4X5SLhsOV>(Dub1#uP<3@t-*$F(PCCJnUm&mWUl
zJW>7b;}tzQWyyA-+=*j7_7h=jjXN+0oAxFh047FBQi82PhKN1u1b4YnZHC@n)0syF
z3I;%|-w$VD)ms7nI$S^VXJ7SZ(R|C1R9B?tDzS^E)0Ol9lL0nxtFYVFyZ_r4R}av;
zZ9|ybeVcDrg|~6%;zRhfL!a7bD*vh~s%rJhf~%q>A0*4DND<rU>b>yi9-iM^%AEYu
z$C~F&d+dENZgA?32<v#$8%1D$t9QJX2ppo`i(48J<*WeXvG~+1kp((}6-FOrx4hHO
z$8@26?0S1z%r}cD>=x7`v|}n8_K%njzE$}uR>9FoYkG9*n0p_}J4Q_e8eYW`2cHWO
zN)naLIQNc)^Fsfo>)wg)(4I!0yq>ZULRS*EuXxp&81D6QA+s?~)(msfq5ZYlxc4~c
z>;82Qc3TgnXB<xJv~r^9!rah=!hJzEJ_GC3rmi7WBV~DaC~9L*1Y->I!z<O?X@Ajg
zzVH1e>g2`CDI;cNWuNa;K~Bm03U3#pqmm!=2o++<c%RLK&)VA+2?&{Bo-L-^#&O+J
z8Ek%IAg>8=$$$CgdD%K#=vMU|@q{PWGm#SsQ+!2Pv-r)HRq%f2pc10~<+`1n<a$Fq
z``#yz!I6_3NJH*_T)KergRfe>4ur4dR?q{05w?S8@2K^Qs-<I^FVoWQ2&-g%6r-~6
zKzzNcA}9C|@%#2B)*{}XYEkL2zQc3aEzavGE8X>O=YU5>Z~(Y}=C564jExi)8(6)r
ztWlw#6Lx3lgP+7`g7<56#0X#70b2SB32o$OqA}PxZ~`0dv-Jfs9y3-`do_9uishXi
z2YSsfsU#D02PmBvJ72x=eJnyVYcfRn8KAEv2zUzFM9jPtHHq#XO)z?pxZ)%+Bc%sh
zPN9EiTuX{j352<li@e=TMAYigpsHrKsm(uRt_fdf@ys&p=x-?7kEIzgu3C{^t#&mS
zLU+^|TlvAMlclH}^4NI7VfCtXyBkNL?fa8j05)=Qg++btu&%dBAKzd^^Bejvijm{F
ztHH3?y`X&O%lG6~Utu;9S#y?2Z43R%SsP+K9aVj)i6yc!o_uT!OiV18&L8P9!LZk8
z@&Q6!xXsad{P-!qe-7vDYsr?VsIZzVhLW_DX1z3kS&w%lUq~LWzJb)*vsoz1gEyhq
z6o^h{s#+%9ujkI4LSnt}Z0);+8gyszt=X*!>Y^O!Y+*m0f}l3!XgWWL4l)<oiDd~`
zg%mylD%wWje%FGTvjQ-7+xXtR1MVBw*^{qYEP#P=>Qqsv)6cLA=!H>uCq_Q31rPUN
zqb2ZbcaNI~*atm{BtX&cgKjG6?&d-opxl?ZqK2MXFvB60EFh<5UCC3LmPPjSE9XmZ
z#!p0VUKhW3PY55RqqVfnz7l9eXlORa+5}J<s=c`P5B~e%3ruRQl{G#f@iJq4q4il3
z>2vrU8{Z7(4u=ut`u8OGK+m_tumY5VJWrc6oti_{{#ArQBS<gi6dizbROvzuHNu~e
zP!Bm8*dSmF8MU|=k$P=uh6&#=HI3l!#1i<f=OLatb@l2=`X=XtOo<?5iYN(SQd@34
zSHHNMiApGRkEH>+BG11uix3<|SB!SI0#~N3%t%L@`GaPeqsgfKjV#y-rk1G9@2VyK
z%^9M%`1)=oPLo=9a&bmmLZeP3vJ78lW7Hyo^$BNz>XG{uHK_+bUW>V{w=NXDbBrCj
zR3PDk=Zoacz=KLf0xmRLI}N`kkC3LZ&%oZ3$IO60k)j%RIgwA@Gg`^jH|p_*AaVUN
z7|Qg;_RH$18u)!J#{f_bsUCC7+fh!$g?panuT)^SQ2ko5PUBTZ$Fi=~>m2ouvk)A7
zB}VUd>RVxJE1tzf1!EcpXn?5Q_kjjIZ9MjZb+<Mo9T4~RaASn*itGar`hYJ=2e2q>
zzN_lKf~42ugF5i<ai;BT=r(06!_8E&HiYp+QSXf4e54MD&tk|uo7=$|ir!3)TfixY
zu&1eh7loE2$ME%2|3l^$0{K8WdCT3+t-xz@6ds__EPU+JS!f0txag!QH!k1kpN<qA
z>VL&w&2Z@y;!`eYgXV-MRwYN6rIbR{Q6g28xXIt8Hc*#YVQ?>5pS0&`(8L7RtF}~O
za)&?cDRzmhll82yVohZwdSbaSeO-ZRLZcYAE%t8cdqCuA&8==DA)2-l7T}R!t0Z(j
z_1e}Qn5p~5G9!4rn)Zs@<Kns@)p$Ce(>d}e!%z{NufZ7Tert>&fdd^Z;LTX?=CC6t
zaj8by=&lq#7EQ++*#W24``FPP%1)oYbYtU<2K0<6C*P$R<rO+gk;x>5t-Hc&usd=7
zJGF`VXV(L50!Ll?cp1eNQRjS*b1A$;+_eRa$X#$|?j&0v39rx9WJt8eWJdu-XO8SN
z+>{O&xOn~=2H)6{k@IrF>GbZPub_BW%`<`w@{4P&`BZfk0=lN(WtA5u`0Y0rRv9ZO
z364o=Ucw5>9Q1nJTDsj)zvCxbPUT8I<47Uw5O?(oy(P)Tt=hQ1rcZwpg_|Q@JOOz)
ze-z5Uu`-3rkI(N;EyyL2cG%rbKZb9RjeZ)(i2V&WG#_GC!90QI+ajt)@F)XPfOPkM
zCGA0Aq?F2TO23nWT3G609bml)L2^0?GIduZ4VO&1bBeaG%#K2wL$`_vS<czsxkiG{
z_$AJk^jT4)>aF<DoVW2L!eJz9CAe&_x&jLCO@7oLlbA2e^1AVF&DEDrn!U%VPx@;o
z;L?^{$v47oz1nD3DNSD~0qm}J8P6Rci{9qe8Y^?Piy{$XeRtHTtIg}kiSsY4pR1Ss
z_4qn$h2otQXV7|QlbAuSVhI^K+4|8%GWdG@QsAEQWd}VZDWNefgk$VUyAFPGw#h6O
z_}ZcZ6LHpWr|g3%G#(+gS+g2mB*?iM4unx$VVZ+*f*u^VL%Fj^F6N~4N5<}5uK5_o
z_5x)04$ov*m}FQ;muPXP1ffcJtl&GB3Ip)<utvR5xXt<Uc>C3k?-!nmEfmWpt^b3#
zv+AlV?7}O7Ai*KHySuvvcXxMpcM{y)?cf{^a&Wic?he5nf;%Z+d(n$_w4=Rf|HIzz
zSn{knvFG#7MM2~XRWIqKU78FkvF>OPx<|06Bh(0uXd`8T--=Ai`VlgN=(tG>-NGF=
z7cuHW4pJ%pXy>;#>M_<5#fM7zm5qCGEhpgC(;(?(b5LWc51SK2wu^CpvEBI%?z}td
z|9i76c(d!h>Xgy5*zC<#))oN5zqh$R(LtbIT^w`ub=uwAEKb_C^-;47FA8>*3*JvP
z)rO%gtCvYu3Ouwa;3NGwu8XcUp+L~JN^r}o1iQU02Te-q2`%Gd1a4lvpHV#;-G8?f
z4nq7~?Izs1d@=@w^2`1p2EFt^?ijsccN4{oonb>T9*rwX*n)NFzNk~fkG#K7Or}=a
zsx8t-n-*GqUw%Yt`(1}Vl7+^cfuA%+?8A*{K-TPk&&NYVEU7u>y(MJr%Eim(@<ebL
zvghG^T$dl)GKDT+xase|C#}XaP%cRwv)@%D1GQ3r4(F*=DA-%fI8<n}D{9J7F@xWe
z*oyU483wob=XHj_&G3w4I!RKwofkSFpTnjWI}ji;UU}WQhNVfAGmBl`tWU&F)hq9v
z6dmFro9CMfNVMLSqHz5Okw`EbVQ|P`ZD*l{F;VS~^~0hMCK9pgOlxg3Yh+!qRa|Z+
zG_``mxSoLTtPPw{Qt}OXJq>C0sFE0eHv)2-fR%A@&NHth!0wW-ao)1UJa_IpUX$)p
z2`SuuK~r&#0DJXr8sJ+5!Ui^jPOygA=8xeQ$Y50y%U{SlDzL6nft9U1ur$&2c9lwc
zoK+pa&&HZ^Oq%tpmok2ok39d7(TYI|$y?Sr>xkq?tBj}<r*yO?&%zo%SjK;i<0i!m
z=6~$;1tY{v=4opzr?_9%&qt~rX!p30bAmCZh>{hGc59oGBq)<N4R8v4(1L7rYj}(Y
zUyq85cQ=sA_lVeG5Ngz-@#|dP{JG6X=I61)1(DL@vK<OM&;Ll%=C;_Ov-`2%n--uD
z6ZMj37oNkH#=s-cp{lJkAt>u;b7IOx5cXAhC(x=4@&+j7lqa*fi}V<1gJ%LH-Uq;s
zE9FS8LLE*acP!7A8!D_6*^pQ;kc2%D^=5?9K1xF2C8sgbGjod!j9bF?h2YGbBIIf%
zxCRcJZ<4sYy*U~CBb)wzFqlr_XME<(k$z$ST`}|n@N~0?@dhRQcC*^ciTH)jk*~UI
z;97hg*{FFD8Wn*)Pko4ibMuPUg?=4MHi?Ga6U_p6q$qHT!&pdp<}}d_uY6x$H#`qW
z*ecBU=?YF+Pi6(B?)z<3H8rsWS+{62fH*~&O0=2=yXN;UjO`4Vjd~0g%@XTE;%~r8
z!SUIu+(#1E!->|MB|2wQc!QqOUC<p|2uGq|B{MWpKZ3%;LE%O)%{ZAW*YGJ5`eakR
zJ{mF!as;YMVf5eIwbZBWVf#T~uXB@Gew&<HbpN^QCYS7Ul=b)f3n8h*JhScPADi`r
zvL~%RLB<eo5WB%ab<WBWQ17|8MTo*A0MsCrwWeZMJXjvfi%k_dI3gV}Md+wApagjB
z`uLc_s@=ZD&B6OR2R(SPtys*(Lf%t!B&LMi8LNgshO#|RzpG@c!_MGUeH|>hZv3(O
z=O08m=CItkOynzqEMj#4H+&!awW+^|)Spi*2@iPkYqFDIXRa49L(s4i4Da>cbTh{I
z*CD}l2aJCZ3>D<>avh&i2c@m41;@+5STV9^XpPSzd;v1#;N{!LX2j8pZRPXT3ysk^
z#A#czt6_k5-m_-(2OgRwh_Rxr;2}OV-CZUZ(^w6nqsEkKY)bohbT#xuQ_PdLAk<p>
zqz>>w1euVqkwm?{0pEs8*>LJnI)H^0;}?Eeo%-F&OvCqL+-sQAb<xM~Lk!u{<Ok2Z
zbfHHF+D<qllaV0s4F&eWs^Q6z`ch&oY4OcdxPeaSLO(~<>+V%$J$bVw(Ml81%YLys
zrC6fk#%X(e`tep%>gK(3_O^yw^J;t4h>S{8ZG+208`Zo>f<kLph{biIf-Mb=o(sal
zFM_{=A#tQrZtI=FrF3Y@Ez5oGg6gt)B5U2prCC#<G3p;g|C>je^M_$sk3;otLqn<8
zCTH|n*XTj~)9yT?nDG}FAF~ebI_=EpMnPx35E;AHlj2W8nFgxQlv|F`w3cw(o2N*1
zD>9a>o6V4>zaa)J)o{c4m{>1Vj^6Rii^)F-+bcg#jY<8wK$<4vXrMy+&ua-A851h4
ze-O$x66owCp~)KA4-yb+WX??1Y~Sg>$GEsh?$Jw0cP}sUfyPB6%iG}l^!wW!GNgV`
z;ksG$Vcw<6!%6%JfZ=idH8tbl=5y3?<MPBpE6)Qq6{`qivy8W(<tiq_j3%Lr(*-j-
zjx7{HV4FH)ic&y)JO2g&De?vpbX51Tef_a1XqYtSbM0X#K{GZIzIdsy*<D}B5)S>_
zF9$&|x6y)NADh;0e6@MS6cH$mLWdL$i4lM+No;-2ESSgRV*h~TeRGOA42-Xs&*y${
zc`e}N+9_|spC%eJ8+rk^cw76oWmjB$!_07d`A|BMsQL(+*N|1P?zxu8vyI+s_zJ>6
zt?6A%yJVd{J-dLQK^}gtF%^SO@BN&m%rIbEibQhkLJ;vmy^8bqiqri9^e8~S!X=eu
zf}=Dl%u@uwp2r)zMN<;ioEkneBi9KRTTNcZ^?KC_I<_Q#e&~&Bv^A{LM@d46il96w
zL@$s;{1W91_P&exo*<|gNF6h(z0Qn3eAw)Nks#={H;FeuzS=0HJ?EyC?$yD$2B)cD
zX^Y7uhXbvQDOREG38;X8E~W<MNjZ+42a~g$55h(X_7FN(H>Gl8*wcGjnDI!@F_N)B
z-mgD7WtPT<l!t3K$A%!mRTy*n?8<!sP7%0;khl(qJCLHf7&^h{jM<>&{tiqB{J>7h
z|LhC!k-~`1Vl)7uASJ{4hTcXIB_YbbuNx+dBQ7O1v8vHzHjGLFi@#m;@*CHOTwZDY
z8wb4>KS@E&^m0GwlR-NCYK&$;b(_4=lySu<Fh&!UJUT88I-Y$^>^H>tYFq=jHy}M7
zxb9pWLi7^Wh=vrtkz^Sfdk4w8_!ounl#DPcV4wtQ@R@Q;#{A7is;pqj;4#JN`mJT#
zp&|Du!M3Wrt&|jMgR}p}oXDX>#-vU|Pn0F)SmgGnF_1(4+5TFNsKeCaJS>Cn6YTS_
zZT+~dP-5ukCSO`l&*+w4Y1Gs0tKyh`BcyO48?Ni+wDSCO<J0X@0jOS}=>4I7UsVWS
zl`ll}MXT=H&dXEC`tbe5`t<@?!c>+1xu%&$h!8Dd-GG*Zp|-u}EBO#!G!IMa<)V}Q
z!`POnD2B1v09MH{oOnNpZ?AywaOA5H>4d(US7+?Y`RnZ&ZH<!mFF(veq-m-FGpe<#
z=e931(?uaEd+-d2!!~e!q5?6TKQ;UUm~}t=B;S}(%E^uAe_yw=bR!9<nRX*Kjcge9
zq1DFOFQokVv%r3Y=aR~MNs6Y^QYqltQ>0o@DeI?Pd#YK;gQ3drJp-@o6F<4Sef!Go
z8z+TyL`Oe;suy8Xzj!_dklyMEIw7PkqfS!ClOYfd?I~Kf-z`fpp!ih5ta2F3wd`W^
zUp4o|WcsB#T4){lVq!Y_#m;8H6<-k6mfSgp6c$6r-Q!sJ8i6zo)R2fej*M!`zle9U
zmQl?6OA%k!2|Sn$T=QNb={$Aw;eq=aEawS$OZ}ho?o@93M=47R@0P3LXu*>Ois5v+
z3yi2$sPc4CKp#2?NP5rA8+h1A$GOBy*ueSBs~2XgBJ$hzOly0MLP+C!4N%AOWsjOE
znAVCuhyEKLuQ|fv<ltvbrj+4ol0;7V4?^63Ph;h~g2%j0Oa5xJKsIiUr2eDTC@{gZ
zky6ti--wfI*YtD{Y*!}WzL=Rph?2psL0ClAa2aGY`cBiNH2q>5B~$wO7D`5^Rnf;!
zRO-@@@I!qoacj>IK#Od0R*aUS-YIUb*<JxHNyT#Fp%&2|RBbFCq)h-qS$d(<9b$S(
zP#{EiznH`m`ZkRL;1kaWYrnia5%hRjTM(~t^nf3R{Hr(e-r_0pc3vYC82&+gI%N@q
z4xYk@;5?QDr2X$qVzA7ha;Wr=m~?k0O!8HEuMOKA{GC5@D&ux0gStlru{QcX*2hKy
z(Ncr{Vh==Q`G2}1B5UKc)?gnnuDdcOP?+)6y)LAn|AVNh{v@~jPji?5lXT{CUJzVu
zTDRF>QRtfu^<6EXXKf-(0f`C5$Vqd`euOG2ixv|+ZH)0~(r?5rXL5<o!EAL@n}l2H
z=b<RK8#2BG!Js)`6vA_kuN84+5qQfcx8<7LL7UZfwr6GXfQUIJbca?%-G~kg1xn2i
z8t$nO8i7p!vi!i`+Z=|o9tgDC!)k5nkc06yS@KdIY)k8n(r3XrBdyJ!MRn)|B^BQF
zZa9TBK2ilHJ&0=`yj)WZMv3Z*f0y?Tz#S$nfD<lNkiHt`DsMTFmzF(N72g5PqtaSA
zbJ1Pv)&z~|`SD~hR(GDYT|#Cs8`io#wf#6_8=mYGQ10!gkSz?SD$DV{n`~{?ti0xq
z4RB*^)q<9RmTbzFdaC$1-`odkPe8qp1}&lKb3J{gw7wv$l{o>@vZ$+#js#VkcB?O>
zK)EMxN}Q;dFR1Z$I#f2J(#~nes4QNXsnITlp)X%f+gTNnZv5^ae$zH}F20Y2H3q=o
zA$}8f(s+g=Byo&Q?@SDD8FL{>f=|qqW_wwWk#emcRRxHqv*6P{86r5aY2-NcBU@`p
zHDg_xzy5>R`9bV&=;N)nsMO<LI_aw<gOI}rGiy*ZX;3-eyRWIkl<I=5s%=nxfiu`u
zm!h|J<8g*AG?OO^Df={l6!{M#;DePv2-}43b&<-?`V8%6e$Y#=LR=N4K-UK!YEwOD
zK|{#|jMm<3I8s?Hv(;+vc>C3#!HAu(We*0vQ_9?ym&zC1bimxS_B8&PBD2)Vn#Fab
z;LX3VijHm!;Gm)Uf!QW>jwyoNqOCf>YpraxVxeF|<!=2xkf^{OGYh7^@7JmF&ADaz
z>9<{C_;jU`U$(ZYQLT1W3BriJjgF=#RNXQN6Pj_*4shsX(cS9)sQxWZH8=H}ij=6N
z)g2-(1_psV*Dz?oHj!)k<gto+leIT!$yYGwrK?eCzLi&MjhB0!|15m|_+$3-V#+G0
zGq+dagEb&wu!KGPrsY1zV!p%(bn4iJehRMFqs(&!7!cLvS1P@Co}ib4>RSvmB^cru
znDtuCJ#wG5Gu>6h;UI!>k|v(}5kQtD@PT1LpFAj#GS04<qwu2o+{aURE6?JWAVV2e
zgs^wIWJtLO(+oE73voR)9=dwF9jM~ai7Q8<f;tu}Sy#>1TWf13DVnYVlD>HT^eTvY
zECCOV{x+uKOZqsw=U+Jikb7h>?76y5-|Yg;HLD-rU=bfQS^oFh|K_E*$KUi*?36K}
zUAV7gkgIN~qnoCV>y!-wYBfv0^nV;MQGK1%LDE+-V!2s7Yh^=aN|C{>zd|O<zPWdq
zY3sj?5oFgw?`zK<i~^?Hj6uO7nHz3JxfJ6h#(|Ze&~YPLr1eWI$%Uyx&WV?oF9M35
zHeTE?_GmhxEr_(vuP5`aPG3Gs_Q68G7wiZL!OQR`>1DriY>#}oiPW5@&Jr;|;#jI~
zC*RHCr<!?>NsenY?a$1(Br4GuAX@HX?qO@Z2AQ-y+Z5HRs)9(OA%~lfcd=O4)BBJj
zy^f;WNecTnF;=P)5)rVJ%*buN^d%X80`?g9fFClW`P8nb=|cWX4d#Vhw3x$rSX=1u
zHS7z61+tb)h)e_~GnXN!a%Ng}APNs@c!ta!lRA7G?zR693TGmT<u`FTfuEB%MD(e<
zL#y$mk4oA1=i3qc4SRHK=JUf}2nd)I`8vB9VJ#;$_UjRyGZ+`Gt+CnpCR#g;)RR^w
zi~IyqFs$dbn4|nTgu-=R!STKGdIY00)$T$AP9W)zHklnPxY1O`8Sp2trcRr7N+jjd
zdd$E9;fZNq%=NkGyY?@_FFUxnstye*l-Mi^8nw^d^CNr0XEJYrzsMvRRLMXUD2>`m
zwstKBtX`aR+<poJ%Wz4`2UuzbnIW9N+F<d%)RpTXB#T@!>5U*4uQPkSB8&~_IlS5a
zW#Ry+lpbja*XpizhSVi@Yt&p0hUKmjW)#~&;gj+w<BauVkeDGG#Qbb}ntUaWOY-;s
zSOW+3PhbVD<f#d}W^NbH0gel59TYw$P|mS%pL%|H_pFk<LXOfBrzjoWyMTIxpMJ3n
zYZ14kz4r9_hX98(dyt%%9JsIN{wSXbFqHCH?`<b9^x>_r8M;i@tbYyT-Vu!5%uUr`
zD0<U+2@y;4%<h7R6_TCTP1)s-kR%_H@;coV&T-Rfu}k1C`uHn{#0Uw0VFg^#ud?YH
zT8b~lWnuvFT-g8C4K`~X+advCF(h)}?-}f71h@|erFcj_9=?--EUId%*L=dlECR0X
zJ4CT<qvm<UFoX4}8#1)ZvRHQ_?VUSSJzRWjr8k@o9$;B)9;+jtM)?Dk%=Q((?N*#I
z+ux02Vcpaq^a#{AMIV3&<7N`74&2vWA8&NR#OQPoegmCxI<DHxcoMV+m$dW`u`X%I
z?{nqx+}icLGMy7L^|rW+Dhj8@q0uZp>K!H2kAKJ*38uqvT2MrL?@>}Lb%5$)ff|d~
z57*m=I&IajJ{DUAc!qcgK)Ukp<Bp2Pqj3RQt%_`Z7sAf>?^{CYS#DV<P>4<Iqb@5%
zyA9_8I<}L_=lM#+w-8^AA<?^T=Z70}$-wm1KyTb-)1Iu!<3S<iPRS+mO^s7djq;=<
z><sJnmBmHnog}=A>iTNjpVkUiPh5Tc%ousl{~#jQn6+g5zMuZ=&QLm+(8A#@T(b4D
zsI6!^y#ISq;V986-6VDz6C*L0tC@Kr9aS5R^T4Gdn3t>{Q4yBLcm46WXb4=QzodP~
zs~0=!m8ojcII|KyP1idJVVr8b*9ff{R!?X>;)gQPYBcz^@6gcJy;N*s9(>7ri_R<%
z6i>3My<)!^KPou4`!@Ego~v-&YY$?1plE21GlYItlaHKV+D*hG>eiAn&5i%6UP$nc
zKs2KU$Bs*Qti`oqwYPMh(9$yXfT&Z8m_aIG|8_}p_rao;rgNcfe(1(!?v34IanM2^
zeKU#Eo{ws{$22%Ox)d`lDX@P*wa27mw1Dx(`zQmr@qCZBQgn_X%R?>J=I(1&uC)+l
z_aK4&dZC=!^c>B?0#mIWtBDHE*1xrg;gJaE$s*zcgqo}=@Q}hYT}#w%quA6YjLDrf
zXJ4F#CK3=o0GD;!;4iOb$=ebkx#-Che`m?m6%@AB^dW*BM?CF5{d%Z>a(9J?W3Nj)
zEfhei<DW3LW<OB+W-<d8zC)<8neRx7gi+bUxM04|H+bA@1ZvhPT2HaNRiO7ipFznm
z>8J75YL>?@UUaz@ysgtUQ`_SmUTjb^+Bu_rYf?S_uE>b1Wj+ftKnrgo8yS+<->op6
zfKMpYe%{w@mb1Gdi#V(_+TaffrGIzaXYVUymJ_>kIKMvfYT~(C?z~T!!^O38I;^*z
z6kP_hObc~xB1r_Byt=!c4uxQ|<i-xIZo(|J{6>a^@KRnHRJrpZbwgDJZ?`80vb>%`
zIg(Ru3({_^ksKP}>(DQS)u3f?=f|9t^I=f<!b*4F&%N5H5V65U0@Zx&K!IQDx!!Nc
z_3#%77I5Qf%P0VVV|UP*K3Bk}XmGb}w@R#(k!`%oJ76*|%Wsz`3&;FSl>EH!Gya53
zQv^jDMcWwzHf<QLN9c3bhHCchu#t9TTlbtdH1PVLp^oq_oH~A*vf9l;nX+`m*4yh@
z%d<w*gk5AFdNRq)y+9+r7)hQiVl_yAa*p_Q4}s%4i*Cp?j~MB@clKQg%FU7^!|Nr#
z7%)0hN$DnTQt*mBmPK90W_kqILuX1nO%@e#B_+p;f6@v`-w-6%9e7M@8gMKN@d+qU
zy>U3ZEOj+=eoa1$h^u|chaFW4ygx?^E`m|LhK~IH1JgGO6G@r+T~g?qg7D=w#p#(>
z6M}Qu9Us2!+}MDNs*a|XjFlba>5FfZob6PaoI<94=FKq7cgeC|U08(Zd|JZbY6WSk
zZ}-CGHBGDb?hW)0x(-8iUHrvoo)t;^V7pHimIoKK)sm5pGFV%tDw{dujC<t|GNd-n
zFXDsmrp8^w!4b0#OdyKYC{>lTX!zgSNaku&;p0=x<#%}Z85D|6d!}5IQ5b5;<|2=|
zaNp*r_QuRzBdE*VBuB5BYjT_#p)8wM=@(DEUy4DKYPFQWr3u#=kwHy^@P*&al3alk
zLyX8iTsgycpIr586fU`Q7v@{a?Qs2)q`x&Ew)h+cdqIIj+|RPkesJS9%g>;n!oN>y
zTqcFsyghF)P$NhbnYcM`QB2qfA^K+=`}|KNMmCaFWG>ropU>nil)8WvdiXz(uwOg4
zCAd@E^t{AjGIt-FRLHf=$>pcI0rD`FCb7~y4_H`sJGjd2-#$>%jIW5KFba|kJbu5J
z8?=gg*8e(`e@PGlY_vst7&GycXj7JJ>$J|6kQyUu6&|IJrz@`hgc?$9)WlI<DK3jK
zSWF<u+{VJZ0U&)OIRhH<T{856D7M4N%-65vk<TWwBe_9Gu_w<(k)Zt;{5`&-0FR-S
ze-Ok+3wwsd#@*LBu=r;gbd!00ls1?ZZYoD93x@_EKW79@I}0wm9%&6@Hm<5Zp2!CH
zCQ6BtKNCQf>9=Cnf_ryflw_mmSA63@_NWi`=;?l`XrrXjw(F5$3q#ezkhy}plaWbZ
zV`MM*dA^4W8+e<D2JiCxrqw43=!?X?;tzzUz;(@^ybpm%l>F#M_tg7&DwKhDhi7VC
zGdQ<9w!<A&I)hcR55~-}BY;A0YE6eFzKA)`UC6ZkbgZ;%auT+~M*CPCZf0VM;g%IT
z|LCKI!(9UuRXVyg?zO_%M;hFa=%uo}p{qyt7{D6+>@s;g@sK$%!Ob$k=!onkM~8Fn
zo7o*QlKBx_b?Cyx)4fW4dl=7O{?F3~+&{%2Hp&LMdOQO(##3_z+nJH_e4gSjo4S-8
zNdf?=Sh>c)ciIBH<>j^`Ljb2|?b(C$rpP`#w3@(2ly=CZnQR;0>~Vv(gD+`ng~w(?
z)V{Ch#ikN%^6sZO74_Q1z2F*O3V(#jqMJyz2jd_k-pOhx&&59(Yhi<R<}SX?)z|CC
zZvJ>|rxsFHY2|#v6<BWAOxP*Vr1%=D1PKx4z)dx%1HE`8bB0*{h*=m*T+gU)F8zqN
zgQrW&#D6<)-RJPO7Y&N3iKUo5FY*xTOLlg%uVDW=jOfs3(&XdQ!}+)^e??Z|zOMgz
zdGyG9b+61QyvXEU+r!TzT;u-LXz4=qqbVy!nDta>w#N{LSnUCU;uZhBGz`Y*Dd9Fy
z(5G{)E1+7dNXolKgK-Xo=DJ_LL=$KI`UCQ>8OmD=Zh=U*<jC_wj7&2H;oP?}w@%-h
z4}QBmKK*yf?hcJF3YXU(fYsr=+z7oO5Pii*KV(*>>drq1v3#B7sF$V&IN;3y)q37t
z_ubQyE5$O=B~tChff2I2nLyxBv6CXsq6d<;r23{Jzw||0Lo=Xqc)u3sxE=4M$bFDd
z_wVDo{m1RLlm{NacTkXqz{vG^sNqaEv`noT%jn8t%Jm5$eAn1Xypv{LOuu?7tj-+_
zjRl=+HY=LgEZGVG3c@~f<QjVAFrr2o2K;Hbp<fn}NgOIYhbS!+K5iNF7|*S&-DTW2
zF#X7X9@icpNvvKa@L${Z*B$qQC14v29hz6O5;7p$urA(~@yyfHTGatC@Wm`*E`uFl
zBrIQA7@LIZ&zN%1*)gEHtI?eY6P{tWRSFpL1xBOX$v+O=x7ll-QbQf}7TZ8cW4Td_
z8{tpA6{+>KxgTYt@-~kejKVq1Zl1bdRoSJ<fvD$r9HC=Fs?AJ1uo<Gee{MCN{hMzR
z`Yj9+i3yjyTaRn;Gl*|*kmP}ymM!F^&Fm%O{MW6lOqQ4i4%IfJV91P#Z(kIYIv<?S
zxU?W<;x9FDQJ+Mil2kvI{<5N{2T{{wj=lFy4n@t=G1BZSH+jjM0-6t3+qcq;qZ`yc
zD|{`QXR>-F8b_1lAs^jVA~tmf>=PK+P%T{<duX_;wc2(5K^(WJd`wT-XdkOC7$i;2
z$*<*cFoQX(xc0VkgW<JhYSZ~WZqFF+9l7SMD<YC&qb}k9ua(>ni}TSxy#r=-*?j~M
z+L`gDi3F_+&nij2(Kd%ld-5}mugh2_(=+}3fqZti#5l0z5R>u!)2+7D_d#Q`2fD{`
zSvQJ5Fw28|7X-|#^bkL5Jmv9m=+GxfmOaBLMeNMn3?d5_kGd`kxRcD6BgDSP6x2V7
z>Id`)j!$)fr=47bF>(LSJ4PXIIY=KW(WjL>$h8eF4qo;^Exp~WPPLGsmg5G1!f;b3
zU^!?I7Y^oUFR@mH!r8fu=O5Ooth(2%d@#k!){f@iKCKbFpYPE0(~#T8f5a4@H(fym
z*ResbZUrBi!~Y;!glc&~zRy~skaCmFl}<^<KrJf1dI>wpHO{mCSf#fO&j85hV)COk
zMyi!UFKMQ%sTb>xH!J-UlOx<I_E@W@Bc3VNg6of<p`hW{h7b0S&)dk@e-J%yR-e^N
zcOLpb2puJdqBoq1?YmDz_M0J;()BsdUU5r8!IDYA_&Wpk?ILc#R^)rZ>j%Q6aIKTo
zhcL1B#o5*NK;6yX>sz8g196}C@z-~C1f_eqJo>AtDU`FkFWC1T%0VDY)9DG{ghr?3
zkcfr%&{3hGe-Jh%q8T6LZ`%omam{m883uNi9-ZyM75;LK<PyoqJe8%f8mH;sYFtPs
zbLw&}qD3O!rrgkn&<Q=$9a!_dgk_v+7Dd$jI)f^jU5>0sm$uJjPlfA(%PcWkgJ#Op
zJ$3^@_Wg8kb)(Hk0nA-OoVih)!$<#D%46P3pNv0d_nJ17^9e(sx13?-Vhan*Wdree
zMI*A43Ejn)XXFXadDd**DJi_cV-Y58A85N&Rbj1bTO4vs<8eCA>?UC>9oC|ZMqH1)
zw6~v~-};#IgiiFTD_b;Pkdou@MC42u9R%u({*;uG{a*Je%MG3jxQ=UXL4k-6AZ4L}
z!$xW}is{h5WVB0Htd}}tq`l0$rMqC;hN|%{%GN%Yy~1xa1osfqf&hmz2$r>J)*xqH
zoy^_ghzbitXG>-iR+2(zYoAhbfcjaws{VIh@VY%~#w>TsoqLglg+Q{Y>MBy%gATLA
zFEOug*Qnjn4$bmoqm3^GT=S-+s!s`G`uO_mWIF7c_Q3F%a$=a_>xWuRq9SsDUEzGv
z?Q59<^%9n+9KupqhNHciSKJ|!4*-Xgq~>qd^=Cs@B}Ai9#woY6fn}7~eW|Jt$6NWA
zAMCpG(dqHNrI~xtI%U{lHArB=(?#HDaKudQ7advnK(w>sxHY5dr*!uIP-bSSf^BUC
z@p4=g&}J|<^ks1#_&wwfKSR2#%`HGSxyxK_hB=K*jU*S)Z^&u++q5n`bN48R0auKH
z_4mYeBgS{6Ih#H>6|ZPU$162`qd0~=c#!N;PrWur!)A5*ds*EIsP+J!I(CFdqg}?X
zVf836ai;(k>_)JgVa}|O!yPStu%@Kn{a8StsAxp+wBJ@2l#?*rN^>jGNLB7=Dxk>g
znp%@J<<fQ1<t}&v&AT>nBuGyT->uGL_e`{R>BuJ72g|zZmKZ;l7qP^4tr|JTPY+<B
z`;YjU@c%^o{J+Y>{`b^u-O>L5N#1+F`W$AekVpJIP1JGgrwQE%6ib$&7%zc}6(A;k
znP^ZFn7gQU9zguGGl56{s|CiXdu17Sild)tZ_ojLt+V?6!@yKJa?#G9RbqzDVX@5g
z???va7a;USB$`hRjuIUFAd|I~vH2`Kg_{ypww0It=ED_Dd>@xKuLc9gym-j~Dx8`W
z>GvKdDk1uf4?cimN_Y^r`fc{FTjOpCs_GrTq<xJbOQ<%DxBP+I#o{Ailb~OUuw?&K
zOodyEMk(VjvAO=TGhOpIyMakeXWC3Iq}*PZl_A)#5HXQt>~I`?65)hLWH^tXmM1~o
zm}%wp0%324%#yDq!=oAsP;wOL+M_G*RTpSTTuSe0P5CTUbquq8uj%-vU(DB^<T`y1
zu@JH6jmXAAzUFrDM`1`PcgtTgqkM&EcrD#UsTU|~jzOWUj{ewOU&$x$ZSV2Cx&DHu
zfh_Yy{usaIr)RzYy~_VvS+Z>jJr&)ts74BUseyof{wRw(Lzr~|81**`Y)jy9GqsI|
zIQb*uposCvmfS`f&5k|`M2l(R(?_p&qVMJNQ9kfLVe7)>_%!LmHI4la!6-y8e%EM9
zN1dOh>hg?A9@HLm%}L%C$0+N)=0QI*&&gJr=kZX@^<=O*W{WlL-LRGcxTX#TJT)<j
z-}$(#)8!LUG&Q&uYpy5rMV_}MN^$8`BTJ;=&!rJKd^?EyOZMYrRYu?F6m6$2rPU=Y
zO)=1^g?!O-idD~1YB|%GO=zb%^Ng2W9x#Ik0D0|`xlkpsa_G?E{~##Wu6XeoSvDco
z6^4aPqUWt$`jyss?LM6H+sn3a^{;T5^|itHD)(E)YnSn&WZKH8ys6JQCt<zJQJ#kl
zOe&`Oyn0y7hYJM5sOqf;-g7YtQY6}rW9r7E7Sli%Cnu8x&Q0=S8KKP8C3g=`c%zM~
zgnLd}Oru9T=_DPRkHZv_Xn8Mll5nUN&4T<g(kpc~2*F>r?N@*Gc%V`-3W#3MnOW0y
zGwOb!802J2zRhrrP@M3yq$jrWdc=Q+549Pd(>@la^B%yfUp84a@~He$5j56sg>ey+
zM#zqU>Os;ct%mH)lup&KGL5TQg=&!^kM{hqA!vd)YCP+d?ymu-`OH1Mn2o(qwJ}YA
zVDag9NIii#`8vS;5jgPjpO75eeW=K1Afm+yRr<X%5~}6xk>bnxYcj-Jexp);xy%*8
zIlN!Ty8Sk)<_uAu&aF-xtU+~C=Ht1za<2J(4m7Sq_F#SW%2(tZt@*}yHt9LumKdjl
z4~kTw9QhMg-mQwh*pg)&$*SJGd)sMwFqx1Gserb=MvYCP4%VL;>0iB6tm-U8Tu-^Y
zRtfkHaVu{ATp*bkX67NAb^UR$4rvc%lN$cx--WCrP2i#9@X%?v!pei&%H54BM!4bB
zM1^1c#Q4E}RZs)llW-#8$hG6%y<qv4FS%bw(GjQQBR)lmWaSUD&#X!)vFS>_%^`A=
zYM9AMb4T{-fEtu$wV>xbMZWgmqX5=!uO)VwGg-z4J**~i(<4tl4*IFa#Vfxh6YENL
z=TTmT2(!~>Jp<!LdlKmM`h4hMkR+`hNv1V!h!RXzE%VTT)Ai#j&Kd3$AdQhj`&U<x
z9XR$(jiCLm#<ODP+2wp8+5VYB(?@s{c0Zdt6dF3p@ehR9BOPv*3IYV-NH$i`GEi+=
zQ@<Fv)Iq2o6Q^utN)<j}S~L6}=82Ilzc}Ou%=;yB{^Pd4^}X;l#*<$Kd4sknu@^GO
zVR+8U2(0B0UFfIbpFWXT`7Kh5^C7rRUA_pDMN$e1dOn$A4$gWXPBCe+c?R?Az<3;G
zOaNyO)tlb!&SHYRyLigp?ahW?as12Erpt7((C6szB0p(4ZBRf&1t9vSvp@i&wq5^~
z(FR@gtDpI0YNqfCnBy4k>pzI1$j^OwhoN8Q&YJFDe)hmkUCwq?R6iDH@0c$O&6e>^
z)*V>(bts`YtPIMKKiN!GCn;Qvmt+p(1zSBXe~Ps*+pkr6Rp=~|&=eXr)at158K%yd
z^udI$ES4p+?f(4fU`69b5w5bcjxJZ0ZH4cv&_Jer7@(6P5_8OAH)>DHjAAhn1B+Hr
zFL12YCon%6k$6?`sPU;xGp-We{A5F_2f6;HM}>72tN)KYsApOnDEPf#Q!US=Y^!o<
z0fB-HONpM#JRzkvQ`&=~BHprMw;x?JVqIq>-e+$O$8$-CwI*w5>)EzTF3a$z{ZPuR
zbq40K%ZFisMvK-tY3cB8a?s66DI#Ksr|?&Hg%9~Hf<T&*l+WPK{O9f0=ykPQ)eTNo
z)1gC_$TFn+{tt`*o!)XkOBry7VW6ryX$&;U9dQA=Flp|jU!Z?Qd4qyqkQeM<<-pz#
zxT}S$X)RGtWZALmxxXD1x5X#YN4+&QUkrc}8YyXce-fZL>O`g_=#M7C5XwjyTFs~S
z`)aR0)TH9ta<72&?W&<2ocVwdGe0@s1OLH1WRRQK2af~H(itVNk&OIqkl1zta)R&6
zVOH`3l?CEcTH@SUcKL*h=OTg2X8sz7%U)_?9JKigv7&zBjJwh}A5#}Txd7a~?#&nX
zZi-m}Jt7>2B5`y9o#Wtyk(*@IH0qYXaf+1ew)12mn)8}tkiE~P{uMgBjtKgW_Aq4a
zV|W<<7g7d}f^_d7XXQDC>H*+ee+u?F)x4-M&HV6lPb!<4_PbxnEzp&V%eV9;%?d=l
z0@7QtTS|3I0<O@osASjMH{OWAnn16AO$(KdA@9poVB$#NSzm|sqzuxtAFDl?FYY}~
z43gw0cxB!->M3UmHYv;NBsI3s)Oz=wehv9J@52aca}6zm_&A8ovc?FMWpNge7E}<p
z=M}rq5K8lGTB?*kYfi;%?-KegI0v%UGgsWQlaosZV-A4x;NWr9<W#0Cb0ou@gpLkz
zVNgtjleqjMqU;LK=XyV9JlUwIIrYxH62Zr6<Wjn=4l!KTunRv|(rLbkXR(q>CiB$U
zQQS%q%}kGc{&UZ8wlO<5GsQYiaKyl}Ri@q4ziO17bd|>P_8|_~C5G<S;hIcUeX(N^
z*CfG)YV8T6n@V?8v3}ooWi-!E$N2JnQFF>}{qVS!d>=(igg~SlnOiGrx-*TE=_19y
zha^|)sHY$=en;@6=E;*07AEj)>D$!4zCV+k=Jv02S}r;!h=Z#*7c}Zt3tN_RYnguk
z;75b}5~u$=soaAD??ONpkl|JmVNf!M)Hvk%@I7VE`mf9lj`d3sp^ggYk=J~Ngcah8
zF;L6_VQV(lfn^?K$6L%kt9~@<=i|ei;9HyFvOe}D`)vEwD^in_c*{h)#~4NJQ{z%E
z#G-(pqCTiHd3zt!s-gP10|y?vu1w>gXQrF3y|<0f{Ymy0e?_Z0|1<iEh*%I|D$L;=
zFSlrZi~++fCl-cbqr7tEF%B`i`rsSqd52GKd-mxQ#Q{`akhQr2%<f4R#@To}_Rei;
z%(k60eF6oX1nl%{iiYhEqO7g;3#1ZOGZMB{MmQpfY!VDNz>BH2d_|YKst6=gY}>WL
zg0FKxXb3E!<(T6i#$99Bp@LNUG#<o7g1y`*`4NoAx$k3|%|9Nq-E2=8rh&ub_M?ij
zIVOcO0O!TRvN8Dcc#fnbA%uK_L6{c>>gxmt&*>wB6aB-jsIaoqpi*6WIyObT6<~9T
z;w;06*`EfMzV?ApL#!Xz4l>kVldz15?G>2+etyx*LFB{FQSax04oNLl0Tn*Yn525v
zMnXqq_3&#VccCK88}W5;LWGe*L*|OZJvrqENy2woQU|GC<nO(wc1M+C*tV5-z^0le
zSu2CaLeS#L1L<X&-6!kZ^Hx_^KP|C_F!fkOc`REu-i>38gWl&+m}P{;@7r5cBLTmh
zA*`j-I#9Aj3=+i>83oOlFMVQm350Drnf~RkI1FVpgtDc)tWHTh1Ky~>>~J%?E04!M
z{_RN`EA~tbaJ(P!Q)wi}HkVH~hes+QN6Q8dt2Rt3IbK1mHqiKqn})J03ej2aK_uQ@
zaH4_pK>a%zw7Qt;{&w%%P~#e5%4M8W?zZ%Y#2Q|zth!xu8jZdzLbBdA{CD)2wibu!
zm~}?zmz;hbD><B>gQWOpM1G959I3okpXOVzed(sUqVrmBsi*qLBb#kJmp4mmVECnH
zxPykZ*6wP&X$qvN{YlGH|Bb)hAV)cA*zF8y-m*R(6AfXRDj*C;MP&@rY#(jx5#CQa
zQ0~h!{lPx$er-fXLE^{Wz+mU6db516<Kf&-*8d*K_xYPRXnwqLA%DS_V+VXVkO*jV
zm;X^ubD~AjM2YpSTqi=Wza;=qangQ0D#XCH-9&<k!J$oAC++nfeWk6~7qnDrp_&*v
z;6B%5rg-2Q+B?sdOE0d4BRxKXEMO`2he^AXSl-H~X<k35K!eCGdKM^2bAxLGWKfJ5
zQTNiOZ>+R%TczjGz|%F9Kg;eaEu4z2G9}ao03mI5&LDmsooo91y7&OxN&>1Lsmvx&
z(7&ZWAH&DjjvEzGEku;e7%V|q(y5-?GI1_ROE|lTLBc2N!wgycWoMc1LsX_DSB<2Z
zg$-vspd#cxU3B6A&KzaPv})9l(V5Vt|5~(%w<ibL!L&Q^4IC=#B!%}AQY83@kz0=@
z=y0ri-w&-FaStc<747jj4*Ob9arTjyarhmOncGAcH>mMqC1HuolQjq#<oO+q1`*f2
z)r&q8XBaV465kB;z1BVwA#DVfH<nKaLSwLyquTruBQfb?l}MFu7vmW~A)1@|aVwK&
z7L8*%Z$p_8&@?B=x$e*q=aTypFM2~4Vse1xIKlE@eA48}Wl?H7N;Sa$xsBKPe!;i@
zl0u6cGOIh#ZqG7y<3&(^V97WA=3oL;VjeQ<ay?y#J4yK7kynk|vE(m>@9)!mgB*>3
zxO&w?ku`ETZCrr^eA@pIw1`yEeWB70)2aoXDzl^VM@?=<38qPTlDA&@`<#+6Jr&sg
zgHU(<NC+tB*c)-NXi;ZCotLS11en_s*HVgd`sF2m8jhhf-NgpF3Vn>35c{V!UK~m~
zv^jFja;znA_Hs9#mu5zh0a0$;`Pp(jmN7T)b<Ic19V<zqSV6y4tw%}^EamrDktl)=
z<;9s<hcCcZ<9fQanRX;*Yn8a1jh5ePYV#~&lvYNokYe-(OxKyBIH3Bg>X1tmLIkUp
zWF9r4<6Qy6zk~ZwJBM>1;?4_VxU(N~e6CXG#dLA)wbSYD{~+;35ZIu><A@;<&7-SW
zD0Mm`v-~~jY?$VHk-+eE=*+RJX`7;>j~EdWR6J@nOji;wWd~^jglMJJ96=f3%;H-7
z)^v8%1M+YRMVWuCG@@9AkePkRC!8;8w#Qcwcx$M`#v7dINA?GDVCZi6X#peQIK|tm
zrR5uoWjNlnKTPlGDUc*JxB#E-srU;?n&8BuOcW|2d9h&ND=)=YWt~W6B`x860FRc%
zw1w*A(61ZZLKF#fNnyrwUk|{tMa6tta1EZgOeKnz19H+?S+JPgBwU7geUa}m5%{}%
zgLOUGo?e?Nd>FlC<`N@rIuAlHVgNfSbheG^50+w4q7E63+i?OFo0?A>q{ooknVYM&
zhs(*>xGb{ZpO<i8#5l(^%TRj7T)j6L9Xr2{)ozte2lG)?vBXT(ELHT;Abj|HLPmnc
zS4gGAbAFW3H{|XsLH(aAKID8r{<*EvDQ#6%rI6eW(T*j#s!D2yKl3W9D^gZu!PM)n
zVe@Dh=Bie%#>=0G(5&L24L&WiTH(X}dwe-Q39eEEKe+mpyAut3PA+xZ^RhxE<F&sP
zt!K{G4?NJ+9&@-4-*YWha;PR?GH?rTb9rjZpBX;6UeV<|i&$#e`trbhseookS20Wn
z8aI4hhZ@yod!Y57b@`jGXl&)<>*BOeAA`qL=VL{F$*2lHTbwXlQ%s3cG+R6Gebmo#
z0nhk874Q7{`a2?A;ezRv?x2-oS&HoGP7CfNadJ*wj_g>)HAPF47ze2WzKdK5Dvxt@
zr_{jUZqEh!G}X%r)0VI49{A`nWY<#(3KWUFlk%SiJ$08+f}8}3?8%yBo8~n$gZn8@
zw;O@L9;wC61f|t5_rsT$BB%OnPSoZ|-_5SNv{f_R=`pv;@0Q47pAFy_L^uXzqP=?O
zZi~-54o^7ow2vL749D&K(m=nzG({meKjq2Lppd^sGXN|;4W>BW59zMd+45%u$^%$A
zG7KFTHAyEm>khegu}2F5e)|%TqvMA6J0##Jb;;{ZKUA<>5;3=F(c^tRxpL0eG5I!d
zQ=+t89bqC8H6qmOZq2rjS#+NMFmCkyIMC7iI03UIx0>)D1W<@PzFVM!8w{as6&^26
zAcwYD>7f%r_rWWipks=m*`1Y6ssTLnO-1~Td`8<*Pw`b{GxDof*W0~{^jYP_@AWiJ
zQHvu@U6L~#T_E;^<{x7ac@ZL~#81T2C4LR{{qp{%vP@Qw$gWUIlbyy$$cQ!KfKME}
zW(TFNUzogBXnFL2$!FIX;)s!}zBrWfpRRE~Y9z`H>9cEebp#NTsEM})Lkq1Zl(@R-
z8(yG}X4u=+N+RXv-h7N!nCv~8?>?@z9aq{P5mUBsA+gOQH*)bGmMqP-D+<}|#w%Hr
z%A?lNAE;2b1S5W-o{KZOSYO_Ke=|VP`5Z5{=gIwVFYo{Bq_LK+o9}k`UF$u2O@$uE
zfWAeudz~aEH>K64;JDyGO3d3rr_UwUa)7SsS7Y`b?nm{@Z+w}SWX9s5mHV6<-vQI6
zH^a6l<3A5fZgrkaaLss|qdj!ypC0%QN-V({`kaD|E3(sH`u`w$E%o4JSX+<I8fjY+
zE(Q@Z-gAv^!bJZ;fIdWmZs>upR(wC=M|wQCD8>q^5`*QE%u4$?jYw^$Z~^@-aK~2o
zrr7L=k|dLjK8fOCIQ0*)kz^@`gIocQGM#0O`Hq45iGmv%_*`#GbxFt#RCB|;Rh#s@
zb<CVOs*?&ZlUEZ0`o;4IR>CXAAj(zfFPau`6PpvdiaR64!Zk#-LQWe_K=;|##XDq6
z1Gsguf&{vgjnR%%B8DX&Z?7LYg*=vj+Ch2uNG7#VRCsaRlzNA2Xqr;=CrJ?;<Z+92
zu3NKn+Fm(H0v~+r-131O2D}EY1NJq!W<vyQ3q$)Fw!0EC18LIQ+$`1_3at)=MetN-
zlepssKh03PfBKv*r_V$KdHV#lrh)v>K&}AXlOYW|wtMG;%HL*IdNE4(003D}<nVPJ
z!^D-YpJu}h&ZL%nWsan<0+y>tiu@Xo@?{r!I|4ZSmenA|1llz8B#K*S!f4*u@LI6N
z=BidbXQX3f07I!-IM#F53#Ug|v}o)u{*?0sqD3KvB>jab37r_hwW@kzK&D}bcwTG8
zz24U+nAFknOvzeWUDBsfDM^<Ei_AftLez*eEM;=V&zPHiD}u`0by;y@hl|SbGn%$t
zR;fz8m$ljXnmw_>kPKP!3&{%Uvb0jSsjHesCMue}*j|Yz>z1>WW|0d-LuNR6tUr3R
zL-7Os*8#^JLzE74U7Ic5Cn?zWzJC6b+SlXS|FV+%(pF7jB7hD1Yh?{a*^JOocOdP~
z_78J#ANv5qa813S3<+OY5wwWmOjc$SjwyA7h|i@H<DmIromSjdqklGS)@3qq@VKo>
zN;#w1T+>D~bP9x>_iOc?GtQqb8BuGx#qo-6B)O`WvE;^VcPA-Qivm_tOypM5@YDrk
zgT1sE<POgV)4^*om*{pn8Bxg{64;JzhP{b4t=&Sbg*O4JnUR5xA+4>gb>`JQJ#j|J
zK4%-yj(Drt??SFEx2f8wwC1N4JT6|U>905p2^${7+W8^}eE1=quKkjdUZw9?Nf>wo
z9xNRd;r0KHi0sOh+$)M7H0?9|gblxjFFWt6(qO+Q-!;<=v*T&G&HM*6Xfqi|uZ3G+
zL>{P$P>UQF*Tg=q*(G4<bA6^dsX`L9U(62Q`${vFjihr?GMklmRVMGcm1=bp#UYZt
z+Qj9$6YcA|^hmG@d;E=es=qKaM&rygI&Qm&&H*u=q7jp`tkSq`%)@%bN(w%J5j#dO
z0Xlrzr&$+EBC<-Ofany@pIK)@yryAT(!lb^9?e`!$-x8*!)54ZDWx1eg1{Vw6|^r>
zRtQ2kI#VLZ6z;fW+vdmA<L%PLlOf>~<xeTfN!ARMiNBSN_EB5xw|-BTQWAsP^woD3
zE!gS$&Z$QkSSt6WIg0{kUk@7?f);Rkj>kex^yyM{004?!qkg)Oje5axbQi+4(q&&I
zB=BsD(pquTh4&$2y1;4Kn+4u*`(glA*>xLD&>R)C$~B>ZshXY?QV~^Yu6i~C2J_vv
zGFkHNHG#9IAjf59&4Cx)x`W{q@~~!^aJRNouzjubELFoyTeOryRcs}K)=0i;vRaB;
zN?{^bpLEmhA?@DMhadWrKiHN15bT<BHZh!#ftT$Q@u5a(LW>i9+Q-#P+m;ICrp|tP
zrm}gl0cUdD@U$4q_|ceNS{|mD4on)oY<3h7P33c!yb*B6u0-J~N5=wZ?ae%2qCB=d
zKRL;m{ou>2Ids^-{k)ir<;|?=nx<C)k7xUgF$EniIG>j{P$;2Nwl_EVgI)xU-1rtv
zjF8+y`$0jWp-eatGhv<)dpVM7ce%n$d7TDL_4$JoU<2zmFuzL?=zwfr$1tPJ9F`{N
zAsW&&$7+;V9Z-MN5EN;(->787-XNI+|DI#Hr~4*M=unI`Md<~do=4DF{l>L+?OWJ6
z?()ix&Kwm(R5GT|)}~5ihkdP#(C_ien!=7vX96lvxBHG)s!hzk%Qy88g3!i*DKYd7
zTb8a_r^dHH1Y9xK8LF<V*mMy*e`nF@y2bP~qvew$o({}R(k4Sz&}>Xfa=Em$^7nTO
zE36Djpp_d$SZK*g$z5Jq)~!;gxzfHuOC;3z<||_!gteyqZ9&B>9X)IETaK)~xm;Jy
zQTv7xY(d0$zv+0f0lTv>@#OVJWo5$&=w?3wKOfJ-zRao9gQ0a4s3erT;g++|LnQA^
zpoF&d%Zq3-+q1=0?<E@uSP;>#zXzT;L2azi0h+Y&;FSv~j}`f>C@d7D6YX&29daiC
z^SE>)zd7*?)6~377pi%3J#ORhFel1#dH2`N013{2f|IEueFB{l1tN1Ev5y<${mIO+
z_?0WEhxTGY^30Sqc*)l4jdbc4Vp~)+vxC~vmScL5bnn9$iB>u={jXv^7lu;18&)(0
zBns5BEu%aq*Et|~MecAP%jI;3=reK|4K;@qJkIjN;g`S`fa-52JW77pzvqzLuD@U`
zNrJ^ugqgAF#$>A=NGb$<PNh(fv3-fn7Mcjn{T8=+CYKY5ogA*$@ZJj*{fx8jJV<V@
zuY;Bd^_-=xw9U6hYS688N3=ikLnAVGn)m{O3Lg!>&(Mgt;iC}OW8^pU6<);q_>gpt
zh4=B$wYIh!{48M%W7w<7BccYE;^+@88<f>1VsHLba5!oUx+5mMdnSNQIb0*?K`9R3
zUv1oT&{LDlx6;`*D2Lr3_;u&jQQeq!l$~m#!0ULoux7$SHL~|Wx08^?Kqw~qHS_z+
zbpMy2^0V@oy4wpLU)L+hvQ<nSrVM=7nz`;l3n?Yp{=hn?Vcsw*_-+IHZoI$S#1W|a
z$DgoNB26w*D2{qpL^KovF*^byX!dA+v+J$(aVE&Xki8BkT~B~Ndgt@^?Cq*G$3_H>
z@3px*jTE@$q9*wAau2_=8A+)~W23cAmxTNRgeZp*T?Y*a!b=L!ZjkZPXN&MPGv6|j
zhR0lW@2sU26Gq-U)x6KdxzuFmfOcRFmT1(Xa{{U?o9ja4>e)&87;aU54teXovY;Ld
zh+oji#7!<A^-DZXTG<nD9zx^uzkxCBNZDnqwk7URy(IAVisYdSIrNOsqE-&w2XHHJ
z-0dU$77ezniB5>ZF?V_f^yS$SPIZ_b;KAXWSrjw3>pF=R^^N{LP`0ftZ>#by4Ys75
zxpj<X3z}%`imX1a3v%<fz#c%LUsmm#(5|N~KkbN{oYk&YEV!l`lq2!0?U%shwH}g-
zT6*zqXWsb{PoLMKjb1{T0bav4QPVv`&S<X{!}-NIphM=@=0d1uV2KXf(~>c*uFsT$
z!0OoCCj5DTT8Z{^5y6gNciQ-W;q9zr;tHTWO^X$GcXxNU;#OpEcX#(fad(H}FgSy2
zac7D<6n7{xICOdMug&gz$tJtm`D2oq+?nJilXLH!bAI2KN=J~}>92jR0?ZG7tGoZg
zFulbJvt!}{q-ccBlvJs<eEB*Ld+Zi2T%Uby76f&VTuU-T+vU2_^s}bFveuQ(r1&Jg
z^jyg;zVaxzu$oscMvjBH%Sz`V@yR}4?b6(%s^*iW{Q(n6-Aa<us=o`Y1+Jow&3Q(8
zvT}?Kr@}oYq7T=h*aSrh>bDnJVUF>7Rqv7TcaFZjhE;X10*RST_X)^@TR=gA2Ea&d
zk~p#jqN8F?o+QCtdJLTjbMCM?$&)T|a}Mt@$s7fhr7}T>eRD2_dqbY^2iXH)-ZG=@
zecIgX#zQ;nSaoX`&l+YY8rMHatfB1A5<0iU_!d76t=$D|kZX#fQq+aIV#H~0R;smF
zhZE-P80kc+4U#f14GvV`6ITXbHqWI0&USU)p05j7q4dzP|MP@>R(-ayoXe*4D!))+
zk_9~Wi<z4jBAe+mmV6^>p0~qG&nfEy*n7jQ;R~T)uc_61l=5q?-mgO6h!Ax;vsf)s
zsZygFxdpa^M|=Awoo@&C#RktGl5B4BdUGX(E0%}bk}`rAI#8|hAl^6k38(^0q!P`q
zu}&x3i2|fr;1~fSY>Yu=9Gs=NvWfYXUrD&9jUVl-`E!%ib>U1VxY$CCxww`_)&=+x
zxpO>^@Ym3u>hFNb+KO7c&+V24K1_GmP**_MKXRI`%J}tbdH2`7xl%BFBNOChve~~z
zw!&?PpFar`POBu#HLUb4SEDHtw!2HOqOR&-bxqHP$qVcxnMfWk8;0^n{5To;ZLWZC
zt<RFE!AE8<OPXw3s%Bg2I$GX1O6<3%Of|1$Zpb~a>>BSmZ}{=FY+z2fhd;s*_W?lY
zs=XG*p3W8Fwzmck-UKMxsMhk$8=0ql@Ng9~x`VoooMeqT1{IT<{1Qp@&iCm8_~Mt`
zt1RC>F*X+25iUkM(^-wyBdBtYgxVIGPtbukX)=P5pjj_sYXAjnj;XDlel%bF1|MF}
z3e-*)73~qt;c;bfVoAcQ&(x$U8k);ShPZh}7S$=5biIF+PZlrrKmRb^Q)d+LS$6Sh
z>-oCY;nUzai@3|j<8z|&80F}Qe#;l)Y<+m|D4;oc8e^aXV2ZOGj>!(U3FnOBdNDdM
zDKfol1G_?kBLkd3V%8it7zDv=^81E9`sk}O_D`snQb`V8d-gdw)%E*b)qA?V8ua^v
zN(+11Dk5AKs8bgkT}_!LQw4S%=1~-10OABcLD~Qu8LLh;51&PMYbHexrbdWLviac;
z_aFBkphu-VE2onS<3>TC=Rc_Xt`+hMKA(21@b3ea5kshk2!gel7g$PoMHATfqKd!s
zJZ9u3a+1lHIJ4FTvZc#80m)Hz+&zrtm%~*$uKZ_5gxpNo%KYx*t)tSUJN=)iRnc#@
zgZzK<jdEy*&R)OaE|$=CI+y2apQ7*vDW=R%oHEm-=nS;x1Ei(LDyeqEb-#Q4G8(Bp
z9Iip<3Ib{mayPL>hE}T6V2iw99c}hCo^zmi?Y8NQq+G701JILNkA&qk&12kP1>Dv%
z??c(j7o~m=eviZCt&igeD%jqkj|zk(g7B%L@)9T9rv)n{n~l!vpAsq;b)TJwk0$Id
znYoXUU9}FE1QJ`o=HdPs2;_D^mR3$rdtE_XpEg458bh3#$3)+!ONK{yOplQxXL@s1
ztBn^^w$WA*;`ENo;6lG+lu;5ks*-*E#w^yfShEacZpSLewrMpxj}&3l?%IT2vJmnO
zNtcOAw3MO(i~Azzk94{fGa&_KuWs`rc#*b3A<N09p(>`X1Rp}(StSlFgC5YDTfu`<
z@MxlhWn+lvz{8#m&m~EfYT5Uzd}U&4b-9jVUhvd8nKcwRIe~f%VbupzYi#kAE37VU
zY);}`Bs5QJQT~HcL=>VQ9aT|_9&a+^?mwei{2NIN+}qyr&n|pre7tw!chy**4x||!
zxA;oPt`Pm279^G3OdI9e*tyPXoaXj)J*9C{dcoVOza$wc^1W*#kxFaCF7gfMnPZ#*
zj;aN|v2ozRc9ygiZSzOoWIcbrE7HMM@@&IQ;R?Yz>l8obgS`+HTO5JrS{JxeZ@Fef
zoeghb=m%U~ui~as#vFe|$7c@Q2$-&6D4#n9Kg|g~R)B&Qb8^J)SU~JAY?kRHbQvAo
zgG+8T2bG;#Wa-@tUhfqbX?!`*&%e^7Jz^rK?P75zfAk<=L%%y)-FU($_=I>b-{XBA
zB5g_Qcm}`iw3Yjk3~oCR=?uh9+6pJu+e}XFh4d}7QeyA%QV0kv1Uq8`pkSc@Jwfpn
z$1NoGIFpikBi1f8qXG?!s_irlRG$OVEDejpGoA%rs@=KGhUU@5!ZdJ4^oonfX<<h5
zHtN&7lljHm%0U@9OUv%Z+U39uR@Inx=Tlt8ppn&~xYRoDSzHX?8l?q=naCLe9ENOo
zq~arTT_WlB*ZVfQzcW<no8xX;^)xI2^`pMdarU-ucmYQV2iuYU*}DrKJNe{3Hhz>`
z#Hi2S#zri9PObTIACSHdc%GwTOM>!%1C}{sHhnht^}yWq$KQw&T9X1W{9Vzvw0F{m
z(GJ291G$NPI;{#|w64CN1{aP62Ljcsl9uJHxH(4<eZ+SAsCnA9J6f0i@WWwh&mn(g
z(%bq(Za&SuXWz$?$#EMke?%#IgA9!`i^DSfFYt(C^U@1#yo8QUOj2<c?bVP9nJ~ET
zb|V4E{Y7TOWv_RSSJAE;j*qz`&&M0ABK(brtT2>>_2tuy#;nL|3H+?(5uzmAs-fe=
zk19c|-h0=2I0)pL-=MHSoBoW95v4zLm>0FwVZ6OK<mb|??SvvtY=d581AhxloiHUM
z+LPB}>uaeKs}x0ABj&ov+L-I)Rq;%*9~>)KLpe^Yp*LBS*!fb1H^NBEYzov%_c`DA
zEszjTly2hf?HiO=Yd9U2fL<(%T<}(R{g&+BzPFg#tUKBn8>$KkVUN6HC}y40f98Nt
zIr^RoY=^rBQ#g(~B}gjv(Vn*y*c||5_eBM!1GJv^mq-0#E6~8sc@}r&2)2-O{DeYB
z7C(V}x^M7l>lEkykL|-9zW7W~5>R&HGh^z_g?B~~5&$0@@fdyW+B#mg0kb=V0amgj
z;=-sRZM07qL2_*=3}VEMR~5IhfqUz(!7Lvl`#pikd&Wnt7-)+co4QVR3+%Ki#+I(n
z&s{fGn#XXz3bN-FQIs(7%T2z-hri(R2rAP14X3!j_F-oP7eI(xZEp!4tQN3UlW_IJ
zGyK`&S6Z-TEj+C~MJB?#KXOR>xKJ@%)9y0gRL+xQhLP@>0kpI=o1xY0P#mP9$ic|r
z@)}=Vik=t9*V|53eJina$fr?}dIiq&84>RkK1KDgj<{u87ZI>s^6(*0YYQ+3tJM&7
zF=`yF%b7OQi0G#T1UE~j<{z%l!?t@?r04KDq_-rszppMjvYwUVzLsCpd?85{Kv|uY
z8=>06k`Ec;X#EHE`3xBFfb!1!(N`li&xz>nhG)2beeFD%EJ;s$(sT7{qjv7Y9a~Qi
zZ;xvM2NGQ5PS<!?{3d`o7sp%PfX7<k2@jsgL@I-cNkk{d17Ir$1OTjnl2ux_drl&=
z&SGTG!^~@*hoF_K*`kK^s~(I<>Lt-sQ-cLuF0G|AxlT`)-wVGq>+Mot>eYkd6*PXn
z_IKoE&SSa#Wpqpiq@1|6F<vm8YiWAi)zF>6y}D<qn^YexP43jATtB+P&cy!RZ#*zJ
zL+4V&BkxDQ9-?g=uI#?gB>J1c6??#csVzFARz2d{ut$~AY5E#yonbJ<dD<&)nL_e+
zdd6v{bKg>dDzmTie$|oZxj$z*e<h|RCvJP8M8wkTKIwD2{p5zcF_nS<%Zi*z?b)3@
zopj}yPMsd+5|>c8mB4faFtDHHJ3iKa3F8GebK5L<Q$M=|mp1GBD`8eE=OPZmCw5xl
z-)Wa(zRQVTjFHA#BE9-_3SIh1m52S|@(nomtVFu%ef5ojbA@zzb6O?e&8wq!PV<%@
z@GV<EXI<6oUx5PdXSSoRg*ueGhxJ`n$6SaDM?Dg|>@E0x75+j>%28xx7?!#IW^Z#Z
z^ABIlf>iSSJXg6DM$X?8$-jVoKNhZ-2qrxw0odWiO;>HX4G-vz5^4<5c`%uKR|f6*
zL2ZI<eN_$ZXkaEH*7Gw)5sZU`!mpNQK0`!JtPBo6f8*3QH3kXhYs}|gRN*uaU73;3
z*VcuR-aj5GoOpO>|LWBB98h*$biN0WEq_yrA<*h+$O($)i%}fjCX74cvhiDVOJRbM
zxB@PvaBzxD%|zZV{Ov>BX(yE-E@yOeZZ&Y`7*T_``86x5-*)$r%-jgpXXjZP@*MEr
zFRych_5}q{rIb164a<DA=CuCaFza$F%4R0R<`8(ArF15Yoo2TXz+3P!A)nf5SsH%e
zH<mrERfYd&+u46X-T2S9blm^fZn*2qglb~lC1m^FTJESoZo^(&%V@9JdO72Lcc6@V
zn?aELe$)mhkXFFtf<)a~IW4x5=7M1-F`oPblv8J!&wDYR5@2`C)+_QF*|w&D@qqk3
z=%BG(x9K&jMN+R>#YP+8Y~H*PUB&6~Got}iE7{@VNR{A%Qad9G3h%ROH`dyO)k*Z`
z&2vlU^-Slv{DHfcg>ektR)4NueY;EFk0E5039}>EBR$)Qt2HC(2^voO{ulh{9N670
zP5b#dBiYL7KBukh{VATCr$4R#yEzmTm5ONvk+5V0ewb|YP?{RoRVh`Ru%I*Z?R0Ol
zG-<9p?b=zLdm^L5Lj<|j``6~(K(kx7JsjZxCm%k^QI!@C3{73gDMt31Wc6Ju8ZkR%
zdtV-0SvZ7THCEPW@%tYWKv>GKMc`%jZ;!K_*Zhof$cJnuZE5N;YctDs-{!LQHZRQE
z<hB7r_J<pf(Hm1vN;!L{XiKB`>d$X(J(iZ;_^~TSBr8-z2vet%1z=rHUip(C61ZA=
z0|bfS3_Cb)HF<MTgwb0{+5SR?v3yB*N6bjI^wKpLBp;ywb7AjuprfXyBWu{hDwpkb
zr<EI6d}m3dBXBWS;V)IC0S)SOj29`ADNn5NS0SBB!FTatM6ryujhx!f5wS=VI;rDZ
zew`Fa^w|vU3w**`_rv4#DjuKIxvi5n5?t0cBl62nEiL7IR3u5|(`E*)a@No1004dT
z0?2D*V?`1)vV!ryFu{+1M$*<(N`(sUs+SFbW4n9!+I0#3R$5Cm{Vu-HE~p%9dM^af
z;%i*r=;i<}!-$?g2e`}PiKVA&tH~;+Lsvh8iJF0Nwzv!Frb4r7m=0Sd2JZ^BK7#E4
zi(-~1h`%^&iOPdb?d~7RcXm80@cxYbsoCl|a7ul)?`Xuj8VnY`kJRrGzFj3cXpzoe
zVP#E*c}B91t($oMsX0HzKDc4GQBkSOn379PG}<dZ2vLNHG9PhF;m!}!=AQJf9mRuh
zT6TOU+&Bh}qz@_*BIm-s*)%!sH<{Ki%1cRYYaW%IWl~NBZXyUrtcE8<TQD%GmjzT5
zDyIoWmvD2<O(e>^StQJVfl&NNk4NlFj9wP?pBawW?sz3RIH}wZ>-4;Ptus9xUt==S
z@$RY$B*5|NZA^vxxg1>(t*X~VFuD1QUhW;}&axsyeUshxxrTEB%za@@eECD~T@;X>
zkOBec+?4|qKgHVcj{Zql@yEc<?fK3mI3z;M$5bPc?SVYNxU}-sP9d2#ZsQ5>>176-
zkw-&U=2NGBcD{ZxuuZX70kV0l6$r%N8@Ak6MH@XmxEGyH!gtMU<>)n(ud<g#?#Qdf
z^zLH9%dMqIu6ep~Y>tWix?Ch<nF{N%u&v(((3LGW@`wFvSC4*dVSJ+R3XanzY%*kI
zuIRl%^t5@G@^X?{5}`n{JO9<GRD7a|r#dkt;joMuW^4*=Mg$*PgywL<CU}Tb7;<eO
zeiYDe-kPD%pe0*TT(3>#ljNK-;kgNzm_?MFe6NQ{;KB)!3Q2s{V{NkZ<%q_ATH1am
z|6ouHXYV{#Uqk+gO3dVQ9(7>+$%A_rN@)ICb!|~*Z77@;bCzV=Oy$Tw?_tbzGN7@t
zMPHPy$W)(GF!NopxHBXDi`JX2?H_%Jwb7LJ@;@k%L)gaz^@rUnal>h#F)l29LgEN{
z!va6eZkt<4%fd{pEQyl0)v<4nx`f-dp{lX4tVZrGP4YDPs%?BZoY3-a@y}|u7t4S&
z`KQ1X#h81Izrdv=Ddm!q@AN=`?(tj#Wim5;C;US4?2>fL^U6B!oP~q^={Z7fU_mC%
zt@%ViBpre<!AxL)u&?}0(so^vcMZeO{h7|k0L)p<w9OgQDgn>5meUFhW*;w`AA!GW
zve3vOoNlG*NmoT`dFe2|>P!@em9>hL<EIi=4NB}h1K9oFr9MMZP3e|r3rj|kmy9--
zV*Y2nON7yLW}a8<O&%uga_;?)dY6EraG})4_;!K2snbdQf*JXelM2z|F?K@R%N~9U
zb(_LEmx{leY6x<kB)eUHI;+1KeX0~yhf~W7OmM+aO8I1eq~bLBnbd9E6r8es=Ez26
zB2gA&HZp7>!_|l?Hkqm=X;Nqqr<&#c6R~-vHXpv#AV@IOSgKO5y4x>f4Lr52RvPKO
ztLnCOU|HS<(gWT-@Y+oiPpmOdm#p@th9-|#9oQSP2y5N^gJSK&n?dDqC5f@ZU_Z#{
zA@0%3bEfGP21-#wG#;fu$o%lXIRz(EJ|?L$1}ojXdPjppg#+Pw9Iv>*+~;cKF<lfM
z%OoL3a)VxTo~(N@({8L@SySTB-vXL{)$rNBsWGfXOu6P%F^cQeP@0q%@ar)15=fa~
z=i13xN|Wyo6L&h63-*qYp)}$fJU>S%5M2i3qnV#dRBQdoDIyZ*T`DJX>Loc{%2mn5
zO?3<klOLl(PYY^7Z(ja<^|1dM?yAVPyFW4)B&WN)sAw{z=HK^Cq)6q@3|r~Yg?j}{
zNlB|7-2Bi)26U91xE+oD7dx%l6nwfXE3u50cfS5xwoH!I$pAdENquNH^u4Nk=dkb|
zH_3p)<@UX0W7dXutx5`<=Yn5%o7py!x|KDE(KkemWc`<TB=<^v5SW*a0?7+rND@*P
zcHTza(CwBx!dz`ifYW8g^|cX^X(hkG=a(3#ala>c?S{`r>8lrLPlaDQ>Y7%Omiml1
z%BS$)4INRuei2}VaHW#xDpzk_dPVzctFY#-RX3Hfj$ZF;lAUCZ=SGe(<<sQ$Rz|Zl
z%-8X)`DxpdgXnnz1Q&?xW|cUj)(}#Mpt<nI$7kPZuK%_=j7L0QRO~%Hoz$R4(;Sos
zgk!jABn^MJhk56`scn7}kq;F1`|yp;m!G-LvhCr3P$%qt`J8FLnM&t|yY%Fz=j(o`
zi(k4=)aUe`+m0VwOKDd(G-SkXR?+F@AWc_5r$RMATqGqe)1{nfi0Z?a`nJTs$eKfm
z5V7oU{iS=3ykE}X^gF2P8jZ@fI*ru8)4n9>d$JiXJWoC1vOT6P<|SK9pw*ZFHw4&{
z1lu`S<KNu2rD$4{Sg;LxANfi#LcnyLp>;=D=~kV$AjigX%ph!@Xzi>%$ClhSL^3L-
zahbAlcXvD}-2R=GLwP!CH@i#Wy&Ub!j|$A!KK?d}ao1NPC4S4!=Z+~q&a?f2uH&8R
zTULPt4&fu+-Lvsmg&*#!p|OxVTGP?|J%h)C!nws<G`v*T{S*oH-1Ye4A5h;F!F&{N
zHj&2C0OM5~?yYsgeD50Lg_-+e@cl%D$8!&dv3v+w|FCIClo9+RK@^5iAnq?*x|KPS
zaJuUtmm_jp%3NRV?!B!+7qXqkAKwGILtlfAc)k)PI4Z9j3@GAFoNL07;VL4q>NGts
zPT7<^3a3{dvdtfZLjIKH`35^R7<Q#}p5d$kj>;{GH|A4xjkvs>LEE_t(7sDVT7J^I
zT_R}}qvRV3?1zQ)o^Q}HnJx{RW+qLjVhNoenZBU7ZfVc!TH~(%>#k;p^s)ppf9pZt
z;7ras`(@R+UtE9nk4j|fB%?=K<3uOVr@9{Y!CpvJtNwAVo<ML{d-j1W9#7JF`ThNz
z1!K*0I^#r2Rf63!%TeR#=rSZjB)E?LXp?mL_tV@d8?6We8{2(vQk+)Ynn&f9s!q#V
zc31Ywh^3DpyBSp*`-o3U*-L{dZ%oEikU^iV&Q2n6MUzlvh6pG_f+nKfpr2o_`@Kxr
zXx)`2l#(~~mWjIm2vb4{f2S;qbAa9UfY4ZSn=v#%UweW`klQVonv`P|aU?SCfalty
zl&|oMsQx^aO+*fJ-=rGpeCkv24%yVAY&7TJt21X4XW_<$&q?rJNT$3{qzhWm?dK{P
zw_84JCsC*NK{6|hUYFk&eU$xb!5`+Nw_wFa{nF6KyG*1@$wj|;J{J7y`f_6)K+kv-
znj%u+u9sC9=96^3!?$;9o8HyY%a&)F-OuOTp}vLs`|0~V&u1Ih>$p$|VrxmzvuqL-
zP5L%V_lO@cxn)<>y5*X<hXpJ?_74mTS)tgjF>zae;pxj&HR~n-94YN(ljpNZJa@Vp
z$I5WD@3V>DD>C6mEMi*r(ZnZ{8jYFBIdS+oH4M-g-)fE<b3UHyO)sVH6!ObRYoSSa
zU&_0+V`Fnv0td@GsP@;;@|@9=U}C;erT8!{cHwkP<&1N?*oRcN@Ho{VKaAX*H7D2U
z7$i$Yf5|k2kI?nl`+Ws5$}~!tSK*#db?R@*Z?lMgvkjS=<)D!YKcWIvD_#5AufoY$
zh`a6VFX?!X@XYk>Im`zL9uI<g8}B{O3*x6{)IV6BOc8Ix1KH{Spq}FAw#K>F&&n?z
znv#3CCBH;sM$pJ@MCPGx`6855U$W5ma&N5w5UhF)0^*McR*9)2ee)=b@^5H<dXL5i
zV{0e~AObbo*sQ+o3d|=GUyPFLevgal)O<2LC?--Wex>b;y?s5@tr=UE8V-ou+ps1X
z52of7#TamVH5L*z5VDXRjxVW}`B_~e{C7cvr{*;qu1|^#j_s?FkXL7oSpcz-9)|{_
za(6-`+5Cs*L^SN_N=(NS_Jj5&-dMBBCPEjr+_CwkC#&q3t)`3mxV}JC)kH6>n$u|-
z$Wx@<TD`&wgJ5DJf{YRsjLdjcAQ4;f8?tVKgO+Tow&f8;j<ly*eQx&#+_^!IS>^=s
z7#pAA0ac}X=}}jnIK@Y;Igq9F+;URS37&7g(+tdwtm?0YqQ~VGlHpp$r&jts(rdOO
zS8tHxi_=?eU2k{1>PI?IvYzy=@`Dr0jih8r3XzUyGnwC+u|vfx!h{FaEr^qsikX4Z
zj&B}Qzn%31d!I_}jd7g6g||@f&g|xJd?202zDvs1W(I0_Jjc{n2w-p+yGh)A4sMqY
z><$hwE2j>wdYy<sp(C;_B^?$cRVc>U=;D3dIy`*RSk80JmuTSa(0L}mRm>DIcPm!(
z0~MTvr(3vRwR%wsK{x!e1i_+Xvucmk5K$fY^8tN8lJ;JF>Abg_0-Wv4I3SmviAQ3H
zpI+)ca{O)q@}Ua~we1MI*>aZfT+}bF&jqe!SEKtiqAVr*UO!s!^)uB96FSxT42Tae
zS&=dU1}X!fX<9;q5pOGdzowEXMFds4-w5K#5OhFK7|3M0>NQ(-KN3`LX}kaxIi1#J
zb0zX&)izI=oG|cMSX6va9-z6KLHNCv@=&yXUPkw^!muX2d{o@(vvPYjHdW5d_Cjf~
zUk4lkVsR9^N=?lky|mr!3gVPhNXs7I_t;@U(4u*ouYg*#)yqodU<+m;gS(8u$-5|J
z)3Cr0fjQ!do{>Gp$5=X3^IR3ikFwhlaBJZtoS?1BzQOzm*~DCE?f@sfdUaV`2>>4Z
z_TL47ZmUYOH;PBN8G)i3^XWtjYr{Bc7L&>r38O2ZU3hMb$aW3Si5rEVW+2c#>J5_i
z*8N$$TU4q)PHp08s?9iIe%y0p{yV<TCR<%O*;y_20O*038%At0iVNx=RN*-u^XFmi
z>+zmF*zb##2`)A)S3R&RwM^ZsH8+9{t*vS8o!e8#r-=9!2qSf7lK@EBE&_wEkvkLd
zfVg3XA~dp@W4)|*Y?7yOYR$Xg<^>69N>0lRV$GUGyU0m0TN}t>(x?^(bvFPnRVf~a
z2~wx5Q;vk6uAORyBmc8d9&2=@|DD-t9_dDFk1@}6&zDt7)K=Z=(4t!~Ao*UjCZ$a6
zhVM;CjwDI6rmF*$jo?MGuCwV6o}g%76f-I;1%g$HGq_M8(2}v%Ep-{!Ha)e*y8LSA
zOt<Z0;dDaz|LWf8_zgFN1di?-v{kQ8k=MtB+TO3DyK|y0P&)zvx{Px`t)f=PV&HNP
zpoY`5qeEzg6W5Ir2@`C2y`3Js;OSf)Hb~txvAE{xt9)jE4(3R~29xkiT!cdOPcuj;
zd53Jjvnaa`;#8#ie1C$$eNDn4P^2JPz#N5WeG`^KL_d$^Yrfq;zW{h45eR)A`>{VB
z?Lg$U({7|NEM1gix`jCQD7W!VUP*jkeC=~t3}9Y@TgD#s+PSVlWzO+Y@9XX@a4~e`
zViFyTq(wJeA}|`(<Kkfv@||?qpG6t@G89@KUYP*Z?AL`7N?ceLJ2e6?ag75#8Tz}F
zHur%SZ~%6bsf+@J!%YjEOn9I952{?Tin3hiQa_E4bIGw#uceR^d5+sUP;$MNQcK^)
zy^pINYtrr2&2`D<IvD<mY<y($aFh7imy}3*l#Uo<Ug_r7%1n?;@ARNGP%uz{Fs1p9
zz9U2`vCsY9OHt?^S<AiLNv6NMG=s9NfuDonLbpkc1_1Ot_Eh}&t$q^0^J~|FQ`KOh
ztD>WNQ+Z<zcGljKEj;zzVHPviDDLxQxB6sFj%@44{xHuBSK&m_Y{!+vV!|EK0q0e5
z^c_ws1W8hn6*!SfbjXo)p0?+LePbrTRZ4xxz&nzAWau96^>K4+MQWI{Jn^mt6SHo7
z8Lx<znsL_l4fljb>p%(S5x!}Trdsn$w(t^TIy=&*B};&I{B!^c5Ndo;%StE8(fj)T
zP&stbPa&)vVa+#1@Qu>$N)iLWE|;mJG94zHcaPis#Nt)C;CIvijVA<S;dHC5<Z7vl
zx#}QH(9T7SzmIL|+Q5)=hI4(G#Ml&9$>T!rcD}PXn0jF}lk+b&nZ5AS7Ms<yeIgs@
zTp>wU-V&~<09S}^vvA?Bsd{II=$dZ3GcV2Vs-H(?g~DTHMcfa>&-L3#y!LaoCOaJ^
zESi;+*_<X8YpCSpuyFesrW)h<=098`W8}*-0~>2xPg>Wl@katx0%BZkr6+Y7fSA((
z?ZHa8V>{GBQ#&}wXKvrF5^>+@%hTL&G%K8}rizB#D@X;_6U0H#1Q_O9CE*!sg_GO>
zp`MAO(X#+7-t_5#Q}4`bT!<mY9f`p*bT^uHdVI9-;_R7HO&YDL1C9+HwPT_RtIj0{
z?(66g_TyoYEr;vv@|f$Z7+s&>>6|HC8`<@Y^M1i5X5O~=ZbA_1qs+;@zB}Le5V-%O
zL`!+4xMzp<YOQ&qVkkt%eyv@NdWhYwOh;S6Cj*@Lx*RSWx9vacr)*vlr`8hXxbnpi
zIulOUcUz)3Y5;mKMGa9#`LNy~VgS2QHaqB)WhJ`Q4UIb0wn)lK_Xz03BcrHTMm^!~
z1Q&Dw>oV{Us?|g2?E!tVI4d|IrqK_i^Eb-i-SHn(76W@XgIJt#Qeba4S>o+w>4+Fx
z<GWEF8OdBgHCfP)L5G3QIu=f7t099eHVKwgop`#lW5=?#D|CyA=NTZBkb&v?+VzU$
zo%TRKUxA&)@$1z)-l*N*9450s*hNbe;nbgC!uGE?bDQ&HZLwqo`NG_ey0>c~Y`uzZ
z=vX^+#wM2pAvd}OSDWe3(3=BjqP5%7w#$CQZ%S8oA4F+~N^8~Xd7QhfPp`yUL|Nf~
zg1={d$7-8(_+%Cs{~;C+#ydiFgG*s(n=T~7r#QJw2-BJ8txc{4B~<w5>+f4@oj_hx
z)|u4j-8<TBO|F$M(FZdfq5N9ZcA~24Di{|)*A%O30^rLQzvZEI<&uVty2r}J+8z(M
z4CVUF4I}pAzLg7kCi~BwwGD}Z`3dGI3OMW1rVI1jQ&8wCd&<1Lw~05`0!RD6R~0AR
zKEy-OZ(a_|AZE-wqXHDWwfob4MAuiXfY)4*QMV!F6#Jn!i0|<>H?2ds3Nnzm)|J2q
zcpDS#`GN2NsRoHUPd*`38e>1ONFTHdKV&TG>sR)Qc)iDt`}J$9B%L$fx;_m!-I`rd
zyE1CVlVeKkiBxZuZ!wjoSCRHM^5f`#f_Sl=omEX?zzDJTi8AUSdCfgEh>(W4R>*ah
zs{6fZ?^}-U#{ws7TbzmJHuanV3K!ADXrphudrJy=Sz3f0am5jR8Z==zE`37aNw;n>
z<VP~rOZ^BV^I@koO9IWC^Ozhsn}IW!oqAGnf2w*siV{|~GMBuFIGmU;>W1@q|8BLk
zMs37vX-^sn*y*EhX;@TTW%x0Izs|Q^q*?$g%ogWJlvt^>G!2gH5j(z2IJgnEkv>dR
zJ5;U`G#t>$&^Cw}4BE;tvjjCl!@ZsTLh@}pwpg(<)mlhIZOr0IUW-;Zu=mtB^KIMO
zOECV1=Ple^onKI>Nw_TpVxe2uc{x!{ekD<_fb+CJ{t5=SX?SWE5JvPZ*N3w)6%nXq
z0MVoTzIvhjUahFruW>n!G+Z)k^yE(Uh>@5UK8O&;duR3c4bC{}pT04W3F2%vAVYeB
zAIGxFa+uDPr5JK}+^9(KJ1fv3!aO+ATlcCPNS$jMs>#usKRtRAt+3>F6r#%mzC$Tk
z?K^~ggO>))L(|n2FsFL7g_U8)|H&+KucomKU+M}j6D_a$eWJInzLv~gQxk7MW}6pB
z_Br4*Y}RG_8s16X^^}_IvDAwHAJmoqbGb*5?`#D3mVZFGF|@w0StDz<jjRp+XRAcc
zApuY+|8aPMPGh!tMBrYk&viazS#a<51@pIM7*OO%!o7{JSi1vfJx%jO%f67K^>A2j
zwW;jErN&9kBN8%%=uox{Owjl`H&`Y~9W%b7H+9oO*)Zy`6-?r+!culOENEnQrb!sP
zuV^D;N5PbAw)|;vCrebVi_r{%y-wW1%P9j>U#*}W&U)a`oW(h=+jXH0e={vyeo2W}
z;5(YuKeqOn9i>9b^|g&HA|Riujn>=MK$RgfVRFKCadzZ<OqPmNOqPvR>U7kTbnuOJ
za9m&7<nEd=PMew=I5}0HDt{92tk6Qhl9%{R)=p9RL%aB}Y53m_p8kvR)c-z<QunxY
zNvxh9FVl&!!z|7Nkc>&{4iQ9@&0p9$AyLg~d^h8T&(EPC7gGMQCNGhc6`7{a7gg!D
z{a@f~E=O(M^q6>=<ZiIL^MXB^c?c(B|3M84QhqceuGAK>q{}UGL&pAUdWx;4AL69_
zgSupt6MKFBIElH__x}!?<Hz7qH2aJ>roLU(qB!6>6(5J_gtLeXNMes*7>zm>_aG=9
zviOFn#F1XA2QK}pO4_w2Z?SA^Tu`E7ux_ff&NXOc7s6DiWbN~f30_SeVD#~69XO5E
zH1^jJzcK1yGg%jjbN?WG9Mca|WT*t$N~pvuX|-K2;XW}WZN`SUI#+E2lQ=fYUbRGv
ziMhg<xgnXJi#T0JT7ft<PIwNbyGyFOL5g<G+NXJ4pAIY%*THETYB`)KDm;I~1<v3C
zBV>AcGvEW212(hQhh<Yi9GCJUUm5FzaiBXc{h@>k`uz*GHy%TT3h$wUP5wiqxpF4*
z5tR`1xcv{f|3*b@v{NahsLS4fzW@G*cO?YS<*ELG2#fesvgkA~_f_AVV2RfbKfG6L
zCN-Md-&zS00P#xM0>tLPG;gU`>J1dxl;O|(^<CqJDnuNK)@`%StqvI^zb8-F?1%A&
zN*q19`9hxf1cM&j2;-^yO(4oc3)lKU&oQ&wvCmRataYQjey2+OCvoyD1A(VZmpTxr
zS1*;ALa(_jkyM<>yre;Buv$o>5(}R9SnE#b8v<c?Bmlu)`CkVToRBJ47xZyQqfx#*
ziZ-9C$0Dp*I84&3W8mMSh+d~+AA#*q*%I-^;-1G=6w+-3{17v$dKmnKc%1z=b7k^z
z%h)QU=4E2k7fPBxhY$o)^JQkb=@g2-8%|=%kteVBnF!IJLw!0fn`;hi!5+uksMXX(
zNHw0h%#Rr%aiBHNpoB`W2iVPhNy;qkdyIhTw%T(hcB`|(?mP-C3-Y`0rRd^mJkbhx
zMxU8iSfWj(_Enlg6ZGLH#TMVO<(&U%+r^MYqv}abItqeb&1|RYY<R6keOp|JkolAr
z0Tl&N0mdZiNU7F*DxP?={U)ywM!G)!J>)YAe3)`srsF|@!AUt^UUb`*8||9>;kK{E
zcEDJ`?fNHxH~;|nh6B)K1b$y(1cm^AdVSJ_`gjP&0E>b2h`=I%>>pUQ6)3SkP*5K+
zE`Jg0|Fg8$|AV7$;dlEKnUelNfjSIdVbMiw%Fos$R4NCl4Z175RMSaN8*=Y!DDXSP
zRiR}+qi<}&Wx8ezXs(^TdyKdi`#E0qT_*@xcI#|hpG~*IclRp?z@#ab;kI*UynolP
z6h@gEy_-Da6_nxH7%N-RV_ebQ>!;OLO;j!7vHwd6GVXY#tXX8S&0JyfLJ}KGcS>m?
z<XmntG9GhkB;HLEZeLfv+x`ff<ypV2kM{DUh%~1v^DT{>Y~#!c>}5Eaf+zjsR*7#B
zDq_nZMvVcQoP<2@ZI%M+RZd<+<DSP>a<w65(8dHlmIUn>M9u6{1d?8p`^52drCw+^
z$VXDmi-)hlHv$paB1pBI%=?{H`VtI^GXqMrl!SSwv|-tV%&G~D*Z{BGvMGP6kdSzq
zu8`zvW$IhxvbFsYB)2Dw72miXty<gIoYe~t#~_hDmG=(4W{O&{!G(y1@I{Pv`XQe`
zG(9r|mENBgWoeKdk|Pbw$y|7488cPIMi=0>K$j&37JBu!<=j{EDrh%Axks=zR`*sb
zP=7l^ZHmtjBP!LIAbtD}S*ecGC!P)dB&w0*m~PbRD~sOAx0L2#U~gnnYbTjS$Cjhl
z8Qerk40kR;5J;EEsAbw6UAo7dO6SkCnInfF+7dW#yzqo?G>AXi@IpN8oRCgcr$bdL
zW#E0*!P1>T6Ili-mMB-M4V92D0xo<MbfdC){`kw6BCd<YFxjND{TD_d6X2klWsE)U
zs7@n@q&{Vg@eHB++Kuy8x}$#EPIxvp;b%u%=r3Ccjn?s(7DuIU(7F5;w{OwBMEUgs
zooYS*mvRs8wD}(Y@q1H+D?|PG`UZXG=5T|fEDz1c&J7m62T$$RjE9M{v=@EW+AX~g
zUnXMcQS375!lM?>OJWImD9#tEErY!`rT0>_=dL%rm+cML7q+{-53<-oZ{#KFd*59!
z=pWP(nfo1C?c3<lKdAn<(XD6WzsAPfBL6>ixR4ej-djeSJIJ1d-Y~4goI<SHs?#pD
zuY%$(vnTb^lCQ4*dXSHn_-9ZK5hzNbZtln1=b$gs*!D52`ij-eU#q+{S({V^mJ56@
zP}}_cIRbumd)QH`xJ~8~bt};xcjOEdW1r=vI#z1gc;^m2N2!qt&wU9Dv1=`Y^1B!@
z<LK&tv>x)G#P0Oo;9YF4N2zPH!CT`j-_?dZ_4d02^)!#`FPE}iCkk`myr%Zpk^SM5
zlo?%nAsh_-N$BIV@s6^QNuU(q^svV(S|B*L&D+%Knwm0RH>HjpYb*PMLD00!IyYdm
z(ZMuTI#HLD#;%4Soa-bB@x2wz;4W{~4w^fgWN~S%R<0>VSrHhPaAr)oAz^f7=r(r9
z^7I!cCw)DY)&;TioT>Wiuua=On<p>%i$lW}xSjzNI9e_r{(YsG6d94e%RD$S%ZoMr
zw*b6$ow^?iQG?fv&0ou;4ciEfBWZg@lZl5jy^`m7G<l3a$BN$idQ_54#Z1z60?eG3
z1Ta^$9hP7q%BI=Cu!_86ST%B!j1G4U14_BVuHVo+EW+$}QEbeoY!_+v^+AdhWL=Ia
zg@d{1DUh2TO;5FK!XjBFD^skU17T&;8j}N!O!obfCG?P`<6QP2i~cyRfWONF$uD2>
zN_bHY1xkc~*jML+ff=lQ)<^xA1AZ##F*l6;K)ni(m2<LGnyo!Jw~+Yzp3gPoHIezq
zbvDF)v~{}j`g1cjU`luKjHtDmOjp;&e|2e9sVDwyv;dhcIpBDp$PGh)Vd*YXB>!#O
zUs)*V>;@O)C0phT`r+-z_esOMCS*X?9I0KFaj(XAI-|!VjQ}!<?E?xlTd=}6ifk@L
zpus_TXk>gWs&_Qq6y(wus_<Okl&xh-%oC(QzGOUMCeZq}+<xw`+MCl-B^iT-tSg&0
zZ<)lMl6%KP<~b)2FH|tG0{oLeWA$)iw*x6&ckb0)NodoB=pbn2&aaci0AfW~b87(^
z!L^??60$f<)8^W8Q;e|=BitPYuv>1-e#&UV{mNsaDRT`YWXV(v8ICqLI@jm_@nQRx
zNmAj;DvL1Wju3(18JdiI><LD_W;~j$3dC9+XoNh$;XxmWvAqjC8FoD$?X>VarnkVU
z@CyInaYP_Ns8;PuoX$tKj{H)4@PS2V)S-*@u82ZZs|=vy`)M-VSB_rwWnyn~Qs7SU
zqB!^Zbkn;U6125iz?yf>j7yq0st#bSlyD8KED9tsi?N0)mb;~?@G$zR;z&5#$lN-F
z=$%!`i=~gYC%v@lLsptMu(tIi1@M?4^>=J5k<jYP54V>gJ?vc9u3KhkC`l%%*1)aB
znHFudT*I%Jl-3PH0t^0%jkrChwA2&RAC70zN*|?(_BazUg7n7OsYo|a<ojkaf#%ar
znL?!4zb|5<*W7S_YxyyIHzfK@aswFV4m7LKbIfa<x2I9#&BY<I>*vx5R>7Ved`m&P
zFuPV7@4$1FrToQWqA&58S*ue!ml;hQ)Rq|Wq)Ikzeb{1Ge$KH|6tMwMGIi5ty_I5F
zz7j0b8sL@96GiKfYNR+4rs(eVOcl5P7c<-n3CMlAKu*ZHh_*u7G}={lU9&0WPis#t
zO>ndo7Iwoqa?>_dzSX-DbKOc5DOjp%g=NFd*aW-{s9V?&#x$c&ph!S4cWY|z0kzGW
zl9%lYh@t(R{=8isc|CEocoJ@az}pCGpUzXPx+I9@4Xs_Dj}X7q!x*^<_j(bQ#W**t
z5%I^UW+OXYJnrS|i?tgb-LfqF|5wK{$Qt2>R6D(pDdp_f3#}Do?MRiOkYeviRB(fT
zc=-I8C8e|F@Ci5Y<_NZ8e1C{%=XVyUw0v{B5fPBAsni$7?2wKpm@HPwa!<DxsYEs>
z+Pzx7bFB0GgDcLOwBGSHf(FqE>YarL98Zol?~Zi#bD!-u6><_l7IiI=t0=1fK}F*X
z_rKFL&^})?j_eGRKBX9T2Fvc{eY%o5iD3ZyVJi3bo_5@4j5A7O->;(tRXv(><9c;a
zhRDQx3C6FUVpTUY$IPN$cI7y0?b4`U7_lLQ5)HX56b6A3F9@|)eJupFR1)5;Qk0V3
z=B+cFYeZ+^#BN^A&|n15NGWaFmpSX)qn|J*q6m&)CHLLzYQ{|NFijgcI6yXI**kG6
zxiF2w#dlNT7s=Gysujt1p(tjnkw`ZVg}A#uaoq{>x5Cc9D1HUgdYn6$@B8x4kl_Z_
zMy%F5y7G<!YbT8@?v*e{W4hdM4b+nmWLOoc-1NEM;k^i)D-12l3=5|#1c&v7#OlXY
z9bv6{r&jpJS>s}|7xGq4Q&y0w5+#>%&DoOfNuhNbyZS_@wKZkwPXD&K6Z7z4)`{#v
z9OCgy<0(?baWT1{kM5rE+4P}9R`_~EkF+ZEw;mnFMyoW>H{J~3_Zrl>IPZtsJ3X2v
zF(uzyliQKW%YOubS;vktb#~Szs&-xv0KRW3;>=!xi}_a3dDML#q>*#l3PAdY1fHGv
z-;P?2*hr)wq@sLE)exTLK#ElSp(Kg!VEO>G90WtoDtfOYp4<2u_RYZRN>8E;SjwCY
z*~K30REG{h4s!dP5CUC;tPs51@5Lk`W%2bp4@|NnLE2rgjc&vVdbxim6Fd^xCa8Vh
z3dh{EybN0Vf8I>EXv9pjN@dNLco-wNW&D1=cjI~N`>qb?%DGq9mAzu1Xa18T*dj7z
z`K%(IXncAmypUhf0SU6YpI86bwq;Q{(3qGiXRj@90$?+nFFZ2@?84qx60Whh^BNoS
z^6O8XV=?Iq;>mv+NOMmnVAsFPJs5SWcH3_YtX5Y2NJ|^ft=a+gw7;_Oq}RqHPw0_5
zn>0^x@zi{96ft&1sI|xoarqD&cCJDXy-1BETMAC{6WY1l9e7$6Y3FbyUTh?JP-6Yc
zzsUaXfrD90P{}WTAeUrHn)$V#Fd!g>W+P^o$zQ3C;x!8eAGAB(AlCEIPB&}S(H*K|
zFx4W^LejT(^40@MBD}eElK}r%Ft1AE5-2hG`V*_7-30jm?VZu(zJ7YRRrPSpske7o
z?wbe>+avVjEOe^jTE7k?^o_N1ToRT^5XiYHdqP#@(PA^FrNB46gA;2$;~Dd1Y>T?~
zTpF))oe3_>0<e)8pB12klM|hJjA-Ur@-BZBv{(Vv&+pZ;J8GS66LnH3EJl6AjWcb3
zkkq6|po&|7Wn)4!l`aDv7l<5KO)^M7rWAOiqa-S?1GTdb=nT~<aeC>5<4QzkwOFM}
z$f(~FR_9i^w`iyD*l((LKXvz?kWc<Tl`)&~09h&)R9htfa^X<_^LdHONGmJNJhMPJ
zG>Zb`=xu#K?q(dh)A}FO+<f2%Wbp#xl^g3m)coLq%<A)=Yl0+QbGBSPd{)9Xu`>M2
zl?7VyEn||>a#o@)X9&?33YUR0!e?j6$1GKrVc<11FLIpEl{hL~KrC*ze~`CVJHsJQ
zOd!7F1MV_Az_=Xe>&7tVGU@34cM*E%DehTW&R#XT99LwZ9}-U?{$6^@Nqn)l!Lo%S
zV!rH*LnV1%aa?56Icjm~^xLB!FiYLBW-qRZR^G{!<f(!hG1wAy^S!Zlu6~UW&fSVz
z;`8QyXPCPYPo+5?@JGx})0j*l^n1^2)@$HJYfPbXX>jH1I7@sgLfMXYjuhb%&VpPZ
zW<<btkq0fxk`CesB?nD<whH5ZV%GRl)2pz2X<H>RRbk!NiB{n^LVyEAzqGL7!Z5p<
zXRR_5i*>0JQua8St}K&^{|}0ANvCos#~edBnsS7D)TwLS2FHU}VQs$@zx5!cwQbTW
z(5$1g`E9tdA{Up5rysOVRm)yXpPpDkJ9JF=Sb{8KLZ)m!il;gfWDSbn=M>}3Zn=1@
zU>O?KGIB2{yxtgg1a`B|2owo-TD32&9<-%w2dU=F3+w)x-E8B1wWjo*TKb$^kgWLg
z^{M}8&o@Ml^?Yw8$P*(oH)?_zWbyiB<VU>-TO&wPP-bH{>sC&I11N1S73V*wCJg*z
zK}EE<hpe)azn>x%l1!dG?;wjA<yyxJHZS}KRT;b}{z1h080ZCiy?)T*t=|jZZ=dTI
z-?9rUp2=4JLEQ#}pPh?d#6EsHkuPE$kl>wQv|c|t{+iqHRN5Lv`&EY(B4t?69TMdB
zn+bXVB6|#V&uUF7^=FLh8ozoqa`Jyr@!acFM~>X<WU^vMEvWi{&*@*)o*4(mS5pwd
zy|aaX@&~zy8@DgpdBPAx2dO6M9;Xa)q@IG235Q`^hby{%@UV6_a}wOpku`CL9D3bQ
z>e*MLaH+l?Vz*K4AlMooaG!$9#qMQDkXkc8a+-6#pqcvf=7|^E!_n0>O|2p;*u;DS
z<2gy7_hs`1jY7a1OUn)k&AO<o9^txMnE0JaQd0yjLeStRIR4GQ`qT|1=}6@)y)nEV
zx!(F=z%2dRtd*%q0h}9=aO0S}nULX5(QwC~E#H!2P7CyBpRlNF&%>$pl0AWu_U-{)
z5{XTxxWR!=sUs&c9joZ2SFcv78hXI0OItbd2Naj?Z1`MTOdSUtt=~%2&*;K`Rv4$T
zMD>N$N9$Iy{V6PG`X)r$)<hoWZTxy!rf~ol*yma|2PE6Rr5*Op?k3%>E#vGitRweK
zB-7PrMEN67YEs4^xFJiEfq2C8*isDp3izDeceN5{hKlfgkh!54$@1tQAs)w?CbxaA
zomEjm^a6pZ7P8B;-@Ysnt`qIc+^H&o`c$J}4v|+n^`-MqGz5k^Fqg2|a;c0<p@uy%
zv~|)6215IhriyaMO8YhS9=pxkiLn5X&f~Jfj^+#PCgEf6&-)%u($tP67JM!9LYRvW
zhHQhI%#Nx5@@>0x4cq0(o7g^$GMjt-KPa1nUu*QQib2ChE!0OD1g2la_T16ehN4OD
zcqI#tCG7`QiuaZJD%ORrK%#C2`W9j~82otL1PJNTA6MP4uIVME#`dTAS_eOeG&aIb
z>P!t<CrgU4kUN_G#5^m|!chJd4I>tiw6@{RY5J+L!RK>bEQe-pS$QJmPoa^`K6R>x
zIn_-|;kAF@y|d<x+?wGt^n1LS$;OJx$2@}nbqO5(y6sKkaCM`R3TVI7#%v`u&i>KF
zTbTG-%}4ljr@}C%p4IVIh_T{rJ8z`i__s6myvNfikt1%OD%JF`xP4PIXuJ4w;$_gc
z5Zw0pGEKWLbX^h$17cln#K#Dh%qeb+lm;zapb)aD4@m;kGSZ@Cv0FmH)W}~g{krXj
z-lDeT`S=Mi;q$$QT<IeT_Z(I~Y!PC6VxzCYY}bW*@4?{5|9Jhjee@dK_ZnRI-naMm
z4{Gm&eE4%g)Lrjz(o#)3W4Y->w3Uhw{F`lgQ{o3dJAE;I%7bN-LfRLTWgUn?vH16o
zdS=@yJF{lrN+&SFJK{MbHp4sOniu?XofjPU@$FatpiVv-><{zB2_5MoR6>vJI;c|G
z<dmwJA1;ZMRqEx6U+8^S*EmjFN+0wx618*&dKs@^OAH)aRoY<lM2JS$y;#TP7TK!M
zBLm}42+BtX<&+HaO>9x@q;RuONbG~+Q}GX~`@I?xY-N4&9(gbJx_$eedmIEl58inP
zUj`aK8V??WZBMKC-zfdLywV}k>}IfbZ9HYaY?!)M4X?V9czuqaMlkHYHI`l&WKyq9
z68=Pfc1`gbh!xH)yj_cA0e)8~rhmgRwKyM#wcfS?|5e$^PSCk}Fd*#zQD~Zckos!H
zs!Z|P7lC3H%D+2jed)iqfA(t>`JNV4t^L)vwsGyXt$30iY!4O}=D9bh>^#~h^)alQ
z-!xEMZ6x~rm?_d#$khCDZwZ?dfqXn6@s-x$=_TnKH|}Pae!Xx<+2Nke<KnW%QK0Y^
z*uVbnrTD}l{fslRwTTgA+>$g0T#L{puVs(not{2Y2%925iN}eHd^-8LelcGR0_o|$
zChQx`UI9LF2uHM@<?)`KKbv&{Bu`v$pY&*z4LykQRu&kt;{)AY_}o|zYN=%$?Doz}
z%Q_0p&}L3eiyE~;5JHEwTCa>d-;`s<%JS+QYN%}vlGwEQa8A{uMGeOzzQ$#~q1?u6
zn<(=vEBjUo@Q{Lx8?~`uE<ZVTfmzZ!_=Kv3N}A{pY1%m=C2dW4p9BWjLZP%sa_Kg{
zk?$qcx$KgXaR2Ri$C;^l=MxEt(67h)t0J@)(2>xSTtU-CHvA-txLV|IzN~Yd<LyS!
zkuP+|TkFqvP3)BGn##e!{%u^9{U22F_~}Bz1o#B3qI#*i%v*5?&I)8I(eAgF+OdXI
z*@5>~ufJGJ7jY@uNqd(x*W22mTv;6l4s*DODZWsnoMz0#InBTu{4zxRJ?ty1pJg7N
zN?o6;Jk06Ha4bTUrztR23kR$hBp~H@>sqQi$7S+NK4bYx{3X`cu8r5<(v|+#7y3`{
z<BfVh(Emo!HlUFvo4H;E_U|o*#SACfTRIZ_58~b;D6%dJvqg#m3U_yRhr*?BcSzjb
z-QC^Y-QC^YA#o|(Dcs@je1jKn^dh=@&>fM(9Olh)&)(m+){)tNVDc<suEG*5S(H8<
z&dt)4PPGqrpKiXK(iY(a<5QJ!$T43kXy5x<dHnN<ckE^gly}Or2NH?)R1Dj_v|nfc
z_#SrjYX3iV!~fr=3beX$`Cs@}4fppP)0;@ae_*Tsfe{P7VF156zE1Ur=#K3(K9Ple
z+A)5oUhGsKftOEUi?Q<9mb{Uygur7=2SpjJvzj<UGU>o9+OwFY{=hZ<ocwky()o;t
zE1uVX%nKg(MgXTJvn(8IUH3T$#_qjX<8F4HCsP+bMu%kEL1Gr(Y^X@7^+zE*6i6d+
zSp+8+*YnqQ8)jiX9O?5QULd&WE2b1vkmCaLntwXOPf^G0s|E5*T23K9*zGMKdjGUX
z&k5#Tptjc;__uL>5HnDfG!WOKpEpC{Q&~y*^PHk9dZ|*OqRiQ2OT~s*rKAzFxO#J}
zOr`c0Mg30R>b%IG&dAXC*M^aOiA!w6K~Z>iY*fG9>U(4!p&c9sPZ9+Clml*343ggo
zrcdpdAn8w1sc1000jJ7s59X#xHRo0c{z6^64a4>%XxckeVz@eH)nLZi(=0Purk>t7
z(v;MnA82MLf$FCTWeZcM8vYB9HQ~ypio9MrT|<R?&b@kZr949{&U&3I-Ym*nWy&UI
zQ)1qH*L1<&`!RZt;DT*sOPjVe%J+$*C{fQ*NzAxPd%B@~6QLTZwml3^du<Px5n-|k
zSPvN?TS-R@Kxs4>G;xlee~(rEx$!0NB>GYI8|i&s0(4Yrv_-zVLsNf9P=1*EI&At9
zZBpf5{d-ByfbAb+YJ6=8byn8h>RR$caRekOrR`5)+{27F%Qrh7z+ZA@hnilmlo!&x
zlAH=Fs7MF=B6|-V>QKJmE0{DD5M|$i;a^8A*YiAWeeW;N^NPLcE!QKjOS$k`NuyZR
zUdJ#`9^0i51Xgd6`x^Q?rK3TZ)r8ei*JpTIJ#FK_U`dt4tiOb#$Q4iAYj)(+b|<v2
zO{Gmjx7Psy%XS?`a~5Pg?1#_nlG=Z&hUufvftn|&Ho>o2f~RB3wfPP7qWe^>Fp6-z
zu*Jv`INJdcHOH#EdR_tlhwZ<_pZ$kHYTZuKjp1<hN1Sf6t)j0sT8OrI`qRv`MN<dL
zWLK6_S{tPnV=Y2oS<)qFwp`<k<G1h5Z{8(%U;Jx>5k?}vm6bC5yjBFf1=V?o4BJ;r
z{B=rhqkou8VV(g%O~rM3^iyJ~7j{#|w$M*3ClYR-g~%Ea#DLqFm`cu#ilpca%Br=`
z?DHeX{HKy{K@k)(Od1sR73fWRs#cDzx{U6ubG+WN{mT%^3a4nAx*4IYA)Vk@uyvK1
z&`DyKv$y*3dz`u~rv}c!`sBp&v2V$$SBEy2Wmn^o*YEmfQhDF6HD5p)TD6{V0RfCU
z{I7<4`2N(p8*roH4n^J<qY)^Ajczc>%|375o%eQylWpMj=Hcv_e-G-gj8ITF;NlsJ
zHp||zwYXATCYny3SDOX10Q-iuJ%V;LnjGQh>zYUDo-WJY(T-B@TfbyAz^b~MGtbZv
zpzr-<w;;Az<T8gGYJdfMb-YSbChK8@hY!-f>gZ`DapArB2F~F6z7*c;5lK)95HOT-
z)1Js#=1bsAnS3V~1J$mp(VgcNs_ezbrOQUL(k*Dey(V1=2_^~0sRP1(G+@|`N<s;1
zu2eJs+J{y4C%DPy*KnhI%h`=lIffgtHR1>A6{~4^;-GlCMc2masv+W_)Pdd*1~WKA
zR{eu*(3<X~7W7|Zi=JH48wDzO&t1Mp)EtAe5X{QmwBDoj?DY{h!;Z8=qE#6yI$Cr9
zqn2?i5m~Q=@y4cT8ygf8UJ(G5dLrCDi7}&Hk1qzxrc%C^_vm9?*28CKq~Iyjnk@;G
z@#|w;Ys@T@pe!|pa(tKL2<3w3o86|J2_^2$Lv}iGr>ds5BInsbVjw_!gvPM6=ZR#H
z2V=T;nSiISL`J`fx_{3qq_loUDKLP;2&6j-O<4lzjsQa--O<EdD>@qD|EoJP&-p(7
z`mTa1e=nU&eK|FUewqu2e&4AOTy17CKjD|y<hmRfzVI6~$v5_IX(#}>MNq!&$Lsb8
zrVox;?{FXZA)Iq41rz?}mP!FSW;YtFQt3;j$EpQnNLLXLBBfbF4Y^DQ41E3r>$qL^
z3GX2OXjWbVam1Lx3-v|<x2eBJ0$1keHF{-ANsnBb|EUY@GAnk*x|$rQuO1I)QZ;L)
zstZk6J!Zkq&zQI40>+To8d7{IfF9;}8IXA_-=OuRe3$OcN?rIIhO#ui(a-i$H8Q%N
z<#BDM<Z2RC0xcq^>LabNLO}+Jn?etsDQtQ@`w?N(`nd;AXKU%=8`A46xgUROf7~6x
zJYp{UBZ)#$(J9kNGcaa8_9(6K&m4osqF7&N-k>{Z@*8>bSE@uLR7U8J3UW+EyL^73
z@&8?iER_a-i7R_I!$X1dT=?{o`UqJ6uzgtCY;`YSIxql(bl2OpXP%5zQ<`>SrTI%+
zu+JjlijpJQlD+)9WZ&QKLnPv$o}@AlH_^c~_%c;L**&NpOSBK+ZO%^UWXWZJD?@aT
zGIFMTqJk*tMoHqCe?a|4_)6_p7Y{HXo2<Ax)s*u5VWo<2mhQFo@9?yjB36`z1y1%X
zuI=2<HdZC`go&kA#W{g!LBSM}XU#(ZDd!FN;8ek4EWA?_Ig|+Zp7nw}-FL;#Tn8Vt
zU8JedOd5xD6qPIT^My?%a>Sjk^vvClO6sHoVl4nhmzD52=ClbZ!bw7gal{)Hrpvrw
z(<Ij+r&D~>+j%xQMR?NasO5a&W5lXA+vTQ;3qRFse6`C-erzj?j0p}<m79OCSoWDH
zl`gMKhMB(~fyPrx!pj0NK9^3AOYYBURkXWVnKDJ!#fMoJoKS5+qo!sE^p*IMwhSg5
z-BUp!swDu=%0dYDiZw!L{u>g5bwWJDNPsiS|23w%PR7I3sY>q*!Gcs>!B(+}sh+u+
zkYRl?Rr%#lE$zIW=#urH!3mKL>fJGq*}`pih??cs*_P{j0VLi<rimdr?8{!CQ4Es|
z>j?>w#VHSpo{l=D;@k{<)!#esPIDXg7Bwf{G*^;DO@-uf15I)(&HkmT(NaF^A<sM$
z?d^}3!k$;>GhMDt=WFk}j>m35DK+h)2h0GK+Wi#=ptCldT{N1wR$F-|=!VIrm{dCA
z6>DL^%nD8YM&L}eA)HND;gaH$mSuY|hS&B>$W%vzITiTc>PUj=javmO^tnmmIkVv0
z{7i}XxvS!iC)EH`mi{W5<#g(C;mC1vu0B03_EKtHXN#F|*nWOk_mqAu1?kg5$3tr&
zYO0G8J4*IDT-~bT-xrg9BCRTsnZ?DApWxlF8^RPq^myZwe7ZG6{IcrazuTm4Cff^K
zaKDyfdbOP^n8YfLW_JEuBTQks-lOT@1LaX#E;S(uM*t#;j{6C86F@0KUqYgzSTpQ=
zqeb~XrHqvuRWH|0u_RneQ+2jQ2hLV)HkAu58EJSRJn>)%MbZludYdQLG}Iv?x5}W#
zm&_2<#J>({??_o-4~GbY3sA>xTxJuN{^R~UEc5!Xg|FQZ`+3>SLjkirde#Tfoi};S
z@M?F_7`bpYy)~&g;B9jBqi3oG0kYl~<+SSgIpG>Jn~F^6eNDTCwyM0jwL@*N8mm?d
ziy;z&=Ss##%}g%+#!z)8BRyB$65i4<W5Wc|31gB&Y>MYD;<foQU!|F=HC6Zg>t_U;
zZgNrBsBxmXqP18VO{6YB%n^MaPo^r>ae@^nG+_eD&z?hI{Xm1)KFV>j<<{Tq9LJiu
z&!2iT<8ve;I%#y^YeUxfWBc*OO>h^PIYJ`Rmeaz2V&rs074Nr~T|#sZmb^^hUaXW+
z71?IVmaaS~2oVVF#9^OTk^FR<&C;nsQM$9DM`M|$DP6=GR8JAO#N|x{VU{|avYDlt
z5jF563;Yj^hJMJd<F+(*F4`!;vpi<_p0kRUF=lf^qk9qO{@}7;!wM7Jnt^^9%Q1q#
za=2tQ+Nz__o}r|9OtXw7-%plx%Q3?Wkt|8hTp`IJF>AH^l$y_N!$n;q&&XrbDxD<z
ziZ2A3Br1c8vW|JdiTQV%H)}nxzjoUl?kfYdH-MquZEbjlT%XjFPt9H)rQy^NH#LwC
ze%M&fbh$KLu7B)0oVu<`s%jTIVE`-F9<JE0I%&h)!K937wN-GoP+u@Bq>zbt!d+M}
zFhNwh=Q$B<3g%Q$K9}qyp#K0SaK)fA8tVdnr?z%FoJd`*Qm7@c;`UMoIX~cBkEJ;V
z&s<RuNxACbjGcg;HtGDs|CICWT0c50`dC_B5Bo_Lw^tt5%fNYar|+l5EM28%q2?lu
zi5_!XLvR*_otYW-rRn}`9+#lX3@?<Mf~x9nuqz;SaBb*$wQfJzbs)Pg(Wb~_%AbXF
z_G6zH2!us)NH5tTDO{uf^&;Wo(nsv#%?Ns|o0m7z5a7G#g0GBNN)mK=pOlk^Rw_og
zu;8uYJd;rW)YoV_!f!kUpK5Ca@;P@QS>B;In2RrA1-PO~v8Umu5;k39cD!kf&tNIs
zD+4&|OF!mCFS>m{oZ5KIJsBgd^Xhp0w9QJ=Zh`UQ-lSUc!2&Y71r0x0tu;EqKrEeA
zn~`V2;uPPMa)0PRZ4%3_#-7h-q%$JMFw42jwu0(DmHZ$DR%aB>Uqfi6+>r9y#hE*5
z)mo5nW>?q&vWS-t*AQR(0?NdOGA5@A14DG<L}WD6LuVm6iaXTso*7bFJ@tT9TAD5N
zXU~aWRZHy%!q*j8iW@l5Jg!4RezgYngwxqfTIy^>Eloa$hj^BTi1Ji?4=OruKMj6g
zD+S#%l^m~P&&B8YC{USYdnk9_+5%HuOef102V9vhKg0ha52mKf)>YkWg@KJUE$L^4
zD6Ym#ViXnje?Hro-#azx)NkW&Tja79Eyan!X}FBh(%IQ&*Pg4xRC7pJg_mjD!sh(Y
zmd!*TU~=b=@CD{@PTUWZ{4}i>>&9`3Ts>8^Pr*rMi}Wkn4G<@<BhK}(3Aao0dJ3BW
zkERIOAx=llU_-_hG8&5x<P(8ju8q$-a6f<d<oIZX`KU$`PbqVt(af|)kMiXg*?1Cb
zv|?Fp8*dYb$Y`b4v))EL?W7R8^8OF3q}^|)|CdHHUEajhgQ*c6>+(E5LEEO9@@1{f
zTzk4A22!M3h((j|I0k!TRIl<N#~e9#vm07Wqa-p&8Zc+1IrOJ)X|{|lhc36fBz?du
zUEW`@cF?nc_X5nQs$scAo_Hl(0va&}TZVn4g+gnvjbdh+14)8BOx7|4?ivnMx*#Gy
z=$Q3pv8si-^|4NUGb>0k%kl6dQXojy#T_3Lxwexh%)ojmS$Y(JW!Cbe>VZD}97~-P
zM4pq&<LnBmzzJZRS0GwRH>G2~!e(rIST}3EuTAkuu60$HJ<FwSmgMZH%6BZU@SdT2
z?nVfQ3(V@;V3-<ran+u6yi6J5@eocPd_|y>#57ED9vEF7e*dGr_iS*5C0!eNz>s{S
z#lD?ia`(cqo;9Fad^L-t*vRE~uEJE`H^D$!D_J{Yl${v5WkJ5mpvQas$wf0^e8{TW
zHk+f<=}1|}@pROEA$yhEn%tvvuqL$^fgi_`<+vp$7445#YzybvaxDLsp&FpjO?6x{
zs`&!1_(J?zV61+%xBSx;*6-~s^yW4^S6!}EvxE-pm&gJ!I(QpPviMC#R3@%z&}Caj
zZgkk`j}Csb6i1hwTnhF=$T%m%f_ME%G^@wFZdN^O_wW*DEh)^mDkj0g^NxsE1p^9(
zt6+mOJQ8O)f?S_lomd^8rET^DY0lKz;|%**d;a@Aw8KnK1irW|_d^HEBZh2xhH^EE
zbj&&F#CaMLt;=_Ozw2VItVKr?U{{bwv&AAq=FC!Z1~D$*0_MLB-xicif8?2J>4uno
zWm_W>6dBf;i+=w6J^{Q1Ee$GL|Ll565RDX<ktaov=r5XWG=zw3Rz4E^O!H8glxh6i
zuqUPZ-DrR-5wCq1s=bLzT&Ui$%Q#oH{OCTd4rI+cBsyy<w;Xmvp+%yN5_kZotcgd^
zmGhr9YDj<^M>ED{0r`X%bm}}JZB9Q4gO0p~SzWEuQGsDS`d@sY%jq9=ZR$T?=<LO)
z6;*SCUd8+xvZsI`)B;wlJNXO$<|OSAGNg5G5+4}9Z>oNke10vueoes227qnCiyA&C
zjX|Uob2@3-#Q(=So-KmxsJW7%=(_BfIEWcR>CTbtk0QB-e4-l`6G23H*2arPMEk_7
z;TLuJVfra)on3O$@{z(r)!$QpskWkNpY?F=UNwez$?nRqC#Mh5j9`*YkMQoT=(%mI
zW%77Wksk`23;*Ud03DI(;_&}++1SOu@Pj!Yjl&sv_ox%|o+gVm@CcURe@%uTY3-&^
zJ%Wc^D^M~WV8BE}k-w>Qcver+NuBxgXC-~+RcBRKb~Y})6Ck*g&^UE-tHaPB8So6v
zYxYBFwJC7+?1{OX1{tmX^olT#2|aDsg3S-9e2JpN3|tZGX=&7mso19G>>8NFZmHfe
zsx{3+18^9o*om{|o3*b^LWNXmMZXrieh^3N$ik<G_V0go4Brc2CHXjycG`SAeAQGK
z7coett)flnv9Z>IY*;oM*O!acoCurEQ=Lr~HKPGP@(x?|7<M!<ikKzTe?auHn?{;l
z_1%-~ZN0l%c%EJVFT0j=hU$+9{>sDpoWDr#n96n4FW975EJ0|)T3a3m{Raj`L4!%T
zHOqeVGx=YPZEJ_e5AJ=~Kp~+H+oDgkdm;+Ze^FM$MX7j>KfzI-QlUAPOFqWv)uDrK
ztRNbXWqImM=fj&fb+x$wOh8L^6D(UowROzJUJ?{MQ*n1F{8V2JkT`K?DphENSvT;s
zNtGbFj6S(fQPWbo`$<n@cI^>2<<aUmLai<TO6tm~Ox#~^wr$M>r@@|X9ak}+EtNmi
z+Elb|Xb5Hocl}e~dFeTKU)~-=+nIu)NZsp5r|MxmXJvLkF_kr1m$yjgIxSFh7KJPW
zzbqyk5SYeoh+I*+kgqZBQyh29`3KRoqPNLrNz6LTOkv!qyF*@rsrsfZmTPe8uA9ZC
zo(Lhs5HQm>kHD?9zz#OUOuJG%Lv!`3NrWdn{j~kb`7G9?N-Lhz{1%P}y}RdO-b<kT
zf39G$mbHh(-89#I3r-|pH5%kWsMDQN#G?}EW)?f8pS(ly<h#y;2Tn329UhIv5(N>S
z;`xksJ6nI4Y;!RB1||9r!B0S&t_{zNG1-(BILe}%oaK1x>NaRqT&EoG@>S*ZP9zh1
zH5A4;7qbp-eZCsj@fHC|V%s+4-+y%gqG8b@ec9iGu%n5(`djfk+SYY?(lv#Io^Pc`
zKXy>Mw;0d%x)du*aEIwlt%MVIowGU(+2P8cPJJfux|)wz9+Xv6O9CLGV6^Ec8Q2?K
zMV?^Lwfa21UPe#TL-|!dUZi!_N*)tBn-**_Ht~U*xqOIXrb*`#D6SNtn{$gX+FP(3
zz4cUjjbzubE6C*aG0f}nFMEe*?RRcy^}WjGZE=l6415}{T_GIAZ%^fk4g5f<UNO~Y
zJQBPbC{T-PB=<6G>>snl(C7opmLIe0eBK&<+(0R2A=aF#Vp5b>_0NgrnqPAAUg3kW
zv&3dMZ;QE^-N}jJ)CMP}8Cdiyr54s#sUSxD`t`G-_)3z3L?Z>|)2tFipp>(o`ggNU
zmrL|huiRRZuDUv%Npqd5Oz|ojkOpLH&m~oDZR5OLhAB-f4ZU=Sk894SLqm+BHUvY4
zMCH!^E$mve5~#2Mn&w`(Rzc#++K#_hW$EuBuR-G$FkMbkk~s92Dho;Z%_yI!>;HKs
zKNOKpmowM%$~v#@>CJ0C0=Yd#`7nP?a-@f>EtRma13cjRtu&Q@n%aC13E=$s;Z~T|
zfZe$1{oT1o^ZqC(QA~3*(X1Kjlp)Y>PYJlguj9h#&|Ney3mj>%D{C~eI?i$m7#s#*
zwHN7FjFFSsqzL>7GrV5HqQQxnpDgf(etP=Qx9}#Kx3U|KPnvmsIZf+n@lejZ>2s`{
z_dHM9G=Hk;UCb=8z~vM&H7UtmY{E&O9?g^?D>S9hWI!qVriU>#iW%TZxKK!HYWQK+
zMubayPtB8)7y|5bn>A;vBT`fQNQ_Uaoy*w3y(zGEXk(!##WLnz_h#`g<mFjnj^8ty
z;vbs<|6X>$M8`uo7@pz*5v$fx)C$*;{L>CM+-B>V=5%7s8AkUCCXJbmtsbsbIDRk+
z#S4q;c%9HqBH6+$33w;$p}pR%_5>Uz`2=amnNNtn@Ar}E$$8Y~;Td~ggdwSarNtBA
zmce&FuBFUo@g@8A6;N?V%_?C!NtGljsgXA|HhBSs(2T}cZvyz8!INs<gd&Q$?TLBf
zZF={vnCK8}+wZCeI+h~E({ok7d#%mxe-25%sdsl{Vmh0+>BZK-+l1Um8q>ij2F7r^
zF(R%Va$WgxirqbYSWW&12FDEe56s9__G`-6FJ3yj$gj7R>w{UaLDT%;3kCErngn0L
zk(c<%3FZUGsvj2mhrfBtA@1A{dowiRk3AaE>Yb9Kv$wJnkIkNSW!%elI!Vg9^lB^A
zbV`$V3}uT#+=^Zv+|13)K%ZYVQcfdD7()NP0>In|Op*jx<@b`;-_U|Qs(7Zi_*q9o
zd#Z!}&C_KcbXrRoyO3RU>T+)Pex?~JMx}||(Qf}_{J7DaBU@#0O<m&-?T&)^GDrKF
zbCb4nf=_mW`4W3(Ma|YUC<^ee(N0w3K|$4+Hw}yhNRj6Ko|NLKyR<Q;1-kn9Vx1Nf
zML2Z)<L@!C9dmL#JRbd%I_=hW?wF|9d^qhy=E8oUh>}h@^X^=Gm~JHJW;9yNr|zr<
z_xD#dmXHjQcB2~;+woD19MSYhpcthK5~<>8I8d*8mF|Y-3%60^bU>=AUG36b@FGq7
zIFMnk<w-55Zd^6K<CGWDP@_c`_Q<xmvv0N7&?Ml7`vH}S&p(cMLv!6`CvK8|>ELrJ
zq>-~=+Wio0ZMbmkkRy<8QJsg3SJGL?HS)oXBGsAqU!ws3BffBY9kwmgY1tme{^P2b
zr)E1>mEVu86qFikDZDyg&VvUDre9mm5^_$%9)}uErldp$1;j@|!s=$GBnd%62%L~T
z7RXF(0(z>b?TwgmH-VbpG<j@eX?LldtupkORGS+&ZQ5=i3c76@tZ?ilsT_u1_7?rK
z=Mg!z`3QZ^`0vsUxMj22!-R9UWHbT4q&?lLfU*~l|G<=N4(I0n)b_8YuJ{{*%g)d^
zfSkVy^p_)FS{os1Z-&XXbMN|IKGxi*){*&nXLp|xM5BLVC&$I^O%8rnI`sH)TY}Qu
z@j=EZO8410?=Djw29Xn1xt&ldB?v;cThD9<#nTONr$w9DBObxF=(RT9Oa>_DUV;^F
zQH{#U`Z}L<0-baHKxx&M|G>8WqVF}&F_G54`=9g2-)$G6`Y(JHdb&Tqryu?6K8UP|
z6s~>yhcy1aFZ=8Irx#ysAI#6zI8E_%6BkP~I>f*>{jfTL;8L|;G-HWYSP(b(DLOz%
zzn=^51S9GhW!oH0H~+^RYUCdEc)uOjBAz$F@Yw9JJ+7x3_Y{EKLYR-E7e$i~RMh<K
zZ$w6)8pX5d?O7jhBxJY&$bhK%)o?Sr%}f$V5=a!+gsLB9ZBVphNq;v%m%TYwcVvx)
zurJ+l=&-GZJM;#5ihFI}9c;v6y$ET<+#S<sqirF}5?&X2opI8p$6<fLH+DGFEq4P_
zEKd9?Om8lCma<%`;}CA(z^OKElbM%PF(5M=sAE)YAWgX+1}BkjlY|@pyGZDrA%JyP
zI%xwL?-(wDrH3akc*HGOT^?6$>lPQ`JFj+8J8{XnrskXQOdJ*&VU8LF&Z#bhk@^)7
zAV~jX0BNtk5iAL`kj_*2Tz>j)?Ku;m8f`tw@7yxo7Uj-HY_Wtr;-eSf;NGnNz!_QP
z5AE7|^5on~><PX^jQRuT2{UnEjCP9aO4DN~=bonNDYN|4Leb269?Fqzx~?55bk12#
zkx=@IMaeqGrHv5ndY2g_n8*rO`946o^w+{Jp1+eQ)*)dM9&I3BK@e;5wrO6*vI&tb
zb1_?kD)Fn$SrzD$xsz9V$sFcba`Gr43(Ly>ADDXXX(h~mV8fnL2PvN~pEYNf2i}!b
z6O{(oW(?o#jGiOcIcZ-ujDL6Uh{raW?kRq_G2l_`h^MNPlUs-dI^vT3>eNLv9h)+G
z?f~nQ3?kY{By4oeM>ix)w5YNb#I9twljE-P7Q}h|Zck032#R{NX7Ft-b!*R-Y=<dy
zKu4XbM<s#2l=e8ZU_8F$!^4`l*xMJxUaaI?i=nc4&Ag4Q<#J+O`TaUCdsHskTB>al
z){CA`Ip@i~aHxERYtB;!L7X%`D4SR@6$6QM(bS63)1983dS!B4dY}sd<*r`JeahOl
zTF)gA?%G%1$={_xlX@N^Co{@{t64dw4I54SBW>E!w4sK@d?s0FXIRCM2lX^IZvYdw
zlx043f}YclewIU%Gn|j~e6k!(^rFnop$i;%ZUb*wH9?wf1TBv|!okIA`BVtQO2y<c
z76;&1-1T<XA9u9)+v?+|P|nH!M<MlRE!RqYv#lqB+J_gDoSd~)Z}qix7MaSsO&~Hg
zHQ^9%S_Sw<WFdt?=0ZN}KxoQIpu&Yn+}|Xrsq1gvjanM7LCn0;*e)Vv1(n)q%SzSg
zY7NCzOS7~=T^H$^HLf{X)!VeV;%-a+3sxI2E(Q+@5+dO{cocWYnmbhjmuO^~{3UNF
zTRFSg+1K##E!+%$FVvH%0>(zYlJ0KQOl=BrTa^1w_?}3E5e1}f2=>N6!o!Dc+kCLs
z=YZ!hVa7jaSBIs|dT|m-s`HbGYMzijS)SkstE=2|TJ3d%W_`WJdi9Nx6ZFeX%C5g~
zlj{3i?2boMm6T$6qf*pTN-xoso|Z2QbLI{6zd4<^_|dZJs0wpr?27GT;GjjUe2NqN
zW?PgYLL(=L<y<jsRu>r5lcdDfl%o0mY>d|*8FFrYDt>w*;SbL9QZC7lVlD4Hxu`1w
zMd{CMN?j`7ZM|`HxyQvvOk&&6AzLR6Z_Z#MN3^L@db!ZV-)_!dUyv7Ob07H8h%oFh
z(aUP7B!|84ylV8N)o4E|>q8ISxG1&XFg7yI^GaIlp30n5qlOzS!>yQ!J$h*vm@7@d
zNTg-VQaqj?Q!Di~)r30j7Vi#*UBfHb8(pr$x*vH;wc^OSa&@W>aG%u6&OYE_kLoAw
z?e^DKDH*ci9A?(QOsqn7mg#pe`x7b)BERvi3hhO8`j*A2hW+RH{E>A)Sv`qAYG*!!
zE4G)M?5SUjbwZi&ABar<su}z~C{L`E^0z``av|~T-)`jkpzdULI5c7k7inx#YI5=!
zXl3mer)|~%E$xMQ)wZYHa<h%R*1GQ+PP(oq(-v~6I-sVV(XLp|PqXis2Mja2t7Yy|
zzH3TK+Z=4xOtxa>oQF(pYmMyuKV5qo+j%>5DN~O_l%)q*vGl5k3?ZYb5HhAMP3!8|
z%_mX?cKekLxv<V-^9FDT%6b2R>743cl+tSX-w2Am(Yr)LU-|2QC>(xqo(1ha36$^Z
ze*2rg3$FRbx5k%0_wDV|-TGSA%=2&IGvWRo-=CrW^d%Cbp}pL&TFQFXNLYAW)9xGh
zy6Ux=S!39l3ZldSBaJuwOjd+~V`DLBl>G|=|6k)2A&$8H0yP4YbGq8cuf43jjcaW?
z#Z}%-5xeU37Y%cyav$bG6vQQ8YyBPi83t3^_M@B_oSLM9aec&3aDJ^Bb}0F{H0GU5
znzp&T>h-tk{cc_V8Z0?WWW9d<u*9*5{57+QlZG3vbX@~^HQSwLWj6T}bMSfjfEol=
z08ytF_XuzcTMP^OZ2wJ(B1$A9>xsSTsbt&MCfK~EEPuvxOs=RWxM`lhON(Ql&eAXZ
z%EkiAMe%tidt#6N3t~ZzdJ_>9MPppA7kdJJ?d;Y@#l8AAMik2tNu_X;%I2!t5LXQM
zEJ_ylN^KqTP{TIJ3%Kw3KGj+OcvnEoTt+ncz_m^JPU(Ifj|+;fiC?uN)w0>q<(KYL
zu{!?k1@vnx3UZXMGN!CtC)D@bU09cAS>D^@v!R<b8_-1YIxE7`1)R2=eiQkK01%-L
zq(+?WCqU51W9xk2B%+)fS5<eez$jYgF?rU|SI^y!$4QUL;7=ilzMH*H?r8VV>aX8J
zIH8o@bI~{_;ZZzISyJ=^>)t$Lm*3QvP&7{xmanl|=JIdNo&-)r@rL&sGi!M}Xxl6p
zF-l%|*LpMauG%4d4RZzTTRFnPwNyA0*;ny=FV2yFJL(Y4`1JIvIdh6M_R79av3kjS
zA2(;;`?B-?zH#N7k<&s&6;)D57!5$a3FZ_2^>^O-nt%QVz0AB^p!l4o`lVE$KX>R#
z;*JxqV@>O~ZCT1eIDpD)KlbyKcQtmzi1&<ii{r(y!|%<d+~O^bqJ61H{{zERsXp$-
z%YyP~Kg8-DhMTC*>}l4Ll5}G*-cp37PM6`&Mi_%%2qv7T90lh;fXCsDB;}ipj#l%$
z_RYt9eg5)#xj1m*{Q5MzAu`*bGutSRKkARcJ(dGxadDXLzix~h6l^4Mhd5b;RGXA!
zH^27`_{-Fi>;6Hf&MK>dgYfm^b#+htM`_K00~czTV*WbKP$1BvAl^xDX?Y1}S%A43
zE;WjRD&lz_!d0OeUdP$I2jgfCyM2f2O||+Hq5;8aWU&s`VQEAzd%klt5h`!er*B(r
z`=*UNb+dh|UbU=vEq%4>p@ZL}xQKDlna3=&rJ;krTEqrbSnwEG?Ggi?audbj?aJu2
zA9~zswwaJCE+=R=i=g|0KiyC1x~RFWN=AGt&pr*QT|`5h@(YdYsX+-MY9Q?1?uPm}
zce0o!GQTq#vuUyrD@wIXJc5Qo+TB?13DJv4u5wz7B9bPGVAO3Ya=}ql^!%!ossKPY
z<3#_q%Jws`Y0&SMJH>Yv(nu^~pfrnhziRuIa&@trW%Xl$O51CXaW64$kwC=6^&(Y|
zg+2q#(K>W<x6xsmp;mU2h5S-h3k%<n=_dutANCSUd%mM@hCye9%1(SLiS5~H##G$r
zA(y;eDu1Y|Ai(34Gtdq%WoL}@yvi2)#-IyAp46?nsY^-0JTp-J3h7&}#AdDrhGdB+
zV3E7SvbKAHDH+w%V%0B|)aCyHt$mj&KjoX>eG@f4{s_^ZfAuHtkG}tAngk_$>GOx*
z{D~&}U%vsTTN)dHB6^-^AjVpg?N2eY_jZO>fyPV5Y*aRM$i5m>htc>q=sl%;`aHhL
zNEfp26PI17)9!9cF3OOl6*7&?X6e>hadx9Q_0BwwL?Z=fDuqE>UK+BhgJ{?}WkOh*
znlj$BJ23?)@Qk#ZD(L7W9b{~-1n4TR2*+HHSGO-Wi<l%kb$)sftXhq{z_|r=q=v#@
zFJEkT*lGx$DBynb=*`Eab}NxP`^%RF`OZ20uG`i;dZRNIuk4`K((UGTUtergoKr=^
ztxqpkd+I%P!-i~3cv{3mBtT(j<o8NPp=%)fT!(Hf^l69fT^ve-LX1vZnB;ADA3xOO
zgwyZ({D>oYvSv=-Opaj_x<BK_me+A1JGn)8oSAG3J<0E;IQ~%VzO7Wx|A8_4?wt8_
zzo9+TOSijFOwvj!vw~Q#F=M&IyAF80X)&(Et#Cnqvbfl6)eTxJ5Lz4T4g6b|%Ul(2
zsPewSb=Zc%M!qVuS$A5(kJH|Q97kT;dXiswZMq}E*$h`>N%+D;!^g^b)j)K>-&x}g
z?b?3zlv_?*3BHDll7{vqIQX(gK8G?7^BTzq`h>%i#>e+}2R><t+#WeuakVX;cguK~
z0DyJrsY#UGGBq9rA+qNXW8!?CQ$P}I324SDZ+|5uMWLCQ<TJ@Ak&@UWgK__0x2sm^
zA@-1`_O4u@vbpa{Y>gjmpwHm9Wn0P)JG5iIf)?f}<Eih89_$<G7RQfmL^PR8vB_T=
z#qd~jhL1~VDS4L4bDWa?W4ESl3*Pim?)r;>S_z;)o{`e_$Fes~X3-EicgRPSDGARu
znYGDQpnSGveZkM$=sz(0zb*EQQ_C?^-25OGF_{7hIrp<RG{vXI8m;BrQnlK0#9=9e
zpT9l5GmL4Ev34mv)x>CaGp84Y(F{17XI+U<NszCB?TT!?C)-BFgbp42@pK2Jr-cTm
zMTQclUad8RBCIQ+F$PnX8fNLVvJ!*DjQZw8KA8CaVfwrq<vE@CH7-VOb^yLius+j?
z&SEP!@EJtKfwb*$F@uTp8KkhY3bkRTJ%5r8ROUHX$Fn>bVgA5W3T<lUVm_41wvlE|
zgh76O$(vJ%cf>{_dUEPXj!HEj7roq&?bJGz>dQQ;3!m|X^WBNIlRMfDHLsV=SCM~`
zs38RdQ{+{u-uA=EEu;8o_^PO8uH^2toK*V(gkUny^SoJ8`JYSaUc&h|S0oO<x=PY_
z?xPFa36e;WCz&pRj}amze3=2t^DNy~e;bDJyCnfkwsgssb=&uBK$2@*LoCOGwoqF=
zb+7-x7#qn&ty=50NzX7iFP2$6Ok|P*fI-hAFg<JVR3T7C>FjI`tQMiD+~vt~Y^QtU
zdZ2MY6$rnfElptzSL$}Lwq=6ioaBzc_J#IYai#!Y{hN^`X5Cc1AuU<QSP+=68EnaU
zFV^C*McC}8plPGtAHBvxk54!{=Y}{sh&im?$#pE7y1~+JQZ(KL<?Q^Cd!(xvo&O3y
zZ3s)rh5zLi%6a$IQFtu?usWiR6>3?Wmw=8aNjzlm2?OQDEKN@5_0!j@N(?uS-ln%B
zSM_vW7A4KIY5gi=uaDHuS}a9TNEHLKM_!xNPluw8B+=+vo=Nk1C-aL9&Ba!@x2l%X
zhDa<8Ra|RX#as7JqB_uL@P5u2K-w5X27!r<px}hy8Was9J|x0}HnQn?wPL3gw)6Qt
zn6k<c%Em`kWr3whupmMfl$u*aST@!7)aE?4nkJ^j->+$eMzAK^Pl{bW6~9AY?XvjY
z`T}RxGx1IIPY^i!L~c*<&a8QQxQl!Te3%OgX!Eba8o>jHdBw7mc8_x*s)<`)Hio+p
z->x<|?Kv)KxMw@^^lmY;%lNM7eCjd{&(!6Rka<6?jEl5d1C>@Dze;4VGgzd`cG%(?
zMu|($VovJ{4?8q!e@KMw3Qz$|WiROSQU=g}@@(GG9I-E1)+g6ju~jRa)m-H1`Ki_Q
z=5C1V8=Cg7I@680)jV8P$q(h`)6X7fleBKis7Nd#K3En2KTm6!&fu>xnrYiW(X+CP
zlxzgThp0Avn4(E==e7I+UB+eS8dm8;x~wQ}85@cTUMToAmH@KgG<f-Hx2V}kQKSn@
za`h6?8G}RK+IGD=;UA2wt~11eNkhL70f7cI#F^;MwjE_izn3pdZYRrHnEr35q<w9b
zqTX6&fN37nb6OMt3Y%08Rb!3Pag$uU6${p0Jc00gG%NkQHUmg+0)!1Jt<w@~01ULb
zCv5o|P4UJLYx33Qq($Crg{ifNdH%xHe+t6&1hk2>E!C55-l*6&ZpY}-+n_2{MTS=1
zh5Ut@E$Qv_0#SRw#D8GWEbC&8wq@+Z6KzQh?l~WVFE^U{+GzP293e4OL4R+v@r0(}
zjjN|Mo%&*Rpl-1#Jxnv6R;en<p%q(*E8sTK*f5LXMQ`sqzjW#ZShIfXMD{1@@;S*6
zpf{bRcG4$qFdw`n^X8~7g6=CZ9Tr$-om=d5xF%rg{awZI?|L?anPSQOgaVQQOHnoz
zxGL9Lm28Pxtcj+SXDi*1m$Rla>(b7%=9(PazM%%pXXSRy=3wV!s3U=f{gZCpbK=vo
zTtb}7j`QnAEt~ib$<K43V=?=*uChH$gLh134U;}>#n(N9v%5G!G7bF)qN#w{yP*Tz
zfo^Bbbc$v=qWWm`TXW6-CFwPx*!Q0Y^yX7LaIkN>lprTEXcBpD0kte|uH)F_taneh
zzk;#j+<7uYICVPlR1>Cy;mS^E?fBN>MxD7Q6NFdqrpKH$Eb8;{1+1OfS6WcGCoz}Y
znCl|Ox6S&<FI6~TghL#<?yn3v;8VX8;(ed7GNu`1)<vM}W@pL#EbvTFU2-#IBz5q+
z#$iK+*$>a@U5HZo3}ZDf8?NfRRsvQ8j}6(P+(xJ3GD9PH5)4Xc!uhad&;VEFG1Y1?
ztdnIhpC5LF4Phn?em*P;@>;ux*~DMqRNU*T$Vyhdc8f~gj}&r+i6d!2Wi3E@EN=N)
z9Qd<+h0>xs^Txjo8~-?`MJ5_Cq?-?S{wRcAa!0tXdYnzyOyrp2sz2s*hC$^nXt$J9
zni`sCiN^e`7j9-IaTpR?!l)4@K+nFW&RpG_|2!1HzQ<u6mlg!SM-<P9AL(>GlAsu~
zKWx0)K;!$C5<wy($Z|g(x7WMQbo>^_?F$(VF)#LbhCKktFgtRY{_>v9RT|mr6mw5^
z7-*1CgtS!l9_NL~yLsN?8o_9RE?4(iwG&>mW-#ObKwhE3;Wrx;*EVakvE~GaECW7X
zlf@*l$Jriiz4=E{AeAli$jZA{F&ooxjG<IDQ2A;#FVjcF=SV7GVqsWknP7@_u%nVN
z!^Wt=L&x?}Ap#D^wv3r~s&w5;ZnqflK#NRXy|p-_4db~g`!S^&?^=yTD|@`8@GnvW
zH6j$?Dg{T2!zQW~U{tE0QRF``xhDu3CP9>OXyax1^QapQr`k5))!!>uE8~yju-Bhc
zF9@jC{BRj1E}Ioo39UYn$21h&T--dckT&Si`T|CI{5}3ur{NsA+&a#OeXQH;9B0RG
zgk<`NO-GfK#Rt8QPFqxARRiV4dWO-Uv1o4FmyR1j2ZA^tRh(*bXlJ3CJbWE|$P-n_
za-^9~5ter|61Kvy$ll$B@1$b)&?F@SNFC#Uiu~tF8*P?vaJ5RYhM#lIS^Kw@ffX>k
zZqp=rnh^hA8Q0wVm?giZSev!cYK4u?&A51|=W15(Kd%`E3`#p3Dw>8XU-fD08qC-b
zu%=bEfd-6<Q92Ve1W0C@ze|;8Z7kisqFw)ZmHeaj0q(Nru#o*u@}tw2H#4VeT3>lQ
zpKUV7lr`Bu_`dwq2NBC>`S21y7=}|Qj{l*H<x^bfI)QqG<iki<adY*V%VCxJDrILX
z>$EBAZr)^zc5t5k3VP*gZQ-1tla(54XezI(U|{ncyM98QKU+X}b~!cM$DhqP$G6NJ
zYLx!v;5_H<Gn<RnbG%PS(4K38?e0@Aj_QqlQGn(7I*&iS&N#_t_*O9-rfQek8#Kfu
z{HzmMbbd9WE9N+(;<YFm+$KeJ(Wkz6svB1$JygY6k1T9huLc#94Ru2)lQ|r7E=~=R
zc~SUo>jW(X4tC;J{<QzHFkuEO+j4wN3Ux1Ss+o1swXe>XCq$bdT}J}}rVIjAA7Yj~
z^M!Px4ni$Sleq8g)VrX6Ka7YkPQqthDtx+@x^#)a-Re?TZJ2dl_(Dt-OW(sP3G=MA
zK`Jb!-A#LR9}4T9*dl7x8HpK0aC2xaiHnVQW*%Q_Oy59$d5zu;bJWPL8BOee-W<wn
zDWWoV+Z-EreHF@RQD|W{r(tv1SXYN^S-IT9SUP1^V&^*(vCOxRz4G(0;5>Bo!NsTU
zrJLhSG1VW1L&H5AmU>Ls#&O_1U$O6h^-qV0Bm|WairpXc^;A&v(%$10@gnyD41I$T
zOXd90V~i&4FXRKq18eEfOM#kaJ?~c;TNtcQa_t(clYFvztMunYWe`dRD@n#2Ma9uD
z0BAg0$$Y8PcngCqfXP_nDW3VE67bFXk$f}ZF$=D1z-ClhH&$${YZ9goky=PtStek8
zrtha2t_Mlfj}j{-C|u&((VmjwvNyGV?Ei8FgWaO|V^#+m8d?;n*og{cW)9ANXe>?Y
zSxgdq<#YZVo;d;TPXo#nMP>5LRY!*@s@RSa0$W0P4zQ+s$%+kg1smAfbTb^pZdTpI
z^|4tiTix?rTI&HZC3;MukuV6lKIvVV3?+^VPCtwo;9=dP!0sj&@Bby2HveH7<)-uQ
z6U<L~IX~nu4Lo8H5Ux%-<;;`3duP+YwCKnD56tPNr=VlIU)=GS6p%(I!k4|}Vk-8T
znu>v5GyRLUtG&(D?qI49!ih2#VIsQxL0hN|vYH<;*63Gx%chpBn61#Z*6N`IXhvW_
z;tfF}*Mfp5nrt=h*o^KV*Y~=n**@30sgSrmdbl+ftYhJ=NW&qmn^RW|_1vc>;9EOa
zJ8`7XYjF&u{Yu5rh$EOt+<v1@%Ytnfk{0Ns&AZtaKecPpLo5fTWu)|(kE_8~8z)sD
zf{L@3F^qPe-|K0%Zu)RMa|!h5X(FP*p9I)!$psx;$N-;OhK0IuAdgsl7Rnsj*11k6
zt7B$&d8^;ZMI}h5wE52<C}-#3uRJF7uOd8TZWr>4HvJYkX1#D~6+b=uV{K1HK`7=t
z_OCi;fn4^#Z(0Wn8P*Ssg7HV^<|fnW@f-4ZAxEWS{&WKJ!>KcsEqB1l>U7PP%?juQ
z^}{J;-)%(;JI+m`5D1L>dGVU(?!x5v+(k0aRX{m9VN2eI@NywPV=h2QEpo^-Ht4KX
z#?>%GQ5&{eJrmAeTE4=abeXZh>_-<`=VeyIQjf&3CE~j+so3&cZGkp8FfUxZ5lUs#
zmVuJAt-y}K+OarGnY{tIHxRjO6DFKgs@1q-BkDKho{x2n_Nh+RaHL-5r>^bvd}WOH
zvv187jaoCdh7|HeU_PZ=-#oX9{J6_<j2xNohJ2G#8?9#hj!xlm+6JVczQ;j2oLb!d
zP&q(Vg!L^SUzv4MlR_4uOV4{vp`-n@`y0?Y^_s20K_DsGgi8DEW{8ZITF~!~Y|S(&
zpqovFJU?i$iWhvS?dxK=?T#p)k8u3f>(xey?-b?hryn&vay1$qr>$?#nlPNsSYdq7
z3IDzC%JnrCnp1>0`Ha%36iboQNFp??(AHY4NKT57yVSBqpsRGY{Zb&ox5B%_d5zpK
zAjP_33rn9E$E}h@-8|oA9J@*_Md1woH%<1kWI4cw<+>$kzQ*?y33W|)qcpIqMTVW2
zgv)3@AR2t3OgygDVGGk{0jUzYkzNrZoYhDqmfX=`Rq7;;ziA%Z#x?v%!pq5*%!|aM
z$dO_OHEXG9br7~eW=SggLp9}LrvPQ{@)v|~5aP&xU_5Kj(z4@7Bmi}2nG+w)`~d!7
zItk~<x@|Z53OZ&hIvuHX>Mm1DUNrn-EAGA1i`gX7BzOtNjWqtlZ>`fNPy`St7;gK9
zwHE7oWT$71g0PsH9dpulr(A5}*-!Fwk*~7wE~PF*IW|`=6S7Ask_);K74Be{f%xbs
zcH6CxAmmzFsFBz`k!s`x;!bYavo{vcn%}!%iAX)+M%Lbjrq)7>OomwLz?jTt9qkm{
z?ch(2w0s!~;(|nuJtO<t*Y_s~GGb_>$7a<oQMjRodqKNyv!H!Br;%<%N)QnU2J#z7
zE_Y=ixaCnO$#gD(BD<D9H;s9{SyDBxol|$-YngIlrCPMDd^U?^3O3`5nH|Q_mvyEM
zT3Vy}jh%&nHy1Ui^hGdBt3td}p>_;tbO6r5c=$TUx}Zz_g!OZxJ>}R1H0O_6wo(^L
z9qpIL%Y06lTuj_o0WqG7_ZN<n>19DwSDJN7+AhMPmX^8khx)Z>`%IrOqy(ZkyDE6z
zXZz+myw@v%IDyX{^CF+Htyjl)Pd~QMShm~GG#5TSkTWsuTdSU^zD<($Dp`?tbtOtM
z_%F^uUNGS00~Tb>oVTtyW8zkkHRWb)*yf}fgDte8&8Xt;^Q(XPRRu~qwfZ7z;~YY$
zpw4LPw{t`3pejW88*%97;0PK9Cf{C3oW!9_de!7Y1dN?qC>F)i;t||*8sPE@%q!LH
z2AkOGn$63Qp{wziXfUeE`jy~jnn_^!_{MU~cwb+<9Fn`ib%}fn>j4L<j#rmgTfuc$
z=lL++e}TCJA#TZOf0xB*T+4fV?8y}d=^vURD;LlFHMSRNIrsw00~PfoOEhitFM;7@
zu{zvESK&4_usbJbgC#k)6U-#e)^&sUe?(jkEm%t7*=p0qE3@NQ>@@OU%#V$;O&hIW
z>-qb9G$*wATosOp2#5%mjXKaW@@f3zoOoO9|IX&k>TEd~56XG?&LWvN(OA;CeF)Ki
z6qNq$vD;*AcK0OJ@bf6Mr5zG+p94D43awmvQ3*Pw)+X|w<ZO0Dvt8WXZ?UQ*m91N_
zQ|EA4&@=^glf{yoC<L8`vk3PkOMMz|={CQud1-LB7a3Ys>YuAeO~oXKwb5QzqP57d
zV!zVQFxxfUYlJ33Z7E9)l8a?PZ=uP2lFe~G8#k(ZTeit>0MAlLE|K;g>O3W?)fj4M
zV(<aj>hx}y^|fM%c|%L-c*qOuFKUuulcu|<*^JTJ&=)BFv62<Xhq{9YyH99V#|MM$
zqI414z{67B1CrL3KQp`Fz4_T2EypTMRWy!<s&y>sn6zdXMd(w+^Vi;~L80N<)hB|a
z^HTEun8$Xr$(deFw>|YM$%Y&Eu#VkvoxahDlSccEP6z|@arGpy4;~LPc6Ab$`#Y5M
zHDD^D=ywl#lh-OqoWD?GYEiqY*1zUxuq-*&hksj9P8GUU<x6*KU8<J3Zb|>z(aSd?
zJXddFXri*`C@q}?{Mz4;4}pTOEUh?YlPeZ!&v$-+4~A~YpU4&-ZfX7NX7<(9V(mgq
z{A}>|4imD{W|qKe(T#q?fanLak!AtZPm__-EXjkxn&er0Z}V^Uv@;Fki(Jz2S(sDU
z>&H5s%-=IR%bWd1uBw+HGLn0Pu)N)!0~H)(s1ia1eiy2%Hq$0$2GgGunk%35!r$jP
ziK!f<!ZoHWZO*LGvL@AJ$Sam!YH~Z#$_)pOYjf-t8mw6kr^&W)QT)R}5R!Q$$N$EY
zPm&KdxtYp!w@0q0zkE_h>me<roU@zn{sTLbMZ8)lC(Nv-D6uUuqmf=#!}+H}#^MXr
zouZ(WAG6^dUznAms)an~Hw}<tcq>n;j|vsbskzK4T#wD5Jl}rmfWd`GJO?c%nn$G1
z3m0p&3L8nA(lBPRo3beW2AJKZ0hY#y?<B?F$MdGGXDJW?`^RH7*);BIXgQn>G`guE
z)ooUBY#ux#QDJv(VYZqU#%r5#M#(@%HjnK$tA^V_yEcE)&1R|^azfiFpQNgBloJ%U
z(^mR(5K|fO&%$tE3@T@R%<n2`%SYsK?%?=lY_f=)_$lXEo^p{Ey{r1SxC$WP-G20R
z%KC<${S@9&{bZFpzIEO>)H@B9*s6-5jn&l}z=P@0j*DKSi&66$AJtF&Cgii8eb{ch
zdV&|vBY`trj@#q%HlJ`io>klH8VAtgQy`e8<N^^+k(l6qS&l92c`CMS>0eMcPRk6;
zyu9pq1Wv?Mue02+cik1`k?j=X%UgroihcF^B-E~5o^DymoAKf~oI2}H=o*ZX5or_z
zv`1+rMIfLa^QDLSzhbG4+H6N=x>^lc>eA8Jc3L>re!n7ZEOvXfu9cc9Wn@jeER8G6
z?K(w};zcFY!s-wf#}j-!W<m#Q8ol^D<{xL5b^OD>-?%>J7s)E6vRr(cs-qf8F<wc!
zss-T1AlsPSa#qy54>Kif3uAN}ZiZ}dW+BRC)81bd8&flz%Qf`#Tvx7%bYV5qV`vwz
zbcQNm<v+Y-3Y$wiyW{BRaV@iI6#vptf)wM!a_W(z4HjI3r^JibKgnv2cMU$%C-ZRk
zxP4R;Y|F7nE%QNoyosq!Td@jB?7ljojf3o*7k56Ks>23cHhf3z`zdV3KJT}D-{aL?
zDbNtr&$rrNId9hm;bxX6+*@K|S}i3f>w8@8y*}v%)EA$v@2IwtUUE=72AoEvjAKQI
zy8nZ?vy7=D4BIqN+zJ$TcXy|_I|p}niaQi{cXxMpDDIr12Y1(^<zQXDU;AxVvf15a
zlgT7AnLjh{J9%gB=eh68JX8w~la#cI>X*Hx(H9OBL9|gQH7?rVI5aQQZ8ej{fI7{4
zxjs~Hx12EDee!aQDr-f}U*$vmD~)#L_qD<nFj=_vWD7EXQ^~nwGapkFI}-FA>Rp4k
zoRN;Ulja-e3Rdwpm}hv&|Jn&qu*BkNtoH!BbwRabYAiTIBcZVM{qkE1=?lCST~KV;
z;m|#!5MB>-J{nUz%m6t}#-#B53BQ<Mm`t;YXj0nPN7tOH_DXwo$ddb4+@7mHBynY0
z3jatF_fH@6b_h)a3IcI?XI!T#HZ+Ag|JwFBH5(2hsU?qK=#csB{dM_DF~QjXS}!p_
zF{-oHgLMlLEKf%)HzfmjkGzv2(}{Wuy?ZQb2n`sD#zl|h93n$w-OVhXqBbBSG>J&C
zu_E^_oogCJX0vHcp6*{iBhJ2RUmNS3^Oq(CV|{PDi{Y`v^<{Ni?;&7cXfsbS$t$3;
zsf~KdbMco=js106XR^hOYvC;ruYK1-Wc9(_INAM<KRIv9zrv6n+7>&vrxWjLQeE&v
z-dGA6Ogq&hiNy5a`d9PVdNit>G!V9&DYi{g?7IR&0$-OA?G5>lfFngKCa${rliv-B
z07m@+tRFi|jOp)jEm3$h`ZvXl<oDWHm1%ijbJ^+D*->#M=e{>{$B5@02dHPHAMK6*
zS>K77{u7vVbMQoMZEH|KJ6UrO5tIGy&(DqU?!TEzHBKyYbJOmh&2hY#fw8o?m3nYX
zEcztNnY0=@x7LMYLBABjz|>;JWF#VsZ^GhdJJ)A8;VbxrUO$X9#c$l9OZ@l`V#C$!
z_!w<H1{+AcSS6&V-L3z2=WK!fB`QPBi7W#)W-?sWo#V$CL)Yw!eIIg+wYlrXGW?XC
z2?ks6NgHYAjIr9Ot}J3Yr$F77XqO?K=w5!8335@QzStzO%<stExlNy_d2e0e$pOJ*
zma}C`Bn^UTKE>+|#m2S50qe%H20WlCz^Uyg6StR1&G#<7oY#=CAPU@{SZI3n2HcIM
z%Ti^_OCUIM^-@@(L(`==x25s;xqS8Q0h8xPkYZ-9qimhhj)8OiC=Rnb$Ur2%bL;sL
z+&3GcMP?|?UV)?B7h%Z=J}`)zIG;>zEIQz@FAL}=IA3{iWEJGP#g~Q|Yrn!}y(lWu
zslhOCGLuFW6BP55xRM!tO>Yg&vMeR+)+`$qYfr?tmKSG=!5B5{g{)vbh$ANxhZikb
zH<e?o`WydQY9iuE_dec{DNa!ANO5on@r_FU0K<(}Z9YveOrE-xyH_tskJ2GJEI0od
zJ+(b?fKfDmwh2OL<se2rZ=$9d9KE6Rjwfo{0Q<h(w0drR$(>8?LMv}ZoR@5~AR9Ty
z_4rZMLFp0B6*ZNjKa6S^TK)rev#tn<T8_ISnN|-?Lc?J(`$6xsGD}k@IzLmbI3FM^
zIc3|%eQhfs(yogG>7P$iXW6hypotyVzEbwMbl=jX;IxO?6+iTof<%q4fbB#W5F^4>
zaL@~|sn-{waTL)0w4IaM0zWxGX_MtPXzb^{cbgtx<4^Ye=8iX}q!UXEFe?f?4#fxt
zZB}QiQu!>&aE)w_n>nD$#i>06E~G5vB?#|IueKHr_6#zF(&TyYzfD;F6vC9ned}mC
zTZu79FHzEj>a;<jE)_Cp<(IC{hD2cDBsV}E3%e-vnNVDqEgp%9b3BTq$E?FQ({8oY
z-erbhdzcBuwkeZE8;XPWxuRSIGCE6^cWwATg7AP{%ip8*wCd`)S%yp>5QdmZP6!Jk
zi?qH%q6f%yB-4oyHr-U*$M_#?yah7xZ0H~GMLf|zYes)DueGl4W;Mr5t)g%1fqLn=
zv(z|+{gt1!D379mj$3XF9~btD&BZTI>oc0{`Zj=>-(h>Ful2Q#s@@Mo7b6@RK6O}o
zFrbE`t(*CrWmB2b5oBYU)08R9*f$HC|4q(n?!`A+FuhF;Itz)Vscf~1enO-IEafuX
znPo}?TKH;m7<*oOBkz;JXCf;r4D0F)d!xf#U7FVsq9|=;LX;Z~QQ$CzqadN0B%3!G
zqHp(MnLzO4%pkt^v#^k|<iL1_xt_{&Nj`42Sf*jWw5D3qoE;<-VmDNLP&Zhzx{H|y
zlCfG<a?X;n&tb*aw@Mp|xKIgk+^MiQE>tuQ;pAn0K52HVWSFOgC4cC_o3h9cH6Q3)
z+N4a<KWuuJYIMA;QqFK73;&(^=qP*pF^{O^nd78@y|<FDX}#90xgvJ(Y6WQRsZZ3q
z%Na=}^-wtEv67^~O^8*b{(?5P@rKlp8(@}`dw-V}4mNWNb0y4cq8V$q1r_8>R)lz!
zJ=gL-x$yrr5_)PN`em{s&^?`$14`|hEQ#s*A_9UAv)nXO3oI`e?hCRx{0Qjuo>N#h
zzjOKHbQ=7pZdT(Ww-`*|UHLAMufO-5J6tHe%B^m-M2<2W*lWR)Bu>Gl%b6Xkw60`n
z65}9Uz<-r1N$q~A;glNiv)^NhAx-VN(zF9Q-JJj<hWvIeL6I_%Z&tyiL_))Pk}xNM
zGJCc@*`|Hn%;0g(nRwH;csoGkF<PhfV%Dl@r$pSOW5<UARkqfjdZ??C(Xy^?CCTl4
zuc+#0mEkfaf??@9erkm%IK-8YrJVX`S7U>`hHBx!5wNbcT3dN`rmeh!@_fQtI;b^W
zmoaQeaPVgzDGz6F(rjvMgw!&fSu~jJAX3pRx*q2+kODOI=go=gmo<<nm;HKcl7^&5
z82Od(?n=S3+xjL$iTdEy%+KdDKFc3WHes>F*fdG3)_7^2ia0)Z9fXKk80l5bMXlYs
zI@kZ?eEA)4k9x(w#knSl3_pTzf)<JULqXNz8*^ej>+pDMOOoJ%mG*u(ZtJ?N#g2np
zf}+QU{eixfaLL6EIW4x5?%xIkm{hr9p7@K^uw?y6a1Ykkfx0OC&{b+Ri`lf=U~z+=
zmp^TIjY)Q}JYJ^>)eHxun%#8c+oF$(n9MjjHO+EYZ7Vi0R?&lm<=E@z#isoU-<P|x
z*-ULBNd~K8%$QVF62C#2%_1lr{LS<FYg+04Xtr_G>{ip(g&1#-tC0g~WV+Xu#_;lr
zvqg93UPooii_PB|Ph2${=p3$ROc(z$r}T99RxxEUd#A(uL4P(Xz86Tk5s_qnyGSHL
zHQjPxm7wBkGvDybd}~Tv1b@@#@{sdn*+y#h_H`7v=`YG!zqH2LW%kY)b9|^b7SgQ>
zwZm<uN9*ln6FX{UI^pnBSXBK{{kOLMl5STDsv%VSU;5=4&LbfhfoGZI?s*SupktIh
z#Xu$p4nuJNQ4Rtj0>3E~Q9dV*_ZIQ~_6}r9+wtFi&!9hyL8D&V30WJchRIG<ki!by
zo1WiT_XTZLlv(o%HztXjgX&#7ZbumVc^`?xbgow5BDO-?wh~<>09-=!K)HqeDPk>0
z`p5DWOF|b~@Ur|X-H~N;gPb4iM455-8bPXj`-}wf<8JT6d0+p#g~7DvUTO@6kIyb&
z`X#;kv9GSfj<Q+rkpawOe0~M9q-_?@DptYujs@&YK{#RO*Ke-Rs8&baUHLpBOk)nf
zF(cS=>~hUG-?$x0-gZ|;-myt0&;8D82rXE}O@qd}&GrOg0ZSy=&OVn1#Jsdj-yx{s
zu~c=zp`GfQ+C`zNlF?ey?jkhsja-6a8%e(RP3dExvf%w(-hbui00r+W{%5C5fKSeW
zQ&?~x9bm{$_)mSqRqh#v0QvjUY6^WowHPF`WPAqvvR_yYuVoD4CPh)ML!|x;8*T{q
z{IMu1rs?=PJ886{bHe|Cgmk>GmAEn`W3l0(3D=~l*TO(Yk~sB?J!v%<5*mG(4Pxl~
zPtj;7`0LN?I%twX=m2<;U=bq0`yICO@J{wjRz_n8Xqy?%1FJ}tVKnQf%;acl|A$Ys
zUxeaOzIVq0ZONhy<%WU#oO8JhM6xd=nDQTlvB=@07jz;7Wy<R3als|Tr$FxW;`gAG
z<6rz>L7>fdwNT+JUZwt}rQ0D+s7R_jq1IQ4cqSS5hZjAHMT||v%ucqDd4j-MJrC$@
zT8KtE2eX)+_iBqsuJIa@X!$2aCu#h_9lXfuBeYxbr<PE3vo;^{8LT3dB@5RCO+5Zb
zlw|XhSR_PT_CGXB`i<e@?;#rhDhh%?KW1E1$S0FPQ$1K$L!iz2yMR6(%*2y!Q??_s
zpYYj4^B<o%<FI8O<wj`%Pce?Q1{nTP;_tJvFE#iL9dNfZ`yYdRmIzN|V=tE4B0NV4
z;ET6M5ZLT(@rmO-C}oGF-FRKf$ksn3%evVCO4x81rlxeg$lo-+Qkw%pBIscA>7Gh`
z;9xS<o4q0M5lam>Xfp^b5?}h^o0@kg0Dp)bG*uBCIT#!qr8L5A7P~B~2DNPR4Tke}
zXwal_iU6W?Lrt8X4vw1kXwiXf`Qb!%-L*B3fkDY5&T{I$);2~~)3LN>uEoN;JGnl#
zwzLYa;w|AXOlrcj1(lBS8<sI3=q(stB<VA60Ix&eE>$9Dwaz|JBS%VR>C$RR@aE6Z
z*qOikXRxAybvaf+=UyS%hrVbg+}r06cNt^TRm5}my2{=ZF97j=+SsX5Q9_5ooF1u)
zQbK5d-p4yo`4U0oC*<dZXoT?m-2Z~WP=5UiRC5x%UwJsYHcPF#luM8_R%<$!Dv=@J
zy#9_=TuwHda6ntpz)d&8YUBKIMoNxHzC&`op>VJzB4l8}FqPPQV!iIfAXV9#W+6!@
zyWohZ<|YQ157JZv1VP6)BS53ckOspGMN-_se{Ld)(og4XYNd;`^aGNTl`C{M!XxDY
z*`+}MXRVEb=Y5v}!`$y9uiwlR**<B85qFbsTpzv;Z_Xe5aSP>*Flh~`wH`gDq8t`i
zzpxT@m`qBVbu}fq=?W(qRwL<lftmjxXv1Uq#IFedj8pfC2w?&9NVC+?^_x=<1g9yr
zmDmBYvgDYGRGa{vSq*yn>PiR*ax4w6>YpMaKOsn(s0O~=zGBFJMxe@y>{OI^WIKr6
zwP<wM);aFxh{Kr_=g4uT!(<avdrm~yeld~9QHPmHHg|Exrj8J}dHxFmJA9bu`|<!$
z)U0h{TP5H84!q0EKNyMpDkROFZ~*StUoBOJn;;$wz$BOAbR>7Rh|L9H<kFfi&!mZg
za1F=24>5}5F^UxNLR|5@2OxYK;%qbgv+``aSiAb{i_cy60WJu4j4jrT_@noJC0Uj-
z|L{XrWU~M)1OegkrIF+(+|!qj|A2)3=cGyBV4~{!K{Fa-9kkpmHl`5AO&+94?aEdT
z1%W{w5(I*11iDDVNP_PgO>*7V)RD6$+f0w3!|H7to-%?}Ivo7ANo3bK&iM0o7;Y@|
zWbW>3nb&3&ogh2j7pL;Y(bm<^h8d6z7l^=&Z`oiq?}&3P?aVL4&$62wXpgdY&@M;V
z#?I61-&)8fJo1@7-TXJu6!PQphKuBSso>=p?zKDcK=qa7HE5{<C{9mAkpDoWeIweh
z&iq1KAgbr2(n{HUUR%Z1Z-y5?sl)@ROihu(FQ#OgVsF#$4&ntl-Eur;Jy?MdY^J@=
zX5BF3V;|+kCIVZgS}gO>o`kY+Lq5i9p}q!;5RX({`aT)^q6O}TJd=KWQrtd+I_v*4
zOYMKP7X0t682@pV`w`7J$kXTMm7~-ZNa@H`$iU*f&T%mv=xm~v?39{^=4;l9*q=h!
z=n-GVQ9dQPgz=R6XM8MCw&NMZK9}QhI4R8KhO<NbA--`%1^*fzXwpu119I%Ku0aJ=
zYh<Jd^E9nHN-SmZtH^8XtQ6^Yawm=R!mgZ<=nQSoe1?1DycMYgUIZqRyhWdXEaeI0
zQk*~B*=UkyhgMc#NxPt>JHwh(xxMP@1y4Mr?rO&comfW7pe~wlC##rKlO18k?b8#l
zEz`Pi$}7f#4)GqhmNQz8A}F#m!ZWiv)`R7Rh}pg}FZaEz$4KbhSLI!0A+KWNRz}7P
zgw;{(w}yDr0yVGI+AJE9BcG$9e(TM?3hhN=4J0w~7HIcwc8)5O5agr$Zd$A}fCgau
z`-ED0Bv!vOg^VM^*Rz~JR+;$AeA}M~wHbTiVi_Mc>5%xAyAkmp571at^*IF|akU6j
z^H}10;|tXFo{(;>3SL61?h(dm4agmrR>d+W)Y+?WTVoP7=;%1XlK-s~_F<SR_F1*K
ztL3r)A+A(k+GRa^(p8MnI>CLAS+<BnB`=#ZpFCNkat-`&^O~FX-geGWl(;Ie3;_GC
zL<sd<I&ik+!DfRtYskOr`;J{=z1~dpZ~X2`Y5V*p9nW*2zg_9>LEBim%%dX97}CDX
z>h7}8oJ<SIU8t@Di%wYn{*XjOpyyk1gh&q@hvh8aOe5R;TV~jOq$!PqJJjdqy20Mw
z#EcX&LGaT#egU*Pfe$;M9VDDw6HcpM2a8_DXuZ#D2L##}sR48_+$6tE(t!cA+kDA`
zaXG)^G?@&4|6$X=1qA8Q&sMZB&PB{_+h4ibddZfNeHgfs4+We&d_*>=U76^%Rbt_n
ztb8uN6)QW+=1%F$*q+9pVcXwMnev%?7|w&#m05?sI@h@57nxVf*(W*?gTH)TW?6b}
z$sK3aQ^w48Du1=hb3N(Y{0D);92i@HX9r@}QYNan6t#4de7=^ap`t&sttoY<VyCcJ
zm{hJQRF+9o2;Cq}z^@_i1_|e0#v@1>@SVY;R!`03a|&DIAvL(8=DkJa#h?thJ_}4Q
zs!qbWU7UgShnG`YHGehUc&fdy(_i_UQKN`9d=tXRZ!_n}==rIV^saHN*BC2%#Nh~|
zZIPC5v)<3Q1>g4OSHnO=by2`|rcj;!1^c%{!XQ!O6FD7^FO;Txqz|v7mUamHDPAa`
zt}${cja(70>tPz`jq?xUtNP}Ruwe+tt$xM0UR=4-v(4?blrJY?YPr9Tx5i;$=6r_Z
zoE8aP;^p|b#R$9Q^2rpJbr}wit!h>FRh|6@Y%0i?4`k;dDJ6g65`!fnbN&y4<8^{r
za?lUIW`rLP=S6eV^#E(EHbX9k?xr_5Pgf*yD<`QfK}Kx7hm|>nwi^Jmc-Mrc$2C$2
zTK&EnKDb*czQHd)*A-^9E2xFWx5KJ^RhC?fm2`Gmvplg)NpRSl=Lv9W6-)dquGYM(
zNCw4^$N&DG9#flTs9-83>>qf)zVYeBWYlXMBj42Ega1Q9x(7$a66ZYqdhh#u<-EkM
zl$=#Sl!M~+IIF9hQ&bOZ(Ob_hFvJL8+L~~O>HYRZ+)Cz$WsskC9ouhvc{EIXKD}S)
z9TY&3+V|Y^8^_f)V>C#PqU1J`kqZ^Ut8TOM%AKP|bzGfjt((|MBT>Htqz(e2FC9Ne
znY+qx>zdgF#Xmk*R?<&@tQk>Z1Q?ko@Asv?(YKYNEn1)M%F(B3`f!#+mdYbC2R%}{
zxhFXUv~$n4W)a}O^gvneSXum^@jV@S0}<v&?{z+83p7zS;~nt{d51Rrcm=t%C(GTH
zl}VU<e*Esjd<hod{TWy8dO%g*31;SjGOArJxW{i(DW<Qoe1)hfB=s==tu>3tlc}e^
zvrlQOoEnsBMPil<txow<7rdC${3{~2S=;rn<7GpBVinECG_$Em2R-&uJmKzeIWdz4
zMDgvI=oG4so54!-DuX1xFyr?*cJ&Q$S$oSp&yo$<)^o~cN0*LG-Q`MkpU`Y}i!^(C
z42SiTQ|WH0b5@rwNM0Gcx8k;56sV(c95mI{Ml?t^(HY+Q!e!b#<$gDffDytr2?*6F
zn&cgxCEb{A6_|!*cPRIaQEY4WZ)@52<;$xY2)G^12n>krH448XKH3L6!jI_>kR_`-
zGQSxy6`ch=v+2LZF?0~00eWYEDV`!xO|rmQofz7<vCef$pAonE`2AE9^M1En+I)xx
zoiBUs6i5X|stDr#z?7m(e;F>@&2JhM*0AeK!w#U~KHWu|Mbia`hTk@P(54s(D`ME$
zy9OU`xj33FT5o(!YyE;dH}5J*C9bI*HQvlQhR5G<&O*As1><T^y7n$ht~DaY%bZ<W
z!ec>9K%o5K1=Bc!FVy#S&2H;?4%WcwA-4n2%Hh(P=`2R%=?Nqww_q^i8Ij9qfgmWB
z%Te&CJz0<avx^1vd!vlBrO0tK^^U*8>n}Wj^K>~-jh#NM^kYJ@BPa`A?;`l(;vOAk
zA56k{&CJ)KP_wo&lv0pd7RYmxL6QoJ#x(Cv6i%^R?mJFwpXdu+Itz5nE|*{|(cQyK
z32kLe>wLa>B=>qPNYG5`JTZ0p%__O^^K@-&EA6kTogr&|k3#IXfzkCrH~jkTz<WBq
z@+2?P2^pXFQUPh`Myq+C(5wh#pUWb3y(xZrFYkU_)kyD6?E8nZ*}&J+BdUUkX&uLK
zev`>uTHyF$tP|r}ljW$k7+R&{$yDtZ`qrfdwSwds58@%U1ZmUl;qNk9e}xkSeKazZ
z4D3(Se7L5|ag3<r#%fng4fL*XK!7&p?hV@$#g3JzX57>B<J<Xg#^Q(unL2vhk))|a
z%o%7`NtfI4TY}YYTV1M8MK}>sxrF44Yu)S%Mi~+53U;JDZQ_<evzv|fdMA@bjyaov
zIk{Lgu>%=^LDrZ-1AJZZ?H2J?@6WlC&RGHKhn=oDUcRsnpZr_d-H+gywlZOysEi3`
zZUu(S%B^3{FRBOG-n?&o)o{M-DO{C9SRzbkelaOKHcg~)gdryln^iYg=@C+zRpl`%
z1+=z0-F^WVRYmc?M4wMOC@>@ReN82tuf}TI-@U#aw@;cde`kz)4DG%kijzAqXv0fh
zG@T=V3M5}Dk{;Q}DTwu4bb1PFn<}k~M5@*8zK^agJ&i}AF1CMckhf9e1K2UGBF4EW
zegr|;t1J)6Mf`E<f4fh8j@UjFmYp=)_^i*~vBd5_zd9x0@w@c;cOIY21&EW7J(+(m
zJQ1^-x@B@Z_z`suynxn~Yh#_y7+CbTdi^lqLN2K0F*UulueVZK`f|DIGia(etE*V<
zp&{JYxI^V#$DgkI;osbY;gkd-NwT<qO5vgx5KOo0+Y>^ZSA@Fj092KH#U@3p#(Tv+
zt&j@14gA`o&~Oom^C7dcfZ$}6eeUZ<N3tv|_UJgM(J!!AF!3XMp<5v0yAI=oJ8d7f
z4(;)|fsqz}Vrf(E3AB}wbnjmr<>w!s&b<)?9T{PZ$)8x7+c>}nzM&)^l5M{b-jP9j
z1W8V$zth8WJ+l{ES~{S@Z8XTmjPJpSE8!7GIH_>92lBhsMeEN?RoM8cm5RC=se4RM
z-R|7`+g~3VRzhD1hl?D1iK!~vn<hI9n%#p{I?`|lCe4%A9MYT5eQip89isni(BmU;
zrr0wt=*t$!2#XY`SWTnlNSta3muV-yG8b<7K-S^vW&u&MdKskzI}p)Xlc6t5nAm46
zbzqYiA$SWnBRONU9G!%&_kxZZn3H)YsRKkTxx-O~SIrY@G>MQNEcpmd#>4HB=9~Kc
zwXE!Kn7}7U!<M~dr?UmTPAsBEn+;B^&82UVa06|<!$L^xO;04+R+@Q|Te7hMMrLn)
zyut#dU`^q7gz&Xc=*Ednk`~Aa+j+t%X*cGUlBD19i;c=PBx_8T1dw4l`r$Nk?XtH$
z-38;LUJl`fdq0q_>3XOx4v7qZA^2!nwTc}3V;px+o3rS?dyVC=>Jz!Qa&17EOF_&j
z1Uqm)SOI@{H$<Nuao^>*x}uC~B|TsF!#EV6wQpV-&t~Yioh}_S#4okQE3p6S!H?cx
z(mkHke<e*2oDn6*;-nb3+?G4vHxF*Igtb~luSEXIXg+2(rFiWT^=WTm&RMT%E@K|Q
zJ=7pM%b3iGm|)1G%IU9+VrpEh=UMmBvLS7u<?`cSBCwrTV2@l!NE!LUfir3HMC@nC
z2_~CP*YTN+lNG@e>1U7`uX3}JPV(Olh%LE;)o54DGSTZCf`!!(wTh3Nw%!kxYd85|
z^_@=;I&KdPN1C`@863#rM~xRqJ8%#ms~)jD>=(JKC!#2TUw1K|POzHb-8K@&Rb;2?
z=NcJOi<}<ci5qi0bvg7EsfmvkfyX@A%Fz5N0EMsyuScYxz+yPd_%Uxc2fjIQ-mIMq
zK;`rNKKld@DqJ6J&GVRCp^@0uC=N_>mA7bLpRTqtpx6)rNw2B=b}G#=adR<McolW}
z5DDKo;RBJ3JKeX7yj&#Q7TkaGPpm{vaQ{IBh>UT3nt(rlnFbn!9!^Jq?8C#Dky1v6
z$X3`0>370-O(@v*V9<bh<ie4LSM=YvM=9-hYbjzwQ`)MNjgf(bgUJXF;<0}a0D^xI
z-_jk22TT;+0)-2K>15ndzw7<wn#i6EM7tlp=(4tP<P&gsX~%jyVv?IsBCJX2T4c{O
zqmXMuIE!|n+2FCi_myt^X^k2^0o1_6ZKRV@3)r?G2ESq;o^9OJTtErcKj~)UZ9&5(
zqh_-cjs~q~65zqH8p~kVSpi*lBJKXL?a?)7^*BHOG19`Lj7Sz!O%I(Wmbg0+c2LhF
zyO?+AF3BF%ay^&)Y%G$)v3TR)TEq23;jU3ljuySN!`P4B>T}RQHl<YXxwp&Jl61cf
z>`?zStmB6dfEvPB7>e*z)2q=UeIz_key>&3>DB%?jWAd-ZF1*Kaf=q66+8+T#Q9+M
zf@zKU2ccZ|RyzO)Db3SuUg(^{E^`@+f1#ot7m`}~9Ut>z$0<h->*iN~EH#D_VUG3N
zG@q}v1X-P%Hg-d}+4}}5@XsXYZLbKPq2m~#^3WeY)yNT=zgOdLM(NMBJT|#pQ?g-R
zA5Pwe<OtmN-a=grx)|Ln)I|kN7MNQVdZ~YO5%iKiq<*CMOvxU7r?#imOy*RF)`E1Y
z7~ja^MgpACqh`|B9LrohMAh`cOKJ>~8<+@iqY%5U>fRr=t(T}?Ov8L%fsj_O@!3uo
z(7kM~NJl=ae!Jfh+jrKBKe*qYZ|)5%UYEaU>d_2-d9cY{YqQxX12NWS?!R!I{r&^w
zp7+&XXuwmLVWmWyfd||pu%hFPnVe|>s1y;wsal>ojKwr~z4t&jpN{_rH17Xa=4m|n
z?}g^SnIc#(I{Fdsc~dvLv_Th=JcbL1?oxQ<M@It9ewC;0p*w9R@S{^uUiiFd;m4<(
zJ+bW=<shT`a*nufi%$NZ-dg7krv0&#1Ve{Lp<_h5UCLqu+P1;cjt9go(OpMNk#ZxQ
zrUkbAV@c+rdCegpF#>zHpN~I6cecx-)D<xd<opZ|NuEw5H^^T#GdU5ls$g^G(Kf5N
zOe5TEODgksQs`R<PXleAAH+whnq(NsL?zkGX=T;%QBqH(>d{Ku{VMy>9Yy0ko==_b
zA`Vx}`sw<cZ$RF=OPjU0UVhiQPr3I7W&^{F;}fikwwhGiplx=H<r4O~9KvE5lB%4x
zv~rh6O`)sD6gf4SW>Evr^SB!9VU5D+M?H=A=alalU@XaW?504c-sWIPImOM=H^0R<
z{JMy4%1eV&9!}hXZNOg?&vHD7a-+m7d*~;)jGfyr;YsTos9kB1$@FdFMBPNPb%S%e
zJxh{Pw%nipHB5_s2JF&T!MbfvtWIV-iu1$!vf}>(#d`hk9MxKS^u5hc3!{*md*cu3
zn#l=v?{4)c(hz<!?`7OAh7868_Ov{IfQFN)Vm3nA*OunsI{b;hh=SH1<&bGTN}u!8
z&b{eVhtBL*G34h$r{S}hjoYUF=B7VuqKfD~C)>Wnz$q}h_bx%3Kx_jo{EJIZ<)@Ix
z0UPet?i<Ix&{4FZGS7^~F7Jj*kJ@aCkn`Lzl)_zpU)L=WV_U7pFwN>KzZi$nh1`HH
zKc`O%h)gF;5Gya4r!gD#Mp?pe%oVPYvrsGr8K8(K&d=h3?+G+{0ZnwEY4w2goB3h_
z{9r80KGm{ZsQMnn^H*@)^7^r&6{Q#fBTvi4l>LtLS+a?-2W><MR5bJI&cQKJOqm<1
z=<-Eseu&g1QA@TUo;eS`Nh)|=cVU&i?`5U(qjh*e!iyhcYh@+!cWq_#yl%Waa!<IZ
zz~o5;u+#FlGjo7!*SBBxVC3hKa32>Rj>F{&+QA&;$NoIR`jQy;7Sq_x7w4Tzb)jI{
z3pu3_j*_DMKJHn3@K-$_an|2@@6BsCbJ&;SH7q~MeqMNZU#0=A0zJ1Em3F${!fLmY
z&J6AMh_>T?X>47PvL>w#U87HRUJ$!lG-y-7`n!x0Gwx`&;f3QAUC}|wN{ahm%JtLQ
zZD@Nc#jebqZMh>SUC14rphk)dM0d->0#doI1qisE%Ij=ZibIF7RZlqA%uy)I-%+G1
zte%5nkgdw!SlAwIMqLR9*7FnMwD_%d9}frn0kt0z(?T2@J;Itf9x~c%-0EzzH4CV?
z&(&QfJF|W=-iesay&G*`svAx7sivN8HK{}&YJeu!QU0y!0YZB9j{yxE8yusH`BcHf
z^UvpUWy|o)ENz%9CAF#wyGydf=B?K;O9-<iy4+Oht3gWlSg=EOCU4f=8!TTQQZn`Q
zc4%$uv&4Z8?GM)Up!>!;>)}n1p6%oM5jUm_MVqbZa&cG13S*BrCfK@$)x`V6X%C!1
zG~v4NeCcvUP%}K9bC0#(dXi5N`lqIySlu8tMva5O3eh>v0dG$TXgBAOU>ijK=_S@}
zpuE)hnCLK-)uflUzu9EqAfu(N)N5Sa_K5-GnR)9St2-IlOL}df4CkrQv>>$NW9b0A
z`?YKxi4oW^q|wHqo4R!L4c9i#8WYuS2@4{gErXnvho6sJ&mV^Bp>wo@+orPTX)cHm
zdV*>|bD?7whH2v0ApstPGgvmJRl`46G#wSD3Z?vu{ad<_QZC~4j&XSnu5$clnrdPl
zx*G8QLA(K;>)tk5YZ=YUSVH1!52{+}H&PZO;(!b*-6WK&&mYP!YOZ~oAqRwy^N(sH
zg)W2kgj>E}kWbx2ywh%ad!H1ZgWSTmfY+>n)x(cZk^Bu(hLRQ7Tq_6_MpUWbL|}dO
zG_8d!iqV@)J@eOFrXU_rlqL@<?cced|3@sh>k5R~@!b7qRCPhdq?3Mualc@D<eLKW
zoAL3B58;>MW5sr9?~K?%Il}BMxu_>LEtJd4uMdys6TVnZ8%z(Pm45Opbvb;O;;b<9
zzWMJjS>SV{LpZVKyKB?29Tmg4vT!6K81g@i$s~xT9QOU1=b`5&NE|7lW5s+0UMRue
z0<!Q&G-9%(v3JqG_Pgbmje4_4of2W-bB!jer%EfJhDYzFdha);MxmLmf-r_IKke$P
z8|cAE4IegoW!M-}a&1w1%p^vEQ@nHRz1^4iWvEE;gavdx3&Q!@oORx0Mb2`%%|H*0
z*vd+Cj2oJMK;KV{(~vv;gex%oK*#m_0GV%*>MFKrAb?E2KJ$Ln%PH9a4~wIUuW6a8
z5l5Xktd4uki0o1jw#m#hz(2dbGG2Lk&+(Yo){#ozcl>+}pG_8DocbptrOo4PivOvB
za-<7GhxlpuywhyzuW(Al(^R`S37H%rd#pgwtP#cO3O+aZ%WP;VIVE^x8bplZFyT>I
zShjLuhhf6(j)G=Z=Qn`2qq1kb)%5sDnm4@9na#P|nyyjw7M}>FH*%|v{P)F2?!EbP
z4)QR7vInzD!nLX&AdE16mx3V}g1Rt5D!cczrd;qz`)G@#!41V}dGZlK&#h1sSK~!7
z<Y2(=_z{+aH!VIsNqO!Cklttd!@(EvVJ0@!a13q2u#Un+Jdr(^8h!ejo8D*)PHXDO
zvZhB4D0Pm?be4i(A19v%-@}yZ7`+F<?2ukzN6aDhtp?*4yx*R2yvMvBg^8tUFk!<C
z8;8^}Rsoh0T*e9AB$o*w`$umB(dZpUZnJReA|Z`MtNjiWiEeVb)?NY^ispPc*;}yB
za^-Bv#WU@l=?T-LtO`p;o?|m0b=(-K`P2&lUEt(>S+yW6k)vGi-m~m2cOfZ~UtLo9
zX)@ua*TWI*%Eb1FCto;S5v!roSgR^cD^4Bjpe)Ho<N>E@n<gWROroY2*Zh`q*PLFN
zLOPD7)iis)G24B#gNZ3$Ypbx%{FHw+hT&4A6>V4*^;=Yqy>cpy1-~E`UYS3*`JMcn
zZF+vu9oIGQZ^?JnH8>Ht`!Ulzm&(ub7P-&80aHS6QTma4RgB-oEFfH)O<w78adGXt
zM0^il#qHz$^^tNtzuODe+^vQ^O0k-UCV$GW7^!iGtcMWiI8Dp(;Am6tnX8h_NlQc9
zxBp^e^evIUS#Mfj0pp7GE-;2cCMKRX7Ibzcyc=iw_d3Mv=xyTFUjZ|=VA#Bn0-6C^
zd0ud}ea8+U)~H`&9y@<u=va~HQnZwdsFavQ%19pbBl47H!nhYZ-q+Fr&n$hjv?1;L
zV%1lIY5V=?=jjLE`8#my{$sX4*3=7ijnA%#XLlMc#W`h%vD_lDzj-1O%q7b{ToNU%
z*{*i+=7%pm%Bo|UM_+W=Vy*rJtl(3DQa8gXQcb%g7A{mzim?V%4vNaO?}=m=!l;jR
zFcw!fJ5v%N#Knl_kUdKFE!?DI9Jz4k#AtQxy0hL_VLMA6CHY107wWhEi5|wf^172e
ztP29Q4Jr-DwGQaw7$HC;%*zP8uAIHA=u88Um+&gfU8scsXa}%%;rcOv(~&qjO}#k}
zGEmFFev@W0(2w0SB-<M|xO2hJ@A@VWe0mHsQ(FQ=e%ZY23h!cE9Pkm&6kNwBNb{?X
z(nv|h@$^2&B*54PIt|Rv)GgNQn?T`DJstLHbHx%E?0trp4`}m_$>>s`Yt?Xow6T)4
z&;_rF5gtzn5X+ac;ZpS}4ho2flhhk3R}=%pABY3h<RjYvx=MhS0j~1W#3GP1Y7pr6
zQ7)Ane4xCJ#8)IKN|cJ&Om4cn%xRaB<Et^Ph!Z~CD_xDN_I{*8Kk0G0DBhKc==noV
zSF{eiE*}1i%$$06U@^b;gXCw=xed}wjf(Fqn)6E+Tr+>f6XQ233wKC`^Z1h4q>Q@T
zljbx3XrOYFJHM7#AP@&j`J^pAGNy1W>?M0H=8BmSD-*Cv&#}JM!BnV>W(5%+znFFT
z!ii#R#%NKW$=s-XmwZ8F)npQUq$v-;o}H>*x|cc5V~B*f{OFfkIz4Pu^%1A>#3Czp
zv>(Yex3Yw*CQWeHLt%VQ(Pg@?heG*`A0<AULXeeUC~N=m3RYtABxIcyzji<x2t8sK
z7qfI^F}QnazQZn$t#airc{vs1HKncn{#db;f2%1pVUwFCpF$y(O>+JTr{_udzj#Od
zex7O?8q8>KoFmP*HV&E<mKwq&i|;8&Ib=+2spKh;S-SklT$1Lvfov3WTBOj9PI9H)
z--P0qy(2suv_5IKnoq}bn34mh1*}y4gTVWIO|tw*;mfw}yju(HqpvLpY$WADWIcU}
zRm#dWT`q-53f_-kGz0*I(TJznCauRGM%B+e&M3$C>85*F?(_E?!nu+8AA-8S(t_!?
z%Fv*g&J28r9dEx$UNSepJGvD9gW!v<HD#0FleoeR2kgZtjwVab`^G(@6n`dkR)xuD
zPCZT^EGses!(BPqu2u;WyVg+uv~}LilFvU9wy{Rx^8JG#2*kKkN;zZHUj_q_=kt*N
z*4a$uBb)OjwZ;QH@7^rff&|n!ZEkkKjK@uFu8RxlKs&3}+GBUkg@!Fu{j2)z?;l+t
z$iv~EkfugBaiOoin2l-ZjKp?zZ+}zYzjeA@M@-Kt+v<t0o3TwYMY%V`8OvkO{`RX=
z1<K7A*=Or;hq<05A#X!UKqT9-Df42G*zIV~JcV}pMGd$(`~Ku{ch`&Ab}~58^qFrh
zZ4Zt48d3R)B3LYIq)N&=+m4`eX%~xOq8yz73qNOK)+qji2pMOgdCs|gXK(+D-|}ZV
zM=5r*tVBY-9nW>0+p6ADVm|$%;J~jvGMa$_$eOpo+=ts@J6`apE2*RKQPG({B7I$I
z12rlSC-thM!l~$&|EtnwF4dswq)~N;QUFm`TFi>d!nXpe{LN3dE_-~e#|p7xjr$Zd
z`Uux{miUl2*JM4^LikK$hmr0OlFWmIv^|hF#AM=g9P?Evm`2xajFUUXB3Dfdp}4G(
zEJk91<*Rp?+qb_fLWh<F1_}7o5RH+V^83hJE7jEA840J)2`RhB*CxRNwBPvGUy%3L
zNN*fi^-nY!w9h>1nW8g(t^eu%rNhn1wOij<+;j;^Ghntc@?51hbty{9@RfM@-6Ur)
z$<RXwDEO$j?o+KKB9lL}Rpzg%fE%P+H*50)AMyH0%l8IqHlJVEIaD{5(MCXvYLdHo
ztn!O+u6bT#F))!fPa^n(@$VPRzkUW+r%rho-NkQ2LH=P?j0O6odg3sSQzwFMP<k}H
zSQ<NJ#4&0R6BGb5GL{8>SFm!<t-cl0<e%~OxLmCfa6#(1taXs{o8q%h14g5kKhwlz
z1Q%1X=qG3c{Z(Ww5u3-HPdu?gGc`CEfLJo_AQf_HQ<cQ)^x3%qgFZ@Z;@eR|?2GKo
z)M3ryQ0|W5lfk<z=*~0lIxS-R$(fL(?!y?8qux#F4zpVs8S1dLElM8%pwxV!3-8yi
zEryj=z)0};L!VlO#@lMq_x6)z2F~BG!H5OabH-&`E4J(NJpb)Cv9McLPGL(7RwQ9o
z+!ssWBQD4*WsotaS45;Fvz$5|msv>A|IzTG{icLC_SGh+#d_?`O#!BLT;slc!|bs4
z&mHU9sOj3c!!)91tfpjQNnagx3b>?L7U|W`(0T@{-N~4~pTvoSLDOA}2b5pk!y?L)
zt>)oZ^`myPxmmqxlGKE;kv?d2f1$jxD<;Z#jB2RNoO?d1ah!Gm4}J}n0xC5RDT3pv
zKVc1L`9spR&)zMp-PQ=Tpqinlq+%`X_f(5TM;c8r5oI2M8G|P&z9zexou8%vROc=;
zolLcP5C<N<5e>NhYn=HJ;~Li;zSpL}r(teL-GIOI11=TJ<@LB|OD}g2viJ8+qogYK
zepH2v+j=rVX{O?`^-ynow#6GwAXU+440%o?4Vk4ecJXp6%s0EW6u+j&@5$|XYnpBL
zY+kv0Ta55Y<1wU^CjCwk9Asrm<-NnciIjcoPQJS#kkOjWlP&3c!B`>Rxp3{cA!+T_
z4hnV4um_J?+c`|3e3|DLo5IzmdPRoDJ@6c~PyXeh!JOItLc6x$u;qwaZQ|H&X2wn;
zZqVK2?6EcF+|6-0ng8_p+%1kc%Ur==iy3g5x<Sq_#wq9=4%Ev^q&WMuSJk*)e>-=r
z?;{;H14p>eRZeU0PB3Z*okke{AR5#Mgz~$}&bQ|2HTSUH=s&%BU%aq@Y@71M^R1Oh
zyoHUwkpk&D9y;sp5@pn8*`Lt#mY7Wi53*rLQ3X4xDQ-_AF#H0oZOLgl<uN_`hsoxs
zMeUp<g0k!D9I)PFs}Jh4YMx=7e<Is{$2)BdFD>DDX*q3`83Zy3%L^E>4}aUBZisUN
zV{!sLKSgS@)3bf!Rae0$5#pn7DPJqx!Hlbx<K&0!&w7se?8fQnm+)LmE@>j$jx=ST
zEr9v<`t2U7RBF@f!Q}vnIQN45A^8A_$Ix7-N{?5WrRg*(XL!(U3j-%o8+zCU3PF_q
z_Ucr>!D3}+c&=V~u#^7Ov&-!rYm_V0>8@pgPCY8#Vnc?<UrbLf>KS&li&(WS_x&x;
zNIK7!T&}2Ucsn9j8ZN3ZNB5E$alo}K!cWH_;BN!oL+L(3qnYObEhnO}@yp>rs<G*`
zcp*CIdB$!W|7NZuA*>(WcegoQ(-P^O3v>u)izs@XZ!eA3MdAeyZTX~s)o@E{V~R8x
zWOG=vTc^|CmcG`bbkFzulwSz}Xh=$xEgcv7E6b6;*J&QNcA~&|`ZDzW4YC9hk?;;N
z$zgNm)g&M0=$L6h7AUbRt*Tm0`Yqf$xBA&$bi4NFJ6ZLCUi|0X+T|Xz#5Z)XbQ;zt
zYyb}8jES0=k_48=_hq8TXl`TCW8!ZQza5?$lE4*25m|@4bhGVugr1{afhmT3SFjZU
zEXr`0`{{^R6*smKJWNx_eiZShvxgmG)Q8F!-hXc@#75DjeY{$^S9MgQU(s`5_Vb}b
zG%PHYhNpk;2pzrFPg|Xwe~4Efmp`7_o!jc`v=Qc)3U!68SN?-2Gstn>K;D(ypqag(
zuu>`VN@RHIrYFjz&V&|NK_-B<Wk%<Fd<E>}>LjhF=m99J^r*9dE`6R7bE+cbLygq(
zgob;X?hf_1Mb-i@FY9-uNt3t|bg6qCA3rYs4DgQ6-g$dXSa`SX)%K_J8&P>2Y~3Mq
zO^%%@&<KxS-R7$&=Cy6amgiG7U61Cd__rLKaYF=rhBZ(&L@_7h<a^G|omY%+x=YC)
zV!=#{Rx(`Z+S~}<Z=ck3|F?ql|BQqEiv)^+>$PBrepYQI%RjioxaBQM^Nc~Ygvpoc
z=q>yLeU46iI<9p`@ev3f3*74UJ<y@pkmX$Tw|C6DHK54nvpgnz>*$<K0<va%bsGUL
za7M++N{lW%)YItGPfU6<48zT%S7AxHZZpDFbAr%&#G%<zDYf2njqbuk|3TD!d=I>1
zsCjjMEh|yHchNQEbpLiZ)?k$4Q>E`4Fc;`Hhy;);F2I5IphVpQ>K1eK+c2T=fL)@u
zB63GdW5lURvs$3V<en&tzwHeAs+szInvs_4(-0UGbZbt%k?e||<nxX}j*a%!yd|<t
z85dkhZ5R3=HfX&ScCL8j73#%rh41#@nXHc#KhJ~6wCyDXrNLsi$C%UyK1P-+>@h92
zPfCt4d{bAez>mEWFJo(cUlGcyZD1^1GVXNq@*4K}{d$CEI;Q5lOB*~rN~NSk=*TFf
z;~X^wX;4onMnQrT%$4cMT(|`pCYzO4S~6YA;`HhwnRH#%@rQk147ejnSh~;m`%!AW
z6;kB6ar+=Q#yH=74O8=$Z!3Q;>470E{)UsXeY)$IF0w9cEqTrq{@_3^>38mA+4_GF
z(!9s5_0npvF+jC{5JuJYY=e6Y?=hA;p&i$#0oz8smrn}juMS!GMhB^r<RSL~kgcKC
z`{8_`{Fu`|!S{?dq5cM^Jfgl&w@*Yt3W<mu2W4;1%Y2r4Bc*$4sAXkKY?Arhf<`v|
zY}L{61SUl6htshJ)VAVg0maryzE6GK*)@Ufx>h(yyA|mQPu-c}<!#5fQ^auHyzXKF
z=XpFIH~K?%yY1^Af+7mDEB`o?K@}81A)pYVk~?BswyI`wa~+mGlZi$zeNhlpQtOEg
z?|X%Y9GMn??0xtP7`Zl9WG!i_q~z-*U_QDze=jwSG+0_?O#h{DYlV?f<1l@dzj2z<
zB1EP*aoxP0rdE+vB@g%8o+wLJ2DCa#FFPLTXbRy-y#a0RG!J#L-g>Lol`7a}zq7r3
zusVjRxP3^&roh2cMNmp}i!PUaxi{G?qvNadCR{S&PuBy?V$$@n`*n?duj-mIuQ}l=
zMO_~LMPe(hjfQWx-R=CX6Arpw=Zmm$(D)lzBuqqwSL`AMH{f^6f&$<fL!O%QKZtZ6
z*?F#yNf-M<mGpB+nPbjtUk1~fVBWNxowAyUl^BP9u$3wQmesN`mG0*ld(dezzFIoA
zY3h8mA}H}2kA|zuZ9B^PDQDx&wjQd1CZmJ!R0yDc)TXD6AzQZ_Fn__Oit}x<-^bue
z7Qz?hoik0xb6dduyJX-Vg58iG@~2nGwVvNu(1M-X09T!1cM80S-7VGKREsYqpP}e_
zQXjh~;UFV<8oMCY3D9^e4y8<%`#F&QNw|3Pc*`H|`Z(!0sSal*05(RYS-(4BbJpo<
z5vEfu);{{Kys%aAVgCwuKi01YDydi2Ln05sX~>AROw5a|e3M>8dp-4>)WV#9jLx%Z
zciB*^O_Nx+*KnwTo;7*rRcHD7B*W4cGs;1IXfR3`1JM@b01e-y`>D7$3PH`*ozytO
zMR4c<<7X3R=*KpFh<P-BwA4aOw<Pej9esq|<mNsl*}rgFIo|fEPE{9H0uXn${Io_A
zM}tV?x8*Jk2s)BgUNIvsx71DU$fr>D9fOt{-W?lE6yz+q1lIE<@C^>=WjrUFW`W)o
z=*JO*wE|L%IeeR59NZ(PJX@jcVX5<7ZQ{8@EBu`bk7Q?wxmSI`v)0|(n;5i7P}s9f
zIMUom1n@r*afkKU9H{Yrbbmk;1v6fiTLt*cY>E)1FDweyC^m&y6j0P%45aD<b@h)0
z%g?P3NqFn5FK`wXmD$k&zK{v%&o^7WI(dRofw1N}Ei_5OFiBz^5l$??fWu_7w)MP#
za*pr6As^t}z(;wxfz}KC)6--N&2FCeoXO@9*ExbM{w7b6Y@bP-2WVboAnn_^leed$
zY1=}z%4iWuZ5;u2QJuf*9B<z`EzQye-a)X9CN!(&-sYcwzcDE?fh>C=+J*7Fty$o!
zDC6P0W<fUdnB8BzwM>ljIc5hCQ*Z=HNth?UU<pahq7-(`rl9{pOpgyq-)|O7a``3)
z3f+i{%M<^D*ly*j@*&xprPYb@xWVgCugPf50Xf(W*nZY4Htb0@1WE3OI?w#0*hoxl
zMAH(=_q3@47?mU8-$?X3E3kD6Q!blUesBD4uhqqbc<KE^2jWqg@kfOI6A5~rhD4i;
zy=dq7xN6-Y8Ivgm$(ruSx-I(q8v1e$M^D!|Brs|D1@s@4d#ie!JofhC50l}WotM#^
zcVzpVo*nGZplYNUpUZWp(Vxp$(96>y3!nj_EG`3~lSOE%)0DrS(ANOZT_DYxR%$Oe
z751oJ3m=4&y8)`wz0M8Djv=-!)`i-SJ8x$gevtJ&XULgjl))$mpNgV0u}g95M_%&<
zOmu^l9-=4wO~+@Cr!17DiX<g#JuGpEbxS}d?L!9NlKGkuHf5~$K*TYo!+yKpQ|2x&
zDFh)42Go87VWD&9E2{8`xDf<#!59OP&#X(rsmj@JL-X}~ZIUXnfvTKWw1h#qK;@T6
z=@+9Hw)b(%kJNt<BE?S)r<+p^a}V_Nn}6|2n9-%z1&m}*x4wu<ArYLjPCX3h)^?ZU
z3wh2B7$`wS_?aolmOsaf9IVtX*ghO`tT0rY!JsoTGRYXwQ8z`K)j8r0G|E%PPICJn
zn6A}8c@nT6YI9LgAR$9ZW1>&>KFxG)^K+z{g<x7BuRD*aO(V?lacgRU(q&SR1lQ|u
zHx$qi44c#FYwyJnp%OK`(%h@l-q0n)xe6&>`AgUt5>_d&prNDz)$t;;s`p)8yj-k2
zC!vwQFlvyG`F1Vfe@8{JV??^?eVGK=ly6vb=XUWR8Nfv{MMSE)Ma0rTADgX^EXu(y
z8`rLhp}TTv31=-jsY>C4xw8CZ%eyv7uyj|UI3p9w>y@gV5eZEr(%E5%W$HzQ>I~sR
z1`>M0_Z{}e1JUxg1&9QB3lv>HbK?7*g#|r9eR~fP_S-p{h7E}PiSGbFAVAudJYlE|
zFKs;<ZqFbKJ?kg3jz+RvFoP}+S)psV<JK}}W6)75<*s&qcdH&#195z?lyCX8CpRbo
zuZb2#FPoDFTVvduFtS^W2hw(LWcTgoaV-B0o0+&CeP_9aSz$8;Gd$;a3oYILmCHG)
zb@w5B!%)mJ(Gr-*J&?idC!?KI#$&V6F+p%~@K(1o=Z8Zy`hKfYayesjy59$Oi*<9Y
zWw0ERRT(3cN6kX)``T(|7~t*?q~IX33Jm2lLdd3vuv~O?#cL(t%b!9-M^wlu@><<<
z^_5xM`dj|HI?Gju3<j>UdAd7cRSdxXu(6f<iqG{v3YD$NCEBE3HvF+<GuVCX<3Mpj
zsu1=4hPXC(|K3Uy%l&Xmpw?|4vrCg@b7Iy$j3c5n#oDXp%3M{}yhBThW?RB&J-sF#
zmn{H%Wk7<x`-zCT&15xj$yM13NjTW+p_a<e>}5N(Z?#{vf9<e>5>+_r(N4-)E2yga
zb9;LU#aE5`t6ICUu(=3EC`P3XCM`r&qw~M8_fFA~Kwr0Sk`B6)j&0kvZC31bY@=e^
zwrx8d+jhqt+vrpGd%gFZaqj<)aqi3aQV%soy{$d>+N<VVKgTVcvhceUJk_+N*G^AT
zN-?;{<tTcXC4((qMxRKBRnqg;7eZ0QRNG-x6zP0oLqp=t8#oN+rLg4tzg7z6?KSZ9
zDg)aGPZMy|5uHe9LpM>Z67k7KN!dR-eC1+RXTU|S(l23hIE2=O{oq4RI!U7rAW73+
zJ|sDOx!XO2o1~8z$X96uv7*H7)~M1Q=~;Y@gyR?+aOWAZNa*H~fiFd{j84)|FZ1%!
zf=TM=<yLvyJuO$GYoBL7JUD5o`8!B)))gds&Z=}&VV<H~11A>MP|n1Gx;one0xQrh
z3y<%Q+v?nK-?6S~$zHynmXP|o7~pwA2WgAvcJEbd{EC{>X)^3}!6kcQM#F5FK(JAL
zmnDgAq$IWRE!?Bq)Isk@+6VjV2!->#4w1h?G3LW<O1m2dPM!NaxrM8mVU&LHS6zB)
zfS~^3q34ek{!bVAP2{E8tgy5vFvQ;oR50%_P~RN{*ZVV(2Jc{rVIJ|T{=+Iy)TvmW
z+>k$SZP{&+?;^8pMZC;Kd^OT_=^aXst8dPq7+rLzMis=M9D?*ktkqSGqMMVZxZfNf
zb-Ww>aJezbBj9^ClB<_9SvQ+kyqgFVT<YrCefYe%l(@Rk93o+i2PhGK3Q-Xl<mX+k
z`TCVs=H>naD-8MijZl?kPJXf)v72I1w^x8+wXhMD@ej=6FSWT?M!z}~6I|ypiB0uU
zY;;aKL&`5o<BS)Ikk~9(#=SpOFQ4NmKA*p<5)yR;%CvQvjV#*Q?as!9Io;SbYPZ_F
zoi*q+()tdGj?K_SW7r~LbQ%b-j2DjXH~N0x_?ZC(L-&0T^(ycUMor#XimsN&TPXb$
zTkt#RH$9<U4M*Lkwa0nbwBsl~KS0@hKlWdKjGNPhJO{3JpC2iAB&MePgXVw$Xc;sW
zac}1X82X7IYGsrrLuie5=dQ-_pHV|S*9)UKx;7`=Y4QvUcIP(ZIc;gUroT3&@;(?x
zwKNcq&a9s{W@veNG<+5{YrD2`HLqjonT9C9kjztgn}ARe;Z>rm-^$TayJ9m1??aSf
zvQM~MJ|3N4c1M4~PWtctD&xpDH6Pv+a<TymOcm3CakuowAeIt7)jl@?beAV#_M?<v
zDx23W1ku!!Q&CL)9-)(!Nm;&AlWW!eQi5Wkgg6c&W@+GR!<33;X?BUa^ii$cYQ~BL
z##f_H(Wb7uxQG~~ap)o&NQ?ar)`yuh38Rv`gkI&$1^Q7E20<hbMp2N_gsW0m9IGT*
zu@Gw(LX<C8kvv`0$RL5cQG%<X2!ZAP1|?$=f5UtM5ikFN5ne7XpW>C}VX8N)L|2E~
z>K|@zp5r8aH`JBvsBc=Ilu(`#c1rE;$+8V4nrQaF%U{bUmYh#EdWszYQPRUOW(`;4
z7z%W~+RtLR5B$stJMLBOaDd9)w-=>+_Eog*p<$C5m9cXPTJC~%hhNFsbtj+fY9NgJ
zKQJ_{mGW9%CYgC**b8`}wxD~c2>Nn1xufv51}Fo26XR|JdbhB1uvn=871x<*Gkg1W
zA!a!_ql%bAYw_sC2RzM3Lp#d0hG>)j$_W0~$A<~l=sV~e!mAPHxMvg4Na^(Yd6s2w
zI6}mDG>wFAftcka)fG91(Q=F~0WABxOkTy%qlQgy3AzSOSQ+z^rs{L{EZ<kr?&JpM
z`GWT!*d5^w&z_bwl^xZZ`o+YELqf5(m?6}8+s!VsEcQ3WpAELy5ID$6zpd_vQom_r
zbDcm49mW0J5Fy&{-a+R~ULfTT|D+cSXQbq7*0JHhh2>wxs1k?L&h0TV53umh^_C6%
z(LPuee;}=gRe~nApq=ZLqbrHtaW3C&PS}_>DW~D1*<=AUZf+Lopjl38VOim6k;vG}
z;A{SyMJ%ht)=!)eKwLWU_jml*S%1o0+(ctz6)nOL6C}YO*SkQZDiL@GWnZM#NG=i4
zkHe%}SUMgdK7&NP!&JplG%w4Kqg_u9Pz6l-JZ*B%csx~B0y9;R_y=_vDTI$V#8Ppg
z0L`dB1cDK{IAEK^W>aU;8qQlO^vATE>+a%gpW=KTHpEZb*d}yP8dtf`Qr_QBN-$3C
zNe_3H%1z7MKI78)XAi%;B59^Y<RHZrwJX6YD-QPlpaa2j3G2e~yZ!XH`|w4mKF&&J
zhRxVDQTG!zf3mwRABB$EH}V;k7X|%LxKw|dwW&EoLzaM~W42Q859T9*ss1)v?Ge|s
zk2gHZ2^^cPo$V87%shM!mu%1m+q$#iV6g?g+_U2Gf4*U13osRq|8$EFYepSw(qz|Y
zTX?KHX|^A@d2`}`=TpQjg8Q>L%t8BSQa5J!0vYFJWm=j|0bW$Vu?$-@cOMx&%PVP=
z_6?o-ExD`(_N&C|TYxxeTMSqUO!~!k4yapfaxY(U*l{ZC{wisA%fi>6sw9g!fBs5X
z@G|y97cNd1!lHe{Z=IpBcwA7t%}J7g?D8dc?tQnx>ImzQI0pE-7bvTrv`=F@L<-Dr
zyeUfj#erqg+*J<MD0y2pU1pj;?{$4Ub3o%gz%iER9C8HxXZ3B?j870X_hvaS>Y$*C
z4wu80c`#FBHe*+ukdH1=TLw|yt9&7gZvEk}aY>EHJZu5vKzU|cVm=s2n`InPzDMXK
zHNqeFOYT^Z&Odpf2=Z2hh7N0kQNW>VZ}#|}KXTBLq&jsp)+ZFD3iar2X;jFNy}DCi
zqp%n}aL%yn1+cB^v1fT+W|@o^WHg)3x_M`|KU<3c%==qF$DV?rT8E<3WK>=&f_d)M
znO%7Ug;wC?@gr{`N(~g*E-g>a1o%BzRA?8rUreMF27aq&kIdzqUR<GjcscK4mv-yt
z>M&k8>vwguc{dzsRJ=&l3DQW_@QkowVuUl3kC^xqhNr~Bh9pXm=Zc!P@Y-9$3IH!H
z>D;1gu{UboxLQHo*Mc6Xf{Y?x-VXUXTNdt~uT*}gqt$wnT>~548feY@eZO(H?@_Le
zV>IG;JD<jLIO%CT&1*K+yNg#}DX-7Hx^0g&ooceFKfxcjLqH<}Q7N{QoPNPePP@7B
zm)A|B%;>^sJ+J<bvK~au02VC$Zw>+P>-Ny^+NONJ6ZPsuX3IR<E#HAH9{wcBz~@--
zjz1HDhCS*RXSTs+;R;Brg|ui(Z;}awXZ`{`Cb{Mre8nV{PwL(jg%5f{{Zo*e=MJ<l
z1YFKWuHRc?Z1r5mla=1Y2jttpqm-U)DvB$2hoN8R$YHXYg~!u<L58{<_dgH<-pf&t
zH+&uL)M74W5Es+9$$gZavS;u0E*ub|$tj2!3?^t$h*b9%oO@XYqZI4IQFpKrJ2)TS
ztr|8Q4|)_6fT~F2E=sn8nX}8lWl7x<g41`kqX&UB-1U&3dO6tj5UYzd@Q(LL&?1|*
z!Iv4PZKTp#%a(re=F>tWl@j=Pv6g^)9_q*~dUjxz4qXX(2$|Nj*z1xH>Qo$&w|QhT
z6a@2AF|cym^4%-!>>fL%@}d>}RvEn|T4N$J(a<hYr@V(I`7P3%Gp2=O0E$Nz*@~y9
z+RBt?u2B1P{nF-vj5j@9^B-8$PX#pJ2LB5*p+VsQ%FDAp;%~+9^NFj8NGq=jq>02T
zs1eWxI*t}s>fAJHQY<6iOa<ZkZA)dEY}<vWVgEi2Y)|F+eNY8mN6j+AdR07MC3n<G
zpAtKp=5Nq8b62(Sc;H1&k}t%PoXNtq<P>4GwW3%9^%Z)IB{xvZiKGp%j2Z~9`$j13
z_b(_7yozUS@r?zvJ!;Qgzgr34pDU6Y0xOfeA}cO9L^w6!*3sD`cvs<Lb`0Y}qK-{k
zKMead!Y^VZ$!68nyGx$B46uC(FD6-eNa=^dShuThmDS@)Lm<Zj+bFjK%fVO9VKvR^
zVSm2=tf(QIi6Lxv`cdlW#Ub|9F3YZ{>T5b@4}6H)#Xn<R+SH+GiS&77FHF#PR2Da>
z)S0X=+kme^tZ55{(^=hJP7nXJp|ut~M7orQ;E&v3*#FBpYW6Kg1$zBc;8E<olne1~
zRuV*f)@Y4*bBCdNm!x<%_i@<pA>5$MySRQ%O8?O}!r1WA9QywUTiUe+Z~A!Aq6P9c
za6wkaUJ>?v1BF=}04DAN^wGOMd{sUWA@_B31!Gw^v)lP$o>H5D1ojyj#U<bsLO{W2
zuGvf}RIEDS3OdZ9H9NUQz&gv-2-*^!+!pc(*VHE{t;5^42*pRMr*T3}gRPRG-x*cJ
zRgtvE1lm3B&>~O^mZTi~dqb-F`n5cmTzd27rB?fzoT{1)>`v3%LWX<QQJeD&Y$hnk
ztullVqD)VxaLLg_=7)3qL2qxLb<Kjfc?!narkMWKMH8R7+)X{71_n#nsgi4%F(yT=
z+IxB|OLIxKy4Mm16L#3!P7o>O#uExYBsKwBE2I37_~;YUIW}fvEhOar7+(p#`HwR%
zC6frN)Dx}%#Y1Ev&8KZVkr7^}HR1+@k6R5fG%TIMEOg~NaO3fdU$#VCEOhYLNaEeD
ze&gJ%Lsxn#qqCVSHp$S#B<=Twn*+jt5wG;7Q@M@)kilpk{5gJU8>=Vu;@Aps@gzJt
zj&HUU@0#8gRb%;QP7<i<ubb@IGwnVAjVlQOnKmAiU)G%gH3Mry_2GKaCq@^;U%?mW
zQUiiMQB=>kOfc{AzcrO?IHM4${?b=9=_{*;8S;PW#F=h#bWU<Rv1hko`Ua6l_s3Mt
zw#Y3ZbwKb#VLP6u*OBozla6)%0}Hn_kN4~q9d^pr++-dSIK9{J$pUQ%_BNG}%k=m|
z8Wb`<s*yIFf3aTKok|>wa@1J^4{>a+m4<13mdK0U%xIoy9D`$ZbjuhTHa98gro4t@
zZIZ!*9vil1`&dD^O3g>okIfR&i2>+K;DCeT9z*e&#+I!q@Ppb4S1@2Bu|^8Y=OZPh
zk#DskD?I*D*#cVp{N{;g{%I)~Hy12594Q890e_16aVhV1UdnLXDRFJt?zM+PgI73V
z-GoF@pGI^b#DR8B>?DOhJn0F(1T?(@E&TV?w6^Vw(T5sImSO8YD|<ZG;f&`%(U@r2
zUaN1)B5i!IH8lA}=_HD+DH8nCXtKe<tq;4;<hGG9E^kv^@kJ|e_8qm-{7Mz~!AngK
z_3^TzZ$02Ma8MBQZye@38KI#TIq99{$5$<T8_4jA6pD3r@O0Pb{(>0K?lG~tS93I7
z`o*IQi*Fv1TqchPywgr6)q$3s;eOmSj4%D5Y{+U#j4VkOjQj_tM5R)@s8JwvGOlf{
z;w|a$cgSPx>Qkre-p=aj(((8~aOa0nNxrZiXp9Y)BG1{rF~3wqKAcj9Uy~lC^wS+%
zX9(SRI1xI?+qzrjx;Fj#&aQmtW49Pk-2zz7Qe>*HuIu?~vmm)t<}v>+QV$pW<aCa<
zNWsSpAB!2OP|HX!jT`gP`}-JP;4y&^o6>&#!aJg$4}foanVVreumk9KKS`Os)om$i
z=tO?ht<AF2|B_`Y7nddWNU{5d>GMoyj(m>QIdPsnussav+Y}L`;4W)-kAQp+2ON1|
zN5ft>ETrpOp&zTv`5r-g()fF%x;Q}*?^ki=s%tBAidAQ?zz*-nBqw{GJzdx0f$X5L
ztEt+)r|tL@HgjDQ=Z_IZpRy~0zOK=QMFwZ$KSrrto(#O-w$y#XqUg0M@sq|6z6`;l
z!9+BAy*!?hg4M-s(e1zSTxi^L_h6MxV1{oD0V{hXDx2?ENbW8%b#OW>@mNUpT2k4A
zm~4Mk{{w?wqcq)5%I~|y6+b&=H1<()UpV~?uRMTZ!<kmNXnDlw-s#0}fgfx8fl;of
z>}b*66uF3Bfy{m@N-#1(+0-Z-|A^FBrZ2ejR<-Ok>@zG_q)w&#@`GLdtjFf$Q)SY-
zp1flvx3V6vc9!srcVcKm^AuIU7t`v_xv^wJ7mq(GU@U$TcRPejiwmFCuuj>jYmlLo
zO0k4(_hE?h;=;9MR!{ClGb(0oiC}@yAYe1pSZnU{L^;|U6wdNE2yZs}s(z&o<U;E-
zsh(QME?SK|I10c0$n~1o(w}NM!puzL@z_z|F$lHkY_F~g)M=!s2@_j;zEDC@Rx505
zWL(pZ)VSdEWIgIt#JhV0<_Q$(pz#MrNJ9SAV2G1*IeSZ>_Z<Uyz<erEQu~-Cpuv`-
zkRt~$RAqB*8qB}fkD`)}EGfzHN|!+ri|<giyzig$ri`aQ>RGhDU06doc>)L`shV}T
zeiNA~*~oA?f9ErFAwrUJ$hw=&(T1V{^{~vo*Y{z!2Yi<H*s9iQjs3<xHM!@eZNH-6
zLpKeRv345C<~2@x8fVROMMOfqMaHL`BlY5YIIMQK5z;J~Sx-*sA2-Tj?cL)ZF=qHK
z4tX{|E%hXykkF<E(h%R!?q<3bmuu3+4N|c=wysN_%SM_KDB8~)QC=x;^6*E;)L*$B
zZ=#iso)Sjyl)@%VM{nkOW7MC`dwa?Z?sy11Sp-qbM$PkxNxD7P6wYQWw^v{3LqwQ<
zt|{c$W;LM!#F^gq6zevkmG!~Jy=koa%o@<AuhKY|mz`6D*TS>@h(=V33;;TP`;Q$`
zm+@k0ajNCHnxN1_b&<Zj4--s~rK4hrH7-_2I(in4-#TlZ%6XAdy}vuMOKHlqDX#I&
zpllQ+44VKV$}kKI>n8&VXR{OOjH#I&hb(6K+q*Rwa{CYyECg~vP{j2pe&F5oW*=kG
zc;A$?x9W1pyOy`0uT1Wxz(<|q*}Z^1XOYfm=R0d#S}pZfUuDu&uZF!vS=eXto!#q9
z-FmgSGq7a((N*_I$&G~K1!><ZzCOh+uii78yhV~Ua-<4Xfv#WNC=F6DkDE+$NX7Ud
z9PrK_UTg2t(OX-UU5PLxwhMtLuY!S6v-pI_8r)ib=%~4DY&o1xRn77z?EZu-3M*1h
z*Aa(x7Bli_adq#G9%gZX<HtL*d7ZCTm;2F!C+BMfW29GopEYCH^|<PG*^d6f^09Zf
zy+m7_>yx=XqpoU)AAoY(yLM+@5%Hb+aQi;Tph+|G_*pjV?5txV|3XauhInY1*obCZ
z(D0s1)+$yKJw}}(TPrYfkm0+ZfRj{1c=7NkQq_|+vhL2QvyYwzw;FzUL@y*)W-%SP
zPT2*4`43y=vHgb1p~WaBWlht5#FH6m3}&?S_I)<<Tt@WCvbw=TZN#!*8`LM`S^bYD
zx9iEjclP%v2565)zAFZZyNP98irqb<Ra37XJ2CbI=NB_O`t4;-UzLiTuX;U&xr9%u
z<6S2_|0fHDPoFkT(I9NBnNacj8s)`sZqKXP<!;*i;qEb6FZJ2LXLT=OAGxAio+mI)
zBjfJ22WN+Wbv>uM$5G+vQ!UT+t_vv6CwNho<UZr-J8evxwas8(Re3@a)PT(SI}BAV
zB)H1uGiYj$zLFbHon152(F~UMXFKu7>o~~>NfIWW$bVE^^SK`XyY+qdOi;&qbl}C_
z4XkV8_4L}$nS84dI6rcGiuCYXSERVkKKslZ(%|gW-PHih0AP$s>;n)eD&T&opT5In
z4CtsiaaCJ2u<cKwsbf2czTPK_M~hQ1aE1IQ#f4nNck5BB$L~u>GUvlbYM9rA;q`o!
z)#hs;ndFxaiq2QTJvF}gex&ek_#9pF>zhxGJXm`?8<@G>Jr47xJ*xPuPF!B1-GCNd
z<;w4JFaIY;4E8^%E>a24{af8muMYw7{5KDYenB(3$LmQ>yN}*D3Xn>Z-zutOUYg!~
zzS01j-zT@cx@Xg3{;u3!^-f(LokzMeo)y2>rEG3c@BITa<;&`I{*MkB`hQYi5+G;c
zeuvBBi+7ap!%a+}@08a0ZmQk(s}F(vm$B@AZZ+e^<lg(8+Oy?zTKl7C9wY92&B3-$
z#^&TI+Lghw^s@nNTeIrm*Mujh_sM^x#x(y)eZ^p(L=8Kgp5MG;1fA~TLVl(<t@hDv
zcip}5Wqk~#4fAUnw4@C_A68r~UNio;g8#RI|F?qww}SsK8p;1w@c$1AF6(jm`T5GK
zbpfXl>O=t~V{5r(1z^{Ztde7w(#*PU4C)69|IjJM^5opG%`i11ny1cigx2};`tY_V
z&Qp-t&77~}u%l+~)tE)&X?rbbBL)V}jEx15rdR2cdA7a-*=nQR?9m8B$FyrCZuxV6
zf_NP&Lq$``_YGD+5jWHXV=s{V_0pB$f987qUwLDzxxZ!@UqwI}o|S)KM1rsA%b)F^
zA${vhQhOgf#TdFbkwk5T@x_VKET>=xh%jTmO>~R1Y+crPOoIen(sYfswF#%So7b)E
zBhE2QQSG-nBCU0_{C;Vgi6rdWt9HmPuvxB_>D?^k<3d*bKx0UK>rm7Ihz8kA>@{pQ
zkqErS@zRX#O-`S#3DSD`R0M!56x-Y>(+~vO{FvDF=6GD>vtVp_Qt@8i^fKRZ0pA*9
zf^-#^{-Gzj!Mgtyz>l*2<I&>v>{3zxaCW}FsqhT%a@kVW2&uWgqH`sKRQu*$To=|1
zKFFL2yp=hiAB<%Gd-MQ2ld@5m=U6B|$mTVxUU<L6aWcCDM?nov&3p$?6<QdFOl5I{
zsO%CGl}`e7B(~<!G}UlyAh1Q~n!gsu7s@q3M@SIV!|GULzAz=j%)U6X8e<Y~)L=gt
z-Pfr{(1jv(P2u3UHA!Ea+Y@E@4MW{_cejv4ifE#cDi8GKpY3V`el_RZ=DvK^X7#Dc
zP0!1ftV$IdHsB1+x;IG_8Pu%4AGk}G{7n5gZFH>_)e${tN_Bz8syhM}i=fHOQ?o(K
zNsc5~u9={nfXW;cebu@R9EL<{A75n(gqHnI#cc-VUmW;LdAfB!o$o-gHffL|vjTQJ
zvJ(mLYp6m)5tp)24j+zKoAM%<`6u}0Zo_5720&@-bC6jHi-j}snOufT<0lyXTDgE=
zJpma(SFh(u<=IZI=U?`N5*6;&6i<d(V^RE>t-=VMRKv9tR5;ab>1~;sVts6{Z%;Sa
zgny2Czqisij|5|5EQr@WSS)AZ4Y&La)yy)Vp)Fhto{7mMPa^xaoFd<1-R*21FW^3J
zDIv2|NR0x~g#s~6P&;~4!A+`??BoZVl-bmkh>on49s(ILn;TsEe+)?60>eCn&cLnD
zR(LQ!hJo9dg2kfce72>txn?r$F7<aov6RC#2VXBR?U|<NQ(i_~<8xzyOkGB>qj-!Y
z34i@NvH#_A*-1q>aQUY{q7hDQ*9XQ7*bx+H^70NhWtv)YLHupi>^Py14ZiUQkHQpr
zF$030N$@~^rsG2@58^~F(@3@Jnw!S9m5>$TU46zdukn$j+`tgN6q5?tU@lxqMD-Kv
z2%s_;``03*uTLAIrYMUho6b=lx(Ir&{OzMz$RkY~>nOy!(?75y9w8oKrs;oRdG%k}
ze)rKmhVi@*LiC$MD1!DRU?9r@|2UZ2*P*{4Wew^{#lrt#`mP(^E_{`W@#N%frrRpZ
zMXHqjxUJgA=Lb85=W^w1R>N&)L6RGP_7gu}atLu+QxgrrK@-cXCr#ePR4?Koj1!+u
z`=_Gib8h&~)nCtP<(`poYUD~~kkep>C~U2jGSf4tMy){8%eMBo)nV!PauuRp^EhQH
zANQ`Dea>U_g4aTn&B}0%(ptxMYz*vu4Lfk>F<qNRZi_`h)oAUlCUsSl9``%AX|;KP
zA+2(x`WOWcw4rK$srBS-{pN?ylLXI*b9srZJO(kN!Nx@q&(bJE4{c5*n}9Bmoh(a0
z9z9p_S@@MA=1+jIu}(V}QqM%FnVQIN7$=I5yvMVp`{lI%3^$vxdXcheTu!iTK;A?~
zBVvp`?UT;{K&29wLr(bJ?{XNy7Kp<Qfm-Zr+YBYlbaw!9lgitV_hEdzxSA~DBOShc
ze6$h#J?QP_)OG$l+e!uGH7|BOa#Tb@vxxV@aD@R+e!dWf(-w;tCRpb!p+J11i{XI)
z7yN6?8?ajoGSqL@!dlWiI2_7K7ux9x@8iS}oX_DHTQ;Z4b8h1!^!;+hN?*ahrGBql
z!s47#o)L3WL}(P@es(><7gE7mf^D71Ha%|M88$lR=SfiCA|JLvg&%3&K7HIcO@fqj
z9#INt%5G<3PLzgj2vxs1U(DP)>UIPiwU6J$(CB$=*iU3_FlTP8U~Lo$Cl{V-D=7{*
zo4OHeq9(o2ApYqy^#6iO_0tZ4`PAEe!0&qYTk`e82VJ*6lgjR8**!~IJLdkbz!u6S
zRaLRbT0yrQ;ldykV~5828;UHyqWL^zXJg252jaJ+8XT0aZ8C=v617`x@am^<>Yn_X
zTbQM?p{KE}(65|N7P+!N4b32q<}mznY~FOJI)9*Egl{Sq@)v8AB$(^t?>CLISe|y|
zZYl+z=(!#{hz420keuYTwUiw&h$RLFxsAcfoM43CJwiUCT9Cm$Ub_R>#V@}~(;??2
zo%~ULgD>}=6tLN)%z8PE>)uxlE8JCklK3}S#Vz*)LzEG)6v4-xOOu+8etMduIUp=K
zldO9CYO>9~j`jh!@9L&$VRRWJ6FVU8(8Gm^DcucOjkjBV;1od0>*}sALMT`b5#{4S
z9ZokFTV|ieF!#P)swNy9M7+}4jWX~!@eum34KtI$9IijIhST|fWa2;)UTqs;TYQrb
zLGOBLMEd=7g=pN<e<2Lh_H^Nu_Ih@ev0R?^ry6=S3xxL*_u*B-@cK-QergdAiYfN=
z)9os+?Nfw2H;eHvsn_NT2>}fw??p@B&mW6VKNhC-Ep2OEc-RBWlgQ4_rV=*-YCI+S
z2P>eBit@3LT71O`eJClRk`N5TY)#W%PC;v0Ehin-67{|F2yRPx?pPabrxwZxAqqDW
zqf}yI$>%g=lCV<^I0;01B`*&S-aY4wbNU2a^}kg0ch3r+1f+QDFMt7SkKFfjke>#r
zYw@#Ibq|%_HrlI$W#kk1M>?m!UtysU2~p?#mNPeiBb7G<3j`;|NtTuf=VP{~W;*Qy
zEFN&+-@Pf&q{=o*X~@zWEjMc4?0+r#w85EAp{-ugCx}=$;K-b|R^vZEV_NJlYW7hx
z$=z}J_HD?s&Z8n1APCYgb!Q@$n$t1YT-Vh6=rQ73tYL_hQ+{_1A%6F0%suq?PHS_J
z$-R*J)<pYl%O5r#=*BP8{p4Kr5mRM7uH$Og#&4ZeTc>UJNa=-amGV~2R;-z$F&2T!
zV*OZ}ijs8|otR98(1zR8ms<F}Ik0aCsD+-}HBsx@ssWoPUAR^`PBJx1_v2C;K_yIH
zZ0?oa+Xea>LfQz?N16h<D}rm@{51j3W5jPH)*#W_&se_cp3j+`D_ZxtF!KQ3ajyff
z&mEJr3VlQS_PAGRMPv2*OZ8dv_q)P;BrVlD{Bw&!md37Cc5O^C3GnQR^06Hvf5~T}
zKpRDV)N%uh9w?g`3k{i^ZK0tnWOyqKwkJS6HlCL(Q4(JIpm=x=Nh&vIkf&>!=Ha4G
z^GMfu_CwW^%w>ZbqE%hudLlY8GwgBi941XfGD+$8u|I~LPGXtD@OS|~7PwnCAo9~a
z9g7?6OM9fPCLK}Xnd%o2Te2q>^LzF02+hc`-i>zV2@db_fU-|th3?QQ-=Lvn(IJt9
zjgGd32?Ga*yW*}u*UAUMb{#)b&o0f!LcQz2p(kxTBe7;M3W~eiHxBwurG!c(vE||E
z944~kY7toQ-}-W!G7=dx>5I76b;Oh!CA><&(;xK!HF|!lMuk(gs8Nb2$~FqHlvs)$
zfez)ASVg`9jhN0)*hqD<Sm>_9@%<nl^P~2T^HNwRT`&7+On{@n)MTwzc6=svMmb%)
zaWzJDppBaUP|#d_FaH>U&%iT(cVyrcX5TX?Y~AMj8^!Ni74EFi%A<neku2r}4?lb*
zIRZ>=t4r&yKDSI4xM?_8czOeRbV2Z+qBuzA6;w8fDXl<6JX|?39{Weqzgtf;HH#C=
zS6N1~I@$d;3dkEM9O}U(H-<?gF2BEpBkTT&$wvA`DGwPWoGr`IDVc41N=Z4gI5-$T
z@HI8v!pDAM&u39SUBj#NY6d7?ujL)1M@j=vYe$j-3)Grg`nHt@6(A(I-7g6xd5C6r
z@W@}P?}dUXck(kS%}8&K8YUk+-ZIt$z2=AXpu<qYH~sQf2SOszMy^&cSS(h>0<lDg
zcwvmYB!sTd7M*FD2kxT<J9O*t$aI;K0(KpUtncUA{k2&$^{>eozl`d`q)B&_!Z%n<
zR^&N$_#In2rjxcKTe8WU=;<|cSfU@q&vg$5drsJ$u8}X(yvnKgBi?<_w-5W`)_jM`
zKjJ148O{U`<6y2}4m~)(A}*=#cOxJXu<lbquOX`X31PAXhIj<78_VV<MZSg0YKOs}
zATU?scx$I*X_tNP+A8)8(Q<9wq@8tkTiHV;RE@k7e@T6FjjnZ_262?8DWxS|W=(`B
zZJhF-OrJI$P4*$CNe1T+(p?++E({<8@M03T+qQt%79}Sado<;$$z8*u-_Kf!S~_mB
zF}7swt1sxCGw>hSt)Sf(?LSbT9<<M!JNoV_ct02KWx!>YUj?xfAZ-|oVN}At#!)O@
z4nK$@3h$MeA><u^Fm;awMrA0=5rQV&-w&xXA;)vQVB}Ozy`61q3uwtINg+dUF}&5(
zsmPsBFVG-1uOOF<C$GnDEhLMs7VlDNU2<UN>ln%KxzLBmb7rirWGY)r3(%IY;($Nd
z2OP$U5j|NJ@jL^_#E|?NVBY_M86!TC5&i?)Q-}HbP6Ub+FD1>Y#`ucf1TR;S|K1s#
zey&;izC}yQz6xpQsy3@BlgpO$GkY;Q@wa*aX64(<!PI5)oD>%ribP-3!Um_zNe}n0
zTF>SEGEa5B1R<>!$+MjSaMd_$<<QZ`;)KS7ukMD)b{H$}1nXWwIvn$lgN+W)UQD~B
zC``uT^EK8{qwzFfc^nCO=s=uka*gs?XPoe@vdU1k@6&&_qeW8GiM1w!e+n`D0;*97
zrm_l#ed`c?u^X*u%k{h}(>gsV<m~Dsa8|Q-Y?KkRN|q434<~-2k2uaXJO@yz6J%L;
z)MT?Wv0DwU+OkL=#UZ#a;-2_;pdsYLU%Zo`SgS|U_m-rv2$pWO)cW4A&yHp%D;QA}
znY6BAQQMZA4=`IBV5iG#_j}HVJ2)fO205i;#w$=a7hV^OCqi=FsbjbbtMukINSiHt
z9zFSFnvK`V9j@Q~Exs9IjC0<cN+G;ni``AV-0hb(teoAiJtRp4CCb(9b3HG=n*JZj
zH~$O%5Fdyp0b=Ixo&MJk^#R_lCvk6e@9fQm>P(#)b~Qe&!kFBY4vT{Gf)la9Hxo^P
z2Uydg0P7!?>?5q7T94rzN%mwqk}(bEoQIF0!`3f7&M5u;7rG~g7rMwc>|IH|YU6rI
zxNb6Zz<do(!HymA<?kK;!2G9LkrGWDXICv$?Fly{u^InwdnIRFBJdM@&upYq1Odcg
zX(Xev!B)K@%h{~rA$G`fGaN$<W?0d}Sr+$1VX(|5mmp6KMNg#7+g6gNyd~e(M+XtG
zy^_QBwZ@19-%P$F))~;L?rf-U%~6t>37@r_?$IGxiZSEYAgL|e2n$g?ft=Bm-kdX-
zAmOLWukXFvzN>y(^j!59Z>kfyHAIjAu-K90zQm_heRp#e!71c0-S4WydxkTp4=u-z
zV<*!#-Aqy)tFcImU?GWHWq8z6R9t_}N#gn8VrG{PT0Q5~c@(;?$2A(wWm*w4R=GSB
znG{A7UvFnPSDEFo!7G9$znaOK+66sA>;rwjTt{DkuI?P@RhOsk2B&WG#=00?xng>@
zH>nyvGSh~UcP=g_?uQ(AV5pU`)BIFpp3j_Fo1w}P?VCw=7(kKHqAvS5gx`m#QS{1c
z7OSVz*?qx}+p0@#+tGeqzQkawS+b_Brmgi0x_DyS*xuNW9%0h1YPbqI^-`S_1@{~2
zA8=`?jCht=z>OxJk{S4Yiv#PySUY!SW8)<yYfV#iyHb%fUCgh5Vwfdx-B7I>CR_ac
zu@O`e&{O)Le#Z<MmE)-|ce%C*Kz)|HIPil#qg{&(O8Ps_4DPn9N{cm6Qz;1*&0JzF
z*OB$uT1L6jR$ED|Ckq6;m>rM`C;u^F`Bw|2(ZI-Qi48Q*T0S=^YXa@jJqmej;C^)0
zlp640K>X3r{4;-qr@JML_V4m<1MooeP^~yUW3NOZS2z(^|DFO?W-F#4MFju*tsR}n
z@oB?4+#ZWpHdWSba*e2YXRFu(Mw_wfg&L?FZARW7O>fpXF90&Ex;(q>9Y6v(z+XrD
zaCCT(6scAUp*lF=IJ#$PpSs;#R#N*fnhU&}(_{(J$#NE=iao@q3)u)`Cuwejoj@&n
zhK^o-A{>UOfr0)Xr<Ub~KbY)mrlAdpuX^KN_y!7#fDV;8HwEClWQ|^k^7J>jxJdc|
zh%}9h@C3SsM@o9N_H7lO&m+?)*+hS*7YZ!ALtAqHK#);9_df210lk?crSzf5Y<(mH
zSYQJ`a53F$(61A@nE9bz%PP<-@llMakB^IMWu98&<uP@Cuu_s)D2zHTVTK;?q@2Ts
z)3hmF#LBxXmwwbkHG70&5y0MLWpgx$_Ha~l#odTFhvJ+QA`FF5wQ`A$+b5#7fsH3^
zL1Qhi((jynHXlC|i}t3?hyf&kgU`LUX{L)pR;v==Ut)XFZ%Pl-Gmnk#oQfDxF0q%M
zOgGfphU$`$Nma-2ES8#qeZXaf!2C(3N31=BJTKk55Rr3zQnPu}&3hvY9V?q@!a$g@
zr)sf|+HHRPe7hAJ71gVu^>@;ak*<A@dX|B%=v<bw(sSj<v>C`}TF&e@p8`414xnlh
z7nAny3kH1aFb1ZQ?en(C);{FonikpRwMbfT+)nAxc`nPpOt8nfR=&~8A2=!f11pw;
zE!yYl94c*%#TAj4<*H!ApfWh^%@-#>+2{Im;bpnatT%B5Xx-?^#*eL$^YgCX1zXqO
zE0i}ca7K&G0${6P)Ftqhkd;xKPzn>-1}0daOsS66d_0lgy#6{gpZ;~kxtbA2$iU8a
zkN8n4GoZqZz8q-luj)*#Zl}n8dndQ}uxQF;dFW{OJMl?rcx!r^VmK_b@3G5WfIo-N
zUiyX09=idBr2rjUqi}8H@)6~{`%?UiHpFzBwU`XybDS5Gv960XPtW?v<NR)&F*&o*
z2I>CsRR@wMkL|`z@}dnvDJ`vA8N)lR!gW$ms5|K=pFS^7uekzFiH|~7fudohvex=V
zoOnC^@h87mj`{}Px}jEnz5yJK*ICdv>tf?RV$FAxSrBRwX?ENqx7XY(h6DYbV|t|J
z#g}JOf<9a33XYzK+fwVrwq^fO*faIu$&AbZ6@y<ox!u&Mm~Vw~KOZyr{K<sEj6rQs
zN1%L#f?cLwz<kIx=Zj~dQ;!(xg&`SW)1><-5MZiY;t5%vpJTlVUiNp=<EUHjHox|s
zBaB{ynWSC})HGR=k{oPJ&AhyvzzM5<BTz|;#H_GqrR1(_sBKZp(%Wg+AtmCeM0rRY
z`=W2IM=dWLr6Xs}MCC|c8%qPBv0U485d{&`f``*2I?ew03T7R2sH&PT>Ku&|aPqO8
zt;_9toM|~GsptA|x1VrU`0{}=thuB;->>+y*e>l3+aB39#LN9VOwKhHc3?W{0peEm
zY-m6PlaL4Xe_(L1`|slLZvViTE=vaPv?$Y!1qo$2Hc^bV#Mm<kh#DwY*zd-q=zoW)
zYsKWFiWi8yJHDQA&&C+OLae*3{t9_vus^tP(leZl%e7;FTqj(*>MY#Scg`5}N@fo!
za5zI55<ru2gZ~43Y4gLt@2A<0Y%|$xxHTn0T?<-^#!E_VGfOJr?7Jt7cXwME?p_AU
z94&0#CU&mpQrS&9gh#RxkR8Wot5%+5JQtc++3QgU6Z?~CEfBY0qOvFVuDb1i-le%E
zRI_d?Y18Ts2n4l(rsGObx;sfJSi`Sjl<|?+Si^x%4u!5N$)jSO!?cZN0`f&+2A)^E
z-Y`+6{Oz`5&KzOn15O{9L<S1tt$&@>R`r0K`kLnQTgerD)(6WCwJfbQ^xUC~`Kw5j
z`~@x_-Hfz#X-@csffmW6P3bR{?uniGtP)Dt!e<SKmlxGEvS7{5RR+AqA=&_xALgdQ
zmQ~UrT9D)z`H>*3D27n1M{As3))Du@fi362hjmV0u<YS5!Th`@E=>*xi@UFBT_yov
z0ZP0oI5MJiMX%M8w2ems!%(?e^NIt4$FYc7p#=wK{f-_)?)&{tR`UL0#{T22cWh6Z
z-h$=XI%lZf62pERpj7TAm~M(UY&w_3{GL1uiX?s92rUpr#p$6eFAABd7q+bPr7hA;
z`LJvZ{NzxY5?s?)&=sTm;Lx5oSFX3?0i(RSikJ7>x&P!MdKt6a*{OPQW~kFylS{?o
zv`UtEvaRPL5@N)I)jo4g03D&Rg7$W%Lh{Z(uqj{R?M)qwd%z`anymeZ%(<CIK^Of1
z3DuNGQl^NbLRGH$PDD&ak4q_1C|H8IROphfJt6;*#s}|SnivCz(@gz-S~#}7x7W=E
zs=gWb!`XNfbolw9QCiM++ABPqymrD&u1FT=>2A}niMqIO{IJ&6e_*O8+RZuZI^$W>
z{P!HNU!v3Nik{VFd<;8LyA0XpMWqd3mqqZ5TTipoO4}315H82)XZ)!dRu;Ky2RS*I
zOzT;w$ZW8c3ehc_%4BdrUd@wK+mW_coZJ9Tg^ShA6bdVzuJY~$oWjN2)g10I*A~Vh
z6WmK{n@xKC9f;UCV`%UwagX4DNAN}dB3cg@#oSYqmsDNvPy!*R?3qlXRPjff#VnbN
z`8XKLky+nu#JKBSox>v+a-dDF6_3cSCP42r4vbIgdRseM(eIJA1>1b{la?E&ufnVx
zASI%O4shZjkaWp9NV7eb0}l|-e3?B|4=<$pBaLh1g`aw;r@Q|{S317`M*$aDhw-jA
z20`K_a?o!%C($ySf^2=R+((^Ru)ke0#oC%;Du*4;<o3C#fv$9<u1XDnx8^FSbyU|N
z7DV$Eo`_##AeS4~qR;+J&iz{4;Enl=ldS%AjbfBHa9^8sovTNAb=2EfH`$}=Z*DKk
z*`_kL?fxY*Um7RW?LROXfsVF|zlXl#Mac_-f7<9ZH)WXk`!iKgEMj*=M@MSZ%+(9p
z4L_~WpW)x!2z-9z4Q67kMmtZx$pQW*1tB|bPaUz$3Nz@oFKw$x)f#L17HPVBsFh7N
zJ4|x@r^0!2D;xILZL>>b?!bB!X6v=ZVu@DQmFMxQ)Zmc19M4E9x8he@Z}W2Eb1JWC
zxDpzp^GlUR$A#Yt4Zoq=t#n;mBP8ILnsn8V*P@fU<mPkR>!_aE`7~B*vz_6YO$Z#7
zbFhvn_L&Gk0}HV<rbtlbUb;1Ux*@Va9-I`-_b>|ThcqT>H9gB7)^dkUdhlhzYCaqB
zlXT{pp7y+$PK>wqzQU!gb#NR4h6C;BNVOulvBVJHZVnsYmHvpX=y9x|%US-BLtosm
zq(g4K4Q>QI^Qqg8m!6Mb4`zG-(v0;J$HeyYO|3hsRV!weYotPZap$_UfS+SZTz8`T
znmnCP&TG#<j;De^GXFJrzvB1`Kf&yJcx|QjX2k)cY5P%pB4dIMySH6dZ9px?F=-pO
zMua8On;U85g0^m&XzD*u%munZLlN!rY>yf@JP*jxT*3=%Tk3K)H7OU6lHgr10)ExB
zB(_eC<;T)L8wYlwKqc1i3jG<96(P${5$~=y@CCYSjCf2dPA-R->l<^GcuASVBOXj|
zva`OPxRP5IHW#-rWUn&ZHxpoVS0z@8QsXZdNuhuEQvwQAhw98EObZAsCeHVxL-f$Y
z^0v)m9t0XktF&BBa7*<ZU=F5bW#nUOh*DGgJ+JkLN4CxUV6(n?)mDX6v*d{UiS+`8
z8Z&Si<TE7tBX4$isZDS)0A$qZ5<>UKyrX`j(ND)CNoZmmU9l<KDD2hz6yLw(a9?u}
z$C7HwzY!<s5#-zRWgT?@Y<ibI^}g>aL|MIEi`w#~F;4z<^)!!AmfzYX7Rs4AOhFEm
zk^SSK(L+!z%MTfZx>^4);<-311g==hB0+@660qBqY9jj)Qowhb?Yk#eYt`#^aiAb|
zj+@YKWiXWbyJ9aTw8Vnj6W=wPyqJi?CWg&1cGRb2k=evgL!(7wrf+gu9EQkedZPe1
zwL7fY&Ud`X&=DltM%~O>M$ZxA*cJt`@J*Sg-qbJh?;VDPN4nwfwb$Y0UN63|5vMy`
z&U2rvd`~*8dh1|;h!_}r+fF8n>mr00h>n`h8RBa`pT7Aj_!C>{LWOU20r&y3(&3a{
z6K5z9yB#;5-u}fsu23I6xvD|3kS<q>i=DgzT|f;nnkL#`y5vqYI_AljHfd&jN#%<3
zI8AiHZWt--jp^kvG|L&fS|E32ewrDuSSQ>qYrp4irfw<l8mj%MlLoa&vzJZUppvIS
zWfRBMILPHk$PBJRAP-MF_g>Z9K7tCb`Z+v`l!(gop3XD|Kji%uuV0uh|1juI?lS9n
zx>$@~jAdHvieJ5h&wSEs!&+gq@=i-otWA}pCeENtkn_%^>s5HX8fd;nI1{34nn*wF
z@xL`tD=pDN*Q?k*TcWH^Tjbh~T{O9L)JSH~Eq%Oo)>kz!ebxAm`DEYa9c`Kf&DZB`
zxEg$^zkyt@9e{QB1#Y$>Wg5zxmDJW)UqJ^kKU3p<8HsMGCPki;0##Z=f&L3ASv!y_
zO*UE!f_s01-_1VxL>9D>3+}eo?F+*__uA0_cM=5rY9i<vyk-bl&#j5M->$hcNcFCC
zF=nm}_U?|GdhL*0EVOzhWU<!c3|sS_gH@&xQqK?|hB3Xh!P6j69eTdVttBLfi8Dig
ziXTuQOBn@}boHr8)vjLbE@jABkXxKwxDfZ@iA-jY2i@HhWQ|>Ve7v2!_=Pi=gth$x
z6BQO<yu~2$wvN~BXp*GVdgFXHS_cOUjC$@G_mi;*|JY3U@VXwm+G<lAFZ&|AQ>q|d
z2W6jmAz(ln@Dy~v$~o#`c6@ZlF}j-(oyofX#EyvFYjtS)whwB#o@cFQyM*fR?jd=q
zpwQHa91kfE_C81Lae!&>Zr2-mZ6|$x7k&n#YR|5vf?fBo5S13x7%muI;-|3pky}K%
zjRiUjn+0N8Ue~3CBiG_6bkP+}^?UJZPzj}T{k^O>$FA={--<aPRAb?6p4eBJRDp&S
zqZVLY(>FwElC@MZS6ZfCn^xHd$Sd)u9Lv2rI>Ku@g3;kw5N>2{2Z;Fl$kz&Qw@<Uy
zD@Qs;`y1vROw{%OCyDTk>u2dcH#{DYXr+CF!o{XcZsh<?S?HUeJvQmn*F!Sf=hU4O
zFg{^*SH$ZBJ14_pmh}ApN^N%h@1{2YCnlD21iz-JFQsz9$G$PdFL75tJ3&wB+sEyl
zuCJ+6y!&z77z^0REw|{myWK5Kwc@NJN-=`9ONhGSQ9AshO1aa<1XswO5<ceJViemi
z_Nk`Q?G6^j7(J-x(Z2YncWDuUy}UKsNZ{jU?FP+Y%UKHf;cU!>TUG))g+emQ3WjUB
z1_OMt;|zF9$LNYf+r=u}*=Bwf^40NTtO~_UV`<M^;HD}BKlb~X0RSl2o7kNoDn2%6
zE6QiG4NOR>7Hz9rYm67b2C*%#+tR{|e;cSQ&`s|wsz3DozXom}$>-h-!S0TwW-C_f
z+vysY#l_4*|J6KQsSTuw66g_O<&^^XruH9%LTX^%`!Ch^7XP@lINzw}`w3g`q*)!;
zv&e&x<7|-BxU|#OcbB=Ihl<+-&liKgvf~_YcR}C=L3I-=QMFs*tfDr8DY?>0h06wu
zpiy1j7K99h8|;EKG2+hAa$Y~DkQnD@9L!%XfeWBwyqgx9Iisd?bC}$1RO`-6oIGW7
zXk*q~w&>j9ezIg57s{!z$E$*+q5Xc|Rx*ytuoJmx->e^9WDUdLsdjDQN@M8eF5ghr
zOtm!s7-u=So+yfd2qj$IV9WHHbuU?+aN@&0^7aob!@S`dw_fAAkL2B6<XB-zi`$yO
zb*ySs`|Lv0UbWFBIn>~XNu$}>QHl-);LTa4vh4_lI7{>ujf$-NM7bS8>mL{%)<Tw(
zTA1@rir0CH7M`vN?Bo2b&BVq~I|Cw-9ry^ZtbqxU1+Ih@<eLm=y`e%gmPB$xQFup7
zi^;=ly$+Gqfm@1l49P}fHKi8~iG0?Qb>29j4n_mEI$69=pw0rU*>dL+y<7LY!3e~~
z`bWmJkDLyFidLjH=f}&`qvz{M?%cV1SuT*&yS2Qj3u<_QC{Nht)^*)L4K~v=6bl%m
zll%xruA=%Y$m4ko%eTU}Y&iRvJ8;9Jc+rP*Q}?#xOTC*BTS0=$daS$ocJ58d3LZng
zJ5`STt%Aw|c$WRp<8-JM*Hu6nzsb}vPZvUNrB;`Gf7%%4$YvJmrKS9Lw>n|Nh@hA$
zv7tcY_Lk>l)^n|X^I0&cyN4Yw-d&+LFJ+2fi&xwR4&m9Av52I0b%n)n3Fnq|p88x}
zlpEL%^@DI(!L;l9P_8P+A3&&<)^SeNLC##1!RSO|!-9Uty?*jUg(0&o^x6mVCZaJ(
zl6yV5xn@{V=#gtUD?>oKxc27v7-<!<`K&w=P@3O!{cbV1_@NGcLeD45hfC*>&*jOM
z5WS4C2+yOsJ7VwUQ@3|?z403YYw8H+WCc6D#a<d~N}<BDsqwvQF$;U1fP8C$(%;Mn
zs;Nf9+RUtTcdIHY5PQ|I7ap*W|1;{7){gr&@<3g-L_GO<M_8eTaLjIcY-6;T*j6tc
zQ#x6XCh+uCGn_tiU&;D{$VSxgMveF~hx|l$py`HyHXQFdoz87xTpf1o;Q?@VXpaJa
zr=`$U*`ZA=rRBH$RZjAI)MV6xNLGABu8xA4l#mCsHfspK-C;C|PY~T#pc`h4d$Cma
znS>A3e|OYzB|JrdF1h-=EHOdP37#X^whYHE>d1#n28cV1#!7AKdat@ZNA04avQPlK
zTSd<Y=UaWg9tkS^lkVSr$P@Y>dVk?MT4eWsmmtr-3}N7eL3XQOskwE6{*phah`rcG
z<gAop&^fO-KM6l`_7-d8F2<#2ZvH*$^`WMQZu$?*rY<o;kg-wPQGdc0U3=lXWwVO|
zIl4?0KaTQ{3V8^o&|4x8&sb}p4zAgTTuh9QUI43o)53nQji+M#;T~lW_iSBQ9JPQ7
z?&AW&V+b2w#;O5gpf*in7O1PIWN1w7QQIevLzqU2Ye!E4KO`tsP)lsYf1qJa%#WiH
z|HZeAUhzwdUyA?fM<{f=NIDahp%A2J6x$+YxH2S~$5V2k4291_u;ZU7`J+rr_XVz^
zRomxHJ=Yn>{tCT{v?GI_!p$m7u{>kYJkMFhw{oQFvj4-GtFK-`E6^w0u{R?Xar)Kd
z%M0Xna{U4g4B25OgeF+y8fGA<6NTu#Pp8)nMQ60=xbJj6ZA%VqzOyyRX|7d=kGK(!
zzB*Zr$)TPnMBF1hfU9SrH|0M~#*He;{&j@|xW}n%YQ1KivBh6~NMGq}RX49ZSp)QQ
zkEgYYGIYc<nt_}P4k}zzTQ$}tWsy4uN2~j<{Uf!c4RQk%c#W$?X;rE*hi#)NQonL5
z{l2>yg@L_6OKLgk#5`I|W?_a->b`g+y(m>l2nH^z`T>kG;D}4B8)0mV;nJqeng~WO
zI0N0sE=c3GVQ6w;Nugn3$$631V_5;@QgDD^Ikd%5IH=G;DjSF-Tj`(W#dzsOY4XjZ
z8teZdM>TQAB{OS5K;R-aX5sP^rTtmf(DIE@Jmb7dKu6fj_DhD>gt(NOQKrV<XILKE
zp$P}Fz*{tp>P<qeD_e4$al#=Ff0xgpjC97E6mudBhl7H*wd(eRBg=R)&q-F*_+7Vt
zCOgNhqv%WVf{QnQI#@vN?6VX#aoxWu47P|N#}NUT?`GW5y&)@T9^s~T$-*-yqf_DC
zZ8o;S;8Z^Cz9wNMj~#i}5~=qm$tVUvD>P5@I8w@eO2syYJkH~3hI7%zu%t6>a^!!o
z_trg;wO_j+(lic@yIbS#?v1+@?(XjHu7%UMyEX3aRyZ{7?ljPc^CmMVnRzFf=b1ky
znfZNzy^~dSulw3-U1Aeka6}Wc>>FZMG?!jWt697S%Yi+6kZ$=9XHgXHGeo&EulW>j
zv**h(Os&>Q$DZPSA*hj<t~)H{hT5-eU!j}>9mKcXMB;@R2}bq0PAA*vSGHFvOu2s2
zMs_*lyv{_wV^~$VZTZ?6(|^e#Q<sLC?5mt|%!hK=l@CAL^aETFv}$Aq{~$>KfaTbh
z8zXY_&Rq@Ly?FWd@N%88JrH8s@^H(nV9(&~;fV7#;C0HU(DHcO%ipuGPyO&0Y|7NT
zwer{XT^IR>ZhVQ<!A?moRL67|aM<Z_)8{XkXKmz_E45wmr^7LsMca5G`?euYIhz^n
zIEdOkNG^<x+YHy&IFp)Wn^~%bEscL~ooidJJ}B)}pAn~lBRac+Rre7kGg-o@v)Tyg
zLB3)vnr2uE;x0%cxI@n}mNMSrZ;ZWP$1YaCt^+AuHNERe7`o$7tjNGhb(c%K5W?K)
z&4wNW$iec?Z0cE|UJK)@zhv2$?8kTT&)D>~hK4o7`<9;GvcmrwW9ZkEmV1y^`FSmw
z`53||GDrOBxu|U#na;R`?`lE5?#oH;yL#zu2DN@ma(1`F+7k}5ZhN+Gl)I(#c)iQ|
z685m@k!O2x5a8`!I;wK^7c7&}?ZKUp(7h;cqW*r2uaj+|x7BmG;dxqby*BTP{f7Ut
zn0~QakJZE$i(A#K<D870GG@pVFvM^zRW}??H=t1EEKbgQNX;>vG}7s9j(5_+q`WC}
zu*V@W=bS2G-QCZsY%!^kTBUsTB@4mAX_D=AgiTqr+bG$_lFoai#j!if7`<W(6L*~d
zF|TrTl3|a$1J;n5bBS6$xR20!?OPYTSOD6)Z5pLPkE-L+&t%*Cjl?JOwu^Mke^bj2
zKQVqkA4>P@9X#7EpBR<(iQFxG34f-o_IR|5uFg7S`}-HT&p>YR%dMKdf$96?7dL?n
zDqvWq2j&&eqdv~Wy6fHhVK-IR;y*nUaR2bs8Kr9X4`@ktFFbhSgl?Ds4e2N-UyG?{
zJ;<iKMX>TM5+MAm8wMw_PUCo*P;I-jk_675_!}YqO(n7HN5gApLZ(0P$!uF|6QjI6
zo!18<W)AU|m3DnwThqWVKJrKuYCkNx)|WOsJhzhk8AcY!Z?6{=AU2QmCib|!?YjLt
zmj|EPQ(Bc@Jf;$xbPkj<uj*nJGg&bXtkFCAC<k!y8xaNSr_d9w(u>w{We9IBvh7P&
z`ea-gfibIi;?rt4HGg2Hqzak!)azwBQEiy>Czuw_@aLqEUZUjci|VfkSBGD1W0WgB
zG_Aist@+iGF?GZwol}GqZL1dZAb;_!wGg?dM+H-OXwl3FdRH1z50YzLaFX22J!&!d
zSC#y~-C3|YygK5MdFK@lR$fhV^>8hJYj>Wl`j|7?F3&t=KIc9u|I<G4Pa9E`nms(C
zDd8W5rF}Cj$0Xg5x|FQblv3f}@$45cdZ7hEupccGXiWMQT&J^AEw6Sz{xohpPQw42
zQtI}Q67~q7@jg4mwrq7vP+uI(*dvh%rrYaEMm}zBX+pQY`h*Jfyc9gyYdG#4c}cx>
z5XmM_49M}pyXSZ_#vEL<zkJ;3qivo3(=Gw^58Dv4boIZuQ3C%}C0qAJmyi0*{gF^w
z)|W?z_&eJ!b_UJw5YNhP1lHFlz#cy{Ruf8>|AMjUU7TL>@m)y?0*z0SJUuK+1MTi=
zO>eThTJ;6DtarUP|37p)2fDpQc)dN#UhVXAtb4s+m$m}=JGo*$47*$jsn)$c4G6bS
zZqYx%_+j*Bm+nY-&I#4+xi5<XBO=>1{g&%_H!HB^?C8&wkAipkKW!A~|F9Dc(fqq>
z_TL~KhV4XT{XE#5H!g{FdwnwW$J?XUaFo1B&YHr(Klb)?kn8UPB6<36bN_)X|A8#M
z|A8$34fy*HWclyF-+v&>e~14516lq%@b@3c^4|><{(k^jP^V3&z8>!J2XXkf=S=9}
zgt5|N7}i$@A(H78MPOc``W9-Fhubimq8H*>Oib?w^77AE4ZnGLwp)(TXPf!FtVhZ5
zx>64P%%hML{}5nSTx7&Rmf`i>H~3)MRu90f-|SR;&b_dj0=7S8&oax@-_j^=rjU~H
ztM)u78%lBbe^SDil|MIFo(rX)x@-A=puHZ*JO5ntrO+V1+uuU|1xwV`UrR1^4)N8?
zm7^I{QA|bOExQy!ohF`SXUMabanK@6%7#a&<2#>&1z)qFoR>xj8RRQS>=YMG`wO-@
z^cU>AD$(oq{^xFyw7sX5sMU>ECTUKq9w3=eyubISIKK>}s{cVfhw%y9z2eF;=~>A)
zzDfoamVZpvGF6rS1#?vXOeQ+|<as{=HSYg+%C`dF-E_|XVu8=egd)YyrirAz%T?&1
z#hKU`s5sP=HB<$LFw65via`FH!XzUNNHUD6CI$JDl6pLB<H}HWNWVScIvuXVnXTsH
z-l>A?yc+ZN2Ws*}NmtxC)Kv7c<WA;???Zxw$^M}71|b`-U-wobe~6*Nd<>!@|9;R`
zd0r+ysw#07I?!2*`<<|_BMR`vt=BT;c`*%%6i(l-=%-QK&o(?vusv8KI0(YwSl}Hh
zSz8tGJU1OnMnGerYr8qjOU(7D&-IY)Xl(m2q-=fo>8V7+my;3iBy~!n=KWkoFyp)e
zzVQgZ@%V8x2)^+btPb)I`2Q@%$S2?bU;McL7i-G@XV0o-@}s?PXhZ(Po4Vbr1PO|=
z>ncJ&jbRa=7<V^$QJOu2?Xl`diB9=)&E`OYI5lhOj$=b1SJQJOYmQ4*vh}IMz}{=o
z9*UhI>|8hS{?w=SN{O{ASqDqmA7iu!_ijx3%XT*!7a8+UM(KtYREOsBp_;lp-@l@%
z_x!(*mqlgMEj&8!C28<!NHFcfE2n2a@)wLO-7<N$eSvgZrXsZoHKp^Myx)kVe7eAb
zJF#H!c{g8N!?Imxq=5?tW?uUjEN;`h0@Ju|jjTZ{V<JI#`oxkID7~#ZcUfY2Z~gx2
zEVWVucjIAtVTpBmrPx!?*u9P=s6UCl23~bho8xE8yrO*0cR-YKKacN3vo2&-ixLVm
zTr;9)&oEB{Ck4P<^1+dJ>ddOR>%|m*z;zBglH(>rCr@Z_e2*$({@O1+8f9JXxfQwi
zZaS>%!10gt)G+(LzP!;@nM>t+JgpnH^hbLA^xDGWN?Mez1gMBc!U;={3U^971oo~e
zW5;RB`=(_+yfj$47Izvxt+K*5(DjahR;JQOoq^KSOCRX!Y1A!o=gN4i8Nb;F-x46-
zG=-A^MstYw!<mRkH@WvBH#>V;PuB6=NkL*-Kx3E6QC3tG#I>=r-{_kX7YWMBo~7Vh
z6g{)opIN=15uU?oZEyCuf9>G2%&q0l(a_%FmDQeYo2SNLi<!;KN<QyT-D+>e(>G|*
zvV?1!VLC3qas36bzdWtArN2sDrhaVE)$VM<tY5@{n!&2!FTbv$eIk+&{zCIjva@aE
zHRJsU(S!Rd<5SPCy+{3%k*mL8<-W)p1n>UGf5FT@mD&PF$Aa2_;%7cHQ~$(w-S_<N
z?&<b|rYm;l(vehwYJsgw<DSXUvQ0bN%wODr#=T|&t$TT!H0H9*8qKmBqHigJ5Z`tn
zz?+if++Vpz*o&Qb64>;-fUoarj&aDa`sdmlZxlTa&X2e6N9GO2RO>dQ^PlV95-D_|
ztZT#~GD&piBegwymXde{JvNLgMfEB2vSxy`OH#>{qHfX=WjR~()YPulqfiqtTJHP~
zu8@k0?+UY2zhmYkepRP7wKoh(15HKF$nSDK&;I}1;WlE8!;eT5kRQ>t)prc`+eK$o
z(U8cujd84nnuU9I3YLYU>`i^j)4x_)eS@yqFeAh3BntD9?5vk5(yZ6}35m<W$8L=k
zPaR%wqzVoO6MT|E^?d+#i)5G(`(aJWJX4M|Ue3AYk97@eo~pyW9n|b~!+1~09j^}G
z>mVfYdf{;d^4Biox{&eo%B$&|!#*pObh=V<O-P*yoZ<Rt#o@%bz$>Dx7ZTiCLMkfm
zywHPM9XyuR=2w?#Y)`uO`%PB)>+Vq)v!<)m92VP*68a_`U>lAA3H3SRj;2-Aw~xYe
zpDT81yGfHfuc;v=K!O0fIKwww!sc80L5$0XWx6<{?L2U;a@{r-bFj*q{`T$<Ygf0n
zWUaApVH1ewueVv88(t>qngmfKzk3U!TR301!^d`l_H-kMMoJaiV@o5_#Sj=VBvOA>
zsL!1TB7q|GiVKryUdxKP^X?yUk0tyPBV@m?Ha4{ZeH~`<7V+9X2FK)oSeGw_d80LA
zCW^MDjNzkbWjf^ZFi|cEGiv=;J{l?x@i5wd<)bASCp%0ykM{sbs<j#+C&e`@0YM%1
z6&mMrT~@x1#Pv1a7*5kmrcvf-G;oGmguMLHi?;09K4(~It?;+!Yl*CHmFUHKg60s(
z`z}tnt}+~Fb9=XAkRB7}f_X_xLk96EKV$?!(Ibqb%&pW9B!HI!@ztc%8JUYxSC+7f
z4z<dp=mXKb_z)j^s!y``4RP<pvS7W=fc%w4DW82oZdTc1`=^QR-o=#6dTLZ~wOj>Z
z)}-@;ZIuWl>=3<j!%<nHL9O_!Zrz49hNNzTSXKs|sVgtEODmSjsm8Ravq5gG5@+<h
z3V)48qSmyfQTwLl;TArH&U~#Ibw(65M^V{AASy^yeka<OUD4TK;I-XvK@h)ebzPsK
z_GHQXON!DQzomH#OpNWZ(u(uXycWH=vhqhQjKo7BjJ`lK%~<D#bfo1+ZCG|svHUl^
zj$6_;EP8<qvjf<SC}HWg)*sAq<vJ1{yy+_TmgQ?E^)$wKeY<v)&mPP?MlgH9TyXq`
z%Xxl``;RkzsDg~UGvwKX@zvCK*)_hk<2U#F9{5?!iMBcgH`(!DU)b+t@<cRZU)(WY
z8#HX2t@m*S5W<|<$=UT>%-__0i#T!5!)}DkA#zleOIUMsQ#(_1n)o#xZFoc~hz*4;
zcei<lnP~-4|3T)0Pw&#Lo0ZHk&<i7!9GNDu`Sin(Vj3K*DoFDs50T({`yyOQv~L=F
zV4oq^<y()jXTyo)`k7HoIcuS2s&@FITmH*~d{7Es6d!f?z|_&(+`gn=SZ2`4k7y^?
z>eQAJm%FxY#<d4jDXx$<axdKenB&9vGhAI5pAD&F>piJ1L-xz1#I%_-O@rU=iZRo>
z3#ukZ07LV23HupeYhHTu*1+^iXjF5c>DtvzlUG3KujwD~cdbV*R<z$X<=}2_Ye+v;
zl=vt45(tEcU%3q*-EZv$2z`*oO~)D)P<ROCdx(eL1j?(@T4)>n>9(o(+^#SO<b@nx
zUCneU8%u&IX7ADqh%YtS1^SB%wAL78z}24Gp=*Th=FJF7Un>a5eT~SsE5mQbkCskC
zbznK_p{!Hc3lu;+Xzq|2wK=e{pe~y5&9844!Ra*fLn>jv^{O^9QiWpvi2X5l!lDBC
z-$0xocI0h*UfF8lXBXdG^<p}s<>{=e(B!*isP9Pfbk))n$CGe-o)dL+h<3Fh>}yf0
z?C_PYa$C8NiO^20FDR5cBpEq~o+X#9@#K#&US@U{9B3zyn>OfMW$><+5lP^asNWm?
zf1-y(HTxx;%Q}qFmbx&;!_l~%(Q}qMBbJkCX?C}337ve`*1*tWki9ib=Jut%6Ov&~
zGutx+PwyRh3z6WtF<!9PePZ3a^U;~)<`-mo-pb`5!g$fsa@68RH6JnC?^YRfdh<4$
zU6;@{*l~93;9@`c3l=l*;IK0grU~Y&7Ha~1Pd6@$cw1YHT*n!XS1S;b1D2&!Eq%D=
zJa2#Iz99ZfIqK$5snA*WL}aW@d+fB#3ChMvS%$EB*rYfaP4%W4g*+^HZ2eDx_Ye#X
zB{_z><iLVDN%Bk)=?ivT%~Fl4RxgvTB0zsdFstXfe*E~^0MC0TWV$4vDJpRi6HOzF
zZD1E1E=o-tqT{7@O-_c|``1mG(@dGFLcDqnFDLh5quNEMmvSaz69#QxTIh8HHRw_0
zqq*5OG}s{v?z)o$JCIOlh}#oa?H1}8>dikmj<fez4X;BRE{3j}C9Tr3yVKpejn!b|
z(rub56=<(l=i?gK5unx2mxaMx%vLA$b7Iv7B-qd3&bj}hTQ?yg;2ksY`4xgZY}NDq
zZPO)tDl2r~c$Dw42O-04&lhuGEY4nd;!(m%eM8Tb7!S;xe_tHFYmv%H<M#1B_4-l<
z(?v4k;usAkwVvR$(q5mK#~pXMJl6MXvI|eGP?4_Hy0SIs^&XJr(ZN)JtmpP+x^_xe
zs63mLfOgQhhB=*^l;pG@qlw43R`D#SU^uv<54GvGyM$QMv|Pt_L%Y#ojXleWX)^o)
z4dnronHyoqq2%??21FfU*^hJS^|WwbjO?OyYBnE*)+tx(0#CwhTMt4<9~qbG4XbLS
znmwm;n#IlnJq;4076_;PwDEP>0Im2iUl`cPZ?Rtu;+>-;A&#5i!BWydm4CtboTj}h
zeTiI=2JBRIQo^+n0PMG$7cr)wj>2#52y>|R#YVHWw_oLJP=K8(C!)yX_BEb2J{^&B
zKz+ztUwmar;DVjv;fHgMJZ)lhCx>Lx(BS@&A9S)mZJ|KUx9up+ZS@SN%=MfxOQ3Wi
z^t7wFV%26S+}_v|DJ`YS`JB&2GbW9+2pu(4^bZE<4FB=<*paX`?`je#Sv5R8&kM?U
zjYfGX22zUZ@k*s%Q=UAX$N8W!k`~nFY8V)8RMKAHYFy-K?N?<%yVYB&d?y2M1FWHD
z+T!pm^|qnRPG201a)>k@mp_m+NkvzRlUpB;XlT6J)Fuh(jfZYPUsG7=yZS_Dj>|We
zYSRK2-9>A?3IaFJiF1u74(O?5wMnI^>QvBS?l6}-wQ`GQ1to?4rMM1?<S9>}PU9j)
z|2OCdY53h_D|>0Ua=Rm4h>}HoAZVlEG}BefT$N^(BuIN|e8RfvSEzETv0SK!!zr;c
z{FiyUUVtU#GiZS*L&2@n_EwKGew!#>XGCvHX_@2Qf6!TFVN^84C*S!1zkK&)$_vzF
z_f?a+f9H>mEBmr41rM#5+Ui?PHya%EZ%eubEo7XNvdOcQp_oHC^XkYtF~GHbk}eJg
zYdLrQ5=9-B3Snq9$FM%hIp5cMV|PE_%$l+|g{2+4LoO>j3LWo}(^Xt%DO^#?06KEZ
zhsmRIrWX{c9bLU;L9qkJ4Qo}PTPPy!ThcI-b(55?O<w{^O`U5cIyCD>I^-%vz`0G8
zTp`e`sr1{`LzhXx?#8HeN9I16K=Y#Q$q1m&bi3dlDK~r2Gu*y{X7sA1LkwPMlI4sX
zTPmSo<~hjYE@vm$<CVQeP@<y9Q~N7CuZcQEy7ZjxLcR+_1m)OAKG=B?0pnv9gDQQ3
zNJ)@^stJl&Jdcq@>m<{mKuu4~+k`pRn8CtC701c*@CWPH4ZbJ-fa}gp{mj=jv%2Xl
zZuFR|ewi0SNndWRS|SP9LOJ%+{p#`YrWxtyHAs>9h@Lzyrtrq0G0M=96_Y&AaaqN&
zR9!531;bMUyhI-#$Hl8jnoZ0;h|IR{L*+_UDSa(8b39_by~o%WIrPbLyEfaR$TZ!=
zc$0)l2wg};W^{)Tf@4T&1(mbXuIdw@arnci@9M_SSH`~|tf8VyR+~#L(oa7#DhHsG
zCFLxc<a8Pp4?VI<4fr78eqNY7Cddu7?E<{pzhd$E%hf>@fLza(b|2<|2R25(xzYlQ
zKPF5QS&n}$%NarO1;C>xit;&}@i9x4_WsKt##U~5vP0m0xgTvp-^h(*uut9IcItu4
z*~}Q*i{jW@S`|P;)>g)mu5-GIegC=}^?FM7ssoEw%v@|NQ%>*IbVGd-QMBj2xBk}D
zDh#6dPNgY@Nvpk0Mxy25n{L<(;>zzHwu%mSB8J`VzG`83ul9n0%_qGr#{Iyhq%FX%
z0njo$`ArKTrsF7P*7NC!^~F+fT)Q|v@5a5wt8mzLgh{h)ZAzEo2UOyy%sBySrM`1}
zicR9GxY@MW`E&@lQ()6A2D#=pobfjv^ZX%87bxbH8g^;+%iNonMztz&mllp;4PNYf
zD*L4pyTNtaq{*p@-DalwGkX~U(R5I>5`NY(SacBF%)iJ*HRIEuD&1k<tFz0M7fs5e
zYD7A*-OnInFi%^ZFv{O*+<UQ7bF_`x`rvk(|L9)=)VHPdq0b-v>8J?MnF~G|$wLeC
zA|Z-Cbm}QAD2<OW;PV=Cy-EPWm6BfOh=omiP4VQ}Yik|E(U*Z$>*KQ$hctUboHZ-Q
z%L{oqRszG6;lHuo-MdTmqHn@TQm)f-UDXICbmg+kL-u2sbAZl<&r&C<vm)Fs8I>%F
zWSVUOevRw`arTd7xC{08k{@Hb0RcGut8PhP?LQ)yd5S)yrU7W46tSvkt|!(*+CF-+
zBhpE8Fe1NEqRjO-Itvm94Nkzc{Be)BeqdV<rN&(|Krla7{F3BWM5k>c++9J@QP=;%
zUt9h_TN9nJkUqH9M$>bN#hFEm<9ID9cm_OY*<;2`AS4kzi|87S9}#fM{1w?V>YU5U
zfyB#5KGBhEC-E3g()_~HpGoFY^g?GlqK?>nF?Q25^=5Rtc9$!fa428Hx=FsbH8Glf
z?|R-?63Mw>yjdoFSd8#)N6(%;KN?nr$}P?~{!xg!NnT&@Gkfe+dIQ5&InqeElb1Gk
zcOc>*C&~;N@2UYOGQ?Wr6lz5zwGV&k;ym_%5-V8Nt5xel&E@^E03$4@`)t}{(l@Ei
zQ&-HM=T<R^eHJxwLdns~5cN!mzQU74Hw37ziW+00Whzg0CQSmo=R->p!GXV#!&QtD
zQZrJTFuC3ols7F~|76ZT;mp(>_Sx_OE7#-GvuSzHF6(aCVECcWO82wh=`dG_C0Pk-
z4J{geyJlR3?QZo~5J&3qgelO+=5S?j1>xEVQ}?aaz*7+r7YtArOEF~mXuJt8^a|oN
z9>Bik{JQjKZ<Eaik|pI{v<WC@bC&H5Bqfv(D)<k#$vAmx3xvj_`C$nNhvsJ00HZAL
z4753cID4cr4Rjjc4g?vzSFEMZW2iLfF)M7JViA<p5W~w{?8I+wMpSy3DqXa{z*+4V
zVirp@sC-?i6gxqKg#2mzY0e|Z8QJKIz*q4cV9(_BgXNwlF}*Q&2H|9RqQg6iH#6A`
z2gY@n+OGY^u453rV|5yLaOn$sTw8KxQhzJY+#yND6M0B4r_j+cL$(vymQz-=^I+4H
z3j%}3N0tG+c-7f*<<MCn<M_%@uOmIA%zN4dsp*_>P39n+Cm1F*X_&_j$ipaEz8Eh<
z?PV)eTswD<&9whBRLJ^-AMdBd_da7^2^>A(nHo@aK(gj#`K-KG@hZkLl5HDh<jvRQ
z*HseZSc4sI{n7K}^HQuw;;55P*vk3M0e=L$P1H<MD777Fk3Zn^MBiL|XLCN@B$NcG
zRG3UqmgYvHToqy(%1<%UKvRvyDr#cS0hAcJ8#E~>1}--R<hjSIeUYH>x|qpjpmi#B
zv8D25x7u~}wI7X@;W?6^!Ka{!M?tkrFXB;}!9gON@r08jJ_+a4mIScbsi~LQ>RC58
zRxQ><xEI+pc_!<H`dEvE%O#@o?mR<<aFfozbE>4ZT9AHh&@p;_xWhDuUUU%HB6h)B
z4dn|VSI$7>IJ+W@%>Gn>iS>`ELqSNN?l2a-T$j6fGl`OONu$39%5j1k(E^=?6EZZj
zwWEt9aR5BxkKN@<b^ru%{!w+fLyQTVb{-O@i7W<~+M)sj5k|;k=7AJSw_sZa_lTFY
zEwk2L&#H6}_gxLP(u*a6)fWhEB3HGqzM8Z&T^=0_QKRR<226pux_E`7x_XBeltKlK
z$@?%W+aUB8T2D?_3<*i)@(m@y3bg~N^^Q`&Awn%imO<yIKU-Ma<k}on&G&{yHKDW8
zdzQ9e)O0s&joOhG5FCKGMc{<FFs&jPxy2kUrKWpaPvchmGG&)LFE38pQp-KP%x*jT
z;FqWg)$)3{ZO|3Fr-PN&1?C8B6ehH}B#xry*1(GaMoI5j$sO77RI`(vw|j1{TtzEn
zMm0w0{gL-K>mLs^-NohhYSHM%1Yd+O+xiAsVEZq=I8o;XS!i0;1s&qb6uzmKwdSwW
zE@G@f8+EiC@B+4V?69&>K;%AGKk1v^-8rDEY#HNBQT;a=)Lm|Wm_270HE1GLdvNO?
zwdu$EtT|v#b=sB^=vj4Imom0qO5;BG^ax_48u~Gu6x#U_0e`bv9yZ(5H0$vEuAd*X
z?ObFi?(Uy#Enmiy(tI?jf+n(6HRwtUdTq4yFsCp@y<@d3j4<8dz4B$uV?K82@NltK
zYs1gBmd;x12R;D0-7eJcEKYy7P+Oa{;8Q-NRgRmf?g~cHqGpTY^Jt6%ZS(6fHoY?3
zKl%NH%*_yZUS4V<@2Z`#()BXh<CSEs#}gWc1u}D_mb_qaRT*`|^gU6`g$=lt5=i2=
zG5sdBVYd%IY%!*2lbaz<m`niCO)J%$ylAT+Np#CYflWKN%VoL<c0$BT?;TKw`e7LL
zoT<;NH6_<2@!{tS=LL_k<qR3TA;)>BE)HCFPwXsND^bU7O`LSM=)@Z~NmZ&ebJ<ty
ze_BJ4<jZJ`8mfrso8jA!GG#v<dA5}zLpC{y=+u&3>M_dOd0~5$pW?7u*5nH6UB$1w
z<un}~a+IRpR*2u9bmt=##1t{w%S>`V!m?eaEUTO8f#kH(%Gz?i)bo4yWtcOuR*M#{
za<>kVT|V$^;%U41<__s+=&`p3%36JXLXV*y$KxGRx_O5tQe8GU#t9O}<wT_h3SL{s
z0O+htPF+6oZc$5sZJ$f3Ca2%F=zbJEMzw$>=Lv+m5Tcv52wNkucrQE>1s4+bol+$y
zO8te4oTt@1ZU*`WqNYQSC+@W@D#0oDw?)&&3&%vsi%$jpR)f9kUoa&O<EQJHM~}Z?
zoJ4PXC#QB`pUZ^GPvexoV13?A<ADken|s5N#Qd>og~f>Hq4FjJtmPImEZ6Cw>&dCx
z;g%aLYg&6~qLj1M`RTDcaoBr@*3a$}^aBTbEIt8_rGi5{eWW)V@gyT=6D34YhtHA6
zgPndhwHWae<u^6T=!voU!#C=2uG48t!?&CR%REXsG9)Xl!XGV`Dj9M-p)$Ew(vEVa
zTy#?h75z0IgK1?qZR%d=OBgXc^tq)L7IR){q!_A2O+_MH#Z{P|#71PaOMB{6=MuM4
zZM~xjd}l3Wkz!oSc;>qozAzugGwE8%^e7!K>uMDbL+9q{rb#OdX{MjvBW&5eoMhq#
znY&~wr-Ij{4nygV2T`7dK=}*gY*1Uns;b&S^Le{Mb;NMvJ^aIyq9GCj-1jK*u2q|)
zVhC(@5WmLv1Y-Z;Oxwh}mduN|=JrDEZVlW;+wq_7dM*Nm%sLWx166C5bSA=dVv*ku
zziJi@z#8JCKxV=w2x*!K$ui57cI~q|vG1@S?jbyXNN3RV1-{UGqw#BUhWrHsE+wsN
zh6*(8+Xl-O9JsX5Q~K*=t|}*ml$zgF$P86@FOTQ{z%<QQKGko=rAYC3ifXSl$BsE$
z7CrD4ZD?&8lWEyRD)%uhCE<rKPlc-r(`)DaQCV(uLd#3g6}5wkyDNe{fLQi9`@p^d
zFE2HI?wz~OIvBC5blPwAt&~%cl&jF6U$v?LXo%6Xr&h-zj01@64Vord*{dp5W>9wd
z$<>MTFgamucCLaxiv5YWQ4_0;#np4->}iu|TM0}W*Q;x6AVHCQ<2ML-0DUfZUK11M
zTyaK!!*J`rU=UMKhUk_lR>-P6w%$N!%f^NBv}oT95a#9D_s<Zil`9U5Wph$`eS)mY
zO^9GHs(?mVC}ViQfv`0z4p{itEOJxNII74OEJT|%H`|QeTkFGC+o5<#vT?m%Zh6U8
zKmxkIV8e*`VPm&^@rYx~X^=1cwm}<4=9X)%n|a!eE9G!YTt4us^^!sRX%+nV-wTeX
zpr^Qgp-oC3OWp~f?fJxbdsf^qWY`?JeR-&4R|c9l#7s?Dd&_zaCc;zl_CvgN$P!<e
zB*8dAQhM>JqPLqnpV|FfH+23|_ka{T+AY9!>VAk}7i|zIr;}o|SO$_dSjVu)AvG{?
zL2#Q+8!Nftu+I-q)&GWgh%EJ0FI<@w)7fJ7GIjbu*vw}s9A1Ul(6Lanq7_@|(l3O>
zYP{4$eFShefh!`B@^gwv>odFgOKeMnB_(su^PooNEcc$Dvr(l{>fBICJNu?w4r}uY
zqk7wswk}uuzA`n$UohL&(TcKpuqIROcW(G0W}Qla1o7Pm<KQwdb)VB|132>HLiE7c
z&!oSHF*oi^A05A%^+M&R#ic~!Xp1DTPyD>x_=9DWWF(4GPC)I#K4tZ~?N%);XZ3+G
zQr*m6p&Vd7sNSYeMO@7fj_xh==&q_(T}hDK)*-wAr6HDdWLXWaD3EzvBfP}LgNFnn
z8~-}oD&1pYfismp_XXZP=@fCw1C$@5SAj|!HbH{xgZ%m=VSMw{vPR>}k@!(~N8Z9A
zO9>3!vP7`f)KDV1m&UpC3!P2p)H0yOju=c+H|45K5-_F$OkCekCT;z6i1TYhqglDT
zw^VCfvP<$CXm&HJTDB_Ck?jDSfq;92YV5eO#&6bIMun)BG2$GbQA!I$7WjKW=QZD1
z7N`(F;|@;4v0W_(&`m^#@m&C`f#blri^t*k8d8J<Vsbi1nr4XXw+9FI567C$&254g
z-(R`%0MF;0>JPHXn?fJYOJ~048m01@H%XGHM%lEGI{7-ew_38&q(er0rmG@Pd*9os
z*W+=k?p20jZ#iM(ADwUX?8>6baeL#!#}tg5C@ETIV-L4g_tX`%*e=@q^0RXV4|HNQ
z<x-YELL6l@>28GvB{V9Bs}xpZ_miCi6Nx>SZ6r}69BVjcI6GWkxQ=L=@43+J?gta;
z2%M^23@Jldy-r+x?N?)e(5?Nzhi1bMCIfU19AHu#A;H3I@p*U5d}rr@uz{3gm{e9F
zg)_J@I0kly@PYR-Bm|<8+C6%6jHmuq7>N*(VX|(GM;VLYm~OX?AH+#`gwtMXiK6YJ
zor-N(!dvnpMZ`>4q@b6TqkhpMKR9EN)K@^PoOEPJ!mbOz5igs+Dyjb?FYgn4!|PE)
zQ@`u^jxS01roXb#ks60LvXtx6@~$N3mCTUyYwp6+7l>rVy1XogZbVqNk4t@VZkE!J
zY;TS3h0B-$-WADNCP8ZaG3!r+>g2gi&I<>S6!}Ci-lZ5NZ$5zP%#q;^bGXt~j^pK_
z2k7RLg!`Q7dW-%>{AVg_)HK`RBu;qvt)85IdP65(cb7ArzSP}D8?2o5DyC)bECBh#
z5GEk1jKJk1OoJ1OB9}7F+L0biVnS&x>BZ)l!s?4jEG~t~1k%lBkOPAS3mPq2w4+PJ
z9<Ah$?&T$(>Ivb9(l)q0o&GjkprjZjj<abW#(jz`jQDTguUt+c)3dfD{|YM-eXcwd
ze9o5PKGmR53*6SRtTRdbUj=LRi1ugWJeDO8H8|uo^oLFaw7s10!z>&*7cbfu*ON07
zG#)lE;YC=pr@>uwB&ufePh%wO@o3J(!xOUjg95=a&eGEV<w(U=>l73_YJtC#)#@rv
zN9<_|%Y{i*Q;j)cJyQ5HG54flbE<i7*hU&s{V*1GD3y5?nv@|Swiocrk*?NTKmPZ^
z@Qw0F?eZg*K4X4J)4CCj6aEazXdhA+(^R3Fd7e(vD?LWFU6Z>NCc6)5UGZkmT{Q%_
zTOl}|mNREEOZi(TK??Y)Vi`e)NBAfIXh!{iSv3A1_&PKHCvV5)IG+g=^Y?VMa|Q4N
z(cG24U}y*x$|M$IS}*f|ZiQM5VbFiY0~PMDouU*6B_!r9V84yUnt<l&?&c9{-8nXb
zforEeEoOp*I+VqdGgU4vm@@Q`g|Jp9ZeGjGHu-XyEIm~*`94YFItZ18rplw;9Csr)
zp|agDDwV*VP;{P)YWE8j`+09#+u%Ru!5^9$0?IDYs73<)^TD)4a{YC(Z<=}EP@V<a
z9Oda6g{krduD2<lsSo|MW^R|4fGnH1*w*+#ok144@*3c{_q?(y(W0X{k})Cz!y79P
zzEx8x6t0KSKl*e~bJM?ql{ugTDUp<7zV}9UNv3-=liq#5IEcb<;e~P=xOJ`%AARjG
zO)A`PpHs9IZ)9xLKLB@r==f37L6cDxfWXV4WH@?Mxb%vlG&+|A^A{|ASHb)mTP+Q7
zepSGBMDNm0*nT!+wGAk7&@VgavR9>;R1lpHs-%+BsxCo=0>fmpfn)e_XmAq}n=TjY
zBAL6n_rY0+xise|?-OPcPimZ}fghC7dfN#k8NJ230|8XHN{To6RJDy7CkVykcunLw
zE3P^k-GKWLsnwRdFd7WJ#Cn&ym;&;YI47GHzTM+=l|1Hq&lphI^)RaP-p&Wj5i<?v
zh_pYy%=wm^+-YS^4kiyeY@WgVb{H4gs9G~~KA{;HNJE4U_85*jyqobN6eRuK7Y+dv
zG7wEkj&nCb=#b$&!xLc=@NEpNk+7-`g8OI>2b@g_By_IxX<VV)^s(8)R;c(S_?*?@
zH|=k3ce&k2_{n%{d7V)cbdc0*aE52`Rs@pHV}zojedJM5zYmf^dNeIf%@u#j?s1Y*
zBl<ZK_?3C$9D}l?Qdq)SpgB0ZnoiX(&F2Pl#P9Oe6jwd)Xu5`4zqKmyOvTf9?Yg&$
z%W~hVHBFxvEG7lvY3ePvEm>OfWDXi&)n}tcgwG@M@4akCak5rQq--(0$G|5JHg3gw
ziMuhVG%FBiupLaUTYFA>+&Ph+R&cuxf`)XI#8DK})GoJ7VKhwaHW!%)BKRXnCp^oH
zZnJCG1~^=hLKgDxXhr;fggr%@hB;8fAGF=&R!)4?XfC`H^1e;qXnU3n%V*KdNaYVS
z(on26u9$NVQke#0v52}N?im7H@G+gzSV8QCs4V|7Ofd)H#Zo4_fCWCq5-&r$R8V3y
zef<N_aOuZJjqS$LS{ua)5iiGsKi0@y-oBnWXjx9&_w*&xtD%*IEpu#h+6lgC87emC
zV#hM4$dk}BmcDDN^5m7{Fz!Wi<5vH4Gw$xGBa69b7c-@&vf`x-xO1~#P)EDBD;qn^
zIhGRmo@=24bY+O`<DoL}6>R~%vQIA!4#|j6<`^}sSfPIy&(nk^lAycje;8R7fe31r
zmHSlqOdG4^E1AEsCGJ{WedVl4cH8Gz`}Bp;;^7aup&nnG==1g;0lWrO18k@fW0#BL
zU97>%Qsa&nY^95Am?-VC`AQdWgF@qa?v@z)aV$r{CpFIQ_{6ws4E?$gn|VQx2d({b
z&A)WkUc9W=0le2<@_^Hy<6|klqA-<%Q=leq*$#N6_`25UnDZ$#OyjI^Bg55^5VH!D
z!2G*D0`M+C?dtQk)L~pD{!q_DT)aeZu#C-V&=NVte4QR;Ei-S{&lF%JeOcgfyJ}$(
zTb%ginhZ9wSWI10kB4sD+rz~?^tvXUOL2e(N%_6ZGM)V><5l_;?U+89C%~zol1%uU
z=&NUceRYwlaw@CQ0D|b~w|SCzJ#X*G=SoLyu6Ot`(B0lmH!&_H5Bp&bxA-25&Amk)
zrsECv3v(8n$<D1!mhsHG(~d2^?@v+;A4*@#OOEr33dzJAnt+0zrZs^8mQ|~WRzvjE
zR2O8f4Am<V9~9XDuda0OsEJV9)?;U>Mopq%)T=}i%_2j75;4)$^(b5qr%Ts~I_9v7
zcuy!&0@K+X(@plNr}8)d#!_f=Oz%-$=)@EpW*_s5w@4q7fyHtgS6YC+l$G&>P}y%l
zUvtEuy5R_cj^JQdlCcgE$JO0NhJW}%n%9n=w&dL0O%2hWyAa2Wuskk2%z5xYavHWp
zMFFt&W^tWymGv@ZrBucA5^XR*2?yD6A4j@9?vzi|jg4x!`_s$D9;ecid03}!?ULK@
zeC9)hUs&|lhF!U|v9FaFdJU(OIt@Neu~AUpOP;uML{cTA47>PL?8T&df38W4wz|KV
zTNhH>Y}=7p0d{=CJ(4e|s#%*#-~@W^d#hJ$@!shsbiUeoyl^A{gixGpBnoW-0kSX-
zD4Az~wA|hJb(iCP)Lwp5eYbnmS4s<f9+T`Ncm~>OUGcPJ|7p6wFECoDZh<-52V^T$
zCbh0{Bq7>R<$>`>6?eIDKGJsZK3kddQ1K)YK*w70UHY6rJ=A-3PIM#LgqOO?<Y{y|
z<DQRMtFJ9nA5p|Ex^_FNw|+@&(a->90EcJt_}Vm{QfOITot`9AhTmot4CwhXWpRh+
z*N8Ba^}earo-s6;+}kpPUWLmRi){`P<|_q;U0%<-ITkC_T}265@!3mA;pvbTcQLVX
z<lTFDPKo%DsCMRe+l(h`sT(DtZv2V&9!!fI@m2kkoSy|`+7l6TvkH^=YIM<uMwb0j
zX82Qt&FJ$V3}<JjHhVlz;*u0SD%qHh_hvm%w-B5`B25{h>QiJwTi?-$!Bq|>{TNUH
z+LIlOTu1ZSK6A?T03UxqZ4R<XYOW2qdQ8&w@3%AK=szA1qx?ara~GH^(uypG>ef#d
z3|*~hK0!q**5WSrD9+`D2UvuK!=s0s%lr_kY3C9su36GFTT~oXs>h?Et_nX&7-yF$
z;u=_@zU}63e|RgTJR=F{BYI5nm?8;E4)vVmDD?$8MN4^fZRmL+^cZD}vEJ<Yy4_^t
z4=KnKI8JdpQN>9+KDOJLYc6^FE2vmHuD3P=cBgPLF3tgd3$2}6x_T*MY2i;XMDJGJ
z<|86XH%NfnNIp64NL`+?js&e=17}8xcp6m4XTd0&fE<eEXxwx=Omq>S_N77YRPrx4
ztl-1BITvML5s|H&Ws0;;HY`JWaD+fTP-=g{I0il<u<W(z6PrbT_5#)ekhU6hErr#I
zvB>8-NCswA6sXk?!cT#P9H*{MkI7#D1!U~T@cuU(L%>*1Np?>Eou&SMgZ9hJP~;6b
zQSccMeRqNlRp}Nvh|oyAsdhxv`iPeAc27c&YHh=uY7jqIu+`SI7vZh>kqVAltClv8
zVShgM5%V>9x^c2CHEW23i#7-|(D3I;4n_biznb6tY7rU1H+n`uZG=9vm#d-l8kM`R
z_|an&G`6F`b3dF{?E^d!3&((q_A=U)YrO`w{Ff>%6inqk>qs}(&`64U?ynLM=z6=S
zAYG!7wqoXk)<%iS<lU~D*TuX%dZb{t!^6b{fL-L1k7>gM5p#R7rh%dv?CIyUv;Wr@
zb&l~Ob0ke0!m5%bw|`y*sV)t)4?^>SNrLuxyi)XhwKS7Glaxj~Ag_REd|hdS((^8o
zw@_c-r;1-QCR@qY|1TI4e2JOp#OSxuY1PZ0jKO1Xsk`Wqa0`6`Q)UAf-fU6Cf6(cV
z2;YY8{SiMS?dR#DVMd&@NS073ToUWp`Fv^y94F-=JRq!!6`Sd-4!qd`k>6nUB7c$h
zk~5=~UVym%z(v>8wZ`3nj!zy5Eyv)StB;~$)S^SI+XpPY6wg|<ABeqY0e3mlh+(dj
zGAeZlA)Y^ogT*FuqrFpZnA9<-ii{f(!A%4P&`5!ZXXktIK6`=*SQbc{Ct3j88jg^q
z7)Tbxo7kOP{`#1g+BeSrms>WvrtJ}j)#vQyIqXTRIK~KPeT+D{R?V%#I1qPmqn}BR
zxkS*+{OL$}h)6r7cY(!Ehk0<zte)@L$sEf5Xtig@k^~)8M&6GXApYlb40M5mwdTW(
z_jvAd+ZnFuzCxCCcOF6!r{xOY!hk|H3>BV@FZS^}Oq142yXkna@($o+^?@C<R0qD6
zIX%&Awck}Q#w0hnIZWZ&3T?9u9dh*2jE%pf60UK;!>h#^!>$H@zoW(0O8=c$$6+2f
zU+66D&a>2Q^}Atl9b6Rq<sfXryd6L={cQySd3~KB&IVImksggm&7g!MU9IqfoLGd<
zNvdXH#;yKMhjUPWPbYj4xXzcuUII%pz<9tNo89be8cPCY)4(&W3J~Vo&y~+viOXj*
z<uKljHR_2(#t_OdPL%co|5Bu0<R{&MaqG8b8`dr3^x;1F!LJ8hsA5n9ZhV4oIq{H+
zkJ*`aUU>3$qEj6F%`~=d1_=h6ZDZ*+$a0FcQAB#PoSc9{bs#O$$k1Vg??64X71e*<
zkEO4eN1C7{7_anutxCoM1GC~Pouq+S8qdpjpypP3;tzF%YW|Sh-0$=CWOFjEJZ;`m
zU2dR`$MRN_*p|Nc#?L=19c>(NB^l)rGX+QU)ea-be0T6UAinQmBFfP;6PA2y-|CYU
z<!Ji?eXEv-lNB@RVLlYjNPz5$6{{;{C#c;(2MwRk&MSz=)xH2QU9+YfC37XOr4{!t
zX_+YHHU(qLlD#inBM7k6?)uXOnddWQD1Keo=&2yR&r>Y1X_{LIvSN>hrp!=F8K)o}
zU+Zgw{SX1bR2OX`u%CUoOof*3zh+jLLlbtKR>*OXy06X3HghBJI}#k3ZqzHg4X`RJ
z>{Rt@@$~;*?_j<unkzP3qA#6IC~~Q33v-U9QQ-S&l!GeI_e4ONMGZ;FA{yr}={xR`
zP79Yj&%7EI&_HAunJ5$X@aQ<w?U*+T-vmwPQdP~dj3;6>44(1zdH8yUaAnxHGV6_X
zYQ!-<8gmRZ*6YkicV;tzdznWyaf`okbDPO~mh7m!)ZJiVws%yK=uP3W&2AZabSA2J
z)VbKC`Pu{cF%uh(eIE>wPb<~uf@$#H1m$w`9{oZ+5B?JddNh{%in~tnBrEiKj|mi3
z#&H;iL%BJ(y_MS~OC|m1wEXK4P7wB}lA4LJ=Ak>-pJ9*bnND;k<O|lvG(N9_<;2Bs
ztPCwr?6~q;?lP6fS9}mOU3G#|m5dUPa(*`2vK409mqKlVPW~LJn#rbRGqlqk4<cF&
zw2H@vN7;b}zUq~8Iyz3g=G@tvF8-*)W+S{!I(16mS0)m6MP52R?J*!6pE4wN`j@1z
zOh=~@vhJd^4x`me^hAavGz`C0>yi}p_7ghq2o)aZB6>K0n2HomMJbDT_(-;dMTlih
z`f^6r8~Y|>b4_???hc~*UUHmz?+Z77>(M1YU)i3mtdBp2o%`iYVmy{roOaCaiy+<O
zFlwDtd0}&sP09n@kVa>wV^r^$&_m~fP7y^_HEfA3uG6mqR(_{e%9GDv_PQ61rR~Cl
za>g^oIqu#ri0QaaxTy9rbF=a9$R-ZaFs2Tz7B5xG2x9Y1Rr%E!gw9`x`Uy*|PF%Of
zM%wv#_ewSM^?1Z0Bm~HPUOx?dR*q`n9wZ+<LXo;`)JJ4<lSEYqI_*#ojaCrQ<pPPz
z%$7B2)!T4~PLhLYhG;}EtcLnTf9?c;DOxZYM)7HaxFoSX_QJ56mT@HsGtX+6V~n@`
zyK+95J0uY+_nHpwO0jz4_gU;~>^SA^0PEZ?3wGMcVMB-d4APeek7oyXY|lqiM0L;m
z1;V=K$R;tT+Ffs@GQ6BwtO|W7sDUP%`I$}=xhd)eMJ8AK!t$MiqBFK02RXxphG^oA
zTFTC!BB-fyBK+6*At91L)^dtYNj0MU^>n!Y8>f;<qpxyjHeq2#z>+QJBT6~*q|ect
zGdvM=llrqcdW%x4vE9xe&E%?G_Ya}xo&Hk{kx5$J@k+HUK7&9pgh^`)F&X~F0i;Pv
zZ$h$=Y%jE<HtP?9-#F{E3wRQ5Lc0vrBg=AR7~5l)7egoeZG@tBbnSR4O)a|%m5H&Y
z_$TRmnIPAQbk!Sm!#_&l`>7H|#jH~K0xb1tm-l%A`A)j<Urg^tiXBVTw9UnIM=Yp*
zmhcujmbgQ?gcec4o%6)Cti+`usDuUvdwST;uw|P)uPL9mP=pM3*7lGw@8%xtMUcYR
zyDY0pdq+_b3*<>aKtZc&-z~|#3dz!=Y3k({^8!-l9IG8F#)oGLel$s%!twFQg4CR*
z8OrZA32Aq@JYt{S4rlwg-rtr<U>H0U>JJ%jfgge^!4Et2G6xzq8&;%K+(?4ZWIXcG
zp8D+Kg{!?VbWG*qV06P!W4kwybvaEcj4vH-W=%9NGp2C6rI$9^wEIsY^GeL~@$Y8A
zMj5|~>q6_ovA@fjP)k3Tn%%Qok5bg99w<tKdcU)jXqU+GAm1GF7R6X~F7M+8(|j!|
z)x6ZlzEJyC)=B&G8ZH`!<OJgjN3}Hu=i~~8TFW<wfI;d0D%kV$!$oi6@&Pzoq?rc7
znDz3di8Z;imgendxejvM7UYXu<QGF7m+ryz_`0T_<0A_WRcL~kRD)mqkZW{4^W0{o
zW?uaJDsSaf_sP0hXFIJOXQwI|bKP=GM-{|eKnh#WHLrK4KA<UgtlntaaW9(6%<ly=
z@4`h^qoQu$m8_@(4NnMW)5Ym?s;@cbTXwB?Sf%Rd)dlYEi+cVRKOMs{kz<HUD?W`u
z>+i^HIK{gh1)j7qoKk*E4<(|QGI0C?nrmt%X`>~W7?6lxGE|!`2@=u5r@7cQd@|hU
zbnfi<Hq~Iz)ef6Re0H%oL)$freyyp`*;u2rDdGRj0w_8gDOJx;_IW}}HsT}x!MTrZ
z&(Y~B+Ul^@{iC|xAhB-nvHJTjSQ^HN%(+y=A9!hmDql{xKGqu}A0f%#uLnb14O3r|
z?2Ut;QE%|?UyOYyx#se)r$U`iITy2kuO=*v4eQ4bwXNrJhDppjXZxt+1l;smRt-r}
zUGwGIdDE1sC%=4+DkIEPq(Nkt_%s%wE>ku>S8OrbaY50%?TD2uQvS)UQq!>-&rt7P
zBcc2_uIXw`7BZZWdhH$KwfA#{G8#6)Qi75oluP$%fmtRq5Luv`_SxRPP~{A{vevNu
zelk!==}Xgc(Ok=A+E;UmN=x!cf3@cD-2Hl*J47bYabBof#;k90UthL!y^9q>ZtnMP
zcAk{&fxj1@$u6>4YpVIYMZ;p6bXN&1X8DARZq=+4a@OWb#w0a<`EQ_;KjFv4iA&e3
zOV0lxIO2pJ_l@h`jsEi@A@|;U5zWlVTI(2>Bnk7p(d)z^onW4Vsl#zH(bHh1v+~t8
zgUVJxXr@p`PgC@(ylC~Afzc~Chcp>ZtOe5g(OM4~%Y^ug<#fa$Y^jDrA$`j&6!DvD
z(@mUvbDfvy+D0rb+r%OWro2_@oVn`55r0+fXE`%Ly6P^N<i_@rKL5y}|A39p^TXA0
zCiiy0cCUaQV`Lou-OT9TA<OZrqc4x?_v$vf&KSdDj!w>-q^2g~E=4o`LfK|8=83|s
zieA_@5_6&BK%dxMYhF~@m3Edf3<BDWU(LKx0tXF?Xg97)O_V`FyaxiSeVKQm@p&Rm
z^amuFc&Rk)Q2mBuXtF<kD{aE&Lk_$tOur6fFR)+wx~SZ+Rhasf-B3=vKGe0iq((>7
za2k%2zQ7%H+*^Du<e_d2s5;NikIO9-4>`->Vx8(IViRVkdfuM$*KcIAgJUtU8?5c%
z-Jy(!ZW@N-G9I1qHAs_j2-~%v-#~k~Qp4JEcipz@h7z>q^tIpV8b!aGQA2E@f1wZR
z*5%ep3-AM)%+f52e>qOlQu_hdZG1oN<{O372hDJ#!E;6HOEo;}Qe9c9&HZ>$3;T!5
zrsgrTSrC3sbJ40Mv0aXE1Cv??{SV#ZuXq+Q6@1J9899Z)*CVC6xtA;lYFvlY_kh99
z+j@qzjhaY0PRr>~3(<FRkbJ_BMCHh~ll1DHY)TKE?7A{(7SG;{)6E++5m5_%ja-;d
zjV^w7)w(tkfQ=}v@AiCzZs2o=IrMw(cI|lY`KhwVaLDo3Rw}A>b2rWKmQ@wQij*25
zJae=Jt-lz=XXu=f)`^4n+?Ce{{4)$kYy82q;G+F0R*wH$UY7s8+$Sl0ukbHen}oK%
z#z*a^f6oWg%=5b$s_)fP>omk4!M|XvQ}#p?+5TnQi;O&f!CnM8{(>E6Y5WBnk^Bqh
z6w~ri`>y{P68mPDck?<){%8BjJ{#)M|HHggz<Xs4Pygc8{gr=39mjusyyt(Ac2-ew
z1VEQ2NP-7<cMb0D?hNkk4#Az^?t{C_pur)y4n8;u?gV$T?Cb8H{q4Qa={em!-Boq#
zepkijMOgnIlohG@<a)ttoq$|m!=Jte<@o~7+ouBSVByPGlIsA&#NBs@^M|BU(iimo
z@O|y!58z{0!@8~r^qzO__b?9Oc|$1*I&p~ZGozAvue<J>k~z(Vc?xVs>l578{J9@_
zefcVq;n(YPKDPmda3M+zcG?8L<ZqvEzw^iZKrG6c4h;scu%tqLaz=kNrrfwE4cTt|
zaNqg~Dg5Vr+W*f$?0xM~qaXjE(u11y6*kQoi@h=+>*naO$?a_HC`A61N3v5bKQY)P
zR?-2Y*_h_$U)I8OCA7Iy6l#6eh5G~;15<~2QSuK;_9)j|qkg=GAv!{Qx5<;`vG0Xb
zH5-IXpih)2(tb|trp?IDtT<_4N)j4OG>wpp^gnh&MwJBWe&1*<d?ff1!Ub9T+AY+x
z!`$YC=e}<k9*c)0%}Q*_Y1x+CSLDO%8ouew03W@-YFZ1wJD&MG`7~u$W`dGm1AZyU
zahw+j9lZU6s=IqP7xAnNTg);RS$Op~4J6**v@b|F0MP<YIw4M)ZRX3>Rn@~G)S}2;
zdU8=7{^=SUX!;UVZ{~*IaD;@DO*&p{YdjTDEWx<@O9{Gf5ejM<MA>ZLpjw+-8Qeo)
zlkWE#H+|vv8i>2-EemY0Vf#2pSuN&Y9Wzi01*@npR4O%Riz_hphw^3r$Q`gxBZc4d
z&sL<Z3$bK7r!$c)v}~^>3yXh)QTMG4G4k@6ZE;=Br#sV3=Jy7CONPArvA)_K+^EAI
zX_46tx}7*nH`O<({hYso)%hwQOYGz37)?$A9*OBO>qNs@jwSZQdxp(wDn@J4;a{ps
z8FnOQ-<}SnUF{_39aOvckk8n{13M}Be|vuVV>{byoL+;~GICv-hN@K;4icKR0!=yD
z{g?ooPGyai#It$z6?0()38EvOo;o+Teo50!t^-<sOJuq)<1EG~Pi5h%O53j#R9{q$
zIS*PTTnlCAqW64LZ&i>ts|3Z<NhD%hl2}{#oGGp9-{#ZzJ3Mfal9O!KO7iUCX*hK)
zKOx7cHh^w{Wj?1+xazi8Wh2@|<!)MDgKk+svb6(11{=crmth0r=WXKyjt9LcA-RZ~
zH<8g1+&^1}%N>sw_86W<HFaM53RXgP)xcUE3{9xX*3zs<nQ?&709*^Z$}-pd#w)-h
z9lh6$G|7nHVcW{?fn}Jo{rgn8TlD^oPiy#Q41g-VqKvu0NLf{VF`{3mJo3t6MjgP7
z?u<1*lD~ktdyEaAkY1Im)lyJO;y06jzLY1JxwpxxA9+)(w(+W8w{9uJ8=5I!wOv0S
zz5YFKKIy@Zv!nD-pgrkVX-aqdIUe^ZcU-iPoon?oBJNo4I=Cao5<6e7E6<G)q1Eo!
z??ufTL;BUsftB|>@v&mf*4Ss?&KiBFVo8#PKx&k69J%!iA6Ftj<fYl$D~7mh(Y&Q4
zHrJfV`Gf_GJdW!|#oMdmZT0RiQMPkuj{N{N+CA(gCWXh&=F7Q}>Iu7ghMNUo+7h>S
zuYZIG+FmwF#9<>u(%n3ECj%+5$Go;(phP_t9n#T3rutw}H|i@IcN>d*;B<pnHBZeN
zqrjf}GyK{DYFv56{g8o~!RY8<U^?c+|FXca)9>Wx-37j>2~~jn^7W-k^U4d5pvY4*
z0ROF7!B?phTZPuKx?Ni>5|ctv{W|p<=XBds#dxosFwfZepfX<@nBm#77`Jo&Wj%WT
zsU>>I`+hN-5ErRRIlJs0MH39SOH6m4zf#Cv7DY~Z$_-bp!`xPmkeyzX18R=+^i_b6
z(wZM6a^3!e0{dLer){MyeAuq7+I!q{Y<m*Dk^#OfHnxG^U57a`Z;^rl>Uu#n0iG5B
zq%c_V3X{~YaB<PDsVIQb#?MBxBkh5?5*p>rtNdU1WmY@2Q4)S3eV$rs+cS9HrBya+
z>Mh~TAnq8fao}Q*7hptdMB?)DQ($M+nKr{QZFRia&5;`n#56k*_-Vw&c&O`I;XFq9
zVGY9<a9E8ciL1GPVlgJ;GD%3_!4VR;Js|!AT(R?gRl@Ef@_pb5ZRQ0>_z>8V8(MEB
zvyQ9sWwm+@$>p;xct3j{Hq%m2Eeb_~-0r*-h^u4O<z_Y;QkJaUzdNh9uHH7iKbKK=
zj`{h~{~ZGX0w)niFYrlnv~|}IOf<)Bl019W_}z{7B%8!nfztfj-jBYGsy+%z{c+Fx
z<o4t)s_KKnpG|%?1@j}zJ;uVPz)|Xw0cG!Rt@qfBpf^sfDt_2GM%*x#ur7?c0eJ&r
z36kK*AJ|u~H&bMkC5S(>-9Il&#pE!ePNTk?U}*k>665@eL+<wvN;!t`FQUeb6HLjc
zBL4@}aU<yEv>|4AZ#r5tA{8Mguw{AY!f7%(+nWHfSd#$a**O)zJ-2oXE>&W-Bqe*a
z;NS6hA5W{r$(;<;np;2q_lWPfidO4$zL}zp!=PdVM191@jWwb*g|a`_o80w(;w9k|
zu}Xe8u+s7%i`<}U<U&R+pQDH0j{Ck$x;@P}DtjF@U>XT?{>lo>)+&#2%f{sZ8<K?U
z2KIr>GP8)c>^GpMr0~*>VPXDG?oGt`<qxUt#0WI2LiuiN`4QgOEqRR`+)SL4d96jX
zwO|X6z4?pKy#U5JLpn327`U-XB5=hFJ%Tmd>N4Whd7#Tu+*sk{gX<{5H#~$%v^_FY
zmoCrFdI&~s0#HgnTW<KaD|Lo2K^Yo`(hNe*+YSNy`@abKM+Q#Q;REMnzU8F0Au`_B
zU2RjYcctuH@eoIlkDDIc=c(=8Yh{B!^^szC30N%rGObuKlJF<9v<Ax|I1tbh<3qTr
zu`c8*;nG4xw`4zP&`M)x<9mJ+(UQ~v8+=`a)G~bopOZ;YT?_9a4#1;JmUCU~3W_1J
zHd{GM$vVA~f2`rVII`)nMWC>ixInsT#;O`}v5@LQBazMh(0vVk%S4c5by$T?;cfM1
z&Te+%AM>q-x6r;O#sUjXAha!n5RkPFZ!QS+MS+yjDkWd7&|3CDQI$$gu;bue<CSK+
z!AUqV^Cb4$NSPJqF~_=lB(6jHxFah#;`Su|!E!-xhI5oVOSyp$5MFjh+h?{V@fJ+-
zNg(~2{$NT?uZF()QQ4zRXF7oT25e25e%N9-43sUJ9D>XA*qflT*7x3OJD~>iw=xTu
z4tj+zO+)tft?`f-plpUL+^83HJx87%tbu!dQ9Etd;vyD%i69gEV{EsHsCZ*T#k8)5
z)M(Y}2U8w0`b?KkRu|ZS>@Fyk7<%&+jKci>d)Q!=2g;YblJ1AxH^!3HccGT^iH?#}
z>Q!Rv)CK12FJA53$CB>)=|5h8Kjsxodvr@(3qLPge%qu#GW<mycCMc^Fs54C+}tPa
zH#)XN7mKyr-gz<#nL*3X_B&?m<?r~Z$hEUyjkMxQzZ<`)0WVX$ij%2lHX!Rzk{8`6
zZ!ZKB=KqBE4=T#rw%j1-@5X*RkZA2QQFKWHxc$BGAdo}wd}3>*soHMuk@z2!jC4Vb
zK>r~Y+N#ztFQ5lTuJCm)-O-hG@ha`-*=x4zs+iN?1$s2xXJ0s+UUU_oTT-x(Z^7PI
zd-Y6R;MPa<WoWA|2@eXxQgB4sSkTzAfyrcUQmIb6gknr<?Khy!;0@#+^z{=Nxq7DA
z0=R*W+t0+Xx!5fdXOJaYb<QT!#fZmHAK@8?`$tAA4Pb3jP03hZb^*lz{ltGJi)K#T
z)^|pN%?n4ZotHG<m6TjiWqxv8$|q02)iS_soHd74Vo$Fj|CG6{IAi=OK|#_(i7}yY
zkp1{&<jM3$p>$JIBda1-;hT!>wFJwe3n0pwW|hhVcG<Xj-kuau_{Yr>k8Nj1i8`%t
zclprtf)$yz=(i4qmhG~-v-N;oij|3WCFQ&0Q~RP338FamV@?wf(drCSO4F3zWxY5V
ziEl#PWm0c5V(MN_73IiXkZ(4dq(%43G?KbE8w<2tVLn&AH$t(7+|2rXmT;AmaS-z3
zIhB<Cipj{KS(&W@lD&>D!@Fsw_Te#qcdDO{zyESKwi)@fYul@<r|ipG=R?X5b`CX8
z4EElY;~AlPUc5`Jwq1=5--3D(6_yLrukSUd@Q}_}gv3Ac&-IUq;!{s3lV|lrT5lvL
z*YQeaLXogDOBYY$gy&Pa6DVc!?A1r}>BivuhQF;t5BLE49nfZqjn#KIil<H1YukRd
z6%<`hW4C*%7uVCY8wB{3Xgku2U`RsI3faOCJe%Tyw3{QySQGFGvh0pF<l?t!!C@-&
zh_0{c=7W2a4NgZ1g8O0(QzLY(d(@zh_@s+LvY8lx)|Uqu<Smgi{U$EL(e|U57P110
zp4Yf+EZXF2#yxDm#-%Mk_`8HnU)X}A-?QINMi>j$gt@fPz|S6ugSD-F8z1jUgrtrb
z{Ok)=nnCp6I1`kjkbn{$JB_{_(_PP;2m5^)<CBT!xi%VtqCebJI7onRu~e-i+P#~^
z&?7CLt)+nARlvAfy$dgM+qW^ACWS}G=gdcy$mo(+=^b)kIo=C%g9YU?xf+Hm7U1(=
zizie_xL$5c_15b){vN4NzFc<fzTO(MHiiIfUghSmLwLu>*C`E$zbqe-!ES-m*t(h=
zbjUiWo1M3$8>QgnmGGqJmvj};sD<STJ1g>L3~q+FY(G&dD*B2@39WoSsQhp1J1$e9
zrcnue#oJ2mZgibmdEyV_dS3c|Z14x3NE5M6>GgVW#g%{3>&J>J=_q5um`&0oQPTpX
za3K0E++XFaM=mA`*iwl(%dh;Z{U!NF0f8XHHPp5F8k8K)YMb5kuwIo(X|57rt1Yux
zlkIsbm>V2z&_N#;Pt~SIfTVk8iZkfH_ObN+GhdAjm3E&{7tb})ko(nm-$$6X9ai$m
zI=I>?;OoA%Vq3iHvVfQ&n-t;lunx9Gx24frlvE$iM(z3?ZHG7K*wyuwsiddIZ<V4z
zKbYIV^kwf;qgcK5G8NY~`R`OtDbwz?3*rf(3&nRI2L0vEVGTKLsOrxD?I+mzd)CR#
z>K2}W)3EY|oOEJ)4_xPRuiQGF=PBVE3bd5SY=!-CN*CNGzcp`oY5hqM7;RJ=!ln^b
z#wI?%;Q0?q*C5zh%@XLQ+qAM9Xd9Ng84LUKT^(z+IdvBZ42sj;+vCk6r2#k4L}b$1
z&vo}Qj&)zg5VG@Y(*_`(m$C08p4gStd`X<=RMkxC8j+srfAVg01tBq{N@7-7K#`Yc
z-z@e8bPFH89(?y4mqJKxi(%IOHbbZZQw!(TL0JQ8o?*%{!*7bBS;*&(uxHg_CvOup
z3tbG^FLih@8q{m{l9$rkvpnnd6h9>P(REB(WPewJ2d(tAxh-ea7fYuoF#}@Kt|7=v
z;#~x*8xGQutdU|oKi)O=H=NNyS0_J~?=tm{QmmeDZ2oq)kF|WphA_jK4!U&z7^$|l
z0hF>?);&SHF^xHo0ql5Xd4Z@G+x9wx*|;5ui)~FHO_WW+jJCV}n7h{Qd%B~|_hlB&
zvw)IZOc*<WBQ-NNk}Z@r`#q{&K62a3`wbgC&BC|(FdMxtD3C9Rigt;_VJM4pBU(C4
z_^6NaBzNm|#@$J-WHJGtl&|Z~a+@??r#%07ZejUbNLpf)4oY=XwW)5QVs0p${7nEs
zb0}^X1{w0m;n~wiIhzP*3c|fcQ9%`W;%PJDcaA-Q$gq$I%{<#>P#Kx|3*B95)g9(2
z2jG1~HfuR7gw+0G26P`x4bGUfo5Zr1H-#MFcvXQ_AmfY-AT_9rAW6YHdmX)pf~r=I
zqaKsk&?xKl`$WeW`gA<oqak(f^9ZKrokc_|Mfxx{dnBAeJG=cM8$ujKH=L=cOtU$?
zY3G*&CfR1SH(>{nwZ;|X<&PRPM8q_+pnHI{_DvY-A5{FLNb7BH#jDEUtH{IKsdc9`
zvl5v}X)}s%(^;>WzwY|_T4#bIKS$|5s3PZ6>SLIb3cCXR$8rChA#YY|YfXuj=12A_
z2CVkXAin(mr%#fo*g2#1hxvbY{_AJIudxB`%o3HE!Gxbn;K#I8PZ5VMD@?_T!}7v}
zr<f`tS5nQJMw950=QH1?FyAjYIOZkmauG1<wraW8$npc3suy(uNu=cboYl>4&|S(Q
za&-NlVCiAeey5Rz60wAsRlKl5N68WQ-zfisIw5}lpfcPnd*=Ta_<a9Agj+51`%F<J
z$DbuK@!#P^h(BK=@RFlr<wmJ|-X-p`%0s;^AvOm;Z0^_i%u)?oQkB{k0^IA}<JK~r
zV~MIpc|kWbe#(a%QTB$Rp?6nlGoA+eF#c-a#xBsJHqDe6=UQJtRn&?aS(*h6bGiGr
z2>hpH;aVd9CoXV3aT7(mmXBC79v`0%({<%Rx?ZWzny(b>vt;R01`RN>NSG?cK<!jw
z1ky_(_a=P_{N2zdMyD2n!fo-UK(2N6#r%=Dkp4;KTLXYVb=KVukzb&%>!sSv*VEHd
zt?#UO8Aqh0KD-kSS@@OT7NO69uXj<;p6DM`s*-D*zwcFoP?>9lfU?RoXJtE__(-dv
zO?rTR+;ZVJ^SN&(iHMDjv+6`*pDWRlEs1U2r$k)`IlC@fKkC)#TK}%)is|yptvLTJ
zs%(M4Agg4m=|s2ilu}Qdw8%)?Dc`sJ-m#Lw4bAnz#<zen&4tnSYyk6i;|Y??{wp{u
z&f5TzH|KNYXdRUis&+!hV9rkEeIEn;H3aeQ3SW@Txm!(MIz^7i@4P(6zJ7JY_n3Z(
zVB+gZYiFxlpEmd`Xxfp2D<;YM0XD_l`8D^GjN!-1367~H+drttkADeOu{G`Wq+pjL
z<;{xka@jP!Jb|}QrkC4$E29YeP{v<%fWX6*y7)b5LTc_Fn!GI=H!~ZTCj696Gnpzh
zh-oPOOwNkxfwp$Z>k%}O>mExgc-V3gF!rN$g^tA-U-1wy+{iPGahC80K7N^MzK77b
ziy%dFm@h)^`3-+YD=D?U30|tcAnp3(POS{(3wL2jN!LqXXE|+!wibZ!eS+E4{6+pq
zp-^@3a<Dup=YBBfT&f%de&U4S4ZVPM);t7(EOvrh)8DnthEL|EbDKdI7dX5(#guGv
z(GS2HA*5kbs^TS@57CX1?)=ZnTzAsfUu;|zsfEaYy4c7y;nlx6&QzZwE9e%^*Ho=k
z<72|nRad4l@sa5f<Jrc2@`i~~FQT*oi)E_d?1+_Mw#E>1F~!N<F4%Ayd6azYItZ67
z9z}UEn77F()zj9}t;};Rs3Wi1i4Gu9tJJF5v*AawPuBXH2i%VUcQL?1pIZ$Udu$Hg
zg?DDA9Czf5ZK+-a<*5B%?x~Vj@|!>@(Qs*tlB`jhs#HX9req)6>V=>Go^L>Xb@`&|
zd^-rVD&P?W3zk>~OE#+r5k9AUJ-$(vP|8Q=Tq=OPXUJK5_MRW4y0mR+<v0umw6Qo$
z7bH1Jj1N}kfQR;9&-4f>SoH~H7poVsF(;Q@Cl*WWU742HBu$dxC^40>Qp{W<a|i=v
z&DZrY!R{@t-CkYW%C&ec$4l8D+qn`Z<^a6S?se)@xmL#Pf_ob^pj4k(_`7cwl=nT9
zHwV8LaX0bH6Z^-wU4h4aZxG~k*de6N<s>vtcWuwim~jL2@61C|vZzsK<a*+=;$;H#
zj~Xu4Vmf>jcjuYnMjWA(a3$!RscO?Se3mE-t>2UQu{Rx&LLBUWYnb8}d!CW`*BYcJ
zYjuW$4&sZinru6QIa+hQ-E?&mgaU{9z&(dex!*|zE0F*0DoT-96Ih1s)5{UvO5~}^
zmh@+JK6=?=a>IR1l==iu2aV<zS~3)hpM@r425)8c8nk02vXNqs|MQT4xt5t41A~ss
zWz}KBQxG^{xto0CpFB-8?;ykAs?4q<JGAbk>X!UdN~LfwMX(f+v+)|{x4{e^KJ+5v
zho3gM<x`$}wZ}yf<iu(Ky$BTPQ*9`}>r!U{iic8%GmX#@G~Au}Lc>g*qx;QRs7fXA
zFLy;-H!Zqe6moIPuB(u6)8TV$!F2Hli7;pq{^2g}AJiPu>6@<?Y2}#!tyx&(8+?!n
z<A;v07XI^my}5wpF3`6|^v{MGAYfC;m~_9!ZrK(ZII0IzusGPTLaomYZ^+m(SQ+oG
ziwmxAj_BA$Z)`Tl5X*WP;eI%&iE(X_%?Hd~8(9FGt;bfIv;nFoHOV?|B<_vb-i1=C
z4UWlP>yAHOc9S1D+T3xkX53GCz_Kp>WJ04~hoRZIp=3yt&?CY=4{v<PCR8RDggkF4
z_+1reexcQm-od?X)&(YC!uo=El(&zqF8s6oa4!5(H|{ViRVz2{JjRbWC-R8p;GAp`
zPp}v7$`*2Zfl?jruxYG6(&~0&=pHD&+cF&~7Zfk^JRo=n?FX9oOO1A{Q9Ct8dQOL-
zUwGQqJG5jdl%_Hqxj2AARRxXVNj{bteQs?~%@zYg@${||g6@|>0lYKZtEt4^uUzB2
z$jy_AN&e&6dQ2Rp1Xc=At2d1)m032D5tmd~bO?{4Sb>90iKK%MH>3&Mr`N*9&xYW@
zH?ZdO7UqmtbXLVz*Pk_ReU^@lZvs`G-&(bJg`)AmyFwZj8|O<sQL`arTa+#hp9kxk
zWDp3X1fS(rFypVW@1!+F`LuZu6ZW#EU6nB6bqFdK$1DkKVl9m#jABq}=)*8{4(a$T
z=hdWB4X?V<t@SCv_TZ4;d$lQlyt7O8%W>tdR_64vt0DE=fGCuVHmg>SB#S$%5^^^=
zH~@nvR1K~=6r4e&_=(KDSxlu)pnP!83lx8Z244f;AzHqOV4-@Yd20qj_JCq_am}w0
zQ;!t3a$zbHn4*-#()nZ9aC@37TPEOWo@?(4*lJv-&LAb*pdFIDb~@#Xibvi=|7k~~
zkqsS37+Gu9Erby!6Bc$b`uFw~I<kh$t3{#`Xyax*NCJMu`%f&{?o@(%<mu>f7Ax7%
z!Qb2GC@TC%Z!}rPm0MNJ_F#mS3=+!GW(=L=^>#Cz4BD3zIg!*w`Bu?l4Rmzviur1Q
z{G4ApIbdzck)29%%)>i;b4<OKTr|g>0)md+5_S$k-z8AUyBlG<AP$OmLrl{c0PG8{
zHGfjX;h`aTBWMIt5R}q>F1Hr6PmeFH#lo*ItL0X7kcB;s9?qb5jeoOvIzr`$*B%!e
z{ev|?j{J??`fCj14y+q%f&cX<G=!nzuW)A~YO5>WzAs<DZr`2>id4c^oWAwB$Oes`
zA)suK6o<{x?MMkyXxN2`tEZ}BqTMZ_4T;mpV9mwo?#2murpuir@I}{@jtr!^M&Jsv
zqe;#?-)dDY5tx*QsnlpQgy3n7;t<;s42h>X&5fdtVDN*aV%*w(&=s#ld#o9ZV)<GJ
z?Uw%>N(AdO>HHr1I}T*w>$bWMFCS+BG{{j>KsWn!t<K46)wJT_nvGIHi;-c#lNF4^
zQjDPm?J41WaOi^IK4!79P(m|$Me;Ti(c-NW#atoN@zFLCF!+x6;10!X>_U)K6*3-n
z?_RFO&yAGBZJ&x1IqsR&qo>nX%oWDpy-PXcwmU+x4Bb_7k>`7~GU3Ftq`2PWS(u#U
zZ=>c<pTa)94+LAHd^rDQ89T$?`mIP;69dgXs%k%3+V3+G*RLcguKKyaS>Pz>*qmjg
zCo9F+u*=_5AbN8gh)j@|psK#e2(pbgJpW;jMQony(`?<*DxScUy!eC-Y!g$d_sEri
z<Y4XKF|AqiPw=6QV*wBOFUwsEt}Zh3>$96zSp>wn@~g6r<>iPurIO3%JDbv5rZ$tx
zVCbbSDM4g=7`6CvTIz_6RIFqVu;@>)q+^sXq+_plpTA_@NX0xzx981im!)d@jujH5
ze8L{DGXbw?wQhQ!?qUYmkA4Wilq0i;h>HK9qG3)y#K)jbt(KFpd0OUut+u@;6HR(*
zE@@CSEOK<irTSOF;aJX;{_Mkdw`zLsHLmlZ8+5L4@T;?&;GH=t85G`iaILN=7!8J9
z%ktylXUn@}m)R?;E`6LElw^qbiwNyq{Rjp9So0ZhMVg3hf-mDV5KIRB=`^o8f}bn>
zJ_cfU?fI8JZ>9*PMmIf13@)xsi#PVOY`5DaT_w!NUTAozERgpu#g=<L9cU;(-&Su`
zp*!v8<@3Fhs7O0)oo}+?ti!pfujbavItTYXDD~#E{A9x`g#GREHAt@ecE(}IJNGXG
zT)zf=(&wCbJsD?`%@$i2snPqo{yM=*7|)bXR7nU_7%F=yRVV5}d(lCPr1vVbfqe-@
z851ttaBVE*ZAHY<cYbz@^$vIFjwWdp7|DWiXAF(L>Sx%~R;;Vk5?%dYQq2*!=p!?H
zsHa_rAL9f|y9A;qE9IA`*x~dT5B(pFj794UYxjpvu_5%cJuN9j;h@GYhu;eh4%|W^
zPaEE%B+N3?cZV%12*ddrA{=+3dv3p0Z&n?PXz7pYYYgh8Dn~C`z0Q1XS^0^Mf7&HW
ze?f(Ld_sL^IS_ehk4wU#d^6QzyVAbaWKX3-;iBB<B+LG+cR+zS;IpfY-wza&`fL+E
z+Cmkh(|k+?i!3Q{iS<{h{7Ql3#g?YazRfkC%PCK-JW3WDvCgR)q4dl)WO=Sun%v46
z%jHa$vIa}Xn%2fFhPfhBX@5#>l;ryi&^}J~_5KO`xqXE-dhUevA-kx(v^_hqrJ<m*
z{mgp*xBks~-(hV5I57wu&D8S`>Mw{m+W3(w5P>vB<jWNV0if3uP0||fxhPkoH)KHo
zNvAXFAZcvO@Bv2xD89nuMIA@em{ayY&SuNz%Yk~Y$McHmdE1HVU<VxCQ{DNW4~Cie
zs&CWen+mgmX)D<@Y{7*Lp)m65Bk*5!#Ms7JKM$gdUt(Py(=hc3Nw{{qcQZV)39%11
zTb5Xc2|HXA5umxV&&5(yx0C}AgUe*0JVcUrf*24?Dz0HjFE;zy-B-Sgd;r7yjFGrv
z4eNvi(to$9F0yNLYEFrP^~QY~FZhD<5!5E=Lox(YL}g2*s4xe6uN2Ck9osq{UA61X
z+TR4Q7j-J%3%D*%eyV?F3@RKeXqXV0`yI3#SU?suU}?SdY^?E4_&1RBCI7<bv?_;7
zDc=28q~vGE&nY=M2P9jo=X(|FpDx>NMbbt)`x@>@d&S6Vpe4wu;e}#w=ya;yPjreg
zWSsUf`<`W-NEq&Fwf;d>n03ZtlP(<eylEqf4m;oCW8OW<JPUq(1~2S=ePpVA?o&7k
z8Vvk8_>rZ#ZP#j#UiXO|&`+ye$(G5eS<42g)9dDKArcjZmHmUoIvgrQj%T`)fJd<)
zyR%@(HS+W2^>(PV#h$6W)pkZnHHL0JRjrK1MKJDQsYVHbAzmIEstXeh3K0s5j2sFI
z7Uee{-TMSQ5c-RW|Ns7x*7-iC{NVr4%lg4*zp3~SkAkHBgChMfRB*gcm%e>;!v;9j
z{MIstgoKq5d0Lv(B?m$y)ze)?VgcGTYFM=%`b4|>(3N*dhCF0FUzQE5p6Xs3guZZG
z<na_^EBDUvNl2P5^7k<sbE(HJyWLW&I>0#z0M@qJhzeU<NE+7`;Lcms#jP?OmC({r
zKj9$!9n7UX`3D7itXYGuB(ABga#FuX&a{I(sDAtpirKjxF8P?gA4CW<GmVx+T>i_E
zs&GtEVuGG<NRvP9qZi%S56%NH74+g1ta#1ESI4!cF*1tj_i;*Q2G*FMnS9r6Z(#*Y
z0deXU8Iip@kx)-uUNaoP7wSLNp7`ujg{mgbJd5eRWoOEuPDG7@<kejdtSJbW)4OM)
z0dyJT)0oSP!#bVt6RJ0P1R=JE#O`jASw2iBk2O**h9&$&i+QO_HG=0iTyKfF-^;u2
zc#xa7A6ubOBZV1y)|9iSqU!U3%U&PDV*3wXHYfLTTxWK2Tk%vjRN0Vx_kcf?7YIbK
z#qrZ4#u`1g<~IMkEO9gwpSOMT+_S>r04q|lZnbB?8o|H=Tg^;VS?X$=h^EUIix}^)
zMa315E&p_^Hx-fsz1FsD-xEXHI!HZs(~0$$KuB&pnJpd*y*?fcOM!bQzD0_+)HuE(
z@zn3Pdx)GTrJM-OybH(G5jRmCn4;a2B+s`YpUcCe&Vl!!aOJpfaoi}t1$cb>?x=-a
zg3YO3S1P5iwMLygOYzc$!C96dsn@Lyda=riS{+=e*07{kbgMzt=JwT?Rc}vHFMekz
zZ@aU*&UZ_~*h_?nSibfc#8v9~l*ihsFq*b5!NpTE#M|zFJ@H1~@=44nFLkf>&&&iK
zHlB!x&@711e}u-jhLhD6)v`laY}&@P;?&rOooW_S620$ekaGuJHWX;Wu<Y>II-Ua`
zjP@6N5?Q)DKAIbBD2>y$PImq!tGY$e#)E^VbF(T41wSoQb$S#Uzg9qo%Y^)_U`<|1
z-Yvmgr@2W$#Z%uffo<U}p79pHV_t)*<wUN5Ln6`ggOk0mm|4QOUhb#N#Z2ww1XDCr
zBu{!ZsLZ>+yPA_4glx1buD2I1i8Tx3WjZl-7{$2&;xTdEA^aa@3+J{@NR;y$A!giP
z@_^)I0!ra)a$-qYk!k8YQI)n@yH=~o<xCYRqYq5N6Y0At2IQ-Ekxdq@j>5KTHRKwE
zO6eR6^W-Lm7p-pRG#Fjh$@t)Ok{n4)IRsJU9akLmhN$XJ;HF^q?^}`@kMDD}{*#67
z!&ntH^i?e5Q4Pja-N7TB=aXr^Q9J5Yx2x*9+Q0$_qMz`!w(g~m8-(<oqpzj;H<1te
zT(Y>th#~J;YZYumGz)#L^qm2ppj}+#QQm*0phK`<$|%E6Po;3E^&kF087P0J(*3^v
zk`S8zEzVhGF(ar?IHfa^H9O0A(WXd$Byp66j+F#uDdT{fhOhi1p!JM9$+pmSvNl!W
z)jfvi*<Jl}#oMntzh`M)ju#%8#vq%v%$LY7JkJ$;&%tlOOK+D;6=A2gw;Dg-jVFv7
zp1v=a9C(MO<ko5h+Vz=+c5d4UXZZ0VKK174XsQAqZt<$;j7_yptv@Hq#wv~{ma;_;
ze6?xRWeNIFGtHN2&|ih5vXii#dMfq#q7OoguY^2%En<1CPCAteb;2Qh<G!Me_9*te
z{IdU`Ht^kZWkaXqEve1%K#eaSRWR<i<-o+No7Am(2M=f4=EX3(t29&CE{U%|b*>b{
zPliwfNae2Oou_DjWy*g-NDm1e^V-%Herm7jCeM@!ErY?+Kpm>(aWx#Ec_n3xq9fhx
zfPa-?O-Fc-$P|?$KSK1f;2{MX)Ao*m_J%~9%pe1_8sJv{ZL6^mN=r-I$o#Nxq7h1$
zkq_UtB_T*&a04I2f2O(2PLf<N9rkJBTL+~&8+Xz`hhf<zKP!Yi8wAR=?BJ@_wb(+k
znv2hHl+xm3n5y0pzLN^vvIdmMTF>#P71yR8>j>(l*wN+`rbo6~%K$nlK*nY>$9J^X
zsCTA^uT$lo#NnaK?{i{@cWub9N&Djlx3R;4F~q@tcOlMg{3r$cqYIgj{T@Y<Sl2S>
zgwBb55p#7Lhd`QYqk85`FISz_6;e~Lr@W#cvqCMrULfiFFEG#pE!azn(4zFs-?U42
z>k?g;m<ZXR1se)yPkXp?uM_Qpqf>fF@D4U8z9U4zh3lLFc+@?-r-FH9S6Fi@`2`(+
zI)q~7d9Jes5e>l)Iz)V3n?z~kxeM&Gr)r_J&5gFa;wNj#-JbSW_<`CJhJ;W@u9{c$
zJ$;^8d8P>@PvfU1>T;BL+B^wjDx7+kJLRf9BDT)o@MGav`LRv5q0Tq`wRV9zh*><x
z$-8Z2Z82tAiFJ*OoJ+=QU|fZ|jFxaI_2R%QnZjkrG;(Va7d>)f8TUfO;%Fm;DE9QC
z-e4i)di}i6ymeAvTdZCC=pJ`}J__(jjOO5?R@b;~v@!DqB^_x=KMHa7hsD}D;cj&t
z<xz0^(WdZ#^@(YTg4?llQ)Oi@E}$V$C%Cejp+KP)!Wi|Q3>Ht3zq2*3^J)@w;s`mj
zNH{Vc3X1hFgf(O@EX1L+$rG`V$&(Oczg^PH%Z7y>Vx9;kxO2hPZbs*?z7ZcII)+#-
zxoRY5AkIjaHXk$p>|+sP$F&ILEU2RiH6$;gyw<?b0`tY=MYtU_#4McE=ivhQ-8EPQ
zmd1j^xRB9vv^|!@s(#ZaE+r2eZ#~?(8Ton0C$1lN--u1hj#tKJ8l7xJ_o?o!8^#`K
zDK`AJa956W6$3;RQ@k|D^CV}NwSE_=)jT<atK^1xQ5Uo~)|3#F-xLs<oHbrm?C`v(
z8_T&vRcc-7jj)(_|186K^c@RZM~{M~^R~nXAE>YG{yeN)->(;DBGO7Z(t0P!iB-4I
zywL;qmIhfgCa@hTI*PeyQ)rO!Sr~4Ju<lt$tb=ihllREUlnud3vuow<G8$&<F4a+$
zE$?KyT8W{ayUzE&R%&92=iF7jmHMtv4Jqk9-hupT-a3!a3i&Bb&95|BDjFltrI%ya
zV3xI|&O}G0VTj{>CWUeIq$2D?vo^Fe(h%9p(HGI&3s$yB+??tg3CbLORygkNA&TtW
zJ?-uDed4*xIq5&#^6%j+528Ac-7IPeKuTl@X#4IPM9wU%a1{2IShMmx)vZyDvk&QP
zr*K~6<A#_$W2Z7c;u9?tZKwiFZK8Tl=i~RRY#j~3r`Y^mpX^YA-xm`JAWLW;-&AF=
z+b!<B#y3O18aJ9ZiBv}~mLgsDzL4Z;e&S&`Eu5&>iypcyX{(H-jdzenO(Ra>%GYz*
ztGWO+6gWnYvj-NjAWN=0+!3H_r7uNSUCQa)mdBO-AKgo@Up1l|lo)w5`}1T{)C6@(
z^$?JvGd&I#27P_3pch57hkr$ZV5&pxt`hH}5W3;=xaZL&zjy23+J`PvK%o<Qv~sH3
zF&afmyjD5Hex;lzEfx_03nG;-fG*i7tO3rKYon>>@)x?wdu7hM_jRWVys&)dc<mLL
zH&)s|+7p718s5D?#`|iwHQg_Tjer^=DPF@DvunZ;qnW+y0zD#083ok0V(+6%X8~45
z^h-!?r<?l8JSRjs_Mia7@$^^Z1l!pQI)=s;Nn_7r>1z(ow)(@nm^{Pa*3bPxb~5qy
zCs8)^`W4n4zDO_hncsSrIxqu^#@o7ZXKS;K`^OIQP<KLWkR+uZjMAJbITY+Jf^@2u
zR*+O3zTB63FZWjd2u<(w^2;pjYXUz14=#e#Re7!*NmTu*Md$7JJVCujEx*mi>RBH6
zp$fSUk0^9G=^73D)-w&l38@I!82e%{aa6G(Dg7asY8_LXpqJ!v<{f9|MTjp&<U9L^
zsQPY9ddyOOed|VYnppq*cDlE{>|D+FP{5)@Uob9U_F&^kD!x0p?U=V!Fs7iA@=W&e
zVLZ7PZf3zcA=UPT;Cj?&4t|iUn;T^m4tp3ta}6HA1(~q&*5-DI10WOOY0AF|L>|&u
zc`{PF&M1|_mZJm%aNgAoMJVt$=+b@uutlo)c7W!3%E9U=H6v=_80W~swzA7|9&jEo
zu-~#rfTy(*10=v*gP>f;Hm`N(X_e2(bjvrPXT%y#k=`jim=`})H<G%hq8UKx7z{rZ
zqW0O{Etmebnyo3Kl8QvF#<|Spj*d<BOg$J!US&O6O7b(z#0GUOErcSj&7UqB+z4oi
zB2hawPAZk&Jj;#RSq+_n)K|uRr8@|a5m<qHap(<pd*zPuggo7SI19E1Z1;E)4i9*b
z)@t~R$G>`!7YOKoJXfaF(X@7Q%mdB#Ien3D3v-TfZV`#<*u2UnZ7SLXm|CI1@Mj5{
zL7Lgr9v?F2-rd6gESTy)w^INAJ?j5XLt9VW^7JP^;=IuRYgY8VPcXDy6A*MR-sGWr
zki@Fq{UkMy#xza<#bzM`JFOcoIPCa!36Zaj>G%gCG<?j;2`Q5uJ)hypov01X4Bvig
zW?d`eF}6Y-i6lKsd*>R0QHzW-V$wY|EF_!9Ds;47q#=`)5F1|+7J1<Q_-Haf@JBMf
zKpme(;u>}jM{iy-n5$Kkp8RYzXR3pQ(Uy%kPq1YqOPn3Mn(@t5DiiopS%q7KkxhQ&
zZz&EPwms0ds^8Xgv&gWWYM`6_QoB66q>rMnnQB9wA3a-jlg@Ql1z#1XeQaM{KFKhh
zKD%C}=4^a#7XeCA-StdCLFId&0bPI1bsb=8(%o-vwFi{o&gp3#drV4=?*Y^*Sb0}5
zi>WPZ<;g3cY{J-@nx*quO8a+LVXMr!KON_GY8JQo{U}kRDd$AKq-Q>f67*|U{+3Z(
zNlkSs{Rt1#yPI$<b|_p|pupjU!l)eWyRcz0vxz0G8BRJJRtBu+cb}8M=Jn&YPPQI6
zyTA%)uE7SfLZGW~f7={)Z4r*Qh>RLdVqMA~9AG964S!bCuVw>#&d$7_e-*eJ-#xb$
z+4o>QXF|;DC5*QVb*cxr>Hz%eQPPA$lD+QgswW_KQS436HXQvrDW|x!FlLOwA5^hf
zYEngdD=VHgT8{aXaz=c5R?Y_=$1d47m5BZgZenqxmugR0&ZEAWPTIK)nW>YaUg<c|
zJL7!wEfsEqx4`L$ukVgsUyz>8O9k)boG)_gBbhS@4NDmIE3u^z2T9OZR-6z5n4=MG
zc1Np+KktV(WX19(9kpLr$ayZ@i>T<DuBlAsKJ=<BtB@Naf(24X6iS|c(6rl&_0|O0
z*-`w1N?4Y(<4g~=j-6DnP{LXNS<4-Z<RHq(u49@4%27}{>$osy*Gk7I0<wnMl5eoY
zBm+}tCD0^^Ke{)^^!WG^e*WnO?2-rz>FO_*jwtE6nvGT{Rix}m@cih-B9&!Q1BZp(
zyJhN~`?7=(A<wta>Y-66*oC|4w0E;vUOpJ_-q=PQP~r)<o=riD>TXQX;M2&KX=#it
z8MpE;Lr-mouA><1mO$a~z8!uW?v!DhHtqDR>n)6qF?Q-K^$#2<)eE6SUI|FdhNy{r
ziN-XOBo<Lii93&?tTqjf#MCB5*ruPoz|oR&Gf2Dm>9N5J6H6K%kUs1{&R$!lx4p>B
z`u6LyWP08pE4jI<K<8u5E?D)$B<uK6H^<YlS>r)vPINNDWib=vZRx3bEFWtajT%15
zfmrultUZPcCJ;tDV?Q9ur^Q=X{Y3jHIN#GLsxNKU*eEMPKnUxPO>h-~H(XxV=yZRB
zwx+bMZvVjh+zp`L!Qmg&1lld7nZ>-4*-Vc7sw0Y0{30=uCHOS8EY>hr$>N9NpUOp3
zHZJPnueFth42%g`+x&LY6kj<2zKpWI{j^gtaO8qwCWp5c=TcVETHK`hGoJZRw=1_F
zBN=-I{k_W$CA%(P5CQg<f+toCbBT6xeIs*gOZ6PSmFmiJKD`GhLe0Mj$m;|3qXb0Y
z{~&#~ZfNIZa5Z6>ziVpD{9WqE7tXxcCB1f}k)6nRW7OnW@R43Y9Au^9ZF|?^<wlL}
z5K<3&5D|>d=isY)&rU4{-q*A!_aKO=)dQ;K2p&vr0u!a=(u3@2>+`9Xz933GX4p~8
zR9`g<E*Z{>S7&^qxhXU@PL)q74o%PD+CFTG+NREe%->rXiU(8p{G5X47ECaA+pbu4
zs5{Hfa-oMmLpjM^sq{sw715!r9t>9~Rzm^S4`uX8jWi9AAM_;b&!6B-!Ud3GG;yoY
z4Nz#$1d5N&rlM`B+@z`-Ix;?`{5g)tI&NVn;U9)5xs$x?(Ic<R-T{>&)$8c2dOMV{
zeUYRp{*+l<(VdE?Uu4GePj$)JbEt+ydedxN%E<~aGuw;N%IT?`hnNC9YiGy4B4Yc7
z%OfmK=PFGcZ42eoZysVsthp{Ro_5?AeQBZgz_(w<F+{B@#;7XZ`t26Kl}_*xJouN4
zGGMhLKdq;-Od{%oxVRsx#!W<wCGbU9Y_4NohM1TOByPQwrG8O`pqL_pL7B;0pg+mb
zembzo_lIr_Vf5m6WI#&@o78bK2cUWF6R>K{uEVglHWALSk>9P^$YD;+|4(h+#&^jQ
zlC5g*b%BW@f70s@|JeY(F2l#lek`*QhD&RZ5{b<_U69=n>cRXCNbrt)<|T$P5?bLJ
zdIaaTdM?e}`BE~)&4FE8oe67j)w#O{N7CGI5SG4TT@>3v@(IEk!+CA3D94I%6&u8>
zKkK7fX!xh)BbCS&t;K8v*!qY%innAz)W3+FLylo0KihGi-=a^x3$bac7VqnSPj@?t
z;8bq1bm$bW4|}v7l}Xo>J1Hy0k7N1sa_<?BkHo-+pr>VU&SSJz>X^%S*Gg4Py+JKV
z#PmKSRF>u&UrPVmP^{qT>`M8PH}~5@LY1*082DGHh_P_esIlqD^J6}#g!2HC=5$-R
z<iPY0@`><bTJW~)T#A86nrteP2_rg9<os5%+t}$ZJ~ET0xLvhlC6DUQD1BWqkPYr#
z@KUX3bqble2{mvw1iu$25Lzi#O8~As^%5i7L-E~WO2C4=Z0$(-@hwiiCAyg7B#JYX
z5w}nqu`K!5A5Q5I+2V%mSuE{tow#(J6K6t%57SQRa=obJy<B$a9FqRKAMZ{6GZ!$?
z|ETTy3Gq1|8Ak7?^SB>!&jcJft)9L;TAP1q;qrCaGpqEnI!5_$33Z_2$tR2RT5sSq
z$%)itE<@k-rzAtJRth<bvSVwH=kWNo@4laHhI1kEhV}i4x>%SUjbdD!P4~1qVoWAM
zOhYmCN@&)4vWfbKGM)_AGK=wwC-*s=n#(p9y~-kTONpio*h8M;C-MBy4BxD3>-c#m
zj)kbLrQ~^v)6-5@gUWA#?Pf<PVTaAbq|K`c4R<xh`jv}E*hZ=nvXd<fEQy`Iw3L8!
zw2^zAAoJ|m{9UXanQZ*Oh!JsRJ)b7}uR0hW=6$4Mo0lQ3pNV&xI0!!+V>mr1Sn|Wv
zu8GMQ_1vdp%U@tV>lGa!+Qf2enGW(7Hi}V4zm9AnS7lsZ?uDdFn=Pi66$|ev$5lJy
zluE2ITtpdzpFP!!%A_=JM~dY8qOBIITeTt(hAqJj&tAF<ZGQaJIt?)dvZ=ee8SSt4
z79T8eO7bSMlMI3R&UoLx@ug2@uAT>w=9jO0Ho=|a+=Etfwy23}Cc_i3yCdd{pO(j&
zO!X+}_*CM@vZj`&H|URlb_)&A+^pHvqiY!~auLd<s#vdGsFy8*D3^Z!K`VKv&95Z1
zC5VQt@nEr4z$F~$=1X@ujYrN$H4v6V7hX1YdU|mkospVdmxned+Zv^pL^|XF#CchD
zrz})IA9Wg{z({4Y%~@85Ff|7m5FgO1kiuc7`gm(OKzROVul7ldhXk9G2FosoiBa9E
zMJ>tW(~D>@KMS(~zt8X7EWJn`x#|zdVW(_lCO=+|7R+JLDDK{C^FV2Gxf13LGmV8*
zY7gz&9H8-%!ja<o>;sob+V?!Dc<*V6nI8q|XT0}SD@`fxc32dRTR?9r^Z%vpf%Ipy
zOcx-QhYtLGv#2aAcg<VXz>lfbHu2HyGdpoNGzd1-s7fs;xT~c=rav>*Q6o4m0mlXk
zlYfQGXu`S$v`NF0q^LC9l8y^=oB1(L*G}UgDch?nS)vZg^er<XD)e%rP;>j7wDEV=
z2*x<nf=OU6Bh}a`DPQ0uN6Eu2cK6Iy6zIlFo3va^$kny(Y?z7%2Y=QPY5{V=)?N!x
zg*l3x!Urml*JbAo4%)l@muf_g^tV2fScVMBpKAP=E0kV6f_MJ&ceVS5HJqlwEw_5=
zYd0_q@px=C%#ar&mDSJ6Esn+>tUI`f<rXUJWtXw2tZmDdtNE^``HbVwB{d5P$tpiJ
zGc_(=K_{B`tf$M_7k3gAO<I|2DZqp&N3)EnynCHrysHh?8p?XtEu*`Ov(d;qWE@K=
z;2r407@NxPlAdAn7<$oN%p{h#{XP_p(3L|GLeDL0Cgc8HIm^ifQQuH35^kj}keeBr
z3*U=GrxIcms?<E6PLTUj1lN>>^8aWi@84%K&e<!p)K$OPm(Ps%h|Rdcn;6MeNPISF
zRccJdm>nM2^QPv8rX^&(<Utu7e?GTWYO+@mI!>=Kl(DngyU7Th``*S2{br3?pyzC8
z*7W=<cvBY#hPC_JtZTGMw=jbT9fmVhQYC*cP-^gskkj=wqkO!XNvRHTZ*{MyB!DE`
za%S9dl-p2GJ0VuX&uTgVDQkq&Gs%PTfEe-nnE`v6#M$jbN!Tu#;~Ux{L!I+6wC(d<
zx#0bG&}$TGTwBXR@%2oR_z%b|`pr`E&kw&7i2}aUfW_boA@NZj!xqDHQ^*o_bIBO3
z#^AzZGC>o}yqhV{6Ni}cuh(iRuN&RDIxc?R;0DcJH-5O@{V;OPu!2*{C@vdK<P0v=
zl?p;Kt=c>0cBVJnI?hLW=k(V=t7s!BN+152Y!(#Nt@Lt#U>RoUtWxg_IFJhbRi;Zi
z&*y5G)KLA4u*B8IqYrH(0Sp)BIViSSB&Ha4w_UR<U5%&>L?LTjhkjVY|3y{bkALik
z-CcgFYo${&H^1QoY;v~|=9o1(p|?V<Q1dcjg>zw~G$EE2PS}y&JyP6?G+7FjF^|?6
zc7h-m=enx19LA}SiUe|aaGZyoiVGv9r`yXJ5zYWa8?m-(ot03-3X#anKeC%(no9q2
z@~U}ISUHDM5UbuB<(oXkw(|JZLPQwU-=@pr-R}D4azp6kMUams<(T&p*aehlZ%n2+
zP0rn_yA*7RKy8O6<5uz$7JX~!W=Z_psJj0{4Rs9nWYO+RWURn_aSS^Q1-Tz)JTtm0
zkr+)>f+Y%oFSjsw(dtwg<7;b3X{O%0O1l3RD#=1mM$-|o8d9a|3R+r{Z2ef)q&0MN
zmfnZu-mxw066YMslWc`w;=8yeTtCyW5}LZL#=bFeoNaOU41&0zVMmu%27K}k$FYIu
z-pTZe3gWS6%5f0B>J#Vc9C4<|MeNgc*=0H|=sJMU|3}<WPgiRpAi}D!6MZ%KRN?8w
zXmHzS*yzh4mx-5VQN`>9u+0EAe%QaSjMw`|Zf_Gq&!p4-!pHtHk;xa``ew_N?nJ@u
zv|0q3Qp1h)b`GtLt|Iq36C(Anl&e-mB|>p6i_upSdY-P*kR)MFh*^jqf&0$T-0sPF
z8_hEFxI2;KLq0pd(7Kw#a-4Z_2~Y702k)vyssv$gf{2Hy5Fqx%-&fkQq3qTCAe<f<
zk5|0xYnEkch3!wq4c{%T)H;z_iAt1>`;%WcOWOaPdu}}O-?>p$;J=`S8sZM7l!e$0
zFX?pn)l^|Tx9@eYT?oH)JS8NK%*bj08Y<Qvm}dbgNwD)H;<BHZr8^cunlOE-vpbOA
zVfUu_rKpqJHO637gg{wUVmBP2Ox1HFv?@z}Zot6=8O9#c8*yAPrwq+f_#o79RYi3Y
zv9bj#D0t;FvOJX1K?drOkn%p=m(=!AC-A2~%CN2_*%hB(&SZGhZ^(a>;yP!vXW?Fa
z1Ld<he{iCPqsb;?!hEcLG+zr-cEdK5s4ax?(4t2s>~%n|c#WSY93Jh?{kh*|fN)mr
z+RteEC}lWF0@4@x`S~-7AGEZf#=D7l%;fI_Z{WJV6t^slFQpm0`_X;6?s4tj39Mtm
zJF~CKCf7lj;a2A9(BeV4`0aj$S#8wUn5$a$56VP<H!TO&X7LCu0`rHyHHD<+$-w$p
z#caN@lYeZ*QjzLTQ<D7Z{<W2s0D9Z##HsvsjvYkP&)^5KJ`XC!UZYO3BbHA_0A~i>
z2WH08{N`)ow!mpd4-3%W|4F9r%Ajf7WutEy<n;@SyH!Hb<?^0es=~ji#h%Civ%2Wz
z+snHw0~FHX!IUV1aDRw2g=KmYo2MmiLw@xWSVwzys)Ks1!=_B{2wAJXP16Y-(&p0e
zEq!R8zB5M^q;IbXW!I@V#WYEp-R(EXdmu@VZpGpr1evjtp(|*qa58_UNu5Ib@lAD1
zW0fOj9QY#^M(?l3-jL+IfvKVfs2>T`yTa~Xq#GX(@ppe^o8tNhMV)Tpa=Q1wh&!vG
zxPrG&lR$#IyW3#F9fErZ0|N~1F2UX19fA$PZEy=7Ah^3j0t6T=xI=dSTU)gkyIb|u
zce6Khb*AR@be}$5-S6*tx{M&*h*)T2<ktcU=rzPxxx<`;HfWa1;JprY8EAagEgY#4
zH5N%T|0uK46R4;rCY{VIFCmK%eHJ9g&gm>(u<doq>OLNEQ0PiEt_V^GcPd5FVtzUq
z{7Hu5llt2BN!{~M>J7?lZI(7B2eS@t<<I`))e2g*(3bR)Q!PQQ;zx|R)uWq;FHx+6
z#x`EDs6wmZGKv&z!QXY#h)p-zRY?%MYGi+TIvhmUjZX5|6mETe&JFH%KcJ{pJQ|Gk
zPu%ch`QkVn*}Td(Uq|)3KpX7i@;Kh|M-r%H`!Nk_^pydT-|1-S);A+WyS#$dH8@!D
zZLD9&YE)KI5b{OK^9_&n2&ZC$c>Zp#6ybTL<<dY)pCwek8g94T`f16ZMzU;FXlxQ9
znu&BI<m}qS>h+AQ(u7H?*Dn=l;GejgqjO4RUL#imQZY5uw_lpn=vdUJ%USypXD?e{
z2WG1}!DaE(82E*}UA@XM@apzu;0+2GN9k4VqP?k9LaJZwApfRAk}U+xGqPw~y4d`-
zeSfyGI~rdG5NTqy*|7I57%XMJQ~dpGa!3DXU=Z`5iYIjej`}UqjknKHf}qQR_B+o^
z+p(7XZce#JFpk2ch*8!Te&^cGN;=K}etFS(9PmJXv{9d-`-~b9UK~k`JWi!)^nB-H
z&?gZcQ<!#6$5@xZGVHdVMJhnP#`Q%6)jj9D4!ALo=<xYmIxx1=>4Xra!SCxzR!LZK
z6tFqzMeT>*TP*W<-d8qtzQ-uq=)ElREF%N1+T|xI-Z0n#vuMiAYGEm+cIvrxPI5R-
z-^q+I9=0zXFx|NC^$O4Qqi7@d=O1qsXW`m&<UMA3AvTvw@R%w;rJ^%5XdTc-21YEj
z<VIxk{x0efK$}TWGe%@G-&*@)(a+80o4q1SWnt{6Q{uYMkD`JxfC-9|%SJM{6O<FJ
z^-{*Q5bCpW*||K(sZkwI*saiK{{e;X-?LokgEwFym}ss7w9{XFYqA84tYhbkUA4a!
zVkuD8G=3>t)yuXN<vmnfPS~^7N$r^WDo~uf>cqqu?8W}g2XM!ZaOtcQ3$H4?5$uql
ze=2b3#6Dv7<C=Ce5I{w1+Gt$Km(t@a%}5Rwugs3+2+CZGZTMW)D3;K>38f9DWlUl6
zh(%#Yb9A3nsT+aFm0C?Zo0?l2tEf0d5VjGmfzI;wJBDVI`##%kHQ7PS8^g(!47fI|
z(pVOa<Z|7-cs~vSyd732;3$daw#z(EvRdnv`PEJVYlAcfO-;tCcwW_N<o36UQW!tN
z7Ge;G+fVnwn!US|87hr+K{tdS!NF(Jp~DvsM<-Vcff5QXlWezf+)G7sfYSQfnwDd$
zicPzk6g5X7xt1bb9cad)CrY{~%kOi<zl$fSrvDIxzncb!vqy`>beQ#gtDWmjUyaoK
zQm5F1NY{H+{k^d$C9&h{n}iDIv3+f~#WrJHeP%N@x#Ov+b{5{rXmHdvC{V6{vs)~P
zdDu0#fbC>_=;Aqx+;H8j8c5Dw*{JDJn4rO-JpREV$TCG^)r`ub;+6(u-z4*y7}%HY
zd8Wb@_5cVS=<B7fJazIpxfvCiZ}V@MTrL_wg&yk!hG<x~2^Jfyz77FA{<M6QS(sfQ
zoN=5}b@(U^HbqjY8GKHg%;v{KWt=aZ>_otN;N`6GYFv0*$K~w15;eZG0f;5isrD>q
z4U1Uo32ztAa7^$X-!(SJDIFN>j>M<a#0XWS5{z_C`?97<_<lvs%imT)Ph#?_ukqZy
zfLd$0ovQD0qMTlUzv#u|+78o_`(za<wer_aLhVXsK!{rrrh63&u<zLjt9xI+-GT;Z
zbMW|}n(WTF3_RP>0FC|owuJ7ZPou=2eEAAn+6;mw3~5GzSXa+m@6kERa|wHs)`_`)
z2q@-5^C|>>0|x%te~xV0s&6}tSHh-Rwuw5<pX-Y2I@xls8zqS~VYg)c3bsFlt-dm$
z(_f@(6~+Z9nmp6;Cr4k^{h=oB%eXy0_#SNuA$PT!9<c;$1iJ1#F%dzRrUi0~wUv)g
zG(V_G8Z{OySZL8EP?k&l^z@QrKf(_DS@iZy^fek?&=Tq9o7jz3Si{1J`#jgjO4ye&
zV-g@9IhE)VLgQrE4w<eiq)d%hg|UdzgOh8_L&JQq!yLTV*C{PF2ctZoj7B#2HdX4;
z08&tT7Yc_6rj>Ur%Y^8~rRl9%M$vS$ft@0E%j5{zJV-U6<$C`RgcOmO=nxY1b0NQ%
zbr!`k@pfYuC+Di$=%vN1)JR=>#%2t{CvFzR_53KN>Sxr_C)lKH5>tvkxOYD8DZC2c
zm+IGx$DD(ce+7;V%CMaI8Nm}TqI=A=z|6UqKecu{k4m6E$A&dF?X>~BSB?o}kiKwf
zz$0T_r1Hk4N3g<E%?p*wn=7XQMI!EWqZ{Vh&yV;DsB9QHC%<umxyAJ#Gy3xeEIAke
zgh@m(F4B=+9=AN<S|%%ahkdMmeLeM*OhLmB={{Td^6e(m6D~TNg@(Ul#UhoD8`bz`
zx4@~Bb^vv%VNY3;$}AN;B0@I0F=W>tSiig&-fU)TC<HyQAASpRo%j~0i)it106Dt(
z-<iPUq1vD@-q&&WuZAftrjV^=gcGO6Gpe$n`#W2By+E>K$rEPGKZHo@CCck8n_dY0
zy5Uv)u9m^8=nbT>9N4P2f8a4bc=QP&g3%E(b=<6)ru+g@Of6@nv9t^0FROtP*?txM
zv7?}j@Gb}>asttAf-Ff^zvLNTMo7VlOs^k<F4?M|T%KBtq`zMuDpth~LzYKBO^Bwu
zePU<N2%-*sR-M#sB2%s*1Xot;=eek>E-dCveZT5Y1xkO<>WH4+NcN{1SMsh(hc2$>
zc~_aA-AETZ9G4i0QqGmb@rzgt#pzCq124GkhW13u7EK%$MdoG{Vgh)YI{Ba<7}h=<
zA)W<l&R3DBmWh{GD&B|NlpXk=nziFPu}1@4c>Lh-N{1f3BWaea1=ctQHHO^e-Y+_t
zY7Jvb*4tkkwf$&vM(=Op$j&6iiv+&+8HmT|A*Hqh0)&SW$c}~S>AiL2t3PFRh%`+z
z>GEVxJUHYX-|cqcP-zjf?MRh{kEapjZ-V`c+1qh-#0h5%x0QK5zXEDM3Vs3u^`gp_
zZK9Lv0E#It1S*T6NAzEbpy52axiw*VSFq%9h8g=Vbd$*_RXNU;l!B``>YT8w-Gn*y
z1c5D?$VGnx?4!)HoZzm^b^b~V<~`h(vf9%2?`n}DHlM#5WIxa{n>Y3|34msWqHP4Y
zY#vT}X$zYrO3yP2i~?R}{UVlgw#~Fbh2M}*yc%S-<dUMLJ}|MVeo#FhkpYq}Oxc{S
zWRvK8NaK5P0J*J}KuNTMYZvT753mUP{P-JZJ=!<0_T$vs+_~azXJ(f5SF;ffm3}%|
z>ayEf_zqQ7<f7xh&EhF_PPd`4@Zovy+HoH$Zwl-o@8c93TdTZU0u}v4EZ7D#4wVdr
z<2I2iI5l3EUMUpD{D`BKju|N;Wtz7Yb1bGqL8cKmmoRiWDDmNVZ>7vEOtv-_9d&L0
z<?7d0Hc`=f3jY)t4M>91U2!+**WvqnVm>#8!f@WECIm3=71uN^AT~`~EP-?+hv8>*
zD4m)XnyQz0DKR6>dQpyk&#<sUl^!x5(Hw~RtfTQ$S*ERVSE52Ft9Jdu$zKPhp(3t$
zh0?gzx8eR)+C{ZPQPb~gfaV6U9ZSDo!j1~*P!;k^=8fCa6GuYm7u`rOIbL6r=UW!j
z9+G;Rd?|X;2~k}MKk(^(^XF*Dx}O1E64qF$MQp+zj_Tar{Vf53Tvc0{g+mO&(Vy&C
zMv#Bfo?iv4(VpiekeM*&yE(4FP2*D)In}e`Za#7b^4zB`E~!tk$L^k|I{cM-*sV+U
zmugPmn*by9`1m?<7}cM#=Atr`aXE<i`NN^vANfOyJ(S&zm7p?ig=<ywOZHhL5M~C<
zYNGx36}24`Ux(Z=b0eyZ8r6x`k83Xk4f11-M(6PRiKG?cp4FbOuaC-VFiZQZ+n{eG
zX(||Egd?u3oyMZSd0El7-JKxdPUgEQ%7Kp%HCC&%I$LZOTwl@o&n6Dq(Mn_3f3{mm
z_{E(6-pv^{=iVhG6op4f6r`n$LfLv{PLJ(FT%Tm`eD`l5QS<IfL5Hs5O}JkRq`!;?
zgMql>pbviib#5#6W8B@r=cKj^fV{0Pf2laU=|f7qWe3uBKN$%U9EWM2Qk<$E54ngh
zv;(g*vM!SXbClWdl1{-8-$~KGwa#qe?vl4*J`Gbtu4!Fyoy2xic>0v@Ux$qC5zQ7p
zOeYHG0cnaeF||LZ-9-Sb(v|4cw58sT&!kvL&tv`?{ABX|Igse;A{v4lp~&Jo6`}pD
z3UzlYMpw;L`ku|~`&59bp+Vy&ewwKsUnag@XytsLvU&5mtSz<qte6{D@~q>EucN;c
zhr+3jQGo0L-`-fkDrAOOLCxHh?Wr_%#8~*#!d*_Evo#t)(9E<h1j#llXK=+j`?}Q_
zf_eA$__5JuR*kdnK<cEo)V%;8D*BRb9q+K{t5MECyA-y%B$2Kd_3JKFNi>9?P?2X2
zT~-!ck&td=hKfVofnzdBpM4nZYt6fxm0VQpcJyZyXixsQH}2f_I{mV9DpE{>Yjs#=
zo_^Jt>xE@JByg(mu?4=>H(DQa$$8G94~6m8jyO}7i_+yP(bw};Yh$!(8LS!20#vB$
z^%$1E47p<JR0!emTPdr4MCQrNoxE?M$aFb)Ak6if)+v^TJy9JhCB|BNJulxVPR&Dc
z6V!<GBD7XG-l(fax*>c+9hNLKtF)(9y<zs`WlAV4g4ucIRIhWVWs6q(<Z9HiPfV<0
z$AbLIiSIYXF)ukyYud7}ilqv9Yu21MQPm2MZfeHiUFi^Ls@hnGj`5{~y`pN|-hII*
zE*vA#-AvXn*3|HE@M7=n47z-ke{{gdx`~g|cMgP1HJ)~8r_i7~GqhjRy2*b<#pk1S
zlgu-MgJYK&k=uceeh;w2H4h!NV-j+^MM|wNHS3e&r|uvtr}>pTf|=m^FxF_4iVGM;
zKPtplFMXO#4m2_1UcP+&5RvoVVf?*f15!qdc*M%xG4CwS^_2B67p<K9!Qyyo$&%pB
zXy&%_OTp9Nnuq)cy2)A9Vb%jLfisHUc*nKG5c>m;cWI{hdxpRC+Kewxr#O0PU%8|d
zVTfgw*P^9#Ia@z5Xb3>I)Y3WtQ759*ibw_s$Uz_YJ;b8Tb1qjT9*-01D*u>v%6pL1
zvR3zvPF-m}$-oI>d8I>KUl>w7Q{meT?TZ6Q*u=2!_aNhs#R!dbv$0NVRb&9<Gv+Rw
z?rxytT|W=wKFU$LgR7?H`Gh$bnQN93PAO}uj7*JToIWBV8Ngf>CYVnJj<X2f-f#4A
z;UXaHj`(Mjv(3w=mX1@Pm0fk!kU?SY5;N>uW-`MqIWww(R*|+{{wQ2bYRDRzk|_<U
zrhHe$!V}0{#^1m@>&vvK-t~4gGi~&So+Om<)fM+RZrZFPAuLv!9o*y{ShEJ4>LC0U
z+`y!VIiSnS&BTkMA@z>EA0t6z;lmv<L*Z>VF`e9oHxgGSm`FoHGQBwGiDlvxOp$ly
zIHJdVfEX_m>w#GULV+Sm1|T9=&7}cGPv~__0Sk}vj>YliU)A1dGxMez{kD;jE*?5Z
z7dNiF<%-{3&L@C`EY<RfRBDGHQ)aT!t_sY`_<{Jodx$L~E<*mI1N;Jt#lvWEn|Qr%
z&17}s6G#sVZ;iWI`i$lHWprnbpfJUj&2%<I!F-s7-&FKfd6A9gk69x#6e5<=C5?o_
zBR!Go()S+HQ&0dEIx<+prncxt!pMl7J4pDCA$>CE*|G%)qCcfrzhJ_XFep5`?AOZy
z_N`@Yz!#rrAf98X<>^0isnqGMonfKL)8+qd6<>{hwY#C8gjSQ!6^zhSreT}lO!Vqr
zAZX<OYp9}9e@&MaBa6k-5+U;-IvBHdUYeYH(05g=I1!#9bm(hNvu~RQJ0=AQ_)M=1
zGe;<7dzUHcN!y&AowN{S7Z!ISLI4rC{;KpDw8!UOfL@bX>|hoCDKp9gzP!Z}-g-^`
zj|XzcpKpt2yYBFR4-E4s4w(-D0A8=jiQ%E$NIHR0>r2aT|J=r$-AtZ}W0xJmGZiy?
zepd9{65+qo5E@J9e5*|EB8(2|+iTM~C)XY*mkX{fyM`g%V!pE;Q3SaO)y3t2L4D76
zId7q8+n<FCX=pS0LG^g?n#QVnMblJPIe!U!*fe~OSx1km>4kx_(7KGITmhBg8KN0$
zPY!v~Z#HX~FG<|m?*}VP#Yjs?0707=9UoERsw`OW8kO+uqN|S!3hBlLY$MOj$`SqZ
zM4QPk8n^4@pstVO6`Te{d_Z8GXXjX}Bkx*;5JT&X*nz=$vx%Ki(dpY?BlRiYFH=eq
z=u=Vdn9tguJ&!g&N{l+Tq)gifV4amGl$L4ZtT<$f*aZvKoFpc95}~JDj|~(ZwChf>
z%e#ijEfZ#NBL^1;YL_@m9AB+wF)AwQh?Sz1(|(c$ePy1P&%%ji$bds&x|Fr!Ph~x-
zr5IVBh-Urqs|CAZwqoXFN-H52VXHIX<U*4gkh{grf;L<#Ed0);OYHC73a@`;FOy_q
z#gXBs_Q?#l#d{Y!bFJbu&Dfvq1!s^frG<5j!suIhn7;id604e^U`)VqW<oY*>vuKf
zRmI9Qqh?Lk7HN73c~MGTSf)hD+|F-^0PRa7%%t%O%fi1^yBwaJj4L>5?Gtf?x=bO2
zqF{J=L8@|%nz|<T;ykAE_gQLK|D^At7Ngx26{%mkKW!fVwf1a_tBFa`DC%!9C!Ux2
zb41s?aH`x*pa>AmZ7BFAXHi=Ep}{NHa(xp0`*kfcquyp4>#)IOM~lh2@-De=;+KyE
zuN7r$-^6&WG6$?sn(QhO2~$Xw`$<ml@$2g?J?Yl<)~o#ejsv36YaqjIl5#$FX$4w#
zEo3iiuu?}4*W!h_>#Xo**zP?3T62)ercnq7HzlU0Jvlm3@zl@IwhtW32VIiF=Ueo9
zq5}3?Ykm$X@}oo(-*<xwM_lY1HEQ*mR)x+q1EnzeW`~=v$u#i~^J>I{yHm<kc-qx%
z*!>nQOFiXChpj=0;mQ-EWiPXY*~#8Fi4FZVaLZCh!evK-nwsI@e3ZG$C3@|h&ZiWx
zaKK~aj0RL(IyGS~RDpA>><jUaevcfPNb3O_=0OUKS9xRN+~P$g1K6Q))3=6wfmkVG
z%}EhIxtu~lmAT#5Lhd&bb5gk@hLp8?y7+HxY1(-_>x-YIu)fz69()VL?c=EytMF1+
zCu|feS!ObvS?ptS>0cHa&XN!+C-iS`*&7$LkGG3$anrWkTe&H`xOyAg-eQ5)2MX-@
z>$P5B8&1E~=I+a?7fhJ46gIKXFbem7&%2*wc2H!o!S~oBSR?|5q5MOki&Y+Cx+_0M
zI*oO0hu_tc40i6`nKGb*lreZJ5D1wMMVT($&RE$E?~ekkmWR09MMAxZh+2!C)rD1y
z1(gr-wpiSll<I_FS+|ef$#K!c1FYkj?7=wL1suDkWasLOJ-$c&>WocTB2N$G7nq*&
z<x!0n&T&q$e*<+aJw9I)1oZqvVAXeCW;u-~TZWpm?6PHBiDl$3uCmHmmTGb3J}6qB
z`Bj40@`0$os_@*@aVUH!B6Wr`X_ij>AFD011C%$?@<0&X6`uH~>m!`bj-KB39GPki
zd*~_g+Y=XChIrzUyo9xGhL)KhAMCO2E$<Hk-z-ky`V!scw499&Ie#iYH2!9661qM4
zx22eBk3a9O0Cc1e@SCoVBUWe~r#0tY_&qe_^M*&}<EoJ__IWK@PI*H)bV<9EnY-=d
zP&-Uq<r<rc!o<O?byIJzCc8EVYGB;Q%m-CMDkq?7A0=d9QYN@47XC7DX_zuW`nByE
zRSr$bJdEZ(`2Ia52BFS7x<y*+QFbvBb2*cdoHu!M$F_%LTH9~R#)~agC^wT^qWK7i
zhC}puLEjTGiVWKY$m9$gQ~bWWmoE~x-n2Gnl+?R!Ij&6fMArVqZACQP{7Bx;v&RpJ
z9SF$)1SBuCZmCc3S^Q#cNuMiTqVh9l?(<IMztD`HA9Yb1o(DDNEl+>rXxZPZ@3s+U
z&mGJcdIjERZBW{hxHQjo@Vgjz#y7g_@f!wTHpG-W|M-W%CEHAh@T^1+^2$-^134Fo
z_jE%PSPg)>ofiv_lXdY%haO00>>Q5rTM*Z5d8dqN;jYj7s%b_p^IWGleze56Ns*da
z>|g{MY6<<Je*Rwt=Y$uf(fpm%5>=~K#=tg)148Re0gPga7m;wzv%0!7tK_2rvSU%X
zADt9>O7!n8ndv?2lsMc!V2};896(l`qg(`^Kx>b;r<>r`SLO6bBN;27{YT^Br41{8
zbat-zdC_t9tC^Z=DbvF4A3CE4@{C*DP&!@O>(Z`CG;AEP@wR&2DB4-k!0O#46~t(F
zK%7JqoaA&$I8~C_;ie_t%aSGCzhA3ZeI{>$E&Au!E=Ak;vz#_Y#6JX(#k7JF(#AP?
zI9w8-r#>KTSzaLcz0nHOE&=QfKsfG7jB#n&v{{rU7}>F^n<uuY0sd0pPhuY+$=P)J
zme1l+O3__r25xj<O1N4!xvwK1Iv%VOJ%(#%8h!9?GB)Km#Uf+TolCGe8hI!nmDa;;
z$+MvV+CtZWlbL0q=EY#@dJSi9V<uYLT}CT)x=CL7<WkjG{_LX+>j;dF!AS|xEyeph
zYAlMQi8~xfrSq+eMUzf4KHgT3q;#?k2LMOiT3HMBd*m~}L6SK!|F%-Z^hK2P%eCZA
z02youn%ACFa-&4D{&4k6Eo;xq{=@<09p+A(Sp%$P?oLg{6-rptOfF{_LK=}&3=EvG
zpv}6>XBxfQ_;ZhpP<46HY1Q^7Y}c1p<HMr6i@(DX*xV4*{~Tpf6*&hP{nJ_1-6VR)
zB<J_|gjZ%7njA#K(?~TKa&AJ}>vJ!BhRDl;ph4l5DY^&csw@^F$CQVUJwH8iwoKJk
z_f>UsB$>R#+l})Bx<7Aqf0F1ecGm=VQjK_^^{ki)sG&zvvR55V3$s>nwY>5>9I}7$
zPN)WNjZ!mu7g?tsqYYTN=KMSpBL+=qP`9(>#uZPNu7mb!hZ-DRAI=u;F_L#n2c_2z
zA}Nd@RKjbii;TlwStUSG(=w6DI5ABkt95bOOR{OZ6ThwI)Hec`Iq+RL!{&DdJ|PNM
zcJIysBT0JV&l>5U!ciXg({jvnwui@!7PhvvOl!<@mPI1aeC6!3XKPyH7V#3n$_~Li
zEi5_1`X&7k1;1`Io@2tCREq)W*tc$?_*mPfjF`g1z+Tr6FdZBgLUK8^I$<9WXNz-#
z;qhORt1MP_X_$FT%llZfFBB9>A5n00+1pWM1Vq7!dE$u7>OQ9=&oc3$dcf8NNUbC>
zb;CQ}kP?@!D7LYSoG6DMyS<bnZh2+#n!BIaxeZy<&4n6V9vWqqB0!3lpFJa~BXkOA
z+0U1Ww9rC5A-X>4TE!yWWRaPjI#b)J1fu&bX9-Kt`-&?6^WKDJv~F8;YXSZ@5qf`F
z3v4!@_E7+3>6*+$hQC&Q_so8_n~+%}bF)nBsZaOJ`jTANmM%JVXcBI4EKw&AlHFJ}
z{`r&hJwZ*hnNElYyt2B?I+6Powwd0K7418>vRF&<F(N<wA#d`9=xRgU`1g`1L}qdH
zB=ksdHbvaEXy=cYeoim*1fD<D<L&&O*tEm%-$Mt6H{cyp_Au_5&x-|}<Rz(FvbXh9
zF=EGZ!0O-cBAu~y^TnE~`N7#SMeQv_XM$2aH%4)kAj`;&!~zYlZdtpt<>%DyPbm*;
zcxow&t`Kvp+MHE&I-3?~E$L@-BnsY!GzL;eXXZEGPk+Sz@wNoN4oI40eLJ*LwS9D8
z+TLRl8G65xG;eXjJLvU_{^7T$+{^N_0Op9~LsrXQ$hE>wm;QdH-Ahi)-k-~Eqdxnf
zgLZ%azZ^w9&3Tzm!Ujq;-FWeIi_J~_+?F|{i0?6!t}3dzC7XCG%UDDGyy$#vVQ`XM
z0YSFepkJQXC3;Fj{fBOM)YJ5}BB=_4@y}oNKe5XeOYT#uZl#oQ@*Hu7z4>JMs#7Oi
z!mMf{v{B5{8-NrC43bPDDtn=>y)_CGPM3!%Rl3GjU_ONH3o0{Bq~g!$@qI4;Mp8qP
zC8IrPVxZy%D$#fwlk+h=`HtWJAh%KMHq$wJoLDd|ZMb1KN+MA+wVVv@nH1~gDBttt
zJ1ZL~d6$}$c8Q-Um0T4*wKZpf3~qdan_zVsMmQB-UA^(?_HvSbsB4<%HU(~Ni@c|N
zaTGbIDe4Bd|H-BnXh_m(uP5+M7h&^>ie$I>(pZnq{vI{O*21Bd7bN{m2*sA-?hr=8
zi+fMvb@jK@<uz{NkTS5pU*xs;THkueEI4?pWkF=zLff}aud*UWADv51mLqh~n9uc>
z<&#6BrpSXN;IrK$I)&=p4coNLUIFUBC0py7!)li6K4}veqlTh<zEf0NqX>-+Xb^#E
zk;9y`G@W=G!CKInuN_O6j@J{&?w@2XckVo#Wx9zznf+EHH6Hy=vAGNOx7jFCoUPJB
zzczi)3*94XS5Ceg3~l$Zs-@Tbbc&LQk?ASmG3Lg!FXCnSA*_h1xs~5O5{K5>RKl7!
zKxVR{&7}kLuIgI%sG411&;2oWY><E44-lSl<eoG&lj@LIoqk2m@4htVgD+QO`DHAO
zgywgCd^XJ}m$A4t>G?^XHM@`8dfi6_NATtHLZyVJvK#8i<x)usSqD61EIIzrFC$2a
z+tcsuS0+Cm`PFPNh6z$&%aEp#pV3q!`dVsYS+F1-i(MxP5IPg7@GgBbEmS2Ud!7+N
zG+cB&?v4leS~)c9ICXhDQH$#JfyQ#-5WyOWd9Xw@3D;MRWG@4&1D6quJ-m)9Nd@hS
zJ{bMj(9mVTIhu!#J2{&O&W|VnR{dB|+EE3E96Ugc&C$ec%RE-Y-{KhP4T?PuPdm@=
zJga>%-!<|Q{^D=fOE6U|hZpyA%|KO`Y@+6UsS!S+I*@0{UBR8U;Cq3IZYrXWL+z3_
z<zkIn#SHHKYi_`J(wp^jEw2{^@Y#>vJ;UJ~{n@{XE)#!C5um>79RWwPb||BKoTLt9
zM1D?|+7j83)jRpXB{t&qY}(C41MK$qP%1h*vaF%wU*kQp#lF%Wv7OVRSiQL9H%{5h
z1&h=%27X#AX6%%#IJGCEmY7hr9cwm5@-T_qV!XO<E<@7+g9q&!1%3AryU4DgM1>Tu
zUH%IJfmU0;Cg;9!mrm>lvFt?a*|e`6iy!jZx3Vt`eyo4+oLCvlJ}Q7C+_{LI&OkHe
zNxz>eUqEH2>#MTGPb?>mwo4lwoUw!!jFg1$SZQGhzzS4b9fh_xWIxdEBl6(Y;(i~C
zRCB;gQ4g{`l!h=U+<CHXnSTxUbIcX_2Q|VOnsZmFhICXj$hvNexY<~`lty_Ke)?1m
z`oLYhNYreC*%DNl$s&{*9b8t12>bxVFyKuA<mB`>@1;Y=o^!QT^FR~o+9`^SOQ$pO
zh>nJV&y|&$ZClhp5f{Z}9>jr2f>Wmo$eV}%f%5kUkk!v*3pbllm=%(!`mrrk-Sf(l
zHhZ<tJnruXcB%W2SDafa%gxifP%3I8`4IEvvw39wKlyqR>A%zTNkM#NsTWf!W_W`|
z+6oBlC`1vw^nX7ApCbNH-5@J=UB`wHiZxme=>U)DRvBHA-8-2596V8pga~6|ZmR#X
zWi(^~21*>8U2;q423wO=IJOVkXYal6voqVb-T9b$G?UeU3qaV2o6xITTFN>Pe!o|f
ze_QTS9G|X?;oj;l%RxNR_Fa?U4OUp(=KdQ3ihxFaKr+G`&BJ}Tzr{y2ig9)G+uA>b
z${^VA3tUUHef0PG`5(fgWG}o_U$XbLSaSCtLft=v?B4R%yXT++_)%J5G5mt0`)PP3
z4)7nse9{w~8rQqH4TED_uY-bK^MZn2<b&XFBV)MuCP@9|?>+n}g)b;y6yO(7UqJF6
z&i>Rt^=v;(&OLeSU|+j?2RKtVy}B_U28iaKysk+)!M`d9d*NE;K8AO=*LA35<&&S^
zWAEP}XH%-W;oH;Gy4Ql;2%Xo-7f0+n_1Pfj7m>fG)QkTROkbSgQv#4{JuvEa`=K26
zdUx>Rbt1VNSibWldA~iqxh-~kNEu8ydV+8k!~jPJx(00&+#LaW0M&bwJB9vvcUC6|
zm*)3p!)>m9f$DB>2Fk5(mQmm{YRe*w8nyB^E<fd+d~@yTmZ!B@(|3aqvQwo8<^^eT
z^IU$0k4Ot)C=`l3Qn))n>qxlLKD`lEw$_d8w&U4+D@v$ee>u((2;s9@H~MzS&&+z%
zH(7`$ZJ3a=zZaftYmQS%pP#og$P|X#+IgUBG1X)1s`pYf`#RyyY8w}CYgy2wJF5FZ
zab;C7&azj;sF5)Sl@N#ags1{TnyfY2?c-F{04JE_4S`=47WB-0tH+TneCmSHuRcch
zES)OiOZDZMvw7vG;{u&}D-<d+d#8j2><$6wN({(1Mo5(=d&6TTqgK(}P<~-+lh>*z
zfx|Bv-nTTpRHb=<A*wCz%7%rB>XPMv)re-(*!Z6>VQWSH^8xrD>G45PB#&c&2XUC#
zS|vr3vsokXdLkt|U0|j=`0>|0n%!8yPR2}{t@*e0qr2Ga@J|fRmACH%wC0F7Jr+`$
zZPJ^hHbQRK4XvZVR}8}I21>Q<Q<4+KTguO&1l5erd&7EQ^{%D%!5>L69t|>Xx{Ypr
z0k_-0)3}m`wX8*U#3fEU#RU3}O*#EL8XAXR;g6>NodDI+`0in`t(~#b%dVt&J~nlZ
z(lr+UK{e?HM$X|e%r?V$A#Z10551xli-Sx#3<`~SP0f`3hsse`AEK++BOjT?t${(s
zQK&n`_+NvQEG^TV0^_L8giM`+y0*)j9XxDxiU~)SwiVR|!|S_flms*?DaW^4dZ`H@
zu2=~^<!06Cc6gaZqeiK6l6vpLU-8|AuCKQge)TowEIuTH@3+Z|v$EW_V*<u^cGBgR
z{oc~EXNJddWX7R7*2pf8yy~Efvy3$2@XIBl+Bb&={6jFhtM#fQYq_0o$3~2KG5kBc
zRt9BNw1=8hZq+<(pTrr~`_h^0tsUDLYMDM&qr5!~INSK<&z1;Ov!QyD&a(i8FPn0y
zz^30A>;f_;ht0Q)Wnf*AwxAmcTiqw#%%ql+G;5xTyVV0_0coVb?4q$=%T-TDRr{NH
zv5KV<nI~sFX03Cdss^;lLodihS=+>RR$_`Qyc8NcGRo~Z2+ye^eI}6Kg9>p<xsK^j
zg~0u4xVVe^f*)Uw0;jwc<<FQkCVpIZt?UQdi3zVz{Rg*CL8I_uFo`xD!UF9|Hjj!i
zYC4wDMgLRdSW9nuud&U3en*rL^TH~EUy>>Y>`H7oTsnNN2Uh+RMytPk5E81>qe$r<
zx=s9qCURlEHO_)L!}4)1gJP&6O*~C%tK}Rz`<!XT@$cflOj~NW`_%LApZ+ZQJjSml
zYOQz~d}s9F&SeQ8YQ7ztwy&PU&9~_Q<7n9{--KCtvWZ5F;MOjrnxZ%+IxM6h-~%ye
zTxdp-6k?PhB=oPq@v>YOmQ9%)_lqRKoNHw+8BDG7*qILgmUqpTB`H*MKZLKone@{f
zKsW?bNusxe8Isi6<_%kxg@?a(qZibtW?TwSqy6zh6Xdq$8WOL%p%mIY<yP+?l&pOZ
zf2VB|x`<WQ87mVyI@|3DAR@}=RX4|w5U>uN^m2MG9O(1I^5`ooV1!Ru`T%Y-VlBd;
z_<-r%EBULIbek%(MFLMmqxziwsxdLOCO?o#j3KpmmTq2<G36({>56Cnc@Fj(zeV>c
zs*-|;qPl|E`de9a)ur@p8#%TnI?*vZ8%}2kIdD@MmZxhSzViLHMMi!zqL;VjlOEvb
zq<m<*JKqLKIU3r$ZuRh&&j#R!EVx@hhje5xIBfrSP0BFw=Xr=;Z^bP@DGo^;9Qobu
zam;b^&Gg)#S5C1-vM#W`1n#kh^iw{gMHBF*$LhJuJ(l^=#-C3VPQgy|kSz<lsIEAt
zas~MaO6wMvL&Pb6C&g6cu>6V;uUFvI6tc-PJawfF!Ll;%9vz_H+!ItvaUPW7;v>jc
zr}fA0Mj*r#HlJ?I8CbQx#V2aNP2f2tWp&byE7<yCh?2ynr(80+@BQ5I7h*kSBKo)0
z`#>%$SMhWh$kO3f)17&THL`MTOTw?C>*FdWbe-%w=@7e8yLQ?&JJ?Kv>s-Ic<}yl@
zdm{f}Yod>38mVTUDb0(4cc0<>XHxhd0+YX#*yE;wc7R?<%~COoe{?Z3=&B`<HRD&p
zHk%j9Vl&;l#K;QG;1`ZB4Ggt5-3GJc1yT}1AR@M-{MgaS_NN}hpBp+4{R<gO*E$<L
z<j8WM?nb|scE`6fWj#0Aod8o!<<Sd8BABB^j~jhP-SOp^jb>b|ML-O67GM4z@Rcs~
zIWWF~4%%T@#-H%+DqN4ZC{hB&R(H%lqd;kD^(~Ij?HPykROiJom|J_SQhtPOx6&vL
zrLmgT7b$`3RbgTA7A<{g(1tz3AK9u^3ryQ;6Q&bKHFv_!#wEvW*Bv?&>%C)BU!%b2
zHW0;xVJnboPQFW$sn5|;#o?1tyLCwR;v?&#=qHc&%0jmiN{7K+v~1waZCx)Ek_9zj
z(1gsUNY@&1Go_2+nM_u62O38k(*UkB1o*@;m-Wvkao^Cy<8?Xe+iy^|vt579F4Y>9
zY?&(&RemrNSFh$EMFrf^9mz7mwB{a)7r#)t6eBHYDMIre=dRK|ztVU(C!#HV%50fE
zp4+hJJ1cPV#C*NZ&**P(u1^9onVpciY3;u0^t$4RA26AeDjF{|Y4rbQt>t^CH_Zsp
z`?JcU`gAIGw=(|5M#FuLN4`xvL652Dy}I@7Wt!ehN!O4XaVAI>gju$L%GBJXvc|B}
z{>RHQ<XWV2qkXcJv3)0uL$W`H0$(qMfB%K4(+7kaVi^kSozKNoGJHPFLoey1PjR%F
zq#6^JVP2V&Wg_Y2GyI#rVxOg=xC8{T9q1pZtSlW3cEp%fp4Q{?QDXy$E%={INX(GV
zQwwZU?W=1T=Fwc89)@~Gx5)t7oKBE`2!W7qn0f`)2RER^xRTEuMO*E;i^yCV1&-4^
z9p~vf66yQ9m|=eU=ziCiJ^3r!-(nlwfMNnNJ!GXA)urTr*omY?`C8)mV-u`uJ)W!?
zeWTj-j21GAEer8nXOBFZww76H?MD!6i&e&0i*&=be$>0GspPGb$JGt(Wca+(+dlr2
z$&^0|+!{L?EHD#OW!}5cb1X5t8CQn>mgNg6UCLW;(IX)(r*0_!v^w{ZK$CP>u90t~
zCA8_?RE{mvI$sSN6K)Zpr$g-$J6YuO!;%yCvV1k9#W0%uQH7befk}L2+Yw;`5P&Og
zG$U|J3tviQbeE_nunQ#`0#7{8$7|Ep)aDvy?V{@lhH^x!!5<TH1ZLxHe5sH+ol7hZ
zd2z!8I0UD1gD4frD6itp9qgYymxTu@vNLAYrH{91MYNZ#TFTRV>?gJU8s8r*!p@-a
z$5>7$<F3__CZEDqGHAe*^^AJL&40z9dRAj2rkRU;3SF7Z{Q`~l7rS|LdfFZDjHYEP
zSv9RdK5!IB$oGRu+NYg&5r)--=MK6_x~)%|%V>5&K3kY7nV2!uc*n<mEC=hhe&EJl
z((O*(B21s#p2~&11{c-qL?-iJk?11|5;5o*Tw?20ci~X8YOTecAAr`VwEdg8H~cnV
z3vN8D0nNP~-|c-Ct@L=8A-?hVzdF*(Q%jH`SNhBJRYN<wG+IW9h?cF3gVSGpMBSz^
z*Q*gp1_IY)jLYF64>=ysj}v^-m<-Y~m(Mv$U+OQBRanjWO|++N{^-ur6}Uijg&&`)
z5IgvNK3z;AHIW@9i!QF!MFm7V6I@nM;W3MF@6Fn<tYim3ngd)WoWC(-vg()U%Lk`7
ze)_B<(5^SbFgs#(BKp@)*Se((lT34NM}z&ZW}X(*f)u9(YQ+?*#nsaPkp5cO>wlNL
zdHbCP)bo5BBGoc`ABPag$-dPkE<G@|+jxB*_>m3LzmuhA#|W>PYXI^zem(w-{`u$c
zcoh@MG`iUl;Ho~v*~Jq0V5BfaMp&LXcS;~(R#vE+nq~gy{dz4dPfQRhQlsI(<2Ftg
ziN!L+S~+s%zp&RX7UwhQAy#<w*D3TuQ+OzH8HOxlO?Lr)@s!)yXr1F67V_9jpu=^V
zMv3j15YG}QxWvBw<dVBW*c5zTJab4aZzZHN(=@j_!d7Us+Rt}ZHFcG<{{MSrXZBxQ
z*{KIW+>0$}6ks{*)whOORtrPDhP-15cCwPK7jz!#$T`(G(5)z+zhw6QlMmi70`=>e
zdmAr_whN}C7&YWw9gSaNdsUZC;SCDvV!omS)c6{F8hvPfCW!`RUuK0m*Y;%IQcMhc
zGxlcj9Xw}WAYC1MxPWi$Qrq<63oq&7^L3^c@5^*T1^sI_=(T5}iA2Z>KOtVX^#4q4
zFS>D4;PkZa8$5*|C!?&jE4rj|<t`yN#gF!6RV`ilK;3QHC^UbhRr9j(ZRWTx2AaV{
zgnsA_W88v>6><@coHmr@Fp5FNt?o%I*dBkgq;G+R_Ui8bw><a1wRG#MJlU894$dCD
z@Lh}#(1AMov&OFX4wQu2x1(oEf11&ybDkFUPAVhR*q8@t^h;Y(A0`sDd+Wwoq0<>C
z9gJDKcWMe_ZKC=ENMGa|8Pk+SWkM1fA5N6vM=Mo(j}4CcF^w}Gp+7QxlmRS-Hb|X^
zs{XlFN;dK0o0-L2`Rt+0k}LREA_TzLIBcG4+STx^&LW*D)Wu294$<amn8HUIy`8>~
zGy{_~Q!k@w^b9{{(&fCqsz`)fZ5dom1?Z#adrgq41esOpS2ox4|9;-y!8W^}U?8T!
zut#gl;LpbzwZzGNm?ZtSy7}0nJ8n<DFuT4X7KwD(n$#erxgy+4@qoh&+~*WE4xB?f
z@njB1TYOPy0IKTJ`A+Z;=qzbE9byG$ab39VS1j&~t)3_8#S(A8*cfv?^9+_xeQzQ^
zJQhh`lDrPU%4|Er%I4wQh(Y3fRy+{T=?YQl9Al~?R{~}(i2U1|=0j8UwwooFJGD)>
z$?cxdz-A^8%M)IEIx+Yufb(jLZ|NcT@?wsq09JTDa~9ydqqc~bgFRGR{KIDyw6}?B
zmI(2__KK8XDzYgKCAjUQXjlDR<l@yb5{V?7op`Pi#A!SIz`KKbuynN3bhOCm)Iut=
zCr2t$mtTFMT8HHHp#NRIrVxkSonJZ+8D<|5!{{b=w4Z2jG94DTE{08m+v1wM3r{sd
zv8_qd0=Pgm`&YV$vra<gA<WuV+P0m1f2y7b=iFU_8xl!RsyLGb-gj+&Pmd*)uU2q?
zQGKR5-sX%rDV1J=tgVt$CD6aGI>zQyh@wix2G^wM6RsP!<p{NgzvZ|kD|Hg4n-7TI
z=3qxRo%k>cbsdp64b^p~KeBszr)+Q5Or+d{*rX3&PhRJfsvb<T^&}$9DoSfH>a&p(
zbK%p~E>3O#J&^XEFIR~>;UXT60RhAj-h3Lg*xz{B=G<{&d;V>weC*41W{eqDRJFA#
zzP8aCVxwv7TWy%}p|aHCz69O9wb58OWo-H8!IIy(g}83~0)6kDQEJ&xRAI+)z-kc<
z18%5JLban`SQ}$t8a`iDHuG(VR+OzVyF%rSWic(I(Vn4V_$J?L9{xH}Q6y_<oISS8
zzKA`<LuEoQ4L=riY&^bb6%w8Qj<<FP)`De?vc>GktHJvZ;j4<G`JzXO$`~P^zWkRH
z*|hD`WPTa8wxXVAr2;7hnr!Y?b1G8nZ8CGxZ4nu&ImZO<R*z*-YeTmLm;9C?w^zw2
zm!!KVtmlvAefnNA;EGrNYv(lJ?s@^keZkTz`@DvzM%G%+IU^<Kw8i^DTW@-ttTi(2
z^0l|-b!A^0C$h+<IhS4FMw(3cHkFg$KZKjoJIRdbzFQ)Gd*7>^QYwO}Eu+*uzRHbT
z9i;adqjGN+I|WVKhe0jbIU@>VFrI3QdcYvIi_-0hpJZGypzEkM9H%g+Vb{<(a9sQS
zA+u1ghP^rgLy)$)cR{{mF3`H~#M>H*l{DjY5K<z&XRAat0YG$rs<*{yQX<VkcYZ>j
z$1kaWezzA5b-R{IY1!$D*0yl{iQ%ZjGPr1HlW<McTuJzC`ABJk1ZylyZ}&U74vJ0J
z;?GDWGT;0``MKd;9m~4K`y!Dw_k7XJRXbO=L_(Y2Y9g+HgaL?tO(OrVzeSL(p8juI
z(1oPlou6&42y=RmU+Fe<6;BR#Y1SW5Io_+T3fo@%-URPw|3gR~jqIrQUBq7{g^3*F
z{F-I-RWpZp_&={W&fa|ZJaN=I5oA-<$RVDPlY^%bzCU$kr`A;L-H>g|p_dLF3{bw>
za$FyTbpxosIzPNnSLocdE(i(novxL+O*s-D{qgRUZTnS~Be9B@^VG_JsZWcdU|d*V
z!w2^eqn(nx>6&8(`O2s#1=tb~8u8ly$)ukHeR!Y|bK1PPowe5El{yFv(YFVA#=V4Y
z7%Gd>DLMewT7FD?jcJ~CYoHrvD%|aox@rrHHP1&>_5MRvnwsQzdU7?2(pnbdY-s10
zrCLcci_6-aD-LN)WlwyRZfwiyHuZ|d5YHMgv?H{GxBAhMY-}l|czT9Q{Gb$44RX2Y
zZCrk(b0x>7Yj3R4;S={1ikOb<3?M)rWYgN6HU~}Yw}F|U!zLO{T1!3_qvc6dONAvL
zczKOxguA`;knIUp9|`r6+!QAJ9p!hZF+{BqUpoeQi_1-5a#$zoD#Oy&mIU84u2<|)
zwn884A++TEGp<aT;6#2j8;QrMlx9mIefqf1S_iK+vi2U+%)~*^vxyuk_QEn!k{_qv
zaOlvEjd>OFmzVjC@z)%+;<iReB)+oGC4Xf=n;}io3>at>5GRwz1T9e+Bw>j&P&Mh(
zwX(H#I`g?Wq9Ey?@GEb)%9TCg_UP#n4SY3C)BTeiKY-K|1Z1P3>=%_2zvFS7c<9sq
zX~x*_9C&~AWshk62s&uUTAbP=$}eNvHi!~Wv(;c5KXxp4H@2S;^v)L^2cu}?`WdXM
z9r@f!1=cvokm49P26_Q^v0p{yW@I<fHotb+4xJkB59*oJMC~cjn>QgW1yyDOmc!qt
znCUJj;;Fgc5s~Wf6Y!}HYQthCHd>I2V0UkOfS>9a&E`@Plj^chyo6=s2o4?5wnXqC
zy(%^!pZhxdu_)0Xu&A8>!Bag{&FK|1k8pGo>hNvZAw!9H^)&q!o(N;x?$UnDGLdLL
z2U=9EI4YtfGQ}w^xMqrrxzY@!*)nnW-Vdha?HX7+96XyFSPM`8L+B(KewYf{gbS=*
z3ts<PO~>{ALqNVx`iC$wowEH8VU^=`j>j><Jk7B;>tb20b^3hX2R^NkEDKMcCyINf
zs`U;@p25mGoqK|YI*#+3;{8-yp%t&C;4qX$txT2#gZT!^&F5IQcEmA=k$6bpKZG`Y
z;kXY~o%|TBe<w&Huwc1?@$>AsApeQI9ytxIURMId6?s-2yJ6W%`fkna*PUuh<6^BE
ziL`hB5ZqCDdpgvw^-$1pdo#_qsiW(E<x=myT<nq#KLBeN6Jvl1zU90xgW6-g@|Ai4
zOz5wNc-8^#1&7TzMD#)I!#$F?rhNjE!%w?Iyh&H+zddd;umojmD_K{MfjZ4t_(t>4
z=BUU(QpJhAT$N_*cNwJk)7h4@=5KD8$sDOnm%S~bM1>3kEM*dA*{YO1eHSuL5yO|8
zk2z?67eoSig_-6~5&JCVWv}+Z?z%q$l!kH@zItqt(oW4U3#mVFseca$(1fVFrtH3d
zl^H+1%j?vCB<<3AF~6UG5jY9#GF9%Kzq+CJ^ehc<!1hh5UY}jv9y4An_oSMANIDaX
zYP47ESn}mp!`#W4zT>z5fZMD%534u6lge_uNen7k_^6xk+&b?NNcWS<At>pp*?Y+4
z)l#BTNZi9wC25Au4*iSo^@tggn*$*mA?9dytj`rU^ZaQtrdi#jFu4jRadW6}bCRQA
z5^0!s>tx%Zozk>+_V6k!|0MP9EyuAQ&-5CaVyt(_KE}R`*9-m&-4`!!IoR+0%iLaQ
zn54i*{UsS8){O!@$`GUB(cX4A_^-Iy7yjw~--7@B-++B9ZvSVP$vNoNu<akh8T_2&
z_28%?XazoW=io2DU)^#}={dtPb(7lP*<U*7Na*Z8NP2|+L)Z_nJvs&`z0NiE^BR}H
zl&^w_O6*Z3jgN^bc2vah#=5T7denX~?`<_GRD3%4p&i3I7ZNnbauu$z-Im5+QIf*<
zcAD^#V@E8uD)U4vw$iLh{SHvNQNdi#{?n7)uj^{s9D04N4O4=;i##vdhfc2-(S|ZL
zA>Qe7y;?6pY8y)mPTAP$`5!-}*9l(O$=9ddyf(N@F*NnDS8uH3Gv~Kg&^R<&S4$bq
z#wsQe$^T+^<lY6C*=;he^hsGsmnCy?dYe;>W)|SgDSfxFr%3MT09t13z%1Mu#44F}
z@-?y=6!HlvDR4%9gB4A%HNHThwFJf3@3G!!V?TP=ONLU^tK;80b5RZVI&~QN9275f
z{HK$S*xXB&L?{F8TKcR{XL0)Q!68pjV)*&hvAPZzsD7J~iJSAntgMrJ-$Jje^!N`!
z_xk}J_*W+A05YBCjrt%6)i}a$KPN0wcK>F49V_;m!0U8xl$4c04PiL;f#`xt4y58q
zC8yN@Vt&d1o@wE)5SfV*iEsHFG%UeKNqd8cx~SXdkE<5b+M(UW1SwSP2|sk#%!jmo
zE_SFigoaK;sL>c1oDT`7aY)dXq<tA#5(`!j`~ewgKM}p9z6|;msBi!e`bvMK97XU#
zY=6c&kq-HXFwuY}xtEN*m-wHSHq8G|L}XE$vYL6}@_w}eQQ#&n1}^_s>W;pkD~aYC
zj|_%?2)1BT(z-eKQlH*9Ab)s4-A!Dg3nK*8(#YrJK`^)=&3BNhP_*EU9z(e@d`eO*
zp2AfK+)_<RO_iO&@UBa7#@z#HwVCdLR0x4V?I6xSQsN<2^bO{l2M|9>>+=8ZkNW{8
z64T`^N-8pPD*;!~d|MHEtcmn|LPJVL3lD7|3Nn<ZnvD%!U=A4jL1<|r!-lv)Xrf3H
zio!rW3|APe9E*!xO^dkyH^=3)B{*d+dLlgougQba$Rn+WS=MwlHLa++xDq3=YD@~@
zCK6<6X^8<X1?#?rLQyPD{6e9qNH|hRVfXN-|33}y&A*;g6HHX&PZj20SG(ReaD*!=
z;*VQ%k6U@++sw6Y2`y8+@w>u9E_v45%aA^JB{LH4N*LTHa|S<1{Nnpo>I~aVk|ya4
z`}yWg@g>A?;>$F}dhTbRGs-i*L>Gl}9XoI5@5TkNvuP9^uBWG%+t|l-!Us3x)q)Fa
z^-1Q-0-pnDDXTV@j;}Bp`fT<}#OEq>Zsx`cwBlZqZ*Nu*L}JyL#H?cY;c@*~0v~Sn
z$<>dPt1;|B?F?xT|M~M|D&4Q9#bEOrqKsy3u8RFl&UN%HOKZa=9Bj98G-8TlBxUi@
zJ0_Li{vcSmq+syEND)VC)8r^RcFAG2D`!3jw=_w8NH{?oa2J~7uh2KhFG&aG8Xfrp
zh0==rR&iQ2bH}D5vT%=?&Ehg1I;-26l52daP+<sC1U^GJZkG(K`D(PQ@xWGa-C<Ph
zYR=1-SDZ9|<<8oZeIn@3*Hoo{2wUnJvPu=QAX(#+ib5?f@o7thHxCT2$anv_eTDyZ
z`~M}U#sABEVI=ON5;m6g!-*Pgot}&bJ!@1VMCQ;CRq20pca~3Wa9<v$MGBN+1zOy_
zxD+of1gB_%7q{SU1s=2|Sh3*l!M*5%HbsJm;DzGWBEhAb-@e<~+1;6a-t6ojaAxk@
z7w4Y)J?DHsRyFpDg$oZFzK={~aQlj>c*wOZF(!l{YUXddz76a3m?a<UbiB#Eb_{>z
z_po`}_8hHanQZf!sHf!aJ=G<OsWig3gQb+-Cp;w9zNz6Q#Q`0~fwqq{`Z+@nIf0qr
zyc`Qt=;1l2;l}_?pdW9TYiVxVro^kXCQ>hyAWq$v6+3bT36|nit05NpONhsJh>BgJ
z3kHnYvLrEH3-e^qQq<kUWz6sz0rPTXD_g1Smx8KB%;EK?pIQ^rxeQ;rc+abDzi@dU
z9qcJH-Irs>{Te0PO|!x47>h`(%5Lq{B(d3SdL}VyfqeJy9bv%U?URhu-uKMhu{NXJ
zp+nb|RqS_P^+DgSj9O0G*C!~5-l>7mx7xWnV_|vRPio5gxnre5wGX{r!|XSKzpB0R
zHwQKzt*tI29XO3D=MRG89)j&)jnCK}*>xg`w0Z7Vg1oAFyPjGlrf`bTKKg~L)Y<v*
z^Orza_s!i|zL#)D87Gd8<b$m`T_~UZPokIaNL$vi#cCkAwVc82QefEYz;7;=vKG#2
zM5{SGTgwRYqgl2cef<#|-ww<aKal2TYiWVvJ-3=OZ6wQ;(!ye+JWd+Ii%N^oeJI0<
z<%_@X%<W9(ng1n8u;e+bCQ6lJ^m4l5lUZ+S5Q8hJ8pAv`HI<4>r;B5(zew5C{8@US
zJt$!K12jaPD5MC5(~N%_TL+{S*AMnbQLwbjJQf}@P(%=FMjm$WSzPplqrrWRJ6_7R
zB0*P~8*tH{Xw#r{J>Bf!JheIS5ahb!mcvw4T1|*`0!;Ef_EdCE{NAaigO7MQd2$vs
z>M)zrqh+J8dPoOuG!`4>jrePE%4tTiLon?7slH94nh;Y-HS6vA@bQb)pb=y9VYbBu
z{=J&6)t!@SnxMSFh$yKJ&KK272Yb#>4<T0{JG^{H#Thw%5m~=)9mVHkkM@E#(6O$e
ztwU@PCHO;~XZvyo8RhmLEbz`nrEvnEXbgL=Q-^O7_3HYLYw$IRrNF-`H*uwmgzJ_=
z&A!H7xjok*j(}|}x7d)?K9X@4*g-NCPN}s`8AExeg;D`!Rp~}+;oq<%P}ul4FLOvJ
zoLML1IKQ9VBWuE);rfp9^<!jB3R!f?BMw!}JaTLg0tyd%#j>BgGsX`(Ng~|72(QRf
zaO;DY8hn3>tTj}1>Q50P+t{h2GSWV|aY{Y4gRkgSUdYkRl%d4;**^GY=X?6?R-+)L
zOpmTddty*K+XD2Cl#-MxERHQhC2(tsrytDnL`OxVS~8Bed0h_qxyVLBbS|5#Z=8rL
z`m|WrtW!_sn+pz|N>~OK=N&Q+DR6+`i;^LNq&zCt8ZLozq8Inw?|<Bhh!_f2AnC@w
zr&B`Ctms)0mV<}MHBxrS>an-fb;7BIrOW7moc`^R<knQ8F&%Q7&>ai_b*#cG#BZW_
zk%p2mUFDN|lt~wmuu*C@s21m&#$)ql$FQen;Y64G#1y6*g2dK#ibD)3bfDA8oJb{}
zw@n2|qebs23H!Ie(k+!b+pK#Js0Z&B7I#gvL?_O8ILd%B8$itu7tzCIr!i4@N%x6f
zlo9dL{Af<p{gv7lvqps2t}XBm*1o(;r+J>9FHO_w3Yi#tUgZw<V2oyfh7@a7H{3cR
z7A3T3d|VJT{@!dDn_h~gU)Ypzu;jo_LfXtN=kvx7;7;_6TYaw120vDlDLD17&>62l
zWxMnYqg7m7;lB+@N4f*v(sUc*meI0eA@GRA{nwtwMF*qz$fa5CXXjIRLSXM6@dFal
z@sS^+swC`U371(5b6h@~jtRYt5TDw9OH5$}UleA7Xoh0*QkJpT%SHuI!^KszM)fpw
z9|0O`j<`i!%q=uFehbBjXUwpV6#0E28Zi>K3Eh%uUyU<f&j7eV1C#uAXA0@<Xq60x
zA=-odGeP!%nY?qq7~QJUk!Y*FI%F0~lf{@(mYe7dp>KbbHC(k2l=;MHA^#0}iii3s
z7M=g|AK1RquMJEEMiPvx8do8UF(-qraPuy9vk4%Y@N8ya4@>=>RUhR`?~`gjdW|O#
zEhF>VA9H&`r{&GoZUx{Y#{s=JMiadDhEhH=732?poBBLgFA?P<FsJ_9pKXCk0+h^%
zN=VwIum!_AI^ATlw^dEl<D23TPTo9XqS#1%?lh^Q)~4@zfR>JZZwp}#Ls2SSl4pii
z2{xxsDXdkw$%Z+Ol}n^uGSDc~kNOFgh=4DLINNup@e@(5ihvfHB;B|A^qJa@&F;zl
z6uiB0)69v%8xSiWs0#Xri|7)~QI6e+bA;Vgt_^JVMx&M5ixp#L1?mg;y%`yH;K?~$
zov1ec?pOuTkgEw955|k%5NM4jY4BAYKk04aQ9UY+I^An}T6A^4R<Y%=qo8s(<$dx5
z9%N0kHy3pj+T>Zl3Qe=*uXJQnx(6qeW;M5xnxbO#P12&F#kk;eMgO=JH1p?(qgRUt
zzZs=Bx?E8%Rl2vzuLD>25POYUr`WaBORwvATb3t*#DDW8glsH5uQE3y91A#ob}RNK
z0Mcg@SQuVtahI(+&E^ZZt!&`Xzt@j^Y#K|?PX@bw3UWtKQGQickXRyZ&#)50b15DR
zr{fw*Y_@qzk#%qX__<)L@pmCZev4P@437o|4V9wxO?tJXAWHutiuG|EkIPK`rkHZ;
z@^oy?wx_NVADYNzn!4oP!du~TQss|>bQxSzIo98U-5o&S@qSjFT5okcYu-&K;6Cqx
zW!gsWy;ot>iWt*$5hO@7z7%NG)m_6Zi<f*DG4Z}-UJB0RgL32v<er<~ujr95lW*&+
zn`*MGbeigP<$~@PcRQU&QR;%4V7%=8$yzm$Cl=eHydXR{`6=?gJHH!^8}%{QeB2EJ
zc%Ak7s_sKA;zm(iaNjKu@CQo~WwH3FS^LY3mp+ujo=-9dP!}6|Trg<=`(k6E>e@|M
z&)iQBI9?IU)9S1h%WfO2)I%B47alz+Tz@1ux?#G66GLY;5%G=n>>0xs)w?2;na5S#
zW>=+JjMM&gzMOHi|Kxx$06nq>=7@$3_#!`-8cWR&Bui}=+1N$Pu8&vFtG34;OG+Pc
z`0lhl{!C~?>2QcBN=5G^A=#0GbH^o<)FV#W2{TYn`O$(?s_q54U0UvsS))@sB?vIS
z5zS(3_5fv5MRwbfbufsQ3r%o7rYoY(oxMHO{r^7A_etW%=||YVg*7$r6}gXxSE-LA
zeHazH*?9HSU<6Cg#KFUtAQv}n$ZkqWy<u#&PgMyz`RxfaT=U79(u-T4c)F+L?J9aq
zh(KyhO!?~>xQG7t^8FvxzyBi)?!PLW|6|}B9mWg##a*Fx=t1Zg#yiOV!*a+O_Rl)K
z^tjNbpEZ*f)f4WSZrXb==32<Cen|uL$LYh-`$X&p@yCy&J^X?rnB%(Sxphe@BI!D~
zFJ&Cv0)KbEbPYxBKZDtx^%N`Ep8TBak#n1}ZBVu=H@}r)6N;;ywtDZv^KIu>(!J%4
z(m-UngF4Do)+Y5QVPfr-TU%277luwRO?Vd7`vc<xxD;iKr4!NK_w8;)om<t+&M+y8
zo!0rS@x1<3Rj3aWyA0-w!>o=Yl-QB%Ft#u$rluLxS=3haA&AaUPRq3Y)`Vp>`#Y35
zy1FPPz<Z=_+OG{iAG%aC#>0P<P!A+-;Hudbj=JrX!d;ZmYs8<=X<T(3MgKLP55C6r
zuEbtq+7it|R6hs|x9y5cQ}$0IDQ)n!dEHNJZ7h;O479dxxGqZ0JA5&v?v4spVcv-t
zlaPzp<|X1Z)!Cvzm@9eFu@I|ZW|J5|V~P@%MB!)D6Yj+-9_7g2zaIfCqV66(zbmn}
z{BV=02(&%8(2c8w252%gPN?p|I0D&ejRW@85}l5q3{Ev^NNgysw?!qd)HHjr)gsVr
zjOZPH`*whpKs?c6DSt*zeBlRNyWeFZbb`N7p~LND+IMGdf~9x%wn!7shIwQ7;t^2X
z!MR&JD6Y5O<5XhY*kRZWXR4|Mp<738Q#z}kq>bl((8ph={>oFiiO)sGH3_`KVt2Nb
zo`?^Py*^y9#8)-cs|OXHfb;iM;Zdua%Y-kI#;?!7<`&T<fyG_0JYkLV>G9sNhmUM(
z0&7UsfFKG#>GTQPp2SnhDEjmLujTnxlhdUZYrvt&?FB+vM*5X%I0&$)s-ozu#!{=n
z5vAFB%6O|%x+)uL-etV)29LT+^guaF)OG9#>Xxu%%*}Qs)dm`S3xg-#`XQYAju?2k
zgoW=JIfj9)x^5}UmHBM10S3Z+@_8+NH9v2t<cH}uwOX0uIpGs&KB`%S+U1P;)2q#{
zBWf6Cm@=T@(pIh7I8vuv>VmxLk+i44;P48PkSRpTEhC`up;z*V!@vcIVHK?3&mnYi
z;qMAU%fu_kJP4Y9AE~+K%gg7`kw=8qmqhvuh3u)UOWjNXVnCRoZPfGJVJfqW%1f8&
zBOf{VRC}Rd>hWeRZ;lXcxDCQ$fk(TA&csMw%|d;PW5+G?)1=i~%qs}6m9OjIiq37F
zy?H5?whCq<$%e3Vm>}$^e6mF=RNdZ8$FGXCq#$ets)i^s!<K1KbA`wm_+VROs&3B^
z1oj$yGq#vWa81%6E~P$U{dd$Qb}ik-pu%`fz%D2)Jt(<~&#yR2+stLhp1`L?k;QtT
z8Z@azWM4JOz45s*zk=LD%|zFpkkrBuZxDT9>m2BkxxzJVA)7+Xv7Rc`5ky9vloqB;
zs0&dT&T~#cZcU24^TR)*c!og`U9j>B3ri?jBvhA(&O<cA)Jpd2#4tME+=2Cf%R%{H
z>#_elu#R2A{7sV&$%PZD5{NY{xgpo>!Os<LM`+FRA$A)H?LAzl7J9`T#SR8IzwB$9
z?;}^^Pr{|fbHgD&5|-oF&o1wXaqjR|&y6h*+dh2NhWa-9q<Nf#v+<Kt$y^^*oBCT#
zpt<R+*J~!*7Up>C+j88Te&5K!-oTmvtQuF9+r{08eG@n!7~9{Z?0qPhIvQACNOZ4!
z{qxias80n;0Toq41G$r_RCO!2O<omY_;%&J?4e)jW64FeeLY9=qcfCG?TT&yqVh%y
zH}Vv;<_7gf0aslG4<WgwWPz<>HJLJw?RZE2UO+tNOXjI}QrRR4`L@Xb*#2G#Twp8K
z{ddB_t~mqCMq2;|W7!5Geo|S#5Cc~`kB=e(UKA>=A^x_rAaFW<r2Wn@$YPmUu}UN~
z=KP1;Oiz#s7`E9e7^L=)R){;$Y^nJ=FJ!+jn9<r6oyKESJF<m2s$eG`zK^o~&JrG2
z!&kRhL0QhN5u4l6BjuH6Gzf_1j9?`<oVy#%Z`i><uS=h<3#K4@VoK;JV12e5tJq=@
z7%6r9xp1;#L5goZfv=qVp*C~$mGSS(licmWFWnE4Q=6M0ei4jW)cGi7(S+AR53xZk
zPb_;%QSL0-rl5<x|LbL)$=GBw8AEQQ6fu@UYkZF&Xv;j${{}r>XIDkoZR=Zvn?gI(
zwdHR2yd^n*mh!`_7)NP5fpsK;U|h$DJ2mL0<bF>Sq^41zMy1Eh(*;$euFjsV;Gk5p
zd-8Kd>3KD=$x4SAY{042leQ-QK4!>MFH`R4giSDLRd5bSS^WO%LhENv)q{Ns*mrDr
zWLSx?E`q~g{EGceW(UD36-ajsugM0cKx<7oE;m|3Ptc}jDU*elLEz~uV4BM0=_LL|
zsZ3}s$BJlLVXLzXo$Xq#8$CvrySG-TgRS@2!)5I=EX90dI|E6|!$zh<DNnCxJw}pV
zAriR5@@xFpFyGM#Q=qg+Coy2jTDnPkC37VsWi^E{eZI;xHNnwv*FgO_D?~>1_dWlF
zZ1^FK2_V_aSrKyVqq7M`ZoZn2P^7U~BjtXi$Q%XcYD{X01DcxZH)z!{^g~H2hg4Gc
zd#HN*zrG}WCyd!Xaaiz*GCss1RUkdC2let5&5)6@o!GmGaGW7!E9D<FuS+#6Mjng&
zod^l=_YY@Zt>NG3TD&-6(hhS-=EcLl=h-hv?h9_dFf32^EF0rII$<_dVoKbr(`O`F
zEAVh|0Ze!_pm}YF8p=A`jE3rJ#Q~X(#?CR*M6l{o79l)im%fuyQmLzLo0TS(lfTlo
z-m$gq<OKww0LF7}Qg7Ti2rJ$I39<BnfJgFJJYiQ4D^{e?fa;=B9d%Ob)%cZ+hF@rV
z-@BBh;Y7;?Wm~K#c>((!ZU0x3STzQnByjz%;1AXuW;x`|H6`-?>)qK>&>yVRBTVPi
o4`au1`39))Fc|uf`UmR|7Vf{~Z@que2m9xF_kVMh2Y(j+4NO;%fdBvi

diff --git a/example/system/amp/openamp/driver_core/fig/20231017165755.png b/example/system/amp/openamp/driver_core/fig/Test32_Results.png
similarity index 100%
rename from example/system/amp/openamp/driver_core/fig/20231017165755.png
rename to example/system/amp/openamp/driver_core/fig/Test32_Results.png
diff --git a/example/system/amp/openamp/driver_core/fig/20231017160632.png b/example/system/amp/openamp/driver_core/fig/Test64_Results.png
similarity index 100%
rename from example/system/amp/openamp/driver_core/fig/20231017160632.png
rename to example/system/amp/openamp/driver_core/fig/Test64_Results.png
diff --git a/example/system/amp/openamp/driver_core/fig/e2000_aarch32_openamp_startup.png b/example/system/amp/openamp/driver_core/fig/e2000_aarch32_openamp_startup.png
index 4f50f3d124425b8371e2229b0ea639bc1393d504..264403e640fbe7fff78052ebd515118fa0eb796e 100644
GIT binary patch
literal 133687
zcmeFacR*C<wm!Uvrl?5NSWz%nBS~yTR74T<8e6W0<a&+`6R`n_WsIPLlo>Q9USkw<
zhzSG*qaHoyC=o@m%h-Yi7?fC0DK^lE2tw#E-?QGm_Y`JtqW<#T@BY4f{)z!+X3s9~
zyVkRwvhKqV#@n^(){5geyNMIt`%jLuSj=&X$1QE}ldLnXpW;8(e)GqU`On_b_qm6A
z=EiaswofO%H~LS(iihXs9emUOmilg8$ez#2Zx$U~d@jY+b)wD1n<<NLr?mTe?rp!@
z9^rd4{<$hac`YjW`X?uc#|G^3KUI~syj|zRdoDLlJ8xhAQGRuq)1w8qQx?v;^OJ5s
zS<2-KS0~+$yxDht`uy|bCH?bO#6}d}SN&4A{`QaoOQwB)G=0H<z}U;PQc}CBchA)(
z>K>HOuD4Ux+*1Z$?yS4GZ%Gep-}YZW&+=-#=yR&tp?!ibZE7XQ*>-vOqpCjoa9EjJ
zZ%<uRVzGj2?{aC3uG*PiIw7pl$tTB>`(@Q5r_{UC7Dh&{t*O^K`Pp*?2Xywn-;P}9
zR5;B`XO}v&HFwDO+qI2l-g(c@=WnX6_j1G^ZMqrw#H*&hv+68;Bz~iMzQ<?0BKUym
zD?{h`_D!v=p#xQoxmT{cdC8IE#)Uj`(mm*p@38K0eZAjL-8uE{)%5Xrw|&<wG|`8O
zuB)Ec3~c<8j{U^L^|}Ys4sWz@u{C<3RyVJ2D97>VCPz2O(#1CA`5xgVztq+z?%;X{
z%)S_xSKlq-dD)H9XgBTLqRFbFX$uuS_ZMAvsQFyi&$Etx5#^OIrdC<tk58a4wW0oq
zs#8Kk^}_0lX$jgl8r({g@x3M#AN_4y#2v5o+KBog^$+fAi#9bnROjGRCawNxMU}R2
zo3*B(WxpRrJ9DLzPEU>a?R<Xeo<m$|{#Vv%&!eLfG9EAHN_D5>eUydeUaJ4PTs!_|
zP75ydHho^qjIhf4`|dhBsXW(K<ZE~9_IFfUJ?$Hk9XI=|w`U`czi>wJiO0|CKkLuc
z_YGZgGFGdre`CNCr#b#kT=51vao$SxyaX-%aeL+PW9vTPe6@*g&+j)H-dVZWsnF^0
z66=DCt3UdwzOJFzii>Y`YufW&ZmC};gwc1(NWK}8onLcpCMW-8kMMV5<M&<FCwtUx
zr?Z#(<-`P!W9`)M6|L?Xl%n7kyAIoFxuP=4g7Z0AylYO|kt^J{a)X!E?oZAM$sXfj
zrI|Y5_@^;rqCWn>ncJ`>qIl7Yyo%TC6-k>fFX>j8HShau+fluCJB^6j>NfJ+7;e<+
z$izEiI()1dv&Ze-znyHSwz9M@-;<zYcSi5L=jCxB0UX!o>CxZ(Jastd-_ad_d&;pJ
zr^YQyH>Sf8ha+{{`Cpx*+iT~@!+GgNsqC)Bj}!9K$5?WlPt7%U`)zFc9PK?Bi+7xZ
z2P)dJHceTL6BPV!E|)gr*<jBR?oYS!*SJmU#QI;?)01@gxp;sl9u~O;KIFLGU4mm~
zH`FKKPgCD06Fza18W$qXD+EslJwx6Rhite$r{9{^c%S{<T|6JosWUA(+nbm6;Sq~C
zwBp;oI{qP~uNmF91y?Zpu}AH6&zhg-h2&mwjj`Z<S^bgY^pWX5uK!LrjSh~tFX1dU
zy*8!$f*iy9C4}AIf1>13*GUSlvN9{NDmn0??TIC$dvWVBQ^s+9uH;R?B?>yE&`hBx
z=BWP_+b!7&&U<Xrcayo&oOriP!?M+S+|6q(rrdH+`1*dkH64!&w`tp<b#J#x4&}OZ
zS>T-P9-zPjyLfJ^v&D{_&A6P4i`ve_5;ij~=8Vhn7M$>G*H=WWsLa*w#>I=M?{X*n
zin1C{x(3f%cHP~ZMdfrmp7V}RUH#Kgb{8jv)%F?oB!fL%b_pL3PLI+xx`e7b7M-A*
z-m0y2+wd#&pwAw2Z+UBu76#Sx$8iOFg@+<+#T6H?#=5h#a;}^m)T^rh@Oa^2X));G
zeupEA`X~9?ti=&6z_Oz7Ir?mWPWOWx7vB;$yo31kZqMP0FXy@`A8spR&sxoiL*X5C
z)$DDzeX}NBHPov{SZ>@G-McpgD;I9G{F?Fl70O9F+A=Q3R`%zUj@4~<m~*9!ElgY5
za=}A2Esxi7zU>nyPnr{xYsr16KmEbGe80_YSQ_9^|7%ey-D9|kYcgiJbGYa`rY#H5
z+3`1RqFZ_LwdCqzcULZW5N_Xu#Q5`Z8<$uV#H!n^`0ez!mE$C?n|?Wd$Fej?gIl@Y
zW`$!_*e8cMu1ohh&Ya7-lySRU(tjH5yY!2#oTm4!Zn3z!Hj$^>t+3#t0~XH5)$e8%
zbNY#AV_4?nfWj?w9Zm!co$}ol4J~e-Awj*e-t%s8C%k;BW4A8W>XdQA6<n8xk=M>n
za$jQI_ZGJ;@NU0d6&tcza~|!af8HCHJcr%o2Q#+qw&Z+mwC+E}9-pSPrpw<VC*)46
zsT`;Ma!l07?>a8#HtZc%J8D<O;=)J;w{5WvK7#A^c*)wWmc2O5)RNFP!uodL-lG|K
zjC}i6jkH<ocznwTT(=pYSM=M3MT0(X%c*Vc0v=Sj#j|~2(&;vBXIiYxuXn-C|L{j2
zx8&$KE9@*Zy}LZTl#s8<ydST9(uvc!TK6jcbq$WpaN{h$;-ag5oZ(@`jp{IRu<Kvu
zG=84lC!mGe*>c>`=g;EYAJklajD>xG$s2KNdSSKibLIMl*T2je(voAfMBxG5pKW}V
zD`!{G8kxT-_%hr3vBw^LUgWk+yS=FV;tmJJgsfZVUdN4OxubYzZ2VMuWO3c_d`@&7
znK)`;hbf$TVw<lIMEk9pc^Ab7Ez8g9cPL|2^%dB-w@)q(E4INZy*9@Zt9oh~wwam@
zcdDvV%V`A@_V6xqra966Ca#Wo+7G_W8Od?pR<ve}P}YtR*4f=vbfWAzP3qO7OFK<r
zOWW7aHJ=TeKc^R`v&EV$);9Ik?{X7dTrPd^!{bk_)hFK-|J5+(yt}q&OJzn_Etcy3
zvrl}JyWa2Jzu@Tc`0kihQ%<W~dCh|>8#s@+UHxXB{%WXt+|=$T|2n3tUlqrBR79l)
zYPa97dElTebXIysj;VcCl<lR88Odon<X|tqll&<71EnP`cg>wfZYip{!a?6R>>I>|
zj;I*RuTSd|PJE8Na+C$VR#g-~HjQ0^nD=~oO}Tk494pM}f|esb-F4iKo|L#F%Kq3`
z@K|L89ab#fFlkPQszhtG6)yJ9*pi{sKhMO%w%*V6;SpLEy%GY4`;}kE@+f@B>Xfc0
zN;cqwmGS4lO<TgsA8v9*kmg(5ee|sLX?SqoKX8=;9;ATnyDfKhuL`3=%H^@MlUH2!
zZR|ZiE_V0tpL6c~;f-f*tv#|k{LS5m6`E8_;Q(lNtI4lv(YK~Jjb91#j#+Vy({LXo
z1d1!3wlHYi&55qLsK4p#3n!P(zR$LG@ol-Aoo`+Wk7BD$K-}raTCYuShsTBZa-5?*
zF8r@^P&=%o+m|-Pt*VOCxt$xn)aDOwrHN)&)9`+iwkLk`_M&^I4sn}k?HQb%Yh&~r
z6#OIjk&~*(srv;iaaP+pr5CuT4GFBuuupD*uW=%z!<3Car(1D;rCaX*aI~%vcQY2Z
zyc6r*PD}K)=3Ij_KhMCDgl)q2+rG-YbKl;dnq<KR2mID&*Fm>4SSEg4H-PJTS~Jyg
z<_M~PyD4I>=Cwpoq}lGbA}^@dw4Zud<JWJYo~2Vw#nXqaySe**<T^rm?3=zfP?%!Z
z#61?hf9{n<D}Ktmw0X~3_Xm%<;wCNm<mBd&+}Fz<X2khkY%`T}IrEce%+>4fIcqdi
zS5#S!!gcO`_1$!@CApUz)sZMso>e7xpp|TGP@D27pTh@Q_)>+=3c|(?*oyIZVLx4d
zr4QDv{d;kyX)9{c;`uJD1~(lRJ)Fk39<&B|%*eX%I4#q!XtLWfR5>V-N0*euoL4Mn
zH&X5%Y9^BWGyGOuowU*c%O$IdzZ;mBj*7&hn|lM@eoiX8b=XpCP+6=!^=L@g^GD;j
z_DP#(hqJ<;3abyFU}4#+TG|tpZ9DZ$mo-J*Z=~nCd8IpYcu)!_vz6b_3A|&Oboltd
zT2`CIRD72}f0wc>f8MD42H~Mc+d=opsO{yC?uRU_^Yd&FZlKUx-UXA#yIE{{<WU=(
zck5KFw~8GFp2f-z!P&Sidk>HDj6a;BEX?N5LjKX+4OV$ULA^MaOC^n1MzEDlAG`+j
z_tkK>{0mg4@V94zXUnva2{-z4sFSbwm*?O<D%#Fg!7tAh=^9@<i3*fe!$-t*u!g!0
zRB1yKM*b8VIzU(i!y2F2Um1b5(Wdp(rEROqqZ(&)&$8jPyT;^P((;X1YM^&rWLV{v
zuAHXLCso^XmS*R(8nZ~}`F_=YR<{IS_DZqXu%)ry(*2;$hX4Ml*k<P0&qr4*_lwd=
zD6_@d^hD(GNbxiadq<Lg=^GK1`Xanybnun(kX#E+op`6JOV&!Sghtk|QXhz3t8^dk
zmuB8gvwB`lF`ldPY`%2&-nXPMQ8|ls4UIo{7`9vGD!$>_-P7F4ue&*2Zp9Vk+rH$*
zE*Qjm$hz5nsJ?N+SWB4t<xH=T`^$zaSS`Xj$Pb@H)2)H+U<<!|O$d9wrE8D{XB#m8
zyt_YNdOB-k(E&>Q5grt!2bN7W+Ckb^W8S-s&-yvJhSi?5q~7R}+j3N5=8mX`(Re1P
zBE$!5NIS6Ij%(j<*mvH1-?{INGWPOcLMrx$J?FbdyLH~D%BD{}s7NnZj+gH9LETKn
z#;GsqezOuv(YzxlN(%ll_w;^LiD?HcxWAv@KCkA1ur_;!Wa8VZty*u?e|+@=hwqc;
zo?hlzL#HIrj~jJ+84j86`4Udx6Z=iiboPqq*O%jNeOG=ApU2n6IB5Q5^JXaM7R1Ys
zS#za-T8^8UzSqs$-t1tu1)es12mFGs%52R~Id&@cO})PB$Z2+F?!exQ?-^Qm(E;5e
zdnWa#2m6@^{%Vwk-_lyzquKI8$9hnKpOqe?4KS>JIx4(6dI0ckaA+>JCclaHwb@t4
z3i8=w61^R9Su9Y@W#-_#(diHL%d*wCHs5y@YF=SOSIy^WV;2#dO5Hb#r8zohmo+!S
z>xZ0JqTuS?<~_||kj5p2SO(y)wVf<W|3nW&SR*S;7`)?EbBzZWum-a}QAAKstDqE7
zJ;$y`%g27~0H_)as0v?Lsb|_Z+;;<N;8N<6psS%SW>(>Wi7uDo5Ai+pY}5-gO%WmN
zctYc3b{rlvOka8OT`bcL^@Pu$sjX2h!q&kV9hXl;gzL1noMy^t%~|%X0KEWx;JajM
zJfb~SPu`M3sf06F7p;h~;@fh<m_7?{y#5i_{@}g`la&$d0ja(i=fA&vS86$smREsp
zdRN|A)yu0S;k>^Wp)6%ZffICg^~LxU^x?<r`~$Nre3x2v%GlO{L)(O1@*eB{m*%8)
zz;hzjK{-i9*W(B}yLX_m-HJ+uCXc<XpD~D3RsLAD$hzm~y7%)c3dJWVq!ZP)gs<r?
zH3f#|70mI}WjhpzJuT{z?HxEXc*^JY+M2XP9|pVi)kS!XP^fpe66!pFI=!i3;?@E0
zxDZw6UzWq){WaaMsw};ZFMnNZ*Ba+@l`9^t|Ae7UeZtumytTDoR*nsKFr#2o+nYIF
zt++)G55#@xUUBnbkcGJG+n2p2)B4MRJe;jf$};=OK??gsR7q$d+qdyZ-xtxSZ$XrW
zKPtGGgY1Orp+z3!A?yVxqOxE~LCN|EhB~&Va~F-X?V6zDx0bVX)7jf`I9jSxQc-U;
z!8?;G{rG-_n<N0Aih|j53g$%oRxUt9!dv_vOtkEw0Jma;S5f&R@y^sy;?`*LO~gCt
zmMQ)N7!=*$B?Go~J}#ssH$f<y_8h{KpcT>9^0=eRIIeLs+b*!;-RLoL&D-3l{;cKg
zek?$Q-0tpAM4c8iAZE0`1D7>)&6wf7{<^m~-TOsXun)O8UVgGM{xteKrG4%yuMyvG
z(LCui80F8Rg;u`ppKidFo-hp!Ku2JX--LGBs&VhZl`e`*oV6m`MQC!}8*b*HcYDLp
zLR|Oi)+>UK`F`<nxC`Jqb0kL{`O%6&acepO*}L8cSU`ycAjF@b;LG06{QZThEiFo4
z+vC!Dopjn5?#cE@G?aZGeP*dX7w@CHxLdh8Sp<A@#-6ROeunjo?}XC43qCB!>U@&z
zQN0O~Xdk+y!8zfSZRV<S1_7P*?`&6oKb7jmo}X8Zbz7E?Mi1NbS?|2Co>Lr;M_#^e
z(b{imKz_rllulHm);Y#yjBd>ptb1AfiBq4;?VQ_k{l+4~e2ao`F05UL9efrsz^66A
zec@3V1dw4}X%>y@$G|A6oW=c~-+#v@D{g*&T$y)iw3ZbT<tTFdG?rDNZQ(pRP=mn5
zyoc7k3$?VrtQO&%__w<(Sn1XMmW_zlvxf;QI2Fp9yWdh-GNdTvNk;vm-}-rmX13wt
z+t@f3`tR{C+qEN(3m)#<!Hbo6TFfM_^G!<=sL%K&8IER26=69dD%6uomNpxcI^ej_
z>vr+G(bHwv85Gg&sjZFqcnzR+tZWkx4jJ?p0!mn&gYz~xFq0tiPX@=m{U09`&|XhS
zG__DAr$YML+kI^@%BR;>j$^IjuI`6d1JB7K<e+xkBWr+k(m!vHK4j4+hqtxkZuw>5
z+zJiHp2KWBu%_4pKoh5SwxDL2P`w``KjH!w?(D#+8TLxeA8NMYoipdYpWpH%H|kzi
z=dBr!TX%~b_krqu&XznI>33`ftujTA=J!}tynk<iCCbh#Ee8Ef>1y8wSdqeYSb(kA
zgsxqZn+^;GSWmR+N!Gspb<!St>KWI>>)4i8ejU%r{oT}Pp=--ZfBnmvw8?SXdf?h(
zF-lbyZYmnM8~fis4Move|ER@&MPu14MQsY*>35X5*iov+@&F?Zc^G`oj-^*szg3=W
zVqgVyQo;2R!5Kik7Tlz{fQJWXXSX^y^j&K%=A7m&03N$L3X8uk)2kN8=Z$4>z^!wc
zfGzqn@I@$b<MS_st8|1GVKU{Fa-apru*%H1#!NOBQ`S6gD4tJvXz6>jLM2h{z-lO;
z2rPdL;;HYuwYC4d4{6=hyk)=l%Q2mXqE&f$@Cr-pnHiHp7WK7PxLmT_b9d8UHgE*W
z`qB_e7<~cE9)tyut5zPqx1}iX1AQx+ccEl#a?HO2VnZ)MI0^wvHLN#|pFE{gqVHIT
zQN8+Z{N&<~grBn(9k^8)`UUhMZV8$<8c=Ys&bMG44X#RN1bGlR<9h9A!SqZ(kNfgk
zai(YA<jRS)KzqIkQd<FE(CRWrV#T5+h{3o?>*}ssj9QKBPu+bMz{R1T=VNw6Pwo$o
zmsk?E+oyyUG@J1Z;z_!<1(i?d48KdCYlVd`y)Y3Et@t5}U4wH8G|%%`|8`WaMvJi~
z_rs&d>bKE3)5<of_F|g0uwp32F9ZTlaxbZ&l6=lpZ_kLK414<b+siU%9$2?t+2b#V
z>_7Led!Mj4=k+fPb=CJh*uQA+n{h{~uYWYX?zJk^n)o<%pH;(sg@d+>MxB`Ke$tMM
zUyKzi+V2>Uu-Mh(KJY49#LpRN*7r643&JOifV|)ofVMrjq=B?`ta<zC2HKIc6I4B?
z)DA7z09|xsYk&xa5;#9X_h=1u*$Ju3UswBo1@zqXw2OU6WoNVxgie;*w|zhm#)qw6
z3anCh^(Z>xS8}Qb&naM3H|5+*pZA@v;5-hl>VTom9N^kn?{x-t=G)gku?H3U8@NfI
zDy=vPl!_aCC0j9~ZoJ~})*HGf{XKT8TkeI;3jt;Tk9Fh<E>7PcFmwb!?Mv6rc3)P(
zHj$L)S+_pIfGw+~hN{AC-&l4Ul3c#a;pnobXb^xlW8>=Dw^N2+(XWZKj;@LsvoRj+
zoWy5qlJAyW!&IBWbGF~51Dz|KgayWtW7yaB$=z$Wqbp@Vu6U}F-1q?->NqO6f)8x_
zCOc|tMrPcS2WZhya<93Q`|f(nTkKvuK8@-FU+oVW3}pqj!G?Z7l4I8zdTpA+qB<#e
z-)+eTOoS)*7OR@h%EC9eZJoY8;E#GQIA*=mnlYU-I5}`pfG2LxZllR7IrWHjTXU}Z
zL|}}?QKg^=$D=Ncy?e8U3Ui#OqQs|hH5Gi_xw7O_uShpS7hVDI(x4BD1BPxh-uFry
z00a}Oa>IJ*aTlM6+Md9LSv9qFd_snQ)WX8}^}=eKpsO2G(U#+9zjwuzwnz!A^GZlX
zPFN*wxTB8*)W0Ux>%C`q1iJQ{e%k$x)~nY4^HHcgXT0>sX`)ZB?zrV_L;Vg_rxphl
zJY0|rG*^oai><p_UBerzFgwjz`j$^kj^P|_(#E@5s#Ob!UqOF}ZN%=59nBbtyntee
zPPuyI8vC+j;e4NXxZD2BdN!;<!*ME2eX348=^$ayBl|n=#&zm`nVqu)p6U>`YPqX2
zoNy;LEYi3)=&z!K=gDKShfmcIbfH_)2HlwO8XQDi?6NxyX(PPQL%BFVT>u^l3bZ}(
z7?7%QOO0h#Kz%-Ic(4HjBg57%i+A+i_D#p4Eg6hqkl^8OLt_dvP=xK0i?HV6YdJ?P
zK@Y)}bP<LLt6%iVO7x?L0HW#v8vrV3L%zbeHmLxUYyo{c$6o%QtV`jWR`jwMbI-V9
zV}Md{OxgL>-Pqkn_*$5_lQ^$oE53lq(eAKs1VP7J$2(ni=3D(6n*eV`Eg0)y1W*O@
z?-%j>XY{zzN2%taD9nlr*5P=u;?rvK%iJplAPZ*)-4{kwxX0P{q!jkIOoIM|FN0tB
zmmjmHRly8vGR2~BuHtC(D}L(Cz)!-a4d;o$aDe+_P7}OHf7cs_Pp64~hA}GDcyx%x
zt@#>>=8C;de)G%r#qJ{91pq)eR}-@?d=;3<<7eLSu0XUk0td<K1rV>;%Z<17CsuPS
z4*0X~;$}-uSj@m>itqQ|g?Bl(9+#6`$@llbi7*K_#>wteVG4i*!$=<MXC<q1>M=aL
zO<tMgW&;+2*q#f7DkEYPP;g}-c8uV6u&UF$5nrbXXeL%!D$D<&d?lToh@1eGN}Rs5
zAK|jpvuM9$tQl3~Yv2DCm6UAHRi+S&>RnI-_{Aiw?c>x0Z?LjBTNzqW^)w!;sTnit
zy4RUZPwu7z$UHR(d0d(&EAV<_lF|Xs4#2PnX$^*V&b#GF11wDStT835ssj_kV@4Am
zl*l#l>GHptnN&RuO_niBXm&0`$7oy!7#OX+03`SKN{wA>!xacadz%s)vATGp43CM+
zry!7(8z^{1Zsl1VV|1|F`j@$cPtsUl_D$J{Es>tA!}as}z8qf)O&BfJ`N946jaX#^
zjsZ|=ON=~&uJBvqJpZ%vd{C=Bn&q-4b0|N})MPe(WQK@o@*I!-7O`T0d*qG&0aiV)
z<XmqF)``Pot8L$aAr$-$A+=TghDQbtM`8M_DVNIVj>0$}Ooaa}?4`!dV9u><yrL&N
zrUhnc`hcN>snWKh1XcuKTPX@`8+Rl)<1MalW(dLYw%uEyy5_;{bJ%A_F{Wy^+vyo1
zTwlC>PDDLms4=~ApC%=%UKbd8>^2&9CbJS`9+^*|(tk3+&0yIv^l`usiWj9=#oH3W
zgqyTopqp`@ou)qg{m@<<;E)5yo!Ty5BhE4I(qjQ)9aX6Bw|$x#$@r-!e)Ee+S=A|F
zq`wUYuUNCdjKVm0ve<n!rn+$6EvQFU`WB(NMS0K!7eNbbiz5IBp-u9_*G#!ktfl}d
zWusqa2qBT+Y%I8FOQpkIYPMexX3}(sYzBTJSa;OzHmin<eMabSQwabK-?Wuc7=VYE
zGM6HO%(Oq40ib~!MOQ1(*GjFj9v9;Kn+tIvP_I3jHEjLc;k_y>K3<$r+`Wq;W!Y@q
zqP7dZ_{7&+=Q8Ei4^7!pNxs%aL7=w@WLhu<hHWb92O#Z!);uc22+;5p=^gQ?UPk{%
zK}j4@2zGb`J@Erl^3!N8#)^@2ZievnE~YYoah6v7n%KRfp6)!agu?^66*_sHL^lR5
z#acfg%w9`wSv}=S=hNyH?z+}Ph4M_z=r>1;b*+uq0u#V|qxqNcA$ledqa}j72ITtc
zB=5e>F``Pdyx3?0Pmf!=S46Et-m)uwR(P%;=oIrevB0b!S5j9;Q+eG*etO3dEGLp#
zz{LXc?My^Sz>LHJ+v?V^mC?BKo@dwPTqHsysGoEJq82}V1AJ=VA>9uowNtD9A{-;?
zJ=~5WAKWW~x@;Mm)z+sOSzZ_k`s5r9ux@ck364zG2ySh^MOFk~h&*j4FI1FhO6K{a
zFJBwnlE*rKOd9}f@MiwhE#+aEpX%EVhn$lEou&i;w<E&&X0KEX4@M@?Bvq6A>80%*
z1@N-3`?rkEg$d0FEW+`aVgo}d>@aMnF2b{cRt3)E8=74a?gSi0Bu%LZT>SqPMCIR#
zM~a;GK1e1&3`6qZC+$JJBob5%nmaa!*opd{x+?&sSKZE7Hk<_lGynYdoZ{kqBA)<>
zl6;q#b7+XO_Y0_482}=8v@ehKG$`%sSV;u}1N#Jjfgi>8Z2royOJ@x*j#Gz&kX_Y<
zz#nx=SE7)_UOgP!0+mD=;iZmPr};h`?K3E>P9jHFzgB`ezWd&bFnVH62X0(gC@cZ9
zLdyFv1fP@PW)=K+4W}iqrKQi&wSA5Oim~(w33$pVRaR`R&$^&k{{txK8)h9{@j8CJ
z1LJTyy)@h$)j!~YdTa)ew{bts8qo@*b3&uMfBtH0a?a6JeW(58Sh#72Kh_X7LIVPw
z2#m>v#@`JQ*cY2{t~9-yWpOd8p6<v$Vlf0uoSalUn$g4f0^^5AR$XphDv7`vr02$`
z9t-KfPumJE9>cmVAatwWbR~dp3fPw|IO1>}3+RB!1>pl2`#-B+V;Mq>rD8k1EW!^%
zy7+$LLkw_@<0|je_FTC#{hoR#ft&>;*J%B_ne6AvXojG((#)Htu7Iq1DtN*K&#`6<
zUG<pR6^xWClGFtZO?*-Zx^SV#MehAXehp+BO$E>4CT<i2B_KJ-6RTbU&f<0ymngCN
zbm<;B*7XsnuemGBH|WV<m;$U>YQRgR`BiMh{iQfKU|5bUajSGb?QKiFbdM5<`&K$1
zIEa_dipmF`K=#bX{n1U!Sc~5wWW5Xl%w^4*@3{Z)OR^v)pG!KcozT{QGT31W&lIb!
z&maHTvvSlf588avu-g-|)+6pnoMlKR$cgW?UC`I7j#m(6j(pnUc@7vpzsJe?pTY1#
zYtjrtC$`v)bN@H+xh`&BY_l))K0m<r&I|6>x62&=@f|+qxaOE#n|zI!SL@iu3|f^0
z^9&n%w}@q!^a_;={nMC@b~jo%EAuPs%RG-PGZv^kEoA(1<*Nj54Lb@gNr$Ef^-HMd
zNmXZ^wKG8DV;YqII|yM-K{x{_ufE)PgUvN~E@~D@W=d0`zOrAoGA+`>Um@;$U|#u0
z6Bq0UQv`WEBbPFrMYXa@C?9#S*VCv{h3+bJXjkqA-);+XI)3<x*{`Twve2ZCDFSa&
zWc9V@p;}G!dCgh9-a{P6>OK$}H{3i73I)-_0It>_m-r}r+m5Cb6~=raG{BfYLqNIs
z7-lcv;=hu{*T6(;Le2pkY9chG5$*((6%D*3N@STaM(~$luYr94H65|<Q!RL8=;$Lh
z6MUmA+Ko!nYF%5@M4&teg4NGcEg6bx%u|!+&sn{yrt-zU2H%pPf*7z$<gySN&&{gT
z&zp(%s6<!9s6Cfb^R<~{+3XaYX{Hqr`<TarFzFXJYt@)U2EMGW+<fA(pndWRDep)9
zMZ_UcSBTEzRHeNq)SBh)J9Rb@E5OB*Wr`8K#uSqS+83FS3#NT<utw1M%>;o%vz_>`
zJb9bI&tf|fHW7*AjO@0UKT;;7`=`hhQlA95SXyBzPt*HDzX{<LrkY8pG1(MaUNDMF
zC}IgZqpwvx+mhNg8u1D!Qha}iZHVB`PpoOY(euhtUz@FqL91=k_OW_v!wxXyUq%`!
zL&&2UEe&f+vwodSRk|F)M~yTw-tsiL8j?*2{bf`l4M)v>LHCV#*=}Lx*+e@=G!s4Q
z2tg&VenH*{BE}NZ5j%r{n&B~+sgf^2m8{j>_rsb2nJ=%u6guZ%%axXTO;Qu7rO`BQ
z%)S1)n|}-^QAT(wb9P@!)5=A)ppJ|Qjg08>z!{u;6neSnczu^m#1*Q_rRA&>8RD&<
zQt<e#AdH-y*yACcRl0~Gxfqfbvrnd{5{naED-1B=z$gR)p^6~NB$}SJ_<x>Z*q*3f
zbhW&%GiEA34#l>E5eFEWM*3H?iy|&bvB1PS6RZIZjD-d~o>(Hw^&Bk_&q$o*2ZAlf
z6lSFNA{iM|Pqqj52Rtu(fyBvJJH^KnsFsGVi)ncwjsPQ@s-C8_J`rLm>oDx~VFqQ@
z7L0afRG+?AWwe>?q0oCR7h`QqJ;NXeS*NOR;Q0|=x)D_eduW}t?%&-wS+*$eU_gwM
zt^)lPPOYjD1NRZ}-tmF`P?+VM_>?51B-z_Ltcad|=cR8g)q@vAeDk&vr7&KRV<M@e
zA|lDA>Wh$GzLHq>MJSdpqPZ<76KPMT2kqq!95fo^f^pM>JOr8pyJw}<wwRe?2;iM>
z<$tn<Eq`~D*MC`4mQT>$CR|Np;pzmrlO$jf(kC4o-{Xd*#o`XHojsaZt6k;!oy~qT
zK_2OUhV$sb(5uL;ymW_a4#hQ9v?^$bOPaeM+>2-j9{5AXw{JQFpiKReRokjFKc>;t
zo5Y3TBLAm%+mV$dR2U2~ser10wQ?u>M*17Ap~MVwgbXnUI>1P&A1Vs+*O_whUi@gA
z=x>{QA*96s`IFtlNB0sXE#&7Q0SmK<4TuS?NP0nBxW^7ZcIGCSy&CLmY*-aT0xz5a
zAAIZheGfh)A{mcI#2tQ~rFn}xIOM7=tPiB$QUDvC4*YMGvyzZQ6cUE&|E2rXl($HN
z_7_8rO|`U<;6_6_OiyV>#X$>Gs-9ZqEQ93|5Je^qr1!!W>2)$;D<cTTiyS;I$&FVA
zC3vKMQ`gu?;z?}5OuJFKPmZ5xe1^puMy#+=o<rvSjD)XDY`|39zoSjvW~Rktok+-)
zMS{u{T*$OVd9_3a;mde${TbGuYjKm%<cY2UYTaNn(jf@IFRz_7KR#j}Prh>)wX;C_
zgYvv76|a88Xwdsyc)cxLF@(vvG*!`6+y}w>yM@Jq#8W3iplLqNSJkO(?qjCK6{^Yq
zCc2-CEzvKjGWGZ~eU0K`Cu`r?O%<oyI!M$(3EV*#?esxwIx-88c`>2azvda!cQU9w
zASKDhIVCe(TT!8Hzs!wUJ`f|4jRO5U$N;;41dmbECO&YMt0=g?6zBHt!y_H{iqd~&
z1Ug8jpas+p@xP416px(*N-PB{H+Iwmz~G*e{C4ERam+$ybcx^47X3L8NlXZjrh-=&
zTM1^PP*yEcz571{QXNeuEh5+mFCmDg;@dE6`K(BArY2OgQ%acHds}Q^rwz{q9^JD$
z*%3Y2aFwyRJlD3lbD>E0xhs(sYI1({%d0H}g^AT7HQfg-?UkTQ%RmRBd*Ht(F62pE
z)B<ZM?QHN+Suz}U87HmJZ8woPNe5uT)WyJf)5@>w?E&gh<|SxI6HWu+GWd3gnp2RW
zpE{S4CR(0z_X;0V;PqqqqhzLg4ZI>O<K-&Vf8{AS@V*v#hR$-Wn#D`rft%+$ZC?o$
zP)GCAPNYi*xEEQvVR64h5-abB6g_`Xj#L@{HEAoQ$dV%YE47PyB99SKAN%8VUdX9u
ztPT04mQh__ge+*zC}ams1aF2;g0xuqvniGZ4xg1l<63vd?6(v94c8M3??xB(0|LaR
z>;8eYs~_s+vOGhNDbTkh*F11fdwvYY9K<$(y9Z4<A~JKJ?S-cf6r|ClCtZv^+=#u$
z%j&#s4960>=GA1uFQgrQp+7P{nnOIPFgO=DzlRj*k&RpQXG)}C8j%~z%*dEB=LO(}
zxs169!>~B9{E;yx3D+S^fFbAUUlh%IN%*!moJz6$Uat_!4yL8e(T%qeZbDvOt8?nA
z_HS)OR?F8D4vlDrvnum1aYq&@QOD~9+cUDaA-g8ur@Sgv-~^MK7%w6-I77jrWHt|R
zy@-*TN7q-yGXW=$>}dXCk$|+djb@4w#H;Hj8bWmfm4!?dK=Zx*zTV92aEg8TeWo^j
z(#A+_T4P0{Ad-E`nv1;((B}QK95VPyc$(;)Myebd7&2!f1ENSqT3S^ZI&DlY$&Zd0
z`!N*+n-j6TKsUm0ZsHdkUgz;=S<F+o-&D?Ef=C&I$pKSfiI{1y2|;X1niG95_8bD@
zCTO++(<G4Pl6Zhm%^+@)GiMlS!Fe=>^xS}V+?Kj6)r+f0#69w`=LK>Na*m2u@ZM%C
zBkFIukfqYjWIL$SAc^DpEN?0UeL3jM^pMs8zylcaa&IAxo-ss9#YDhNfbkB~Ofcmo
z171M>Y-HSfXK<>^h|1u^Xr|Zm(xd9^ncRi=OT0W=0-Q9QWfN~T(xyvV!EN$29cM6j
zO!`mdUE|~~mGc?~v*~!JMiFL{`)ieT%CelvXS=T|7Kx8M{YKA)Io?G*Qx@m&J?~Bq
zD<-fKZ3;0#GV)e1Z)HTZ+yoFgHY7a?X2ib_T5!LR<=9ar^Bfa~6wqwJ1`V?>-2*As
zpQQ}8Bg*42Z}RfVJr~DF>xDEfFJ7#@1^mM;E*TY=uac)(z&HoojrmkYt4Tpf{$}Rz
zBAL+uj)MPSh&cI~JYKu4!z%%5(27`X*gO4~Hbi&h@wyu3qXK}MVBGC<GD8~4KEwHb
zN!;OOS>+J1nLvhUkp>=X*Qo~?E5X<do>{Wji~!w)JbRH59r3)rBOLhTxs;Y%Z$jcq
zd>9l5L^RHR{-t?tOLJz*>7J=fe+e3=CiRRNcq>jd8b5A>`H!^yTGysBT4M0N03PIf
z^~Zt3<A|;ceo;k`oO%}qP)U3C!RU(ED&)J#jE3MMCrCwAXLk?0mHusKGH3$lA27UI
zQaP-!VE55PO>F9pCSpuwB)V0<=kL?&Wt7RRsARTA%&R0Do=;>S)h`zAQ6ws7>H=~-
zh4d4ATG*!SB1ft1gv1kfG>sW<%~<OgO0_6i$VE<id^_C|;}n3|RK|`YfIFDvj?%Jb
zqBI?;D@^nl?9z%`3<*E<e6lA#BzN^VE+B5ScMHzL0R~&3b*jf5yFI5!(-PcR(-R}w
zWvMztx<GS1DPuNQg&bXxw+)n%;{FK_{`Yo+T_N{9$RwhqkvS3aCi)zvXX7QzFDM%p
z*9aaJdNJq?o(6h@P+XbOq?cn_u!+WCm(vCKBtVhmUw$0|QLt!;T~+TagPEyG?2V@p
zhH}rIF+v;$V9b?Q4x?+#HO$a9RhP}fQJK2!iDhlw%6GYFNn)Vd-$Gh1+eiA((<~tx
zzeploz^?Nz{R%O3>e;}JOIDMxnpZSV1Z)E@v}EG{zKRN11VWPBUJ06mo>TN}K*Q-@
z&YSOe{Q0080AY`h^$Of|gd>?jZ+O7Wp*1E?ow6~Mjof1@L~q__j9Co*?9}IiP0ElH
z%kdcw=3aZ^ge(6%%zwwVo&HNY(~2Gfi;elGG50f4BgD6o0E{>-9GRLiep?7t|AF%D
zAXeP!!`m&nWkMV(D96C15ea|a=MGN)Hl+{O9>s&6?)S@TX(g`=0;X5m)?B*<ZykDT
z87Z*L8wl>1O(8UL^%0y*h;`Wb{hgDm&|u+*ac-yo+7-5PWRYri7MkK>`ol940@wEy
zp~!-N@K&TLeTFM+Qb6SA`Va!k;Kbc9dy+Kk6R11%5RncsPV0ChePm~WUhS!?TKlL6
znBzorHpQ``<u$8QUPAh+P5}-9r{(444Bdf^O>nR8Vg0#t<U+@Lf~g$Ftlm!Zi~h=6
z&M}wKNBsCxuv!wF;iQ$G&7w}sc`hf!04?SJ!8Ulh+1)Qq6;0r_hTgJ&kX)1wZH+8?
zRdT#$oM^xY=jMvh!%Aw%CyNN7k{1Uu1k6isiney5nH+Wh@?Lim)XLyN_ylP$KjW5A
zk``x7f#VI?4A_ZClSQFns?|IvAWS@3M%HX61;07^Q+~ss>YM;YJy&kbJpq6+r|iMn
z@gZ;F$y3I8`?P3$D<a*I5VVZYEh500i%iY5yXJ5lNvBOIfkaMvHE0i%Xl6(!umO$1
zs?arhO>NK7x5;ge^s19)vhhB-5C7AgIta^6k}#8)^*--_t=A1R6c3dn&df{de~mAJ
z8T?gn(U>v`<LqU;`yB+fO*xVL4FT?cQ^mA?-?%8&&rFqFtm|cI5XOQhsEcZ&Nw(%`
z+vx7Wq$^JCXaLB(zc}PZt|epuu34blFg?^&B#y){CbMz@Twr%`Wq$hq75JB6nAh03
zi+Z<({;R8XL&WC2Kb(rlYXNl0l+Aj-d~&r<0}}{lQeBO?Znl#`ig`+#oETN!<6a&G
zi~m~ANll&~Cy#;^<Y>?x)boPOvpeDGPp<Vab>Q9JJHcVZ@Z~)mp{W;rPIRpdf7EzG
zZxF_n1{(=>y*nAe(WtdRuZ2p7ztwaZ@RN{oPSb#r*~I!_%sn{wNd-(0U9cG=eZ2sQ
zhRo!Ura#gbM9$=hXrx*o+o%MORW`i&TRv8evrJ$|a?nKdKwQi(|7Y|%cH#739tCJX
zko3ne^q8fOD61&ANdH@BM-y~`_=DVuxQ$yuVv#!mf^8lj$RU!lnjw_QdFL@!4Rgu`
zC#^|}!FXetJj>cZ^=3>lo5n7Fu&cd-)3xGL8ThObF_l4t<oG}dSiOSv_L8JDc^^NH
z9#b>lKjxh+Xx3;^gn=djvg9~S6J7}7^n=BEfyySsl4G<6!P}CzEQam5BV#h+jg_Po
zBuTV9S(2DwqOT#-&)^A?JOaaYGdttFGwn(j?hwJ<p5Yy~{3f_ZY9Vt>Q-S)d`6`fn
z8zU^%S{S-j6cjFxOV%%Wa0(vcL^?`1QNxrV-!riIMcG(?U;ffKp$zEc`)!M<XTf43
zqs5eC>)c?5iolT;gRHrmw;??|x?4Ha9}YE|JdqCkBF2H_&Er*50eJK|-0GPuDQ;u@
zXgFWL3fWMTY}f5E^yDANp{5f?^=dIvC%Qa=+;#KZd5rZLn0kg;1tw@=khn?a6o?WE
z7Dm%K!v;hOY21$Ey~y?c2N51E>=w<1tN^+qsRO8<##9>5O&O1<FL^gf6yb2~D(Zgu
zNnY?!<xE6is8-Q4OOWI@bvz~s#vuUL=Qr)h*--XY<7jVyBbDAS^}c(6Z-)^Sz<^#)
z=5u7k;cV8+U{ZWG1!UNDbAMFBS8ON}Yqp&2GvE`~R&sYYc~tA2hy#XFK#@H0QWhcQ
zQS<|<7KCU?ao8XMd?7HBSq6SEJB!7BFpIL7phxR73zxU<rhq^Tre6>oB&~`ezj!FB
zg9dCl|Lv)Es}$-q;)ySWqkrYzoHpxWEL=PzITj8WJB93;{L;tkhq^u-OI}>ac0sjZ
zSM0$zNX<GV3eJWrJ$4TiY!8}*Ks4vJC^jQt*Alma>DlyL4|3LXWE|iFO#nlQpo>NB
z04<r%4TO`}lbI8^Fw9`?h1SrxHhCNE>yU8n-WN;8duX6my}9-PbDCo|ibgti$qUAu
z)r4#z7Tf_}$wd$2Px-Z-ag+I9ZSH=FnbK)rU+g*^E;(5fR*oR`dO_@5DHbBnS2Ti2
z*-SPkbv>MkUmoe4Bm)-mmNA!Ye!$E_XndIM=!y2QeP`N3NM(#=)XY0omLEvuKw|#;
zDqoz82!mtPj=VxEE~;p6O1lA#b;S23mM)lq`dFej%I>Fe1*r-l5QJPm_0)d>w$v+&
zy*tXt+J*cOuo1yEW$_QC&nN&ww6u<LvQ+zvK@!4Ks_SIq+n%iD%(1&k(&!(6HpxE^
z_O)q&+=}pp;M#1SG@}6|$d$pFS0<O<MD`7<f?#mSV6+u&zvgueHTk^1B1kDLN9A{{
z4)q9N<+xYjA9BGd@KgMXx^F|`1?)<h38UBai-KMCjneCHB2-Kv{qx{eExuIX=@KH9
z;0rB{4gZ^-NSSOWsUHs>N{$CCkws`J&-@Gbd@<aUd8i^|15SVKL&aNNe{%>vBtEb_
zvh>NxwdcG$iPnk1L$8oovzgLd*NRtE47p+p`FU;w?oKkNBu{6WD0YTR0~-zSqV`*U
zODCkcRPF7`M;jfD(}z=;A+P+O>W(Z2N=r6ZkeYqK0Y;G^FX}T&O8>-*pA26>|Jj-;
zqe<1&r7)h-tf*gG=}M;0(CP77Mc|%PgdE~~1VLfGO=wwBV3S`F&wo+;{hFLxASi+Q
zeTni6iGwIhVJnD*zmGJ74kNXwt#+cv1{*pNHwno&KgH>obu2nqhog&LgUVq>`D-Tj
zhh&;f1i?QxV}v1}nMO{E&~N{dq{ZN&E~P!a>K;=Q3Z{6r+gYFdFbZ-oN4{aWuzcVT
z;@Ls|$c`YVQ09kCzD{WUKsDT-Y~t_83{h2$w&WSjpR9aL#SuMX&B31vdgUvNgqV}N
z<tnGY)j=DN+LQW2cqDtR7<xwt^>N);G&yYuiZgS-mlc3TffqCz5M${^iGa}wi4+jx
zNf{B$d{4??QdXJ&vh32|`5p?uxrQ&oTO43;aRDZUGW1sdZqI4-<tndBWqZIP++ZKb
z6A%qzU1KLiDZZb98kgk8oBtV^CXxn;OcwOPAI;>BOvp;v0>u+A<6)^KnA6i#l;9<b
z-h+Q2uQ{gMMzAvZ`)@2s3<f`$?z~4K(niQk)Cx)$Fff@eH@YYtF$*zGb4@4^i!=K(
zv|=ytUa-*Mn*<gNbCE7d(ISJzBvZ@Z;(Xg1Ddq9iDSyZ)Z^caEZUAB#swO%*@|WZg
z55Q4wQhUkEgJSndUNuvALEGSXxz)IvIalDUTe{B}a`ry;xqIJE{Xma|84RhdOb%$g
z8}BWNgr7->bJ6o!nUG(G)`|%tWuMU0K?sB)hb|bxniDf&d(P_-Fhr<-fG`(0#IG29
z#TrIXl-!lzQ8b-VK6(F4sYB?`W0hD>)DumPys24$`8{oP0{ehsF7bJWd)WxE7sfBR
zBPsl)zp26HYUBJE9)#yTEOi6eER~P=Vk6~xRT_)oVuQ-jp)ilvgZAgy6I!=2$F=%3
z!8n6yC7Hc0(FM59#a+YxD}fKLVnh$d9{1PAD)eu15y55#Sd0j+*Wt)*xF`Aipwd6F
zED0Vo^|);e@b}+pdbhF!qB;jE0rkpFUPQ{z7F4nD9LO^&(HU9@Gndo1_`F?aj4n_U
zWPC7ROs5|_=!LZVkOc#c^x_ptd>$}(y>&XHJTPe0$$m`u0$UZq?-))Ql+}8(gHin%
z42}!nBbLNPAn(It4kG5>0b5TSh5sgK#E`p9+rr;eijfcGHBRPQM52_HxHkjgUjziT
z;Uxouo0%{47Xeuo))U|F{{-egU^GYJ%^2#G*j(V+X`V<ThYy2#W1RcU>=;0-GmF~Q
z4=v0iYK;WSFnux&qm~jh%gNOdhC$h!l+EZ`z`lYmGs?*UJt0U=6gv!`JPL=hc73$S
z5=+?92~4hpvP_CUDYyvoL7he!CS)iO3xcr#{MM*ESbE$`yoGOH;$<*nG`<EHp<MM}
zWDPDpqO9)qwqEFT&uOqLpWZOaXyV0kOne#<0WA|>EJEDnx+AfaDIC_w1JN%#ToGj8
zsBBs84VdnFqfoxv*B4g8WJ>OU2v|2-e5i7t#2bPL0aaq4j?83<xt58<xG>^&Q~VN9
zb(<c6(QVfBwhSI*JPx3otYC<`WH5hUO5iH84-^dYki5J?yw7P)r9YEcX@oCEBMnmK
z$M2OIdC5}5C4-Fkbq(a9UvBaE_0sD?(6{Gt(vg$KTn07O?0k99cGNu#0={5#01_l~
z+pZ&f=0Z3hJ_E;WthJbxQu2%}CshU!Cl5e77zKU-Msv=ueex=pUX$_Ul%dy`0CvmS
zvOK647rI7_n0XP^xxgQ`3%melb>=s&9KH&E<1aw^HTM*NZSmTv%6nP!w1s=$M9#@|
zxLb6UIl1gUhOTQdVpjt<K3on%ZMXiIvM@7Ame})hXN`I5B9v6`vr^W5aMC)IvpilS
z`8jeP1;|+t(=xpvljSOHHo)<cmClT6oH?gM=Y3tRWiAv*oje<nP(@gTk)1B$%Vj(a
zWTUQG_&h}>A-?^S3YG@D2{x!8m^6#NBl+<-#ti;ZNU}Kg4f!efeBUNe`vdr9EAvkn
z1<_PauD?%#O=uEjXAp7&0TL(BEJ)&6;)$!3&wOcFA%{YWwgB`?IWK=xe(?#|NyM!+
zhN+uzQZ)(kVUV|RmNdp(_DI|%hf8(lUy|X|`0oQTmZzx}QhHCv4~d(D7=_4@3x^_v
zmDjCM0p=Ng#c$V%0Lm3&mnQXvEC<BAA(&&5ll<`8-4v!S1kLLDx%R9bC9_FtSK|9&
zx_PgW%;BaJ>zF0ifCT(M8H_hL0vNNkCGq~C?iT{#fvfrJW->EBWbU*;F<#Plhs@7;
zHCkg2V!+D;SZl3h@NW=x<rvhImN;uDa+nYy%a3-+!@qFz(kuBjWRy6GO@Rz~KxCF;
z6qICYIKbm`Fggz1(M)i66SD!0>mg+JQi?6Z|Cn*8HRdCt+rb}%>IbLjZJ70%eoptP
z96cKFx3opBP}^ci{=bG4?TYwMOcO;{U<@sgT^*hjNZz1a=#w5@Yzi(CcbxZrc!xOH
z=JDO@^r*geC_lheCH++^q|Dw;{11p;$diJF#ChB%0y%-oMs5p+0gYT9Q-?^&<Rqa0
zI{mLH!i!E3u6v#%xj8{>WGew+b)^@m9C~s+f&!O8F<|g(K&S@=eDk|3*?b>o?n?#h
zKq2V&86Vg!627IgzyVaf(c|o$WWU#`F?M>egqbzzrw!iLO$HH$&-UmjZS~;MLGP7N
z|CyNU#2e}!^@oi-&<D>8x#^UASUUg3_~QCegk)SgkGeFBfJE*k7~0KnmE->*r;n%l
ztO+F<X~~{7g)@qe)v$;oq<NkA=CX~#_iFqQ`!X@Hi4uek1YYDbdj3#nTxKFre8P~g
zq-3#6f1HPb|F7h@d>{Z5Cz_{5!UV*Gn0;0|EZ(ih4Q!7RGlgdD2`HUZIwBo_ZhePg
z(vjsq%S{6$0;mdRM*<TZtDjnEb>ZKZAp9J{xzg_-otC(qLI$9m0Y&K~O1Gw{_N_)@
zf<(ehQ_EyuH2)>Z@)Cn8AotB#Hc)+%N0e}*{BXIvrI)~n4MT)V8$B0W6u%+<fb24i
zfoVRUTw;bn5;#M0xDbjoiIO-(E+i}%*l0ix@v7_&F{hyyvPEEYc;oL*uAr}&;U2B`
zmLrBb-$&B$<dEJaS5KipqXmn{o#f>~Hg2$BH^$i!Qp!+xn68VRrjXz+Oik!r$!%YV
za3@z1eRPzVgGGiq%PI2;X7S9x)w)-4alm#&Pw;b&kj(vz124pDNgTpVgFSDw$&u$D
z+0wD~cjaufLB@H;sqp-S<g@+y@GD55*j%N_=Sd18O6ND#Hq3$%Fo`qF9XB*MWh~$w
zFB!^)Ak??>!J+GoQ|jGGmhjn?lr6Z-WREYM^TqWx`if9hP>kh2B*!0m(j~DS;s>zw
zK_FszCu}J=Mody0a66$5Z7>IRFVq%{sV_F9w&x$+-C)Jyaao}Q=ib}-W`us2<-;~h
z&o5<UeqW^#d*9o}K;PE2l|ub>`ON$wzZ7vjNvRTUy@p9u=o+Gq3Bz6(UN}>#uZ8GM
zSr0*~pc(M)Oo>d4FAG~?(IONf^XO8&5m2peP~cUJU`v6AtZo#YL-}#Vk>VU-#LxTc
z;v6mDW~I2{Peu5b@q>|Uom7boAs&6yr`WU1m~y?{Bmy$_AqG^6d=7<KQ$U&M7EOPK
z01Dua&Wy7QJQ2SAQYOQ}yY$aCd5#f=rCETpR=GDkhO%MEHxvB3rjv`FD8ws7(vrN7
zu+AEIiz+o?tB7a`iEz#q;)GIQ=z`K^b{qw%*0fuSTuELSZ;#w`_>`<Hne%2s1NH9`
zFS9jwFDA1N7=ET!Gh#B#UnLAqM5yz{P8@s8wMG3LA7nGZD7vu=@R2qM7wY##l58XO
zE;IxJzXP~aqL_0*+0^jIB!BvYnFW)@q@as&-oCUMCzI4I>(pP}MC(XrkTOU_yzjb&
z{8*+rzg~*Njku$aHqsVtYILa1p#%cTg7PZSlUs`dC+O_zi@_<8cNx~vcoTG0T6Qr0
zW0R5cwMX`<zStVhF*}h9QFZ=hf}pgf`&AWh!14;CCSDUGBq{T!ml5i#m7Lycc#$fS
zqy!B}HxPthjdW1b-`Arn(rt}Sxc`1iL&jP{P@3sX%jfo5io9SBX3}rg%*o?}1e4Q{
zt<DmOH4A=%h1u<wu{V(#KpMmSET|k7wnl0J(e4NQ7M46HZ`8p|ugz2}a*#gG4HCdh
zD2uu4Qs&U2DoTs8v!qDm;kUt<LdQ!o@zq_~P|9`KPRkXQQ5KxE^NEa{#PpEB9`SMn
z3-hJkLdKWHu;{bAT7OIP*^Q7>TMa>Q)8)=r38^tnWoQ-kXlIyC;t6TM5{su;oYYF#
zuxS6p${19iPd3J%ejO3Ge~8C&#p1$91?T&8YDr0eAIvsw#SMxQTuuFhp294Nd0r!J
zwZ7hu_A@J9xFYUh<#8baq)ir2i-{d|@MW(QT*;biNP`vDALLL#eWp=a-~~e35{aFj
z?->GSo_^h<^$4>tYAi%)Tka)zvI(m&@0VRV9|q`hlT|+0mk-lpS?b<4G(Zebc7FoC
zieXT^0xmfGKF^*B+U9v%=O%tL%u~VOxHCv*YRO+=vk%|e+Ak}|hB-R&ppYR_Z-UG%
zEptDT#&p`Ufcyp$9?UB2X8Ga5m$i@Korop;Pegf$)JUMIAIr>@vx9n7^&cKj%2}pN
zdAQ%<$Rb$SGaH#c!=4B}`UxLHK%s*hk=&$4%;Ex?4tv7jY)0e`>xm4*lTT+H-yB-&
z7kHh;@`%>>FXBieI4BQJe`BB!6@XA*c<q~8X1~CcjDt}rb)^D{3*0`<DKhuDbC?&P
zvHFMD5(f|i30=e^lzaD5?h89gyq(<8X60PpZ?`h|W|Ig$zR0}KFEI1-r8Et4oH;Vx
zJuTA$14=iq_o@H^uspXE<vk}7I&m0eN}B6nGi<1c7*;6;KNRiTwg>U-Op8HPlc_W+
znqqG9iDl4qG)KCN=;c)z2<xdK+a#4Il9bO0)>C|tv!tyN5t0fmi2%9hkOny$#eIeq
z)lg3o|21ZhLQK=2WzL#<T-#NREGL+KVo}n%^*6q@V43Aj?9o9dJ6SUdyh+reWR-N>
zRxll!DSDm|ooh33F4?*l@+6~v(Qo}&Bl05Gfjs!Oy-8VmAUX{JuR_p}99|9k!>prA
zJ58w__sAMwYRv4Qq5FKYTEgZPd0^-PBCnmD<i5ljhBey)@AlhOu_3E9*Bc&QIb@+j
zU2J^DV>l>2&g#51<M#v{WSM{S+Kovo9iW8i+9_jO2bM;K;BmnsEA?)6=f!@P)=y2c
z;Qmf=u;mV78ep@-FX1ptf=Q+`YI|~GyO*)^7DfHhQH)FI)#SS{X`fcf<aWe$3?ABJ
zRWX?y1~8Qi&+^cub})6+X;y=ib#iH^I~A|l+j*p)Z%7`ttt0oD#CwjyXuD~6B0=@0
z4nVpm3|iz<dB{|#AIzn_uS-~vd$g0joS=OI%S%U21cDnHB8K5KqS4+x_kEuZoOhbU
z8v)nFZNqH{I(#-WvK@>$#1$v)08A+dnI>Q&D$-p!{HNIC18d=uL-lJJo6^x(Il_{Z
zzC0jeoaeZy*{iLdiBwA5$7AU}mYy3mGlP?NG5QCr;RZOcI^$E`Tnz-xkn;DBJbK3H
z=Zv_5bjKMLVLV2KtUhRZXk{Fno!!cGRwrs5)hDk&U;!ekps6vn{V_ELR}`pDXT~WX
zIHlinhq$a-x4Jo}aMMrcEtn_Is;|mO3IL-*ldKSE1$67C>L_ATtnTUu3QFC2yF+=;
z!KWi`#Sf1^wT8*I+_)1^B=+(&ml1XR9#?;ul+7a7FD*);Np3P~6jrQv(=!FC2-ERJ
z7`&e7spq}LYkmfl7Ux~Csj;r6f>cSS=cUOT19g~s8S^E{`BS{D^h7L{O*bwfz!i(X
zT{QV;xSzD+9PMdgBujI0;D37$6akHGweH7k;nj^Z#`sE5YZP_AkxsWdOS}ZPf&wim
zHnH~$7#|r;*A~ui_0sO?oUZk*?x91Kiz$GcFAt|Z)3|U^Ymo?W6>BNB{43Wly#70?
zC3CNIf)%2+W@Mi7%N!2O()mn5OFkH|@@Mg12#MukNCXV&4MtUK^CIVP@%;s+&BDL`
z#<ty{ineVmOM~g*2OC0x$XdzkgKmNitbSZ{kGvf;Qx1{)l>b-4mtn{m43G3K5O&Is
zEjX=>*?DH2>>6?(U(kU;4E)n+<W<j>MT&LC3=ENdqjs@o;sxyAxouPF1P=)O2139M
z-IM+vyVWiC!sdlQEBG`py>WU+{m{!OcM^A?MBb$6Yqah9S3B(I7md|DxO8YT@9?7B
zqDU`bY;eZbU^Y{5kD$1qw--<5dZSazuW8ZZIT=#_-P$!c^Ye^5;pIr2#S*H_JNNB<
zY?m^|PWp-9b2yX=4puMq1~Sf2!h=BW0z?U{Ka9W@LVFs*YFWx|^)&rmPoUKKD8;D6
zrbhB+?dl)l5f9)|4_+5PExCqfmWOx0ONUqBrXx)vHledxdwnB<$kgLFin1x4q&JzO
zer!FYiaIMv`4lJK1k^;#s_z2N%qH)RCR*x701WJ%|4X_L<)4T0{5;BEir?FDy&oTZ
z9{kUyF8q8Ec>O)7->0sqvK-Z4kIm8o72ifCO_f`yEX;NrQhuG<@;vk@SkxF9nn}G2
zM&$*8z;}q16rsQ2e&QfhPRB;D#8T!BWv-BK`$Z2=r4?k2b%mUBVVhBja$_s0(Hl(-
zq+>b>Q;;4N(omsTlo=s74nQKRjD#@6pyk$6>;;Rsy0BmkMcx0fwz>jMJyEfcu-qc&
z=mRVE#Ys+VSzA&h8gua)vsYAN<&Yq0#U}>$_QRxat_?=AP%LE|F&amFCGYz63VEm+
zU3-+9?%Ja6IAA^%uY;tX>cb}=rkH#0Yk#4~kUs_I9ga8{St7D6<qwsg4U!1}h?Ytv
z-E`zxp+k-F1-i={dE!wtRsdFaO(Q!^MYT8a9UCJh<Yzo3yNSL``h0kgle@Km0F8|U
zWe}yTzHmK;X^7f+jdkB)yXST2Ou+|JmcQjwlf&Otq!HP~G$PGsv=YG}swnYkocL{-
zxWo<47zAy0UJMO<kISv#A$Q{O5kJ^R;L(;Q4Y0AZRpw)TBsYu%u4SC~ErZJMSGeiO
ze*{6nM4}@_%)Ebz)QnVD5NrKWBDH^P#~M{%okQ(U=)BYWVR}hdY=V^N$uMCR*}+Ph
zrZ!QMIp$8F`<Uu4mvv(eV`KyzJcKzc&6}Wo?J+q>!SQ!Ik&I3@JYY$bW)@}`@naij
zcm-_E0%2IenH$H^+>zPe_Qr4@f5b7nHrQf_Ik9kfh60cblO+NhP>NA*8s$qMV<;*i
z;|bKY1s4So7q|s1R#qJ8-^CzTuZ9Eb$#C{|82;_uY4K%*Ifx^)pXbfk?@ND3yjP>C
zaFdb!cEiYCINF(p#DZ;8rDpO*l0UL9)VtkbfLD%z7J^ZD#nUz%5JFm+Q^?=Xn}3k;
zz`go`!}rN^Pm?hoMw2+3g6vK2&M~^F7LqftGq6=rd|d>jczR9TjSrvD^m~&U>Fv~1
zrOh65&zVoTz*|q<638-nG3RI6GAWh?8w`MKjRl1dECp~&wqnKk1ilx}$#h?VCj#q4
zrLN;*qK6=f#N)#5R3?2HP`7doZ{#+YtX2t60hM+TV`(>Tr8y?tjR#VGY_V<x(4)Z2
zLSEK~@Y!6!$dGq6oK^UaB^)G}DU)bo#g~?|Pv44z!i-IRlHA}EFOIKue`bSI{ekGM
z2Q>@oEc8Sc_2u}shI81MN@O7<vEtq%(r-@kY2J&auAz9AK!XPX<NIt|?ntrDvdaQ3
zq;(`5p&0?nuveT&9}q_=GkF6HoZs{X-hV-PFV6eKXm_gDbW;tJNcBmcox!@-SrAS^
z@TGOScc8J|ib@4@eS6tCr)(}PKOn%!7~W{2ZieO@JUN>94<jAgXm$!#SjJVwx#l!Z
znrN_~^&z7aSWMP<OhaWdW${rKmb0-lUE+vF7s20O_h8yWy?q&R9mH`?wF81JSvx}N
zrzZYf1s9vd7&G60{Y>#VU}m1MakoFRH(|aADjz!l8Z=RmI&UZzBPseJR6w91u#x1x
z>j0a1lGFy|&+PDbu?C#^M~wKm@VF3PtZT<NA0NRCWe5aeH!jqsbV2@X<9ii4bRrJf
zc5j6|J}fItyN&p6Ie7&fU@$w&uDg3vFxv8tPhI`fP;LU~52@u*jWYyCMz8oaHbeJ!
zK&Ypj=);((02i!nos7v1FoI&-0SP?6Pi}bmRAA+l`I$iBO=VH3UJ&QW#|_BOZa9*%
zt!%uaX91)IW@-Fj$PT%~??(%mtBhRY0ynOqxHDw#(&E=i@Jgp8F=sB<IK>>2l`tx@
z9p3f<VS2t7-zRWYXGJJg$*GXO_I6)e0GlCOs4-C^DUE0Y^EP5&g(w1<nzY@H8{Ro{
z?)&*IPfA<EOMt*lP2OJ;lCHF&bV4ljd?wF;(0AHsRAdN2du@FFg>aQ_1fC7@j3VtQ
zjk*X1<#db1+W=T;T^(5=gO;M(zj-7%gvb~x$tWfS&=j6IFM*<p$_CvjHe)baVYQts
zOB2SiR3l;nY3GVGl<L{AG!YEB4L`lvS+sS5{#4U6uTR>SNcX`D#0kOxs0m)jdvhcw
z?~CQ*F!cGGMvHAn8<=7fs78)3-qw~rApuX{3WcqQmGAqIf$+ra#?PNXC;(rqX~aq5
zG>t!NraI0XamkV6x+!9==Cy>(ut}nygjcr&a3THnt}lm2$-+qnwj%G(%$~0K%w*l%
zt^4!*47caTEbB9Xb+Lg{sa)f{G(cw;R!fvURsN;XX^x<K6{MaHcgshSB66b=JX`Xy
zuj+|w4{R1>{cxYHw5%xxrITEmr7;OPt~nKf_7Ac^H)5@9<EhPSHjYHJyC(GjqX!`I
z2yn7Zi47V%MhwJ0!{(l-H2<(nIwtcXejVA0@zNQv9A{Pj2_$(#^;+E8)MWr1gT{``
z79yU)kh`_V-jQ>n1V8Qr<lA5fLRI9~Ny$6b4N$|agk^V<@i((bCXy_l5Q>r;uczXh
z1-ywaa~K&>n6iQQyBt;OhwCMJ7HK|nQ)(&8Z37FRe`c}6C7dXm&bu~KJ*=iQA=YNh
zQSy8|j^GpCg76$~#PCA(FqMtulLrbAyxqx^gKt9?R#O(95aLBd(KE=5o#Xp0FH6pd
z+jjDs4~+I@s_wp1R4Whom%bqysM8I>!U<VAqW-oArIc3MR7-$&0-IA4eND<p;+c(}
zuA-TO=TLCXMk$?&Nfy|bEO05s$ZkSB-pWOQx9fB^1~v^}hFNg!!HG1M$S*?nCojLO
z*JEfzfdS$sm62t^GYX7j*PJcQe`aOQUX);biW^UzE)&xp1L20nr6~*FfVLA3DHI(+
z!73O?>HnlaWoIDR@-|c;?k*-erC4IDttkWHXVbRjHb#CCVHRRW>!{V0n~goE`>n{U
zSV=goJYP_@j#fL*Lv+~l`}#sk<+-*ZU!w*0Ri4afPSks&fu~GXD=8cCBHv(&F?z*0
zzE~`qv`fsx)|87(X1NAOf*xl53o2*C$4mJJP~^73K7p0VYi*bey2;A+Mj3d9BDci&
zP9S0=N_x|ZT7S{T3)ExwYcJB{i#?J#SB*~FiyK|g#EDYAy&Xqd@?YT@;DI@0_BX-b
zfy=s%^jmJyuds(De`(TIX(-@BmNvD(%`WiKevm*IypoX_=XejED<+539;Pcappo{A
zxOqwPEu`Hn$W^P!MM+dpE|~enP?L8&<6-(<B|nDLnXS>8c<IFcnb{u_3CoaUCs<!g
z8!qc>KS&Pg`P*G}c0WHqU6<gYvi_Jj0H#*0b<5;Th1tl#%w3i}8ZVb9_Ag4<LHJLJ
zzK$=@(m>hILS%NRItlAvRMED`jAAQV%SiEWn<+Zx_;&`8mpU)Cwd=5h&mzb;!uIB+
z@Td$D?lrmAMDvw$XyyP)sGdKLE7<FXZ5foiuoYLp0<WV1ldz=!G)S;RB;wRsn{f(E
zWk0}jKD>!kKk-gg7gI-BdKe^S`12`y-pI>UTJPQSb8_y5qMl*sOi)5OP>Vh}ysaH~
z%P%WiA(N;T?135FDZgX4eYHO@f`tZh{~TLx(kk9!95vUe0M{v>99&HnRWzQ<*HCC9
zjJTRL=M@h#jncnh1Gsnt*R1!iDai<Nbt%j8=PeahqmJXXNTio`BNirl*Lb4$=oOBj
zesLJm3vLKTHUrX4r??jUnbrc?{43UD?~IL~iewLBz$6jvoZ>#u`9!Sp8qw9S3a08E
zWM$yCa_kdyJNAJ&qg=tXoG9`RkcKzy%vhkVhc{X<VsMe$GA+EqnI9eLpXEq5dQN@u
zhL_;icz+T35%?C~ePL%U)2)swIx~a!RuE$k@$88NKHmOZ>V$|@*#a*99nqf6I4-`?
zMymb9d6Y??S4jW4W6bH%|3NGf@?D-X6^x+z9`S)e9S|HV;AW_8ZM5!CIa>A-Vmnus
z%n0&evaE?O(AMhn-cP<7Aw`C}gOS*lL-X0-4ZP_1O6KwaYfAY4j;I^2xalD21T3bm
zY(}AqBs5zR9dovDt|{5r=a^YYd;HsyQ+{Yk|CIrTJL0%m2AKC3ynn3MlH5y<YLWpx
ztAgzbD6eLbX`80+4;VUPn)2bLYiGMJt7yZr<ke#{icdTq2X`h!7GoDvNX3B}o{Y~D
z!MojZb`1=%biK=J;^KmzFi`%^%JL0-v(M_v$7>*u2|>;h(|jeUEY?=$YxuUmDzSS|
zF<H;ayU6~Fo&d)mGMkah&H@QgdV&pLkL25y?&k7sqCrSI^S19d{j~cXtyiu8=c61r
zj~N2C;#Y)4UFaLa`;vQUa~f!x6Olnc1Esw?X#131bQ|CgJ4?yv@;n1N@sbXnX4+N;
zK$z!ty@bZs2$8XSaRW~Yy>5F<E)8N~^o5j6z|2++b5<Vm5TdmR<@qd}nW6FmE}}%P
z^Nx32^8p7kG@^V3poSmC^?~|baF3^PVl<mX6HIOTXRsXlip}$yd$0I5CYo><kn+<{
z5?#}MCn05Lr5c%)67AjyRQhmFQ-v=Lou%c}0=hD-t6JBmsV%6u$Pmn3d~pz`n_St(
z^PHB^g?Irg(l5LVDC*7t#`5F3YUNc4V8&$~OM%u~b~3+5R{0jkVhSYyGdCR!YFu3_
z!x)p{cDmU((l^n(nF~v~?;D(9V|v{)okT_iNqh$9D@eCMF-ip&in$u{qNExgbtJqI
zQ!|uFrSnglys{GDuwFHFj>qURUdR&WaG0m@8Y?QlSXvTIBb{3da>cMRw@I~RTZDOA
zQ_DW!5{+^H-yS9t8yVn+X4J+Q`{o%2nfXZr@x9L$&takC%tJeoNiz+-^v&<t4@9Nr
z`qVjB$p?`_$D>(D?%PiR4i<YYX03LD*SQ4^(C=G9B}9VF^nRXoEYi*^VNC6_qHGp%
zCIdG$Zf2f@s>av8|1Byh*&Yvo=4@EwZa0nCiGx7&o-_4a4mF?a4DWn6#lAes=P<kE
z(;6Enk=VOqdSRkq+bnn?14a18sY-8RSMI)3$0w_is(>=r#jg)DaEWh=S^7Ih(PhbV
z{%3t(>!*D~vIYA^*lf)}!9fC>X4Jqya!+<uPZR}IZ<JksQ}fpjm`XAl1u<}zK3Y$a
zOpV?8FdEHHP#Sp0=S{&++WTI#6_#8#vZ4TujA@N%8q2iMx@y)1Bi>qY)oezBxY0y(
zNC|6#sVBn9;y^*bOijfPu?Z-~FhKzB0L~uL3)d+|uwXU?Gl|+rG-B*kzZZFL_UQ~p
zW>f&a=Y{0k6!T)re+VoMu$`z6AnqkI7*PF<E!hrH50{VE`nIC%Zc64^J76ZxEaP+r
zFY1fr05c6DdA`GPL_bZxd3(&^JZ<Ki&ZWmhcf6SQ$kBQ5)oV7K_jw?V58}r<FGZF;
zc`{47whD%$z&aUD{tl0_nVnq&kjxyEnJ+&7D3H;SKuTZ^r$k0TA;bgmbc^I2vl6Yj
z7`ca3QYRTCg1bZuDj-ZN1y95-!DK}stl{55G&%;U;0A>SJA)C2Y((=^TI*ptRPUTR
z(~=OHeb}wY=+p$fm1QwZXyPZ48Ve-1rz9&wWsMm@5&JA=B*6p`@0PlVO4Kp;h%Z4v
z@N7P-^XGXXxmR4Fiy=pa=_AvBT>o9REw*rEIXK?F1n{}3db)HUo9%?%hoi}(uBgu|
zE3*=-lF2t|$>?4v|59iWl{W!5NYEjLW(sgt2jsQbZUI)~J+|q)$q1=wQgf({rqN=<
z-s!)z3GY>50WF%Kk8$#f91}Tab_Mfo-&D;kU4j5(8pnRol|W3)?x(?Ei}BVgyT+ca
zuioue{u(zbzoB?0+T@XKDfDZFQ}|Hj$Ai*GB0enm-=y`6^1vGlk~jHi-_vc{K0Tgr
z8GIuP0(+9(0~F1%AI`x6wk2->>sbWX<YWb*6<oAFD@HFV)VNyjC@xt$=61m}0V8HK
zmrDwof1dp7m^x(vBf}_9#wH}jpC_+#p1T9(AsEyUhqZu+gY{iC2;&nh$D&ydi5{R7
zoJLXuy>FLcfQGxnL0dR^{g*Xm-uws$RAh%aSIXEEv863ny%IFFexH5G60|4{SRy!V
z)IDj1r`*q(vu-;+4J|D5F)$=q;FC1m33>Kuo(Y6pB4)R~Bknrl33;7#+8EAq#V6E1
zsOkIYGfO_Kc!RLSlXL55WZGg*qzT?dSQuuAfSX*>OB5gji8L>dDK3{vB8DBb(=X7X
zcpZgoUuvhAWyf=jJ92&n5eE}UkFKD(X{T!MO&;&2DCJ|PX#Q`m7Y1erp;YleumKFw
z+;)U_n#7s;f;&<%B=Eu+0wBlld+;HX5^cLbDn1#g=y!V`R1Afx&z$B$AlKU1Wp`Rl
zJ*Z&N*JFntJM*Dh?%|_*=_w4bo}#pF$Rh}GrddoPv>4KvY3C@CExYqzYA1hY9Jlzl
z3AZXJiKDQp9UehX{8kJ~|7kRb@uRUmlt0I$aD{g+k)FH~4kJd<i5dLDN^Y$mPQBNX
zTUJkDKu0sNaM!gSDli%Kqf=V3Jwq3{ju==w0+SQYlrF;wEL}k)dQm!2EO?NaG`4in
zJm0=#FvJunrTdzQCnb10ru3mzoe1<ayJ*rVEg@khm^zcG99QOD8e_QwlP;{Hyu@WG
zq|hM&zOQq)x{;Xq|Lt>}-JF<LfwpQ7z|Vg|BB~!%K_8{yf)5zcCBip}ZCFA622uM4
z^GcxtGb0;ua@tVU-$=>qk+PXQjv}uur5j%ktgb)KfTwJ|io@+d=#_rEvIqxeG(#gj
zqks0d$nv{lgFYBq$+ylHJMvsKhM|TL>p8=D=>(mqkqZ7ds=h<9EI~jGi@5>AzDxd2
zle_1zg{k@x@pbypHC>|g31Km_Mq*4DLx^DY2Jv4Wf0n`B<<Foj*~?(5WOmv$$#Y1j
zvZXRZz~xSSle^yU-M{#)nyG-L5<RonzRBu;1LqO9tKZDiUk$~Q-yItcKOO+-Fi?xg
zO`ti2&PvZn)*}g$mmIj)P?jzeD7U84L>BWW+Sg}Y)w_QcYc7_VPMXj7z2a_<Wg;O%
zh~;=TPBcWVKhCpN$SWc_2H{1_D2Ud-m}M~EK{If6Cw2!mJyQKe3Y?Y(=2IPTJ_Qa6
zd%gb`V9e#(VC2LMyG2oHvNg12oH{&`#$S~62SOWxYq3`k$F@MF1$!}ax-J6aoM1A5
z_xUyBo#67Itfp?<V~QD6&lSXqt_^@cNxs=g?$*SGU?vJetPhG;x<0Ap_C((1hj%BI
z+j8~J(p)!NscA)TsUIf)g@v|btAxdq7}im`h<CFiQV_cmkH1ce#)yq$p#flH!PlM%
z?o;UFxuk(?VWid?*C#tc)pJVi&~gn1N{&p|PTieY7bD0NhUB%32&D!C1viS}{bJrT
z%k9Hp^1w_RjjXvTcF-RW0i@=(wNujp=yjFL9*Rz@*dnL)`ynIqn$OW?Xlc5SgteXo
zvresYW2SRZ9?t&w;5zs%5M7B;R!>L5_+uRG-+5Y(kfMg%ILhG43CZ3t%N-8DB%dAO
z2gH<43idl9XR}~Yb}Q+dbSg{@VghPk;dxOMr1^2+D#2%uZ)}9o532RbHXMg3TN%cQ
z+q+`Biw~UTx-!4sC6t`t;@sXP=X0^U11!K-Z_-w@O|_Br1Jx`gAf?Z6g-yzV<4zc0
zXB2GOIHw6)5v~)%cFv1Y-8lxbs3lHA{xg3Py-1vH6fO3NJ-|-lHgN12iA?l3xPtgs
zgDqVCcCsBL#b!UTq&WlE1?|#+TU2OJnwYT^GL&f-sM%o#O3nl;-^`&g1-S_^2iqQS
zYp|12OqzC+$gnbC2vmy%4lkf}h(zNe{YH?Ne>Rd>*7j{5pq#V#ur*&R)fG}6Ir$Q<
zqgYvM4%4h_gSeka`*y$FeSX0>eV?kG>IQ))bFPRzCZna3$Kd1JblO`0O`#LnP}p$<
z^-2>TwP5cwryvZqak}TP=k|CzebISj0s^UUTEe3g;Z@}#U9&ec9MWBC{@p+a)jHlt
zAL-S=3WDm2U;XlGe}<-s6_t^JwQl-13|qC_RT*ARjKjuUT-yc0Yl1I(yTPr$2-g3c
zycE-83Ny-=$!+8N)+M#Xb5@E9#NeSqh6v5IoxE&DDEZ$r2dUCYr@<rMp0hNYc+aY{
zMLN&-s}PO{$07E6xhV;eD<sD!%vDqRl2qk}^)iVo>|PbdqTl3x5pO5=8-f`dS$+>z
zP`9OSORL86JwHQ2(UY4X;$Y9hs)%emXhk;H(Ei@Lkt_>lx}g!Zyh#>QFA}^@l}NBf
zQ3Yhn!mY$#`9c~G)Q>nlwIsC7qvHwQh72FF5CneU0XLs?f!>Q&vyS&%=Fz-xh}y8z
zkyERco+PR1Ao<g5h5j$ZpfNh5m1KTQ115LKIpBEX4DmJ`ahl=5(s-0PwCa=d_Kkqa
z0=%l7E<1aX>wnpeO;CT4zl%ZtR~jtVVsx)_holA~24!HuKPdE)-YMyD!U@tT0$efZ
z+VBgW5F?Db2$}rxI-F~*dJ5l?*N&+t@;b7{Zk3gc)ywG5`hm|`7NrM$PI>{E{ZN<G
z9+X-#z@eWBIe?7tOJ@n~Fv<AfH)Ql1GH|`YV&S2*V#$J(2j5$Ql8cju<oLgVWXyr=
zE@?hX3V(g58WvQ&1X7r8fpTNg(|y+P09~`uNe(i3gQjVGCc`vbpYy9h{AEH-=z$?#
z6pE%i+yVbjdtV+`WtsN>u!|cdxuRgBNxryX7>I)CYnskzG(Q_REFcq{L{T9H5f5mi
zubE;)i-aCb9hpW+1ow?&YNWDAxPZ!%8b~6d5Q{A5_r31>d7g6)=NvQN=KV~4&ivIN
zJm)#ja^KhWy}k<z@gp&$#*8&Cx$RJjE|fubH8<Dr;-QKBW>HD}7Y!Aj*H_Xtmsr_+
zeoZ60s3xvV3rFi9YbM#{MR23$Cd<P<K5@izK(bRB5b7|bbw_6`9FU1qvExXBP0?Ih
zrxgzH=g%y?Cj)5lW5pcpM_La7OhOFDL}J<%5^7CzwL<lOq0Yz%E!#AQsqMgnCi1%b
zImWVX^0(rMK(v|6x(2r4)kn)!7ZhSd)k|)F+_AP<!Ae^A0We<Vwr*`K0jYXAT<K5N
znr$s~2e)C<Qh3coiA~F-h!XiW%gVa6kRcXS#}XI4aSTkD)Fos372O*{ury*s@ZCys
zbH+>jN%p>is@;`4K@-}<tm#N8h9bPasqo01MtWtTlV!sMloaB@0PBd79K>Sij%k>f
zpZuPQ!%sTnuPWZ1A4En@2V_GcwYvmg4;EnHD#bTB`cC(An|keYja;UybwDU^2WBM~
z_?>U@;VrKji1Si@U???9c2eA^nI?i0OBohGuQ0h}9OF%ruI^_-yA0D)Ra2p{E99Y`
z@@%ftjZV}FvANYv@^6$iexr0ndY@R3IfND!7O7#3Fg+Q`UD+#IWzXlvY_H+8)A=L(
z(IDhcR9h4XI-g9_5o&hfAKa+8!M^ZlH8-H_!Y=^Z`s51`k!HyAl=yk#gBe=7u(WFZ
zN@in$xh&i`-(|HL?8Y@p57_by(te)Cr<+Cm%V^vZneMG$$b8M@rxs)|WKTeiw5^=9
z#cZQ059^$GI07LKwvVcUuc9-rT#Wj_BdzI9dgR@|2Ug8=Yp<emE;)2ndT}$`+Nui)
z9cQzRh@;Y;_P~C`bMi=RT@sm(Pa<nZ^u2ie8wt>lH-55@`G|?+aG1&r4$H$Z^6Ae!
z+aKzF9u=c(fxt9>V|jdeZ&;#4xQEVy<)dOb;;M0j4JZ?pA5vlDTVfe3nG~lJc3nbX
zq-M9){UrKkntSr8tDqkE7^qZ>v)UiI93QxYLv{3eV7aQD&_*-})r9KDz+JuDnD({W
z>tT+D!BxZVZ~A6_)qByLMm_r6^PNDNzYvy1u2sC>)P@aPyBa>E%&15UJ}<z9NAuY7
z^it(OV?0kppv!~DE<P)XDrW3go9vC?d&d4C*AnE}oe5R$0vLnFRE*#k8=<YX`BM6*
z(m=z;V@Q~S8N8mQm9Moy)?%s;84$Tr-$L&s1;WreZWvH<8!JIpUXF%Pmke`*Oi-O~
z(wuCdxfUY+z-g<p<q&uc2Ar@06srvI{S5pfc$AWG@qoebnYQhGUncS)3JsI<!^y&;
z+so-SyBv-zk<w*^=3}Bq{-?~-Ufvef{yk#U@SZhH8$%S>V>>i9k2KtHHTfBHjk#zn
z#h&GYXXdPdt2w#vbYaRoTB1iMjk8{OTgv%t4w0MKs$-24Mz@I0`G=Zo$Bw9KJid@3
zDU4|k<u5)YY8Mh&H0B1%c2N3pe+5K4`Q<qKtaML41S>8>f#BSIAp+b<5xk%eeO#qX
zbt+XcV<Zcb)SFwbR<knCpjwZ&#;6X_kQ2^v6wfyn<(SNTgK;7T<Eu5_&CyOz#YmZV
z<y(N~dVWe;!_kfK0zniYkS2<Iqza2cz?e@1GSbP7Hj<*U`4x)!;YNW{X^WGuenY3s
zl}KS}>Y*$&f_XVm?b_<YjW48Xtx5f@Q0c4jsK|9kg~=@rVoqSDo}^~(1&2er7%Ec5
zdbli2y%hDbx&$Dw7U_$0dVH=0s?QM7M_A;{>9ey?#<u-q1JTVWV4frZ;TMYe{DaXZ
zU`&c996GVmH1%JMl8}6@c@C9_`LAoYPrMafw$!*sp{2nf$Qf7NO*HDYZ`>YVzVZ0Z
z%JwKe5R#Frz7>R7FUmrZ<N>KB`~RX!f{}Bi7+?|J$8fzDW?}!S91%G9iy|}f0`%%>
z#15R}&9neg=oqj>czQ(1Et{4!`uPXkP5qaII~(En{34~Dk=$q_hn6e6*3Wu^6Df`u
zn3XmMi4wa}Dgp^E5mI%r2E#1Qy{qwDJ7xB9ie59IiE|rehIz$*H0uGt`k$A+l(@PZ
z?B_*717T9xHeX{PHGO_81qM%9lvDFr{v-(mcV6_O%$w`N;(qkW3QwS9(>LdMs>8?t
zLS04{Xy=&iC{G4;o>>6rX!6)TKcEV-xBb}x;~g;PDY};mgHi@#pAv(=r}g$;4`qKm
zEF-{t0OhQx^C+7MLX56jEgc*v6#<r=y~!|Xc-qZ7Gr?{e&<8p-U3vuLz)jugN45W*
z*(25uBz_WAd~o@k=Gd!;RSe=M%vc<ru44#=uOUSWJKKzD@O-vzBMt+SH6`=quzGln
z)+jQZHjYx}Une#ovOWPwkfW;WG3&?1$m%*dKh~5PP8m?cZBO|K!Ibl#k%WFjn*4((
zefHIYNp3|8Fv7!9Av)zuY;G7PkfADf9!{nq9m^g<Vi8bv!4_k(Np9XL0$iZP|H8)G
z?%1OMY48cndhJS(L8{EySOmZvM$7l_v#BVorWx44(0#Z#V@%)DLgPVP3v~h9FiI1)
z>!haAj9~c-YnOIRPY-nuCU`QQs%ua$=o!QCx{V2O$`rbp!^G3q^<vg_g4RuK)fJ}6
zU`wSU!7L(8=4hRujCB2`A=jFBux-OUeavX$HV_(Ts&Xbj62;*Y4b8DNrVd)eZOEVS
zIIsubR=QcV7p~Sa*adaJ?eFND3eS5Qi(|ccH6Hj~sq30Rd0QnBJ*1|Ezq5RLNXP>P
z1=%g}AXXd?#PzdBoVZ_Mk(~hebkW32SM}ldT%t(uwHp8&RHptM^7_A=MYi1`U74XY
zk`Ul=gvY*Y3bWW31gHR#L*Fe+fz<}(0g&Y~F_F~mjTo;Q85aH;4!=gyOO2g5%T=SA
z7n|XUA`yT)y_2zJA2(rpd@p8nD7N?M{_g*1%4W<>m1e~9<QcAo`DEmr#|)HRjQtHm
z<$pDYn5T5NH5@D|!QYjNt)#JJ{v!k#@_`GiBlB}T6MdCo@HxH(m=;<exL9>T+bGW}
zASKHAKr)VmLz!UQ%CWU8ga*>&teQk#d@zG~5`;PAnp!0@F)^H)kxGeyv@IH)=V%Sm
z9vEs^4NAzytTH^;6ZaV@Ze4G(rI}4pkwM0c<SL{2sjB$t>^Psuv-635Nk$RWcYj$M
z8$Tn;4e&R!?2tMhZadUd_{{rFG@6vK2g-Spnkk_Mfbc-QAL3M?=A^00=Gu!sE6Guj
zR7Se~71S*&&?jIYHXX=xjZDvx=@t34myuR`fTog!rkhabtfgpE*!P&bOdZmB7TDmb
z?Fi)(Y)wBfT@TaaV0s&#axqZbl8YycPJ(gj!ZJv&fK_mgfh}j8@H}IQjv%T&HI{5}
z|FV?yquQRwOs{Jw*^^pK5m})+t?@D=J#Z&Df-PmjYw{{k&d1rmsT#N2V;FI0CjlFC
z{QQo&<E#_wi1v)EE0_9<uXKkM?i3>3BGt<8$l3u%V~~aSHffOJLBRALo@eE?f4MzH
z?`%E;2<(e>LrTB6oXE^a`&%DeVh2BZyA%Z1)Ir%d45MZQn@7z1X#fSVKs#?b1=Ce9
zJq!QQZ-n|e3$l_Ri1J4MQW!*)&wvqYdSw3gz?IGUB&RkUeYpv_a|+^`H&k-riI+{M
zkRa#(y^UaSd(o4E5aGI_T%rQ6Z0<o!Fw(?GgzY3~#!n(*4#ey@Cs`oEYd>TIH5C>v
z^C3oc14IzSfF^4(QH(+MWlcOR2)q<hVNoWa#J=;r9~@i)VHZeanQ^C(q_`#*F)@<D
zqN1g;lCze9d9&ypBo>Lu>4SYvByAP>@qoRT`PVuSLtfHxB-f{>-(Si20Jkz30jxZ<
zkCo}mn(nOWF=lyQrgzq~K$%wK|B$T*O3@xM&g)Ua=U>fwzJmj4bD--jJQF?N3?f!2
zA%uB5kM&vF`9lFl9ruTgs4ZZct`Bwu53>Tpg@~-o^<#hbwqy%9$<%vWYl4l*ysvH6
zFk`LNcqZ>i2xHXa?S+$PE-?pdk{Pr!p#mtuuey~VZv>Bhe0oCKZA((j5KoOI|3Im{
zF(@ap2Gis9L2h%ofe!^wF&~$tT+cq)TWZR{>+hZ&be>xQQIwP=@z+S!_qk^|rN<Bb
zJo{s~(GX{oG=5AF0=ebzupIIqdTV&%z(2iKN(2xx(_}0*7*WhC+d>w($LG0E{d9|p
z`42>f_hTvzu%Yv^JVRGvbe$KnYmjFw4R(p@Zu-KeJN&@(NSoea)1qZsrGG2il2{i=
zT%O7fZB!mzM2?kNY2i1j7m-4q+*MF6pn)$KTL28AVU(5(n6mqVx69{va4lacJfK*F
zO7o7;&5Gt){Oa~8l`AUAFbS$YFqbI=xOJ<dwo^@965@Ae?_akyu1Ljbr)0Q50xZOv
zoeXS!kdI$o@4l~wMA{TTUrqC9@bwWR=8@$?GUX+C1D1{^qih;sBaoW}X6hWDM{620
zeW6kSt0O0KA?&h{=|h$RqA5p-tGb~AzdAm#ps}D65M4~W0f8`SH7qI|U{3^r`;mF}
zqnr>o-%RQ~)0Z~gX`(=w9&gh-ZCc1otM_ky%Mwa`PJv}F1=b)2gTh&twVwK;=z^TF
z=Fkwc7_}W2?V^GAtRmq%HRgrKe<H&OG8|{(GS-A6>yLXGiEhS`x0Z~I?OJ}EH_{uU
z$fFU6z#R8bmi9$40kA6P-9Pv5qOKm&Wg0<{s6F7Ur`W+GumxQ>I`hrhe$1qUY&cln
z2zBAGS3%o>-YYYt_z}4rkS>1)GZz7Lz$Kdm2?W(#VI~03#_`BiYX3Pm8*Tlt#6v4d
z>rZ|srmt+e%ccjLe927jvT6A;t=PZ8O-iUvLh|GwF14xO)00J7+8jwF7iexdld|qL
z<O5Y!*~C~Hw)dNinAve7(MhNH6<UxlVhf8ah-ZZYb?MBXJxwGbkv9bhLqr;9B&7E_
zVF>xzA_+<4EC~a=ISDC{bCv|x3Xz1wIZMPS=OiSNvxF=+PD1*cbCwVRFY=&7&XN#s
zI)!j}w3x1f=_+s*-+$t>(BS)$5Ou6+J4650Ok!3^%z<b{=bnc@lI8d5m$Q%mlno;^
zk^zlR|6a@~%vDE!Ts6n;9SVjg6*?U48f}&sNEA<?5X4s7-q#cs+=H>?(2|QVdc+uW
zSHQ<bE!nmE%~$tJoo5YKKJy8MMI~^Ib{%29KIoz?8AqFb!E_x=&x7f`p!Gqe`1`+K
zKRIAu=?tJ3EN9K2)sL(dXNU{p?LJIRCmT)#!igEr%wzZ*)7q0K6$v>(b%2d0TnLoe
z6$?~kKFYjx$felyE2isWdKgSE$^Uv~P<(FIphoy|oj^ee9-*u1$PGm@9Dw4uJM7+k
zbsefP_m#pzBzrEh<?3o(s*caG%6xc^09rBxL!47b-J?zKVNxxd1lcCh`p@X`*$Wuu
zCJc!hN!<+jujsTlrXQHDhgP@yJ9!+)h3I;s*`mVyQzl`fN#6PU5xKJEyy<OWcHJ8$
zv7AX6Xp%ufBI;+-e3}HV8Z|E&WFZ|K-C<XgM8~8_B956!b!L*;nRJCeC!|DnArE=-
zJ!_IinDihf5sXRsW0E^PwXlu3*E0-i>OKlwF>&I{QYcu#Bm*!hA6OiwN$g?LxBQHx
zN1%A7x*$S3O(fwv<|e8%nOy!Zt^!Nay)_JD+5a+;Oig6l-yP|g2Cz|H2*C5Tq72X6
zvRe0mQ~Ov3Ft>&Zc`ej}k|JQy6wt-=D|cYAJC<U&OxNZ2_As!e-X2Rmg>8s|;1n?_
zB_+|1D%Jfg0Ka)Zi)11AnfQLyTZjq13Fnk}7aKvtjB7bYV+{l`w!n+}CJWCd`xD=l
z@7;Y-J7WCwPO>!}v+4kHI)=hhWyJ%J{-f1#DV1gv)cXS+SNa(Rt2cYRT^cwf=mlhs
z%IP9QnwAl1=wI{v&m~G>(eWO+Z&RojLbH(>&)YdTxJ~5I-urV(r;rgEdAglT^bH_s
zM!MgtW)UwTGP|EoP`4ze^Uh4leZHl>rUIf3L_DQ5{|GNuO5uKR(WmuXxq4sMm|2uq
zx}urhgcwW7oAqYs=GspwicwIV^a{Tl)Y)^nwdRsmLc4yr^2;A*yROc07q%_1UK_5;
zY5g<4?X_MNAr`_l<ZcNF>|+sbYlqBw%^49xD=R}HLR{?31mClia~RhY{9spDkRTuq
zyoRe%&WN$L2Vi)IFU7oYAv+JW?~co>Dn`)b`kCh{76_YoIHdGPD_J<C=2Awv6Iaom
zNA(tiiCu6e4#u}Iz)?KhePD-Bc|m!=??|$kXO>~!ukuGkZp%vi_ygrv6c5uc!;P0j
z@(8=bIspkH5x|Fj-brO2C}+l>@Rlx(E!=W37wz3dTKKD*khwPf;$`hCRv3V?I-HpU
zTQ7C2U-8x<LFmE;X8h3UneOQ|+cRnq{s~1M_weyp@o0PY<jB1C$m^l7t8FhVs?Ua3
zPRySjkG|(Ns%OyEzQ~o_b27oV<Wkm5vI9T}D_Ou&%sb|^kNO_J!$NW|$q(EZbBaVe
z7Fv9MoW%~|;+2Wc0^!g+MOE2}b`TqKQ4hVX9G_cGet)S$w<1z@4?g<G6k+l#rt4=G
z0mr)xc{GaURyxl)>j}krT{d(29qfPnqoVae!~TYJIJ44o+fvpI47quep3HyA_cgf0
zs{{U;2e!)>5pl-(B@IYQZ=O)q)Kn4)FCltFKk*jY-rT>iY|T;i$Vg{o`~30OJ1WCw
zyHVg^#7jJ4iHNMYYr$b7#eD0Cm*)BBIG3#Gd!u&Q$^%QEi%H&*zQA*DRG#=;lF$6x
z)0QlE5GpsYI3w~{P@er54n`D$+V(nKW;vCmV~WGW`w3C2|6JEm5G?G%;E{Z1drzT%
zj~>XLRjH;8Iri7h0~btzx`{c_<JN?hJuhtQhG0iC0UAq9^pz@pJO%5PSrkU*l{8+S
zB}9y@tF^Ou{q7fj9%0|+xe5O~tD5FGYZPMogkEOk8{hV_bWQ!F$<g8w_hW{sedt7T
zV-~tV`<X^wPgt0a|B#%R0KbPwN;IyVS@R5+X^GFvsL!^j5;rciEIn7?*6@r^leFk*
z9wo28AUP^Nbo8dJaC7!gv5IlNB?p-&y;THr#?ha4Wfx+Yi|2_>Lfz7mY>$T(;<AWO
zxBD7S74LP>T4uc+kgTL^&qIvq^?Cg+J$Re8;pQ~a>c&m6-S>_<3h#X+f?Xg_$S#xt
zzT)8)7C0dPEeSa;{WyEkprmH)zx2C^;6gK=#dVhwIuHJ^;vrsWoJT+xISqP@Igeka
zCkJVP4sk!!x(gHK<u7W-0&B|bqNU*Z2k~)9*>`cNG~0!@A0<T9h0M`k-LE_Gf7-FY
zGs!DhYh4IY3=@3cM>c3Pdn_~u!z-zF`T4}DORHFB0$vpg1;^HOz#2Kiupqycw4&9?
zqh@!K8rizdL5{ryidjR}HlF;CVe{on$qAbpntcwY+2BDq@>9@gwVbZae_vV_XczTP
z>^LR`e+KI>pY^%SspD2=*hN*)Qgfo8`>03N@9&c<WlR_EpSRgbT^r<RE_7MuAKtHi
z@JJ<p9kXp-`eC2L;gG=sJ~C;=qX8rCl20f(fWA3AD^5+BR@x-?&u~#Gh9){rH)a%B
zhDVb3CXDOmZq5@b(^xLz&5PZ)X5Z~L+#D%o%SQ@=!3<H&K1NmZ!5(s!rCC5|$Bn7+
zK}V4X`sJ!;m;Q7rM+ztpZG>C-JDZCvw3bWo9)j0v$5SS^H<&jm1;WuHTbO<paiFwe
zcC3l>JCtUFg!ha`O)Zs{g24cIM9yFQ)@=Rfg^~FiW*@<tWy#hJsjy*zVj;r>S~-&x
zeb?5NsL12J_+foY@9;`;hJBpIQ)rkzGH!HYuH)4#@9r&I#Tuo4?VUb)_h8K6YoFE}
z<*BMzRS{bE_9+Shr}qsTWKx*B<aXb9+aYc)GGdv@EK4=t#B)elhPt6dIlW7&bHUWF
zVpGy8=G0Co%I?`A0d4QfR+7P&Y~t>8LUqX+trtoCS3H+IRFy>udbBATSbAEpIrogG
zg)G=XjAG^ysq7=`)UjZ-Dtci{EV&<CzP-GLtZdIPe;lk}NIlBEwzlzdu7YUcV+Ko>
z`DaU9E65~YCp~<yPeuaDO9}^Je}UH(!T0>b;!)e=DjrZGoG|%X*j*p22keEWFNmrI
zyXR(0z1VTp)Ke4|2P;6wX%7qINQfp(C`_-T<ZKor{(6TAk$0r@SQzOAQK4%&-wE;R
z&E&;L`-2nQ1q3P(*!xfAhb_`i?$@V><<%gM&wt!aW;7%qf`nEn_Dxj^3(>6i=2)2U
zlMw;CXKCv9tOL3js3GIcxE(jHl1kBw{{oBfTp-m_xTgzpDS;))=gi!eewCFLG10N2
z(GgaMb+pY>sHw-pTdgx!)KM|!q!=B#z^TmX&_b)e>_Q}asP-`zq)zKR`V_t5Ea3Wo
z)y!V5ck@pE-Qxt25}1xpd6wR6x@UTaTw7bB%3avUs`MN!txYY9Zqzj1_H?^rDWI-)
zLnh6**;jnN&KWHfTvz&q-p-U$8(LQsUmKm}v#<!Az?GiIE5vopC$h$Na%83T%B8Gn
z_}E3g(g$hQv*hyhqzcP5vvyEV;c17#aSmmf<e4beJuO4sgs4%q<M~3#e4LP#y#mK0
zTST_Szk3hM>G2<&{BXZna82y7*keN<@tZ6?RoQq}n8_l3tP`!ne@%+kX?79a7Cjbu
zu)GJ#TVID)L~93eQS%*yyd<e<q8rfsW4Zb^`(1j}9>3$Xc^O#+FQxZHSS+)kzz6Z&
z_Bm+o`d9X7$VEiCN6ke6G14o4!j^@Ses*J=;vpr)V+l)|?I{R6C!+b?du%7fP?3FY
z=jol{hv9vwIIEm3lC<B6aq~QSNM{>uwa4Q4sqe`LGu~QO+i@3?q;2kP2sghtak>LM
zG45PxDm-%A@~uPLo{f1W*bf;$)OMjDjSU+qY@1fTs%Q8?1b4cP*lDq}F3udj-j%xo
z#mws^kM^ZwK_ACr;rB%UkD@laY|jqx#xF(I0<_tHp!6NVuDIOYuQ^m$Zu{sfcVY7@
ze*LyC5XSh~d-oAupO4G2BzL?02)KcFVcRd=!A>_iNyY!Tn}gK_?b&zz)_eVHrCT}+
z5&sH!!hN5wVidO_tn)t98qXa#h4_(iZ=L%hx<0IMmh`sIwJv?&DnG~{jF-L@YTeI@
zhG%`TK8V{m#U-h}P<=6UIqOy@9$#oC^sl?|$ai$K{g$7|L>y~s?vP$(nF@O5u{!vi
zaM~D6hGp|7Hs5Y^x$~|?jAAacBXjbJ9Tz*!zZOjb+AP{qHiy@b_xO7IEv!{E;KA}`
zFeYBL^Vra%A2oIBLsn+^>oSXkhXtKxAM8f^Z$-<ZN@=mn^&dOkLGJnVBih*|@h!0o
zmR6JW^=ld*l)xTU*n|)hhrqlCSY*%+br$~lUYk?HW30ZN?{R9T)VNntGE6;z0x)KU
z>#Dr8`6yRgyQkX=4WVX<4G&m#-iqQ51po@*y|*v6k|k?s*?GUvvf$mp4+>c$U0Jnu
z-1SmKXR-I0|AHC9#H(F>{Jhs=Nwiei^OR>qOrbw<Ci#ibUyj#yz6C3ofO8$uZu*Wd
z&vWtIuO{2r#3K){BsLcQh-G(6PoZ)_?ll<MdnBf#_+_ts$WMdN1KG18gtc!E>_<E|
zLRzlYC2es7uz-L@wA2y#c~b<hKEJ#s#CB6GHg4UpS0)u%mU}6XAFt}a`PA4yl~!H$
zGZS~9xz+)p(&~ZNdvv>@%SZ3^6NEuCPI>l8JlsJ2P}IWcO~*!czU|pTC|##|(Qc1p
z(D}tKGxDs3tsR1g{Uh}Kw*<X5xjMwNc6@Nyqg4~Aq>69{dPAwV+UEVP6>Z8-{e$c^
z{Aqm`-&vniR%^9^J$MX?nY8xgosif3FSe5aIst9}4DYOuZ%s=@VDQN9IdA{5q}>U;
zE+;cfFU|o{F{Yo(M&;S(5anHn3WBX=C)wtp94PlkSE~!>Buf3|#4+~X!`=QC*t$4>
zz&!X6eVDr2uIjB5pR87@>HR9NxiX#{hCOPYA&{m%yZ6Ip82<@zHWZKMky>-OyymEt
zpek*L{cIAYl?N{EWUh*T`5!5^F;okGkuVTdZle3xQNpF=qQ7saq?7a9roOd*6`Dk<
zs?gci5X$1!73-LyB<uNHe}XZ>dq3Kq9$B<%0?OjCz5wM6-XzL5t~eZopbK<6_v=qD
z&J3gOJ!N+aYD5Axn*4*&f!<mF)@c?a&{Q^aQ66vwY$+U&T3THDjGdY5d5hg^Jz402
z;A=Ud;IhrAPy#1VAE9BbPmd2=YA4WbfHR`9<lAV4n*I?r8f%^!d^MZLxSN@AX6Q6U
zZ-8=-B_$>59BRx&Jg~KEkHG0pmB%aY)28(NgHMsY^xB$2Z$ZdqmmepzOx*Vnp5%PG
z(owLUP&moWI|b0rdydiWv?vyQ#z2qsFT+ml+j77Xx2$W-8A2l%9&++Q2$nbd5j)ig
zNFvW?q5rNyvrc{B9y4KDZ^TaY463K*YeLn`a4$T>s#~$Ba~e0?NWar4B8%=woj^pL
z=s4Y41Y_rtBf)tOur&qO#Cs&E7^27$iTiT04KsF(d|`I&GPZ3*Ej;m26qZ_Gb=7a6
zGLb(ky_1ovOYzU2^u9JME9Ye4miGXth~;;JS%lYCioaeTbb5{->db&s?Q<#$&YV58
z@#|}A8*FSIZm|-o_u@hB<I1fjGuBKZWB^VKlyqOsdY0pn-KIJoi%lv5jF{m-bp}kT
zXPgUWW|pw5yz&ChQ+9gDPT!2Jp}7((MQhi2+mkIsi_5F770ymRiTUUb6JiD|9~p3-
zdv11$$IFsVV26_Lmw;I+FHj&=X^HK@B_(rQ5gI7K3hYsh-8+9Q33BWq&{2gt>m6RH
z%QtWJ;H{TPeUcNlSn=8@UU(W<<X!ppIrqgSv#_F%`1-ZaD;8SBIL|LvwG(`;Xb}jY
zq{02!rM2Zw-+p{D+sjoD4xpzD+c-Z6zr>z#6di=BvCaaWyp0sAMNfTXz)!ByV=uaR
z%fVWu39Af#U%rqgWPcHIGn49#leL{Y60lC-#odl7`@(!5bnh^Hm=l~{vuka`<?KYB
zZ6esx6`;cC^$xu}1ODtbD)i__E?3bp1q6KTjpjab-n|!r1kAH!-^$l|cwWBQs3u^D
z|JBw#&3Scfir4<7_$y(!IbG=(1?-9R4ykf8+t54pp9xz%ioX41{;OsaU0u&RB7CLy
zcf+V=$A1$zj<yGTF6)X3uc%}LGkp6t;2u40z(eWXs+^gguyuHTku{>uGjoE<r+6&+
zL7?|*Y*p3fvt|n<mk{b2nTKi&RWG9vXd<j*c*?2R;}y8O@19}+=CYDzARs+{IG^Y-
z?1#f$_XvXW!>-b^ACb0gowD=csGnfAF4XNQ%wi7#Ef5w0{NFAt>=pD!KYKZIor)(`
zh_JnwAhqgO7#zThC*W#SFfF3hk>-N<niD$DxRjNXxbXIQz~mx=c`dQAb_z_Ps4Dfq
zlLa&s^Mh^O_`WmVO;ZbM_T5blwLel2!#<pU7jffFw1~_>wPwi%0f(ja4~cJ-h7;|c
z<o#7b6oZ6WS9;$rZ<HX^7p>^0gHOV1mVk3*NA^se#&Cr78#I1VWl%H?E|vJhBz4n^
zMVXH5gjq41vBU@xS$gh{*Q1cpQM29Zv4FAFx1qVjY5OvK(3d$oa?8>)Uk=M1FMXD}
z<@x0{f>8&o611_r4bm;ifyXm&3$A&E<c*K+AK7}@Wa~=>G28epb1F)*IDmuRq(buI
z!lJitMIH9JMsm%^>zh2?qvi_P>;fJ#0{H?a&GozPQ6nO+2qau-9y$^Ls`Gj)ml4Tx
z_)G=O5bApd3$NGi_PC)xD|F1uYeUQOMZAFSYw@EpLVb*5$BMD#dBHV>w?02oj)4ZX
zWoOFOt<RjW5C8&<#|khW{$c=kLq~p<fTBEMEj$OcDl(4tw0_nzW|C$;68N2Oal|0n
zuKLpk+IxBBl96bl$w!2Pkw9dTT_m+o93B8_fbMPDezOI5GB6Y;m~kE6>yWpW;q~*i
z0`MD897%borf~o&=uXpeX@5B9F(mlxDh?StmuCqaCcZitU<xk_fGHdNjCidhewMQ%
zPW$tKp>6M^_3sWW9jO!5s&UCRcVHUC2VlLrB(1o$kLpb05M1*pxi+}Y!6_<@s>I7c
z`{D5_+ColsBnu(}K>%QTI9~Vwoh5HNrC*K2M+w5aY&iZh>(uxu5(+;qg`qI!y=E@X
z5f5@MjGWuNW@6FF^@$ybtt?kP$0bULq4$QacT^K&9|8{4`(%3W2eFHf6AG^3hq^=t
za<}HQ&dyQ>>`|o1KaO}wbI~U9Mva{(>((_71N(O5Vux=An7?mcWG$UD9z80gA7%Q8
z%NqQq1qP>9Do||v3w>$dWy^Yh8`h11FKG%7Dk6|+H7;V4ui^ng+Oz8>pCafXBW##U
zV`XOCTq_a5q&+YGCov?$Vf2Zk35P~glR{&fG_@txtgswh6dw#oFz^tIa&4=XCbbIJ
zk~wR$u`Wkan>{ph+tQ3q5=_EFj(v_S!R;DW?V9nZku45r{TXxwjE?6f%is<shkUVS
z8+215HdEGx%eX(llja{$^<aPi1PE{vRj7@M5Dc<(kjxr&0cKEr&GZ0CHX^`;fm$?7
z9gy20sIxU&4y?hQzI_g}FDm@?;M4%cYL3>;u9b$UZ2pSU|LIP~TnqdZpGwOQAJW`g
z8+x_X9njOz9*_#EX`VMN0;CdqpsplGn7oRQ(P`^B!0KJwYttX@qRcWja?DOIK%GSc
zJesRaSb0O9nB<mkYISHROu^>LhV)fQXT=({JZz$xmz=1nPJHB4pL;W%FHJR`JJm9H
zsOu=we2hJZ4C<{8Sxo~A3Xg8Ru4;Ge5i6Xcu7};-(0o{-O$OjJfnWF3Q1=#pOB4M<
z?jY3I`#Xh&&$0KOi#gL4B<)<0!3uHX$g2eRr>U2smq#1SP}{)os7UFXcO<}?fUxTw
zJ6FVPZP@`7kS46-;@(8t$Z8AT)3I`>Ozex3okk^Y_3%D34&8EE;u_xSNd=qTgJ-}f
zXq(`TM^t=J7y^QqjDR*g6+rB>8PZt;Jb$e<y#@?^Y*gH!i3A$Gn#9O?f*_{hgqAL3
zWi)%_2=XSJ5HPYlS!K{Ca2aaC=mpmK12!O64wNT%z^eFLj%s418^M{6`$G|h%S54o
z5sc4L_fetC|7R^w+_@f|!tU(D%7=F|ZfkZ<qT|iy1=J-|PV<dbuGk~m#iYz$n(r#6
z4SKc|6ry*1-qHNmIJCSNRc2u2Jt|KEP|uzV={!piY-c5I{@V4JO-$^cm%fy^n&!4w
z2JCXpsxm{Dur;e}o0YI>+ktfhJElh=6fxrwT~ou6!((n%B|2?yx|7aOLexbM;xdpX
zLlN-higM+_TY&hfzEx%?cI#AgD~VFzd7J3HAQL;&#vk4b^-A;@42;s}M8et_maDL$
z*|M{hL}?gzlQx-sL>;L}EZrk61}m24x%#v=QN8YHCn5-=SDLRim!4{D!+`FpLyk0+
zrSz_CCM?t^>CnN@n@$W1mG(XCzP_cemtO3Cg8Or=T$0n#0D|{aS56-Ye1gO1-aB|5
zxhPgzjEak5P#cD*_6)I}+5;37YF07zTCibq;N~}1w?T^@p9mRq=8H@!QV6+-?mP97
zdyR@3ov25jd%hEh1}bOA^d&DQ9u6IB@P~revps%@y?lDI=Rzx&Yr?j$?+5Lw-Egr3
z2w3Ps=giDQ&-TF%sU?pIUWFhob0L1-{CC=)uIy!L{c3?NX0<6F;rW{XOpo4y&X|E6
zoPg)=tFZx#-Y4wwTCW5=pVqNY{)al(t>8LEVzaR;Pv^qc@>nc}kXjnV{dwtkps-%N
zcIG)6C+?`+nV_8ZGXYv)8OS+f8>Ij8`U`>gv|AA>K$Qbhx9M#X80f?6iIhXlb6f=V
zLJ*|1V4=sI3cZuKI(Uo-xEeFxekv+_G0Q9#Z?GW5(?dsIz$sHEBfWH(>v^=Yf3=b)
z|E-BVV@~vWw4Kie#Ca=QX=^gVasl=;LruCjAvaGR!19gzK}|S;kW+3P>ITXSALPg2
zhNUuU0Nvg1CNFb%ybeZ?DF89zQX>>N;3NZS^k4nPSc5o|dZARZ{qrY!ol}R(G=hX}
zPjikJ^^hKV(gsxdbr5XvSWa>)S}?}1-_!yMknMX4`0HPH9qUBTExik9-0`ethikD5
z)!7|YQ;G4H<1=Ct<^b)+4Bkw@P#IQ5%q@1zj;tB5tM?&bvRS2`Xm&-G*;mIS?Wb<^
zJJlWy&la?EO=UnlFs&>;zHVS<N&tX2U9b5uDaWRVqF7|doAJ`>u5A7_XLHn*56w3f
zgxy_zBb(NBU{sqn23E~<Yfm+R-4YKrh9FEOHC^#s%q&BMhgOFhCzhkHV93a+zxO0y
z#P(PD4sH=Si?eS;*I<ptDi&INh5&ZhUwf4ku-u3m7W=+O=-V_PFjE-@X#%WsJ<-dC
zuEh8X+eUWc<|Q|Xv?tLPT0Aho)i&RzxI7l)TU(SX_4^>>P+^ERMu`nTYPm~}B)3>H
ziWyeBxbl>HfMY}euj;QpvFv67JG~V-zbOc#c*cojCXZ8q_Xs;Gt3r_)*rRvsc$#1j
z80%I(sMim{yql*(j~N|>orIO>#*DzJ@v8BBr*r}!>_jjZ)aP=i5&XdD27o~d3KvQ1
z2je^#1yfobdY_-RvQ9onyW8pLrArGhM%F$!ejwUSM0(UY-uIlVccGc52GJ{YfeeXc
zg!wkvGPJCVQF!B(^1RHND>4<a8N8$<Mror4@K^g7%|dlu2d4Pq3h%x(JhDrVXsPPY
z2m6e-Mg*{}a6i}UqV<1?4IOmI{HHp;RS&E=nvrk#>gcOX-|`yDP!zv8M2MRcNmxgG
zD7=b6m8HV3JOoYVzT;Iu@6U-%{~0nRmhlCIFLPp@gm`Rf5LrCnDtUrR$KZ4=Fr#5v
zKprO5B4~hbM58z@f}N`P>Avt2U6m*LC7BwjzW4Jiy2F(ZQtN_<YD3^{vqG3s8?KV}
zX0*ZT+vm-&56llOL(j)p1d3jo|093Ykf^kdpi5K4=I#S3qUMmOpCUPsn+dWBW}u+A
zpzKu5Ro~NVi}6EHmfAL+UOlybMhuNGoFSa@^(cI*7o)C>W}GPW-++_<y<Ib3+0vZf
zrYS~cRZ{lY4l$>moiThhJ&A38Q0kAYk?F0?3{VLCu3W)d9-8xG9io;f*IjCGx}i+w
zbW9qvs9x5hrU!S>{6XAWtIUT)z@!0Fi57<|`Q5e*Aq|}e8<1`*?00=Fg{znuZ-vpm
zgBDq{_V6CX`&*-h)I+~!n@i1tL*rugATjU_5YwYj#x$nAQukD!Z{c0L$c*!T)*{tI
zj9(GcT2Mss1ege()?!|bQ8Rc&)->jmK(^fSDVaIjc6Tz?n-T*W^Z|~1NOYjb&}@wH
zgs@8|sine}(ZeQcj)M1tlXZX!6StdoOu5x&WVcZ8(~c7?toR!^XSCz6?pY!&$>bh@
zaH4WR<hE%DO8Sj*hPeTufp#xG?q-cT0vou1*OX|pQeFPoZeAwe(5QGlP0AU44xGCh
z_2C5nmSzm5+p?9~UI10b*9OQ_QWmenVF%DkM6Cny=Q7L<bBV+&%qA*$aPhXW)o0?x
zVvzhdgdZ>)V{W*`$A&#)bmKSJH}c#zn+um#{rg&eBWMB#V6*1NWop1RYDJ<UT*3Ij
z$;VonRPuYzrt<0cG2ccpaVt|Zr~Go&gpu8|wu$kBx;-;fTwMHiY_3lt$LTN|>+Qby
z!RG)xi=y*3q~3`j(nHv5HbQ@%K&Z=O0o*SD7?C-!<I~LwJ~KipBJ`)E@m2ZVcFG-V
zk%)HEtEbTusF~Jzc`K3KlW1-u;uC!r*Jt~A-f5KBjwNS&S{ZTG*<3SNOgcW#T_B{7
zAnnt=A4)9M#Er_a&VsN3xB}rGATQ7W5^9>gJ*~JBT%S$Fsk#LApZ0xgxC3a4Petx-
zb}{@tja*lH(c3~i1l?!be9iPvu~-HQr!2~0Op$O$kQkamktz*7ZRm-Fq!i`Z;M@c=
z0gdoG?lv@(ksG#Go(kO1N0;;uBUXTg5Eb*f=qY{A%!uHP$?+P_G$)?OT7nNLJB)Zf
z+disVTHxtwuG%@yKioZe=sZi5+#7<4=i=oD@Tu_l!m%{=-v&Yf>nKF1Zsy`zqJKk?
z)%GxP-c%TF*fZkMm|e9C%3{F~1L{Wurg`t2&9iywAE9n`9R<wG89QNMCTJWTdZ89S
z_%cZ{tbwEmy($*2-D=TK@R|x`iSlGn=a~iVID_LnYf{(Ix$cGN0u3Njg00piN>xuD
zrUMEA&RtR*KHCj%IW9nb)AxsO5uKvT#aHaI(RwRx?6<wf8(nRpk$vFPqA<GfjhP5I
z*F|(hTH6060Udl1d2CpA%X9aF_t&e5qs~}3%`O~3X1t>2hGF3LsU(h#vNN_!NhY|m
zxd$Ms7zxg=vjR#fk+`uG3c1!I1|U@5Ct{YgoyIv?!~|RDA}TTHhrr{Tvw3TDy60UQ
z0eXXI$RQM(h=z`i9rx&dc|IE%wfR%$|9*1h21u>BF!^o3vcvQ9+v`F_+N(R)k3D5B
zEWH%ynusIYC_kqh0555@p;;VT<9ZbzwG>)?h?Ui-_j5<P)uJ4%z(M-2hylc_C@A!S
z$dIM$>BaD}%gQmJ5SmiyA6MB)4|`&8Fw6WqKVW5ZTnb6R>b<R}UUM+Rdz9>>7T-U8
zhzMYv9&YvPVnUS<dc@57nV`SYbGU@Z-*bt=kYiu4h_DG4U-7l6taP%%6c2R4UHf0o
zvjzHE)FM>BL+BWTaDwd(M;h+sgDF4zt)Tc67TF00h;AriCY*S>t}TS5P2AagMPdlG
z`D|BPqFT~8$g8Vic*#rDgI;;X8KS(U^%meIi4>&jH;lkK!i*@lq?2DJ93l>QJ!cFP
zm);Ql$8~ji@2gow9^zD?Yzjl2A%X=f<=+M{8T(L$6_>T3gr$M?yW*Je)1fri(2}WW
z2{$lm>+)gRu?!%|0gEiVWpA?=CaPXM)|3cX*80_eJj8*3IudKsD3MpXB%SOjQb90;
zcN*oeP^3&U$|*+l&{c{wpYLlFPXA~sV2o?hD3~=&XM?9sBJ-_38=~euhXF~AZz;IV
z4GiLHJ^9J%jozC8CI1YyXUxsl4?axi^nW6{^iA@H#xB0|To+NnNRX1vLn296he+_$
zsG;)t-uE+meB2$eecHfW;2e@JxUu(3i~7kU!QkDAk#`e`5Kujt^iSI*XzX;kdh{Rb
zk%I^ETZD#wszZZ{c*!XAhpP9@{j{kLav>7PF2Z8B<L0qy&2~$EMgph_kaj}mkT0Kt
zQCJP#C1(diZmlJ?09l$I-fhOfMCj}uMHF9y+L(V9=4N&FAan!WGJ4`qfmw<&+o(U_
zfuxC<4*b>DvjHL<j&C(m@Hm%dMGQiT!c?8Q<en~CWTEflLucoFV0D3GU^xk9THG7L
z7PNwJz!W+#V-fLG7@Lh#k{IEHBRJGnfM$8On1stL{@n3G`w0bwd9QQ_F*UUmt(ACg
zz9$!Zx^x><&Q8k{PpECTK3W{3uunmQp8U2RuEwNy=Q!Ar>Vf*gcl1g;2Qjlq39Aj*
z5smt1K2O7G0>Xzocj@g@`$SR<W9I1th=R<)0qlm#laXnF=#aaJ1plqLwPf0$89D4+
zXfUaLr8zB&G}&Ftw`6Mppcpm02ZjUDo$!<pS%`Qs_$j5PvEPGt9aW{^Sf$<E!aA67
zH{;9E-3jy#)5T6blyn?%@?d_p{S6R<Tyi{FqbG(L892-n{gOmCLQh05_Uj#FY<C6_
z{sS^QN{a?Wh@)}=23|Ix8qpACzsGmB+6ELY&g4*V{Yk=^Dt*qvYN7DT5v>R5jB{=R
zI=kx03=L))%Ty0e@u#OzBMx2v1kfj!{&NNtx5W_M0En{`XF9->Tm!G35-x!iI3rKA
zv1qd3h$R*L1)qs~@$5QvR|7w8b&&Vy)-}<X#*#^Z)R&Ze3*bP*g~TU_OF)a6{4j#6
z%zr3+)}pZDFD<=AbwBVIOQq<i5rL!*6_+#dQBiNuzt2r+#AP5fsllJAD{0?e#!v>D
zQ+f4awkR3zJ%<n6%O$HiKaOdU`xb`fIh%6{sE(mSWyar-Vg@z-mb0r#w@0wDau85R
z2vkSar~VyEb9&2sEjb4-UBkiS&MxXs9aU;)lD&9C1xnYeFrN50)Iyevj6%X(J^=A9
zJ(HLn9DZl;^}&puNJyLKmowAr+fTT#yV5`K-nix+qBTf9Mn-?^eD7G&g)8PF$RDC`
z6VxSpMlA1Ef8%IZ1_G$hBM(~~Np{v%Bfa$5y-;MUIb8cRteYK;7KldHG#y2=S@q=b
z122nQ`5{fA0ccoeEv_9@b>ux4d2EOm@vC8i+9~hg7JPHjnx@dckl+Bfyiu;wO{>g^
z#Z`RwY+m}|@+&FqL!!J~x@E7)JoxY#Xlani6V<Wvo5L+6(4sX+XwAT6C-^~MaER!u
zr9}tI!V2^1aL!*Jv8jBJqy#Udzp<BCHkd%>Kj7u03Vy41X5I+9JB=+o_d2jDF5o<X
z8_pAyOHqg-_?y8e8oaWm<y-sO+G;)L72=u;ZHCSjI7w2C=;p@WU$2Ja2tZf8$DO@l
zqq?U{50E&nP+MCE_@h`!WcnHPQQDGdgb-3e1aRWy`@TxtWnvO9DpdcA_9e!f4`&p0
z8k4n9_A%RySef^Vxc+m6u=F|&#u$hoSgyX>NF-}UQBN1^a*>Ug3>_zcVhF|A6>t0N
zF&A2=ldQMRQN*j2H8;1LMRf+Vtnf+Fdo%bGKGeEYVaqqi%EhOf8yF(2Bd;&U3$&eh
zH1kSYpoY}iJTA;W=z$Mt7qsYN7ibRn?UnWh_D}zkbylL+(!KRug(o`76hgaSs`$%&
zm8<q6J>+_KIxGoem{W>Gt)w?P1h0!CPwD4$yJ{oT3$#5~g}G+&j2MZD9aX_?>AbC1
zwHDLlTQH=dVM2?U{*x%EJ8M?%K!1Kb05g_+t)j6*-4Ej5D{M6K{?wsZ)S0coC=qri
zn!B`amzF&7M-_C}9JD%I93i9*)tuD#CExSUXYZ~rmP=oe)J*JZ-%PgXvtulSr4&4$
zs7eL+!HLgWze5*5f47KH*cjLrup7~wnU~bjz>e9oeqXEwb+(lZ3tq?3h^gQ+0PD0~
zt2=An;y`~?Y9ttF9wk~rP@OIvG<B%vH@}zOcby-WK<LjI(^#dFzZNS0B)y>#Bjr~)
z-HLxTU!@x+kfjwr>c7vL-=_D9=<-SQJ}2*}0V|MdVd*)ngP(@>=2uUQVeAjpAtbA8
zWSbxN9|E(Qh#Z2l6Wl16mzDw(Lh)VCXIwzqKVjoTVrSA*`(~2$6_bWlP#eaMR%s_~
zr7_8K9=jr_p8TMob`f$fpW+lcMX26sINUmw@w36|;`^;dwYsN;9oXyyy0$|6Ty$?t
zR6k7g(_?jZ=Ghn{9kL)1ypTHpedsyRxpNY!QYrP({Y_;@9J6rTp@n6eb_8QYyK{F+
z0+}FrB~I(@y*>&a32YUcjy=$g)S?O-b~toSIMiI7jqD{XP}6bpXZPHO8&5;%ci{0e
zouYCIoQMWF(rBKo6079ZT5Y@Fg6Dc0V#d>o+~R^gc=y_cMOn|knk%SY&@LAeF0}g0
z(B5}jyW-5Bm9NI^|GvH?=jK@WX7IhU$^TWIANZaTniaJdQxZLI-{~nFo~M24VTEcN
z?awNNE1kLoYHaLFG~FJrd;T!b(D?zu(P|I7qN54pHY(v1r*q{{<fUqFyWWmCZClN0
zPtZ9_=wNkE8<A!@n|TKGND*#!X40pr)Lk^|lDyb?b=7>GCeba0id$(Rru(35r&*xo
zqPMk=R^f0`T;;0Y&?%$%DOt;oPZ=0jq0dDv$UV85hsJ8wv?fgdS?>0i&=E;hOr5i4
zDXR__+gf%?Pr5__Jk)-qu*t#w?A4@fCXZ8CEdXBN=_WKRyDKd(>U-0+gpm|nmHrQD
z9r5ZT|49V{n{?|6%{ruN1w<o0%Nyl~S5s<emZm2@B>K(|#iE9A6l|vf{)QGG^^T`l
zr!*!1FIcAvoD6-wX7PKfgZ|u#syQgVwSO^SASBf>v^*%@(W!ds)F0_pF_I*K6*kO)
z=zo8J$_!gWuZoYBx}*uFCIs2WTyV5A@VjEu?m%rsi-)1tLv66>tBa6P3;)w6H7^Qv
z{Glja<ziR!1U4%m6Z>_aRTZ^YZ4a61W8lM|`0+P*$m%D4qp%z9Hd48(Uwz^|I{qv%
zzo=XGKP0u#5oywnt6nG{NU_$?OL!0)1OVk}kntEO{(ngYpw*#^F9G~T<!-l^rYWr~
z(cQgyp@n+LH}iuX!HaXjky?}||5stg1^K_Z#j1B#dc&edKIy@oFHo`NdsRNnV-G%)
z9sKAMAN({OJon6#9lR$y_<$!pxB_4t4t_~Gc!Mt^>@(dC%Af#+rj}@0hDjyw=W_?h
zgeayTq)vy_hO{>g)ZB(OnqsSInby9>U-NZ6V5n-KgBfCAy-;Nsf}WI9r0pA~C)_)U
zx)!NHB67=|;Bl|ozbU9%)5PLJYu}a|{#MfQat^YlJ5ulL`fBb?rQabD=AqU}xlshY
z__U|blyEcAnTbXfns#ehj7Cr=EqR8&g26(9cDg;E!uZzEs`l&?@BNALLr|@~KIX&e
zkvpp$c~};h<GGZmuB}p8XrSUKa58Wn4ZafGqB)<4kz!{=lzOi$Pts`#T8*1r<di&l
z<JQN(XH#`N?SkRPN&V`R7AtNC0K&5d!JY;mFu)lqXmw9sQweV;Z;V2@LT~LOH)xu*
zzO_g$nantq<&im@P7VB~@+pcUwuGa%s8ds@8l&oRKVNFZ=t8h}Pu+oSnF?@pXJ`Ep
z#>XNshJQ!;1$IF@GT2?)+gs}&J|z&NP(4yENU;zwkfki`eL8aMRoTau|Cs8pzq5b&
z4DwvD=9irer@X`tmnOF*^1oc>|MFi3K4=!LR!#mt$^C|W3KYPJHASm&p)X4RTv$vn
zVO^3Iq#?bR`d{+kQ1%JFt2Cvy2r(Eqn`koGE>vS9A*2=K2&t)-uV!loyJ#8tQr8=x
zh$25isb!;eQ0>N0(3se@M>c;#t}W8lYf;d>c&WSWzpD9%V0M%4V^8IV(BjMxC$o&5
zzq(4Y%$06=mKFbp5A{Cgh>DhUb&~$w`<nfOzy8gej_D0fT+>p@_m2NVKmCi<g*|Z2
zTDX*AEngh<Z^9h*?O<$mmpPRIhPjW~rqhKF^w0epc8agb@37C`$k-MxUGl^E2X=Mw
z1&44<iTDc|Y=Ai&ae6zZ{orV`Au?=<xT~L7_OkncZ=BIpk}!%6YM}gZxjrWh7O&_#
zRl<vBva9E-HS752Pkg`(oi|_ZVIxxNW6QTRGT=-Ww>SFl6XKPEA7ypYH>zo%-0+$8
zPRY$ye7ai^&JA4Xt|W~l-(CztHFRT{ABD@!ya5dha1Gi5iW?nhCpr{mLh>2QAJw_4
zNEQn8Cv3%-N|^g2G8@89>qLLVnBWUgN6TiM%&_eXGeK1H9dB#lXzU{gpiTr$o$G4W
z=zA}=^=gC<JSa>}o#6OHj8}3i2kA6%<5n2o8I%@q8ho4Mi`U;RkgmUih_KIcbG;Qg
z@P3D(2Tb!%+U6{;;RepZ-7$S(n%e;5CV2hf<TYUi<Ew*CX(4nGb#=DA+rtk`obbbI
z<8j(t;(!})V$WSe#kN7;K4Tt*Tq$@<#{!UztBoE>&jB#v=(dk?tVnwG^ghUi`Ev!j
z#auq&PdFl7Ts~FASm8V^t{kbxD1lAw7#L01BIkiqt@R)LXM&dl5m~pK-1aQ-tCcj8
z5k&H7N&u{c!-s4+`|-(Vmzx=u^Y+*K>*~D*1;L!RmF*WfFW@-=Nd=aIa-iWuf-Od#
za4<@55Br!g<zLU7T;cFVcQ9pPOXnFqwjY@+d9iZGKbA@B;VDo0p@)qMudHzv!s}R&
zp1_GZ7xoCh?VI<QCyZgdT`XL`BxH;j<tGWZr9zMR_sm;s=WqF+;F7OVX5a;6F(L{p
zBMx`OSTx}7$7SavOcp9Tae|FA(icu<sL78Tvp?p~>^0SxP+Mth)KKs_$=@il=E0WB
z?q8o(XvP8UjGhj}q`%L*Ma9fIv(5Vnllg5ekdJxCbQgc~>UT8zB;a#~OlO#rn(^aX
zO6Gh!poJnamOIc|sPCAVtC3Db$fUNinX-R1IGQlxo4S!@YR=zWD{1g18#!DzLws$6
zR)TG;6X!}MYE48z(e*PWKpAUoN$OCfk9<s<G2RsJxcDFXXW+;j$$G&$;Q!I+l8-+z
zaU`UZk4-^GnD|@%r*^6g`{7Ge+k=)ChxeQQRUh(WhkfI`+cD#_;TJREtJ$MqiXQvt
zI*f+fOID8mL}p9piXLUkmzf<BY`5IV<E5?lBhiBOj?4@+$v!gGLt=3oG?FA0%k0Rz
z(~!*quL030K~Ta|SMQK9!N2pB53O+BS{gGMvNHthH@&eEMhIc#k4s)4H44T56q~^e
z(*RYQs-G33*LJ+|ZMk}}8$5}8U=J-B1KwCxvq203qL6`#)o{?Kw3&!BRQIgE4E)Zo
z6~R-GrWm#f<UUS1<Y+Q_Ys)c*2|!YIaNPVd<@#3g*rhaurg60}MRGf<THRckEOuMI
zB^^VfnHOd2C&s?N*y+}VGaThh5&xigm{3koAjYqk(vXFpKxPCwL|n?h(8OO<M}R&o
z#nFJl3SR~zs(h$I^z&t)!q9**2bl5C001r8M--+0Eb&j|<g&a3RexEHL|q<{943Pq
zp<yJSaV}wOX-=LXKf~nqoZcjR1BfJCfuj+kh7xyQBJRfNSsKEq_TUz{GBOwI6Po{)
zP$3zHW9XEDcn`1vv~t-j$%l#iWp+W&!~E_X?MO;5j>Z_I$AK{AAdBiGb8Tg0;~2Qj
z3~5rYF_g{rA)CKQ%z2XbXB>rP*(5E+y;y&7yL!3BmW=Z1zG3+rEK!Z}BI@=;Z-(ZV
z#dttQ%fi;kB`%(mKfYlwm>fL-jK!ZEiTmq2&?!4Y%P)l#$SFO#5`Xb~t2?lOoW0CX
zl!8Y{7YVvk@+yr+zBElz&r{d9xwes~9#oga7z?WKwZ7*PnV-n@RIrntNtV@w9X-al
zZvWofT8VVQ`)YRaI5RO%1ZJgaTyL$3(CEH7+fOvv<j<#9Pa{V$u8Bvi*Va>7p?OIv
zDX}ZH9KQ9<xlT9JTAy87Cxz`*D*k3xa9v6xVAzKz4=5AI5EPHc$UC1RG>=(?Nw5u<
z(<ldN#CjNHsBcf7&pi#<V@fm%VF<k9wbD9vN6T?YaQ92dl^;2}Rn|hlciJ!zWwMZM
zM8vLn^LM6q66Vb(vuNcW!VxH2FKE$3CcrXc*e2X*o61Mv!35X<n3spcq~o$~#zX}3
z?qWeYqz2l2=?VSy1o$S3B7d4`!JK+xumb|+pblet5bfX$5hho6)rpJ9(0NfIVfN*T
zYIkH)#9N;80^CNKAsVIwaTsrTO18E19wmpaN|%xn3*l4WaGx$3BUKqtL05-dOJC|z
zF9vNO3*-GaqnRzYp4S=ON+xW>GEFHZ2bXt)Z!S@k+QbNY^^uY<3@MM_sGNBWMrA=^
zS2WZz^0YkxsX6o2($422BS)g>ded+TU-iyRa>e2vtkQVC>+tW2IwRlCa0<YO4^=+~
z?&`hFixk3r^9rxDQ>9bzBr{=Hp@|XnwW8%TG@zV^u)(uK+wzQ-zE6BIVz*{`Cz0G8
zw>TrTY*YDAavDCU#R<%Hyq=YVU6=d_$lsfb;)(i)AUt5TohrS!t+B588?&Q<yQ|3S
zMY5g#8A=b!TrKa%@6$t-R^4Hf&Yj3aD>3MH5msopt)`}U@?S$OOH0Ju5ZL@i*8K7C
zo%@_kORsQJ39?a?xy)8_td7*xj9ZO4!1NyBKe&Nx)gyO(8gP}QX!-6tcVJ-%NMixt
zoIHzkUD=REC~Dq;UV7|(AJ>f7e^R-TkwrxXS@n)j|9)Qz0%0msmIYvnaL?EEeAUX$
z-(9gZ*l<xtM}eEIMH+{9!PlDZEwpayH?rhL=2oX`euf+cfc*Cf`DJuxyu>ibli~=#
zG;JQGzO$NwgIKVm+FF$VOF4_o@lMBwj2q{Z_Aw{+SwO*T>ZHCPn!oe7Nz!Ff4?7#e
zW-kYv@$-F<D{%!@tCWA(%JPudlSlXjqtzb%pI9RGZjh+>2I_UWxnQX%JQhtk5U;bg
z7rNm44aR_@)M82_)H;TZx?p5-zj?JqB&pf7MjFVzLdaBkILoeKbkSgo57UD2Vqo&*
zw0d0kYzWPy`h+d~@yz%Eu>|B_^-t(93~4_}St-t1m}3YG{m>avNMquf1l)4W>m-VR
zmPH`>35ON0fb@$E>Q9S4=RUV0NIDNyIDQQ4|1V$_!%V-Mqg`zJM6rp?<)e~=$f4%i
z`?Isia)v0mjB8`acwMZlgUU6o=g}?#F!cG3HzhA{cx^hpQ~q}@0c>{pg+Anf>7(P!
zM1v3N-$fDVB?%Bkhp%mYB8CtdNwRF1{!87|e7{k?Z1+GrmohEv95)w}@P%sK@s8-H
zB2E-r4!tBAKk)g+&ZOfHX0Qld33Vd}XQ|64wV#%XunzQ0$O73oovP)lC!~N`D&;$1
zp2{c(<muJ=4UIjBfS|I{P^Dppn>!PRw}h=~8+mb~aO$kIHH?klP;5)?8}w5yk_0rw
zZOFK^R@BYE8x4FGt_w^qL)7tgoKG$KofB%y?aZ`Hx|wQ~1G@KkP#nA*WbQcrgqy7&
z;9^OU@X%kwQZVW%u6YfKe9pfpd646k^hxCB#hO+EmWx+DWM5I*JEqaFSCjv2h_Kh{
zuutRoB~MFfApIrg?@j)vk?SXA@JT6sSYY++qkXM4#5@$%S}X(1T%k@94JDxdzeFM_
zmOWFQ^fm0)&SjFcRai80@T}l!E%#_=SBQj}Nwil_qh8Ry-P#61%WY7h!otG!uV=Rx
zRu@b|Wrl&I#qRI7fQC&aw0;DfG#1v6N&{lUvkh5qEx9jAv~oT=emcjaG3K;sQdP~A
z8S1Y4U;eJpT7Z{8KH{NqMGcxXOH+R0TEKNr%#~n)P86c%y50i1-(N6X#5ZrLT{)tz
z5hWJ+;g|1)H5T_m6s5e~v#ps~Ic=(je1L_RGezBtzKzC)ORozmj97w7hrp*(oupj=
zHoH*GQrLSxY@{_o(`}-?qy`ymjgqfv8)9i3mnomoYyWclsU*rbT>Xt<xu>vci6yf}
zX4XeG4RE!b=Gd!;6--c}-iOBya=Wf(J>P*jE5bylkokwQ=&AQ$@dEh4o9CyI%vY2R
zs{bxJq9BiAy}R2F<KcoS;OppE{Ne|iwds4UC~K`-<^aP97F~9-=}5?6V!`{kvkWo8
z$iM{F*39!CS=tUq?%!we8|1z{4SS`!z2x1o=<)|)JlzRh>L*BdVv>qxmo^q8$`5j^
zGM8LwBV?ji1%h5t;N&<9Q7(T9N<~0`VTc-DItKED$R(u*GL?kGgT`u7s2ip~#*dZf
zQXPC7$<qjiTw%W@tQM+iL%yfVc5U%cb$jlu(Z*C&to{fnVTFj=1)fEZ37|%zykV<X
zLFO28>xdU&|3T!OhG8SZ^Eyfu9*94<c95g*LAKzwIo)jbo2hmh1J_FZkK8YFkbFxi
z_QZzdnMYZ2(_>u})I~;jY2}B;{7_Z#r(g=-Bxa@ftvs4AQ0!+oX8|lP<m76`Z7ewb
z_1%VcQVr^bEgO=kZ$ue7?Lk-JqpK>`SOZYM_QW~3JhwvZ?Hc^SgeD!n7%R=?-J4|G
zkK|8d2E(1nlTQys{de1601xXZx8G;E=QT%3#VAtVuo(@O<f0raYxN<Xnf%Yd$e=Qw
zsk^!}rdEWzfpiHfQDsnxJRGI1*B22OR#Mr5M1<oEfnyBVjFQ|OgvztRg6sB4uJGg-
zoI%sew%HJ+=2~c)WZmED6L61$azz|RlwY#hy9BbK*yC`VSbUSvH(rbVx>K|mgu@cw
z@aaoO$(ak#N@@f%uis@xxZ9#%2$kqBzQtbaDd>y1O-~Vt@Hnr?^g1o_kAzGrr$~2_
zDb!l0w#}P>M=o;zAlhy9+4i2b)_JZlm!i_ftg8D&JH~bpjjxI0B$gUY@ojN5=BUY{
zFu}lJktB??MaJR`=qeTaed{V~X%_JO15msqXGR@1Rq;b+nS{XH2jq&D$c!M{num^(
zGM))jQIkwhbuBUSLatMpXs4A#A+X{@!X9Vc-mALgwuU*zI(_mFB-D+%R5COARpJtu
zk<h%&<KE)YCJYLI;TsbI7P26_?8z0^vn(utkVxdXS7p~P3HHWONO34J+T#6F`VhuL
z<4<C??KzPkc1hHQhBi<DiERF;B3Xi7LT?P^a_X5~^2fg6@-;v?nVfbf(Hp?)(%_dA
z4&w#O7@#F>JuQU=8(97=fC@zJwuLUm>inQj&zMY$4SQx>>KNUx)|_U8OD@*%+#n1_
zYdn#1d_3qmV`&Q_TSC{wu;CmOTHN~UNb)_P9HQ~@E`kVIlx5qL*3GY!v{cRt_e%2a
zO!Tv*PSNh6Z@!e}J%0j3^(+mN9J`*x6HpIJM3q}MCH0*b2$VzC9HBf??yrO6tP|_T
z#d#;Df69{J&0oJ;wSM9I<1;ZI_DMp9a6p&n`t<n-U91~Hv9g8HwS~vuJLg)zr{~|S
z+(zubzmlp<Tk4{-DF_2nGFTO4#Ij}T_)kHETQVCYWak;Ys7S6dbgd^*HY?yBbZ(7X
zP>q8vNkP4c06Bg~ER=Wc2u9`;<LXuUadX**bBT8EoS);d2-(2@JP>?uT2)12_DoE=
zQavOjPWzsp2B8zSD1#DUEnn*Y#V;@w)G<Kpe}^0jaA{v)%2hG6O5Rj0XjyS6h~(o(
zUC+PAMK&w~Hq4ailedfEBH)RE(tER&B<WCipvVt#0m>h*M?BlK?baA&`nG3<PnlYE
zqG&9(x0qYqr`51XzisOrKSywc`tV=v_gkpqF$V|9Oc3#1ytD4BVbDlg+tY-p4L}Zp
zF6T^OVU1Haj#B1#A8x+sPRM-AfbYH-Ix_L<VD_A`cg{fBeu;@yWNcRKdh47mQV&U4
z;RNd3hObjYC0-*aD%k2vWQ$D=59UAuEd?zIU&)Zt89x?mCt}CQ{q#;^F=3R|Vl?SN
z*Dnz15>Zz|){sX%TX%U(ud)-R@%})tD8;|78Q0C-d=tpAFrLC|a*k|*idUG!;5j#0
z!Aw!5ul)Mm!APTIO{TVQVtm_g^NyU81TB(*E~0H3hqUh{>h62+h+wWn0HF|r()t+l
zz|w!o(bWw+77b3`^e1G}%<x4Pqx&-n7J5#AG$3Lju#+^o6TDHRlzZylaR-quJ-Xls
zWhlf1e*mS?fp=I0;C!c>$~wloCjf8tz<V16Jb(E~3Nda)5LvK$VQmkeERlKJCOlP)
zDsAh*h?qvnVsCPuJ2S|m2bw6-K58CT>sZuILOWq%5^=DtL14V>%s3Uzl>xelD&4FN
zmY|L0URw1l<T!AD)=VhPk%|doDS5Gp`4^K@>z=0=27<=GJcr@%Mb_Q|=AJg_^X#0<
zen*!4<Vr#k*iQl6ShklUB2>zk6A_J41m}@g+Qyl(6kr`!#WDSC2E9wcq7RXDFQ#&$
zyh3~_`Z8wKJoVb=!bI%A88vpDZ&U7r*mgIC1`5i-=*&;dbLafjlIq5cxbLDX8BD<n
zECaj>gx+GJGdgLU^+MUjx;f-MH<3g!n<dn;u{L)$W%e?6jwOk{aFiJb80=RKZ-~Jx
zyRduq+gG!B3MXhKw2WD@Ax7>c81M|6i{=#hhMi}bFT-*R>jK1Fu5BU@=FZGR3|4Z!
zrCVCFWok;&TSZxZC4{Fllg7tHheEP7^mECq5JA&B!kvJtBT$&nqy8xJSSVIo;?9(`
zSH<rO&K@U!8WCYCXD?wHoJO#3v4v_m2keJaKEOXIT?g+QiA^!-aTa!CXyC7FT!(}d
z(vT2qqt4o3K7_{JjkmIqx0Z~Ir9PfwE}2QR#8=Ub?W#+30Aa4T(D;SSVhfqRY1<RI
ztxXIcG9yRJOV6pDN0F*r{lL|((}(8OlW8#`Ce9`9BkSoV_Q;H=Ltz1A2RDXM=_rTi
z=9a6~Y$zwS+Z!nD(NGFz#7kNvozu=GhqrJT9vv*=>jf<yO||hb(9C=`TbC&~@cY}U
zWpiiC2c<-_As!L$g8`6>36L7S&+B*TqKhx_^(3a>y3a-ii1mIyd-ic_sRaWJlaa_Y
zX7<=PD`00t(@e3{!VIb9m>7gEHu}Gc*8O)aMtEYb?Qc+MVft=QFOZ?vu|@H=K-|0E
z32XN^O*uB5{J-@%q^i75{X3USn3nM0gM9GU-_=OC#vXq1yrHoS<dZOQB2o<ZzC(FN
zCI_Z}Vg|FOtMMCuHkgfr^Urf;WQqw*Q2&oyviPu)KKWPaU4H3Th;i<qF(^<tYv~eN
zDrocqQ(h$SLW}^axTfubRl)`s$WpEs_ZML^zp@(2w2CWI(J+N60<`9@7|*H{T{NRb
z?TEY74A}$27H2@r=eNT9PW^O?3K~DJ&{^%Y2f1{h{(Ke*W~6=&n!ehA4U5RuQf4TD
z<+PHB1X}3;n`oTG<|;fD_@>C+vDBP0Lf|3ABZ{s#i4vzr>T@tqkcd-EBr9t=7*(N3
zbD1WE56`>YUbr|h*sovPFI8N1GSbDyTTR35Tna*M$Yi5NHqSW{n)iT~<L{AZvuPl%
z@!a`=pg{4ka-oZu20z|y#^M~}>*<7P6Fef*)4;X^>!<X~?e|wM9XwK*>u5s*kz)`o
z9~#n=Y1O>C$}WlhL4W97RUWJ;(VndrD*6FY$81MGX9-AtWYMY#m@bY5Pd+uksyv)a
z4=96hY*iI=T#iwAjO={d6O5dIb7W3KiMXV=5k0#}bRs@gleiEo_`vBLz?0KqB&;Fa
zfa7om5m8LNB__PHu>sGADpj17+&LkkL+(@h=I`=4?pABFlNkpU2Hg>VkYQ!`{<qJm
zC^&QW&_*`3w0XD%B#!$R;YF=VUnl#M#I3CZfQ791*_7@g0=!J_L!^;IdJ!)q1z1@b
zg8A|@8Al`S`6>1_lUUBm_7aW^MTcSu4I<vqVbFp|?&lHqZJwJ@a9tUjQrQ#4EM;rp
zywIKYa^N;To@}=3mcHoMSg1+R-IS|zvp}*5&_bvSmWB1ror$4^0nHl?Cm-!g{~n?i
zQV%CB_6i;ORnM5<4zlTH-8ZF(x2;E1Us7>yPUgZ=mc@ZNiiU)NQwS95zS*wfYy$jQ
zGSbYjyoyP?k<Eo)h?%7Y{qanNf1YI|LdK3<rv?4VB6|_IVu`ezDv5JpF8~{K%a1%U
zfhRA&b0xd?63~$9{sDITiigAiqgUxqua!CzDOL9_cCe@pfffAf8%2xR1q0hi^5Us}
z1wL9}ut;(ne%l@J2a$K2I01tpuSpq5tu2*JHMOsie-L4Gj6_Ntp*K>1`iU<$3$@jH
z$jj1Nm?fLMl2)2B3}8*vPjvl}SUEqN<8VhUSYAJrUh!r99|Zhw()ib2`Rcy|R{ekQ
C20N7i

literal 251503
zcmeFYWl&tf*Ecx06Wk#<L4!`vB)CJc!JWYdcTaG4*Wf`0XK<InA;=6C2*I5|fS}3d
z-F<7Tp0~DYtM=J1Z`Hr=hugQ#>C@f6zJ1Q=bI<*|@^=eBq@tj#06;+j08sv2fWPYi
z*?&*}z4AYV{P!gMYyEcsK#YxwM4LxLVFsWQqo5I^{2c)>{2L_N|C9~*zX~Q6HU<tl
z8Y&9zKe{>*0QFx%K|?{sL&HNwN5etKK*L1E0-#`%l97`TQ&3WC>*|3rGINm2IB(jS
zm|0laghlneeLARC1Ps!f*g1q`vIIq>v)%oE{u4+0519Y6yZ_nOzZ)tVItm6R)<2>m
zF#rvKf{ucUiiwK~K*L1CLHS1n5R;H%ko^-(&MIJ;HZLe7t);D_o0`6WnIU8KlTBFG
zJ#@*#)2q2fq@-z(!g}cM8UP;+<=+g^hym{ae*vWp_)kKYC!TjV1}l#YO>V*N!EWD5
zTWtCEHoONbXga%Y=}j4T%4<)BtMmtYarNR$V?73~Ck5QIOl+8yE7P_9@VzGL|KRc$
zFoKn8jtF_z690#&>fP`Dl$ZD9u=|et`+XM|N87zp@E%t^NT#M<UQZ8Hk6K0eKhYdE
zd$J~_Cgn`C6I9MiQ~sdLnmEC6CO-T*K7Qo&5^et_%C7#6dGhG!HsvwF_q$J5+z$;i
zV`G93PZuX1e*vfK&o_2*@6umie%XVH-F5WHJWF@~1rRaFf7H8sGBINcDc<-Ch<U->
zU-R@W$o=G3f8EqyK#S||#nP7(*>{UqNV@-pE9Ae<$K|c)&HZ=e-e16K`{U94i`}Uw
zhkFR&|HAc-k}}4;>dnV(wDE@H{x>h_0{-veT^~kYf&U0U!J_{w)64%d!TjVTsSw|r
z&X2dwe;&MK?*;z?XhMws-%w!amw5Qr{|NjG2o`60%Ke!5j@NSTzd$v%y?u#ygL(1v
z-k<zge}88u*}U-C#r!${V_zZBAGLn?=d8wq|H89#>FyW#5bpbjQ8MmN?JxJsv4+_{
z?XUmL^ncfg`N(d*qd8^Z`CoW0|10eG9d|p+2Oo{I{{n2kUwrw`;{0cE{<CxbvvdBV
z*8XF2{$q3g`78f%2>#=({l{DT|I?MG`+xN8my^0?7DryLdchLCPGoNTBi9Xxr&JoV
zbz9R|K8k*?wyoohpcL8Gqu8^os5*q2RV7!=%%M`nyw#qG+EFPp2DRP}S;LOH-zGP-
zBw6vrNG7cvxcIB6G!yS1`+@V_E&wbVlMVq`xW~U)Xnx-HmXKeyu)g#ykW_W8ng0v0
zo1~zvGx`#+Uc0|b@DQ!L2*kZ*6}qam<bBWJwRgm0+shnC?Z|?zl~yQhXCol08142j
ze<(g<2Vd~s91J)28<K<#hp^z8wNJr0y@emqQ<Q((M;^o4j`AkxTXt0Em?OnvsjHL}
z5t66+6MuX|G7Gz&pb=MopT)9OY=&GGaSukPtry}AXB-IAQ-zytID<NVs`*s6Sjs;v
zCl^BlF(r}O6?WpaIN$Q#OV;c*_sz}+Sy8At-pZ4z{RLQ-2`$r*x~w2s=hPv*wJk6v
zLkR9)fPwzcr3cHzyjaau-aQ=r;F>Sp9lDSHww=)WWB|;7ph(6b<rD~gOgv+o5=rl8
z7Wo6kS7A>d<%s)r8krHpQm1d<u?Z~W`m-X!I4*zdeO2htLD|wi-N$wn(^A5-_=6hD
z1{qAN)Z=&5U~ioEUO4TU7K3qArLC<Y-VB1^qoKDopxgl1m_t`q9NHb~t$K*%eb|s#
z47<ZEN_NfMrSik4HBK|c4X{6RitL3?81==3(8sodyzB=3ym9BqBvo$oI%#O(>Jg}6
z2<NA|zG2vJ_7u-S?DuPoQw&N1NWnUBt!Lim1%E0^<xYJ~rX-dvj@a-N?M~iYoGD6%
zRKGT3vrRq0nsk#;$pRVdt1!Bl?S<-e76&ZF%T+WX!BuL%sMwdvL2-tcF1c9ra!vYF
zZ)Inbp);-7JV=eFnB|8?fmeB&WJTO_%@o><NifsW9ly1N+DD6}a3;#t<w@_#EwkD0
zf_K@I%(D?Knh`ei>4v*LUuGn|TknD0W4Mm)+}<1DN^=bL27QRR+wr>D^yX;?w4_!&
z7!g;Tx2R|SVd5}`hhJi3=%kIx5$U0s16qdZ*xDxsH{1q@314jSdIP-eHd=R=dINfp
zvQ9i6h6Zeo1UBb$DzFeD%`nHVY06IF@FHv(%y~?ME9rzU8kt{m>e?Nz*W`V&^70(<
zc+0dTt01~x<HHO3%o=<K2z<5?^0u4@`Y|b#+~24y_-bvEd>DoFmfR6)SxTm^v`9h2
zw+ix{LMPTrcab}3Cm^F?95#t<RtHO#!X%ep_;Z;{aU!e>K@L*6a!g`N9LZ3+rXXF1
zTKT8kP5;vBq+ITmX5%c2SFUL3&N;<BVk@ecMiqXUXU1lED$dHJ?03hdMa%iAEGkJ4
z>(<js?P4zX2AG`MmxgWN$Vk$K(6?R=y@Y$Tb-yV(no4awh(h-Di1oOaZ`BGc4W&&@
znxDhFd4#A1f3wE)JS`I->dtMqg^44rK|yd0!{`yZ<BAq<*gfa13g2Ma2Bc=Mh{E+4
zGy)W^tt1OlVJBVVkQ|WBaQ7U@-C_3o6%*8yr_q$m*L*Q|l{r2+J<;2wPhHO1UQmH-
zqLV|MVs5+IYR`;E?vJulIHsHa5!Zr`C9tL4(=SzrgL*R>`rmevkS&*ji89`6GPsni
z!bEp6x?i%il1$R}mH_vWk&xrlU+9}FMZ1v?p=&aH3Qu%GWg<z6D={w#uTVSsQHz?>
zUlp76q_M~G?6wAX)&i|qoF0BzYxBWwaxC+05&7bFOcfXWmzIY;DgU68DZ}H7Wd!zO
zewg>pl9Q#J&t8pfY9{Aa7;BzoqgZnIz?v6F0|9Zv!HCQhF^tSm(?Kkw(XBa7-twh>
zA)Gj-KpX)TYDURw<W}uZtZ>x2CUnQ)oy<wo;c6c59bUv)MZLKmr7$rIp15%@xWbQ8
z4G$kcMs-NxSw~&+MZk>elZFOHn&DtFzTvbkmE9k<Zvk-=;dCe6IwtQ1Wk+FAs}(&U
znyu!^-Sf;Z4Fcm7>DQ!i=;M(Gg7r7?0sVIwT*-3ZrJ#Vouz{h0TIR-+U__M-J5=<X
zdS;u5KAu(ypib%=<ac$RO*&_Ls=@K8<YVyd9lE3Wom`d1AT8u&QV=~*e_bv0dg7zY
zPxEl6#cPY_)=`rPB|4{O^W(rC{c#iR_|U@PulK}sDb^ewKeD8PK&nzMd8v_k-z^n&
z>uQp5@(g$qKPjX-3C>VmP7c<}U;spSne8oxWU!Oz_OnErE_!~AF&wWvy&c<me(Ab!
z7Z>!de+NUV{VvqJmAKZIHnn5JXZM}sdCiXd;~NEi+UJ_d;gzt!0*{<!iCp?A(}U*k
zv`V!g+tz-WibGoQ&tBDUjOfQ}B2CAa<>al+M)I9jUZ1lv94l}cHxD(Nd$flsU1c(_
zb@hFXMO3ylzXEa1xC(AJ8KjzU&&)HXU<VJ*ce(V&;vsD5ULH*iY%`AgeOypSQhh9(
za!B^itDP7O#k0a<qL6$`(|lgFHBX)y1NOll5Lnl(lyex4{E*jD9`z_<NI>3|+2)9b
zPyoH3JdBDl3Iu-X@xU=y3xJ=87S?AsRrwrunN5t&q&2xV^uPbY7<ITPVEaP{bs1$P
zbT8KCT1&teu<9+@FK2r5nfpOM<>4>D!sJ5fxQ)v@ELX8)@dDkc>v@&?cu;GV_7uZu
zAP3f0Q*j4sDjC;0*gsA17>#mI;ipH*sPJ9bb@s59ry6e^-;EU48pmGRYi9^d0z7tn
zt70S(^>805`>j@Istq<ZZ(6GcRF9-Rf?|?Kh$7DSbV*+Ki4{3+szPXkhjvSN`=a2f
z+BJ}TOj<G1KRpXIGetu%Q%4qk0a3N951fPT)iGrB*FQ_Cn}fv12g$0Kf47Y)T70+#
zoW_-G)V#6O5zG||a|FsErI$Kh;<Fa&aHi8ZSu{t9vCLYiOfr`ZsR_>VxKA-Wp1FHi
zPqmS2;3hq#Ji*+7W^=AtO3-A=?cpXAK-aliL4bhrn#*9AQ~j58;jAsD?~Xy0`zjP@
zcIZ)xcziplC-NCwdAW291fdC{>ezQ!hIMaYusjdJ3vBm6u(u}*OL)(p*)JAqA9%1B
zo_#Q5-WjSVI@Siy=N)0JKUQr<Dm#9H0GM*x_)bSG26`yD^hi?FfSji7VE)={G~xws
zfl2~GPx+gJZ{ASHUykKfzl<g^QmLbZk%?4Ej9GOQx||{#$uBL>yH^lt;xmUaXB-{+
z-a3mw-GC-5)Ctp}JOR9Z#uo!mE`4Hh%f5|BD%beG0L*-Ww}Z=JOjaj4Fos07Z-}-Y
z)$_&~>WK#Dn-h`qa-$Xdc=&HJZaj@?yH(B{v!9c)(A&wGH1*!Mdikad8#0c)>V4T>
zalOA{_uR_uV)1?>@aX%h<^v<;6_mgg&CPJh9Y$Gq{2yOvBxos)xl{<s#Mbg9*X@@k
zw5LXsZB)&0A#Zg+J+k~FIgX3$e5`u2$O<;8`K7!W0tP2)>HM2o@e0(IQi)=)0yE<O
z8^}J%L6F}xO0OA}*)jvoDD@{dGA<~8FNTtPXZb18P3o$xIjpAhi4xMlRtqd6XGN_>
zIXx}0{s+o|JR9Yi8HNahDp*!BrwhtvQd1ch!Ac~Dt9x%$x)G}(;vWwe1xiBY$(#C-
z#7cUEe_=*DBhIUDE@onizCA2Da-FBDw@s^E@Ln~o@CkwTWCf|Ry(>jN_uEV`;cstt
zQi*hIg;a2I%_EZ%kCPfvkd!~;3B<GwI1F*E%T?}%bUVL1e`+{hE^s7iiosKg%8ATL
zc$M`yYCkYH2%&lwHMj9gkK|E|c<nF!t&L8#1~Ey<ujj~LzWUxa?G(3@a2y%8N}4`c
z6A#X{Aduz5pZ{=>B`ZGe{gq-XVK3=Wl!aMBB^mC6yTS8FZye<LlQlJrDjdIvSdIio
z`Bf=+2n9}qeU;^Zkf+v^L}eL|U!G+sIEMXmjOW)BG~l8SB<|~m@QwU1RVb=IR8BEx
zQ#+a&Yo|gW9<azssrL0lAZwVl_Tu5dp4jJ4YV4?fY`ktdb{SN<X%!UpG1Do!f&8>k
zWClsD=PjX^<cF6&Ol|1g#E^OR1$~P;UxyLWrn2(2`l@#h%GEyWs|xEWhQ2Vr1H#GO
zxCeF(xrQDX89Kd+ln*Sdlc7DIlRu6hd3{zYPc>Jh?fu=O#if<X8m=5Gh}}5#wpv;;
zvtmqt)rZyyuMnfMLQH$Tj(HZB)VZ{=8M~v)&oN|g<qQ!|Ov$&-hucX*E5tBiuc<P9
z%P}T;sp3`_o~vFx9L=Vl7v0<vMwY^!fq9$Yn+HVn*!l#j2^^*iky#W%j}yk?JPKw^
zgg%F2r}bh1&6LFj&pBkeUMA_$95}yT!9OD}J#O0w_Nm;?$j4y#m1x{P#MwMxa<jaX
zt=jtS1V3H$%u`E&6CBZrWl@s1&yVirF^FiG1?k5BEXMt&1)r|3coi=Pw&8)+CqSW4
zY4pI8H0Wu;zOw1KL@f&{;fSE9zRsf$7(I+CkVrL2bT6PqLv$xmcqd78@qg=znY=@u
z`jq9r4;b1tFcfRxZ8NZLujZ>ZEy(OZwARdVjR*SWgWk8s8iN)b?R0fiZWJmgYtuGW
z&cTqmjA=sAeBXy-(=e4n=dK20F%U7aqH!<1Uu(_@=Zr)I9U9RLxxL;8dUCstUp})E
zF9*cHWD5-jTb<x=@=l4d=kj0wj$gJ5!O^Dd^>});Le}+(iAyrGwOl0g`%>_lneGzl
zV10HiGN_j^!vlPvM$(27fBZGdWp@4TX8T90HDOf&+^3kO_UXwt6<omA$q13~NIfp>
zXr`DJS?ksA*{=Cpv=qtV?GXM1e7RxHSj{1&$El6Z;^fRtgQXF3iM;7swQ%q_%g94S
zp=IM({0=)!OSk;tOD1bj&9v&2^gF#!n6m_sXAt|+KzPWcq_qZb*UcKF8)q<m8Nggd
zved9uv*)l#F^IO@p0~Mm{1;H)w#Z@Z4R1b*`rdQ0u5P;}Izm~~#`bI)(k_b7s*cgk
zkbxn{J$Pcs_u`0cW~MqF>Fe5!&j?yFS$hL*jzYp;8bPMwAD}Y~*`;k--EPxoQ19oW
zRedww-lo3*Z>`^nq1CvflyC5VlA`tjU!L<0!oEVB>j&lG&T*B_P4yzSG2cLwH%?ac
zbB&uz_HB5iMAg__uy_%lNcW({a#wQ1B3G+bEq?%8antqb-1c63TU)7Xs|Zlv>Xtkm
z_JE)0(0KletFcwi>}FNrSct!^e)%S@(DV}wb0GLw5h-#bCrk!iY?<!CxaWjT9Wh*s
z4r814M6ujm=j}3Orv;hc{mS_<IjBQ7jMF3MnwV1^9Z%NwR(PLH&cua3n?9R$uK+w+
z>d)R3?m3{zv`Zm8=l66xStMsCc@|;Jj<Bl_6zsJ6@1eqAJ3If#9YWA^#>bg_GaE>l
zS_2dDi8xH;wrZqEYk@RMHm~spld>-?yG053^5m388XMMIDQb=^&7^eM5T$sX8wWxh
z*&k(fz&@`n4JFKr$C3Gj+hMhMa`G3Z87^f)c#dZu4XP0<cpsdwHp_#p&2?p^Rc0h4
zrv}W^^6L-Ag(RJQJ8RcNj+bpqOTK#FPSvgy%~c(>gHpfctwRzyZB!|Z{@M5umg--U
z^#o+NPJ9$J9>rmeZ2-O;WL-{b{vf{tdhJ{E{Z1Fol(b9rT~cyLON*oe*M7YrG2>o>
z%*$L-Zp=E+OhGPwNBD$98?zRxqheH0cJiRG>Q5&wzq33q-1}Yk5~644A2a&8$H93*
zQdY}0;(bQqDU-o21l09)O-RROs9l+=X~)SmjR_Ogb_u!4;h-_zCx@L@bY)em4<omC
z{AX_wMRI4K8QS;zT4|2lk!2Y>H43Yqj#amE<7D1uwi}qE&NZRUjz`0d{6;e*+SaBP
z+~`=|y#1KkQ?EMYgkR*eb8m3le`A9h0=0~`YwJMMN#(y(jl0CJmrrIFhOoUxqmCev
zbh|59*=RdZ7<ND+bu~AD?~pgFy(si#lFdO_@5KL`IFg4%hvU%1Z86Z#xhOGogs9G*
zORcr{%ZUJ_zQt!nWIEKXk4i_8kG;TF;2~8}a(Ew{n$}4=)+b{QsF3BA5;1*(Y}Ml@
zQb<FYqTfQ2Rd$Cey(=sZDRZz!#jOfJ<rOO6GvEvIaSK7h50mZWmSVr(4J>C^Dl?^N
zw6G!&b*}?j7oHLlw`abU-nU&>io=E8SihzgQs?=>*xAr96!Vcbf&^b)SFdqg)fsF?
zJ<2!z%90d&FbSJYKhAb;qwkfm_v@{P`Re)=of;)sn&V#v1%0#H_=^nle)tYP&ZS+f
zE=?NhAs)QSiWdTF)|}qk;lE{fNT;TkZ>8M(@=li41m`|3EMWubp7nfN^MwqFO{GMj
zr)-bQ2E|Z&=Q?U{Ar@!(TtO7on9Sh8Ab?L(6V0|z(3;3*n1A>0NQFYPP;qoV8RLeF
zgEdC)-(ezFJP|GDx^-^!2I)mWB8Dy2c2!W~YjCzjHnz=0m+N(2pX?$ng$T77X}xDD
zR*~A{cX)v^el#`xc7r%~LT*0;3i&|@aOX3_(xCF@&4y$N!TTpppeD8C#J*v9A#OZA
z*F>bi205Zz+%>5o$J|~jHhB3_pQ5#J4S5hUHCA4)d%oYtew#W2F?I$cflREV^4BHQ
zC{+!gZ4M{ScF;Xx9Z^t`s|oA@>tdfb$-hns!keOxl&X$ylj&=&$$;<QGSe-X)>6jP
zC&5JV%H~+2^NQrE7^*m68?PBGOJc;H{aB;KpUlNUGapuGG3p>E8~Mhn)$FOj?9Ep`
zV8e&AcAvPE4vPj45Z6!xto$8Xxl?Gf7NzB~LpOXPhA+?t{pK$q?RNmvo8nuBVuSKH
zDee5`na76aN0>CS;iEfWi@hJ*+8!1Z+A>f1+S<m>2$O?z4U=rBwqxS8`&7Z9<V0(x
zz>h@m%+&QZFe7Gi^5>=m^(Nbu0sruTlUi$6mYRORGIOs7bk8I?o_NCLcz3)WWkMv=
zMaJs>m5ude{8t0~Z&k8%quD{#xpVYy9Dq<>O0#}tf^e|&t}OC4atB={PhZ}mvm-O_
zhM#k}Mx!%r*bw(Ueo>)gx9pNFn3dkR347c^nDgg9!?YKY_dEV9+_|F8c<H1%<^=Oi
zi`7Td!QXLnR~*v%p9mu_mKbplCr_~oFS?RZpbnNX{+=1JSbqUNnM-HBvW+GnU30T!
zb?jUm{W@&RI;v?13Z*qiaVzF@lTr7^Q`r#cmB+Yn2|qvjOneym?p>~?s;TL28iWU=
zmBJM(Nb*4*Waq6NiksKut6(f7xY*RI1}@mu_704&GP<@@s1>ZkIoHFniko8ANy%p#
zbFSr(ALv$zwkx}P7XURrVX<BL&KMI&@3xqcM;p=pPB5}Xzl5iR-M$^=bBRZn;T8uX
zMKp2R)^bFRH8wI0tQnZ`F=ag@9x7L2%)3NjE?W%APp2VeKdUHfZl<(s6Ax>$3#`9%
zPm5PjzS&Z*`-Q=C2!OA1>F(Y#UbVlKS)8~$er)$iGZl0Bvh>1yQw3H(qu<HpOozG3
zptqGA2q{0QfISicw=;sRyYwmbN=t}G4rE#Bz0s-u8?PKzyU3L@Pb@o$_RQYYQXGrA
z!*0c2z)N@%*Q;@qwFc};>5zFUTb8Ub3#UHg_GJ9*pytN$19{Upp&n1ctAhE2Zfn+w
z<_C{Dv;ftL&uq&1dL#B{&(?;!P6Q{$sDoMa(X#6qVAyAS{(K`h1cg1g-Eqn$zz2N8
zI^#V4DFH(<Dz?|w%Z5-SYvcSUlb2v`Xtgiqvcx!^q>=Br+?zbRB(yJ8tIl53CQff*
ze3R{K^}3H*<QyPY?CFo@j5J%GvuDT5WCD7ji9g2n)5{j-d@-j=At!wUt2CiTL`N>E
znxcrAY=Rav?}>D_*+rkjTnEH`I9SmrFx(hnhxSS{t;0$AG%Csfzw(dI$27eSBZ~C^
zgxnVdi~v+RzusirKw4J!+jF0qoYBPanr7bakn^O@P|{)xJT=r>m8K>%T)NAE_GbK-
zLKcwdqZS%kl2)2O)z!}^8Hi+7JTEEj$d1>%1MY5|HS4n{n7y38F=3N8J&R-<tx}p(
zMg1xA<iVfFxVlKk#wb(KSeAI1xmAsN8)O)6=Wtfnq5PfCZoU`sX;mpmTdk|brs)Kz
zergSon!OzkI{qdoK^yS(s-ZfUP%C;P@@HbocF+5{!qzAdB0w01E4)C><u#cxImUQp
z$%PmUXIkY0fK{)A1T5p3n=uS5>t1v|&NaO!ve>#n*@~0oZ|w7`%PVOqz%yE2?gqAH
zYpXLmzwY^PI@xlw?s7)X<Thxw3)PD>hbV<$DXpT}l=2PNFZw2?6PetO6TD5D>ZU4g
z*Z8ipaDs$I$CC>v(|W;0;*Ex6%}k=&T6vLjqBT_L5e1EVD+^F!pBWc(y3x3_G1p0<
z^l^Mo?jfqiB-J49l(Ir|v>~|}36Gjp97&tYWvSpWbx4a~d7;4Ba1eVhH|;w6GKs!z
z=$ffu`ParQ;dI(&Pv=DR(T?f45QkZ3kAStVh%5&Okn^Vy5?OTbu2`?Hg~XxM4<4k%
zlvB>^-3h4H-=PXZ{SgIaCw&og)gj~E@U?I=BaKUZb^5mJkTH$P&#G!QdSUC{d<49N
zNP(G!Tbk`b(=~!YgZ-Y>062uOi&Tpev#DX~xWI(q`~@<(m*#7aseikHKCeEOm5W5A
z&2fHjNn~fVy5T*EPa~VD&+TTRcCz@S$JDHm72Lc04mCnAhCtZFI<wVxwr!olnD^=o
z`uaN3E51&OTzi8|<RoLc>#?SAAbNmDoDxI#C<=Xr-Mg~(8wVSQ+aNny3ardx{5SES
zb#^@dy@s|$ZqAuWYKR!o)TN+NXfz_Dv?y1y-x{gYKkTws3Pn?}y<6^ib=~Yn2^ZkE
zjU;8^y!_L)1h*zlHIa*BK?3Hr0V3Qm&q$fn{%XPV=PPp1ec;-QDz8b*j^%ZujjEE)
zj`PO-5g#AgSR+KDr)mi%32&zlK|uX1Nu0bPBa*NQwvHE}nyiiGR1G<c_)YMxNn&ju
z?p*;l298!OulULzvzl(96NxV`KgXL^vyL%R>JfdKl#i>y=|XqQPGhXd6nS){n6>gR
zuIkY=b^Vs=yZA<L!5MXgUF!F$-}^=g0i-V}?cEio$pHyti+4gf)SA-pMV4%XOJd=>
zaPPDEg4GqE*tPK4S|>@DSjcdjCYH&=_e4|Cog|AJG8=lkOeL$|v9gu3bS0lp(y7Hg
zUgsxgXd8I!xl-@M<UkoX(~mjh#RNX8OLB}4j`wN*i|<Gmo|gLExyG6JZSU@!uj*~*
z`p-;Pfc4X?xA~hRsWGoc{S>L25C+z_YWmIh+`$}~eW$>7We0FI58QO+i;C=qp;j~G
zwm#*J4Ubrx9(fVMp;U)X+Kfv%nyG*=ax}vFR%RaiT#ad;x7Ojg$^B<|KZ7}>TcM?2
z_c#+}plH;g_(`O5!)%tV8>5<sX6?q?z5s1cLEPFz)FcOX*PgJ2YI&wK#5r5AMsQ2N
z=yHrZmcr(=RBL}t3!@F>(5y4;M7xks)ut79qS8A$fzfBlO>^ap=L{apd7<DNz50k}
zoidXIOin@?!{Vj#Y2yRwa~pI_Fb!*g>7ydvgf6v~N-sdu&Br-W)doJf1pSo`scWQq
zOJT<-2Z#P9atwq7t+RKs?;;v^<%8^U)ED3RwXy3|k~L9s{IJBcv*DH<=Y`m0$x?K^
ze_LC~lD49Tn5ca<eu>oZ3;eK5<F8w9D&X_MqeQf;Ke6WDY3L{1;{<xakh+q#)DxZ#
zI@)TLNsN>&Lu4Oi&DyWX+IcmVO|&J(iM~oYyQZ0v*kD@H1yfK{S?%S6%M5sjIR_YH
zXPtNc^z}Im_-c8XO50XJjutq5Yp;WEA5|dk;AXutTkdhI?uu3?`Ef3w^!swqS4*4j
z6;DOx;h0#kHy!gQ&@c?oPC)Xjt{F#t`?*s0QGU%4Fw}~a;qkPG(Lf{$_FYl=<vkjo
zXDpFn7hD@85D$%>qUF6}J~RKR(%WA|LJ)5GS-D>QB0>GLDh|xpsTe_CV1+w^sxFGs
z=)xq&sZKSLC%PIV`8D;O+z$EF^z_)YAuH9cIoxlNXq6!4dYa6fAw5uUnbF7ZScRdv
z%}KwOPjHk+313ppB*E%TGow@N8SXcMbKNIyQ*GimnX}(gp3m`B<!zf~K3{u>#K!NM
zEcmyzfSytZtz$gZyW{%TFbQVpZI@_qJhs8gO_@K0;yG|}kF78Xr$9*ij(?*nVyl}*
zZ>BQ2N+Y?(<=OcChRr$%aelkw!@ks`<#_XnrC1u0n>tOy9nD_n+Ko+S`7P<tL=Qe|
zk5h%M=+-;a+GMM#H%;sKXn<V5_T-aL;O$o^=IP+p+9fbnsf=LSRQM^(SKS}#R#q=&
zYU5IV!wEsslCDz$-=nBJR!O{rs^;C5HJ?%b0_K45oX=J=qx1yyiZ{r`P4WDYu~u=i
zMb>Ur^AJ7OZN#k5E9QzfGjCZ%bDi^FsoPZPC8(qia~b^6Rr|sBTH7?u!3dC>YsNb;
z*t>f#A>Y)*dK8p|Lh{t@LDelS=wADgd@Z*jC0mF9R1j^;&Jb|1%aUwpO)-(>ee`B5
z*)tmMkZTEzs>c)Qb|omcZAW?w+n%R!aT8K%&A8SR2~LHJh9@jVeZ#RfZvbL8D$C8f
zmkH|A4wBE{He)f)dyI*P;MRi*1)PYa0{!dG2^$_xoCUqxO(1+Z&X2Rbtw<NN1nGcU
zD|5v1iD#l7O-`h;9Ji^KKJ$2}nL!DK+S-YQscbO_zmbTEK>gg3eEDQ+kAdfm!e>_j
zBc!bbaZ%MI(9O9;Tgq_(SWZsGUzrx)if5<!442S=!?f!boE76=u77o&$=79Vt$}|i
z_>f|#gpa`$6-HH=>yaaV<fqs&>2r{b4sK=FVax7ov0AIi%{6F(j|q&!XN=H1m4OT)
z7(4NC4o0_Ql<Xab6j92J#ZE?hQq?>{QevdpJg;n)Ss3+RM~usfnt&~A*<5p4GP>68
z?p9MX-A7)qPi6_08w)7T)Ixmq^W&|~ry_aV+URc>!s}|urtnnaRrxHIa*dtTPhBfY
zR-F-kO;Q!z<W(bK1LJq^KS<m9U^!iyV`lBr+CASq(VV^<Y+t{VdrWtDjJ*v~T>m}x
zgYXe{8@%-|Zz8x~=(KMx?=Jux-2WHA{}-Tp)0tHE4f%j<SYaY?TZ8%vJ|e4-<*eUD
z>ZH-6oK9R;iS!^yrJZ@0&C<Gv`784|E9{(t)hG)iLmjozpd30rB17W|!5e)4)^$8W
zs+cAGF>Wpcj}tNxCeGZ9sN3E&Wv3LpD*wvLr7RR3+g>Ss=y;!T4SCMMP$7M@c$QLu
zTQMbrd%Togtlg^_aYXxXx*74d32()YHoo)@Q(C9guk(iz>`k7HwN<svTLiGowyw>N
z2QGTYGW~2K8eMmrgbwZ#%^b{KY&*r<77EfM7n>e@YAoTJ1qVZ9(49DN>+)2&gHzsL
z)P`2ug);4QrW8m{hQXkl9*fldG3&HgnC{6@K3>kv&8fowL!JO0I&b1W#)(*SAER^l
zLgx<8``@+FAp9hS<npEbgfK#DfAJM{&e|E7(+O27;;7Bh3u;)Q7)1}y3>Aq48Y-+Z
zn)RsZFi7tB3X91udw3Vo7+uydr)!-~_AOoMI2>rTuz#{^uf^$-NebpABYk$hG<j&L
zb~r>s`Pms{eB_L`F`Bl@O2xBmBX>1*0EY0F{h2u2wGwAuwro4iE#fWi$VMvTy_BHa
z{cy{2fK!0NoJUxm*y+h@Ni=oE?11_jUm{H1yRL0Hk!Df#j5mtLm7Ggt(y6$;r}ENq
zPis|a0<Km<QIbEj_yJZ#ylNtP4z?e5$tGsb5>*;JC%UzRJU_rMUUT|W+I;>zl`Uhf
z%9!veNEWYFBA!h!@Uki5@{2-yg|fc?I`|4XZvw^nfNlrRJ-Z<f^}<Q<bC(nNqEG4O
zQAiS8u{VLpSS5F~ZR~fD5JdGIr0v%&qGK9#9z^C)t259<v1IXN#uMh0X>lK8*U+FI
z$YcfCrNr!6%#np96MnE8uYpJrH+uh>^Jm|F66fnrg5tI9<Q+8_(6l-SCaImE@qUD+
zfjITd2QPok*c;|u4-(-Gjfbr1;4v#-%@K;%n+sQ7tSRx4smG03I&Hl6-MH?Ra!_wf
zM|f9=4=d3OsuaYv;OqzemNGSWl%GD5VyH9Rnh)>}u8j0s@bpP1&lmZgN{a@fV!Ke@
zO&|3G%8JWfu0q<O_K#Yb;ZEo&8Ek<PD9T>nPLRew%(-z?4OcRAf2Dl#(8ElPx2sFp
z(<i9Sj;4#|X8WAj%@J1DBFK#qmqS-jAM1~Au93TZiI=)=_)l|_Y;xk;6-i#DX~6`_
z6BWOtey*8{xO8XJucejYH|g32<0Vjm%j0&s^fYq+JCHoy{Aph5Caeu`H{am-ozP9T
zHkqG<KwYl;E@;&pWy8T$vSr%=tt_j14@7SY&GSag6A01@4JETHs6ALl>947QoR&l6
zoCpjovU@qwG|9JC@sCKy!1bF=WoHT?f<_XV51FT@7;KB44Ti3fK~OecJ1dagtPIM8
zF1_m6^JDa;hO;>}uaf5bIaB*d17p-qd)43I`Zf533syBZp+vE>N^jzEYZi@&>7D=b
zuYu6qu+I`;(>w!ZJ<`OC#WIz)!W#Ge4g_h+u-E5k(Sz3sGQ%&$POz=D1ydSIKJ^@v
zr<3s}RFE$+q$Q2)D%a}G8MpAl*{=h@I-`t%wk&PRanV%IUbMg^MdK>r%9e6SUE``h
zSO^@HwXE8-Xtq9-cj4W*TH&0muC)qTsCN8?hg$6JU@T_I#4F<DHz&T$79aB>q4n)?
zw?aF_*}0#-Qx*L=(!D7!RlaV}A^THXn^GF&;h7DUgqw&PRX2jM0m{r0JsRqf=i{MS
z^lIT+JzI4_!e_Yg_dZRD^e;xF9__j@IAl5xW`^)lJ0$TL{bXc5_S+%cK~O(#X&t?T
zKyt!`ex*B>VB+H@aN!d$bI6rSGX9-1{(WL;+BAT4lgO1Ie78<vk~4f6yVXF%Y^=Ag
z)ljvl#gw<+X+F}}i`QeC!8#o67yoDc+IsTc`-%91jJ$Pn-n1Gb7PCM6&k!N-^$}g1
zrIdBN$(Ka;zzb>(!EtBNd#eMSx>)7zMMhS0Upt3{-XppX<_KEn+@X6_^y1oCP%R?0
zEw51Otq8<f@TRp*W4*zI8@x12_?*;9^L~NfOuLOA)2wgVOK^hqXMCDqjzsR@{azBu
zwgO2&uJY6iX`aspQcJ%1e}>mYD7muPC@&&fz4;*VOR|`_mof*&T2+|a_UKV~Ovddq
z-8qJ+0tWmid=+pLMkr|;Jo&1SCNbBfABnx_0jpdTG0$H29H$KnT)Ba?VFmBBb;-+h
z;1}&3FJq<ack)&^dg=*&syVe5V&yY@HrB5EIeT?6Disql(p6Kj#No_H8@ArXpfk;?
zn_|$2ON*CSKASfo4>_PlGd2qE`4_?m;SPddoV6r2Ua_6%?&cyqBn3a<8%*kmsiz(_
zU-43M0Co&Lw65%c9xr|Bmr9w%1nYuazV2o`=v2?ts$AgQ?U?w<v|x#NFa;@4E!pHa
z>2m@N6qXk3?(Q?=@)i<<zIFRra#+CA#{Ew>jvH62@?sq|T?{|5E#5dAmx)`9GJX(a
zd*WNkqO6PAk1{FxMT@^-Z3y=9_qV>#0FE{&BGuE=89PhZVQBgUEhkLDpA~!@w7Z41
z%V(mj#$ReFesZ5mNLSvwZqIkh3v??~*hIvpW~{@1oOB%bbMyUCGJmD9;exJo&a2tw
zq@qHJm_M^$siCaVaiXqZ@SbJLrDN={=rTodsx*iEey(e{F&kYI5(!t<@;Nh6)tKs7
z58j-tJB1LxT_k}feAB4x45Y?J<g2T{e!qkb^18$^Cxu#{5SnAw4Ea+#;PmOIrtT%B
z=ehsvd;7<j`3O}{*01ZDU)sp@5<&ezua;GC{y={W9w7NA;g-^3_WH^rJ637o2Nm@_
z7QEQ@I7^(jkbcA>SNyw{W8R;<N*tB?#-J^&iJVgUH8tYQ#PZcKfR)W^j4D#bMP(7a
zrmxE+e8_K+!$^!IU6?wZr}Vp-;Ma)qld~*G>6UTfGQ%2brlYGP3}!*`Q-jk(r*Z70
zkg`(`1;^NwmSmnBFcxA{Y)AF5cKWg4gyO&;Fb1{`%Y10-l`%vo1RAg=l%4y?E(UbI
zz`J)&jISVN?YMpaQ%hiop)_Wqh5PWTa?G*DekwjM^h~>uSVW6<Wj;AogDV5>bFJ#y
z25W>1q-}#evUHF?vjHvB?M&i!Wd1fUO$Pn<+EX){9i_aR1&BA#e#+cJ(^#0sEn)#z
zH+1PqqAF@7h73lRCkgyVY7WopY(Da7M2NhZbw&+yJRhmR1L0>0QIKg~9M=B-XJz&I
z_G5CcL3Q1$<(a8=9}*vY2cGDnnax^)yx6L&^4q-}RMU4LM3+z{zBUG0n)%RKtYyGT
zl0A6hLSVes2SJ$iF+;uD7!TsyE3LQi;2hVGxbB<Zh5~Fc@@Y24GxC{lk#cj3bDPAl
zS#MC~N!+Q%Ev%HHd$++u0<BLG<aRu974Zi7ltNhstA~1zjm{`1>0#X-&hr@(9#OxL
zz~FH4%(Z8Au9Z%YF+^vHr`+JB+;aSA6ow6@S)#zN@?5c~CEd%Toffh_9`>K2J6Pq4
z^oLTsjh7lC>;lnRV{q)74BKdfz0|~1Cntth+o|z-&eC0@`LaE0c7wAi<;E_v8<OJj
z5Y?2Y-K;v%&t`^v7(+WtEi^2kR_uytw9hZ=Q3ruIm^==Re*w3pML0HbY9F7WLKh8x
z0S&K~LVzbQ8gPA*AcQxq>PoE1Y2&1*@2>EjA=W|^$x2#Go)Zm7UN<t>yMRc}o@qJV
zn`dN}&qh60ysbk0N8#T0xIm)kSZ_VmDvh=GZ!p@uB){Y+RWmkOkO3)al?z4E;+AIx
zG238Relhk8Q1Y<Jm+N+FC@`l?F4J}g<SoK%ufhAKTXsFU;^f_{Tg?m#@JVb-bM0w?
zv!?UX@g9^6sd5u3LH8<Zdz##ZYqyDjpH#g->oQ0~t*$URIn@Sd*UgQy)#yzfB|CRw
zfU@I~63aeNfp+F(4Gcnc<yWMf(74N?&V(!az^A4Y;^Ssr+{bJsYn54P*(1S;S(!wJ
zS#q`wLy3LKm%q5lMJj0SJAKZFGzJsdQhu#=BP?6AL`as3zO?{UzZ|c%D|ijYy)X7q
zy)$j%d2LKQgWoB&FaEN~60PHwi!DE;@ax){g?lk9iOV&<YEN19Xex0Yj5=uGOKk71
z(cDdrS>A=gZZeh-c069*Y|y9RApn%Irm0zNJiENd(OV8gmvLHxdIR?t5W8kd=5HQU
z{o<^w5q&*`(<_YZt;XIrGkKB@|ME5o5^b9-z4@5v*HOmc3_9@LR{MKuegnBV!8x*2
zc-p=`E<u)D*T$oy(!f>uB$>|$t%1tnr1lljx#5oW>gG}<ol#Vkt6GpkkF~h2aH@v&
zGW>P0Ma%dKhcF|7M0<}v-#c1pUbz1D^L)~6Sm3Nw&JouEKiJ|5Lj%#7Lh8UG(_^q8
zV?3n&<GVT2r%zFQB(0F^eUnG&<wNZ~-<6x-P}g+|Zi#={?A^~>;M#8oz-q^<rbs#Y
zSJkb!SGzZM9xInoayRZfE`ez4DKkiU8CN$cm5bM}ushG*ZkR7Qe1R=_N%@=UgF7Kn
z@)}+CFU`+w$Uz=aL$D_hbZ2=ehjV}i&^orA$gT=yzxDYjzT+gnmD%*o_=N>v1M~5t
z0mVgOGyKn0TVw6Cp(7DNV&)G`^Y&XkssQB#Ua<QG((>{P;ecTUjY|v|=S@<t+EsH;
zJ&B>QYvxB0&6m+*%>BeaIJYc~8Z-7!Y)jW#oxI{MYm*Fx%J{}<O!dayZba|y?=u|6
zBfz#(PSw$!#h9u}0|B8n*FHbY9c&fFGkzPt?FTwoq|>s=895{sCvl2TYL$fDYj^7h
zM)bU0QJVB3B~1way%K@<X7#lmd&_*G!;Gz2r&ecMtR8H9OWy!uHLPv5Y=(--rkbjx
zp;xm2@G9JUqm#~dNbC09qH*UC{#JfO9kLVt)#yxpgaWn#<o#SmxqLHHUB}mO(N>ys
z>wdp3*uzov-MsCi*bm$^T>pmoh{I96F&=j!ri=+ONa@!{wP)?-Qt8KxnSj0w&H+`X
zZqc}vOw0V8cjhnHZPr>6)p(j-AKiVsnj`7rIJ)h9=(m&XDLN&q=SrJM%jqP`g=>CT
zI@!a(endEiwNi~|YCux<aPcRjHn55esnv?#z7CpSWJ(fZq_0=kv0n&`RBLz8m1*=(
zHCM{30MF;$B5H0;%3T6s;RGWQuj&KuR2BN-z6SI4pV)9!Xc8?BA}1UMUZ<|;L=+V>
zS7Z5tEnKxbod%(wo%z&#ftlSl{gW-OG&{m--0vdgk!MsfrbhTU%{m<3fj;GB+FY>V
z)B%I22%XfG>6~%>sTXd^%d%5BUc;szVIN!OMHu?qVa-|Oyx#g*Tb4eoi6jdLx_<$9
zfEu8iw7_Wuc`YUmhsGo3+ez0?Owg~^pRM<j-_|f}>lUr=&ZW0M-OSS1@H$uPcDmLS
zWi}o91fD6+z+cHjP1l(#!UF>sU)Lzdxv;rwgPo~4t7o@89Mxu{S0{(M7H6!a>~~0C
zjc{A58_d4IcV$@2$pup{a=auIm6zLu0CnhggZ+O_7X9Ji)KYE)y_SrdFY4rF`WJhd
z{H*+QclWKGy+Eo3`(55jCJJP^?wz@OO;Bj#3V9`lsR#X(R_jS{u9LTjm-~pgqK`4T
z(T%3t%@?hm!h}x9pWlKpS$<Lx3)Wczj-L|{Tt0c;<)_A|e*r;AQhh}Qz?-mFc*>Qv
zrl}ZkBU%i?XgLVVHg(F3qQ}nzET{z(4U|FXHuLT0GqEQ!g>kb;hPwG?c)@8Tu@RVK
z)V1`*0(leX7|BOOUcpn7keJ|YLs*l};^b^iNev}%V`k+R&?Q;%=;X=nC3RdHzZE&!
z@6Fa)MX5K^G64E;>FC7__V72>G|fuva{n-!{OFE8WhLoO^IpSmEJ1)Y+0XjGj;;qZ
zqigJ5;l`UIXJ<4wj>P<xaK#}O-Rk6N7pi8LaFt<Wj32X$$Ty>gw>I&pwPy(F<Ks#0
znMkUjJ4zO1+{+WP>?dUO3P`X>RtRSt)I7T;cOfrS+R1*~tpBE<6`;4kzb%vCRegiT
zSlY^T!$Fg7>Tg`L6dqP<pD`usWT|B6v^m8|VQnT&CNn&-oH_Hx%Cyso{5w0<nW}nR
z83FTSd!|#OIa`alK3S;M8UIN<;^qM%o?z-@2ciWK#6U+Dfw|*>I#eS)29Xmtv@+}e
zOtQ_576KH27+N$yW)ivT)eKA5@qS&lX~k9VG=4yUlU=P-j+H=8?$Wo|6Dwacda(Dh
z%*#6I)9y3lwfzN*mHnnB)Pen=uMwIdGI5_VMHFvANlS(&MSlT$pn1?H)6yY-gHsl^
zg0#@unqj=A4bS(GckU1VqK2HBuM<|ucJLpzYI+t}YZeI|GDk{x28D_*4YMaMucn>s
zWHVhdbBE~)z?#(F5q~^1mP)m17|O!2UkSgNyr$3#A&pM`lK5Gjl2C}gy16>Gm3<o#
zQ=Pi{Dnv{B=qtOL>Xdby?deSVh$=q`7O>K9WJWog1S?zUg*9VoHqRK50<mnU)Xw)a
z<;#8}h&X7x9P%M%S^9MG%qdU26hExYT28%`g(<wNmJIt-thpX`!W^!q4R%oG6VppN
zRu-zq6Uo&bvk~pYxwJR5K2x<W-sD{f_EqrJzhE<ixaZ`aOQ+RIm(xv`Eg_MtYw>G?
z(Z|D@1gILdw7Yq%Ec=kK_hqZuaG#-zxS>e5%&R7|?Uij%%m?Hb5lf6zXF>$J?PpIJ
zhOfbL`tkE0R5z7Ac@0pHcsX7ro4w!4!_R4{$mU6iQ9)eaCx&$j*J_Ja{*hB;3pTX3
zPVjm&=2*K<LuOzl5-_CPh6pv#e@W4np`buC8RV6cd7d_)m>(dMOZ~PYof2q&l$`Dz
zxCiw;ulW}&y_uLoeqH1Wl)lNYIZhKfePov4!izknycv9aKNCMz!RMGWb^HsSrvI5Q
zEy&G3;#pAZFW?w&9FswG-mUs{Pv4lW>nda+RR<3_*xuYw4+9q}SvGyiYI6+sDFH#P
z6;h~ZmW33J4T;o$=1vq+4Wv!v<y|ts!%dGiRy^aR;<dltR4#uz8xQ@Xmrc#xz~MAl
z=Eolv>Cltok0_DNqZG4V6%@8adQ@-?C#+Hz#WtH=tJmtVtSo=YyERp`!R&O9w^&`N
zRtK?Q{u~;r856xoX^0Hud>$d?jkz3gKoQ$v;2+VD`jJT8_k|*tJbta#=CZwB%}z+x
z>2Pdf$g@(YnXTGOB!Vfe6gDbTKa<oT(L_U@kk(u<%Nqo3x;&n(9fq$JiO-&-#48r;
zEM>!r{}lPFsSR|h`~`@Ih3d;L_I|3h=vu!3G9HP)vs<BBq|Q1ba3RI4=g{Npt=Byo
zF4kf?8>b<w8avHWH)^y{{*uY_)YTdPgwZo!#~|PsAp%L%9@#EYQ6s1j2^lKv7ViYB
zgvel7m~=GbDoIljyt5{R6PM>xv7hq@9`pPuEE&JIU!<L|wbsj>75Pr%^2;DQO6+*d
zT^NO!1_$^)JQ@`@4VyhgY|n%zVCoZjns(?b1ZsUrO=Z&bsn&#MV*INQUtA=x=-lTd
zjJ^K%Pg8cd3v9_a`i@f5{@dYuKZY%Qz2;KgAW^cxpb_S8-pJ*MiA9T+cje@f+S1tT
zZ_o+w!#s9q&hOhf!M|<p9(}&C9U52XhEyA7JrI{bPuI=bK_Y4Xk0)o@Umk`wI+!#%
zG~4@T7{3ZxF0cM6E&mH>e<}*N`wM{b1SUTM(@!1>YD$6@ZJm59eU1litNPTqHm$!o
z+a?xfHP+39;$VDANtJdgabW-CHB9=VA|s?VU{p$V+-SdIMP$-Qg;&v%Izs#8w(T!~
zwcRzPw#0U<L)K|<BiZ3Z$*I~>tq)(lp#q@F#bV-{ZC4NQ*O>nIS1q%fYxzc3lKG;T
zr<RJ_PW;r^^}J$G(p<m+n<+R8<jFIU)I#C<)~k6P$H!IkXn$suI`e3#Ck>iX%T;BN
zdB0-k`LlOI5X7KXkk#G(s~2)g@!gv|EB6EY7ggASm#RzCX%l1tGU^>@%r(lhIpG&v
zsM6-%Rb4fMzp(4nLDSGQ%W^L?5v51erd^lW5T)J>y9;<iTu-X^#5d<J8C!n4;q@i3
zU05rT=O$U(kmGCI$INtdmyx4tp434QiFtS^&incX$iq9pW+f-xMvwC5mb$00|MHAo
z53E)Y#xnWeC<zkQCTef;g{UN2N(s5qQ{q;_GAT3wDgDHhkuUj%ci>~Ii%$7xhh0*#
zcD-0y(e)G{+Rol3hXn_T5(&XpW4i_}VV|VHmW`SG3#w8i1-!2xI}C+$nm;!J34Ky3
z<9#>~o`4t0GZ|@R<ExJF3N{iuyBqIr^z?G#0yWFW465b2N{!#SraG|5Y1J&$?#wYO
zvsNlkPJX8yFY0WQ6u6XPOx&Ko7#Cr>vO*KCnq#Ndm04A31NBh@CzpSm{L)|K1YYq?
zx@tK`doIDgiR7y~Mv_5QA>Kq?!#Om1gQGY^R#Tjsy6^WUSR3w9nOoYJc@NoyG^CJ@
zTt3lbzKuVF8xE?>ux;A9PHB7Nni^Q)4lgU5O)cs&{k?X8pG1c<Q_l2LMXW6^cdSp3
z+SG5aO&LmBHp8oim+`m>zHJ^09|;$JEzC9IZCTEwkx-OcJ>Q@CouCE5vo<%6kOpMz
zQ>hKP4lVCgj;`~c)$)z7_v&|^1|a*Ealf9N6*lwB8W-yoidkAscMnC-Y)@E%ZHIo?
z6$Sk8E~!cPA@|p@Hym8VG<-h=Z(TJQdSexDEsjiwgFYt_1qmX-<8?guI}%MNbYA(?
zKk+d8<vlY)&2<ct2$EN+*_t(lPV5S5S*ebw{{o)Gc011Ows_i62A__L0v%P!`7Q#E
zr3-jVAZw#X+s+nW6B}F@6sJr(Eea-YoLPm~8Cn6Hk%5i@GLy}Avv``;_Tgj^bn4kQ
zS6NwKl-GS#CgBKPZ<iix%SEw8+PIGK9k;qnOH67@YgxEGceBM?mX^Lj950*RgA@M7
z(HHYYLE@j|OZ0{N_K{7!{_(xzgyW$3Zq@U#6-GYX3Gz^kHv(2G6dXbd;D8KMZx$W2
z1R?s{7!!kx5GEAi;M}V2sGXh4!6jeeJY<udb9KQ<z%b3|pLrLVkv8FUZuj<J7E^OI
zOB33%-LRlRGx}zO@L97<F8`7tLGEdDl9OFp96>UboVSGznPS~4vEXS^0&$ww)0mj!
zy&;f4JEt%-am8-DuE%4)Pe7$D04#iYd|1Z;zZUl31ZJGE_Zpg#-e@K`@*1@M5bkHE
zu3UOUFxF<**spH(zJ4&x=uK>&^hs1Le<2H{9j0VHaYY#I(BTd#@l{VKxkgqpm7ArV
zeHG@A3R@3H8cl<gi_40K=}@MkA+HCfGmxTrRahB4Ysso&;#Z8Sx|Sh9w$k9_rBYBF
z5H>HECBxzR>4Sz^a4laO*L*3%F-gt<P8)&7m`Tb~5G$(|uANq1J2$plI?5iSAA3GC
z%b4g^n!)7>v@w~ddyMW&f7H5akfKf0z1gzT%VlVYBx^&uR*#{}(Koej=M#%An{5v9
z|AV@>Y-?+ayS<@Ei?+Da;_j}S;uhQ;f)k*)Q=qs*Ah<ih0wlP*7Yh!>ibH|oyWNNT
zx}G=B+jGA<UtzBQT64^~#`ujZ^W1dFnFtDLPR<>>3tR9<$fyzQ(sbQILO^;xm0$I#
z@BO!U2V?e>k2!hAo*ZnrK4QcQXFeO5G2S)Sq22M8j637|R*%p6-@ZSdzc^s4CJu>f
zkByJ1Y8{Y_DIKLIDyxV3|5o|^0GuRso4M(%E;88WUcXLV=vujVHEEbFvsr3b%1Nv2
z+u`sz-)fd~!%ly}P*_<*04-tGDg8O3G++XC1zgw-T>lB9dL7!?HoDB8=Cfnv=Rvz{
zf>_w7P8u@~#*+HfMz4GqYhd>461!$Hi<+jqu}Ss!dE69v*Q{S7jql$DGLT7~!kKf!
zKrgVw<*t>TcAYEZdCL?4Iv1v^5^B!Ut`ZBr9MvTgQ)~~c{j&0dJ~KoFT&m&qUUqE1
za&m1Hl(%*8ETr+r`b<SZr9pqAuVZluuhd-;l*zYN#|0&h*68dsHp-xiEv`<%^N_TD
zkpy9k{bT!?ZZA=v!xxPE!&O_phwu90{hMTc2NH_g1QAHB1`U8+quME?)U(q45N$b~
z!!i>gxz2+=?kxt=UTdcQA;Mjgx3W|z%eX}-HDX;nvLjv|#?ASzWio{l9S5ha5wYSb
z*mfcxu$ldd-DIYNUX6l&H7?rjZV=T#@71B9Q6lUh5TVT*4$@?Rr&8`aiO2o@u4mt;
zbah^$=M&OGQ*T5)Qb)-e%*B48SX8|HkusV*+^x;<8TmMkwJPZ;8rD1>_<X%zIJ}Oe
zn)$mhnx);EQKZ3MVwfrz;NCD&n7?M{T7umn;b2xxZflT-Dq6}Gc)C*>CrAT3HN|S#
z`_L>x$$Sf2zj9&v-C3cXyf|-k?0n;#U`YBsz3Pgpq<n3&+smv<!;3z5vn3e=rI=X%
zY#Er5n3F!%oAv$I^$BJPTq4tX4!yhDmeA-bnMFT^x@`t(!DLe#{FT7;IV|73*=Gs_
zmTo=fiH3EJf=MoGnVrhlyJ3rOK=+u_RsYmYzEMEtruzR7l4?RGCFa~8w;MOiFYm!j
z{i0BNJ7JJ|@j;e4CiP^1JJeaMM3bn}%PNGqO?*E`K(cI0h}(>1bZBeC*f#@7`X_lp
z?g)lV6SL=UCD{;)*2Oa``1ZNjF4LM}4LVUdO}h(p`XUNH@KBitWaGSFgjgbrsT??K
zxa3+~TIH2iG8vWI<C#ted<dp-3}h)d0iy#AKEKE9(jEC`F`E3WhpH>4YAF7A_?(60
zLGtHpoM|d#)I{HObe(loD5!8T(PMmThOJPrVEPKYV;hmjmCqryQ|48eizJ`OV9;bS
z8p)K_nrLa3&+Zj(SEfL!n^HQ~5Qr<fh=ED85|$@v7fXehe>@C96V>_B(a-yZl>?U8
zZ6%0+3Kf)@`ZaDKI8JJDw>gVS=4@*b1Lyv!Df9Q9L!s(y>(V5Xs`Be2PseZSa7zFU
zJ9h30Rnkki`=c;SSfi8!0Ag|`8QOL=e!qH@@Zp9*GTTlY$Buo?<k5D6!!o9E#!|g}
zW4w#4M*%@Ir?c_}>B?10tOMh!Uy?n;w{kLkOU(E=fwMwN8!d}*$Lf?h3&2=r5xeFI
z4Y3XJzC@f_A6R9pjl$e5T2{t6gZE<7wNvjqd8Y#h$pJGejE9&6Bqw)CQvbVcTBSFp
z!9Z8k*d~S1)&vy9w3l8e?1>=$nQoRC|LtG~gDG_)MRXzmCdZOvE@h!*X!s+EfGMWW
zzWy8G8$oA;y1>?UQc?<ez89rz`{@(FR^{2-NJGy7j9W_wsxalS#LcsF`E~aMJ;}%m
zAhQ#xMhtbFnp{%ORKR894Vd7avF6s(c<ev+B4hdNGOB7nc^<@`OYH+Mt6FPTJV2dU
zjtf>RG4I+`O*yhWc|N)NF)bcDpZabk)eKXM)seB{K&3KjDG`|wigBIyf5Lgsnf`D}
zOM*fQgeQ8p6Uvr^gTDKa2kzQgcjav<7BGW5iCQ=m5P>&kN{&ZeQk!eN*YRA|AeXaW
zv7ZR@hp@8Mn;x%W_ud=KFM-@CT5DIIm#ojCGNUiueJH(iHI6l=>q*znCX;B&3eO+B
z>|aJ%;Zd;HG|s0mRWDp-Ye9#9h`MK$<57d%&6)#k8TtIKBN2oWYXa^X7RvUjQ<+$G
zljZThadY63kXgQ&qJScq75TBCt#65uH$039yQ&g3{o`XGH31KMAzNVMLSrY{2{u=e
zvGnqw9%$X5qfVyw>{MvHYY&><lRT?x0FUVT5};GgS5THvtY`@G?5@Y*A0<~lFEtJW
zIRHjCOqERm@14%f*OY}@d@86axKNjcLe?d`MdIpSNbCd4P2imqve3h5cVPv~%cOk!
zrT!ZLra&H+7rGX}<8(FHfAvM&6&%t-rc@1jC_d%A8=M^S6X{G62e5dv*c&8(?hX}`
z=jVKbI$A>ZiA@GqS5|gE$S{dT6Y=K!ug20v|KA{6O&<2z9FC%d%sl^XWTmL7e^-M6
znh?9^t;yK<B1g;8EEm^7;p*SY=8g!il*Hs;uL)|x@x;;`yn(8;l!FKj3ot3$$d{Ur
zs=v{FaXdl}6$5xDOGzj7o8iAE5C(nkEpvNwRNB&fbpsPX5``5FyLIcPdaM;Trl!?V
zNb3HD27FfKZ=}Ymfu(P`U*mJGO7}sobEZ3|>`oGd8O<;to2%!#-Or}&Dvu|B!cH|?
zYwgmeT%%mW!s;)rr~QPDyyO+pzyV4AgYy5?NCI44xI%(bY%SVo=OfB%*PQBfk5y`y
z@^BJ7*)Md8&7)>@j~qgD%6M(p2mdY%w^$E0wKEO8DOa|YOjHvOZq=mbJNJ!0h?HC~
zfX=d%q3k{LBR$g8Y=xbVVw`7*6!~_?Xc_~h{hTpeTGhr%>M58w@r38h?o?Q0fy0pN
z8KyCp#fVj-x7+$%h~^8nI<6O*^q4tdJ-z3&og)Xr1-Fv2Ljv=g%oO{eQi~xNkS#Sh
zy70rpWqc1@n#W7}v5K?iHC18>bP;*6^xs@zuH}kO<6}|VPyW4tb4Iv{9qx@bIp-+S
zbl7C*yPW&Ixpf&?ty+ug>3CEUW{q!cDe-@|C4|6zNYZah^qiMj7-;)ZDFdAnZB%|$
zP0@t-Rv1&?5ukB#ZZ@-0?#^?b2|fDodB#zMMB#gBVg~al+AmCOSu%`22K)9gKKG?m
zD!ff?o!{5sV#DyQ<(K}+u&w4~>o`pz+uoRRt!lKb15d@r^VI$_N+?iaFWM&&H<KQB
zb8aNi{gKuH9DG^@?}B$yv9WXH{!}mPXlX~fwz8%xUCT;FPVaV=HWE6w=+P2kBq954
z5M`v23F<sGWoJAiEUA>4r&Li{RATQ)v`}c^Q&)#JTlG0B;9SAO2JZp<0Xd_f2!keU
zOQ%gmghJBc2N;rA8%>kg{nMR#UYDl1PwHiJBb6;)sEe7;1~m|?S&5^Ly@dmgOAJ4z
zFsh|QdodX&dd4<>!L3$4m3*Eid@QhQcM0jyZ>}|zYX_;$@JWhTb%Sp{juXyt$64jB
zSVl#5sf(9Q!h@B-B-=P=@81Dq8z}w0nPHu>m1i*RyKqQZGULM|=<j8FJfyQN>4r4k
zr;X>gNCw+FPc_g-N95nFOM7q7=+jxv{+YR@XT>9Ctb&b`*MY5O($Z&ec<r?5-%)<-
zV`<G0QUlCav_4N_%im?!cWkkVoJx3q*v!GLtea1=-!W9NkM8|-^GZ<Q8TPY)h>{a+
zNGcdjT8FYo>o{kcJXoDq^Q~&U=D@1rzjqi^u6eA{=L(V=k4}5Lu}@-OaG<x~_M7H}
z#K|SnkJ*HjGj$xe5#tte@0jbj<EYgyvp*zgKkII;Y2E<Gx$YL>;(ZR#o(~lA7n61B
z?1PEYJU5M;+KY*dHhaoOd=a<@BK3K#H3jD(4o!EL%)eVWmT6ZsM^Zfe{*ke>l@9~~
zE@`{QIs(aB#EaUWr)Y1_@UPE$yRI&d1X%V<*ah(cW(VSovx<DSk+5#NAfrJ))#n7$
z@lkofTzefsuwZqTwX|zp9Qb6PZ>Rv>Qy8dg_X&G}OCWJjv9I2=7$~l+Z=xM|`MBbX
zO@x=piI~g;C>KM9w-Oq8I)D0K+lVe=Q2w}tw?-QCv+H7_P&l_s66C4;FsTM7e)6~b
z4~1dpIS<~3X}1=ql7xf4U`lFydjDLIW9F;UMcTqFM8!`cTuE;7{!B<ec)3!9iXr=_
zI=E$hh}B>J{LX%3HBcVl=Z|Kt%O!YE319x4WN>2NyJCr0o`WL8dT-;8%w6^gq29A?
zC>UY1r1_C3Pin{Clri~mA2*#|Z=&F!o;0`0lOPUL0Cqy%!l@rZ0<9JY`_N$NesiRt
zc{>y_K21$MIZ!l|h~HsFuMWo4YiVWNsW-nHx$b#V&0-UpuG>Y(*J6IeRU95aLY5wJ
z!zU9aOx*X=If9#CD0HQz{tX`;b5Q}zato{lveB<8(Sv8hFr#ew_|n`t_yp$4e1Pl`
zb>4RL|HfD~a;2kk?aB}oM97l?0=^<=_=@IZlbe&6N9vaIQ@OPPF&_D%gx{Dg&HM>6
zU~17c2|~GjfW~(C`X)~!^6bZl`NhieQTn@LoET3H6?wHCBkO4LyL+FNCoiz{b-bh(
zSdw>2$~h#Ui<Nk$Ch_XSgl&jeosSUdNYg#-W`)bp+q(WY%ZUj69&wuF=gz%}w}5r7
zBrR=&6+mw7wE2FF7hr8Yu=230+Y4CNFbloANU(*j2n6mGY=J4m49ladn<jECZmlZU
zmJLj?>#P!b*WSF8FFfoh$bL0<K&lN<@C&P@sIx`1+MKxn_!(O#><BEn5ELY;?;v@4
z049?P(lL7}&|;Byhw&ekC+iYsg68sYP)agw1r4p@I92@ewxiaZj-V+(V@=HgM|%yZ
z;;BN}dyrsvdJ)kS=`ZpeXE2ZGY@Ms+nojF{XF$&ENTrbQ{*#R@UQQ9URl!1RcTR}K
z^_-3CpX^#Hyl)okZ3?D*J_Uq#>sgV`FElXz7A!4PDy9lCT}Kyx)x(z+bVH6cl8kB7
zL=o-7j4_#0H9U-&$_dx%8Wr0nrUpj7U!lrZ?w{rYnL_<A-bvoLl{-5?>n%(Xkz8ig
zm0PcOe1VM9FaM!PTbOLUcYi<TdR2W0G@YDiB@du9K?Cv?IiaPv_qMmz+x*A}@A*GP
zNJVnedJ`halLQrPFx7tzvaxj0@!AU55neHH`lSH(r8V8fa5$SiMo8o|TZ>mQFaS1=
zg?B*eT4|h3dfr(!AYW?J@5Y$)%|`5;7S5YUf=L+9kpH?1a8zv{GS&&2d}?&VQ<4yi
zXr%mv_ITAPsOKyIBETf3=DfcP?+&8&fB9V!b*IH7^Er|BN3}HM$FOwrL1=k-hLGwc
zgFuAr!b*A#`{!mbUpbTK{I?>$TZpLLEbd_pXX&J}4Vd+1tb2cm`(>==E$a<W^3$3U
zfj(bU!6&j9+M2?5{pE-4c3S<-xgS2)b6EKJC7DI_kKBP~GUk=WxyE_n#1b`lsvfMv
zP;`z@{dXF=`;4!?@saxfw{7G%JEMSl=Cr@FbO^_jmZlt2_!TZ`)flOmm5X7h_PO&-
zo$83}eSHunGnZoi-&fnw-@*7`IZ7Rg6#SnvZEdOQJ|by~^^EMde}Hx6earXYMsh!U
zSYyW(_Mh%CIFlY=_FuxoR%BdbJ*TO?1}L+GF0@xs(B}EWa=G`v@9I`ALkSF=A+1yA
zBwZLq<C$*ha7zA_W(&*I4I8l$)_}k%++TCFf45(m`ph0jNPZ;<p>?$XNv3$2!I?N5
zL7&)kr^b&k^6eY+U0ZFN+&fKGn;eJ~n`m|ORk&+qfTlL49^)d>VqaZVA<w+~o1vos
znEkdnEmO-!5jt3{tl&ygW*RHoc(JNRRIcOJZAWHWy6Q*jBL{ctDH*=+YD>zPCXyR9
zj?CketV?mF?2B$$I7Z^eFF?q{^oGsX_c$KG&GT;e_Q;R4)C`k7uMT%IAG$nKqfByP
zES!$>^P~LeSIfD$)|>g52=yDv78Z|P{E(Tb1Gm-r_KS93`e(f3^~$Cyka(7!_~C2|
zHHh192>$ENZ#VtH1|G~l+QTDm%KjlEci^ic5KmO6IfBz6%S0n?DOY{djJwbD&I3XN
zSYkU`H>I+6pb*<(=Yapa4CdY-o?cj4Ho|Ib$;W<)nv65RH@EL7_a8+iOG?pq*$B8N
zHHdG1I50WMcG(~Xc(RUM)XdX*DKBJH+VJadlNXK;2J-VZ0q>?#EUu2jf^B*`{PSyP
zV&}p&#SZHhM6ZYGK92b7L5PQ0L%4Pw2bwtusY(tt^qmiE@<p@Puqa9<b@L?uA(j|9
zgETlCus?|jUFzRqrA2!p2`X<$YvhL2J~A7@V=_!(cxaAokm`=x+O$qn?2v}3GQYW$
z);z%%9-D6}uw~`O3(mRb`_UTQd8(}f4#jW)(Vc>W$sK8K-I<@m`9GfoFN?ajKw?fC
zuGJES?S}F+{4Vu2ee6L6gPD4^y&D8b2?_EX6yVQa7}gqk5vhVWW^)Gd7LyGRHgESK
zP}0uP3ehY-IMQ}`vcSC0-SwrLK~3EsBN-kM$4%B2Nk`$58Af)VHr*}2M}_)6thj4B
zxGtfB8P;@mtKWblZBBqoAe8+vaNsL4#Od^mUFFY0^Ps>-+Y{B>5KiS$!jL`$x7aYm
zpQ$t_RHBV~jv_HMV+>&_I^y`3-%_4ZmO}(fLT@jCR<+W3h!eAIy2^ZUbQa5EGfMEp
zI++l0W)`C!Hly>SYg&kTqQi|T6kQ=-+hcq1Mg-)z>ANXG5Q6#JRo6%tL8Den<9TG9
zEKDY`yZ#v1^=l#sX3|Rnw8$#p%6z8^u<9%0i_T{={!Ge;*w`3n7S9_mGe{>1_zOeo
zSf0M9tRzab7_DqRM1^hx*VAj6k3z9L*IndSkPxmG7Gc%R)ILiFO1_YH&I`i-ck`3P
zwoKV(yj%|>wu`AX&TJln|0P1qj`SLm=|xx=;L^<k%DkF+>Pu+MqJm>&?3<`%$2b$N
z=3{908<(vEDcMFh#);j8jmLpm>e0b=tRtOBEfppwv71T3+Jg#JUrX8jgT!I_!=`9?
zqgOBaH|Ej7LM!|Vxn4z?xd1?l1$(y!-IxtDLCNU+rJ6>q0kds~l-~!zDO5pZ;sZdL
zqzR|-G(me=j2igy_pDhqcLy}vSRf>E_?>>3*}%h2v6%Uqi=GlX;u2%fdw<#M1UEB(
z+v3v6JyNCj9h5Nqz_=%gJzo1eJqqT_yxMZkf$4LUptHPfE(_N?Q{jFh{iJey&Mz(b
zdv|?B=4?j(QG(+9=aTKau(hAv7l5>{W}P4GvBjhHAO<f{nHAov+4ohK-o*5frkMv7
zfrgR1d{VoW0RZfT^m+7;h0M+u^#~ZPmwDFO_>Gb4QVZsw)iC|o%he{Wj31az=|7ZT
zHL(I<{ug|!+FKP?-4y(z$!~Krb-azsV6b$jCO!eVGTWP$+TzyA3H{M@<qz-h?XRoA
zGbFdxNqT+%1~2mCfs^nt-NB$-hlB8RQx@tj)n(x^ctGuW%_wM}?h7msYX0$*nkU@{
zXC}+l<#d5XfB#42xoerV0}SrUIT;%Rc`VpS8eC9Py%^&N9(UphQk-Ry|A6}q=S{R{
zVU0X%OdfVw<$Xv*qe~wvGViU+DLW*mX{XNpLgYCF`xQM^diGNP9|~C)23XB;GKYM3
zCdE?0&C^RrZW=9k(5SnF7|)ui(Lc*&>80Quw6VVSs8t(zX>9)=%92A+^*s<jyY>gd
zh-+>4fUaN?9UE4UN~Y64;NXb~c_Wj*$_QSXx~{9&h3}^icsVt!$f#~L7X_@hmBql*
z_B9C#BG=n`*U5sbt(?J8Hg#XJ*q)NBP~-E}8P?L4pthz5#=mYI<9l)X$QX!{rTAbe
z@d!EFEO?Fh6K43>=tRvp0}=mdVQH^2LJFKjX_Q{5C^%#~of!P;Ser=mfTWpy7F9I(
zt)>l1v?V}eprXEP8L=HNx#z0gsXC`h(bl<qusFl4y-tlnK=nt5LRy@29_+WAYA!32
zzO3TsuL`6HssWo<=p5H#;SU9rMulPg@|_d{Te(N0Q_}yT)PG{0X@cql+$-IF-$}fA
za&4oq>^k45FEjNm=(+h3Qn*H=ol{F_Y@gU-qL}Cp(nU>;NJEh`7QFhy8H(HXzU*el
ztEbO0dT!{SUB9cN=ErxT0#{kPWB;MdSX%$0joG~N`df1xQsmvY7}9;^>^zseB3?LN
zs|S{B;%WN8-&2?6o`k^ZYd&sGRm?ZdemSc{SUBIxZAvY7Io-1*(zc{`K*+6y{jci<
z3(_A05U0n%V+~?a{JX}Ft%)tHt-eDa_~5*r8O!HS&a+`V44p)24&TODusQtD@R+PK
zB}GO`g2x7xj2nV}*5({3B=ZBA{{>*9RU@~2dRd=cm+oKwyl;a9xmA>5IU_SfT0zwu
z2-=|r9oL2z$VPMHDnFO_%0il@Uy38_!#O=?g_sYmsE^vYseYg4st9dq#nxpH5>J1h
z4#(91niTzFzbtS$)48a-1)$t*q7iFypml`2CW~a}TL@gP#06neD7JCl;!Run<#*AD
zUL41q^W5>tS)iHqT9Al6$PNWbnjjfE<16uI!>IrzO-|S-nFhFjn4SOm*uR3;N{W?4
z;y)C%kKee4j{j}jymDXJZTU6#X#Vna-uvcb;>+Qq$A2idhO5DEOCBUP|3j$_{OGX7
z^LxjgeRN{%vvZ)yPg&!%iOxjUK?>1|e|4DgZ6-6-oiwsLxG2B*!h@rjk4Yh<h}8%C
z#6Pk&2PRz9fz+Kl3{-S@uEE_*wdx1!i{-nH|HdhjFEm35?OUTq;HJO-eDgSEH{U+n
zvRby_|A1I_ZeMjrxavy3&XADQ(tHCI>S7+I$Im#BugL)y6(4EuZJ8R;cTD9hxndt_
zbvDy87bo~VjvXWwYIcSfUj(fmT>R>%ALQg7+|Z$!*?hWn`0AN1uIBdd@wm{8vbN+q
zxBVbnf*$Jnf434WCU5JxR{ikd|7`DoFFG$9iy|8bk9OsD?(@Hfy(~Zaye^=`elO1a
zOXE$^xqI?m@7q6b+mGDMVa*4t9rb$gc?YIcHFZ2G`*v|>%6_6#amG52ewd9JYoD}u
zs>g*Jbn(>v3Vtp4mL?jFu`cr^bK(5VC$#Tv$T_Yw9+xL0P_ZQupjtE8|CRHg{BiJV
z)3Pu0dTb&TU;681R@2kB-m907-T$Fnqy+r>NOeow_xv&YVSDP2+Qv=Q&GwxG@|kwg
zt*Y0-IFRb%OD9<z0Z)q<3J&R1wIR*V5*&Hqu=SQq4ucOU%=$+}%4V=2nRh(ZyqBvh
zl*r8LQ<-_6Q_HS9{ZUa#rmysCZKb9UZ~t-U>Gcg_<_|(lC-E$1OwfNr{>B_6D2pfm
z52Yu`v~0cR90~FtoXzDt1p&%!H#0bfX3GylYFrphu|3z&C`@hpVR>Teu__E?tQw<M
z<@6MiCCWUhQIogBMXAH%b<YMN?P*h)?mU`XD#@GP<<FEC!iUJaA8PLn8)mR4u*gcc
zY!xWR11aC7{`nk^ks8K48suRyOP7bfinx5NJfoR+*LrbYtF7h|CkbstxQ3W(BR6CR
zL$ZMMpIe~7#k}u#&fVYbYvPyT8+e6a!#spWo)4N+v7SU)U7RmZsww4l7yHtPFF?ws
z{47Mst9a2@CO2-Fd%M7So$w!vlLE>ySaC#Sli_ma(i8`ksODKgl0?Q3N8SZp#p>Yo
ze)L`CTG+o#E_hKY_4c{*?)32H1<K}*DD5W5p#~>D`#m+kGB%R+tqbE=E-QaO`YP2K
z>SgKdtf6tOkDUW7BME)(B6D&<pa{3WIoidnk?^kGjqb;Bhu%KQ?Ro(TL4OkQk>U_-
z9Aoxd9C9g2J5|r-#W7CLs2BR*BXK96<93hYW^nhhg<SS;F9J*nu4_&mr<lbk<cwI7
z&+Az7UD)qF5HW9P8;aHECg_^lsTfjDP)JLg7*nKCw&V^o3GM%#Y`fgm+`xDfB4OT4
z$bP{eIfc$7n$}6Aihu1Ay6o<7gfucP7B4e5>S<K7)3zv_R+k6ZVxsq4G57-VbWROL
z;yr%@I6oWt+}Qmv4ziBWk$yNAhs$&Wa?H~5MZOa)*iyIiv8<CsqK~7Im!`e}#p^S}
z8qQ?&*ruduJDcro-}G%aSs$w(!saL(F4svt7J?v&NgOBHIean5-=9Y5_T$M<zp@_F
zfMyt6YE{=;<3iPIgjtd<Ie)5|ylGMGLAv?IZ3so$biKicj#KQ1^Y4<wW-`pPjp(08
zKc}>iZfoL2I=rWq%t|p)&eA7G6Q?cTnnITM@<F#=s2iD$J#qnLI#bO4`Udq}+23op
zy9hmTRZB-m?1ZofUU}w4{1ViZ3&~5|{Wm<mr@Ie$cI|-;`@tnK#pgoNlR6vDdbdlL
zAw|sHg*^^N`V9w%z$mdgXBnOqxF9elUoimr<(yuZ!WqO>)Fx<<w;se{Kh)T8?o!S+
z8IRfX+2=DVff0**EH4)d`Q+nf9K?ibCL9-<J;h-AX4vuWE-`k(j7TU{`XsS-7L1=b
zcG8H)Zcx=wU~xr8g;(4ee!8ubApXayRkW?eD7M1oNWMz~w<e0HMxIzYE8ps1(hzL9
zMVvqnwde~aafMRZaV@LatuPo1z)$k>qkWB_8Q*x>+pLHG$*LE)<DH4{%xX#Iv(3U~
z=!J}&VYi3p1}LvZ9b}(BCh!m!5bi31Ob{B<ff7@`SgCC`7VyN=u}nxr=ES-;!$Ph8
zO{U{i`sI={=L#FeyYXBt#?(K?p=NZ7Gnq8I2WSUWMnZu%E?dpDg%D)oc@jrkuy3Pr
zTyu+6=WMe0=)E&RvWd%&l{*{oC%4Inw)hE8$5<#${;1Ml@WG2XBw?eA23k(Vd|0<y
zqouE}Shn`8-K<1vJl`PGuqD&cvznDnpE34DU}Q3Tf@EFY7ShYsF}Ad@jnf^7JUzQ`
zLDOuh&{`MrP+6q8=+5UirZm20vLK0>L9op^{lVfEeMs37RtZtQ9;N6}_BfU9bZRw#
zs_D1sTtg48@%}?$yXoHd4YFO;;HH^H$9_JYap-A>t!>+|&qrhU;^q@Xl)R0=Xpf`T
z-cPIn@2ze&NX0sg2o$L^I;K~C^ghum3$(3s$R^&M;O4QbZ|30^y;k}tL`A)D>@P$a
zQ{Y(5#_|!}GNszC&0M<8A+|_Nk^F$;jG^f!!I!SsmGowrOxj0BM9o?gzUJ-rbbSxD
zFS0w=auOD=A^B60b8oS_Oqa_L)KcO2ovk#qy6()PbWy)xb-l}Qf;}+g!DMo+1_i$0
zjTO`jbCs(HEy~ns|9y%ctr6$IoU~_f0BTwidS^x0hKoQm(nXLg@3UN<O69Jn^b^d1
zI{9i{>u3DVhZ+q#ZHPbH1QnH%Z^ldp<g;)#20tXiC;M^km48}LWG98i^lO>_l-B)e
za+!U&0VUFtYjOcrhQ7B@HTyZsA@1H~<EuPjoFfGt55NMAu~iLAs^{{1(&~79d{;Us
zGSx5HBh9x}lRW|@XXE&7&)6Lp7L{%jYCtkM@h(r&aeVZ|1=!{RyICsI{n9UurJu>J
z_h~lo>C?zxVD95B7}rfh)};EBZ`uQzM7?Ny-dux~dwymoy}mpd=_<=zBI_cTXq~J@
zCm^$AVEX2XN|6H0?fEnC@~r=lSfB?}3~lFC4e2NxOS#PWLUEO2*+`fDQ@-W;E@wH8
z>eNXXn-NNPKY8n@98;J-F(<FR>m&ptp<;NU_=vDbzW4-t$UVW;T2t2ulckCMKa|$1
zHX)MoYMHsZ7J}&MHlyO2VuMcV+fP2_9NH*DcYFjsv5yWPL$|amFI1iGT$EAQPVT=%
z&ic~}#+L8~+f(F@a+tEQ0_9kBit$SQ*zw7K;881bsE1{LD#BgMh`Md`FJq=UsCm}}
z5zC-yJ2n2C%YMe>Q#dPOEJ0r5uy2psm=cqO^Icj;DM1^mUU)i<a?kSx{$+OjvfPz>
z;FD@3%R99L`{QQkK90Yb6ULgp^Lo3k6Wr7P2CR$klg3kOfrK@N$8;{bstky)2BokF
z*jt3Gt)L{t;RQ_k<6DHi0B~i?nw<`j&>C_w1P;x7w;pLO8;Oh|AEGXnwGXeZLtxwp
zCkil|9ZuhEt%N^&{@zo=m-5-M#Bd+`V`#uV?YY#5%YJ4wSmXtn3t1Jh>^UwSpDjsV
zjGA0{mcZc~vvQuV<NC!v$gd-ygr>ZB7b`j;wB1zeJmOhVt>*sNA&xKl4Gs!PXeu)k
zzy4Ef&3I+CUQhVR9OVy?ltah98~-|)`-Y0MG@)DY;Lxi3mL-MxvwN8dp1PTw%;T?e
zuMA|chPbVk98-w+wF5C&)!8Jolzc6Al`F8G^6f<Zqpcn1iDd5n3TkITHJ7?Rh0%en
z7#*7glhG^b<vok5Fm`3xE1}zy0|XMmbCAtlVgc^y12l$Kmz~wRSkp=JfyseU?-QAv
zJRcya{KvAl$?Bh`a7%OZn2GBj;NGjGIIfUnsJYAkDB6lwMH`?W@IQ*S^HtHF|9^^>
z$G_wMr)WbyI@EpYG|XS-Vvh_kZ{lGxjbgFhjL65*exUw7ffTc5rg>QTs;4WL@0G$W
zsv!vjP<sL?i=EdEnxjTZcuj5eBL|X$Pp3d_78m%j??hJ`PwEl(_Y)3Q{QWllLe|9F
zT1dRRL6rS5#_S_SX?438@LNUa<;#K05A`}N1Imgs6Xs-??Q0aN-oy?K=JW=h&bd2j
z*empcidxk$^R;YY2{n31k4?C-<I^wOfzFl*I|?Q+qUc>y`%(XV>97lVr}r@WNyZyp
z;h9`=@w)`lZ|G6f1968F?@Hc~&#Qh`0CQ@+NB0B>W-CP-`}|H+9!(SrPeZjKLzj=&
zS{M@@PLlMWLPeV+H69TpQYhqC;0&;%ehpds+igqT?fCmj5W!YIU~R0DZdS9Lqet1i
zz1Z`8!G~X>qNL(resaH*y~dS!QPw#bPiaZNYNPAB7^5f7`?{l#fp}^BQWK<xm)>`s
zW!v{=v#~3AM(x%H<5KMoI@gmmWv~{Q{cox4;6L-<R(?073Od3lN4X35P{r*~GG<!r
zqw#xeMv4dMlz43dJY`vBq6KwQwQZ+}(FUl&0A_++h`CQ@>a{ft<zwqdd(`kvLaBkb
zmw$Sn+1@|D9<Yg6nj~(NSchEOB*fD$&V4uC-ig0F9_{flQ1br7l*foQBOqjxQ={G|
z6ujQ&M1L=7>_Ge-K<Yn13_Hy5RDy`@X8Av?gpAa@R;KpW;<!Fo?CRV@sF=R)b5Dd~
zbXfY)<YxUG#@Wm|Gb{??fz&tO@jb~$MSd-N+jwHV-S+sPBmN(X`bV3pRP$H~nkSmr
zjW3~FUb&!1UixyZv};Tz%5OFzRK$u_eyic<exE45QhSU$oBY3sx4CgwpkIYpo)1XT
z)=r<h<I=ikBjuZ&lpMeCJ^ceaf^isg;zPlEBXBq7sn4T0Z;TIFt4pJb36H}0{s@KO
zBTlNjAq`x$W!89OdP5|-uYteg2Rr{2<p$6p$wul4S2fu645P*r5E0<I9KAlTpNIP+
z?Twt510VUG9^{`$!^v&fug@4an|gbOXOPBExYD1|nBo@gSkkGKWd<zTS$}fgt0#Z5
zJBy%|JY-$4`i9?mso4fipF0%xc@|!6x+}j=Gz6$<)Bd_OHo`}$6ddZ>Hw+IbG%HOZ
zFyf&}&Q8va=nfHx*~<h*GYj$se4Y|no^5#Z_kijV)zOX>hjC1m!QN8#?!xgAFwF|>
z>8ERuQkktzJcPvv{m0xsn~wPbQ3Lw?avLFMZMq#1sJM!x%OEa0nUB=llc42KdWu4m
ze*`kKN)TR|yjr#W&%SR1<GkOWS0?TzS4<-dtSwrMtrdwtBjU0cuN1-FJcsGN(<xen
z{fg!f{13&CJE2uSX(vw7r7TT#aBKg9T@#UA*XqLMJMzMH0BQg8h{y3pcn$B^m>hk&
zvY8vsI}jTHc?^yX+vJ*Q?7Is0Uta_@mRhvFq*<K&9gZHs?CRokj9+VVoGP5KG*y6s
z5{+e?Mb!0iP|rx#4hw^s%u<1W8a(E_Zla5eaIXAL-Nujt-<_S^88O^7!WQd%3@?&o
z(xPllgi4PXj|Bb6h6YT$7SwDxad5o|a56dq1D(Dy@}${?`8|70!hg+bLWQQ?iFP5`
zGopoJ*{iicN8k+9IL>yqwq;ECs|2<Y8W}B{10i`K%c5OuzGA-JAs*1Xf(#<$x$QMJ
zKH-xARnKk?HWo;3itNn3rwsa1U&R_gE`qr&qQu>>(#v$kLq=T6-PKM&VcW`R3~Dt}
zb9H9!Ra*YivXGe26kf~uMa`_7Xy;ZZ;O+i}cvmsc9YCsqSy$-D`lQX5xbv4G5N5Bs
zmDix;VNHwu?-nf@9dzQr{_wfT{wtCKV!(Vqw$(BjxH5TKVAB>5;J312kg;O%&@djN
z<Or#|+~+s1uph0^49zx?np{sCR}@Q%J>bGPhj@5t_%D3Ah<1tir|D|^E|cr4*J@jm
zaeIw(jjwopsE>w={%sv8CpQ;Iylz(wsu9BIt$$l7XxHkCb{<|fy@GA2^MmH_V-81f
zBjf#;2a8*uNL2cyJE4H*>kBj%B8-;Jsmmk>^xq3(axAPCfH~a|L4@CMX=z~w2Lj$@
zcG&z|H((Y?A_(%W+fF{mtpc_bub)zJyP1<YLaF)){a2LeGo!l3*7b^9`HUTrCKn0!
zrW0HqFTW@a&|RCUzBlt?<p6BWovpupxaIowM1a~ZfBH=0x~Lt%WoD|cI7pRT6U|;(
z^B>Cm<>Ylkn%UYUM;qOOsW$Tl5=RG-hkmmG#e<hZg((K;(W8IP+VBn62y=&OEfMX8
zT>b&9K92_C0RRVK^(WsceUfYcz^Vy(>k<@O%?|Q^ro4Id=g<gL0Y!ydC)?0@X7Oky
zINaok|DggI1ug_Ba#WUAr}zid)xF*h%-+<r7}{8st}z^Lycy9Sg$u$BBLoIa9sCs1
zxp{D%-jaPUA=93?ksDjUO&S32%?N>oD4L%bbnb}H$%Xi`l?^oaPnd<v<9y83s2TDk
z=x`PFa=r|H2Vn2|KmE$LwP*RA2oye&FYnH{HPBYWE~((Jh3cjNzH2PxhK_wMve;m|
ze<j%&7IOwROkU)hJP#SC_jh(V)-3R@@vtJ^vR^(0Q>Q4qGHLGX61t=>#ao{2E2xgt
zFYa6|E}=qo&!7L+!sfl>NtaC9Bzm-hg6m$~11HZ)waxBz^Ad$|FF;&Zi<8fOz+iO!
zgxs{<W*R@<8|=lxHaWW?J+a~qcf19|8fV|AXmBoJm8*sL>g<9kz{RDPVA%v}0I&`<
z8cUAo-$C!AB4_8fPWZ65uIcA$9-Zfk=5m^8?5^9O$1Rw57FgvIKgFJTA~4F%iE#C0
zKJM#Kt>cD{3XJ;&kwR^(@?n1s`T)7O6&xB0Ub$ayFk36Z!8z1-mA1#)Qv>Qc;74;i
z-%P$OV|Gj-SPkgde>2wl$8aHe<G*em71RwpxR_>gOqKiympS&9YFv|e&yv7acc~lw
zLu&Q_EM0mc=!I_q(Bj6=aaU=})RA*bKVQ$x#0Pj<c(c&}tLK*0@nqfCJ99|Vug!|j
zoXBBaCjRxtupkXWa^w{ew2}|5WwvNVjv~tS1KVBws5mrT0r@q5t5=`1gS^E@x3plu
z2A@BEE=w)~&GHRJ26WiC`*GnK`F}8s)~qHrv*o-_T%j$#%RwN;+^K5UoaMT(75Mf^
zwc*ZPZNq{_ny!eKg5H?5kx|oNvBx5_Xn7E8l*Z~<c0`MT7VZy9zW-3F3*t;_F8$AO
zPDEVXde^*N)s$M7Rz$0`-2Kdxr1aSj6*%1OJINt|Qk9F?(5262A04Qz2@<6m+~ct2
z6NHs#LSvN!u--pjc-T|31pp8HRURL804d28F8O~2mVh_c7n?U4@IoeiZf(rb1e0NF
zWTB@qU@VKYt~=rIyRj!frK0H60d7MTU*JN+u-<;>^6O)B-z3EwYjg5WXw(nO^dA>r
zudgkzE-^;5K5M$QZjfn3SDmBR)R8MiFl!^BU_qUBQ?%Kc51MA=dq9!prup-bMv?Rv
z9s>gey%3T{v)X5pm!i1!G~s9eWQj-XI)eLMhIv$t2_ZqI_>#VG^Z6>_s27<0pjRcD
z*q3OH^dsH9G%U~dd!wxO#f#Jj@x+-gvrQ#4gk>IJUvn&^PYD%$fLpg9V9Vx`c*lQ|
zbaqmh<SCN#UAT4r)NTewpXr&whCQrr6{*T&taGx#Xlmb6y_$yVSi8B}-GE*F+UW#%
z`biqb1>Yl7Lh)rzm3)fS!K1vf=VTRa%oJ@@l;nEXrHeuu91b>!iKYFFJDu4Q8+k1O
zs}YUGIVhih7TxnoEIfC2nY<Tem;lwpe^=i8NT6X;*RI%x>Hrq$=+Gl^dcRonTIcg^
zi_MN`41j-`Y=a}6)w_1W=$I!Au?xX5J4YAMt=&;r$TOzAw#nfa9<Z^}l@5cnyrFaR
z90<Erp<RWWhW==Blj>3{HxH~shmL+mF1zZT;bG6fs}_QMDpxxrh5oT(0$2@767VO(
z&2maJ2Ulr*9U}sNj1f_^hID;hCvZ`Moc|vA2?l1uDQgrITHmjfCfT)upzP}*z?Iza
zCLW!7la8S;<IT7mjF%&5SRT}z6H~OXaHHUu*N?0#ShfdCsqOr?%&CCTkoaJXplZ@6
zV9lGw7#RtQJM8>5FXEHXt{bw?YAV6HYWVX*6Fo+>7f)1@+28Mv3#8+k?2tjSDYH()
zNrE3yduAVU=si*r)&<L@B;8GX4VnY@c_gJP3y$p))EU+9A$%kGzgW^TR@Yc|@lrOj
z*YXZWeJ{O#l=9~f>399FCQ>+TnY_qn$JEjj)dGP$p7EK5t*A;r>s|=HMO0<luWS%i
z(JWm~5}2Ty<l+SWR?9A|3Fe%7N&$w;;$RKSgQVroLx92)B^Hro8~1^qd?<2v3#{dG
znH2Y#&pV0g&SZt<Z?^m$^EyX1*?O-txC$~r9JlX`2;K~dWetJOxV{C=*;@R*oG+|g
zU(>JCy{f4vj=znM=b+KqHjk3lvNH;C?dCPv?)_Ug{2Fqf9cHGZEpPvVl9+&rUF*i{
z49-uc*Zj1nrCsaj60^5B(R9cp#zSp85~vD}9TplFP!t{T5J%7Z1h3IfGw7H8Ov%B=
zha0v{-C1u0OxR>+VqOsoV%M*HKlbqWqcfvQr~IwOnJKcYc64w5lb(4pnjK<!WbR9V
zgx4(I1{95aD0E%UvTD`<tibOpGc72K$0#eexD(4^kfi3W;D&h~5`3)hZBKc~=S$V(
znS5vMvS~OU0o&zLlb=MTu_t}EwJX}M899+Vuo*_cyh2tqD5Ol~u=%n~w4MFqpDqd7
zz6XnSmZ5errA{%CE{Tok#npdH1OCj0K8c0p{T{iL;*>zT5avdC+|^$jMW!PP5=KXk
zb}W_8ma*6>rtbZAUgNpEaz*~uD<OV`Uo~F;h!kX*drgej8}es`F1Oxb<OMDuhzl^J
z8tOpHxP5rqT><CE0bxF8gN`Rl5pIpDRYYuct377?ty_Vso=j$)nI#8v?Z93%SIeHO
zB>jWXzGh_7hETAOchf1y?9Tjwb4cWwT{`4y$wi}f!zEL6ioMtjUItxh&HbB<z<iHG
zW2r<*^kyV|#kO2u(xd}eDGB1K0_s5r&4l9CX%DNL5j{fA%bMyoNd=TmL$-VQ)Y;VA
zl;y%`Acls_H!ZeO#jj8S!<(c4lQ`sb-*-@kQYOc#tB=nLA2He)p3`07lo7z_PMx9i
z7!!L!VZF+U-alxFz@V8PHOSV;B8TRp=0K+NLi&`6yBD!z;Y8^fR1hxPQu_+cHeEu*
z$dXYdU_^43nKfgV^sJUs0Lg%IqE9PlNY4-%*d330PNkV8t|r9|FC|!Q)<4CJam-Hy
zB%L3){}cEmDN^B~!MbZ^mSY=HSv5VX9vpAI#h=v7^gHtBAB{Cs&v7|U>&%@1Q`&6-
zh6--aFo&s#{WzpfQ33B6)VtM^k=5B}qY0YzS|oxvRh=>2k6yk0S*pb@?CNAO0yM8|
zlG=zjPxHo+x4OmJW@t_C`MTqg9$ksMan~i>mayI;^|psK@IhzML;S&@r4#kNN_as)
z7eBT(>lvxFtX&+=ipdv7pPM@?LONshl_hUuPdH;)Wj@!=m(S3u^`N(A+wh2UhWZ~p
z0ymDn%=cawIdz!5cm`5mecI&pk}X6~DK|eJnF#PtBzp~*;0u7!L+1|7`I9^Eq_*>#
zov(!c6(r?mi)3!>Zslt{&$AV*T~2SIQCtM70ZlVw7*HjdG-6>G{0mAGwD!dL_Fl79
z;0YHS#xoA;UH0Dx8kK8m3A?;>NxdRw?q=HI`&as@K<b2t&iyhK9ciIpUw$P{anp}=
zwo1Ju+M;&0cJrIhVRsoVE}3a5L^2WASc%c+SfRe(%8#qoW5jh_$vf*(4~5e16}Wfz
zr;=<MCaj~BjWq?l4V{^sT=zWGa2l#Ssd*w2v+1TPX%1JP9P$~LNm(VSVXvt?D)IE7
z8?0H?lkpGTvOg%@Lv4Sa6KQcNi{fQeQsykV>k9(HQo}8i$<*S*$gO$sw2Lx?&>t;>
z`gDDzVTIpxbpt+e1bSl@0Bid|&gh98^z-#(Vk}~1{k^oWVlv&7&dLaw9cxxGwfHCS
z#<LX0Jm3&eb<PFaFoi<JeE@K-dcIbeX^`mf?*Qnk)`g!uAQoX{m}h3x_7)~YvHJAx
zfW%(~cfsdI^4p=b<48SWq3&paMj6n%L4(wGjc-r)wJb&|nnBe?ZI6RnO1QL8TOGt^
zy>I;-S5>aMUlAEuK-lh`t26wfY$2vSL4oT)y-u-?Uazfawz&={;6v^hm-%$%{!yK)
z_W4Zuig!_|Y3}lF^W@F4PejF$c<1*b*4r>qEkBc!Zo2(0n0M0lfRZ_2Ra!8-QTFCz
zz&_Nci_2PlO3$%yNX8W}x{=c626j0+ZPOdJ$~Xh%C1NojljP#iA6%#AOTI=KFvdM8
zh&UUsmC%<EZfs`l@-v~(Y0y>=jw``7FkbU%J;y)&?c<%tU9sxk3>iMT`NxJXwjL!|
zr7Ap}n~YQ-n7IGP+7bZGXdA?CqUoyHeBvYHYq!@J&|TeZS?|M2)EnLB_K&l<aKUYx
zcX@}wX8E)Xm#-R$ZaYqtIevh~2gMMx#I*fpK2O4iJ-3z#5>@8UJ=grK{GND^>!L=L
z?@^_f1`D>4SezAgnkm>neSw0@PG*?hl$=QkCyO6!o{hb)*q<c&nF4Zz?Pyh!os6<~
zl-z&1={ap&R|`Gt0*X}lsj!*lAl{l7k|p7Gmzg|~(eAP)t?3(i=Gy49oU*9=LVO4P
z*PTZ>9IS?)*(}ryzMoaTDe;^d!-FcTG;}+xiL>Xfg<w9W)`Pc9O;+QYDH~3{XAYDz
z*QtGQy}ukKne1$^&ZN){wANaO<Z1NgUI{0y#Tos^F3Vg{^Q)Zt>KK(>N_5EqLS1js
zFT=-Go#MV}>#Hi_1WshB@#cvtrE`_st4+BTxP&?tAdeR~Agh#&>g-D<BhwnSFPL+d
zv@wK}Jv}p=d(e)W7X-$)D?i|>HU8TqJbXE<Q%aaq=3bVNdf8S|UfA-}l#Y8`PEt|A
z8<>!iiro)rm&%^1t^nmqAmY<-^GV#nTvB_*bp1BpDuaUf4Ie*?bMRrB9LTU*V?Jcd
zquCCX{E*82#r#vxUy<A=g6g8#hLf7=aAz~$q<4`4M)gi?d6IUT^OfxlH0f`#Iq~FU
zE%L&0zsCm;OBNeg`SSxFhV&bA_D+_!-oDl&T;wx5>-hEnd?9ehDVh=X6@5?P_+t96
z+U19yUyu-tI6lnsv`ai#u6z@z-t<UVLg>h$v`TeQ=@ceptthxPFniO~2aM>10b$ED
zhSCeQLqg$-!!3HZbsE@voq~~WoTMHS#N)%&t>U;c|8tyC15{Z8{PGmfhwB0{v?ouP
zx)$yFT4krTu^vbeC>O@H^D&rAc3A<YJBxD=zJsZXY(PH4#A0xDrCgo1$3FN!6xyat
z0R|PJFQtt!r?w4c|9l+(OqwIh#wMa|wUA+=Ld5AJOb936e(m2&1vqCzl+LE>Rzw!(
zGxOeTOP@m%krf<#sUbC{^|M$Tl;2-?yT(I4*SQNNsaU@qRp>zy%{Pc|h;-oz-(%Gy
zSG3CiedXOk1=n8$vyB=~i5O#(A^q~8RW+0RWzVgt(hCxx-<~Gr@qtcLoBxX{_@a`7
zi*m{w7CIHc)bLLznreR%LN1V05mkV#E}>qX*M`=v_apr$5j<3ATlKf&=sb68DR^r%
zSIpPOVXDp$ZIW(9EmuE1%Aarw8vHTGdW3z?rp&@(7v+eg0Z*~v%rsi*OsZQ_(PXC`
zjn8RNkBIH^w#%a<r<v|MfMtLq&~i<9+({qGWG|jnISLtV<G@#Z<F8skV1sQ}o{}y(
z%_cg1K|w3)4Uq)yoZL1<nKXLjWrAb&f2~k`Dr~eo-twp>(1-BVk@<`eKuP^U{O+o)
z08_j;dGe!o{{Q~guN0+;dArg}5hwUsX-nH*RqZgQZc$~nHny}eR_{#IKhV;!#Mie>
zc{TzV*{g;be&3WRa-7iAY;v6~gM+9b-CUUg=XYpLX|IK&N%JF3p8_iX+CjM-9Bzax
zQ^Y&xWS}Yv*Ycykqn0WI3kq`6@mJQWE=cZjsp!rw&u)!QzDet|gI(Z14N3!nthKpH
zR#@PqGs`t6#9~lr6>Q!&xx)j`*foK-&c3k@?xh(#klw_p4`pud>2Qt+*3^+VP6V3N
zFAM&S_JU$swzdC<0s=d0Qm|#!hiCAhS#G1Yx3AGicb%VYrGF`l6USIw<(lO(G$kPT
zsg6~9d~2_~r{ULXz}rJ6vchl(ijJPI;O8(?&zGk+CY&m7-2V>zNgW!VnIy0u$dXw7
zyWp%S$;Q>eU;nplZKYP-0;f2CkzXdCVZ7}e!@Hff#T_<hNP|pyg^DmU=sh}4T55fu
zw%cUPr1xvtw5D&1fzfaFyG-l?s2P!>?9TWXxm7WoFI8HXD#RKU3vkX_9OZ7zC}B)k
z<hv1@?-^biU7wG|HR406y(*aJ6KW^$b&WsT>Ri%Fwj<fkA>?{d8Mh(|zNH3`Z5HCD
z&Qm|S!AI7K2<lGjZSxd}SLj14JDa<^#9PDj3lo@z&-DtbM}j5H&&Arw8rvJ2V+#Iv
zpxf`8FZYy15ebqam5{GaVSE#ls5G8Z$m*uBMtA0BN&&}#v7HXsAa@x>-&v+6kcy}%
z>U5R53$-O<zVn?JZ<e<~NDbJY<OU2B9YEeE{;+kkZ}2$;31;S-Y)ccdWxxaNKi}(B
zkon9sY|BxYIE`lOYSOY!ke3!<@Gi8>1*$rb8fQVJ#WH|#jyA*dXxE~ihx-;_XqP7Y
z8m(Nl5WkA5mql6g=@lO0jlPLl9@dmQ)gJnKV(rQ4sCea7pt-nl28m36Qi6E@9VYK;
zSfgS8bRNLlp9EP3QB1g*jHz@g;}R_5^GOpgAwJ>BT~=sQud>`H8InK4;vQJ2*AG}n
z9=~7*F%svkLe#bFAe?y>@PZ8BdcPw7W|v)IUBWD$!*W1<#;L}d9%Y5{`T?C!D|#z%
z5l}&!Z;$<j*py;&dJ=wWCgYyEb%0~tc|Q3Was0Qixz*)GfTm68%nV<6em)2r(cAsK
zdZQ89V*0IdjYWjfxAtd%Cc+UnOE8ncM^|xNch*RG^xeEHLhAo8cUD1hMc<kyfe7yI
zZjHN!;O-4H4vo7t4#C~s3GULk6WpD~CAc&a2u_m!aPPd#>&$(bs#A6L%YHfMRDJub
zwZ7knTEJ5#8kCskHO2}*-Cwsi9Wf!L#i?7_oY&j4qI0-TY)vzvce>jpZakn4;&#bq
zn`mq@o`_qtjKQQyFABFJ2vACn&R9TBQ6#)GcUSaOVj=u~Cd~X$G@F(y%U(k#q+$_}
ztkmIsd!Sd-q-Ul{pf$aXzY(o(;GL&A2(Q|TMEzO9@Y(Gw(#KOAw1}VY=&!Ul)y1Y?
z@Y2mhI{4451<3ljy2G*pd>in)8wF)>PQ}SJ+yZ9&fJem<TS-wO=z=F{s5~5F|4r4&
z9KJ#F*!ajc(ON+6)AWe0SHmTrvS;Q{oZoD`RK4#{PtX$#x}FOI#!>|fBXnC#N4*UD
z^W^q7UpGIi<OjyL0mN*@O7NF7wdHz5S9B0tQ>=Zo*K44h8V<>~m%--M2l_esH3P&y
z>zccZCkP26ctc}P)nhY&zr}Qn<)v#AlWuktBU*j;`M%$dr>%ip<DqTid6$ep8#4`S
zYf!;T0zbPz@$k_0@x0KExRtx~<OeN|QT2#eLnWGokt2xNxqFHu5`ksRkr=cNvl+D~
za+zfGx88CFmcNC;wwV~oL0z+7<C3#!&bA{2MQv2~Egejyp;;k3=BkKWKI+T?Np>cz
zwQ5GUR8vFaG=HH5(1NbF=ZH&5sil`)zH$$0I{)q4u)!XljzFDwv9i&Y%DXckSjszn
z;dsl5nIa;JoDg{VA@@+@Uc{&udVhbQRis*E@AJM%O`)0F9Z^GSnzCC8ZV<j<MNHvy
zz@$Ses3{`&{Bx+~7ldOoF4XXHfa40#>R#pL2yv-KG;vue^N*;x?fu^Rryl=gkXWI0
zo3#{SIE{VqBCx=G3lTpR5g7ECv^__<Ij-nAX46<e?w-k<OYdZ_+=He@VV!K@)YCp-
zJK6-qaD5k+ZIzO}Tp~*PVG<9m?`sdlY!vfD%AUo+wlW=jJzDfWL@`mage9Y9Ccl<J
z#Kq)qz}u+tYkDK~%NhB0|EJWIzhXs+YnkmP9`03sJO6U~zgZ98g&vB$8hOoAT>t57
z!1}-60>BX3@1E%HP-@7RnmXq3827y9aQ!WC!jZMfdHz7j)pl>yVw^DP37M|z`=F*F
zwbUw333J^u2^P@WzJ6)l5mJW+TvzK{ntTA){5_DZ+uiOCnG0_%dgk2Y*#|`bbqi$M
z{||z}MhoJW+9g_yjTlHgv8I!f%#GK=PDDj`AwQdOykDPyUMttH9lPmP{Icz23*M{?
zDqeUc*8rXkGlIk46^6WW(0030O!W<|*^ZI9krd>)j*+~rT+9EzUf561;k3$p^LoRg
z<@`0U&M-^eWFtNFK_zoR%fgkowYCz_974#6u^a08(DW;I`r~^nZ0Jx{nM@v!^(sd-
zV=StDT703b3qh<l!E9-+tlgZf_e;NQE43fKG7QiDIilCd%-;#SB`*jZg9QIUD|8#g
z-bf4JoYF_NT<85So@O%Cj#|PoqSJgQyZ*F8hKiHh@`z$YU22F*s93@Zr;iqS2bcH?
zKRA!|_v!I_<gKMWLI2eWT#w8YO`&F|bGsH_U%!>+HI9m#5b~V$wN}4q9mS{h)3bVf
zsO_*H%Rr@ZNO`|6i7YxN(D_Hw4>Q8<q)vuFhjMM|i05am9(#$j?%zqx5|CC@I%dKe
znT)i&kh!)bP(2dY_02b$^hphZaC(}*XvQ>bR`goo-0xM*!%z6F?L7w5N{m)!G^|-=
zrs~^2o~%l;8p72_GcNj#i6zklnZ05{>1!x4%{McG^gG*{m3y%)8^DGk1nA&l>ByO^
zpC`Lp#yq-@TBv_AyqYBn9;?;uZ3!^)-XH5Y+MNd+spKMWjJu5*Nvs8R&7dN=g-M&9
zL`$n7`y}F{c4KcM{2JP(Y_0RdpNa2JV1xCou~r`c%t~!bXh`|IA87)FEGI1AX=mkr
zal+)<`|HI(zE*r?Tt4))x#{fw^cwMt67>MRjvJj-X$^MknC|<2f<?{20KbfSk9th^
zlL>&OAlZp)t=PoLN@MV6y)ud6A&#WN`9p;J;k+6@qmci95VGT@59ZUS)o}Me8cW9<
z(2UM}+LLWiE`Ne2CmdfZ@uMl3y)d_zmNuGv8eGVzcSAG(r|XYYoeQi&KFSiN3pX4~
zYoMmbT84Q=dJjmpXg1M)U4HYPtSFa$EBj;jNi)Mr`1mg6a@jLDblsB-pxH7b9h8{$
zoAv`;9I~Kg>HV&mb%~d3(;p7|-%R}ikAB;0HgkPi2Z07lubDpeMq&-nN4R)@%4`2k
zUw_Zo`fI<>Y5J)j2udDn_54*8mMb)UVyrn3-G$m~_H7d`>KI^|9=>Z+S#3N}(Et4+
zayds!<PC^{on%^7c(UZhDP=yLOu$2MxJ`Ez&rx!n@nN&})v{%Cr<$b1v}NAL8}eoj
z{PumhkUm|-R>j9Lnpub&BG{Y%d4(ziI`B<LAsg{SXct`c#lnoo2aQGB=fd`9OPhr=
zVD~==iQ&cf=J(a$Snr+nL!_^#xA<UL(@vh)J-Q}*PPa0iC{?}hKXvicn2*QupWl#{
zzx)G7*?<=oETisXBL{rnAe{XZ)_%Om*S=*R+mcPsez03wt<+cSXs<Ws*G2*?m(in8
zYv&u~n51PfywjwAWoF&TofZJt>NWWTh=1s_sT&BVI1<;05g(lYC0P!?0P<*SG#r!M
zL&9%5WEb7uB{1POAjF+aB6R(TYaA^8pL{{^g6D=5hBFSjQg^HEWth#~-D90~qlwx9
zk_cZj)b0_dHvOh~Vabryd@1Sy7^>d;K_&2xH;%-#dN-IlXpp6=nQ%nV@Q=(*eY%X~
zB}3!ADtDJo)>)D<q@*|BdoeXhFBi>6g^%^1Jyq(A-9N_Cyt!$@2CNl+Acnh;5|7cI
zSQIy4m3OwbPQ$9Sk;6ky9pF`;w&d)`Pz<|gDrK~f4bTE+>Yp()Eo2+z));wCKp)<}
zdS~!D=u<Z%q1_9rNSytk@&|<>&3NtA_ITv#(p!!8o6EDq`1@g2sHR1Z*{4F)2wT(j
z(yzMuUad_ALcr5wYP&~31G(O6NnzJf04%T_Av&_!i3YTI+N&p4V!Puh;|yLq4c#^}
zB-ONA{AyyaU^gQsRioNdZ9hTP;D8=RE}Q@h9b9j+qHheZC08V+p-n;E?`6WLj3A+P
z^Z`?}Lht`#Ol@<YRPn%aJYt=w^spWD8x>i*M#vSjy7^O9aXqWoXlIfg>*Ls(Y}v=T
zjc1L38Kx$}*N0d=Zci3!q{P}jDAN<{_(1CBQ8mBA1Hk4{i3JeNZIz}VP>kyhF?dkP
zsW|!MUM|KKICitv>Ys|RwGlPG&XWU1-Juef&Ln$~y$yfM(@orD5q`MiHJUH`xVuB?
zMa5yJbsqtFxtC_ySks8jVKMA}SJFg@l_TqdZEX!jcEz@+r6Ud{>1#w2F1BI3;9Y+S
zTz4pq`3%xkT%Cc4w|O;)lnPX}qs*E3Q1Kg;H2-eoLs@~o75uY9c5)Pg8{2-Y6D8>~
zi3zsrX$0TiHn*{Cyc#dUuURmieMign<~-Om+eXv6)RF3jP-4!|jMgo6MNo6xAeVxp
zwegAwt)4?!q_Lj}hGeblc^S5$wF(6}D+apOc9Kmi`2QLk_NwlNNcnIIn+zs#h+cte
zUM^J+w=?b_BZ_x+jijPsQ0g^D(Bo)<l7+8pR^|P-rzP;_qPb#V6a0YoAlW(LYF?aQ
zz>oe$M1wXy)kWiWv+LI{(ByTzq}7hMzU(u;Ya+vBxqZ|YN6md}-0{;hGG}WWAlR)L
zI4|oxJGn(LY2VcLdDc_s2c}6_--$vcwt|*StX6lyX8mz3EZ5*##zMcQ%5r^cc5&X5
zBdQR;Q~G_;7|xfY$T(S}bVqakvVVlD+r<Sbku{biCF#^gTu!ZaDjBic#*Hs?P`bw{
z_D`fXHU_bX%4DPfNe@m|DLnb6okhcDkjO2q$@!1rVp~y7?*{R4kbH<R%riFrz>d4&
zGE@^S%*5J+c_la4PsD#}--Ibv7-vQtJIPbUI>o>tz<c9A2$MD*ns&XK$=a|Np(}+T
zWzHP9(S=`n{hWcH&3R9;%#>`LA_gCPWWXh*_R*}uaDLovX1F4AIm42nAu&sPCzZ(d
z%=HGuLF{eKOK->+i+?qk$9?$ogqMD2JYAOW_oyOXAGbh-gXgq+YI3d!gNh>9an@<a
zWU(;e>6vGDw73~ek3!|BzN+C6`_Ko~cvzXQ?d7b816cU$0&3UbE9tQ^G94Mxp3QR3
zO>J0C>#<<%^a{!Fa936DkLuj-vc~>~$|~RFr+2WWty(%@=UvnVQS>7R%%-Z-q?E@J
zRCtNC8_m4sh_>&<jJN7)PBnMtmwmr5!4_wAi~1myK<Bc(RlTk{Pe5$w%-S}oWa(2W
z-44o$ug6j`hFw44+p12x8*}KWp9`Ud$8)8E<i#RX6*Oz!ClK!tjbxK+_$j!}SX__C
zf2%>ni7vfS*zb9zwxszC2X3$n#8*!Cx1q~(V+Z8>SLi!^xVZey5$#_LI91|(lKr~Q
zS3s09*^D1yVexQl8~-ta=3vk#_1i}ij_d?JQQt(ZP@eS9D2E1U2ZGcV#y<F?IiKp;
z>;=u$XwD2%ll2dPw~UE&QEk%xsgdd20qinCWBIAvUu)d^%6UdTb$+&K8KpPMx;M2U
z`2L}P6jqUlQOp78=Wji1d+}M-ZtVK9(!h+A*k_MDGeV*M(oc1hRQMQz$!j^Q!2a4z
z_FS63&RUSQOkjG<Isl%Ib9x_kulQ|hHkn0#lN53mra8Vic;6i%2bxQdj+DXU4Ep>o
zngV}ADZ`#IP}=^l9#NVKV~iU9$vP@CmYjb5f@_bXEbwom-Pfep3;2=nk_(5mbGE<I
z5w^7?sA7;CW1{v&S4DSTy(f0N>s7B@0|cvST`6wN)v0Aimr-nO%Fp&EPaLWQ;VEW7
zzp3d0?M?CILnoaTq}*guJf8~;?J^ximMsfnCL>%0vz`vo{MB%kBP`_(4pwg30AO#Z
zGaZ<>ZOS%dUsMOqKl-t;{0%}d-6y#UGl(Eo)R6MwiB_qywM2ShR$n3#(7!I`8$_+M
zDn$th|MrJb|2x<4=vLr)RoUwex{GV|``4Znb3)W#)$+(3oiWBomKWmE1&wr7E~AWn
z@Ou&Vc8g}y?bUh6obm!`BRLNwT~G7;CqG^>)`@fcrJHX82WGrCt~h?0)gW(k1Ys$t
z5l>*Z4B6DGTUSJEFxH<qm6e^_VRB<~5`z9KVSGgp|HlW3V<z*Qx{qA2=_K>tRH3-D
zQfSm>%$$4nzsH+Jo6&`o7loMB7ZRmoM{8u5Kg9vDn&L~8A*x?K(5Sb})dm~0=L#yK
zMRWRkejy=I4Yz42p<d6LNQssAClBDw2^%o?UZ`v17K?aPx+*4J<e$_xrV~iHG~eA<
zYUX2G`E;+;N0_TK+Sp{pGQ0X!r%~&Z8&moF4*5u{G^pj3?e-VtukI#?q#_Il8ZExN
zkSxBk(icf!<@|DVRc*(j33Ht!Th2C9?>nBw@A)EQ=-cI<h@Uq)#5Dt&-VRlxmW(}1
zugsd=B9peqKA#Q^!Rs~Pl}XPEfPiC{VY#tbU$1@L1YMR{((~P7-y}s*j&ey1w{V1a
zRod#`aFt(eW42X#FxLLieusPPy3Pfr!5_|@w?FfJ!IAeY#U$w(v2skuxvXz+ffAw4
zBa#)KAQxFc(fxTRh$f4cxiT9>!TR1ddE{#Ds1TX%ZW8Nak0Q^|s|m>7@zl|nwn>5;
z_ouUmi$W-r+*;oH8NoII?PtS5>bO$Q{v#yRVzjO+4$l5+u@iQ<eXaC-RpXwKF`3xS
ze^0>0dI70jj=d#O-k3w#j>$A@NSEch(5cJy)%%;ga$jjWt{z=8xJq-Z__-u)SYh<U
z(BA|Ct>_W&b_hS*syjHRGiz+nU{o-uUvA}}47J86wcBggtzBz_c1@%Kb_(rhsj2h7
zjWLCAq6F8w-I}$HRoAWi9#1t=I$8>r-qctC21Wuy!UtE6pZUXa@oX5YODh^CkfE%Y
zt)cp54)eq>@RGW)k-Q~$I~%2;fJ_rth{tPvR@N~P?LN(Z^b?!#HapSaVA7Rj#s_ON
z$4KT9w%@Y1!}+CJbzn7ZdY8tv&NKhJ5ejo37xo=pMtWN&8ji}4Cx{SN_DHVkLl==%
zN7@aXOmB=Kfd>r8sx~A2663F5JVl9$Tb<!4rkruB9y)I!Eb6+rG(Hktv*O{mMDo?u
z=~u!P2XW17Rro(8k@fFtelRA!me^0K@7!7WTOs1N<uhTI7D8b5?+y}1R^cH+k~Ey|
z!^MnYJ!3Itj3Y9wMp}(P?jenpaTXHyqX!Ps9^J`E>)?m3#z@EdPKaj1R@=L7b`6RK
zyq+4A%-SDCx8^wW;H*E~5qGzqm)5Jkklv>6b9>u}_OLzwL^F;r*vq{eyvzLTrR3iu
z!sB>!*PAKKEh*tB%<h~%5e%QBV}+b{sjf~fZzEXv2bJ4@>CBCkPNJt9xh}rgtAqxO
z0AC0Nv5|a;uQajP0n%2ZLNKXapISER-UmaEr{mkSv9Sya$<n@*3_2?bOwp1<Q7JV#
z&QxxyncrE;P7UilF<7$VEPT)Xa&<MzweE60F`x%h4Y3au%U%%lKEepwdweDdtF>H9
zp{FY0>Z9J;+@`4jA6qhAMP4Fp`_3+(hqP0_wt{v;Pb`NT;Rdq|$0y%K0Y`WTSIXg!
z=!=sXa4>4Jw#O&M7QBCA>9zvSUF(@#7iw)QwL{8N^r{VPTx@pHVLJZ5qwU%V3{nw|
zGiEnn!FAc<IT*jfZA<}1SVza-CMs)Jg9TJ~msi+=hHOjUvKG=Cm6S^F?ylfh4LF9h
zX3Af#_yU{a23+2EHH{XoYK1oH3MTMd^Cq~c%t@|X;^(GBQ7!}I>*S-e21dOMoO<^|
zJ{wxVv)+cl!|=$O-~Z73%FT2<#idN)S}}&amx^XL*C)Zo$JB8*8chDV8r!YW^(G%S
z%FoBukeL{h(mkp7_cmLbcZ6vUfIN<?dm*HhOz+i;n!`^{$btOjF|X=SiS%fP>7gGe
z)hc}}vtZU$-q3gkE3#jOmr24mT(qks19VLUzboJznaW}YbO)D@t!eO?tCirbXLNTx
zC0m~Fh0NZ}VJg0X6PBWrZAjaa5y3o~z^*wc0BQ(hP9q*Te{D9pu*D%L|J0E*!J#2E
zTVWPtJ^2}0Jd?nQ7oj8Q$NI1e(sfi3wifCbM&^l&c2xpHfs?t=e_J;po_rBiYtv}E
z&fY|An$5<86t`r1QK9Sy*Rwgl5rh8C{8cJIQ`655=~c{mIpsmYyU&3=%r;c6qXo*M
zF#zOC%1N%vl^d^-C5)(R1Ez^F;Xgwyo<G%f!`z&YMJYr=6NyKz4{LI`ZY!;-oAnH^
zcj<LL*rf5f%c4crXFb`XxqfsoG$gwiCT}UT;<RYCQS<;f&XKY$qO6d9A)*Vyg>>@$
z2O+XZOKQ7{&b2`Y*go4!lIvJwSN9d8MmfK-dUq8XpoM1Nn`XI>7yjo7s<Y-5uk43`
z{_jqj!2~rS@{Rc!sal6>+;7A}XuK3srigpq^*r)kK9lu5r{CokI=}c}bPY}bQTcT1
z_Udpfhb|g{SAw^%vEL>A6klpT4d1_7G)0Eg5yqI`7vX79v~{{R9XtFbEdSQ{sK#X;
zAh-Fp9fZy8(|z=}QO!kwr9I+L7Av0rljHIohPZChW`>RX;bm}4BrOh(lXp!}a=jL-
z&_G<pF%tBa&gMA<n97uUP~TVwZHySgqIqiVQ>tfIvFj1dmaR7BAg&K!dTOpWW<&bO
zmtM!EnBlcb<GqOFYnf5by<u27(OjErhTe#e6{1M0@EV<QT&u8Hj0r~mrAvW>a?m)w
z(Cv?4aYSirA%YPS?$A%k1x5Gka*Q9+*M5LK;niY-BWm!)Gxh7=;!OMQl9Ar10-Jd5
z@UoV(H2L-TevbPH<}l?<<WFg`&vH)m&GTN#`b#5cpTFyj_*6O>X|yf~YE>Oy-21MM
zzZQ5fXOs=%EwHXvRcZq`n42i5V@dfiQ4x9cOlQ9}*y=qXZW|r))t^HOs^~l0qe<WQ
zE3DB`GLaNXsoZI52hHhH9YJ-GY1*~w^_&&<^Fi4lWLHE)vjQ|al4%DAr~_HlNw{Gl
z<NhsHn<ybWNL=oXYe~FLr6OIGl-m4B=WJr=#=St}Y&Ogmtu_y0e_(=|&K$2Vln+-{
zoCJ?Q%N_-k%nEkO0yL5-Ksz$MWLxHzJH{D94FTkRWA^_2uv?Nn@%|^u#8)xO=w=b9
zfB&T4&R;dx-xPCe{+<+>ZI2WWY6kPMubaN>R@<v>V*apLq+g;@$kHAaMQ&E{lR80t
z4c(s*P3eRb)Njm>xg@l462+x_dBA5AnE_^XH64!_^|9lMgKr?n3`IO~UU7}aOME-R
zj?&z=hl=eQF`;?<LrB+w^cpZEe&gQ^mJ-YIobY%J+TnQJp(mbaz$sfzpdCuas+L#d
z3X5;VfM%})WcmEAwFYC*6-<0dH*xm%@R#!Go%%^Pcx$WbmGtdfO?;$Vsx!o6et*O;
zQ59RF5p^|WCuOcZt!)TC%sw7vvRY`*iPy}u7145yv8%xB_MROR7}ptX5bhB(`Jw_U
zP&Xvv`95B(ua+1|yx_Vx#kbu|pdz}&YB`#}w)sA4F~6-X0Q9`TUAAW1W=GK|9%dN`
zlL<tx;(0{qTsJ^cLR#-ruXcZL^r#IOj1Q6;=9iODd|KKi+1zwwbWmCu(|7C^ATc+K
zl9JEq)YDK~B1KV2M<K!`_h^Ksm!%Il{Iaz)vt+^gG>ws29Kop=otHW02W?|&L)RZN
z-MFmJ`8WMOS980oSp)4E?J|kov&HhV#TST2Xgh~cOZ-XHX!g!H>WWakA(eUr{`d9<
zENjf`^ly0+fRDU#z8$h-4sTp3qi(D@OSCNL3)IoSOc2E5gP%p+YRQ(5U=V>*A}5bu
z$|t)HkAEIADIKURcI?RVMTqK>v+C{XgOWi9<r8{RxSd68&0OVlLo}G9nL~u6;wmh1
zbmhu52X3^!%ZHjgb%$#$yq!-ebDmLkx+M$|dwWjWhH~yOpaDj8(?3KnK6}U-+(+{q
z4gdTUXKSM<W$I|MZXoxVO6MXY8u7djuZ}9~<2%SZ>eV%2s$`j{#_%n^oG{_+zR?|#
zw*WUZA2StAiL3RT;CtilDy?cdfhYXpPv)Hl<?pqOHgd_1nq#8_cuZZSkXQ!7h(xR4
z??^w%dpC70W;z;P%!t4x&{}fs$kpayB(HvT#2>=VUG4N2OBw8u>jecBCYz-1L!PL@
z8udbyx$)^&8$5;DW-j~BH1tATjaOOknZDOye#rj2+o-3rInxxOQ8W;}m@EE{KE-7%
zL(cwR9GHUIFD;Jl&Rte{FF&4@9_sR^FhhU7@*cye2l3?BOYIB2^7J~VrTCmfoK6|E
zB*FRU>0zvMWU|&+XLjr+4fN3|7#5w@@jl2xc)Kj}K&t`jg^6q#HO5?Tsp3`VVVOA+
zPzHJfQ8wIvcsPSPjb1{om^+q|i0#&ow-I7wr%BhC$L_V8ao#tHtJe>>$s5Jl{e0!&
z1i$c(z9nI{T8)B?0uDr8JU7Z)zo)z3d{fco3qu=DBRD0&THp3Fcfi-tp_cavjC=o3
ziqCkbLxdRVc7o@whV`wx=B=`O@g@1KbS5^H=S-ACmZ|R07Hgm2IQHT2Q}S<gg9bHY
z;w7Ii=sJG_s?RQ+Yw*`9UfizKs+#XZ1F%n4JMKjWMSrhX(;nWez;L|xU`g2s6CiV`
zQ2Z2bnAM_GGC?#X?74^~F6U^(KHQxtry}!~69an)b&huYh%B5<j?DOpp`ak7Sxp_z
zuYKH-+%(Ux^e?u_W@gH##sH63IvT~=W5!N}vn*NXZ!k-i5YV>o;_iW;i(j)fZsCq4
zZ1@0ePqmOM`jy6pTsl*|v!yil3z=DyVn&A)@I_9hV$qW_HpL5z*%|T~JrqJ;IfIHk
zihOd)s|W=!60uQ=mM{nk8Mym6pj>5j8H}uWZhtXFA0cSWub(f}71i%2g^lpZZx*=N
z$7cs19#l!TB`-kN;#7GTf3Oq(R3|UYBThK7?K*c1JxrxD2oAr68B};%Ro2*#kQ^($
zx6Cj)@_GLwV-Q`lKB0&rV8x_R6zNe*-9>>U#L8#V5KE-skIysNu1;NMLZQ6X6gi9l
zo%O`HfPq8Ol~#TPTQmcm`zpfW)#Z5|%a)$NA5BoYoK4SE5tDs(xRmQGcfL9R$e8r+
zX`LcNS_9j<1820I@m?xVgub9%MSgI`xv`{L2PPLb10az7K`Y-zY!&ByWC|;KA4KMc
z&C6*<jU<=gu0*EyxZ`t>=>5g>`IDCvM;ez#8;)gvNLwHqgStaCJRx&Q-+}asrD4AF
zM-=V&oLf?`t2r${*K9S#>x`K#`gPMmS1WqPFZQ#|mz<$*X013{cD|Eq<VB0VzLDvV
zy3y>|jpdY&B>f;+(~fsWAagZ%)xerko*XVu&Zq>#$uTCmv+6V87F0gW%!>&mDqt0g
z+pL_BtN2Y6u3sN>cbtL`#&7$5NWZzrs3{|yAE~qS4VW4xMBUhosSzt<#=KBosyXPc
z#M^M5KUowY&zBQxU$@O_B`^JTjl~&%Z4sX-^_a^QZCyzAooGlZS!i;Yv~?QpSf1v6
zT$W{`rm9a{<bQYgqQoT}^rO^C&FY;wsD2wQxWq`9T1<_jz7L@wem8@I$eDgar1~ps
z&ZQP@&!kYc5li*B5INmyuAjQpDWpD=w5`34saW^Q_uAFT?2m=%k-J%=2c()2#lz1Y
zo%65r8r**Uhl0W?=naA}Omp(gL(F4(VnT+`&7P6Ahl@pUCw65^X0Tu>G?hNhn3nL@
zhN3coS{SGt0*advY^k#E)6wC&y9M)}&Xl9oXwFKf(nM8@3nTO3S}DBK>ghO^zu|G(
zdDK^G9WpzBNe<%Pw-$TU+l?CsHq6*jDUY|~c1ve0{<sXj%{L%a4isV{sFs2F-t4*1
zr?}l2-Ir*m*_V{M`d%$-U#Q>?yp`%!?B2Vhnh>@oUL+N&cN7h6j{WoB)vbtpUWZH@
zOHmZ?XJp9X{E7h$Z>FS|;!;a?q9pzjzBpITy{nMR)^!vYKRaCEi0?4i{vJ`1IGX8T
z1t3gi!k0zDo_=@L{c3;c+6?LS>Xy?%50#hMrs4yz=L@zLfwm<+txu59){&F=QzDR7
z(PZ$^wLK(3XN9;hg_?%gyUv!cfT-tRYnKg-oX!lmC224Qw7ly_ld7Z(xniTNCMG$N
z5Am`N$>L~eMZXt_?q}9o3;}$rL=Ed#=1+}GjohhcCwEorcWQMUI3pPd4IBqJIRIXS
z<ztDO+-`rfQ?tx0j_5k>(<IHd!0||27D*hQb@uzJ+Z~!0?|=?e&%nmjxW6$+mzi}K
zLr3k9Ra}bRLhnz4pmIBZ`T(s+QFR5nK~7^s7m_c<JG{Qrg%oj@sbm*wlmc{sLWbvG
zHwhpV5<r4VH+K7RvQdtjr04I<@zluhLzK$VX)UKd5g6Cz*pUx1&VIgCvG<nEcjC<Q
z300mGH5Kn;tU{+XKKD6VmiEhja2v378&hYU@It(rSHbDtz;hmKB}q>v!)I4*7uy`m
z><B4SB~1TQhKh=nwLW7}ub1Vfc7QRuwqnrt@O^i34Ji;~YE_2z+8(paygy8AvTJ<l
z2ZSMHj?Gu1F{`8*-;#i<GYou7+(xc|X7niKy$RrUlc8A{8%vO*vdJHui7I!&Pn*(5
z6d=AzT*2W>PcIM{^WEx`WwSZRUbnYj{NR~SKu@ilR#ru_XwN#UN;5vIqL~EAFSDJq
zaGfks#Q8DfS?}o=PVmITpkrvUp5B_Cc22rSo?Pp~8iW!&tv<r1j|Q&ErW!f^`jIg&
zf=F^u(`@kF(ZF%T!W?(h0Y07hQk~|`W&=}D9I$rh!nZmgA@E}?UMV7ycC(TBK$wwS
z&QWJpAW!1jPLIzjaW220;;Hd-){}x!bqZ!`vZzH(%&ez;jk*}>gb@RA+#?yJa$SdD
z+|s2nL&b<NbRm=2=BoMgMS~)8GV^b=*(rWxNo`vvp_5X3!gKgZTDppeMZHa(4{%9;
z@R^q0re@y0*S*<|;Xw<Bu5P*|=V=dgR%y4i^TU|sxRg1Kf2#Dut1IQ>%F=6^<3Obs
z{qKosP3;<#&*=0A^6NO*pL1aP(y<`5{DM!ABhPMZ0~Q@D5IzUMd?nM68)~fGq}#Cu
zHLL2eCpMwsJt6ZpKU5dZ@gd{ham&Wi0*Y2oV?8=pG}Q@57?bRBTQjwZiydor3h|BR
zehvS5O$It%s;{Loi4fDu;*n%$#XniR5@;a%Z42WJ03Yb462zqumz{|iv_9L<=<5Bj
zz=9K*uuFYa26Lt>(g=q=`n{uG=jTofKtp%csE`GXc7<0hYC%6vfwcVNR}<hZGujVw
zJG}W#Fq^l`;cT^1b^%U1{;6=)&!6It%%>lE@UKPw)afuWNxv@@eNQx8?Z@0jzyBfs
zM6@umee6J9G>v&`sv#jm8!+LE{Flf-$iF?aazm331$zjEa+0{V^4CWhw@a`5&g_E`
zHw=37UPUMW*a6F!hWSJTRrfj@$@a!S`)h#ojg%Bh{X+WM5{$1jY_Q<(%xSUA#~3|C
z<K~mDp&?RwcuX{AfVD$~umoN)Yu<&u%q)ZdLHD9i_S`OCv*PgM1FVGv79d+N1UiqX
zKRv^({}}g{k!nHn2eIf~Lzp<T48xp)k)D~A$>#%eL%nJ%Q!T|~DdpOyWh^0@t0n3k
zcOQTaJdu(zIf>oRjteJs4z#CNFEL)JmR8(^X*%b$L>Tii7tFS!!>{rNvrkxytTwJI
z-Q@SkI^YMu*7zhtJk^ZuGmR`01H2LgAiGBQ|NDCQulqmMm+OYx`(2a6>-uj!(-f>n
z7xo6?dG9pw)mL7}%+>Gz5knZ%t17CJHA;X%g`!R8K;H6;ttG7?0;9n?eQfNp6*1Nq
zuBAT%$<!oFIvm1Mge=Na1JgWQWtkYmX!{WCCRAlH0tiN|B1@!WQVq~{MsiU|$U6gN
zB(?t&%bFLDIbKiByk~4viD(QD4HpZU>l@kb{{x0~15c0i`rAyb`Zw!aztJg&bW0=4
z$O-Xd{E2hP*HLA^O}A`vpfbB6mh3g91Tl53LR|LjtkY|VU^Beu--Ktv76tDzWaiOY
zF?T4RO)d=2eJy5DgrvfSCUAq@=7;aYfRW(}-WPkvakFt^F%|zzeh!S0N*1mH4VTlW
zFR_qJFSU!srX~1S|MZ0A)Tx(!{GCIIzpt5op`L7dl-;7iUkSHzl(Akz70L7h`_-fO
zW62K3EDiZyH+AFN91T9whFUeAG298du-n|?$<;9}eNTKZPs+SM?u}VkYgK@DoY-+Q
zDc_VzS<&}5F9$r~e^ab+sr;;f?M7mH@MyJ4>);{jhKvKk)v%p;!<?~(aD+4Z9zIDc
z)<WOx0$w(C!WT6M6>+1pKfs~8ib46>)%)uziWh5JMv{fY@Nk7`eKvw%KP8J9T2fAu
z8G3{;w?3n!`gs)_T_fDhAyXi)S(6dz0N9~6%Zvu_k%r7|@X!;T%Za^ig%gedCik?=
zU=@MFP!sT}xtaC}yF3E1@8dljCU_^p1Pd~xl0RVQc|QWyk5Cq`*sL|RSlZ#Ffi1Qm
z1!D!KmGZ8$9;eU9%7{efl92nWOA4hTD*uu(0q<gQ2a6bGT}YzaJt4fCHE0vkJ&bn$
zx}EnfjIO{pz<ji?%$#4wSy$lmVd4hJ_D9eHEdr7Uh1UAwJ>5?;LRrX8fE<Ivy~ZIc
z^4sYBy`+NYL<X4GhB3~0s{zfIU{w2qep1eiF2!StN@d>7jO>r_8sstRVm6yn)~G5A
z&vD!6ri~wSw5hDsurrfFJkMh0Q2XkWC^_xg%X=0|(&=JP_3*81c$x2TOr{m=IAjo+
z-`!r_Dz~YoRFY?a!JebG*yg)6hSUj}`#nRUgE#zJ9obhA4#jQT!DM5$wBK8mE5h?5
zZ>gYy=VAGPxHw&8oDGeMa9`WoQN!JeIs8t~kw7D<Yzp`;b=$|-&GZ`YI-)zrov;(*
z<%i^rTJ(6UvgI9Z0D-UUK%-rDH0(bJDs3K@HL#RMswNQ~2coUn)TXG1`vben3Xf~_
z_GSG7;k}^7UzX_wrI$w^N;<Tc+AhymF1ic1A5~dg+XyPq9FXMu=4^PYw`?pTlvT}0
zr~>c@(=X6PBldVizp=!f87xX(?^!Fa)BwVLdmZU6sX|fu*uo2vZGo=3Z|$WOk0G7P
z;i=M}T&x^Msf<&|k$h5MhGKb;h)<hxQ`)2wutm$ox>?j)ob|(`N@&?kkg!|eC4bMQ
zhnqQ}Ngrq5yqBq8^7GyYp@~ECjli|^7##*xlcxLf4Cm_hMSutSH=T9<>KMkv4avBf
z?R<9wHu8sxjA*mkqL$`5>L$USB`O1*9K!iMY@tdEi{aH-FrW7`w}lYV5$a91k}+gv
z-N5gIwg)S8)sIUH=aZQU?J^YPAJ%G22o_b;OBX`otl>0Xl<H-sNrVmKOhm_VN0Uz-
zs4&bm+*iR~-R7d4`4_iW1cx7M=3Y__9?^G}jCi&HfCb-YBz8i|%iG-Iut$pJ(~sQ5
zW3g<h1cIx2+f^IBFA0i`*o8@Ru|*2M^dCwYGX;FIYn!F+pdQf0w8^sX%So!WSvdOu
zR4;Es{}LzdWAH-C(8pk+u1ykGAxh>WRe?lXKKxuzA6R+mML%1$tG~UH&$ua5-@sPj
z<wc+lu0+{nE%9D>s-Uonv?*5JOExQ%7NwzOie{LV;$r&#UtYO=JCK-}WVWiR@k6!_
z%P6F}iOnl!{boE9NmwaKas~R)!DT$cEl)sdB0)$|$LK!M2ZDA}o@%}NvV8ux(|TAS
z*VYM6X6^?&`KwU(8gXq~pM6C@VAJa#LWr99@T{^R>6d8dfk=#YFv7H*{=>0rd;g>F
z->X@KK^!$PaVXeC6G}?cUXvT<CU*&F`6*$O9Q0lollkJzH^qfBwnX?^yd+iJNXQDt
z=<Biabjy3i&nDC~>ETsYA>5*oowhh1(ss~HK-Y3TT1a&3qt=8!XZxoJ>)kk%jb5R9
z#wn&0Pf7m`Bb=%=nWVUEOw|TsU)DOfX)Q?1UXxf`(P>=yc%EHr4b>u<-wtc2V&N9y
zYKdz6?7n|-OLSa8#5tW83h&#g0UeO>**ojY1V+ZBNsoN+g9D=*8f#P~f|ZDi4FXTc
z7PGC0J(gs(F~n>4P(ZGkXr^=Q-J_dX<P({(n~CW4twWY_jw;jy-3<;q_fCFP8z%-*
zx(NfS!)8@}U-Su>XM2Cz9OJeDpfZJ;pmD&2Uj#G%z=DXDNBOPe8W7pzEcc7CT@1N+
zrkT53cK148?rMe{8r$O1<XVdhVsq3!35{_D%M6`-SdQ-GcNCkngHv(d4IwoXnn9gu
zLtnuu!%hmKKt%c~Q>0vRD22j_%>XJmkMHR;ifli<k~O9(oJX%fK9uM{5N~2Sw8d^l
z;pvViu~O-<D=v+VFK1(bv8L72SO{C%n;?BkVXn3)zm)$gpO*)SDH)$r&-0uybopQP
zKitXgj#t~@CkS1zSES|r7Ny#k8Dr}NF7=&*vdKja_=n$olQSy~1<~PXG$NmnjSe5H
z%Z+p+au0kHWP2N5cpk*evIAbo!Mj{bCY1b6<0~Rh%re`j{IV0p_LHm9PHj7YpUFR7
z{@z@N*3l1*Ei*Dj;YOJ6x4FmGnfoi~O$*Aa2)?tx`!+?6+g$IV(q)EUw<>nK(X13V
zgK_P%zh>*q1d%!EcDUok^?qQo3ymHuE?6mrKoE$g@ne2YQ+xm`1#SC_>Nq6*1Ibys
zl*l@SkCQ8}4csyhIU9+(DwksyqDX_k9b9M9SXiifUw<JPC|<{;2La^ivAYh1xCToy
zf&5Mrhulen?*L|jXP+np+dD6MzZF;dDxsKc`SK;-H)zI77c}@xZtQ|}<r~^b@+v+k
zi+l~2@3ER*iF?f@ERD>PxJT+FbvZJC<@hEHh<Smk6_ojXiuf~Y?;~VG<}<nOsEv<H
z6eOg%hX(<!<hi&%;vJ;^3JLJKa$PCgUCKv1INfjhsm@eS!cOb;;p(d?aohLQz45ui
z?g53laTj1s@--a<7xOPlSOuYDMOe9f`NNxtVDn_Qziz%8U11rvwmObMfjCk~kgjNt
z`F!kP;ukkuY{Dr=hVHoc;N4nTp8l}B5_n%2SykY8_wSxu*BSu%Ia_=bOC-OKSSyZ7
znPEEHN4Oghv|2;v*D_Dbv>Ms%xo{l2pyRJ|mp+Dz86J1<BQtnNp?ir3G&5+*Dyf1a
ze_eF?C$8gfpJ=Py`eH|r(^PUbu+1ih(~}_k4Eh|6HAz>l%Q>S&ie7paEX#f2PRk#j
zL&T%BySgLjUPTI4e8by~poyufC3e6$!oA*pc9ts@@@CRc*h4CL<ST%^P1*qIot)Tw
zS3pbwo*6%amHZTzDj}0g<*D$PGxrTfNfn9xr#rFKN_SYBMd;>*@2_gu`A9uSEC;kq
zf5~LG9x19d19-ZG1xcbaLKQJXkJ2i_>MMG^(vP%vTzQppI8xv+UKcj`KDLr`yZ^6-
zN3QI&F3o9+N5r1|n{^v-HP+eT+qQPVfvKG&RAy#K6zNApd?c(~{8P;>PQ9&Q!;t~`
zRcG_K>ptT*%G2Kr*!k|~OXG8ja`C%lVEXB@X4NO1Y+6d>gBX(EgZi?VQER^|l8cIu
z4`BJYr%$CPr1Z~U-Hhk(1(>=GS{=8mnRvTT-R(0;M99@h+8SCF@XyuR!HH&^EOrC1
zR{hx_o67D?)AcfQsI{#z)*IwLi`_BE(Uq1W;MX&#HiI-oEQPH^)u6Of(`J6D4FM(I
zohLs<1axX48`$aft;Ql{YJ+eP?Yf&%DHEzVVc!WW_|iU^+G$5#*KTl$-keU?>t}Hm
z7)q&cKNb5@J42CK+@{g(GJRPK`CG8AYs}XB=B|WjJjMrCp^Oj;p#8#q-^WjM^n2{}
z&2;IfLmur?^ktPV<9YQIS9e3trg<9+m})miEhS=>FUGxTUH|&WnN+o}tDGdVe&=1x
z>^33FUPS={Rn`uFcvU7)=doOSFPlWuCh13Q1irmhfy!^V@|G_f#lPTmW{olOzq<PC
zlj%fzi9`#(s{DnEk1X&@EYQ|wZIx}!l9(xIDf;AZ(?pm-$!$yzGsY^BX7KY*b|1YO
z$YQL1$i}}z9yT)VlTc|WVPyOeRN=DzSgWOTRL2%A#+CCeCxbw9BEm4<QoM1KB&F>c
z|DE{@{whab=+Xtg{;w?QwHmxO5U9N&auaV&Po#A$KQ7cItI6-%zt!>D?11Kbw1t<5
zk!lA*_N^A~gWMcT)Hbi;62qR&ky{alHRw*ZKR{V28Q@dsjL7#LSKJJt<9qtY;Wbz?
zKqs)UE>>+td$NP6wlx{MJlg;B6+KX;<y{!g)T&+&d&)$wcIe4<-$aH*ts>zUgWB#n
z;_eJl(Ld>9u@>y&Qir^`!*_>u#5!q)h7r>($tyabyq4JgI^1p)Nw;n<sP%f>Isu4Z
zRd}fJ`IEn=jAxP%OUHz+Y-#*oHgY#(C(Bf;R<0?zI}24?yl!mVOw-C0iZu1=L8eS5
zd>*Q#<c`t7B!y#Mg~KfE>t6%=(8DRF%#JYvb2H?Q`!6Oo!0P=~_FDTS`u9T?0}h^y
z11w0o90w{$C5!`0@>Frh9V{fakp|IAb5Wd10LgniH|xZJdZ8eV!Cx4A{ANG64w{>I
z5=1VWTNZLR_bnv7SUzuPpb|2bMQiF+9x8I+(YI}-nS?8RL3u@wZ0k(WEQeN^M+}yM
z4^@Wq{VeJw@QX8oa3fuDaPh}v1g)Z^--wb2xM+=2kpX)Q#Ngckw}iC<L3PKRnS$0z
znhH4IC6Rshcuu>#(q}i8Re^K?zHuw{20C@De(_-QMkWi|qO`lyB`Sh%^{y!Md2Vj4
z=BKxwQX&TymAf7S!<Bt}6plS-Fm+;`m{TuHOO|O&X69u_8T4N|rhgNnA;3yGQqfm@
zbuL*=Z|Yr$CXL4nKB+NtGDd$nkg4*B-ThESwZ5XZdivIN2nT(}O??oP`(%^}nw3{{
zW$T+DUOLC#I9A{3+pn*~htKASQ-roauW!&s^q@*LCWPkTOtiL@O~?9PuhwbWX?c+o
zT^|O2pP-Cn{5g0C4SS8uJpyJXV<&>rvXhqu^^7W>hKi*A0RDLV55mYJdWe>>s8#F_
zs7e|__~WtmyQYk-TUv7;{*$e1qION&+;;$2&7~sLt3H|Ya5iKs9GDC^L}t`Nk)F(p
zvf-ZQ?S(Mio_y4lVl=X*&^ub)9KTmmIVVBjAkg5`X)j}I9tdg!-m~zTx1opG6f=At
z^QM8ANo;)n$vf^6_B5XOIhH}x6^?u~CPJIwq7y4DV*@A2hf`fJO8xR%c(;FYRMCz2
zg8YXTtm>!$OD1W0NGH}_1bd38j2{+Uo$S$WXZ;6ZUu3XGc-2S~Uaobvi~>|G9irtH
zZva&nOBsnUaNdca#mQH`)4@$1I*9w|#o76wEqIUj_axE?JYua6uQu|S3=j@htXj^p
zu#$tp`LyNjD=bDSBF&Pc@ex=C-30wzgJzEj#U~>viVJ&w!E1f^4)X0_uR@E7TUZ9E
z&7NU@->FO-<NgN$!SU(eObbXs_(|1v(Qqt=<(|ZGdd^gM>Ov@et!*ga9<k1D2CQV<
zsv=^jer~teNi&-7Xjfz`-K!GTI#S7eJ`bzMGc`;p{hgjPueUF3IZA++ddP(<Q)pW!
zS^l`|zir%ga3n0Z^d()sHFEr34@?`gE9VC-e+<ygone&@z&`g^BDN63bW-(E+KNqZ
zh3g9ll##b<O>AekYt~k{DQttZ8~UL@TJw)1dGj9>idhm^s$;%0v&$nOATXqfU^;Hk
zZH)Op2HcE>nlIP!p%ddv0d)=ZnIA&Jsupn~GBj%l?O;9A^7R!H2y{sgEXODc{0d_7
zjkGvraa*#d3Kf#J`QjhMB6>b)+pAZiM^CS`xH7f6R$WY|$kR`^;b#GVrY*XsnU&7E
zNv0T<QlP!g^%N)eIMfSSSB=BDuPP9e)>UpORFalPGr?cZprE~j=m_&>o)bP@Umj^m
zmVp&{BId76@#zXxrZq1tCSApG-}w-ej)D+m&hC75dR4;RLe*;);0wt@u0<8A%PXm}
zAftn1x}SAS!HB^~mI*>?{G1TF?Sn)&%gg}CgQq^L-VGS9J`-V&$3;<ZT}fih6q>X2
zJxMDQiqLV4H?K?rl4FuI&v;LjB5#!__<M@t-#;O(?uG2rOF3sxFY}8r$95}og@=d7
zFIKfOpm0$2jP4x}LA~$w549)a?(XKpD?Dzn)7U92r$(DO8#ZH*0%mo<53$2pw)`Y{
zSebS>!1BCuC}4z{#GRPcJFu$ZMOd-AG;667E?Yd1)RJSQn#XU(VU%>Qf9`un%%PQ>
z&4S3J{gKQEshI)5ZOq~Qh~PtJ4VI&{n7f}6Jn>_0C4@e~(yN8qmMsCmN`dutC8*|R
z5-3Xi#QVNtN)*@UBgmijh&2qO`QZr>d79HG6iLDhh5v|AI-!Sm@4IppQ8<^yR*_ac
zw&`%2o5OT&O94Vr2y<4exx%L=eq}eh1M95fvJ4;hR2mO?_>d|I(qwX!7J<qnzVIFa
znvylc^hCG9PZT1W>{uPTBtKe<F&b5VpBNU9b*2#a`OPc=xbI>t>0LYH7W>xM$45l7
z#xGVw&W(14x|@3x(}sSS)=q|b-;SM}y8|k6odRk5e=O*a#j2{Fxu7re61ae>ZHO)i
zph%UsVM(({Z?6a{A1hj%=SGu444wke4FUYF>wliNT$M<t=Q~o=t|HgeFPRy+1p_IX
zI$7=hSnzW5D#Je4W2vbSJ8h+h41P}oe0Ey&H$B&ynlzwHK<uh1?q<<SG>@P*iDV~R
zCeKaeKNzPF&3&Wz##C9jRU2DmLlK&A#)nG+s+Ck7ypy|CFgL1Y{r;cTq|J6&n7<pC
zL;g*<T0>*paGLJFwSXn*);ICLv_N72lV<$?(1Paw(t?Zhn<)cE>f>8Kjg)M>$?sMG
zTVEv#4n?8uQ{Nk^>iQA&A`76eMnTzF2sgI^-VA{|%6GtmA3yHbUvu~M$P#5~H|9WX
z3@ZGbjk2*yT@(3MCCSZ#89kIBba&jsw66{EqSRw?=2M=wmIPZVG$~dxIA1?n^EN9K
zsB7yp$^(OK>YK~&fe>&LFz3vT%|}BW)g8MKRlBSO+c$X3R52p-$Asb07;nv72rkkr
z4$Yvlqp{G3)+DInf)eDG<)W-B%GQl4{$=gsTe1DS1S^yzSJer@Ll$NB2X_qu>@OJM
z>-rnHGcNJXFFLH+aiE*@@vJO~*LDOdf^CCQ7}v-|F7QFX$|8>;-aHgB>vK)pr-v5v
zlN>BR!P${P_K95h#kZTcp@=cEVETUfj0e;!uP2E$%x`O-8YxXFHj)sWBoI<NsT@1k
z(C4m25Cpz7zI%9AJ!fn;oYSX!puMp+RxKn@&T1oDKz+{wYMutEyq3uc|J$WEylDEn
zfIq!Utg8hOgy<-k#JCr;zX3bK{mkKvBopGuRj9@WHM$>h*lI&0=(#kY*cSqBS$Uec
zKg`;i)6!9Oc(Au_2^Kxe_6Hp-f@0ef47r`y011PRBw!GE5O_UOL6^Le2)`<ymY=3*
z1m(|<pN)K3<0aD#15&bP6A?2&ND1{PpJo*CV@rAVLoB`2cWTuTh;QX$M5uwf#=`dN
zZcaI4g{}^e^iP`J;Mfss5qq!{<~Ix?N#|}1X9xk&*q5pZG05sG5T@T3qb;Y&*ZVQg
z<}C0^!cwQuxB(yC?~u;%7Z+BMi`!`C5q)~*$X)@}pRgw4Q@_01)Xr<N=+;E5hpNlX
zc3+{3bqa9v?!h|KsgQG%Nace$T36YKZoR)oEX^-trfImWC8<O0vb3A*a2G3O^j9*L
zZR2JYjrS<w5PTrk5|P9Ns~us9x)7Rjek}4&{YF=*7;qMz!l)9N;IT%Ss`9h7=%RI|
z`h2K4vC`USuAgMQdpXFB(&|>9m3<`T%h1J%2PKB33S8BY)~xZMCuwfr3?Z-8Z)#+9
z(QYFXZkrhZB?87vfa>A(tJf=p@15tq;Dr)~_$HTVG^yj2UW(d=!tN!^zfjYz`qErq
z<r~QUP<uTa?bt5G*V5I}T=(4@V}w*OjJ}a2IjL5cLloSE+w`3mYcj^rngE&eWfv~y
zYBxF(UShHc$TApI?%E7}DJCS^AY4VsI{!rg&<m1N9hA1k&C1dVz<u9Tkrf0Ev2~wg
zZYRstpH||tnbs4s@}%p)eK)}vC?P8$uz^%A@I+|0qABw^HK!8cgEmkdkr06i!GSz`
zti74b>`DO!(Or5;NytC)O|OB##6G<B$D2xO7Fqf39*9aw)SILCM_7@NTYMr#2d#sD
zVJAqb0LbsRG_51Q85!u>3v&|y?R2_|wcr?TjQsbLt+M?llB+x)hq-@S6e->i<|j*n
zqe>6eZyyEM4v>0}2#vrKt7Pzv<%<)$eixZ`VG+;T2V8w8H7-sBiOuje*G)$pu0ma8
z6=C8HQEc6^nwQaxACT5BH)(7A|7aj6wQwVdQhl~sg*r1(I2A2!{H52bIvU;MB5P>=
zf}4xx`v*N$Im`r3;;q4xb@hW~t;Yg#NTOilxv(3Fh$2QalF|QS?yaKY>VhzBf&~vD
z!QI`Vae}*RH*Sr)dlKB;EoftnHFOg+xJz&+fyOmBfh6DX%bNR{o0+@1+3TFO*FJSt
z?Rwv**ovV&vqevziIqx#`m=m%{LG$zjS1A~&(Ue&!@|Q#n#vTeaYo+vk)MVnKBVB+
zf!1m+9PM4ElSz7*god+!bEm7^tHsJ;>s6_u!!od=3RsN=X>bU~7S>}FWdt4W_r?q|
zUa@)#lR@-df}db@WxAk<EbP)5!l4uIq%UHuC3@3Ri6rl`#=HDu3DsE%3UX{6@Nu~d
z<#8p;u`;wrsUo}PwzK?$B?P;=NCNzsS_O&J1&LIdGE|vPRN{p|(}r)~b1-}&Ho*Uc
z5`yx2RS20PMy;+TicEfqL>K;#1;YEeNrlu0HUDPCqnA55Dohf;@?tYmFJfeTqvxS<
zTt7bBo1xP()3%doIrfPxVMbCZD+yI9=sc=%t-mzgI?sGVj23|SOwWB;=H~T{@!ywL
z-~#h&)7O_R97%kfNTipv;ok0&VY|4(9YiaaE1}O9<--?3L)+p%%%v;-A0vc2r63HI
z8W)E>J*qOCd>|C>A1nYDy9?q%T97}ZK_kj5*nq?Ua95Q6rT}~AM8$4#@R<Ge!1Cy?
zrZ&5t4fF<1R{IB*u87qJW`$+fbOxOoZhxMxWUEoB7gY}z8&u69bI{XXH(dtCCzXg`
z_4hV&v)=b{nyRM(-dCq)?N!OYJ)V&cD@v<QQH!V0Ny~e0=htMh@01+HBG2}=lFP%p
zAMwE?mdb#Q*51aERd_F4)35D<lG9SMZQ1DPnfVhytWkxSHU$3lduj=u+*CiUCHf04
z0NRdA#5x40jlAD~BP6f<!Ryu{C{bxXpx*g)q6gylT|IdEr)dJx6i|BTsOa`mUt1_p
zLsj)ndOB+se$F5&2U;_-THrxUG8N=DXsfTI^u8vlyWq=x0cLu8QAbSrw7Zhhb#-jH
z{fFXT9{gCPrl?RtE(bBHU6N5Ss1c1KAr^-JR^Qeq3XLHbssxkGj#4NT)W(#aH`LcH
za7WmW7hR<2-sDM&xIJ`K5ix`)uaeb{%;j1sW4bU2R(`PRpe=lJUoEzQG}=M`*Pt<r
zx5DPGGNhas6sTHra*+xTcD^Z*zf#T{*|TYOIwVs_AQ{WtZ=V9vdCpB~D3?!(HxPfJ
z63}|78f2y|=<f_Hx}*5XC;|E1LJ35IB-z^j8AT<#m?PRPXlup-!qdUURw=_8wY(Zf
z_1abuM<1M=8<MaysU()u;<J1-gx)2&+;1#roGQ4O(`E~FsP)>DR0X3sn|32`DGRnC
zSe|#w@Den%lk`Pbb*m_EH4fL&1a?_;C5^6)Ol3n4FLO7p9CI$M4V|<lC1srebER!D
z_T^n(zg%HV-W$Ch@De!3F%=lng>n?8BNuhV7zwK^>7IMPku1K`5dc^$xsA5%Ova`H
zUxaAE9sG_hI!}Hb?-vY6R}{GE>L|wmy3veabsD-80=CdMk#7g}S$KRxF|YEq6t1p~
zv{v%RV5;}y89Pr-y{dq6?cR>!@>=1*wzsHzlBY2Hq~mgb3pZE80WY$icR{-%ndDqw
zpH-bP4rA=?mKfsBW{(Xod*<NvPx3%hM0N>#oVGqDDifhM3W05sRbayV&+!e|*j7?h
zYoFxoeNacS*bb)3t47FtF7pL>1ua+aMxI=n^c^RqUM2?W(5?F18E((JPTMK^-Y&N`
z=U$rIM6{G4+Q5rb$#4?8F$^9C!v~CCuhvI~+$a~qEcfmRR&>t8jwT|r`{Z6O*d^4B
zeH{<?H_&Hln;M0Kzqm6Ieo}Vr*w=vQe3o?4982P3lO8)_UsymIAr^Q|)$PtZ?*<U&
z8b2>rPtz;$88P-bZBf9d=K=Cu8QNGKjO>veMYJWr9UdlY*4nImL+jM!T&`|q8d;DD
zr~lX}TanFCgmY}>_eAclB+_!2qajChO5bJhu0Ab`1K#(<ZW0j2VkbAQ#0QktFM!W+
z^?1=642JRV#D4g?CNIP$RR6Fn(^N%h{fDAhltC>EE9sURSlJM?P#WXO2Re&)U0k`3
zSlOuRYmArYqX2aCS8oXPUi7d|*A0+*T1WLx;enH^Eb5PDs}ooCuCm<a-}GJDiZ!(I
z>q+4WD8eo*0Q#Y~Db!OJ%~Y6su14jfq>`;)9*})W!bMMY8*o7KLD#jAU^cn+DG2=>
zkK+7Ef<n<{y5>}^8#785zJDcLGC(=9m$>*>=DQrrS&<#-G`{>Aw_DPAvA7^*PLFBB
z`X|m0DewK*&y?4*+YMA0`*!@&UOV_&CG9vJC)3G{W2H|McuzK5OIm_itQz9}nU3uf
zM0YL&4X=9n`B~9Scvf7Yrds3ftE&0ibee-y!0*?bser2ZDGd*5RuRD<lZ9*i(}FGb
z$?CZt3w#=AEIz-UdzCQ<-;F?(bEz9ukq%sI&9*UleoCeGl)K+>Qz+!U1g%Y^S;IYd
zPqtcT8)vcB5T>Sz#@5Sl7f<*CX6qmt+Xhc}W7nkpDYd2ls_|bAl<E~XUpv3LX;a6~
z))xn`bDP=~260xdy6iYYaig#t&k42f(n~YrT7meE)BMfSgKZyE^MSPuY%9}~?fyjm
zcurigCDYsW_yzGbIhFVOd8p<ejFvhDA$WQiXc?9R=keCTt0|7)@k@Rf!2hc<{CIC3
zswj-DtHqJBN6)p3H%N4R-`0+izQf+vLRofbAE!bvNH36~W5+_j|2}D#gRH09(q6n#
zJWeD#aUTN#M(=i{d2dG*ZvT4G+<I?5BD213j>PbH;4Jx!g#tI|LX(v0_L2*9zuBlY
z9*){IVGtx_;(==HzQnXB9nkjMXu&YGjd_b=$4^a-;9H|BIB*F;mosNs3t!iQuxczN
zt`DP7z%wZccd<qZ4g!D#Xx;!$UE9PGP~Y{9@ZVH34@l=7AgT4oEgTg;_Jg7MIm^_t
zg0Z%yiv)J~-7*^|1*MCUxyIOruD!-5y<KKYPfHYPsH@UK!2jOq`TM{7wPyQ2E=29^
z*37aEy?Ws%!0g^J$L-rHK?(6nPKHqskGI8y=cU?w;L^L-bGVbc$BA3ztE;vzxFRN9
z$;g6Lh<?Ql=qY|3oxYaF9e;?W0n!3vSt+>KX*GkqzzU69fPjRocyLAcs(-zz)Al@k
zD6Pxfs1DfKv?9SU(0*{OpGo2--&b{@&>gr+X>!)?W87GX(e{_K&ZVoEXC7s7GH0f)
zW)(g<?TNigEG4E|PV0tZP$vB1aESCyLf!E1birR1Lr=i%!$+4E(r^SwRkXR6b20RS
z0RtCd;RS0=GxhRGD%16%WiBW7?=pCS)^nisq1M~Y&;;Nq3HzF`S-_3v)l9y8(+s}n
zv9Y;?#!PpYJ6HL!$^D2zd`0+=iF_VIbAy-+4#zDpr$=;7mRw{3p*r9v%t{qQ71BY&
z$D3PZi*YBS)K{9!=Cwazh#B_WnK{pYZ3Q9<%SA}R4s{c$bVjdHOGvUCfV-oq=|(X0
z@iF~$kpR_{>O`$^AZdys+vDS@<E|+D(!?>u`~i&CeM)^^AH-nH?W8-`Xw1PZUEH09
z?gy4PIxzL?&*CVLLQW0%*p|<_FV$)~b_!6C6nD<#(1dbu_rt%txHa}Gj<_X2+*%ri
z?c+9$ChlBqsArqE7ab9}?+9zLIN*uG{?T5c3zZ(kOA8!rHuZeL%%v^2XOl(W$T9^X
zZUuwM740S;w)ogkFI&NG8kQmH94dU+VPQflM|CxE^H%Ku^*D?$8lGh8({YUqpVYIl
z=dGiCy;DvW#J4l`hNsFgj9)mKdFIxJEE&unYjCs_4U#Pz;S+ZPrJ@)!h7_I}EC#{N
z5F#L5ESn&5?{UZ30P2(?9aHQzBCgp$rH^#l=S(&njWxfHk=7FbUPL&ap6MW~oJPXr
zleEJutafwVrrskKw?GHxO*PA>T!Yaw0vGCYbPDCXWk^z04?}Xc*Vp5Fzb~$tC$7Hy
zyN?8fA%kB_>jviDhOB@oYo-R)yDXPE{QOZDDPKL*(gIhO2*2yKYRwA#BHe>zzUy)|
zq3G}A2%#9Y-=x!ZG?}&0FCu}ZKz{8_r#dvdTpe-o*U(q$JryNJ81}5>tK=*E#jq-2
z0Z}KEq%wH6t2pN_a!2e=wwRq;Aqsq3S0B)xF*pF!^c4YOOQ`jiY{VzY{HRZYA42TZ
z`o(oS$^SsQ?Nmp`g|<f0=R*AuF5In-Azhz0mlBWE_0Pf<e^|Rr1-~dpVttH_`dyaQ
zo!UA>g<7@qch7Q~fI2T3?Ko?{$X@?YdXuKJp=@>DsnL)Biilga(@INkc%Rq|*LH<=
zOmID(G4G;Yv3xl`*<_Y&9@9Y3v~32xDOWwNZB<_wrUqOX8x`Oo5m4^>8GFbY52E%*
z(9CW7nHy~lK1pFl`h<a(v(zMyJR1Eo_LJ|Um$+#UT${f%2;bUH>Sph03RtjC*L!f0
zVPEITmjr>0%n<j>i<<W_kcl&k0hs?c+4Keg^)QAJNnGM~7u%MSJ;~DgzZU)aW|Gp?
zH$5s(BfT{-5!nU)LAjs4F$)iCm+JbDG{P8i$8bf`7daK^SqUb&a}5wDonfwdQ-l*+
z)p~l)UJmwp>%_@duD@bu&|O=+!n=cRm6&dyuLjbYJ?vt`+BN}bnrS#}++8?(e&*mB
z!$oK%AV0yI-7whP8II3f8MQh$)7Z_F2E<}VlBWWk>@Tp*@QlmB$mwiB2eY^t5hcW%
zf0Nd+sTw0<WI6e<=@3Pe3?XvWl<dHB70v3xv`kl*uK}MlLV9dfk^A?+4TkFx!xVQZ
zyQ`7Wmu+@?J;q6~;HGQL-2;ce3oCm8NRu{0i<`dNxoF0E$r?tNGdwg-i0I}=!~MTO
z4NlH5Y5-`LdeSXTb@ZiG_QfUOpS<Im{wEvEOEkNyomxA-ZZKte<<hf);hBNP^2W(e
zfMuig(_rLLjbB}|g_(?#?r?^{&!z@xE6OzbV%qg7p!QAW_w|W2_3oVA-&ULEZu>R-
zK5&z+YL&fgp*3cX%xv?<&PIb1_K~WuV_m4I=@pS|P@lZL-?P#n@a5gS`Ei-U>WXvk
zqhUAKkX30|dQ0AxU*Umjmf@i7FE-P=27{#&LxWld`co{$VVv#*z6VW^mbFiswwm#K
z<UV_XFjDZuH7`PCv+6UIH62rL>^xYV8^$$GGJOVWw)Ho2WV)8{T60nzS&SPj+%J?&
z_+al?PtiV)CXU|7m1q}Cw3R7<RnUsKpM0%*`e2-CSn#C7s#Yr%=39~C^UPefyFLu2
z+sn;i#J={}Xe9Efe%eKGasa46`oec-nTq#_2MxAEle;eVT8x)mrui!hvDNC%g4~I*
z*FlY4PHdy}J`RdaXa-?%7ipED!^3VQjCOV8IQ$XWKMPqh-L{LbBh9}x8DGLrhs`ok
zQe0S?JDI!<y+_i1xniwx1;;_kq0QyaL@S(sM+EMokp1Zlgj^Z&Tt**AYO57t|DHGf
zwI(E74eI=GeOy8o2dLwGWBgf`Ai}H1!kymh6^4-2N)~p`#O27jdSk?KI1j{g98T5{
zpG*~hC>P0GQ#Ubg*i`A?SKcVflUX9q;c&0dtnq04x(xUfs|gSpcS11RKkgy<z~w@k
zUN=kEnDPv86LX&eO@4E;PH<ITXjCww>tJA%_`GPNvh!fZqVk>Py4$tW)^fee;?I@b
z*Gi4Se_Vh|90x(GN4WaZVKy~HNoFkQ!hd<1-!8;4$10OIpJ{TfOyu;|m%{`qjZYv4
z1H&HT4dw!Kj(H1wwQ0kK;s=2OJas7;X(P7PPN{)F!e}z7TU{lznH6F_7FDo?#X0=4
z661CxYeK>)xHd0=RX<%7s=~r*qT>`avo7Xc>=(hwbZ#oAAtqy_^LFvC!`$-IeLnKO
zBcJa6-E$*deBw$w<!N+2-x=S~Ak`Y^%Ps}@-~2aolO9Pf+z5imrV2E)_(J+B9xc1}
z6wCwQUqvH>QA3EP9%Me@Ygs39UN>U=8r<B#nO-#EyxN@Ml4f?ZNb|R>W}!nM>i8`w
z0bXapxQWHcSASzr{H~gtP>G9PXPL17=|Db`x!T?IRmWE`qmlJ`tQRA*bxTpU)2Q#N
zqdJFhh)eMPYiv%twXlL<$FuahV~lXWKGMzY0oDEHb4tWvEnM-`#X}84t)#aSu3Nt}
z4@i25FUZ;)%f>0IkdXeijN>xmySMa7&9c)qM|3J{bA4Ad|KSU2Cg`gCs`4HaQG50@
zGr4Rh-VMBP|L&SFnP0ErL2?+vH*XJHz$U@jcHC^C&-Sf_Q4J4p;l)o1SUU)K^yVwB
zbOji1aQXzH*<4#%u47Vk6n1bIz^hfTG;`2Le<2!#wISolae@*i3xJel&tE?M78cC%
zIr`6quKdXYYge`WlF)$4^&oZCz(dhpuhFfES^DpGue9l=#Wh=|@|HN<#)M^Jsp6J6
zU6CyB<4L_Tm3}ZrL|mzg3pT#Sov1gc;Z)80SAaHdNZE0|UK>@g9B^9&cZjB}1?+B3
zt8;6%vwC6>kd)TL*`r&y1bRc?=xL?S;}E?kV^m^<4YI*sbB2AC4^!*=y5-iB-uf%g
z3-e9G=NJB(FhBNk;NNmh*%e>aX}S{F=vLm7F{b8bpu+|KY=?Ko*a6k@h)ZU?aFLp}
zotjA<6&-=Rot7U}9tqg0ADFFdhua{Um<D5HiOD)pu`hybs?~BRm>=|8<|$E;&Bh85
zkhP|W9%wo(q=+IlMUg2&|6j1@Xd33b;Zny24Kp?LBf{m34*z~8RbVQcx>7FkLj`~v
z_b|LnBYz$(;5~dVU6%IdE&YMa|N0Vzr{l}(A8QzI2DTR@+~m*CV!c|!<2PNyM#{}!
zb8jhQDuk^PywU1y^Y|EDyTOCw&$}l5Vu{=9_8O(H{r^#+W6><n`l}PTA(}2XIG>u=
zII6PGK)knK49pA7n?D~3;}Q8hK5!<z*-|F3COvxoq{0MZ_#%d3k2e7|MB(WpA|!fG
zLg!lAf`h%`Ekkpt%T;F}$dUUZ?MCT}cHk)e691L)+uM%aqz%`~_>WXR*9DGBF?v`9
z^rI1y2PHw318mj_k|8sy;2f>10a4^&<MpiM^(mFtX*cY$vGcN5A?+2@+3OD0Gqi_d
z6;!Q0ckO1hbJho!J7f_b^bW$thv03lkZz!RCzLYr&I(7ip#N8f9NEtUR3`H@Lgn`z
zQx;73l0Zck(0Ga{_=j$`goi<I4Qv$);osvYubD2|-o@T&w7O_$N5gMt!3F&c%jXlr
zP5Qp4tw>4gX)9ztxh$m`8#deU&!O)>6t>TnQGZ}VbqOJ%=rGu)4I+cj7X;<h*l7fn
z8{uhW@612hE{gmv<m9BGJR^H|rUc~?Bdy+MH^l~!h~xJ*1vaTD>?%EdvC;=?(%U?w
zFeOJSR22}|y~zP0B}Hd9(;jl9R8yoLRyG*_7k9}!?%H0hUNiGHCqXxN<6|5jdPvCg
z=kv?P3U1W4HOGc0t|&f_uwJ6B$jkHd=P>xw)r?+lEp6@FCsvMP2FdVAjQJc?0X@f_
zfL!woM!JJMf!C+qf~Os2g`!WFc%4t*rZ3OpjR4!VT`|9t1?^8ayq}st5026;z75|9
z+84dFC5wC6^%;I@FB2wdtlbat|I3Rl(deCG$m|YT(X0!Uo}*m7a;p^c-0uCs<?|>K
z*2^1ve!n7CJ@L45NW=daJMAus$o)1Y8P1*SGy3CfDSDK?tvI>KUvHQ4v~UaXuTriH
z9g$Tir>?i7c_PVtCV;Qtg_JYaRgEf6W%@d~7_{>xFigzvhYt^p2MfDG(AU*0Kej$T
zyvlkMr4xDl(XVu=Hp1icemd8_<wSjwYv!s(9DM>A*hYHLSNB%359m&#qQ|amTxleR
ze!Bq!pXM^;<JG2E($J5^^ia2Ceb6MYQs#79)F|m#CQ<u2#9ni-K?b?R|84gw8|w`8
zgS{c0(JE_sOB>7dwK~lz|7LX{c&T}w5fmTVn;O0CQ@Fynd!e1r!Fwu<s}a~ZeS}IU
zeF9%Tu1?6aKV$tr?<V}1GI>R#=x^yW4y@;G|3}wXOY3MQOPLH`LZ+P@46Qs+EIx=Q
zpA<V)C(dnUx-^33B^%z%Pf4Wb`t$(3)OL<T!vg5H%Ye@s;+JB7B|lEiE*FNCpMlAN
z!sqkVA@cG1Xqhjl4XH9EmeiymEgFpsGS4t#Oo8F7!3U8B8Uf|)K--s8+3L8YiKdod
zJK83|Cvc#m)hDwv6+xP_8As<)H*B{Bb`s#8tclg%=tKP*LYw-DuATZZ0(&D&{U!Gq
z*Z-ewXZ+8n3m?WtWN`pSel=OHAc%RYLu6A1e`xS4dpB0Mu?}5z$8Mx21*lWUc$$+*
z`pib5-@R@id8eKfgiOl6%kfOqa}lOpyW!4huM^G^!KGfq531*>t05wHGF-`3lc#8P
zXnAERRYp9%W6_3+$)toNK#9DgfL#&13hC~aTAT2_{Iq2H+;;gRqSe-IDG&lxDlvuv
zO}d*_iG|V7l0Q!e0mM|+RxP@rW}hU{{Djste|X)+geYpwI}~u@CmhxQwmUGtebV#g
z1RGLE-Cba+7YPJdG&q_<em1vEVT;GMT1{IG*}fGe5>iMKyLo+CR8-_zRH&Uk8v7@a
zmVMC<s(6aL&bS{`ZDE-W+S^UYD(-~L2dl+5(`Z`b7FlbtjE>G@-vzX!jbSac>VD8^
z4K$c6oGi>eE&nR9;!8{8*9~`Y<o(AL*sqRXk$pI8SXv_=QZIQf)B3Y&u(#N$*p_q(
znx1K$J6gaJ7RBx}A*gaKneN&5)>+fO;#nFDTfS3*#q8L2(KiW$mkd$mxj8zok5z1q
zT<_^P58D_zBsrHq$qdD9TK5r#R~T8)_wk0OIM<)AcsMHoI{y}YVvc$?ztXfmG{Dbf
z_H$m}Ivx%sJQt!Y<aP)?neXtfB{umyT^tH@{go#-bzn&K_U+VyY3cn_%vy6hXPt@m
zSL5UsW7wL0leIyeZ@sDc_EJUA`XNFcl<+L7_%>HG14#Z5uYWH(KmNmOCtaY`+C=c4
zbLaPmH^u3RKeDJt@a-E?6o(5#-f;ydbO|M3klki*FguWvZ0BikV;FxJMXt(I$A+2Y
z8e3}Fyhe*pyW-E=Q{`4&d#LV5j%0Y$Te{ZMXBRs`4Y$4P<f?U?U|J#;Mn2GlWi;p`
znYq&ESAfI-x7X3j>g-qwNgPk1_S3b+Galx=e4L4AB?6ahd4#v2#Lhi2w-(>mU6(*$
zF>~(Q3YiJ#F5eq5O&(Cd0tGUjph+b4I2zV!Jxca;^00TG5mW2bDTMd}l2s{bC2p6f
zV)?7=9zmH&pS4uL58XI9=K8*}O=HCW3jCOIIzNhr8sZRFPp-jh(e>@lt-8z1nGzVb
z#m~1aqPBjzm1q$l?0YsH9~RM>&~IRLu$NpkIr&*XIFQ%4je)1sLRC<mfXHgnl0MzU
z&X|_PgE%Sw2`1fi+|u$SuUB={B<Vj=<NSRgnptntoa}NSl*(Et+v`-M_4|~xs42X0
z(%@YN)V~2#IWC6rQi>;?ZNly+>kjKf<&$H&JI_s!8}GLz<e8I-TU#2n^!^}*RwnQ-
zT6hLv8&Qo(GWav^;W&fTxb)y5l8IEy7zRIEx4Pm~O{dBJ&g(-2rOG{0R$yv*)Vt+O
z`L;j|Azsd1a*(AMVbt)pkNE>GMuF~UMnV_J)G!Q750B6`+U9QWAa|h4s<qfQI6lm1
z7*q$0Xme@E)o-l{^T~UA@|j#6w)lS2b6`-AuEoGZ1!m!(A5f$Sj?xEH^z38Cw>E{Z
zf&VxXFP&U(erXBKm^Hu#2O23e+iC2Z=&{DO>WQ0~s1pHO)3@Aa-qwb8_z+=IxGjB4
zYj6v=`pwgD@MUbDd*4(m-SIK$>tj**JVwg`B{r7<%x7?V4^}kMBl*Y7l?{p9WpNct
zrIeI3PMk3`={g9!zb2b#^Y~&mF|TjMj&Lnete00<=Ik+9&Gdj9!U;CMi7r6a|LB;Q
z_t4D1Hem80?H9F#7982;1>;?a7xsDNFD4Kt<2Pqi_ZgD#C{4j}TWOzN!7jV@@1z|)
z7U$N0#fQv8k{yo_#|TvRUO6+zrSYib@#wo(5r&cE*5^-8#jDRTj172O{4qqxwe@GW
zIsb62m+M?)>-SK9EuyvK2M+wCS4Hwd$E&lT-qHr3H2sh~X-2Ln_q4iXqzH-zgUrMT
zC+mMGFY27X|DkN8SEq#rQgQ4UvTtPuBh<g>f+v2RenuaAgMD+mv{RTUSKqd*hoU2G
z&ULGv=|7cYLynNf6sk`7W*p5YS?6FUDY_LAyf)q9y@!o&9GXCiD;cz4Awx`7kh8Se
z1*B&EOvXvdoiqDqc<JcS`x_CX&`cqHw$4oSiLape+iL*3r^AM#+e#~;T*a`J8)wuu
zUl2)n2Kf!8B6A)JYd76C<?C^i<ShNyjc*;BoqJM4OdVmlQudvuW@{BVh$EBzJjqea
z*9X?p<jx|`F{d@%ApvaxhL*KW#QOnCtVVak?#q8Q=GjU{+-$M0oBYB!x@!}N6ApqL
zecgp`naCy2lZ**OQ>nB~f=E}_r~j>NiwKX`C0bW%sLnqkdxRpMhT2g}%~7sf*YVH9
zT#2{f_HA4Z!hUr`b&*sBVn<eF@_9Og#jMFCq-0=dE1!LvQNRd7QQ#_yKNv~ky7UcF
zsnBFMY&iXznzb-3HPc-Ye9~?0+{O;tH}a8uN2jJ|?Obp1$;Rt45i`k@eS;=Z?(wQ^
zCzZK-!){?C>I85P)kuPDi@Y%(HT(?<xR(1Z=YQ(SpzP%wwqT>D)7zNpqBN}2qgQA(
z&34o1g*Uc?F^DmLQ6K)|CckqZAvJQPuJK#VG_tG<G6QIquM`<2q^gk*8WJ8xw@8Y+
z?G1q<?d$Kjj=U3wb}<r-dDC<hOPGF$*PgqdyT?qZB^-2QvR$}d2p78HFs1*|Nu?JQ
zbw8>fDu6D%j_SAdYbI-`8BS$bz&&w%n!Hlo!>kI9*#VEt$YB_uyms?`{taw*vG?0M
zNEUM`=96#MS*H1!4Moje4|v;<ZX2Y)<rn>4W?`7>8s<Z7Hi-Jzz|~=IlvTLrh5v@|
zD|Y7E`+ea?bQpM5&TKE*0Bsk_&+nBDamkb%8b3^ZuLMl!Oq>M-9tb@IGapM}6O3n^
zO*tvsX1j-2g3qYQyZ%JY@2`2{btYTD>oVV@Z=VTIkPT=pb&W*%8Ch!m?2h&4*wfpw
z@b8m^FN&epH2D;<>I!VT!JN(q{3t_=Sd{cVC}SIub$_5;zv)BEB>cX<W&8@4K5k)W
zvouzQSJ>28)M_@{X9cZ@#@KmA>_i-gVO@@&Gvn(m_&T{s!y?k9>^a>7)HI(`w$Mdb
z<k{<mY(ecy^PsY(Zb_&O>f{ymN>vIb`u*%%BY`~2_}Q$2Dx;oN2@X8}ca;T`?7M9|
zhP4PYe-%hFCW%)oHDv-UqD!rxYmkrRz|uwsiPf_D#R=Ozh%$P9EY#*dlxLDH!kMc(
zL2DiRyp^jCnpEb$q9#-jzVh6HtM<$)BdreaoVvh9HO26p!mSn7gGl_kUHh<>yy^+Q
z(a4blgEb_9(9hN;30lk3Pw+*LGSsE!v+v)W&_aK$lGbBfC^G$QdtrrQ=g7@UskI)y
z11vzOn&RK4Lwrkx6R)WQ|3evB_+S97NekZ>v}mfr@gy2^pJ6~S1MMGYR|d!P0Z^nq
zE|>aKxQJxyP-Fa4SW|e@+6-|(s7n_HcFaVMDOe3ssiSV=KD?5<<s%u`Lgf^Z>=|IP
zF2|Km%pQq?2REa^ny&oCZJ;_rC@JtCO8Vtr&Gn5)fwQ5?k?05~?nJJ;kT9*OMhT{^
zL{KJ0az0L>J|6e$yMnr2=LO2-^eG<})wOf$EJ?}GqR{247zJ2Px?uJyBR6Ba0R%0Y
z!C-d|D29$12&=!=+1LpML{J4I+uXAR9+#>uE<zL8t(>7}TML_lf5uxmiIf-?@csTR
z{hL)-4F0#hJOMO-FIl|si&is))YXgi|8Sw!to5Uh!U&C^WK6{pXJpUpy(lrQvMFJy
zIg(E`A@O=49+}cwKW<h;ozmclD!u*Qx?rQxvb9S%s|Z;cNlSohLJt1<(Wl;87WS{%
z!>ZYBc93d``0-jnaax&U(me@`AlEc(4;+-FGa|Z9m&tz!r=)*L3VvBm0B(Ee-e>Ow
zSBa#ZzASQqr<dk<Re~Ac83?-c<Q6vExV#e<-foE!lTs|q!cW?OVkVK{t;S&SG>FGH
z+SJ<kZL%o;AxRfml)n>WQKFr}oxPX;tAXX3oOtYQ2*IZPOeJT|dj!XQAycK7rrl(+
zLd**|#rPYGG*;lx_`R9lVr!nMpinXFSeezaZZ~;>Y`I*4YEHGB*vUOe&<6#xyGksP
z>a-Zw9?#oCenwY(2uUNHeO0)}rl3qc3d2dAqk_?v8iZC?IkrIw93F8&GsB9<nKDF2
zP&KMEUn;D_1*DRLgPOpL{xU8(Sw{H930X@vd>(jQ98jN>-#CxPurHgk0;{Q1N@?#(
z_>p)D$ZfL!P#h5j#ju<ik_y;J#$JYS*f`1L(gub#)-R7cqJ|1LKc_DSrumG%git<>
z?|?)S8kwOnN<nGSeu=8LK>|-b$daLrXMO_!C1wxYJpo~JD$aZg=fzsOm#_ib6P2O@
z)YZHp-<N-7Pd+qaH5$V>+4I`T+$$!zI$$nO5YaU<_^2f<+wQ&io;-nP2^W|+)atg>
zQdv?$ul$HmDpTylz1^m{z*fbAoIT^8oY6Q|G09{z0u+3np(lWpe3;6pmn-~LXr<-C
zaX^t=_M$*~76`66sh4uzae}(2#fj7{S(h&79J#<uFjzJl{yM`(+grx`m^cBVrO)Vg
zXO3zX=-!jObDJsSp%cTkl6ei4-QYb)p=G_J9P2lFMeRt6if2w`XRf>1k9GBq^&W&L
zzGTJ-b#z9${Bt+1;c6I($2Z!qcb6$4G{>!+hf?hbvdsgWZbz#($ljwlubSy*1u~tq
z)(r&a)tOht<y;IaTxRhz0bfW&>62+B;eB{BuPwEzfzhg|rEX|iZeY8m@raq892akX
zUyQ7H{!)ZCwDZ<ENf26)zRi-RM3eVT8y>rGO>R$KVqp4~r0qJqW$!oovi~GMyh{AZ
zHMFD#!G1J07^;+M*YzT8+!DF@wc7#g1*DDH#3wK2sGN(8em3|rK`uOM)GR5$f0N1Y
zm<Zdo-jl8QIyll3S4H`S$sKT>YqWX7=~t%-o7@}uW+CZ&m_4!OJ-p((cIrDtMHll!
z#-b(hVa|{om?sdi`;90@Gs^K4>DUt+3fuIBx%fxv+Vl*!3^fpzHE1~x;4-XJ*I`Xd
zA4Ex&KE*YWmY3#sr=uKy5{x@q+NbIM+%H5fL`!uo;KP{dmF5-8EJ~-ju1u3LlvZpT
zs7y;uE}*bm<n@<B2^WMOP`7ST!o$sP`#qN)Xa8)BdyB))lfO}_DLq~0@m7q4l^Hhe
zrgEXj=lJ7wV5+Tb<L$+n*f7m-tz+<l%Z2}*%zr2xlS$btnFy=7ZZcW9wrvf`lka8I
zxJ4~z`4oJoVtU!uBd$raDr=^vZXIPmIs}$h#dE>V%hAL>qaV7~uoc>kST9@%h(N~3
zc_(_6aOKg=VM{9zGSwC3vSvTBD>6l%l?yD^s<}X?jp}?H0H(=&>jgbuXAgiVvT{}w
zB_rXwUDG5P?L_#o!+J#!0iSCuK?TTfP(v<yp$3yZe@;%~dCI`hNZi+5ZHb`ZfBWE7
zlaRo2f<x)Q3!OJMj@Pf(>I{u1IIUdh&Xy>p&uX3<d~tC6Rw$Ak1xK926h-9)QEuv4
zQ1v~v23*JuA@N?T(#Edqh`v00Qt9X_2*Rzw0$HIPgS0>cQ`*6Fp~U?g1BQr1Ia|{{
z2>YO~W2{27L*RssM*?lQ&yM|9`%@r?2rL*sPm!0iIYkUqjAuvm=7Ws@P{lPj^H?>v
z)cbl^NHsivn1LLbqT#DQR<F#UKZ3hXUEM>-*6{0(J&iobAyo*be>60nQ8!+Z?`+q)
zolp&G`4gCFi`nHjUf#Bw<Vc^q$NME&(x{>K`}nq(>*6KpV9`~!wJ@ce@GHL?xK=x$
z+O6e>^Zwi^x^d$Js;0n-ySjkYo~a#-WIPyx-tEnz%jYCENt(+ZrJ4T<p9dr#MLS*{
zfOB8!JCmbsxNmcx!ks+9Cdj=1(XzR-^tCO}V24U@61&z3UCK5Q%X29Dtt_Y40gb0E
zgG4O{*l_5i{^%36iGfRmPMKp~uuT*2tK%R#J@Pr^iJr{SCg#P<(fc$=(7XM7d45?e
zZQrmL8VP0)F7G(af=#}&O@BW@N;nDPP+dOi0jUcsfP*<O^Z>m&rTu0Oe%WE95NBHo
zwq#1Gp^f)*+X*&@tyD`#6B98pQ6jvY_l8#kc>zNOw)UIQ&ICx}Xo&0s;XQM~HL=`U
z%6=+$Nej!E)p3{m(mx#1h}|2rh@o*4!%PP;2DbR)G=abOBL}uVxDzbF-<(WJn;IQ<
zCJNj-OK!)OVwb8N{+O37cU$u?)7ikkFZg#Pf^7wwfHzptQ^D?Jd-%Dvl0LqFDh*_$
z$=j9e0hVC*2A4Z<VBxwL@9}+|o(1pxsGU~4-3P02j;(yl(WP2tjdXe)gK>rd0W_S|
z+T+8mw)Tb%o<GSLjlh~*9=Yz7r=Q$@lt(gfR|z5Bb(tTM0F0CVkaSg1ZamadIdEF*
ztRD3D&~)2zEa$F*ol`LzzRjOlix20m|Dj;~hvHT8kNn@yfB4~_!f(Rg{ksesx&5c|
zA^G=@o{wj5Dh{MStp17p{f+tT@0+_O`OIyxeJP79lezqSja2S?cmAJ*oUeWfl(QAO
z1`;+5BUYc-g$g_iqAiooq(&}4dBrn_nSz4u0XABPKf(e#p_&XI??Zu~7bk_fsz<hk
ztqQS)P1KTr2)0zlg+UMq25#VWwX-fMlpMxXcFrG<U{@IrzEM1Fsr<1m>BRB`zn_4S
zgO&@1%?~*$Is7mSnUH?_4&q}CR^qdtqZb_s-#NDXe-AXbgQZ2O3^Y}bxUT1K9^BQ6
z9#((kR+|)OYcrgkMi>^X;RpLIOS9P0dZsIb^oJRzj{$atP&?KYHOm*=XJ-1akbv!r
zej5u}siRBD8T`p)7T`C|P;MaWaBzQS44V1!W5sX%Q0qsd=I2&^voaR*_foR?Slc_4
zs4>Qu^ewo2dqyah>0e7u7T&KqfYbzEe|`Aj@~`C2V$(%P!AU?C)~WH)6(QDbbV1!f
zSufAF#yik5Ahy{sKzgv$)h#YdB05<S><Go>gHMuIRfB9<OYzg<x*}<99{0&Wu;J{C
zyu^&9Mv0OM*w`#3D=C{?^X|CQQp>g>mwZuZp_&_u`=GxCvw#y0i~3-x8A_{?#Gc&O
zv!gv6wYawT`9?ciY;XrqS!NL4@@7u&!USpWhqL-*NC!c~RVb0aWB{kusx;id3GN?9
z$uh3pv#tggfh8N)7X0nSlk>BqLHzWWk7n~OOPBkn*xPT0KFb7j)a(zjuNMCjosfCv
z_slRGW>2E^C%Tg(fLb5CG2Ke)07{$EAnRuFbCSi57K6T{l}&I9)wUBo*t=0{Gj?@e
z<o?C+w?l0<ol87$RP?vU@u%*>qbJ{sgzuqe5L-X*<dhQTO(5<_*d!sUO|yz*u(Z24
zLZ5uT2dkZHhFVWnPC!tf`XT|op%!@8xpCYjJ=bQIN=52&jo3Wf!0++q*;9fng8>eu
zW`*?w?{zxcWXgi8Wj<Ys?aNyvX((vY_?Mc-JIHJW#qR^4m2;ZP4gVOXa>qBmWsaU2
zw|0tC>MnOR_Ng|W8$`F?fmr1eHeKt+YN+3d_+4{C_XkCLG?978y+EbwZc_SlpjhjB
zJk~c_Bm}7(BiD)}7Wv!08NwcG5;G8!4Gq3&G>&c~%tn^3tFwyNLdr(!ikrElL5A#3
z%`!J@iNA+czST4zC4Z;rDa$DXMyw{2P(CJ~hg@?SwLDxIYltRTtgdQjtPTQIZZ!2<
zl{zLqe4WWllapYb#$CYTu_WS2<c{;`XNmrNdJ5QCR`hunvi&D{WrZC}uI+cy%7%z_
zI_JEidDh=o*7ENysXkvYVTwT=9`tP+Mfd8zaIn}UIkQigc|zAb<V6y!8Rwz)oEeT@
zjpGz6^R`qF(bem6I4AiId66Dlp)Ek(l`e7IeGOg9HeChXWJuV)1ad$teQWaGf;yuc
zqk$3US&jw=jqO)l1gC!pv+!o%sE`kGmBcyH&R<b4pa_U8nplq&YJQ-*cF4QYBndRN
z?675xU7jiNU@2JEL8R=~Cbu`e==UQzkJ5g>c5A9LJ6W@ZC0Y-uo+g&oSX-BDcFfC+
z$0w|mwqgk&Z%I?^a+J+Vn8hmgcK7(0aWa#p)bi*3G7A{VOV;Mi0!&8c?K7RAiWFLJ
zNE3A<31s6SQdNTml1Fvys%u}xTljULsUxjp|Cr24ObLHPXyT%+EV~Ut6AoA&dVW(j
zHR=&YJKc~sA>0QUj4Knm*q=}bV%U1c&^A@@e1NkTkdf<khm-7VqBolmm!;b>EmRQx
z+K|yuJ>C!Ur^g^cmZc(RYjFHW?UBQr!0fpX+VIO46S1w=jQyJT*`gwpI0GxZ`L5YX
zNw3Q2mMW*s&be%70PmzG#>a4lf9Lq8ZRZDs45g|A4<J}zx;*N2K?C{`u1_Z?g+46l
z>H1kic;(snS?Znc>2ruFyS3hmVURl}sg24UH;<q8uV$PI2lRI|W3ndARvEsR&9-Nd
zM^uVwOtE`u;LS<d1+(gTuf}hQkF#bw5V_^`Z1tR{+GA6iScl%lqD`A9li@8G2T-KF
z9QCO(53*}a%wjZ`QBZWj%2GLX6efZ!$^HW~`KPv>zZ4pyc#T>VZ9n2VF?<vF4T7t$
z81+{Sy5_~nwxzq}%$pD{mJz7p-rYj<&b~-vxH@i91H8JnE@`gPQFs|RKlj^ut~%*f
zan?j8GB^m!esblFYAX?-Z{6DYRIfPFbeX;G{Z|>IELfcYfPX1XyiOyz1)gMP-z?l0
zmj)fyQMaDhgIU~a*6TB_u2dJ?n=9L4b~q_ot*zE-8Zl!28W^Y>6}?PriVk7_JM@k_
z?rO;Cl^BwSZ%9jOCwXpE@=upKb8(Je>|i{Vmqg@oi<j33Ujl!s?HsG5-|$#~P+Yti
z8ekD%4*UhRYjvKf$`yu@mmAnwauk<WVI(k3>eKDZ$`(IoTX|MVw_ht&IGTR^H&s$6
zUN>v<)x?Ejz8wDq4s;Z*>ZCZ!`K;Q``OyU0a(?Dbt%@_9!Y18ME<r(*`<V(hc^kk8
zvlM7?)@I>!;w2Aahpe2e6UJYT>FWO+srffCx1K2F^W&s$onvE2ycm=CJfk0Lj3vZW
zo!{v!y6|%J;)CAfVTA{;_z&^HHy)rp&OMZn*dVDNG}&pLa>fcqqufc4ZA0BA4`+>X
z9h!EQ6sM9xcXR+QeX35?Y!f{cI$&Wpc6kc9YQE%VaH&>}t&xj)5E5xIq?bIKAwuat
zS?}&g+_}WE2EMknY@!kOnb>#lusQ8?z3a3mAe8qg<pmBuAJrv6HOOVXEaT-_288^s
z+AIcpLGI!p;VwD07K`20U86Xi<!WJTjC41GC3O2QK5{hQ!xW4Y=XBJ!RX+Llkq`Mg
zU#D8g{4BsLc#~o~K9!<5B0EBr_4Bic6IHM}k(^)h4ppeH-T1o%uhH9DGH$!K+x1S4
z!^04+V4^*Gvz~m6t}2ZbOyN=ZwE!C}O)SIE9s<-*OFf~4Px<rm?U|$ScJWrMXvHd=
z`;CcP*vw`e?LNpWqx0H-ib5n3i_NHTJhs^6y;zw~j#MV2614+|9#nKXJ^#qX|9Xkd
z*P8P8q#2oWQk^r;PV2ZenaYlO$|siA?+NBI-ElxszI{&~@-}rC*>&v0@1_xUNW>{J
zeSAWr4p-0D<k!^=w?yVI8yg5f-NUyB|Jp<!T6gD_vK5gzc>v8E8Fe*0Eheu1vBx7n
zhWUe+AJ#G#Y$B*IVzMlR&42PLb87bvW;|I<ZOmJsA8^h@io-H&+l+9}?YelfC~1SN
zs-ASt7h6~2TUBW(f}(DuLrNN(;0y=8C8<WxUyeQEy$f>PPC_jC&2+uL$-4j~ExzTG
z^}y2}MGL?Z(1tQ0I}^+VcvPoZK!Akm*7%zi)(s6mu&HWH(CW%XsHOOke`4uJ7SN6}
zYF%r1XIf1r#cYm97UB;7#0%Kx0TGUlT<P3KByn?QW`^u-`iL#O8r2P{mp<}#Z27qy
zbhsDv7W7K*>r$_hCaG|?WA5k%h2U^Tc}0roVRqC11rE9Yx20@h@QAE8b^myF&~Vxo
z6VrW2X==qc)@mZE8l`?pV{h7^`9$3lj=k9k=E#B!RKmAp6u6n*NorcIm=}GhG)Taa
z3hjo+X?4=@L;QW`&F{5_){^)NzuH6|y+w?*t*?Kgog*Ok?S6-eR@;?T67%qGnybX|
z@vndD>FgP@cHQahAN|pD`C{F>o{W2184^oTF28Ee5TghR8jCwl`&YpoZ?XnMQoWhd
zNZ-F3K4Q6EQ#vXBD3!0*Zz>@@u3A+_o;05XA?-r_nUPhMSo`yIxnH2dVrV+&t%_t7
z4%6o$E4|Fmp3mfr9I2s>fa~f1P%<2LwQ&B>{F6)Efz<3}r)MSx-p1N~$|1FXXI|WW
zD>~kD(gmPR&e7zW9Jfu1&%3R>$2*x6GjHe*aEhWO8G4f{>k?bg7y&jK(5oPO+XC3?
z!p_tJy}Cs_x4Es@{Q}eXHGZjxG5Ev3ru_Z4EG|}joSp_HR$@Vc;0Pz$e<)P<%h?`w
zz^dUJJJ<Skk=nQ*K9|ns^GpO-jYI%9+i976^xrhjAW^1L!JC>*V&TH>*SykeU5E{p
zw(~lc$(B>$$^}0+7pE13hT$_2M<wpr%vrXi!8-e}85jPf9Y#bCjSEuN?SZ7GFsYPp
z5uU)6XHeVywL8^l`y(4%v2LyLhttUx)2^S^;&+q}PF>mr9p)pWvg;aWq>6Oq&2Q<s
zKz-phJ*qTfwf92~+rSymYr|kW<gbdgUrrp;l*u02tjVbf42yYLCnYKaiUN4;o`JE7
zHtdZ`=p})_DeJXad08?lY6R`Cev3UgM^%d?{<JsgL*C!jq9%)&!=F`m&+nF4ezkRO
z=`{tyX{)5Bv;IS2k&O6ZE}>t4AKW$fDobm#ZfF3?Huy3|n&WzyT692(hbcOejBZ9g
z_$%O`eEnYCXyB_0Zi1T6BtcH&={i!bTAGEvQ$N%T?3UEpm!HG_%EuDSAai#5%lV+U
zuX{5lDStWfv!tes)T1_QyVW!Ku<Y~d?MU=(;e35c9fvxag#FzNPi3PN+<eLmxUeTP
z4^FPCWEp<XY8ywMUU1dsKLW>AsQ{fTt#U2_^*QK@EZ29qDsj~&k3X>kQM&uc+D7D=
zKLx($;<I;~$iYag8k#TN^S*|G)02o`V{`~JZ5#_XZD!<^XRSa!1OnrWsyaR^mh7ld
zZb-W03JrD8SQ9G2vcwG78-L9idn{Q*UHAq%ospEVSd3rbgXc)~N7T7v7qNyq=xAr;
z$G2?eAuaMlJsNSoNg4FS(3X9{GNU`{x@JgD3mOVAKhZbfXFGX3Eqd}h<Ba6I<iz|i
z`3AQ!hr;wJ(#70Q`-Qs=Yot^-ShLSk=kHYz-0~|256PZtNT_}ff|^_yUXTLf8fT+D
zf|Ng<**#|lc?HolbpO+JPBd&a?_F5xR2@1gt}R6gU+^!X_U=kfiEPVX<w=lLv|^A0
zwto6E9GoHPqkkSZ+ugD+x@sz-<;F|Tb-#I(TliqoI^5Z#XR@x2K~Xo|bK~OH8Ro&N
zY65C<dmq=Z@UO}%4G{z4H^NlF&KQ_FqL-q-ZK)=_E<ViXv`!&*-V35?BHrz`V~FLu
zR#P51e1uyX4mt!ab=3(_hyDr$M(%NKr{6wab;e|jh`#hnu1yYl%yvs8X(u3lTcwWX
z4vuKpQK#PvUh4rJdE5Z%Zi;H^%%8cv=u;!Fl|zCsL*_VdzOu<4X8JMeOPM=gZ?(}o
z?<)c>p=*V6EDk?@UmyPqO7~ioDAYLPrN6*~EQ`3sbeTRT6ifD%!u4vC<-T5==Nrrb
zR8`<x+YD^LFMP3R!!4^ecdzkBo%crBPdDeDaUIU5i6QqT6Kl<<r(G1sINs%-n{>=|
zWE70B=NRyCWiSPLMHs+2F*jE790vkpYbY%gQen0X0>-Zk3zI`*i=UCU4lzuCs)t_n
z(b4a=gG+*<yS?gUq031tNJE32L5mdT3Jyy$rSuagsr(GaMvqwWhDQEAG_d^JA(N(l
z^LVZu?!S{-4lTk2^QFv1ugtdYw&u$#b28FV``3V{Ntuxn<WcW;%P|==5(O&B7!C*U
z>?Yn;XF_czde=J>#)H1s2|H(|r&^&TO9_qeGd=3>r}TE|K~sX`KIi1PgWltN9_9EI
z{1MOVP)O<>h!v}jsH?erLq|)u-e13xX>p!yaEoYjuyZo+Lc)WmG_wmamVLdJMOt-|
zycaAnztz9bNAouz?lw}-R8Rz-9SDdC+j^dLku<HnUYMwJo9@wc?Jzc&^GlwUgUL&9
z8B7-ef@xM)@wU`-IPk>Bnt09)Zy&7DqHT=np1<TJu%{MAP3cVL@OZ>uqlNWd4!8Xv
zXcICZd#rWcQ`@tra#gmuF>O^U!w)rEAe_{r375wQ1!m)Ba|Lg`uMnw$Ge>i10ej1D
z4Bgi>a!?nq-x!Q{wcV|N2u?Y!5Hc$V@KN)Y5xznu@6LgGfi9hXb&Jp031y`p;Ly(>
zN~^v!Pei3u%tHHl<Cjfi+BcR=IjVdmVuqj#?*{#G$3M{j`OI~Fl!M*i_Xt#P8?2M8
zHy#S&H~-n&{3}K@VW&D!xUZzVK$E!aUL8N8aSm;=*niHUzB}3!J^|<c4@Fh9eoU_)
zh}AhMy9U?@OY_D_a80r}5v<TS!uyqPtf2TlYTU{tb--bZ?j!CuukgRmqqNMAqQ774
z?G}Rv1kc~j!f*aVK}a3;g?dZ{|A%rEZu=vI_m0<NV!0z+%q=Awi{xvEnsjL1@<MV|
zI(z5PTA(eG|Bk5AAE>7?v72nI;kunDDRyz2iAmHrAY|iUq+FAWs~GdE@*>MtTmW&D
zH=<4I(O4@IUA26Y9Wq?=m;J)E`Zxa`$<y(Av1RMhb{t;0|Gp6mv9%H{>2Kp4w&M{Z
zelI32vVKf&%H`>GgPD8j*45yLcfp|SlT?@L-O;aIUrGgF3{n7=hd1WP%^uvfV(rZ^
zaB9$9Y~Tw`{Net(<Jy10s?J%kx<P~iF*4}6?E5m@(qEd{VDU^U*{HG$7Eccv5k0KY
zc^ojx<qfiW#}maXx;KE=JW*oi-?u{fI^6l()-Gd++f?r~tVKK3cjF@W=Xao)NKajh
z;pUbbN&Y#K8NpSV;tZP&|IXpV021qCBvyX#2I)5J@ztBIfywvnVL2kz6qBz9@eYFx
z&u)^MO>tTb&y1b+lmt!kCTijz|Fqp+@fw+7mQf2*n)0lMOLCM?bE<(kCx+KO#IQ{o
z$A*VGN}wAdZ&czNFHv0Tz>tzbqs|)sx-G7i_0#+Hj=SLRq}yI*rwySthVJ>xKT(>|
z1{Tsj(XxjTI-!ivf1ym4XgLQo<ifZYw|K!WPG!1&FO;SGQ7b=LYqPrbl8wApgz4<^
z8hK=7K2Y${>+=d1x@v~iM2>${;az?8#5JRx$K`vGe}~Ji&QJ5bkS|^_P(ed`lgs`9
z{c<6mn+^RJ+a}S;@c&@%EraU(x;9S|LV~*lcL?ro!QJ8D?yd)i1b26LJ-EBO20a`s
zxI=<lNG4s~Q!^iW-hT4Wy#35{^M$&Ls#S3A+UwfCb*+8&3Mx(PLwd7DZggP{2zL@t
z58_j4I_~keioNEFR$;4=E<HMLc0qzsp*<^QU+~J_=HOcOHP5;PJJ?Pb>0P$2V9__{
zSc7QN%g?;iEzG#Z-E`9ij?&GeqT1FkoEkDG3>7r9thYLIe*~FquV>7=%b9hunDJL_
z^vm*%vkci&bz5s7kp{8Mlas^LvWYt*(649`Ux2FBO6m(r#LGid6DJ6<$Ys7vE~Oil
zVF+9M{+?fiIaMC@4Ry@am!}fQfjv}vOSD#OGw`mm_w`~_vw9aVVa#Lu_Sif56^3Xf
zWdK+{qheBTC)7nAvf@>;*U{->QdvC>x;cw91%cVTwzJn0@jh!5g_PBfW$0fSmOvH(
zI`EZ-k=>BjPepTgU&Tc}=~*mkFE@kya%=4c#AQ3yy({rR!y?!#RT}t6w^J1s>zTlk
z()J9F0YhFF!)g9mhL{Q6;6igU@P@0Eu@}@B`k@Z?qQm?x(nwjkyLSyRP~BrxWL3Rl
z$EX|9B=^){-?(t6D$#2DPQey;B!jXJViVVBJE;9M9Zj$J5tmF4i5!QVwe>ETgdsU~
zXJ@DE%G4=2Scs5aM}X*zsHcd<N_Kg-8CbVcd7YnVW^im0)+9R~;DJ`v88tgwLcVKB
zL(U!{?o1fLTS>+;O>sIJKGZ8um<OZ`3D}=EZC+3-s@FsZqrblwqHu4Cv*<$a;R^^N
z^5jzCU|U?OVOSNxu2xgEf1FD1LO1vQ1(nOhU?18Ny3>5O;9OU=XS#yOAI<QpE^VgK
zf28HBt~Q{~Q9=5G-=~kL9~*@i&IVB;gRBmk%EJgV@k_^Fy$1y2m8wU-zSbKo#&5v$
zTI(8ISRLyoU0beI&hlJ0yQPerV@oj7=cB1W?klloJ_cv(=(I=!&)MSeLud-wd`?CM
zPeONzNBOOtiw<x9Vzf@1&eNr8(QW!nA>u&i%42HvfMD+J-La5Y^xxSWu%sRc8W>BC
z&qk^l$>n66bip1C3=|?-C^|~BE#zN*Pl8Zdr27yx4Tm7BFH=<hc3f^aE_p%%*=J;0
zb1RjbErp;yl7=)wuJ9YtRV-r1H=>>n$qk1N0CAfE%-zTq-t)rK>?N^V_oX-PPmFIU
zgTJ7f1Tl8ITE>4k{Jy{B_Za)q$C1(*zFUThucfE>vC1mvclsx9D=y-Kn?dTs1HKK`
z>38PqR^{g<(T>Z=S<7s(?6M~HU{Xs+SkqlLo@UNxR<U;Mp(dT{=Rl|9-_r_D)(sc+
zSy7u8ty`BJn(b5tPgkor1Quqi@n6knzIECUw{_FrWx!{_?!GFN#rX18Dpgd}<HQpI
zp?J1@_lmbJGC!<DFZ0!TGgMEpR!dUqy9bbd`^~p*A)kYECPIvNffPR!I9Vo?wx78t
zJ6U*R#*UA~a~9)Hith9VocX-4l%7`aR9fzy&JVuE25Q{(oQID6eg|WxTMsoIpE!Pk
z?}g&-h;c4Io&21cz58_Zvs>yR>4sB|M(3OLQ7t|8Dgz;)eF+~+NJBQb<mY9@<=n=D
zo@*|h8Kh%E*oIJ8N&mumXC)WDzuRPalq6UL_OT(y&9r|tBl%=hIG#E22)>CTJ?zqj
zlp2LYUk<*Yoo#A%)r~HZ4F{1fN(JjcVV_|ZpB&#wSi)mP;S|fQkoETo{omh1abavc
z8X<5h$#NRO`)^-M`CsM1W=aUf#%p7JlLOGvER86`Mi|}VWGLL+%pOH<DU|#K)!x$5
z_`%V?pjk^hPc|ScwHdWu+muAfoj%CqO^3K!EI4oJH2L**>&i*<BuwA<b9AFy%<PkI
zjHe7iMC9@vo$}%w40Y?&=ZquTu<)=v)_(n1T{!56rgA{D)pOdRp;Yv9*j5WibhnHR
ztghC^bQexGlO9(VCdc=59<w<3kL(Ydy1$1;GB-#^X#qohmRCcT2b`@ynqGCBvo}l2
zO+S_fYdCV|7H;tw-qK~5^S$lSj5S%bG8d#AB0zY3G$bC07}1-PFcxaYg=p;CKD|()
zs4q^A|7rBn$+??LPEL(!>#;M%0%O<(a}092bItGdo&FNOTdPRbzmi&JVgzA3APmC8
zuDRFb<ivxtQN;rT8|1y~)8F8{(nxu+qm-0!9G$J(QfMoshU8>o)~tJa>$U?fKFwGY
z(5=MA1}xSA6ec)<S(qK~@J>7}>{Ii!W>}nENG>8}#RM8vY!udpe5;`~+TG2Uy{RA^
z#ny$z##t>vkgBP06Ei8fHrJS4xq6+s$RH9r4-)bib}eASt$N{)*ruZ{<fD*sKGiRC
z;vmg0l}VUf(TVFJV=#S>(S}~?oY)0a`RwBBg%s*}vOU{HUgMtnTo`aTbHGRYVGV`L
z0FZJ)hq`W?WD&#Yymbu`r(}%!2@;{nGWs`4*9`IaLKV<m3zm|Fwz?zu$S!5sG`fBK
z=j(K|xpjWI2ujTdSuvpkfNqFqt+xRVb|{Yq=`*_%^RflPe4WkCh2`9<3)bRDd1o^&
zF(MB7NSU1Fiq3F3%85jy2JyG*paj(s+=<8uo?<ROz}w7UP?~BtFbH<1+Qn2|=GecW
zf>E^jI#%i3BE<(YS>GbNF|%(?)~(s4@FBRvNvWC#1wcmpQOhXtmeVs{fA3XhJ+*Fr
z2H#TPXd_htts+|%Q#d+S25770&Pz?Rm`^L5btg)MYq)P-L&~wuqF$LTXP0}uiJUkl
z+L~xr)jYw;)bWH*{TQ!0+dQRLoD8GYakPDSZKKM*WY_4jk$Tc$tv(xkD$OEyhTT|M
zEGWS<V4Q5a!=ruC<V{spC%m~Asl}8BSxEdEr{Jui@G*EB2WsB?ikizX!{1uC*S45>
zVY<+(yukKN5d06vc3m~70XPqd`!TsP(B7_BgsBI;dbL4Qo(mnWDp}_4Y{@cG9V)#C
zS-|25a2sRPvKWth`Q(-Rx)bt|*l(YQyefo$C?QECdzG57lmauiyBU#)#mX|YIYQoQ
zHLa$p*ZNN3bQQ&Pm8!8y&9zcB<$ESaTOGY^Ib14Z{91U5te3K55RAi{H%`Nmj|js8
zWav-rYe#!rk*4I*dR>{8t@;e-XLL5=jl5lnHiQ-9`+a<3rrb=FitQGWU&zBXcUYo+
z1C2p^3umH*9I$1{a@~HvN2TGIP)WSYuSvz)wtAgmEs7FS2qiMzPxy1%0aR~|#%6As
zau-01$ePacHay4eU9_Rim(JjgwBvQ#3C(%dg-7bzlYON$n^y;Pbl9h-!w6+a0WvEM
zaIC;JRgviyU55ODly9hVSaH+ogVPJW-PWG`6{N|y+k1g$k?}O8AZXeEl`3gl?3F2#
zXg7>pY2Gs$Tr*Aqe!mZ%8nEzC@C*Bo)aFAb5nYW#*qLU5;Ds?L-HcL%1tFa4FcYnJ
z=VentsYGSJpu8a6U8i)E0V6rhbu%_aa>o;fO>DJwl+fi*an9owq!f%n6p}J3l$%vV
z+YJC4Fz;1FaUJgyjD2rsvVB4m9xIqtU(I*;;}8my-d2|9&ev7&r`>7($6?LOemUkD
zywVYvg<{@h65c!QjV3|>7Y^?0f>TF)hURKU@4&I&!yoO}HQx{8-_GGZ3pzJu&?MHs
zH7Y>0B10z*9A^iEu;W_`!Sre6jV(tiwQ_R52V^S!$aGBI;jQO*-tae3CZWLOBVRK<
zY$BzGOPwM0$PoRUIz7r&qFCY+2|f`<yUYrxe11P%9ROB$df)e+(o$}V2A*}=+w1+w
zd-*dS83JzvFVp4tC`;7W4T;#V+?3R4`LHx-F4C5I@(*QYa5$`W)=RcTX>V8u1m!t@
zA1rOiXnIw`nUJ9e7_({j8B)aE``GXCuCz%>!)6OH(D29vCIRRA<k2AZHe)fNP$FZ^
z(aq?%1Af9V<)Ce-t2Me?JW|O=VcF~6H$s|drI?+TJYoxCgAR+M{1Fcz`+Uw*<}uNH
z^9w3=HF49f8Lhg-t#{74uLfg`n}Do*k$(B)cvco$b`L=!e2B)nD3y{Ch84L2NS0OX
zj?^8`{-IBe-)!}FNj!2k_MLMT7Oc}@XvJX&4&Ti}MpHXZu?5~(7DrNE1{aELCpD?a
zCZxVjf2YnHub|Qq@>MDW)9}eXh395n(19^mt6xrGxMs;&)>r`PC+QUnL0|F=Dn8PR
zTE3jB0Tp13D6wT|M-e!#n^PZqR5xoMW;RGPwp(CI7Jiwon*}T+8FkETkQOb0!d>>t
zF+Z66&ii~mcs}emP`~^&+|)myV#1wEFG*CEd}Gf*lfp~{@B5f~F($zXCZ%NMWDi&j
zSo}pDCjaQe9(+ZyE0-|f0BKk%-=J<oD;s&{Z7L!qb52e(+SB`>(}xmN{-NAgVk*`#
zqkW4gxNaLg7f;SUNX`8mOXtgY@|qmmp48Am>b%97gudD|#$!JDmb2W&3~C9x#l0oM
ziwZ@mN!42|b5z0aX+xtr91QNC+XUaP8sVL|+agg_;$843`uEdjt4zgoS7Fwfb}Kbn
zW~ro9NIR=+s*)U+s?dyUIIbRHh(x_N-7)H!BjE2AZ_^nWz;9K01kp;v@1FZkqnjqh
z+tY^ACr7qgB8>C!7#c-*97??#FZq~BhbXRp&KahBkyQ;ky<Ar;8$Jbo^CJpHGG6TH
zgI<Xd7;vcWET=I(Gr_ER1@+i8(Lzp5-j-ft5Mw|Y!6_CQ)^I&2MG9A=8To2lma48m
zsnexR-5xWdcg9ZY8+--!>f~)C(TdyUntxUZl1hJ{M^_8g!ULSKIwCx8o!jda3$1U=
z3W|5uBT)=a&!WS6Ej2&<)^efkYNLT2&2JL{NFF)Ty<1oc<>n&>fC$ZcgAdy53N*6n
z6m2w)G;u)Ha?CxtR=ex)d<ppc9mZAgPa%6n|K??h_Vrb0Y0%qFMT$+wh*Gr%lNyjX
zy%tjv10FSIaYce|QY+>tZ}~!mbMhMJqu7_ichQl-Xj#lZx)u;NClH~oaB)sYK#_0g
z8jO|_3s|-b(waTG-kad#P%}mcK?HdTlJ+uNC_%<j3`#2R%o$ndu;h1TSXa@kkLmk3
z_ne3VAqjRwpwChhNIl|}dkv(4pe|p#oV;i8m?}LX(t|OXFX@dn)z%%HhbFIQc|XR>
z4R(WtH8OE&CA33r=cmAt#vwEEWRV7U<?qXDV_so`=otWD=hGHpIEsyXuZwwvB(wcx
z4-&X;-#*;qDY}{Czgjt1fA!)~m_h?2j3>rdB9bre@5w5jw8Ik8WnvAxLp-URpWle3
z$Ox}%zkZGZ7-va*B8207h)$R@Gl^#P#2YQ`dTZ4GrtyI;_oMZ(F3@($LGfaHM7v$J
zf|R+1x?3YosB^~6tiEd6j$`#hG=}<toin7QvA&LY=VW9vh&VezjYN#*WJsHia_Ifi
z^)DzQdLXEnw*Ujd*?Z3u`f2jcT!(gTe_pRXY?edc4a|^XBTI+&Q?SzyR`>xzDe^`n
zr&GP4UROD7`mYubjM7D_-N`Q~;uh-ORa<gB`!oNd#Xx=P1V?Uh)e5aT@M1v<ed;)N
zG)9EVqBNt7F1#tB+Oar~%sIX<nWb_d-vCy3-0>9;$AKJyuKmVLRnKDE4E5JFqpMV?
zHDzB0FYPR+j(h}D>b!&Pi^2s+tU`6eVdDOeQ+w#IORlSKF~{roUDaJ@1LihfpJK6j
z7w58-;ey))E<637_q`h!lI>lrsv%;Q88v)1DN`K9$zi|$SAC&3BtK3Q@?VoG>eJ3@
zF@6|sDZRfisnVlaL`~C4{7N@UykXJ73IQB&W}GESgjZZOx7p5XYiY(_-0XZ8L75(-
zMJ2<$*{;G$*p3<o{u_l4Yb)Zb6wos(<EjLik;}ni>Fe>@LE^V_=7)*T_8+=ax)>C=
z*GF|o1>OnaL=%-vdI5pCV!2!gCXPfu8%kCi-2vZ*&Vb+S@!53de|Xd_RVN*X$uW$5
zOWsBK#<rer3v$VncN-@cTl8GjZMLeSuavxhytpTQcVL<fiw5s?0f-oLlHlkP8i^#d
zK2j(P>R-!w(Es@JN&u2F-on!ew*7snibi(Rgn7o?_~5758sY#{KR0P5f7H?%EX&GN
zOmnt>@1|RW2zV3)P40rTnVp<Eyak(oK>>bG@ciTyI;{)sB!1m=WbHJ3E&_o&<hk#(
zyx}yN2UR{&JoND4f4;lP=3FmqZ}DTYsquDP=ly8M+|Ctm9YDlNvwb`?-Fy25Y`Riu
zpWN=BQ4wBQ?akl3gdK1V<9eS+mp=QxOg-pL46N)bG|Li}km)>An{>2tW0e4f6n&dT
zMyO4}8D)V68Yv%KM)g}<FSGA*rC}adla<g>s-*!W=?o-29JEBNXI-CmZg=nT?Sg)f
zhOTALsI?iqRCotl0hHzBeQZ=2N_Y^NEpU?2E~gxm^_L5*$d)Rl(Hn3ml80wj|Eo32
zv1eqcer4GW00XPBIWg98bFR$-0B+`Y1~SQFM2A^UmG#!IVi@>+D#xfOW@1A4$Hr}o
z0+|r43bhjIwSI8mGT^f|4$#<aXYk_JDasr@QKkEi%UMSkTOE-Jn@#X9@af@LF`&1G
z!!64#Ix<hpGX<FOi;m=&84?(0^P{~Pvw|uA2Qd%je<xM}f4NqJJKdv*8VW}n9GfYa
zJx61X!KDk7ZqVVO9&10~*Kr9Q^tRS{4m_ccI%?y2vI0~4J0B?-rz;eVy@MZVdP^w?
zTeH^rGHd4A{l-cRoD=a1t+c(Q;<TJ+IFP~OE3#tMWFl@D9J+|C*AtuRil`R{>6-7}
zmnyyyX4Mw9{s%FB)_;k#6@Rrx0T&z0UemE;Q~k?veFtQGApKmW<Yi<k!X20IbieP>
z>~arv_T2dRXn#tfU_r9?y+$xxwxJ?%IcLi+!jWd|ojo;|!v4v1b#A>?>RQoo*$N;h
zfdX5%VM?@V)-7R{E-WrPXi5Vbv5WPdN_CLmb06?(m}b5YRW2n?`ya#@WF-GpQvDqP
zWBrfU)>@8xoM2`L97g&mj}P5Ufy(J|(JghWK|vP0v+!#8)O=g}GhOLvhS?nrO9f|g
zX;C;#D*ctxnX6t=qs%r1wGo?o?*NlrH(b&M3Xx~>XQv3)?_wB~McDr!24}zcufXf?
zh!@6zaOYj+;U)bVLpUOlGkJT{(G8s5=WU}6E}_>g5|TP#4|nS9U6hjZezARLWCQrC
z!=w)0a)I!3oWs)BS#fULF0SYHJ^$MXm(GYs-w7{&Bo~6Q=)0`2^C~Z25e-A`H23J4
z-m2O7rJD`Hu@~L?Klj!b-TH&d{YAI_pi+O)tv_?*UUchEYJwNtdeN=_9Eb5mw_bGX
zKWcrv)QSJoIwdc>^}<{Kk8b?m8eA{D^}<{KNgdu7-Fnfj7v1`=UjB<O|0iDli!c8N
zUjF|=zWlTtZFGs%QNe#{C?@^ahGI+jtJ%p}OQrwXP$VDv-B2WY{ofjj)1IL|j2Ax#
zN|V<%v<aEnClH+J%I1?(HuM6#l3}lC7AK#i>)aLQq4RVpMe3d%Rs)(UU=*lj1Klj0
z0q9dhGkl|x7{s&*{i8l<9~3xTH`mg!vSF9)%?GE#Ude(S8T~DvYHbpIoa9;=1=?oi
z<^m$r-{(1Q#sRWqCj&&~3cayOe%~5yywvsk=YN}<@SpmyMDTN(>0Tu77u3ejkDqn{
z;QgKb|IV*Ee_u%Z#PthmargJ_b_a_}&tji`{2oF5giuQ0G?~%zU#7KkjQPajlev9J
z-yMO%Lm&y3%Abfhk=jl?eKOU*?euDiK#1*bpN3v!f!!(^!F@+X!*aq{z>cIYwWP<F
zP|{T@M_&wU7SU(kwCa!oo~y=z(Dw}u-(HScnbO8RjhaEFZ5t*F(_d5**h*!V(<|_B
zRH4zZ7gio)Sx20fs{@b=B49P(kE`?jUnMawe+ItIS}!>dn<1N`G6PsOluKIGy~#JF
zd|wWel*|{{oE5HrJ_;NXzuBHm)I3?tqcGnvZ92G3feyshG-2VUsHAs1j2|8ma&&@z
zMUUVgl_E!h>k*8F*pdu5Tv&XD)Id&7K7@^HPc95uBtFiaC=D35l?A7#*`)6gkh3x9
zzXQPxvKnezX}S&S7bp4UrG}MVXUtBPEMzQI<YzcrC~K3&iSo)d(8l%FLV-|Bs3_Ib
zRqK+q5`0?WxmA=Ap1vdZ(g}`yrVOaVCpanl(HZf3BJ~>6%~P-^a$E7d4&)MF%zkgM
zrh)mb#GP5Zu`_mhQ$RIFMG-4}qbCXhceWlvBCi!G3*0{sg%=GCe)RE`wO%w-1*V~{
zoh51+G~=kwZw8gIcCt1=HM|)R<44=mt>!Y4EoVLL9Ib-klEaq7*4#z5<!74TIo1Jy
zUT0SJh8);tj6c`5=j6Vj6i(hsPJ>CK!Xw>`rQLJtfY*~wHQN`rq-i&-=dK?iak;bp
z37^yOc`Vkq&MbBa^HGahv0_|7=4tAQ)k7j1EbxBg2%`7HlPOJ67BZ_}822EA&r~J~
zIm$ov(~|@U@iER3m8?!@LoY}+5vRs$gEUryfA%=mkb>FUZM+3VEu+_3lW)zTMmJ9D
z=@mrgIcwGXfodVbfLPL<Pz+GMvxPhb6)DF*50!HK-lG^>Zl_%dZ{P45KfB(B?zaEf
z%Lg_2twspI5Zf@#GBki6lstS&1EkVRO~=YBISLrvo*?j_`p0kEx+kEta+B5MtF4yF
zg}7jf^!#ysVnX+o-((J2DR4%DtKCh*HFc7@`1G(wdDJI2I(32c^!m%K5Mv>TI6Kt}
zMb+*=!T*?iC3a%8N*#38{|m~XRU_^sLyw~?m$XshTvz6a4a(HPO$(cv)GAYxc8j+{
zlmsLhcQFvY_@#}lBmo08<1b>1xIGL?M;4l^05Duy{z%ghj^rmJpnxE(Od#C=9Ww&6
z9J^>Ak^1<K8)kbV<HTgd7gg6jQzx^SkNX4t&w_%*P1dzE?US(fZex`-s|e*s-$m4L
z^>MX6YXuk;5W!wnYv9)wFQmKan*stdOAyE->7Czk81$(wIpVT>Yo@QeFUXapIJ(i2
z9y9RlF;|40Z$Bu+U+1H1m)*yhyLHtl+Z9wCo;XIm^|JIPPE}rvot|h6EpNUm{dj|R
zCb_o@s93z+`c$(<Hwv6$%-EQTTOoI6r1VYy%*xe4ABhpyI8}+|n5|A4r(QVfu{C&n
zsGB}74HqW=&qGxR{&9jCZTaOAtE@C>Vy>IN;o>u0(l`rVxV|T)MXW)r?4|Exo<(`%
zsX-ULta2>Z!Nf`@EI$tuKa|1)ol&z{e!`8IcDIVH`9oQ;IKlO?vS_!a^J@cjkkz`&
zZ1j0{@;c=e+>tjg-GVbQ^^VyMthWHWK<q@>@yLPMis-_s=X{=5*lpqEC7rtUlVcC~
z9BY?%KULnrV$=?;BNe@SvKJSBJw-fxRNH(BzEz<jZj^R*m)~(4=*lQ}R1`Ew_0L0T
zkcn`PE^Zh=>i+UehN3Rb@@9U^dWwnx=y~Jc$0uJ;Vj!V@mrQnUT@Pj~ny9}bYs6e<
z)*{d{iQ}pL#~H2hUF|08t(^B+B)#8<(z!8SUx13U#)bnVv7i0C?Qr-`Vf;MdA?Ug*
z8|#<{CGn#EF-RaMgJ@)L0cdhne@1$2*Ln0sK+IeD!4s>Z$+y+u<PQFl&_%YSrD2yd
zY<(i!z}yfq`h4Q|%{>fkHZZ!>>QbgymX}1_PQ2|nRIYO(#u)!R6f+bB;rjkDWwD~S
z<b;{DZI!CN$Ck0Qv=2_n%)`w5l{s8Um<RcIo34F-s)`xJGhQ3sK8-$xzHXFY`5)&q
z=$_VV8k$Prb|^&%Q}xI+TM$IUL-&pAbZiUHUH96=yVT5G+Na-3e>&oZAav{=;wwTl
zBadQodCXh)0C9`E;oNXNBq|X2=eyqj-!@G3A6NnwuM&x#j3<aAXs+uOa@CWvlJ7Ea
zO}|I;ReP~?&DVDnbsGsVS%`bZi0=Nd?aoKBC<(2501|5cIPH+~%5>m$MNuYN@Y5H!
zt}?L4d3^5g4Aq@Gsycl@D&TV7)_|lzlY7^X*6|?7t@LTYEvn$cX!D205GYg!k7cvR
zr3L--&|uPkEa05~IG-#21;Us!V9rTxDCm+Tz4YTWPzr6B7hV3*9#iS(rdK2&-;&My
zt}NDCh>5HTP}73&?6;*aT5aXJbn6o`i{Iu%cRKkhz6)ZinH5}OX9x;9E=LTgA`%@z
zrq&SIoz9Sw6ZwnKxUGLG;F<q8pBF#DC~EbZj&v{Ak8DTy(kGTKno(2w?mwsVlPjF$
zL^-&gRv*0}+5ZiIUy$qt$^PY<=LN}LknCTgxfdk+Q~TrJ;$gfX*`Ma~3zGe5iS>eH
zf9grTAlVC&y&&0tY_Pq!WPfU~y&%~OlD)WOFD}_{*ZT#@UXbjiarqzjJYO1@f7<hW
zL9!Pl`(N^;&x=d;Z*s{Ve^_1OE?rRGpPf{H8Pl&)F*U*`RBbq{MRK+7cISGd$I~7j
z5a=yJ?v+PY^*$yeF;%Wo*?Z+g9AlvJLDotht>#)=1Azt@5ny7A@|DkHu0~E+VJb=P
zG?uVPMe1-Qwp>Fkwf(6(1nwY%8H^AsD#3|i@s>-G|0~J8>v*A|{6UlmjK=D9|A&0x
z^9j};?L)Xn1IA~g$$G7HDQR0SdPF~tE)+j`hLGvrQMlm-vv0nBOM$F|WAXc>p*H0A
zdBfohrx60H|Kx{(T*%NbC|EV(r>~<ZKO$Cstoi(Reg)3`1=VBz3+l1+_k+)41#wyI
zFQ{apUr<J_J25<ofdA_P-*K)ngqs<yqY2*;1L~v2Hp>CSB+pbT`!^CPy5uP2lre5Z
zb%%9uIZ`Pma}(^<hAf|hKL?D&J(MtB?wap~=`CeU0%g3{J`N#BS&O`h_n%Iqp?zyT
zqRkPvXW6YnB?7C`kH@C{!J?NZJ%`xQRm?dTL)t~<kdE~bd1zKomip_IunHG`U>&({
zZzySsk2tQDQcHWNq5Avtj}Xm}yW88lH})KRR5|qzxFFZ+Lx|oY4CR!ko`$+I3!T1A
znv1c1qvb}WXY`Z$-ccdT2>uus<%~FPSZJzAZJ<s0jvcad`Nzha)X^!OVt0x0^D-Jn
zoAKlJituplE8T%i^qWG78<R<gl^P~_+!*c+={82M50hg29fU#ndW!g#F3B?QfJ?VP
z^DUia^*mRB8GP(IztC?~v8FZ3y?0a&V{iB4=jxr8RjkRM2M71;dVg@fF^lPa9hUh%
z_xi)&71&-I4Kq5IV?s`+Y287MS2?g^y$!k1nH;2};@?;WU&h$pVPG>&pS`SAK=<L2
zUG!ZOuU1z2=0v?Y&QVpijV~GTh;f5yOH8$hwDH2VjN==+NOq6_vevkgKAk3;#YKEN
zD(b_Lv5bCDwYiig`1g&DoUq_knjD_$%M7MsU00g5FKdPiow?ns+wuZtmu!F|z1jMX
z3V7L!%l7Ju0%JfYn0bG&%W}3$^9uhKG%+t>62p~XFPjs=hK9m8V)PcQI=n)#r{ZsQ
z!W5s;B6A*{yso683r=1Hs$-xx?YD(;Ql3aeACIJcZPM4zU?XtqOmx=0R!$4^bmN2N
zY|r8RazLAelCOP!BE1aJZW?<W%ZAzeknwbaT+>}xZ1JI1OB3I;a#id&<L7~tC7t9k
zJ~LrJ>2MBGvM_`_*xQ5UvAE^xX1@y@v$}#>d7c&_r7IUEb1yk)lAaqgq$`VN@=g@T
z$ijhyX3;l(i+xE%f^AI<pqCu2C8(T}?%WbPa(ao?$F3!<+svOzSme|W3Do%DmVny%
zb+JY9b?Y<6NbkqAg%rC8qpVUum!7bf+YemhNLEz>FO{f%*^&26R1=9RKBMzX2IL&}
z$?N!Z?RiCQHFOon6;zZqQ!dE1vP;qUi?J*{)}3AK=G;4;RJ(15g)FF-r*5crKz_UY
zY4s1-f3<oav8vA-v!jziy1A9<U-VVNYr1QXpN@F}&XF+5{>?H|jSA&8=dK|EjehwJ
zua;?jtTrKPgo#obErG-pM(#pdUuaZuTwkHLGtVd)eMkrMnSu~tLiX!1DO{7S2RcUQ
zs?PwK;rGyAjX85m#ZiSECvD|osjjQ#=yooqd~zgXR1y;EJef+~pF}QA;ynbHz0UXi
zvX6!uWD@559z$zqMXQ;u|Hc*2rR$@1M(I3+ZaWtBmW`Y_jxI_&0XSAJXngcHYX?D5
z%O`5FUBlJ3`ZyqAzq1-tQI?im!!gNI$E3~f0N@{fuDHCOP1}jy%}h8bh#C}~s9P3p
zTDWKq<x$J?C1E@$98vUCgCt|=Nouw0-JM%()yNB1E>CmIDz!4ZZ7Ll-3li2v>JwtV
zn;hdyp`Ek{lhgE1$9fbP07=ivaRMPoG>kRq#|t0Hiqi_+ma=z{=cXtHr*jw#i+>=l
zY1`pe_|65}D7x#{=f<5j9JOzc_p4oUjOh+L;1V`m@*As0y~g0Y9zkPCsx=>*QI*t^
zQ?^dG{jMe+_^}mZ#8w=4aWCqjOZar*K#3JemCg)m25}lzuRWe7a?zB19B3<4TG=gO
zy-wH8sR0z0cG1^RUsRKm0cY$JET>lCae;_T{1!dEEGM0YFXhKvW+jYC_m)pdR*pSZ
zMYAfD82&2jul)k;7c%8V7qEcb`!IT&pFFJGrtD1f>SRvq-?h;j4u{v$-ju%HcbXSB
z1?-EZ#kkO$n!+{Uv0n~7Z(l~UaE;g992YzTtDRJ)M=yE?g4N(xgwgevkyy9;qct0r
zHdA_Btqdtz>--D9hYi%kq0Sk`NG7>EkfamwqT3dR+ZJ2GHrCb+(`b`8mpH@`wmEd>
zF8#>C-*LSq5;St$z+I>}0aF_G?{9+}^mwh6e11X6&4&?qI9;oA#$%3>Pp$ve$NxLg
zD{%$4TUY?7BlX*s_~6sXV=L2+DruX?duO)Huu>}z`Y0x`M7F8Xe-B<iPOOxVPI2OR
z@}i@sJ~zqMZz8LX8`Bdf6O0~8m2Ob#q10pPYf=0zR185`_Pcx6x_yG)MQnh*?mAM=
z%T`^o>+I8JJ|!1R4A*T}`}Ad?Dv|iTaB7t_3>^@g{S9t>(!Q^e(<3DcUcQq)Zc~ME
zR%&EsCWC%S1^Q_o0u>*kVXzF+g{F#}Geb|Jm)FFudDUD;p_#iHW-7-XP)}WKu*$RA
zXe!)mw$Q6?pX*E`wIphUz=2{dRRGhRj7Tr0AE~-Dx{+tR`1M~2C9xJ8XsJkj4wtU1
zNOHEd{)p2WXBSk$&3W|m-E{})6UxTs9f6*)M&Zf!YIWKTwFGcs%|fF}3RJ|Zp)3_!
z=wvo$yTCN2A?Ii}{{!X7P4t$ytM8n<eXvFnJk+Aca;y+_Qr?E(S=3W`+CThwQ^(gj
z%Jkm&`X^}np3a`@?49ScdA6?)=`7EEN@~egvda;&=uCa(bFAMqP5k#7YtiE_Q^$An
zM9vP%c0V%z>ZAVUo-p>uOJs+)%UWEIG@(60%ojhBG0{BVPo~`@&^~wblWaY4?ejT`
z)6f#7mtZ$T`%$cltA(EYQ0JV%lADo<uh(++nkh~ci`OUh3m>c&{M*3JpA8D#-Kd9(
zgN<EWh@f04XCmKZi&O7gC%M>QZxv$o6Y|f3X;+C}kq)~Xf3^Gl9lI^b9p98=xrWFb
z)1Y13)3?iK1V7Lo#UQnR@_%L=^&7Zr6&S(MOg?<PZ$2pzke<y3a^WtXsL&oECNHRv
zAFgS+W^y20s?QVPyZ(ZLe$<P54*lln9m7~hH+yqo2bS|nEaW}5XV_2p+0cN1f3h@q
zzC+S!6gmG`6S-N{`n8ep;3flj^F36=kFxlv)lBzMH16sYBxLfnA;Q#$ZYA!qMvLIp
z^+;Ccg3c$Z>%YNNn7`U31nd7ejasK`wBt3TOsfmxi6yotiXdeM3Ds$vtEKnEbEl!F
zLf(OEPQY;e*qTWDc9Vr{T(GK>1AFRCcADl_{bp)+T$mk1{oF+#0~ovE=e%!1mGd<<
zLA)3j3{3I^v<Gtpp}A&SPejjIs^nYx3!#f%qnjut{JR?ks}Ed%^-2G3KfFo&<188m
zdM!k>i&6qH!ydV?^{A#qek8k&yj>US{h4YiWc0K~v=dn=bM5P+1Dq!+I-G9LjQk(!
z)0f<ED=&Lo4Z*lw{wLa*<-61EbYl41B0<oSB$O}90o4um*RigD<JMQ1{^wcr=hCk;
zMfq%Dj?D$G3SS=<_87n^y)nS)({bvt<eNERKRMY#4*DT0JMTE&b{$H300H=o^jKhy
z-fJ|G-ssnJLm$QRaFsRxl>c|)sp+3*(H|@S_J$SH2_JJ^cbBcgIV-~O`!1o1`)>Hv
z=qKTgPg<o02C%Nw+uHh>A?h<lJSc+W4YvYM+$ECzUF9ehH}Sp1a-L&d;w_gBe+A;&
ze?t|}Csco&MNxmO{Mc90pR^#s(Kjc??oM&~%tJ@d8bjX!YYr>OSC3P?kN2YaLg;hX
zYpm72q@$j<>bZ5_AVaKzSZ7kc8kI3nk0#Ud$NwAfQ)^3x?Bnz#y+e%-Mn_b@MF^AP
zaW_*y^N!ya_uM5bFu0!(?ggJ-@aYAg{-Y}71)u)4BIE_1{>38X1)u)4BIE_1{-q-1
z1)u(t?57ue`qza2#eMo0h5!E*_sNHF)7h>86DO1p&TvAl2E7YpGcPS)PG<U*P)&8^
z%9+AS`KyktXE^o&!&f?}AzFPp&dJ)^0xu=%>1eL}wfod6-6CCKH7MEF{l;N~9NWF9
zt<z4b1h)4v>`vlQ!+6qfv8XkH=`e~c=zCdn2RQ}~{NG43AP;I|Rx*_ROt5(wKCtDJ
zWz;+QZ)5AWaU&)v7SY@dw-M=`UTH79E4*sR;6@&-aDljED6k<7$zJUDvT^<%K+9sI
z|NoIOw6zDfPM`X*-u=A0g#HCZ*4)EI%s+bpZ5CMe<8{@BJizAYV~;&h`sAdTz$F*L
zK%{DGJ!D3*o0>uncj>TNjqXzVxD91x!6{YJ>$g2^wRE%0&QRL^{)~5|o<YC+qK`vX
zSM?SbtX(J@GY-L*DToV_&jwftRFd_634%XElqm@?ETlNs-0{QP^Taw?ef!|)Cz7D_
zai)`shs1kNP>rg!R;2I58PYmfv<Shzw196Eapcr>a@t>{a2y$_;?$t~Ab`%`twbX=
z1_inTk+lY^!<ia#feD81zR?mN-@D;;_*Hz)oFcWasH?1AsF~$bbON2pM`AZ22D@1-
z%H&voE%nAnj*_`SzZu-Yn+&aUr5Vo1eQtaJ%&W&XQm*4|0cB*6d#Y{CJQkZtQf3Xx
zn^qJ`sO1(TSB9YQniBC*w_!(+_uVy-p`AJDluaUYwDt`M(~hGOC9w*J`I%ydZ;}eF
zOSrWY<L0stmdS_%uM*F+)Y0eDqi|=-l#2`*rh&pJYF9Zt9lW%Cwo9oxng#W<1Vo7V
zI>a$%&#!hXqStQE)cWOZ_#RbO8v3IbGM()Ai&IKg6I)-0A}Fb^B=s++;2H?NE2ow`
zf`NlaL@Pvt7$s>3CYf%3MK0mNILTA<<B#u?`QU1JWiA0D^^DC&xNzF*&+n7AM_NRn
z42?-0NdtgF$JJB!ryU<~<RPc4J|35i;oigRQINDN!e%hr?alMHq$@5qBJ`_;c+p|l
zm&CT3qLG)>RBX~&WvN)iNn)5thRyE;wX(zOI_ARR5P182dGEK#cPe@I&KP;*ln>SI
zx&4p=RhT3ImgH2JXfr^d@7*cy;A2R6Gsn8isAO`LgQfgp)E3dPFR+1W(WZIO$S$J%
zbtz-@6Fgt=z*i>6FQ&7ML{p9SNXaFV+&ejya7keBYKq;*NCrf(Caa=xw`4}H&kWuZ
z=FL-8$w8#$8RhCCr{x$rWh$G!hnXGX5+az^|6B3N6s+c5sKx=odVH>JgxiI*QWocF
zqE0R68}#?nO;uK=z-`-W8M?VMh=d8f6G8kyQnKnsSSUjP@2KKQGiNJX(ry&;vn6~y
z502RK%9*Zc+0FSXNVA3W#;?#&>zt8e4$l`mxRGI{(PpnihCby9D%Vrnx{P^V?Q5q!
zy@>|efWhZOY<j)qjB(p@{U%hK?!&MtPyxJ79Y@D(j^?pdM%U7!4baP5+;54=W~0Bl
z!JRY!zVnv0Dol7(+Auw0Fo;c)#(4r&#VnTbC(p!w*Sgi>`#B5z`DP(og%87+q)z?d
zs3+?k(q)h`13UM(H;gec6q~RpGISZ4RS`<28C3iwwpu)Pv53Htgvlv9MMb5SQa$R}
zPOrs|SLP$j9ihe;wPb>e>Lp6bpcQ1`fX;431!5Jll($)+yyV+5*>4C9+f{hlIWW?A
zgAe>({gO+ZCJ6kODZ%ED45LNfyf>3M#5Ri~gUpluDiU-jPcrF7Zl;LuQ(y-syU0r3
z4gG8gN8jgU4kp-_euHkQ&ogd5*XGe??j#y&%O`>%AqV8v$Pt_W>?h*dII*a_kTVX~
z*ryM-HLcvKeykuVxY7|)$3PhnH{=ocfnrbSa}1lx)>;Rr*BADa>M|wsJf9XEEM7N(
z8POFb)C}}$npGmJgg`GvI8@F7^WXC;iyI+ZTC99a;-a==VQ$zlaaGf9gv1SD-!H#a
z)|IjuxtevH-U-{lF>u@<Yc5V*)<&nlqNQJ7L8nof92eB%gyx|?O8X3OLP$r*96Ay`
zj3tP>#KD#esJCI%f9ui)cz|%@;L^yHIraz^`UGc8X<{r<C_IMu$0rOVzlpDyR~qoF
zGV*cZFfP6)Gv!G)w*Vk?B<oYd9p~BentVTU;|vE@sh(acvx1YVN}VbUIB#Mtl5v~D
z`>cG0?I4J2q;&-9XfPVznn#;>#Fx)%L*J;k3M1hA&4U8*#j(V_W!+mNxr@J5jnghc
z(Jaxa_hx=fIpB0v$b?k9re)_-5a^Mi!7jQ8`an`nuttIh%R1ZXWc#QcY3xtm*l&C!
z`&wgUoNZX&4lt_ioT&nq3$7v<n=O`7$dE)L>*Q&|uuTAo#Usd-m}qP!N}=ZYQ?Sr>
zUh?s2kbbd<C6-vL4RuSj@!jfEyJhhPo7f^ZWp&6|pGpgd2e}tEo(|d!cs*3g9k-Fq
zAvn$XkWUZVo>HE`x(X4v2#P<8%X<|P&Pjvc&@fX{#Mx7(rRFJ&cd%Hi=R~=ifObf6
z!$XUqths1gs2-B6o!&sbre?$te`UcTri3N&dpo6BZ2zBdknP|5C$2*K*Ma&g8}Akm
zZ*9|ho2m{xFfiT>yS1&DkNIRl>}Lg~2Ie#KvdEn~u_ME#Uy}~zn;iOw6Vn(b3Xg0L
zeO#*vUbA0iGvZ&ivZT${tg;7vXVnMP)$%vYeg#OBt5=MI>}K16;j{h4%%hQ%n&MeW
ziBYwf-)8WZUP(VE&JGU-i7?LCL74eLALE%Tqp<becm@mTKPp&{B8ejsj*&Z2nRb(D
zY>TntQQ_Y4yXohsjEm(+(OjI}_E>L}8!qA7C!1b?Nsk5j^m1r*73ew09<8AbD648c
z>PsV{6Hweir<1I0B#lYN0TSBTpXMs9C-yGqdA{$(?pG&~*{kSj31We=kI@26*i(72
zjYz*b?T`;N6$;63YbUVx58F!bc1zHbffmh|>?<>NOyGFGkD(;KqCB&&R8G}ylb-8e
zr2$7_A;`HMont@y+t#h^f>~HwnpsQeYE`UH!oclKMkG>JM-}6<&%0rTI*(Z0t6XR4
zzG+|{Lk-#^vnx@hTUi|wJ`07Y;k_EbiCZ50%uX<&j5peCvE3p%?00TG(^ru7_vGB#
zUM5ngtRfUHqFMDj6IOCRYUh56+o=toYTnGQ=snBItEl$0%~{lHVX5nIH*4ybRJSUL
z&W*NVA-5hORKf$Kt`9!O)$Y}V9Ztsr7Ro!>Iy){Djfv|RE6Razt5R<_o6kd&uHdjJ
zu<2ii^zT@)mDDS1KMa3dTFU!|h6KGBP^%^SWP8Z{5Ees|Ea%fnpC!gD9TbA_kj_aB
z{6=jc_Lh?ZOq23PCNvPutN}sg{+lJ7NmX5Es^49{+vxZw_<L-vYL1ebq^r^TYF<Fu
z6g{V5DS^0-mCYmmF#u-x#O^dYH)tS?+1C~p*y&jwrqD2QhHj1AQJ`S;<|ak(bY!lT
z)qZC{$SKBmA}K|ZzdlbV+~VW9XZRjxWznp>WYtfy$<(pcp2U$8jfQq!eC4H%>R##U
zGqvEB8!c+lh&9`a(K12|F5o3y<=y~yV@)`Yc*-ExW}-;%%}u7`30Yfs*Ec_jlar(%
zQf;4Mo3qT?(c~kt>T$o%wfPZDF(2>Hp$V4Qp33V$Y{R=ul}#v2QguuNL{3nub0EC$
zW)Uss+9XoV60-GO4)2Fbt!42!ZJqYR2lWms^cS2(q|4bTT{&pLR4PllKAuUe!S;P>
zCow#^KA@62?~8dCk^nkfdY7e^ghXh~S}mJN&32-SohF;&>FQZ!`;Y9MI|SpaaEMZu
z{Eu)I1H&_|d}9iy3nV{y*lUPe?EE8RQ!kEOo(NsMAh*6L39~<Y!P05;1R%5KGfE~N
z4Rnu&1s6<;2GMw<x|#$=vq&mkdM3@%U;>RJVvNt2l3A%oKB>dW-;~9z6kIa{cylvx
zD_W@e+0FK{WK2TDSi6Pd+uX_}k#-XCVrgcog0;gFVg!v@i%y4N(+-Y$2qsb&4}F01
zd~OiFsYQ3Cj~ATW5`3&*e)eamN^0m*X|Fe};;w!Hbz!8s=^&t{8P;d<#}btwS$~(*
zc?%V4r`=KTK&oDIrj=-h6gdQ5Sq#P*eJXio$Ghn;Un;*Vb=9k?PhzUqqJz|h!YD|N
z=|p&escLIxNC$Fcew+_nIArO}E43r$5=S($!6P*|*VgH2@yUN2;VBp_P+}+7u&*(+
z8oMON$kW$F@|8Bkg(#cQ0mNoa&AQry#ycjfY<On6GVQ#@XM!_1#sIaBYqNj~6*Rf@
zI!?=BM3~J!QVBdQ^t~u0#19wJ{8!Q`+~U}{7P-DAvA$O`phLEk%o0dJ_%7vy=AzD#
zowp6uU4w&L<oNMW)>+mKeuzm!v$iB_5>_3z2Y9Bx)VP#Z7!u!HEfF3@5|2m{qCS<o
zEtGunZhW10oY4GM2}h<T@hQ^jOZ92c;!tD1cF4TPv)S(>p70`qf;%-3S0KCl`^nlv
z1NU&;5v_|;$MS4mwmxdesOUNtD;U1&<4x8y*dZQQI~^-c+f)`_p>ZkPG-W0SdX!Rs
zK4!}30)KNt@D;aAC0DYDDIif(VoWXAMGwpBkg<COD3Hfup_bp~1{)tJNWH>QGL{E5
zX|6oQETIwIqjo|D>C1WVo%vOR%9_A&oMLW<z&teRmWjEzzr%cih-k$Y?_*a;|D}C<
zab1LD2Zp(AGwsMRC7R~@g`ti*2&=|{hAz)4sR&5JBD5YFg<qL94mEg$b;7fGth5Dg
z!R|~m9ap~7o~R=RbXosxH~2E>Y-v+0W_#hOWUwgTSC42ZIwIezn6ocK`9OCYH@+Vs
z1fh82CoV&JA^~k{l1~m-graiqYCD9xHQG986Z>sC@^@2hyfAHBsw<NkUO_;le{gat
z<>~maZ8NHNIDG^In)x|#wz`#&QuRDKGA>?mJn^zVPiSXgDcb_?>t9eD#FqA?co0sa
z%mf64?0CZ_O<G6`q<z13n>SI1e`-{vsdf&}Xz_@TwIQAX7Y5!^3FCXKySupdSuwxY
zy5049uH_1&WDG*ngO0tMUC2fojx)Kc4QnRb7e@KTE%*<5+9XO{s(ByXvo7;%B&f)!
zVkdQ_`BOj%`BqszKJrxaqOP%#O*u1TK`gucX?rTfTO;ltDh6VUTJp={1MSP`l({g0
zncXr{@~>-vmQKTSh<R+u`yK&L81eabH}iJYWd(INcIpdK^wn5TqP4eHc5j9B!@l~G
zEHjdS#nJRcX~rCzz*&9_`N%I8nogucyL@NZ#ChQ<yoPy@>=3&k0E}tA)V|s?+fiq*
zaJ<j%@?{+JE2L}!T#bLWXYj8+@LvYtg0*<`>-?M*-)Ve}HnZvf5w?MDy*fV?t}vov
znI&A;+NI6uIFGiT>27Wc+l*9~xDNm-qvhz0v2#l1(c5LR2PR<4nkn@F`FWzQtR(ZV
z=kL|cq2Xcr+-^wt!lXkivj}i-Dp@g-RwxZ%FZ2813h4N@KU;}l9mJ>8e~PONyDgB0
z9A_%drzE4eT5*<K?IfqHTh-0aMRKW?Jxs*Bt?3p21?7&q(p|etUa6S4b($F~MwdDl
zcs8+=X#9$v_-7H_iUn9?PxtVND;`CcFVtn>=XtrmDQijYcW;T3rw|^j81#Yj;~f15
zBI#VI^}XB{8W=Z3!5Ix4j4`mV#l9?YGe?Ub|6?R_1vt2T2<<MxiGRRlv(%{rRP&Q?
zCST_UpmNm3Cz3O!m{mF+El}|k1LJYaynM!5_2jnr<K~jLJp>zpE}3J2R$_9vdZP|W
zCOAOy)+?CV)Mp?Fb@sW-*CmnN$>jFt#tgg)=253xB>NEy;y~Y1Z(n*!i*K)8sHCO0
zd?FEQSnr!R-GBei1>wfz-1soI8l|O1gTQa2t#5S|FR`4XtHI<{t2QK8)gX|wN9jvC
zDY~oS7dlwsuyK|>LvPQ|aPDGq-1o%Xm#9i{Tcj+WH?~oBp*t4Id>Fdx95=TQ&B!I)
z%T0QU7CLobR4S~TDyhtr>DqO0H6f?C$2Z6gO>+GH$qszv*x<fsQ##V=A96yfbbKxe
zlq`nn)DCj#xI7+TPP#X-GE6qw+(+4^jf<%Hh&-3`2FNKSTI-c)WC=oSfomHHQFvK-
zIL-@aT0_R@$vsX*sUeKQM1dN2L<P-s^&KEPc_%Yjxe#YYq?5adfn=cY@aKT=oN=%H
zps)zEA=Cnk<f4KtOlUOrbQ1zrv)EOM6})+iD9?7Vv9jBH>(U@V@N88XLm>l2*k#JA
znQZ8{Xz%zhjI!beC7i}6Jj`<5@5Kn*E%D|rpFF`)$FWm+w+a;QlxlnOUUG52wu$(m
zHg+0OU2%TxM1P$zCxiH1)%t?0?k%bMwwB7H_h&%(@>6`_$Y$jkQipk&J^V(w+tujG
zxU3mjvE<qUqzSJBm!kunA8~oU$cbFfuB@7q!G(zBb9O&}l7A%lbJU{e?$TPXM21Ii
zRU$im4b5hIW*0e)SI5o{_PDhXNDO`rM~8}4gtR(!B287!`I3GI4I(T97Ib6LGDs~R
z#7)$dNU^Dw#jR3rN2-9p@oNl^j20GgSprrHIimF#8o+5(VmhA*o8ji>mZ*5U*av#x
z%D-cffF>k9?ta`f-U~5H6lRy$dh28nBSgvhEWSL>`l-e~nQw&vK8+xI-qz|2o`u`T
zWZLo4G;Sd9u#7o{zJ$1~J%isYmj3%l<;Axio||Z0$!=Ot4AE%zZXvLeJwqt(j+=C2
zfpuh%q#t%4E4~(%O;Z8W=K&5qKr{5~Wh1m#tfpSgibmhqT<%Y>yJp-w9HO%;Dw<Yh
zI;ITdY#P=*9^9)|W;fUI`Mv_4<Z+B_`#E3$zo4wjl`~2W=3$|9t7LD>Y#PRYLD9;V
z73a===<jz|?SGG@y|~Bk>2>OZFMesq*%{;@*FMN^r5thJSC61@Bz`cbMnJgPCjs!m
zbCFdg8$jT_Z_@Q>mk9Zi<f}TJh?2-@8bC=s)Wrn9s%BmXDsJ|=dNUg72;JPrtF1ja
zqEV9OzQrN<+7!#va+Dy908zJgvfh#^Y>i}^{$gae<f~-|t^@$d+qHb-%eGqY?s=w(
zqNQ?p;SP~%Xd*=j0kODnRGk^~^VErCRQz4e`<omghctDwqF+!)k}iNH>kc4is?w!x
zU}ZAK6NrZ+q*Av1WZF&7?N!;Gj#_1@s)GKmj+{y=y+iHYcM$E!t9lH^vU$!oIA6)R
z%=?!ZleB;~gzjaa;S~^~sFO;)ZBfWqIFl8(394irDvn2QnTpaqIGS|P;}1&G%F~6+
zZ=(54=eQ~s*A!F=TE^)(J`ry>B($&;&x2SxlbJ8%4tveE`6m{&HV73-C0qd+`8>F&
zYyt(Tte0(m9HlW$QeVKx9)&{e{M`hy<iYW82m{9l8KyvK?p{gW1ySlJJkQ1ZU-ZRZ
zN!1XCsBSv<JA}q?Fo%p$5_8j62z#mGwV@*lgsHovQMioO^zhx`9o-p#pC;}UM(*5K
z9{mmu{0L^kZ-2Ht5*zFa^b{Wdf-1Zb%&qzHwI#hl|I|*loSy;wL^wG+P(|yNkTn&$
z#BNR?st~C2iWHN@Q!=V~{yfnfZJjmEletNeKUxM`7oLhq5bgiq?k%I*_@cjGiWZmR
z))x2T4sCJw1PLBI!QI+Ythl=r3!VfE?(R@51Z#1M7K*jB{XIM{@4I{N|HYM=wPu}n
zGi%O1v-W(?_p`T!vQRzW3{%h_ms#b2Q0KxG;0{fGwCR(*+#{MZ%ebcH5FO+ZFfnKF
z6A#@>U%08~AF2UQR>X&FRkg+|qA6#A49gJwj9dKdWCT?Ay*FInw|c8)B|oT#1tZzH
zU&KB+|5sqBgCS6EIhGp1nlpy>VL7HrX&FNN{Jc2!r~8-Ny0+PtVN>%$fCSaHg*Jx1
zy<r)C^MEZOL-e|fpH?@sK>$mRUjL>{mgiGf)cfm&aFPG8il(ubli1L^eOX=7#5B*H
z%>r%-3Hw&W&w5nP$l!FGgsz`BoWhNO8SQo&2=e8%`xV3T_>l#*NVp9V*3ekiDXjp=
z?LREhGG}}3y)k#*wN*9HgXvRYlseJ$hvWI$RnzbHt?<O3T1gkJs%v~FQdcc12hs(D
ziOeQt<V%X2lGDs^SuldizYXN?@O7Rf7nK53NGH$znXSD}K*wJjFx;wB;~RJID%0M}
z%&*&rHwyz0ARcvh-C6L)yP~XLEC3oM`(FlkU+u<!7kjU>=%K3&u50f$ZAG+&Y9sEr
zB#A>HGj=d5R)evqrt6)4V$G%ca~@c-rmT3o+@Or`+^c5h%Zm;?#Y?SK&4$K#_nXj>
z5G8IZsig<(0zOw_x^8a{C?lu9yzh&!rZI-?(RX{X-HpdO-WR>SU*%9_dsUEuM|Fcq
z&Ti?h$fGI8Og?x|0WZX*)|5w;CS7Z`CAl-*r$))<gp~c$keIO@ID*6Gna)vsJ3BA1
z?}2ZZ%tCuycO8D~F9APsTt{^Y=1HcbO8Vkpu078Hl@gf&G#l#&;e)8UF|V7mauM)&
zEcWaO+r0^gRZ18#4gf!hNf4HI*v&ASO75^$%H>_mm}8X8G!%uW>EsU*C(x@n=oi1^
zaR|$E1*2qVFn=PtIh@Yz;`lH&^iy1ysGxf8MW)Rr-oWqd3l6m*Y=XU=?x<yIpd!4s
zGY&6nu+Jrcbw;pc?Bom6MFkVyaOlnn`ODkEJQ@3k=LX{hpHhFaY0q(TH^r2G&ejie
z>$7?V#;NEI`R+arQ7!kCvTO>EY~AS=FI^YR0AV&Ok?5yEn^16T3odD@(U-W?1$de;
zQ|#DEh)nz)%lGiXA$QgJ@q-46so?cC&3NZ*ss~~*?^e*6n6a7o7?rPx@O<f@rpiTq
z=0IxEZnVrhsWMNK8%|1*UxFf&E1qUb(-<Bms99T(P6%yv54UTng5Kc0^Btfv1nU%_
z4vNVr9T};iK(fjJL6&esTKlIz4o0fG&xv7cjY$5V79J%3UQ(P=^5tGQ48+cdXB{6e
zXeiV+l8U_w`QG%S$5MTgvS+MANCP)Mcqhx3E4W)8c7NzVi=zdSkqYOL7f>3OpTRb7
z^XN_%QyKUai<~a?ovIld{-#UL3mz&{;UfDPD@*P()qMTE>k>a7b$UX~+8qwFjwGA&
zZ-W98SaX`TOwT1ddx2)JxJ#vopj-_}oaW5c_!3^tHPwzBl!QgnxtcjClC)IgZE08Z
zzT&r|Cxe&0V&inpA1sLKvNAC4wOs<#lP-eZ{!P{rl|RK3t9CKJ2Ot-Zt<6*3%KXjt
zb$e4W@VUPYth6JFg#Aedxx2d390b%+C)#Ng^Nc$vwdg|~iNvE+6dm_!+fmJ~IL|sd
zIpflBUQD8gjn$0eTSTWKXJ&$ZES);PCNg;LQJy67wlqVoTrc=;_0!j7qr=8W8|;Te
zB@k7B4x-7uH4C@vwT8GyHSd(Y?pMhXlNcU{4eQJGR*BE>Ec`p$Rnl7+3<@dk$#)s9
zGdW>kAL~?(R{~soE}wB+5U`XEx5J%C;QJbR+-ST<Dx*SS<M~X3WGp01T02QyU60(a
z3tTsgr)%2Aybdi}pQCY&I=A}CNvZOu@W@*o^c>(eV$S53Rv5i}Hsf@Zqh{V8SG*D3
z5;Gp>b}~F`VwNfJ-o~Y4hx^UbFLGJ<$s-^@>_EgzVauR&9o|w}`LtOP<tYxap<*ia
zVlzi{_;p8)Jm6Xp$MerC_#OLyScXi#=j8uk4P5pS{>1+CA69?(^Mf$DZMuuG#_PW2
z-mj*Z_cfs&Zi==O>7%6vZ3M}ZN_A%#iOJDyt<iNXxo-mOUf2<??L-6(m=v|z*TOPW
z+^=XbZ=coK?XOcJUuaV@N8-4AoK>kV=z9LCeK*;8`S<^`67T=LyZ_W5+AOTnyC((o
zb?N=R=a-b+G>vx~cHIvdiLRUc8)0l9EWOH%&H!g76-A#+j*R2<OBw5CZr(jNbFLMD
z2E@#ufoT+r0i)@yDK8o;qkF2<1R&r+s84@dNz;p*@$2PfmN70X5$7TwIq9A;X4L(|
zXQXj%%Gh5!@Wy*g%V(RVeE{)6ff%@%xD7~vQoXVR{$$;Sh(k|N(H_vJ8Unac@x+eA
zn&LQ>^ts^z<u~OkyvNo`XbGVKgwcYbo7~fBwj3K&+b_<puxKk{NrgcsC$iH}eG6qr
zZ6e1X_U_?4*ye_eyWL$1UO1Bh&JQxr#yl&EhM5F{>nlt;j3TL}QbfSqEh`zYlLEO5
zl4TJ!nnJE3_#sRHHDtKje#juh5KpG(Y&%fHvyje%o9~e`=;y--X#PXUP~j0Bl416h
zSKaL%LKYSzWdl)N(o*dVodn5guN`lMECW3Dc2IgQAi6_y8m!-;H0E{*<S$}I_l6nD
z?R8S;xEM^7Fj}p^UIxiY^!CY5(?wp%E1}6p+UoJ|6ty8ypzRh-U9S!Cr|2BYWdsb2
z5K`Dr@#>qr*`JtruDZGTosMxkD<l?i205b%k2Y@NUIps*6(xWH?nItmmXcx+F60Vy
z+V*_*lXN|m62Co>iMcek(jOIT>aZ^I6sG6Sx=o&KWk)xp#n&uqtnKDz9tU@ZRhkv&
zQKyq%+>5)bzpTle&jm_)cH1YIff#@PVS9>OB|PZ#%*C@Dl4ju~dyYxHX)8K$D|FJQ
z@+^qKYm#g76}6eRXsp|3HY4O`bKv7_(mCXkH>F_~9T?>hq)trAVdqridbjx4)MsRn
z9+Kjc8|V;l`b)%M)WkW1r1m8g2I99NDR6}RxcOE0J+mN~&hZgi80t8-IA@%Jp_Jl*
zoT$!ER(8{*eBXAWK8ZMHR@J`n*-JP56G3UdPDy)Bl~=`jB0(dkyxX-Jq=^2x^a@uL
zWEDWVHDZQN2aBgHv?3aSlii)(1#g(`CdUKn#`7B+?k^i}{noi2LWEKbFc)u^>`tPy
zV$MDN8U6D0j`XJCw3w60B$o2x(>q_Mhfy9>bR!Zu_~L_>FA0~O)HdXD(f%wqU^&PB
znRVU9tpdab67AxDJBy)z37_YiEo^9Xvf5T6^>%1zYPR!go>TDZoL|=LBI>Sb5%~5!
zQlLik5-tf8PFgKnokdk#W>xJ*Jtsls`S5Ei2F;#^jInTyhG7pNZ4o{V{KpW=fyM`R
zj#kZsaOlr0he#Io$1(@8kF0n7AH3{u(jwU1cXg}&(M=a`!1df<LmZVhr~rCE(2(z$
zo6REnbVt^*`TTprRi!B?;w5}fs^nu!L!KO^_rw!#k!80(AD7$#o1k5{JdMta2D$bW
zH#o@EeMxP%z8AMR6_myiGR!X&6o_ZCuboV`V7kf~5}>l5Xm!{uukO;Nw&nj<_14S^
zu`byhz*)3t=MLJ0I-*G1^A|1Ym<7*INxW>4RxkC<d7^*7`3BvhhuR>kgP*2fmyPXK
zPGUx(1)F=nCG`H<ooK3RA^_`s9g9n(Wu9u#ED=n-U>$XgUT3GdStiq`lIj#vZ+W{1
zc_`l4YX^|Z55NJ(?P&Zjw#rOz?J26XA7UW_N^(wWdSP87+?w;bJ%u&(-WC<_#W=wx
z$*R-(mWPrW))`@2d>%`ALvAIb<wo-*_lwW#rQHybbYaKoSnUmLbA0kH6aqq9z3Wyj
z3twTBhd#C+Y9Nw(aRLqr_FN1(=%;w*2CIw%vQe1ASwfXT5$CH&ljUPM{0+6hY=sk=
zwAR)o^a)Ee%}o%ep#2P(@cYb(ThXgGYj^@+vb{ZjKNlz5i}dCvL_ZH`tGj~^8zoUO
zKi{`B!j{}QxfkQB0ehsZpp!=DDoJyYixNT)gXY6$psDQF<B7NKY&$B`C4h!x4?^#w
z1d>MMx=#bT)+WM*YD~Z_*Fagu?)<VxNtvVOVf4sVGVm2Mns>2qys}MTH{uNs9!<!N
z**-g$L*oVPev4JXc1g0z2X2w7JsI<sGx>g-uW>i~7YZ_50nks`;eT)NEa`5x!#&k`
zr3mlGij=F7eb2JWjCg@*wrJ3=W{hs0-h1;**#tNq3bd7fHKyd=%*8gRSM}1IDbPK@
zo$Rt+*cvxs*D=leCLD>r^q^LrN@i(B9$<8a1Lt>GRXWs@-=_;!RzYFS(bcDo6&)N&
zHa@CNHvt1?O7cv9Rq9;Utt_0EX%93uarsG}iIbL%#HNaf;!n>d3+o-%ah0rrJja;0
zGFQtDt6zyB0ng9^)N-4n2Tx*`Dh=i(-G6gs)LNC&XCFl-Mo;85i_wfcJKGwx6mfp#
z`Q})g6mO<-!o9ji)1iSA!6EYFoyLXdi@6ZacY%0M<*z&{+??y+)}YoXLCfmO&6@(T
z5RU1G|F9H6o+-Q3zn<}-Gd;qw;g@i!F_u^SfI^K`Gl|T>m+(YGe5F2a97Toh1m&^(
zN&A*JVhMVScGenMnFk+>)a1GnmXj6DtV*0<AcH+?onGYsp8bE*0MeKNq&uh#p4&Ma
z7jmXOC=s5#nr9wWjg^$XP*~F<(aq`e_v9mg)@l5tli(;*_0{Cy<rH{R(lHF(hF@M(
zIAEGY@#Ih7CL^B&L+jH>A~M?0kp3-&Wcl#l27|w=sY+gql6#pv*Y>h!6>n2sAG%x*
zJ(e+BxoUF9XI0DousZF$_GWke0wKt6*3QjwU#w`GVn<9+go}z{*QGRz$dDI~*Ss#$
z)Z}r?%2ad4jfNpPjZ7jPxxgA)`{e|R;6nkgsX~S+GIQ0;)DbSjyOiLu7^}M!1C(&5
z?<5;@d|RSflYjje5`LZ84*CY=V@ld2x`Z$v6@Je83-Mx`ck~Cltbm^}wWEpWbp^PW
zg{K0rrJWv<>^cLWe@JZk$mJe$%-35|IpDIH)y3Qk_%aPe1yC=Zc|ncHG#TqnbCWQZ
z{dh8Ae)H4d_{ryP)V>bpizL*zlypvmQB1Nx9tOQVTl0aliQ*n`!;+Qib9B^aqZ3ZU
zG7weVzk1n|O<otu*XqGzCm}x0$!1lPx*kaDpiTde#ghl#aL;@pjpo&LZ8vwGm-1F<
zrT*t?R&hQk<_c!m=QCSbUi8DM$Pk-sw%zEgK#+H`8jw}NRprK7d2}bNgWy+i-s=5|
zhvg7^MeT)Pxz`c^sK;@l2XLofXwqyi^x+xJ<Q=J^3;xh8-R{O?x^EVxWG2Jz?q>DA
z%>^VKyKQ3Ll2v2@xa`xmt68t1#Y=1ZXk=WZ@a{am^Mq4~;6q$SXB43cD$z&O+EwAL
z)R#+-v-&PA2=Tiyhti*`CmMy#3>HLZ`9r)h2)%)ldC|#+wA1CiMJIBv#+G(wi!14h
zqsnQ#*zZ$3#SQ4TFSkyE8z4!(j|D7)D2;NSnlD=&C@xitiY#ZyMM6tY-GZ*i_Co=L
zu<|)k?Y1!%){}l?%?h6BDo}ReoV^<h?2WcGc1PDq7fe-CkdqBBvZ)cxz>Oau_LO%-
zg+wKf)=@)PbuNm2B9mR8+iWD$XMyldqtL|iGgVr3$8ufWD*34Va*E+-Z?<M|e_-70
z$}}DPsmv4Vz$|r_?#wxV%t`WcAW^b8gX%!{fj|=3xAfVT&+Gz^eeSsCd-f%&bM4BK
zEUGFl4}DxBbx=0CEPO=yXr`ox2+w=TMoGOgeqAW18_m#`yE*ylVFJY!yL_&rA+aML
z#^T;#o!=%F`6xwJtdDo`_Ncb9%o(A*R@?<^sf`*1;Y&&<WVWuR1k@aF69ixihB!GK
zUu}=Ma&$S$tv_LW>cSnu{mxsD?e=VQwMQF0t((!~0%1F!(hXB@JB6o12I+NYG&%P1
zDQUjnBq`Wk?t)Lhx9Z+rTd|flZ$(xQp^5oPH@1$&zl#^m7v)(zO1N2!a_S10^MjeY
zL_-KM*v2O6Emr0Mz0RPgU2iM`Xe@1RpTgl_0S)EcNiUZ4X{A0$w@i$W+?&DUOr1!P
zUMRfEv*904S!f;_eoi9>!uQ_=U`t+!yS3_wZEhtcrO+4pGAgwn|I&5P{OxC^_dm+O
z81{zvK7n|FljtEXjKv>?cW%EOxwcd>kBnf$c}R9wOtY)IL0MLuyGI$FnJ<o3yL2fV
ziMb>1@h9dEw$|sYl8Unh4qrW0zZ^3u9LXjscr`U_&YYL)WoT{^VzSEC6@m@RTYNW*
z&!Jy~Mra#aC2sCjC<yiJqNcgb!h%*GWZg5ud+5}wp?4+6!Z(AHLxEDANwT`!e%wyL
z1nAAaTJo2<fY6TS@Lg()!BsSRo8k?pOw2RkeBRg3euN}<gq?a9eLr#g9cFy(bg_E}
z3)j=Wy0WgZS<+K@&xybKugs}fedp+`YM__AHWPO2c^MM-OHnKbHkLDVbn;5)W+NcM
zJA7X)Sa`CGb`sEp`Z3W8>?60y@6FR}OA9a#Nr1`~!w}o`YakOIm^}zo9lgTbzknd)
z(TJoq*9s{k5PDmzBU&BZlm&%{iMnSYhtLPeN+b6@tIS6Vob0d$(hiZ#UMAu-%U(Ht
z=^raBUKbfp^<pI3sJJ>}DxLp-6i<$^V@WB^l^Ch@FMc60b0K8q<dy>UQof<pixmrj
zN&${8t#j5UE@#Yl&RqpkTOz9Uf=S`;C~>ikbM3?k<NnXR!4lWKcS6Z)VNBnC*JxQ+
z{)a_Z{W)V-Cd4v0Ofk9Xdd_OhrHyXue-wm`{*_Dbom)3<dj6GFW;F6@^V5oEqXjFi
zA*9EF&vPR9D_YfP82Jfdaj@XySYo~UCwxDj#G5(EKN}L#QX1MF9m6a_3(k%@6_lNO
z2n=Hpv_Phgo+Z}>SGiI-(H4+1l21G!Ikb6mrr?6UY=w5Tx9{o4C%n_bc~L7XO=xuc
zt?G&Q89kpCJUf3xF)AOf+0fp`hFIpqTeaL*3<zB26T{c7e|09HEy>JJ{LzwvPbEfq
ze7L!)Hf}dYA^D4CYHYsNa`5oAEwhc9#jGeVG-k%~$C>${%c#8cF6tnqXf49xjOy|T
zqNb^hquY#DFnY{yFFCt?HNDrazqQgnxto{w9+P(uS@WSZMN>~27Z|UVd8Fp}D{`&8
zrE7o?;S}y}{7t<gYU`bBg8zh$&w_|Yh@QAR7K>Ch(9hZq&l2`Ar+1ZjB~S7c`4Nq%
za?kJ%^s}c2=y{H`S-T{)aT>8rB8O$`aJ^ObaJ<Xv_`U=ZB-D0Q+co0_V4aQyGJB67
zTl^oT2=?r?GEh%&5paZwAzeCN1VaWtS=&}6WuT<Y&67Zg8m$RWowLT+GpnnKsa|Em
zGgSqJ8@bai`~SD?w~n8eb;Ml5(N?|P(UvIf{3&i|lEjQoo~pmnFwG4ltxO9mezDSk
z;v}oq440mS>ZYHNnJtPUa*P>=NZxP=SK5v_2ppr}kJe6>S#b(*emw1`r?thzSTK3X
zdyO3Fnj9G&cS`^OjUkO8rBWFWQEjax0Dy%Dz<NBMG%&f2G5h9c|G&g_|9|N*x;rjI
zU9&1*H>0eFu)7rC@%&EzGI1%1y^FbU@AjO~7wy_YDH^M~nFAa2x*IxEh(F9u4{t47
z)hK-=p2b#$rEj3Z&D$m27czg3W%nW$U26s)uQPpaoLZMJU0HfQH#gp6&P~P_2Hi8I
zW(lzRx{~?FT?1JcUPN&ALS7Au@Eit7XwiXbtN9AMxIF_LW;X+EKp8yU^{d9F_(eIr
zR_GPSbP2XZd`EvKpUMcGR0f6)LdEqAbHn|bIrSOZ=l=155{X%6#Vd+&KDurE6Kbgr
z&h~@vrclo8M&B~KWB8X+*<Pmk<;CT6X>U*bsc-Uz1WaBfr#SkGFuPd$l?`Opkz~kP
z3X{~TsVVSGb8@nR)w$r28rDXZ(05Kcu!rxO(yE<*iwli{PP^ZfoQ#|JyVXsx1}VQ=
z5B!4|fvP5r*?<i7$`eNxS@xHb>a$$(RXuzdi`r@=j;yj5=0ktf`_wyuhVjtZ08766
z<#8+Fm9CFgX=JEY?dn+Sp16<qR|qnow#d0__)*`>4-E2!4py>f`h92Qo`-SdGkye*
zI%=Q)?Gz-d!k_aqxit=6U6=j$R^@FGj=%!`XBnqtiRnHEFXFgtxAVqyH`4dfMwHo<
zH&JF|tk08LE7LD+6dUb7{mK-*?a5eZ^EiQ)r#>UFWx(ozHyYiT+vmU7>$ezvn?;=l
z-g@Sb4))(--l*Pp4#@)}<hA?ro=j6JVka+dI`>F7=e{g#Rd}1}scRFN0=4w!x7;&O
zpqJyZN^KO&lcW0UIzsw9z@BjR6}2VXuH$Lu@0@WZzV!^}h&BmCqvWl-@%Wi`-KY2Z
zmZG7-c1=jl>U2maOA6BynkxcR+lYfHIH!HBb$$&b5mP;-^r8()l$|2`A6DzF6MXtV
ztWLMDPux<h&3IA6MGXeD24F|s;;GgG7uf)qdX)0YY@OCd+&2T5!G8MdaNiS`>&KcR
z?Go1sh4w142UU)1rYz-tjn=lF%1zqubl_sz2UG2s`ppV;mH@O2Z!R^ByEs{;$onN_
zwau~nlTPl$P-2jUi^bIj?bgcJ9$b4~?W?K6FcAa5Rz_n$=X>@*>vLsJ8!+yOJRnAc
z+uFcZjG$VJM9CiG2JXHZ-1)+(c4<nj!))s;%F|KZ0(2hA(jIBV>dBuGqVp3Egk}__
z-`ib1YZctHUkICy6+cZTQzMqgI18M9((Y+`l1Ry&nfXQwkDA;XboSC^eYF~^7IV&s
zST3VMn<*}Jg(`73AU1%0pPX1W3GCa0!&GJGywH?TVd@drAdQ}qTK!Kxz%2hW;6H7n
zYoVX0EdM2bAsW7s{7s$rAT%&im4!&loQ%|Lun)Y7M|xN749?~Y6_0H}>Igg$hbZN2
z(AdO7=n~dIWJQ4z@5U#!d2XZyqU15_di_=@vJ$zFaMkD!V>xPgvH{Vn;9HzqU+SND
zB6pTEG5!-AfTBH&(P1ry!;9iHQyOc;osN!Gj40#)XZ&Sp2CdD(qzt<@hnRZKFR>K)
z#*05iKNUTIOq!!4(#vPly*l3L#KYK~Do*Q?MWbKsc^Fz^JiYEAwicj2qx?HXm80U`
z&8C9qE|1&&BD~N_uN~x^-&l7!o5!9!aNuCj-fycnB}ja^EdQ~nCqz;zXM#c;X@<Kb
zsaj3_&FvczKQX5%eAW;M=DZMnH<)4molTvi@sP3GKDKdxN*rG5vb^=&?3Pri5&64|
zxaS;oMPnDe?9Q-zSZw?m@wIyre`UR=lwj^**V+;H)mBVg-uq)>9UzA$Z0+}j89>6m
z!)S@K?T=*<0rT6nR>hH3Lj+6Ezj@*Gzy^0<9EH$_cZ~@&HDcBTL1T2mq}hh5TQp}v
zk@cR811Kp$uvg8(PfYe0p2_*98HJSWd;z4$uXu~2=QVGu{|V_g#dAOh*qQ1;lbA@J
zj->2;{E)Kajv`Q%O7O^a?@s`LBlrIP>^jWn%ayn6z8+4YqLHpE+JbMb(nA~JFg#IA
zi(3PLt_nK2YwuaP1`JH)Hoz$QBug!_9Z4B(NA*mi;SzyY1m4G7rpL?Ey3T$LBL*v;
z{--F1m3;fgQ#o~~nL1judr(`;=2I^ee;gXcH{GPQG`%tirCeFg68<~las1GV{_KA0
zZrZGmM#@%wk$?@T#>WAhjQ?rN4HYG}U#^xnSRt*aX#N_jM9Jg(**FBI32?E!3Z+8%
z^b}Md=lI`o;VwXKA0+Zq@YuWrC5f@A^^D+9-3W_}TyC1B<?~TL%Tv7ON@SiL(78?6
zvU2*ReKP9uL`{BWr6=uOGgdTH=+2tzJ8D8n(*LkLsbweCx6F6k9oN<++~ksGe%ha@
zlE+SPGKxRVglRB1CrUCX6Qc2p6*mqtW;Bfp;)XdB97co>@lL5Tc6W(TaNcm|j1YuL
zA>4J%+%+5byB2t*y$EZeyK%TGL7!baE3Kf?>KUgUoxfQC&nU5!i@o(a;}R!Zk~50Q
z774J^ss8Bw9un1*D#-t;5({RF{S(W6k%1)p$v1<BfxI?8Gg_gXXIhcDrsRURA6k-*
zbZnPTv(L;S^T#Kr#cqN<Wz>D<?eM4b`Zz`5jYaJ}u$ML}lEYH-g>FOMGrl6(Ow_nY
zZeM8UJ`q~Eg#+`WE<IATL$`Tyzwi?pVfk5}IpElNKDRxJp*;6#A;}*g|D=Y7a0~Uf
zLn=}B878UWT8Ta@bM%S6&0#A+2tq2G_}wffd-?Xb=amE6leKGcQ?YHzHt>g?xRrGa
zqsSaP$w1ohHQzt0ZCrWqH|&}MSz*Nc!~z43S^37;)Io%@MJ!~lnKrnwN}D|WAlhy5
zX{&Q3m_bp{P~|ZDOz?=`-h0bdJ0Y$k%ay2h1&T*wXss}sA8!*DzZufY(r50+1#jDO
z`FO-n>OSZPoP?_^J$!a?MiRbtG_va4*bdEN5O8}#{>De6o}f_82)KR9W}E{t*<AI^
zDT42A{Z_AQ<<YFACayx{XM3UWk3163o(x&G7$boE8%8L-tt=V)&sXXA-(=L}@OUSm
zNy{Cak<*;$-LR}%pUm&FjQn1%-&}isN}P1CwKIsvdI<~`7CO(4JU3;xqiW6i*tvkw
z%W|8DAGW<T;Z=PWJz;`gThtb4RRkS#(EpKrAJ}Pio-L>Cqx7ardRufRY&B)8XF|~1
z#P|`{EDlq`3gvIuCL+|hkZDy<x%PKVy%7wVA=f$BcaGgAac^4Ap><7{k5Eei?{zM=
z>lj?t2L0M9!9L|;G%-Bp2johOpXcs#%B1*VQ8y(1h*9~C*CX(DZi}bPzFEz>u5(2T
z#)IlwALq>S$Tg|*H+=I#t{9EAePi$zTs|eboimbZht)Zl{qps^BWv)R*Y;CXD@-bI
zz>dTeIKik+*TEFkdR3TFn!ONTadkd5F2_kuu=n?%@stiVLROEbZ2z7>pYc<s54{SK
za)8<8<r;NJmSS<Xx695OHg&|;O^$IVH55Z+Xr2A(Y(cVJ<>zbzNvG*-N)>^7<VR7F
zxG<d9MB(iTa>J7k)pP!pG!pxU0;3@Pa0|%G<eV11>l;}1VxE;W&-bf=f-wR8V-lxf
zFR{<`*~9d^2_zy2=;pbg+-vu4Un}Ogm74hYJnvBK<-88%;Xih+qce)bIKU~2+JTCz
zxAGf*YDAIHbOz7DAG|oDCc%lh=Urt#Xw%K~Vw;%6W{MCuHw(+{0eboIfVff#@Quao
zSED*K*&N}EY`T)>wLq?wBVVvEPA!W_R!p*U1}qYXVKm{|F)l1|lUCPs|9wA(pZ9!?
zuTZdq6Z1JmPTkV}i?SAJ%*1N$u~nPj@nF%tdMO(x(5YU4#=b07tfIDqsmyeuZsc;#
zgj}!DK+DRr!36%K?n!z=@$woP5k<rCm%4xm(<aw^VDg<hFN#2jt;}8&TVCRjT)+{5
zZ}+eBYszm#y;bghjWs=Br7>FZP_X!+!J{wqi)vbtGD{V47VJ8J7M$F_Ty6&X<{0Hr
z;gpP@R&_$*9clAa`?VuXl&_gy|GUUbhVBB^_~rDTcptHD9<KA2ELDLV&rELVed2Fo
zO(a2>0!iy~E>ugMWDzhx;YCvpO=>V!5+^0pet&TX{pA8bzs1<*RM2Vk>K7Y+)(KXA
z%s2|Wkks;ts+~jaO~)kPv_sE<{;Cl~fkR_2TYlFx(co6TqYHS3<NrB9eI31ATV%0%
zvHq7zIQ_;Apd<Rz;|g$&didtG0s?GaMdNkI)qzp;Yfl-U*TV>>O$0tVaSftF25ahQ
zCbLTg`*!w@q<6@c8*haMle|vGZX=>HdLrFgG$Q<PZW7Jln)yHEMy0#Pp-u5ZKmOn?
zF>Ywdg?qA?X}Z43H`{Dcan;EkRt~kwd`PG?%nq(-q?iySi4W-YN_Z~r{NQSM+g0**
zI8?A81|y@B298bJ6TTv$6&VtYWbz#!{K_)-rXnC-JTKPPveM9zaZW%UHaJ+Y8nWSP
zuBW_)(LR1o%tx5@6CKh%UXNHTLox({IaOAFPOgK-X9jAxFetYEm6ZpWBUyU;qGfXB
z7o)ls{g&3#kj645QCH~7?Iecph5Zb6f6bzyQ`BW8TgOdpCY_XCU)Pz&?M(p?I*58e
zdLsF|7?|P(L&i++?+eXNX?{WkRU1I=|6$3!5ao&Sh7L?w4*%iEsexcQZqaXlof<1r
z7k%LSSqEkI_p&o|bab|B-#iUa`)N=}Y+ISA+jy3iR1T9sv)K;VOM^zU2@mc5%}wDa
z{ty}+EVWAB(!Im`56iKkbJd@U@u9ivhQD7-qCeqpio<Oixn{yM!n+`XxP_3d#EL^)
zZ`CL!Zh{)F7Z%aY;i`$8?5gjdr@Ut66fYN&8M}HG0;-9qkEn6Fks1Q^D4IhW+VJ*w
z*Qu12N<J0qkf+g>zX<)E=r~15P10PcHRpJ}`itri3NgrxmndFx|JVbF7A+$j`HP^M
zeA80jn~R<Gfq42!f{ufz89{{75Wdq!jjdUyr7j<to#y{+jrMq4$G48vNx`g4RIXaC
z=<Vz~&8Nu)9_XvdNJ_~q-$1h)t%J%M%)Z!t6gBHNOu;HmU}b3d2>kPY+28(jOi=5`
zAOe-hdnW_E+l=&o*oqfOJf=UBwuHYbZ)j!?z=tyqe#H@B=VTZ65>I+<7MUDmN*k0{
zrxGw-hAj7>44OIA05Dd5nD^y%F?1rCu4RmS#|BpA4wxD!>kQEZBs;X#8hxqQ(rb3@
zEOjJ7eYU@{&>=J;IjFn)UVm$D5;YUx-}KqtZC^>Ul+K`3qI6VvjE5qx#EoAtA}pz#
zWFkk#S0T{<+q=RZ>GYu#tH34GiFMtNHPy4lEgSLcOr%5R^OY#V)%z@C<Az%ai}dqJ
zj%a84-QrT^T|x`Xp8XFxofO@>8Baxrc>i^+(CC^WOi+Z6@kht~c8nqbp3)dV4T-gW
z-9o}qbjk!MQz0&SUT;6*rh|^y5*gW2cFZ&kjLM!fd+UdkskHz+z3Q^H)@mct8|uK5
zrYb*|Db1+&8Pt)xK>Vw&jFmoQwe%_sw$GQ|8x3ZlpW9ck+<8votjxV2&Ys*dl67cd
zCvWdct@WrB75eVgyG@$s`Rj3raz64%XuE6?Ui>ML=}Yv>il3Iluy(_vOuO{v@GQ%x
zADv1H{o2nW5Rznnme)onI6qmm!d4#aKeK*s+k7=p($MZ13b3#1=v)&NTOZYinrkvI
zI~M;fF*#6a^8KL3mvX+>jm!E5`X3g%e85_lz7hMGM!FuNM-9#{j3YUpR$Zhg=P;-p
zF))tba@&oThKQ#=<%QXz1T)wt<JT$x`Ih>u{=z6ZM?MuYCiY&6-q4n8(DFZwUF#^a
zWEamrdDpo`s$E9)>4!mN=TCy>vOIy9@*=+)j4*Butwnb1m%EjZd<x1eg^af6m8SJ8
zwM%Dm$Vj#klBgLRSWn42w$n14E{VV$C<i`K>7=W?=CUno_VggX(IvF&$Iwx$jwx6t
za12tIsq@h-&qw*wq~*;RQ@hXPRj|Ye%v*HeQ;{i^!U|-F5iwwYf5K3yV9hh3>A?RB
z>$vIAGIsQxVN_A~;cNHR6K;=uvi62^e{nUe`-zWCLSHBUX6;%~c1W%(7{2p+BG;bW
z`a#L5TBram+yVX+{}t=eCeL7+NX+J!q$;;8m*C-2A;<2NpbJ9!J589Zo&<xicYzQG
z?{~;mek;qz3>WRg)l6()y<u4SBEu+cJ&vMTKY~43;<!r9ZRtkNou6n4{>3Kz-TAL|
zsATBSgNJc6)rN25`nktvP@x9n<rtw!Rd=z<V4?t#57En#(bp00Q+_Y&2H$u?1N-e;
zM6Fjw?3ldHpWYIuXQoiN{jh8C?)gWh@g&IW8-<%M>bBaeD^>dAu&ZN&jDxe?0t02b
zr2<7&com~Dd!~F?g-?HpQCPTllW2*F@KmVyc_V0Ff<K$g1Y_3yhB@SryMB=zjyd(#
zr}cPeC>dky`AP-8nfOXmhjD1kiE2w;cIB*9Vr`1f{bpF;?5+dh4!M;cWi=vp+NkS4
z#r7zd$79r+@{tpcBhiD+KEwSjk}c~HTR>D^c^m!_3F+fmDIkCx^JV8Xe69C9llmP_
z^dFW}*~tU^aV>V?WoWxh=FxA@q}V)aP`(n%(>P&+X5FRKq%hO_IvDMV`tJZ-G@Ar0
zQv#A}vUW~7dP-?pDOLF*!m4QI{+5Q~@0Rqq3rd-)f00Buq7t7xhSFceyyE8fF|0UQ
zNAd(<@lELMYd~YG)AX8jIxF}<QW@WRtZgktm%#h*=C`YsO-je$v&UW10g}tvynEKR
zafjJ}3eoOF(P#MWKXd|z^x2d4UZns)U!2`IY_I_;^}BI8uw&msHI79(vBhtXFjtr*
zG>$pXqNN*guOCM|-0i$tJuO<tC_W>~89&<Xjqwoyj-Wu-e<Qt*`K-21Hf@)!MJZaB
z-P%_@TiuNnPuJlR3QJ!QOivaI@E?IoXn@6@Ad?7f@6U4WXY=?PIZCUob?-hmcqpi9
zcWs8&GuDkN(XPQwnMiMEYMnO={41+E^CgCCWqoaD<-Z6fPgzEnJF%g+{9NrruqLRE
z0(`<rYZq38Xqfq<JM|mD*B%R&XOa&OCo1$$J~rC=Lc4n#){-JzD8GriaQbg(3XdU{
zY-!(nSY;f!1G5{ws<$l#7s4Z-mj|RDy0(4&YVo3<geC!}z;XX3W(i9CCgn-STYkij
zW{g5WIac$7&qd8%Lq@EFYtG>6b)R2FpXTU$wQyrGx5b*5M^~NDq6<%x&GDWNh2=t$
z%6+uvj;|j5UvZdXocB~SH+kmaF@Hhl-E48b*Q(d~H>puM+GWqhThg)Wn!r$`e<UDi
zTxlIpyKC2rLFqg+d$cUw8LPEJ3G|>0WBHto7)WXhblBoyHc3GL4Fj7MS;P`X80Ohi
zSJ~eHg0}cuoR~pP{#psq7CcPWO=*Yj`!9sSbDS;&@#_8Y-iD4$rMQLh6a7j7zxYV=
zlpRxZEm@~+)^6g3p#82mkn*KV)3;^);sQ=#i%&EXG1GMQd&o@^uSEUBL`fFfn`4Nz
z%kYEw-;Th|61O#AQ}if}FvuPdHIN*3JOypDJ|p||R2q%^4sX4^op81l?YHlju%q5G
zSRuU`#M&L>$UOvzU4mE_cHIE;b=K+my*50yTG|<-vrfYNNugjPchfGj1j0K9lvA!b
zcJ*$h82K~l*%rTksw(-IQ9+IiPoBs+UQ2MLZ0i-RE8>=pdE0`YS17BFRB@7S!c<U`
z5&c}~jx+XRQ4Zg~e&`M|PQ4vIt};j7{<L&5_T+}3nAdwy2b}7*_F}D%R0R7~xy6{q
zg{2+nmy}F+=5+d<)tS_^(-8OHzcp8<uhY(u?(e7074AC!!_uF7fqUX(-lhB^9~U1Q
z?YcUrXP1^1rSu{TkLGClN)*smcYzUUIA$wCcAP4abVePvF~%DEDlMnw6=tcb7M0q1
zPyQnXsW6#tSH4iahM0Y4IZ5Py&vp2!DKFjnq^I&%;;O@ABOH{XRqT}l>J0fSe607*
z=KHVBYLmKaKA1<EvCSnQBwoV5^J*@@^($+Zuou#TuE#+$k@$9yoLceQ&V-O>`4U^O
z<CMTvK|MjB72k#%E%Q#sY3$6tws(&#pJehEeS;*7)p-x^S6oRpg*XYP0_G1{&QuMQ
z-yYe>f|&%HEGut}%8rUn&!~LLV=WkqW<BZMB=Oy3>BavK4Xj@u1K|1Zon+~$*x%br
zyU&0<)AI-EXak#(s)yQW-9tRmFfKiF2kcZ*#UMItLlzQ&1u(6Z-B(G;?N;H9e76<W
zdfk?A|5m~G5{>*b&Mhc~n5nn%2YJZ@$QAb08w>N4IB#|A{!VX0`ysXl?usTmjP4M9
z?(^GsB3bIuSzM`nF1KES#mZSk4($Z&PU$0iimQ{trnbY&bq~UYzmIw3WInKgi>(|q
z!9y!P+pf>{tse1ezZC^{6eK$YFa%oII9V7dlWBJvf)*0}mYMRch7t=Jeyofty4DoF
zEuJE8nC&kq&wN)tx8YPeIiA@#sw&dA$2|_Nll2NKte>NamJi((KFmpS+qNG#<j(0e
zx9B4<L<%KHq=q>7X|s=7Fpv&(=s#y77GrD6eq)>K9|Z}EaDyw9b}MyH5mBb!0?PlS
zpuYEzeUGV;GoD{ituvdi&!m=0%GivVz#I6TWE%pIq%Gqr6<6IX=Kz#w_w7`KOa@y^
zJtL%B@c->GYN~hjvCgop3t-uyULiQX=!RsKR8Iz+kg|YRsV+GE@>SEyjq2{&XbhY!
z0AA?t?%AsjNu87bu=6MvPVT$Et%RHAWArM{vfkF3Bq5aOKyS3w6vWpIzmM8hJyC5e
zte>v4h7IHYBHen^%7mD%VDd=$e!|~o<-v)5ph4t2DxM%c{C<3qas>3GSS001tiOgf
zC_4ZFYF|7wd@{!MmIN+GdP!-Eakr%{x<Bj5h$j}F1})E0R4kXIKrlY|Z!Yt4^VAr~
z`<OAxLf%D2EYNnTUYgB{c4TzgZgiR-yWqmWFTznz>XERojJXjo#n&eA9~%HYZA1Ok
zu+UkEX@zLmdXw8YgB3#3N^W<5KqyNkFafxZ-#ll+gv46Q>Xhj7WeGAiLQAGn__O1x
zwZYeBtA$nKU|I1RpOQ2;F&W~4rSjE%fLpr6w%eyCAkHv*(6zy7X(L21t>zROlHp_M
zn}};=&3|1*qQfXu5#_ruliN?PL!Ug0Ep{Rx#gf)|v>@z;Xt>%7^4@-NlaHZkv_ehE
zlqc}KVf$)V3*1c?5F1Z?aJ2=Idkt}kOub|o!fkJ{`fS=7gf2q*z*oCOls6A_fkeF$
zAwAYVdWVtYy!?J4g$e$DuPX?YHQKoJ+S>XpwU4Je^aR(GUysxG@$KgS@*k+1%+z@$
zw+(-R!N*87@7*W9i&ax)a1RRVsE>onAe6nJ5sK9u7oT#s%8D}bCi}ZZiAL-aNWuh2
zPBTnA9KC7nn)vP2Knq$GDmOMSzO0117&CrN6TB|2YBTm1Q3%>t7GxszbS`ar^a{+*
zCm*)B1Cq?n_&}!WHwFw;9ooq)FHH}%_U```rHead)L$3Su7rQxBi)s?+JOTa$`%He
z@~mnRZeo}*jo!OR_927&H<pN77z_PgZ4ma@064Wm#DrSl$@%-}*ZGVC>FO64;H`os
zhs5h1>EU14i8H|hf$69;|M(v+0-jFJU^?3rQX`?xV`@D!R!WIBM3#d#C0xP3W2_J4
zo+*a99Yh0<?TKJ%lcB5E=l@_iV$f~QG+!;<*`u^#b4Oz^Z&A#onewq+RK7>v=rGOY
zIKp*!Jj+`%XBc?lU+3{zb!V^7<+Ww-XUaG#CoQ`KBTq%@A^IbIqQD~V)Y6g4+w?aR
zG;lgg&Fk9eK^hw_h{5smSDXvAi&b?XOn}yi$6i{r(^qSC2ppC2)WY;M{!LI?rid;B
z<?w*<+exhPT{e2>K~aJXX0CV{@00o;V?qtBeP}GMAHOjOIO?oG1*zE*NO8}(;^#EH
zo^3LDMYgumv!KOzJT$m&j43<wRH>w@-ZY-%-6Q?Dv&i&yxk>WfINVK^|18=gwSC^S
zjGXOnrihlwVv{|if7u9z10QQMcjklrUa0X(B`6BRx}U!cruDiB9}8POws5*>J(yn?
z66JMWmwU)v8>&)s7}09+?Mff|i8?ES!d1;<c;x!Oe{k4Yqz>0+>x|56j53nn2r>7r
z#*R$%72#F7F@M=BR)=e>M0r$`8dFcR&S+BPMx{p_5}*mZKRNe#)|*Z!36q3EhGV|f
z8#2^P(8MRkPk<FYq(4=~VdcU}e?euN%8`5@L9wG1=djA>_h+;N&&2tC>@O<|P~ok7
zi+E54m2^qDcKqfCz12Ev3VPM0*3YSg3ugX;H8jcLpF}0w`DyYP8*!KblOo<e-HAVF
zTWV-Z(8rqRWRXp<(e`uv<w3?*65cPV)R_Mstt<TPj8?#87q4bsd6}>SmVxyW<v9UC
zQ|81^drxPKS6?kVQvaHn2RphdRs)UxX3$gM{Ph{LY`E%$S=U1g@FpW#cu#MXi{6!e
zRabCS9P&;f&7aZg%uvOd_qe0he<SPEXKldu&KS{Y-LGLXJ1g>mU(cioxo6q(q*tLk
z3_>#=U45%%Z>Qs%Ck8{NJ7gW@Ci)0bsPPVJ7f`Kc3`P_ws%beIv;2O=L39Fz51L3&
zxr)wFrtTwo&si%TF+b~Ng;RaTu#A<zE`lC#Lo7_gQZsyh%q7h;JMre$u)0;V(z8MD
zJkJGb?ld4R*%V6Lx|gsR6<JTl)0FLPm7ZpD>9(Jod)d%ilw^b?^jhI|3C%8>T)SSb
z11N~ZOZvGDk!Hku`Pljfxuvd>HY9hN5Y43Ce)yfe*)|@SRRm~hHT_2HsRnE!O(1-9
z$ldHaR82<I-?==@KZ44YwW78C+(AmaB3xi!BNHdYLn64u$#6;zXj24r8*k;7UD&R_
z5(dCNb#BdmSWyED+dNq<td6Hy*rkK~IQLX0+q{mh&jTN86qEQo$o66w^qKD}BE}#=
zPTlJgSRuQ+sgZ0x6*Z~7N>2)2*daucIJ=+Ig9){2#%Lfr%k;1``LU|toy8l;ZpObf
zP3GPOM1%IE>38Jvl_c3W+Q6$~7JrZIguQ4|y{-TnpBwwjfK5&Fx-hSGR{13@Jhd4(
z|7ty?Wrd*2Tf0dp!X=T_PHs3L-4yw7E^4qeQ1GtJY2`8$=v;CKBey=b@Zh#SUI~2j
z^1HAYQp)MA7AK4SG>=Z>%a9X2+~i*CdTbSb-u&Om2|~b%Ousd^@zrZrdI?jrU>|wu
zAE_ZT(D+rv+J51ek<1sAo(;?V-V?M8durh=4T7=lb{X{hsma?PEk}@2_q>0C8$CAD
zuU2P#5@ts%E%n{}CTH@5v~Qbh`SRtz8K1rSp6+ks{1oNlz6TOE85SvT!7$d)0yzjt
z5;vy*gwp3^|MDiGN<>fec!yczlK_PayQ~Oe$C@Z5fYU;bXthL@OK<Nm_r_nf7+wD5
zwaD5h$pKD=5bKly0Z~y76Os2iM$nc_q#f5~7^yYVI;IbFyl`WV14sD#0i9Bszdttd
zyHpd$r+;%R>!?g@=XHo%o_T5G5q%=>J=7}WFQ70{@r$5zeQjfTcA~Yn{iFuWP9JOT
zBl)4f6?<HsLundEV&>pqye-$UjXv3)H)Xgc^JlYM^$j0Qmd$nM84!}Zna6^?fC1r_
zc^sdO7eKXpPPeWV;^-vl2>xpHrk0KzSFqLVef@QV{a>Ux<%U&YhQwLHUf~bHjDjo<
zO_I1hpYf^SS%ad1XMD?LT6{BCnH5D7YG4oC-PqlV_-|l)aEFA;qjzk#u6e7Of0~lR
zZL9Q64Y|LnDUl#TCga1FlpA|ev%xwaUeBsT7GG(Lnqw888r$sL+ZNUvIZdVVwTo8c
zMo%p}Qy*i)!FGw4$6*mO*ccn#q!87dDI&klE~ittYpf}*xOFYW)S7FS{-(L=P9}q#
zTv?W+Baf;$Cpu1!>4C)bDNzKBH%y?yt#S33{ra8p^NiO<Rg0GudPm^^PUi5bC^4Gx
z>QP{Ieqm;d)M<2<z)kx}Lvvx^-m#+{DlpTOEy7Taln5+;W#za!K{T0&{Y7d;-j}HD
z%KjHpf1UAQ`(CEoo$ph=hsDe5OU8wh0OdOv!j06<D!XN8J=onMy~8yb$LbkPO^OHK
z^jq6*z{ug5Ph(vux6hDw-!a|x2|sYG&eT<^1xWK_4V5KvCbZ`mCt{?Nm=Uns$hvF|
z$Q=?+lYQy`K^dT#z<7N{_jIhkQ}s$J?~_{ayy8@9bG8C<!SdC=Gv;bj_O`kj#>DrA
zY0ETo2~yZR$=#%BnY5!I5glN)nva?lfi+KxFR;)6Yc>MK%{(WY;tZ0EP0CWJH#g}_
z>inXTJ|Q#x)<Ku5({mmeT-Z+t<u^}F@-qm~OmlVui8qYATAOC}xv@i{a?%%cH8<Ke
z6CBDc{SOdfR7-N91|0r)rr=R6M?B`<M$`1gh8cy&kEP*pP<r~>UohJEn!@~(i-5{=
z<ZhEu-W6YEuWXU|Go{&)zeaY^d8&>9&{#k|KDhx)1)`}&n@&h4SA3&3nDjSsX7M`s
zH!_!HIn&?6{DWg2lgV5<-Rd8oB3-Z50{oVXZ5N;wyJIq^Pl;V8g|Ua$)TfCad#=gm
zIw_MxuE`hQ3eEc=t~E`Tu67wbuo04hsi!NqMgMMS_G|WBABL6IL{yQM0_uTF@f&se
zOZ}jF0UXJZ&O~7i0m@8L8!Rm>2!)%I^WqcQHnRZnRyj5Y6fa?`D1WDf$xmQV)l}`(
zr~qk)_||vT!X_RAJ!-qJM$siSd{Y5s1W(^6%K(R4R^b>c`$2d5Wvexf3X~I*&gC?x
z?G^2B&u9sjfAXa(=h=i3yr<r9j<oTQ365*avS$$?QE<CPdQYd9wm~=}OWfk;Mj=_A
zmG71IY17c_5sp_=9<VIq4g-YvmvjlRMK`Hc)X%yA%RIG@^CkJH^re!e=_<W>y&n^q
zq$`Xh+j1riy$!K)b-PVv9XiJq+lNj;f1*wC(pPz-?i~MS=Ad_K7X`kOnt$P{y|Db*
zcx3;?|Au0$JE0tpKWlvnp|<0p6Q8EX=W><aY!sj0CcT?%w=(m16<<u2-qrp8&j6jz
z%676SiM$OJLibx>7UG-D?^eCdmemD*#w}TEpDuDxH@=WDC!uQn1YI%%k}MmNd|@34
zBc;>Q!&g?Q2?7)u7BsD_J=SCe<fAJ*$&P=c)yI&KRC96I0zbVunwFr^;tk9(OO1-p
z6Gt8@c<IXx6e^w-dLHQW;XWxyAMv^w<3Df~QDjNe8h$J9vA{>U+i2c?W#a_Xqyh-w
zN!ZPj`3z&x3@(|QJnYy`RGA@%3orK~JMVfa&)mdYXCf`b%{Sf&0@8cdK8fRmM-|cT
zH4EvxS}(E45Qem`_Oz(ZrdyZ99T_&B;J;SceVg-Mn{rRj$!oB?BzD&R$wn=(19{L5
z6^W-yQdMBJ`r`pqiC_~IYs^3yLbeZ{v%Y*~PS8cpu$Pw@>6^{*M>6~;%_gr@PW@nv
zhX7N0{Csyu*-!ryj})5ItZ;*{EPk9&$bCZ%V8A*#Lqwoq;4u5Bjj&bYV?=pj<wpcD
zww<^+PNq4wfpRkuiQWMbDOVN9ebRV6`OAly(00lF9inKnqkI~>FXD`U@rzgzVG*Wd
zc<QN=B<qvM!y}Pl7<v^!*z5YSmoFx9Ev#9j#`|7SJl4kL_fXR2tvw=rvfc@xqJUi0
zUR{xL`GQp}i=+<^ZDD~ND_<=?WbeFRa@Wu@HM?1n3pBuZVxJfF)znMfG8uA8R@K8J
z)>yc!s)KF(gVMK|i0uBu@~*qdbRzyhvz*QGud|RPs$<w&Os3ue+rw>cTz^bBbjO1D
z^Fd9!MQk&dev%C*uBR?LLt$THpNHJ0r;cl*zAjxYU?6NVdTdh5|K6eG727A*-O_8T
zHD%tvZ;Scu_-bO5cCB&vKEZrM@k+HkJLe$ca&$JwYqj!kv)`^RwBa@VSpiz<C<+sb
zI(JHe2(U!S(|jiX7k6*j76to8{SpFFN;gO&Fm#tnclQv|H3LYuf*?o?-Q6+6zyvci
z(j9^{0@4iv0s?yfw|jqt{qA`_!u8@jkK<bBTE8_wG)PJIHI0yzueX4hs;K^mhCE2+
z*xc8h4~>&Hn!9EnA@ByziO<{Y9%lw5Q#pl0C%(n_F;|XS*Tn}Mz|Eyvyq!7lii$5y
z-<qcMl8Zp+^n$;xfQ>TE4W4GhzuJf>l=IKWJ-a!v^U>xRAWN93&ABzYA)9k$G0vEm
z7&@4e-$77?c4QY0A=IRAdn~Yv!?tRbCtp8HIlmPw2Hj3GSWuXMH90`asDICr_7Vyu
zP76>x|5ul7UuqrDm$>Gh?3BN~bo7>(C9D}F(o`Fs!UAO`OUohqSPOlzjr$(%y8rBS
zgKD^b{Cs>wcEh58Y+Yx7?mhJ=*2T2$Tj|7BlisdQNok6HWxt4=e$imi*pWA%^9O|f
zsz8?PLV?AS=CXYg;(3quX3hzNxjEP#*%Am@bbty}Qf=!X;~A;Q-eeUqIKKyGbw7+a
zo~<L`oR3@5B)3&nFg_29<{m!wR|3UrVnd&k;7Wh_K;WO2(8AR?y@2*6F8Z@cBtz){
zmFq-~qxPrW+*|m(tr!SNh-6t!V>te9C1B2Td;~yT#dVWIZn8aSt5UuXHX5?l&M*^i
zHyZ4@SU2he4f)IUn*(o>wxw^s%frt%9I+;IFPR{R)Sc!{y~xU_cb@21U_SJ}@VkEG
zU}iUKWO;mnz<)!=g?}#TJjeLahU!`JvU0qbp|KH>UA5t9`VM;&p}nN%+6sc-I4aZZ
zPhCP6-1+MC4$`7~Sp8qwq8!!OSX};ij_pP25&SIr>s>qc<gnfVhMJ=fpV9~4o67EA
znGAFBq`)35Ehq9rb(*G|uKm|9gCjMGHoU$YGkKlSC-N`D&*IcrX#a2xmQ{2_TO$j#
z<KvAY?d&X<ilCqOj=}L8Vx6p4Q@#chK+rhi{5W(z`8=_CAN3va#&hQZvdPL5eb1&?
z#O2l-`t!5LzP%B+leg^a8ne^9O7t4JpHW!TVVgR;sJP3Xmp>aL?i3ZiXwD^r!O#4e
zca3CQZ_6}ADGc_@$a0)kdW=jlZqosBOW6n~pN|(-Z*L!FnBQ8vI)<zY2;?E$n-3K@
zZg{h&=Su72To?r0?|-dNQY@pn)l-K0l37wF!$%kqNS?B+<n1H6V4XeSy%jE95EA=F
z+oY{E2vQs4Zke*Ne*7P#Sy6sxbwrT2t+pVbJUwXeDMZZ6K>H=zfR2`eK?@5O%}u8s
z*wA6){*RrQX7FA5N+j5yCTI0*Jf^ACc)}hdjqCh!F{t*;COFu*Y?x56(YeN3r}tL^
z)=C6)El!PJnHd^b|L<GRBRw#0o+*;yvF44+Xp~%*bbx__n)=QM>?3Qd2`62}lWx9}
zT*pcLIH|2Ga-g{DUm1(>qiy;EX=u4)gLtAr1>RKu=Aap)@XG=;WRi~au(vU|c6~yh
zibyI>s-~1&-JWwsCJ{8Zx<kY#IlSEz<&q{8NOhk0m%Y4OwTO_4pLeJ;J`@`dJp~#C
zOU+R_u7gGOZb|S2FcDNvaicS&^(Q){zvD^&Zt%I^N=O7Y>{>9gX$K&G+rx|D02h2g
znGx3?60N#hl{4R59(2Vjb)--U1sHOfKI`8%{BiFZ)^`4q(R%tudW0DiObX@kLr?Vd
zV4Mc}DxcGs06Pfz%)f?j5%sO|)SjOi?N(uq4PxvDmxJ}VNPZ#Z0P>9}*90|n+)VA~
zVLKbIYGwc0h5X~yv3JOmvS<HZ>|A-+@rr#rE?<~ecwBC0fy>?CToTp4_RQq;ESrn;
zDL6XaEkBkgf*>K)L83m@_Wfr-Cui0Mw?l(n$)4mjSHIZl0`kOF!915*Q`i(osizwR
zALDLwOuzp%*E7ymQK(myBrYExicHOuaV^?jNMqvpSp012!s{G(oGb-l)yT&b2;8lA
zbg5df&v`~KaCNk);8OLkk;qkuw;SSz)UORF;Obl=7Za!fLKHl{JG*nPWK$}46e#pm
zT&7AZP!cB4R&Jp)3GTrv8%NT)IF0GGl;G1^!;$(;sdS$`1Vo*BjRpDhuUUPErjPfC
z^yZ~Y0$?`Ao_Q@_t@OK2ne#0`1WcBR4*mbbK>=juGEoiB-x-*4sL}Nau#C~omw){G
ztWfi-(%322-tUWG=^?s4m=&1W4)g8pO0=n$O{;|$M;S*6ieP#%r5l^3Q~B{s?gwow
z`$2O1M)E9c|1s^Ai){D%SGH_ke_5_yriz)Up2;r=opoG&emVr4Iv;`7Eg$^wK<c~^
zRo9hT1pHH$!kTOf5_V+&LQY0FNN0rE6itLq#3O-KXDcZOVn5!Uo?idHRN3S43YBcY
zn;QPcE~8MV7cvpHLMX6rHJQpN5oztJG5)!QX#O2taaO*cg@Gb~rp`wBa5AudDH82#
z|8iozkeR>XrP+!U7S%K<pPv07xgJ$gxHHEH4157Tjo)*WcW-h}UlC&_<6x89SX@%}
z))5SM1W&7r1=N9a`_c8+&bH`9RuQy$BkqvQ3NbYgq5(L7IJl^oP6@-~>M7?maL!*8
zSy-Ck7bpxKvz-NA!D=y|t~7LJEz6g}58QV3PiwigZ3;Z4F8k5nj27y;qr1$fv`k-m
z=V_7NZoj@LGV1ba=Kb~TTrx4f=G1d}>G(_ZK-8I5p_b?No5kM5p+u-;ZePLqJTJ09
zu<GGVApH7x5U*cBROm?#wrxdDO70~0i-jSzbNJ}?8YAPS-@7KRR1CGPn|fe%K|R;g
zT|c1f7O#f(?g*=U{O^r>nW>Kk2I9yo!K42&#?>(ooe?})nB01(&r-rLstSTfm%6O9
z(;`G3yt;h*-;}yVZO8{GXe^zt*5vpbD*c@R&5{f(@ayZmPTHDOX?p2AQFTYRwtFg?
z8upv**ZN^QSotJ4GU&f{R19G|dSuqDP-&xW{Gl*zJwHI%KdwFhJD#g=-P-g8k=p`^
zlv=;cs|iJs-A|{^jeSj%(&*Qjv{1JW$MTjX$KM^i1GNGm^JlCdAY~p53GZG|gd<C8
zAqGCz#yX@Cwn3f5d}&rw1l<QiXwN*=!<xij``DFNdULwE2JqjLX(nFDc2`v-(fvy=
zeZVtaPV>ef5aF47Ps{wg8F^?l&SlB>O(MypH1UBG(Vpddt{3dZ81d1}X1z<lHz>!Q
z-(5L$w&99ZQhM`ja{CJx-TqGo-;UX#UP7F_X(KIZ2S*|N8a?J-+0zw+n!|FYIjGam
zFvWXYXRI_J_k%n|X6ko){*wngQilT{tkEI-oa(Exo!3%JOQEGbD3(7@xDnVvV$K^u
z{Zm<jJa>n0<aT>{9Wp(9z>`TyK?O5nt;{n#dvfX<^5@o@Jaw-N-?+)$UBtvnbm{QO
z?1(uXj{x{HYK-)J5^zGgpTbIyIv5Wo8u%5%w6`rh@ZxkTRG(<r?whA=qCsgrm>g5#
zEvaOhd8w)lGZk3@A`Qn|o1tPrNpEjg{Pm7CD|PuF3%ak^vlm0`q}+4r5B$89{Cw66
zub62^{C6{6RSI;2i7Z2W!{BA!D(5QLj{}x-f%Ov~Y#O-W$-!29=98Oxawi$G{ua+-
zLSA?SChOm(0$r5E*XT03oTa>Ypa1bZp)mGNBPDg$B~qH&V`<;!G|8hq4js?Wa<HL?
z>WVpA0drWrGm0}tE3Zm5Y;*h$GGZ6V3LT{gkhy}CK^-kk<*Tb7j36-iRZ05mg|B#7
z_RCfC(gY09Q`@mjCm-#-?@jOToHR`OQbl<@)yJRil)dl+WDUJUp8v7q9eKN6bqe|k
z_kL_!4Im7bC*bxXN$OkOXRof3PzHKCe4(+)(SO4Tqs!IhT3Oqb)r}aG0`*g|WEh2F
zJ|uSLuzLJWA@F#?r>h%@wxs|weX1jOeYbx2WVzV@<l9sS%ChzxvEpl^P!ub(xYHB&
zq!Ld^WoXf-ww+tLP&#Pv)KO^k{DHYGZ9z4h?0eVK4l)ZBv@RPmf+bC7huMO?!pG5q
zPFijZbci3-x5tzB1*GC~?!vme0VmlO3ua^JrYB;}8u72=uA5DQlegHy+Tdx{KO-A|
zGa9KMGS-popmv5sxAq_r+LYHXct6kue~3-0=bf9hH-fopq>O!vH4Y<7rv+ZeXLVW|
z3kQLMf7H?3-$ZarO+Z9Uuyyoy`5DAyca3z&HTtJ^a(RqZ?0`jDb6h{a5Mi9Dc)tO%
zg&Mo#LY0ToI#<(bgLGQ$^a<B`sSe9rF3Ts%KfXY(Kp31O|G}s4ShO!uebMbZDd=Zz
zN+ERCOG9cWjqho^0#md3P|bd@DxAUKu+Agqjik}h2diI+s-V0P@ge}>E4?L&i8i+^
zK#YR$->$ANRGA4T9rrH`hMTRHQWk8F^d=WOhCWaJx{>8Gi|(+5NPae7<U6{aNfjH~
z#P`Uy{<}qjN~Cn$75cOh*`;xIo&T$4^fDK4q^RhjDY|noF~Si#_LabVv<5H8MaS_(
zMj(I@29>lgqc;|yo6^h>$%?>ot`RM~wyS4MHrlCP85^!@sc~@+&B;4X8%myMlTX{h
zWcgam7$tcJ-DxaXEdT`5Xd&udFFPo&RXSHK|1n8GoPIH66`$0YO0TmkbGin4Vvi3O
zJ8J$q?S-s_oFq+Pdplv!#X9kB6V5aXZPQwp)9kUir8JB^lY=(kG<CJht$+Rln1tJ7
zkkaZ+uZZxuTxyT5_<wb%&jxm9S?LxGhxYfxNqNwMF}=d0Pbot4My9d!WFS-BgII_d
zd;O!j+h=%0$7Qm@kez)ahB91Y(CoEoT-c@OBrH{SpB40fnHcl`Jtqvdbyj9)rii0)
z09FwLJ__bu={w<!qZJTSoTz&x6fC;Fu(m|uR^-xWs$MtTRzBcwWYS54!@tYU1S?mw
zS?JeMjb~mRempb+@_SJR(>ptmWbNJpmH6wmMVCf+T2lkVcvH`BV!;1!fZ&5?UE8uO
z8Oua^V&YEg^vYQ9=IK(iDL+MyP)6!TI}@8D&1VS}TB0Hg8&bDQeb*CiyX*>i^y)JO
z2C}$z)n5BNL?#%I%kj)xBr2-TcAj7vTY`9ml@K10F|!Hzr?n<E(CbV!l;AHd0so86
zWd~Gn0G_)0bVT+jr!t6w#miu;k4;?bxik5{bDRIfFAu`)EM#GZFIv+h!^TQ?Slq+t
zzHidV?{r<RpJFwx)|-qe{qi^^F890Gyw(@Q&}8OtfkfWX$VksC%2C`BW)4^O>?IlJ
zZ-2tq!fWOpYG(8nXP-M)!CXU|owYn_>>ba%dIrXG{d9qiWRXp|V8>*Pnq&g1bcGYN
zdaFm=kIzS5|6Z{ihOQ*k_cgXSIiFPuuQK1v_h4C&!|DnEPcM=eq;;5IzPhF7Ls&7Z
zbkL0s<BG-wq&|7|V`>d#a28enEogHdG<Pf^S9fR@bgbL@tF-ZM|KWoVb&EAhGU+U5
zO4-t-fr|uU5|W#eINCHmRo2Vj&#3!5Si1VVP0)voc-i^T+UFi(m-YffN;id{*OLV{
zI+i~Og)^-&h~zH}DDp7o8$&hxk92W(8F++B$~aV1<uu%6uh_JltHQMAX639-{o>s;
zKMqGu|8lj-DROlaE#QwAT{%UfT@@B|IyR;b^%IPWo7!&iPF}yr(zMUD5PdrQUN)Ha
zMs=&G>!D7G1FG?r6oRo18s2gbdi=LOgiR!`(p=6ZrDPE^8}w^?^hz}W%@)h#bM2_J
zjOge|v2w>}1S){K5xy<>EnUG1cFmx5DG>vKCK_65t(LENCM<w4y!51>b{q<=Rq#@%
zs1sc^y=unXIQ{?<J=9}*+$R|H)JD+)A{@VXw$Gfq^E4Y8_&GX07?smnxL51+Y?XGd
zKe4wx(UzaKuLcTsWV7<n4C8FsrP1ZbDKjL`E~~nGsmY*2n$}i>y)7)7)%}-%@m<+&
z7Y*d6;FWJhr+>b?J2R!9_apFQDIcujez7S%jaz9v=UrxIrbz^mrrByv*1CG8bMK4x
z07<vM(F<skoLVXU)dp>{nUMT;B>ig54~Rc0(!mUt0y3T2G_ee+mt%UE{+lclim_+H
zQWuF?ULOmdHZO8$uTtcA_hRf(ixv|cNA=lz%RJ+CMb<a`%((AG?aoApn5Yi}w}udF
zrq;qDKMP76t?`4`i%iH1J+uo0{3agGA+>@S(!Gt-s{;cQ(<oPqQdUrH7vyI!(w2_s
z8I{SbnSf5J{s#~0BDYZ=@A7H5w7~r{8$u8+wMu<t#q4{VIUk$ns;ge}1SxB)qft#v
zZ~_jD>v=#D26aqlVOlS6Ze<Rzj%(1ajiHTBv7oZLB-0Dn5~&c9iEKJgK1j<0res4d
zo!b(F7lO?$edtR0;V5gm@|D1oe>nAiNqCJqg-5nv6Pp|B_g7E)Ctl-@c=f;f8TTx7
z*fb?VLS9L;U|?X}G=tGtF$8u=2Ofnx1M_kuB6EO8R?}|JHEGSpHP8K9>(g!RXB9zn
zYAP*7wmTM1GM=lZ)Pj)s&p9Onw1wr#+#ao_z~R!%BmBP*H-xt}C?k$1XwZ_pZkPAU
zPEk5fCnJucg_H;Fq!B^qJ!#t*mSgc5l;SomOszrezQs2K6?iYB@Yc<ysl}wwt36r8
zE(0{f2<~u@iEmcm9VH!Q-oVzVdvXX$T_S1HD?AH%DWBMzJkjeL<5md8M~5t?w$7U#
zdqd!W`_&s|ohq!toWD3g@=?CdDfozzwj>P+^P93U$sbmNc-*ctY2cGlwMLD-EIDFQ
zx85@j`{x9e(a+cB4b~HC`f-9_z<pjt^OlV}d?U6w$L)pnNP&`@|A665T^`%?>HCV0
zOuDFTVCz)FG^00hrF$^pa9pIDh0=Qy7ZTjauHG7y*nxasZX}8;tjLV0rH;kS)_}L^
zE!m9Mmq5>-3zw_li8R{X^iIWbdSbeq=TpJ4R=nm;t>91(olI@};chT`y{Z`xs#85Q
zw)phap!9~Kz_LauyW0twp#+~q?>@4hJE3m)r?}j{kw`Tbv8vl>dL||MvY0NkSFK`V
z%tnG*WFn{v!??aT<p0BcGVfTiEX%jHXG0&?NY$>lvKp5|q|5h7?5dhq4%GsAZ#c$$
zpXZvM=6Xyx+XBG#CSg_+u901HF5~8LnmGcYcEPZQJ<#UD<$Ciy*dLz>F<AeR7WsK}
z=F+NZe~1sDm(pKgO=z3LJXZq>(8*#HTqrSXuSd(Ey!?46L*f)a4dyC0gzx;GOiB6Y
z+N&z>F<@hpr8Zb<u2FODbGCDXc^~IhiYxI>Ej8ilL<^e6n%fD2pO{*@GD--e#Mw1W
zRq*h)$l6ujS@;PHh-pvbaSszm40C6HVa6J?BZ=$;wccX>q4VWe1+43XO9Ge~Cv)fj
zOwi!$M!Dm=DK?z?Jatbq9d#6MlX<mYBrZN81rgdM?9jTwP<?tEzw=vQ`ItWC>v4>7
zfh+o+$D#AD66sno9jl{2^hljnU8EXq*JdPeLX~~HFOK48@|?oaRWp}!n0-&ziHCZH
zH`Ha#f*h~ArjFIzBUZs4igm85eQT_@@gx1E<x5#L?-Op`myTfUMM%m?#cDo-9^=8T
zI}Z4B*Ol9Rmf=LPbbFxyOJeQQR|a4RiFkdn1zb&je5C+-2#?W;LAq-pfF!>?_Mi>n
z)Tsy3zb;$W{dr_g=^Ha;qI}@m4woBDv&oXG-6FI~0P$B2UrfZSMt~-A*JWf)DO4pg
zI=ylICM`)C5+ig^461)$70Kan)z{o4_q43NT$#~roeg#c0md};y#{{KONME`{2S;L
z>@Ogc&U(Ne=R7Moe$j<yd*6}Ewv*Qko9={2pX~~jO+rxu!Aw2t4&UtMUmh{H&R2cU
z43DswLI!7E+1W6!D_Jk9QKVMkM#!Jim}_Y3d!|*|9;(c3$Q#4?&q9)iW;JeY+|U*c
zw2Knw)PJ1v@zm=l919#U8H(>1I6C{>gXy@&r>CFt=F>Smr<fh2dDq8M3<yw!S&Br)
z0K%)ivzX^T{v1I#x)As;CIhF!A6D%Iei3*}%~#|(%oY2!W^TedM5}pmO66+j{4qlw
zz<Gj_ml#jQdHu|mk{P<TxnBYb+@fD^q9kmdXh??;SHczqTl`4Pv>-nbD7$Emis(<Z
z0D@Yfqy%Dop3wMTYW|62$R!Kbx^1;zHn&S*fnRS)sM*<JV4G|*PwBm2Wivv*WKUmR
z%PjC&ybAxnytv*BU5fTt%1*th<f%eZ#Pgu{l>fsaSbB!xoIjVQ)2$rtYCm}6#>lw)
zt_^v6iRI=-%Ox7R&)COYeq=BC1#${CBMA_<^{de|@Tubr3$9#5JG$on4`*J`Y#v^u
zUz&W@mP^sFIIei;J<$@^%Z{72I%|rftC2X~4nk<gD!8O344H*-S1z}&$c*!5;Led}
z4d3fAQ&^k$WP9Zey&%AS@=8G8J-yGZBW--VcQ{v8%f2?aLtW3$(o0d`kEeuGsj-D`
zOm-5w(D_pY$jWorUVhc%6Yp2_(e1+l+W}+A2TMnzTqw(h`e7A)hca-W<|NgHpRI}(
zj?1!w$O7oU=y{xB3nE?!7l1WwnvpIs6}C2@hutm0+a({uqe5~ywG@cgUTF(#ome|b
z!iJ=sm&rGcMk#g=gyqQDLO(Fs4K*I?xLW*m_FaSs@(cdUt<Nvn$w2yW`J<i5v<!N>
z*Q>??xu0i;?qASoPNigMC!HhD?JFNzEw^6$w0n1AB4n`R=+XfIO_T-_I%bq=k|w|K
zWp+~0mB`P&jl4O0!N5tpse$GD^rlXNXQaK{aMWd(QFt!0p>p>X&?O0K94;=D!AA8i
zE;)Xg<-<FzK(~cZf`-@xaEeRGBH--F2-qiS_I;$QAYE9da*>R%%=SweP2>7kZMxgm
zfyw;x5X00O(EI$S(?2xY@PUR}M{pbD`p5nWAvZw!ul~+#yjBWqK|~H~zueE!*M1|y
zib@iw7DeCY7Vnpx#x;vH9YK~ZjQ$I7{wkv>;nmfLngg{VQ?l@%+#G3df2mqhVR)^7
zO4O&su~^*j%UMBKzchjrAu-(`2P^Sa(ZdM;6fF9TkQ!vbR5?Y4J+lU<8BF$67r@&o
zD5LBD8Fm||Q(}fuYuy`9gySs{Qo=u055jQWlMVik#$W4Q_6FWC3pK?GLJ}5hRxBRP
z$IHAptB(g`7}HL6@ok@lt#_-b#0wzAx@7;%1-{R6cA^^t-t$zhAimD;!xt5^h6ML!
zm2(t7_HK#`GFAdTcSs9bE>cfod@~WMui0EZa>K^n6}lxH5m~0_6sgjlC0sXn8Siei
ze5$ly!~;I7=nC}C9Y6`>4BRNo&oiCLuO2_-E*QOncz<X;%PTD6K9eAP9nH~~3ZwY!
zN6_Zr4XH`u86;x#+q&p92i7It{*7|1Hvzp@1WExdtMx&R=B6j^;rIGE;CK0ESQ;oH
zZyV`X&Q!e58R@fZ0KWmnl95zd*G0>f)d-LeRmeoaFW(>sX_FT;S;CDgfbglT2!_>}
zfNsR5d@EV%@J5Rw?AT2;+wsmZlFLQ5nL^^gn<EDU{4jbZtT8-mqx<$Gde#zfr|$VM
zY(-#J9)emT(at}zr7yJD+85-0xm~{{VRnv7Z1y!-_6gtxQei4=TieY&OH0aM%x}dt
zN3kL`|M!2qCj|j?ghx!SZU8E!Nd7nzWstlcXe2Uu*UE%nTQ5n!0itJWoR^F>D_>z}
z#P~4J&;9A6aV?j4Nqt>W{`1z0_ORP2Z@4`umVukdjat<Xc3r_HUQxqqbYW^)ao%M{
zswy6~%le;*2E&l9u$3mw{a$vJh2rIyI&G&A_l`Df(PLb8Y2<jA=1qOW)MqPgHyeMb
zsai~!@uw8(V&zO#X}le>YWI01$2{vG!m7Xpy7>U)jb>)Z@Etc0!xfG>KG@E2E%J~$
zON<@=({W!L7p81P%9KnOAkGTMOxX@o#J9)>B;Y#J6DJjxE}@URtFr>XimVB@O)mjC
zV>N=D=YyioIB8avR@`h(e2|z0Oo-kbFfVw!LNxfN%|0ejcG-4vFtxltj6(HzWKIJ%
zLu?2*Ttd+IC(~MlJ*>X5Z%kDEl=yUq4t%Aa#l~>{V<$?T6Y6h^n{@pW&SaUf&EiDl
z`K!GQHa1$t&X9F#6yz%CbaIy6k|4i-qyMFjrYo8sE-;-r-{Oo&l|w&`&0q;d<fVuY
z39D)gOE|M+9Bi;Umnz-;2WH+2u{JHW7c$KtF;gAjUVb9&hEzoBvijGMD5v#QD-B?W
zpH#dNyGwNwmo!FBu<bo`K)a%t{rg#0_2G931g6VF7j_VY{G$Jv7!1in$V<7A`VCFl
zOn$PDlz{FgYYB~L|4dV$L?iMVInM5h)DfrTZYJZYoQ5D}kMdKJ)mws5k^_UF?(Hw(
z&w9c#_R?Bd|I<=1yx@5#Cp2}E4&D76iMW_)6gwz;DwXY|gdkMkaTyaG9+f@IQ?DE{
z$sNiO0D}1N=EUsJVqdLTTqNt<5RO^z1?gmg12L80w!=Q?l<cm&9tj4Y*vLB9J*@fC
zax;kVe>f4J+VPh3yDG=5$G_RHPI~I-0tr^ZgLSe;3qG4(bxcju<5b@S@=4`PcYkrt
z(a6FbZwqvVBMczw#y(zqhXGSsw(y)7ypM$L?)0R%RQOi(KQznGKZWOq0l7<DykeDJ
zA=ZP6>pNsu>IHgrr^ylCHyB$_{zriusAq>$RZTOU4!!y^E-nPoI^zrX%I#FrV%i<H
zN2hTteF<|(Lfd=1A>H*~i2Cpn+k81aq4}*SOA9={Hr2$aQHQEtxhbNWzk}CEI@IT|
zFVFaP=|u%UHY}UZ3&0Qv1roTpRQAfYI|p)wE5XL;M-H4nC{|na`_2xKk+3^0wLLNA
z!ooiEXI+D-j{M>ZTLvzh!mFbk{{Y-11O4<IOs%-MGdMs}FQ^)pL0i1p)E?iahD%pm
zUJ%!H<&L>|o+a5kcj|nOfep7t!Bm?>Ta3NSm-MkZw2RgQRWonT)7;w@0VUsyNzB6-
zjv8z7?&3VN&@rC*H*9ul3V*5fgkt2YPFJJ)b9g?quAb#M*tkx!3nA%w?0&?0<uTLp
zFWi|3d$0+A3S%cRFq_mR8`~#|^czzOJ!tbrp8hRfjc5+3yqsMDJ#73yfyUszyR*zM
zAvJ9Da)DSbucWWH=+DQsDNJ2%KUz4%T9zj{zSUMhLM(r*7@gXcd|C4Z{TNiJIq7yZ
zU%-9+?Rs<kEfC}#dA_{6*`L0;h+FOId&uK>_d#qBM4f5*PF+EfRuzz9%Q(PMXJyJ`
zbRoOPU;JHl1S>XJV{?!)S>&ej_hSMsFBYLTQZd$K%{Y{oeM;eX?6vbJ>`5otj9DhL
zvZzaUTNm*8ZhqjK&P5ly>~$2(;aF|$eVHw$!`!JU#97@c#pR>T%1|Ec>xmO%>=s4p
zWaG{Q=iuYhX!VWIU1!{?VZEK-H;eoF9|~_<j@MzfD^dlp!A=X`--{e_0P@Ts2eWT{
zw500&#r{?EV;NSN9n<!X57dLx6s`k};x&Ij&s~iFcxpELbQn6<pihq9e0DXE>NHae
zS}y3m<yBWjEZoi-!2njMkvT^XU$smscP1n90oi?Somz4NG`KK%Ed1kmGE^lh<)Qo`
zQGM-h@UE!n+GsEu*1JaUP!onS6cZkVPz15>Al~}IskxIPmBt6JL{vJ0`g`@7#VA9C
z6@8LpGR0j#WEt{6D2<S<fC>P~H%?SagXYtNY&JqmtTm&^3!1+cAfvXajI14h*Z!(Y
z-dX;%9^1h=Of|Ox&L)Q~BUt^h>61_MGMg8@M{A$?7+&1NetG9f1ZkP=wpfzbwGe!P
zz!ChrZ<gqed4j3*fP%B*`8xeP=M)R<V)O-RXvuW_cQcfSFU=A|qpNN6x}n=%|7ej0
zr(y2`+Jn%5G*0M)udZk>o+cNEpU0bSCwrCu;k>cKf=CG31~*;<Uxt_kd1%&~p9Qn3
zzkI&2O=;X@)$obSaRrC%AG=m}vE)xqVl|1+e@ecv>{(S#a>tHjV02Tr8Rm@l<njdT
zWKmZwj9z`)A?$p5yTjWFJX}c81s@JSFS;q}t3G$;?F&WUr8wUltn(1>)n^~6xGKJp
z;ISb=W_2d-pdCNQX=a5?xYRlsd#ewOs<*SvgM*(P)3{i&hXcnoKy=4NI)~!+wJjx-
zeuru5LtQ02x&xsSY1|o_J6F%yPt1oQ>DEc*8V$^-geJ_P!ullvr?^47)hSo9{ASTv
zt%~M(xL`#%Dd&^%$j@y14R1YKxAGa)JIu~2`5ndMKbbXpo;nM8y<Rz|6D^U8S7Uzq
zYNOjBaa`Q#G5leB<m{kK=f-Ud8TzV9S!T}AWJAEt^CzFNAL`g2WXX}?EwGn5aXAUS
zTPqIb$7Ragb%j8@Dkqa{iA);C<o5Z1hDP(}1U}@jHh`o=5U|Kq6KHHSS0rBl!bw2@
zkh{ZR1F$kG1465UURy+`TXL`skL3zbxfe0yI*UfDei3{=G8LJhvup4==Sn;ND2Jr*
z_f6jCSFg7;UsZT4P2r^*ohbX<Zl$;@BE~0uwSa+2ZOc)kzw<IKgwosN6gZpY(utjf
zb&PqDBjmPmQJ&}jy5!lqqyCS!U52^t@Q#E*U!$ihf|`=*7c0+6`?W@ba9x^5brTAu
zJ0j#HK2zsWuTTKOZGRjjhK^9qLij0ZUQs2>loz?X#6bC7*2sW1C>K9qBZnFpB2~9j
ze|iwrU}Zk57KQkPo5q6AII_pc`jMzzT#PJ}>`B?P(1=E}a}iu<3z5%@a)Q#~HMm%S
zRfeLWr6~0NEkY=Xm`D&0L;^-ZP;a_J^J^8uhR;3x6Pk8U6eU4GS37KF%U;A<k!qw#
z;bZ~yAlb;Y@m7-T<as5Jjn30o^2aVhERx2aPYC6LGIcGSnDQF6*rbp$3~5d~47+c?
zyf^(HPWrAXkFo70*YLt0@ZVR0pTum_op(2MLo$gf5$=1vVLx^SV%UkBQ_Y9nT#n;y
z_tGb9;{X^BDgLD9uPy#ivzv%loj5))8VjWi70ld8&e{Uq$2wQxVb+9<c|ijGF_FbL
zo~;&U$CnF{3vF--rh#OE?4QwJIGCC^rm1LTgIL|C%zXIQV(v-!=`>aw;J6I2p5BOO
zD|L3?&-jPTwarp*lq|9+>M~sTs?*Bl=#)5)6=%*>%P&|Ij+Uh8imo`*kl--;V4uDT
zHx*jk^|?hfiT-#iT?3ZQ$UG>BOKOibDgrvRFP&o59HPQi2Ny4nQ1i`k#1YfsyOf8{
zz+*~^oV*3CJH>=#nN_9ZXD!O^V(n$7hMxV-1=irTvj(r27R|=kdU6mpaI5qw2(+I@
z6yKljY;SuijxGp4W10)FZD54D?5y!$YN*mnkM=Uk_DQJdSi{K@^M*T9NEo{y)}D!>
zJ+EDV2Z&XDnSY=aFBRZTe9qr}?}QQf?P)b@$>~u*3Duto7hNyvc225sP!LyAuTE<+
z5?{NO2KJlUtjUn+*(QKbtTh(Iz?RYMkkJ$K$2l?;3b|na(Kn!!@T_hdBSo92))}~s
zurJ<sOQsbJk%EdK2v8(`#eU|bQ@C)ppixE`gyE$v&aQ#L#yANWCMei?6*+STfiLVl
z9fJOLEJgC(A)0R=p(Hhak44`|cK@rF902e0PWeMI_VtNuA6y$}Cus#R$K!{NX=A~{
z+Wu3`FJ7~FQhC)f#bU8dFg+}B5pO_;oaVH{&-K=g{cNqovlk9db<7%eF)WOY>C@?d
zKkmK<zg{g)-VMEN$*6l3o3UldQ7&$7z#=HN$HxI=qV$A`E8&caAd58L<JZa!D$yP-
zgKrAgkz;FzWrke#1&Od)lV}re!(;`qhTl_R4p;A|n(KN5S5~XlZkcW@ay;wmYfl-@
zt-gydhgje2*|+pA<}ld?6$uA_abUI@PMVBkpD2jVCG;c8rM71J=CuLnq`Gble%7U`
zgD`=b=>}_BNaM=P3&(a#bT+e5=s0RrpkH80zPSu`%@{}rFqr*>5IR1UkbdXO`?9bt
zeBr_qEYkDIDM%;rO)pc-M655q=&cnT^T-sp*Q*F>LTqk8$DB2V+2PLt9Bv1=bc2Ik
zJ#Sfq7W<45*rw^80pyeEowrN0v=nDWZ0%tP!=wzUg_v_2k#BR9Fs~E$(k;BfM5x5p
ztXPBC2|_(^xjk85RB%Tq-C541E^@ihN^8M8i31>dPX@|Rj0m}Z@_ts%#j&e4$?Fj9
zHX}JCs57+rv^OqUUXNG79qVa@%P*(b{zFt;(xpS9P*}dF`{3EAdb(N4(|Uf5t1*_)
zV7Pf^f0QvtR)}QiSS%@C$I$2v^2h4{-MFen;2!s~CZW+#Ts!6Sdk^)yN{k~sa$xmh
z;|ath@~>UO;7Vp>xkT*M&3;ef3#PM><_p>vhx(_}@pwx7O0TQF3|H7aR+zyT-Up9(
zJhnlAhFy7tAEZE0mofb>CRSL&@gu8-+0r^ZKD5TJ7XZFJ82|lXX#a+|FTZuTSromk
zRY|F;A^entqI$j=E!uRfi5GNC^?g?5ys<_2F{UqjR6n#V`1HAH+pPh-=>5<d^U2hj
zL&NW%Qg`P=sRy26yW~Z7u9oPt_ot|*4}H7T5YK#QFg}w|h+;#1+C;n8iB5ft{OahB
zni<7f=5=lEMSGKFX+q&`$Huw&6e3%z3$I;gv_k<S`kSxe%~`SKv%NZz{&u^VZNRjt
zYq6@n_!sU;=0(9_@{cHQipYqX<|^T(pXe5s0=Kmp|6aXX=vZlR$}LhM7QtKeq>VI_
zt#L@}xylb3@GDXl!m~QC{8*_O95iBwkFC$e6_lPB82{e4DW%*fRvh%H8C(|9y8OJB
zjV=f$oF~WECDq8$&Fj|O4T=+|n!Egl`(xTIU8(p)=KM(c-mbr4;5W_$>Y>)86hz0@
z-RZ#UKlR>Oyv5KsgMz1xO{J!F=_O`5*VN+anbwuDd~#oQ|5ZAvG`9V!g#8a^<d*MS
zU7vR6v_{g<m!z4(`tPQ#_*XP000_nuh$lukx8}f#Ht1|$HBEwMHn1Lt!+ALjIY$k(
zU%c@LgsaYnm3>c8-jEG>v{y_Y#@KHhDJIR+ikgG$0#wjl2GFZ7&St)j-pm9jXl?h2
zZ3FPP*r&0QKnEsj4+{ncy}`!nWFF9#+sqf2%P=-#Y_dhJ_ee|0CM-wxEq<&wFll&u
ztjWe@|C0~2n8zgcZKK_Z_=9S7Kd<=%p!=!h^qhf@8akJ`Ns_d)qI13Jg2-jdepQM*
zKr^1a%CCYF?G_(r*SCw!l$dk5gC8!(&rK7V8+-C9^FFcML&=d@>Lq7S==^rmgF-p0
zqa+xU*O1lp!@~nl?Y0-Xg?lW{7mEx+?|NNRCa)I7RQHUL`{(m;L6nh(6CZf7^P!Kn
zAv<qG(r?#Qd#*rya{K%&-kbYU2JCgBcNgW^bo9WRw=NpKSKk}y-?iZT@O8GSyN!;q
z!_Ttbn1gAV(Y!Jq*~r;`3we^L%i772ul`-W|NqZ)J_DEQ4fhv}uBuK7{I~P2d=IpW
zTqeb&?pRuoJbgaElL?sR^{91La+MaH$O5@SX5|KP#cs*I85XE6cl5&Z=l21Chyb0_
zq)}5DWzmNLt7U;YVeCss1~9(UpTCza^gH674oU&x|9K3$D3Dbh2gHub#R>9;>$KBC
z#RpP$&q!s`F)YNo?x$GM%9;tzW^Y>avLrLDv8iQ4ZFTN}ZeU}wRuhf8G<Ts^^%Wjk
ze{ufabl<6}cq%vgpu^zC`^}~I?dB^CxV?+i&lco1&vNz@-iQKEjK*RT1wfXq=1h@{
zi}U#w{wBH7&D@`9oB?klaDFCPQhtbV9u?ZNZ}8=IJ|WRJb(oWc3AI3S6<qG1@ePx#
zU5YDHWx!0~|Ne(#v9eUbMdFT>u07z7NM=n^qzsW<a(gd3$GxB@Mda;mXHfvAmexB6
z^iM19+v@b~o_d)<z51$m$Ur)!6Hivcnxll{kzn-C@&}CE_byMSn%|Gt^ke`oLnMZ{
z!+JxI)P_uDA+6+|nhi#kT~Pe|a(d9$n8w~+c!c5836J$%+=?O7+Q`@MSou~T%k-DT
zqj*-yJAOovB)_)rFW3wC159<pLpEDvY-$jtw#!*=xFYnbBdp1A#ep81uaY{qBFR2}
z=H>;XE7q(bs%4m|_=zgX`A1SmOKYT`$AG0k6aMo|n}BfUK&;&~URx@^^P2hiaf$Pq
zAT8v*-cW7QkgcPh*?O<W%Y~2nH(INy#it;*x=ypa1!40JjL#KI&ZFL)z}j(6PV!(?
zu7oK_^40-sf7~%D?PaJ;W2ee_O)uukNZ{}!X$pFbJqvn<3QH#b`k6fR9eMP0TyWb%
zhG4!$SzPF)CW~;Ev=OEa9bp?gI{R)g-JL``Hfy`a%Qc7DF83iQcPXrM)ttMT)xAyE
z{t$5@byUDm+g9Rj&}rTbu*9b)FQiOA>TnvpzRsz_e@7eXxSo>}lLLNi8TE46V{ssl
zwpC{F{Jj?~6;#6KG8)-}5Vh6J7R~gjf=RPU`$!A3DBuPT_n*5R`B=ZNDI3Eq>oX<l
zsh|hLVuL3vuy%H~$Zg-`6R5s_53OgkCxE`lfYt~ArgixR>{VVoZH-WhrD@A%Be!a*
z`_{<F@#LdCi4CFGqk~+plg<_N1$D6SWNXXHODt^}vr$s^@kx#vme0K4yLrvZ({&Vt
z=j*sMdO`A#B~|{N^=^Sw*o=0Bw`i6fcs3Xib5wLgE<L3DQ~0S@r`R&ik>Kk6y&z(7
z6I%3LFdUL#JjFspAhMA9j!q1^@<}X-RoJZ{=43qnc#2YGfg(}92Ks#!&wl9TT~z~9
z2L_zfF@^QjYJ4t@t}rsiw>z86#E$9gR-~9(kAgpFNOA^n&p^Oxy)%$%c$QmU9ZXM&
zn`Sy?)}M%CpOYp-LZZYo5Nix`8qqNGf2%OE`s^g_$p=$0H#Io%sQ!^?pANBopo+=f
z1%!Jm9(qszrz^JGD(F8ne~BgsJLXG^QP5xSSX^#7e@g|<%eR#Y4vMmu6YHt5e1F?+
z{r`%xzBDFK%ox<LzA<TBW_Gv#9wLk$jo(mis|FRat<>uL2mB=c{n8tPX`n4EbZqfb
z@k;fM%`DZ`F|=OD+TRb(;Cwgem@qv-m%S`0e?C>GShZTt>C&tj|4*nb?svj<q*I{P
zpD%e~H;Nwzi6!octvUe=xKLE@q}mPrx-*CDKvOeL-`JdbmpP!%L}zQ-!By5~W^YNM
zOWjt{^-zH_-Nq%s&wn#!R5EpLJe?c;QHnkiF{du6hxSfOjAGvMjgXCbjuWcm*~;HH
zL-~RCNIjbo1wNtexgHIrB|7k4%t)!)=?X=l6qR}EUo(<#E~8cZ3R5et8OJ|YL-Wz~
zP-ho?RBML!l($G$!f6zF+wFf<_VPLl{%r>G(-(m^1DR{?lp#@H*hm5hw#Iq2-cGQJ
zNfRN<I(ZH?bRul!f5eMTDVbl<yWG54L*x3kNg>F?=Q`$63Gb^-j}>CyE@LNJf}};7
ze*tNo>dQL9cN)bcYVzbmA5pm<`}x3z`g8j(M;Ctuyg~)n#PiGDX*;B+O0n}D>JA8s
zMK8LJFK>1U=Hi(4-p$w|DS*HoY1zjrW2U*bfBxz~WrJ(q|F(8$m6HC((w?tGtu){2
z0N2CT=e~Pe2W9vtIqtXDrr9LLm{eOBWmqCbg~yTgLDNN}w^|UFh-a~c9Id>X@kN`d
z3RsD6!>#&mEn~7jTT`(vRl$7m8d|yUr93c$>N&1fl*_*ny^edu&UqbV1uQ@K1!xBj
z0=tl~44lskxspeu2KtIkll3Ng8AZGx_2YBw_E`?<mz&LNn8K65?g$i&ndwd&E*UBh
zvQdZ%9<qK{W;+5Cq+(zuNd<UKbpinyDXSh#un$brpZT_z-oI%#-`XPz+x#hT<P%`s
zc*8D`V3rTFn_hRKgWH*K8x3;iSV@L2IGALlus&<k+n3g=J0|;?IbvE-ts~X-qm^)e
z!f}JUS?$q>M!H(~np3CIRV}HBYFkRLa3v@bV1>=97+AVw7E5K4$iHXID=3CobeX|9
zzYQHOM!fK_^=KoE^J=yrzBxW<AwD4&3x&Y7_qgo7O`W0cVw=5jvEar64Pfu(0Gaya
zR!aR6?t!v1@554DczC2Ev&{=u|Evizr3$&BGnN#yq?H4~-5*QBN4%9naO-^@+FA^W
z-?a&UWR~a7Vsffqw==VnIL=tAeqnuUiy!JBnVw%fbNsQ){ro1u_jI#&IQ6#O>gV_D
z8+bqqaK*%Ry=W8!Y>iuF6E}pT$sWBz9U84Joj!KQ%;G0qPdOxs>1Wwjt}ixhczc=m
zB-k`;1Pv(*{lP`7yynq~GDd|sv6|9_sCs_pg&Gjw1os2k1+b&8l<F}j&k#gqCfD%;
zgM~TKpiN71NUN|ARutI6tduzM(5sJ1Ft&T%W!^)_G$q}Wiars2En1{*uZQr*Po|EG
zCgsp8E4f2l+7~!Bg6BhY-}iSZu5m8Jv}|scnbWONJ@6MuRKpE;oXY;0Tx_gCV&3d_
zcj68uOns@rZ2(FZJrir&G)BGPWKKb0W!K0s7dBG8*F>ocLv$Tdp|4(~S7}Pkf~M%)
z8LxoLh+@U0J(I0XNGc!gXwz#dWFoNEDqi8|^Di`!lv9Gk*^JahJX>bXoTra-$-DA)
zuJK((UMGcv>1NEwcGb!6z7|`1o9$0FnDV!EHO$TJ_R92*c6Y!?Ugkz?&F=bfi*Nyu
ziJI;38~9s<3ey(G>fH4XZVcDb?g0Tm5{9oVuA|tYON|*LRbFEaSg#(VFQtQ&VsdD*
z-WF7CLDIdbtgXmHZR~LM)x8J3x3`7`B+cB^2KB}BxA<vSTC>w&_*u6HD5!FNyisdO
zqQuHE4kZBI-l8Ofy0;u_i2vCMUC=E=ql|6de!s<!LaF$lhrpCaRa?{b?QxxICaVNo
z{cEh7Ty=^$Ru;pRfp(u${c`%O3I{6_3wi$&60sL6a?IK;9-_mHRXOi&{pDfUbpfmz
zPmJWHJN&6IS{fj6fo1SdIq%wAbzL#IYX5;2QOfQ793QDG#~LUmCu3O+IIFRNyw-a$
zXT#_}OxUp?%{HuXR+}9&IOFT=p#m>500FCqp?;8Ka<Cm6Z4UyhUR9QP6ijA*E-7t-
zCx-ciyHDLUZ_#wr8@H`L%>@>1v_*A{7OJ1UNS9>YO4)r=;s<d3$Wnd5@Q~{<JTCh<
zBaApv?6?qq7&*I0j|yn8Jh=@{<`0JX^mW=Ib)-IChK<9&ZO<>33zHn<4%RF*<a}z#
zx*cjzB|&v@$BFt(B{NRRj=7(YyR^}hrkPB7K!9I4^F*ITzHcLavdqnZtR46t&T3L9
zPbUArp88wFOwX79x~~4j!b5)TN0sJKESgee?Gk%War1t3G^BBpAe@Gzk22K|RqQOm
zW5$5LSmOLhteZW10iWEKq}={dydrpS@3mb%b~NUJ746P1>J@De_pEM63GA7|x_#>Z
za4@N4ffH{{i|q5EmS&CS9`*h-T7nByLIckRha8>%-{asC!pcBIY6X5~BqPBT9f51#
z>(>RaVPrQ$)0~_&+sx(Mr4e`LZV9O<g&O4JGi`YZ)A7^_+%5`|)?vsNvXr2%G5yNc
zGXnC;!}9I_!%15c&Awwb!{b>1lBd%Nn{Qr26WFZy-nuhah*L1D)8k}0B|Ur`DKJca
zMkKKW14Lg)+tKz&fHK3wq~{Ks*;lPNo1Zv)Z)e7W#%ZO5i(G*wcsw-F^*6FK*?;eU
zBa+&$M~V-(ncEyUF^9hPcb9OzpJohe{5GuBvDo(_k*bN1<Vo3~@!?FD8IIyqCv;Jf
zB&kdeLl{9WrQ}`~W6tRJj{cP`>9Nsq(xXkj=iH~umF$YF6vWPBXHtJ6om);p<^t=y
z^P$MU-Gtv)Fe<wLRyOevF+p~8uSvZJN0MhAe{54;T!dnsPv}n#8x>b^>xh#d*MuVu
z4TtU*&;v#LQ{B{x&z>OgmBDVl;ddJK5g2)bCLmR~xEWCMWY`oJm)q2x<{m-f`MCRN
z<k9U}*^7oRVrtBL&vI)QhtnJNVl)^szZSU17|oU&RSIWtB!PRIKB~El!b6sYpNyrg
z<we0^jp;rlx+Jv4t#4{wrV;ZWK_kP+o+su)#PDPU!=GUh<hz0-Wex!=uHNam%=aH(
zay~|nib-8+W?inl{9+z&7>m`Zrc%$NM7$j(NN}ad^K=2jE$D<g+xHEy-2Mi1wjOI6
z&3jL*8|U#tM#sUTUOdvcj#^C<G*tK>^;HNKo*axb6R@9bcSB$UYQb%PSb#zj78jYo
zZwd9%)VB*qw<4Muy70X7!`*5(@9AdoHfP#5JSamae?==-nYE6tj~!+)>*-#F`fiKw
z^X6AhnOT#zJiU@o_yM$Sp(vE7w%~JeRO?4<Rj1s9lcz0{(Q>&R*NvRQz54pfO(1ZE
zZ3yX*?0hd0x)Kd*1olLgLhWzXU7c<xzFF2LedrVJG&C@b&0{Pf$%&E|w@k6h<VlR{
z{`)#L^>RImbmVi(*@kT+*n1&1W)&>%<Tuyt?5Ii`Rd3uTA(AEf1oIoGo<p*$L#Fy=
zPKeCPE4jM~{$C&Jx-&gM&*D-RF<V6uJDe+e4K8D;Y?LGL#pAszi2!5bQb0GL{e_jd
z-=2<<#^jW{=TJi;gcOz}R7W?AwYQl?b}MniL|FOF&9Bu_LiYtd-b@$DitCU4RR+y(
zO7Q48gqH5E&nV;{`<Re)D%N)b7H!WOwP%>0K7U7LQv=h;Lroxb<HSS06ISh8-BvRL
zU8R7feXSsxU#;uhm;b}@80b2=px-D!=n={;e>KgPqx=LO(ku$I;t?8afL*>>2UtW-
zu#lY_{h}JXiCxzW`*NyOW$fSJZ~XqZuBOR;Teq61Lo<zV5QZt*hc{Zw0Y%#xxz_$E
zor^a18S2>9^^x97(8&C@e(dT+i0sSdg<<IUu#yDrN90`lWl>{}Ta^LKU{Ql%=j)k7
zdmY9F{KC>YB&B^%*kZAir=eu{C4u-XlJ$kKHjDUAhX!d~`ZnYAc3pdFl9R*DK$8WP
z_u764x?EmV24iF<ZNy4w{Qg#LA`xz?5I6Y%EqJVTuyF6|>HR%1eDl|Ax17U}*qGV#
zKOq|z!uEsFN{PS6XxD>Y1F`B3wjsvD(^z2QaCT$_?yer4sFZEG&c=hU);AlC5j3at
zmh+qf@gj_SaG(LVbljDi8`sD%MN!-qV)_`3eJF3{N+4*!L#8jfZbes7s>b&>9lNa}
zr3XWl-Af17Y=|qDo}G1iSI+w>I<(;kPH_7zwp2j%7-$FaUDE|lehp=|bFvLN&5JWq
z{4p${Pos?t;(=M(K?F91hrtg^C~(zd(n@pFt(#wmql0cVk%66?<SCIIt)v!Xp?MHc
zQrT@P14qkGioVZs^luwLv`s}FvLq^ve_+FSg%gyy-4raax~-i9a+pQh%qjl#Hk%Mk
zxacu)altgZlG62wPikv&hEAK!UcDW$<z`A_+;QXF<-p#*6)fpPO5KoSM!+ZX9lVS!
zwU(Y3DBYA}B=3-WcMl0PgWBR52HVZ_Mf&+FEc&WHb)4nRq;>zKkK+#xBhW$i%uPxJ
zf&PF6xzu*%7c;Bea_Hu}cbV&!tDQ_j9*m&IX{fnpPPfjLG~10J^!J;rIFLW>|8Shy
zJiP!jy^=znX)hn~J-x|m8=BYuALjnDtF8C@;)RhyvC`sBaSQI=QrtZd+=5H7;IwFQ
zcPp+5kU(%~(O`k%5TwP6OOZn5dphoSaQ}Z}oN=D-F|Pe&?{%#;*PNdRAcJ4Atx%w`
zJ<y&wR?y@0_HTdHlvp{_6Zj_`=;~@h$x`$U(3n^ZJGD-#CFS(g;vc+7-^M>+^_Sky
zS#3V9QAd9Rt!*!^DCEgqx2c&TnF3p5g2~X7Ga`s(sx@G(`qR;rs}3J-^t4aqS3Zgf
z(Cx~^PL0J=K0hmB<FRRi0o|Znj=%lCQ~lN(L_iUo)Ja0JEjLL+FzU$BF=fHIbhTT6
z`+#A6Y^01NZ%HdPxrAq~P*$ZkM}OXcq4^P~4Yg;#1ztp1H_8Izg#Zd&ug_!G-!UvB
zcRCn7C#y|Ur;~WyEa=|C^a`x(^ayn+2fUsH2MT<z0z3Tju#o79MNoI-n!G-qdi(tx
z{zRLpKAKBi@5M`({7-Ux-?Bg!#W4iC<_ttPimT9)dmht~#~uOCbcfYeRrv4xKF`ml
z%L2BFv!+6!=LmQh_^4??_0_k0>$*Db!Ksv)IIV$FI=~peCi%#a&EGOqN{?T}%eoWF
z<wMBU*Mcf!U+?t%+V~7w7#o+vT+IHfC#_IRqfKLdLU!+c2+Nz6%2x}4AJ?BUOYd$q
zCh#&BP8j6^a>GkZw3&;R{5X?$rvX`cn=^V4r-S1zKk4kO$8Fc?-kb(VMWsfEyvQjJ
z>?>Vp=-$EHI#u~XzJ6-S$*UFtzb4kLbt7v5=!U1r@!rNEaI2`6{)?`%mZOZ<iq;=R
z`6muzyfi}^4+A4z>~bQ?e1?}VY5^=CC2@^_A9=h(ufzP%G4(ls;5bNQYb|Min-l!~
za&OyRM$f001x~uyPwJt_1&xW!iO;rREeP2Sk7VD~?3R6%B&16nd9*hVRh1w#)Z<Ir
zW98o=874ovYwyI%+~)lZXQ()IPS7A7W);mcaN=U!r%c)5qXkY}-Q~8Yw~Mv5A`-xr
z+1AxleEz^^nBYb;x|ZB2BJUKvcZTLmpz8PEx$LjCI7i6rImNGjl_k{uBPT_ETzS0~
znTZtbDoT3ESkNUvFdSDSVhQF7*evk_EooHW70;YD9LR1stU2mI4O7fn^ZlK%^X~WQ
zKM`(wFAzwHGx+*n9>0YDPP12!2yNzF*|eZHfzlIo^)R1hR1IFOW2OV0tg3Tj)kZ4$
z_J-_C)?8Ts!{VjvMx~<;sTI%<t}W~vUMJKN_o2r`dQQd`nD;y$Wz<mOqPEu36HDnr
z)g>^#vQX-^XA%sNtvDM{8#(Ts)a+y)_3HIY>SN(jJHM?n#2Jvmy3JtI)8|wVkX15q
zmlwu<+~FIKsE5%9j-hjuWc6(gYRv4OztqIlaH=WNX|Z<IibOyt_V}SS1$fRArty*o
z02a@D3rPyEoFO;iXVT<%o<deREPjrXFVt$KSxWp!#+3K_q>?n`*W{Xg3<L*iOdaG&
zsMT2J?P3m>FZwHaR$F@YG=O3i`4bAtRktdRyO~_H`{>!<(Xb5uH^vUHcG0|N^o7k@
zFLG*REb?+Ql35yP$qbBA_p_ug&n%iaV;?J(xz1g$vhk_$0+TaO96v`M<P)kxk&~LO
zX(ScNgnn#{`3;cXn*j;Xop+#aTqpvzT5QMW_9>k1Og%yp*KhS`|9#%L1QTxecdBdk
zoTb)870yxb_@~N5xkpouw448+0?he1buF|fm_W?E$>(2Q9f!~0ni6hj+LqQr0vG7*
z=bfgKONGljb8Agwgh+51Q{7Fx7&|data_A4MGaB;{$_kc;Un|OKLaYOBDq;IDT%(N
zSs=!{H`gmqOKi7C1Y^?F6V7PPXcb%d5ACrDldvw}A)P)RRQuYTw-)cEHIYZ|wB-Ly
z&Mj|9uL`r^HF+2DS^9bwdzP@ufDm}9S$B?`nU&8w{EKY{^tU@KNiHT=v2~I6Hc^V3
zY?Z%L4l?LR+*`W*_1>MkCCQ}PL~}cb5A0rQ@<dfDCPB&G*wQwqe_w=q+&)`N4TzG-
zKSHnWyk{Sh!*Vq-u8cTN^=kY<b4pPK#UxNoJ5DvorSP*=u@)ZF_qOrRB|$zJ1|+&w
z-M-zcKW|)b0ZSgtNbeRRBme*6asI#bu*b|SfqSq`AE~y{ctJG!EO|U5&R+U}ihkkO
zHM@sKcb%h<YsT6S^Ki$Pl*&@pg8t86n$tXecX->3)N5ogOLzEy|6ooSieZ;^*BUf!
zO*J1<e?dePXO&SsBe6fdm|3lr*C!Z^$TFtM*-`Vx?0>|DvY3W**PGLmUY1jD+@DrI
zw}gTO_4dZ}IV4MHZ}6PUYxXmtr7nUpE<{K*T}lNFl>$3?G3_{%+BIK)UfGn7XOqHP
zi-$1s34QZ<xWU?q<1pzzXCsp)g?mj$m&A95Jp4E0fY%F^j0C5vOql<$YRnwbUtt;D
zx|w^+tQgZ->6uFKs8IOe(YDxN$9O-tB0-#oT@=<^>67RDfjZQ1(-6J9Vj7BX*+Wfx
z7QLcBVtwbK2Nj2;YQ3!dyV8weaDXD?!;5=UHHcZ<ueR|JYApm^g6j)WpLI%VE)P~F
zfs~YjM%d(Lh74)c99a&((P!w<+s|%%nm&?i;&<D!sr^k9?7W?+!z;c^kwEL;83P8T
zJsSj>8x|h}R&#QMnyN5!a1$Yu+Ep<v`I8c5QE8>Og8>7HCVg28X7!BvChfvL^Yn{(
zW9-}7{YjC$C?`MT9zwUJOmhjp3e3)2KeUl@osTA1t#mR2^g_5TA}Ks(5#1D&Yy*^}
zx}{&Q_v_ydsoO*@G|q5hQ?Q7E%?DNh5Kne@#>?>{jU4TmLXOXYAX@#%bcrdxpQmR&
z6fVaTSB0je$U?HA@u82Z6H)jy12iVOG_GISSzp5=;b|GEpFttKO~&lweM9Z8a{kso
z5|V!G0r)-BOPs&$Inwp=@0lx#Zj5dQOu;@`m)mwg6O$KZD;FP%PfD8{yX#0#{Dd1l
z(Q#&z^QH-tN5serU3!g<76OS|a#&(xI}YR%iEn~Dep8!qNUrMAx|o}n>_6NEJ)aQI
z6>$#)IT3zu9J}?UNWpzy0a_~s7M!xG2H;Ge0^Ls>ac62Vba9$Vc*Xt-zZ$%A&(e70
zs3)2eDoxE+o4sv~`7I96E!pzuF+xv@#tlk))p#RBOIv9$x(UW292{Q;j*UjYbH4f=
zGHWI5)%tOzr59j-D%o$c)7Q0rYg|uLV2DGZ_<d+pjos?_Ev3nILNB%^J!e(?v-dkp
zxpK~juhkq;ovh*BCN0UC{Pil?c`jf`tr}2nyCj1J2ZawnJ?Y=O7BnJp0he$NDfURE
z!cS5&vy)_>aZQNCG4kzKGj8N}W>W~2P)nYb8NgQZW%u_14fLg`IDXtk29w@+zgJfX
z00VX>J9=!n=y!i9)Zw#hYd`2>&N%sbA4f@O-}~5FHnpirgQ*n%;jOY2x2cK;CZ9^7
z&eNw$F*j(f6WL!&=W`J^UjCb~27T|wFb~Ovm0c%-7zZQ1o1`W(mnR^s48f{l=JwpI
zAv{BNVqB#yN}ScpoT!t)WX_3=f(h}rj$f#XqVx0A5P>CK`z3r!bm9iLtmO9ZFVTW@
z+RxJK?$py!|9Cl^s*8E0&Mgig{DiuqtyNWPMvpr&YhTmMKgu4azKDvh#_9Tu4N?ID
z?Io$)HQW~x{wIJc7c&urd)K}2#C2gV0!gZ^&^LzvJZ)syctHXw(h}cY@YW#}s4;<~
zDC<P4jc;!L^XJ(0xrV(m-LeBi1Vhf>H_HIbz8+B4_&MLyINHyTcl0pR3X&C4>gZ#9
zb+CBLRQN~wN`StS`7}5B@Y!)Ityhoi!8|U{m+X>mo%%M_68RBvXIy<@&S=-_Y5uu)
zjLgw1?%piO=0UjUAKHOW&78V!f$t)al&H4!nYG+)1+~XNZ4a{qCK<-)$P{ihzGfN6
zgea0)%_(at_BPJTOdHrb2~TJdQSoD72-RQ$W(vi?+|@5-YSF6Hdc0uw?ps(@^%6vz
ztA|o;<u{g;EeSvKx26{q0od^GXHtE1o#p0|f*2$ekA5j|3~?xwZrP-glHSQa!Q~NW
z-|<my)^%LdA0KYGm|K2h*q{2u?uGHK(pU*SGe8DN$FF8tq^Kt5_*-V~%4p;xB^}p>
zTTH&@(`NBq3-;?!CoSMUA98ktvRM>KDGsEu?4ngY3sUz_pF{hB`Of%1jE{s>FHs4B
z+!#26i7nKq?qcOB@eQ}ho&Znpv^=`5(p(Qwt^7;)<EKg07t(N)OfHht&Hh|zZ&u`>
zi2t(Vli!&Bb6BbTmaYV}!i#Ctn8C-^Q|}DlY>xGsblujZdkKL8Qx7L(uh1wN3=J!E
z`&UP0Q&6=iIllm-;BLKdawF^>6ate;%a;Di$>BkUE!q}5lg51M$m{KN{dNk8XL67u
z%5TlTVu=C6zX>zGIbgwMi#h*vN)LfGw)TE4Q?hL2W7U9`Qp!}PP_{5)MY%ZHVU1=o
zQb;(z_(7GUxX5!b-d0P?L%=2^LEp-pl~E@Lwlj4&x{_=9-H;MGnP@g?$$!AhHxso)
zFGJzabyLsj-3xQZmuaJK`h_RGTnqpPs22f@f+EG$9sq5+UCSYdBgvIh4h)x?6?UPI
z=&ry_tC6kyPwauWlW$(Y6dfh*(5p^bH<@POSFg<tMrlwiVTssj9&~>eSMU0!EuDRK
zC6{fDsT~V4D$G2U8O7GLO!XMp+%DK}U?yM0d>9wUKdQ^d&ENRDisruUI+T%C&xsM@
z5f7(oN=25A^c?F(f?c(1fyaTzCG)*YqwgD!rwdkKra5;6UlfG9daS{NHi1WDpWAxe
zzOa;N{2BRmZ_?9j<&|NcW*#5ydUB?UaS!5i`b_y&d$s9b5BB&d>0KGj4)!zCRAXR;
zf<$pB{e?^5J6XR{@}{izKToKPHRH|)-O?Cqa1rB8H1SE13|j@c`G_nO)2XK%k-Lp~
zs-Udw3!hTSXr-q8yz=JCcQNNV)eD|%e{+iT_6@a?OS(w^a++H5O(ENS4zfI;Ys9YI
zlvleZZhw<R)2?}nhf!OlDw>KSTC(W=!KZ5&O1)I=q)E}}?_qJuf8G7EIc{?HGK^s5
zONVs;lfT3AQPcXA8-9h{_0i})CEXg~q-ue-QJ3Xq&R*g67jG^8me<R42S&?+-?Ef{
z^$%}h>TB*HPMF9GCD=;J)-B!|Q(E*qqGWr5Gc3<daN^|LQD;UNJ!t8PmFX`UCCx&}
z@_8a!2+eiBoOXPt-Qo!iY^>3A(kmNSE&Abbyno4EMmQc<ZtPi9V|-vX@#6YED$&>O
zRmh`nXc_d<p7VD6lTG-_Sl{v`s?>d<atquPWfe3ooTn&270)Rvv%^W(=40p*YOtK>
zpkIc4JBX3-{&}hPoJe?N3I+9zS4AM^Q^Z&;Ij*<(M0OHWc?%Oa82z$9d%y}8+xE4{
zYf+tn{G{;HigmZ3M%B!4h>R>VoIl_s)s3n<1z08b^Rc>do`I>N4%DQSO)c##sbJXY
z-Je%<{pbrxLOb{9V2hXCHbWHqJrd)_X-`IR+CmyupywLyj#y?~aiacvev9xWz(|Ma
zH=#)5U8m`;@UV)^qA&9GwO%$%THorwd8{k8uG5_A$^EeYLp6?yWE7$~J>VXz-<ZBX
zC2V814!8Ws^z%x-WA%7-H={@OfppNuk^{$b=smmKlLWz{>;JG|MUJnk$e6(Ny2+p>
z85XO`V$xmdx19Jo16`Nwybk#!a?~CYk%hLt9>{K6TiD7<*4#pE^%&c2(@1(ZH%}$!
z1*7mVN$4-xli%GFAA?cMG81LA;HRZr`#kAV4BlzbG#RX^p4KORMzmpJ(FAwwK;8L4
z3mqho1E3od&zh7`qxmErPlKWCb$Yu;H;Q-U*9oW#`l|abqOu<ZBf^HR+e&myEniLo
zY_12bChS+Kh$evEg|lgFf@7Vyo->NRSTuCH!WvwMANR`g_0qN--uaX@_e4oJ0IGo)
z*i7|7=QDH(VdELS8Gr6Rgy)4U_!W{Abrr&L!3vsS=h-%ze|>gSs8mQQsV)(M&aN%V
z`v<Qy%um}szRS|pAh`fFMq4XEopwdz>0a=ypANP01)noGFgT9H419G)y=y)Gv73vd
z`=haJ`F#1iXLWtEN1<ri!OSkG<4dLH%Ta=B3bFX}q(03?v_Y^AwUi}x5+=p`T0nT9
zHXYi7`Q<eSiPU3lVBT%}5)RQLUpu<zdzOM-qAY&2Itv;ohnXv~jwsV)<x2~owdG@^
zuyoj7PmT#n3K|iK?OFo?l1<{SmD+YNt_nUJ0p*H9ub2-;z3~h;PD-(p7#;pajZ77`
z7IvhOljNe?3stHh9`zA?Xqn6~!u)k3hrOMv+|YYVX7UULZ@5#pTs9q78c8Tln}N~w
z__AJGK4V*)MHN>Pb2XceFf(1vQ08*+oMo!~?7ymlG&~tv_da2DkM3`6x_Sdwcz`MP
zr92|f_||8n{w7fJo#Y5t-4<Gl7Dl+T?eGTptFo)-@;B-n{3w1!y}Rz%UQLVBpAP4V
zjRynyNKw|IGd{d+Sa;4Q){7$BQdJ!z(Wa))*|1j;7p-!sR4CSf<ZGtrz7CBiopD%d
z5W*MM68ryQS&IMTbg{`!iWgJ20sUTgt4cDBz5S*|QW)X;P0eUjkk-GWW0cr*&T?bQ
z+<z^$R5k~>Uy6!hU@DtAig1S6l7a?S)eD#65KDgwUs<P-IBB>s1z}zL$4gRa&>7gI
z^KxhjH_e|m(Lu*aY@pxU45a*yDanT;VNO3JEOe`>Ru^Rp<30+GiGO_$x^g(xAfQSn
zgJVW_bIRH=>8E$=Wu2cEP39q-ykLhhBg}sL6xzODZ}<9=Gazq#s7lpd94_9XV6g4B
z^q$kkPDGmo6&(zofcST$vTXBEk|%ttsv*ltq64{cg|x1o2E%s-GdlvoWVv-<0nx9-
zl;D8s`V=gA8&i`?a%gkkTnKtTxo?xU>yQ-f+_C^T7l3pEPHuZ1uPtN)77IpfkinVv
z9Q%|i{k!qB_UX1R*6;FV#4c!eQ8Hq~B#kzG*^9o$HlAECuUvO8h{cANtxcfKa(Qw*
z^+6S9OA(2gg%<gGlSF2W5_=qONj<^dy=Te`d5(|F99{-G`&wAng}jn)d4tGfCk$SP
z86-};(n@>7!vA`)0W_8FMIQc;a~i1kMvJ*7glq~%;IbY`q%8UQqG>(N(EfqDc3K}C
zl3Q3g=!SOJgjTG&-an2;X$FlAR@crd08wV9E}6Qyg}a|iFORuYoFc!~7u?aR=_!=;
ze6{v)Ml8H{Jm(L@1{|8_hbdS7-1ZVd<Wde?+gD+Iiin2DL}2}6G5&hjI{ozARW?sQ
zHB%U^0ix2Iw$ZE5Ckgc&&A|%2zH)>Ahc%e}Pu;9?%Zqk$T=DK5D@imQs{hq0Vf2(*
zE@Q5hB`k(M=0Xaijgp4^AO46|++QuwqxOGh+s>$t(XIy1oG}lu4x7$+LyP-7q62Nx
z&-Fm9wt$&%Uowb97lX6!j|8l)Nw;VvaU;{pw(9!taa5aRg@*MT&UEitbs4r_Yw&MP
zb>A&+Wfv-`tB4D7G39FKV3)8s$WQ`-Z+owvP_(j}y=1I<eyy)vr~VfHs&m%N`gIYU
zY98PPJT&sRj6axpvII#5<Y`^^QW7wUe#Crm{MnZglmXq#%z4}3#uA}Yd}yiw+k|~t
z(=@bN5d|}$OUK&0DpaywC6VoMxjfsX3eGkyD!(k?_wK-@Lej$bEbJq6UxLhiMWcI5
zJl|*Y@r;QRiw==gtfx(a{Co?QUucX+F(l3A055|yVbzNb02$beep-A^LuG0|95|~I
z3*cod6YQ^yrN>#P>e_>Je05mbtkTt*w6;s#M!lpkzAwo_ouh*DV>Ht4=La$p8!fAE
zof7=lBpcYmiMRmTo-ka8g+Q;MUh6ZI>zA7)KE2c<e_;2)^2isHM4S|ka=0SMTteKS
z;%0P;1pJY7e@0$$<1uDv0kPZXo*$GmFC=9tA!ulqEQ;H<Rv)cJi6kz6t^Mq=BO861
zTRi4wp<udHn~3Mq){o8CK&9>uXVEoG&Y;Yc+|2=NPY6haMvdHRE93uRg=u;^C{p&W
z*6ox))H&tK^GZQfF=l*B%>oRV$qHRWMNq8UMgv|ZF0s^n+qjq3Oz+#adppnEz$eJ}
zmcw0!7wwjOj%8|GftUNW)&K&py<ErB%MUP8BGDQ+y$Ke_=O5sa$b+AS#)q>Etg=Hz
z{;4$Y!$JdudeT@gt|>bPVb^09m&e4}Df@4nl#<~l#2`2XB&hr^W#k`Rb~UP-99+Rj
z;27vTJ&gDrH>g)02*16qvw2WmurjU2b@8yyZ`r#!XTbkx29`4Y)f37YTjF5o$Px!t
zO_%5wNqcE5Cj36*NB`VLQ=VF$`1b;*@t(pfz6jxO@H2C->JKZqI{IQ1Pg3ZkUIqtj
zyD#H2W@&zi8^M}ZAshF!ipvJosG1<lkH;r}xT0`oZr)&PQeFq!yRHKi-o$h><a3d3
z7}c*Q=7PaI2dNp23Ewg<1_bU^Iie(A!8@|AW|;mjoib%w`&QD1+d)|9FK}bJ4fT2u
zh}eYcEY3EGD)9pCcDv`Y)Zzx*^8Ix4y28w=BJL%0@+fEOM2Ut>yQ+wgUcLcr<RVqF
z_Op|DovDW9Gu3HCq6&u?AKU;UTfFQaqFeB^O|<g7BAu|Gse^;Ou|DJl>1cjL)P`%b
z3~{w>#wpc4;x%U<4~|%?M)XmO(BoRI*rN#9vSIZqvZyT!Z<4q5T<immfz#AUI*w=_
z@7rNGSnx9um+F#Hltb(AQ|kt;xvfBCU4Bl1eTuq5qV`c9VZ4ls`2OqM>YwV&)~^Xg
z_hUh-hnn4`WVO3#N2)x-86?#oR^OY%KRG4Jh#VfMk<!L<lQpExXl||{Br*AIcXel{
zOb#(3kn;@O*v)CK#iU($ORCC#HMBP9Jzi-rHXm-WaOqtlNt>{=cGq%{6G0{!i~3J^
z(C#|pYE}BJ<bJSK<BHXAAq(^a{{JeLn4YAKU=A=(#U+!*tXNibUPAqe$f_jDfq*R6
zXkx}G_fSPX^UH@^dK05|Q~R-msdFqj@9KspUAt+fP5<Ag5=wk{)t3DCMg6P$PZ=*C
zsE`j^hP#_{k>%<w2QFq4le3)r8*SNSFh5YK?JJJw8%)?FYc-#t9|J*r!eKPRRklC6
z4y1JDY?t}3r)^$YLmz+ql0JqMg}q7$Rs4?Ri@k8_|L_Gbe}<UJZG(BKJpMy|zt-A&
zn`Y&G;jP_`L=L>sCs(0_eI159b+)t4Cau7kS%i_BtD2*D6>r@6=Pr&KUWemg+1pl~
z`W3hsIM(Pn@0&yxUs}rQZ&r#6k2NzAW8W5AewX@QIYSQqYU2WMg~;?3#mH;=()b76
zd7P;zPgKo(B+JUW^3s$7Q^HMQS-X*d#N6HA@yyydeIG-17(3(yPcCJz?MJ{F@=lw#
zBhMadZ5kzt!;6M4^z<&p{u%U6PuI`3W{>4bvf4@}#_aVxI72;nqL?v=%WnDxot0gc
zf&%SV^gg*gGY^4oaDyW^L3_8RMFH=yPo7@ojUD|=9z&nm<Z2e&%!a}bZOrXyLB$|Z
z*F3Em(F_90ohJ;`#;%S*ULBck>n6JSj>{gJwa1v{g%;0(raKN(4VtymHNN16cH^Wj
zbB4TeV!TlKm9gmca{)ssy4Us%9+V*A2ICOl5N254Uqkm~(>CjYg{2<Nk>k>aa;(S&
zNEwq~Z)#dhd*P~Jl9H+&+Z*$?_rFI&v*i7a&k|<);7jTH{LZ9Ox=I}qS7$P<65|s;
z+6H7fLFC|?LofUsF^!VO6t;ND89LhYGG1>A4p}qj(#+$&Dt@1zzn%8#A$+-)Mr<8J
zB>Q}4F523(yMuYlFGIqEa^SZvE3JY^4=)P+7OPv%yot~iB}<;={<zRHVM`9BBM$35
ztau)7B#jwq>l@aOBQa1}&tAz7wz8P)&;@eyb7(+Jap1r>lLg}4xBsvvPG)Wp5*F#5
zhiRa=5St6rMyS~$<Kll<P7O?{yNVMLLLq88v^gf>$83K_S2Dt`{)LgW&)WUP6Q|LH
zH6b@^Wqp*vep{lq+5gtFzGQy&A6{|6-EcVl?a1Ay;;|SVSTb=LJ>L;mWfmOaxGF(3
z_UZUk@V;kd+%%rXwB04WEJQD|H}VG$gQfRf?8{ddsUbNpK84bAf&as*7Z5Se<jR|B
z>kSQ8%U9F>Y31s`zIQwSS4qUztW?>dS1n$wR8OnlILS-+_(3*0PAwE%)xW|Thp5jm
z!?6*SnPcN#tUjSkc^oM;ECiTU&(+0BDgf*(1$3RQ?$yo&JQ-h4+B|QD-BcVWu*rN#
z#>*IP?!<dI;MR|wr=X1Git;f?P!ns7O^JP9@<%95Dn#Bds9x5?^muX#(!M6lw1)os
z{E72}NZvt$rsmO0mz{O`0c&gyTK){hj}etSkskk6?Mn7Ge@AVECgwgO{V713{30e2
z#hYOQAc@)nXc+0-TATYQa@|JYOzI7zfYwgnnN}Nr7E(;2wfIRO60Gye*Rp5e40*U7
z#$bB7aC<V-aHH$?*3hBS6q@rNR@Thrp`)NYgy)pTV+Aq#&SZ}DId&<{8q=OOVM6lO
z2+W4EOvi=)G;pK@oJrEvUNn<GaYbkJFG<h+6~86sU!TRhMrZl5C%g$3P|f3(nBiA{
z9ekI>Vfd{~pV84lERg?$jZT~PEI4#xs`+&;$Go26=DcL@kJ2xrazvM3Jbh@3-JA;A
z1ad@^-Q=eVUzDwonH0tnhzyO;80B!eh@hmCPN+b)u`>Fct3460uUafCF_JbtXtQjy
z0iYXMmIaPyPxl}1c`W{26oFPDZoI@a4TDt2bkvX#JKV-(cZc$mPi8L{x*-ryJSr2)
zmB#{=eGt9m?{6LCeHnJgWKnLzHQlT+!|<K(NR-ryHv5cd2*(LK#ZUuVdS(19vAwqX
zUldu$Sd3HKLh6;nFRKWBkVEy#4C%!{4wMw>gg3kyKM49JS(p9QM~UZWA&(fvPRkPw
zgivvrgqYvcbPb?y$?w^86sp2BOkap$T$$HLrWIfu{~y*h-sHAXb}Np2;v0#L`_W=B
zaJ~j~c}>HDzfD2%TV9_YY_>;7!z-^S$RkENe!j@UKDS^XxY8Ted$6!k;|N<geJWe3
z*s+W>X9AtxY!ktXy$~%yA#hELdRYz##6z5|2#yyXLd|B$pCRHp7%$xt6Jot|@`*fh
z$|q1BqV6O96iCuk&^42pin<(z4Jfy-icLLT1NQhFLzuY^V|4N(nDp~F?(-x3&i}qX
zS5TS!W6_-mJ<p?Uq(`6k=Ru1WbbtyUTu;}K4w$nR>bv3!QtBFC*}EE0o~A`%(W-8=
zECx~gva5+9ZEyqQVjuGSEm#uX>nVZxI%0BkfQQ$ZtK&|E3i6z+^+jl@HlJUSy%~9k
zm1Y)58>Xq3_Lei_lF_$0DA5ToG8@}#sS!)hyz<%23-9Q^l<$!8CgFX3fZZmRv%h@&
zeO7fmdT&rd&-7bz8C3LHY=#TO_ciApYgB4-ZXmEg{;dl|O6Ip?@-O2z56^(we22RO
zYZzKD0JzyJ$g0n#`U`;(@XH#12OokcvJfM33IsEGD`s1`V+NfIV+KBu%Nk$-?iyAg
zA?7n-<~Nbo%e7}-?-ansA||~!6Pi7&oGGGNwJtq>zhxcQ_}8;sEThGY4OQTIzG^C!
zNmlVHbcodV*^t}c40gd^?U8gRWAl6SgzkGMH$bf$U(Q@tKXQt1PzXTLxE*gy2QRAV
z0GD9NQ|TjH?7qI}_BTa6j3<?@TEK1X9&mNln|>xvqFxU*(pXgb0p7Tn4>9BbNTV2U
ziC)rb&F^3E<AA@!9WoXu<<Z&EOxBvEj-sG=6q9x<sP;~g_(<*GK2PU;m5N=!_Kt*h
zjk@1fGXUM~L59)^|FtRT;whgyL$!)o%}CQ)r203~fYa@B04>B-oTR^aH5NVW<_)eN
zoJ}e8!z8mEI=@J4l4mq_`1cM;Sf7MV2^8S=dT=Ftujxu%D%oCsX=_tLHrn!3QKrpR
zTksOcwl#3z+t*NAI}fH3{N5GaGMMsG$X4Gc>+?#zTXwrsTKW}S*T<Skybz?p0P~>U
zW|QDbj!*5WUwpLDE3|Gl5%3qL$CDVZV@ln$85uvSzcjz?_NlM2uf21?%$j?04dQ+M
z#R6quLepo}byqjk+EQ>QO2BFmEq^j$wsKsSfXO@aaL_bEF1qHeYj~BJ{^%HH417FM
z%X&jJTc*PCY=7EyKq6bOj0Y<vG&dJ~*?&OlH$G9VCcacNr<gKLBN`xW;!-?+qB!}<
zB|xgRv%w;eXpqiA2b_x6-)!M^!kkF5bVedNK010c7evf^MO(-0I&TGeb5rU{*ha5b
zSK&>R;mKQe%w*=!zCph51#aCMUUZEc20TAL5lD9-KlFtB9e{Z8Q>h@GCwqxvA?IVR
z&VJc>AjdhTyJLEP_xcq%5j+_9sokJAyivBP=1y{Y;Pg+3SqqM6fjLL9hfTds3xBKg
zXEuJo2gwAB#==b;90NIKI^wAdDd)3Pw@T`NdxoyPq}#4?!16|?_>2o{PV8E=Kd7OF
z?`u^4uR~9K^X1`WNG)$3R75G2?Ft)INJjHyE4j6W$s3SY^a*V8Hq@O;+o>FBJl_c=
zu&`wBm2hoO12jWB9^zf$r7of$oT=VN(Y>D{*tdel{n;A^&-e|vQ=>X<bbU)l{f>Ek
zD7)y^d{J~l6A}FR^et+d(s2U(vbPG=zPpMH+BB@(=1sf1V7_*^^N;*&_n*@YtAm;X
zp%hP!gMRLFPum!(YuL0Yb>1NTHX@>t-fR8l=U8Zy#T(sn!I@%<@>CMG;xovHO#NGi
zpyO2ueB(W1`HWp_bb<$9(#4wW0QJk0OmIuZK#;y~QxkDBNRkip%Q|e;UU+^Yz1n!E
z0^#s@ZVU_3of&ei6R~_c@r>=;N=6yA^5i5r_=UrM+5h!JG@eRZrQfx?KwCpSv&`d~
z+^u~&c(2ZjBj$h86BEbZBY}Lq#jwf+g+8Z_(VR>)5OjgT({s}1mVV+;|My(GC?IU6
zOmj@UftWIG)hRDdUQa5e4OCzr?dyB(i<n<2vu+bCB(~Xz5g$lm$(|yUv(aH&$+(%2
zZONV;5a&i!KSPMd`JV6$usQ4&&b`t30XiG{&=W-63I6AI4UC{3uld{CwU|<8eHL^h
z2+bjOFRpz7QVDAge9(L$?hq@1z~_bxJtd6dJQVS7iFG{b&))4=SSRVA8r-J;i*$lF
z%>~l$2kOR;{9y^~H|yHQv=sNY73!#jJZFMvp5*Z2G!S6jyeOqzZOJN#Gi(hnZuOp}
zy$9~Y#Gab7W{@^K_R=~<)ehSRpJN$QOC%uC^gI?r6A;Kin<k^`WdZpFjSaVO1wTLy
z1mas|Ag$8c%*{?+3r*Vrqfm|Q0TEG%vU5w)#)dOMQp7uZ%x!6>Prxzv<SE5VyFuDP
zX<^yqr213RXZGkM4VsG7)IDEBXl++lVeo)HeplCSkmiH@NwB8{vvd0^#$qfN{y!Ew
zN=$C@%->7W71yMtl6o1TDe@^E>Ow5>Kr4O92T<_$sm12z!ufI92FFC5jmp87GQG~l
zE8_~rT;~fb)=qNJrm;0#+oBaF2#R*dGjsBU2s(MDj3*F^59Et~|92Vj<ZpCd<S-w(
zY`S83&r>6FS3xgHZ7)?VZO$kGU)J=PYxS@Y{IEH|k1igi!|XtIV+CvX>&<pn_kC5#
z3+P($9GA=2hwI^E-mQiWOMg|?H3o4D_sy^-Nv&Fx<>V?2eVZkF@@?dx#qo9r>p*X&
zM1e*0-A<~=lcJoo4UM>>a6(4kD$H(xCGXZVk7s3`)ixLB9*Y6m8Xc0dk((Pnom7h>
z@oNnC=g%{+3;QS!)=*!&GlR3!xZa{mWbES&Cv+@^sfQ4glUKeuik<>i>7s??iG1zm
z=eJieRM~8~g>I7zrrDeg$P*%`=f>EwJL+r?R9ldo>=*XVcn9CD3a7Y0&Y2}C_ijk*
zr9*}7=?0Sp$)4Io#7R6A41}<hUM-eg$+h`D2(|b#uRZV;@ip)LW?H}$c7+I@at313
zlTT0`f9R#nO4ZYNYC3~|(WB^vV(oElg-%({gFnmAEAJMQypF6vwZ=A|aLl^*N6U$M
zV4laiDjOi+Kdc5TCxMDQ9n+{x9H-VcSpto-$HC49IpT;w`%WNRr$TkGzw(8>$Kx(v
zu<7yg*p{Ve0cHY+SfS&P&qagglgAgXLw8T9{y6`#ZHj*ZWp|E0*Uz)#_2g>R)YHtx
z1b`uQFe}m*&qj<iarb>0SiiSL_FRZVv<Ok`idv%dtM|scj|iUfS;X536eu*hVq9pL
zo5yid7YKt#XG^}NvHSU_MN$BZp-c)@szGr=d+IK34q=-0#%`fVD|ta=jz78D@MYuc
z>+PH;okwny(PoxIu1g%r@YX!H8p~cQx_0FDZ7xZyt|KAZXxGs5vklq`Zz#@9-yb?Y
zZ54X1xummA8!b8X{I+bF+!lF3E}J}n@PK`Oo_voU)DZk`N&o()U-2=9>)V<SQ@Z8q
zI_ueEU6JL#Q)eyYNy`IFt^~OP&~rblYzF4oJR>V#YmYbgulpD7_++ZpU$e<=&U8ku
zeJ4N7;MY1M`QhT&?$m2TR3@Q<ARic5{d`3^$NH2sw}$Y&3ePQ`_2S0v&i+=_gwowV
zVZfIBgjnR3_Wr8ti&0W{j*R*807G|o{|~0DdAiz}M?pPtoS&z$2KUWsih43oDizVo
zA7Y#LU&(coGYR*!_n;Lx9dVY78u-gav$k8itM~n=c9sUd4h#32M{;*0*U-UMe6LAe
zuD$=p!`jwj{VAxU^;0{Xf0Z37`0VZLMsmhkcJi4r?aEV2(G?hl;(EOaumvC9wqsG9
zY*TBS<SRgm)5Mh2B*U>vGlOZBjjtj2iup*0KM@7Uom$q8FaNFU<2Z!wY&2tqFfo6w
z>k(55IG<dTw4T|5mfz~A7VTwwtT7BsqOE%6@d_N8EH)}m7EG&i;ETecZ{7x`ZvIBf
z{+keBUF9pdH~;y~rd?(@V$zV4Hzu-|&FD8NeK74^H7oBs#V<0|*Mk~(JZW~kPCY7W
z3(O_+y=<UKC(nv@R49AP8#eKac@NW+X$m{IIdwQyOQ%lFL)dT1E%44y_)VGBvr{Y9
z8^2_3=#U+(lZ-9oU_YI#D5C2Rtgs9-#nfX-MNz1&^2o>;<7OsZSucMDwADVCUS@IB
z)s<HIKJ}(_8Z87k^D+AU@;_<*@jUy3cTBiv=PulXegJVyoEMi$nbWk{d<`qsyElDW
zsqKY}4s0P-!{^))G!P_7CZtQ}rPY|1VM!PDOqFYH9Cod5&ilnqA`oU1XVrK9Y!DAt
z>Nh#XwrCFqz=d!TbTGAiP+ZK5#-#anliH6qS)Rr_1E6G4_kJse1TVmV&GCYyWoXsG
z_w+g9GoaaBL|ZB`w#T5S)Y84&le@c(TKFJS*<fR?B@^W#;}4Ly0e4j8t;1PtF|oim
zHyXv4Q^BW*dt(y&k1siQcQa-7X}}-rZ|a&0Y40enR_Q>n<fo%<jI&PDqo{GvoY}<A
z9v@V*R(V?z;52xWj_^A<B~(qVwa?9Gw9hq}B9UEr#njR9<+-1wmy-u(Yq+;z!Obl<
zR+51;t*HDNAdKBf@OaQqvCurg>K;HhnlNMF+I0&uei4Dka1CddIY7q#s<PR*8^ClL
z#IN#qc!mxd_2B15*zg=@1l)EK=%3}ryp>%z=Ep+GDTxh^7xKIMlK6cfde0^_-tCvX
zx$m~zBwu9OM7k-qoaF&yx33`UROuD(H-^cH{;^vIvaJjbB%IhglLiY>f6jyqojl2q
z(EGCAx^Lp}3an$j;Y~l(f<U$pZ+>SW*_D6yzA5`9i;&!d`=i=ECc=ZFg}~agYhF_u
zSvv-xnW#0hG_$ao7uQ+TTI4|-KT~FqIp}I+1Lue9c<O{!Boo_|Q3oYYoQtwNef}?_
zDPwZnq*O>u`m5mWxTr7LSJq#>zQ2S@GbKIWHwu663XssCTUuehNn@-Rsn8a6G}&{S
zqSmhHAjtP&<Dq$G<6XTLY8S7)+^y-q%6atRw#3skj7^SQ;zPr7Z|$MIxN!k2W-mVT
zt;e`NG3!2<P&7g0o$CK`$@vfK+5gaUyxKq5QnlYjCJWm$#`yLf@y9SCoJc^Es34C4
zRBYBZ<xw0nsArfkF@c>US{{*)tue)1F-s&S=#n&sBFox)5TXbNK#y%H#JHu1aK+Wu
zsGfxw37e&sUY!<Xxy6}Tb}VDV+t%6PNBrR>;S=<;saId0d5c&eQgSA?{WcTD+t<0-
zboPS^VopCYb(F1wTbrK~tlTznrrIReuK*f7CAp7qVaNR_(xvdt&5}t6_VM5oguYdU
z29?I^r{%HV$40|*M)<yzDIFI|LCShgSU15olH>Hhm%C0nq{k?n(#*_Foz2{7c|E>}
z!cD}V-XSx%Zz$XD=nOI!LvEGK@3#(C(07vnwjQeGf5M*GSx^dZ;M5!M@rC8Xj<|eq
zMwPucB6sPrq_O&7q~!aWUI*qy**g8PBlofNJKfP<h`;P?##w;>v601c@gl`4d{w|h
z#fH;AlCRe5q8%Ch6v?6f#EsX;jLvE8GlT{1;|^NmvA}BIhq9}pkH&Vslu1$@eWcg+
zD@bwNb@ih)Q0OT;O3M<=p_-+m$aqUYtqM=m9n@BIwjV`R!w>_O_0m^Kfe39xu$oj4
zy4F7WazNjdZl;I+e;RrE5vPSw1QA+8!8IND&_VpsrC!o7(uuIT1T{Nxret$Oy9P<<
zCwI@Or#`EIC(}6&4lm|4r61l5Vz%~Tx+7_NJzS1H(QSDPq|8*cLD^RLJTvh0%R%*3
z<KQ|Dx6gE!nH!SH)ZGq8i(I0zUEMArxUrYb&4E%i>Fl{o+k3cs4CWG{*B+aQ#<INS
zl+#o|XE>w<l!$1v>zPTD9lLWUOSAC!wsPx`&Eh>7-I+Au=bF&OR5GSsn>}q+45r(0
zvK)ON3DC(Ka4T}Q`%0dW@E}#h0f%0~7=*QHbvK$y0$4@03Id07maav1_b*SRP#_1Q
z0YQkE!;i{0ra?7V8>*y$f924uv8u_~u>Ai##s9dRy<7XGk*Y`AMQe!$Dd)@8HEE$Z
zyCwI|6OTAl#8a7*p}1pmh1!ES4!=q6=_FJXF#L@<5$FB)ho{U!p<TDd)xWNDLu)+`
zZqWHfhd8wzrjHAqXz_?J`4O8lgFIRMsg8B%H;IH4`ylJ~*b#&AbF5-B?%To7e~mcK
zm=e{mez}t(Hb56Q_nF9k`RH#8a8DmPBRvfLw4qvS&W*ElXE>AOg@jDi!WHK*IdJcH
zRb+T!>X>1z7tfZoxNcLp<j!TEi_SaVgSSnx{pq?G-u>`qsw_1@a?XqRQK7s-J}$;(
z=GT)+&zOmJ+F*{^aocA}ZJP1zTxYxTYECef>hJtig3na+xJ^DWK+e*2PW!{`+OfET
z1QKEVxqKmE`c9sK^apU=4kPAOD!@9V=ej>_{6m+S1surbmM;V?Ga#Cud=acS#Y9v6
z9rDK_;}7J^o?yLc2#N+M#~>5mxo=h^e}JYsvf_=_mUF)XInhFvQW8bCK1rv;`SAyF
zseK~R`-s#f*}q|;HPIcAh^%bwH)3=(bUH#1yg^Q0Z5rdj6<9P_tv|7tpDiOqi&7Ie
z;d2c)&UT~jW(P*K&dX5JIvoV#DsJ+y)ayq$w5(>Dve-HYIW_Fm&gt=O+j(2E@Kb&N
zVM|Z!(}h&o0At73Kn<OSX`8*hC330Ns3%(JNL5er<92@=El#&7ykuuUX_H~rNdKYe
zrv4$69vD1CM@A81VpU_lRV!fC9I+n=-yM*1LM0t&Rx|L8v&PR$=aPJ8!JdUeqlQ|q
zKwS#(3JJiX&8fo|E*aRu*FP6yj{H@fAMpwNNdUW-@hA`XjRVmKR&dU$iB;OOSjGMp
zwdW-KqIDGigQk-|M{_RN7xOiF-7>H??CB+Md5^A_b@Q3XLMQ_u?<yZ!crpZuP5V{G
z+$+tzOXIRjr?A6rQ%wOq(2vc3%1s}lkS<eQO#e;Rgkf21aGHW>LUy+4<)i~<C|Qcv
zj-wqM*~NGoUO3jKUPs@+Xk!Kbn*Z(@W>LLT_|y|l!T#C}hjG^X&HB|Z8&3-?DS4lC
z*$nPwk<~@l)>FB%4O|;;CTSMR)@QkJ<BINqs9_#LpZSH{C(WI)bB&rbj`sWu=3y4k
z3T*n2gmpxXQHUwaGj~t#wo*JVw~<*AF@&7N1oVju-=#nQ=ohELgjlgyY1(H6<P_8T
zS{Uk7>+RcgyF~!~e^^bey;~=?tUy|8;9Qwv$iB?u*{|txFRxzAi}3%j1|$v)-u(IQ
zTA2U0ynWO`r3e)Fb({%RUufH8CL&QfKTM?z>R&-DWm~u<p<2(FiY1|z*2tZ$g#gx}
z#b$1s#U{}SfU%e*VXL|&&}8_Y#_L0NVPX5DmvO;>DEYlUC_CmujCwRtZ(ICWALv>X
znlr(PLDB^fZRS~t_%<$@<y>Kq<K8?|sj?3YJ4B0`<gTQ^Nyl`l66NsnpRF}nzvm<X
z)@-$^p$j^-OWY|Bw0nWJ&gOU7+R2c2hSbF1nL+1e`tb)(wEizHzQ|FpMCtt$-x;iE
z0+Jvfv9gw4uaLW~v86EaKcPPwBPcAaD9!70Jvd+Owe`uYPNg#?$>CvcPvN#p;u^}I
zT~zPXL&%35*zVx~Gt9M=(;8B+#y_}DNM(M6>Vqwp4PJf+Ehqa$<ZzP-@yJ^41l@21
zwgQ*ZR1A4Uh52ip_aaHWSlnDXXPF=Ae%EzGysaUvZTYuvze^I4rgU1=HYWqP0(qO7
zl9^JUx|E1CJ`bj~NB54PKTKF5tfszI(SbDI1wlBLifT5tto)~6v3GFI7iIP!IS=Wd
zWzFhIjV7P@-YS5TvTdd11|E%CWtTE&o<kV$T;5~K^dtJ8RP8vGPwOZ3k+F>rc<5d1
zk?t<)v@A6h6wMsjCsjbVPS)HfVB({WtB^EwF;JixbLHdK^J3fGjH1Qew9qNHp%50k
z$_{Jdv;Sv0{@Jv~x_Di4-3It4wt4ky>l34#NgH3`k*Wo9P1sWc$K<`#`|9eYvT|lL
zp(nid)x5dtSdW3@@FWFO;uk5lbc+==(oWYQy1v&ImUU?%nZB!X#X6@#tmh=P%TiwP
zy_P?dO65P7BaIqT-*lay6`IUQYHA=ix7c{hKMH@q9fhwt+&+DVa^FMoo@{It{e9Ld
z@6(D&x!ra1b9;jH3w#7{hDv8mw#yI_UIOK)KJsF4cDZmqqy4dC-8)!jGvD~t6~4W-
z#Tv8TWfRY2CHo*D(NZ@!QN5QIHEYrrOIH+ad8X9rwBwcM;&qZ{?-U~5?e{I1(>L$?
z?am(8*`!vZt0vLbV1eH7ZswGcv2AVXTk2%IH=cWGR_n{Y%GdpaG!gs4=9&(w_M`+P
z!)Hl;_(ari9lzH1zvpmF`8jXHG7#c&RjgyqKVxBT+fjq#Xy%>9nhgX`h$v_nqNqx;
zvlZXDSc5qV@4v3CnD5>>rb*wHve+_kbI3-ehD(dzdAlsn%4V0#2ft;GZd7Ocoxu6#
z6dh)krcyDO?kVJrUWvXjq7Y+`1dsQ0%Ln7FK6U1AsFvPm*lRku)mQP-h9Kb_O_*bG
zZLey{S-yvL`!v}<fmNEUcrLSS<oMSI;<oe?b^4T8Y6@DDh@Un;p30tX7I#S0CRm2`
zbyuFs#g(5~L^ov7EB6QF;1^4voooA=BJpi6N?Yk1ElCA11+^Bfqxj;<BY4hEDpnMz
z;aZ(3%>!3|;a1Kx?WC{V<8rf9TpO}jHDq6qFqWD~ff!!*Ytd}FgLbXJ0l`Se%{O#!
zm?az@ybPx;zv(2jlIMmzy?cdwwY=f?zVZ}+vP{~qZCNvAWG;#`TH_Hgxq+SFQ0I-G
zqb&s3lTMlh2JDOYT|m<nYjJigYIdSSGG+kQcOk-m!%N#&`HE7GPISj%@YW59QX&t7
z()2`A3AyKvrVWCpmH))TG?`;cMd93<sV(y-Qx(KBGQu(ZqTfcUoa}e2bc+>Nzl_$N
za$Mx+2p@ow{8g;7<{QK|NjBo_utjAkOeU*7=&PjbRPVqvp;r{rai$LKkdf*W33bk2
z)L}{9F|V(tWxLLznk7kpFJZ<eI1?;7YL<UFd}KcA+!PutZ|(94Gj(X{?!gF%t&eGY
zf;1VIz-52RO%7BL{_oZJ($Dwcum6YHZPj<ooK3+gGH2!4S|Nz1N;aBy(k^-_sQJwn
zFAwqBn1p+_Yddp$=n?vmF;@f$FpmS86$bCj%9dNFR7VM)F^FweC~Vd;_BB#`*^=4k
zgGIF-i^JAH(wq79=Ui6dp-t-Qs|>v7`>n@~W%FHiD|bvSpmoT-US)Xm;J?sEvJ{FK
z-1@G@w9ns`8CR>LTzis&8iS}e<}@H`XzHR)n`3lV1AO_q18)qvJihbCwiVdZ<(1&m
zyr=6-UEbeSrK7}E!`?~G>iiK$ozcxHcp)9Ix=HV6Cia#pE1uTo)hj@#T7HJc?gMY&
zyii6VW$wNhh9j?0QN5itJX9Bjn<;sKOc+OZkdi0byshZat?Jd9NVDe~yWx6{k$lJa
zqvsR6CG#g$gXf<OX8X6jqYZ8|cL3Z0rAI@EBD!V%<@yh&dGEi=Q<U=jafjJl!B2)?
zOq|Q_yqv%I0QUm^d1bc|nv@^Zb8jwTmJ%y~v}l%OI4d@p?Ug*y)ejW+i2odLFjx{&
zX~~q=O{_Mp+S2!Ze&hx_i}MRcUZR-qXR;duciyM?DAqj4G^+W@vGw>C+3ucigDh1f
z8m0&^EwY5|)yaqK&FjHwrT?mPJ3uc{lkPKYuFseGz38hZKy)U0F<Ay)M?Q={v>h<8
z$H>91TPnee!1Gr37CHh;cchi4)VgHDM~K&QQQ5KU%Cq-J=oslADjjkHe$=T2$+jVL
zHHqJGIkYQ0Eloe^uSzjj)@+{lFF!NgWhM3kHl@b@a$XWUNB1lkZ|c%-w=&7Jx-h%u
zp}@^==Gw?SE@Z{w3Rq5w0rL5Y;c02f?4i?%JKGT6kIqVuuaKe&Ul;iQW~I|8G<o;j
zUJSf?$GexuTs6R77H>T8&NAs{iv69AeXFghmaqJd?2*9A+x60Zf!#8<|Lt95pBg(2
z<qq667vl_iA?B7mVD@n1+kh?$p9{Vg0fCF$70v4o>*Bt4YWN}*-UW@ILc=8#aG;P9
zO<=;34!S~>@72U;#_7m#Kdo|9e$LLzS2G?}^223OTXs+Udz()(<5px>Qo9>7W#TBE
zl`9j6*fD#o^PqZ2Q|q|_*Xr@$hVa)k=x%0M?}K|lZ$vHju3+er^{<~Q`SMi>|5CdI
zQXD6^r1x`t(FL38Wx>07=8pLxf$0&qD^@5iw~picB<LOUz!9uB!b?klZ8xl6fSW=n
zuXzIk@6QO0I^$%oV1+JQt$kQTV(l}r(e>Dn+o5<6+}!*kqlZBfnuKOgnRF!yyviQf
zblu6RY3IwBbwve33Nu+azTZ@fZygAwMSCd+Om|E?T1zu$I0ZJ3%<s3s^T;@<ix-i#
zhQQ*^w2(iw8*s!wds(B~iVzC`vq!`Q{j^f(sRzA2<<KpY99TKyE$1G0y3@^LibSWH
zu&Kt6_ZbcH(2%&r3mJ`u_=6PXg!8Vpmpi@S&CBM!KFzEy|3XgvJ#7CU($2E0tuAWU
zNO5Q>THG~(;tnnD6iWyYoZ#--7I$|qE+M#Ead!#s?u7!SQ2LynG0x}n;eG$X+GDJ}
z_gr({>$>WPd2SO8g$|9eOo=@ycG%~=43kzvmCQZ4T{79`V(Yh)_Sb2_jhdW8T|OMT
zzL58c>7H-T`QE8kb_E{FaZf|AG%XiO*@vc}IT~ozDO~^J@b)aW)I!7x)RZ+hQ*p}J
z6(#p%f(F3*5$cgA?M4@0qt#cy9!I;Y%KEi5f%)N;3uc1{uplb@e58(wf2slFXjT$@
zZW?*iY<9siWs6FEli%aFp%{$q>G{RNgy{!Bd-b_ZqJP&rMtdRe0*n<9a#wT_m}64%
zq4j92Wb*})&hDd+H^Zv-11FpzWy5#yL+M6BoL6D$S$Mf{zbTHsF-WaIB%LQ;B}jfG
zz)&W$z42H@<`e{DH2qF4DS|7pqGbM?dZaqbo}Z3JUeCczZJXX0$mg1;r9J0!-zbS&
zUL@f@#T8@MdispHzo^^Uz1-1P)n&=xSheI@x9zZ27P#7KVCP?13>88z7sB74B3ij<
z9yJg$=L$SlNN4+opTr&U@ysDpyLD@6!4$&PVjza_tQO+@T$6#P{&EO9EbYGSIF$lV
zG<v58BgKNhb?+UHG)s|&1&q`uO5=vUeF|_r5#=zQH`95o+;_4vJ1{z~Qt3u-EwOq}
zG~G@h23+485k9VAL{KV*F}f<~QDQ0MKSl0R)M;(mU5KaRw20Mt;|uS@MUMWl9vSOy
z)`l{9;-%ZRJkq7(_4zP?hZdd9+ZO%GF3}$S3BXOW(80mC$<nm?s$WZB37W^R>#w_~
zYI81A!SWt}>Zd57+O_L<+UMz^n@Qz}8Am+s2?mA!O&9=vFA7qgiV~e`$a8FBkZciL
z9R9TEvJ@Bm8?tw*45xlJbE(|<reMq(epJ4rYf_3@|4lB|b*npJB3R#{9=AiF>MSWu
zRoVYta{;4!V&dvrTD3Jc^AK(8sN7Cft#n)45yOUIt2KZ1@7K$UQl%^i+iq#e7@A;Y
zll-2Z@LrYG*0ZYKSAT6e7lq`sf5oGEE|xhS*+Xewa@aRK4TFBUUycqh!u#S=L-kpU
zUY?-_hw8~Fm3Mf8B)<4f2XP|kQbgk6bLPuHBeBq7MLlxhHN8td>C$xBUHxuA;ADG>
zKxGRFG3i8&JjVfn!aJ&R6};-~n04DfEjfhZB;+;!f>XJboMk$(?O83H|5%Z^MUW5n
z_fnRY!+aH2r0T!YaL=bjBRRzfMzKbP>g?_hmOEh}NiGD%Dy5#&<E3#UG0dvZGmqLc
z?qZRNx@ozu_H2mt<7OI$Gima{+*`1?Xl(od(kbP79CVh|n6n^cY@dspy{dPvu`Mun
zfARCJf3pnago=CJsqrh4kvDA9Yo7S6EK?hrBeY-{3;p-n<MT+{Y%R4bc`d4fD`zIU
zG+*>+)ER4xTEQngXr{u9Zc&l`Tz%rl|4;-^c}A+~eJ2;$KTnf-XJ-(P*n@5GjNNe8
zZKp+#NmJ}DRLEmHYcVo1wm+1$&Ld=kUr^AtoEqj;S2}iF{eg-Vmp*GwoRzJ%Rms_Y
zs^}4uOQstYpFTURj=_F4XPs{vT6O_Co$_j?!X`}4&rb3`p4B%kDqZOLtJp<9Kv1}2
z=3l=<Dss+Jv005XX+`#ZvP&1%unbp?9f|3FYl~@sXsG{}W{e}tBAJPZ9_!z>^s#t~
z`kl){Th1tLzsWc_NnU$O!BC{HwoYyBS48P3Qa}YAJthS%w8-r|QgDqEdhzMP)zQBS
zWl;C8vyJAJSFSp6`uE+xq>n-MiY}KXh_dga&}0GrI<5m%1?=7szN5RFEtU(5l?n%p
z8q?P&bK<;8->G;m{hm`s;g_$C?zpt%xhmKCovDVZqkkPKQvdX3S?64ztB&9jvki}Q
zaifJ{yw^WNBs=?=zA1b{P3G9=vuV5L?)U`Y;JG=emYJXVLK9Q>x@sJrbZ~QUan{MV
zz7ln{;PA-8#p$lHUnQ87>MS*BaP$pWJ?gu!v`A`&A_gElO!NBp1j}FOy=jYJpApbO
zq_-+Qh`{QX@dQ}iwhTZ!(B$Q?R`2Mw9OJJ(8-b_YmglcsJ;97nn{r_7qjA*Nd9$JI
z_)+rl6I-k4GsTef^UB?D*j>&%Jidxk6<yrweww?aMzYyx5(-&3_&5)XD=lFiB4M+L
zq)5uX>F5!Qptzla&9YgAR9aDx441H^kv!_cEhLZFZAhU!0q(xU(jznSrHm{(Ha$eE
z?>Id_NoAhL=`p7a&ySL3S6JgGP}Tgq?;%7-J=J5lRsFOryXLs~Yx4ZPY+wz!%nc*U
zgEc*>`Kl-Ge%B&{P53Mo*savAALZ3}*Pbn2`g<ExjC)L)CGbm-W7!En@~XJGRlT%F
zoLrawZO!E(yJzDeL+5If-Q`ynPm4RN!o(%VWC$KrE88-)MUd#kkEt*L3cuhkDDL63
zZVqFNuhL`cYoOOy=i{QDS8he}S1IjR-8A~4S8QTpjPv>w4I^&xHA7}<!MdXX?WG%G
z1|ZsaIcnGB?`Wfo?6FX%&!Ra2t=;<fJrPaomDgEF<M3xFci5hs>c#X&w4sJG(h=VZ
znK^=QLe+;VOQ9$@X}*K=<Ur$DG`ur>@#~X)R;%W7+6RrFD@+GAeTwlni{H+KRIF(6
z%X6Akc;>RDQ$EJ`w)t^H(M#b`3=W#A68U7xa=8zc@|<T=$Q7rkfwfz#1#;``MtsK(
z1pozvads0qrCQQ3%?BwJR=Jz#`cgs>iIOUkhnJv})Iu6Hh&;O{sWonSpmBhEgeC2$
zw!%Li1Cyd<vV<5IIc6+{Ocd?NmMEDD3pC2l_GkY|S6S50a53Hx@33FMQQ8lT$a!@h
z7v)s+IF5d1K;uC$_a92iLtsFFKDtkQyrI8d%GLdS^fG07Mvi2j!xUdGoKB^#g%$;0
zX_Utz4(bv^=Xztvj1rH*krfg`k#w#48?Qz}Rg}S+{<2Z%qWALlk?4FfH*LsxL}xyE
zqPz0@*?w3^N`ZDoVSXy#Q28rdbd+r#k=*l>4C<dhjeHgBRzu9*TL~<J2r-ttV*Jhp
zlpQU~bk7P}fMP{%TPUEWh3p_JK~pZ>MI93UL>wl{QKYzZd367qB;gG5q_g#zL$Zoy
zL&5b+NyCy{jmoub6s${O+udbA+scW!a$fLB2?-dDnI%T#&7@u>(}<wdO6>CljftF<
z(2HHm<FRPg&wYc1u>`^fJ>MdY{H|&rO9ABr8d-XCemX#8b;X6%Air4q$9d3A%I)E*
zY<kHH0fsv7P@=1o8Wx$eY}?W6_TLmOcZ1?rG|{Zzd$Qny!=)`t<AosZW@@^&HE#ey
z=&ex^>r~@fc(=|gyUu9=OHorLA09EFKmBehu*m~+WhG;|)$aa~V-U;45bO~BJ3eYt
zi~ulZd~o3ninMz!U|Odfhw~*yGt4jR1W!_7(*&6JqjQP^oT(C-9K!fZm@76Tp%Dj(
zg}4-?Ny)yv#dyF3@>S7>21HK}S`7IcaZ2Et2BE|h8|S~PIHnWQmRgH8qrQS*ckO*m
z*HQ3rGmcWR{-weSU<snbNuO)7whJu5Q<*sZ$^k*?>V4NVEX(rMhXlxD<v5;>5mP!i
z|Luq*V{~fHa_O_)AA;nD{L7-s{`F*|tjC{Cp2J)u0^e2~@}lBP*S$5WIkrRnh!{au
zcKv-|P7ZW26?jqyOF*hBSxdNr%(Ehidi9|V2%H{^15EM6puDwGV2q7bOAgbQzfKbP
z7f;-vI+A3=iO6mgQ@$XN>EJzT^aN{;R!i9{D_NXkQCA5d{ee|7R-Iz2pIVyT3aK<>
zDm1fa_upBhVyn#xlBW0eD9nXhPUN=dcXs^vpkbV=Y&KHUc_v?vkkMvG`fIh|-h)ZT
zBiYCw+Eh8v<{O?&alt6>c`&(n6UR(xG4Svya@<OT%uihfDnuu9t%t{J7(5V67HIQF
zT2+YNDlg`ZOZ8czul#Q!Jn1v{4$8nlzWy$lFUz9gSI?9R59@QkicRdm5MGpvULH=?
zF83LdEvT^~-1$SQLD7=KvUAhDQ?jdAxt$FPUDIZH1hi(~;@c&w7hX}K76dyn9k}y>
z*SI8sdhywu{~GA4@xRLssZZ?Q#z>55X=uhvjCuxC=Z4-a=JVlJ$5yZ%y6C@rOy4{s
z`9PU<Af-pWpBsw5@R4?s(joEdOaQKNf^bn2GI5;KVtryktUmuwL`i`AWX%66EuFAp
z_`%5rA>8x;o{BIrT3J@oNh2Zf3qA`*W31DNA~ZEX;Z3_~Ck8eN=b%yO@un+`VnoiJ
zpHsX|ZsRPE^VDxbP~m|gvnx&03Lx12`5b9g<)+@41sd{{>H&SQZ20sDzBcCzR=~81
z-Bn7hjBQ72!JgK1o;K5I&WUarNCDm}QV){;uV#;|)lM`S=1b4?Pre}a_SQ;72IpBe
zcYXT_Sjid|oz)mVBfCz8np3HQAswMldbnBDlYc?)Qmt}8=l=7pLcTboLSgJ!g5vwA
zjCF?kIh&*C5K7$Ne2U|fA}d`JMMi5NoYiB6GHDEK_`KOyu;xOJUUaI}J&7-eXZ-t$
zjta?!tXBl?BkYa@4WCvxF9{{vmmSIMI#)oQP`LJXQ%ZIZ3`qJ9*xE#s;@G;1#avM~
zIy7A@CNTYV1}Du!PD@Fx;6qAF4u+0ao}_I%X^Rk5cw?cu9dZ2)XIZ(~g<UhtW~wso
zH1CL{OvErzQ@j5JN|pzM?+7a)EF46w5<3|{sMpE)2)O|^=dS(<>Eq4nWNy+I9ZjM1
zB((A;&L*|0ce8SZr}m|5<*VC$n@-goBo)?dEG`DgL2<B-SHv>8yrsYS9MM3%dY7rN
zKHFVdSSAm08ET&g)_+RySij2HnT0@wyQ}I!8=H<~S(p1PEx?j^yM~$1vz+dX`l7u|
zq>8`XjM3iE3w=q-7k4x&uYCJZqRggeTntXiM9r~LTGS|~X)t5y-8n!v@c&nN3uY_5
zBAKr<NFPf&ly}tTocJ483`Ytkg)S4E8rF@xReOq*zIxXtFANPeN60h`_9&xMRW*M*
zE?H&qo#Vc**4CmeZb%x+_axFl1BeVZ*<gr;bc<<rYe(mQy_sQ~S@#kfTQ3W#0gC6T
zzx^u3XBs}ydix#bgA8?2Z<*0G$wSe&VnTc)%&NjGyPxES>@l|XQto}n1nr}Z<}qn$
z+-vNuXLGzBT`gJwpKt0nfP}=hz`bot*{jqh@CV#wJ%W0I`;DmT{zdXu65B}T#S*VQ
zIpD&M(taG^aXFMD@op!&#TLQ3P$<&&sIPCIB)M9@#yg$EzE*ZARuW_p&&Tkdxyd}w
zzp48}#d*=39&)+-mGlFsbE}huG&WF}#V;{;_5XJGN}aY=KnWLT@Jp1fZqNF-BHiHl
zStr>Q2P5Iu4Km%Ib%$xePJO0RmQHTw!cMR;Yn`Y!io1#LRLQ@5^VjJ6mg1;#&IwCF
zl(l~@6l!B>9gR!qwtdhS+T3`t)p5*u?v0^XD8pQM+h`2%JR1*Pef6$g4__FkI90hd
zVw8MhM8QyxZghD_p4F-xz$ZK$Q!;c)w%=kU9voa<l(S?lfUuI%PzCyn2^>Rh4-dq-
zD0mrkS*>a*mUJ88QwC*xR>lA@T*LYQRvG3);eU++Z{v9rRBcy(oD|T07LBi}Z79oy
zIT?ku`_~^E)U00W*-Cc=L8phpygqcR6<h7Vm=kUWGiK5Hj7_e;GTh#lmpeZ5lFF3s
z&&QRUnDxwE=3uP#*p59k#F($$Jxgta*O&Ha$21}1HOOOtd<A8-(-Ns|5vJ->_M3eQ
zYlBaWg2W@Lw_4IX2zLD`WsT8tJlb@d^w9u^c8$O}{dwhlDrSo&faG-ono$}1RBC27
zfFoj8#T%yKA!`XK9=<Coo>fHBiXLtG_1}~Sd{}!hpyI+(YN%g$WuRPlo<L_fXGGgA
z)alpTli!5rLEU$Gr5_U;nlYeqr_Fnrf>xEl58IGA`9OM4w=*2ekqn&QO>wN%$yBi_
zU(mKoSCb_9J+ZM|CTCJBw*~#h@Oy%)^7a$!E46W7%xndH?^m~74!kod>!P-IpB03F
zy(3jZ>X(~qLd@0LQu%$*&g?AV{^)tTrMLsf#C(o_W?Wwp7>vkS2>S1UryZ+=TJ=Ej
zkDwjR+N{2ssc%u?vmfs(cJFyq5YgQ2?DT^YZnVxE&O#ACyxvwvzivpW@V1F={N<~W
z;rbeh$j3QDAVQO+PeXMbTc3-MkX<}ohBw%#s8jKL*4|4c$QA17xo(BFbNG39O<d9D
zrDsH<^tHVFg@0Pb*(qAehE=b+N1B}6peBXcd&QbpL4Vd3;f4Z#Cp~zW75)yotY;5z
zvj~QA1Fx-(W2Q4|a;9-9AJuXjMlt9q1AcJ7DiV9AUos5r80c|u9B?pe7g(y6gyh&f
zojVx(wKvzxp0Ty_CrA$=o#LnYXTDObKWl2FBif6{2=dq~8VZ*;{iJL;(2x_(E468D
zr^8mum=yQ@z*nT*gsO~{ll;evu_}MmzG$@N#e?e;t)vf`FNO(lo}(8@TngI{yOEZ2
z$jt`2t+ln~hF^nogF|H`Z>7xi+Z_#v9&ajC)IAlZYYgXFm^m@q>KoR%z5K;p&*vZ1
zooH*ocz6K26*wC#M{F9`C?w9atFcve7I>W5E}G~wR9Zy4#vxelWZtuk3f~lObdXGO
z$ewT3ny=R|>~}yO4c0f5utGZ&-B|UxPUZUvNxKN&j!*(S#{4<w{wl8BZAEwt=;l?P
z*fK6v+kjPYsfNd{1}uYjUKHviIdkx|h&8hrujZ0DXIZvyv?XB@wNz1|F{ffL!WMvX
zUujUqoKaN`w0NHEz_wX0fr@E_^FBPj{sPB4xkH_CbgmNgydGV_kKk;xziXLr;8WOy
zeL+==Jax)vl_#nWC@rF!18~bqtVq_z#K`8t6aQw5WIFJNovt+BJT}>)JZ5PRm9_Kb
z6uqHLmoNR~05X;<BRU+bTP+IVTpHupk3AeZ%$?84gQKhehf>Yy7aZ2|z@?pH+=%z3
zKLSCsd6_OQU$m#5g^nfuj?(1_awRlD6V@48!qF%r?Xce)sY?{+pf-i-W6J)-;Xz~J
zgCwYIx2Foz$jF~;5#cQNI_nK;M~1FL&r2R|SWbVdH`YR&QGdB1Ca6R*_>>@8J8dxH
zKVTB6RHWF@5pqkWbe387&aqL?7A6gLdh+Rzq+Fa5%yFdtRr++bmgZsRPo$<JE{_0k
zd`gOUSt->QnFe<`8jn>0HGM?Qk*X&`p3J`vh;!2x5*d8LdIh%r{8M_deltjPq2f>z
z<geJOvdKYZK>JS3ok5Di({GGBlCG<>46Bjn`wwOR#^9il%S<gsS<*<V=~B#R`LUdF
zaFpHY!rGXTv8vIn%?A<NTDTjJJ~bD>QF+crK{jErN^Dx$kQN+07XR#RbtYE288{Xs
zkp0p#WmVj#l#8bx+#5!m3O6J+1(zJ*40#Ir*XNOoqdJ_zk079|%Sm#MMr=qiBEWAh
zL9n^j(xkeVL1F8$CCMZVO+Dnx`q1l!q+jViIr?5LQwH(-?g1;ETC%&h$_jC4EF9XH
z`uhaon#Yb)C94ZGj`!KZhV8YB)lU(+Z=FpLy4g8^R#k5%950(*!p6FYFO4~87ulg|
zt641FI}ro;Wg5~&)_EcON|bl+8Ghx9wHh`cNhX^WqAmn5XIJcQ%H9KLFD`}wCj`N2
zYmKOUo*VA{^UYAM!hv_!g!rV1(^<oOW_t~`_-g_jl$9fvoHt5GgRKtBT&3|@zWCR1
z8f0bC;rgIRQmZR<lH;%*=AruQ;LXBc(6aG#G_~ots8z3<pC#f8xnN94)#OgE>PKHX
zIE7Q3!nqOWzb{n#m)e<v)=+BBRS;5$)L{O^)*AZua9`ARK9?ObEWE(b_=b8R3e%1B
z%^6#K_E&?K=;l1f98JfXvj-}1JesxNcFiAbm93h)6@`}lxv~(Gv+xKGEP*rYFWHHv
z{Vt|>DCz>{TvW2#9rtj8jNPr3p6e33>mAPXzXp@ndwsdrk+q!n5x?0S0^e9wyfOX<
zsF;0oHgXmis3;fR+U7al&UHue6R~A~M%lFduN{S{h93GTZ%Zkjr(CYqOViOHN&T*x
zso@4AvE3pz>ll;IeLU{AG*(-nq)_5u+&d-JH4QYx_a!VXbK)d(o9;p3=0Z;q=IEyz
zFTP3Hr~=xT&n&`1bK3;!CD+MJWV4yL*bCz|a@G+ladfQv207M21p~7JX8K$!jS(yK
zO|^WEkTPh_c-IbT{GJk)wtr1o(*nZ&C8a@{!%%C27>E(+Jo<tBF496D>#AZZG=sL{
zKNP>!p6&|(OYlg3OZ|*}iQ3tOX)}LaJqvo}bE4b0H3KtuD6^u9Hp>ozj+JE*_#et0
z+yI$kUv63(G10D+p334_l>n>hxV<lqoQx7-j1qhLOj5mP`!-QVESB^4u!q}TIS_W$
zQ8?>lkl*O+lprJ3FzOWBT?|u`YBme<44J(Zo5yejU_7E{A(odsbKa!a%%%*apxYAu
zVG#`A5hkvb^xaQvez&FFw)a`%QKW(7ZB8yVj&Iu$7?GJWsB*-s>t+o3ZPDF;IXQM@
z(7PJ;$Ke*zFDhJ-)p_YG^%vFkASU{5yi7_+NJxne0}!2@nYk<MZ1lUo5lLtSn6^t#
zlaZ)dAx}p1r_^0ZYrLv>j<>Nqr>;wR{e1qtilcB^bR>hCjTTZCFUotX@Lhdn{B%nb
z#3`U>2hU({3hSnH1np0c-i&ve6<7PC86DK5C^a<MsDFOgtHM85siAz~YT3k3YSA<9
z)nODf?&K`fVEu{uCWi9#Z%tZy?5v31xr?^JS@4=!+`eOyV}HB6#2VFFyYu;vRvnZh
zd1=etVVxFA2L?Nq*r)A*BFdz!A7k~4b32xemjwxSdd%A6k2h(J&hd!h)Y2~NBpr?x
zaRS5l>=&$tq{(seIxKYv!+d{p`r-2|wP+7ds|NDqYPTOfX7}s^3!IpUQhRo&nGQw^
z3q<YR@pN^|gy+@l$=8rLzrWe*&dv_$Ug$tfAUgQ1`XPboHkAIggqw1_yU=)sBzTPJ
zYlLNCFDAgIt?edLXPJjqngBnu;Xf21tuab{hHQ!NW4XSE311Gb^8<X&MvP85oV}?$
zxAH1%9!yWh8R6|W3#N}|H6(_5L$G`cGTHX4I34|~2bM-t!Pu(yWdAw42^IPfw-7$}
zCA=1sc&aP1jvI~MdGQi=@PYj}-#LibLdL*l^36FH!qQ@6M`jM9^8Jjyw~-8;`OW1F
z#m|t-v4RK-zd!n-x5Sw(>aGo_*!3E=pw{;`6ELF_t2tsAEa$cG&Y?1!APznj$rfSW
zZaw#I+Wyjjm0i1@F`oRG0Rw(7zoMs8Gtx=0Ik}va%8sjy*JY~$B<{7=BAK}%U((7#
zG@K@Vy=>^~IX>nKq_}5(8jGq=q)nE3jS?5CHk^&4gEWu_{gV**v4un^^MCPggH)4E
z3?+t=ES2Zrvq(0#)I-X&BY~@l_3wuLQH}*edqXJH@TLRASu5(LcMfCp-+x<OOxaG<
zaMRQH7`8`_vf%%dP1rO$$WFS~p_FHFy4bI>$l+Be?jM&9s4mI?j!$4`@o>l2pS}zx
zWv3XHpe>&gLyxM|*?Oz2qYJRcNDyEav(Hwhb-gay#W-ZtmG$O>0-lhSY8J0@er~9M
zXy|W=f}FI1SXF18<b3hro#Wixc;C;Lt{T<8#2%vWPNjA_1<r@|x`<~j!bZ9@8Izc$
zGma|vkLdNtO_P}|4L07UQzQDeUDjFKesJBW`P3Yjb9-ikvgnhBX-6`QrUj=kzA9Ut
znW7gt0E$_<<%C=Ep+HS=4i>MuC6MNws1e4WsQu|OvT}z~rJw;z?|$+bujC28@9RLJ
zm8Cms)0+AXhllWASnP#_??AtdO&>gTSP~cAYtqD7QPSiL?!F4Xq4=R%Cg`VPSgv`7
zNhOHc0k0@oy-L${hQlsGVIHaSto#A}dA};Hr871zApZLc(j-It7rrG18l5QO6E@w;
z9uWq=ROw{CA%;Zn$_=LYr^@jBZQm3uSJW;siUfSCqR`X58bc#BlVn7Z>&@UV%?AB!
zV&nWx9FnExV{vG}9yuu*NZsa3I5r9!`wU1)Jmldn9BRDDEpdJ89rtb-;rauR6`M8|
z-~f#q)n0IB@)~Y(1=Y{B?+wH&ctl}}XcS&2_r>T_p_|y)-O?Z&R_xxwt1n0^FjjvG
zN|q?odZl2`BiV)o6rS0+x~;{Qa18Xw<6LZd?Z$sh@CH}iG0J!fej5Jgip(>vEN_yU
zdK`zZtAE}faGz?x*WufPAyA&XpVP&KC}*V8N3-K0#{{3zN?br*N-L(*P?)iNNdr&K
zf{7lQ%Q_{?Bf!4o{s)uOW2q0=5p=UwrV8Bub53cveCoVkL?^K-d<9R$QRG@Y56w^h
zac#WDX}xkOsbhQJftW8=)7;Y1y09Z%gm3kvo&CJ{WcN&`r3q~LeVr(oJb3gUigljh
zq~XXKJDEQCwPaltucCAOtzemz3{sX-D|)5cu5zwlA9w2yEP;~RO+|XmWn|dzK&9<x
zC*Z*M4V9>cg+LX+ZgKw_(k?7Jd)AAaT|>1H3__BWx?xHr3pFopYo9tg);b*s!(8ED
z>`{O9vumNl4W=!;_%3RTupISLnq#hP2%s;RhrGCdj$LZ|LmYvZ4{_przsFVEP4+}h
zO?F3U$B+J)MU`_egmYv5bz1^FA@ZeF9{0)k%9gb3t0*riRcQ4&oKS99YsjXn9~;bp
zrtv2a4&m~PJprg-H}KX%1@j*4D)QbWfrrF?T7YV%&t(+AM6abU7a4e9MXE><%87q!
zZKWRtz?*5L;J1sB&q|k=ezn$;NTj-KwV)qo=p9uUzu5&|so#)$AbKb$#!WZ93hC+f
zi}Iwx*^!(X8kOkiDD{9ry0vw`VO66*Ys8U}y%_K{HT4$H?XK~r7!w&&C#pN<zm7gK
zI?w7ga0Hl5J54Kpcd(}cS+S}3*D#6xw$8*kmLUQ`X@iIG-=*9Cr~>O#qo@*H7WdyI
zD24W1wTk(w@2z6b>p5Gkag)dRcdD$-Iliv7TpO`#Xs^?lqj-%srgN3GcZa<P7MZl5
zp@d}I&dm2n+EbRz)U7P+Vz@16yaglcwh+szS?RdV&PU}YOHqgYeWpH>Lv2##eEZMb
z)?4waq~RK_oC@@i-^T5?z)y5t8Kn|rliTC65mlBGHX&JuoNFEsdi~(gCOip3`}$%@
zNhNV3P_r(pCo&Nl53^4l+WsQ*fm_g9r@g?$VV~WOHBpV~@jnz_CS_!R#@c7DrI`%v
ziy-cnpp@dZ7F97gXz$n<uViYhc4{R~UD_aYe{|g0Gk+j*I9=uUh;4J1!+V%elWp9W
zk0#uAhNStd%+*J1fa=a2Z2_pBCNZPYt73g0&1QmB9hzjqhGmN2{c+SIyo1fs_+2eU
zu(-tmlfFz)y`W_4@Ds@I=(f_--XLChY`CX>qgp8YGA^eG^d?LfK%MiX^kDn$T|tF;
zX|QtzPOvw#U?gmW<HvRR>(7Fc^N#sMMpi}~tt$e}JYwVi@@E%QSC0H<qJ1xix!|1^
z%OmbsImWJ!B0`!mf*xkdk!tm|0HL=3Q1Cjxj1t-9Xi0T^Fg`<Amf<u_uU}m{)O~Xg
z@LO8+>!H-5Vig$OZ{t?tFXAjhk=y1MqEKp6%KG%f2VSQ)FJbttta(wGPtoshbsRw+
z#pe&#Cb?lb6f?uvDWwrcD)aLaG$Y#%nIJijb}5PhCiCFfNWK(SsO{-bcS7rBRueh3
zu?u8lnVK7inu=I2|GeJ7jXELfyT7ftq(P&~Zk?11q~RQQfVcs^*^)g5wk9OZZI=~}
zqfY*QbRX(8V>LKgWvKxwV(G3#on2C)qM49!m-57OLv?Tx3cEe_Yiu?H)xLK6sJ6A+
zvMJn*V<;mLJBn(1fvF8IT1jWOIPle;VK(Y)?hY?-Z}Uv67K;<=fd!8S4nQuVKQ@AQ
zA^+N?RpIwqwJ=){=PZ5((fM2puFuT~K5U|WcUVmjT)X~&_29Q#ex7EO7y(<T6lmK7
zBeI8&<;*=QE(`Uu_26z7;~kWTr73c!Zy-|iBy$4RxhT_0B<?N~A8IB(7QpP^aDceW
zFQ2y%IjRqzTM)l-3|E9yE1rKCAbT(C*G{>QjIG8){#mKAi008EO0?FP`MCVkB|T<n
z5x4J%E`Ca`ijq1&b1W>Hvm9k3h~s&0tBrgPKJk+wBv@ogN?jpN4Ejkx>M}aHNJUE9
zlzHcQF|AwMA$y<`zMlzEryhSnAXDUwDMAgLSAOSLB$O@mOK~+-eIX)t5Kw7dTgiQ1
zFS3HJ3!$SzwQpYNvR?I`N_;BHh7#^&$@+O(tsB(dGoItw%d}~n(u629KK_g&cgE~k
z?f@Y<Wx`men4DI-Dy6NeJ{nZMtDO=LT<OJI^0GzV2NnO4<6(45h7FqiZ8O+7OrJkp
z+(a*#_)^m}ZrSqggp;bh%D##a`$7*O*6~;JReSc+UeF4kGZPUTF-IJAu=GVEYsSgQ
zhWCcE%`BI)gwcv%X@$$m^0~G-LDw+hZw<$&sgfVA-@9wjl(nW+#hz?4(`pi*yUM62
zUkuv5cij;3KBs%K{+3dac{nYzbamZcEMf6S@D{68A2=P1{r0(r&M>J(Hg2_L>1yUp
zi1CnZ<qT~W(*C48G%zPA<t<g>XO+Uq2JEJ&DnK5U6F`Ldy3Er*WR1&;b@qqG>l-Q-
z7iZQ(_msldafH?an`wR@kqK-@cBt0)Z$P|MOGgUH>FtjNGn?mXu;{hllAyrw`Ad2}
zoaurl0u4CFoOHKQg4BCdORM(lXe2ZUlS7+Dz5JJghhRf|Hf(H7DvHjy2mGn}w!^O)
z#_|o=1`n>2*B%aBt(&=;h<A%JOxALaitWm;uxb>Hm)z|PAy<`lEdT;=dYA6dH(xGk
zLZgO8NL?(PN<UBdT5lWF?5)tjqWJ#XWw*v4LgMc}uOwM{IgkA9bH(3P%)5zn>X*SU
z#{+jynP2h}pnZp@P=kYNKE89|p&@wbr2@j(r@>XcLe64IbL^EbS?=JYJGD`(PpVq`
z-c#ye8cUj|%CHje&GUt?2}K-@v`^EtI?=@Vgl?@)@wkUZnt$o}X$vSn76SpoFw^I$
zzj{fr3b>I!7h4Gf+Sr|6O|^FSe6OCz042WtVEeAgIDF=NJ3&rF2!}%E-i(g#du?y9
zdHDQO;i_N@P;aAxO40Du_KGmsn6aqk!_&Q(J!AZ8G0BWuyq9uZ^y_eOKD76|qm%z+
zC#_v*L@8Am;{ZXYh}x>lQxp$)CoUdYtyG2lwgFjvf$w{wRT9ucq$1=eb}+DCCbhbU
z=R$dASI>BZY{knhkn2%31H6)9Z_0{3c5Zc82syORLPoXXo=HZSYF|C8qi9t9UYNHW
z*kP><9$l8V-$Uo2D36&P9gt1Q9pTO|ej^5HYZt12#AMoK6;2&(oifA!dZ{KGKW_Ty
zxM&>6yfZRZWWMvF&O)8p-M~x4NiCR`|5u!dZ2=B57nQ2#Lu&?|gCR}%3Mb1hTGq?U
zfcMd;pa*er($YA)G0Qb7I%^tYq$e=CnkL35$X>p&#;Z9kes5CjDbqi>211lViKQCM
z-*EI-Tjzcz>N8Je$qM+BZ6$!V`%|kzr6$d>oqHp2yox|QNox{~h~!AL$zn0)_QQv$
z>Y?CS7XaZaB9mW(9^OxfCa|imS;F(tj*aJcXM3sKdCi#eY?AqEeEK2T1aD3e((yb4
zdUk~FukZCBG#3kjB4OLIlhON~)(H=~pgS@uaXv(Lx&zS?ldw3dbnSYR6&JH1<LMAk
zR2Iw-p)}5qIs`>m8Mf#P)yIpF#C_Uuz=bRjkNu;+4gXC<+!ED1E~@F;EHlvTBn_l{
zna49nU5V!xQ%V|GLM?PS-QIpra2CkainV3V)8S{pRNMQR7q1|*|1pCzEP^%l@C?Xd
zRyZd%|6Mh(rWpKpK(T>4PTXMX?@OJRTg}2CovB=*0~O_h?ImT!(33@+n?wdygsU_+
zk0;L$WjZWLx=N0_33fH82~t-K$}ye2+7+}Z7r3eee#+{%%Yj8$CQgT<Med9ytJDa~
zzA~51P*7f}{}nGPuaPnSV<eD&ft1|9sUUgklhvXRgoBLBoHt+2{zxbWfQKXjh>hQe
zVkrJoR1~{8nX}Ao%Z?ozO>SemTYT7!<1^v$C_CS5;R*m?`U5l?OHMktn&e-9zA#Ph
zn2a^y{`GI*tM|ZFtv>{4z+%-=3vO4n!}&3i>NCVyy5!bSFm{k%s~YfA<~+G9F-^jU
zb5+94ZCd6qh_t?pm75qgSFU%LawR^sPW6_@bqSziu^UC`>PuNU%^Yj`*ftSA_uhLL
zCnX;cS~bRTxNTXoWLG87iR}lP1eGr<hk9}kHfLCGTxKN!QE;froSev&tA*NkYTtYn
z%>AbZ(=Mpi8;d@|#Z2S<F7j8>-l18V(sw1k8kCNZy4BC3GIRRpJ!zY;3BK~2Dorl}
zIcBB{k=^Wn;lPHe(WmSZ;`XD8>~lqMCF$TKMC4#r?vvHISGAy$a#n+1&Dt7T#d^I=
z@{~QViTFsU!Y!M-%!~>4Ae&5eFGQ4bOhZ<<GFX5LL3G1q*Kbbs>IG(?ieCbL8?1|t
z47=eMvtPU+WgZ?EH0*_&QLBLttX^6w7_?L2b#W)};W&G5yST6zZDBntH5~cHqZ<o!
zA1D}?LV7?QhHqWnH01J|Mn*ue@&pTMDm_voviHcnNXrKcpR*SH5f6v^Y!K1ADfMs}
z<`dTUX?%ASZs+8~IYw`*ZFK|lf9h#fiXB~j?<iYbx7mn)6<=B71-o{Hd<tc(yT&<t
zxuQvSwo}(SJNShUa7t~<Ee#>eCKHk-BFNw_uIdV0^}s_Hh>mPudibI8qd~ku-?;`c
z#RSh1;v}UrZ4+ZM1+8is%UGK+o(3y;7(&%bzA__$uV*SEqVodR;102>$i+BAc~z^E
zs+Y3v@=c$$p0hH_vs>!b0z1`sNLM9cVl|t#A<_+(AezVBri-3jo(`@X8h!0@lQBjv
zR)-ZR-R$+U_N!*#<Fs7OW%gXiQx}-2ip|PkCOX3gpziLgErl)@7Yc5!HD#h*^L+0i
zP~AKca<uAG8~?qg*`DHdv^+kyzLBuA=@h4Z>f<`hf-QPdMS9C7Q%}8&EktfGQE+^G
zM8xNmY7VS3)d}0{z$qm(q1ANz&WgPCiGMFSV0l_0VLm_i#*rj@p_SLf{_E0J-f9c&
zSc|%?LB%PgoNHIe-rXFss!hyo#Ply9k$zXSi;cU5jlCa7Qf_i;<XUamQ@60t7(8GL
zjRR%(KW)0TuK-bz$F5@Bc@iBEAc1~z>v3kR=n*;Ze<(DGDnHo-tJ1K^)ZF#HHO`Zh
zO7Wc<Dm11mWY=}a7!oUOc);R!mGqs#jz>+*Ee6d}s)(;u0%V?w8o6+i*c*Np$$XE?
z{>Uof&&#iHTfgVevI})cC7Hg7iQ%t(qgi*>cF`$8M^8Fq=BirOOjNalX`~xlT_(1O
zw#X}DL9~KpIojk#(z0q{d9Y&fA!#CUe0t<&x;-E<YVMCWSi$ne2+czOC;ks90Jnw)
zpzJ39SDru@i%{Lo<C3p}uM$0awssb#735&AxJQGpU*8wr_gVmdBcqC<wxr!w(jxC&
zw_}?1Woe!R;}30<tUAxLHQb(Gjpeqtl0v5~w59t!o6qdieO@2_L*eRG)BV!;`^I5Y
zQMa?Uorg8Wq;<7=(T9UL$hHnbSmc&wZ|;D*nA;~(Q&#K6UvzBBl_wZ5f!iqA9(*Wd
zhDYKv#hr3?<n&8ic>!wc2gdc}iuv^MHqLaZkNAMKQ)<pa?3w^=yr$#DE`%|=P_s>t
z19!#Q^x&Gd)RCH^KL5u}RwKcpy$SnPxtU4-rGc`_GHJS;tVHvgjK-7Lq?0I4x{Rvi
zchga%Q>HY-+m>o@WrXa9!dzEH*?o!mR_Iemw1WInU)rHFQy7jcOc<cnwVZa-pzUEd
zGGgi%8@C>h3(ex3Y!q=bOZynP;52G<<Mv`KyLiV!1gSbrqB7uYxjkxY;OOJOoWD6&
zkU%24lRh`1gi-nLt;v5T!4V?(55<{8Y+P|mf6o!Nwk~KV9yj&V{8Ii+#25>u0CsAr
z5`}fF5QVJB?FTU5CS@G51H>5_<@O(nNx=taY!OfcyxM`Yxpa1Zx{YaK*lnRyM6*8D
zxlGoIR<xW5|A6ydZDyL)vO1O-f?4zT>LlVR=F9{VH|#8K%(`8ayU}YYo&Fl_(mW{+
zCN6jzFH;zrmCk}U+nq#fwB^Ut0e7q>%Ug;7zzb>w<lBqZxS)T(Hm{x-OOMz#WJN}Y
zjf-224rexKD?Rg?x%!gHC~{j(LbgikKh;j&{LZ3?i8DJaOkgeYR;2w*M>lj-W~{o+
zVp6Id=F|T9%tFg}lzobQNs^2k%6nscRv*(b)p6~8OJN*j{VH5k`xZlEymI-~$7r7*
zMA83zIK%AqB8jLifvB{BhW!PrifBl$Vc84VlhyB?bnbT*QI2I%SWr&JvO*67%sUCE
zzh!#y9?*9Wgg7hFIRUKJY>_pqTH1&l{(cDf-lBBP9=67r78pJnlT#4R!{eYrQh}c=
zUWfb0LZAyAD9*2iq7GOK<P17O_f1SbvWWrC60z+3$A?R(qZ+;)aD7V5psnPvPMzBe
zrzW0LBEAY%bBpx^@tHl+4{IoVfOfO^87$ul<;z$es53ri=$Sks*^&_KQ^`#s^QaR1
z?+ta*1$K=kBqfT^ENkcRv3vOU_bkO{B2%Kjj9u=tHtL3G?1AKevj6EPsr8sSInYtV
z+WVV?Z%_ZSL{XQ#zeIO!D7@SqW?2XMiA0KCdPL>vJCK!mkuiVs{NVOlU+sW7Y&JCV
zR7I|fw0Mmq=gT$-qvg5QrP5!OAo=@EhUIs(joQxmDb=6m7+0$I@R{z63Gk|4=AR;&
z{tt5@%Xf9Bs{qo@WChZkKwp}g7Ni7&tw{q1>Yjq;kbtEkF@`!8J33Qrq*(#>D6N`H
zHv8d7P2&J{NB=*w9~32L;M}UCWx2(XsGD_eLv|-ae=djENnZyrDsFG^OPSps{szzS
zlT}P}H&LcavF9iD@<buL7&YfFV3zk8lvD?6EfkQ(WYAVfKz^4Wl&sJ~E?r2%2d7n3
zgVQcp$H>7_P4DZ-NbIqqXQwimW4}n2;75>ky*&SVh9J976#$FL&~IBy$46N(a1LzR
z%V>6->=%bTtljj?ocCn*8L}+wL9BcWk?45Fro^m|g?@2h84@u172(PSDq}YQNqJuS
zVpRIk?&6#2NUc26-XWBF{S%x7eef<DCIxMrn<_i${r;$$@pBiBPX3coc1Gvi&=Zpu
ze&>n+>v|q)s=7Qb<}Ef2{QG+ptuR`JIjI>7EO^zn3>larA}W#<M!ZpwUu@S&?fcQO
zJ2Ied6aXk|3&|~~8ECj!lRO%fPu%o;^E(etxQh$%mR~F-(gkOa)A-s0tM&(ttrl{e
z#hcQ&<RnE=6@C_C29@}2d|<H#zurcNspi8ilX_(vG<VQRo1jpiNsjZ(H}v7*YWiPt
z*bm}>iBq&D2h$R_Bj0bm$D3&*kT$mQf)}dQ2^<Mn*fNQm58NXw!Qq^fOns&&EZ+@*
zVM|5&spy2QxMR4y#x|z;beh@Np|UPFla&VQHjTwai=#_gtKe|_8RCy6SiIiWNv3|Q
zSt;g&d2d8#C+FTys^iC0)h9JnK_=^12(;eXjyTy>A=)%CzNjzVRS{!N1K^on4|6vw
z5FnU}EC0~ahR<g-O6JzVoBVygS1Fh!Cwu4}U2q+nWDpt-4ptWMR$S5yW4`OC(pHyg
z{4&UwbAv<t^#RF_N<!OFxJLa14$pN@=f9@KzksH%YrpGZw9S4B?KQQeE%;bPk`6|_
zxw>wtSs}{H2Gb-}c;@_y*-PO0mQ^SlIQ*wY9#_=g|Kgkf^P4ZND|TtbBYA3E8mlTv
z=;5Q+q3`oAS<>&nv_Kr|;U^+}Miy<WmjqX@wPfgd;8$IJ7bj(^3>C*loL*|EfT{(h
zvsO_DjWwM<KAJirO)nI_)P+(nT6nM}t^!3x?**7EpiLt@9FNnLe8qprT;sqxUrGA_
z13m(DsLlWyGG3TC$s=S8%}_+0MgqgR*{QDUhQI!YvNIEB9~U1Tofus`#tvr&$>`^%
zqJGrY-;6>bnjX0{SLZ1hnNrE(ntB5&E{LjIew}{?JKFSEK~fR9d}H<;e`oj}3E(Pc
z;dBvLCFY76lxAgLAkaezCy~4T0{HU<S!F*1kFn@MCoN2VXaQiaN4O}~K~qb7Li9oi
zisP<-B!9#kh(HO^$*XOa4ciDBBx6zq>TgQ8tm=Q7>``Bt{TEQJ*bD~75kA)+G5%xt
zrN1~t>X^e@$;l~XFh+u-9`3_Zdo}L(TT#e&ud?`SX*vm01DDrzJrzf|6qSo5khV$R
z`At@Iha;cDTFo6|Zr?5{Qt<9|6Owm2##8pb+(8?x<LpZ%C#2Ac*?bcT-TLM~6*e0f
z4D}a>xwI-j;D3%=Q_U;e{t{>tg2Dp^zIM#WKvHSdaiK|Is=un~jADIvzZQ!&b2-uZ
zCEoM)_QYXvY_!<Y_1e0bdOZlNu{WtM!pHPp3aU~`MM~w#TYtQ?oIrBIJ-f?MtE%Z*
zm_bSdTV5S^1xn_)Rs~6gFWK6Y<HnQrZ?diMJ_*}$d*uYa+!x`a^g-%GTZ~O0jtad^
z*gq%)h&ryAGcA_wc<?^7a*y2!!Brt`x-K<jr&4_hbDhfWP3za!2trd#+@YYUhTEqB
zJ0Xm3ieJaRr7gQM572gMebs+y_jbOS76Pk2xQ%vt1Cd<_*|mn<#iq>!!3^lrfD>`B
z>w5HsT7d7pOQ=p^#q2J#aeB=Qf-BXtSy(bmBxB=t+x>sM;^!s;LlvZETYnjzgGyZ{
z?@XS)WBU1K;T$R!<^79b%huK^@B$Np55cTv%o(Tb>uLK)?eh<Fcfl><kehLFoaB9_
zk7x(S{l68P&(s8(wc_-N1PwYs9X!r<vCE~4Wn+{44Avi-TC|Y%?H3&Nfiqmc#Qq$G
zGcu;*?8n=%C5TvsLwS=q%u{H8B#ZJ))Z9!<{Fvx+AK>mB0s3FpJYCm3pQi@msah+;
zrI6ZC%C^PdQD|$VUQ%nw8iV`ypTE}{m^5%AF}U$%;I#deDL@pC=A~ZZdfes}u@ee%
z<6Ji!19gBPJ<H&bZdIKHt5wR^-ka+7Icwd0-Mm^BSMgP2M?tR~9*LsK1(=nBv6*ZI
zjC0symtUC(rjTkhm(9na9#SaS(J@g~HR?1G-XKJA7~T7Nb)C^ccyb^dH8gK}k@lK)
z()L{;zS!=d(7K2VJeb8bA^P!#s$%{>6jG0(O`HEvG<vfS6q*{s5$?D-MtyCY!JK!)
zcY}n0#`f>D{Y7-0BNPN=73L61vv5Lz-o79G+)baTTamCoUkt{6Cs67fFCXc=V;?F0
zV?x!-h~4Nkk6nm+L#21>+NyB(<B<Mb=q&%IL1Q=R8=6_IlZ#!i*V7m4>C6j7Hsea5
zvNRFs<)1VW9^x4KS_a`$Bs<JxIq(e;Jg5^GV@J<_&iy24plF}ocwX&i$q;Cfu=+zc
zz-`eZn}5nGi|VJ~OPHEXLWQ9h>*#j|8adY#TEHBtf6K~l^_y+^305Cuht5Xh4lkc~
z7Ah8yJb`+5VjQ3=DvIH>U|-pcyIN9cxum_WRZ<1#+ernXDxui4t&GmYMuMBrvH8aB
z=3Y-;G0TMTOkZ6Pn@&!SxD96iPhY_Q`F0i^9vk~S?MwdoFnc}C<{#9WMpb>~0r+%`
zq;kn6j-*!D{QvLgNaGU_O%8-F$4`|Yyl$}RDEC`1!8^CekB5OldhSQ4jBlBlTEIAb
z1gTpqlMENKX7r-vv<CY$hR8aE!3Q)D$@?pz+kwlQXMd{;RynayQ%eJ8B;LZkzwyZr
zIn=}1Q@aCiqPD@zx*$>7SE|5_R_bc4!2-IRT)S4lKCTv1;FD~0^(M{*M4n<PJqX4a
zkKkxfn<60ECA3tc&AFd~lX0Ha3VFCth*N*<OT2}7cvypr1zIAj&bSyuR6Kaz6UUiw
z8No%R`%w^BUC~aLucp7BrMx3=%xs8wYwe~=bnt>%M*aLw#P7T+LhfAUh3las&hVLl
zcC<s_(q8!ap>K7(^AllU5K&m2gS~orlU*_SX}sX*EtHmK=v7<a;y@p>*Dvah)htoc
z@n+!RPn+iPy&<B>_`3oD^`vwzMP8XMi_xesEYJickD6ufB0kSnR;F8tK{VWeh05Ci
z!uU&*@PVF^pDs`v(B+3bJHNC?|I}EjxhCkUyg+l=mCL73sei*_Od2uO!ZBm}g2OHH
zD`8VeIZ)|ln4(+B^-QW~sUwn;OMAXRv;L~kwwVf#_*zdH;U9RT<{HcLyTNPx+--Ua
zCc-Qe;OI~8m7HEY&Ex+#u!O^><3uYuJTY#%d+T(rpjXvxa|%|-;b`C|t-$2lw4qSS
z#(c$&ri#s>02wo|uuT%cz?>A4A@`&bkIQhjGJDpz>qp?#^dZ~qkY+rM^b9{9ejRsM
z>At_ru(>QYQE6MDWE|txZil%Mkq-~PQeAj~?3I8l=;KLwSIMHA{mz2&j2BB3ZK$PZ
zFUWGj_2q>`R4EA6sgn+=_cAFod+mM>rlV)jii`w*JbLr$=GWr^?L#5(&f=%R4*C$;
zWP_}n{Oa3|n_V6)J==bMD(12(rE&WqLKIyl;!g2ewlA3%`X{RM@ly&`)}=I2-sZNk
zT>*=YY@H=iE$*2@JQHZ`eD#JkEvm9#=MHl#FrJT|28TD={BHQv0=-Bz`r^=)$LtCS
zGgCyh-3M+8RM1*xtHh$@WW9xwr}r$x12+dcWsSU!sW7A)&#CMgS}+l5&HWrlHuj<k
z&acqFo`eHNzCx})i}Gfr<Cvu-<Jhz_-oNVMAJ4q{#5Ezkixm^t;4_w3nf;bHF4k+C
z7ArwYeB3(0j$*-adA-45A@I98j>4ugC4%e8-_S&<F3klV`(O`}69a5b2$sFgf*5a<
zpZCY3PKTqYpw6Z6<BUHJc`@Wk^ITYrO8Z9~EkEf&?a8jI1@10(>elp_Kvs1<t<V}T
zJQUCN4UL%cPu%Hv=wM64?<1zyzG0JJMl6ZC#-{8_WiaeqM{DGf>ZIN2z*0(8MIuW9
zLCytyl1eyb8k1AMiIZHOav@f^{qQGarOh}2J2&}cCU;K5WM;-l?@chDR$VqK-ip{m
zc~g}`#V^l80Yr12mI5|$dGkWxywJ`EZO!;|wUllH&DUfoE(bN1%q!zUG~NZShxrsA
zv2SJ|1zPoUQ11qZG`JQvo&#5-&(*W*4Y{6^_yLSD&}t>FU<sR`EtoEK$ttRZ&kW<&
zD)HAJyJ5#8qT*Ys{ov}9c0Lh}_?WFYGSwR}dOH;zO>&MqI8@2hGS}}Wj>0%Orz5!P
zTF?q)+LxvuM9*XO3cVh`_nEkxmn<0h0?t`{w;#~Byd_ZGApw})U4KS{LKbPT%%%B`
zg#DL-vLS<RD2hak7AOQYG6Q%%ujyVF9?pzVA9C6KZD}eWw*ARI^OMpw=ELBpVT*(W
z#_bYo>_Q34Af4C}q11AQmUVSf%#E!ahj0GwrF71Xc{DxC=Fn=)1%nl_(bQe|=R6mx
z|HIr{1;zD6UxNe!!QCyv-CcvbLqj(fw2^K+G@jt@?jg8!<1WD)ch_LSA$S5we#3w2
zt9h83m-*&ps&1XyFSqK}uDj3KXYaMvzBCgD?C?Lo*SOC3;gXT|&4)=VY38CcMW`+z
zxpvX}{*RB`#|m1xk(vE`4Fh|v<74C0#&objYgnv8wNWSsHOh@glXjmSL*!H16nkyD
zQnBD1m4zY~OPLyg3P@<&0Jl|Ua>(EiMW+iX9>1<pr!G2R(cfb*B*m>^PT)FI0e$@1
zvYL=+%t*HJ4b~HH5^C4T?fZIPN@MU<m(~!bB0jq~-XDi$8<VTKqVh3_k8f2RC=g?4
zeM3KXqgDeiC6ycAN<M{{YJgSdcqNGToha78-7SmA<a<!xecvzrby&j3V^n-_@S6MF
z$TURLAi-3?(v0{XT#_p0EF|SRlm<c~nMp7kFziT}+5B`ovU)cX+eZv?UX$jR$0`(u
zB#OL=pR3|?7g`sI4gcygexZ;)pMbab*lEStVURdgsIu_@n>S9~g24{*K<=s=q{aK@
z8egd+e&kTPkIVdrQg^Sd39>Txw&A^10`6gL8viY8dJtxaCIIcRS2M0=;b=LI#L+$@
zH_C@Fy^ys6X}H(1vh|JP2Ui6d$%_tfQe%${B8Vk^_AN;5y`+?3EZ>QKK^(b_k8SmC
z6eeTwlv!90S<Z{dQ#$uJ5fO<s$2$_hD<&2+C&Zj)4<o$cbn3(eKqL*9j-&)4GQH3y
zWJfsB!q^p82x(YqO$ym-$%TPd@tORjwteh2$VlkBjBju6Er4AD69(P<HE>((plLIi
zN2{$*kHv9Jl95t66kM9e=iErTkQ$Zxw!R6>F|{dLJSN@ccl%x*<K!)%c`glZD5bH+
zIh)=%Q3N3&f{F~#fz}yZ;f}H#8g2QJv+Q8}#<Qq<3n<vVnlP6UY;XTA@<l0b2XNW7
zOr{M)7`0%z{D(rpCXXb9!IK(bq>w1f_szJ>1?Mz?VkMlSx3xCI&RQ!W+XBPeiuURH
zK2ereYBf;*CV#+^k}j7nLnJv@S$^NmOhat&_i@7eA&fBy*-<PPdIC8m6H7cg<xgzN
zhTS}@53~l$aP2eG`NNE<Di!}M?O2Ht;y=mN*DjBiOg5s_2Z!uM=@k;{@;DO3#q2hk
zD6y!)L#Z(OgVdn0CG<D(rlt%R#c8InA6ysi)IAGbqJwLqV{k429T(|gH|vxuRFj5N
z!G5CDhtWQDJKdb&m0ABQT94v?q5s<ep`Ad_!JN$gL3_Itxv%{_YVPq=XrViVFU-X^
z?zKe;(Qg1x<`(^TtIv@K1X_={8mWEPn*!`n9#@?l|Dg<s7NK2#R*Mu#{&X6@s_t=`
z^a#&8+a72Ha{HY@XdgP2Ucjt4hEh1hdXir{-f)+D5-S`lD19trw8WmfloA1d^QvpF
zHeKMWH$KN1Gd|(cFX0JbIYe%H#p>PMXHxAJ%KYu|`KPr%Q)`#R%{+*Eed#f3$oR0)
z`GA--hw1M)2&HQ#YJFnj_El?Jcc5bZ0}gRuA9<av;lY;p!w{4<_=zSRTNiKU?e6A9
zYZckH48+^}p(UhZZNAcly1n!y@nKtsiaUY(S85&h;ExT`qvn6%S+oJj%RJ`ZQr~^t
z?Nagkw;weAqSpeJ&dK;q)*11a7gaOGI?mzQDt+!-pI!}hgmkIp1#a*v7{_<>FOMxX
z(XRx{;tZambdBR8EG4WbC#2iP$E3H|pSLRtSm*t^Tz5!HM!4gB?48up!-Sc_=+P2q
zqxTX-)*Z!5xJnq$dq>AKnAjgUFG~q0aZy8RIdVsh2aV+HNoUq<wx09wa_3;p?`<i=
z>S(hvpPTaV%0}e*2(2ha#`*<#F)#-)1dxN3zZw5GVAYq`<4&eaQ(PJb;q1aCO&yqD
z3CV5D?34le-v+8lp(xb3j9TcqwTr|G#Sth?<Tj|muedcy9x|D~czSF6@54nICk$qv
zWS?f0RV!_q!nEiX$M18OObaT!f7$`RCg&7=Y-=VMvPhTn0VDoshX?l?NocdhNY<h?
ziXSGVrT+PSVDUTQONQg-$gIT|m~<4ax&7*;C^Gn&Nmis>R(b$yfSq--oLH?G3d(Op
zDPr>Saapk)TkBnBUabBIhU*%(&ey{=w#Xh=F0Tq&2OYZKw;qb?^B|?@dVieUcMOHp
z(Yj}71dJVMu@CfByep>0wf#l$f@Xsot$Z;dM+RbWDY9HZjfvXuzb9FBaHw5l)M3!5
z((LRq2UA4hzrv`H`rsUe(}5Pvt&$0B>h#@hY&84A9oOcjSHU^^fJy2Ywbd(|CXwU0
zQ#*wX)ra{9dh}r`VLf{PDgFKFE67tk@I8Tl7f<`edTsx2RG-qSUMXi&7KR@!DhVf@
z|AxL?-cq{^T0t$M%oE<aQwql#Rj-nF@n?L;4Br!Aw<F???tP9_XvmaTo_>4%Inm!2
zyQQ;$1-KI978;D#Xcp0X;a4yAO7^V=%kPa#W3kpbiWRRbLCCw{bA2vVEydS*b>cCj
zsh9f&fs>sgra2%|NIIlxyLQ=$&~Ax)Xm&DKulEoW9rg|qMnPq)(f$(<QX;PeCg;&3
zhrgq6%4J85K;cEfYezFG^FhJ^Mk70nETZyMI|giZ8|O{Xg!GZ)Ywu4EBqftI6H<Oz
zl<QR&XP9!IghuJ(DH=YIaLXH%y8ClByEf|TcFw6P^(~sws#xu)eRk<E<q_S@tGw(5
z6I{W}&>$1EKUKFmO{SIOBo^utiHtOG`4!_~E42HEcC&hhjCbTl8c}ds0L#!6$5@g`
z4&XbyU59H3FLFMgfkZUjo{3F3C4Ub0SWl~aJXn8n2@HbS1oQrpqmFGYU8bK0K{9J(
zmPC5YJI!8i--pxhHG5VOleQgT@RB$9*Dz0h@Ow4)Hfrfi#rU=NVvmn80#D&PDI#j4
z&X}+!<n3bS2RZ(tc<ZnC4%48+yP`N;8THas^M7BewQgs6Z>}!(Gg_Sg=AWos6v6$Z
z#9UOti{%HmMHh(ajr#L)<i5*6V=fk_Hjz~VdxWw+ReQ42D9Y=(a7HQ;duu9J0#oRI
zq6D6<CCpdRc{=I4r&%P|o>PSL@PTG=XhEeDQ#$%TB^MjYqYY6y7~xtX#_JRcrAJ!B
zDN<Vp{=eF1$P$s3@!j?lSh9{C_?vH4rpTX5qdt@1bJ(gwm_bkmlf#Nj&q^1Wgj2+S
zDA%cAL5ataR$x28lNoHU`Zxc>&j|VdP<sBn)JaF-byJzC1EG`5lU!~jt0;6~EF`%p
z+1g4W)wT}6ExVx*3BsX%L!ubVQSRHJWNms6>{yPyROukvR{4yBrIJ-7@04VyswOV{
z(S9v6dYs;xCYr}!`a}GZXK{lTtLc4k7XTBN7oO;=EweZ^hlISJ<W6I+;dh+M6#nsp
zx94kJ0D<Rb9%y$ZkI#K6wuv-`mz;c@V?*RZ62Ug04;dvZ{PRm0*oa9|gwv`unpCSg
zDADyS<r0XfTITY}$_ff<ankm_@;{GSgvB^dUkb6T8$+Fq9#0}lHsMvY;kMbUi3+op
zV-6I;M+uDhtKfE~moqTXysmR@gHIK7P9mz?fapR!W3rwPmL8jGKNo5h%yu_gc9@{P
zH+2!$JGvnPlZ^JyG-lyo`Nh%V`9%5lD>NH4GRZGGG_)*hm3}V!<NU@T6D;}TF7;v&
z7814wqvbYeo>B@<%D!bnXO71bw=cclv37tHME7VOEYuX5B$%AWm5wk#iN2_nf~zwC
zRDY`%ysc+fs~ycDOm!*o<NHPBD>qsNnFNZW;|+rvB5^l4NIy!CV(B$1&rj$enMBp}
zB~lN|-oNvr;11CwkfPhLcA1R(a^|9F+t5-C2>_$qjHg{=>@XKIInKOZ)3Pys^m{S5
z2$wli&9*g(8(e4n@Vm#+rHc-!qel+a#H0J23zuG7*-H9Y;Kj{d)2bZXuF>F8Dv)zN
zirXM=DM2XLf!3DHukv=S_fF%i`7vOhMkd6>53+6$;l5O*y189a4{=G5ovt%gP(mnX
zZ#>1UG(^8BwhD0+*$|-&A4;U`$vD(F`rr+`%*{0JqKe4w99djkERg0&h%9Yz?43Lo
zfPFTGo=R^2(SJtQh)}f5+6~jpfqHpZrwmmkOcCye<Ee8~`##$h6PQpLWFXm?;J)@M
z;!d1_>`N1QfSdVNG*^P?*<B|M7p<xzX7+=9)72Op#y+W<avtdt1G^S-U-_FJ8s@E-
z+;X*VV+a#ne^*Vf&t%ZH$>R+^9a1xGB|c#Kbmjc`K#%(>sr^iJMOGEBn5w>phAKBX
zFC#5v1vrr@Xvl+A$f!vcR<wGyBziW*K;N|9d2?x+dw;n09P%eC&gHVvXtHK$#cvyb
zjYefi4g1E}=6enKN-XViNglfgoaZ>z<LGok`CJN?H(~Ih)my&8T5#!rp<&6}Hnus8
zcln`uIIqE?+NlM8EoO6jIVt~R%p+rt!p^+(dw#cVpXC#Dsn`CKZRcIb`o4XxHc(qF
z$b0E{9q#wZo6DsvZol^#z-gx8^o7UM4RGu1Wi)ush%TvUk*K%Do%&dgzn0xTS(Egc
z=^)3FCo{VJgQ{=qHJ8cgTF%>X+j-X<`@_Vm3~x2KeR@ZU^ksg)Vdz?N<eNeJAs94s
zqV&(#=%jvGS-~9gY$R4-L?(Ak$#na2BW!wBzWliM0WY7e)}Y$j)Ko2_Y_-js`yo%#
zzxdw(XpQlQTj}s>6QTIL8q5ayUJlcvH`wd?etFO0bA#zgx#4B!!;vl?2@GJidSAJg
zX3_L8@mf^b-pGagAc{je{6b-d*6jP7({~+`h?=px{WQ_vjAAKSE<8?hx1iY+|7AP_
z=Y{*ki4K=MZj9Q^7tt;Z2P3zy_dg3N_42_<rh-#rKvc=z8xCl&8Yl$#goYgvd)5R~
zqS*mnX-9v@_SPBIsT$)K$ptvW3ljbJD9?hoTZQaZ1ss1&PE}p;FpsWIcSfURM%EB{
zOmVB#C5^ST_bS-gO-VZQtuQA=L49Pi=M4!0Ynw|BCAk>GqeTI4lm)BT^wlZU+f-Xh
z-!+4wVcu>AY(DFl)LhZ&*2z`d26UyzXH2$prB+K8)`z1%_Xp(9L>jqlx*(Zes^ogX
z%Dsa|a3nL(A%*H;zOR*jH&V+sQ$Z>c%Zt2w=X=HVkC#ainiIAn<9t$N9v(7P3tXah
z9enH4mDP^7A-c`q%GH;G@)?)DwxvM(4GBjQ7wnu%LBM3zj>9)vi=qWyHD>xwS<SOR
z?e24$Y-0#IwMmTCOK3K7i_NDtRuQ=C7&0i4_jA&YkuMg7{>9H#os}6oXBxu@PH@oc
zK1qp2J6EQ7TmO`te%6Sz-`grCt4{ejelkIyd)~sAcne<tSfelYiz<j$PGOW@+i+_!
zj>#y8Z)%*>Y{WdG^x3rZyQVUlHN*pGoBAi%2VBcjPx%UMKuLSn^yA2A%U!2*k4`61
z=!V7$6A`|_@XIM>C*%OMkX$KbIt|Kc)?<{2`InnUUEtQcc5X}qS&PA_(feS(MuRtu
z7z?#ZaHK>V4L}<}@Z_%<^ZbV*t3P^qEJKx;L4B3!ayCpA(4=TD!h)U0+PVx_i!vbo
zqLNqF)MW0j$fXl@QINb@%cgZdc|*g>WF5|gl-Tf}ll{H|3;Ou8cqPJ`)V0VFgK5+g
ze7cHxh*rPL%Q5&ay^ey{3A4OkTv?5kDF?SiliSZiHT))g-^cAOxc@#bQINSgTKs+@
zb$aPYH7+(<#6tf{xG{zSpr+yNJ5`%@?*R?Nw(~ZGuT@DbHrp6OK<*bH?KQg*E!T0-
ziMGQxf5xu*ZK%{=<30;oB~^a7adYe9B6;(FC^9h~Y-rVp#m4p~^ZnNPSQaC;Q<7qg
zbtKjRkaYO*cu?$m!_HDPNOb7PhCvb7#Jpzm^zpc6h}<epu~xRg{~E_ipX6?=eb1H_
zZ#619PTQLH7J;cR6f0ZI|7#+mza~%RzJ2CXt3YUC4}{JwVP7#c1lBD$vfd^5uUd)+
z-qg0%-P+?km!GAZRA`<t)Iyw3?wvwXKvR<8c-SUVeQq2;PyT$EdXl~jk(nP8{AJ0X
z-9WZ0GO`9?v>A+aQ!hC_B0Q4--pws~<~=whJbb1>ip7z4?T>l<QVsMjJ=<?PDJrBR
zJ9%&E>=ycoYRve;1TN^Q92hNb9XYSn3XSxCJ?7iX>MJvMF_ofz5HDMTyU4RXy_%{7
z8u<B=U>!h~7ZSzywZ-=nh5wh4|1p!4+?v(e%(t))<(!H=e=&Z*nHkTJMsnngl^JU^
zk`+5UUgJUDp^!P$@iy8>Uzapxe-`U?u$o28J7N?zEA_v5sVF-S1uX+|8=h~N8ZTj+
z=VsQ=Gi0{)kE<jPXb2>&$26qV14-*tLF+M+`#%Qaop<i~V<Pms$vm1}gIv8Cdbr3t
z-0R~icShlT2^Y*?^wa19nMM!>;h23iRJ9><n-M3;i8dtd3D~8B7zWVq_@5rUk=p}j
zC3aB&3JS_A1Ug_RHe@u@C77mR111$zdM?Jcv+9JT^~$|0HgQ&<3lH_5N|VCp#Lkq!
zPHgdL*PmviyiUUnXBcL<@EbZ)OElk;Fse9c2?zPBVk!lBCs{O)Et#Zq$;J4_8kAa6
zXJBXbQx?I2-M&Mw312Exw!!)svFz_6rTquQ>yfzrXNb-t%|tb+a6$Y5=w76C5}I5Y
zI=0(TyMmDfZD?xIIc!mb!TT#f*ht8f41F2ezwW%@i8+l%_9n)PGNDiM#Vv_t2%gY3
zi`FUzyee!nK_O;hgZWjm&_i{DV5{?2$q|!9%n}D!!NvKko`ac+l>7&S+a!wgz7PH{
zO|>)H|8qrjzI@03JatX~v)p*ESbR=HbpD6JX5p22aw@t0X9JjDEmtl0ide-pJGv^+
zzFFKJf<C!W9t>5pne3-P!#D6|a3JLm+h-sdrnj)v-247sv##Oc*%$UR3%v6yK=R4&
zKa{=QrHS2LM4<FH2mX@JP00#oZr@_8Ha-m~x?JMt$8K?mBt(74g}Z}pj-#z&YWtp-
zasD-(>6(BHbT2b9iL#&BG)(eNY*hHuF8(%nOfxt2bH9v``G5Z-?kSv3fHF<urmK{g
zg{#C&G5{+!iRl2Rc7}|B#^gRak5GR0U5#0)43}v4@y+C_2P-|%vxY52SJ5}-H7yMI
z1M)K9v4SWvbWPd_RnzuO_9K#b-?2yq!oB2&?mh2PRbCI;YQr1T0q!2Aa7NiqBx2p}
zv}T;FNU2+y!+;M@BSQ0gyq<BbrL+wyrmb?KKp%UUGAW@Vy^J+2&^A)$#r<Ao$XA;T
z$uJTJQXyPlYIJsX!%r*&#9v1bNHgBpwnh+k&Q|AgQo*r9&qS>*L|i&vJG_bw8>+`u
z`A+u|rm6=2_kjJsBKQAah84l9^upT#|Ijj+Px``S$JHvb$ruSwzc2>+F*F~JTfJ#p
zfde|2vv399%I2D^DJ}}Br+cWV>dlaP7I>^;Nn2=W+pIFu1bpB!gV^#i>U$q6Q8(0O
zOp81_;BsMd9&>oD<`rM6=ZTPazeaWx`Uril)8+1%{tu<8&@t-gL!9)DDlVb<pRin~
zvKh*~SoS~B8&qS=IfpyIU3yB}ZO~CxkZq!j&(4dawZ-EEA>G1WZRcKy^Q#O#xI=yG
z?9w>%wE=zv6JD=(OP4_OiSAanklMe1;?^Yp=5}<u_aaHUw{D9gu^#kCtWSz86ht?(
zFM&X3#=OV5sC1+AFT4<U=UJUiO_#Q?JIWa2BRlNo2B1SslA4`#_c?{Qh1;%)ZSYX(
z@YR^f3te@AQKHUmeng#uK-MgOSpJ6bPl8B7@5_M7xEB$`W)ZT+brH6<vGbQsPMEf_
zrb>ssyE~03kFQl02B8GKMtr8a3NvX&_@_S-@8`OsH(N~WQcpJ;+WQ_Yzs+%Q*7?|6
zu*sBXVI10#d3SAm^rwt&X^7>t7*#IwF$7EaD&9rdBfsuX^xhrD{@!bGr>pOn&;4w5
z_Uh~|sI(H#c<kX-Ol#iAoU&?*Iwx*pYn*Gn%<&KQnn9T;ws?nv@AU%d@g2AN8NZ%=
zwSDDFE1w?HAiBn}iCY$R$jFaP`pf5nq$f6JvMntP%c7C#Z|v{-el6}xHtR$Wr-yur
zX&@0cf$!OxEev*5urD{88x_7U{meqZ6CVdsmth#Y?f_;Jq~}l7|A`b;0^lCqMcPv1
zXp>A-3zTRWK$^Z)eu>ki%BJHm71fVQMo!#t#WX*8dYo`Jh}PKX`TX5z5$>fo4DE7E
z>8M!jd_l_)>Vnm4i`)!8*TdUNAA~O6dm2N+S#7?)bE=&SU#XtuXT;==&*jFlx=swf
z-daAFnCjz6CLdtTNHq=1Wyy1z*q<@M;9iAYa_I>q?YG2~S(?`J6Ij@qi{FO|PpfE0
zu*9iF5}SXP@u+nABwf4elMrRUc)ZxFZ6<eAeNTm-G{5-d;v4mix|Di?OQy(sRm8{Z
zQ^4((nNCa>>$Mzz&F<i<vS`ToRl?=HK%1j;CsNMP+>$1OE>GE&^yyHh*+|p}AQ@*X
zS|0jYF{Tuz)^yzMgzOgEGp7lKF-~7wN+79Mhz`?J!resg1SH17B))k&#FvX-6U5AU
z*ws|4fo`-plg6>z7E}FR72mfsY{5-6aSugMnFS6U-9AaEtlpVJgmQCcXf2>UegOXE
zZ;c!>dn(u&Yukppg3?U%Q)cw7hAkj#Vb4Q;w2ian&dpTKNGgIa+Fa*fPpL}B#Y>nf
z9pYwQul$YB{@IFjssb)?eGB^ry(fZq%)Qhb-8yc*7x>#o-E$UGXXwYNvj52AqJm_U
zNOT-hFAD{`t8jmve_H2z3n^=F)_-Kek>%pF?evie8@EVmg`9HY3!cxqU{v?GNCkN-
z>^A^pAufKXyr5Vq$`FUy#<#SorxQu^b)>4qhNez=k&VF3l}y|-HUn-_<*O*j(pFp)
z6=!<quY_H{EaO`s%_ewch4;&hD67xqGg2@+p6t5LQB`XA@CVKwv$-k_U&ghgCa~7?
zM>&gS45#c~s!ec#$Wdwom#@mu&O-K~i1F8->|`mvYEn~mT%kncYHv(XOJ7pKTG7s@
z$27?)#C^A<F+m(}>*$nZ%_)EfX}u|h$JA+cQ@7%a7eO?8rf}8GN*VVwqga=;s;`}2
zs%~Fz8!%@n%v#U028+wNw3!#lfb+$O)H=6#2E?7V$m9+8>p2Qb<64*l|EZ+xI$jPh
z3srqs6I7!ZlXDH$hRjNt;xPIDP18M3iLQd>ZchotT8v;FM<ieJE`jhcGX=&Bm>Zxe
z4>;<cx&mljgYAu(Oi##fdabAM0+1**S>6XICzMDNWJ@ML<+%omqz@awI{Pt_orzr%
zS9Yt4TkY_YUErHDO@3CC_P^}Uyou7Te|0*3-65;2Biyh&KRh}0HG%HkTO!YfI$QxG
z>~Z4D?%ccc2!YfUGo)~J_HSA!u^^W%=b`U^C?tZ%a9imp<mk}&jFVyRw@>e_cCmhz
zpNc&$@hr65_bgc7yObJ=0Qj6|KDNp0$c-fBwYC8g4c68HhD#7}mS3IuqTa(zdM(kY
zKb93{z+D?^-yUy1I5pMy-VB0IC#nhUc@Wj9-+Uv5mvg5bT{ajqvs+hvq#N0t(@$^H
z1Rrhl-hjeY?Ga!s%EUl&3+lGgT!VEyxZdfA<jqc=`&N>QiGg62V;X%qqL-{x?Oh5@
z_tUWgkyvoI`UD~}$GZLV*J)gv03>McoZ3Xj-K?{`sw8{^I6%bAqerGM4lw(xUaiqy
zT_%GXf(}zic6JVp&SnS&+YG%^afs&{Ej1)P^1XEutPPBcHZPh}E4!}9hkw~gAPdSK
zMBuPbC!`3M=yRpm(64BP(DrsFRMD33bKVE~BZQe)GLA=qG&5YR<#5^RHRkxH6c>B#
zoK_!j>)<DYvuEdkG)W~(f#$k%8X4J0MeLG<Z!H4Vt4@h&i?d4*#Im|MF@@&WWU^(e
z^xiY7w?DM1Er$KhN4m^Zobw=iu&*0fB@^2nDw$)DN<)BZt-&@A87Cm5v}BRA$o#^>
z)p)A*R0!5x95z^=CBxgtuS^OZFXM}~fc)s6W4=Cv8{n0>5};Q(z@Jw7x4b+nnt!#1
zy#MU;ruoRap910`giB+0gf6>+m>zoHI0&j2(dnx*)zF2#DDxJ(=CXDXH;$P#nq+(w
z2dSL^%B{6U9Ay+bwQe18pv9;Br4x*MBe-2xT~5iBP5+^+?WR)Ik4`z;jJ#nY_V`(9
z(?hJ~uDnCPu|Qkm?MHaN3_pJ?*XP-|zsOzat{=LAdykCTPo^yyXYTNn?ntY?TVnB*
zPI17TBB8y&+h`UZ`zN=I+JXE$kWzi`a?jKIBe5yQ|01)$N2WyVbPJElLWWD@^z~`O
zs)C%slJ*md7!h%R@(o@#ImU9+Ip5nqzH0$2u$6|(2|~d7GqdU@iL-|Z^Kc%2dLGzZ
zgt)C1kYz!tk^}6D9X(H}r_x;zNhB;~Pee=w{Ce};X7`8mALhTK=hT0X{|G+)_`C7=
zg^r^4dF;{cZ`S1}rrF2OZ2z+Md-%-$njIgQ>Fw_&X}E%pwF3Q5$n}R4`zQ47;s4m$
z>nXQ)M-DTD{_3`06Nt(TFZBK^j2zv*er6p1-29N7$7L<X4IV*gwldqF+D~iMw*xjt
zrcx{+fi7q1oTi7zfccZ@f~KNzT0VpJd2;_+$A<7@o5{Z4tUekqBo-3{filQLUf$HW
z_-Z_?MoI+AB5fj3#g1_*g-piyb;FcK+u`iq<~{4Z-~Vu$rTK}NEaI%ywVK;*WN02(
zkl<wWR#9`ca$6J-XK`^Fp>gFA=4((p$`$?}$|<{yQltM`-H_7qyQQ9a5e|`kw+whT
zD1-4x-A4FL8DeDPL%M9EuJCDr(a$kB@iF)t{MXO~Fymj6O_q*sb$l_=&-T5EZr-#~
zYK=eNNFsf|+;z|JStkNB9+X#t)OSoP#bO@l^!_T-ex|2)T)L%HF0(h_fzBAA%Khq_
z3%?rBkH3Fa9)>w$V;65TpmsfgdNe`bkf>7;u>S@4;Z1E=_|-~i`#u$Uww*!Vb|{yV
zDx(WCv3Vy53SqfSs1CO<BgGv-T%;1pI<*D8hKQxIr_#i1PVbO3?Y#oMlCzon-R;vw
zV-sh!R4a;ySU;&d@8f9U*{BgAoJpQuLp_41SZ=7k$dSYHe`5D1dkt@1DIX{9dcVlj
z(pq+HtDlQK)u>xuWhAaBU9dav6UC)82?*lS${NK_XofH`OUD3=uu?=t`2#8i(nY+i
zncI=u7Pl$7)xUNdS{?yY{CkzMT>z`($)DGGb~K2^7^`z=7b|MMqo$0dWmzE_|GPuw
zx2uOo=kfd!<&+#>GnViE;)ijm^0%!b6C@2+TBB^;c*Ytbz>2)e3Rwlc^NSE?I6;;^
z-re}jezD+7bquN*FE|+s{f!qbm;j+st=(&~&bJG{TB4+`c@e^AZlZIB$@>q8m{9b{
zmwbrlTVPHgKE2Qr)R7-6{e7Uvt^>S~ZVMl;Bt6ks!d*A`QeOe1=?N+O_$<YrSMYDa
z#mc*eC<5A9vUJT^3h&+`S~RybMn^aaH{fdY1pL`SC%HV=Q<l6AcsH13XGgL~^To~8
z!gA14uliY3lLY%d0LcaLyl|*CSQV=fT&HRK>3dUSZ3a{~MsyfVq5jF^jP!QmPELgA
zjQH^d)!LM(pLPeTo__P6QMcXC0zkvB=yEb^&Om>6&S}x!_g?qd8@y!hFjlTxr=1|6
z)SW+p(DQ#N%v3}Vcgg>uoP4e}oId>zCHO=C%C^xLKiM}w10K1qlEzq`+it(S{WthL
zaq}OF&nJ?d|4?37e!D?YPb&>Sa!dtAF@6ywvwVq5`xwYB4^L3Jp5SIn&x+*a+TYr{
zS^Z5h$v-NOx)3<SInUiNrPkDM&t~2Q)cEyK)`%!aOnIfSQZ8oDMB<jWq?CmTnFM?q
zYz>6Xnx$DC)vsPmpl%uqR_i)c%^CciBFjJ4Yq@l+(Vv^|Pzi5bH^Z3jd*N1r$g#Ip
zC&Se@r<VUeq`$5QW@w=E*AK)sV$M8ks7^`R5Eio3Z+1GRAtU$Hob{943kn#HifP?5
z=$ZNsl=DGK%JHC}o`H|Wbu^5xCce-vAOBj)bVUK0p2!^oQ4ERr?@O@87J*Onw#xB^
zWqr0~<G%b%XJ@z`Sr_9G9h7U0y`)pw$_amoIl^-U7U)cB77%PqO!Dp-(54i5K+s^`
zwp=TXDsL#n3|-ei*M&UfvON7Nu$P^K6$t|j>Cy9u(%=}3mOjQ%a+)~!X-kj(j1Lfj
z`mgCM*@w?fr1ufH)tR1os`FCX$p#76HAYo})7bao6TcR6+m=nOfq%8wj>K41pfv@o
zcV%`KPuZ&Km-B!%dLCWt2$!OTbFD<wE)j&mO7*P+iH=$b!@jLk(Vs8=ZuL%`F)J^%
z2Dh#1FL61S41hCnn5>9O&2XDkq&@4MXG7%hB`|X-`IAFmimhddFZgunYh)*5@QTs-
z1?zoFZc6!zvm!JAbC4pzYWbM}AgzWtz4WV#H)Dy^PywyQQbPic@lOp?C54aQk}##<
zed+#b)82tzO3lQEb>=Fx^?EC(m@c*pRxxCSAR3xt@7C+wa)(3Z*o}KK&$5MO!uRYD
zlQEswCU&+aXpvivdzs3guaE%^t?aFMrh``N7l_<{lc;$HTb)h%xW92Pl6hgx_7~0m
z08$F48I)S8H_{f<cb3tY6nb@O48x}%y06?s{-U&Il(wo|tv6Vh0hL`7Tvr>7%e+PP
zbloAwrK~|Vc7^ry%&qxyD=+urC@fJs^cxGRH&^8eb4mba3S{Fw_nkXc8ttG{)ye!4
zs+TMgA(&WEZH5J{DOdV?cD^SPwRDiZGz)P(f!me8&i&PBarFC7D6aK@qiUbzl+!)D
zb|EFpS1}QXt0sqvmhR}mTME@C#7g|}tX^3DX&eelcyCI%*Ql+-=E|kHkoz+qeO4tf
zmm_ohkjOM6|Gda_iEd_6PK5y{ncer0bWFrN<(=us#{hj}*j;d)bun}HaM-lh76sEU
zerNoahjHZ(m-qb9ZRN|)Kqz+4Y3F^G*7*;bnDglFuPTr?_70mvt8WJQd<)X&U$3&*
zJyQCfjc*k<dFrD*MZ}O*5eZR>PoKH0bnD6E#20vBzO$<j4a>9wVym$#)2@Lz!ls3P
z?Me$;Cx}>VK9$Ol(El|qsvgE3C--sfi|j=)7Q;Kg5WvSg)F`yEvGr)_W!JNcD<0#i
zfuRn`%S?%aY|WkFSygw47g7aljpco&X+ZlI5PO^4NyOG<p7VRhT^!+oGqI!-o~LhS
z*&^B&9{{$Pwz9F#E1JYV$QhJt1VzRWhWUY|y?k@Oc*wCdL{&tk-MvU-rh_ufQ(|9#
zrB^@QLxeR391VX&<{McONY}=n57$j9QU3Omph}jSJ6jfCBWYsncXY7Czr-Z}mKuQf
zuX^63>(I7kPD+EieaPkjI;j=*h9HAUaQ?g67y%;yfNH0m5Kn)KYmaBXs?IC$m=#zq
z#ub!SCX843qhwUI4MK!>|3<@Q#ee&2iU!$(Oqx-hj1}ssHe-7G_<s7d#uaZ~`p_H(
zvcniS#CH60ztm-N+%krNq)@Bez6z{p&TG1_n8<NXxnOX2`xhDhV>Y!YJ^?ln_}Yg6
zO2c^Ssd5OAJS6O|M5(OL#5PTQZ!GgR?|!!Eed1|?w=Igo<MhIS5XTGNLGruY357&5
zYQ*$NllREKDJE)VHvyL@9h#eLK7KWA%7}#-Yz(*8qr<#0hk<|__Qp)L(Sg7jN=ST!
zGAFpc&KCFeSgYDhq0GUFxqjs#2%3jvu8|h3VCK=XrMa&+)5}b~Jo=vNAZ!O0X%zu<
zy>JAx{<gK<$3HI@<Ih_M{&{=9kMr}2_ssN<k4TItVrityv#g1}1)y!rjm3!qyKrJ<
z=)VEz`oC+9RKHGeU!;Dy5<#~&{$-FwvyokRelv*0p8W~>vh|D};nKaqZcj~1S-{cs
zofyQ17h?zec03}mN711+pkw@XMi)r3BmC4u-lcC-K^W8Hq=_eF3dbB4b059%x+R7D
zco@fv5GiJXW{vAz0LM~dva3B%%EGd@bmHdx8<jj(h?j+mIFni|yc55E2G3WF3W~2Q
zeYLw3VahcOH9(v!XbmaJ-;~FCF|!c{&FD`=3G&1@m5X>N0Ar+Y*l6`8Gm~O|cPWR5
zGXHc_)8QMLI;g&D1bA}fO*&cRxJhUFJ?Q6>BGgIF3JsX$M-RPDd6KhgfI&ccHY`(~
z#P;qa<_DU;fYLgjaU`S|mM-EEJv_RWor8h@mQ%&PtS=>%Ua7kJ^=KXqrOYDbICV#T
zs=4hI?{DC_SOA*F$pg$<OzLm>df%Bb6ZV?7YRw)%-OR6(sj|Jh7RP+v$%Zn+|M7P(
zHrv)}QLOjggM1Y4=qOvO;VIms*478iIv8}Jg9(iNXHn8ChS67v9Vc7Nkit!Rp&bRT
z4hwgWd(hdIvtqXL<p1nPXrDv6I41fZ3S~>=myQq3WPFNd)d}1$JMJ*7=;{NyWsu0g
zc4S)evN36kcIFq(B7_kCg_%6&<X5kB-e+P~iHvZ8*Hk5#10C_(sz?e_Wc**XUNASy
zK9`r~+qbl_TvJ}GyT@zZn(X<^Ct&qT6^Ny8>HZJycGGy9iKMY6*4Pw@=Frq5;?WzO
z8~`P3+s*hgsHej_0B=m8=6sD?i)-nM77mzbDXh}8+RmSFblvISABRV{ShJXR9%>5X
z+(4_TmP#8HB;Zn12R#oBv2jsutFW2GbsSG9?E?*6hm~3E2tfV(UXt@eM{!dDHhIq!
znX{y%3HxlOnWoj+Dz>Fu4P(Dq7gchMR1TbY#dlY^&fI_=Bc%dBm>D`&PfE^1++(Q`
zScYl=`a6VGg6F(<DB?M<C*ngY1lB{D?EG{{j$5MFdg1!FcKq8q`0Kk0{)W{vhNdvP
z1wNyS6PvaiEkxt#W_ID3frHmXk^5-}0|{+QiB9#8dnurOoP<dF{!ASft)`$`mb2}?
za^s=>bp;KPc!{Wxl+6~(AY)6!N%CeDG}ETSQs4hj5Zi;Y-gNye{$`|T%%7{VTtjrb
z^l6wV!{S{xEX0v5@v_Z&+VvGQxRr>sHg%D9j(bDr1HFH{0C=#?!!#uRGhMAV=gpFJ
zu>TqLF0z)W+*1(B!ELI<pSsU+qcY`LGdruP)bMB+_zXFDa&Yt4tGcwV?tuCqy6lv<
z%pSfHZmhO5(mP_daCqHeEezT%r1P1^69W3ye5`8^(~z%QWH~vYT;1?Rew+YiNtGp&
z&}wqS3ec^pMfn<RWSy9mwrU5SItGmT4yDmFDW2^reV>a`_}8Qux9qVISwykPJri9I
z4>O4PDNxudNopdzna_vCa7)Q17xnbkWPZx?_*ja%E9(U}PIA*c?8cDb-+#c8v0uF^
z*q2|C!M;Kbf0Je}ST&W~{2_iDW{OSK2GLUS8lwd1M=X#0DpcUe(i*ARv&>!|xy(a|
z9@yBqrK9OPVKXT^7OU;^%mzk(W74*DYi->qo;|GM!Bd8|Ca7QB1TfM)S}g!l=MW%s
z+83chOG=jhaD3I&5|&i`7<3lvx8Ly9GdoxR$%CwJG%Z4`J~sYV;WOG*us?YF-3Uix
zyDmgqYB(W&Hg5YYKJnaMi?wt{kOCcZDVb=UNEp`%m2s%WMVI>LLR~9si*nf`odfEr
z<i%-jj_|+=tORl{{H{sfdd#yT8&$fN_qACbz?>(kbuwsL3xjeHEXn&5#aCL}W?Q4L
z+mJEKz*t81j~tpa2ZSvBn?xFe^YU-iK^Aqu-@~UQI;Pr4k|WvT5{jL_jb8TjK~${&
zI1Uxlv`pKFVnwA?NB8|CDnn~Ik^lqK1K0N@_}ydn%(EqXOM<uRIHsgY>Ex+*#$HsU
zPMhCiKfHa(s2UGgggk_#!w+S7u(e}&P9^riJ!OG5S4f^g3*QabH9pfLcSn(BBPo4Y
z4*q0)tC=F8*QiCRK(w_7o)3o-3FNlt#0?kaP%IkLFWztR?>2s9+3lUEYwzp~TG7(-
z;*9hk7uiS4EO5=jwYFCCVbDZvs&5@kpUeDR;%B2X&#~N4QBB+qgqn|hJb&_dND;}W
zzEzv^CR~oQWmq=agm9@;asULsn+!o|bB!V+6S;pleE8tRDB*t*p<PRfIa*7@mg;yx
z7htuJ6?1MfWpD-B#QLakpE*(3V{crqvs!B7LtXa3MdoUAARYcaXB%h8&aRP<5OGZ{
zZvEwaLKdK>C`M}CD0~y7**PvRP!-6B6{94msJ<5;_iJM=#AhsyaxXrT?fv3bg5X>F
z5^l+k(hLp<hf(u@quvQH$dGv-p)?>_G}8RcX=Sv#LTznl5HJ)^#?{naUTEj5B9q%H
z1Fdjw9B}+!JudJ6rydu%!2FN%ra;q%eWiNCkhPu*iwO&Ta6?Ju0(ldQ<#U@!wDS<P
zHa~T#j|rw6BhbuRRhZR;<GbrUjjw|hhneJ<1AM`Nzsc;J{WPORe^*EoJ*6IVo+lDi
zLN5Unag-~1LmRG*OQ|MLw4XnZB$s)78R5DeP`=hYe5>Bz=2PSN^sh9)yFD!QH;?JS
zZM6$fz1|GBb4tiQ`%#StellYL)HZzI?oO7IgR?%W_)8;A8aUh|l2wsEZTUtLJ;!RG
z6xR;CuL=zwgxUpF8|Hn*nS$B978%}-V6RI)?XDVLa&Pn#s=lmFV{v>eLbcZ5s#yX&
z(MxS5G$_|QFVkSGxO`lBup(X0yjaSOb{KVlhIqA<@VS)CR~B{Y_@Y~lO6*<w6yK@3
zcSZ!};PaW-BN`FwxgV#!JfevmsEGG6kv26MVzz%f_Ftbv@C+NWsd~463P8)iJ>fD3
z5`#n-7RW6x#Q7&l;~IyW#hGUKr=kcYG2^(F4GqESbvvD(`O!QTF{Xv+ap_|5#Ndc)
zq5&FQv_dVMJfedMf?}WE_gDTxIWb-pKD^DQs$Q!s1rc1<b6M$y+#q|Q9Oj&XS8672
zeBW+HKGFscZ?pJp0)tXLWffdZ*D7diwAm6{ypbp3S1aNR3^uhj^d=g{#E=`j5$)7F
zJkKG!d<W4^i?dV7umc>Ln#e|_rF4;W+ht8t?p8t9;ov;(`<Syye6(k=dtP4w8D}u|
zJtyR>Xp-G<8Dg>_*;`^K@SE}lD8iVS4e8Ah9PDO!^)a&Hk>BopT@;QJFQ~TQH&NZa
zm5sh|A&0cd7d!4!c{=AV<&o<aDwBu)Dhvg_rn>Yq?Y^FZUi)jlbmamp@Qdn(6l>E3
zp3d8tRo0f>67=gG>RT2)62C#iet3hHzi!Jc8WCjVOOjlA%?0rgDRKL$yzE>79{q=7
zok1%6vM6ME`bf;3k)(ZMck)6%ti}MT#+$>$q#TD4(u`5C7=0sL-xP(0<mEleH{TnI
z7mDMSyjrVEA(^<LqK{*k`%~j*W^1Pl=aQ~Xq61w2lfw_Nk^c!liNWQ8jvI~JHj3V+
z;V#hNGcnOCyDuOInW*zm;(tx3Lch^&=t8@r0c`2P#pT>KrAz8ARu`om;6|SVm2XQS
zF-r5krPr20$&D$my{j)MXhs(8KWt!>QepN^_Zq^*P#<8wvxa*0$v?8>1~R=n&z)Y^
z%!IIgQiA*iQl@LO#p;qBt>JJGs+uC^Ji1*}0DtS9<&)#i&kiLQ-1!{baso9Ei5wI_
z6$66!W3~TMjJ*+^Wh+`03zekR1?rJ1c0ra+0Hw%In3nZ1jEXWv54Dz!DGEu6dui=;
zUg>el@jQdyiHx0YSuyH7Nq_Q2%`mLuADv99S$3{WUeOtgm%$%oBIZN^gde#7+J99r
z$s3e`FQfe4Z+8WF6Ml311>d0D1kiB)?`zb*c~B75{Rf6C-5SN?Cx1}l_uh*AH;CS9
zhY|hX9)30t6<AMtgU79w=8b{iUGW33=hLnX`}13eAFyeEaBpbD0r-5SbC@%B8E%2N
zCktPPTe~}*0(#QVH@;8$>y+6EaG8$u>zV+Z|L8LkaP)}ajghNw{O}8SlOpMY9fvS_
zA$T`;77*bpYr)hxT88eusi;*1_9b$7)F>GqjD8K13lVL~HfJN>zI5J!whx*Thd=Ca
zV@o1Se#YBD+*W{7s9EKc`y2P3ud-{|n87~Au$>sR*Y3uKq+g4|#VCK$c_}oY8(OQV
zjMfcwH}Zhdz%NLM9~RF4zr{nWWLff<xVF7Ne?;h4dMcm=Or7~JCe^1UlEfI*cHAgJ
z<Q?l%yC}RDHtqy@6AA5|HbQ4hrb%YG+1=k=e|mY@mE5QH_yNkf%%kep@z}7nA(Hz_
z#JR`AhDjBAp|B@H+J!ORvsPvYjfCV;|2SDoXXdkZ1VdKT;}1#3uN@r4mn{iSqE9Et
zM7yCuSFQKnqybnMF{bnr4mV6*Bw=REXI2bJPN|i8YaI$`;b4(Tb|YLpp|>F=Cqcsv
zVwQ1pD*=BIJLLu6jBh`@&bXt#+|aFH0y%aqS10MTe6??{Wv!19Pt<UFRcvuK_!v*Q
zXUDIMn>up`(b^2m?@bK<z;f8w4NVARX>>_R31NPj%}N&jvk?-NCk1a<S){I6VfAWd
z^b<4puO%)X-rtXS%$$)1t_fLdWoAf>H&2J({0UG)GJhO1w;hP@(ABZ%wp}YZ3(C_{
z8ZH>0g3usI)K+C%^qB%=M!I@xHwYZpqm1r;V5j{kb@<HxRWXo?w~rg8uI}WY+$eV*
zfw?nT=Y0=i9)Q@bccXwB;MjC+SHK^R%S0+yZ7mcSpIpENMtV8Y37e$i)m&Di@^Br2
z_#Y{(#Hy)#H+5G1Ivad|&P6j13*wa$qUF}@?m8d<!ll(E`cz!wUfV~SM|=|VASt=<
zRTAdt7QbXIb?|Z`dn$`SpZ>ZmRpsR#A`a<3ad366n45=kipQLk)?Pfg6lSEO>!$c&
zWfS6P0Nx2G;l5Uq#}#^4Y@6;FUL(+*r6bo6tZ8q$;xwwfHWU9JN)q6p(P?yF&X#~m
zIeZ`eLfDekAXKB9xzFg3tliu)d{^TUW%&jKY$^e80VW#8N86-~*GLsW1zB8+ZVtET
zymKq(cZ`xG{>cYzQ4<^wn!@%C2y#&)4(VF^#$HP&L3_>trtu7E-Y&r6P0Q8kugjG`
ztrD*imzxqCd8h{GH{Z$Ir%}oZv=p|EY{qLfu+om5pPtrOyn7HIr)QSOU|J`8kPsX&
z&mkeD3RhtX3vhFnHWPxixl~b^(XDY*I`{D`w~>)8Qc7*q+~*lUUuCoxG`2XbA_E(L
zt%z0JF<%E5cv{ncYNh=1+1FPXSIT74S67$w!L!xbLHnm3DV>dQ@7|B}G%THb3(Cpf
zI)(-HUYTKkc+|nL6K_vh(g(VXu+)pmOm3$9Ek>`ZOF;*f)H!doS|_)6BJ-;7%5=^@
zVsHD6k$T<WC?jm#37#)wT<AL|$CjJl>(8)^Fk~c^rS{&ze?0Fkn^L_Y$9)$SZke*9
zo8d=8Gk$-6WTwD_<6_9VUhhbD!6SZJqeQiS4``y35qydTKfVr8=#U>^asx34DB{?+
z1#~-D;Exua(<PFx`;<MD-sPbcRx(063kE_g19VKMD0BmAdvq=<tXsFo_0|+Y#*;*Q
zW~LYy0aQYh!Uw$5#78aM+b;l&e3~qyno8>Dw((lixrOS7F+)zrJo;{e6zO;Wu-Y?8
zXEC<z=dr%X+YGiu+A^R{Wtx3TnLy_1>7rJR30kK$2y<@RY-^L_n6j7x|LIaU)^=*l
z6xkj|n&NK`z9C+6pULBdvv5a8NpXF76B8{J9)`?RjdS|Y{f!~8yp)UUzP9^6l=cPJ
zZH2Wz<28&G)-@N)cq047i78z{8Zu*S6)n&W3MW36rG}n`r2;#7%u{}fCPcrokzM+7
z_7lr=I1kr8oO-@^$*<dj<jVd9=L$}<uom5YKf)2rZW`Z8m5Bo)K@us@bdx_?+ep`*
ze-CvE0i#^w(aKxnQUsg!HtCl&l{+hsHrGcTaiEbQobC<<IHdExAGhu@<WQ0Mt!qfj
zD9_;;G=z0`#wsXtVR}Sy&LAN?>%)ap3Bx^!lPgsSH14H5^}XEAC^0~N>6;ob$XiR%
zs8&iVa%Vw!^a88;RNfoq_D&kXNbm-u|Cah!#|=`;Z*PWzve6iJVTi=Rh@#55j9&g&
zpdy2K)*$smH8?D75B)e2m<1OU6wLEtlV_Nt>J{&N9V*FP-$%fXA?CwdUCy1h#V&+$
zzur!Da$rh32?BYhftJ^n&Dr(CGgTVp=Fv`35Q^N(*@B6)cD7g{XxV!ns}4e#F?o_+
z)6xD+BQ;ikYpGTYH-#r<D#X}5@Y)P63xc8`IHTDWZ;6tgdTM{`zMj1&?RexiuwDk*
zBRa-E#?YmFa)zpByazC#WHBN&!<~B-mhy#^Bfvzn)1peeV9I#;Joe{g#R$rVoA_wP
zw6~%l2I)vvFE*m2gZidiF9)|M3Q-Ad;ea0VOc1F`&FrN-%q_^RRMXb-Rhvkr0)~4L
znum4=7B`ZNul4&IPBE|pOHx4>pBl8Mm;ScNzRIf#uYUJBGq=WgbraH<C#zlES_`Xz
z7jHzsW~{#2@Om#dRj9RHDT;!b>Lvx`69gs}Zgt(@syu^0DMdNu4`hoE1x_w9vV^ab
zHAnroR{-8D>K(HL;eIxIZNP!rPGc$?%KAUPN~zS@cByzINM2dZcm9?Q61dVQzcF8*
zzq3@|H?}EAuYiXAYB!6JK+^!J3pkAfcwftn<1bcChV6sCywD@3=VWXQbB8;5=IJ#O
znvb-f2bcalu2X9|y4wB;X^PNF42jqQoURj_Mob+#Fg`Hx1o;Q}xovei3u%S|yjM=v
z_v@7M%eBoOUL~?HqeJ#-(2h1tI~x9kUY~&>?jj;->L8%;SrHrY-mPI~!==VL=4N&0
zAbX~EelPZ)eV)Re9P;p2c&pP5Gn~5$0oS%`=I((BzA6y*%8}ZuSXB>bfcBBXsp-@v
z`;Cgzp?`GIL2^F$JW>(grn$jiXeWAfvxq_|{#|sxzEY?Pc78)Ahr;B&zrNk=?J!2k
z$0hPbuZDZoRG*PYX44iX|CZCEy$t(2N0Ez|u<<{gzstk@<n?f<<H)@P>EJC><|BlW
z&Ej5BuWTu>Vsi^unofI4(>~7fZSb~Fub481sd(EidIw!FlCG_+fz8fb8(NlHe6;3G
zvtWB)`C&iJezbfPUp1c`N-P?5y&n6PQIo~?mP*rrOd<5xW1DoaxR-Z@zHpMiOl<rM
zZ4={yc?1r9r7m(j5LT8K?S449xsmTgP)nX8s$`0xrq?Ps@8z1-gfV71veP88<-hmr
z7txGUm*;_k=l&}94zHk7NqrqtQ0(gIKNNC8a|j7qoCl><M0=Pn|CvmwaTZm()w@5x
zL~myU)0Sx703a<iuOULhMJ=@2d1Y;|s>)R*MLVV0r!+2|{^ilsd-Qt!Qbac8ZT28b
zZK4ngE3S}Tl#R!DqWStns>e_rE7I2=tZrMfH_b)iYak{HE>&)nSb=8x;J*>&u|j^7
zC#w@LoL=gjJ3TY)nj@ZX#?{k)Dkky?t^O&+S&8hzk{#O0jey$)@mMb<5=kuSey`d3
zaC)-1EmvY;u#u-vR)9dP$Rl+eF~?MxAH-{zj-=%N>c2)~HHgx84Pt5%6T%yFj4~OG
z@Sgv+pFmE{Q!xBG^ARYreR2Be-n441Y44-guW_2EU|54!5dNsGidR&?gU?|Sy)gGr
z0xDhRQNuYvc`}zT9j^Bj%V<Xw+Va;`v4_p?*DswIlcK^qgha#|G{XcreOr14sYl4l
zico&k&INXmjw4rf*rRVpOBVhQ_TDl!u5Q~BEi*GSGc!A8yUfhY%osB>Gjq($%uI=y
z8DfsviDT#0x$pIp&i9?$>ef5byWQ$PrKP=9wM$ED&oL&AnYV&BgkJ1TKjjvfyr~}_
zU(%j2um)CAuX7W#^c2?!UnO#DQIDC*w%EzSSvNAPDWfu`GHhA34US$_jO`4o{mIk|
z_ii!XM#-+%kU55@8AM{+Wa^s=oePgJ2ho|N^blvDYNL;WhLCm<1R9%&H9eh0IR{$+
z-Vq6;r4dL@6LbY074d!s6~JRQOWPVD%P|UW_5hJe^NAq(p)`+>U^(T!<<WFv&eyM_
zA=vgBB=Ojlbf4Uf6Ux(qD!fcb)3bB4s_UxqYVVp?MArG6uJ<GK>}+&fN;H|V9=R!&
zd-mELf>k_I=5~hLi+x4GsECSqf$e3~aQlN87N}R$D0MXxbQ$7f-e2|_#wSmDY9hyq
z%U%U{hy&4He40U`C-jOjggQD@-fn*Y2QA(4>1ml0{d~vuwe`i!vuJ6h?3Erq_fiYQ
z!tq@u$k)`XZzCa9SEeuZ<Lg9re4be=>nWiau(#4S8&PW!PY>GJE3T4d*dRR)>HMgT
zb-7j4tu>muno6K$M!MxX%mF2<v|eSV0^B!Tw89E9HZ;HXMZ3;HYN21FW&*FkY2lvl
zqSKjIv0X}p2^u&|8wG4Ry(ippSQXSjAh{P<?0s{w-B;eyZ|5Qx*PT)Z9GAK(2~P~N
ztX^u;UQk|!0Ezx@ViDF+sr#0_O8KosW*ynykt)maT%o^+r<VCHw%A3lpM|_NY@bZm
zaK<v%7wc>qZr8vibZ6)vZKC)m(V4^Z8zV;PzD5}-zrQevx3ypT7q`2XWj5I7vwStX
zRPb>L)W|MfeAJxgam34SOBiU`qQ4yLX#aFmEqvF=MW$VHdQbpvtTjIJorLgFZ}vDZ
z*P^WH$kqquzH&)7IkC`k#O_!^b$PGX*sOGV=Nl}M72h)(??-&BB-^E&E(NwXw=_F(
z1u~1S+0jNhU1J`D?Keb3>#Jj(ivi@`-(9vubsc)wNG<7<eZJ=B0ih(ib~CZRYUhYE
zOWIX>oM*3VJ>Cm8v<#X0n*IPhR9@nPtKi3Qco2VJfcJA_%_v_xbnjU^<W*5!Zqdj+
z;{IAP)HhnOw0`WvYL4HEuyQbKxO$%MzH_)ve5+3EwMUZCr0wdo3d+K|Yy1T>LGg(x
znYccCSU6`YHFC^$H<k3W@QieG!&I{nqChG|xAf<ydH=flf%tgeo^!ijRb_5I*$s7J
zU7x-8s?`nz1EgzBe|b862<Un4aoS#-tn41FZ?zxDIn+h^N)_9E9%CO~Et#Lm;-c2P
z#PB8fS?Q_gVMwUW*<sp-+qjNL0)UrcoFBZ-VA#*M?#tS8vXfXl<NRIug~!Ya1Cm4t
zs(?5|+}g#+aGPhiL7PHy6_7so<YE$^q#82l7s`0&8+FLE%a_r`U}0gc0ADY7u)2bf
zNQZ!5La`V=uRzZvRmvvI;1Q;ag--*)eas|nRb00lOa2p)JnJ51*iAx5R#g%$Zw8Lc
zb=KNO-En%Kd&lt(LMY(H3Sa_9Q&6bg)KH}zpRBhsH_S)zoT2MX$|*AlMg)`g?A{0D
z#g+V)?^UQWl~S8?JB1Wo@*J-?%vIv1d$l7wq8;tUqJY$)xopQ1?{`1%FxK8nZ6ISm
z-K=~aZ-i@Uxt=a6j&QTt&P?j_-HI@S+3pYuj&}KrCAa<NaGZs`ejZ^tyGAwToE|t^
zpNbZB*0qdR7&`i?6umjB&i7o|6cb^D_164jNjVBGEXf(l{5b3?{wFuY1yO7KmHCL|
zC+H)?(5{+!*F2&xXoJbbC*idQO6lXnm~#uQ4InK?m4;sT8^ZLwVX*ZTo!PuvbggFM
z#o~?cA1J#u*uN$>+Ic3)i6`_qPpBgfm=<P>?N`3b(E@Xr2Ccs9*JpUcJ((j@xZ!2F
zV8D@^oG<VxCQ~%C%qc{(S6q~lq91FYJI8BH>b68!H`WgG<Bd;-&yJu)aafSJ!aA2?
z3#%kUs+!sNhU2ghkVl0neHyjgtMhI{iJOein)A9y)mNC3$T^x@r=)<T2in!63k!%E
zyeFv5<hpJ&Q>3D{`uA8zu^SzE*+<eh=&6QpJhT^AZNqO9XgO<JTVAwrPbajN6qj>b
zC<~8zs_QU~v$ktD77Mp&NL>WffsxjW3B{)}s#7j-voVgF03w#RSD*!8lpSR8ePF`-
z*7SF5V@_BY8?m{$@wceREET<<GPF^msV34kjuH%xNOUYfjTvhjGYko4Q!VEC>x_dj
zk`g~rW1<I9ZC6Z3Z;pF-k4I@S;A3mBpebNft>0%nZJ`J^!0Ex8bjVBQ)sisOsnk+I
z8V3YOSNH|v+W{=VT3j0eF2`ZG98r^%+@3nwF^^&k(<doAXEGnI{78FMSy44AhrCi9
z4w<nsB2(6>sl0@Ulhx{wIiqBS`h#Lrc=t{2a%rR>9|q!2nbPj9?C0DF(z)1Z$bAB+
zE%^E&Lyl+)*PyJdSqAQH0bg^0>~gujBFD|ly-s};!^pt2_xIQB6o`$jm~rwZsObE2
zF*%u9H9|jkvxLr}i;LvJ328UsvCR1Si~xS{6v@{rJlTna$GA0DdI67^>doxw1p+2@
zq|h4TU093u_VgNlD$@faaZ@3=zBkKtEF2rgooxnNoK{qHl}(7STw5{Y0z@!w735*#
zUoE}<1g^tGn+kO=kx**uW48wJjr^;w*K9RSRM6CDy9rAzXbni0r%fEy$FVX@6Tlyd
z0%$FbnYCnJf4jENmwwR|EZVJ)h?{LSgJFu%X-fM#ukI4fx44aei*4P97`EtzsIIFR
z^QgveSVkv_#q&i$$9@Q6QD%eDiu~PrDIGi~va~BC)B5uHGa3<GpNy;C$Vu88RSx_5
z8Ug`5W`QRAh7k*AHha1W8mLkQ$DsPcNB8B)&&%#Zk1%NB^WF4ab5+c}Pc;VNHsT2~
zZm1JcN|&<c;k5i_43r32HV^FgJ?x(Jc)`w9Oh)v^*$LBdap(ELnY$;7l*Z%6*&6vI
zk?K<RZfL0o`lj;Upfw<Idx>(*kL^GxJtDEY93o{}4#xIC%37Sjieg{4kday{W!%Se
z%-g7tj@;W=9cyz!ZPpNCw9nH1!Wzf+P7G^n`3|tHOl|VHwnIf)t*uAZb*NT$E1I+J
zk24o^x!dSa@Fy^^@qOlDV~9){J2!Xv?!r}|jyrNa`V3k|TdV<zZD5dn`r;ja6{z<7
zCG4O{*PSE6I@M&)TOOoHikS7X%Xg4zbbNaLGcP(EoHuUDaJdGUlS(oD&KebG)0p-k
zmdp+>m~3I9&P+h@TI=O{+Ql#v<eYxkFfleUD!>i}zn~99U;f19${;s(cqnCPrf<{X
zL}veCp^>cCxbl1nopbk1T4txeocK6(X|vrSwly>5Vtx1gV!oL)%mWu;W6ijvnqAgT
z-XHx;4C|qSeha;vdt)PVk*B3DWzA?!Bh+A<TM26!%t1Jgt7vo1w0T4Xl06((#_cdo
z&Z?^pLlB%1u>}Q9^HGq$Bv-8DG96Fr>6*DhLOdBX(oELDMaV!(Dml)3-cn8#8rDBu
zm`yTn)C;AKnr&j$=VTT4J!RhYL%#Jo9uDYIMO$>5V8bo%=e=^M`^<r5Z_}Z-I30|W
zFuTmMZft+)7irbmyfWOsSTa*g#?N>LX&fCF)-20tBil$}<1s;xc!g}6-u^tju-zlh
zX}i$4ENsqzvlA&9iFlRt``7xR;pJiMymG%XZYk=m^mbwd8!*v8=Jlw+0?#nvk~5{J
zh4G8E6_q8W0+L}HZP1;XtZKN(>CINt9v5v?ymSpceVa8Z=n`}SWonWaMJn99HJl)t
zmIX5JQPT3`Q3CIhBJWW==YPe8p@X+sZ4H6lPz;me(!JSG#MDlrT9??k`7{4mHcHBt
zLJESAOXs@<r~o@l98XLk%`KM4K!yMeNgrskP_<!gc(v?>De%0tnTzDBrJm{1+H_R2
z+NH*XJzu@q%C({D5ihA8(rBG0uRpsXCuIS5A;E!q{P-mn|8-Q|G|)=6|73IUTu`R_
zX2^BJ{tsZ*z%U_@wq2M~$|j#%oW3|8Vfnj-JH@fR>i$A|%vOUXX}I(YRLaiW;XqnC
zC%FE$|F*OX9#T&BasU2K>vhB*zz-+3eM#|6<Xz@g?NlinHoEr9#b4~@p#^91?ksn+
z11;MPl~VT`YNeE{f;E<GXt}?9XE<PgO|6chYe62;$Juf#Xu@X$3E3Dv6;ui6O_&KT
zud$FUmU0;gpdBSy;pB<;nam#N-(#7;lpEnyrQK3|=N>5n^}qA25HF#rQhVX{mla`U
zF$VG39JVVS=yZByh;hm80|*!?dZ`j9LP+?E3W&=h6eTHi;*~s1S{vK8SUfLTVVBrj
zw(e_(185mkJL%9-R~Iiie|-%C_=mrt=u#SRv3@!Bi^U)%atE`(|1z=28Hib@h2-ng
za?NFZ?vYn-rol5eV5(!MkW;PQu=!#d=-tx198`A|x8OmFK^{_8gx%nx7gqf+QCo++
z+2$pAFIHo;*+M-{fD_x$Rs+wH{G#y7n(NYYu1@V%@q3S+1+9^JvsQ~4GJIZQN(bgs
zy@H8Rfq0}~`p@kG3YGyLaI6OPhdXDuT6B}k%-o|p;t;9j+F-dO3ywkMJrp9{*{D<l
z<6mk-2S*PMSei5Oj6)2%lwoG}(TZ)_l(rAmoME@CE)RsTO!Qlq>jM0qEZ_3VHR|3;
z@9#p3ud#xwPx`dBB}N3Z!G#t(9P5C|Y?4`Ozw<p3c;h5C;-gMY`JAmpdR3L6^Bl^Q
zwtO9S)W<!};B?q0)I?1y@(sFB{6l1a0zJgSBaA(gwBb#N+9XSn_eVA%zEXhXEM0gE
zBM^-U{le?$S{&_sJn0pths)ja+nNkGW5$UP2PNdQzV8iR@*k~=Kf3Xw!Qd&Hx`7Xm
zLE4lB%cCz~W!X}+mGpWDPu`lCpnvYyEGXZ8jvrKTS+0b<Y~y%8@6wwoe@Rr41G$6A
z0l3<fF-A@1uF{1|5%gBE*?#shY@^e6UW6{xvN|(cBouv>cG2heY;=6hbh>QH@V{b7
zcg$vJCdv=kF3L|(v8P=cCmv^H+-pah-;UDh(>#9~Xc*U;@N?b-S7fM?^meth?{G{0
z8g8YO-gO$&YH@*bu%RM^a^SCaaLiW}DS((`3dW_ZX<%z=krHpgJ4L@4NwJIJ**`5q
zQo0Slc)5ymw%T<_G=BT$z;a4RxVM>iwh3_qp>^BOBuKo4Vw%S)_N)B)quyg6-F^2q
zfZx#^Rnm+q;q&Ufs<9n50+UZHj`)hcXPtZ3$|gP2By?t;S+<@DSv0Y9p(vNO_r?p1
zPbGo@&?=^d?QY4MyGseO+s{AifP1g)CYQRmw#`8U!VG%=fvNdoIL4J<*pnK!$|y!q
z`4LTF9Fcw1U4mA&>#m81{)l7rz?n@nmU6yc!lfbE+~j+ciKv^Vyr<|a-%hNvIlqY(
z$?-E)>G1=8#QcVONBqRZ868EW{dUfgxdLgTM*up9#t|JvTYG&khP~aEW|xUsoBEnw
z#&0>Cw9-tbX5?;FvZMnMw&u*(qv)b0*{TFc1_r!UeB;+AV%H<i!12x!j<pLndB?HN
zE5OkpTAG=IS}n$rfgxZA0lani63MMT(-=m@497sqTb?Si(kxCVGPJg2I&9IC7I{}s
z61%6TdtFx>9t$di8Kt{>BRct-BX>*MFQo5tz{>fkg^)6TkCsO#2`3yHMu;H<b^h`<
z)?}Zk&EZVZb@>{d!lnEfr)4>)W=-UCx0R&stw;5<NjRNR2@>_od0L%uRyCX)&Iia*
z3Q^Kvi>UCF^#U$^sCyqnVG}1T-RbOX_R-vLgsPn<a`3dd3ENg!21}F?$+h}=beUdv
z=O*(Sp0PEDGxQ;j;i~6j75r}5m(#Ho=sz@9^N+G>eATng{o$JOmpqX{^5Zu-{hQy~
zGR?Of5b3{b8qvBKo+zHwfD@Edr|N=T=90TCoTDD$-m`%jCMbgB*{<Vf$4_z6<evf-
z+eD4@7e>-Kw>*T-lWS0F6c=85#Ou6=^<_oI?25l!yJ1g{TNpN-q9J5GZnI4iFduoZ
z&cLoe9VZ^M_4-)m(n(KsM2ySvLUoSr&1BC-?^eM77Wo8!zi~tu-rLEc*s4s6%bV8X
zI9(BSe90(jOCNE`BjN?%_?$Yyp3tLcfHHaMkLEvMEL=<S#a2saZMVTQ_O{fn;Mzgf
z*F$Yfr@df+fK-A2Jz1+vLpzq2d=fI)gBbUT@xDHH=XOG2HUzfTylFvqS5_X$bjYHC
z&Gh@{nuL}5O#U88$u7X+L!29fJtZ5(<imIB8WaNI{adWlWNodMG$!f}VL}~M9h|Wy
zTBF1fc{|RIl4qs5ys`X6Uzd%07JWxBCI%@%Iak%6yjfjIJLz5|4D56P^oJf;I=Lm~
z4E6@hEAc)?IZMt~cd(Jh(drYv)QG~NR}EU4DWcaJQ8wAWYYLg+7l*>i@i#(Kt|F9b
z3z#(pIy*AUH-dD=#6_Fs+Z@S%0P)G%>quS1j@+$lCs)^I*btK87YhL~dD{L5lt(Ma
zkW_5w+y>|o`ep^hZ#@|Xg%t{WQJgCcR@&N6N7wX^xSqasJ*KVNk9`^U11@bV_sv5-
zLU5gGCR|}Q^phtdY&GHe3gUF6QS$G)-r=%K1bs_nejO=y4}RJ1l4rq3ewIFcLALFJ
zF(>8&feZ{YOT<+)9+@-a_fCF3Cs}l<N8VeD-j6)3Ta#8Di8?exY`#nd@ZXM@q1e;D
zRVL^Avm9j^jUtdW<X;hHUL$#UmdWO1=zd<2o4OoG(}b^!y!I!GPTkTRs?fA=`&L_g
z9J;kURp64&syJ;tsCN%3x)OQn5#OgYk*l`sY4vzC+G-o++pLL@$5TCM(*FH2R|c_E
zOwsj(y<`sC`2qD?7Lwp#23$!hYm50nVwqnAPa-qKiTS=6!&gYypQ~{YDjHRz!0WrK
zS=nMzaPN4PIX%-YTCz<B&BLAoQ@3kFsASv>vC<vrg-JSh1nK2ow<)>0xjc<P((Z4$
zg~kKRha`vVTyr_t^S+IzD$Ps;VORoq8YpJk+8ceZSsFC8Q<in^Lt{2_Fz7VNGQ)Xu
zEL@tKRqKzddA$S;%)TbAiH@8YjC1y048)^>z|vf^YVwU68wqVH+i!&6YCjrv%5l-z
zpu6p7^+>}>hoE^idEyVrX2>izbeaZ3HXTUYYkL(G*w-^2J0A)&WVvLD&yyPf^?)kD
zNH$OHXJ$q_UrzdV6i)d}jWIHH^PL2~;1sN*^o<0f0+A)-y9MTk9_;Z%5>m5ox%hk5
z%hl(f4L#Qy>l(N_bPtD2)@v~wTIe#RBXo6UU719`wvShZ*xuj=yM#OgQd8WUSVIk1
z$VFI^f~@<lTk_SwBoEFs?2LO1j~dM+Ru2Yhqa2~XHSkbt1{8>Wa~BV~O32YkQ{p|*
z!2K0Om(dM%_oJ;t37`Gt`0%h~k+C(_{CNKeX10)geR8glX3Qz8%T2Z!bAxX!kb#!~
zTHP!m)ytweds(k0YBb=Jj`j0(MiGS>f4cEdQb)tK8?%vC@!gvI^_KZ9kH(HD#OV3~
z?$wO=8@!DIk%4ozo#&dpm6KTgqoTovJ)@XO$h7ml;O8u^njs>4T=tF@d#2AD_&+@t
znM_ypoJLb^e7^c+uM-T;o_jfjH5WI@mpi<z!#OI|K<9DV<R6kwXsPn^o<J1lm3bj!
z9(uRW(=2^$9al;i#k2`0+Su^sO~4aS@SNZqJ}yxfq>y$jG`63<r+|YvmZ`%1kfU3X
z<6asZo}LqFy+pg3)OSqR)f9EIA#d|qYu<L7PejY#qUsOoo4a_igKMwoE#&P$@ZFL?
zMN_y(Ka#4Kr*xEOsYFDt#hpQMT3f!E*k&WLwmgqx%_J%LJ(C@KZUCq-{c4Uy#moBm
zv&$P3u{RH5Ct8ZoAXu!ze+oj1S*a2WiholYm-S>$Z^irfC(^k1=9E627NcmiE(XWg
zXBa}4*_@S%|0e14zuBUe?{BJ*6SM!~+8js(<n7t%51?l158!2?y7*VrAHYwwKY(W(
zkQ12A<(TI(fe(@)a{2Nv7D4vc&WUzQQ{~z*w&*2!8bp&~I-__IR7=-3jtCUPYQd&F
z;`4K;NkkE17L-Mk^5WBUc%$kZAAFRa=~OyRx>C)(dHz+_Dt7cNA2#2x)^1fQyP42V
z_u2WI`3sxUmuu+WVp32*x>)}qB(p|!KdfJ2T1yjOLzTyvg!qn3@8(=$-@hP#vM#Lt
z#27A`X<$X@pvD2NbiXenA(^3aVsu%jhy_+&J#Eo_(paCVm^@_CWk_A;zMk%pg%r}8
z#N}Q+$6i#dT9{@lp+Z|5A___@u9h{@>st=59%WD&pjVbbHG^W=s<SbdBE3<J)dpzU
z8bPMflf(?I#Mak5#&W>yiaS=YY*}o2SWPk@ygr-4dIkDuCZWsp(?9<8e^aUY-*aKI
zaCP_x5Jr#ketQh_A?Xm{DEzle*4nso-QVeVRh@X=b>QN&y$C+v@3=}PXn$>WG2pTh
z+pX4P?g}}aN8w;i(|F~$1slGF2pbj`%k;Fxo}Y8F5Y0EY<vvkfT%p&CvfPRhAf}&d
z&JPxVkkE%63s~blSb^ToBd0#_BJ-k37PZuXill~cWxC-j9DvXx_yfrOL>l<Mb*J|S
zVE;P+x}E0_fIC10bmBV>J3cmkYE@)Dbq<7b`~iT(*H$NP_VS-T5^3&C17D1Ot-o)5
zC;lJ$nb*hrj}Dw4mVwWO|M*tV<vX#`;piX0&A?OBTgO*H*NAwvK4G>OyZXzmH||bK
zQSd2^V(NG-S+s0kZ89A6@?zU~$6G*+xE0$x_1s2qROFWm^R)YL99otFEg)RDMTrJ(
zb7WR^11J1!uCA-AhILqTmH14Q>-0rSK0*c(Pb#h2aD-$``+=U1YBiXJ$9kjxa!Rod
z9_WpwU+H$4j(|qL>4xt}%boiJ&=fPXG#KCQ?a)s)%iv@p)Kbt@?x@a~sW<Ly37ws#
z!U{lq8+7g&JYY@wTK-0-`>~;6$AQx`V`HCm0<FR-?x9i+Q0GIJ7wqJSaPX-3&ce=*
zNS0(>N;Z4x8`jL8?>A~nd1SN*C@Qa@SIC#w*Z!6b)2YVWJ7l>7!_Pbm=g824uK>K{
z0QrXMChF|4)n~@qs+DIJn~@=(hD8jOx)J0OBxo}wec|h&+Gww!^hYznhahAk!nVz2
z&tu4YGT7j`5uKCTS|&evV-)Db=kZO&sh;Gq&HPlWp<w5wpB&Rs+Qb7wlJufV)oE&J
zc#zi6T2Nfkk2p(ji|&C;TJoCve-hZ@Qyv^PSQFK}PxTqNn3T7l>D*e&xJ+Sm9S<*!
zIj@n$ep21=n8m?%_Q?(_X&5T>M#k|bq(;Zb9I#+8+M=(sG=1@LU`in@nx=+ztmZ6&
zk0b|1W<op9)wjMwol1*_u_Ixc^W{4^XGp0vWW`D3+5Hm1#B4nQwp7K&;&YI`z+2&D
zF>V!|Np1u)jd_{@tAs3F%T;6I=p#h2^sf-$H3+YIlz&LS${<X=h}yVJhNFLPFwq!n
zFDDAB$x7MRCbdERnj05wz$T&PI!-1vlz@)i?gMiR?l!~L63NFFqu&z27fA16ZYd3=
zgA1~)Ao?5n5(2wYJ$+GMhGl_R<{z%@2>TW#a6Um8_~Q@YX!5<#v8RHtXl<Ky&(1)+
zuFhA<aP6Bwlr#5^1#;Jz<c)E&W#3|V00Do4-`t$P$(>1bM%4F9b#8hxfeJmMV1j_A
zUoiDM9?p);i0zh7d#oWXop(j3i4))DbGsA~y0&N%s_NS4&NwuQp_CTS9aImUg>v{G
z6NpcX3?Dzc_Qb3zf0>r3+pL#FBeuvkUraLI$M`%cXK9B=%2X}zlNCMPu{<V6t|6w;
zHK9icJ&jhBrkrk|n}$A=?X%0|82gFdI#;^puUJ6>Qa5NfXd`7z!dD>VeUvq#7Hg2E
zEI|#gt7fO{vd9*VHJKegG}&R2plg8Y_Xn?hw3MjXgoJVfA|PUI8F+0OswilZ0e>42
zZ7i_4n?FKY6}~ySlQhv3_6-^ImQhswX9)S<0nh(pw;Io$T>^)(U_M^%A^rf!+XtAP
za09z!2i^_;06xgK_~b#_0XV<Olml-ANk82)*xf(htt2x&VYvjmG(`C182p&$vehU<
zsFmv18B6TUphEimonxAobrK}9$cI2f7so&sOYU?0_~3PRB0SfhMv(vhviHf!p>ODA
z`-Xenm*~A|#?d>_@gt@OsjqzxCD8vp>UrJXYx^y}?`Btmxd%GDE^YYDbmsyS)0_x>
zl5oeqs(RYeLXZ*-{8hV;6L8FLGD`0qHf&#!f)<qtdq0fFK5jG}DX~es{q&gtE9o}H
z)sDaqGW$9dWhL5Rakz|7s1qWFnK<N!B*{erB75fIljSt<Aw~WN<%_uHOOB?@1wm|w
zajAV-4gGI+m&u63F(nv+cxx-L(a4tGi|?b3MYD5WCR4zT>c}XHlnBDFS003a04s$t
zd%tJB-$7(5Q~wWu-PK5TS69uvEgQLe8^8Vc4`&NYF<Z^Ss?D6icDP7<PYh;>?FVvb
zbOdxbxp_kA1XJl)KK^;@yXnPa*UjRk%?B=zEj@hkX4AyBb`LuhUOF9CG&Ed`lpg%m
zYDL8Qk}GNoSw{2e-jpWYAvxwzYohWd*mY?#;H!AM`UYzIpg{FOgt?dxe=+hje8pJ%
zQ~30@YdfF8kTF{&oU$}2+>CKq{BV;dybP5#IEwKPaBH|4+*q)gtSA|nFnRA;HWNH#
zvotz1t2J*qFjOF=>O`giXu9M{f`QkX|9#zZWDbDYqh`2*>A8u~JQ?3STh?q7*f=Q(
zJ;&K>kv2AOs%<WI5;kCExmCj*_hX{+$H?_>&V&)KMg|u0b^!e482F{x>Y5*>ggR|P
zqb3zeuhH58x9cnxQ8C^5Rm~c<9r%*O)<G<&EM|#NvSD#$y(zh$6e`w6EZV+~9~(Jq
zveW039ze-c`95zV2Bbto?ULI@o0nKJA!e7O*1=QcYo%+ctAH;p79_;N8JQMuZbQ#n
zE6Nl~lVhv4w5|lxHiujBk`?PhbNBC>%ZMZpKznA6no3TH_+k>P2k)jE)zb9leIj1s
zfa3VM4=HBSYl;t~a|bT}JQR5`T7Pb$icGu>Him;D>P?>bBn^!xcmBD>g7W7SwdV_6
z?WTHJR>+c9F4lIHxoKI5h=8L|2jKcSxW@9ZB_9*DRnh~-Si}PnY(2SuV$W0x#6m7Y
z?jqmPYCy;679>*1)RK8i$3moozNeyvi-Z4am0iAvc%)gbE7Cn`cao?57Hz7$Rv#)@
z5{ej=0!ES4?3y*)oYhQIAlH#`>U446u}-4qKPV97tLL9E;_`CE^FE?+czy2DzMZH<
z6itB6zveK0X7=Lf`F^I36ZdJm+~}hr@DBjZA#cD3=zTGn@hhftuybuhaE|%a3crnh
z5o(pfi1Bb@TMj*<&mHds6W3fK363y4HEkR#Z7f;v-k{g=Uq4pfppTh*EBXAWiNaJ`
z_qucYD&Ts4uNQ<fZo&=!NkfFPA?qK2YkJ_XzCVE9lI^bVCsao@<a!tMN8m?Bh!31S
z2YI&3H8MEb@qR6_Brc4y_)lN0(v(e-(M2d-u@%*DHPx^s9;Q4Wq%1!g82p2uc(x%r
zVcI&@uXsoTMgq6Fq?mUz2^=OL@79x>DC#`79X&sJo;mG$h<cB_PiuhGeO^FP``8;Z
zFKL+xwb4$MHE{^>ejKxlw-GKis&%9Wrd;>)jQ*odw03Kv1uCKu5<o!mqz<3FiH^Ju
z#sbyW_`iNG=h)WbkwX`8fdD!;rAPf%{QSht_VwF*Ui6+uo0n8Kl{8Dyb)VvBo#4k2
zn-F$I1*_!!Tjj?F^y5qh;rnRd*~sIstib$4{S24cG*RH9c@k}0SbPWAautQM)IP~3
z?E8`KiB!Cm2B5VvO?m5%F%B1^3C2{qf0U?y7^S~CBW0UEp!_JJ+QPhB)g#7s%(kv}
zC)}-ttV&XOK$GDIqgO-j>G2O^=-Iq-d5U!PjYIRJ*j!lhG(J`e0ojIuR>}P@fW;2O
zvQGSRVB%(^*81Zmm>e3*G@+9Fpa-*D8WriW$ZOVQ9tEO(MP${NkuK*;1_1w@gYN{l
zGs8Jpvv!d-Q^+uW614ZDdM6sbOI~}JABq)t)(kyYQjWx3a4@AQGn*M_zQxBngU6O_
z3hHK3c?$)*C>0Y^ur{-LIxRHvARes#G`M(yNESTZuoWYpIa?^QywCwB+gV~odTL^3
zdTKh*z$Vjc(luQy`HLuK172%(eM*hW7yLWhS<0Q`?V1K29Q@9#*Usj$SvD$0cjUO0
zT4QkeHneg+m6GZNO-xadRrUQ5BDb}e*SCw+h0Y+xkY#SEyY<YuzygD*IHs!WGIi9|
zB+>=K&(R7i-4i^N50Z(>t(vdW$uF4-!o47e;?sQhC2{uz@jpKQA5~kBrtQ@~mZ03w
zn$huP{lL^32qb)R$xD`1t5w}1m>JV^bE8a-<j{!{u%PJ8Fu99>b@T?SZkn*&WYj53
zxzOd!uJ>0OvK0ZI8ZFG!Wlcb)`b$hpPaveGm$7!|QG!ZM>wiLT|Es2S|DJ2sc6;L;
zIDilR1MvL`_6LxxXO!8IPy<w{tcjgT_FEcWye)8Lu&-M;I8?ZwSNE5gql?2)DqvHJ
zpp*u4l_BGu#nT?vei$Oc_-hDcCU>0VMz!G&Kx^O+AgX=-vro^%eWB%^EYkSy+ihV-
z|Hq*34Y$CJ(D?4_Nr&L4jzCF+gpVz!$bt6V<2QRR0(<|2kF{Hlj6Ps{+jDk3MZ*$3
zGIPnNHkl!;HRD_bRrZM0OS#~=h!M3?2jM9Jwppz_xz8$?2E#gd=%Zqx&l1+Ve8Kb@
zh|@I`ni>|4MrcVzu(Hibar8s4Nqbh<syzJoCV6U}h%L3t@qOX)Q^v5Q&Dm87Lk2I1
zwaA+bdp?3ye*me5p8_!mK+dgA-kWs$Pk2~I<fd~4KPNH9Th3~(_InenMqV$vA$V2^
z@kY*%;`(Yi*iqc6p1j&qHdJNyXakq?<3SRy3c}W1iNG7}kz17PfvfkQ<^c;kZ%R9D
zrks!%nMs4Fvgu<RL8R$|F6r$KQGz;prrt@O<hhIdce?|%y&3D?j7~Ujb&2LX4=QwO
z<j_M_X#q{5Mp^5StYseVMKpCRrrL5dZs>*COs<F8v#`$t@|ou2lDGxf3MKH=sx{v$
z1<dddX|l9Yl9<b0c%j%RPz5C|aFl_(58`3jK+LS8cVchZA+B8XA}H4bIKc;CDy|eN
z>A`GB47vW>C2SEf>~V$;`)#drB4YDQfA?j-Mt2f~64d;(H{+r3##r19X<Q<0oFot)
z52k3<GDhAd3pgUjnV8p*d40v;k@GDA&x_dGKf)}@;j?`#-mpv*3M7~W>z%UW9A^P1
zt;K=|`-lxbJUhAu?xCx}Zf3n?{+^?|W%1PfjDHA4%dt6WWwvVjTt2oG{l%v_3@u;z
zmG5@#A^}{J@(vFvBwdILvecP!2*z$N0956!UzhWkiC_30rdhNWb8*jxWqx#Y9;L0u
z>#EiQYz4lB++cDvnF1*DJA}7VJl}vTEuwVuwm_YdlGG+j@^Hv2z@Eu%BShdj7YLPG
z)A3_Ed%JMv1eutBo{_gt?}YDC?lGQ7FUv1x4Y~h3!hAKAaK@nw!H645kE2QyMB5qo
z{pt1oZ_I*ec5mgxQR<`Q<IUG;{o~D1aqDC5<N6Q4vF1MzsuP4z;9jI4gvyUNyIpsB
zi)bFtqyEt#x_rMH^VIfp!jqvwb$`kBv7lmen1%b^f|ej3KDPtXc+{o^(MDsm2lgP7
zqlhnx5qlDH(W$pU9W*JVfn*>$J|0AL=JnF?{T(BXkn2>n(A5!6O-1aC)3OgkEU%GV
zCj`xzU14vxTZ~O~%<?wOBGgU@4WzMorQ<R))W{X=mX>5oI_flP9qX~SoXe!iP#vC=
z?@)CjxxqX`#A0b_{3$Ika~Z>QfTA7DnxRbs_C3K|#t<Gg7}X&yHe1R~Z=PcU$|?*k
zkF=ybwKqLXbI}>x_QAU8EMq$E3C%FXIrE0%2%Id_!j=Xhy^>I;Uas*@_gpSDEZr-+
z8oCyOqCMcsZ?y976qy(wKoR@)z?S}T>!R=DmbJZ~7GVcPqZ9kfVu^q4Un0mMNE#8>
z;tnB=xB8?r43-|8iy~E#l%ti$!uVL^!C!&PLRCS!T5NY|8PVk^weY!KR&Rw{F6S*O
zkoTT(s3PizV}qx){O(Q`=;1s?x<j{}f8@`(Pc0E5t}zs)6J^z`<a1Bu8-uG2U4^ZY
zMN7=Onc~dJMFF*$`WsauMNHUmcQWLQH3v7!ktLYDtVEhLRj#o^+RtId9d0mSGUb!W
zi&-)QEISTNA}?S1d&r^?is4Qcb8lKU=a9$NezjL8qFN+*a@Gym4{)Vts-eVz%V*!j
zuMQ0&h92uTHxAuFigQv7g-rdR7L$niD{IQBSxc0Ua-T0}u&J}Qr!59bk}6IKttGO}
zJMy6uq+FG9{@nF`!7A&LRa_J$kJGb79Z&h}8#?&I{Z)iv?8V=0rCsxiHoM%sulxLg
zoEMjY)e=mBGz?_iCA3o%AhYANA7Z3<fxF77kY9nT>=OmNk9>clZs~@mTCKs9vaMM(
z*JMO#7#;1$Nb_~^NM`g&U}Y6zFzX1FrZC$)Tgn7T35yQSTKwS_5XKqegcG+l$RlPd
z_2#e}IShDX&6>1&{9;*Qv-*HJr{NKlwOfBraa0^JjG1zt9jmq+qS%Hf2MuD<8PY2o
zy^xInI|k-2B)E{-96JPcp+R^slU)`jp@*;$*3zL+sr&L_(U^bb`AiLlLhNKq{AqPx
z+KL-X!l^KW1t?z(1t<7Ak7XR?nqw;FA0|5MsHRmtQ{XU7x0E9|Q<t`hVL~g0!3<e?
zE(_|KJ4__z7^tq-l(NwVhjc<&;cXzPji-mnM^mgRXH6&aRN00V@58dFLlm1bK$>jD
z(+K~JhDN>B59obmaO4_gL!WG5uZr^fI!GNo?5*wa)Ps<y_)&!i4a8A}5BfLDdOdVy
z<0bVC^<z&9urvK0lJzVchi}oHGF(e9sBPqpyZ!EB{Mg8O5mH3q#*L@P(I*OEZ+8F2
z=#L+Go_zGKl&boVk%EQl`bXRv-#P>W9x6@$!%IO?A_^8r0(mL(BX0lUz39vsmTl?2
z$*-ZUou|X#sE}-y8OK~UDtxKJ6SwmyA3Pl~sruGlXr7;S$}msWM;pU@z!(>8N+$Y7
zPUHUNt@gP^yvgIEuDWy-&zvZp!C8-G&cb4O<Oq;T?OW>6=nO&n6Nj;u)lU?44)%v}
zvmabiG81Tyd(gF28Tn(&V)#_2O`Fh%wp_J+oE(j*@{OnKWphxlWDHexG-lo_7&<Mr
zbRWW4uBS3u_oi85cX(i|{*yy`4?MMv4vS;A-(&(b{48FOnhY5Sv?dxhWvVE(8MfeI
zass+n8s!itx<_2oS%MJq-?xc{jbT$Hg-TZ*<2fl|8g6UL75Yr={~Y4~Z-+Q&-QF|R
zE~IOjftCQW8Ta&)zqTg<e!Ls0)a*Cyd8U*mv5iH{QEJnDXuAMx+<*b!%Vyl5Zqxz;
zy8cU{+OJmzfi<?3chEX8X0qGZGY>jC9;~l}lv4%YckBrPlfsfS42UGC5*%WJxQvD1
z=9DrOfAO##KHr@uBWEv{J8;z@g=5mumceb%bl;uw%}tPtyBefv2zwO>f!c&sQ(Kc{
zO0hS?*vbkD_J0Tx38TW_`S1N(PS%N5R{Aw55WS8X?oCG80`mI03&O3&Ok8`q3}8d|
zHTW6)0yp>t>3JD?#H=+}A8Wo?M`WEUX@c$TVx)0>*)AKL+cIX{#Xda-dp_w483zu4
zL+?l9$kW@NLDDGH*RcC@g%_P`%ShA9cRda1DE3JKe9irKqnzoPs>pFLYWWwbOXGcL
z(R*ecZR6JvvK+MiA@f%ZGIB{llaCYnKY%CSKY-U*`;)gByZ=6zlvF+R-rX<&UDNW*
zLL_n9m&xKOA75aC_s@R>X~o|BI;#Qs3o0D4Q@$QcrxMPrn#Qx>Iihe`?2S=PlsRx5
zxJ_r6an7l|#nf;`skIh~f-c`(|Hhc;dq*2=z-7{HSd})#1ZZiT93~0!_3-h>HAo?V
zieV^?ILf0aolfmV+yq2roBQ=1@YB#kj1hc^dzwTM<E8qOXf2$Y9I@uL%I)sqY;akf
zU^#o?5hM+}zpf%knZsx@<(#_b?KlN+j4n2-1w}Jta2H>Ynt!iKY0nC?!m(R*^XS0<
z*in*Qrzc=Wl@PxsLL<-&X2YS=9ihC?fu=IlfTUSR^{iNS^$bz{@&dBe%N;n|kiv1I
zY0DU|`BKV#f+n|`$hw%P=?euGK;siL>42Lulq#_fVz`S+O3vQI$c3;_-u<`L8|7nL
zzp}UuNRZn%iSWl&j;OxOGIywDp`P$kr-s^9e)G)iGwo~4XHK`IJB-A05kSX-ml1-M
zC%L6b|8#FRaeHWH7I@8(aUxZySG+b-qn<vR4*oMM34fi6+Pf&bM_j*Y0S_TBMBs&S
z9amHPj9dF4?WZ&jND><Di0W9<I9{al-2BRndy-o>`UboP*3fOwq-z}=FAJKKd6A<g
zjL9oD3~Uu#f&DE-h9{ozdH@gr&=B3PRjlr|tNW_Q&bGlxq@~(0+V68@qp+>nb0nCU
zpe;l;sr)8wryOCF)R)P5)#NYuRSpvM5HvhJEtwyg$rFc*iraynx_iUBGtCu@X?&8u
zNmU55F?H8LeT&{*p>&DwGX+=)p|!d(9_qCGds`@*8DR}Z-ia+{8NSG3jeZfIg7LJ9
zMi?uE%vjSXhpk@{9Hxq;9k*oKP_T~4_GumvDwQ&Ijxt-aid(RoI$ZuahpRh}&P~*C
zy3ebKL)l6vOx+>a3OQfBBtd9FWGA>FL@as=Q+}Zy$T1Ykrb}^e1=#`j)JO7?I$ija
z>*(c<t!dyndtz6KKJa)gac^{d{10H$iW7yfurl*edms^%*6abLHP3D~g|I$aXnq_9
zJ`eobe&15Z%2nJ9Puyy!+YE^|C@dBQ>$CFMaI}|iYB7gjt_q-^Df39;eOz_D$JHqg
zP<dd#!aAg7;pj=T3rwzw*YRJizpq}RJ49MXkK7QmIw$NbyqATrXnD_n=8%Mu;^4A4
z_(+lhN0j$}qSSs_gVEO2)}?=aG9HI@<SL!5GK3;Qk%e`Td8dtM)E1aw+}AQjS7wr-
zNM$~m?*1vi=$}24Y2ebS=>VLgTx6Jc<02iKR57NL`!rL9(bJ-6yoW|zdn;bwK*vw<
z?V{}%Jq-iOHZ&8+k*Az9DP$beT8#TM;VKna)%bdpV72n=pT;)*SE}(CDcl(Q1AtX0
zdE1*r`5m+QyRX+HS${L8i(Gk~#b8TrKpFO1(%f8vyi<ms?6f909T0L|-jHKn7?&}W
zEFuNXJgLigc9^#CFBy3K-G7Rjx-HF-kfaHJ>?)(QUf;NZayaWs9ZeK2x9wZ`cay)p
z&9?U7E3OFM2tRE-2jAX+t-m?-kJ!DWrRb;nAk<;-_(Jv9<0Tj<1f|vG`<J%Id_G!R
z$rG|u?DmlMHm2IAjF_(WdDGioOx!-g6amkS-})=5G|vLZY`$qLkYdfPVQ+So&!qCC
zFq>90-YY8)K<5$Iyi!<{Hscqk>_&xk$Rz>@Bsyy*lm|+Nq7J?}`~;~|7wUgB`#}8G
z`Kk79ar6fu|Lg22b&}+8VY={=1$5MJ>t;d0-H)-ry&IA({YUS@#iPIwqsteR>uUT@
zgx{4By<LR1P9io*L!6;XeH|5I%Bx+r869m^lkK<q=CHv8$1Lf#G4Y4=<-<;^!>ln8
zV{hcn68H>Qe4()07zUdR*KDzlF<CWTWz>e00N$ZfL5Q>RXSkzHX%)<(;&3HJjsjOQ
z%3vmw2@<aKSir+-hy>mf-46B4gl2|Z6)j3x0;tO#8?Os6e0IF9rm6V*g=ihwK}kB&
zT)5bApNSEuBy-k9F~$@eM!YP^zipmT@3$=OnQ7vW4IWU}%eCeka69!S1^C`wig_Cw
z=ihgC=pO{JYxfM+2yp`dd*cF9P4Ogkf8+3K)VnyyI$2(aligU`6tJ$S7xLE`S#7<n
zQ1^-eHw2fludXO;>zku}pJ$T*(0M<f>jqSa+Hs^QJSU$jBGx=aT=sStPH99v$P50Q
zf+vb?WRjT>s2xwl%}(g1Ru)f&5Yacw&{z9AOtZ+EZ7~pY)fVr$U&wwXGn6uCzu$O~
zR5#tqP=>&$l%(-K++E6NTEfQkDYkG3=TV#3-wf+SXw(!4LN4MTet4BBXXx}Z8u3d`
z9DBX>y%$a#THhjl654BpS$;9Xx%o)6BPqW8MWVi&Sx2LfUvkpk@w|V^jbT5N5^@m0
zK6FQg8rgCLwbuUp(U05$d4+{*N#zk7i(P^3&HmcNkx=zlzl&iKoR5#A;38H}hWR+5
ztr)%{Sup6Z40}65!`X+H+?l%b^;Ri*Q>EA;NN~CaTeZh!`v#YJC^^R*(^3s=6{m1m
zlFne{@PptuE`VjicQ5%d0C{`^rt0RsNVuZ=b-?S<SNk2s=<Ba9k9{^Y+eN*9AvW{o
zB?~m<*4z?(DpJQ+HBuS`DZq6A4`u2bkpD)YjcxzN%PKBEVbF0lM*9i?;R?D5bA=Cb
z!2aiL1@qq>uroL44IlBnE$XA~6#wcy8-bL7d*G)I{V{>VBN8V+??Pk1OU`?cJ>V?}
z5HP1|$Uj-{AgP~BYmZZZUA|WdX+3FqIzi1dBTQw%0ESr>Vo%M2cSeGUEt)g}gl(45
zZ?rVQabhpX==o9vn%1rA`pDpOFlW)*FpRI+-+z^{zQFZyE{rZ8X`orh0s~VEor<S3
z-_6yikaRS!Z;s8Vrl(#vq&C2n%}zxi13?O{i8tr*t*1ece$v~L81X3ld2H=T-JEFG
zd?HN_#*BgPU^K)SU38RL+hHoakb><DzxOOTc|IoLqL(PUs}mBLUYyOW6O!#&;G)(S
z$aaUGo}!xdgEsDa-0yT1Z!!w!g>G7vCX-R$__oozRY^Bn`r~ME<32A3=64YaDRCZd
zKDK_HI|e#!*m6n?6E^P!-dE#h#0Y#D$rQ1ZP!8B0pTEZ+ERmY;LE&SCi7v`Fjs8V1
z%J<`xK*zd&>ju-Z{8Oer;O<`=4b%KPm&A^KL8V53?_9tjH^6@o@X4}@g~(isyQE$w
zjT>RjbMbZ=oYS1c%`BDRq!7J1Jt#(1lp6yl?jbP(fppTOEKG-zS(}43`e`*O=l2)P
z1%-|vLK=w?xGFv9x4K*lLDpnwwAnWU9oq$17)H2MI!(oK$(FgOV@1j^SjNUx;eP@r
z*Z1S*X!-4wxap~M(^}knP2DC<qyc7;AaSSuBmb8*wsw1Y=RwrhMZ_LtDqUGT+3Sf|
za8ZMH((Cr!%}M+bWxM=jSuN+ED5Prtx4n2b_EDYq_9{SNPF&IRn+f8=w;}c=P`WMg
z>(e_*wUgXx%5}NTuY9Q5c@>^b>1<y1hIxYe`yF2@O^P|z2hfyZPv*fk3c{Nfd_hx7
z{_okM$P!3kE(tm=3aaOJ-L@!+Pc$rI9R-A|degtj%Iz+1rX1oPjBZj7C?`EuY!`nx
ze;%}9OV7J3)q~tX7CadjH67z>likJ=c+g2DS7{Am2UwWotr-w>KQ-4zMwsl+^BUP3
z1Zqf$?wrc|NHlt~Hy04fP=iqtik(Diid(gDU@PUkF4arq+M27%aZ<9Y#IhbzbqJgP
zhQxjrxMakDvWi-f=j^k9ub>-tw{jFTv>Q`AEj6e8BoFA{2csxaUAf%s#G))?rE@*h
z$AY}3!Z&kGUi!i!d!Yk~Ny|RWzM+KsZp@8m%#C_LtvZw724p!(@Ts4@nm=w4z_$Ek
zV@dfBgTVi&p@F3$0$+_K@&;bH4)y}zUZFawjX7P`m_m;j`h2r#@GD3vF2d2?)y%Ku
zP*b%LO;(0_*z~Tz<;RdY9wKK_EM@o%v?ZG7-=omXvji3=D1r95iLSus8vn8z;M)}C
z$BtTz*Vwr5?(3cKAlNO}8{i)g1-$3{yX@W(t3zg*(0j8ZND*qY?m4xK<`!ge-TxPV
zD`PvdmE;VTl>Gv$_&#Ix{y1&k)jB|8Ff#I#v$x9m18^^dqZY5P(aa1DU4;O~)t(vP
zuTxLDoH4T_VAIuAYwlO=<;-TI$CrU6K`<bmc7NYlt4lW*<UoOT0ae~y{;Fn2zGXL?
zrV4FJPy2Bw$_ht%h{MQzJiL&c^$>69HaU4FDeYm1JiEOO4ueIO)wB(c`$qJnDO8sA
z8ZA3TC-03Z<t`N<TiJ`6+-bFgNxR;7C^Wu#=zU4v)rRFNQQT<Q)1DbngjPzHn@gCr
z$M~9_Rtu?`0@s+;YnA86ssk;KL`gnH<~o!eX3+aLB%N;gmsqBG`0q1&u^nlDsgv;j
z*T<Jl@wIbeYmb;_9Uyc%U`zlI-UpDh{M%UJzXp}83O{|b>)S+(D**9>Q6o|ii8BCY
zqZ-Hz><wRy&g~1?(?XnJ{xT@5Ip6<nOH#<?@?xI2t-^r6w3ikA2fDb0hTwbMjg9n;
zOAINP+(d`$(i1;|PF{&qYa+X|g;5@l!AbYCY^`*T$=SS&@|8ibtrXvmC8zi3tj9O@
z5W*;Y@FT+J!<@fGBXmBi5pQVU)mb3FRj6tP!{2j|Wo9gN)0bjzHwWS7i_r;8U_a-b
zJ7zVO&LJ?^({&eof?lQ?Gze+h26+4%DAshdidAYdCjq%(WvQ#DMk#&#6y+5F#IxSZ
z@^uof<-G;+H;!n`8VOp+GXwyD?G#TCmxivQ?4rKM(WQ2LM)23?AneWs1IZY_NjqRZ
zO*GW-eqPOYzexBoC^ra1N>_h)?&vBf=^CdEf?^@wVNhEB&SdEt-M=U}HIyFUyyKN|
zxk2AVY!g|?M<(9n2~~xA=8^U72!m}+Vj9+!)EXhqbtcC8Z}Gu%d0z{&@wPO9n|z=y
zB*WxvgrT1B_v$!3*J*&MhrX&;0@F3$;trdMbPl%Wx|)Yz08*t~P!E(@C*T62mgQ4e
zjA~Eh*l(UG+}}nCF9Q_ce-p(wqp0n?iTEpd+y&fze{T9kJW%|kaQ=DGW2l;0&o0mr
z+02A{wu_b-=ZKL6T?N)xnAO17$?0<cl2vg?CBjro8@I{U#VV8~7K8Vq@Sj=7eQyv&
zYAWANWm{{=jm)JkYPAo>Br?6I!=!~4OiBn1xLsnx<7<97KK44qY;}_bLkH3PLC6&z
z-WO3R3sxc%pWl?K>D$6A2mLY=hrhl0ev(M<UpXXwF1X$N7eMa+S4Y#R_f(eg-jzDk
zTy6!^QE|G}LZyo`KM2H_KeeXTAN8maBcFMCPpw};Urm-L41y?jK8Vu}fkFb)T%P};
zx8eWy@=QDAz`qq-wn%@D>6}}l21&6k-V$En<H|u;#>s)opPkd1k8^xjaYgqr{oGP}
zP4Hoj6KhQq5nW0GTVg*@D?hyqB$52YYWwM??(w`>e&NnJUEUmQ)WPIq%6a;X?+|OM
zMWcE;W9AiPTCL}`!gy$Q-e&Mr$e{yGz!r~FK5ixmBYJ*{$#YLTTRnF?J{ByfENuF1
z0n2i~JgHN|Qh1AjD57ch(@Gw+g+Bic7zsvl++?XMPAZghc$Bi&@pMnVQ7;I*?Z54o
z)N{B`g?e(d_Dl#sN1zXGl%oH%Le!^X?4mA^heq{=A|X7!#gz)drMSc`9U=5}FDIyl
zZc%9Rgsy9&n8Y(9@?cQfqGd9**d93nbK~>vZI^Ki#eL1htob3vhoQjwus@Foon-n4
zpui_*)8KJvn_7aCHs-SGT9L0`HjAy&-PZe=MMXxtSSiCLY8rO(lC5z9+&LHaK7-LY
zNB*j%KuE=bfkO*#D64Wq%p%e#pN^-AgQ=0>j%HMbR6#e<rz_pOhM@|RL!imtQvAM3
z@&!D|QQWcN3NvIC)FwTfv-JN)nX2U`H0Ovw1#3L=Sv+O}a=mVi)+UTdIczK$&SU=<
zdv6sKSJ!rn0tqCzyCt{>Yl0Kpou+BrwQ<+r?(VLQySux)d+<PL2oUlf_Fud9#g?k`
zf3@qJvrm0@tJc-5xyE|td}NF<pf;Ikb<}6{!C&=uM(H-#@^heYeWW1A$kj2T>guLk
zTE*NVQ|bhw-&XT+_+r+YRSRo`ZjO8wYs?OOWQFanMq@-=>9YHZ&$KBKWQ1EkjX3%z
z`TLsWB3J(vs}{Dt<(6X4cPu6~B~~wHh*b)m=|1^v7GK;`$1xmCC~*!_{60!kS(Q@w
z5cm5ppy^LmRY0Ju2T{9jnfUeAU#P}c-e%D;d+|=r>M05F*JHJsEy%!4)>n(z(&((E
zn~07|6Gd-Yz;DyywGDT^tGdeMI^6DW6LQ;}hTG9sY_~K01;KSZmP0+@K|*ACHrcWy
z_+Scn=}|s`5$ycXkIy3vKSxPhQ)07AnpQh*0kZR`6UJ>9eCjhbYUZd6+uA!qgyqF7
zDrJ+rLuT(yUDMZ00(cdJJ>>~_6=`!O8Zva~KgS2gcs1a^;*>^f#I?n=yfmBhnvDjw
zeO}?jz}z6B3jJ`i>-+chEoW`9yio-acbN8f5^v}o<^+i&8$#wId>TX9a8h-Xl<D4m
z6hw%Nb#jlU7DdB`MXT<|ezj*{itX9Z=vE5N&}dO%emJgWk;>i~RIG={9i8j0L+pN{
z0p;zUOR^Pwc`ADvPi#I7nsXH1w@q32|DgRB5qs4!kvdVh!_fU`RiHyqc*l}s?&#_N
za;s#Qg?;O&m%d6+br{7Hqt{`~uwT-&X;{O!uHghSzUrrReR$(dTtpmJn#aD)V`r5r
zkk;pv?C`B|v!^0W6Qxb^8t*fjjdR}_vIq4s{63}k7~sb0r_>szAUYK2E%kXQUSn#s
zO4R-|WZv9($dDlQv{Z_*uB9YYoG_;6Sr8!BFw)6(7Zb=ii!102>$s_*_}9ML9hq0B
z8VejTcd?#We2KNb5_DqBBfhF2xwdW#`>K*-DcZ6`qy9%Gkf`psYha!@CFSquaji<E
zM*()>=O{H>BYma{+fV(xjxD%d<Jty`H%Z(CR-!H;sl4tx*iGN|)RVZwC|=G9;F1XS
z9`Aj-lJ9z|G}cyFTb+Wk+0GsYzBQtCF69+1ZIwl;*m`1qXnpV~_J*_4bB&hRlOh0L
zmMOpAZavrP0IAfLRfLkenw0}{ja}4~MlNKW{nV+pjHro+LO5B2s-uI?K8}Hnjj|3t
zg%ZgG0g_G>Op!?<nng3fGhL+i(Z%R++!^#adK_C#Zv^s&Pvy$#l{K^V=9(cDvQGLE
zRLuhj7K+I%i5bZK8`j$@l}(Dm>g;K^Q?HNqZ<YPY!^fYq^}UZ4<F2ey7l>7NmwG{!
zwhVU&mZN%diw_&`EHjSTpT6nN<l2)b)AWr9(@HY^!HShwRNy1x3W7H!YUehGPI2CD
zK^xx#Cy$QM2fnbVbfy2HPD0$hPsjBArXB3>$ccvoZ@kvYK!Y$ED{GsKql`6OCkTw~
z+wgG;pR3qZu`WFC%z?G^uZ0_1LF%|1wy(<farJ668_zE$np^cT6za6F7FSn}zMYRV
za1-P418iR5jk=#u$E0cjjuM)NDR9tbaV&<cmt@<B4_lOLu8^&c#L503tT8Y+ZP)d9
zC?0jHgg4KD?A^Z>B;CI&JYC7w0nHa_nnc5=ZQexVsbYRrD3CYQWqZp~$9Mb^M+h;C
zanm~{eQ%aa=ka*qx~rm0E>7%MSo4wE?0PSzWS51wGN$;ma`NiroAo-LU23_>im^PM
zQNq^6ejJr_)@NrLg?uLO)>Jc`_6&5czEYsRMdWpKs=3t1a}7MhkD6-maQLs8wM6ft
z;P!YSo~-cZ>w~i56)uKDyfg&T?*nBF-T40{*v9e4H70#+8?U@_;qU0wan-Eydsb)p
zI!3TYhd0M2j;Jr~xw5mxOlZ8aJK)CSDb)D)sxdivorQy>H|M{D5O;wTTRT>u2mzRP
z!i008>X)X>T7y)`L7bE}&}>UpGoni~HM43%bIf#Gd-80xju|W2%vzElH4RnG5tE^t
z1R?s)kQ?)D2>m}F-YK>jr7qyB79n~8m9{c>NLv2^-w9N$4EO(lul~&&S8DGKzQg|&
zzJkBs;9E@8yQrkLVYBU#S^Oj9m_ye!yW$kY$c30}S8Y!bwWLPCpnjZf%o)hZKLz3F
z%cdI;EQunci=X5>Tqam(1UP0BN5&-6X}LZvBzfa<ZX)#J_(%l8|KB;c|1~83`?&t!
zd0dOzpXCWv@Ss#}n5Kqv5LZKfPtd6LxH1N{XyV3M(Kr$6TN<iV)z?gR6&Xf14$V@$
z+I3!>6>ki50o67{104<_^qz@Ly=A*}mMjZ_XQ(U=H(k`00exk3Rv1E$ODynoY@Ihh
zUOX9(DO@Qn=<FSnKpQ_?UESW?#I;`UOSSCdS?d%S^L0Z}x?+D-ceiP>4OjODUqbG@
zEnYV*7#SP1i~(M{<P>a^A`v$9hHfBQdNaFse%x^+jjbjXgV{!$tG+MaCdM@oThRIQ
zH{HchWy7fa7`2ECKV{-iHQzDe67zKNp7_1A9xMMjzJ2*^v9|ltc+`<v<Qll*>BiQ-
z+>-1G&;1|QHe2{6g}eW_wkdy&oxm}CyS5en*J~SD^xL(q0nI?03usR4aSa3qG9BMJ
zA?*{UGUzM#VUGviJS%+Y$!8V&#+!kH3|9})OU8jW8Kr5NK&B5jU!!0eHMAAx%l<)f
z>N<b_OyZCQ7GMpfe!-PmWzElAZ!gH;>ckJ2bKRnkyoFM*=X_L1riDMF3;kkPmdFd;
zA5y8S&QVLYt0S4_8D1l4S&I8)7VWxJEdt4Jj!1LHOh%kKzP?-kJcDL(psQBf|M5tX
zdvG?0mz_j3>S91{1vL!`$BT*L>(2g%fyI5oZw$UkIfPqw!yt1Z{IdQYfFJcWFkfQS
z<kOdl^39(JRoJ>AcGM~GqC>aK|M>){(^KngLPycN7FQz&tE-ebwlPKU{Fu(LA!fPy
zaNa9YY#7C-F<MGRN*Wv!%8MJkCY@Yw61)K3idAPeJ>tYtt<@CkE!3EgOnAg@*>&rT
zC3f7a`RE!Q6!Z}Ku^`~(arb-gTVba<Q(y@=Vwb^gH{zD&acVd>phe1UY{0S~6<m@=
zvpDWQfC*Q0n4NR@aZdcbuL+)q$y=`!rKq+g<%@bjDUdZ8<+a^r61(hc-6BK>r=35I
zM~AfQ9lqLTPlW|8r6TmE>M3)KeLdQ;n~jTjj~`j@Ukk3Cb`2#B<*kuld^apLhs(R7
z=)u|ghQfc;vr312bV25T;Y!|v=^~I_dL*xvEzcTrq#KYdWv$aedfPWG>AK^<<9xlS
zTT<8jED7n-!pc3?4IPa(pizqUZic8$4(y~Tn2z@8CyFrN_zru_dv@s+4(U+d?XD`9
zW7g8{)d;9kxV}36D0m{*)hUS`EOowe`=eX(vvG(pc!ZjPn!0LakPLYMLOr2XKVZdj
z4NRU`=R*s|vssR>{gJ|LT<kk!+qzxJF~}x}-;Yrr@8CDrkH;?J_j2=ip7^hUL-b$I
zhnY(lwhaN9wo!Ee+X{+rlSCI4+J5VzHn?mjlnkgDliSA);@L!_Lv1Anf!Jf2Z{;5(
z2Se^4LfaLM79hc`<V~j{%33pFg6RcU)YOOFNN1O|xTwg>k+y&5TK~VywcPIN7n55u
zANA=f_&<9pfXFSFJeMaF`prlybw&$ecp;H^PZmVc`O&eBq-YNG$aQgy#-qr^jqRHM
z(@0b`iq`fM^qzl2wEso?y-MHf%T4d@|2gHXUyi^2y8_qS8~yKpU$fqrcX!`kf1Q{6
z6^i_QV-389{1@XSMV<dvSNUH)FffG!?Wth=xDPOd02i#ZR4T99HS5YM*Z$aAFvPWF
zN)l+%f8<a<Z1}XFk*BY2k`a1{q=F&sU}8M$%55yMl9(0$j{OqP5QwZY#FBjp7X5_K
zM?OT{XT)(Ml|v4{#dxvDV-A;sSneNR^^G>Lo=ov&MkwSC+Cazy3Nc18MVWD!>w2DK
z3xju9AkgTQ5^~SZFhT=A2CKr76Ho6)Dflc>c^~D!pK%S_{{{c?dsCtS)O=5UT2?=_
zh)Y?&W2!BN*?t?R(aHF*$N<}LMmSKr(u@9tVWg#BJh=2{0VtiCJbtP+@=ZD>T(UpT
z(cK>H%Vt6{{H7BJbsNQI$}W3M-&Rcj`+(kh0S!tPECr6Z?eof;M{lE``bW~ZH*#mI
zv&LuZZsZmn-gac?HCCFojrVCR&MDlX(d^;SoYPqF=nnVunAJs+sjwcJ%_m~sK{Rtq
zDewlFQ%{u+(fU=Zqqsj?1&s4sRrKg$UgM^2ex!P}N1RC8gC~t7e1sY-S=?O8O^YRe
zR#2$?oYC;OfuaVAZ^8Ztp4KFei$RvqcdhtokX$HsD=Fcf8_u`Se3cw-UJfTxBkTB=
z%{ssFv+1P7+4dZA-uE+=8~Xis{o+%EdXS`o469oU=13`uIc_v%JNvAhX0$xS&2R4x
zg;_)|U>N&;T-amy{8{CYj7XY-{4Xa%bN6|ENJ)hxdYxg-WgiwY>80-jjr{{|O+Q)z
zaXn%gV-a@y`$9w-JNQk<tF{mJYj4u0d`i{-3tsB~@v1H>WPfMA{1(gq2X5!@x9>-q
zt0#x28Gk9SB=~Lm&dpB7L^?DnhIZh_F?Vttm0rwDj#5`hDE>Oz=mU=VDa!;qZsypg
z_=3Mb8={%M!Z6*uW`zLq8k!bA>7OMk#Y#<n{t@`C52}cAQ>~<|^=qBrO00agNFwX$
zB-L;v{(D{{h2|8^@~Runl3msHET%gz7%HLlEAvWRMeOpr_(jui5C3=1uK6Y*G*s}m
z%-X?ySf1hFs%wcebsOJ*z4Xvn+(#gwp7ff6FD%vb460q&C=wvDK&y?<MH#lgJ8;*n
zpwkee_391lQO!;<SQJb@hOKQBh0i_$o!Cv1jm*KPr4`nZQ-9z811FPWsWIh88TK7@
z0>)uC0Wg8xtUO6M0lzEUnWU|nSjSR}Yy-#oV^u?PzDqn|ey@CuF870o$o_Vuta|N^
zxOqT-9b3EVKl&L*Ui&OF)62GV-qlXI{9-%Y9oN3OMn2MtNj5ksc)!f53eM}xJHx3)
z$%q^Ld9&}SU&^{JRpr<Hyvr~nS9_ML;PiZHt2$)y0&OSam|$;Y`L(FgENT87;d`-M
z6O*|J=3sBgu~&Ml8A<)~<AqNVA5(9sC&%PPeX}%n-Zk{daFk(S`d&Hy@ws<xBJ5=F
zJ}(UWd3JLx_a8XJ-L06|f3NZ1`}l7>{_p%}rZYt*P<Wmlu2@ySH`3yaY2)YZ3%t$$
zt-c>NrsI8K<>+{bGV~kgy6AN|wjN&p2ku#w^s~?*lEF>tW2JEG+(VYD&@cYUxm}x(
zxh|Oq-;6Ohtrk78wj01l?axg}%h?s$b^h?2wY-^P$59(_qQ0VGE<6NcW(WJrnr@S0
zL!)W*VgZeuxFkxKAp=vY{Z3!az6~*x2Q+i;Yk{Z~tavNam|{tfr&Lpb%kp1wc-A1Y
z?|dIOWt}<Bldd){q=2`Bng-X(4)wbEbVd5t$)O`yVcS<zh7b)M;nP}t<Ic}_xGWqI
zO;sQJ!zDh#!yofeuhc$Ncj{V^_Dq!S@YJmOkT+_tB(vO^Xq=Y4M~ebn*Mmf`L=}r%
zLc;yg5$01pd&YrPpNJ56#QLPf8r580j3BS=g-tt)>pDE-zV0S^pOrLJ0OzRCj~^rZ
z`DsK0Ea65#BS#7ib32faX1XI_(oY1`(zR8lQgV9>94tvze=^-X(R@6orwgBmWm%+&
z#!?l$;Kollo&?e>$fkaL198(SR7>PvDi$~_ApvA2q7S=wxH~Am1n&bSm8srMU7k05
zA7pzQl0W7eqkLoC3u^uYw>3%`s`o}nov?@(`FrP4{SRDwti{xynsvM@&yK4!5))Es
zuPb!o9I<hVuw8z9{F3ecb)ctp`?8xqk34u`Nynui${o-^@-R=`e~V7U@;;N;4~at6
zZipMba7VlFbOtJQ24Q^YWQ*Aq7G8iXUUo;K(~SbDdYc-BCpSroxg_k}T&hVBxs{jk
zb8MEhts9%;$m3`G9oW~hqZKp+fAx7E_t4CLU<qODJ2`Ad4-O+V;ZmYO8|8t2m;EQ<
zd0?^ynW0f%be0I;wQQ}BRVstN+ZcPo^6p_~0wCTtaJvi9pfK&>u=%j1xLBitZ3-Fp
zlEi8V)3V(TF+?|%Xgu3o385tx+c-}>#+yN4$8x&rP*h<O0<vlmpK=1I+yhvmo_&9%
zhA1-5<Z(`7bPPzvZQ(hmCYh}2DfAtfUDWjSHfBs(x87-|6}abARn`=M9V#?gR?bbH
zcRHF#7=Ea!jX7A4;J;AxG1zyD3y{^TuNMoIco`WY7ir`5>_PvCyV<R+WPY~2zB`Gk
zyCw)~wnizHvBH2YsE|Nb0hyV1)xU|q_qg?$#Xxvlt&KCR2l0p&zF^^JBw#z3-(Mxr
z<?;@Kd~Qg?>w}IO%}h_j6o{uA1n7D2eKLU4w<lA0s#<aY@97aCT7@``2}i+PWmk1_
z5Gf_xVUP2=(XzBUR|NQr;x_(Pk#f#S=4PxZA*qdLext3BKB93(BM-n?U-dx}D|3!c
zZKX*S(!yWPtAE~W*~Jwr)vQ~2x)u~}b6#(IV1e_+75KFZtZe+lHqoyiWEpTZ(`nfV
z+!?6eIMz;mEzVy4#b{WCsAracnPuBE#z!m3BgN)QJYVX9<e^YmNEIn&I<*GG_72S&
zr)x$Rww*DrKq|w^KIZNWCpoI3m9HGZ)SjMqc`m-z!Y^D}tXTfdkb}W#PDS`-pjN?}
zHq~R=i)J$?RSubOmMmW|yAupM$v3kqYy2HnwB;&SuJj<k<_iaQYi4V@#<ZRj7oXfI
zf%JU=eZEV#cf6KJL^ufa=+qarwc?J=?YNv@v@qgqA^Ag4HcG%}XalkXfl`b$nFyP0
z);Kt<xliw#twta4)DMUj61F_tHEz$qQb{P=PxrSAd7o<5xzggwDGA1K@?=eBAiB7s
z-}do=xjRRA#cL_&(bw0a42?y4?!P_xnCC9{KL7T(J(5K@KFoD%+1U~0SlW>!X^O9$
zg~c``zUee<D0LZaXO8rob}>KvqF72%{VMQNK6O!>uBWNqHiNH0^C;x`iD*9Rhqz{f
zsV<AY#Hx>K_az^XTT_}L({h#l_$4#<qCetC{3c`lWU{f0tJOVHi|n!bWK_J|90+m8
zMI+$FQ8?de-kwsyrJL0<KZFB2IXYH>i(YOfoS$bef|TR~<2U1e>`D2C@Dn=8`XXY@
zm}JhWbp`(AdJJ|Kx9e9XvMK$BfH~5T%JC9M)|63B((UHP``zf9uLL6&s_QG*HYq$Z
z2xW6DOR7hli;3KOXuoByNhPCn>s`)qiOF?!8@mDqJU}4+tcB4OaZH9*V-lo!dsbEF
zQy{fV3*L)fn$%4mr4^6WgZ?m5k_j}yU;~_Ib`_&WT==z<Uo!?Flm7h8k@=hz0ABUQ
zOkQa+H!~r7^4M|azVMkaASD}@pC*<#OGCH;CMFv%aHF^t_|$NWj*J`0vMC73DdiYf
zASpQ)LFbbr<IKPSF!IhM4cg?7JhEEAA5ue)U882=i;;z+1!U`^i+fGEdq>(7OD7!M
zy(%|mVf7}&5e3A6%#(K?mm#8gRKdr}ocsU4q4%?mg=ufnE{R9#5B2+af<7?QrayA`
z+#AIAq2(%ZvgNpy?LLIH{u&B9>3Db2aAwf);&YO&%`!~46&+?=f1%%3d}o{=z`3b$
z)sSKv1&6#7H!Y6md9CH>@D5U?!GWT)?tfHt-<Hs(xh<J8Dp<3{^Kj|nw^+m8eT_;t
zAZmI$U%|ileHj+QI&FXK-mU9W^`YUc+XV`J=rrOG{VaFVW&7LAiH-hpwxMy@4@5C=
z_Z4Ef<+de&?Td78tFEQqLM{&_cRB^f@(>E_Z~XS^{5kGjuib-hqMw$-n(|Rj(Xh9O
zBQ%>4EJ`38H~-a4Qcf<d#$1YqswD6z-N@t5-tULP;w?4sjQH1&`2JjDl{-#EX=7uV
zggLYfH5}axgsB3i$7Jm7IATi)3ZcPM4>mVyBUGx@Aa}>9hzd4M^xf3qRno#p^oe|`
z%q;j^tuE(H?Z6bfr$Ew&l~TnIz5^%j^cpcz_0ciI=GqVMy1;Zy%jxfbpN`y0g-P2M
zebIg`;VGX8TY0!c7STw>Uq;gKQfYPG_{(PiY<QRORo?%h@a2<lS_|Q(=nqNCBFaS|
zI|((7c8FDMIt-<emXWzDK38eM#RWk6IRQ;0)|!V-KC|imiUwWasE3&&AN{MYZghzu
zmYNGl2I5xEU|A3bC|<R8oE2^Y{>?djjCHp-DuE+OaUS!%Fwl)r-!`aCWyMfjw9~D_
zKe_BIZ7F2=$WRvv4>B`C(ch1QPYG5?-xHyU`d5;rB#)_3FEq2SiQMY-9fez0L||a)
zify=VMj$Z9U8LmFZSM|Sb@WsCYOZ#${zQd>LRYqQVaK>{Mtyld80i17_JZ5yaYFGg
zC59OmxtS$UX0G43uT;PSb&lVD<bS>}FAaAxEXS?(>Kqe~17EquV-56TpuBH>$gUu2
zBt9tupJ)0p?^lCMGx1+W&&q@0uNGIA%HQkkucb!q;^>1tuD&lwxjwl)0*}Z3)^6Id
zUi!}L^j!n~A6}(>p-))v^4}2+5gy9oKfG}(emg^tFGzonAa0odUgUq~d;fbU|HqQb
zzxL<+|9dAP^M6%TTNlHutfO8t7*fUNs{VO9`vi9Ww$U+TbBwNA#jG~zynB$%(|ajn
z)?}Og2W}yJ9r=ccbHQgaAqE1%?Qn1^=sSw}S^tTAKHWRsw{>^(awXhUnil=jpSiCH
z9vzqcz?Su8<sS_>51YHTk00K|x00=|{=Zn#T+Qowzj1yahg|Uxm6L!d)l_rU<78pn
z*rppmaw&VKY#GcW&0{U&j~s!7#T)M?iVb7r8hrm<qhUW(M=quA2Pv)YEMWO0&rgmc
zk?r#^(^TqG4HC8_+FcOWd#PL+DM|Qu)1TU>qkl^Za+-x{$%lD*%2zFPeSb}p2Z2PJ
z*lm96HRq9OKyTeTWd<02#k`o?;;aTJ8qro*rM}nk3mL}sc!_5D_1V$nkcDp|3uxa$
zB9c^0C)xBsGSZSqUR&vg_^7$we6rDlE74JC;avF_W2#E^uQ9)*TzP|Bzs5933H{Gi
zr25BH0W>6T`X55?oi2`8b>oykGwNuawyPh7EyA*nwXpCMX^$FN<Tp@u{AbKV&e#4*
zI<v+)((*opjeu}fv|Ih66B7f&@GS77@rR6()!e++#GEny);Trl)GIqHy4!%N+;q#z
zJ&h!U$P*{F^^g96V}b=I69Z)NdzKBVk78yJj{bH{mn7)2+AKsvd<{j}!*UR-mjYT^
z@)B8UysA&MC$97t<kjD`G(X7$cSLKW+>#HRD|Az(G#mrR0y<Iv2{M?3<NkDYY8Z62
zGgi`JFoYi+CQR+XK&yJT4ew1_zyi*sel*Eh7WCQHhIWF6NKjHv4Tq2*u0E`fcu5Iw
z&sTI3$<y<GNJg2udAuw19ZQDCC8u#Kbn)buT;HpHJ=aN<R(ptgm6dK<ZK)L$24bdT
zIsfxS17cAMmzWTQ7&ggOhI}qtS<c}jl~=t2cn6jM>a|g64e~EnCZcF~rm&1}O*ZsG
zLd<>?AA{<&v6aab3Gl;@YCIf{`d4s`==CgC^;}nXlN#1ieJ$XoetN4zHQ3PPQ?VUY
zIVUTbotjk;g^^@T!!RUSOCeO*@L`cSaAU?%Giua?7_tiMD!=pEna?l2zRmmXz9@F`
zKlf#nx2?H4i%==MLL#BUdbNV<S6&-ZuT&45`$=<a(j<vA@$=3z&WADj&@vA@X|GL{
zbyuZ2`zn_?{2#<N(%KccX(*SZel{4c&p|2WlZp)84SI_XsA2)p#|cqqX-cHS*PA~|
zDHvn@<l0n;Yc;U$ki{`6jbUyTE-^}a$5B5wQc5X|<B<eZ=FhLQBq}UmiX7Gm)iPf)
zOR+C9Wt5r}z|~G#L^I3@F{-^zpSA>@qHp_M8I?+8FuGS-tEGW4!z16yJIRnHZ7ZX4
z_wL+Ivq@VukvKwMn?ie)v#aSMO)mq|ErUs9f<u3uW_U(uH>e#cu8S5z`QR>5sno`*
zUzTkoKdcF0`g*B5U5tf%NFg*cH~J|+zcJ3$J9vvBfV9QT?|=E$XVEPCk9MB(p5?qT
zAX<;#7{O%%o-xaO8jaj*I7&27EY@)7?kHF#0L`-GQ{i|j!-qgVx=aP?L6(k}r;)lI
zl)99t2NgaV{CMv~!&(r8U{!4twomC%Q@yOoSN}EdYPRMTnqr=^LvBH@@)$~d9JTcV
zCo5tIm#BORhv}qz`EKhqNVMhe8#VrF?b7WZxYPR0f8cUQ|A9+wTgr*5ZP6akyNFu;
zYDkB6xk9j!WFc###mtaTRzaBPMIA@*u862!W=hs<DEbqPXG2{1NgPYZiqvS4O#hpK
z`eefXXmHSqjj86a+bYXREK31gly7K-POMDbEEU&PNdQD>5G{R_CD<Je=jq0&YO}`c
z`vkK!KXA9+?&U4}y^KucNq!*_=-lvY9~2igG-O4bn6nel;L(1bO*DmIhr))8QPbs3
z&%!AVelI|Dz>nYKzeb<AM>cB?M9F_pGjoHsm(N;|Q@!k<#i5Ju!#j0uB)ga-R_vit
zBF2iv538uueQ1Bx-lH1GV3ZOkK2%#vIarR`#2h%{W)@wNL{d(i8M-)=yE$-LV=!$S
z`BjpBB|Dy?tNFx{s?ZA7cW8}QR>h<1DmIIX5|^wTL;GX0-fXmMZ!J_>>!4BE!Ypc9
zc~73Xu4)>(9*CyT;w@iSSJjP|4ShfrV?2x~9H=KtnZ+PW=O2L3TvR<@)ZW-eRVkI=
zQS1PCH7ZC!XnFL?^tDl3#rCUOHY$A%VKr<f9exF#@Kt!x$5z}#0r92cf`yYh9t{!4
zUSZDY&*tTm%-;4Z2a)@ZHpsN{In5B$f?_OEG@Pk+=z+A5RsCW7D54-ODodSwaE2a8
zz_>#VN52hc#!}Vd<2t5liEhigs$%9Za%}t6b93t~65_GGu=V$SHKM_BSLyABVKu)l
zC@hxm#1E*Q^GbU7MYrZm9b!(>Z@L*;bOQ;{_?DTlVwH+~iT+fOvWcP*>`0-(BvFje
zveQdg3RH>t>6%&wEYHRQBR8v^%^S{GD~j*B!J7!1@+2tUC(2PdFds&EXeZKCMyv1e
zEvCs3$O@hf?p2V+ga$h#J@lKtSOToL!}|ND_-(81_a-ohNPhY0H<cXGb~SCOo&mDP
zpeXCup&HFR<My@$<v00j;>*b~t6y+kCpbz6BVKnp%m#2~D{{@L158iaE7sO4k$RIL
z2#UO*6l9X)l19U^YxR6@i^cW%bfQZFU=$<*9Y8Vsm4u*-g2QT$o75w3vzaiQyVNqL
z92%+j-P%4g2AbDK(N63QoUX7n=_rA&RROfMZ`BC`j+)<#x=l<Q4{%o5n!D`wf~ZFa
zC>13%Pdtd-d6||};<|qxpH~IyDp&SlvyUkyPg*ibUYt#VW>bALx_~O*vNOu6i|1eX
zB6^7ru@(DACY{!Ck5d%1I@QMUSQ9EC-STCw(+EFE=h#-{NKJVe8bQ~D=%ZbSv;-pO
z4rQ{MO(MO`abz#_AEiNRAY%2&tLI>!<3NnVDrRdRkV#bw+LJ)ftXO%5ewHD_X6x?f
zTW1-%Xyd41bA<EG*#3}}G(0Yhl!=l(CN)63@L(i%mcJC1d{ImDQMXMkD=6gtLbKmE
zz`k8ap`_gSZrsR3@Mkc}Pf!JN62`$)gHb|6P^|!M6g5Yx7_NVYcrHDEq1lBZ#Ku|@
zR2jPJ*wFN_v_6q{9urp))+%0QyNpV}e`>Jm)-Ba2KqGesGseoF;Z4Uoo1Fv3q@v}F
z2Lp_RYS(Q}%q4vdqO;6v<da7$J<%j#;BSFmKRGIVnk)5@+;v^EaMi|(n4x-DxjaJP
zB>t#y)9eNUEwdG(o_@7;f>iF0jH<G^lK31stD2H+0M>^jZ#KwILu~;eP3uO{v~4|5
zX9WE>HVox~WcXMCJy3%OzwGc<H4c<lR-~9`{d)2ywTIO$3%Y&Y7i&|s%JYQ)c;yh<
zA;q@dNY_HI3jTz_PLka~_bkEd%wHejQcNOmM!wXF?{HMPr3n_}QGc%b*(Ct<*!`=x
z3UgcW)WX%UK_S=9_|4l5;z62hSvAnhB9hS%K!oVDRV>MRsO7abuGGhEN}HMzq4fia
z5&wi&x(kf7u0dQM=s7n9lvcIqT`3!_H)}_R=`;<&I0F@#OPzKl!hPM^8*Lm*z%{t)
zHj9-H&Gn5AwE6X%f#O(7o?`Y%(M@^LAavgaV*7-597n<V`GX`pJ;rkxi`cbsSjl77
zHBgvXZ6pK79okv;U7_?YHJM=v#K+~r*erepIY>5ham7U-w!FY<lm9&9u;)$oXWOO}
zlNIIifu%AvYRwzd2IgS6s{^2cU#)&~V5&2qQrEGV-!7SGH3{w9HLnA3C-tp0pw{88
zx_*f(C+EJ32AIukVb}&PdUuL6^wtX|TN1FwG|&8fx+?4&EO<|>1{mh$w+su#hawIL
z*9CR74!O8L9~+oKyXLSi#yYlMh|Uj^*>akZB<Y266*$2`ndq2j)uOTNgCJ`xXABrf
zi~MrYmp5c5tbG%IAwCh-m+CAQ#Va-D6~lB~M{f2R?4|0CZWkIlZcIhyd{Z+<hv<Yx
z^Bpog`CiC94=fmBPv|l71ZITzpfm}|G@5FzdAMQGq06d8NhZ_aX%$49^ED;gND;|R
zSIS6n$4Vzeiipd|d8~Un$lIFc0Qr+Qio+k6=lv5G_p8`qxl@nlY;7M>-wQ3E*(B`F
zxHUypyVT69M@Mc6?9o*pW!_<<M2n(|I;ziI(Z%x~QV>6<m75*dkc?z^s@K4pncQg;
z3(P_hHIsM5Mvp4yo6r(uFNkoFk48Q75})!jm8LSwLO+{IQJK5+{B&q|llzD@Wfc?#
zRXyO7T73vH0b+yJfrQU_4jSZS?+nQ>mW8ajpkrA&inQ*gaSt{Jq;(XY!?DED?D@X3
zk1={+N0S!nu%8t>nGwf!LXxqkfiT2h6dkoj+XoCkH{$!7oGJz`K7X#2^&F++O9|?Y
zN!8F}Nn-WXnhf>1rm0M=8|>7ChvE`aNi$R6lmya~9+{fd2<@q2+n`x=a45KB6oPDg
zky8fo&m7Ihpi^05<KfIO@##!PrsoJV=c1;}wfW7IoS{Q<=ZdCdjOYFWLgaFl#msT%
zP*}a&%sQN$w%G@{wQm~R)r4YV1~_q^!O#oQ!OwND@HG@EUr|C8TaWK?z-s$9x8D}Y
z@7hUNfYgE~bozK`>I^Au5(`2n5O-XElv6V7%Oqf)u6T6g&Upgvg_N_CMA%n*q#G)5
zTQcmZpTFLOuG#N43qMlXQrr%!H`Cfa&J?i2DnTBOJ(qGDpRnBM#4%TIWVJC{pbZx+
z#?t!SVYf07PqF7Tq<HTZi!%sBRgLi~xSpI@ITuseC!d9{WMj5(&CuxIIU$pcX=g|e
zD2+Lq!(VpCZ+w&t>hkHcwm6z6B*QBT(cR0CCptJ%)cMlNI3wOdhR6g(0%BLJSjc<2
zu8we*MA7Ix(O#m+9|+zCC}f)-ViZe`pdMLW)!jRQ4lZ08oArC<Tl7TNG;()#?jOc$
z`|(h3()4oblIp5nz=UWhB`^AYzt8VtLkAZ_jK}cM;|c|T$1KI8vrz`+Fqc%|p<=as
zcH`>M<O61KYTlUG`_`Eft5>1wFYi^;3$Hpfpsy+WgSnBd4x~2)3&L@}@hUWsGQ<Vj
znvRafILlgTui<+O;S`rBW&lsMA^b=tdE8;AOQ<NFn#_A^9dSerkLs%^*1W!_NVJnk
z5^+nt-6ZqCB?=Bo>*Wqy$6`g@%mZU`nwdrmX3IJc*X<?=*M+zJ(sIx<uFI5+efKk=
z6ds5%+;{O41C7wg&tZJzjzX3`E%%C&`hAS{&?2Me!#y9~7$Ae^kU<@%f{B{&Qpz9f
zHi&k(i8&e?N}M$nDQDRjt)F-`k!>+B&bgGKT|(^fb0<dnTeS`SPUcBJxKTSX!QL1E
z2%lgD?8E%#Zj6ge&Eb@Yq5)DGmu^041f=ZXnB8r%x*Wmn_9&KRNsfeHczOVf1Ua^*
z{O7Jy1O!!7Tg~%|HkXnN(GnPX1coubk$mk{0O5Tov+A^%f^!Uk=ydk2l;PiQJ?O5e
zL4h553qNau+a{)0<f6O2dDf=(3g`hb<&t3OjQ_5>j&XVQgQhCNr*d&qteBWA!AWmZ
zfg{XJh9;ht@+3uQB&zX&m6a7A0cm5KV;a%+mhNN37tA2yU#T9N!y*gKA35de<(Mm%
z=z`cn^pJ?=6XN0`*GX%{G{w<OI2tN+2L)|R+0~=I_6UNV(44Rig;#FxHSz)c$(*e5
zZLx8&zbcOb6XOr}jn*@WGM)FP0xi6j>jv?;PDvyZ$|?n24og_2e(}Ya6oXd$r2~Bn
z+jTsw3o9#f)MG5kw<w)D)v?!n^fld-M=1sU*T^3}r5YIjJ+z)hIN=cj*4mz~fwh??
zcN1(%jcOsPfUzRNmNE&?X=*vOjPP-ghp{&`@{h5B{<u{(A@ANo_}j?-!}K>Q<e0@+
zBRjXDc9StlT`sE(ZNyG`Ln;7s<7f84<}|+4P%sV31ZQRv&u6-DRH;EK1u=i*)Nh0t
z!e@p|oxI1;U4!$?)P}yc^C7*H@cJR#w(1voi%Uy!EQ-b<RSn5{HiGo|7y`b>xK_n*
ztkXCx6FTBUJYS=oay1(~+R=)Ns^2A-mzwh6!IzZ}UN=`WF?DOoFff7X?Vq4fB;qTh
zMD}1<cN;Yti=$|8Wvt_kSDLkUlQmqEMNzw}8ZmH^g9YE;kksMhd+&gnD$@WlIcx0p
zd=22oS6en~IC!0kOrOxv>Wr@kG920=boFAoUYVJ*k@_>krp?(R-G=Tpf46>Yq6hy2
z2TU+mrX1rnG|F8erv9j`vl+-fFp5Vc*LE0hZXuYHk!ASRSnD$XjsH(?rh<oA2M71?
zP8|q*&lG}~Go}LfMcP_*X4gibQK0_O!u(D8<jp9GkKFx#)TjSH;|<_MIXvr2x8z=E
zZ#Pa{s|<l{P96Dx578f=l+2`F#s@hIcebJ*@9wM+)!zMd>er`O5CcZKBoLF;8If%~
zZ1>vWrM;kmOk`u!HC1gMCR5S{rwvUpYS7V8Dil=p5LI#79kwKY5#Ps7a2lqhKx9_&
zqk3HkJbzMkl<w|5qh#&Z1ITku6Pr&zpFa4~GCTM3+?~8Tet_*7m=55w_&)CHz2<>7
zAKYgydpK>LMIs+xRofqi6q47E`kP;zw+^dU>Zb#rE-oyuboz}LWAqs+QO@rp{}?x=
zn$7$rC5s8F$igM`o0dYJxD&3dQx#0%A9@0Cnx(kLsD9f}6Bc&r(Ll}h<jZh~LF6!#
zP@vSN2sVLbXyPgaDW*6oaS$Wh*Podjp(A046<)<ey|ZMw`@v!{?Nd{+!t9=w=Ih&R
zrRaL&bs4tg7GXVe%|*MR39;6AJPRq>s;(dlHc4NL6`Ru^w;<#`jiJI=GjF3lvUozt
z?G)>|l)vs?-&hBHg!wD6PD@(9gJ^Y~30kg!kY#N>!T{0e9taDHUS|aOjnDkdVZbf?
z#$<&@vD=Ou_odmsqOCs$Ir!Z(9qit39=O^h-7>nHLV9%?Iw-_X&E1u@I#x7|*zskT
zACCq=QS1Z8U}3Ej3>~+Fj)j#TLybuU>)}v^uraz7lA%_-`u*VB6P2mTqBZLfcD#PC
zWZheWf%5Qf{nF^%&bS{le9pJ?CXAuhJeDb6VZ5i5*d_<#P*kO=T6s#kHwMfXT2#@f
zZ`Ayt@TV4}6f<zu(`-cOx6Xuw355kKMqIo6E(-V-37eQ|^GN!&7OAC&6`!V_X{~vm
z1ecy@XT7h0+$q7|QQ77N=0&#LtFIATrl<5v2R{o9iq$yIDUQZ;k;`FjFf3oJMcYgI
zmX`S8x*OQ<Aa`XbRcrVJdd+!|?n)7L!P*sm%hc-I5QMh7iB?(U@IA^?yT1##0i9)T
zLs*E4{M>45m7eO>G<L3Eh#)VwX&KfvtU}UNS2jn}xW!R>GKqC(V=f|q-Oy<-SSCL=
zzyI-enH$}`{DCdI>70q@SJ@>O&ehjW=}M(;N3e$(#ono7$5!$m?Q)=DopdN8rAgp=
zK5rjQ!~2RflRtvRW^)+4h?fz+9EZE)j|@l%E=LE86n*03DtInD+g(EJKudafUx-u-
zc~4nQVu#y~9xPany(KNY*m&%Vd46D@#3;*I5xWshR2{Qg(yq8$+|^`A>%D1QD6RwC
zGyjsH65<Wuf_AitRv#1_NPyPk;MgLo`jYzUiNOT_T%0lqt-uT`>Z3R=6eTXcX;f!q
zw^rf8x`In`Zwpxipk09L5B@IS9w@)zxE5yetXhkXA%$S9hRjiE-B{#IukgXpy|{a-
zuaUa0kAZ7_S(k7pB;;tT`tY2_sIFF(URI}OshMXY$O5C-dcPG^wboMKF`mq_lV>yY
z`E$<qQHDTvlz{3BjP7gJu1V|r!>g;%R@K@L$=kQ$S<yx%b0^{CpR(?oCD>n+^*`T7
zjn2I79dArw-5)C*4<$4ZFvPR>HPgz^BWFiVR!6fPftt<<xy*5XKL@<G7-YO4-C)?=
zBef%6Z`}PrAbG2{>42Z~5^=o*(eIly%LoT+<O3f?Q6KNu=YwCrr7GS*Uh=#Oy%)(o
zJX)Bn{=L|g`0f6I;Zd6I(Zbtd!<#Z$S)_e-m!2KhFTH!TB={m;&mr&vT!D~hWboEi
zSt&<z<Y=YrfLi(e5!WTN_V2l&Ne>zL!<2|1e{G!B4)(@Opszw^(&fl;Mjsl6(x^-c
zyyxOJW$vw4H%*bddLU7xv|mv1ZEi7}_+u30RMz<ZLmbck6_4v?7zKSARVN|Jaq?SV
z1z2%5_F9!Hx?(_-)9j1-8J|ogj@3Bc)=V%cE_=Jthp2iEOD^AGkV+|(K9Y0FqjB^o
z@S<ldR&)js?0#HqDx?Q(awC?S#YfMfp&Kj4_1p4}bYlqe)MhQu@y$78HxW@4Y%|*}
z_IQG=_`3KOT~Zuw2QZ2J5%r@I@t`>J&3!(PCzd7k7p30Zde=^|7x%q!3;U)21t98i
z+)_=dCKR*juKn<&SD`&1uD0n_hlE`If<$a{q0K)mma4gVttSgKx09KLv>e=WaXDmS
zn_>-5i3fUiw(w=P>QkDlG)ePt=`J%a<FlY#(vEI@X-U4Hn1W1<_7n$buu*)}f$aSQ
z2R<_#e$j8BZtJ)vR9txUS|P2O(4UsyS>G}aq6CrDG!wJ~%X0K96Z9%t^u!&l+u~t?
z?GfWe;LC@HMB#e`^;|>7_Z**-)?wlTJDI53+c)%ITQQ)e5-&o=lFJXA5E91;gYw=m
z9TZuOHy)m~N}jtxpzaEcQjHPDi7D7{voLm#o<&kQUANFfW+o+XwQ_qFa5wT^oWw?w
zb1cKQ{++45#z=e|Pv}RqrV*?7LE5zObj@K32iL||@^k#!B<ZYb(|zm)OeLYj8>S}B
zE<Lk4dnZWLO7;fVQsySpa-=T|P@1Igs4DrUo-$ciI)Qe9S>2k7ssqYfP7jByf!BhE
zsFTys46zdo`%NK_soEpWYdmt=ab1KcuXGFN(6GbwuTPaEO<^Pn%0m_DZdHFpliwlV
zUdZ_W60)}=t52Zugn?FFj?WxP)qY%9FfuzstRp9^E4Q8XeaMZ&TN+SrI>06QT5Mk-
z8FDRyX7=WeQI%jv5l#>PNyLd^BCTowW6cHZ{0M0~z`Je`8d=pHJX6ejvAMCQ<G;8u
zT}*3NtR)FZeN)10tKY+tCd+_h#{M~qd|Sp`kglc?#7W0APcI<nUZgl}g?ApGeZ0zd
z6l&Rcq_K!kLK|&60FY7zgDRj`90?ND)O^u~7RhJYTrHA$bm_0;`yA#tSIo#W%`<^(
zN<26=$jbK1s8Jfzp_;>T=puF8QRi0M0oaZ7ZE7vH=lc+%J0k`Y(2S+)kJER87G&y1
zSqKijd~)a2n%8NDYwndL?XENbz%`=Rm_J3LG~H*`p;(=BDeEeQHrVF=7}Na_T}oHS
zS5iG5jcM}5!<>jZ7;Y6rojDH)g}7;E<nnD}DN14pb|z?u6FJJeeG>Xqr?0SV4)EBc
zJ&lY=)LPb`0IxN6pe{mV6&rZ0<%1d`Q^bZ<X(Ah>|BJTE>i>*-<eYqV&cE?zQ!5+#
z4ay0RBW0H!Ug2Zb#A{}QIJH>n50NpR>L+}Mq2~J80*^iD@H6f(g&tfzP(_}L2^!FD
zZj2B7_Q*0NR!*8I1Bc@}@a=sf9Nd3V0Yy4WeA9Q`O1k{e)6wNP%2)H|m-avPVg7$z
ztH|m<y|6CV6}#L|e<w?-Y|69=oByzF^u=legF8x!6G)#%UgZH+kWcNkIOVO(=&aI`
z#xMzADLW6WA<?^3$k(rN_<GSH4-;mFI`!xLXFWifay<0TCg;u7rOQ>6Rn(}vYCioI
zd-=pQXIea_N{`(ta%BEc1@8zEg<I5)+7}UQ>IM%p33X$Iisy<iFJtWl{JPYVcLcTL
zG1>D*;9wW7m;}^}P--mm3E?BGeJK{7BC3zYqdv}S6H{jt>geWG>%t)6rb?%6<I|A{
zDnwVcGhNiLOw~YK+GmL$_in!y@qo9S<YQRD{3#wcQ>=rDQ&nR%EqR{_l0daJCkam$
z@6T-pd>s$nezXbIaa9JkdOzU_+AT0)AJ!AM?W6`*P|20}msauh&uIB0v}s2%<<8Kd
zWx7WGk)0(O@D1v?%p9HeiXuI^D%0Y=!uG8xz8=Jk3%u%oajdRp8?R{+QKbDY8sNy1
zF!JrK%tp6{D*d%e+ASx3ka)GIUG>cKvm<b#05nl+lrc_#vLl1{5OVZD70%Ny5d0dk
z@!%}PT^Qy3xo9?vGvZT_Q!co8mJMK|b`I6;##UPKdM*=YXskR0SZC-;vH>zMQnFKa
ziZz>bpCz*xPmD5S8-D+Z%~ZRiY(JV&x`1rC#ai<2H+&(p8feOf*6~(Gj*XETN8gWB
z)wn|qNEyE9z5;OhWur94M{2!Y<V6IS=CTC6k8=_dulV^>*(?N8iajETjt-Huzk2xS
z7BoQJg}Z3iEz){gN<soU0I<Q<si4L7`gAft6v8;vMXg$?1NkDhG3m{sA%4>H=1&r9
zdjK0)K20=;bSLt*01#j|*`zz`Ops7jZRI0dZ33)J+A;uET<)-;1c?^x8J{1F-f_pF
zO1rVu=g9pXPyE&+_s(V7S;?BoNeA7!2nrk4Znq6Jy0T<W_8Q=BaU3Hsv<MuiFs>JM
zMcc>v<}5LR;1CZ!p?q_F*8MqQ&lJK1O+cF@REPyWF{W@Api@=gn}0PrX^>nWUh}M-
zQhFi$)DTwRK-#l+EqriucHDfYYGal%DraKmsZ5#s)ADdIRhWAHD$t6?EpeTR<5fbg
z_nnOcXbj3@<#Arcj@>}+#NOqeI6#cBTJtcaD-mj;N3Ob|82f~d`XP@e*i%ib-t5<)
z^VQX4<(i!wzJd9;v5|hQ$FX&dUKLDE2kHJqN8If%CIt|}Y=g|SyvhX5H%Ky5nW?5t
z#GbZVo29*Jj@Ho0k`kJ(Z2kvMf7OexUZ~Bkn@dO0)Lm?qJx8Th_qrLSx_}{{u9ijS
zNcIKLZ;fKzAT2k_Z5RPr@)uUfK|_KrpC{(%fU1AU+f=Owo+ZLD!uA&Goa*AEwbzct
zYoc-1YdNeB`h`7c7{tDzc+keG8qV<PNL1{6<DFTmc3_VNeZ_P0M;U<6qURxyBf-RW
zR3u{o))P6el2Y)#=|hUCEDQ^3$;Oxn5c}dpgL&f;M<=F>4vi~Mj3#oK!tg#x={iUe
zXn;*8(sJcnq<O|CF5Bzb1_hrZ6>EbM(C~DlLv>lQ3{8#E0*_N_TO@G-ig-;-ynT$(
z23p?3R|U=0?i}g{wT)Zftg5bRjiRC3subTiimx{{o3Ud#S8<u9LNQe<u_o!&ju)&*
zC6{1JDftcQ$W157v;mn{x|feAtUt{as@ldInQfREm%a`NP;2dh;PBt27erb&5siX4
zMWdzy(Uken*h7Mg2ZP5YIdlEfrzAD1Y1pu$b+F~InY9(<(_3<0;Ha}XjMCs@y;PN=
z3CTMAONVAgJbrOn(M|rSUcTU7#`;taQU$7_a|EL$wiI{)-o+1%uhr!uR(`<aE#(W4
z$TqDXj5Q;YIGRm$o~H9uPf8)JbO@Bph!AoZm84#ILRH?Ts}}Ck&DJ%h(a>4EtMkKV
zHsz?K`&|Xo_qgQSxCDho4-fZjWrq<=r`!dqCw}oXQ&stReLG6lU)|x%;#qihfJuH8
z{U1U7Wg6=L--7xTlt0yaVNKLopH|gQlSDf<a`-&_IeP2o=kTComNjcX2NsxI_crme
zcZn@xN7Et^hlO5aneHnonG_wa)X*`j6br&FS^p>-MmU91A>BudxU*Ciu8}P-mWI0P
zi?#HpHZXU_ru8f-)7Rp-Pm{mYY(*l#eqSQwuF;r66RVaZ0kjez((C9S6QuiQ_QCOf
z1ey;IhQ6?zh4Pi<YN5LHD=)j*qKnJJ^r%8i>X!D+T(!iiV9$<RV)HG5zK@Fynfd_(
z9o=IiUBX{1C4H*KKWv{0pcCh|&1Jcb)YEy{fNk}1Do`f1K+glcp=FC`kR>_4aeD?C
zlPjRm_CVR@Bw*Ui#RC!A2f4!;3Nvc9*jd&&ybe|f?FT9syP`n5TMv6+nkyIDh76Eh
zENOGbm%eO`dN$`<v*UI79vLU!1oB7To#gJvGyzv3X()qSc46TKxu?9W$!HgZ@!X|j
z+fn_}n?h7zc;fy-9J^E~f_va`er|TvWRgY*c6OR7^lWuR&!pYAb9{A}Q(!nkto0kr
z3w9lDtI?GI)XhP_Dg~1;Va%jSqDoR0nO`r9p-jO~JiXFtcr?*rBM82848C<Nwc;=@
zVvupFOCd=<H?rq{NIcFQ-%TKSGnPl9#g#os8uok;n~=a>sch1<Csj@P4k3v*rF!9i
zQfk^lUEe%0z<H7Y&!t-Zj1FqB5wKzdSLHlm*TM{qRk?E+1wnbHEXAVa)}4|gx6Q<$
zhyDsAu`i9a$rp-!-8nsGw_lPabCAvRK8^{{H9kv%S31tq^f>dB^3|ZObi~97Ft2GK
z4$0X%M_9p{sj=iYl)CI#N-{&P_K?|zg3<D_8$tdH3TFOQJ++Hc^|K`upi=Q5HK%Yb
z7+NT<CqT!3FMt*;Qx30*n=p77jpWYW{-D7N!+Sjq(=(Y&nw;_BlgrT49Bq6KrF@Y!
zySG^O3F{WF#w<EJGZzSa&Won#c!nxR7u_A)4PPnY-WP<;L%P~ce@_oMj!hlI2E0@s
zglDI&PEv;wg%sN^GxJo^LW}2DHtC}+-N0TCM9@gUVALUNI#-qTP*I<uWi1a=F#k!{
z*}=?mb|o{8H_>bCar%teikE3pW!9wYxx_=3WUu}b)APs}hC8aw=1V4UW;16%08v07
zry{CS^)NAm)_NJi2Dc@Q>TE?V>eF~OGY0B71#}q}S$}W6(^>$kV0EJBNj`FUzRPT6
znI7Ps8hieU8m4A0xsRuXn}8s@^;?>P^D$4$WL0(Bv*?F*&fyCGme^U!3!3VQd8;V<
z1uS0i=MSyodeGS%ayTFiDVmI$>%2R2SWy6mX;_uIFgC~_k`Tgi^8w%8vQ9S>3gEP)
zJxmm5-u@9pIDZt)#Uuis!pAGYw>*_T(DWlEJ$k9-6YspatWlM{+gK?M49aCuUCfoR
zBA5y+?7ldojkCY2*nUCqHL0v#fgRwC|BSjd0IK1fU|`tWxk)fqq9Q2e^RR9zs5b_V
z(w?Vf_l0w06-eYNbqsdu<iVc<n=Z*Rs`W={A)g?P)c;p|*BRAhx2&Ux6cGd|QbU*C
zdlivhl-@yl7XpG5A&PVey>}6$cj-+)482JW0zxR#rI(Q8#`AsWu5->UYu)qXu5;HV
zKW4wb=G`;z<eAxP@BK^<&B%-pHC{etoOC=*cKBzXz8o<E;5SAt)=b=0D5c;wFWF-X
zIX!NsCwqE!`VL3tYf6fWN{*hm%SmO)uE_drlF$4aAvc@jZT01z74)^Vw0!CnJLP1$
zttlU|<mziv=HtR45<h=TN{wSlSySJBq(!VS+gfL8df#NHW#7%EG}41gtk~7&Bz3P_
z<GBbzHSTS<DUC{(+D%Lw-(UsokKWP#nFh|N_R3>VD}VO|Kf8vEzP*r2ONsa9%?nOs
zCXclqX_y<v_a&Y>2ThVr*~BErICPQBl>lC+OV}=u$J+`vkW0Age+FCPHr8d&Bnb=F
zf0n@S!=+8|@f@C&Gfb&`P2XveCzyBBk-&$B>ppbWAz88yhZ2^IIVl;rz7jKb!|;)y
z&3bpgyxa;8`-hOo1|~v3xHXhSP6St#%CIO3kN;$;58lr20D9Ot;WL->NUFxc15`5_
zP82Kh;E3eJLdn*6ll?3AQ%rl8+obuO$x?Sl#N$tNt!9m?Kj&4dX1$JXbD1)kGCmeM
zZl-hq4YpHx_P%?smS=lJm)_Wx=n%j2V~3GPAKR~?t7iHkYqr9jMsX(%6e???HMTe3
z<g{+?rRwpP87&Rwszi8~@udEgW#}XOy3@V6*yoOzyGUCV>cQXY#yKV>?&um45^7e?
z@bsQdH=Av|DgROy?K<#Y>lLbn&-u2NPeveugQu0qneC&_*nP_I(&U1WZsI5__Qx#F
zDiNOK-#VY)@(kq?_(43X%03<hPklx@n?5^AXQ#nD2aYPyogyo7jC9gVet8jQ!#pM2
zr-yBvWFU|z2`YTT7ta~zU6)}q^nS=3E}`8YS8hAv>pvni+UqXb9cNoX>zBaC;+Ac!
zXO^Jei32fJ=i+1OAzv&K3~_!$@QsM!!NE|mfvH!KXnn(jb1{bsdS?lh%>F@ML575_
zIrkQ;X9Y>`LffoqQ;KUZur+1%_4Rjjx4p7k0xaR7Wc5_p`L~_TSd~|z$(pC6NDb8P
zlb$lV!c7UvmjzCyI)Ye67?pQF2G#EcX>ZLVCoa@rRP?In&%^I4jXRmx2CwrDLIiTQ
zoQhKy@{&Ggx9~fS<JA9X4|Ji#PUpW@D{}v?i+25V$8?#pMy10i*iDb9zQbhgGCYnl
z6-hC8n4mKDJ^DNRzVf76HtO-VB3e*7+Kojq%<aJqb{)gX8hK0YnnTtV&GuRYdi-&<
zM|eF=5qOdC{4BvIj8e5RpomaI+n$bJi3BzK9nI!1Txt(Ba#-Jg!++^*pL}kuNnE5j
z*=BVT-I81(^(9?8UkRr6o#x?}AO#M_x{nGZ$`OuO-hRX{bV9hwUirTj`Qq_FF}aAm
zUJ8}(w(aU=ko3rPP;v4xVM(m<>Dz@(@<_LaNy^&fI9#U|lY%f=y#}#NF8XEt@Lz}o
zN>c^wQYkE;xI_>|$EyKjiv*P#%$ZCRulCWe)sB0wNbZtu{me3}bE_(>=B?!%KU}Vu
z=jsa_9(wRK+co8$u^Pb!x0RSuSLcl5U9K#FnUYC~c0-)$qK`EATiDO&hl>(i%2i6q
z`39_lGsX!XW?hVHggUK>II6~(7A1;Hq6~g6u;$a?=oQsF^)Z>=^!Z^?RVpVRl<byY
z&t(v7%@##qz*E<S9S!h<z7Gx{(8P%pA^xFcf)jVpzN_D*XwVqR%@4Vi78~1v{h~J4
z`sFui_rr%N8XWbx@s8D4B(bZWmjnlF`5VtZSqQ&%7I(V*)TGc?bOY8D#-J$>QG^vD
z!WE!pD&grU4$Ht%+Rbb>Q4C1<X+@H3?D?`-Hz}m*k%z5c%j&7T_M<ZV(>i_n=^2?0
zMJcM7EVl@&<tnRn3^8uMYHtNa^mMLoE0?5JRGIl3ex}R>TIZmtCn_y$GKnlvCjmNU
zrvn|`zKWcAvw~u6KY(K-Jrq^xv~Kx|G+i6_ni$v~zfZDKWaWBD6Ti{J_A$uE7Rt6B
z>Toz9Zk0$=ok&pIBjpe6xZJCg|M0R<&sld0B3<Sj34Boau2<RXL`7oeVV>k|hZraP
z6RgNDU&=o~f)dmt9aFMHvBR<i;nCSPy(3whu}=MxpsQ5K2sh1ZTj3Z&MX~^aWTQ*P
zJ5j0x;aH{_t6~G|WVBvO#EY)%T9HB?HslR;?u9*s(^iu%g;E24uOS=QDh=WqKVwzO
z=-|_%a}oxYrtS+~4~>mzM}#HG?y`1t;t-ZkM}DJfc%r?z%`gx%gZ-m-tO1(>=e@%B
zw2`TenXLPh8K4){AF$Te>|ONgPumM;7Io<sPax_wIX{gHT_Nl*^YBbU$;c)iwAKz(
zdQ%9kZo@zjBdVkuPP<`zqU3j14r5j8j_1p`WhyK;52c)mBz!Hj=Zl2f@Y05yhg+l`
z%P7#XB*+<-2u@?=+h+uZZ5eqEvi-=g(0r?IS$Sjfa!lH1Hd@_To+QG6E^VmIp0r%m
z(jY`1cZi8Z4mZo5nUZD8y*IPGU2bI%@2QM)l&?UG!9yy;DL$32Hbu$mOV3DL#qn9W
zKEz<jrEdxcZep45H3&<qvsJ3s91-fuPsb{U9td<7j2G8~Gn2RzjGX!M-x@i8`cgVd
zCEPao*86TaRWYn1y{3GyJjqp{O^zI^ia5;NG?Nimwd$LKS&f<U9ZrRqmgv_v)h)Gf
zjksv7Ci`EW(SLHas1SYw4XN;2pfJBZ?W5|zLRAn{Ajqf`%a%ufevj9JII)Y|7fMiI
z$s7;OF|<q(TU#<4X-*Y^KV&E^-^q4Q8djXV4~3>kP4yQ>)iNg=S19_E?FMqKDWriM
ztjibdszxS3B<jtu$-4BQM2_+iLk68`BEpyO*%2{#x^U6|js0N^$&J{z|9q;#>)^2C
zSMx*|IvBe~M?}^bB%%!uve7iVa><W_p@YeAkapFn7n*`rfx^t7r+B^uQXNaxzYM!h
zA;~#)y~E}BoB}0hoh{s}9M%9dAniz=H>%&CZJ0^6A~gqMrnFDr!w?9AUw&#1uuxOU
ztUMv>zrt)GQCu-R1Mh?BWe+)>F=S9veZ&2|gQHoTUBEsYqcFUNV={oqUbNCD%<iW}
z*v^^jfuEtxQ>v6)QFYzO9L-jZcl>7YNwlz-SM-g&)si<F=!{m@r?JV>brDMo<cDPZ
zZ@@#o?^AnM+mr0#bEgMK6)QiS#aYI6x`L3#rX5v<1;aCbk*iz>p3XNThe`wX_o969
z(>}|tON|Y#9GVXZDvxg4ZhSD%LiF+VSu`}EDtIgmCMN8*+Z8-s(1}}2EXpr!1D!c@
zlZhrYX`XIjEHd^F2y=6PCHc!|hym&l7%9Lz)L7fdBY%>EICS&e6Fp_JESLJH9M<<w
z+4fxubliwxiGjifHrC{i6T|LbcFs-bELqNf$B^;E`NC-5U$XUe3M>wMZzh`d-|uf9
zZCaXzgjOGpQixQul@AmxqJB2Ul|*BqtcM9Ycv&!AoTE_<=6=Fnz_xb;AqeN#t%<dh
z0B+V7t&;`}_EDLJr24ix`{0)*eY#(7paJ~rp%xSgr&<|`U=v<xs+QPAxzNYRdgzIx
z$7M%KqNv#xXQKN7^uKXsSadgyci7Jlj8}vHoF1#PM*E$tXEJcGl?WAvYsVD!Ilqo0
z*B_C;`1m6q(M7C~z<FD0ZS;iT<(%)&smZ`Y0s)HMO4%~C)T!f7=`H(OrXe{zuFtiM
zlApFC$K4oo9^hO-Gbmr1tIa7oQX*a2j-9q-eQ#6VIh_Gc6%KA)8mlk7Dz4P%fdbWh
ziNNIn<&}ZDvMORA*)n9d<L)VKd)N0pIze0z445Asb;P|>F&Kxm@3_kRj({M;XPt@u
zsqiBAX|8{(V5cW@cBar4qW&CsMCV|8;LB@ESzv!sdo*5Fj9h(S!#i&Z)=%Xv+jJE4
zTFh@2C87!7UX@1GoYpp9JVP=se?e89dKER!dY|EVHeE;LbwplA<bQ(y*BE(?k=Gb`
zowcvC_J3U?Ut{DoMqXp&HAY@z<i83=vSfcaF5EB>^B$O~>p(^i+c4l$^!eViugMXp
z$z|+-jIQ0j)CrrRlkPoXRgH)RyUlT`gkA=ZsvPunCXM84y9G?-Rp96<(d#{feCeVt
zEk0M4na4Cpr1-kbq%kciq?(>Hki%k869B=Ll<oXNhz3}mp8n?LzWd@|k|)`6bY}$(
z2<9L{?yusY6kG$HGYergRh&o0F9=W!_jZUm()Mk-!o~uUx3(sfrAuq>3iA4G*8XZY
zRT>~}hc@#l--`5IISey2oS#GkYEMiiz3q?TU*=EK{A=~^WQmr3w%lMk87{c3wfs=r
zBVEfbO3XLhVd!?wbG2LJDrrU?kepfjV=#lR({8Ry$0i%~d1mCD@y2NrQ@u=$%3oTL
zF;(HMMcXECL(ZpU;vZg0r>wV|y>_uwEa$=%*Oa;RSu)Et7EFf7uF8KM<H(V7%wEwR
zagtLO9313WsVl@<RsNt}LVZCoDi*JxtLW9O#w$8oBiN)RR?G`x4gaXDD9>d+NPb~y
zGD|4Fk^D8gri_}&a#EPQYi@{!c`^gxW$^5~h*>v`HsQi_);pSVMwxMFt{{>#lZ9%i
zw6d(E)<WkFlY&D%E_3;PwkDB@^b5<vt4LT0WVUAe!>88El#GHRuxG*O^IDG529Qg2
zyM~#2URYtg2L~-^g2IrrJbrWJEraEt1@U+qA%3)lF;5X0NpdSGr*f~;d96oC6aT<a
zsA)|RtkOD4Jrg(2Mk6X=IE7E$$b;SVwGW|Ok;&qNi%*#nB?8B3ls=7p-r5jj5fM(C
zS{$(I#l3<hCx1#gH^+)V%V*@&EV{MrQ7ov$t*AQZhI`Vt-v?=e>DEAR5yi_xj7Xq6
z-mNHRosFE=er5&xRCXMDt#kWscQh1qyW!H{zJ>G`wfZzRX?QKV!Wp!20}B;}+YFvi
zAzTxE>mJ;Gx<?YRj8+3d<lkQEE#ECXPn8^s-kcwqWp3!%6A2?vhM|(zx*}mON4`&$
zOh2Avol%XxQ9_VGwy5_W|ILN%{b?vS>476xTeL_8)?okh^OK4K{&53Adbv8T!mTHE
zqQy5pI}m&70ftsn;|r^Qd6Kg?Xlut(j#oVzj7W@Y`q{-S=__AZP$F3R=}A_j3sL}{
zV`<*dPfa)1kUujovv9@}kiN`q$r71r|Dsv9bdUOO!eF}Y!^gu1y==8OxxIqE=6xYC
z1^AW-uC_PZO{*PDtqp3gZ{ZlUt`(ERG7ewEO?LNP@5LyH_DMphn#Fv?_&V~0B&w~s
zq&v-Q4x!)qX&vl#qxn*40weO_6O%<cg%#L|LnYj?KN!#e`XXyVEa`)a$y_WfU6ug`
zZJR~yfHLu+DNPv}c`ddOA6sxACmKMPrqM_QWo50GN-AG;ic;JWJhqO%+SNP%E+Wq)
zW@Q)hKtu^N7(7l;!Xyrh!GqQ$aOp=y2rywb&IZhxPXM>blEffkI<Hh6sYB}x-XAni
zdl$m(oxdblz~XDXwMM8+@F2oDJuJaGDjxAzD!rA}WI?3wRzJ$r=+^tZw{sEutd0f{
z>-ueL0P6%7Z=IM>yOsFB9n(~L-X&{jgqW(#F!d*$$Kj@pV~#m1v3o!{(qUXyJMndp
z^rk_`!50e_C#SNQZh2qIx$==mI@FZ$Umcw!>PifZRA2$y3a|!38;Z9=74r9%<E>+^
zIM&Aa?)HsXif}>ntv>xMfPI^x_BU`n88Y5NAhpkLhBB8rOIwa<_#684k^|j=xDy*<
z0r%;jXf{|eMtg5xMwB+I8!Gn>TOHw^v((@<=(_32r0MUK{4`K|!tUMv_}QA;OY)v-
zZ!DP}Su!7+I1_>IOp%}6y(apUf~b?9=Y^R?bSz0P3`(VNEUzz7Vg;vb-i8d%(K$Zx
zmVU<JP!6mpsG#q5F-mIHfgftxG1pRl9J=Z`!J7V*P4^<)cT6m^Bt6fAO}9yRslpTl
z<=cMouh<^-e}3fne{6;G@DhP=w{+EyY>s3r_F~n@IfUN#V3sVoG%GXNL6hAs8y{77
zF2$d|bNM7#)qUy(NtAfuz6wlYkzo@&{~-arkZ~RLJ~2vI^@GL@H$9!@*3T+=iU!;t
zrNRx|<XvjNr*J=6ga$^e=myin5@1Ip7q5cPWAa7)dZ_(w5|_8mdmXR#13hNh#ik?!
z#@ek}Z($KM;@7u3)KCQHs)yoNlEZC7Nh)jz&M(`Mq%8sd7P@6gei>I}(_1B7ib({5
z3FgonuOATMXpf2*ji?BCg_UaA*fX#sG8e=%C#tdfsx+-@DUmpY!rY#e6$3nd%L<~Z
zY0^|2wOFk56=xhnoORnnNXMNN_Yxf$n0LZ=svebfk_p-5S_7zpv<&PFhnQl-R)wX1
zlZnlcA$_H@aHradmZ~5L-izOA@#)w#9#4v@9x}bRe^(nC5_glB@75XHZ8$}Pn3Y0;
zq2MkED%re3;rT^S%xv`DPI39?fUI<TVY_*c;x`GTuEU{M4K$G<+>On8Tm!AhHn~^y
z0dMMv_n_bizo`Mm9pOi}sx|w?MtaS;Zrq)V9%e{nY<=SZkNRG1W#mGbyLqA}l#ib)
z{xCyD0O14AVop$DPI$$PNO%gvw1M8v17Lo)KNCF%AOOJXyT48Nm#k|37bfNlLS{c`
zuQ?xM<~MVxuikFe@nOa#CDxY=by%B!b>~)Za^}`{{~?or`7n`TEE^mSIC%AQjYnH0
z1p>6w(O5`4KkN)NH{5;0M&NByI!5d~QCp>F&|J<KWB&yzw})L$Md@rJQ0TEXS9pV1
zT`-i`kNoiw@YFeTtV5hHimM~5_B*2TMa};1b_aaWQX-1xavKfU4)g6{rL{!^dfGmW
z(zPPo2P^X=aJsCdJdWz@F35Bnh3dA=8cX&fM@hc_JWEw=KUhGR7$VFh8xlzeCf>er
z$V#Yay=m*-dV^1U%X;Id0Re_x$)PX%l34{`g+G%-HAsa;g*n$l<%}71RFzB!c75O<
z-zZA$qS!OnfT4r>I1fHq@?)@kQN1KW#^@U2Y)W=pBF3`8R9b#*;gyr2wYZ<#JXIOC
z&v9!Fh{ht)uyLwKs_x<BXl1h$;)5j`kcq&g!4Kt~MKr}FI47a23rA<Eb8p?9Wz}R4
zkpc)+gqZy?hVf}R_dTm2l=s`|rSIA_B{KchjA;wX062&S?2mk6#>JwO1j%1U<a$It
zMG-A^q5-^hJEt>P38F&a`moJ0|J$?R735Mng0KVFA_BbVtnIv%7`y~Q7pRG@mgX#w
zw6;jGjfKM|6y^q8pv)h7`(8f1^g#oHz?)}aB-nSx7q~8a!F~qbKm%sb0Qsu0JxCbJ
zZKnzqQ;W*-e9MCs<L%UUNHr!YHXPy-74BM;CnIu;SdRo?LugEQ>$%OEc?nauh}MZv
zqRBS#a;Q<e!MOHPGV~DB>gI^S$RXA9v`&pJ{3x59ny&MC@OPua*h%fXWnCh+WMkiI
z!rT1Axw&iBjs@S52<~+TgL<<d6INf<Vi^OLiP3-&0pO>=W6Z>w5u!79a@S?yRSRf9
zE*emU1`O`v7$@B#fZe>K;9raCx8@7BsgJx6w#?%*_c=%*{+uS#mgLdHWt2~E^*lk@
zK2)7KR;qfi5^>q_a~8ag8bAYnZu4$J8DKf&!r3}y+nQlJ6neuTg{r1I&0!Dc8r1Z(
zYvMXq#l!E#<OvzAd<EI3`L^_wFr+9SLU}OG;*4EG1I{)Gn2EL+F)U)p`)I(^Ry4pQ
z`z8PBMJz)0JPFZxgo$J{;QdU`nPLwbAbM(m1}GVUHO2lRL=YW+d>ZHg`~r-;7>U5B
z0{(i6l-b8vx-a1&I|M$|*+T;`{Et<rFs(c8A{p7*!;Tb==5zN=s+t3CuE#x-G=5z&
zL(&5nIfn^M(-LUPpAgL5_6dfE2CR|JV(9J;&(D3)07=o)65m{Jf1ZNr*4sR_2#<_-
zr!WFPg#W%c>ywvS&{&Hrj}i4FC;|WW?mpMyHjUqY$K`g$(YKyMzYSyJm4fa^dp#%0
z(r?T<dVyffjLZyN`$(;KijK38t*B{hM91h{F>lZ4#aw5-8uZVxf2JsG^#uA`^u3h7
z5I_T{0*!M;QLI-=N0SuG8&^9^utNBs<LdVBcftQ6@`3%S=id&$Wn!{sAk)RxonJ>N
zZ?|3TgFnYZug&EPY0zK9IMM3hmE(ouFd7iiNqlvJ{a15+{`%l6as2Blr|B=^XV{@F
zO6cm-IvVh0DIDb&bR~rbWM?9D+g|_mA=}R<@Tuuv#J^A46TIT~1uQKWNCzGnMwXh(
z{5fj2OUXX0l>RLw7_QR65Ls^V&I8dE*_^yiBH0Z))D$o9&+(yo4lr?s?zf=5hf?qS
znwyffbe?$t9DQaHmU~nOc1n%?b4;vyO4Pp{`&-0>gIO)$PX{&Kt~AbLH~u>pL!Zbd
z@*Whe6<s^{+QHWmd<_x*5rwZI;u?eh$adFBZdd#NQWZh-#|H!bW3>}qe95Uc#(~Gq
z?wF94P2{>psD_8jrCz|(eNk9=ky!1j%le|g)!KWZtvhNr1xNf4zZiQvpOj$@_zt3T
z`6l;FL-2w(MtmoN{`AHhWY-e1{#|CkQV5v03G5nRt5x6J72LMvpa^K3KL4SLU-0O;
ze{@GPGVYsBU9g3TOv{LyJT6kb<+AP)QvvgecLwdsp#ePi0#^&b%m+|f6-4GiC&D>v
z6lL)_cf06E>of3RFtC{&*e?}$ryl33Ne+<^f0YQO@p_1I!}M#~En-5XV%iICp7Trs
z50`QFRFw{&0{>AdW|4)_>ez=`yTU`Y{GFn|eFF%p4PL);L%}>`n=$?MDs%r%&)>d*
z1~i#_(MgR4G-So@{hn!6o`z@X8&)j2_iVUbw%wp8Vm%=%#SEFt0r9*XDsz$^9!jri
zLlruojo1LMMd_0zF5Z;E<B+PebKu~2(8z-!WL_@n1!k>qIiv6(AeacH`r)^6gSMBC
zXAoCJYkM*#yc6V|OFzK8ASf*f>i&5yvSS(fX$QP0i;uE!N5Nh<SQK!BJ3ph$;cK->
z24^G+=kSaMG|sy$i&-Sh?*ZpEp-A|zs<ktsYrWTgxQ>VG|HU;vT;t?*zPQet|DWmy
b%r;2`81L#SY6(*_dCTqt|EOHS=(&FbboN<&

diff --git a/example/system/amp/openamp/driver_core/fig/e2000_aarch64_openamp_startup.png b/example/system/amp/openamp/driver_core/fig/e2000_aarch64_openamp_startup.png
index ece3508b32dd54a48b4d98832cec77edff4549c6..f4ca99edc5a301f64157d4840490b1a58961c476 100644
GIT binary patch
literal 136696
zcmeFacR*C<wm!Uvrl?5NSWz%nBS~yTR74T<8e6W0<a&+`6R`n_WsF!r$_$zluQ7@_
z!~}wZQIDQ;l!&6(Wo$ta7?fC0DK^lE2tw#E-?QGm_Y`JtqW<#T@BY4f{)z!+X3s9~
zyVkRwvi`#l#@n^(){5geyNMIt`%jLuSj=&X!j?Ap$s6Au8;1W_`^_Ia=0AH!-RB<e
zog2ehbo^=Jd!zppq<DCK-k~@BZ>jIr1@HZ={ASUi#pjb<T_@UHx|zKAc5=I~=ic_a
z?Gd&w<DaYJmDeJZu77fBcuc@<|I<~eE82BFviEZ1v<vq2ALUn<IXzl%J9*)(J3r|L
zlqFxTaCOq{%$t4Zr_Vn>QPMweWlVVCebp~@8*UF7uw>fz$I=%J2#mQrD><dBde2;K
zg6={2?0P$8%{^t%<<7cG`<L{v_HF<5^DM8%OFpNo9oon1Qm0mOoNbqfKdS1Zj)a!E
z_4d?7CKM~U_AY5-bk)xE(g~rBPChx7+%KyiIi=j4wlE@MT}{2#$<LlEIH<Gt{dVL+
zr^0DoI=hsat+~U#->z#c^UiyIA%Amqy_X~YX!Fg$Ctfx6omJ=PBk>#6^SwUf6+s70
zUl}sbw{J>q4IQXz%)N5m%```j8yEb@N%x>XzQg(>_4R%~b?4N3*3ie}-S%I%&_o?B
zx~_U&GqCYXI`)$fH|QQrJF>~b#n$MBTHU<9Asok_n;hLBOBdVZ=X-^h{8C$=u#@W@
zF#A$$UVXRl=VdoaqujJ}izcgzrY%(TJWzDqq2_a4KhHY)MWk2!m|A6lKR$uJ)W-Uw
zs!s6@)eEaHrN(RDXmBe{!uOg`eC)Sz;di_?Xv6D=)IYedE!y1ZP@RKMnY8Akl~vlp
z?be!tmi>Mh?aY-<Ix{u=w+s2Ddk=G^`CnP5K97ow&v?9;E7hHe^HCO-d#V2Ga_#t=
zIW4%5+w^(SGeRrx@4xHpr1D%>k+0pOJJ3;W^|WtrcI@nP-kyy({=yl>Cm%nn|Exb(
z-#28*sTi%U{*3`ooaXpDam5?y#Ca>#^WwGi$L*EFkFWoL^VKG}J-^>*cxUBer$VPA
zORNhnt@-Gu`nrZ<D=x0pt!dA9yQO>?A4=aTBk5*vc7DyZnVkHWJ<8vSjo)`wpXyP&
zgU(*cmlNYXj<-|4SG1<<@?-_K*mc-0%axUp7M#zq;@xxFj$G-!jT^kI_CQijaP}Av
zE6vmaCq9iH6Z!E6&fLbW;l+zq=2g6AuSnc-c}cgzta;yO+m7nB$7w|DHn)-I$8e+8
zL?ql9)8S*yn7wZA{_RvdwUwoP`QCUPyEA&{Jui<94&b;xPmlfP=c&Uv|Bmhe+*6L-
zI5lorx-lJ&IvlOr!T;(!-Cny!9?45DN?~^`ejJ~lKE{&cd}^+-+iz3T=V;%l7`)>g
zJWx@NwW-Q#oS>k8b4lBRXM;UQxIf*>U*k5b6Y786Ku^+<=i&jLd|2cb_>kjzcL|D~
z-B2HoKTUa~O!&mjYFvm^uV6eG^bC22AGYE8oOx?n<9+sbckz5Ur_8kEY;UIR$0HVg
zc;&Z!b^Jp}Uo)z23$9@HV~^VDo;5$u3(mdb8g0S-vgRYl=_AvB-0+=n8XX*Or{OF%
zy*8!$mpg{_ix0hj;AF|8u9Fm8Wo1@ERZ`$3+mlO1_u|%PCXeI#T*;e&OSJs3LNkS)
zm}CA|Y`11BIPbAd-%aL9bK>1H4a-*RaW}8Em~zWO;p_YDwsbr$+~)0v*T3B+DTM3N
zWr1^&dw>ED?Bcnt&J{ayHsf+GEowUxOW4fV=(8>-T5!U%U0)HtvNBh@2Ny5AzRR7k
zE6Qp-=^8w5*>!hs7M0WOc-}iMWzA1R*<BnTTH9yXlMME7*~Nc6I6YF==n|stSagzZ
zdaJh9ZNsk6gFbuAy%nuFS{PK%AIBE#6CR4tl~-K68tcx{%DHOx@?KT_hsOyION&7d
z4>%lM)IZVJW*v@b0hSeo&#`9*a=IVlxVV<M;T^=McSjCad^y)m`EYv?d)8`B9uDiE
zt7dPz{hPIMs-a#r!gAxj=-#~{Sh;Yc<=2eYuTW0f(U!3}wz5B;bi8hd!<;K+Y+>5k
zmJ1rHX?dcS^KG9ndD5KdTubgl{pk<d?fY$R!_okU`d^Du=pMsOT$3@&ox?@nIc-^h
z&W^un6Wq#^t|e6$ySs8hgK+!CC&XQd-L%A_AV%G8<!@)ctsEzD-So@xJC>!(HMo`Q
zZB{x~g?@5`<GOU8<IK6NPae11CH<$-zDvK@#%X%r>K22mYZGy%-AW5CDq!J!T>WlV
z(Py4`Hil+C4k+A8*WqNq&?(<-)zISR8N9q#)_dM9?u3<3b?nx~TAe&@xPt5QFyh*|
zN$yLm``+TV2j1<syJBNjYtEyc^v`?alIO6y{7}aBJ(irWjn@6Am=n{K)^zz><OJVo
zHI?JEUyg|!`CZ4w+{S&wYDev^SX>yP;I=Qe!AEf29xqw9&9WD#nOYLkMp)kt-g`6y
zkCAWRs*yJ998YZhfa^Bn^NN1Ev1rieZ9TocUBH71w>Y*BOghu1?M#bR`SmWi`5*r1
z<CYXPXQiEmrgxWzY4Q1*%=>ZLC!IKrt97s9U)SQu3^&e-D=xa~#~B`0+^7yC2fO}d
zPUGj<eF9pjoh`>5d;Toe{Xxy;$5_}0n7k3Uwij0WK3A?^eErLuAuTypOB5c|{n^G>
zxoUO=t&#bggD$hZAA9Vv=S6PIv^$E*FYR<tOvt)*{&n0)mOG1g#l%geM;6x&&*wzf
zkqM&~c9_DcC${<eV3gnLnRiia(6aojey1{8RbPRPd&lJB&|({`((7_8v8tz(VVkMh
zc&Dl=rJPnUVGr*zXPOi3Z{q5hr~Tl|oRJ*oZAELw2xaXEVV&JmMJLLh)1+KIwzSg}
zwzPfyT=Utm`Ez=4I$NyCVr^4j{Vq4b#U<^7A0B^dtv>ax_^*aJ7u>Z)TPrg{Yq3=K
zpMCP1+zo#3{sl*m$9LzfnsQp@%4;56*~ods?(R49%vVFz<EC~$_17_7{i-<5qardT
zP`l%P%>xH*p|jF6VodF`qHHf!^hi$AAqRW;ouo%WA1Ezpxohq;a!XOo6%P8oVgDd5
zWJJYSetlXWfAVwem7^@^wW^}Hv8n75M8D_LYs$^@VOU|#6to=i>FyJD^rXZdRrbfm
zg2yUj`4Pq9jg#hds7kO_Tj65wiYXa7{qsyLY#aPsA0DM;(JMZ1xL^5oERVv6tV!;A
zvScGZSQ&TW+tekj{NW~7EZ2OCyN{l=J`E4<`v<Oez=IU9V~^$T?p2{wNVz<AcJhkN
zzKy--$Hngc{d3M=II`*Nt#wEDguS`vh(eQMDI5UpZZ-KeE&A3Jr}8Ud-f=6gaT@M}
z_&{;R(-tltcXOg^F6wVO`@+ekv+uKgeOz1aX6Kt}VUcXL35Y%OSnIX<?XcKjUygIM
z$A$lO4r+&0bo<hVxJ^}YCbx6Lm)iW{tu#^WY8u{e(vF00-d=R?^kHr@tv!RYb8U>C
zgMxnqJ#tbNId#8?CC+Mlr}P5%)FFXY8TLsn@HI{bcbKxt=S(ZkuXOAEACA=(;%>&`
zmUnXf+o=h@)|_il=I0q$lCVwqe%n`>cmCV^Qxh$?pn%`{>^|gn7R$ts>j!W>&uFGP
z&KyDYZ#PBs)x4G{iZna?R^~15HSMP!*7)^XsAuU^Q}Og+>u&D8AGwZD9{;BA4HTx>
zHF1wc9hiG%(aN9l(zfhf=l<YPSKOo}pPbq<lKXnu!;DzpOKqldE@yx8jJ|sPJ!g$(
z>dGq1QMk_CufCh^wInyqQ5}I2<yloy2U^M2EpJmE>2u^@3ty_xSwYy?0b4O1FYKo)
zuJpmWbzmRPG;KvKT0Gy4)!?SXqKDJ?)`Qj{j~Q7PAE##e6-{<qhAIao^5~M1=nIO)
z>_*DnOU*>0e}>=6tCLnaV7X*f@pl9B(ovCEbaQW@+s{d5w;o$+4JwOurymUoeg0@1
z*FJH}>@ZgNQ(^Vt6D%y-R7-oJvTdiH>9V${`;GKmH?MR@4i8G<WVZ4fI)QgA6OWu2
zSj%d&=!);+>F<)4<<A?H-yl5nXgla08MUMQ(f#0sb$*@=!VMI1%e!FmcsGm9k34FF
z@@}1u@m8^;z_VD{At)QSW$)pUo^eN#m4(^-S;#-Or@<<3`SM<zOIk@ImJw`a(+96b
z{e3meE&n3bDg5mj@7XeSWc-c(9O~pN{^dEikBWA%Rq)I6MY_h<PN4#2)$mbq9ju|Q
z16A74_>n)wgbWZC!O+HM_E$z=ZM11Ub!pqG^2o*+-Lq^s?d~x-X<EJ!O9}L@iwLdU
z+LhC^`J`$`&eH6BR$~_FJm0T6!0MKu%U;PA8@D#rTe=_8+3?>#1>4L#`}ydK<$h5*
z31zleo1Tm~5h0#tVed%vFMT7tQeT8uj1Ia|9-M2zsT1y0b;(-g72n7jR_X)MYnATD
z{nE_4Y1YiEDaLbEp3Rr;-ussnCMajIuA%Yg4#W1ST*Ws$w`ZDL`E@s^%dNPAeA}12
z*ad@F4_P<c57jqL7;6brzMSb5e1F++1*=6^2l?TXD7rPU9c<;7uL+^gw{~4_!Py4P
zzu@lAm!8hr7<7OVe}o4`>49Zajdqas)#&$b<FkHFs$sP!EvYwp<hC4@khwGRVHBPT
zstEA`8&ePNu;beI8}^+y-*@hRql~@$m*9#6q0jlQ(Qdu>>9Xll4=K_MR^X-keNZ=3
zv2prKy5FpXQZ(-<ijsnV%sq1eRbuKv3-0e1cFe1JAgs-v!I}8BYOB_p^dDdSz~TF(
zxo4Jn*3c;l^y5a|UWP;Fd%pOS_{4tGGo8J{`}O6xTi=x*$LI02F%Fu4*}NGFx&`s_
z<JMg1pH|>zrtfw0wl_PN?SW?u-vPhit1?^jQ;waAeN(URI&zv_nLDxf;(LbFU2;IT
z$ev04>A`;HfxjAM;kUGw_Gq@e(6Js;;Af@BX#)(cpN<NzjvfGf8yuR8t;uhqd~NpE
zv4VW|m;`S}TowxybD23fZ*=+t{jzNJt<Cpcg_>8`&{gv}+So<Jrc(EfVrh=f*=6mG
zu=*h<mngV;w|P%97^IP=5X%7kwYHOG>7VF<2yJAA34?dMYOe7B1J+>HCyEFPY88|s
zs^{4CX!$sR9RO8>0af7(EA>qKhWl<n4O~iH;&nCD#mp)^IMF37?l9j&&qlp4(-aZH
zjwduuX2;<%!}OJ>-o-NAP*3;_n%WxGB5WO;(Q)~Nhr3Q|%W0;Z(VS!73eXGC2fj<D
z#v{s8_2exnlu9^*by13FE50o!jOnwm#_Jz(?GNpLFj*PS9+2uwvHl0jcc+vCX?Yds
zrg!C?)xEq*;xG7n5z10l6gWX=S6_@zK_7mi&Ob2A!gr}vr;P0#IJ8aJCGWBBe`!ui
z2RtWY9h8$;bUl`!vwH^{+pVlrX!6+G`Wb^rRppOWi>!N&u6sYPqELK-f;&-dOZb{D
zttl`xuV9X+F596%>}gS#?C8Lm!BalB*VUvZ_%PV5uP)qcghIWil~Csa)agwP6Sp3C
z$HmAx|FRtZ?yu>7Rb}aQV#VuXyVf|Lt6ceL!zT=F>J!Gc;BBq_vT|&=Lm35|+uqFa
zYQ-&jcrf-$_llbjms^OtzJ1wiGOfQ1$ivy%Brmg{yj)?QfGP<sWcxNA>HEVQ^(~09
z@J9s~eTbb<J+#PUJcPXfMN}3nDJa<x&QQnpbnc>Xwq4_O{MK@gZaRBA4o6FMN($<&
zCU|FJr61pqaFYb!Q&BK`PQje;-^vAuNO+6igNc?s6yR2D@G2^QB;J`iO57SvzKM7z
z-7>|00E40%Ofz6x7h;23aubBIY42e?30e_tEss66jN=-&u<ZgX-i;n3*S^h->d#u<
z?#BZ}$nEZd1k`EE2Sktdci^&yt{pSn*I)M*r+dHX3ics4$IDMP#hpQar?k&q?KR^2
zt(qsD2BZ90w9v}8{nL%O(i5hk0q6+K@tcrN+cfSyxY9)t3A0vay9iCLd&A8f^looB
zT8Qgj-3CR_ao;aK4s!uqXO85kBR*O=D0XcpAbZ#Q01GIQ0EGAx6m;49nZLhKwWUVt
zYkOQ;uTxH&!aUg?iH5T8qt7hW=i_{Im-Z;vB#D4;&e(JH)z7e=@tshrcfp4RS)EU@
zJ*qb$6755lG&skfw#{5!&LE(3{+;d0@260`*z@zMv2M%q(dc1&KIfem+H;EIiHOVB
zEn5364ajepmE4JH)H=u5jM1&Rg7q(pKXK~wxt()cZrD^rm~YW?oC|B$VTYcD5AbPC
za9>zt1_5MPSDHnm`Y|wyDra%O=l9>SNs61_pHSwdjn=Y4q8vqTpT@E(v@M)R2Wk+w
z==adNccGT{mo*}s6ZdwP1*^Qe-?9<$diF431*bxJOZQtUONJB$Kgp<H^jkmAkjyq*
zTpJt5LjS$~WxIFAazVp=J9x1YPm7tvb-rn70`(c+B*W1xslqKsM22`$$<k(1Vh0=-
zdfhI5H+s4ZJBuQ^J+-ybAFl<pj+JfVp&^6*LO=<tb8y}U2WApP{>k9jxBugV0@~{d
ziKZ5+<aBUfd%LeKM)~yG#&N7w+}-`i8sIrugdEh4dt?oePWtEV(T6Ph<jD4R+%3N>
zoLiyc*n5PH2i6vQ0BGXW&KA@x6RP)P#7A7f!d)FWHN#%1`9sY%ymRK<_w!qx;zr%e
z>bx!EaqDgo<33Q`&)J%1BmIuepjD>m(fl5(ix2DzuteE;rNyAXDP8T`04q|s4hygq
zo6vPja?^pK0PBe|J;~bFzfRn1Pd($>I33&a%CF-&xxa@REp%;J>92oTlR7zedk<V&
zEJi8H!p%hk_hA3~r=ci1=O4M)uV^frrKnAzJN=F_7duMTSRP=cArFJk*|GGh>bKgH
zO$@AnPAa%QA~*x6*Mgfg7x3`l?Ce&DhQ4dfMW5Ha1;ArZM`7{TWqQ@(_`I<U4!Ctb
z6R<^p2EGU-Ze0GwFqMwbB21>dk`K1v7*?4X+nCAbV#=Dw4aM^b4=sI<R;Wa(9as(J
z6OQGNK|J++x3%_v_aUvDnz!uteL1GnP_!y94_;x3Jv(Dk@S?u<3YRp?y>~bNWg|zR
ztS=3rgwYqk>_J!nxoYK+ds~YFKhU?Lc^6B@CPn`{AU5<8grg9!RKt4XxXDvGCHRhY
z7}cxqrcW;YNccHx(Sci)p<h5B;uf!YqX7j6>wF8=)8MLP#&Qn=XI!rxE0~@M=y88u
zE6()nn_M}u7HH2mL24`D3tC;~NUT`Y1Th#laedu&i&1NE{i(ap0=PKz^L)&X=*j)z
z@e)hIcKejjf@U+GK|G1~wxaUsoZ*-DxmH;C(hC#t(25_j*fl7ZK=VA04R1&0YP1+@
zaz8wJtbQAvGp%fsYA>Z~3oC|V{6Zk`B=?dUD#_<u_4W)O%CM(@zr8GT=E3zFls*1(
z*#2|xy7vi-bKda6P*;85L;Z{Py%~G7`ua!H>t3rut%;9Q_gOvMS2$?9DAb8b?x*ay
zxW!npqWq2n35!`X?gOu)Mf{wRW_@4tzaV_V2*?Xc258%ZOB_gB$J)1_ZloPKJ6_du
zO6|~c4bVkLwg!k$D1q}MbdT0jmmQz7;&rwES3u8APrKNMRCY%DK<H$-ecJ~FVSL#7
zrNAn6SC68jekG@C@SFlhbyLnw`@HXT1?O>Sbq5S><^b2udapCEGvB`U2|cLL-^fk+
zRB6RYpj6!8E7^(>b>kI(x8B%2@$WI)+;T5&SqLx#c&sB=aB2F1fT1G*YNuU0*L_(9
z+eDI|XWjY;1GcP|8mbDne`DEcNK*N3hhxj0qCo)KjE$>n-%c5RMZYG@I<`7`%%(WB
za}uAeNxEBd4O49f&)I&L4s@<`5*8Roj$vOrCU>vhfv%JRx#FoxbmIqXsN<;M3Ocy`
zo9xJK8JV$59-u`-$-VYY?z<Z-Z?Svv#5Af8e6>GhFq9S81{?YTNsd`(=(TAMi|VA@
zeUBv@FcF^ITdZn2D+}M?ws-papg-!ppy&-wYsYlX;N-wX0iL)$yNxEV<n$xfZOysr
z6OJ(!N0ovi43D}n_U_FZD$H>rixQs3)>QCy=c<xVy&~KQU3dk+OM^Zr78ttCc;72+
z01!;9$_?$M$6b8FYkLA0X4TZT@$nh{kqZmsHVCV2ysmCcMO%)a{oWN<+9D;e&MUzc
zIiZ!f;f_5LQ2&|~ulJte5$M`)`Wg2-TCZCF&qty1obl2hr-?eVrsLLg4fQ)!omw1H
z@NhvA&|EDxEVk}ybq#N<#_Tj_>03TEIfiqzSsUkSsa7o@eg*v@wh_BKb~Ixo@&bw>
zI_2t-YwgRDg!6s!;U4?58`!W04aezJ_31kCq=SS(kL>Tf8`r7(Wp>Wud8$L`>J_fa
zFv6YKut?+HpudU^o~Mq-964P>(1mVE8+2pBYj6;;G0W~Sq>b=G59Q+gbOCrIDA4xg
zV?e6LEj5-|0rmN;;lV}>j0{`5EZ)(3`!^knwq`JfLA-~*4UH+xKoPb}F2b6NujL%M
z1U&>>(nT01w0_YitI&@g28gN$YyhaB4fzV=+Qb4(vIX?*JbU?nvMz;hTG7j5%su0Z
zjR8u*F=gjhcVl-S;cKDdPU5_lt@r{aN4vxR5d<A?8}D@4nQ!%PYzDj)xnQh=5kM8h
zzhC(CpV8w=AElayqA)8iSdZhyichP_FLSRLfGnIHbYB=z;T~t(lTz5<G70(<z6^fh
zUw+)0Rs}Px$rOvixr(LDulT7m13w9yHk>C0!vXG#K11*#{atSyKAk4|8OEqo<Iy1&
zx8`dknk)7;`OPmo7Q2gZ7XSd^Tuscn_*GygkDqzRxdPGF2plA@7eKsXE;ruRpIFVU
zSm4jPOIs{CVKD=jDX!mt7vAOEdR$IYCEwozC&DD$7$>_=g((0M3?q50pOvi6DaY~f
zHhE>Dn+;e9VtXzSs*H$HK*5!T*fE0M!KzO0Mtq$npqW@@sVx78@|ARUB60#$Dq;H4
zeuT?X&!YX3v1U|_uYLbpWMYy%SD8#Ks&_#V;1`q7wvSWdy}`=jY-MOg)zf&Wre@5n
z>t1IwJ-M3>AoJA3=W(f?tibDyNlFJiI{?ETq&67dIq#My4X`lPv&NLLst!yDj~PvP
zP$JjFr_29pW>WPuG+D+hq1m|%9iwp_U|_WN0+8I_D<x)~4Obux?QKeI#OmUWGCU?O
zpMpSEZlK^5xs_*ejM2ev>tE&)K1pMJ**9e)wgh^zj?~ZV`*M6KG-0$<=LhxMKVr2F
zI0iteEiv+3eudu}=lP$T=Yv}9(JYs>nM3($rY5uTBQr!yljnH+xA2t%+#_!E53uTa
zCFgoeuudEvTW$Xa456TR2&t{=H#{P6I11BWO}SJ?cNE6?U?Ti)VJ|gq0dsCu;}t#G
zF*Ptt(+3P4OqI45#j_#++e%Sj+t{N)8E<iYGlL0^x9#2v)in=ppT|BkiZNBQ-OkJq
z;rikobHeKZLyhT``!q30^}4{&W4F<;vze73^T>PxmHv|nZU)Pap^pQ8P`oI`D$bS&
zCfuYQ0^N-J><snc?}zl_0EZkr;na5VT5*nXmmUic>!?C~zwOhM2*yu6`I}#O^6F0U
zBmHeKc*U9pW)#N3lf~|<F~x=RZb3b=(zgiBEy{x?xCmNcTO0v62yK!UzGljWVl@Rw
zDVzK<g9(WQXJf%7TPhvyQnUSnFq5W3L^JRc!MdYvw^==0>@z}sn@Rv^*ye4F!T>zP
zl(`fEWTyS03;+$>D7spKzE*0L^|)Z)-&}|bfqL!HtYI784(nB6@$uq};_h7($;)Qz
z7PVdQ#V5YrI+rQ8erU>;O7yiZS`K=fK&Ay#VA$rOegM+$XU(HRi~tQ!k=_x9>SgqQ
z6qLjgg<z-0@+W>kN`4y6MO!hF&dp%H-o;b~FwWAdUlY1l)YF~k6@O$vw?ZecQ|QLP
zrC8?&gxPD!Evu(o>3mwf!d%yRs8F7%8U5y1v97fdTVMj1Z#4fBK19z1VzfkX*MMAK
zo#frOIYv}zmKPgM;OTKo_X@9d$Xj-$&q~jg1f633CKj0W<4Wr4XezI}#82-yg5^Xq
z3%FQ7zMY8(37C;MVB6dpwlNxa-t+9boJ&NA1oe|HK;+_wZ-7tjJEZ%;#CB@cUxZ^s
zy@%UT<b!*KQ<p76v)cAFBg+dTL7$vs0oE-JE5VV;8o{mWx5$d%3z4Vo<b{e7P02ie
z^yTY<TJl)ukEsKI4c^S3y0tts^HY7>;gEAGpwpB9;C4hf-{O^m;lapwnxtxyK26)v
zQ2;Odx_`^qT$s>|z#<%nDK;>a!VbfB>B2o5XjR}mzM<I_;ZDF|MADRsz{USxK~(;&
zc%;Z_--9Fq#4scedeR=mOCmu<qq$>qh+U}fsk;JDde!Z$Wy3ijF!L|$$SE$)C-Mo9
zD9Lw;K97bt`+$Iol>s1fNBi<vPlM9Fj+Im(FtAVX7x+<Z&*rZTyL8q7<2ZE~2-#I#
z2>ekecO?o*%+(_?El^365nk$ub(-(9(LRI1>LhY>^=l=l<9qJC2%{(ZOyH)4g~Adr
zE4aK5L-08nZdSpM*Kk_$T3Y%XTi53}pcqS^;DD!$Qf0-~`mBqJ4L^W_zH!#Em9OL1
zJ24KY(@Vq6QT+oRsK;gic^miBtP!n1Iwv&B`{%F5CgmJk-FMngj)j|d`eO}YBQzk;
z3BZ_KX#Cv}j(xES=StJNSr!+g>gkUDBL+jTgvp7uqZvJnFED<1WYy(nT1hz8AU!ue
z<#=!he%e-W={VMH0ij#-rYiw-Q^3A#!4Ze+ct8hCE(jmM*#BAmTFYQ!EEU`7Wf6WD
z(#7=?A7X%O99Ma#w&$u<>G#w_3FIs&xkl^X%_KipMl%GRm1f>Fbp>SAQ^6A^c#bt=
z=&Hxeu3)5Gk)$qQXyTJP(1i;*A#(30@@pX5XexLPH*upNC;`bqo>=t?a2B_-xI~H7
zr%U&Uv96Cmea&4}zEMy9!W3ZbQUhKh&97o3?k~l`0mE`+iCd-fX>VKVrF#@l+_%#C
zz(KrpR#ZOl1hQv7?vHL-##sCgA?sxbU@mLde#iZXU!nyu`CQUj?S!`elfe#4c&1o&
zeg62zo|U6^d(h^Sirt=&wH~oYV=aR-K~8+9?Sj5ub-aQobL7(&&vU@=`8`h7{|tr~
zT9alFI<duWocq6l&vj|XVw?RT_xS;~cV1AxzFp?{kMHm?$2G^~+U#q@yjssTX3(l6
zm}l77yM-^qq*th1=%2=Hw7XHtS(#s1U*>sanK3}+X(8j6D_<peYuHg}Njf}zdB6C2
zo>X<tSvvzXKBhtWzk?9g6ofN?^6JZtH`rW*=b~njWTrF)>MQ$Yt5PF8{1xK92j-Q3
z6mh|RFh!6zFmfr=SyU^lgz}LGdp(URRp_olhIZv{@a?uBr{jm8nEi^{B@0c;m?H2d
zMOI&X9;($uUC^A<>pjGAtnLG$al_5SpimG!4B%@035k!wx9w<3QDMv%LIaHXGX#{2
zk74!#F77L7d<{&rCgdEzp(a8@8sSbrS<%2tqC}P%V+4N*_8Qm+P}33nKE;AZhK@aA
zGr>2?qTHx7t=6?gO$5qwAXxo8)sms8#ymB7{+!jTYARpsYw#@zDu@BAMJ@}W@!YIR
z{k)lIk4kh!jM|fylCRAi%VwwGOf#*3*vC8`gh{`+S*yk*Fz{tf<(89=1?`hpaCtxK
zFTxLlx<Ygwrz-6|q1G&S-=(t&UkNUrEK`i=HKv#x(7uTHTrll>gEfN2Zzc#FnjOT4
z<;mLweiqw_u!%?<XJog<{E;#t-9JU9kopwJ#nK8(d79oI`b`M0Fx5;#jmf6a@`6!Z
zLJ>>Q8GWtl*_PC{(TG<-k>dJ8Y(oTheqv4Ijh<JI`Pyt-3|eiQwvW}@8g_yq|1#1@
z8A2Y-XlYnmn)T~ss?y~UK5C?i@s_8_)sSpL=r1D^XgF&23%YN_%XSMh&nDV2qM7JX
zM+ho`^$YSw5HXgJj@TIt)C`ZoOqHAlRkBuh-w$gBWWK!qQs|t6ELU0THAzjRmPXUK
zG57lGZvHWxL>b|!%-MY@O)D4Kf;uuLG%}*g17~pZQRwBO<MmxO5m%@xmzJ|mWQezZ
zO2Ol|f-rJ+LXU@ZR_P*&<YGu#%s!c(N-R!vtuVld1)~rMgesgUlW2O@;s1GtVSA!_
z(be+4&X}qEI279sMjT*h8tGrnE{eD$#Q+oQOt1ztFcuo{cw&ew*K@Q$JR@<I9|*P_
zQ<#z7i)3U>J=q@IAMm{F1rjG??G&Ggr&=1iE~e#$I0B4ps(PBz`b3DOti!O^hZ&Sr
zTQS;|QGNPemC<IlheGeQT#U6b^$dj^WWB1sf#*kf=|)r?>Y;Vkx_@`$RN11uLjloF
zx(f7HIJK%q4BSV=dB+9zLt&P4@>7zKl4Nh+up)Z;otM6~R1aPd@y**xl)`vLjESI*
ziijket1m%%`ATBh7ok|bh~~DSOr$-T9<-M`aL_1>3&u@f?jg_|*gY$)w#CdGLjdo5
zEB{k9Z27yJwBgH|vV4N}Hsfj<3s)z|og@K^kUr_y_#QVbEf#lp?d;LSTJ0*&?`-y)
z3Gzt)vz$i{hF(Q%<E1-Xb11H<qE$gdT+-bA;9f*K@W3B3zJ1df0A<RTtlCzc{V|oM
z-Xtyz6Zt>A+m5Uxp~7H@Nd;5|td%?2H`3o|4JGDsN5~L!paYDM`k|sAf4wOe@5PU{
ziT<{^7eZPLkUz;iY;-SC(n5X?60k6v*npVOili6Bg?sGqV`pxH*{i|6#)effB=F){
z@WHo@-~Zr4B9ifVMC_60S(>-FLqo3G!umk^Ed{XQ>A?S1IV%Y{L?K~_{$ILJO?itX
zXn!%}*i=g!0d6#;!}OG9R2;G}rRu3w&N5go0a0Y)Kzc81kzS|bw=sfXoXElB65V)Z
zP`pRVH+7ATB%Z_;%(NS&`{nqF#%EZpVZ;g><vC>D&q(;n#0E^o{X5#!?Pgj`)`<jP
zStO`T!G%m+lvhh+5WbA})}LYhxfVAGO`hl)pw<mGBOQVO{PNma^W!7t@#H&4P&*5x
zKPb<eQt|3Xj0U~Wh1c7{6+@VuOH&nH#eER0zgt)=NIZ2i7@Fo2d{v#o=00XxT%nr$
zZ=(CT*b@DcDpQX?)7L02cCz-J-BfYPt%pP%l)#;Y(M}(<wj;9unHL>${cD~veJ6w3
z15%P~no}~vwG|cG_RHLu<pVJy*(lJzgAB0yNAMUmZQ=rFxr&1Ov{<)yA0F+vPn7;E
z!_h%91udX<i2r32rg-cmP+}=qxv`@j00#Gz<hLUij$;-wqf7jTw&>4+NMb^GG!?wM
z*h(-Pg|cdq>fQetkm_hMX%WFjcnLu?71xGg%jZObGc}=_T~fl--rHjWJ8gU}@aUf1
z$qw(yhO3Ol<+-lSor^`f&s~YEP?PhkUtVn?C`_ytsp&pwX|H%)Y6dzG-2?x<vB6Jb
zBNtdpX=j6m%97!*%Q$I$Zo7%ZNjd-vrY;7?n_7NdZx2w9GA~|3ns6Ejm%+C~)SQA0
z{nWXXG|}>$yI1&_0<Ry-A0;u}Yv2`O8826<{wq(xf%mn@Gh~)))hu4}4%|H7X~!z4
zfI6C=b|PImz`e-Q4U797l300%C+qoxa-_<*uSr`eMV1uFUnyPG6M2k?`q&?@^FmHN
zV{OPUwT$ZeB4j~xMj<<BB6u@&5~Rh-pG~nWaQLhY8rQnBX1|@-Z@8XVcsHu39}plm
zUH1>HUGq>cm*p9HOo6^Nspf%u>ht3;<{-8S+&yT@5uTX?Z7)1^pdgJRJ?UcX;YRE|
zURLLAV>p(OwXY@%ej)Af3;mJt(H!PUg+aN%`8}jak8IqcKT{$F(}>(yW=6)8IWGV&
z%w^0?7>30O<&TUpNw^MS0t`7%|Dq_~OTxFk;Z%y{_XdSfb}%h%j&8h-a1-+KTAfo@
zwSQ|PvRb~LaA-s`oK=~h#vNUxL>;daY|qHvhU}VrpYp0yffGz_V!VjV;0y(elG!}O
z^&&=U9$jA*&jg%2vZMKnMFP^cHkv6$5U;MAXb9B_R2DK-0L}OI`+768BgyvV_nF%C
zNgE@zX^j<)f=Ko$YcBRGK%4i^a>(E-;c23G8mV$<V91<_42U8bX=znu=(I7pBtJT0
z>_=A+Y)-`T0^JD1xrtkBc%8?eWie0Tep5Mv2_j_-CI?J`C1R$*CIqo5X-@RL*n1d=
zo1obSOcPI*OX2}OHG{ZG&YWSS1?SNi(sKjeaa-!PR4=X~5%<U=o)^hA$T>1j!F!vn
z3a`KELY7LqlI);PgCvgYv!baC^yQ#0(?ePh01sfu%e{p(dd3hb6%zq70meH_Gr^RX
z40r+gvypM{ox!OtBPxRvqnTdMOOLFxXL1+fFY)qh32@SImQB3XNSiKc1-IGPbezH9
zG3h^*ca4*~RL*M|%%<a=8bz2*?yptW$;)ykpX<K5SR_93^cy`F=0q3uOj(@6_kue)
zteC(`v?)X{myx%Ec`GBL<tBj0u`%&c5F`G5(1QDgEXR&1ndg`=q=04%HfWfA=^jY2
z{w!s%9Z?>Kd6Sn<?)g|oS}&w=dGTWHE#Mz+u}P@Fe3d-S0>(MuZp^1LT1^T<@;5Vw
z7s-qUa1{IpgT=|u<nh|=9bO4ggI2_9<G$&?v?011kJr^O9~A)91mo_QlNsDd_8HFi
zOJa{K%PNP6%>*(;i!|_fyG}jGSP8~v@XV6EW(4TQ=h=&l=<w(D9pS(y&!x2FdJ_^?
z;=`agAfmDM^V8<JEzOxJr+cO{{UvCenv}C<;H@~-X#BVh=0DQ*Yh9blXo<o50(g+`
z)gK2Ak0rV;_(c`V<<z?{fJ)rEA4XTiRw3U_W;6sBIYBC_I=5%wt@Lj@lR*<W|A67$
z63bzQ1-p+XYGPA&G!bJeBhjt;J%68GFQZImMJ2N}VqPWL@O&cssD3eUk0MbyQx}ly
zDWsp^)511oH#th}AS9l+qp8erYsNaq5UNGVLM~#`<J;+$7^eWtrZRRM0o*|(ca)Yj
z6Q${BU15U9V3$_hVo3O*=aW70!MSV3aRITTy<2b|4lvjPty4Yj`0Y7GnwH?knw}WZ
zE=$!J(gm99Ng1=bD&**jyltSA6!%Yf@V~bk><YQ>Atn(ejm*j5H__)XJsU4!enHu=
zxJK}((2GHD@HEgHgyPDKCcPZff=x6AyPPh<Cjp8i|MKe)h=N5!?5cWa8O%&gVsAW+
zFqC`tj1l560AsGaau{7>u3?6@xw>o~j>^<+Pb_QeR=vwbNfHCq{ua`D**?;Lo@xov
z_$3nQ0(PCB_AA8DDdz$=Em=dtYF^Pe5wH!s(2|J%`zk765eP|idnITNdQQ=^0S%{r
zId8t>@#jNs0E9h0)+=z=6OLpCz2N~fht`-pb;_m?Hgb=y5WRVyF=jFJvs0f7HYr0+
zuE1wFn0xJs6R!LVF#jFbcKR>rOe=aAEH>t!#@x?HjS$yL0x;sVaAa!6_-!Fn{Rhi;
zfLL*>4{x{RmI-mFpd162MkM@wpF24H+vGl6dlV0Py5BErq?Nof2$)`JTXXFeymjcU
zWu(9|Zy>m5Higj0)kknLA=Y8z_jgXMMuUYP#=4#PYggFHkwvQ6S!jxj=?~9H2wdM+
zgdz+6!CR3g_ZhCRNd}Rh>q7`EgA@0_>`BtBPoVD5Lqs~nSgqrY^pTwfdbOvnYTctA
zV2%^f*%Zf$lGm(Gc?s#OIvF?woR(LVGjs<wHbK3<hxO;KkqaH~38r!wvwAztFZwHQ
zImcW^AMxW)!D>lxhLcu$Hj6qj=ee9<1GJR?2ixH3W_M4UDw@D;3%O<gAgL%F+8SB(
zs^mn?IMIL)&dn90hn3WjPZkkEB`*$S2$+}N6m9K9Gdb%1<-P7CsFgv3@Cnjhe#R}K
zBrVRE0>>M&8L$(PCW}JDRI7PjK$v*6jI7yC34U|*r~HON)j0u*dam4<djbGuPT7OC
z<3rxUlc$XH_GwZ0Rz$iZA!r$)TSS007nz!Acg^8Al1`ga0*RdTYS11i(aexeU;`S1
zRUvEjn%bVDZ<E^`=~XAqWaE8uAO5E~br6=DBw;2o>wVq<Tdx~tC>|<DoSB!@{~BKc
zGx)3Ek}+ix#@Wkw_d5t|n{p!g8v@+@riy9(zHv#cpP4GVSl7$aAdCf1P#4)olVr`)
zw$a^#NmrcG(EyNne{tB2TuaCRT(dy8ae9cWNF0e<OlIW*xWMk>%KY^IEATJDFt4$5
z7xf+s{a07(hKS93e>fG9*8=F0$y@Y(`Q&P!3MLTDq`De&-E1cX7xR=hIWeld$GtoX
z7WcKBlbSp~P96m-$kCuXsOJTl=XSx<pIqx<>cG3bcY?!+;mdnCLQ^mLoakB^{;2VW
z-XM%C4Kfn!dUrB_qmk=?UJI2Df2-*-;3pyFoTdRKvx)V=n0s*UlM0w1x?nR#`g#Ep
z4VlRyO@E{>h@8n0(MYvGwo&mOt8IAmw|uM`=a|5b<e&-Yfw<^j{?F)j?8526JPOc&
zAnA``=rKzlQC3lKiT=0Fjwa{=@dvpRv75Gm#3FYB1lv45kV7P8HA5(q^Uh<e8s?M>
zPFj-`gYm{Pd6u<->dly9HjQ2UAXj?@r)$NhGVoa=Vk(0O$?<^_uzCgS?IlTR@;-hX
zJ*H;9f6O~u(5%s-2m?(5WXW-uCcF^D=?9DT0+mgMCC6wDg104aSq$5AN5*8t8!JgG
zNRnuIvLrFVL|;RupTQF(c?5>*W_HGTXWCUR++l*dJ;OR|{Y`L>)I#Q%ssi;{^Hm`E
zHilcQvoLh4C@5SWmuy(_;50nMiF6cyvW6)^zGq<Zi?Xr)zT%~ELK)D>_uCdz&w<56
zMvKYE*So<C6@eoy23d1AZ$o-`Y>#rNKOAZ_c_JP7MT`T<o5!oB0`TZ_xYaXRQtYO<
z(Qv+g6|$iw$*$XD=*d5jLro`)>eXVTPIP$!x$EZn3mEG&F!e063XIpnAaS$IDG((T
zER3deh7E`m(zqSRdy(t?55hfK*e#k1SpjrKQU_2yjj1%An=&3zU-E8}D8k{|Rn-0R
zlf0mz%9)73P_3qCmLSP*>Uc~Nj6(pf&u`k1v!U#*#?jsYM=HHv>V5YB-wq=vfC0Up
z%;(66!`ZBt!KC<X3dpeQ=KiRLuh>u|)@(i3XTT?}t>o@*@~GB35eE#VfFgO~r7S|q
zqv!`!EeO$);;=yi_(EVLvkd%Tb{32MU>0T3%O7pXEL_pLn*stYn0`TUkhnUU{Nkag
zUOr&!g>O%{Tdh#15>I>~9Q`Zz<+RxVW8vZ%NilH1*d=7w<d;6)Fx2(oSn}dRwhO8S
zyJ8Q%L2A|^QE)a~<*{d=V0+Lc1fn^&MX?zHyOy{WOwXq0dXTf8BjW%cYyucc1YIn0
z2WZKBZXle*p3I!Ug<%GBFSLfnwaMFPUx$Qq&;A%P-a`Ym`ptC*nbRDzQ8d!AOI|SM
ztR`d&vEUB)N-laBciOM*jGN5=YD@PtW=f}heX;9wxa4F_ST%yw>jg1$rC5kOU(pCA
zWi#2FlnrnuetD#Gk_=eLTgF_r`2jNzq48n1qbJ+L_MK@DA(b(fQ8VvUS$-gq1Bv<X
zt9)@XA`FgEJMs#x*vO)N$?XO-))C*ESh`>a>SKxCD7&A^6{IMHKoD~M)KmWj*ix@7
z_U<SnYZvlEz(xeul*K=kKBE8#(b787$x`hv21y7{sjicaZ+o(qGso^GNuz%N+9dxx
z$k(O?ax20Xf@`y7(u@X>AXf!tUYT5a6WKSc3WC8QgV9#D{hHS?)a3L2iXf%19F^a(
zI@BY8mE&H8f5-(T!%y)m>b?z$7qBa3CX8OwF9~+lH%hO+iBK_x^v{D<xA;<lr%Q-b
zf-kf*HvDgTB4v`Dq<%bTC^;UmL>8f?Jo_))^Tlva=Anv=4LJR^4-s#5{mmixkodsz
z$kHb#*Piq4Bw8m14ZT8U&1On-T`OKuG31IZ<mb5!xI4+5l02PhqSzTO4Qw>Pi`sAb
zEuE0+QnjxuA8m9jRv%7fhP?8Bsyn&@C@tAsL2C8^2N*?yyr|D8Dg6^KelmOk{by^Y
zj3!l6m%=zov!Z@&l`EM(L#M}U6@hzF5ptOC5d?+#cA;fOflYozJpV=U_iJ))fuIEH
z_a(|RBo3l1g{>e4{yx$SI*imJx7mpv8*J!A+$1F9{1mHW*0Jbd9gZz}4JwBj<*%98
zAChS{5d{C(j1h)>W*RvuLcje-k`{x8x|H_xs(VaLD462eZs&aRLn+9?9QlUf!is@E
zh-U}+BRiKng)l#C@^wP%2dd$LBolu}W{9e4v?b4I{$%B2Dvsz8YYzTY&?{eAB*dKD
zEmt}Htq$6F)SlEI!Xw#h<<L7qsE_NWqRFX4P@I_qzN`Q&3cRS<h!{&ZN(79GPoRJh
zPs)g3=6g~Gld{VEmt~j!&i7CN&NX}y-r@j*i;FNRl%coscY98wFIRb8D%%4V;RgFa
zo`7f&>l!;DO7Z;+)VM@9-u%zVG?6q&WU`<S{%9t5WI|T*Rw$l$84pV>!JM9^q69Bd
z^d9^JdCf81HiDJO-+yCCVlep0bmu(^kv2kRqE=A4fPu+$xlu*wh*^kknrlLVSe)6P
zp%r_9_kx86-z2bLm`ij?iWV6xCYf6P7U$dENGXr6PWeMdc`IfLcLNa1P&Lufk-sE|
zc>s=bliEvO9u&Jz@~WA_3)%+9%dN)U%(((*-O~NWkhAyc&)xfW>IZrx%wR}uWpY5{
z-FR<FB>YT5oQs~<%7pwfv{p<IDf@(`4niOdIds7g)|{9L+jCxzfFVNt1BAK2A%5lH
zE7mZAqU5f4kD}>}^2z&WN*zLf9;?K9qMm4S<W0>2%<pNV6W9k7bBWJ0+{;FQy)b^k
z9ZBIY{Y?!n*BIx=@E|<zVW}IyW~qF{7aJ+pt5R7E7aLTL4uN^R9<;x}p3u5gIj+^O
z3C0;rE6MD2i7vo(F76uoU-5i!6(f2u_PD<`MxlR`O9(bIz+yyjy$(li!#&C82bKPb
zWl8X$smE<&fWQAX)4P==5Y;(Q38+_Y@*+}xwxEiE=RlrOiO$eMn7N#}#pmrZV|0O<
zAmfAiVmkexK`*4;hb$Oqq!+JH;`4yP>#frn<$*z~PWEHM7uco<ddG0epsd!L9gOPF
zU~pUjAF(7Z0(l=Ea}Y824%l|aDEv2GBZk~<-X8X*QjB~cuW>ThA`+#n#Jw2^{}Ldm
zjV~D(+{}ETzX-^(u%5Vn|0gj2L8CbeZ^lrk#O4CmPV+<(IeZw@8{^z(X2$?xomteb
zerRDHQEMbnhUt@O7`2q3Sx&BwFbvA(q-;jl0`?VjnUPKo=m|k`qS#^h<WV@3wd<or
zmRQ1;PGE8+lx0%<Nx?;s59&0^Fd;*M7!ZsF;I~HQ!P4Vi;w^mp5-)=pqwzJs2<7Vk
zB5QE*5oL9+xAj7&drpI0`SgZSMiVcVW8%|@2xyu3ViDpl*By<aOyST*9*BO~;ff#w
zM`g=$Z@_fd8-?=SzP_*$CR1_;M8LYy;zO1DB;F822&fVRbz~+>%(YA;#)T5Mo8p&<
zs@wDkjBc~0w`I^E<8c7xWCcOgC4>3<QUX_zeV|~Fhvemz;(bnYD*c(nN+WzR8flO+
zKW?AY$V-+YE*WIRuWKL={c?-Pua{mIg1$XZkdB-*<}#?MX4lJuwxjN05by<?1CSt@
z+kPF{GZ(}7@EJH}W39!kl#*v;IjJ&;IC%it!6@(xFq(6I?UPr*^qPz(rwqBi1h8Aq
z))mWpaUpBPh?y5roeTV7yTFTZR%d?W%HgZwH~s>oUvp0Z*cPvws=SvqPg}U}P2`+h
zhr2~rnUl-zW9YgTBX%`#)58@o)OPESDGM``WQjd5ch;D<E<#E5J}YJ22PdvaIm_cU
zlAj~zQGlEUF)h;zGFh(DW+NOgS?SEE#+h?Ebl%_9TINE5)XB3E2~~te7}@C}zFfw`
zKsM@{h0jxD65`uGsbFcan_+_rf=RRJJCYwyV9ekji6o2T-;kez&-ZNtwLgGwwkrRm
zQ4me#<of#**n}ogb_O9g5Fl{^&4MJJC7!ri`OKG=6>=z~XbV8Ul=Jd8<rklTokZMP
zW0<-bCsmUm9|n0FXGvqsWsk&Na=27y{v`=MjsHFnV|kitA*J_B+>qEgh*5|bxo{{#
zSb5zF6=0rWSNwLL44_;gc4<;x$Z|l;8-h6|Imr*d-A!TYLeQ+PpKH(BQ8JsPb|tPK
zrknQ~$sBGvv5r}C4M@QMlfig{BY-hmTN3YI-u+@AJa9FC-9l#Ohs~W9D8@_r?vVL8
zuSRR^K@51A0Bfz44E_zGt{j7!(h_G4MGg}pWckr9dH5G@S$ZYEhKv#?u_=%t4~WcC
zjDnI(4F`C94o1fzJDUmaZeli|aXpO8UP`fL_#ZP4wZ?ozbUXNiQ2n4}y$!Qo)6eNX
zm7_-k{+71L6>3`y$^X}oqFoXHiD{zf3XGuzva7=q1IZhd3whF`i%r2L;*Rs)5AP5M
z+dRH|y&l!q4&?{9s>Hu)g_PO53I74n3wctokT{RqL?9<n*~o3dFrbmkW9kqgnVcjP
zKxh6nMR?IE!gbH{BsV9Bjcg?Vtgi9`l|xUiM^NB0C<Y9E4G8t1fNy@6C7bUP%zdd~
zJtzeIKH~$sMZ&jq7C3;aH+r1AljQe0HO5X4mN2s>{j|Z`y2&8I@Yx<6rL7)3I_SL;
z>OT{6op?jtWB#y_2m0W7F*lu(4@>927++jJija&;=TVo25s=8e1Vg(Su5#Qz<n-}W
zpEaQ*BQ4pprf^2_@fsF!gfy>{-(0p)_+E`0VqYdEHc^7m!N5y=M$aGWjLS>}iccEy
zm6R-Y>5ua;@c)$@mk$PD;zaY*2$+DF5VOx|hsC+|xPk3aVy4inJprYYN=Kvv(5>$<
zOgggsXSr#BL;zL6><D0jWA#%DtuE}_5`>>aI9K`|q|*|YQ^)|6GoUD)MCsNP)xOP0
zOprjBX-b*wi{`&1SzcmL1?0Xt%Lb}X@`w^{lpijaxAYPiv0;c%X`|<2i{dxLACO&!
zF)+>NlS|AnNCIa_4i`d^CQ%ZH$c2Oj0~-zKAzqc;VdgaSLbeEu4sZP3$rbb!Gu)%}
z-g3lH=le(+o*dS@<mxFDXtZGQxQo0z$i@v8?8Z1dLP{A557TwA(-acig{cX>E4l3p
z5$@zlqK}RebFj!zX9Z<m!7QE`xLWrrE)Lj%=m~z#5uAB|ao~k`Er~;zX|U&wGCA`6
zqgy++{;r&jHpn>7I2E3skbHJPAASW16q~Cw`8-KMMCtsd+J;#$0w!^Wx#NZgr;G)>
z<0V7c5QO@6J~(uPaZ0^A$r3)hlDrj{ne6eUbH2FVMqd%C3W~A(hvfJ}Pr4+wL)-wC
zJ_tlC@1!jS$B0R418&E+p$+EXo`u?iG4;iU)b{*idm5}*JT5DA;M{vV-;B@?vwYZQ
z>G`FM%<ro-V()v~80g!&wo<6SE}xk{<d-6@Cox6Bt=BNA3Rz3kF=5yX!wY9h^|cVa
zDeECf6*L3hohgxt@nvBvELwyjWFB3rHv+2F4GO%95o{^&kkyT%b0|NqI9i+|jQDw9
zU7Vu@+^l3b{HX~4GJY_UtrIJeA;hDP`V@PX8B?yen?yjye#C%Ek<XzpYYHe6-J<Ew
z5I_Ok(V1~}fhWSZU&>@SXt(~^CeJa#urv#B)++afMN>8m`DTKD*K~5x6NPw%NLrHj
z5!P7)Z&9VhZxazMAra2mLYz<v3|&yV%#NcV#hP|Ykt@jy<L!}~4xf@$C3D`4Z=n8N
z;$^nx?!{!*0mILfYDP?k`KyG%i3oMR*okA0xwfdE<AZD_7)3XB5kAre;X?iX2$F52
z+=Yff;CBFbN)U4{D4QDonB-4?D6?R)m=ts=*4vjh<0O*0Wu5-3n`j;B3{nP(i1%N&
zkRQu5=hsVdxZ!v7(MH;$&5aJ#Ig~&^Sx{ajdU9(~-~^preK9yC@-D+V8gGKGO3Mz$
ze{3>RzV7Hg)fd~sIA$kuF|y9TOc0dTbib<N4Om`b)WmCIgd}DD^fE$ywUX0Y4KGqf
zkd&YS=>~%EtC0>$`uloxMY^rg3HLuhX~<Yh2ud@ZY5Ck<N0ArI!A$zinmKuVkYG|O
zvej84v1Y+furRy*GWI4?14v`Ip9Ph}!q!MFAlm(a-@=jy<&8R+>9v`PMGn%(xj_PW
z31u;NUCJC<R7I(gc9s;0Jp48oQ|Nd}CcdUC8%ntj+hw`3GSY&Rc0Q4jlb9Y7*dtz!
zU}3)0Tgdpb7#4k&SL<(SKD!ZeYO5g#Zo1t0Dj_wdsSK^69_<X%NjxD9SYq)Mi<4Rj
z8y4-KSQ&%r^U0>TGp{28_Yd({u2@_cq2PR<PAw@3@PpZ=t++u^f~%>2&{LQtG0$tH
zt=8B3(SByd3s=NFtUNY2fV9ctX)&>*4!Z1>j4N4l4Qa5#`hy$_sLwPi3%o!`TOzU3
z^SwjB%+s%Xv>ss=Mva9iZOcuAC!4Se^M2W-^I?E4H(BL_efcmwmZk1(Lj%OHB=;xa
zs~85wE8&8}@AK@LplzPFb#CG}!#ouXjyr>7rk4B_Hv8~xt^KlcY?z}X4+<F~^(M&N
z(lYlWX-uar3&?LE;lZrJZk8V|d|CS#-icVk|3s9BNR0%V`mxMhHG6rls{X^{NIA=t
zDGv`g99;wpduAikXV??LM?d~!2q<)LBa)lch*?}f(_v2-l+B3Tp*@jdc<Skl6I()R
z{Q|GESRT<D|3w^W1PA58>2C}aq5=@=3$J~1%j_4Jl5sF9rLI&Uae>>XIZft1caHD^
zG*<r*TjC&MAfbzRgmUj*@_k`PiL;X%+N_%E`|UOc-)t7a#}}FR`2}WvzLcgxjx$H5
zyQgMaU_j~S^<EVq0G8*Lti0z$LMIM`Oi6PcY=#XL;lnD$;D@69+xH@#ooO+sYBH5Z
zMN!O6KCuj%j^;>r5w)T!17STiWSgY&M3VA(!Fq}ha+b6;B0^H3B@rO^9@Zddqqxto
zq8jQ+;=ac0QHW{!v&>mjk88WSk>v!lPb^AYzv0H$7A&*8i9I^#WT$FIfj5a-l&q3Y
z*b1gYGeyr6qH}E_&Lvy-f}dp6FZ!(?YeZh;I*<q7_BSa@4@9RS;8h43k|S$if0%V_
zX{RZ*;~rV#OO2VmeCU3ktd_8OMIIP>fQW17Cb=)MhGEV2z`Ol+S8U8`&Gm+dR}NX|
zP!}7Q@fZ$@kFz>&%lJJ32U+Idymn*KDhDWGx^~Lg-hri2A$VM{$V$1J-FdNJ+J>o#
z7Tn({4z}DuOap9o_$3@>Nf60&M(s#SX!kO9-lC{KDw1&ty_$R%ChgNIncR-JjzL3v
ztS%;#!vLmo;aMJ<ln$njI?ZZuvQ91Sbf@AqdpnQx3k^xbws+({lX%Zj7;QHVPb8?`
z)B#BMgh7jZDi4_o^@F*z_jL&ia*uY>mlL#4V0r1ti9m2eL-;V9Ml{-c=DzRKf%8t4
zcq8DtxNW$N%a5GPjA#dA4spdvJqT0EL8b|qh>CPq4*x0U#K2m(<WT)u#-?;MRt~o$
zr7sVN80R@|ZuV-cXCjpn_wiV|kEQ2E&CKBBU5x$#Yq$Xptj_q9H&+8eGr0WyqmQ03
z`Z*)6Al-3BMJSI^A*&CX9$Fa(XJ@xEoz;n2NA;;I5LkeSDrjm<ZGTLS!4(CnGnui<
z2Ttkt+#xQj)~#vIDctnac?;&rv+Aod5(B`f&?G4YS^?d<DLRUn6sx=Xfr3)E-tKVT
zbMWbiTk*r=Ppx6HEjR826p6h&)n!B-zsJ=dA!W13^-GOZXp)+Y8if_>-SkX>D#CPp
z;RdfKdg^&^@tU6jrNw#|Y;LTpsUTI7>3M1L#y}mWUdDV$a{d%&D?Jg5VbhH?1h``H
zw~HeG4EIxZoTEK0jAUs}4*YNLg(9G_t=9dxExfvM#u#4-YK@}qH`3`=XNi~KR#2cN
z#U}QC0pla1>Dt2itzOzaozu16-92Qeaxn#P^X1{RXBrnSavc%@u3|04mVf2?#n*pF
zwPfy<POw7cwv5cvewo98SvsFBXvqfyR{kvh3n8&Q42ggty}_tzU0%c-F0Q}8v|0G~
z-`KXhyrOLz%hDiv_`!xyAhK5S`k<R&1FIhw-6L-Y&6LCBKIQ+F@MRcs2E!x03xu8W
zV+&4eV|JcdC%cy1#}{;95Ci{o8hO>TWszc?F#|(n->BWJnRo&FcW(PsI>7@1zkv{N
zWB0_r$82-Uy|`r|&<Z{cOmCdtQ9txD%ALd=D3LcQ`WkJ&{?$(V`9))O57G`#<{e&?
zTNUXAj1A7%8q8)2?hzCh^!DP(TyJ!0`86$CJSRiyzgxQoWqzJ<C#)QavsglvdFQ{q
zkL^;%*hxPTd=7_F!NKaK-ay6~N_Y^+U4STo^+yocLTFDzXe~?Gt)8a8>j{*)5UCiI
z(9}rYtX=&hJmLX7>cQ*crzO|W%<}N=cj@p7+<df2#3poB>#lD?5Se-$M^QGVlk_H2
z)Q@d|R8eOoDWBrRn}C{#S@m7unc3vM(L_t#2!MgT^M6VAq5Sg@o}WkgOL6-;Zt&xS
z&x8Ki)P<if0<XUZ_50M7RhFar>#<o{pyJxdq^WWXm4(@EL&~pHTb_qL1&bOZLo=y&
z!Kl3DAn+Y#B}K?@xSu!(mD8~iEU}b%Lzye&+kVl*)2RhnV_hNVT-at*g520jYV<}^
z1L>Gf!W5)Og)~$s7G*{VjsuX0DkDA=F=)B<6nnuUt}ZTEOHubftgEg-Q%_VZBrLbc
zIrhMceQ}Z#Th^8oiN;*K#_Sc9SUDs}TKS2=z5NL3n`?uREEGf8MvTT0SIN76y+R(U
zM%NzYrn|PNI}Vsn#p@ucr~2^8hsoyN``TaVG2~Cd1&5;!MwW<dOZh|PXM<z{0HUN)
zNjD#TR_IV;e1Y!rMxJ;SjTL~^T~o<UQ&H_re8<KJ3HcdM$!?-AlRh8b<K%8FAV6bd
zK^a6Tt1n!SV;Z7%UTfWV*q(VEI#ck$lofCJ)a3AY6=_5^GmS{|8LdPxh%8EY8Y_NV
zCN6P<GX_DMofks`-{W#Cc*vc6eAEy25qPwvNds)`Y?b*~AIS|PfomBjf6Jiq`xS0F
z@*hD^Fp=m;5i{>!A~hq`6~tP9lt}F#JFrI8SLaas6Eg420hnIW6`LR>dNNE{MRu@~
zrm0PoWRAHL=su?U%Vqso!x$L>2M=KmOY<gZUwcemuHg7Po=8Tg8XmADN;3;HjQFvQ
zGrR&eXMr%R;LMHVXzs}DZ+m07k3Zs=T^npM#GF_-JVOCUhRG6v4JgGZH;wWokTDb)
zpYa6h+JZ}hhzr~T7Aq@`^zUMjt5?H;^<+4EI}QK#?zH$a!W_gA+RyW59Pp(-B;Kph
zRJh5=eurUXFC6VmLt?@9sZuj}Bgr4x7wX;aFu*IvKnuYryy9s)4hSKw%qisW7tBA%
zc;H_Bz~TF(xo5~252Hz(O+ogicjp-0R13)&*csTWD84QnQarsT?#72tX!^Zbjr4YE
zs#0f<x#!HMT;Q#zZVhCayqNPdZJ89yf(-^hw#I_O2bKc3C0nuLd;;GK=VZFC#1nya
zqEgp!G0{ViMB;IAPYRR145(YRmN#;nOIE9dr+`X3h_SRAx6vFE?#2TtKekvm0_ag-
zW+5-@L-=g2U}VU<8qO+w#}W<_%#=wqvEob1*=KIWLSe=xKZ$Pei5JJ$x<9kQss2Fp
z)`OY_bryOei~4e0Tf;eQOd+xml2~!?5$QK4=?w41QrA#COQ6Anfbo5{EqAn7XW3<e
z7ScKrj?jz%W!NiDqz{Utl$pE%2F`E#0`I?|ycg$vVzfKeYr3h1Nu>G|&(2`o>nsST
zAo$Wc-8<OWZe^u{xxT&ZoKrRzmLCvcWDIXKQ8z<#4xSuM{D+YaZ8W<CD=g!x;(T)&
zCruPs(E5;33M?jTJf@*CnX>pO3(MKqnJ#g7ql@70uX`|Uq29iXxDMhtr`iF*maH8i
z^-~jnu7XQVVvL#Zzka580x&aA*tpvt*_$w51eK2+01cWbNS!wni<T7q5Go+h5ZFj^
z|8;=PJV|OJ@@IDXyI2Fx{3AwuTv%+dFV?jaTTYB%hB5?#up1X@Q@S93w(-3R9Xb(*
zY`eEY9v_w!rrkz-x178J4ltOVW!K%kDHv^e$EB?KX(%@V^oNx4$i^9hBcoT`TAQH<
zIv~_jPV`|+RDcWC_D;s+1{gsx?tlcI-zPV$d@8VV%KVI{@TRiJ6fcPL<l_e9XEz*4
z*;X}P(X#+j1G6-KFl2|^;rF8j%vDA%v4NY`QrsCbcWLqKBzUFMl9)4>Yn);Z$x0X%
z*$!{}fG|DZOYal7s<R@Ls^oNVUwgZ+Er89CE!3FEk(5TXk$D?2utF4pOikQj#|`hC
zIrshimZzkx;Uz%erY7$%2}xJlP&y$NdOnk9K*&37G%7NLpuILO|6-U*Hv-QFc}9_T
zltx_ygL1mX;%xw|w62b<kU>k)9oRCG971G_m1GnX0%!`)oR>gRMP-BTG@CIPt+3io
zmZkCISgH{*fwXf)8cOwSSegii+=idt>@3>4K!2)fn%5`oOQieY1>yu@0MrDp<GneO
zlJ>{&aTxmiO{2xOqYX^42~;CT7;kG!pWuL}Z-v0t!^-!4$Ut~vcH`$yAQXTv)->WI
zahk@THB%jDj!1LlxNeH*t9dOUGi;LRC*jpC0bEGGz3a>2QL=E7fvw2<Gqa~_J~LT2
zckBK<Kf~?0G0XZaU|nqBR4UgvFAdPyh1L>fPnDlGI@J+$uY!~_VQ%>-QbcZ4yk|>3
z_EkM`-N7w_tRL>Pm6kQdpmdT;vot0l$2F%S(EdRd=tiuSZ9KhY?WU24cGsjFWb^<e
z9sy3aDX~Fg$B2R0XV}~mmF6FoNylVf#IGY;F<v?YmgB6-KY=7~s9uX(o4O2uW6;=<
z*+Rro7;?Av*gJAgmf**IfP5PaL8yxSIx%VI`T=UVm9XqiGX7>3$wZRn6GBmP<MmX0
zvw%0zWey`F3R5=lepjGM{cwXs&mzrdZb~g>xou$K^Uo}HxcHN0(|Olss)yB-CdAr|
zIZB?7#}RzOTM(Y-jTm029;UL9eDXj6g10-Fa`0`)!fMLG6GFU*D0&u|v2%RC<z>kk
zvD;65^MTR6Ox4|YifZLS|I#-^19iF~SU4d|N7Uc;pp?=|n_>y@PGECtqOM69Nj$UB
z(^WK6@Ei)R*(jw`Fv$Y@k_9d$8`({W$6L7w@OGWf#=xfG%P<SBJvfoZ68S~Q{^aGC
z^?D4AC@?_Wq%yKBct(M7?3%Ns`OmD(*^3g4PjTa^(`91XV<6nHxHM(q8_;&bA%&tN
zC|CspDgB=msO$^`Ti%8W#NEY2rxZ(!bv0!m{A}L7!p6uiBGf|6XdShta*MI&bib8(
z6{`rRmFEk}*3oL`d58{seqUcmsXW(J<ZHCxzRHss&53$%H1L$kY9(bOUg8@}F-EUA
z#}|ublXi)D*qU;Y$t>64NYKNqe?jGp_;@Mb0E*l;*e9?ud7TZDK{r|1-Y5glP~?^v
z-w8yFL`iR2QR^?-c!7G%e(gnie6dF|=c>_ZdvT)+nmAF)x3}X+Oa3c713WN?%>E|$
zJ8)Uok$%ff`W5!D<S$LyDh&mE$kL`3xY-3hIsg&~gI6*#V;%3obH(J4+QW2(1~k%s
z5jWE$-$L5Wf?TzlT$BU_<${@C3^jSjGajbzRq|s<nb{hhiI-07pPBt3k+2Loc7pY_
zwBfS8_Jib*p1(a+=MM1m)AjKlD(jDl17K>^TDMHjRG5t%%-m(!qw#WyV*jFq9fJRq
z=<E0bEe(|YEJS9fs*|w(MHX$3$SAg=wTu-1wwa=1j(=wmd8zYKTe}WB^emi=BW!P`
zg+*qNaIeX=CYrC5Lo)|ZLiPM{Y{5P^Y|EhBg|55;7I+;En1m($r$K@pA`z$7*^E<Q
zD*FMJ^WjaT`U!Wcx|ll3(!(Gr!=F#t^G05-(t7WnpObSh6!i>4XMz&Sfm-y*k?rlc
zTYg#D3YkQ$AP>yoPWv6d?W_HP5iB&2`{&qllUDN<<EXh#2e?l8<j@+jsG{*)zJ@{@
zVZ_y}Ij?w_sg(W&8^FaIxn{k8O-V+Gt4m&%KX0k98g(46MIybl8?i9ayT%i}N3V1Q
z^^3!hUT{M&vKf$WI>oi%&$JfE=3lWMdsj@{R3v*4116DZ=M?vO-Y0yu*NCouRWMcW
zAS(m6m1Ccv+p!PK8RZJ5<wTKpfHb^mXU76{J+jGy5rd1|mTBP?&iv>||13wk(R1pH
zH@*bF#`}wikHEL^?h89>nQnDd(b*Ziw}KdZh-XhE@bUKNQYS>L$`){O?}+wn#&PkD
zHd5^;&ZA8Fyh8fV9iz{T{tse_kni%8sbB=v_lOHz-T}d}0&a%d)<)|Nm7`@ZA+~c>
z$&BS5OqMnA1=?DD-utOnBc#Z1cQ6v$dU!q?ynz=TSIJx+U`+}C-w}1=6*nCuoq)yE
zl`SY#k%VSTqGQe$&NU^Q`W!b4X^(qba>@@a>Ay0-a7Ual%K-EKg7=U0T9TXQs3sZE
zvntr0fbwb<nYMZQfq<bSrYRq$T|3u(Sw$O`C9fWvQGD|8IJh$*vKYIVLMjf-@ML_J
z0N(A^b8BIUrR!Z*6B`@!gn{yRR+Vq$n|)SSK3)rXOfYhmnC2^9WwEX@U&FWkRSDgf
z7nAjzyo>C==m~KAA+s5|>@1J~r6<?`_DH^M>25CHCK`maGjIET)6cly(R$VTe?H2A
z^OzxED}F^-)P=qwtS`BjHm8B6IT0BIG*H^RgSJoECAR_ou(OnmF3&Td6EErDX{K#u
z0EBsN*Gp)8jSv~T7dP;f(CfCx<kBD(MqfzD1k7yJFlXf<4<TBMP@d1im>DWB;37)o
zdha;bwI6UGLnF#p0BZPATpy_41^0LwCq}VJG{MxSe+J8;uh=}Vx%Y}|W1<O%0VzNI
zB+)h9cM?)|R;rO%DbenYK&21&HdXl2&{<keEubsYx~g@3n%aVjiwwcs#g_(gy2+Jo
zJkM(xU5FR3BK^X<fTHdUU@Skbt5#l>0A^g)vlM8(Whe7{WR-7m45m;5FmuzvpvKj;
zGK?`9Zl{}#BYhLio4K%*`@X>$Hm27-(@A7Rki=(jzJhcM6r&Vyp_r>7FG{N6QAffX
zF*QS(R675R$tx=X4(nA@=Xs1C<Ap3?4u^Rfud$-?i=`#eG}5`XAXf}6bDLC4wndn?
zHMQ&mF3}kK|LtKiv5^68Xhv;}v2UJXkeQ!25a0V;@f;R9&OEdem^9PSOW*vS{XkS|
zZb+GPm3$B>bUccM<i7nB;9#-WV%BQMd!1j<0R6rtR6-=!Oz-De$0F^#;>XlJE6QdO
zXEJb8;}+&gsA_!e``;oHlkD*TXwHQ;?s3zIoj3?Y?>SS?<xumv&hXAhlI_bQeU7k8
zKCQ8V5{bP#rWYm%w#|YUGEjtXoT~IDcIEE7bbPWJsR}4_UHtkm1DE)=n5DmC6kV1y
z=YQ7swSL++I9sq^gw56r6dWY5X+{kUB==NT^+ZuX^+wtCH#L9lfT<*-Q4j-X>7xx4
z$<)}b52MlS0;Pd>eBK=Nq`mJYTVcs{BP$Bf$e7lMrm;*5t*d5TFygHRSIuT5h?`7A
zhm^1;n0g|tEEW_5%+yr;5SxHv3=;(44&dxzy>Ojk1Pf+UFq5c_L?gyt^?Q-`W}nVr
zWJU$xdtOMsO))Q~{D;8O0NaWB0ODRUg8|jw*plrK`EbQ}t#2#J?xtj(bpvMN%rZ`A
z(4xLb4lvUolIJ@tNA%P5o43at$<t=O>0EkTbjOQ+j~tx`U%h6-d0zn1_#keq^HOBl
zlP9yJYpY;53apdi<nQn(o7vel0Ljcjnfc=Lj{+GT38Vz(a7ttZ6hb@@Pq#?kaVyc9
zi;;UsC3T8HBDhPmpaR0QQt(9V5=2%6!W#Y^M5AMn3T{wXurnBb*hVx@rL`WWL-o!n
zGc5_B*^k|dj809!TUi#vgeHCxDKS8DdrGo0RMwag6tT}@MiNXA@ouS$s6-uekN6S<
z1kdKPI)9!QoO{I;x)^d)m_9Q7#|__Q+hPkxmV@K%G=R@d)zhW>*=#5DJ{(ORbwzz%
zS(%kkl|;TtOGfuX`Ik(CsJscdL6#p@Xr=&XbwFN=?N(ql-ea4-n~ac}CN+oKXc{dx
z?wkHgo3LIL7SN&z`WPp#h%pgkW>+xZ_RZDI(q%bdOyk%ux)O+q+4D3AY%$(?W%t-~
z_0@aa%3tF~<u?@1M4LRaErouqbP5}){CH6MNW_N){hPFYQ66|>LGmUa?R%z8+ovbu
zFN1GnL10gkdw`-j_QQENz_#QKU_FcAnw+E{w1SJ$XT|6xg&J4uoy8^V#@sHLCSb&j
z=8~qM`RA#>j;T`?FfxqtR7`wA+y(MF=eavj9)dv)aaaq8I9T6RgD^h9ax9AFkmvzQ
z!D%EV(ED~7257iD9JGa#H+)%B=FN|AKt*<#bES+u5nJ1G)vG{L>-X80EJ2IXfF**%
zM%|NEc*^~pIqSCL)6haQ9|J>@1wKi`9iL~P>KRYSC1Q5#JL0Y*o{-lmr%hojSA0VK
zgPOjNKC|S*iZ=>NJUO?1My4(1M4F)8goR;-2)M~5y+i>rkVy0LnBtOF5<cvZoqmB9
z#p@_!`%*i_EIXcK+>!Guh&Y%)dUOTNO*>V4Z}NCIMJXRUMe~1iy)ZC42&IY#f(>AZ
z=C&ie(<IK!7u=DGA%Pdq5&$`V|AP;ilxX|?QE^E?MZeqkpkgRgedaV50=d@3EW6Wc
z>LCS#z8*XL*qIO2at|BbOHW~d^%SLbLmokhGtFWWpv92ROgm4JY}uU$Q#<)H<G97W
zO}JG-Ni2m`?etjw#Bb%G^q)p^7(W{8L-}(|3RigN66wh+{s>|eotVKdtmM}D;naIA
zxn=bf26QwN3v*rPp#qapKRTrq+cRX5>xhB1BQQDPOzAS5z|s{&qL-u-#exQzNn=YF
z&GYR`2187NQo6s1cv6D5V@e-d-HAX?vx_E;(h?G8f~hl^$_Zs&+8E27m~>$k<s~jl
zA%zYO@O_=T)s4i=|8Jk;?B>M03ba*w0e=1y5>frA3i>Do7j)2wE)lj_Y{LrjH;URf
zm{$rFm>JoKlhcN({zgh>kK`@naTIZFDc$&TV0HZo20Uf!RUB>yL$37Ookch>qZu0M
z8U3@rMV8+c8}z}@O1^cj*pcU=F$^`7SkD>GODE_=ja1OTQS}{yWeEamSj-I=_Fd9<
zn%uodEKJpph_BO!uIUn_PY8>dH4<aO7(xWAH;VuA__GY|E`J7P$zBFaC9~76Nt#1C
zm93Q-0xoy*o7@e4@BYPa^-KjUmFStp_Dxp*8##~I-Th{s`D!SZ{O;Ir`0)Tphk;r|
zZUW6IbXIysupUW}yyU>WhO%^-K)E%QCbF16(Y`+Gs^0UfSaY$=bkcmr?Gtx<EEDk=
zLM+F#aiSq={Ry6}LS7L`(FiYMMnSaxMK6Q-4w`{;yRbX3>5=L$QsA^SFrVUp^C@sp
z*z5hj0AnuK1|uhC*e!}mldPdF<J4ghH2$KjKM>joT#LDSB&G!_E!c~Z({&LT=LC}h
zyw9&0?*x|zWi@r<9#hPqdafWwbZr3qN%GA`a<?Wf1T#?(Vtr7&()CFxw<q#8KfF7+
z!j`Ldmgc(IN=++zOZ_nEFD$ejTO}->#ITOiMZB9Gk%HKjc>Hx@6h>?u3k?7p3%>SD
zaGy*c&m|6I3nR7GxIWqOs-9D7hn8zFP;z9tcIxiLx)?#GFeI;KL?|^FD7aA!?-%`^
zS#BQ&lLu$oXk^Vzv4j427$7yby`7p4K(DJ@_E2<M#TGfW-wzp?*L;pGLrc?rB&_u$
zn00EE8#A4Q@^JRYht|Vyf#^z%vU(;0#vkKg|IX8TgcLR8#!&`WPH^_dS?+KECi(0L
zKOm-bQn23<IhzHGvRg^tq*GyP5ED@Q3eSt8<(eM{t`>au_{K&U{h(T}Y{PMwvXx<+
zxT7n!ySTtvuB-CvT|&qSF4pZ`ay}QkJHP^b^(Jja+f*A_KTyq50+Ra-SJ)&UJmG`^
zc1FSGO>>&C72!HDY}dSK)t%!Yi(29|<UjK#(Tl|CM$uxQ&;#rwZX?H@k%$D3Lo11Y
zHQ2)CZ>QQpQf&4UOPVuqUC=HKxJ88qrHL6!Aw!sUftnp=pyW)j^35C?Q;?ewbFl3J
zw+1^Y#iVIBi3}?PhCsDQ;P3)khe$Lo(r*NL`DY`EWo_T~0m?ax4_ouKQe7eCk&`ds
zdWw~`<}l5=Hi-L)v~Tyz-RBpK)Ay;`scsN>GUtkz<1$)0c?>?TO{aYY&=fk64TT*?
zP_H!cQ497?a|*%`8>f5zdTx)m(-)mb#v_mlrzI>>5mr?$(lvWC!y#Q-^X~>asMhgD
z`be(^RuEKI{OXri`!h66tf-6#taa1BVd&}=uF9}-VjMQ+;@U0{UK4cL+YN60MX>(o
z<fWJ%Q<zb{Ol}+Bw=StAp0iR^AO;N;GDK*u?c`-MLdpN0IY^aGIs+c@j+~|0#Cukq
zE7EzsUxjcyI1aJj%S}m$Tp>9=VXm6em!v8;w3kU-VfU&~7X2poi#R*E-w@2$$ntxz
zg1RkrTUs@i@A(-Lik{pA5eIt~Rz+mnK`XMkhW7W~jbvFc(+vr)<xR4fdXeCLszib;
ziYg#m7H%c}$`{gjpnk-esU;z89-WByHe~pag&^<)54icH3-n&JnsvPAGLPnkLDYtw
zj+|Pp^dw152g#piEA)RM2941ftt9hf8Zfy-&H=|8XNb4qh|>%Ymd2yZp;e!pw|@jo
z7T{IwblKU9T>r~%Y=-)a{9O$CztSMF7NdKeJ1jL2F(?BI{z0La^iGLK;!l!J5#WkJ
z*M?v4gcxDeMablj*Wp}i)l>MEymm}Ik=KzmcB`yptX@Wc)(?Enu_!(0bJ7dQ?1#Ff
z_Mp^~0S^64$N^-8Uph-@he^f<zagXFkb&zB77Guh6-ySRJow%clw6!NB**^^Bx4R_
zcS-YEQuymb)v%!IC6K~&3zQp^p6;`T2k4rOPV#b-H)xv1XEIE~^|`PH#9t=VgdP~;
zMWJZQ!yWMdwD+X}QC->Aw-}v}j>Hia(<Yj<69xmKAo`3`w}#}i+X)kJ0u#|P;(!BG
zp=oVnE7};NqF^*nI&Dw{=ZP|EqedtU(SV9n92g=Zib0U!erum|@2x7RvQ1vz`#SHd
z_vfV%Zr!@~oPG9Qd+oKDi60F^8pT*+lNvUq=s{UzS95U<KW>`HUlygre=<_xd4457
zbD5RR``6U6TUx^>)8?aeP-Z6C<Argf@g*zGKHhP}I-s#rY7m++q|IAr%p8ynr{cts
z2R0>fX|qx|B$%&R+9%y8__1V;&LfjW0Fe;OHj(Idg{z&Yua+nN4tYkpx^Vq8Hf;wU
zG?CZ6FEEyMO|T<J1fo<5>l)aGUndh)T~LT&RWGakamCtN4NGaE2f%odJK8jm1f=Zg
zNNF%hYc`b7?bU!yOXf8rWi~AvMU=_6mmHl8c?_|jJeIiV)q^3zBo++rnty*V!P2l1
z!FMarXAP72lWf0&s@<9^K@-}<r0Hl<3`zKtn!KaM)wE?XC(D`%NGYU?0oIX5a$t*L
z-lk#0{G|6x9DbTJ-dpm)tWXkiI;aQ|iQY1N-AjOgt8CxYIdFWC*Vt=YjpH({okG;W
z9hj8dly3rW9@+Mm1v{^Vk1e@oDN2g#jNL?VV#&h-=oLDbjAOiBo~!#8rd^ilsk*V4
zvCHG8o=R`d<%SDYLac9fi}V|n8NY$%LwcXslQ@J46&9{xj4(YK&Rv<y>J`oB>P)|W
zbkYUG{Lv!hPgGkZ2xgy5-4QBwp&wkWxxv2hAdw4Dw&D+f9ev6Jh)lJlc}n~|X<@1j
za|~r`qM3{Z`m#{t{D9?ZkQ+BndO((^r|EhcmZpmQhgG{J65U%fhv}Lrs}^K1cu!y&
zX-5&w7PEt@D57Qjkw}<0G<{kY_8lto(hrdz_@vepr!Btsw<%>4y_)GLol8<LPrF&m
zj<)hVLdRKeBl4Jhrag4)|Dw_oTb)Sa<D*EL5p^$?e>DO6an^7486Po{6b@6Ez+q7Y
zT0So`&Gtv;pGV0k3lQk$uPcfx>Ig}cNN@EdNIq(oz^)oE*urFD!e1#d3M_C4lSPWt
z2)iyIFw%Hhn|~60Gvhni<SB@+Jp(E=;jF$4UyhHx!J#^KeM*t8iO^tZ5K|MnAExZ?
z*g&+e-mMYlXc=6!tp3(m%&&YOiqoY}xB5<>Lj4!QvPiXx*PEuWVSQ`MmsA)PsbLod
zsPGt<Eq5<Xc+DEm6Bg)7<FQphG*QK@{c4Sy6@1UyALt!Gp8b4FnYRGOptUJR@Qba`
zRvUb&#;DS3mW9XQFa<IAMv_*6P8L~<DFGxv<Vkf4?MX6(p*U_CQ1TigLsovBEuk*y
zb{3hSX5XYX$wF~0ME;i3Ru#!1@ER;AVTEXxTj2Xy_(kw2<-x^+7R_fGmh)ZMkPlI4
z*f>9wEbQC7kyf$W{pdW|T}G%qE@|X%Vw(2Ku_y+&(~8iZwM-j>71%Q?G}e!_TyWI{
zSyPS4w&r5be8DraRzlUB)OT93$vg_tgA#{2&AB7{eAb35MQqve>fwXxB<1|WwU3AN
zFRMN=hb$?q%^oUWy!X=GaAYxx8zeNrq#xH;fVERlR`-Bt@1(<!;<982&eazp!JU-A
z3;NJ!Wy+MNQWi5<mLN&Fwe7odmgZTU*5joyvO^T)gmWCj`bJRJX5?736R~JtZTxPX
zT^mg?lILB~HsHCwn`qW>P&KqbU<C-IiR>OJ!(tFH`qO}n%zUG*xTtJ?lWcytP@tUJ
z;^xc$XqM*6q_9-64>OHmS`L)E)(3Fm3prb>5zh;yfkurAy*DyUE^(keiJp3*$kYpt
zgtxMkq)Pd4VXC+g`Lb955ZHwDMRR(*uLY`4Z%Id3;><N>XCaMk_{SEkn~}ggj{(9@
z9OerSLz#d!DONb<#0;t8pRAIQ0-d-Im5<#oE4NR)6?3-K(5Grc7zlFKr|w2t)!Mf%
zkFUIVeCLE_NIqbap%-t5qSuSGP$GF?RFnO0X-a~Tb7UJ}3EoF@y#sn-|E?SnDELc5
zW~2q^*WQX8ILDhQ0Fvn#utaEjELBQ2lhNpx9&$DHpJMK8h2!&+Che^FMq9bGlHt{V
z+8&%psl~vgv^hu=--cWfXy6hiRoNA2W^wLah3~2{lTVQKnuVD-uYoG`EB>un4*=HR
zS@?SViZ+m+mk14nNo6{Jg@)AlSutc7JZ5fI#iu!=WDvaj+*cLeTq|bx)0nLA9FuH~
z#W{Y~WfTCRGW`;0=jiPuoC<9@F&E0wq_KUmTN%dQ4rGQ5b4Q;i|9%PtN*RoOS~C6~
z*U^6sCi~+c83E=4C};UC2RaWIwC2-lY2ZNV2(WDFPl8GPQg0Pc1iPtQC(Nmt(<2xM
zZtS`s%KeKc_h0iG@slXygUaW)&K=r0YGFU2Vs?1uiXmja1{W!uY!k*o^VzAva2SxR
zF&S?}Jb~6|g(lr&-N1yL>%<0x*Czl8QdIRk?(|F>S#u@lXNodIDFf4RJCirSm~z%{
z<UzmQHNm0eK06|Jlvn<2wD1rrB&D2@wN-ru5>(~N!%5VnW8On>ECQ-7G)0?il$U?9
z02L_dzi{w2IsP<6ZhT^9{c$wNAZ04n76CAa*7Ab~tSbtsX$CehbRR0tXw%o#QF{>2
zLd=C4hGEN2GuKq=5iEIS)xs8OX=?8<f+yoBy9V`w))<=C4Md2O$I#2{E8V`i7PGk$
zw7F}m`Cys?wv=kNs3KDpj@C)?NN-#;=$&{4+tAE2Kt&z5*D&KuS<dLE(s1}lOMPsk
zsDnv!8{<z{4s78!m0uQ}g)2-1c0t{5_&be7g=hX8iQ`87YApEODXVKhd0Q?MJ>;T=
z?^)hGB;<jNf?VhM5G#%w;s&|FPCO_t-&Fv7I(KA-r+8#RkEJy5wFdwkrc8r5<n=$<
zi)?s8dNM(2I3Yme2+O{343pRw1WW-WsXr)8hSUc60g&V}F_FY(R)klrGz)(Tg<mV~
zrPl78`KnRQi^K3_z68LX`JAz3pVeV|b}eSLDYozD{oVgim(7}*D)oq!&NEaCb4bYf
zG80hlVeM}iD*uZq#QaQkTg%3xGW=bt*-kT-On-zRL*8(KbYza+H$E^S0y@XH0n=jE
z2P#&rP&O*P3XBqEeJl${LZM8sF6CI?8iNLM=d7HDym(^<{Ui+LkZNj~!o);#YC;M*
z2GX%;wVz|sNPB3hV6`|xHh8(^zMgc>$ad?EI$Orx6eSrX%t)#-#-HkL{yaI(=hEza
zu3u761o7TaD`Vp(EcF8X%_KYIiigV%wHH41e;0)&IqZRQo+z?OsBR!UQ0)gh6-;wd
zS7r0#?0{%eRHP{*bNvdcmNlpoa1PrpWP3)ob!6KjzjPR>cLQiDkI=LcD!ZFZv}xSh
z%~&Lcx10nvxNav*xrC;+AK0FUZ8_L>!_N!`VpCG_WY$R#PMuST(JNpToMX_GGfudl
zu}nvhraq05Y*7DlkmpBDHILc6t|ezrDlsKwh4QrOD~$BOmEZ`rR0yw0%RxCG>h`W~
z=pLWG#GxGpY^?LvV!O_hPOc`}GrX>PJjs5uEu?VA5a|}KRzXKsbvveo7v5BwL5c$b
z)4$(kN52D0+{k)o^I1S(pRMj~`0PqN6CZuq>Cik^=+V0-!?>mrlYM>BYKF0S<jfzt
zkpT;4=WVxOdkVI-@Nc~%#24*JN`fHD8#xOh5LGk*Lab?vb9PRNuFauwYRlG_>)|`6
zA+C8<DIYxXb9M<2?fzev5e#c4X;Kg(T$!&YDsXgdJ7R*-OpHv}PQ=XkDOk*bm>uh(
z42baD58gmEd3lQhh*4dIAqZkXleCyLj6w2cHQX!+ycC+kB2Pe>eHZv3EUW;7T_BBR
z#GZze;z~ViV&n;nlDg7T&RPcM&8&CeSR^^8_X;?fxLxAM1NL4N{Mels^70%<(v!5b
z2hofVa65w$z>3tJ9Bp6L_GWF%nE83x_N*;H*`o2k$<c#J(RSMIYmma{e0S-k=I%6`
zgSp<kvr)5D7-GdFgfR2-<DC|^{Hp+=jt71FKh9+{T_5iX>+1-H3lUkF>c@f19ZB|3
zl6m6qWHdG=@xF#$!;H07;hVH;O9Z1H@5~!Lah@GmlT4tU4Jv>VJi@E!L^XKq!_u~-
z-f^Ib8RDri=O0WeuM5puT!HTKnozG9T)>Bnr<jgQqTaVt=C+DL@cP?khF;`SKx8H5
zK>Rft>)YyEMDFo@wq|aG8VzwaX~vHYgkapVUqlw^553nf{<S~6Wgr3wiD@zx8-yrk
z7H%Vn+!Hgs$8OrDWBLP&=XYgO8el_TzT~TpM(g@=`0k#*G1S;4s=MtA+ura)+mg2J
zVO!9$Md@G5u_WaMGMA^cd4nmBRuacbWyt%d?p3&uC$$z5W>do#j4c2LQ4mT?0!-O<
z_SB+jK75wX01YT+p;Eg`y;)QH7{9u6OzE;x5=_EWADGKz0$jgc^Vp>#HWBtalMk%k
z9-FUYv{MpXpaCq{o1L0c|1bx?y2g8d1r2GF{d_s~qrumQjhN4+02))Cce&fbK_rw-
zEo>Na(}0<n74URrbw(hj6u|1p%9sPWEO`2mq<|#KQQ#?7mEc#0#phP%x&YBdw;K=$
z8?A;!g*)VlFyMZ4rrSUd*v;3{^q%cY+uk%$AZ*Lqwx?}@%oe?W^+%Rq2sjOvy=+(m
z8w@gMT~vSi_mT>7`pUz-Ra()N5AC9W_bsErcPh;DPW(uM5hOUyhRawH4zEA1WhAK?
zFTOo*KuqhR6TFaKx0Ey*fe1|VRx`IRvI&4xIj{b?eiv2s7+t0o1P!%^ob#0`co?>z
z3P)wWIWvffbdU@O^BbWm9P%nCJ5YONgx`EhDhD)|KY@vh06O3!n*<4jR$OHw0GN&A
zmaA0$b8a@u`o8gpqiNQk^iFJF+4h!g3!8MwY<t-jzHAZuS9nMX<%w{f?8!%Mo_yJ!
zSz0<DjVBdoE;*CD`Yream6kbc9W2ZHjfTza&;h8VlY{c?Nf)t>*%idGM1iVwrq7-#
zk&sB60)!zVjWZI`N1QMO|7?kbBypC6ZvLEvG=+1P1kVzQgv2>Z#3<(^B#E;GFE>s?
z`igUwU;!`jpd`+c5NErE`Os*wJq6oS;4Hp>$F)!u_`0z4c+F0R{;eFvq>`8d(Xy89
zk8DuJ@6)bip7=2nLTEGwG%W3V$)`{+Mr|yc<~p5>;b{sTigwk`^DH=uZy^)J`lcPP
zY3#WMW5MBh*${d}8*_Ka#{9a>#|P|IbWNG*1XVt};d%K5P>lBMZ?`5iyD14r+kV0J
z9Bk{swl63?=rn)(@1LLSw%;%T=mqmxvnchW%!)I_1@?A-O-UmeP8h;T9?wi;_yU`?
zCrv6E<OJ0LGM-Q&NXRUitt0VKrmaIN#kOCuJr~<zux*n6a%9kKRaJ>FU#=9$D8Wa)
zypq&VWWfPU9JhtsTcEi@HTu4?S%@spMY3G2oeW}JmSe`F3k1-TAQ<eNT9{vLd^_9J
zvTY#SHneV=$A6|~!Q8yGb5M>h(Y~|riN0`$qt4Kz=hh+J$+XY*1KabkEr(zGZZM>V
ztx?U*%Q<bEV71Nh+NPO*T{GR2E5o6^yYzRq`Apj|s%`R?tSoF}#<rPi+W`5mLmB{S
zCo3+$U=oG42}QC&vJLzET84dWL$|gmW5(XLO(@!eR^y<ho1t%GZ%9qLWt-o#4K3Ox
zHErXmwwYYpAoBkQ)7JuM1wl|&Px#n2t7aR|vrQ!0hA?e&r?yes|CQ6lf?VVMV4JvV
zYnwYG#c<nG_|-gxBc*wv!sN<7>Rvrw6JPSaqtl3x%izdDbUyWX`j&)oA#)wtWbSYi
zU?OY#1>1A5t%rZZeSrpICfKQ8*oJj%6H2zRtpDF;(T<cBoK{SZ3o-aoDt5IuD8BTQ
z;UOPO9)Fc@nppQGtcE6H;NFhFsg6os^OX-+B5?ockBQ6bi9{4!OTvcaAhQcY%*=2G
zI*6K~$;{`oX}i1V>BJpg_R#0$L1HXK7-0tfWz=T9<{{}groZ&CTEl$m3;q(b>geWA
zFheNxCZ|Aliv=uT?TmUwy@bS=nK+Z*n(aPy+k=xG1tyu?fmC1D<KLJpbH`&dorKl?
zhi{&b-EuCB$u&WoX`~1(Y>yyS<m)rHpN?mm&`hc+QMVBSjpXrOzE84)fc-ofQZPs0
zW`lbfZNCQFNd^n}CZm^ptydSmB!mQaKDNMXRY!k&ljj5J3nWSldT$;Q<}P4>a_E4N
zF!5Dk>9qSpZ=@ARzIRv<LN+>&bB!q8$#kwuGO|`?9D4K{p?qKV)sgf!S7Gxk_;p%3
zr>=WIS>m~PGQn(Y?(^+{$HO2|W#S*c>>hoLVM_1NSCS5^1}}%{_7y#ZC{Hm*AZ{mQ
ze71RXpQE`yE?jyJ;?*5%pEcmv3rOlx_P7e&E?+zQ;>tXKm`I;XI2d#^NwPp5yT9nF
z=26-e_;rws7VNN-(jP*kghoXBY<1DOP2mzBunIcqKmT56OW!3hZib%*+%h`WkXjbK
zu8Q&5S4`hDyPNsUKE!EZ=O@ePF@1nVHl%+g8Fn_^e0s<q3}x}q;S_fH;i|BB-aABy
zd|i^=)SOA`bM4Z`w#gxmLizOlPeTVqjr9sU3AHUjH}*ra?cnRQWJUSTqKadV!rN<<
z<<@lO&Ln#?6K%!zviDMNn*8cSX7=eDmbURvr0Ledz2M0dwkPc2He6@cIbV=*Dl?hS
zN3Y-$8}iqL_Wd)wp;d+pTnCJ;+7qpMKOM+??z^u!)D1?)Yhc-7_(FMyiBT0jj}*g<
z8q4(WKV~P#``#&TFN`KZf!h{MtQ)+@KT6IkSYd;p7cMMaT6{Hgv@f}g5AKDb(}*nD
zYCdmURuibH9(NHEnq6aN!Fj%(cDlG>HS-2l7uu8P!JdP=u>Q7_@#>n;Gt+|L-7*qh
zoo&<p2D9)GHH?-QsFy*7yrL($5eFP!@S@535BCJg_8)jJ1=Y^Zk9O~JSLM3fyGDE{
z_Do0<gi2_+E)|&b@*3|Ci`T3p$5Y9z;8diSt4cW7uH6h*L8lwn`}q5tUz<Hf@M{gb
z);RT`_1oLBeXmWL7ASfO2j#t|odk84&kpV?RS7#@(2^yU><e9(8nyzwsj({3mER#*
zra=F7<ykUJ>9Rj8Gj!o0pKqE9rL*;hp|zz-I8&BM`Sj9>6~EzP4lsxbihkN<;HTSk
z@$2R|7{1s!+c$ApMNH|5Vlp#DTqC0v^5j}y_4o%OI_&>a5ZXm<UNiAR34G2E*UUM!
zAyA5YAYVrP2D)_nf&`Oz$9BOV8CeERa?B%6B58QC`wgpziwK2R`u67Q?#A&wPXSS1
zxS)9llR@$5o;?KZB=`n@P0I1Dpn3<B-ECw`Mt;!?@Q3t)O|NaLplQeNdO`38)2NbJ
zJT}=q{1xp`&yw!&o5tJj@=#ujrE4v@+?u}lzW642X={~@r7Y2K4b}wx)1kX`Hzx0=
z?wsKF0(MhH@QE#}Oimd@|GItjN76}v!>2|(Z~Q~){Cc~2LmRUW!e)nEldEGjkE%5{
zF71o14;&;`#4nzSplj6&tqUSre043oUxZ3X1+(8bv#kYl{2*J>BgCGPM4^X%h<$us
zQ$hDE%cGI-q*;68aB(C(REPt5oTn2f^`MYKL9`^^@Fj`;lZ^ku%bo%CH4qXO%s;rV
z5ZA!+pyzHuz=}^e720xQZWFQ&{-onYX4AfUXz+aReL>kxgxOxjC0KiRW3HTGHsaTW
z9TDI6-2HfMc60NGm^amESg$?VxBpjfZ7rE&uT5$;Jok$8K=spsINQ}DPuzv)P~4P-
zu7WW%;?*Sdaxz@ld2sb>Ez+>36Mjd5R8mBw732{Rj}>G(YfCf_&((+8cl@UBrGPp4
z7dt})s`iHmPtx3k9kZQQ&2JH*-};WwYU!M)^~bkl4rwkJRuAs#-1CFbqA@=6?q0(`
zK@{3qkWHp3B_UQM3zPLR7IarwtyAGU-7p-<M?8*0@q&JwPsLRqrdtqP;`cOs(9+3X
zPbNQJ#5Znjfyd58LZf$ZaAr`}y_;2RZ{Rg{{+c^fGr#7w+oH2*mrYxo@2)S5!@g-f
z+r-5gM$5i+u%TYiT<CIn@#Fo=9??mOowz#i)WZqm4yYPFQnLppdcZJQ&b???Xr>F3
z4+S6^r$4PG!D-FVTTEdZiV^N68>udd4uso@$gzAXkXyVdFaJqGRj@q|xG-1NrMd95
zMlVk5fp^G0sz%hIP7H9t-omSixLg5e>foWbnB=BlNCoB-cK=N65AX;aKT8$TN_Mom
zrT+VmB#+ZYwF^Sqnnyg)iVw-C*}?crn;*mIN(G<@s@8OSNC7t`7F_zop2j3Aks1cq
z)v|b6x|S9Pb0VyDS<P>dj6_yptBP6vU*1Xc2-wtG5X^4J@CED$jgO{6%)QuI=z@8z
z=pQS%`p?-SasMa&f-c?8<Tit%qrJwr6m<1YWLci5pXhf!DV-fhECf}iXJL`yZln_;
zjs=M($UjUTYv2n03wS7obQj8@$h^>ydJ<_&D5B7+BVTGh+8!mm-JE<vq*-&s1!ml^
zs`pma;Hmm#pGVU|ALj9Yt?u}Z2G(O4<AiRfC3R8!!&!0~p^)WXjWbmWMgfV354l#v
z1|7CTU_mU?d)!K`e_>&zN_P_nkY0T3)W4DhRQJ8~aQCkGVh16iMZ3Ef(+gZ7K^mCg
zwc;%y1fNYt+h=FgbuBGL1o)U9bf8*0Es^w3JG4>{IJWvNL2L1+hTy!2duwZtXxbz)
zeN{ZcpzEthyiHZ57S^J%iEVZR0gjn{^W0vuMU{K~vp!2)m@x~>-@|X+!qQ-3=;X5Y
z_AGs}c&8U$p`@Pfa>Io@zWA!Awf9XzkQ!$Pt3dE$B;}u}SgK-N0lfm!x2$p!48e=J
z#`=kv<1xqkJf)gNJ(7-XCGqFS2CZ6DD~XeRaZXzD-ZcKc=_;osCBTPyPohYF?(?#A
zj3|0_?nm62%NyGjLG}AvYey}eb8?GZ2O%F|_bKr07@XYc?nS9?!X6RtTvQ2Kd3lX6
zv+g`PPY}BCC3cRlaEQi-cJ6>pXH?WjaML{6^9F?ZvRMdPoAKz_t}sssQ~mbKsJ|?2
z(@B4?4R+Ea-49b*zI$NXTLNNMZeDrrxXyN1D%adg9CmEj>n*^#C#q-SvfKMllohv!
z^G;=Db}}Nwg{I7)XLZ)0;gJ2iI_PY`)6j^kB=qrv-_r?$s{e`5c-d>SonR{RPY;Oh
zy_IV|Z1j*+-D}g&Zhdk1EC<Rt8eG-#7aVl}$=l$r@6Hy=flM3Y2`?$v=SJMiG^tT}
z0mM!8$fu9anL7BYas&DWWJ&}xKb+0HDi*(Pp}TFYWm>NZO{>_wDiWzMPfdrm&E(Bm
zkARq=F++nN^GY-_-%c1=O4aexZvF3(4G=<o;=BDW#foHEZ@CT<FMb^H-kHEb(RQos
zR-Gzl)znK5QKop7l&zWb(Xfn)IA$y)gtY26FS|l7=kgW4tHw+|5&EKb)S}?|U7z$C
zkU+Ua?VU{L*YECkKN8-H7Hdw;_qj#5076G#Li+N(-t17M>@m>rwjsOiNv?VkJuj;T
ze<X>gnr6xMc34}NireYXo)@~HjPm(v=WQGYRB8)v-)nGd*o@+ZB=zz%xxmgFcBZ!K
z0qhL~D;AIC1rAv5@!x-mB4H#|qWFHvV@6NeoKJ_rnA$2fq$GAvpER(U?(?i&<4JUl
zJa8lKB3Q8!)YnU>8c)(`b7#6MhXvkgChgzAs}O5E{kQf=!xR2-Tpj(FvR&-a4N}i8
zI2%w;?*q==0UfV7$?*aiK063-s2ulbIeP`2MRZ27?b*Xwptx%-ZyON%-i6QV$cX}{
z+2Na)^yBom(uyt#h6~4PcDf%`Uw+7oWK=S*f!{U*@r&YHj?d|d<mp8ARHfvV`2-*d
zl>l-rrqi9NE$!C7s2bwXI0;&`oMg9X-_2$`ZK&(xWuk0%xc2do$jcRru?9m<H_Ix?
zJ$nvuls3YO8~Go0(NDxPaTvZh<VVl3>w->y>@5^e?!V@>sIHIgvVl3=h^iRZxkEcg
z?IDP%Xv4n#tj~b>oVNY!Nb4!h_oR!^>Of}5Fn3h^`S(*ILL9WCuvWw0JG|os;aX^R
zj!I~J5sjn8PZL<Cn$%~e1La0x5lh^K(I|z(BAzZEPP%-N-T*LoINIIu@N(o+*+=KL
z8T)j2v7?1#SiDFpk8=0QyL4`phvPI_F}IY;uU4KbR&3Jc`_Kv=z8E!e>GaL-u8`9+
zX0Nq0+-qQ;rvuX`H5UK{tP0)jiQM#>!+ih=v?dK@SAu+ttJy{#q{c=Lh+aZ<YT(t4
zhq?&~>xRbqQ^JQs?&;v&k7pOgsI)IE{PA@D9%%nnKusLl;Wv-XBsY@K&UOTi%zg4h
za>vKDRN&#*?%e@~A16`#SWealyZQI?`ty|f4|BTBbk-)_%5J+olLF=7>n)ZH5b%{O
zyh{P~@|cV_BAyHbjHOBUST`_%)$Q-j2AsxnW^sUh%3(QVmFM~Bm#?YMqC-glR4^@!
z2RiLLohSHT`YZ#2<~SxizuG$}cX3X^VkzZ>Ln&qbOhplquXcD@O%45{ctOgqG<L@0
zrxol`agLDq)v1+<e(4)(>gy@trYeo0fBP5?RWwFZL^#cAtm9}PJY^~&vKu|JlnP0T
z@oW%zuC@<-B6xaUM5*$=qc-Uu6~$?kp`JNKUT8vsOA9}?_k5cRJFb2lk)ZdzAJ6Pv
zgHA<uJ>E8RYBSPd9GnczpLthX9a;M0IGjOsw;vEXhqDUTiVrlbuZNc=*}h;EjGlOa
zmLT5nl2=x-yQ)%q&bZtRxqH9VTU32{9!F^C+vrDDYA7;;8Th2<fCLl(;n9x@-THqn
z!p@a=&w`(ul?N@f+CF06o$Pf}7FK2!Qov+IP^zfMDOD1V>g2tC?wzk+94ZLS$IX2!
zqg(G&3tps?xc~a1o`P26xV5-MD+$iOG5RSX2aj={D*|tsX`3JAy4059Sgg;ttj3?T
zoB;sX2<n7$M&J}Hw38<nx=&v@iVz3FaP<!TF6XGma^?M5n;*x;CPEEPC?8EnBSq9H
z!DMMG=vS_qlYeRBG(r-;1=<x*geO9!GX4HvQ{qC8T}KfJxrL=ID4WKzhr(ve=#uM~
z?Cnw2>{y-965^U<9#}qFu3o7O6)Nc)3)-ldZc7G)T;%=$E^)XvMKTsd$cr3RXHtMD
z?OQB1y544P2oQYca~!7OZ>jCIXA^=v?#u~|cs0K2VZb4~ls+fz&lq=7`J0uGUF|)a
zvXrUxM9E9h3o5#`^k>kU9X<B#b-U=hwVd$nrL6clcP;{5dznBkU|gLi4Mcq+0K)m^
zW)oeUYRu#Lx~%$l0L`_VGTvkK`?Gesg@p7tUIQ=@|KBya6QD5xc@=!t4Z$&uFNvpM
zp<w2<HI)ac&bUna)0(<c2ciCxEPfoi)I5Uop(=7WVO2E@)=cqn8jjUS!prX-pkNJL
z31_7qa$CRw1DvQ_5$Fvs+84bU#Z<x@@p+@X^6`S-L_~<)p2@zbO5i6?-!=Bva12h^
zKhxXq&?l<|ZPE`2syO9d9e?vg(@mEE+M<Xq4PSV3epjl(=y8{=o7geiDf>L&abEok
z0+!B@va-$RRM?9hQ~thXyHEc4PiCQ(L@ekm(33tsp5lCnersmw=Ud9W>4k2vZ}SG?
znfuXs_g_UqPv0t~lEK63D9U4bs#JAllJIv&W<NRqatmJmm$C|le4Baq;^Z;-NiHLR
z&4F*RvckaxX_Eb<$3XWv5>~=f%k3i)Gs9wM6(&$%B>+BAtQq<k-!00g0Hr0tOq8uB
z4r+o5>^tCa-R;@>nJY(Fc989(JYZ*@^usen;-KF@fu1aKyU4Gx5X<-7SX8lALY}Dz
zDp@i220Q&DUmp-VC|=+ByG#B6O{MP3lU2o?1Z^0Lm!%(O-iWv?Me_=c<}Wu@lonb9
zQK}YQkGK~=fgb=_r2Qg$8Rz7tTl{&4t3P)Wa<3<xUR9N+AZa<y-w)Fl5%Pfwymt-R
zUNIE)*cJ*!_}X;d_$26j>*NSs<vs|{`S7V~p#D5PzeRtfHq2p0*AhTSkut?Ffk8KH
zU<Mgl&Yt+i_gF{5uYJ!6r+qucAE`n#qsoB=9CQFoYd>!4B?y_@(q?W<jAGp=O;JLn
zeRU~v%8}NuZv9_S9C;`D@7=N#P(Ld#m(@RTy*yCBB3ApwL_GDWDB;DW&$1;8ywp()
zA5Qp!c3~QhYyB|k^wW!VFD-GVN>GN#2Vb9ebN*y6B>9wi#8uvS+GWwAj^`uVNO&A&
zfpJ{HlXb~HPdxE(0!6M-beeESRpH=-xjhqWk!3P8hulm(zo;mNJSR0MsKTeh4tA_)
z3LJxWC;JhFbJTh`Rhyv|)}1%h(7z!`PYI?*m6FnjBn_E^2@U0{CuebZ4A({P$^>`j
z2>{-^#m_))``#18es)E|uuVSCJ$A-0cau-_;aD}bi8==sT{czkL%BKevJ)jitV=<8
z^#%O-x#a+#Z$sQ!s9J=wlpQlEhZ9dwk7)3}0@&ZYK9AiRRZ(;*ytfEF7CdpZzSxD(
z(PDQf&>EmrKKDAak!b+=1uVuBMlsS8526U&$N2gzo-Oekz{OA2F%uZ}F7vjX3h|ZS
z*qQG7iEnim%wJjbBYantTxPRl6ZeOAkCs^+B7pKzUV3<eKud2y+n$nn8PH=;C3>IA
zb6?MELsrDHTHm-{IIc<XSnwHu1%x}(br=N7k+hQdt<nyZvdq`*%l}9{ys|Qug)nqc
zoI~v+56z%e<z3KM$@Fso*0_aXYnq~|;~wS35;V&((E9J%YrEf*W&)*6Q$J6VW)z!Z
zUlnb`I;Exux^!ciNiGa=S-*qhc4CYwGL<{(F#Mf8gDSP15dhV=0|+yMHs>_+?h3-U
zQw>v$fFW}S6ttof5=(Rxc#B7hAI1)Pr4PO>EBqU^#YZoH2h9T(L5JRwAW3tOl;9&s
zf&-%h;6)j*1b0p%>p!4WICT?622|9?<G4{8u2f5+!N;&XeHLOZ1D5%s2ABy*>q$-C
z(P9buW9CEx^7@~5GY)@!lpRpd3N0LG8RH<n*`U3jjP^w<PlD@!s{mhHR_}php0v%0
zM<5~W0f$T={L=L8XkW<<z$*6-q8KuBVBeiFa#4ICK5Reb|J0gCK4A_szJ!81jqqeV
z`Qgzw0@mnx7}6K5uXnG?BTho)jU`>Fk8VN-;E8Ux(;zE`MP%E_?8T}@CJ=6(Q`gcT
zR!}>!_HYbUbQ>#&3zdf&;;uuVsu_dem%TMWQztigJOO~fdwmtYpNme>3z0B$as#q7
z6Ofp-U@1#g-^r*$U!Di_Wi3n6V-oWRNJs&i2;%(~x|{IRW=Fu8&si^fXT<3i1Fj2j
z;_mp3YGBO>l{R_u!W>V@VVh7uN@-EK_V_fvAFl=xBLWtB4^%Jt%PQbmGkjbkiuVJX
zkQ2Yow_alBec5NLdmALOx9(*uQ3cN=07sxz(L;QQ{+!g9DbhrHxw_CcVEAT*cw`IU
z7qCo<d@8a9K{D^Wsms?XIa&0<Hde6D?si!F4DmPngPV_HlLf!A90aWW;J&dfK%gmz
zF4|}Pp#=QJzKcLCC9IEs<El#e<m)*d3bUz(0U5$$VElF;|Fc7d@Vlw;D}5z5bDqY!
zKKu<l&P#Vs;pIWUc~AGJ<t@$`>gVu_Tv`rBc^WVK^7*F$UWEJ})DALICF>R7H{N~!
zOkF(tU8U2#oso4qNN}4D4y&x;)@8^nx3TR|UrR9ero@~2tW&6kk+;QqtRUo^u^7$*
zQhD<UwWSHfIHbPip@GdQqp6@bGdrW=Ld3ee3)Ft`KD{~=W=H@B;w&V1*A>MTb^Q9?
z%}8(cB*3B?LQ|NZT6I;^j?Fqg-AUCSz)Ct~&=IkMkO_XBB{*SOtwT#kc~zrLMUY$G
zyeF9^sEq>mX*29)<?=+`XF9q4FtYXz+R_9mgd!ZEES9J*KkLc;tjkECGy0kA-La;!
zLWF78aSBfU)rW=yn%X-gWbQ{`wY+?-!<Mf+k2}S{K-W%)n>lNGvooa~9G-0>58SO0
zT7`n}$>TR7&VMzWLkw?we^@Zd;tvT0x@f;=)s}fT2>TdZ^wq@CCGMZK6{^&8i}z=w
z?sVC)q4fx~xKCyJc?y64R&+&~+3oVx^WYJ^(WJ$?6gOe>n?YT%zP{_?iB>b<-q~vb
z_rALV(wGBP+EEAIcpdB01tuBK`-f)FE#<J%+2OvroD5Lmel!eCOv+hbo;iDJGd#+e
zcNTsF^9_2>xCv~B&p~3}flf9aENaA2UjE7d!tYl|Xo9<BRc5Zc{9lp(u!2?zwa5J>
z^Wl|~nEgn7{`23;VC+dSH6%min5*5u0Eh#E(4BxR>|m9#hd(JEZI;nfLpE;jmy^>>
zAyCx$045$N6UJ6cSuaJ}A{0I7FAxC0-c9b=s9CBmr|~|BBSgz8{)oC401K?a%=w2^
z^upYpBs*&9?b6qOw%MV82Bh?tGP0lIgPX+CbruX?EVqQt0D+QIwzu!mb`A-auc7lA
zg7x#0?{P=+hS$Pxok9XZo2Oq+z7wsqF*gpk0i$3YLzw`2gOyct)o$=|$&xx7>z4Kc
z8j2DvLg~cU$F~O-i^O!hW^NZWMqkiQ@?25W@w-bB(0ue!;TXod07o%m-K;{1xHfrl
zMK^|L3zrPO1kh%pIih`M?}^23gvU1%<l|CyqnZSuAJ7I~Q{kAD=}tXRH_aWH;n~1a
zYi9iEmpYxfk%m5yj8q|rY3b1t^YEZ045ZeFfX_-vJ^dB02`Yjfe~ItFC}l@$3aN`h
z_|EFrGKiJu6`2LdA*uol7o7X*n`bxP9+v{69lxR@p=GD4;d0G{+^1gru*U?Iu0=uw
z%H4um>d@T181K{f?vd6goMdWDjXG4QTqx7}s2fk8Mj&A^SN7w)0!B1I8RLh3&m{?T
zNskDuX?mgrB`p9|545S3s{Fx?oM=1tGQqdXsJN<d`f3M0IgrRWUqS<OlF`dUvnKYt
zsAsgHb9CvLWtBKd7$>s2<Lh&~B2UglUrM|aM({*DRZDaL6-Auatwnb1Lk;7&#N;`J
z$?8EwW?(6SY&^tiY9Ni|Evv*+I!gRNMwv|yc=LfE)cW+_m@Ko_aE~76!}MEJy0p(K
zif=ETRTDa>jyHsv?EM(j`|FGSo<`ohc4~{nLL<DxEi#AVB8tTX9OH#KyqR8bG^x(v
z=6n>ntFv~+79}ePdex$`_XA>lI)Md=0`Qmn7@6r+ci0Tc7@EvO6~_>$u>Sjx6skrJ
z?%E^EH=eqkl3c&m0a*Mtsj`hLx<o@bjed#4O=h+vaC*8;eJ273q-L#O7(oI=+rjnj
z_@Y$~IHY?)WX~SgnDdDRx{v2-M^gxb7?_sp@6A9G230c<ntFLM-ckNQx6_Ekz<>Z%
zE+9cp6d`!<<dC2Bg`exGJl8K7W8ZZPj3i=f%LH+812~trr`*rPVr9gIDv^V;66*qR
zo_GOtpA?^~H!lIuBYwG7>}UKR%12GEoZem=#fTf@XT=cngmq+K+NY^q2?jXm85IGP
zc51(_zuu@U#t(BE7oMQ(7>iLx83DDzjEy9*2h7Px-~Q|p{`snADY6Bg6-r$YWCG$>
zv=L0L!c2dlONSfb-r8yo$$qXE8Qp`Z1&Bjb5+%%*3mmXgI~zId+F5`Al@3iC;~#W(
z1+7%#>lxA=Ia!MuqJdYe6_vU;s}v;br7&k?6uEvlQEW1>22|o-vdrc5soV7vmsRqe
zJZRP90-b&iF@3F7?NY_G^tVnSYRMx~ax$bOst3(ymUBx<>bJbJx3<QG+Jw}i;xh;F
z>$VRW?{2L&ZN(8Ij(o`cq-XGW0L(N*yIav~ApW_?DNEQ?MCe;@yh=mRh)ztU)W!}R
z4=zFxC$ovoI7NxiV@MPwfjUCB)KyomfnX%j?PLapypAjs%4qE)d*sCW)#xywyUiH;
zpt?ysBrxrW{3l?Wjt>wyB1G(sXI1m8^(Z53ZP}1TE8a&g5<m0;O(Ot7fYH3HKLD-f
z&xjSo^<<qF`YwL`1c9J5dU|tx=E|AFY6KDVMi0%)8*`@Pl2Qa+)Rap9oAa%x5ko5)
zyNyMk^*c^(06(ha1AAgMS}O4yP^_r0^xszUTfVf+@$DRI1lOo>4t^6I@aV>uohtUB
zP8EOmkzWTs2n#E~lnfdv8L^5!v~H~9+WDAdk(}0J&1&Wob5z31J2tFH&@jXsZ3Xax
zK;e61moS<bFH;!d1;Y_7g^^s^<aYPDug)!ALrf>M8;FTctr1KTFpPdpsC`NwD?BDb
zf6^;rmAxI1u)@iEKX?hRTfKoo6Ox63PYk|Q7H`7KxOQr_rnU~bCulLmMBxcQ0F2!k
z(nn06mA-dmSk<SKKZuf`#uZl+?!h_%)!WW=>;0ZrGj8hMn83xdJq~Cjo|x&4F&pM|
zU-tgMgusM|p8J;G&O7lwQNK$F34a-{Wq4W8d_Vp~;+f~<+&pl0$6NlM)}AXidP9f@
z8F+rY>qlrgfcJ|qkQQ&)R@4XFj$%L18Y&BPjQVtQiB~|7{~CRQm%V^O_(FKgNkDm(
zf^GHB0yi3?ON}ohm8z*3)1<tJ(PE2ERCE91)H@E07l7n1hEg``0=QBK+66;mh)RGD
zJzQD9nP`c;^j2_o6QtbWZG#OFc?jTB+T#4>!-bjgLjs+FfuW+1pgIse?6=rq$fMC^
zIxnTfu*1X;AIrRi_2{@!4=Vfo$Gcpo|Gpr!b36210q--i4%j##RdJ@{kn1ggqzL`K
z$!|H(c{rF1<U1Ud*)cVRO?~w6-N=j721Khsr`cW;(BsM;xoBW%$95{imZ@f-kV<>#
z?uimAtcvjf9y~eoVFq!mUf!{~^H!in;*s~=4%o9o*91D!cK_<<qA(5M8;Q|g`mi1R
zlzG(E6nR9QslA<q^P=tSsYT?ZnuuP#L2B+isNJO|iWCC$&M~FSN}YH~C)D;(I*XYZ
z5#z2mX)D&@cZ!HqNW4D+ka=6-;WVMVKr7)om|nt>DR&`itNH?>5@a~vl!VHONiGrw
zAQ%c%9DHUy7>@w(SezOlDyWA*L(K3TSR+wfmlS(Q5DGO-Z!WV#)}c?*5V^3yp9X&P
z{KyTES`0Xz1uXmi?xfb{P?2eLKX7XsqD$M%P>JF)sA&GB!enY1EWSN&K+Lmc#RR{J
z2j0NKM&(hVtWyqvr&qXAFOJ2yH%=^QD%5HOLev}m+^@6Kh+Ibf0B1z{FOX0`3Q9@S
zyr@0N=hA9dd?IIMF6wvf_+#Z5P#$%uEL_*UG4@0mp6fiHH0+AnDh$ejiED`$G`JB&
z1hB3VZuQGzLV36QVnS%r$<=5WS#=|iQ|+3(_};k676fcd2%A8Zqujgz44XEh{4jKk
zARK)+4*ZBm7GO%l3Cw`>0{vScwe!Z*p>6|IPKUr)6+Xy6xdgw#FcVIEZPgG$LLlnk
z8}g3VK=rW=pqV>@nt_SD2A>U{F~~jC4vPGpWq2u)5%WC%)9B<ris+xEr5+e-v;yl`
zW8M%{1)3#o>fE$YFNQpZIO%=&ZUJeRcNH?@LCb1}wsxSye<Q$T?L)<8%KQo))88ti
zAT+h6oy4<bDKnSY<7l<L405psNV1vllMi6o7VC67X(lhQjlJumv_v*=fbr-kFYZ1q
z@CMrrWhMz-%zs4$VvQ$r4pPEvoMk|qWJWxxjq2gtX=xWg$r?u>3vDx3A{n3*d64+z
zonx{7jF!ws6V84XemBgB1Pvav6x{G`oi2`xu2di;*E@{doQG_e!BY$0Q|`CmupMO^
zm>rb}oghEGnxD~`4ZmTYqnQPmi|A~ab+tOHwdL8K+<aicoIN$&D)fh}_t;D~9I7Bn
zC}deGs|cHO>z}0YQbs<L#>?YkJFMYdY?e=&8*wUgqSP8|fjHxYO@P{A8BC;Uu!koO
zM#-OrzS;fm<uou$V-~*{W+{!6RlbP@NgcCidvC@$O5<$ukQ!r?98l?AZp8n2*@RDY
zrhCDWZLOR0vC_nCUiK#R9Ksglk=2omqWi(m^&K_@PdRNIpaWlN-ngC<vKUQ>O)vBu
zpfFy(k1Ohl<aYDf#<<!fnkVMNi6Ls^`0K%jgc%|}hdlf9jI<{(Z1Cp(ehz-eoD{<d
zp^X7V!HDTOQ0B?VG(dF7Cs`t5frNbb%LyslIHL-1vgwl^dW)D_<<lEuo5n{DWIIvj
z#cVze@)-w88CwWhW7C<_&-wBS=4^NU78n%L9;V@hDQcEBsDwtp0b<a&Z4s={!#iXQ
zo5q)Uu3rMHp2MDTjOnwZje_kGHR=Ni6XpLX(SQhX^uNyL!jXiai87POh9*;>HGwpA
ze&~MtWq*;Vd<>UhxIJOwQbNkO@0yRvN+UVK<i)P$BXEW-%c-<rqnaUV&L*NFR~aXN
zz3p>ApT>#hh&*wGleGOfKx%QCvmthBy8whbWLyHY1I;c8U8;2Eh$SWbDSbdN;^Z;0
zhlL;4`Y2~~E%?ow`rN!UR32U~P2WJD;IyxXlOgd5Xe1D4uEt(jjI(k-m41lH^JaY0
zQoErPll5%MUL4L>2-`QoC{BrqCoPqF_r?pQat3i37_B#*q&aGd!21AvA`C&$)Z+lK
zIs+LezIRRVK?^^wX)X^`u))+onw<il)O2ze?1AR?<)Y*4uYK1z({LTZ%Kj69LKdZ?
zb2H@?jAt?eViWc~2ZcRUICvbruXiWk<Z&JS*DRfr&xk{*-R)5lQ3<IBZ-d$@gt@c^
z@h&XZ9n206zcctcT;nB(iP?v?rA4mCtQ4*My!5ZGt*RPP5YB`}l6KLo`n5#?pF+Kb
zHw^OXLxuWu)XqK2jxOlIK!EyBR*h3H=Pk)je0*omVLJ(_y<X5lC;A|O_v}nFkrV?e
z_kkyGXV_Bw!7O>V0nI?ca^P0+#2XR!#wl$>QWKaa)CWMg0pA=<bBYV8-BW3nDQxGW
z5NLg{E=Hcl9#8Sg$GgHl)MJE|eMscEo?BgFXWxBEFqCMMZ#-$oq-J>ADzz>XA2;m!
zysTS8WU-u@ua>vomb0Jhe3Sq`R3@-Y{-(RkvcY>yx($LdrISfh&s|PCQgk($t)}a3
zc@}5niYlq7I`>n)Gk8aXBu~I;m-&%+`1EYuOxAhMLmpNQU+ge@0#TpMrp-{{`;jw<
zJ^)=CEqAuV7C~4>T0l~}LUd`NJB4J$o5@s&3#ccDQ6od%H<T2zX`FRLZ>A&5kShL(
z&LtXOHk6<f8P0@CYMSE|WTz1u$zLrU4i_Rqvzsd0DX5(`3Nu~6evt}uWgNyr3Tw_E
zhQvk;{Eh~}NZZ3ePrTu;3(%CfX6eUL>x$$IG>%qw24CU9SbeSd;h1-OW%Wab2+Oo9
z3f!qD+iS&PY*gn|&C&2)@>k%0uEqzvaLKUa6`BES{7-)xALOM_Ht43Vw{0ZRq!a&f
zGiHj}l0MXjE*pOLRE8mYn3w6f7?F1qH@wsT@SyYgotz&*ucpzxIv9gz`FyE_X-Ma-
z-6!!P2^I;=zz_h@&}-})uSB7~lS$-0C0(z)pb3vvSgt;$UrT>4wp8jSOamdP$3thP
zYLSHN(?`j1TbKUaAC=O_c+u}mXmWt*G@0B~It?+<{nI{7Xl7rYNVSTTdL^u5L7!dY
z!Q@N7$9O%3b$}m@e#gpbA-1$|EZ{WanFY~vYaU6vut3#lpP@8!=6M{Uohf~Q15>=l
zQ#GDer*PtM8auNB<CwL4(U4%1-<0>e*$>l!zH`PjR#@PlRk@$aJG6YhvX#S{^Mf$a
zFU$#Kvz#l9_p|Z0X<reep6%zr5yYjZTv*P}N}(}gdia$A^NYjzV8}~VPPu=`eIGsq
z=gve6ru7iSIWz>q_IlDZ<@}t_Y1WwTNLc58xIRu_Frb+(hmGdaQJU+a9HoI7&x{C=
z5_;Z?g4#vMJ;}qcIlXwgMTq&3gg|W)<7Y#tfwsB-L??sjg{Ifkaq|GW*7|6NAG;n?
z$!2Qp%}(Z{Xd}&Wrs;YiVGI=|By!|afJ{ZFu`~Nk|Ms|M8jZ@mG(s;J(nldujJ>v1
zi1beGzogBR8^>C+qiZkDz|h|Zxd~!Rb~*6-ajA=D2ibI-@cU@ei>VTo7ko}Ue&WXY
z#Y5x-!WU@Gvnb)HL~GIQ+NOv$uEdO|1gB;^g35T;{9{{&u1ip9|6rOfkU~j{>A73i
z19#q4c^XGPI&^p2xfL{>&CbEf^mS%GNcfAYN-X{?$S30bWrVWJrne4>I#<)rO6@)s
zxx*A$@JzeL{QhT%_so7kaI~nFRilJY&7K^Ryb#l4cc~w4+s$~}e>J<y$qjG2@|;j>
zdYEfg@snBpG_ClGF)k^=F7kKAuT$w`ArRv|_`hKMxsvqO4m3#|qA;07QO@wi1k*H%
z-;!KvrLWYiVxbMW;JGjFpxaRuY-fyVmDK&G#WHq?F^jn$XbffFm!Q8#>?L+f&l{ou
z9-1zxaJ5rNFb$>=^IRu3BN-~FT9rSzDu<W)>&egxp~<DNKge+;a)9zDIgATso>v&-
zkhTuYCuuErQWmc<)i8#p=e{KB&h}DL!_rwCr>86hA92Lbh*Ksh|MSPGlmJVgZw!7v
z>!RiVBBGjH6uWj0=|mc<*7^Y0D*p?iF0-_Q3r+sw7s%7NS=uTZlj)MmyFACnYwc{|
zccrl<A1Whi)Rwk~IKsFkrYJ>U=|ct5NM9Kx;XnK<iv>tsnamV%!i+1hO8omTy;ikU
zUNv0)AsQvqHh%bXFMo@dG)dn7#U-&w#)H6RDRUQNpZkpFl224Er_WJN>*;-IA_^yN
zeZF!bv8AO=7>)x1GbYIx<DoIuh9$&L$N)?#bZHY*{_(O>?Y?0wO7qeiobxQvLOztR
zuJs80tpvz48FniFm8$tv`EO36Tlzbu#5&(tO8<+CZ=z%?VXtzTXI?y&U;Mf6d?ma1
z>gT)o>+IsApZCs1fN{9<FXW4tCz5&}pWC4{sNR@MR6anblGpPIV-!LZgMb*WC%#U#
zlK)uaYj829P?ZlbLTgf;qd0c!D+D@Os9+{rh!@DpErbidc=`C&xsg;ELH?!%5*uD$
zxvtwWL0dONN-j*!ZKdF^Q(3BxM)g>iaL)hm97p3n`gM{(FW&7Lu(cREFO0m!=Bkx)
z>w%)ENs=fMtYGmgSWG17q?_2w-UO&MiE6)n?z7)pSz!j#_?UE?ry4XXlzC=b1hKBP
zb$^!fD`R+7GLDo03(>Va5ky+{LXG!RK3}Sg7^Qx5#5$VOGAZ1YBq!Yx%xAf98))IP
zDYAdL$#UT&#y)Sd67~T=cw%MLc4u_)@VA1|-BhZl$lZjuLk35e_MdWCuN|lqXvSDy
zdt6DG>?JA-G;ocjobfjy>Dm~7G5JJGc@_)ds4YsxHIfvxwmXw$BOp^g)$_!*?8p?M
z4%bk_`4W{3q6caAG9_RoQ|L(`Myj|#Nl4{-@zRW@w3F-hk%Vo>d5<MI2DZsxX8+Ph
z5ji#{BJt2g#N}ovWr>oa?3uy-<xdtq=pc($=|3p-hJw8>B_JkG{H?J9pwE{O9(o=D
zO&jma#$Pf#n0-Q`gE7^XAO;I}Q!|y_D8+gpt%6~TQdG+itxm%pnkGr9dh07`Bv&rk
z2yqp|7z(O_=5F5}q}n8>YBeHz7ri4JKGqsBi@l@*oT*&nmm&cBuHplB|6=~o!*dGP
z?+P>GN6q;^v~Tn=5iu0f>jN6Uy+5;mNXKk7SEyEA-d-jTYf@4w?~X~ziX$37tXJ5A
z3p4@w#g;rcHhu~JWZ!O-NoXm6DjUk3#`nIK-Qsp-4{Msu{u(0yCZO6d_H^+D-{p~)
zltYZz0JMK)dOOrC!O>=l7m(--uI(=2&2+@GG8$lg4{FFl5lI$p1Lem-o=>Df{_4S)
z^pal1N9?5ho$(xc`<^8HS?^>r&MwJuGV-=FKi=rSmzqpA2S8X8hb&j<9EG`ZMvs*~
z28z7cuz}ynqmhvA@j)Zh$hLh>@xh;}Zpc(0%_TaRJfpQKVT<bK`c062r(TCFuL3Lu
zGC|n^(G8SK*0a}UMG<l|Kw@jcftVSVbyeAEPj8i^L@{XZek6=byuAdNJs{Di)4&xZ
znfScIgwpd5`--jB-b93jL==`r^)^VWk>*F>peVO(KNfN}sUE^%8Eobjayiy?_n7=}
z3gfGTPU$SXEX~!q^?$LyG7LyEEFcV7oy`SsQTI4n(GQI)+P7m5#KT=!vTaE!(3&iw
zB!_OMI!FQ@Oo#FLL<h^~59zwSIkg6?Qe_$N|9H&YtMOdcWYF=Mn>|EE@|7NO($@mL
zVm>}`idfL}aCuh|P~%1lt{kaGD}i<GI2a9VkxCgRg!AwGXR1hVBC`5M4e83HXQ(A(
zSt-u)IPb_te+}M+r72;~+loK@C|mccaNrFHsr!w!d`Ymy$n(I9#`tF1YqS2Gw)q>M
z|L7xtDceBx51WaN)*mUMVK+2P#mLRjZ{2Z~)Cj-pHPZn~1&`-TTBQxe0fhv}BmBBw
z-ZNGhQ`vvTDdhh!wHk0UqX@U9l#uA+xt{`68~JPgCkUV^Rt+>!!ZdirW~8LN@TNpA
zW0MNq&y;p%j73OONF$M?Q}7mZt6*d2(p)wt*aRjNoR89oq{)QxpUICz?zT3lZC!vb
z;WdQ<Re0NX&+L!Zh{krn3q+u_cspFY|9|1zqV%nmz32Oc$^5zk<TLh|dGL2MTri%K
zIEooEZCOi^jaxU=859zXqZ1D;X)S`I39-UPn)!w;Rxa1e5?`A{12^7IU^3m^>h55i
z6;-958=cQs@?Z&|KV~kG${KIPSd1b#i~waKEOJT4U&WtMQv8P&qzTNmkePxZ!K}P(
z3Od4uU-Lh`pw)Drc}F`e6A@+j-pK=-!OZ8KN=!?s)@+4d%-YFE7rv-<z=)4ZsBcXx
zXklfn-P>!pv4a1s;Y<!`NLeUpynrp9eGPvsWH-@~gb~q#8(o=6_Y!wIL@l$pceLp@
zPq#CaX)^AWY2q}+a`e&F<kI#6v<4)h1Xy@jx}^SpdE^5|ao?2?6-zpgOwcXw_SU0C
zJJTze=6jJ?|C^I2M)p~tYBLqxWi8tu*`OD1heCOb43;t_Hu#YTh3=AmE!8#9R6N2g
zjLN6yOJewEK4)HA7)`OPBxr#gO+s%FaWdnWlL&wn&B%{qoU8K!xj{;+#8d5WJ}qRt
zh#uCyzf{|omQZgfZ>%H7KOpI&yU7U(BrzB1XG!Hxp!-mGys~ng#C3p{q~Re+Fjh-y
zciav^C9#&xO*o(y``!~p?GB9J@1R=%l~p4c^FbX6|41_R$`z$i|I;R%+*XX?L}od%
z&LJoKZvNJir3WWZ(12rLYff(>yB#X?UzSO@9F34>D02#`I<QK};`10yMnkn+S9j?y
z<A3vVhQZzvgNYC@=Hh1FToYS<d2)-KP(iY-k=`AKcr1GG5S1ao(R4DhA_i(RlPg7+
zSsse<f-Ljq*PfMxB2(;SYb7vx0VK=fOeXHDc>cu|@*4@|!SaLLJv3*?nk3F~SLwtW
z=5s>TdTv{GkF_og+5mP_QH=wP26#uAwAR02?5_(ZB%(ORsXS;x*I;cvAUN0CoBt^d
zK!O((=x7{<C(~*p;^J9SA-PGUtCGDUbEFEBB%BrXWVj`af3#b2^??$98i{6C<Nlwa
zP&YI9f{81gek$o;Giwz<<OL7Hx<iAS8$49V9wI4y&;ik;CxV+Z){(%68aNS^x`b9-
zmDd?3<Ft{6!B8J?>OC~?#@E+HLo!M#hDAq=zRR8iWL7Y!h?|osP85!$DuY>Sk_R_m
zJ4D!uOf^p7l_Su_1t+VZh9eKGv;NE-*<=9tyuRqmN{HO&(BIM{F^-GNwiRZ`5%~l9
zLDSc;WoPn+EN@{)GE;m`9nkjDjx-m{X+rvj2F<Jq(d}p`Z@2jXv;d$7)s#?`z;R4E
z6w;XY)+L;V6jU&Y1wxuTCSm~83CzC5w}1@RV))-7s{|a)X7cd6MA?LU$~^r}jE>mL
zc&pgl%s)b7wv8}gobV3->Wk_xE0Tp75!t#>dNH7Uf}o!fA*pz4siX}oa0oj|v#_A2
zr>z0=uz<A5B^RkiGs=d%17Y{am6gP2PNZRhKR!bWP98f`J75s(Ol|m&Jt6zzCg{Df
z+sNY%b}_&=v3nAe6VAc+%noESw}5)u;~22tcNKE`f7Er0u4QV*BHn%{M+j<Ry!c8Q
zlx4<nq!XKMd^_z)<-8&vwG+kF6#Z(CpEjSeok((4ikJrx-R8EI=3}`cJqZWxbP)!$
z&6@iAf+i<rn}9`r<R{SOa^BS@x->GKWU|f6p6<*Xy%<{U2*r-rPI`4n5tz(4MzrR_
zX^_e#lfRhlk}xq=db+xBJ)4k@^rl@C<+aLB17#T9Db}x{cR_atfY0RLq|=QwcF%;x
z&JHbts4v^fQYp&0<EB`2T84L81(F2FThfH(lgy5fYGDki?9bMw`!h|Q;7EebwTv4l
z34*C~GXkBTQ6)3A@PZlVeC6@>ir>R(km*z>^rRhKaNd7Sf}Z&bk^G-gYD@($Cm_Wp
z`f1YsAVUE|9*JRMD?KE^cdiryDKXa4>OnqrUviqO-=9qW2X_4MvWfHk(Abhw1kGv{
z5&=`Q!Q7w+I<y3?Cz7!TMhuxlW1}KTmR7Gle%YG|S7pV#z<rGf%7mp2eIc$eXC_z%
z0aO6<1$5(#q71=Oh}t2oE|4UytFSAbN#mL;)I-1pwm32ZK{0N-=CM&C!7YaQBxFgm
zbbt{dR4|Bn{SX<kY7vxU;G<ye-=(e>3A6=HCtpMMWhtMh%{`CCn!_#Yx3f^r>`7>H
z&G1_%l8^Oy6niRf+k*K({u<Q^iVj%y6~#&o6Xy->7Tc2<LhTCs#Uu>%?Q+WsU0jgC
zwdEbsm13h#l6b;u39+Ulg)_jL8k-!*e#q|1835yV<-`$XW_?P#pT+_)5G5;5SNJB`
zGhIif+!wMDHmmSLnOw`M_sA+ZACvKhaUs+sBsFr2v7ot*F>OOALeil&pNTzE7N?N>
zy<mc&2nLcQH`E3&1;X3*((8===R+E#2i%Px>jTygtx+4eMpn(ZmIEqTe`e1DSx*EC
z>;*?RlK>4x2FARx<Sr-Y*;yvy@Z$(kzv_3^R2%+$)+>A<5Tourp7=XG&ezNTyuOO4
z@YZF!Qa-8aZ2y$YeGmwM9F6F*U&!z%F|$pCP@s`Q)`Ru=&>xr)P{*WZ0JZr5u$5{J
z3^jip{Z#I&%whB9h@w)burmD;4AP7oXBaK~a~iXZG0B*}#~1(&1~9SBZ>OH#FGbK?
zcWSb6M+(x%Le4HLW<bfB4fwH%8);rnqA#~K>CBG;PnjY!@PJs;S;Ms?O38%Y%(TSG
zY{G9W<=XO6Yv__mfT}g6F%#e6x9`zp!`sbyhD^1|1$yZWgpj1g`OxJl=CwJA;CLo?
zLZt3WC*JCV+&Q#8@3P4=;)mn2^O)xP2WF=re=@Shx2!?FbOm#WrD{r!Bv4S3Dg!pn
zV#znNyx=bfeW)xY9=6=<W!$5{PcR)PcDOo7>7rq!amdtEILr7mBmLxaqG3xxomj%^
z5TP3vy@V;?j;nGGsTE%|QKb6%gUbU}_{f<}clDqc@<t-jCc_1Eax9BIBj@y1bE7$I
zZ#G=QiBo7=(*)C~9&IwYr!tzbohP^y!J(PSBP%7#b7(P1+D&Z5qp2&24w?0IS?))9
z1C%B}M&m+%Qi-6X&z;N+uqB0TNzRF~<Jx^tA~0sQn0&J+v@As}bmf^D;ZzfQr;z(Y
zYgdq426Ie!zD63;k4k!SX1^>M?x%5tkJ>LKS0hf>UrWA`;}f4oPPynFZQOpTaEGI?
zo-|guTWE{iv$3pE3$TL>ho!2FO4v3|<a0*g(_WIlWU82{Gckz3PU1#QpH`%fVy5Im
z=qcQyO&U|RJ)X-lRXfUTi`IWCDSOqg3=BT7<+VPONTf4(in-VdM%RszFVX+d7RjjC
z<dtC_?b{!i&Q89521(f+t=i9yX~CM^PXg1W!C~0Ac~Lc9mP6I<k%dxWO1keO94D;&
z4gSnb$rkQ-^LzK-lm;Ix;~<^1RiIl+{#bkPs9>5h`Slf~L21#sXSyZ)y1un64WygV
z)Wl6X{XZIOaL7CqP*li%3Wj=TAOmw7GDP5&0FP?qj{`Fq97jWEjevyw;I0Ds^;C_w
zqDFz>WReY31v60#V4tMyMdN{8RI<iAoBe@xgJpRM1xlct3iiTzUNGAQWj^-wXKO-@
z>=zbhPVNtJESfKLO6$MFMd-GG#^5Zte+c45Yo0H>CWKUdj63>LbC^n6Kv4drpaNzy
zBR;77a`9gztxm8F0;1M$|HE4b%DBp{Ya1lApl>Z<b$|=u0$#={Et3uAgqlKH=p++^
zg547EBpt9gpHh4*8g^9v^Jh)F%Z|9x$btAVo!WHrQSOK-qO2CUBL|M5Ndr(g3LEKt
zn*RdGhTlbz_aPH5;836GVPrlsS4kq33fYTTQzKwyyxc6hGsccCZ8g)9lb}y2Pokyl
zA7mr|$w#kdD);s<=k)OM5ui)&C4(rjfZF(4^74bcCFk->#8K9tyn?juXZuA6ZB5xG
zlC3W0fywY!FQd2IxgoAGAO;5uPZL(#=p}UMVaPVpTVk!EL{0JGN-=5&-3*yiM9sg0
ztX69J)3GnB?hMbeK$vCf`U*ACeUvZc$<$#ImJ$pBU~c$4GL?f=&-N(v0HM|(+7px*
za8k7{ioX!(0YgHE8KyG4O(Hf@3RAgI7ObP%1**VP>K~FrBc!Pi7sz0oh$BjZV1>p+
z7y&QUOp<Qc+@XvoJQf3S3h-YI`$&+MBnmG8mU(w2(+zwOb0>j+6-}YZL@ct$lr1*`
zn4_v0ZdL2!D^q>q7$~?p%h9Vi++H9_A*R<OSkpiJDMk>GZ%yjcp>Ta$|3t#MfqeEL
z8Dloueki5#rTQUWW1o6g=*ag$)|<q3%iwexNd{IR5!mQ@PszC&+Lg0L$nuuNw8DFr
zIB%Z=JY!m?t&AS9G!sAykyOT$D>gIKWvCVjFw-i<6F1jNU8pFCG3*lAu(_u&LE9ut
zWP!z1ZqcNczzsVb3NpBn4g(rL=)euj%qG4Ib$^`wMOGoe<scw20v4U<*IA)P$?l2|
z%?MkhukuXBmazJGpJOio0YQ1QjNr;qs2uk~<vs5<T(ss)C*OvvuW-e1F_4%Lp8t9B
zg~ob+B&YT|DbWsI4&^dW_%VhwOyqFvs&6{{Vca}8cM=*48$!wcLYMYE%s-%nm*zX`
z0wm`!-G7ke4JR;lL#pjz4X`NSIBqj67RD0CHsqt17W66efS=&GLNen;qI%;=E|Vc-
zQ`PmbKBKS%<7a{=^JsnyVknj#D)gT%{dn_yb0b^MV90@u$$6k)tRhqoSb}U5Vv%d+
z+&RVEcO^Ea-$Hw67g#ZkMU!?_b>0sXDViuKa4&`e_fU-P%J(6UYE7B;{KID$V)Yu%
z>%d^IRXxLjUM_z8`<62pTy?gw{px(O{OV_?``agkxIx#Q`bG##tQEJ9<Y}v2O8xk0
z|NQ<6{mCMXT<^MFmTWHs{fnT+ekjKHg{hdWDR=E-cCTi6_Q-59mCbG<U;&W6pp;dO
zS2M|7=e)&CvMc*d*G#xPXl@*6dJRT~J7+sVFOf!HS8ccN3QLA~a-yXn*(pW3CPEw_
zA2?s_Ku?*A6#*9YOIfn{wTw>slI9&Cj&$e^JI|7aMyR=0oJr|yh@KVD6^rlfM4+ZF
z1EGC2p)D6H#!)!!p^{;Qet>g$+<_2!6&b&gJhZu}V7P1<Anb*zspKIqSweBlc*D{*
za8budBikm=Yt4Ys=Bwc=hj|q{u#`5Qxz#1OY;PXc_wN2=IKsT@`sK=@ZM^N)Gxua>
z($Gj@P)lKu4j_<$p{pf(=df5u@`VJFnMouvOIzj&6ZqZ6VLc!sNg|cw=e-I_6&ejU
zfdsEB!gQ#d(fIT=@r@v4LK6Q0Eel|}m=!SLg5<08UHR2l2&<F}yvYmXgR>PE6=KIL
z{)9e(YIbI5@~<ox$mOJ4SrDvwC2>I_yHFY9xmsZ#xLE{n2aZ?6EVFzxO`&XJ&hk_4
z5519d>Tkq`JT$Lh8jE>21fLqU51CvdPOopDUcg%5IB~Uek7~(Lsl&}<4&-lz>V2RX
zLRuKyNh#=4!PL9+cie!~i7nghT!)kt!AJv>Ne`RMPFzoHp-Xclqgae{7dxQdDT@XP
z+~@;p(eVLTq4^oVk2`F4JdX~I14$}bw3qlP%6a6)y3pINvdegoKeRO7v{SOQ(1tBP
z==vdC6e!o8@(tiPyH%A`)~XD7DN`?pQ_=p(o>jhgilJOZ>V|NdAaJqr%e+gl?44r|
zk0qwXIeW}}yB6Uv;6~tJXOK}#klZjEX%yn`B-f<|HlbH#SdCI^l7?-`SX(B*5P!^&
zTd*#A$E}ag$QHy*Q-HXr*3BBU&1I>#Dc|sbkb5yIRu%O`@p*iiWyQa!g#vLOYIaU6
zJyy+_kEjYyqGz>T$7EHuESdRZx7|IrLauG|=^=k0>uQjJQ&6VP4G@bH$vKsXADY|f
zex}PV5R!E!^QI_&6YPwom%};xHvRhwjmLl1<l1k6H}HwO9zle23`>*kDfD90#<FQl
zqquw%Fg`;t8*~NYO@7)E>ihtA@H#2QQE4m#$R$K>;WZFvDu~HYr{j}c#Djobrx6i8
zYeK_#4r#RYMy3cWa-mezUGKZ;yOR&Y@z=~6(#X9iT?^j^HsHW;TN05YM1|$a#=Zqf
zLy0a%VU1tdl|uVw(Q?4Qiu!a#%-kFou3HRVwf^kK5$`d_#bg$q%*6G01x~J~j0Wr*
z<|L4n79*?3aQV$6+unl7(Io>NryTGm8%ofyyRR^DtyuPG?bj3c%Z8H(f6tP>dlrWW
zH)BK&_;Q=o$WZc3;7#~xKs%Ge5JZ)c2no<q0#X5+NT!DoGc@<oxmhL{b=`52)+!B%
zIn;g|Gva`gixF8$k8f1go59;ZM}Ung0uy`rUp;s7S3&T!-Q@pcVlK90p4k0=@36tI
zdQ!r6^S|`a3p;ZX(K@sRp8v;z$MypL$6tW5_=(L;8DiyK)J~kLff6s6(qY>_NfODn
zr}1lF8>CxNhgO|ZHV~=8LPPMsTsiy-F92$d)SZFp(4whE6TjR<a*e0<Qa4$8$>jOf
zUx#*X9d*RGxSYi7&Z)_(CggzTcun*|=y?}>1>uv^@ZSb;7=6X^NE2(iny+QKiS;4(
zGnYN>*8kox=htUkAjB!7V)vg-`ta;Rqa_)L@v{y;f}bWM{*uucxr{gNr83VMf_DZd
zGd3KWa8|6rEYRIyIU?V(WC{jhD&4hsG6yS^Y}XP=BmkGBp*m)O$SA@JQ!}NH@|ZTi
zIl}GTWa<R~)0Uc!B)maSr}VxRt14>lY^dSg9iab(44s*Ls0{>)Gqd8E`?`wTg1y^s
zg@kCDIb?&UMiW5_-ausZ-#sl0`)=p$>e3H^Q2M0S6sIk|_qQo!6X9$%_F;B%JVWzF
z6YJ>v=;+EPtVWkvW_3QV6G+_H@`$xCOlG#5kDDuV+L=*p**g2hS$0@wyKWCoNZav(
zu!$)X{v93!^^5{YlE5(LlUEfN$0&*zHxL#<L)dJId=D6a5yudeiZ7NcTh`OaIrpX)
z>c=a(AfU{VZqsX>GE<&%7PRR?hSV_gL3$tV#~7|_^QB?ix-pZN-Fx-RsK3DMS3eO@
zP|K6{XCRk}4!R_w896iY^u2Z4GqbJ)p);%yEf8jWJcXsl8#?XQ_5kXUkri4r#`WQz
zc%Ki8_Y)nUl{|R|{}kD~my)5j!0|bEojUl8zH(5}l{|UBeeT5sI9QgJc&sFiQ6uRH
zL@MHWtV;bv(!?jbSNm$#<w%{7vOHpd_lG`A6qxaMbMwsIGtB4Is@h}Y-QKE-JOrsz
zE)s(mGv{uYhI|Q2>d3Qc(8*(44wG>hSJ5VV1><t58{0A%F}f}o-J+KbmdSeU3k!cd
z{aFV2E-)hn*${ybUrjPvHN=@&PsGk)8m0u<1GD1f3ZmFjpHxd5fc0j`&y_8CrgQnZ
ztfdM;%C;T9?#>!%*h<W23@D)@<xXp(?y#qzKV+h!Tuut^lG0Hi6iulqV)oh(_Z9S;
z<lam<gFCC~9oLVCG8)_l%%9N=@ZC&C#;y?HM`@TmD`v9DdtYaYLgw>brvGk<?r9QP
jEDwnN>M!s#U}U$;CC$4uaTf4@qlUfp=HCAZS^j?kd>II!

literal 242426
zcmeEsWl$VI(<bf^+#xu@-6g>tf-SnZyDkpF-Q5#h7IzQs4!d}Q>*5v&$>lrweO33~
z&#$MZYNos9nW?UxuIZlsyY}}d9Impwk~|zdJRBVSzXtbr6Heye>_4Ob0{PDn{;mG|
z9S#o-VFkew5uOeX0S_J#5B~269M!)=BK|LIxc^NksA$OONQemkC04<OL-<GVhzJNs
z7^ui-@W@EWh$slCaPVjZghcqncqHgrfDBSHS|J_poQ_o}Jp-dKs1rh`r=Qit#LOcg
zou0kMC*{t|fBg@P;-6Oj=U)G3Cpb6+L?mQ*6x4r0dAxrzICvy@1OyaRR0Kp+WcYtV
zJUC>00zz6kdLAMMDb2-eEp7AEwDcPkUOs-Ej3sGzMvG7Z8BedK=9U#=*>9GAH{h`T
zp&;NP;=z4{d*aiv<9Npv`P~m41c3ylH)^asDQ|@-9Z+9GrVJEA(jO&M4CBRXh&>7Q
zp!Axo3B0Fr;tAzswm~5N$W&SppwJIoFG$@gASl%DW<;`xBS=xsxK3Am_qOXSn-|E5
zX1|7eIk&B*KXr+j5QOe0k8L=gDkH@yVI|&Wp3Fqed&V`dvAB}1|GRr6M50NsY3FU*
z@d|1Ct?6*~40>S%33lkYV<Z2~JX-XACiEfBs>{DCNHWXk7d1=TzPizUOIWJ}sMfZ5
ziCw>Lc}GkMeC}s$(4lwHpwP6cyz#^cF>t2UgOkY(QZ8+jy%L`ZJ<uPbG^M)3bM{{D
zzVrGEXBW08vH2J7mDB;IVjVj##p0{#W8zonq792HO(?r6YYj$^AUax$y~Ruqtz7nq
zs<nR9;mh%jU82?Zl=tE+#o%B3!~d<yC2i|@=eXxjPOqaVAEDy!>09&u0pD?Z-s-T@
z#&+>>umi2Vd0Ue1Hz~ubcIEz1o-zEd4rIn}9~pidn<j45zm8Lw1lY8+vXDno0g4ZQ
zq!IheweL4N-mEX<NRC>X*Af>Yp*2eM{e>guPfo36Mchv6+fk_d(zkFmd@%A^khq|3
zofvvQ3z`4iQ3GXMruA*kn3Omqn%hbw_8Tx^&rr!y;*DbUQ}H0K_q6e><+Kus1rXd9
zk9^K#m+Wca957!c_^||glQJc4prG}po<Z>BbH8~HTfG*50Ak)*uyHtlsC@xqj_>O^
zO@3j~XR(&tji`EbS}VUwDW-Trwm(+-3)k|4>-3g2UPbijFC1EU6-&)cy(3oCL&4h!
z>P?Z26|kRLDW}{d{jwO&gI>rg(zNaMM30Rq(KoVhjycNNpJJ?rBg8t|>89^Gz|?rY
z#(J!1U?zl-bcy{$2zkwc!(y!1d}58nEs7w}80R;W=!(rJ!s5<x!k-3QwgT0ay;3(m
z=6xGF=O(Gmy3QMULz$R=;o1W0Zk69u%^AbGsZuDl4HMfI=Q68kb14BxPHdP78tmUE
zvt$!S4DJ>m2MFJ-3%q3~%?(tv0NXQO$^*vEAC5<sNHiZL)*MTwwEQu}GE=s~eRUdc
zf(K!%yC{TDU44|gV03E1%kpLTQ%?^2Qw{}0T`}|gmz}mzF3rJD!BfUZO{03=6q1c$
zd0Ry{Rz#AreWO5IG3xZzP+IsBBej4CNv5y){DBbc6MMT$lZ=~aYimBCs*gdaKDlZH
zZcy70P~g%Cm%}mi)+R`sjJWowwMZjivb>s7IF0bgAIHB|Ih`$)shr=gB9y(jUYz^}
z(^4n2Jy`LIoVkzZdx+CT(BOft$p-Uqr-(wgh|n?K&X!=&_#wgkrRUS+4APGZF85RO
z`-}Iez0?r?P2}5cl>u~<y2vYy6p7=5eENzhr4n3jJx)yf86y<cBpU1UP;&Mo_NA}k
zI0IxKsoNo)Qr_T|P>sfhzi_#bDlB)Nj`wXkOK;Cnox-c|LA_}fB$(GVis)QjaVCe>
z7m~6?jSSUp<NKTb>o(iac8S2%c%*Cb7<5^$%5NSviBo_t{S7^+h-M5TN}q2mj(9%l
z;3rGU`14twPG$#r{_y^zmpl)>36_oyeDP``d;6mK?N&m4j`6^XGyT@BBov;(Rk0zI
z3GdNU1JAGI+wLahgZYIyuehJpQU5^a*UAsvK--~t(jQ*~Z?fb5C}`V!MnbJ?Snmz%
zoBIQe#ns@q_!d@vNL2>^?)-y0wHwUIkq=!2H=x%n8j?po8I^i%*r&fPh?y03OI<Xt
zBLY3+xc7W=*=XFd9JXoEsxMpobpM{d{zK6hui4<<uR6agfnI%IQmP9JEa3q6O%A}p
z;MMFz&ya1RQ&IyRuzucpgFt*9y2@LwX2x{S2V_`02*3^QOvdjx*K8`2mge2!#Q)S{
z4*yB3CXi-Uc{}NwbBE!|s?(m=dA40!ePU9iv98tfQzM5Im9ZlAxH+67J1b(UjGMvK
z;ed<n+4yRbl*OxudV;`Utw#E`BmXabJXyAFpd>dm=CVdB;xj>PdqX76<p#bD8$YXQ
zq5TCWB9{4|Y$2j&77gZk4e4jP*0_14<W+uJ0-`(7cV8TqBKJN<Jp}}u(PLxwJscKt
z1gW(nKh>RfTEbwOn<&cP11tQCQ$UMj$t{@#@JbiFbS+%-o!t_++lR&avhRI4O7EGI
z-(5oAtec+7kCIA`E&MX|CY)Pzzdx`|HHzzNdh%_wKA5qo7)P4n*nG}y`STj)p$i39
zJe?AqdWk+QZeD;orr%6y>j}>P!i7Hng&SUc&gbhPnf_hbceV2Lp6B8%dffapz}5ZA
z>Y)#<C;QC*EmE#)Az$^=)a9xXwo)vDPZHxN>{ulS%p8}yb9Pa>4_Il60rS*14?N>%
z=luiJU2`2?ON@Nj<e1$UCd_hcb>>0Z8ELI0-Sr7OaVHO}nzb^6F$KpsQGw~A#&){*
zbxdi^C0soHs;(7LieU8FrnYJBvTcZ#23P74q@(zyW$-T?iJ*X$5kWDPk7UclARvqG
zJR~iE1Dr5s){odEqDja_cgX`9z&X0-hW$`9oXnCei~TvyHC$gYb{#*2ZKUEC(6$Jo
zM%R=U)EesX_oE&yMbxKcEjwLl2zPvmY6t!NNytV5E*<lnr50g~5^u@I&a82G#VIr-
z?hEeL;q0qKR?c8v^}dTkO63F~nLTZGk~;-O5&#%pc+_$odm3ViP3lS6uPCqYJO6xI
zf|@)?<gyVHBU44PvT1b?IV?UY)UXpyWAp(1a&!(Y^2XK|)YHR7biYUDRMP(Zgy<b{
zH_l0Nx~1V^o%E)%nQxUnEty!P6bTM%plwQ2kC+37t@sLte*aDP&fsQfxMTW2+Ib7b
z=8m|?tf7(Kx0bSosWHF}QI$j=*Fa5%<*uFs^JgQT)4%|~Mv7?fwzhWlmNUjBMa#cO
zQe+1R#7LCt*mXWn+n{oxM$TQY&LCAQ8r;PHaPFB+T*!kSLOow1F5j@&J{sLX6c`hC
zTFpwoL+!|hnhIT+yRB}~voI@Jr$5|LS*z)URAkj$%loo9U7j?{jqWDW?7a}u!Djs$
zns1liGbVQ%&bDc`6R8-Sedn}1TM}?1-F#51_yfBj+O}*|Y%&}{$hL7RP(Zv;G6L<*
zNhAj1|7O6gHx1Dg*EcdQb9&+X(rWm%-J4;958%%?zWO3ijk#81Q&nm@BXD+(x$l-(
zc7RCvnb`!MY(4|tJCw{kYStgcYNesY5T;}e_N;r2u1=)QSE!SiXPqp}yX|%`({g^V
ziyxNMb@S`A%)pvy%$rQ>qAO^cQC~qtbkvdDAM8zeEJkn<`ovMb%ckl7|89F#dg=XG
zzRL~#uVQMF)jsO?0ZG-mcz@xF@(=#PeZ}O2ltZ=$VR=r&GSfR{PT#rocy4oC-7jU+
z5ca}+`v_JAf}+*yFii%4tRyDOVdcsMXWhR>5fro85V!+iTiAk<L$S5^L8KKkZQIb1
zcrHCGVxJ^me`D-*nFd!;=V&z*d)2;-D90X|wk0g=m|d+8{TwZb@rHA%-;2uuy{B~x
zarS;=47np?`j+M!OVaZaV&M&b@x#{n?bF@6waD#H$tS0mb5BHS$gP^{X8W@1@7L6r
z`Ms<F%_0{8pMiXc0hV5+gi{T-+hp+a^Sj6>GbKp8xD~<H_J?CMLZkBtB-)p+gndD+
zH_!|)-3w=<%N1>snrD&fH3{trVrXZqpY8b}Gv0>;R80&Y=lB?hb7oRm<6$Yo(|5?{
zL_O2f1Id5nwerq)9@gJg!Gt7tecW?7ms%{fDhE_K-cRH^DA1A~3DT#uk~ABP&Wh|S
zhPRW|qrK&XBohTt_iya*^Q|p(d=)efjTBA(P)lxnf5wZGu_85L6y?IxtZCK?ur7*f
zp4N|IoX%*i`dzwGJA}t>?Gx=gDBY^nOfR)!+tdb8Eek3C?SQJ4Wg~iYp9Wh2g@&(#
zDA~1IXJx-6=iJdFGbEr3TbDijFt-i#KDtGCo9<Mj&~yIT2J%ZFtYCtw<EG@LDR`Vp
z-I|fgn$>@iXrR!r{qkTnWml=_txb)Xgrt*4bC<|8X?*q47w_>>&cKp$OcE^oY^nu)
zl8E=c>6y$ktN|v~nigsoc628->Nj?_*0ZQzmLXeCh{0VE->Vg{<6!Waw;(BkGt^8@
zpNk2Yr;Ea`)g(!Ft~Ne~IFg+R2neMibX+Dv>>;AHk7HjIhnhJkLbeVHj*=0cec9Cg
zm7F3&&66x>J+iqpmVk@k0im{E8K(KK0o!YK^ZnZU!A8rkoOj0E0j8E$kf0F8$G>o6
zFMsad+g`pMm*{<i+0=KCB&@!z4E=>;EWB7??mNpM-;fKhgzL)8H|#F<)3zA`HB&Za
ze-@<SY>^(M{Dwy=vZqNfWMVm*M>R^xJh|E}^<b~!-*)DpK-m+_Jge`=H+%1JiD(rE
zoyF6SR#Y9AHvR?fH))L|lcd+!BxApLxP%ud?<Evf5OM`oJv?tDi}-3Ku~6)vT}4vU
zJI`=td}u396{Y(V>g-&dBD~`>RF9Er$Yhy@NoQcbB^ClCXS1)J*Hz>bUgI(4W|kck
zT?#--=%VKICEHKzFzzk7th6*P)O#G;EgQ9P?0MpCcOqD7mq=<(7DQNS@NT7kLROLc
zUJWfn;AJ`&=?SN7xvF;oVwdnN8}z0#=3%jHp@Bs(m;Oj1mQH^p>PyYmHe|&4<vIAf
z%SJZs9qDyB5;`L@ZTNYK*f{#wSBPn*0JKWd^|;^F!YSaY=lMtc<BuF61;M{?vG)?M
z?~V2(P50lP>PQA2|6Hv{p1s<E7q@yPty*0Bn3ZgJTqPu>Pi~1HB&JOqK5NEh>$uVh
zGml_Y=FRa+e66}$JE|c!rfi7+yjNm^-;mTE_LYD$RI~qz+~Br6{XWpQB#|Da<{q-#
zMNR3eC}GoaAb&`-Y21=0+#G?x@w!)Sl%&`=Psax<4|S3l#>yFIkMP05Ka6{q@Q0RV
z(brj}4mB8P<Jfu83b(Z1{1_K7H0I>P26T$brBg0W<v2^At!WwYqFNhn&E;GDzHi3d
z05TpnhY9gv%u`B=8B{?{{rrEB^jmHJ;CZ~NJbw$AnO%GwAOC$BoV|PbXX95x5cB@&
z@9~j`hu;8^TOabE^yLn%a<OP9;>sQwO|g(E%`Mdljy*jgP7IbFyxou7svB>)`H+=q
zvbJ(;7#UICRNjER^D|v(Znn(8-c0FdMGW%KTy@Trat-|N!vpx3!u9Uorwq3u6a<Yh
zz&ZfCM3Lc0?NP1SC#j&1DMyHW5m{|Wj0~lTruvo)jYVN&y9%;R@1LT_uaFU?T8*~u
zEAFAr0)&}W&N`c%51X?vf@x4h@F@??xXCYU--e#N4R;<URpExWkerurbKLjxTHfV~
z*FR@!uGoG$XW36VH#mFg7qHeV6J9^qY}E-Kq-RGE$4v0B-|)`mnoILcEBeO)M7}@p
zSMHLgoQjK}B<gG-Jy_Q0=>oIP^I6baU6UEVhBY-lAje;lC)O8!YS^qtmN3ZDjL(cp
z<~_%bnsFjX;V5uIkJS-_+6Vz`F9R$LzhNB%FHRXQM-3NzKzVIq-24Ttn26w6;LrX!
zo?IWI5~RtZs{W6jf!3U+t+uY1bn{sTK2hLPMShC?a+VKUr1VRvcBaT*;;r9)l>~;a
z9-ZYCs_)zBxozjirj~K^v^0GH#{=h0{ILB^E$kK}J>2QA4VE8bD;taoI$KX;RF3_x
zhX2ChaLs}r!o6%@P(9YXdmMw6hMse`z)Cx3px{vNvo?#Q6p(G?%SZ<2&_tk##TFt_
zCZgPz!<6lL8nFH5yVQeUw7=?uGHNQOzB!PS$MZ=DLRA&mY6yB}+qGF=O6@>r`xr>r
z@1f;+YN6@w7jyj}#*t~@h*{{8D6`B{#Y;#LTPqr)2(le8x1!e%Qwi6{v2WfN&+&ro
zVSs`<XhPj%5N@pmjs1YFNj|wG;7r)5dy0Z7AgT*?FZE5tZpVha>kb-A!Mmh`165%f
z;6mmmFqhJjn7?XKI!2dtP2IECnfkD-GnXZxUpslk?)5^!7sVu3W&cr2kJ-)?rPpfR
z-^bLHqZ=}UoU~{fTI!B>mCS^!f#;zn9`xG@s{`+Nj50?dqA{QpE&apYx#YnWxcj`;
z=ee_2`Yp8QU*_c<-N0<HW49q6o32ib#%060a@dH7X!&Y+*{b`P_}zV}l1}bJk!+~K
zJNNMz14(PB!G1x`Y!bdDmPeAOw-1L#t;)DbM*Pk!Ls23;v9mm%4$jmdks=0}ZYN^q
zzsH_D*`hg7S;~U4MP%hix?MPr9Z8h~qqIPS>>^)=Aphaw(a}AU3+x}SpZtjaINtm=
zHlYpvzWo=j6*blLXh7&aW$E$dU${ExUpP<K-!C1D@6N3M7>3|99^bh8M!q8Y{8^xu
z3(5N(LP8Q_+9(tPgFn#w)i66g{{ExSo6Ep!e#r6if3Nv(9sIW){P$h>zxe}C_nYzg
zf3C-<;m^^JU-$PiFS#LE#lsC$-uaa=ALW)H0?T!n8-H9jz9$*#Ms$~#rBeJFds7jx
zccSTPz_03H!{$(svv`mVl6UdN9g(`tauOofCEsYPY$u><P+Pwb3M%l#^O8CMLB%|$
zv~*LFg|vs+H=}*w$wAsG3&MJOU8K<HQ5af7W-iTZ@9v&a5Fq(J@SAz}YK>1_cfZT0
zA64FJd}a+6G9Ovn@mJuF)lJgI9G94zvP!t+$XJ%;K{5mpzCQ2jsKddKKxby)1*yPO
z0{yhH&>nZ&d0?+awzfv25>hcJ#-!HBB^R8!Daqe^`$0P=H7_C}NPBKHu=ug()L;|3
zZN*$U@-*vJk)yU@Zv5Dla9;xPG?ZELQe)2}?C*SL0#&z|%e^^vEC3`2iyT?BS_*X|
zF4btLbv+DBqwV@Fh*cdP<p@;&!kL%yLCFbR)*uY?YK|PWEp4<0ju?O8^!2V+Ud$8o
zVl~z|4$-lKYASm=bzc2!y1@0xaBce7Mbi2y7lPo|L>S|=K>7fkz#lM{GE@2}bKKoU
zWJU~qot|Cij$kS4pEUuR3Asn_+d}(Jl9rB{e#YCFmT&CKyJV<VkRS@hUf<IOJEOEu
z{Aq6#$TXwM?d=WmCXTC|<Wx5LBpYxO0|rfv%Pz~tqrP-;7b;*JiOFc2lzA&X+4$&n
zo%K9=Q^&WWBsH;L#NA&+TP`;|98CI59BJE$McBdkZ79t?w&jKc+!|pH-7_Rz{NY7t
z(kP24`nOU^O*PBq@AozhHRLhNwrVTg=IGa$({aKwmo{ldtmhSbjf_mTR|RyLx{>bp
za1}CePyQJc|HOvW;wvb$#k$pT!Y=hWdr?Kws3N>jwz=Nyh1x5)MR3Wu#X#(q-t_GI
zNQu3;mT!aPgn?q1=qe~aao>Tr0T!->6=7;?$^yv`4G;^Q-ZT9WFN!}aiI)OWvrXM7
z=D&d~A8cGvvQ&@MLA|qb1BnFtfOSF9fQ?6+C+ksbY(vLOur3lLujVC6LsrT>bccxq
z*f<PmNedim@2kn@lXZlJv@A|mhR{JjqXL39)zws>wX;@&L*tB@VSuj?^^5yjy(9E%
zH9do{C#Dq7L9|aBG}F|IJQ=4;t#?H2Fq3@6`lV%UH7V;>2j)y{hdewt&+O^d%Qg7=
zEyF7CsQB3pKEh!@I2Q7%Q|jCZibHpjXmxoSiP6|YLY79U91Gu_rQ&1c&C)r*a2Q|N
zXCk#cBI)AjihJgzPq9=>jd_;2<wFFsXawvbJc}!n++i{J$ggNoXD&}~t=TBcjOQ<0
zB8GToyfMtieEM_MdI?T`mG^#pBA{G9GNF6+9Ah@kWP9aF@)5HK%e8W?(~`o_JyyM2
zK-U^yVFJrs*T`D<7G+<0!9=DPy=cDK*;#m$Zk)|W+L>>eHI~@dF*k0Gul0g|+t$3U
zUinM~M3!+t|CQ2@rWHR8t7(Ysvd4Fc!Xnk|^HN?El?9`6TToMEu#(bQbX@+JI){bg
z0lI#x8hRfZp&p3{KQZ1<>hIqQB4^y0eiGK|=I<{O%3GY$-Os#Cps$Y|IO|E!8Pdqk
zaWV)G76`E4HYAG=+D6RWuu(Fk7&oQV_r!BHUy?rtaP)V-dT^xWlBX7Vr^zuIhp7C>
zlXS0lTV*X#Q>sW=1XsRKR=GLUPhcr_29oEIyBfU~jY4|W-K-2Qo~M4rwGhFL6|M6b
zP3gbgnKGy?nJ6h9&GuB+ES{cT8P1#a7muNV9BnODFBuKk_H9cmIsv1Vco(%O-~2K1
z-cIaE`3H3e5M<yZ0J`0WjrX=OAdU*0!FJfDj#pmzD*M&$d90gM`~@xtOGMC0ZTFz3
z>?w_nT1py6;xSEubUG7AUuMp}DMzoKn#jR9#BJS6en(ilZADA5`_K;3>A0BIWcI-`
zJ2LPW3!d%WBf8w2YZ7>z0yTlJ_#2dy$-^y936PULTFMHLm;5+h(o|ju!Qb{=m0m<t
z$npbEg{U7%SdgMnPOPLdTVYzn(T(9KHPVrmUK;yRm}YDoclb(qfohh=J1YDT3r#n(
z?l}M>f@7(!PR8W8myI&zKN>7K`9VL0{5HosOX$x<scTK+kiX$G<>NS$wMIv#LPBU%
zx9SyVtSN|RZ^H^}1wC`;ddtHJyh!~2<vBVaz8f#oY?%FvnmT>q5+PFS@2dGLKp79R
z^fZIoALlDB&7wwg>DX=9A2(hnFgQx>b!s=I#wP5IRx<iF5{$5AfKl#pwf((OhxIGo
z24Fpuu|7}m*Fw64&HD{V#GM&0o4vMNmWL5xqzU=x=SES;d7xEXn9&NHVZIjPs;>@u
zbJU^Jsu>vdTXI>81o4n^>}Q-Y<D5?ik<FaL1mz^XV8VQ6IsJ{cX28`(=6TyFGxX{`
zLz{M<01||gDHNHp_S3t9rZ|aTR?<c7#?PwSVKxagWr9vGlWO83_MnMh6}7snuMX_f
z+8vJ<Z|#J!4$Wn+VNCh*-WiXHk>nwD-5=Ax;D4=uX%?QV+7Iw688_(gxb6l&JMJe{
zt8KGB=ZMiq&SBhmn~bnI8F2WJZzia%AhOhyl^>&p?PI5X|3tR#EEuDn;$&cj8z$bM
ztMIP6k<bU-sZWiv+#4!wL@dYLt2n6DBQ|A!q!3}bUTX=N0@boJB^g)11qAs+jnb6d
zhH39k%Y!l`WcYIx2(7%aZUO}sSOnP3N_2*5AntG?+t_OLN#6u%8?0u)lg`L~E{I;j
zwp}S($CBLFUn)F^GSVgho<2XEOXXr91-r|*gdYIx$9xV8gU~u-w5CHICQ5e?=?`Ja
z#AGTWNGg;(3P}c&MZyn1f;{+p4MTSYv%Gcj30dc+d1aRB@c;=AhJ3del@R*tqZ(0z
zrJ8bADQD#9wp3*<MuL@UE;`0%>NIKO$0lbiZ1&3?SMb_X9!Vr|Kw<DgA>*X{uQq^3
zw}#3$c6|4i+qD`@A&BU<J+fAj3QF5Lde+Q@0E@DPJ+tsrs9=5tk3Iox6Q$noz#8z@
zaRHiY@A-DNN%t1LDj&<SQ|q#U<uoB%8dFiHtELHZx8|sCtsc4^$oOV%K|mn_&YUK|
zF#yC}X5FGH>(_|Z|Anh9Ee+a<o4R=%$g6ayL7E$A#CK+6cm7&0j4f`fKMB{hLu|g7
zx^fxgAE=;|(UeJBNwSyaKldGHfO)*Pb=R3!$sVUruw&XF?QE2r^<Qe0iV3({VRs*%
z#W8^*Y-J>pfF!wB%!`^V*<z^1QFOs|)!<R9#a84AcDGBmG>*#>*|N9=`^@9Zkp_U(
z`1(Qjjz<i3EX+lt`Xr@8<8qF?r?sGXnv|v3t}McYHjas#9R9+zlZ+%;iiyN&-I`yV
zbv+ab@4V07@Y8CZK%7gS8}@E404Y7Az7B<NG4V#ECFNTYhI-zDme~;>6#>Tn)Z#r?
zhi%)=8;)kbL<iMZe-F3UKz3Mk_Ir)9G~W)%Rd!a^W0>sS5n_sp0dt~puacm_Qo8<Z
ztkuVQAqjFptrk9$W$1G%YlZb^_?tOdUvJ_<H#u=<+dQzp*M|7d)r3QpX!HGL+eEr4
zRw)DTMOe;w7A7P2OhB4lb9gDsUUwB!xr2YBoKE-9u%3Z&Wf@@}14>sq7|1}#W06;m
zN!(8PGP2vOMg}f8gaXygw<j%Kr<tnXDB((v9#!_Ic~9nxB<izfjBctEohd=<hR3!&
zIM*-*`-4dSL3jJIAhzCxw+fJ>wj90uWd^uLGe~;{FzO}`LU7pbcI0NOnarQxe9JdG
zs~t#ZToICeVmnjTi)y=Z$%?z|x7j8Ez3uyd_HdNOa1c#2`%x{BkozqR$-Dgr${OYV
zM-<XT^Yq1_5Z&(8(jcO7JCXHmUVHdcTR($Js7gKR#=@=uyU4P333lE^-iRY|OA`uU
z7s;3n$7V-U%u3BxGkHYmR8@ar|7OV9i|3*H-1AKMoP|ZE#mH)~PL2RS-FxFhGQ!VS
z6x}wf$ykJS%AXb!^mgObOiglI8-ZtsaX*QnkP4j|RIBE7d*TN@x-LEIC^xyhSAxzw
zn<m;d#m`L#^mI}5l#}5&`{yjB=j^YX59yP<+}>42COPKJc+Z6;A_q0;AF*C{RU+aW
zQZC_DmVd|?-HvKq*)D<Ett`nd`g8yWKO}|)KH#+M<HOf<goauxk-?=o0<D2<{HFy+
z`?w5qyo{q9NuzqKF5|yF$I#ax<dv4(e8CbwE!LH11JD8{JfrBadXjs2YHEEbl22e?
zp?0G(k%jfGGNji9J6>yjD9qRRe_GOi^IlrZZl+4lwIK%Hy~wb%TH_UK?lJ|LPH~bC
z`<>xCZMqCpsYAw%DQZwjp0K^!1%?-OfN{0j?4%!)OU}rOtvCgik+Q`P9TGQ5&(n|d
zQ}2ekTJ)9!0q#Z}^-B+??+vwoOfO-ci1tx;iMF4a?d4Oa8I9IpvbOWaqnCLvL50;a
z@JNJAl7uyip{jkko-UELmO9&;0>1uf>!qrg<pu(t(s9r?dj8fT7r6Nk2F7-5m{jGZ
z02TGr59^PXcLMfy)^)l$*6`w0G44z0RwZn|mTq0i;`Er#mAnr@=Z6?7CbilXfzE2+
z2gm&WrT`B9sXB+_R3ENF%Bit-dxx)_-i~#sT4p<SK(FoipH@}WyRK^Bzi{t&qHk`q
zh{1BLu2Gem<qze9BP9Mu4e9%AnJ`T)6+I-xEfFkx6tE7tp+8V!Xycm+E?a|&Aa^4_
zWKl>|g?LzY>Auj$nbTRyklBFH7)Ss<Gfcwd@QxiR#9LGnKxr{D>k;>`;U1e?ICSSi
zsxmhl+2x5YaRZ;!{kE0auYNTttggujQfYMLY4_36sB^H#Xph?LJ^xAPquuZ>ucMAy
z5rifKuo{z9SG`8Dw~X^^8dqy8<la<N(IZl&>TERJ@Nu#AD@U{|<*d~vyZ<11F1}t_
zX#83$Um+3|u%Bs<EL+jHC!d}>`%(3#jW2SZG^WWmNYyrztzzCpqkQq|$ZS>6`;(Hn
zD_>3NB0Q+6PjK(>vkO!Whw+PI7P(R8Qk(pQpIf>xotbph?lc5xNWVEq#P6bc+`jft
z{KoQBYIM{YmAM`{Xi$(=<SdoHz23mdZ#9ZEj^n+9BTA=@T-1j<Mt&LP4e{$7RqJs@
zRJ+w4lytY%<UkMmBL6yTNsnHacC7~)Em8R?k?XISdY_5vE=w6@*FRX0=gN2BaQJ4}
z#w_nLVuHoa>^|^k^f|@NBFZu@wiAMN>DFKV!iiFMfqAnlSo~d0a%VPHUa>{zs?z`m
z%H3{Yb&L08YhV8T+{T7^qt_fI{c5eXXS!V8N|#Wj))`N{{9?!A3htQi8YAb*(@~0?
zDY80CP57PnFzBvS{$8+`%P(GisZT<$<VY_&<-TCnSNT3%N5HN$rbU~6jYpwcU_QgJ
z-SAI&^&zAhileY5DYl{vx#s3_5NXz8ooYuyHgGyTvcn$!@}#E)>q>b^yEqy_spRRo
zh*uf)g<FCApsC4jC7;$FsIP=}^zas{rNjjKYb$3`eW9sW+7oNU01r4RW3qHKbPj1k
zSfPMJYQRvKZfI0lR%Nv}5!F-#c@v$#V+nKYD4*e3e=_=wdi1D!P;=E%?TECM6LJ!F
zZnGT@o8>!7Q5UzLyF0#+73Mzz)i<qug+OQ<m3t{in@k;mbxZWIJB5iQCoykWAxO10
z%8oNfhy;rWR3S{BwOKu`8^JIwi16es)YkljpSmo!(0Q{gg%qcQw#j}%l*5?)bG=i;
zXQDXf;n@30kH5!%8i4F?D<6IWMPm^k!rm_iS|63p^1m7*{CK~+RMgtu`)dSg-WewH
z*`bru@RCVS9JXEt)M;Ee1F6+_`2vEQE~!HEoI&*y8-s@O4J;<RH*~mS)pRBeh{%Z*
zs4{ZC2Idtds{xK^21dkCmi%HjK3AKKn0lSP7XywjkB9wDf@`skT}L2pd2I?4Pk#^S
z%#{0fLW!|E31+JLnv&w`BL&}^Sin*%hpi!6W-LWDH1%H1%bYjTjYxE-y~n6gFQ(}`
z@3W?8SgY1n3=aBtd@P%ZkW!;f`v8(VE|dJKymJU<`Ioxb23N(0`$Y)~>zIk&0^YND
zn_le;nN51^UUgB%L3YJFgc4tBs@eCR$GZ2nm&>a6R(@YP9KSy+Ucg%8baA==6{uvD
zN+6DH4xO6f;pQ1Y9%1iPN}4y<mK2TR7Tum$Oj1jIbLUF#>;yCHm;6YNy!}nr+4|N5
z*qqfbm;LQ^0xEIp<R6ADDv4lHhlct;#VzP(IA@5zx7AZ6F3?5BK1)0yMlqm*tlZS1
z+4*h!_obaT$wzWe>#W;ApfWZNbJKH-Kjg)#JT00muZ+FlXp`G?o_sKhUD=@mnTtP(
zYvEfaRPd>yR*M5}W=V_*WYZGODzy|Ljw>;gt;a+M+M3d`(N*YhN^E1%Y49r*C-Am7
zSmECVcBatHhTgkU>uc`_PwziWg<3n83rM&`DtX&9uToc&7(uE^HxBCwm08xgrN8Po
zniW>%9<zdru+i_T_$XD4Njw#~Of0)UIh8S&EF~ofme~=tK(WNK)L5{4xeJP|J<F&@
zygUWKN8i{&$WE0%|5VZ9DXo~~u$klFXoo$d8^KvK&iS=*?9J03bZ!5*9yupo7Pu$m
zq8GC1gRtlT+8kg$RbZx7N6c^yt-6a!n;$5aOWtg>v4#*q4FB$0y}ejmKef{;7sY1v
zAAHkm;x*`~2G3Vu7mb<~e*QCE4(zo1jgERpqL+JX`Ak)qp)!K^bEzg@IFjkfD6MvE
zEP*8oQZAPMOOE@&_Cnd$^+(PT$SWqGqHYYwE!-*JSj^ixwX6}PN_4?++QJD<$zrj|
zjKR1o)nQhk1#X-gojYBmv{b2L%y34l#B(-(U2A|@H^zVt{CoXMYo<BF99AM_(QqJD
zYEVc*L-4ggJ<qTuK{raDoe@3+<yt3UlC9**REtWqO6uqf#XyoS`LQ$C8WxPG<g9%=
z2vo6`k&jG$muS>6#M1oT_yM|~t<t)6j+HJ9^VF1Qv5x3MHT#x##Es<UF}T_=lbK2P
zhY;Rql+tbLOe>~U9w0q6buu+IHG-=Et>Xn>6nQc<Fi`8JhN6a%QL<IP_40;EVM#{d
z?<a|v0=)K<gin`~g!e1eh4+&R|8>#-pDgbKKyKMq`}>nAUBFj%n;nS!YHyn%hK$4X
z)-jRetdU%1#u-LW7Lf|EIjffaS2;6!qKGVU83M{@l@pbw^bMgYDwReh?Ya)#b6eIS
zx)0|*r47XCRMsMuZsA`n$V%!kY7k4nPt-2!<Cf2;>?L`+=aeMujTRluzW+X;itLLQ
zTZ_%1O0{9D@-u7arIy~fEj3dSt$xYwH7zbDpG|cqGvwH)h{yYz8d;OckcW9OzXw{M
z_jT0$SZhzjpOOBTxa7FwO*~ajjNgAyGuzcw4x^p0U|(2!bh)c<4f=BMj{CVdfgTZ$
zd&)xlI!*HSa%(}M`;L8OqVLI(Z=IilGfYflLJ30oFDji(G}tb=fA`H2P&1>F6&AvV
zO4NF>ZiA)}H&}sxh+Y2KR3V(axlC)!cJw4JK}BmIQ;$tOryY&DuNU%!s`uvIo-4Xp
zFOaP&_;zfv;V1+@M$@O;#C3N5&^1<*s487nLR4Q>n`-r`f&FtllM8VAGt9aBhn;gl
zHRJgvv&uc`%d&~F>8g$0eIHSC;%1bsvt`4@<5c&JGc5U4_r32Lc?ww5(`_D}n{D6x
z&)yaV5T$+Ng3#FJU#Zn5`98odanz{+Fh;xeiVc&GH*4a-NC~UeZ_%^UBbgPIzX1Yy
zYvoy6P)iIk->c93;WP?xbYOaw(Y6M0nHz|iew~2i<LrgiV#>;00W(}m`7j+|A^O#;
zYnY#%P`4Fd#`>$G!ZPzfe%W6J7zMk6Q=h)g@L+bhO}zCnb>mKVNt!<T&A3kuYKufM
z!SMQ><8p3CIg0s@7-fxJcsM~oW`mh7yTVDZ*^Vzkrw?+XP;Ur%bEP{)5op9nt!5s0
zF?ASsSOsd|c5M}$(@A@PrI){81=%-na-FsC`<ukA%fp8G+MA${0oFj@_Q&zJn&e(5
zY(>C_u1?!8IYc*&cY>hgb)#$NV|#bikb2KGuSDJI+E!*+dn2MRt(p12(8H`n$CF&a
zteyy-_%5qaLe`C0Pkhl}rV6LXWtxcaN{`J=BTb<V@_e?Y0F23vHx&8SH6KDEeM34f
z|BF&@vK%8l$Cpv{`tOF}W|C(L5P=6-enRka%S<owFP84hz;M1XXh2?H$7LPJft3o?
z)Tz5K_TnWe-`k#QvaY>zDNDA=ySi=hLRz$#Z|djbr;4Fn^Ga4UHcT^w(?o|&d_G?$
zaw*pNFi)Th%Qwc2{7xp_2Ar82GChZLItD6B+IL5?Q-ig-EiP(UU8o*DPO-A7)l|9n
zy}^?urh`q|9d65C^>!2z(W1{?aU8lUwJ#QP&xw0zS8o?rqO{N5>}I{4lUe|MmJ;NK
zuyNC`OS@>}L})d7@)&Ezh#FL1>6DG|qnJAeqwOETx6Dq@4+8=ZU!f{VZIqQ%T7uL0
zx(dxqpGs@)1WyFnoOQ6%_0*|C!ytBP>E!3|`ZQwI&d<DA2698RUjs+GOiqpDcR4I3
zo8zEFK!<iKZ{|G1?L}zCfC(rISEhnpNX7WWG1GVP&i7Q-RWd7fvr78#K2lCZz4z}-
zG})9&8jR+4Ax&m!xgVwXqw+V0o$j4*Xd)e@w5-cv9}VJx-udl=^;VdX*F$+C?)>{a
z$t!Up7ZOK?{PnTN{So~LnOLpQt3I%XNVkbaEAk=I<D;%qAa`}4y}l^&9Xw1uR~=AR
zuI#wyM9uc?%YrvH;08cY-1TRyw-iGOE6qEXslLuWV6`Iqz{-`_<&b2yqnroAliNe)
zJDF#1i;g@S6ig`dyhW2@!CF!mC2i!$dOgPiGM7Qik;ihAV(rxy42IoEZ&rtJ)sg4H
zB1Ow0c<LJjVy7<-X=Zs~Bwxm|Z8q3S<j)BYpvQD88Nqi{6};IdA3l0X@`(4&hFC%=
zPV4*BO4*;@I6j4&&#&qQD76Tr5-l$q&JCG%pA!-#Vz-rYR#-V#wJ?2RamR1y<obdG
z5u`Vkcg>gYS<ny)zOGuXU10tcIiceH_WM;9r~hZ7empJvYbKj9DuCfQF#@#{onvXW
zRAt?Ijd6%f>@xpPy57S5Y?c6d4|Ba|32IU9>yP$=G;&J2r?}pedj8qpfe37Ke*}*u
z`l=(D1E3j~5dw(MT26({0nE*_4EL<;JOEXe!bPCb`f0y+;Lxkoh05i?MrT{uC8R^_
z(L{pLqtZv<MyNH((Qwm|v#AN4CXcHeZ30^^@ReC!!<Cf2ux>=aydg_b9+3*MsW+t9
z%!w-Dqq3ZWMyoGO@9Vc__#51#G?;#`{)Kn-cObPNrTEG%<EIBHiTYFDJ8Uee`SU>r
z9_Ze$rFMs?IX4bRQ<IC04WJT#Y-|6GObhEg)VZfsCvq4$Agu{N6jVq1Ohs>nofgxB
z)1$T{s4C^TNyFUmJG*BQy$`kV0b!Iu^DJXK%XQ<Gt4D{*;pqwgTrfJpMlfD)f<gk%
z<55uF`>TaV;a782)}Dm4C(5q5@ZNkSZE-#W(E0P8U`EVpZ42mP?uM&89Ltx2skJ*x
zwf><#?&Z*6s*4&zU*5O6OxKB%ZU8u7GC9O1JCwU8Ms%r?5sBv#t*{k8omT2@Yz6wi
zF$iL3cBH;D+8{~5W3>kog&pky99O<qnpBG(sbE{N!14Nf*TCLs=4PaLyNuA&ep#p-
zu9m;3M|6f<;qpPRKyE0wX?~{<@#HU=G3!Kq##{7hAMLFx5fEh);P4jwG;CE?(nBMF
zWKh2c%0e$_uc;G-Gl#=YB~VpCpQkUM;N|jN=f4=A&Wp$w?!@Fx8m>N}{=47KYt=RR
zSQcq?wuoX%NV=<2qc`<{x1WGPLpg$1O*#~+EPVX2*^rt84A8<+^0VMBW_s)1Wfl#o
zr$Nc`w2E^=y=4DI7_jN$zz*;!cc<*yJu2WXOD8NLj+T}nv!WZSt)4EgG__{dUWywt
zs43dFr_<S#o6_NJ?Mqgu)=<mhGpkqhQ=M#CS4y<%qWzB?7SexYs+z{z0dVm+s};bu
zHqmlBi2q}G$oDVpEA{s8kUL2H$<Zd-1fkx1wY3=!O4-aD>j0~Xz!*MSC?PH)B_uC-
zMog|$*N?~+YR8|Mcla&E+>9ZwA7<XvCZmg@U0|?l(S8tZ%wVxQ)I~r}fMGmY8$_u1
zhMhSoD>pL6*=&Ew?FjI_M&EC+zvM@=T8J$S2yD?2br7$ZI+*ZIm1lfww+WZ1hM;6o
zwDJljT0nzD4#513H88FvCV4gLk9v{fw_nq)6Pj{L=M?jzt<Es|u7E#24A$uZiw<hg
zZrsYvXo-m;NkbJ>ntT`#y|<26RMjIQTGSG{Lh;Q|DV8JbEQh%b?<@AU{1H9XTuu7(
zd)qf0Y68!<+m$^c(F7JlQ?NOiKMy)<q#32NyKuIoH0EQllU$B?RHzQ|8^h9tW=nx5
z%=rVpI`*q41Ye~O7`y-c2`WJ~b(06nrDO$7W!59s;(Lw_A#NdMojNR*Uo>Cf?_w1`
z8LWtJE0|mIdVGPXDI2-3elYD>73(rtE&U+ZffF1{9|)7yVe2}$5y+)fcG3-7Zur7e
zP~*T6ae^_#UX>MmUT{{h_`&mPlBA=b-}se4T|h3K{3RYRP?~O<HV|Q5<iiu)W#U}h
z4iSFn$sN5rS!#J$viX(8RCzE<uzemEw@iX8ex*#AXt?NKYicJE8w7pTBW^9+fE));
zkC)Z!Tpsl^J*Lh&8aZ1-1Zf!v<nF(b!B;gDTb)e8_K`f>I-|e>x07h!El;&pJ}fI*
zRWGw@vr&dmM%3z|U`1PX!e??#%#22{$4wBKN3}{GUrCO_Nri{^qK19Ao+IL7&UDfg
zGncQ$yP$`5#5awY>>w%+q6;{F%50swxcwxMqC;c&^>j52l_8VioNbDS*Q-p`#1a_@
z5nnMm>S<<Yp#3Tdtf~|JS40>7*#%9oj>sGT*K@$;-lh#<95|u5)SPV0n60_YR2Y+}
z$O|jx9L>B)FWY+~ikWh+whVa8OQZW}H@s%mru-u_dkVHF%a1rbl~+_ulvYi;+`eDy
zUVW~IO?!OkV>=$&lSnMbq_VlI!&5LVK&Ho@a-vOL11pzlS^WLJ55Vz|+T!GzA}f*9
zX+NcgJ!DjzE4^O3ko7s8-{{NyLKl$zn&51LQvQgKdyffUc3AC<yzqP7V4DweRFq4t
zwo}!)GAp^ZjV|Jag0)=QmL;ZjJO;tJu8vFP*#bVs0sY!K@2IruohAN^4K7+hdjR+;
zA9$q$d1zCyG*_-&2G1(?_s>d@tK|Eniqz<$Wsyr<y5!WUS5iP+<dmoRBWyL#aGMJU
zRCSiTf=(cjd*`#=LtPG?Vg&A6Y|J{_Ff5K4QHS}7^tMpe^N#lWvkX6oc9x09GBIBr
z^LIiz@F)9{eagC0`ty3x8Tnw?_DpUvH|2nz`f50TC8E1h{(zGQM};ew+`d8Us5R&|
zKFjBkLQG-JV5-_aJ9T}>I3H|a;^C-TVpAhhR$BzK#Qg50k`7s2VQ5iNZgE1qP9vqS
zTT!WqI7vX8Urx!1={K?$*fJxaezV{y{LOIq9(Yf4sPZhgBe+6-yW|sNVF&9deG~=h
zyck+*fr&S(-R$i^O-U}<jZk8Y%LNyVae<?02%o<9LS9U#Kw_||&fZT~H`9$xCj+OB
z>GsBfC88zH)_YwQug}nWZIkoM8XtuBaE&L%MA{Xk1ZKIAyau;|jKX2092{v#VmSSl
zg55@BOHPp;D;ELO=!pS%KfCIc|EUQ*Iq1;@mz{jr@T#;d`4=LmXDqHk_m~!dCmtL<
zo#$+_jX4&}_|%X67mmeIp)45x#A$WjxZ~juF0^a_-H1_zYtyb|-q*mf#(;XDwjyCZ
z_kgKQkf3z#b{Wsisk&h1m%Ii&E8<zL=JlI&>OeK`<=ZV0;8(!LyDG0KluqcT;da%x
zuFlKGqY)5@BGzy<(NpCc3O+{{2;0AY4nI!LfChro)V7Hkp^~hH>QwCri+IBR*d(@b
zH0E7CW+XUT1zq!zJ7WO;M8Xw?Lf_(n)ePe_B)Yg?rsU#k(7Tb`veRhFGx-tvx&^)d
zU_(3PJ#Ed_ju)0Y91fIE4qtKB#i=~cg9ZKt^CICZnkn8zy0q~-j5zti9#J9ns#d?f
zjuu=SFY|pq1H?nwY|4!kzHV1-u8Rga%uc-bY;B`$sThnjDeBQ&w^ALdPKZsQE>rk~
zJ6aNb-7bQ)whvjA0E@L6>Q{J(nYSDRF?S_@C<$2Sk7uYx6&V4&N>p@p*O58G#hdQ#
z+Lg3B^!ppAuqDLpeVa+vh4;hlKdTkB6qn))A}ZVD3$-nYHUP<O*@D)bUDB4OwG0w^
zn$$C*yPHd`pfDhf%Y?qCQw^I$&9ZETa9FQSI*yDm6=poz_(fz1-d2vxj1ge@)nb1a
zHCVhK3QDvMu3lwD43&smmU?#d?CvX20by$C3$&e`EefMfC3uZ>x^?k5-nf!|M;hKp
zjWA>zcjVX@Et*Xn?Ms@0R@Wo4ujVW5<#k63={A<3*4h|&tIFtr#Z;qyEb~vm&}+`5
zyy5Qd#p~(bp`z>veselv&clcwd4Rl4k_7R21DO`sr7eF1Wk+D5G(vh#PU-)Anl9Lr
zC3b1b$V{*}r@cMil!DcjBQ?`hBtf_3@Vq-m*75Us<~$b;rw)PbD#KP@YXb#m4ikM&
z8ByhthI#r!qBp%Ko~4ezHFP&-3kezd`|Y144G;5@Q8eL96R@dM*V0yc!_xt$KU<{}
zBV|fgvrn_;?ABy#y_!lV+Y{r2KP18K$*0A(X;*ZtiOEPU4)d)`^*M%FzSG3cIq(1J
z@3;T%qv-{dvZ-=BU1IU6y$^bPRd#f@Zq_ZeVVkh%DQ|U>n_v}``cwv3Ft_Si^HiW4
zj)}GQrlk9#x7RTd-xe~+`uN9JQ4l*Sh^b4cpGPo=ooUs%Ia~+e9>a!<&i@l-urm_3
zoZk}PZr_IHPFnVjAbAvJqaPyB{zf^Sv>5NYScS=nvEqjaSgQVp=9AisjalP*(5VTf
ztZx?5^3P~H$Bu<1P|(1Y2dz*QLm2PxgHvxVf315wPr){wbRTqUjR_}(3doa{?VjV-
zFN#0T97a_*g-LCb6cP>!!P<X&tgtl6sIWsnPU+q}Vcq5(QeaR*-Y9K0!A0a7k6^=&
z!?W_H4#A>^4|zKNVM~8RYvW<+6SWfcNgwEjhy^9=b__=cOzwXv*;<C#Vy*OJ2|3UT
zbB<+t+LxXYl%C}e02YJ{1XtSv`Z~8`+qeh~`^?Zza1D>FJW=9yCu@x^hmc8q=(|aX
z+*|Sx91!rfxICTN4bq`vqg2^;1G%k3jYh66BVgX@xH^=R>ZKE-u~rpAEy_EJNcnif
zYG&ek_gpC=mVWyi+L39eb!kUNX|M$#d5z@r2~jvZ5}J&5K#rXE%d?0=yqH{J7hb4o
z9rz*Oj9t}b$`|D%_Vv5K{(+1jA5JITWOQ-W={OMBN5BItv9>I7HAUIk?l3M-+t9hV
zJ?2zB7pfy#`|R$Zy|d|&<D4Zi=jCSsvT@ce!2Hc{DZ--GJad|Ws^;&iT%#OQlzNOV
zD<z4g>S?(eL;+fTQ~d>d4{5XC%3G}?of=JZ9i8i+U6v-&HXScm#*LGiXCS{57n`zR
z{6f}zMQPY0Wg1`RqS4ZJAR0uQ|6aqXj;|!Y2RzhgSt!5P<rG2|?)da*$iYrka7gG_
zqHW|mXt5O?H8BN0XXdMUQcMaHBVSeSP->%Q4{??15On^Wwp2?d?Jg~4O~XxCLyl&V
zXFX+hUcO5`&$3x0j+eENtD0r<(p@LLKBK`;L=t;m_nOA}VsqB5_EkS(y#JL8jTqa!
z&S!B+;df}Z$Vd$Pwj~Q2=_o|z5Or03-BEnZJ}x+UE17sv|H$A6v){zxI|WB}YPT0V
z@@dxQaDb~|-jLWnt)@dk-B$C*K1MNnS3uEn6Fa^q{x4Q`;V)w%C9g=Svd8ic8{4Z#
zduu(-yDH9g(LoAd&mBg2hn7l~rgH?C0Gk8>6sL9|BX1LS4SSbS2OgS6UP)X+T!X^U
zO>w=!@-AuLE>O!w$a?{av!ij8$9xGz!3HvUT$M)dU*+^<jNgeCuy8wlAf)>VGK18l
z56Py<2G%<U)<L)Zdu>_M)-|IPnEhN>M^UVvn#VGHHV%#Da_k24j3*<k2zbt;dkbn9
z5YSrl(pAXk7LtfGi+H#uKn61@JmbyYrz{^11^02vVMu?0`#6>8zoFOZIHmh?C8hhg
z`u|T>@ACDNe)X0KqOKjz*2hnn5{Vs#7Dr8VzD4!sy0-&nMuhk{03-<Ex;2GWsQ(R*
zs_$Lm*23XC;3UM?-f^rdPEDbO^;LUPt+G&lCJ(-72h4PeA#&gPS>vH&)bnhvyz(m+
z>d@hhYk4b|53!0>idhRVm0+5yFcUnKe6OKEkGDwNgWX{@bK{IW(%-D8|7-1-F1qQx
zu<B2A!Ub;z=jmKWv?$Y50!2Ju^DTVGI_LIYJ4l|Xy%YDcZ?$H<wl#9!p-{XYYtodw
zI<GZa8`chSUL^QBX=-=elTDt&t236cX-NK^TXc(<=?}2W?PYc<Na^X#<DSXhj{cLx
zx5(AP(X_mvUoGfIh2%eo7)@+lNV3}F&IVcG5`I+#4bU}mhVs9EM<_$?-wPaEIZ1!a
z&Q7moX=YuSH4k0_Ss`782?bY+3(JIUhSzcP=7|enDX<%`5mWK}58D31Eeh|89)&>^
zr35JnK|w&eLsIDmsR0It?qNV`kWvxp?nb(1$bq3jx|?BODCrmmq)Yr<-}ia${R4jA
zd;f&9&pyxDd#|<jQYkc^duAy5Xd;yNdXnYYNOvCBBjy+RlZl4&{;#dD_j#w<{Wp89
zf2C^qm*T*s9ab*WjYpCqaMH%V_39=iMqdQt^S}yY=+Y-&Eoc=lXEIDFb<;k1pgeC%
zBtFl`e=KwbNRv412Xr2n>|-?`-}7KqT=NX?=ZOusj52gZc3Tb(?)3Q`)%Px3CJCcw
zVK`Bqf#mFl4ESR8pNIv9+HL`VUA8=)?t1!}H*uq&4qH`B44l!5?Rx>w;sUW|>8?fn
z8u5*Z25_PeKAH2KAgNq52I;@}v~tr0JIM4DpeeTm)#*2Loi^b${JD?XOaC}}GV61v
zuy;AHl{y~jP95f$=Xap4GB?iVA}by97tpNBuWocOFctG0<mvL9&bo@tSh~b;KdTfm
z&G^{z@G8koU{V=<f(nK%dx6BT1c2BYkKtS^`<ja+jec&}O<>>|kk+9?Q0c+%`j^O*
zo}r|`&igO$M*iN))g0q1P1#NUe)0O!&BphQSl_V>ctIx7NckuFY96j~><6-7UMq)O
zA8$piu(97o!->gq8P=(n$u!wwYl(~m06O+#^{wRoPvVMFN+*lpCb-j`UTTQz!-N#}
z0BL-6?`7<~*}5eUk*4WFYUWwOS5KqI`gdPGuU{o+8xLseQ%#AWfx>CDKdXV1_w{Iq
ztz8qrTxvMelz557zy(l~jG_9E4EE;N`>}4_-1_QqUbf1}@rp8)REV_UZq`nDPMC!H
zrB@F2B*MgT`Qp2XzHmZK_t*9Vnq*Eh;S^)7^OR3-l(HH@Sg3vT@Hlf;1tvij`5Ku_
z^Hk(^?=7S}uIYobwxb%_%)0(`#9`!yuR7hfw4*6hY!z#b&{$&5Dym19=%aRMAHCn0
zL3;Km09_VN@_hO<sVyv-#j;$O*U7CG4x!zbpM@5n)jiE3?}JZ-0Mvw1(9Y9{Z?R@o
zwmSH4OL-(&Y4nNJauHHCV@LWTz0`cq8tAUOw<e6EX<E+hu}eOTW~}hT;mB9Z-Ww!F
zWP<j(S~IO2Jt)_sIiX?ydA=X>HIckbzAojLYXtP|4cYJ+<ClcUbB0YPxekSN^|sn~
z*Osp@eHP}#zxseBRh4#Jk(y8<s@+v8n_jcrSE&FdMK(S#+a~!Z>mLBGMCpRb4(tgw
zWJT*{re?i1mUw=uG4+-0=aqN7XI`{u(h=T9{gcIbMVBrY;1=bL`!X%KaQu~f<W~GT
zm9(z$Fw;O>D`zR}F<PFxjQO6R5+8neV82oCHntYvSzr%a2a3p!!x8fvx@L7StEXOu
zIo3tzSF03AGu{^JYcIac3udcSmfv^l+x#}n-%RCd1Imvj?!y~g_>K5A1Xd}h=US=-
z^hoJ=`blyjD*23&`IL0Lp>Av9N7i;v`mK85t?BemOKEYc>0tpx?4PRY7gNKPGnNI_
zR|2a0oS}G)voBI$#?b+H^aC0mVF6I;{`+n~ZU4egDYYTJ0cLLGs27?ukl*!K`3Oru
z_54Tv>qb+a?18mL-i9R1n%KrXRyD2HwVmn1gpr6at-tF7!iJ0hUP@SBFAM9i58^R;
zS!8qCn`Bj5z*Wu<@wIWfdeOQSIf=c_i&fMOEqdug85OI5Dy%lYEf>BFlCma*ybZ|P
zzqVMjN)bezOaOp?3Ib6BK+&3tr;hfC^jpV8;>`6`#*N^TJ47I43B(!w6y8gSw7OVz
zooO_vtL!%neaz=qo|xvV3rS=JZ0+W^^Sp}43S5BydE-d7>{bV_Z<A@SyDDR}K^I{;
zhKCc(r;>reu&~98gwDw#Y0(N$7MH$5uaF&idC||e+XL#wX9Uh2WL4xt35|Ip&92%n
zI?AG`*jsgd{F;j%JLa|-?)p9m`B+Egk%|T<b?e&AH?Z)}y{=`VJfV(EWG@?l2AvMQ
zy}Pa=s&`Ar36gIybGXv+$3r`fiVh``L)ZGi0We#*l4dB_*sc-VxR23k{XUj6tV<J^
zSW0b@w+7zD+oSULCD~<7&|0*Uj(7VH&(X6({JSnn_VkEPdgcDxO$i~D3jguJ6;c18
zl49|0){o$V2B*6IB9-PCwmhF%b}!|7A+8e$AJ?HrF3r_^Axi9COp7uVWOehiC|O8J
zx*_8=52HFF4zF(*L6HvszMNW0WEAAx^7#8nsZN6@JBO19hvlUA%)Bd^qZ7PA)uwjf
z{d(OaAK6N8=pRs_9b+FacN{M%4Xc^0{`M!WS<3B*s5%+7kG2Aci9q2V<Q=XA%s0mo
zzCe4ImJhO=W;1caTgt;}?YXYG_NE+ZRXq1~T%_Of?~tZL{)2@-4RD+1VR|@dX0=8|
z-bvqHLp9v__WWnIgBJaB-Z8U$N+`Yq{D%jo(_RrCkH$AVPoJ)0ldSzd(<!Efm22Ye
zw}M@8z26w8%jn2Zk*rFWKRp7VKJ1O>&qvLmayIioayY!{&-6T|aVT9U5FkrOfZ1-)
zj*r|LcRES=bvwR_7|kEDe8`Fjf1;AAS|>YA%(ER?#o$ZOe@JW`dwgjTuo^TOhc@})
z0uZx*OC(N)Fs;M1s8{6xA#|oA<c2+Kx`3WgRIt?^)|pUN@snOw&#!Mb|8(xLQ*vL+
zj0%>Znw^8~K-6J}*Ci6eaS9@RME0x*xTWQ4Zx1M%E3Bcbu0<sUo+z{WPiji-%_NNM
zl4fuJ{RHpTW2&OrthiJSAbFCEI&HY%-)(Sv0FEnp{{~d?<0w0|z18y51$Eb*us|=#
z!$i$%-Z-_h+b>@Pd7=;VgpWBhD9!_ETsp$eEv7K8C{ue$5Z`&x`w^Em?=wklepBCB
zhRw*QH4^drq4fysLAqPt=)Jg(h0Obp3L@<Tdh{tNwz)8w8W(C>t>5K_(_&3Uufr0;
ztba@l(mREbxwP-KjjB~lAJ*2r(tyq-WIB9{kJ<jUBi~R|g2CuS06LYc#Kp5)rYu}R
zi?tVJOBLa`qpf`Uaw%2dL*`+vnbeQbI{Tkiqq-g`bi^&<LzD1w#Kv~KNR@jNe~bZ_
zOx?zXJe8J47~PKNV{Q$CpL@7vIp|c_O=sad#B57wgB0KqJXS;&L=bwDUC%(p!MXa$
z$DX_5A9I7@&r$8#FWHz5c^GVOr)ePxdEK>8=+rBmmj!Y*=g_Epeg$$#Ps5j&$#{fe
zfp6f&ruK6mqSNPD<70LIms&>3aDu1J5e9OoSTztrRZ2$m7l{SvGar|A)7YhVRzBHJ
zoCKN?1RQKlpPeC`y>Zt}XKIMcZInzVSAlaiFsnq`jdj9VV=Ja4K)xT*BavQWS25}o
zAvzgr2B>H|{0Go7eTzjZm4~?as&yGI&2gC?Bo=a+H-_Oo9cPV6AE$_0tFF~J5%TN}
z<3(K-hv4z#g{pMunJ?ZY1^d<eIWb)}F!9(#A<s7J8db07L%^hNYf@oM5Z&s5uuhD3
z%{R3znv7R(s1U^sKJ%_#1^-JaL*OiAiU8d_s}-~UW^taUE@K>GCsM4-l-A}y5Z_2|
zBK}jINWmCUOP#Jg(P7_7b6T6ym>X&OL-NUE_74DIv{IjY<!oH~aMCG;2Ho^?uzr{3
z=wW2N-7Ja5M|if#6m+acl_pA#zB*FAef@_l*N<F^8uuOVBOp`xKv30GT`8Pw$2%%8
zQXTC4JE>%*HNN+Jj^Sl|g`hfuD}d@%cw*YnLh5MiQWQPp0XHE>0+m~2aE8t!WeRQ{
zaD<b^qi&#5rDALRyBdBhc$_%W<3xD<!^!P!ku5qJBfm1yP_mGctZdA3hf`Ty@UrzV
z2aasCbLVH_zUocrkSdx}d>DRB2wLaz;h(WVIJBL<wsPrx*s(8@^r?n$$Wbj%nh$yr
z`_e_Y7V<TT@_UV=6&HVYuK#Et&$cxeSeg<c=SlHYBOk)SBM$Cj6(@uXYOW>^zlr+o
z8s;6jS&w!%nZ7LIAzUD0;ncW<K1kYcLBpGRIsuevh&mpTT^78pN|GSJbZY?C-=R^u
z1~RvwF9Ab#LYT@_T(0m)_c}V_2GU+jIkHLy$|m#TlIqk)1$xyr4cCe3#oZ}a=3C$R
z?df1-EWDTSHQ#;Ylh&N59-|6-Y`3qRl`rIW=TO&by%K8bVNTZTR^No(?Num@p>KiJ
z1dMwYA`}%$>qww*hp%iuX)^gHoc<};Ul$7HTHPYrxQeMNnzV%Y6T?{V|HCWG0h<+v
zP}1s+*p!dfqLJ*Xb7@?*F?(vdLQ{(T^zocYyWiW-&i<D~a)yXl$p@W^KwbH4_Lb8C
zb!h*nc1UGyp9BpL$A}u_cbaUOYrV5ky{%<gLuKXX4@sFRa)qG}Q(qj2;At@k5^J<p
zIx%sy@3!yW7CMeERj@A#v1g7qxJcHPC+UQdNNJ}bwQe_SwbQ65ydB^3J@#zNHX_CS
zeleYcMskU*c4POls3a1TF2wSk6Gbh`!0L>?t`ilFx9BEytA>m60%_AyZTwQ|VQKcP
zI);tgD4A2<#pAC_p#y?N*njdj)(s9s88#N&$|-FxTotnQ`Z=Svy&nYa4J;qOh~2&b
zFh?Xla4}<)%P9uW>@UE_n>(VFOOvwRA66~?NQ1y{B!maf9yE6jZ}Oi;29v9H17Hj8
z$~dypaicVY)R{F6QPNUaldee0%yxQ^Q1#n{gR@V6Gt79zUwFh<^4O!iP@OCTy%r#7
zl?N`$ov9#cKxc6Q{f6tanGJZG@X93J+7!}btn!L*mlzmo9T%EVzd>TJTGRVX>WoM3
zI9X$_e5I`ws<S4pF3)j!Bu&Q%{@6LFaMKTwth|GXmWEAD1Oc31614>uiCrg8uK1uA
zAy5A$r_gt`H;D>{hq?x+9CghI9S*BC1D3hN*{Q=6D(K~8AY&gDnp!T6$@)Y6hxCy`
zyWft=JSJcb%54?CD3fS?(}N|AhN->;i_LGm;gdBt{!>Ao(UxTxGj_@Hlw#eup~Ec5
z4;y5x;8Zl%WX2j76oUoS2!^*X3+L5Mvn7gd5hWNn&VQO}E3AUf<jJ}rZ`~#vAkSY9
zKEnK|YLXW3bvKW0c~;Swshzp^oa5kkC^df-1*b*D)GO%;zYpjls%KQHX(_Hu`Qn+U
zl7F)n8v-V6^vlChJedFRh69dMjinSN8MFBN>Qn97vF3b@r*sCpOi7hB&TtTi59n=U
zYV)?Z(W$)fY~TgRyL<Q4BkInYbG-Utih<!DjY;l5ZG<(|h`HBQ4O*Wh49I1E5WkU4
zNu4F)T}6AxI<s-*4*${gY?&;dQRU9$cS#db!5B``@z6ltqm^4aT(u*s$rRXqG+;3)
zg7Fo2)X51lsKFFs8u|g!U+;uWBNm6_Osehb{J=!SY9$x{;i=15mA{quGxGme3&$PY
zR#&IS?##`%KI+h@6p^%?d00KH1~b5p+`&wTIHu^oxKjkEes@q#X{xoxtFu~k7he>;
zT$hUNfKk2XYKrYed!Rl8Kz|ZCKjgM9KS^8${_tK%NfCe*VW#U01q@3UL^NcuIf}w>
z<v(_Nw-Na4S@oX`4gqJf#dn(0ZHkxS+{ThiW;C;EaO<hDhf2e7v48jx)v|W)R7DCX
zJW_Vv2=elNP{~rG?shwYy_$vTpjAtI=##jl#bc&$X6|JpZm_(A?8K~Lc@XXRcsWV9
z#&6QQJo?wErj8p$D?oh<23c61D^lT>WtS_MVZ12kMxW}7VHQ$D_5pGErQ{*hVg_LW
zwO4bI2IUWzXtS@A`8ZXtD~Y}1W*7fqR73Z5lrdd1D;AJgT&>wR5GLIBzJS3jFTbz}
z-B<;#O(AQZnonmZr<9-|x};JKFCr+}T;w&7Hs#bh+*)5g%h}9-m1PsnZ!Q#Gan_r$
zOafAOj6w*V%sPp;=ss)>49Zv+Uu!(d=4gjELW~G(X}d`H>JNINJf-BI9CQ_yQ8FLS
zpJ@+}3eS5hy`wU7N_xBI^zRB2OO3qq|MB<%i8uW=tu2dUK-x+0M}NMo<{DeMM(;6B
zUg~^ouZgl*ATv;D;@ju^16cBU%J5z<Yzv$))4O>@Z}fv}0+7L;TU4-}V|2Qkf5a@?
zfvBqJQY$W@owKU}X#1^+LtefhaP?}d+`l1pTy|^WA&1;6Y9sh1^L}M9C=zn<Jf|OI
za>>$-y`43kK`OrnephKFclZIen?_OC(J(TwLY~o+GNDZJl^$x`mMb}Y(hqp0xK*?M
z<a(WjZg9<X?27=9yjl-@ey3?yCPtYOd9uiqtc^GXOqVh|vzI($+~!{bxuA9^u3irq
z%uBH)apVLG6T99{zS!Rk!<5I@h~LL7E?8@!#>TC%HbiYmiDcmIK!v@QCP6yGoi#{W
zZeh&un=R)h!^o6cu=GNN`NQ$piNM>8<J?qR_l?{#=j%V#6LfOLZ2ws6yyg?MnW)vI
z;xyVv(ZtmfA4Mn*2!-58sf<kOsS7ra8$xNG%kM^;L+{4;=L*H7mG&VKVH)6+r^{_G
z#8Yy@0A(o$xa~Z^)lkN~*HR)vbZa(CeeJv;$1{z86_|V;ZLj+RXM96OE5L@&XG&+t
zSEivRme*ps`4pKbu-4{oHRA#^ei$j@lEs*fIan`CdkMDCF7?qcON|%amXajf`(5=$
zk)rt-p*+d6#bMbpNXM6e;@mp$F?&ybWx%Uy29qQcF0T^SJZBh=qD{}!FcjnbjIMc)
zZe#jmZg&F0er+@Cow4v$1g)Z_^n#=ShT#CGmMX^Ea8a3_jQ+w2r!gbnxRs`QgRBbC
zfiHrKOcjS8H&rCdY;s%WrgVR8+IkXFiQwM2d-I(cp!74m=vU?LPV{tuqBFwCK4sfi
zyMS{_IIDU^X2L)-4Rk)xyrBpi-@LVUg)evv$W<TF=NL54+H>9}`JHEfPx1@MQ@3^9
z|5?&rJ~1XbHXjA7+EwweAcn=Q@ea|_E_?W|9Pakl?W3r8(CJA8^y49ph2y4udNW?4
ztC&0Ixy!Hpx%y$-3#=-n*FT)*vpK#J2xY2@cGFvk-y6WA9SJ{KAGrsaXO?^Pawcoa
zcw{jfEVP$+i{aBSTK<!{1T8G*p(<5!QN8wuknr#SX!@je-J-sCMp;t7axb;=@@Wof
zLIh0WV~TbozFm-^#y|st<86Szf$<lYpJ0}~nDN)^3PDx^k%cWfcyi2g?<HQt0wBjQ
zLT%u~v{q~B)c7A&`XgLo%spm9+Ub+npI=@Tmy?=%3<~+Q{l7k(|9=MkSiDcq9BO6*
zS>YI*+jBJ5=T0?|j7iEx%SHf**Qp4Je8X1Aehe4vCH4O!g}w1gmOF`(@k*8v9Qp0B
zZBb;P&~f<WZb7RDt@#n`P(@M!b-DZXHKq1)WI<E24)v__LFX?c$2*duM4D-#LxpX*
z35o)S_lt}J+6Ej)_b*<9Syt>V#D~GF^i>{cSC1HuVVR<Zc^cDHOc*inoD^<EhJRmW
zM|A&)_dd*!&4)P%gnIYFRcThjhSA<nS!ER2=*%$H_Ni0l_zSC!sI%c>@KXh$6?Lja
zbCZ-&X%RHHzO5EwIJlX@&D4G_2`V~C?{;h^+o^@z6N<^>t`f4h89!RzL+zXzO>qCV
z%dL>o$s>4y`3vgcsDGB9wc2<of&V=jXG-4t3?Siv_{U((U}ya`r*<ik;)2>UW-LtV
z7^zE^nOC4+T|=9Zfbh7ZOE86rZBI9vt4kfml!tf;)2X&%=+LS%pGs0Tm7`2J>J4ug
z%NS!l1de*1k;^N|mQJ%{{+)g0v5|m?4e{JliOPFl36$5ih50KJ>~({N_q6SkaBbe&
zb#{;~>aNUYkJrb(O0K$cky>;%w^FX77LwK%_Z+-bB{lSWp1vOCLomf)VpM2rSZ?k5
zQB6-!!8XxmK%wQY`@cO{ZfR`-oUULj)(z-VqN3wQ)wZ8ciwPUDuEpowqaMnS0dHwy
zriOEkB2;D96BptmT7F4Nj&EW@xd>Ep;-N=!9bDdRqfKuhxYS`)BC1nL%yXa$v8}1;
zJ~u)tPuQW%)Ag+JgIsWS6N#g94py7`h>Wa4+@B`eaRO)DMxp}ans=$Q-nPElx=aeI
zaBdYv{xFqS%R|sKNtbZktGaz-OlC<zWeLHT4)%Gc(5uV<A$<GmIPA<I!Gi$D2pGMV
z0B$Ym)`B6Z=g+{rKSS!H8ByAu`7EQ;vKiaM`r=5^(-3<&x19zcV__zRFM(pDdZ*zJ
z!{sbZ-GsSmtL}66>I#X_lKF$wfd2A(t|Qm78=)=Q+kH%~B?7e?L0Smi25`_=tGs-E
zW1PmhKR_wu!NyD1P3XxupLa@PE`z!Kd28fdA}_{0TeUKvSTRcfnbqJ@R_E7*%=SZC
zwsR%yv*&nkZ8-EsyhD_f3gdH16d#9!fxGe`X4<37GrepTz;!eEUPzH`#>B9jO57fM
zZ{OtR(7cwtQv0sk#xTIIH&ed6GI8o@6!jE<1m~A2vzKV>&R8PPC$6U~@@MY<Fm>4c
z22=fGwTZ84UmshGkbwBQtFjvSOBP|r-yZ1qF7a6N@edlRToc~~8~r%sk5e*M8muEp
zxqGYd-I+kKX)QKhLKBppA})4u(ZnaFU-U+TXyts01fpmsxPX`DO>Fl;MeLLv=VUig
z+4nl{_t2qgpZV_>IoFN<!&5arz=c!okrz8ZnGlY4bjO!{gy&nlfr1FD+G(AYh&)f8
z=8YW$65tqS*uDOI2`u%lH{p9@zOZ+Q$o??8v3g6;SdN%!8Pi+WapIHt6A!D+kM@Qc
zAsH1{8kNl}=c=eR9boP@bqjr0zld3+#n`QglJMFHUM%owIDAZXQRa(z3N4O#`)GE=
zea8<{eHlwsLM|H5?SM72(fx+R$d_6^jy-(tugSgr_dmQ6Zd^o_P>>pXK){0zt9v3B
zsl(Rf!Nt^rU?Blx2sW>_5`9GE<Ku>dld3=@MANfl=gV9#Q_zNHoZ>lA=vLhL2QZ(_
zpw$Q75uwIZ3-*kf!tvt$6O+Mp6p-?`CSlR?#rw&l$#QJDBNoixZQzVT8i`qqJ<ZO(
zOOcbA<Kr2&1ljc<*q-d`84DYTi%7ySa8SCfh^fU=Zd-D9_|SNhY=Eqp?hp9D)GVW)
zYQIy=t8Vg8fgj2p{@b~)WdYsdN3^mzP5`GRk*6mw<DN0YMSB*ny$+3ZWiCX`c2bi>
zT~lYgpE%~~Nj&Xtk#G7i42KoE=6<*_f-3WftLylTM<y3@!)<;t_rJDecOxQs-Wbv*
z$c`P$;FuH&YK|3>F-OF%Zw(KF+rCK8cXmUr^h}*oAGmn8S@<d;vCN~i9USe(#*OuG
z{qe)}@WnZpBV%P&%+xr)%4l%q-HQ#@hH;5@v2iNjZ8%^bWa-vEk<4cb2fOngigwn$
zdc|sT)F-L`fy$b(jZlg1cjG@?vhv^he~$eOJ`TPmg;vGAwzdw|O>^Oz4;L#{L4`H7
zl~AQS;^C&VI#-vf0_`J`umOl2>UKOchG}v7G0itMWmkEP=r?$3mJ!iCaRU4cO$F|{
z{Vxkj40t4`DRE0?ZTl19+Wq&QH$zDo%U!G^4y*9Nk?rc)x7<<UVV@874--umUd>5E
zgLL;IC*uCYqY2g6{-@xo%ZlgfGMVI{H&j^EKmt1H#YfQV*fZl<F7Z?T5qCXExYu0c
zvRJmJODHv56YN9L+MB^()ZI@+VKd65YxsV9n6t_qt|(z&xS|1;D($X>l?%`+;J4|z
z6>BOXtTrE|DPImWa?}5V47jm#xOqmChhO8LeC|t3fCqE9AbU3l1{Y^tvvGT^vWku!
zkM+W<X#tEa9dphz&e8?a!VPAQHQb`mxB$e;c=nNyGMq0q=<~CO4-7J_MTokxRpSDv
zAdg#kvmb@>XMX8IHFhZER9B*Ke~S!2Fg}j8*@^YGtob&u^}wW;tsFo(fkpq-9wC`G
zW$l~#*w>SmU=h|*y#h{AQD<<qX~UgwWpm16r+rpUJ1$v2QZ&(|A$~BR-??j{v(9C5
z#F7s5I`=$T7hSeY_nu#UKs9g8E=Sw4cQuQ~iL7#I*hPlna`3Z4x>fVOOls=LGnx5p
zMl(TVS9=p}hq@7H(r&JDL6o`Y`uF?&k!3nw(2E;7yXM}P>pA~Z_@|N6O)6{i)v)Im
zQmr8nz(h2pK(ciC@QzHT$)70`GH!YtT#NO`C#KXmA)Zz<p+<^`=zBe_bEH>{&!o^K
zk7s=8s9o>gRJeCRmUqsi!rW|X;<j_8SEgQk^!;#T8j{yuK8=w)n)DTSZ|<k9MT%Wq
zD^U>XSbrbmh+$u%u0LSm5Z5wISDSUZ+>x!V@)V`?oUIJK%WuGlQhYDjW}ABE&OO^q
zQA#jUir3A+9CNu~(YbeYsoyY}CwRRhk-B{}H;;#TQdFUrrzKn-TA%7#6(|fzt?5PY
z)RgK&wm>PXg-cI&E5OZQ@iY`Mmr2_E0gF$#peQUPit<%|nton+@Mu!se4E}y)}l9>
z@j+o}a_zn*53NEPny=IXOm^T)o*vB8fK;Jj;Gr*xEb%)CC((xE3!mZtD}H3Cdiga}
z{--po%C)bl@i>fL-NaBBrkX*-qJoI{fXUWgZi=8vLz3E-BR}5bN<#<UY!ge2Nt)|h
z!1IUA6h=g(;faxsx(sFR^wq0EAO%+tJ8+s!CGfF8?<s;z3>k)L>+NtPD)J8sbOc|=
zH(`Q-xCbZaVnu8v!8MF%e|Y*-=7uJ8H)$6<+wIExNU~mRV59^xk|0s#k3AxWQN6&U
z(v5R1o9814Nsx$MXu}87-51%HMjmLq@X+16-E<V3Q5O9{xV$*xjU%hN$M_z1n*>2D
zxM0u9Qn9qOFk%0!;NXFuJMGyoid_!{ECBrPnekh*TuYCeZ+qW$nSXW&Dkk4KUg!$C
z8+^%r<8k&Mo^t?shBWR!Jlm^xcebm6j|ct?*8C0Mk-e(_4^RK{PlzAOzx{GSD#xH=
zQL){(UuqWYOsih7^{`*Wh5{NT_MjKnZ#-L4D)qC8lh8i+6b%VlCt_bf(2v&&j`u7?
zBA+(h){_8VK9+^OL9@;Ly+}c|i!ewuTD5!Zyg5I?2FR)eNX7GTJBe7DTE5YBEcYKL
za{KiD-7{s$Q|8)k0N1;e3wx4dN^?$W?tiL+K`e`_X!@p}PF>*V<%Zr5r6$iA^*R^#
z5A{=aUl&OT;Y@`H9+B4Ny0`w+i%xbWXK`UzPyO{+?dXkSHIFw*>Ug18H2EVwg?lSR
z{=hJ=rxZ;A54Wsgc3Vq;STS7(AsutAs<4$w5Blz1zXq&B5sLPH6#OUeXCv4cie}`W
z_UwG=VyW3-v_{uC32sUM)Y$r*_yFoM!)c@EqMCB}y@!3{g$I**<7C_glWn7TP+Ye9
z{5j6|Ga7SHcbO`Mtna|*$C4rCX{lCN3={n&!yT#@5;!$3#(0<UIc>vVczhqqZHJb|
zx_0(gg1#dpM9hloFCADWJCE}KvpNR|pVBDd8uXk)5#07X>Tx#B=O8>28W(j)YjROO
zMN9+0lz2L^EYFiTKljb}zRT-{3#?fGg;dvc92=ZNX>mK^={Ht5k+?~KEMLI3pma-A
zZCZTYVas<qrKe0mQ4WvkBy_1%d>6kgh~mtQtbMy=zBL&dDkPdpaeArKaap{@e=srh
z6F-{uEr-h(%MK4`P`TcCqNA4J2MQ&lni$My(DSk>Y|mh|!WbbEsbvSVmC#Th9xrI4
zF;!*ZNlj$?iZ0VC+E3xEeac>2P2P?U;{f#puIx?x@vir7tE;nK+0^iUs<O#%z2Ug)
z)_&QM{+-@hPSNMx^zwCY9_99P^qimVk09UqFDgJ^txx&quIM9B7Xj$2SfR@j>3l2q
z4X2FJgb(pD>yRE;*E%57yP9FYUfY}Be_6@%jmX<H^*Sgi2{pMpH${p+_Xq6{k);+N
zoUVC{8Nt$#K66=rMyArWs^+jL$r4{!G`<lkQ>X?A<2rnn?{Dql-8%ZM9XlHv?C3q4
zFaI|2ZeL=eGQh0Ote`%ru%+5=L^@kK)?rB@lI;ui>mjWP##ZhV4w#tyx}eF5D<O}I
zknK=I&ux}m{e;9jrpt+`US~5tFL3Mj#s$Y$g(PIyuzj6Tg2DO3bi56M6YFuFH4B(0
z5glVXf15b-72mQ^rwuVO;Ds41lnFrzyWwPg<`r8<+93&IH~)9j`=YwGa;$nzP#>Ld
zZ&U6>jsw5a-Q#jR6fSsOes(aT*~F@Q!gp9&k{Sq+s@B?Is%)4F^1E3aU27hvRKYWl
zQnx77h6qh+&%qw6-zFdF+uf|`Cbr%V)}NclN~l+q$SKU*nX@T>-#&w%@_azlU|hRA
zg|#}<qXG{LmYjVnl@kM@l2Xidyx!PYXPTB6K#}zIZE@ucBU3?{DNH_@_N{}sENUs~
zn~z+7kl^kGcZr6uL!HPXwb?2x(W-}xKKVKKcrvh3JVijkT=umJq4ksO&H-j;^+C?o
z@e5g!kA@-ET2~(q+Gt9DrR9Z2;X=0135=K~Ut?3(fVb(=woMoRpirwyc9^))g5m2X
zsEDFSN>2SKbHwq^=m03yeTK2f1jN6{`lrV=x3sG|zD}G2V+uQ|h6X2qHx{Am`vEKm
zWoe=yK}qjVY*7vPesK8kOTD{HNT~&eY-F!e`z2>)Nj>ThbH=P5Q3mQ<cmm_C#M&<-
z(%`zE&k7Vmo-X#=)1J8m&^i~I*HmC^mwYHE03$4bf^v7sRhFH(^Of8i+2Vpqpj#|o
z+589nH}HPQ#J+l$-co+p){woJLkw8_wpCM9>?%Ap=Dq3X*RAJuKY!*eZg3A6kn{#@
zcV?-YbS~azTQ&S?tJ!q&vn0^N;a5E}9twt!9&#D9SG*a|RgP1S4<q^GWnH5*!RrVC
zo6}kxS1SAuT`Ov{z9Aqt#AWGCV10i%QZ;s9Uyb9BMsEEsuc`T)O!&_`ErLY52POj}
z{J-rN^^+f-II!vYyf{@k!FiGDXPIPSiA!%XlT6zjwDs6}pc=VtKLF~2&Y6#X)bpNs
zSbEI{NnVzEp9H>6<ij_2UXi)grTJ7J_+sLg6Tfg-EfYl>(la~XCfCyVVbi*bzpa|2
z{lR2&4a31r_4w%8<7d-QimRxDrz<2eBDQhb6b>kH{fm^3b=kkMojd$F_?G(pn=+Bz
z{`tFa$G%x~*X4b^_GQa`Ql(ZVYNG@4IsZxddqgxdVBlGJn)&Zu?yC=Eh&02rg2hG*
z>uc;t5}Ua)<%Lyi#Lgoa3uzk1rWIQ1)=qd>ly3LIf^_Zroc{J)%-`nLi_Y9Z%Px#h
zF0u<&MPT6Witc~Fh#xdc`d~M*aO6`*-dn9v?br4mS%r*Gc<5h(GWJ&S+Gn5t6wQQ=
zO1U*4q^d0wD8>BmrmYSiti}@|QViX}h05pJikfK60sw+cw3GLI?mJe9@YIlgvi$+G
z2A{m3;<so(VNZB84=+fqCdW^&Vr~jb+tW)H)5l~@Yr4$y!G$Tm{<czUM$?*PP2aUq
zRA7$Zrka14Vd{?<_4N92edfYXLRR9i;s3MXo*KOwAp1^{r@>K2k*aUW(r87ar8en-
zgP`ro7T(ujTtM-B$u7nrzAj1{cMsi)?0J;@c!f!)9vK|IE13W${~rdr(Rp%dS2jd?
zCjQ;@IAM_F%?aG8ZLS!Vh9ir_>M?lQs;vZW)R^g!xI_EglCxTloGTnj5*Um^E_Z>_
zJnHUAaffr6%I&b+1=HQP=i<nI5~FFe<xvx_#qYUNDUI8?gCUGec@z6V4po*<O}pq+
zGf|=SsQb)!pg2-HHD@MYyi-r1D)FK_S>$fj@db@&Zls2(NnHxE1tNTA;%?CVr=1AI
zUN2ZaZKBPq%`<8E7U*L|WSl{&-z)ShkKWU}3EC{;4DQ8p(?7`?pvo#4C|vy7k=0BR
zN<5RdYnqtRe6gHdnb{-s5c2&cRu<0I1zu(Ic^;%9me$!ZSTA4}@6@et<k~RLb<T!z
z(GKlzp@CL>;P2VxIzx0;=w%2)tiL$hnAWbFm{a}=)@KuDR$<STrAM<2mQ-z?5-bbw
zAMCTpyrGgO;07RPmUheE7LKybeAOASz@CdI7P87&)YrXw2*~C1)`M23aZhp$J}+%v
zWZ(nEoPKdlD4&w?7!>qD{C_t}{{Pd+Yxw@yVP>3PPWOqAGl@f~c%U8Y-{!7226@R`
zjz?r;EsP>f$}LbeR(<{Dvp;4~WiJ=>bR%pvR6W+07m=5zL~*63oT%bZi!X4Wl=R!q
z8K2Fkhx1}rvg?*j8JESCku7WA%#m5sVizURuEXO=O>6?_p@A4n1%`&WAHg(P_me%`
z<NEWNLEoCJ5I2-nGk_u$;HBp1DWj|E+Y)jCQ|mnX&9zPRm*E`0i<rdi?-|y4QuaFK
zsMd)pNJJ5@to~S48dJ@gwCkbSwug@z`?giji!F?VH0v$q8EVLQ$eR$1-^c4Y)Ok<m
zaU?g8ZJ+Jy{V8qX&Rg6iAy(|9zMlP&Ow_~TJ=4<I<J>WLOwxzzU1@3P4iG>0VW-kp
z`=ap<O?hz@J(XhZXMh}kb3Utm$IC&!<4k1VUuN2kn}4nS;W%7Q=B;X~e-;+Vf1oIi
ztm77RrF`zSxHu_E%JxUYJO5D;`NPaDF$bN^o)>r7Btt88MIK8Z50%duryI4cbryX1
z%Y8<39o{aOABTh24~~1;kNRD%jbi;Rype`1Tw>q;#tblgEU|xRGRfbNOI0D7+1w2J
z+;p(XE0tYtFxh|<@0k$x>NGS4-@rIPNUqG1n#x)#OUJh~S0t&F@E5J)UTP;X4+I#Q
zE78caL*6PH`{SX;SwS?CGiysPddZ+rW+$<PORLWg)-EKQ`2F0@+G-G+&fKv!jd$H2
z<g;}O6IThOKF<9IisVT?QN@8$*`sWz-_ibVu)^?AGESYAr2<=pb0kHa)W)BdNIS+i
zl7H&(fn{D1cjk&+asT-~9fLJd$r%EckVm8i3HQTg3RfbW7?s-_l_zrzV`ml&a8M9q
zXJAnAV%cH<HG_6srScbNhoE$%n3_Yx>ft_6l-TJ<C65%kyaDBC*7nZ&2EWYveg|tk
zs<Q-<U%u#ReYKwq0@K_WEFV!<7O`J0#MLb>^bHZbl=#X+>{(15oDbabZ_vLq@@=Dd
z_oC6HabAq8udSmR!BK5^fV&HDUs-1W+WzGAfm5r0>}Y3sGHMRT>#~cpU(bwKcoO*N
z(W>pX9f(UTHrz6+>Z9rDUW8TTzYlqy<SzoNYiz2odz6~?EaUEthH>`3jf!A0?!L}r
zf(_BlM~z<UXc;>bir?3|MDNm7y+mrB%NMgEJ|;Kn=xlCPI>5!g&i~QyKgxr2^WdgR
z^U~;h0IQ8t`}rb<&HQI%>h+#xeKiXah$w#P1q&5iEMweKxQ#&mYHTH#7}{ImqgZW@
z6&mQ-4V1PdH~vg70Oc|6frDqxO6m)U)Zx$19Rz1Xc{o`I#Fqm69u6A#QM=42)V!OQ
z8qvJBbe1{^hk_aI@_yGWjRoi%DJ>s&^P6cqW!=v7BkgvE&61vDw`^4e3dn#e({%?`
z0q$}=BhvtjKhYo&vH+XNYGt~PMyb~m&J6k~V=5YLy;O^Ix+*HPq@P<nuq*cz<S}|B
zQbho)R3nl#ruITp7-<6S8p9##+*A8euhLUPo_HlYEgwc>om7okELo=L;g2cmMp^I9
ztp}U2Hzu8A)H|Ea)b5PDTO#S&q&F!=v={LFB#jxb(>Z6OnN+UB&d|wXR|S4EifLM5
zn_c;2hkn_wQmIdGMaho2>Mpj8BZs`|j7C*W4)4mDG^+`l)@X%&ki23gR6rkXyb-2g
zCQl&2-E3(0ufN!Og{(E#iJDw7>Fp`jJ`R9~y-GgE2_Gv1tREZ>=)64YbZ#^UJw||A
z`TNTZr(C1^uGltYh=(fAlS1pD91Dm;9zvhpXnoWwNTJaXtImHz`$~Q9P*_gpd>w;+
zj~!RKmZm@4nX`NHb#bR1r=9r4yp_U%SSrjg4R9BlTH?Ksaane_$EnO`oqd$#2#S_?
z%R5^0E!%d6?;`fLJ-G8%<|7-Koi+hP;#Tcag#+35?g-`htFDiJ_^Vo>FaN`{*OJf4
zOkePNWSph0kn_n`u3Y90(@S#?^qxekZ+=%{qYgGjeE=HRRqiCIQ9OC-a8l-l;TaEe
zDftg?@k~1bB3bau;TBSweI8tl%-O~ODv$xj<Hn)7^oUrJXo1Sc>AwX%H*Y?)FGA-#
zt5|(3<cQq{FygcUjDVT3@(4fo$d%@0J~r>_WzVLuu%xC2*9}8?ydl9_PDieT6om-C
z+Da*R#|7@ow$oVWT4-lsg>yF9?ZDsJFJ)6TmoEHWt!pO%wWgxTn2N->7Yi5XfZaDD
zhB7}T#@M4rp1q%^1YSi#J9Jy7qFQe;)d9*(Zrf?@>-4J!vKhUl+|7JxB+yTOPaHji
zAHc!ymFH>&O_zg9z9zg8Ct|x0{sZPQ#C_VTHOGJ(rzo3T%T}RPd+Rv6PqTfF*5Xyi
z$j~)zI)>tP6W9y(k<YdjKW)mWo?P1ba4*u{@?Kv~(*!*4;*ZIb+|L%m0j4mTn7Q15
zkoUXerDgK;;wH0O#x1mycAF|`>bfe<VNHJY=L!e&+RqtgcoKA;rFK%znW@-4BT#YO
zP0a&nQ_J-?nw{T=cpPwpR<SEqC<|c<B+8|E!5s-PkULze5|f>qu4cra%_j8NiFAbm
zxA+)^Xgkk}G^wTt)zTF?0ubici;im-#Sa&eG%giY=i{q+WmcAa$W5NBplqK8u-j}?
zr#U%d>2;-un1UwnbQ)M~I-V@bN|-|b)e|sB?jPEByiMdqr)!P@pSz^rN&bf?@%hiC
zB|iB;(Du#de|R01*1ws<7gu-h4W|Cc&HRU_eSOwZ0h5z9KL}v0(APTs+4=MR$YnjK
zQ+$E{?`YwSJcEau?QwPeq91IW{Noh>SN5w^(0@W>$He;k;^rpMS(^O>*94ooV{RGa
zs;2n?RvWdaja%p=g=k5opbl?Qx%i#&-fvhZAIIhBnKjeR02s<*Pp3Ku`{EFw<3__t
zZ<8IZ;mOE?_x`aEwAn^{>58s<*VLV#Bk}+!m{#Si7@#upt<CySYMTRd+yZIiz7JuY
ztqS6zx%zY&{p@KE>xe<R-e$OA=l>RZ7#RwvYXS!ULPq8d!(-q(VgpR+2&lur2Qq6X
z#NZ*?ww4c>IYmS*Vjr<SFDGXj*~c6nWk5(U6Kv4+ZE!nn{rt1p;jue<*KzmV&hc8_
z=r5M*$@VUpFITWbIfAJ>>E-|MD*a!EV=VW(n2oY^ylKn&tA{l0yjN5>dl)>^acUV*
z-U`EUu37%HSot<!M^Cahi6)7e>y<;yUj_SVrv|SnY}L8LR2Z_eUDGgg7OayTT69er
zBcd?^SI?SZq(!;UUXl%#SNI0h_=FgJ8d6v?s@$~hTx`_3L%21}T^Xn}yFS)&r60^<
zuUiBsG`RKw?<Qh-b>Gvof}RG?-3XSrS5=jw7x>bE3RPZkaqiF6O(fd)D@M4Ij?>m{
zIlw5)H|^WJ)VKVWjf=rXIhxSG!MX%_;_uIH8jgR}-Pkt=y-d54Ub?thyqUadyV|Y4
ze)3u5SYYzy{lOji*K@gvt9J)^;p>;_x9)?<RRr^ChtlD|A4hA+xYnbZADNcfKeCwr
zEt=c>^LWKFuj_8&`uN-VXY`HkrNp5B8o}R?Wv?Z43}$N)+NjU%UbxtyZ5?=zG?jCH
zx+}Z|uL$%dtf^=Se&6+4zR@$o#nEq#L1#`cO=!*~GY<G1^D$ZM#(Oo&zU9fcEq&8R
zT7%+%=09V1YA?sv>OS9H#mQ-&Ztnh_xqK<;yYzSP=*#6``!#v&O}ynj`B=cQ{ofMY
z&EzuWVT4arJxJ+o$)VQs!PJkQ^``M&n#amFq<F(yo2>h2m!N+hQUPCN)INjr<-q)@
zcQu0r)nZjVdUL^r*tsrulri0}->HA19abaVmtWkscit=>W(*%K35#~=7_dc=n@ur3
zQHkTU#V)x-@?V@`X*uIl6$QYFvOLfu<cK7`Ae1G61hYgVV3fjD_*9FK*N$FKomO^T
z0_2+xI@vqD;fNe82AO-&WLyvv%Iwk>;{PHSx=MX_#E2I-Xk(3f>weW<uDa@c&fhP$
z5qW;{8uy#!-SVTJFjv-1`@@vm^dSZArDVt8Cb8-|@k@xo5Ka>o@kQ5MIKa=kzDB(~
z3EavQ&xlWR`q<bicxSYV-KNqas{$OeSU#%os>zi&EnezBJmjTA)!4s_M0GwuF}K$m
zfFq@?@_F+IMzUqoA>vcsIF0xx;Z?bS)E26r1sVmTY@ctBz(J4_>1vZqz0z-g;%!2N
zdD!a)`s$B_an7hM6mRNGjRcQ!f6LIEj@gv0JY#z**ITqn55+)6Z_8)XbB7Gr!5xIZ
zcXrsvStFmLm#}xqjANp*HLLC^VT4WDRU5){@74V82ZT0^KxfNHUaS)MVNX)Kjn$r|
zj<DG1)C_f#o5yXQVIdK5jc3wJ0XHS~;zbk$T961L&2z(jlf3ZTENggIcK&@Kuu2Tb
z{`t+%lIQ)e>t~!@GzsIp2^89UMSEfp=(IaEp!g*>9yc-|4A$rr>N8K?$iF%jdC1d5
zlgmmU?km4g&20Hh2eB;HXGZ!+2xvhm;KZH0@glVZ6kybqG}l4Wj<W~(5RZmx)HyU6
zyqv#4<xi_BB&8{a00e6mF7XwE=0xg7X=Jk$F~+5|cv)fvnn%Pn{Q{2%f*91s#zLjh
zMa%eQcKgY)Wr)KYGuG0DzE=I^w|1+C6J{hzxG-9KsN#^&pmXa%#}XG<f2T%zy}o49
zs9x<C%OdAT{3r}Rzl;O*#n|HnMMVzYuEP<@*P3i1s_CbW%zn0Or@ljOv*|sN@sgU2
z(L$&vEJ|r|XvuuaN6)gM+8BOVt}z-uR7KqydASE-)<$le=xh7|n@3F`=WyFN&)r_J
zZO-I^$s9oUPS597cT3gwf0iWLUuqk(8ArDw7>wZ$To_sBh(C&bd_)tP1e@RGgb5{G
zWxfkmho2|DPBJ-*wGdKVINi<yOf|S1lfwfD3rx`WpwQJT;0<wY&jB*#<ZO~_679Zf
zPXLCjPKE5=pVSC{dw#5_G}d+TsFa72Z3Y+Q3+K+NGp}%=T>8te6B73dXZF(OkQ4p1
z{fiTwy7YoLOex~|`*$Y&QFEC!1nsub?O~&wg~w0b{(TR-DgtKqrhl9r&7QPVr|-Bj
z`6Iv8bR6zu0^_w?A>kFDj+;J@h}44O|HI?^sb%;DaRbH;Kuy!Me^;$Ye@>5boXm}P
z4=X8!=QYp%^xI`FR?g2Yhq+`<r2`$KfgAl2mB=wfWk*Hfl`+hA7XRagr7+G#=X(kn
zeb#`E0j|`g?S`QFf{N$DWrqXNYGP9kmT0{M)`PW$OfH#<5DutlFtXhY<M#b6Ftrbh
zNp&z~cX0q)i$B4-jAVS?Xz~eK0#70@#bJwOSahzzUe?U7!hR)~DcAqcWpsUF!2Hvp
z-U2_m#y;wAMWF&Sfs{bK^iUerv*#U=z!r<~IUmi|yW|JXVs}AV<Eq~h-_mA33MPKT
z1weBAtWqDNiaKz)vX$b8K3JSJ9;=0kEM@Q;I8fB78tmcT>tuN#p#$9$C7K7LmK6_v
zI*CKp97*FEtF0R9IL4vN*;Wj=ys<twyzF+n)$oarKgNjITIOf(ftrlQdYOAuy|Zj2
z_f2z-f(bICRI*$95!=lfiC7ia-@2_eo{{9#Dx7^C6#q?$2&P3AZ>IC(1&8sGz!!S@
zR&1fOiSi17xu5>qIEG%7W1x{pt;iIovcQ8fG2nicV~JVkEhf<z-T%sEg4h0&u3<ot
z{p%-cUO@-QNZO<5lD?Vz9j3>lpx8&6K3XOhS4c9D*AzEE(zX;ik^F3gZ`f7Q(t4K6
z5y4vmGOpDo;ui)kmHBZxr)fToaJGsl;8>nNh?Q_L(1iitKb_P?eCP1$epakZ6tXEe
zHZKHRR99r6S4hQ!P_=ycIEd%8Aq2F0*!}SOgQ51zk|Q+%Lfxv%D0BXoZ>rr`aMJ%6
z`lD_S!ojx0ntEQc9c?y!abt|g+bcUYs00hvj_10J1pfffs)l4U%H(j;WyW8qB}47n
z-wQVg)(8uQNX$we^!+V-P#Ubkr}5BCoFiKfFkYyi&B!G)hsd_CFJj5|&(Xxqd@KLi
z5co!&A<O5*irE+Ehh?K;{ukSFm9wfYmD}qC^F|_k;l3jNq4#&ePlz>vp?VF2t(Xd)
zvMeGjz+M#5S`Adr#yi1fBcKBf(<JV`>7t<Uj}1()4@Sa@YQEJ;UuXYWTg{<U-G7eW
zpCJi&!Pfn42GpYfy8MB}Pha6<5z*g9^~$_EYqaa=H}b{Qk7)h~Vvr=M6=#R8oC$pH
zq+`dl(rxp_ObZnlvDn7oQPOdC-|1)vsu;XnvRgny7!0Ijt8T%A6(bybF!q^$r5?#V
zYW8jFS2$aj>vO**)17KU+Gi0qF_k6U5yHy&2~2$^*2$#lDm1{d0_=~iOO2PjCmI;j
zxj1ab9(92AO@U;n$b5_jLRjtQ=F{(mUFo|tAgwHpJT9sswLw(Zb&3V64tYyt-%um@
z6{!qtiW!>7HX9o6uHaZ~Wc@ime^+AvG^u&kJg#(FAJ(ATfIRfCD`XUQcAdW*S>%3Y
zGydRb#jKvgKgB0&%SC0%^LM2^rxLDC%g|-%XF-JL5CanfB$H+(ljp8!ocMF;b<DMY
z+wb9kI$$S_twnk+U+NPLZL6*#p|Bh-Q+ZnPDgi?m=@o}{A<V25_rd5#YDR$oP{*p-
zN*Lsw*MtjL#+4jWjia2g@%%v|_R7TKeaf~g;@yT#_omP=lGh(*u{2p*-(Zy9#fsMI
zwOA+wC#ncQbRy2OR8mSro+VZP?z>c>nobN2d0B1lfAvL)V3WF2h3J;Dg-i_@jtTM#
zahkaH43tzw0j^!Mb`^ojA@o1|_`NMD)1-16q?|6|9fV>7SFyPT)m+Q59p&N1NG`;z
z)Y&`xdDVXFA6oTzfAw&pK4dwNZ$-J0l`k4?#{Hb%sr~c4WOfnPv_K)Rl%kM5T}>wr
z*Ae^tj{57H#nldxt#2sa3lh`G3!qSSe)uh7AywJ>?aJ^Y9oUG>=eU#|n0dqWT&C6P
z9S6GFnq#4AeEx#_JT;kyU)V`LC}%9}#n_!gE1)PQZP$8pg~hF-bvBX314=m-_vniY
zE_SjRLNj9v`eDFhA(Cyj@_i;saCZGgPeVE99?Jeb%LWnGtJry(iNcdOb_WQuO`#ER
zd8aMLP;K;<@$%==sa0hpU&QZK6X?XSrDZ!1qAXUg&fU9f*q-(22{@SDQ4So+26}K`
zaDOf+*HG;ulgq;3GSP?|y0Jef4@`BQY>{>vgVQ-1xG_@*q$M7?z{Hw17U^vb17uE?
zC6HO%%x<kVqZ^Swl&Qi1YR{yF9bzEk-5o9(?cv3b?a`XYQk#l@{ZQf$#{CcM5d}#k
zBb(T*nOs*6J%L6%OhKfxYw^2(>jS=C-$B%PDA>tz?`w)y$;6yWyB2`svD>FgWIXfu
zVq}RfkKQsgKZxoXHo|(P7-b9xjQ#joJnyfTILzxeP(xR6=w}zvFyB%$`0=M9n@F}5
zK5=vrqkY);Cm&laK?gi;aouV+OQ}=}n>u?sb)k2U<adTsHo~b7Nz=YGf&PJ9aAR)Z
zcjSL~(aHIn5z>Icg*IZb-kO&fLQ0)WvdU@JM^ohULN<*Y;Gf5I8^<j5Bb@&iX=fD|
zRrmgFMClNuB$e(iX{5Vh7*ZMr2BaG$m6q=Afnlf_8l<~nU?`<Kl?I<bXYcv@JJ=`t
zaId{SEAH=oUG05j!ggXX(o8bX$k`zlJ0X8s8D<syi3FGUxEENEgP^N2hj&SeM{Ywi
zm!3<lZwkhgzs?mx%B)uU-#!(2&v*^BOg~1-<D6t`rBaqxXEhP@t0l&X;-xTL?RK$i
z_5Eu7;J;+_==jBxceUA80mUSHdFIgcj~u}8d#tVaA?|W=B15G*IX2?wYcg-%q@3ar
z$Rq5Qn%PcjMNvPpnW<gyV$bm?&V<eBV;xF@gjOAKnrE!vjs2HN0W!W28CGMUhv}6D
zVDwVE6ESO3257@9K&^-Mn)3C+Ay*AzCX!R^=0K>D`7(kGq4D4YO<b$cda{Z^VThB{
z5^%7S|HU>=d~>FD1oh}Tv4uK64BSnWR}p9}SWa1Yz&n<rKfnK8Og7&B%?<+)@SAU$
zj!T5objdu?a@31K?DllXFt-ZEtnA?_o+nNzjpMY(ADt&StJD>uDZJ@DIl}X)t~f&t
zg2S6U;crUuS|*w{-~jTmmeXa~x$qWBHZPUNDW1^)CycIFpV(g(f4KS^*i#NAU3|a;
z)^~KNgq8*TWGQOkmaTXRK+`n_a&)?S#57X!`lsBIW>2ZU5o1pLu&_lcmB{0|&@Q{?
zusL&mbp@(0LP$L8&=umCI!)5_@jF&J(gL9&=O3K8A*Xk8VXJuy^~-VKR|Kz-dJ(%E
z<R1m!{Jr=hj??ytFuCHHuZGZ#d@9c|Tz(**sG~+MA2s8%kCSpIO^z<(=tJ-aB4pn$
zh~8E*`F+c&Y`?d@XT><uR5eDX$Hdwm7&%k!HJd_pj7`awKko+IrJc@L3(u7cXcQ3t
z$_`E@*R97DM-lhyMH>#b$bfyIlogHELT~MxKlc?imj2nf>=BRo^*$)oJ9$M6IQpZc
z<b$Ry?$>~c43U^m{ncN%vr;q?V)T^~gyY&S9!5dgGe=T!simOr!?8iJiaGBj$KV}t
zt5nJ096c@quv?pv&H-n<@bDp+jH6xQLEUwznu@-WC4Iup1)5xp$u-S|n<q@}s7+<f
zSzuE2(bMbbp=&<T4G6a%=d^6QzQ1g*PiiS%tnvPm7(I~CV=2-wZ;FBV^{3$_!*>Vr
zaT@rzcCTtcdfjtdYyxej5P6Pm-Z7AoV~}<~+osvg%=|RHA|2m}TfSlDesp(pbaIG8
z2#gtB?2X<wKuDSF;}@Q*nPqL;HU`-TphK0Gemq8tn!FJ2n&2H3BiY_BSDUpaenP7!
z=j&887aZGO{LL6AH8mHG?;a6ST=v%n7){f^GWB`RD57|hx_K`jBNrJbNb@wPb#wK@
zna@!@C}+!@otE(V^s~j{x_U>(aSdc}nq2$YNvU&iM~T^;z^2A6RQhi!u|T7SN6fOP
z+A$pTDAbSL74J;T*y$eWw!OM@t1qCw=G*j(KL@|y=C)$2?w>NE6aLTA{j78GKIHvE
z(?@s+mGvu2C3r&8dP{HfrK`sydlvI)`?6c+M3nZ!qyEm)7seHf=Qcs!mYemXCmFHR
z_fqR^hL0f3FCR*u>K-jQo>h#04crMC3g}-qbgTulpREY$?_ZbBjoKbu%~T)4e&3c#
zmhmPD?v!NfZ#LYQ^yjQUuVO#9l13xdy5%572V}y}p;SO+3BVM_bz`4*aiEWddsP&O
zRLK0<?ehLY{*;g_dG}sQjy2t^VT%17<41nwHxB+-R-(mRm4EPqD0iD66DU8fSQ7|8
z2itFd(y>%|Lxn0uA=TDm&gWJ_wz(8tvR2#^_H;D<Y?9|>)e!ys{r}FIg0cM7<Bqm_
zddpg}0L+Wu2%q>vHJq-=c0!0L!+I@w&Fst^y5JFHjDYr|96$7YQkN_vBh_g_H#=vM
zDTfsy*MupO7Y5)4F7z#jnbr_c!SBF^4(C#Uh)2xHuvhxLD&i_^9$MZbi8$;7J3=O+
zKC6V%w>D<RxpSz$>*d^WGroNvcIV3B&UrNk_<{NEeQ0w3K|{(2LFxNXFf&q5@<0}4
zB7v)(*K{7KPJAD~nftPCEsQu^=7>L0yBG(|1}brumsTeFJ;zh9oS7yss~Q2;pNdh8
zJ1gh|hJ$b+I3P^0$JD`BF`0)K-wBIix`<*O4lg{@jY*65H7}4A(8hiI4!M&`ie>RN
zyV1ppwG9x7(bem}`l^Nh)R4x!{!!{PO9FH_$<82!EeC|_(F}LYAs$rBqls|&56!k@
z#)a-Zyv%8W+o=S>ev^2+Rvj&5{vVq95=s=$>S*K`ypf;=7KVQ99|JV7$M-f%a2fQH
zR{T8<qL0h(UK=YuA+zz_)TY|s)~jpwdr(WcDCgv+8Z)mC8S`hZl?i#N_A?$KA3(13
zLXf>C7OKH#O=s8jj^Vv1o~QHK!*2_brWMZp45;)rpzTXNef`JU({U39gbS6xUIPF*
z<6_E4u0s_+M<(|(V8F-Up#TTK^!Azfk?XnoSX9Z{`>=MOQ-2lrmnu7F<b~;6q0kYn
z;e(A1lNFFW-m!H=Y=REs{M;z_Z!!uGy^p3}ZimMrKijeuZ@=NE#J}8AXpn>UnDEkC
zMI*PM&}NX2{b;#Jlt0{=pIZ=8^Cw3}g0v35bu-<aKBegqY|YB3C2$&5-=-J4lijxN
zIaQ)wQ)c26%eq$XeuS-Fm1tGbjJxddEh+pnc+1P<@FZ~4;_|{>jp3+0lsH{oPBDE<
zF#>@scHRyK;7PF!w_{Tk550nqew6wTO_=pZi1b`_8~T4}26M}sc7hf@bUD6O>M#r+
z336K~s%_i%**XfFnE5S0)se5{YFTyd@MM)`XYJ+^ydqfv4XUj|a{6Xu1P8;NG`-IP
zj=#<OM1v+z1(}zPTtEgl2azSK&?=e;o6MzzXG!Xa1BK9DJOkm9eGB6Q;bS6DZ}CPd
z)^8yvCLNMt16kZN*o9k)_gMFC&bE|EwEZB9wfpKD8^AJ2j)g&4hYDjdQe%O6J!(fM
zH!rN_qgGW{7S}JF>_nrfy{ew6G$A5be8%Nz1Ub#5FE|zMKIX-04{HJI7#1+l9Hvx@
z-ZZCM_AYT2VQ5lI7`Z9?VCvUzOuKs%WQg*_HW|kMik5UPNmA=w+dARU9?Yz1a_06K
zc;MbnZ+W^U;6xWe5$prsz8WuY;DPh?eD_bk4f_6dmBBlh5OGl1kzUIUDX}6LGUy}I
zH~0_j<yzX7IYVn>D!^5~6j7|%Tti+47QxwRHllV`G;$FPQ@|mZ$nCd@)^joY|NWr~
z$ftHhyzfPp>aI$!;{ckfx^(A%fX0MK)w~^j``Z2<#Rlau1V&7CJje+Id*u*@m^_VT
zGP8I)OUPR!$5T?#O884fKs20ntqG|yZ@;)5uRgE8#5X@^MGus5E6rR^W?t~-a;I%<
zAnFID@bEQ}$hEWwJ+e|#M*mBSvtRd8Q*YG<jj~%A2$dTeg4_?<aF+G8m-YpZR_vrv
zji8vn7>R}`^Tt?9V`l+l3ILc)T#1@_hy3S``7hq^qyvJ|sz;EuriV$A`jez%l`*_6
z@aaC_t1u|Iz;eMzoF_?cIo4;-7xLOItpI!mH1|^D%pdi1kLt;TMt0u&TWTG<eT}L2
z)RPpEuid5lXyS?7cWD8A6QTxhw5eTjYfab9ddeA`R1cX_E~`61!M?rX)rO#v8s4$D
z7t_YnzcaRMFqAa-t!YeEPfx1r=D>yEV7+SYL+{bZ!IWS(gVTDTon9x4-+*HJL~Z{X
z#SOb*<bvOzKjE46f{O-8y3FX}LF32NGN&2y37P9qD0}HIjfAW6k?E3*u*@>n>$cGo
z4hL`BN=j&U`WoR%@!NCTe16MoSNAfST1$NVR{Zp=G(^Xhk@t&OU9CzBDD_kx$7KSC
zFOI$fD`5FVe6Vx-bf!144KWRDtNu{g(sVeqAhpwMZewB=QM#==ScROTsy5^$<4h6I
zg|PpA1(RUp;+))jbpsP)HPGmEg2sbYAXlH4PeqLKmvhAQpLFZ5_^$W8<J*d?hs=)d
zPZukZ4z|(e(lv6VltU!wd1Cjt^$k5Kt$a~?vnv4m6Ug;ayl{rjieNSH1<bi~P6yU~
zWN2QR$58IN8&j3gTUT!tDZ5p!;jVJ6i<?)U$d6%PQ%Lz!$mUkzSZzVubLf+$YP+fT
z^;ikWM5?^JbwE5ku<h9CunNGzZW<^&-QPHKB9dunQH=Zh;lmbooYjeEkcu7?uqht4
zAMx$;kLMZfoNm>dkseH&9Na~k;xJj}-1^`!Jhij3vU;g)GR17jql-B~4*x!6;yVIz
zd&f&&(;j<N*swo6%Rk=vbM(-M7s_$0sO4({vt9r{g!QyspYSAkAJ)BrQDT`I!u4x}
zI7N^Jswc=C>qDaXr>|+k;n?R2qv8u5_AvmwPyVQ4oTG3W4f}fpl~f{p_tMhta1`0E
z)YeyZMcAtJQiwcHH)x5{fJY?9XrSj!Y#p3aPEMf0B&Hl`o`Y^Y>0v{YF~ZlI&>P6m
zw=F${6m-cZ+gFq7b|}Wu&8nqDl8O}@xC*$A6^TzaG1_W#FGfYT*O>R_oC-uXHpEAU
zSmB|+H+B%XwR_=)yk9_|YTT}clVgzvZ9XI9C>ThDN!Em;S%jA}41$?3I2Ym{S%?Sr
zi%9xO8(sQZ+KMz>sUs^E_chs-7U%vHo*d8oPdw?+awy@nL>Ofjrz-==$mxV?zpSO2
z=DV4#lqpK7rS-+M<If2@z2!z>O24mT{9_t6g<J5X1Os!@J{mobM@YH9D)O~gS*kXz
zkVKo<cdmPj2Zz$6VwYuL+Fx$ZI-)hL>R<{ru&whzjP39WMs%pgJ-W#_c4X@q=F17D
z!2fL&X0D$b3>+1qbf%4S6xo^yM)RODGV*B|ix}bbnTDEbr>jH@5a!QLH8^OGppRi#
z&?Tjv6rZ{Ob0aHPz#xXz<vW`rN`xlvUuL>rjWaJR#~1OBaA{^ZL@7n>rt=(3h#Oeb
zkNOnWkUSfjH<WTHlu~auUt}l|mta;9*TS!p*V%H*ByDB&ct_@5FfYb>y#5w?q3A&=
z*!S5Vw-=pG$57j=@s5l8Y~P}E6KjR_*>R6aKh_d```M6b)KfdPgZP$2V4ftYl71$r
z`G5Nq(^MrSr|n11r?Q;L<u%IMR;2iW@_Oon=8Kc69U%O=|6s^lq9MX4l)OA_z4Og3
zE5s5{;GfOXZ=JAScVg<-KOWv0Pc%3JirB87^1st6*|#_t>+DABwv4p%L>!4v$0tcP
zTTro_*8AeRwTzNaj*5`oMQ~w<TIG&yAiUFiI`<lQ1AHB)^uaC=B>T-gGDgvVK#?q=
z%8jSDfK8xA8nOPC+s*Qeku`mam4h`2QKFvN2Q($ca12Ayx1f~V1cm(Y<gj>sd9z@s
zM9yn=_SuW^EQ{pQO#!NXK_#)U?Y}r8VaPJ27{tp};^IaUqG{^J48v;t%^TckRrq8V
z8OI#f*~8;!b2a@cy_Ya==#lP%jl25~4xXVG4J)9{y%x#5);-LVh0r*wZZJJ;Ztq#r
zlO^%qo{AnbnV$Zk`FPP^I5?EB*;1@Iwg6GOI6TBS@PY;j43RuyY{r|H&h9Eh&s`Es
zL#i(Q<(H4ff1ho|h$RU#v-rXfkzJ9V>eQ7wNO<|+V6*sd5fOcUN~n99pm{oZz0q_n
z!<PTWv!F}s6U!5SV4^zVRg&u28$N^D$;)j2q>Z=NprxyZJjfVMNe25@x?dJ><aV+d
z-*C{qlcn8joe37*0ZLkVNwYkBQ=6`cKQhb~m+g<Ciev;plf+|T6E@qDAIGEPvfMw9
zVDAu`2VXGvlxveMb<?trwiK~-?glHShRKAyF1g1@7BgJoh?O$u;9nK>bG>Dd;XgWO
z&to!QbMhcvTjcF)tB1Wz>UFy0d`PShY&b38zSCq52Fatw9Kgw0SrbRH+~Llp6y1Y=
zEE$AJ?iSXBg^9S;6K0Bt5;@7B%z_SaRrf-RWPJ^?8;YToNqBRgNlb{fGry(cj=#oK
zg_*yo;~f_|fu1C`TWmMYUze|!M^atD+o-+MGzIOuAk2Lo0x8DM!%IJNU+f4)+ttQs
z7fEK?B<U$gc9<w9F)Rl8y0;_f1JS3kB?MN?*h9Qbk{?F30p7GVNQ3&C8Ez3F-jFFP
zwu5?5+JjMgWNe5vG2Uk%Jf`CVM7z4um$#kkOJx$H%O+{4&Oil^S=A7)*)zJim0fsa
z@k5t6$NXF|15I4YL~<*nxSAAIZz*M$%kZdps$R}BbMZBj*J8^^L2b55V}vO`Xj#+w
z0|@>{(p<c~@QOLyyfI=zP3sx$K8u7>+O(9J9M&q$7`)Ox6w0mDqMH3#&+>jgS*iyi
zsFIF8nw42c3_OW<49+y)mM%n!W)GIug>NyeAK~mT(t>l=qH+RXA&;CZ^+E)??G3ZR
z!Py#I0B@XR1!eV53?eSfP%TjVmfPKja}Mtwa0s+cn5Vy%f7Vrg@H#urazdB)A-!Fh
zyRAll$xZ!z-0udDnzD42nH7C|4gKLf|4ii%_qADH^n*uw41Z>)n3)(@L0eU^b&=c+
zS5fA9!V0<CNwJZ!_D4nbfy+HV>RGuiWGDJ<GT5$Z+gVQ5Og}g^`<KtAPP<T{7VD7>
zjTq-$>>ncPl*d+9u4{WYplAWL#+R81%NZOtv2?Nr^sENt3ov18$yQAhy9tqfTtJJJ
zzvQS~4B*wNIfY|2b@v;;MP-Jx$o8RSgMxT|pd-@cB=*{Lgxme$oXY4GxPf}Qfe$B3
z)7Bhh6;AYr`}~ghMT;!yQO<|^9KS25oZnlKXQhYeeTlhWRZE8<ImbQqH_sDF_JeDJ
z)_EUjxW{5-157Hv(C3X<kDPnk2gIw_LhBjFCkcrL`Xg;ikswf!nc*81apPCaQHrbF
zPEJQmy^INFqBcJ#_EYlm6}OmV2Q^Cib>Av*EoiN;2katpz>Lk+OH8oB*y>2Qo%--k
z^EC3!x;+!<j*g9K11tQ~fd7TB1Z5gg)o{`ko%drl-zk6lR7%U4Scy>dytJ*&o^117
zc11UNv<(t&qOTx-e1e*jtU_n~LTtgc@r=9vzFc;Udi+|bDyY55`!n4h!7rka5W@=Y
ztOA%oaXw$te{@mh20BZ~Btahi7mxuMCThGfETW}6WrFj^$MZjYx+Y{CVKvjJ*OtDP
z*+UwXmsJKi<}d*`$sDDk!K?(DMy@tAK-YEj+o;zwa7Wvx(a88O$5k3`UbPvClH9N1
z&+<!Rc%LhDPE|>@%4XqQ5ImI*%t#T;`Uva+>*-Wat#;+xTi0gHzIur8J?6+_4!#Bm
zDN)!S)vx$`kK>@QWY2kkq~x_f)-3f7>&6FBR~fZb`*<2*lkUuwsSDi=NSEy8+;l7_
zWiMgHNJ5K4PbXYHe6lzZE&a<x&F~8wP%yYOKTpP`P_m0(IljzhwGGY!W2;QEwYW4X
z#OQfCKK2`GKF7w>qN;MGtVt9-qQXn}E0({B>w(|4)%@5IPP$g)+1MJ3x2_$ric|q=
z3wi-S%ue7<cXhnl3J)6Iu((Y6v2xm-r8@_J^SqC_`3B;rTD5wLl^A#{NH#||&0NZO
z$YAYEy+U0etnw{!y@N4b;UF~;+2Ji^ic@VOdfU9m@Jt90e56WVWT4J1Y!_VJZNz0m
zH-3?fp-Yev{8!aK9nx*f6+O^*o{q5;!R4^CSj4EfW_Rj7&fXE<NVXYF;g=ctLiFL*
zpbYycOv8G4yg4r#Y_0~4<=Q2;c`*~W_ES+PrJ-CDUXu0W*Ab=sJDp(h_VDATofFNx
z6*#lNoT`m^+ltCaCfYfy;$zw$t<ch$B;zTy83H4{i5&d89T4RsejA)8t4C*w#kh$V
zP^7L3iuRuSQvZ~iG^26Es^F5SF{fnWByD}f;4Q~KYbgwgb<NW19^{OQM!qo*FEfGs
zfkS7mNv~DdMeDgT3&*&CqUz2PY(wy`adxdfV^S%F2jcA4MU$yHN<7s}Vw$$WN$M?r
zms`fw4aQb_<oe@lWXsVerhd74y+>86-|&8yuwZ)}eDn8_2KFCI%O3~Zh>R3jM3k&t
z2fX*D%-+belFw#V+G06wBdIx(6H&Na^K;B;8(3xU+F~=6U|Rz064fzaM0xT?{!be>
z37!=M6bW*ah?Fq9yl;x6y84tJG@N3o;9yc4+#+ovZYMa$?`@}X9U(Blzb%$^mvmCS
z%2~LMkwb2Aq`LpwSEPCrTyFH?K%_11riu1tOFJMf4;-YvG1kUyl7HXMM&0|*s>zTO
z8`5G|VRIS$ryUo!cS_UMJ<@i;;+ph5Z)_!9$%oIRa%LL+F^+^w$Zx2~b@@XA8~+-R
zI<~X`_i0^zygL%rx#ZMbr|F7li)7v6ytV_DFQQ6&2Yhw1m=wGa=#2KgCiA=1h%-7<
z3nAfV?m&by-1#V%&KXH!TKPi|xj(Sbj3Ggr2HBCa9=);2Nm`zwHML>y-9IspyZXpE
zPBftOTW&Jg)M3;alZ^XVlQL*wA1=J5!m8+pE?fJ?eBRXOr$Hc69r6q9i`=6psjv8_
z^S+dFmtkrVwK}x?#V4aZsbSDWnH6<;*I9~7lW?X(r<d#T+ea@fx+k$MNamCN8<C0n
z_Vg^R>!B)7x&P2!G5_i0&W6$vx)bqYh@5tA%DgS&kLP4_Qtz&Ns4LgFa>UyaZtz~O
zRIUk1XugpxR#Y#Ro)czAO<1Z6K>CiReVtt~`0Q2A2jK(1n&zT&l%hs8<9_baL@7)~
z)Q_aDj5K8glE*Bm!neUAO;k<zHs~E=8^_$qawk^g{okn`7S>=smsNOW9BTa=0^k2&
zo#AYaosU)K6mYS_y-i=O#8W%WuR2Fx{d09XPDU;*0~t`rOb{8KrVD5Q@w0x`CfC+L
zA^N2YSD}5&v<9sI*D{oIpLZ0ZM*6@Ue^~Klky|+6usQ>7`dQdwoi6!u)VAqHH5R&Z
z><u)O@Dbx+7S2mEGi=0U<xKRR!OX3^Baq&ZPoKb?zN2z{7Sz=|wgqLKqyi<g;6FP1
zSbV2sto{mZ9+r#%$|S7vgkIH$?U#-Kqs9epZ4-EzE5d4ZZQ@}Pb3GPF6V-whMm60D
zi?AsbGlSc)GBDL7kP6g$&F!Me=suG!5lL^?32e@uPDX*|?|2aCmD9ilT5*pWJ;DC*
z)NB8_W?Y79XC(9#<@W3Xha1*o#(Fzn$SNBe?~_A=s!n=X4wKUEXCYD6shU5H8ZE}-
zB+|N=oaP(fs+2J8E-~<UugB?}oVbGaY*#GJyyxqa;^b>usbxQzzObcxLvQ~gd-u;5
zMLrU5-imJ?AHH{$CTQ1aFrJDreZRw~Kc>pib|DBit`ur*sb1i6Rl@LE7*;k-F2zUv
zzB)6K5VkDltY*Pwr@@aa7g3Fx>L4kzR^E!D;Ppgka{Oy_NPm3#iRYpzy<BuMu|HRs
z#OYA*GshNS`<B;aKR^mF;!N8XC}_g=uM`!Q*F6fPmKdSl{!=1}epenV@{J0}bkc_I
zza1@Od^DmSQtJe}65PaDL>_K79xgDu)>F!FD^iNXBmh?$uvf0Z&~Zki>F?y?R7F}Z
zH=HA*nLRNMcM~k0US0H7)?3W48fk)IYlkN+o87hKrM1n)T?^++A{;d*DQnO%NAgJF
z8%X_#K5n*=c8qK@o-^~GEE;Ht3_@Q%ZOI`+9^T|HR1&i6tVwn7rd~JXXvpw(@@ite
z@tmvD*zfj4g8pdiRB17*f!eBbVn|Jn92?7_z!hE8FvF4R{J{oP$_t&(Q4}-eyC(np
zY2M*ITWxSNx4ri|6jX~7!-?%&fj@<{z#bJPP<+f&QNZ(^B;-kaC&P#%63)CD2yt4#
zlk&Jd44J4ZlUo&rMy2PzS`HC2-25Zd{Zdrsm4IUnVr*2k+`OSKzDVo<i%xVjHAzRy
zdnwaY(VR`Is&o60QJZ6HwX!|LlBnZr^{m0t^s%U^TcD7_t1v#b3plv;+-DmWacG~W
z&-756M!y6YBR&iQei~K<v{JmG7scKE-wGg_HicBb5L$Wga2wQhcbgGdvr`GrmRA!x
z&@5M;*k}nzPFY^9)OQ|vyPc=9NzK)yF;K9O8}~AzrZ}5!FE+h8xY?{D|IAT(`>-1!
zO2EQNVz>ZzSz;}738b~7bHS)$gcjbkaG3C5Xm!3PP7(!9tiIhT2=?T5EBAlMC9l`r
zNQj%|-Tgg8x?w0XZak^UX5#pcxx@!bROfT#g~VJszHI+;VX+<N&3TkJ+1b{lQqzQn
zp#&Do&vnX=TYu9uFACg_$<zpvToTrP3lGmTti!G{w60?bS6dOXX+E`z6kRL%7T({6
zP&XYU`@PN_KP&NihQ3rz(&$s^dylqsztCs&&)KI&-M@=7U7G5N+(9Y*PtBVX!X$9o
zuKvYPHk41`dl63cp0^QQ)3b1C9TM7Lp@DSUP8-R#F&h`$U1(WH=kku=tI8s3b}KWQ
z8WTR@&|ZjEp4zR<EEQ@c{HsolMMEOxl#t(c`rFG%Gl32|?PkR~A5;!zPQB9t6<Bnr
zM!rx20Q=tf!ghIu=T13kl>mfnt~9N-StnD)J;du{OT(|Z-LT*sf6K$*RPE+&v3HQ-
zcSFE7PS@yLo3ltt!L&T%(4aLx?Aa?_K6I7^{oV%Wa6w6g1d%{-Xj|=BH&b;|z{JV>
zoE#iVO^@*PvJ`9XFy*8}>c9jYiI>BNO3g>M*B6>U*Wqp^uy#zgRLoh=wiP5Lr(ul_
zR=9D31D~>TYAwdG)mVSX`G6!L{uHsqzoQ31+GgP+GeVJ>nLym<9QkzR3Jlq38V*CT
ziZb~?cKx*xj`$fuX^h_bO2hh-#wvr@Gja$iynIRBl#e-!^S%1-CGyc|ri2q;7O<Wt
zj3eEJeN<7jU$JV77SN7lK5>m3puPRNKC1rhlcd9h?WNvv5riD1-o|Me<oVudV%$7X
z-r|~Wr&Xk}4<=%<QB7vg{>F@pJ5?XyyzFhJ9Z|gagH!76Jf_~3h*g%tB`fKjablFG
z@2w`*CI6Q`7kO&XM5ATH5ve10x~5OSvN~r?(+W*oJ^E}iN9SpusRubxas3aqug9$>
zTc;iU*hh_`S$aq#0Ku;FQ23+;jI-KLIhG5k5*STK?8Z{hA%%UU9<VEawSA=(8j_H(
zIFqYV8GyUjDcFz}T}d~lQTjTA!lN-G&9o0nF~kvX(|RBgD?w~>oLu7_@L1KKa7{-)
zqE*iif>0=M*VM-yk2|WNX_&@`xn$s@vDWu!u%s>o)}<}+uDvu>IP9MjV>Av`r_ivC
zku1+ZGsNN_*rPG_UiTRJey*BMys_x-kYR4~tQZRR6p5bW6hFurm?2L{RRS0|#Z(Ir
zZ%dYs{&pYH!+xi`aJQe`OEZ~aB9^<XQJb(aK3W}S*z#HDhYCJ!GWL7#mR+|6T`)Ke
zy4|rVLJd*phNL~K9xck~ORVnXEu|$*s?Y?%3xNfzHzcX)Y&S*-M-zajv=}4A@W{O{
zi3MP?7|d7d_vDJA_FrqX3QlWtYg<=3s)pyDKml0ou?q`gOp5vdT_vZILAef;SC(uf
zC5@sQ?iS%BTE)^++lXo3D7ZqZaX0AT7$lNMk*<rA#B0tjWoS0FC6_2`DzVHAT3QS;
z0sh4(oT_Xt-$N3O+avlLUpv%0xSW>}QO5AjfW`QKgDu3A7JM^(JkGw`Et)dG0}5Gn
ztwb%16)L=)0%8WjrK_RU3Jh&h5IWA}ltxoJ7T_Wg^oKr<Rj9Pz)vsW%Q?vZi1P{E|
zshRtW>*5Y$*qC0suU1}V-?P^hg~y*zw8~4?2xuf{sEg$<u-9OU(%HooO1eTCNSjW8
zCckpoNlf33UvM;V==xbZb{S@i6=XoyjPkks4tEx?1aY^sXOm_1zCJKT#ns}zwoL6Q
zjh9rc7+^5RwsCbI=4t8pXJZhG2rdXH4xFRGx}F?@J;A^v8>=)WYcx4)c_)2N$053s
z|Mp~pa(`;xTi?*76F;rhk1w>HKL|t?i`8fER%umMeF9kVNN)r;Rg@dq*c(Y*G2s?{
zK9^f@z`CDO$K+kUN}?TD{QTEoO(23*k(aCShuzL!lWIy;<2r2)!x_?ayfH%K*D#|8
zdscP9$kgO{D7G8r)CZqV>aV7~>Y@(s>B!Uxm5ml@Mt-_c!-)q`mEbh=^<%2hG@WHe
zfw?qBVh4x9<<|jurA4|YzANlY&1HPmt?ZQ>W>i0}q-A$QU0~&dovaUbmuD8Skn8-#
zQblHDb!}8FZregQ2BZ=|t=UNC$0?gVN6)M|&!Jui_}%;=NwiLxQL^`)h%1?xQP-bv
z)$I{!Id^pSH$d#!KdEAWut!d2bhD&l@=cOk7qbT;sXW6T)kb3bll#me<oWu^`=80w
zzp-cSmGzIMM%n>zoAkWD(F~|OhP8TE-`K%838<~sh2xc}wMf4Ti_Fis5Dzd6#@Wzc
z##h^V+BX=*g}N&-G*#$Z;!dEahe6)0hrEq{Q{ivp>{cV9_#4w?4~*M}f?l0MTIZ_M
z<86S5U)SoS3#ZlEhZ%U_=N<+s(-j6BE{%I|0?R9_u|8}-G!ToR5AI?QVZic7P)2Ni
zpNF|O(I=~Mq+la!v$*mH^`@l~v(s}SBeJJ0Q-v89>W{rNO(<4L;$W(3xm24iO3myM
zeszZjr7YPt{{W03e&%n(!HG5YC?U@2)WDD_1;P?RGr<}*Pld`=+qDci?>tAP;e1mV
z0g111d!*>99iD?7HSS|C`77DFNxSojBP6uSs_}S@*sYZj<`VFvl@<&E6F6(c%k@<w
z(zPkPNt-ky&g}ar)!rEZD}tl6HRBt|H<AmN=W3qp((-?O0aiK*X|s46StCd^7G`ZF
zC6~6+TNd?5O&9{@7(2Kco4^^FIouAicBjfZ)O^$bI^sj#er;#JcCZy9?8ju^?l{yE
z(>$P!I{Rc~q3D7}wittf9D>%~vVE`ArTtW+Cgax)>vh@5<dBflpF;s^xsVv;(anA2
z1JRu2A7WFope(Vs{6;$t3SLZQc23YDr{oucO^#_<@82Ype${@d0D;T>6i6$xQE-*q
zaWvd0=G_DaCv_Zf_%-roi^d9^t0#QeF$c~ieAuec`mmLd_xy-IyE{J|{J&TJX`8Oq
zwWr-Po6q9Vr1wtT<lq}(tO4}PMl-!%EFw0ME}bP-aYpud%RKlaa<*K*vq&l9%zz(x
zf<1a>?qNE>s=)L}y^h-=C#qjsIhL!57nVl)SB;S+;zlRRFz;k|!!?akLk2oftI~f+
zj;Kubi}j0isfh>!!aU=djQ#4C>vGhmN-a2RCigB+I{`?K>U+2InW_V<AT7P!Ist>A
z?d)wLvyhsL&PJ3NTTrbV#H>lGJnKu<t#hCl&;81!_)8^i`&t1S0?8`4FXUg_Cl|7|
z3o@`$jFn-1%5skc;XT7H=KE-2*Jrv$xj@JXDqZFTO+2FbX@CKB>%P5QU9sZh9jO)>
zC5s(9SX+PTV4vV<np>Ec7ftdZP^f85$X&pGY06D7IjSjEa7Cj<*hCQz5_#U$);nxh
z{Cq{Kxl_fvB3?LGmj${cS~_g2A29it;T&jaJ+V}~Ahe9U&8hdl9)Avax~I)h*qW98
z&h4=IY4Hy_uqFJ(o3DGsAy5eCET9Y%k@V@{Cy$*yvbJK~09BV)^Nq`Hp5QxP&2*hI
zn}QOdU#h}+M&^Z<5Xj+3c*o@kbFvMLZn=1rQ0(Lt6&cF8#s5~{mg<tNDcc?ki!0ej
zxg#(Z@n@vKLv7ij;jH$-)R}W{>2(p3;D`+t`L{#-h|}dCN<lDnnk~K$=hFD}ZLUT&
z<0eeaL^O6YIQsy|0_sK&&5zGmA>0B6WpzdSavR+As$x)kkJ5G<Mbc%F`lS1F3KX7~
zt|*8#QtQ!n`E#!n9%Sw1-|@FZ?z<=jWzhC9@Pp<lM~fUGru}1sBD(LbThn~M`Sr*(
z=`}EZoOh^)BQ;9Dls$s5^wRCccmF1z%=?6fqkL$%^qM9Vz9we=VZ>mH!}(xWdiBf7
zp~P3I;c<O&S2x7%<jmKqMEXuU{?1MNxP8Lo;3PP)8+i4YvGN}p_0hw4a6$V`eze6m
zcn))37dM=nzvUrprha$XfEw9d+`;Q#JWn}Q%ZlP=KOAUKaZNS&W^T;Mu7|R1PR#vd
zA0+niD<U%^kyY-By2T}aK)ch0`_s2!7IGBHhYJD~5oJSe4RAU{X>-LVdu^VT!4O0?
zkCE%`Xeh|_y@|8b3}G12^D1&&-6toQc1|m<)_V`6-EM^tf3*qjR{jrdWj$W-d~6f7
zCnc3!R@qIJg0%%*LRs=RyNzWyKdMi9_5^^F-Wz)E1y2ju2EXW>yt{_fEKQSg`(!LX
z2ex7dLH`b|z9dgxJCdwlsS$t~dgi{GjZQ$#wL7XBtt5bi#$%P#L=?cHPYF8T<7h6}
zqBnT?H^UDL=$ueTYgI=0|Dn<1Dc4tPUxlw=B~X1NFXn7jrd_b;!$|%6fO$(@Q8mH+
z^^$i`sO}kk-nWZj_e{qwG{L-T^^wQ|kwXV;o(a*grdG_}<f<C-u3EtoH+7y?%7#_E
zVmK^wcED0c#3#tC(E6JQ?XIGIHz2m#ZLMGn8wQn@5jMREq*@D?D(RTr3#eQW2H|0P
zEZ%@oO0Ub5M7qXIC#+nlDlbENK{S~nA4;;dWHd&OJJ@RAJ0~~eD@-UHKO6-a{C6#`
zQ^lbL0=jYsW2F++Wve`2UZ`qW`<68>x_H$B%w>2vg)5myr?1US8|dDgR$Pf~8tOrX
zZKr9C(o0rO6l*M92rRl<et8^KSL2ct4ldqIc*5$@#Q)su;8$rIuIh`RR_HY$`VsUe
zO6Qq!5V61Tl)vZwS@|}6z!{{4xMp>7qm5-f69p*8@~{!3P6sjmmu3OY)gHhQTn&|2
zMsept{(2I@1JeNsHO@0rYaU&P-KJj^`u=-nY-jqn*#oJF=*Jb8S5T^8j9LT8Z0iK!
zUMFL8pQ1s)lLb5lDbMq@IWAO*5S*=|&u~88P@W>;3APJ*c=1=fr_+w?yes3IxgEG*
zg)Pb>8-uvTN?M(^k0d(HHpuWmUFjl7yV0DJX#((DM{o{iG;)N>b;S2}Qk=b19Sz`E
z7vM3pp<@`x%EF%;mw+?Pmq}J+@Bk8g#U8&XKjz-0*DM5GOqKuC9;wz*K;g0S9I&7b
z7ej7mlWw0HN?>mCifgz!;HQo2ZH!}%kh;lki^@n-Q(S&eMfHqNLO$}FBr22WT*ue+
zJPcfE5#f9`0OX5r2AZ#)qH<)kSGZG?KH_m4nB3J?ASbW(yrQl|Hh@QGOqgR$J|RAs
zMJ7lde=!n1(>YZ>5%MK!#y7Y-FC5kZ0bMbxo?J`R?Dj~c1gjp>h1K;CnJjb|BpMji
z73RX9qg$>Ct?@1w_T8n7yCo+3@nSsXSBj+!ks$Tsl4+l-li@!-PTXy+jRHgG6LmL5
z$A+Tfuf2tT?4*L?dwo9}^erwJsZ~cCVTC-WyV&>?UwIRR9>@|&Xu<CT^Inq8JS#BK
z2P&A7%Ida{n@$$TyhfvOb|=<8=QayZ=5|HJ3hr~4M<U)|{)s9(zvHwFrhMY;w#alg
z2d-#x7J(}yVn?h>i))rsRDWi!MfpvRu9A;BHz2SleT;s-wv6c7Q>`Rc)mMzwZ_i(;
z-K|;3F+EeXHL0$$L#<BEPW$kFFCc4GKrb44BeU}@PRTqCY%Nmuk79AHI6wJYwH;MS
z8ofEcD;%Vm9=m2ycRy9nbTh_-MeXQl8v9a%hMG&xi;q*DRHgEU`Z*M8T5$v4nKhlW
zOFIlE-fe6IuXniRkEN*N73;1hyeGi%p-VRBsB4Kx?=O?idevx?l0<EcV<Ds@|CHA(
z8MoNB;v`+C=s~OS1N1@|(YMBbdup17e@#2dVK?$X_D>2pQAws!$zz|q`nB2W1=rl}
zIQcQEHcZStb80n~G~p2=p~n9YwvoWKOVvr0a9_Wz;J*Ahz))w`=dWn}A=8uWuVx7D
zBFiMP6Ig};&`gvKWd(1hLXO8@Rt>Xx*Ln`c{kcsLA|deqyaZPdsay`sPPA!CAY&Q+
z{^Ti_|6HerYh44p9#)#5A|ZWul-TeEdSTzs@x}@vj^<q7RX4`t(03`fBsf2tve%9-
zF^Zu~(WFA&Jmj$yDl%)5b8DRjy0&LG8iCz9$&x^|Wf=~h66zn9x)_3tc8GAl(Wq?Q
z>oBI?DR<2_qH07+FvJr-Cg=}Y&xY66{)i<!vI=vk(;+sjUP>WlQSviaHqo){=d(P$
zkdW!g%0?^#0bosW2eFoZ9KpC~cXgY3!_l1j|IlbI!hD3Is+Pv_e<k|8Md&qJ^wM3@
zY<v&r**Ys|Hhc&qk;2w3D`=q@%l?dGlx~`1YpG-(*)o<%HS+12avP?UX>?@ENULe<
z*Dbc@8NJ_bxlCxhW(SL12V|Sdr>W)PVL7yEID$NL<1X^jTDVge?Ocd+kD*`bx^aRh
zQ*;=T%VWtae5IPrCxF!=&FeA4aDd)eV{2Yn;jtyLG^fXR4EY2m9~St6+mXmv`Ea-C
z{F)E*f}J%&U3^EOP0C72ui)}esaiT>a4o=!v_Yt@({&>W>A7QVHKU0C9v#hEIj(w~
z@a12(L$h=1fcbH<LxaV|kC{3ZHAoo3J6LJh=915f-&&EDZ!uWF?wg+)`T>E>>8If@
zmW1T9W{p6JOGeAXpZ&#7l6rnH>0zKsnD~NEZ2T5T0Cp0thaX|-V9Acm2@RA88r!sF
zixqz}Ax-?lN7LZ|A?4LI`RfnS>)Gbx#wR2G=<)!cIQZ;tP)I^#S;ZTv#&6}>4nfF2
z(gYe7$Fm8+;H;G)a@U<g0+G%&mj$9^+~7dy<ucEogz~JRcUp0yWl0n>YoEi8fK})P
zR+j&v2|{(=ZrZrYfU3$KE(kumL(m`mnfiGsHVl5evGgSE935K<ikAAMs<#n$ly3lL
z9urRKW)S{YgRjPtGQb-1=QuL;J0ld}*s?BC!trlO`2DcrwfAM7Qwv37^LQ8Y<@d%S
zuDK0LEL)^s?W(#%;TZ$GB6gNo78>(MXSJ=wx%hL1{sijq3YK&uxv$Ty9>HD=Xw=uK
zG`7&Um6RtJ0nw3T+Sm2u-etgROU}e+*?mf)f>I_MRE99~j5-*#@#}zY?_SS0QLT}C
z=5}6i2fCF4<nY&*?UFk60wxsWpP>1EP^Zf2f6iM_4o@DOJHBhRPw&*dF&iGMYCAvv
z`6BfvkmOlP|7-Bk67ks6Cf59@U39i||BLwYKeTseosOOVp*7!xjPn9k6b)6kM5{`2
zoDw^`U#Bh~i+ouv0RNNz*7XbMdKP~BrQm4cZx;+9t-ZteT%CTMefubLr~TpIhmI~3
ztUYYN?{q)s4D_#|qj-`0kJb>kYue0;@EhCkMb)vlpouIa5PT7Uk(7wzw>;rQP1Beg
z^f_wbqBmj7)N#U2F@$2UwPvB;Y~V{P>6EpSz!cBNhq_ovz0PL6t=BDIdl_@~uf$U>
z#=6?3zNEy=^HyPwXB_*I7(7SG`GV!6XeRzcQ*?|FY}7E7Mtrg1&-m6gO!H72DcCv|
zaHEdp3B042aisQpN5yc1<2+aF`HZE?dF40>(c=qV-1@MR1y2i2uO$0sU*#;Gr8ZKd
zbnXU*JvTEd`D0(1hZ5HrGsJRi7Y<7kN7A(NPa3`b$LY~1Yyr2b#`Fc^E=uHiQ-+V#
zg2po@7{NXjEfV|7xgu3LY20Cz^yW5svM&v>dn+5cet4l8LQ~?(m$ovaCSJ1jv)@DD
zW(uXFF&4>X95{OGzu4LGf;y9P)&*?S^VrS5aZ$@3vETP)kykq42a7FoEq?7$c)}6(
z|H^8VT5T9G>I!$=NBV)ET<;@Sa;y6r@?I*siN7qLfdm@XSHTN~(#$j4cV0w}%6dq-
zashTfTeQ^Y(<E<d82^Xn=ct*<)4JxP>gsTu7mnb{7xMm*#_i28!|@+lhN&)7DTOh#
z|8TX}0IkMKqW7iGz=(5+@$@ci2~*3Q_pf?_Hp|hL<NdHe{&D-VqD~Azq(;1jl*5V9
z{shGeNMUSHBuyqIEGc2~LN_DUHn(rW_(nIpEZK(sriVgNjoENPy^+nxI-pb-QB`Ne
zBO0F(+)~r-Lfr;|gKRh#*bm6Oyw&WrM%0S9y(1x~bLi0ywmu76EaW8*)<8yu_c6Vg
zFZ^d`tWG`&7dwiY=32T)W}=2|zYHxJPRu4l39%uVpM+&<+h3Ah0ZCpBVJOs5mlQId
zgBE3~qD9VVYO|dTy$e$)ZhwoGgJv~G6jX<L3~dwGcRt5RO@9B&+{4W@C6>nK_`$ct
z(?qPg?bg%5$DvLEH^oGdYlfwg%#JT9@T)K5%nxpYCwsVcvau8<;xNUu!8qzj=BlMk
zHv0%RneSip_?ae-D}0bE?~1F0BGJ5W-LA}U1f*MNGYyc+kG^c%7Y-6$K;+eC%^br4
zUVA^5iHw&Y5u;tT^>l56ot$sq6R9l$dvRp5aDLRC(IY5mlnwt(ro?h^^JeJt<;DY)
zSbRpD%zrHN=2a;r#ghzFDZK+&2bcRBMVqkO=T;L*?z7Bx(;Xn`BV6Dw<YO7{IEwQP
zN%3<X;*Oy`F6Hf<pW^oHT+ps=)la>$LrK$wjNuZk&twzO1Q6c!*GLi4mTsOme!`7q
zeH(pYnkvgd<IecMEX!AkG)=y=;ZMsE8x;yyqk?~DEvb83pFAz&^)Ced7iDVG{#L*X
z5}}q@ymO=W1qB6&G+0M)&@<lu*G_4xbi~4`#&aY_ZYp$8VQ65^rCHZUda<pjeZ|fT
zM$uPMNCv3jFDhF!)%s3G>Fu7jyBV;m!RxYAlbBav9muFB9r?M|0+asX9dc^Z-0|K#
zCR8<Wy{o2Cy+oIul=QAMzkw%hN#m@ZI9e-rOmOblqkdS9&@<`PPalCcC*~-RVG3^W
zkkk`%^Qa4t{(^>~LbjToiO&(i+k!bEprAu@8d1Z$w&u%i$Ciq3m`e2d7DI1p6hVKX
zodA5UsCl0%QoYK@R%XU5vGcJkyS?(e=?6k{F#KfP#lr>MU1xrK9)`1Ta=abG=}qh3
z;(RLCgTWL__Y*AQT<UELUj{Zc@V~8LJk%P{DRR)U2`HbFpm*l}_J!AR;jJt6@-o<!
zn!==J$$Jwwk|})$21|soqU^gw%S)GznY(R7#v+o(KA3$SFpm9%C&fMVuGA~YGdJtp
zOK<z$W+;5`<OdP({>h0)!gjfcEJO#Iq5_eK;(5z$(*0eX!-EQGJ)Z+iZ}KS$lzghX
zm{8A+$ClP-O&xW3!YbjPEiu2G==3Y$^>K75FD=ryMJ|uF^Bv0R@6UN(`#2}6*f~uH
zH#ShGMI7X}=F8jmyYNN$9fM2M9!HQlc;=4<y-#;4aQ!YDR8ZnT@Oa$zFUE_1$FGBr
zJI`9LLvCd}4+5n3zrYrHy@v$%JH4loC%d~IN%Xo{wfrio=o5yrs+vTfv1UF>=BqB`
zQLyR0`28l)?mk_5)Uf7MJ)O&>b}}gXRmy{Oo?ak{mQ~1XcWUsGhn`9`ds21d-|CVQ
z;u8W0#XePXB7z}sIt0{#zgIcXl9fuXA4$!>o$}`V4sKuGq*wbqTUHU+H#y`Jgt0HN
z0S2Ed89t`5DQ^r4dxscNv(K>buo|mlgL9f4>2)&rd4Yeu+`|Jd#!P)G%vI(wd`z;1
zUWx@@H|_<@Xnzv`iD<0bvxKNq7VVJo0_Vt`@OwQu_$QbPV)RdPcT^_cojra^fuaX?
z<};%fzge#t2807c3>Ga4@4EBvI-~2)y3V#jcvnI`t<kLfW1YS^4tD!~_a*UWy~*PF
z-r}L#o}&7scyrn-G5{vu>^x?HgW&er3PMqcj2;XBuvgPr!8~2wJLl4Epr7XYt;;Bh
ze#3M%@36~)`9Rb#RaD&GvI8!kINtdWZL_pO8?KzJym<6Zkxp8=>Io1fE#oek4<`C?
zu_3cM2X?*@ol|^nQ!FT0oZ4}Gc+J)|1y>I9+vBv1T`oQGwl8vyi5JvRd&)B!!Rz!@
zs4m$LG$+0l2?$JwkfGObl5&{A!r1}*Q#ESnHga)E5}d8)U%M_mHhdGE`MXYbCZMJq
zjaB+#9t6(u9<5s73LYfhf>YT29fj|NDI0&^r!v>H&ITWnVL`3P25daxqiL5eF_(v^
zkw05SBO;nF_Q{*n$9K+~jtm3TV)(W!#RT{@X5`c~4fK{gKHypxp+hK(oJNvdmkrt3
z8z#TE(WT=l+L1y{6P&eqC48eIP+>=Ti?->zAtOr?)+1ZWKpeeAJ?=NKJ8$?KwU6F0
zt6I=;W?9@pl8*PHE@tU%!tsQlr?0j<vrno}Z}t0u(X)oLMY0TVs4u_}s$~~Ysz_Ip
zT%j?7Voxc9y#sX!{Y(a;XyJYnk(K|JNL6OOGt`BCwJ=}x&|LMB_6-$$RG+OqVk<fi
z%7al2plcd&G@R&OI^If!w=K0LzmAT=k^L=ZctKAE_ZFg<DV@#tvhh5fb`ox`w^C43
zV1%TNDcrVNdY2$95*n9STncQ=eK3$pePw9=DLL*-4lZ_lzpHAd(uEJ3mOmFwZ8MCs
zCWRN+@sPjyLoTgIGT4rRS>~r`<Xv<%5c9iCPX$ILF=&@vHf$ZE<X3My?jj<UOEGn6
zq51^CP39vpT1^Resh$`}FxWnt6eI4|Q5#!=a%NGh?og>ksj^r4cc9)1ZBZ_$-L88o
zv=mp;8hbeKq+W%pA{W&-#b=z0_Y}><>pp45>S9R?aBY5kStq2FG!y%m%O`t+`yvZ8
z=n%DA^wBOHQ(=0A<W-*Og}JliK{%!=H~xLpKuq|{1VeK4W0t|;VcJ2emB@P?m+yH1
z6Dy|JcU9JDaqg<A0=sxRyRSMJGYIb|*#+qQ`Fk}aj<^KQYU<A}j%uH4kijCgLjfQk
z`19dJcj}jH;~UI`4-Q3&bl%oZN;_+)5gS)07QPaJ?-3=2=*e=rxeHnHZz!_g?8xG6
zt8OLxmk5cU#OhXks}aG~DjPFpS2eCZjyy3)&#(n#;3QuWcp66YEgd0x0BCfgWEv^f
ziR2MiQr5k<s^5FSFIv5x`9WI*_uuq{J6oSJ{HvBejVD0)xzab>FSR=B@DG_j6CJS-
z>G$wu#Y<}!>d6_%3%;^oh2m3>B{<U#{)Z+eN|Zm>NWO+!2suD#{#YIVWh5XjB&*kz
zXu>GL<-m@SymQM>31GOx9x)eW--xnvL5>J%7YeEDbuxwR){e>>9>}sI6+E{TYu7V8
zDBM;G5=K|xZIPm!!7RCU;_b#&GgH<Jntr%h6tRqb02#5BW8SXL`!_DJG(=D*;T8sJ
zwg3~n!4V;I#ErG_lu1;zHEXrPX#v#hZvdhNF`_?GSoEP5opy5w4UbS~?n4g50S~d;
znppm1Vnx9l)n{-qoWE5!czzv9i=EPh)HSfp9?_KrCZd%Kx*uIIjGg_57B``E^V{}X
zZP3Cfo~p5N7G|ZS7dKe5n>apIF@Q>Sc=-YSy~aoHUOcFMDQ<A&m&ZxCtW9)$%M+wL
z<E&q}XRs3QWIKhZ#WGS)RyBBB?}n4t>XPXylvzDWh6TC!5v;};VC6EY$nRO<lHS``
z`Nzhr5lPG2Xjt=NKy(9#gt@NDq_1x8tY|XMADywQkU`71!;>FQ5cO5z5UyUL_=dqJ
zCq^q-m4hkU%h3OR;T6iDP!Eerj!h|x&T(S_88I(DH#R}NWIFOzkX>m<@^uZHEU7(T
zlTXhXZIPoh0y)%t4dQ?cwm<1xXoUVBZD$o1g%^ftl#rHALAtwJx;qAD=#CjAhXzHu
zyM~g^p=W56?uMa3x=~O<5dZ7$_3q8?Z*R}#xq8oczV~@#g>nFenGxaom7TrjmEnJS
zSK&NfO`UC>pSbZvN5@htIA1jq(*gGgEcx2k9t~tmI;6r*x!TEK^=U+F$XaBqHldl6
znq$~nPjYs#2dMNyHgIBUlyLMOqcwXt`0rQi#*U-3O|jSSaN~X#96VM~d#=&wW#z1h
z{0Lb}t@PKUNOG-g<<^10mO^;GM1!mr*@HM+7Y=%z&q_*K=avj*oS`+)kW-lpd}k4h
z<l~WG@>98qd?$Af+8zF7n5??AEL+ktCjnHfqq)$het$~=fxPA(pFy<BOh)tYbnu6i
zLWmlytthE0nU6Duv&D3g-P7SsfSj<k{_|YBe<~cdpi4T(hH`I{q9_PGa%Ml&=4!QX
zOj)JX<!VX&!i3M<nhG;vm$~%r)tg`bya}^WfDhhML1j2Wmh@z%)90{1fIFus>ek1E
zo~+GQZ|yKF>&A3hnOKp#?YsMj#&`m`^)KVVs@-vsV1Usd$tb<{`v0e7oW@vUCAynW
z`@VOEZlnFu^$gm)Y)IU&eDb4VS>17g#dT#%3=>A~sXR0FIPT^*vp4mV31&fBQ>1c6
zL|pc8p!=*{AGL`3%UIqV&yL$UKQuHii?uk3;}UXY+;c?Huv2Vk0nEzkq0TcCbVgJ!
zJIWbJQJ+kgD|A2x6>5)cswDDE_VO2`uD8F`_hhdI@OV%@!BZTzej0EZF=6#PXNEN^
zSm&-{2$Vy8KeNO6?aZ_$eMpM)c)j<`rm*kX-*_jO)c=K$2LPvuU*K@6f~iz((v|nA
z%PVnMm^fI{#=8uGjQYR?Lu6SyJrr?vKks~v+c#;I370W3o!%HW33xI3#=D{Zf5E)}
zPpt5s{U5c%D)j-3rtcgbUahfjw?i#gFG<sE%trBwGoIK=NuoJNUKFW)I!tI<Cdc2^
zeyvZ<1_@;lU^Ba?7JJ0~RJ=s!lqW{E?iMT>NkR0h<|UU_Ts@ab0q{s(HUtWEGzt?b
zvvYouG1)qD*^8C;);p$5_QfNddVa&ng-{=28b(d7`8mqN01U}XF!5Y}>GpxAi|ZL8
zXDD5eiXu!`HkMIUNiy`Ci1%@F6k`5@mgu?NtIK6FANLZLQ&ppdh%pVKkxgEmh6Z+9
zR<-f?TdqDBr|-2r+1aJ~s*VAs%FZuBH??BMKR~)^81YO4;k~}H8xGrHUT8=BQNln+
z)AaS|_2Bfbd>sl;K<hzVWz1J(Jt~ZpXFQ+Q$piO?<-aX>gj41%#wct3-yJTXQ-+S{
z?J=0&y!To$OS5%L6fcF|4Rm5(GI0z+U5K{O=wIxeQN5a&xoZ}PEtQhd{X`Y)24JzB
zPaTcfou`5pKUw#lPtRAI0sTHDneZXKT>PyPu<qSIv>|%)49|ORgA!cdCZ&nKbZ*Ok
z**VfUTW~=tBSmv6S61RZ`sH|ZzMY40t9*UO^IL5&RquH-@)c;tvQpHK<@3;h^!&P?
zo#<|F2#O7Ak>-loaVkfAY$xVNavLf6Tok>k6QY4QGddj<Xp!CFzw}<7b_8*V86%6#
zCYx_qI>(%0lBz=CeD2Q124O!X%BQuz{b>O5UFp2JtY(FB8|DYI<N(+CuYaDo5QyDH
z#Ulim!<dWvr&xZ<L|W1ra+U^`{*2Rq>xm3J6uNtu1T)^|)bX^L5T)FMOD@@*a`KOZ
zFEL=4|B??`62<*!6ttYFlV+}^1)1W2x>eHpn7n@Yp~8f21r;p0OVn4yZ#PYLgez$_
z<@q<+dldAr*5F&8VQ#U~XeD=<zOEvlEdtZ5(P}t*6mk>p*5WcCua!!08q89nzlz={
zc6N}Oau^1x7O7Bir^%%5(%o<?ZSetUcb6u*TvPL^MKMDhTLo3)+y^X!yPUhlQHK6J
zt4B@F%j(U_)Q}eg-6<0zFEIA_dj~k>QoSdp4_~FGQ0qIcMBCT>dWpo&6|d=NQH0?8
zzt9ieC}holJmGTy=#xaF0fH&aP&djB$2gpY)s~RaY=R(1WYOg8MyW_Wt@dBS&7ae5
z(h*L-#Xdk}u>fP$B=A5N&0cX<-&tAjsmdVdBBz4J>tBTXJV_1MM6qe{(9g|XJ-%`t
zkYha6h1r_$+WE84qg}`MHK5C&5oYx{vNKXYT)Vssdx)G<vcy(mQw$5$??j;1$5!Ej
z?8yBzLoGQIm#4uIH(g}t2d!4$$6kx@y0}8wDzn<*6{c3<+)3Jx`vbKK1_B*&B4wbl
zTx`4+Ga6c+rbr+34~rkH^ugwAJ98Vfmc|4hX~~oH19&ewN2r8<f)2rP3sefV+vwQY
zFHC0=^YpZr@EL83R2zA$DkEfmf)?)Uboj@{wt2QD`13t9?d$D@{e-SFL>6X9@L-RB
zIAX3l6c~m~RLt@J!4*t)3k)v?qKO3(slG)NbB^R9PLS!`ScgI|%nE%WAj}OAJu=c|
zVnR71mIo&(J%KNH@9S!?yo#!=)1l`Ye_Q^O`wM<Fv&<Up_@C@Kr9v96%r<!0pNK_r
zcbP>ySCZSA!TN@dCDSIO2A-^4O6>1o2!<B$%?{T?l7Qi(5+BPtEOHz|04iLQ`wxvV
zUdq0-weMu!yap5b<({H)!^F2G*nB}Rr)r0YGgJG3eZw5^6kYc*)%8VYipr3nBcbg$
z|6;PzVK()m&C;FN{&kR!&7j6wogb0*0v=)g)|MN98;-|KSu1QFjyGO^A#Im#h?~a^
zIiwkfsq!+M6G!W6ANYz({#ALn^k0MceG^fcB!1y~y_ck{I9h7JXBAwVJq>m(%2scE
zdCY(kXt>Aq@E&NH_=26(O0SR@%`|Xy=5)FDD|N|1&HqX$c_)ib)vVR;YORj1HYn89
zw;`gLfr-_rm!1jPpfa;6bh7<B{nrd0^8NP87^8L{NX-A$WQ))}g=_B24zo%<nDNa>
zC74bpV6q<JL4%b02-R4+FQnC6Zr<jI6!K`e`J5qd^{hKswI-<S0<E0jZt6hN^g=&W
zR|zpYa*hFiapQP@WP;Ps7E`Ag)}x<eb#aPy{d)(C0IE5h^(hy^+j<JfC99g$tg^|J
z-o4kD1UU63O9<LZevH}_R#zr=PO^59jSF3QGNouMTt^*;O^%i~7+)RrvE8LjgU#I?
zQDTfNq$<Bks9#h!7CW4bU+!c0AUdM!MQ_HjzuH&#<ScGk{pzjFQ7>n(o0xZ9ijveL
zf*#uU=@_qyDAL&Nh)JS#emv(?$0lKX4YQ~KU~q;<d)(@`-Yv!mO+5G4@D^Sf))5G{
zXz=sjg-QJbu@Y4_Yltp5#w)sq=L#?ziKkZleQIE&m@Hmnu+`}P(M|6?EpX9N?PpS=
z=&JIegR^`=cG~z={BA-(iaO^0kI!+p;VquaO5j{f+WEvO2i)r<HGJEcg&6e5Dd#Qw
z)6wuk#~8Eye~}hw`@_fbTzdJe!8CFC*;to_^-E_d4*X}mOp!npGuL3Q8~Q9};kd%M
z9HWUeU4C?E+NHdi@vtp^DnHX7zwQg9v?mSIVeH4YhilbRM*De=9DdnlEhj|VtQHF}
z+$R-GWf~kM-f0VTw2o9=OJNvMBDVF}gS!SVSLPfzc>Mdtp`3275JU;)byEk7!(5$l
zFsDPq$dn#78B*=IO5xFp=3uTLGn{_5O4zxo_?`+zJZ}l^#2#TX0hL@XSig!w2^f;T
z`goQ4z!~3~LBcD6z7;HY3(=Del3_e3aDy$hd~`H#F`uAla*{D^+)@?r<*A#N&KN%t
z@qoG&whyQ=EGZ0Ju+FLn&-q)`>=8!mn7M34s5+Bb>c+j4lA+3?^@gqK@sRP9VTqDT
zc<vT!e!85b>a6ysD7~?(Xai3{mAhYtI`sPjwv?P`bs&a#9xNF2v7U!op<QmB8)N#f
z;;0~3;MJA2a54T}wP+>ccjPdF!q8=@zcL7wi8Qapi}QNV+BG<AEabc3ZsUb9Een*J
zoa;OU)cfi7E}HjDWy1?TEL-UIhFY~5a@1luvjAFg(?7rCwhRx=ic|x0jdY*uE5~PP
zugVU>A0f5XCPHhbHx$zfwes$Pr_W?<br$uSEw}d~Vvmue!$7R3QSA2@#|8}rj}FpM
za3|yz_oj5&y$C`V&x+F+t5TWE2>HJ8OKd8zuB~W-(8DT}I>BFkl=_p#SYMDspjG&S
zOEFzm6y=P5?dQ3!y*vj{Np>zE#fyEVh=06+XW7-LY7G=f-@Am(gM?Ue+~0Pv!U~<Z
zLBM{OlFrZs#`ZXLON_)44_IGIKF+(^u*tbLcUQ#67z6tXQn1m8b+gESXud&Adk2nC
zi*~7p(sI-#kFU9{^h>M+^6Ft}RGyGTBB{`Y5o4}PN!KOT#j@`#V|^RlJD1dR^vGl=
zea%`oQz3X&`(lmRB6-%K7ZTVA;8^1+a>=21x$zIH*%S4zccHb({N|tr@S!-%lv_6!
ziA~?zgSvlZ`V2+pNo_QU=4gvOA6u=1#b1mt^qMsDpPk=!j?^Y;E0&j%H&oZ9ImkEi
z=qIpwxXUz#zFZHVv|Zf~s$6dP=oSoqUpsWNz+a5z_WdSJnv++FFXU*vIJo=(Rd5q~
z^lWGHoh%*clu4!SY7u)!{WAn~(RSnInOCKKtiyd@;Hr^i<m8eR+ISZvDf0aQbcS{|
z+wD4D6LcF`AH8aJ(9)#2L^Hlsl;!rPUk<1CT)^sJfiQp(n^u|HejH24QX(wxiXDN`
zWdexxsLhS=b!;p$zAf|)LINU_1}&RVS`Aykn%u9~A^_tSv&DC*C-wx7;?%DSRN}I@
zy_clT-?y*RI&*0R-Hk6iW68Cx<WSxMVY2)xkTSpBybZJSC)t*U9`j)PzsqXdVp!$e
zWEPvkU$t=`RzL7YREiZ{Q;y-qiF86Yq({1!*RS#$zVo|9(%M-zToHPpB;HSnK20vW
zkW<za>1h&5&`OFZchLA?4-Th{$_r1N0xE}-8XRB~=Tf9XJWn4+dIr{tJGfC#s)=WJ
zNRgC{y?J(Rg9bQDkyD$4{1`2lqq{ZZAL-1?i*!9?Jrhn;ZD&SsXgSa_VBW!__^m+Q
z_FZVueIq}Ese&$Yd(ff_Zn;HSP?1TeS!-%CsLL{<Lo3PZ4rFY#zoM34BKnciiZk1>
z3=VQT6J<Ji5%heOo}kmHz%8q5M`M%J5A<eosd?vGjY4wk$ktP;6;dUkjnV6{AYF9y
z2hga7MMAwAxy9J_m+_6mD=uhYTRPC%D}=H?7^^K$v}6R)S=p0hWHku1YM_dZhMaGe
zMn#+u+41QN%ZXAeOL{4pZz2d$8}Pg6wTX1A-WK043Mp{W!{KLuQ;OESImcFqlOIaz
z?<}OQkz#xGKQx5FeNuQ0?l7e|{twcZePT5B`8aoaI?uxHP1(`3J}2dZdcV9U9WW%b
zCyH~n9OhKI4+|)YxMWsz5Pe^ocNyIhFMc0+uaow{7NURq8g9x-ObAWdR_sVDItM(+
zvJmtC10+>p#Mp^+p{}}ikD4g@+>7EM6m8G}1wJ7sRwiGAdAK;&WlUXuKx`vJl1^;R
zK{KwV(H`0ZOAK{(=Z4lDy0nT*7rfotvZkYgtzWHYA8`329@0c93w=0TxD=NfWSNn+
zSTcwQ+VUx^ayWG+zIgMd37UBYiUGT$o|GVm8vIskQr4eGQLvl6zjeZD6({h__nX4f
zV7d>^NRyQW56Fl0>Zg&fOHp<S`OyJ5;nuVS8+BlR)BFUxtH~%{B$DoyJ_24xHi@U1
zpv7milxGgnx$vkcS#w_wXqK($Ca)g)^mXh(USGk<?-k_Q8pE|1d)AqsY>p@=^H+r-
zrfv97F*~jup7UO$mUhJQHP4`+0hT*U->e%~f}xxjafMKuwP~S@UlNDY7Xr^Q8ppDF
zIiJ@!@xQA;0{frLh#`4YT(^_M1&gy1v60ve!wHfTJT0*^5?Ev|{~R@AFm0x29^rKD
z>p}Xbv-HwHbmi6i1cYC~U4>JPk;~F#kvT=HkDgsa@x4;QV>X^QqqPwn?{c=;hhb3K
zSFh$qQbpo(FyR6J&5d`I;~L0r(x~PWbM~TemE=U5R}(MEw+6Ux<Jy*yvz@hNGzA5M
z3twgF`1X3oV0C1a2Q9VWdQzHH>xy9QZ6^Ec2H_<mcT0^5FjS#l%reX;fz&e4v#+~}
ztsQCt`)y^CZ=zP;XwUO|(@--U_Gc_NanHljK$Yh=chRqT$NcypeNkd<(%IMNMd_0|
z@snlxMB#VZdu37*J@GEf?l>AV!p=7j@QLaCRcklhALLy2nUzrIU>7VWe*&@BxS1Qb
z&)v1W@zPBu$grN4lGAVG$y+N|h;}ZimNpiBlxep^XC9;PbzF2L18%5Cm@R7p+Wt5v
zv2C&4Xh@mSXFHRwW8>PyLJNM{H2Y?DwU_1Pg$vCa%~^S$MsPdV?iWtXNHY~R{X=mg
z*NArveo`9!;@&vpoh5h<yH{{oBa?DBrwsPpp&X+FgE;xk7ibqFucsKJhPvFN8hE0;
zoGhq+?lD!5Qt+U~bMS9bT7A(Vh;Vd2P(s~B?PF-dOjT?;JF;N60-P(gx}E8RKwNqJ
zqC&TBr6ngv7CQ50>@gb=&L3wWA&0ciqVlRT)G$R$RU60)I76;4n^~CSC?YjBqpv+S
zWU45b=zHqL@8qQCL#F7ga+^mEuc^SXWhv)Moxr57tMv1~t^UPRW_0=D&XENCXWj(G
za(OtUGIidK+t^g6T?fs_Gr_wQGzXKaCrjivSSHw;9H=@1Dsv+*9q%W{zc;{@+|LR>
z(MF5#<~P1SKktQReLRa=Xm=!_kW>+Qxcinl^-psOl$ZGlUF+;$@lp^e{IHrLcReBD
z;-0uNl$24!4(NnV^fx1y3xmXYKTV59(S|<Tuhtq!IF+#rVAtLo=R&oECM096XvaT0
zuwZ;upVvSleC&T??xUtq-`v1#=`Bt06?t9O;iD>E`^~I2;!YE2v;j}PWC;215p&sK
zAztj4w9SR~MJ5B0_j@Ci5Xil73(Jbd&qj)TDknCyOODHnO)A4}gYkXkkYC<4QpZZ1
zrs~3)%)&J1hlvvj7>gPc>c#=~)~}6b9+QaoRT%3XOD8L9f(gT0C`ooKw_R738S`K_
z>xLKO?%Yvw68qWm8lu!y1TS(`cnqCHTK2^R$LRxYQIh*RK7<Y_bR4M6yYAt=ld@pm
zR$!fR{5kbK&R;?87fefzO;b&vu_6h4qOEVO-FU=@&dwO5+IRx5VqNxdC2UZCrn`t|
zKhKbBX|v42OnA`A=)o7TTJeP6o{Gt@&~Cyir?TPYRtv7;c`qz!9BObUG=(LtWO`n2
zZ>!)D3yrAnCrf6)E&n$yfd4N?D@F9UuL7k9dOu+GHXEP)8?_7EqXLCH4L7Y8@37>Q
zE@$Fs%U$`q4mP#3wLedwcQ+kkKdAAM@UwF^r4#ywDF<TJjbK@+0Nr6sJZvt#X#dJI
z;tuiLMmpUqVDt+lyYqJxotQ3-E=(%TK>*<Mu}0;}`S09IL0j49H`Z5C3jd)c{rUJG
zS}weCGUx4^8miOOHV++lYgcqztVulj8H0NYwZ=6scXhkeFA)zjLlc99jFa?S0{JXk
z2Xds}{6huL+wLRVE#GH2$Ucekfk^A<x4StXRoxClKlUhM8vA;N^y-K?*-r<oXGDyj
z^ht1$u@=dn?(t^j89#`>TBn+)(@bqMm9J%9qO}@ZGjVpFlS#jhu&3hA+EsA+d{%{$
zYOyM%@TO(=>*UXT@5nozmRVl$)7DvQq2Io^#YAj4b@4@U*$wlUsFi@w4c8=Op4e7c
z<pj+HRnyI40D`%1cbmO+Y?gi()^yt9x!^m$l)(6@wE$C--{;-kN8$v6+I9~Ex<$(!
z{Wmwm=8ZB<sJvtI3d;-K$3T;&3_w^9E(~;fH!8#zK&^Pp<Pg&@BB1^i=xm<i<ek1E
zb*_E+j!t1kB$)0nx&!ONR#w=pe!XG|EGzCY9t0^Y?RFO=u4}P|f)tG+#A>N6d7=%<
z@=4{gEi`M6I4vA)3Mbpd8fCmbSiNTbz38ST2F;tt%-1k*RJ-97zgx(v&=aFC*HNfB
z*^$Ipakz6YL?2c(RasAZ2_u<Qt*utfR1g7{X+YBNYiQllyu=OPUwUV{jlF~<1)K1=
zn+8pckwPxo;xf$mq(zmG<Q58++%4oAZ)$SEG`o1@fj>yZER)9itl#$du4{+*uB@X9
zWxY#$5OxR$1#p||0anx0J});4P(y+FoyTSj+b1^b(=DUS%o|l(ds9NH@$AnBx=*^m
zW{!Ir^qN_6(e3)brK?%qDd>Wz)n$r;(-m#ADm>zOe22~iMn+03(tUa(0+~=p3X4lA
ziiW>6LG~K`oW)Z(Yh@w;w^%j@xpnTjxS25e!EZ__wkP`^6V$h(r=<-RhP8S~8Ul%>
z-YTWnjLNN>Smq3Uj*0diF#$UskHRrFARE;e?!39X)n&xWR{yGu0|Ton6JL{?6y`NL
zxv{w)w^EeXJ?-PArb10&vncKvw*rP2Vt9y|<DR*by9BF+Wt$Z$9B|E2wM%U`2Dnlj
zDUQS@GTF;Y6OFIWDh+BgV^aV7l0rEAJp=u;LN-GXp0KmHtcrQhxeXL-U-a7gC5UG(
zw<DF&D;xCKZ{5OnW{3ka1KJrZf3<T(;r+O>W#to;#)a$_5&rG}yyE9>kR&xr46K)P
ztQ=CjX~l#gPu8NZ(T7!SQC4fE;^2>NeHzRK?<YtkrpTIw3tZdJ)?!p)Yd^EK{G<85
zLAd$G-_6_kj5U5%5$QSHtc-IE7+QBr;AEkYxd;?H9_4s?XzLF6)|8;zJAGI+jSw2#
zP}jXITss&K<`S%MRVx$o=nQ=4Rw5Cs(c~621hFApTw~IVu)7Pj8@JvRKZOpUnnCM^
z1~fIF@X(z94EUM2>}6^z7TOyHaU_4dJZWU!bU&vMy$?FW)palet$*YI7g5yX!CIRN
z&&?(BRF)mFl=zcwAo1{)47pj~%CNEb@eK}U;qQD?Xxx$tXr0?O8j(+dv(Si;OWny@
z!ZGM$^4juxg^^WXuYroWrTN4#<4D(67JVtN45nbt9dE)GmFG+U64%G^RlR>B<ZK)A
zd{zKeer|nui>1q|4$=sx{42{>t+b|IPyO)m$W;ZJ+;5+3V}+?-XI)%!=M3-tGuF4<
z=DQKAhsB}4EpfF`c;<L9{~aWFbWuc|=qNcao#Ez}rRhN3{h`vAIw@cMDnoYifINdg
z!EeWN_7tj*@nT=SPUMTLrS6KaH0H3Q%I(RoxwzD<pt)$8`NWYXVn3lEJbB0@d0p?$
zgbb@)3{Qk6DLR_=Y6qj04&6$o=7LKd>SqVE-i)PEZ?0pv^6tlmEG>F0BWTVz&ox*N
zWw&DKblC*Xd$}7TP?>C@BQa%v%alA_v}Ld%RZv%`=D6w#mGpEOkWEZg0K*Lj_1?QQ
zYK_UJ89Q_lMeuSnQbBF%vU@(37D1R(Lw4D_j7-my_}e)1y;Sl2p8rFGBc#MO&}|@H
z1nnj=h{Ko7N>!pYf`h;_sTu*(0ZklNTJTb*Dkl}zTAV}rSMT^L5u4^!=)kl#YW5O4
z=U&lS*P(pVGw+)_%VtIcjM7rL07cla6dk|Z`=IT?DE-tyCj9G!n_UL$^$q8l-_%v7
z@lUR1H|<j1lD*#xNVn)2PhPOK)y4X{rG`jcTi>-(E7$Cbdv}|0)F5VXdNY7L6wdfS
z$Lv6m9@|aWt+Oqrt>Cl4!2hZ{!ttLmcE<*iBoD{-ZC9@<a66ieUJLI!7*9WT?e^7f
zJNwh$QU;gpho7~EXR?o5h_T!$De+(#g&jZq&WeXEB!z5t``fbHjHHhRUTmE;tyRO~
z-1Oc9Ke8^~x|^3t*$gx2OS1mqTg|3~#~wvn6#b+<P5)-WC#xk`Dhig5xA-b~{rHWC
z)F#z#B>(l_>Z(sbri{0L>xI8J{)g7cTDjFpIVs0!^4B^qZN44ltw{%8-~`;t%)m*m
zjOMHW<&NdK#zIczb<@1{LvAa^dS)hpgX~SR6sKygf0^`;dASaEzqJX&PF0N@D?`@)
zYM4S@%-zpTNQwbVqM!t|_rvddbd%e+W^)~k!@Zp6z$(R`s~Qjv*Ad}4{J0CH8UnL~
z38_KK)>43J{k0iPIQV=k-(0JPEln(Eo5Rl$_;}gw7oXZ;)94N08fZk6ze6vFgtr(_
z+OD{EkBrCi1v_B=O&QtpE7L~IkLWnIn9!?<@#gpXtZcLEp%i|VL?T&A+48Zn(o7hw
zEuArlX|SOOTUvs`33;R;|MypHx0Oew+gg$4XL~bu>0)rrdn2|eF}WGtmb)R4>2h88
zGpM>NJ=4Y5UlrCR<7kLv6IQ7oe#vvtaO>JNo)y}kib`n6A|zCxs)%dcfy8+Ao!f(#
zmPpWCF*t(MLI&=be+}{CZ|6>_LE}p}b0cjrsvRnA@ZO@!!=OnUJh?`dsi3IV+#(k)
ze$o~5dlt)I)62g3^36CYp?6k9JT!x#?`7pFztQ=8;)sA<BZdIMg!-5XwXxoTzJ;k|
zDCZS2Gz_xP&nBiB+qOuj@Wv3DS*C<}Q{mTej}s6kkd}GE#!mJ0y&0RrW5BB8&R$U)
z0L;rGm$+-I+%=JH;8^FFJdj1{bG+tjO|!<nor7g6HvDRT8QF>he<PlUUFk{&_!c+*
zHP4WEJ3PX)KFw;2R_X)R`9_&!YZJuh#B~GV&Fbs@90MsL?7aO#)AbL~-hak1CN;~I
zI{cj^MyEhh>D>yOP?(gDi}<R)PIomoy?j=yA-rtv{gV4dp&Y{L;C1IZD0OYoW}s2e
zvihQh&DMBCdE~Vr^Ji?kd8G&QH_;HUPQ?4@97Av(H0guqB|tq&p9>T>%doW8Rf5m%
zaF~b~Fgh#mZ(#yr4`_7v@OLQW*elQr*kU;j>2ancj#(@qp|&F<>)Mcw0L-|CCucU}
zIWYz3!SCbvvx%uCLrR1Bl~>r=b=}&fsZ`2JHcbV_MqS=Mz~G$u4V|ZUIP2+RC1POw
zEh*<o8;s<(2Q9IQt94G{=oed_@!6~fGR&c@O|PBgPP5-8huq6i?o-jDeiEy%SZ7Rn
zNZjc)Py0KHv1!v}lsO_nHlH>jm@co;$O7wMc_U+36iWEM&Q|?3V5;RTH@e2mFOT3$
zrEA(csmao(vlquFffma2gakeAifdDPBIJ~D=kTX=zDK9CE}hS2k)wT2{MZx(ws8OX
z1+_onIg&%MJX`jh+*HFTr9;DM^$aVwgi=~U)D|GJ!jwf3-R)VohV^e^Q`Q;-Z7(E4
z{`BnUyHsGDK23{REs|+zh73z75)DW0&EaCf(p3;X4#!isb9uue8duMT`zi{K=cLAl
zO!q}D@C#gBLPCf;PqJR^Lu{^+87;G@qX<%g{!1O-HWO^CQ~@wubTW$b!W^ONT<!BE
zQ<-D-I}P4i`*#!-^|n%_A0NGir+o${{%*Y$d2}st^-)q%o-BZMueQ~g%&L@9m9s7V
zBEhIt=~K3>`-@}R{&PT~2_k$dI^KI7*LrFzR_C5cQ`(xSVD?d?3Qde)h$D)#j4DHo
zR`3;!g#Dx-j6-bst{L8ba%AC`Xdad%5A+0-jnN>pbg-3rlD@fE8hv0LNbWd<rgdd3
zRWzDG^dL5CXqenrpD+G4^LLltX4ki#g0b>Uq1zjz#`l)mX)@Bz7PN3Va+$s#hdhYo
zDmw0J!j{P^PwKI31)zDQu?;8H%b@?zys(`8Txooau4KJjL-_{QqysF=al5X9*>+d6
z64HN&x|bAWeFpcJmz{q#yw~kbT>GJ#W-zs)CzN_TV)pSu{rc?eLFkJgLEf>HKf3Zh
zt<KNAMfDx}0M(zcqeZf!9XpChghskhoi5X0F?wywC7cd-Rw8m2Q9+Uw3p_*CYFw?C
zsc_j%h^*6O(a)12=Kn*RCG)c^{p+-d+wb1nP0}<`$<;<%TBTLuK{L-|pzbsEo}7l)
zt-Ju#IpT<6T=~0dD29}`)e)yY3%5BA^v=do=`#SoiHMOv=gO9R<^0<rJ<lbD-+?M-
z7_xQwdv&v5H|ICnQugm?D=BICt5Z_n64+>V>BBLNgWudq^Sc5YrG?5x=^Ex77An(!
zM0d5BdX~}@XOZOV)vhGUJ0?w5Osm$ZFPO6K*(*`oG3Y1p&gvVOpRc13tD0DwE?}+n
zm^j*4j3=D3!TIoo>x*p8!um`$KX1>gz!|SOA{{}M96qYSrQf?Vek-G)a!cG2KR1rm
zk8-MIP~5VOg^7DLdIN``G{gH&KQdtJ;(N}sXfO8HYWv`su3ERfsO-E9b<jM_DXTV&
zU^dy}bhPBGIq}tqwC)JP5We89mhg6C&V4%Hn5C_DM87~k6{wDn$rb&Hsxr?zSL!rC
zt#!ihI0eJ8jm?NPrw^`EeBXH3(EkVd=Yyc!c-wQ_Lx|e`eaZmc-OBF$t0%nc-^Gp(
zAuCVZ*Z-j%y*(>x=U&%KdRzo9AXS(_k*Zy<or=K@^UFjI<g_&Zdc4&5bjxO+l`%9Q
ztCgJs41*bz4jOl{A9fk3Mt6X#wXUs|D|OY1TYN(#Ew#LM1RvL6EBUyA%I2R=F7eGf
zbiFH)HQp(etn|ag3KWw($E=WM=S;d~_)o*=CPu}{_Rpy^O!NtHl=ct29I=$fvvc$7
z+uxn@7{|X5&6Cu5HqJEc8fhA@k*Eb5k?s7b{G~Rjk6WIqVt+>ZA{F0*{-_;=2<yiN
zM=#rV=4>NW5sYlV;cnQ}=g#JSW1s4*TGZ&1>ewpRYJV&K4JJ|^I+_xGxiA59;y(Dg
z>)BG<E?c70cjc~auDY?jr35fR_H}U$ZqXDvHs#r+pQP)A{6=Ut0?O-0f(b-I=D)y@
z7!ha>$uOG{k-radF59ApNA(w(fPWH#k2{dmg6_hzId7uN15(qEW;H$>6L}Uj0C1jR
z6}BI=C>4-n$6Vm(31DmHD0O;Po)2V(UnUOp?zo$aJ1;vnQn%K7fR__euX$Df$*?eH
zTtt+|Y6buk@B7mS7YyQg#4c9lc+?;jv((THU1r{JXHqx*)L+NIvR1px*z_Sw@>V@@
z&lvAHSCvBFqxm;?ZaHOY^cG!nd#dm}r?XPnKcyVkJ>J67&aR53nzeh#Z{@jpA(uj5
z`O&;vk0t8WH_P1ams!Ovm-zE_a)bK6Q~$M{rFbNq9b%4Aqa^p%WLDl$Hy?+oVuIuj
zLImTrgU*DJe(E%(**Z<b72RxV<h282@{`yH-EEr}T3lICmSk%C*!oo0Uj+-o4ANE^
zf-{(j#u>h9JO-hVNBNB$%iQEiQ3L&;8q+ix1cIXsxJFxR%%N>XZ@Vz%sv^QiomddT
zmYG+c&&fW^={?E!FR(`_G+eBg(LjrsTFpWxbz-9qo$y56=UWN(Ud1O4*7vq5zh6OH
z4oO#&*ve$_%H_0kmRPi_p6c!IybjUo4UJ%LdNt4$)8X)2B#2v1f1h*F)X`qp-;OT1
zGbDQ8%Xhw!;k!aMhlbXI$C<_yk$lWK;}hy*QAa|iR?H9|_~^td&{6OJEwbH8bmFsI
zX#maR?Ug^Yn_LTWQ7syK8Qq+(sXXoDwqFm_o+iH4X5yow{Noe2FH^G&MOLNXoLk)!
zGN0eL3!fE_UD#rCbAa&?{}_-hCS_#0tMK8Vbc17hmj1OVVS=F+8$s2Qi2B*V`r{F<
z&~o1J`=pj9_m&G$6Xob_T3P_fsHLfjKWk|LtGY5d8G>Ab5iu<alc}tuV+Pznvm(TH
zlNs!P{=8O&xkzJC-Y4ZdgWIUxswiohM@4%!V6*yWWi5azG{;-k<pcX%W%N&5n#S_1
z4-Y}ZLQ5l48jDwXmv59dtER=A+}Yl-uUI72wLMi87(B<FkJ4X2elfwTjQa$HgdZde
z{26`;**JWCr07d=h_`F<NHtItHt&$3l^Pva1&WUa>Ia;*-#%TYUWso(+=F1B<Ovv}
zUaNo4wHgY`jVj4sq>jC6Hf9wjN@U2w&zyQ;|ILL|x4GLf1J`#!O9J(2zCf0D0D}T3
z7_m<aJcqcC4Na2RP8H2G)FKvM+b5RnDHGYrmRQ?o@UV`j2`c0&`~UvhT4nc4Jz)ac
zS$NG)B}G4PM$=%v96F>eJf6zD#qD>tlt)SijCwb|VzwVUr1Q@!;>4WuigU{<eo}JC
zhjFiH1eW>3@Pg~k58oJ7tySlJlJSF^aZbfSkD_ep`FMJ0Fm*WAdO(BW8iR?bHo$~u
z_)o#^cu&L@^gC((_j8>X9fu$7P?b|z-e5?>lAG45`$xp$QFf2n72wFshAz-shF*bg
zk-;+c_W-1_e_PqsBjCD|r(5A}LN_$S0`iEE=BnD*NHJiA#78;X`~tMf)y7M6BS(mi
zjjz61N&~PPbW9yF<6MU15s4T{IVU;8<yue$kUMf_9dPF7;r4y`&wpq^Qvk%C+r5_<
z;mbOyn)-7I654!h&!Zj6!EWx)f18am%j&yk;R-WZzwAlY6F5QZVrIwnmCf1@&$8u*
zFU+OhHPg!u7z1;E8#cNv8urXuT>QQz%__={A8>KYtOK6gtw;TK?4GK?Q<+<J!FfwP
z5XjYMv<spoiSD>vP32*T;!3tB<J(d**U45$VR^n=?-z&}%6d;Vx)~!fMJkA4;mEu`
zd-@2pht0yOH;vlSZ^#UJk`P9qmx5Re8#Z*Uy4{`YM)9@jHFRe|a5hFgrZGK@xANXR
zK}t)3#hWn-+Y<iOe#q8_D;mrMi}ea8DXlk*-xM_BB2~jl5UKAe-n@y54<OOTQ`ya#
zOI&F&^w+<mHL0i6RrfIxeke3?Mtz-`ZWha`-^$G{ASlUKa;ejMim(!&9wvOq235T5
zr1M)d%AXInaAm}*VNvXt=IXo%F8F;m6zrLmd|1}mVDl-=?X*zjsG%wW>sBt|z_POv
zM$U?dl={8Q{duq3Y}@J;^SFV^bNn}fx*l!`+?$dLs#D0lUxXnd-c1h^`suXxaC-yK
z3X*j5<Yv-M5i|q8zQLVAR6-Q55HS>!cLVEL#+{}#z3};F(7?=g(3ut<dMzFsg{Z_V
zn=S>fmGb6j{(oq0=Xl%qZ4g`vHgcntKEdQVGh?xWJFd>?3rj?^Yot_tZ;J_M1lGY=
zk~yiix$*h)8%tl6VeyC9{$PR)@pu!8xeHF-`>m>gz!n4jMX9z`s})SY>O!aILs*7Q
z&7esQU~YMf#q+$(Zdg%aVaD)lGN;IeR)~G^R52OX^mUgWc(vQ==<Gi<tQz`J+a~eq
zy+Ij~!*3ghdKKUWLnDBJiZrwLi#gZSmp$K@?)78oB1cm6PS}bTkNVd1MmIi*3+gC3
zlNcdG8sjb++f33e=RjQ&ewup^HB$LhyXC?81Z*C9!;;_^rjtj!uj4LgdVR3TV%aN%
zQWN)0$NW`ux~rVGvy)8g{G8^ux^~?;Ln-wC%^N)Ic-sfv2}W=+jW&}&rR4->wpmd_
zP*jsxim28&Rko6hOa7dk+f3P!*<Cp;$Watj)ZY#!`_;b1@-Gv)4ECIVr`*nK(#Dcl
zoioamB#wd%tK|opvGR`B)LqMO@c=?5-{9Z+^_QUTpkn<>?Rb*Va|Wxihe45wDy2*x
zWiw|!JF=$i-t@&7>QDR8IXICbX6%DsM&1o}kX)*`;r1<4%PCzQW75)eECbC(EA5&9
zQl@gk(DeEx*JaoBvB5V%bd~-hclAjTXXkv^IWiTK7_J-JViYqO-GG;ntfhZmp#4{_
zHNRC6B|5yHfoU&+a-3@N5uxnO+8AvV%A#(RnV@Xe2%a;w5_VQa!`B#Ya5Axf>C*F%
zUcSq=$~|8j1n0J;ww7a^Obz%Ct!3@%W8SPF*FX+>J^}o!VJSV?2}tV(;1%7-9Dl*H
zYbqvAm8J1+VMAcL1}HS34QmK_<u0_Uu@nq)@3fljctsEVCb=u(_JV6GPUQKkw~*nX
z#D_@W<hvDqFSY*06QXmj#zOA3d_L*zv4GM+@P;*@C;FG`*b7WUmpu#mUP{ncY+U&y
zXZig`Z>s(yE++{pFY26ev8E-?+c<G{;#Hn@X}^ANyzWBO&fSupHCc^%b;clv@x-!J
zHFkW~E22*WmB=rg!4r0Rse^2pi51rKeYE%kG2F#_QBvjuC4wQ5dN%UECkwZw_yALe
zauP@F&j4Y|&xb$Dnh44cD2g0@=DEM5pEVaOG*Pubk13cfMBmIq4?IjwV5p%Y);CN#
zOqcj^394g_d@NOByK=eCz@or}CZwI)e+@gz!BMM6OlUME<Ci4hcr(4psqyRn)h7zP
zdk@u#3TlC`=G!p2ehCm>Pkw}89X2mczTi!DlX~Sd$9<5(S!YWUs};Y6PZ&+ky_h{B
z*sYYgAj^lTXC=7Oc8<8J3BTKLpP{u&cUxS~Ms``5@8l1>eP8QdCk!7hYc)+Ib(@rt
z);q;_Ql(6G*2pG{O>$IuaazWB7y75cw?vBck~PFEKu`|Z$UU?b$hES@F<UsFLQ-M5
zcyVpxeWFpMnN4u%TKl74-p?6;EAi}$oDy~eXg6iB)fK<k&_<F#=~4ObO<S*CjAjQA
z2I$ay)NHrYdH1hHoY|@Sc9+6?_I7g9VD|rFDu9ckiIQt(JJ^%P%szg<%BSG}554(!
zJ??xji<6urz!5hORAusl*zofnk(n`S<&Zy6TjPexVIeJZVAtB!NlhyA-dygBn5#_&
zEvqufHTiQgr__W&$*13j-KN2jJ@2U0Cwxgs6GQJ;Bk{y{`SsVCP+qa+^XV_Bd*PfG
zBX-l%CUs_dYE98DF>N`M`-~rw`;I8gygnm1WdEeMY8r<5-V(Bm7`2Y}t3`!48ovH=
zc@ItJ-Y9d{`?eMA>n!F+kQ_=N?bo2(kZj#_nbE%@*S>H150sWGt3v$>cxXt~yQhEJ
z8pGlIcrc<js_TyRM0nZ`#k3zILAsf=1re+#^=4F|>NmshrL_!cr65!$r{@T|Y~?Ag
z+_BvLGiBcw_#loCc=oB&$>L)0xrH+wAHL?sE4tcoqFPKX1IYuLd~svO$cuvJ><-OP
z<6JRiEk-I0asQ}$Y@rJm<`H~`sgAfq!RtIc7+|JeVs%3!Dc=LFS#$?-Fag6F<LfDw
zxwZrXVeyJ*Qc~Y`NtXRxGY!$PV<8lz@$vq;x?q0LqqOT6zuWR&DPL3vka^EhmLfyZ
zs{JEzHYOklTV^|Qk*g4RDmMGcV4Zy<E|}G(Nh`jirC32PltVSWi`HUrTu%AdL$-Nw
zf`e1tD42JBxM(_QxHoy~pZEfuXE|SE57reUZqii#s?G@r)mAdDm)4HnSri$&#Hl?~
zfTI2UCDXw4`W4o;SPA5a9fq4Qbc=c(rwkQ_TC&aYDE`Ao<V50OHKDpsPMQD8PZsPc
zQ@n4^%u2L7XT14XvUIUHcacfzcQ+eCJ4CudCYMcTtKXuZGg0dB!&!yf46I3VsLC5}
zmS6}x+t6&A8%nj>|HKnB+xR<ZF4Q~0x@z5=RkAv>TrYX-0_I+9hfETfOW>T%-Qo0G
zKL<1l#B|aN6*bSZq=_8hq#8M+0)G1E0kR;=iEE}THj^ajAKnb;HB2<Y>fkI{D<V@W
zU@+B8^=G-BPvg|^3M)%L!-+ex^0m4{nV%(PIfPlIPK`(>Eozz|>W|r$<_9Y4U%q7p
ze~@9J#Tt~$u*lz`%9qO~bwjQx)N)G<k;h`dJkf176=Mxyf^i~Vtwez(Okr`OdlBx|
zV497vWXDmL;r5dy%p6QNneaMS<GD!bv2CoVW$_yej`L(wAZ?ATCg?VL=x&4{70s~k
zjBxgx<ciBVkvtyx8C<%#jbs~I!73r?sxTSRq*7b@h^sM1@3udIiJQ2O<@q+Zeh6|f
z%3~^I)`N(QVln*3-6$^-Fn+_(Q`>7H#x@EKH8s^7`RN9>e7Rj=LS4{!`qI>)+@$9A
zFm$>8fYb&5OM9$r*?=(9g!!t#N3$-!`SqmkJY{P@;jcCt;8#~0cq@u%lB<@*Ba=W2
zdXxA*vw)<61#wQI))Dmd0smZGgYDe>6Wl>Rr(uE_*rs}d?)+W^1Tt_n3py{Mr`t=O
zY_pzPw>9H!Z?^+b8xI2_e2q_idG|rA@tlN#NdsjnaN~>wQ;Dh1@tHd!52<^ONJxoj
zdI>;~TkQg`+84J!`y~crP45&_*K^35vf;wgna$X*jVM%5?=1zJxT6fZuk!OZn(G_J
zeCikrVuwKs<~fGi6#Jr4$4hR}V<+S2GQ>JQ%y_|yXax{|MW$qQQ)=XT3%ZWQZ|?N%
ztX_7d(LCtUcCqJC#wD)kJj3M<4F;jQapX6W2wc7OubI8jifu&#f&`?jWYdR*5$TaL
zGrDxMk~2~-aVj}l4hN}%ie)5I!25m0ZsY}lmp{vWw3g_><V7npBVNW;yWVj1n&8cD
zT%NVlGO}AGiHw-CYs9goiKv(2r1p3@ugkQs=JGqN<551}{kdDS5%hh!Dtk~3;8d(^
zIOXz0>}a}{1Y}~*q06DpQ;zjAOGyFWNV`*;&bNno?NHih^pns!DQEiRj%iXBSPeUm
zN6TKWbZS*9Qj4o8L(rj^?_jVK4}%-`ZtRG=+A9NF&cK|gEJMaIm&t2ze&%!e!wy`u
zklVpfv|1Vb`OftYsY7RgrC`up$~I4&+P`HIk0GzzSR1M89L3&(A*cD5C?%PMI5G6L
z*lM~m65-0(7EBP{YHwkwVJVvYHGZI@uxQPb7)x>l(ITcg9*lKoppvP@S<XC5p)cf!
z5_p{_aZDbRFY3mLMQUyRzBp!t)bKwv5?AC1Sd**1Z92EACB;i|H!s5Hy+Wzd$lz2V
z-9(>L={AXUQLgj-jMc0R0zJj}_^n=bX&nc3GH*X(4(#60uQK8uU+Lc5AnFvm37EKr
z*wM{4Z7;bX@kohku(=QkqJB|cA&cc6<jad(ZFY46L9Cyfe_c%00oM4c?<s~C{PD`%
z)1_!+{~>z#{K%o?eiko~Eyxw~mA5KNaAUWdJ#@`vp0pgyP}iSmo8kB;e^GV=ff!N@
z=+MDubN?^fexi<J2`??PKJq$)<cdjTVhZV@IHFdaE4I9>%tQdBu7OQ6qdob@i8rZ(
zg!;}qD^giuUz}Z9a@>#?w1`QvGBbY4g4!)PULCiW-x@x@(X<5RnSt`&K|q-Tb=(8$
zN>~@G%>|2z*<rUUs-&_mBs>Qgg``p?Jvnb7(S|YejQPq4=biRYc8-SVB_GB%GZ}AP
z>DMFnS9u4*+$SOrzoZ-86?;r_EPU<Co9#^R-i%nY4~o)$1^w|FmDqy*&)=DU?wU7V
zi~q-3o=s)kzpWn?eY8JzqgMCcJ*2yZ<EL!yS28yquSdjl_BVpSuOFXlZbFRSeFi#C
z?oa=bZ7Yfe%W}o(Xs$*@XDrjuN-HobPQ0dR@R%bx4BBpHKqu&4L~KVR>Kr(YXk-NV
zPg1lwt41pehlaieO&3u?e1ppRrA$ym+(ssNt#`E=ue8u2o5s3hvfI~##sy;ca|l*{
z2nVqoJEsMV6A5N;T$8C1<B5OvOVA0*3@<EQT2+oE?Vrb|rY$lXCX}3{`l0m3YoFzi
z%GOAp<OfE)Pi~R?*O!u5#26%gP?xsFFo%5VoiF~B_q<$vrnh$=eRz&0+5)ki+r`M=
z!mDanl|{mQciHRtuKK)23*s{K18QjGOM<vtux>nM*|bB|)|V7(JD&!Bt`}Ac4R=qH
z$3_L~1)C~6yEV%odM`!6P;32C>`BbD2(`p6vpi4k=)#Pb<0rPZgOaU}Qs48Ijke-|
zKaR&@x@v`6dib}Bl*U?2Qm2&U!!yEGKQ{{lu}>im4#Otz0T<z8zJ#%fC3e}E&RWsv
z8i>WKq<}lTXd7W4>NbWUdvIf0h2^{jd83^q3-`NPt**WEV6^;i#LaA+c1kv$X6!Fp
z6sPe^_6}=qUK@$Qw|N82R!x_{?@K1`qmGLGR&?tmGBLD2PG{LYS-{ttlB#_MnOvC+
z_y`>`UMxG<%09{@nCg9T-ykqwUGoS;y+4VC9(NHiOa+dbW5(UwKB@d2xp6$GDZtOL
zR1X(-oquaoDjlfgDKMiXU^>kkzMN&j^p%uV^+{$o`=@(`-h0yOjrC?Bq5ObNS${gy
zL&u$QyhEG~_}4hP;hKA$I1R<eE?GD&x#F#+dxS{YOy`g=b0j4`rB?8E@!<YtqhEq(
zjF0)r{=<`TSBtLIOothLlC#H$7UPuW^0w8@qOcBNY9O|I>cqIlIaCF2GOUy117&2$
z9B44)bsG{jTv<-l!A-VKk7!C+j?W4x*<uX#f;JDhFi$*R2fcdPI1DwQ9+w5pQ4`}F
z<cHTQambDKSxUU@t4J6LB>i-&Fyobn(Hmhe`{Kuyh7>U<P1j|ppzHkfBkOLatI&NS
z^J|{Y-Dr^Lh0B_A2rt90hWr79z1H!{`j3NIJmH~tXO~(2+AS?l)rqZY>Bh&CSsXb)
z$i37e?!=7>9`2}W*sk*o+mRzeF)2H-M=0ThaGAWzbaY~Sx(RXa06yGMM<f8<zmVuu
z94p*7+jyW0S8O3kCZdOhvf97fuy)GT(|FET`o~7lS*oAxXA*{ar)^4n;BNf4%h&LI
zWbW#TZ3CRIvI&eK-O!2u=GNgRr@adO4^3Aee~8=nTCNeyK{(pZY`VR=li36CqlfcG
z)ABtF8XeGAx|{caZkn4Kt5I7@S>N%d<t`fv0bU%~c`x$0hVMGfTWx9ekE4|rluIq%
zjI*KFjtvC=3ba7|DXW#}zPz9=UUmkaZGjsaAheq`D}|wMW+O|-_86=F%TEgj9!#VR
zZe#55q$mp`>aj(c{=yM_N;Qg-h6D5Dc@;AYj}=*7&`esD<LJ8gpyoQ}sd%Yc2f8L@
z>-r}))zU$s!^me}*?C|n(A!D!*|2uu!=<o4EecD7l<-*L5<waZR5h#^PWEEPxPCbX
zJ`R4x`lMuOSwm7;kzIr^yb1b#NdBqL_K&riox|O7lk0LmuP>M*km2rD$hp8#o3tfY
zfZ|U$5wuG(rT^wChOQe->;%qIGdXty6#LpwhEm!txZ@UIbSLfAu~4`@cS==FW;nxw
z+RpKrYCBw%UChg9h;k&xad$QPphoLk>sthwS>)3`YzCWan_#hZG7aX35_&}^&#igW
zI8k8jYn)Fb=Qe`o1_|^km6S{Kw>iR{Y9<YjgmgqIMPBkM?&oa4XS-!#JsOc;j;t1(
zdq2K;0e|}n$gmMQtniY9(ZcZ;*S{C}+ZMT8ydeUmoWFtvC;XP0U+=kTNik<04qY#>
z)orX(t3z5w1(2;YR+sq>xm6^kc;(ZH!uVh{5_{^b)1i&M@^>2LmkWcBlYN~!kgkTH
z_92N?@MObsgKV?Tew&cl_=Ysi!6E-7L?`6)_BqJ~H*bgL$q?G+u9kki;9LuZg#x7d
z_Q8%F<m#LTiYg3SbbLxncl_03bnHmDq19{1ld#`BK6e{uUu6MShfmodsCPz}Spli5
zmjqJNApG3sLBZy;q;BZNzv9VaLK^@qx?qD-eh>F)zCE|l=93?_;vmnT*6nrnRx+Y`
z*(t)AQOulOkz8ZN+MM$u_@^w=o<QnoVX@fv;^}szXszsz^wWqX_So03)O%<BUq-)G
zA}<d<^2@+>c-cb+GA6f#j-j^(zn4101DZV52B{k-7~knoV3wmlamvmEx?T0?+s#A8
zo!7+@()K@Hh5<GT^KIK3R5oLm*8c~4Zy6Nl`)v!700|l(xI=Ic?vUW_jk~+M1_<ub
zxCD0^cM0xJ1C6^waEIK~{cum!)Xcf({4#U?GjsUR{o$>CtGfGLd#|<E-p})l7LHya
zCb+l@g=4FRVlb)fqZ01%6<bY(g@)ygNO63a#Fx1z_zfj%y~w{;O`{@w2t4uIZoeHa
z%OuT+8pAf!kgCyjsl-~mN20lm9s;P<%`qnMRAy)nFFU5w-t)8NuT5IR_SFh8w2^i(
zRfPo{fH>YYT0}kz;}V+S$%bi^ag%80CV$xCvZp|h>1fI$qcKcC5@c|wDbaGwM?TVR
zc?>A+9e{$F*-EFmj`*^^jl6lo_*1iA&>Uis>lq(Hp!^`v1Q}(ElO^A&Jd4hs`M&ZD
z!K-Uw`L0lHeeWVa-{&;NoB-dP?k<qWDd0UZ7ikV5!h8PH7#uT_%r-&12VW}Ov(?!*
zVC7;na$(5BPg(8cH>O*sdD&-*t%Aei5|{cnj+zcT=@?%m^r+=lY+)o$8RT26rKGUI
zQzzyNrP!s)*0=>kF5{%B1SC!REjs=!SDy{<wze58WYe9rMyi!;RWa%QoZb+AkgxiA
z-}LP#;{mZ3Y>j!M8sfav$xyCgC-f97ENU`Yas>TJd@aME(*254lXC9k?mvg3XkLtO
zbwx!_m^pXUs)9o3*CNSA54$0jFQeI&1MgVK*`iy&d2p+hUVI`~I<EI>>FCrF09#ll
zJyN-tsS@U>B}F)r#v)Ycb7O_5`YcG}k-K9yuFZVI1HB#6$#8X9?$CqR6U&5@FVxn(
znHRH+K$weWy)hT(381i=p<vycQzdWl?sbgUrIXlA{A`h6S^TFX4_Ce@&`e_5qA>Zx
z{VPYBDx5W@ou2jN>Vzow6{3!$S$Hk;`HVS7vph_Tw@=Cj$6EbqI%QjVy$t}`2&)s3
zq2{nV+>uAXl@g~!FPu-|3Qe{jiDk}NL=aueJf3UK{Q5UkTp_^u$Di_0HSWI8u%#Ko
zu8B2aW$($5)&w#VsCOQvrpNek)T1t{<xQk1G9KXj<FG7YBXNwo)*Co~g`hiAM<3U>
ze4-xsE^2O;wvqP>7qba~XGvGP>shnmTB=%3g?gaD{wp!QiV~RDiy7gYeW6jAlzd#0
z!!<*Kx$Z^Utjy;ru?ppB_seFsuZ5bR!e}6@tW{M1^Uua7eD!oHMa;s6kM#%}zc|W6
zj-C2KeN0=}I-bQFm&0%2R4M~(Z;D)Sc4DC4^&XTe-R+6n0Jmd-4J1Dn($Fb0l#;yT
zPws*j?!AR+_@utb^2#pBW#$Cen+x~@#+I{G*k-agSaC<~{@AMmTsEbl50`ceW0}Di
zW7?y09~wx~Ta7%}LFJZ7D!o<Q4xk3inc9=cJ_$;e7=!W(m{9cg(4e0(3(I>GCDHc~
zRgM>$Mc3?@eu9m_Lm_EVhVH)64U0^j16oM~ef6r+EjMW94?m2s*1OmN5u{Q?jE@qE
ziq1rSXjw8W#X&Vd>k4lc8z87>eiu}zWV5Z4xSG54VXwrh$%-Qhj6kEFG<Qhq67rd?
zEHL~dNnesuR<Zv`tXTq5DXDdV7M&hax{1}<^?lhvV!8*m31@LbPxGPXDc)E?y->I+
zMSV-Cj=?B0?fT~TP-c_FqEZsa?Gba$2LT~NGXvX23JwTE&GbwXpurI(;a6dcdGBnr
zCUmqW5i)9Bf*B<1Y=T?j;5yek&*;1)I`z2$WAt>iG_%<>Ya8e)lX*H-cc??n*3I{&
z2Je2gYshzUUd>XZq{O7CLZvOM^<GrJbiogMY9W=s-Wt!vbVLVlm`H-ZT_$x8R~hEG
z5DB)EM1&BKs)h~WBe|%dgyAQKRTE^>jabB&O)H}>qHD2%7xPa9yB_R1rfJvwDr6t{
zNT_Q^JcDRr+7r!uof~;!02E<JEHkm%NU*N(CF*4NVM(z2bX<6iwcy4tt<$4X*HEk|
z)!Wdhh*-|;U!YB(5ciJ0Ch=P2gLWWaiiskk2`xnP&UlGVF9bBECzHQ4*h<qb+CVs=
zG;cp=!%&K$RLxK^D|GZh-$Ly@2Km<r`T~AM=wymCv38V#jo6$iK96m)N>2g^P0-Hy
ze#nTf|LGu+$5R=!Mg3cc0l=>J<Xylb-@L#~<%sn}CMG^*28co85FN=m6Gd`HD%X-C
z0I^;cIVPtVu6XgG@ssjt|MpFV65DAdK9i9(A4wW{tVuL{Ugu)@)I7|u8slpykbXI?
zXRo&jF`o!_u~~(>3VRUq*48II)q<IX_S&Ws&GIvNrGj(3`y;r-f)5(I69@ad<U&x&
zDF)nQ8TPR%Yr!7J6O_0rLJ+A2)ec;a;rWfDOSKsqjtj<NJ4Krir`h^t_H=2>AdGTp
zD;Lz3o)kPlS06m8;Rubq%9ou%)}dekYJ*Y*5ELw1Q-A0A1il)UZHuT$pVcy0zGiSk
zHl1F~5vBXMxFW(>wfhce?;s?CQ!}g#M&))igM8R%Rjm*xbSjcC22Ak_*g2tyxw9x=
zw}^7=q-NRAhN~Lvk+`G(ytCgKNSp~8!5uE2EEMurdEXEx8TZ}F#ZoS<O<B0gf_(_K
z&P8ZRuLDfy=9!KHEL(~zt5HjR6#jY-Qz;x2FyoUz8mLdzj2c>avj@j)|LmKJD$2-h
z5E+x0Rks*(e6y6**g2~*?MgvoV%V>=xKlSWX3#FTb#X@FoHY2yfihsLW&`mnY*>K5
zQRwP3OCt>gxSI^QI=w6Lv_3=~!w(mg-N_G~^cW;WRRN}uBK%@YxuFZ>uCk~+2Hy-x
z+FyP7*elfBR0Ux4WrtM2`ih$Iur?O#ZYGLpvPN_5`hx!5;yS}&fRN{ZTY~?SPl0H?
z9p+u5iXOPjoEJ^anQJEM8=!YmAP{D`Xz!8^Q>{w!U?)*Y`jEh|oE#DfctU)}ElP98
zSl`WuivgWg^Cc(8qh!po8U`m2y)*+GVkWI-LszYJul3So#c*YAp!Gq2Ie42<#R-O#
zjtW(z%4EST(Jya#WF6+%Ve5Kv0wgF-C^sW-c8(&xf>of9d7NDJ09A9}WmLf%xLAie
zd2w5!^%)U7=v|1v>=j4;t?5S=(^t-<VNR8!`{Usx1PJ6tN|pg`)HKoLbNd1|Okx4O
zj{JMw26!Oe4W)He_}3k3Me+}1Zxb^RLz;#2&B<8Ciho0$=mwqi#xpUV#Vo8kXD2ZJ
z*)HcKK4qGYS)|%HE!*f4ZhWS?R*^h2FLNEr$aeMqmO-_RPMv<6y)^}wTU9|b@E8MF
zCilxr*`}*HNyEZ(-b9NX$g4IPRKe?EpjjbmIe9UA5Ro21Yso>Eq3OG6pbNEK*IiJ6
z{GH<sZ&lsZ_m73xy%p8eyt(j5rL+?!8wC}iTOQ3EFNc|;Taru6zAYf*TI=xj8!v`W
zQ#iT1Ud8fCnn;DIhAkQjU-5B&LA%*B#91t<$R-=jSxFWiF3!z>tW(Nv$N>`AkW2`z
zdr6&gc#}GQ(jX$NC*OR3z|tv$A}8(_gAywYjn5^@9u6Kv6>TqymJxtjosJoBi)8O%
zX2}mI-x=2|LdVvq=)k(v1;+5NqWYhN)N8*z{TX)Qb5cGDooK7>WIhehH&n+BJ~@fY
zO+2^EIs&qgmnm+J3EZBSleIsgtJjM1<8d-v91_;;Z~ZyEVk~bvZ3-4mxt2~b6YWmK
zcVINF34L@=-<fAWl7<kroO(&!rm@<!a5O}>^l(pj4oJb?LbpVbuwk6fy)cU79dQI}
zSahjQ2>vM)sLw*4D!wXGnknvwjoz5_ZVR+_!ZW_42cGjUX>73C^hf^Iu@n5psdvhR
zPj`ZV(xfo1rfEzO`8#H0Oy#Jv9h9y`#5$e~L`1Kt<pRZ*$;M_b^_X}_7Ixao^2E&|
zI(-tN-5A+!JfVwTNA9+Kb`AM?i_<EIGxQ4$@0ujjjK!Ozt|G@Ayh^NogDg}HdT2##
zKdryOGzbFQ;BM_@DQ8!%wGF?UTWZgFKk>MwYXZZx8XT7DcZevXN-kM2VGYviD$<_K
z0hx@&D@U*qrRypWMz^#Db`kfx-AjvA@7TRhpK57mqnGV7^TTe|VXqHRJ3je1t#xf!
z=xjcwh=sx?DptD4cHR3Fa0hIlc<=m`6ey~3+{RX4O<>1KxwfKQ+-AXR$}|r+PO^#9
zCYmtG*CfNxo^XLbl>VAHL$4-H3rA+eH@voWdIH%wSz@Sb*HH6utT0!%D5g8LX~?Hr
zwLp%uTyQ9BYB5tQO*?>%os-rl%`JUMc#BaB-G|0f;9n4U(0UKubd64TZMjQX+oEn*
zY{l7fqgi7m%dCDwm{)5Gj<9NI(^|Cs&ZP<LJz4~sYEW33S{ZP_9a#>i_-;0`2Q67m
zG&FFOK|+oOvdt#1E4ui@BUEdYU!<gaG9#PLA!JoLAl(tz-%zGua487;ZJ`fg2Fz$)
z3&67WD>qW&teEUBOSYYs$3I(5Q#EEm@NvAJgDPSTPEd=6k?Lip^O5J481e-38cRAj
zvVgj*(x&!U5@elHhy9imN5)xYr|t8TstG<kR5^zC8}xPU6JP8YGIYUymI*3qX?m*e
z3-z=-&(W*ro?LAG>uy!_igndB1>~fo6{@Tc(`ghs97HdELEQE|m5;!N*b5Yuq1L+V
zd5sT8wC4?9=6CA{bgKLRtSoeF=`LewRp^q|^#_LM{1B`!_ZR$8kX<$WJvwiqM7QZ_
z^ihI%Y^~b&@itmO`eJMEW%`Erv)j_kz^UKOK-(Qk)P0QJGs>vfFO!#olY6YSbeRg~
z(h4mkgyWkA>hJvus3Hvg?kVW2K5okt$>RCel*9U`NR+3PCiA`@Sbcs}YLUS;<Asej
zWHP7=eKOf-wuy55wzX5EKSC@GNS}BSrm83(NPAa+b6<T_L~t&gd&StlUsiJc`OEZZ
z49nFSy2j`rD=Sq%*qI6m6aqp~jx9p0HBHtbp_*ac^2eFUYMm<Yv<ql2)ziZxh8VMt
zd)BTm9j-R?m?HJ2!>tJ4T~GVXO&t@GG>oPQZw~RCEQ{xPnPDqT-s^YSR+sXW72I%)
zb{s!@sDa+Hq^OgpTj>_dfat4Ce}1B;3*iXWEKOZ``&NOM2p4gL*<y{nkwH(@7CGIy
zK%jaDR93fWX|Fl4L(r~KQSYrOZfACU?91T=WMQjHH$lGi|H*VRfVs`q8e@U_C4P-n
z?w+FA@}bt=dZ~csI)=eVr*K9&V9t+v=WxuXY;&5|OVG^dymq-HuHgF;wOz)CH-5HU
zAku<mFNpw{r2E!1mRrCx>5bG&^2t`Vjl~6CVvqWO;NYytGS3D9S5jhDEe>vf3uRlz
zL#qQ<_$8Cmk?2KYzVTU9?OY3<2N<X%Ss>bj)7+~k%({cj(7yH3wlE9Dn6kR+LSk1g
zTwSba@MncXQ>QL9A=j6WRmi|<<(%dY{~l^MyXhGqOl9NusZvR7BLngo4b81f))Nvx
zPT#)AU#ndAOd~PbkJ1a?U2Ara#La&;?j^ch7vS9G_q!5g{?(rRkleVJ_TV<eFro%d
z4>Vn&kuUeKIy~V>%fPC=7iUtnveCneTY^0D5=Uk2$VAaoLWI57?GYax`aF;sw-!ZE
z$s0#!IwWm1JIa^wIS!<Jj7Id-Eb3<0>$8WsJ!`cr@9LsgCm;(?*0;3A76u%{_<PXb
z^p>LO1})r(rb+xMI;<ag_3YhNPq@If(MuGpbUTLAi3VK!6~`RL9m07#f<sf%{dG*j
zrdm#J1YemywGQeo2}Hy6uG+XYPbS36d4Q8O#L^foo}{Q*)mw^k@LRQU>*_bIfk@wF
zjo`<WwiK;@>W*o{b_ZF=JCzTPYI~kaf@L;v0yw%+uCwMo>ec`H$P>{~O3fa8s6Sw5
zy&G$p|ET*cUSfF&bbH^x+tF66GMRDJv&?DRAERtzY3ecmKDwadT2&%{S>;ou+=Bb4
ziD3lozZ89K{GcY282j-OLbRYy-U1VIG|LG{ATD$bppV8(qsb(Y#wcruE9{XitDSHF
zD}1BcQ!L3WmSGV7fd@Q8R-$X0%gs)?^7#jmzqz>;Gr9xsX~JejwuZUQ<yMsBiU;t+
znqtG7l1zb#1x?kK4waOWD*Db_z0&Zyy0YwDRv46|UN3Wns`2Je=ECKagO82+hm^^(
z<axTG5XUkfV;|?!hC_pG{S@i`YCGN9`9XT`&Cqzo*qfHmqn_P3vSX6uJMYji53ZxJ
z{|-r}nHSQI;A_)$NTZbU5s~IYt88HrZ261g2smv?tuNp8#&>*R%dA<MOd7sHVU3I6
z?aQ)*uCR2|O&kn7!=+vsl?TVtj}|pC9sYEwMZ-5&Hsi&gl}I7V+cHOEQWRhs%l#-q
z!uCG%v7&nT&G0-qEZuXUkt*oBNk!qxxF<Ypzh{OfS5dl@6|yo$##Fo}QO{QY0A$8G
z{bav|U)Zeuy<$iumMVU8`>e&Z1#b>7OP!V(h?dPY+N*YDEd7*Ow45Qz#}^Ie?Vr+%
z6+VfWh(lmJ-FVGTbm|bFf1f9k-@c}5W$ZLhE<thy9s<l=;`dO@t8-e(I<;PN2xl;`
zwmLcsCHa`q1D_(B#r7*+D+yG_`EIO5DO>$w9=vG7&c$GM5v^N3x7fiz)>wPvDu~ZN
zoQkI|TN8Z$a~=C;EBpdaXP_>WMA9y`$UA<y-bbT}!)7}1VIZlaa>k;h%StfO@!GTj
zd~QM5o?Tmg2RT(4obI+s<Q#tw)!9g(7CU{)pa1o(wD+`k`x@ua-Amj9Pg6<E)W(g)
z)ES=^N=wmzsE<zLHe;oQp5s||3}~cxYRTD?e@yL}^w$Jvn-#^o`jIQ!{ygnGT@Yke
zu(N@AcY7na!3h#x@OEE#<grQcX~z~Xw!Zyw`1!hfxW|pNC5lIu%9+YkHNyIOM=W}3
z!quy})~BDkKByW5>L&Rn<%C3O!17lQqPG9<fc1AzBIVwz!!F_cne58NL76zO=XfS>
z-MxX>MLs(Gq1A3sM|-+sXG4%!FOJQ1g($`e@Ec0P>+<Lxsb`JecbsaO&$P{S;s|o!
z;V$aS{~U8Cdo+3TH^7pqx;wAFabBW)^kj@tfc*M8Yj6|<3_i7U!E;WN+m{=yz=9kN
zM-k>_9p5^cK1M29AsXrFeg6uTxQipxZGHZCxEkZ#PTDCu9P6sJO)Q$@tG{+lmz6`*
zc*;vIV{ZUONSqu$XU6nTI2MW}p<Cy4*mJ=?H*K~BCp(;cg8QhoE1>%;ef!Bz;+are
zWnlm8k!}Buh#_P}c`LW0a_ItFjSbZ7E<Z58Elb!ap0^D4n<jdCcoF`5J3?F=c8h}h
zXGO=uji;_InqG{b(F?lg?T4EA`KBAuBZm_lTB(Ypv_66FX%&)HO^u%_!L+ao+B*WS
zZeUv0ce3S7C-l-B1ayc2+NiW5!NP;RwMCPB7jA#2I@11%x5pC9%vZ;X?<A8EHoq6W
z14upjGild`&krgzWL)KH#Lrgt<*1sL$l`h>eP(^Wx?Iu<R}&ZL^Da4Zn^v{Na!S&Y
zq%Awp*vzd3m1YrDJ4{eH|0`3@>{7K&^5{9DUZ`W~9oxX5k1t4jYxk({{ovT>(NWGl
z%LdA(yAI=dd^UEx*+sSxioVHJ#;WgJBjiTH)5XDHv=h*n0IK|d!7mwcWvIE&BDFgI
z0ML7va*qN6A7yy2xc|7vZO-&@7NpcBeUgW1?U(Y_mCPRYf#dg2o_6wh)Lb)zkRE{h
zLRg+vSLHfd+&%jS_%i>cjLNXkFtY0&1nT7mc;gvu3v{YgI$XMJ25y_~x?E2_rP_y_
z^L_k<OLOi)=|^)#a`R44a%}I!$|u`6q(}{mVB}iMgXiI3;|QDJUmGc-jfP81she1x
zs5^i&i<sDlXWiz3vH5V6xb)QddEpC_ZsOiE={Dn{zU|bfqRGGoTpudV?D~oupLn87
zZFMImu+8?-QBg>_w$sqc-(|4B)0r$Q5!M}Mp_)&^K(($y0pX)-&pl#JU1|X_TQfZ!
zl%ZreKlHBG5c$uPFMlaIUqj?IME;+V;IAz5$|C<)I{1}E{%4i?8X~VD@){!lu95Q^
zBCjFx8X~VD^53*vhjJJ8U2=P>?6Ve)8qm{Hl*^0kn<3npjVcG4r-|A+;$=3Lu<z?6
zO;38Al{=Q3YW2d-Cjqo+@4$mPpVyvxIx%^DlgCuWO*EQ}Ny-=$&7%ecq=%~n*x=UD
zwj&0QR2dRhP`m?a@25@vEZx+VQ405fBF08)D>2!2n20q|BXAh?u{s)$fxAADw{T}r
z%Ga4soNkzVZW;dkC6m80{WR`gxQ4idTHK{ja<zi`Jt7pBqZ-RcYZLqrtrJZb6G-)&
zC&Zwy6%bn3K8N~wn-s)A;3K~I31QydBf&)?Hzs!VscK$XK7zbM`WyCX02(^l7nASp
zL`@&xkN<|si+G+a7Ci5aCBDS0zi+zlw5j0t+6I<N-tLzTQIBvG*PM%e5vqTmOTZ1=
z`A$!-M~+pB#bYmT*iIxI##Pkp%M5LodcZJ3YYEgh;m?9%eA6{|=fzU8E@I=AT2l?=
zwC|d#YnB*Yy?7mtrf+0zi7HhQ5$P-!%BW1zdBzcR0;62oY8#~|>Gx8axnte?3UY}S
zY1oTw4Lj!Fl&$dATJtAZr%l%@PFKrmbz9Hv_Ey*AQ);(}J5p*e9Ef(KVz!~84dBt;
zMk`)ipKWdLZ#;Pqv}6c|lh03_KDH@2iSA{gp^3jyfq(Me>%|cdvZEl%f7FWgPCj|y
zBq0)?k3|ubD{c2HaOtnMedv*w8%IPgaAa4tLOgOA-qWvoua()m-{O36pkKvqDz%nn
z_<1iyd*I3SE8S?uT&W6)OkGy>c%*K_aP8gncmtX{4bz`Bb=NkqdR~y3x_hE@=Oq-S
z^EKP&L^J(X;uo!NDSzgU%r0iPvN$RjzN${SmbOvXSt(3eqy&#{j9{T;0yU9P62k*o
z@;^kR^AuG$^_faiU@5~%%k*ZWcJQSnd~)9&P0g-52lLmu5GtK^Z2wG?^<6WqRb0=P
zgDvdR7YZ8&RD@O0DLKJxwxqQ$j7MaCYj6f%($kLK>>?&YzSAqtb@1;urmfD`*frRr
z=G*vaNPtBADZ4sPrbE;u9+TYDHC!9UG^4kiycb#(jW#Z5M58;xq*VNq+<OcXc|g%p
zp1=5RhAaCyvrA&z5$K<{glT2CVsBJDxQ&g5{62OJdk8g?S;?J-TX14roXOMjj625V
zC9>H`iG9-N@jr|e5K@ANoyVI479W0@ayis%JS>Z}cb9q*t+f+rJpJIis^@)tBV&AP
zlZvNTL=!LizG5HwJDE5J^Ud+Kvl_<C{PDM^a7P4Hi#Iol{#*11X)p(Vjxz9XClVE^
zb;&PcmOGZ4wg#0yk#H9U$o+<5{gr3|Qe_}>5U<o=R<^L4F3?X&p{th5x#!qm>US}=
zdTf8&pZi6E+Eu)%Z^}|g4xK4W=$tL&4L$VYBHEbxYGdl{bfh-mFmHL5yxG`jZ$iL0
zCI{*3;dD(#28JR@y{qUKVMp9$80cV2W?K&eR%UwN{Og<9t?6`xQk{>WcQ&-so9V_l
zjnyZIKdA7d`o_S@%^J*69->b>1$1goZ+;b=+CN6rb{`<>ld&tuNLkaCI7_wR)|E+z
z+r%2K4m6g2%dq9d<^;&?827X9U|%LBR_Khr??`U$Ic1zc%xCx(xlF2Xo@{gU8;ZD*
z>gSR*nU3v=e?B-+mnz<#OH{d3qk0~kn?#>Hj1`3*t^}53l+s2pCR8~T<(4|d_xWV5
z7*Om!((q^UJ7y_i-KGJpveEVDv}G3veTa+TQwf-U;plKm8cTWyQ7o*F#xg&df)SSG
zL#fNBi~=|0jyN{zuG4u+(o25A#gh#XNzZO2{}SE)J&G>ed4r#&FB4><zp)ayCD<Cp
z&oj|~>$*>scA(>n1lpevbSt0u<})*O(D+TB=0!k{L*DDo_94Sl*#ID&3s@g3(9~A8
z4#c|QZ&!iYa%gI9DRrZxWCl@pX4Dl}p6c^owT}}!xVr0*TEm!@IvmIb0T{#70y%&d
z4ze{!S_?PV3g}V&o4bc4%jGHkZMiRw)4;OkZ@1I8Tt0n}4d<XLwDj+^L@X!mep@%&
zclb8nttwWk*wU)3dN1VO!<D*7bMQRWDfPwQ3r*!ZNNJW(3`zUT1eRt>6w&DP*yYP2
zd<LN4x~_JfKRS9NH*~Yloi5<Xs<Ur;P(gnO@D!vI`e@P^4teL8PjMA6sKjp<{4D$m
zmdjU8tlVgvrVPTN-R>1I%WKtXW8cQ{1`o8F_z;sGbrEq)oXGb*a{oD4Xu8epma0hO
zZuN8p=2C|a)CGLT-8;QbJws{n<mWhp-w_-b*&X`jhrIUBa08a(r>QC}n4&#1ovvV{
zY4{r9MYLM_)}d)xdj-G?Ou(5>)En1Ss(1TL^q{+k($vbw7~Alc)jmkLU#AiD<hz^=
zZBrHH(%SGYK^56OOY-Lird)~XfSzi&dW{~nCYv0MG=RLB#-1kDMY#lHhpx%yDlA6~
zA!mzmY5qmfR^Gp1L9AtE30ku3U7I}lx_x+&O05y7Oq5=ODUkt>3ZtMjUOTY~W00q0
zHrx@o%<&*HnFp(#5;A(_X4M$n7KoD8bZZUD+vayC>xVp-+;y4>;;pu*MZRob9SP#E
zEd9u`DscI;Ct@Do^J=ZYn_GGD!qqo?MR)h!5dL2qt%v^zGifCQ1ss?vEfl&)i-3YY
zjzMNSqb2YcIZphD^wJ{78Y8@mi2D&K)yiGyHR<JzTWqtSX{?`Owy1v@WGZ|nOMiBW
z95@*|<5+^5*J{<bVAr1y+s^oargE5M?Q(5i5J7Pflqa&8Sg#}<pZqrUJ%A@pPN_9`
zO(G3LzbpauJ}dgf^=v-Y;8Km~1bF2g0)la0608@*KHl5XnwL7yUe3xi+wy94Mjvyo
z?0lzoWtQDKXZBOzVE=0ACspE~^um-*)&9ik^Uq)d;JPa8E=?9G>q?iZYbu1iV>tHm
zEQasja&U4{IaQT0(pB{1wvYlZ|MWWW$`IH*K5G$LfE(+^{JS6viEOpgyL)aHc(-JL
zcjRV`Oj(Y1&X?fdO`EAS7Tr;SQEl9zP-p&UX-KK0qtd!E$zhQa&9IvN(gC_qB&MSw
zG3(Sy<tp9<l7QvbN=-*h?DcvKzS&LD=5xlAmFIyj>tn)9`IDWSZGcB5aDILGCGzst
zbM)^03O`Z0JIqD)*3PBzZD;VWe+C=NBBI0vfYLtDoz+4$8Doj0uRX>N@P=#ImeIB}
zb9gAyYM5z{fkv}61;vNSDP&nE3tK|#4Q`Xr-v!xU@=2wP@UACs{Zfza*N`!7uLiZL
z3!*l(E$f%rC%xM2C_5dxem_S~m+Yw1lSz5@>6Ry4y{RnUUmDp^k41Sic2HT$Pu?BY
zS+{2^*Z&MOD*uRnIpO{?$V&f?O@>0fC&XP_-K_>c-<QR>4nGJ8&j;|?WG`k%+&G<A
z92K}voXX49p0}^G!0)!G=>^g~uuiNTv91&UIUL(&9evm@CV4Dj^##A<pP{DopK<R7
z!r#T%-?2$EGfL|I>AW4X$2($nhf|22_@L*RcvS79^11K0FMGQ)2={sDV9uAbwec(8
zywuT|iJzFqW4oz0^l4U%Y};E8`SXkW8n3k;xBpg}P3=D**_vM!+pA)GRc!yXEc#0_
zc~xw$itRsM7QHIAe^eH|Dz<-86}>99e}T*Ps@PsVwpWks)nohjtl3wO?H^dPuO8b!
zGG<>rwtwQxzItr`efpxWitSagy(+d>#rCS$Ub~`yrfgojqW@^d=Cv#O4`yusZ|jOq
zo@f}&(PK*_XiQ{TRehjaj(xI;G~dQI;jiTln>X$JKroclyRHSTC!T9UNxDNY8bW9V
z%Yts@^x;lt>p4W8uDPv_N8cg|Yg<jRh>oGH73P{2ZCAN0^(MjaG_&yimnNwoqldLd
zSSuBT47ucY$CKOT6zLHel{<XX5S5|Av`s$z6#(tdim;+q79!hnqU%;~OJg99`_uy$
zO>Q%=ZcnBTMf6%0Jky6$>|(Mbr4VpQD`8Q?Ia&Q?fWQewi>D|1|2X6tA}Egin4{pg
z<wqj8OJ{ZIaH;zn>i(qj#ZLY=)aWw+<qqvP)LGGQsAJtf+v%~m*!?*oCOY%ai^q9e
z>ef}bl9maC6`3}mTk(dB<B|d-SXV`WQ`3VR)<t1p6e1GM!TlH*iUY5&jbvP7Kr+%x
zU2M`;+9*~CIvw+!(9;kRQ<^g^q~pt;OV$j=#~c%(AMMeepx(euwLIfjXCzH{J0sQ8
z@adX9?;55?R6Kt!+Jqy2t{#9ilfV-`g%N-|ZIY@I4EqgM-3KL7s*I(m8mJNPtNS(@
zBT?u#lpfUa+uAelH}sgH>w7xlJKL(I;F}FU&@$bi%NS$Y>O|}!nHwX8PwF=o&Q|&e
z^w_$wa!mV70BI~BZ_s_C_i$f3bw(0CRQ8|WszkuYG_!T6rCRnjz5HkJo^{&rb5%=L
zHVnmA;07=SHiZ(8bUlW4$DtKLM>5%DSJa%QMZbotW`M-WV8b_?SZT3d9b?55hLhKL
zPVFRU_Uew5772t@{*%7z^Ark<hZ<efg3_T(D-#RdSJ@fZxV|KA=xkTeLdhlHyOhV1
zB#kFU`M!8hU)B5zwOza8nGHOzN*~;gl4B5`2a~&e#POBdtg}FNd-68vjkmcE%Eqi`
z?LEXj_MT(c`3fbDXx3L()Ura)7W?73yDda}`k><Y9yyoOaZ?SF0!`*sGg!@yD6`n5
z1`k%kh1KK>i6)S%3>wO0i%t3d&u<MP?dg6N5Gbg(tfFZdg|l@XDhDkgmK>Z3so?73
zYJAfOFvul>yQoyduPT^Lb=5Ui4M;CUB#WSTe9u9IeQ<uwPzLaqozoX~YLGSYUC@!2
z5BT_F_-uIe?I=1j>X|suv1uiUF@L1y@>3ng%4ZD%4Wn4@(&zAO)}IzJ9T1c3K8z;~
zs-hiBc?w_CmoWjfqL#g>^uw&-i}>5`cO4U=KH|a$j}TuWVzd5`$rnQLGQrH`Fq8ya
zGx;y~Xea+1E&m?_TH1dEXEd)cdxhCw<+E3qy=Jrj0@{3q*(=OmVfMe1b+6j&KVLum
zD~f>EZ1$SXUbES2Hv9jFrSY20UbES2Hhaxxui5O?o_)1v|AT#iSJHeX%~#TVCCyjT
zd?n3S(tIV&*Vg&}`FO{xJ^P;??s)A2ymkRz2Z8?mK_FtiC;?%fRq{^4c9%t5I&i5>
zB$-jEs}I(j$|$w*-SvnfPQ}j(cIF~>DlmXNv>7GG17J9lmyUU^yGu5W4NWflON7*h
z31hW_jE(=}o*f?GAe07D6P6jbRTnNvh;x2Tdl-MKXO|P;u^Y+Wy)`)%^&Qd`H8XB!
z@9hj0>*CBZM5XN{{`Fl^DDZHE<wdtz%+uXor!5Sy6y#E9->O6O;`~@NF=r5(oJ}5M
zkfJOPh009gVXyON(2v=rww(Kct8)b*@HZ6x{hQxV%vyTsF)2=04t_0|?_W4CpkE9d
zIys5ifBlBaTKWyOd-WUYX#%Y98_J*fHxz>3OW&UZe4VINuePGO4rZdcwu<BwJ0$cf
zJtyR}PI>MH<tj$R@L}>sn_2BYvDIwgc;M1IRb9u3hRR%s)Dk6W6ga(!grSGQ;tLsL
zc1z}FdMom0JF%M3{N6k_XjU?JF5~jRy6x@-Q<!yM+z4XJ5rlWb$xP}uXrF|P9YyJJ
zBtuF~E29)g<3q1?y@h27HD<GmrV>%VlAubELl2&Xkbb|rVX2vjRex_niW2(Ji1Zcu
zXovt+eDa>AsJuhWa)qviL(S!@q?4{10IVV-HJ`Riu#jAV$5}>X<O}xjG#_>7zmOer
zni4Z4-B~y$Sv+)K63!@9VBj~oU{yWPnW||mMUYOrXsImCHB@bz|GeAVZa&qneu;lm
zHZmh-6wMiLE1eb2iiW~CVDN5Uxqp#hN6CL>HmbAuMyy0&F*wSQ@jK?hCfZS^6?8hz
z*t0K~)L}uW@Q3bk+<Z-yC}yVB+<IB8h8f{eXE0scPDH&%%S^+&Na3myyo&nn5>r$}
zO9pG&@VAX2qp}h2ny{yrbTVNH#B!RBctvK2&9G!-@Pvaux#@JlbV?Wbq}cKBY8SR#
z-3(b8y<rc>9fwRZ>y!DgB$WcRAEua8H{XyL{0ycJ9;{lE;&AAgRBbM4j4H{>TF3Az
zNcs(hr<{97*P*7&gRckTzq(Ey9MdXr6B|A)reU-iK5Qus3)8&R?n(c6ohNo}G-|g9
zVv@y;=313(X7r>U72#_o{En|9k8kb-l!E=Me_!DH5uJ~p8M1S6W&wT69W6tY{^-$d
zpJs1w@IvG;VyAN9gr1Jwb**|SU%`Z?Y^qUO`^F}EvQBMpWJt=&#GEsNO5X~UNM$7J
zERGbV%Q%F#yUU=tJP4kULbK}hf~~9-P`K#}b-NH%bTB1?vdoH);e1O~;4IYM$*R_(
z)!-PLv2XECJ0{VX*-f<poM#`ZL+uI-6~pbNK!U3cGOPWPg|#ef?n!g=eu_t46HMO6
z!nc`|BH>%ypWu+2e;@Hzzy9yAclE6`D~6DNN7+;b;6iA6;I`%@i0o;JY})V8tr^r6
z*!VU?{^0B+QuA#8hk&W%a<!@vpO9fM(jaK+lu%PH+@Q8{&_dG1Jy|vP4JLgbenZ_a
z9M>cZnj7bHD_Ev=)6E(4G3C=lI!&*Z>%^xJlWf^}ELEbJrg^Dj)04O@-{^(J^KU|?
zYdG67!|JRStA)`uDY;<w+Ac*bWE5<e%LY;WvYphMhd@Zlo&p<QVI>AMpQ*jj$)QN0
z9w2r`xy<1CuVT;Qh$$|uQR*}bxT2t>Jr4xC0MI|y?>2{UP#lRx9S)?d)$8h}u@X46
zB{*tdDW-&axbnhrv}AEi?$IWq<Xz#r<}X?j{U|FL_)Pl?`Y|}!dTve%5u<X1#4ElZ
z$vpinNYkFtjF3%L)Ye!sbdRN9>`OXxo;<zYDiie#x_23|ZYk5e<{l>faSZ+w7vM`p
zJ{rZzw;4uyYH$R<ExgsOSkhbR2pl{?xJaJ+H^`K5`=`+-%jn{^-_sR`Y@{a9EDXn4
zfVuB!O&_2ellg{T?AGs`(r1o&y}P&EZ3`0koy&2wmo;y!iV6$fZ#|i2d^tZmzXNc@
zVN8mrw|I_hn^sJ>=9##uU?j8exaa^xdMi9C4aUMer}8|jcR5egk_#gT2<*t0lld`B
zKN0CfcOzF8Mb&W+7rdRB(<5WI1+L)Jwfx9$2GNxsmQqq!jX8a=mY$2k2gfjXTDG;b
znR0D;P;NKx=P{#R9J`|0xbWHJj032NWez~j<KyM>SnW>bu9%<2i8YvK)B!d?|LpEz
zIwp;Y0Lc{Epk6t0|KCtxD)n@H`c135D^+#*<pG{{OHm!t_?B=HAN&Z$1k)T}sTQL^
z+w65e=^Emy=Tj7izBvj{fewb2gBT@eGacE%gVUXKOY@Vn^pgfbPaIDO>n^IvbqPs<
zZEpX!Ko)lH>~cmwk(?zJMz!EYFiR#AHYbN>yQ~TY<O`O}F)IwMf)g-^d_c6hYxO<l
z67yGgr>Z2RdZ}}|#fEma#Km|@*>kWcKZx^_7?AL~VIU>W)^X*c3Q4J8v(|b95rL}U
zt@r+nC*eexCwN%27xN2D6+I<&q_8gi8^p*xOy>TH&@FKc^-+WTSOX=O5RF)sOEgA}
zF-DJ_o6F>7j)rHI>FGr2?|N`Q(tJWoc2&@CCj-UT?}80$;n_uWqX`1B9NuWozR$ad
zj1jyy1n}MIip=yIw5fE)q(hCa{F&J|JktBO@%?`z=KnR(|6g!vj^LR<?=<M^Z>XrJ
zZ@-~ZDnMfc6KvjJAo_=bP-SijfV2k%rlm|J&xZqXg1sAQ@x&#(Y7Gf)ik;AI@AR9a
z?->U#P2cb|#^PzJh?{EDT-sfc5iL%GdF85)Bh)}`_OeRz7|+2jbH&qJH4S3Z#rdS@
zW`Hz#E4V5)(zmU`A4`6uP!I7YajgY6>x#OZ1V3EgB1nFP_Ss<G_WxCKEo7Ahr_OJy
zWoxKpc^u)v8l*|eg|F?nm#z}Gk<D+>-K_C-KhA2=UrI~@R&TsKd=pcJBJSIowiEtZ
zTd`l+#)9R^L+M*PwxE{M{+d>$PLUP<eo#FJz2+<nCL|j`>rv*Ld2G$YOgAe%j~;2o
zLew`|glFk@Gqa;5t12*=>}(YTrlIC}X|4utsV)R)iTW1KTkxc0vZ^v!VL(~V$yf`A
zk`eHxuIO_i4=z-QMl*VtrFyvzs2HblRS+?sb+~et7vKX}gGzYtl-r&INS}zu<@-!j
zq~%7tGVy}&#NMttmBM)!Wn8A$=9XiPS$Hn?VJ3yH-+i`i5F{9RfF1(iH=it)d{3Km
zyDF$R3&Jnq*jyQtW{_>9vWNYE^`oqwCa9X8rNbLVNiJp@;UfkPnHX734|V-}>Y1dw
zL!(^Z7FhA~3vpQLoT<RER2)pQ=Q%zim9wAzd=Ew?$RwMgI5`6J1?o@|CN8QlWpp3D
zT!^XZ0uqx69EN#1i)eMgUuvxv<y`Q_DhQRy2&gG`U8N!rOL;Nf-})@!B{-K>I#Yh6
zsWL;|<l6T_ea6XKqoKs@F%~0eXxc73p_MEC;y&k^O7a;ap#l}CuQ<ySFnBn)1#~f?
zkkJt?pzHzWA5g6W1u(_Z-D_e8U+BH5BkR)bFaLZQTxc2670rOSy3jW8ImCA5louQY
zYX>MSRl&{59e#>;s@hoXTB)5kQ12-rGsRP`K+GbAuAIk=*d_kH;>70>;dJy18(T4a
zdd?YNSj*~e=7*Ybjb(1Uw)MS8Pc@IibV>DbTy*ir=SmxjS|iP@ue(Q>=eSf#*B_?0
z((%2f)qn=6{r-#K1qQ?6_96!6U3Bfa$VomMKL?F~2~&$yU~HDgriQ8uurk<r?MtMY
ziRmfNlFf67Ooce2QpD%+FBx$b$CMQkKJR|8f6ULSeWO&9L2W|Xnrjr!YRy4uEHge}
zY!u10fjy+Ii{%yg%;yl18<mVx)lF~TgI6}JiJ5L{5u$SV4V}f^2c$-f+QR}Xi30+i
z(3%86Vm}+IlcBI&g{Kf>Ka7)0rz~`1IHi)KO6IulI=JEORDHJ`Fy;uN{V1#bU{->f
z-)>+$n^s01d6!DZDp*(14ab@>tfMfLx3jJJjRk{I=P5$rLcR4K%TePgjBl?3TCU|V
z=$+;J5eEn5BBSLi{(?8~IkcOZ)w`+GocU*Q(AFH5HTh{;vRRl3WbMW(9HS{A2IdC{
z%X<b>k6bY*j1MDtP8`@`S{)P4SXJ>edI~#H+G})hkl2s8V=FnIfb^qzJ2U#M@#CqX
zux6;uvCVC|i2|YLW6(|78f=&e8ZPV0r+`j;Im9R$sbc%i7{&3Rv@vz`qmNWsC0zN&
zRTn?v*)=V3oY>2mGRD+P{9t51m};bg11@&ddN=r0kOyRZJ$0gTb*xk#`4VO7cjzpZ
zEtALEjUYQ>Hiq_^dJ0;u!klo{;+P^|0gp?@ni;vrt_#8ew96zxQJogxuBhDb-1dUj
zWzh_!+qoS~D=3U3%+ht)AJR_gJXEsB;5V3fghfPa1sD-Z?%f!uD$%y6$S}C(t6U8a
znh}Qn^mV;`(@8KOyF{~8@5PE7iye-F$~3GxCn_-@DUWkBTlk$vJ$e*{YS<^NwA3iQ
zF3MQauWuy`0p3?${AD?lW--KK%T*z+306Km0VT(Vx0U@1gjU?HDd2_pKy<iY;uet5
z`QYnI^;EE<Xg=0f{+)PcC}cr;4t3v`Yu5++9+UlAj4wZ79){*K1$nI9$5H7?s+!7C
zO`usGk@~f_F&Xpcs~^Z>7iAutn~Eiya8NMvOz^qiYSVJ55%P-uguZ9vpZ5W|Kcy!j
zkHY|g^PlR`VdlU75{S#2VIFW&vF@WAV>%RxsJZIq&-_`&%qp|cI(cX;=>&Z{lApT;
zzMGS-%e*Oa{S$!{mOv;@+(i;R8-Xvq3i9xsPX9?Q2l`lWQa}kfeD1IlnqtQaA9{qJ
z@Y>iCs97G~u!3Kto=HHfj1*b}_^vS|$u;su?&-WjA0s>0lWQS1R1|X3O8FjW{*e+h
zE?{JQfGbfn6n;$OO>s_OGr2AKXmYRAlSHtvNRPl?^vKMxhD5>;tN?$<{D~Hr9<Rq{
zx;%?#n_qmus<ux$tS>lUPxgz|c6|d1mdd$e&DYawpVVMAa;*4B1&I-5&;uY!!>gli
z`EDn>U58p^Ilo=gi%!jLPz*UWzct77Bhh0tgc!w2%nv`zQep<nbcmlRkM>g;*mTZL
zHEnm4{AeRzAO)VOzFkAC1w1U5gawgn(=XOEYLvHcJVrE$-lJ>|1GZNKnRNmZ)U?Ig
z!DaAoh2>>cRbx&i!r41>v`%V$A<2*^rzBX%$|OBDb`<0K2G$1W{ZU)ZYuiRksPY#s
z#o3~2VoTK(MUoikpt&!EnNtC*K}CgZ{?O!~#M!t<82K6!Cq|H&wpGD0wtX==gavD}
zbzlnK$4p8u*f;>7Ho_$6(DEn<hMztnPT?pzw&iDmag3ZZJmLq<yXeUMYa6Nb9^R2o
zj2qI&kB6nn3Ym4^Y!PkuJ>);fDSb8kNo~!@k-%d`feFemMz*p1aE?03uTBS>DA+I_
zm~BWFZdvH#Ubig_lOkc@dr3KT+P-~s_H8WQsw4?UDx@p41`<@_{mUHQOw06C_r*@=
zBv1K9t;-~Bw+?d6ccr1mqgp&hZ`~#5fN4_z+P5oF$HuQ{tl{uQ|3K1pT}3)~zFSDj
zGeO)dS<G`9#+{Eor~X(=EVVw=8iVxQ&wb0Nq(N{o>~Bkv3GK2=mAF`wAj(eEco)H<
zM`imWPh6opzQ1oHu6f$}hO)I@32O~(ocV#yp{DH94`-Q``N7KCWTegM4ssnVE!4FD
zSw!ghIh&sH@LkH=_IrF#r4nk8#U(DN!M5j<T7Gyd&BNR7VCoKT=w%5cC-sTb!v2cP
zMxmz>g?n$&Fh8Wr(6`x`>hoPmw5wz0{+|}vTIuG_BQ;&~Yi-gAE=A6<J!zBc31Z_d
zWrlQ+r98KXHAk}fhH-@&^-Em_2qroJGhXd?2hFixF(Z?>kF<s){ma$q>v!pOPyh~#
z_0xN5=EaR9c)AYJCN|%L$vudCV88}jX3K=zMXr{pz65D%F-r|U`vyktu9}~to7=4)
z1x6&ze?#e8<&R>00MsnG#wTZ#h4E<|a)*D^$Qi6!m><Gs=}Taw*JG9sB2c@EvG|E0
zJ}&*BC%p^&r6_74=bRqEFTdMwS+Tv>Bi3$4!5S>W(&4-1c%l@I-$-f6S0t!~P>(Lf
z^(0~<2?<AI-aF_d7)b{2d%Mi=x<Yuzz-|g(&N;Zmcv&W2y3>@!)wC%!SL&B=mnO^F
z(UV=Z5K&X~Yclv^hzgM{&&0LfL50|8w&vcG0zfAk2`0!9ee;XpAnd`%!e=(T>sHgb
zlG`F@or;=7rWy@8NOcITocNGdxaT}&6=;IACrj$-bYOAK!7fT@pY7(UO!)JUCEIch
z9S#1%A7;FwVIn`w#VS`pKiCdV$*6wl>b~nFuR=O5t_GHUGOuCTUCm*syrk0{ce<^0
zn6J~m)2P)3TD?ae!?Y|Q#TZIQH;vT)sf+Xx!=NCJQN0hUI|d_Rf-TkPyP`po$L$=~
z?Hb=hN1#A+i%lAJmXLOR6rdw%zM;m>i{sY3t+HHW95SKUWXj8HlJ7+GRSP{N%KM4d
zmDVwzFcsf&+dL%z9<>|JL>ux#cCTCIT`^OhGiPV=#<}!fu&I#{;dD?|TT6zb*oHG^
zPW>40GoNhhl;=5FTv^;9a^yqMt$SRCOV;WDCZ}BFndBqicY)%P3I{+jQElqx$sHQ7
zB)1k(_G2HFrc17-v|ZNwSgH0RBD|hc&K`y{_zl{sT>yM;U0OGXR6bq(lxkMM(Mgf=
zA~cqZ6n?UP7!K>EPoAcA8Wd8$3Be4EiTl#ETn$48?nX#+`?aHK&Hz%bEd6=Exre;r
zC4x3xgU#2Clftfi#06_6%A-;(oP4ip4$~3Ca^GA<O#dhutyaPW3SSqOp3E8y+Im-a
zFOtufedsiA;Iy6S8`G`RyzDc@R>5I$iA(((M@@&Fbc`<&dem|&wlET>4Dv13Qc~F9
zsT1>sQtVP?Yuo}NmvPcm0+J^E7M)*^_$9UhOl>Lt2~JD-xOJP;hKy!BF#I~!yEMY}
z!8&%-x&_(Yfl6nu3hZ|bn%f;?8tGba3?fOQSfRCUD0=`+`E9zo-oRk75@Ycj>}Z2u
zBnP9{AHH>ti7(=ZiZ#fF6mAD}?-{Ezs3J7j+}Jjkb4BORO|Uv*R9LeGr?_~^jh1gq
zi+vSJ!+?2WBwU$NZMBdmYSi-KG+X3|h}#M{@l{>QOgCt(6kQITT^ubOy+TZIaTf~5
zRt?2qQrSl(+~X^@nhFaI%iCp?<Vz|m5Sno~IcH0kMV{ubobwV)fHR9dH5$$rT*_R|
zEkhxSUk%O`LmvK7A+oGEXZxTeWRB?r&Kc*5HF=W(N<D|Yp&}DnIx1Y!Q4}>gTr4Y&
z)zGH92{AaHUPSV3N9%a_TBR-C!B}-cY)zAp#8iEa^vyjCg@vyHP<`5EX|s6|*hDiy
zyGC5>c|>TlUB5Rx(qF1MzH!d$`Jfa3EGBJPu?K`&)`HfVfUYWMt*miuH+<U8`T*+0
z8=eokM{6SoHx{LT%#6;T;tDi!@T{}mC?sp;I2|2Cv&J`~8ZAG}CF5(2H@A-YqQ1mo
z@t&MMX*kFC(A5d|q<|=7Oa26qf<%pt*f{iNSxAN>tgFkxvq#87HWzRfeMmr(_Nlf*
z0hwB;?aDgI@29GWmm>M`wH(#?h*Zc5o@`0m-Hu74rnU1`?iiR>z;VmJ><rCsDbz+!
z-4Sh$YUu1nb|4pX<lyVw&XHs_R1(T>sCdj1)}tK9N@t(+!H`PAp5{Y8+Y*0cmcs0d
zn<&{^Bu6>|ijWmBU;71Lf<RpBh@h<!!ZD67Q6(c)LS?{2D*emC-0IWiH5O6neE00R
zh_7)L)hK6nK$bXTW#@wjKf)SVLwd&3ODNm8XpiPzv8YckZe49)p(n6+xbbAG0%~X4
zb2EvloFR!+><9M(hx7J1phOj_dWVLJ+0eP_9jZ}Zw33`8t0)rlR+6JxG{4&#S$!t3
zvJyDMh;j5x3sKUGOUX7bUyKu|42<9RBn_tIRq>F1H;8u8@5GZ*&WlCRlH^;}(^0dx
z=H#5!3h+I79KN;?>ieE(5)9dYu1O~N{6uQ}n2Q2Hu?!@mF66|;V;G>epCFD!Jl{`w
zsvj+{tP`X?7GkS7#q2xjBtG_{GCdS65(nLgHCBAiNAoLEIWpp?Hpo(GK`^aa%6a!#
zB~jJC9VcZ&aIpoDEqjN#(8zd##@U@snwTPDeX3r?Z!4klaXf8FR$7<-;}_Z~yt)b9
zb}HtH^{m}8>s^E|^}Yi5M;VtFt73ERI3yoyl5^8=z7=+4&)!gWcI0MFiM7pC0&@z<
z9jyVpELwP^gCF=P7~z+Sxcbgz=#>menI*)yyNKM)7`e8Rb#AYQ+zUii#_t)rD+q}`
zvsh7#OTW#ajVteAJR6I4rH?oegEGk0*@{cWoxIzbcfY05xn9%mMPyi{1vfTkP1%{w
zj(NLhCFD<4w?Z;z#=!EN2$XI$2C2$7+qVFYKN~=>m6WngNl*{M16iUYBKvTmsCfJN
ze?#TdWFf1ZFfoF$!`X>iL>caBvEj;PkM`ob-4!S;6OHnRq(hLIzp>?U-z{9S?k98i
zfAbg$SiI?G-EZ3~XQNv*bxOfg^2^Vw4p)q&u|hDLI7l0k9<UYTQ$3=X_^=Kt<UWuY
zP0R|$qtXxi(N~k@^q#&@g28>RFs8pet!T3>GqsW5$<XRC%F-)S>{_mFrf>grsD7UQ
zfJimuz?5)sq<OWRtHA!ML!dSGmqNKuA)#BwOP1is;2rOPR9y*YXT{P(a}?Se)Zm-L
z4?jzil_WGiMsjU7)_hnL8Ij0xf(gb!;=naY%*pE^sLi5x>^@PSX7J^`*Q)(it$5=S
zVy7RQ{%j<-G^;y#IOV92loB9j2Bxs!4aNvxf7Ss-nc#7i>yVrCfX{v)@p&wtKbn`7
zByaZ}&Qw|P&eDP{!%S?p1zHHz*|h?$_Vr*uTI<oRH1(*zTy*~jac}t*g%`CABM3?>
z-AYOg(jcYMAq~UO-7_F9sdRUzbPWT{zzp32(mlfrrBc!%t@wL<KE7X{`(Eok=MOmR
z?6vmV*WUZu*B&a`0hN9D;q=OC@!JFq=eO)9Ij`M}wI_*Eoiw&yNVAR7mk#27k!b4V
zUKabNgp$B>P({#Bo@T(ndY!H5Woht^8MMmkuV#WnldD7hG)gTOnc*4u7jaAbvvB0u
z!zzC>z;+ejaf4*S^tUAx|B@=N6AF|LCMonaj#D487%doF3-+e3N(g!WS=zzj&9YXK
z=yq(NA6w`pf6Y3dIk6<240&(UhbDF9AF6ksZ44c?+3l`VxRN84s|qL_D04uYa?&%a
zY1cXO8Y%MEm`!z>ou<-@wH2@9ZbjDgv!PI&gQ9c;VruUd9(h<vy~cYw>S0(I?;b55
z=~rpTL-s=9BD)!<A)(iayM{+C5c%4i`$oXkRGFjV)qbpr#R0}_jo`-ty9tywW97MU
zH^@|28O3+#8UIs#6?vGF6(gfZzquYT$|-+Yu&Tx3{MP!_`U@XPhhAItQgf{{ahw?j
zBc6qTWtp_^She!B?ULwM9bvS!zv+M5<pA)J#v3HfH^oh(CU>%(kY*t~@(<nq0@*zv
z7DHW&6>BthO{OzPFC`<+pOdJ3_#^t6Acs0c&Z{m;QiJz)z|nwoK5yx3n(d(?v}k~{
zL?!fg1K#-A{q8?J@B142-vPM0u-)A-mYMjgzioHVtheO*D)#^FD7;ko-1K*5a}wL+
zFIlx%LU(YVvg7g{oh`4S<1}=@Bu2qr^A`3gErFrCV#M6_TBGIhasE5GJhPe-)hbdU
zLTWmYiYvLFEzo79Z6|5#l{4xWGP_%`MX&x_AdfG}RbxD2DU`=#$xPIm=IxtKdcXRk
z|M1E|=55eY?sWZz;0OeEf(s*0pm85wRke4W036hgPKoq{t_#dRl}_)iS*F1ns)Kqq
z<2h~S_?#m13AS^jXDGz3x#YJ~4eV1xFK_-t9rD}g92qZIlaOkv7#pu+!r^obuKbNv
zaK(-}NIV<2d@_%pETzwP;`uZ(Ekx0cYE(EE=geTE@OEW))LQ3;v!U5K%CgHGfz5Ok
zFeAMw02a<knAw}E*;-EZI<E?tbq7#d;l$|V;@%4$8oZ2FR9U_TnN#mi1kFfyVpd2l
zgR6PZ6!VVcGgyaP8q(>OY^+qD=5c@nA!5?Yw9ou_KJq7Lmt*zPQ^4+{#Cy;w{^R6e
zv+3aaDc7WoJl7k*I+L=jUu)IcJ7;z6>sGJ5bWp&HDgR_g31EouG22N({7?S{mxj;S
zeJ$1dg>TxGQNToCn#3Ia&RX9JXP|y+U5`{1<WBz9(D`dsYec-TQVZZ{!SYZWoa5(^
z@-|&kZ^O>mZDOPLr%0ucQ*FFMx2+gMhDHLx!;G*gXGix!nD0cW<bQaYsKs0dCo%wS
zp}~u#SszOZuI4YJZm9qpEWQG0+DR-k)@~?AbOy~3fVP+rYFz`rreWo?4)HMxzo(0}
zadlV;ma;u037Ui!^E3z3t$}4DZ`^4D6mZHYI22n;S@}Y@#D45hc~GwY&q~-r=GWqS
z4xCc4#qh_(Z(xdxAq+E5wy!x11$|_0By&F_p4E-ws=pM`j|a2MgKUBxC%G_8Z$}5l
zny#+Z03;zZ<g`gXkQ~XmTHR4$2%|R&#vMZYT@$0*g#J3mXtH%9lvVDO>Vr9L-bV$Z
z3tB>|X0nXyDm#M>h4cmztn^*c)n#)-?Vs_<X7;21Spiz*I}t7Of30AYyXEu(Cm>m=
z3oYI1WQ((nPg!C!7(hG>ffr3z3s4Nl3RQh>5I$+>xS#iz?7?cqc{Y0buH2=Q98%#7
zAjANzXsO!M+~%(mPe+r9Eme4^{N*w>U+VA1gnqx+#)RHZv>f^+t}EDEORRGqYAgSH
z(@oPbk(_1H8psHKT)Z;u=WaFFH#aCVYCQi8$hs~|KxDa7B^{^znJniWUd~3G=eAea
zI%{Sa)H9QZ-i-Qn+TCBm#5y!w)#%6$N45veU^cM!to+8OW9<~ZlAjpyvyTT<#zs>c
zRrT9U2omtewN-4lez258<0m#W-uuPoKu#)HTY;|<#}-}<tCv2q+S<9bqX?SLt%Ozs
zChM#D=fU+$6n~kX{aF11rfO(9C(>wehot&;0VTG>+_eWjf8k(_;5KAE%oDz&MD$pi
zX*@y#*{dB-EG4bzp>em0Qtj8=V|eMhat4hKGg7fxeJqC&{jOThJSSC;qT@iZ`K4Nt
zN0{^xmpqXtm$z9$fqv3AMZ{&>f**X<qXyRB@4h`Y^$#nS3VXf)>?yXj$E3DGXKk^^
zsH22A`}r&L@%s^s$@m1})&<XZ?I`rqN+@SG-bf>zp9EQD1iRQoCYAe)Bpub9$L6ZY
z<icJdCJ}Wt{mp9nfeU{lOku*y_`6ND;am6QocS}@tNcnwh4q;O!lvotZ^1#tGv_UZ
z2829he}}u6=$~eXzTEO&ao19B5<`M2?Mal+RFybr%Y*HC^(#5pf4$^39)=aFGZatF
z3BHSCBm(ww6o_USm*rTndALtxY)YX2*i3wUo@!yMT~%nEsT*j52+6@N3hby#MAC6$
zVSX~OuRs%?`2~~er6|o|_W)Z~>#0X?uz7qOH)j-U@P>PEtyC9Lzb6tPU~h4GxS+~y
zRs$Milb>fXplS-aXLA=yxBEVH@R;YFDe%uT<Al%8UB{nC{Pr(+0}iNJiTBZ;TNpUb
z1@Hd~H#EN5mE6?#aL#s(U+p@~QlUQfDI1puhZ#d@9Xt$Fz3ENb3Z~|Sl3K#471l^y
zDV|a-Vd9Hw;k=-~y>mWabUr;T58x+fO+Y~@Bk>h&+RwQ13>5_fIg9LKbJU$<<+xJi
znkO26@A(LQfc^|2+PJYcKTQ4pv`t~)AGJq8>bruC_2(PPioc@+VRrXthoLVoJx7<W
ztoN-}3R3gL$L#fL%?CCM6`^N`1^ZI~0p|C3*Zm;XZ-n>@?`bGYu_ehyABE+%YphHh
zAL_tTEfEr1#CDve{kZ2X>HIH*Mvwo&)cm`?|Mi-0_rmG5Gv7ilfwAZDLSGokRC1f~
zj{-PTpcUNK?Yz&%XpxLU@{z>W@;0ZlZO}Q~8}F2Saluh4bQI0FpUBKw*5bERsVu$*
zuY^^66?850be&6NT0SjgY36bfjN?9+m+({b8q0lWx@(a#{nBd`5T>wuu(-o{_8%Sy
zbp7lnPPb{_yFU7tc0L>%y#gh`mEQ_O15>?_1(N<|gKd%zx#;i}RR|H$l?4wL$lfXB
z=-<s9&|JP`cQ44b!SK2AB3YxHo@zDWR{mtH^(r<-7qWdPZ+YY|Ujt)DR7H#4h)DKk
zJrJx-_FA_rX@9USEB0IFMRA{oY@8%~9m!EOp2eu-|BFsESld;`s>?ad7Wqy;+L^cp
z*|Dbu@T$EM^2wJ=8h(_Szbx#gDPEcIfTytPOy(6iKlbmJq<JaD9*qXitO{g^M67}w
za}%<BpPOS%ej89+b>!zE?^fUD?PXRY4oLjfknkx~KB1v`I5thm-rJ6B4$h<QoJm&C
z4z4m6uqG>XbU(ekh3;h)2GTo9)uR3-m}bXJQ&mXC1RyuEGtSa>lAQnBkEl2i$E=$A
z=iXaespZGV7m3O5$9t48{>ZC@-oZL7^`QXI#`G|}9u+OsF2u};%rrTWbP^75R%QVb
zv(v%}`2~v}u!nKHBvG)89ZgPcsm4mJ%=rez%mh(XP+AB!NcjZUE>zA3DEd3Ppk}O$
zT#i_-ox2L9R_zi&=1g~gI37Q&5gv4+cJZ7;&Y6Mzwoytu>jAKOA5s6z(Dr^*s(*2T
zb+;KDy8p_Ct0BHjACTef?VPZ!M%L_=L6@MaI#HpSRCrUA0>1Skb1#__zIM4fy|XJz
zs-59sG*ZNBqJX`OlH-`~2fs`f_$1GT#y#~Ru|A8)Rf$3^w`iIMEqA{sokMv{#skB|
zPwXc6bdBC@k8w5K;&Zg1H~>Gn#dPG+Zv6hSqXEsQp-sEBR*xM}orlal3GgPa5!Yu`
z5K9|acA)R3<R|H&?6f13bP0RgvrYTMJ(Tv<g(X{A%X(z(5QbEMe06<ad{4Z1wm9Dm
z(1OWkl2wz(9`8(DGnAw0Mtb`mM?B!06wZ&@h;ACyPDI(R04?LRgPMGnFJYmLv}KqT
zSqGb#wl`22@4?~xfau2(!x@9)Q_+Jna+iY#O2#~g{O8rPEs@n^h{_36D;6{;WtV6#
zgU+0UDXc!fnJ~>&adlpo3TA^(XWGBUYj$52=m62)O2nOl|9%|<RNj6rlpjaDE#`dv
zcREnWzvYG$(Er|!F!02r`GC}M{nIE&XQZ4c-ecLcDZ;GWh-a~{rV0DSx5Ig*`sH}O
zrN_gVwzTyKlKDZ0LzPi3!Y`x7&~s9Kq=}zra=jzRL2v)@5BYi|q^eDyIR$Y;74+6a
zIsM>CL&x`3TElE1X;}^HPuY7|>Ku`PlF2jH@+0Oz%q2b6*1rpkn_A8Z(2hoW`oVJ+
zC4abUzqfeb*3~RB5YgisE$>iHKiCQ-uBWG1YqBTd6#kp|ETvGunGxX`koj{-_A(a6
zP0Q0^;_-J^S5Gp&hY?{k>eP&CFkqC~-*dFn^Wcammy`H%7JGQsOwV$k4xxsdOllkz
z2&^U)=nuaX%u2N_oU?nn;^45`)otKgOq_@vFBlatN?mtoa7&-_p*|?u86%zdY#Y|b
zWlG~}#q{f3^g{POqgf<O-X`|?Y2aCao;qi<i9e>J_q2vI;{I)cj{DUi{Kg1b=&hV1
zssg7bn>dKVZ>R;6+Y~E;r=1^`+cLD=zO8q=WR3LTl$~I^O!&HD?&f}(GMI4JO_c+8
zf=6BKTq1RHOCk6<BC+1yGM(aL_yJ?4pP~bQks4Xa`79Tj4F&e$K=b>O8JT;-M*QbQ
zsesGnmW4t=SS!293-CcU0a?O=%?lcpmzL%i`aF>+c`aMX5JfuGP33ieS<54b-dv-4
z5nPY}E4h`nzS|ERmC^mCuXv$sZi;)>-n4_Ed5%|qDGh!?Pf&w*dZsAodj5|m#d@<F
zv*9WfSV?tWmZsqx@|_=khW_n_iC3>L+4v#wF^ziU_pT+RbOv1#af6m}HL&a5FNcU1
znoNlL-?m`2^Z)J4HqDY(K}X<VC)$DbWs=y;r_MEoX${F;s4mIa4`_y$_$p_JukCle
zn1h=(687y;3M}RqxY|zkrxzuMMaAgrF}ejqlmT{d(H}H#k)hhu!GR6xvT0yvBmY}&
z+zM%giR~x)aCt<~#t;_}&DjloWymLRavo)P;b)ww2LZHgCTD7b^=lXD^D*`D2RS6H
z$D2NQL;HrjF3ghm)EY}dvq@UMZ$}ijCb9VmKjN=WY=szFa@$J%xML!A793EEMwJK<
z6^4r8<~3J9TbgqZRiA7`6kDK_frQu+x(TqNNY`j&=y5ld-$UgT`XAm(&dTmlLU4Sx
z`!@6EPtXu_;VxTlcKtLLSdeMl_6d4YpD6m{3j&4U0J>ODiL7ClPaXhS?dXtn0lq0h
zc~!Zt#HEx_+YjLd*&bzIyYoY>&SvZ&_j&cq<dIgmHWhObzhbIOTyB)xZ&tWy3$fk<
zX6~w2hA!?OG`D|a9-0VXX|pEHlce;wv!ge2Mmxddw@n`8YO=2)nwXvw+?;fZ8@Y*r
zpAylq2wq)=cL%e4_<d0peW}O&=4}$&w_1gqZ(rnGJ!0EpH&NG%-f-Bq1CC5C8Sns}
zH`5wE+O}a~286%Y(KwR}8DJZvqm&_bCsQrpfD`b1u%*e|lgY@?TN2<+nkFXIveK-q
zBN~4<l9oN8N)a+T4f>udEtbQANaSNrcvo@4_A8aF>x8Y$&F<oaH_q3%%WgOm-J&cE
zlMLFj8=(BEY$k36xE_1bkkisVA9Q~+T9|a+6e0l>clNVv*1_)DIttYY%#OJs37t)9
zgXFB`BGXp>4%E2eprk#wTeO|!<unOnb4ms31Da?3kLmnX@yJY{4u}D5DMd_`jucbC
zi88hkpCUL8m-Ql@HHQiKR+C7j<vYYM4gO4twH0@#nfsOw_2OD~`mdK_ErY87_%D8*
zNZ)(vygQqqxz&Iz9n3H{HXC9srX^s%RL1CnnOz~;RS#bzcK!qr{G5Ob0V}d1vs(TN
zK2rIYWQE2^JE$2<N@IspS?nu-a+g)q+W{0SnWtONPOm&>3Z}Mq7+JYZ0=<}H%Igsy
zGSS7xt@fH@JU_hVRK?45>543O@NYh}yYZTwHz=|TvZRli<ys%%=%(3kjOifU&cN&t
z&-rCH|9zEk2gtXqtX*B}uJXpte@n){aX1{8;Tr?&S(0)KboI0^Ld?6|h2{$eH{e*_
zkSm$_7lI?eh%Tq*aa(9+vx_(xqJb+|B2XL~xhe<|dPLWq!Y9Mm^1$}ad;CR%#L-1)
zesde$R6=R>=zEv}?>N72KqEvW9azV0iu?WJ=%w35rg?kV4sOsjcCfzPs2>mSJ<Yr;
zi5MSxyGCreAl6lnY8tQ6<L-D*-#|-4J>2H7!EZ!kpg3ue#7m#xDUV9N0ohZZ??j@G
zj~B+!B95%C4@*J04wuSvD(P641w+>vMQ!~!JH_^NQ}`*{*=q=R@UraD8x^+m+9Udm
z{PS*kAEf1AMUJZed(T&ioJy-yrs&Kq$D&Xz2ONEOHIkZ4Tpwz5Q6hJ&{lql~x>r&4
z*3fLztM5JFKRhBd&)A}hD=Z48*d9CuW&h1`X2+)dKY?I{hpfu;dzD%4bId}<o(-vu
z#ptzna!J(0AJBjUbkHqfYLPybrYIXml`$2hMBGuwRa832(W3ybX;6>@hZakY^{yvY
zEJ_B?`Y{B3ceL#)TvILP$?T+V5l}$|omZ&2>~_hoVtY4f%m$Y+nD0;CaKDP77A|bw
zC_8`}N}D>ee*N0I{F@t>QH=6N@lA34bAPrS7d`-4{w|Z@jG@5(mfA(b+14{ZNfaYy
zr2Zjf)ny4HyncKE#%@v<jifdDg=#x!{P6|p82wM|z_>NUA7{=79LEgtV9ox>hq>K3
z@~o?1wf6zd$3Zz=F)gkTz4GjMh(|d+$cI3)UAl~e%+!%@KaQn?1NDqeQenE#VZ&2p
zZl78Hr%aOkdqnfv)NzGQrp6jEHoJU9K2X1+)n~2b7`)+?0I&tSADqTLrz#pE&U@E<
za|XZiUE%p1B$TR$J$bumdk~!+bL{EI<XfQgQ)d!JhdmfiX00eWy!LVWouuzhYHw{F
z^%gH{hvD6zOXY7}?76)6AMj?tC=7ab{&}vb&vPgHR>pdwBc$qMy7a$tBjF>)zsggx
zscS#477lkQ$Fr)=J+DLJuU|7x{MgN1IX!rpbh#C*(ruluU-C}0HX4x)hJ}bivYUo5
zJ5ALFkS)us_3{;p-8%PncgdV35<XB4dY|1dR#+SwnLzb?ILDx*Hhd!Oe`5cH<&Y1{
zzhxkqp*{3!wczX0ec{W&@u2{z&SV+w7rrl?fQjJCZPk>y8UNspme3JiWHh{~Y4G_c
zO&>BIThXD-kx}ddxbWy_r@WGL&m;ZVMmivKN6(_`ysK=PtZ1vba}&R~e@bx6+En4O
zh)M$>IW+9)Lwv(LTQTBzg@vn-REs`l>9w;1w?82@7tSwNZmYs{a?g*g`K-5e6#53<
zj(kiLKYkrhv7*~j^qSuwcdT#i{Ke`Y=a-2k)}BKRy<(X3Bf7INN7X>#@p8IxV+8Va
z3<d0?v@Yn)*Jw-kHw;Py%a&9%es92;8}U}znVZ)}qgndr8!33zBk4>vgUTNXY0;ZO
z)UJXdGv*un{I0T8SqQj2AH*ByxYN8|<8}Lis#D9sR=>Qt090U7Qv1Gjzn`i}n4v1h
zen3uit5WcP;*bS6wAtM?+t(fs`3gb}W5fceW;WBfPLiH(%NSSnri-+wW_tRrO4Viz
z8GT<B?=%!``(7)8P(AHyAVZGtrM~R@8T&6L>PkBqNGmUeq(?7@0M1N&5OQQdtlKoT
zs>tctG^Rk|#EsCsRcmw>os^M7ROD&7pP{Sh91mD2&?;`yC2Ve{oDSbic{OqXTS!aj
zZLc;c!j&vh`$l!uok=1d_e6s9Sa#WV4`b7ed#;SLJqw*wy_c<c^+??X&ywXojrb7p
zyw|?j%3dRg^4C|soE4y@`CMQ)(9bz0pILa*Ca@E?8pxkcXZ-QWe#6sY>aRp+<xu{)
zz(>PNmW#sQBf9WD*iWQLZw2M*{D0}v=@Srrz<T#I)Gj$`j75dvFcx@u^u9bMDK2jE
zT>*xX55nMhO{pY8!CApreya%_=g7$eWq!T+M)ml4nsIhkY8lXg5%lzutl@!yLg^>9
zMc;#he9?sc=s1CW45xC|1KOH*rR*31qvprL4BQ8wsH9aMvp-6aCZhRJ5%c){p!De|
zS<pdaE{hM^$=~_kwVRyO5))%H%}?cmb7g37Wscol(i*E6sTe8i)h6KA*Qd}Lzj<K%
z2Jhc_|A_V9Zvq!P|F<c32NR#^QTb-}7yi&?8xv<FTm`%_|0#mqL+nd`$)6<L{WY=U
z+#WMAB2PAwxGO&2ZzD2k!$lzH>!6To`TL8L4D*~Os1(sur@?2?Ic5n5k&p&BpQl(g
zpmDtb&bF2-|JTg&<M~V=ZA8p%|2O)p&4hC%%hA@j=Ng^`6Q@a<uhz*8qL+v3Nos_~
zR@U;x+AJ~Xt?`!vk~B*LHI65_ewX<U$?6pk@-0<Y>q-r|h*Uikbx~Vrqd+&GxnC-=
zxMA6X5zPi&_h-r-JS*8-73!j5aNF08xR&&~_nKBpwEOB$pM33n_hq6>YcuoO)OErf
z)%f%0m5JEXDbndIkZ87T<#a9?0e^ahJntkoH_J#$0g6fSJY#2O$6?%hLsMfAfH}YU
zkvTo_gYZ$4Vg=OL3iNA``D&$a+h4#=&_m`9m*B_ZB$Rg|R0(l_D$fh}q%9uxXf!Dv
zqH-cPqV2QoMc1DTbtCG(n~XFn?!_QisSe}(U<gZP>8itb^rPADy%DCVK3XR#w`6!@
zTbmqv7`J}_-zE5?oO+mhse-#u_V1<<a|;+}o#0K-DFeWAg<c!+j5waN8w)D>Y~$;Y
znJe;8L+laRw2a4Au25%MQgdnp$B6Xl9|%%BH{td&kw$H@EEjoLlHC<x?#S{fPZsYh
z;SnSuw|;_V?hy|@T9mA|GLh}Hu(4~R@$_hk)x7szOXG*!a8ZKEr>`HVxt_P|lnCxT
zb{3+n6-{wny75^N@)EH4SsEnluh-3P=Pdex``-0OOzMQl!&CZU`p50qU~Yw~^Ct<Y
zE$lbQlzW4APodGdtik?|XA2mzl64RmI`76+a2#tt(ytN{zO?*25OJUZs?V*iH`|nS
z6P=9%tl(EwO!po2<U@U4A4zzALaH?h(%^pREc24`iXf_I99OhkS!E3>2H6jsjjKGA
zPk9Y$y~m#Qc3idw{Tne^Wx7+D7U5v^F+>~*q|9}KnuMjwu-tt-!2GITj;mm_$2@0B
zmwQpxBnb(s;E^Fi-#&YV$L1fuHR=)hXc$Z!5a>bb>27}xtoq662`%|SNLJs>QfX7|
zJ7KdzS(ecRkFYD@AL62J;uU6$T;wKV7Xc&1x-X+Al(U(U7W%?FL_QpeNV<f{n{9(L
z@F%M&r`+f@a@G~DU58%bJL(m>V-Z({DGJxa6jlb)orzZ-bHu?bZ$u)vF1epjg{u%?
za(=6uNnY{e@uPxcph%Z!KQtv$Xni*RP@s*rn1eAk;O%lFoApzjmQ{%_=46B-W>!=$
zUHCJ9uw++R1{?QfEcTFgA30k3kxWEu!kyX-pP?_8O6SxRGjfz7fx=D8R}Yjz7scQc
zwDJW?IFo8RyaI_btz(j=VTr`yBS5T9S3#eHBX?F%5uG9%_^8H4XtbDVQlhtfu-|^7
z0>4;R@lfRVgWs<b0weN%H#!Z;Y-R9IpM&dsmcSX(kNq`S@a#~DiK&dy@;(o?p3IIV
zzWgnkqCP)HHn;sJf3yU2{ipbs!WsytBRn+H<SBY*UmW5r7h3Oad`VQ0yOQajNElJm
zWSed#Ad}46rw~7<5ZZ$%d{!y&@r$Opp|qFDuWhk){d6gBHUXPowjwf~)@t2MZgbin
zn~{ag6I*diCJp#*%p8j(?<L+7(ne=M(Yw4*k&Ns7*Wnrs7wMcCpkK*WB1+5W+XcYc
zR<{$%hG3#H5a!-8di~n$mZW)bAC+|WYld$I<GJog;0{@zjoiIIYZ8s1KT%Si?7Jka
z7NFvqKMD<K;4gq%)VWcu{1wuPOnH7}{><)>7emqg(S<=nc3Bdt97q4=HE1|tF~5nR
z+di>7W`ei;gybssEm|ts23ME^Z#UWtJe;tPs1NXHc+6bvqK%yH)b*sY`kb{Qa~X5`
zEP#I%-V*P_6&=k+8l(Su*tQJ06>7$t?is1GyMi>(_^jZ6|BTh;&O2yZ_rWgZpax9d
zuN+qIwAH!uuE06*VVyCg*=!P*JLgxmLeY^(qEC8@Bw1|Xb(vXVd}Tn_y0r0?b+k6$
z8fqdUQ9M6Ht7O`PK`dpOxh9M@AF&onHkex?f2=R~vJWmczOY(^ijD~wikTBPtC<6h
zhOTM5pvNm#p>1%a)zoXN?)}fo=v+cNer~fd-CMyE3V+efQM;4@|DIq$lS^%?C#Q^a
zq3P?&&3SP>hnh>{R~{AhmYCH%YK^9qL$sS5O?-drvfyL=SDHw;B%zy*O_7PANf+as
zPcz+gL9b)9Y02t<ccE}}f(&L9#_-GB>`LWs5}yWglITi%qsO%@b>FRb!1v61hT2^S
zjfLv3dUzJnyYYr7Xz<RJDp&EpnUJ$>9%s;LcU?K!6)#!LmRr?f7c_ro$nvdsKtmy9
z5azCF-Eb>4eqOolt}~A==r87bciE`>M!YG<i*LKet7`n~)Pg0o=Ah7i^A+zToyY80
zFxXu$D?y@U5fag394%T-Jbd3sHU6fxp*Igd`xEKpgT!|ZqM%3NibF(Bt93S@P77^*
z3R?@gHXQ!ERGCPm3Bnxd*rWt)LIl>LuHp>toqn`(zLlf!yBhKTag`Mv`efzFhN2gg
zd{km`1O(Qj>Mou_9ApVtQp{#L4>oF&jc-fN2;_KkT6K7boO-R)eO9#l@x&>`hU2~1
z8K{Ym{rTXmVPui|*Hm%v230Nk-p|<@CjYTynRUN?9R&C->tt@SQh(8tY1tigqU(FN
z0SMn1h??^YnsphKOA;eeqn?G{21GqMO8rEu-BLkva+K-zFn>mHsNJqH21!Z(xkd15
zq$KBA#7?x^!ef-Dc9O%bTfz%@kNKSl)C<{3;t%bG`M|V#m{Y&LG41BD_&#6gxq#pP
zjsLylYyoN`u$;8CL86U#&YT}fZFn47R?^K)n62S|;1hjp<N&Y3lYcPA(ah$>s9_%4
z9Is;uGYqipweoLE4c=pGTrT6O)e|b|bTb`XWG?FzYkfrSJ*U$FYVy)tk_|H2PWU*k
z&irYc;gF_=_uaRX!d5vGnCxNzB)CZ_DS-X}*b?CKu~|r}FgWosP4KYkR)1Hg8D)n>
za+D?xNOGX%C}Rxe5qKIotXD;&L(gq!?XE3|SibeFO|w7UyI<c6=mZ@B#)$C`H=`yb
ze%ZYay5>R->+8k|BLdGJKR9e0isI$w?B2o2ejI`d#*Vq8T|&hQvr81d+I!G7bT}2L
zz2}{~Qphz6jvA&+Hk|3&!n2GT(o9fLacd#!lwV*oFoYj}!q0hH!d@O0?wR<+=Q@Em
zuVF5?{ur52rwQ=5Iwy8CucqZ&GtzrZv5V}N4mElL`guOt?s(?F@J6V)Do*!;QLRLe
zavAXj88atf{2|$U`Nv}Yf+_70q`QXer(<h*om>~<oMKFA;P$l-=!z8gBNm8X27et{
zldP=yij2b~?puoZlOqy&&Cj}8(yd<4pK@Y6k24&^IL(p<dY0h+&f25G3%V1$%wkSj
zkIU&oOa>SkzVtpA8ew?96<d4RZ{*y$KvHmCn_~~C>4iz8jcVa&gM#KKTqhfgXnb#N
zrZ#h4ToQ@dNi)tQY1xr^4aYEGz-z|<+1IGGj>Z(_1EcYTf*)6eP%-b=FZbVFH=RDi
z@%FI}{LQX%X}TWw29DO?45kgA{z}TE+Fwle<L8Or09?(*ln7?Asp7`V%lV~tf1QE^
z<M=WO`%AN{4Ff2KVutv64t;40E`SI9)5l(zpq^DEJ0`_BvnrB+aU}7=F+L<|jZWKS
z`(r;=fbST`Uj*pj#(qwfRkN_0Q_>`l8C%ZVw`}v>A1uC6E92k>IyDH=+Lfn?Rn~Vf
zmz#`1htFn=D0Sd^nwFl;Mz9Ca2N{VaOE^qp6fM_1O(6-kO}1snXpbg8>X8sfxt%D!
zoWw4rpkpJE?cdIg)Vsz8%e?J6D+XgUJX&EFQ1ZLkqc5O5kyGa1^d!B2*3U!1QPyy%
zYI9rv#N#pbDHd{0UG(!!qF#2u9{^uDR3!c{kGiTS&y0%OnANac(g_K17mQn9i+klX
zYL`{<h7n8j0b2;}RV_fzH{kqCm+#&>3JE+vf54>4flbWSP5gh2r8`IFt>ox1z%x&4
zV7;HaeV^xr`k>ZQow4x5RM(hEC+37827zll$>If!t(mjdj?BK9y?5l*u`6?+7Llau
zLepx48jX;|kpJ-LU%VZC;txxO`_s6`TD@*1<0?L6HZE5tEq&HtH|+Kf6TU7oysqS!
zr5_OcO{f(8Lx1Jq!~UR_M#%igQ8}lk!w3g6?yzRnQZ%V$iaRbw!^Oc6`6~)^Tk(2D
zGZndpPr-?Ww6Ew?tHVbt+U;j;;3=ZZ_MY+#9n-tBd~6)aJhq3Vby=orrvLa*KZd26
zZ#$|SW!TV*ee7p$5pI9{b{fTjCa!ZPBUXoF`jQHP=I()v?Gjuol9eDP+=g#M*}Msp
zd-@`d-`GF?DrYSfD6ZtB4JcU0nsY0YnU;cRW!wa3OT@pJC?E|YcJ?sWp>=HQEpAhJ
zz&^jD%k2PrPA`=v&_5>GGwMXvh+c?eEs7M<x9dQp@?;v2_sTu*b5zD9z=o`Ah(-4H
z!>`&MYey?TNMuSQ8NXmd!=V&&Ps-PIH|lUO&0IW69wE}|Tiv<!jzLh3^uzps+~I5N
zt<78s;qtPP0DNVv_gmj7ir$=}T*=x$Agt;GkyHEAkMP41^!GgxJ6nYlyfYbH^SP{|
zZz;UZk*-7g8gX=GkUowPs`T<c&l!bvZt)5spU>^ud!B{_rUV94=bp(PH+K`3(cSbD
zZ72;=g9wfwo8UMkBf-X&lcgO;c#iLU%l9zJP^#Vkr|7BiKXcC>kBbD<C{(J-(n$Hd
z^_;=huG4gqQt&rJEd^N_rNtX?4&3TPc{6CvHbNBCub+xnmdM7~90C0Eamml_a1@|<
zI@pLz;=6tYzFv#;``trh%D5<kd*5MZt!C>aeMoL55#37!Qq@#-`R2+L27knI+Gx6k
zYgL0}8Q(y@(<iO_M(fwRkUz@TQcM(fa@1SYx`|JwDPFN+5~%r-4LZz~&@>Y-9798-
zj0DSaTCQGZ%-d+DIZIggX*(mvD|y^oU|GN2P57T8A9qF*!ze^zUcHH$BG5MllWsv6
zoZfXz<R5f35nOEVeaT@7I_NF$)xm*jwN-sDtG9s5%N|VA(Gs;fqhIO^ieusRi@E;#
zTmsUgESDtD7&Pa%PXzHDXQOvn^4{h!>Rzrl*SigSSJi5H-gL-NNJk>Up^42E7BXk|
zrM6rrHaHm7b4$E?dpZFFr*4X~6rpow!ScjzE>zGUX;t8q!F;V+_6q*Fal3&(>sP-1
z>}Ot6WX1M5RJI$T0hcP`uSTWMH={QHrJ<udVsjN@*SfjVu_IDSx?fz>WEKRQWEQAL
zc+!;{^jpMIUvt|74JId+Ua^;3c8HlBN+e}Px|^FQHO6F4`EvultCj1=WEY;+e^aKG
zc(_?L3MThz4%lf#OKJ!zE+K{5R%mXnwR`u%$O)r|f^kq<%PI7nYstE(x!t(>4pi{^
z2){;@JF^I1#OR}kR{z^AqM38CQ3$m4l0#uJo@@VL(QRG~PYgoL6u-EMddJny!t%*o
z_n&$~Op69yL;;Z004pk23#(T#t@?7dYe@R9n^^hgJ3{t5>28;XV~_Pw4l~&8jzZW3
zbSxRH6dakQ7e~hbyGb}$hA-o*+bfJ_aVDN-x?`P7=(A84j*3MQ>_9cezGKjo8%$@R
z^F~xq@9Vo+8FSpDA422LWm`<bcn06t)U#A)ekle%*n{LHEOwh){t>wYR0|AL2TWsR
z^u?)-FkG(~wLV+;1jpty?pAlWS`-Y#6`OE{qTPoiEF*@0H8|z(pQ&nUDfYdmfWDOZ
z88WlYps_OTbG4R&@ZT#vNTk>`RJNf^%40_y{b|BlNt7{XLRyySci&KV#T~dj<Z+AG
z>+vDYk&c6%616uCWPj*Kyii{>>@jRd?Ib86BwbpUI<JA?Z0(e`>}DYeCzKlf{(S^;
zX$Y(o8o=Q$j3hi7X0jue;A3r1Cl$Y;lHRnc_jQ8l8lvW#VVY~S*O=pzV$_gx_iNO)
zv_4=|mbG_h@3P}dcoWO}Y|Y@Yt#`bG{WZ_anaJ#K=x_eRgBf8yo6wDh5D6%8AAx~S
z+bF)J+H~-#pAj_?F{?3e>}cS<q+r1(*YWRNqM-MF^aPYF2zLfB!{?bex!Qx+bwg{I
z4Art^Ln{5k-&9`R?ab8^Dv^6S6{7`0wKcb6jj*8ZH*5+WV+Z1+2mZk<HN%B7oiCm&
zu1<Ux2yP*rHzaC4!$!5GQXsn^$^MApl~6BI+0bM6LbLl6k=U#VY#aZnEM8&l%mdX-
z#A?bUhZ1$2Pt<@yl4D9f`_5qPUe9M6DDGrjqIv*#mrzv=mO5bmt^N12Vjs4)^Y6jO
z;o|{^d7Nmqs<e+iX3o5*XiD!F-iC0_OI{TMSL46@dn%oCe~ZH<z9zdmlAG<&N_Ith
zbv-oROWuonZsP0{CLgW*Iv_=q3843-S$v4>xoddj_bAJEKv(&&&N}CcO!CepU^{7=
z?h+W1-y)g96`OaPoHmdPKf0<|c)J>SA68(HyLtRRYP$3Ky^@?y^`B=_?XE>f>Tbuv
zvw7|%#KmVdUQ??tOX}Oorx(?GiH)gRQZ(JH4U4}x6gXnfP6rC~Lpoa3_p+f{<0tXw
zif1nwf73F?)Q=>KX;Y1l^uEIS+QAat+V*}EZ7v#h^<X*&>bo7-A@xgM%^P4`bttyY
z%q_UC!a|auMv`oEifZ`~`PEF)4iLJln)9NREL|uX4guc3wpk5I$PMVc21%GCMFEgz
zjgrhqg+?=7k_Xzle&X&i{k}T`MS<n!tT`Q|s*@^B-9P8QTs+9&o;}>UV>Yg8u;7<A
zA@%)iGx~F_vI7UXzDCCh6A;?<?_dK%ZIR6Qvz+}7vziC(8MdjGwf%zs;jwhRn8m>W
zcHi{}+s!L~6TMbF;+|gc?CWiP`-wq-?vdog!~uEjGF><u0Z)X9<(Evdpd-}>&Ntf|
zb*u0fu?TU@cko4Dr-Ajn*XN%zOOjq@K^e~|O{&LEf<vmWIez>8hDu9F<u+!H?UXRy
zi&wo?Za=?r9o>HQC*f#2^jFPDku)3I$%AQ;WfU~*bF+uMidNTJa03%`M3D{$Ghrsb
znyPnREA*?b=`4^KvXSwznU<Raq)b>uS2%HC)_q;=g7C(ue)>{Wk3|cF9$88fMyxni
z)MLzs>}vM+-nVY78(W!~ZwNGIZiBm|0$l+1wfv;(LKeY>-$5pm!Hf@|)V^h#(k(-p
znGFwCM89v-xFQQn#%UE-Z+r}OiNq5I3Q|CFbJ5KD%>aBkBJGEbUGY2&m$)SSnX`%B
zBLd(&GD}FfE@FkMfrrdz7ijL-dF|r+=Iuz&M{P)38%j&|K@I`k1L))G^O$DO#wU;1
zUU7}e)b$BCw{}A`J89kL4NWlHWK<b@XD#_jv{S)OmAEE<I34x1tJ{=_3#}Sk-lW{S
zO_{j`yllA(NxOO7-~eSdnC7O8GjK<7N@8blvq(V2k$WC#TZ2`+<=?L3G~3)>-)g?U
zbGDgA=7k*v;upQ_c%1+J`T@-=z5B4zU&BJu8cE*d=E}?_->aXiT)2bwSPzl}KJx6o
z9L&$KI_RmsO<H#N53g_dAII%n9(mMs{yR1FxNqTC8h+4fj;D(Q^_x#qX)yVui(h0(
zNgPif*77!~I;UsAI{U00MhO=GNz{y8u@hO9y*k^}+xKuWLx_oG)Yi7N3R1kX9)P+;
zy8RLV^0+tIot3l4E825wb^FFpRBJ7ubwi|(?DO?a%|!EGHB=AsueH}n59Tf`z>Svw
zo}|va(g^d%*s46)(xba&tsr2u>K%&!I{L(v${zo|IdYh?T^gZP`1A5{iK+L5T=l_&
z<I8#2re5=}1YIoU@Of3Yr>=_H(;s~2PkXX=4)%0Io-D`xrgEE-l)*PH((G3o;4l-D
zDx~Ynw)8>7e~Ihs83}y$PdT8o<$s?t`f(9zE`HDO(?&h{KJI&)L~^gD`(q2!_30k^
z;+K|EMKltp`L7()NZyFwezPD}_7!f?NHX<{4Ow1^SswCsg@S_Ml5>~nW#k|9mnMml
z`Nb<{0Fgj}lPpmmDAj(+)k%SSn1vL7Z&)RfETO+7V=UHDip<XDW5rogy_{g3c(|cj
zOE~zPrPh$U{}r=%&P(>I5&eiRA|9AEHfk56{}wy>fSTp}fJ2LottFRK{WJf8+tNxk
z`~U*AXqj(hTF=?F${~L`H6+RG@Xcgy+PqlF#?&o|R-EgkTqCyi3KSaSPe{m8amf}s
z;>K#mEx4&7_ObOvyED-DG*kxV-(WZsGAVbtgY<HYoYsBWh(LaPq>m9wlt>G5xzJJr
zw~9+e2I?w+&BcM|vkW{kgA%>rZZL(k9d;|n=*MHh{BwWRa2M;bzC%XEbw6D>mKt1u
znk394W5+`d5#R1ro8|cnN%g7q3OJ7EGWch?H_i;?9p##s<D(MyWbUQx1!@A{8rRNQ
z);C&I%+qbTB27}6IY;>~V^ZLU!~q$d+8kf!>i!97B-Dz*_}kqtP!nKL)iuYD58lP?
z`Tena@2&uy0@oP$kC!g-t76zmVWr#^Yy}YBi%ns}Pvy(gKquoSgC7JTF(=Q>$uUj_
z<ZWsfm)R?gZBz&M2^ekB&wiLTnGY_7i2C(WnCfJ~(PtEh9U;J9;nK$S>fdOU8{LN=
z8$^k^`0tAVR=PDT1**l^O%v&89@xWRtBFz<))psiRi<a3SrIWEBYx^Z*!Sx<jYr($
zHwZZ|m(HiK`GG%Cn^Fmmp*=`ZqO3n3jbLZ(^~C@c`GH^SK4v}aHB((Y4dL0iO~-{^
z1q-S@Bef4mNVB`#<=f6v@;dVh^J@`Iv;@G%^}!<pVP*HAwTAu3hw25Upvt(o#o~YM
zF0~-)@x)7O+Yb{TZBmd3lM(Jd6^e0YIs}%fWMs5Xikn`#UuEe>pXU271LgbbYVv~E
zqz6$0afjbH6%a#SSZ20lPNMn)N+GpaHY!R}Sh_jwibYF-G$INgaK%*R@rq+eE^Y>u
zL)d&xCTh=uc)BXAm8gQf40cWq#9i~RCAQGWuRAQ+KsQaGODCj<ntviP+SKa4w*BjT
zz3~-K^maH14k7%~+c1&!W35u`Pk7>aqpY>%`=xD79--e@*mE3t>-tPhtMi47C@&fl
z>t66RXH;T#oxD_c>0$9Xk7v5B!;YU#w>WLWkf7L)fi8`DseFq>VVr=SYFlNtdi<sJ
z+lq#}*=mVC4)Z;EU61O0yP&g<dNWC;^%*5cNXJ2O8S9J-4$1__8KD|e_e({&y>nSz
z6q}~A$Ik9$xm>1RnC?je8h-bEWghYE8a9L4s#HbRiFO%VEIPNOq=%jmsl}9?e(JD1
z(v%SyGdd+qjTmKDx2xp^5v=}S0Zeg;NUqck1ne-VUES@Y?<VyYiI~I|d|eZ*f)*Gk
zh4<taCs{_wNvL-o)at*o`Jjwm?=(&qRBgRP@3P%PP<qpt6;ey{x;XwEHNF%3g|53C
zi>a2V9F-|PDcN$>K*wzDq-uX=K3mGV7%JCJXXYm+qbmMI1>6>u6UPDpol70MbAi5n
zt<NxQ&aDpdV%#E$2A;1;>=|cE_||<(qA37Utr<k>Fqh7)&s9c3?8e7VNQ$z{J>UA)
zy>s-HWd_{5gUi;m4U>*LfY=YxW&h?#W8-opGgMXf5;mIk{v;~>HHPstDST^`xID!o
z=s-?nq5;r!*-zZ9fO3aIf}Q3B<{_+K6o~zb8R3%K*`nQ%C}fjwMoee(DQfY`rOSMd
zFREV3=sY2iz^1)*<oXhv{23u&mXh$>*1S?koc3qr*FHxwgKY7`yqIDaxWC4OPf|`|
zHVhqXi<fmd-zC*LoRFa5B6(}C4M~}t{2oY0tK>vdf|>vH-${t=LWQVZmD#JcG22_*
z)ierN-Y`VN`pvgr)XOzNp(@?-?d0+xAIs_mVyBdZ!oG!@*9yudHMu`PGaD7e@1g`G
zIVvzJcB9fE^*zjh{c2kLsT;~g1<`zuZK7fx0F{dwj?pG0(`Jl>dB`ane);qc81o0k
zYO0UPehV1dGzc(Qp#0;XXcJ#R+adB{K^xb{OzRqfVk_5RW?dyPy{`cqH$5if*f-bx
z`fyKBCTB5WRN)IFvjuI!WHKl`xqh3Wy~9fN1F4x&!mRrx*Y%^fSc6TA00Ot~<n#sY
zY4MyCVHc2+ziWymhZDMB%|L1Xr}g_#Ak*ALmz-lmbd)uC%5eGRk|WLS)U3Uut3oZ%
z;4d}96M}p1QH$pD-YTmGa3SG%cq`xGrBZQN`G%Ujqr#9^DtW<_W@n}f!K}wMjqV#6
zr#>q^{xHMFPOE-(qv>gpPXao1Zhc<fvqZN?E1RIkII~oT>UV~0K0Ln2i+t`->Zd7*
zQBM;-X!tmwG=78^zb4Rhs}8uZQl~}ZI*9caH7Y0MRAT{wx@ni(dAkW$btiTo7Pd;-
z4&J)^xy2Dp#Z(o0#K<ZqhO|02A(B-P+G3#*0lpI|K@*b11IWx}%Qh~nA}&@NFO{s8
zgu|?annV*p-_hjgi$k~U4_YyBS*2AZ9S~CuGppN6(r>8%GJuN=BQpsKhm2zSAyIzw
zr9g0O>!U@~QLj>W!#=DE(f1s6;pqN+xj6^wFk=PO45?+B@lWlf?>N3#QZ)uWJb7&4
z#5L*RrkS*~VbAcBG0S^;DR<YL2?2<oZf$p$OQLnP6KZQIl}OK<r0@5C!Os!x+dho@
zBU?B-)E3I_&I7v3coE6cN6~~z)@41>ASi}m3w}Xr2`~!YPh5)X_+6~N<4u*?Ta1Y3
z3Wp2{XVn*Z!-CB!Xb>+x+?>d@{)ZRoKG5_NmNAhJ2fcgS+A}m`NTd}~1r5}t=xozc
zIaiFSvFsx02!em;@~CWB>XnA1vbk~NS2&@w4}lUmcY?L{DlGk*R#i&j;vcda0+{<_
zQN6{1!mu_c^jR>_x%9e<(rVw#<Av2eI^Yfap0HSxl+#;HZdSWV-gj{JpaY$UDZN$=
z_{su&1$QZlLcq!_U!2?5<qKB^2@_DDx1988TF?|YVYv~vT{JhG_57)4^OAtq7#-u5
zYG`XSAhz8$lVLk8<$Hw1aFf&x-=9FZ$6Chu@|1Vt^st46uAA@pRKAebRZBg8f!sI4
zqnCRbe%8*9kuH!eb77+|A{DJzraC$x7cn`rzvqlS)%mW4(!&agi}j9RD>4z#p!ZcL
z#Z1Xp<t1}lpO=<QBGePPFCnOp66SnWp;n7*wM4QgH-P)xAF3hMcv>>+O`1Xgx4^PS
zw>5zY6jRoOzH99PzBzC&wxrFkIJ`6PmkiNQeh~9SJ|$moaM|M30PnV($x2z!49okY
z6iY2iZ&!u4KmD)TBzzE%rbd~4(AN=mv_*2MFyIq{lK4pr-jq*ZUwIyJXYRsK2aB?`
zf!Yf+&(mv`47C9NQ8D1b(BU{;+|G!5L6uB-Rk&qT`|s$h`I3Co<b2TeVj6$+&;Ti<
z=-Gk1AVZ%!S~-B;atn90vRZUQx6o#k&Lys^mXqxHYMi>A!_ll&L&da@SW{y)%SrNE
zk=NB8M>`|J+1qXQ!-w7J#+jhWraTVyr5?p_1GfEyMjCSqpBE3hJr>oNoyt%~q`}SZ
z{KiTyNfSCoNh-x9kuLK4{u$9~$PI9f-Fntw<5u;*WXnxy@s^-~5Yb!6bdmTnhi1>u
ze+p~1K+*WvrN;=}*sWb8a^S3c?8C#x7URq4Bg!rRl9b9{>WZQ92`z!9!Huc<l0AG;
z?INuDb>!=en$4T}7g?|QGg88|qQq$D^z+Ti-F&OcW)O5nEjznbghjg_Ul<Bd2uzlD
z^3qZ-yBLbiXf^aCr8U&{1E`DbM}?sud0rM=+`}6^p5;m<SLsu0Pbe#taGF_qd=0xm
zPQ7gqK%k4vJpoVy6M#s+d$}D_<Y?G5PLMvKz5BiqDB<aF4Dyh=SNtRI=(c?6cEod)
zFxblsL{#@wttP>F_%+fqJXZZVanSJ=1}CZ)%0kVL-ReZ_tx6QXGu#NJhq6q5;gtLN
zEPA#jC)j%4;^m)KKgCY@-X;SHhX3&T=k^m$5~adv)T{{{90^+hdDXyLRd3Z!N-O<m
zKEM)QJm)vK%oJyN{cZ&O2CKckLWD>AWWN*;Ke)eKqfG>U_d<A3%hF0;O;kS7u!Y>f
zxaY~+DW*JLd;6@dVft6Nk1ihai7*(YsbQ^vKZ$m6P_?sJ!N?gTRIz^PQ}od9UAq^^
ztiAJDuS7b9FNAKzh?tL#GH<G4EI7d?ktdo_hAU?Al?BiB<`?8zsr}hqUYJcTE#9c`
zNkKW#Du<R{zGH8!M?KlnzYWK}f;5xx$2d482^{E<E-ls2RtQ8dbo)H3K9`&{iNCP?
zVMp_D<K(+R7H1=|NTR#wx<5D4j~^x2l4qLqNL4K00nNP5c-}fX#YyR7gCkj}m!N{u
zVW_?2SeaE+#mZICb3ev{@5Q!C1>CBeJcpgs4F`&n%I9nU5O?SBDqrs=uemJmvdPYq
zW)8v_pO-NwbHU`WVtuo-H60wnjL-czSxg7}E%4MicXC2i=xZ;O1S+aC;#Yi|W6;vV
zWi5C$pAsbm&iMt}Q2Se1?8-l;36O3mW_XE*TG`CY7}`=8MT>z8Xn$(T_c@n8($8;X
zMAN(~H}Vkmm?)E(Zsl~)1z=+0yBaJ93y(#kTM)_7VYa0B&q2<jHxQU(v!^#W5nY56
zTP#@NUrGqQl&H?M^3qqat2du$t{x{lpoF#MkeZu(UdoFDFPkn$ec{Z?C9`>&ZZkl1
zbWP<>Ae9Dm)n|;G+b;=rc|xc}Hv!NOeY~G6?AmWn8h<CHHL0D`QYw1QSsybg{<?|N
zI_9}hXJ|f_oS^MNw_I*9!9QVjO7s68RPuf)eX$I3TDoVOK%UZ}e9Ifqp;s(G3H=GV
zAAa;1zs1K01=T5lN)KV>%o238krGBq;%abf0+sp9@U$5>D_UnGr$ZzP=5A)}gxq5u
z>g+|%ogLt|=(PEK6GrI#hQkkmX?&)R`cVmm{WHv@Ar@mxi8U>Wu`3;KLR7n7V4hWA
z{RWQ0i!EqTp;vMq^ZZXY;im29)=pI#RK|jY61LM6-e2%&2Nz9^e*dr;s{u8ADLUJV
z?7Z%MdgLaKnu@dtHC+t@7-#h0;=~C;ql)RaT7-06trl5d{U6@Wx+@AV{Psvmr*ue5
zH$$tWv~&;MGYHbDNH@~mJuvhP-Q76@Gn7b3BQ2nQf8KT1eFb;j`xee0&)MfWd+!f^
zP{&$to6208RY}~TUh@g=8|7Vv?9ZCy8#=SYRQuTS*DTEY`Y`mL6Zo)*;$=<s@am`a
zI^{2H|6GCTFg?)lT5v#Qp9Ax$th1MsDDe;e^waf=X5dnKV91Q_dKU3sS(}iMxV5Ae
z{P5Ch(gg8*Qol(O-k(5_X-Rc>Bt|h!#2ok`!86|>mYZIB%7yn^6Bnh*S80{6oY=C$
zB_roHB};C;@Qq6Ojx$=K)$WK7RxC9}$#JE|Oq2?Z3$BZ6Q>IiQo`(OF^z6T~EiF^Y
z+0;lyw87(y7X?v?O6AUSNW#@K9Q<KB_#Q_~UPIUdQ+K5vD{en;qY%rIGeBHrayj{v
zAAyONw)^b_{)bn8R97M^eN%w;?Y_iWKLwB0AM=Jk+rlUe+=8aom`ay|f?_i7P2vQ}
zo2p*kNqlNa9Q4HOY8feBHHc`+mP+PwmPicKo;AD2zdIle$qK)?Fx(SRLZ!cVx7x?{
zNMffe{2ciCgMZgnZq?{(ajRMr!qXbd$F!opnGBpgJz`m(H!7PI5^pBNrq(hIhZPTc
za3O4&izVhSs-EiaT9ul8|3V?<BXkZ-Nqn9bLbHyJE5o}O>0H6(zD=H3EDtpN^}-<v
zWV3ibZCXO`zoznZC8xe!H59BgzViwe#`_)T4*Stkfx*S*hj{;$=&m)0f8m+EAbAdt
zeX2NI^<Z37QCxbChhJ=mE#L-`s(wKsY}hb&l^2-0Lwon{;%F&^Oyiel^Mo;PTfvZf
zX_mqhA&;)sj-<M?TzaE)OiFTAA<GT2&t4_es@Gd!D|vwSLGED35e>m!ya;27tIn~0
z@J^I14iHB$n9>J0DdtqR8kTb}Hh180d$gY|M<)*tfEzHv{_vsLi$G_N4=Y>cB>xgr
zFQbTYv<=^EVE%<VUO)HS#&@bgoFfVj&f6AdkB#Y^QL+i(_@GbHch>Yr1#t$$i*aqH
zDnEEy1Cl%C1u9NG?(n-+^quKjdC`YYgb3ub`$^fWUV8!vGyw@nPVJhZQZZDtR5unL
zW>biz@U|!NnAZ32H$9c_hEr8ohj0yAt@!vloDm@INA{kN8ss}kHIo}v_g9>`7ZKbV
zSm?$j`%8@2{prkNr(Cns>h!AT5$;LbLUbiW3;3}h+4J>wnJf};G%9+5oLS7e*`>{W
zElHSdAM<lE<96FnyS8#haU1ms5^;6v`{MYp^P*-;)vfgyqu%uyz?8WPmR>KWzZ-0g
zTKs(jF~E5?@-8&cw6-xP&7{0BgKU}8dJQ6GUBosk%?WT_bl7B+(FSGfc>NjC^4tks
zI#2y@svDw?vdW|9zP)#Pmt^b}6yz-Ti*UCgWjHHG@3}Mmr<<!lYc8DAg1_)(hwva?
zN`#-e;)Pi)wAgS?x+kMKcG8~rZzkgEfSIDMwXSEQJp@=xK6szk{z5gcTjjfkA78L7
z`E#7lc$cpZKa@~|oziSeGhWh|7~LKmmq`cZv$iLG7!PT+SZ+b)UDeBW6-lr?m4P1W
z+xf}p1OAr#kE`3fewV^EfofuwW22YO&R`IntiAz^t-;7j0K=As%%Cnoay25NTxs)y
znCQ3O%3(8{A*z%;Tw)u1SW+fG7H6<2JFAB|P2nCHFV4(b3+8<H`Dyb@x{)-0`dY_U
zk!GgAyZHFZQ@WE!l8I3DO0l+T2rC^fLGIsBNpEZb|0KD+h^J$6Qtk=kYywC7(KPyq
z+E3#cc58#z3QcOm&g9EFZ*E)QKfcUg-)dZh{YdUSv#-<k$^#W*M>M>RU8b(sOZ#$1
zudjgiExGzW^VN)Msp`nR*l`glFYCEJ(TkeUHvzTt;&uhT69`&a!$~YRL*~QWQ7F~V
zw6qP)$(b-dtR-fYO>g7OgceD>`p!}b2Rb8Tom9_Qtxu)g9X_Snv~05&4sAwuKkp_E
zyvqB^Ad)e~xB8ZEj%+@nA+N|iOlh0YnG0vcxa%*VYI!3_qH4Cmu}!UKAJDgQv1ryv
zrSTT)Bs-YWW4_)>W{B5|_p9<UC_z1WjGMY|vq*eeI0}~Y^MH^4RDhd&Dx`ed)$H`&
z&q8?NyOMF9-DX#XwN*8h7~iHru{CZy2;x*do|0WoupG)Q^qp4dKA^Dp+sy1z^+!{e
zbItBIQOE0<mAM%I%CkTNb6eSC32&0Bzndjd=s`2&W@}vM2<F>swcb(5_x67qG|qZF
zi1E3ZvjunMHMC7aCeqV&%h<;fq<)fA^c$?6@(RpFqU~@^{2*&?T56O%A9*pr8k)M6
z!~Vr)wu|I%9nzGx0`604li!#CZ-3oR2quS5aK4skxck(BE?K=wuBtrfs-ZCoQ|C4P
zVeJVY&ghnP#2Xr7VBw&vVwtoWwB5}iI%dy)Sw<*0QE?wf%WL8ss4X|~Gci~K9E8$A
zI7Ti`XAF>fG@74ysSDCNybcv_Y>BCHO6UHbm|R-KZ(li!a{2|cAB(f8#%c{lcV~5#
z&Dy`ys}gY1=)M2YNQQ_N&$E$GJ8vKhQ*MF}CA(-f7z}J41Afj8=y#xyF<eb;Z!`Nn
z($zD>BnUSYr{)0^>I9oEOZAZNU(EPKhHl%aXohAI&3K@%-i{iBz*Vd72$jXDXzd2{
z_;_+2QY?OTZd#Tc<wY+y_=4O7MDOwl@!Ja{ya{G)$~7+eX|3;6q965*jabj|ryRJ$
z*Ep4O+0Yqe)}_m8kIy^hBSZR`&d1iu)+9j05g>RM=t-EsUDNM)R#|LM4F0wgy_gMO
zJTlY;R?A^FIWS)O%Pt17cK{Xpv|?x)$EPD^t;>rX$;WurLaWUyd)uw_p3&Bs^{(9-
zJ~93#rsh$@#jADd8jZl~N|BiM7XI!0vbi^4k2UZl#^Xgo$gDh6@7JA^ck{Q8DAbSp
zeZpEkgKtX}gpx^BZ$0FftNfAIEkt!KV-5kX`TJQlC_U=1-zm>rC*_9YTLONW^60=L
z7ITjD8Xlasdi1ip#Q_HTy0tAJcSm53FDuWDYuA&k#CU~h+u>^zig;?sXWnw2wZ#rV
zt0?E)3vCETXBgiMp$g*de(0bCqMY>(#yXwrWvrd*OtIoUhA6l+ZS`R>w)5Lcg|t`L
z??T@y7mSP4Th}!f=^KfkrFE9U_D!@wgnNmZWsM3Aw{x=-`6w;5w06-Y&~B7-RcYP(
z;Aa7Kd0(q^*9E`QoQ-_m29ySDT4^6LZMaerYpyLfHzGc>6W_zwTv@B*uq-fNQFGNS
zS>QT%>*kF)G^Cug)t=1PkrCpZ4zy7iqYsv=s)J6f5$SDfTP@P=xpY_iqaPVh^dx2`
z8Zy!)ux*)``LqMlRn?D@eTyV#Z<j-x)F;R4ANl^(ai|@u!2VcmJG5OoLU{9GJNNZ9
zyKke);iLg)gi1g-T)w|m&#1O=`#A5)0sknYtL?OckswN9_IOjAbpL$R)jla|wsMBt
z)U4sPauko6d_c;wRlr$tSsfVoxdB|F&;Y)?G2%+`ZxHRPDwT9%T(B$^bdto#wK%%F
z?jA(J6qEFXljd9I2_IO4X-|Yft;F^7dr@w=4LL3X5^J9X<C>1*^AJig*1OJVT-J@}
zBh2;AuH^>#JuCX*TdPbThSYbFVhSFCmteHx!XuAes5BJ*K3zO*X}Ru`82d_I*=k75
zP>C>XiXmU@f)@6|96i`=b^(=;pu)0Z!H{$ImmHjBE1zk4oDqVDvcC@Zt<8$#eRR&|
zrq&94vdW~kya`lw%h&b$k#DjcbVy15Y2R;A8ARz)xBt;Hk6lBr5dzcrm+DT*IWB-U
zOvJZt^Ch0;^Jjfd!c$l7d>KO(<?|=3H^QxjP-TcdWvqJzed$+I2`cb~#^(2unCtY%
zon>JJ8~F2|L|j>#F=RWteDtI@t^N7T<t4J|xom=VdGP9%x=Uzrmt~R$WQ{-5ym;e=
zS6j7_?;+i|Wz`6JsQty88q8pBmWJw^K3Afh&em-h4a%WW(KGX9hioTonVO#Db}UF}
zR_g2oSGmc!9ft|8fOsTq<0o}D#duF1Z%unMr9#)v)oWR++`__HXl3R6h%8!)--DPw
zN_A;DP_G9U4i(Kd)`gRrpr3&pjlK@2b-xfn{G7Hvp&t)4$=#RwR-E}Iv||P*TCg-R
z`HI84wDNG_{C&B9|H$2>I7#61d(d18lt9Ov^@qejM;nI+dHeU}J@fS2VdY(^e80(g
zmNbz3R9oBWycnbLyxh6jMdsQ3bXI)^#7Kl@?&B}AN6}GOd%}L@iczQ#T(D&Oc!jR6
zQjhjzKc8I%omp%>8(H4s;ZXM>28=3<98=*2*5<Xbqz!Jg;`(eRa0AgK|Il8pt1FN5
zwzq`cp@05t)2y2dq`+UiGT+G<+pAI`X{X4F5@zJ_3R_nOj7IiIG8gpYe*uQd>ptqY
zL-`^eKE6l)3w)a+Arj-6vX1Mzt0mfAmyfkpL&=0u5342xag4aVw!E19@LzPGDLtw7
zU(%6p4S`s8zSrw*c0q4q|Ei#QAZ!b8rl`gb>m=h=$jm$eAJ25&lHPb2)U1}b=~Buw
zIzcMBy|sY^GT>N{eMYfnWMleknCZ+jIJfVf-O}^0=2sJ~pLOSZ_{GO6>H5WMy@I9t
zd156++dRDibUMHx1M;T@6dU+nbz{kC(Fv6$)vsnpT-4>1$!+19alP~~7IaVUU_B80
zzPHjB=Cxl+_v?52r1txEnv)#}CgRN8QSGg{#AbZcy{tU&tdSOgoOu?Za9T4UM=nbO
z;UVXCc!pI-F1p8=<D7U39Ryc(^VuZ+a0FxA{?a`6$@}smQ`{6L+j-V??lx-%>$@>l
zfpld73un#*p4<J3yR^u7%ggwYy-~0>akYrnQmn-tn(9RLx1pv?)j;odh`)9Wg=u7_
zin(;VPigHSVP)KaRB!|g7}yOp5LqsYyzJ4KNx2viPg`hw8V8#4+z@~EC)0Lzu{Bs?
z`$m#9)UjwV%ENEu82C+08M#g=4ySYfE@R#j7*5c9+U<?!@Y=S~bV+EdQGTP(-Ki{n
zp2}T*Nb+o3^wKBGc)S*Kf3fshy+&U|!~BY{w8^2qwz!SJ{<plal1f#)+_huNVw1+T
z+c5*%y@#<Lw3-LmH!&we*9r~$zd4F#->SOLrtpnBmA@NRXU&3jd{jfZCcLV8bp*UV
z7ukiphA=qw$ugc}W@XfgKT&dPF&`F5Jhv?d85V_XYqF=srz#DtMdia%4Su`$@*zrl
zPW74y{lJp!fH>Ha2HcHA;jDpwYHEwf%v8h~R)cVSZSX*JV_%`r0UlPUnfceP&IVCR
zmO9XZ`TT!C-289a-Tz66`W`gKz(aj?e?DU<Y{nY}oi<oZO2lIE&YTa6$4~FwO*LSa
zx#js>to4s}14;#sJdfsYulO1&BRYc8`F)am^>&q5X{8}YBN@6iCz-dhvMI>`fmfK0
z1Pt>YW@#<(*IgC%yj@S<I9mU>wid`-$A0sAXTu~sGMV55#6`7!R_zVSRg0_zC;Ht^
zEL`JNDCCjV$e~--EF>sELS}5ImH3FFg^z0k4xCfWm^ZzV={DpHq#)PelQWrv62Z~7
zvzSfGLrFE8wM$S&XpfOvm$AFnA#-2X>J4`DGe>-U8zoua<^3xn&%p@Wj6YVZUEg1y
zfuCM-*8N>r7vVE8N;azY*zI^7I9aqSwYg!D9#Xn0J1^UtHL=kS%22kPE)zRD=p&Wz
z@YMnj^CB~q(_KOys`uDSaDChfd9bT3H&fnUp12=pYaVCIi&-ekCnrNQzxO7wmSqOU
zz#vbgyk?^UZcQRrU1rVEf(WuD=BZ$ZxJD34_!S;e0ig8PRd~Z(ES*HJibZ3$^6hbw
z$tT+qZ^Hu=e=VrBPsk9(4K8_V>XZ*3KvONiRfX{**$X^b?{Pn@oBM;#RP!7DmRn`(
z<<7oQEN|2Y_E+3G_e(B6c@~z<rdF7M8{7!GIn`+m-O_v79CTFtjKP1O>5xrX4>!ZO
zzOUE)P81m{9~BN(NQu8R=DDa}Q9U&?zC{i{fEJKzgCS!LbUWNLLrMB#*&3$Lga>)R
zrw;@abW>s?^Q;@uJ|B+g&0iV&Nk`8zC5WBgm-BAauN#k1a*8B^?@UoJS%gN{*6dI1
zm>L}u%R9`I*V|ReeOboBcw?a*!34ic?`F3?)y}KArM6-2x*G#Oc9?B`S|J+E=AjRK
z*Wyo4UtsEdL3nnRP_)#!S_j5GvPAh!47_!sT@a4JETuNsP5+5}BGfuvcdxcM89|RB
zl&kA1+;zci!^d#*bi$~i%O-99(r2pp_#-XlF#Ww&vcJ^IZEOSEV*80)Yz}6bG+!Sn
zF8!Lfrps4WGQMuUsnI2<6I<f6_M8WvhYJb%Runo5=?hS8YLKMG+hce(j3;O*vLvb;
zp0c*W*cedVtL|sAfI2>tvQ7|G$x1`ae<k`306v<%`}9GqIZ4gm*7Vt6>>qx`AX4T?
zMKIEz5=@*FuMCTtw@hit=hMd2u_ruH2x*&!s1y7&mH(>_+Lo)Jx{MT3aHwdLY;fmY
z<+z&U;){K<P2G|)F#rCLu1_{eV!7I<4XEKMrTSy{qOcU-c!SXBM8FZ;!kqUnA{1^3
z34|5vr#8{-;%qGw>6N~Y(P6Y8hDoG-{|^H{7fJP1(j5h3K~+WOR!cJWHyonvx^?@2
z=ktO-`<#+UBi9{d7iePpIf!b|#&d^LfJ(8VW^eWGi!>Y@eSju9Ubbuey5Ho~L@v%7
zGsQ%+-^;b%bR%B{eQP?~TOWhofh_1V7+d|2s<RL*b##;oZ`hC0AI;Io$a5h##T&Kd
zOd%T?e@*d7vFtx}e%KfA;9E1PwoNS?o9%Am_?~*l^?TkrXQ~@<woXf@fhD^J+E5QS
zPO)p}z;<)^n-+iTPe#9b_6xkX*KpB-aa8N#mF%2cP{v_mO=0)`T>@YNYHyyM3ApEl
zEj1U+FemfY*1p`F+GbPmdQ!f&N@Js{K>v_%V)rYo6cO!gF5`6e9CfN;o1_<5K{i+S
z1ik$a!``f(!PtDy79aSLYS{GwzbE@Waph8lEw%vWBzP^gXf)rOhL73NsEmG>t~DWY
zG2HBz`t@;qanjr>D(eLLqAIV!ZXw&j{CdnnFo$@jZf>##^9uJKTB~QSrZF1=R^i|_
zcZ!Qtpvm|`DeR?AvW0QFd0P&>eesxY57K<?*Q={vbC!HlkeERHdaib@uuECR+5XgR
z!`pbJN+iYJT)tg3HEb9gy6vU$Do8ceIMC3_)B~=)>_nknm`(`lkU7Q0P&yo?8INOb
zFFDyai$Q)ocyCtFwEV|)f4sH(WsOaA+G(eN#aZo!L>pIJ_ZovZ`?`d4;||xCw?d6J
z`e?B^-w6KSZK~IR8d6ssX+5uiyv`7(5Tief)$1m6%TAV;)*Ml&1Kkd_wwh0%Hu^!)
zI;w8_VMW6<jXQ}G$D%W)04jYWE<v59cXmGaHIY-jJg1c>REcqC9~_Hc?L7CU%C6OM
zWdP*pK^@kPdC{_3hMEE2i=ea2h<bu5S!ikZTE_Au^S;(#s7J>({lLK>qIag!WNXd*
zRWVVa({Ly3xv>5j)2Dew_EO1O63u{+mSTriRSWtZdq>6esWA(_{eyHa{dzXJT7#hz
z81Oxx)!)YCv(MA^UuhAE8nLVvv`Gw4#wOl&=~>zg1a1qCdo|lsd=`0zIg?iP$Ca}x
z`Jw3sWqLFLN*$K!4)oa#pHSthE>CjYheFlNa^JM&8?EDG#|Q0!PIdoAewnB|*X(M;
zGmS7lg9sxa9~j%f#F0)+utk(b)j$ywYlo;)(bM>&Ag_q}945yYe()GaMn3~wr?dGv
zkWbAT#-Z9FgXT4>@hkLZpqt5B`91vtV=vSh%So>G^aGxAiot}fXouwMgM3lZafu{>
zJ=`v}TNp)@b@c9oQS*urT`2-HLUh{sN@LLfF^HyJieF~P=vj(Rs?M)izQDd;u&ii>
ze{Xu$9hwUN<$WvFv8&$DK;%M#;=17^yq+E>SW`y^vWV-~YXlyDuhmzU+dIgj+o0<i
zyN*=T(j7v%Z(Y!>D#3*9Z029@N?|#uTrUGE@<KOuLAhn6i{eA1-udi`iI7)Rb$X;`
z7ETBs<3WutgU)JA<^*>xCr0`=uVf3`tKF;l$_zf+^g5(=-*&+`BgO+js{D&2H$8?o
zO%o5{f7GT@m|WF<%!P<{32XRl@?lcqYb^25&NG^l%cSp4f%h<y%d(MzkIUe4XL-SG
z6;x(@D<?y49qEGQ;yy?D?P45iq6YrfzaX4EMY)l$?`kIS@z^vt*{ZKm=3IQe{VV*l
zC}g5`&F#rILObBFyyC;Qeu|g+(U}Ec6s<Yw3-<82bv7eYlu5)nJ!#T2qT`gPdL8Fo
zN~jrdq}o;u+Y+KtVL-X(&6-!3n9g^+zl^uRr!E(Wb__=<Uk=zrU*Ht3nWpf`O0neG
zn1#tHy(7~b#`gI>=L|ut&VAv(Ra@8c&>$R^k04~>gSx=#S65G5gNzOd(4dvlhQUgy
zg9FXaCSAf6To^^(Ivo3;%u<jpwNDwM;#v=&vE(mjzN@)VbNY2y32`$ECZ|PhaK$$o
zHY|<^=&?x-4NdxCL`P#%=QL60z<C)th%&!3ERs)gi2f7ie#LQ=iyrI1{bi*!ZmqC?
zYsn9~A{FbIC>&k7F@efn0W0lRI2~T~zqGTMoVmy=F0tfNt>vb3o>O_mL&^it^F&`j
zXV=!Diyt&y<b!LQTJ(-E;iU(IouZ~#PR3ox?cqyWHvDZ>_^YV5)nc6E^oBkM$6l|p
z|JfM;)Mg%k6k*yLs5aDL-+G)aK_R$&E_$O|O$!r)_OAeyFm{_uL0wiic7PaM?J&gX
zU7ChKwqO1+SL(AR;_9)-9DstOdY2x=n)`_xkM*ho8AQv!s`p#KR7_J!&8o_;OGV48
z@kM~qZ&xviqO$sJdmbuh@j0q9WYcnDk8j%|fp)3$^4aa2{G6D~--e-50YmAnghf>$
zpKw@=<|^ZazPu`*Ii_^0EthHDo6!3rxnoMmjgbkkuZE^ULc+tqIdQK3*30$g=JA4G
z`Kuo#JS5F%7}+x7Y7!3~Z(`^x{mMEyXX!;R_w%oKcY@hU#uW5%Y#T~%tZ$O0AyM1V
z<-rh+X@D_C`?WAMxcgn&q1sFC%h@gNlzck2bgE7Jjb4@84~;XQr%qzbQ{DU-2ssz+
ztt_ug#E25Fq%2LJ0@f)g%nC-TTYogZ{WVCY^C;0Q$BQGKEBN{hGjv$Xwi5jw;?nif
z+?C3(>`~l8IfP>epN4oq`fthC!&yWCp#h1k%S?LLXkkh2x@1|K^>|{X-MpxpnA6o|
ze{9J<(>vWwr}j~4?rdrCZ_M(O^|^|k`2^Zdf*n(_A!K#w)Jm4ub?-JqYV0%&*9r;y
z_J$-J)E8-QI68f^MSI(CkQ<K85-tB>O!JMELQZ&nqbk2j-dgyzyJd~d{m#tv4HHfV
z+W7i@Ib@phQ*Pnb*^%wQ!}&zmtJoq<FZ<aP8OVSYgdAvcY_nas+oyAPMiX%%3nWzX
z=-kmQDCWZ4P<1g2FBbM^dOKwvW`%TENsjHoJ$OK(MjJQaAZ+dmbDp~JiH%`aZ2Z~s
z3K-r+)Bt#Cp6zIHX2Kg<6Q5p3f$j9B@hh>X^bfyVaspb&z}U~-YxTt&3qe5TY<IkF
zx4nXQv(V*(4!RK<vt#1*L#BO{ouja#uq)YVd6~wNr&`}xk6(a(qLssdVP>^xca)W_
zs%dI<T6zms$t>v8_(IdEzv|m+KGx{f!5V#6bhctdg+5Z^PtHAz5_Yi<Od6YlS@O!W
zirCrM)%wkG-M~tHIc7+By1Bm9-zjCV{Glr`0ZOPYG@#4$z^nNb71RPC|A19_=sKv(
z{<P%?&0vi6V$gy1x6i{3!s1iY2}(O#W$;jadpGjVuL!*!S$K62%CKoloDnn1F<l4H
zWNvlX8UwU$T!1C#pu_CV?NCzQ$K0>`w4rO(cqkIS5u%56HAi>j;wxFr)aEwhrPar8
z;zrZ*i{_u2vz{4oGo8YQ(wt;Wa1Js%0^=tMq##mS2-z@2BXPF5XN1pBb*@i~-raT|
zRkxsDJ^x|Y9^(6}w=8SjPnGLX2kK4u(#&bZp+8PC?Rex-9-$o1|LQRCvM5J|>iR+4
z228VJqU#rADwSJzh1v4!{jzl%6dnKb@z1J>1+2{Xpt2<|Z`|OsigAtOrroIK5T<Y&
zMkA9}p`FX~A7qPy^9|Jr<Sl<q?`m9k^<@lJ>7|pC^csw^%#co9B~t{C`n#hfbjcz|
z2z*v$R{O?*Kuy-j=2^0U;R4j|b5nn$y+X~VgbIxDG*oY|@UnN38mhJh4eI<=Y376`
z4z{zo>KE*DEoIg<#2hOdEtrV`xqF+4M6yCj7<UFtM~CdHs$r*(jjkM<;)Hk84Pr24
zY{_Dw=`E9Wuv!$r_s%TqalPK%*B!Vlo>jToQKQAwL;U~+k^pGLMA&PD?>gCvh2IBd
zI!`o?O}uH7Z-(Mo^ZY)Zyg?7Td~{6wwi0@}wLiZHb(SU;iKKkMk!xKvSHIj`3CF>e
zU{jI}`se7km!REadT!p5+3b5aWv*1{9aOcw9B=jZ1v1lF-OXHN?Hwa3Qeh%l&Qx=Z
z&Mup^BAc!`S?&6Qq<NnC=|2nr@l|(y?Yt0m?L-tW>rNUNlR?b1$gDECQ$LDjd|RJ+
zXWbrCw}kd-T#SyMdu>0(>krV#>UC15Ey)=d@+k(#U~TjQnA9YL^g0u%Yv#n|BHv10
zZY6IdJ~?O>gX|@!35=`%OpzsTZOX1^J$rbr(sWAfq(7C+_8z3*QgTXwzQdUy_@U$5
z`@KJiq%SaaKc$W7ubS-p3(m(9Tmw5mz+P-f(*?0@QSc6KOJWKbOJ&z#$u?hM4t>~W
z3eiV7YGmb24zwkjYz{cD@@`%&^_8HFgL?HV)@95W0hWh@kXflipBySTT#Axb{&_L$
z?~Q%O#DCAJ_XvT2s{~GGKJ8$TNF|Se3yo_lMZs>hQFkb$z^z-BTT=^S!@vJNeIY?j
z_d6^G?a1GGCL=+m(pi^XIxoTM1vkbfz@sZHu;j;9Bet>r!u)A|pxc19#lkW%XDqIE
z)0ynrKT&Lw+EKK)Mc}L*iTGGieOiaCtvZTN&gwDa2GZDI;{t}Z<@;a|^V3@vP&!@E
zoLr36pZzr6*}zf^q10)k+uvpA{&87>mpUJ`SzGx$03D9>MN{d{NU)~C7Cd7yyv#7d
zUcT>A<aYhM+SWuD(l9h|%G)-9G;oe9h#q%HW^&KQH($y&6;Ed<cz_b)_KnYVQ;PMP
zg<KC6b82&+Sh)O(#XDO+&o$8*uuD&O(LgWLi;tmZ7R8{PKytI$KfY_A*f6%`3`$!e
zd9m-0F_U>Vu6`o-=7?R3K1As%tvNS*0aUflNpQlyv-qR&{$1+^h+5}d2Zy&O(FdtN
z{S@h%-ulHg=aw0$Ec=I2OW=!4`6)VdD3kMZJNhis#=>!qMWC666ZkE{Et`Rg2XU`2
z=)x=*705!MV>qKpG<iS}@^Ml=;75mh^XZ=gba118+2tY%^tkn{1vClu*jr@aPO4<4
zk@kVJyTvcuwZ<M-CDQjeeQRSCX<M6NU9Kuk@;CX0(me$h_OH8wzKzIMp7h!pA)dWi
zzTTd)HV3(foUiR|&$7bmvDBuv7c_>?|JuhQUvV^ii}wrQjW!qEDG(PwA#gR6o0G|y
z`@p)sE;6a{ui7@xy@lqEfDvB;7S0vKBr&b}eR^LOoB4HB!{>el!C~hqbrO~whrW$I
zf#>I1@??UyxikmuC<L?+3JNw7ddCYvE&AG1@-f;8h*N!zL^+FDvWgE3opXOnbNvrv
z)iIg2>#-u8`EkD9Hp7~=mVwk-7-h6_f5kUwVQuh@T1E_+MIFQD%G;NV18gKYsyWR2
z!HnDJ^vySbq$8FvkUm5<o%R}DjmS^>4<kVwN^#fqDYZ#|2qM@@)0D9U@O@+Z3VT_{
z+mz}<!{&GCw7z+61%knKKSZ1<FGrLV_5}OdjeJBE**R1}4XteD_Up9$!#&gSSa>^R
z*@%~DUeEE9y7Zdoh0QtYq^aI^CAF292N^X__GJ|mKYC3%^r5s>kaoG3-$$d0s^-i~
zo8VuDWJCQqkUMiyDFp5I`f>I;!~(rg_HwAj+_$aUo_6{2?Zd5$Xk7om`3qn0`O-=e
z)Xc^L!TbI#qF7E`XT}JM^Y`t7&SKr~@bv10npv{wU(bkv)W&vwT8D@#Eg4TOS<IK+
z;J0p>{EU-cJaI#W$F>E9e;7@BvZ}FT?8Li}=l`|^P1JqvMR8#2Hs2uyK~X18HXpr3
zs3h-MOkI9JY$HpOc5LllGl7P|cZ^>gF^p#lNZG*bSYIZ!Wz#pMr-e#I&{huSZTr<I
z<3?kFk0EBENxaCszkfVARO(wARdXWhzpx#et>b|e3-O|ENw>XLWGz0lqZyoe)r0OP
zm;T_sZd=W!xi!m^7g7P2`|aeeo1Q$$w>0!v1l#{byxRicR`9*B+z=bkBKWoD(<g|`
zyHmd@+t)c$6ZioE1l$#W_V~5#9hU{ns=x8jR55NO&+>PDA6<At-_H0@^wEFeqxy(z
zQIod(a9%?_+C09WfLuAL+%EuHw30X*FGRCqrD+hZ)JzWq`2#(#O$n_5^U82SbD15M
zY&tQDR2l9=WPYaKFk-ex+2pHg)rjGhX%r{VB}NE^QsT7bS>@BS!m>7?@p@y!%7%Wr
zP5IWxI=^2k08_%EuHRlqe))yAY0gXyZrr2%P1!7`FT^azFp^13Wv2WElwk0a&{DWp
zMRp^&P-wyaL_6@~XQSNmr5ocZ$q#geu;l*Mb>5TFcKDk!!_ZwDH^pX^*<m^CfySih
zGX$)=Zg#ZU-*G5w-GbyXMFEM3cZ{l3smvC3(}Kde?j)BMPT|KrrbSDe@hf%;HVz>y
z+$^oKSnz<x@ObATG1T;^I5y|LJdfcQQ=5?4ocQ)>nG5%{WtQ6zP2m|sg?z2FC;1wP
zfZD@|YR1%JsFlwpTD&yxx5O}uYgTg8!;Bmk-$9}42dUkH4_*I@MKAOJW)*K`7BJbo
z<(9JeL$_;H#So<DkF&#J-xbzkvd1|*%K(%w$Q{9-jysK|mKXH&9_g`<Jsiu3jem)+
zlE0wc+VU3hqQyO0Kma8w1vMrs!!>=!xmoqY&dji$_ps~@tzy`C^0UO<tHk6%tc_gS
zXmwo7_c3zvNM3)MFoZc)JLv-EyuCXzr?XzI=v7^gQApz&^(b~k<`;=5fSD?a#j59D
zT0(BuUtC&g)yubtUIHrGu&!tB)q6Hu+Q*~qq=oPvt>Hli)8qQaEK)!#v0pOzic%-j
zbGL<KF?LOI)`<{nA~{Iu*YXqJ+3kufe*XO0;9sSmkAX&6XJ7KV$yw{K2TPv#BV75}
zz4kzsAU@pBLeJ)(E7nk8<lXIC&de0mfC}0~R~4zv+vqc<8V}8-jd(+?-<>q!9yhDl
zqh9a<1v`PgdM><v`lq&QflP``h8t;r9B}h}9d#O+OlB?OmqqHOT58|p5nho)zBBHy
zD#hp_LlCOp3p-wZElYK9hvY4g#{#m}G0yUQH|LfLj0`i?E({Q^A_Rfdia~0RSgH0)
z%;htG_hd*ehx-b>^<4YexSy!UGk-XpGQu5Lb(uB=K*ALpbsydGZTE3ZO!UR9^j259
z>aFZuM&s{&*kpp1dB)pRAB@ScUX*>Ngw#K-(V^g6OR)S_isdhDVlM7f|E9kuXzZb*
zbem$@u*8JDVV&1INSH5)g9X76Yx>I3L_Wp4SiVTUfh!$FUpY9|R<LTAh!Fn)ubvVY
z@ph-hEf@quX29FTwfaCEgG!Pg>jXrtgo;t0NyX@8|5hIwu3YMgtNH7A>}S@RjAbTK
z`DjxryQO<?B}zJ7n0~J{C7DUlb7eotAcFr%%4*6$-pvkE(y*?}AoXBc7F6Hx*u7*B
zpKc<^B1wP+EoAh&%oP{LE2Pxh?$;;A)A<AKRAc`zqH_!J=xMH*o>*Dav?^GzuU_?F
zp}TsNGbfL|+m+fERnd{>O{930AE{$j%}tp;e}HY{_nz|o={pXuwfuB&Gt~J8LM*&4
z9oK3Jfto<r-WBhF#JzDepg}ENwDwoPgfz=m(D?i~y>eb{bjcaC4zer|?lf6&o~(DB
zBPZ#8-&sk)7W{6FwsveW+vXiEh(oO6O<3p4eA2sWwny1ubG7B-lEc%w(h_k<foJ`=
zPeGK6i%M1f#0{3hCnB`mFH$XkvKy1?Ce(>UxAUu%#W&2VeYtUURh1YOYQ+h%BDGJm
zfi_p4W*e*f_)zEy<vaRY<4o7;nyORUbJGpcHGi|)eXF(sWG20(Z@!>kzYT-wSo};R
z%XDs77VgLAS(Ik<%Whlz-4xgLek46g8cq5TLruST#(-y%D}oWdV%?3*WE!@rrL8Yv
zh06{jJ@YyMZ(75jNw~InVgOGMF7CXJAjE|$Sg4m^<T#V!OPB;!HtrU#?P;?G=uQHE
zIxJunXxrawls1-ZsbJ1*syI7`DG(PI7}6(m0u3*>bq5xP#@OK(j`cV2^0KZ2<h`zK
zimBK@byyp4>*@-2V+3+ueh4Ry($IOh%wFGq)h7O^*_%4grV$K}pqthRJ{VaVQmq4*
zQH;G*qCYGO4t@%M)23rC(o+@hcG&7(wEP0fM-!ro&0)4=D+a$q8)Inb7+C%k78Q5s
z63Y|x4Go@S`kKH}OG~b+pR}JQ_4CZUjx+MHOo{8<<uV<Y8pk&w^~8SQ(?K@=yL#A^
zdQ&n{X#&0%+smtkg!6brH0+ub)bGjRmj2`T^flK^`u?+mm)VUHH)_9DLA{>?YW~Ae
z^l<VKCO=X?`or{Bg5Uy8rLk%91MHX5PF|;e&pB8;YrY*~;~8^x_l`MioBJ}R{5<dF
z*|&QqP4T}OpRJcyS+IXP3EbDs@c&kSp~&qrI`~ZSMPBBk7{OIV0OhJ~*0l=ZRLes5
z)$<6RuX(?U>w>XXu3pC-?{wY?(QaFPSjTxk{-v=WY<ljOUGx?OLmCCYUOk^?NvUU6
zkV59hSKEk`t$I)8#s2QjYG{MRQbOyK2`sOtY<pMIv>o>aB5dr=x#(vF)CPP<lkXZ-
zWdZo9`SO69|1hjjqn_vHUcdP=*O=L6_5o%i;>&zjT7$iIJvM86T#L`gyUZU&&ps2%
zs;XzX_uTViPr23S{&1NGQFh2;x;ANsb+R7M7>3;lK2sh3);#b5?KfPXyRU)l@m-L0
zi?g9<1^387XPB-H>4)jYP0jBn?}J0b9&LA=b)T1+8Q-bx<5D{{IvTr`;3-SHM`EgR
z{~cO}oB6=R76Sd5UTummDy75P-4dIF7LE#z)bDjSxbgyx@CwD*TDrUnWh0NvOmcEF
zBGYDH(ECe1DO9VL8e86!)%}Oj`kV4{`Lts52fK>h_Neo$;Rl}eFAoGf)T-!O=rh^~
zSNA3oR5ftpjAztH-7xu9-Z-7CI@RG-MM{Y@wLI&w-2Ayx$pxeApGIaid-FyQpCT1E
zf*f90LuaYk)+?hx>t={#6Fey#Wn^G=+h7O{p&i<r>k=l$Z{s5(;<7W=S4o5YY<1pl
z3Ft||URSBp1ni=9E)Y`%LSF{qP!;=+4yyt!-iqx;Iux}EjmUqJK9qIImXh}mwN)g&
zv+FBKHnVBsReGGwh0XI-|A-dPMtAz?&hla0#g2toRI8Gr;I}Iab-E+bVB`&0$<-MP
zQqz{sl8(uDg<_26t5TVAtPB?8f<V|RK8evKtgkH*uG`zj0>2}A1$&X_$b6l^i!WJX
zV#wxr=HsNI4`&)nJ)GE1Yys%i&pB)`(X_jR<Ul%opQ>E&rN7^pJIAFY*zH8?KGe10
z=#eXXQ#fe9W+23?2jTI!u-MSsK~2~7(WFL?m41!Rs4Tj<o~`p&5_X&>Q#Wgl%7)C)
zgvwXLM7$av)vHOy06(Zv+EAz-Yr4O9z+?m=X4mM%ZS%J`-kOo+Nb`M;wRgC>qmiBD
zB;XRQv7y`vw9*Xk-(Am=eGs~NjS!Z+Yhp}*M>@=z#=pqrQe`ji2oRo52RSA!N{>7f
zxg%PBpR2UiH2}?7IpF6H_SQI!pD>VA5PlpsUE{45gmc@{g0bv=|G8|V*%fuQk@pVz
z>oVdXOH_XB9Wfyt$;Wk*>0?|oO-eV3rv9+wCPk4=dJ4By(ach@cBe8b9_8h5I5>T;
zuEH_A1vOTwFnQq&;K);}xWRGCht~cwxE9g-A?8>jeV*QHp(|$*+CC4p5cI&@Fri1m
zp35rof%x-9uUO9PH1ZH<2-RX-Ul<ovK}Ka#-6R_h?KBzlfE-)qi1pUm6=9$W#A1^6
zaVXtzO+1Nr+MV4o86|&Q3h{pKK??A8Mph*B_t$|>7E+_c*76O!GkQmpN15@u^FXa{
z7+opcs^}x&@P;}qIDS5tcbD|LIh&uG?OO*KYH?>TZS1NURDoX@>FU4Eef^8M_X+$4
zU2twCo}~Xf^dTXdn!I`q9l6PWK@|m!W_25%`yH2J6sMsz_x#rnJIR`OA+c=xM8(^*
z`llgqb&~t~;Rg$u_I49bZu|x879sZuS+K#_?$_XOSIxXUi{1X$3tR1)w*Sbp+Bw)g
zK+<GC!L|#M$E`1ACTqRWp6`%4vGOPf-+hu#s{jVU#ASn1fheHU=x8~yC8UGswYvN4
zq5BfbUy9(nRAq|02_M8a1zc||@gPQ>$4B)sO2okb8Ev^Sz9fR(O~$(!npbqDZ*ACV
ze2nOx@G?0Q+o<z^7#j;wB%97^*Ds^OQNfTC7F4Y~ww^Ch!i?o;h67a?1s|XevJP93
znLOZsrN|<&GXTJnAxG~XD>vAhe<I%<W%TUQLMbA@&z^aava1YJC=~E;k-U%3tj#iX
z_p>-cS^y6&Tn*EDe2aDjg3E^MSF0TC^1l1RWX_Cxnk|Ve0WPXaRYwWz^K-_D!~;f`
zF@Dg06x)APR|)ZB=`g@EFT8`|52jcqW=nqBq)>h$8ulsLv=8Nod}jB~mfe^p8m+b7
znXRm=)hn~7d|>2aO~!<AAhXRTtj+=mv~2$Fk#GXh_UfZ@4RhtE$=9LM<p)za+?Wq2
zAWz$a<s)8nWH1w(HdHUy)3IWQ%Me)Lx;@!Q57=p3L0(e&3C^^)p}65x#SFUf8OJA?
z%J5f4xf@26D7?*<B+i8?Kr2H0kTF@t(`+wSB5+<k*j+ds2wwE#|8kUnOAHuQ_$i3z
z)-AGzam0syc;IV7ZbR}n_=1vR^kx~K;|L*=J*h<?s3?(mCPAm%FDFyc$Ft;$2(mbt
zO2`Hp(`uCazPy&c3kHtwnuU9))sq5ROLYyffM+vl@JWrm(nJHZ3GioCaW-#``8*UQ
z?k}_k8oc!D)-|RgJa;iq@a-ju9jiK}m^3n5(@g^0ya<u8_V;LGT9qUJt2LTS(e_Hw
zTRoaUSL3>jB3meA={=EKW7&Tg*<bzZNcxeEVl{gl)a`fiB>m7P8;%%3jUNtHd^ftM
z&tsUSgPRxr)yuRq&skStRT8jNr%A<5zlIp)V}VcBllPH<Wa|@>FOs~K*2O2Sr**5=
ziv*hCFt%0$EkKf*w%%-$m%*f~`iV?S$j00fhYoF`@B_+jDIYfmh-&+h5p0O9m3jDc
z9AHbCqxF`bZQQQ5E4}=r6T>sL$yQR=C)6<q9R8x<<8((~(Q$K+uilb;EMaI;>nU|;
z6}@=7Kn936K4Hh#{JxHiib}=c$Tx5Q<I5K5Lw$8CD8FyA@w=okPx-{uO~M2711)%=
zvFe2z*=?M!%VKcQevZ#?(<+N`zd{e{%p2#f{d{Q~?|J1@G|QnIM;&vhA;Gf4;=8pA
zNyn^|?4;^+{$t+UHf@+U+eRMR`W5NgBg4nDKdL=GnUH<Y0^h=|qmvj;_#E5$(<iwX
z2ZX~JT3`FKWbDAC_HX<&7ZNk>I(!F-?DK-^_5>%7zqC7HZhL}k=x-~1D;bHe)v8zg
zar>Lyvt5qC*4Bq@yrX(=d~U~0?VL3QeJ<}E1#lvD){62gXC{}o2Mr7ctxy@GSW?hM
zIQSM`xx|MP7Tu}~Lp(lb5zJs&<%<s5j}2d1rE4DFq>n{rj*d^Hml62qf4(QBtvxk4
zrET<^KA-*EqK`b8JI~s6o32mDFd&tf6%X1lB*<iIiHz@!`{HMmq}1TE^{z!3#J=W3
zD?;2U?&sS3+q>H-$Pamg1ZlsL6Ih3~=yg->l&fX^MwG3x@z?PVq}cCAW09QhN(YxL
zvv&|^M16eN6yirLV#Fe{T$iW|@`8HvO4UVG!TIL0`i?E^Yu(o4cTZMRr=u$bB*WG2
z-XQcYVb|NUS*Xzu*EIokjrWa&tRE3XDgS7oLX55CD+?|7;~F2iAyWc_umzBN!=TET
zdwi99bAyCa?1u5wE!d7}zG-X41x`pwR*T0AOOWu3`WUiY;X#F1=54d96At1mX}&p~
zF8L3GHchI=o&Kb^5VmgSk2z8!XrZrkI1OO-jsFj$Hhik9;H$2ozF}#iJrGY#ajALY
zH^0Z^Ydh2Ci46|j!!Y7i(p&ef|1bjA5ZP?}_<qJ1utJx|5Vb32pTHFkM9>dlWLrj}
zf;mcBC43|*(HM){ONmHYq0nBH%I?+_sBjinCN|alK%QKmC;3{m`F)DpLHajii3#qP
z#?`+y)s1%qVg_HG$G);3Jo)^2q*6HNEm*)L^y@?YQ~1l&BTVU3Be^1@eIRlJ*aEjo
zoOZr-wn@%z^fR)zw>pxjN_nmga`tFgs}rO=$+>m3Q^K;<8%;862dSiq<ZJ(fU+$VM
zVy_6n=f?fNG0}js{;WKa@8ucZxgTHS8-rJ(yR&j&B^Z8iA5d7*(h}Z#DHH|fcPvp`
zQ|*QH^dfUxo#<3<<aPK4gMmOyKw2;5S%)tAYxhhXZ*wLEZ--_qLKNhP_}OfS)`=mt
z9s!R@xy;$`IaxV*v89hpeeadzigj)S%+^^C3-EEUck)@*dmD$RxMFT##4#I4!1N+h
zo1L1Z&@Zk`_<vFh4T>BSOtW<t+}N6Hv<VB49Q~a=_U8XWzc2`r^d(ckR<_XS)KyL4
zSk*FFG)zZ>%+U;_X=NLnULJ`{c}ci_UC!hWB&*J?3Ddx=srIUX(`47qf?Up@(pPbn
zFQHY{_9vz*n=XVBCwaGC<vz(9I6vhZodD@dWbf+h#DAxDvV9|ptAEB=5w<*@t+m=3
z@*FrlHTV~?g;)Q{P$Uq?E6KIu*DYk*@T*dYeUtCEd9ybgi{Cd%+)pwrtDE24@h$~Z
zx@kDN{W16TnnGD&P)VE#C9EJP?#O5eod$YPekMlzR$!CUI#5GG^Xk~ay0yL8dA<<@
z0or!#&d8n;wKh%>EyyyPZ}DcOxXqq?74LIbe(KS4A*=d#-Nl6a_Jk^W<^eBBao+NE
zpktM6{h(f*QL1r1r`HMPZk&egB87Pgu>|X@tY6i7ntm09U%tNZ%_ux*_r1*=0A5zs
zOEm@FV|iqK_r0DFOFYpeS_<@++*cv}Qo*d4QfQ_HpMwE?vYc?W#SOA|)jEn{075;3
zJ=NcOD8Gb<d@Vj4_}!_-FmDcI;X{0(U{nuCxmksEUZlg&1qMm`==OsygIquVpqPSD
z3qG5{)ndpy#_48Z@rySTBv6sV$?dlEoOFVo<mZ?di%v(D=pc!{e`2VnxV<A|=#Oku
z-y)!YcBuWY`>FphfJfh4{1_x=ljcsEF94%8dJ-L5d$nWp^k;Uek!+1&Ephtgh__bc
zDU8J&!zP|C18~ua#kh_EYD~0NHs;R9W3wdkI&*COgJ<(8tIurmu_LI(*FN8>$Wctb
z$oUWB*0wnG^Pj-E^R~hhld)HC_!m_u6nF%FWO+F$92YOvL?_Qu38;Dv6<@yeaLfNu
zknY@7lSj9{ZU7{G-drcZu=$oQWJ@34t1mN^Ib6#=CZTup_IZNeOZIvsm)~Y}aNXke
zUGrdaF6h`Bv`nROoEZ<LB2kRP2`W?RuwBck=l{^&WAb=Mh(CJJEzt|XJ+Rj$wc%SM
zk&H^P=OD<kD-4C51nKu(?nruVaMrwQ#9zj+w-itr8fhD~LXX<|+?D3FIK#A>q}2GN
z_ur{Wjhno=d~%{F+J%HEchxDhV2)08|Mk_~oyI;n-Sy#8#BwS7Mgi8d)-}E6xwIWP
z2)cFr%5*SY);{L$_5M8<8c4OrpowktEz!M4U)McQv8r+zT&M9?xh&J7<~e3sasL}?
za+B8q*M*Eq{zS5Oy~HcMPauN;ULyBe3t9E&@X*GB7%p(1?HJIkBG0+BAVtJ%b~X<u
zzmV1+CyUK>ze<d+Jne+g1AnZLKK!@;a*Fy+OKjLrpSPSv?_C>rcbTf~&1;R10Og}8
zXNQ1;SqO!>kv+E#w;F#1E@q~Z0+E4Mrxue>4?AjK)_Xi$6ivyKHoa~AJO?0)^Iqvq
zsEPFVdpk>CA|*`==QMwgp-<n+1m#V^GSUtoef9$#xw%Ah@bKC4rK)Gc4Bl_QLPw~a
zXj9`9et<!F8=iw<0JwORodbdJNLJ*u96@vvW)!(k9Fc(&jt>PpmkOx=nJ1UlXU6U`
zcc4Rrr@pCf{eBmY7?*E!1*O$%iKL%wwJzFVVA%M9NN7Ujj6OcT{vb214@de9xdP1w
zu0mX6hX3o$N}5|!*HgcxTI^KEi8bpEoS2qa&9*jAs4=y`bm#ReXdKfk>W;<EUh6Kr
zR<j!Hi*f^d+%f|j>KE}pn-y5(DBQ?|3@MAb!7m~j<L>~C#Q)^_)%Qi$y!MbZWP!Xw
zQ!%{peRGgpJP_RP|BjPg?1OJ$<}fYfnLt`FW$O1~p1w`Q9@SC>$!Ub)5(v<G(^oZb
zvvz7isA*{Ql_3W@Jervru5KFOp4meMV?xbYP-=WziXO#0dRaTUJtcTPUsv{Tj0q%Q
zTfCeM9-F}d+99q_Z}smRPWWixR(ZYR27mQW+HUrKNq@{;s5MzG=L{H)V>8Xs++O~5
zc)_%~&=ZiLv$;PtHnwRh#Z)!S^@@oP33wr5f{tQ{5PcBC(6kOC2&dGXE)P<SGx7dJ
zxm*0tgINAo{xn_5G>AgXe0A9UBA0r~QIjiYcf=cc;_LMYI8){dbi8!j`((3RWLSv}
zo<aH*nCFTq9)C}89c{I+YA<*Cb(2=#?Ne!Ff)*&-&donqY`CGE-R|KPKfb|VVD+Nd
z{I^M8#A@tdH)fmAe7&!+`V0{#y=(jI98=Q==CX8W=7;YYt@9MN5;D!a5&_bxsxw#v
zoY@s+JyjIFIivM24E_GJ48RW?XP_tWieVFm=G0t!@L^YWN=SU-W~hvx&$a(jIK>=p
z_PQy!=0fsMOq-jak)Vdq7RBO9XM>O)5iQ>+VWGQf2}4{71ucKnhi$;Qtpnbu&2W8J
zHr=ODbo>fcC`2?QW^;}JAn_5>(ww3-YE$pi5aM*gX;!lgS%#%XOWnw7ox7fyF+4{g
zfxCi%nwhX_SGNzB@z1nfP)si^)1;;c!z)nyRy(RuE3ltACf3ov%d#Mp=bHJLOCv~q
zcI!07#$cgX4@qKiH7O#mrMDX*#wfs3dIOMTzW8h2=6@L449i(W28@~i+`QwV=U4lu
zYFKN<iK)O<gWEa>W1MkcM(~Ma&HoVhmQQi8L9{1<K#-6S+(WPcg9Qs7+}#Ivo52|z
zg1fs1w-I!33GOZfgN5K8JR~9S&8@9lyPx*My<4^aLO)f%u6|DUIfYJ&qYd<O{We(o
z<M)mPNmbLPZKYj#5rGEq)%zmLh3U}#sLgI~N`!6rf)+s;ogZPL0X<9c0OO7fkSw8U
zn-l}U_fqLI$3>M3lmx8kP40gtfo#a<a=%z_MRO^Vj1Yukb~h=~fmEm~`om16gn*cc
zJ~bd9{oR=Xm+ZT=*F#y(Tu$@|C}~af;~HlxfaY}gWIi{T>tq~)q*=S9!mlS*KbFb$
zygz}C{}zdiJB8{&^D@{YQ?DJNwpfm7n#tEQ{BnU*86D5!TDDxYxUO^n&HM}DpFTj7
z{(j6hP@`aU+NH?z>2#Vya}GGtwB>>Hl8Dt79!ck(dKdKsZ&_VHm)bVh=k)*du9>#m
z{|~QDAcqc-g5o^pFIZ}A)uiq3hxe3Z8VbGelboI&-ykbY7aMb0l)#TL$qy;<?+Oq(
zA~7j2f{4D~!63M9UG(zqYH5G30j7Ct>`Z=ogFcwafH!RjGrZK0nVmn$-%F6$iMX<!
zpqR5Fb9i4kt)R8T;VTH2%mVL(94Dfi4ZBU^H#^qKDY<G!$A^q@!fG6eXTTbEe_POd
z;AApz0Ir=O|61n_E9L8#3p*b3-SPEy)lKW`9J8k6z2-wrx+?-OJ)wZrAA|7pi5ML@
zbgc`5FaT#iEHyHIPT(j8Q%vZEPv5cr>W%NpTxWrzmr;z9q5sqgtEtYzs-!q;5KR(A
z#o@PDgH~Lk7g(b(N#HUsG9EhN-Ll&LC0vutLLNHEQ^-`rG2=|{el56z=Rh^AyBP=k
zaX1#!S;ybh&9hl7JJzJ1IwdO=mJzaA(#Q|QJqFv_4(q!boP~{fzlu#Pwa&(NP>se?
z)=~9u9j|V~TXH!!%A->6cBSu1hF&*a?nPZkp09k9Oa8v}yK1PSG}w%OB`Ll%pi=0c
z3Gt!ncdE1jf@p%uTb0Va?ED_7?*Wyi5h1B76|EoM;+vi6UTKIir5DYqYQW<Ap;@m`
z<VojtT2*UWT>}Cadf{VXQ3YqZd-PQ<Cf&x@jSclRE1R-emju(2=ZGQ$4>sJqX9XO?
z_Z=q9Ry10N(Q*rNWu~;_tXOqp1A({x2;=&qA~+iS7cSAPFAKMq^KcygBtIU8L-Fs@
zMV%scTOkT__{oOu9ZhJ{g|0zW^7kA3`I7r{-wip#*)aoPOUQ?Ui1H5wO*8TlyIfOd
zD7DV@J2duh=ds)#**Y%GyxtCUt60AKMH>@-)zqqf5S+y*5s}(uemh^0;QS-PLYreX
zA1d`8^kbAV;;VC);Kw{YGqYx)?8TD$tFp4|6r!$bkZH~=L|FYCuY3iei=MFgCp01_
zWEwbUhV2opyy7P=rMY^!CBQcR?au6D^VRPWjo|#FcozNO_=EjBzF`Cy{m4JHVVT`8
z3h!4SHL?S6{1!naqB|F`Uc@>b7%6e0?%m#w7Tyiwtm8ce{BCNc9|SFH049_A^hLw`
zqln(|UnFwsSqsioKa<yFOK2cXD>D|hTz&O!O}Ew6`?<Y%a3@9UN!ImIc8y#HY-ZwI
zow~V~zXBJdaggk4!2H^uf*psyX@>Ym%1qKO_-?vfL;FaefO&-NJEA3`ApQQr+U@~6
zsi%1f0J*+FbXP){blZPah6eoG&2gVm{3|4HV=1)f-;Q3i$Z19<8WECHKqY>0cvw9|
zW~3OV5@il4t$C|Zc_jM<E~3vxygxC)Z{_cwLVq=c<kgxvSOoN-d3uu&fk-6#`Ld>q
zJv!hIIE)CaB5$6iZ_W8Ffq@u%$<Jmby~#+bj@io6QEVX8gq}E6!nM)1Lo9=eHTh)#
zX0w*g_1KC=a}I5DlyNz0JbeYD8ZSLn<siFN<L%$EtDomz_G&uQ7h%h1stog_Hzw=2
z(DI~^5fFl-=~Io1GeSu3BN;G@m?mtv6fdCax{JXY2N7)N?XtXzcJ8>as_q2CvueDX
z*SjqT*PCo~kMq%a^+`T95v0yd3QBKosv_{LvN<1bXeKvOhhNS#6Ybu*R$q`eT7a@d
zn=3z@G(A!wib${gj}SiT{zW!!x>pBFcXWAA!dG0>W%OrR;fI7L4U{gOq6Z6DY;zff
z9cner@`d6<0`^#%ye#346;qt^pK0mCQO>RmNJM`l_=&Q&55c1D1o<3{Bpq!|nOV!)
zkx=;c)ciP$tCy-f9g_H7fde686C3ujN_o<ZjH#LBN18c&{UuvKK7PS3h(B3>EP8U3
zhQ7V$qrP#2bi>J_<>$QzMdiA)Y;|w8r23y2uDz5-68#1YtVdWj^Jq6eemAKGuo)6$
zgfCcknq)U)LEmN&NA=cKF<lLXKj<RqTRfkden4nlUJH;uDi5T_{mM{%5|Jb<AZD;{
z<YX<_QGPVF_IGpsTxa|fDYbgHQ;ZoieMdF*{M+&4GM%=}I#h_X%7H;ybo{`nFV>qt
zv-yp~e*nl+=~k6J8hcQ#<1lYp5K{R;-jWD7$Ms`-Sw6ss3tv0SM0xDe&d;V;0_zCV
z*2t8%JZzG^0M4`vgBua!#WvFdz#W&6{lwz8CZhh``5>SSS}eXwXsdU%2>r6YOm>g1
zwYSy_YL`6074zmjf;+r4Dmu{fP#KGr6<{7d#W0y-z33Cg@vHwj;FO$B0{X|t2md@8
z=}@&smiV2IMeA$+{xBa!5j!Y0`dec!hCS@@tEF(%loXEqi_Oog0_P_BR=$1W;ca?)
zGHF0jHZNsLc5~rpm@{KvpCvE~vpP?`I{>f+*Jw|tIjHe!5y_b@Ie!gOktz0B4u?``
zc5GVwsN!GIQ|Ya2nz2rY9noo*m$}+*a^RVuAh549;E}rjFr=ylt0tC<-W<d)6>X2i
zZijaZtdBI$N-~>~n-Fb>s}o?MR$K;Q@dvCAJ&!c?2pys*ryHvJR@XsB!;1JW_FtF-
z(QLgUSQ|<&y^Llrsz#9q*6aMAsal(U<u=m}Md5c@Q|=T`=+wEdk!bqAt#qymEATt0
zlKUmH#GO-KAe{+~8WkBI5U-%}moEPXH+6wsu%L86HvkzkzBb)@y@RYR1Shtkf$d0-
zGpxEnA?!G6c;S>A|E69;2)k%eBkcKi#f$gbot4X;yWsF4&mjR4MGI%{McocvR*dp+
z^I>yLL>p?p8A8%e14!>w;awxN9#17I&x_noA<fxvashR?JIPI(zE<AeGgD{CHR8^1
zD)$2m&YW}GONiO9{hUc-Eu2o{M_4tz;(%}n`OcDG33Q3}D>jPXaLf}lEq8yvZTBTR
zd|SFkBl0znwXy6R9+Y39kYmWD-sCuVOv>Y!u}aXA)Bq67!6d6gdL8KHm)&wfmB!NF
z>m95hSAqMUpUeodzI?lXQ(p@1JQ6(^hA$enWiJrQ`0g(zOtA4ckz^+DW>>nm?XZvY
z50-3X0?or<{8N=Mvwr57hrpN~q_*nC*?7xS4^Epof8Y{@t&b>y%7j-8bJhj0qU(Kq
zM-spA;74qi22A;>iRa%!nIo`Rar*=cwvEN0Yur6ejVpCoENP+vzpX*j3DBIc#eVM@
z$-~r}oU=6ZESO~{w{Td7L!S<hhfe~U`y+Eu@=t*WJ;;N$X#W+sDA$2;JD}*6QdQCz
z@G|q(e@}(qrANN#Sk{;&J;d+z%&Ym8%VOOA9R(`ELzovK`7)es&=z1@+!mjBB{$8U
z7q>y{nGW1DD0Q%CSqs^-%?suseO!}mUAWXsVElRJ=`CSxbc~|@7x+mDSMa^MQ`WB#
z5|h<vHi%&5be{qTl)G*QatZF=em^J6pZ3nhbdoqVJqr#%kr1SQK*eL*-{{r@H&T~I
zFc9kawufW;wKjEzabUZz=8u{MYLhXu-hBMVFS1Cdp*tsr*otBGtsxB?6!-5_Btf(C
z-VUE%6AV8UTZafL-0&Z+l0-|I_mSUR9gYq?di0;H?xuFiKfdZWH(|y!83<((dmhW3
zfBi2WBj4sz`5QVrYV`ylRD{8_tl-tIusaKmT5tOgCU)zbmty1~!H_%)4-m4$!UB#$
zrOz)`Rg5s+L5EU0-m{glT+;Fmz6|&ydiv;<A$gT7?v)|VJMmgneL|bwRd}BcNb8R=
zInnUkpZ%re7cJ?xGNMhc+4u`~b&c<g!L%P<>P2xVG4par?LA_C`hfCE){T2uY4$Ms
z>~;2AKA_o{6bsne3v$VU?_?VE?1y)x4>oX+rNcJ)ztGB=CAs3P6$X9B;O5J>OjV!#
zG%mqiL^m+>cU!^?g6aG(wiu2yDN>$xr6~|5(MJm)fPjfJEe7w2&(3ry->;>&WSY|z
zv<E6H!q%?@aco6e{Gl`8;(UKD&Ksq2o|Jbd_vz|NFE4?0;bzh>r>O}_$1sD#XtF%r
z-7!~O*Vl0`ia&9`{*-odvzvvfep6TcPozEqSJWUtd3?zSGrPdnxiaOq!?@QZ{LvTj
z-O6>-T7GKeA5EUcqZ5s;xp;f4Qed6v-!Ah$AsX*$>35swf_yZH*Nz`J2os+b$_gB>
z&H{T&;6{?~hGZ$ybA-93RmCGdVyH1nO^oo+a95BzOhb%dXxMyN99MWteq;?U@>R55
z`ztz?Yf7)9c^nde6K}INqdZZ3cM6$u>V|fOG^zex>05U?ptx6zZ9|xz(!kd_-zbb$
zaTbPvP3v(_UsgVKTFQUIa7pEU8m!2HTf_k$si00Op(K}UDbBAN#RUIY)<*4Lyw$tr
zT#kxr-CU7b#tyVH{2pZ;cw-#wPjv@E>$erUJrS|#qu8tzPx(6S_<qgF59u5o#4Dt5
z0QK^w4~0IHU)`@>vEyLWH~wTHN}Z}3mi~5ky5i-pp8KMiuk5-sC2}iygBVX=Pf`x6
z-|jHfpBj)Xb4;-(hV2hd#dE{QNIWBE=mbsvZFNfgn<xj#bQ0pShwX)V#)HKYcfMv)
z@%`HUnphcc%6kS>ZNQ96gXonQ!Fc;o&N?l=MJ`VJ`>d2UZ)UA^e%XavB?G5Lv{;-Z
z-;CyHVXAdlk!$-exH`x=wO{SCRZ{w6OelrmVk=o{V${C47QbWfGy*6u#12J4AZ$w3
z)t4_ukG@7T|EM7H`*ydnn~A7GCttb>$%}4ln`w2OplWrE2J4L-x|UxikDHh|t5}PD
zK*sCxd5wc8ckQuM$~;k7F%}A}kxCA4Af5(E3_EP3{2D?Q6e<8!IfpXtdLeJS3g={8
zo3E~~pA#{0RA$WBX5Ey%W%hozuaHFwCo}S!rwS>-8s$()RZVvP7nu3P*ZUm>^6c$1
zsjp`#uU1!1ls`3$d+Vv8EvLFAY!yv;_Y;D;K4cBvrS&^x^|Q)SMWqKMbAYBJm*Gut
zb;P7e67+Niie7r-KCrQ5i@cGJKUJ17f!H_kIx@SLcx64KEj~{Re-W9n`(0uA`HWu4
zYxeXE2h1D~HnpthFOax}8BZr7xS@?$^-jRa(RH~mU-C3<>iqH80<x}|CRZZ)uV%wj
zr@xBd1$s<yeqz2|i#x05YZfr#5`ilVW{MHg|A%4Jz|Q@1RUmWiux|C_1a{5d)GY2t
z(n}{dmYA|ZMnXS`J3iWsGC75VSB%|X1`j8fumqhFUpjhQ&~jA?>6GPcsR>w8TsCNo
z@{|zArCPZCqzZkSexWmd<Ctq-!5Lp2&GTNXdQd{xdICeT$KR>{KaBZmvHvi-oU+3m
zXU!#ilf>h+cl1JxsB5u?Q<w$7xNo&=v_hIgn7h4V?3)dbvmVI1OtS8NZ3g>u(TO^%
zS@RfoEB#LQjAt~z8hpt+T0e;B%Mtl!<g+^}!aw*D8u|Ma*be*DaUWdP1BBy0gRNT#
zwob16m;jhx_nVGet&-u78@T4pCNpx6v|)i~Bt0-FsML9tSmRY%47{`Gh|0Rk_&Ee=
zMyzr%N#}c)o`+B0nrklB_Ppl{PmXmoRTJaLVZ#!Z8uBMKFmUhw8IJeu&GP6d+u)y!
zh2!}RPR;Y1Wt0{xOx`<wUB6?gaAl{XIZV*3TxCDK8!?ReLaq9~boDO}Gu<9QgxQXk
z!&vF9HtXZECde1$Eu^DoC^(g;=;h!6TX)oEPWc|`kC!*-D{s!cY+obJN<ae-9d=RR
z^e4}?&{bS9pv@2ODnw(d)s$1taZcj$#kkRvHXZ+iXShP_n=#m*vbKm$br;r3W#F`9
z)X~=u9PyORsbq2Zc+ZUfN?o~KO{`nEbaKy*4+%1D_yoL89v?7~kldGU4CRltFA}3V
z{kTL1eK8~)YkjSAh}}`^kZS)8FH(uhXn1jzhP(g@>Oo(+iYdfY)#`Y=spcbRg<4s|
zE0jpBSg_-+C;Ds4qFz^V8`*IF^yT*0`FXfRPhONGHd5>Bug-V_Y1Y{%$8Ba1lgN){
zE>+d)eEz)QaJi+}%@(%BuQGpvfD0%AB#Msk^p)zw^y4s{6HP-a;@W7-In0%vpi8gb
z*BMiOJSKEjwR!WSa%=b#>28w<`{whOlQ9@|ht|1=<JO8kzDpKCH<QM`5@#$Wus5q%
z*4Y5E9`&UQ%NAP00>j**8%PN*Thpbz{=i=!!^L-OB<scued`b@;pncN#TC0y@{ILG
z0XNgb$ML$55dW6<F!t&~$KGe>S95(F;<DR6NZX#lf7;~y4hTP<+Lv*Rps=nXZ?-;b
zGJ9Ev^_G>$t`RGpc~V9k*9PJ-HQ4kgs$Zi7(s*}WZT={~XsTa<<p46vso%T3puzcK
zX!lY7cV_@gWTCaT4MP-6K1HzSL-Jc)e%{d3o1Xa%XtqMOz)`O4SZCf9M=<ZV#&aW=
ziWpRunkGNV^F->fw|?F`&MP>y>B=!tLl{$XZ^po#<m&cWWI8JmP$s~1IW4(w84<ox
zwbuxF(m?YPn|Ru|cmMh@N77iHfq_o4BbrQ`mYD8wGDKUMK|STnmHE&A4{a;_|GjN}
zgdJQL@V>UUli!zpi`PTf&P-fa6BPR*d~z1!TELJtYJq3W2mgAFfq0Ab8PzJYv^Of}
z3A{-4L>YU^wg5Js299Iyldk$w4TiDt+1-tXQK^!)Tg{-?Nx2N=-MqN0X6=c+Pjpb(
zzVt7_K7nGDclpR55&J(@^bQ8(lZN-UPd>sQ(%w}-Hn7HLUxGPO`AT}|b(Au#3@g_R
z_<^aEJ-~VU63_i5HkKGkxb2Ogv3dpB>XK+))R&ybB#|EkpUAm~Lc@$2Y3Vu5MU+p~
zYyQsui`WQ!l2?Ckt&?rQX~%^yQR`lzS-SYdgK4M?PUH|UAW<bzxmkWiUSx!+e}F~W
zFy;3?+BC;OqQ&V2o>WPuA~qdcVy4!_q%!|>%!`Qcqr(wQ?k5vW0F4P_yWSPHiDPAL
zN{k?LeZ4Yb7^2s)*UP)?=A#0)@NO2wP2+#L@BD8a8CcEE5C1*Vd;4>H?Db<j`p+fX
z)x}Yt78B}*AG){ikbZpu9FJY;;GC)dlK$f2RcJJL;hTYGCoGFnA|Y41{&B;LrmCp^
zl-%E*=PhC-*#DRCiBEpur`Q0=BP2)UrEO2l9CpqO0iDwZ{c=fkOiqu=TBtcfcAs}^
zcO#A&d-(ZP0A6>ic4xK4ti4`?!OU!vj+3K;jX*hj)Wz3!=1O+!6F<?r2DKVgBfnjw
z&TDp=I0g?&(u!}U64j5Y?Wm6tI(_G&hm-uH1rMCm4WO~=*%52KHjhbO<9Mnlc?rk5
z^XckQgsP%6Br#AQUO6fW$S`!fpuBAW?ERU2w=x>FA2MpeO3%a@w##~nU~pUJyVHiP
z@2yY-c>0FrA9BVx*l)Yuf7bqHn^kzA!H@3+1S|sOaPOCMqQ;h0?E9#hhX#N@7lYs{
zzLQY(_!w1XF9LP*Qjpi?ZyOhEedN)pIr+0Uo7@E|y(EXC*MqnNQ|R#wxh4aT%uuOn
zB8Jtb0$G|amzD$#bQ!pdzS&s)qrpmRQK0RxMI&RKRPWTqxbCoeS)u;G*Ns*wBf$JY
zuK@YBhjU!}1QwyHQQ3HuO2K5p*qzJab%LHTJpcT@7`~wKUhiBT1M9w^<;Q8(2H2af
zVy53)2Osc^n0UDG#Q|U`Z8!f5SRr^n8FqUyVtH`8L}T9@r~xMQcDiit^;T(Oo>c8c
z6SBE5de-sAQ?9$uCm*A;cLZWoek?Xg7*6m_|D7GtP>HdwH6LaKfTas7&0xn)_9EXV
zL9e@e#U_k?HJ`3h7$aNbs!@o5^hw(uPzgK}WIoX2lgpLPaGTD3jUh`)f=+<O7`-E!
z{Vu&iCuCM2TmNt8zsD(#)7L;$db)Gl_7xoX>EFaPemZm8Bxsz{c9;x|@;ATKuY(yb
z(JuXmVOvX=v@1Ct%;T@1MwzJ>bi(*Fj7kl>3Iw^f%v%0capcZ0F$8s~d2dBe?04Ip
zvIhJpDrM?Dj6ux2XdhntIil$oi>iHoDw45-UFkxgfcWuiw85Dy>GSfc*(Ibt75b7J
z>NxvW{JQYT=jlL8sCDxkSMu{V^$pv*kXr$@$^S64jIA3P)wyyUe11Msn<w$CdC4+L
zelg?OAmP@(sR1MAOA`-uE6r=a7pjT&7MGN27w6A!ot8!+wHXl4yKH^sV!xzkz;yWU
z;`qw>4C<B3HHlVl;bCB;V4l||O$)NY1B=~Hva@X=rj8-@fS!|F_EqNw#bIudB#Dxm
z4pBaKkIXyDnE_%xVoa~wUg6EXtMRRpW4Iv{z=dA4{p#!R@u&Ekg1r%w{C6zxD}uiy
zfSn(`pQl<jN&O1`nGp9_{~w04SBCHP3y%|4!;|GHbqDW;VXYN6$QjahCEvR7Oia;!
z8cL3G@oQ_@#C1mk;!sGAsV0@Bsg(ino0a7(-lt*Lli#hVFD_>;hRvF&deQ26!ODL5
z_&9?m-M^}0gGGt$SF7a>X7%QiWKX(sk>WVs7Ph`=oUDvIfy78Zod6pV*O`v@RF2W@
zE%`G!i)cZW`tO`epE=uF{>?zTO?<7Nz5hU0I(0||#!F7h$9K<3mCF0YiaiRLKGxbw
z1lYB7|1^XZb{-K|<SUP^cPgMlygDhXt<0$jlXgj5I5WuYnxeH`-sgESlAynHWblUJ
z2pff;=tNE(2p_&NvxZ7G#IWymQD`E&j^(I-*iWK>b=S@h6Vr@*s#5AXhM(YQDeOYO
z9XwqI_mPh9UHkjBRAKo&AHYOmkW9|`^+($^BzL8kUp0^1!Vp=E1*<uBPAeq~)5TMa
zK@CM*Ga#Km`WI$^T0{;G^KY4k&^!zqQXLEp!D}&V7xr2jsE)Zu$r|VFZjezg>aFgI
zQLW%jMAu~{01FO$=Kf&SVBkksyZ5j@ry|L!@^a`Ww4azW;ozpVY7?ui0w6pSeAsq4
zD^qu0+`TzKoqbb)i4@*`Dls!BV;93<+EaOh>e}X9*LUI2|3V)%hvg?X7$RQOGEu)r
zMWN#p)FGYgqv%umj6OL(%%^94b6co*A3*2&#ZqMH_^uUM_w{7fp&C~oyzY_}*fkxm
zvMfE%)Z7d#C0&jM?2a`Oui1trD7^eI97Hp5QE&D$<EKer?QWBpe~D;=o$2t1ccSa3
zLecd-G4%-XhTtqv)!%BX@2-9V<G%AtkJg(0z9{a?y;r+SYW2&|-29nitN2pb*6Et_
zI9y=ZX4NNoy1;-7fxdEc>Ll86HYBNc*3Yxes?CE(t}?-)99F;M8{5z5rmK7?QXg=1
zK{Ty{X7E4q8pW1c#<hAQrKY|<Q*{nB%oWBLmv2ZpHFIUdzOSBr2#AQ@MS9v~-d#A2
ze^Cdld)E*1r+A#Zt!Iarn*S7Qb#tZE37f(KZ&aJPA`)-Sh|G93YM1>OFAb;(BU4@P
z{Yr>0i24h-p>-|&SA)WZ<8NPRWk;u^l-7;gnf~!z7n3Ed1S6*rr#T5r`OolG&@?RB
z!v@lti((2A@l)mS(FKsYi4o@_ukYM<MHLL}kY&+}Spd~6h(2Y@cxe+}e+a9y=g6@H
zvVW9gZj9E^n|iR=AU4xOK%Ue6TB~w)X3OTAVH?ZTR!tp?5YlcScHQcW0KcX=6DpVR
zL!0JHbD0)}#E+XNGdICs$;bqeB@a7H_=L8Phc@t=ezl^8$MWxK71kb@ioY0NR}ZhP
znJI4Bh+n5690bl)A@Np!X6foS+zT3~UraDZIZ*Bvm&)$q8JqU(hpKfFb?;{2@(prg
z{;Gwx?#~+GzxN(A-&)ukp}B1XP3LvjWJ>b&iYMtDYhRcw4+pJJ8YO$r_CBcQt<z_1
z0Q!+lGNJ}0b$r=eX~jD7cI9#kvLg}6b)ds!lNW9UZJhV_Eok-lZ7GzuicH<w%q8x!
zFZ`0T)$-LjET5??`};=&uNb4?-~e|;@^0Fn2h*jTU0?A+`d5BO1Rn>7!F=4QFU^Dk
zkgxR*1FoNZJLANbk|G)`L8gS|Cpm0n2g@=)1F^+?U|r_gy#<XE)Obq&VF(JTv71~v
zA2)E4uXE8Ebgs~leKJ&ys``6fcfGLnXy*L|V7JyaDGj2N)-u2H+(m!EALzAN9b<@+
z!M&+xv9PEMU~)D=!sA%XQQBoDF7I0X4QJM0dZ13>)XKO3Nq?f$k2xR8ey*sC`judQ
zI5E)A8F<JQnN-M^v(InoA-M$)9B9OlQ61cN&aN5W2bNAp^{Ol`0iN4AeaLp?I`>?3
z%e_@{v2e74C3b`em<>#XFtN`HIC1;P+!i_FHB&28m%8Gog4v5t=nSn}Hi#GJ8qFGl
z@~^Q14K7Yjxl$bd#e@6&?e%ftB$GqhPjul&`do}S+IwbX18wH%?oX(_oNG{GAF$ze
zFD(0A8|y@&mG?qZy=PDUhV__yxkk(dAoCivdd>#>uZ*047@=6>y1Y$HOf4~bDuT(&
zkM`$DPG#g<m)wqBuXY^8{=Kekbn2xU%d@I!FJNsw$97oG??W(-(aK<gPZfJM?1OX?
z<JB`@-W!VNTL}&IbgqEx{60H9_W)-yRofDz?m`<3*Vu%qOVF_;8GwMbK1Mq>7CG?6
z*pr2ZQH4(8?wi7*p7sXqX7+<?OeA^&KzSR6X7XI<9Gr8H8G*j^KR|Bh9xCSVq%Do8
zrTeteysMU`Bjpv2#~WvTC%b|fvuWr$@74&uGH5RMeeL#T<`?TndAfH2(>U7;%ab1W
z_{&}PcQ)-<g1Wl%LZMxvF3#Zsyzy>GG`;+%C6{fe<r0-<n%cE&lCRJ^SUr1@w_?HD
z^9H#t|2I<Y&NmR&$;Ib<=Ew=v;(i{rPq1BU=-QjrG?;`2a`U4YURmKV_${+QLWH@D
zAMiDRO*vCKA=_WfsX<?mYH_6?&BVs49VAM+QY!YAxX#&!egvvxwkDSf+okndVhgeY
zsOEGx;N{3r6na|W7};rZi&=t_BKib<8k>}@$>Ft--qq^SPL~JOAC8>dG+WC?br-I!
z32OIO>FeY=ih@9gK1VW<G|s|rZ{o{;dzvnmZ+Ty6@T;UYDw##6&s953uXC>0lQR@{
z+#alCci*ksEy|$QOQw0sVwtbUicuN3$UR9u4d}+hw!r({W2_|VD6bXmptu~7BGP|r
z`?Id35{vD~E{>6YUFcD(JkQ<cNQIr~C8)0yVq0ROx5*nm!L;dBKcN&>PWld>`a!If
zNLUSzM<k&ri0Q4_*%!Lj;#Io_#A{sC9h4=>JfQ{!r~?bVKgNQe^o+h*4%*x-oUmpZ
z^E++QG%ZykQ<8d75_vQ-9F#f4krc7F8R6qM+S$hClq=f*G8Ce@ygJBCC`A2x)EzUo
z5hjmtoR?W4S8Yb#<tu&XiTs+a)OjTmg=b~VH!*JTbrnKwa0V-Mom}!I;g*!pFE2kM
z%zW@%h3IQKnd+YYeuaXacLi2!OB!0{{>H%_!RrrOGSyeKbO*fx>qvD{HT%+{gLO?i
z1otoeKsmzu3&FFHE+ON${Kjv4)k9r@e~{zPAr(J<mw9`gR}+3mj2a{c@EeQX5=~5I
zASL1c^EpchL_uYVohohSdQF4k#@1TZ-Sum|@vfFT6!6t4$5pEo>Hs-v);Pjj!0g#M
z0Ojk_>Q^-n%Ze{8`GkapeJZK^(l8O3Ts~XF9k!HBO;DhozOJp4K5nUMs$}!+PukX&
zbn&gqp9_2<|GiD6rCCGc?lu=(;|^{0u2UiVTjjim|1eyQg5|}Q#S&Z{E5w-W6Vy%W
zA@<{XtEc`Zn7albTaS?XRe+hP(9lPeCu=i-midNu6+?zj+Ik#Ovt}4mvS6UaDr)Qx
z{!(km#cSSnv+qkShk;~a+YC=^U2pAC$FI*Ho18v=POyuoCzrVy&k)D7inV>9_jrBm
z8_zq(-wH;*scds|oEGWmrmEkTSlc&-<(A~uyHK5Rdh;ZvU+2IoK}}f^tF49mpae;{
zF`a}l843RG1`EGDp-Svgb|$Y<TS0(Cy(atYJiVPtRUUF#Kt0El7w$ZrzBV$nw$feq
zpg?Gix=1&>f6D&Tf^+6oWkiS<%Rw8Jt!t(2DJ(?v>%NCloVQ_8^2|iPPjmGneOcw^
zMb8SM{_Z;h7XxTg^l$rR{)_3(Mcqwx>YWBUkp>5P$Lvu%gv@;N8_=bwK%)ePZJamP
z|55mM%*JN#MWg9T0rz>HT`G_|WK%onl|xCiO%`ilVW_(!H*s(I_>61sacS)$h3tB&
z)2i+F;>cy1L9xLoi!4Kx4nF#}guF(=M?&4*`|i~i3|GHxdI*Ci%%-ts-fGoXq8+DO
zL)2Z0-I4}iT`lVsj1{d#yj@w%foJB1SFV@NJu(2SYPfHq;qCEvCea|%$Fj?ALocmv
zI*8(<7vqX49c+C-8AiA>`ri(K2_@tFZ*U!O-FazvncwGXTBG5=Li*e9$ha>d7Y)w!
zRJbP2NK^2~b)niXJ}xWy#V3v^!qDUC2;m#KRxvJ5@}%4Z3;+4bxFalP)l%^PQQ7&x
z<QL?#wiQNay{1MBv18dV2lU?cirKmHGl{jqqw=i+DsNr%U4?~WLaSf3|B6}!eo)c=
z%k4#p%u0r}1+UDDCC`n6d^rbQ0TT9mMBltVz>L01J!D?3Y8f~2k#Y}WV-FO{P)+bL
zvz7gAx6p65{A=tHHm!MD8~+8}c2vkWB3zB3{TxR!IiV3eY2Kpt+qG2NxSM)pHqJSn
zD<Cg~eW*nkALhdW+sm-D5Oe-|LY>L<**S=rhV?nZkO#<3-LSOATj|yVt@_$v0&amA
zpBjPnp3Jz(3w}>PCshOYAqzq99Q#WyY#0PvI&gS0#W@Io|CnOK5Ke~6bfnt#=<MAU
zT=i_1J7C%D_fNST@$%SOU3RWSn{ig*{Y;PP+)c$|zujyjn;d^gO7I=Z^zeb^`N!rm
zEvM{YCn-d|Kw%v+e<mBM*7XFdivAoP{TABNj#~eIVV5aLzIJ&8ab}9Cid5BHv&|e<
zgz6p5eq(b~Zk9+-oSQy{<FBI;%Tmv}ar1@xrN_~^w26lC7p;$GMIR^XBhy$U#Lr1$
z#oWtTImb;tXzk|gelhdS4Js7#rrEXYqf0PazRS@vZQ*pRs5C$K%>tu+J8L9}O&sY#
za6e<-4?J%?!`y9+l&1WZ1{Bi9pZjOnA4{0gc0vf-pi!afUs^$A1g#V3<4U#QrlmkK
zqpova7(DKrm!krD-Vf!_-^Y5+qAgIQXfh7;%Cx;*{%m8x^aG%?_PbqtV8=H>XR+wa
z;6+fxZP{6HfknlqwuAAC&A(jPY<@t3Syr_lc+u}NHvES^Rc<Rv2JEeg-}spqbv;#|
zeIO}Yu=t~?@fCJeW6XGf3=|$ib)Wo=%FZ5qZvh<m#Zu2Zr<0yMGuvfV_eN%wg?;(G
zV|GCiI~VJBExRiRKTW$H7`eLF)jG%p<AJ4hMWF|NCe~Rbl$~cJYt>|QT!*pH)+8iz
z0i$3#&We$r^=vFOO5DduNYT&w@M2E84?xUc3^LN}6g-~=okJnGF5#2*qcAc+iId^-
z_vG3ankMd%f7gsYV!<WLzP|KoArYsIOCO0L8f9~@!DRfCkR6E*#5vvFHdoQPdrCih
z^rUmBaLL@|yf+k+T$E{XQID`((Fh>#Z>AHmop?E{N7g~z#pHu$z)$wY{{ho8M2Kg9
zb7Tj`@f%>GCb1RPFvCCk6TjobHRerUc727bS@lYz=#QwC$t32?E@QBDV^F>w1PQ4;
zXOf$igUcjvmvnld{3;l|7A4pBrsFkw5iS8fPL3H&jt}F{G&a!ZZ*x3EbmbCvf(_w3
z;Kx%HGuM2+$L)3?RsA<fGD#97F*e(2f$S)44Zlpb?X+&WTGO<*P(Shco;>Cbbb6_P
zM~!Ga0L9K7_`HYrZ*x+7y{)3PLc^UX%6sFCHQtM?At-f$o6sL`$5tFx%BqdSbJVW&
zpz(d>3`&EoQD3%3+K2L`PRl&)LHvzcP7ia@^&TK#OM%Svu`}W%YDKq74PC5C?eH>p
zA8<o{BnFcNG=5t0dX$IN{iZ+Q&=)l{*<^F$GU!qmYFYB39}M;`jnl_j^Kr0lQC{AJ
zhx9E6V&yi*w{B*Te4Y9r7Wxj_F4Q}=+*v)o@jJ#|OGp$KDWE^C8{8+fwIWKH(;BW*
zxki?h6X1Pphm;TNhaVVx`N+al|5ok9H=HwVZEP^n3z+Vfuv=POyxrXTOf)`uUp=^2
zW+Hpu=0YV%u=D5nOxi4sfmYG=wjR_U+9E{oMs7Z%V{ZOsb#i;uA@u@L=96zxo~@(D
z@@ch#-`0U|qMJ*`ZtLRu%T}`f9qPYG+eYX-gnA#M9zFEL0O>Jo-$B<GbT#Lx$@#yg
z^HDy{WXG(<#keIZqFk*{&y6xB8I#auy;ww<*^0rSBWqX|`6xP{QOW^u+Qcb7Y~oxN
zn=1gvfFnBe?@H72zv0;-gB--7DUwa;Pg4}hnBaheVWN|$YwY}^U&jSZ<6Tu7sCzyk
z0)W0x>rhwK{P2tYL#Z}+H@_8!p@mMY!087*WI^{+Lk}>7Y-^-r&TY`HJ!;bhP>^5~
zs^0_<?V??TG7f0tI)t+*<T5%R_y5XRCX3l{j#f=%s=d&DaiVbo^9k}&CNmALMTMwn
zINwk^Z<hHGm+9*DCz;T#I=1D(Y4KtnMg<$^a~-wyY??a^{98t*ZrTvS$X*ASlX%My
zglP(C&?290u7^D~*XKbK9XDfZRl4QmR4>=IH7uxs=AXXnfSVr9B!lwv$K7lzbHlD>
zXDHd-3&Bro9Evu6vrQJNTiO{oEM&CdyTwDB1BM_fCzmiNuXH2Cb+CA_$^7{Hn_R*d
z)+?NFVl4W4bOB%g`aOO>KMQ4Uq(Hicq*jAZTL;61#qM->{NN~v+;Tt!XV-rLh$CV<
zM%kQ|e1Qs1!DAU<U&I%0hD4K)5Gg1>_qXH5Ov{##EfgK?eGuw(Yt;sl%^{jkn9+Tp
zZYx!UF^P{tahpU7XBTG_4FMz*QNOgW|6YjsP+<bnIv07riqfU}q&;}x)7z)$L6CbK
z<D)EfjOb;4YWGpsYA-)=ik;|M$x^LJw88&aFrCe3#)7?^lEfs@(0%)IVM;wC2x7^{
z)-i1SP<WV(!vZ%(TS!f+-qB%=sBfD}ZP(eIlmpwwVcfTSmso-`z*jTVy_;u$%fF5T
zM5YSuNe`L~tD0ipoI`mC(&{p&Lj;uLo}45_UGPgyDq6ka+JU-l#Gu5=^0TMiw)?MI
zZRO-ceA*pdV7P~UL%Wu9b3;(wAY-@Wv!hhDS1G9;-ydpUec$X7DRLO|=@hwR=K`sp
z;GG$rkt54^h&%eobcG(!#@$%xbf$2D%vwNV6Zo4Lkx?6x^DL7K!`O3$_<a}1;kb`#
z%ato}ro0)(h~faJVr!NFYs$y$s+pa>QvFEV5K18Lus&X5<r8i1aPY^9{DD9~K31l1
zsyw_+9NVT8^xpq6RJIZT*Ertb*=U+-dj6#jy|~}cQ~I1_XiN#b&>3|1P4wGQ%V%cz
z`wn{V>38d5Zm#D!-kcZxmD!DxhSNCCKp0)#^>}lC!d08=>g~)Vs+B+r)4_8!e_>pw
zI;Z7cVN@FdB3-w8cOItG(*~*ste(XNMnRxt*7kXxzsC15;GCr|BF`G<12kgXmTO<5
zTwckXL>U%(Kx`VDb3q~c{^c{^dGoA+T;}H1da`Wk7#E|l46f6g*x$ro!9*YI@8fGO
zUo*UAK=(sY8Rq9%dbh1D4z^BaUAxGDDfO%Z>=kd1m5<F@iJprVIDJskJS-nQvTg&_
z3^{qDvjaY{*T7EAK6b-8`x!U2HGhOV2guF>E*7+?h-#jazgWhzDFJu6bk1NI#g0%w
z)|J%cUnYOULwbHTrG3305aOQQzP`ZFGFx>l(A>`T1!=7=E-ZAN?B@`Fvax7J(YuBy
zaO_QQp7O|d@W=m6b<SM<tqf}>Nt3}|hr5l;xv&HKc{Xprz*}<r0Ixiq+A0@_I*A?X
zCBV4Zw$-Ci2vX0{Gaq4u{9Ta~+-KLv^{k8bI2%jG8b9WpUFNEuX)<A?WKX@q>zAB-
zseY^HJCO4zjexU%Q(=LtDKg!JM7GNQ3T`FGzG=|d(EOeq-}#X*5I3tenJ_n6BThBL
zry_N3mvvVDrf~oIBb>^KBT=ksSS5dWufU^=&5b=LX}*?sOUbA@C;bu9fq$%JrlKoU
zl((th9eHOL9Nea)$k97oggsRIy*G#@Nbz^M#LuUCAubG>;*X<6N+hS0XU+mfK6JCL
z&+18%3yJWJa3)r3=Qg&bb~2y09Xm~g8=4F_E;A=IHe@?hnsk{`wIFxyvR+22+u%*>
z>}rF*nopZz4@5a>dcnq~Oam^Im(_MC!-WQ3-xaSATOcoqMH71A2oZb`Qee`E(KlkR
z!t4dB_Yl(+bXuJ{t3XE2*=QxZMxa@HbFC_GFEwaCXji{epOORqzGiWouZcvyh`dEs
zq>gdA`;ER7)+Z2GaA1n9c^mzFctzcs6HNC=xo)X|Ai<O4T&Kh=YDV|aAy}uJ*A_kS
zcVVd6YM`N=r603G$yPj3RW$fthHMmU#g0Xvj5WRRfRcIs#T=Wx{qI~PT>^PP*L<9V
zb#S7bZ1AjNx&J~7!$RU4*2;;xh#mGB)q&9W0_KuM{{&Xu<(~f|A2-N>W}LI2$?W`f
zRLH4gEo<w=W5>&o&E>J_pdJqb@w!#DRH~xkz|NhT*zgg?xMyq*Qq%8N6NQK!HntM;
zy^L9}>a7f1mnA+oN^jn^1_R>1<Mm3fKiqR%|BA~K@}qHF_04eF+ml+PZI9e%c`rnu
zXe-`9TOlJqD4N~p*b<WH&F++t=w$cB%V^w)S7~*PKY^v!yT?|Qn3#h>c9lzuGE&fm
z=pby1V~`t2`Ha**=he&x#N}vI2}ml?P}0+vy{IHo6M#tn55t6V*RZ~AWoi|vP0_Ko
zPI;g~r-#!Rll-oOp!GY&52hN1GLN&~J2GG^01V!K|5Vm1Ei`vEEy<3i>WYp8YMU_&
zJQ`;P{q3++EZE#XF;`80X=-Qk$94Of0GGw}Ka4PF;+%cO8o*6Eae!->{x2C(K_K;5
z&S;X14yaBD;<=U7_)bf3I4OJ0t9flb#XP48<bLPbU<5QV7zT=QuC2K1oY8{d`$e7R
zVGiQM<5LkMTwFx=^U82BFS7e~Li6Lz0;{tE+m)=k<g9qlEfV`SA(o`9cYON`VrhKi
zZYtbFq3~~^$-?v2(^>T<LNP(Si_`<_rpuqOce^ZFo};owKN%E7NNqH3^6;>W4(Hpw
znzHBa#1_3-t%GB4B1020!wT;4f8Sg5u4;nUt^DPt6_Ds1rVjoed!khiORi*Mbfppw
z4!^rpE1;rOkYNhP$lUZ?Ys*^B<$j!``JI|@%eV=r40&?J+v2!CMS1*=MR|ux8V_fy
z<-y9=Kt=YZrCG+|+7x7SbUu8Ml)Z}WA}L&>X@6H4y8<zuyzab~QX2GEOhcqa3xlO@
zoYjr#ZO9$!m!T<${1PT`d-kmXZOEi=-_YA;itr)8fOKqVBvfm1XA@u<*uozVm|pou
zO?@7<CGH-dcCM7cet}b7WlZ6Dh2V$~*L!!-*hv=#5L&I_LjH&0uzo2`O%i(sT<sE-
z2vc`{4Bz-gDEuQ8^T!p7X$61;aN)u_lY8n0oA2D54yklpGA;`Ycyg}TTQlo4>7Z0?
zR=|iViWGY)+%~jbVsw}q=b9Okq_pR=CZrHQ*Q5oI*@=yMbgiJH$Lk;wE_PMY^)j=@
zqRUFABKnr=H%7M7TAs*v%C;1(s-3RSVu?N!Hhl;dUBL3|S@h%V$#dG!^jI|Jh?h3~
zd6e|SDe}hP{JLiTSx?eBkdW;>`z+xNj%DR@s2U(f;0e+{uDwr<7#?XALG3cG?PTaW
zteULwmyeNq=xZPdk2RJ*JAr9>u3WHs*R-W8MeSO6-p|zxG12!I2&fbTe;i#o2Se<g
zmL}l@x^FC>)nbgjk|Pr4wUYH~d(|Q}>Eim*$0wZuL{GhtIZ4g^ABIy;sO%5BPhrp7
zf)|6+%#tTvT01)S;8LzD&lvAQQPBAJph$NJS>-`IlqQAlJX~)X>HdpGsLqkd$$8fG
z>_a~*y1YZ+4~Krrz}G(zDGXKF?3x)8rRRJekzxPL)HUfoBH_MVS-W=MWJcSzx!CH_
zkf8=tkj^!U8nJwE$XZz^&+|;Pw5--y4?!(FGk&nX)`7%Ja;9%Gsm&)MDJd?5rV8rL
zFr+WIr|PRtnbDPrg*_6IiTgu8;IiXpZf#DSb|%wdUb1L#2$b=wYN^nvHmI6O-M2V^
zndM+6+vZuy$MAmdkMZM<>A*vephq`DUC+7uOdhyEzA?K6D4H8)Lfju^Tt=N~!d-F~
zd$u)Bn-&4!MXA+V)GqlEZ_LTfcr<=#V*C#3w1``$?(#;Q1`29|xgD?b|Nb4<IP^lE
zV+%o>-VBp;$sd4vviIlWrt61UAhHxc>muD}aCw6h&lK}n_Vf#rP`h{I_Ata*9H+GD
z?NkJT%lz-~8ciMPHYaskTS3or!}8V^b~WM!^rv$?2|3Ii*0Fo%#%w;1rKM0G27<{H
zTVp4m){eX_%RHr$Zq(!m)_ekeG?&eJMl+tktjE&Ay*F2AOuKFT>y%SrFV+BNP)_Tz
zdD|r9Vg*)0pLcp*ta%?O*U}W*ER1cV_Sbu=5n)wE3Rh*^*n*3(-V}O|?nVV>7DwuH
zb#iBT=@HvYjxCJ~P~-45DU<Sha{UT4u~2Hra)&0~gY@M@0b7%TRd4c)%r~k}2a=!7
zL}REto6q3KoA^2G^R7sm_snKYIxxBr)%j5goof2((f}-=1BBs2@B5}zUkzlRgJ+eu
z^FLG=X?R(7N;I@-FV+M?bOUq~<NWoq*xp0(-}P&;rZ*V?e3=sgLcgxX%v@l8G7EjS
zI#@%ArSXnq$*lPKue5L!sfY$8-=vD??g(g4rkFWIi$D%l%w%SNa;zXL(8sHQo$Cu7
zmP$Mm=khfWqPxfOJ3pfaZka~!mneX6zML&layfplM-gp%?Icy;4VHGcj#=B3(?*wu
z^7HbFZ=GH7AJ*>CHif>Q*xrX)IP3=QO3~B@hEJ2-3Mn146QVij9q$^4(cVXilE+$K
zKKIY&{o7FfM0?a+7nOTESqPA@!d~b;sCCj~nm7;h=h$Eud$mXUO(muMAX=kw5|8(?
zx9e9~KJ9LyzsG>be!Syu##?qrZ<_3C*!p_;Tnem-rkuxdP4_k2$kNR6Ry?^S%tWO>
z1mge%xihmL+=sR>|JeJAmivUKZt;?E=tRRTq@XctvAd*B&k?a~$gS-}5Fmhtjuxfu
z{<FtbG`fG@HEzb5X6HDU|8zdAN41h=D)`I9rIU&YjOYoilJoAQ`1c=B^sz)*KVE{h
z1}ph2(53h<HHVi&G9={qnwAem+d>%w?(7kyKeY8W7}Wi{E2g~GPI^xDyU;+=BWJ8@
zTgGRR>I?g+Uku=y5q_eMWw3zE<mRmnUnhpKzVtdYFtO`=aP*dv9_jh4?$XxQsw(y@
z8;krI6u0U+y1@-W^nzZ5c~qppPPG_noAy<<N$VRHS&ONu-xT|4?rVnVXf@#HwM<Wi
zY$f{?p1m3I>(Rcw%VKrDI@|AVyhJ}65noP@fsWHyQ6X*EEQlJeD#|UPHS!HWrtWlU
z4>bF49|45-m8~AR2Cbc#Rn-7_nbGWgF@x?mc-JcDQn28yTZYc=qy_WUCzqei>T>6b
zZjFN9RD{fm#|YyWeki=-X%T>HW<DRaQ2$_;$73|h3Az8axa>m1rK+JNStL^PP$tfw
z+8G2YvCp50CKj@WJsuOY4BT<9tL5`eXM5!z;RCX7)K1L!x7V@~cP`5ol>?cVjTnn?
zmwCPkh)TSM%`MV`R&#*#y7aGzqTY3#nWZ#hztqoF4DX*)4QT}uK;@d*aNfC+rIT8B
z&-IH-mI}PVjj4)`f!_&{|4#i6Lnn?h0*e6t{nY)ljUC$fYt#hKw5eN)>4#SxX2kaL
z$)wW^O66r}I-=b%tHtT*?Wv8L#kO57(B-sHF!LCgE$<a@UYztg8at;`ua}sr2hVvy
z)zt+eM<U#a`+RI^Gy`kowAgD=U_LuvGq-cBNGskuXWF@Jy-K(KDt@O75}9LpY*5#I
z4)P9;l1Rr_KT~C8<C`Q`UqH`Hd^opcqH;BBn#oI|_I%*V-gIYWU6z>*00Y#v=B2>!
zDX+H~tPOWZl;<L!L<D+4@gvlMKFZdqMRf~g_^Ht{1}WqQcVvv6-AvL%=C8{Hylwm{
zgY|-<>l-*=pvy25`&#3rgLnOt+1PN`(o8yEl*csA=V%YjSAJ^j*3*e;`^Ti5tICl&
zyQXowGgai(;7X;iL0jJeidmoZ$$-9fPNCK1TUtv*;|BOX`r!pzDG{aqgSq9sw=PTS
zk{2RNj1?n`{3?jhyxu&z&*Ws`4u}OuK)em?Q<{&JSJ$o-1aK&&?nUin39Q@?pO<G|
zS-3`>ihB&Uia<Ce#`*uZYMr`}HQ4#H>8P`0k-fY*F+nH0-~dUp!I*9ww`J@kpUzlS
zcC9_Zr|q*h-mKvNyN62?uiUAEK33;C{nyjh1(w2`oWMQKOmJlIwuw4Z-Nt^Sn3Lx7
zF`uu>(yJH~x*A!l0SLTQc1rtltVSc`^^PbtC1>rBh1DfloLE}1|2x%GGPs4A<NUb^
zNL5<9LELsLM#-bGVEddL9&1)s>%e`H+!O;Sy4ZB=oW`UAky8z8r!myYGAYf<=O`8r
z3cDBmFCs1dUqm`4@cf@dO8Q5nfd89FwvJ16{|_SBwNf#;Hue2aA~h*`v)hl3^9j&r
zt{UH17zu7CeH%(rXm2>Nz93sF_+(koL3WDv-&sL(`Pnfnq9{{X$l8(;ZLZ%ulN6GF
zRS3a({j5xL<Ainl1+TOJVd9@0BsSu%vOiheLH*yfYj|@`v!ozPgMAqE)wb1qU10vb
z5U@mb<I4hlj%i3unhV9G$dR~skJo0{pCcDZAHmP&$E#<76iQVD4)q??E}t7+eWw0>
zibk*e@!dBD-FbMezX1o`*A~4`P8<Rflm76Q=4ALF^EFmQ*pZd&EiICcHSq>mrSNC^
zvz0D2(+T-zToccjqBgDVX#A~|`FX1_2<u_qbG%p(k@>*+^QBtRft2**i(*4F^Tr>=
zG6Yq(<^yG*Q<=A~F{CQZ8`@7cOfxLD?-hKb$v9wu)YVhIGCei$7gcKK$yCpQe<qjT
zNf<cQ?pBWGKP>(U*o16TameU$Q+V{d8j-zrZ%BA%t&~VWVI?DWa`9pH%i;=cr%bp{
z=!1IP*)FZZ#v0mAqk^rNYok>SwD><rdyBBRx@c<`_u%eMfC7R$NpL5)7GAhR;SfAH
z!JXh%6ka$432wpN-6a&Bd_U(l?(N;i`TKh}_I}p0)?9PU@s3=svcmLtiq;pzVgVsy
zYjc3nj?^snqWurqArWa&@$t>G(iUUdY|tW;UU79JdZ*E~>7gIp5XkDqz@fZj2F|O;
z14q!i>e)qZ5^B!K4vl)NJC|9L3!#^nGg)%Pum*Ear>>s*)r3$xf^9xK7Vx^#hvC|J
zbJDMgz|>=By^IF8${iD~*`RQ`67Q5F`_`>3Bl=z(k~rjC&;dMZ-U<6t5@PCS&e~n2
zC`s><Hzupc6~=GDZXZgtGvbwd5~Czf1!%vs{46cG%Ov{!8SzwNes~$Nc!M|(G-7Iu
z{Zq+G{USj(D%?UsS~#+BUk%WNC1;J?EPq_lv#16uXyaIpmu>k-*X7sdfb9&|ch^_8
z+pnX^DQaHZjgZH;HE13Jfs0=bJkfe0{h3oi)IDY_{~?&%T#D6*4hRcoWW7c@n5UEl
zO(9F!bgfBz?$k3J+$H5N=_?qW`uzM+K!Qqpe97d}6Pa@33^m2?eWkLBl5VQ<`c#ja
z;tTBdfBEOGlNLJo4IP70BlGCWV=VMOuSqWUwV3cY({NzgaPFO4v|Qegx>#Th&d5{J
zcerw^@ZIf5i|mg^iT1uKq72%(j$16G)A;ESu1g8Bfw?}s5lHM>FtUq`Q^^tpHXt_*
zdRd$nr_9L>8@+-*R=o#}u0#5{%W|K@_3Dk_6u<S-2&}D4+Z@Hu7c|A_7@@J?!yyPT
ze=#DyhM78ity0>2TsE`DO)%3EGcS2Z%5X1ZceI<&IH+3;vc>{Y1I`TyPRU#>uvO7}
zKZ%q`pQpu4o`NIsYwm1`MD=B_f9b!`N=&ZdABAPW{G;~Mea4=JpY7RmU&1p=r&GUD
zBHtRX8vlpD-gEJ!k!AdFbf|xLbolM(V`$IT3*^tz8&z(L<~lfO_3e>=LyuR++h2bN
zB${Nj!dGF=2T|+3Dx4go8IA*4a5yT`aq;;2^9?*ATVp=UXI%uFSX<R3#asY?QlL#C
zgQNk9ZX<rHV8_1@AbQ!-=s;runbBb@TxZY4GY4`ma^@aWGu9ZVl*06yAgygnaxwvS
z?Tq`X;g0qX_3vx%A1V*K7s!<0tgj`01RMX<29tGKlOBLtU8fHulaiK#i7*Q<f(4yV
zFR9f`DB6fli;(1z$?&Nk-OP9zme>NVX2e%lJqbcGq837l<!VNT93De+`ZggjzN6yf
zz(JBSti3q8+G?v}$^trC(LX~mYGiq?3C2R!oCIYYx0>E>F@1M~Vwn~}?oAb_6+#WL
zCI7^CRt*rMi?yr{4TIg%B1c@=wSte%`G8mkMHd=BScs6=7KlbR4|g!mG}hS~SxKFG
z^q_vz;+NebTyTVzsc6B+KgF9T&GG%7u}aHKE2zXf{F;Cd%TluhE$Qd#pn0X`s~!b$
z9M&nA#^B(W2gzY?`tG5SKd4Svek{}7`A?*)Q~28B2I1;!PSIsDr!8Lb{mz=yB9@wA
zgMk4L)?hk8caa>|!cWkuv!UpPTioew>9i!eA#C`mv-LHUwF*XbRsz4QUQ{;ERlVrB
zTpY(j7aoQJ6(Boh1dUdziQ-}V;bM%{^eAe7_$|`nB4W~>y%`K#zzfx|LS-{R&F6sO
zk1m0AFfxFBotZ~Z+(Eb$cu7*r|3vJqsORsG&|*HEkYvVL;zKp^f+VnqW~#^RPOtpV
z7h|JZ;_|Gk6CFM`!%WwtOB^^6CuwOb9<K*`FKQxs>!BgG`2>xdGfVhF7=F1WF?Kn}
z5#D^7F6;+h#70u~L<1~7A@L~=vB{+lV%ojbAoR6Z7#cw>|ITq=s`a2XnWxA$C7Y=Z
z7QA9{jw*+03jA73F5@<zQ=UfBLL->k{l57zt~HAIir_n9M%QY)DOkQOiq*?DC)Z})
z1Xd5GV%IOJgWFfVkDX+Y9V9<UH%J~CyDkt-O2J`{n{T`ni#O~FXqx9rtdTUJ+Lqkh
zaxGn2H3FbGY0>~%_WufgAuw*OuQN8+Y6A%zqevM#aP(Hik;;5VBiC&}3j!`l-d*xO
zHI8HFOQ{9k&hS#LqM1AA1q5z3f?BNa*D#U@1i(LeA7o%szB@Kbt9LmvgZ!)CcgJ(0
zudboab<809g(?ciKVO}6B-9~fF=b~oLp(wJ8AZg5>77jLD;MY9#K^M6m}lk2jT=u^
zEyI)~mVJ^a?R<&ko@5kNeB0JE2j9+=zYU5UiznoXv}UyD_@-T+v_=^RjxXu9r6h}$
z2|fB8c{&}R`Bm82lgOnEhIxovd%?3<0JBY*f_zK4B_NfymZ$#Kmd_WjE-}u*YF{1{
z)0@7{1h`%Na71OTS*`()MOuzUZ~iXMINfTz5UR<$Z<B-jY1!u0SuQxgg!Q%EUvMXb
zPwNTmDA0{{VcInUoI;B~lr9!?El=_1|AwRshGSgIj)^UJ*u?5%oBOT2eNQ;Gs?F?5
z`NWCoLAhh`3KQ(4Dxdcgk3D9EZ>jk+K~x+w{b>FlYE*|`wm&Nbu9PC|Ehetg1l`}#
z0oH=@H=wxdw=FUIEqd50%i224nR?o!?t4Wr&i@do?MZ?X+$#9$i*Z}Sp1d7_4cuD;
z7ObXF4bYNoy<E3ccNUF5s@$ZcsGi$)tckj~SX+v^U-zW>352!EpQfM7A{=yU<!bZq
zICk8$NBaW7h+A^coITE{eAFOgw$S!5b&kZ(yHd6+VbhOgxM6pins;chdhG!<-2Gw|
z$auD3&SJ`k+X8W@FtF2ehDxQbL4^kA8LD0oIULalwqw%3)%%mgwWPg&nq-NV&_uE(
z3&BDF?#?TR%TJv5s|z%>9gCDFAAOXA%0q7FZ)-N6EWP$P@>itAKgALDxtb<;5-lKN
z^Sw>N4jF{?yHnKV(;9irJ`ZKY7^^>{I-)3fkM}yeYIV<nk7p-QiJY#IX?q58c7^2!
zDL<rn2oTPe(o*E`uBb>dl{Hi}L^*noY);qKxCl%hr`o+dp8oCrT`ewD4-&e|pn7K!
zV?QbS8HMu00e<M%3sUXT1d=SHqJmQmp*0nIcSDxUa#a5(Pjv~{kXS3!!l*e|N$1PY
zwzYA**5Qkb-1=<%Q-aWByHo=njfIPVl0JO&OqnuB^1AXKp=CeHzApiw(RAH2`u(oP
zkI5;A*7QGEnoPk#41;<u5ig_!@?cP*p<)R{*(pC<KtLtpbMdEV*RxzbfbN2+)A2T6
z0Ch;;_b0v%F@A_<j<KvRm^AsVJ4j9zGgOyRyO3A7gP<3_DJSe5W@`plipO4=FqDaI
zYG;Y@2oBfA4T`6h1TV-GgUf<5UV!q@zfnonKuT{|?%x;l^8;W-v{Y}5^s<m(`I{+1
zGwyDfa^H^|4|g}r#QfA^J4HMo5$K%brLS9M%hM7EGzDk^My`~eirwNH97JPDZjzFT
zu<&%p1<bQkJiqWpJx&aaB|C6H?b2L;_U3Vyg$(DP1Z+N<R*`H<I)cIXu+WN?**9Wr
zTj@#S{iZqvAOY~0QinBgxJG=`{4XMtI$-!hNGVA1W{9F&(fw4aXQ3mSgG+1n$Crl7
zB6}DWHqn*75;P#_M%6u@<*Cto?95|o5+uSb9q1fD=ADvJGW8+gabN+HPuqo7bkA|V
zZ{Va8N?}?JFDWymbSfX2&?_V#PcH;9+L7ZIVgl&PD6ClQ6Io?{6H|ZK!7$ZvyA&~%
ziXXTyF!x^rmMp+OS67ys2TMIcS~Y+gm>L&C0oa7phR#ArQRKX~9)J5H8-xqPQ0-RK
zqLnji_1>E&NbDu*DoX;Z<Zpc>QhSjf5UL9~szXRLKk0lS`Sb-L?J(t2w21D}AHakX
zOLqQprjIwv#zywWO8!cA%$w8h`)Sbsl>+qtx${h|ebbx1z7Iq$-wY<Yq_b}k5~GWI
z;)#Jv-TlEmQF$<ZS>}J1628Psc?-lg{j(bI(ZI}XL*|&a@25UET{B^5n%w|^1S*mh
zyYUpwmA|5R!#4_k-r1BoC>eJ8q|+nH9O4qoEsFF0^M|~wz}p)$1FE*43NXuvjv+3!
zm^E=*am1U-vL+OQ<}IGu2L?ATYCK2ndg9UF@|XnuaHlp|bx(PPB{~D!N+A~BJ)o`w
z-H7vGO)5lZGuNf=obrHqQoSJhIp4<Es;;$O#eXe;#8dORsZJ@$?S872de_@%s{A~I
zDGSf^B>B#GOGXUu{+sf#4zU>fYL)tO_-?51gqPYhxO8!lVx6(wi&wpU2hI^p{5Q1I
z|J7s2l7Bg6cKlYU*lbS!vB{GJ!uZ5j{r%UJ)@7kFtW&q5cq@6U5)St+7JRX&)>^J1
zIm&LL;52GD;d-M1qMOg~>#SIDm5Qb};&su=)>tAjXEjTy&m(_sHeNr~-|(K(R5FTM
zP-~3QakVQjZf1H=ia`^*-}0^N%vp8kWmOfa`};NPIotxDPF@Ra9IO`C16h-PZW<B0
zC>vTV(}x#JhF0h&N>ZR2rCK}Od;P{}`D@2FKDRVUUDE?jzotl(lSn@ZT0Hobs<_Q^
z9VUn^<lpO@^IR-6MrG7~5)7FQbDSsPO09DG>ZT1%fBq-jI({gZmyG$qVz|j=C@I7q
zf4YsZZ`l@rB5w3TrfVdK&Zwo8SjW7l=L!8I*t_!&*$!LM10+7r(FnSMu{%7V+4tzE
z*xuH~bvHd}s?)P_GgDx(dF=Zg)@-;VO^Vy?%70bgSVO&ETvr}n6bF1}_aD%dRIAJy
ztdeV2zMZpK{VZzP*f064%>SOES~kkGfyZVafrbNMVqyBHsgLQP)Q^zMXV{0T(~_*7
z3n9FT3)Y``Bv-}LRSNgfT%81|P)-ugSxG;f-xDV0l2)0)?ClI%4;k=V(ajrGc#KZt
z^35zwg}{F-Yq|_vNhn#g%r!N|N|t6m%iH=$;ml!5)^0BGW`o_Y_|QEr+Ut4AXD!|!
z*`cZ#bZqgP<%!PaQunV?+K%-r{~>q;wLU)6z660fd+>JteXY}<eePL)`k0n<_A2GL
zcl{s2fyB+pn$c|b9kZDNNR2q+4nJFtRlFgl>u+z(>#;$Joi{2oTv~UN>e0WhtF5W)
zz`<67<uB2h^cgxY@)1vTmKEcamzL9x(+@vdZ5_=)|Ch_;Cc)8W|1qjy4rlhWsOFX;
zSPv`IAg5B0Z^gM^PXq8<Hp1v2%m|)lqku{zh+x6oD8s*GoEHFZS&<PpbK(NKl+#xm
zQde{*sb8HMdJ0Vu8j=Z=u3yGb9AxMU@ntVNl|@LElPi^<<T-sd`|`wDb?Ow=?aW!w
z%bih2$=y|3_W^4?DWPt)%2=CffxDOESSc^g>ChNQwOs5&ET7~*pcl-YpLW8|;z_~{
z&-~*WRh+$va^R%ZX;fudsn?a}ihy~|WMy^(m3Ti4>Kd8fK*C^_&}|~x)J7RtYdUeN
z^UWsSEgXGx;9V!UxjJn|puU>!JBU?{qAcCYj7Vt4ccrdY*Be2gDoZKoch2GpS3wew
z=xnwW=lc+cZ>sZ`QYTHZ%=~nj5=nx87=y(qOXZ)vzlnIu50@zRRd)=GC+`eLgfBW;
z>kWD@0S*%ZMF??0QB}r?iuKcs{1;`RPLcySS;K$`9~{E}5Hcb!R~KtI&h+q_&z({P
z5#LqpMg-iirSuh`CiM_RxrgoTzDq&=2UuYu{tv<RLUEeBY?}KgW!N~9Lz%N&<K#nG
zk)@!yf%AU|I3zxoKGNtoI6nfBR#;3k4^;ZKg8>xQ_;ki=cm<jYNkO;Lb>X63ICUSG
z<s^=4-cO9_;`D1QR()E?$84U^?S-gRD&fSEM1zXBv3w_rzU#V8P{SgrCyK=ov0idy
ze;M=q4vaccj~j3R1}wK4=3I(%Aqce1R*qg_Q#7nY!HtyGF&sXuaC!U%!(B1lbBk5g
z?9*-cdZMLHZj1W#v+4JaRQ#;r`p4oD-XYpaZ4vp6IrTLFa+YSn(x0+%4VP%h{1F*2
z6c*-^1TzCG=K6xLp&bR;2D%%=y>G*gf|O@hJjS~Z6S<v-QX6-Fzt;I>cStQi{)do1
zJ^L!T^~TG%Dt!(5nDtoD^D}m++;DenT#m25Be&a<k-w^S1DKyt(B)x?S=BkYIOa`6
zk+!x!68c#nRq$Y{3Y*1A!z?_S-z}oQlbXBtFNtPR)g$O7u~a_q5|Z0e=a4)A(veO$
z*a+Owt?v1zPSf@I;Um{i#jzsLz=*tR`81!GW5tV1p+hd=&fGvf=IQtEdDcNGIf6*i
zWCH)|&A88VUyh`ht1ZrUwq+ACY&u(gZybBX7t%Axn7bxU7&{@bhL-!&FrK@&FTuqk
ze5&RjQG}((cCi@g;|Bt;B-=Oond;n-f*P>$DWq}36T~2taI@cxuO~!X*bp?J37e}V
zc>(uUK={UZJ?du;ffn^E31J?nO$njA9N&Hz%(c)ljo!-qF?nIvRZEwi7Z7}#3v#Z_
zO4Qe3^T~B8*M-afzE~I{#-RLIry`Jx%(}OdA9$`3lhGO7hioyuYUs5HwoU8d*DTMm
z9%bxq(Giu4B-+=O6VE1CP-cj4l&CCq(1r4>mwT#@5YAT_M)_)aF*!=UTb0(m8*X{d
zT`Ax%{Mk(-LQ(LHK3pt#tagv;jN7^5e`G#Dqdw|`?Y83C<3u(J#99dAT4`PJmRe?*
zwX2tXQch>tU}lBA$3aPEOpG1gI2LEJnkhA309qW3T<`UNJ`-%@wCr@u@KhlE5+c_#
zpaUIdHn2^mxS#E9q1}m6waSndkHYjs>zr+!ByDIgx=q?GS)<BJ<>96@ZQ>s!z}D+w
zrI;A{^<0Ph$~ZAico@D6iETI45n^dzr5GBoL1jEC6W*|e<<P{{!JTz!>Bs5M?Ty1$
zf*m=z%jw8bviUctpy44D=p*eQi|}2HC_9C4)YNU&h?rFWvOCE?$7+N+-)&pM5{Gzm
z8X27`=TCNvY|xYUu1i0Ef>cmRFgG;g80P2LlRp*5eN5(lvgR)dD2R+hVel<exph?*
zO5Rt5ZPBc|Ttu7pHY4Fqv@Btn<&&27+@>yUC^!nH0~`fZ)Dp0_nwFKtoQ%qX7v8pz
zt*i*?b(*lzk2G-yjz$~8uBs)<&T<cb1EA{5<G+n87Q+&OMqdEkfbQfEoywZeHMRDp
zDdHsl+A=FLG644kMf$wbL<*b&e*YZNmaLbx>nF9^0o%W$_gj0%0T=L$%g2x3p8j>4
zshqx8?f=vISa<zYmo)GnLfWlbW3$2`m0J1uW!<;e@!x=E*OKe64A(#DbxVJANNQwZ
z?|0L+2PZ|`^};1H7j7Q|ew3pcx3;(6nA%sgVMdUqOfv_#D0}}73x0P{(Uw5rbU8GR
zbmz$-0IS*Vm}#?hC7wa5`Bx3Ib-DgCe|1Rn>6^W0tp`TcmEs_)P1>Ntk*?E=9KUYM
zN^aNWK^il%{G{(1i%+7*{l*4FL_Y*#0J!-NK@@L{?H=tkEsAyIWBG@Dt;Ab^ua&<y
zSsABOO{>v)GZRFwLvXXEiY4N7u%F`rlx<i)F(N1=a9-`rsq2^1zFgr{6R+U8Mp6-)
zr$!bTs<O|&({ZxRy;`Q;%sXRFWY!<+PbI=QaH+Qn9+#~<!|O1SZITlpkdVei=NzdC
zc#ji<B!sNQjV|}7C1_l_M!C|$y|{4SnVteQE<vXWhDr*xM3os?-u&LhsazB6%bv^<
zYvAL}wb~jda~tXs9M2dMHT>aHeZTSM7tu}go2&AemZ)NXRT}2Ie~9RhG&cGVf%%G3
z`TZ2(cjV7}PRmE@44Kr&^H6ywwW2G-g|{=e;Zn)=mU)N*>y>m$$r+)nYZsNOsI7%z
z^|qr<;B%$el2d)04n)R6Bpo)Bl<ufM30%g(u$&wew5$#ruo3yPb6oCT@mPsv#<1K#
z2)QZoI9Drhz7ZPuQt9W|`@06Ng4J<HT-Q;xhUu6x*T9;zII}k4n17H$sEkK;pPqqC
zR>0<L4=YB$Laybig6^z<ub1SPI9}$t(Hj<=XaJb&%K3>zs9L*yOn9XViW`hBhcIi+
zyguczu9L#hMjfx>CS3H=z(9@4m(dy4-mzop=rboOy{T1<GaSc43U);lv25^~u{^1o
z<IS`fTu9%=SVAwytd$_EpaElKdpi62Z6pSK1f;a$e4eEF#P7o)!+aRNbf&jImq0nG
z{mFz$C_#I1tuu(f;jt+<-~Iv~uH{94`=!PqN;hBPEe-kTTeyvOS+h#3_b|WS*}(Z2
zY4qWcV@{b^aakxZqU|N}ezqXnFd^IEVg5Tu<Uk*`a~|E9B!K*<<D#q&8E^r?l?p~M
zv{LDuj<k7BIhOuqm5FaIor%EKwr~~CKfkm{^TKD1eYv&l1Eih(O~0W04ww3L80u74
zKGe;!0)zcF){5QCGUiWKH91*hsjoSeSY86azp0!rI3l>KJxa@tI&tXLpNqa6dzR3C
zioUAENKOA_ByRqY_`6wf&CzP@MUccOd*feK9qXrpY!!(5*yr9#ZIeyt+^2u0=Xx0;
z%O<NPeI$`Nd;5x7Y2i!Je>g!DPO!TKE(hP2i~~xR0N)|x!S^==v)%o<6a89k@7eHN
ziV!J|jq~yO@1LcA5wWE_FWVKZFBtK~##z8skRA;bJYdeJ;Z3xKQko8W>F>fDbeb%;
zj2-*ttbu<&kqbgsR@xC{_UdK>Oq96JUHUJI1uOcHvg8uZiZpR8)WW?eE7MEHq!x8u
zvXW}K(j_Y+x^1$#yH-4O!;-__P1_Hp*3#f_CONeikF@~5k&?GY`(!PX^~RK<LNIFj
zj}x7wDCbcYa*bsotw3mLKLf2O%LIzVgM(oW{j%@!@}L(*aq9q#4I?r@%Y&hB@#iQ%
zu2fMq2~PCS&?m<phLDaV&q}H%COx5H8daE3H|E~z1>*%MBmO)<Qg7<dOpnP>Q%1oE
z#ybVGc_k9?9VMHzr8uVhfVpY^`-`Kp!Vd8Oz%lz(?FV<MeZA<kgNBeTQk)AEuC&A7
z>so(7?>2G15KrW2jHAxi6|s-A3YS)0`rBg7LKwxCXZ=Y-%dNyz90S-q2Hbz1lI@&v
z>J3Bm?S-55NUm35>4F#B`=A(JE!Fr`@4W`v1ykLufe*=I4B!wMU8Ok6yIV4hjc%Ey
z7S_3&E8sc&nB8OJQg@r0wsIJcGyRJ=hy69TCPt*%VAo%CV&4(5r~0IQ=Ck*uPEFL$
zId5muk5$a&&8w&LRVtcsU$hdFsVURadW*W5*{WG#dK4_!_Dc%cMwa0s*(A9b4`@2=
z9Pir+lHm9+;5TtC`^mY=yXQ&0I%kK&xrNO4YHIaAN}$QoltnB&LTxK4Nk4C<dV614
z!%+`8+;u5T-NqR>*TGT*Nk5c^o&=vyQV;#^f2siBW8j;p`Hk%=VkKEgH&{CXjFTqm
z$MruBis6Ium{dtKvN@<OZM&nPIL@J(cfiNi&o%J8SHUKAl93Fo{}2EGOCBayKVM6p
z<YY~$z4lB<-ukG5&ZJ0Xau%UJz~3cMpDIkc9KxO)NYO%JEPo${KFyuRY9VDB@4niz
zwA$?ae#v}Y<}C=CR21wS99!afv=^JR$5}A$)>2!-G31ZTo*k|^2#@h|De1|SOe8MB
z3+vezFBcsZF7`e0seRnBy&0Nms%{~!I1@ISt+JMZtSuNZz1!92z_Pa>h?;MWv10{f
zCn{cZjTMoK#0U`D@_=?kya&fMBfaLWPG>jrIzZzbKo(d{m`GN6(~RnuL#REDXju;J
zp`nE=tj@8bKyx&aoh(_%O^r3^1lp-{_duMt6KEtpgr3TL7sqA;)NdKtcX&<=i2ql!
z6Rj-%JIR?%ptP`YOX+^`-jr;5?Im`_UXlE#2k)Q+>2l+JKCeT*p0yrGH~NJcZsCAC
zurD>d$nTUxa;z-*)3z90GrN{zkyx}?$A!;jyhv=SnaNs%Ybh$Gvj*6od&w8s)R+(%
zY=MnLZ(z&!s7J?eFV&E1{ku+D^WsGkUo3voZK}R#lCZ=*)f<Sp2ri;x^mFMFP}{J)
zB;ImQ<H}ES;{1bQK!7wLnmNG1Kjf{q-J%Ulub201Y(emUWqA-&`xL9312D>8zu)i?
zw5eI$^5<k+0IG0L9eQVkHw4N)LdWPya7B{iZ}QXIxYCwDP6T=9&=A_6m_bviUl>!$
z<47xfBwK-#h7h6F&Dar`zSekCdwyBrxfy{Jr$;oZOd@k|nYhNvtt9x>>Bwg|z3i4R
zX(q42_0Z#SReQKSu>5P1c)&;0Y0-ZYI4?;X$M@6cdw63tkej-Pz*wJ;l==s@b!*oL
zJSn%^0jhyNVxk(Ch1-SX&eWYLPSu>#9R{VIbLN!lL@J9Lbh!?ewLxz=(u-^3s8GoC
z>4dD16X0Chl3+|F>I23|y?Mu02U<(aLQJ`bd;?Mjch)GepBgtpHLg|Mlt}$q*Fh@5
zb}E2rp!Rl}yJML4C++irHdN5~d9dZEk>~zE*f|DlXi!T$)~>~uV4$g85!iL2RR*nZ
zHO-O%Kmk0)ZPwttCj)XXO&JV?5c1^J>Dh2=+0%|WOlE_>D#SHbv8qLxAB?_zVA-K=
z^I3FP`u=A$k<enx&>}Mkl=L+T=$X7uL7tjjKL0pEvB&?uCz+=z??m)5D3G*Av2uyT
zFO>9?SWp*<xd2p)jzL0eo@6%r)tZA-sarR@n)~*;Bz@{eo-uZ;osnidpz!g*=GN7Y
zmiNh!6AY1)(f&-SJZTfpQkaZfwq#(;hVwAg0}_m3Hb(kAlWjN1fmsUCna2VAhFzRV
zzRZwpME$YYI&DEZ-enYxbbyt$lo!G(p5AUUA~d?*W$A-CM>MbqO^%|EU-I#V7Ddzv
zd&_x#%G33cmb9#UdH$plI^B&Rtuuu#oUXZJGb?;^BZblbnyp1H<<Q7f0YfuFsl<)Y
z;ZF{~M22xw#2X-hWwJYln@sF*eW8Ri_kzDpR;V=oi(*?;L*G!5E_^`=FmKRb9dBb}
zTh}H(Xa9u~QSKjf678HZ4lE*oGe)szJjZ)it<#hs<#s9#wRP_wfNu=3T@Dovz4l^J
z5X*%_tJ|}Hd^d^8#C@ii=zBY*)JAWI8soNzzt(zjzG*`X&!9l<ONusPI4EsG0L*=}
zW^F1IB=qaZl0n9xiFrl;+3Ohci_|<$rba5?{|4J!ljv@=ZP$wW-SW5SI5i9EKeZT|
z{IOC!8thm1k``qJK#q7ty&dNY{ckgt??Z3Q$Y1QW9j_uOWY1P#cJX9qqCfP1K>2Vg
z?LKKE^5K{LhcmkkYKQ_?J5=AYY5BT!3y`T=-eh>0p_JKw6EPTFhgmB$Zb(E*&F`;9
zry%mpaBR3du_SG4K*Im!r#`4%a9j+Hl)XB;-bdLpd}k4NJEW-s2w9^35Q6juOl0L}
zmPDp5JrF>$(U6;<xas@OZ0TV6mu;;&7L9ps`2>oS^*%3=^fG$J=eJ!*ZJA$=*=Elt
zDl9y%=$wC~?K3g6(;K8XFfC=Nd^6OH>SQcc9IPKE@&7_ooXX_BvZbZLBR>M&%FmUF
zj5;?0VYh42r!CrCb<XJ4`W#fa9%n6Yg3WPh7bysun2_iKu~y*GW9GOHiQoPEz?R(W
zuq>olSt+!UZM8_*4=k}YHs-4=lh(O?T^juK_is*b-7<b4_yOk+f%G_0TQWCGh}{Yi
z$KXV<1~{6;>m~N82hX`J_hPjeXbD$`&Mk=|Mx~XCGdn=iPg%ejv(4C|M=M*re)g^w
z*)BNPNUDdmbqG#k{~-v}Mg?poYMgY&K=i2Sz}g9TPEs6hBf%1hRll{#*d`j>jxklM
zbfOH(?IQ-tj-)7>DodVoH8Q-l45FMVZ6wx&i!_Pn6<iWTQ{najvejfnGV=N9e>8qA
zC1SB*DNpa4>5ooh3&-CzQS!$G<{4Um9UO{>*T|ltDo91~7?USf&GzkpTIsP(fw58*
zj;$?HJzWl7?DJf%^m<AsLN@B=4)6WK?|(lp?s#WMy*akWNTQ~Q6Q`tnKU_%As66iV
zv5hJFb6gI9gDTExoW_j+RbpSYS~0(5zm8tj#44%Ub)Du<&1oEy)gemCdp5%WLtTn2
z$<8l9P84+0gBhWXW_Q3;c^BhJqvfJvW<_oBaz`!uNI-1sIi^nE7)0&CwxXdSrZK(7
zCaFk=m5tmM%j+p#V~32>`0>ha;TVdnop4i|ZRgAPS-#%!D~UoO4<C!H5`)O*cgR}A
zq+9$k8|(W*liL!kc4hjI`r-LYZfNzrclmz^SSV&0aq%h#F?n*^GAuk|i~5+i`YLu&
z=`yF~cE(Yuy2u-7PP7Z}+!?)LxE_bw@4@!HQv#{Cli#IRw!Ta0;s;T#A`W)i&YJ8}
zCWIFOh-^{pjill<SE&>hX)t=di||aEoyDwV<9VMmsYTghXFu%=<Flyxn2XT8xjWu%
z_SSU8E+cT(5o1G>jDgph1Ye59`V7*7Z@!vEtc-uq@s6mdXsk0atie_za*g7OBh*)Q
z$A4#0x$b+Tv!eE$)2tq_#EH?O2zy&fZ>roi(KD(8HGRdr)6%zCjxQwhq6Xa13Rt80
zc4DFgOZktmeQS-o#4ew@Gai-}T5PJpe`i)J!h!S3IwPU=h6i*tU-S=!5OLUPfbTKS
zRF*RcZ`XfS9IBYKW$+_Ol2DL%$8@pd=~-nb(|XhNMX^>h9{bF@PoW1MpZ62b))#Z|
z6C0=Q-^5MmnArao@M{#9LgWhJ&nmX1q*J^|BHmtf7t=Hib(L>_6RtePw&oH=_A37G
zXp#S~0=AT2fM4!sel5xoJI+40Jkj7s6pJR)!ayo58aI*v6&tm2U|d4MpzDss(YO>;
z4Ki<}5A0_Z_53EOSqg(pT4&Gts3D3`Q2AUVG36J+VU-O@O}q(U=K?v9sYE7@$@je)
zpn<ic&=<PY&ru`HnEYlTi~bwJ{r-_TTNVns(CYT9l^g>=LWq2_6W<d<^KhcxJ0tw}
zh{Fs-GH8VOvc5+G4TDKRM+G7erSN~3&{f!?vCzb9qy{9};mtnu3M^A?ou}pkI!QGd
zdvGnVXX*R1&P5le#^S~$$J(%hOoiJiF@+@I;J_pwuwkK{)KNM%f^X;PD{8XUKKFrg
z&B23~tMo`OnySjl9-=p=j=cTjEq3MDq^2wWSN$CJA_tNj9n~jvYrT<UZ(yp%WB5MW
zU}Yp?3+3VMEuP>88Ad4@nrc@_{d<O;@6<E&{Fr705m%V;4_LiZBu{sah$xr#*N^AM
z!edz8H7irLVz(JMYQKSJ*#EW+_Z-gvHQX<9a$5H|@W1HRQl+!mtJ(|r@!_bd{~<`_
zwue!XT1Pizb*i_5f0r`XCw*x-Wrw(Pa{O@&d+Q`JDyFQ1EGO0yqF5sL(XcMG?^Z(f
z&<yUFM*S^K%F=(xj*i%L)cQt%m8Z6}if+2b*gzP-(Si>B8pSGaXHz=>eX6Yx49&ii
zqeGTSg3zY%d5kp{&23-GefXnMs?Pr9YNtIoqhQ4u?Wt?sW?WT8wQQx758A`>TO2Dc
zL15ZGyAqj&eqI-UlK>ig;Iyl!1d$rowiHHm06)q|qh+o(YIRtiP9H1=uI6gEA1~$#
zwP(yQ{z+SX(f%oC)1}LffL9AVSNkc|;CqHqHB$YVNUfHORh+!g=*8Q24$x1!Xf=>k
z)3kT4-)R8)XK@DWQQV?atM2lvF@xMQkHHB$pB?!@0r7{?)V$S>y~tFoyGs!5B)$k;
zh*-L04Lh>jWO+gFxY4-PTxSr;WMW5`-C00bmEU`3`{4_&!YrejgZBIW^)L;KH-v|3
zJaYXWher)ZX1d7KbwuB2#HbbY)uixD?)N5i9vWWeEup9AcsD2a8yq{RqPajg|LpGz
zPJ;`Op1q}W)bmCTzI0M2INMJADsMQz;FL|m07aMnhoEql-^kp0lx^ePAHI6OKo?yD
z$z4eHRHDmpHQcx=JvEyX-8AJE8cO~RAFPnql>;VCfk&y+H%X>Kp3OYUx^yKIk|ynn
z$mBRFA>K?ah&$gpJ~|rRbLLWgr8b5H)$40c_VKbg)0i<64C3}wpH<OR9ar%R1+UXu
z4Lo0}iZ{rucdJF-)ES(M9p1y<uFIpYjao|8)h{?mPP(gFGBe^<PEGo&01Xz_PQzH`
z`FbuwbJ?#%4@I_gzSGtp&r$)0{AYDEU>3e%b^$fc8rXR`yPr#n{~%?yY8o6Mn@<!+
z>wyGgwE;MX@Uxpw_Z(s-GAdHfq{d6akqnj$T`qz)XS)<L;u{_L#riw%+i#KNK8gcX
zygl{GgT+(TjjAJv%YXYl(%}AN?N@{VF7~wCPz;g!RfB>&XKu6kJrld<f^&lF(p7WY
z?=QFFXnpDF1LL3FUw$GUsin#}L>`7ZWay7$$me`DGI=bb3}_av-(Gx%YfbnuiZ#T_
zzGS2fE%9Z$*j`*bnFYWcfi#wFTIYzmPV~$0;+r20Cf$wjqGfNeSjVo_QqvXw5w^gj
zMnqk;+fghgbCx{zcp|dG{wWpLHgK*LE*SN1z=64Z9-dw=E>n63$K$-LBQ#;MQ2luB
z@E1f8wv7q~#eA%-K)2v_r&gVEq(I0m@LP}T`ZA#EbT}RulXd`0IrB604A@^d@(+y@
z1GWndC&s+vx46tC8Mz|esvoN>r31*;!?V%lX;G4HvBx@I4VF6&4k(9$1o7gHF4GF=
z0Tmp-bM?C2O}`0qj++0<|Bj^wuG5?aCXy4p)V^^2L-nSj)6Br<=(j8pVSZ6RGJ!)>
z)F>C{GBoW5OoOMd4IQo&FgV{er`;|stF7kPO0>u{t?I4?>y#al{zR52s)qk@^6GS=
zt*SX3OrMhsHVLvT?C}?>OwRqXLR@gegsOag#a@w3OORyqcJi{X*3{>SdSoG9z|Vj#
zN-P67-=@pc@4vutW<k`N$@Bb!@m}qnfGyG*-x&b$wzq45zQ>Y|VU69Xz+la&e$U0i
zE@cB+sw!F)%|bsuMh5A!<|JnNm@ieg{3gXRmR>&uc;b_+B9`h3S(irW=@l7kf(s!^
zi&vH~)yFX?f%-**J`3=BORVe&YpPKHP?#wY^`ULng&~cJ3y>)vwwOV)_%ChQxv)5P
zHK#mn8+P?Qnv9lxf2T|hxHyK=9O{Ustqu)S{3N8vUexkD{1*|p7>8Dyr^8TQTx9c4
zUS@;~YXc|}4bC_2t!EqjCLi7Mq4`w8a`7vJJiK1CSs@B*6Md*Q-Xv^J$1PGxVu@CK
zBcVaA-eHjnZOPed>E4`pHREC-C)#$z)+y8zR>I?4GFw^LsqTwvJ|en%=~H~C;MNft
zn2pP0CY-g%DXBj+S$tWjR45Ya;BI5roi{SB9$A*n*lAq3nShBxKPYK3j8h&cVW^&h
zXzhrrImXIo!L=mxmD({a)p|aIhV`3CSwPqjpJT?noL9P#Ejn6{;NgKGBg!X9yOF^i
zbLPLldiP>+oUAhZb_Uozg5n@`@6T(#m>vsb&El+Zw9yt!1M8Vovci1$!HZg9BK4$)
zA4Cs0=~r#>++u$CrPF>m*a})HOv(`CX1e*)!eL7Mt(=%ZHNmUqx7dKxZ0{pk8KKyB
zDx-J+{O|_f;C1>}iJj7l0QLqZ^fk!K)ezRi(U?MNHHCMtq*H7`EF{wvnCo!X5!JMq
zy~6ytDz~=taiQdL5QAA9|0Tzc+Nt`TdQi4gLqkcVv4#EMC6_Ae9TjSE8XwN&L(pn4
z4rMqrs8Lh@rCXIl@&xvkl<XOH+V%89_52_=bV9MKNZt`W(ssRc8NHv!H$U$wVwuJI
zf!ud1rw)ph(R>7DS}fMqKuwl6@Lveh{scwaD*To;oA<Zmgp(#yrG!wcLj0Jsu!K(3
z<Bm6}rzbz4zBwTen<1zCruv*?iC1u;t2+QxC4_)B>5(5!x~Oz!^IfFI5QNE^6QH`s
zJW-sNeURG4JPpke@~d;l%hiN>+NOJHpM!MjTzqM?-tUlTb7iQ)el#>cebJ5}8pe^s
zbG_~Xr`^vsO!FSr9<jdOn=HN)@_`B}Pm|?Gfn;zl1a2Kx^E?pE)+ifSfUd69=hdh=
zWoG9!W=5P39A`PFs$q15lY^bG2_=Kp2Gnsv<>P*fbNAaJ`{3x8vp28m*!{|a_vxNv
zf(Gd9MN$s0{p6s!+oM*jmi3(X1~8Q?VKkB+*Ik*tttoX~8HD)%ym))Y{dhrH(KMxF
zrYPT<!uOo<<9anObesJ@gu+(DpLc(jbRAjwv6UJiVk4YYg7#m38HNPk|3IJMVfhG0
zTnHUzn1{yIwP?*!pXDwH{maw3MJR8Eh^c7JB=(COPB7xiy6^Uzei$cif5+T58SkO+
z!xx<B`><Y<qJZN!&h0CQZvbLWQOd+XC-?m@W>`^R?=kci<{|MGMr1us%``yWG|k;`
z*7KY|u>Xe77yg3HMO^Zp{sW5v5~3Elhg4yh)VC_N**+sxm>x5yT6h#g?DsMylqgh1
z>L2t9hhl%*4#2wWlqq-ZXa4H5OTr|AzMVN^vk;$}Wqo~%A<URD{qjm1^D)L_i)f~H
za%CyWPZF~aTNT9FR(FUnaDYyQq3(Gs5y$S3d71SqcBJnw$T~kW{bH49<+(MAyc3Rf
z+m}y_zGHyY{xFQvv`XF-8&aGxt1qKxxaBSsYS9K!C>}kFAj3by+2&*^3Yw%b2(c4k
zCP*}jtmZigpP#csRBrwqqmL(6ba{{&u25bcch5P1?=zkBO+J(@lIrFv3y=S<N284v
zAd}}5DO$)Pf3gylp<yOU!Ud`bk-v4OJnzcR#n47fRDyi`D$I1EY#hh!Rhn3uYl$EC
z5)BcV=WX%?&@6}>l(J^W<Clk-{SLkv93=%kT4^3lR7yGuRlFZqgze2wkG$yRB^kOP
z-%2R$gO5u`q~AwqR;Dt{$4a!{7Y79&{y<-bjH=^(r=~5ZehVvTT0E&DH-z33gOyh+
zud~a-MwU_RNe2KkNz^rz&GcW86Qx<BaG2?%Z>H?6;%Hx{CEPDN7meLPe}Gg?l;aw8
zdT6em(LQ6|a_WCHIUxG=f?6b<oKWASRym65g|=47z%p++8$(6)RhI-)jUbf#G8NR<
z_vuDozLOX}-Iyv-w<ENM-ELw{DTFm4YmyxBZN=Dtau5u&s+$^iKHq#H3%ls|Bi7&%
zV}$knFW2an^b82Ayj%f2+}sM6NLmVU(NP2HY?Bw?*-!0e2s9ZP*}nQXP_;}%jEy+_
z6Bt^Ix2SDJrjSZpEGBYuKtW-aflztPG@gM%LhZ4hD7p_m)$-D?K2DON=#D+LA(7}>
zZj)lr9_(8FPBhpRy?w*5mlpOP0=*rZ-NL`mN^^trHqkPH2vN0hoV;eNUJi4tG$O1t
zp?DiD^n%J6xYq5&zjjdJAEwm*B?3%Uw8LZ?D1nYXK({{z*k(f0vMty~VmtJi6#RtA
zV(;II^K|clg~={i{qOSSzjSU5B3amP5CREh62s#R9E+ySB<@AeJ`&n-!}5$c!mrA-
zTH-f7aF3Uw%_Zk<OC6?U4Gbl`=u7ho@Fz1T?Jj){nd+qQv|<ko7y$8TF?-poJS<gx
z49f}Ju+G{xzZ%rKT-#z}R49$xca`|;7{z>IFGsbpPK(pSO-9ZUCT&X&KY(;f+GB_m
zCc_|E%KY~CbNNi8jU^L_MWm(4rWvlV#l$v6mLb(&rRuR_g5?Lmdbp=60m(i=RRf7c
z27{7v;3qni@4F(fpmn*m;f4PY@P-O(Hj@mJYFfK<_YYqz&N*)x_R%|nO}V=!cOI)H
zBSZeY`-q3@C-evV7(IM@2@Vx;McQObAR6XK@NCIENAr%I0UNvYbZWaRtA!=`4MEp-
zh*!+H{m*X3%T`^$QA&B<?Ug0Ojr}I!^<O4E$&o}v%}<vO1k)M+5hEH8QoD_vYDG88
z>q(D|9gmHT{lZsRf`ANHBo38K6(t}{NO&lGBKq1dz95t^@*oVB;g5t$)VxQ4_8sES
z7HKI;tS0o-7TW{tHU)lV<K#P0<TqnVpj3cc63(0E-7#GIa@s7{<pnJ=)=$s>38_&c
zpoBWMVzi*Dbu>?yQV{MJ3YvE}An^zeVD2CqluhEC<K!^NCfe^0;O;j0;Aql>5##Er
zpbEHRM$zM!CrYzP`0?KSPtcBd>1*JI_C&pg5ca-iU>*;%ABkCe$bR)-4dk<hl3`Am
zc!2gt`TnUmJI7YtGOh^e+5Yk~BkKgmfk_fK_AH@ydA(@ML+B_7anX$Y7y^BAQPf9_
z<bSepPekKam<bwZ^U5RraEWn!o0_zdos=eZ&O>5NV$n!_BWzUmIo{U`6JU-wm7Zb-
z^s8}HNO=}N-b|<P-Hc5RON0)y+tnYvr90bfrB+FCS-%pOt`mN`0lO$Sl_2&>q}$IZ
zz7DAMJ(nQP?)`{iP9*=6VR9WyUq7bAoXU-l`{CLmtw}>-_8{JE0LS-$xp6c@L?KGl
zwg70g6a+`8zI><TZvyXTvv<sm&FKP8g6wrW7o9jE^?NA44mjs@_&<OMygvLQSdV9+
zqb;Ph54f6(Rc(k?0Qu-zreN9iDH%pdaR5Vhkm-su=!x#=OiL%KzwmS9@ES(ZQ}TsO
zRN~R9BBDg@hkRxVUx*u~|KtobU0`3-4PcBIYir12H~fgSW6I0%fHR6ASgr0LPJu{}
zi%h{yjE_;k7sq^E7{<=Rfn)vbD9!}jAnR~e@0q=bJ&Pjl=pSpcmw)mnMHrYt3p*aP
zB^GN!rUTf%w<-;D-x;s68Nd-g<5nsG;Tq{^a!W>*_i7~bNsJ<}F*Y)dC(5xZ%q(R=
zZ4OB6;uj>;bmw#EI*&sLP5vgmr7kUR%}A(;>`P_VA5$^7bHO(b^MkY~vg^3YxF<4Z
z+qCx*MXga%HFMm4Q$%PDvRbKd^IK6TA7#*36-YiT)UQCmEbZ;EWkNme?N7xvi~aK`
z5V!ZcO!x#%qRGhEF=!+J8EiZcI0K3j^@qK@?7gI5f#XEh;}dC3*%d<*m_(2Re#oz%
zDUZ0Kt}Hi4$<x)xr$8DYf(OumFZ3gi1ppI)EzYkXc#HIQFMQZFQNOxnv&x@|Y1V1O
zf19}Sji)cDJKNGLC+Mx2%6G=ZhyoIzr<cMXPh&&1CEP6`&f8{GHP7t&TK&JPlJ>8g
z2eF4L84;`eI%3c)tL;Z<5wl28+YUmJPeo2S?M1VUCKK8Tu};+#<%)<9en_#N$m~ro
zkNt;mS<l+LmwkA&pV*@dF>;pl_?O#8R1KTu0Qo3)mD;s1)e0L8Do7~$#!=yykXBOx
z)NYX!B`x>DcsnOlm4A)Y5tx<=mdIL&=omNqA~Til*5gOT?Aa5i)+84{mQTPQdBfOk
z(D`=05$+}`p<k+g81LzJT2jjCvWsphr5aUkT+|%(=VaKK$8;IlS&{zOF3r!^W>6me
z`$nwfZ{=$VnpQ15=Xx*A(o|5ZdN5R)99KcoRCJ)x@XTvI9<ca=C06FF<EuK`XYGU}
z5NDBL_y5zw1D<iUH9plQtR#RcmLSN&?Z3ni#2G96D${i#%am1E8|jN(3Twsj3l8hX
z1wC4wj7@-2HfLe^I<}r-<_iu3o*mih*@%$p>FL;8#e)&lF0zbkJr4<zEVatm+icfg
zO?;CGfC*j0<?F)7O6)%G9f?@B%zOf)?YFUiy}_k5c6(g#<Z13#b#^}lZ6n=$mMXhp
z3u;dr0(3@^8w(zCP^?K*iiypTDARP8*sw&vrH&F43NIRk1Y<NaVTz{gcm#610Koy^
z&$K|c)m!`{DTNZC5tK-<lW2I9X#n2}Od!}bbbzw{PaRtHMdt&6{D10DqTU<&e+qRr
zC+1LABM2c$dEWs3prTf3m<&=WuEuw!KQzIw9@TT5QIIZ<D3g=^9uoSN02Wg~jf&V8
z`?<wz#SWXW@D*kv%8VcK=<E}(NERQ6`q&-AawQ7;7xp0>eG}&iVyN=(w;_nKMr<6x
zg^gmZC`h8)A$~M|VpHQsY({MPM57oWE)Ic8L^_#0SrD@aCVH5{QU$g9*z=G7O)Ghk
z`Y*NFW#s4o5E5QP{zJ%u)=fEF&;(CQGZhI};i~usHvX_~k~gN@u>wh_jtv=e9vr5!
zYSl1GRB890!GIc^rvK^^FTRdjeJ8)^qHcv2`qCGl?p5&v4FdMVQ|QBK|1kIT-(owf
zU?3?Zih|f{Fiz>izTtRGSw=?zc*g<HXFp>H4hjy+zYtG5R(y$Cg}+-%5C<=0ZoeKd
zo{4}bAs*>gMSIxUMic8$w-gDYwDGMvq1lGp%SEdQ-(9v~&&9vv#vp^#+^)TKwY9|p
zKk-7}c9ywmfo1_Rzib}N<4~K-cIsPL-Vv69LR)R()_TQW{yPVojZ`PtdpRQ#h*eMK
z(EB3SVp9wbTP0d9D-}P)+7wA=*&_X&wtu=#VC*3~@TbCw#+BEUdf>l;$crg#-1_uS
zR&%A=J&ahJu033!qVMkJ{TRM-Cp33Y`pFGlb!MjEX2#zw3w+KHv{2L8xy0(`&-rz_
z#=LWLJeB3HZi>X5Y1E8D@Dw8A4=u(%okQT?%R*Z`+*aDcf1evzn<?|vTq~>=NGl2@
zM3vHwTP7?Z(2SQK?yG0@yawV%@R$P|*>lGtkm;aic|AW8C>7gQ$tmTbipn9`U0BQI
z!XwRL1j#8OKo{Vw?>{y|<aFK~lWM>%E-2GNV)7Zt*+{ZRU6tiXxr0sOcTFf{q}M$~
zap66gpw2OsCYY|CcNf&%`nQlGH$@L!sOKbsJ>x(kn=>)Sld5WPXU)q<-e-PKjq>xJ
zHGXRe@;zH)i2ea<-bT+n&@f{?K*K%Vf-IpTr&eIC^?S=#zUq;xWrr7VxSH>ANvX@0
zR+5L($%V1d;Ht_f*vZukZfl4yEf$Y@epaukOTi*oE*0Zhgmtt){-ZkA<Ua8?^hqTg
z;^0psaCwoo@v-UX2i8x$RGk4ch_Ak;?-c6kjoZ9s&Eh_`Wd^1W&p1QVF9NZ--dSCT
zXGh{^aicRYA}b*UXhnGRYD<nMpEWH%rX^T9+j`V%7Msp*-wrPHi-3MFiJM#@vn`z4
zadOSP>hW6e;UbP^YWB|vl~Bi6o$c!16>9=`_y`;29Iwtfnt;)zpSC7lrpLl!x+W4B
zmfWXO;HN6wkt%jto;@dJr+5hKw80#WHg17haSN(m07-qht8LY3zsUz45KVrEz2gZy
z$$Lk6rs4J^29dq}pm_hP@Wl~O#6E93y%vcx>jqt^wWi3B_P0rI<M26bVwEkiN3cd1
z8xXDS5C)%t4DoOV`tsa*mOK7c$A@=LWZlM?pMyXWBHvY!6h$J(ag}Y0T8PXDo&D3E
z-6jA@KI1PYFi%6h*mvn%6&ZZzfic`36o-kL@r5e6h6}`IT~qA*+9Dr0GgLb31vArH
z-i5}sWjPAKm=Kpp#aG+O&zD){o$l7={s!2R47A&iU)SoJ`^NF7t=Qtvsn(71qrqcu
z!p&<6Xly5ST-et_pRm|T<yWhqh~(k+&h@w}6~Ofi_CZ}GokX~#UMhY?vNc<2QlTiR
zB*Ur1^rcMU6}5OolgqSjVAgAoP|r$z$w^e>v&TbtCSd-E_nxaW1xEw(TLaj<HZRIh
zTV17CL9f2%%GFTOm>scG+`*&&-xhv%r^PbNGG^EIDGlsWus`R0hMfOLQmB&E+$2yO
zRK<~xW`yeg!|fPyHMm$G5gvAqxJ@uNfhKS~AP<mz2GWpyA&Ag+hSqSk^3Xcofsip-
z(#Z~pN+3?SA#Q-IvraDciTey=jF+r87JY2UuVjL}4X%k|^Yi{~VBUcOUciBIf&=Se
zs+Xe|oKXOdXSz{7Rn*AXR?+O!_<wji%b+&H?oZPqrD&l@(c%up9g4eqf;$9vZ*g}g
zSaAyu!QEYhLyK!DPN6`T|CimF-PzflcW3rXK4db<%$+B9&i$P8yDod3_I`ZD8~_vX
z&t{RqwN`dnj&Ep}vXnubUJ-VL5>q)<Vm?f-gF78C>KS0-OEMI4k-|f_0cfj`VTA6T
zBmC%J#CI)Whth`Y&IFxE;P{G5NQ5BS40`HW;%WO8yH#s&*?LawY+m6ew*mK;%i65X
zG!~Ufb=x0+HVJ=Z-d0xH*fO;^R<GL1W}oE6(hJd2?qvH}TlJ6qnpd#C8e6~g_vKRZ
zgPRg^f6NiE)vzDEgC1`6oh+m%80AzhFah^rh3Uu%7V8z(Ml2!V)n?nN(keq#2*j?E
zVU5puaJ%k-8VeaXHxm1&B?D!JMf7uW05qOcU#JxPDVv~`XRQOlE+@amW7z(9XhoWY
z<{Txk%}QO!25HQt-Xlv7JMqfnvu}dI*Y?#)vDOtW><JRB1OCu8uT2HVyk4;!QrwVl
z+w!QV(GMlmp{MK8gc{YaVgyoEpJbM{{dZTqCq+geUEY>d1W#{-6^{$=`AoS=24eEx
zrm!RiI!41#UkJ7wEKyZ^&t6S>fws`=3a#-G5G7T!+j=+l<juq7<v7{4ETa4==Xs2Q
zOX5(vKsCFtC>sDtv5X#098ciwZcvq3%hp1dG#=&2kM6*z8%---;wr4MF-QLzPsh^S
zY{RX-D>bJ7Mb5sfoBX=bvcjzbvu^t`9bBcevSHVdEvj4zg?Ls~7p{kS&X^RKv3V>t
zmdUl8hucre8fTh?5SwR|9pwE4#_NaId4>l@cQaSO1?Sg%{VCp4WF+2p)l{A+q`3X~
zjCwUR<X9gDaEEXXa+v<Ph@#<PAEUu<ZXBP`=`?H%?F7A{?zS8CAPGE4BTK*xGKAK*
z{LY-!B4}Sc$ybdtzg7NWOM>V4F}j6Q>f@WUwrU~1H+s`vA_oz&O~AYKDwNh<MMISm
zNonmBYD12$`mQ>$;95LL6hzyi`Xj8c4_Ef$Lwydq3&I@;qaJY<kX_v3w);`VSvtaF
z#$Q4=7xVt{@7sP{oduoEA^LTjIdQX=xl*ldx{IkS8SG`9)Q)V+CTO-qvcNT4fYG?_
z2)8cU)0eO4NpIw)1?gsF39H{Vai`C2j65J(qh*mHqIXxpnrNEQv&W~U&t!m)H+NS*
zJKPtoGLR}yYZsbFjG_dTz%6HpqzZCq%fr0yW}wY(<`2lbOOs2#Kz6Uhw7TkLF%{aO
zgECh0jkG45Hf@h^b(U-afBc7GeGxxSR@Ap7^||JG+Wn#TJ0oiiK0=}$Db@_Dsh{JT
zPaorWj|!COU}1d@`-U&$9^^G$k{NOg3y|+3E97&eh^afF+%mOR)H3XH7AE(sB+$c(
zX6aKqCk14Myzb&=^(xprZ|r>(ICWz*4XvO^NVI1O&2HFz4;H9k+-{%FKbg9*w!@!w
zpQCt=J4q;NnbTzLxOHr@XLolfD)8y#d#+4f@K2$qrtz6$oXIBJ=A$+ha7%l&Z$r(H
z2jd+^Tc}LQ&5r@<WH+w5Klzk~Cl1zN;c_kFxCJeJ_3059x%^L(jU>=w+{toPezbPF
z!;fVs9X9jT=>ZsLA6bkA!~&Qc^@J|-xP6i!p52}%MUFL~V*>dZ%~ZbX!WYDP?Av#R
z3~iz@iC_upu=}P+O>1MzET`)B;bk4zCYL<Oa6LM-Z@te644d6Gb>qSn48cAqI?%f-
zCIMRV0Q34<?C@?{Hfdgy2{r?rr@slevg(vj_*Z5%Qw4Cs?1yBtee`Hq$118W#Wq=V
z{3l2;&XCE)+D*$GvXy|<%%()fqO=o<-v1C9R?h>oW;mGoGZ3>et50ecljE%bBp@AD
zp7qqRH!Rz_ynLV1<UJ$K<=p+853&?Zzo}>X`|=2RaCLKnBXdENV6EkxTtzw`XjWud
zk?8liGc)SaMeF-AtP=29R{3iqd3yq~FAZtjc(P(9rZM2#arKDnv9fEw9lE<lw;?p<
z-9aG!g~)S6BIF*K()7W?>F4Q_p12D{35#{mG?-uqQ+NP!mjpDh+71l4{<S_Mex<5q
zPo`b7XpaM#oDW`f;dM;kTq`Xy#lcMaD0!k(E%Z*GN^y~(PbRtD#C+NuBfWut5+Rd)
zDw!lj(SCrp#A4z-C#da$tZBlOUL9@=-S-pyMe1W6co;fYj#TAIvvB`rbWAaI`vu3E
z<rS*aHT2oe;VcatW3+OIu02UA7EeKi!<08Pls&=*ejDDMNII2cvP0W3Y?mP|pgAZ^
z^zl?Vqm10pE57EmS@`m?rGx`xe)I~5Fz1?0%*3*6Pp26$KMGQ*guS->S_OA-t}D{R
z{2k7D93(2w;(W7%oIEwba$zOZzfjzzEu4_m7(_zz%^asBmKsFU>rO^cb56=Gw9jjA
z-A|k-)N3jnrplwImv!xa?3QsOSrp;=k!mMh=l=Ls9{eVSQL?;6G-)+ED}1j>vT9GF
z{n+?&I0lnodM8-X4?_Ig^VY8waK>KJ&{1wu;-Or?2n(O?_bV+5pH)eZz^fXxEzUW|
zjH)ens1dRTz~<PeN;o@|tJR=(=-a%^BJc}stw?a4M|JZN?4j-(%-~%*o~POlirF-Q
zxf}Kyv|!`T^6ypKD<Jq|<y$B2u=dK~h7OG$sZEjL+GbuB;36mfYQ8p;Pt~{FGkZY}
z=0(NjkFj=~<U_M%#Gn8GW4AAb%l_zZ(etzkfuDQI9Wk{w1hKi$*<<YYp4XLDuiP%{
z#WHHQLLYZJzBpZ#T!y#=n)8{@@u%rRjw|ISoN{7hFZ*#4s(b3+_;`|8bX@j4GpNmN
zs!M8bdu^)H{R*3&%~{@7stK*yh0#p9*Pu@^J72%j?p(B-vnst1LMv^gbKVkQujCF3
zyB7g9*M1Ym6vmxFr>v?qm?731^nZrfkz&--2RQresJwr%OL_%QpRvfM<>q`)W@qUo
zr!0zO*bbJr-b#<tt@5;*+ic%<U<@Eob5$U7GGlESaKIc!L)P4g0~Quz>Y1j64SFoq
z@h0#nj(tj(6t>Bp6?KYvEnA9S%NA|+6yWqr>TB6j<UzNg-&SE+@n2<2!E4##`QOVH
z`MJmcQMTZ7k_|ckmP&QE)Tk|dS+%igrcD`DXzXy^str3&j`shC*Df9BU(;v`+O;mB
zfJ-E0#F?LQwc`<l{J2ncP0CA^XWfcex}}oldB>rxuPFf7wX6)P^DtlU!+<W$H(N_V
z449AXWh=aT?APBG!fCTR!W<;-g5N3#i8-e@$SHm73#1#TTv7TAJQ$Tu)QUwdXOy`b
zBlY&I)=usZP^V1s;`Sa3L4VsmG<sYA>#N%<JZuTLPqQM6qBa!ThJ&TJ*kSl+Obq$U
zCs^9w1<*NDuEXK}*+~SK4d6v|T{+$lOdsVTLu@<3zmiRb)kR6s4mpOulSE59o-qHk
zk<~SUHvdhOv9={?Agy8+YCYY^2v`H@ao9~F(rGi>EcZPw6i;^B&T@Rw_YTODpXpzU
zJKX0>ap7}q_=f!Htxk%9G9>@A%tl>=XNq0GKybyG*?rCM3YndNXC`bVIpibiZ&};b
z$mQ_cYrQO(t8_8JZt)-4+{o1x#ibAH%k<S%<?>ePX;v%mwrSX9^~*Dq-_L!*$uFbi
z!10I9+qL%6i98OP3;mHF7wtF_AJ4dmX_ZM|4R=r&OUJc<x&0EdP48DJT3c`!zYFN)
zznXb7^S(&!z0R3@**RiTat7nT6V)`}rOhu|0A8*y5Ook-cq!u1<0}1AX;W9e3H?Ln
z{ZGs7w|x+vnn%G`-(Mo<A%7BbHpG(F{8Rg=f5o}M-%6f-qW*Dan_e6oni*QNt+JwY
zNXBYG(o|l8E|S)>$gtIF-wY6@zehBm^H+E+jZ#e=M|WBBbUHp5wTj#Hn9LLntA2g5
zQ?mR-2Hf|IZE-?+>ySlp_m{krsoA&QE@o%q%vPsq`TjJBiq$gBmwS-R;yt0n^opbz
z-jURo@^63B3)a>>x@Xq~G!&PiDj7!{x22t}J(ZJl$G*&#BrO=zYa_<1@HCH|_4Utp
zm7<q*Jd}Ec2itjXO>~C`HpDx5rCvVSk!3Tp>p2+45j0mMnDOwhFu$E?tQ{*4SyfUf
zH|;x<66rjKG8YBoC?$T9$QO2|llK{DbAVTuXTvd-(^k5|Ea2ZlsDbuE(P$7>9KtS7
z_4e3F)~e=bvoc*1R`I&e9@MAAkA=i&I<~6^MsJ@|f6C~$wYaR9Wop{I{_!?Jkm5sT
z0`xt@*8X%&o(}wg&xp6i4hX5qt3Qu+hJOlY@DE>FnXw&T7wL{CY-;AtVeFW#Qq=$n
zreQl>71X&^Y>~6*vPw2XPXh{|uEiO(_PJkX%}<qmT)t~(70uu1jPp4X<u=FnG_Et9
z4z)nP!nFc+O+XU$(o+M%NWHajVXlip`i?DYB-TvwzIS8u&nTiz%Nc~X0I<jxY5OA2
z?W}dZ*Y<ToO{cz}`3p>Tix;Js8P8yYt5*r_&x$T<S99~nfP#vK4#GM}ZtbjvopOYW
zxOP|})qTx4pL$kUvu6)P>*Nf%oEP!DIKbRkOHy26N=SI3*El)Lb$wl5oo|geo4MW(
zZEWosMW$)R3lCopNcF|{tjL2X^VLH9IHXe33k)$4J&|4Fxs~F^gDf;ob|OD8Rz)0R
z!$b-DUZdL?M+v%P{}ABVFW6V2^rQa}et+HTww`&`f3chUhp^?|GVttl@HF$_^DX=S
z>HEXy!ROD{-}wF^?7n>ed}F-xefj(8$r%hbQPnk2-{R1pzOIjT7bmfF8*Ld@EuEXe
z4pORKqPyd}Ry%{9bn@5PIu3z2OzSvB5%3ZLxk2kJx_yFkejL!PrKs9z+Xr<e$Kh!@
zR8e1aVG*S8*`4mLR;MtdI++;A8|I*sodFVx66C-K6u{0s&Y*a+L-I+2i@hPeb35-U
zbwSarr?T0hsjj-NWiN>xvx7&M%Z-*GOs1BNg1dZYjL2DcDW4s4^uu%l+=_*Meq-;<
z1VJX}ldx+}+VmQdB@*F1&HSGF+8SBhT5oD6h<fmNS&=E(#{Y&j{prjQJ!dUdz=W$B
z%h|1xjVo#YvQs`YvC%K!WYH<v_wofcuiH*$UNYa|PTYoMu$MFNIu?oaJ587q@~d^2
zi!u$^4^(!EeOdB1!z^AMBT&E1Fqjfm)w9>>A*?ae;}(fA*dvRPU=43^b*ju_ZtzIo
zD;xnMyV?EC-7`>&`S}>(x*{RJWS$?dRyzIF3r~pN)=*{HT?l!|Qu_AjW;QA@&387O
zcrJFh4#$(z7hTML0>7&3=eRJfSp-Xn!bd~|rIl7nBNetSAzhJ#ojB;m%9P?Kbl&hx
zVj15?hr?!29Tv*rk|o)?9Z^$&AC*o_N3s%-f#Yj=w=jEZu<yB2QS|vd$Z36~(gFMx
zPH0iJxlwdj?U!$#-SiIu9~rSw48Qodfb(yj6p_uUb2^1Ia>o`ZYh;QxOABB)^}_tu
zOAmHW2w%*sW&{W?qH3?lwyU~P_NVSFPnJ8i1Dd~&uF8_~PqoKJ!2aAiu0!B<cJK+*
zYmq0s6C)GEy*1u4l}ZJP*Il5-vXLcTDF51`;mLcv{#O-fcns_KvlfKU!Q<Gy>t@gm
zp6{4ZdTd;Fk0il$FNqOowE#$r&R1htK}h`sMpRjF44S86?0dA<H$0v>C@bQFTzs24
z!iLf`Fazr#lwdn_41zg0qyjcSlChx^nQPvn@?!+|6Gd$tf1_%y&EL6d^r7W!k1$u5
zvnSndtBy)V$J!_TOm|p*620A9?PVv2V;I9Vq>QC=zm&xqs2a#1trxf;JuILv>m87q
z=F)8w7NF;fakB4TTK#+7q+Zo>bKfp+GtW!V+G5NUpw89C1w^xm83Arh8lD}>2C`Qk
z4mHALZpAGwVgZvVIzh|qOw4ZkGO6&x9}o1EyjYdXAYRlZD_e08e>R_@BV1FxE;4*H
zs^FIHRTxm6M0<j6QY3H4&T+^Qt_UEtLQwi-HHLj#mvW}OS`J*2onIo;+y0oV^@7#~
zd#TA)-b3Sov9>ki0M<_6?xgMqfw8G(s^-xRqHaytun%IKmJFVr&~*ZR)+;#V%T1Vj
zOtlEU#wH%mY3g$O-^$$Hh+Y;!LS(JuaHJJFkJ73QdRlttK03t2<|32Pdz>5LpiaZ)
z((IM&w}J81CUpx;yv(8q8)Q(qY=qfjlf~pKIFqa_FO6g90RIOMD%2dWEeUyB@!K1J
zAK*+_<FuL-=R!)GRY?<Ff>BzjFKzNH$K<6`OfEASv#oTQ^Hx~^#Yv9LenS@#IHjAU
z_<EVE$$<g`EGV*u8^&}K#^q~gdz3P>rb|mm<rqNS$j5~_W)q=18s;(Ivl~Z1%$hrd
zlzy+rvjso7cWzuURkZX{>r*(%me8!i%niL)mc{&$%ZkOQ8@V9+Kvpukvc_y{_v}o}
zw4ZlW{Z(%Qp)wWg4!AAPMaCR_t*{|HWD!QHO-cvK?WJS_<5(kvh1}75U>&WJlwsqm
zcK1ktQ|xnJVgzUeLo7wS{laRYR-JK)hMaYa9$xE19YjG<w8~s`(H01+GS=pk0`e0b
z4s;vq7!Db%?h~2|AB`6^)QnHWty_rlwSA*@@5)`#W-JJ`{7V%2q1rTZdbTGSVYr7h
z>PSzS9g`3qm|w6oO+K+K^gdv`A?{TrH4@Ws*7&e=LtMn3(kS;=Ux+TPPN|<g-e74+
zHlXaM^k#O;T$QaLqhh1y*|?5I)+7jtf&pV$+_rNwf4W)+6srnTuJMz#(RnKAgEfm_
zfxSG(9rIVOXTprD<SR{UVV%t7oz`z}y<0&XI(Dwe^@>Q9g!_rBJE*x{(6B7sL`G(J
zu%VD82Zz=CLW{M8Jti&GBbl@^6<(s@W|`mO2Z~dHG%(OQtJr&70`P8gsFT))toDRg
zwy#eNYo5Qv=>%lwYML5BsyyjdP{B@H7<Wb8*>BqH-LHBTEr{cTHg3=!sK-GoQiZrX
zEs}@@VG1|<^|21yB~a6BjRwomEFObDSZkJbDdl%f>#kk-&RD{Yy>9(Bi*L0%aBcqv
z?pc(KJO4vKZA|}OW3&^`2daT?DwR8|d7728H<cxO4H+!Y@Fv|aC=I~~s`JI}M)T3+
zLezIyvPIZSHWb@N+Dw1U5icv#UG_LFj%l7K-4F$F8sfMx1&!;N$U?OB=C{P`iWBtJ
z8MOa6eofOSleh$vsWEV|K)=&K2)~yV__+lSKxoxI-5lfnjtp+e{v89bu^`oB5B}Ux
zTgj_c>hqp=2_}>eTIOwk7QD5Al9VNA2Sf-d`}PLW>&XMbtF<6Thp4eI+QM#)Ms^Kg
zm}K<y^?K{2>Wrj)C;(ZmH##`gi6v<y0t5rF(8F+v_}pY;Gui8yAqENh<cRm&tqLNR
zH5$sH&XyQ@ib)@KF?~Ah@xPLzbU)Xdx2+lZAX+WIj+Fg1?qCTPt@A<J1zIuX1`fv<
z&M<+fug-z(^OY1T&<1`+w;9Ipdkw#Q$BDt>?WEN^t1$vm`LaDPtn2Hmetbhts88Hk
zcgJYqAk9*S%$u2ZPKz1w!qnLUopvT4R^)uAGkVb&pixHH%CFuVA8j%?2$(EGX;FVl
z*Ks9jX46%qSr=!Mv(&+-QMW{8II$q<0Ba_m+BFt#%yx08eV?I0!U;(gGS?j@%7W6W
zsrCPbR>wq=+dLxz+h*rQe{9&zdhz&7YlbxS^W#!))HTOcT(z!9WVPL;{YCkzz;hp;
zJCNL%DJDc*C6JO9tZ-`w=`5+U$1ofm0F+dG!fLJGf{l(?^>K1pmu}^suJhNBO{f@$
zxpp890&+?x_`|`L-{dp-AiA+6$QBo;qM#xdl@07sb-4y!n6eG(Ac>+wpy!m}`Jt@}
zQ>8+&SH($FW|(jcr3g*Ho6-7XZ1schu4M1Lw>K(859N+0TU{Y}4OKIYSv$8aj%S>l
zoU?GCrm>v?{Da-^)gt9uL2XV=8jaj`kC0q1{3{nO7wIeU_|4U{A*#w`C84G30#xcO
zT!CY52QKLD0aF#onpxPsS&bJ9;^$47zP6?VIZBHO3&4!LWxI!Gn`jvpH+nf&mmAHB
z$;;Yc;W|{j5B6q9T9p!dA98y7|J)V$&yLpw@_XkW;!cuu;(d2v`YP8>C?P7BTs3~-
zdziSsyq@>sM()@s=;Af)F50_HS|uWr6-@H5uIAANbpX(SsR>$<(I!=`(eR|f_;K~}
z#$f{0%a*rggP$pH__cI)2wG~)u#Gc}V&Gtpzwyk?jPrIf=84MHr2&dN3aW<sti<Jp
zc9~+dc&M?g^QPp=G}_5(jgFwb_sLBz>_3SgGD67r94_8us>*#I8f{NB$R96AKKNCJ
z;eK2`+<6rzg0)5<9-MVEqoKlHoXs^w%}!IBWI=b}Xu~i)4>VpqXem;gW%tyqps08k
z<g3omA_EfOzL>Q=C_mk?{ME#W_yuLU>Z>BP@+Yf&qVjBw&}_^1P19BB=J1|6R))V2
zox_?w!Iqi#d}TzEY`s0crX9cer*!gML#>TJUK%Y~g?*#lEot3N?D{EL&G3P9fExkK
zvOK_MYngQ+h65<Wx4zKU*pIFZ#-l`<j!$9Jz5&e!#4nmW-mGgAPK|kLmt<*9W%VOt
zocGqdjF6U9wZA^PACHi_EWCE;M^tiLM#u#Jk56^(Tx1w7-9?19pHw@C&}rx0#UDBE
zba69}E8B#9dDTcq9<fZUzV(JPhvp-MHt60+&b>_IL}suTGibP@l2h3Vz6{mcD`?w0
zcwHFw3E(+=%PY}d*0G|Z>C_c>do{0AoBqy0$v0gU>kBM<!@V;}G2*G$CyuR0tz|KR
zJ$G8>3g*)|{ni<|@(&@eRkz!2Uub^wfw8q6dY`|ZHGKW6o~tQqquns0Vw0JKQ0g{O
z^pqUlb?`NI(qCt__s?vPWQRh)y3~-BB*eOWK*?%wsz;j4_w*ZHF9|D_jD$Iby&EIP
zS+`JU1Fg%7Eb8hrMSOVIGqDrR`pfJxRKq!`$;!(HzG54&p)OH10gAo0U07Gz;<8om
zO4&22H&%k9&c-ih;8jcI6!M;6{27znxA3o3HsX%T3&61kDR-Hh0EOL`Jw4bGO-YEy
z`Ot6CG8eS!WYRQvz#1FM<2l`(9mN(Xbu0<=&1a#*M6z&UHPjj&P1#j|G3nLa^AE_{
zwThDv8{X9S+9kcSHMBmg?76N+7pd}M*g9wD%eMD`@bRL`bUmMR6g}V@ab)_ZRIR0F
zLw=!(iG#AGB@q026tm2wSVY~ae7B+ru3x2X8Cc8gx{AMcFBBdb;S1H!PF)3dpnc2=
z<Zw;yv}UH^<oD%w(j<?ak^>gm9m^dxgNX2>7w=w%$rp=%TZo=$dES;6l^8<_WUak&
z%Fv6S7WeZ&E?{SH$CuGup}5^aYdMKP>zD-(`eTd~YYhU07D1;}IZ=`M<+%*IKY%q(
zrPotTn+ct!w#AH)jGta^-^xejU<2eaY#p=WcLmO9yq}Td5j_{6WEL}w(=$)Ce~Eq{
zeqH&R-Xr$a?VI&;*BxKkmH3m>^z-sd@1v;s?sLNE_tl3l)<@r~eMzrujW4`kzQho&
zeocN&O8q2mybggo)xYGMK2a|`Ss$nl{zIT|{A<1G_qqM+>=R+@-9Lo0e+ZgscW1Aq
z_V`i^*7YhEEj_k{c>qaa+wEHS;4QC0YbAXMnm{z6xD!p@-zl{IhBS>;p_m4dXpIzu
z)VLxdBqujx(HQv=u(y2W?r7~hAC8M%o#yK1s?4p+OiYj?6JRPvtCfHO4lU4+K?%8!
z^D3~iX!xZ<K8`|_7g_SQ|20E`qu^-y#H&h}^efw@+16^qPk!^UO*8C*pBGjRabyAS
zLse{aPAdAf8F(Itwi>?_3o21r8W&E?hA6>l4)zoU%-YdJ?3NxnW_As<GjA~3`$P$%
zJW?fO%PrO~05P%HjaRba++!>*3th`w51QSze+9I!8t>OJmc2GlcSDFZ9TXDbehszy
zu2s}Av8F~)0eF_aUIudC9%e89h^^h31ty}+lvw_I?EyT-r4ZElbZ!?yo~3}cLbPMp
zDT=SuDI$qgceO7Bu14I0b_+}LI`F7mFvvhzyePG)@jYl`)zz8GtZQ=P!L7WSZ-D#w
z<C8+B+XfiP+UJ<0p7_LrvXAc$PSSJWfiDspok?_X!-Ag`g6D;Htjl#CtzJQ5KZu+>
zM1~qgB>V*%4P(*u70#IEv;gSG$>EA51=60A6&UlrGPLigDWB~|tKKET8lHI+xAIQa
zR<x?KjCYBsgHN^8E7kG_dNhOqN*5z6qMc^r^5!W5oXMIkP#$^>J3p(Dl}1xc(b66i
zhi?T1oDwugeLr+Qgy5u_kN4hPBjBD#X1ZL6y6jODQ1(lhl?odR<~wBD!lhc^E>2Jf
zbSA<UEy4CfqxPkv&x8Q9E<H&4>YK2g{;^=%dR23ORSB8>S_}7Lj`_eI@*NoTY;!=F
zj`qDGccP4fYxUy(B&9$*?AOi2q3;%V>h4K6$eDL1F)`Ium)xVEx=CMhu3Cj#NB%>9
z?2!cv)zu7s9BzU(y+ZH<6i{pEBJ<Q%fvEYn|JLtLhM())A;IKt;hOOzzd%p3z)aJ-
z4V2oS{y=XLDESb-N!YC-{Mq32Gn2=2w#_T&rZUhX=Q1~6j}T9s3z;M7i*%DM^qn>8
zSd=LSBeMpx$uLIOh?G1-s}!CEQO*a&LjFSmZgrjkC(7!4D~C!|rfU0k`cl)-@egtG
z3@*Gfmo(JW&I4{k<UA3iv>N3b&Lc7Ju*95C<k<#Mbd0`*DLe~K?s>OqIOd(uHXPTp
zd9nsB>(@2>G$v6aU*H$a8z-wt(MJMqvLf?n2e_$EP6nkfhVvv$@v|I!Y@(w>+{i`=
zF<fny;XW0XwyJwb&&EL?pCkaS7g>=EV&fA<0Q{^XH*4NhKG4L!+A!sI*);~IT}r_&
z1EASq3s_%TcoZI$6(3+fT1T|5yG(v(w2|xb_K{9=C?l^h>ql^Og9cN$2j)by5;!^a
zn)RS;Q%t)J*`SOZfnkQu8zxsLUhmf})MhX9m$yB+_-@3)qQE?@xpFR?x2Ce{Rz^})
z(_n}vC@5V#lTDk%m0S@g_EUDG;?BqOQz@*i7`tV^&sJyfHp6BXWZi(xsKP2xIDXsX
z&ZoHH=7Q5ZGXBV;e#?*+t~MtU<N|!0q{BJ#oj<$DLfmQ0XWQTU1DP0Nlqz(m@nwh0
zn9w!9R{u=s%1&7>5|(^-8~l_!J=nN>%yZen!CLTkSfR14kZKBF3mHL!xf#El>93Z>
z19nFao;_$++tQpoE4okb*x=99l0u_;nRb~SHHOQPXV%8TS_3b36{KU>;3|VH;Ja7^
zK->S=XmZtM>rQfrfW&C+v3ZZLNJR{lDMc3d*X>dJ5`vfplAYi?GQY%OYz|G1-hs%;
zZsQHNpIJYA{xp1PDkux32zz2gM>b1Anq21f?fi$ZJzt;8068J~5&H78C?8?Gph^dU
z`}oT}V3gJpG;J?#s}i5W0Fec3v!ykvy@hfv{l(LO>hw0UeD_^hk542!@O#B}?}WMj
zLxA%5O<@G-*adw;6=StP99UE*N%=sO_uXFh83UI6*@UWL-Ya(<XlSFOm0X)^)C2Q!
zFgC|2ML{wfp#o+)IYhvVHQBq;$={TISjqbJX0|EhLowdeyODQR!HNX=8L=?qIfN^{
zahKq}!Om+4En_hOirE{yQA*O=!;wU$?;qh-j+hXgSeTs<KpE`_q`q3|$N>6OEu8r0
zR^mlcVkz?~p^i6wb`1o6?qM2m)U?|_ue4{Hq;w9O3drkOZt}5mNBoh_cbt|@g7Xnv
zXB0hdYGuOFscXcp#mcc>)~bJp+%V#nVlX(qwKASr(<fh5Lv3^d3k{+yE3IOdy{C~T
z{yAHHx7uSraW>pG@wQFZRz=|Cd@-I;@Nv@~j5kHko{<$r04`*ju5l9sM&dWUr`nj)
z!YW+3=ESpoCnKH0+*s#Rz{=Q@@>yUg%KvDi#_R76-A|)}b(9GG)x~vWtPPg^Wk`@8
z^)AMIdM=jw6pm?5Tck!m@J>;M)CxVG*nsZCoJl^`KZH;J5U?JIU&0^Lf?V3y{iv<C
z*>^BL>%S#)A_tj$gj_yJfkSGJQo!OOmI)mkH#Hd9trs&J=J~Gsv`Hfj`s#F7NJMQ{
zOylv0&TrhWbvQlMDrY$3Pbwh_<!=wbT+BH4Uxe{#<w>hv_YRRrBJDKBz3724Ee@JC
zW$O7~TDQAoekvVCCz+oepc~szM!IT|3Ol=!{jP^j%Da=&wMM}Wpb(FDA1|bFpy?%X
z*uvENz&+y&=_S)ODfI{R=}>3XFLbP&;z*wfXadFGC8JVYE<>VUM8!Vi4*5KX9m>^z
zUb6<$f6c`3{&nG7aT{Ks3XyN)kMFZ=TZf`28g86JU$4hP-#;Y^(o%Uu5~Vs7Ffl2u
za{f>Pe4ge9#Vt)-|8OGiVoUZ`-8Decbcx8)Ozjj{k7jsGod9fJP93e%kZNPntyKft
z+Wvw)jLVseG`RaY;EwX`)E~vgqIf@G*M^9{L0B@fg{oc-4(+E$i6~!s#^Q8x@>-23
zJg&dKmpE1>grg|jG#Q?*OI9GYxy)Hu?&_;VHaKFE{o5xiU_?wac>0HFk^WDp$i2~c
z2{064-Qow*bQ-ZHrxoO+qn)m&gzLB!i~Y^0($B;{b$|*3F%9e`BokGcFT}RP1uN0#
zP{o=NpT?ouFzc>$v}#1>SOxd247nh@R8TYTf35zO1`7j?=Ifl{nKbUvgQ}<x-GtQT
z#LsWzBIV02inG9)AgkfNeMt}7%B;=fJiO{s4QR2YLPzIpv?jR)fFY6jgN~hyZ@J{?
zM;93vc?uc@t?Qi5?8S<`jYFGG+cM$^Gv@YHwhpp`8G>&7ynB15Cd_^g#(674DkKf{
z%EdLfU!}Q^T-}c(Wp}`CJ)UCGzVO3dHjNSYLY!nh{-%9~Vf?jqj4|4b9~2*mvi&Lb
zn2RmxEh7UA<lxx_<LE5bQ<E!gXSrO7rk%UW^S@F~kJ`;6Ywtd1Io&_`hY+#*74fqy
zWMqkOcH*)zVD>is&&3t}!dKkA$?nggWlMSqoQv1jhe=MHTNeVN=-<s|(l5~Wd@632
zN)U}3npV-9*F7=U_Jh^!31fz}{f*O0p#sjjYVoXW)yfcvQa+Sb;gfdS98GSBr+wz6
z%dq^{@98l``pwf#%356p`deo^^^J9+{qSocNsJ$UHqLOf*fT5?<PaO?%1op{O)G=i
z_apk`=9PMUE^kFTMkpTb#KrdY*Ds$Eg1<!X=hEY4YHNd;)Pl<qL>d2fHz-}@2TD^Y
z=PqY>(r(~exlRHj2Gfuyyn_*T!*;lwYKd$lG(7Gmcqmr)h}9u5jKrG<_uwQVGEWvy
zcU}u5*{|w%0@OTGqkxfgCC-qO-=vpCzL$=f+GclA&y}}UZjEf*cFkLVmVCW+mg77Y
zfa`)k+OUD86r~7tq)Zd(qk@%zTzD8G69NKF^m|1Mq%LH-(_h~_Tdy<wRKDgz`DRKD
z)GB^R&!w<Fn|4{X?VW`s$)%YKxxh7kF;i$vZ4Z=K$&2+7b$+qXwPdRTGSy*-S9`ov
zOG2WXceO-T(mI6Vf5u3IJ+8DErxZ`*$tUE|coG|A@Y6!G+UzrUhpECQOX}q6g&|<S
z6Lcr<D}!%*03MXup}$3BaHRVjKaP3rX_N83J+#~^HwwCWnK1AA;?S1Rl7a4S$v1B>
z3}|hZk0-klMrc{R(yliItfq=uj-?$XI_}oS+jR1fNh>oeIdp+|tV8&tE@)P9bXOK{
z3^o%G$UiG+vx<G<^x^N4ztYi|9!h;62RXQvFP+{KOsMNree3Pmbe5tGKlKK;T+`51
z^}B1g{|VHz<34F<I=%vJl$!z!KcuMI`@mz&ES^<E&tX7yH;7)v-J1>$%!-eo-2%ZB
z{tiaPI#l4`w~~bJ#+bHHI-AE7tj7tgt5X)g)9&^|zj#fM$QUS}O5OVAjhK`;x3m@-
zjy4`s7y<)gykI*++n<|+w>37{v<X>GU#Rrz>GSya@(|GY)exqi|6EXGT8maf;mSom
zHBWIE`>%QDC2=81l#Xxl!%4tvkl=jnn*uxsAAe=*y70?3s@tz>+#jMk=t*RlaJ``d
z9ba()o=+zlYovYq>|JF;5-o8oh$)|*-_3P#zT$$1xL4UH4Z`~|*s%m$l5OdpTn|@E
z<EL*$RSgNuDx>xtd|q#$%1Nu)7I9k(eI?hryfQP)isPEd)4VC}P1K{100b(vqd-Q5
zqbMnz$r(@qVOnBzm4#s0lHQ8bVZpoH*Izoj=(<DOfW3w?&`)D&S#iSe+WS>%rQB@g
z(c0t*x(s#zSV!1CQ^t<=Urrv2Zkm>Bp5i*HP}cz*J>kK7gkD0`J@E3pZbpqHb^36%
zinK}(H5_~<EK1}sWruGX_o;*Vl;O&ZMEay|Gil#RY8#KsUWB~Ma^HB*7HN*Go^ns+
z#j*E0$c?QkQYC#=dP?e4<+Ap8lfzI#JbA;o|7%($=Hjd*6&PL2oM=!eetDkW9ou2t
zKRuUhne8Mp@rDyzMd!1|wKjN;)eE-A{lzBd+lWsgf*z<|_lL!q1e#lSO6Oy=;o7!V
z&oJ*Pqi8)Fruw&KLf!u6^V57eR(>7MEs_V^QiximoQ#Z>PUkQ@FH)B^_3|%c-d)P~
ztGU)+&%R@4{`|0NyH~g*U#Ar!FgrTk%?!qd94+KfuCvqk<9XNc2$03n`Z1y*D6*`O
zQLGN)oi?bEo%J0vWoXZvZjBWPXd$2X`c|X0?T>}o3}PmUp=)zU0pqt<I;SaMeyjI_
zOdMmSpl0bFHQZ1v2+0ey;Z7R{jBtN(Ua7=!S7Rtzm8DK?{&JPq=qOyGGyhS%c)YEX
zOLt;5gG-?(fzoU$PpU4t=hdi#L!IYCFL*i9V3#h*p8Y^y0H+e>Hqb;pHU6Bpg}wC(
z9)@RJ2x%16Fcif!*5JL~$L3eZXcbDH;q#TsX&(B##?$m=xRjP+)N(Kt7eI={1(hDP
zic+u0N7RLCZ@#X#L;sWk6O`m&-_9Kx?JkX=_L)P|OMIzmY^Oe9jz68bWu=FcdI+z!
zisd4s!qG_JJoj#XX0IMBC@;bVek`TMi?pfwi$OMTcQ9|UhY&KXkfO@9m*?Eg3RF{@
zT}zlMA1sS(q!70Rk1NDTn@$dqj87>DyA~M!m8j6Ke1gZ%-R<z$ite>?Jyhxcj>Y=$
zVl=utOR`VSeiN`D`P@l<HfEJSpK$u<n{+wCIiCO&vGLD~U-bNiP4CGv5{7^!PalZz
zIT69b{~#HxU_L|_!)+vgDWz5^U?%?yL4YRZAzAe`u=D?7G4Z+l71rG%c@bV>2W<{w
zLe@3BUX4&C`gnhmwO2ZefG~)`FDDQ~XOD&tDp3q)Owo~!ZgVaMD}9hJVlk4nd)#`R
zNeEtWh_Xu^#Y$_~xXD|ScbKTtQCJr)r~)3t4lY<G^*U}@St$&a3^M{o4~FY(BB@BL
zw+j*B<j6XSHRWnfjqDx2g=x#r=H<~c&usiNR|hABG^MHy=&<DKBMLLp;w(ob>jME@
zwYw1-Bd&|wG9&pKza4yho81wzO||2YMXT{2k6V{PurIcTOQ@k_QT2Gb=bjwX){NNQ
zH2Wry+L0U(t}MJh*~hoN3{mAbr~_@pa?+{^oXr6Ha0N&!0oMv{9*T1yefVxp{C@bs
z40h*v{3S3>U3xRQ`UFMmqQHZZN2`zmvbxj+q^}CJmD|L7o>6I^pXshfG+~y2pz39l
z)oR<1$K?FTL|xgvI6BkjnPLs_#oZ-!TSWdwWcdvdLEg=hTwvsD=vG>InR5qEQzJz8
z_FCb}uUi+y)>p`1MP$cllD0|)JJ;6Ian|KY>m`aku=rDU1fUbtEJEdyBmY9HKf3ft
zw2vmxyj8zSu~c<?5>}Y+*RZ}+7iU2swqqXaQpLn#i`0%J0SomlY2mWV;u>1X0{a#W
zGmA*>IBq7A^%7`kA%xhG?cN3p8#%%UT1a$($5WBb>sr_AcOs&GWO3%;l|gWIaVTA!
zUH5jatZtAIV8wZs;|{u9ftA9t`;GsAxs>}WR<=tVu>1f7$uF{NnAN(1a9eV$vcq$E
z-IjIT4O$HwSy|>PHZUqUTlBP4)RQ~vnCoP;i-OQ)%4Bpn6+hW7i)w(<fcGY6<s2(2
z$#yJd(X(wjrK>KhRABB;fZ<7ZN2YN!I5ScsMz4NWK$K)G)reU@F>TwPBLQ#o>g`lz
z1PP|C$ELI4FM@y}?`7R7Pe-Fa{P8h$5uLhfo<|0z*`%&EA-ok08IYo|*q;%G_cw4R
zYroHcGZDY2E|&3I+2(~y^9{q9St0-qdG<%Yh?>iDqp-8-vUAafk<Q0~PT$`(f1iAY
z77^|D(`d^*9Xul=AFqm|2yvvk^w<gof<U8^v{9`qJk#A-7!ArO0=-bIGky=eHV^8r
zHEdmu-Ud$D=9SuC1kG+(dE~C?71>JBk1{%AXh!AJd{nM!1czZYcY?`(v^ux640q-8
ze6g5$C;yCyKKkPC-6J0nk!NlAFdv2P-@|hY3>UOW$cLNX*jmIlG#yyKSFP-55lH?Z
zLGvJ*h#RRwfq9Hhui4=(0iLhv7>uZaA>L+0pmlWfYzBu8SSqqMlxS)&(AM*rolcy$
z<q7M>bN9)#3ROE$5-3Hd_64E<Yp{{5=Di6jX?9V`i7ZJJvbIK+{IHF7oD?~`)Zy+=
zdiR8GHz+z%vZaGt+ozp=83le^6@L>T^}j{yev@~ccK<^lSDU=GT3_*%QugvjG}L6}
zz9VjiiO1<2TXioRLt!&jOM%^o_|xsn!?ZfbxsC|v2*RuasBf+^=1>wb%!tkbyTuh(
zWW}c~(2DZHAQr-E`u5}OrNw2X@+ws&1NEncA&C;Ar^UxIInt9RnW>E!xycmeq*TUW
zW#?_z2}Pb#2l=Miv8R|WswiJg&oHLPzAN8T0y2@RCr?i_czCmQ=_-Eg4kxWzFL-~5
zlQ5UjE;9UAeK&#?<e}GuKWtJAMf%-pohL1qw$`c<6n(o2AMd)7tZ2cM&1CuDxD_=+
z&bWcJqJUT?wm;a7E2iL0w85mPOHg32Sv5oZ-R0I!o1^|6kJMpXfmU+^TD8c6AAc}y
zbw?vW(Q{|;q**O9J$7}q5ziw?cLc`--8or@71eZ$`LSEvE+X4l@3TTpYB^mA(4(Vu
z)I-4h%b>!yk%|qXk(?jFgL#p;W>ml4VMvV&s3h7%rmA13miyc6KX_Z7F`^rzIXGFs
zFD)J9MN~4tEJxO<xfD@Jgmi2yW;60=N4Fpsb~yXUmz66){wYD{IZu#MoJ?D<)j<qx
zLm069bMH545SLxLzO~Lf3hMGz<}|)N;es>bW7Ce7^hm)$=ko75!0qJ2hSemw=94;1
zDLJJA^N=qI!)E3u23~oU%NLtbZTiDvY;DnLA}fu$f@gw%{$dtKRnnvzpj#2EXVpc^
zmC?w{1qtg}>9-NSOR(^`ctEZpg~zFymMkmjVFrfd(;w}7P^!^qHM8vmA9SJ=2U8<T
z8cY`Bu(59w=E+H>Q98f1NZjFWTbkM3I_c@_AO>PDDdfU=U-&rWvPfbik@3SG9q+@^
z9#hWVX)Tlf3GVHe#}kZh&nI9(JEO)e_@IPIbv6sXM_sJuOqeGs(k>}IYprseA~r+~
zCU8#w?Td|So#(^F+UA)*RSMh0#Z&P`SAkRu2)<oNU-PcxErYx>`iXz_ow@5|PDZPC
zXyHa=rj}RHOZ%}(=AlCZ?XIk%UemED<v?!D97Weug>|jVD188E&W}8ZnS{bJN0=jW
zi-_^k`qI;A4@Wx(|5&->DMweN@klG<;#UaJ-fWvp491}!y9rE{a6xdA0|@4>_v0<4
zd2G>$c$R;LbP7n$=16ye&z_?6*ASaIiAgDUISgBe+B*Wmd&N1iR|1gdHwNsv)uv)F
z#z%AL2iSLGJ{=^BH&x`G1z6YJp3~hlGQ-H1RfiH>yuONAT1ffYE1#2hjI{X@HVWpq
zK2DHdpJH8}c6a=~JYasrH<ye4aAn;DfF1KH6J})=juDR6r=CSDZjtXJX^xz)=crc$
z3?`|T7@0#YvP)botL746*~7#R-u(C)JMY3Jwj@GUw$!V13k)2i74Dgam97D()_&g&
z?OELsD%mnX(K2U3(L3!~*&Kuvb;Jg$$?WEaq?bGCnsEe-Cg3s6J;xkJp240DR4EbU
z4|my88KCA7V|OyG&Z$UdHU6!t+l`;vGig4~LFTnPbBqhpu~cN-4FjQR9tpbVxiLTL
zVd+he?Nt_P3o4%Fk9U1geO!LSTF0hS>H$5g3GGE}F<Voes5p&+u=+kqslNB|(lJD6
zhY#IP_CD>vv(AG0+S=+i+sZT|fmW5@rGfe&63Xyiq{bhbRKXmzNnh+F={$5ON$<mD
z%|xjV1NRPL-ggBGVsmBGn;i+Y3WjV~@UeA2OIP)Nsi#nA*iuq(=8}%D0%W=@-U#GH
zHzTBtctq6U4E4;KZkkj1HM^E#U7!c`KZm{2q(BY1R#gP#y4~ID?uPj(ks#UDvzyOk
zDWOo`fbkG>1nUn|f}UJUPUXxx*pV(DhW1LP(cLs=D5iQpq9$_I$JBmb;fCvLn|k#K
z2e)WxNhART8QkPQF&go|c{@GY`zD5ppAIxhdBDsNP_90eWUa)m_CZQ3J!mnV7(HA0
zwI8gJJZ7S3AZPyTDQRm<Jnu%~=^X8Y&)%lo;*2h^v&8`w*ru-Bams6TBcJt}o^v#^
z&h8@m8K16_;mOM))M={{G`e9qDXjDaU(Q=@xCmjPA9XBy6w3eP)^AYw_?W=r_PgeB
z@}Z%}eIP|>c^9;~b|uu&50hT4618g(HM_P_*Y$qxR=i`S0qF6Dc9#qlF3H7=>lPvd
zryWic>Lsh6i2RMS+OVv)MWV!N-cE5|g~;{+Th{>_iZ#W{2RfncmX2jc6;sSz26|{U
zkg+&l7(mq|4siiJrew(g|IjGM9$lz3_wD<^gbmdm55>y;;Z@|w{YV?S_}9#FX_;%O
z(i>T%uINr=L#Nszs}uTQUR_%ERMQ6Hp%e;AS+4gJ<cwS;Ga~_wP3&tr69#MNZQfn-
zKRy&!7c>CuwJq?Txth#ZAmf4?0d!5U=HMx=cL7*5?mrN8;hHsPSM@n}^+(V9)yivY
zFTUfYW)+^u$tms<ik~cLm1aDi`)FYbhic+KtHD;Kg;C}#JF!vHcx@PwT$Utn=u%{%
z<$<8rZm&6d!<wf7K*X@*ch#`Z6Esaw2wc2pKE*|&UVX~5fK==3<a0Y3CDRmW(@A3K
z&;3|%e`J~vGtK2EFk4ITKuN>Yka3Ojck!XBqlI%J*FV4!!NKY62J=$1WaSl9U6m=_
zN|*ImLyyMbkWzt&sGo&G*B*({tU}3zduN2;_xR?=w^bpf(7Wcu=08olH7kZZFQY{b
zRbk)#l|hB(sV!*HvXrR%<te*FxIv3lY$try2Tbz6Oj$`<o6@GYvDVlAVogDsD_$qd
zK^`7Sob>`e;yPHlt5WbBqO%w~UpRLT{z`rdv8T%yaU}dfYO4uqL;SBTST%Zir~A?&
z-<#xiHHo?KzcG{p%zgm#4SBp|?8usJR(ZjXQ`vDAs5R&PGIEVziRgwPJTCv5rg79#
z)D}y-ne{pVGBHd#FV?POc)rkVA|Rj})6FBIRvgk~=iG?Op~+dYc94Q!qykU!luF%b
zRSnrEW<Gar3~<Bc!<%+}`ws#5PEa#OUPrUS@D#8KzS>Iv_5A*hF|ZH^Za?=~Yz1{a
zjtvy*&8t{713EQcd1vwCB0<H_!(81EOYeapbL$`hQe@~OP;ybT!g8p$RcNeTuLDY_
zs3tzOTs%AZY;b_&`$I<KtQnb)l>ODJ!=g<x&yta~xOs>JFvVMyW#91l`&<TCw|i`#
z<>9@X@>ip*BiyL#W%CBJl*O#>hE6uk^Xd{+Qq~36C*7{b$NfT|;_ye5kG0EVc1UF5
z4VSjo#Izi~-VL~E)py+NYsoKUmN(k5-zW8)N>fj|&5`xkD&djDjjxSwn<+EuZ{_U1
zsx!|Z74i(8veV=w6KQ9P^Wh;-t;O{s!}AQCoir=`Yk6BGT%D?@z?Wy7`>o0gRW)-Q
zNaW_l#Km${02c;UtQRoSR*4zA?u5Ud7>jFeLVn~<J9yOaEmf>5(d&vgs_X}j)djE*
zF2OyXE)B0r3%(qWkH$&4va4MB*xE-G&hX)T&bdPe-!{^Q6R}}g#E}%R5s$BxTpwr`
z4!jNWubd(dA^xDE<UrCr(U37kjza&Itv~Ezk`$*>X}|ZntnddcG4Emj_McgvbXx9z
z;?H8aeb5BwQfC~?<sMjyQK10q`F9ZuKS$_;mSSs5!er8<ncRp{WyJcsddOpfiBp9~
zESvUe*biq#bFLKQ`43c@|A*`IKVfA2$DHQ>6|ONgGAZ!L-?NDp@(+RJ;mtn;4t?Y7
z1n}#wJo75ayY~J5VtrEny*J?>LfF@T2xd30ES{7q-~Z#t(Er_F(f_Ykonn29|8g(!
z;~&ECi`e%`o#lh3_A_Dvs3tl*#;aUSJ<(l}!p)=MRZo(YdXXrFzHN3hi<o#E@u6bp
z<NJm@IT<Pg>Iu|WEMUg}yi{O9sWtMATVE3V#NWxTb|n5tS?~~SSd`&>e=(^@D`GSo
zdGLkw=aYC0&W!n6t8w}3WTks}z7U^wccaR-ln3Sx{H%ICj255^Pf4I68H&z-M;hNK
z-<v}t8vhVegfkw(lYBKWCcj-7F^IEQ5CJB~R-f6n-f4NE6aM!4{jjzDL#W_?A^67p
zeaC#{_df*A)BML2@Vj`;!-SW7-RF&-mzaMD-}eFnE|;IbIsJVVS3O(5{6iRhJpBEC
z^ESe-nc0QcmPbd%KZLpOzn>DSMvQMCdf;~d5N`AT{zITX)tPTePhDlTlB{V#sqPUb
zB?2UZ)9RQ!OY2yJO^0(sCzAMtM}tCx2ZJ@PBXD*zlXj+68o|P@O>LMxw+_R_E0x@>
zx3+-DDOd=N=^^4%>L(#8P_djnk_;Zfk725=Y<`#CW@Fj~O4@iA=ij-YsVMFC&g9u-
z`$%;YosS+@W8`X6D`nV0IKSi`UT`rCM68d}X*SLIi?<oBw?pf#6VwZ*Qr7X^rA-BC
znVLO3HIDWmW>tb=g;U<vS79;E-K1kgu+X!k^OMDF6)TW78Y^LVwO;4yTvnSlvu)Uw
zWf|Et|8A;>mpXb)UxA$^d-qC<Zx}MsJE?|ueELkFhO8{r_ef&h1YeX91h6t)(DEqR
zvl;h7&1n0D>%x`l<2C-X_4#w7TmYZZEvN@zJ<!wDxAe;At*}4qrERh>i4Uv?@)vF&
zeL+%xDSt(`1$@!5FU}XBncg}G2S`_w(2_6sDhZ!eu#epZt2cJ=W1*9iTc(D+L1nSQ
zRDjsgOQjTVCMR1LU`Ub^*++*?h9OkH?O~n3ZY(1$cmEGQb^nzXnVRwe=y+|`nZ^>U
zl_>WvUUnf7`*S84fDb?C=to!~bGh(a#BvjCq<HVIM(;^q7GAfoJ;DDiAV`X>10}3F
zwg0c#<_R921sU!r>85=}<+zolFb&SD>8gtxVNcL>kjXo=-@YvQb<_~`s-K8+SU_P5
zsA<uhh1I@641KzAwzQG}>GW2tfqS9vBZxgevPo@RQ=#CZ<Gxp%CY6mhlZ_D&oVK}~
z*q!5zXb~|AAF>eI%K;Dnd_(7FGH`3A>t0v!4%-o7Cnn-YCywl6Q3yuKO&6dc*?%uZ
z$PY|pNzi1U>Zg3ne%(+!K)?20X8P>EvG<lib+${|C>kUL3m!DMyDwZ8?ykW-xN8XR
zZo%E%T>=XyxCD3CEF5yyJNwL>+VB4MncDBnne+Yls;H-mdMIGseRucO-B)*S@-TRK
zrl?@Sk=EsM($!UFVJalL$w+4hv7&gG)ziIa!-8o<er{n9oXm8}`zwDnS;LM_MNY)3
zV<O^Ot)5jygp`<<L_rwf_sP|CRl_+y5GSlU_Yx5`F93kayZPcl;rs;2>K;%&<=R+g
zX=PYY*r3xIA4SCjlV&!NbN6{VcOp?cCbe0Kk=XhHd>0JYCzXyTR~OZ4;~0=xSLH=%
zmx|CL6qmfz0YaomFKaqslgD9ztYu|2KeM!ef|Fm52?%;N|D%c#bEv^jyrzO?VauHc
zq8d?2nbKc;n^cZO)lyxD%SAhHK3j@dw^UVF31B*xPv;*YjFvbi7<B6<6gM53ZZ37X
z?VQkeTNsKvO)EIF%hH)sK-Q3h6PLs{tsZJBPy9+>+JO`{6N%4OLs6+wt1?zcfYAOU
zTW66e*nFCstw3hWEIXHO##J?arG(LEVFDR{u`k3T|6U_)$9yh+I&0clT_eoq<C!Px
zjjVLS$%(9ZS;m6j9Q9~}>UateMB7DPyLO5^He3||(|#q~z65UCfXBc_Ca=T}2VUTU
z@8vTa;DMGhUfy)z!HnL<X|8+Yr8-I%5QdXeq;&o(ih7&&G!YW5wvLUZj%k4083Coa
z6kI_W>HFSxb)CFV_%btf`P{@#jdYjOxK|9_!|N`|0PWO?4}<9*lpsQ<>dJqW{QEEZ
z=znmvduKc4Giug!+t<5>9G8t92bmE+>D_QW5`7wyNtD@TOyFk^qExrSF?#h95Ea<p
zXt1OJE`j2&fA6sOCU($nXf<D3dVWKBG*7zR-W;q6F$u|_0!a)!H$aOyxg-WaglyoP
zBN)U4xO(+@rn~ffbet6Q%k-6gbnql}@C(f;dK!Kg0<z+2rOy(r|57VU7GrWZA8J%r
zy2u7+I|0e+Ez@H$W|7H>nlnL}w`>`Op4@eJkcGX?L&|Xqyb66ts`w41yYU;UQ`ds^
zBbw?`z<Ng?08NmoQMcm_oqDfeT#pUC11JO`kl8|TKJL+*-0g<YlS~XtB{#4z*2-uX
z-&1+CJ^}6EjyhTBj&tYkHf?F+wb;3`99$pwbnv0OqYxZSNM>}xuTpjRI(Ed(n*c5k
z;PG}#nlFdJj@rNFpmsM+t6Vnkau^*Q{|%*PQ<KA*_vSlWYAw1+FOSs#$NNuVx#Q?*
z*Fo_z1U~FRU&2BG+u2C9le8vNG`k=Mr;F-+`;R>L+V?`D8X5EVkItJD`C&C6L6qxq
zdh`i88k$e!!XkXX&=D!HMn#|kMc!uNeFdRlPlr*^=WV4Po^;orKvK2U5c2>@)&A|P
z=Z~yyPa@>I2d|5o-HU1swTP35;DqxO(%(=7^cq@gbc371Ju;~{#tPYInzsfmlAGN2
z+X>qkS$%0U^7iH}NTktHKSne?YEtW}Y#$xqrPRfAFNng$7VpjG(nX82izOtZHDG+M
z$I8@ZzBM?@E23z-BR5%!14*=g)f|EpZ&qrC+{Eoo8}}wmnYtN_>Ur-hEYi#|e<XS$
z({+URG>axBvgXTQsP5;{e>1PV*j$(4Fq$oR^Of67RZ6+Uh|5L8lTWGe7<VAMs=mcY
ze1e|xY*8^Cqqk4{D+{s}9Mz}M{*T`iEGfo~L76J7{R-DXX;gs<bt!-=P~Pa<A(DNS
zniqTj*DJfs9#8dsN^dDl@e1ice>RL|5r8i*sgqYd2WM2d@SB7zM3OkByfBg_-kow;
zka}V1ociG2aJSW#mHQMgcC*GQ(-qZ&1)X5NdD76^k}15B0Zj6MHVX7ibCgOW2G7ly
zvpx8~Qv<`!>`6a^Y7gq&jRXX!92@7}-Akc{M9_tR7&8ejH{qA7onGn$ges5SOJ1R$
zy$5%wWz0kx2?ffUxTzl>N`i|v0J|E?y0snOzwKp~K89zg;xXj_jB`+=VqkXTL><%E
z>VoPH0{L5#aHE9AiwqyvA@FhgC$HaCLr!W%Hqrz4?w4NbmDNjL0NUy9)zg$*r;pyM
z69Om}DqD)UX(zFF7qW#LHfQyZ9)qd*m;YD}^Y;OatF*^)V=_TRYiAqo1b~t0;oxKQ
z=vweP#RkJ3a87O}t<U9Q2kYKg+yR#&@O@NYauj7O0AsB)x6|m=jP5to0wh|wz*!!<
z%iwap20Ql&Q9Z};z&+_^BT#>N$;=k=JdXNj|5stBtBy>xgr0$3<bF0zs?SZluG#1Q
z3rzbIr-EZDE4feYK35SwtRH#aCWs&neHtCY1Z5+huPYg_K%jQA|B3f+sJlqpy{Dmn
zA_umsD`&@H5@G<1C#lzBj3R8}ODC$o!_lPduiRw}zUsz)X&fPyL3+IHL>jYkoV;-)
z4<Hi}I8((GaBUKl=Dwh1wxMmZv9qXm;y7NJHy<BLH>w^=;e>|{BoE|8xPc>CTS#&P
zYKm<ijvf!(pcG;Y8J7GA@ETjW79uUx0lPKF8qS_gHTBLP=gW4bnoG--+R7M%2cf$A
zqQWenP}gIAAyy;}*i>;AzJ;vR+2?C<`7DTu2x#=SkIN0&JRwe69QyTf@<ygW*PaT;
z8#dG_6TJXVoF7*4nBcguHcBMwTifWQ2?jhYP4XgfwjA`Gm*d33@<o-s?edXLTa~3k
zFtY}-jUxV`bXgPZ@;ruljiy#%AvNz#iZWbMf%PQ1dS))1HYSZfs-PlHne;e=dbGUU
z9Q$;+PL=!-k;jGMf`P0p0EavBWdT(G`JptaEFSh#!>Eu}Zq2wY44w*KyVCoG)H(*r
zy|!@0@su`426H&?#28+Q@&$h`<W7eDuz;YX0?sIM7U_?UQ8TJ=2^d(IQoC!k3~{9l
zgJrtPKV$h;z}|-q_rZo{H8L96bQSw&+vS~5kU&>c<NxC@-8EDQi2IbM<iF!jDzr~;
zbA5ZYAmMCHw;L|@smtAt=|z}aQjD96m$h5_ik?;rv54Zm5v#`(&;6%*ln??bi3HKT
zuk48V{(t{V_W#~h@p%I`*3cG@)}WrJNK|`n{ls4cgJOV-F}#4C_@}Gbl0|IAUEW7R
z|CSrr6EM`JU*=8k_RF5wo5WI(h-S63jej_1$aoftnYW3)>t2lL3WvjrM?{?sf?7&p
z_4m-=t-v;^Gam>syeLZgi?9aQ-A7#Ac5CD`y)NW+4`(9GXR;!jlk*X~s2fr7ducWz
zSDnUALP7@uIWr5s!-YOBu~=TmIITMQKszOM3d4~KE(ryn38mV2MUswjTrz-PXUpsf
zNJm@g`W!bn3p>(ro1&K><ltyi9onC{Bn<GvdtCL3@_2BYI81V8v8VVjHr410t*7!K
z%m#PuMBjMN!fMw;@@}OAZg6wdK_Y#{)!T2ju6%Sk9Z|pfxR=rUEoQGAccXmLH!dpB
zl|NFn^Aq<j+O6Dm$#cfey_`+Xau2D0y+yLn?jkqFI^tGpYkM{?P#=w(L_sCdVMMxi
z%iwbr9~sT@@Sp;zw@TdT5_VFEhU8>rWg)hy8Ch~tuo>hTSRW@WpsO}&XK$#Xu0}`C
zqVk0UzaKA4K{@e&;s&yQpw778DV_WCk8LE=tyz_E+pRpa21_H0BoRy>>8jsQ{Pr!2
zP=?^j;-Mre4K(*f$1y8wD!b7tR5UU74X0vZdEc@FQw!x+E|$OulzqI_+={VlzC6BA
zQ?lwaY5kyXKmvX15z%a=aBYwIh!^sn?FSst;=Cyvho{l!Du*rcezEpIC#@&F06kCG
z<(2EAEV{xbGD+j<Nl(1>$rHTm$OF4rxvZ}ADdmH8?E&a>Ikrz<F95ZAJ#{#J>*NTi
zc(c;l5;b)Uv?}5ggE+|@wMDkt_ZFB6zL}Rg8KkTA5wy)N;TSQJ@fp5`Gs+3dY0%~{
z*BF(9qE0+)*)hnik|bT2DK!T3y=9bSUu07;H%qClXl6eo#bmL1X{rp9=82?Wq>Ori
zPM~YYpld^s*i!VIGo<|qo#`9++1nT<2h(HswZkcL&L|QWiqs|4lwit(m4rykd7%71
z!Nx$mo~b5RezjB**V{$6nTt6X4pVk#lf(~uIhggy0TC)9T<>wCZel~;k`5ac25D0;
zX|c0Jwm{}=K>Xcrs2Un(JpXi=9&p!hsHeeZr<c8-2n1j##pl6Zz_tIj&|=~U^^+pt
zb=|9k_JGOc*W*F>BNW1d%>#5V>=P7}-(&-E+2Vkni<wS`BV=lcUEI`J<xO?vO3SEk
zBmPsH&QmCP)#HwU#^GM{Cw{8!iZmXLTl`42k2vB1?0_f#z8t;R8Bf@k%4bNno7dAy
z|MO8PosrWode5zK7um~@<eHie%4YTnr1x7C!>;qzGnWpIy;iKrnI{FhaLcHGy&)0f
zK@O+CHoWuQc1Nj;A<H~ZlZ`dXS?;K<hx@gI;{5yG2IWYPU<Qv(u&g2hB2an~tUal6
zR|!ufh9w*!{G^i^tVS$o8UScJCYJbEmp{+DRLZ}y;2-{mI0yRk27iZ92$5>D%|Sz_
zq5cxLZoSpd#aUF{c!zgNlW1WdRbj>zGUVr4ezA*-E29JIrr@r&IM~Iq*#<dOb`~7R
zu+rR9Fo9I~CfWE~sUDD}5@xZ!;0^to$0-zw0iN9feDXxX+9{N)69)DHrVbDTJLr$6
z6Q~<fqkM#vjxPQUyzX(Avrkq^ges+{7(T(rna#2%c0UcT89cFFmkknY`%`(Ug~K;t
zYQ2_89rCS&gjz(!l06<XJz9uq7TKfI)X4BRSnQIIdnO<hM>R<(>8GsdPX%cX{Rq#B
zlX1?plu<Shi)beGD)kY5R94SF1;uiXa45|gfBwv~lkPP=PmxNoE_xz9vEFB25n__6
z`iYX>!qD<8Kf4tSwm{RFt<F+j$3yZ!BC9XY_FK5)D7fPpM29Nc`B`N3m<3-s2^l8?
zOy^;%nfy?Fz2;4+K|aB9b3j4k#?;$HPI%rx05CS^J4_cr6@Lfq7^CedkM;L%fqC7w
zi#B_uVW=rd;7(CR;|uZwe%#pJz;#6FU>ig38|unB>2+RvtI3pKgTcg>+PYs9)b3w0
zl~SQSkU??K$FP;mLg`pV?r4$s_6e-_Jwz9N!0CJb52nN=9k&6G*(cjC8`EbdzXbfn
zj=#--3;!X6VqRA-!trvEM?g$1r`gTMwj3=;kOn{@P$c+UQCF~cr~-(l7_JiQHc_?X
zWr?AnoFFfuUcQz~Gf8&_FNA;V3f#~{0WlT#%4ke>Pydt<a6CDlByK9v=PT%B!Mwy2
zGgAk=RGnJ^&mAL3p=CiWGP7X5x7wNc_KmS@4rYd#-1>X%w=$K$45NcdDWy~WFV>R0
zYvvpt-^X32*#Zf}2w-*y>$fv#{{*?4e-(RMPZ2CA-K_~o>%h_Pnu{@~qK(oO;Oy21
z;AK}tC|r$sE4Z{2Gtk_Kj;<m*m4HsSgIeGAY5)Szl!%NxpNEU+TYU@%eBxsV?=QTs
z1!Mb`ev*O(HX0G;?hJ9yUt?`Z@=hK})Yen0D4zZdy|1fi8fNn?dBnSvffSb&lInyB
zf1~d`NegIat)y?Bds;+g#X>oaM`&F_!T#|Q;gm?lfN!|kPC_r9#um5wtZ1VY&T`m%
zA4J7HCP-;U4~<nAXiLS6e?WqQBN8_tjaV<GS8HyBYyT(1H`%^6tEASycc^hQkan25
z^^V@q&`s9XA_J4UUpnrje7<ONb0=WNgr0X%vKgtK&~q#*a4^E^SjFu~9A(^98ym<l
zK2%v=aAR&x0S%!Wo>7<Xe`2#RCxy;X03DW>Q&f)oQ>rT=3B@V#K0?olzN1!-39QlE
zU-%7$N%=0F4{!8#sQqM&Fu2ijtMLlkcmcJHQCdG7?d<@(Q~b(<Ll~_rULs6DrQfJV
zPT3Eg@xAxHg`SCD>7KXRFBli=)r|qOXo60np~k0gRahraSPO=zOsd0^(07G@;NtD2
zVojrMu~z$=KYw{0$yWOfm8h3G(*m#XykI(<1Q|>cfUjl2xhQ$wWm`eEmFB@7gZmTL
za9%mi-7}F`nSm&(vLqA}DL@(lz0Ihx#96(LwvAfRjJaQ*YTf3(Mi@#IAGogNxD6#_
zd7S&wwn9Gjq4UK#lo{9M>XT_AMG71*JWRIFF!{NFD`)V*&Bvtbtt<a`*OEfGJ6#vU
zk3tA0wqNJ&{C<$AuK5^tJPK6$h1MMUs(KkTCZ7L8I5PgIY*8Zq!y()&KSp{>BdQ!i
z@9c$W5cO?>R}X&^d*ABy6h1#O)LuGP9prxe@e*x`uP|Zv+pxZ6ddCtY*kRo1*cPtH
z_T-GHQFW2HyK?J9$91-xe*l^pnu1GRb!ugOKgsU^FCPl4)7zy=NHw=9eU$16!cTjn
z{xIOWu3KYT{@t^f*k?Bwb#Mu%&?IZY1Q;a;(tl4wHvA=*iFJ&LHb47MQPh~dj74+h
zRh1c<@9bQ1u4uQUDcgg?bACDNXIUEP@Z;9P3&NJh16eQQ{#Xu%s@@VhAHPW&*?>-X
zlVK<@^a5_qc!Wwv=-@N=2;Q?{%v}%p;WJTmJ(}v;ld!L%>y_Wd;ceX`aZest{>W=a
zu}#Ed;CWR2H&hj*aI((Wka|Hk6Dhz)^)*O#9?MA)xzS8{gd+P79TI9xoKIgX%SJs&
z@fcaUL|_;$iiLu3X0svQz3=~jORnpsD$ryRZA0UIo?Tc4gMH0TmO2)?hpimxq%Dl1
zs6I&TvDa0?r#p*-<(X&p8J<^l=hjhF4}O!LSQw!cwYKxsR3&*;ka??H3bg&~-t|BN
z+&s05^UA(hfj#!FiM;a%HpTt`zo3=d%Pu7N{yFKPk)(Yz%|ZClptK;tL%o15Mw;Rh
z3SyRC3bQLG&*U!M0S!Y6pa5QT2?h@+=n=?E*jv;xiZ-fiTpg;<w{Ly**a_ReLDTB;
zJpt{oz@VB69<PNgm*berUfEvhcgbouw=Hc&ByB@90r1SkYxIh9hm7V<;oUQUk-lU<
zhc)+<lV!R(Vyn;`UNW&dH~2EV1J|_ao%gJZ;-iR8q?T`^oW>$7Oa4BEas6{9{j36D
zqb;`K0;aS?uZd4b>DCjXDUZ@k7=<$Ss;1=!F`n_xtf$o$OuVIcpdHO2X^6nwWQNwd
zh7u5V{V(h2Xk-4ALU`^LCRl<nvA+sm4Wga_P`ePTNC7r?x3>7&wwKN327n%8qc!RM
zzuDWhuF{kv+;Q#G?C!O?$6IN8b4y4v%Zn@gmL=5!zS;u|jVC2)?jbM+FjBVVB{@x9
z6ErWAtm06#9=AtcekCF{>`C&?@%suW6*nO#oh=3<s&nt<01qR`jFGjBQXu}aH?epb
zsO?-zV)3xOdL}7qsuF-d<ycY-l7gEof^BG?s<Rs_g8t3@#Y5a*1ulxV@VnvvL`S6x
z5ho6+FjMP~7qhf}gq(%b)o87Jz)W~?v(n?2Y!|gtV|N`4n?KhWeBY_@KIAP$@1|Lt
zvl$}0*S`N7U*{)jNNCmo3C;HQid;L2bIXFqepDTVvQ9Ji6KHgIpQbELaZo4*C6X<w
zSIGADfuIYAG@PrWZQq;n+@#{eM`BHnYHXHmWQ?a{Mi)ZI!P2Abw;!%8RwbJP*wNlN
zLh4N?kL7Hr7i=b@lwa$TlP<SKSdd7!aT(Zv%Y$X{u0WysB(upC6ti9wF&-00ucIGf
z6JAe%%ESY4XTI4!ZB@g<9tK7u1H9$iWMX9DM^0IIHKp!9VDQO9@zG-ybUJFqncLU*
z`-YGu<Mtlw-x^G)e-)>|@Q=ZDpgw(;A<HhUGx}hZ>@sf2P6a(Y1QQYHe=W28O(UUE
zAR}hJW>tJRP>U+}>?zC5LrzBwzF_j*jTV1?m$RNVl`kh8S3K>cCDI#UQ*w;Rp|G6+
zub5>+4xdU=d3yTtkz}R#SS_Z#Ae6ZSC~i<2YkWMzbEP%`4L@JTV)-=bfHSKrtkkz)
zAhDl0?23N3unI6oqxbTR51u-sjuTp$8qK*$joqB8_O}9jd0p^>_{Yr7#_ATAIc%0T
zFYM0CeLl*2F`321wS=Ge`$6HC38s9<O;#Q}JewS8qm!=FRe`pl#7;Y;b;cRIGOO79
zH`<9Gl^X-tpv;Ui7xh21gX=3pLyR^jc?@m!{naH!*7oH*#cSQz>az)@sGunbMfXBQ
zb=#&15}OY)JUypr^Wp(m?4E2172DkmtMS{N?|V1FVxSiJcw(*i4NxDkgN8rVr6D{i
z&K@Z65{&@>sSV5lA|y;C%AM<!+?y&Pm;yyW5N560-E9Dcuf%q7%EF_&qxN%)>1<0)
zF=5NcO@h2k5_Ium__QpJZ)Ns}=3!y^q@E_(NIU(O=Ai(y2+JZ+<xUDM%LM~Pj2s&X
z00}m(ridXi#uFqvegMwKlMZnl31I_L@fv00?<{Cpgg^!zYgxqn@!W$%EGYtzpas0)
z>%QpgK5DOKk);)hn#a!2bNiNbtk{Cu_b$G@>(*>fH3CroDtBFm`PQ1E?nNd3hilV2
z)G2&oG4O)^ugQ=anRQZSgCuwJsbOH+4F#G!zI8-y2V-ML4q{Do-g|!1qywHGN%<2P
z*tWu8rTZ_x@+%~kV~K4NEb~ggudX_R*uVw<!Z4Wss0aP8Dm@kEF<@-RZ^d$uS>{FS
zyh|J`DQ_n5Qpb3Vw`k2qIIcgjeC?&VKcM#L=Rofx(HbPi+xdq|&)H6?3G<wKADnI1
zDn?_+-d9e?#vt13j0cNssqN^Qc@(d4Y145w{wyEXU8x&WCe!dFc*WVDpoX>=!Ja}8
zLhP{T=UrzIY$9kjr-m@VM-gvtDqFE;c560%YTt9DZzo$3Hm8O}!GppR_47Ie7&lv9
zC~M-koA!0!ujub&eHBCcWIG-1(-6XhnWC4dNCk@sfQgN9a*rYxLBRk=DR0Ga+tV@=
ziQ)U@S0j>}oo_}LZ7|?hL>H1NCM}Kuu7OyeQ%X%1jAf~e;#W_$Vm|`EkvUVy<<j{?
zf(9YUtZQ}$kLS=DL-K4M!fe6J7mtIl+a67A53G+b0tCE-uNKRxUqOIu1R(>#%uA_j
z!nICE5IflaKZrtqq|28Jx+L_>j}qUUT3ETqxV=N6{L&yvc|D2ODx>Wr4@g5Hy+jt|
z9a(3IhGPLPumVGP);b}%ZWOb}h*r|*)Q&)|RG(V&YOc6oK~+PBn-N0gcAdOf?Qn+l
z5TJ8S2q2u;Hh4UqEuidt-Et8$Hru=D6Y0QnwdwugOCMAW!s({tgX28D=l${nAV=I2
z@ZjWYGqQ_`MtvLT`TTI4a5dim^onSmn5BBRG&yrYcuIgL3u_)FyO+u8kW{~$;mLw0
zvWey6oY-kZfcPo4(l{2yvBMMcx$wro*bX8enBC#*m>xb&=-H7W`xJL;A0+S;xHO3o
zH(+YBqr@B-qIhBgmfxm-G=o-M>$KU~JKA&*lxQXNxD<%)-3$Q2-a7C+w;rYDMCT-q
z`~oIUrBW|+W{Z$s`&&}yOl3pTLAo67r4><YY@gPm&X}$y`|^Tnxh%hTYY*Te$udco
zBti!fLjys){6iSIA&8GdG?$<cElH^{c~L#ens6BPcMg&>7bz(7Lo?_lqc(flp5zhS
zvTCd+tdxl?!{@G-pm_3$xV8i;C2WD8L*0S~*$A+^x?e!CuuH3`h;R-<7O=5nG3oz1
z9N&ulDeVcA<n&Q?pHEa`*`05UGKRR#eqNDgI8h|rO9aPwEV^ebb!os`eBY7pQ4CH~
zq3x+-=0Oq^-Q^V1Y7aQxZ25GKQ;Dp|r3mrHSg3wko@rMpD5rv}vlhm^0XQOA%WXT~
zp|n~64oK9oHR={IRT=zq>O-H?Sw0WBL6SG0e)Ma7;4n61*oq7)N~M?`3Ft?ID%i=)
z+Clsw2Ip&n<zW*2a}=bYvSPF5kx_UUyvM5Nnpt+BNy`qO^tsBOIC4$}hemZT)0i!g
zjc?qRwKtQhA5auYNR=?T>&n)gg%X5iGapy;R3wjAMzRDX^tVu%#CPt~LqEYsK)6A{
z5QBZ`yqUTM|3$6JE$4f(QUUW3n5ira*ZfTBtRryte#bRfN1s^cY*yFN%c{=Uah&4F
z`fH{7aVov?>$|j}$eA71Y}nl7nWWFP1QT3?O9ahxv7}~Eu5(pFwz*B=sm^Fg@Z)>u
z*UMy+C??x_Dm8tGyYd_ZQ(t*l2t*>APv~^jajqop){28|bs~4Q1<V~i1D@|ozLmiF
zuG0??Y|m#pO%!O_%SjM&w0?8I9u!ChQhG40BR<zm`{X2_gzx+XL+y55H=ER)ac4kP
z#z*EUr%7Z%=Q%$r*Jt*jLKl<|#tM$Wda%HY%8iO?_<-U-jZ_;;YYajvY=CrQY0T!u
z1x9<-WB-P7DJ#Gxe?r`eJv|=ZN(Er|q1MGY__Oq3u?YQ~0zg2KTIyfBA+jK)A;Z#&
zK*VM5R&p!%u{YK`R*0&5oYzx;_`wfF<#^z<gpo8;cfNa*;rRVwy^;4c$l0_0Mv7W6
zT(NSuZ+A_z6gy6x!Xn5GIp5KBN}Xy^pDGuddVC%C6cC5f8ar2@FfvK;p)B)hwiH*9
zJ<gZMR*bi3p!--t_`r@{9^i>XCVX%-=S<AjmlgUm!}e4Q9cGxlgB#!x@D}GF2Abju
zd|dh0?4s7usII(s&3m;h^v+`Xn1*D)@gCKu`sn$pooTNK(LrRNhA2rTNuYLg2+#YV
zC16sWNzjb;YRo@5ckKZt5BfkN6VlCBqd=NZ{w>*_uj_x+CSn5(?dS|j#N^6#X|SK1
z7E{O-?2U?-nkk)JnQWW6J>Jk2wfL$`QVD)j-_X9{j5BJ$oA%N(XYX|(F)uJ{sEh|%
z)}Ef}dKVG$E8|MY%(O&XFYe=TPiVu*4K26VyhtGiF<WEhy6a%7?4LTnu?eVsw9xmQ
zY+5vHOfZq?#HyM~Gk1@Z%ruZag$^2+=DjrbQSx+E%Q^tmTPd&h8<=tczbJ)^ZYRrd
zSH?{$L$;+tTL=;v031QAt~HP<yv794G2ITgTpG6tzig*-t)&sey9`$56o<inm9Ye?
z-CiSv0OhMmg{vS-vOvMQ2mtHQ*&gLzfhcY_lK;#Tl#WdeO^xh6l8+pWC7u{4lE!%o
zHNKxZnED@8hO-?*5@to%FV~E{JD@M8pAq0-ct{$)fc8LgozJ$<*^2pqY@as4rrm2K
zgv2Kiz^l(+wV6fWmEm8_RgxL!<B0Xhy}i6?RekAWtW;OEc;=x<RQHEc1cV25j3_%%
zSY{{tqgD}2EM&uz`h?b7HThw@iB_#Z<y&Grp$Nz{0!peu;2eD(=^F#>2Q5+iU*!kk
zuGFc7HL(o52Z4ttdk;90Pzfawe^Joz%8Nf`Qp<kK(xr^T`>i(Zh0T6jvT9}w*UOUq
z#u&X09Z_btq1F%{TRiW+;4@*0XFJ4UkcuC5Nd#A&RNxx0VAagjJKtRB3CmzoU1arS
z245-Hk>-=jWWns7GJ@)0LV~%S?1u>aXa&iX;r9j1py;P+tE`l^L@;-sanKvj8Gal&
zVUHX~I2Z)1@sOWi8Q}FZYJ(V7INg4IS00cJZ-LfRT~>3_3_RP69eu$ac`#_r{!4(C
zo`_f0s>XHOIx!zNY0z=OsU%CUa2!Xuy{XfSSy@UePcg+YY!q?$gtZm~<M0jfI)%X@
zLzX|;+RTm*ACYFUg3RzvCWBQ)s5XY@b+Yom)5HEn-0EEun_BXv_W@_qai{l|8#WM{
z5N)}4=X$4x?dGcC+EXy>+Vgt%aWQe2f>`kk?&jfUp7O8x#e}Ol*3@IV%|I@LbHo+>
z>%NTE6;Z4Qd7p+U3P;H!>kt8Rih6T=qRDQ&YYNYLTsHAhn34{Ue}=1PnT0+GQ70b8
zQs*!!R(S#fMRs3*C<^5W{7=Rz-YwBSK3xD*gy9z0SYm{_Rzh^dO}|M5l2oGqbA11K
zsP})4@4pl&|Apg&P|EiGYW`JrYwf||HUyN?p*`F0B0LY;`RT3yeNBS>A38qN))>ol
zReKk2-?=I^t0Xrt&OFY~<7ujY<mPC$K%c~@iswBk=pY+Y*rx7&O0rZSRjv=ydm(Pu
zrTMDpkobTmxT{xRYLAu0Ngwx?Iq{V)$v}-84p%Yngd#p{Lj6h*p9m%a$Sjf-hl$;)
zVk*`GS4tY>UwS<GC+?rjkq)<vjd_FMqK?1D4+C_R3Pfj_MKE85_QDj)?qs()O%jx8
z?znKEB2D^4+_fCb^#O_J0I}Bi3AT&c_rOJ)PtVq$ij8>so)S@h6<L0723ee=k>)pm
zmk5<f<Pr~}3~Gu{S^I(<x6;??31s9oZwhJmq$yh2_36g?S5|*R4T_e;Ppu;wqU%^U
zTNhc^D<ZA<u~(?(m{^#7)?wTE$_?k>K@9hPSJeG}C&v5)`2XZD{-Nwb|K6p!$W9T~
zaEWtXbXi7YyhZjzQ_V<UEo^mWIa7>BvRV9~I_5N#kv}Z^>0CLF=ZoYhne#8N=f8Lc
z#}yV$97|pCWi~2OA7cu683JQm$V8>-UTKAMJz;k5qh@tSJ$K8fk!UIP=6{4JVZT^^
z-0D@{Ey^(ac18x=m{a|G)@N^}`m`$MTm7o9S7m|eK|7FL*z7aO1(-jHa#{g_5mSqw
z9L0Uv6th{qx|4W7Z!kci{>g{=3wPy#I4MO~+|Yp?4N$@q&V7%UQU}-66{I0bQA>fd
zNz-Awfyyumyiixek514#x2UCm=AjsWPMNDJ+q8Ll(_X4eE3=$(<ZFE#MPDBOAw!ov
z%mQ&?I1@a*7PnX8_<qB8l!F?bW?7ucFV--NUh+uZcEMuhMDcj#Z9jCf5vrBWYl*rI
z-|{|T`r`N?W&lbOei*v+-h1A9V(AcKy`2jlld%tU%V+Xj%%;{la|wtAkZsJQ1zCtn
z2{JtqN;Jg6ZGs=$s`dcaYKcKf3DwqzVl>FFO&AWFG}kH<Y!kO}1sBJEUrX0(#-gjD
z(ObxV8$Oa#!OJhge!<{H`i5MJOxf4tZozRclkH#u6SU4IkuysHNxbsxEpBO5<QG%m
zbm$`NsKT=&4WX^3SrpMrQa1AoIe5Zj=T!G@hdr7?IILh_8pjwE@>s}BLb_=Y-Svvy
z3SEsz@RbA6a_GF`N-qXj<B??eb-ijb8n53pa3<+TJXmG8yf8+1*GVw*%kVSk^tfgo
zEu&V{&U#WqVikNNO}h}d2O^|&CKW@`p*Qp}iNOFz_tzVH6E4NZn!pX;N?%UVCdbF%
zg!0rbCdPgeoQ3jBT!_#hH+F-=j+LyGQ)O2d7S2*UHI2h0Y#esF{;+O@-ym|%|FzQ?
zl<c}V$Cyxz#g7xO)I&~qnBJRlq9bpm`j&=_)B{hn?GPA>|070QN!$Q^2jGw(t|cAw
zUOL8Lex?ZvkX!OqcM$hT6rpSPOR|sla~W@na9&VntD(`gr5QVGAJQ)ATar5{Dt0%r
zuuEb#Yd><fn%2NmbIND;4Sm-Q-``M|Cp91lvA#ubYNL;R(EgeI9>RLss&f7fC4X%w
zJKe6T%b9-OKKs}lco|@(A(o-hQwEvj-s~Cr(e;K^ybzY+jWHaKr}*UO%><*+RGy~<
zyz3#kHXq&o$G7(_0k#duhOv$8@1oRYeenb9V2`n5XG`DAk3Il-41n<jmQs+Xk`t5^
zVH}c@6jXhn)TvE$vdqt9QhOcn;wrWV6%Q0u4&kz5r49lDsXcC;8_WXhljNBE`?(~Z
z?VM@w(4<jegcY@3G1#1bk;JxCWj3HfXFBEx5zeb}%KG@x%3|qaUuG>5X3w0axE;=%
zVeE9F^0Vhp6JvLA#wq-21<yRHWP7Rn!Ttr9$|^$%HI;Xg8I{Y~3`zSYpiq+d-M19u
zqkW?(G7Gj!Y^7Gy@v|Y60}}HEhNPVfE_8XwH-ENgjKRniGPs;2f!j_N$CC;_<etWe
z!=S@v5Y-F~1i+b|7AS4tpt`%Lc#B^n#99Y2ysqjV$DhVIu^sBLYNX+!neI31^rESd
zQS!RAHxr}^T}C>HZ<w@hSYk?yI6M->mm&lDO`vM^JMS#04GO?2E{4|twj3KjxspTR
zh3YRMC4YORkzW(3foSNl2(fwFHho(Gk0h(W*PZenH9_k>q^1g9ZCvNY35pV(x2c2<
z$>U#8SS_o3w_<pJ3*5*f;it~Vf&x+R$(N}I0L2=TJUWC`RgdoKwwR-AFEw<y*%L%O
zg9wh|-IMvBE3WyI$#@Gqp+~x<HCJQvky?aZCZTl+iQ#`yJPfRo+*5f#=!+r#Bt6fZ
z)&57_^4~bq%VcyEUKvgpZt@AR4Q*=p$Tw>YO$z%RIqAN9i}8x6+OFWGDC5{AD>~v<
zL-BPc6<s%IyDzEjNk)FCRr&r7_V4S@$uo_glNKh-eXAQ^t8zO@@iox*lWUG$H5#h2
zjYhJ3#+7NHMnuxSz-245e<RyXGuoRJya@r+r7zGOmW9JtFZA8d^~v=+e!Zi@Ka!aa
zw~LutB^HseIH~2y7fh#~!s{}WAvF1lxYN&cr8T2s-IGP8NGDC%mvN+FfU|J$N{0=I
z@w*hg4_q%_E>A8W0Z?1rPgW`TMrS3rS&qe^tYY+SdY~)DBW*w^#owxk{(-D9`u(pV
ziXJ|V=$VY=%BiM>ocTuFAXvJ7!kMNQh4Ka0hH+l@n)C=tD0~`rbkf98DrZwbA_|}l
zwC(^(;Vb`tx8md+3)k76bkhAY(wdwuWJ&P;I$^C2Se~@z>E=&T%6H&@V3Ik||Eri{
zW6z7Gsp~j5xTs9xUGJyr(_VBW!b`tSOy1}4<6*KSaxT)wJq}}D(j;MsNd`bna)8In
z*J^=(S+fxSq7A3F@ynXmg{zP1u^A0MXaFj(imWO#H<W%We~#IcQm|YXcCt@Uzau{k
zwEIEC9-sk2_~MHs=y02utE13u(C)Q_4V~cveB`TO3q;8t9>y1lnlbn9Q&N+pq{;NA
z-iI<)*QY6%v=uh)Y?u7<OjuJDuZG-qJhIdMcvAfYp`(QA`w2kEr|tWGuSnVS{#!YJ
zH21!<$$7L-cr^H%*j@i!?Dc;W`^q0;fB%QrN%2V`VsC(m-5u`V#J(B_N?|h_+g`{0
zVK~?cYnG<+?3<TnYh12-IF21gqEzXZCCpW=Im+9A4G5bR6}<*Te2s$<-VKlm6oya2
z1e)mCmTRn*!FnxLcW;*0vGzi9-0zS28vo$oh4tu)ti`E|UE$KP%r49WVZFvyb2-1G
zP?hG}(@}_@W1x*}+L^FdXi`aLr(IJ2S<X^@a_MCy7sL7M{-?1kZEQ5_fN_+YZ6PO3
zh{Xi2leyl5RFUNxZB@qjlfKo9u84;)TP4{9z2V$(m4z-~Ad&AOEnf*b;VUZ)5+L7#
zOKgN?U@X)30L9bfB+9JP{81TjbTz$4SC>W-d|tjlrk7KMERigHt+aX{D>4IsmJ*`A
z!c$4SdK29%4%Qs6>{Lut@pHK*W>-Os_%j`d2Rovj&RE2zsn(B^MU^G<)5}PRmrA3t
zu1UikLY%Vp<0&dlY_ass5VPh?DBfm2&*jB6!9Ty(N@6sUkipiYmfxL3Xue1j26*iH
zLcrY<g4&<jYp(0KWvw;lE;(Pm>Z>s(71@rtbT_$5V$VxOPcWu`XAiP5Rq#4IA9k8;
z4ZrB#BX}Q%Wt)#H1gx1%E^sMswqZYWEdkrXZ$XXLhH_N-tClxq+1{Yao$MQj3%`*;
z`Ho0&9iF+2MlpcK<an3Kx)+^ndt3Ysx1N*HS{hDyE|fA(c`}Gbn$mEP1`CZ;F9$>K
ze^-l8{-^#ct#3t5^wu5(uYJ|!IHM}fX6=SL?FGokg_8Rz<J<WCob}WKF7BqhR;%K7
z8&1(k-;ueL-{ur79?1L+<=p-|%F+58%F&sGpd6|{P);r^B?RSQLQsxv=-*JzBn0J*
zHhZheM=lejG*JZ79E&9k(;SFmQ6$uCCm|!mF)4;s+juGhk}0+*DJnAB(MMr=s>Jnp
zkO4^zat*$PG*6HJEmy7!OJ^OdBsw#fAF|1!>Glcn-@B~E!KUb=7~jx!oHAGm<77xx
zfdAet+&BN{PO?h*nU&-wz&rm>i|TL9Xm#1vn5*=agI!g~on_4(QML${-)Fb;*Aq6L
zfAqd+lMLF1|3DKwHGOjP7nRjaSD>tT@HARhCqV?um2AWm%Q+7jQ(E&%1|D`8m-@RV
zXJ<*aOoBr~g8GC$q8YT|LOv5AJh6;+v3B<imha0y5R)>I2lcU8Nt;%dgb31T(-c_z
zb_WD#byykemY=>3(^S5=Az%S#DIRukD~`mX9E=D(+#d`g8121E$*ioE#T@YHJ6Pag
zfB=#jxETMBUiFA(h!bIqyz+Q4Qk3Yl<Z)<(u_dI$LZ2Wh2B++*|8k<?v!Kz`^x*5E
z8p-{}Fxo@J%JZtvV$Z9${cosmvyjOSLh53#aQ@G<kd^~n2t8vwOZV@a=Kfc$NxPya
zX3iR_Z?SY9H|pi$4udA%(X61q3k{T#O678vulxK9%M<pE!w{gZci&uFPU}Iq+vtkU
zvFQ2FopkXCRn;Cw{1PZj+>sHCnIUFopLk-!k;Tw=D`=JE<$gnj)e(M`)*cAt6%CO>
zgqNbucz{_grGce~0UG8UFb(~N>bHm!dPp3Ed>V7!XWV8t<#M7S+?Xfh+#AZPNG-wb
z&sk0Zk>uvGGc>_Td;_0P>7i_3D039n8)<1qaTe8DXo?*$0=}l^@$9}_2}urSmThuJ
zb5&pi-dq{goH}*h_n=^h8CN2N2Sk5?v+ap{tVz16e?Uck$Qv6dA-^yzNk~x|l`_I9
zoQElxSDF8k?M$vh?SVPmQ?kKpsWy{&bi+`4Qb}R?(g)<V;u3J38%L!wXg@i5=A}Kj
z$@Tz-I7w%-f{1w`6W#U}c#J{>+*7m<QuM(wJUg-acPaXJi~6pMzITxL2}0a4$|{UR
zU1ulkxxFL(UTj3I502C6LN(h_O#wK)%CR*kINPk&`?6vzxk(^T4$xu@{1Q8FoAzRX
z^CPcShpw;?e6OyEEv7&(0Y!&2)J>kOW`%~wK+dALM_XoYOi4lfd2%o-#bz@&+}wJB
zZrA&5&DKtNN;oIBqe)RE7VDRyb?L=Ml;r&ZeD^Wlzyq3K5X#l2RFJUJg9VA!ILGA_
ziKhe=zM0z<h}`;vMiVJ*6>$(+Dg06$)awu4ow8A5mCP>`3RWzN`=T^TinrOkf86ly
zlK=d=?ZogL{kQ*=mh&%1|8{JISMF=rSL5a$ZW6%M<%<ExanqHBQDtNEocC0ID=kWJ
zM@;<@Hg<%uD*ozuFj2wY)zPcgkLQuireQDVH)L{oVCU0er7bwgp5vp0`InUM;4Ez9
zOq-xrr{e_Q!rJ;6jdbrNA<0K0T(6V%1m?=ec@Sm~$!7rK!5Ge!tBctK!ClYr7zy!K
zz8?YOiQ9he6Sj|TI+_Li!z2C=$J-Z2pIEsY>H>+*>mooNvoSMt>cZJBz}klwsc%mo
zO~`%L;c6UEAH5$WRr!N$DZ3#*Pc_;hXHs89u`vZld32W98{u$6?&F2NyNU!jN2hgL
zbLR~7h48_6{o^Qi2FAw*;W1;c$%tSD&VGMhS82f+Eo~sZT-PZ{fiFvBm+P7|?t-uN
zPPk!g3o)GYUZh9G3(>=C*U#=KNRK+_!-I$K!0BW8!wcxvqvw}j_q)~m*OE?8a-l_`
zy`8<=mW^L-S5LsRJ-;4<7Bs?vF`9Kt@rVgn#_$t9I&7Xrr02bPiYI9!Gr}siyIQ~K
zU;RwrMOO+#ZE!^lrJvxc2gXzi<2FNqXC5X!2TC(_<zcDXjvn<*s#@Y1WpI*H<JfxN
zBlj#~$D;mRysyPVHBa*Wlj9~(P^%^Uk^kn!yTun@^VR0&`tm7s8LWQu6nlE*fA}Ki
zE+|xXK`b=|o_g?j@U6OgA?oy-e)2S|S*#iWv0VS9gNgi0pUp4k`8Slo*@h&99iH+0
z+$p$q>#Oeby7L4ud=yezn~FX51|_h+IKLVQ8rncIC_sCXM!$8<6Y$CZu-tPBdW04`
z+^3WM_j`nx(OP|T)D4ANU#D<iW9PV?cOJ8^cB6hn>HUUEjZIzI@Spw(IwNUGethv-
z1vsPqB?*T8rCUvXcrgV&U;AZd_)s%7HgHa2F|RpwF4Qpi8>#^Of3D}hsCxf}>v{9V
zqG|pJak5dLA&ic*$fGZjA3Ljm7je;8nk9$}$Ym`RfE4})ohQys1OrUVJ^<&hR=*XZ
zW)NHXfF3^3)*{ewPRU*wLh-}TNV(czEr!x0v%y=YB+P&ZlVpxt+vptG-}tK#Xl4+A
z=|0`+(`~GIh7*loBrB_DBFk|5A}-SxC^<Besm=KFmxg#9*~ff1fxvm_Ffom3R7;}m
zO18cD01RNd!yFrQ3y$P8g1pXU-&uBGIPLKw!!M_a&Aj}WIkJdSD4b7)@y5r@8F%QN
z;|Z12E^O}XskIKcOFmjJodJqu0V=?S_53qm-9}ck?8aracj1Ay!Gl9;y2)-oBPwH#
z{rU$}r0{AF38M~Gym9k8BJ25x{k9(;LllcYrYg0GRlT>_)z#QgWR*>ocW#+U_)%x;
zf=b-&o)MmEtCKwrMC36)22f_e-?OEd6-+?)#qx^C%6op0`srp!c$REq!^uzlec`V3
z2JM|#O?A?H1YxS>T)dwE=o2&BZ)jawh?PI%ja1Hn)~S8*9=%MmyGE&N?HqD0knzVY
z`tCzAaY<vrs}8y;@M5bBAA7YD$YBPTlwuw`qTHx|fkT<%a<g&;W{tghKo~7tZs`Wp
znQ|Opq$2(V^9(-9T@nDlovuNJHXGoE=G;p}IicK-5k2zFEv2e=m%2@6supiS343iy
zXnXiU)JYM&8?ULzgOk}Ud4>E#jt0r@0tCGc=0MP!{U7K}`~Ep&Y2&`(8sRq-<2@vm
zcOt~n9&P43Cig(dl{nsh^3#qkjPJ}*=}Oc7K0nyA?87(4){Mus@LGWn?~eDBSTatU
z)%n@{z3Gw!#y<5{?wCvxwx`_^cso>;(0Jl;zgg!7GF2~jQ(iFRV&yY+v|`|!Hd1KY
zHfqV*SyOcb=N%emq9SX*lruQU>J`4<xG80&*PP?pCp_s(mc7*`r#o%tRh5|g9wsXE
zu~@ypt1+`tS(`reB-;f$;m7X$gLWpfYXPlxK3^rtE}C!mC5Oe8OfLeNtzUGPfpy8I
z2BUz!PukMC)m~xBTYGOL^H_y1u9D<1g6oFkKV02vtm6`n`&y-c&N8T0h<`94lqqe1
zMpka5!T(A_Ce^@7p-cL8zgw6sl*Ji=$6;8mf86hhgp7@(^_ql+|C})I0(JYMlOL3>
zYU9yW!T!U0CbY(tk^6m(s||lH`mZ$n#cvIyMVK*l=2%o(ab2z@5ctfj0sRp>X~GvM
zkxH*3!)KjBP~|g)t5AI?ApL34c8gslvFX^Rv8h5*>zr1jy&}F*9s2!aG&Ox<NMkL7
zbQmW^tb<+D3}rxlu{i^r^McbdHLPN#qP<OQqRB)GW{#uDTic}{W#D~~bW5^SsrG#f
zlDs_cse3hWQVw2VxuXb?;MY-EHGHs1B57l*_gNOS_6;+479c!ZM8=B@1o&wqUftl>
z{kmRq_F}O!pJ;eI7nOR_rD;>$=2)+}N?cppRc;MaR>c3ghOe;6`nH$G&X=zv!{9(l
z>6S+GL&8(T_W(JKkmqJ1ZRN#e5ypWX6?c_cv}d=-PvIHZZLA)%@+&<bu&n}{iSwmD
z5Us*$zm(Xj*C3*NJl5H0fuHh@<oPw}0#+ezfj>fOJoc^P{du)86Cq${+i3~TuMVEF
zTsjcnITo$n6Buzg9J}fkE)>b=Dy}AB%!HRZN*qZ`No`SX_ljxm;aZ@ki=&GQ5Rd;>
z{E^NO-wqXDr_Y(=DE9*<UIU9n??6(Pl=dJB>HV<y6);sZJ#t*4D#MZ=1qq|4j*zoQ
znR`Uu=xrqb@?!qaUz+j<@b7%66tqoY;@$~*;KC>qp)kyt;OHA|kpJwSH(3(|obB;3
z5G6IAU<U8Jh5x2?Ca<&?=gf|tT0sxllEl}!Kh#k5=Eziq%ne5@?bFxMEot~jA$AaR
z2b&(N@}o@J`K}+17UFGlN*9XI)<{MB;rJ>oewyOwm(+@h{-a+!JEQC#<(D@3!HrL5
zNGXPP)I0?qw7cHWPURvenvIrq1Vc<&tk8UBP)QRF<{_wE#)G+iWIz^UPbX0t;Sdg$
zIAzl@EZ9E6M0qNVtrUGf$}Y(+GA@(Va^z-$HUs=mjA36Xuo+-Xea?|=IF_JcT17zQ
zlt#38NO)<xlFlY*`Ui`toW7{dN2Q%9)r{o@M(;ps1K6sNE)m$Z<Q@HwZ4F79pT!EB
z^W|GAaf<A?koH<MKG;ZT*s=$TBfXo*{B9DiqElcU4Xgu5EbE-;AF|NfM=en9a2ibQ
zoY=|7f3qQgHY)JoS+r)<(p=z-@k<M7r8=tt;V)nc?+e~U0>D;%Ie_NYS+C6KplsGg
z$lq1bT4<D+CxR=($zXesto#8}0okqWvvT3RnJB8FA8L(bC$p)`Gjx@~v41T8UYSGl
zs_}(jIFU)o#S4m+oPcHjjW~Rm9tI|@m@MHACdbtd0~{Ja+XCx{JdVc*R^48b6EKAr
z(tm!p==-{QQyGya=L1;cRK#ognx$TgSf*}VOZ8ReCx=PPxlu6pT0!X7@9oX9x<lBT
z>y*(m{Akl;g`xnBPlcpT?FB`1pxW7=!FIf2!+ot>SM9v6Ze3T*o*u157_Mu*VPlke
zAIHq{`*m%UIj;pPg0quM^@H9in*{3Yk!C{xs*t!ylOfO2?E7<V2f0OdRx7L71R<_s
zHJ2EBgVbuT=@c(XcVZ<?4gAEmrR|ZTdQX9duIg|zW$KJr8rc<$s^ZTwN0V5pEbsa{
zXjM;{1*zmxsSIq)4}!{6ri(cvxg>;<FJTD)MWhXKbW$N$mLEa1RDW>ZX|BcqHz4AU
zi&BN2xs?rd$wwk*MR^6{A2SH{!9Y}F#F6p0VyZv2gO24w`ocv5xNW0CXu_=RRoN}b
zY)5I@T6M4Bt*6WE4y$_CVr#OHtD^?=ikSx7P?gs!8NDMOSu_BYWtQo}<dyw>A3CY=
zkS^2NwfN&;c=k+f!;%W5*Xb;0#B*<GnyykiCnDH+a#F&pL@SiH_Sd`12|S#|GkO?D
z8TE^WO}6fP2wSg}ibfCe(iyNBx8H(R9z+U;N+HWOZ?P3E%4=FnC>#VUo7Fy7;^KNX
zm6jC7Ev0I);)%S<58uS6OAJug5srw5)qm{Oc0mAiF8SK6m6bKm3z~J{8qaRK?u@H{
zI9U^Ln0bonmE_Okr=JPIZcR|h%D`rXip=iws+^{Y2ps$h=sV3<tNVne>U7v4p|y6O
zIMmLIRmr$6I8*p+6)`4Rzi4Y%zb<VPyAd!`OKump9vmMaH)`|oL=^=uG~GUQIPBd(
z<yr^#`$Rp9CT^RAnb-r0DdPE+JNhHeY`O!b6;7y$<gA~U{q+-;&&zfVPnHz+yeKmL
zQt(8Lcd+5#=qB6E3QO~qlU+(7JOAo+fAV@!o7#GDL=jX}0@{cPJ){K8n<Z>D?VKhp
zw@1+tTb8VoTX!Q-uE_;gv~UJiSw^CqhJg-!j3&S}j8lQni=P%aCwpmjZ$HQ@Rk?|`
zpYnIRA={<37wlbP3-%2dS}ctVvsp$=KHyOVBRB~wIFBG+{}3cq-K^?ZVwm&g{AHi0
zvNL8#aV2DT-yko32DGo^+?3(c&mMjkF>@(N#@xtJrI-W<GL&aEOJ~-aVl3MprA|I3
z8s|RBC}5~M>(Py%4<4+fNM>@IuS*Dt6SifMW!tX^Cj=LRV#ElsE|VDQ`<O7z<gdlJ
z$J6{hlWug>3#&4Mx+ogMBU|8k+@Dg%Th$AX%Vol+<WJdD7fcT7ZWe5$Ez{!%D@13P
zB6njNlZr>ziLp2n3vzV9Ce{MQH4bXU&GaIs6~BlwmX%FImIF}?7`$a`Yb(33GRtq@
ziqh_c=l9nUCQqRfrt$ULQk+yio>cIsdF!gS;H~hzX2eJ82wZNE-q|!c^O!b=$Tcl=
zM9lp#M`vxdvfJ!wnoNv`u8?|eGx?wt7UFs)9Ai1TW%gkLF<v{@tWLl}LbQZnODMCw
zFvp64p&+@~;1+GVJ56G}{k$;pM6k*6dkyGkEDZ1UV5f31?M#xDA(hJ;WNMq_&o(Gv
zH$^f@%Yx<9k<9wX!%AsUxkPmeWDT9q{T)dv${NI-Pp%eWd4@WXDoVgDCHe^RQs~|f
zp)p2#e<_86qulu;96RHU?)wE7H9E)Y_YY&`(zglyqr5t17oT1}90lp0R3A(IU+leQ
zP#j#dE(!$K;O-LKA-KCc4DRmk5Hz^E1$TFM26wj*B)Bs;<nZmPQ@75oeRl1gd+Yo4
z{#ie!rlxxJ>gm<ptNVF+8c#I|WM2K+uE_J~b%u%Oe&(HSbsmlP-Wuekg>MSXRMh5e
z23SOWWZ0*qoq5EI4{;P0&xfyFzCFt?@3Gs0mTz6PE2qo9_R_unN=@Q_wL3vc|A1Qe
z%fb)vu_=FlePYKKfr_30r?*_DH{vq;Lm-HMZw&YS1DltLn5ntvBgJivTNiYo13iP<
zJbx1bByL40G%Rs#6#;Wf<s)s1hm7T4)@2c>53JI<gYO(lP(5lo%gLT+s&$>{uJ8By
zVtwl!Q2%OsivNW|Pw?BX-xNJ>Bm!yzCV&&?4!uX`d-ri0<8S`m_C(y_sef~XLw~h7
z^gEBk=Lh>|*4o#V!-HQBD2*qThY!SSAH8{V&tVt70jk@433;b^H`g~WI+xG9o^OTs
zH@yb6I{#k#9Qv<{Z2A9~=l|GA{eLjeEOtMO(GUf~srK_cCz>2n7OLP|_!#H=GbcKN
zgRFIRK9TFb`1kyd2^2@w7Yy8YfmE8Eq@I{T>08F{z8-KFq3ufBUdLy`W8_1v2!qJn
z<Z(a9KgxGv43{GBmB6s;>#jF@|0M^Ku3XKFz1)CpL_v#>4#p20=#Mov=l_Ca_@6w=
zxE+*6cY53~-MLY${rp^i*movhg;M8X_QL<wz~#xsyTa%9y+dfdFYB<u*PHN+E8rVM
zIHN$Spk`%QMCp@tcMkGHK-03?cvy-@(R^sb@kW=9`8U_xyXm^`qBLplOH<~&HI=pW
zvkYyL5Ys?K=1?KrsdP!!M`{#I(6`R0J0A^d*(&43)ttr_mpWp+NF8QjeEFN_OJ{6|
zxxV{mUU0b_NW%mICXI;@u|sxKKPOO_M;0-Lo;LPHa1B0Icgm%sNfl+rFut~;LP@Dj
z8PS+oNe^rK_{XT0gQ**@?XRFor-%F^$58K~d|ys*2?Yb;KVXCW-GhgJz<_VuBJepx
zKj#K5EI9!5i-#7T{+aO0uC7jkAK|cKlHxpZg|CQM4{I2t=(6S7T}2k2KTpw-^Q<@K
z6dwSG_Q}h@?3|^;ufF2D)%~ekp$=^cr(q0{`seR{n0qZx^mrX^H5=OU3Bm*M$7^>_
znW%+vIQ6herAcMpHFq&#Q*Ew;oQ*#(%ZWI<&JM^|OUh2xLAxoTHfCB%dz$@1-RFAt
zK%Nn}qAIaxUt6x#Kz!_^9bR%l)FSOhRc#tgy_7n89Y~+4DD!afZy|IQTxzH!<H_V#
zdw3nabV$iZN!aLBlp&l`8%>|fWYg2Co_V<X<Bz+|o@C{zif;oPeWH5C+Frv)UNz^Q
zLhI;TYh&+o-_n+@i5*`xyB@e+!y6yA7nz*Sb`EFvlkXJddD?OC+(3(o1EeivJ|(%-
z?8tDY8jkRE?0}Re>IKCZNo~2BYJoMcN$~8Nrr_T44;<0GtDx8)3#+&H^4e<t1zQr!
zO$>WR_H;I#0joN)w(~DunG`sHGYE~A%1lZYH5x0+N-L!LwrTd`&=_a4_}s;|hBVZx
zRB4mMlkP_6u1lm+jR4IyrNkvrNwI5BoEv<~&FK~(@7!pkHD-$Ryj|9afT4EfDw3tT
z8rpyw9VtF?-M0$&o%L}F^4a~MqNoEMHI=Z`e8ciQh%6Y6PQzSBL$6W$L@bn*UDJ3)
zZx_~lK-gH^5Yg&`DLTbepDSiz!8NRHo9V@EWVgc3-2;-t&f8&i$<Zc7X6?D9-#;c2
z<cZ?knHT-Y(u9FutVqmZTYhuzIXc23jf%$4B!>~_Scd+DL<yh{E+D<Tzr>zS%p7pD
z`_e}B&58Sw%6$4)xw`EEXFlMQ0bqIR>w|pu%-yivY2|v!h-h<BCLP+6p{vLd=4bx;
z8YaQ?B@(+li|w-9J0SR5WButLFq;jrM-Le42T7_23m?aIAL3+1!S<P-UzpMT)4PGi
zA*b<rjzOn@a)>-5gFj$w)k-+KCia5X<;5@8NRCbw5HDU7LyXwJ)Z)<$Trj%FCsutU
z_zk61enp>VcSc01N#&=z!<t);YUbsunx@EHKjFy}$2}wym+En+(LIDA9Viw;!T_hb
z1d=TD`S^Sl(-QO%LY>D6oPe|^e*fWt4*TXM9IH%dmHG^SlgK1UA>qX57**8;$$dkO
zGQ#YlF{D6WR7&nMtv*CX+$X~fmnI^cc({!*3L22nU{=SYk~L06DVEiNAh$ghp*tPy
zDKQRpi!5>xeiLXMtPg9TPU>m^3Phb&@eY3dcn%S4eF$*a4|qd)--0=Oa(N5SMY$(}
z72Fhl-);=*rHE0~T(9M9#?W3sQf@k4Z*SQ0u}?D!o1B>KST~JHV{cIBFnx@H!)LH%
zkf4-PiGttzjwXS-&o!@Iybj$Zu)1E3aOy@ir=Tv!AKHz>fjbIMmuEKt$nmJut_(7c
z9KbssWa|gX80ANobt04>P82|vD_)l;y;(I^EZYUrq*XV1OE+X~CM^^x>Zsb5`^Cjb
z7GoG!+sD25nQC7&2V+`nBN^^7CC{`5zO1sqJ5_RU6r{MV=|CUUNp`KaSh{NAh;$T&
z3Zo&GiwGjKR94>9ttmvXIPnZ<iP~;;3d4uAM|jT^7Df|QOWH9P%Fl5qctsYC6vD6k
zx>xV5+^pIrcYf$#o?TGInl6LA&b%%1h?G;-+kKcvQ2LFP>SVt&%X!z3Zys@e)Dv0=
zt&JBdpy0X9s9k-(<$UAQ{o^I6;(c|KJ-td^Q)8*oFgK<C%q`ig4y!1(C3t(M+_DXm
z=Ppn}Y|G-Sqe-eCXrf_Wyi6T!LLOjXeYq5c18n3o{iY^r_R|kd->jl`4S~$b@s;wM
zJ1GM0liQKhoCm-s+o&TL;IFo#|Kq7Q_o+Lg{<7zC&!1_--*Agy<NeF*!<nDM_oslk
zhwUc)KVTa#z2?}J=LM;{pW2C{zgaq*a#Ug@_8)Pys%35^4t)iD04EL8LaylfyWUQr
z>;>){nG&&>UY48Tba`J8UE8}>=iEks9V2sPM2q{eX{SolvdU>rF3jh5`9^;;?mC`K
zPOfNTr!er5YJ9Oew$sM{5~ZFa`-~`-x?hk7*#=7};Z=3%Q&@`<c7xurPJYo~z5I2|
zCUDaF`9T7LB~&pC7ejiohmSODvi-+UxgsaaK924l#dq()`|Dsg!7b8lTvXE!4!TIJ
z?<*Rd3cck3&`s$iqT&J_gXg&V_=a;`wS`i0s3XpRdE0l}DK>-eMoluCTI3)_97ZtD
z6UEq;x2l8zv$4ub8V&ET79$1M0`G<ND&Ztc%;mA3%GO9(Lk+`ztwQx74l&!5gv}h*
zzIfX$Kxv+8E$=6bExV-`@jauevO=3J+9-jxa*39-g{qV^vQIT%e@~tbo4>ARXyIwg
zJg>kP8y}oPLn}m`9NRDAcf+zrYKr5xB&PtQ1>_i@ge{-w;P8d}ZF`y}>EHS^5VG<(
zE@19ddA8&}GY)x+z33H~NLI=ULDIasLi<4F4XZP=@-sQCnKVpBB&*$`);5g6Xi@Ww
zH$A|He4$}JZNR0~Si*;97DsVDoHcIOBt>%z(aUAzHsj<*coaL6SyFTX8X8D<>U=PM
z7g}rcmz1;*^91{JoLQZeYtqu__;Ab)HO`%LrmO20!0)_p?ZHMHoxAu-sZgb_FWI<l
z=xbNF>TG6C&%Zg0RCSA_(SdVpTI3SN(NiY0*G?oXFdWtOv%-KSRy7z|(s#!bXqhQT
z{K%_YusD7(Ye=LfHPfRr;8=WK+wQuE-!9pt<M-PSTyu||neJPp(;lArLS~NOZAAq=
zu<^;%SXg&BqP~LHmipEXC*d~a$Lv~~z07$RJK5uOFq+jEY?c(@?gM!+i%PiAzBX|N
za}u7l1o(ug)K9-=#g{aP<v=@hVx=G3SUBbKToUTGo}gaa>04<&Ie(Aky>3^iUA9oG
z_R_I#mLreZ?Y`@?-@d;brZM1UIP^S`*=aNx!tgC{T7rXp4lC0N3CCd|xHB&d`ts5S
z72wR6(FCO*`&3goo%o|G)0y(il(x8<jaf%d=n`dUk!v9uxI>+}U!<ev@OPvVQm#B2
zZxnN)Qv0qn*DBRc_hRdM8GLi~=Jv4!<qCCUoJqXrDUz+&;}#_N@j)y4)&*OX0DSXZ
zqTU}yQf&l2Qhfdo9oHJo>+~n*rzsj^`12(5C!Aq{nO!P;(v!xAwrL(4wv!q6POSA~
zAsU#u^=qRp;HxY%=q9sMfz@57SWJ8@PFcLge8Y_b-EC8BRfkds+K0N$EMeW8OCGGr
zER?q-t9Yd3h7t1Wd1D>i*Ej=`jK6cXa=pJk0bC{bHHl0^mhJCn>(3s~8<_9~vW#8o
zKj&8g5^XErcwE(Y5tzmEmx&d+JwxlLBc4q+omgU_&qRmBOX_01Rv@V}hKV(%ilUS%
zC{r^VdX|1xVzI=TdyYYrg-!H4Q*=$J8#G{v?f!a{g*X$zV!Jt=O(?i%c;H&*`6@{}
zH(_t1zFKw9$M7&gxj<93>{Fa*cGYFXVoWz+6VtFPHXM$)og_IoO}gw{e_U90@bzj2
zpKOP4^v)DPGyqVoRg{V%T-{N$e3nYuG4p0mqeRtldRv-n89)F-jzDr9^~Fz?dU$We
z@nL3j);l<ww$OYC%(N(h-B${UbWvjoHq)<vjX|3=%u9JKCAKSAM50idLAkIEgLX{9
zGRIqiHDp?a(FF&$+Jw6jQ+DcuPSQcmfxgP0Q`MuTKM+ccrwqZ^v7?1%K{yK?Zjw21
zMKf7>GR}DMY)~!5LF}`OL<v03>H#;4_;g(C3)OXFdFoeQR0!Is45G2#g+p<@>_#zd
zLZiFWmG8<2sDg6Y$W$zSTi-puH!Y*i@a%-5a}}OIRd*RMFcwrE`_;Qa{{hqZF{MZQ
z9cVzmhR3*A_55y2NtonAspHCPK6ysPN+WVEx0DZ=ihPjHR&oXqslRiNRWD4{U9PBK
zJJZs+Ox4MA0aQKk(oYn4`VN0@gtO<I0H9-GsCvs2OLBz+#(^dFg~>k$`MmLFY%nhk
z2)jb9+|T{n7UmOpSyXw*0fhjAy`Hr-2YAI1RJ7S@Nz5_QO~e-^GioYx-fzVgm(DB>
zIk?Nl^Hma|gVJ4>JZas28Ea%U-IVw#EFE>#b?@Z?D<^|vL(WUJOWCtOSxHR>D*ND|
z%*kfblNh2&uqzx*W@r@m?6dNXj>1s;moQ4lHjJ4FTS|VfW6G>|GWPW7SzRrv@x)W&
zr1tDV$&};_=cif-f8);{vvk+NDcEf-XW@<<CPa#cuy7bI9&52lPOd)i@@mQ{X`Hbd
zIM>bDPP9t`*KHK2O>aA?BxA#t2531}6eOF!8IPM?bFmV|CDrWKsy#-i=v8n|myxYG
zoA+Ak=IZXcZco@Yu~)K?zG`UKgZaH!w2QgOOgLfZx`_A*Tzr9wa92i11@K(76RlQP
z+XI3%j3sDf6!)kuHmzMWYBMKF(r29a_77qG0D)CRDUvOPJ_3r8K^5C2zo*MKIsJb(
zVrC!aTcx_|uaDpSXy+`ikpw|BRKqms+7g@x0+=`u=$_xHM;SZf6zmx2@0)nj6_c$1
zWE-5CC})-%?gZT$H6%1bIol-lXUdJ!aOA{I5=#xebJ+a(vMbm{X;962L4KP0wvjGS
z_X}rkT-)&RY!&cYlZ$<4RVj!vPN{X#57Mi_)LzlT346q+H5`5=-S&-VdQqOLUOif;
zDVgTb%jGV!Ha4^=tUuXx*)eY!T7$p4x<v7oAnTwSj{>eI!InxDxSV%Q!wR+6zBg|+
zzYxtpU)Fn%46k-#=0G`{Jx=x~p`G^J$LPA&iG<dG$$(S`=!T2<V(i7IEzPnRomQ&$
znKYuL`)~%RG1Vy)f_C+Box}6!1Wf>JTY$hUD+l`|dO=D^iBMzcFnX(9K;e!~4m^hq
zC|E@evAN6?&=zY}D1sSQz2;uo4E?%nS6+p?cIsc2BxjzohUbrDJ&noLkjbA@+d?#J
z=5l9@=ZXJo4Uu{kqmbwzFm@*k>+}0Iw_T;gVw{Ql)^hg;7q>=T{9?;?6?l-fK!2F_
z^KxvxQgKSlOPY#0AS;n=gQ2ZUZgP_<1OUn6@_FZY9z^)Nl5wdWyYAHP0eUX6d-LA2
zdF|8^HmtOKOkB@V`?fp8XTBeg6@azDdar4_j`J~ZWm?73kEowoyf{PM!jR(CwxP0N
zzagID*jlt?rFZ&VW~?@UpTK-tIka|BU2K$%mO!p)Umc4gcnvGn3FllV8YON3r@yPd
zJA7mO7$}|+R?EjwrZ|X!iDk(#$%aEm9bkM~P3~HNzM6PGCaiL^)Oes=K2~BbPnUB(
z-ElKL$j^si340-yMv?N{frx7_+rQ&~P#XD9swMxukK7I%VuZG+-Uyo?GS8!w?3;A%
z&sM(+YYokkH%&?1SXgQ)6mdq=kUvqZhzk>Ivsm%p(?79>*}lXI@8;6v<c-N9R2y{j
zl`To2ZO3VpsnKXxslZOl9LL}g<fIO-o~a~0@!REch|o_|z8@!1ek7|Jy{%O_1+z$I
z^gks-vY?AAeX+{*E)n4X+UkB=#_3AZ`m51rrMXIHA@Jg;lvXz3(GmQe%wU0L6S7$}
z(t|yFCwwk5gygcFr!SbC8%ndyc=z-bIO5=$nU|{VM^OEKYb^9WV+U^UHHiZm;;}Tk
zb>GUKL1ieh(MQkY09LMVFI8tL7qLzP<&quh^W()P(8aeiZ8P#iKZmR)t{O-fSW-Ba
z2d~+uIu6=2O6@=CHZ~4_u@VfWDJQ{K0Eg}Tft02>x}?~WN26|{M2Uv1UT^!8nr6Mx
zf;;<kT#Mzautycsi=RbIZB;{E=Q$>(>?+&J9bx=)l8l9wqM8URA|~7Gv;A*aTR<Y&
zi1CSqy5FA0N?QNti$HtL)~ZDdF_#7<)e57f0y>KR4lx$BlM*@wlGrOxJ!W8v4&<p;
z_78kW&c1#|iO&p>ol<Q}8ZW}@_!7r%eOva_obVyECv2*wMx{)Msp7^ahM93<-{R>u
zR-Wsr4KI3nOy_@rd){%AgE-k<S`Mzw$I8#{H+lv?pkmk|bArveR^0GG%&8EA3sTB*
zpKrS07M`5KSg|xlFb-{Dk9@HhDauI(nK%|wJxg#&@lEuY5HrSKt$|G?TJojxbe!J%
zoxuoW9Gv4c%9kDNEI)|-IM&{`(5F-990w%~QussX7I@WBzgx&mm$H^7Z_@AXel0me
zaR9yL3-Ovbu=^mV8EdBw&EF&eFD}^|03~W~{+PGTAk>oFIy&<f{|F)tSb|oxPsK5H
z){|!hq{UXew7*2I33D=xB3&B&{kK5Z9=H{5kjB+WGs%o@`5U-z{>fpL>NN9BLkGsT
zu2K@1okuQ~N21ImkB1!?4vHUxt0{Hcpqy6e@}(55SON8pv2G~Z@~V(8Id>fKi=_<K
zj}98BVwXQ`_J`O8$4+4z@w=`jj^6qF*B5j0MOx8kiN1a*KqRQyrdrbRVw~3KK*&X=
z=d8KUJaRiHL=w-xne2P0S5S|H`66#b{TtWEDw4+)xzsGq)@&k9(Y)q(o$aG%4`!L&
zj4xRC_JY!2oW-ZdYgxTfJIJHhU&U%C(gV!Z`i)|>BF(Qjeo!s7LUTkLAN?q*+BPYL
zn4c=L{5)}<H_yRdPk+!^sp5rG79Aes1Ef=TKDVe)S^Zkdx{lv^bA6yO&{CIJt>;{v
z3H8LOj(9Q;ASGDNiN4W)(HfQrUYT?!bn)KcNU1dYx&}wFq#hFnu0eZFNqVGL-vWqd
z*DjDzcW*>&E;rPs=nFTDxSef`>#}GdUUoK1jzGCGI7z<k=-p>JSlKKW*ncFR_}S2N
z{Y24g_j(BY16KEb@D$MMkN!dR)GQ$T%P;(SrT)+pDI<S%_t2Pr6)*Y>Bc2j|&>Lb!
zo(?nA)uRfDVJh3@_K1wfd}ax)&1p`0Zc?C4^a1LfRS9IESY$|l^1LFRMNllmS@SdQ
ztAhen$bsz(;z=cp=nrkz0N#`G;$7P*3w($dg)d_q3o;bgl!y8|d>Q@o9gXITT63`B
z4Q2UeU|aqjN~zEv?}m+=)UEv)tPOiqlhsvKrAj|x&tgoz>4K>t8;8+U%$gADjzKfA
z!m{w~GY?>)B_U(=(!N<4&Mz>H)Rq#S9IG=yATVNXS&o-xUTJ7gaDSh<R@TU>4}%yF
z7$g3qAKvFd`LbJ>ozXqwo3VV3nU(mRc#&SJS}G#Ff5bz_zI!(aR@d}2UHB7a2nInT
zM4yT<EA{UQ7C9oPQXt%~Bt%DR&4;b%a+WiS%6<~nsjMOPqNL=AD@RmR)fB_Zfq2g0
z*@A1a04nEV>m@{jtS?c#Y(%ExI}mE5M0FGx$d@0(4qFBb2^-F4EqI;#3h0#e47OFn
z2P6&Bi&BI;YTV*MX)2}&0(Dvgx^<s7JGFpUL;%6H-+#c~n;IB3I{ksw73(J>8xHWO
z&zF4I)b$KTswQ4YHCR+TnkzJ!1?3!pAACX7Tj^kiU9P|f`XZxk$7ij>Tr{D{Td~{Q
z;xF70v6hR474qi2DoY+_fFF>JDN1l8Zbwe61o05WtkSe#25pIb<w{`t@#8|zL0pGb
z{kwP69L-T<AY?TaHwtxL29+tJ;yL}A8S&F1s9A9;^vbDX1C?kjdT5oA{yHf;=^w7_
z4GiQ>Lrh0L_>~Cb2wYXZUNmp^K#aR6-fm5(#9x{Y(FN~H>-R`f2n!&^WS_QoT5Ei)
z1-UagpYNs%iSrP@1`wqNYvq~b`>PnO-Q1(xIk-H>a7QYzfrohRydkx~A@Xk!h0V0<
zJ)K4|Km1-ahLf12>+y+poCjb#PKll>Ji^K}t6OjssTtieW7t`(-D;J(YSi{w3^kzW
zOp2F37Z-FjE9ZjS!&NLcr>L)#MzDzOelHWEq6v*^&d=RQ(;6#i8dewrQiday;H(f?
zq~uG?6(6=##&Lbxf6Kyhv!0*3cW$hhp&fP|QC)l1!<N%!j=7ZCBEk|6b1M<^<DeW8
zu5ldgL2J{Btwzo$Z=HUvoFA#0ZK^iVw4NxA(H>1%=6EBzGF^H9naj1eONN2QUQkla
z-|P`*vpWF3)Fps?Yek3FM0n1lH&$w|zTc9fr+FXNURSK?3P?|-Xsc*jK>(A*;r`xd
zm{Zedj>AH{(M(|e2^6PHh~W$pU>A2Ww#1WYTW?NkYT{95prG70Xv$c$bETiwJo9W+
z)ti*rZgH_H)Y)Af5ffK}g|PRn(u0@x8Y07l4BlG{b~z#87#XP61r_q!rfF)NR?ugv
zENK^J38>R~K2a7@3+ohWF|vCcGg651OLXOkIvY;46|Ep6d6AEDa@eHQj09=hX_eqo
zYE8!#vHwOO)>+*SZQ99o{a`4c(LFYvk>;lio1ea+lY2VUUM^9Ukly!-9%Esz5GUoq
zwOVjUBx_mHv_dNhapBWL;uq;}2T{8sacekKZ>f^GS<YjSx=m>xFQwMs(g_&XqSlP7
z+lhSf5?e$&yC*Kfvc^Hyx^6s^a(iISfw8xIvr%uSoG@_PQ|j0+qFQy!PqDTRHoW))
z#^|VymoHwrz8SA=(b4d^=>)n0@7F0E#BPF2C-!GoVh_DfRw|sX$P{Ib0>-DMLk&Zb
z{W^{Fb}4((SZu+eZ=7eD-8QldU}n)vNo;cTh=UUaX`@na9$(ZSAm@BGq*J!g08n=r
zh#wv5*tGba!<Dc#sYU19lydtWlr(w7V0vv9Gnw2ax59^obHrbe8*R2DNEpk#GvqL=
zJ78+d&wi=^D`8@}pQhMFhyMj)$}CLeBG2BwN1!ZD#D7SUXp!b;65?qT=Vg)muhE?k
zsNIjb9gm;frh#x2VBr5kz4w!*cmw-%BK_KN94HM2Ax-ixF#J0(a1ce_k59L!cY7&r
zqHZTyOJMxPI$Z_i21EnmqS_fV3~uIfbpcyCpUp0S@EIf2l_(|Uz7&JVwviM9X?F@R
zFxh{=gm}{w8)cS9TWxI2F&7mIsyls=PHME(?r9E!V3nG!K1qY?pID9I;iRPTeUYa5
zEEz(0NbhInV?G-r<_XYOL#trV(RO2CM=MByqSkK^ivEOEwTP@IT<ib?KW4?#W-g&k
z4x^@NVMY?)kELc#9$)$OOJK}!5|A#%CtQX1SpeJ0CiT6_t=#yrv)e4Z9CLDdMRk90
zoh|D$c6qR-zuF>hFKU73Ox-U<&_Ghq=Y6{5RQoM=(A*9Sb+J-aN4v~m(_*z#n&2rM
z&bTN{(T`n%d9b+vJ=qB=W9tF2Sai|Ff;bFY6P=|l-#v3?@qMI#+9R_xE{Ug-julLc
z1~L}*bPm9pikTpklpkR1Nq@G@TFC8ynS*l`E2SYQq^SDNtzx6s!Z~Q;P@N&&Y13&(
zeEwvxRLiwUY4RB>0f_~H1xK0TA#(0pUeGejvt!Tb^%r=pI9UCg;C9>P7%U21mvA{@
zrDDUz?6E=-Ah`2YSR9Qs^IlXUX$XdA{WxHhOzT%9pYycbHL&L8bbM^*w;Q<5h{K($
z8x5e^ynikOSKqz{zMcSeo<km%hHSEGIyl+Yfo87gbmyc7*46B}>@Zf6B*_1Q+hE0g
zy0UczZ`0a`$zYw9+UHAYYUcTP+eKSe9dM}O+4|asOoQ=EnXRwDo4L#n{AR?;KmF#E
z@edeeR+KWprg-BtOHo&gR)`IWW;rA+azgt^0Vf%UZZY)?I;jdbW29am$52iI3Pbr<
z93)^|4aeem#!*ks8qeIQKPxC~h+Z_PtGtr6s(+{55Ia#)AE7VA$O^Nzae3goIKNQl
z<7dwRCCCL}9vGZG*9mYhzGHfH#Y6leOSQJC)41bTC}Uki)w*(zerO=`o$!wi7Qira
zRUdEycO2)KB-_*Z1W-4K{5+9D2pmT;Zq@7QJ@wH;aT3*Sn5DDpE3(CV(OQxB?fg-S
zLPtgIQ*Yd(%;H8TB}T2wW)k@XIiTE;M7EP?J||P8!p>goJgio(MAOn3t8}(aN7+rs
zA)}mV%52>4Wwdt`^4l6DEWj`bjfiuoVM7bG-#JQ$Erxj759RgjR>XB6F7P_Ps(y+6
z**%nO&|vv$hGDZJB}T8ud%y01k&ww4$~3ifXeZ;>q>$>1{aUWW{Ac4y4Xxpy9}%(E
zI+*SBaJ55b8Ky~}tIL@&#~oLL4m$-ZIV?}fPkS%=@6?i)oMdYqB9lZ#aRp$5y{cuq
zvlWyyVr<eCym$#r%>xZ77_^o$tP2rgWTtB01Ut(S<a4N^sqZ|*0l}&VY`ecg2E7OB
zVF9n2t71>L0{j31=Zb~Su*xplFx}&U9!!!JA4+}tDp?*StA*tZsSfj?;57<#ywp4i
z7@Emf2qR|nej1ygEWRHDONS{bhQHk<av%yZ9MuC07|>G$l>me~9}sm{LVU5^ITmKO
zN!94n5&I#msVR7BU~&1^1+0nOkiq@rrymn{2Y!lwgV_B)m|3l*WY>dUYYdR+_Rf$B
zDYuPw2aV3&!hZBpe=g%&Z&=mgK(k>2kewC7E#=NSt@fExjuS!Lb%!Jwq7r>SjS*?p
zZ*5+eY2M`gAUKZ{w$=1m1odoTlr-Zb+LVbI$X6{?M52F5=nM+S6t~5N<tQIv$)2Ye
zkh%#7!dg;`gQuR^jIdzGVd~uR-6@;5_W@s4LEm>@j^xX)R*GMv7ZZ)ud#6B$D3?SN
z95F5qW9*!%W@m~|ChIpJp}-#mU)-TGlhBOzmkx1l%Tyo}ogX$oaa!w`fpb1(-IF7|
z0s9KTb0>!hbJ<&+eL?UbXy3ntx!9=I%+`*zaS4<EBvieVZ8Rp#er@57Br1Ma^>osn
zd{})_t{4N6R4hURK=9mHmWjmVC`10WY$lx-?1P{R>QK1Ie+0E+sL|2ftjlwj{BBxA
z=VSQvc}CK4!~P6mhPWNi&0uWI4U4;>ma)Db+}5E}8?&<c*Bub2k~TJbOF``BT)f(R
zV1nTfSeZt7xejL*KlX+bJ*jGSve)cJniX82&?n;If)cRQ81xk96~j1a_c210$TE;+
zkBCwfR2ELW10sxSU`7hAKFbpo>in)1R|JYIW>z`S{FIM!qG}?BIeZjs%hYN$nh1C1
zy8$V+c+ga|)Yq_2<$ZGF(X}|QNwCLG?Ac=B#gS8sdyQ_nXa~z?Bk7|1VD=5{XA&rg
zhrp4N``FQJ$k%p7ep+X(b(x5GdE>)8!0i-*XMF#Wl$ljqp0aQRyV-meSc#qY*C~l2
zkV;xhl$MH6NKtstJY*dA<V_Q%va(+N2b~QQmb*sB7ZshO6))GM6L`~>()F&kvwQUB
zr!kU8iR7(N8*QGm^#`1`G)uDPkM>VgbT~vp#caar>MDj-CL)_Vvrll8DcA?-g_X9*
zfsXX)r=1K6llQ4QurKL+%yp50LkXzaTMUy0hGzpidf5k(wAiCEsD_OuXh^>TPaM%%
z3+YA#DF%3S<-eek9ve5hah+{hgtWV5IF)>U0>iJ0;YAG|<i1AOr-ZEo)JH&H^|^7u
zWhkfY5hofEGEyadkH4!2bY#2RHxB4_Otvk+`UWB`OXPg-|CRkXcD|`2??#24V$g1M
z;Y;NQ^`#M$&eF45JG+>!Xg)FDale2XkQk#a*;-?}hTL3~AM6kJq!0d+Xn%qZ+N#2D
zK9y!#BV96Y`)tYpk4kCtS<>9z96xamxi$g*v^W5WN6)Uq8wtm7QD@V=v2^jvqHZ8{
z{31UnWr;JSR0E$E?jkc5UzkUmK&2M7Bx&0_mrh+8%{!C@PGzF4$*f?S06bp@6?8&)
zQ=mf*@R=SY%%wj0{v0T@Kbph}?m51U^wlZyi(kKQNIn(<Ckx3o4st0t8!c;>$&DO&
z@zA^z8c{0USJl|5Wlz~OKpLJAN<4VS=t4aXA6wq%zcI(Spsg_pOgS~N^Q{s75p*qU
zT33afmU235_hK^8`BmvRCvnaKnWQveHpN1}@FpK<I%bP`gK%?0Fg}!dqm`coQ-l(m
z0saZnl!3y#u(fGE>bh4}-)(8h#0N^rRrY#CheH(?Xr!OFR1feCY1YR!;*&|o<c4If
zWY(Wn?TnN%0Xabq7@Hs#NEW*OnEbS2y<<_DVClkQW;QNwp<@AX%$Gm|;EjEfLMel2
zM{LwK9Oo5Ih^B%>Hi-ZlWlxe(***?D!HLjg*%}LXF%v34n5&t20{7D;Wh07qDfsC%
z>`Mu=s;<%)8yVRLh)F)VC6pR7ds+yP{*8+9E<Cp2RWT(I`&fZ0$@ga)ZKZK}Rl)kZ
zqe0)#5~b)P8`Z115mlUzYkcPlHK5x!X7=u1-<kv|eZ!L*C@YS}r`#*C&>WPyxDJT^
z#%=EY)gK9X1$qlmU$`S7?yH^6<$^hXok_eBWZUO@1#0(br~>hfKv3a(iYJA+T7Ey3
zxcCz82#5k0Ymv==G8}(p2+u#~u!b11J2w?rLDC3{UvGHe9@buSL!hHs#Pp!2O{E`D
zD_RhW?318_qxTG>;=W3oO%?n1?XH3Qe&FejN{?tV^Ts-zxi+qo^ZRjRFFgKmSrTH!
z_+<4!L#oE-;u{SIsyT?36pU*tBJ=UleP<~W6sB@0Ntk#c@-he?i6_x=cQ{(NmXmJV
z11&LeLi;<n-FcI$Qud3_j)<b{>iOzIuIjmaQyW}o0bmEosxsXsK?kXb8Y_RmQZ(rl
z(pzAOy1SMiU^L&{S~7SxYB<v5INuKS*KNLnkC1e$*E5}*g4#zaV&p`M3NUNRDichF
zYU!1tsBB*U=0X_y8~yIp+jQ82;_N=x&xM_89n8ky8MWAPmqh)xII&ZT%^diCI~Sl%
z8*3CV`lS}1qEvs!Robi`&wT+#XTr1+A(L5IL<6JB0??tN>?5s9S<^I?#vt0<a_X1g
z;#`#W!LP|QYjP^@<rJWvQ8<66G5*yaH>Wwaw{e5^bhx!e@LbJr&(K<=UVLhh53;W|
zCe(S6SI53}9p8dh+WUTN{ta57X(bIC1jyuP61OdM|CO<!b^5~JP}8O3WAeTvxy=b(
zM2Dff$<`+a|G4U!{x{z4uP)z_v6BlYkhf!#Kf|GKF85ttcqxdOXJYko|Jk1?z}oUb
zzU%lj`wf`h<Nwpaq0_K;B5}qd=Qb`UQ@}q$XEEt2)m~?C_tklm*hlB$kap|t{^!~T
z6AGE*ir7--Jbi~)WX+GZ-l9XJHj3pEThVGWHan#z?Xn3%Osa`oKc9#eRc72`IWj%0
zNa(HIp6U78s1`4pE(R=_y(ts3%!n#$8&FOIsdE#yZUwHj3&Z2@=7HQ<{95kf+a0Vu
zx%Q1c^=q-AyQP?z1QM*Bf1B2TGyZ$n(_8IBA{tHrpiK7SY<j}v+LUi-4=aa-k%YyZ
zL{wkXD-wa7utRQ~H$hB6a*aFQUeHpD<1y*yaBf3Nx%Y%e^e38PagEk+nyqWSj!jTu
z2M4m0kb~ExOu{{y(|{9gN*Wsos$f9oOm9WeVRp2GOE{&}9zi6IOHrsUzb|<BQTzri
zM2miPDA?1GCmV9IZ2UTIj5#(9U3y5$TdQhIf%hxm7o(oJu2qPD5cDaz!jR$Bw6DnD
z+$Vhd6V)_dA3Yq@iw=nSWw<3JQGdY0$)ezPlxv!n!j2DXIq)=Mn&~O4-29NC{7vLr
zNZl2eK;+~wB+~zz5T>5+6Dd&BfZ!p{t$VGyR8e$w@x0~_nDm+QRjCH%sZ3BMrit+!
zmaTPHQ)TLS7e3c?Gf3L3#D&)_)15L1<d5*ncE}UoI_I!_w^=RWOPT8D6#C9632pjc
zeR!Dl#QOO^X(<~x(z?!A)^=md;>sYA<s#Tfu%oLD7d&tZJU0L8V)?5G?G8EjWGZ5V
z65-bcZfhlCb9(bl>|%ylfioOA4Y1iTsHha%6!GlbJBt7zuZ6y)pIuI}&3GlgbTo&b
zWev$`MQ%pq4n=dNQnp)vv?TyjeTF?~-&!%UWpBBwN{2399jwk;z96nNh)|cx4IgSI
z0n08$#*aW2iN{KZ2}|a@$=rY27MfmpnBsdzTzZ1mp-uOJ>%5Qu&~sY`;|Dyx($eYz
zoPBolw>jD^!|G~W@j$E13Vhxl7H3~AGd@c?ezEe0Y3T;%X*dYG`S&U9@!`TjP}SI6
zSVY}`A?Nc(n`XO)vBLpthmGYx#nDIxo7v1vT+_BJJ%X^>a@qOLnMHxr@}1$>#_v1V
z>q49o(h_?DT-%ncLZ)=J!Y<DR_Y-qoD@-%Ok5+Lzb@QM~ezdlm!D@#r##$E~5urA%
z6!y{cDeZweYeQ?ec&e7}wsCB099J~&^-0Yrj#8)6i^$ZnRb{1nq%@Z^)d84}vJG|n
ze0Zq0Aze?-P<HkT<l0)SWj9qE6;Jylv`if^>0id)i}Ow6`d9xp2Q-3R>NIEKZQ?w1
zpm{r?!}c1WSgrpI)$FB4#-OFEQg*->#9H>i_u}tWbXX2S(@a%fpp=fG(sVtOHkY;B
z>r(Okk<zyUtlWZ|u~POXs6H<VOAKU_^<qC+X~UVUv5^oS=hA$hqxf@$zWK1cSrk%D
z%btt$OUYu*E!a3<dycCWp-V+V`_Tx=RpPFt^afKsF{RFK)}H*;%Dbz&Vgsm<nMl>L
zYPHv;Q3DUMI;Ke=j?vZKfWlisR&TC>3tF%p(dzt$?Njydiw~+jJTPk8ebhcx`?$n1
zA1Rf#>OkFy^XbVQp7qCf$mN$EjwXpHxWu(4X9JyDVb?3d56RJQQcv@<W=7SV3MHeI
zc%|Aw4c>>pMsHvgEqv!Uh?0b4wG0fKqYQGDN(fvdtGm@_METsJNc+C=_2S%jg~O{A
z$+7rB#Aibf2m}+u)>qy?^Ikm6VaZ@$`P3_?OC8DsQ?!3y%I8+!u<Njv-As3zyAcLk
zs`EgqgXCF9ZLm0=GEf-F7-YourKrAg{oAYyNPyoaH1tZl*64xQJ-}djLgn4KLWwFZ
znU{US`a4S|*GM%fZ$Xxy*vubO7@@`)V@9jBWR}P&fKdvWfHZ@hbpLa`$pt(5_tbzJ
zbfB#Jgj?fIDIFB+p*Fs*hK*$Gq|6mi+iiPQ;E|A*dueQ=NGQEY2~*+%vpuB9-EW-O
zWs;!4jZl2Ad3`t)coL(axSNBu%UBN=R^3=wW1yn5wz#^MxsBIeX02CN($=kh#MzwL
z7%bF@WZYI!%M!a;fjUWy#_?Av<KG2QN5>a+Q+x{(1~^M)v1@m1K9$v+Z0gc?M@;I|
zSlVV*w9|In#kncfSTh?;7LEF(Ra5|#x=$;4h|F@rqnx8(2(~3wD|62lD^#YyxyIS{
zIMA(?l5F!iGnSku{aWv#iizDKH$kgkG@gD@-R)7Etzuuwef2xUtyq{=iay=-r(2(#
ztsUxeZKb~co6PU8G!@G`;U2E7N-0X={Cn3+TXw{Dc7mz?Gg;@fi#dEn)#Z3W*vC7M
zoTG&FafY^zer>PJT>DbVdgWkeW7B+!o5<u@*$>`Eh>@$kWY2$_Wsk&#*PcGt<mH3C
zL-~hX_X#@u_D%ctlt&8u&C_{c#^+Q*tfb}7{$9a-5WWTa6g);O+<$m;@^6)K`2U{K
zDyAe~kEHtv8$B+3JR_tMdn_WOQ24>X<V{o##wzdrO=$O5r2_2170{ce;%s05M6ZbF
z4sq+PfNbCEO#I$0p}>EUb8|~Z{Y}{`^l#!^0~CW5ke;9j_$&My++Lvn&&emIPqzZ1
zag(l307U|;@I@@*7{Q8IFQW%Pp`9DaSx2wej(>0I!k0h5V9E6j7UqiX?n^BAO90z`
z7s})lvLMUCKc@KKEe!r+ivQ>1!{1fW{;j4Mof+4B@&Y?3EK+L*&U0PI=zEE0;b`-D
zKZ@HsoB+b4!Lpg-EaFt)`I0#eLpfpiafSk?KUT$+n}gcib{$g*?aV|70}LmX(o+c|
zNP6!`_%%+rl7$xfJK8HGL?h*x00}kHg!50!4^GyF+mrDRfb_h|XD1+m>;L4bir@Eh
z(E=w-D2DaYeX&;Oid4^KkcF_lNX2NXGvp1gjT{X+tuyJ53FdjwV&OzKt~6qfTeg=;
znn4`<Y!A!h>Sy|;(7o+ARFf*mnDJk3{IHHX65w2!$cRG`(4X=GC5*lq8>>0*vT*J3
z@f$JnTP)%Jzd2#D;&PDEx>_y(+6}6$qA59q7;W|7qblHrs9+|b7wpsfST+ULsvnEV
zM-!0Z7UIrjnu&pR6g2chWzT4np3k|K*S;p#btHgF1YkE28BhxjKV{&=`}0mqG=vj7
z0d52uB8(td^dQ90P}#wdvD1jB_kgbV%#Xhk{uhw#bt=GMx#>;n%k?RUJQnVymu0t$
zc+xXgkaV$!Q5lGve+MPGGjmj$tLE1$<i+>xjxRSrpzPl&BQe{@olq^P0{80uCbbvj
ze>v${3v)|E9yjXx*e*$69zKgn94uIn>!p1E2EKm-GkfFp`dm1C9XHbV&Af_<=*}~W
z(2&Aj6QTS_G-#a}ZfMrgoI;A3;1z-m5dj^oFby>Vi2Lgl&goPj=n=SQDAcHd9p}v_
z9$Sa@l`eGgj<nwn2Xfbviw%te2iYGSHw-EwLV4o*&|dTvD5MRPrx{M*`+wEq!tMcq
zQzo&Hnm^)uq}PGu#vM%3D6#0+;q6Hr_J|-p1XN~Sm(ScTy<1>HyDnpCJ~D!3-xqY@
z{`3TrK9?)lNoIOEnOI$kF9a6hRg}Q0XM{cCm~RkMTKfD)*H}D#Qkyl{s<YuxO@`<Z
zKXxXi;tjbUA<c2Hs3;{F$<brk2A9$Hmi_bzoNhVZ0<;%EBzeHv#aON{7q7s`s{oeW
zkI7@jsAQ)ROFwYsN4960!xUnNSt3OeKa>x4+zLJeoL5^|EbD>mOUdu`%McO=jvcun
zTnvR^+43;Z#$v(XGkxUDef2D~+)g;zPPs&NX+(`jOws<FkO&+`o)3jXTBqRT&TV>%
zA_Q1-feKW?!7OCLfrmS&>4sYADFkiN3S2WNTC#Bfkf#%H@*_O4QCtiPAnH}&+R5v@
zC8Fzp1%BVVAr$z>6#p^Be@yZJxpsa5|M80dc*TFb;y+&TAFue2SNtbd{3llYCvEvB
zZTZhj6#v#(v1rkctrQdyR=>PnsC~MO7}iJiMfs@NJ0tp2tbS><sEkMz+&Dhm^@uG=
z9yi&Den%1k&rD6{K?)E?zXY+mRFp1=P`*qQ0wTVz6%jrVmhTOWIR1$BH<Z*2m}*dn
zjA1^^C?=_wKK=!PQ~&e(zo3sSPTsSffP_5%{aVrKbS<nq60gQ1i&E#$Tw$FG+TM$N
z01vf`6b_BPmw3Zx`m<;-oCfkB^Qr+N<A(6{P=Ylq*Fh+7NO4;`6nbkK4!skQkR_D@
z$3c>2bu-->rffBl7!6Zv$2y#TlcWQD{5>V)O2$|7AYhz<LmD$KCaxSLV*kz1^9TGR
z?;F-JkKXEP-K9tK5kbs|?%>eOuZxBCd;QO5Ax}t)AMlngd&r)$$p!|>2eE#jpV|e7
zA2<o?ICgYqHFh4lUHV0{uqqm}YxFI&4e<UM>nvv)W`y<vN!r%y{pK0LJ>h6PN?>&N
z<ty%9TGKvS@1bmaey%I^<0OB;tce-G-OwJ}LGBD#_fq*j)ufx8F+`nG66o4QTJ(2L
z)qXZC1Z6m{a9rSUh5V{2MD#R!IVEJtQ7V`^i{98ny$xS8e^NCyvfTn=@+(?!TFR;V
zWcksJR1axwPE}A<acT!v)a5s5r&4Cu%9R}qF04cA<CXT@)}X@)KG=U&Z%}lt`so`0
z2aU}(>V??#+8W2M6XIk0>dK|eTx;k-lx9^jq@`e%!7L4p61hyKeS2$=<tCiqOIatO
z5@XAwUG}`i3TYKJc+wJOQ<dS5<jx(-3^ils+GAoPLtK8GXsVhy>POIQU8#MYDCVuF
zVQ^-#CrGlMtJ}P`R9Ti)*!IMfprNsI`dj71C!2EE!WpF!`ULhwbCK76eE=trhBA+@
zzZq~AWb&mnTF)eWZ`YQoSt0ZejRD%tM0@R=zMXB&<%%(B!hf&)m`Q8O)~lrF<R!M=
zj;@=f^+$EI*yYa27m8G!vkfbb#RZm<)bn_$RSoak6>&hpcG0X`&QJN~xtLWt)pIV?
z8bU89$OY*OsFsL&GuX!dD>pRD$2CS&qX;KAmc`*z%ydxn{I0u6KmF<;X!%8HLg@qG
zA1byTDS-c*aV6w(v)Y;rDUSVpg!k{F{3YYxfpi_Gw)BnKkz2Sl(At#YB@|Jc)CGN2
z7T$q&*$qX_$Wt|QsKoke31qv}X_ZimlFSSMSkwBi_|WYu3#6&iKY(0V{afM41!;^$
z7NFskYT=2!n0ZA!yN>XZCI1?jb6NK(Ap^6Pi)Q+eCrJO}%5r-L=?+UQD7g9knK3wC
zf>czNhMI^WQQ-vldA)j$qqHnWgLy6U6di@L?&>>~46oz}2DholMgpt^fyjX+q-8Hb
z=Mp}4Gts(Y0l7?hsHaa<d635UY5>N3ZnjjAR)fAGw`XpxjsM+}E4OXk`Z-}`>JN1c
zIz&J6`npN9dmS{4Iba-SB+_|EZF&?}{7&n(J4M^C8-W>IqjALv-OFy}7DZA$_!-`$
z5!v9UFsfD?;aoa@wMFqaZUAc8fCgMH69Yp6JHULmZk;i8HBiH}Zjj2CPUOPItl-q8
zjj$Rk&wf>(X+u<0&%xXj$&D(ZJ;kuTIN=npqQI734qpF2=4X>7iK!PWv~$N}kc5#+
zH-0`N&-i-z?Xr5o&?keRv<)LgBO$0s_!1WlXT`UY-y-^=>hi_*l@XI@>T)^f5+Fat
z6S3sc`+v2UyJMdPDm9l>@=WbV2=pV34$-F@%ycz(IwaRL7#1#HU~frt#+<8zg#879
zGX}I0l`<;5=TMHzh8$FLpnGM;gFOHq9h(oT7jw>A4W~Mtz1p{Kn-v2`b*=OruuNYU
zGl6<b0)lT{`opUTTEKIB26jairM<`i$rXI=utb`oz_qV%Zc921mq9eSb9c{Z?+FXS
z$*FYW4P8~h)T@+f;RO0)86$JKq)jsvFG=H|S#DF&NQGZ%XN1$o;^k7DM<uD3PSeUK
zso$!hno^`6YO0dTi!(K+CCU3SDz&WLJz6M0-=p?WkBtvzmEu;Mn=#$l`8^q|lkg4|
z(dlM>95fTD)YChR=CN(G);DR?_Z#Dy+R8#tt-|Jq`LP%Za|KE2Js<-J$vNjwKFKK!
z@?^gB{HUCpDy6_ci;LdKzF}NHutcHeiK)0VPh|cQUTk;I{w?}w4A(P_5jmX5#!CI0
zTuY7_`w}yW0QcF({YHU>OQ*(>)Cl)dwDnl#`_=eK`FsjiCmI1<syU|i#U~34Yv?;9
zeVvqh(%=0%Z^c8kK@fkye)C_GE7%gM5smR&bwlycRnKiSYcCgD3Tyys$2dB6Co4&!
z<>d7+SgVD2Wr(el$+YRMZQuZ`fi|BcPLj_U729jvwtkqQ<Gv<O8UIca8m$^_Vy|uN
zkD~eE*kq_@fk{U5!O$SUl>=R^{JZKtuOx0yQr$f*WO9%iN;#Od7Hmb5=(%k#*67sX
ze~3Q%-^0`R|KVHuy8f}z`m3*&XgD=3+N*9`<y~ly@UWGHgY3@douNU-<5M8F{U_86
zCiCzr$z-SNK+n!Q=QJ9M35mEynv#pLS1*HJCVKZi3}{}4B}>@mV}NEw<>oS~B-^gZ
zj|YflB*f<G43&20v-!a9CAfpI-3X*!ad$RZvpw9*QS?384Vy1D_Vt(7r#*WUMm$jj
z&mZ`Wr{P|MRD@<9c%)s0Gen)QjuSOMcwqXC`J8VX&7UyUTG<;<^;*j>B4^Mxj~>!w
zy05ohbhKXdcw3S%#^=8UT4pC!cS4vsc7ijjoR}OQX(Ijs)3hAT^+TfwrAVKOpcJM^
zEJ{>dO!P0x+xC7^I=r6?UySA3bm}KSDRlZk5>Vj!5MugHWMIpv$Cg%X1Ae)U7SWAh
z(6-Gxe4^uGv2Miq?q>^!2K@E0hw&~~FGjsXWtf+_VtJmPv)6r0`1`}X<{vN%KtLKn
zSvd?SY=7(aA??>UM;k#|!GmYB`;>dfnd6UX_CY}rx%yax((Ak1i7K{N*2|i9x7QlM
z+CN~m{FYLmp*^p6!`~ri77LO-f{};Y5328jCqJGmZt^6_*VTYt;X9<hKVVBQy%Dc*
z1}N*C#4kVB4Bm3g-gTY+Pa$4<G>Jbt%~#@5fS^BMpnZPyKVYSCPao^xi{M*;*Xd94
zH<LeL8H#6rzz*L7o{4&hn`{LidK-FQcqU%k4k2`52+o!g_BnpIJ7vMIVSnCG6!Nu&
zC99wS8zpGsgY6p|?^clvu`N8YqH0|xA4F{Qt}Q6;rHlL5VNQmc73j^ZPtg~UPrDY`
zdcOssJDH~nDob(JLarriiYkndU0;wiwE)v*rxB%QI^I!%Sk7Oiqi`9$&_N-R@7M8f
zg%72-Ai*?#&ksT@tq+#C+WUYHWqfSq&EF7IE+jPdgQQ8blj$s#4OT){t2Rjk?-SHv
z9Ig=oT(HfUBt7eJCK)sp97UL?>44Pj1Y*Z!Z{;~Y%G>2x?fZ1Y$GkK*^5Ru})k%(l
zwyU6FM~zJ+gI}NCB)7m+gLXwqbm#-=q)><(c)<)7TNK~m)H0zoV#5cAgooghZomhC
zsJ^EWNx+WS^&ha;FCPrR_W^vl-H85q-~WI${sHSM{SR3M-%$Q1Cv=z_@ds=H`1-N_
zddqw7?Yg@WTo!yvexG>{_yFk5KOwb;UQn$7RFj?4ZIIcxJuv;yorj09QB2|4)iT8W
zi7%l&m>)6fpPxlC^EumbrmG+e@%gmJfEY#at}(znE#twW;Y8l1&iIrGNK=kg<_N3>
z_S`0#N{SPBey9~lzdyt0I7rk>bTh+P|1pL8VVJf2e1e)a-m`I$NpPPgP#&cO0-1;t
z<IX=00d&&oEL2EbkoS=N?)$!M^3uz+wut@f@IBSxQsw&U<EUi6K9qa$+<g!Nw*6~q
zM-dY&PkXX@<;lzX=u++-3W!rO2+w;4^mfYv2WQ^se{L7=pDql7y!ZZNnL{}-d)E#?
z&UJXB`U8gg&M*AYI)7~b4r2P>8%nBGL|HnG`;X;+|F&1}UDm7QBM9oz>kn9Q*2`j-
zFW(=q`Kh-PeTD9SZRS6A#Q*ud#NeRx>i7eRV&37Jc<;ZIyzNf(IU^u7Z?N<q!T;Ar
zLwq!;0CVVQ<{YY}N>S;{hrjj~9$zGX<@BE||730M|MLB({HN;tm3qOFy-W)xO`58*
zOx^i*rSqgiM%==h+#B{~X4a*=kycX6TapVrE^p7F?zhv}EkALsV12zvMDeNo!Sf;i
z&HyXH(<bMCrT1A@q{%y+VSmR0ydQ7jqx~1<@7T}3VZVF*nzgKJ&+(`}SLHY$_Upb3
zr^hN6HufE-U(dhEYg%mK`gQZ`HP5~n^j|r>ezpDT{ZF5p|1f#Qf0IT2XV64oRr2w;
z9IP6s1R5IuPX6%n51CiwH*wg1TB`hS`eR(GZG?Ym{}cRURnIop@wY<re+I1}`<He0
z&3+61P5>T$KUGuy%YK<cST%6@p#7r#4{2-m`UU>7rU5JmGEA2;O6ctHGfWCwxmd{L
z;`eKTXIVa6E0`t;Z2E2jwpotbRKH&L@%_4=iM0!-zja;z{e%6XACKpWCI6gM|6S$l
zi%|Iq%>Nk@*!{N{{avy3-#_*r@$wm|zXP-X{^9?y&*Jgq-{(L7YyQ2fz`o#L{e}AS
qQFWu?GMWxX^T!Y@4}jMwsDGdT{4e|Wk_UAU|NLiI@bBIJ|2F|#2tVck

diff --git a/example/system/amp/openamp/driver_core/fig/openamp32.png b/example/system/amp/openamp/driver_core/fig/openamp32.png
new file mode 100644
index 0000000000000000000000000000000000000000..f6c0136fb2ec1561b664477b3652839a47febd61
GIT binary patch
literal 85046
zcmeEvd0Z4%x^}U;A`^{U5HX{XWN;zDh$xF*qcIarC)c@dn1CA?H&l$`0*#u)Ax1Gn
zj2aYNGMX7BqA2dtMjhM$jfnx3C8B~OA_`#<=>DGfoT}>T?kY^~%=i87+;9FGhjdq0
zojS|AJWJf$Z@uo)^0}6RAh^6S;<f)21jh}6U>DKc8Gos%_}w7<k5kyxVMG73M?$f1
zXZPeyg58^CZ@f0-4^eh^&P+M*LiqLApXwLyo>7@wa$xqEbRVBLoX_W`&%TlV%%_uY
zgx&Cu-jns$CCL###HU?*@5I1O(|3lStjYY~nU05cUz~XNl?_KOP3sf6$>N{Yh1tSk
z+duOUn;x`|wfMB+8vp*{zX#{PKXd#$r>+l)e&l=n&gzVxGOh%ljPh}{6Y3pi-5DFw
z;1W@HD<XHpp=FQ4y4nj9t4-}y{%mwRH74fgvxOC3^fi7Qz4&6sh`Y}V2AlbPcfa1(
zp<=3`^?Nmseym7{&-mChJgBaA-yT7zZnp8%{XpY$F^?bpnA%tTBmLT?q7OXuF8IUD
z+zrXg8pe$g1k;*O=e_l{Gi%RhhMYdxaJx8jzr8Tmaw*Z`C@aira!?E>%Z~h<yv%s*
z9l<!(yTUu!lsQH)=2zc*q6^gDe^Jn7CIy?$mqfTb8K#+btNb}szx<tV8Zv{#2QG>;
z@KLDK&zj~c6xpuvyo{B0wWby6cQ&70InhrLXah*<<=pjdWk|!In$$n##IOg{Ifhjn
zjSosri(04C^Kn-!cJZG}(>uqSbYr>%tX?`Nza?!A`#l|oA9?(+=JdRrl7x~=TiXdy
zuWbFSeaYsm@OZbonL+xE0fO2VlGD?n!qj5+MZeX}j?5PX+MF7__C)_tUzK%t&ki@c
zsDT6H-#fo8x+XGjg6cTuO%;q8<L6cNDnIgp7ken<`c-2hR=nUd&Q9=m_g=a33q$_y
zL-uMTl6GEb&=0*aKl|2@Z@LHqZHuN0pQrZ}lH$He4`VlDwNtVOk5@jp?Lcq3XxxC|
ziJu;vJ>LJ^dI$D0%Hqnpbh0bjRO;TzS#5HLC*tMIIC~}SaLKh4HglHxdv(bAI5Yk6
zZ-j~khB4(!Teo?)p98x|tGzpElyi~E>-raw9bD(%5!jb+bnLLFX!F`p6PJl|$>VnU
zT8G8i>T{LGuwAHE#*<qSQ5QSvPhWlXMc;x;Lj}X=eYZ---;BIJhK<F8R{iEbsnmsD
z7^N?%H056CDx^Q&jYWs`>05S@FJ12oLrt}w$tVA^>Cnk}ep@u(d9vUWm5(K)!@5ga
zD=sdblf^`M&}ue)C^_eO|8u)Cura*6^2g|gSFz~!P71+doid)S{EWz#z3R#`<EJ^P
zPW!Yhq3q3)E8&&rF`a5d4&B<E=6AwHNb0@i_2ewi_&JV6_e%Yr%nDq*pu5ngKIDhR
zRe8%Emkt+_)@JX>xts91uYGF9;O@JUBm0XxLsE0TFC_biJF7pSsf}}Jh{~ER%Ciry
z`vC)7V%oPpKrmcASaMDOxGwm0OmmfwYpi^g>GR5l2dnXHc6_)n>)3GFvE`t0-q)Kh
z2@QRh4<EBRvVU^GoQ)o)hDp_YM^OFr1$_GN{!3n1Rh^$RZKj>-4ba*N!L%RN)QY2h
za=&SBYlG>p8Vih~l4{c?JC!Y!2PeiG_>uoQ;c!}Odo45hI8<abPoG~nWp3&A&e|XI
z!pElPq`1ysl)2nL+^)$FCJX$<1)r>SOIphhq|nb-86W8aqeuHhL>JE=XcuexKyjAc
z!%Cu)C{!Pt((rd2ZoP4y)jt*&R)*REr+ShV724UZGQrfw{8N)c3Lc+LT-;o!UG$58
zs@lnXQGa(FvswO*LRl;G@mjk`ynpMLy}GqQZ*M*rqXw!j#0rz0&1dX{GFNZw6>KLo
z3{srQ(RJt9Lar!mPRCHj$JiNOExV`-jOpbi#Ol=!YNNZ#iHxD>e7wAP?@yjM!0R6;
z#Cu$9DPSm7E*ibu{7GG=_)E$^n%YPqfz?5HPO-7jITe_w>zd!(kmkgHMVI8W@-3n0
z-ruF&MfbY24Vgb3d(k-dgRas2ll_lA6T53iWocU7?JH|k=i>h8mxcQM(vDFZQgb=T
zcpk?~#jL!@`$2ULDLVxJ|MI@DKFEZ)sqS={osi_x+W!*vn)b2!Lji}32|0xWTN<wJ
zlP;mU=@i||m9AFix^zyXXL7~|&&KYWl9OV(U3qA&eZ>Mfa7kMG-?*stEsmmF%&2vX
zIoLrkj_wq-F~>B8pX17{Xo_GAno=~WPuL5)4%r#>4%5Fn<~}{*D?}OnFQ;!ttm4&-
z$9%1}epbG4>xs`W@OiJ@m>*bo*CB6lCC%;zPs>j#@|icWA%(l<AKf%`Z4$1YfW2ww
zfmiJ+W=&AW6%()gaP1OB2S#@s?Vg2EG$l=+w|_n7R#LESfbjwy$_TF}kD0&3O=$4F
zCryK#o)$-S<Pd3A)S5oDh|ZJ)FbPr4lG1BgUFKJ{7AEdj9?M6{Oe?i+qCIY+yL=Oe
zt*&34u~zd3Lowp!A3X3&f6xg(=w|-GKU!YDi61m(_z0##{{{EM+W0MT7WxER41Klf
z)F(T_=jEgXTb~TorY(q^K3u-)$j0@X3-HAqv;D#!bsO783_Tk6TKz$e==Pg(XfLzf
z^NO|w`$nF-;v>|Ci03tJ`_*@PhaBIuN{HPxSq{@?=~tRJcU`8Kz4VF9Yq#9|_og@f
zq)#;79XrRAVUp3EZM82~cy~<u)72Y7k-mj_kChV?Wek-bbjqCW>?-#32>PNu4NLWF
zzj(|1%T~+bRE!>u@skUrt;^K@KyM2CvB{=Ln^?o4;Cb13^ip!ZkYcHd1@c$SyPdzg
zN-S1CR9YA2-O_ONifwrI%P-ky=_?fSU<<KIMOaK?&d3xSo9Xrc8+)L;%0*Ly{=tn^
z?V`V8x3)?uj6vR7;bUZ;evpGoKE<=(#zQ{;i@w<CtG1F&ud9S#bMuN-K5I48s5Fql
z!dqjaTHIrLMrBR+S?aG6IN4U~jES9NqvdnP9B$N_zLwUc>QXa*@*i7jp?W!!`e$8I
zk(@o{lFHMPstEc}p?aE1)M5;}E(JLLPg^pqJYvdiX)qm?L!E@PhSST89>I3Ci*864
zY8a%pcGEsuzN)SvDBZrIaE{82D0Z1&9+O$U^m>zlVntnhbK<P1XEYAd40#a!{Fc^m
zfV<b)q_Y8s<~SLK$^V*W>SO-5)xIEq5Bq(uuD37P33FY{KVJQCuthn=^2;-+id?-Q
zWx$dSH8+p87dp!S+R%7xkMvjD>a_U1D{`dws`<zBG91i5Zxx^;V|*EVQJ#;vjA0IB
zsvlZLQI@rD{=Fgc!~CciNmCp1&)Zi1zNHtE^Su<V)aq8CPFF{T6`l@`lLMRjMRMIL
zr)Q@-7m`g>N@1l=n+GxVW@9(<zcU8jg3j3-<(TWKj^><J4sP_#axd&fw1bqgFtx9k
z82Tql6)%G_u#p3v%jfQ8W`Df4=TRZHahez$iRDNt%I+!_Bd12yRQ3&NuBoJ?D7<(K
zavS(%slA}6Pn|@y*tZgOv4@JZyy-_kmig2wah~aQ=c4l}iK78U4XetNR^B>myA&@O
zid7Oz0k1i6m0wBjodxzneJgS1Dx$Hgk9e+%vVl1*l@r*YI5D0!-_K9?P>QD7m#|~v
z;!5w5F2^>%B?u~c?mw73Th#$*tU^QNoYx$e8H1Y4ca;&`U#L8MZ?;g8EUejV{9Bq|
zG*xWnP;k=(+vxG(WtI5vVY*b)bHPlE@K3zj5w*2{C{i?^HCBbFYSVJcK#Untr5+~Q
z{i62El{?GLj^~$U8K1Gw2Zc)6t8GAlou}T!whfbqIRUcj&(V%hW@<-!cH>?-71p@e
z8QOzP_q!hbz-LvL0M()~s%&f6oo$d43aeKvhI9HUDE{s@O_TCtjh{TnesVVw_|@aj
z<E5&`hsK~+Xg@anb=92wOV7Waqt>UPqk9_r$zdoBoZWM~s=r#{pOqU?4KE97VY_cU
zWfXnbD0<o^M-Hy2B~x|SDwtqdPo629O8504IAH@9XSWuT{vu^H>JRJIneMOfed+8^
z%?PN9*GnaO>-W3g)Sh()?4EKHEm`O-=crcmlOG(WH`!@na(~LT+OmPr*IZ6X^t)ZE
zUMt;idX+u4=~Hu#ZGG=FH}!lv1ud1U6gGz#y?PdPH0lvVO}zB`w<0v=W(J>5Apvqd
zK=mir^R+d(>9rNYr&AB}$yV_Y-9mIY3_}mixw~#hxW;VVz+PZb3-fN;Fo?DMp7w*(
zJKC?`B~6ct<o^(-jQYG9$X+RCbRV8pG|cF&DCOOX7=iPSZ8jqeFOD@fux9D==+PJx
zq_UTym__yTk7!(I)sCSJaT#l2)}Bvvo!V0HZt<L7;~HKV4O(2ee59SqWH%*uqN)3r
z73M0&!Ggz?tMVL#vIz4%Hh7Ay*WCwMkBYTn@$Xb$KGdwHcePV4)g(Qsm%Fj5F1hg1
zP~H-=47eim(oV5Z_Q!2~m#`b&Se4-0XIDG1ragA%>qj1A%cU|pE)_)G!k!O~{2Uf&
z5_`Xg8XCg7J}1P!v2@OfO*wk8r`$UzW78_YD)=T5lHz{ng1#YvT2|7aVkf8S{PE?-
zmLKc;g!P<9&>QFx`ni`01%6X}V%-lpXvXSed|X|G!7C8e|B$0UO+}%$sI+GJ_Y+Xz
z2sl*03Yio+ReZr8v*L143_cg-u*hLiNEHjJ*46$nLD2fikw{IlmKnuvfpl$Yz#rh{
z7bmk$IYz+~B`!mT{f>!sHExH)uRNl**z<@Uf|7mR2d(_3zktc&+Q>iu{3G5LUWeMQ
z?e$g8tx;^B&bXN0F~9lhwI!&c2bL@l3|~<eq$_j`KT*fpa6hH3{<!W@p+}gjkV;kM
zdx=GRe0kA+*}^N{LB@J2L$_TNvY>mffk~+4*KNLPC&aZcIZlOr$2LxFqOY)4`p{b+
zv=Rh#kW2I>N$JIPxBW67AN5VjO6=fLS)5G0NCdD!Cp^|h2U0tJM8oYmuhJO~vEiqw
zO};B)MOr}v>)%)84LjXX`_MJ5*|>SxbZK4D+eMc<o?wlH9`79zgfW{d>67gSJUgIj
z7+(i*KlT=4&uCsr7;!WD%9_;DD15CX@~viq|GSq*l&t8C5H9Xm-=m+^cW}?4K4#40
zyAGQk=ekTx?;x<CAiCY=pYL+8K~A6N?q=$>y5KDwyxA$idqijmQbiw~ef{Z^1QDQ%
z@qiq~_|NGb@Rlp!0W8D)pZ+zcqP)4KtF!M`IjuoJpYdoG?faeXEdSy3NWVEwUe|@K
zkw5j?S+(YJD@@rvUBfQS^BQ->S=iDl{N+DKeE6QwZJzbFWAz^`Pq}&Z$4k$*a<dz;
zpzDc04b3|fJ=5;X(tEMTA_^`Hb=V<XzBa;Bs2F)l^^!%KV&CaHF5uGV#bZ*py9fh2
zW>5ZoVe=Eh;9HkFZppgW>bd2^-_jSe;-#r2+TQ!pe%hH)Nn37?sdy4?GZR*wES>e<
zp{>sd*TXJjR(oG?*u84g{F^Pu9IzW)^6mJM_uRI16ry_mtG~RaW|;NS(YW^&A%T(t
z-nK(`{VOUwF{}(V)&HgclaTbOd_G8LNA1|q58sVWt>km#<1@iAOM(V<4yzFi&5u0^
zEdfx1)@IzHhN_r_uUsley3n&zmr0&k3(&<X*!tPk!dmPa4a3Xp>kF~mamH|9fR9u6
zvcIp~;@h}|7J83@$5-p~&U+tgCSck=v+(Cr*@?z%@%XvdST=QIKDvM-_Z5u`tRrlb
zuSd@K+1)2L)X+H;bg8QVaFFKh{7b)*CT?DJYW}ZYi%Fjj4XI*>;5wXpId_pa)sEd7
zm(*tC{F{|*4St1XNqg_~?YkUycBxs0^Xy0OduR(KQafqW)`M{`wN6_q2whzXc;g0i
zPJ#dGm*VpcIdj~diZ-q2xnyAI1pvILsh)r@b0AF%^~>e`M{swqwSiwCfEv8BYWCgb
znEb!J{F<)WNWbzrhT-`R&30<W7<^bun&J1TjZL*wigG4}5EPDDB@{d6Zb19`0v*!4
z8;52zYli<%|C%-OtW3Y&ZsYeTW3Vv@A>0v_JSc#uz5}??cmK-&$-d&D<C-q1UvJvt
zn}2To%-8KkczXjU_MBhnJ3fOVj(+C#<68T5p`o7x{FGros%n8D+xU(!<4XUPLkE6*
zBs}XyAuixh;JN%ucegqj3}d=Z7=$ki&)IGKuAsTW$4TYN0-g9<8g~d~F4DigUopJR
zxbH7zC(gNj;ouITN2g8zL{^MM>Qr!aJ&Gaga(xDT`_`BD<~YQ9+N)d=AU(9|X>FwT
z1uWw;%HlYT1PC(fuKdgXC!Q6W5sTFs7bxZ8oz}eKFOQULXEDylXG%=Q-<)s|ShcPC
za9H_~(ucGnkw;_%z4lNL8oYSTS2~9XBqB_|UF92?Jk)v4?Ml<(O(Bg9$qlnU0640W
zK(^(_>V^k4%Bfn_kOAd&$LFBnH(tt&yzli!t7Y(ZiWth~W!;RtLT93W=&ee<{*MKA
zLhSIjf)@6_S+$5l;dQlycj<v6G=7VVbWSqlY#hC>w9Ho{bB2khZ;q+)`6YCAPA(b}
zQ+<^qh0pAY`1sJtI)>@}J$0JZo?oS|GoBUdbRsr*Z?GUNUCAr8$Y6>dp}XBHxq;(@
zhu%tv@c*LyY+)THlz27+(sYJFN3M%CT1q`KPp_C#cUwe5wq;NtN5q_dz$`|tz4HMo
zn!1yZ#v!g0*uKoCV;pVf?=1pqQRi&#8Gik9LS&fW{g=v8<rS9|@7puoA=a_g+B*p%
zqIm=ZIrfx;26kgWLx%om$(78<=SApMkHEUWO&Nd1nb(`y`}!}udDLw^gE(LsXN_C@
zv|(<7*v&lZB&@@m(ihK+%C{E~nyZY5H_F({9v6p40vJ=a#{6&0MXOxYnDGyEp-pY}
zoY;f_Dw*KUE#w9Z#ZzZl8P2~ekSdi7)uD!~WyPAm2@Shg(!vv7&xpWvF9Abg%$W25
zZ9p+ok0a31QX$rp!=yyyI$A!a^Luf0hPM6mF@d#M$VNzSfGx4nA(xP=6v*c@jsj?P
z0@c`L)2#?rCD@ORa;C@Ku|RZXOlTz>RJ1_8Vpy&Oj^z?DxGX3g3yhX`i{Xo@Jk4TH
z>DE>rbgirtKiLCCjTFkvy)Pu;&%4oi3Q2KN8w2Cj)&@o43~Q9?DFDH&aLNR%E}820
zMf<}Q$U(WrQ&AXut@H7FS#qtZ#mL2F&M^xKk?j1yYw^`Y4*x~kJihGsy@#ykQhjqt
z_n`9Rv*CPtl|+s(xipjkCExbI-rJ)hVx&@5_&$ocQES4p67D<=P%u>Dm-r-`>V{6d
z7W8d)ppe^fV^**{O$k=#-&x}-R2W&)a9H0Vxsk11V2&GoE7Ay=`^xk!rxK;=LV|Cy
z;q%NnMd27_R6G*v8ge{t?KeKNu-Y0@!gksEm3Fx|q<R*Dvg91US+{QCs&Y}wt{abi
z^s}5;`Gey`<1lNf517;ovsPKI8aq?i+TqjrcUbv}Q6>8LNmUFKMk@VwM+41UMc-|!
zRt5|GE-5&I5dXZ)g+4YaB|_BB=`+7da}lP`L|`Z+?a6lXDV^njyms!0W@Tj_PD1+p
zyiupSEGYxZ6`TB&@U+UEtD>3<r4zkZX7?Ai&URkKPjV{A4KE+Rz@Cal34l`XTlRPj
zDmgpCy`6-pfhefyjZ_6AwCcw1kAymJnJo;y(Yg&k!VP2k9D9G`(D--X@<c-@rfk;2
zf~wzu4Psup^jtl!TpJPYhU^}pq|gHyz!$VRzPG5V^-fg?^8;7sqDS7|-+mLwqKFK8
z>NWAAO!D#R{RQ0*K&%fkmCAFj*l&8M&mcQt1Mu$qZ*4C2+cl+KM?y|&7l;^SvI;}=
zcza1DaZAo5u1y+(>cgz-X$!q-Brd~WDOvRX^ND8!=izzhXSJDtZD~T{#&0RJ!)s05
z?Yi@TFXE%3Nipe5Iz$XS+5(W*+%xfjN22<wf4m#v3@8oaqX-T=%BJ>jhV#QQWz@(?
zED8KW+4y7Ymp%!LyrvE!tuFjlD0@)8nyQj?(W}jV8kSQ+Cs&~hM@;X#c+U~Ujn{J~
zD{I9JIJTRxmAQW2_MbjB{C(2SE{9g&Y`c79ZimrNhL<{pe%@@1tIwUo#eUI4x(jjH
z>44DpMgfvjd#-kz9d=>$m{fZq>UT5^VjKp=FAb#Qv-R54cEZNjg1e9I6!v2`VI*sp
zyOjC!@PG>5(LSsE_23d1(p=1y_+{0(VGG}@T0}MGo<pdrL>n}*adO>gfkcFsAXCAU
z#h!X*p}mkWedg4br^}vmjHQ#6QX38_o}hAvDlL_=jE|HnxhygK6h#*V4asoBd-!To
z(imZG-c>t|ynT4?56wnj2mb&qe^!>H-0FDSK2HWQc&%qEDt-FS&%yK|n!<?7*UvmF
zgtnEg%<KMGSyjszPXUKV!MOkwW+}&8bbsR9Ug5o$9~&FtRCJyV-<q3grFHCpZ+oEs
z%TB_^Glmxjy}xr;d(<$*;wwfg%j+k^dqh9bc;YDkEwe8!&R-pNdP*=>Y;N#F1CHYx
z$)TU;H+ug$MLqG8!tjP;2<uC_{CFvQ`7=UNYj*r@S&C9AaV|pJ&R#QeQoEWIr&!08
z-7$RS{e@V<NfaJIDVyIpE2!lyzRIFNny-tDSDI0<$ih663)@W=VYl&T5z`w7UVY`G
zQ8y2D5ZYo&C4?PCN(=O&bB^CPo3=P~r$E;#xR^+*!T+;>#?uHSktgTo1@T3GHr~#V
zwmiLam+xM_6f`IQLf2RVcCkZdqazCLl@vl!Q95>Yr%rda>2ID3;!AFD_h!9jgq4i)
zoqy*#j;z+7?r#<=CnM-!i0Kd_QA&XXhu|Y+J0~%y@l^k+_>4-|Hn&HCaPoGmu!_wH
z$LsH+<3f4M@wk^VQ$n2t^b?HPK?BzLx&vq4gW~Ozys(Xwgeucro^1cIf+kQ@f5VGQ
zorPGm>}p>gu;5B-q30>7bwtPs?|a+y4O{ecyJ3@gCU$~1dr|qmR4l?wygQ23WwEhX
z95o3nlR{ob+w@DbM`;bId4p-2{9gVgzlcD<PL(y(kCW&5M-2R?b8NT+{#@yL`?Ark
zwhGnmVB^X4E7u0F2x~@u^c7A=3XXZQs81Lj&6G$`%_pbpkCy^Eiq)||Q_ZSUcOh1c
z`_n4TNzBRi)FF7)_0c^!MB3%LKk|Hw<M+VuF}BaW5FKw9T~jIj=N?i95nqz>AhC|!
z66Rg``$5ZT$kBv2nHhVsUiuGiZQ1G#pFtg73bs(EaJlJ%Zh>^;MsJi;oN;{Wc)tic
zZWh%)D3WgQN?l*y)!|8b$yM`tOp(r(*FAEAZ}>`g_3-A^7<=}f5MF+{iVu{yd*>aw
z?O3n?Ie=6pA(&CooFelM&zg2>b3Zv0bHWS{ej{jc@jk-pw&>91q7>ZITw)pTe6+h~
zAXmUVn=&3m4n@#D5{Q?*ON%)pQda;}e1~2o2@GmH*k0;2vh$;r0_XCTE-4K_74>Wb
zr^k+XWu~$QhZ1YI$KRn$oTWb0f(PkFFS0GD;{5#+3i6N?60n2{D#)dXqa`TwBU&C`
zJMka@$x6jk0whyYDffo1;4tnfHvNuF9l_u8j+bMu%&<6OMkt`06U2NCp#rOPBkN=Q
z$Bm9sph4Ud{-7*0psE+Yufdde(%()r-e!-e(jKnY{UaIBnsG~gq;9Fo#aUDRcMe79
z@$ZS=C}ks3w-9Vun+_uWX2wyy!P0(PydJfl!xQZ`R<ZV{5&V-0e0~zgb@aHoy=Yh&
zSbz7h`>hMA#2#7l@jAzy{tF#~jv*1ERLb{pv2pyeYEI(`Tvb)b3z6qn<Q@N6<o3i7
z<wg~ff`)RIFml4a>HYoF*CS(bMAR~4KnYL|J$RlVk{yF%SX-AGj97*lC^@YMgOMtZ
zEPn&Rh6Q9lvrXSfC4T;SX=`LnV8)+fp-U#1I6-qLXY)iV!g|Bz{;f?vmYsPLHn2$V
zG<(g0bY%Icj3IuuW5+|AfQ5*C*!GFTa4488Dytb#i$>p<g@kdbD<TK>pZADrBjf6S
zV+!ri?0{Vpfva_Avj?S^_ZsJxv4Zi?Tb?-~L&mxZ$^^LYmo9^Qi>LYZwZQy$xp==I
zs(-|UewX6)ONhO#*%UPf<tf79+OarKJk$K9+X+3U&z_9vtSd5ThyIU>X|rxX^=QU}
z7d4>d#IS7JZ@yuB*urlLP$Mkb_Cw;v{nN45Rbx}3Ej8=j3c1{zf<IOok3})Ns66q|
z<I9E@g#)jC*8=-->sfb_PKLD^pWB?OQ0u!~=vf}zN{Aa8vY`Lo;LFWXeJQ;Me1VLq
zpySB60Vg*vDd|EEY<j8hgi~Oeg-n|JAp+JO*Pq*j=-%0`C`17UOb$rjv<0V^M#{|>
z&)3MFe&6Q7vE+-_?1AEWG$qaNKK3Dvc9Y=$j2I30XM9#~G*XQW%u>b$uh{D?);oo<
zDFaHRI>vh~a0{%8kntZg+l|I^AzVoaTQb3}=r5(_h*A|4cBCvXOqg-1b(;zHi}s@1
zI<tRT<oVX1$E(-(6NcQtK|@KGZ_eZkQ+Q%sJ63w>!iE>7C!UI2J2R}r&|EOJv<(ea
z;!^_6MNAf|(<fh<6@{|GvUZyzL5*sA`JCPAFR@V8Ogysi*;q$J(BQ!}cL-iQ{lSYk
zi>Et={(fn9`VpT2UrpJ#^xCKPl>4u|nZ?pEowKy8S#oXivJQFJ0%2PNL-V%1ROE+J
zV@(#)XsqSqi`$J}8;l8HW=2!WI^&d8Fs8m0C(U*ajp#M*l%M<H%wBC!uX}?U1L5&A
z?<TDl`+do#`k_^X`<P#t<@;C)TaMq^<@znpb}-SX_*UsRwP?7ET*(>ZTY1fwQ6Npn
z0%mr-B?TN&7j+&}Oa9a@>MARaXa^oEm#0jWDyN4U7Wj-_%ab?jh?+yba{4=@`ik@M
zII+M7r&u58nftf9@Nj_2gt>02h0Uc?PVEzuIyy~bvcb&WJY{h{R<KxE6<Or>I|x#&
zfsC)4o$}-@(hsAGruETlFQ<}J0zPOHGYq!+04RTwMg-I&lC$owo#UvnHVPS#NquOZ
zrljIOUSe=6U|&)FQ5DR1!a(GxhxeA%6y(Ail?PRRu<_6<g02JYd2*@EVUxY!pNQPa
z6caS4V?Z*+O+8{B|BV32;72jsij1g2?X=<V2uYDVs2p8gpD_6es?akvfNpj>uovpV
zamF#pJK3?VI7^z9?4vH`MBD{rw$>D@R*R$%fl8k^c3H5ji}?VhLY1cqNK~mw0tr`?
zC&Iz^Ub8n8$hDRY4_wR$(eIzIzQOd6^NN~Y&SdJ;kDbYiac*_<OuYi@nMg=b^3W#{
ztk|brARK{q<?xuBL8~F4L3?XX$vR{+d2|9-qy8)fRmA`1CEoCM;vN%2*#Q`&l+4H1
zhd;{WMfbYn2ctLY!H<YFxoXuO*KLh{A!13T6m<KqCai$Qd6Lu{+X~J<apMP+D`K|C
zT@MCEGGu&fINk8~60ue+LFhnir!t+}VYkEe+r@qf236i0m3X$Oi(t5{qd=y~(8n6O
zCd`buOB0zOcI>c1aZ8##1Z%`(QY6|S<x0(M?|Y=lu+FCT80xhlzu%>8nFJYRouWYz
zOa8b@$h|Pl*Cn!)m$lF=%F0gcdh2<Oie~78tYuHOPinLH3U8QGjb@HmqX};{)8m#$
zKc7EG__(&lcB2g_#8r;pDRGUw!%P0Un1c(MQ~*6D(7&nGVIr1t<Pw4&(!3k8v^!$F
z?|yK`a&=$@c?R)9r=l`(@pJ*D1piBWV~h+1wvMf%ZD@#bbmr5Mkywn6XsRIuwr)cp
z^2u{X{Bs2eri6hVFKwkVaN?=w-BZ)_&#E;9Fq?`V4esvM;nkspmqHtNO_!<$mieHj
zW?Ys%sa?mtot;9@`cd6KX!+3P(u-S%ot}4wtYLXElwOMEoc9MM>5?LQA*0MY{ysqn
z?-6;sNBPOp;o}zgBXOwoLyfxUl|@0vP)iDrUr7kOe4LZP8(K%^d<i+7pydRS`Mi3#
zU>jfB)Lmnjzq9a_#FaQdR$S}3)B936RCREQ_X38!)pK?zAMIUwMXE#Rd<<ckTbHNg
z+}-oS>4swHw0wWGe!JTwhP})w+1v(Y%)-X92`ESfw4obb=n>sN;@wv+1<V{i3BeK%
z<}h<0O~JxmhFhzTD59Q<SHy`;$tg)^!*e#-A@o-rR2*!oWBr{vOtasm=ld?<cuCYd
znuIIPc%Y~om$^vgN|m^)EN?RKA*fuTN|ZX)nN%4*O7D#BqClMdg>61XtNrCv)S$og
zn>vZ=z&pmye=+fJ1n{%~d**FExs^q#Nz^!6x3ze1QW_9+Uoe!vl$DEW4SE;aZ?x*T
z&adaT5JqlK`3#VinZF@Wm4LS5aJ<5AQ1Jcv)V9@VgU0c93gpR7A|}+k-u7!1diF}Q
zSMKaf!K@lNuxeO%<dYS{35gX&P?W(dNF`^*aADkjqF8r>qDnSe(I=L8ab!X^;DYu7
za);?*Einalj=J0iD|WUI!4)r$STu-4e!3yrrCx2n@ABIWYBpThxWF2{C}AJVqbMaA
zyge=Dnb<e1;DiY{UHMVCtMBzopLeA4-`l)QoLYIfq!OhImF{$2+F7gm{*hgcj)6;w
ztw1GMv6s{%rlFJI?<PUfVs~S<N~m&%7(>UB#{PB^x&v&xC2SD#8LXc-d;(GiTO<t2
zG0K8K)j`j!ssr|hj2lU>CQiD7>I`*|GJEzpiF`hMC}AQO&+>A$qr&b_>pnuI2G1xK
zeAl25g5KKmjVQ)(%o+-mOj+prC5i)v0|GKppY37&G@Yfs2xN6`ZI&85i(i;nwTM;q
z5@>^o>0Z-oNg!2hRQI+~mM3LUqNw2!LRwpOg>}tHXo!bW1xHblazS<dqe%;0h1lI@
zB(rD4L^QD2iKr-NqiuEW+5YniCkP{?bc~WimSMKQWPZaZfA(NBL2?Pk+U-<PbJXjP
zrJyQ(c<Ik$gq|-;kd<)z;fq6m_8t`RWRO&&$PNP3@bA>mO?nB^64(C3WS=0Swe<Q}
z(w<=AQPf#NtL-hlarwx5H!e9i2&vL2O$hP}cLshHDE&dE&=<rOXvpc{4LIgFCfj4r
z?KBZM5Ou#TX?scaa-U&0S|>$L^r4x~+Y}Gce2C(5O17kpfE%qLkiz$uFH0T44JeNh
zHabdBprn>;%6Ql8>Fh+E(Pl>y^ST@mFw$~Z%(OiA0zt1Y@#u0c5n=e&4jNgQMirf}
z>F7#e(=jI^3eFG+cm<0Y{Hwc-{l?vi)%&+gRq*f?2VLjs>RTYV+dGLsYxbfLQc+$i
zvQMf&tlzzg5olN+0dI_8@6~(qE=e#WY73!azQDfqtZ9paKrLX6z?8VR@JnUo%~1A`
zAyS|yICVRP@;&XW%ijT10A-2&i63wJ?waG^TZ*#1+6*?j)9@m->6rDgh|NKH{GFrm
zsHp?T7mQjQ!E~mCpO&DhyaK?Qq9u{%3~SI5_9Z|-LUPKSyD6-6AKOaW9wvPk%!1Zm
zSvRL@O7Y^E^<feKXv@;;x+3ay5HcpJ;QGl;I*x<@`oEfIqp3i%)^8tQcC?NmkACVM
zbYl6I%q<3{*tKcN^q+g~?DZwKfsLnzyjfKKLoiw%si96KbAzapYlpLig&Hk3U(JxN
zo$=Gv-HD6uClXn*f)p@tvLC+3uU@J5_;Y<OL+>BI;}J~7nqd;+`{Nu_^ylSMT&Ggy
z;tMqDi$WO3ekmq>U%m=QEHggD9lTP#XYn7!CqW}WD0<zNH{W8<DFh#R`100=G134a
zKVs5;HrdVo@YQx39l16dvRXsCZL|G=Ct}so1XNBXY|&}Y!o!=}xB8-zA$2zUsDXRh
zno&DtE~vz#J}vPoL<o`sgLHyb_bClzXvAzpA)iFPcbbOVDxc0!NIL;;#5g);uIfRy
z@>@)wdKT~{mUMgOY(gs>?}M~A5Wvj@^k_3hBPt&%otV1$#}llTi|{cb@HcagF6V&z
zP5_`1rGv@^U-JzfKqvD+6;N4uF?6_=GrS&@NLUEU4lgO{blY$hF~f?^L^dTrEb5ya
zpj9!IrW*rKBL~w#xsEq6ApS^OW3K^U=y-Cs_osx2iP@hxUF2{rj1q4xP$N5jmo?}L
za0#v~NxTzOrih9~pG2Jnl2&L>P#s(x3^Sv5+cg?=mD&Q$4Mb$dd?r7%%zjnsrqw^H
zD(r!1H+m9r&`gflPZ^L5T@RIL4pp?Jzx$u2?Mf`D|3&PVrU(@On*r(nezspj<buwt
z#bJ=A_i`W@C(o=;{>!sxnxJa@`#=4E{+4aHIw)Hw{CoTOHQUF(4;f$){spPAmha6v
zM5`{mAdDnEm48{v$-gvT=HEB}|Bm`(Q;;*I{7=hE)NwZ?eEn|+2n|ruFBlyE@e)3&
zH?*MlQFDy5bINqob0+Rif|e|>s4!E%2yzwmV`c3jQRZS-O<LtXH-_TUsJ1YY2Czg$
zl86vmsGN-@5@>TnBn_olM>H(2`kor!ci_60P}M<iE6KOFqgoM;&>f9~I>o*rJ=g<4
z=0x}yby(pw5c>uf%BK=8ibo#7c@7LlL}2W%nJPRAO+Xg261a1@vs8e4{t+lIQ2OE!
zWJ05H!;BVY!4>d6h%gJN9mD?Bot{|7d-4e+eu7I<XORu7C9k3yYK5YPZbIqw?Yr9x
zTR&qUez9+WGE5jA1E?adZ6f#D=Rlc*B&Vr!&l~(34=`#BZ{rhnf%Pysd#Uz^>+e_t
z2LMxsq6#PW%8Dw)-D+r<BzjzcNOf(k)V<VU1f>UF2*4T#Mw}*Oo~-*T3)PBrM?wPv
zn4EZM{^d$m!C!{5W1POBk(BSX5Nl(4eJS>fyNO`Dcl)i>QZJFPt|%HUzA{Tl`rVWA
z@E^AqgUdL#W|;5(`qH$;_y07he7sLf!{|qn;?l^;r&?zJ6cbZjlO_1K=Qa460|3eA
z_<eyw*sOvB(`7=>qQc|rS0<T=;$2dCt$I{LG3lHLBKc(QHIYvhc#OW%<a6QGu1wOi
zVw}uMdKG|$(qqZ*f>n@~c?uoHbLH6mQ{EJLxumKwBnQui4lGK!J&liQNDfGSPb7p!
zL7RYT;w*wgQ|hqkyF;6rIg3IbAMnm<fV*H=(SGyQeQ~Q%3+2`RW7H4?s4l;Bz`BxN
z(;Z`9U~*iR=-XU3S=Nd(Kk7FB&}NXw(sd#EVCf{BLcinQ%)6|?#LPox-8y+tST~?5
zmza!~&waAPb?Wa6!@72o+HjT<B)m^~d=5w~2eP)J*WC6%Rw($5gS+QHNR12yfyBMp
z<IPTMgw&}dMm{)YXnX*XJlE_Q@I)fIYgF3$1MyBC8vD{Xl9Q>O+`T-7%90IeX^8UP
z)y}xqk`AK>emUvqLZ<5uXrfGMSfM2Vv6r|qlHN~orn<Ho)Mr1li~6m6xsXYifA@0F
zoISMm+v}@po6(~|SMl;7Z!{9(<Q*Y?RW(Yyxp`$1Pmpm%yKRzGKvHY5cO_5@=kwwu
zri9b8@iu37`ai>wqI%{p!x1PcZ$cD*GVqc8uI59p+qOr9r3+h_)I%V&fVoYwhCRo<
zva&tH8c4LTjH8R&t?Eizhu!SV%_CAGSXdoT)I9zCM^l7~KhT&k!7O4uynSC%_RhVL
zgvLu}QvESb;zIJjJ&;wjZY^7%gC~<MgfEAtmcK`jjCN>NVklu8)d7Z_y!Gmp7T&4r
z^BeKQ)H7bn<Q{!b{i!p6q8gY#)^gmxKAC$UQUAlCuFTH|Y(^2w>&spVlkLjQo6FfS
zKwOa&|6bs7A&&`!3hlnNoii(U7Jq3Ml@324E)gCY(R$9Ea6RqL&<R;q<{Wt9=%zzS
z=oaXmXuASdX}Oz>R}Ko!zZ6`!jAZT4Y@2l_oU;-N(Lo-}I>;a<XuuKMJ*8oCe!%A`
z4P~4xJE-P>$2medXrs2v)(kUKkWn8eY?`^3L8Nc!rm&hi^?b3g=>rE9-4S5$iAJ-U
zaa0-nzO91#Tnm-}1O1D&{ba%@ax6Yt3al+kB!Lk!>X}$&0JDoCd2o{<x;8=T3YK*n
z{l#VjV?7XdS+&U$+IF>>c3pehkGKpy;rSr<a%7&k+|5vc8DsGb5*r(2%8TRog;GNZ
z$S*&iP=ZGiae!6Os0l=86CvUUudp3Kjg{8lp<)(<j91>wpVuvCJRGjP<T$G0HR?2I
zzACgLwqTc#!W7?SONi}nWL7AW9K2OkQ<lqxo-Ot62vSKeGU=~oTG|@IhQjUZ4<b8-
zNE(IC9Igqryn4h%?p`W*2vNfllH>_e_<;sIqc9K$Rehhvj#S;uq2do%MpA4+pi8DB
zht8}DUXFNDBEOqs*%--|xdlL0%uKkIkXu$PG7I%SF{Z^$7&8dHsV;m57UShgE(E|Z
zQL9ExJRbIJ>=_j<Yr8>qO^KUnjls;;h6E?tTJwD)?rdBB4%or)+Zb`V|4JNo!kPt#
zP7|>&)T<`InQz3;LCu)t1SKM9dy*W;{wQtZcfSA8SM0|UU{S-Ui3=9OR3Jel=Olm-
zSy*Typ(7IE6Zz^AIb%da?aP2tcwaz^{e7p{6Q?v3j+%J9(SR=4z|uJj(FW<!T2<sm
zYj%GFDn_VtGtSBEcItY{&HO8`b+lGA5v&f4b&N>ex-vfa(EetjG+*l*%N!A_Idpgx
zjBB?e^TCH`0SJx*(<U@isWqN4&otI~>$OiJlXCq0&z0znI?&aQ#BpCPL$q%pT%w2r
z%;X9Kn`Z_j)9S*Se6OE;q%;)1elM_kFtKtdrNGXctOxp`(7?Z1lhS2D8NGAOqd|R>
z$Ge`wC{=LPN?ul+M=}$4a7F@oNL&)uBnH|dyz(ga;f-e$>KN>U<5D;Ce(dJX0_LNl
zVGOyAPgB!&#Pt!nLH`%*bD1W@1vI3MRkp$~uQtW`ObgFMbckj|N(CJ7fG_wV>Y*-z
zmHNqoF`>G3;F%mzI2-IxBZD}kp$)AyM<D8tyz?)Sr<8ZeEQ6Z*hUR~(j|j(}IZN~-
z0j5;zlR2M*{)P+^NnxG-CPS45nyfN3082}_5&>yYvK0I&oGEgBQzWwj-#b|sSKd2g
z5BgS;Aep#?gX+wwpoxr(xE%T3Yqkkx)GIiXNKl50(1_}q@)ztWU;~7i=-9XsD;nm|
zTZFJBII+qjE8e>DpXq(UFCqw>DLY_xrYyta+Z!s5K_^H6;|y(!TT7VOB_X!knQEEX
zB?Hi_3O^3MRla)8?UTbY87u;1H@2)cq&NYQv$cdPKrtR~o5aIWkV0yqnLpx6>Uk_l
z6{;Nz`f2KLT#0kN>j3~;+53){1BSPg1T=S1xU6xW?my8PTp<mrlua(wl+5D&4*dv|
zwq&4SjhP&AnSv2euHIzsN#75&P2PSn?o?yl&WgY*mbm9pOqxMO#}BM9B<0fNrZcBj
zCmU~q`9M&_wB<mYem8QFo7NUlcHSET1Tw{KrTFo|?E>7r?*Pk5Fqt<93qqVooufMB
z?x=*;ga*GV8nLU6==nNlNen{k^?9BKZk8lFI9?j{qUd$UHf0R~ab{i(!3Y^B&hgE#
zRKT@Wl(b&62Cwb91^ksrRB!RcCE}^ue8#aK5axsGU$>)b1vu#n%%8gaSCg}kL1_Y4
zwZ3_-#5B(bL0V8<-rvItp4=sJa*sCCyn^aEeKR}YL9@qsi0TPwHY*U2ts3A#>CA(G
zRH4WAMF>5~&Jm<W5GY7&5lF5b3p|!~8{PHT@<R=<BGdg%Ef+Gjf7(H5)}?Crw0QB=
zc_5>5jG={s70WT|y1X*Cd$K7ri!m|6Wt5uM8^i*fAgVBlWg=0g2?Wpua$0fPGiN-2
zsOnl!=FnS#OKJ+|g#3vCTS*eE;WiH5J)jbDp@v=q74WE%Uc1QqRgsL@K-B~-hPka8
z6+zEbXkS_b1BX2IEC+z7r+F6XfFdQkUjk^EW}CTbwIP4Ip2);GaYSkSFcUSmt~i==
z57YY+dX?Mq^^%I0u)NEd%s6gL3rl0CItK}=ebvt!hxm+s(!bImAo^oot)vk}>?53t
zu%pq^l-7{32600=Z`WERFQiW|a=cM%rcydiaZr5Z(^f9SLjHhhS;=K?8<JQPg=(1+
zLn|>TorhZ7&sb)EkyN$zK~$Y_1_KjtU<nFAOZ$iS?tIq+Ha11)wS=FWB$)Vjwi2n<
zouv|JG#9@{MHfoxP_ODkd|(aDXI_?|PHja($1J#G5Cx<>n2}bH_dtCe0MfazG3MCi
z#<W_FC6DoM<}z!tr^ei>&VT}$CwVl~c$|yuV4&*d1t!M=PDAd6fat6)`%|BZeXZn*
zm*3}1{)BWu7xdrNce*2$c-X}9A8*YrATEZY#+kIolH`o?dUX6LkxVtFOLVu<T6s6z
z0k&QfgRY3Le<plvw?|y|yw+{T2{to<i_L4jI_z=_1nWaZdb<B;sRn6yRU#g%hpc7#
zE$E3@g4HDnaY#O(4g#H1mUJRX;`)Wy$R9TBaOK?a&<Jvih4hz*)i>z>gX!3)79RW5
zFM3%py~M!tIy8B>&}q8?2Oh@Y-4nf;1hGOX+`N@3fP*d`YhNRmY;&*E-6SfbBL?iY
z$cI=(1|PXPNr7RXnAU>Pjg7*`b(twRG*K=LX>5#vLXp_Q!P%r;nW&GL1_6bx6Hdgv
zMD&&xVRJ9HC4K;=-ap~EsTiqRPppj~dzJ=_fytTUmopIg0uK$IyID(8kw~#AyNk{T
zk~#SvHZH7MC7@g-CuE>taA8dX>MDzKT$hjzB@!95I^Ikz&3knHx5~6oQc(pWS5*6;
zeY^!HAtSF<J?{umjj)So{0gkJqQ1!TQIcq8vdUdAwj7?DheTeG&8x|lR-+(g8Ux!5
zQz6qo<)S*53m{0YHDs`CDKjMotaN>pCTrEKW^njgDhI2l`1K($M!ibiQBg<`t`L&q
zvsCzoXeZK9qEuS&W7|z4mLj*6sExRCM1g-k!x7t-ZN^$^y2YMQ^k?Z%lAE;+ePuSH
zT~UUMB&N|y$mwrB?6@B-IeFU&rY!RzhKFmbkZR0vHh;x<)#77{9F1tL`dG6P2m^oH
z37w|pT<87_!~#}mB%z+*Irl|~74DK%X{b}D;ebJ5gfSRa(;b+Mo~hyaKKDH)g?kA8
z!R#DibrUkk;wO4*gfx<xvB?*4l&G|fevf%5;#Z-TD`_UedhNfYgA;BaH_VS2m2P&`
zDB2$_dI}<kEt32==--7OnJ?xoTHsLk+SK2C)dszTbjI6T6k@7<9V!Yz%AhiK{GAV8
z&k1b_t-9q*wi6XP0OM2MjD5iqM0ZHpaaA0_MpBY>b{IvA1T~qY-x*dM<&^`7o^wAA
z&y{NJUFj}ud*e;CcDdh$ti-~5-v^bY3F4whZ6s|i6&9^XsZ$ChwI$}f6rFL(J=4b`
zRY@plN<y~Fj3vI6mlc7L%vF|{?grB0gdU_-)7#RbqzNJ}&obpCppuuHE%h3u^6?0@
z$~2dL<BWW%6)t*}SasF`tt6dH&a{^X%uqmGd9o`+C`RY0NX%yJZ$Jm^kn^i>kTs)D
zwSrB>UQsKhz>sgq@7TyE4^!~76&Nt671}k3>0(OER8zlZ{){E)jFXNc0T!4ZfhgOf
z?%twv=F>%*&Ac3D`R>H&Y@VGGr&|hOwT7a>OVk+jo$CuEfVetnt%_{}Ifrckd;+{~
zHu}7}TL`i@^9__@DqAZVh{T#-6`&c&Qkd-wL0-0AV|wYNz~l+=gsK+}dJz)uUYg5P
zPV<$;V!>r+bHBmsDUb{SYPzI*#Oi?3w|el2AhS!E{g0L}&eMP+A{c}x2y`BK&Q#th
z$=VVqfj7csCR>h)ZA6MUXC5$qGO8~##hF_l0T;CNzLX=>^kz;r=w)XSkJ#<-tln~?
z5S%3@kA(9JMi5=<nZiC4k}JnvCThR4dUfs%4PXbvnJUM$Sz@H7Nir$IJ&MoZb`DlQ
zXei)S$E)6}j+ZiR{pTO;+!21c1waeU0!$1&ioHB2ITDTjnZxb0G9;@E29l&rS3orq
zBokBVS2g94z$!LMsp}v#;dUf~+ZYk^i}4kw&9vjiFm+ELZDA`4Mt0Sl-p9QP;*$OK
zPVd5KaB6;Z<<JFS<x|g0fnre~CYD<-d$Lp3gBW^i)ayB0p;pS5%=~#bAXUkzY^Dn;
zjW>wMlG><RK~@7pq(Sg63K3O9ZOn{%LL_m`%|pzZh~$+#&XGFteqhAZl>#)%z%XVY
z@;Wk`B8E8w?y8!ES<_B@_7=qZOY1n54?#`c=F>g<yyw$W!;eYt1X+ya0@utyNm!<#
z{epvbygpCpIZ45}Z2P2`28JMF(he$VveqOuuGbj6CheneLden0X&pLTu@k(q7ZaMP
zMVFRLHj~9VM7d1(0CG-OqM1QM4(UMFW|G4dqxy=1#G<Ik_Rf$G)wr8b5@k@WA26Mp
zlP$6(`IhjG@VMd&J7n9#n1$G1a=Jq3bV2uHkh(n7r!z|`)u*WXJQtbW$%btPNql+)
zrDBwr>H@W!6CbkP1h$ERLeY8VlB}X>Of{X1NFAH{T#IQGnSkj?4+{n4VZPr2^TwpE
z-39JyrT*R(#V(Sr>vLm+WeEZh6<ar_saEahp6*M^NZKBBQ>Z$K(kzhZAVqqJl&r-z
z5}mj>6jfe;9hu*hQggx4Qn-O+Ss~W^YUH_Zhf_y$@9noaVIT7&ZE-$SA*Lq|(KTZ&
z0S8;JC#ll`RbHUOdJMb)-wG!EpuoGSLeqBmr!Lt@0<S=sE$FlP?B^$+Sz<^1=JJz^
zy<A;BwTCXi7Mho(`v@9A>daW@C$s#$1who4*fa^zrhG^sP1grO6i!s$g~4sg&6-Z4
zm^X$kZKFN(_YzNi0tMdTM{i6b4K|&#)yU+{Ck+epgHWp)zFop|_vWl3ab5q>@6OI5
z@r(5NA*NYvrhWKcsLtd)`udk74zBzl^*rX*WCbst9{Q|s{W(BkjO}e6wJ8xlh2xfK
zj(Qi$<YEgwjCJxFAnJH?bl0NH<^JKYpK!CPgsGz!D)w47q^N=Nw8v64I8#wUsQ_?~
zyPjo|771qF>@@=FLcd5tMNpkQiju^BQ_rUs=;n@>QesGcoXjv$BP5xll2JF~nF$N(
zSpO?RU}^>r)(B;-%($1fL8xsZ!IyA~dCpIf!jAf@+|XiLT`J8tDa@%`bF-#Ka$jRc
z3*in{zuZ<<|0vE|T)C!U<#_*aAUL6>B#LwAcC;1@A*HpaH1@Woo#_1JbrP){)G?)K
zYc<tZmozIPXsH$0Qs&6pf>toWxlpsMG$R{H6`QY6y^N1E&1A(r5r)jPKRDc`sIUde
zXh=dJ@CXIoJ%PkX;FQCg-7N8m_kcElC;^vLcrIFRBDA0)(^EGv6a3rBLs}resnJ@-
zWQx*lSw`H`>a}yn_r4B57pYetU)+IOZOH`PWp0+0kij1FSkyv$_4o%Z1lV+NeH0jr
zO8-Kw5<3ZrQ~~-!rLKn!E7wa>u`Uts+6y_(lC*wNp0gS_RldNkPb8V3TsNxclDHuP
zgPAZO<pvkD+i{8G#PF99@-uZee|KrFtM+S0$d}Lbxs#iQV6$=A6Us^j(&kpXVXi%C
z$_^TLUUa|svEteb<c`gbT$@pGLq{2&g|1buK7T&(S^L#tX=!?|WA%wJHc|!MZiP;f
zt*h60>|{32M)z*pnXYdqwU#R~NL8P;yh(Ip0W-Cj^k8ViN~kB<Ly~@_hE>?FxUrDs
z8rP6PzP|Dc{)@UbnW9=~OoXFtKq5LOLubB@6mf8Of$8xx|2}Bh%StR0NYGSNLFf8b
zXYzLgkHvvNy*81$>n3ww+$`$;>osjqosJ!r1?!XH-%K3T5|s&vy~yZdCVtDoUjEOh
zisGo?!f<M=y0(^jX~P8){6WHF1w*#(-D77U5#53X-JyIe-h+?;k5tejVuF&5th{M#
z&u_qV_yb^?oe|<^6z0HXUh|P>Ff`upgWGL^#(iGCEB0ZjQ3Cr1EA5*%q^=6&`XT2v
z>z0S_tC5%Ow;pUUCg@y1zbj76yijqm7Py1U*GU=Ya&rUeycyeD|3zhN5Vo0rh|QO9
z(~H7ECU$rFW*UJflY%{N&k4hCLoZAgIJ#;LiV%&cNM0}`|9BktE2)?&uXn01+uEJ^
zFlz{<29Wh!H18N_?yHE{nx_i{1x0CFjl2J?+68!pS*#~1_Ul=Cbi8^~YQV98eU;TY
z5;DY|RU5HLTX42Xv7B!6UJS0w<5f`-(qETD@bfoTsX^ZR6Dm770DcXSCMGZj3OY3@
z%vox?1bshUVha3y%|2FoVbYV_Dn=CYfpj?-RIoiHi1@NLoezH|)0WbH$U6RW7D2hA
zcK%8afv14wH4Vp3CPv&=O6`6KdIZZb?XotfP5;~m^B>#fNNyF4(aMgS&DbKGwss(s
znv%#ivT#})!loe8;5H93mg`ts=wYy5DYT93fBir<eM3xZ*xHf}cqsrfr%OI<6?GZ$
z-$er>ispI2<M<Sk5;s#8Kz)O{EMaMepx@v#&W>86ox;LN4YO%fPEG!@?#V_;EH>sz
zH`rM+Ao-{Db54H7pPTpwLD9bvrHZwE;Yc#s`Z4@FqXU_lEs1C`qlcyq?vh?o5!Oo3
zc+<eNGUn4UKhT^|#%zUFy*0ao857WISPGjM5nK7t^~xZajXVDL28X(;R?kGh0d?=Y
zijm+bsH{d7lxrcDD)vfC*yg4cz#P-4)&~7*rqhH5`_lUJOqj_(m|1g^7N}%Q0qDQN
zOpXD8IeuJ>$e4#FnVxe!=A!ce)0kV#%ZlfZ=`}8!nOV?P+u8z^HlEpT_Q?YTlDG>K
z4)iAf3i3pS95-v_F^Onw8Zyr5`A6qT_sX)RZTov>-6(tkQ0A}CqG!#YfDw9{ROAwa
zcD7-tgPC~;PxcMO?`sH7sdv-KsoCO*x?cRGKM!?n29|aLP`aM1Amcvn=mrl9KS+C%
z5u6r5#n%6CA`odZ&4pYI7>$N(H;O_ab*5n?B3Q6@+%}|5J~f}qbrG~ri7Q}!5KZ5c
z1vrf}h0M1k0mR8Ts>uga3Wl9wqI4qg2+ev)Zw&t&q5Pb+uoxI;WbP<Ra6dwgiOI05
z{`q^zK$s=UY&|5+v&G`+doVdRT?fSgHi@v%IT6s0ySMaK;PloJX^JXeD}RiJhj565
zz{gxjV35C!j+F0<!O$O+Pt8V0p){wsQ=19QY$`no*}?V%nWaUwTBh2mxTOj#!SJ)v
zge<ufn~ph3I-;y;4U?6<gUH)R0czxnkj!_@yF{F5t!W09=*C(*U=qDdeF>RaY5qxS
z688ef5u$-(#d=B4=oH&%Cwg5V(h=jVsNYhxPGVD&m5+iy5YV1MbqBS9iml?$ggYek
zzws)uwPe3TaZ{CiA-K#tw``X4qPz^TD_HBsn1O+0vu1%5fJas~P<Em#B}ubO`twrH
zRs0*&&B47kq}fTj*iNyY-<pAw$YSMX4{dhmz4f(B%8#41v4)--sNc7Oj?5Q?Y6ar5
zB3b!=3O^<efedG{z!x%vim+i6b3kL#xwut+Td@~m0YUbcWZGp&IBUKyvv(x{0dyZK
zE-wKIiRTAbqw8>YWzyYTouI+j40th2Q=nJ+M2_#RfnUkfceeyhkQ_MBeKJYajMWK^
zP+amG1y+Y^tV-=vaU@XFZTLIF9RNc@Bg``hH6af0iAq;Ob&df(fc8HLsg9hiKmqBd
znEwyw$Q4!q0$TC#jCs6LgJ|A{RbIm)qkW6>4+Yj(u(1sgp~X~7!3se03bR({ByRd(
z{=xZ^!qUTK87*x8xX0GFfVB+reC&3Vjjw0aJVL;N%wp5OhDNTH|0%DC)<-x<))2UT
zVqgI4`x2Hmgc<o=0;P!rUkxLa)Z6xR(0Mopj8IPvSJ4VGo#ymon3;>B@BW<?@E}tJ
zhoCX!e@+MUyy@!7_hIJDp5dbWKTc*u5n#<eJfz@u?;#>cm&_f3z2vFeA~PolylXSs
z*#Cy&w-xlrTGLe4R8I~%Gp(_ES(!uZ39|LnusG22YfWmc{xHDAC7a>JAa=_81zu5E
z;Tkil34kPdRu^ToR}6v4O#!#kKd1OF=U14&V)3lO3VfBn;srFG5*mE(S^JnKiNHa2
zGDGQk+<beQ9wWrruJE+r*kwi<l(!tl`xMbK3@0Wl_CJNkWJ`RK*YzQ^RZR?@Lcoeh
z+BS%oA|4gA&>6v96%L`s#o~S5WsiP=wg?Gl!=yoWlPS?#8)jLPzaUq@phA`puQEua
zsnV1QggiGmftBQoW7XkgS`eEz)Ld|j&U0vx=xkvL4YC4DJq7b3O>$cq5<>!XTx<bh
zWIDJP%acqYtYIjkYfwl^KJX*VC>M9gAw34#f^$6XiVE(`8%wlgG2Mozis}QAc(-T+
z%}V}1FjNma16iqE^lG7QPs0osGp*n{GxH#=b+X+g;3o+gi1SYZ`;AcZu~5apNlVZ6
zva#V8r3N*M?JT3BS@NrlL<~|4V*`y+K{gSf#T;z#6Of_AET@7h&M;03e5U@QEzx7Y
z8u`aWrV;S}4L$ZNKIqYYzanMgLLhvY=mjempmO|tS9=ZL6K%lPe`6hzIE&g;zE*IF
z1i?kw5z}o{!=;0lqCs^WnJOY|o$3T$p@tkK*&+*1>_Y{YN;s&Pd~xw_nbpj}W>eMR
zlIoBzdB2sP!-adh$7;TOMXyZ~ccRZS&jCPFsj7;ym;Yy47l4t0D9S|TPEK=I-LyjF
z<M4HhWla&Yyu@()SuuB?vVn=9J*MA;V}wKfM9z>{4>l%*<TJo1lipX|+eJj`KaKAz
zTDi;hJ$B+)?Wn{)BAxxD=C-T)d!Sc{J!B>^`}Y$B8FOq+RMNsDs-M^5UL5AiZFD~-
z-z7EZqdE8^2)>wlsG(X3q9JyoB?&Fb%-(7Qc!yNltgN)ZY$;W$I9}P*SK(YaS#1;4
zpi;}Hl)L3R#3`h*wM?*mHhGaTzb)W%NmKuqYn}c2c*MWGGXhA-U%euEK2S>Y3mHsF
z6mdZZ8a|84BxHLY?YQbFLUk<G#s$E&04v9;WANB2JQHMO4qsYS@g(L(i92Aa5Pq<1
zHt~wC!msMwYA&SIHe%osGO+zsC_*6i8rSd|9aAEM{UG(5Z(d#KpX^^U4w4sXi?0&?
z?ka)ynFXjCgb*a&Ut$JoD9~07%X#)!-8daH`p5SYi}v{P>~h&ca)4sI`lRN+N(jX<
zx+ZNVoW!dK5U?~4XujhgoaeS8^E6(Qo@ueFgVk*4fd>hj1#B%zS}8z+!eA`}DB8Sj
z5vl7mxPTSh4?JGBzYR)S>D)gJ(9;E$2s^Pnj`SMyh`}0rZ9KItx+W4lL*($~OK0_O
z)?0`TIAl!F6*`8WsN))3X$09LRHMLvw+aiZS{+-&P<>L>1hD>i)GMrL|M*e60nZMo
z8pdZ`90*sjZ~S9mX_7K9+ZNJl<UBGeBNSckc!K+$^OleH(~%GuCe+7%w_#+&tfPJ1
z16D#bjDU)2TL2v;nwk&cXwh4`h1rFMe!k_>-L2?TkV8`Iw55O=o+IN7W)ovC+3r36
z2(1jF(UA!%l}?UN?=LLfp^5e+R`0SWJqO&+5^L@6!d=(Ib`$+aC+qVL!eM7=7Z{DN
zDGPiutKjHV=42{9t;+IIU&)k*U#<Tsmn#sQ(IsW9_@=)A-77WF_y|;4GAgZR<US|@
zHF2+=#4*-ATs0+`$-=b_T5N22^t#a0I&Z5nZHP|DDO__)SJUvqK7%NJx@)klf31cY
zX$K`AN{_h3oDB`13=>86D6L`6fM85ky!LBntI*Wb6+_TNftlTkTT#^n(cB;rkTh1s
z45$_{`w1m`x9)Zk+9I(7eN|76_f$BGFWI_$6oi0S>ZrmiK(XSVr61A+a=&&gM-SVQ
z3}o+NRu3GOW(Re>VAFYZ0)W<WqlH<fM(mKBAl4*ddu<okTf^pWocGG1_2ngiy00TZ
zYc8|zRsX0JtpPN;;b2v;78fiE^?@a+ajSp))ZY7Ed7{U5$aFIFvVv|Ak_QfaUDYTx
zg-snJSt}0P>N^@LFR^-x^S9`$a&C!MT93N)OWni{cgu}VJ?zjLppjM{gl5?~+!fd;
zhLfO?sF5Btq3i#w_~8$oVok%TNR<KSCZ;Y0v(tYakT;=)h=J4fxlT^8>BG?(_FQS<
z4p@};AC^vkA`RW=&S6XKvx?UUO?0^aZi;_D@0J2g-a+@i9+nE3yRDy<FU<Axwzo1K
z+<I+WCUs+BnndJ#F8e@Ynhe8kC0Od;nb`dn?&biV+hWBRbb)|CKYPQU)|1Xm3tQOr
ztUD(&i<lg#h@B_NO>(Z{5{o3A8ve4AilHH}`rK=cyy}>s%of1eoz%g}5SQ#bF!5@~
ze)e=8rum(4f!?dSl!2{ndsMm&7~l3iHM%gIELm{_)m}Pr!0MNxyI0wh@8GIU^KU*P
z6Ux}v!h^dD30CND_1j1ygFY>{$svF{?jYG(*~bzs8jk1oB3sBUt-@dabHs=5QG@%J
ze9VUQz?4=0IU;;&6HywKmeA@QOdgH*+_rTTMpzBAfABvaQ$Lk{!!LSBcWSKoGrYxj
zD%0K)dCwj8ES6I0`ueV7=b4M}qN&r8@P@>zTjf054zNOmd{(xczeHln(_R%`A1nXe
zJ%?;!M=VHx)xKgRIIMfRhFzFv`P#e9v!qT`%(9|H7?^(|V5cn^Ghu%vb`K_nr(|U0
zI9u))hObm)hpBt4LQDbT*y?RIcv+4a#D?KEsK&Q(w|+%M=T)`1Je||$>q2~1^_t~K
z%6q?WGp$_>7_Mxo|JWNs&gq@276^vX(}WoTRq?!lF@dR+Q?$d{ncJ?h`hGZ(3KZ6(
z6&ccb^v@(Gh@rR&THlSzHVPSK5N5O#mtT`2i-zIl_4S2JB#8T-Gv7?H^d9FC<Sdw4
z5Sl)Bv83M%JHzBHEM2Jf)T9R(3@^e3bXR+5iHpXoB+YzeE)erKE(|4>%!~nKva5Az
zV>`2Myx26CaoY`hB|==K+mVM4^(E9QM@4N6V72vbR4Z9nASz`=UDQ1c_dH$JRp>Nn
ztjEarBOHtVBJ&e+`U8b+k47>Qp?+7dwuH(GPKYzoomYF(cTlNjK8qwzQIPZ2$9W*=
z=QwKoh~{ue`IGHSYilkt{Zd^}P#$^PcQHI+8yo5Ni0+>Y>^H+TtMMv~j!>g26YZec
zQuE{5!=|^iUcoPWyPA(I`l_34Z}s*XqlP_6qUAtLLW9%MaEwYpipd@NpDM1rW<vS8
zS`yKoWg~cJr^P%m$}c|YcbX4XVRDyr_i7jU2nWTS?8mq7dqNGS+dfOFpB!gS8dxe3
z*z_)HJO&Mm-mb3FPvyEv|BC7<gS!jxta{@j<Eh^V)|18yQu9N7>|(<mWTwMI#CSF$
zv9*gz-8(sBXHXU5OHvn$Ejq78BVk2i8}f>-qkOZ!rTAu~UpdPWnf)voRU6XQNDK@p
z8xf8S2!_R#y-2Aw=otK#O-_I@?s*~caP75s#?}9(1`vfRF#J?G6~=Z7_hOEGjFl)c
zwIOOMxw(Zjgd6AItRx@J(_f)cKI^Rr2Z@?d@rNtd&pgYQdH<)|9J>fuCg3~n1c;Zk
zcD(NafyR&zo78U@lKi$${D#UOdEau2wfy{f^~)x;R$(Oxs+1tWlDI{)iy-Q>KT6q=
z3X!%`j8@oiY=|m_Ca1qlU?M6jSFX)U+xR%wrJ)Q^=%n7i{2|O5`Z`An8ec+=MSz8o
zPek()Y;l-6jMc5qfP&wOI(I4oNV4&7BGG2gRQ`U*dAPM}(U8=aQ08fAd{E|ABUM$H
z>{Qlqs6JG323UHZ)>s~Sjdu#G0pNi_ZCGstG^48oN9;Q()XO!+9WDXF8i5^5A<OBo
z{ye?sKs)F3{l`3n8P*IKp{)(WC)~`~FuO1Fvu@`0c2HtIR&QsP`ilCU2J51yHKRkp
zBB6rFS!jhOSkpj8nyDyiq!s^Xtf?*5^cgkvP1P&8Svwg3?zTL||G>h}aT@ot_x|&V
zX9QKA4<U0&F4S6>I;po;hpaF-k54?ZWaH4aNp=LDwPn6YLW81JO-=_@HWR$d<=tZz
zc-WS&HIF4h*+#68mj4)Q3QX{gry|$Ryo+KF%HPagVrQ2_E82r_;FtMoB)I=+BH4@b
zM}WaN5sk<~IXzW=8-a|>p(5{a?%i$u)~u%nizyY;ly)?@PZ;OjM*s#|^H_aGGAj*<
z>@4$@0jo5O={jK$1u9^ee^<~P-67jg@o0Wa;|{^!-Fm`v3vj6At*ZSYD^c`MfI5k&
zWf%3kfA;*bUZ&Q}v8dnK&P^27Z08bG93(|rGxJW#$GdP4`g@%^VMl;FhQtuvWpBk)
z`}&}@Z@cxX0>Ky|@XiCWqsQC#ZAEU?hN(=a`X&t-)^BaFJ#E_bf*J<hv|{PW@rkr;
z^pMxaAGmtpk#HzP1MU!bE}yj@Kq5ympQPM*qq&$kT}+(6DnCckd56+w3VyEd;fHtK
z>Z)X=s;kX@f(S7h6u1at9c`-BIyD;)WTJT&MCEhnLewu`Rt<Gne>aI^mA%?X68<C>
zT0e&H(Au`^b^y*>6LG-Wqc~kl?AL#^CKJe#j}ufJRj^>952Ov6=FZ^PemO;E@6AP(
zYnDBcVFveB&b?W=7!Ku6Ax^3Kp%@a7IOi>^J{(ql#LVytdhMY=Dg`Q<#uZaFe;!&V
z#ui<!>m4{pst~SMpv*ZzS_&y^vc8*&gnv@+UgJ*r-OLGk5<YLR8@HWQ6-?$SO<?j+
z=Q*-ITEi@|{-`7+MO7YD+D}?sxHP+8MST)2Xu?W{v5b|_IniEJ?m@FKIp=u?Us=>X
zCLLBcC+mp1qXVE7^6=cx#^t69`eqEQ37It3QUh|IbY7$-K{UnXzV2{Q0Y9M_%<V8P
zdnt<gkAk%f=$^Jbwj>u#gB+h9v|g>&D;%NqADW(87|c4)xzkN9d{*iUFAT}-dhS_f
zhoC;U8oabtkfx~vs=_Q0wjf<by|Q&vWQR46Mfpm=4Pv?_2ZTFAlR9-pBvfCykx|9e
zAu1#HsV0XqZ>}1D)U#M)J`ts;Qde}@=vK=%IOECnE7u0BdkLujc^V8>qNa4rl9+yA
zoW6539^Z)1H*maZ@!RRP52YKf$(xfYaF#4q^NtvxV7IO+b*IXk${KjuUL4Ad<BV5=
zRy&}hY6o`3>af$J_^QBG`(i%cJBdLtR|KD?|GUsHGJE?wG1ct+AnOX(+hko)bY4?6
zooxao9_O|-`c~W{!P16kuV(I$O$V7#>)kMJl{L$8R%}@I_<ptrh{gJntgSZk0*uAH
zdm7mnrfa4SoTr2S;ofc67+EXt0IM>9J_Z%tilfN;3A13PCK-Bgh&h>IK_&>g3EXTa
zjxyc%7A+uY5#Y`fz+Ys<f!j8uv@2$g5ogNblI|BJeon>t$S>gf_WkzR<mSZS|4XMZ
zY(6oRzs7c9{yHd1FsKrKEeVe3TR<Vu6TE>_O+`-E%wAGx-X=9yeO$%e5vMKY@!!CT
zqWw+>$z1~>9%x)GIdi4MDF{d=V=5)7QYrUaYddfX3MXUp8NO0wR%zTPY5H=1EYu}D
z3lDE@-|CA>#!tj;(1;X(Y{;n8Bpl5|#)#S0!&W%|?bYc-c4PwD>g>CsIEt50H=@`n
z%JvEdO&%MoGbCj(6a(f@-tqF%;X=<VQbm9mmJwzzo2ICd3f|g>j5|SgXCQ?un3Y?{
zSQFaF2+{oV%Ubb^;6~U14g`_p%T-M~Q<E&!U1YK*@jp4+(0paZv?6VP)OMIb1M+8E
zo1dt^n$?(R;KQ8XiG?Y$D^>ZAHZDK3P|QOj(m2T12-V2Q?7ImiT`tm3!*qyI4fTH}
zQazQh3iyl$&+ij_jzNWV%#8=iKER$Z4MmV3{d`Itg`{4XNYYB?%*gLKv4$3J6U)Qq
zb{~;LrlH*=TKVcmZmJYX)#<~FV%Bt07>t^C5<IpgC7Qj7T3dl@vdd7ufkIAzi{mvb
zaWJUN^a1(o?Pf~Cgg_%yjySgFNu+R?XkjyO|Boo8_Gb2B@g$qAnYLDScMH|2y74us
zCd{B*c!}QMX0Ppe6lWi=7PBce^cGbye?%O~4ijm<*w9vK)e`lA&e|B_sZ%|i(RN!j
zePA3^<8Q-z!}`xeRL3n7W14l_tN$jm(Ep)V$Czx~h>K{z5figNak^M{o8|$|1c^z_
z##Qi+Q*0B~K8ENQ$#<0Md!6>{<SbMioBWbCBfYoz3hK`n>uGj|WRVkY88mz8j=}wI
zYR7$gXkcqasUW}d#a_&I3U+*;1un7KF`aZtX=G}83IoDM5-W=4f_&0aTp~>+o2`e%
zN7;E0CFRPD33P~{aw|`M#UqN0Y{WB^BE@G4Wv;1l9-@vsgfsL|(N=PNK?Nd)4L4Y+
zHg$%u8hQPBMHDzbAV3S(ci102DU|Ao=;3B1ZYB9p!!+nkKk2q;5ur~&E@r(<rqNq)
zyv21lC;*CdWEhjx>UOYrh){13A?H&Epao|5Nu2>`>0;ACBZF!4?l<jyn(bP3R1=?&
z7(Im*_edP3j+{B+JNcmVvOkL2EQ~(@$I@hj!m+e0FZ7?Hy02qXc<)b`Z(!{bv7Q+w
zl(~?g7-ufT5jTtc*On@{xwT57?pzn*(1|qXR%T*#ZG?mT*3F+Vr2SdNa1Oc|miT{`
z6`R5&zC>@L=ssh~vS38*q~8$(h*QL1fBLlhj*vZM><y-7;0TJe9n+jGidY)@1YA@1
zzQk&QWy)WrCLu&_2^a-MB70l*H}1h4%<ETWEA||OCfTil;bIE4NLWaJJKW72DzNEG
z&J|^@-ie1|h}q1du!#_?Fu+kj5_T6oZ%7Y7CJi@1Z6<EMsU-&HVNF`(71k}2<~5uk
z0^H0~o2mCcD-;DWXI=?WDBBY>_Jw<tzL>2HZaga+PrL~=m39-tD|U*gc_>qRddo6(
z?FfO#6$NrPkfS;p{5od^XV!vEn??e@;_zgiX1g+9Z(0;&(@e!%I;vn4qx{H(zD_)&
z?Ma~gu9B4-?xwiEAoDE=8yW{G$io>*^6&$N(}J$OnIo+<pfG0094gTtF=-U2AuWK&
zOScndLnV;J6U{K~Gr=2#H{W75FmcQ!7#o{pLNB==nTJ<m;d;Y28-DgO&#*3w$VZaK
zd;$};0vSAU@$@E%Thi*Ybx6P@wp?mqUG0S#AZdpMN*sKVZ>Y*k(h}ikjXa67%T(u?
z2O^AZtrhBJ29GsO4iQijwo)TiSy`%f1nSg5TSnF36{4wRS0VH}A}o=NgDMSBm0_q!
z9_36XrY|7-3DDnEsHvuwPhl~~s<9YF)RVO*KocVMOyAmkENH%S;!4|E4y$`c#K|LS
zaU;z5PM&`<WaKCDoRQE?*6tW0BUoZ5dO}i=bkWHWfFBp<G$>`5XV%L~{UuiHecErR
z`A(?6daZl;PHp(iGhTW+VodU<dg&=NSo2<liD^t=gUbZt)r?A2-f~;{O`ydinx9Bi
z)2HtQqHjg4qngEqas59^OMRNDYsFqQ`2huo(3<>;T?lFeX6h-NM?4**L&=tMsBRgd
z<@6$rWN)s8&ZxQafr5BK!HB1*OZxZ&Yr?3&-ASa?C_3FRgg=QiSgR^{x3Cc;QD3D%
zkc-xSDr9+8Ed$Yz-11K3U8Dn{u^X`fGsg(p?^=^V&%|bmNebGx68aMfqLT)vGW>%N
zI&P^CxhF|u4vQIgi3rUiUNyHF^-WBJI!fa6wk{@3yloxaQp_7Cv<W>(`ch-pH%|=-
zP$%t<hOg9E=;ZrVR(M`$ICLFy(lu3CclSULu2y$M!}kJpH%ktuDpw0lm(Nxv>B-N6
zBE#eyKS=Syf)1pRyD43&8VJ&+U_}X<&cU`kmUIp3oVp(bs{sE3&f7tb7Ak*#P?9bw
zvKRE;@{YexB+q+9F4yvcKv9Ft6vr_y#Y(?j4g#qwXffnC9kAb}=ld>UI?f}G-z)8m
z3{~5B!FsUwg*vaQ&d-7UNH;t1ANJ*SIRI5EP4fhGW~!FyGE><nI0+8{m{SojPe`I)
zp-3IsrhATLd{=N_`bG~^6`l3Q_L_dszm6WvoGF@fW6Qvj1#;PgYMzWQT&?x$neCw}
zL6%mPEt62j*jl-4u$IABu+e-5m`>CTmu25Wm!&D{rJ(ujhIYT&8%3KY`RfOnc3Krm
zo`$ywMYTlm*7QM9%<!b%KyG{kM~=MWB2dbv62<Y_3tXu<e6og-i=;eAH8^4eM;}q&
z2W;(7NaIOkL8(8Y>4FB$6+Ak1pYtYI$eOfirsb=#!>Jnvk&=K4%Z_YaeyKM}6I|1d
z`O1}(qG1I~hxon5xn)wmpA#}<tQ!=YG^T}t)&g_rpaMEmMFSvoVtR)r_8j!HfARBZ
ztj?WUWLT}8t7*IVe=fPU37WIIw-JSuw$4LZ=MwWZ*5GuK!LM>>B9k#yS%#)|tk^T~
z|53~piVCzi_&hc^i`W3_IXsd}J~`cI^m_*YOEl;&5MNF~qRFr)I|B<wSkx<MR4DmE
z3AS`Ckls~DfuLbLHvE0k&Mu4m$uhXxmAq@s2d_x)3{xFp`d7!?7q<CSs2KUOwjGI$
zi?D_BusRh^q~{GvA{OAf(pfVdVJ{i_v$r*4PtZC3a$X@p<SZR?e17=h+NJE}&j1Ja
zbI#qjhnG54lUYIv1mxAoO8Sp1=$)Z$txRyhd>Td)xWlPv7sXKc&|~4|JqjY2I_uH)
z?$YjD?zklj{4qwvVGsayKO0NlX3kDa3a#Y%V?_#W@Ur|`g4G1EWlbWLRDB0=^m`UB
z)!(gj0CcOt>UzP8(Ki!eCuD8I1nXl}@|@N{+y^yv@Qv0>27-U1dLNe0ql23T(JPs8
z8H|TQzq4E=Fep=!S(DD9v}*eTHJpZ$T+|q~77j?ZtV|nfs`}h7IuD%;%W0&37q*;X
z(*q5DD!W~UGm<(Duy(BFYa_e?b%)k0ICL7TL{Ry`mg43BeDrLAG0&c06$!SyTr>5#
zm>8WxTz2|!LH%xRzbrXtjUh(#z>e8uYjT3=(C*iFba?x|nBe(-zl4nFNi&6Sk_Wl8
z7S|2u9?g3{1l*LYFN-qVMGS<k=}put<{|^9I2DSBWH&oopCC8c{YL+s2KkC}1tJ{L
z#?fH;8P{ijL^O{v5N!Lr*_hMMw{o-7;uUIg6O;auT^&~H0f*z1vWW*)ti0|!uW&-C
zd+g8-{lAsi7DjjLXG=EwHMwZ;wlqhocF`1xj$xXu#VYe3ZB4&p8u93$*cvxslTkM<
zioIye*Z6@ZuI5W4ugWfb7Kbw`*9>{gtf^Yd6v|mEH3*%lLBJ+vJW{`L?VtM9M8=B3
zwGw%&VHdMXDG`BtFiozCS@_DOayz(GSiMMD>c^I_X=<r4F=N9;=sPC1ng8}zje!<O
zV7GqJ%TJ}`^#=fDbMcpX5H2v7TB?wy{;yd%1-YnEofw^qQtGAZ#zQc$`6BY#pGHkw
zcK^ja(SKZeeeC=tZi2eY5ri3RovD0=fra#Bc+^(?#+M$f*)y(R;+94j+Z2vm<aXK2
zbmK%tYqD98odonRQ@wd%gc=jfm=AlWmPEQm`%Ikzhy#|q7_E(=fGM<fbmHbWwlqS0
zV!`rBLUl)(md1RwY`vdUM<qkuE~|pe9@~%_O)jdW!Ps4YT@>0WHoTn*9jvHOeaJY4
z(}sU2LN$^67Wl6w1aHn9cc;*hCCxsztBo)d$#!Xw^TZN_l>rxUfFvwWki4X`gs2Ta
zwAP-pOKispWFV16lj|mPNdKVzd(310U25K9YjPmVzl(F83xm;-zz+KVF-BF!Eh<D8
zh(z_85mqwF_wjC-a<isO>erjL_~xHmKl63F5#HXQC>5O_w{Lp?L1QECT=?O1m-+vv
zy>kz%vdZ`P3y7womS~Mycq~$%$5M)Ni)=*?d8x6m$2lpQiK$SD(1__)lnpv3>#@|L
zn{AV_dF(QhB%_WHvMcXLL31+E1iS>A#9%Ne0(+nDZ@u^TU5m=+%sJ<oY5sDEy?HO|
zUGG}I-{<@NHXwzAlTBn*N1?0<dFhF=m`<baX7W+r?<YmV$84%6;qNQHjSZbH&5IoN
z$63tuigt1<zCFzRf3TS`t9Bwfs?VO&qn$+4*C!v9x`(`kP%lkQr0Isd7IBrgxR2m(
z^-%A$Krf}_=N*4w0KRkKl^_Isnbmf{jg_(TVKDd7$xTQlv8htmz)>Y~FvTt2rOAR8
zSS3WzxpBm5*kHW3jldlkpkN|Hx}zo${fKihu=BHqZ&5TTU3&Mo1+R}lx>wWJ6)*?D
zFOF6R#Qg8n%PY%`S<IGtKUrim2_f^dtXE?|kan+na>mHdJ0VT;MZ4`)h&~+9S^L)i
zP|uZ;@OZ;Vb`6Pc9vASBx~072I9Oxc`qe#$Mj)7*ywpb5CNj&u0fC$`q4dqrVxp2T
zfm0*;U;@b=F*oe2F==Xc^{b&SSt9#SB=%}4R3nLO=|X&6kT~<{fJr_98w5cL(z625
z2(<rpt(rHa>(oGs2&7y3MMU%|&}|Ix5hjuK|HXPZT}EOS)``VB%N!N^RRtjI#7Ews
zcyYNM<k0ZTbX;vn)Ive9wUPTJk~5KAS>NbBDO$u8RPf?+Q5-lF0mzx8TT4Bw=fa2q
zY?M_v=!|bWW6m~&L^3GYIh=2pmGq^$L@%vCRO$6!2<Dc@SI#8GiiRO4<jyqy>LOQH
zKfLe$pt|IpB5fyEu_o4CtpjhL%+>$Z7B-Dl1#!^*G>jfr+eGQ&rW>g$c3fNW0IYeZ
zi$e|cb6*+=6bc*8PxH@gVwt|r@234aGx;g4UYpgYsU;?*YI2N!K+Lq$ho)65B>@Xp
zA@xrfkmjT1U^eMpm;!;sMhdr>bd0rINNf|%Me9lUq9{1{N&siPAqvTkYcC(8>o`DQ
zQsz;%UD9F{#ni}Q9ZYaylbF!w+x~lII1`F0!lsoo=#PzfPTEk_uDI!ZA4+s*0fw^N
z#t;h!*DH;k6{Ij>Lg{Oyrdi%xxRsM<T&V#?pGc{EY~4=~C?6%~Dls;6vO(J6tk*(x
zze0SnKsvrG%il>TN04xdgzBcuc4mqek|Lc4cHJ(go(QAt#v^P?`)<UdF?1XSS+a{J
zg^WSYkR7a{#iQ=l2ctkNM4B*xz=3h7s)kO^CDV^sF|wqog@3E$Q~C^&pHVb#W<$)!
zOfo5H&zK2kRlRUE9W0tpCGNXZ)>!6))=@)a(5U#5r?%T3UJ#%VwW$~=N1*g=IS&au
zbrF~Th?`)#XKPaa$RtM)pM5w+*JRigPw$exP)lOFZsj0T7;zPSEb8rgFFvlXK(Pd;
z1EY4KY43NNr>JRh>wD>!&+r7lD-8ZapBj5_fY_wTxXc@&KOO(4s}Lo_SZ%KlVYrsi
zWBy!ceuCTw#)QK*6mGUjhD}+{oAf^#7RM9f!7sv|0%(?PISXE4X_?UEV(&s48wO=_
z#w=5|nB{mRg5yZvIKQdSqXyxg=(I4!3AB{P@V}oGc}U_pEmpD(&8I#$xC*S3H;J5R
zNmNZQ%uiVm-~m}FpsOqdBS?|Q$XZzz6js_kC@;p_Kcht!L}QgBWAp8F>>BhZoCH|K
zG;Q5~Jzlkyf({(r(n>yMDiZ9>D3?$EPyRXWD`Q?}YEqf&S734@g&|L`$Q;#^nIC4v
zf7$w7k}8o=zwbHvK2XJ)D1k^iP85dBr*=_UwYw$fO$Nb+znwlb8};V_@qA>8rh(x8
z1Fr{3c@E<T?=$|NVEyY`cIbS4Wm$U^2VgR?<#-_N_UUL-tNKZm#l3VO7GZe|;MNlT
z^pCiE>%UeyR6kNJypXPXAl;|r@@tBBo6P8Y!;!{O54Q(m!4(N88Dq)z;rw(r)3<8(
z&NmI>@u9e}%#8=(hWh<){_%~Rm_t<HVpE|k6K-)EBonUf8f!@EV79hlU0$TNO$yde
zG{1{Vw~``7Kk31zZc(G6ZiWM-{%_xO!<QL@+fu0<qg-*nL%%I7H;*nCPAu6SDf#C$
zBDU?yUBk1|hD)d`{VI4sLfdr<9%k_{Q?t|oE+ywkcZ296KJIJ{SK~9Je2zVvlR%`v
z-e#={Kar{keynb|rX(}ZB;EX!;jG0|gQRR8QZGu(;RXR!&QQ3P&$0@$3Wr>i!-iU(
zxm%jB{86CVN^FqqzWGbk5@f`S76^-}oVbdnm{OQ}$!xZ4_=1L7OJZ1W;DtQ=eM5+x
z+an*4nto)ycbHn4en)+rY%I9wQe2%ZqR^EDD=nJ72^nv(L1e!~K`mOgCnW}rIxC=?
z>t^d#o=|HRuN%}sVj((Io*0#@2@T@T3%=kNFzNq-sJ8O%Zmigge8`zlM{ZwobL#Md
zj+w1z1au=6({?GDsK`M0kY;#$^aa%oMd1T5X{u)$`laP3cfIItX{9OS#lqC`gQH8C
z%}71Gi2D03Us;K6kuY?jch%ZkWFyG%@&yf$Ji_{b7Y`v|5y?P@GPxOu$U=~q$7x$}
zFgsI^URKnSBbjdwxarEaLK9>V`{}o0pJ-rypKDR7CSL_n_6K_`MEON%{|Lev@WgV`
zH8yN6OwD+q_I>8(Vu)!HTqY*jiL0>F<cOhyb|!9c3X$xQ$dqBToV&VjYyQ<5=7o^q
z?9e4SaR5cw^KQ8)&;e_29`Je{^eF#}gmi1W-WO9=GRHvX&`rx5vWwpC_^Km65{5)k
z_Dmz$iq1}hw-ppau;l(_GLud|wpkMv*R&rzt+QZ|dW*NpCc!!0_q=L?<anwSv^i7^
zJUY}8s}h4I&J}RfuC2AZn)(%xd(G08rq8x53-w>67^=tadi!vRC+uuLI4(`wS+i+o
z*Xj46$0Rx$md(L?Jj5hDC}AP@Ef}KwaV~;;p$=>_n<ejp3rhRyv`0Ef&UnF-$~FkF
zNfV1W3?O?OQVltkS=l7@hY~j!)J}yXZGZinFh{ECMiia_YvZ{3GgD<`b4zUO2Hhb|
z;Mvpf=EMp(A&j==L0D2bypem5p>=U?)!P4rMbPjyPaJqJ`Rp!4&Je-}$HbQ<pc@;y
z!d8!<u5PyA4?7$hagm@;opsF2%Ki4(H-`uZLjkVn)!4G#%jO1f0Z2QsIpETfSyW_D
z(mIxT7AM$(12`v10eWt@p5HxuLtGf#NwP`fV#)X*CdJ4Gk~Ok1uf!|UtNMvp;}u++
z3QjUW2pp!b?AC)f6nQuJX2MW205wIJ-bnX-b-HVGhq0_jTv_Yc@#7KiK<Ur-f7KCB
zfbCQTkZZUlzC)BF;_Jf!R69TR>?8a758ef{Y&;Wv&({+D8)y$p5MZ2^G!OEG`Ki-V
z?*%7n!xV!7%h^Z6ri?iB+PT%$4H#tM!%y`_(il`@_owauVl4H?ww#|h6!4#%(_#9s
zfS#302W)5Se>h}RuA=*_n0Sc{;<RO^!dTW#pvdpq_ytb#8u#~B7B|k~SDJmkMG$9d
zJBHc%j-lV>bNjHp50DuQM_}F%3m51b8ZqpPN8Y}e5`>MefLK#eN<+jzx`@{kgOXh=
ze|fx&F{Ixitx2jr?D(-;;^p<Yu+Df;AlZparUoR;u+VnK^|gFrF(kS-W;&EUFT^ne
z$t+tDlkQ#v3_)?0i?hS1ihmtsAGQ<;NpOuaTVK@pL5gue>oYoa$qOsxrvyWNJ{etz
zlNYRPq+-w%V~;|>NEEP=Dj9-HnyxXTaV%t$6C7cg=-)jqYlnQjpJ}C1x!fHA!7E1q
zz|fbC{}PXE9gFdX<hhYZa;&Ipnl>)r>I`JL*iHE{3G>YSbtm#h&9fbF4AcS(8`lKp
zIr!9`?mO;0#l_atFEDuB3+O|xTm1(slv^mTSXx%RzO<1HM<BvWosM`Y?dx5eZcQJW
zI<Gh<&d-XFY94|WGZcgo_(J(tg+&}(>~kiICS}J~@<VP+owLXtd3qk-=$(rdI^$XO
z+MGQg(XrdS{1e<8)r3UfE$TcV-MqPS{c4rVbU*uVrSS;wNul}Q&MN*-@Q#rIq@5un
z@y4;LvAmOkLAJk_DHqIWCs^hV4XUe9b7*jj$Of`${jmVbcVs;t-zi9BRvury6@uZh
z60Rr+K`T17&1Q1_V&UXelwFt!`ILKCK<pD4piw_tj;{_}i+sruY#K0FQ5&GPp1Az5
z4X=%ll*5DOJMyER3Xq(k9Ds_$ze%p!xnH2ceLBm9*N@qf{Xjwb-{DnGRqxd0cScSL
zu%52YpCRkM2MRF6o%PQhR*m&^YsSdddfLXe43ZDPYJ4u_`2M=wV(@Q(;C^R4glr8v
zn>2db9g|M%j!Ah2VVxjBH)pI(e`;fAn+>}akZT!a{R!vVkgc-9D|#mds{`yA$SY!p
zKW}sDo<KBcUcS3W<_G7jp5ij+feG}+;)2DYa@IRa29(-C7+qX2&+1)eyx+di4j^T1
zhBO{1sc9^()xKeyHVSsm|6!oik&&l{;nMPq`co_bc}EX3uArOmhj)A*!xt!pZrOX>
z_}uuOgrQb)p@>QODUaL#kACAKk7w3{E&~+5_$Vboxns}PyDK^|t7PBa>a_jdmo*!O
zoZOVE+|-e8^pw;O?X2FYvM_$%jYUCH8{8S+FP9ptV&`^hN|Uqr!Y7nWr>iX$I|2bX
zKs;R^wX(UXfeNR{M@37UZx8;9LAACI2>i62`||Zfn+LLG1qQ=0j=MOraTI0RFb4|`
zO62c!sPf%Ay|4D#ETOI6FC;&oJm=bWbZ$=B^-7#>bhqrr)#)Qyl<Zy+D))eh%i^8}
z4;W)*HK9Q{<z!odC_MK3JB`+Gr;>{&cAsX3dfsgKRUwqh<cZ8YAU&mF-yE`eO(z9j
z-^HOmngxO*d-VLKn%^J(HccP$?ib2QyMp#C`}<}{k+Cl#81m|5^+VQ!wyYj2i*J&P
zl<;iy=Fej#9CXGLy6bLkO4sij%AwY|7g@w$wcRzjxmw*h;l#Mn=)_n;OX~;k8vcgv
zds%%KTF*w7qfLKJd|oopL7cy5peJMwWvYG#*|>tGQ6AMg14f$rwn8(fH^vRnjI$Sy
zU!gL_NbTtRT|Pk8qk4-RZnrF?8ji;FF0y+`MtsCGd*x$LA=I_afOd3BiE3G?_+E#b
zm>7#ob0!`)oka^D34~-ppw1?!axn7Cg<%8CJ`1$MJ1)nQ%uJJfhTGy0B)b!B+s8Cu
zg^gF!56OT_w0UB7Kx@NGJ*z)^o-DG-p_tBt+_H_oXLZOHAX)N`$U<t3%H>&Sb4QEu
z>_LCAj02ksGmQ?;n5g?5a|CDR&K#Dbn3?Z_SW(?!nWw4zB#~ZH4WJ2b179<YYuf;3
z+}{5+47LDhx(S~nW|02~>2|E%a~F9&%Vuj<L*=G<Rlte93868*v!?tCwF`=jN5zy$
z2S&;!eOi6I!_GpAp0#l#3$KeyX&t0ScAh!*C(q(btXOMg3=Yll{}2K}=bJk1mFG|h
zj&H6-6kls%haY=ZcA14R#_X3!C`)(Q|4F4#*z&~M|7JF&*2XUFD#GQKwc1H#poYyT
zi#6me{a-SCV%D<vzWIavVqvB@%q-mS7D5@V#+?=LEI5w$YvP;P8If0@YbY{cTh)9;
zrKip+WUUzs2P<wwGB-!ox&DlpXth_T*pDl$$*K+Hi_^P%%;IzO!a#|lxT3UVOlh@@
z1rzhgJa(bIsoq#!Pq~G=8I1+;JkM*Cw)9t;%XVH+ljdpGXLcUVtu>D;UAU_U7#C~4
zlPYpFB*YsoBPe9e7ICrO?;?X>)Q)xJWI%dK(YjK9OTWRF`p!)1D>+XQXA)DJvnMHr
zd`-|*81Gkt?n2Z;pRAdt94mlFs$*yoQ^h_+#U)n!d#!P-)Yx7PxP(J4M8uO$lBiWJ
zHj;;i3S4Rb^cCMLrAIf6(cDx!qOX*Zu@DTp$#oJzFd32Ex=3DuC!l6mheTUypHMJ}
z=CQWWY*>dry!PvwqnRTdghwt7YusSjjg|ban3&^@xLud0Jh7-DWD`PB`=2;C$I&J2
z0#RgaxvR9BWJHMd_L+wedveHsgj`0+mwC~Q2K8BiMqZ{OupjfD_MX0_m1YG;IH~1X
zwTYe!o8O~$V1|GkJfSEK|1bR+!@f~rm2f|s{ktV+*h!}0LU$)zXu>5jda0XzdfCyJ
z4Na}T76=^ID&6F1J)4QI+Ns)2P@<l0e?T1)6dMSVd{5>2>LDLwt5&>ml@lwE+)~8a
z{^4Za&Q`cI)I*2$K$A$t{qR!P_<(j@gAH+;Sh%Y0V=-B=S+O%3=+k6$9Tlm$IsIe*
zj5_0)pC5nDZ!-7gC;brH^8S`}X-N0uyHrR&!z&}Aqjrke^LqV(<~Vf;X_JugRMoB`
zr`e1cvZC1$z#R^0WqwEdgj98~*Io3S!A6>*LWQBd{sMEW1A<Q6TvVd&i8zQ}#M8mF
z+#D43=UH#Pvn)UA5_oL^3mBu#C8@w1mU;f-LIfMD)7omCl^=ai*_Fk6%w_JD!lTFc
z_mKNGY6Vp8J*6b34fI^Sj3<{nk3HV#e+AAI<ZJKfdjqsIaIeOCF>}mecpr@Y<nicE
zc!xd;T0~bks?t)zBX(ZBhrOB<xX4j|qg0pEPMafu8DSoebd_Kyx2zs7U%Z-9%Xhza
z?y<Z;DdC61ORsH8EWfrFmhzr%vk%U4)ct9jBs$EO16)o7&t?xnpB%RnPmQp|A=kQ0
z`&PcDshD-k#qnK9AB$qT$ZvcM0uIN(Z6A<%>hMq2!P{xwO3gZ3FYz*l*B^(soQ|4y
zmjx_nK}*zgGfPMq-EChruQe$T4B)o1sG}`u(dSxhjDdnzmbf5kC>y{v6tp|@bv$uO
zezUX1cTMsIlr1HaRrN%o4_hQ4UZ_2m1N!cl$sT3tfZ?a<D>RheY&Wl4rW+1STd?8W
z&2Vu0EzMWwx)5@wER-zM#*ALfrF-Dya_6C_eYDKr{vL|z$L63o_%{p#-(F-O1n4Za
z_Wov1V$He;C0xM#bGa}d9mF4sU|m~xME?3g`!$nau0M5g(EpSJCGoJ={cZP24@<Wv
z5<G^0(fQv=$b7GyNy{3vQ9;9}x^5R;?Nc5sl@WmX<>QAQLQ1q^eH&Ah^A3fqAwFOv
zsR9lA9OFNm7ez?^2UYqK2zwYQ52&nw&b05xBe|Za^B2%U1f-a=t7FNMqgfN;=LbSZ
zcKNfX`w7QX#phs8fiEGtaq`?9aE|k{H4-79X>@8fE|tSpiY&ZYLs4CF?eQ$WK^m`<
z;LLb#G5HvI>6(`Itvcv#Ax<}kO7F_%!GHc>06wJBpfq9U4Z((J&t?koe(Qm8q0@88
zw`u$Rg7-z$R(FS>yd45|P-L^ptQuG&IkR2zcUwKrM=dxSBH)PBas}h+!8^J>zEGGm
z9RyeYzRwBfBET;9w{rI*Zcprvl&ZDwCsCrypkXLCmsL1K&+S&X14kaaW&|adAbRQA
zs7(#?s<LoBZoRfKfAQ(%V^QfH9oIq1O9-xB0J~c>gk{})Et!%*E9w~D^?X!k5EBR3
zXq&1<HBh=$<6dnTQYspfMU%FDS+Xze{A9R#2&NKpp{h$3HQN0>yPYmrNBPIza?Hx(
zN}qgaT;yh7bWZVeJ<NMXeSgv#{Tt-?YMxC!xoyy{ML}OmP7n67tKunuyUz7g&gYj_
zzjL_c>uK2J^7d(X+H1-ZrN)I<zQ=BZy~o@AHW9CJMj5QZM**)*cBGy?GK&bSaJ_A%
z_eE86iB8%$W>)hf7F<f~8nvXolzu8Q@AVNu(%KWpVnPhjFSeN`eS5FWqT3EW#>o{l
zm$1X_wPj1hq^9&P(`S*Qd;aozPHQVRGap>Zum2Q*kKZSjFM-06zkb83CINTfR?Rht
z!i+&xv^`Zw3aY=V<z5s_p)O>?s{{Mi%n7z;6dA;3Vu6%WF2p*Y%9In9TsVH1S)(+{
z;VevYiX|o`Pml_eIicCEE~q)*Z6T<Cm*#exzi6KvJHI8Na^~Q~J85bReGgGOSQ&`t
z)qADVH`KMUApyrX`N;P5Kw5)@gLg-Sl&u#L?b$5PmX*^UrtSgJt=KMn`hR_Em$`pk
m(ul?^K#YHdi&N+i`sSr4!v;?KSfc+uIOdTDKKb{A<^K(`$%*s;

literal 0
HcmV?d00001

diff --git a/example/system/amp/openamp/driver_core/fig/openamp32_auto.png b/example/system/amp/openamp/driver_core/fig/openamp32_auto.png
new file mode 100644
index 0000000000000000000000000000000000000000..529fe27d5b0658e85998f113c5bae9f3718a9712
GIT binary patch
literal 213806
zcmeFad0Z4%x;|d4E)j_uS5(YsBpF<Y7zv8DUR*P3CpR;0n1CCYh_(tUiqfbP9b*(T
z#Hc~RC8L=!L=+Ww+NdEe&>(R^Wr-UaQBeqsK=<!?Pc2>DU4>@u+~4;z_cMRRKvP|H
z>YVqy=Y5}L)w`pIxixOrnBzFN5yJ=nH^(`j<2c8&4PEh*A!){B{KqA9>X5+y?h=2C
zyR&=pCeG=<ZjTr|=#NnjcTP{)|616!*q>__?*6#!YVrP=rw{u2j&MDD_2A6w2b+C1
z`FiN}fF<8%{$o*+?owRp<qwbd-86k?*on%FdCgj<JvdQv<XMAfn|6C%I&|m*^VrkZ
zd*m8x?~hrt`ueYhGp}6IWE&^eee=VahtDGAAN-&q{bSW%R&F>{_05MByFBlCXiUS7
zryu&@*3J1#emCdIn7Zl=&7P#{+~gy>*$?M!IzRDluMLMUOzROL{ZqTbp~}4M;GNB9
zmQVEOIQmUuH`k7L%YtkBRi^ya7*jiL4997mLraguX_8W-)@k)mLOVKg_E+i=k(WN1
zGik=pDev~^@H}t+T20#AIhS7Op3y%^o9MfIG*@&scIcSR5q*;S&)Vo|uANlDf2Zx`
zN>;UrHEX8_WsMK`alI2)gxf9&p7b!Vc89J{Scm+EhTNQm<?l3ocr@w!Wye^B=jsvt
zJJ%v}Ld#*sn~6bbj{F4{PXD#*xL(U!a)w+7-?yhXx^a9Ff18S5ue163O&2da8+>yv
zU2dZIg*9WF7|g@G*Cw9npEk?IARlDec=xE$(I9P~=^yr_)7YjQU231#zK9U#*s$#j
zLfUXP?}z<q#U6~to-ytFua2IT-<bVLM(X68@ThQacLz?}ApFjWjH2uzzT9l-y~@5)
zdz!1&54k=!>*k>E+H>p+YQA6Aa&zw9RjYL!T#D{rjd-y9M*f^m#_{#M4Ckxo_ME8l
zD0q6Nur%`6oz;G2FLR}T{PyidttxLEX~|#Jam{8^ZHtX_a|^3$H3#=Kh)u5jWp(<`
z-Ggi0YMy@Cv*1D?_u12Ijp^(z-N$#6brVN>u{UcqA=wQ4i$j$*w(YS;xAy$(<*9em
zW@rb*bo1t7cUjNWicb#Ghm6H9cf6e&d~DOojVB)rFtv+$`s7MVPfc~z-fu&^)1Tce
zJiKxJ;)+`t`y7=A$o#3p)eTuYjCbRQ`8k%R&pP8D7O}{K3kd2PHy}aVQJ8Ici=W;b
z%1x|D|3}%q)au(gYq)?8TZScNdd1Ch4$&_iI$Bd4j&Gha-hm5f#^1<*g;`DdIw-%=
zscmAH<V8HtRM#f&z?GtB)p;eQ&wC{{?4|HKV=-V!=8Q2|9NH_1LFTi?;(N0FIJcp0
z&o%q2D1W7Si$hhggKt!RMv@WhYFB!cFQ$)drda(m&)nRpG~Kz~_&Hg5iz^OIim5GI
zndihEvU^*?;xT(;{%_CPF?R0s!n%nETPcPJnxFg3EnSQB%`OyeeQkE-FUilj;y=DS
z7+TMzUUOAlX%Tt)ukgT^`uQj?SPFs_=~x^+mnGk*Y}5Y8bk}+YqcH|!x-r>(?t+Y^
z0bvgH-?iS6e~G&4o4TmJSThL=8^*rZ@mYqZx_ngTv0vAmzwgYMuACeb^DCCqmpx4@
zcHQbu6PSywb2#{PH-3<|_=#W1`JfZ*9hsY^tPfuD#1HE(eNr%gJ+4aU98`U&wf<BP
z)@8*V;qUbgEDJTICvG4!z?rM<XRv(Ll7;76>+ZhF6&1elS6yvwxu~@IQ+ir%>gPhN
za=L%JnO9>raJ62BCLdNlxl$S*myRd(^3;6Uk_}M5)~VtaWA?QF3}-NLG+l#FX|b#;
z?yx`P4Czi6ism6KV1>`Px*=&X+oH^CLR|OMRL!V5i;thEz0H<;)dE=*sd*Y7=Xt&{
zJvZ%U=_~M;Z<U-ELW{nEUGU&IQwN2MUTtmpWND=EO;$gAj0dG}vYVPFjSp9IabY<h
zOA^;gK_`4EAMN6cFKlhWMIBLyJeE%v?KA&Lj66m6?*%*yAFwd8v*O$>G52#y=_v&l
z^E~&uTS>Ih8^7$IW{Ni!_HAr<-(|<d>M~5jB+Z46Tv49EaB8v1GsvN8!FBt{61!`P
zG1+{(EN!i0X=KUaUy~M_F2Bbmu9dE4N-4gqe_9<h%pt08#f@j$0s058bJ~o0qu6sV
zYI}>P=@zlGjGf_7r1@m&O4@GN9&Z(#%nuNe!kPqJIP>l8@;+EE+?vQVr-y4I9XX@x
zwJ#%DxzD}B@eA3Z_r?6C`~5C9;sO$|?Ryn2?$l3rg4Uzi+4_^R9X8M0%c<0y7nnBd
z?z$aeTxsFgyOTG)F>@5IA>XTejg36;mhaz^8^!7yT>G-@tY1f(gqmq*a#9Z!U$&2b
z{AF7@xktR|?SI^jGbKcJT+$~g;7GIBuog4V`>$?rcrM3>#I531RIC3ls|{Wr$!mhA
zai;V|_bz9)pIhF9o4D`hz41399*p5HQDR;$Pm-($a5tqi(g4nGWc}?W`VQ7Vko|Fq
z{&OUj_qGN3Mf{k9#3bj_9bt2f$w3Y*McHR|w;CaN(o@&77iTW?DfK~Y$i2=PhV1WN
z+^ys7a}NCGz0W+)`UkR%cAxnzO8QpL%D?dHFe8?qbv9<wjFac4@}#dK{RbpT-y2R%
zyztIwofEeq=ip`}yWS0iHEg<K^8?u*n>HXjlcz_I5z&$B7^I1j?yL~gwP&Ou$uqfH
zB6;FkgnmB7-sk0L`FZ^jKA@%bv)bLCEN1cH>C>evkr!<)aOKQ@P>6C-zqh2n`|285
zB4$7bmRZpZ#QnW!c-FeqGgUsZ%D<4~Eq=PWEmwPVo;dH#^S!hD6EGW!@|2=yq_jYG
z?GRUlJUNp>q;^<wPFUI59Ucfy^@iBe`Y&mirv2g5h^)JaDz+&%Wj7(gN|DdJLkg0)
zd;b@Lq~)SlJ(a$n@_gI;@wt)La?uwL=k_^(ZmMbu*K0%FuC{i6VL70hKYC7vXZr#y
z@t`6}J#+kj{Iw<NjVu}B)eXXmH))pHpO|9LcXU_ytZadc|E$sWLK2XtZ(&*M!Z8S$
zjAohTJSApAhG}sPEDKvqg_K@~DZYu}gu*JT)&HcB&D6hmWGTxFug4UP!k1f?_&;;W
z=PYsACFPqbJ2Vvj$d#N|$Y^Ty`(JonkH@xJY~I^4);v#2&%9O(sZ8nPgW`p%7AP&-
zu$P?N%c}L^E=B423O6D<Pd+bSvn+7ig|yE+l$KufKP($TJ4-H9Qn=KrY9vlVVdd88
zLuiB8HATvDrc3`SDOAmU=tyQ>N=ZUuQ_FX)uzXX^g01q>iDj|#l`W)vD34S`CX026
z*3!Q=)E%{|R@l5%(-n$BCHF0rnHiSn-bb06JYSS$f$S7{fzn9hX=z8dq&s=(=cS)o
z{}tVFiGCA%*hZGi|AvR%%^r57_=vIQE~vI8nd$6E2}H$8DYM(B-yr_GG<?~6-_=&@
zqWDvw-5CXMP2buH1+)I|TM{id%kEwAc%W*kiI;C`-8R<CNg?0qp%B|}lv4<8iKE0^
zrf8My+$tWCx#_pdr-TI#Yw-cjhhj3z3O)2p`ct`2_)-%Nj|$n7`D<|?EWeaeuC1Tv
z#%*!yFe=i4vz%=$2kr$51uf-Az`>C!Py7v?5Xxm#gp{So7p9qCYGR0I1sUrTZtQA>
zgiQG?n>Sc|8L=5omSik(t#B;%Ik(==JtAu_6&xyB3$yHnPulwC!h4t9Pwo@`aLWxn
z{PgamEdTlbTR2YXK;G16`IRNLZ{dKvXHu|G8ABn$QVCd6eKsR*nhRI@SmBgURZgq%
zs_Ut8b~eBFqDdWAN^v;Sd!*}_Lw<>w_g~^<ao+fokkdsSly)2aO6iPl+12!EEsHm2
z-k-^phQ|&at-qDG`2>eEu)-&m@=@70D(!#v5AMgdb#rU+?5@2mhJ1y^OF>0*lERVM
z({hMXtVWlluczQ+(nLvTL+c?IW~(WIg+_e`=}2nxYHU82FCKjCCOnI|6@^*s_RhD7
z+PHfBSq$TIKG*TcJl~b=`{Pt*y?poxzR&DJ+f+^P8O!Od-p~D-ot)r*`(9iA<Zl;~
z>-P9i7G?e&x*(Is%tawsx#TH)PT$-T!NgME^Tu-nmHA6F_J^wHjR>lh^kQje@-l96
zF!){)voDo5(t_;}kEOKaY9SRNrTT$YG@{|GV3GfDtaLWC*(HUqsaeg=@ul^T<U=ic
zG3K?;yIMS(hUwAuPs0j7+Lh|`KRo9>*JZLnO6ni^AhfCfBDJEf*^P~j*-~gx8AA{D
zw#>UNWd)@{DM|l?UrdvWCiMt?ZC9Fu-9l!wGEe^!dkimG@mIf+-?5)J(Yvzo)XFk>
zb5nL0f8M+)<mb(3scNYCL^x!t%<Z%{`Ep{#W1#}E=dz=vP>AyMX%wBcXeY%we>V4y
zk*`5FN3~gPZq?|f3H7G*mc8db^WZnUn5TE0HaT)5mr)euOSjsB#hu=_FC$ZC!H1#0
z%kqc=1y5O1qD04U*R>yaN3mHL+1&@Y(nukHz`s-c_!@T1fmWO;x6Rda>osOCD$s8%
zuTCnw5Xg5K?N`JZnoZg(+j=fy1?P?B@qRsawGc9au``Ape(GtyO)W0*>AOBW{A=g{
zvryPitE~;~*p7=G5k2epCZnFO;s4xSlfG#s`ptZv6r9}Q&N+Q;JZ1rv_{~)8in`}X
zowH+0k1jph^BG-SH=G`?OUM`A<|o<#=D39FOGdPY^fA8fZrs3SI67Riyol<|fZlwS
zx8Oo?y3n`#l7G(9Y)uTB22oB6oE8L^vzFevs!J18zj7oxOqs0S%0DK5ZE?gOzCPA;
zD~UQ2)adg<Pt%a@h>CKh$Dy#CC$#&&ii|;%<kz9!^6&a^!ws*~K1QE^^$AWe)7-gr
zIN{h|Uty8e>8Xx@T=r<sBh6ZMFrq84IO{$eTXfG(G|F03#!sTK)^26D(y5#sLe=VA
zzmwy2G3@nKm25{RtCBidT^^mdH*{QN09H_$|1Kx4xp&q=`b?wtjoUxl&NnMgKWN2q
zG{enV{by#BosC#~XPzz~!LNI}yBV6}s1IXK#VpdauUSk@$8}X_%f@D3a^;LGsMMn^
zbPhXS%@UxWQ&+F3ep2We>Yj3QGhI5#u+1P&so}?FIdI>;T}+?!n*I9hd#gWW4Ugt~
zf;euK>Xo>4hibNaOk!hfEZ*D{ZG)|!XSw*^bLN^a2#)Mr*}ZQfwK!^TXEx|{XRpVh
z@a`O|*gxy~_Jd5mvzqil?+bBelTWnric5c!i>Fc&b$wHMqCfcs-3?9ClJn?EPNTu)
zySpg(Q#TW>CH<)r)D!r(_%kliZRLr3;iH4I8&Xg*Qb7-Wx^ew4d~s_`%62!dZ|khd
z?-VvXj=r_wmq|O@r!8walgmClyVd*8hTe1Gn%n(#)mTK9{!233?@MVGJGeN<+y9GE
zH_}>dU6t7MP|e-sfZjfhxtXj3@rv>#6C1U;v-Hxbk^Zw>ysvRvBYy6-vwThVOI(+x
zOLCBBZfz!Hu1G%j4D7tiv!BPTXZ<Mjpa;_N?luSRn|b$EXWgCmQagvOGhO?4;J6(D
zDT_9~k&zrS#Dk0MvH8pwCz>sChz*<k@BZ@YnPK+u3sX>=*b%h-@ts6;`l*o2pG~NH
z_HX?wPWwZC>pIpl?t-PNr?ytDx6k+A4Y;~6w~*Fk;LYxu<4IeZq(*ZgfBs-eO4-iz
zGHN@Y4np+m*EY10;{sYVS(_3cdgMA6qRamAzHYIbW?@X{%DTG8Y)dLLUp<HJ;HG8G
z=Kp#!E5VdSU1#k0_v=cgZp?S$N=F(R9(@*4JW5|o5n)wYZF$W6UKbu=C)+u0cDJNj
zYRx9Z6@PoMSr1bU4#q|VL#}kN`tAH%zmj@x-mXzwQTRPad+fhk^sHwATJH=FQN0ko
z*w!3)6HR>9$q8QCby44tb90Qv1o4T-{+WtyCk4ulb8nQPG!T61YiwWaydJjfa@U<c
zY%&Gx&n%k9CTCf<odNTmG)D<E)A*}<_ha7x%8WL=k<ZR%uuvY=RpoLo&0O>C+t0=g
zsIGO|bTMsH16QtS)xZ}0JNVo=R9r?Ng%QXD@~AgvJWXe99$|r|_dY7i(!yCnxE<O}
zDUq2JOkHj&<5HS-bpzV!=l&i3j6un)i!5nATs(EgXdFw<1Kad9HPjfUg78oO*1zIR
zTeg1g)atF&vYj4>=RSO$YvejK&uL)i2HidmEgt1J_s+HVxaLhh+t+}r8cP%BYM!R?
z!0y*VXAjTtsr<IBODA;g8XQi@YrmhvCLcIs7?Q|=ow@g~p`Ex>;mRCMsgzXxE3wB1
ziT|3A{iDO`ukse=u9<jv{wuN0PCH5*INI~i1*Po^<GAM0uEVa5@Xg2eK3M6J0WIo@
zEdSQOQVfeYdesC{c`xtQSBHzY3!7H4+4S;pCoY?c9~Fl}A056&dla1~(lvu0)82;-
zEF)`$xJwbRj;h9f1Cjz=XWcF{AKDaLSDREDKF?RTq-^iE9QWvG_0R!z(vhuv(A$ry
zDJu^cFP@Nm?sqp|Z9H&0Er*ghnKvSGgpIXKum4Md1BXJOW`3U=<qIfRUROn^zAk(@
z*{^O3Wz1a|5@r<@2~#uPiZBilHcF$p?$t#Nu(M7s8WdBJ%frD=@6xSEJ5f#8Tk|_=
z&#zE6%QO4&JsZAY8<p?KUG?CLvvin<+f{aNO7(34P}MwX@vXhzPIsa_HRI`70TI<@
zK=lt(#^<>5)mt_Q9b2_O@1@~^mFubq`bdvv^iR+xMs(W~eG71=H5vPmE>BN5`Jf=G
z4}#~6;mEDR%8pR0y_cnW9GIN6+1H6OF;DpwJ>sSzIqf3l2^qnGHwldCv&uz&V}x>|
z==7yFhOaBX`h?IlpY{<@Uh`1S{X1$2Kw=K47T{*5wFOb#kV$iVqw`94lq~oH1dev}
zIu*ua1R5Xl{5BP$v;143+Pcp?hQ?cHdfAp834mzZRkMU!YEPRwjEnXa3kS_ntk;<N
zqdv>Is0<K5eZuD<HTyc1COHCp`vZS!O*&RRa3`?5HRcru&?Xengk4ZGNTz7>8N(q+
zr3f6_(~n>i9pQ5>&|Jl~u;By%qa!kH@s?7?;wMS9zX0x4ffAgAzdF0@y^3#_Y{Y`{
zqx!^8vhqwk5B~arm8+#9L{C$Ea6WKnXjW|#iXPIfHMu-MDpz0;5r~*72GRKOo*0t{
z)ozrkba}qhxURB-+6Y}WiWJUVK+A4#e<>sp+=l)^A(p1h*G4m6m@&KV&ng-vmIuxz
zXhY6T@heRw09&u=!DkZ+Y8jxoG~UlRnX+48&S)d>sGei)HlT*hGEGw8GhI;_Fmda)
zE_qESRw1+n0jsxQ^#>=r(BQ7urzdUU4DknwFDF#j8a;3BGc}uE;b1sn2rqah&Q?Mb
z7oAnR3X&1s?TotAsuF$)FK&82eQ6R6X8fQBO$y5IO7GuU%8mM`p#r2gy}aSqxRg|P
z<>5;`$(20JZhf3VBC&9d#qImdd4dpTDW6f11_>%~cANkg<g0)TpQ>$z8VPXSlqb;v
z<mv9WxOZPdgQ%F*uox~>s;S_8RBygC;6j{!5#f(f;IJ=I`Fvzd_OqI~RIv$ofB#z-
z^IW<8Z{_3y_dce0S=-2i4%|%Nx4(9pUlHfX1syKgIjL!XYDr;@?@h%%8;EHT*<<6N
zFb^)f&+@>&Az|j%si?82b7i-_OC$P%k?>0ZrGh_9S(u;WyU`I~Y-t_R92)t{M4#nZ
zeK?$^S4JALOz&|a-W&3JU)YvGWk447`{@?_1yDh$6w1aVe)^2BQxOtpY^T~13wVW5
z-S+fb<f>fWoLCX=!^N#!O6RLDDu!~Vmb7D?5MIfUREMa4pmtwaJxrQ*p2k5=33-jU
zL*c<&KW|yw-ss;U;ZPN=Pg=E0T5SGRm=DGtC|BwA8~bwxT8g`L?e4B?&F9Kp3L?va
zQI8GFO*{~Ec$dJgc;BUS$uG;_c({i1@i{j-G$PxP8=igb^eZd!`g7a?I<oov?RYa}
zFYaZjmr|p0b4C%wxNA%;?Vw5Kcoa0jD~J^zrA?b@Ua9`m9k?#jXHIT>s-z>3{F9B>
zl5gbtC8VyM<*XP%>yEaGJ)XZLhwq^V#XReD>>k^bYmc5B^C-HB@S3RsJko*dI;ium
z^e0q7V=(`ggy-znU}(L?oCN{9dQNxll#_S4p&^xG5j#OIezrYx<iecB*m|`tRQl6}
z6yuPBy(RW!v-yr3-s@C6Lpx`-rZwqHx8T@;ZG|JIi|+2a;-0&J;5~TK(&sdGynZ2T
zwJD2g=v}0jN_%_sa%#o9l?3qFhR@sIkLE&}&s;Nd(#8*#bL&`hk&aE&C4KjS!W}B@
zJSBx^WUF~`MP_OdB~AnuDO|Jkz4;eMYQ4EbCH(7AILV8zz7}{1R+B`jQ1@Y@)^%GL
zTsWS=g*^_3<&-fN1be5P&nofCRG`+QaL{eh0ESs*F)MLM22m;i>Fe?Km#JSG@^_~>
zmQFp1(sAw3N8`&EGXQg=2?<z!BPWM^v88uzZevt6K8@fjq39E=pPf_4xDrYo3qmZE
zM)ke^W!aI|nJY35K7E->Nh?@7iJN#(bMp10HIv>6YLPuy+hC;sqiR<3xd_yEAM|K?
zBarl~83wHLj+w4T|L-<!aq7$kv}FOH9|A-oqknX{)^5}HT^|L#gcF01owFdA9%0;m
ziywrLFB*(-$H9WnP?7IFuHE5|0<#~(N1Hqh^r(+-q~42SkIE)d!XX{%`EA-y^2&@%
zb1=L==z5dHh>5<KwsxpOmNl4rxE8G{x$o)P$zfDEABt$D_lRkNIwp?A>()*(&3ORU
zNE5Uq`OU@}5Hj&JE4~jk<?!pSoqx!CzWsDZKKH(Ytt%wti~b0khV7yA3nDwGPw3Ye
zO@;R=&_#HKol<b-ndaxlfXrUEFc-JzXLr)|1uA)h&+_8-S1#oHQNf*10i#&;l8aqw
zda}TDa_O=AAkJ78sL&6H=vzcP4jbT9hoO1C97jmwxRcvfhjKoR<eNwA2(%0y*DiNj
zn2X%=r)6yeijno7s0MosZ^}<M`P>}uafmK7^Gvh>fo{QV#KWSj?Rs!--l$U}KbqnA
z{3sK6Gk14_e{m*4h*dgY>btghRK{CQe7oPYwEZ=`Q<90$9ffIgv-dXW<-*M#pDea%
zqRwm0S!XWXOeLBFH&88m7f&zqKa|c4g;*5fS5xo4YIPKu-@|{YA93E&9fJ-(esk;N
z80puii5S!gRJbR{4lMEIZ>cp}6%V~icOvtSC0<MR0*&wsQ~?=oe<T`IV#7w>UlM9^
z2E&*hHTT7^dt?)pRVZ!NyBwTbIAvgA-Qs5gscRJl1j?arEu2vkD&EzW=xf@dQADMh
zS~9-uW%0{TQ3&t1VY49t5udeX_-@iow;OIZEMZ=)7XeTgD!4L8$wf-+v4jUMlbsQy
z8U>v)Ch*B03$#0C`lAHNN;>iAo<At460<s-A6(AkOhhr(I^q^NT7Z;3_v4GZA+T=*
z-f{2Zrvfo;mG;Dwabxy7*q<Zj(w+*Y*c7Ur@I^0y02wS$J*et+fRB6Ar-E|E>Q1N8
z)*s}>$?z~AFCp65$NcujPGfDQV}1o|MItltmzXaU*Y@<IMJd#9i3NwUf@R>gU8Wqf
zlLIPXjIf5T)op)j8d+8-ZK3QzDOOVV4lFlzUo>Y~{M2a{-ohg)A~Nuz6o1ZROP-78
zt<s&omVlbI`K&<vv}?)I37}4o;9ilgc)kJW6yb@rsVoNz3xUb!KCJ?U!!toa_UX@X
zBNwsWD;@WfS--1xiZ^F|Lw=OFw0)kdEYDx;_<qNuLL#nuHo$&oljti(Bpf0^NZhzz
z;&-x!(CjR*D2AipXxCY$79`T{m;>`!W0=Yh;2)Uc!CmNd(r~Kw7nXywiaa~;P@ckL
z1pTO4z(S=nQu;WscJw#sn1vHxS;E5U91>l^uvJ~U#;9w2AA#=!baD_60YvIFm>XYf
zcR$>TyM{6>NAN$2x$PH~V2U8$nG%MLab;9P<z0<<!|@IqPg@wNolag`S=Au*?X7P0
zWU>QqK3YBN&qFe>Y&1zo<2yM3&!>I7a!L}lh1)gPEHpJff@6O>|GG7NuT!%yC!G73
z<s6T1<jxOB3Md};VdW303v;O@oJ#{S9D!)fjkJ4F)Xl|-&-2GGGG-O+1CYRcR-PZH
ze{Xob-=@q#FL9j)&1ms{8`eK*o3hH29jc4Xw}A^#JNf6uPoky9ijKd~dA#F<<E!3S
z9h%(;oAb9FLuoI|apktW6!zxdbbtPk>okY@dF3u^(CtfqLgjF7I*t^NPAv3xcl*q7
zU{GfqDse+&9^IdDciktb&Ge1?@a(qmn<ox%>)tLOf+CE|8an$VHsv-ti$wxPgwvnJ
zfuGeIs>+8XY<jxAB|?R%C32ib+{o?8pTE&0b;is1fh7!<=1ob+TZl{yZ~>Ld2C=|D
zp4ajCUju6%74JI$Hrd45tKnHl6u35%#(I_<yDt>$zDz1Gj%Ftct+Vi!jJn$=(#=#Z
z1Fwu#AZoqEu9V?VLVuq6NMpZ8`HXF5d+1z(q!}s7*P9Z@a8bYS+q(Vv@qZ|KbV(o^
zSt>3fx{cl9$tF!FI4;;zfI@Dc)QGc9kd7;+h&WnbM=npL6;uGk+CbG<@hHP>cnxK*
zh_y39iwzAqb7RWhTU6r6@4UP-Zt0OdMMStEn)X+(e>x=f=e-_PPe$=8T&Wrz^*bbV
z+YV5rcx$s*I+fLW^XcBB@xF}*qLJ%9*N>gAgv^y*DWiSvVL2V=#LmS#_rK+^PC~FU
zvMKgc#mr5JDMEPo#$`uITVzrl@7}D3X3q2fD}JDL>=1e3W^5m}hp1I(EAtn3wn`1!
zS1$fAjiz6{g<4bkb=CYRUNsSl>P5+`rjE^Z<Y#`q)aW_lqJlhRyFiJXFe!D!Q-622
zQl*ez7<AheL)j!@trC8_zd|Wn0ZN*vhSC;H+iMbp4}_>weVZ?O3V2xDi;#R!&2~6j
z>*8s)Di{y8*LE*nCsA8jn%UhhiLm_uxQ8O^71!cxvubM?F-ob<#)BoFOV}wwO;CWC
zQ|DPg1*NXCfhe8Agr;v1>vDuaQoJGa8?LydEk+D%NF2`#ABPoh=bLsY^&Z+h8jL;d
zi&q>`bG0jahJ1m83&XsKCCJ$hyl#Qe^RCV$3a!~QrDBp)96b#($NK&ptwzvec{mv5
z(B`vyW_7T~Be3Ug=H%1Jf|MV*=)6&PmukL!EM>P8KMI;7KhmK{6208Q4m!X}tBtOW
zeY(?+XEFoklS=J=3eA)#42`*=Sq=RTnnlLqbtaFhJnBhM<xBG@=}Z`3&o7P`Zg#6J
zLD8r=0BWCmRvK|`Vbtm}|F6xiG4sLRUDbbvjs!u3)gwGoQ66Ot7T&N1Jzu}4w@l+9
zwZJyq0lJx<cRitnQDk<S5LPO?PcI+9k@(wDsjw<$M*TZFrKAN0mkXIY_WiVj?qzWd
z=T#Iusc2HnuVs997O)0}iZclNo9u`YcoPL&>2N7W*B!e9(ld(91ZTtU<5#vDl`Nr3
zTu+h}d%&-ZsMG8D+PS9Mk}k0nc3rHv78vP1{j3Q4+E`9R#Nl?u$&~fyXSKVVJ!L~~
zBL?tE*y7j!bRZXgXJ5h!|MIJMA{|+G3oT3cCoij%JX0z{2Q10)S&5Pv#SK=#K_!|M
za8f@x;Qqw@E1~ht@+N?`_FP_TRl+3<39do_OA+Ddg_?l4S_tRKS{K!{io5nNk1H$%
z$a3A*<DZY_+TH)yDVC9$2%#t~8bTyC!Y(pa0A3D1cBj~{ESs}bnfWx7`s<Ve&?2Ks
zt#6W<XHww&YK}q`bD-nUh4%#1<tn3jiZ{;r@&t6mmX|`asZNZV2<zf1LUE%5T#KFz
z?Cjm@tw2I};ds5KeR(b4>}JTqNiACMY3mYl#-FCMW@+G3aqg`{jFxJ1+M;(^A%i;R
zU1H{DHQ`tpV!@-2`X!3}v11?Q_-IV`X-~FA9d^xGpg9UGV_4jBpc+5V2Sh1oLz4*O
zSMPzdCl!P3E2wB)pABz10V9g4+4nw28^odj*DGN;npy%_V(EL|9b4F<8xZz97Hm&+
zPWb$S@|RI_H?CMYMt3uNit+BZubryB1rqvCN35}g8wVHGl}v~XNb28|V3PAam-Nwn
z(Cb3~8AB%_apHA%20BtffF&N0EZ@@=5w6u+cYIS)a^jgVLa4_(C=M!)pNeCBF~4<w
z!_{jE5;CATk~4hGqaS-;c(v!E0j#ZvVp3ZW_*c<j)$kZl!~?*HpI&t%)sc@Mjz79S
z`dMhiWt56a+=gDg)PNfFiu+1j1{cr~1)@8d2_Y;2ME2%O$#?ef1^r6ew{bvIHpIKK
z{H=%|zaL69{5`kd?K7tk@fFRCRR1M|I@2LLfZ!~h29Yetpw1kP_e?ZD#B&F2&IWTk
zI&>8pvTh|B2~mp75a;cj%Ri!`{#HX|xF{?P4(g19#Fb9gMPMq%2DZ*bf}1=FRbd9S
zdK29EO3xo7S{Xjw;Xd`;lpv~hMcSScVx2oQc)A&>f67!sqYrcpE!~VJdi1YjDAX@m
zw*`nm7mgcMo_*n!71bG|61H~W61!asCD`NE&mYad>hI$?aM{7OXb^MLzdqVwe$&r5
zpZnRZw}3U%ZYfWD0YJv*oYU@=o95nlLfFLE!C^sY(Gpbg*endj{>-gte(=$OR<$;G
z|E4#3PB__^+e#fHOKDv_-pi_Lp0^V#T2z(z`*LV0ONZTcRZpgXh!ZmV&!`&byK>)Q
zCJRmUpctwq33d9<qgz3Q3Ti%VeIT;Xn#wHS?}&j#1bY*Wj<4>2<YH5UHqVN_9KK=*
z>LW<<UlsZ*iEeZ{yR$brz?sf$D*{{faa;$$w!Rp3ZU{UiW&*|TxU#&^xJ%FO0Qm%i
zS-<;$fe0M2|A^tsQ{&3T+dj=yhNXKax-;~DlxpB3S$?$!<>YE!l}J3<$k;4-E#Bm!
z`;`w74!^)N5vv|c$K05P-khZwcUDLOu9RMW4MVu~z$%>h5KAWlLMlLz`8p5Z+CpIw
zOOx-*9~`<fWmU~(%n&q1E{<H_k&VgBuML{OU)`VOWLGq&qBRx%eO3v71I!_tK4{Z1
zFa;^uEHLFX=r>jeSa|73(p>m5{N~M|VUYg1k$ZylAUKLS)P3Rr%z0MkKJ}f#(2i}m
z*p|h|SgY)(XJ;`%*q&Qh-N3tA=#;iAI09HSU)MK>yp~iaD8&SAKu1<8rzgH~jjfVA
zn)~#YiiKB-jao5+pi&cckbhZ0Ew<pGm6z|%#f#t}R?=^Jzs=pmw^-)&tkVKtiqHns
zyJfx6SaZu4sc#!tcVIzbE#@@BNrK;-cMjpe9>V$-M|CmS81Z5=69AuUJcb9rWI#9L
zzz)s_Sp5(7uObXE*mfgRDqel`k!C4vSOk^R7G<BPISg=kfXA3_Uu9-p3OYRZS05r=
z0V#q0$bvm|X+z>$33&oAiEjWVuNob@G`Zwa1I&(;-R?ME<}|`L<=1hgQ>A0<)7|*~
zE?8=KpL@_uMC)&9^2GVMKJQ=qiW?qK9+zI`-t;zAixmrUiA_*+r-CU?$wF_%XkPNg
zqbU^k{7R{*MHQZ_d9y{FD_;~~=cnrSy=HfYj#egWVCLIlyAu{ZNT4cj(K0cpY%J$R
zZ+>H8dmRKNq6)5^*aR^=B5YuiRJ1@Bl+|7aB&HqI-Oc6G<-)_e>YNKAfm=cK(0F2c
ztE00_gx1E%Kudi^uTmyPu~Vo4q3;noJG=QI3et&g-Nv2tzhTro3!5_#;20oo3Zop0
z%cX1Us>*)}EqHcUQXKoRw}1uLRn-;_yFZ{}Ab|jM)fr;|z`^E!h_Af-T&DN@Tg_Fr
zW3rsLYAnI}j2*AAE+tFXlFT)@gU|ZU=y+3j61rp0sl|WgpA*%l=qC4$CJ6&T&?^8Y
z6qg7#*^vTciSRkAvJY+se22k0M_^DyD9_LFx`|nQB_7<MtWDN+{Vsf=Tz1}eU9&j`
z!emc3qiql1e!MQ=OF;95!a4R>{^(6r>ZJs^@+!W-u}qG_mvx!Hv{1kX(Sktu@Ic}%
zW2sJHT}<cR`)+O)PWQY>6VB))O2X1UUg!<W#qL9qJ;uqK4W14C@(so2Cq7iVD;-G<
zR;ua$G+|B_%3A)u79dlIj_S?F=J;=69i;e(P>xYY*qK2r4=^3Et|yxi2bJ=C)an@?
z3LB&hOLfYt@X+R#FF|^UAYSN<a56ks=~=%XVP}>>a)piw7$pl%DkImX*MXZ6n7#xi
zYs9y*sWp_fBM#zRdbd>=4Tw=O)jLbk@ZASA=!)yRV;oHyQ$7(I3$bOUY+8MVX(HMe
z?Kbgj_oRW>n=pWvn&j1mY2OiFR<;vb{nM07v_FOYl0LQ1+?&XGwm2@~0wo&8EL6F6
zjn=pRujP|j9BlrNkY`>P{{3%A4EoQr{i_IFc6G!O4LWRqT#;BNWI7RDKW70N;iKj$
zqTBud{0iIEe@5f~z}#qN*9WiB{vT&l{wHw$s{-f$t&y}l8|*W`;^g!9|2yQOe`{vc
ze{TMNmE@+F11aHH`J=~kPZIx+4lw`uTK?$wKRqRCTk(=X=@VY!%%i_OzDaC$)#Oqy
zniMp;piKs(l|4aIJepSg5g@xdZ%Lb1fQIGP<W*mFW8|TFKyGNcw{<Pj2)$>br(~R3
zMo2}*n!Oq<>d?eGqw!1P89n>1d*ctIi_is2^y}_ym(_@e?UJ)#k4m61G^+*Z8L@F#
zGtaKG&Qwn5PT!ru<Oo1AS83T2uvkK}@%nbnMF|q1sQKM8F8O&qOQ8lVB4kRSqbSHM
zcg@KeJk}e8&Mh+`?N1PJybGy%SY{*Gk`LVv1~n$aL*WHL6|E^N_N`6SI)&ymj}+iQ
zo}dmh6$Ajp;}Lg4OO>JV2*gLqFanm5+M(hDKZKe)b>68_3Vj*T)<K~%QRnR%qFYdS
zZ2j^?Gxg1j%Pv=ps=f8tJr%?%6|`Flpoc=Euo1(2N8H=qR^S5I>61t>Q`E0khdP!1
zQN5p;_^BwN6w>^qF|(UimZhfaT#NqB7wZr2dI)TM*4|@})`XSq9CE6*Y8QD-K;-0Z
zGJ1u?Y@&w0?xv@l$+9d}<Y(p4pVa$Y9H-cH>@-NN)#-o{DjU;uk%>4MNyeb-eouI`
zfnvJ~OH+HAm={xs&4}vY+5zj{Sdy?X1n^tZ3HdN>D>W^$L0zKCuFy+jy||<On%?$D
zakOyFTBn6s%Z75}_EE26Yb#MIiMd}Kr^X)>#SUpszkrLw!<4eU4XQ5z*b&ecAhE;~
zp-snMZAftB_3h6w#=@$=xc*cbCBpl_o#iv{E_F~Q#SFYjy}bvmdOM=Rwg`Yqz}^6D
z<^(1U2teczlHHK|0~1C2sc-pJqKRhzNKHt-38NMm`ZuF0zKklxBu;pIC^bLwk8BED
zo9JLD0F7ywaq>IEe7`mIV{RDwPo!4SpH%cLfEYtJM8x~X)V5L4Yh$u_0nJ1LN9mrF
z5SQXevAaa%f-Fa_YQen@ZCs1;ATZA>fyZV9)-?HWK}q=h?+Qr&VwFUL(z*)xzE~w4
z11_<la+fXgO`$zj&tRpb9c3M`9TOLp35GQQCv1+vU7&xTeq>>bl^u@)>15%7BsL~Y
zC~@FOet#}?ME}SrC)A#xWd!z+AjN+5dLp_uZMoRfiKa=@bzg(5^gCrVVV6fA9tWg}
zHI-O@T#>up(6;&WN3zusT2v?h+7{3^m2zvv;3kHGrqjGNH4NTCyoCl&^HAt6ow}EQ
zH?!EXV6%O%)Bs|nhoWG9J_&?t3qu1iAYOjWP|)VaIirb!G`}k@UIe;#|1eiHK>5}4
zs*|4td5$@FWRpO+UKN;k&d3uP(<8JsOBYu_j2xg^zD3d>JSY~j2be2Y-s=FgGiji&
z4m~9ZpP+N{dVWSn1{|hluOWWU>p|6dyiEr{A)0l@L{#8aYRoKLck3(biZIrJr7Zy9
z1f%&fydd%G7!8s8<_z|43$L5J0%Yumc&lcBsOf+<X~;>y3aN>}4gkcNpf)ONk~>-f
z7`~PwcQC<gy$Xpw0no+1+s-jhK^F&8zAbhFsA75<{lC0&{0Ruyj784HkBbz<UqD&)
zGL8q9l8$}yyX9HvmflWteovtuLwyaRm)73#B5Wp4O29j!EsC|no7<0|Vrz<rtR~JR
zID{C2^)6CIkl1i0h#?pzl|P0^F<fE70YzfcXKqO!=3fX(O2@)1(nIdP{y#N+(8SQi
z^2~|<5F6NdA&g5uvEq*chY;_&w9r-R%c#wr{(pK76@8=N7Xuz5pgVAxA?$uVNqyLI
zhp68}T9ByS2qS3n2?BEKLKLuetY0pZ!o#ja3|{&U0!3Qbykcs^gBS=SNx(R@EfvC^
zlYmQ6)>%UfYHKmC=|s6rMAL*rQJDZNGU8c|1b@tk$ToBZb+aBVHPx<9-5y^~+luwU
zkwvX^9qO<(84x$y-H}nP1jfVEGdV;FQ`u&%7MAMhSEPRr@d+Whve#i^{0lLkjPpdN
zUc|p&^`Ll+eS#OFK-czhm={rQ)us(JsJDPy%%mIGsvbXbVF?fXtPd{n1)xkswCGv~
zEHQCARnN0z!-APUh==44Pnqw%U_tL37eED8US11+f9z0h=YBs&j`2=sj*4__5<YE#
z23%nR+%R-ni38x<drUE!eh!fFh#is%62Z{#CQ1ZFl25V7UaRaj%y(+*<xe9Ljs5{Y
zf)TH6o|JxgRoV&aY8saK6~Yip(n%c9P$2bUg{rsJ(UMQnJFcuKH1K~~ncP0IWGT=@
zfQlt$hQ-aen+V#k*ia8F=k4AU`->InSs*qF(iK0Xj)0=Zc|=vvHYk`<s|4bLIG@c!
zC)G+7gMDys2(jB(2bp;4kmR6@6@7HlzGyQkjI^@tIciM%LlDE@U6AUTBcH&M4a{8d
zzga%OaGvUG)|>?$&WCLm|0PLqts-s6ewF)^41@|)o%MGeA!PB>;UduSB|!v6JX2ks
zhYjizuLmonL?5*1fvR5SVJ1c&I9(WY)oNxjgldx6M(5J*%=KJNPg@omA4>)8OCgpT
zi0o$cyenj|Nwpt86a_L#2UOA-O?!&NA|t3%{EPrP7a4y5qiYf6YaPg&I+FjB{(z}e
z;KWJ1Z`=s|sp}(Gq9pUNoY1;-@=|zYg>xj;9cu7a`JfG0%fHWIjZ#IN;TS-I>;wlC
zr>t6i1@MbKYG+zL?p5yZU=*{Ng8kEBS6Qy+d<lR+g?ST5Y-%hlyQ5M)B9AiUWb^%*
zq}n*JbN<5=vWT>SbSB%M?I2x+xcMn$EQcPsK8YAfU~fa%Vb3N8QoI+i=(Uym2)L)V
z22C1YKqDniIun8*5fh<IfmHe|z{VT~mCYTV6qpg`V9*n+P|yHru3?;XiMpktkn<gy
zVIqwx)@!+N)KeB>(>n8TJkM`$3j~E3Q4g9!^HjRm7Ia6|g|?u-j@ritA5QBk;%C)j
zz!lJo|Ci4}I1^d}<<_yYBPo)QcwB3Of{NHd72z?}vlLA~#_lVQ_|dRN;x8m6&w|tD
z03xE_eD~nfR32In{$ot1BsvSJ>rt&D4AgcJSa+(}Jm8&5P~E}Yh$0o3(y8swjftt?
z$)=!uyWdU)cnH&?Ua+1Vt9Q!ycA{U0D@YC)M^rpOF;Y3nx1heEazay$PZy*;R4gR%
z`cM!9*lsy-pvpw_>=8;LREl&g9Fru<H#D>6j_Ecoi|Jtj?N0<R6_i;>j_l6@!YIv%
zKPfw>;fQqS+i@ubhXY9m2bdJu#)m`LaFPxn;Fr~gFF@fiW-y?NFK&OH6t@H=FSY%<
zP9LT=ae#z+5k41h9z+1XbT^BhnEAX+zDgzU68v1$eoG=)xuS3b6Y~xjFP1qW=B=lL
ztx%X&Ifmt#8=#oIMw!&&$P=>INnE9}EauX->}OL;b!N3B-0gxg3JFA-_O_I9glza@
z(w;obmbM}#t`Zk}xWxV1VOKG>1XyhO5LpT$S{4yG)!sW4_=_|Tw_QqjyZmaZ|BSOf
z=0h-M7Ijr(99KG`Fi8Y4AO~^E6huw5*PlqZ%2A|St!2!mv$k^6zb9tMqadcBjeIkK
zVRC2ZfgYh!Sms3bF<^+truX4$=2i~zn_CDC6+T&o@;hksaC9c#RzLGSiKTYSe|ks@
zB>yT^lZU7xYrrl%e8@a7F_jzBehDsg{TzttzGoD7WCSl;0!Pu=zBXKG#;CC9D3?y{
zfWKLokLv97ghAQ{U@cjx5Rs6*${8qJ@5>#4coUs<^?}K0q$faUR2e705WhDpGjv?<
z<)dQ{wrzh=ux8#gSz<Lz5>;{3f}d^*_c8oU*xTH8nIUK=^VB8iOfX&&6-ps3Ei$lK
zN^ZWle9P`MoWiaKS#Oi2N!j%p=T2=KYkuYOfYYQkA}XdfYJY8kW<#=zZ7tHL5y`V|
zsoTN*w4GG6czP3G`DQHoqD^)iq1jFG{1@vi*=-P;N@c(aV^+H>VE>{P@3$iEjOaDY
z_;eCTx@|_;&RbuxZ4;$c0UgaFnHjsQ%ztXpP>AO7Li@%ser1>a7;k=)vN}v5LD8$d
zW=}V}@e(Qe!gGUA3VcPixKWdUQxy!BXAtT4n*&T59`W8F-y}qFYCxh5U1Y%BdW9H8
z&OW0if1)Cg!dc2smXe!A_K_jZtJ={ey6!C+hchVE`MOw?B?Xo;0hsx7Dw})Y8Ul*_
zSxV}TRXs%2MZkhdg+*=Z0u)7Bg-mP+xwoHgS;bHlaS?1+%vQu)Sn^v>m+%iMO%jz0
z1&wNEK+mU^d<}0E@?1tdG`fn>zZGiv=!1$hX8r0c*?3|%W@u;YK+Y7nOV$uGlvm=Q
z{mJq_dIwnpc&6Aeg#m-?s0v0?5wVL&mZC~0_=BQyhrIpEkcXM9#cRVAE={ufm>lE0
zFJlT<(O_d{kf7oTEd!|6p+qH@ZnU!D7(lxN*CYD(#5<70ay;vq%*4`8KLdrryJZ^v
zU(P=pb~Ud7XKZB|8Q59#ge<S+7(r5%Aqyq58x?W|QRqCG-N>y;RGpTJOIqGC+KsyA
z#y+x_Gt-hTKnYJan*Xr;yJ~^#Vj~5KN^%cQcayz}LTT@{5eDdgy@>(u9VmC=8C>bm
zfB73A@wkX3asc1cdN_Q!*+2y`D335{96J#jG09<vbyo9)Y6a^7vtzx~15RvGFGm(K
zCxXofHI2#2M|{j{_8oUK<9b=_Stw@yWM$_8{_HL2Xp#07NxxXt64X3Mq|OqRgjt1`
z#5}2jfs2JQ7PeriA~>*tT>La!JR72?&YbN*(x?1Iq?PmKi;b`<f;uMOF7arN&l0~_
zfu*m^(^f9YDC*$EdXYe-RIug|3X1e(YyT5*z@npxf-K15%TB{YV$;SPa0R8X)F=H}
zHB)sb{e9;6qFRbkDybXNF=~odEgPNfvqL33fsl0Qie?o(T1{7iW<M<;G2~$hY;A=<
ztS0YoxISTSDHFCC_g^Axi=`))z(}Ph>vtzY8l>52D<Y&e6s3ER_!79Gz>sf{d<{tY
zmH2yRdr$^ni(rn1Om2cno19k3_IYiJ4E9zaNfzTva2xt8>o-r}Mcgw$e)>`60wK+1
zS`flqR@5*>hq-?KJf~C-6nZNXgSB2AgOH0#Yshlkkj-!2nJMvGx!NkpTXcjA1Lgho
z%0E$+kSaZFZj<YiqMMObIoLc4-6+)rU&J+#ru6naoZ1n(c2%C*%bNkLN(#`se1N@y
zc!d4Uto+U39}!nipP4b#VPj-vW|05AYDR5^%tYa7jfwGWPv`sT?rbe)f*941#A{)$
zs-gIi$n0H2&nbLi$xMP9<@&ir{J5I$V>H+GUE~TU!`^eV%Xs`f=;meqD@RQ{7W#_F
zE_H6|VlgtnVfbIAF11J9mnZhOGT_-ZqozKf{yo@G6^x9um!ax7xRUA+R_Gg*VPa=t
zC3#svTe@``l~hULjxF-^vN%aDM3cDOwNGjblD<)T<>MGZ4qR24*aBsyNL&XQHH?La
zT!GguCh3IrLOa#=jfIfHz>iCKi2*pAlr5!hR}V;gDqm>K<}!j!wRrm#NNMp@>Q%&e
z^Kx7hnRbfQfcX$hZYGAJhW)O4+;`sk`SL`4A5tqo6DG;%4~z-;zm!|#*8F@`)T&8L
zUj{p@s<9Lw@7K*PDWgL$q=SsXgT{jHNq{zG4PT~wcKZaAKBI#)w7x;}+>rc<$|DyA
z(+LB&VmEm8PL%-WG$hj>7S1R3)>RP6FRXo;lq-<`ECw%jmA<wPIfZwtOhKdsvQxzQ
zUD@L+2SW?ByXgwCUq$gXg0wunpHTFzpmei%KB;N2g>7p2>`~Yi6c9@0%tkF?U(LPL
zg%AEZiFC1)rzjO^6y~{#^%q|}dNKPj3a#Y%Wv5k9Z#RKCbwOtqC!}iVX7P4g%J1E(
zVsF|48e_#BYseNhLST`K9wnqb%{IIane2;=&?U0zA&gkrF`5MN+l`-7zI5dM>ld7y
zNGHy&LlGMWm6ecRecoT&FEO`uZ^w1_!e=<!w!NcvqBCo6cV!27LmsMRpv6>kp~ZEJ
zv@}qQJ_wyyn<@+1#L>^b@}D}1e!pYv+}BApS6L~KiVR0}5Oj0e!DU|_jvzC&!=e)E
zazYymE&0FceBGOHkPDYfd~o&;i5;G_DcBNY^z2>`0qO6`W3Fh}x<OpOk+o6=Q;Czq
z<)RK!iAh#2qJFkjU*?ZvgGlQa$bl=Gguu4jT3^l8T=?Q(S8`F1e~?t^2#46QT^pC!
zgE$yNiPi2=Rb0MKZ|m7N;Y#=E&ZsJtLr*2$L$MiT&@Z=dC54=9oOK@?F3H+M{C)Y2
zd;$PM4tPaiaAco7L4X3z^o8Cd#0ZoO%WAzN+e4$Ix1-^&>&Zzc{skUOco#wR{P!ll
zz50zMoy!5+pzkB8ZaQx<tO3le>}5yP@Q=2CtUP(Flb6x1TQ3XwpYEGqsfXI>37?8r
zd3=1Fgra7T7l9o1qJ<)Qn27$vYpdSG0iH)UK)SEwB}*08rcG9q=Smm|g>IXuViWZb
zsoPbcVw@#X!>iZasH|ja)HsxpLQ-s)lg&3bCq(7Oiv<l0xAGR2t*Ko;o+;R9TS-`w
z*8HiC_5KK188DvDz%37^wQU2YZc9Dh_Svw!)cM~1S|=B6tswimMGcBbnUX)V@$KhZ
z8GtVe_26O@feXz9lptSA(!`X+?*r05uQ8bj%R=&`<QB<BQelij^ir|ZJOf3GxGkAk
z2_0{~$}ez!@fH;}qM_`kd&Wc<aGu#!nHoQ7zB?+#Bx`Pks1b71#KIq!=*^<V9vM<#
z&sOzNlZLcFdQ-fZzQP^bPdQQR<>NYP2XzsWk1Ov!AY#5@+5s#fUb*<L1*F3t@$KbY
zqNE$J+={QHbW-6;;%yM$81pnwFn&2U54(kj)Q=7GAkfqMYonR&5^PWTdX1<&p7?t~
zcZ%%dl%&;3I|x{A<V?E6GbE!*{urf^qB;yK3vJP-{8f;s+w*hsA7p^mj>a#bPL=$y
zvg|$`O}U~xzByrc!-7`3t)`3Kkz%<0s4$V6C7lDZ5o#-jGQATMG)#0mkGk>Mkm=+*
zf~!aR3KVr>C!i;6=QrlHTH)Csr4(tfgGH5S_xE}86E?-njw1NjAc@^FEj9uC?M6{u
z!Nlx0+!((zC|pBqD;o-=7raZ^G)>-RBZ<=4c@S<)4%k1Rus^*Wnel_(g^x&I-E+qN
z|0o8gla-`pi#yd7IR7Cu1rnBaDBwh(^#tq|#EJ#)D_bd<5j2-dN<3YP{>}_Hlv)Kt
zn~wYGLRP{orft)OY0Io>pYqM7Eq?hwqS7QN*&AAHQ|vV;h~7H|Eu8+4#NwwrhcMBl
z%aAGB*8u1k5>VR&xhk8-r9%pD8Ya`X@%iYCzp+?0WrO(}D2s!&SA!7B^K0s$`=$EG
z(8RKa2b4~ge8YA*+T6lMXK5uud>QrxraABXHt5bxNC^3L`HesTzHBZAeSdHF<PH=;
z*Ki~#3CTp8pWrxaX9xgUJn4&mFE)1G#r$u7@lBG0b0Fr?phuy7@ZEwBA2oUcI*_!k
zU<Z&g)zuq=D=I-(UCN|}B!mnB%b*}b4h&H!G~0Qzkw6sNqb?8jG8o3puXKVXfz4cG
z8bx%4Z(O8VupaWu!<pI;I!n@YAyH=bQ`Ta$zk8hN#A#%?fY9m17HA9psR)0QGj|th
zx;FJHfV7BWQw8o#rr*>1JnRC<t6lEj^JXH?LrQc~f{n+HSh;V#0I4I<A*X7lhSn#t
z<B~o}{o!6A1E(i*^#eH2jJ550!S;@d{fnEnJ@mO$$xXeKdF)rRM1YZ}DhOV1HA^kC
zShSsJi9D4uHi(Zd^^jn7njnCr3m13uCe;`fE3^{{y4!Nup+EDoc@XN#+?+c73%daz
zc)Yqm)K<Z=t>l=+CQj!9ZVkkG02!8cm{mxfH0FU#AEqzmWsM%A#srxp$KO7X_1_R)
zJ>$YynZ+Tc1=Mr8=pa{GogQ~_3BaVNP82)^ug$7;34bmqwo;RC&>v!7^Bw0v)<$hY
z!=j-D4s=G(uiOO0)?(A+9g&{Vtgp`6&T6vDiJ#TXI`O$E=LCQ9B`;&=X9m=&uSw}K
z7!BYzS??vjVGsXNebb^${89gP#obVaA(=&6@vo`kYKZP3q<I(x_ndw>xj6rGgG1d>
zn`a`=JY`qH(vkBNS0hWz)g;ME_o&{qylGmqpcg`p#MXYu_zzI-<4Y=FDr|HH83n-K
z2ao|3&L=2Sf^NrJY=i>ivofmZrLQ<GxkY%bmi094AjQK|?pYAI+Qd{a9739}UVA5=
zR|=j10|{_QxR0UNCrW!Aw{(nu;{CNGKrh6oMsu<Cf1eBpb(-udwziU<fWgHSpifH8
zY)(5=$=Z-A325aBcR!q-_r9}YUmGt?L9?6WYb*nD+6%s3-q*0HFzTYsz&a6c1D#G$
zehV670N2po*GSgPw^QLFQx^+*3_c^)+FK$qfI5w_`cDqt;WKS|qJ{8u<UwWBa<7j-
zW96J8z{={or=qiRAlxdV2`S2f)hjR7NsfSP&a~CMrZAiejyPgH9sjiYoGnsL5f)!M
zRq@BqQ*O6FAFSR853dLqFB?F(O_E@<@|+N@25Ha_$oN*gk!9%~1}ubT?8&(jwq0CF
zl&JA;W`_6eMn@5(VLyQxWhk*BtrBHUl<b!5^xz<Rd4xnuS@#-3p~oJP<qTG^bgOI;
zhWxkEVzK~60zR-sR6<FQHZFxFWWia&w@bm%lM^U!00tmxS(QE$ySs+yV@K6i2`)rn
zm-9UyI`Q$XZj=i=4tdCUTUy`}Ja0cDcCDlA$1JuoAI@A-ppz_4nFb&yuYh+!6M+1w
zEilSFu{m4iG2l4Jg9G#ccv{^kuP65}!JIf+FqhHG5oe&)M{!-pYRh78b~O<O;P)yA
ztF)8<kH_VL3shvG4j!up3Bv^&cfLJ1v5(}tMTRi~6sAY??|=>vOh~n@ELV&@pV-|3
zz6fY0yS%Wb#ef8p*^E;bTOUX+^1AoX9^f|Yr8X(=S`R$e0kL5`fveIAiuY(!8>X4p
zu!FGJbLI_#N|RV!Kx~%^4|iOC$rTpl4TE|L#QD?WNWiWJTsYGT(m^=R>|sQ<n}FTP
z`$2Z+kH2T$r^KoCS!KDh6~M=$sqSb<Z(%iFZZvoEj{V9@<Wsb!2u_^?Bd;aOU`V_n
zt3=IV&bw$qakKN@7i(rzv=MDyb&hgiCHg^tTJ3hR{~75tRE)H?Q-vW8#AgLg3SVIZ
zEd)(10k^;d9Qaa|={iedM3@)o?HpkL@?I_|p+G^F{9RH<Ck_%|otSSg*?$h4lIVW`
zS<^zr#vrPz<&CHG6xVqZ>`{V!pTX=$Dw(27{7V)rPuxl*7$U@|aE1JT81<38Zs18v
zHchsmjB0xdt#d+$9U$p@n2wU&WX!L?xq~oM8p)?MED|KnlzsOI%Q~pl!zJFz;kDqO
zFkR5PDnCroKC@P~LUc~R12Or2LWWg5{=ov5hA^?^#tT1{4S^NpO0!1xo2hEgDqrVh
z2Q9n+L;yFSzDC$Ov6has%#>H3Tz<{)*A_%b3%to^tmszQs9{)QHw7btDUF=WNT%Y-
z77QKYc}pwvZ4tm1+OZvHL0+TA!s9?hXa{T)#^PnBPdK_>q_N^~1Ce@>!eRp(0RZIq
zCUGeO3#t!5@lg>NgH=Ou!f&=8I*$T)kiwY-@Al8zYl&_a)(=n2J6Xi0LF)2?f+2E+
z6cN1hVpuP0@DnMykd1@ZRSCJ)TnR+Rz>3B05dt>|(5U&MzY4)5r8#PkYqJKcFrAe^
zCm;u;Ke1Ho#jQ$Qg$e>Gv^fEONbVjCJc(+Mh{h+$9YK!88j2?Xj;P%sSh=vtL6so6
z>V$AT-h+%SMtd&}d(7OxWwd>;>UPLQYBmutOA$$ALD5MJD{;dN2oeD)r@m%t!Hk~?
zs9mvnjxV9l;52Q`3mj$#3No!1u;|E{fbkb59doPwr$LNtcx-IuNbZ|1Zinkqe$m!~
zI^^U>;TR^LHtY%}_O8HUG{3{rRR|(KSetnA6{xBFCJPlV;B%E>`6t$)@_T(gLX1p#
zq;SLn*GgAqTR$+s6|kg=D^l>dp*|dO0FZ1jS3zcghhnas!yu@6HqK2f23T3Muz2h4
z#!2y3a*ELjX7Z{pzni7WC{bH!qL8BaH!w>VIIOGGF3?pWgF(MKlR4DWHX#Nrb7OHc
z=*Mt`(z1qnleENU-GMy~%cvQn776up0vPARV4gg;Lxg#XoFb;sgfzPL7lvwOJQ~5N
z$U3&8uB`yRByF(T+DQWZ4pveY94#gBA_#iE-L@yX%nLYL5sPWP&_wuO>0nEm1u!Rr
zCU3o5KeA8^oo>AU4q5$DVr~~fl=o{P7LzvzZKJgxcNa#{8Z4`z`IXpB2^`H>$s$Bi
zz;woA>R6D(;s_|lCCi3lo0g#aVZF)Je(Wam87A6wJxFdf^sTf@F|R3U9nvmjzr_o@
zbRK@mKby43*nVM(XO-Rm&3wf0CnR~`bdbvfe0`JDcw6!m|39!!tSd!qpCvW^*$bt5
zLjjBwJ^&&yHRB|K6Ca^1lKh7ihr^&`VtnN{;ZZxmd{zxAm)H=|PjlRJ?GoNdsrGiY
z_dWP@;gqR_cy(S<nK~oq$>NH)iT0Pbq&)A~yt6))-?nw>G)Dz}tA_&|foe~V*TuLo
z_+tq<t5(vs9nf|`aAap0(Cq*jm;&iZhe_(1CRAk<0z=8cUs~CBYN;Ybn77^WtV^xp
zjb35`8n}f|Cg>NIvJ$=&*x@05-!sY~pqU*+*F`#=oYF$-1G-5YPi|XM89_WoqWFcg
z&L)rTa}GOR&7Xc#i5JOk7y@<MJtpNmVb8I-DT)@))3dYscvLSni0KF#vC8fY8;CE>
zWZdgR;oWVf&%o}=kVanRN``qBOeXAMpz!%%$VH{66R?*n{BI8tu-SfKzd-+HjtX^?
z0vMFMX2J(4V(p!IaL4lN-tKOO<~V4ov0*Tjw>BwrfJ5n)3wO7|{!+3ZO8k+>!PxUt
z<s}X9N27N<j+u`EGInf0V|5e~U1>eqGPfOdpfk$lCu;Hz+>06z-JW==B?F#?7aW<o
zG5YdnOgv2)X{x-EY2&cR^r}FZdAA!I#PePtp6j_+FXBVlyBgQG&KaUqVcMvPU8q33
z4KSvKFH;~LGDEyK<oCX?Z8enH2LIOC%GLLDx2!#!w*qahh~HNYkl0D<%46QHU@nJn
zKPld`b+;SW9DCv8+8z2<g3VK0@z$lIfV^OgZUywOii}hvRctXJ*a>L}n{0K-5YL?X
z9I?T7>6BzCtH$z}Zs4E=TgF$P?A#HS4b+t_)EXLns+UnCS2K4QRJ;t^45Gv2aNaLo
z8QDJ0XF2cCj1ZW7qw*><6IA}FoC4T76N;V76a`g$?mtTK+ztpfknD1`%%Wg&0I4n?
zHT!Y`ACCqcB{>zsh=Yk_VbL*%?ut8@6bkTmmsmYXp>ENaOBSV1+V@V`#5fzzJmi5+
znN6ZLKqGCe52?YE{zNEp(*Aq`=-a?ZI3N-uWZ{gOuBIpap7yy4;$CcHvFi6fZ#rJ|
zd#BREh9rC9mr}<26(jW`pFbHZeGkc{%*KwqaC*oq<bvtUB{s3aCVy=Y?uCV+Jv7?j
z>#!prWzohrGCCN^G;(<4!M7aO0fz;+I7~fft=!_&nG1No9-yrS6|4kOMu*NyLo^`B
z1{16T6DR%-8Ijc|!1e<2q#$hwkC#lUI*~m#pZVfMvqcWEUbpOQ4da{kuNVhBH$Woy
zoCK@XSSxW>UVM`R*0!bZanol&NK-)sj`$sR*l}i%NPdYxKA`VLELijh6C)=20yM=N
zdhaV^-fmws7~>9nd`n>1W3xU<-FVUOzk2en?h((H4W)G%)d%K|YPfD*)78qa(fFk`
zdRyr|rKICXtzbp30F}RJ4KOFGaeJ*HgYQXDW1zUQ|E*qtLb^Fx`(JYAS=LZ-=()WJ
zqFni7_UnPLkE9|T(A%dmH**cO-mMo1&QmAgY|cCGGTB}n#FY37N)u5e5GaAxWy>M#
z{I-ma=RfTeJCw;&JnK_t;4BKX0*da@+YHtccFJZ{Rc_`pJ7D}sB~{+OgfDI95OVgN
z(K^x7Prj6xrQ+;+djWzV0bb&GD=|rI2@H*_uRB43S3;Eqr5SAbxs3Ud_=fUp?_y&o
zn&@WDXhDZOV(pB(k1oNz8Og?=`5n`iwX~&q6y-tHSkBLYVd`FLn)6Tm#fi)SAKHwR
z83?wN2P_)0477}yadKm<Vf(3<_^sV53K*|6P>)rm!-l}A9WJiGHY7Gh>)PR)U#*D<
zVpY|&VggzHaf#ijDV#3Zof^!J6lOr=vd7YwPPKvL7o|Ihr~H(jHdz0tJ|cEI7T9p;
zGhxeB0LSYDHYt_9PLnjHmy;Uiz6Ee_dXg$E^EmwYvA&p!kpiQZBpv0N&b405WwTgN
z*<F=ZTOKpN*M&#ucPEMIN$t=_H8q7Ol$cTdCNp+UBr<?EA(*`y(gTaX2Y5c*+ueaU
zBtJ7=Lc^oaLKH4trL~m9g>Eq?LbyxQU4_KOp8rvzQ_-sCp})tQ#qRo4(zU)$fNb=V
zaWc9%QtM6n(j0^Vc9eX*DRB&*u70ioIll86Y~3}-leUn3tNL)LzBE}y_|+%G%s6Ry
zz28SWceUgy)F>%M1eauKk{#28Bg=YGWrjp!3yh;z<l%MHw7?zg6^<2*hQr&ObG7|W
zs=R_1d%LQSEElC+MOM4!Mk=ocp<SH$rQyp-Sve~~(C*Y#->)l~%Dk5!6Kz7y5`opY
zof9yxs>r_;QpQVlu?P*Yn=rbnkC6D{qyC}#PzLh?i?W_}J&NQ^I0lG-2^xRWbQ7h7
zc`w|kKCJij7;eE3*oPIVdB*>rJQ96t1}{SVIkvDB={qIm_ic=2$jc4!<pNtP;;AYc
zfUYwEZ=|?W5U~1<xO{_gRtFbWB-R(#rwgbo&^}Wf#G<p3W@-YxOpmHO2<q4N+&a@g
zta~02;J&}M^3bj&WTVX~l444eW?LMS0iYtjn}zoAd!+#|xhl~`=($r;^{*g6T<*Hl
zhvHk*LGlTIj<qtEq9Lk)&m9~SL^URM7e)q;w`1{8QqQZz%AR;6#F^}V$j_bH<?9z$
z2$&V!2O@6Y?y@2TkIGf48{x=aTLPRi<zFx*W&~$+DFw8KxwjZfe-j(#ps1gZu9N}^
zr!*X-ix+)})`EgR6z~-(OokT3rwt)}Mq?l1KJ08?xtO$geeR2bH6WDXd}cTOHV(c%
zH*3PaRjYL!!0?%)t)bM5hX&Yko>ZAl9mVk}9jr2f?n>*p#z}lCUee3xDiXB}(-17G
zbfm<RrFnauUx)mL26J=QgHN-sy@!){c0&UwQPkK*_#XMujO{JJ7&%(wfU1lQ8wSNc
z8@5kWSBbq*ed*eJT=OQMfj>i06ol5k4z36H9rfh8TG%W=AuIAn?ARS)jHE=25~?Fj
zBo1O*8%hWO!Gia}yMTk+6Ifc<(Ohh(G*Q2|H9BBb3HvLh{){9u&k0MS;8>$CFOZq`
zVDO&;XADDydthho{c9c$JZs68^J8iWxANf`On)z$!;tSzFEm0YK5rj+t-xAh{qB|i
zx9@@TCynFbxes6G8o3U|rE9(UjuARVggaw%Tv0`BnKWIy+P>CAHw&}MLWv=F@ZZd!
z0;i^JK=Gl_M<=RL!9kYjr<;6kj`uhR6^C+6De(=JhNE<3$KE2ekie&!dq<o-wsa-<
zhFg))Se7B1rbJCAuXWF~S<~D>7K-_`vL=t<r*>Dyaz_bc+kqV*nr>|t`vzFKN}mE7
z27&8po~E%O*KWe|3UK{&i~bUve+(WgAB?7+gC%?eeE+YVKeq4FmPNMfrv2PhnoCq`
zv}56MGH#wsR~;<`iJfKpeG{0v!!OAb4=>tC<}Jvyz^sL<yGRK{+Ce$pJ3%eBpem4;
z@6H`~!DVI|toSBty=~uG7wHA1pR$cn#HEynjgivY(7Md@ef#Svtl-ZR+cR11Q-lWy
z__IR>t~QNTbg~y{l1vN%1bHFmFP~ndMo~(y-wi}rgg0K%1SK3U^Wg)cC;Im5Y2mR1
zIn>WBqSB)+A!ZND)K#e`Bl8!Ot>Fa=8Cc@}^4T}a7DA9PY9~_AxGf@=sP?m43v=gW
zQULy~OeIx4d_($N6@DD~khjiUA>`mNTY2wDT>o{H^pVyoN_I+W#zgl}VdaFs{Y7$Z
z36FSz5WVM*Bt#E$7PYU(I4VjxGV+$*w6y&-y%Rqx3egFGFtQ6WH7e-L){t<i!%Sv#
zk_usx%o`Co!Wpehum4MdbYxZM*;$QymjU_*NI+Jo5wwi1N(3tKNAea|AV?p!u--I-
zA9I{YG_vLj)_OBa$$*tjZu}@g$MSv&EqHd9xx0K$Eke=(pgl+ic@#jofbb{6o9nK?
z+JioPopV7X&KktDq3&*VIS)l42b`rW^N0tM*_MD9B{3Q8xm$l!d$qGwUSTKIcU$k&
z!eADoiBjiR%2=DVOS~I&0D+FHhw-)NhRO;WE)KTc<FM|mt*6o1*wC!;z3t71Mo#9X
zIPytQ10vFZcH50yFI8?Ps)^xu!r0QjNiSyLfat6yoI2qT6Tzri8d#$%;@@V?n5KOz
z2ve^8;h%EJz*i|bDh0GvGs!TdUlb<q{0{{ild9UnG{;gYB34ec{M>W<0**2aVi%th
z%R|OOI%7U37B6%0etTt2^)Pd{rYNsJha31j?qK!>|J6h7e4b*xb_ncK<sgux@1$TK
zqW*5sskD2{REMwp!*X7?bJ4OQ`2HN$-k7j<hO4TVmj0HS+%1j`r)ewXX(!}Net?w`
zj5}GKfn1|TSV%xBs<G^(62(NZh65>qnkJ}JQTys+CB-`1Qw+QAwPPY~ZADf~f_0^b
zL=zmCtibW(>i<6cv5XWbaG(U;TM|dr6o*R=g@UlWFe)J9h-xNB=v1KixL0L&w~Rpd
zq`^v?JX2?;#yT5U8RP8d_+fsu7MMCbw3Er@g&pgy9lgM)Y$@^!>2)~UJxEt@QY9NM
zP|`@E7hNai`vl2WCYEm_QV)%KIDUb@NUN7rrVRwvAdY6IliOu~#%t_P*x$W4p4WEW
zI!1{-hLaW%B-2-rs9MG;yDJcvP+I`TC}VM-1;v#q!QIYTqe%AiStZs4MCMV*pSN@v
z73l!ex0&Y`vf2??Zp^ccH_h4mEoWhVM*WVbbTAU1Sbw93<qjy3)GRMQB$&SlU_^1#
zFaf4oth-WrBA_Z5qgj?rzz4Ed&XWu+SC&mHW&;o(M-tR@*!i&X2kNvFsRAQ>g--MD
z^J@8Y3-8Jqy*#;7tNaH3hh*4VZ#EM!sudN2s_@V;n<Mz84ytQg>bF6F%U|Fe3;KUk
z?dXLvjxS@Tsw@w?+kGze5!t8bc?-Gkwg>rhDo!7vEXJ&2fF=QN_rcm(&Wt`S28OEJ
z9vf08i!4rvb)&C@H$nEK#K?LwZj8_OS!=r<VfjMF)3fwbaDKapet6nHEAoUVDBYul
zB)N_!RFO>haJfqa<7M(v5)ev$w(O3@r-C<}=t9LD!D(|B1s%%`Q7PCm31x9xal8Oh
zu`sMVy4#0lgjQuEjQ>)cs$ImQC<cdF-Ysi3e?Dx%@I8ujRFWW<=%_@8_HNY;p#_9z
zl)P!x9s@&qAmxbUn8C0fjIC==U6*ed-(0exS>yff$FV?(eQoG+?aQ*Wyb4l^AJ2gz
z8H@kXtFxk1+j@(Ty5)V{Vv!{{LKY@|j@M1h`qYJXK9s{nZFt_rEB3gIh+pp?5vx>_
zklR`qNm8t|r}8U4AEdx6p|X)>X2{so^+a4NL3zc!(%#TgMug^h&Wss6(2=%}7vR_L
z@VGDTv{qB;e<Ux!FCXMHB#$zCsl!#zkQN%DQ~*W<)1(FH1WH>x+8+lfcyRF?;u5nj
zEAH{t#B0zE6}iPV--Dt_vU=wd{05PvN9_5o4@qQ)hX-&Q`u~Z_tHgVOKGA+Zs62{3
z2nR{ye&}@z$NV(gJmFg_cI(LML*Pa7PDtk9=lQgiJgG-(pRjg}FZ*-u?u3O8%82p}
z0_Zj0s+Wa~lu@$TxzEb^w1O-eAd#J97E3GLHTsSHITYQ=$4TT<pe0NS&8ZF+lCIbH
zGCpn+Cn;VS3M@N0Y!I!;avBm!uaFaYlVtx>)XqX(=2~0AuH1Ih@`>26KNQO{B#0P<
zK{?nEf5vc1vOGtFnt2PDGYL6*Q&)9q0@%Cy&erTe<`WR`Cz%Dj*7bS!Eu&7yn%yBG
z4Ynd9q~$YbR*Az7<I;P8JYJD8I{zs8gYX^=NB|3&tCo%Rf!5W+Ha9ojVx3H~{ah@S
z@ml<r)i0R*z}5mQp^vVPDd1AOj!AwTfX=ueghXsE()kl}EG7<uQ#YnMtc-cM0^1mX
zdUj!i{R(qSj7;I<u;T4}i%Xc<U?xZRu}p3}nJO)rEbM}rN0zu-^HgcUzP_%fFJ~S#
zeap!N(Na9#FUcS&*MT=Z*2Ej3P6`&d!2xagAQ(=-8nceJK%x6*Y$cL&T5%oSF@!?H
z$nci@FItIA5I7y}A%HvTQ{+l;UrtI+<NGMonz=49Rme9%WHY_QeJA_dCoDtf#R{w_
z%H~%rw*;oJ#CUQvnA^#IbFio7rUL#X`}cLrOs+Ch3xns(3#L4IEue-q3NW}-H-O>L
zkl~oH58+NI{V6!&JZ`Qdkpgi1Be@mMj>pGf^U|_sBJLx2La9jk=b4OAy_9s*rN^-+
za7lXT_8y8PB)VSUdqEA7x5}O&cdHe7hdj&6nxCYmU~er+5asI*U0+bF%uh((GJ$FA
z7weg@yTs(Nqst)=5?{)E_NQQ1u}vf%)MaJecWeE9$vZ)bLa4y3YA%q?&<Ttu;u1wH
z!c*DP0Tr2ssw7fAo{{HpcTl%r4T2btpD9pOtHwTu&HUR;Dn#<T1+gKrgkSWXLxg*g
zued*n3`c>fCwXcJglH*{9$R{J>Cv9gL{Sb%#Y*$fo_ed|Xb>wfgURgx?FbF^R0T-}
z^V#*_Ko3@<mSLXR(qolhqW+WTe20PUX4XV|Ws<4ty(kTzY{m;u$5X56sYWu{j<S^^
zL)j~Rg0wDZ1GfYq#+f)qI=oe5)xO^TEd%H-gxG&35)e7HESp2WRKXHk-L&F`>8Z~l
zdxE#3L=hDOwB#BKPZmKa*Lva;b1|T;<>LYoo~Hm)iuJYJ8bV^*s~C_-BPp|)l{8&C
zNZ37uR3=IzeO%()3&c^5<N2K8a^Z)#)?0<mh)Ux*P~~Y+h`eHw%C}#oDE@*uqr$~k
z)-({jU##!Mvf)yz5aFM!FI5dnRD+<1Ln|{M+5{bnq{XIx-Gj1hSlvOGQ*xG34q~c<
zuDFGW8G!xUj@l=GCFq%&qY(5}qP}Hnh|8Yd0L$0u)MK~(@cBmc@1YyByZ?-|x!S_;
ztiDH@#hSl3+VjZgHLW@@Tk@EvkfH$qY2v|F@*ETF6_No^;z4>jwS%PyU!+3HQoZ?9
z*B&4GHa2`slJbL$C^T5JKf0(87=hN2IcDJtLv&;+lXT*vje#GQGx*TDsN5V%&XtWK
z)QDO_Er8idtPXX0m+XsxJW4!xtNONo##2)8N@(R)b}OmiLLl5;)mSuMHl!=cCDbTO
zH08nDIo1BDm~<zsO@w=gx+8<lv!kXLI(vFy9bN<1JY{`N$Arv5(5+JCi7FH7s>Z6Y
z&Zd8Tw8Q+0ILA^JrPz5JpsBoq;a+s+PLEJ=vJBp)${Pd_M8R-I&3%MfR;1jELXV(0
zVsryS?^w*z>V5U<_8uy;Q<8YHB6zXJfE|H}omAlQJ3k;Ppm-eBi5KP)6E~M69=57J
zdw?3BN!>JspV^JF7L}2~Nbsq!)|i0lOtAYm4>AP;dk-Kr*4Fb3QvS^RQ8Y;reSxz2
zFEvuJLsVClsYP<d!r`U%_K;MEs~c3}z;7Y%DL<mR5qZ3t!>X__l?Zj^`Nr???0L7~
z_%&-PS@&Fi?bMA_m>7{9uX2P_4xD6dQ%LPmK@i>3ILIjhkSh4SSaZ3d1fpVA!<s{=
zO4>TjmQE$J7um}BiAZ>db&N($lJPji1L`qt29<r13fwaWB(Y;;%+uPIkq5wcf_5(*
z;;j|~u^ri3P`ZwK%(3UDt3MBAuL>Ocu#b7CRkY2Q1_qatW6+g#RIFExTmlv}`r6uJ
z(Zg9cq4$M2{USOoYSAtsvmv|dG4{HmW3GA-uNtdLpH(qEqCDH)l1Ob|f@Bf--YBuh
zZMpH37|=|yqrlc1u^8i3HdiQpQ=^meijHJX+s9IvY&|pd-0Cq9rLWTZTbumy7(Z)r
zm=-8=xkF6IMSJEJ*F}LJ2wdcQ9mn;*@WrjQ#pR&vbm@B?97;5r&}!wFUDVQMsEW8A
zoU0A?UD++%nM7XSX*#V%C6otkom%4O5z!NuVYMwPFk#9lu;N5FlMEsRa?Q8QB%2K-
z@?H@P-CvkuNZ52MYGc&SBiFvl^Y?KCRnC;x{#?W3hD6h(o%`Q9scf*k$C~L$&~hsh
z>3A4VhmQ`<X2xvByXDLYOW=yhIAO~4G5fn?W;<jeL`hOWLhf~Fwk6-ly>j8zm!Q}h
z+41;a1M^NVnc-kf;VjCt@px8o(b0cm#rzCuZaqObJ2xKCIThbQr#ZGS6*`<98a&;M
z*^)Aq_yq=iyaHL5gb<Z@bSeWOa~)E?51U~)Yx8!%A{-)To!RhOQ#U$d53qZI;^ZHb
zvfYjA+d6CVJB1C8qjLYV0=afcPTsLuuzcE|xfPW{f^k}}L0gup^4v${e!;u2qYoFQ
zcW_dqs`9t{0KP?N>@Modsn9#kjjdlB+L`p&TR(p^|0-4qqlsAYmC>XXf`j$=C{T1I
z7W9Guay{yllXtnHGO<?Sk40mo#^_@XB&yqek8Q1a$=iKi=eeI2-Sgzj{m{3Btb7-t
zdLr7A8^09EL!fYY{|q^QlHsb-HBhzcNo-<E)$@}I))n^5CyCUMq{b}cal{@DXyHI`
zXnuhJ^@=*LeH`X>sswV3`oBf|+-+yT!SyTIyqNvt_d}VhMoQUE=6JN?bP!Y?`n3(M
z1h89$q!t_Y4^^WgiRY+qVEb(UAA4^e7uA)m4Ic(^LQS;60TgpF*c}`&XmCI<oy6e=
zL-&_XP%(mHgCpRK0~BhEZB)?kCJrc=nAUU)0YyO(r5q5A3KA0{K^a6r0}6;DbA8X+
z`<zqLDP!*K``-I|um9v1p{P1_hP~HX&%|Yj6cV!9lt|3vnQFTwNAjrbOew%}f5(TT
z&>PyZd?*<Mj&OY1+FH#fDst+q37uNW5tW;X50DUL<993WVoIlJl#K*KIIdO{+zU<V
z6RW)cLmy>kA_B{#*s>)pAoSzC!>`|hxNojWaUZnBdU{g1Q!^5cVsd2S5U{^9MGKIa
z`U?=W&qZjE5cisi6V21k>rskK6VnCffAfU63ERYO((kRrcw%b>*+JEov*>D-eJ`^T
z70BsE5;s~q0Ereiws&siHb-rJ0H^?1lBGU&(*Hq;BdHdOn629i!$hMXi^R!ZGnt$*
z{@Eh5Q_7k$0`^DEzvMLJ^s?XOdz>Hpz?qD(>0^ymUY1H<XV+K9HX+(gDTGN*CkkQ!
zu5o}<Jd0VP;LUo)gBM7qZXA*oEX(m!cFIaF6mLrBcwXKcV7rqYh>oI-3tEiTV40Ii
z)!5uw|6)AnSt<T)`A-@vWzE|AKaO#+R;S2BINkKEYUNYr-b3-N6cfCXhn})HC$zZ9
zZcT01m9ISFBbAhK-@GI7rQC97eHY+XlS2ColiC=cryz4##<5k_L;h3o^Te^>5weqJ
zyb1(IUJmXP2>pqmd0?p0;t_5xe^1=>9ty>(hwUS$8Riv5o;Q?~;Q5!uOLCTwVKkIp
zE)&yyG0!v@v$a1FTVQ__T;;tAx*S=6q!TEmkVaH;Y0BX_Z;bH?x%=IZ=j<0hwkC>@
z+2-AFYT7#egcPb}_-(^pm)3-FgO#(Qloc_#mRu4&BCjLP=B-x2rK5B`++*c0p(FT{
zPmioCgAl79K%9Q?k1=CWgPB<El+-tHx|6j=@>}a@;QsSTP?uzYnb~j_XcrRnq(dS=
zi611()RsOgy-cf+G87~s{YH*2)7~rc$pFG-sEMLxlTL@~W;zTDEPz>n;s7a`*P9Bu
zwMa?ccTBpTYHItlNMpX%KpqF%1^HUpDBL5;k}tzABn#T8$KOn54xQz9{XqJzAk-;d
zQeFAjf6XOTdLaLk;a&^;u!6*lo!{@aZUWWpiqCprXulPz@Z;6xc9NO}#DweZOGRrY
z7V+^_K`1w5I9H+Z`1hyK1wl_9MySy?MFG;+iqZ%>Nz9S6S@a-?*ED}fMCH|a3y$BX
zA~3VGPUZ0TX5>==<zPrCmn0g5O0gQul&YuYq!d+Tq)!pG8G#k=Fk22n>%yH$&0`|6
z3p~b7Ii(S8d7hgseikSxL|KPrN~}|IN#XF-)?KHWQ~n-Z)3YvOxc0LW%A9`lDRMV)
zu1!nUOo(72Rc<sg_K1JWD)^3s^R+Bk<{A=S2a-9b!x&0bh-j)T)53c9OqHEU$q_mp
zhcR}+vSbhfeAC~h4Rk22lt>bZlw2aQ!*VH$3_ii|LqNy>%<MU%TgYV8n6-k4<v)HR
z*!;c1;i7_KE9fm#x1pXk27ozg5WV}a#x<&9a`p&|ngu6JJ?^s=PITNBlMl!)WJWPH
zr;&E);mOAF9<7|*^9g)y-W>U`kw)2i@88fnyY4{QZb)VTF=;iKTpNfKMe<cCmAc=G
z5ZGc+!(=jgk0tXN>O}uv3{Io|OXEc3dO6)l)Fix+FHy+2oF$~AGl4soRZ?@qd;&1S
z+?9k07;PJ5HbKcGklN8$WTc~7LFOX2jbeOIWkC>&+jWl>(Vki)sAJb<;aZ56W2TH^
z3>SwZ5R)v8cqlO$4@d5(Sns$cgWv&DfM7Q!4r#M7sUi||)f9%Z0);>@9d7X3obE|$
z`#eK=)pXbaY=g8*D_MAUN?d2H2x^*ElTk&PInd2WPP*QwnLI%tI%x<#;+iB4qjRz5
z5d>>-6po`Kb-}sQ9<i>7MDbG9u&+dsL~CgsqtI!80-~ToGgs>{o}Vj@O+kPZV|dpv
zLp=EwEUD#7-ss);%=tG_R(|PUvwpWGN~#aU(vkp%Ma2IA3au=LVOe$K2J2`x295qg
zx}Qp8DhA>1MPo{|c^2(ce*xc?OSzQe;}j(-ah?7XC!fwQiyb4$Ftc%@sS(S^Q*F@E
z?HGnLDn7yE3K#2Zk_Jsdx>*FNRR)qMmM282%OHs`x<g_9rE{ryLZ7anumRdT`51NX
z)h^mwSPZU02ql~T;7)>0XA>Uj1v6GabmZMmpHhzdR=ePc?yIx`8Z9z(yTH6d`=Rb}
zh9XaT-W3HU`l3c?pCtVvT4Gt&qj1l9Q}U!F{z6nF4wfde3W7d`SN^82MZ|Dr5tDB0
zqM=4e@yi;kXCfylt>fCYp=PPl5=LcG4wlh90gz7SmW#4c9mR$69Yo#@T=zyoN(RZM
z4*l(+eaA4r4Cz<ChkQ9@g-iMCJ5CUhKV+8B_8$oC8$dNWELS@VJkm^5EDTvvpt6H>
z<^l_Mlk^Z=!U0oA46>x3iJ5r0RuVhg7S3_nh&Q$BUlP@)G1tDm9_xRBHW9C+02Ez>
zoG?qEVrz+xhd{j(gU;wEWERK_JF^ncF7nGTch<^0bVFvB6lng<BH2^Dpr}dAY~{g1
z>H);xW?@>Lq3G11$CM2W{k>3f<e->1OHaG!%DS~)W|E>w@9imsE*@8}kU;;|h~?%2
z{P6C6Cx!)8U6yoH>q#Qb<#rG|XeAUS1v0hMTwOL(8{Y;Il(&sm6p{Oe_8i77l!&i`
zh2snSv_#^te`^1~VTI0{d69{<D96auky>bqwUkgUppw4a*g{MWVnL$4ICk@UB}f7Y
z)6u282tl*tbmT_W%_~U}ZBRng#jczq$eeDO;7%Spnj4rHmRwRy@zIMNlDMVd*BT_!
zF#Q}HMCBaw#`xkZh!4|Gm3lU(dp4y(@@zyYG!D*~B=Rz##ZS^D$V#bk{vlwXfa&W1
z%P?4YfsQT`mwA*}zQ7(Rqz!R4vveq?VvZD}oJ_Od6@&mvL|`=qkAZL7<z^RzA&BZ5
zk|1qjlpGe#^8=FjaJdlUp(KJ4&xo`>wzN<p-+ygn)PI0xtsn*n<4CxkUW1Z|+^6bZ
zDrk<70mWWR)=z(eI0zSCbEA{G2ktof)<$oDG$NqtqEv|A%M{q46h`!Xp>)i62Wf)*
zi4kuE15uQzV*yvnI0;Ky3?Jy+-=fe`KQ>7c5&f!qN$=i<mP7e5lVqy2iB}b01&lNk
zA&;r6Y(qw;cZ_T;HNjcd-D^O_{HC2^C<cuXyRK?u;(c)ER2~({n>PQn#hhXZ6vG-e
z{Z>Y2pYm-z$8sWK(bC7(qs>4P-B$q{3}z_-3UJrh<6%hc5%J!R_MPmTzT#TL^C*S|
zvHNAOX7NZ2aXfMG0eo3=4zu*|1Mi$`X*ft*I^)hMF&Up3r(lX|ZYmYznZ!HOEK}S-
z3b`9`2`57${zmylboxUU7N7TQBMr2P(<BlHhhKSR=qjE`lyUza*+qzJ*O1^bao%yR
zNSi6~!?OmHP5qdkK=jzkm)s<2SebF(;%wrIf&6cR8ms(9rYMpKxuEm}xLESlokAZY
z;Q*Zq?Y1)G+!Rw-nIO;PP-~i;Mpj-W+Ni2a{72xDYMB1~JY`CSBVI}_%T`ud4e{-4
z>MNV1);{xAfrBcyDv;#~^G#4#!;Zi=@|ARC^^nRU<5+kPO+zyRygwYY`)W>XzuT`+
zjOK}|12emRG#q%-zmn+N;%t%}ZQ>SHzRyii#v{+0CgB=#Sly?Zcv3lM<KbMo_4yPl
zV{V>{XWM-i_ey;5DNEf+iZTksITFakD_?g}mWyH=i*4%|OhIk2t*MHyyprpO;Z(9G
zmL?3>z!{wr`=)n$6etAeA?f79etmkii%cDlSZZ?EMe>BeWENew2rl=p1(0{jI7b$e
z5FWeIUl6)0+1W!Z%{iz#v{WKy(8zIodg06pbq8ddDKhXlr%g-1Gew*eGZAz+a_X=3
zqb=aGs=%~WWYH4NX%M24puod4h(b~Lk}Qc3j_7Hk*EYpC>t;*DW&Mts_vl6uguQNf
zW(+erz@pJ*B$w>^W#0TioI@yTnu3=6-tn>d>ZXmmzR$PBz(x0kO3YN_ud2)~-8NF6
z1lq7708u87M=T+>9T26YJAY!P)D0nsK`=~G7&PU~sJ^ks8wh+_9UQ*x<QU4JfD!{f
z*}CyH{|$s&RXgJt6J@fnF<aLJ4OPFax%BHK%O4P~c_;3j>?N!0Nce9u1%bIiKq)Pg
z0o&|2fdKr&W}Re8ma`Bf8$XAony}NC`D<~nNj%Kt-%b=PFidz5X(C953|n5b#!=&M
zn>!V5(lJ?bihv;x)Z5m8<=FN<FEL5wzOA7)04B%x7KD7#_UHP9Ti@lp<2>@4aM0v8
z6q${jJrlM?axXQprD2#LCpH;H5ire5>sD-v#wiV^10`gdrlt>rDpTqXYz*tb`ORNu
z6V%bL0(M2p5dmJ>rjchUz~{1!{Glq`78e(5awtebbid$M+e%3Z67$B*JlRdUQZ;`u
zaaB3Hm(RtP6lBKyY9Ih-ljB=)wk%}vNK5O6y~S-!8=lxUA8w9i$a!N!8YBDiTA3|-
zO15U#;cazMWPydfK{*#J6vBkFx|U`lGxv%ViC>Y56vO-eA}N$Leq%KLuZmf4e&>95
z2;*d4nS0zHvg5A$7FJhW=k7BpX37WrI^UQL$&?yP<+D;SZhnvVo5qLjQ|*Mmbi$P3
zv3px#f?Vvi!j9KbhK~Bj*dVt7(xGz1lT=wnEQjf<H<&d>Y*4nS{~?<<B3@0GMC-$N
znL4RyCnXz1!r}5@K#!hq!<_GM+kxAMX4)xd7;uA=>gPHzPVF)F|M!v!L#Ohj3+!#9
z_<6d+vm>g3h&t1WO(U?NanE%#(EB;C)mAtx`SXqWQDl2GUN}H0v`L0sDr0}?O(%Uq
z{@M-8)yg`jDX*`$5s+{uv+5A0Y`zWgldz*;!L~{)Hygl_+oEPZoa)MBxfZ*njGAL6
zfG}yyx|1nRT0$Ja3dJ{&*?y+&&Py((uYU5OXs^ERRadyH8`x=M1Z!;M?F5S-6xFQ}
z9<4O6L0QKSplwkl-VF3EA5~^NBJ)gs<saC>rsLYL!;1Th;UUDxJhb=U^mTmy#(B@+
zdC2m_y`K=VZS|b5I`a)j8v)SWkYHwP>aB2YAfwZMP&*R65dW8$xo?f;Ik{*hJucp2
zIijG>$srnLhMwr0_W@18OPT2_du;4?au1rzOERy{yWQ}`>aPNq7cF)4`L=I6iorof
zHJGgW*5(tzhSa+kx5@8tOuh^BxQp`b(lSqS^~V~kbo5Y<TiA}k+H9xu2I9#1i=ia#
zj$|c0fgmt0iW_XD{%dZkDQ{>^C(QVfVd&Pnm&}{jv{mn4>Hs%m#IUf?=uJxWGq2G~
zR@o_EicYpw8Cpl_kamRinD*%=6|EuXDU(T=E0$bTZ^dxbt?p2~CMG^HxI8h$;|qF1
zVacaVi6Yc7e(blqev@;x^hdvio>ac)o&82$;li`eq%vU+w}VZEd;F5)@!lHd2gc$q
z8{03Qqv^se*Hy*ey_ww)k!!#CME=SFDLPF1tp(ctj?5GSsqg<h4CpqSc-UX47BJF~
zAu9;9Mq?J<vuSoFDU!2IveryqCdIFzL>6Q;5Ys02ZyM9$;;iQ=UTO6J+k}!mQIl_8
zUF#l%#eOPA8`(LM6@B;k%w@lOhOaZUde5Y3nmRee&M@TM5dt2Y+wZ3<V|(%k7;aQg
zH{R=uHR+$qPvf&$Uw=1cMjguM1Z+{E3bG+Y^hqN(;|0Epav<-A_wG(hnLIE~1pDB8
z%=}RyR>spSN(Mx$R|vn~NE!ogj)A&nw1x}@IGP%nI{SCutVP`wJSk7X4OBE{{sF`~
zJrV=+ntKLgLcu{*$9fiNGIt&?$tjmq*}&Tm(+oswa;IZ)NqGahma2^x0;c96fXk4T
z0KYRuDgf@;_$6;hCJl|;nO5*J{6=AeoPP!dmJNu>X7;@H#99#4{v7s~ZbO2yBzIWQ
zdPsS!OOJt{>Rwt;Fgi@~MHG;(?Wk%)>Ro&^A1uP+^>D(J<UJtI5VjA_f|f>O;7H0$
zeD&>SJL(W*YAzWZQ;D7zDx>V^9Fhn)!zP+6p(Tow(VHlcR|W>KNhH3tRAABx&?UJ%
z7oSPWwpzf%{cyX;Enfy+lrld^@ov%m_S=X?gQZ311d6;i<$HoL;7}AZXKEc6b9i~<
zASga|##3;Y!X;y3+$G*|DX4DzyHlyxb?kCnVD<aD-<nZ-l<#Y!8~9f}mURy4+&}|A
zaz(P#JY7FuX2MFOapQ+chwSr_A%%r_A<Cyqhu9LPL^_j*k9^fKtf>4|k&{~*cvc9&
z(MC+CDIQQZ6vdFj?zo*!+wGkd=j(9iA*saS1FN%^GOk15e~77)iJY#8b2Rz!IF-ID
z%|nF?sCS^#%a3S=Ta+BpysAA%RT2y9m<OTkGDheS*iG2R@n7yl3xzC02MoRZsAn)V
zI3qh3Bb1l2yA2()x}~%iCUT5e@^NHMwUOHtoluc^vzl)%<YHVz>zolUr_EoOUjLUf
zzh9ltzf#08Fm5Ir+khdK2J>w+H=E;_15|hBMs0?X-FL{^%6TW30U(<=mxa8jjJ-t3
z6|wqh%91=5RR>>nB3TMF?Lw5)iF;DWJlXb>`EE;dYt?ko(W!xP_h7xiC@n)oJWIB^
zbk;<8j*+lK?w`+jQ6im5v>?U)t4Xw058%WVnuWRC=jK`J7&FPw41S#h8Q(zD^2(4(
zhnYbRP~pOG%hB^;d{z+mf2~+DQNzRcAkSuTZXuTbER~dru!?w^6M{%jv6+%q&rAt$
zJoA%cv8tFPm}1Si7@PWT-M(F%IniC7c~+=;aINPlX7>rP<Up6ZhnpKINKx5s&4kyO
zpyljfaNG)N1R`xEiq6kC=Nwn3=feA2dqIBra%0;=HfLdZH7qlYvvDtg$(H9z1_rVI
z&O2@mzryBuy!4_puZ`k6vdkR@P%<N5HbpYxNe~S{S{1@9R#>d?dn`S15d4q@6+LW4
z>RaktJzGDa1`Hs6bfWgabb@qX7#yHABh{m0{L4Sa)U9{bT3z;KBFTqgVK8o%NtZ5@
zFlRon#ts~6^r%=Wj7u~HpSJB7=JMTpflIEz&t94YVih~pI1cJ2kT9@_c%JN-v$AdR
z=(!Tn%(81cBtbKuDLk6k!$nEBzDo|(skodhRyf<c<WD8iJvo3<He`RU9wUDTe1q3C
zn@EN&a}54#KSmFh6MJ}C$OElPYOAI;zofZ0zkJXBAS^oW$*Xq$A=@CS9$7v^N5imv
zIP0MqSJ|nrK9EO2CH&j7B#KPJnE|QKnLoSJxvD;v0@$t)lALJ%O7*BQv$$J!-(2L+
zD?ijYuH~?=lWyyp`>~~H(#c(gsb0r~h$5qmy9b}9#LQgYO;BsnVL!?qf<IL<mQ1D{
z)aGV_6J77!_vf~w7$xUXM+0{54Nn<W2{x_Fz%<x4Gu6_9k^!6M#|v-Y9)YYv<q`0~
zf3EQF1%y+?v_+wPP4##-l!EU|e+r;ydVLN@?YjEqg4@}6d<}L~c|mLI*();qO9Za0
zsap$0Un9(Ll?0u#hIF1hbdr>kK|SQ9fh?UgaIO@ch6%}~5VZ>XpRU|;qumwzPWfc7
zQNit;1p$<xgCX-U4RQa1o`(bO%Pq)eTVff?_Y6PO=8z!R08j$X=D?IXT+>6x1d;_P
zMt`AJGL(ktsfnb7x0a#A{Gb41th2fc8(cw|w;PF>!is)Ay~|t062ag?SkLv5m{cvx
zbHZ~9S;QRQ97GP4gVa<0is7~{Uu+E)odG)KGB1c1%t!;WY*_CR_ACt0DK&ZZyG@TD
z?Vi3}5--q51%)t0%bd~%vgpbna7I{$H8b$%>0{(keWQ?DmXjz3^0<4LWD2CbvH|Uz
z>4>=HyH0z;l##re)cNV^^|H7DyYKp+!dpfVv0bjx^baiAO?w{dt>jKy*Vf*kwv@=w
zelt-cRkJy_ONBiRH4WI!^64HDJDa_fFe$VPW`?|KZ6R{Z+SIcl7M}96V)z7Cd0sXB
zwnLh|T}|E0`0%#tFFuwHcKJz0kdS0!E!0$>*Rr~kJ;y$dX7K@DjGYN9A6*oh4~NAI
z<GsNwv>@}W`rPy@6hlljl@J(lBQBoO6bX)`fI$-r%#wnbnL=BPRDw-|B8-FzVu*9=
z-7kIJmR!tp#ZaX_&?CIZo+n>f>^gGC5=}DFBL7I42c5K(Y~|0;ILjq(#Ifb@p5x&U
z%y65Gi3jw$`z4sXtbXFiDVY{AQR)w51xKd5VzZ>XSZyN*b6N8bS}~}ayEY1umfGVH
z3%mel;n&QUE%g@jX6?zGv~+mhkDY{T6N7xAY@zf91!r@afp6?Pty~>z37W(qCb_rd
z>a1kTO?w9Qb0S$;a|iAe5*?b-Go&wk60AL*U?9<%F>?U{^GTiR(HC&@M^mWpO5a(~
zo*@$jdnBD1g|Do<QWeHqtBXt+=b9os&dmC%02uiz{mjWi7M>pE*WPh8<;W@*cmUjC
zz*_Q;uT0yW+H|{>zKgPJ*}&KSVMUOt*joL**|WT35q*8t7cQEta@3(XM*fNkq7so4
z1+0P{=eTvJn+uMCKD62%jO?vd9!(31(r5FuS~5wqf82ua7VR02yv^GVDi)anNCiJ;
zX<+BDKds4`*`sGt?{+1AQ`zKJzYeCY^_eU)<%Q${6g(jcTrWeO5E%j7zi~bbWNDtR
zduvhu+^K?~30_M0^Kf(ZXP@sWvJwD|h+erAFj}>B?Zy*3*)L+)FV^JD+qgG+?8T(u
zzU^?ADpHRoBG`(Cvq%@qYybM+LtMLA3nDEnZ5>P(ubl|B1qgqy9Y|`h8=R50?`7fV
zz-!mdgpT@lZR6JI8T{?bS8#kJB-J1F$2iAZ50aPoTSf+bs%SB&yz?$l4HI&0O|eP*
zYOf{6vi$F=E`6phdOYaB(&6WR5xv)ZWID?G?MyjSF@q?Ha-JOx8$oJJb(uqPT_jR~
z@&Q(5ZZbnIc2sgqV0s}4w=?C-c=qRw4eiOJ5IfK{?kyx=tLTmOsBmr+R82nx`x14J
zFJbItodU*hoV7$-A-MMcl<}F2Q!An$iS*?DvNCPr{w&GMi>t1{`AxW!LV6-pWnq=w
zvHOtykb7^56rx<C6sUSwB&QjH|AaiEoYRMY`<qFCGLmP+AbIk)UQ8sUzi4}P3=#fR
zDeZPQ3gciK)LXz_+BS1e$k#ngA^pMt!_aFP3fB7d&~Q<of>84pV*?t)*Jwd!8kF?(
zv=U@E9-2l)>mkERjh6}aJ#n&>fMATLIgc-v4K{b`nMH8d1R(Reegskn;qHr&gw0bg
zp|u2oDeX~8riQEyB9?nBw}_u{>xwUhFFzXyR*uSMb#_Yjh$XpNW0KZaR<%dM70rB2
z+ppBjw*T(Kh<a|buy^&(-R`7dgutWoOar1AG01r6x!jR)Zhe13tzrynGirZ)?kg5<
zk0gOpL@K7XryFGjq|v0Wc{8SJ#xR#6P&9xBcHmi3aE|fhTo1m|Lq~K{&q%GVEbSH>
zB0w56F>tvr-{d=T2u33pY-+&=jatj{4G{!PeiO#JbZn!2b&#1QUtm11h-K;YWm>5)
zsoEu-tzpRGGsMvfA+dTQcq4=;QV$xuH=ZC?=EJ9(l=n<5#>D>UZB<f`N;Y37%f`i}
zz~{>cQ>>mTpJ7~5vgumt9!ME1l*d2lq^kbmBIJG{%}#3W|9CayNh4itknw))Pm8kz
zuXS>xS@Mr*eACyNsC(OJu|3T~?Hv|ca9V8}oH@IXUt{a=?)cBBn;xBn)d7VQ8osN}
zEv^5vA(+8$Vof~g<cJGti$V4n4}TjB`A}y1vftqgR%v?dytF;HFlWMy6MLigJn0P+
zRYcY;Xnr-bsdf12N6m8wL@c}9#o8Q!(k16AY7P~9mpNy~U+{@gb?xby(JpdQ@`hz;
zd(Qbpcy2wP6ntXsn?nC#4K<@$etCKwhjp;_^Wyk(S=~a+{6n_1edgC1(WfVxnxM`L
zW`-6HJ<;&l-02xzgn4JWOmAtPyXNlG>pLGG+L(q&R%?$nU8N(y&nrS}&-nt;_MNig
z@+f-U#Fk&au<K=sxau<-b4z{L5qWM+YH70{5)lT)>+!XlRrK$OKF3ZkzTCyA-zv}y
zv?}r3RR4L#eNlx05$quHFD1yL%|`q8F%ioyO_<`=NeH#*sfl1Ge_rb^rGwStF@NUw
zdIv%J#}{_OMC;(@4n~LG;8S8Xqzz|u@ui`?Ed}WxI5MwwgKtJ$l77*he@f;m=}Tx{
z&NmY_omuEm>a)X(PW|}X&O6q8yllTv6DGaOv)|Hb*eZ)Ozr|hYwsC6x<+JGI;H90@
z{9b2gr}@$6??zne?-p9iu9f%x{G@(G=E6;NmUv1hWv1WVfy=LncWHHAbLVqS$;I)o
z=8m*G-oUT$u=_sZ@f1g1h#A?O@BptWY`i!%bN|B2hZ-ty-N2b&<rWlwY;SbN;xP`R
zDpy*&FSVxo;C#us>e3L$+_J4nH*p89?A&?6j4V%wBJ*+U4y;&GKNWA|oL09zB`#b2
zR(5FZ8*~R8Z!OQg)?RS;wQ^|dkePmG;LSIV#KEikM$fQOL&NSa_jvT(g8?(r);MA1
zn_OL9m6BSw-6y!hF=%Y`+Ko}Aw-*ZAdaY>~+p_S^%8Xh%Q0I`Dr5B%lpu)(tDfE2c
z@Ha(gJhF{iIQnl{t_p*jHqT+g>Ox%=AH2BA0KdsSA|?b<z9iI_x~K?3H)If{``*rh
z*9xp)xm>cX>x}}>PSjV6s%y#*oHy7bc#OkJ_HBJfrqAu7I@#cuU?Fth9L*o)NlCsQ
zJt8d~cO)<Wop58h&7s|0zp@bgu~sxro<Ak*=3wz6ReyqW;)CZCW&54(AXy59-_H8r
z`kPA;EOw*5M{s%n(c_2A1P$(oUsm56%N88p6_<xcL|pG<`|a@!?2NeeTiqv7P-mXK
z_-X>Yj8Z?!`sac5_XOmIJ{WlO%9~5KOh5bcpM{CEcr|{Iu&cH&yF~bp@5t3zbC14}
zbLV2k!V1TvoA2Fj=el-RW*Pfm$K2Ip@vgVa*!2tgzVeG)OaJf1f8uhsMx_ppFO8?A
zrTc=?`gadtsZo8r3^>M_jh<(dupZIVzsc{`qj#;$gd1lcV3kS=ZtTz#j{<HR#{@eZ
zYWT-V(;vMXoO#zCOWl&=VTHE&x7d?HYb$>gdxo4`yLsp?tay0G>5pCxc4!BpdTMC%
zt89VWj#bX{>}X+Me#tpJqtZfz7v^u3o};WnynJv)&F5_K^xRlD0jGP~nw#ui#f3-<
zU3$Gw+w$58Q;<r+ZfkMvU2~V7*53(ET|8P|j(EbCNLu=6&2fK!c+S_yUKZx;c?Y(c
z?o$)5d+(!vx^LPr*~R5ZJK^}+!hY$|S<W-OodwrXi?c4@Uwv;NZjxyS<HyZ+6t0DJ
z?;PvzKfALKW91OhZGK=&R6s0LAK$09IA=Uu=~tR?_aOK&?tPOt6teHnmZBJ=zYeuX
z8@tqDvrk6cheF`uJD={j{`8tReG`9im1(0p)9KiIo@?{R3;SvZ*uHT_ebE-Sys7cY
zffrVcoIhG|dES@L6<S6@PMCeVh1}g&!NQt#L}@}?CkZ|+`Nz6lS3Jwd*cU#Y5FC!R
z)Z21K&S7W&tNDY4gu?Vs0({)N(LK?v_2t0Rv5p6GEh8`V7+HB-I(GM$!$xI)8#%%^
zO-K%|>=X4-t-CNUv9M`^ZBj$~3Aq{3u@0xrA}58u)OYgJMRn)gkl>x?x46=F%9@*=
zBNsP$3EdO74!rhr2c^%AoK~6Iwmr+a?M$9)by@kw5TT@2?M0{68T75M7TGSGe9bMr
zcjUl;n$jf=jc>`1>!dxWS_Vur!(s2RKezirbxnG}>9bRFo7)HFPB~XRq^(0GpdOEN
z>MhkZ7i^M$Iq=jaxy2#FzdSslARU<n|J?ZPtkT15!7FVyS#_s8R&}XA(&_x2CU}JK
z#boi#%VswUX`ip#SaMHXIk&pz*QBx6Zkw{~`fC3RD;lt7mfmm@!bbZ$)kQaU&3>bG
zyDwI4waLG9p^~8G%MpXzAKJ2~KW9cncRbxGb3+T4CG=i7YQoU?j_UW@#rE#CHub<R
z!6ki@*^HdC_l0fy7WM0!Fw_5cC=vp##_vm<>m+m>ue#)!<`JE;Bi9`456?$w^jz)O
za}Lj$P_tAmy>3hJtjHZHp`+n4yk|oD`Msc&J81rftBd)<$*#~PW6ygl^zoxz3OApd
z6__}W)W6I;V6QJ(iyr$0MipBVMm7=3RlXKt^CL8#iLe+Gz1oA=SbQKtp&~RXaqqWt
zl5da4TZ64i{N~2ix`*Kbv}=7eEy_I_DFOn0UD`+dyKk+#=ikKwn|jjGt6}}zANR=L
z+V+|6gt%;I{&t?fH}u4^JFfO4`j!vXSoih)c2-}AX*bx1R|Va>@#wW77|_I6rOo)G
z!_c78rMN0T2fBCb*VM5R=PA)KHvrcCUb7zWxH<Y!@2K5f>vpI<i5l#4xT_Gk%l^de
zyEWH_QGr!+$T#9r`kx_|>2(w9e!o$F3)m5lajsMyHrkY12pw;n{W<Yz-r?J0>_>$=
z37hgS;8LyXJAZuFS*2Tc2?M6>$c)Wu***e^4hM2We|U`F*4?r%=pY=!bJMBL&MfeC
zRb$Y-UMD_2hOg?Sw#^Sd6&+<0GBX0{0y$y*`Z`vkIKn2@+<wA)@g1*VV`yFPXorl|
z$X!QAyjgrN(7*Hiw4w>wpQgEFzAQ`&a*vMM{>0imdBZW^>iq#(E2L-7)hsME;pAUg
zwT8Xw)uVl%+T!@V+tE%jBTN0MFReN*>2V%(?o;NLd034X_YwKGY`^Mm+pl@mG_y#}
zaBT??GX3zjwXv*}aOsE@ua0)8hz*Sbz#lAmk6yF-@aEa6*UcjHo;*gF=$t*1?Vb*E
z=_GX2JD021Q{8u{*OWz_gC@h$czrij&kxt&U5utAt*QXQNv3{ih7dNHxqY?m*m&=L
zw>sb%`f;+f6}_4{`z3(%w6eEdOmy=zcYW_G8zC&!@FzQmAAiz)=OR3UTL&Iaz8`(F
zsm4}t%4=AaGh@+9hk~21lthO2UeiF^;@kmrgK0X6uUu94s!JJ`p~y+=eTS~?Jut76
z^yb)#`=5E7RFlrit?-Te?S4WfghOLT754gvw}$gQnf6>OyuqR1-E3Qp_p}^3veJQW
z6oeHA`dj|II}lo`@jqS9{^QSm%t~PCf*&^Z8~q8}(vzmQ^lqARPW^kKWei&ss=o}N
zUISZkR{WRIBdoWWOK(zB{kmqSRFGDGf{Vs$9aeL%p5j_&%PPf=eJb)0M>K0`4-5OZ
z0S&ON>rub_E5|qdG&sKFxLGx&PuW&=<Yl2gE&sk>>AhXa^D2?iIF&ZXmDoIQo}~h%
z|C?p*qlL&xwDhc>Gv5-%zEmkx&%C<DH|!SHnji2Wwk)Zv8#zyD)0=>GM|M_zT^=PC
zt!n>?*-r9gK}=fiSBQ`!I%1FH4QpS%H)l_~akFX{u}V3n;bI+a_S^WA{dnu3JNNFo
znoU#>`gynikNI}AlB{Z)G7;Yp7AG-|J{fyXZ{J{l3bk?!f3S+*%9g5>PhuzR3#nX&
z(m!U}4%Nm0+)%~ACptyGUAd(q?@S*&FZ-4?dSWY3WzQm623t&|kEBlR<P#6+lA-k&
zcGKNF+&3xUC1K~=WnNgvIwg&%cNJ^Hu-9!J(!}!Gz52;fd?xz=^`ql)BV!w`na#ch
zl`E_FOM60Gmo48OjNWi`ggLZADRbtpi?T_pLA4+B{e&5f-J%v??rXPTroZLrK0%7V
z-igY|ddmW{lH#q{{^w=A$yVx1k@RE^qe_+C9qb8K&A$2u_;Oe=Y`;gs2VM42pNw!l
zeU4prGo`Ofw>NcDY8XWEJ-c^t>9Wf~<}RBq6dbLckiWnp(sF<0{eV}H0|Ztm>f<}T
z@~<>>WwraM#MKSmfBulFDx)EAo9FAa(TLg;9SPG!!%3tp#gV+HzsA@CDFbWa-T?9#
zNj;fc76aSDXD;nr8N9NaTXe>r{X23k(GxWJ;0kA+T?3szD<NlIUU4G4&{pVmYVGEb
zCda<cMfjcW>-@VHMx5P!ptx4L3}bAg*L+f#3fu<EUv>oc9@T7c&&w)Dttt<{xu%Zw
z*52)}XP(71qfLhTj{M=RQPf++pjaqA9CpX`W@;C#t)6Qv*6&CEX8)15L+818yn;G!
zO{!QH6mEsJVKV}G2GEJ7Hd#X}nB|q(XSS@rhsI@k#zG7Q#;3V-V2jnm04fBj)E;su
zY*goi7V4P8c${e?DRgLZyyCtUi@B?r>r|Jr{!RT>bxR8=L`#}C7!O0P)A+RHhhIDm
zt-E-6)T%}=f2YoY_HP%zRb5)Y(3ftI4Q~p8NBl3m`FQN(enW~<+u;)X(xBoG^y%0w
zS+(4EYYMtz^cvP~b-i<DpjDd|YCa)x<ljE%*816-0@jSTR9^>V`R?o{B%Hk4E4bWs
z4}VJKTCF>}zrpr}melakEeIQ6K1X=e9Gwh1t0VrMajMi*IdmQrw+K&^emS0~^R~xI
zETg7j-S5}*>Use?<i@s%w8J{^o{bHhs5SALw&L=zn^%HHu5R=~_0Ectl_*M#SV2`9
zXA7cQr!-a}DML?zgnX_AcZ1+d1{<T|69-$zd92Q{ret}oO|CSS9sn3=tQAZk4rVrR
zrk-eRENvS})7Mz1J#sH<_%4Z#H6eX2+wYyi@3NVU`^yJZ8{GP(Z5!d%m(8cJZ+wK^
zmOWiT^KRvPe*Z?9C3e=1gZ6Yhlv*T=8{Ee)x4^lpx&QYq0jYHtY(n|&h1%%d)0f9x
zf0L~<hl48}=El+qEwQxC`S=6h5Fs+J`cdv?nss?Q)}nH57Zgs_K+NG^4v0f7He^AQ
zaN(!A^s*T_>d6>rQHs{I9h&uS-%h!xp3K%=$J#@&Nfy*a)dkNiy|=pI$H5Mzx8Kbv
zjrZ;OXkE%__N-00@<B@-o4rKOoP0eftZW!8=oifSsI6Pk@ma6T4;FVxzgsOmtk7r{
zpc7z6f!#4X)R|^2EuHGjBJ=NRO13)N9w|Q{Zk|70^_&^{J3;Y~N(x+#KN;B4A`SI6
zXI@rcDPB~M9j(PV)M9?B;22+8AvV9~Y0(?^)w0GFVQ*f4Rs175)@pX=lvw32Fhie`
zD-P&3`HjUKQI$r6JU&{~y!N4)_9C<XeSA_`DnG+z&OQD9SjY>w-~8D$*c;&+xjnb0
zjt?@&-=>0~|1gw8O}hiHcT#8ud;p~ylADOkK48jH*+BQ)z}%_t!Qtjt$W35kjQF96
zc5i*+-?m6JpKKPD=6ZiwHm&)>dnE}}M`0?G7)^WPV)LL=kDRZxXJy)q6<2To(+;XO
z{B#N<H9iPZh34aWNTbN7*Kh2=JoGi&)B1mP#WQdWD>&<-3vwnzjWVOcmMy%S=$3Hg
zcgNe6RLId-2K{By>LSmH_61?`0JQ$Db7tnJ8~95n4L=?CQ{N@#0=*&1-hKJ>^lT4!
zkM84Pnv!K~ws&Ih`3Z4PZOYxu$0asqFQ{<L-h=K!TT~zOc$D$e^-k)Jd!BsvU=J3R
z?p`PnR^RocLVbYTqxxV){9)clZ8kHWe#h#%Nf=cm9kiilX5|&nuv^10w?NbI)7Wa~
zD<PHwmH>A4%o8tb&d|4wqz|V}c$@zPpRijrUc_nU=X{?n?IuYr?I*lpt}fcyW`o^_
zmX>dRWFrxNfnvgL)tx@uGM-<uQ8+sH4?=Nm_+@Z9^>8P?hTvs*jDFPPph41JvF<pn
zm2=w(asSA_>sQKWUij>!G3A!1u2t=HZU9z<ng^nmRZ)2}ur@v5y?yx3@?G<OC4Hqo
zb!Oejl6*9Qui=z^8#ZeA)%`ZY#G^wr?dc||uisvA3O85eg`bw>i(efVynPTAxr6oE
zla4x<hS$hDFSP`;ogtjyd}Y+AwP1R8rv{BCcWgni+@qc<Ug~LVjeWcF5e^skfkOQP
zTG{F&C6+m>_`tU6vbgy-TWH@U9J5&}J?PH?64SUQvGj%wU2S8+N~;Q7IT7*bLbpq`
zgZ(JutqGicKa5ti7S06nh}REKg)-!G<ltGObwNwgd%=;@qNV==Mqsn1gWhnJAzL@>
z3O&ve=9Cs~KF&P2<Th4sO!8|ow*VM%&SWE1^<OoIP~#M{`7PBehR|PurW0IakAg1n
zs1XDzqNuTeHXpEGh*MovVC6dM(Mr}z0d(+q3qbV|&4~5g;?GIrWHd6PrngY9d`6lS
z5AP0y#0u>!zzk)4?99T<JGb9Gun0Ro9?Q<_3nMONp-9E?|EY5-YRM(MdHr#)8wx~s
z8-|m$^~$da7AqUWoBfE!<^^_z+5U55S3_2(4$}dzG@qb>r)7_pc}=I?MOO=g82*qm
zA!k)Ti*9`}NMtDH>W0FLbzx;}p)5LkcDqk)F2Koc`|jV`6P_;)?-MG9VS+{|rU4!m
z_L{*DXt1h`cBy09F<1*@DQsW^uPId_-9h_+UG0?$Z87ZG4?;0XXcUaBV+~c+5OZ-G
zOqs`MMuwIk4MH>CKktOU)!u~y;xfD5k0g&f?tw)LFbZ1Qmw%h%Em+huHtdhZ<aaZn
z8~qPA9B13@uE*&#QE*w@aXwNw7Wy3i=l%YGi~*#?7a#p(L-s9naSTWf4!hSY;t8IV
zIBO0dB|muW!x4SoZZEiOTIg9C*!8ObhBu8%JiW2#+=Kl>a@w*qud)ia#F?d^`l9Jf
ziwP?`d@!#Q3QP_l`4@hWFmLqVx?<l!i+R=l?QDiOfg)O3AM2O38_l)2iDqm_@!2ze
zewkO)nj&_Y2F!5jv9oaun>_P6Ll`6iXiles(aku?c-rFp>N$mvdbc(5hg`(lS^Gl`
z)@2~uUqpx2zDiAj$5{+aIT8x!sLS*<fN?P|Bh)6e`S*fXpEV7RS|Hru<%a8rfN5<O
zhS&^A_ZiaIp>jM<Fjlu6EuR&JjM~Vs?V?l>ZD%VXM`^PPu^uw`i>BafJ|=W&m)s1_
z9e_ikju1wi$6NVYQ~NoN1*g0wDfxjTj+W3QYVL;9pl_2deCBt817#cz-<-CvwB9#I
ztkU^nybicWtqg^|>M--x?*)CD!t<Ov!;`@-stoC=W6q>T*YF<7W$vxP*N=zU2}cd_
zq!O#()%QGXlfnQSqA;-;da(M-czp3Wdn3#fw_@TjY0!doYqt*;Pz|B7Eb<vSzj5wS
z<afVQ`G{)W@C_+n#E-Ybq8wb3y76H^?Wa_adPPmIUED;|bn?l?om;+r#}Z}K;NL8`
z;p}y{E=w*-!p4x%tE~14<8GU<HT7=C$z+fP|K*HVxkFvwsD(|AX&&f^2AU78xM7nV
z2s6_Bg&&<e>>SsgH|HH(i?43K9%MeQtmB?#Hziaru0zJ203Y@4L|<V_+OjU$--h)Q
zj^!_Gb=>UJvVMP1QTEkt#Z+<sE$Tq?@y1d+;hQWz9PoIEN{LVNd(2sgk)`qHj!RtT
ztGRgFMpJTc7stD5!u*{GaKv!=jl7YYQ=RVF-LeKr4ENY)0aLCw^hJl_GqQ4}rlhL(
z{D#6ThnavZraZa!!65hL)UOQA*oUd}nmQswSUGrX#0YqTNDv6wbNG|YTP-vpKL5|y
zqI2Sdjm5didZF)(tc6fC1*X*8V5Klyrve%s(}HhdLbE;B#ieXa#-er!>G#K457M+B
zx^tz&{M2BqfWLfsXi8WWtp>j6N*zu#mNN{s2gacBeDvrr>fv3X>heD~M*Ojm3Rj<^
zvz>RhUA*e1!9=EHlS}Jxagv1s#Q*9S3|S(Yil?eWl*fG5gcXep021Fwe2GmTxSeVr
zxMm}#3z$b*;$iKnB4mJ7&=aD<JL9GVE-M!tWiz^t8~iMA&*bSS+2!9fcTm4Z>$HWK
zDBe`>9?XECZ=MfM(*!F3Wdj2+A31yFI@&GcGV0$fTsj*2@+n5IGk<2!%(Z)Afko1u
zNwV`OMX~hjcIE5Dj!om;ER=As$g9>{)VF&N#Ex-c<<jI&)&iaKc}{F=qWX_f9+)pL
zSZPB<6T&LKjAob2z3)QTxc1#zL7~aKlfS*<FnGpJ!<ya=?%QZRVe-bt%bss#e{l%q
zBY*U<jS)2flbFoeSlU{~fZo&5E!zJ4;mh7e9nk)t4hP=pZ=18TBaJ^!PQBtVHKhyi
zEFa)HTLsr$nJwbPJ92QstyK;*J#B%f=iXZP(c|-7I|u`89iDc}+3nFo=;QrWVn?C-
z@HjPIAc0@_clam!4*;y*Rb37m&Ns)xvV3+HcW{YeN6oiG&Bs~JtUuj##jg$HbH?6q
ze|hBE{U6$&|7W5bqraTAP6+E<2Pm1td4tg^N9Om=-5)S}?0SLl1kil$gNtF`n4t=t
z?I>^r;jNzzgE}ODc3^`m(d$&y2*>t^LoX28eYyDRthS50L9SsC_<TU%AR?qXkqe1<
zi&HBHoPf>Q6MkN0K|2k`NNmu^cs-x_3`@Rko3p#CfT?~r!U-1qd^{Rg-Qc&lVfB9>
zc7z7}MzToFA<#c%MnEx}b-OLj{i>qw(tbO$us0ILfnj&-a`eb{?BhLaCYFXL<?s4m
zm;?|a*VgbS1hX<sjnNoH)O!FQ8_xQ1GOcpSL#bh4yEw|o62C8r@PJo_oVE<y^R_e0
zwnHm9f+oFrDMry4Ht>l?LUriUvQ@#SR`wB(%KO4UV~N{>(W0~iig+I%HFAK|Z|2gm
z;e)<Td>I+XH?F8VJRZB$8qErLf+reWA0Ot=j@%s$@2)B|7rtdTUh4F$(L!qSa_2#N
zhV>9k{4H`^_&RAnCU%6I1HPULBpTNCs5SuRJiIM+yl}&T0kVWG)BWA4bI=t_&ds4k
zJgtURj@L#;Qw6s_wpU4iV0*9+#*RVY+TaW-#M*igR*xq>Z?bjhOTa~puIjfgTIw_k
z14$}cpHFOe&XU@@+O}`*!02F0guo8A-ZE}N*&r=5ipEfc=vwj`A!PO|#61{i9+;PJ
zNmF3;02z1m!vg?>{JB7_AJSVG+oWyz<qt6D0W#e+-vyvAn>)>D9AgXg*-Gyt39O*U
z?<oV|3BipnEr0o5;i|staS(li0F`4vbvXV@UMORnEY{$Y*4$wuuboHP4-#^(4SO^p
z_!c-G1J_FnW!USzM2v(muB8c_szq=Ld!F52<{Qn`j99nRd~$^nS%@1Ve|OKV(q(P%
znX_i>gxnTZm87<QJOZpbEIyG_fyig`Qr-2w)K0~`iK66526}~rioDdjm{jBLZgC!-
zvwuC|vg$St{NN!g9i04NV8Yy0Zs@|snN!Q3O%N+XNxi;W^u|KQBj|rdLM#p7G0pG#
z1YN(t*H;+?jQJ778KW6av)^9@r#GdDR-Me=ZO08<`(#5zNf$f`LMoUnTCAiv(W=e{
zy0UvHTOaic?kCb$VhH@^OaR<Y#DqHcMfKw5)WL-M^elcnVf2R?3>VP8PCbB~P)2#n
z`5Lvt3TYdkga<CV6=aXLi?6YH-Qz1L+sYXoEUqh!H8c2J7bLrcxlMg(yyp~t=kv^f
z+KWNQ7uw-;sT!;R0Q4U=QUWcpp84fgqKp#hm*DQ|FuVBjCz6Fq&K3XFhE)+0X{{Dv
zp$@Lz0Um-9Eaq)V#2Ua_bJ_tK1RXQ%wGS7b0vnh?Ss(8@ILra8(J9BCU{XSZJn*jK
zF3^6k)3faE<AtZ93e&!wS^5aMbZRf#D<l8LnnKWdw)rpZjK`tJ%*R&w3k%Qo7lahE
zIrDdSRA>H?>iP6&qG%DJ^JK#9yMvJ90uN^$GNAhXVX6z4@8g+D3;F2W*}JGE&_85{
zy2h7Qp^yEh-N4WvK3$Kx6m=+8M^E`0rTa#e26~(;z*H55xkOK<^&KkDj`qiH_y2J0
zW0a`uyKE;4iwAylCBAm?jm0+LVX@pJtv+{1v)^nMJg4A^r|95E8U<}gWc(uckkQ}v
zCN<>g?8wv2a-^;3Z#G}r5kB7>UHV~Mww)gz=zrignX$FM78w@<&*BcfP$q*uwV!X!
z?Cc!OK<OGU;<x=A$j9;<TxSwt;G1`V)2_~XQ}EiYy0X0JxVgA7*@G0lqW7H9f5WmL
z=0sh_LPlfSqdv=t5iU(1wXLib3FK`rWt1e)AYID=i4lp=^T0WovEt_C-pB9TQ}^j@
z`7H3O|KXh=>N2LX!@1oDa%(PNy4*i69W=K^S%1vGDeifh>5T)eqs-Mk)-q1tIg!-h
z;}-JO!YoFaVw`aI-kVQ+s%m4L?qPU_tV7((!Qt;w(m!hN;Y~)rh#Pbub3;I*wOceJ
zZ@K&f^oOvrPd6l-xKAY_5#{T=d)WiZ`s-D|!4euKqK*W)sM<a2%awSpy&qCK#pB#n
z&e<BE43uH2UR|^9z`G5N@_FDuoVrUwf%%p-pTvtS_3n&BE)^pfAAFEtE>Uo#+F~|Q
z3^`3d^V1L1Vx@sGLJN8x@H><dJbosKVFc{Vc(~uQcjPIhfU<4=d0HDYi1Oi)q-Q%u
zd2N!wL$tag`>sD#l53VrN7+Gytn18WbR_5NpZeBeL)YPGb1dmQf|BU2Lm^qY5_2_S
z+nl{pnZ>Xi&6%lqz6F{59^i-TcxVd8ljXm10fUGDsd-m{oH>jtw`8yd0a1W+H0#B6
zxO*ZP43%+cCEcqXfJtfkFPdE@tsBn^#SufI1<opbM+U@SMCHA3tlS}GZ?ruiHek*Y
zWb#83C;JQx1(HLM&qNUPGaiDVp8(n<;IKy8g+KSh!o*l=gv4d9*^m<VwA+lQ8A-&S
za~f7gf58Xd=>bF?qPtp##eg$mDuT{M`x$78FjJ!%ox^i%yhadQP}^f*+k{vG*dsCr
zRat8pqDV*|L4tg8X!Maaf4PP=;3+Rms<!gkEFshkP{Ne<J=ItMf#N4IbPZi4FGo39
z=$Ij_MrVy<a`f1p$_q0O8e8o^ly}rlbcV3@->}o6oB%NDSJzFRSuD$KCbpu8!D`PZ
z!zHDO0o#7#I*F*6SX64!D~^GIg3^XF&jyprviE@E%TFeujtBFJxFNEr(o)hmP$|e@
zBHdzyBX*;?Wz_>th!>3B5F3(LlzaV(qbT`#O|G!}%z}{wHZB5J=`<AV5O3T1_F9~;
z`4KN(B6$qO(64IgW*a={&PibSwDlR);xGf?FD5Un`TQi}VCkV#1T8LUl}}hUn*Ff-
ziZ^fAzlpWTkVbG&)R}htL;_AWT3-m|YgLiYLH*4pxU)-P%n18y`2~*X^!u?Ot?R%p
zh6lskFf<Pk0oVP3^UCY7P+zf}pYo~X?@qZ=#4M2HKB8#mcamxcYyA&RKc4fIG%$?b
zDE(tFHP|=nWwt(6*WA+Eq-jc$ka;$5mHq+65N~g3Y)m65Ec+xBVzYCm24eL2?&|@7
zB@N*+g!AHf7`$;4A|(B{1pC(t+%iVy^lJK%hP3x&B^j`MTJ1TeM*5;e;$sMU0;tP0
zri<$!s)E=hk|aXGC(OXAX1H@52bcX-c5LqbS$t^W#Z^}0jp1K*1&6x4P|E!GDrL~=
zvf+@7%xv?2yaONx7uZSKlkQRlG0E@5T`K}UNiG9X;DqB1pJ6U0j{Mn;NHjYUfThxJ
z$?<S#SLhF94w-xJ#LKi#KDEi27SU&+G1-|clbZefg?T(J2gyP!C5OMs6LR;VL7><h
zM2C^LSbVN;p<8WqCi6M^hfZJyaTQLVI}DXWK0SJGm)x~KX`a8}mbp4TasJ5VS#<(9
zo^970W|p5EMRJWf?rT$`R*wp&u^_sQwL6wnb()d_yWGmuZ$UZ8wb+-Ro~W8#`>86F
z^<fyF@3d^6m$%fx4V*;bSTAt;gV$zdV;BQ1N&mc`!w7Ov`rL1hfj>4i1OEPF>pX%Z
z8m!n5bXikJnm0N13BnX2e1EJN^nyl*ywfseYFHIfZi%!~boOw|cHcD2wyFMQds~LT
zlPD)dIor||OcH1G;;PX4EhAbU+$InRB)R)zF(Svy(?S>YFq-XhRzvSd_+MEZ+PG`+
z&DuSu_q`nXHu<H*bRAni1yMM|kKDdzvFrP^UG1&VzpbNKv@TWd4;#rWNuSn4Ab}`m
zQT=`4g}M^pF~LlT;0|jEfk@i6xg$XYm&XH{pyaKrfqck~2C^&rb?yUJKAY1*POx+*
z%}*Dc_!J^9bKAv_X*6>A5Me=HeQvJm7@o0b!*xgn<{0TLFinCu=VA~@*K8)rMqXU2
z#Crn({K1W{0&puShA!3n_{ux|qdtlt&ZNY*<a@EgJ74HQ6`D(ogn*pA2R+NEzin_0
zG~WhJUa)N)<N2PyUDkGnKpUEdG7Y8vVARAe7l_A)B?+u{6#m~P{(D;)=?hR1Fx(R=
zzRZOba3xKo6u0vst6w9vzi0|kGh3T<@}#RZ0Ty67!}{!<Y(D*U^6zZncr9;a=SW-{
zCNUgX%l9vl>3rXA>cu?biP50z3=Ph48;O(71|QrQU{{4Zb|wxmV}n4+avEAn&R|rb
zOB`36UkT!`)3G5MrjW|Kwb%xd8BE#PC~O>KNBOixWq~Qm$<@+Fx^%=mwlZ9r;bJ8X
zIKI-dDRoA6f5Jj&ux~SC1;jt1kY=_7W>d#Nlrj!ykE#UPz}E;or-q|U0_u+MT2Xg_
zvkY@O2b!xfy>lPUlof`c4__F@+K@m&N?pjDHl`EYV*d<tS)=R@NyR|kbSIGdv-9ya
z&$b-Tk=xw*Lb7sN&#5DM=$7D_w+2_s(5icHG#40Xu^x+`=>?5Lh=eWdN3%9rqDJe!
z&TCeo_mu088OHC`M5=__+jBz;NivK_?ndsl!*`<-%mp^egnTaqYB@aa_q7Cflf-o*
zM2Gl;8QXomOx9oUW$lxUhY7j5vgFT*WlLr9pEhfIm`TaIm`LLtXZ5`<)?09?-+ZpQ
zRZ2&R1V!`<#ns_~x7EH6EAoQs3d(jDtjsGW3qVBds){=yTdm-`T$mBVls0pTck|jc
z^?Q1g`Lfnfu%UN0IZHwt^5MhP*7r`vi{^l2UFAE$EbNGOQqa&V_%2DMsgooHARFp<
zHHoU8f5W8;aSxVx$G{s-0>xpJ!Q3CPX@0%%0-Pn*^_ViU2PT4Mk<&mIP4Tg}RDVrO
z%&pEP`LSS5gX0Vt`Hr;*m}(|ymN7e9*k61%z9(}Z7=OE>+nLTeP1Ga~3=n5u!|sby
z3r6D1KDB3UY!0ctAv0qzc_|kOfnn{ImwKBagRG#5>p(2VTW8PaJ%t9&<1BG7Jky5U
z5lP&c*NN7}mAfjNLy^)*4J9}l6}kJ-HA`y_nJv`kD|oh#TlbFEGaEtecb5WmGGzh6
zjUQ0t_`Q|LbY3hC9rhmFS6qjm8H2u+o_eF%0CiV{x<TRwUMt#gpps2;cTc=c#{85@
zc?g`t8^5bgnuSG7_phjVrvbw^Bbb(IXAj0ZWw!&d&c%jr;?egQtpa^|h6;3w*7fJN
zZ~d*K72ZP1++F}3j5qrOO&>iLgY%3VNn%RBU&%XSxl<IyXKm|K4p^`Oye!NU=rxR_
zDwCBvVuUUYS}+g!$yL>aArVzp7%BRPkU)d29AMl^GF#$|&}OflEM!~Ic24sX4sMF4
zLvGeZ7~rkz?wC&*j)ZACoaza<V(e78<zHTZS7g(+nrSCor%|ra=`J}k(A*ajMktrn
z9gdE;YFVP{NUKwRXcci)6sx%-t(Vx(3wz$U@-sbYT!a3}h{>5{7;MyJvVkkrCd!@m
zgAglh9<pHxwe1>4OX8%<{$>M1xd4*0l9iV#P%Hgk^y_B-Q~LF3e0%jA2{~h1PiyiP
zSa!+#_`=y^EgX%9JhZft!|o|`WP$Ry<$Q&v7HPqf1Guphq-<oU>r1#Pr=9D)1r{)N
z3!T`$s>-1qbk?F%e;66>9+Px{L=m#Tb@Y?Wk6M@kN>(;!XnxJ8@awj}J7r8KVZq5y
zKbYJe%1zMNT3Qas>T-aOE2yyNRx$=$#mGquK;T&NQeW<kG4Ba<TIA_)DiL~N&&;`9
zI{Szm9lPkUTR$XswPzY*kXE#~<u%gn5eCO}S$j_19zM-3NR$TS$ym1wav74uNkyi=
zDA|PE12v}0T=Acv9Y;(k{35r8h^8n5MVASx0sOlgn0YXjB1c$IA+qj{kAtWSuM8%}
zAoIUi4D^nOV<7JNq^<dQ^UzTn{XY5?dkTF^4Rs7!OkGb1rRwmArk&OQcFP7;J0q6~
z#xr0d2{_zf#2_>ufinXk-Mo(n&AjjnpGAdlh@#UMeY@5l;lHkLuldU$&>r`U0PS&j
z+}p5EQFbvP+OsP3&f{GS_F(I!6Nc@aRjf4S=7VK8ZcTDI`>h9yZ^&e<0ZNd~tzhvl
z3#N%R^Z*e91<ULF*#n-7E3fWQZ;6=$MbKcwpEz|1KE>!mjKwMvM5&fRB@L3K2dxi&
z#G_=-JSky0K8{xwt?77W<R++fzAwq=ye8?*;mjmrMyOz>7MI?;@Z{#II?0JDZi`sz
zlHnA=f&Sl1@F1_g8GW9&GddqrQlOR?8%nDLM)RzP%)4$jrWt+43z0iBU6V!bxVwmN
zJRajMX!+cICFc^w>am=JNf^0xo$|w#oY>$yKH%g}baD9(2{4PE{*qW_25XX#BFlFJ
zlg;JKL)m^3w#>ziunIi@F5HctdhSy78}bH2c0Bf``=iBCBu*Z<Ufa=f-qgmy#dk^Y
z?Elzm$m#phOBtO|?{&1z&fgu8O?1~u*cq#*xIgM0Txi9HYW<pfk4|mb{(&H%Ghv+K
ztBg7B-dEfCo9gIka$5s~RD@oH%A~i!BtqQ#q&MiA%nk*cGIKa%;K@9${-6@N2Aw<j
zc(<~NCp{6R&qp8DF1CHIy=c@xEG*h=OA5$nOz!B7fG?_v>Ic3MIX{QU`9?eqQLAlj
zqfT#x8Q050PT#R_JF)B)IDU|twQaAoY=N$LXbPCyT*WP}jiRJax4niI&=F!7h1fQs
z`=HS}5oZ;H5dAYTxnzn*V=cKbBW0`Kt%)=-iCGc|>UG#H3NixlH!mE_1EPrO<O@vX
zN>rMwL-WG0ab4t=!P}!G<!lVbN~GHa5tdj0qE#GjdZ<@19u$50fE!j_26NJ;GpFas
ze?{;<^{lcmR&H0hgp!%dh`l@Yv|QinFd%9{hHP^PF;uZ%7Bq6iFe64PG@4xOiZ1U@
z^V^1DjRyq+{VH{|eCGGwZK!(*=+;Vh{k!vanx5Kee45C|3IzG{p7{~>O~`ZgU~rid
z;q?^_#&-6Ax<H2v$6Hx_99?YnC7FN`<WAs$XiP<OKmv}S;KgB`3g`4kFvV!CoU?m^
zvvSjd2NWH1XX8FP*;9LQWh8uhIk|K^LtzSJsyW7tX3zDS-ZV2Ju*X7i0#pcV@|bpV
zC<MI*tvefrkP5KDdp);L<dQ$7ee#IL3L3w;l<HH*-4aNmrMW~7+cXU<xDLw^120T=
z5eC~|UD4Rc7BS_iA^Q0jzL(Fh9n^Hv@xmlI6nP+eTS?L@p(OLFDOn$;KTNTG!3GK#
zMiNj2E^t%9p_)=2#0xzUNxMjAll6PXIRs+FFydp#wVh=um~Xo`-DQ2w8^XSYRvUTd
zvJ-{dvj_n<^244l_n5#A^CoLmIieAv*D5k78o)6Hb?TuhKQ4W#uONVTkQ*}X+}W~V
zlGl+$(hc-c#x3)<GH6M6o==Srb#0$FjL8G{eaLK4{w&-mO!qxdTNj(39GW$lBbBu`
zuA|UxvoS!R4YYwo3%;5(>na@Wc<+oOFK~Wu|FK2V(y+Yy(48Hxv@rUsgnmdfgc$DL
zBmEP`qbrUsY_!&_fghm08;YKtCgeeVf=@FM52U!%E{m>HtY=o!SNXhHhb`wwkMz#r
z4K))Qe&i;qu<?MIT7R&xsEpzsTB3_C9Mp6SY6e=ElA28-MTLl9n7V7eIYzS1`>~&l
zx+4YVx%C~p9*js+xd#WuaBQd_{%K&{r+|4&++EPU@4K4q0~=`c!@IDx=>bPt1wTb&
zUqk=y_HR$P9)7c>rVBH^x|!aN1TIl~P*T1<zpUd?=x-H1*BEOLb9af!zfZzg_gH3k
z$$Xl~<1zm5OH4VVUI3#uMwDXE_8<WNDDZaD*q9uIdO?-K2xJ3jAA|5Dx3r=gl%|WA
zUDQArnNZ)={ZQ~KSb33X3k*EKXGa&Vv>{DZ&^pKwYFM3UDLM7IbbQah)QcF+lJ9_i
zk<vCBu;A~zCG-pYZc+A<CiwVu-wQp1*XYMLD0lYS#ZUKloBi*_f&F?xSlF4+Nw?&>
z;}v!3aP`*XI;zXoispAh+vlmhbJuT-IGfG@?Yb$~;6w$0X^J};+2lc5!88Y&e=pop
zapo;g(0s@^aOI#mmarrvKS7Ukf4)Am?Gd42ui+|ooN_UbSu!Qv22#S5DUW$Md~m-J
zUJtqm`3c6CeskZ2T>LoE8T2>j8C{{779}A&;Hw&`+IWU3CD)H!-bgchT{0rjz9O|u
z0Eg|SK7MY_oU}%NxMrisq!`&FauOK=22GCd2)8=$BMe}9_ud9_pl^QsIqW6Hh@1r~
zSNt*D*<JpQI7JofdWtWOg;tZPMGB6JRyh+TE*3LW#k~~Eo$jb1BYRbypD^kHHP|pe
zo^nHU8>PxFC<$&(ZsEiyIZZM_rp6&Hnregi%2SQpf=~VRnMB_COK(mpb0Cx4o+Rb;
zxxB5FP$fwWG56k*ISvuQh%WcFgi7T)tn0bw33EOhs6z_RyiAT<j4Vxh8_971K3-w3
z`?~@M&mZ0c7Ka8dc*=Fj_!k~^B2m-WqYhIg*_N4bBWBXV%;aufIk}P>2?STPbA|mc
zV-=7MZrgP-h%~U5J7zVZ+QL-*_5y;(I!cYaX$T%}f#d?af01n>C<87oMCF06F4-bS
zPIEzN-u0{MFQ10iLYp(7*Dc6O@CW)dHB)wMUhC|pq_iX2lHy1PfL`RZy%XZE21U;g
ztkA|@ggb*j^;c)lX7Xp~smU4pp#7r)>Oxt_334<kHmWqpJ{KW;RuILVs2;YjI>Mt>
zB)6Wg2%%&hX>z#c?(Kl%pI6kvJrnKTI4BQkaB)zAz)7s^oKbsRmL}l!)o00Ef@VtZ
zll^ci$!fJb7|Afm`csIZUexW|NZ*jS3qC^_Qt*)#yu(RYxCtWgiG^Ew02m#Z9O}e0
zoLeGxsAjlxTTgD|Nlm>xJG>w%PYCt@sqfRpR>7k;(s<GpxMBXHp&LcUOj2;s+l8Of
zw)DZ8yP(8!H%V?yOJ4sZkyJJ&^Ze43N?{&Mvp@Q91Sw`sbZL}t1;K$lGC+_7iwjoB
zxYv&$U%AwguCaH{E;BJekRorsc|y8U3SMcuK=THN%bf(mM@6S4SeQqxgf{^Lqsi`G
z>agz;&6*L+q~=+~(mCfH1r2AcOBCbkgNKJ=H~C=D8vVbbYKO`jSuQ}ZGGnPjpG&>7
z=<<bG-ZDyj;7S11wvk6_c{aiG4=B+7!V5|obZo+cNN!t^(<DzZSYykUSo3(luJy|j
z#jda`gJ^*Z3M3AJ*8Z!010AO5Cj~dJCs*RzNF@OJI;IQSxi$HO&~0sGxCNUiosZ<R
z1X2Ug{8DRL1t%y&S1lOT=fecvQ#I$6p<#?pr8tB_efL`^^=+Q4=Z6Ddbvbw7Q(iwZ
zxqeaOz{&bFOF?C-cmyg73vmA_Oa7-CRE>&5O7@3U_g_~mhj^mUzreFeN9d;WzyBMJ
zu?jS9lBg1aD57JPy68sz%Mu@2O!%NmQ1gbuYmpr;PM)u$3`Oz@oMfuDYHhCin`!4r
zeiz6W1qmx;=AwC-gS_1Q)cEcyP<>|B;7u8fjV&xJmhr<7LJPhZT1>>W>sVocI*1fF
zKl$mzV+Wlv49z9wjo2aKRYRIXER1GRah=dCBt@vK=ZCq4@O8?#oNSAEp}>Gf|M?Xd
zlXZz3@AI)TGv`j^W`#`K-J&|jMz3wmIXyGW)OhOGU8h*WtGWnr^{(+6R=5zsP!qOu
ztW54OPN@`9A02|bnqML!2gr2Tx9zYEa-`SwUYcqqEOZ_DwZ-!KXvq2WoQJ1Lxh0S#
z*+vCV6XOhIZZ41i=zqo_VFZsAOCssFqBC(XJQnAlB$^+zIcRJQ23bsM9Xsl8QJgz+
zjQRRTo2!fRZ@s>inO8vwiwW0zx3^};jYkwi(zA&p-HDzYVIz$TSS}1os6L5XB~BQ2
zrZZmt<<-p0O0?!q*7MO475t>YV{th_EG|bD?=Uv0PG!ncpU6(>2W~}$<pFiys}7X?
zMA0swWZvQaOr9vR7J^et%tf|3kVM+ZiwXl|;*a<o?j+GVnbkYxD;PRal@xc8$SCBq
z&gRSeY^4PUc~CH{f;S&RV2qub6eCTfn>SS^d84FZiB|mM^|Ouyy)}_Ywu~Hu?<Y|<
zlelA+AbA5Ctw?mev@s?$!ClzxR`zYOlN7zn#mSZxxr;dttsv`k<Ix+EHUGD>T!K1@
zaxbR#JY^plKK02p?>WAV3aaa_<npMu6{cxuCt!xOaV^|s+qqUV>ur<1Nvwcmb{W!&
za2^`K{$`5G7u=N3c_i?Hj=vy|Qzw#8`VkxE@j2j`JkkEoE-0ZigxNj8FY3Tk3Q}P@
zo5`5u0<gKA3xhuKVLlx4C9-y8gbGU!qEnc~+B590ke-6b0TSQP10Vk-^0DC504M+7
zX21mKx#tT9CPfFPpzF77h%v0DgaK=j;y0%W#!eU>l5N^nHk4QLUV=%9zS&Zn@1PmA
zWLONvEheTM(?D`1cYh!%I~+fY|LRXJ?a!TLA~2hoe(6!m_WKI^7C9jUC-Yg7p{dO0
zZPL*Z+&`b%Hr~d0TS1I~Sf#v?v2Q#KKt4`fLezz+3KU?VpxA70{Mi2epY6;VR;(qx
z*4CRT_ZmrVFT_nYm?e%|XE>cqd9HaSbSXbAsfU-wvg@=%Rb3Wo^9&t<h0ODeO=V8@
zsLC<+w~hl7qag&FaLQil(rDI8nuWBqyb^Y1Dw9+-gtVtb9Z`k@-cnE1Cmwtv-bvo7
z#@`O{6-qRlncdap4-zaW`Qq%^-mYfkH#Sa8z<}A(X3w`ASZL5dCfdRydpKq4k~%3Z
zC)ocbGQpCP2%ckl+P0$?{LkL@X2e%yCP?YIt1J8V!cdinuow(&j^Z>iq~q`jmas`A
zzY<(enP?)b{JPtbZIsf0#SzID<U<dsoHk8Dk4S`&K{6Z*XLEX%lh`Y`-`dlOKMjNP
zBP8a`bx?Kk?rUH$xW<WLNunKi-_1~2SYV+=vX}Ugpoh+Ukl&1C1?GH#IwU)^t^?V)
zfF{;`D;b@EE(+0&_|ROE;TO?;(~G5_EzXC8iF@~{+s;a~G542$i)B%p?=Z>U1`#zx
zCc<!jW11S-Vh8TC>>(F&Cxq`mRfyz}!)_Hs5<>Dxb`5);xc{7*@u`X|7crWbjOM)e
z8(R>$PbF!lLQUZPLKej`OrAZHT`<ka{%4bt+mCPs-gj2xQ{lvEU@FuQa>OX6BgW9-
z2i_Nhb}o7;yxXabg=q^BNp#N^R+0nH-s_T3n2K}`A<%;19UO;Q%KagcS-N6s*5#=q
z`@*o+0Hb}c<QtpzFpz{gpInvh$!xcPwk@!DBCkN>-WFT*iwKP8h`?B}9w6Zbr?y5G
zZkUaS)-|IR6TYz5rFrjeq&AT+!EGNm&Bte8xXYA`db8nYE4=F6M*b}zXu<7xmQR6^
z#BPsscF|x*4cx3}xWl|Q6f-pZrq*3sEgJ4Xfz}gAT`b`XiPQvb`c4_y)K6B#SLAOH
z?T#8&%*WC?<J!`Wo*EXW3un~FV_4h^`{)})`bDp*u%Zlo5jycdD|Di2D`mI%u%U{7
zh?b=~fU&M9^ih<Lp()~N5|PB2r45@aeMwdZ7T!umvQaXu5$ScJ_fHbbZ`ENFQd-0=
z&sJbw)IEU8M-`WJL?!=V&;j4ube(OOOb}66d!*s{=Qx646rq5GAdy7FX58~2Q>MHP
z&XN!vg0$4X)%(c|rihsjAZE;&TPG#E=@`+G3r#t!k9H=7=GOrn;AtNs+QFJQHW;DA
z4E;P0nkhEI_lSkbQj!RYVnB3I?H1?NUmFI)ZAyAJ9)WA-TB-l)ZL1|LN`Vmwg_Ko-
zDMPXE6S%^b=q_6cjtQChO7YzamJy{qCY2sY(#A3O9?}jfzZ9p@Dyg|)e%LK@_8d!-
z3g+cvye-hT7~A7lseN#ed3VU^*%X#-{ISG9EY1;H2Iigq%<WX;h?YBLNu>ir;<9pL
z+j5ffF@)h%L(=*Me6K$kkqur%e;1a-Cz-w6Tui2{7&Xf=wo;z9%z|UpxFi@Q?-$8K
zko`i6W?-2*Y)(yNYNYExpY;o4Q`1bFXWI7bX39=R?=8VP2`Q<EJeY*_UvuG7u;}pT
z4Z|+V)4n6aSIn13v}EUqs81Sc7tpquaLQppDJ=h#JqGoNAwqiakj9Q_TN8r(m2Nwb
zFE!>b-1z^y-S}r2sPdGimMn^%rldO`f9@NM*5ri@?*B$|v62jKl1uD{>^8Q>V?iEl
zf7#*0GC13d$TTvA$bW*x_nFEzX7=Y6NL-|#`0O{#6q(mcc2Q8Kd-AHCf5`5edmsKW
z6PKorFn76sEg<@@@7RrVbdK`a_J{D;mHvVdH;7a(#p;~0xLh0x%tP)xc9RA6(d`4j
zm%Mn4O~;8|;$KT#h_@xnj27qTG!`G=|H=dh62N49N>m79e_hMwtw)qGzb}Tog`(Dg
z#c;0WE;-&{WI=;R*pGmROG9&PkbXyy65iI=Dy{Y7*a=;4-yow?{b<^+72X*wFwFe~
z*SYi8ozA;TK^rr&cW+-mWn=(l``)b%9L8x$q?MzH00Ia>-$bk?xzjS+d`2%Y-kNER
z45FDv@}X`Ajw0Nk+MLo$?M?*2%!#F!#!3bgn?!F?OGEz`WIOU~+Gi%tGH-(_>dy|4
z1op-bF-C4YF&b-<q-<I#3Rf}sR*V`W{Ak6<^hJnS0i%Uy)XMe}06iFmd#A(^L^5~H
zx)ccK!9|*F^f4qK(xcf)gCfQ4ToiISts3ngr1?GQ<?9`*zTWll4dI4wwHkic6fxbl
z;^EY#?(y#FFGmKMr-IT%76lU}!kNT<CRv6~tZPRar7)sSjC26ph4eXRIsYHbMne}|
zcW5je>|+M|Oc>QOdl)fLta^$ygc<rD`OGBQIeRX(Ana@zkxn@d=Y7Gze#ifN_5<i*
zvoG>BB5n{PnZ8$i@sCW6#_EGnpTw>tWSP~gWPIh`TXK<7UKk4ApZUTCnxbo;?E-yF
z8+*6YlBTJcDjzimWmk=Cs@_aG+RU8Mn0x<gETmlrqNLfcd#s-NPH}YrduARyVqe%H
z^GIw{cF4Kpftr2FUW~rZOkde!p);P0FMMjLpg~znYUII#?8Cdk`qPoj`;adE#~Gpd
z)bg~9=^_%3^-*4t-K^A|9MOQ^`y%f0e^T5f<HYIv7|Yyn8a80WP<Jph?k92$hC4B=
zhsf28`Nua>nk4f8Wcfz4*)uvKx%rT$LT3+;+rr2FH*<=_89g=WQi7z^5Oc<u_(Vgv
z6j~6&JzUApHpow;@!fFXg9H5Yft>6(WHl^aX?#bC48GS9^{|7csdFf)2%v`IqForz
z{AG`Xuf3W;i5MWu;7;aKG!Pv%@6rgvRL~=8khVY+c{|TkLgP6jO~44@h^Ct!70X;y
z7%uP5<eN%M6_`<7ezjjWl;SD9QGv=C@q=$S|9jEnaxO=W&sb?YCZuUh=CsZTzSq&2
zWv1)KZjt=x82Q19I#OzREhSOu;>%qSWStiNv0p1QGN%)?<ah&1T@Wp7dAf=856Qz5
zmYibj2_FTp6kbXx;@R2fOF-l}#AC%Md4y%1g}F=b!U9vIe;B=G3^D+akIsZsG4Pf_
z#&^2NzF;0xsHC=W1teI@f3Bo)fk@ooUH+{{l>Q_tCdJqj$)+32-acDy-ONf+jm`RQ
znHw{=x<`vi7FZ2e+Axuqo*;)i*qx}#{QQO7&O{X7|1G(l6Nd%0@qrTHf+4>Y-7X0%
zjRG=>r~jYvpABUJ?3;ZkWSN7SPvJMJ1mVzfG5&u&+efLHmpRn`N>3YiyI!}>3p{g#
zQi2$8ulxvaf6?SWZ<FtxMb5KY8i`;kqYM(e3Gc;s6ou_}@ZHrX%9H!5nGi!_rKiIX
zY-IY%I9C0#{tpkf3N0s@&FA=sQy;JKfMi0*Jz!ud)1R4P>bb|TSQnk2DB9LgHUq_y
zz|GhZ(~$bViZK@3$qbl?Jo<h*itag<61KAEN#Cg8>A8t+6rah4#g}9{r07E7Bt?Zq
zuqYEAp~RaZUE7{6auAWK4`iYO0v6IYnKAK<azWq-YR>L^Jc!l3w{=u<OkjE;+y_rt
zoP%nTm^#InnACEn4y42C4oipUn9E_TQV^8rgdn-b3?QjfGJtZyYnEh?(q?1SLm%_4
z-d`=6Vt!uifY_01X-`ID--Y%#lX+){q)l%J+ldQx_x!t9>=&+apXtniVI-G&etyYU
zi=65x_q;D=USb?wZ<*aErg1^y32GCfiTXNn=`Mq(bS!q^i6mu6;pC>wEsIVluo5~-
zc~y#9xmLH=krlSx!gfST-2uDCAAkO{(A|2=k@oNqKeftvwSe(otlOE-dM60`HpO+l
zQQ+B0O^oHNXbj~xw$-j^JF_<9K1fpaEIKZ;bg*B>u8l%u_{^p7S6kW5EjnWl5pY1|
zY4QOkMjnu&dGO53D^7$%UWqzrb4ZgT1^rRjk@j^a-DcGTaG{tcS2Y_sC%Dg7m4_oJ
z6D1UU2io(($EMsuh`CYUBY${n6rpC6>s5R>?2hZr)Gp|~VM)GzKVk^%C2|r*X)pi{
z3b#TZNh3!#XC;QMrUPP4MLR&|vcdJOPY+Y-D4gF_J3ip9+LvUvIhwMCy<TD&HEq#L
zhx#=^eu|;`#<q#sEXWVy86CHG#SRmOlt299-n77D^>o)ULz~7>W-%-es(sCNF8#f4
zV*%GDtav!rb6akltA&86Y(UVt$*PLM@JH}03oBYW-Bsv#<Gb)^v+$>N_r)ad0UoMK
zOwRHpk1FS$4(Af7CgcJriRA_pdse!7e++bXYxdyTS0`t4cUKPTQzA#nu4!pcqK{rB
zXYx?<&Ov9%{P|CtIlm1`f4HC`VpO!s!u0jC>esI=rL4LduLR==CI81KTk39;H!y^3
zjH||ch-OPhH%{R^_u&VI;2z)M8hU*c#Yxu>#Ep=9a>IuG)v|A&D)^&|qVKILE&pzD
zX}ifgYU*?xJt@>mu~*Y1zR<co&G?_Bb(2kWIgSr{fYjE|(=FQjYMpGUW&i)#d-H&*
z%6<QTF*~3X<_L-%O)4h}6;WjCwbV{3_4DL}Ca8g?fQkbsqgEV`DSFHtKrlU5J2y=f
z1xMIU;lP-spfV^5ny3iG%--Mk=XuuJ<JwgBcJ8^qd(VG`u=m<)ul20w^ZvX)uQ!}8
zp_vLqgwMHqkTZa2>P`$k!mko3KqvNxf?<#-%%})`!3d^^0V3M}o<)7I8QuNA20+`S
zwk5OnZz0VF7j%kdWg>g5AK)=;ChY*I_h}+7@fcAt8pLG*W3}r0(^5B?({x<LBV!;3
zo006Ysmx@?4efJk-Tqa%b2{{|tK1{4G;uO)0{BG&tP<?x9@Z-A%M|-n-mR-l-9jVG
zh>Swk{HJ{m-%ErJfCuQ#NL=Kle?ex2NfQN8jVl7MXRDUJ=)Run*q8zf4H?I~;m4fF
z3*HQZULALGnIQP|Pj9>zRR7~lVM4{ppA*kKaPmfTaL|r1{tiO!uytd3?}hhTh@2i5
z+6D=`;=B$J&p~$|?$_jKNPQO`A8&7vP)~qlmSoTQBISMj&pP1I%On=(b-eMRf!7k}
z?!?Y@BFz82Z)h-`X8r;YbY9;uY0>l(_qvdh*0(66Vj*r}b-PxnJ1kMPY}yf#FiK{f
zpt}{F59Hk%u9@#!-!;?HPsO$lG`ssVURBzVy~B)0d^<)Qv-qD!-bxAkjM-x)V@8CU
zn7n$d-ZOg^c5o}E&~CXLdms8JSD($f^tz8Ys?K)m6MN_kC2e65%P(Le_?N=qVJx{l
zw(dyCB|y*lawg`s{Ed2+JpNL~k%@AiwjOK%vS!i+$0`H?6BO=Z+@^#v2!}h-RCdU*
zrkSKUMPh17&^@QfNKCpZr<h3vjmHOMR0@lkCq~~ve!u3v(&}IVqE}aV-voub+>HD`
zUm-brRWPujLN1cWF!e6w$N!pSb(gjs_wIYdqhUU#T<St|!k<uWHhS;z=aw@a%;etp
zy+uIg9}T&r7*6{|BJOzf+VRfg8k!zXm^36CmRgpxO)2v^)7$iU3<=R^So_!(8#XzI
zSoGmvqL#TaP{^d1JK{CkN*B33%}rz2p}ev>=0;NG2|fffd`$y|Bva6N%uv>rXO~NN
za#P<<!HEC4hyAQW+}j_pz)XQ?tJWb0$kmUFBe7xk`NC$Zo$G@WrS9Ql`UvZ@5i!}X
z=jw_h2Nzf@n13nH=FNW(a<#K1ix_Ju=ZD^@4u$zjf9@Wr?TNQ`?Fm}$D#*}qSj_Q&
zgr#^MN`TEMnS>fy;!Tw0fcp>UQAqeS4t_fEvwb7`n9A#Uzb?H-KxN%oWFII9iumr0
zjc{#UC;>gI`tlgZ)6Jmy=y7KAyOIkkM#TeIN0+vx=l+g&ygM-v(wt~9PCV@bMa*no
z5D?#1`8P@<N~W;z@3t;jWNy&1Pq0PhWFxSk-8&h|SA`!w4)ACr+ni2G|38GYJuVV}
z>aSiZ{%F$mXCbAO8%f2_H6DxA9MB$pP=YS87}|do`Z|Lo|G7f{bq$~myi9Cv3G+o&
z<o#}eWrfHcf!h_a3~P6i=rG{cE+3!y=$0%TlD&VU;;5ek_$^YEJ9FK>I^z_0asNh4
zEuZ&YM+TkRGUrfFtKR37udWfIE*5^1dekQB{cq2Nb{eqrTsuKhV`zsktGSynarHx|
z$Z{vg%W<0mEq&%NBZjm&z)hK&^z_R*+_TqM3{Zlt)(*>!7>+4n+i3_PDi8bE{fh68
z+#5)E6rJDeXCl9uQL{pk@snRQeyW)Oe9AumqKquJ$WK;a)_*wwFBl`FN|KOyzPM6p
zFp=eO_uK%?SHNwew_R{^8Qu<-PARu2B!!|jSKaV0`Dz}^&7wKtE7UULRXt-t<qh93
z7027H8_Hjro$1!Cz<l(;9SDK2L00*i6Cuzw?2*{>0%QQaMt_3s@aTP0!K02L_#Jx=
ziXXV&Im)Kp;2&?Y%{Tf`_P(65<P0b^d(*4G#O@sd18JS3-ibN7EiwGL8}{)CZ>qIu
zsBm``qQ*^DtQ>ZyW)*g6#g(p`$|q$Ewb&eW=uTa?+*OK1m1a~O`~J%Ll6IH2?D-pa
zu2zRY_8_4Kh9Opz!y5Q59dG4Za6S};+|k4c<M&tjUgELz34fPi-yG+ZuQpNd(A28K
zG$of1<1fHII>-XS1Z1|jXdHnfj7z_!7>v<2Y^g7DVi%QsUf+q@#k}wN(A(&N4CA`S
z-NJ46g-f>uq}jKcXUruz5RmbGB8?agLvF8gm^NU3$^Lodhs7o<>!w*{BBZ>LXZAd@
zk5FmGE>^{#4eKWyw{}tu`UV3M@0-d4!K~B2`~m-y`~iFdfsucjDBoLz`)0#{zq-sz
z%+96k9Fe=j0$|@c6G*vbhNgd{$Y>EfBH~x8L7>S`yeTs0Q;kL|4&Xa%!A1%OMNT9t
zj&1JB3kp;FyFqJ?%D4lXER1dZ%8%5EtmX&nigL>6z2$8J#oQ*Kj^(c`Y8`S%P>~*u
za4UVwJ}mi^I;lghq5rI1&PhCmKj**AW)I~5iFAlv@+utrgW5ztnPCR$wOS7RpL|=*
zgJ@x2W?(>YXss^XCQ;{qWI#s+>epLWeiXW-0RQmMI?4wXwVduArS5xcTGf8HbV}O7
zY(-Xbe(3e$2FM1;<kSorh%vga3esFb-Sw}3ro0(3@rpfCr2m0sL7aggUI$~uCSJG%
zu><pCq78z1OC`V;GK4kRFYF(HESS~Yw2*Vq*g=rbj@v$Fzsc!qFs!~vWkl((d&wOa
zA9ldApKWS))O<t!jy!2IK$vox=g>M*W-{Kd==XpN2a(8MQdqHvgT(Q$7IKDhBMCJa
z)UWfMkdtEp84k7oQ0mKCC2F$Gn)n`*QenW&EKg^6qT<c<&5B-rb^`PqGzJde2z)S2
zq3%FEgOF=EL1kCX1Pv$ItoIR;{=SS{Y}GsOq>uIP0AciP+m5`w#@lHG-wP^xS=e(!
zbe%HoX<yup%G3>PR0V+_Y<&dt9a8!P0|bna68;H8#bgwoCw?2$kw83e*`pQ}m42G8
z0n7MMT1*jfnvzmiq)sel>X1m22q`^sAg>+SuV<Y{i^}JpK3Tz1fN58Vn{gSLciIV$
z11Wl1{rXfhsgrUMI}*&+4n9dKz-(&)5{+-6bVtZV0TXHGaI@-zgXS9ZH(e}STYHr!
z$d_R0!IVofo&trXD{iGlR~GRA+mndpR@0Qf#<En5t+Fus5S!=0PK!aDsn-5Y5|yT%
zrD5-2l%9$~$k4G%p1%SB4Yx+|dzUuH1dk)9n!SlIc062wTpN98RH|yLSMiX{mj|!*
zBz)im^cuS_hoEvgsOajLoX8INVRh)DrhcmDbx<}1kItG*nJMf6ylQyLqu4u**ybg)
zITJr`nvyatrl+nTM_n%gxErU&KAB-|q#Oa9OSr`Y&yc{2_T3*Umu;GDwkRdg%%||i
zP{-5vLWLiw=LO(}-KK<49%{U`r1ywjPfN>Ug3y_u4Bml&7qK)PuoxY@_JDsP_rAw(
z1hn+oFs*qVt5@ub1;#I)tcXUGR>51PsNlFNLw>iek=7Wbr90{3_)X#M4{a1&Sj6Bq
z^q3`5(mOnDKz4creR;h&<Gw_%1VU=n0BfnJTu*(Gt@8XBB-+G$JNNDpsxX7lON+c;
z78i+9VDt2!b3Yj1v65u4f!HR;qW{Vh&?QTR=zCd%q;tmzRc?<iB7w@@f3N~sJAz+w
zWqu?v%h~!ePh=b*M-f{nB)%#o&-+r|)oD1x7M+I6O9$I9s?xigd?%Hz(sX)~2~5+K
zUC&^BKJyiU=+KqJKT8>S_+CnY>|%;-$iIeRWQJh?&;UmI8$AjOf{gS;H5x;pUX@N_
zbI35rxk$?pq`{ya$3iYqA|zDdYY+q(oD9e^V**VAyc@R;)#V+zH<IRPFkJH;Nc#rk
zHy%@38Nbnqs*-7{rzk)c(X0;tyA!9<P10DH98oMTzL5wER=-A!Hj&>?5z=aFjc}L7
zeT3{Gr%HiFt}*Y(l^E*w|H_s&nJxWyiUwF+MB`J{3vO4vu4=#|N!6K5osJi>&cunn
z+?5}?bP`mZNHSVx>sB3DR8KHh%%h*12s66II#s06^ZeOuYSG7A$akOz`=+~oMOhAW
zu<e571+fo8jx~to=XzL=lZ!5;Ji>pGvdNXwDwSn361;8%+y(+$NH!x$n=g)Z*1xtg
zod202>49j98T{K1MsSzjM~ql4u4b+?TuOTrda*0gyhpFi8)$28n2_C<X4Y&!Uu;%_
z3rjAmORh_yy4~$x-0fe%-A+GR_Enu|86s+<YS6(GpGpePU$#?fDyRVnFhMCxvm&Mu
z-SyLW@0AasVz;{*u`23zt<Ed;KC<JR`f^qPJ6+hdKc|u+34Fev`>ipX#eeMMs>sUk
zI=AnB;*lt5uBb+qLaSNcvPVRFHdFE5vTJ?7zpPUKv#e4RsEt1AnG-!N;CU5s=qzDO
zlVnCQy4uVPnYkz}%Oo~N2Q7Y)IsV9*$<sDu{!*~dtk<AXz&D|&?TK^0)A@r88YbAo
zg6EN`J|3|)McOgSuYY9Wxx9}By|ns6ul|Daw+Xd635IO08&HxJ8DXC$bA<b0m-H9K
z^mi81M#jP0*+8zyxMGj0hy1owG+A*pCB2*6DlEF3A&%;1hL;qtKki07ovr<CAiH_l
zED9=vm(zJ#N65LVbS<U5qJt(VPDUF-+3Zd43K!S=2(LuyRab^1&PU!Q@-%dQHc*ki
z6K~bqY@bI>ECeCmO**n|6wrC&3X*GmBYv(fu0(p)dy8ZP)_j6&J(vI$al8u}@vqvo
zl)^5wA^qj&4UvmKvO_;u=gq3sbO18%CAYQ=3f^W`A9Qi;yoM_oIb}77f(tT}lr3{*
zatAFt`M?INjH<1%iCK?ems(s9{CH#YiO4RAE%l4)uVf_VyxihenGA4u$eW-u_fb4e
zyyUM?^@yl?US55p)>pOk@l?TnP2kxrPIWo=lAXAg;QlwYb;L@zWbqF>bJWc*4|?q6
z>+b}*c<r_`kFvm!p<fKG9<Z{gW|jESr>R;ZR+<aP4c{erg1SR<#SIv$O}@)|$at4y
zoBW>_z+?k0wZZZGNDIa36)(wOIj>v1w;?(Pt}P&=;o7nfYG}yv7$OJ<&+bfZZub4Q
znSJ9(z`L=jDp#SRU-J6av6TRFU~tGFQe4TtfA2IFFy8h?QKol<%4M30eWmaQE*c;D
z&`Et?ydVWo82O7+mzUt^l*`6!-;tlP!{eqh&EetNpys6861OFFZ<9s5xx;#5Ut3z(
zRezJH-kKWr+^ug>RdrnG0<8t@7OegJ0w#wVeT*ph&FLK-PB@%s+AAJ2XZaX^h^^g1
zcFbvE$!@qNzf3I79BTpAfpY4g(+hWujh#K&na7IYdwjvpENR;uG*H7-{L5-_#)-X9
zVJ6rgbNjyS=svRpa5*2Eweq@4Os~`NlZ77cE%^l%XCA%W%bZ1Hq&=Vh;i?+j{erOO
zu~EPr65%o3vE00TIp`VrS3h#=5d84SwMUkFwp@?hos}Ke>)y*k%CZ8OtyWho8)3$r
z+_2)ugtRg7mhz2}4Ys2PF1Wv^9Els4<fMx{xMSRjkgQjQwvA8yZ|*H^s91`#?{>85
zVRGo>zxqC%;o5HWy{B=h%W|t(!e>~~t+e%#%`LvQ0+P${5jRQ~d){K9c3g2w#Y~_T
zMs<9e_Hf)vr|@Axv){}dwP>7K2y6bgB-dB4q|gWtn+}WTI<r$9@$>bjyZNGn%qt;%
z?YF~(=}WWe?(`~ouOzqYS=K-3OLM38xtGV}DB^fOp){x5aoE!5yWSW26^7?+OnMl?
zKG0<7`BUSo>C<%@{?hQ8xA_sSzd29<vBBVwKR!2A?)`xy?e>v#vikxvhzkL8+g+&W
zC1CosD6BVn<+!17*(4TPmU~3H?-oXv=k<3#rnaU_^JLYHxQ2qCW`xzocNdT!JlQWe
z*Iby8d+Xv$pB0S4DYKF|9-Dnid?Qj;cL^GCs%_Lv%u;MEa6E<&cx>1kpZcz}6D;;s
z%pYchL$*9LX`=6rLJOtx)sZ{1#<UlDk6F}dN;khcLDre~W>>`K9Lw@~+d&xJr|?Nq
zu#aVwWlx)`c&m*<()?Erq?(OBG&XkBmz@KIjR%J}j^1ArP!??_gzSGfd~-R)o4wNC
z{cH!pK51K1uXW-bz<v)Q2JMC*Y<gAknQbvB6!#q3G8s<`ge3OAB?vtp1;*^Q=tH4w
zZ~Ie58!p`9kYRW`Wx9j$pUv?FvK3eQtsXniyPU?POv-~Zk52gEs!7EBLfr-Aysd^I
zWzYIvyYLI@6AL>XgZJ&+i&#Km!J3cnqlcwo)|-IayDrPIs`&w=-{ajJeF^NAGH$<1
z=C@;r5UYK=X#E$GUq%05@g8N#@dd5JdMAaopl(lBMOMu*bLA8(F`K5`ZCP=#I-3?B
z_-2t54NnTDVIrIPdKCfZOS2nn7Lld6pn+|9_Kb~RI47zzrs5t_x5L+KhVdp`E4v;o
zv;yCsuBLfAc84dsKc+0*Q8lsY!8y1y?>pp_IR|-0k8ONbeqBL^N`pUjwqV(J%W`1H
zr2HH*=hC9$LEl0VUB);e(eJPPexg@@x*|bw!d3RSoe5L-9AEz$PLK7tf_GdoK`y&x
zn8i}~5QF)wdEK_KS^}lvAr~~;T=42DL00PLpiT5)9cA{o<;=Z0k3U&a-!STm>f9ea
zo5cL!)IrdY`W?$ESrHV*o|OANR<cJL$g%j&lGZofKv9eD>HCSRa3R#*Y3#kqHEwLd
z#aJ~$5G)rzNXzi~<C;DKUZJMk>GBt8SspIJv7v8%I_XX-%o@@F7}|pRvtRZuS1rDY
zDL@~RHa+yrSf$FdSv9A|fla*_y+V}H!Q|e!{L-+c#qd763_p+WEKr^+SM~=DEPB^N
z%WnBspGF8FuRs0pEcQ-#GG@j3T(O0`t)7feuz3^PXVeO|iyusjOi#q6nton6wb#s%
z*bfOk%yxWV)Mm7~WT^UK?TagaKKDgRzY%8EDMwE`VK9He-UBQPqH^(EpZ<1-dSYiK
zARuvJkR?t)caL(qvl_5uyIkGo7Bu(j(*D!Ugrr(O&+sX(LE)uG&OFVsdGo;$2Xb^%
zym`sfACa0W<R|;Nj$F9^bO#^n9QSW`o(_t@HOG#9$Fe)^=-{u8Ro9PHmy9l2j+sQv
zhg~nOr)Br%X123(@44jRh7T`LAfVt^8DF~VWK$U#%U_*VbY}f)8HaqVkQ|-8H0w@y
zH6EiZVg2G4rBe~HZsL$-^x867@7{4)ck}E5jg6@xJ@)(Xis*@<6<CvF55Z(8XML()
zwGMZss;%R#NDFRsD#laph|QZ;aAQ3^-7roQ8J5~yGiLbHhBJY97_jGY2e+2pY&XKL
znbzODxqt5EM;Y0l0Vs%z&A~n~eZ@;r{ujdCiZ34!8?%*PCVIBX7?ns5DCd3E4@=Ri
z@{`_u_nKQ?C6mUxnN#2P?KnKnGLD+>32+Y@fp28+DNNB3Yb!zN-V)bPBZkp<o;|fQ
zHLYPfzM|dZopQWyyGg@c&+c50Fvlb3#VG2T(PuE&aq%sUPyf16)-{DW(h;I{d}tre
zqsdpps+EE5a#mO)ve&S48(DWOQAtL>-g%)l&(9nWcNM*4l-K55xgV>O>~Ph$Zwkk!
zFBy>7%r@t9E;tvTi0|C~%jzq%@r`%2=;C<ItLQ}h<UQ37lN+wUz{WNTgu&`NeYwt`
z<;=j&jh6#-)@vV#1BaIFH$8B6QhbSdz_nBrP)ONBOwdIv%eED0)4--{rDX}N#QG}^
zu^(CWsi;`6cf+CPpZKTi(1c2;D06H8a;a%i#yYqjTav{euEK4gd;DYXZN)dY+2`Dm
zuqtuEObjbsHg&-CY-cJm@UB_|O^C;U;kp58I7cC`<7A+DdE_AN3}~_RV0)jwxXF@3
z3-Pf%W+47FIGZ1XSAr`tYjLlg!s()`315ppocR==CipFB)Ew)X=hLSiGaGH*W5&|#
z0)k#5uPxXwx2>=oAR+3Y=HF(gS$rwlZvD_mXZeS<>`6w5PPoJm4liHKZ}<D|t`Cvf
zZgecY&5V9YZhm*?H;6AX&n#KN>#Ifi+wqok`Q}*S31ud*wZZbq#^rCWyBSValG4Mz
zbMVgdW|+xug2;xXo@`yB-a2ZX-ScGa2oqT!JJpl*QTF;H?~ux&Ta<r$elUl<=@_(C
zwsPx_CrhS#Hi%ELi_SSaG4PP2aH(`bu1}VSCB6_Uv%;Py&T>bf)0z~`7>$XiYHcFY
z&&qmqd+?RCWzgA1Xnw}_mYBT3;|ohJ3J*5u>Ew-Oc3+<_MlEtGBQFQhPrN!?;JOzF
zcI?GnhR$D|c~I^a{6N6XEb~Lz1(s1((_iFwPTcj|f^sM>RJz_LBYDgJ8o~wcXJ~fz
zs<4ia(xVd#N3;X7y8MPi!&3DC@u^R<Aa>QU-l^u4wJl$T;~%oZRONO{XQ<nZY!XWT
zKDWfzQ+?f`L@E%lsO;?|82!EX?U;s)L*A`b@v;}*wS>0+)2n6YdAieC^!-)m3WDak
zGE!!Y3h$xh_m%?8sm!Idi?(~c*j2+WCh29H`zLL?7TBXKci#5vsA&&4jf~svHtOP7
zF{X+=y?7WEN`KhC>83Q#oiGi1G@t(43x{NWm4PLd+log9t^RXNRQA5u2U~+YzPyP*
zZEP~ruqpNPREuex&?EeM^?-YPY-&+X_AAav-@{Tq;x_g?Z>{OGTNv{FkJiF*-2Uq4
zUd*CQCHgiC>|<-kp$h)nHyz~b+-nK1Vf)_0{b2*Ge_S+)ztC^chbU*)rZp8De;DGq
z#_<lS#tP5I#YLy)?^tu=b90k}OP!*{4LlXE9}aPdI-9pjak@*-9RJvLcnEJPM1-aH
zcH7__)S?j7iW|mjE_$b&F&1(8ZE?S?32bprOlzCHx|&McIT!r9cBn2*S7bu+T8ff;
zSuytb^m8v%nNxb5j=l!|Fxy`})JRgL?hAZeN1FZ9%UJbQn(jXkv^Ke@nQizg3*Nra
zT>lKa#;EsK)?N52pc0DBXMBIb*PFg0Vn4j{6|^??4Z@a|GZlJTc_x|`g>H(s>ez!y
zcUsJ3S#5HW+S4V#b$Xt)kUL@3$O^}9X1&K`M0@yS@@c?~E71Pldn`vTeQiX?`|g07
z`ds-VEoZE<C=suIMmWV@++4(<9-^vx`JnhqU!=Xb8lg2`4IUA9b0BKwl<qZ%@1vqb
z`=<$)V6fV`mTjlwQmb+?8FXyu_ibTLLvcd1Q|~^g;&1jAa#P~ndfv<|?Ao$5N8J)J
z{Ama~kRf?vU8i&_b8-t<yOP%$sMi8ELJOF^4i<Z9wyQISxuUW^P2Tan+rJGKXuj_B
zw4euj%K0^aW<{Qhy8aP8m_~ORHN^E(6dKq2EwG828PjXc02J=n0n|iKd~`e0!a@)x
z)#PTr^jSm3q_{mjTf47XD~ss}c1!!?qN?jn1y@{7+kme}Y6z=v{T+rZYjnVMo=|)_
zJW@^60^}$vQb3bHx{Y3yilu<Anw}RbD&n$cU@PVF2#>_wYjEc|LtTKv+7?nM<`hVW
zGx$@F7rXgRbAtZH0)a`~E6SP7M40ujZJ3(0x5J(-oyQ-({~r4hw8v*i@(J;5_zwHZ
zIIoh;s-}jT94FW%D-T2ZHdTSkE7JwnKO(XF7i#4o>q#}sm0tjvOIlpNmiwjtBziQv
zK~g!qhU9`c|2L>AE5P2nxxZ0qiouKW8#X873LLNYi)cojgB2Ltb_yrLD;!X$MQsN{
z&1;MAr5#5Qx|EaSWl6>4Yp6MBYd5ixOXyVk37E{0eHAzd#44Xnhfr;a%RXM!Y_aqE
z)SWig@-ASs7-$ZW<-{LaKRGJ;P{mW5r~~(&{)nv$D+JqqnTa~E^4VMDFU94a8u*c&
zk{)h#O$Btb<X$%0unYD2##tv<z633pwu1?6DE)BWj>tQwP)*Z*r}&va#KehjByEei
zu?ZJa)Hs2`at|wQ6M|>Ct}1TE!-_#l-gt1LGj`L{*SIF8{T)>jMA^DBi=9>Z9hyHL
zNH<B(C3QcMNw8u@^3L5ut`}OntSfiK?de7<HLm=!NfX@zt@@)>GvDZ#^!3i&ZiSb(
zEgBDps|%`iN%S2@O7y5y&&!29lZWr=Kva|yYktO6D%2h<$YipC{K(YlY4komIlHnr
zw^n|ey5<yIG!P{5EDGe@kNW1~@sB)fN0W{c)Q~Y19qh3MS993Z_NDY-ucm0GNj9Gz
z(+8J^WydG!(O!{M{yp<{f0%Ev(;QDIF>SjnVS`kxs+-2vz~IfEf2wG?QhC^&Rn;4%
zvJY<JN9&gGDbkQPp?W7^`nT*llziOe#U~H6STdymI{NHm>&MPnKA^vF>&xo>qzvrE
zkT{dc+Qwf`-^mXR)z<ZI;zA$Cp#&3hO%;;Z3$hLt#GDX|RTiY>h+73ZldMv#fXEP>
z$0Q%bZbnA_xd=4{in3Y=BMpzp${cy&z%;k&8&nUrdK5xdeDZ=X<mRX%OHCcQyqt!q
zh^U!572n;hL9?>|Vs)+IKJ5XJhfN#qpjnfh@xf7}K~F}xHIxC2><5g{6pDAZmJh%&
z8`Y*_fy<+_&rzGq0XsTY-?{r+3;nZ0I}ia`xP@wwqq<R6ZOk|dacSj{yi2$N#VuMm
zgfeFIu6{U=9~)LHdz7&>Myw@5qV{_PDUS-KV*|^Xswb7tm)1T&`3u<sNg4m-dY0q}
zZ7sgu3%5TN!h3Z;TSV1&R9E)(u|AOgT&!<N1;DdkNfFV>?&0T_X-Yt^gk<!3z*-pI
zvXSpKFM1V)(4$qRWlZFZoi2j9Ei@y;I@SYD9a_2A1SL93S9lyX?OwyNFQi*Q{zAeS
zP0L6OTX@yldR`Q7c-Hn}(h+U3<c|b{I!!@7cu?{08cp2FKWQ_tD-*5vc`T{!2gN-%
z^X2h5d$47>sJzhpQ@PlhqgG-qs^eiOBgDSm**7$0aPwiGCt1*z)b}x0AistM7i{$v
z(6rXsTGP%K6eY-%q=IhXPeyx1XenA=!uA$7<8JZ)Z`##OK_3aKty*$Mz1KP><JOKt
z`1!=7lIbMrQ0FCKpvgY4*LQ}scF`@*OhsT}yU}w|BUY8F(0JlHlV?m#u`(yHr<D&Y
z9upN8KWc%BWr51YMAS)NJRZ}Fa{$k|VfZdmMQ{3DXe**$>W^&<D)AR-F-9X{D(~)5
zXK91P-2ivBHiKCWuo*N&-pM>1p+ZB2H+!LaY=i0nF(V7tpZb0^TnRDOLJ9VQRAX2_
zwMOHJluQ)2bQ#Y_H`Tbtbk;Pni<E^*Y`0l`f{rqih~ZP9x1=Y>W;PG=l^FmUI)@0G
zMfyy@!gPyK7%}D?GNYnl8lG|K(Cg_qsi4LqMSX<|)rE4!dtbS>GwTSFoq~7SBO+Yw
zI<VrysP+DTtZQ8m*#{vpXg~b<DJGktwt5By6kk-RNPxgao2bS@hp5ML$7_#^LWTv+
z9FiFux!Tpv3|Eap4J8`ILXP{FH_tv_Ty$)~4kvYuUoUf04Pp{o)c3EuotqI9L1QC}
z>MQp8Ml|!WkzSfu3(JmH9mDfj9Y6M-GnQDaL*qKGRxvS^8e^X2N$WS<grp$X`1S(`
z!Nkv99zER<_{rNDP%RXR!Pt&}Z@SXPGyg!{g(ErTT!8k7w1NeJRBx|mG4m2xRe`lr
z)$Y_S0c{|iWtJ3-nb?H2)I<!gZQ%Ov*7C!9pr)ugqX~FramSg0&~|3r4m4+NNCb9s
zYJ-{%ZVW8;{%+^obLK!_$HwH3w2vea=i4(s`%ybPaTGQe#@%ck^b1}4iH8y{LC7=T
z)8$vRxn<hu(uk+-uxUm57T}1#%IJ0NFT<k7O?3?KJ*9D2wNh|N+P0=~m-~EQBB1P>
zw(Qlo6F~!Ie~9>C)*akQ-7V}2%FoZ3_{ia_u0s8)efnK)<<zHZY&(uxiSGZ9qxT-p
zKnIsqO``DwHT3}4JhtKzDTq(o^CIieko`!I6%wd>_cSfEzg>sV%}0Af^%9I5=KnAu
zVLq!<tylJ{3nPOCt!`;M$0np>Q?sWFDn9U2^3d`8tYByxecgh(pE`<!?A}D>&>hi$
zQWv*kqx4@Mx2Ysds@^XG3cMp$D@JxFOGEQ%?PKBP=cO4KjDzoC;eN!d)qW@aSHkNi
zN_)NsRfI<LscUJWx*yL9W-6n)jGQVtLHE<r)zrL$&w$D29#c&IQOTUI^!wtQA9}2Q
zC1#~<a&pix|DJ_yINOqiiG-En*3WWYGC|!E)>sZ5%%G(%DzI9DEAw<wL@lgq`40M>
zeB5~E@J0H3f%@}$J2*nDXzwMS200m<R>;b?$nuc2Jk?Azj0j0?(j8n<U_xscDX&tf
z+fumhME9p`aq#`#%QJ$k9HZB!bU*Wy&LbkyzQ_n<4|sSijDHBH{6Ad8P`A_1`6Vym
z^ii1<-9|k>Jjv6mV?CJ%tO5Q$V;RIqQ88}z%XXJ|vcsywMX2|gAdocQ8ilOik_j0u
zbqBj!X>^%m!h*PSFZaA~C)w|%D5&O6_XC+9h=dj%Ph&M?nR2h+%A)0crhThHsYE){
z<vnrXqP?AbeEOemf{-aIjxf|3<hn!9Qm~-SX<-IKxO9wP(>kRp_tyK^uIIK<et|6~
z{0L(gjfcuHx{pADQOJJ7pTM+XqU(?TmRIo)ncl@A0}ijLW^Hz|ILb*JJI)1fT2%Hl
zj&!trvqG!;?RQLF+Zmf0@*QR?hHrMGyGWZBHIy2g<-wC}92@uEtRxSM2`hjJS;y2N
zbK@Shx~pH1ucE*ue6Rg3cmKRs6-|8ihDNnbRY9;HoD}h@@5+NOD>q`vaAQ`)#6y8)
zhk`uOMkXl}9#RW8&89UXMbmtj>HJfFKN%)FV?CmN)mq#~Zztas7sVWP_!m#-+07>x
z4Gm&r1#7Tbwm{v1i!G7GSI1=Zy8IISAtwHz<O+4Ri49vfivwQJ#xHi-yGjsD+8a#$
zgNK93e=%taAVcY(TO^X>JOx|}y-rS#JV?=KE2U%3=}~c}<S(dv^kdeUpR-6Jz%hrw
zV<;&=tX~^)9j#|h8e|RlGtsA`PY-UCX4mQJ@;>?OjXlpIB-aF(H$gqE*cp(2H3-Wl
z#3^hNV#^Ob(YPrHpBqirsjSvZWnDj3HOtEa8{;Fg3&N`6=Y^6}fcjuC-fgD-Sovbl
z&}>+5pc-6pqfHCec*rzN{b33V)ES&XzLFIu4MtT#GCmX>jn4u00{((ngGpjx`td}%
zj8FuwXpg5eFHEQ)$={BL9yY$MxhqJF(-VW{GNFUi5Hu;UftCU?@hO-ogNy}Qw?W2r
zIdMhSB+-`1P6^C~YL9Jp!I`J<x+T0${tnLw$bwOpvVZ5*1^cadNc0(V@Zrldp-Mz)
zJ}!wnv;n8fC<@XvN%{19&YH76H9nZx8z$fzp#gCcJV|`7tz}LS@ug@xeViFVj&n;B
zZH)Sj>C->kox3ma#o3NP*=KYt6Of8$_)8jB1DQBvAKofILFK@tB_bwj<(|rC@JAJr
z8c2sI`c`DGLPlAc_zQysCRHFtS*iD8ILBtuLWHL$S+>VBn@-B$b#{pt4vVAzn8<gZ
z)r`SJ*$<<B^Vb4iCDs6EVIZG1$`Z5j(}<)U#iQpKQ~MnPCLHdSh8PqAC&;Cq^iRDb
zh)Jr1Qjp?OMRF=5(MzEy_)UXQ*FfMoq`#(@C$4p$JD%+XV@8L3I?TkmH6Sb8cjS}@
z%8Vhd7a$fvCHHvRDrIpfVm5$YCLIPPuo7kjG*>Y)7Wf99`AW0t5ZoP3)N{ni`;T=#
z9y>rW(<Vx7xvMCvz&`+!@tC5|Ufs*Wt|!s0WWVT^!*2>}ZZmg<XkuEQqb`Ml$DfVO
zA3uQ%D2flPpmP*769F((QuCU%73_Dn_saz@o@|R8^iIMNZ}wt&5k4O18A#LqlqTmL
zGUj@Zz_f<#wlInQZAAmaEHpp)(m|MzgdE#|`>ye4n=KK$B}OH?blTA{k^x#-aMIPb
z@jq(@TOUqe+Mc~E@s~Wh8vs5^uFMR(!(Juq{=wqBln1WO)d=pHsQu}-)XKH{hl=<C
zdx_Di3uSE$NrL3a^i%a8*bX_XnZc!q!|C~LAP8X$m(e&VK*9cV)nDh#ZhqYwUyU?i
z>*W4;<bcJ9depq@nW`=y<{tYjE=YxIPw8sLqNFJJsocu-t9h3O(s&k6re64bDW~>r
znO1Z@Z_=Xr+n1btdy=6;mk#eS<Ir`6kyzld{?kb=E=R3oJ<YZ0SO4qOR@W})FRzAU
z+nJ`v^K){KJoo^Rb)ZDj7Iw(!)wFsh><P{x?it@k4fReHk^&$1*fjgOhmg>*hd)pO
z;rrsu@*Ohgt3LnK<!Hhf8udzEz(O<efg&Hqx>Ogkx&9#ul-3rX787xPgiqmx#IJ(N
zo{500+~HdrHoBVCPrEUyxqBnvyFBPx*yy^mcz7r1idrly1lNAmu?-zFhP7<*b}BMg
zM%pj-^Rc|O%a2j4jdjUsWF{qtFf@SYRJupK<?jt^YsXQw)F_~0U+Q;aE{m+i9V$Gy
zHFP4k#=+V_Qhm~31pPg+YkAQx;X55f9x|Kn<>X>OfdlXU{DE8eCmRNbcDCpb;3x)+
z6LXEYrzMZN-Kp&q*vtLT^R_1n$|4GcA{>dw#s*@t1Ssy7ZCN*bWkXw|Ak~M23Z!hy
zkU!`Jl$BWDSWIDrbQ|d$WC_SlVoodO|HVXe7WnP)0jB@iQ3l>U_(*;OtzxI{{I{ND
zR#qB;6aFMY`iTWN<9f}=q7dB2n)|aa?k4|-c*+8!W;1w4!}zJsyJvss*(pl>QV*}W
zzSo^j{#^F1&v!)0^|~Yl6O`MX1HzvT3I0utLt%5ci*`k1IK;XGx+oEL5*3z%hd*Wr
zCG|jwm^0^O{po`X8+!(MAnI+F87PZ?txNLzj$;Z<J==am%E*6Q$`F_44;$=6keXNL
zNy!VX1l1Igw%n&Z$6fN@1%qVM7LE@7L1*Qn3B~x){h=kZ#b5@aYwyS2IfV@#4Utbj
z{<Ag3qa=8C`Tj--LKgn5_{L+TyeG699{s87S3!?gVD*jl*RCU~bz(BSO7QN+QYlGw
zVVKYxne`osT5V$W$OcMtT*v7@pvDfQaWApw4g1nh7<}L+&3FCa-<IlIdTMmV;KWvD
zin6h(BI9p<SG@;@s;jc?fcUoGq!giL88Ge0e=O{E2>*q_(msbNEI#VMy6<jQpGx)=
zpKdhE{_~lq2XmBTGnPCb29p2Ddk>NxoW7F=o-D5COKvS&Hgyj2^>m4B@PF8?!B&0d
z!FJnC=E7p%CCl3zF4u@t!8y;V%<+!6QUc;q7whq<G?iq0NXq2(c>@ogelY5eN7XWx
zp6YA?Fz749AtT@w9zm<Fy>TbgA2jEQLanukFJtT^*-cwhkpDj}xl_GTyL|zaqfv~#
zoO2QhbN1D-CqJFnFbMkyM+}=U=ruTmCAI@@otAJDkZtS05!kJmDW{AneH>c2bg+NP
zer#$SKuSIH{KTgRPx3KxEM?Em|HV6`unKf;219+ez~SU4iE|M7i<~`d6W7$2PbE)J
z*r>xJAFn#Lan|`95!MNI)u`s+{#b!b9ZMT6GA%tIIxS`si>;p)cv9!KK0GVTHnqwF
z_zMbkL;>wEJ=qH1xI)d+4MlRN{H^>tS_;gXC|ZtD5^Ti0onYKs$7V&x^6S;BZ~}8x
zlQN*)o_`!(MZ-EUSEREliE5AuS^#9NwI(fc0-dWmcEl_ICG7qV_*u6%WGpW4lMxSF
z=J4ob0-}M;aom%^Cb3rZs<!)(Cdp~$IVVh@;a<j%?8~^O?q(bdN2k51Y8zd0oB@f!
z<=*Gme6$JxYY_~IANmAQSi`cBL?h?vO$~N5?|eu~a>AQqv!ximh|rdKhBM<dA#M<g
z-M5EV2_<RJVXp@_%85}iwUgpav|HE_iSW#pbr%^=(}E)oXzPlPJCg-&YH^kmR~No<
z7@{u=FY*kcqhYB!-T8sjPVnQi1m3jQ{DA&l&Kr1Cz0w*0%z@e$*CuIF;baW0Y?||t
zY;nVX8C*$>o@vTntd$i7N<=(vD^4UTUCGgK-`nG{DCFF&eP6!yt-c1kJ8SGnY(DDw
zZJh(tG_4dzTg*~iPCVI;4B8=simc`H!HSVG?rf@;n{F<xK3)ug+a@*ET&F++C9dH|
zTC{w4+7~TfKHs16-Vay>;OLzDHg67#?7FW3HU7|e6*xssVkBNWM=8c8Z4yfrL+~P2
zQN~)NydH27vA}|iV)D4e$_7g{xNYZ<`Y;VO68#WMh2x+I5HTnUbAuR#xt{&BD8(x3
zfcT_f+W>V}Z83RZ1Am0De@OPNyh|aR5$6NI>+c3Lfo|(a+y~Ys`Utft<(S}<s$lZZ
z!?PuI?QfyuCfXk`CzC}Ef2n#J$Y#{gJ|-XDh_0D?k~?tmHz_&tCE8P>6-jy(NjSRC
zcHOEZVS+Xz+zoC$Tt&Ap)8nMA7)5jY9mI3HRId{04WWk*Yy-xa;}C%L&OO58E!c_@
z@@BV_pB&#OC{w<f{^Rl&dV)2pP2iZ3zAxaKe|`A{Z(+wV-CPc<NsCT2lo5}zuY`R=
z^|I<%03M@Z_zo5~wNa!m?9e{;^rv*E<KGG^bKhVzO_#=ZBUU{BrrUzmnlN$HV$YJ2
zUW7oVTdV+Z%L}H69`rS`s!96VZl8aW8h=6h+9~UVa#Xidz!qH%ksZ4#nqL&7<PzH4
z_B_w|&dR?L2@-KAo4e`cU`Sc3JBHL(j<5fb!BPmwLRTVa<HW2!JhyX_NUxqiQBj<=
z#NJL5p!p6;x(%ZCa1rm<=J7b-Mi<Ujb;go>c*%{b>kBMomy3ePwPs%*Cy?f&xX;}0
zzb!Uu-C%@=V`ynz7MyntY>ZN;p&fO=d|dvIHcXWN4^%Jy13uaEGwum5OJx2W!Pf8E
zH+U4|&I-HUW7DWw3LH^SHii&-^wb1ZB)RRl(%ikh@BC5g1c0!`DlB^79aXNAZ`o=0
zWsMUB0MwE<t#N1RAIeiPim}C+#m`U8o4lv9um_oQ4*ur2n<*e$tg%mQw@4cNP2g%f
zY#6Z?4|Ke3i6Ajxs?Pl7gGuS78@V9i7T~RJ11M$9_30i}-2-nUW$r}uP;ZuW?owar
zju5ZmjR!fps`PUt!mumP7D?L*q!~*W+4|(|iEs5cfiq-jd_Z*2GbGlrZkg~gILBen
z{e5^54aP}+YVNHz@@pspY=0-JU(<OoVA=Ux2r9k3RCnNVQQ3xLH_H>x5QaGZMEzf<
zy^#cZ9dNGdwgIjQHg+ul(E|#(rToYqfFL*Nlym?}0C&$)P_E<Y_CpVyN{|ZKE;*E}
zCdT;{DR&LbrNC-dnTL{WKzR0&zfTXlqZp2FnQA&jJmZZy9*>H~W9F!|xAgz8Bgl@<
zOMdvvI#y1wyt-)GL<`>2Pyg&WV(OVs5qX_EqBL~*=Lh{?K=@PPYNwu5v}#f^(j799
zj52l9@}7^!r6O)`;!G2(Z1Gi;5t8>wH5+9^B>J@jR(p~kG3o%Yj3U~1L;AH{`-`7*
zveCU#B0dH>Ki`t<Io3vS`TL3nMaa2K#nHdyEUCo~wD~}8h<$sClX074?mBrdwhpgL
zm7XH94RYKS!;fMq(qY)^)}bq|GfFFul~b2o9tWOC#>3T((<h+(_vm@ZHDP?lm)}gc
zL8MOLr=Pm|nF~bi61SyTD!N8~=1DQD8Y*6750P-0k?oh2MJy;NsDUS=$C!}kQYm0j
z%1+#RuA~i{yhQ~0NEcXrMVkxx-Z4#E@^_i)u<}oNL*hUNRao&XUbmy0S)?NWT`I4;
zad_tFLo$WwR<_*7|BPHooI(gU0?9HTcn6`0u<!Asc`pZSbWU2*uO{H^rZISrjZzFv
z$O!E2$LBQnN%cHqmD2Lb&`HnAaPp#N92+_&gHw4~lmb14>H4r9mm(ykGYSzlb?%Qt
zj|Kcf#5Cp%C7U&XB^ai}yqf?fg@J>dy!6?s_XSLfdku=P<#Y4Zb{+52>}=9ty$5jf
z;HXa1hj*G9a26u|?QiFPaNPr{6>Wsaf7rkR1Z?zE9(f@&BQY9f2%a*o?#nJ+lMANw
zQB~#SzERa(6?$!OcSkEB|9r_q;@;>!{yZF5@GHxOgsj+AQ8Qjh_)CN9hm%pap9p{4
zqst%#4kmN{xzE=<T=Q@gt83eiOLb|ZoY*CE_@4=WeCc)y_6N(`L%5bsDn`Ez@N<}`
zlxirJG9_!8ne&El9IddpoL)CGvvq9WQ;`&Ob!tQ{Hvz+7Wp|&Pq}<=WM4X<_8J>X2
z72DC~Da(rIjV^}sK_e{}WBxC4q_!*pL^2%eG<&k&S!N-uZ^*cF{z%yNIkT5_Tt8>j
zkXVs*pVQAEsexDfnlQ&!k|kOxGof#QcE-Xw2(XN8?%l6D54I`!yH6v+nsN|3QawEv
zQtr&{>UD14PQSb>j+L9^?oD%3e{$}9VZm&bUD1iTX!G)qaPe?pT1R|G+VCOdZBzDo
zNkNi46;7G{CLVaS6~+PRq<4vt?DFoJp8sw5G|EKGchDA%tng=#51;QDYnSM9a~KoY
zF&GREZ7uaf<7JlXBL*r~tH#`0k+Wu0wHcMM>}J}^zL+vgPMfAK383f{e701s2Gtg(
zXYrju|7XzRiE6@zp&lI}9GlGkTil3<1T(}K<Co7cP%s`5)1Yw;Ol->%VA<w?9mtw_
zI^nXKdOW`?U2$T?eRyOU?WnZcN$mq3?J95*n3%CU6S=<UrN3E!bJVl`NRf(q>v5GP
zGh#A33!;#<LM(DQAq^LuCgT>UT>ZmNrqt9cbiGj@q~b{*oXbPhvXWW^RQAiuNz)MB
zpz`LL162qG+fj%2$97~^ZHV^!`i0uJX`TFFK3hB}Zy{lT*7HBhLXW7#@k^0iHHL6u
zyVhGyM7jFQjMyggN9rL&lM(?=(ABEG!N@l3hGhC?GCP~m7<*4-OF>@-6sm#Ev5p>y
zha;bzM*m4H)%ZA>vG4qe7o-3$xNg`08rrH6RT%y;7fw{9w>AD@=0`chG?q^aFd#TY
zz7q_LIg!tw-MK(G6Ew$J>$W_&i(S<tc0|Ts&*DfdvvAm;2xRWy9W@OcHKl>^8z9Tt
z>7M~U-7#&ES&6zoZ;>;y4nR@l4<PrADm_~BOAtE-;dvLC?zCwQHdX%CyFqJXqy89p
zftj_M#+!_ll3E)gmYl45=C*`zGrV<9X4?@ft!D>R<|-l#CTupd1W1g&r#Ci;3^_7#
z!<j8ehu>5BYRH|<W&z-Pr2zt63&#YSylU=mlK;g)V&&?kuJlF?%?K-iIXh$+cV}x%
zIpDCdSz=jUm}nu_ShEk`KpY`V>)Kl1fGkG93&PHzq-W;~|GnB3GyZ&7$Xj%0|E;xv
z1#|MtgNLThZ%2c?RQ`9k(*YhB@nXjJ33nrnR4`~-hxOEVrD<rA3p74*9?cMPRQCNl
zF}w|n;{5uO@&ZlHC&y4*N^`$3;MzqKZ|`IOxkP{inS>LGyev(Bc{`8@YkbBqOGnrc
zX5D8x)}fvf%^;C968>rM@>##ey)W;W*NnSs;RX^DL8H##a~q)GEafj9{f{AvJVL^2
zd?7(w+z+jAj3MxQRP^PG^h5ER2mVmQhQjx%X!x;*@b#rzG4<n%7iSY+CHxV2MQaOl
zK3XILk0i`E<_9S=)j8>2Jo!Enm0u~p8oZjB&L@bhnRN+~%&&r`Vq%W_;(Pao?h_`S
zYTE1IoA(?>mz?tWj=}^Q3&a07FL{;WcE~JZPh(i>tA7dp5Z;jp^BD7(w1>>Q^YZgk
zR&XI>q5va-x1Vc_Ns~5w*6`em#=H=XMb{68^`3-i3`+ZHy88f`=Y)+2_GG>qa;1c2
z`*!Mj7>>v1%+J@TAryvm?2(^IcrY5yYp9vD<VGB~v3Q;)2R`BB2%FO|`oyDWxcjk&
zC{DM{4pm{!hmmQ#iY@)mHgLO9G96nnnY@xrXelM@O`U_b^02$Dz#+YS3fo?czczqQ
z(@9<5M6;QyZ9Gas?#(Mh_H22&l11C|yNPCwVY&4Or$G17v9|yMp9y>&<J8?rWuQ7@
zWC2_S7wu6RSs@mI4#94s7_KUF;sk(szQu$<L1_tQ1?JP_{Eb(b$5gBmWrrbX;15Qt
zwvO$Xx01!RBAK2qQS$Q+eaVz=GfGWgLk?Nu>ND8a08E1Z6-WzlGtfdSJrX_2F;Dwl
za_DuMnz&BEzv2~OloDGxvDH8OZQ~S}3;$6hYN69Gd_mhgXIJ+(7JZJkoTC<|HuH{V
zjXW6haem&gb+G0M8<(eE$c~0k(6ezbEPZ48kUiXkuqP$O8>0{1xqdVA<@R8!E$?;q
zufUOo<C(k@F5SACp~08Wj}z>7(@Z(zgBg(VWM&3box44V{_z5vC%z@@3BEgEf6d0+
z_VPpkjJnADuJTp8gT4H&f|m#89^M_4auk?x=U^v{8h7fpZ@Cg>jhuU7z4Vv;37N3F
zz5g5k9`wnFnA2Z=d}uPDf%#X%Taw+scyV>~sFn-xBAb^KV0p<dTLD%AKG`VppctJZ
zVO*%s&n{CodDHtpoHcyIYvFxr%!TESmxH?uF<1U|TRhqsZLL$5dChT+fhC3<dw=Zs
zQKvd!J~5u<k+gaTals5I3q~UyLSLiF3XF_DeYB`-^QVLlA!Y!Zco$!>XU-!W^@Qaq
zL(SQYxbZv)#a8Qn`!drU$M+u_YF7EysatZ1WKRZL@9Bbp-L2G346S}1|KqUpmm*2=
zr&R*7vSyF!)|VpzHM95_pd6q7j%#56JR{oY{)FcGH$Z)mm<b2kktjSeh|hXYIP>5@
zUGi4KMAGQ$Hpg3UWM-!o#IFE;s;!C92yLc?1%D_q8kqu0NkRwuH;U%s9N>Y9vx&QH
zlh+7B!UX>{t~Ieo{hv%-IcVm&F;8f8rlzBkZh-nAYtyI)5sVjQ@~{zUtWmhw>%8^^
z7w&Cof<c+a_jY`wPj3puxLv1yY^zKImG3VEn#oaYel0vM)CULOhK~m*re6_(zBemx
zyn?{=s2lyjgnWt}WJ;dI<y^ClJ@guE`ZsVusj5fODR?M4$j?DwUuU<>4Y$Xn=6cFL
zCv1SrgA?V9HS-SnS#hD$pH@^jkqfzJH(;FkbJg%Idf7?v#E?J8zL~NUO`(MM@yJzV
z!n!|oz^<%p6)*}x0P_i|xG{2XEqHyR`H=rXsv>}W)wH9(@HdIuboLGDOLG1<i6>go
zL1GMg+?J@Pd`?pa`uHQQk_i)@DP82&*-KbwG0D85{~Bv>D*Pqzgmg~!bm1J-p?PgF
zxlq`G#e_ZxYnB~oCmqEPdjqUvmUFBQ9EjnYPcr~&$xbXlGC${i6Af)~!f%+55Kw*|
z2>KYNet?RwEg^~m(X?df6MME;bQuctu0z9*h#0e{p>1Qoi=^bDIMpBJ*mJ`$C%0t%
z=sq?BKK3i0<hJaA^op=-vFViN(*1sz#XC0a+)p+qWBQ#Uf~|CRnw`hU{~-fPGIFnU
zodRP^mnb{EGi5%LU~f3h66O4FeC8wpTTThTxvmT59mIJR47&oQ6iqWFIq+%|j)NhT
z@VH-hCyNFM`HFMnEoZFFE9-!7P3i9V{Tno{e6<%qAk9BLt4qdE`LVfqi$fOow=)x(
z%*n++e0iR&Ogjz21S*_$%@qg4`E##g+o14jGFAUROh#u5#_kZcO<*E0yxi*O2Yj2Y
zO@_etJ$RQyiUibl-*TrljO&!zJdc==SgFP~1(k3(M$^=eBf#zeAb1>^OA0{5DA%U<
zs$Mv2VG{ocz!r=94bFL+k!3r;*W2>)Y8wstqT<X$5rNZ?9%Ln};Ia{%dHxqBNv{C;
zR%rDD01Du~VO&E2w~Nz^#O9m?R}03kl%H>b331)JF9q_4(e3M!nN0{Uj<U)x&^zt0
zLBh$;=o}}t$F6wm8L)M1n9?(GtaTtp`%dfxygRXZ@d{u}O<f9@=a4@?y_de~ZTtZ^
zAv&jgbF>4XM1e#|b5?j4V%#Z=#uDVSmHpe%e4(j7YL(N1i#IW{cT8=uk`Kew9dcX_
zb}5j+M|`Zxm!sx`2|s^3N68SzS;l^O+lexj?$>|=$u=MuTb{sR9(z0BWpvC-7pZ&H
zn`j`?m<fPK4-QUGiuZ~jtYUn3aSQ=fVr7WVs0asHR?atmG28<(6E2m1!oUb#lOY1%
z!PQ<KpCt`p<1OdSz@D=$lq^QU1TePpirXN6&Iv(79E}D7LbFLjwxI%RgdZa@A?X&$
zsA5D=z>E5dFUN@*tZt@$1|D<tyEM$hH)V8AVDZX0igSWZx|8OuH`m`MGKyfz<mIy7
zO84DDX^+*~k&`h9SpyQZ6o-f^n<1$ec!T=M2Pu)!EpuF|ZJo={FwQB1x~8%JWRMu~
z;~29=MGG2La^`dmvbmp<^}1gpPKSmT1I{O#H3Iww7YO`r>|6n?8b$96Z(AFhXmiI%
zQt+k+L>m<eDayV&9~oy1^H>vq@@Uj0VPYH*(39Th_Uc?*q1goP&<e)2G{uJTo%`+?
zRj1q%vH<a-Kl1ti48PF_%a1bFK5YPf=U^CxD#;1|xN8bJK}~t0@(aw4maD~h3l?T@
z-EAnR0?9bJp4dT5=E8Ug$G9@CUz#|AR3F4(*qCQ*BPqjd9BX9P<iF-bu*=h^C3m#t
zlBCS46d2jZlo-dHieD(Fw906=&K8x$f7WJ$lth}*?pKqra8Gd(^ib7oE?v`{hN_bR
zgMxtwxg4oacp22B{zT`M3$&M<vCs|bsuRYLM#b^LDI7bOIe@}bcR~#Wz(}^_gGoHI
z6!Y^$s|3BP9L#d2NpSA0PvknIU=Z}yNdIZj!d#I#frm6iYbkevo_+KB6P8k6*Q6Ru
z7o93WP*0#>6(cJ&e+r7a_GjWG3=Qw9uNay2s4uTUw2IhP<N9RK?XL9YU=<NVNJ@^X
z`)SItA`VA8`(l*8gM<+Q#q~#13>IZ_w26$7U&;^JsR=eg<Oq7TRJaf!KH`pI1FlC&
z<+;#YdgBnhg;?q(B#ml{$<UI7&keIlAg2+S4UqOH{X?&dvLD(kGYG{;N<S&-dO0ha
z1Qhvm=fW~?5*3-ECJwFjmUMA2#tPA70gV-V&*aSe6=^4=HyD9celgQTE{epcwLqCL
zku+<`B3<ae8JmVtZU|dbKmx2B=H}NjXb6ZJsiFyYS{7lEWqedzfN?DJr96_MW26N@
z7m5b7jUq+!!HqdMvS1o{MIKZ{Le=QK2J1w1HWgpOntD0dT8e!UmSI5u?S@vKiqm-T
zA*ee=!nnT!sWM~vq`V0#?dMg>pL{#cJ|@MjROU~m)2<0*sa))fm<?&J?V>2&)0(5R
zHj*b36lL+07Qgpc>@w;f+JBvpJMkyO*cW+Zt{~@5t@RT=HVvJnMwMrHr}&@CsFjfZ
zS<avyWf_r_5g~-vB`?Z*9#%V?RNI2^nu0Sct}sji6`rD79eXa+D$1gVrxRxbNs*j!
zuCQz2WuomIdiS%F{)mT>&t0)6Zf5g7O`1|{`JU)WK!&h!L3!5g@7rJ4$(q9^niXO~
zhkj>;Ho2P5t=BVA5EqXy3dU3%)1SxZk~=v#713j($Ihu?EL@oM%`x@x>jPwz9P!hm
zY;#u*<m_9tyoLshXG%{A<1`o|y;?-QBc;Wdgynink^e-x&*!dL5HGbY44TKTc0XV-
z{peqzdV?Qkl85x-@4yOLqrspVpD>g6!P4G2GvL>Gcj_`qiIGR)j@E<!0!UIiIw2Vb
z%P$Y!2XbWxc%vBT17Nza<47AA)(+jN>n3I^&A*gKjed?3p+E|h3?sT`&;4U@o3ohK
zJSQtPW3SiB>m?J=MQ=c`a=s}B5ou(I#F*NvM>i`FNw9&IRsIE!EmDR<#Wm0lJ~arn
z(SS9vWlAr$%YX>31rX^d;w<H++%2gZ@+HbXC3IPMN=be4UD*Ll{yncOsmo$u=U%5)
zxPsDiv$p|D*x$mKSM+y=>ML%*%ok&5$Z7l0zy0_(Luy;#*A9D>{gZM#3S73;j9~sU
zlBl4_R=E{%4zi45+H^`S<gxcMV!^u+({hB04kq+>T_M{_+Y)ARK`=Y=Je|tL^CSUO
zV<_=R-_oQ~tzvWbJPVJ(n`P0-npB4ERH5m!f{X%#?4?BmY4Id#Zv@x4fn!4rNJ3zs
zg=H_)P&gb4&MxROWdWg<Xk724Kb{&@#I$rvRKDC&SN#ZEFysU7lz@%KVMbn;h*z$N
zSUe1=GF17Q=tXF-3l9*FLFzLs55x@f!|*U~2|elN=Px$W-)V)-4CGI%pHOZ?8D|!9
zR9+HqA@@spWVzG9`(n`FqL9b-NQ068b^o=J#-8s$8wz!{VXGl=w4|&zpT<^(12nRd
zcMxot69431*ZC-wIRpU=Z-5KMIB!UU5_&bR{yDaDbW`wMQWM+SiLh#_(f1m&pSc)A
zE&;Z^-_0YISa*_;$ympbiX$PxD;GnnGlEfj%%H(eMa03K!9`3Jv!n%J3fx9`bS&CY
z!|NPYt^KBtL2IxvSeh71_*N3o@+Kk>1E=Rx<F&V@hh*}5mbChl%bp<O4)-It&R)Mx
zm_`FyoOHd4F`B-3I)Mc~k@pnXmIwqd;GHwe_E@ny_qBjY%gt>Uf3!-0>28L7qCyH5
z0hqK@5eiyV(caTe0eN&Mgu*5sv8N-{g9E$x!B@xkp=8DQIrYWl`U9G;oVj-)4-Kuj
zM&h1{oF(Ng@N6c5v9pnc7j8R%{Rm>P&-<<;gHCOkb4Y`qLVn^Z)w$?1k1){q@i`Ox
zY<4<`)4d|EADXd{;pt*FLR^yphwZdkWTcn1g?H$JC$FNlxWJOdcM;K)f&>sa(RDWw
z@?6?#4ypf5(d~`R4OSrrMuG5T0{!$`h~5I*wyv`XC9cp9Ykz&(REnEL<)3IZP8{{^
z&NYL?ZY;!oyS$Nt(A23_$((8a(K4F9NrhTmYpdPomyFX?cR5puQ!SErx@JkiQl9F%
z_fN%++WcB<q0(D*q%#RxPM0Zg;StqV&EfrRdZPazM76F}NBRGh78i71M0UeP=H>JW
z2=$~dqSGv|>=VssrIfz)OHolKsZcC?h|cTou2Q;|x(?P?LM@^$k%-_(j)fo&`$f11
zD4-HSiU8+r*%fQQ#@gwgKPQg!!^fr?SxBwNWaa!|Dv&GEip6dUTHBsf9hz#?R30{Y
zaImVKTF?n*ENIi9WKYT%8jR!**s7>h=`{R6q!g1S;mGN0mNnPYw;`VsCSxTpNb45$
z4rTU`;>PbLOfNIv8OsU8@ftCulqQhjt3RO(RDE5R(~B82oA};@YmTNy2?_bEK%x{Z
zdO=fN2P*XS@lu~BCGT55NRZ`q2Qb<$Sve)B6)OIL<y)N;WYh7nmsPM?-j~!gpjq!3
zM||9Q&KSa=5U9qVaztAqe0P@t^m>#NCd%qOH4K|a*?z}nErrS_NZX2_1~y)opj3$1
zqQ~N6WTNevYAAOb^+UMC?$O;SP)i55r4#ODbec$6)qtlKef=~0nvLO9Z<XtODYP93
zErg2*JTt^qN(U{n$t>}?D;7Uou(v%nM0matYL}k&Xf&1jSDzxTgM&6)&76-%({t$u
zF<nBSd)DYO18c$Puyh&*=+qFQi-=(ODH*ZoB|!<~EhH^Q{i_?Swe_pw#z>D%)S2Cv
z&|1p$PWowM;AYrpKS+g$CZmDxbSpgAvM$62Qy8yYnK~;)(OuYH(LL<XVpagt)LAT^
zf6h)bDCf264peg^yIQWLhrx6p3H3Gog70Or$0{c>gr`WqCi^Y&x=V^FVY!)c`%4tj
z25HMo4d+@TOG+T#HQ6g^a-Gt)n5tMm=iIG07=oC>TB&Z!l}`zoZNfr6tM*U$)c+v$
zU)WbMqlvuc%<dfWy3ZHbsc>L-eY2t$`vBNtp#)(b`w0@@l?N|roZA>Oh**K>ZU*wk
zzD&|wa7|H{&Zs5x=Jrt^SeNMKpM9jBq*3k9o@;Zuk?m!2hH35i3IAazizBCo=bQR}
zY(Qi`KtHIO=ck+QjYu0rc&OrZxbUrs@V2+6Rqc0Ukw1{}vy#co)qpV12}<eU<UZCE
zYae@xwu27apXX}<`F32BCq@?%p-g|f;oHlSw(L?DiD3r?`(H>O7cezKy>?pG;cw$1
zXQaw%lD`-sfqC$mU@Pl~Pd4K<xMU50A)ckBiMqC!Jul{bv+7aDF&=T;8XI2nveMl|
zkL5~6M=m8+Fb98%GX~6POZS2vdY&kq(g)X@Z#eUSdM$iVLNey_K?%Zp2O&Oz1*G7g
z#L)(mGZH3baNamF3TH#tO8eq;KS0I-UlU#1@4%zXbA>1cVZ+GB4(vTlrDeHqOZnp+
zVgnw$Y~or-=wPstu;C0=mrEa&hrVk{fqI9J&x*q!)PFJt^^03BnWS?Tz)8j&YWZN~
zge_aSCw;7U2M8!!J3flq-Lj9_irF`)n<P)J8&rTY7nyN4byf=5IZX=Ztw^G|CS&0e
z+GrKlh$@)GD>j<Uq5BOc`->n6;2tH!K*>RI1qfT2=b}(CLwiEo);!_ALDkQKs?P=_
zOwso9So{li1bPm0%CV6?xBeW$R^sPin8TP=-^%APMeUFL6hhsbaqy>&mP8rakY(AN
zhofoQB6<K8Oj?p%O+F9e$c8oU_w5*($1IU!?@eOqCiT<glKYTBMQbQ_l^UvcYiAoz
z0HDkro5HB`jTGeSX}LclkWM-`2n^WZ$ASqNjU3(<%8hM^zi!4O>cjyD*>AFq5h|ay
zFmZODz_W1phB=<k$#Es|<%17&624{%C!~W`8XYDkBV?WvPd1o+{kEQ%E|RtlrEx(o
zW?q^6=_ZTNZ0sk+MuNS5Iv=ZRmOMPd7MafDod{(tZy!eptoO+Shj)(cGR&MK*pE^?
zxX|kB<xtu=!~}k#X(ta5g{*R4IgzJ+WkH+pc}cj{0~9FvmO|xQd?4%+aJ;nG!nh5F
z9cgT~$%|eP;O~he-1P?4m2!22!f_P^uM4b2xu5=L@B$d#3vPgp$Bm9P`Pgt^hriDs
zfcL2Gj>jyel<u*qfqu@Eac@HT?_|^?AZ!S13lJ|IFVhB7dRySO1BBd@OS(*H9QV-b
zw;w*6u1qXeW^)lhxfLjK-9Cr$h~>$}bN&x$>{BjDT>jdRF1ceMOOt_pW=r7)zc)T5
zP1|JefEh^9u`NgXXR(^F^~k)5g=h#O0LgF>&H0Oq8ri;-L`xZuzUX!1>K~cD5j#PR
zw5*zA=0>vt%r~IJ+Hh{KefYDEh0NVQs+R@#W*hn2p?As4-t%Sc@URJMmQXkTREkU@
zBNQ1=4&OcWF0c~OlA>O}N-jS@{&l_PvnfmLp_;0o4Si)Sc}q&|d&8cWVvp9_OoBzI
zdZG`S!>P_x#|Dq+!&3K{x_Wgf2li~0Y%mEOSOj+%O?V6-hq&T2vfP~)(c5Rl4h_y`
zIdxo(H~eG$JMUJHo#*>K^=^+1i8%W~8ye=D{-~3Jw*F##B+H~E%b`~n*>f!?_LRPX
z-`4oFb#evJ-@p*blv}^#ke4%vCxF;3lW$;{>?k_H4T2fjSTU;y*fgs1I_?A?wP+l3
zAdPwIH_QfU<^F4<4|yD03A~3e#N6fI&%OxFF6!+p_=d)PJ4@p>*NhNAMfoqt!jg5K
zDjrGQe@kAs=b@9N<7;sCa;I0b!TqOc-F<a2n<$X=V>jhwie9nEn5Q*__#dNmgx8pd
zJ%y;2wopG>mzXiNYAi7`WlGM&jz=w7P8uBFT+&A~5A3grc*K5YgP&wVPgFO(T8M-L
znvkRsYHTB`?e6EQ9O`SxbgoL<wr&&TZZzZ}$(aslP`a)t&T_+KJ~tR)a?0*JZfw9)
zNi>r;nd2axMoPh&sGHELOZePWEC3~AcMZ6g+qLJlcH~-qgiOh_hvfc}&Z|CGMOq0A
zyi+K7smYF%CfS_L3Hnl!BK(C9Ygk|pQ^@>d7a50kn*87hgE};8<#iW9ipqol#C0B%
zw)^J(uuSK8-*&4OPb8*2Bg}&^=xkEYmly6SR^;%Syv3ONB@Ov*b)?h3Hz9r$Em2k_
z%k3wEpi{IGhG}T#rldxuo6vKU>4zvnlr#(N9NX(I1-0o*$2`oQ+~VZxX8uza8hQn~
z@N^pFCAYJlJ3MWvI~RyC>_?^{>9GJgw4Rb8vHh+fp;T7!M9m{I_G=%2gRnD(vJNQq
z6G|X_DWtQ?Bt}qLX%&z5>wxUdWm5-ChnXBb+-2FewDEjgRL{&u7%E1V1WOSm3^gT9
zL{gM6gHq!`-seDK@Gxmgx8XjIwM5kA;imdU<XZxpyJQ9G5*i>sE-UkX{i9sUgPy$J
zmxU*ISsUdeXjO7{^Wl-pIH`uh@GL3xwDhoVkeL2xI+|knpy3*SJ6W+<B)2Jz9c{6B
z{$s~?nvHS*TUnY_mPi-)LrSA5(upY5)t99VB)zOqDF>CtSY|BE7BzG3($;$LQM5Gb
z`?#r_Ig|0uEVbu*&AisWWceO<y_a}SDYT*q4rA&Vl@zaMgIVY|y9KRfV>THUT2`&3
zcasQROdNwU-)wivGL!Rj54xRb8})8$(V|UiYbvw+gBt<Pk>ja0#bH|XqK=xp_|dE-
zx}5-);}No7Yr)hkNR`jd6V-x?afwQq{83TTVfQrYhFC;}B?W3{k{gloMf?ewUG2$=
z_5U!NItD#!4~Fl+WRe@%oqt#>nUy0kRL0WCdYfrPRs_}P%^RS(sBxkjnAoS*;-knX
zp#CoJC$m3T1Ws)qS`>Ny7x+SP8bw)a+)D`1QcyiUFqvMezRKiCMdY8aHIC0Ouwii&
z8=FsP+@r`*!d@bo+Pg-+^v!tgQx3Xm^SEjIyPEYr!}u_g`U{iFeB?(4%KTa6i0a$p
z|0{=Kd>P(ETlN=Zaq{|THC#y`X4$&scEJx6sw-49MjT%$HA5noJ)kK$jY92)fKxs_
zlT_<REE`GgMVjeIsae9NL-;(%FG%DonA4uLae3E$jy2vHG^YPNM8!(7<rig+#Uf4r
zYwVTREENtX99Y5|`HU`-??Lmyjih;zwIj79B-ReDS7VF5sbty1%Bh1+FWfOUb~f@a
zSx0nbQOyf>X8Z<VJ4NOd=5znp0DegWR3EOYu|;8i+=SiRlwW>X!K4c^A~<c`#Gpy{
zmiz*gM=xWuneZCdwlxbO>w9Rla3tfxtB*6vz%^oT<~X?z>3X5N${21$GF1hHQl4|U
ztno;4LFo0d9+o1Dhxsr_P35buL1W>EwQP@RbfCZO9LPl3*jv1}!K8BDihyd`+wNs4
z$%NR?h2||5YR46~RLorNkvOU&w({dvI)x7ln*C-b)vLb&OEMQJuhgcH$KOB>;T8R;
z0QlO(X*;)pu<a|(Vo!+DcTYJFr-J-Y9^5hRL<ns7>zO$#PcyKS5uB^^TWK!jywu8z
zVb8-8-i=agrO&O<wXfIH#+L%+jl*SI`8+20GRpMx5Xjire(y1&8<I9gWfqik_swy7
zq*wGCUfw|L{RCr;TWR#y#&NJRakH*wvaJOgex~?JHdKl)`eO~RpV>1gaX0Ff{*=N^
zRhs-jg|d?`f;pM(Z!?8_5-Edfn(AoGFr(?}gMpKko#LyTshjNeiBV$${8EFz{#C~J
zcWp-x9MSQ<J3uBrSN=Ge(y~NlSzqE69uD7JK45{R_&E{=>cdyIVo$HjhDqAi)N7r%
zoE;qANF(S{{*8VHZb&}}Afv*w9FHa;6sJ6|Kj0U4Qo9JPzTWCCWbM_oKWJD#!B!ss
z;%`n|gVRApSI1iH6LN1%a5j;a8)e{+H86dTzP+qy`7BqIwvbZmn(m$`rLPmQ#(G*k
zfkp(R=8Xdh<l8aCVnOf%sd6r-t)umg^ieWLR{1BiNNMzCokc?h-7PG6)Sw^2#yW_y
zQu_cc%k%oadTk&gfOf^tVoF&MET%?&{ej8s*WUeKue>MNwib>{&=P#DqH8}FbQd)4
z&^P<r&V;E#NIz-lrFq=brY54@V5XDpzLirLz%14&F3Y?41cu23dC6YiiE8lr90@h@
zvw{M*xMbM8O0MW<0FxP9Yjh{6TSu#xDZO3+GiEJ0yA8Euq1IVmKfhu^x7H+i!<)u3
z(bYb$B({)P0lS;`b^)YdNt&;G2JQ!{VjA1cnM>KDv>!L|x|hkktGUAe&AZPO179}w
zLJZmh8dC;Q5Vwvo`ke)f=C>oP5HwgZzBpjxL|;aPvJ}ZU#>u@xjx`IA#Dx5r&@NMY
zosLdKb_Nm-s5e`hvCF-jWr@mjd3cl^nFnbW(dgX-Dn3Y(jybyC3Dd-am$lLF7$1>Q
zmarV=+n!n}lJKkpd&y5UkZLLYl87n>Iy!s-Nnh{W?N)esn<jkezXro06O_&*DH;1@
z@`~Boua_4rXO0)7uFA(N;E*P7U_P5y$t-avpDUjs`u0p{C*p&(6QVFv{wQu&=wpXi
zkOn-NaT$GVG)G-SvMDOI8a_1~UQp3RT3F40pCn-Jhal??DYW!3(ho+ad1lpCui_z@
z$gP#^q=pgAi~_<17Z@v}P58%AZ+V7K0hy!}DX&1sJ~-k)z*LjL$}a259dBk9y3v#k
zi87NI7Y?>Z*$id*1>^6eG|5K();j+(hQwS3L(+=A{13q2<h(>~5tD(+rfu3LTMoQR
z6Xj-Z9uIjFg;_#sN>G_-bI1H>i)GPrwAoO{%|5n%?40E=oN5N>Fl5c`MohQW9jC7R
zlFdXxE|&LVlkoSu<qs>9@0zgYGeZF?H38L%z7doO*|KTV)BY!)19_?BUk-LHh~|Hp
zgPk{Aup227ZMa6p_uj_VZu?*JOBBh5X5NTh4{5oVjh(Ljj%FQLheY!6vj}LZ?~f%=
z9~VR&CIG9A-d@(6|2us&86~90zijOG2If<4V^@1IBsGWL$n;Hu3p%|a3|ccxTm9d4
zrX7f&R6ApX9GRZDdqYAF11XE$C+xS4(KSkywULgG7#%&E`qx%QzXAnL3z(7T)sWPW
zor)1#MlgD@-|zio*Ie~D-W?^57qR%GrQDuc9cm}0ni}tMQ~rOLWV;YrxhS(dQuV_2
zpJS7f?O4*9L&H+_06_E!TA@fB+Za^hFPeLQzrKKKD{tr#l2cH>_Rnfh7+;3pz9DS=
zC3HHROE_ui^=wW9yNzOE6=Rr_tj}d)>Oms1yGe~8<(?z<|G=s|NeO1nv(3NMGLXag
zqfaG4-D$_1*!&Y41|Uqh{9pi3vW#4>@pe>mo4Y*bo&-?dz@U$Z*@K}1hY^rO&z(Y|
zLCwI<uTiz#3?1H@53UE=C;JFy`C~xG(GamXBxtLw@Xh(&MzDU#HzA{Gvm3x5GJtip
z!)WvWuse8uAD=VTI=B{y@z;6qCNtkj+-|o~7stX?aulI)qDAx(LZr$k**$+jkXPgd
zk0}NV;eWRaAI=dN6ll75pTCP09LVwqYO;MIdk$o4oPQbfH4Rh3?fmaC=6e|9WTO64
z>Nyl!L|7yi*=2YpisORKotGa6>_sQ`g)sdZAj_Pw_psyhEMG1nW%!Ihzu}Lwc(WjJ
z_K?h2waNu#Ip=?TKSR#2&@F1FzL1aYfea2_$kjvRczEk~1Ns?2?hP>KgdH{Ee4i*!
ztHIpvFJRNRN}?+z<sk1FaD#+2zm7BV+i-jGRpx`uVFZa)#b>s~SdTM<yhakNEKA<N
z?dz*2-J59*c$nFGR(Anhd=P?~``d0x0&4gzsE^&iuhDNA7!YqDI$9$0_{QazJ}Vg7
z25q|kHn>gY;oov##{0GH$P{TWFI)?>SJgbrFUC5deI)7PpqC_lV~0LA!DxzMz43bH
zkKuz}WXMG;<ok)M9E6JY+Gn*rLF0*g&3G*(1>Z>|_k;kk(-R7hc}oi!{M3N-=3nh)
zN>3M*ogQ&()J;rOApTKb+$VhNv}Fr2Tt+te1>b-R56p~Vn3dRZQ8eARruXZM??87*
z!!RJ?)YYX|)2OVt`#x|FJMG<0ieYi7u=Wv?Quc)C%YH;<N7G1R{P4k)mA1*rLBssX
zN4AyPohJ2ueTa{#Rt_nuUtscrN|AmoWKhS|41kHOh`*KD+KqnQqmu*)Qx-9`7jO>>
zuA)76`e&(w%%aqmIPK_svAN+C%uP{?G$`Q`Id5q{&V*g#*EPUTp_i6KV>zQW7Y$qm
zjlEa7#vvvnR(+&%6nx)?zhexyF|x*wHfk9F%P%=D|M5nAXa<I6ed8lCZeqx8UC_^w
zfyyK)_z1Cgr`>{ucR`_@AbRc9CxFivpiqB<+7k<+F&PEsXP6i}KI&FxfN3|N>u=`3
z{OVZm)T1^?D@ku`YN1umVAxe2Zc|BXf6R?dM{N)(A`l};t`8wdSo$Bp1tznjct@L%
zuLTSqbGB};YmbY<7#JOSZ}3r?AlUpKO#x!S>JfMhNjn~VRy++3pE=8U#G1?qf*!ug
zM7Kgfy@e@5KTPjn)Hcp;KDE-mLD0`(6Z{$<>m2uQcb*Q40J9NmZB`s28`@1pN|J0-
zKz_lPV$#u$H3NW+1rnsCvLQY8`*2{!Lo2K)vK&jJLT%acNqRKLtUN<9HB8y&0<u(0
z%m(-~F2?VRJWqIytSTnq?g@Wy3QXG~fnb1B4Sxa1DRL^CB<SeT?m5%Hay|+(d3FqL
z3|TyjhGeBb@r@%O!X}!+8Pzv5b6?F2@(_mxFnOGx1BWX?UDVm5o;X+T2P&f#e2poe
zeU$%&e=4HpzwsQHkV;IFWvI(yL?VwO-m=@E1D&WN#$56=JnR`-(}rqw3_L_$NE4_0
zH!~VKx1yUG90;_e7i@(eL!1}hP-py@Zod9xGN(PR7JDPQ#c#9JM%rv84aO(}qZw$~
z@EVeTxg%D_kYRB9A33-H`!y+Eh^7pHtWTbMZkcBTJ;pIf4c7~A+T)R)c;@+ZJ{~~W
zlqgH7>S6!q+#VJvV*-0`Gj0zD=Lx$6%{0K*Z_8QaN6XXe?I9Hc`On7rz?sKo4sza>
z&LICYC6xzJic}iSP0O%48e7HL76zq9qKCnsiTRZ@DTtR2_RDQ6^!+uzB!+!0AChN9
zo5!pYV%m!}A<=HIr>xjWR|@mZOJ{+O_hV_hMN6RW=i)q^`e{aQ|Bw7=GTVuv)+Guv
zV>(S#q%*_ZK_e?V)Ap7FY<0ctv?!qb?fCRG>oO>~AhJDV?YJ2Ca+*VyD>_duj(k%X
zRNz|wf}%+ZzD%p9u#ad8`@ln}LhV3Hb^`Ja<O~mQZhsO)>=dGm%xQL>)=^L<|9h~`
zl*4+j1lM)Q3FI7K4KRZLs!qr&94ayZ8bew&b<Pofn#i2a+}SDvcPKmRJQta`i?!81
zkWbiw2vKS;Y>+XzZODYduEDq`5Y^JbSjTssN5i06o(CL8hXZ?B$>nUy==-{edXZiO
z0*Wr>CIy?YC1(0?dukSVS$~d{E{YOOzYDIPPb6H30QnTtmcw{Pv`KwgXm*=R84$dr
zp!i$9WkgoG8;>jsvMedE=EF*4%a{Uhjl5i6IX^e;uWnLWBNYzW97(|V*;S>g8DX`2
za>+BMrdXMS^Fivd{ELyp^tWpNzm`>R+=8&-eVxfN*KVzPo7oOFw9<;wF3T^WEGh2@
zmCH1hD9KM-G+t`>uv<V3ZKY=rB^vV)uwMZ2L^1W6yRGac#66i=c=9oI{V5HBngwk9
zRJL(YxtO>t8E_nm!8VC%E`!T*QH<a_hloh6w}GC4{{?QzQ0|9&g-`oNpN>8~xKV0E
zIC=B5T72-Jl0bx4QlN0X13nH0o((&BOu*I;YLyatG381th2CpWSeLq;Dbbvb+<}qI
zE<CVRxoac%ob8C)NSZ+`mD$K9xZHjZ$2y}08oBm`ko^X68?2MVl30nNPs0mo?2DuC
zG*QhsTR*H8$1>$dEq>d_MH?C$5%OC7zxK{OuBtj+;|ow2&C4k=B^7FPv<6cWl~694
zd8sk6PjkE<#WXQ*q?m$;8}*cj98$+>L=@B-ttpbE(DK6eHsl4iN||T~sep{AAcS&}
zeV+IIt+n=Lt%cOgxqQx<`3sxPW?$Cj_j}&w`932o;jPg%sF!=tpVK^V|4>+H(3t7X
z1E9`e1h)dbM0@YpZQTXGa^1~{@6jY(zTkCG4tLjI%ZR!DN9LW%#PgLIml{NBF`o)%
zZ&7w@>#gOBpBk8A@%C6Uby2r{*naHk?Zw+$QT+tV9|&*_SBGT)IA@6H!Mguitw@LC
z;kBEO^yodszx80&c}&%o%QD}$vP-}8ge^^$payyJA&*6USBuhMbm<E!v8^Tt+1B-X
z9laumJwlyr`dEgzB?BcB^l}qVwtanGA%{3UpLzJ1>S028PDn*LkFkNDing^vx9C^U
zEp;_2%C)xs1$Y^$IbM9t^J*>qQjq8W4oZE+E@S22D3PJ~1t0ITl<~(Sfg$z6dI|$M
z%UBEGLIEy%ci>afx7!_v^n$vDDp$us)_4bqPEr1|4kR8}*uAhhkY;_juj}G=e*jU5
z8uV1KO#2zFja>8uThJ-9#nrHh=Oa)JC6pV<A1tD#$Mwr^VYVh7aD7QyP(Q!c(!4}`
zA_l>NUppFdo%DAVlZs`P361uHQo#5`eI&TTk>RBx$sh0N*l)hoAKkrVZ7#Z*yyy05
z^Apk+{m<eg?Z6PhLDr(dA+bnT>rO<}?JzUC9d&!!jp=3(3`RCiGn98d#<uq_Ms5M+
z!%#LdhvOCaS`Q`-P04~YUF!p?u_gg&P7dPqDr9QJ%>)!Gp!)AfQaM?^agS!Mo@1%3
zKo^!OrGI-Gs+TYB%f+ZY6fbrYMXV|FFjUzv^J^3%=ex^?gqCAt^s<81Ga!~j%h)R3
zM@*L~MBfC%mcyLSpP{WgjTA7?5mUgF!f)bC)<O7OXgx#=>*(JyKcjLw?o(U|$5~hH
z=fjGEDsVbIzjkC{K<?phRpD1wPDfN<_10u!bxinua;#{^JiD#8DCO~gYcwFx=!5R`
z8kj;A2O^8(K*(v1=&teUOVI;VvalU@Kjl-pX#0eoI~5oi!i--Mub<2o?JJ{XV6E!;
zJxIAut;A1vS^E}XgPs6h&uwu+9oY~>08Ubaw{n!>a4f7H;X}0PyW}U)?q3_T{>k@&
zY!UEu@!k%|lfglidhp|<JruJ=s*pe;Try^l!uhD>KVo`dpwN?1PhPSA&qWH<Qes=t
zfe7l`4VBbM2GZgW^Z0k0vf?CEVRot|uq!Iw36nCvh2Cu@@t>@qnK!?3Dy03#u!7i#
zQC(mW9k7_f^T|)rqkc{ScbT=NX*W>nAXqZ2$pv8SY|Mo>&LRYLzPYb<c*s4-MYMRp
zI$+2%H*2X%wZWHxv+nkLb>XTtoC}%$Y!rqtYA}wci!mlE&d64gp;swN&UC6K<1FfL
zIkK1jIa%P2;Qv39h2}u;TWByvBQ;2ROi^}U#@GabNmL;-uZBrY|C2;~)s7Ndf1H=A
z`jd(#$x)hU0}*oNqB6okX?Z^POf%3OD@H_|A64sam%I{A=sq4^Z#@79S5c*mKoZ?8
zB4L5O@Vz~dA@|2@jCzMC8rsb<vG04j75y=IRr|^emD{!k6+ktfcPVa-SJjxcg2-0+
zn-5AlW$_qpG|rSJJMr?@dKX6swKbwMrU|vo!!TQ0lU@sm%4c0L0cgnrjiOizKQ(sd
zG83FB8cf*N-XBZ)VjNPKLn}6Gq2e_n-CHCJsGnO<7>LkL{c_O*u=EqQZ9K2&0IQh6
z!E!qY%X@Cpm^Bc88*rf~9bTt$ws~U%(ifcm8gYE<1OQz{6CJuB{uV2<5O$e5gm1*@
z(n*Iwk3(aZ|Ad<cgFqMx!gZuO01AN1f_I!7t80a4oi6_39mLPk`~NFa4|52IA!v8Q
zrjbXb7KCphkv9;mrnT9+(vaOlgO>n@SwrMJpAw%v^J(_N4Z}U9F(7q1KIXq>9?=A&
z=!@K<7bBOqrEu)s<H=#+O2Arso?*1s%`JTohke~3*Q&=Qjf;c4@K00Lir7cG$}tsG
zHpb+A?tg9eDvXQBPVWH5!GR<D-<>813b;uP5U59@+)>L50<!+kZYzy?g}YQmH<{X{
zs+1NFQe_5c^P-nmOdIG+B%vRaB6mcvuv*S4GzX(*ltNa_zusSV-V6R*{k~P1HUmtj
z>R+TR0)f3`b`s`a8)zngbgd3|exi|jt?e}cCBnO;D)hjLEjN5?%c%;6ThdCd1b);(
z8BmDA2?fLyovB_ML|=fR!F?)PbDa4=c15*(Y%a8HM+uM{omd8xAzhoi(bU5L-lO}}
zBz@(BWY`}?Zd%O&*KE_Ppr!b~Jn*gB?6gTPcbBXhKCt7dt)2`>Jf0m^G^Xfu#{;a*
zcb~FHl90_CVhQC@JBEyw(k=rQRBn1n>QNAPCh><o*P_WF2E>49BHImL)alU1+|arR
zr353o-J|DEfo<=S*rmFG@4NJ6EX$qd*>RUw%kZ=4r~Q>UgvhmR{?LGn6XwzHEY$-@
zO-vj{VzZr?&M&DnYP5&ceZ1eQq4hUQ@v7EQE$I2V?It=S+|&0M$-X3J8Z_S~1TDIL
zuYB@CSJ?_NFY(h^b6Oa^MbmT*D8>*ovt`6CBBSzAc>=t!h)?iA!WOcQU^JOa9|5Sd
zRs2LPC#M<Od~+oJ!D+#B_ACq&g^fDaw3CgYeWfqACS|0URHNSkHGD@1NOFqgt=-Z#
zfUCc#Z=-$HX>iOYe3285tmWWt1vk>8!dt{YkM69wQ}&?7^}@{4I8q()HH@19I$``7
zF!x6;8C2e-lS}wn4)S;G=Smu72EkyQT<^WW;jj{3_VWy465)zR^s;H*k8+JX`lWYt
zaYF1oM6Y7>)YDw)z;`SePB7&_2QFuvQ3@3wZg*hV*rb0mnjSrPdq&!WMrE$v=TF3~
zJ@js757;#v-$7A6zjQmry*Zxu?pqVQH-Tqk-TRv77j8`bx|JMwl{rhZpMK`>Xpm7z
zFWdNUtC}>xH|3m{)<uh^l7_aa2WR=eJmrg(9dsd*Rv)kU17|Wf2XqDCpko1n-7?-(
z{8amEqjP6>{_%1ark)KA({MGnw#F@6PKL4D9GnKZN|kSf_HuS~Uj=t=&O4;ESzTHd
z6!B%^>y?GL@n8}kYg9xkSzjnUJYiJKT;KLCG@bZy-J6Nn^r{W2mki}=8syo(jJuJJ
zc$c5mV~Syds`tiz;NUBFd{!rDjH8L%S%~gXx?i4^=J@`&J*$eAX-4aeK4d!#>?-<1
zE9QQXwjPZPCwr#ie61T$WmbuT&N`;(vaiajYCraNK6%eDo8A9LE2&{80u*n5u(o)E
zC3M}Bamg{^24$zFH#3Vje>uamBTy`Jd@iTdyvH%k))cy+nf&?Adex#*MRd5k$5Sh|
zd;&i+n6)$w($=pQqCNS3p7a)Tiw|aVeG|-K)R_40!JHsm^V~jJ4cHwqf_Uw+r11>q
z(bb(pOlXeMuwJx(=a>1~XCt0NcHi6;59)1d$hK4d04`KjWG7DE+ZnSsEQ+c~wh^#I
z<TYcikF9A#6Ky4xL36nC`Jt^bLzy<tXVhzRwtHe^x3As>e4=^os~5F#c7;2$XcSy~
z==_2c-tj8{hP!nq!&3ss1aOvu6Dckr=6K2M9z8C4&*{gu=a)}D@Sg9u_EF!Q@#l-Z
z+avums&;g){qDj`oFxJITBmOHxv^d1a0K2gjj%><40gjTv)rpwONKMqVeDxm<xtvW
zV6isRibeg$-&RvO?1YS@E&cKe&Z&(p)NhAchju)XryfJJuKbtbX^h<7?C66FAIra)
zFHG{(U!cvPJIBeGyahQ@(4<b$>r(Gk%P^3#<R8;`&_M|}^)3hWEF3Y!EHFmA$M>Xr
zPlH?F7gl#65N1UdZ=KF_<tAzEW>4Cm>!QqY#nyds>;l!L#?MF(Z&~_!sP$UvF_(EL
z<s!b2wkg!utKRe3i?GU;cy2tKl@w+bp9)2c*QchrP}$&=ehTdUZbRXSvXGj=)b7Bx
zq?$cON~<CFodR#suBFu~UMBKx_1_Q#D4_tHF-V=DdjB0h@}nvJ+gIA-@OMWY7uBgw
zTl}w1z1o{DIipr05~PB<3G751KP>ReB2k4Q{*}@O@<vo{$p#`TVsneLCNX>W_O?=w
z&x`D>*_bRmrrxEoxk3|J@u%a{Hw)kJW-mKtwjh_22xVN(DK+JZwmF&)p3dCtSTFj(
z`&Gw<e<1-<4I$AR1P%>B(8!?ok!ke%SjV~ThJyvKnl?Dz?d3W0CE~?}N7^Xz)X3~$
z7={U59|eyzh!{_DUWR5cmJ+(ekRjce_TB>vDSTdpWZ*@W^7BN;Z=~0(8OH*J1?p%|
zOVSYV6xC0JrUbO9B1F98{|w;WRix1!W$XF{*ek?)BR6<=&C`G>KX!AJDF0k`doy`m
zTK&QYk#V1Pg7RBuUDaTTqAL^f5nCS0qMK$=4n2;J;4puwcl}f@MpvD7ve<`uCB<t;
zlw?NXHuO|?^mb}re|wyGeHh&YQC<M2t&R@3yXO(OYx9ZxN}?SJY4qf`Kf(G7H|(Hl
z;EdU%@w3R^)*EV&R&1OfMqf@#d!A_(#djND);tU^u^#w!t*i%+D7HE#(dLWmAyl@n
z-*{NNf6KRyKm&ta#~>C><76R~lGd_B`)wTq5N1t1o~+pVh#^RmZG2GwXv?oE3z2{v
zjNQ{Ne9p_id;}+^sG%izTTxa^MV@*<`fS@9?vYEYl#s?USA`omcxBCd`^)60H+B0^
z7M7k$dqK1oc8Wi6g9>RN7RTA_tRP|(eXN@HHgNwzLT*d{YjfSOQ+<7;M|rtVOEjMS
z45G6EC^;TocYim?B41YbYE3_!+O@n9q|~b9m|5gV0Su7d`Ru1F{9q2Irr4B^n_!Tj
zbk(nnVA+)2(?yj>XTnma>3F2p5PV;}oaVz&-uXG$mN5k7T33Dht14YWgytnMO)eW|
z(idYOfzoKg1_0sQ&8U_7hG_N4HJZ6|2f<9z2~33Q(e#1BdoNdvY7Ez5?jp{>b5C4*
z_~X}?7>UHp*P0Ouxt*pHOl<D~KE3UuMUy}!5ejr_1MJ1U4W!#;v?Xxw<6YA;Ou8q0
z0QxWc`Tv;-lpW9mB#NUtyM${rDJ{Ghi`C;KnMo>kv?zhj*1Y;3&zH*gnUt)RpABHr
zCb}4PI1BOe=GB2%jm{o9C<0*Ljp&e=T(DJe>)Ju);hoT56Bq3{lH2%_L}D<sFu<Tl
z+PFv=m=r$B!U|hNC_#mcHE-2c7Sdx@dUd(5B=k=>f_XPMGwL*YP?`XDe@ocYosl~3
z<)2+T*~FhoAQtiv3$LfDV&>HMXso=0EsBwWSH1b;`o<lTWWvYDEb~h3)j(ibkkLtg
zq;1ueREEG`zPV=p)q}&b`RhpCU&{+#d;&Nvb^0r<C#XFKB@nKwT_JtR39qlQcA)KN
zR#e!<N-PABb48o=i}bOE5h4h<oZ;=3HgYElA-6+H(-YQw{|8sBAN2mSUm0H0zw=8X
z4!1<rxb!hUTCz^5Xuh<ly3IhB_@j`JzKN3u2)JHzjI}q~)V{3wv;d6ijKJ&HhD$a=
zmA;3nX+1KNx0LRSz3*_#($By$W6MO|yn=wp;%zHll4i~M&{LleEm7aNPO;^)<0knJ
z@)!>3`TNl1p<dfMp3e(CMZzGJx#}=K<lXMBORZ^u(tdXp`J!}9tAHSIwXfD>toByf
zV>6V;W=GYb#q*&p^AaWHKRJ4oA6szkb6V{q5{Dj7R!}5>GxXk^>tHlxZOOU*NIzE;
z_AVVLac<lJ`&}{W>Gbzv>ox_>m`46r5FnmlKyZVvlNj6#rB~~v?a{SvyQsOJl{_TO
zLmIVID`7g7UTVX4h`qU`2iOBbG0nwjLkX~PE|^BOCsGT4k!e-zyUAtUd`oS^Ad+=A
zmCeVt;El|Hq1Gp2&&_|ebbE&`-yQ^*;n`afv)dzF4G<xNwNj{o0Tw82BViPq@F~Z)
zbv;sEo}4p*wlX$XD-+|k2!)?oN%HFRj|=ETf`S<d`d34ONKw)&ki8+zxJzLkPVz8w
z3^;6sCHs|Zspz=+S5rRIlR<@UMw)9?Ewy{;Tp=*As6UJR_U63L1qRx(W9ZasPOD(I
zBK#J-URrW<0-7SgE{T8s7YT!e#b_>bqhZh)FwNh}hs}a@;<#=>r*Unl89uhxrkvcy
zwDOygJNC83g<{tBoo+k2+~FExzcMPt!fF_B9Iez!b&8_`Z`MNQ+BNO0T=Zl1*Jp`f
zvR!9S^k6nl6EbajfYNVSF^XvE{K~^R&cjBuGp4JTg4R5_wty3XMM>M`E(Iy&x4bQL
zmYNwxr&XGRyp%#nJjFbQC~R@-CQ*3J)Tn+pdYhVY?%`9hSt5<w`{L08Y<1P`AR9TK
zk_rDYc{oD8U8zrbHjo;PyrSrX_!$+KMfuO^(mmMcY~A~D5(=-=UQDkWa&uckZ>){<
zG}LwDKc6*V(74Fr6W<-_valND9{qYx)g5YAwTVq{SmC#)CKX2aqJ9gaMbPFzHJdiA
z-mcpl`xD$F7?hxd>^J_Hhmp`qE6(_xEA<;d0oNMqjaniAgC2F+c=i$~I%-!diQ_{D
zzV%fE)u06L3HhdgJ2)zybJnX{IKfXUW(-!C>-J@zyP)!eaU`k`p(aZsu`|aYquo_R
zc3ib`L%sEs6yz<g`7XAr{gDsF)`cdKZcwUaq;#aHjU<1SZf)W(QTw9%8u>I0rB8&G
z(06x4iFgq3{yu$~r;4`z#{5UGPkDa;nh_hhl8EV|ixq#U*Z4z$KUgriUog0{G|KRC
zDIZhbBLg6K%P>=^+;VpB@ueP=U|Ta_!L>E-yxLOD%`Eb7?;;Uq1;v&#OKrap=WC4m
zcx=HFlWOzjaSbBs>nNhm^aCfwo7SbUj#UNDC>oBo<z!GHt;a261FFsiaCzR;uWpre
zR*bcfZt^^S+*?|O)h-=Knqp9vTb8x++Phw@yvq14Xa7%JKoI@wCb27|c5cr{Z48f@
zO06L;-1(e2@zEzkGhHio0aT)+a|2RyF6gM@6b2MD<eS{z2(Ad(6*`?>5}Mj5;`)Mk
zqIWF+wVAT65Ijkv8*{y9<Yf5ugowz9gt*&SXE%$&tbI_?RMGG(S0-*)o0@YS%oL;E
zMwHNT-6e~KbjuFvfMggl915eq4qB&DqePusC@CNO%CSKB?@CV*I*EIK@MF=(kdvYI
zG7eTF)uKBS+fv27mq?{V)Mj8`Rw&EE37N%^Xc@>A)IkprZ6{^Rfg#fWH6Bf4ad=($
z89Nm?C<0(Ib9c?>@U4jPlZk>IsoL&PJK2|+J-dE<;{n9{c<U@wU$pz}8iWPR&Xvkc
z9%Ecl;@L{p^_?ukJy+R1Qo|x|O1`$iMWTb8KQ@?8?LIZz06<SBwyVATlI1py{=3^6
z*+#o`ha}8y#@*I_ZrT$=F*>rQTyE-Wvx%Bo+aMP4CsTUaCIMQN5P!j!|Mai53}-UH
zK`au&k6iYy`wS;j{sVHcuuXDwohq$5^2Rzz)`aLXx`D)_uNGn;1DF-mY<}WVbqy8{
z&@=1H*+)r}E4c;tqo3YKA-efh%K%%;quKiQ&#+l47D^o<oD8uE&CyFSF(QS-&w96B
zbbeTuyHOO3+yvcm?J2F=F+Jk+ckYPPmYSBj4Z1i^H5<T7n;kXASCWq#fwWtpM7bKS
zZuY{34jNxA69Y(<IIaq6dyt(LNqaQd1w<8NcS~brF71TX5u)ho{3F8Rs^>lgb3=8h
z2!X%9#7*ZuL_OS_gaT0Prc1ep@0WBh>cIgNnOm)Uq@)Ok7kM0St%Q^--_c4<%l+H8
zmE<qmuI!PPCO(re><)U+sCkezeOfG#qF}u$I9CQXL;aJeCK~zwSu<bAh5_jfU&%Te
zu>4^;rvsktBc%t-`jF5ID^|}xkh<k}ql<)}9?;JYP#79^qWNVk1R~PuQ)%r~xi$-6
zmq*LyuikR+0||>XjByCyK&ju%00efO{ChzYc;Wtm29qmq30@nN5|$E$744P${jZ(z
z3vDbTOD*o2`{1UHSi5RppRd;!VC^yKPi>+s@GR;_{FQqIIlTL9YHL17uR_<^_*|2J
zw>vcq-kh{3h{mSy1T!h__56ua^slvkJ#c&?L;huc-5}sDC|^E*WfX;iwU}HT<30_;
zVuMK6jXK8$66Vq2%TRpjL<I`-fM|p2ne-X%z7A_gVtgD4>L&@u-IMcPL}p)=9J$x+
z?V)RfX>gjzHFDMSN>;dBn~l|*`BzvP*F{7<(XHAwwr+LO*>f#~22}RIqr4CkV0N%O
z4rUk07;N8nQjR@LYjeGXx<eoyCN>AVU(xY_)x#pNT1%8LT1{yOn~HvK9eeofoP^fa
z%?X}6CC#<lN;1mt&Yq46NhJf$Ygx+<g@XdTs?Sv=$S_i^6%X*SOqkbga>E_@;Kt}`
zLPV^8^;%$k#xCwX@z9VPB!X49Ge7<Sz*;?2)7vFAs-0&?YiGi%wS~I-p6lo;lbmU#
zgIC_SjtuwB{3}lziXz|vq~?e@^O!Z6!(rU%g{$9+QDqlTxw-j2GpiLjfPzsq<|e-=
za<<hCkKSt9_~ebmPsjI5-f|D{%R-{f+Q}SY9rV3jsr2ieDBvD+@&3`=ky<}i6JH%o
zRcmP-{^AcXy*u7LXmaLkvC=guf%WNd+xggeH_R`oa&7Xaz*#P*FSPi?=c+e%l<31h
znNssKSCA_GWFAj}M(x_I{BNspIxcc;Gxyacp;ALnBZ#MgQek9@GJ3fFTE%;<OLUMx
zHK3H_uz6KO`A(wvqs%(2uuWuK6)q8kxGTiewGO>ssTkJDiND(!{ei9EbO?>gmp61m
zqb;$6@%z*nmr*<>^R^rVy7fce^2btxBizBoT=l;6yP4^(<YDtWmCGgP%%rUKSUAht
zc3B<$zNzrUkZkX79u^w_BUmLqMQm!;%v83?sn+@@3h-;hzvY*Z<w<@B<5sHQ8##BH
z+T7~v0tSaAh-EzvVYkQ-ZQku;ZA2GrTAzzp5nsOD?b_s54Idp^I#(b9?aUpIX=?8&
zaqke6Bch;RE5%z7iiEuR<wM(T979ar7SbGsr$V_&Dp;L<w7q~Z54h1-=i?N`U#Cy_
zJe+o3bhp5+*%Fwn+=i(*fXqTv)Dd%K;lLHlhQMYmoHlUeh%qb9ULDU6aw$wQqb<-#
z-Tec>`t<&uZ7(8k`9$WmdA&Y3rY0=NmA9_~NvM^P>1+vp@O~Q&Wltg;E6N^3F|Wk_
z*7iDe%rWAZQ`+$#DKFEu%@-XHzj0()Bb^Tp<?{BxxUG*k@Z)qB^Y`}nOB*PcC8GdI
z_~LQ9wWTsHe~Qy@y$w57!rasRqw|v0V2$TSitCr3dkKBJR6t!jbn>~-!?_{SN1)9i
zpJVa4yu0zi#WgOv`?&h4;Zn_FO00{V4)zJ>YNm-XsifCuLZ>6lDpS+CI&#xaz{0Bc
zc&aF*rKark4kf))4$O&w6UMhW>L;sE*|7R_jxr~}9wA#EsH)u;>vZfG*p9Tp7uap*
zdxgXECQupyu6W@%$2u$rm_KYWM72s2?@6DY*4W`bd^$<bnjpUSyWd@a8$oUlr}s-K
zEbDaxtBQfg!`_TQIricWkW{|!8ocUBNhXV`|2F*E;lA7b%1i#$iKibxIK(5^$__fL
zK`=T#fAkoNx;HKYbL=qaV*+fz*E2mN*venfB~Bz+Y)c(DUEkww{5&Dc#J;tbuxQja
zL}?)4q^DH#EM{GF-WmUEE$+V~7|$Dmsz6GE!R4Xvl7R8#O~aQDNVk4+3WMpbrEJx&
z1)SJZY`Ue!KRxYtVl;anMk=Ek5-)29qdO5>Vw@kL`&#A3G}4uSA|{Kdame5N209Zp
z!VB&Dt-fv*(G>Jlw0|s1?3*HZ3`>L~+C&7Ah)4G&h;~xHvjy!i{+32MR#{-6Be+N%
z2!@;cX2!;|w3)1!(FOBdhbJP+I`m!IKa#(ZBefu`oIn?ZI>**;v*_L~?hF#eTOXvG
zDwwA8jNn<OH=EpqAaj&WN+OJs>|f^uMMIzI&B^WP&7<{C1M3N?{DuNiB$=98ESXqE
zm~;DZ3g}SkHD}#ju!iuN{AyoaxB{I?u%VysMykbL<%zbjtP#T~<w?xU6g3M=H*DX<
z1|65#iGu4WUk<ajotxB%5`d#}xl*K%o*)A|<XyBolQg{nuI_!%Iu$7+jQ1%i#mDzt
zEL30^LF5X;nDaalLJ%#`3u`@WS<g#f!zt88cX(Qq<z>sHsBOu=AA*sVUoqwb^e3Ok
z9-eoz7OJ+=Nu)%pn>GJ0FK-sFb7E*9*0Tx9yZpB9I1=t7Wt-2gZRf(UsxoIaqg?qQ
zPO&D^BT@O*anvZyl&Q=f16|xRcklC|K(2EvL~o3!misn#<%<_tS~=~F;GQPSA#x=w
zo+u5_L*U(l)!L)iY@m(;?7EMImB8=MX$g=qFu?YRpSWb#B~0eH0+)4&c<ZZ1!3f;S
zc1F%FNuxUkE>&dPClY9@W&|e0HEIT}s+*X>JcqSc?3uZ8f9#J{CZ9jogN%=5%l={?
z<Y1{rHQD0*{V8WWiGzC5Hi0K^rd9F~ETal}EZGBmume3bz>s?1_@2?^3<F=N_`{Uc
z;#(GL+`BiC&7e>@$-4RzF>8B6stlHKy6v~p`HYgs9r!Sddk3x{+>F|BkHf(}aV}<}
z3fRvH)(XX%vNn3F<=xiduo~O;5cNa_xGE>Hjl%-zeeBrdKW>Peocngmlj8Sq_K+W#
zMpx)4!*U&pFr8e>cy{GHf#7D(?%0Re@&Iz?rvNX4{P1}#9q@-#xNIMA5bg2UI%yf}
zcI}|qd0dw!sL0qNi+PpVa~f@AXzD~q6_G#L2g&=hrjibNlOn4}Gq*7ehGnh^*+c}7
z+qtt;ZM>*qq`tnoXifaP#w`sdrY#F}K+$gN!}po6oSd8)aG#CUsFlJyTScXkEc<gv
zKa0j(Bv;`EUy<r6v<Dy(;^!!<T&S;qvHh%jvq3cGuv9*eFJ_=DQa=)Viy7h@_J~+R
zv&f;^dv)!)_gRc9Ps^BOwk!w9&}9NTGHGGg`~yjF@sno-S6lv>b6=>Z$Vyu6E)^Mg
zlPhNE*@x+7i5t2)%y#B?yyGzQSXeAcqb}&}f)t0d<3}Kzxmt9yE`VBINnA1)m<u}I
z6Hi3`6UWbycA@ZK8we-XnGR0o2v5wuLJ#=76DL@$4OeS@ug!KN>$<MjR5C;u%jqAM
zHqa#(^shQYhZoVYgRjH@2*Bb7&bbvsSE$Z1iaSO3h07`|BreZy_5N$@%X++W#|IIo
zTk&`b64+wc%}PPL`)fu_-u7wB8}jHz>`XDBZzZ(0`o-7J$=mIaeFQDOM?1-|7P{DA
zvw_Rkz_6PxRxqjNZRTx#mWtRH2`FR|!^`*F{8Nco;aGY<T9R#|subOYEQ$zx-Nrny
zDeyXruAPDLK%`gsd_`-88vz;}T%xGLO<%h4$?UEc%n?wilG)#N-Bt&nZu9{2*qgC!
z+66Dh<Q({>YgA~XZ(zlp^d;}{!KdE6@=j?rMhD#oUVIc@ci%hJ{iD7)Ox{-j7RC%%
zP&iQ<so8HB71g!Syk?N{9d|*E9dsSNy0=E+CiR8wZ(d;JKokY_`8sJe8rt0C&q+%&
zRV|Q>dA4DJk!=%{>%*Ugu;a=$P<Xi|iOYJ9O$yCrRl*0Z?NaOMhJ_m@psY3dgu<=q
zuHU9+c*c%}FOQZeQ3D55UcoYkU2vk^1aTsTm_yv&@CfS@l64*>oY9t4MRcwsA3_-A
zXk3IVef~5uEKkI6!;itXf6;%et_2fSO*9X_)v)S4rNE$V<iEM%4e3VG4d$SQ*rhd@
z**@fCc|%6mynW{4ON+V@^9b0UmvF{fM<brT?wx6k3lQ&?FzFvhg%pzQvEx1i-2RaH
ziC9UZ?aShtwXPMvSJ&G%-y2NVI(1=`*42w&V*@{Q&Iqj426vNQzJT5$)xkGW953gd
z>uENRU3|w4IYIf)jzPmr_)GqSBEMem`#tWvh>XCls#*?c)~dJi!{Hs^C#_vAoaj=@
zQ+EoMbyIvypg7b$20JU0W%PYv*7;BpEV!7~M-~YWUj5j11CiwY1?^BerYk<+YrFJ)
zy_+h)MSPMRb3K_Q2Gyw*+q;g4!Zc#P)&9&Nd~qj?TAPSN?Bq;qI*YBdqYydH@&!3R
zM4e$184O=0(|=rY(O;n<2l#3;=Ll@kwUj7`rnys=K<UxgrC?s-?j+qME1Q*ID5esk
zo@*43GX;cW&}bC??_0XQxX6Y4d{6+D*swAQ(CHG|jcbA?Rtt|1%{Y`K&~Z`DBYT4=
zFI34b%xbuoq(;b470)64MCD2}bf<(rCdTM1`skS5ZsQ^Lbhl`F-EEiCO<-{Ghq`Y^
z2>7xfWptr1OMB-=V&;#UJ;LL8enH*_{Zj?Ae9OBoujgN?X%lkPA_AtYCU1$o5LT3d
z$%(Fl&lZ3IouohANYg3dY5G^bDlfCA#nIXl%C*t&Sl|Bpy-VjaYHZ;)LVlrs90VzZ
zL*VRY{oJoih~P@!NJHCtx!Z%(1CpsZh+&uet0@-$$$UkQ@Un#po*CMZ%8^pqmrqR1
zdgI~v=VP%tM`b;U9aM}eJXLp>Ty*ZJnRIbAW3lvi3Q_r4ub}Q8xC`=W)wEPzE*HP-
zL>@+Pvv3$%z;r#*aD|F6NSvx~`$GnEsboHH@;h6GjOz?9QApewb#Vy5;FMNKRgl6!
z@3b(oC`Ar-9VKMerA6g!zP_Lg^FUlf<>&jG%``H3h^K8X(z%eMq44Sy&h+kt+lMkx
z?B5-7*!YF6@;Sn0$j0}Sr7GZEspfaHf#$&G%CAg$6Qk<LoJsu`pdJi^<Gh@2%R?_`
zSW<^{#CB_NY&WdN&VJ`EZ4iwpcC15m+v}ekC4Fgum~{5(Q-F}PMsCWc{+G9Xv~059
zs?qpR$+q&FoqcAtV0YuN3;<k);%=in0%MlwSwHn?7hE$pcVb`pncU`4Sc`xw41c=}
z3ku>%@{%%#a*~Y&9BH`+O$8{!_fWAzwGMQS8IZe-&WXR<dPBF|XBM4lgLYy$OMzQn
zcJ5nfTOzz39mNRoN-4cSvAf*p7L)5benB-{`$RXAESbUJ>-fawY>q+*098nH24rl=
z@A3s6{}%<oTYi#^hVV!CSUPKFYaEC>UOe4S+JI{%T(R-PzrHvPZXR8|A45og&Du0i
z*|qI2-r0U(SbeKyH4tBH>Pqt3(oZuV?A=%|hc$siXu=OOH9upff3HnLdh!wmLmnJ=
z6?4C;-_94lw}j1r)z=NMRLSHM(ex7@sVGq+$=v7EJpd68hif4L_i_6H2>}Q8<M-~s
zq(FUQbS1H0&gxA&@a})tDLxKW#?iTD=SA6VM4qxK!et*=2WA_5G;C5g-*<2u3$YH~
zK^7@|(rBOfZW5}d6kZQiPdk#6q?BL%;WjvAN<}kpKaE>V)rWGwV;5g%Of7_S?1e&6
zbCaf=q)Jk0QSZ&iMEFK1ITYl?(u6j><hiIRCWQn^3g0`y?zGN>fQv#<@e*D1WpaHV
z$mI9^q<U9I#y}(Oanl{k4F@(4HBjwGt*tu>gd#+s3#=U+#M$0gPki}-gux7HkWXf(
zg}2nP+Tf#LN|Yx)RI%1aYw5n!lK`V;fF!l-c8<qk!5bidd0@m-UL`&zp@NW7XV*)s
z#56xa0$56q$eGDS*Ur#%<8M2As4#e8$k!(58_V)Kag(@Pom0U%0;-G5?`VrVMAnwA
zdL4TdzC7v!aLk@DxIXRZwaLZYedD1azvBZVdH~@*4kE+Trw$a<2c!hWNw%?CKDx;y
zk&%7)n8}J{crB<C7M~drBm9HYq>5Wy)&i)cNhu*U9oacfi8?fi{?Qjy`i}F8e;#we
zICh_4@kVPza)_XzQF!e6U&!r<oB&Ctmt^;a+6}ouEYn6V>TPR`L_#<;`FkRm(-V<;
zDyzP9li~u*iN3ipZFyL-fd;U&7nq#}C0CeyCoagvNkF3$yW4mif)#K~i<U&1(2C_8
z{?Jpz{bBLOmTXveZ8C)4Wi&ZNkQqzG<fEhz-g4IxQksO=7%kdPNPElk$!a9OvzlV@
z(dnxqa1y?%L!eNO$a_1z489@4o>*UVH@Xc`@#7{v5S%cQOs+`<IhkO_^1mH_{J-~S
cYfQJ-Z_awfwC}Qn|2;o!^mCs*8@}>C0qOXls{jB1

literal 0
HcmV?d00001

diff --git a/example/system/amp/openamp/driver_core/fig/openamp64.png b/example/system/amp/openamp/driver_core/fig/openamp64.png
new file mode 100644
index 0000000000000000000000000000000000000000..7657764ff6d1f05655d15c9db35a7db069210957
GIT binary patch
literal 84465
zcmeFad0bU>{y%;I!Cgnq6$SffQiBVHi71GE98G65>g$Xfmbe6_DDHv?7qZbYQ*6l6
zP%v$@DM<pwU9PDiDqPGmaRJ-_lN5yz1n&JlU+?$X?!D)r&CKWf_|5!2e`Rnv_nh~6
zFR$gfta<I#S6Vjf(o7J9mZL}g?*9lvqYnkaVQLc>{G`*-k2c~z&LJ~L4F5kp6K)E(
zzns2Va2UO7^zVlKF~Z^Y$r*c}3%wkBy*Bd8*%g;c_Rc+-;q5)zCHqpw+$$Mv-k*LY
z<ceSP?wl`{Cx`zKpMLSpqk}fj+8KK6QPz?+9ru5Ec1rO}A0IsTR^LUNt^Qe6cv?7M
z|6~4P%eoe^R-aZ~<A49~e+TCupE-V=Q#VeHe&BQD_S($rndgI!MR>P%5Ne&mZcmt6
z*D}23M);+V_pf*m;^rt!sj{@!__5jb`1qJ#P8F7a)X%&sI`VAC@Zx6$quu;2PBS!i
zDxYa=@#dokKb9xNXRfl045+F8dbc1{HQsdm?htdAn1>I3OzkKBkiP9)(Gqt<OZ;HY
zrH_+W)J+^O2$prhE_-UL=Tv8BO+9g}?$*t$G)G~+^-`k6QC4`o!9g(|D?9j0@(T0C
z*9G$guX3+sOV)V7e68y0<G>+?yUz=OSxG^b?2_<q&c?SaUuyg~*bw*nS9Mtd;sY10
zG4fHUF@(L<S}3w#<N4{QggV2pD+_aP4Ew69AkZcd*uklFMNL2R)~Jcup#d?yJ%v~g
zNAHMhS;?kJey4Y3vX^1IQ{eIZU0WC}9-ixyPWkVjhdb=MC_lkr$CR2!wbu`nRAes-
z$!jY3b<R8e-lE*%^sJT@H<JU-xoN(X&@;HH|F*g*OS3udH{7Gseeafz6q45G?wGJ}
zR$={=j1Gdv))loAcj9ApCz%iPej1xP(*+N+%PC}jUfTmvzl_)a+r52Cdb`~^<G|ix
z)t)hL&v7i;TsnJ>i`E<pUFlG5nRV)X`hk**DS9us%&-oh`b);`EvHsa@f8Fbz@*c;
zaczX8H3f0gG;d`<r&!CL@m>AbM$Nm{jP}~Jtn}&U!y>{wu^a*$huuDwRg^cvTXU*y
zeo3%QJ)f~9Jz|4rV>Zh9$5MlxOBRRSxDoV<L&P9VpYF?+bv?bPgP^sIn?7`?4vbBy
z`w2_14^~}ZmbeT9PrbJzbb%=)$bn{fM!&q%cT53sFZk4NHCbkOMhTbB>^WBLTJZ2x
zVQN1t)f~S@#^+nt-%MWdcxOn#<8N;-c4W_P^V<B!xfBIBgp?n`8pNu4*{_?p<dT|Q
z{%BE$)(dY7Y-F!=yi6YoNFE-sA<%#=V7l$fdx!4XP%?e|!~A&nv(2<8*h+^>ALs5c
z6(_vn<5-?K@04%oqUElFU(lfVA&G%**P0kFoR6%`U-1x=ZAw+<7Zs)HHMh>M6a2bu
zeI+@^BYs{ZthAA@29$(hdzdlFLGWwCcZ(sBxh)1cuw`VkLX!Hp1W(mivPJohK{Y>g
zG@K~0e7(_MFkaYKa?$XxMtVh0x$rfn<x3xr#T4*lJ5z=4+Qv1NdYd5I7A%FBY|lN#
z>g1nJ#-~SYePz$BykoTo!}{pXdP_T}^2{a;EjS7}sw`_9s;B<&!$sYQ!kqb{*0f<U
zOTM88zT}H#!JV`Qo+etoVTNGtczpc5s1~i>=<lTevFZ5O&j)`QcJJQ64JEz#erWR|
z`StL@cEO&Rk8gxWoW;w#@Zh6<1?Pqf??227FlX-ypIw|1KIK&pp**uy#=|dh2I08!
z@$1IdgHYC5Ip3yD#ZpO(Y$8-IQ?0hzhx~d*Ll67)B-9NS_jUE@R#fPqd{x<5akW}n
zJ@r=|Q(bh|%|26)Y+fzIM#m{zfTfjq|F$9FpJ}V;eB|EEJ=Z;OHU?$|4#Ba(ZhTqa
zkmr)?*@<cnu>Xt@Td!L5WoOwR3b6*Q!xv||a!yCrWM{>{<t&un7wBl3dLj^Kb=7ST
z_kfSu3&u<*ty8*{*UBHG>t4qByl2`}ap7Vp?Jt_zPx<8aJ2=(po2-6VhzF%_vfVi+
zbc&6><M%jhNaW%kLf|VU=R+&9cepx4WQgA)o`P>k+ep!!Qu|NO&$oObZ%&IByG0L3
z_B+%@bJ7mT7Rt^_K|zt>+Hgy?$AngbG5sx5ise?t{`HRKe?0#D1alo?sgl;|jfIE-
z4aOBkcP=fu8&Ff1vIBcv)Vz9+<jf_{#O|6QT`e_0j!=@;`|md=m<k6qGhX<*!9D9q
z7qz>^7b*0)5nlbnWT856TG6y2mU#PfH4ew=`*EueZrZq|z(ugM-1fn}rQ42v@TyRh
zKh!F8=o>ro(3QBVk%Js!L)*<gTXQS1^~{nSpNiiI<;gamRMH<yVdq$j$?eb*@6}!X
zonkG$-k6)iqJaFpH%cd6U36Cr9=3m(viXI%W3eRjGPVRBd%(iM7u2DLDh$lGEORNc
zc)GY1PanS!=S`iDJXcJ;td6-w!=$NGZF$!!W>B4*<^XS;@&1eNhP3is?jrP^w4k#0
zy@N|U`9@h~Ij%ma)ybJ<Gle4Z*!BH%u5ajr?wB`xI@j;nVf_O+GfcDWL1gtx>uZNL
z4_}|;5W7|#oX|F#YBe}Y=2&ldOE72RRbo5XwI6>tD<~Ji<VGhkD7D<R`GLIYmRYd5
zTXKf)pI5wLN2pMg*8UaKjijLcjy#&RxbGggyu+ibhuYh&4~skAU|^?+O=~A*-<gZ=
zu^!-j%OL9?DDSD(@~u$kq1p`%t9iDeOo!(*cGZaADx*>5qioydi;>6Bbi*C{w^4pB
zg-1Hu`QIm6y-wx*(NSn=s@kE%&B&?sq8B}VkG2%dA8YJs<$uHkm4d<AcFO)3F-Y7B
zv8x9*QX;U1H)ETyOj$U6Yb_^*vOmbvcPf$#ii(iO$ibE2aQl)iIe01MVe$e{ZI*-N
z4=Pa@h5S5ROAU~A#MoUs>;p5+9W|oiOBSVh%n(CBo1=|AjIzNhyJMYU??1QaEq>~a
zwDyF&!7JadxjUCX{Y8~j@=3e1P1aau*vJBZWj?BRB-hTi%TQU!nIHTI{b5;VQ?0T?
z0Lwmj#w5jXv1i>{YkXEUY~nvHb1D3-D%4tpmUyiaL;lS;CG4twn4pvJR26=!T9T^8
zV0op%Kt%OPt(90V$0ko&iM7L}{or4A$*0~gH0JN6k2OLUr0`Od^Tc(OhGT`YUBPl!
zN$FVG#1Q6OR5(|@(EU`6UBc7>5kQ6IQZu9Bu*QwB)Z8}j`^Q#k(r=YBZj};7)Gphm
zbHGz_*Pe<TQG?{eOm)bc-;jT5U-=dPPC3ZCC|_Py7^i%_>agJd>_~}Q*`3Mqfv5bd
zcA0flW3}ywf45zJm^sRqqq3)by%LCsp^Q1x8&Oie_t$c~qJ(u-_tWH`T74ZA#}F6N
zy>3<p@aex3;TnDCKI!V_gy0W74Q8s9Py%?#T^U?uppEHGM;?4wLR$(YWcJ%@zIi5!
zM`@w&$pieADxNcUQ-;K@{8wu^gNmF+C^Nr}#)f6?rb>8^i7`!inEb8+8!7pxoazqk
zvCDn1>!43c9fhiorO=HRJc3XrN?I@0ajP0@1x6kzVsNMYQjVsCbz5S}!b)dtZ!Tyh
z&Y4=(V(mw`FDN%ubz6I!EmJ$idN|ofM?%M^PD<0)$ZsgVv2rE3(uK(o?pC~I#>W?$
z3T6Go3Z!a(7t?B;l-bf#obIaFZ`Vzpr3&vayq$Am%c8P{s7+~<wJ|KVRWwJcN7$b&
zC^9H_E=7p8bCSkND+{i+eEziY+RpJ?77ak6U^F=PU-;P7R9uNvUpa0<XWLioGPTZ_
z%qvuFt{i~87c(*QLD;KP1$AEDa9pVRMy*iOrs$S$`K=QUn|i|ossSOjDW8c_5-;c5
zANJS@49)rHjm8sG&i($?aP7KORpvRWu36mu<V4SI1I3PH*h<lr`A6i=9n=4M;fhw>
z6F0Yq?Ln49tLI%i_v|YsolhBpX-l!Z)xz)Gsol3Qd>YLRx+S)68}jAk%x;IlotiVf
zXxp>=R!)0uVr=#_X_kI0_{sd~(;%Nkr_XB^wegk7{43kY$&Tj8T0H0ss|{2|V^aNE
z&Ry*fF#H8FKN{=Ns_cr_e@-?0jx6i==u;6O$=fM5R4y57KWqnff6FdQ#g?*gDv?Wl
z0o!LP%iPRD=O;{*LN-zQMwDL6>AJA8g;q-elWs7dbXg5QP+=|`h(e{hpgHN{*kcFG
zkP~~&QJu=ClUz=*-7r{=P?h-&`^u?Ln!$WJO=$Q<PMywXaJ(x2*JyB?KW5V@ps8|l
z)eYt+TX|keqVKKJ&U8<54kP_D&GNE1!IUl1(u#E~p74b~vM((ByR;G3?GmSq&X|b(
z_x#M}{6x;2+*}B3kNw<aI6((!Ta;u24lWdgwq9p823S~gbQGSzA~mn9BbfSrwEn5$
zUf8UQZ~Z!6unmZ;h#TV|^cqH6B&&~J_Xr=d;RU<$ro7K2{Z=`VU%T5Uz_1Ce3$qJ9
zNB3NGG#c8f?iZaZYTVMjN3G=b<Oy>eiUQWfrA(=*Fre0LUNt(|Qj_D?pEt&A7J&a7
zEF?YDD*8O{v3{0(WP$HiLAvbVGaFI&#7Iyv-a=ci*W0EPA8KN<!aHi8J{5U_Fb3-_
zXN6hpXoc7CFXZu0-Rz%HC%u`Bv192QE2E;EN+a6xYRjw9=UJtH_zm27cWP_Kqf2AB
zdTvjQIdF)jA~A9n-U0SY{6A}cZHPE)3NQZDL5RperXMoIA~vJ<*VTo%brE7$n;+2U
zTo1S&sNK%{)F)}+biOk9yQHA-;tH|-EnQm-d?w6!<={hi%Ps2DN%O(nzSHe9nT1CG
zwd+f$D8B|>wVES$E_GhK&ta(J$jDOh^J{q5F7~9>^)<HrGi;IeT{d-bkKTil=%QOL
zI0y+W4T^5J<(FdKM>qBDQk-RA(}JoOyTac|FQ{Y9^z!@>C+e#2Q!#oJMs;0kX#@&T
zC5v8dEc6_|rGh@wZs0QmD@X9Tx#q_{K)>8RlWf@<b$NYBLP^)NcMBp0gir2&F5a*l
zxB$Gq`pTGrRW(%CfA&E_$)0UrwiJ?Dvg-A*rn$>2_?!vth?a9ETF$|zeCg5wal_+=
zPpxG4v?1b}qcCwnE`2hv=(VD}jz?J+vge!o@m6)OBy?Z!XoSx<+i#*7k!<qqh7e^~
zkFCwA(cSajvC@(Ef)@J`P@p;+CFe6UeCFp*7Fd0~a_szziM(eq<nXLb?w0y#Ra!H@
zW9Qh>^zAgYFMW(!`xzQcTK84AQQS|X<dXG(sA5kAC7Qj{rV?1--{Q{%)2iW97Z2Fg
zZ&oAPjaU;F-QwMDA!inNPCV}-Y;7L;;@`sGeNz}28T^aaxb;ED-y0y5P8qoNh3FoY
zj=~zdzpnFa5q3N2SV*f$mzoUSUQxQS>zQ8nf|}?3F0k>{=!)@fT{=0(X0TR3Gwn;7
z8omF}_|vqVUH8A!ey)&raDInzk4Kg|3vE{)D@F8}*F=m*2ME;@wta9Rerro~zLCTr
z&U0@~o6PrvDo2D?9CBVK<PBJvgqr&6ZWH~_eRy+x>h_kxppLoIe_z<-s9^MFJ(GXu
zm)F1y6N~fmxmjjd<FM&_bkuq8jk;r0c;Y=f^x(hycm9=Q`Ap?>z!uC-j!efMWk0Rl
z%IAhp&w_^+YV)(b4mTD?UizW&;PA(TX-VUt-t{OwVcOExm=DK`nhbt>=i!z@mCL#<
z=5Mi$miR0zEVSfex#NV1PbqT{l3wUEZGwB*kvsQkp+EcJqvQh9tE=+;1p(7G^~=^v
z3o4fp@&boX;QdgK6J>5fZ0LK=Sr4-bR&k^zB6qgy^&6R%RXBxc#|dntdpm@G_>X*B
zcJ)9^O;*eQPhE@UGrK<C&QIl&=&!T1I@57%<znN9H<L`X27A@tx=DNQ(02aaylw-m
zMM${OIJxqvwQ6dVGIq?gP1lgnM$Ae)ez%|+XJ+xFF_C31F-w6;Gd<J)`~`<`>!XIy
zS+}V&AwHS)cE;#juEXUnsOf#Z;$cnWm;M&+-MWQfY!}yS`Jmu43rs9jNk9mYPK~Uj
zHB=rY=tS9Bpx#(dn_`?=!pGzzcLL7MaN-yN<|zK4nV;GZ9qSMO9scYY+lb%thZe@q
zsLMs+TJ1yN2B<lPu>k%M0DuqvoqyFP*5EPgR_urz>|G<jnliZA(0AfquM+Z3JFNXA
zKk~x5DF>H66WhpX2lhB~`&rv}IW4V<cYJMaM(3{Iy?D-l&Paz*h;D}63mMS3kKmH=
zFz+({SjcN){ICjWz!x;GEYOKxR_5*;94`H9TZjG&joU+(7A)>D;j3=W-H#iekHYro
zi1O;il(NnOLg3?VmVP&88GvAIv@U7-9d$8iZA23qjM|Vi<1c*-#Mr2R=U+9kfw81n
zo}+~8iaRx8O>RG)^Y6%F9G{*;ERR-~b`xT0E~aO_yvQ`dP(mvbSw#J_%Nq+tQ{w=O
zTRPyXcn(z)l7v;>YP!BOzXt%VIdwmkSZ;-WnHYIDkzh6R3v+xP-jNfvU9G>tF0iDz
zP?UX0%8N#a*8m6GmLi7G_&LQ%Yt3{fy0%TW)DEv~B?ySfzD~csGqZwr@RJ0O?e4&e
z!v~~ulHhcsSlihDtIbh;#nX3%`F`v3gK>5~<J9_LdNR)ydk%^AKJrTrA$Y4N=smyf
z(nX-NmX)vmC{}|H0WajkE3K45xCNG+7Y|`z8+#6^`F6%6M7L{lcf{XL5Yfb=Ry<sn
zmA1VlFU3+q65-c-;75Tm9I^E50|F9_!dNCR0v@Pj;+v1Y1t`%q{;d(N6lwl=^a0x|
zHXwyD6)z!NqZ-#dIlwp6MM%H{sjukcb{6sUsMMl~Luy0-^ht(pY}<Uj`o;i*?6t%#
zx_5FN2RRSFkr3|p5#nQxy}H{$FphJ^kmmw2DT2V(Bp(47X0L<5kp_E$1fl7yTa`Y?
zRw1E_#Y)l`j|B88JOcO$RiOOaW_F^;SZ3e_G3(-n)Z2MN6S{g?@Xt9?iDZ;fL`Si3
zs-HOlVA-Mv3?oI*Rn6)TRXLpjS9P|lpa96&a*n&4rjJ5S5R~tP9t%q$0cm1jK?>+%
zmf++>{|99Nc5ZE`t_#RWLrTnH0dk4rMnKIESVCp%;#Swx;jp6;L4xy+vPrdGnU8B2
zMCwvUYA0e5^4bswZ?Bq~;v73#)!O-v)<sdas#TJ}Fy;HGm1%h3Q#V@^#94JeMChf$
z(qk>6YSKvXYmd2!>_3c^t^I>kt)b6M7GC18xa`d>8XF$N!1Bm}1A~zRm!}i7^`%);
zvlFF)K!T5HddXNr2~}2*6}i?du=E~M%jP3+zK_F;LV;u3ur2zza4DA$Ebv=Pu{C>0
z6uu0Z$y)_u0-&>rHFYNU8)@b?ORF4=$LQtO$1HW^C9^_=#I!7Pf&w_Me?v6`^-l6i
z+;6qYHZ@|f_57w<ufHleSg2ZBy7o;5Ib@}aR*46yf!XI{K&UnL7LVL^4|0eF9=}Gc
z9Ep%hkLEaWRMncAAG!#iJL4NGs0>6X(%3)9l`e#5D{^PM7iR?=B{-&Lm4?DsJU3>C
zxGiR#V7bEOE_cG5gv+0l-T{LD%SFdq47wu3(vj*gxb_u?*pw+tFL<qXJG|vp0TcOB
zK91&R!KfJ2@!YobmI5NZXS=1Q8=j#G#L*9;I&3vkfnz4y23Fks`pCV~&ZrqyAt>`%
zXxiRx;4UX*F6yTkn&Q8|;I#kRSBti^5+c5^>UBo^w(9Eg9*=qtid!^Ds|S&0Y2;KM
z(TTF1F>i-AV#kW%CNJa!zS-Y3cGpjz8tS$hDor=i`TqH!YyZ^ETT!vBaz=QW`(Vq3
zuh*=_ln<s}`~{!mlcafAwtZSm-J{i5mTaj#-Z`yR<oOCzaHbBwG4>VHwsz<h{XFUL
z#;C_3i!Ku8`%hlqd^Kd#cLhxZ#3wT;0*RF);@6r}0yXY3c4q7u0YUz2eY#z1WK5^!
zn*Y<JBX>%B2}#uX2>mkj!Ok6t!ljOvPR3^vJ|1<?FZTgv**<lRJJug+l$Kj4<T-3Q
zX*^LE_Dk=A#f#hVTCMdiSHG)M?9pptIr2nM%;WAyN^6eHa}eqdbAYq|Qj|vfQx6;O
zN2%#DPD=a!-(71pxbaBsqJ&uaSms9sneONFFE%lz-^MtzBI=6A+jGW5o^LiDX`?e0
zpu>Yp_)#5;u*p$Km^Ei+vlC@q8pV#LQgmkA)-3;Iv3QpmUc8~C-!2+jLZe1|ul6(G
zCXL5fXh0Qbx;wTP%fBm7^&~^%=Z2IZ)W8lA+?EP3R6AqL6m_R2J!?RE#rDjKFZT%o
zE#RE459@U325b<!NokSkSY(GO6tMtiT6g$GuQRWHa_4Pl;bUY&c=eYeFBDRuG5kiK
zfTPJ<Tck$`!SB8i?e({#h-yD>Uvh+%3hQp=cwWbsGvt06P4*bf@8v@Xy36JZ-i37K
z*hXypZY7N{l@J4A1B!y{uBMkpU^9&ky@E<CewD=-34h{?ubYX`a(fo{9r#iDN5*Sk
z?gy@SiSj={nYbPdJ^z5xHM!^_H7n5d^XMF#bs;}v%a2EA4e-m@h>hgvFRfZQ6{XcT
z9hrZv^|;HQ#A+pA+twttx|AQ#%$Vsq*E=G2K~7oMP7XLjXiqDo?_&gsUgs~KerCXe
zLTr0p1HZx0&2y3pwjH{eD4amO+%I+cCaD^Nv)54K9zFljh|KE@qCAGz{OAl2OW1`q
zueeiDg~gA4Z93hK`{9IC_8>aSU`y%B!~Gt&WbkBzM}xoD2-eP;x3)00%fArNVyGjw
z$Jnj)IAT#gol@6H@N;Eb--)`L$O;@fq0eEC2^j3aXEkfEu(;qaaj&~Q&RSQuBYZ$;
zw`-^h+NBn93K6qUPHvK3a2bi6$18Q?*?C<;ejn6M2>ccm|G}1`p;+%dgnhv-Cf~0%
z9}bT}LxsBbiJKN)r6q^<;QhLlPLUU|BaL}y<g4OlIQ#~Z#UUk&ji2^g-jYqVP)8*y
zVKsl0=TW+RnZGIt3(oMUKv1wc6A~H}25`>YiKT)#!>%{&^p;5wu%~qla9Q2=69;2Y
zR)eRVfM|EUjz1seBE$khT>av}#phd~5?V-Qfd@ZQ{7JR&`E)|k%eU#06U;Wv;Ng_I
zpWYv<f~{D-#Jl834WQHD5@qGCO62i<%(oAY+&K_}Qa+;?Z5Un~UUY$VIBLhY8dNoO
zCo1M&E}==pC(WJ0gPSI;sA5|QL)Ax3@qWaXH40+Yb%pNRmkELt(dVj?i1E}dxafCs
z7u%PqPm?_4bnbH=<vS5^S5FA`eB|#^dCesK8rMQZ))QAs+Mf|#%x~#N;lW+?jo3R(
z-B|19^!Q$h_=|8vfd~$g{w@_IF#Ubz`>@&1Z@h+%Yx6ZswYLK5*^r=o=i^O<7~~P<
zGikQOJZ4=b+}b?U##x4>HL&&Bm>o(_5|xy1XHX@jttykaE*D(4bQZp!e*9~3`@Q5!
z;CLht==X2>-Iaw%FnHC7Me@BTQfN+Oz((o~Sm>z2n~YBO3#DxxRSf&Qh7vgUvmQ$5
z<w`&ozj5?aDnhlTdee%BTRMXvW@)D2lRy7OOnf|ZeG`cq)>9-|DL|Ij?$R#$T5~@0
zS@K8|fR#@6^H!m;r;>b3#(WB2K~X6qdWz*%47C>!Ix>reZU;fmNMW|z7NtXqkBpcs
zQ2_krGOXLEm262;)~3-jD=W;=iX{2D{v;Z8ozHY7UD3EW+vfj(?9=>XY89vwVxRG(
z$R`5@)2|Y}N}d~Yj#+|(0(j~bO|#Rc;VNcQNiAK1zvB%_B;d0N&BB6OkTTe;Vf~r|
zyE~+KM_drwS*Q%Q+w|~K%epd}^Y2px7+)LuAfM{b=oNPT&fpYq7?cu^<{=dq`48!Z
zVhA<PE!>95#mVdKQ`_^)FOA2xgC@7rm)Ey|2S7*WuW99?-n6>r2c>DwTff#lbHeC*
z5!w#Hd4=V`=Bf2{=<4v+vB(BM#AZ91Xr`+0d9jxEdtd%8-$mH_GK!)?pi9{8w8T}u
zm6s5Ru-z@BWNhmPj0+$RvU=z<GSTqsJ@L42H=a?n-5vcGgV$Q8%R&QTENeARWSzze
zUqs<;wL7B97G0juF~?<F2Z})~x&Cvrz|CEMdr7!oqE8<*ZN)_6TE}arqs87a!v~<;
z+c&7WU`Z}h1;=Q&y`Pql-*qqAq<aUv_-EG2NN`B3en8m>TH|!~X&u0XSX}F{snNQw
zsh@A&`sIG4z7ey2>9w=>C&N4h7A?Gxl@g57#^SzPPJMW+&2op>lb`k*lz5?Ie@8mD
zSbdn{lLNKIDSrLEnhA5)v5mti=-{qBn}>H8;JBgGZ~1ep)7I2pbR2pkujAI7yB+#F
z4!zQ1`5?h2h_pP1<CU|`FLaz6a%S!LRI2`T>N?GX_Jol;z0Q3#3_sA0NHz9hDpBMI
z3$vHF9sTR@+IuBw`v|&IcPT7)5QtoQJ)A(+1VwM!6n^VirbX&1QUw9yygoG{<Pcz8
zfAY+YlrriG-ykSvA=I9{%O{_~b0J0fY;)3hA>y}#I(9uf=?_Kse&9r1>m-8aUKHrX
zlf721Wbx#~yian<ro6PWJ<4gC)%=;f#)McsCtY6P=Jt~lH+@5GE#q5FLCoE9^OJmE
zFGpkMe+Ts#cj;s_5_-9<rJm=?%~bgy5@^3R<OC`MHxrB4(vBV3YU20jaues>I)enM
zXQxi!u9yD~$K&uhuV5^O_7EuHs-D2(w5#bM&rn|MersOHqC8a1Ub4zGtEaL$FRI21
z^T(bb3Rib|_hU@<1ig?;E}qc7fJ86fTM!5k7k~WIwINz$dV<x2c?nT7jyKD_BMb^z
zFw|8T^Aqv=v?3An#@czuJ^+WAPrN<>(Z4|ph3aIMW^}?Po1S&@ks&5A8HYCSKSnW<
zU@820QpInQ%~CZ98Q|cLw-^)G&udhajdL%e;PSD};&lxrNmcD4C}{NSjK+AHSmZ?C
zF>&+4s}+&j=ao1)j!FmLy0dp0(PVD009e3!LlLYbJ_;cPdf*73F1ezTD6%r?2nHHc
zf^a0Gim-c@lL$y<NDF>2t7?TfGuR`0QsI&v{y5Z8_Vo2GZG_W6;&al${JHbG-2)jR
z8!@Qn2S!j#V|#Mz96KEdC8x1NW9HWTyrgqj5vCJtwV861O)XlnrkGD@{Z9<XjdHoz
zf2A)^>cc0RUIDJ~q~JG6j#xOBq#2k~?;s1StuLEWxk3!PSv+;1ESobp#cB|GVyH8q
z<c6A-#>r&|0|NSi(5q4*X?zueY!nL~GffGW0%vZf5~-y*+Av=xqmzv89NGe`J>5%1
z+|-Cv%AiS*pe_^=77D5pv7sVXn*+q!EdAv;^>wCXs7Q3L-KA|#w+Kjev0GX7>D6VN
z3cRA#oy@r8YlE5%osRm{!<%MG3>ctj$m+^MqiG&`1p1}MOX*cAz!tC_bw5!wGgb;0
zc)&i6N>~B+l23*5n6{+iV%0SB0x(0(0l`FCz2I7OiT6@ZVsUP7#|s>+9;q?wNIs*$
zs_s{CdC0i{v)Kz>D#M>y_`<P2!2I#>MLf0C*~A)@MCDA)<(>;*NNj(>L<BWO54a{(
zE-y>!A*_@bNQxjA3(nyj_Y$FTtVAVE8Ui}lMnAnM*JQYX?^x!4{$Q}n*0}<X-Bvu!
zHjeLm`0Y)@<KF-~o;7KJS@;d1xR4MR=MnfFH6i!GiCcaAPYwsdPb+#dUQVp39C4!S
z!|i-{laE9`hmI4gXPY`)9C9*XR><!QL)<zcS<%M`;wq76P42~K40Y6FP9_8(p>W04
z0BaI3&h)0rynq<0ybpbcSj4kFBYatJ6!j(qSQs=5I1U~q_CztAqDEYTp)(544R;bm
zcEO&D>lfY@mlmx`QnauJB%+CSlTaB=J5kY%^}VH)<#y<on5BJv<9_TT73Mxu6<4*^
z8p02^*8S6_zwTYRF0VNPh`iIoOaUx`!s{`WbRDqZ!6&Z^I*2=-EMdcK)XG_!lc+V6
zoD&3!c5$p^+{7-N_3)5SQchwA5_6%#_0Svl*3Nr(L>8K)0m-QB2DgoVls*S_qN;&F
zIlAUYSLPpClI`_qcW37!OFOB$8yolf(w7ofb`XZXbFmj<t$Pl^!5?ltSG>(x*syKi
znir_zh9JNr-FKFQ&~w(@=_oV0VUj2M9RKUaEyuRC5l9oHV~!YFmxoa#*~-5vEO+ut
z=K>&|GBo9Ize8<MjN(-eA$By<`LA%B`8SJj!!sYDt$Xpg6BJ2wI9DVpTJ)s6e*n9!
zlJlOvdo3=g*(Rb_oJf`36;(){NzF!UP}^$%xEHFnYPci4{eYUvvC2foK9Pj@cLNR9
z!SM4BXd!VZZu~XlTXP(!ShqUkxP&o9HK6d^MkiqdwwsuY<sHHY9cro-Y(sklJ+0J@
zp5X<J{t&`qTO8Kt{1G#LT8Xg<wLtab<~z;1psQ=R$<QE82erE8+q{cIa5ga(Vy$y&
z^N*~Z=Cai7(F!`ytt05*`R}4Q(DQPa%?KG?;;gF1T~X=pdT16}l;Zovsqh}kO9w1N
zlhTFpU8B2?bGve8IBE-akiVX#q}4I2QS5V!{fwxfr0b98s76Xj;>t3=dCs1KFl+nj
z5X`NBd6yggjGD^%0V~nI6xJ=?e}Xi4+V0JvWMgQLYd@zh3PuUr4(%sZ%-5Gx0@~Me
z(3LI@n--U@%`IMn!Pqv}#lM>%5ajFdgz($jN_e(=WXX9iOZ6QlfumHt?c141b33RC
zVyOPO-$LA0UFPe}!&!^eBz!OfCqIp2{|nb#gs<cl`AOQNaZd2kJGwRg$s}XL7L*_)
z(CW#l-0KJ+kE#rf*xgYWGaYNK|Ah<91k1dri(#uqAhKeCHP1kkS`q~F_SY#)#%K2`
zmRLoUx?=~x`pL%X4=h;Wh%?o+%fRkH#5ETJ6%K|YJ02vYv3mesFM@Ncr<rMNa`<uZ
z@1r1>@#BXh2=oaJ8mK!xk2N04_c#o>CIh7`f2MUOP6`Ye_8EX-L+W2mVq@=m${$D=
zVotkpokAW#O6VsU;)@a)H3_ikGK{fUvJP%Lciot2?H-|v+Gu4D<W%<tY)kpzg|HjP
z_F=h+FJSM>Fa3G!)%_g+{N~vi)sis*oP*nne<MWn3jVP1_}1waB0K>H&HcI^t(SgP
zaK=q2+Dz2NKKUn4?O*@R<<$pvMUyxJ4!vVpY()0v6jheEpZ@Szj-QtxNO|Aqza%UQ
zVI7W&%!<||bHrxb%SV;~cFc00W#;3*7aORVtM>PG0CP>Ma{K*>;4ng2ONM@xfQST}
z&kcBt%`oN!mlv}OP|`xbfj$y%e59;-H8w7#>|W#8(Gs|(=<iqqs~5LeWWu2W#B}tA
z!<%!40mhL}tr)qpX|%kD34;5JLu(ABwc{<47ESS9R#=D0%Xah^Zy#vCThK|##Fgzs
zx?wnmipP%e#oESMH6!%I3`j&>eqEq?ec#I`32uv2u-C-e-#przY^3@kf!sXii=tsk
zEj>Hny!a_)%E9HENXmlu0S-@~O9z{f3)34HBL0i_{x1H`!)P48^pO+hGwb(#QrZaL
zbT0<WbK3__9bU%!b*=dU-`^JX5R@|hORDww&@s=jOZPUNa+upd#ocbip%&531@ch9
zSRg+Zdn3TSJbx|A?evFP^NMJJX@FnEW@&}*%%YJ9%o9=evSgda`&3-?VR~53%cfSc
zVzSpAPTZjR7JIA~0#Q;2nM7X*qJfAuXT@U<Mi@*3Nl9jRKtmrK*%$3Crl6=H{mg6S
z1hMf8pIdlNER|<23ao9)Ui8HIy_2KQ_g;Ffj^R^ra1|JHZ@yYYb=&eW{(G0V8`mKR
z;ljD1ZO_er^ivADFcVYXS#%(oI=r!fsIW$1que|4wF}Gd{E#C8b?};if0-qrj>>B?
z<G+h8iz9?0_4KGhy*+<E@8UscYsl{(eckw_+h4mzoDIluL|2Uzb^r|8szN#84mzV|
z&cIJ%QNFtJrv?Pf>JN9q?#mKVYR3Atx%^Q@Hb+8wt#MYsE<pL5o%D6EFNe}#gSSWD
zbazl-H3cZ!nS2uilNR;f6Lk~yafT7X0wKLYDmU{4o5ZH_7-AP;3DRKR?m--)Ds-D&
zRi*mL0g*Ss2DPoBZ-^a9%u9l`0guFL@l9vV1lf|o-cEX$HdA<F|DiRx&SxX9v9>Hh
zD~g@2?{o#C#jW_$I3!MMs7Xq&pUG?w0}@FYsIqk!oCKe~yV|jm{X!^(P)y33P+}O$
z$UerNn~vW>ky5Mza0FGLiwdYzearRZ^y$YJax4?}NaH&*(9jTh7B%1A-aRpO3&&G!
z=`4-~HCQ5SQBk-Vk^72X0%6IhO@>dRqWD-rO0l+xAnfCXRSI`BN?ed4#CczJe<V~;
zYKq$pd^cyx5f`lwq7q<k&!~AGsI;+njssjPRzQ^@lh|$A^@%jgNW$)Eu=P;YsSPKt
z`2WBk5<TfZiI~y=x8dKObo0N@_OBvK*_Hv#i8urPbBHbf)~uZWz4`x9f|VV^EAu~`
zM)SYh{(m0*^j~ojGF@g>M3rXg<r4gV{+-z%|JGEN|GoMDhpZ%9P*ZLA|JU-8|M!{D
z{~x}wC|eZPAr+6pHT!&sc}2{bV8e3Km4I$Oq1cK2!gOmiGS2*TK;p`#%8Ib8Pg_v~
zK65Trw!oq$Xs=c?gYsAZpcYmNBk`-Lh`_5YshP4+Qd2Z9NqOSU#ofn!v;|eb7{Bnz
zO>CofDIt!^K=dy4;(vy50;^hr6()A6QCkNVjyL=`u?G$H!g2z9f6heP(P5R)@>ZQ!
z5sxlj?xd*9-IOb+#Oy=)m>)#I*iDS`MsxQBQx~Bzotn~3>IE`&AYP@GP`Fj-3XA&3
z2@pd2vc0hFgWL=-B3q!AiVh<Bi6M9l2$i5ur0zt{yN%YRh%|*t3B4~X4heO-NYF&-
z3o8f!2p6Js4d^ecD>9&f)Q{eMbTa`PL<b5>Hd>w%nt*!A(gQDrZaU}003sISE$a^3
z!Y%UCj|*i#-%H%TFt36YaaI7?vc^!y#4^^PrT0NC@9D9M(`KL!;Ri9k_a`~IiEcNZ
zMd2psU>VpQZ}eX&g7mGLnJDcL??sltIUfe5#^ZaTKSIu<Yysf8K54b3>5+H;I_=&h
z?`Fnv4<tdLG1GzXxgHZ!^(Y7I4TcFoZ4^j%lkZ2w!YkNIiXN2&lWx1L@W{rMNftsz
z6FgvS-AyKZ!XO&jA|QItg;%>W$-pXe9AOO~hnInlDm|S124H&WS;q;ncMrVGls~LG
z7@G6Eu;y@h!I@zu=2cP=Ij6Rl`2nN7XbBo&NsV&}4qxpS)!Xy3K>X~uF?X(<b3$(s
zN-SzQi(mpbU80T!Z?9dwwxGLd5>QF=7L%7me@7#FvY;V|WidQB`6Cd2O`55!UItRr
z>aFqqr}qGfQIs8wUTfvci%x$tl2F2XZoS6o1YMVx5kd$B$nz3aya92JH}|tna2{Zn
zz@m}b21$Zn0v>JXJL{bybKe;$OiUwXv~3qZ%_8C>%9zwwd_17S$jv3}i)Lg?kq^Kj
zlm<CYfdHthIh+&b3bG(Hpi-py{o(qMiS-<ZU}+||fWDxvNvhNVLaT0hz~Ii*g{t$!
z?2)#Vy6P9Tu*0lsH%&-tB3-U}0#(Kbp?#mSBem*Tv{L*+LH-$B2|`DC*mOyW%XstC
zXqP>Mmkt;_A)Mjo<i4uMN|ENQ&CiD>1ncm-@4h8ctL8-9Z7W0^qGoQ+Vu*KZX?#J~
z@+~yuP`WR3Ko3f3G~;c@Z)GcTf=~Dj2JjGi%EXd!4x~enYkplI0)O9_7D7@p)`*j~
zxY@D*S=1Hp)Q$d_ke5K)_?f_-f$wVa!(&gP_nX!jER`dX?RsxM-VDn;_;v5W;fFr(
z{1LMj-~xY=9AG%3j9!BrTr$!Qy9-J0p>v0k+A$@vqSr)1LN@fE&j;1y^LELydv6D9
zFp=n+$69C4fxBk3TegU;hy?cNqC5;RQsm&npnVEiIeCF!_@J*k$A&hS_3Wy?EgFxl
zg-8heEWAKeY4i!0+)QEhidLNud?0V^>2eQbRM#{3I}ZMaQc~+%=>Tg`t0sR%)q#+E
z2TMiCkebYZ-`y9uVF`$I^Eek8^oUpP3<0OYZ>bYwTPM9gJpYUdENehjsErfH01rA_
z2O*axE|%HBCp=7(fbLPq!9zt(3ah45lbpkUUR$f`i*OM5J~WC%Tz;>wRjg#0VJ}wo
zvkB}*eH%t=rmh0#S*fWBv7;r4IO8!QPC=cY(5sDKdMmqW-7WM{2rG(rq|sjK^>wLI
z=MPLu2St){I;D#vQMi>pMo+e_b)hx@HM>Nj^a+o`16$fRr&bV}v|GHLI&?i7Sa4v=
ztJ_EbE*r0vsZJ3MwWs|EYC{kSV`|Fq-#_H^wQh|cZb1Vh6X14ncg32xO^qAd&|KQu
z%JM;|>7&4%X>wH%5u<JoByGXp&?J!2$$TZb1+`$v6N?@)=?jJV#(Ppzs#NUv@<JCb
z6iN(0O&}#%Z)rau0zAT4icmqur)BVa63NwoI^o`^c`~kraolkmj3rZAYXn9#kcu2n
zB}FzQm#5Z@+cWRzX3(J7p$*C%{aeE2W^P{XA_TW3xIFbo_3W=`j7TotZ<03tUI!G^
z7ViRx07D13q!7O~zGPe6*fM}yDJD$T(l68E%klz*mk`*2(AyMstacgc0K~$pLib@;
zS`ZIkWPU;{_v)igI9bvC;|Hs=jzpETYPFqCq<3l#c#*!9b25_(Pe&Upq-_Kb5zc2P
zKoD2ed-lQ2EP+%vAak^<J;=g33Q4*d6dtcVc!;dc2m<&Ez(f&{Q$(cMo>wo?Ap`at
zqxPQo3~fWsRkw{YMc)S_5vRKDZFKL=qwQlG&Dp<j*(>ed5S)S{XZ;MB5Mfp$hRCpm
z1H8jeAb`xyxB(JT_tX7H>FofkvInqlkeT2*R&?wYLf@1%Nr#k_cZVQiz~~j`;$EU_
z)}w1HdRU>pyK;~fdcjfW!$hr%>lFs~ztvuHqG*`7I&lDQnVWXKY;fX#T8Lm8&2MKx
zUk*d3cep6d0T64h@vts5fi+tl1)x5tFHJx-Xzw8dy9<Osuv$LCt}6>Hs5Q0B>zmy5
zy$<P#LWrsncz=Wh*SR@bcy%7&*Sax)V)59#f>9ni7=3In<cu{s%EkRgDB}}y-AD#w
z$j1SryDR-bf3{WCah7`II(M~bQlEymxV}*tqP7BZM4hiq+jT<tp1|H&w5H}U(5a-A
z*-*BswTlT{=Twzd%Ghl!<mwX;va<T*ei;c)K-fh<ynt=Mq%gU*g`Hd_(|G_Vjnwi*
zez|SN%+`y>BkK%x;!NVC!szJ!)eB4gBz=^~3q<z6KnDl3CM(9bT5hI2HrW((#pgjh
zi9tS*Sf!=mi1oeP%;r3FBtgGTU9<Mb_W@47AG5U2pd^!9V^YUF4DFo#eLEK?QI>Y^
zSfpoTe+wa_O(iKmCst<_x`%+(vS(-y{FpHnVLu7XEHW#o9aT@z!R1QCYE30fy~Xhd
z)HO6!5uu+L?@ux=U`{+9y0da_aU29IwB!nH2~@U+%BVcb0`r;(e_+N&&_KLI3O5Ah
zYduqhVjKRP(V6%jvpzfAZE36bh4L{krb1=m6W^KBdXN+jFn@^$!ZlS$sDRXa8VK|v
zzdUwVGd<zDOh@3&B)((3JFJ_Y;l&U}RES{&?}js(&1c=>9X9<=f(l|Pi_|N^(7gar
z145vTc}y}pz$F5EM8dm+Ey3h-#uX}pK8BCqDM`;SsR?J=1(2O47al3U_#9v-%NwsE
zB@~Wl)`^mkn7cWFgQg{f^)E|w?31Ck60VQ&4sT>3{-MBvbVEKLL0JAyd|o4K>%PpJ
zK+@XD(&n>mT{ziJm(H|CE72f!wYKsUvm({U!x<A6Xr*QbXNC}$sO6Bcdi_wm{{{*n
zg3MpH=MX{>Vi#~TqG0h9Z$T@6V}Pn5t6N+>U1C|_jWSjMz~DfI6;qKzJ3FF@OB7-a
z*`_hm&qD@J6ijM}JFURII1uh-f|#jQn*xt5@b&D_yM&2J0bfPpJcODW${JBP(^7A2
z`LUc4sZ;Gz8`NKptL|gP&4uF`+Z%J0;8<4aO#Hmhq|9a0Nfo@Rt(<=WD<<(tnIGC-
zor1yUv%UUtvmoLRGp|rWm01QTX;@vq8Bb(O|5>jnjV!_yreXcX3WTVU*+HU^fc!cY
zNhvYVh*K}sjiuCz=OI(33FZrcom#eSejz$BG8n{I>6Gpx^yD&ykQrg6W2pTYuNkj(
ztmiB$Rtn~Mi7b>>5x~+9U^*q;Y<sC^sY+|5J0yQxV(XAbo8r$3Uaqb7lpLTE&5OG~
zs@O9&rEfur>q&mWBl8f`xYke6YQsY@Fm98N(wUQ({!xpHc$m1A&m^!SPDPLT&ojjc
zrUXC)K)$Q$)K!z-w;^=wBI3!dV~lx%MEgh$t7Lo(^!7;|BC`yQ#Fo7_#3{8Oo!O6Y
zeADjE$^-z29)Pnc-c)8qyi6bqNLuMK;OlleiD)gP?#&5^rPkKA22CQE3YQE#51|9?
zBRKF|J6dznZsIuX3BqwY*PFzf7#l%V-VD4*e?wd#$T?Lm78qi@NF+~ruGdy>r|Fq*
zaddj^uB7Pm{c^&;ZUCB}OK9w40yq#W)1U#o;PT3)(cahKqt^urCZoOmQ*`3hs?5{E
z_mjDl_SE4iRP%^E`Q9R~mNmQn7D^LT_CysGx{pj(hg7SUna?-oh04_Z<c6HoLLwFy
z1$^3ov8#U~8bM?YO>_xz-=;jTQLCR1C!f9OD4keTZHG>Yu&I$$Y@7}H$M8X7nVeNp
z7~80vNtQCvD-!EiOVNW1K=>QhGhSbnfLAzyX^jnalpO<@3poWS;`&$qNpLXBhpWej
zPd~H0vnsv(*PJ$f?HI;fI?^Py6tgR!(g7BXL1r8$0pAbuEk#1;sB=Em_wy1gFHi}M
zmfb!Uc>YVaePbqb4WD{~<N=RaomP@wCJrXeDxtEsi((^miJnwD<El@Mv_u6N3k>>#
zd;y~-^-i0mOZ%U97G&77jvX}KT^Zm@uwC_G=zU%}-s|(7rv4k=Z~cC_DAZa)Ohv=%
z$`q+SCIK@f3P+~)(O~X~`OqJ{!3r_!B;Fu1W#us>SHltMhmgvWH7CG+XN^Jb^k5ER
z)l5aPjybC{;*~`86uYtE)Q|(Sk$gogZ>#^OxpHPyhdTu^18R~MOm8V=h|XZ;GATjg
z^%)J`QuB@s*V7u!2`{EypIOa{w!@^wXX&s0m}*TBd!($jqO%85+Y~AhTL~FL4MG+q
zV$0YW=G%XiCBj4|oKB>fZ-CQuA+deYMGiRmR(+4MGKgt4m&$e|nJ@ZOBpgTJB8KnP
zmQ_mYxI9cgWgUthV8$v(ecG;Os*!P3LITqO)gx#0Q_gz7KPmsNJFL2xB&Ud!A5~K2
zs+Mr&rKroC`DUCcK`3_jCdRy|yO-2QIlxAN`ICC95pI^$mlzG4Tds2&YK<X`wKX^k
z2MVcT4U>*3kX5BQ!&}5q8!9JdNhYmKif1hRkn0B5&e(DfWp=B5PZ@$4lD`=#k~919
zZ5P!(6C{vH3xN2G)Tc(v8@Gp^aO;+Wo)ZQu_wfU34JNm!Mny$NT+D}6dPM<BrQvKF
z>Y(rs^0qgb40A<J@hgc`d#*&3fg(vxHzet(MA&w}=^ivhVyx-BQdhhwX9`QJn=^&|
zCaDY1ya!Jbf_6i1ZTuk(*rh8Jk0DAVg1)60Cb^1P{P4?{AzPx=pw}UcLwQ-FL~h=w
z=TQPJFk6DMR{5x$Xw#T%PRpDm%Fza@=8Gva(<^22qZSgQ*D4r^BO>W%im`AupDv<l
ziZorU-W_Acsu2$|5P@WaY1H(F!k`D?&?`u>(N~0pm}+cKOc=W9@S=H)Q^!yeOrDig
zcjQ+EIx(Dk=(9{x?0ez^M>0;*@ANL9BN?lbD-iu<41XqAPIACGvCRP;*~`*AW)?Y6
zq+wFbq(Me{6zX0H&qt(QiSE5<ts%ss-0R2Ql!y7DDR&Bmst2I`QAw*Itjd#E^U^X?
z6$ULWLAt5Bt&<Xnq#_pPk4Q&R8^>SZ{nay)nHGNAfJk$*LzkgHtzG5wx}yt7(S}=)
zmN>~C^RNV8cnJcJ<cQOyctb~COzK&%xUvPT`DWePR>EB|u$PxCf~;%=a2z7<vuW36
zijF_xA!7c?gsbiOyhaRJ#$7*0Kp+k0#JbRmon*DMi}Y)BDdj~|Nk|_obS+03-h+Z%
z!<(YY2&80~@`_Hf#DWmL3amcp1qY>;h0kutApV6AEmUL$t?(ol!_XNf<`ocF*#F$K
z{gyK)f>B@|l9-&hWctn<oCI&Sl`x2(ikuh<l(Jk%j9=rHVIhpzrd8NwwG;F<jGr=@
zMMjRJ0t{NdT9BMNPn|br{7eV4q=W6zOO2rub!Xmc(yZiF1T1nl(qPR%#Hw9Srb_*;
zM<>4K{t9c7{S3};ke(<-m=|iVODZLSNty3_1+pa<#_cumZVr=7X_@>6%$6*S-mRBT
z>pgO28Wo;22Cu=X!uYdXqK~KNug%dhZHh>{cdX{wL#P&Febs=K+Rjp43q3_G7#I*5
zdUrDhOnOblg$8uj>O6H-By^^z_B_`q^^>O6(;8>_P10GZoDP2PZJPR=L3-rv^IidF
z(j?#>RVv}QUd*oYvDSN6weZvGf!qw63RRH&BlCv!5ccM5gXkQ0ZJ;(s>z4034h`x7
zrH2HY&NK89z9xnHZ6CCMMP{{Yv>+tXJQOf*`bOg`))1)CR-ys&5GhwL{CMu!<`7?A
zOhRk<OmJ+0wI~B7c|(R$gOf;6ZbNC<oJPUl*;G|DB{4JsX!b&MDACws%s}i!vqcu2
zV9Eg256OF2%s7k{R6U$B78cH!U-~r^xM<i+)0;sPWv&ZAdIH-7oO+<wW+Pq^de-_u
zhN4St-FR8D@8xvJTwFR6U7zmzVVmV~{`E{64do>D2L-B^T=NOPO)TD7b3SWFAS64@
zJyy(tnpiWS42G6`Gil5n*H1eNqi|TIM_vQyZdT$jC=NhZS+m<y=QGg0SJYv5(U$dN
zr>p>C3fsB@bP2NoBWgFRAU~G{P#h*s?@8IvO{VtAlO9WY7wz%E*xWy-Z~D&Xzx#3U
z<D$p!j3jVRgy@_jsuMzz8Ok4{7H7Qd2yK9Scjgpt_%jKE#J`#SDVK?$o3;95L38q`
zs|Aq5ds2PwKyQ(dtmO|S0)ORRSDjC+B&Sv7%##)t?~xRT$wjK^m4~gQPvwfjyU>@q
zQ(rcd9DfL+@xssRAc8J6!GgneG_g7UDdu6_$a}T5RM@j*ixQ;i4mRK1R8syadQf(x
zW~BLe@1*o?ZGfMH5YTsH0zHK?O4}tFvH(H__O@x_)$LLW&<t2ol%JPh(4rm%g~J=S
zt{p%BwOaChJL)u_K&99Q)uJOHuyX<B3fF`8?=#V9C705LvapfV7^Bnxxh-jVnbqV(
zAtE+WIMl8Dej^>UOVMWD+vf`7S@BS!5K+lmDv&y3FC@uB8XPXYsiME50H*m?RY(I;
z9ObNhQ2x2H$Oh2}QLNqyAOEnOfjn>$Cz2G5Yjr;Kj~RAVqwjfhnxsw>HADKBsgYcY
zb)|X?v_@=tp<$BFlaMr*T90FV@6`~dWZHM4W0iD)h%cmmY3$Kqns!yBLwShe?IV#L
z#<?A4DsaXNk_;t35N-8Q<ok>88@Jv+aesy^XA|nAeZw<({8G1aqa-ZXGW-n)7dO@J
z2B*hC*{X6~`A~}&v@0ilJ!`<=+Wl#VGa)j<+Af7PjXi5b?Yb@nhoH8I3N^sw)QM2!
zHj{d5Je#&&XKKKC2!b+eI7@S>-z_vBKmXONUVV=(d4@#NNHz)5az5m@v=d+=Dj<2?
z0o*GQAnBsbzv9OD>92JSl9dm&JTFA;5QV$|ve*1R73wR@fbwe80Gt=AFRq80O6*8s
z=U(W9?BP;DLG88zmjxv(VIRO+8%3S;;OrKF2d%Ni@EW}xxWuf_wbP&@i0EJP%G(Kr
z-lh=6x>gU-Us)cfJumkY<ew-htrz+*)iElz+gVj<E5B%70AYFW+1M5!2P28Z0Q25D
zr5h@90u<fJ<0AV|)GsJZU;_Dszw?~;L<if)1rkbh&{8SN_evR9g1EOnW=MSnnOf9&
zYBnqc-ADeO?GhiVfY7}q1FrHv+TKEfg4`a)BwhpN&4x}Jbd`3;Y>1k*y*WQ_l#8`R
z%jDC2<m-hEo=y@d+1mU>V{F7YgLw~(bADpihBgA$wb^wOa<}<TSepe$ntpUH*cpQ>
zVfQl+MYiK^CrIt3X&LCOA>2=%VAd)>qcBgb=HdqV3g9`2`acI3{`|bql<E7crVFVG
z@}DC5)9N|>PU`|<>0h*iQ2_V(hQB&ghs)NXIOkQksq12W+i+N4Sr(0xexFE~bQoam
zSnM7JX|=;~`|D<S0uQ7C`W`dr!xX8_0iuih=}^;V2V?rDgaaspC&Up2S|08!G>Ef6
zUPM|=BG6(D7{&0G0KLNeZONk3#&vQ5H#ucqaZ31*kJ`f*^9MZ$yS8i(2^~W8Mh~MQ
z{gIssm>#+^sl}|~EhBc=4FLICH87H*Ss8OJVG)<f675N(nD!-p$<Q?lWHnD1aN@A9
zX}oZjr6t!{G8CQ}26?AvgkL?7Pq-l)<^i)w1F8UC0V8DZG~DBd_hvAw;&Q^~abF-&
zIBEC|E;May(Q2|I(JIJF=o_!WS6uHjY7m0zaNvHit1K=BC)CE*C1-=H%PQ7M`ckNm
z-&r}IYZB{&Q#Bt0rMh2dI#)ghfE@S168k}PXwZ4nXgsoX<Z2FM+AuL*#igPxvmo)<
zA+Cn2i_WvAHb%=}_)7uozkB^-gF`W@t&yHSDk}5~?bS%3q^V>>oU05S4G6k+E~sz?
z895mKrgzh-_S2O@blBHQ-jh+ayuaiZB=?DXDVBF)Turi63>*YBI~@KfU$w^w7iGhF
zLIFS7f{xnu9wZypT~8?K4ey{$C%3EQoFa1pV2_==w+}E+EMN%^=Z<8A65gkw=p-}<
za#9;)aI3w~Pq8i`J%LwKjN=wk7vzGc9)%G^lcOaHS_eUpRBh@6aBh?bTO(qi$ctLJ
z`?l!h$?99grVy37r~{Aft7J=#L?)E10yUlcbOx4bS5f8(CWsZdZ0I{G!i~KU8EY}B
z9R8?7D=U#n<z^zUpo048TwlCX4tESJz;H0|SparyL4}XD!+vj2zl1ehqOzfTig-zd
zK7;EZ<l>ZDk}@UGieekOh`qvEQ8v$Uz`v1FL0cs@TSOhADzZqRDt=FD3rAjKqUxGI
z{vM+53V-ONI9;@6i`5(96sW)sssRMR95RVCJ2d7*pff(n*%?Fo036|=c&p&vkf4zo
z9X!h=(KE~iaV4>2RLo5Os77Wm_eafnZ9jpDni=cy4XqMQHkP2erSfc_zM-e230ZOu
zX9sIgkeMnoCEha_Hd&KZE;W1+l4-d8Vp7l_ffH<5S)}EuJzNS%&@V~TpoXI?0VAR{
zuga0DlA$x&Sn_RS{y>BrFIvNLK#?Xi^+?=d2c=9}^+zuH$Z{;@#{>>4%lyEhI&cTr
zR`OcoXozxzf@&KjhA&pOVhhpFSr?fr5!!p3G4=W6Z;5#?qEaNGc~0t7y5<ZLVscTS
z3rS5>kPd^RGQv?Sxt$Oe8A?9{b(R|0YZ=l1lB@a;yQu%im9)d*b;%{(DUTNQC5azI
zozE!)$ZbW|#21k&eWU&hz2K5eMzjj-pj<K5N-N*5jq36qGkAXhWamicDiE7>g5<qX
zgn~YDd7%tofUDcrRUwl8HW0h}6wpO=;7SQK>0o@zvd$X4z^{}n%b7AD1%J4s>PxOt
z<PezLx<dQsA4W;{;g`TU5MJh}rc=PTsyn~`4SSo+nnoqGP!zCE{WS`JC$pV0UPi-v
z4wu}62ZT$wbjCd7j0XvVM9Qz(M8cM24rxU;2);2VY9Mk5;G9X-3Q4b8MCtgq^E#8X
zkAVx=15dWoP$0=#TN6|^=hG|$SR^lbowS|_*Mnr1EJ(IgKzV`@6!lwW*_0>vxFdLG
zoNdY5jG;k^Ih3Ed63Nql*Z#hsvRJxAWCzl~rPjQOney=&`cFWG%vV%UA9Ij`;lhUE
zKaPheL_~|VICFdufpk8-DC##GM9Tw$0w?w5fHzilPG>TiqMm3|Wd>OSc@w^7_>_wQ
z-{cMvsJr}Ytq_n9%M;%k_f%zRD)sY$ex9qW6}%$zHBQ#$Ch;AVy~G@(LP?u5RbEkb
zyHvkP>aF~V^|LxF&zE&Vh1CjtQLv1)^Cz`(yo1^?Q~Dr3F{W?|c!3R8#d=v28xOWQ
ze2TKVxdeMiYQcd!))N2n3&olf_cQtf+RmiWxs1USH#Gt$F!UWkbX40PwciNtp;%Z+
z;{RGO7!je16DCeJ%_F-I<@_O^5eC#Fo4y9o6p|o^go6QkNbBM42dVq<hW!$hDMZd1
zBDqV1>O38?%Npt=k;Wok(!!}R$$MMKm_U19fMJtZ>}Lk6XpysTCwUraTG^x6Y@jI;
z9L6Be#BOX@X?{rfO!;~3*>9<I!c?r5Tz)+=Cl8jSW7xT;`9M@|<t{4(h$e$*njEz8
zQwvif(Q>f;WG6wEk69}BHsBu2RCqKHa&1Lv7NErv7~V)UDOS)p;v=gtb5hGhx@=MY
zLdo?QTH4GL2(tuz6<K7u#K4ey4MBkR=n)^#`2-|Obk6v7kVQ5;GLDh0gP}KcXoWg2
znmmqW&iAtqY7Bk|@W{5*#yXEYInkGr$v<^K?tSWjawSVRk3E?9=CaBbIFt}oe0;6{
zxlgl5N|+_`gTt5qWi>|kEuWT)#CEPEjPWc&NxfnD_3MzqH|*Xk9Aut=2h(=c(*!Sy
zHYe7|QOy;p*8gX$@E-`D%U==4>LL>2t4hR0io{VSP!7;2AKzc8PNc^v<<3lelA&12
zos4LrP$81+s?7<k3>tV#XZFAy(3Vc4ZOKipp_z|wz@J^iQb#)W>~)Zyw1IKeB{_=b
zE<mISg)Lv+n<g*}D~q1B_x840XN+ifvq)^al5w9DmyuOX1IJ#{ZZ&FFLSEV|G!g6<
z>p}EPB_w8dx$g-$LL2Il-cr#%uf@F>oslunCd<4I$udptD(lpSZM!pJXJwDaB_RkK
z1gFjjXzfcPZ$yiM&0H(2UgR9wg6xJ%8@H{4wUtjP4ceGJI9mgqD$Qdxx$J*79(fNz
zy0Zj4sM`e_=yg~3mqt)`l7;tVeUP?KWnP?oWYz%MaWfy^sh?jaTDg0erVg9n3UG|B
z7mp?#y!(PjIpE9GaIY{0bcl(oA}7!nMqSZy?-AB@t*nE%i|9m_JFQ*EJ)NC{bpUKq
z{fRzJ#`egNh)%3Sd~2%%yo8<)b`=Oqb*+``;3_8M{oq2S5H*f2)kk09%-i`_-FQPN
zK@UewOf7Out)b~Ytgyap@?yVa|5mUo8@bdydO-LaFP-xT5nhkA-ymu=@LO>HnsDz@
zcw-B&f6|8L<}C|23<bH+czB5)`rsM_lY>5H4kp@jiBR1zCb#q!y;a;z!<-T?!Na(-
zhK5THG+b;Ap8yz@>N}zbYx5AvkpwK!TDL^9OlbgeXlwOqZpY#SNKic$z%S{29U;8n
z@1Bk&`C4;?(8&d@vxYDdJPM(8?HBKJ5PNu1PED&(57g)}!<1sVb;0NOr0^J?*_V+-
z0~4m>uu~}ZMV=QI@z_^P+hCigw*}DN2yv<_51@E71NIZ9;<0O2)jSBKoUUl|Q<#Ve
z`iM|<kpq1`V}ZWVp1x8K>g2kb5c(in?Uk$z9{ty;3Zb0&KaK`YSn?>R^?A6!S?ge=
zPCqZo>rq<6B4iLI{m?5tBG#f54?3zt>djW6fj5y&o@&#WrJAW^ODo}X+=|vlFX(QN
zD1-zYbzdLN!R2+gYCKD4gWHPeWU!@Fc7eR<J1e-|V24<iI@&K4>RFW5a61)3EN?l{
ztM8k@n!IzYHh*7f#E_`2G}+6BJPs>3G;>qbMaYVf!!fo^T3rFjaGby4ZZK?uf?Xz)
zB)^kbwA+UpK&@Cx&|X463+9a!%xa<GWs_lds+B_YvMPhJb?wXO9XGnjbeI0n>STa@
zTHF=BtH(|`67r0o<*J8<lGaCU$Py7>XoKtl*e+gOieVzAgi2YndIC}GheWsA@{3sG
zGxde3H6O8dq=qClt?00gKBxox)};tMW!RxNKnZlfsUX*4-;XE-5)Hku?l*K2kyW8e
z?lcf4JQR}z#0`%dKDCkrMSt8tjn;or{7~oVQk2<-id5mjB@0X?SY|~5x2;{X0T%#n
zrU?9(hk3^5;cyOutR47xw6=z*y&MccHj%-<c#T`Hf?(Uq%0%ph%a(t1PS>>5He^WU
z>H8t~TO)fu6(Js|09)C!qU>!qVI2rb(2sWCBAu2D8}v1W+i^dfU>0JRg>8$j_Xa=@
zPMP5A01sz{WVZ!SZ?L}f=Swtj?dZ7h#|t8(#nLGQ*S-+lqY|Q(_I&?d-RyNv1t#sc
zPDq_emT;mw8KRisPCJCWi_o?bf)3t)5zuMoD^DsrsE&iraWASxEB~dwTZR5<H%cdw
z+g~@}un9#^k)R(#_5t<bR{~AQH=%S!#@RDV7I*?}rU{ep&fxU0JY?q~D_k3V;H4cn
z)q8dCFy;mJ`&Mr;pFDei_M|>feow)Mm70n}B2;>r->!bL<*BtS0$F-%+(zg-R>qQz
z0CH|BjM)zJz82|oej}K#+1f>t7J(gny?Vmae2h?F*6V>ZRp;YmiJTSujBvRNe6wwM
z3n&3a!$F)EhM4{=G2otZBI*Fh+u97X=_7kxCq3O>(<+-$)w!9@c8-{ubPj6~;HGv<
zNkggv(W4#DV3f^bZEJnqeQ<Z32)Y4Ha;MGT?cdzkg|%Z_?{*70gUNi}MIhVCzlFd1
zrt0Te1jdKJ@Lb^8$2}cu!OzvkC{^2B)LL%Xm>y?MIPkiYHzWS75m07e;v8HS2C`5O
zjXzD>*>(RrAcf=|oZn&G<B_G#LQ+ecw`plc27QXWN75-YxU{z7Np`O&B28<c3fDXx
zb7m&A2t}GKb*P||#G)P6|NZ<ICf=6M$~mqFLlLo)h-qCv={&NB)(5&Mm6Nsv>W3kn
z<o#J|tJ)RnB<USTWJtZmnsrwnJ<4QS^IXaX>Kw?HL4-zWF?<vWC`Y`cr?o88F#R$=
zs5P6(h7h{wj2bU8du0T^(cnmESqMHevqDrM1Mi1=z>idjttTW9Nru~l^S!*zy!y$V
zx1D2my(iHa>IN_FyXDk}Ss4$1BY+IhrPZWMO&AbY>(Z8Y<=&3eVvu}B1<M>MbF^ny
znDultIfm8MA>s=O|7}cP2N=4pA1t0uPgTv^L5IGeI~-E}WdG8r&#LBjkY#2<$nwb!
zy3`V=U;hKF3<mKNeZ<*P;|HTLv)w=ScAM!wGMTTcX(r{#j6bv0r+%y0SiDf1pY3(H
zG3`mx%r^}nGECW#JEA@_$v(fzar^UZCikZAX_H_!$atRF14%beRs8MA#O;D?Zz8M#
z-ikbB^&hIvkR=J(nY*<Znj)$Ge*c)%i${rp?w(IC2Idkfn5aHv4^HO5J6s*Arw*6Y
zK7CBn&&=>CPlsKCC=6j|Q=4@{`YNbkH-Sv-VHmBmGh}I1ykn{l3f&F5`qmxBv0=xW
zFn8lZd%RR)Oa0*1xc0JsFJa@qTTo5b0+Yx{G-fHtXuLMpkklW=q2ty^u^e$zB?+Q}
zfL0zRQ(*#KG!$%$3=VV8`p(Igm>K>*Gbd|J0oz#1yK?*ws1m~n$>bUH1TES~l{Uje
z<~;mq?|>KoJZ))f0sBM7$epQcYA-@EUlfVYyLkE;uEy^ri7(bOx`h3Z_0qoKMjB5H
zd*y#p$T!wwCBu+mFAj(BK5D|Duq0rN#Sd>LF)BYf{)R4E?kd#nk{DWo!Yte!{TIW0
z(YipBa)i+k$AD!yfd8#P#$3^xG|~eO!yz}c`O`mytey|8MIs-ZL5>Ald&>mE5|Wx6
zwm4B>5eJ?ovB~nP_Vnv{`J+V_|H{~sc&4b!6Bgo;88qO&Ej`KPqP>J3$nVyJ#bWj&
zXpmKVRqObYyL_?~ur)RyPbM9;LOz+zY9mEM3l=Z#Az1!^TyFTBSI~(W+Cu;finak5
zBY6Eyv6G&>Y!CTjV-G1Fn>y147-c&xfAErIb>#_jUU3+Oa~FSM&DT(rzLJ_<4w*kH
z%j?nZ&d!8OXnZg+zw2Jemp6s-PTu9$(GbsTV*IcQrYSE-w3k#AL>7|My68==5RPQ}
z%g{bD7w4-fgHgVTqbmiz8<*m@cPZ=zg#M0Re>>Vn;6%qc+uMQdbGX)_=<f$?I6jna
zN~|8$l}xMbh)nIK*${>ZfB)T!aJ0A5p01w2+}lso-Mk1Z1`PQgb4&p0QK4tw8<C!W
zaJlD%uiT0^><A?nUwf5mN+Dx@VJ-p;PLdAIR{9cFi)V<&kO7T>cMfeP?;eS^uQg%-
zB|)5zgKC$Z^@7Z}0W3lpIi2ru3@P7o^OJ)p_K38eH7{hPfY;+4k-H!VlD;T*VP6j~
z5FNicKbi4{(h;iJeYctpwo#fr5bm~qYqnFvcA8>G8~E9bO@^z7z&>+AtD_L{A*e=O
zQ$OFl6+|=n$~fq4nM0bNV$nR~$pvQFnpbcV1_Fd<W0q9(5@VPI**7Dp*}r=J*uGC&
zN|(J+2KF?qxuh_g)Yj;|wD?Y7?SS=JR_5+p^mp6uo1HSTf8y3J_b<Ht)3jE;%Uuxj
zAYvNxwz8`7IZt`+*u{=5!rodIAbf92rPEnvwe2+DWceQ3x2EvDEUj$!DBEr0$!x+p
zPZ|10jpo<R3U&LLEI%4jlES-4x5+FzmKc8Pf-F-W=>9HFH<H6+>U#P@xI=Hemhmv1
zqbs1u64O1|AKnfLt={qssFn538$Tqy^YSpV-X0P)#d~l+ZU+KF%>5t-;t~8xauAF9
zYr4KPzXw#7a+tnQC|OJ-5~R9(%rzapPsC2-H}P8~URvGzHzO}B$icA-%(lL-JI)b1
z5)bTyl5;}i=M*QcHRm$frDRL(@XA&guZ4v<J`eB6c#~bNzu|SxhM88e9yhfHGH@g*
z>*ix?D%s9b(p5k>n16E=VB@fXT70>L1$tkPe4@r<zC8mBIX;Q^$7zW7M`WZ1JD1E4
zpuU3x1P=bLN94Jb%o0aE(-@m^=N>htReJP6lZys_kN7Uy9y1cxZfi#|0fOvu3U~>u
zC#^@&^ZS6oa5&J;XTA@NxHxPbP)h1-0BDtjCP=ZkB$(zRi!Y!c9#7Kh64Q))dE$J!
zU29@YfM5a)oJ5BNpu3QQL=2Gb&W;Ia`lH^fov-r>yX(H&2HB7p%o2zS)%%pQSy>nD
z*|;0Xn9K-4XKwBJmoer-awqk-H~3-RX0Z3VMqXY}a3RA7+mU+-uRvRyJM_e-VYfv~
z1$r?<nHXl$`+D;U6TyUrMs0Wzf19=ATMdE-5dx`iqkRfb?-GUh04W;M1iI@WS_v?q
z`PHsPex3C<1+s}IgQTTzip3r{AwiZ{-Vq;7QGV{eeVIT)H(DH4WHSxy#qYovYIQ9^
z2U>wML+YgsP)AKq_<i0v-?bw(+^2LYh-?!`HgsQIRcPd6`Y5IA;<7k&2lU?!*>2cU
zb<-U_@eMuyyxjr9N!F4BNoZG7;`%vU_Fb{Mk_e~NfvfPHSu|2cjhe>$R9y5SZPudA
zFxcoL({La_K@2ft`rEAc1wX6cwhA#t^aUaI-DrjR$JHN_sC@<mcujRa^fD3K_iliT
z1Wy`!V&Q0e{vm|#7Y?c6*;>`NGCA<IFEyBb4RN3FefZ;B93Iq#3#SwF3GHCwE|ToL
zh9wmr73%n@B;ftpFhL00$5q`O5$<4i1^FOawM>nfDmXN*)<nJY>u5t{c3S&p1?74K
z#4z3giSA0gGFuXt)`N`R`ii^!2OGfuqq;YuFU|Y3w)pyIB<#0!n0ppO%BmrsgE4N;
z8AFUJ6PdtquoJ;224R8^;JOqGG2MHDundV@+(VP%H%8V(q4!7x$WGHj$uS7xLsu4B
z``a)v{TMKARqk0$RMb7JG^SSqy?$Vow5Vyy%fHl-Uj$_XvK)YnD3Sb_A3#}i6iMyX
z_lXydLIY7t13TJL3zaLYrWH;BOq!eIkVcIdGPPv=W>#-n0uE;RA32YMZsB`1kC#z8
zjR~4>z@9<)>nO06-_yBF{G_8I{G8bITli8Z=Q50*BdjZPMK_{sri<)1$&OU0V)iz$
zJnV1xNrXr0P}^I?X-=P>thyM%>^w(dsNt}QYN?f@0+_$IcTbeKn~+VHYnzN?<@Zth
z_fyk%tm(^4{<P-%r&_e@ZR54>QJF*{M2&Hh?FJ478<#z`)%jbF1<T|`(d-Y%Xp~??
zeT~1{v3ymNP_=Jsju$i$6sBy}3A?SCwpMKmJ<X{~;$NVeGCU_I2L`{pwcFUm4$MAM
zgM><lNuVgMeLW$3O745kw6$QBqrgq8mXxdW5H{42mOa(KIY+nQ17r3Q(r=atp9$f3
ze<%#k)Z$#@mWjE|N|$Av_eH1UKlSRYh}3qjgc5&UBnUQW-{rN2cFK6Vqu_8A{l39J
zA{se1XK5sHI76e<hQP1=d@z?&wn|ikG#K{{?6^-34Q68}!>P`(i?;M<&Ti%^22abX
zFC8hLwCbt!Pl*bM%Lnny*SiH_cIVi7hXD_6%BifKh&-1b7L5YU0W-+)l&C8?iQA6C
z5>V7y%IIe&cOUj0@F2JDkzKB%Fh76XDI=NRp=g}wGb{?4j-ty?*&TQWyv<%dP-Flv
zVGm=3Ah}T|g<oU^%#?YnEI%Y2UtKMlrb@P=P1UxdZYKRt^nSnr?$xeCjvm^)e~1BR
zCHTN!_^)jJK&)~Q9R-~y7(tYwGbQq-{oil_R~A~>b=<Ah72<X*kL0dQGL?c8l9O8U
z!VHn?toX&2M#|Y;<syqB7z<caNg}IowsESDikNKaul$ejBO@c6B0hz1K*h3G8Q7>k
z;TJThqY``}mhvU(-K5?&a^j?)ULEctQ-EV(VxvVX{`+*r7zb@~EAT(#He27fi!u^*
z253b~T(tWa4_Yl4)8=6wa3F0ZaqH0ko^8v;w)A413v1#y?tu=IITX@XFDsp*n5IJK
zq2wHJzY2*4n&BCW%m}CETbj2pngtkii-B~^!*7ZEzdL%9N%Za{9v4a9t1)}z4x(=>
zkY?F~fw7=qE-5pMR|R=E-9c>pGT>wdWl!dDQd?f6COpHIR=(xG#E?$1l5v)%W4!?`
zIEi_KR{9*Rk=fF5l9Q#VxyCi=k4febB!NMh3@s%~p^9Cc)JJ(oer^g`IChTuFZw79
zj_RpYtj0nhtA`6*--LzC)#0qa&-A(Wt2_`at`b)XwhyYmy{Y2#`dv|f+Y8Dq9VjbQ
zTSL68`c2qW<)$LOQ2kqFhgfcDsZfvk7BU9rOuYa*%y$9!5ZyAt^o$~c-4^<Ly?x_E
zfetno?8xR?gjt*A<WrINMEgQ}#%BZcC`Ri^wn&odr^q7d^L-^36O}CqwNff={TdB@
zCeA16;&Zd6(Ht%y7hXl{D4F%z&6Ws_o})Cv_G0Z`Z!;?m<&0qiW9@Jtah9Rcs@Nt-
z1Tbr%1V;2~N_$}p(~%xcz#`gaVTomL#DIR<YMEY5J9ds=fA}0o0vIi?wggIAe0mVN
zxQGP)v8@AHmXIE{jzdG8r$~eqxwg<gxF}l#kWhu7#rf7_oJkW`gX72gtWWXIVe_jH
zPZ=i>X2USaC2f95u0z!3SEzGVu3^lyNuGb8M2O~xfSfRu4-p|ETZY$gqmL(ed%~na
zgnp@Ouxm)P0`ts<k*EC<jhWvx%ox|S{m_2(y7!_re5x65MT|THHLjh^NT=q6G)xI9
zCLRr!vPmgkZFQbHUr&LN&B`7nzX|NLHu?Zh-U%e>0g<68#T63CSl5WbUP6P|S#~5~
zL0o?#ncQ*<4Rndm%Dj9sp*CV?3ZbHe+X{8qa@O~`z`090GVF=zIs||2KW49Pz&p{f
z$suYoH^z|NX6#)d<bk&*ZEFb}{3>@7%~gv2jHH@jPp%{_b-VGGd{(4=p&~JImLeOW
zW>{8F(0kXqn;@f#V(r%$uAYNQ4_Nv9^8bnlokpQ!NozfFu%KmJqrHjgS;{=Yy+uY0
zO3FQ?c&}`n5@TOy*H@;7wCw2(u-!31>-eE8CoMD)Jk))mKSSC(F=rALy^<F`8sW3B
zaQjWp?JQWqgfq!#&en+o^FqUJVWze@!=}aBOeA1mAich=gpqqx)&>e15=mCfLs);5
z&E=%JmWxiW<<O_L;e(c=9;VH)iPhm%5z;^|lz<sD`$>k%+Qi)QnM7eqWsKdDMXxp%
zC}{Y#4kP+39^1j5e!PX~_Xkrxh~+cA-d{_uvz*};g)xq+9f6`|q4~294moqJe)H?h
zqz7sQFl{yhnF!6xnUp~35ifteHH4mj23dx*0Y{bSK)JAj6om$<z0vTiH|n}a5G7n=
zb}Hgy?FK#r>3Uu<Tf<rgqltFhn|Wi_Y(d;jF$IvAQQ9`ty0#elY|DRl|BWDhcBn~o
zzqFfL>a>&y<+TfS_5oe$xrSvA;uj4o9rH$=CI635DPwi1ih6eD*x|G{PV#uOB~N+-
ztmbhS-c9c^H&=L~4+7&;cQ%V+^?^mN73Fn2%3PLuQuR7%x6R6#tV5lr!@=GIN7sQp
zmaPRXqgeet2N;s4ejc6GIR-M{v@6;9<m&EREdSDFN3Us+p{QkguW#Q3390Bu>2uCM
zSWz{QSho2f_#Ro3%`lfZQ#9zVq!6URrPZ0FTu-V2hN^033WUF)rny#wJJuSTxdJ($
zdXMB|O>>u5aEa5<jx8&0W>Q{BwbT6cY#_D}Ir9uH`PeM)ac}N@2Wr)ZGuGBCTHGdB
zz9$kVFm~jjE7MAhO#sTWXET9!XYZ8*i8@XhQnBJ}xryatw0%~3+8Fk5lVKv)(W%dR
z4cZJqdzPl4!)!#~hOnAIxC#iEqc?12NKMf$B_$YrU`B^I)@Heb9WM+z-#=VDmmAk6
z*z?gZrsCJYgsQ4+?fthD;B>WEeuh6&jT&^WiD`d@TLIz8iS?B?YT4kjuALl;vIp6k
zui#bKJGT%mXZa?Als0^K>5K{s!xzRNW~Df7J7;U2nrY`#k?ZO_t^X{+W`Ynl5?I&q
zZe2P#$7YO#?y<pH`yH&I@3VTTey-L;Mss3Ud$uWHvA=2{?sn+!2tfGqL4wX)uzsGv
z4%TnS&S^=5;AZ~<b;ysLFZb%yJjM}X<xDUW*X9;4fjtitlKs00_C7`t88-Gr+H=1s
z`zbwq>|K#8KLbarL0z_^_h}OmZTY9YK<q%nQ1*_}_`+t|d_qPJwHh9x-!vZI+S++a
z`)=+3Sle=mXG{qWpZ_AYX=We2?H=SXN-Uk3S4|GD$r>*t^$`PIGLxC`%?LvY6O}J)
zC8i$sv^rowtto!h;T-J?F9~~_pq8@vO+ZT>E*m$(@F6;p9`Wk;<YE;W=GoeTUe0y$
zbz*$263Mt=e_dtF(wENNbI@lyn*JCX<y{${h6HkH-^s^^{hW9pyia8-Bkam#ha5{Q
z+h+^p;AhYgs`O}mx+4XLEs3FnhSE1*4Y?#5tdouJ(d4Zy($UIGdI1NaC^E$eW3ncV
zJ+m;=QHS&gaol-2Um!I^G_K~VN4pDch5|0^bY*9%Ko_SSWuI+M8c%H>BFfnhydWZ5
zkp=y#uVT&~B>BoHqepJ<dX%0()F&~kOe#DbZLrWU1E83n0rQ#aaE1SNL6=+#I<XZG
zRRq&OB*c!hime++35{F8CM>C5l_|`lKj{oKa}D!Pd@>_%T?S+OFKzWc+H`P&<6sCC
zXNt>9{@?b_KCG%L-{YGX(F`?lv<zQza&TreH7ObOC>Fh64SS|^3@6bHEWy)=BPi(s
zea!3Q7<Qc!uLiz!q3)BfjOGgoBt=Xq7Ns0XAT>cn1tA21bME)I)_yyCuYJ_%_S~8K
z)L(>$efC~^?X}lhzwh_^X)~FH(pD(;C*A4vP;~lo81xvU8IF;ThU3wY5T`71I?>3*
z3>p<;yO?A7-tRZ=nbqS?Wb)1Fe>$V-Eh>Bo9a=Q^F<;IEkdOX)sC&Pf{xMG_-#fV1
zk(gNb<OSElN>2r7Mz=29r`Z34vpH1HLkT<SVh~PQ<+>ybPoCWTW+Rv*?D-ApA2VZT
zUKg<gaDv#7wTJ0|3@$^SW?^;_R%Rte-<8t7T)8cv%!p7~;#Rp5Kqh;WvCD>lX385g
z-bRNXP0`Fmr}r=Py(^%~`H0BXnJ8{D?%*^Xin2bqPEPMATUU`f1IBR8NA|Mt8fn5p
z;ZF_SCSP^(#Oen@L6^Q(WqBT`GOJ@KWTB?V=JfdeT`|{C`Fl?IS>^rKZ2y=kA}}d+
zPGrc$s=U5_NPD<MI*Hl-(dco+<M!lBO}c2r60I@&z%;^?h79tCUn&pmdj76+84qry
z>dW<e5<@pEBUeZd)m}AaJ5s$1=yX+wkj9M?nQ&~q>0zn9ux;A@Md=Z5WH1z+$wFnk
z+Q<OKxcJ_qLL?OCU@PXcST(*ZIJllt&QR-SWI_!U6{2FCVzrCVJYoU>m(i)zoVeBE
zyOz>OL>#i83iw2`6dsLF(ayGDb(Ev!=qG7DkkTuiE#nQ7w@(KtQ@vwGS6T{pDl_bF
zPeEg-3_#5nRm_{dAuZ~|-5udT%)8#&j#xT49R-#{>i1;8+SE(ApS0rNPoWAUjdrNI
zS>7#vH)pdm8mH=JsXZWD^%v3;E$Tix%iO;T!)tdoj9y{RoO1)lwKIz)qHo(8A6hVU
z6!)pPms%Mm+?~B!2L1`TU3pPfE*jEKnk^S=6c3uoagh-S({`WB#OwaurY=$ll$0Yg
z$8KM5GVXXmc$vHmP}FVuRsMhU{s4H|f&qa!Ii!oDskJ37DVD^CcOH3NhNQyF^vr>@
zv1>@XL(wQAw3!7X?H)_Vl$E=uIdPeH-^5ZgEXs@PCDg~OT_xYbe8Y+l21keWwbVw!
z-lK7{mV8>DdwyRG^lJiR$=W~vI?C*5iH)%8LRLmBfDHau8-fMKi5+;>{xOfsW_U2q
zz7c*Vsbc=LP^si?tH&L$)Optp4P8}i{eZkrc&?nH2NO!Lpq6QK?E@AeXT-uhO3NMX
z_?dsQ*+*~hoigZlJOE`*Pu?4fmL`*>S5F}<*m^G~_Y``uOHRngG;oXZt%s}K<DR;<
ztK$f8W|KY--|K62tBF@)w5C~O<5W+dbD_p(tL)5{eVHW#{KC|-`I5bmmmX>%Ck{6p
zh&-O8K&*Anf|QT++p+)_B7WI&u;FJongtxq!-QkhzB5TYy$AGy>`LN|(I_LZIFLCB
zd|+bPJ<m*~B=Bdda*+#3Xb-3}<FD@7b$TP@;4nrj6*~OLaD3HqP_6G`o`K@9exG9x
zzj+FYAL&a|86uB7YNUQ8P+7jt<z+H+48-5*>;U+<#x=|D!R3|YzcHDam`TV4lOt=2
z&|;M_L=!H*qDg3X4nunhkYZ#*%f(lWXI2|r_fBdHO7ihA5O^W6S==gqNjKp`3tpEq
zvw(bd>=y9U5f-K$ahk})Ct&Cmz|JPzfVfuV$3}}95NeSTc9ZuE-Y+talJ8^ueJ9^;
zDCTKClUBh1Q7kVyIkRmKm%uV{{w|ZXOm9vr3)b8WLaP_s5HK2pl78!@yXY`@;>Nc&
zt+;x6v-gS27E=7@2wH|2h6xZpeR1k8W(A@v&*-E%&C;@srbuR<^2e#HmG@g@w4I0B
z=J7D{<1%9ny%o?0Ai>xfrgdSBlPI)R*?Q^@#~l~Uwz1<o<e4gjD;&}^$S|HGQn}PG
ztxJN7L-hgSQ0#dZ0vDq_oiAb|rJ&CWoN2Uen3*s#(^mZlY>faoDcdK_9=2P$ET$PJ
zMYPhL^GWS8C~dC4H*TWvVmF!Tgft=7k7eB2q<JJtjc!01!syNG)vGA(L9&HXc0U5&
zHZ=JF*#I^)*USD60`DMV$ktucX2KT&5vz{qN5ZBG+ZUrKgi}%G@5iwc0JS=CSBm=q
z_OSC%Wn`Q)ExA57c_l>V6osmB{YJ7}KrlDqnpv;mnsK~4p;><bqGAQO_Jktq|E0QP
zV8`z`OfPAqDpix}9$`{dZcIVYyK0sw3)Y^q<Yk}+wWvDqHm2gN(Enkn{(tV&9ljDN
zHwuR?HdqmYgM${p&Ng@b3Ms`Mqv>JM*i65z0{yf<alfp6%vP?QslF+k?kNG$judC^
z4>FQeepNroSbxpIL_G6ILoR}(1J!ogu(_@dIOqJ<`$}}%ajT{gOi}x>Jq&cPc-g*z
zydysfGyc&yHwXc<J6kl=NJZ%ibHv_Zx+Zu|`?>9)&ae?uph{Zn^v&<KD@yX`J-Uz6
z6)m~Sp(}ap^3?ghAQ>QEPcHvp5MB8*>+DupXOW)*j;B6~V!BX}?8XQ(%iL)X|4gPz
zDKBxi#q_%y@dJ7(>J2pfw`-*?vNaGJPDU(wV&=p~i{#`Q)X5s$Wr#e3{MbMYgZer|
zgsic`Aqk01`FSA3Edhco$uH3_ae5=ypf`gTmhNw*tY++?fr@zDO1Z2sNIiTSLKcq@
zI%WGw$xxPDGIRr~>=|7(y!Ew_mkpQ10w9x{(VtRPyi|9qmMjUKf;=MnEMtd1Phulp
z9skVY0MS8zF>(8ZrklDQH^-inIcsloFNoX`Dv9*=dSMh!uv-^?f`W??i}<~8hCJy=
zYnt1_`^CVN$DJxhwYoA8nk_Zr$4s`ea;|PF6x-xri2Gp(B7u5Ht%rXc)&#*pB3=zd
zlVV|ZP-127Tgx)sC`x-k36g#(uTIsN{|~M33}RZ51x<zal_)ua*$f}e@p-QUD~eeV
zQGhnGP+@u_NpK-{>F^b~H7(E|?if&?wKewGZ4yJ#2y}wXn1=A5OG)ZlIqT8GZOz$~
zbVkXFV$=lPcLBX=YN8m2AZ{k8&PcZRa(cuIjU0oNRQe^EW@WhGv~L&Kcu)iz<y=R@
zugBKQ<-??|cb9#Eod%0rZb4tbguUZfH%rH0c#ed!!cTxL`Uljb;saT#TRT1Q)v2yy
zS`lQ$REU6Hj+Ky@9cO<Ryuq%ETr2|vya>m*>YXcBo%o9{IcFlTtave#MWX_a>gs&p
zB)vq0YH;SbX=$7&P#8-jmVC37YtqrvF(tcN)@9n>UKX7+#qp9w<9Y2WdKfl`B^|er
z=-16UwYVW-KB!UHh-+9lr!~Y?PduRyC^j%`Y+(dqL0GxA&w<$ik|jvPTBK~LJ;wHr
zweDNoMaBKxN{ov!o+vK<v5H$bhxkU7a3M&*!g%m(l6G4>sa$yQZ7FqqzN}nWO30;B
zGNLlH(oI@5baU=j^2SgF{@Rf~R~d)A_3*!n@YRC*p$GtVkbnuKA#FI&VKqgsWOS8K
zLA}=aV8Uk~6GY(g9cL#|F0xn;M<rBx8LS9+%xBX!l$J=4YGR;Bp4<RM;HXpg<`d61
z6QU&0%xF&$k+f#Shk-D`l990=D9wKNU|%Nti5um4Ax64F#{1j%#?U9D_U~|vTruL|
zVLP)O>A#7eNEd!1)uHK9EhM2#nz|$ESSKkyv<6NVD~yOcz)X<IU)pnH>8_Ql>`*kY
z5Z{BucEOgDk(KcOMocL$ZJn+d>6NjKX?$wNHIzZJ8&zR4#J&Qj_PmlUXDCM6b%I53
z!YW`^o(=NT79T77ha*j(3s1KFsC&v{Z7~sXx(IrOoK#h2RBj=AQ#0%%dn&MoGAogv
zJX0~l7wY0P6Dj*<AY)mWGq#*<W9*0CbPQirJ!H0jRq@Q|zrOQ8X=!K41dAA?TUGH3
z`wgG9Gm#(TLX4chH!Q;a>*V8eU#i~Hv(MLu5OV(T6^Xz?<l?<)MWhUYtcDM;(oF%Q
zL_bE*vSiUlQf;IvNp*B#WjE)-(g>SB8*k1XdvRUqZBpA9E0tqX7Hw$MN5b}4xuzMJ
z)KrIH2rDyRgUgOYXbGT}<R&c(R_+vH7ZAR^vmr}PFO32`a!hZMK<TzuF4+S%$**14
z-LJG$;L$+&HGg8##X+ccP-I2FKaBn2s9YAuiRLw=jl;{SvW{{#o2QFpUZg-K`<yY1
z|HlFVY~?~tp&~S?dlu5bUog1Bt;qYbm&uQUSi`3R3hI)w`XrCE$LD26y4z+T58Ntl
zy_nB@S~?DHsg=`9Dh~Kd3eC~jDzSdsCQdjX{9USRM%LfLb`vbG$^KHJBlJ`}H~HL@
z3eGlFAYGJ%D!*vQmOU$hOM;}$b*B;ye@oH%{|E9s-H7P|X(v0cUUqR3HZNf`bBD1w
zNyivtzBi@>o{7?%jvG_Bv3R<G#~j_(Ug7_5F*|*wBrV8Vi?_Dcv}Hr9Doj%UkrC+v
zDHoh6oA+$Rn6#;T3PrlurWzxw4VO!c9yz)kaTva9K+XhT@ZFx(Ht+^3OR^m-vID|g
zQQ*AwB|lHn<@B$PKQbsk9|BxIy#}tc;S{2S6xCVMZ)eY$)p<j6(ZnMN>Yp9I^qX$;
zx*@O4a4_UVc&4_4aBldGrhC*S>vM4}TRHu=BGN;3PYelAkpOk`zx`;@;AEbJRY0;K
ziK!fp9Np0G^pr6BX+DsHHmt>%iz3k{7!{o+3_*}`1nBVQ<!^~uP%-~rP05)Ot92J7
zSIGKKi?fFz#&iHV%mKqRP5*Tp^sSL2q@l@strEIf^k4FqN{I4z4UYc*)mp}ue!0x(
z(dX}zmo#xz8+^gt&gM`l{3~G|a2Gj_H>O&Xt1KQY-E!79i{cF%ml+W-7ki@n)=zJ5
z%WRALbEtiB1FJ_`%3?OjaoM%GH8ORlCC}agYhiC9E9H;AP0$o1j(@N4k@j6V7p#O%
zW4E-l<9GY2v1&lL-}un#A$OYtkx?M=(vphI$1{uly$-9fNCYml{k7|I+#B|kO2XF&
z(vxqwA-$iFP|$NDMIug4(|$1#6g+D&uO17EE)JY5;Z1bM>rQ6{IEMe25^c~K3uP0f
zcILFyf(>E3O~T6%DXnfG10+<EStKRC(;>SM(>_1$^xUpzM?vyj{7)#;v;AKDG_oB_
ztC04#!SWxOV)o^LKq|}8+Qk*j;cdBdkyTs%vn<L&7DXBQW_^=6f%et{bJyOqgaNuq
z3P(o$dMPE3^5_Tbl%h~SeyL9F^4itapUa9582E_)Wz=vX8&wlBDXyvt(r|%=9Y1PE
zvVz~G$mCu_s@L`pf4isT8Aa_W0g@=AS3M~fFzo%DZdR$}P5U4{fwHY<ENE3R-;Bjo
zD{C-n0R8784H4F2jY@CfufM*5f=Lek0Qtk?>bd@iWuzK}HF$sp0<Xvpn*QiMo%jdw
zl7w#@%#wiPo}RAc4x=xutsVlIM7lqj(<0LTh#M>r&FRuCb!RHnsip8#)nKfA(R+C0
zIJrVIZ3nu0%S{LGh)M4#0lE;fzmYq}9O#}x$>~a5FIW7ee=T~LG|fch6k`N3<wlB|
zOAAJ}Wr%{gB`$VAFg5{BcrYc;D$JZEHFYd2Ow$+!lpX+y5o*Y76je&u0m!`a(L^Lo
z&!W`-(B;d&TT?wm(tgcrTW|U_M{bQ*W0#?Zqa0$WL=?v*c+fZv=6}|vb!u9ay}9v1
zOvQD!SF78|#VGB#*RN`~`&ZhP)^?GFUwg(;kdzui#&(^ft7a_up+T(_vW0=aAzzF1
zHv@T?A-m84^>4FCK2stTt&xqjUWzk)g6ByovKCg{z<l2`5|9!TWeG@f)Sr&>oCcP}
zeo_gzl?5WL_Lrn-P0to!_lI8*X-zUFn(O<_YwXC&d`C%9;u;m2_2*TV9DS4{+g37#
zB+JtU_o;eIHOnL~<k`uTKy~F>P6BwS#YNMVyF|<MYpu@xN(qex%}cZk07K3+xmML&
zOpgR3x3w=>Fm#c^nP<VevaZDxOKOtA?5}mK_euBXIiCc;30dswPmPMaRn*u{+o_b_
z?4HHa9W%oVUuwU%w$?8twj9ccvqkMW&GL@KYhBOhrDmQQ-5K~4)t1UU)r4;2`+V4q
zkZsfxUbg#ld}sPs6`c@^%fN2fSNw?WY>_K2c^UJ2!P;yP?l29H(>*94+O9+|f$2An
zQc+7v=JxF%E;#eL7d=6#DmRt#BsGQ8k4%ljKIHzZEQ68N_Q{L@*(YRx7vIPz0D;%(
zAGN<WYlckQCOy5pvBxz&wE0CLe5kZzzP>_{Y1ymhR$X32`if?XA}*TDHp1u`3*HyZ
zcFlMV9*z=Kz!q>h0N8ltQF6p}P)|&M@w5!1O<bl)_-Vh!M;l;tV~P7>VE&oS+sNKK
zYPj$CnLLxMV5)ry^Vc@lQq_qS<}9LYB9Eh7-wBltR<@iE7J@~kQF5)jAL!DUgkuCK
zkhk<`)zdN_5EAqPj340#Z#%lsHE;CGN{Jk~zlcC#!vr2ntWFgrRd{Mdst&0+DpYyB
zlLAc(6(S~tI@X#ZveZiaPy02VZv|QW)|7WtvSo~gS-St?BO4PM10^Njp(n~fDMy#*
zq<<Cm@Gv4%nL<(C^$aLUd6Lch>4wn~n(zKmy2|PaGt&RKOd4N4kGw0;1!3R&TI+ZF
zSkXcBKtuW%K3qyZNE^Y_r6Vf?u`XxHDOQel*9k+V!*yzQ{LIeM@RbTsdEn@@7m7Fc
zJzQJMBl&bMT%8!O$-UgCtbFsZMTF~2op8RK)#RTb%i{3wu{Ng(#FMx}b~2IAUCBq7
z`F)0M?MgEVRrT3MI1AI<aD3_2hpG^9w|iJ%{-I-gH%1;(dLuYx9f!OUQ#~<k-uEY;
zk%)KPQBsZOdz4)$me@vC(VW}V2b_s8Sq;!lk%ck+d=apjUXbv{oO72q&<lC%w1o{J
zj3F*bb3nxkdk`!gj8SqpA@W+SPO}?5t(Z`}hVA4R8YAhQNWt|b{Z4!_RtM}_QG@&x
zvt>){AaZx$S|$dV(~m)lDi@2*{v}c6VGS~ejmUJq_R*O5K}$LGWFd;kSPnpA4*VNZ
z1j$RQD@Uk}JYrq@j!<c>rZknO;W-NtCT?1ja9_!dRuNimzmC(Q%X-(#?BP9feM-mx
zMlEu38pN3$Gwiacm8QVEayAp4gBJahHztraVGbnk8+&7}sm-;}p+V*0;2-U`>I@8Q
zqmOi^4V@5PcVc+kT4;l5O~<6~I+c`8Fzc9!Y0(wdg@#x6Ifyly@N;PO$mKq-I`jNU
ziAxj*{X|#y+(9b)cZ=JFW4Kob>NW>F=PgZ@pZ)xYMnSXE+i%o3*jDGWJxX=Y>w!@K
z7C<HhcQqaZX#Fie8bLuofSXP{V6w1N++b+urhV}ggzYJXOeagJF=TJ0DyIYZYu(FU
z|6}rAXyylMV(5O|_!@Hq1#>wT)*L_5XC7WkL5SXFT9%seSv;scsp4;U2xo)n9Zhlf
z;{lgvtS2E-lH;%y)$CeR<}sTQQk>AFIW+aS4=Py;IVDZf)pTt>ss?G2Z7uluMp{bJ
zhH9q&+S~oQCEU-*-63Co`N)*P828_aUv1T~Yn?NtrUe#}kA)V(MHbL7v0MEeC<Jet
zwg9rcq5oN6p^H-7Yvfd-e96e3mMMKz?<XmDiEUZF8Xn%-8e@5Du0-R^1^ILaiHELY
zC_%|I?z2;UJ6_$0jqxjw6{Xr@AG%i>GPM|Z^hxA9Wx=zw7nEOtrQ<6055t+OqNMtR
z1!XN|%i1m+f5!5Z;zmd%z1V9iry*-aQYT)O-pm{x&C~0TZQC&FY)x;ewhI7JjYG2L
zKXCX$UIWe1g;QCI`1=GNl7Pp{o}?-(WVL)F_jJ_bGcHB6En|EXP%Bs%N}>AL6h*WK
zzK~cOw_rPAtgS}Vk^sM*ADS{C@_d;^4fXpw@(wKQ!BI;0=sCX#WLeOZ=BwhVpH=q~
z7)AEt=BTiQ&%O+m%E~iRx7GFrJUhcRV>T3l`Z|x^IN{7GkZLap@ut0QpZx06MIo2Z
zF`Z2ac5(ZU37)IcVR0u6AVk&G+za-RnUje@j@Y1WZM9dh(IF2c*;7FJgQ?JR6k3Ia
z<toi02IL9Ab@CpI0ev@+mYA>B?4l2t89vOW1iv8lCr^ak*5LCB;LX|wsH!a3w$AYL
zYRj%WO1q(q*4DyDvD|vH3hReMT?^C5NGod<sna|i(f;xnI|!gSXk-Je`!spP<-qL9
zy7S*0$^D^)F4r}Mrk5F^I{%UWEj(h~rAW{hbsJva@DYL{gW=diOrpi<COAv6Q{s6n
z<t=n>xBIaGs~$bH)jsRzKNPu=sQFs$jgC*({lf9E>(Xus|2_HW(~oR_IC|;-00VV9
Ai~s-t

literal 0
HcmV?d00001

diff --git a/example/system/amp/openamp/driver_core/fig/openamp64_auto.png b/example/system/amp/openamp/driver_core/fig/openamp64_auto.png
new file mode 100644
index 0000000000000000000000000000000000000000..7a2fe99b856bd9a6d524b1022d14846d85696bcf
GIT binary patch
literal 226121
zcmeEvd0bUx{{LZhmr-&BK}VDN;zD8|%3@#Bv{9+AGj3So5||q*E+E3aXz7qCHfTvG
zm^Ru>k|>HB$~84ag^O7#E`S?gqM{IjEcf^RJkL3IJqK%MzQ5P6`ORM$aL+yGInVN0
z-b>tDW8Y}gvTI905Za6y`TG9|g6&2@u+C|2kDuI{9XTHVu?v|weAxf=O1LfD{d#($
zV6#X!>h;(D7-4ny)QtTvhF(?Qtc(15cIB1Q{qs&`czTYq&$*H@?^;H?kEdS?x#k<a
zJNNI)Q^J0XPrvl;vB8P6c7`5*n!Ti5r-NUgn^LVi-Jp6F`)<a(qu-r=@NDLTBhQ*W
zOZ?jP$3utSd8cH+XNS+f*DpNr+!X1b1*%py#REQTP-!$Lr<{LtY?zH;@i+MM>a6p^
zq4V$QTzwbc4{7VO++Hxbig>|t)mEzoiRT(Gzf$4RDg7@OuL&B{Z{vU0u*VZ0FVG!X
zGylf<9&czB{z?@rOexu?d#|<c`O~}aRCx)wwEn*J|J1p5#vPZd3Wgn=U$S9GsDP(2
ze@NU?mIwRF|FU-}nLd8eawmEki$~a}>)%>U5Bt*>LEhnKE_f<@WeWewb~X;-uekdh
zYlHi={L%uQn>`-CE^uXP{ZDJNZuXs8-zG3S=y-&ugO$ULBZ<S-CtKmmEI(PN`;LwE
zD34W_qw8O-zjJ%f&3iRD+41k4Zu%YR*74EL&)5=}>}jJ8{d;9udhMMH>l7ZgBfGz4
zSHtfI)Yhl&5X!?G8g8dd@e$--ZdM{)e#&zuN)ekV{UXXP<vK5_YAruBsv&&RWjFmm
zMR{x>iu{_Mbg}HQ17;LY>lgCku7e7rI+af+t;>-mo@<=_l;-)j>?@}}ZwB+}G@<Di
zIdwXl!SS6VHm{wOb8nu)-29A9r+^k2PrmNoxccCV$KLfrGViYSuKZm^erl4>ow6<p
zFYr}yf_2G!h&kfss%oQa8&F%bclUF?@G|?tqQ6Pgqkfk-Wfa!_8UFnRS*_;Yoq%ba
zHMx}#*x}<vceSdMLC0&H+K1KN3OKw-5ZZg3-4vi}gZ~X1i6_wAIcp`egc|zO`o~nN
zE^67;r(qqx^?=CA*wI!(@7H?n%6iOay<3?7hL;7)MI!Dq$^Uib>>hl5;gi!vZ{6=3
zpxW#wXd3N<YJcpcI=SbPwMNz6=zg0S{vEZ7FUbjWtcnBH#imZFtyDev6k|UsMOT~a
zJ5Y83_`O4;9d)E_^o2QCjZ;s4nUcBCXR9DxcF5UHx*9in^oVnvbUB-B1dsQ%sos^f
z;ycZ}Tk2hzF9@Tt-f~woiaSDBE&sx_O;e-s-e*5}X+q=e6pS6)Fx)1z6*R+iH8i4a
zuD7`!eSt2n8g>hJ-rZ`)l-hXJlUmjF^Lt_%1O0WCNs+Vg4zOS1|JkT)h&ZPWEBV4o
zh{z~E{BwxE?sQQFJ?Fvt`Vg0{f_hEkWBNO%Lr#b4w)0<|qJdNR%HZ#lgThKGF$4Hx
z@@uQ5!F=QJ6Ib0G+UM|VHXj;0biR8wt4QOwc6}*L&$yHo^|hJzu5?*^z-p-Vh{!VW
z@8h((8SYVn`jp)DWw!mZY?1a`Hg$2&K7*6#qFXLn2?^ELp9T6yJ8t>8<Z?wqeAa4h
zzpf?ODmE>WgLFB&!d9ji)_0A0^7wK^!SIvyHIE$9n+YQ^s_W9qBJktV@UhK=UgNh^
z(%(1^dSOu2a6UKVF837#JW7ggYt+^Cr3t0Z=k6Cqc!f<Kcs^dW92+`bUqe;Qpz2!M
zt$RF9DBZK|>o!7io2dB>ZYjrG<Snn{b0)M?o66f+0q0$UPy5iN17e584x3uV?rB5B
z4QpZI!aVxRz~Z-x^E(||jYoU6*SiPtRu!)#bYJ*%xc9f)Z`bBzr)Yh;2^EW9>$$a6
zNPY{U*TdswBOV4V_Qj@vt0p<jJUhdCLBV9<3T^pSV-{RWntC$Ozp<<T(OH{abq&+1
z<z{}TF6vSA?exyCe5NfLe3k~2)_wKe%7g3om0seDCz=isOfxonr%m-&-GAvf@i9TW
zdf3#(Uc36wvZdW9G#t@^<|T*SE+J<Zx=*}dFKlfU`pRF!K6qCc5gGim$GG)DCqD8L
z%BBoj`*L*8Dr+Im;?wo+t>@lNJ|5C`(v{{zw^x>Jaz5MpVNk35*8`hfkFFf=(zUal
zI%C9OD|Ki~`AceTKYpV5Y1&TbgDX4C6Y>u)=s51#h%!5&{hH%tbH`52Z$5C*Gbe2c
zVxpP}+djD%zqO5b!&V#|DJvRX9cYvJVQ|&((8?or>x6u-Rmp7y_1i8J{myT^Jw9!F
z8)0y#yy<TiH9sb3Joo<AUtSY4%-SpxELX)@ZT=y$s({ug=4a&Mo?G8Y$))*UeK+9^
z@9%%hzp}2FX*eCQ1+$YQ%erUzPph`_x#8Wb@X5uxf*g;d&4dwGerz@*?AZ`n(m1Gh
zJxx!Tw$uUh;Y4xsA@A=z+D53hU$>?4J8Yw+-iwNgba`0rIAP*b%dLdumpf0J;98z}
z?-3nSJsy9WQm7rfy1-8mFm2Pmc34_iwTzBr96o`MLfuZ5y9nygkL<Fa<X}rq$*hgY
zo9%S-R+f%VA=+^QZ540l!f*MNG%=rKr{?~D=e1Zd)A`wUekz{|^pEjEn6AmP9#geg
zv+;JameyeJhC8=u?;Yys*UjVZq0&k^!AIfbD%etJkExY9X7sepH*AE8h*?P|?ibeJ
z%q*ESI<nk8X6gNx1nmn0FI==5w?4|B&brN23Gpep2)HXoD_pMQ)vl8kR_$H!q_)|B
zzlM1_v=%guvAvfM4nDh3%R-d|gaGN3+a<^O9c)aXsJ#4KX;`=Sw5dGCse4iz^hN;=
z(nv&PCy%day!1B3A2jpR`ln<q+4x)d*bC+nzwQsMHDBiK(3ViRR`(=lhtoaZXLBiJ
z!bABU`Q*3!t9ELY+pIh4;knqmMtn16NXwxsW8bb8^3PbU{k$OZ;<_n^m%gC3wb_9^
zuCc?c?YnH2R>xbvwKk)R^Y^cu_nR}qY9ykY*B*v=HR~(bXFSQjiVq9<%{3dVM_^Nw
zxw1efetEg8U2vH6uWcO%F4AldSz5Tb=Y(&%*>yjmc?ofEsP%}$PcEgFccBpYM7yQm
zk6z{^__mX~r1tgF3!!XnL{n<N*d^MFX8e`U0$py5{4M{gxmljKPxm4vT-RI&$NMK~
zT`r&Z>%?Ll?_U18r)$c(32K^)>DjM_Ylo{!DeFKM(a>XgGog5D?1-@eOTDg(=THq5
zH-=JLS?fGtLC+Ljc5eMorMf$zUnfQ0Pl|ufPFPTs>;2@OK2h7{@GW+MC9Q<woFh_R
zG%Bn%d%Vz|B8JfTIVH(!8|h4RYM-L38&=g;5D<~=O~1J_tCI4oQ`ji%x?8Q=5>r0+
zkaSLByRaHb?<>Xco5ZMo;_17h@sY!YAvil<uyJ^jp2GA0UjEUZnLp=d@3TgLr}X^h
zOBX5iT2{XL<B8VqK1Ggm#7;=_-hARdHdjg^Tmnlkh=(v`75=r~&6tGfHZE^R{M`hs
zcA7>bS3Fsly>EM)VEa9FHFGE-iSX?+=+nR$UWe-O7#o7sNQ`AlxL1mA>BM)ReuoN^
zQ~Z0wohZ`0eC#pXD>fj7(UvTE!y93VhTjbB=92?_LhXeFJdp7fy<N^Bo*tQ2Jkh@v
zcTInI$}N7rZE*Wm>y2-$Y=qEziA!{!lzK{LvZoHal@R9pDdJ<#h#N@9?{^e5<Lofx
zc?Bz;h~<#Dl+4Ey$M3fi&KEDi6YdETgch^zRCym?jf75(l_WDB3A2Lo+yeLsRcQFP
z+3ZBUuUy3oVwM#=)HWKOy2!jAUhXT;`oyYcS@45gsYEhTgRH;aTMVcAHzv4a5<m8+
z@JP|!%JsFCt^QEK(ayd&z|NwAf*Np}Ij;INeI#;%paL7gw+l-lb*w(Y>NbHfOK@@~
z1aCwcfSp?#YU%?r_8}#vEY7GzaVwzqN2(95i(OM&FV<EP>~@q-s`JQtRvT9HBQnZP
zsH{?DfY*j>99Z3BYO0-j6fbSi!%h31)<toSSTUeAn?PxzZ~z4>t%~X&edQju`ca6`
z`^5N|pT+V8)*`AVwt{a5%uS@ob6MHiFDTeO>zVj?Uut!{#G$j_pI1C4EQU>Q<iLT!
z$bl=;u@)l+%$k~$Bozb_ytUIy$EZrFvVyG0sdk~RkAEGTj{zyeo`n^M9$as|VO#Wz
zVNxz1Sm?W!Vr%x0D1521Qnm`3gaf6Ql4|R<uDA9zwp&_lr8!P7w;^V!H7}VJAta_{
znHv<)$kYBBs?hpQ@<=*pvdT8wqQ3LAuAqhNh@=Dy)l19PzRS{gR=Q}Lbg1Ui+X5d0
zdL`^FX5MuTvQoeOO?|CcIqEw#GjWZec58(b$EaFU`(sz(D?5B+C6$2+&kqySf6!OD
z5T32bo9$YX9dL|3D_f=6jPMoDjoBe?i`gexu5h*My}35R)z8cB;Y+^`Khb*dH9<{B
zs@0IXH>}jDQ<h%zSmSbZ%UA&u`APwf<{mEANKwykOK&3}((BPJEnW2jRUnRi64i05
zh6)@r**37^_TJ2gWnEA+tVU4gy-2&=anLRsWG==}F*MchVBs0RwPTC7v=t)$9=y?A
z#Y$sIk<EpO|Ej*eyyw$CgJZ)7%k?1k>1=H(B05vHGy457TXw9dZu3G;;JX8z)VqHA
zLRG(2Ri(X^&iBv9&I8jDx1wTMZHMqO@9~z4d*jw($_G=>c+vaBBxxR&Z=V)Z|8xzO
zC0lCGc1~*>d7%;&9PDai-q3Dy6e7GHOgg$L>RCwmC7K?8^7!@}|IObQHWv_|%%liJ
zt&fP`YDEduxU1Niv1bGX`K|TtcEeVaPRq66r%9Rj%6bdQ)cFYgI`r|*9Z6WMS5C!e
zQQ;JI&#w>cz(PukbH(~YjZ$}K!kjm(HlNa*te^XHpTfn99p$<K4ZAw4kKGW<ktc&<
zo^{VGtIeEmCDb21G5%px>$ZMNQ5qe%?^f9)ydOhNmrk?=9R_}XqwSDpBjk$`V&!9*
zFBN3EUnscLT$6qm<ID=<E1qr79UXb0<#?oxc2s~43ohkHwHjfQwU97t&dio4%e&gD
zM^Py{D|TzPUy4|~%L*&mP}+YN4ebdm$!O0tzAD_L<~R!tsNzg_$M$0V?+W=r$m+eJ
z@$*7T5o%zE2yRaW7^<Dc^l=yPU4~9gdbU@3<@T(~uMY?UE#O?|C-rw1TPqG?Hz_UB
z9*^ueg(8;tRE**)9%sjXe(!xd;WK1Ic=cBzFBVavG3-{~fMY3JTc<|}!5_R6?eW)R
zh-yFUP@2g~h4puG-EZQ{Db$GAN0U7U^Lx2JBKLM|zTjO*S617y@w<~eTw99jhxG;&
z1=n3qFN?rtst&z|N-TbrO~o+ZKk>!aO-mWop2htJeVYEM=Em0ttt<Yx#PC09*fkG_
zUU*FDnni03Ek?I4>g<aJ8CxzNo8{%3u?ZW=v7g(vwkh7%&|*Zv4To`8KUd2oVB6x7
z+g>RMXsO9^n&%mjw=lQdxw93{5Zcp<==)YYp~&FEr86&hEiA&e=P~G84BdPisbJf&
zo0h@})XRO-mT#7-AvljzrLNHno(|8ti7KXb#b{phqccD(VHefD;Yvjn7C-v7>wGu%
z$CFaogW7pRbY-iK_J7s}$=(Y{Et>qjTrkkMwYA2v;9@}Qq1M<Q)ms~I#NyzcQr}td
zbz)oJ$@<&K3amP#&(RnYFvN<_YSv(3alxNs-*$PHy{>*om{(}G8>k9eq!#)VBIbZT
zxk-N6egt+NkF-ta=64NwGssa0{0<fWA-dwBSnoZB1HtxMpKlV6hQ*+vf=QB_w0Y5W
zT5@O)KB`}36L}Fk(&&{V#)_Nauv<tL{Yw{XzUaTa4V!AA)`qBr)%;PON9poa{;Fv8
zv1kV!E<q6MOceF8bLO6!3gT3q6IyhBPb&!6(>ev%uj%)>m8KV~!P8C<f<vPBiI<}6
z1$FG2!!@rAT7023DxpPG7I=J_;!moDFQ5~WUOo~D<E}S#kN2tEY|;+W`(stG70Z`+
zmS)yY9FKhPUUuH<Bp%<#eD^r>-k}hb^6_JBz=mOUVZ|3&hof$M+riaCccNnc^%9yy
zeA3)2I=p$(ifXo%lp%BWkDB87lr3u%#A@n`T(>V11Sz7=GfE=HQ@7xf@2OpEU#37O
z#s5s+i*6M=5pmZ{2zGz!XJ2(gEBzYRLPXXJS4uvZ5mv%)=~mI<T@AME9j0xnbFq2$
zuvGj-7@|M~2g!eviV~Rq-V40h?B_RLOUHHN4NSH70vg2rPN26Z6=IM_RLrE=67!68
zm2hkGQ5$C&lH9;H<Y0CfdXlK5d^dwCDea9iiJSU@>y|FU57STV6}R6jPV>&y-a+z!
z+V<wxuPs7?!BYYj$@iH^p*d~2w#FN<(8(yt7?t81O4~ZB7?ybrC2+3i+zg?Y(`Of3
z2)^U!r&NS$PxYo1PquWyj;(9Svj)nGzWP~AeBASVl2}v5KQgcNU@L*AS2X9|x=*|4
zTdnxaXUQW?09HCV$XkV)UWVjjGUij*3W`ei?iTdrRt&XAT*h5}KbLL?LCy$aw!SS&
zhZG+fF<GJj_}yh#E>Wx4lBBFnre{`Olq(lW^6W*ojxtBtOa@)rGeW)hbVIr#b8!Zy
z_yexdcsZ?ln!e9?s#LdklOKX&?7da!Rr1_e`WbK3Qn=VVnr5f`_b0cp5B{DvB$0s6
ze!v<`2x@Brr?FYX`Zb4kcTDw+xG1)>P#JXG{NzfT`f{4{A5#PvUl;ng0DBAutJe8@
zl}*4=?AdOuLMkuuA0i*79misqV7Lygy^Y8Fr?(eWTp5pT2Tg99uWxPv)P#=AU(?D(
zy=hJDkA|i>Z~dC~%xO>bXu*T?O5LHvsSWi=#dzyj!&4wcZ04hhX6oT5rL+mL=w8=h
z|Eu2@*bDn#MNw1;w4Zx-U(#xysw)UY*zOimI>zDg@8sbKQ!=v9@ar@2gikk~QMBJ3
z{b!ZOTAQmv6JacCHBMxm#!4SV;qB!+qJ}NHBB4{R{kD!2gXr@7=4Dsrgs;E5B+NI-
zyDyryVxn=Q(~UFHV(*yY15obm7t~77rIZ^5$7r{Gyf2}^c|Y2u`@LTIkhL-rtdeRT
zQ#OLuIGufR2QUtS(6v^ZZPz)ceU-TN>w`#rBWC^FduN}|Uvm>!wD59vYA{M0i~DUk
zz43Uv<yPubU-TcGbg|PwYdW@AeVF2tLv<yoz5_j43iH;njl(AB@UA_H!#a9dZz%I!
z{^FW_adnrhhu+HXv^DpB$AQ*EueDx2STGABbuZ$0Wi^1C7dy=hIlFdz8dZNfJ5O_?
zJz>O7kMrNWh9AgBq%!+3l_&~=h1pA7j{Rj=-NVv-2MD@Te`Rjo;3Mq>r5;WoYl5OT
ztqr?#JWD5a6{&)NabBO65OM^tu0OfwMM@d<gl`cPvk+=e{?$`2;JJ{Ze3_U$9tqaq
zPR{2h{h|2bk3kGOWVyjad39D#_E@!w#gk9+KhG_nGGJ8)l+$FZ`7?Qq39))^x_*H-
zc9@*B`CDphY2IsbHKbz8?avE*JghZY{~gqG+?7+&Na*!#E%_~`+8dEThqWOmQ5m?M
zRLqvPdPLiaKb+4?nt$gk5~N<8JHO{3RJ@MkaoC(UFcw353Y2iwOyF_a_4JSzC@*%s
zGe0CeA62sfCYff<R95Fj)p$|Cn3JR5pJUzKO4|Jh4~8O)Ldc~rp3uI4M6bY85C{+#
zf8vX^Aqoq)daj2MHRD9fynDjnkcC5?gwa1KMIw!x>gFH+B#@<k1UU(a{vBE<R43E5
zq!Ttp+r!3N4>5_!IFfkqIK@bUuIRy}%HO3lO4TG}fI~jpqDfjm-?lgh=UznN)#Hic
zbycOw)s7JqH2QWyV|<@j<V4>wDRI&D%1HV13P%b}j$_inx9;3MTbj&G761!bZzzJ5
z#782eKo1<@(-kLF5&^dOw1dEo;PAW>3Br+rD#GqrHsU$XkQV%4HmVik%wUh~PK8T$
z_~TGV+0)0f%oeACl>5=a{FU9h-GfTS8mR0a45ygJ{Nz?Rb~+MD&JxT>leocqfWlz~
zWTmR7O~p)olua#Kv8Gr+Y5h;^oItr;?7z~NC->zOO{oA^bP5$JeZ<1CBrS!Cxhs){
z)isn)sahe1-7KCuRGz~SCQ>yBJu%c7kdvaOC3A9Fz<_{$$PZ{_5EInbv&UB>$VRc?
zSvKpnQ3{-uNF`ETE3{$0PC+Lb-8r-cSbMrRpnIsBvZ|y^q*9(Z0ISWYP)Jy)Z=BJC
zv5}Bmtq@7ITl(_}>g!C&@HPgS(Ke@81f;syo$QA6nsSt*DVJ$`FDo|X#^9Dir=vdg
z<aQ$^1`JT-zox24qn(c)fpV$wN_w>sU<=re`kyG886$-YJYXM3C9HslDW^kuOj}xc
zsd`%D!u#We#(>~rL}C}6im&iq>M1PF?T);_!RnDRv(C?{wWiRd?pJu#|9n7WqX)WF
zst;NC!m&TV{PFNbJhhCoi8z!*^_iOeLwmrGq~f+}F8U&<i^u@iq{`)0%qjk+sgxLq
zcOzUXJdbnSLxje$5|uP*2<TuQ{q&|>lc7AmXPN(n!@>4j=LtA=+wwG9Grr%^_csrV
ze`l;4@=r8rfLZt*p}3F`m*metPJo(_>yV_a-hQWs0pTYXJ!!5c)m9BZ>HK6nAKsMA
z$QRLZV)blo$4maF0%nE0Srp>Z8Oe$?vn(-!xJu+Xt!v3yRXz2XQwRY_C|u-cgq~zg
zf>MI1ZLZ1>h#^$t(3RDI4$b<K@MV2a)SD2XW6&(%ICzxU3&nJb8mZz==!~NC!)yeB
zA2)k0tzUFkTw1g$7u_`nB%+CSn@|}oI#bb&^}VH)<#Ocbn5F%EVlVfV3Ugl?6<6if
z8p013hk^U1zwKGIF25B5i2O6JX#-dSh1a7kb@p2L`17{~1;iasmayU4wzZSyBx((%
z=LLbHT^uVJx3LRnKRM!^oSW1U$hs6NTo1kVaP9mLhG(Nm8jym@ZgBhPr|EN0C#oI<
zl%rEYbX7s-k{pkxySvyG>l~%(t~&PZr2~>ybrgoKywn@9)<dh{;Eh|)mu#~WHf%c(
z_cB%75CpiT`^>Tudd-?Q9c4xrO!6e}6MxyX<@mOC0z!`?opQy{x?(Oxl5PE}=jKfw
za6VxEjg~`GkM=*(4#g;5<v`UC>HIgi&4Sy-xZ#;k(bm26;z^1mI-W1iKVEluZeO7n
z<^5jlwn{I!`|Q`*qh_0gUU3ptc2`s*dG_rhKd9~Hf7}~YTVuE*!BGhdXqd>@Cz28W
zZlJ+B9CqO`Eu@<aiW`4J^WGdQD%P#ZI3Zz7Q4J_MzsW|}fbAwGV|mB0!ADxi1>4De
z?a|Xp+vFZrX#0l{7Te;mM(0mG;>fjWrJCl{0#%Ni@3rcRuCD4fLxZ#!-1d%7tFBhT
zImB2{o95DumsvZ_eyPjT6?CARM$o|vK0tAx*VV3x2pR2TO{&JusPsD@nS~am_<nIJ
ze1!7SA>GjAbYZ-6boX&C*Uk<@ZNUQa*Q;#MhSEN>Y}GF^LI9$IQs>L(sYXgk;;M4r
z`F8GtFl+mo5X`NB`B!Zppr&%cYZcm;!n(x=Pv*t8L-LYK$;Qy0Hy)&g2cv{-f%cOs
z=IcwV0PX8F_*z%1&5O&{=9MhLU~HRb@7GNb2=aAwLfGAHr99isTynufS91^bLK+sS
zvMrbGYdabh!~ouMy@R-|rrgJqhqF4VN%(jMPJSB4ffsMs3*YEl<fmwl#yP=D@95U}
zr2v%BoGmCpNTAh|TeaUBKpvwqG-7vaVf1vYwSgBewiI;pqb|)|Jsgo03#@qtn%ssU
zn0NQ4(la>hUd<A#h%#5~09ZdcSp9*8E39#*YImvF9f-JQLWS$Dv}DJFgfw;y!0SbD
zZt^rUHO-Gc3w|@Irx18~<8T6f=AZd!$Am>MVU4T#9)}^9WuTN7%rx!9Nr555J_9hU
zO8bjeZ0y}k{ew_kFm#UNxXvL@1>w+7dWbJdWYi?UrpqwKV#zwV{k(Ofr#U`F7u9xE
zPvle&y|$%(^77nU#}8n+i7#OPs{=k9bNygP0Ka*5Mzv&20K4G!;%9`2-oYE2jdw_|
z6yXUtXdcz?a9H|H;aL}<IC1+tpU}Pqr%oSS|LxT^hjv91hXRM*@oY9C`*Vw{N?p%v
zJf7?8AqZ05_tnn{;UTQUQJGcgF#d^HTX{8e31G)8_gU6>;!UxEnzj01KP$DHja23K
z{S(1qgz`2F{VD+w2{xY>@C=(_%t`7K%cQjXLcbM!gLva3HEygrHnsd=GxaD5TvPlv
ztbsL)TZe0Lr~ok?z2RtL?rVT?6i_Qh-`UjYKEedS{l%g+hSJ)J*2&>hJeL*KWAd^c
z{gu0iI_wq{QZjL6djrHx$56?b(LPw)IICuao}A&Z=<e0G1*+HgyLyV?wnzngPptdh
z)BPzLsxK1A&27P~qJ}9M9Z~Rg?}+o_r_?Ejmv1II5bpyVoj{ik)*=_CH!ei{p7;JP
zz3!&bj9>cH2J@Nq`#vwT#Wy{S!SdYpiA~2>@qV3Zf5i8<M?D0kjNePO9&bA48FuO6
z=F?X5ny9$Tg@lgw#Rb;DSRg+Zdn3TSymTYm<;=$H`Ng!rWWX<Cv$WD@X7LCF=1C}f
z>2kE=y(=$yyPj()XzZ3vtzyMwk9(ZBLGw+0ysoxN-$ACX3PCgw(dMpr#t9KaXdo%c
z><(z?<IDrmo?;4$8qxz^D<_DJZ`iz|^J1wyD?G5S1$)sG7xYPqzR+jsje3Sp#lcmm
z$-6zanCi9_qy6?TcO2I-7vaMB;%zT3c=}T+x-b*dR)!x+p$@Ma5Ea%aw9UJxzjjf@
zy&rQ$pblOW@Gr9@)KNukR{ZzT<*|fNq@EsCsJ9m^;9b0vr8@sNpYClo;O<_hh;soM
z*66B<z@V*0C@0)O7u3ud_(?3v*Hrx!QuvH*7BcUu;b>>68A;7p-*#6&t<2#_NRK!>
z1K0&9pL3J;2K#U*4K{d7^i6jw1FWVHWjn1;Qebj;pFL5xQ6Fa*AuJFHB*YW!uqk8R
z@)=?mVF}V;-tIvhVpQmEbTTT{PY#H@y=btNc@2Godc^oG;XH>IYw;~+%{=YHVQ;70
zw22g+SpHF5p53{~8>}r$(25e9n>(F=XmKg|A{L2L95qP^_A{C7VL&4B%$)|Rd>sZS
z!MoosM^>_5l-HWYq`V0whM|n?qv^Hz#61)##VP<tPzBl>0hMa*IDM8r{lp@UWx^h*
zSvdm@4UuP2``z8$6VtYEJk^#i;#g3FCBhsPg_}|HCJK59ge4<5HvSS7#b*Yj6l;qJ
z!U0}brEo{4#1*xZ;ldt`xQ5#*aUAqP?vzY>xj!V}QU^xOb3>(#y>lGka<Kxc3|Yi(
zldn(g(~ThPo_WiS|8ZT|%>SJa5<ThPiI~y^x8XNWy7|wu{j11Q=4HUfB%A^NKE#$L
zSQP*H)xQmW=^uNQ7BreHFueYqX*B=Y_W%9pr~itRu%%guwoljFKKOrr%WRO}G?nE)
zH~)W;m1GWTstfynEid`Mp9%f{@QuYeqOcCBcofAQ@FwOJF=v8R%Sl%P(j$aoC-#d1
z_9VO@9gw*4snaCk7}lq)tOcJrk1AVWQ4_RRu9-oJuU}AW6NQoZHB?04)t0m@y--pM
zG%rbc;@!pF$9=j5RlpeEu*uEMqjo8ij><svF7@Ic0Pn@BmRzxey40wx0}IC+ew^5Y
zhI&y20lvQi^8^q()m#ZJZ_;@c@#x~^PH`O~p#^Vl#~eWUm>)#I*iDS`M058fYtqt~
zPEGA5^#YkX5U)~8DBNmvg%5AuM5ynCvRT`|?jUUYBrgMu$kwQ(qJxNjVhA1sLM3LM
z$oY5Cx-=+>(EBpskWi<K1WgQmVFLo7Qg;QVYe0WlU6C<Pq<-}7V~GT85PQhF9JD+o
zGy(OJr3YRL2mt5A03sISi7v9)87fvb3eryq<qsYv9bA-O$-DYMw#2FGnOH^~T6&+<
z@tz*5I3)sgh|=!(KA-32CAr+{fx=DD;c~D$-Wj+`1nHYJGf~<h-iuxW=fYetHJ&{T
zy$m^z@`Zrsdhe?%OOL$&muU|tdA8Jydn^e8jh+sC&&`;a>ZiG2Z!k;%YNJ59YkfW?
z7GB|gQuL@Im~{JPMVXscCF=+oP4Iv*^|zVu34>_Ji-0IS7hdhEWEHE-afJ2UTen^X
zI;!kw$~%DRrDvZY#NI>jGE@Js`fzCOOG4byu)?#iX&Jk)GICB`@5aZB_97?0g(Wr4
zJ~(WROH?2Cs{-+}V@Kb+cHRcPMJTZt%UJ{yxakUYEO>kE`i+I%wUdBKn!nijOgIpB
z8uVl_A;q#79(=|ms`43TDyx@))U;-6yx*BUKw=c<1f$nl^=kN;Z$}VHc+Z`;IGw<G
zc{w43P=LH3QN^1O=Xm!Z>jdWmb_pyRscmfg<l)jQz@rUax!xu+Z{-MK;yzMF+ji-T
zY$86Qj7fdPXI_;WbcAF?$=Il%0&j#<AOPwb4(Akf?vkJtL8aW+C!gN9K4fA8$06ui
z>RUj6r>;qw)B!@PZh63vF4TppcgO6Jwv_ssSLCq6xUIUdX+m;y>2fs_s4_kn?fcXn
zY1KW@O7RT^`DaKK2ptu3r%M~E=JprS_Irjb^%^oEjN#|>eO0$rBF$NzpASt4*5P;E
zeMh8L&55|*UWhnC&D`9@3L0PG1)lGr8Hdt+xfOa)hDI~qcKlYhA}4r<-C_U_p_iUm
zGR}&02=W@=7Kp&#FQ&DS+>$loq%Cf?UVtp>nrGT3XoqdM0@}s{0(%C2Aj=O|pF;0<
zUo)^&G9w-PB%WxAWgh&t=a8@?pSWMftOd9LxM;^%hBM0OJ=n@VW8YC%A^9V8?l4k2
zrbJfuo=8YYg<Xj~=u1Jh1-xCd?BV+X8?+?)=C;<(ebBBMj?2Q?ib!COF3Q6IBSmaW
z2JJJDl~We_h7JCvi#oKGUeB)jyW;WKT8M<e&%%pDl}4X{$;}kitZ3Wi&?owhJzd`e
z8R>i$pW`e|C?z@ENe5ViS~UeLst<)cJX|J9hSX*Sy#7c)e*&d{5b5S~E;Q&7Z`|_-
zr^0us4P#p;e>|+<td=W$Q5z?g0Ui_<2_cszF4nVyPr7L*0o`LD2M-lFDXf}KO>z$Z
zd26jvUxb6e51>&b;_`d%HDV>}8TMjTKZn3>)VE=@X6h<%o|Q2*K|M;6h|?S=;#A;q
z(l*O&HsHOS7WH?~M<J{z-jPgurT5-4L!Cb`IUN*9%IOSU9Erkh=wtL^+ZtngQ?pAX
zN}qHqI<%!jD{2J+60pV7rla$@z`{dY#%?14xE#DzraDD5)Lxb&C=Wp-jHx!m@1Xyg
z8{L{c*@6Z}7QpRd9Dp@(ml`(;`x#)#Ak_3Vz@2GwRT2@Se$TdfKHzW2637S$c`c<i
zwO}Mld-C56%s1YXno@1Vey=F92POv(O$<O;Amu()v!*eYB2<v^X&L;Uh@&!4C%$nv
zj%%$Mcft%~$&}V?!H5P@k>jbP$cE(d#GRLE#_gGZED<zlc4&igNB`!4Z~{E8u@{2d
z6I`AcwhT0^)L+pNSW_N<uK)^ak9Pq?fU09k1LM}mmu`z4Qx0$|#e}l@WpaF39x-_c
zfgK6GO;N`h`w><^EQ}Spzjm!P@$g0Fr=U)~{<JerR&@XP!D^=<Q6;Tfj^35u4AHa-
zc!j=|b25{Q&P1zpq-_LQOU`E}<O^5T>+$$@wm_;IkU84b0lXUpg(Src3Xj(TJVe%J
z1OfbIV4?`fDI(I$&#M7+$bdb^sJ&1Ol(_2hpx(n8B2GE)w|)5Tu?}k6IR_Uld&BV^
z!6qnj)&t0d2(xS%BEuXGu#%rZ0GXY20VJaSr$<lI9RaJd1h8+=Gr_}3dMLg^T?#Py
z*v|Y*E4o7vF<{h+#**G*)A{L*6+KN*-_9Ilg<f#f1xf4TW~IvYuXR^!C>kaLdMtoj
zjV+w7s%-d2ix5ns`E4gC%V8+Y?eJJDK&-jO!@AG})@-#Ffcl`mGy&D1y@w3!J`e&X
z@(~tYSztj;sbwDD=B@92L`f7vRE@y<BP6)O&DCMy)w_XT>%stvC1dgnN4hCs^pQV~
z86fCJMcKRF3T1pkt{cf<3<Wq~<hNaX>___8R-=wHG&>kyP2sM>C-rT5i|ZGaA!;ii
zM^yOQeY;KyKM>eEo7U8P20E3rGMma)<#sWF>zo>8m3r*99CGzJ2wA=Q<Uu_WoPe<5
zK)ir$z@#v_wuK~xss8}ed0+{%U9re7H_w>adXaf#g`rNGNt{%WTOVD&xYSqDM~S>h
zWdDnFa6oIaa(vt6jie!vq7Ay{{WzY)AfHRDlGAX+`d;41<~(#HLBCClTYLFqfYTqv
zEbTiuS?kh_)G?1jJLh1(E+xs7r9C_z>E6swN62VxY3hTdn(QLi5U^VI4DE>@GtvUo
zSAdyCW(BpQnh6THT!~mMtAwevIR1dThO8<g^b_O#NX7-siDyH1R?RDkg<yr8T%kFE
z%KT6nnNL|@eskduOyL<Ch*wDAhM;^7Ges!2>cfmK#P^u><<V|S+kOmzuvgNcvhcaj
z%xOJI3I~|Kq(fn{DkOw;=raujdXZnQ-qlh`xGu|@L);nPG2Ycit$TqNLl{vZh7r7*
z&SVnLxx`y-eqDkJVk(Q&E5gvd3{e9@pp1S-GCRN}0((TlyF+xrFN!Dl)RRG<37U(i
zB|X37=A3C4Ffm7D3S6$Z^dev<%bTqxB@~WlR)~_2g1Xp%gC-}0^)E|wER&)360VQ&
z4sT^6{-MBvbVI%xPFViVd|o4K>%PpBK+;O_L3?{nwo{}t#mOZa#IBZCo^op%52s03
zD3_Y4>=;5^qLxF(>g^-(ej6x+2x{EhfkOyIh+V+#h{DBFJO#P@jRC6s*R;NVrc}4k
z6J@LbfWd(ZE1@EXe0D?=mng(CvQ49>Uw{mrD45g~ciI5=;y}1p2{~n~+7x(vp^tmV
zKBY`d3iv7#=ONV8P}YdTnU;2I%jF72q)xL)ZBTzXVRRoWZZ8_o*xo>L5gf}Tor$0S
zrIfjBK4k>2YOl|~fEAPYq{z5P0!nFW^ln<GNjcPa>O%ZsDZNnZybNhreg7HHWlMjk
zRFr1gQEJ^lu>v7#WOkG&Bp|;|MN&!(G$rMEs2fZZ8ZQENs@s<Ma&%H;Fo?0zDGg2m
zmnnqI2rC^!?MHJ%bE8uOXHl_IFwaX;B%!oQo_+w+sVwy@RcTFhhxC6gv2{qJjg+4C
zRakTFDSd!SN++DmY{Z^1D}6(zSBmRNe!(s42-CP$PSNVZLNPEdlaJAvla&5x>&o~b
zsF=(oup&-Hw*@aT#R#SZKm<U(t18r0lRq{ibnGJH$(`ejd4fbcvzApdJ_CCDlmd}i
z4~;}Xur|adtv{XFPjP(H?#{{t0Eiv}4+L*2t1@0sAPY!dW$(4uQ6UkngVcRv0%EDP
zbq=6O1XJOXf#)G~Ab$i0erG{zPTox%hdn_!PUm@&coSnI7?n2zFVSa+3j{f*s>K3B
zj2DaKDfjjA%I%aU7wD{Q-nuU-`uwn*@UI(y=I0U`2bcg3#L8r70599Wab=X}4e021
zg@VZ_Prp=!c(pp~jPS!`E~PznSSr;#)TcfQ=W1EA8}6VqL1j-=QK9?DbajYowyg0&
zGhV1nJ6ITta%XFaSX><N#j;=$&F5*p)T|NljebdJ1ht&wdW+~1Tp6A?OAn5woV#Q#
zomf<DhfayG*;Xnx&IbKs*kG|t&MGO4ZNw!@ndlXXb*!c6!5$#|4eJ@NuUfz>oWQik
zhFa?#1E^$Rc30xP5*$poan1O!>1VfhF-kB0HK&cQBg2?WN1CLT(&z-Jbbt<HkQK{G
zz>k7_%8(FRE1XXa{XGQT%Tz+6Wp{uDp8t|<A0o2`9P@FL(@N6I#K9z6B{b~qqSy#2
z4ECbh8CQL>l@k?YEHLN`@&$~V)XH{CmkzvOC+K0%4E`>QjV%X!X+eR`o1yo4<#@mM
z_p<tLh(#L?!bPD@7osg5R$s1n6W|gs{!utG73M=H%!h&C4OWU-C-DY}U?|3rTn$I0
zA3`ciuQ>tsJ8KMz%KkyDnrTq13n#&OM!b@!o?<sPj2d!aHj=N1?tSC`X=OMwYQk(J
zf}*u1y^WM1+JTkJqy&lAr%`!I$3{my+&<emVI{QdlSe|jmEj}0fyRF(w(*$a57;B+
z4hEe)klKJ)2Z_a4$Pj7}T=<&nf}mR`pr)vo2osrb3Xx`k%F(8xh}gd9A_ts$uc2po
zImEPDNo6~d%olws5>6m+5ySTy-D*SYxMHsUl(i~;j2UY<>i6wxX?V;~Cqqb}^)h<o
zjQ)nR-uF+2f7c&1x|k%Vh?E~yQo~hsVTPAt9QzbB;!FubvAYj3=0)AT<i3UjY$TXJ
zX?JXKv!uSnXyD*#aV9HhsI{uOtgXRWI8aCxYnXIQfvhUc8Qvm>+E4{4OB&I=QT^1{
z4Q`w@=N{_Wt(HAy2xdr{f22s>i3(raE*bkwkU%Ca0OBuFpPD6Y)Dw1SqiDXt%6<I6
zio@g<)u<>K!Nt5;rB@W7R1S4e_y>90lep?+>cQI3^p!-aJzpxyK#?S;3zBqHBFwwr
zbPvEen2W^7`-`;TOkrttbEYsvCyffwaPvS9o+Jb<hThcpLmIFv*C-xClt=`9T}w=I
zBWCfFuV001iClwTtoxf2#-Y3{QzCENq~uWoEiiL}vRwJ7f@ss2Y&OemB+AhSs^&}E
z9qE-a`B5E-(aRN##1WD7GsRdqhff#LG)0;&Chv|hV@<f%5)gr8gK5;1hC-zT;ZQ0_
zvC%gO3o+H$UYIa+(_zK)8K;h+B$zxasqW}s73jop?xDYBl43s)A2^b6l3rK3fP!SK
zkz9f3FQfX9U^yuP=fyS$bY!ne^O#xWK#_(?F_Q)v=}{Q>N_ajZ^-2`)MQ#lt7Ue!g
zmW2C?nNW~2+$j{Q9)tErC9S5gD$irhOW+fu!l14VNH^7Y6;c9`RK&vk;pr%9<M<1F
zv}Q&M)532b5ZT!B$W`c1%UAh4?kNIN<lz>iB~G%(JS@Q%UV*?PIpTCJ+0cm>lX?{{
zt|CRVS$DRTa#sxO<)z_}m5l(7gK?&6Yg#zBH0byv9wO$So^Z9jfY*p2%ed=71O(D>
zPOJ;9+(}kDyGXxAky2hfm4x&a9BFtD3UUqaiYg<Jl3~g#3ds@+LX;}7%Agk<lyVk6
zyCH-4XF{}4krlMUQ(O!~VVIa#Kw#0p^F8`6XHEno!8{}}IdRGKn?EEO-fXMJLZloy
zF%&5Eav?Fk&DzWjVZ=7M!Y-?wptqs<g2^nBDBVaZz@X(T2g#{-S9oKZFBLFL3fLZ{
z)EGKZ_vWu5%}QQHz#?}c4b}`qtn&3_D!lJ{dU7xKSBOjTRoT5mdZH9zUaY$*sgwjJ
zXRZ7OWJ@lL+k4RcTqc>)CgmNNE$JA&TPdAZdgQEqRCtmZye6j#<Ii%5KAxVxHAlg;
zDPrHl<F!4GpjwFaRSQ<Cqpqe7dWv!|Fd#IP?q)QY^s<TzP3W%GyDO?lC`?iLd9G0E
zCrztgYMkXeNnxdOI{3r)Y3g$ZY3BPEJOUa?lYo0v841VrCV{^d&*a{_QU1NJ0m#j{
zQ=tk{kU9Ugp2GgzZ4jN~t_{@YaA@<f_0XW6P<lu(>pVj*VJ|7%Z~LUf8+ul|ObbFH
z%|ik6wof#^B91_f<`NB%he*AC@$&f|tsuU<n1t2}nBdq#Q&9#?@}>->h9r}s+=jBb
zb8LgZH>;}1N@B<Y&@6@MP@=KKn1R@7EIPrI0Zbo~_pq387%Ql{*<>s#nz5j4FBG_F
z*tFAILK9`4JwSQ_+XQTSqSt07UJ-iE^g)KAOKsYCS#sdjbjVy>IUC)O?z6Go@>stH
zCXI%2lJOr3R4=*V9d?&kytC$f=|~_X3(Y-N%z>I%OO$$tmVP^F^gX99Ite3jSfxka
z0O)R3(rZv0fUdG^x2N8FkY%r^<L=@u>&Hx40mKxxbpz04t{E6nzF7tNxom*qFmd`Y
z>qlyzJnyljchLcVsLuN^ee?I;|J|R1AH$!m96{io2+=u5R40TaGn79@F3xz>8rlF4
z@69RM@F59<#J`*K1(%7Sn>G2cAUk=Cs|Aq5dtQC+P#=+yEawj;0)O?ru6l2^B&Stv
z$CDNo?~xRT)?TXVRm^3gTX~}JF7&1DHI&aJ#~*@dy!>Dtbf~2!Sa6tvCN{@E#XPAW
z@vyFr3VXU7QGztx%Iuq4NXkFOkIOS_M>L-3lbpV-9q@Ay0{VV*pu12`X}cst7C@-L
zK4wk4`dx+sGy|3t7vvWdwr)T{;pnEVYsW8mtB!o%j@c|AP${-SW6=>1*tvjmrPJX@
zkC^DRA(v8wvapeq8KblSeOprZDyzwfLPTt$aHw0wBU=TuOK~Fa?Q@0k?06_qh^S;a
z6-b4#7n1cu8XP9Qsp7w(0QU0<nL9Q@8j#{BXXP`gT~Zd=AQ~Zx)m!1SAGb4*2T9M7
z6pT|%0rZa<c2%bDd3&0qP7^gl`j^&LUy602dJMEi%zB}7C7mZBc^<VMNBcZvevZ?=
z7agml3q<@~>X!m@D{EIpI+RB!-p-8dIL_rLQ-RZ5lw>IRfoQIeqQAcg-*M~xk`89*
z<!nN2<ZpN;k6-FnZIXoL+JwCW;o=tZ-Qe_CC|gyns~D>DfOh4iy|cWA)E(S+Gz%gl
ztnE@%+swUI)UNAVcm!&Ts89n;PMrvY+-7ngnP-#N>r4x{06|b@4X0}*^}B^u;}?w0
z?%nVBk{3uMjbxJ`E$2;sOFIE3q5_h~J;1$^0Fo|F{1rFGPk*^<kgR;D?j<2=hbZI)
zkiG2p8KJ)Bs!(2y^1^ws=F)nosi;Q?JNH8;WDl1L3Ub^ETo#nDgaZI;LE{*2C^soM
zr#0X~apo9aji(itnDxGK26O}w{YzeXJE73q0-{(q8X)?sm&fVA%l!oTCrXOLB5$TT
zM#Xjut15Zr7ugFSEblWL+XCcZB#{_k-W^iAp)w~x(VaXla*jm(jKTyakayV17d<Ch
znLjR&P@;pDk)nL>)Ip_)dmCc>8!E}vqTXG$VIe3!@(*m6*k}ZV?jsp+Rs7NX77`4|
z?bn#ZYry>3&}oCN((afIQM0zU;>V5QV(rl~`QiZidSQd7lLSh(W<QY`8!^sc-UH+8
zp4+vdjevD+cHM^DZGjEeW?^QFPtOP2k;c8KF_?8E(viEJAhnmKWuTpma6fs1nX3GZ
z#5^&XiyQP;0M9|x|2e$q!An95rtfbwT}V}s{}j=mT+iusxeJJ;f6)%cAP-)k`ioUf
znBF=R=e!Ya3L3J^a94FySy>j1lm4Gem~<Fm?O5y@1!=XTu?OpCxC0L)1Nt64cw?&6
z<^a*f^-QQX(Mps41>pe7;R%sxfR=~Z2~FZGkQb3wlL)kk1EUz;64q4pFAYDVS*I`H
zrlig<Ne%NS(OAzPl_2c$vOOep2+<oQjE3|f3llIUbY*huStVPB@30sE^0jJWBt^3_
z=32rcF0C%wok%eqN_|tHYZS<8o-p9VVPD&9(JWmXuCt^nI{O;ron8=r^*}!7hRm1;
z%q9(}0?6D9*L$bo9ydOm!K{iaKxVV!zCfaI(y&`xXj;>{?PP1BRgjg?w;n^TIo-2u
z5`t=V=uwH2UR(-JsLgIl&IZ?)Rj!ltrBENgw`u{`BvuBe%0324b-&JZu3|I*Ij%z_
z_Jioqpzx;Acx36w^<2iZVPd=nmx}hxg2ZiyxEij9UtmpbjFw9E=R(+j_x{HQhhkK7
zBRyqQROsL3S0jaz+R_cNPI~BQK+uizK}9Rb$U*g2rJFWtKV2(AhkdQ&JsDNU`%At-
z`aW@QgXNtVSCb0@0|(_~lfxh7tCkqy;v6_n7{E{FpriJE2J4OLZYGrWfp^g6Q`?Q?
zoFel8U{_Dx-xruC7O(_|aYr&j2_KMAbP}2bIT;&daI3wqPO~l{J%L9HjN=wk7vzGc
zZbcD9lcOcd84i*s2DPaZz_~FzSe%G~A}?yg-M2?4Pp`gZrhJX<t8`1QL?)E10%e{1
z6b6=QS5f8(CWr~RZ0JfO!i}X68EY{bIs8$FR^P#w%FRSxK?U`Tc|Lfj1f~Tuvk=3<
zz-J`$Eg0dWEwJAkj9)?=m#A#&o+1Vqq0itt2)Q`JElHUYXhrI#E@G*$R-D6g9Pn?X
zRM1?B%^XpOsERBSsEXf<+QN}Hn5eq!kAHyZyMaG+N}Miov&H0%a0*mlN237*z#KA(
zq~j(tCj#y8mz<q3v@gIBZU%1^+#3=!l1GPUxg>gqxgf42mW+y-=^u@e8O;4rc3xXf
zV4`NK-M*z&BFn}SjBcqS$GczXX=y^1p2yk28WhZNl2W`qLtv9N*~q1aFG4a6w_HpH
z^he+Xb5<5<dCCu$0VL>~ENf81QI?p}wC0U+<mwdYj5d>e+n7HPA;*j3SPm%Cgr;W3
z9<?%*Nvr?JMITv?W%w}xnVAP=;0~~@^lOcyAu13G8rvu_e6e9G))D=jb&<Iep{2JO
zQ=d=yj+pl%Dn$~S=cG<U*PKB@wDtz*LUMB>NQcVWFv3x*^h$Ur{SeeyYGgB&Y~hNN
z@dvva|Bn-ChjSTmfJrEiCjJzRTZtb;ozE#=<hG*M#21k&{i1%4UT|p^BU%M^G+a?_
zqLuI4&gk-PGkAXhWamicDxl6jN%Gz(LO~z7qDT*5fUDcy>JUkP8;IQl2GB)K;3^3<
zX{C8jx6Ty3z^{~|mosHR3Z{{+K4yH$)do2PCbw>&{qsLYN%zUuFsdc*%44!l0pA(j
z`J->y+ho=>MnVh40qcyv#sJ{Sax{#WM)i@^71v;|FwQKajhZ%Z*3yt5NFw=-Tjny?
z`R9Re8k1xYIR=j;Q<RRMqsQ6g0}Nci9(b~ah5|{}nwy}qIloWm#Ugph>%?IuTn|!M
zvLM+~0p$rsP}F}JmQ6*1w=05Y#@W_C4WU7aIaH9f3dz%d*S%R-RU%y?vLk8WQfpqz
zO!@c>{U@M8jn|BzK8-;J3>P*Ozi~W7A=6Z~&W_`QNGtw}OQL?WO0+y6C~$H=4tQf_
z=X55MDe8%~Fw7ubAaBCg4x4f*;M+WZfx64T)(Qa$v3}y4;-0E?Eu?-v(9iP>YXz^U
z@dhXBa+COuhP|XQ$Ot9fm}TS@Rlm#VH_3erA2EGaJHzv3pESa11->Ha##s21nmFD;
z?U*Tjke?V+I0d}G469<gtO=9^+Z;YcS>0TMJtVj0z#UVGfBg%^niKak`T%Wb(&${p
zV2Ya>ffE?|jvzWl+aI;x2<~C9u#&|8<zO%(LKi1Ytll(_>_QCZ5BZERpdQ)uHHoG$
z$H4$SB=_)^gVg;*(|!qtDMZd1BDqV1>ijZfmnqaqB8^21ki)5Mkb{f~wD+L~A{P6Z
z!75th?AuA6Mw(WZC^j=_iUfyI>1Sd$Hmo#1Bz&g+c`ey*X>`I=u8~}R-LfVRk)&hT
zxhMNTRBko$-he?gO%B@lsfB3@wx4WckdIla?`^<6n5po{AmrMM(kwuWB`~~^Xi{uI
z<A{%Jgqf3CCeme#3l>SP$I#Mdo<Nu-=&R^Orb|@}xz`i~Xpa){0iDl(6tc*MM~`D<
z>tN_D1zMrPizbg_J?EPslfDS>$hOqXI*)42=u7FzKlMQFePM-iB}+I#cX@YNRcjnJ
zh$=q2G4T8s*(4>*68Rxv%m2Ivqx+tBn{ct6D+y!tKq#p+EWdsoGWdqYdxe9{bMRpD
zj(W1-MbYNO6geupB8~O`87urp!sqf=#Id@Fg!rlwagic%lnImrG|I>KSE>^!aZ0%}
z6KA8NSjwG@XrfRdlI*G*6IdBE@Q%Xlfjgi%okrf0n_NT55WNPVJCkKimO9e0XQ_kq
zybX-2F6pCa?gB)bP}uVId(#AlVP(;?{NCPP?u-%bZo<X3D;f7maT!_FG;!=D?>0uw
zO2|vIg(iai)NVx2G=#+LE)P5hM`%VpQd%nV=e4*OqcbuZ+GJTbAz3D?U1gfuux)oH
z?5r&DxFiH&hTv2f0l9ri<c-KNu$gOx$%~vrTad+Y$>X*au(tYB>J8~MqV$cOLY7+#
z^Mo{eHfbIklgs{h<B^XLq}xfrgZf>tfnIn0U|9rpCs}w;)(86z7?~HRWX|%U9XIRQ
zy@mzlqLsUwcIs;rV4$sF(E~3YSvq+4g->(Am#JmIHzUv?Caw`Vfxa;6nu2?eu+F)v
z9^x*d6ItFg$4+~?*aa&9*rfUs{WTfeBSRuOu>$d}y#nwOdOp}yAS~rvC)vSOPRRe!
zo=PFcIJz`%WrZ_OyI*zVO`!zctYtB^kkXeMn(nU^HIz?Y?3?1(7ItMLmbylJg}pQ2
zydQ}0O04}RQLBO9f%Dg#dzZo+TY&wOJTy0dS-?>!$c4tkOZ><uHz4U8^ciz7k)KP1
z>V`47u8-)g;;MbkCg}=1jJqImG1qX(g@%i{;S&I(Qhi7CU~Ls5Ig)@STIZ5PmMKj@
z4$ZAz8y(pqh6L3w0{A6=tRRFJ{QWOuNxszzA#_TiL$*I7!J`mb-(m3qE3t<s<<ztq
zl|YSdGqkC?I~ToAObUzPnSD7)G%#U04m*WnU*rXG5s!I8yA8H^N?QQ!jS#20_82l8
zGhjcVEg7?Rb?xIo%IS&|e}RdZpo|DLE^?sHrzunx+EZ5QL7iMt6G9neE5DNE!K42=
zRUwo!|JTvL2}_>lI$VGYoT&~*+Vl&e4Irg8EJ6lh(igqbOoGju%Qh;`R-uVEkwczp
z)0m~2wscEd;VayV+(s`bZjdO11RQf+AI-t#^>=FB%VvYyis)pBu1xO&dD~}Ju;UOb
zHA@{WmkRYP%4)ft3L%!aob282U0_XC9<M7nP!{1I<xG>k-2d6!!Xq;`M_q!f2ss>M
z+oaVMkOIf~TdpeB=Fei1<oA+_cY8Ctu~%0tC1@|9pM}Ov6wJz@;q@lNu2d_9=w)>V
zW$W^nQ95oEk?HmWq1DL%`?R<#eb$Vbk{R-XAm^%whLYT$nvo?U{w@!)2VlEoO&NxX
zm=Z?Hnl%%MV(%aAxaDWD#;5HEQ)@nAj--YpHLd8djXtaZ`&Og~{KBw9X@C;wfHQ(z
z8ytG{H1wkS-_c1#R)t1#r-3lxp_n8fc3AANsZ}H>dU*piTK`4yL%q9waaKDjQiTPV
zF4UHyr&b(r*VHu|Z~@?Eiot(*lCOCQ4(A}qT7Zv7$!myO%E16+6B+!o$GG)I5NvZ<
znTVZm+476db>5fOjtr^XeKvBxHL~Y3BE$m~U@m)BoU`pVtOFql`swaFq|=gNhQ6k7
zJNCzu%tGv{ur2&%9{}{=lnK5L@Ngzbc5?vr2GdJ_wL}Kjj*bg|ydW}KESoZD?aR?U
zs~}ow$@lNw%~I!7VA6i;gtVDt2`9RfA&MDhvqQ+g1Z^uJ=<uUg0G(#O@}#nZ>Nxlu
z52ISQ^;_z*RT#MMR@tP{aQo{995$ioDH8N$$UdMxd`qDT`7V^s$T)ju=|Xp)&17Nn
z-5H!7mWS*-WQA*$H@vh1r+TjGGnaXRz1j9X=96dX&z{`(`R^%MwMtfTNQ6o+^WD{7
zZ+U7ei$Ip%GPe=B(!^NO79i&q!szWV?`xet=XXNm4RgCl(ju^cuh&fYC4WXJFw^xw
znyL$MvP8}benGg}6~5VKyai<c(Qpvwg(0RtOANSQI1v>9<n7IdS^KG_u9K2(uXeTB
zs4Cn{7Yj#BSvrTQ2yhFFr6eO&f#}hKXE4%iv9>q8?g6;FlClg<a+}2O4<<IVXYE*r
z-7X<#F_|ye3uIgQ*RT)XHTrorf$<?QJP&yGaleeU;Ok^&lqzp7YAQFZNsl!p9C+Nz
zpArAwa40h{aSkpE16iminxCfabUwHeq>%i>3p$Q_HloZ9)`VtnQ`eFV`V8_O$*0la
zlG}<WS-hf%eR2a;6!*)RGc%z@DAHu9Lj|2A7VWV9?^iz)Kn#60iou-@hazGp5!3qq
z(s^VFtq-&}R8HCxs2_%OlJ{qwxoTIajih%Rks;a8*RH$%^l28;n&(nBQ0G9l3?ej2
z8et<zKsjQ7lGd`GhUuI2NnK+j*$_e(ol)aOX0INBuTfbOS{BCC%&ZVq$iPRTZtx=&
z)D46LBFS(|aK4Af*|DGBd*4pI>m!NAP(NgGzb&UXW@kM4od7aG*S3?cG-p6uxl8Ll
z(D!zv7K7w7D(L1&nWH7UqESgllVez&tRns{;lDNM>i|Pn^n=CIDXFS?S}D*M6o*5~
zpDbS*^;wO%9b}oA5VCx-l_IqS>ev4OD}zD&L?3as)cC=u$#VRs-fm09M<(-CW12}t
z3ggdg^={ZIHWn||736pvZAN>NH1oAyM20EPyeH~2lkD?Yj@zGaHn}(dK$`@!LB{jU
z9z?o%M#bM=Ox!NW{3hl$!CTQ!S>=bSS7l2=c8%Ry4^5R+e}8yJ>cu0)KzGj<mjd$$
z6--ngvIi$~;2lm@HB*O4YM<WP>1StnSER!(K@^6tu&K>HDSZ`Gu$x0B_9%?j*%`95
zI^H_X8-?yBU4841;@GfYO*D4nLVLVaVov?w*0`3kegm-a-!H5oYk^5*BpS06WHerz
zYf9>m;?QyHqgal(xrzi)?}2DLS5Jirw3kt^Emm30JLfYeM`C99Jz!4OvI4eh-3R*k
zA5bNR5z>=q8YjrnMyll*9(vBhpZ0sb^5L|l4$yL0moZ{zT3p>FNal+o@%fj|yuj7?
zJtXnP21b{#9J1c>H*72O#IRTXCxv{~ZmSrEjPNE9-bYP16qW>xvAFSeGNba7<8NsA
zawnmFm&DK#49vpa(SKGg5UmSjDMuI$aST|N1Nh$xWXzR)NFzPqC>(M_TmABf(5vS|
zYmvwYXOUxp*4`$8u!N*0hb>MNSj2%ROKj4Om7jjSu6`PR=`V~eiD!zsI$;qWnLz^{
znbVWB_VP>UvHsn<u~^J<1XX&~UZZt<#Z`Z@6tXqum9HlqwM9Oe!)hbNLkkx#?kVX0
zfLw0aoHx*k8QN0-3yQV@7$bQ6)nF$*dD$NF#l{{|GA3=NJuu1^TK?cA>D84d%z49V
zB+gxY!j!LJQ2I)4c{OCg$ZU_NySvyCE}_}sqyp#t0=5+>@8n;78x8UN=9-PwFim+`
zqP?V{AhL*@)<th}1K~(de;L|W&&By>$`F)qV(ChOAH=5m?q3Rf0b!uE$6t@N6FAXv
z&UQzzeU8>y760v!8OMjxO^MZGbS3R-3nG)_G&8~w;qSkH1&;P6+S4@?n0x!l`rDUa
z#egB-(-;$gdQ|ASkA|lg9A54|;TxBd4Ld@~#n)1$no`J^pP7pQgOj8~vz5Mt)#4eV
zF~qAGjC?~|>UWPM^Vb^TMM)6n<DlAQVZESd+yE9~7&(RSu@0%&a{KecDE5f7p17B@
zQ^D);jL2J<3rSxTyRff^6^f4EoS)2iL+J?BEWX>A4z@{}JrM3TeQV}Z!+e@zM;r9z
zjLoX+N5DR_L93$(@gb;2&S_sIZUxaye`Or>=FB14zhcom<H-ePo10f~5(WZ<9x+QQ
zdy6qlg5EbHx#hol{+Pc{b4r(`Q3m!jxw&LuHW^!^_m<;3fwcqHXL-4+UGd+{zi)Qx
z#DPg$zdpF=?oZR&`Yg9c%!7z&^!tWYRls@5^TsT;Zaw$CWdXtu=2SX`Wme}X`z9;)
zn7=gx-%Hole2+5UHlEKWtasN#|ESUY);Xd6Ad}@sLrPM37wI-x#mAGv?p)N%ln1(g
zfYXh5225Q~*%*H4t+z6sq;qry6j@@rr})9!A))Pi?g4drz4K;INbkI2E?IB;M@{h@
z(x2ObfDrR2$clIbzmgopqW)Uv0SkIUWhs~G3x$%!L=r)&D@NZ?;QK`EM1B*$RpO=9
ze|$Ug;=)`UyTEKK`?}*Cu^{olJ}4zOG=5G=^4i8c1~yL7)eWnHPF>cbqFnDM_w;y^
zT@K&!I%m^NE4ABgxq%EELCU%X*qTbWvy^l-5DtyMI|i`v+(B}DxrBvEUyppE)@^|$
z0}MGniTB6Ki1$Ziqy^iRE(oB$gVj92<8Mkto+~LVaa1ymF&lU8QKMb0L?6`J%kcMz
z?;`IpBXRAvb`ldH$S$XXm%w_`N(4RMPZ$h`1MQ53%E%WDoeco3lF<Yy5tjt?jv8!P
zd;taVc#>9^m}cb56YJgWMsrO91QS34JtU=A<k%MBCEc9`6Hxm{rB}N^;T3jQe78-q
zAu*Vx5EW|hu3)pWKH9xmH;^%z5rV?p+Vd}C%!TAl8fa<o!@SL4?{$N`yuf85!w2(`
z8-Q0Jugx8L@{755MN0*GF+-UcX7a~M^9d6{i-tyBSTTQ_b>rI(h6fP>sqdn_i_Yv4
zh4=s|@^22^b+VHAM_h}1yC`o8<bF&BNlV`qi#>2cf-JFqM|?WP@N?Jg%LEd-k>ju;
zn`vS%UI}BUHFX3XXba8^sh2iE9o0VP_xb02){c;IpHieCvP~dG)qPEMk%o`y(^Tih
z<+11vD8C!B-7u%>rdxgP6MEq#ivxs{ti|<pGt^m|w0;hkeK%NLNrY4Cz*YLpEFPgp
zjcUhxS6=caZPwyM7;N;_({La_K@2fX`unW+1wX6c_6A~#=nH~Lp&n&m{&Dq(WNM!Q
z0bW~E0KH7a_I;Y*BEgf!l2|y(l79%{`$hh>JX@>&PEQVe>uVWiUsK#Cd>=l1hr@%q
za^ZAhKA{~<+(nX|m$9Vcqe2}&BMErlc1#e${Be!$jtF-!yMlZWty-qWOcfj&S5u<i
zg>|$cGCQpUvx4&60%92NfJApCUYR+GOYT8NZGFR4|A7tQ|54o=(U<Ifnp%AQGZOaO
zI?g+XA!XH&ufQ0$<cuLk)f1V(aj+1<CkA1HH{iMy3o+e$g0T2UF77Ey@f)qzM3D%P
zou`G8V-UoLt}Qb4w_#%XF<{&pxo0&uqV8d(F})J#^#iLUM@=)l{41UKMNl>%%K^xU
z63LJG0hG5wk<?OspLpRYG?2J+U?&S|q2bC#(+Z~mCe3YfNTWs!nOd@bGpjc(0SB|<
zkDSLrxA228kC#z8H3_nBz>-1u>nO0gH|bm^#^5m#eok!qEqtkya~Vd@8rGG0q8m{T
z(?#~3WI-x4V)iz%JS=bbd4xymP+MBW$xfeMthyM%>^w(esNt}QYN?5%0+_#dcTbeK
zn~+V{*EWgM8|M3IhmX_Jcf|E$CVz7C{R=tT^|tYH_h^_zB1DaGk}U=f1snT4bu|TB
zjtA?>i=x>dkkKf?i253TvtaoeO+ur6TXwvliC|#LW}md!nrUm5x6qTFswDmeswrV7
zL~>y82V1+1S!~7ZBV|aabeIH+;@US8!lvYXWJg;I;F&0J)2b!q>U@L^^`vD_^>5D6
zZTi5Ny@d3e^@Ps^dVeSk&y?d_<CclJ%}ST$ocBei<3IK4Oo-GLu7nbQT_gy$H`*pF
zDBK=#v{S~@9R-IO(eIo55Yfo7IZGpn!x<W-W(0ou=YzSNVXH(nNQQCW#E$#?&|o%p
zGMwrhyJ${-=Imy!V(?2@^<^XUC#~^R`lmz%#N{J8W6tiPZm{xtd|RK&T8PMV>0!}j
zt}$Q+Ii7Nvq;1Dw2`FkUW%Rd@yPx|#@E~^{l3lK~u%KYvX$_g*p=g}s{aO?>9Yrgb
z@_X<Mc%Qv|EGp7N<uQh#Q7468WChHWd8>6lCZAYSBbufXy@PB;TNvAlx@eXEqR(Rv
zaIbOlKXxSXpuY-dCHTO9_gm%gSgdjo9R-~y7(tYyGbQq-{ob($R~A~>_1vwM$j2;?
z<gQG5Dg}qcC%55+86wx2@QZb}hO@icUN4HEDP&D0iLAoe#%bP0#AMw-!~Y1E85!X;
z@hOBuMl5?H0~@2i@C_Q=$q;-YmhvI#-Q+%Ia^j?)UK3`orvR(ZH9E=BivKp<V2pz{
zxrs76<2IY#x4mH`>Q&H+mbhq-E*&;mFxte|+~7dkR^ry7|2^BBi>>R;Iv1wIaohtP
zCUYpHtyxw!#bBBWorlu%!2KFXG|&vsFvyH>YQC;jYfYm7gKja9j(PGOasPKmZ`O+5
zos#suF=mgUNfm7c_UZOuV00*$OUlgRRY4w3w-Ot_>>R12?5S~_)Rq^i2`{jvRiOL5
z7}7~rGIr8*Y*4`kCn<mMD(_>pWP3v=xqqzWWGQN{aZUQ;k~suPU{EGQOG#H`#4b+m
zYj{V#E(Wr&dXDiY`WhG<HB+frjfJr1k~Iv<SPH{J=9)0p-)H(<2aP-sbWRdi3APVL
zpS^9w>Gi#4{B18AZs|~Yk+C(zt46<>JJoPg5q~%Ow~-xUg|3Z(dd#<w(OuNK-hdqz
z*aLisZkeEc!61U&9{PKId}2j`4mKAo$mVi{S+nKjU77z}`$9{`XA|@&M(at@Ns{WP
z$s*~i1ErUe3|kUvrBvGbH5&R%oKMol=Vnc#I9xzqconUq^sLuz=0s@h*3t-DinV*Z
z&#W{IXABz{Q-=eIvkZ+^gKdID05cUzU_`GLv=_!O9qCa7ETU}|mROcX4Ctq=(bKDG
z$IkT~2%iH<0He+IHb6;>PY*&D7m>g}wsj=S64Jv~aA>G^7m2VUDNmOJQ9y|j9Z2Ln
zInK8d<4l^kG8{kFXZ;2595%lO;wj@K!fpd5xunf6$#sa@{08criE9`$ZPL#_z_B>r
znZBE;e254Uy=8bUH~M&vw<k;*MCg}s4K|KMD=^Q@7<uw9QIqv;(~NOh+Yk9yuXrzV
z!)G+(O^A`O*ofH4jC5*GO2d?3#KfcFGHg-?ueN%3g|DZ;$ZTbg)V~Srv}XDM&)*3o
z=>d_UDa92M$ym{d!BRql*jW}NU_o4eBAHxw2Mu(I&&s@fvY<9%VG3d3t4f5>BC<xw
zAZ1Qda%;>1dpLJVM}{RaU4h`w{l_fT4R|LSHaSF1=EfL$w;4-U2>rlYlD6dp4t|xp
ziR>yxe@0Txuq0QKmb%6GOFk>ozEGJIIm;j$Va%|snV|Hp6*oaf6~)@GRb4+1lOC}0
z`Q`r=4?2xP$5IC+a<Cw0TqD1UDOt)q$Gt_57?hNINb%mVaY~GRg<an;HKb*)-yIX=
zjvvZ$_Jt;ahk79N0i?Z?awk#ID`nBs;oggiw%_L5&cYQ;IFpR#%$+zeFJ$Z%X3Cp0
zY+fwSL<05&((Btw8M(*E+Q1~qig^O-kMen(RM#f_%vuh8Y9BUuIqG5Z92>O)uZoZc
z`a%hqL9?G{s4P#+t(Zv^rZmRbEe#*rOrW6Q*E)<Svv|x0d-{piqTe4(`5>0h^m>0S
zxlVVMTNK7vudxP-nuX>)9v`t2)-67GGOzJ%X3_&S0+=>yfJ}tu<xEPTl!%wV-Wo#5
zKZ7ho+JU1=bf7#~L5hBO)ZS?N)oT>pBZv|%Gdm69V~&GffOI{tn8mS{!6>2~_hH_c
zwObH(Q%nIQW|X`QwW2MCGTZXE?!OVF%nsFx?w1x*%Q!71LV4XHg?&JgdcNRN63UWP
zOglPjv#YKFE?S6RWUO==Hz_Rne}qb@R-`H_*_mU9lixTsGUQ25fYsdY!@KDN=H?1d
z^uYoJ4hmi<qF8-k@mt0DosKb=rCwCMPTp;{awaQK=jm{;^uSScU{|xXAZHY-yypNz
z@{6BGVRep%%s1^y7CyO(I~U8p6xq>nO)?baOz)NLn;;<-{WN{fg~uzZ2NBD*00iI6
zB{>Xpi8Dop?n(+lGF)1PNy_!4nqa6J?M#927nC*EYI4VlGn*@r18Q(fIo={~c_o)P
z4eivX@^%*Gl~g+|NY4Rc3z0L=&{B@i@*MZ>{*_RxR-HAqUXkNA!SX$cIDzUBN3KmP
z)iehv%aY9m-kqga4kYS0WypvXXU<Km7%lI!(#y=Shnox&xsFbK)@zVw09vv%1qEg!
z`Zk2s1j1E7z#P3{D?@6Eb}6aB=mRr4%<*>1tt@z9(E0xH()qmDcERpXf7X_~1twH=
zm4oMBQ-RZ!WBI8*q#8BoTod>G1#Sg|Cnwfd{>WuR%AGq~73T~#H($Z4uyk%ATF&y#
z1SxI$?$Q|*7KSg3LCi{V@^;RqJT>jkUqr5}cQ^f5g4qNiY$UL*<6XLTwo_+}fbOx%
zPW~Ol(f66WR9`1kB4cBcvnAUUu-IQU5cfL{v<4u2`Cvg|E|@+~U`NxpW8t(ULvXWv
zfePeD&X*fIHJ@>WSUD5S#I<=POJL6fg=D{Of~Aj9M249?k^I~*&iRENK9;UXx(C3~
z%21ar=za1;M05UWZxB1sFy!%QY&${b3tP(b2^l%mWO#^v(`>whsq>Wl-CBNF-g1d&
zObJ$B{VcU<W*@uj8e}z6ES)v3o*Y)2JzhxeD+an`CNtsN;i^(5DqqxAOg$`Vb-;j{
zQv7PdINBFp5|%bWZS>|h0c{kxY}^RLo9IMJ#H%;S#VT^HyMq<IoSWq9#Q0jJl5xSo
z`l^_v1I|CRQf519{}>wOSrxwz3FOj#lTW<%An8z8->SA6*p=xWa&&FYpDmDspFu~c
zR-*MOjuafWB!&(eO5c9te?>G{A9ky6z_FCAt<%xUOMV##p(rxN2xEFp8cSwjmbC)u
z58}A<6}~`fh{#;cNr`qB+7bm^*y-w>sRHe7c9egam^_}^K17tW9C$%QwjvAqRbR!N
zJxKDEQARWG?s}S@K-4EOt4uCB6RpzGF9V>MPbIFJFa!VXq9VBzbYc@8stBfmNQebz
z6<aru5;C`dO;}RBDmO5X{-iL_%r(p}>G_Pjbs3E9zqIYgXw$(7j)NhLI8$6+vfhF$
z6u(BIKN;PQqlD8J#h{0nli`@tkq4HB06AqjrW5U4jG$2{PZv{tm~nT@ftik-pvgDK
z^;UBACTe`iGPEf6v3#7-a6a02yq!y#Ysi~XJ>5IzhJ@<IFMaBL@rJ#D=+=hw6kT`U
zNvD1uTG$cy+vAq?zAjO+H&1MSOCp%cdvem|ZyB*OtBpJZaI`!j>j1+6nXwGHnuR5c
zuxRJ9;LhrX52e=vml-*$EcsD+WKSe}3u2cq1e!^2%=|T~Y$!ytbaeXLPu)7(7Z<!P
z$Ld@rKV+Q2X>lpi`rtS@V@BC$g|X8>3^(w|-j{tw3Rp<|snTKmlLD?-{VH70g&*{=
zJQJ%jrE5seLe(SYIF9Qa@)VuFKgs^BbiUPueajFL2ucgaFw4Z^tZp_?dw4)NiCMP6
zm~rICZR#)e)_rqZq79ZjFoVOC!7`{R`=x8G+urM3lKkop>b^YdzRWXe6|q7b_4KL<
z-$2#-1l_KlA!P84k|W{xcA>>m`cvwZ!^<}hTc6CV=qxBy=1&`FFA*2N8ZK)Ig&1tj
zVkWD`(}JUkq;iH{H*+R5SVi^L+c<?99>Ty8lQG~jXDZb!+oAAXD`_VpAF}@~!zYST
zxHLXVJNr86cR5N&PsdvUN-s^e<n<QZJ|mMdJ$KBUm8RxQWoG-^L1r-Y9)Jd3R1P2d
z%J`sz`<j7)nDwl#0kU*pI?7NEY2Fh7Yg<R@eNx7Mm_!x4%;``SGn=OP{W6-JIdQ6D
zrhW$O((?;xMaxYeBg))w#lvggE)c!E3(`w^_%|?$C8Tfbt6p2$&xi9=bSssJ61tX6
zQwIJY^zF(DQex2%cG8k^u|eXXSuie=TZ6Ri{E+;*2W@L3^ahgBE5+}dL<{0h6Bb?;
zTm~TOw!NtNOPAfSr#;c5b$UAC;wZFMbV~{)@L{Li)uKr%xJ+*!iTB$;*d3Bak+U{a
z@JQ>f$e2=M_tY#~)iiHnrKMR^6Ra0ct0w6x8U^wVYd)AUI+UNKJP`CAgHKk>caJmg
z9SQ+{O@>&Ku;is6OGZoRFr_J^M8txT!M}7Mm|&bd15cShX7bp~9?W!Z1l*1&Ts*~7
z(0;14+;OBXdS*7z#W~6g<Zoopm7e`-xE2Yu=r-5TV>xt26v(5L?ijA0vd}kd@Hbu5
zZmqBYt`wO1y`gDoL9%R;QwR#SF_)8b3Y(xyj@BRy+%A3V$x@yFn@{&P8vvi#h;soM
z)=IA$TCx_@G-ca3J*TfA(%{cl)RLurDcT-3-ukwAOa|bk$7_j+!wCm+98W?ZmKV$f
zl#lS+A^;X3evxvJ^dECH1#>hL5{^0cok8O1954oC7m;NR?J_bH2O=lIJc_*RCNokg
zx&JU!xf}~gmL5=HX@Avy@2xF>gM%0?b?C?xnKqWvxj?P&Wt@Q=Z<lkZ;nz$c@FRU`
zEVIZXjvAp~$*4?Y#PYHrbM(UJjOYOPbAzv$#*xD-iGO23W@02E3o|*QrpQvPlKU8d
z%d-s-+O+-{FBwZQqM>EtD~2+v4W2uV#)6c5Ob7%`II$_bD*i~nfQRPvS^D%7#Is|s
zfUAx$G3{Zu$eH*u2)#09XQQ9vxR!0hc8fAN)IuZd7rrxazlb<WypN%MuYOvY!_|D=
zS_=Y1j+k_E&$a^`0=sv&Ak5xtK`k>Tr(JO}uo+~jUaTNsP7I3puO_C8kqw^w;470>
z8ap&a?~@~22=mTCXqk7NfsLLqX)mJ!(UT`PH!#iOcbStS8F|Xqh*%<8+nKO!-tZ<q
zE+f{^sem~E2u7N>VG4_SsUWk-(yDwr7+sDtE*NcN&rRr=(uqNyP`ISUCd2$3p~|KI
z(uxSMIP^RqT#BuCS;NI(Q|602ky2*P$}rQYY?u=6mEv1E5v36rPKxwNOAgzwdMt(+
zCq%R~oi&7Zaf_dC+mvsj?89!ebSI>M+;}hJ)FuN*;-WblkhU;7d7I=a%FiH?LMgHz
zVc*s->Il&Ql4>4{{0=hSfy9t+I|DWoybyp`jU4?5*i`6y-iJguC1n0#Tq_)=R+l@g
zbpzRA=c3BcIA>ULW8LI9fXqn>)!^&r#dHDTxe3-xqQR~i*Xsn#`apn+CBwCm60HCC
z`iemqe#Xu8BE0laHKF2l236(66bQZR$r4wb4C^dv6%d%UdK`E?Lva=wfAFI5|8z3C
zd=XS`Bp<p^CkY4+A2fS*x0#7+1hp>2fQQ9kGyJyR(9iG@-TQ_=^Sx%cQ{$m1&`q!p
zR;ddze-<rC#iM!@^ZKiCBF8fmHRNnSI?!#Wg3UAihErmbXf4od$E%t`W{QS?Hh9Aw
zY@SHpfZmaj;ov`E=LR6)u9gY|<s~6qL5|4iZ!`pdGW@&#s1aeK_X$0uwZeG#bzu^c
ze6q>(DQFB98m|FYGUDN+#nx~#fWDsC{z1_??mu2<zt-z4@H?2}>6fCsyHI<PjnUo`
z=1w*I+bMdNa;>gD#HB0b2aKVp&%yAwGPJsg)<E8HqQ#P_&73^ZA}Xp3eX>g36-b@|
zer$=p?k#6oqhyC9>)52p0v#d-KAjOZ%WRfSt>PH;8u*26wpBt_Gw-2Z5_nw+xh#2*
zn(#Day?A6zr+oicouL$c$uJG5vuDn#;iGTZdD(VJUI0XLGv}ui=d3h(RWUK16QD;#
zf6KhXCllC+cgN2tTp+mp#}Y}!iRR~ch|S58ZYuWtGVi$*oH$u94dh%9aUv9v)7$D(
zLAXJOHv9%<9!4I---OSQsXG!;2V6oN1cIl@pw*>~(2`Okzsy7`EBDon1!9{R40C_(
z14$r9q3+~AXKMoCAUVGpfF|XE+3lAVWo}xPtRr=PV^e~N-;3EP+Ke?hYeQ_(4l3C*
z<ezy>8^Bzq0ru0DI(sdA{Q290f}0A}l}I^)(F}*DTYY86nqmr$D6lqCKw&oJB*B5$
z7d_TwmemqrvB%?`J3{kY2+WE`1}DgfX%PQ;5TVbNcMd;UU-N(1d-J%ct~7u6vWN?)
z2{vwk*o}dn;DSK~6~RPX^cM}u+Z|Ccief;cEbgF4p~Tom0S%LgqTrIzbSnWxK@kNP
zM5BU+1W{xc!3Jd&L7?jWKIhz96jg<>XXZCE?>qj}pAKNvty|}w^E}UYJ4Q}t<gBPY
zYJ$FZE$K~j*K3bM(0-f1IwRWNvZyHw8hH#-K+atf&5GfI^B=Br<VF!}my>5Xzx1vX
z;lqGFgY#}-($K|M-bMNX3ij@k6wDoi#dECAyPAR6qJIZ_RQn5c$!_g2=I4Sw6I)?q
z#aM_4y__V#F?)sI_sARUvq8>0Fv#=3sUl(fj(a<GNjc+Mv&}P>S)(ExRo*M*0UaV*
z+2BlZ)6zIg3&U6-vgGbo&PgYGT)n;ZdA;W+_3vVlhR8ne;^w__si=lw^RT4cE-3o7
zOOWL?WerlJFo<giT;6IWucJJn6J#4`Kk4ce*n%*))+}YIfzV};M%N_eF1g1T|8&j!
z*1klwuk)_RxY*+<#YNv+QVS<izEKfW2m)eZI_22}oa*99<-~)BIkfb7TN#)`kxMxw
zL}k%RuPN0~skvK88$$^Ei`!=PEQh@H%Kul0uU+JRNCZHYkbs%QA#F(M7Dm=9F?|Fe
zs4p7FuD*VmLIhmmAAL-|$lCdE1fkMlu+3na&cQf9OGHT3$UqS~=LSdwM-_H&I_3Gs
zf|P_bGny&Fl2$X~LoH!~IU{2pC@lT{yg8%&tQg<<gQ%w~#Qg2YBrp0)_jB>GaogVe
zU{t~}S=7Jy%%TteTdYHkkJ<$#lu=XT-S6}eeC#TrWa%nKL}8$rAd|kuWPi@d?K}Ly
zXkaG3=PBC-BPaE&g#X`=DaF?IzT8XrVp3xSFU>fI(pXfZN|_AaUqGq7D*JF5*+|Rp
zF$+#e1vHsw)_NVy$94;6xC!*;&bAlc4%yVvOiU@w1YaR>vyx_%-v#YW>0$3`B84^N
zbw%<MD;3S~h1wMzB2xCwh>T@s&KNm6PV~FDTV}hXV)#=1;v0)S{`J6^oSa^QMp%Tk
zN>{}{*uU_qoss-lF2uMsN%m6|f83bs`+3D-6SH3~!sPse8i9g^NX7fwj7TvAvI085
zA_W<YQu;BBmW3|vkx=cbq@>DvGuZ8ZV9pdreYW2`zT>$kr>D?1u`8Biz)>1#)VV_T
z2+=J(sR@T*5muV{8k}~dEm{ImOX4lfGnKw6*e<|)JE7sI=w9lM@W_dShytZDUU}+g
za8NvU<%7RyC&Qy*;xT{k<0@;Q9b{QCWX_~pSt2Y>zAg<BPB@&3YRPA_d7(C%7cr1Y
zKBsQR{~rwiaLm`rDU^sNwSNIM@OLa+;h&-R9Sap71??O@Wk5k~z)`b}<NSQmVqFz&
z&|+bf#)gmwWC`D7OO8@;AL1<Fl}}4|o0e+Py`(TjUy#xq)$fY8UfisiPfSZT%NHFz
zZGVcw@|yfUUoW#O@Zln#*J8mr&ecL)6tuGZJY<K@Y)4!YC~fiqk~RE4Wu5=uK+jXz
zG37|wIhIx@syHb&Z}kMG4r6wbvWe>c-Y5w=J4zqSRd?Y=^Yjlq=2*6Vh58?QCFlwP
z9Y)q2_SRi<+Kz#%s?|yTKWLGzg~|nG%AqqyuqPdSJA^D<9OtTAR;ztnYI;QLa@b+$
z?m}|rBq9BKlL|-V4Hjh|lQGK<5OcK|&UgKh=Mi-|>gU|4*6HaW;OePz;CiWDf`_rh
zItzGr>GCDLqMI{k-G)*BQlBlq_FdH%er;+m2A_z|uI)%TSNll^?@`5BpOb4@=k#}p
zqz80Qdq{vX5}<a?!wVa1HgYGdOGFzI7|Y>yR`ifkH+#QQzL6tsxWmR=n<e^8bw;N~
z41uxq3gF?bN<Zwiu5gWI2a_|zyJNY)xkBW3c5(F(#Av*LXy$-zn#zBb0e!3Md&0<#
zNnJT~GwZ*NcO?_$k_MT@zqRJE)-RO_J<NWZ9o)oOZO{exeUwO0_|IDXfP0H}yj~R@
zbd^mu!awcx&8&FsonogL_+ln{cJIRWw%E26Ywi3tH84D~OIpl9(Js3>wNgyoX-V_z
zhF<tpBrEA3JzU+vAd&sGP)9gh^Vn1}oyN2@r+dlS3Um!H_nT~2F?_J5Au<4xSKLX7
z=F{1W{fBO0Xc7?@+8*>$w0px$DcgCM7Wd?T`bNI`g0vEPev6Tai|gQiF%lFsYhM0$
zj6H4`%_i{nt*`FiFGP;vzmJJ#UDgG&iCjAqTdI)_q5d^#{TSMqR=+_5q^KlKl9cvu
z+Ug{1+SjZo_3iU$JSfjM{s+?Z9RIBSX=D@2u1wn7Y{Y-0VY4q91QIMqy^GwGhqtBr
z!mBp_4K1n*S`>NcYx0{k9cceK!`#T%rZAu)C39rp*IUSWlv_VwQVO7c@)i}gOHh5-
zO_A||K{n-osdKpCjoLwEl2lcN#Nk2~w$J$ZjZ*w>At)F9hgU>eIDcm%bhe`IOaT(e
zqgQ!R%wYJ{*YvtfrB`tugz127JKKU5-{8Yod}^r&qZ^?5cdlv{*4jBLgS7tmm)~G8
ziN+sD{^<1SIsb@xq(+KDCXrZ!2UrWi%e7kv|7e5?`3Lrr6yIpWoPbw+v{3RL##)H1
z7!I05ls<{mrbK*(FIWp{PQ}eq<w~{k)Izwcswp~OtR8MTPO8vY$CS5U<(rPYBSyU=
z2k5Jy{f&#CnDTZAIj2i@y`1qA^^3NLse?1&>ZWdiOumuYZ&!ygvSW-kV{U<y9bk-2
z0Vmv;l6w`#E)kl#=Ut8H$S@%H08os8A-9oLDR~FL^Gc_KMAGyZK>hDOd*-mKVz|)p
zV~%a@)@gP<;-j=(1{;oih`|z(6qm?@#$_=5b4OXHbc^z9Zv2N=;Y&8FRT<=BmzG)T
z6`xYP)A32GdyB-cGfreAr8FU9Q)iFjMZwP-lt>|K4D{9fwTOQ+jGGy<4@x*AeRvH=
zDC&{bv0kz>ozDHFBw7mtH&E|)wge={M3Dlr(S2nW_i1pYZRLSva4Ql-TKzsJ$InZc
z{_sykT$7ktn)p7`8q3mR4@fRboTEZje_By?)}MG}+jho~WPZBHeX2NI!92;Ya_?kv
zpsIP1xEgt=H!>GW-x9UyFIw-PlOQx^G|$}AAjp|7VpYvI=#gN_ZSBG9MsARD=7}^Z
zh`bgJTT%@g%(-gWUY#g??(<0jI98kF7IahLw+f7{)Q_P2X2lZb?ilNQ_49Vi>T10Z
z?|d*L9%Z&CHj5L9pgvF1HpdoB=!N(cr7V?cswujS&-pNo5M|Uem-*@Q_|B-G3wyv8
zmj%0Fu6Th>wn!DXF_h`OAZ=D7?l2C|eTB7who5A<B)OtyXZxCW(+)Uu+>4%|&C1+V
z@{{afIQ<7*<1mLjSI;~c8MaSi1kgS~1FQ;<xr7AX`}*$Zs*f%b)3%9EFAnxN$A^Yr
zWWooe9rgM)iKgXO>|6Y72k|SK$%;60HXDS|GiG|$lugYz1`kCEn;nr+nZYvy#KudH
z5@L6i7pD5*sSTqcF5@Kp-+ddMjtxd-FHuw(rI#IwBYE$5TiwZvxhL7BxqiV+U)x+w
zs1pO`y0Efw%>`WF14svhE!Q9mp$nu@knb6d=u)rMcPOAh9O+Tl(=r($Bv=L5Kb+6^
z%nFpRny^fQ$o2blg9QrPCh%CIJC&GJ&YP!fR*BRcZzmn^#6asX6{1WC<zA~{k)=f9
z|L?v{=Tku>zcr<0363$7AeOe+bbJ5mMkDMN+~2_jFi=R=*2Jiv?LQbr$y6GqDBpKB
zC<&Rt>VEpdsD<X!KXO+Io4F|Jvru7j{wmV0fER?h_lwq&vkY|5_CSOB=xi%&JWqpQ
zTGFmXM(E3#b4pi=cKJOuq(fe?)Ms%o!FIb8s61>!#DW`#%&$~eb4xyz16PF%*reF1
zlb3&J)CP*{+&uG1KEvdvlVs7h9KAUe5Hs)z*~PeiT9Xbl^AT!e?IO)2RHe>#%KfVm
z3Mjr**@sFZ;wi-_qx6e+lJ>h^lvX2h%DNB#!mDDI{i^Z@p9qw94C_ouk$Og&LNUiS
zl8PqwR6gL0gvl^K1?>c0Lv&%V8FguO`0~fkqUk_BGC#1vie-ok!g8cy*^fn*4)!R~
zoDhDkU0r5hdRkFX1Yw-KpwX4iL^7_=9&+#2B$dFfZI$p((UfdyR}d+>aV`@Jm{Z+@
zBvvk(O^a;zeESA5hmDfybp0lv@B^1}<b$gKk<ku-V~+SYxCoM#Rt1hw-sJc8w8z^C
zksVA^u?$ZPgqgTTPr`L2ztu%_`1Y&hw5WK!tJ3U6COJ<*D8A3rAj;ww`H7@fDuGWX
z9-?#(YWipIUrpSE<*3Z}4??ZkQEOpABbA2-|8)FRS%D$j=z@x9Lxl*ha$z`ayWj>>
zPsgb5Dl91#!mMmD%Ay*!glsF!&Z9@u`ggeNu3L5d@2BYz6PHpPR0~~|=MGfapSt+E
z@EVFRBbDJm=enh-==z&~s7`2>R{L+=9E{a@wMVY*Y5lMZKmy2!;PS>h2wMMEk9JTb
zAV5v0eZypCr}%=wotuB_|A5#Ya+UF9$u)-Lt%P#Q5Pz+5*sK2EjY;6l59=U959!N$
z%xE&^k_A@g-Zoo>L&+G{+l<RnIr%6zY7Zzp{T7yBtgiC<wXTp>#Z_VE7RhT@(|mpA
zmQTPrg+cHD8B#Ne9LpH5*)R~99LLfG+dThW7S1Zh!@p&hJzd$?F`nBfu-Y?DJZc;#
zL`_91R2&&MC5<KehE@u3hs82VbWSS0LNrX`iT;K&t_Cj@?@ac;3^A4%&K|G!?^V{!
z_#V_et7D9`8KNuyfyy1K?SeMU?u;gDTI;dYRFoxDKYbRRyy{K^(-;L6KDfAD)<({j
zUGvU{?_)5`??K+<CHZG#Lc6dMR2F@d1q6%Rn0H@3^S%d1-|ChAU`L*6twf;2H;bOl
zwd<As=ej#_(c>Rg4iZ=@Vo7jt(+gyhnlRnQ#22T{v#qnoe@Ee1g{R4Wvyo2ct|*|d
za8K-tPX~l4G)Be_4m9?$+2dD~mXg~?*OasE=lu$QdOw@_*{BfVSmdTQT4|TIpwz`y
zAWJ2wtmV=8%=#4jnA_3);eZ%Rq0ri&Q9m!CX`L3&LN(ft3W`h&W~b`~=H2V}11zbT
zmbux{`+ZAc_}m*$e1wlli_FZ3X+D@<h;hOW_6u94w8^eGu`aJAFSP9+xu2jS((Vy>
z^-v~>G()D%Hrq7x&o9R{q@%g+dt!*!Pb+Q6EbxG#_vnA~`*MK*v&Bw+al0UW!W2Om
z{KR+L0X<9HavI4j)em{chB!7~m}_y+LkN-4?9(~|<7IZA2B&%Lj%wO!<@+)_z1kH(
zpPbi?o9MUUuiG$j*!=4i81<2uRbkS%AZ0K4v7{Fw@ysQA@&9qLJ0YLQ$m6mOH=r(^
zqL}ZzD#NAi7~h6C3A`*5%`CYZFFSg^cNfk1V7=O@%B=Ua%St-d)-!$U`f_li=n%OR
zdH2)nyLvRcO+)%V1-OH@7@^}Eg%IlxlpZ^SBuWg0i2n<cJ&D0Q^QAbw3gF5p4NIb&
z4Cxwqc8?;<dCm=QXEH*DP%!r$p*Dbp(7#7b!<FhGY9lmdvviHNm|xw+Jn^32-9nr=
zIoCqw&iJD7zJ*vhBn@LNgBWBk<(*SYKfi6Dv=0#7pQ_YfHb}=@Q<Arb%|?VcoIEBQ
z_`npio0uLvWqM=oPF)&Ggg(5zqR%|q(A@k!7fbj#?}eJ6rq;k~L#&wz8@PB<wzZ>)
zI-0NfH^Ve~ieVB5=Hne&c?ex>$G32=w8kIzH=OPNQKr?i$Bc((1(e5PqN%SkJsMA?
zT2QLe^`Jivl*O}GZ7>yJD;C#QU4ucWSZEw`LlP)N$L!lktLrL9dY86<<*tE0tfyC|
zNIMSNcIw;MO?6U!lwJ$vNBsui%^%i>JRG*xF1%t^=2$(pH>qKROhaC=`g(epQa2PE
z=leL$&k6fl*IVf|&D=X}Dp;O{E^ZW>qi~g^Ll)a6sg^0Rj&&aU?ex0N(-V~5fGlfr
zX2%l$x77s6(Dv--wCi6!{HU1a5h5>`Oc}E7qs{SzN;vzm7;|U4{ZAc=Y5bDr?OMSp
zt*X{n>FB#wwrUG?wGMq1mZjPt0*lzK6!fd=dtV8zs20VNK(RXQfKEUX(jcV4KK65E
zaTxFi%22~Bs;kB;dmIji4x`}(1-IN|(+EtHb)&#jtW&L{I09dnK=sfeXa0-mA5C8w
z>xYY>YwQqst0a&KXOYfin7r`4u=uv%!Q128<YvAW-9j#$d}<j~{-VOa^^aOxwNqaL
zpkPM-QqmeKP+9$Pj6rdUa_7x^&012Q20i*VzvcSe*h6|OT`p;1{qZ8#GMlv6X{Bz-
z57UQ&G-2cv)F<s_`<RRMt;^UO)?IN2`s6-m{mt?C@0{sv|M<>ypuS)n+Bfz}e6TaS
z%!MuO<L9^4_7|G2RgP-;wdUB$x^Xa%Oz&@y-2TmuQG2gtpcPp-u>Bo+<&p3cbTv7W
z_Q)+Qmi@x`VR{DsuNz)$M%sn|L%4*g{&vNpf)N$9-xj%A)*W{bzA;pz{T+*px$RBg
zrarmNkyDJFh7%8yW-4-%vzvFw_*F&*uf5?i$G(@~uQxyuJQx=}=8N`!l#EF4J->}U
z>^BSF>mf-0@tvtK-N?7KhsM2Vb}Kd*DaQ?3bz{^ZeL?z<o4wH_jd&P*L;8g=e;4+F
zdeTKG-p<t#wqNqGC~?~}lizfkJwactJ%W={dX-ndq}AvRddUk{^`R@bYX8SK5edF)
zluM<x{@V|6ckKP^YL3<6ZXL;uA5y3*sNUO@@;yenf+E(o-3BW`QG9(GSuUEMZGMr{
z{8P=b(NEmO>nRGk7U|G>LRv3rM|^G`Z?3>XfO+-?d+*pY2O?5eO|%$a6=>wR#%KU_
zti@MqO8hLd%fjLxX1Oc~G&FQskl}1ms5^Pf(e<mF=3?2|Bsc6%jLA%&lIf4tfhBde
z{c-l4?t-JcfrY$BTFN8qhvQDgz+5+PK;Gr2_Oh>>gyO%^Ep70w)Po`GsETgvwa*>6
zTJ>Ev7|F`tebL*gZHW9@LqHk5hg;$0%e%8{8{B<0p6lgC>4mC^Bh;@3K)NGosn5f{
zUqT0+)ArhQ7nET}-KZ&7+#s(h1kG+4v?fUhOnQg!_0}~-=pueq6|9)IBO)I+;T-N#
zegAOZc~^=?%6n7^Ay-Swl5l;#-apd^7<%dYJ15M$2}z%2{QYQXr6A-ry&W8!Gr0ed
z^@bLK<?EbQ<(@A&<k|cyyYB<feR<}Hke+mW&aZ3UG8fW^CAEJUJ^ruZyFZ*Wv6pb>
z<&X`1lOuG~3v&zJ3yUo}{nb_*-xACChaZ)OWyVai!I^Hms^@YSoe&?llYf6QbOL0v
zD_VQnuYSwia!<m#-wDPETl4*bO_qBFZKJPtJ6(C!f|Y~g!tBP^2eNN3GT_ookH<C5
z_#z{luQx1kwGk4U&$2bLw=t#MPABTL_@CHfXvui9CBwexZ)h*ESY$4Iyu7v~qE=<s
zY5V4V++_b&JmSaQoi1nW*?%Q|WJ`~#X}DC25}Q43-{kv^-$vWu$ik$pYm@h1aSN99
z!AIo_J0st>xb(xLwBXC=Y07ue0g;S9huFb}VH=A`=p+0vwz<}&85@)G5AoOu>{(e^
zmxMp(n;V{j?2@KWgn(21Et2^f4=f*HR&e^Ow9nf3<GaoIvU1lu_sH^uDH6Ft`^vst
z*v@wp<23%1W&bYBZkdn1FxdNUuD;+pyQ;C@Qu<HV#f$nG?OdTF_!cK^d*)g9^}U>4
z=`+LU*R6Uv<YiARlH4cOcOLW*#>8B`Y&CG;eckl$FKsKjvTsmYS)LX4)YBssz2Y|(
zx;ZRwS%!Y6^}XiWjdSeE)|=()1LKoExb&Hozj8HMQPRZjlkCg2fOb?~lQ#GB&z<^b
z2TY0+ZaungGHTlhx08J|jy7YxkC%55bThfMi=lyQH_7k0_Ai%aKDKBu5BGU#ne3F>
z4OR1~iae79FHkCSeLlN#(k7<6fNR_)?_pPTdv}hv?&Pwb``13a`DA0I^$9&x@u~Yg
z-O~5PxeIfW*Y?i*F<^*rCfBFka)(=6=n?P2%-em7@KiYbHT-Dn*_IMh;fIXMQRmhg
z4tIKHVK#n~m9Rbc8hr!W-gk1`T6e|uQWHgS<=z)78?M-6NA|Fa%W*wu0{6wc4m*;p
zDoqQF(j!MV*N$&%J2ZB<<Fo!w^*=owmbD<*IF2s+!|+A3%GL)Ij9yrBqM|)C(fdS+
z-vGMRf@SO?k8A4#%6iRNo3nA?9C_abwhd0XD+&P7{W`_%WNjWjLCLjSjykVuxSh7-
zEkwWBMq0*-%WwR%a^wrumaJ}Wnd09lZll)*EpN_ee>?p|%9Ba9WfSQo{8#i79L;Sb
zTQY;Tc}B~x$MyBo@#ykj4h(8G3zpwe?l#8Wqnx+TMk_kz?9&OkJ5%=`*@HdyZ(D8~
z?VRkMGgBB?a8(%PU9tv<pF>2STw7agIv#d<mUnW;^b66)c^&H>n|c4Hw@z&=)c_T_
z6)T(S=fco+r~Dh4@1`N%qhh<IUre`X$)|_#!>p209~>vAP!lK~zI4o5;A9vwFJUis
z|EQ^DjuYlwN!P4%wgXt#%n-1Ba>tWW?k8K?grgeX6dmXRWzukhZ;R5i%3`vyz|w~)
z0YY*Xi|Fq4bFTiTBaqR#J@9huOAp>O*^M~MY)?!;(!C6(dDQI$=SF!YZ8ko3G2Q#N
z<FHP9l)Jm)<iWQEtI;n%^fhlWa+$TQ<)-tL%<qoR=`IZO_`Qoo>!1lqsbB9%*1@A2
zx93jg&AATdLQHtlpzP3X!Ix9+E?iZ0y<rZNSdsYj$>Bj?9XWcXtvvRS=gm*C&^@eN
zehe6oW0i_36k7{V`TkCjo1>EYGTNn2X<oUtVB6Dc)uRSFN`kkxki0TsUDc*FCz|`X
zd=%Sr^5HWpt%RKmGWYEco#Wt13%|U^YqV_1?Qz1vCw69I@hsd5vUeG$J2@`H=HlhH
zX(4-WEtC(MFm2?br+*Y2`z35W<6d*bGs8WqsD}_|7vqw7eS?7x9bWQF^jy+`z-otp
z2_9BHv+mfZ49dIwAnwK8lcghW`RRw`4$3~_xnxqPuwv2E+}6rDb>`vwo%)4LU0ya5
z2J}_Fds(FyTePO9Pv!+&fBK(wPzrqGHaelSf7ZS}!p<L$^`(2i;=$R7&7bf>q2sr7
zPF?(RYvx7RlNUSp#L01cPeN@Tc2W4zWB01?sj!T1>(!tWqL0Tideowllkvw)ggn#z
z>2t;M!T!fN*VAW-Rfu%FrCko90VZma59b6_S1s#?{H>nD_xC(L<mEf`Q3|f$o7`ly
zQ&*#D9EeCp#<U0XBF%8;s&csK$AGND1cNK)t<7Pz^f0krG^ULm&wADEJ?T3mmv+M~
zQU8fmZ{G|0Ui+uoOfH)-e1*7O&KPqsCeh98>ffWCE+dg=p@D@HPDOMGw9e8#5dX3;
zsOK#QJjNbB7w3NHac#zFUFpS9L`+BBm->u#07WI0*PcJz&>$77F*`rCpC#3#bR>KH
z{P$>ns#f&9WSI4`JJt&#Jfa5;+?;fDFJ=dKpEsV|m4pJ)Pmg|haa(u^>mzIipm1Z`
zgW@B4o+~$24y0ZJpTEw#(zCbT5kY#9w)3}~y(TJ4ougu@bBfxZ`XRZu&ThRo0_%Cp
zwZJt3o)v6B-S6i15PG6I+>^R(tetPk+MC|GyRef@I<Xh4Y=wS^;xs?lib_!12K?Q?
zBDgP=G?u2Q3YHy^n}o;oJf2htpJwscoM?8x2hLDMl)FRH6XRex>v?LhVK-D34}CCL
zN4+up&<I-zoVls!t6d^#b3!gW?_-4VgE+QDa1yg@v+^*+{&?5HP+9m{*X^#jfQ36$
z$8P+pjGIqP=U%@{A0cG!>9Lpo9%m1vNO@n~_(rhF(s2BSmYL`#`{(*zh!F2H9wC{L
zeZ=IV+$!{9R%b>k`ecr4-<?*l$^_3l9>CDCSgMn&>SeXN-Q?jJG#lvjmbN|FrqMWw
z?K8AOJ<kT}zf4+?ITROhjdlc+1?#K5D|y{nyJWbNFZ-&DEdmSa>986>KNw$Sw`OPC
zZuewgWWKOZk$xRr;52CqcQhUNnX852vgP`aPI#dbGUsJ!*7qndE$HTFkITE9-eb*}
zEUmw`#nH=(pfuAkYyV%q4&~=C+b}#)_DoFmrF(PNA$pwr`aU0!Ro6_~H2nLxw*^{6
ztBmN&XN!pMk!l}zcEOmig_BT=$gKGe_TtWH>Tyv9MwC2$8wd87;OFRS5!B1JGI1&6
zPcr=*dYnjEHkfsH+4`^ib<e09yEEHDS;rJu?(Fc5_~fXM4vg6VOEmoMP?sQw@HqUV
zp;=1}>^FSxrCx&iEEJO=3t5GQ+4bmfUww~-N=g$+O!5XyOHO$9-3$MQ>o?gtiZMDW
z+lrfSbE~^xj6%aL)hsD!PkyqGPRLz!f=8Wyrfs}CrurR!XLa(a^@(LK&FN9K+Vtq#
zG|#&0-e-MG(edsz3&bMHt9O}=+55#9R*2c7?m<(#hPRmu7dc@?`8Y3{mBV@myC>M6
z&3CvsUGd4M!vBiBtwS&L#nQqLNV?O!VZr)b@8UzAX9MUxREyf_=`;J^a`@}TZG~4d
z@{{QMHVhTQtWPF95o@a2lA2Rr?@9EZAUF=fqmG#d_Vh!}mv7}n^~K?48`;gS&*7Rw
zFZ^4RkbXR{;4+3DD;BRYtnv-)YahYO9<Ng#*WPcO)HuYqD5)EY8~1_w9#)24W>br%
z)Udi`x^2qV_aVN-zYB$xioJjSloxmDLAUlS7?J637h6(|e&~m8Y{|}feg}gBtVicY
zmkF~|>BLKM4=?d@x`J{Et)q07`(k%M?|O0;byaL##|)>fj%Ec4Y9FEC5RZM$KgIUo
zo3?~z8ZIb9&`<;wu45G{{s((oPwHpH2Z3%kiZb`)^wL38OW-?rhnBoE&K05ScQD@R
zyXY;!qtRgG#U~M{s%ZhKqbXMf;!&?~+Bn~?vwkLOjTVRD&b$_BLftd(r%e$$n_fs9
z6?@UbHdi{3YzA0diF1swzsT3{ao>G>bhPl?BN}hGe)(i!Nm%BHCAVi~($uI7C(?k~
z4==Ns!QOev&m&IXcF+l#;je4xeVO*$k9S<Vx4P-;P$6oJBI;@C%5LJhh~n#;n)mLk
zdCMnEsGWHt|E0?Vul>|wY~E_O=+|6R+>7&V4W-oCVk*}5`+!SxX|2~Tp^br!Xg2YY
z(l3YWo~J%LyT{HyXZ-wBh{V6mEmstW+4O(UKZor%n5jL+_e&!>_c;zPhXk*^>2kLD
zo7K$~xm#0<PsH0=VDQp^wTYsQ&E-7j<TMT{47k-3M)&jfC_<^8*%vLIzi#%5FE62k
z9VcA{&fU=uf1=q4l{g32wm1ireZBR>xhMQs4qn^fI?$|Jh}KIA7-!_$-qTqjjRQ+-
z-m`63zyCsz6;c)+rtce(e%-sdg?H7M&TUH;b}ju(Zoc5o8tEU=wN6BJ-%mKZd8~T~
z&1IAmNAxGfMXa~M@Cl81+Si|^E5Bqk{&>QQ!tPd`eai1~^G_Lj?j-RVG5f1acVla_
z`Ac1M8z~=Yw%*WtR(EwA<;T&&#wu-&wwE*p{2{9Dm_)}{vg0{3h}?G$<&tY7#FC;X
z9`nA{@2D(i#7}(u{4`7mb-gcOK8Ee`i%pLL<BxsY&!OsDz7bx#*O1~#mbw$9VvNnK
z<e`Ze31KKuDt@MmSXSr`JO3*W`RM%d%O?oG?33NXeCSrs^q%{l|3vF!I_3i1@rG{L
z<%Z2WCfj;%k{>Rh&^e%>LH>T}^=ry0-^o!}o1YF3Vt+c5EzKzOI(R`UzRx_iNIVc>
zwptfQLqtpW_>GuDQKRcrpBitQ_O|fFZ7SKuKPFQjdT%!V`P*||)_hca!p*nh#1m}G
zFWmwPY!sK~=IBtZ!zV~={mrhbkFQO^pRwW8+U$)OI?&X?Q+}x`yrq}-q#BFVXMqbB
z1zQU2{J`Ba!J6tzpH`rHG2R``gudOy%T;W^wrZky&(ACknuN=Bb~yDm#?X!ND12CV
z6qj4Ruw<=rav1Z%<gvXj|H^Q6=y2(~VFNC^Cu=iPQJs1GKWf+5+N;4-XXxFOHnDuh
z01UU424J-_QF`^FFB)}GId1l7>pQ&w_^T{{3sj-tq-_yvfbI9pSL@<4cdVLu>?6(N
zU4P<HJv2nDRy(w8NSrYFFrHYNxg{n?IM&eOibP@P<TnwkJw*IB;&BdA8r^AHAoRUT
z-wr0P_#$xBd~7J~?sQ|oTT{NyjJTXM<^7}&;;{VXOpV<gB(drn9k(lSl(^oi`*wWX
zrgGkWu?JBxi%z}MUwOLGZB?(OZ_bA<fb-Yjgn?_R!Jx)m`jHBlV}Ma_CoY|d^6S%l
zO}yZw{5MoL?X=DR1RmfiMFf@BuYjk9aWI2m9>q<}w9#9vKD+66V49`%;)C9Ai)b>Y
z)<~aHxEiI)Ski2TQnfQm9=Q-A2>R1g-lkG}4}>A>rI9&aL4NN)hF76%Qh}(7{}wU=
zn9n-{@bS=APactXImJDT_q8HE_7~fi9|k{f^_+9%d>}tj)s`SBDc-<Q!Gm8Lj)Lla
zv<e=j_zLA4_7FC3Q1seYc>BILjdbWc-!Me4uQ}>|VJHT%8=Ld5t0F#bb=g#Z9DGu+
ze^V|yw1OU;s2E*)XEfDZY7kSvyJ|nk%kK)nB7P?!Rq0>5i`%=}v(>5qr3Df2_6;o{
z+Jh#Jid7K-6_%2wr^)N<&;p4f6$)!yGcxLZZ&NaTn!?kPB0IHmKb%p*D>i;5l}E?6
zJuRg<|8%J}x8g_5&iR)?bN9&q^u!kv{@O<%7^T8KZc)j~WE_b&cfBu|4w>*3>wB$3
zIefI@{MVn(>V8)TRJ(lFvwK6uuK(lXtWo+SK3>6yoaUBU%jcXe<%93Sfa+y9ixj;$
ze3ZA&<oLcmhxLT0t4Xo`cHQreW@r;1sJWf=y0%_~jd11FCdckRa8Qo8w-30b?<EiC
zs1rZoB=~FwI~Zq3{~59W`NRiFL0`!TKA3?)Ab@4JU<Rv3Voxes)d$#%<@}%<RJj8i
zg-VDawId7H>Cq!i<1#b}mJgkJ36bpkSK{2A|6IbEoWrih`<~nUz7T?$ZQVN}2>tDc
zPM1^Y2D>!>^iJBNCbmO3Z`+aVBLda2SDqeGVoRvI82E(_>m3V*EgkK=e_CSZ`vrAx
z<z_S|0}LHOAb*?9iq;-tOA|?;9&JdARlqY;y$mK3YetOI&$fTJns8i{((Dp;c{J|9
z-B6An8TKvRHhi|%yLTElgMFz=K(BU50x=U9c0P07`kM^iC+OtN+rm=E?OSKr+Meo$
z;y-^#N<@YY)l7U2#ZjGk$6_Zhw-oLK7#l`=cq}m#;%=f4L5-F*FL<yIM#H@53IwWB
zehi$!U$&T@eR`;MPHHJCAvV3(e-ShF3E=sAVC4orDmSC%M5TD3|0_>>PdL+sKOZ@1
z2HL<ylI&`-E8?EQ`h+?B)&51rVC&Wr`RJmOJeu1Q8vBRZRpFoMEKl;)@hHe0Yj(ag
zP)P6ZE31sKZ75)1)0mj_xtSNFYulcFbNsq)C+??o3t8)a&%gTX3Z0La7vwsh3dnGF
z*zkDM!?s#t4}?}OO^JxMxTq5{PwdadiTkdlK8~AnG0@cVzQ0gMJA6T1-|(0~3w!4v
zJ%(;fXxE<y6YhRtiA$Gnxp?<BmJ@yP<G&gkR#dV!GiYmK%!|HRF(;L{=BIr>%ed^x
z(R0In^6R(l6*L9z5<X(U6HQ&IJHSSpeJ82>(}zjD1&?ut5$)88&=&0O@Ez`0E)7~*
zjP&d-UNLn;hgWzd9dpSodtaO+@Xz@8kd&{tW>Q0tx^=*q_TABba!lNjVJ7trxT>-R
zebO(U*idPGdIW28Mx-8m67evoffyJuJ#t*7ffQ<w+!cZ24Ug%i7hkEUZP->^naCjb
ziZHv}+T>^%=p(xbhyx^t9m%gG&q|mM%12P0w@1bZqQ}e#dX$$;04y)ZInMzg+%Iel
zHTuM|wmxV$Z1z7-mH9XARPMoq!)d!6F+GpQUMt<5?Vmr6-sr^r`c?fuLg7xM@ukc6
z^%Rao4=gSpzQ2#qb8yAoOM}U<u>T4#5B&%GymV`8u2otY1klG}Q}BeZfQJOUN2up5
z$FLU73MwAsX~tchIsRDyg$_?XoEZ0Z$P7(OKa45h!Y^+#SU2QF(1K(^APyn-Y@*zg
z07u(M5%f&^d0bgw?H$)S_Jnr@4neH5FwV|acZW9(L!^twcs;t#F#u4lDPdZU5wLB<
zFq@z*Z-*}?Fn}p(e#Qihz75B}%*(!WviwszmkI0m(rH1~<tG>zp1vJ0#IdnoZWyLh
zE-{&i7mvD1AnqfeR_2dKDU8hBe_RYb6x%_F8bNTqTXNesG;XZ1J^R%9q2sEzGDkXN
zyd!;md`P4n4x5hWhPpvK-Sydb_>m=IX#s|4`3|lH4lr<THm#YUhrB7mo|c3)b0<I-
ze;`OW;`BR>gTnV=%Hee}8eqf0+)@*2Vbf=_tLA5<ykGzLX6hup-jlT`2kTRd^~2|_
ze2Y*C+TLs4OQ7+qhvD+%LYK_1ld0#P=j|8~zWX_5TiY`-+e0mnW$RNT2Q)5B5a<EN
z!<(6McZ6`qArhe2!bOb$aLuk>9%QG3v4G5eM~mh1Bpe=fD;32jp4jOetQ+=VA5?`>
zInB^AYrT((e=zBO@{6k8!Y~|;BlT<wF)#8kCUAQ}2C5$i^p&<LF;4hdSmLrWCoEO9
z-y#CJ^Y4pq{A20<ZW@JtHZ4<T`Q@iyT*UOW<e*r=VUuxj;{425JpOtTX(Gqs-1EmA
z(h{=!tN$d@AbEkV-A9K_@Y(tU2yqAV2#a%J_I;Z^i+`O(%#(ys#8@Me*;Q1Ku)`4l
z((fX}+63EW{#EbTmJOSyBfWSD_N^$uATQVsSL45?Y=iHGKq?{Fobj4CtFi=~O|&%I
zWxvj%IqI=GY&+e&@kJ5pv`7LZV&2WWmEJ=_An@6m?HW(g0}ZMxD_&@1Xe`Uu6@FZL
zpw4juds?s>ZHDh3-B0M^-zvERW)q{w+FLMg42mEF;I*=?(nLMaf~_DTb%cyKQP9iK
z`xa(c^t~2>SCU*y+#QDM<C~@Jh=4DC$iGPNx;BE1qUHUT?sw@<kMt}ff0~GDNSQW5
z5vb%nM_!W1;!U{|ZP~8$Q>@~^M%Wh91P!)@Bfu+gDH|>rOV!;~mzWnDaA@gcS(=PG
z=C|bcE~9|{F<6LUcEhIK%gOuz*9L;mUbAzh<&9y(A5{|Xh!a>|qN-&jUQ7GvhmN|N
z+~Ymp5~6-dX`5)4-{>M=ck@$B#_%X{@<QBA#U+;oEff3e39bg6-ZFidHZZ6%e}g$r
zrD21;@$_Q2brN{}BV*XLrAM9=>v9|&G_4Xu9u&^R(e*CA1vvGsLxEw6ySD_0Mg7UW
z-<lI=fyJzv7>Tn|=D)-exhXX9H@k8>HQN3npCB%<?I*;HRDO2n4&>Dh6EBzSHb$ob
z8*J>Xn#Vvr359z<^J{l1xEa>MI;qI_!KQgm4A2u5cX3p=HDGnO*^J5JNMX8sa#_{*
z4Uh4Vm5fLrv}Xfj2<Q?xkcm|QYD@iIjFnc7^J&{X79H57$_+2)Om_!e0;TJtfw{Mu
z`><+V@w>s^IoB-aCiWJLf#gSQJv|n;=vR;g)MvAb*g>Rs*4eQS%Kfm8)Lm3$3od*+
zNdS_5JDT}bNuF#TL_aFc1UL<&{)vj>$*`HX<bI^g6NBV2=@)^`tW8ec7VWYii@;UD
zw5+|P@#`+k*s*XD%FjQ%=wm4CEKJX^Z{Hnm;>YIp9e>v)Ud1*|PhxvGpXwzXtb1-Y
zslmzjVhiJe9Sh~HE0GU~UAKH+a3-+;XP_FYnd4YL$T!~rRhY%a%^1*6Hwu^TPU2P?
z3MV>=%`Ja434CW%tu5Cg=j5%ipkkBS-t}`c7@x#g9o*^w#-1vHvGjhMiNAyAY@W_E
zKMxNSOJ9HL?&tAV$cTsXI~I!`F9V1p?>F1$0-79r)l+0&?mae|(1yp^0psxml{Lko
z=W7GqS1WKfb>M}~Yx9$AL7QD6u!<#~mGaL#Z&T4n$H;M3z5sqkd(zP~{N+|G2yZ}}
zpSs^m@NelUQ0p-I;Vo~6jhL2#d0}>@bm;6!jUO85;DP8XeMdktJ<smV_HV*kbo^9F
z<0Z(;ajw6vOPs@BKkeI&!j*lN?}@_#&~H$KH$YA*J~U=EZUzTuiz%0#qY2Z$pK|}F
zY`8>#MxD0WwRLk)6WmvsN=4FHG!M#bI9j$(XFBtQhAhlg#zYJVb|CkOfKvo7^PaPL
zpl^9#Y8@NqQ~AkSvY9W@J~F=7Ohqq0N8jHs_Z2s=bIs?$g;|h{PA2=8lsMV<KG$%E
zw)C6hKwlNw1I`7}PyfCpb45j%O>u5C=Tw2eyJz#!(4_>oFGhob(v1!3iN}HhLpV}Y
z9y>rJd~;q0tyODJ@!%T$g!q>43kUm$#aFCF|FSuncv^6|VdL5U{lhPATUb#4_Q;Em
z%;e|R{(h806@!s?ocmfPXY@zZ$1jci903m)(*|qmHe7<?01rjWE*FDf^tQw1#PE$G
z!)XlgC#wgugT4wM5npPP{18NilTqLrvo6-+%D$u7wbuZb6g%sH`ZOq7^A|T3zeJaj
z4SbtZs=5Nin%#088;6Jt4;<4OMO#gh{d3pQ@k_Jku0EW+UzEImc)8s}$9l*9V{|9$
z`g+{%@A1g4t&NkWcQbx2!7qJAElv3{mJ`eAKA3~@))V||Ehw2Sc!UHSqFPv(@vetd
zH}E>5cB;hfK}B$UPPYyqkFmq&?U8L8Fy^z%*^JdLADBC)Jv@=PdhAXlp)Gm|%7Pj)
z+b;WDXv$SHW@1@}TmGb>4e6<3Ohw^?PXOtX{YHn|(!wcm%*(Yit*$4&SP_$nT(JHY
zu|$gXvo>%9>6e#`GHmUi%Wz24khH}16TZQ)B5FOU2W;!^4bqPaZGBVAPc`w2F@$B+
zsQ9na+dPw2<IDSDEFjyUM^XJkB!rCs$i6sEIVkoKBg>){O_kNAfR}l7cbJkO@3|23
zmg94p*`I=MRuu^JMzF;T?jLL30d!$?3~A`gi$K;Ma&Srs!O?>$AxM9&vSfgk5}z1)
z2|!ee8_>O@dMIU7SbOQiI4$I!d4oyT28PoS7Y`lJP9;8;RTUlxcr5+<S3+1Kz(%kS
zPB2dJ0;ZS(rcq1I!fXbU0no!H!>K#;gb>0fG(_Cb;zV@KxBT<_bUy$bp~pzD@1TMh
z6VwCd&iHmf+8j0mp2?uFC6`3jK`N2)e)-}vsdUC&6CphYSF+m+iV)Q!L{DO529AGv
z__3?x&?Iq7ZV{x$DYf?|)!2YuDDXwraX)DpfE5zX2@eb_f0v$U27l5TWS1<Wv9Alp
z5gJZ2=R&L;`ZWB)F&|(c?%&iQISq6VLt{)Y@`~;@-5D(kW;C8iPaq;oIzZI>dn6dI
zd&hIsTF+5T-a@sHI$TE&)QI7a&SU?fu12j4uU7QalYVqxF<4?Au_jpK0v3ZN+o5U$
z!lL+;19=23TI-4jHk<6Vo#z)yPlnp-FrS3&uTme)Z(7qy38Z!klNZG)1^iHC#!qbm
zbE2hm%g1x8Q<<F*;i*c+j;MQ)X1g>p{pBSj5|WIC9jVfPjIbAW4SWb$#dAjNqy09!
zq!chgZM>xOQ5XFv<qGT<B9_HiU`)^>r*W-uXui|s_>r8*dR3gm7T3MrOU_)}Xn=~D
z4SQ$4{Pi7+MFo`-cV|pfIXi)sG=OPwG^fY-R7JydlMlT_Vb91G49leL()XNB$T4Y~
zVN630nQ2h7CFbF={`sKsPE#*|_{|^nMi=wntc$VTu7<=612=qtsP&>j2<tGQvSJ{F
z=g)5RRTBmRag0=wb(Xgc@XNpal*wgC{l-;<ok0`VX^iJkv1x1Kcd^q<)%Ox+BC8mH
z2m+qKGx+f?$^Wi!O`{Q{@mISD;))UN#WCIa+m^kzoFB6e+;<a6`}7xNowV_w_TWT*
z3YY<oeFawGzfF@fOtwO<;WRzFC+7twj;QM24j7;LW5`(dWFf(~YH;{xb&kRpaiC&h
zl-AuPJC%>iXZXKmK8p)CKHfny$Np?ww+b8v<G3&;r_u7hA@iz|<hwI$<d^Q+)s#Kn
z<|p70o=J!VcpWPauk6pc?V#OhTr$Rs(OWa+5~p*7*-eXcYiX9vrwUN08G2#<#C!RD
z*J^50JTG3Jo88*oJ9~~&42D5Cjl@YTmpM*HZAixL^f$iuW}vHeplfwTb5uOFtS8k6
zQ8V28HHP^bym}6L{fQlu#ImUi(O9`UmX3Gn{OshBWNd&Cz=Y#{$#b!`Mwf!#OwW14
zW|Dkc9iydIZ+rawdi1Oz`iznq0VW|IDTa6(s{dq0sQakRgRJlNVjZ(6*P*Jo8dKPR
z93^BoZ_lM|*_?hrT^R4J@t5`s*{l<U#k0?iqgEQnaRw}}{EbmUG1}Iu-1QDAD<>rv
zI);f?rEK(e6LN{xGwSp|jxzot)J3&h64^w#c8PRB%C{k@CWjVxH|O`qbU>P6sgHCR
z?$)&8%_OkvNg#2szTT5#e`*&AtoW=4WZ=TvrVB|gx@zL6sGgWehBZ`rkXAzLVvO;@
zYE-&aq|KYy3-+v^FpnN}OA7>HQP=|c-<)e6EkuzeRhF~EE_(#ILyjf6;d0j`FnkL}
z)Ra8ly=QeJO;`qXRO7=?QbU%sqGe>VA4b%mJlD;VDF-Yae@6rYqI?o8IP>Lo8(F3Z
zensh1K}@($#0g!2O)jx}`#~2wO{e$?_=1>M@)j>Y`0~D^Mc_h1C(9<Z5kX(&C+T2b
zz0J?VA5zuOBUMj4e^0F36^Dpfdm>v^Q>+{^eY`_u9LJ<6OZWfDCcUz^(N0Vm-Y3OO
zN(7xOq#!weqLiU<t_Cz0mxgcf0;B;b)s4iC)>^o(dox0Moe|PZv`|oUa@6h^hC%js
zlS=K@tOzt&c&^+4ATFU%1(z@1eWBC=J138P)XjSnaTU{Y#L5SpE1Ajh5K*l}90-)Z
z+RjeJan!Uh*-&+-wr8#~36&kz;;u1?uyYuCX^UseBQXldDR7M?+3UMz?bQ*uZ8ez(
z{_vbMJyH5%0#$^?&0fGVX`I0(7m#$bUR{;e$=dC5YS@UCtEAdaKh35Rd@O>N5}+JF
z45?+QIrf?aUDk-R@tX)`m^{{l_6KWzZ8p^B!1outNR{n!I912(3eYH3--K+)#BgB?
z{b?leWhY`%M~q);r{idtXo-;wz6oOEildzEpq*0V9WsyR1uo&^8F#)jzuAP1Ul{XL
zM9gF~TI<}FD@QcY7l|ZjJ{@6P;4H8{HavEf5r>yin}zDQBP;tewkyqF*57h-sDkcr
zZ8l@$3QDdqNp*R*&u+8hAgKnsz^K<I>?$CyUb@f4M%#9JUp5gA+}4Kt1*z%3DE9dY
z&dRnwU)i0{Z<^|17z**Y`#>&*Ya0c*IfS&RO#xqNI}zpi9Q$b1jh?#^k~_xod6AiL
z^vQbar{#Ot^upO;)dX$U9!+WK7;bmCQ-Xb_uwa}U?glap0J0?Zz+LL8?KRL}|4y$q
z_B7?cN+dNFdheDT&P)lbpLAkAYJH$A$Y$_?Tm4b{G%@q`c4A&&PEiXvT1%!F_-tZR
z`$wgf#*3UEo|85}oV+oxRQeB?Gz=Ym_9;44K2Bxar3_LAEZi(o*3~<DrDBEsg4i2y
z?`VUMhrqjaLIZ{wByak1;b#&{b$<QZxna8LWv};=ARY9Ekq4X5Ml~KMy4PJvgGA2|
z?KvH`8uOS2tkZzvJ2Db+d|T|=Sw$$d@DEq%31<K*OMqY7C>%a-`t$$sz7-n%Il-Px
zZ#BjkV|upcB(|XjV@|ujMc2eV<qBt2NAV4ew8271jrY&3&q1)LmH}L=;<E4yv;S$F
zb;Yb+GR2P$k9pskvT7g4AxZll%ScX6@+-BFQD8B229mYB<ENc{0}zy;L0OZ8bn90?
zYTOITp02m~3(2%Xi<yI_se*0KK8KGyaq<mrHW0ob^?ZTuj)>OoqG-KNe;)V}THaTa
zD(5&PY6kgfKs-HbOxEGJo-e1_>tUp)amj@DDs7Kej_U5QaCSi>l*P?`7(s1SuJ_XX
z`gb`j`zmsr{e|vcWQ+ng7av`1TRbMYBm@6R@A$U8s~*<vzliL&sop@xBl}Ehnge6P
zF{er^_4fXpytlgnc@mRReD7+<XDyV>GZVQ)EL4)ESkQSUO&<Qu=UPMYq1Xi9#yt-w
zF#Jg%Zdm_p60j+;do2tt5IM-GAlv_!HBo78D6`Ie4c8Cd{;L{^w{Y_~6IKp>xS{8!
z)csqbf_bv^_1Iga5Bz%1l_{jGgZ-0l%R5xQ7cKH<<jbMqp9L%RDWW)J<`){TT>BR?
z<=9U~1Y=^Ry7v=oH<&M<)@O0a&b?r0>`9Bx;1mP!DrEjxYvS<;U5}LnF)++VT|mob
zCOt`qEyis&uV;?@VGk24TgY<_%SBQP($p4}BWQI%*Bf1YFSPJRIvrrV+E2*Dfl2il
zomKWI7e^VDFr*m-mP?O*^-ZxnwIt)KW;f|Cqj`rf%%odQ!hHBDvA3g9SWloT_edr-
zzG|Xb!C6@T#)$PSFi^2CpRQ!qil8yq8FKrD_tf8}Lv5{njlOBjUqR97+?W^N|3K2P
ztI_?Lv)n1~XzB$tV;kXwqvmZnt8q<wmi!Ze_{SrIjRY&W?58!rwR08%r4vRmJ6p-d
zvfA(n8Le$p5}92MAk0D&Oa(jX$ZZz%ald$z2p;HT=Lh9jJegD1AHP%myU4tzegq0j
z#G;~;0gvp6noCcQV-q%m7R%#sS6!IR=AO~c#AXkez>5;X&xpfM#VOHY_ck*B0L$2t
zBp*5eN=!*CdbL<$|2Vp{HloT-)LC@aA^);i+1JwzebaHfnf;fMHWHlKW;tTG*`~fq
zUBv3D4;J|6Qajo<u{WIlh;xX3#O)-x6N#M(1HQB@`lhs>(33S(cC^aIu|Z{Ik*mKW
zyj+UEYJN1H0&|R2a-mA#gz|G><NY=YFiz*Dh!g@bk0PhkA}>_HTB{4sqB>!(`J&F0
zIyI(XB!XuZHKbFk7|hNaNjxrnv*t0yv4omIj8wER<FeYnqJ9@*)sL4$RoikM*uO+h
zAgQN?*aYrcdVm#QU>Wf4v-@^SQ@?*!ri%yfF?6jQFempkhV?7i3oyA+P7;pgaw230
z&b@_tdLl*umL+zi(&C0;;hmfLFSwS9lie6Efp`Hlz2lNmK|AZ9qkl(jbz?UT5csA;
z7!d>Mz5PVv579JY-{ZTzw6&V#A^uOvL>X6Wxx=~)!s@k^wtn91$L%sEZ^hB~L~9$b
z(A5K{U1_;VgVXBmyg6i|`y5`LLtEb)OlmcS2)%E6Jc3AOP=ZFRf+c9kC??1?c&%u?
zk6;~jIUrjxekDsU-puCqj@n*!6us=}_(!v(B%T}5-X|&e`}i3Z9Qs9$*lK<vbc}*N
zsd7UrETX}Tnk6a3!IYZ3*dG!krKepQBuK=1PSfq8&sOpZSp&XHd>3*T<UKUgl0p6m
zD@LiY5n;znz1Mn4kb_M@@>@+DXvs@bBoVyG$=ky~h;vFL`wRos`IkZ?5sVE+5GK)i
zlpu+w-jkXuh)R9P)<<R<IK(fAt4!uN)W0il0qaSWS;G(kC|j44!KZJ~?*C@A`{U(x
zD@8|8IGz~p%k}5hcU-W>eP&4rM;boTz5&1f^n|VwWaHLqDo%{s0f95vt&>-*ug6<h
z+ESlRb-Lpqf4$^MYb<s!K{`ibIM6&3bS2;Z9BI%x{d#J|!z^5j#@zb-C@~!_^+_cK
z%5-J?kFWyC80^p8?DooTt%u7LN9nZL84@@6r6qZ@!Nv`co`3GjQO9b~{`GlH<yU0!
z&<XpVF(~_Be`)|nz)FU-Q0S{nnIuo!`)b-KmTlg9`XlGfWCu94Z1{tH2mRLA!Lt`S
znVnm0PsPBo(<`wykDUulw&mGknT&3pSb3oF!EY*EbUL+ONn>ErXgkZ6_BM<-&*<*k
z6ZgbUwc$c6GI63pli3o(W|nM)9Q*C`T^zzpe1?(iVEMp-5PT{PTeM(eG{i;U7wGZa
z_RrxHV{!(J(cM+KV!1vdur)#mXqx)dx6Wys55W5V9x{G9hi(n&d+U2?qM#{A3IU&*
z`{rzyDE-<z1VQqljvbnyJ`H<hAh(jC=JfOr!kwu84m2UlTmpa(MR2Pk^VjqjL@SI@
zb^x<fTir|>W&xz46R~Uew2v^mdh(_#G#siWLdd2?pc^q|;u!P^&?SOn7_t`<fuc&}
z1Di<BeG?^*OpyHNb=EpD<c?Xu5<Ul^B@``82$6G*{O~5n<z5TbFbk#ASGE~Fk~Cpz
zJI}zzY0u_11`)&}WFJ+toEyp@IoRDvCU#=Wpz;%~wsu6_9KSK+eMs<#oYnL>i577L
z?WQ3IBo1nRds^M~^d<j`{m;$Aedj~WO?I-(g64))8A}d+R+2s`SpF8=dAM$4t~6MP
zpWpTwbzk;Fz_28%I+22NwFo_1q>j@2?$}+}XsQTqv|@{&63#0^xIo>_7Fpk31G~RM
z3R;NLClW&1>TJZPFcJcc8)3Hxy%j0F*zPLX^op_vNiQ=!9gnmJIT&HmEvh&WJxg9-
z`!DX^$`rH^RFeX&h)sHkG4A|Tw97%is<o({B8h@b4x>fB=X#;`-YE$eIW1C_xfrX2
zD=nnAe5FKZY8lDodc{w~v%$sda61zHcL{xBrYGzN`=7(65(Ef<wlqZIj&w9i2f^ke
zn6*OI5PSnN0`g|ygyL>?s>XEkoTd9`nKCO(Sa`)a_5T@uf@cg|YV@?;{%&tz_TPrt
z5vl~k)Pun4;y??qwWR?ds8b~SCVv{qZVfKWlHJ-8^)tB(;l|7@rgIXz(Xdn7I18v+
z$UHFz-K*kHvI@j*_1>PX*kpsD>*qGkt*nMuWKDY7z5YH@Esz8eT)hGTl`Q<%+blae
ze7ON+Zs%%7AFK&>YR?c;bu0YLyA|J%Y&(O>OFhqiTTut20pQTE?Bx<aNhwjhoha9J
zXO(_h`1_j6<P<^ti9Zv;ENKv#tbOEBGIP$E=NNq7ZQcN5?YD$T!d>lu4B=xxu=qZ!
z|I7d$3h*wB*$zMA>G@<qt8bm)Z*}6q20dYC@E+L$P<hDnGuByO)Ltl!JFk5&l6*)U
zau1Vv1K$boB+!A5niUe;xIyPN#H&or|C;G<gUVrY&!1CFZ@7&agV7`n1x!*!-~H%#
zy<+D>Yg^U_yr1)qD1C?^M?bFDf&cnvv&U|Nk*!`A#nT%s{(lq}Kb<4n1V1-zW#a{M
z?LT(_B>U&LV&xmS+yTB|9iFkw^olfq>coCX9y`Vd9g~L6qlyq~Loe8@ihO^*TcbA5
zEm%dB;qONUFjLX4+W&uoCogvnCEPgE-=^j<9v0}Ev~C^)2C^S3EI6+{^;s0bN!s3j
z;UYDfJf~(#0V7hN<0+Z7l6l{WImku}_U~z%I56rwO90pYnwUwv`G<5@+huynK>{EV
zPJE~iqksU6J>dC2REJF{82aL;<!>Dak^O~4*yjNP>4hrhRAO2O)#ZxM$$16l+vF32
z1%d{WS+mf5L>+QEr5Fddr)8u|ZNTw^G%89>SKNq4a5hScjpLMn6)A7C@8}3^GF4xT
zM5ig;$%;XeuSkD&wmPl1MlT!iE>BPyeWIj56ccK+LJFTZItt9RUtdQti*py5ZJ_+m
zDpRI7RhEYA3NsXxGfjV5#=qMuYBfFW3CSSk-jYntb~U#-4?&c$6vF9S?&hozS5mg$
z<DYbd5Gi|8XXr^{@O+01@}YOnc^Dk<K_awKpC=&)+K&K5R;G_X{=EPP3Z6B>`tu{v
zFhAKr6vm;FSe-|9Ojk<<5t252$<jkI3jjNTkh=f5FS<?cf^5Vc;uD^}JA178R5Anb
zaW3)dbC~PkC&!T~FPx7OlGi5BEMt~aT!kJPP<HYdrp0YGYSvU9#^8G1Hk+Esf>5|&
z`@)QUgNk@^2^qp9y6v9^<M<ASlWo7K7RD|mOG<(Vq&9%NUvXP%a-Uh1TLW-^5St5j
zMy1p?17;v~ro)2)M(r--S4X=8GJei+>N9jhK2iu0OJO2)vr0P9tA<sRw`lQ?YF@8Q
z>*$CnA*(UT#0k73+|Al}E&fW|FR2W_L~)47FoF$L3Ad!8L?xD#BECJbSdS6&8;T>4
zv!uD0lE1=?mTywzK!iV;T`}U5G>twRkk1Zl0*ol)gd8TwV84SZ8;LC#HpnLfXpqm@
z!kZ{D0bTDUc!Ej()9OcTb=qE?AI{LSeiHrF_($-~NBn&6?e^xALP5-2`Qo<w_{tWR
z>*VC;Q*_l?F1Ot%K;$H0`~iRWuxf~CVfN?D^`qbBJ*%sG%}HEqC{!i=SdwRwttUy_
z;g7)VPxP}UJS&I4bH7|2ZGsd{VTgyZ*;JPt?$h)OjdoJH^|yG@SIRZ$c^c;UTHg0y
zF2vhQ>b{owH{Rl*B;>0@0WZCv82}quR4VLM>JQMibD9b+?!kA^X@YXH;12i+7hA}4
zWM|M<oAGpn*+4Q}v&aKhzL##bvX4sMCfOESj$}Vzb)0<`Cg8sCQR-?Wm%gI^kXF*k
z;>1C8$Z*gakgS3=sX>_0ekE{OJ|^MHI6IdoF&@cp_(iD%l@L|$VzV7&?sN^qoK{u4
zQ#_7@Jz?iDd$Ef9qQP8ZOz<{IC+o2B+F<#*I!3tag3Kdi>ub6y72lWxqb%D7nu4jL
zG)+afX!{&8XVR^IEeo$`gm=-f3HgI{qSk0hRCVpoA|5;{R%TaVjj5RdXX@E4lN`4+
zXL=Nvk`O>*{=+MWn4ehWfn<+wUo#iPIAPb3h;~>YEy$oWH41pBEaRMYm;9X-m!>#F
zNJwT$ffSWGgB--*vHnTUBJwsmS^h58IveqrF`E>*8Gx`+a}kE7=o3o2ux0m^)%DbH
zO0HXM*mwVQK!zJ~K)?>8j1wMMwU1ubTQ~jI`qi*38P<hYk)l_aHMtil*-VQ5JKTb{
zwuA|Gdx?@HPI~?z+BUfRF;~a+gBYRVwKGU~a>BMBJt3kLmhPXylCEAsC(32iHDjMy
zY9T7vq%aD@EO<=T(XdvUH(MVk`myFx$-+{3d)@O(|JpQ7kbg!Fjlq^LhHr3UV77OT
znkmpO$&g6086wRBw<wZ+qSbha8Tej+2S!07<xWw|6Ng0@mT4kc6iJRq+We0ubKIDj
zrS@^L|FMF*M37Zchex^Ou@otRE6%bWU<mMXDE|^oc50Z>7M&a!v4<ikR{|KL@|<Fd
zpk~EkvdYR^Wl{w---EaW|7$Y^mJTE)DxhdD&AyXK_GX~?@#B0|^@`kwK~l^OWeUno
zRBUe4Qa?1l2t^o1pc1(T8N@DmGwcd{P<<3`UIeNODO+kl{0iX1W<)f2=ua5ztwT;;
zWKD-Xhu06HvPH_-Fs8@}HmR{9Gb=VBRP@3~y~C5}l?Fl3>NBIj`egSXb>Z?|CK~^U
zwgg2d2SPt39*?gR?Qz!uj~+Y`!|~{IAF-I78JWxx^`lbmHjw^3`+@hSuflh8yS?gB
zO6#3|o3;7@^<x=n8l%!Q6Q#B$9x)8zF)c16+hk@og|{WYv2YV+CCcPEeJOSY{zl*$
z5JoUJTbUII8k~gPD8{_5DbUDP!2R%|>puJouZmgr^~cX3a(m!F<n-=3yYcz#CIQfm
zz2BC1?B?i9?l;Mtr2|vO{0<8MDt+6_YT82e0&}3rt7b_&1mOqR^~D2pxf1nD{Se<F
zf#b<n3eS6oMK~#@!D{@jW)+1(*ly4pP^64%Q29HSxi@xJS{aE1D8OX>@F6Wm$v${z
z?5u2WmS2BY2mv*ao%fF!ei_rJ!#$y^APp2_vStGV^s%EIq(ujlGq79Wb1Wt-cGm6!
zJyG}ZfrMtsrJbP&+?mAOje1T?CSx9&^^>zEPwPUM*=z)T3>=7HYb$jNA#Rnk|6<&|
zm94pBhtCI@6Qr{(gSy{+acAS%O_2Wa5Qu<3z&R<!2eBBidlY<T*&#=ZaS=sFN95t{
z`IHk&Z?KU(F^i~u4tP&=yW^osl=e2AOztGdAx2Zxm>{;>+X-hVFE@M0y<1s3<XNC)
zm>S0_T4xJZ=0D92ZsMcc0~;UoeUykaS4x>z#sFW*c8IYzzh{J$tW`yxlZ)DeUhYUM
z;j`kR3BA%I&qxx;pE58sq5w<ghlijgmVX4PHDeN__ge&?lCqVCb64}w2GK%>xu*pj
zB~L~lyN^%~>`%YEH-TLADE47Lws66UJoEkL>u@C|xzs*7Z#2eyD(JzE{j`jT2eyw?
zqz14E31hw;6JZN+CTd9+%<+EWvvQ+{Yx>aOLT2yqS5NO1rLinbRc5pt2eoMg=uy^3
zx=4MXdJB|7m?|@0JQf%V?~=?5yhsQhoR$*U&&S3IephaF-$JY5Aqx$4Sa;1z-ogwO
zNW)^6T8BAdz^P6)Ib>PFA}&rnMywO-JAS?Gya?(&`L|>HUf3qu<RE^kZvCQ+5ljYS
zLdD<tty_=Oz|%44%N?V}Z<G0cb{*kUWKtwcrj51RtUY3Yg!5PQBvQ-@e`_&TP-EEF
z>gV;w`R0F?^GzX9Mzth0=n}CHBbH-nF^m_DE?%?|Vxt)9_F2jWrB4ue!t!hok3dlq
z4DGY7OM#gIDoindLi!;ViRv6%!y1Qc;lwM7d6)KGa0uyOyP!^|Bl;PPi^z_g#^vS>
zWLb#WHh1=6mKz7vBQBU=jmyhGH%zb}>{?72k;KoXoK=hcXJGWT(Njs4<tB5Qc^Dlt
zd*a|BA+o~+M~ng_+ZoVISY8AoDp(i=*ba0!nfu@==Wf;-Sf|_+0<}pnP?J=BQi?-J
zyAHo@I`Je~9Gf|gC5L0oXSN3IiB&LD6wSsyjH0L6kIAoev;vMgTIcbtexB+h_5tE}
zf?I8>*M1ZlQC$R6V`~I^#|Fv84IR^0=aygNjxbu{#tD$=<p<x$Kz<U$^BRLvWOOUK
zzj5jZn)upI{jU05FcDc`3CnolslaK#1K)-liR)RPC6n|lwcq>!1|EJJeJ||I?r_bM
zIo=wg3|ubwDLz<E_Ito(V~cKms|U$t%dZ1uSK@OKok|n;5sJKClMk=HWHcdP2uT`b
z_A`^Zb6y02xnu{4j7wfD<9Q7<bg_>UV_B6P3534DByyJr^YRq(e_Z@&&ijZP1O(um
zwoJ)bf<~hN7%5X3Iu3gE7<1kx9B{xSJp3r@GTU$7mCL+dwywM8>3YNj498c8ITLHd
zKJDwV%p3$>B6Q{6@eX0R*ObGV8L1vtNMa)5lq6}8`kI*=m{TW6Jgm(D>`(;5PdjG#
z**Qxs>Z)1*wK0YUbnG&W8E`U*CdrgoWOOonJ~A}{r3KQT9%N60T85lyx*k4q7ZhcN
z8I>Z~ufczwd(-tuZw)|&o@|BT|N5liG|g~i7{=Yc>`A7zVy<|3#KRN}pb+m$J1dgD
z!F3V+B)Z5VCi+4R4G?Lv?isDk&j9H;gUITnKK&nyj+(7^JT_{n{?NPkb9=xLGh)(r
zCO$&g35S=Hk2d-|-mHVFkIg^yCPr*@ig!my=fT}MMa_eQ>+3w{>Ifv$le}0o-N9K5
zXa*~pC9{j#cum5cRtNB1AzRHhvE0FTDQ1SIA0Jq-bmD*snt{Gr$#|-~2Z|mKz5x|X
z^Ln_2_46Gv{;!^UV!?5f#*v(3ujQ5D#|Hm!p@T8_M#}b|BV`l82u@0YRWCMO(Joh`
zJtP!;V-k4@Pj&5HU2OsOj)(u32gc+S7$E%3d>}1ngz|z3v?H8{^3H@E9b+t!p?arL
z3iD{}uxA;n!|c^Dn}ncJG98KMB+Qr7pr#}~#1?pJZ?M=THc_A|5A+?f89nsq9*ir&
z63=Dl%io1N6vC7_nUz1Yh`~hhsK<H89gZ+svPK(yE`-02iwL9HDLfuwq{8j$G1gX_
zXAymq&@VX5i>zD}g{o<@TwRQmN+L+`Iu;QuDjwBR)h1CJ7&#$(+?#k($~%5_Jn0V^
z%Bd0#KKQ*O*!HjqLNnpKSA2ubf(tS!!ycSyP^Riw7=*Q+s>w|8eX?6py4YwdTtRmJ
z_;^EQVoUYP+tsO+jL`<u;WWQ);5)A<_vTE5qI1XECp&F~Z!31?hy%Ut+YeAUQQOY4
zz?_x0F}JsQG0C8@Ap4k@wgn&>wX>rNlQqaFx!$pm8>AxeqjRdI<J*{P*$+wHHP)Vw
z4~Y3XXQd%?0r&nw(|vgI2sBpk<Ja~0nRw#YO#G{E1CwM(<HehkbKWPXaJ!SfRTj&l
zSAs=YtlvNDOH8?tzEe}5y@O(HTrIh`KJ$c8ie#f2xp6K9c{Ze!EyzlrRpAdEZh#f+
zXMyyI<hJHtZ$~e6uVdlt@#Mqc%3>6J7nM|Q1eMyNq!g+2vF-!vw<KO9qI1zQvGTzi
zYerLQG*Qey6E*Dt7mJ(L&T={g@9k=SWV$D(r!Z{Jn&Gi+&C8o_z+}ccd+tXN<$GK@
z8B|}!kj>t}4t8f9$$o52(<`sq6o}(ugWAUa@{)+Xo#o-XIM)iHesFi^d4-}E3e^B{
zj4r#1JX*;b#tLLZ<_W?hA;nBeBFw@{V6Tcn2h=%j@^}05NLA&(qPRsCGblN~kS2|t
zg<{dcCS_cFN1`+s+{JG!be?W@KS1f%2_{Bb+Sgn8P>n*&DgKaI&mw*CU@lV(z~GrT
zh*DooSpXEw(cwu$v8$4~@EJb2S80d2<rxAxlu|cQea`-dX<8+JU)9k-1;tM`NaF??
zD>UU&iZ2`IBK%U!d4Y2<n<_B1S2Fp{5{yd?IJ$Sb%`rRG{bEH>Va#om`&zcs>a+to
z{`Vu14=mXSEyR~X*O_P0VVPWgQxxHi-1vutt?-Ozp$YCeGX+@2U}C(qcjk`)@CVj*
zA}XG;48&8LHs3x$nH5~;$<tU7^Qrid6oFj@E{<$n=%Ln;!=SYjTS`~7+*xPLJcQJn
zf94%2`}#LsVTu2zLMhOg-cfkdo<VPXXP9>r&7uF(d}rd}J2R=x=MmY`1Glm9TU2r#
zzUxo}YFn?ey*hdMa42{zvD~Hy$u0UOc2`o9lIxGhDp>ekYI%kI>T*F)rr!y>$bByG
zrgIWBIrD8pv&IPreGIm7RXhjk?7_(<3%bs_u)DLCH|J-N%drx)<IU|bwf<Rv9WU#%
z%Y2DBL`i}6Kuwr2kE_8e6Y37mrcCdqPlUYu6!)Wb4biy?{$dbRYF%CqIH3R~M=pB$
zN1-d)6Gdd)j$eFxXN}}#U3mGv%|}Phtdwl2))~Xo?^YX&Pe)8FW4cQEhDhe}A1VDO
z<_zmk`?MG-f?yCqp>`~`j?LGsc)=GUN%zP$m1Tp+PAe4y!u9#;KrlLj61WBi2b(>i
zK#atw%#~)Y!;(SM{8S%h{tR#$mer|FnCeP4*M&^{jTOy*jTKFZx1J``rK`&1O;i7R
zO}(QDxe|HLVj9f5x%xs^;bAbbA=Mm}0^ouHE$AFN7Gnf9LwBB;^Ds00k6P98@KpHU
zLMMqaQfIAX8@xW>g9-HCdlNC$WyDmM{xxlo8b*(kU*G40rb9|2(^9atF8urr^MV9{
zuV!9|?tLt1BI)(gj+Uf%k!Q546FWj%;e|%whhO2H64Z3oYu$pz^@N9@Q7=l?wSDq&
zQhg#%9Ikno6Ff9_lDC0y=lYY(tgoUuM<V!IUFwswUV?GLx2;3;UOubH5j6^^-f}+?
zVor3}s5*V+&ioXJX)sLUf<+SlnI~+fT{ewyzrHUzob0G!QzajX=rRIe)9ub^cI+%b
z2tL+2w#(qH5?I#j?DNNzYzxWqJ4K%#d_oCx#e0d6dHOb4nJJ~+>6PnSDl$Z-GV`Qn
zt+-NyD`h7A@F$8VSvktP_~>eq`BuBqF1+5*(4|NTO(-6w>>9BDIawzue32`A#c<!q
zk_sg^A~^FtfFEt+6~%j?=w}^?P<q--52_F2rZy9lcCsar6~m7~AC*w7;wC$!U^=Bq
zMUvdmE}%ekl>K58d5?7t*c1g=1mJ*)&jM6<dr2`kq6N%&soPdswHn7sI%QzTXmQc;
zA}*`LL*q3KUMZeNY~7i;3zIhT9G(UU_<>DB2WBxWd_}6#t>ZNvbU+@3#w&#-`2dl?
zM1TS>JKB7r$IKOnj`Mga%=_IeG^N}S4R|<IX(GZcHrVWMI+^II4B93$-heMz`G|gh
z^aAK_|0&y8pyVx?Z5))R5d~s*X#5X$%&dkklwn}1{Zk1p%s`RSf=SS<1=DU%wqrkr
zgpGhc7&olZ-i&Pq=f%SyzO{LIK!Gm%lcuRE%9Ul@jFhwVwYJo5uyXyLXmb+yN`xru
zw3M~KV}I`2T|;}srcTNJV~WZv(iA<a1g$SS;Eh8pcUgYDPQ6pC%_cGTn=DEOAViEQ
z(Z+@LP1}|h<`^M{LBh-{(1i7d;N`W!q}kN%M2R2sDbQN=uX}^BCmo;j>zcRB@iZeM
zGkW}A!+Flie-+05!x=FgltwI|uPr~@@|fI#ZC`#!DSBjlM7|O%nw{tZ$Yg(awvNQ~
zqoi6e{jXS*xUqAK1=3>*1S?OC79Tu(m1#kYQCE@cR%a*@7}5Zrd~E>mDFqDe|CcAe
z9P5RM=4&6Y<YysqZa_67RN-VUynM24w|g>T-<f3`(hU}SNM0Lk_)N)tvCgNz+A8Yj
zuHL`tdKebuUB`n@vmc$#13i^~t{8Q1wOd5~99>j|ptv|DY>4`oO!Mp~h~u8VCTT3n
z!8@K2pa02pvZYP9)2@Hn6dmXxV1_%e{HNHW^sKU&Y{b)~ch2jJ=q|-qYqPK+R|k(e
z@*tQhIbpWhXi8eF$jH~c#mHsWHYO4I?l{?Rd;H$TqLm>n+^Z>W&z(&6DPzK4Q|`hk
z@|fb05*M1Zg{R;JB{w%n##8KqEXZ<lRS;=++}H0Sh}+4|jV@7vgCY7J?CKGWaN3!o
zd6A;m3I?mrsWX>UTQdcS1v~lBcFuu8a4fjk1iFf8*9T`WFMD5m7oYyWr;Ar<8ssA>
z;+9d2Nek$n#j|Ss+{yoif@c|40ne3JCr1+%?_HqF`zpDT)p3wfctWIC3idv~3wl>@
zYf0H!gt(nL?&6Ehn<1;ZN;RuQf}+F$7$iy9{4jDNVPx!?i>1z2PCR3q1s@e%{~&yU
zQ$GsPI^$k*L{zx|>$A9W+wxBG^9fKm&Y-s8<Sf}EzvTJdkW>kc3rl6W!~G%CJV!%H
z)A=o5Ne4K*(h7D^Tko0U+2B)U$3g1(*E84;!2371<f6QQca_s&RQw{VlLoqv2KqiG
zAvlfilN+||rE8Jc{)%NJWO6>`WeWMkXRa28%a92>FZ9R@9jzUY?i+Cbx50hrcA($8
zqavZ0L1LkS1Mllj9?_wbfKpb{NxY|aCOd3CGTZFx-?xzl3n2d?=bulOjv$=&QtuP@
zb$590?+VMC97phQV&>SyhQnzM-=XWjTA{dT5;9}ksc&O9vDjf*MNE@kOZ9j=A!OP|
z&g;fK<imnmyYPxxnPc^Kg~UC4G4RfM=U6#6x13VifbfUfC6b#JsQ9BF{?rfvuP312
zLnQ}l30$w83KDi<z{3x6AF@4JqVBVF_?W+GF{~kZ0%(gpLS_(rZ0eTIO|`%s9N98b
zZ&vraG-|o38E-61OS|bj3SQX3D0iS~6?=HsYif!N#wVyklCYlrfh#DK5Gv22<G4Gy
zYnhw9-(jB&@5;RTcQ3BG*&Am;hj-etVLZ~2vO*}NxVS^5a8IW;7SH#@)Pqlq#kgP|
z)o}qV?K3RWnh79vx~#b0FaZ7sF#r&cLJ`C?UueCo;u5S8HzNkukRBR&wZ53Epi&m2
z)JQIf00syUR7eM$0`OWKeAMPuzT>Gf+%<svnRV6vZ#<<1|8Ldnn3`<DW={`j`sa$+
zOB8(qd#d#f+@4A+5x|fW0TdDZg^3Q*#rOgKx32wp;t`QKwOk@MtVxSh68k$*#ONO|
zDFOR44HKMm)oHum{KGxJb#wmE3D;%rHXeSejx@_u{zKzCI;F^l0nE>o*eMx|fC(>;
zTv#xn7cGxdiZK$YmAQKinxK7@WBO*4^UsWO98EjsZ`tE`@DFu9ig&sA)57dN;R+qU
zD1(|1iFYhtTeBi-RooJ)ec(dbAf+`8b5cZXyRWAtRX_@n&HSmMkZ6cLw@MH^Y|>tq
z`ZXhrX?itOF{$Mi?&u6hM!oNCD%=?tI%R@~x8jfB6hN@fWEIhYJ%rBFiOQp6+n$y(
z8|coaD#mJphY%PqF@KkpOb1+H>3zWzt^yQQ3>v9gkS!$wp4}T-$vGPzAFny|!oT&8
z_;>{)a++IaEuV8%^nfS~s9uJhNzv<-gbg_Moo#>YcGBzGdfdNcSX^SRQf+eV?gIyr
zk_A;2_^e)X7Jwl6M@m)p3`S4nH8%IRnfM?n=qs5MF1@qDHj)MKswGGfN2C)QkOh8B
z*EY?O#(0`3ykw8lDaLMEDaCs(dDW|&-@HS#uOeNBuSJLAq9C0lP8^kK>5&{Es`D9v
zG>6Qxh(Po4^4gM!+T%s!<O#lrTQXUjhG=o6LHdMRAiywU*mrWzVum?HPAMY&N4e$v
zpd0AWxdD#!7-(c5X;w>3MgK2*Zyr!pxwii=MrS=qjv&~pNgXE?6H#>QF^4)T_3a$z
z64O8v1w|25*q{}eDSE6FL2&5kId75!iUTOy&~N}YW|^oAPN0bhf{YvX@4BC7tv#+y
z+S?g_{pSFCuf6tK&wB3rzOK)8?zhY$0P0tj`}v5Hqg8jV9?iMdoXI1h{TtTNM!Ig#
zKrIP1x@<4%JL4qbk?+bkr@XqzhZgrrTygLB9i3B1&1eXlS^MX9Z=d~U4w)#4(cO41
z%R`H+M#pbp?3iO)Fe{^!+TwPJvv2bCz;$ue<IR|v_zZ3p-O!9BEj_+4W5^erO+cbj
z{M)0ct))e#Jv64j68S~uc{uhrJBzHHrNvg@hxV<wH}uN-MOG2t#$f41?5r`e1?wcw
z=OUzZ1B0LCjx>&0_WABshgq}3d#H%vD<LY{%aLAsNuZcV6zW7oa`^6cm>6g#40tMd
zi_9Z40P2O)%~R@pUSHWm(Dq}9?@cQ^4o~oQM$~Q6e39HLMIVnhO*w|JKcsytP>q|8
zS0-^Z@ms%IREIHGL|B(qHN1;Y%Oo*x4jusFU6=bTm-5_Q7klX!7PZ^)#~`kQr|^T2
zfzs?<N|Js}ngwv?E89pg9tjDqGqQcNvZO4o<B_;I8E@etN5yF1o6+p$(myt6XiSEj
z(UIYL6X*95>P;vvA%k^HWSRS@KcdLz?b>S-TosM3f!mO8CT+XF$R^_CleVqVJQ{oa
zaWOg&V=^izCN%`#HS3hLiZ~;Y;LA5LcXW5)50{+1c;9i_xl3fc<N%*U576W;J*hlM
zU6`6F&%j4PjmFqtX?aUJzzf$!y?YHIYDV(d5}@dbx^489@V^`geh^kUT<l{!MhO*a
zTbKM!Mt92fipiXXz?bE4m+>7-*<9T^C2BW0W6tvd7)E>=Q22LT#@Q?K$#zpgiE<1&
zM{xCrTb$CfQe(yOUGO_@4nm^?HHDV6_NZ6{YXvJeLr+hDq+BvMsq%FVJ3nh*2+(YL
z%n+_R5^T*ZC|YgbRfKQLJYTgR{+3ZSo*)}dW>od;d@^#`^<)ys`U}^#`HGjM>Rd<Q
z$4to9D36ggXg@X?_;FL}^^wU7PvQ=Q8hEtwgP6SoTrl+kw|R|#FD|OFxx4qA5klDn
z)r5|jLp~-_B2>Dh$7+QiK%^hgM3-7(fC0BO#v0<69`bv6s*22aorb;CPhNHYBUa9I
zAJ)Ha7?DV!@_94^5VMzN)aJrB4Qk5r()o&w>Ueh>Vcwm}IezIAIW=2xJ0ySUOn2bw
zFN8%~g;iJF=dvP?o+Fe9zwy2zcHVCH?&Ol5NYiL$duT5$O|Jn#NO(Fx;bz@jpV4=2
z76(V;=aro%-}vUi7i!zWnCa$nA9Czaj2@EgwOb#iF1EwMiN+$^PCgo#v-Ecq@;zbS
z^}2D_eB&^_(hbIZDpNESw^(%jcpiyIiAQ>@RWFRwY0OFtmekT?TigRLdopsCCHjb%
zYQ)%R0Bln!L+MKBF7gr7pzviCy{=7Og(!#px0n$+&6=$$VxaY=8Vb@uc1@FxqqS#e
zo>eFnlxG5{UD!t~Bw%yLpblCM%i$t_Mwk2$g!p<n%0jrw>T_EMY?+mpx;D833v{fx
z(ANW+BU)Nbj))mOI(FP}DheSf&(YAi@%XYAM0~ip3{bo7x7_T1uiR|xRIL4=#}du{
zVqQ2CK<R{5oM8Y!kw`)@b2jO_pwUqVyzevY);#ai#BU1iGizG1P;PAa!O14(>V$W{
zHF&Fx)cDB)ll)Oi**LH;^YvkZfBWGC8CJ#QGdTa>@$N0Co~;pU5NgI|zCejA%UJbc
z63;l_Pn1FZ=cAZJ<d>mdl36BEaz0ZynOT36I%vN3=C4dh68vy|z+5BaRO9xkE8U4p
zLLHi!RZ9<4`9i^|Tmpa0F>nra8E>k5{Rc4Hdx3x5e*oICxtFbWdsRjQ0L<q<2R|Q9
zn;V0Fn-L!FKBX<xA!9@Dxd4#C6A|Y01~Jw4(?fm_(=|U8r`?>g0E#@>4xy@N=es+V
zn$6@B6+2Ft<$o5{Sne$fPZi0Bnjy&MC7{;OVp^95+o{r@=xh;hI@e{u<<m)t!IJjs
z1!p;N2|h`0`@*#6T5Y)N>Y|9fjG;}Mo&Vh_IL@@`tpxSps~7fz?G=8cqY&S(qtiw2
z5#fXPqK%gH9(rMqZ#Pa`RmB~XBcdt`RBAxB3(vz`v|e*e*)gGk`70CDGp<L~W+bBd
zg*MpO@EeMC>Tt~~nmf1E#Ty$PYjWXn#eevY&{jkp+o$|sdl-m37E;amD`fT=QD4rp
zlSkJ*D!xqA5%5RkkB11&j<t)mhQAX~=!Z!gxuA>>^o0hGvZNW~<a^@UPptlSRz+W!
z_&pxgXndW!3c{8A%o*X0Zc`fB7ofc}Wx+V<%XY<gFP+Vl&u2Ag$X5l}nIbKwcQXNr
z>JlLu-%;OLsWDNwEEWV5^;Iah_SUkmSV_P==^ERNUlOpf7q27{uR}daBCDv<zF~(a
z!qmjWi@>!)&=$vIj>qbEiIEyaY*`%{g_foEJY%;7)YfKs4HAR{pU=YZQuF>p&>H#m
z#Ds|W7^>0Q8iHWAxzXlE*d>Ch<Ct;b%6^E~T6<+mu$YY@7eUS5X+>2;?=5+QGIwV5
z+v~tbqQe4Kd>ke4YmDt|){+JiM?Sks5L#Swyl=Z>)7OJ>c~9<_GJosn=(pk1WvL;-
z`IWzGXT|1v1tER*4_jgXmJo4rnQ3#C<v)8ay@X6mzQ39?BeZ!$;>_U7Zc)xDag#Wh
zt|ayT3(nRS5AHpWHbM6eLT=1l+gaJM&bMBWzn6wTXY)p@uD~Nham*dVwQ=da`n}`c
za^&h$^|?pDzFg^qv$wuvM4f;BiMd->UisA8Vi>qXq?AHEE8Y8@L5>k8FD+N3bnK?~
zi(Zq`|HP)eaS2&7wzLjXZ+la~tzJ+&PIr;Js7KkvUTp!uH@?t@%J3mowYcB*zfiup
zc>j*C+6a^5D##A)Fy#3mm1DT$c`XHR*$!HgQvugAfX|BBnhMXTi8E7upO1KL`K+Zq
z`V5VS1-drwvX!v5Lvbqkp>5mRwGF$(Ow^-qfqa5%!Q_yq%fEkP2m7(P=l$DG$G1E^
zcI!88Db2`b?cvfKp7>dbcJ|IiejcYi)wA$@=Y&?i-u7WyBwf#6r#|rwPhQcHDeGH*
zdT4X5(_ukqe|YeK4`&CrGt5s{q45BvP~yZ1v$y8is8lZvi^&?*O6Wdnfx}y!eX9jG
zw+oYegL15e@j2JdJpWPdaKZfL<feCU{@U;8xX^v-B}n_nFCSLo)Y+>0sEkN2zfnDe
zKGV+MUnsosKu-Ae^3b+-JfRKqIsf`3paE_D@1Dvi%$Wl-x+oCC{cBD1)I5)XyE`M_
z6y`1X5){9I^I}hbG8hVi6W3=KtC}N8C+t!#rJ3V;_K45I+m$`CH~TdJjSx+R;yHQj
z9=FV|N5S9e88Gzgn3Vo?$kMED2t*<}x+5*-?TYfn4=5I0vweu#2apcz>92K-!53nW
zm?q;?bXDuN)2){mXn_01LurOb(&pL0ZLHVyD6xgD{mMC<#8;X_Cq(+R89i{4f9y^@
z3493)*W*igdyO1*D&}JR$5wx{LvWV#6paQqRBK0HhA&8Ng@2c#*ee{5KYGNfBYc7k
za7WP`14Ts9$QLjLf}9(nwcDFkjz>%F`Ww~NOqQ`(tz}PJ<%d^#?Ew!5<WkqH%EQ(p
zcU9c`-09kY%<NOSam$c?wwZ1ru4r11+t(vO^+E&ct^`G<bA<7)(i0v*Uyk_U3KsM=
zVfy0i3eUY^?xK<-U~cuUX%lwF#82LFWbMm1qqx{#b03~K64xGp#^Ps-G=5b}7n{UN
zQA|DWCqfL$uDmFeEgc{=e6)6lvkI35tZJhOt?0AIE7(Snvh4W?r5*18x$L`>#Bb*X
zArIOMH35IPj!4#T@%Z#mzk6X0f8c=@x?pb0*kb_{2_=S_(Id6p5|1R$&n9YWXmq8T
zT)MLLp2L6uTyH%|*%&$D{`E{7o00ggubv58VAcI}Ve?`0_oTFeL6=01+U+Z`R=Gwm
zvfa^f(2_b&-J0k>$&bTe4!<(+!-+SJLYyPY%OY^O9#~sX52w@51%EeTxnmBltHFy4
zFhZ01TXH)0nN_c%7uI?96qgC}7wmHI@#&pXk4wjtPm5f>OEh=;h;}2nHg2>wHG~J#
zgv(||=)8w7trUcLwya%=JA*gY-e|?S_S^2+cD{O{G#rGb9cvLho2zK4N?IG4=yf>w
zv*Cg;$lC3%C!fPf_brRNz3q5?5se04nv$Qo_T`L3A3H&HEw;9DVpi&t^%;+`%$@rz
zV^JX<o&qWCQl{V<6MWR$vP!;;DIFZq#jE(3Z|SL8JOde9_uUJNdrw79NpB;X?)u0#
zaSyb{?xNGeTREM&U2KUJRQA2yL$ViV-3Y5lFR{X`F(CiUXSXLGu(tFzG6v$JL$2?l
zm5a+}S8m|t0@_lh7i&knUVX6Hz`F+>L&!*8HrGi8{90Jh2I$vX*T8w&HXQS+EVwW#
z!};9vXpA0vRODD&$@?JKp<Hfu^H_1k2|Mgu4dqfCf<htHO}zPj-1siT92e=@EM%r?
zQ=PY}ha|2_pAlZy-Kl!jJ4YeH{S;oJ;>3seO7vZrNRMuL&1thHoz95lyX4g>J$295
z*_tp~A=br}0Y#EytETcN-~75F!fGvb4)a13LZ--VNel9>Z-F4vu`FSpw&{evQ{}1h
zIyFd!eCE`blYecz>R$6ZF)9rmA{=z;z1q}8R^Z=9kBC2-tUCaL$=K#E#mcqT(x;&{
z?sn*cdS59^4M1M+LQ1(e@79x2q=U^H>+CWfpBG^#<guD|(8rT=Qas(kN739N+ZB<2
z6XM)$B4`^x&HRz8#~A)v+})+td?QJ_-PyBn3TU=X&MXl`)^loLA4Mpl$|EJniqBck
z{S-@1iwj?#=qOUlr%rbJCVNA#6MT<IC-Xpm>_W4=z8}2i$CKs$9O`mDLtV5Czif2;
zJsD`c1*#T_{!(_{qo3c|)pt4O1!xyecA=e5M*3>Q7<I})-@6(oV{^0%?yT;k*ij|b
z0v9v-7F9|=;%Wih6YRBO@fhxSy59qSS?2;8kIP~(c2NiSK?-1x=aO`+j-(0~dhXcN
zp*SwfdqiW`_6c5o_S=P#%&CTteX@a_X8uw{s2QEe&N9e~dO{6eIX86?HXT5`nZA&9
z*J+Ehk?u}AzVku8IpE!x{gCYQrhW>vD%M<agg01lbqjWRQzr`uaIo23VkNNk!}j6&
zr32Ue7{+S2{j+C@->KZffg0Rj=`Ls!O1iB2Sd>Mw@?==`;RKbRI>t)&Fz8~0Bg(Ip
zUi+kGbrC#KREli=;kbdx?~JQDW|XUNK;c&AhM@2)FIzB^_MMDD&73gP6SAq5hkSHW
z3>g7`=6l)&B+0VT)mfzFe5P9d%u^Nbi8zDr4`2t$WFaAks&3SIkI;%ihjhG}pRjTP
z!C_j>%ipkh__liJtMZ5ibX(!NpuL^?3uGFdi>~)8&lO7%r|*<}Yv4M^v{(*U=u+fz
zbdg;X#qy4@7XwyQaA1;mzSp|#e5W3Pj~;L*qamrLgqtf@wY{GfnE-JUwJt8C6{sf(
zn8rNoFUwvQ^~-@B?;Nrfb+p*(AP(th8+y8iUR1jjUErOP1gc-fGpN0D!Kw)+3Q|^)
zJj~Ob#*568jXn>vz)WcuByKLf!;b_@9T(OpqTF1A;yCRDH80o_7c#Kw#tL_RT0Ocy
z?b?7{DmGMxT|g1-isg$Y0WR2r2&OMJ9S|(q){0W1_H3!MMSHJscKDMDv3jSb5?+=<
zAC8yonca4Hu;+FGTdadgxuKUwd)bPbq*`<`MCDO2o;Rp;^2eimUV6le(CfJq)16k7
zNQH4y#h$2;=7Jdw#zIldzxDVru7Q)92_<a|TN1TdbkD8LwsXJdZzEju4IIx9fP#g0
zl)oP*p~jLgMQy{XlNP{sP&EYI49DEC%G}gt=iRFJb+NM;P2_65KCY2AyzGfGZ?Ld(
z_oMLOzC+{H&dsQ>O~K>rXumE+@vi{3RvDdE5v^-$DdN}I4?aj`7`s!$9O9l7@fT9}
z>spkdRBjzEjJ#F4Zqc1n7_{;?s2xdr@GXgU)OlIncuCjp$_UC)`Lf+6zAH!6^jP}C
zAMeT)zF&<zvAxyl2gRtR1TUrC+bHbzn-{5Wc<9xRL}sey{k~Z46e%sTLmTlWMr7}v
zvILtf&ia8&E$Ii`k&vGI_<XiKvuFo)RaA?#PQn)Vece#ryyO*Z+R?9uT)s3>D7l#D
zp?I~L?9<VT1Z+KSx$qC%m+!O#Y$GDy3?3M}rlT-&HHsOx%u*{kgA~?R`ab_rHM8iv
zO7y`)b!or2v!9)MZiQ9EnVtQI#{SqB!8^%aDhVHKRBp$g#RfEHb*~je3rk~<KF$FP
z<nSxsQNP5vfE99*<B(O5iJcn?$%gPDr6H_%A9QK7`&*rhTs#)84(6qaL7B^E?;Zy#
z_;yx>vIxc%Dt4$|#?4*e5p=GCD0C$kWx~+8xu#8tS1H@~JxvYWxV`nrzF2LgMsc{N
zv!LluU;UuV7!G)M`1HV6?a(sgu!4|_-jDoT(@UI%2-k1W7@5CkZwDcMAwUJJhD3Ny
zLjw^Ek)X)h#)Y$X8kMoa#(Q2XUW^KEos<+X*pK!>U(%IcI&G;}!m8WYc4WB*j@KgA
zfmR*k3Yfama1O0U3`{L^4pHmI4yo7TVPN${bkERu>O<dW-3N<5Di;kJlnW&^ym%DD
zUD0mxWAVxNO6oGq@7|U?OoeG(D8l=#4J${`9%pOi=I8|0NGZUzl3KbR{jh-evs9r`
zm$+=dc@0X-pUa&^zCka=)|3-Pi&;4)%*P#(+$FA2V-xe;(U@lT=H)C~?+sFLHk*~*
z>xuI#eN`kB-ma`XO@)J+vN2BSs$k;^oA+28s<G(Uq9H?Nq{TZC4Fy~cdk(*HsRb(F
zyar6pZ=76#i3DCU*5mYFx?sQBxE*b$7rLcuZePKs1%>ba#&89$Vx?VIPoFp4hXtJ2
z)cZ$t&~b@j;^DB9=wYoZqGudE)C|RUT3vkunnLj}+b2KHxkhDbPIDDYXX>!^bkK$c
zMWwMW$XDDwGqj@D9;c(LI|u@r-j_XIskq|deDOj4s_t(&r$nL+C{Pt%`c4A{%ne^K
zIEh)%EL6E=If}+?#gL6u#=-m}`#$=0w>`djv}|lx`;svoPnd++@JB(rws)vrdZU$v
zca`6lZAUj^>*)vR*@_h@_#or%kEmi#hJf0P$tXcb=Uz}_vVw|+>cz-aRdHPeP0FYq
zdlgz+YIk}w3i~63?OnBru?B8eOx7-nH^^HVU5VYW12tV6Bb}}(ZFsd?aCAuyN^?6Q
zWblpU73+2RDgm|k*96|E2nC`bWT3@z5|!KAhu4mtwX{!f;o27!d#IhU3-ueSa^>w7
zahKC#_@QBrarvv*&<C;6@7Yn4wmkKSt^-CP->zkQAUu*cIbj8<3(3EBN_r`>N;%-6
zvmT!_C)0D?SaW@Zyb{7<?Q3}hi9NEO{8?};u0yLYDp<*jik9}$`N!fW?I4!xc|1O+
zF3w(1L)V84FqFgZX?#+3R~p{%IocN;@I<8I(F2nXd{qDNC4jzC)18&1Qo9a|PtAE$
zgLXYiO6Kia$3sPFL|Bi3B4gzjU((mrJxA1jJ7?M@du#zvda;%OhkH{?W8RGH2l<Ti
zO^rS0i=WtCti6*#-%Q!ugZi=?clCq(5UNTSj7NFsS8;;0VTa6$LqT77;SAG2K!MMM
zf2E!?D_K#!AKW(&ee6MpZpDdp@#f;p9S%YS)=-h6dW2Wt^X8rvyMJP-MnjSYtg{#y
zKz#-*i@K<i9WdV%jR?)gmPWuG#CAyKKfdvRIs@nnO^yrV2fylZT$iP?%nmV!f*M9_
zMws?d7^-%5CMIA%<;(_XMH6W+tOvqW(ex9aQ1+@pHCp9iQ>Hy1e>$p0)a^+3Z3}ka
zS}1)>l%)64WhAKHvg7Ya#&2a;5Z$wAMl;eq%88;iecEI1B{3U&!bE@;qTqEM^$wUI
zXh8{8->T9PtwC7Evb5DlJjiuO6G8decS-KMLSq`cX{DkK>#7hj9R-gvEn)k*c(wFJ
z(#b}!wfVpp;zffYvN*NuZaClObuz}=xk**LLiy?lwC%F-%XsiS#v;x8_2}WF9|@|A
zSxNMC<87IRHy4<ovIK+kjdRSNbm(^-^5e}M{-F2IwKVx<1zZnBX~J2t*<M_6rD}HL
z;s=w3_Q=NA<WjA^CAQNmJipZ1hX+HB#X>W*niu*#aGCArB9yGJ`aJc179XooPo5s<
zG(qRD;BGknuCJ}6{e#6xwB?a`PueRP9%#^bZ5vGq+6U$mBH&|@xn!@Ovang26KN3G
z1f^KJ*gdVTR#B_rlUm3LsKP~!>Oof|w!UoAZE2K@$Sy<~)@pRE+=|%Hd1$jXmkQYs
zo8>mkXI0WoQ-E<WYZs$>p||Av1iG}M?6DXa93pi?-fzRb=3K`>f;kl9_Jq%}IHm?g
zM<3<Pf=bXJ*ytluKZ_G^ZrVYm%_rd6meNrp((IpGe&b02bk(<WLh~-UZ?zUm5>1m-
za5o|mb?3S-XlO_cZ|Cb5Mx(SjgrMHatLVBi*cf8^+LixKu+$rnoutco3mf(i6jr8S
zlyMK!YBc%iR+y-{{fK(k-2cD#A;KK94`R>kSFvYIx~66?ElzCv9prr-Y=Ag?7Dsi_
z#C0FlmU{;jy}-J>SZX6jM~<FVNh9bVHxe<asrp)VTQ^kpE_|afr_)J>;_k_wsqwAn
z-Puu`z@ABTh(T>*kA-BtB&@Yidt3VV&1mzFox0RZ+!hMGSdLL$uOSb_`#9n4L7CB7
ziaN$-IDCb|seTnZ`kM0<Q*wTQA4hi1-q?Z0w5QksYwnCm!l)CE1Mf#sa}uQ0x3T4k
zYZ#o*HmlRo{#{uSiFr%y57X)L4R(mD(BL~3wvXF?C#Ml(7YZW>0od;=^!NZcGaqsb
zULD-N`Fh0G@A8`qv=m}aYjN0({_fnt%}4`aab_-0+PEN;JTxD8qh=T$mgRKlz;h9=
z7GLU(AtDBSvi~T=x9EH~@`v;Zo{Q{yUlVo&-R!fca(xbz@+p|sA>RZotE1`JkqE9O
zKE9~in6|jG59YbV(OV<xLiP<=(UIn>QK#<tPnwm}oOb)zSYUWA1_@6-u&a$Qv{UxG
zuNO2wDNqf#ydd@SC`6#{NZd3@;KR6p{0pOPb_+RI&?_sOFba{Dfrz{gorh%LYhCYC
zBr1YUDK9v26WS>Yen(rcSgL8(HJ&flhASwd<tRFA+wSd*c^NfP?BG$u_)yhg9B&%a
z;<jeZ7a08091udWD_JFTF)uf195gj(xAe_;O_PdVp8)Akg}L@UN`6{H{adCg!{n_#
z_dF>uFs;*f^47X2AP^8I*HC0he=7SEYabPhO69djHI?DP1JU}Cwi@Pxddr=K7|YXr
zZA)B-Rzj}<5Nd3@Ki`gDMu+EY-5!?Y`GD|!!_lh?Qt!H5dk0^$Yru#|CI*9aYPewX
ztFAUQ3-?%}-c`)p5L*x5iYpG9q#KOopDP`cwDk`^H=;LwRk=ZQ<CHGwsfcs%c?;id
z$+|2jrMnJ#I;v>*U=B%(hueLcBvG%UK(uR^4(q)m(4z9WfM9Eq<ZQ+-C3&7~1Hp^T
z!2dP5fAnj$5PME)Hlk(!a&#V-=*`-Ri`W0wsUuwT!Gc+!yc%&XFSF>4!R5D={&sM6
z9)C1|tsD#8hcwhS8~E1%_jauX(sCI086fK-2P^OY(A;b~zHf1|#SVD8rBOZ!O?s8i
zXobs+X9de>31l}j?+I1G)jy##!RJwb^gUqB0Oni^g>6>Y#uSqKune*RnZp;1WsUGr
zrM|Snv91C$&HQPk6l=TW?zJ}|L--V0%9`aoO**;PP%Hc7Ln$uobZ^|ic7auF;!gW#
zLBM(Wa?V!ejT2CP+F)5PKvxY-Tbb8HPo!O9H;6I?ghx=9$W%Ar_lfDh{1+$*#4!Xf
zW#uX>Z7Z}b=M}|`*{vzziGdgkx}2l2AdNE|6Vxx*cs#CE-XJZZcX;xNn4_m^F^y#F
z$%v@dH_qucuDQBlyqppM^M1x^2~v;Y{))9|=Dx6kR=gG%0e8xh_^cze)o-4N9=?(8
zlo^c&>FHhUa&9MNq0E4x3G3ag+e%bX<kpb=4<x&aF)%lRE-|G9#J5W2$N5%*MY)5e
z|0wgf_&;+kN)FI{J2B4zk3gKK!+i-f6I4Bhc4agJaTu~!DT$Pn>3gSmpy5X2ZL~Y&
zbpi*9uW)fQo)q?__Shsz0#;gOsiz)s3MGuV@o%4y2I0{e<1!htjxp+Ds`M{e>JibT
zTwXxY9tuy$hdm_!3t@Gw1BRY>PImD{F2!rCJA%jmfjDn2GKQ*vb765|Bm@mk@G71P
zeL)f)8qyg4vf4A&J3gq-{*||Lp?SzSgk3@}G)+d-iVcJ_Bw|W_{FUgzDY+;{Ses&H
z*b7eBwU87OYzDhouLh9%0EX?Nrj!Y!K4GnB(r!_&Wh(nbG>gaA%G6#``-lq~G7dq~
z!#Xb{#4N`t)wQ`s-`X7Dg`_wxtuPTWj9kr{-dvq^hV<S0hmrW<lmBM%15(ALOdmR<
zvI2iMLEA<z!AL)aei_a&9uEc$u6j`)BHx0+;A>IS&IFmK8@f$oX&8$n)cLY)6nd}R
zQ>{m=YMWNaJW6D`LcEfNpb+gaG(}#me?7laoLnZPhISklP&bV9{o0oL_!9Dr^|&#j
zr66$<(A?Xdc4rFFWh2N?E@oQ1MpVrG&Zi=;i~NJI+6ynH&E4pDtfrcAqThT#b}T`P
zzCcy)5m^36@y$?6VWnx-^aCtTYR-4au>?+2{B0smnH(2|)AVWpeh_A|p7uw>KA6=I
zE~V)N9jm$77sK*Odp*jN@-qkk2KawKAq7e?-a_v*Mbx^Z3#|n4m;m$q(v;(XO+5Xt
z@`Gj6W0(JU>;T2c%?PdSw*0JIKbBudktfbJh@b-pOXlieRG552u>hGgLfE3p%@^i&
z0bLNQ9nGI0+{Xh7yW-VdmL^-V%?NV>^XVgrY?z&3y2LBsEP=xx#RfFu{Hh%0zuhPW
z;h~`df{oI#wzXe>MPv^aqa?%Zpb#qtxhB`_P`C(L@TC*Nqs$^*LJsK&c}Dpux_=G5
z+c$N`{5Bp1nm>Z-Cs~rgEos=0+&AH7Lc0K~CYUC|SmpWs{lYugOw=dlMaMnq))7u8
zibG}i4T2)`E4WkICy{#y$+W1r2MeRAYun1v3O@PUU~98~O#QIapv0R+u}Waz$|i86
z6uG<L1HOj@HAYNW0uvyQ@?)HZ&yNN!z1+1ixO^P&nqFNb9tT5lcu#&%=`e4hEtr?@
z&UR@1slSZ#3HP|V^~gl>J9rli%6y^!3O0=#58)tnw%4Yh5FMrFI(%sOdNr0;vxcy)
zqNjFpjAG6UpYHR6P5plWzlv^X-EGD@XK}^hx{bXOSaNVbCcD_rZV4)BIW-B-g$K!B
z-@MvEZBuxE$6|mOb39ITi8y(BLXmoE^Bxbtm46>7z2si^9P?U>9@&DdO_%+wK^TZz
zcH`pxmG@lt*<2Z}=~4%n3ukf*2tX_t;t-*HFE2e|XF$;-5r>#FWOMC$cdM(8nR6RI
z{m|`DJgo4F7QO?uTOS4bUv@eE1UIV2mDzd8`7XBtD}9*~YM-<3g~b^`b*sk;?YF~z
zI$>z#Rhon3ocm;VySc9y_&RsSAiEW-@T8f$TMIs5;9Y%;O$|V#5obj6Y>)EK*C|H3
zKp9c~B<|#`?vwK>$&LBv*86JOl4nl&hwGmfpB}B4op-PQ@nv^H`#?;vcTOPSIiYvD
zZ+JW08WG`@_KTGFqTMP6foXrl5QQ4srE{cFma4}A-&V*Tv^Jo1P+~!Z<J2TOc#W;#
z;5R%-P@$x#*7Hb4txY9gI<wUN=`@ihag@hC1nNw7U!6c3A+hnJN^3<8&44@c*oM&<
zrR+~qa3BDK%cotg9LD^ux=Xt!i>eeDY^_=Ut+nGOmv_k~E~oZ+)3^}tvyu<FxZUYi
z*>%in_@zF>zyL=oOHJr2u@z<=uSwZAzph(=7b4$g5>V(b)dzgP?aQcdG7rgmZ8jRi
zR2vgQ$=hC<d0(CJNaZFXmGlMa-uFc$Fz)uoH6ly?tudGVr(5Ae8N)}#pPdE|?;RfJ
zd&FSTl3<@^k)8tC(BU_S&_kpK#H+rE5uv4ftta{1oN({@if&kVZ%@<ZK*Kn?EF*4Y
zZ%7w)`KQ`Nw32v!L|M~h1(kVr3<TBvwVZQS>$XAewVt$YtWRSj^elbnBx+H7-C40d
z=Ubyt67yGmXd`he1LSJx&xUCWM>5@Ty)|`erCe^6)>>!g9?zn+C@OEfTSIT@!dsd{
z*@aj93U|(-ga@w<lpVPJNtcj&oq^iG`ZFcfDS6eF>v*h2T*BjWj|kJ`7!oY%U>xzx
zyba(rw<ml8v76}m3PR3f1gJjl(inQNe-|e^L}?Y?>xf>P%prvg9&qBrWk*w^V#mFc
zO~eX7R&htnrA+`^i>HC?_faf8%n*i=ughW}jFybrtVC<`kIU}V99^T^H<Takn^T=L
zfC6-xH+<t(WoBQei_2?&c(Hh6%@3n1LQXR)ZkfM{MLxbIVmkF$%?Qhu{s@ZOObQ=&
z{oIQh4L9T0TzFKFt~d$?)gLIJV_Mqog?HMAhnEvmiZ+gq5U>fSkELS~Qw->b0WZ-J
zI*8smVfwPm;;Y;O^02s^BM((+4mVWW`l`<P)ztDmU61mwqK?X$e{!{c|Fn2cPb5*6
zw1HV4&wI+Hz?u&aG%cts5vBIr04Rw2OR<_1fFf;n-VeL86|o|Km3kGqq?U$iyO*B;
zIHgw5g?30GntbC-8&t~J#QsC)CLXz(S-dp}v1+FKM?;ITVbaF*y#NxMCWB5uur+`t
zjC)RqHSK9y9emmo2Z%PDEIs74LGh|-$o!=J3Ucj;O-!MpE#jVBct{Z(Rd!;kCw^uv
z5=EYXbW8V`KF5<bIr{C76ogVX_w<Aft3XrXk(eO^xi=brefT{Kw-=e7;{RK?%L)%^
zJL*qs)m?tja+N$4Kx#(G<R)%b6Y2j*oHDOzdL0DD?`r$xunz!na3T=fmWQp7KR6{^
z*%t6M*#~3+5-gjD+o-qkpB;F;|M8l?%qK>L+yf}UM`+wUZ`S$Pd<`38F*_AC#knO`
zch?WN-+Rld53Y}sDh+VuHu_X<(fmXdIJcTI0s|2b&TT%?_kKwC2&{jRRZ$1~Gls_!
zU2g09VRyf9#D0OwELwkivXyPz)C^*d;#OvO4baQjU+|MaU)c9+<Q3wCx*z%y&4~Xt
z)`Y#L$3?ihFTtZ=+wsC=9hwd|wX$s|1;O|}%?H>nE}c<;*}n!{w^qGH=p=fq_HeW+
z)V9*|6fg7OW&R(z_@v_yHKe$iyy;2nPi1u$+P>gi{8kbD!z&``xr^v#@!`wLT<_br
z7GmGUQ!4R43F!}aL#~O-je`qu(Wr0Uic)+tg|bvoK+e8C4q4H3Rc$?7`USgD+OKJ+
z)Ys!;h{k3Rnwv|lik?WkM1a+mJi<6O{&}CZv;$mAa83x?#h`5+ClL^;Sxd_KEkUF(
zm)UtQL8c1~{5JpwcgUU|-gTj+%jv(Ux}t@flAx$s%{b{45jJhv<&{2+xEXNsYA-yV
zSW&R=ee9uE-6iZ*%6ve2(Dm4p@a?Tl>cH#dq6gFbF$*~7e8AI}#9oD?A3|#wOVEcB
zwrfW(m>P1UFT<O}oz(Q49$A~=PtTZc>mtu)u=d8JTX=|;?Z-orKNe7(06h3cD-@pV
z6gItC>MPQwGERMXWvuM33;DIbQfNl~H}~4yXv}e$T{It$GaUly3?k85he3zOfkso8
zT^@%^dCGtTw}uh=RolWmIU|0<>4l1$MVr<P39f}Wdp$O>Ai{r>c^MIG-*>%H<*>+^
zgZqdN)lp43X<|f3K6X67(6@?k1%v2uDDnRZ30?U2sjF@%hAgR@z?eS_700tH=^YMR
z<8e)SRxlL127dp^nyE*gpcR9AXiH>=0PIX=Oig(*V(8@54{O&8IYV!UE~QdGqVK-E
z6)xR+pGv37eB-=@aV=D7j;#C`zO>teu}6iGw<k=8pvxR<Ou^0n5q0519dB*#Zi;xg
zx}?Jclmyoj4+MTYL14^(aVHI&>MeCnMpw-62fMpjFP!L(gliVog)8!E?!M!-ow0XC
z${h>cmC@-{rDgsHRg&645?u}*obo45!z-e1)RlF-TIFzM(8*Xlf(0U#b>sJ6_Lu1S
z(KRP!BB&bwfJV*}Y9;I|zLb3T&zcH!VJx1Mv2CY*pP3!Ih=3+m<C%669vkDaE1OSK
z4Zd<wgKH-!2AGY$wpp{sB>uhHiOJN-^hyH8#!jjhed1btm7I^;l2ViBJ162#*cyxb
z*S%|40W(7En-awjyYzi()#!}C^1*0>9KUt<z}=J^r@&F9-H1oSrVVtbxG8G^2SiA7
z>fJ4^H&_eUy)89OYmRS2`5X1D4fbi{U)H(Q^$@(zYP$5_8}MM+jZ@3owAzvYPLJ;)
zpKnK14zF}xRFDiY{q7l^ZGC#R@^yNZQmOHTL`8h!!%+e|&x8R)HM+v)LGr@c*j(kp
zM3QA&sIZcn%9e83;@jBom`rZZ+}o((^>f04mZ~r1bm2xb&6+M5B+3^3`1ev0Bsn(7
zKX8221T@oi({BgN*rAJ2nXyRdK0vz_*w;sozxreL3#iJ9%2zW4WMS^B#_5f`w(nNG
z#D39G^vSIda%drKQdqygco}tVH~q1umghtgk2y-Y$Sy+ZfzkrGDH5>liJQ}rTX)eo
zn4oNx@wm$(=TK(?V*EcMLw?(#)wH0?tU4aA`Kc(uZAeQ&HVc9h1#uaa@k$y$i%Zzc
z@rqZavzQHm-SgRk4?7$Uys{K~V9I~muVE8{ucq4RJ6|kDQ)Xj-ebzsXwibi~yz0n<
z1PCTPioOH(-0=BMGY1d*IS>WUDsoBM9!*X5%?3qR9hIweCPFh&<5e_{y0uKba(IOm
zm2$O|uPFso>PrAhqC|6gF{^7)hDO-3<jUH12x8z>8U5qQ)4F1@{REb^pr9D7!;|#6
z3)mKD3-{f1w?YgRttLt-WgV?GiXWwrM&Q0cOQr)^Ifr4@S%L|ka#wmEWgoi}wKNF#
zjo8fn!-^<>(X4tFBm{AMHAo;4)7hR+{2i)ZduKvP@#=%e`}OgbbQZ)VWtkXi$$@Hr
z2T%=FGdqk?riYzGG{p1s-fnD16>Z7G9_&@H8)e6fO;`AbwX%CmwY`m{qIS5mzO1f)
zZ22VsD0@$?z|@Zc&#%^vbycqzyH&~DivIrW!r7w#G_Z?gHHD~#K=&-$LhhHm=a9)2
z9xuECVs!NW=v-wF-J<OQ89Ha9X;Sp&>hH;z#T2<vbc#bMPFXSAbkqk>A}3@v9Lqws
zfB<Bn;bb<(%KYQZD*rVG03k902@wsE099!^!BRpb6H@6jbHWI}^6s#^klWkz36`sL
z2gx8Z5#3F$UU)4*YmB$Tl5t)CnM3|p|K~t_e$E;o#dc%by97PB?H9Dd5!(dr(4Y!m
z>!|;snN^RdlUiL*{0bwxy<fCrQ3eyFnROu=jv_i6@+ED!4H@2Gvwx*0)KbM2d*=8-
zPYU-kDJ?t#Jp!x8h(IqGq9Sa$M}YI-C}@C$*3!{mlfD-wY4-ja0&ffOFI5_p_~Fn~
z8!59{RDlKQx1SB#$`J4C6gQGo{AqREULBZBp1GPt1R50I(&Ynl8}Vj9R%54&;oNjl
z3uJ1o$Pt7I*Mc5o!2uzj54H9-5Gj%r9ON4E=;l9;P9*D=DRZMI6X0_!8As<a{VcF#
z%r7X?ha_FRD;x~^s0Zo&y`JND27M9J@lwS~=z)!I7RI@-^!75o{<2q_`0`$pJ7W=K
z`~a2cbM7Qp)c$Zy@@Qz!e{Lg?{2HG|QcZ!X$F333jfmM6P`IeDbRB*3P`8r;V6$Pz
z1-ubs!+H}#=x#c@skDq(at#=L48jw7LFNkgExTH4HHt+=QxsZ2o%k)<0_-pPJ9EiP
zXC9uA-kgWWEbyCWCE|IoFYIGwWmeHX+GuWJ{^x>*naLf^R@0KS&#glKCuclO%B_26
zhZ5SXg;PtXx?SALeFlD<k=C-<Hr1B^tvv^f5v($+vhNEKXFdsf2gdDi>nLkztO#NV
z#KsA@to8#0LVtA)d@1nWI{F!KJt(w?ExypT0fnUY{DP1r`G@Cib<tMRj+ms+jFfb3
zL-FQfCwL!21_w-s(p<U1y`2?=ZllzSSXvwK%IadL!HdhmdTY-(K)ZE-#pvQ4ky+%o
z{FD!qZT(KxvLm~hM7sL|@>)U!8r$vzq>zLBM;7nc!nor8NXv%tL;)~S;FVa>dX+-Q
z)<F0@+R-PR0(I}5N-lMWKaU6}@#id@1NgJru4rV~k(-dKjwn8`cHNJkA_o(8&t3Io
zsLLQ0q(^yl8VQ{XXTgPI>CK~?b-lkRYI_57<l{SM7%niOl0CkA&ER3ue_NZ8i56gV
zKHuea$~zafZUfWK!iN(%A+*H4ALORq-{OCo^Zyu8yi`!JR<L)0+=&}m&`>fR#^&K|
z$srKz5;i#C?SZ5yW#~pgc;qY)2X4jDrIn!CsoL3p1zm3o#xuiSlN5ni*fuNJ*RTrK
z$hArh`x@4oT!CcSQR88_5McM94R@CXc*T131&cs&lIW3^<OJ#_e+_cRXE9N1cAkE+
z#TS{tS{>-mmFr&}HAf0*6Nyi6K(!`rTRK4|y-ipEKHrg9|8l26)+AD73g^Z=OI`u{
z<R#v-+@t#V+mfL0^|tSk8X24k()RDzR2qEM(+vfnx!WJCO)}3A`^wM-AS}EXdYSN8
zm*9RXcocPeL$O82033Ti&E7)-|Nisv?zvZxVi1|!1vW@w-j^xeg4=#7$cMf*7k?90
z=Y>Mf@xYF6)s4MpC&Z7RGQ)jXv$62V{-}r@-DPK|tCtm-pC$JKyNXN<?;PFn96nhN
zh>PA=%ubQdXU!(JbH9761KBXMKTO*CoyQ;g3nPtCgfM9LuC9C~=-f9Xo`7%U4F*$#
zTI7PwS5YxbZnT_y*lJ|)H`6BEcih=Y7!M){xjJFkyd(*}M*=RkJqxL}k+d^ovPMA1
z;!pXuop!Z3r|4ZE5x4Y;<pd{;c-0S>clGl&Gmh`wA2S-d9L@|lL~u7~l?>^LAcGXl
z2^0aF9mc8OZ3zS6>oXh#?=Qbf>>{(J^cCLMsWUxX)YBIBn5n52*9eiR%Kc)aZ)HSV
zsgyRNx?Cvpp98`nQ@gX-w;^(n_(orX*e75!_`%y@2P*c6sg5&X_8Ha%#7H7=y>otN
zxAc;d*sN*HkNRBjlhfH)RN2!M?&=2kHu7u)vRAzPa6NEydc4aE<+n40!d&)$a@LEr
zOOriDYhPM<Wzl=ZyE-_1e+p;n503<9pwar0nB!_FN3Vett2mjkouNG9n@h?E%ZKgd
zAUQvL0(7E~r1c_TPbeXIh~&y7iXy4t8GF%Odf+2eeV9CUvJ<4Gt0exPfGrHu|2Lj~
zUBvRHeRQ-Rloj?mEN9Ys2@i7BkuP7SG(&$2Mh8*KztjI#22p<Ds<|KWa>nokdL~Y&
zBkWh@U|kQ&dn~CxI6p_5ZTc1=64(%8K3P{qd~+B)?mOO$Y@7|s;h}dg`3F}8ytiEG
zo(C37L2J3UhVDxDA>Xni4CiMEcBW^4uLiMdDAAp1uji(Vs8gQ+NtscYJ5~gea*Pfl
zJ4`$vA^%J3O4+L`ntf!(B_{GU<3j>x=nm-4aOrB$osuJTF}wXWaqT2{4oXU!K`2F^
zgFRUPEFA=~S;)%3XtdZ7thtfJ(5z}(*?;F3(Un(SRjSFs)ixv`cKU7rAfkB}obfK2
zpB_~wIiU5jW0OtCR{$1rJibIHQ2}myMA%#I0b#e{8q8w&K&m>ha}axt7mn<PTdFg>
z66>7~{4Hj?N8Y*pS0vH|S+<7NkF%m(%ki24*t*jx&u)BEV%p4b*bXa3ZeBa#h^ZDv
z@V1p_S1>D#i^nT~!R|QHVzT1g@IjaCFk+I<4rFWczsR5$jJ~UPoNyBvo!;+P%Y3Gd
zW=Kk}=LnIM!3jn{RW~~xOH5ncxufm9XiN#|#i1NGl7Qru2qZby5wr^7q0zKkMfGKe
zb-w9yfIk+lb|RL->7DC*%|#h_Xpih`?|jEk(Lk_gaH{HjLpb7rgO`CG!hWA9<LEV#
z5_(M1O>wDIYr{S(ozreEK}ElSg^1CB^|`kk<OsgQx%(N}lHr0`2FOj}F(P5K{UQ)&
zj>Qn(OXI%`7fA)N^Ws}H_21-@yyPz))y)c}%U|ok%XoYhBqWy^^vIG2V-Wr#R_**_
z=I~CU4Gz|isC(VW-P!LN!Gq9e&}|K<$v`x}gyCPutn8<QOg?INX_x>zW<r)<^a9^v
zy|*N+H+fX_pECU0azaT8y@2;H#Z)%=0jwf?v!@L*2Zc0A1L@*)*mml`H8_6vAs@`9
zEi-|Qj1GvM_6Y3<7JV^mS$C$^X<%Rv?Ao#z^xRKJ`;fU580}E@{H&GhXtU!9SY^q?
zBc1H+2Hy_K`nQ^L{xppU#m-V=<9S$X&smsh0e5%cQf&!Ord{tLd*?WGVt5^J=tq^7
z4%t}T$2^3S8g=vql8Hpa$o7PSWX1}56+=)*D5#vjoIB}i2;meVmbe9ivWuh=5tt<g
z-`Kl4nOK%$cM8<hVt<_<`#e!VF!Tj<Q)guHKDF4hcgH@(o5@t->1S`*O2Pp#Uq~Jr
zU?kbg=^ZAt`KD5jED`kGo0(0B5=C})oreafl}SQ`!FeJ8lny2OTAv|??}nPb$s@OD
z^ZDDD>r3#atcZAjncQ(nr8;;!QVSA){GK=Z=;QqDtSJgqM3E3^r9Ha@+fZfiZEJuJ
zy&PJpXLGLgJ_T^;VJo7+1k9Y|3OWwX72buK1dMwHa?4Y>j(q-~90CRxS2qKwX%Kh-
zf(Sf8FXBLd93u>vQolju#t55nvJKBM;53_Mm^1&lYic~sH|R!t5QL8KRH9*u_>Y8B
ze}}biF(`(zeNrwCKa^o(4s5~h{u+G?iiFW28!-q&Q-w9u3XX669MKf?b(*Tt4B|qn
zv@PH>WNaF;!SS!tJKh~M7PHN7<8^4p#u{KnwXN8`SAtq}V%@j0N6281AT0?hlRO5N
zYQXzj{OOAR7Lgfiv>&k^x4xfFEk>={AgUz3jgj8XR4+dpZFYajOidt8-aFTNvlg>r
zSSP+^MvM7dLI}t*U?LjYn5UFzd*XO2#5fS|j>ZHRqOkWfM8t@|xbyGQmryH)MDTwk
zW4n}qBDGm<WnRui>sNGW??pl5VbF#@R+832;<_C0kWhq$x%LL29q>rxGe61_c&k1a
zKsahh%L84sv>Ktr@F&=x_A|>M)iw0Bc?U#DI0sl0*J5b*?08jkoXyG;XrKH{w1|A0
zoJHDHL`g9ru4&VC+)<W#qvx{d2`4?-rB<6Rarn_;?Is1!Fo>>P=Ui;~(tePogcyKO
ziCaTZRMxKjh`w(mr9}LnhX`!+#I7s4Rd_%_1{ycUJ!IXy%P6a)FA7L1K4~~&H1=RX
z8d*XNH3rRLG9b;#j!vF6-vo!rd-!ypXwUDzA{as(sr4O%R3aLB5CqYd+Rrp~ATP8C
z(&4lo3wb8Q-(#(G-BQDbDAbbRF*Glfi<B{I^3L#~$`NVcM|dGKknOV)XG88?sn0!r
z$Cesdyd|`GUci^gegX1?00VOHTC-^$A|l#ioM$mVg?W_k#}@AM05BYFfmOkm+!T%V
zM3;g%;%&5flQKY1%sW>K6L{huKRWIQJ`5FuL?B~HC!v@8g{rZZ8odBp$hEaMhTL;O
zv91FjhkG?^<Nq$E@=dhVf7LFm`uQe0!BjFa?2J)Fiz|@l(&ttfGI(l;bw`+Fa|&$}
zpU1*1g>r~Y<5p;QQe;Dw;#WuLsaVo$NO3Jt^0L7-Sez%EkmU{u1j0f73)a~d5hq9W
zXf|BSsOo68D-wdPo;eHBgADOD9yy9~&>p^*qxO8w`E|Z5yGObx*5Xp4tQ#Kb(!@0u
z-`tFxV`<tF@n&#!`p$)A668&~#d%{9kO9J3e~uMLJsFfSd{<A!*B#ysaNTar9>>|O
z7Y@vQk-=xihWb2lduziCijKKAbI7`v!+KO&3rn5O1$7)`t@_L73=rPYIFSbY5JKpV
z?2-5IK#-3uDq(68@T?}Z{D^uW&*?#fQLZ5@H2HeN*HJKv?lL78wzs`(yIAFJWtMLv
zPxMha&_s#FQ=D4Wc;(Hf%D|B&2sy9p0~8S``jukJ2~Ab2vz#6?0Mp9d3+?gW0vl0L
zKB#fbP1%HzX4IhgmMq6@yE3pl%Px|-<wpH?S~;Ha=&2V+JteGAMES#fty7zd=mdgC
z0&vs>q*!LdF|;)T4J@F6e3WZ+;sVxI2R!XfB(xwp5cuz_KQtppxj3@jTTRJ8NMmx>
zCBjru7>%_1GXe`4^yC4@;j5Nc+NS!(MuHX79Gk-InrNHzkOd?aP(*?;p~nmvq-$*#
z{#|^kGMsZ5&GHOJ28?EHkQIb0P$Y<hAyiPHrG7uK{j7qC|Aa_m;hL-d`E`72E#InV
zg)W{>B^Lpc_`o>&$1IEJ$eupaaqEJ2>2&fhquKC*z~oN_J2D%XAf<3NA`oT4Lq19d
zSuUt;*1J~Z_jk=dff;XW*&i>A(Lux+P0*aOtZ|j%w2=5M10-VX9drKCT5J~?(tq|W
zih(l=1`;TkfVD<1^a|II!b74tvz1P|_-G%Mt*B!PhvI;4c9fN8-ccVf19bMYk>ezt
z$5o=JEuWJWSHXf_dQ$Yy)+IM8C<i3{OI{(YVUcynXDqph_r!d}B*KX4Qo1j9j~$(R
zCRz*2zAd$}DeL<w0ZXO@?7%Hp^0D`o=`SBpaJIX?58i^em$k>1f$$6-^H(g90lNTm
zjI%pJPTJn@%sBX@rJ-X6+uei~y^)iaOkvN^wut*m#wVSd!-AIBUP~fN0YYCk0m$j7
zD;t1WiWn<k%3`f=^M9^W88Z+Y>!DMCGLf<l^iKd;N*?NL5gsl3$)O7P3Y2O93{yiL
z`ox@WDeZ@pZKOv&2|HMm#&mXKn_1{dJe@2~K*S5sBNpi}EDwxI9Tvm5`Lt@XGiolN
zX1iJuK})q6SFiH%eWEmuk(za80}tLLx{W{;qUO4-DRu&Po+IIoKQ5Zc@OUh2a&N%<
zMTzJ;QW5|~4UminI~hdJ7f<w{AXDDO+<Mk(p}?M;Uy%ajfM1p`i_}uJjt`pYzFf?4
z1M+(S&5#j>Dki4t3vll!tB~JYYLrJb{5(1d0thp75-rM1_<X#0mpEcA);9j`qzx{P
zCY#P^{$PS3V&@QI_fj5mq=?c^g&o>B743+MSi@jMji)|evjG?<JcI0L=`IdBr&_PW
znI<GI!U-IK4!_EMSwWV^V<}xb_3qww-vG8I(u#6dRU!ZB_&sUjk*0X{kw8sD(;ogW
z3zSMwc8{tmQ1R5L>O`ldC6NH$wU_5#vuLp<NL2`ckdL%dCEYv~8*t|`S~&E42K?XU
z1I#FiK`iEn2olzb3PMH{X87w8s3J@mRy9*_Imo9_S;B@3h>c?BvGzXe2Z`7z9s&9b
zfZ{T%;oBI3T5h!xLrT{y-B`o9Pb`Xxp4T+J@y?F1Qjw_1HQM<m(O2k1UELzO7TWV(
z5baQ@r*DA|-gKK?#PvzUCJy{=CEqybZ7h-$=&|ApiRR5%mRoI+f0_+Wm55g5WG8q^
z4Wgki9#}HD&(v%ddqw1N%XDzcT2tPpts`fJi}MXrNS2;s1)xXaGK>$X0e(alC;qn|
z<XYj3hb|?H@u7ydy(M<IbpMI-1%y|E%_UK+L;CO$hNJ`rL9vrK(xCHu$CJv+_whlH
z1WBT+3Fsa2z%LxO*{Lx@pNpEM(c>K6M$nXe?pHp~S)%D=d)}7Ck?!AlMNCJg{hVQ#
zm^iILc!Fsxm%eFF(-L~rQJx${z3CeDP)vi}Mb4B!!kJRTVlB%>gK)<@=gU+Ijpj)|
z@Smt6<?&2iCDb{5`o@u7)<SeM9Tf}vRD2jD0AM>=l4gfaLsoiR5XA+V?=KP7bsajL
zrXs$ov~5HhtDX7G88|DgwM|*U$9klBVeWS_314LsbejwepvASSu;4>o@4Qe!TJazB
z;YqcOG0vN2Qlnl?Ps1{88^|DeZn9o7uT3~;5C?7^HC{CVpL2LD$L`a<1g>uv$}-eC
zK*x!lRW=wa;x|Oo3_@{$3Rw*7C}jhkVQYs#wUlWzH;()W9Zw?*2&ANMgYgI-#5cOo
zsK6-coAnE9ghFfMkZ}6d_|~1@Q(xmJgVLT64`Y}kPCvp1CA>$UcvLf|w>gC8*Y3TK
ze9+neLso063oC`10U=_UhG_Nh5e?YqQybEVa<0R%H*PivJJY^wxtD(duU%B3P=0)|
zZrs(}X2Qzrmf-IOU^j6ucnPp=8I?r8-<tC>r1t+GHs^aHq&cY#qMAYVrC}ySm8NOq
z2C-|ZBwDHrmnW9Ft{Ybb=o07{UtPL2#TY}BQ8KfL{T8Cpxh;aaU=%yh069Iah3vtC
z+4MWhD_et}eZ*3{8)@q)y%)Pgvx)5SlKTUNBbHn1TsPh#TM7&GLr3a1Q+$IJY9Rx?
z>{Y`xwNn<bFqL`guaT*idmGjKqPdhpcICx%l0H3ySh-g)Kx&pn@gTiX(F&+&u$ROI
z4ZXZ;cDUv;`8b}T@9#^jaQ1MLf3c6HU6vWaUiZ0;ve+qI)dFbV^5?OnI!CCPSyDPS
zaRDQKhjbzok9a()7p)G8PlG<A5Dy6?PU%7}%AE!sh(Rd$mni|^AJYJZg#F06J)>wO
z7JkHZ2v#8m<`LS|j70diBxqdfjOJB+Kq1Qw2{;*(kQjfK*uJRAWFh#v(F74sF_IDY
zaJ02Ta6L8nheo{EoA}q3W%R&OJUvL?`vdd*I>u?u3cP~IADO*W3k;$**o0<-MK|@(
zUqJ4rFq8u;wo=HmVf>t6+*<c*Wz?TX#ClV5bu!2a78K(xexdx`r#<bz$Xr01x(L@b
zk%>1h|Csp#IEYa1;CsrY2=Bre5{?>2;;CM0#|V7ANwdAZmEVBB27K_2P-xPzgT&Y%
z_gy|V&t#&&CIDZKjvfv&t$-Zex{-S-7ZycY3FAfoRO3h9vku3++<!V+EP`)fPWxkG
ztaiJ+6EV;~gT23Ft@Ad7)oYK<cQ|aLO0r^c+C~KbKjHWrZa>njv8kmvMA^ZCiqSM#
z!Buf|1L4~Z^7`~DKtqE-%@mX2!q&rRP~HTX5TIwXjbnTZ8z7XLr_}kFWAlZp1*Fj^
z=QG`!@;RvGa0#>EzLje%D9q7ElhWVKo7Ylf9@#-+l)Ea4Vz_DC2@c??G%bPuDcyx7
zkXksbkpE$&F{I2@cYzK3gHd+97582|?Ck4T;GYd1GmMFne*OgIT#1|G{U0E#j5@L1
z4_YGb3oN*8IL5RnWn&XkYi$uAo8Yb0kXS}-D_*wo1?R$)TADD>v_BdB!;s%&4_$!f
zY*Oe0M+#F^$$t>Bt`b{_P+(i5B9u-r!mSXSnc+69-ZzMDd9N<Ud4y2jVsXSY&a;)d
zB4{Sc0Z~tFDoGcvCNOc(a#K;ftBt&jyq7*KfImhwYe>Ju2h;&?Bci^APH3Jc$Mk1C
zQ?tVe`5*r5r*;Mf2%6LTNvJ_w{HQ}~U9_kHygNx6awzForw|4efs|X&J@QE@8WBs!
zUVV*Z@$xNf=8EC;YQrGKxs<7*sX6GI9m<5g?MY!h!LziMR`}W9@#6Wk(Y^SG89m;*
zN-I-$-6%=YT8owdl;|=)Lo39~G`ciXf1!E))^E-8pHE(Vy5>1esBxQO{)-5rnD4IG
z(pZrH!<0@7;T-A)Ssh!Hr;z2(N4+hJhf^}?5R;+sae?VrplmKpgjUrd-8k$LXQ}HX
z@p?M}$%N^e<ikG;-FY(1-jCgeRU#U0IXqm!_D4mG?x%Z5HaWj4urbEn8jyd6%wg7~
zG3bW?uprsJZ?2CJ|A{5pG{$L7D&nyS*SZEGrk6)DDhn=*LJ#|ShQ^m~HhVcRje-T8
z^e>Y<Bh`kQW0u6-WfSr&ghpD{c(d_?k*1#oA;^ac2-y9Ni5*fo2I@?-_5y}}9RrUe
z+>03h%7-f04hqWN^=5b#my>N@d9B?Yl1Fqu=$AFxDBZGT<`NbUU@?S%?J<#Bt@Y(P
za5P-J_y7Df09J;?nZcLc1cMYaF8HLWjqI2})7xTpfhCWDGz2AfcVtRrO8+{sWzSkx
z79%#tmrP5F+5T`nbe*QM(4s?rYpk}Ofu8w1JtNuuLb`8K?$AVyhB1c1b)GOu4ewO+
zuSU|OW;2qdSY>g3Hwb=W(u2M;{ZxUM2HNhMn*(NM^K?q=M$veOOMwT}V5b3f>YQn(
zn-3ed?VdIH70vqg*C&TR5jBNjP)d*pu=^;z;9HXCo3^i;iu|OE(-XRgE~G!adzu8~
ztPiUz&ggGm({Po`$f{fLoJtahSK0GEE6V1PeMy(BOUtaS$xSUqXpy`m-KcxNmV^vI
zf?-Qs%!Z$sS$LB1THl0cHzF23YCv1=?bETy1#9vzoi`*A_mJS_XTMz-xhu$^O^(;j
zO<gpq2M`tZSSrNBpsZ3<ITN5WhOK8Q*`%;xqS*#EZqPOmz#<9Zb?d=S)2BzUfKO&?
z?)tuDiZkkPOXdP*8S5Y>2es#iB^yM_uS+ykPd40HPu+gACO&oG;Wx*IUuIl1qqRzD
z&8Har;elhP>5g_1%m3k{;lt#b@p9H@kRIqSo^XPbc0|v{qg_z;L3(%d!6~3F;GP`v
zD|<m&v#71h!b_O?hdSOKw6J?&b|KSYL2yJX9ApoY|3Yd)AP>Jk78|<~=u1N-4P6pL
zI5&QDM*2}@Cnniu_<yafi3XJQkU6u1_m|)%r7RZ^SroJNNEq|ecDy8JpwMsSU_Mx(
zEt|-4QE6RqHe@12Wn1E^M*H2U?>Lv`437`R#lE{_T0P}K29O)@Z+2!sf`n1Me4N8(
z5MF5%CrV;;;1o=|+%pBU7yI?z&wRbjm?Jbg^2A-{L77=qU`zU_x2}Ow;V9|W%ly}H
z=LNB3m=;NMOviIT>=CBsNyPG+!d1Anqi0@Ge3LywxO$y6%5|dC##JbmA`|jBJ;mek
z?Z#<R)i5HevVf(1k#t603~xDhw8q;&aIe{m2h-T_8w$hVQpcLy#NDu!F+_<$_US@X
z?fd`bFwC#Q;m$U0Yk!7-LLW<yiIH+W$+@A?%oc@SB)8rmT|VpvbJfw%*{u{p{EZer
zqrVsAXgp{G8|%6kos3cQ1YguH?9Wn&5(_<rDO?`eLba!v*xO8VKOMmXtk$IY7PT!|
zwjlZmm?6cY*{nTZtYlCZ%i4Eo4aryKsVHh5YZZ~7X#9foVc0R*@nYfzc`CwG-H=No
z1IMwz+-dA^^}>4|ZGuFD|K;fIS=q79w{+krWAYD{cI-ze1%5;P>F0$V9e<5*(*vJh
zT-3EFXAX8iOuP}h-DCKf(O5mtn)q|bqyUjCh%C}MU}scctfcL{BCWDCvSP*<uBzZt
z{AaWPupLf8NT2<~R@j4dHQmC2KGQjnX+Kq+6~5o~C_K3D(0H|Tv*ojv_DF&I^=Q8?
zOzOo8ExDvqp{~^LN8~G(ECz(i;}8%op%4BtyL6g+OP)C|jpUJYA93>1azzRz27b|N
zu$kYK2U*38Ej*8J$EG#$N~w2{p!W2?b?X(FyjlBZoVJe$4RBG9vY|L^Ql5E_2y=*g
zBIXsT`+;tvq-PX#m~^S8$!E(#ZRL5dmgiV8@pgKze($)q9C^z^OPfDCExeed3R9S>
z<aK%pvraynr`~S}EMe+ESVPsbMoj^x+v4Y8k`r`2%vnNUZBFuqA04wJF|QRW1E{@V
zbJo1y7f)|RN{j5!Moi<8Hfg4{H~($({=d0q9m5c8t}oZ$yebW=<I`4uJs49EQ6PdX
z9DUK0?ijF&Gi|U7P#4Fw^*R4K8Ks&Sw7d#OziX1`JZKxFMi+Kg@TkEG2rw5`nS?ys
zVlO3T=5if;^WR1q>3PN|Xdy8b%nW-oll%WBjOS6ezepIbZHZ2xEh2-joO}MG+*g_#
zxA=`U?<P^Ta+3X!-}`*VLYYrTuBw6+R(7tyf=c>AfmQz)e1X}ZwZJ4mF`;fLh>1cZ
z9$fTLtD$%Os5%{?K%nwrx@9zbX!5|!hnfE1eg2oL-s4*vcfE~U+;l&}zb+09XuT19
z+UuJ6y`&OYGq$w8o&qhgpU@se%8cr*@*G8DcC<@u)(mFt7UXRJx?(M?_RgjCCa=$D
zPs2XS&Gm>)+OP-|P7;{oI~UW2M;c8XB8_G9mcC4R42w4#vk%kyyqM6y-TUb?wm{*<
z%q3>j7B2@~yFFjNldrXvRvsvjScD=KMDb@yk?MC85MtTG@Y?jOYH`;!W{Pri{rb}+
z>BhH_(c?!D=}>zoBl?w~>{yZjZe-{f)5KwVhLPtGI&4IIn!Ot{y)kOcdk%`mjLA?R
znf;7;w(q<Jb6dt93jnxLnp0W&Ms+9{y+$0Z)~Dj0AV^lV%QrZGX^$yiV+?g#^%ADm
zej>647&pUUVD2Seu*(6|tdx2HdAT0m<>;dK+JSWw{-nB|tZB?LLB%uopvoo>gKvlz
zF$(>a)7-NVaw6K0Xp)ihev$fH+tNbs+qW$4_O|2V*mO#M>RK99+d&N|*Z7X;;#Ew`
zYb_>k)ZYkr_rl`dQ}M_)E-wax%r<(#xLg}3p#>^yLk99K&Sf`(meEc?pH4ONc<}RV
zHb~MF)+AyE7?2ZW4@`9}7Bs@F)F<mR9-n};j&3F%s3L!C7PRa>_G(Wwl>@@DX(Z`l
zEIb=6(cv*K*TV(~-eW8Y(&46nZE;s_AO~-y7i&knUVV^3i<oDam?92C%$Xug%Q<4@
zO!w-UmE>Y70Q#oDW!Lh55X)u{TccOC?Q(1rkf^@lPe8p*`T-{~i|_{_drDJk$LhM>
zh-)7;q_mdN2<a=4W8hFDevY3cwO>nvL)B)B>Ahqd-8B(3O*Bb!lH)wO!M4yTFLShR
zs*W?@c+Bxw{VtsuoJPBry5p=n36)=#)Yu0*GeH%Lhr=%k5RPwCowuq7IKiyh1-@xr
zcZ9D~uU4!}ZS;Iy8j8>K)B$~p;xW4>8FqV^4MtbCg<k$UO9{sR2Is&+uY~%r0DU;H
zF*s?#X*y2^69KdD=(~&rg9+MrG5DA?m7%wn42`4_7ukh<&Uzw2c^vY9Ow*5<7@o^X
zY%Qzrn{K^Ri=5e%!7D}U9ZPyJb(Q7X!^!`2R0;IsC~(+4bO^VY46j8Lf78uW(uQlN
zf9#7oUbZLxJ<Lo-JRAtwVS_(y+}6cR#?|KObmF?{=XI_tCckPndx)T;9^{*YTH3rZ
zZY~)&|Dk`q1pZh0Xy!^B=V;`E80dVZ0O!I2?0~T<vFG0Es<Ei7<#03Dpi~tQE}>|4
zwr4P^Rr4JSdiM`oNBps>^@uZSEFQG{!x+|xp`~{r4J}cp)@$vlzu*^CXHKU<%2|mr
z5-AR6uEnz5HjvI`{`Y4F8UmJzGj}*(Vb?vE3pO%>1pVlvU&5aW%+<OYkZsH!lT0+B
zdQaU;=hw!a0eYVu$ThY&8vy<VU6R@!1UzCCYV4Md-(%tq$oFUsVp1p6fTGk%)bR}T
z`E2+C7h*oQAtxJ}nWjHtq<QCt;Em?g8It0e3>G4Q=rMgU!0vyY_cL!eRE5ychCD(T
ztHFm)lzXO1dVOUNfor)ws~RiBFVr*3z5e`b2-iu(Bj2Dm)6WNu*S67=a8>aCk$$6m
zkM)5Q6ldOR=uuK)6LAs(pI`4V%&x*in630;28|}*HnJ`DpJS$r2vf-+!sp7T=>}B0
z6kSki2)Ca=L937wl1-VVCJ>5(wpzHkF?-|Sbd0HVK6j>7`+;@J$rdWl>hW^KO)S%_
zhmMAn;t2Vs4Tv<uAX+#-8tTYv5zK=QxvsBI6AKWU<S_j@J-HG8J)kyYvThAA+@hUf
z(c)s(fYb`FU>x~g_>RrNKDf!~<QcsN*VxEIUZ|MDx=0L3x^{6+iG#&~ao^6t2-zJn
zz3*2u%|(=R3WUj6Ft6s8q~3pl0AE}324#w53YtU@3s~`S6x5~iV}>QU6Vt&pMzfS{
zYXKyU3c-|QkKAa3CNcVPDxU%A=K<fZp!Nq=S@{W*wxy*;eJ$xGxD1kvz>H=Nk0m@}
zq)8g5_5t#^RkG}XT7dglI0xqDtlU$bBc@x_(l^nwwFo{ZmcFh9%(y8BJS+|hP=4oB
zaMv2f=M|n&6KAFpy_Dq;-%B{_ry$iw`EAd6J`PabVyL1$zc*lYl9Z~MJ0@LI^N5Dl
zA-&k8y1aD$uz2tIpgwQ}=BCak)X#mwbB>f{!H|?Vts+`C6;;Hqu^$XLt@!Mef3a63
zz`PO5pLmJ7&utVRz*H<Sktt5PYzX5a?wUKbz3;tm)5PbQx;UE*jYd-hUY3}*wrQ8_
z(%hqAJE(9N=lgk__EgWpL$*w&t#0<)<_wvCUqB9U%1<$>P?=3UEX}-bkBm<OLj8+<
zcffR~U4)F1J;F%OUzqy`BY?WwT4TODQ@jqTyb9+q&!2}hUDg4B9+RxZKBCFj^BZ6X
zsIdqei6$mt;d%6t<Ph$?h(!TKe4^JNx0b>}Qh&)pWpGZ7HNeJQeL{dvB&fj{?VSo`
zn#+b^@vt=%&NA-3M}iiP1S;y-rI&QI1yCJ*uw5W0lM3HN2_GVJWZrg6tC6i3vQZrm
zYl|#Mh(8F{rEvy`aaUj7Q4pd0@EH!wyh47s&I;3V3%K`^0R13;yau#siolz+?f!f_
zq-4o!&9O*HtxVM^6ZSi`9*51}v$q5GfB0;heNW&t=h|BY%UC)ruT88phYh&?@%i13
zJB|9~1YKS6VpMSJq@;kse%(k%Hma!>x-l=ucuepw7vDEInXvF>$^lwzfU1xM!GsKy
z|8c+7KZmPNput3E3I))lfOLXX7b=L7wt_p&HrMj6>w1Vi{jpyRtJNg#HgDtWsNOHd
z)|4xfk!)}NGry>@{;yW#o45MSod}k`Q5lMSiTBen=;g5TWfSDlG%U1X;l!oZt^MCy
zuE3l+_Vf$g(lxiQz$%T7_x{Fk1=)hw6p3WHwCP~#$Bi49B!c$$?Us13AvYtU?L4v@
zCToBXDGCDHlRocrK8ud$&L%CCoq6Qnpf_%THv^HKgv?~+1rTka^B!V`BFwY(p|aNd
zTfSw3zJ_8#77A`Mw0z?kpoONr00b!q0mGjPSRg^%p?1K4*TS(`zyVnpg_xJ?&<7O$
zo%*7(t@<igC=?)gfJc%PKIq_&yFa3e0e7fwLPIb?X)VWZ5qa?D?PE?6vxK67AQfpw
z*yNG=3iIvVOI=oWf6F-~lC1gIc&Zf}$xO*PF7=b!4#ly+AoV;Mq@WnI@z6zng(sf?
zO}UmNt?KW?JPOWn!VLAH5=Jyfcn0+-EmC-7*zO@j%YQcNiw<RH%v$9^P6BEld20Yo
zPC^iV6a$nqmAJ~{_$mkFPOWDxVfjO#K6Y{9Lky0%I31gMMWhEk`~Jn`n}6atu+S?h
zoXUC6CXgFGO3_16ehyduoVn<py4IW-L)vvT?;(U{s~C*S5fsQpB6a~|0cpSh?#`AZ
zF0BVO1D=AB*D+iB7Jr70oAFHCzRBLu>jb+p%`6GYpU(<o7X&tk=rfSaaXe;Cz|%|f
zMp<P(T5*hlL!^%L9{v2zt|nYQ=Je>plA5GcM}P%Sf9e5xJ%;(wwK?f;-W_p^fe|jH
zZHa7m09n8tPy2{&rjs-$#Crg~{>D0{1>iEYGt>y&KMXzn=`v;pXu}MqBcpG@Wr-*L
z$R543J-M77EdSO3uIT**utb1XL^BuQo_JNgvYt6R@PIM-HDKlr-HL+<J_9iYn_0&g
zF20}tAqE&K@xM23S1W`7$P#|8I_g~?;#na1|My}Zk37~05qV~B|Bw7=GOdu?17M@n
z^Ll2_Lg#^;9hzYS+=$jjef^0!`QuSphj6n6D)d?Dr^G1`HYklVu&dAa%Jj70Ed(oP
zyH()%_|s7}xuR7Dmn$@e^(~m_2?Ggj0i&GxPnsn&j~=+Cp}(7;U2h0}@4MaLHo}}P
z4k?CM_oe4DXLvKPcjMdWX^B$fMhBDr7WwZ`gQO$MgQK3;k{lW%4~!!|Fd*+}9n2jA
zG~NW`8<TkRr)ZV`fPa`RfMN3_C=Ty<LRsV1;+J{>#JB-^o{typ&&Le8^rErA)n;sN
zQWbS~3(CGag4Ueuh@)&SOpAJPv<NCSnn9EUkzjruZldW9TR$1mD==5-AW`fM6S~>}
z)`(Jpk^uI;Z%I`T!Bp6b0TOD%JKt*^g^SVeaHP(^u~UFyW0`*Bf9bN-R@x7#5~oFb
zcE`f+#Lz#!9Ywhoxgx47?ju*o{2HA5+g#wkc`g8iwcDEP!2(lSvA8b_?eAwA0a)m)
z|Ld{&CSwo-y_sQnFBKsIqpq@%6xMV_T1@X|Lih5VM2ut4w_yIgwb{vI1(p;UbZ-}H
zT2d@kM)Kp|nRD2_9`GC1N4H)wod16f)(2C<17Ecx-mZD`{6E|-a63{mC>YIB!b$7Y
zD=(~K^ipK@((Ea8L4B{r^6IEu8`VoG^*3_{*GMET%27YQ1Uc&H1VaifHUG>SQa@sp
zX3WsXKsNG+bcW`=ChQ2h*=JAX`W(=B7k5`r%V{qBaq<!<)V*fhqeQWJwj#Z#*QLR0
zfV>gbFFl%`9r+x5Bh|z0#VIEv&I8RSo9)Wz$t&x&dCr~9<Xcmgyu|dgXlOO@dVSC)
z*euDo*?!lni#)I&v=xx4mlvdd9%Vn)YDeOxN!Sz1CJA`YWm)adB-H14xHctTTz%N2
zPTzP&VKNE;69M25a2qB&ckOH!kxXKpz04nqJPxOGgqV`YCmE}ljfWWIqmJFMpr~{m
zW!#4=DCPI4l`83O&Kxp5qjcE-bVOKes1LhL0;_*YbgI-)`Km}b3Wt&l%U|Aldek3*
zPa?wPZm*>ee1ivOem%<EgNzHwwUxYFULb?4l*04TnP?XqJz9tRM}zZ4Q7KTqkNjNI
zOPop2{PS_Hg}L8?Y&3sQN*hcd#7Smoc#rCa2I3oI`lG$diXaOxe~0@<EN+uofhkCb
zf7z5<Q_E1=?VsLsVC(>psL<%I*RH=&UCofuo5hX#Ugqs`Q4Egd>0yjjZhn4r#qv{4
zOqAb!HilqVG~dG=#?EhtVy}dtYv71*5#-q5{@czzPop67-Tiuul;qq0|EW_5)LRUr
z9}gTKCQepcUo|7{JVk#W%gM|Bw@w`a-bxB#R@*a10tBF`p&hB!Nk(SXW`uVsAK%W{
z=2^@H%;PCd!|m=dZcBR&OF8jijAxqW(*#qlk+z>SbOVk?fVhuglu_9eVhIT0F0);;
zmXc)4)Xo1b13y@;+m;)8dA(lFE>yWbon1h#^Z$QKa_y;8q#*5%tQK+svWQIu?LX%l
zi5hd7t4Mby1JDuZ+#X0$K2HrQYAuPhFN<iLhmd9O@kP`HL^`oN>J=5Tn1$qYj%3<9
zI$G$!ThRRf$C(jwmtgT1kwLb9^gUn=izHJao!Er^H!N)JmMqWc(-x`l5M#hDZAeC!
zT`zuP?EhmJ`)p$c?UOYB;0eSeE`P>J0^vlSbztG;Xvue>>CJrJ_AI7E)c4(D4Ls_g
z%Na5vlz+8!0G41%OxZ=FBs|+a0zGst2hM?o`(a*D+?d^(5+2<LkA(}{I5A9nE<8iU
zdwG{I;hnrp?(g$a7mk*G9s|((Ys!GNM#tMcNob(J*vxW10uO5%@tDcrDHc}Frcl{D
ztxmLVoT3j>@jFJk7aOva5Nlz;VVpC&{^GQQKAt?a7fcxR5sZ2AooD+I?p>DKe*MCJ
zQO13szc}{oiM^t$f=PUtR9+^TmmCpIj6Rkak3JZypMg0g-l2%;Yz5gPdiZxd$qp5t
z<qB2+c?LwJ4rMsx>#0Bl?8EDdEq{8d{fH^p$V54xhd`+Y2I;<dtV0d4>1pUYB9aHs
z;RSztLi>TI8Y?{25B>Yi9`u0zH(JrWCn4*8t1l{~90N4tDNWTVSXbip%kz}X26eyx
zjn2;~CzAG>q0R~qX}t|bAf{U~@KsmtX&rGfexgp02`weIBQ3%8Z-K#xIdh+8JLWEh
z18JuvNjD|hv#7DMKY_21pvA-=B%-ahM*V#9J^#uiqF;N&VScWnGk(qd+_{7&Z3u@N
z@Q5jz|0%2m#4tY>UGG<(OH*GYEINIsv{9rigCf`x*hr;h*)Ft4hhR=Yo&#CT(LZSt
zV*a#S>4o^21p!6G(IP2727b!NUmek1IGd>{i?2DhR-+pUaxMMOW$t>Dw?;RuTSej4
zLi?ZL7zuoO2i`koTof=_ks~k%uSggsFVf~&c`VzNBur!wG0%BTvcfwfudhOTECwSk
z@D{`u;zLCi)u!VC!HXls=OJ3R#yk9oz3{#+se|)9>94m5IqXq^^h?z5ED%^%$k><K
z8-x&H#v^@jLk=Q7j>`<I@h0#x#!&M4PL9TdgjU+b7`+Bp6j=oAQ2Gy9+_`dlMmU3<
zvuiVc46u>S;Qsz^HYK2kdAjw`>kvnDar(}RjOiApB+oX0F`w8mHcMD_(t=CntEz^;
z8|;`HR+*c+?7Um`zAknQ19I8p^t6C*2AZiUAt*n!ZiO6+n4$RQ65^aJ1-o(qA+(q`
zfYiB44cjPzh~Bs=d$vQT{ax%ZIswr_QKws;LfUq{dS(*4dnvw6E@C*IJUIzk*!uvm
zE_S;3AU|Yq!1O_x(aIGhn9DggO08gO4(wUg#ZH44mv2KN14EMU))C*Li+4n3fwdC<
zauY9hNitoSnGdATZA=m(kquP`-jAZBcydK(V@rx&W)B_N&m*$Cjlu{>;iCM|43$qV
z%B*JJAdqd!0*c+qofw#1K_G786U`XD4iYTek$r!WAHkgW6X9o#ad<+0yNnSDq%{F*
zQqy7S5i9shIM!bL&c6qnlIK}L^+H(%#Y@F5yk*Rl97D-sUh(@(`c2Bm-<%4xU2kL(
zu790Vfo<$!J@2qE>Gua1CGnb2iT+)N3M}P4p+J?*WB7!oj>~vTB2#N$@AO|EEg(LA
z8SSZLy)gr*DFcJ?$N>#eQPyW3FI@H~<`cV};ahQq8I>dCa~F&wI!#_5;=KKLayHBk
zuF5Lfhq4$HQ<w=IkNd$H4e}8upIIU;nG8M5cbV*a9wpZa7wR2I3x?p^spmyI-H&Bg
zUKAiDl>KqFEl%3(t$8-W0T2GTQ6Bh<I$T4rgZ(!X|A<XCftK7dORa>O<vXQbNvz+1
zy9YV-Q~q^LW`aA-`~BGck2sf?S@g!>^4r+s@!6uK>|V_EOoDWOkrzVvXJU_d2<{_H
zy+RmbgBhlb5l3c|3YocxS(D%pVQL^lH76Niro`Z~+wR%Iq)-|TSu6|Qt<6Y8xCaxc
zv0^RfocRPJUd#rj9hWX&`7j%Ay8ShA?WBmv#FElx5w;86hkQ9_tMbMPRKGUZP@uYY
zh0I^KMF+VZfikpX9FS>3RAMeTufxHg4M!ZgwcB4$J_oi;#F#7?dB=V|b686;E`a8_
zB_%F)J0>&YIBG)%3wt)B0Fza+i&#nvD$MD0k_(alyC)LjzIDh(QoWDt`)s}l3sV{S
z73fa{=13U+b<E0sV%$5N3hgcp6R-&Vyn!K7#=wBVvAQS;21NB3WigTe)~dA)FRW+=
zfEFW9R(Q@W9IHdwswaD3g{IvGnsJ@7q{M*{+Uhq?L?iDP(GFx?$3ib3B;d#5p4G)0
zBOMVVvxuM*u8JAd;a)|tNPa(Ah|1+Wak)fXKKlX25@kPeo&ZJm>SBp)M3G+ouASN0
ze<%_?7hVj#Oz{(!s0_E97VuxiLlXS&p2|QBoaEI2TZxKoN+I~wkWaE5FbaXS;8Kw7
z`rBAa`t8A#&>T_8^S;^0WHU4CGMJBi(t^;m7Xh`Dp%=mDgYDfWF13<nG%f6HJ`+KV
z2BsTQPKqq5$e`aZlfiH?G>@f&i5U!hTEg;ebuCu<TYMkfT5{tKj?<@5;FW9eS+J2n
zhVPD!EZcz_6(~{D|DELkPm$ftaP|P&^Cz%p8zv~9ag8PzWW?CXaXfWM(!F!_zK&jo
z*CdOEC~qSFJR%@|-sA9}F^mx15fr8M#se~kAgtN+e6*N1_bj|AEX=`G9rORScjjSH
zo$0pUfZ!}Gwo@F_8ckxN9ElQ?L63=Tx;1oP&vA$*VvJxSS}Le0BB&j?v~lP*CK?np
zgQibwL@^jg%4ixV#3@D`fEWYPqJj_v8S1Y0{r289>~EvV)91P8xzFvtY@$@vuB!dL
z!&<*Jv^M~bhQDO2Cx}wtMq+WOnvZBKoYg2Ovy(R;f&i?bOkIJ{L&T|`9~=&KdpRdz
zeblPgK_W1o7E!tJgFOoV8nn#2EM16ZbU#-W1+kHtB9o<ixf>75!sq+eObSyby2Jpl
z?)qcIBn~!+=%nZOT5Zi7f)Z?=x<!-oG?~@nK=8)cQiPlvhf;-jS^mDD1ghx_f^w{G
z7RcAg5o&N=hb$<ksP>dmz9#{)5VKa*PY{?aJQ)5oXoPgvHRxADDf;Cb1)uG4<oBQ}
ztM4x)Z^b${PBqjRByOnT1iNy>n_+zrfXU<B$>&v0Jnqpn1tk{K7n3Fb-5TFa*nh-8
z{@o=ohZNav^4YC%aui#0)9paY^LT?OE<zcy<L9pf7^5Ry0Q{1igAr#3E%QHAEn1)6
zmf$5+LFCNrBJmg$KI@UTca#71<KVxf_0vCN!UoK*XbB~zl7z;G<)#;Q`Q3VFnF$$3
z&iB!{P&#Nxe^=Fr0AdY^Yupkkb`k)Q{^kvK4j~|Djbu!ZlxWJWwo?3_$gRds=3w#V
zju@@Ufki602m1|Oq)1PQxQXg!0)nHp_|((>j2^LCiy0B$+t(Z;5NPKXNWLWLdZfNB
zb{XX%hn8%*)2F&bjW1t(zwn2E&)ae^pCKF}CWD|04zXfCD;$@Ca_#X9j?ayn_@)~#
zxFHVbU%(#vc_Ve@$`i$r9?BJxtr^ur8&0(t^8B>$-(?{Kb8a8SHuLO=qNOm1QNR;E
zg-)YlN+oiaGV&4c3TA(e`tijjX7lyLjCP6)(hmkMn1M2;|H%Cq<WD|V#<T8?t(5f@
zl7aeZ94f^L!w0n|h#h%kL42KcDOn^01s|BUzMHL%d}&E|POZgLT66}Iy++N$XHCnm
zqi5xlwyvgYa`w>X9Op#}J~cA7GJ~{(#mUP9ZfZ&F{#}BWy-KPq+fDgKA@DDWGY_S1
z`u(c~!X=4@yzLB(YveDn#A2NLqWF=9>8cOfGV1t>6mes)3|ffT9*PY~|27@I=26N;
z%A!17xEbVSngO*)k5!D*?_V@TSKhfZ{=mA}ha%b1h(eq=6$!h35kWTgwA1ZAc9}Lj
zClWMSQMYv)tQz1ccC%~Y7B|F;z!QpkEn)cntCNeYO_a5i(8p$zJ=vQPgY6<`C;2%B
z4QU^@gaGmGyvqT;?$%F-O^P14t>3gp0)q&Rymido*cPpV2&o9$>aFoOT_I6&z|i(i
zwPhU*e1Ri=WRm-yoD+C>b88y%r4Wcfr5qnx*oQKpgO8u#aKD(}Xq23?jriLMFGWn~
zVFu0#q>tIMXJ(8-5R}U+NcYsLfe^HE*0mH*`N+^%Eqr!WQH3Wt+OIz0Mt8`X@Kz$r
z;WcNWyYuY#=M1wcTSEYExAnVn`u+CAe3sS)mpeIip@9>0Lvr%!qU{;2`_|Xs_pm0T
zbSK?gh1clGvLCXTOr+-2)=+kimgz*2b>s{Gao+inp?#FVE_&mUofS3aYLoW1I@BwK
zdovlb!YCZwcOy9JWKsfK>4{e3FE>G2BLg~s(kNl$pf)zdQh3{g^tF@cd8=tyj!(np
z^@thm2s@tfYSe9#tH%((`p`Ki48HSlwm~Mn^E^7?*q@``pbaAyl7;JLoy#Zeiv(7M
zuVN)B`~tR3QTgdJ_6)$+0D!o1@3(%JAKtYCMr<5Vlv(aQ=Dw<)7;tbdGRlY`7+-Hl
znzg-f1w7aaxcsXd_y5e|=iP!~<D*x_GNNpK#aa?G&A`=$kv{zcgt8!T;m)vY7Y<Xd
zH3AQj1RX|nlGtVRCs!i8($)KP!RDvZqJE;>t=MIB(&tw<wjb1a`x_w%%Q&-jW!wnh
zJY!JU^#VR0Yy7FsxmWv%H|YX6#{L&+%=ZlF|L&-3dvRo_@^9l<8QC~9m>0guqld|R
zLtl1W#UFQ#x`w*Th5t@{(A++;UZ`RsG-bO!&{Ta_1I{(YEcSXGZmRP6tP9Tu*d{4^
z9xRlT>wu%rfu^HU6SO}O5cWsE!4{~Gzgy)_;n4_ZSi9@ZbCL7D$UC|2?}-67Z*{~_
zN*@6e$Wm!a+GMFV{Wrqt@}N8&wONWABC{)7yyvdC@Noi@b#f$!PW3lquA?dp&A*5V
z8)A-P(Kan8@j~K@U5sA+tqR0R)D9ngb8FqwZz0E2q7#lHZ;mk5*u!i8JIA`P#lcu3
zVn0V;`N(ME`EcJ!Iu|}D-}=KxZZR3YrQJhniq&HGg8xx5Qk0<7Nk3^$dQn2@P^@k|
z$Cwh^@XQnU2jbCt1Q>braH>n69Q$IVv)2=0N1C1aesTS|kQE+RaHj{lnkhMh``O37
zkm8t5gG2w60n$cxZ{N@2{Zi}2Re?4rrboyG2;#xZnl?}!nU+>(u09`E!k-I{94oQ>
z{OPIoJT|o#_?(^?2=8cM4*RbiI8sn)&V;MFJBV{0Efk7=EM<Uqnd%wBp|{O@H~Dgl
zkppTRQhou|G*4uB>ZXG}Q1@yQ2Nnne4lX3YYCq%yT>Gx=(~!BKpR+&g1pk|KxsDUH
z(8IF>`m}qlh(*ajSvm~Tgg20eXXaU=RtHLXaP>caRB0(_oHur~Yh=^<fhIUtO^2$Y
zxKKe{VTL+ULn%I05I?_L!~dP)M5SDGJ6wgVI;=7f2x$lQh(Xy*X`HgySV{?UWwMK%
ztX}Wna`r}yO<PUfOB|b5@M_iy;bEA?{^!jEgyCtact@HWxa;;S!ch<^X2d|XCnUC}
zp@5Jc6Q+L=z#VO#;WyFHRaMTEk)oUuWu>1&!?X}cawu*w(CgtLDIzzpW2(*{;h;5>
zvaClJ)w4{$H1%scz+C>%m>d$dVTGL0?aJ*oxN+%O<-Bh?+ESS%G?rSc8GL=<dxcnw
zaL)cCAJ&S@KJYaWJQ@Pndi<~(`0KqhUmM&^ouiP7^7EfQVCY27Ks(vnYWuV4=&JV=
zGl{Bn;)po<FbkjF@D5FKK2)DYQ$v(k?u{4aT?sxNQcsFR^Pvq5MN{*vXDZieIiNJG
zEbDv`8Bfc;i_@3<dOb&2Tikf4gd_>JdY1Ewq3YW!G}<ExWi1RJ)!7*Gh`ASY+8Npb
zf{cA=rL_n24|<P9U<Pts^}awKTT%IxMeU?mzopu$v#GE9CAwC9+JiZnx{M*27*kWa
z7?NP?+v2(bpRI?aREs=I63JmU>JSJ@ksn!9*M>GSqcZavs2nsJVnO4>!#$E5b}cI^
z5zPHH0N3GLqg#}(p0L-w^j@Qt+s9pO5!a)_o%(Q|j>O!$1cd(0Mk)si_58U@O|0=J
zulrkm+*~9C)Ca$eYh$abIa;!Xn(N$<W>!q3>D@x8Jy@g>u{{u>hCG%gV!}syIP2P<
z<YO7qQWXKYmhpq`I7x2Tviyfs;+HF?YE60WqN_5m<P@I8@i=wR$P;vwf_*16$3<@F
zafjTvyJF_e!|<L8Qdl*QD?S9_MiPB!CfhTPRAi&HiIpSa@IQNcJXm`)2quDgp0jhl
z3*AAI{g3>$<93v=2s2fQeI#x6CaE<KGPdp+;8r?P7bNiU_iU@6%5h`%xY2mSW5fBq
z8yb6U{`-y%XgcsuZl`8%dGBoVlHzXRznjoTNixhw$TNmn#IV)0Z9y{l!giw-#Vcb@
z=p?_y=OQ^8=Xb59wt29_QyJ9iW<c{N+|*FUSN3Fw;gB8D<NBSnsIW!}y>Anz@piix
z+yP))IEYBUQoisA1o|M$d+BgxTJq4)#)g<ZIgnRzG1VIn7@Q-1la<QhSLftKPxM0;
zDXC<0w%W7qL%ZDs^N)8#_5#MgTh90yJto#ZAci54tO_#6N5uM7tlk}QXUx35uN@hB
zhh#Ptt*lQrhm)xnz2Dgtd+_$@Jl+cq_ae5{BO3d+mtXO_jutrblZGj}LkI|qv9|VW
zjV@ubr1WZGJ&Z~;uqZn6MwabzGi!P=2~g<J#Xyt*a+Jw(5!mFmlx&|G-+lDMf#p_f
zi&n3>4<2io>aCRKC#XJt<mA17xOLZC_&mh+=+iDcJi<0+-UI&&*S!!^j-kf8Jn$IJ
z5;Ma{ptiRb8>-|CH1J{#VQoH!CYeG?qQt?@N5A-EP#dqXN%+vy6YqNU*mcD8v3`s?
zb#@}RG&ZMU-<-qr;ojoKm8%nT{U~20Wyv40Mt1&(e?Gu3{}bx$#`RwYZN$ovliS$7
z`rC$O?UWs((jE@IyCtbFBq1VejqaGc8}qqcQwQ0!K($^=C$N0Vgl;!ya&{^veP4eO
zy#D;9mwF?-ZQcV9q`nI&Q|zVp__oc7b+3Vv*~p}kq}+(&<c}8ICQQEt{0DJUKnE8<
z$n0zyVxjwA&}Q_i2}hclUbTWUk&A_NkY*m<_tR5(iR0fhIL=RmbkX{LQF+sm#rdbV
z#Xn>#6nq+a$8#<z4uwcn*_1SWI07iBlJmi^+>>g^3^C@^U`_fwJ-6XVGZOKC?K}8t
zCsf5Oew1ors6+J+P95eoQ+IpRM$YxK#Fg{Hze&U0s_j+Q2Lva!xOTkAHrtOXsp{N+
z!XaKrWWB)AX1$TQ6o$S+mKnGbnVg=(@H~^AiEbuS0YM`AB0U^c*d(@>Kpeds6$<cc
z7exkFgV@N6^UyqDtHjL3*+0n;OYskd-H|l)_C+v{en%hq7-KrM8^cLWp}b=3cV>ew
zPp3cHpFn71OkGX%7WjTif~L@>NMpIc^J$<l!-|kpFC1Yt!l5S-k-jn4-Ic1b^2f8A
zN+Fflh9E3bT+{+X`)7zhcu^Rd;)k^gjU-eCCIe-K48|BlCD}fp0y-(JjJVyft%Sc%
zc6#7eRGEKV`Ksh^YKjwdCephVZd|s$Ui6=GFL>%^tmVhl^wPCQt|aP)EUnyY+F@!A
zeoR~-oc+*gJN{qU^Rad7knoBqfN2Lm`8?&oP~~fLhtvzcVH$N!EZiOcp?SNo>{7>r
z#o5{t3wHsUkj=Y|!7FVeZM9GKz1?kcL^tK)6^^wp@}523)?{#v>{ai!^=o0xGie&6
z&aej7xlLtGvb4%@G*gLM$PM*MngoI!>`p6GMv^6ZDFsO2rbEKX<ppenz3}GD8nVKZ
zd2Y^+3YZ(B(@-7Pfo)~0S*lkhCbb4$(^{$9Et6Z-pBeR|Z`u#&5J(NdRuJFi=On?v
zZ8e-dSD3Ra6mp1}J>_4165;EqP%x<D|ChAECAQ`sr7<vXulQ(-<xg*z<e>A8*KwbU
zkWQ&L=@*2>q}|v^x6)MW79QEsy>bNIF<ke-RiU|J-+Q$4eZT|w=9|1K1*#>I%9}*7
zE8S-!eg13Y(4WXcdVCkf_igiKZfzgar;mefbCF=2U?5Wz)hhX`nCz#OwRaCM=+ijJ
zMm1UvaipuV@`>M6n)%-2Tb?dnNuP(54k7%PyhW#{dKHvm1JK8k$HWjq5WvW<JW)I|
zk=70)2UWa`IJl+5aXZeBq3p0Bh^WO_Pnq`VfiCk}y@&1a<Aj+MoOsdo7a`r+*`*`d
zLZXzCM2v6?5D+)C2OaT&r1mkPf!UgMX?%YpR+?#VJw?#0o-WJMPlv4z`T&G7^eqpE
zY^|74xCG9ENkpT1<jRy31dGX4+9^2hT=>?5(>(h~RS*-ymCAV!Ue;z6#mlZ;SnQq}
zgxQ8eW>(L|wH?HrMH6jNtOo+&OcFq9{g-jZFxWYjc6QdY#QlMQov2wfcSz04d3AX%
zM03pK4XGEAT_KBGDD|VYJ?yX@L~&P=R5eikA8tR724M){tLVn)k7Ox|d)WDic<jxW
z9&?{q*dJo0VUsE-TZzA!*+LvBzGsFNVn@E&K5jNPE{nb!q{fLf3rfnf(>~tju@&K}
z^pL*A3{}D&aRY0B44c8O-f%sAy5a6XL@}wJLx>!S%iVpKxS3=we~o8TNkkK;9twDA
z=mx9C8ux&D^uqh2YO7!ozT6&MDdY?1LTey9wfp)}P8tId9Tsz96+EHMCYT&@uX`(@
zUJ}EFLa%aO<!TIU^sF$Nj$qWKhg4&bq^{xQ?FMalj2k;YH<u0D#r?6gTg6-BZ&~`3
zAA*=``z@2lAS*bQgX2b{X#ZgsnKH4d>_qqiO00R*5{qt4Cze99`*QmC>gF}a7We+$
zDT3}qv(JJgDjv;qkg>2gvjyPR0p4h`7NkpJZ<`k_HzHO~4==Jy{^R<<DqCz>WY$QK
zKA!)PELOoU=K6~8qcEb<pb}xdPhZdK%F)r{OZJD1`>F($HZ$G%u3+nC+Gb!Jynk97
zL|LPY(8H0)#hw<CJxmKFW&lpf#5wM~=g~6V2~lHU?P%0N>gcT3F^j9?ue{Je$kvJ_
z@g&&9i$YUDh?m2Ux5p`I-T-rk+61{Uop)jPHKIvREO(}iKZo0<gI;}275Uff4Mb`5
zP%R=&jJ8|_-L%*sV+5M41!wSyT#4a_P<h*n_JT6J1CF7lmOwfqN?-bgy-v?@(fV&Y
z+B;`F=47QdnzlJJ@a<24DlJOOrI$cVBD!y3DV3E|D0E=>StR`|ZExzq*#VpM43k53
zoOU2to?rnoRrX^ZrR=s1=WfI>R-p+?jpZ$+KIF|i+4uypV0l(<JTl$qLf1x`ddV;b
z|0*=mO<HQu->&b}QEN<CJORZV5)^1kQ$LoeNoDB)hg#x<!lxaCCAwM6YH1h#hPJi;
zS^D5lnJ+DN3r2)0O8!91*r{goFV|4+*w11d<nf4RLSIU7ysf41Ni3qp@_=?V0yQ!B
zcDA~3l4ml)XirbX@mrZhboAcSCC^6@3MW@e1&u1Wm7B*=on-XEce$Rp9wyw0{<2F@
zDk_;6kNF<+CshdEjkrmd`Z_G2KyhxMWpcib8s9_OUfbq+VN>b%8C&<-CPcJpFrx5@
z!Zq!Kgta~|x`JXSOfwy|?WbzF5ByIF&0rM9a_9x?dZ!+4dPc+3N3_Q>Ars?U4i!g*
zuw>X0tw>oz<A|94bh8YOyWpF6P)iQp`bosuro8CE-FseOYG4u4f&P)c-~u5bE^rbE
zJX9;wZpGlsS`<Zy4m8SUqEak$WEcUfsH>a-3Rua)Ownp#J!fi@$TYYpEosGf@41`x
zJAkRs({Ho!r$RAW$^jWRD?WaGkTfV7_lxjHYB1s9o%J9asY_wMCMj?uoelg0mF92=
z0r2hPOeN0ox_mNj^$|58bxh~D?pPMcNyUL}ByvbO9oV>(kOwLjB#}SZ`8gA$(n$fD
z=`Kx8ly7A+PlM%wxR&Ct!l4Eeqh_uau-lXaY$;ZtDs&2@wJ%(_&<qPTxt|+wS-Svm
ziYDF)ZA-PG5hF_yJhhc7@}HBRZ#zS@8{EnOg9L_CEElPo7kx%Y8b4oNa3NpaEQdg3
z%%!qytd(m+#omvGr2$>k?6*kB(gdc?#d^)WPTN4zn2ij$%aI9_&#RHsRzJ5<717Md
zuN<yr)CK;h{O^*;On~V8bKX2T#lJKidAwC)`Mzt=6ZZCi0zKgw#79vvK2pnik)A-d
zQ&@#ya2P_`;*6vN#@sY~#N_#CL{3tAV$p&Q{N77a5u8l5re~>zdg@g>?eT@d7}^h6
zN*lDoMlW*cpO)-!ax6oD11dJLa6b2RDbYtR)f%BMWpGt>5G6L#(nh3a(qsrJg$5U#
za5G{g&$S5*d1i%HN!x11DD~HQ8}qYL$Y?FQORw~gQ7Cc22`Y6c1kG9A)u8{jU=s15
zrO9da>uP2m{)?L6g^oNV?pF|<QXNAChA9zRrJj_NKd9Lw)Nqpi!8Ex{sxqnn5QPv+
zA80ASZetug&}@?xLio9ag4;0sm%|ewF)}YueUpe|sphuoUtih{(1xKy1C&Wnz8$J}
zxE-MpOWE#9ZX|uvqXzadfw+t4u~#VFp~AufIIuOdmQ$GVO9rLfgLm;5@9ZjYgmJ=k
z$sSgHpW!0)k|b97{*8mI)dh%8>LQk-*}aRjmyy>eZBY-$;vVhfH#D8)H>JOQ)vxMT
zAvG!y6n9_FdgDY{p;0mv*LB-EC?DS05p~2d?Tl9!rVsQCmFcmA98^hAz*`DWy2*Mq
z+WQXFcK|M>c1lxGIa0;wTdd`C9I=jpR+{xjM?Y0TXbC|8$d$9qhF_fR#7>yd!hAd?
zK#?K5b!&rdM2)i-#e^dzl?Ms}A>Jt`J{DI>TzgYe8viJ;tK-usx5c0waab#U{u9Np
zuip~^wsXBso2z9&TSEL^*Tn?{C&YqiD?O^Q)LG_s`RbYEnKyC0F1L4C^J>K&X2qc9
zXLy&drfQH8KK`?Ec*3iSe=URNdA&ZvdIhO|FWZO3;DkQ~-Dq$;wj-E}#AnJZchj-Y
z1X7$JQP7}|o8!*oXkq?V#?}1Fwt0i#_|sP@zluj>YhrHugq>)LZV=i@2GL^BWZ$FY
zEpi8*JeBd}@UDolnr|_Cav3srp*>7KyK;nwE+;tN>vaX&<~s;wK09J8B#ttxp7cP7
z%3V8|O2W~DmJ`Cmt!n<#;bWeAXZhjQ3*8b94ehb1dHC5Ah#))IltQgBa)q3n)U<;w
z3;#DT9O~bIE1;wIj=W=AvQo0g|6cn|n|B~Fn*BGKUt5n(tnEM&53Pvo7@gr}&74ql
zt`7-_Sul4W$im!zj_2Sq6E~FXi{1ajppMjeL|uY+fvO5@deZ!9%gpZz-G)OO(+9h7
zRN7l!eVi21y32=Zrx&BoA;N>K7&KmWJPD}iN?b6F{ODLx-Kh6iaK?Sy><Wm8Bm0n?
zBqL~gw;SE!vNuLmU<$h~X!^kPwYi=5;P3yJHmWH(#YZ369HxagL(c2gQD<8r;o8~T
zB<+2thAww=HO?e!_(D4F*2G>3El8(XCdDN3y)<u8V8oXzXO-onZxv9%_;+zu@Yv;G
zb<CM}I(>g5)3#iVWV4-28IU~r9J(-OyZ7pQ7<01-2&ly9Xwk#)nA^!59=1MO8+vPT
zZm}@3sA5LswG|}MXpX)Cmp`O!wl(uUX}`$txfV11)PvQHS`}xehT1p^4&N!q$+)z(
z>l?fKm+4$YSMbjr_%>*jHt})3Ifu&tWy1T1vjcreamR@xn!P9HRC|Dp9)=YWaUCol
zjODPX!G!ZO3nTkBUm}ly<2QUz`!jDMq#R>U5s`={(=8z$*idmBt+`KkyO`eyYZvT9
z_yVz_g`_y*?s>0vnO!|;dEMP?{PF<?&G=Z;bI%$$+us$56X5|DJt#a-y(9&RX?F&L
z;sYzYkNu*HC%gr<|NM9qhsThj6PlI?1x>TAN_q)5s|R~ht>ho-Rd@4;-kSX}<#`e#
z>y|^s)@;V9faxcEp#x+oW$4RJ7#*DbG_}6_MjfQ1IBD=@pzv`QaFF?%{lk_S0hU2u
zbWE`Q+N<l$h>$uAKPf<uKZS4#(rmG01(4w%tHzz$ilHywRdYXD1Rl>>EF>*!sw%Qe
z1-+#pDR9riHly2RD`7rlBceDJB`}$|+LK;LhKzqLN7!i}_>l{RzLNXy+$q{ug|MXF
zyVF0}kTM3ODklHIrJJdR$7X(i;qS={ZYPtOvB43s$(=a!&3~P=<lH`oItyo$AYo8F
zOf(I$uhPyGhg8;X7$x7?@nR86>y?qO%|0`oMkAkp$!ihPpS=A|fQT^d&Q5-wgmtR?
z5unozi4Iwz!VeG$UB4alFl-0UGC?}$iinUSxC<cBG}4C_cbT0|7m#~WnAlZgfn#B6
zNO6_c+!HHzqUs8oV1Hc43{7eKi)$_WIn{GCI4!XCup=InvH!+|X6EK>;~}CD4Vaup
z;~Sp4_Bt|#^KI$AFoIh)8Y)#y5)rp*L}NV<&@mgX7^qZP)awq7i1edVV|i1l%qZX5
zi9)3+?JQdcWvu`zQwyH*AyqYrpPh6G!)}Ng?Ga32jlTtCk|w}wp-(DF(k>jJsv-rD
z37J?zl#9fwxQH4BB_`F7KxKvp+r*TUj->FePbduxLBVNZNw<9}3jna1OlO#-(%Xmw
zP?d_?ZjPP)+Xc5E;!q{y3Iyx~2<9;gRUvfBYXvR<OE?c`5UhRjWtwdpG<Nhmc+1jL
z`yIXRNM2Ne37tXuu3pV|vfAhL!o^;^Fr;%0Z#=O%C?9+FTQBk&*RKuDf8q3#{T8y*
zas<R{6xnJjOwdaseC1zGcZ(ThqDW{!Bf&a?I-sX2R;vnG5|U>4pKsa#_Vn2QbXmA`
zR7=ZV6D$9AzH8!~e0tWc6~cGxW41ntjQ3N%+`J(@g~Y4}me6s7;+dpw>PiT42q>4o
zswvzN_=0aUC{pnjN@k@^o#oaM7q(;(&Ik}58oP2)0o{i&v@QC}0qM|VV^CX{9`Jta
zg-e3!j*fhLI%3Sie)1(bDJ=H4Cce1h8FmC1XRrT_f^c&FBE)R({j=7ml|2K_H$_?G
zy}fJr$=MW(rEF>*@o%4z&Pdup*ZKP?v7d0kumJ!Ey5&W9s2hWn{Nr))w!x?#$o`SB
zyRpI+aLOjCze;ZRkBVo)d_6bAf0*s**h@2~7Jb~d^ToqSHJASVp3-@DT5D6~MI(<-
zpe8^WaJiGND?kUY;@H7uE1RN}rXt#&jbz5@t(gKucB1UIg+m98m1j!SAOW&0$i<-2
zFi6!$lD3wb2;C0eM10zL|F1phJ-58|&BwVVCHW`s)>By~ow8QV|JW|H;HG+$0os|w
z!Q*tIr@%ZvvmgTI6orPt?}Ia|)sPWUfGwE6DxN2rsJmO3=1J)m-o{E*=vOYP1>twz
z7Xhi2#{b;xIfN6$LT0`L@CE$z+ZV5iMcz1;E#oep=HY>T2s~15m^K^f(nkc}qmSD_
z({!N54J=caaW48z<Iq?0Ylm5MF(+;OrPWRS=oVJJB#t;0=bwLE3mAeqA-D-9<V4KY
z#+11W&Z!%K^7#B_aPMr11jC99RX6hYZL1p+9E+ezo<uBa)$yyp=;oyKZ?lCsJfUOf
zJ&lAa-tWafP3F70Vk)>mhU1)v<=!{X)_1C^pe<?r;dRSa0gVU%CtQn2QTFh^Umbt#
zG{JKgXYAjw_i#10<c%66Dq;|1Hq<pGI1-%Ya_%f`0YYXe=>@Iy_wa2>LSo`NI&S4v
z?XiACMsrShb+uH6qhdc{c7;HabKK%vCXvr|lR|(h%fwfE3t;cYjtU(OJXGz4fhQJ)
zG?moH^YzQ)P`glFk?^wGlVf_MhP!Ary2^G}=bKWAxAjxkfh|?@b}jYip2BHHayGSI
zSKuGtua2v@`hWAt90=3t>0y788Z}VccUG%&TwdP)1F19Y5QeUtSC@p#YcTR?y$Bqq
zR%nfb1j0?+5%(LPn0#71S0>q56XrBs#gt))yU>NB(V@?lY>HA6@{RJ9Dj%m=UCAkI
zu!zBF8*Vo$PM)N`Rki&{p`^aYHR_06e*VNiN`lcM@N`jT3~Wbs3v}(^U8HLkT|{la
z$qd%wCI9kc>bT|=@+YdGtI)Pon(H1%%|2+-3{09r3h-?nsK1Q~G}12wd}wCsjfs_!
zLetMT^4gvH0ov8u0m}9_hrc7c+4pbXA>q&+V(@lW65^H+yMvkqA+b=6vty_4#im?T
z(WEno`ca)NJ2eYOMeiiTfrWZu{-Met>Du1^`v5T_kw~^5p#)Kcp29hHMAzTd<4rnD
zZ>XZq+ZTU1?|oPMFt0U{fr80lGWsvu30K;ku4Bh!qrMy9$$&fP<7+47I!WT#Dk;>a
zTK6R+HsJml>1|ZGYab`^OxMa3B48?Oy%1q=r}TlYQnuHq%s=hy9i?S^z^!Wb5Cp?J
zb1Z~x!YmyosUizcc<PARQf}Ue-U{O292M22Zv|DX&MaSDk6|x=$wE?=c@0d5h>Ni<
z`?lQy&sr67ZGHJ@ZPhk99f#!CmAn=mm>Sdy!_VRK5VLG~y+0G6<*Es-{G#ZegVP2o
zHFNMR=H!d9KUQRmxDr1F(`6g}NaA>uKJFTd3)yF3%ovqB!k0A_!_G3@a_Q6qu#Qv}
z3}DPsbz((0mhJE!_IU98pcK0M@JJD&$*&@x*M9|mH834Ro|m_Ikd5COes@B2Ae}~x
zh{ULSRxV^zh8+|+QL?FbEZoks!kGma%!XO?C&WIhKN~gDx88w7(%J-*%7+nAPs11-
z`!I3C`Adz4+#m~Qaq}mZ5HW?JueN3c)-5<Y1^F8kRh;t8uZdl9?ZS7b$q)%p$DzLt
z%RLr1-7R4ihUIW|j@wO`pD>>pepJ(+9Wj4!N#_o31t&;|j#NLMi>9=~76e%Fptx+R
zzNw_?6Y##k>0l6x(bDGD%9Zf50OQ%7as5FvLzZ;dd4P|Tzk41**clxwqD>?*mIzmO
zsIBRyJK1MLPNsZ0A$Q+2&&FR`5F>kbutLVyf(_u^s3H%$fTOYf&f~*E>^52jZngQV
z*WIWbk)J0!{gj&X3o6PsUf7k?4c|#cPm)c5DYRl`=@6SQ<R;^HVF^>SclUuz5;Z?g
zy>5r>+x{#m-K8f({dXO4zsB2MPrHsb^F3Ux`_JBe;}9_I%x?`l(E<uq0w7_#5#H)G
zWzWDP|7^T3vDbbIj2681keSy{cI8Pl&ZahGOGu1v5tTz3HL)|})*RSCkUi*sn;du;
z24}LSjkYzF*Wb1MriAtJ-q8i>4P~W*-lmc1MO~dJ6g{A*ChlIB8pjk<n9nOcs)-LP
zt$LCCeY_avYzar4-&Hg9aA0f9Mc;TqMcG-ZYV&_v99+ppa!Yj<gcO?^D!?%doS&cV
zf8P=0^7ZVTA~WY%9X>LTgL2un)L3l_wL9P=Y|F&LjQ(gJ>b|4SDv1NC)~pG*j85$6
zacLV7>_~MNt_cBGasod1?ob*0jzZasxv+zv6$53SsuM8Av5rHXJ7)~%QbOi82Q7+2
z;oQ?+((3j=;}fIu-<VzL;22cFHn-aettl-PE`KOSnf3>W38d$%S~~3)!bg0IX}ZH%
zqt#W6&B3Q~F0Hj_`HRvK26hVGu>Usw>6&R0!ZB+05D$ZY|6N)?+}`Oo*SBYrsZjN4
z806AuRTE7{ChdpP@9o6Odv7&7;12P$TPY8z7ZZz9Bq7dos61^=*{LBGFq&4lDwL0D
z6+NZar3t5??bWCrJU6wS00h?f>_~%1L-qmUit5K1vJ_L@HRlkW*Z?oU<I<~xfvZ8%
zHyByO%vP1d)qkfC)6^qca=R~y-(-q!S&HQtvT1QrTBq7hk>p0?e&d^ES1jjV064Z&
z^=#X7!8Po22}vFH(880C(zh`A9KQHk$O<*u1kiu9#JO_*9#vE&Gm1v}llQQsIc}e@
zfT~4h=syHe<3`JCEul13FEbtCKJU>oRrq~WU<gJWd1x=#$Vije{L{lc0DW^BKEr}q
zhD{vp{2HW@I91Q|#7Njma%auuBz6a(UXMTTenn=Z)QBmbYUmvT6dIWJ%PL<pl{Jmm
zS*(Gq$cG3<T#Y4PCz%CPQFk3diuF_aM`W9oTS-{~?$oVJoCmpZ*8>}074rr-v!3kg
zu6{@ex5%PgA%!u)0TbrMlo}(Zhz+z2+RB_()$|pEXoYYvh4ki9$LP=yu(Ur+f^9Y~
z97=3`JpR!9qYcPZ!5IyfgxLBSHPfU3kXO+u6Kp58S(c{f)e0L}E>-ULz$`#j_kT%e
z-N5jkwoa)Cm!I5f0Rof2JQ{Xm)NgZu2#)DbrS>?kw95kkm{srn;!cH9{twf6A!@ud
z<ESPR!k9+FkV}e^l)s4$O``}6{GGmHd370?KCMeTcD^z{gy1sx2ZytmBhdh&*!JpU
z!+;YEW>WQqNqUF|yDsj292v_m{meE@as=2;Qa^cSAyt(E&sgcD-TFD&EjRksiZg|C
zft5jp7}P}}F6+Ye&t&Z&whYr+S)c?&srY%99JD8BJ2D2igS~OLczWTQcZqnr`i&D?
zB2m37YYaYB<-PmXe@@=odGAuVfX?ol)o%2|;kP^$q&h-<J3s&6x<s$xZeTM5Iw0MV
zNOm)!5Qhv(zR>;!KF8SblJZQu?FAcGjheU!5;8H5X74H~!KF(M5s!nJwkU`<;U#;T
zy?R3Paf-*!U;>9h3j>e}QCfTtc%cEK3**p$J+3vk`_QZ<fe|nSJU9LXsII=)1~}S>
z<!`!+s=mGx*ZD=NlMafaipBH#Qx2HMQps!LK-3w{a_CL|DswUK{)L*{6TSx!-IJs>
z(bX%jJ$S&X5Ky;xo?)`W5vUgY`uI**hfawA1vW9JiLffOk3os)WwxX-(t;H;0e^gN
zEMDB9K+>8<46nz|nU>`{xJF>Idrq72CQxZf__hjsaT|@YT9B`1;*!ZQsauGbajd!9
zmg6doiuaJ)V%a0XLVjiqvwt|WEq&CDfL=nzqJXC%Mf&>tms{4BT>7Iz%gOa~uJN7n
z=%*-nBLObf&8cryv}%E1@voP*rM7j2rOUftdY5?<7z&PD7Ofk2zR=!`|2^VKcYKmo
z`Q+WVC()-!zCNlQeD2cmUk{v}PX<$MYo~#Co)+$fHIi5}d+=Ooq?{LQlz`Y$AJOpc
zrVGK`v(a`3?z-uaa<KQ6K8lT>dnX*Fo!wag@>Q$i4uvTLL~+o4zF#spLzp_r_D?Ti
z05WX)Z!r%X(nBF%iEK+H@&0P20XjbRk<C1V1aRUlM{V3~aPlVqpkq5{l1h{Ok}+Fl
z7J{B*p8F{K%(oNv&H2eUv2ze);<~+oG-Tb6Sf7Tbt2YgoS-J}e5dB}1P%qZgj>2Av
z@Dl!{TjN<2dNR1B_tg|a`~g8o-oYfgvx5My?%rIMce-oFJ`XTV`1z|~-;y<N$aU~w
zqMn|W-|gf1Xtvg=p<wCds-z4h^WnDK5}T5W^nYYb5}UN|USTIaatimU#@~NcgnO*Q
zbWW*<fj~k=!v&@UI`PfF_Prk{zzenwryuv^f_Lq>w53=N&-N!U0sv#CW(l9?#vKW`
zmJ{+YV)hWhLNzf}T&Iom-V96O1^e=_QC@U(4+SgB*Y}V@0P7QhBi>i@F=?1!>xjv_
za#+*D(Qu^=LI+j?%hd3=qzzUh4Ip}rD~0-y$D`M7Tk2_Fu=V7OMEe#78e`I96Npw0
zaphn&Cu;-64a@gr4sPWbS9>z&O~w31IxM&-rO~QX7Uv}+Z5cJ`9yz30X-haw`%4OJ
zEtsLS*m}(X=w084{6vE3SNb34GH7l?xABD6q!teK`YgUr>pznet@STmrTrn-I`8N$
zIJ>lWgAjvp5NrEV10yJh!tOA3Fvd^-gR^HEyA!XSHC3!bbeNz#>cXe_(~HmhYU8V$
z%WolU8&kb;P&2Zbydg_FRM^mghAbuwili}$-$1tKN)VM0CMt?IV|7E8>oKQD>0o<X
z?M_uWC`VKqKf!eLd<%x{6jH%42DK`5vfYneH3^b=9fqoDt=Eo=^&>S4>HK`u$Q3LD
zRL4zMyJQi!WUa&WgdT<{t^EiaVSIUH2A_}T0csTi3m*UgsyShWFG0Fr=o`DWg|(+p
z|MC5YH(|UJgFi*AyoKR=tZsN*orv$E76R}e4u8jZ3gh<P9AK$=dC@%xZgp5Una~=j
z^er8@giR>VO=$d4o{Xy^CQ#JPzr&hM_*EvW<C`nannBt`@-Zf~fHdI>ss8o}@R4y9
zkm;aF7K95%QTWPNAJy=(&<pFpR}Le>me&vu<UA(hqY`bN2)i<_|CqH8IXosi*_?1y
zF09##_D<>#2$G*Lfp+!QCr6Gh?-+u+{H%4Q<e9!AUXk#Pvm*&%EVw$5{Kem=d9X${
zgSA$>DkOo#{6WnukU)2Z+Qnf)0iaEFd?d#Aayz}@oF`b@|KCOaPu)dUjWx+{;xBN6
ze)?;B*-(#xw^}FehKompD-~?_XZG-bMf1-2hSY;S>?WOUuY+MWd*e^F941Aofs&R^
z4f5#Ow|0?02ItamHUG!!GqPz9nK5UQEwa_rKfMtaO53%M6eEiY2_-wOJ?PMRVF`$f
zNI^W8j>b+ZwN%c|?w&LLY!l`8W9C5pHWJ26NA_0Wc*E)v?xbxyHw<ex&>a=x!lx2<
zLxSio)~*iZ+>jq#QMyLuB!j&i+IbwMeI5jPsq;$Yvrs%z1AhCR6Y#ue_)+$k+`un8
z$&gg%?^Fm@h2Dy^EU*7#<@W0*&%E5{#n0nF3Vt`w?Zvky_W=F$vBZ;<KlJw217L=T
z*hZXl2sgiXkEuI!lO$et&aWlE>%Ytzca!JtY=gh|wfey5%zu~P#Jj@V@3TW--G!&8
z$3x+lOp;M<>oGsU=;3di&XR9PqG>~oJ==n8J6T6og`sHScpbKAo9RH+eQebvu5>??
z(#(sVabu=}m4MUg;G64z2dNf!b1-5Bl9fWu<F8#jJ+wL2$K&d{KREkRd%e+eP3@L1
zSp!)I>nw7Vr*GS)y87$`M~mNCKl?V`FZ|cBoWzKa7-f9Bf^ns!D!X-*3>dQa&>c8J
zlyJ$brh66SMn65FI#=LY$gR7E-MZ_K4E=oqF|A14*&$p|%Kb=<CJiuQ<w#M~aqCLm
zPmsD}X5kJ?FokcmS<*1QD!(b+c1%N`ZF3)7U(_SDUUL;Me%KupGwMQ8o)Px0Ep`5-
zy!@?=>(jVPEYUPbv;PZPQQ0<p?Bf~Ke*tIqOR)vPVj}+NVWQxa|7yt9IYOw+BAl{u
zV#Q0sJ9<gRWM7Ic{zWCc*x2z>*4_^39iH)t;VoW#CKsB^DIntl!6ax<<l7PyEX}Sz
zx49_4P}%sGoDwTK`vU}awf9?qI&1tS(r`j#NwQpuNzvBHQjMdJ{kQ2)7bA(bKUb(}
zZ$JT&flfzsPg3TU`YMG0QmXh010710Z4!M~Q$QBPw-zswb|IHPR9{zUW62MtmD^O?
zs||ajutU~6zsr+cG;7RZPttn<&R}3F5;ATb1#eZMDDL40YfW*UoB}F+jbIiQ_+TfR
znV)k;3vU!|HJZ%P6%<Jrq!YvYXjoUH3B2QN4CJltjlq7MmRqM5w-_ux%u-#l<+jU!
z<Vn7n&(iZ@Ik}}#fvuC~t!k&F%+TuQ=at%R_6wjn?g{i6Uypq!+5Xk8!TzZwGb7^!
zs%!{|^p|GY7KBVT`%mUEw~{UxCD=DEeXEn1i?^(G2rz~S#@QjIE~#lHY$p?tGLrU(
zBV-P-ghsMGw2!21(YqT<!OViYD+J#YUN}4n`*NQi1A<TB9AmZ;Mze}`xx_%m+s3R+
zU&dx>s)vTLS!-lVSDoN%%*r)mb*<l11XFyiIL^4qC4ZWa-8aok;GLHg<P~ZQv`olT
zKU5Ge%G_-JM59Q^w-ltPnHI+|l3A1&UD9Iz6|inK=Mv;6Mdg<&C)bxfAWvRkYwhzl
z&*1H|e(I<?SW|_hP5^8*S@O&u$A;KgF`{uSbcL@QeVEWaLeMHFnVCk_GBnO*yUzOH
zA1DdKpFMmk+oB;YfmynWbf+(CGHC3G>rq@ct3+KI_s*F#6v&0Zj)Fe+_WEIOR0xM2
zMxPXVWU~5J_s_jvysfghQ(u4K^lBT$?Z_3NxChi#EPk<)0ZgDq6z$yncl0tUQlia^
zzs4qy6}c^wNW}#Q1r@El*HYj!?Rx-Et$j9$>!6{&Q1ks|6^I;~lDYJYfnrp4A}h4u
z4+UC^L{A=#%CXJ8t~*1}da6`ar{_TjAimIMvH+kg;)}Y~rB{it<;8)GTSkThqj*nQ
z8Qph1D9wLB)YY!fJBr2Zdj~9eCx_;+b-8@O^qOAkC)I3^KjK<k`54gD=r*28d1+;W
z{!uVVg+fb0fFFCk&Z-o%=o*fY`4fNJLQ<o^*v8gmFe@9o4^<giSQfp?+x`)HbcXT7
zY>!HfoI><Mx<1jtlepbr3wWyg=)ozpYF=|Ia(W|eMJ@S}v$N0e>liRg22k&o@43S!
zh2?PlKlC-8Cw*ZX?>j&&Xw;|1-FU%?N0Oy+Ym#p7otbe#E1sc1Ra9jqkzX<E*oJ(F
znDt;2hE2jsOo!42c1-LV`y3i-N*i4=viRz04-aiY?jQs3Ej~MiKt!ZYhG07`c|jPx
z0O``7#JaS>9=_H0^cO=RN+tXN+=LI&X4cfrx>mL^&#R%P*(q7L!4zG|{Pkt8FdtLD
zBHDMbqJ2L*)H>nN5!S@U_AsZ*sV9KZZm8WQYKPygsUde5><G49(Cu35p}W8p2Yl{V
zFsPjLKze7zWg7Q$EF_5wax6CwXWBN=WKZ)c5WX3MN)k|xV50RvlRdt!mA19gml3Y1
zyb8XjLgWTg$;0jhpoqwU&B#x{&p^xwylT?WKZ0J}okEg%gpl&A^BUeIrB^b5?oXyt
zBMz_R_xG&6z>29*W?*KV{$#*Wcb5_Guro2bH)94ZY`h$?o@rs8l;<PDach?mX+}g~
z-_CQLAT*=iAGDHjCnD60!_rGnVfV*IP{Y2xezXyOf+d~-*<Bi~?bx-~hB!}c>wf4b
z?D<84uImFl8k23m)rBJP9DzGXk4k8y`e!Bkd-)B~b;6);xk+WU0$I@ZjkO)f_jp;f
z(7rfn$)QtsCiBI6l3R8YjPG>lfM}#GW3$gBcfB#z-*ST;5fonK!W-<V$p#Se;o=xQ
z(IC`M?nY(wyEE$rWb=X74lRU-2R)6R80OJ#07`&P4vyIohQFi<8t9<@X0;o2z6M;l
zNdl2sV3FB)$7J#E7jtHIHcmNAcCo>+<Q;pTv(qK3r{l`S{U*zG>gctzBlG)+&N(y>
z3j1G#rpX1H-N_a^<YU?pmdwsBIe1Iu>Q`r4JlPDos1n%EefA%RymU`duFWrB>BQom
zb*+2>FexL<{sSl7NS61>&WrlDuABX0Y&*LR)*J+AgrLDeZybA0JsmT@FOTo`S<Pi0
zc5~a}@`yqgU}~1dh)NpzTaatDE~_osrh3gn^IK@iOf6-$2|bb*3>`WnXf=f>+>wLc
z-%(p4gu{a$?CEx#Zt2b_$kf?^4EcG*473gab`~0vZ0)k+_oP~rSIulh3$Yag(YUOd
z>WTT1J=d*4kpU6iO=5H5Gm<}&v`Hta8zaU=mQ(QJfjb8yd)F}!_j{1q;Nbzs7gk_H
z-Ygc>TI`DRf}cK>_G~8&Z781_NyP*sRo5z<B4HN&#KnU+J|D!72c*_kv5$+$3EH2(
zq*Hd*tz86tBz|t`ex1zo3+avakyL36=5u%;9;pnwK_EL5j-&b5D{wq-yg5G<1r4QE
zEf)ErgwSJ+h23dfQ2gdOJAx7N1DLdpc4^M<eQwYP+AsQkZP9a(M%i-!F|`E6Yy{)2
z2!$kPPhuMs5FyfK)YuFA7?E!@C$h*0{iu;6A#D4c2@q})k->?>%vBsAxhW#oDl#6r
zuVvS+)8<KTfX1T#YO)(R@8?x}fu*W~a?@(5+A|)t>;qN*fjtC7IC{X5_RwFUb+o7c
zXGwW09#!U1q{jp{-eflS;l7g0zck33|9|5jp0l}SCLh`TkLt6l6#Va%mtTG9i+>MW
G`hNh}Y!vbU

literal 0
HcmV?d00001

diff --git a/example/system/amp/openamp/driver_core/sdkconfig b/example/system/amp/openamp/driver_core/sdkconfig
index 7424a2d7..589235d2 100644
--- a/example/system/amp/openamp/driver_core/sdkconfig
+++ b/example/system/amp/openamp/driver_core/sdkconfig
@@ -33,6 +33,15 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
 
+#
+# multi-core system deployment framework
+#
+CONFIG_USE_MSDF=y
+CONFIG_MSDF0=y
+# CONFIG_MSDF1 is not set
+CONFIG_MSDF_CORE_ID=2
+# end of multi-core system deployment framework
+
 CONFIG_MMU_PAGE_SIZE=0x1000
 CONFIG_MAX_XLAT_TABLES=256
 # end of Arch configuration
@@ -40,14 +49,16 @@ CONFIG_MAX_XLAT_TABLES=256
 #
 # Soc configuration
 #
-CONFIG_TARGET_PHYTIUMPI=y
-# CONFIG_TARGET_E2000Q is not set
+# CONFIG_TARGET_PHYTIUMPI is not set
+CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_E2000D is not set
 # CONFIG_TARGET_E2000S is not set
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
-CONFIG_SOC_NAME="phytiumpi"
+# CONFIG_TARGET_QEMU_VIRT is not set
+CONFIG_SOC_NAME="e2000"
+CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
 CONFIG_F32BIT_MEMORY_LENGTH=0x80000000
@@ -62,7 +73,7 @@ CONFIG_DEFAULT_DEBUG_PRINT_UART1=y
 #
 # Board Configuration
 #
-CONFIG_BOARD_NAME="firefly"
+CONFIG_BOARD_NAME="demo"
 # CONFIG_USE_SPI_IOPAD is not set
 # CONFIG_USE_GPIO_IOPAD is not set
 # CONFIG_USE_CAN_IOPAD is not set
@@ -72,7 +83,7 @@ CONFIG_BOARD_NAME="firefly"
 # CONFIG_USE_TACHO_IOPAD is not set
 # CONFIG_USE_UART_IOPAD is not set
 # CONFIG_USE_THIRD_PARTY_IOPAD is not set
-CONFIG_FIREFLY_DEMO_BOARD=y
+CONFIG_E2000Q_DEMO_BOARD=y
 
 #
 # IO mux configuration when board start up
@@ -92,9 +103,9 @@ CONFIG_TARGET_NAME="openamp_driver_core"
 # Sdk common configuration
 #
 CONFIG_ELOG_LINE_BUF_SIZE=0x100
-CONFIG_LOG_VERBOS=y
+# CONFIG_LOG_VERBOS is not set
 # CONFIG_LOG_DEBUG is not set
-# CONFIG_LOG_INFO is not set
+CONFIG_LOG_INFO=y
 # CONFIG_LOG_WARN is not set
 # CONFIG_LOG_ERROR is not set
 # CONFIG_LOG_NONE is not set
@@ -104,6 +115,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +306,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +316,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 CONFIG_USE_AMP=y
@@ -337,6 +352,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp/driver_core/sdkconfig.h b/example/system/amp/openamp/driver_core/sdkconfig.h
index f42d8a10..b84bdc5c 100644
--- a/example/system/amp/openamp/driver_core/sdkconfig.h
+++ b/example/system/amp/openamp/driver_core/sdkconfig.h
@@ -31,20 +31,30 @@
 /* CONFIG_BOOT_WITH_FLUSH_CACHE is not set */
 /* CONFIG_MMU_DEBUG_PRINTS is not set */
 /* end of Arm architecture configuration */
+
+/* multi-core system deployment framework */
+
+#define CONFIG_USE_MSDF
+#define CONFIG_MSDF0
+/* CONFIG_MSDF1 is not set */
+#define CONFIG_MSDF_CORE_ID 2
+/* end of multi-core system deployment framework */
 #define CONFIG_MMU_PAGE_SIZE 0x1000
 #define CONFIG_MAX_XLAT_TABLES 256
 /* end of Arch configuration */
 
 /* Soc configuration */
 
-#define CONFIG_TARGET_PHYTIUMPI
-/* CONFIG_TARGET_E2000Q is not set */
+/* CONFIG_TARGET_PHYTIUMPI is not set */
+#define CONFIG_TARGET_E2000Q
 /* CONFIG_TARGET_E2000D is not set */
 /* CONFIG_TARGET_E2000S is not set */
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
-#define CONFIG_SOC_NAME "phytiumpi"
+/* CONFIG_TARGET_QEMU_VIRT is not set */
+#define CONFIG_SOC_NAME "e2000"
+#define CONFIG_TARGET_TYPE_NAME "q"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
 #define CONFIG_F32BIT_MEMORY_LENGTH 0x80000000
@@ -58,7 +68,7 @@
 
 /* Board Configuration */
 
-#define CONFIG_BOARD_NAME "firefly"
+#define CONFIG_BOARD_NAME "demo"
 /* CONFIG_USE_SPI_IOPAD is not set */
 /* CONFIG_USE_GPIO_IOPAD is not set */
 /* CONFIG_USE_CAN_IOPAD is not set */
@@ -68,7 +78,7 @@
 /* CONFIG_USE_TACHO_IOPAD is not set */
 /* CONFIG_USE_UART_IOPAD is not set */
 /* CONFIG_USE_THIRD_PARTY_IOPAD is not set */
-#define CONFIG_FIREFLY_DEMO_BOARD
+#define CONFIG_E2000Q_DEMO_BOARD
 
 /* IO mux configuration when board start up */
 
@@ -84,9 +94,9 @@
 /* Sdk common configuration */
 
 #define CONFIG_ELOG_LINE_BUF_SIZE 0x100
-#define CONFIG_LOG_VERBOS
+/* CONFIG_LOG_VERBOS is not set */
 /* CONFIG_LOG_DEBUG is not set */
-/* CONFIG_LOG_INFO is not set */
+#define CONFIG_LOG_INFO
 /* CONFIG_LOG_WARN is not set */
 /* CONFIG_LOG_ERROR is not set */
 /* CONFIG_LOG_NONE is not set */
@@ -96,6 +106,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +271,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +280,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 #define CONFIG_USE_AMP
 #define CONFIG_USE_LIBMETAL
@@ -298,6 +312,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/system/amp/openamp_for_linux/configs/d2000_aarch32_test_openamp_for_linux.config b/example/system/amp/openamp_for_linux/configs/d2000_aarch32_test_openamp_for_linux.config
index 728eb581..e002ca12 100644
--- a/example/system/amp/openamp_for_linux/configs/d2000_aarch32_test_openamp_for_linux.config
+++ b/example/system/amp/openamp_for_linux/configs/d2000_aarch32_test_openamp_for_linux.config
@@ -49,6 +49,7 @@ CONFIG_ARM_MFLOAT_ABI="hard"
 # end of Compiler configuration
 
 CONFIG_USE_L3CACHE=y
+# CONFIG_DISABLE_L3CACHE is not set
 CONFIG_USE_AARCH64_L1_TO_AARCH32=y
 # end of Arm architecture configuration
 
@@ -66,6 +67,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +112,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 CONFIG_USE_AMP=y
@@ -348,6 +354,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp_for_linux/configs/d2000_aarch64_test_openamp_for_linux.config b/example/system/amp/openamp_for_linux/configs/d2000_aarch64_test_openamp_for_linux.config
index 6d35a91a..c3616af0 100644
--- a/example/system/amp/openamp_for_linux/configs/d2000_aarch64_test_openamp_for_linux.config
+++ b/example/system/amp/openamp_for_linux/configs/d2000_aarch64_test_openamp_for_linux.config
@@ -42,6 +42,7 @@ CONFIG_GCC_CODE_MODEL_SMALL=y
 # end of Compiler configuration
 
 CONFIG_USE_L3CACHE=y
+# CONFIG_DISABLE_L3CACHE is not set
 CONFIG_BOOT_WITH_FLUSH_CACHE=y
 # CONFIG_MMU_DEBUG_PRINTS is not set
 # end of Arm architecture configuration
@@ -60,6 +61,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +106,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 CONFIG_USE_AMP=y
@@ -337,6 +343,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp_for_linux/configs/e2000d_aarch32_demo_openamp_for_linux.config b/example/system/amp/openamp_for_linux/configs/e2000d_aarch32_demo_openamp_for_linux.config
index 76ddadfe..00896c35 100644
--- a/example/system/amp/openamp_for_linux/configs/e2000d_aarch32_demo_openamp_for_linux.config
+++ b/example/system/amp/openamp_for_linux/configs/e2000d_aarch32_demo_openamp_for_linux.config
@@ -65,6 +65,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -123,6 +124,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -318,6 +320,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -351,6 +354,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp_for_linux/configs/e2000d_aarch64_demo_openamp_for_linux.config b/example/system/amp/openamp_for_linux/configs/e2000d_aarch64_demo_openamp_for_linux.config
index 7e36a4fd..9cc5ab63 100644
--- a/example/system/amp/openamp_for_linux/configs/e2000d_aarch64_demo_openamp_for_linux.config
+++ b/example/system/amp/openamp_for_linux/configs/e2000d_aarch64_demo_openamp_for_linux.config
@@ -59,6 +59,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -117,6 +118,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -340,6 +343,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp_for_linux/configs/e2000q_aarch32_demo_openamp_for_linux.config b/example/system/amp/openamp_for_linux/configs/e2000q_aarch32_demo_openamp_for_linux.config
index 74a3be1e..0a8894e4 100644
--- a/example/system/amp/openamp_for_linux/configs/e2000q_aarch32_demo_openamp_for_linux.config
+++ b/example/system/amp/openamp_for_linux/configs/e2000q_aarch32_demo_openamp_for_linux.config
@@ -65,6 +65,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -122,6 +123,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -317,6 +319,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -350,6 +353,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp_for_linux/configs/e2000q_aarch64_demo_openamp_for_linux.config b/example/system/amp/openamp_for_linux/configs/e2000q_aarch64_demo_openamp_for_linux.config
index fc3a1cd4..f3189862 100644
--- a/example/system/amp/openamp_for_linux/configs/e2000q_aarch64_demo_openamp_for_linux.config
+++ b/example/system/amp/openamp_for_linux/configs/e2000q_aarch64_demo_openamp_for_linux.config
@@ -59,6 +59,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -116,6 +117,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -339,6 +342,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp_for_linux/configs/phytiumpi_aarch32_firefly_openamp_for_linux.config b/example/system/amp/openamp_for_linux/configs/phytiumpi_aarch32_firefly_openamp_for_linux.config
index b313b29b..bf455e36 100644
--- a/example/system/amp/openamp_for_linux/configs/phytiumpi_aarch32_firefly_openamp_for_linux.config
+++ b/example/system/amp/openamp_for_linux/configs/phytiumpi_aarch32_firefly_openamp_for_linux.config
@@ -65,6 +65,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -121,6 +122,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -316,6 +318,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -349,6 +352,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp_for_linux/configs/phytiumpi_aarch64_firefly_openamp_for_linux.config b/example/system/amp/openamp_for_linux/configs/phytiumpi_aarch64_firefly_openamp_for_linux.config
index c0a9827f..0179b718 100644
--- a/example/system/amp/openamp_for_linux/configs/phytiumpi_aarch64_firefly_openamp_for_linux.config
+++ b/example/system/amp/openamp_for_linux/configs/phytiumpi_aarch64_firefly_openamp_for_linux.config
@@ -59,6 +59,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -115,6 +116,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -338,6 +341,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp_for_linux/sdkconfig b/example/system/amp/openamp_for_linux/sdkconfig
index c0a9827f..0179b718 100644
--- a/example/system/amp/openamp_for_linux/sdkconfig
+++ b/example/system/amp/openamp_for_linux/sdkconfig
@@ -59,6 +59,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -115,6 +116,7 @@ CONFIG_LOG_DISPALY_CORE_NUM=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 # CONFIG_INTERRUPT_ROLE_MASTER is not set
 CONFIG_INTERRUPT_ROLE_SLAVE=y
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 # CONFIG_USE_LETTER_SHELL is not set
 CONFIG_USE_AMP=y
 CONFIG_USE_LIBMETAL=y
@@ -338,6 +341,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/amp/openamp_for_linux/sdkconfig.h b/example/system/amp/openamp_for_linux/sdkconfig.h
index 920019b6..ac218029 100644
--- a/example/system/amp/openamp_for_linux/sdkconfig.h
+++ b/example/system/amp/openamp_for_linux/sdkconfig.h
@@ -51,6 +51,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -102,6 +103,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 /* CONFIG_INTERRUPT_ROLE_MASTER is not set */
 #define CONFIG_INTERRUPT_ROLE_SLAVE
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -266,6 +268,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 /* CONFIG_USE_LETTER_SHELL is not set */
 #define CONFIG_USE_AMP
 #define CONFIG_USE_LIBMETAL
@@ -296,6 +299,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/system/atomic/configs/d2000_aarch32_test_atomic.config b/example/system/atomic/configs/d2000_aarch32_test_atomic.config
index b332984c..e5abdf96 100644
--- a/example/system/atomic/configs/d2000_aarch32_test_atomic.config
+++ b/example/system/atomic/configs/d2000_aarch32_test_atomic.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/atomic/configs/d2000_aarch64_test_atomic.config b/example/system/atomic/configs/d2000_aarch64_test_atomic.config
index ef039282..dfb2140b 100644
--- a/example/system/atomic/configs/d2000_aarch64_test_atomic.config
+++ b/example/system/atomic/configs/d2000_aarch64_test_atomic.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/atomic/configs/e2000d_aarch32_demo_atomic.config b/example/system/atomic/configs/e2000d_aarch32_demo_atomic.config
index 91add3d9..5aef7fcd 100644
--- a/example/system/atomic/configs/e2000d_aarch32_demo_atomic.config
+++ b/example/system/atomic/configs/e2000d_aarch32_demo_atomic.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/atomic/configs/e2000d_aarch64_demo_atomic.config b/example/system/atomic/configs/e2000d_aarch64_demo_atomic.config
index 47fa205c..ffe9085a 100644
--- a/example/system/atomic/configs/e2000d_aarch64_demo_atomic.config
+++ b/example/system/atomic/configs/e2000d_aarch64_demo_atomic.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/atomic/configs/e2000q_aarch32_demo_atomic.config b/example/system/atomic/configs/e2000q_aarch32_demo_atomic.config
index 5b178f15..ae8bd5ef 100644
--- a/example/system/atomic/configs/e2000q_aarch32_demo_atomic.config
+++ b/example/system/atomic/configs/e2000q_aarch32_demo_atomic.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/atomic/configs/e2000q_aarch64_demo_atomic.config b/example/system/atomic/configs/e2000q_aarch64_demo_atomic.config
index 20e15e13..73d87cdc 100644
--- a/example/system/atomic/configs/e2000q_aarch64_demo_atomic.config
+++ b/example/system/atomic/configs/e2000q_aarch64_demo_atomic.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/atomic/configs/ft2004_aarch32_dsk_atomic.config b/example/system/atomic/configs/ft2004_aarch32_dsk_atomic.config
index 7ab3be54..ba6f80c5 100644
--- a/example/system/atomic/configs/ft2004_aarch32_dsk_atomic.config
+++ b/example/system/atomic/configs/ft2004_aarch32_dsk_atomic.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/atomic/configs/ft2004_aarch64_dsk_atomic.config b/example/system/atomic/configs/ft2004_aarch64_dsk_atomic.config
index 90313de4..c8b84730 100644
--- a/example/system/atomic/configs/ft2004_aarch64_dsk_atomic.config
+++ b/example/system/atomic/configs/ft2004_aarch64_dsk_atomic.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/atomic/configs/phytiumpi_aarch32_firefly_atomic.config b/example/system/atomic/configs/phytiumpi_aarch32_firefly_atomic.config
index 4699d7e3..f27e930a 100644
--- a/example/system/atomic/configs/phytiumpi_aarch32_firefly_atomic.config
+++ b/example/system/atomic/configs/phytiumpi_aarch32_firefly_atomic.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -336,6 +341,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/atomic/configs/phytiumpi_aarch64_firefly_atomic.config b/example/system/atomic/configs/phytiumpi_aarch64_firefly_atomic.config
index 3a8bb2a0..a02ed21b 100644
--- a/example/system/atomic/configs/phytiumpi_aarch64_firefly_atomic.config
+++ b/example/system/atomic/configs/phytiumpi_aarch64_firefly_atomic.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/atomic/sdkconfig b/example/system/atomic/sdkconfig
index 3a8bb2a0..a02ed21b 100644
--- a/example/system/atomic/sdkconfig
+++ b/example/system/atomic/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/atomic/sdkconfig.h b/example/system/atomic/sdkconfig.h
index 055a9d68..155847e0 100644
--- a/example/system/atomic/sdkconfig.h
+++ b/example/system/atomic/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -288,6 +293,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/system/exception_debug/configs/d2000_aarch32_test_exception.config b/example/system/exception_debug/configs/d2000_aarch32_test_exception.config
index 08fbfb18..324299b3 100644
--- a/example/system/exception_debug/configs/d2000_aarch32_test_exception.config
+++ b/example/system/exception_debug/configs/d2000_aarch32_test_exception.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/exception_debug/configs/d2000_aarch64_test_exception.config b/example/system/exception_debug/configs/d2000_aarch64_test_exception.config
index 05fb1021..1e8f8247 100644
--- a/example/system/exception_debug/configs/d2000_aarch64_test_exception.config
+++ b/example/system/exception_debug/configs/d2000_aarch64_test_exception.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/exception_debug/configs/e2000d_aarch32_demo_exception.config b/example/system/exception_debug/configs/e2000d_aarch32_demo_exception.config
index 7d9a4840..8a0cb558 100644
--- a/example/system/exception_debug/configs/e2000d_aarch32_demo_exception.config
+++ b/example/system/exception_debug/configs/e2000d_aarch32_demo_exception.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/exception_debug/configs/e2000d_aarch64_demo_exception.config b/example/system/exception_debug/configs/e2000d_aarch64_demo_exception.config
index 698b25cd..da1acd09 100644
--- a/example/system/exception_debug/configs/e2000d_aarch64_demo_exception.config
+++ b/example/system/exception_debug/configs/e2000d_aarch64_demo_exception.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/exception_debug/configs/e2000q_aarch32_demo_exception.config b/example/system/exception_debug/configs/e2000q_aarch32_demo_exception.config
index 4287be33..a9e60822 100644
--- a/example/system/exception_debug/configs/e2000q_aarch32_demo_exception.config
+++ b/example/system/exception_debug/configs/e2000q_aarch32_demo_exception.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/exception_debug/configs/e2000q_aarch64_demo_exception.config b/example/system/exception_debug/configs/e2000q_aarch64_demo_exception.config
index 8c39c708..a3324391 100644
--- a/example/system/exception_debug/configs/e2000q_aarch64_demo_exception.config
+++ b/example/system/exception_debug/configs/e2000q_aarch64_demo_exception.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/exception_debug/configs/ft2004_aarch32_dsk_exception.config b/example/system/exception_debug/configs/ft2004_aarch32_dsk_exception.config
index a7b2027e..dce07ce0 100644
--- a/example/system/exception_debug/configs/ft2004_aarch32_dsk_exception.config
+++ b/example/system/exception_debug/configs/ft2004_aarch32_dsk_exception.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/exception_debug/configs/ft2004_aarch64_dsk_exception.config b/example/system/exception_debug/configs/ft2004_aarch64_dsk_exception.config
index 5cd69a2c..61c89fe1 100644
--- a/example/system/exception_debug/configs/ft2004_aarch64_dsk_exception.config
+++ b/example/system/exception_debug/configs/ft2004_aarch64_dsk_exception.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/exception_debug/configs/phytiumpi_aarch32_firefly_exception.config b/example/system/exception_debug/configs/phytiumpi_aarch32_firefly_exception.config
index 29d26718..1a802516 100644
--- a/example/system/exception_debug/configs/phytiumpi_aarch32_firefly_exception.config
+++ b/example/system/exception_debug/configs/phytiumpi_aarch32_firefly_exception.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -336,6 +341,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/exception_debug/configs/phytiumpi_aarch64_firefly_exception.config b/example/system/exception_debug/configs/phytiumpi_aarch64_firefly_exception.config
index fec85a7d..7e53da0b 100644
--- a/example/system/exception_debug/configs/phytiumpi_aarch64_firefly_exception.config
+++ b/example/system/exception_debug/configs/phytiumpi_aarch64_firefly_exception.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/exception_debug/main.c b/example/system/exception_debug/main.c
index ddea33a7..7c0af23f 100644
--- a/example/system/exception_debug/main.c
+++ b/example/system/exception_debug/main.c
@@ -26,21 +26,23 @@
 #include "FreeRTOS.h"
 #include "task.h"
 #include "ftypes.h"
+#include "sdkconfig.h"
+#ifdef CONFIG_USE_LETTER_SHELL
 #include "shell.h"
 #include "shell_port.h"
-#include "sdkconfig.h"
+#endif
 
 int main()
 {
     printf("Exception debug func, FT Date: %s, Time: %s\n", __DATE__, __TIME__);
     BaseType_t xReturn = pdPASS;
-
+#ifdef CONFIG_USE_LETTER_SHELL
     xReturn = LSUserShellTask();
     if (xReturn != pdPASS)
     {
         goto FAIL_EXIT;
     }
-
+#endif
     vTaskStartScheduler(); /* 启动任务，开启调度 */
 
     while (1); /* 正常不会执行到这里 */
diff --git a/example/system/exception_debug/sdkconfig b/example/system/exception_debug/sdkconfig
index fec85a7d..7e53da0b 100644
--- a/example/system/exception_debug/sdkconfig
+++ b/example/system/exception_debug/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/exception_debug/sdkconfig.h b/example/system/exception_debug/sdkconfig.h
index bbdb95a3..4a414252 100644
--- a/example/system/exception_debug/sdkconfig.h
+++ b/example/system/exception_debug/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -288,6 +293,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/system/exception_debug/src/exception_test.c b/example/system/exception_debug/src/exception_test.c
index e0924605..dfd01725 100644
--- a/example/system/exception_debug/src/exception_test.c
+++ b/example/system/exception_debug/src/exception_test.c
@@ -26,8 +26,6 @@
 #include "FreeRTOS.h"
 #include "task.h"
 #include "ftypes.h"
-#include "shell.h"
-#include "shell_port.h"
 #include "fmmu.h"
 #include "fio.h"
 #include "fkernel.h"
diff --git a/example/system/nested_interrupt/configs/d2000_aarch32_test_nested_interrupt.config b/example/system/nested_interrupt/configs/d2000_aarch32_test_nested_interrupt.config
index 8e74d092..370ae368 100644
--- a/example/system/nested_interrupt/configs/d2000_aarch32_test_nested_interrupt.config
+++ b/example/system/nested_interrupt/configs/d2000_aarch32_test_nested_interrupt.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=12
diff --git a/example/system/nested_interrupt/configs/d2000_aarch64_test_nested_interrupt.config b/example/system/nested_interrupt/configs/d2000_aarch64_test_nested_interrupt.config
index 7d2ebfd4..50f7a731 100644
--- a/example/system/nested_interrupt/configs/d2000_aarch64_test_nested_interrupt.config
+++ b/example/system/nested_interrupt/configs/d2000_aarch64_test_nested_interrupt.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=12
diff --git a/example/system/nested_interrupt/configs/e2000d_aarch32_demo_nested_interrupt.config b/example/system/nested_interrupt/configs/e2000d_aarch32_demo_nested_interrupt.config
index 0d9c870f..7c406ffb 100644
--- a/example/system/nested_interrupt/configs/e2000d_aarch32_demo_nested_interrupt.config
+++ b/example/system/nested_interrupt/configs/e2000d_aarch32_demo_nested_interrupt.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=12
diff --git a/example/system/nested_interrupt/configs/e2000d_aarch64_demo_nested_interrupt.config b/example/system/nested_interrupt/configs/e2000d_aarch64_demo_nested_interrupt.config
index 842ea2d3..df091e98 100644
--- a/example/system/nested_interrupt/configs/e2000d_aarch64_demo_nested_interrupt.config
+++ b/example/system/nested_interrupt/configs/e2000d_aarch64_demo_nested_interrupt.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=12
diff --git a/example/system/nested_interrupt/configs/e2000q_aarch32_demo_nested_interrupt.config b/example/system/nested_interrupt/configs/e2000q_aarch32_demo_nested_interrupt.config
index d29de091..8945e2b5 100644
--- a/example/system/nested_interrupt/configs/e2000q_aarch32_demo_nested_interrupt.config
+++ b/example/system/nested_interrupt/configs/e2000q_aarch32_demo_nested_interrupt.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=12
diff --git a/example/system/nested_interrupt/configs/e2000q_aarch64_demo_nested_interrupt.config b/example/system/nested_interrupt/configs/e2000q_aarch64_demo_nested_interrupt.config
index aae5a4c3..c3e686f2 100644
--- a/example/system/nested_interrupt/configs/e2000q_aarch64_demo_nested_interrupt.config
+++ b/example/system/nested_interrupt/configs/e2000q_aarch64_demo_nested_interrupt.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=12
diff --git a/example/system/nested_interrupt/configs/ft2004_aarch32_dsk_nested_interrupt.config b/example/system/nested_interrupt/configs/ft2004_aarch32_dsk_nested_interrupt.config
index 13b42c87..7344a3bd 100644
--- a/example/system/nested_interrupt/configs/ft2004_aarch32_dsk_nested_interrupt.config
+++ b/example/system/nested_interrupt/configs/ft2004_aarch32_dsk_nested_interrupt.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=12
diff --git a/example/system/nested_interrupt/configs/ft2004_aarch64_dsk_nested_interrupt.config b/example/system/nested_interrupt/configs/ft2004_aarch64_dsk_nested_interrupt.config
index 9cbc14ae..04aaa46c 100644
--- a/example/system/nested_interrupt/configs/ft2004_aarch64_dsk_nested_interrupt.config
+++ b/example/system/nested_interrupt/configs/ft2004_aarch64_dsk_nested_interrupt.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=12
diff --git a/example/system/nested_interrupt/configs/phytiumpi_aarch32_firefly_nested_interrupt.config b/example/system/nested_interrupt/configs/phytiumpi_aarch32_firefly_nested_interrupt.config
index 3bb78fa2..74883e5c 100644
--- a/example/system/nested_interrupt/configs/phytiumpi_aarch32_firefly_nested_interrupt.config
+++ b/example/system/nested_interrupt/configs/phytiumpi_aarch32_firefly_nested_interrupt.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -336,6 +341,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=12
diff --git a/example/system/nested_interrupt/configs/phytiumpi_aarch64_firefly_nested_interrupt.config b/example/system/nested_interrupt/configs/phytiumpi_aarch64_firefly_nested_interrupt.config
index 122b2756..ba0286c9 100644
--- a/example/system/nested_interrupt/configs/phytiumpi_aarch64_firefly_nested_interrupt.config
+++ b/example/system/nested_interrupt/configs/phytiumpi_aarch64_firefly_nested_interrupt.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=12
diff --git a/example/system/nested_interrupt/sdkconfig b/example/system/nested_interrupt/sdkconfig
index 122b2756..ba0286c9 100644
--- a/example/system/nested_interrupt/sdkconfig
+++ b/example/system/nested_interrupt/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_INFO=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_BACKTRACE=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=12
diff --git a/example/system/nested_interrupt/sdkconfig.h b/example/system/nested_interrupt/sdkconfig.h
index be79bfc6..a329beef 100644
--- a/example/system/nested_interrupt/sdkconfig.h
+++ b/example/system/nested_interrupt/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -288,6 +293,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 12
diff --git a/example/system/posix/configs/d2000_aarch32_test_posix.config b/example/system/posix/configs/d2000_aarch32_test_posix.config
index 5dc3b9af..5cc92888 100644
--- a/example/system/posix/configs/d2000_aarch32_test_posix.config
+++ b/example/system/posix/configs/d2000_aarch32_test_posix.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/posix/configs/d2000_aarch64_test_posix.config b/example/system/posix/configs/d2000_aarch64_test_posix.config
index b435d242..755eb1a3 100644
--- a/example/system/posix/configs/d2000_aarch64_test_posix.config
+++ b/example/system/posix/configs/d2000_aarch64_test_posix.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/posix/configs/e2000d_aarch32_demo_posix.config b/example/system/posix/configs/e2000d_aarch32_demo_posix.config
index 2bf97f67..275d34b5 100644
--- a/example/system/posix/configs/e2000d_aarch32_demo_posix.config
+++ b/example/system/posix/configs/e2000d_aarch32_demo_posix.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/posix/configs/e2000d_aarch64_demo_posix.config b/example/system/posix/configs/e2000d_aarch64_demo_posix.config
index 202e764c..5acd32cb 100644
--- a/example/system/posix/configs/e2000d_aarch64_demo_posix.config
+++ b/example/system/posix/configs/e2000d_aarch64_demo_posix.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/posix/configs/e2000q_aarch32_demo_posix.config b/example/system/posix/configs/e2000q_aarch32_demo_posix.config
index 89873c71..1f67e751 100644
--- a/example/system/posix/configs/e2000q_aarch32_demo_posix.config
+++ b/example/system/posix/configs/e2000q_aarch32_demo_posix.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/posix/configs/e2000q_aarch64_demo_posix.config b/example/system/posix/configs/e2000q_aarch64_demo_posix.config
index 975b13fe..0a25eb6a 100644
--- a/example/system/posix/configs/e2000q_aarch64_demo_posix.config
+++ b/example/system/posix/configs/e2000q_aarch64_demo_posix.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/posix/configs/ft2004_aarch32_dsk_posix.config b/example/system/posix/configs/ft2004_aarch32_dsk_posix.config
index df473e0a..314a17ef 100644
--- a/example/system/posix/configs/ft2004_aarch32_dsk_posix.config
+++ b/example/system/posix/configs/ft2004_aarch32_dsk_posix.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/posix/configs/ft2004_aarch64_dsk_posix.config b/example/system/posix/configs/ft2004_aarch64_dsk_posix.config
index 1617e7b4..07a0765e 100644
--- a/example/system/posix/configs/ft2004_aarch64_dsk_posix.config
+++ b/example/system/posix/configs/ft2004_aarch64_dsk_posix.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/posix/configs/phytiumpi_aarch32_firefly_posix.config b/example/system/posix/configs/phytiumpi_aarch32_firefly_posix.config
index 1ca1fe1b..d97b691c 100644
--- a/example/system/posix/configs/phytiumpi_aarch32_firefly_posix.config
+++ b/example/system/posix/configs/phytiumpi_aarch32_firefly_posix.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -336,6 +341,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/posix/configs/phytiumpi_aarch64_firefly_posix.config b/example/system/posix/configs/phytiumpi_aarch64_firefly_posix.config
index 991065f0..66ff1d4e 100644
--- a/example/system/posix/configs/phytiumpi_aarch64_firefly_posix.config
+++ b/example/system/posix/configs/phytiumpi_aarch64_firefly_posix.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/posix/sdkconfig b/example/system/posix/sdkconfig
index 991065f0..66ff1d4e 100644
--- a/example/system/posix/sdkconfig
+++ b/example/system/posix/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/system/posix/sdkconfig.h b/example/system/posix/sdkconfig.h
index 7e83fee2..937b2796 100644
--- a/example/system/posix/sdkconfig.h
+++ b/example/system/posix/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -288,6 +293,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/example/template/configs/d2000_aarch32_test_eg.config b/example/template/configs/d2000_aarch32_test_eg.config
index 4c5ef7a9..87a407ff 100644
--- a/example/template/configs/d2000_aarch32_test_eg.config
+++ b/example/template/configs/d2000_aarch32_test_eg.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/template/configs/d2000_aarch64_test_eg.config b/example/template/configs/d2000_aarch64_test_eg.config
index 05404329..3cf1014e 100644
--- a/example/template/configs/d2000_aarch64_test_eg.config
+++ b/example/template/configs/d2000_aarch64_test_eg.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 # CONFIG_TARGET_FT2004 is not set
 CONFIG_TARGET_D2000=y
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="d2000"
 CONFIG_SOC_CORE_NUM=8
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/template/configs/e2000d_aarch32_demo_eg.config b/example/template/configs/e2000d_aarch32_demo_eg.config
index 70831ce9..fd0eab4d 100644
--- a/example/template/configs/e2000d_aarch32_demo_eg.config
+++ b/example/template/configs/e2000d_aarch32_demo_eg.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -112,6 +113,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -307,6 +309,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -316,6 +319,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -338,6 +343,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/template/configs/e2000d_aarch64_demo_eg.config b/example/template/configs/e2000d_aarch64_demo_eg.config
index c6b3a233..8d9cd967 100644
--- a/example/template/configs/e2000d_aarch64_demo_eg.config
+++ b/example/template/configs/e2000d_aarch64_demo_eg.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000D=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="d"
 CONFIG_SOC_CORE_NUM=2
@@ -106,6 +107,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -296,6 +298,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -305,6 +308,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -327,6 +332,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/template/configs/e2000q_aarch32_demo_eg.config b/example/template/configs/e2000q_aarch32_demo_eg.config
index b42aeeed..e24dfce4 100644
--- a/example/template/configs/e2000q_aarch32_demo_eg.config
+++ b/example/template/configs/e2000q_aarch32_demo_eg.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -111,6 +112,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -306,6 +308,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -315,6 +318,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -337,6 +342,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/template/configs/e2000q_aarch64_demo_eg.config b/example/template/configs/e2000q_aarch64_demo_eg.config
index 96bcba6e..08c2e997 100644
--- a/example/template/configs/e2000q_aarch64_demo_eg.config
+++ b/example/template/configs/e2000q_aarch64_demo_eg.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_E2000Q=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="e2000"
 CONFIG_TARGET_TYPE_NAME="q"
 CONFIG_SOC_CORE_NUM=4
@@ -105,6 +106,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -295,6 +297,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -304,6 +307,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -326,6 +331,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/template/configs/ft2004_aarch32_dsk_eg.config b/example/template/configs/ft2004_aarch32_dsk_eg.config
index e57bf0a3..5beaaa18 100644
--- a/example/template/configs/ft2004_aarch32_dsk_eg.config
+++ b/example/template/configs/ft2004_aarch32_dsk_eg.config
@@ -54,6 +54,7 @@ CONFIG_FMMU_NUM_L2_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -99,6 +100,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/template/configs/ft2004_aarch64_dsk_eg.config b/example/template/configs/ft2004_aarch64_dsk_eg.config
index b86d6286..1efdb7f1 100644
--- a/example/template/configs/ft2004_aarch64_dsk_eg.config
+++ b/example/template/configs/ft2004_aarch64_dsk_eg.config
@@ -48,6 +48,7 @@ CONFIG_MAX_XLAT_TABLES=256
 CONFIG_TARGET_FT2004=y
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="ft2004"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -93,6 +94,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -283,6 +285,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -292,6 +295,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -314,6 +319,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/template/configs/phytiumpi_aarch32_firefly_eg.config b/example/template/configs/phytiumpi_aarch32_firefly_eg.config
index f8ccbfb9..62b34a3c 100644
--- a/example/template/configs/phytiumpi_aarch32_firefly_eg.config
+++ b/example/template/configs/phytiumpi_aarch32_firefly_eg.config
@@ -53,6 +53,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -110,6 +111,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -305,6 +307,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -314,6 +317,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -336,6 +341,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/template/configs/phytiumpi_aarch64_firefly_eg.config b/example/template/configs/phytiumpi_aarch64_firefly_eg.config
index 0cc866a6..91b20200 100644
--- a/example/template/configs/phytiumpi_aarch64_firefly_eg.config
+++ b/example/template/configs/phytiumpi_aarch64_firefly_eg.config
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/template/sdkconfig b/example/template/sdkconfig
index 0cc866a6..91b20200 100644
--- a/example/template/sdkconfig
+++ b/example/template/sdkconfig
@@ -47,6 +47,7 @@ CONFIG_TARGET_PHYTIUMPI=y
 # CONFIG_TARGET_FT2004 is not set
 # CONFIG_TARGET_D2000 is not set
 # CONFIG_TARGET_PD2308 is not set
+# CONFIG_TARGET_QEMU_VIRT is not set
 CONFIG_SOC_NAME="phytiumpi"
 CONFIG_SOC_CORE_NUM=4
 CONFIG_F32BIT_MEMORY_ADDRESS=0x80000000
@@ -104,6 +105,7 @@ CONFIG_LOG_ERROR=y
 CONFIG_USE_DEFAULT_INTERRUPT_CONFIG=y
 CONFIG_INTERRUPT_ROLE_MASTER=y
 # CONFIG_INTERRUPT_ROLE_SLAVE is not set
+# CONFIG_INTERRUPT_ROLE_NONE is not set
 # end of Sdk common configuration
 
 #
@@ -294,6 +296,7 @@ CONFIG_FREERTOS_USE_UART=y
 # Third-party configuration
 #
 # CONFIG_USE_LWIP is not set
+# CONFIG_USE_MBEDTLS is not set
 CONFIG_USE_LETTER_SHELL=y
 
 #
@@ -303,6 +306,8 @@ CONFIG_LS_PL011_UART=y
 CONFIG_DEFAULT_LETTER_SHELL_USE_UART1=y
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set
 # CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set
+CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE=y
+# CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set
 # end of Letter Shell Configuration
 
 # CONFIG_USE_AMP is not set
@@ -325,6 +330,8 @@ CONFIG_USE_TLSF=y
 #
 CONFIG_FREERTOS_OPTIMIZED_SCHEDULER=y
 CONFIG_FREERTOS_HZ=1000
+CONFIG_NON_SECURE_PHYSICAL_TIMER=y
+# CONFIG_NON_SECURE_VIRTUAL_TIMER is not set
 CONFIG_FREERTOS_MAX_PRIORITIES=32
 CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES=13
 CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES=11
diff --git a/example/template/sdkconfig.h b/example/template/sdkconfig.h
index a23c6172..92fcfd5d 100644
--- a/example/template/sdkconfig.h
+++ b/example/template/sdkconfig.h
@@ -44,6 +44,7 @@
 /* CONFIG_TARGET_FT2004 is not set */
 /* CONFIG_TARGET_D2000 is not set */
 /* CONFIG_TARGET_PD2308 is not set */
+/* CONFIG_TARGET_QEMU_VIRT is not set */
 #define CONFIG_SOC_NAME "phytiumpi"
 #define CONFIG_SOC_CORE_NUM 4
 #define CONFIG_F32BIT_MEMORY_ADDRESS 0x80000000
@@ -96,6 +97,7 @@
 #define CONFIG_USE_DEFAULT_INTERRUPT_CONFIG
 #define CONFIG_INTERRUPT_ROLE_MASTER
 /* CONFIG_INTERRUPT_ROLE_SLAVE is not set */
+/* CONFIG_INTERRUPT_ROLE_NONE is not set */
 /* end of Sdk common configuration */
 
 /* Drivers configuration */
@@ -260,6 +262,7 @@
 /* Third-party configuration */
 
 /* CONFIG_USE_LWIP is not set */
+/* CONFIG_USE_MBEDTLS is not set */
 #define CONFIG_USE_LETTER_SHELL
 
 /* Letter Shell Configuration */
@@ -268,6 +271,8 @@
 #define CONFIG_DEFAULT_LETTER_SHELL_USE_UART1
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART0 is not set */
 /* CONFIG_DEFAULT_LETTER_SHELL_USE_UART2 is not set */
+#define CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
+/* CONFIG_LETTER_SHELL_UART_POLLED_MODE is not set */
 /* end of Letter Shell Configuration */
 /* CONFIG_USE_AMP is not set */
 /* CONFIG_USE_YMODEM is not set */
@@ -288,6 +293,8 @@
 
 #define CONFIG_FREERTOS_OPTIMIZED_SCHEDULER
 #define CONFIG_FREERTOS_HZ 1000
+#define CONFIG_NON_SECURE_PHYSICAL_TIMER
+/* CONFIG_NON_SECURE_VIRTUAL_TIMER is not set */
 #define CONFIG_FREERTOS_MAX_PRIORITIES 32
 #define CONFIG_FREERTOS_KERNEL_INTERRUPT_PRIORITIES 13
 #define CONFIG_FREERTOS_MAX_API_CALL_INTERRUPT_PRIORITIES 11
diff --git a/install.py b/install.py
index ecbbfed7..d54482f6 100755
--- a/install.py
+++ b/install.py
@@ -36,7 +36,7 @@ freertos_sdk_path = install_path
 print("Standalone SDK at {}".format(freertos_sdk_path))
 
 # Add standalone sdk
-standalone_sdk_v="c38dcff60bf78f1612429c3d80c3e1bc962dd462"
+standalone_sdk_v="78f82a7628b393e58cd7b9b77112d08fc75b4f9b"
 if (install_platform == windows_x64):
     standalone_path=freertos_sdk_path  + '\\standalone'
 else:
diff --git a/third-party/freertos/freertos.kconfig b/third-party/freertos/freertos.kconfig
index 3ce031c9..f983bd84 100644
--- a/third-party/freertos/freertos.kconfig
+++ b/third-party/freertos/freertos.kconfig
@@ -15,7 +15,22 @@ menu "FreeRTOS Kernel Configuration"
         default 1000
         help
             Select the tick rate at which FreeRTOS does pre-emptive context switching.
-    
+
+    choice
+        prompt "Freertos tick interrupt source"
+        default NON_SECURE_PHYSICAL_TIMER
+
+    config NON_SECURE_PHYSICAL_TIMER
+        bool "Non-secure Physical Timer"
+        help
+            "Use the Physical Timer for timing operations."
+
+    config NON_SECURE_VIRTUAL_TIMER
+        bool "Non-secure Virtual Timer"
+        help
+            "Use the Virtual Timer for timing operations."
+    endchoice
+
     config FREERTOS_MAX_PRIORITIES
         int "Max task priority"
         range 1 32
diff --git a/third-party/freertos/portable/GCC/ft_platform/aarch64/port.c b/third-party/freertos/portable/GCC/ft_platform/aarch64/port.c
index 718c3ff5..7f56dd7b 100644
--- a/third-party/freertos/portable/GCC/ft_platform/aarch64/port.c
+++ b/third-party/freertos/portable/GCC/ft_platform/aarch64/port.c
@@ -129,6 +129,16 @@ point is zero. */
 #define portMAX_8_BIT_VALUE							( ( uint8_t ) 0xff )
 #define portBIT_0_SET								( ( uint8_t ) 0x01 )
 
+/* Let the user override the pre-loading of the initial LR with the address of
+ * prvTaskExitError() in case it messes up unwinding of the stack in the
+ * debugger. */
+#ifdef configTASK_RETURN_ADDRESS
+    #define portTASK_RETURN_ADDRESS    configTASK_RETURN_ADDRESS
+#else
+    #define portTASK_RETURN_ADDRESS    prvTaskExitError
+#endif
+
+
 /*-----------------------------------------------------------*/
 
 /*
@@ -137,6 +147,11 @@ point is zero. */
  */
 extern void vPortRestoreTaskContext(void);
 
+/*
+ * Used to catch tasks that attempt to return from their implementing function.
+ */
+static void prvTaskExitError( void );
+
 /*-----------------------------------------------------------*/
 
 /* A variable is used to keep track of the critical section nesting.  This
@@ -243,7 +258,7 @@ StackType_t *pxPortInitialiseStack(StackType_t *pxTopOfStack, TaskFunction_t pxC
     pxTopOfStack--;
     *pxTopOfStack = (StackType_t)0x00; /* XZR - has no effect, used so there are an even number of registers. */
     pxTopOfStack--;
-    *pxTopOfStack = (StackType_t)0x00; /* R30 - procedure call link register. */
+    *pxTopOfStack = (StackType_t)portTASK_RETURN_ADDRESS; /* R30 - procedure call link register. */
     pxTopOfStack--;
 
     *pxTopOfStack = portINITIAL_PSTATE;
@@ -286,6 +301,23 @@ StackType_t *pxPortInitialiseStack(StackType_t *pxTopOfStack, TaskFunction_t pxC
 
     return pxTopOfStack;
 }
+
+static void prvTaskExitError( void )
+{
+    /* A function that implements a task must not exit or attempt to return to
+     * its caller as there is nothing to return to.  If a task wants to exit it
+     * should instead call vTaskDelete( NULL ).
+     *
+     * Artificially force an assert() to be triggered if configASSERT() is
+     * defined, then stop here so application writers can catch the error. */
+    configASSERT( ullCriticalNesting == ~0UL );
+    portDISABLE_INTERRUPTS();
+
+    for( ; ; )
+    {
+    }
+}
+
 /*-----------------------------------------------------------*/
 
 BaseType_t xPortStartScheduler(void)
diff --git a/third-party/freertos/portable/freertos_configs.c b/third-party/freertos/portable/freertos_configs.c
index 1504217e..6361ee2b 100644
--- a/third-party/freertos/portable/freertos_configs.c
+++ b/third-party/freertos/portable/freertos_configs.c
@@ -36,7 +36,15 @@
 #include "fcpu_info.h"
 #include "fassert.h"
 #include "fexception.h"
+#include "sdkconfig.h"
 
+#ifdef CONFIG_NON_SECURE_PHYSICAL_TIMER
+    #define USING_GENERIC_TIMER_ID GENERIC_TIMER_ID0
+    #define USING_GENERIC_TIMER_IRQ_ID GENERIC_TIMER_NS_IRQ_NUM
+#elif defined CONFIG_NON_SECURE_VIRTUAL_TIMER
+    #define USING_GENERIC_TIMER_ID GENERIC_TIMER_ID1
+    #define USING_GENERIC_TIMER_IRQ_ID GENERIC_VTIMER_IRQ_NUM
+#endif
 
 static volatile u32 is_in_irq = 0 ;
 
@@ -75,24 +83,24 @@ static u32 cntfrq; /* System frequency */
 void vConfigureTickInterrupt(void)
 {
     /* Disable the timer */
-    GenericTimerStop(GENERIC_TIMER_ID0);
+    GenericTimerStop(USING_GENERIC_TIMER_ID);
     /* Get system frequency */
     cntfrq = GenericTimerFrequecy();
 
     /* Set tick rate */
-    GenericTimerSetTimerValue(GENERIC_TIMER_ID0, cntfrq / configTICK_RATE_HZ);
-    GenericTimerInterruptEnable(GENERIC_TIMER_ID0);
+    GenericTimerSetTimerValue(USING_GENERIC_TIMER_ID, cntfrq / configTICK_RATE_HZ);
+    GenericTimerInterruptEnable(USING_GENERIC_TIMER_ID);
 
     /* Set as the lowest priority */
-    InterruptSetPriority(GENERIC_TIMER_NS_IRQ_NUM, configKERNEL_INTERRUPT_PRIORITY);
-    InterruptUmask(GENERIC_TIMER_NS_IRQ_NUM);
+    InterruptSetPriority(USING_GENERIC_TIMER_IRQ_ID, configKERNEL_INTERRUPT_PRIORITY);
+    InterruptUmask(USING_GENERIC_TIMER_IRQ_ID);
 
-    GenericTimerStart(GENERIC_TIMER_ID0);
+    GenericTimerStart(USING_GENERIC_TIMER_ID);
 }
 
 void vClearTickInterrupt(void)
 {
-    GenericTimerSetTimerValue(GENERIC_TIMER_ID0, cntfrq / configTICK_RATE_HZ);
+    GenericTimerSetTimerValue(USING_GENERIC_TIMER_ID, cntfrq / configTICK_RATE_HZ);
 }
 
 volatile unsigned int gCpuRuntime;
@@ -107,7 +115,7 @@ void vApplicationInterruptHandler(uint32_t ulICCIAR)
     ulInterruptID = ulICCIAR & 0x3FFUL;
 
     /* call handler function */
-    if (ulInterruptID == GENERIC_TIMER_NS_IRQ_NUM)
+    if (ulInterruptID == USING_GENERIC_TIMER_IRQ_ID)
     {
         /* Generic Timer */
         gCpuRuntime++;
diff --git a/third-party/include.mk b/third-party/include.mk
index 810c17e9..2c2f264d 100644
--- a/third-party/include.mk
+++ b/third-party/include.mk
@@ -51,3 +51,7 @@ endif
 ifdef CONFIG_USE_CHERRY_USB
 include $(SDK_DIR)/third-party/cherryusb/include.mk
 endif
+
+ifdef CONFIG_USE_MBEDTLS
+include $(FREERTOS_SDK_DIR)/third-party/mbedtls-3.6/include.mk
+endif
diff --git a/third-party/letter-shell-3.1/Kconfig b/third-party/letter-shell-3.1/Kconfig
index 2f9a2c7e..6247101f 100644
--- a/third-party/letter-shell-3.1/Kconfig
+++ b/third-party/letter-shell-3.1/Kconfig
@@ -27,4 +27,19 @@ menu "Letter Shell Configuration"
         endif
 
     endchoice # LETTER_SHELL_USART_TYPE
+
+    choice
+        prompt "Uart Mode"
+        default LETTER_SHELL_UART_INTERRUPT_MODE
+
+    config LETTER_SHELL_UART_INTERRUPT_MODE
+        bool "Interrupt Mode"
+        help
+            "Use the interrupt mode for letter shell."
+
+    config LETTER_SHELL_UART_POLLED_MODE
+        bool "Polled Mode"
+        help
+            "Use the polled mode for letter shell ."
+    endchoice
 endmenu
\ No newline at end of file
diff --git a/third-party/letter-shell-3.1/port/pl011/fpl011_os_port.c b/third-party/letter-shell-3.1/port/pl011/fpl011_os_port.c
index 2e6c7e5e..fbfcc535 100644
--- a/third-party/letter-shell-3.1/port/pl011/fpl011_os_port.c
+++ b/third-party/letter-shell-3.1/port/pl011/fpl011_os_port.c
@@ -49,7 +49,7 @@ static char data[64];
 #endif
 
 extern void FtFreertosUartIntrInit(FtFreertosUart *uart_p);
-
+#ifdef CONFIG_LETTER_SHELL_UART_INTERRUPT_MODE
 /**
  * @brief 用户shell写
  *
@@ -57,7 +57,6 @@ extern void FtFreertosUartIntrInit(FtFreertosUart *uart_p);
  */
 void LSUserShellWrite(char data)
 {
-    // FtFreertosUartBlcokingSend(&os_uart1, &data, 1);
     FPl011Send(&os_uart1.bsp_uart, &data, 1);
 }
 
@@ -101,3 +100,57 @@ void LSSerialWaitLoop(void)
     }
     vTaskDelete(NULL);
 }
+
+#elif defined CONFIG_LETTER_SHELL_UART_POLLED_MODE
+
+#define LS_UART_WAIT_LOOP_DELAY 5
+    /**
+ * @brief 用户shell写
+ *
+ * @param data 数据
+ */
+void LSUserShellWrite(char data)
+{
+    FPl011BlockSend(&os_uart1.bsp_uart, (u8 *)&data, 1);
+}
+
+/**
+ * @brief 用户shell读
+ *
+ * @param data 数据
+ * @return char 状态
+ */
+signed char LSUserShellRead(char *data)
+{
+    u32 length = 0;
+    length = FPl011Receive(&os_uart1.bsp_uart,(u8 *)data,1);
+    return (length > 0)? 1:0;
+}
+
+void LSSerialConfig(void)
+{
+    s32 ret = FT_SUCCESS;
+    const FPl011Config * config_p;
+    FPl011Config config_value;
+    memset(&os_uart1.bsp_uart, 0, sizeof(os_uart1.bsp_uart));
+    config_p = FPl011LookupConfig(LETTER_SHELL_UART_ID) ;
+    memcpy(&config_value, config_p, sizeof(FPl011Config)); 
+    /* 初始化PL011 */
+    ret = FPl011CfgInitialize(&os_uart1.bsp_uart, &config_value);
+    FASSERT(FT_SUCCESS == ret);
+    FPl011SetOptions(&os_uart1.bsp_uart, FPL011_OPTION_UARTEN | FPL011_OPTION_RXEN | FPL011_OPTION_TXEN | FPL011_OPTION_FIFOEN );
+}
+
+void LSSerialWaitLoop(void)
+{
+    char buf;
+    while (TRUE)
+    {
+        buf = FPl011BlockReceive(&os_uart1.bsp_uart);
+        shellHandler(&shell_object, buf);
+        vTaskDelay(LS_UART_WAIT_LOOP_DELAY);
+    }
+}
+#endif
+
+
diff --git a/third-party/lvgl-8.3/port/lv_port_disp.c b/third-party/lvgl-8.3/port/lv_port_disp.c
index f4b77c5d..d654bcc7 100644
--- a/third-party/lvgl-8.3/port/lv_port_disp.c
+++ b/third-party/lvgl-8.3/port/lv_port_disp.c
@@ -58,12 +58,12 @@ void FMediaDispFramebuffer(FDcDp *instance)
   
     if ((rtt_fbp[0] == NULL))
     {
-        rtt_fbp[0] = (lv_color_int_t *)instance->user_config[0].fb_virtual;
-        multi_mode = instance->user_config[0].multi_mode;
+        rtt_fbp[0] = (lv_color_int_t *)instance->dc_instance_p[0].fb_virtual;
+        multi_mode = instance->dc_instance_p[0].fb_virtual;
     }
     else
     {
-        rtt_fbp[1] = (lv_color_int_t *)instance->user_config[1].fb_virtual;
+        rtt_fbp[1] = (lv_color_int_t *) instance->dc_instance_p[1].fb_virtual;
     }
     return;
 
diff --git a/third-party/mbedtls-3.6/Kconfig b/third-party/mbedtls-3.6/Kconfig
new file mode 100644
index 00000000..b832fe10
--- /dev/null
+++ b/third-party/mbedtls-3.6/Kconfig
@@ -0,0 +1,3 @@
+menu "MBEDTLS Freertos Port Configuration"
+ 
+endmenu
\ No newline at end of file
diff --git a/third-party/mbedtls-3.6/include.mk b/third-party/mbedtls-3.6/include.mk
new file mode 100644
index 00000000..611e3493
--- /dev/null
+++ b/third-party/mbedtls-3.6/include.mk
@@ -0,0 +1,14 @@
+ifdef CONFIG_USE_MBEDTLS
+
+THIRDP_CUR_DIR := $(FREERTOS_SDK_DIR)/third-party
+
+# src files
+BUILD_INC_PATH_DIR += $(THIRDP_CUR_DIR)/mbedtls-3.6
+BUILD_INC_PATH_DIR += $(THIRDP_CUR_DIR)/mbedtls-3.6/include
+BUILD_INC_PATH_DIR += $(THIRDP_CUR_DIR)/mbedtls-3.6/include/mbedtls
+BUILD_INC_PATH_DIR += $(THIRDP_CUR_DIR)/mbedtls-3.6/library
+BUILD_INC_PATH_DIR += $(THIRDP_CUR_DIR)/mbedtls-3.6/ports
+BUILD_INC_PATH_DIR += $(THIRDP_CUR_DIR)/mbedtls-3.6/ports/inc
+BUILD_INC_PATH_DIR += $(THIRDP_CUR_DIR)/mbedtls-3.6/ports/src
+
+endif #CONFIG_USE_MBEDTLS
\ No newline at end of file
diff --git a/third-party/mbedtls-3.6/include/.gitignore b/third-party/mbedtls-3.6/include/.gitignore
new file mode 100644
index 00000000..bf67d02e
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/.gitignore
@@ -0,0 +1,4 @@
+Makefile
+*.sln
+*.vcxproj
+mbedtls/check_config
diff --git a/third-party/mbedtls-3.6/include/CMakeLists.txt b/third-party/mbedtls-3.6/include/CMakeLists.txt
new file mode 100644
index 00000000..c2f2bd4e
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/CMakeLists.txt
@@ -0,0 +1,16 @@
+option(INSTALL_MBEDTLS_HEADERS "Install mbed TLS headers." ON)
+
+if(INSTALL_MBEDTLS_HEADERS)
+
+    file(GLOB headers "mbedtls/*.h")
+
+    install(FILES ${headers}
+        DESTINATION include/mbedtls
+        PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
+
+endif(INSTALL_MBEDTLS_HEADERS)
+
+# Make config.h available in an out-of-source build. ssl-opt.sh requires it.
+if (ENABLE_TESTING AND NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
+    link_to_source(mbedtls)
+endif()
diff --git a/third-party/mbedtls-3.6/include/mbedtls/aes.h b/third-party/mbedtls-3.6/include/mbedtls/aes.h
new file mode 100644
index 00000000..a187796b
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/aes.h
@@ -0,0 +1,443 @@
+/**
+ * \file aes.h
+ *
+ * \brief   The Advanced Encryption Standard (AES) specifies a FIPS-approved
+ *          cryptographic algorithm that can be used to protect electronic
+ *          data.
+ *
+ *          The AES algorithm is a symmetric block cipher that can
+ *          encrypt and decrypt information. For more information, see
+ *          <em>FIPS Publication 197: Advanced Encryption Standard</em> and
+ *          <em>ISO/IEC 18033-2:2006: Information technology -- Security
+ *          techniques -- Encryption algorithms -- Part 2: Asymmetric
+ *          ciphers</em>.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_AES_H
+#define MBEDTLS_AES_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* padlock.c and aesni.c rely on these values! */
+#define MBEDTLS_AES_ENCRYPT     1 /**< AES encryption. */
+#define MBEDTLS_AES_DECRYPT     0 /**< AES decryption. */
+
+/* Error codes in range 0x0020-0x0022 */
+#define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH                -0x0020  /**< Invalid key length. */
+#define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH              -0x0022  /**< Invalid data input length. */
+
+/* Error codes in range 0x0023-0x0025 */
+#define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE               -0x0023  /**< Feature not available. For example, an unsupported AES key size. */
+#define MBEDTLS_ERR_AES_HW_ACCEL_FAILED                   -0x0025  /**< AES hardware accelerator failed. */
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#if !defined(MBEDTLS_AES_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief The AES context-type definition.
+ */
+typedef struct
+{
+    int nr;                     /*!< The number of rounds. */
+    uint32_t *rk;               /*!< AES round keys. */
+    uint32_t buf[68];           /*!< Unaligned data buffer. This buffer can
+                                     hold 32 extra Bytes, which can be used for
+                                     one of the following purposes:
+                                     <ul><li>Alignment if VIA padlock is
+                                             used.</li>
+                                     <li>Simplifying key expansion in the 256-bit
+                                         case by generating an extra round key.
+                                         </li></ul> */
+}
+mbedtls_aes_context;
+
+/**
+ * \brief          This function initializes the specified AES context.
+ *
+ *                 It must be the first API called before using
+ *                 the context.
+ *
+ * \param ctx      The AES context to initialize.
+ */
+void mbedtls_aes_init( mbedtls_aes_context *ctx );
+
+/**
+ * \brief          This function releases and clears the specified AES context.
+ *
+ * \param ctx      The AES context to clear.
+ */
+void mbedtls_aes_free( mbedtls_aes_context *ctx );
+
+/**
+ * \brief          This function sets the encryption key.
+ *
+ * \param ctx      The AES context to which the key should be bound.
+ * \param key      The encryption key.
+ * \param keybits  The size of data passed in bits. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success or #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+ *                 on failure.
+ */
+int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
+                    unsigned int keybits );
+
+/**
+ * \brief          This function sets the decryption key.
+ *
+ * \param ctx      The AES context to which the key should be bound.
+ * \param key      The decryption key.
+ * \param keybits  The size of data passed. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success, or #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
+                    unsigned int keybits );
+
+/**
+ * \brief          This function performs an AES single-block encryption or
+ *                 decryption operation.
+ *
+ *                 It performs the operation defined in the \p mode parameter
+ *                 (encrypt or decrypt), on the input data buffer defined in
+ *                 the \p input parameter.
+ *
+ *                 mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or
+ *                 mbedtls_aes_setkey_dec() must be called before the first
+ *                 call to this API with the same context.
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                 #MBEDTLS_AES_DECRYPT.
+ * \param input    The 16-Byte buffer holding the input data.
+ * \param output   The 16-Byte buffer holding the output data.
+
+ * \return         \c 0 on success.
+ */
+int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
+                    int mode,
+                    const unsigned char input[16],
+                    unsigned char output[16] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief  This function performs an AES-CBC encryption or decryption operation
+ *         on full blocks.
+ *
+ *         It performs the operation defined in the \p mode
+ *         parameter (encrypt/decrypt), on the input data buffer defined in
+ *         the \p input parameter.
+ *
+ *         It can be called as many times as needed, until all the input
+ *         data is processed. mbedtls_aes_init(), and either
+ *         mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called
+ *         before the first call to this API with the same context.
+ *
+ * \note   This function operates on aligned blocks, that is, the input size
+ *         must be a multiple of the AES block size of 16 Bytes.
+ *
+ * \note   Upon exit, the content of the IV is updated so that you can
+ *         call the same function again on the next
+ *         block(s) of data and get the same result as if it was
+ *         encrypted in one call. This allows a "streaming" usage.
+ *         If you need to retain the contents of the IV, you should
+ *         either save it manually or use the cipher module instead.
+ *
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                 #MBEDTLS_AES_DECRYPT.
+ * \param length   The length of the input data in Bytes. This must be a
+ *                 multiple of the block size (16 Bytes).
+ * \param iv       Initialization vector (updated after use).
+ * \param input    The buffer holding the input data.
+ * \param output   The buffer holding the output data.
+ *
+ * \return         \c 0 on success, or #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+ *                 on failure.
+ */
+int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief This function performs an AES-CFB128 encryption or decryption
+ *        operation.
+ *
+ *        It performs the operation defined in the \p mode
+ *        parameter (encrypt or decrypt), on the input data buffer
+ *        defined in the \p input parameter.
+ *
+ *        For CFB, you must set up the context with mbedtls_aes_setkey_enc(),
+ *        regardless of whether you are performing an encryption or decryption
+ *        operation, that is, regardless of the \p mode parameter. This is
+ *        because CFB mode uses the same key schedule for encryption and
+ *        decryption.
+ *
+ * \note  Upon exit, the content of the IV is updated so that you can
+ *        call the same function again on the next
+ *        block(s) of data and get the same result as if it was
+ *        encrypted in one call. This allows a "streaming" usage.
+ *        If you need to retain the contents of the
+ *        IV, you must either save it manually or use the cipher
+ *        module instead.
+ *
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                 #MBEDTLS_AES_DECRYPT.
+ * \param length   The length of the input data.
+ * \param iv_off   The offset in IV (updated after use).
+ * \param iv       The initialization vector (updated after use).
+ * \param input    The buffer holding the input data.
+ * \param output   The buffer holding the output data.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+
+/**
+ * \brief This function performs an AES-CFB8 encryption or decryption
+ *        operation.
+ *
+ *        It performs the operation defined in the \p mode
+ *        parameter (encrypt/decrypt), on the input data buffer defined
+ *        in the \p input parameter.
+ *
+ *        Due to the nature of CFB, you must use the same key schedule for
+ *        both encryption and decryption operations. Therefore, you must
+ *        use the context initialized with mbedtls_aes_setkey_enc() for
+ *        both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
+ *
+ * \note  Upon exit, the content of the IV is updated so that you can
+ *        call the same function again on the next
+ *        block(s) of data and get the same result as if it was
+ *        encrypted in one call. This allows a "streaming" usage.
+ *        If you need to retain the contents of the
+ *        IV, you should either save it manually or use the cipher
+ *        module instead.
+ *
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                 #MBEDTLS_AES_DECRYPT
+ * \param length   The length of the input data.
+ * \param iv       The initialization vector (updated after use).
+ * \param input    The buffer holding the input data.
+ * \param output   The buffer holding the output data.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /*MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief      This function performs an AES-CTR encryption or decryption
+ *             operation.
+ *
+ *             This function performs the operation defined in the \p mode
+ *             parameter (encrypt/decrypt), on the input data buffer
+ *             defined in the \p input parameter.
+ *
+ *             Due to the nature of CTR, you must use the same key schedule
+ *             for both encryption and decryption operations. Therefore, you
+ *             must use the context initialized with mbedtls_aes_setkey_enc()
+ *             for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
+ *
+ * \warning    You must keep the maximum use of your counter in mind.
+ *
+ * \param ctx              The AES context to use for encryption or decryption.
+ * \param length           The length of the input data.
+ * \param nc_off           The offset in the current \p stream_block, for
+ *                         resuming within the current cipher stream. The
+ *                         offset pointer should be 0 at the start of a stream.
+ * \param nonce_counter    The 128-bit nonce and counter.
+ * \param stream_block     The saved stream block for resuming. This is
+ *                         overwritten by the function.
+ * \param input            The buffer holding the input data.
+ * \param output           The buffer holding the output data.
+ *
+ * \return     \c 0 on success.
+ */
+int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+/**
+ * \brief           Internal AES block encryption function. This is only
+ *                  exposed to allow overriding it using
+ *                  \c MBEDTLS_AES_ENCRYPT_ALT.
+ *
+ * \param ctx       The AES context to use for encryption.
+ * \param input     The plaintext block.
+ * \param output    The output (ciphertext) block.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
+                                  const unsigned char input[16],
+                                  unsigned char output[16] );
+
+/**
+ * \brief           Internal AES block decryption function. This is only
+ *                  exposed to allow overriding it using see
+ *                  \c MBEDTLS_AES_DECRYPT_ALT.
+ *
+ * \param ctx       The AES context to use for decryption.
+ * \param input     The ciphertext block.
+ * \param output    The output (plaintext) block.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
+                                  const unsigned char input[16],
+                                  unsigned char output[16] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief           Deprecated internal AES block encryption function
+ *                  without return value.
+ *
+ * \deprecated      Superseded by mbedtls_aes_encrypt_ext() in 2.5.0.
+ *
+ * \param ctx       The AES context to use for encryption.
+ * \param input     Plaintext block.
+ * \param output    Output (ciphertext) block.
+ */
+MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
+                                             const unsigned char input[16],
+                                             unsigned char output[16] );
+
+/**
+ * \brief           Deprecated internal AES block decryption function
+ *                  without return value.
+ *
+ * \deprecated      Superseded by mbedtls_aes_decrypt_ext() in 2.5.0.
+ *
+ * \param ctx       The AES context to use for decryption.
+ * \param input     Ciphertext block.
+ * \param output    Output (plaintext) block.
+ */
+MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
+                                             const unsigned char input[16],
+                                             unsigned char output[16] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_AES_ALT */
+#include "aes_alt.h"
+#endif /* MBEDTLS_AES_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_aes_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* aes.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/aesni.h b/third-party/mbedtls-3.6/include/mbedtls/aesni.h
new file mode 100644
index 00000000..845da74e
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/aesni.h
@@ -0,0 +1,143 @@
+/**
+ * \file aesni.h
+ *
+ * \brief AES-NI for hardware AES acceleration on some Intel processors
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_AESNI_H
+#define MBEDTLS_AESNI_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "aes.h"
+
+#define MBEDTLS_AESNI_AES      0x02000000u
+#define MBEDTLS_AESNI_CLMUL    0x00000002u
+
+#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) &&  \
+    ( defined(__amd64__) || defined(__x86_64__) )   &&  \
+    ! defined(MBEDTLS_HAVE_X86_64)
+#define MBEDTLS_HAVE_X86_64
+#endif
+
+#if defined(MBEDTLS_HAVE_X86_64)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          AES-NI features detection routine
+ *
+ * \param what     The feature to detect
+ *                 (MBEDTLS_AESNI_AES or MBEDTLS_AESNI_CLMUL)
+ *
+ * \return         1 if CPU has support for the feature, 0 otherwise
+ */
+int mbedtls_aesni_has_support( unsigned int what );
+
+/**
+ * \brief          AES-NI AES-ECB block en(de)cryption
+ *
+ * \param ctx      AES context
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input    16-byte input block
+ * \param output   16-byte output block
+ *
+ * \return         0 on success (cannot fail)
+ */
+int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
+                     int mode,
+                     const unsigned char input[16],
+                     unsigned char output[16] );
+
+/**
+ * \brief          GCM multiplication: c = a * b in GF(2^128)
+ *
+ * \param c        Result
+ * \param a        First operand
+ * \param b        Second operand
+ *
+ * \note           Both operands and result are bit strings interpreted as
+ *                 elements of GF(2^128) as per the GCM spec.
+ */
+void mbedtls_aesni_gcm_mult( unsigned char c[16],
+                     const unsigned char a[16],
+                     const unsigned char b[16] );
+
+/**
+ * \brief           Compute decryption round keys from encryption round keys
+ *
+ * \param invkey    Round keys for the equivalent inverse cipher
+ * \param fwdkey    Original round keys (for encryption)
+ * \param nr        Number of rounds (that is, number of round keys minus one)
+ */
+void mbedtls_aesni_inverse_key( unsigned char *invkey,
+                        const unsigned char *fwdkey, int nr );
+
+/**
+ * \brief           Perform key expansion (for encryption)
+ *
+ * \param rk        Destination buffer where the round keys are written
+ * \param key       Encryption key
+ * \param bits      Key size in bits (must be 128, 192 or 256)
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+ */
+int mbedtls_aesni_setkey_enc( unsigned char *rk,
+                      const unsigned char *key,
+                      size_t bits );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_HAVE_X86_64 */
+
+#endif /* MBEDTLS_AESNI_H */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/arc4.h b/third-party/mbedtls-3.6/include/mbedtls/arc4.h
new file mode 100644
index 00000000..50b6f483
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/arc4.h
@@ -0,0 +1,174 @@
+/**
+ * \file arc4.h
+ *
+ * \brief The ARCFOUR stream cipher
+ *
+ * \warning   ARC4 is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers instead.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ *
+ */
+#ifndef MBEDTLS_ARC4_H
+#define MBEDTLS_ARC4_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#define MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED                  -0x0019  /**< ARC4 hardware accelerator failed. */
+
+#if !defined(MBEDTLS_ARC4_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief     ARC4 context structure
+ *
+ * \warning   ARC4 is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers instead.
+ *
+ */
+typedef struct
+{
+    int x;                      /*!< permutation index */
+    int y;                      /*!< permutation index */
+    unsigned char m[256];       /*!< permutation table */
+}
+mbedtls_arc4_context;
+
+/**
+ * \brief          Initialize ARC4 context
+ *
+ * \param ctx      ARC4 context to be initialized
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+void mbedtls_arc4_init( mbedtls_arc4_context *ctx );
+
+/**
+ * \brief          Clear ARC4 context
+ *
+ * \param ctx      ARC4 context to be cleared
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+void mbedtls_arc4_free( mbedtls_arc4_context *ctx );
+
+/**
+ * \brief          ARC4 key schedule
+ *
+ * \param ctx      ARC4 context to be setup
+ * \param key      the secret key
+ * \param keylen   length of the key, in bytes
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+void mbedtls_arc4_setup( mbedtls_arc4_context *ctx, const unsigned char *key,
+                 unsigned int keylen );
+
+/**
+ * \brief          ARC4 cipher function
+ *
+ * \param ctx      ARC4 context
+ * \param length   length of the input data
+ * \param input    buffer holding the input data
+ * \param output   buffer for the output data
+ *
+ * \return         0 if successful
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+int mbedtls_arc4_crypt( mbedtls_arc4_context *ctx, size_t length, const unsigned char *input,
+                unsigned char *output );
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_ARC4_ALT */
+#include "arc4_alt.h"
+#endif /* MBEDTLS_ARC4_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+int mbedtls_arc4_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* arc4.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/asn1.h b/third-party/mbedtls-3.6/include/mbedtls/asn1.h
new file mode 100644
index 00000000..0e596bca
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/asn1.h
@@ -0,0 +1,383 @@
+/**
+ * \file asn1.h
+ *
+ * \brief Generic ASN.1 parsing
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_ASN1_H
+#define MBEDTLS_ASN1_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "bignum.h"
+#endif
+
+/**
+ * \addtogroup asn1_module
+ * \{
+ */
+
+/**
+ * \name ASN1 Error codes
+ * These error codes are OR'ed to X509 error codes for
+ * higher error granularity.
+ * ASN1 is a standard to specify data structures.
+ * \{
+ */
+#define MBEDTLS_ERR_ASN1_OUT_OF_DATA                      -0x0060  /**< Out of data when parsing an ASN1 data structure. */
+#define MBEDTLS_ERR_ASN1_UNEXPECTED_TAG                   -0x0062  /**< ASN1 tag was of an unexpected value. */
+#define MBEDTLS_ERR_ASN1_INVALID_LENGTH                   -0x0064  /**< Error when trying to determine the length or invalid length. */
+#define MBEDTLS_ERR_ASN1_LENGTH_MISMATCH                  -0x0066  /**< Actual length differs from expected length. */
+#define MBEDTLS_ERR_ASN1_INVALID_DATA                     -0x0068  /**< Data is invalid. (not used) */
+#define MBEDTLS_ERR_ASN1_ALLOC_FAILED                     -0x006A  /**< Memory allocation failed */
+#define MBEDTLS_ERR_ASN1_BUF_TOO_SMALL                    -0x006C  /**< Buffer too small when writing ASN.1 data structure. */
+
+/* \} name */
+
+/**
+ * \name DER constants
+ * These constants comply with the DER encoded ASN.1 type tags.
+ * DER encoding uses hexadecimal representation.
+ * An example DER sequence is:\n
+ * - 0x02 -- tag indicating INTEGER
+ * - 0x01 -- length in octets
+ * - 0x05 -- value
+ * Such sequences are typically read into \c ::mbedtls_x509_buf.
+ * \{
+ */
+#define MBEDTLS_ASN1_BOOLEAN                 0x01
+#define MBEDTLS_ASN1_INTEGER                 0x02
+#define MBEDTLS_ASN1_BIT_STRING              0x03
+#define MBEDTLS_ASN1_OCTET_STRING            0x04
+#define MBEDTLS_ASN1_NULL                    0x05
+#define MBEDTLS_ASN1_OID                     0x06
+#define MBEDTLS_ASN1_UTF8_STRING             0x0C
+#define MBEDTLS_ASN1_SEQUENCE                0x10
+#define MBEDTLS_ASN1_SET                     0x11
+#define MBEDTLS_ASN1_PRINTABLE_STRING        0x13
+#define MBEDTLS_ASN1_T61_STRING              0x14
+#define MBEDTLS_ASN1_IA5_STRING              0x16
+#define MBEDTLS_ASN1_UTC_TIME                0x17
+#define MBEDTLS_ASN1_GENERALIZED_TIME        0x18
+#define MBEDTLS_ASN1_UNIVERSAL_STRING        0x1C
+#define MBEDTLS_ASN1_BMP_STRING              0x1E
+#define MBEDTLS_ASN1_PRIMITIVE               0x00
+#define MBEDTLS_ASN1_CONSTRUCTED             0x20
+#define MBEDTLS_ASN1_CONTEXT_SPECIFIC        0x80
+
+/*
+ * Bit masks for each of the components of an ASN.1 tag as specified in
+ * ITU X.690 (08/2015), section 8.1 "General rules for encoding",
+ * paragraph 8.1.2.2:
+ *
+ * Bit  8     7   6   5          1
+ *     +-------+-----+------------+
+ *     | Class | P/C | Tag number |
+ *     +-------+-----+------------+
+ */
+#define MBEDTLS_ASN1_TAG_CLASS_MASK          0xC0
+#define MBEDTLS_ASN1_TAG_PC_MASK             0x20
+#define MBEDTLS_ASN1_TAG_VALUE_MASK          0x1F
+
+/* \} name */
+/* \} addtogroup asn1_module */
+
+/** Returns the size of the binary string, without the trailing \\0 */
+#define MBEDTLS_OID_SIZE(x) (sizeof(x) - 1)
+
+/**
+ * Compares an mbedtls_asn1_buf structure to a reference OID.
+ *
+ * Only works for 'defined' oid_str values (MBEDTLS_OID_HMAC_SHA1), you cannot use a
+ * 'unsigned char *oid' here!
+ */
+#define MBEDTLS_OID_CMP(oid_str, oid_buf)                                   \
+        ( ( MBEDTLS_OID_SIZE(oid_str) != (oid_buf)->len ) ||                \
+          memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) != 0 )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name Functions to parse ASN.1 data structures
+ * \{
+ */
+
+/**
+ * Type-length-value structure that allows for ASN1 using DER.
+ */
+typedef struct mbedtls_asn1_buf
+{
+    int tag;                /**< ASN1 type, e.g. MBEDTLS_ASN1_UTF8_STRING. */
+    size_t len;             /**< ASN1 length, in octets. */
+    unsigned char *p;       /**< ASN1 data, e.g. in ASCII. */
+}
+mbedtls_asn1_buf;
+
+/**
+ * Container for ASN1 bit strings.
+ */
+typedef struct mbedtls_asn1_bitstring
+{
+    size_t len;                 /**< ASN1 length, in octets. */
+    unsigned char unused_bits;  /**< Number of unused bits at the end of the string */
+    unsigned char *p;           /**< Raw ASN1 data for the bit string */
+}
+mbedtls_asn1_bitstring;
+
+/**
+ * Container for a sequence of ASN.1 items
+ */
+typedef struct mbedtls_asn1_sequence
+{
+    mbedtls_asn1_buf buf;                   /**< Buffer containing the given ASN.1 item. */
+    struct mbedtls_asn1_sequence *next;    /**< The next entry in the sequence. */
+}
+mbedtls_asn1_sequence;
+
+/**
+ * Container for a sequence or list of 'named' ASN.1 data items
+ */
+typedef struct mbedtls_asn1_named_data
+{
+    mbedtls_asn1_buf oid;                   /**< The object identifier. */
+    mbedtls_asn1_buf val;                   /**< The named value. */
+    struct mbedtls_asn1_named_data *next;  /**< The next entry in the sequence. */
+    unsigned char next_merged;      /**< Merge next item into the current one? */
+}
+mbedtls_asn1_named_data;
+
+/**
+ * \brief       Get the length of an ASN.1 element.
+ *              Updates the pointer to immediately behind the length.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param len   The variable that will receive the value
+ *
+ * \return      0 if successful, MBEDTLS_ERR_ASN1_OUT_OF_DATA on reaching
+ *              end of data, MBEDTLS_ERR_ASN1_INVALID_LENGTH if length is
+ *              unparseable.
+ */
+int mbedtls_asn1_get_len( unsigned char **p,
+                  const unsigned char *end,
+                  size_t *len );
+
+/**
+ * \brief       Get the tag and length of the tag. Check for the requested tag.
+ *              Updates the pointer to immediately behind the tag and length.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param len   The variable that will receive the length
+ * \param tag   The expected tag
+ *
+ * \return      0 if successful, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if tag did
+ *              not match requested tag, or another specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_tag( unsigned char **p,
+                  const unsigned char *end,
+                  size_t *len, int tag );
+
+/**
+ * \brief       Retrieve a boolean ASN.1 tag and its value.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param val   The variable that will receive the value
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_bool( unsigned char **p,
+                   const unsigned char *end,
+                   int *val );
+
+/**
+ * \brief       Retrieve an integer ASN.1 tag and its value.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param val   The variable that will receive the value
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_int( unsigned char **p,
+                  const unsigned char *end,
+                  int *val );
+
+/**
+ * \brief       Retrieve a bitstring ASN.1 tag and its value.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param bs    The variable that will receive the value
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_bitstring( unsigned char **p, const unsigned char *end,
+                        mbedtls_asn1_bitstring *bs);
+
+/**
+ * \brief       Retrieve a bitstring ASN.1 tag without unused bits and its
+ *              value.
+ *              Updates the pointer to the beginning of the bit/octet string.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param len   Length of the actual bit/octect string in bytes
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_bitstring_null( unsigned char **p, const unsigned char *end,
+                             size_t *len );
+
+/**
+ * \brief       Parses and splits an ASN.1 "SEQUENCE OF <tag>"
+ *              Updated the pointer to immediately behind the full sequence tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param cur   First variable in the chain to fill
+ * \param tag   Type of sequence
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_sequence_of( unsigned char **p,
+                          const unsigned char *end,
+                          mbedtls_asn1_sequence *cur,
+                          int tag);
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief       Retrieve a MPI value from an integer ASN.1 tag.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param X     The MPI that will receive the value
+ *
+ * \return      0 if successful or a specific ASN.1 or MPI error code.
+ */
+int mbedtls_asn1_get_mpi( unsigned char **p,
+                  const unsigned char *end,
+                  mbedtls_mpi *X );
+#endif /* MBEDTLS_BIGNUM_C */
+
+/**
+ * \brief       Retrieve an AlgorithmIdentifier ASN.1 sequence.
+ *              Updates the pointer to immediately behind the full
+ *              AlgorithmIdentifier.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param alg   The buffer to receive the OID
+ * \param params The buffer to receive the params (if any)
+ *
+ * \return      0 if successful or a specific ASN.1 or MPI error code.
+ */
+int mbedtls_asn1_get_alg( unsigned char **p,
+                  const unsigned char *end,
+                  mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params );
+
+/**
+ * \brief       Retrieve an AlgorithmIdentifier ASN.1 sequence with NULL or no
+ *              params.
+ *              Updates the pointer to immediately behind the full
+ *              AlgorithmIdentifier.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param alg   The buffer to receive the OID
+ *
+ * \return      0 if successful or a specific ASN.1 or MPI error code.
+ */
+int mbedtls_asn1_get_alg_null( unsigned char **p,
+                       const unsigned char *end,
+                       mbedtls_asn1_buf *alg );
+
+/**
+ * \brief       Find a specific named_data entry in a sequence or list based on
+ *              the OID.
+ *
+ * \param list  The list to seek through
+ * \param oid   The OID to look for
+ * \param len   Size of the OID
+ *
+ * \return      NULL if not found, or a pointer to the existing entry.
+ */
+mbedtls_asn1_named_data *mbedtls_asn1_find_named_data( mbedtls_asn1_named_data *list,
+                                       const char *oid, size_t len );
+
+/**
+ * \brief       Free a mbedtls_asn1_named_data entry
+ *
+ * \param entry The named data entry to free
+ */
+void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *entry );
+
+/**
+ * \brief       Free all entries in a mbedtls_asn1_named_data list
+ *              Head will be set to NULL
+ *
+ * \param head  Pointer to the head of the list of named data entries to free
+ */
+void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* asn1.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/asn1write.h b/third-party/mbedtls-3.6/include/mbedtls/asn1write.h
new file mode 100644
index 00000000..93c570a4
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/asn1write.h
@@ -0,0 +1,274 @@
+/**
+ * \file asn1write.h
+ *
+ * \brief ASN.1 buffer writing functionality
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_ASN1_WRITE_H
+#define MBEDTLS_ASN1_WRITE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "asn1.h"
+
+#define MBEDTLS_ASN1_CHK_ADD(g, f) do { if( ( ret = f ) < 0 ) return( ret ); else   \
+                                g += ret; } while( 0 )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief           Write a length field in ASN.1 format
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param len       the length to write
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start, size_t len );
+
+/**
+ * \brief           Write a ASN.1 tag in ASN.1 format
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param tag       the tag to write
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_asn1_write_tag( unsigned char **p, unsigned char *start,
+                    unsigned char tag );
+
+/**
+ * \brief           Write raw buffer data
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param buf       data buffer to write
+ * \param size      length of the data buffer
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
+                           const unsigned char *buf, size_t size );
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief           Write a big number (MBEDTLS_ASN1_INTEGER) in ASN.1 format
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param X         the MPI to write
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start, const mbedtls_mpi *X );
+#endif /* MBEDTLS_BIGNUM_C */
+
+/**
+ * \brief           Write a NULL tag (MBEDTLS_ASN1_NULL) with zero data in ASN.1 format
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_asn1_write_null( unsigned char **p, unsigned char *start );
+
+/**
+ * \brief           Write an OID tag (MBEDTLS_ASN1_OID) and data in ASN.1 format
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param oid       the OID to write
+ * \param oid_len   length of the OID
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_asn1_write_oid( unsigned char **p, unsigned char *start,
+                    const char *oid, size_t oid_len );
+
+/**
+ * \brief           Write an AlgorithmIdentifier sequence in ASN.1 format
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param oid       the OID of the algorithm
+ * \param oid_len   length of the OID
+ * \param par_len   length of parameters, which must be already written.
+ *                  If 0, NULL parameters are added
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_asn1_write_algorithm_identifier( unsigned char **p, unsigned char *start,
+                                     const char *oid, size_t oid_len,
+                                     size_t par_len );
+
+/**
+ * \brief           Write a boolean tag (MBEDTLS_ASN1_BOOLEAN) and value in ASN.1 format
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param boolean   0 or 1
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start, int boolean );
+
+/**
+ * \brief           Write an int tag (MBEDTLS_ASN1_INTEGER) and value in ASN.1 format
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param val       the integer value
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val );
+
+/**
+ * \brief           Write a printable string tag (MBEDTLS_ASN1_PRINTABLE_STRING) and
+ *                  value in ASN.1 format
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param text      the text to write
+ * \param text_len  length of the text
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_asn1_write_printable_string( unsigned char **p, unsigned char *start,
+                                 const char *text, size_t text_len );
+
+/**
+ * \brief           Write an IA5 string tag (MBEDTLS_ASN1_IA5_STRING) and
+ *                  value in ASN.1 format
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param text      the text to write
+ * \param text_len  length of the text
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
+                           const char *text, size_t text_len );
+
+/**
+ * \brief           Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
+ *                  value in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The bitstring to write.
+ * \param bits      The total number of bits in the bitstring.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
+                          const unsigned char *buf, size_t bits );
+
+/**
+ * \brief           Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
+ *                  and value in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param buf       data buffer to write
+ * \param size      length of the data buffer
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
+                             const unsigned char *buf, size_t size );
+
+/**
+ * \brief           Create or find a specific named_data entry for writing in a
+ *                  sequence or list based on the OID. If not already in there,
+ *                  a new entry is added to the head of the list.
+ *                  Warning: Destructive behaviour for the val data!
+ *
+ * \param list      Pointer to the location of the head of the list to seek
+ *                  through (will be updated in case of a new entry)
+ * \param oid       The OID to look for
+ * \param oid_len   Size of the OID
+ * \param val       Data to store (can be NULL if you want to fill it by hand)
+ * \param val_len   Minimum length of the data buffer needed
+ *
+ * \return      NULL if if there was a memory allocation error, or a pointer
+ *              to the new / existing entry.
+ */
+mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( mbedtls_asn1_named_data **list,
+                                        const char *oid, size_t oid_len,
+                                        const unsigned char *val,
+                                        size_t val_len );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_ASN1_WRITE_H */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/base64.h b/third-party/mbedtls-3.6/include/mbedtls/base64.h
new file mode 100644
index 00000000..f30be4ac
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/base64.h
@@ -0,0 +1,120 @@
+/**
+ * \file base64.h
+ *
+ * \brief RFC 1521 base64 encoding/decoding
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_BASE64_H
+#define MBEDTLS_BASE64_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL               -0x002A  /**< Output buffer too small. */
+#define MBEDTLS_ERR_BASE64_INVALID_CHARACTER              -0x002C  /**< Invalid character in input. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Encode a buffer into base64 format
+ *
+ * \param dst      destination buffer
+ * \param dlen     size of the destination buffer
+ * \param olen     number of bytes written
+ * \param src      source buffer
+ * \param slen     amount of data to be encoded
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL.
+ *                 *olen is always updated to reflect the amount
+ *                 of data that has (or would have) been written.
+ *                 If that length cannot be represented, then no data is
+ *                 written to the buffer and *olen is set to the maximum
+ *                 length representable as a size_t.
+ *
+ * \note           Call this function with dlen = 0 to obtain the
+ *                 required buffer size in *olen
+ */
+int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen,
+                   const unsigned char *src, size_t slen );
+
+/**
+ * \brief          Decode a base64-formatted buffer
+ *
+ * \param dst      destination buffer (can be NULL for checking size)
+ * \param dlen     size of the destination buffer
+ * \param olen     number of bytes written
+ * \param src      source buffer
+ * \param slen     amount of data to be decoded
+ *
+ * \return         0 if successful, MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, or
+ *                 MBEDTLS_ERR_BASE64_INVALID_CHARACTER if the input data is
+ *                 not correct. *olen is always updated to reflect the amount
+ *                 of data that has (or would have) been written.
+ *
+ * \note           Call this function with *dst = NULL or dlen = 0 to obtain
+ *                 the required buffer size in *olen
+ */
+int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
+                   const unsigned char *src, size_t slen );
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_base64_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* base64.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/bignum.h b/third-party/mbedtls-3.6/include/mbedtls/bignum.h
new file mode 100644
index 00000000..a2fa3bda
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/bignum.h
@@ -0,0 +1,809 @@
+/**
+ * \file bignum.h
+ *
+ * \brief Multi-precision integer library
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_BIGNUM_H
+#define MBEDTLS_BIGNUM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#define MBEDTLS_ERR_MPI_FILE_IO_ERROR                     -0x0002  /**< An error occurred while reading from or writing to a file. */
+#define MBEDTLS_ERR_MPI_BAD_INPUT_DATA                    -0x0004  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_MPI_INVALID_CHARACTER                 -0x0006  /**< There is an invalid character in the digit string. */
+#define MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL                  -0x0008  /**< The buffer is too small to write to. */
+#define MBEDTLS_ERR_MPI_NEGATIVE_VALUE                    -0x000A  /**< The input arguments are negative or result in illegal output. */
+#define MBEDTLS_ERR_MPI_DIVISION_BY_ZERO                  -0x000C  /**< The input argument for division is zero, which is not allowed. */
+#define MBEDTLS_ERR_MPI_NOT_ACCEPTABLE                    -0x000E  /**< The input arguments are not acceptable. */
+#define MBEDTLS_ERR_MPI_ALLOC_FAILED                      -0x0010  /**< Memory allocation failed. */
+
+#define MBEDTLS_MPI_CHK(f) do { if( ( ret = f ) != 0 ) goto cleanup; } while( 0 )
+
+/*
+ * Maximum size MPIs are allowed to grow to in number of limbs.
+ */
+#define MBEDTLS_MPI_MAX_LIMBS                             10000
+
+#if !defined(MBEDTLS_MPI_WINDOW_SIZE)
+/*
+ * Maximum window size used for modular exponentiation. Default: 6
+ * Minimum value: 1. Maximum value: 6.
+ *
+ * Result is an array of ( 2 ** MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
+ * for the sliding window calculation. (So 64 by default)
+ *
+ * Reduction in size, reduces speed.
+ */
+#define MBEDTLS_MPI_WINDOW_SIZE                           6        /**< Maximum window size used. */
+#endif /* !MBEDTLS_MPI_WINDOW_SIZE */
+
+#if !defined(MBEDTLS_MPI_MAX_SIZE)
+/*
+ * Maximum size of MPIs allowed in bits and bytes for user-MPIs.
+ * ( Default: 512 bytes => 4096 bits, Maximum tested: 2048 bytes => 16384 bits )
+ *
+ * Note: Calculations can temporarily result in larger MPIs. So the number
+ * of limbs required (MBEDTLS_MPI_MAX_LIMBS) is higher.
+ */
+#define MBEDTLS_MPI_MAX_SIZE                              1024     /**< Maximum number of bytes for usable MPIs. */
+#endif /* !MBEDTLS_MPI_MAX_SIZE */
+
+#define MBEDTLS_MPI_MAX_BITS                              ( 8 * MBEDTLS_MPI_MAX_SIZE )    /**< Maximum number of bits for usable MPIs. */
+
+/*
+ * When reading from files with mbedtls_mpi_read_file() and writing to files with
+ * mbedtls_mpi_write_file() the buffer should have space
+ * for a (short) label, the MPI (in the provided radix), the newline
+ * characters and the '\0'.
+ *
+ * By default we assume at least a 10 char label, a minimum radix of 10
+ * (decimal) and a maximum of 4096 bit numbers (1234 decimal chars).
+ * Autosized at compile time for at least a 10 char label, a minimum radix
+ * of 10 (decimal) for a number of MBEDTLS_MPI_MAX_BITS size.
+ *
+ * This used to be statically sized to 1250 for a maximum of 4096 bit
+ * numbers (1234 decimal chars).
+ *
+ * Calculate using the formula:
+ *  MBEDTLS_MPI_RW_BUFFER_SIZE = ceil(MBEDTLS_MPI_MAX_BITS / ln(10) * ln(2)) +
+ *                                LabelSize + 6
+ */
+#define MBEDTLS_MPI_MAX_BITS_SCALE100          ( 100 * MBEDTLS_MPI_MAX_BITS )
+#define MBEDTLS_LN_2_DIV_LN_10_SCALE100                 332
+#define MBEDTLS_MPI_RW_BUFFER_SIZE             ( ((MBEDTLS_MPI_MAX_BITS_SCALE100 + MBEDTLS_LN_2_DIV_LN_10_SCALE100 - 1) / MBEDTLS_LN_2_DIV_LN_10_SCALE100) + 10 + 6 )
+
+/*
+ * Define the base integer type, architecture-wise.
+ *
+ * 32 or 64-bit integer types can be forced regardless of the underlying
+ * architecture by defining MBEDTLS_HAVE_INT32 or MBEDTLS_HAVE_INT64
+ * respectively and undefining MBEDTLS_HAVE_ASM.
+ *
+ * Double-width integers (e.g. 128-bit in 64-bit architectures) can be
+ * disabled by defining MBEDTLS_NO_UDBL_DIVISION.
+ */
+#if !defined(MBEDTLS_HAVE_INT32)
+    #if defined(_MSC_VER) && defined(_M_AMD64)
+        /* Always choose 64-bit when using MSC */
+        #if !defined(MBEDTLS_HAVE_INT64)
+            #define MBEDTLS_HAVE_INT64
+        #endif /* !MBEDTLS_HAVE_INT64 */
+        typedef  int64_t mbedtls_mpi_sint;
+        typedef uint64_t mbedtls_mpi_uint;
+    #elif defined(__GNUC__) && (                         \
+        defined(__amd64__) || defined(__x86_64__)     || \
+        defined(__ppc64__) || defined(__powerpc64__)  || \
+        defined(__ia64__)  || defined(__alpha__)      || \
+        ( defined(__sparc__) && defined(__arch64__) ) || \
+        defined(__s390x__) || defined(__mips64) )
+        #if !defined(MBEDTLS_HAVE_INT64)
+            #define MBEDTLS_HAVE_INT64
+        #endif /* MBEDTLS_HAVE_INT64 */
+        typedef  int64_t mbedtls_mpi_sint;
+        typedef uint64_t mbedtls_mpi_uint;
+        #if !defined(MBEDTLS_NO_UDBL_DIVISION)
+            /* mbedtls_t_udbl defined as 128-bit unsigned int */
+            typedef unsigned int mbedtls_t_udbl __attribute__((mode(TI)));
+            #define MBEDTLS_HAVE_UDBL
+        #endif /* !MBEDTLS_NO_UDBL_DIVISION */
+    #elif defined(__ARMCC_VERSION) && defined(__aarch64__)
+        /*
+         * __ARMCC_VERSION is defined for both armcc and armclang and
+         * __aarch64__ is only defined by armclang when compiling 64-bit code
+         */
+        #if !defined(MBEDTLS_HAVE_INT64)
+            #define MBEDTLS_HAVE_INT64
+        #endif /* !MBEDTLS_HAVE_INT64 */
+        typedef  int64_t mbedtls_mpi_sint;
+        typedef uint64_t mbedtls_mpi_uint;
+        #if !defined(MBEDTLS_NO_UDBL_DIVISION)
+            /* mbedtls_t_udbl defined as 128-bit unsigned int */
+            typedef __uint128_t mbedtls_t_udbl;
+            #define MBEDTLS_HAVE_UDBL
+        #endif /* !MBEDTLS_NO_UDBL_DIVISION */
+    #elif defined(MBEDTLS_HAVE_INT64)
+        /* Force 64-bit integers with unknown compiler */
+        typedef  int64_t mbedtls_mpi_sint;
+        typedef uint64_t mbedtls_mpi_uint;
+    #endif
+#endif /* !MBEDTLS_HAVE_INT32 */
+
+#if !defined(MBEDTLS_HAVE_INT64)
+    /* Default to 32-bit compilation */
+    #if !defined(MBEDTLS_HAVE_INT32)
+        #define MBEDTLS_HAVE_INT32
+    #endif /* !MBEDTLS_HAVE_INT32 */
+    typedef  int32_t mbedtls_mpi_sint;
+    typedef uint32_t mbedtls_mpi_uint;
+    #if !defined(MBEDTLS_NO_UDBL_DIVISION)
+        typedef uint64_t mbedtls_t_udbl;
+        #define MBEDTLS_HAVE_UDBL
+    #endif /* !MBEDTLS_NO_UDBL_DIVISION */
+#endif /* !MBEDTLS_HAVE_INT64 */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          MPI structure
+ */
+typedef struct
+{
+    int s;              /*!<  Sign: -1 if the mpi is negative, 1 otherwise */
+    size_t n;           /*!<  total # of limbs  */
+    mbedtls_mpi_uint *p;          /*!<  pointer to limbs  */
+}
+mbedtls_mpi;
+
+/**
+ * \brief           Initialize one MPI (make internal references valid)
+ *                  This just makes it ready to be set or freed,
+ *                  but does not define a value for the MPI.
+ *
+ * \param X         One MPI to initialize.
+ */
+void mbedtls_mpi_init( mbedtls_mpi *X );
+
+/**
+ * \brief          Unallocate one MPI
+ *
+ * \param X        One MPI to unallocate.
+ */
+void mbedtls_mpi_free( mbedtls_mpi *X );
+
+/**
+ * \brief          Enlarge to the specified number of limbs
+ *
+ * \param X        MPI to grow
+ * \param nblimbs  The target number of limbs
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs );
+
+/**
+ * \brief          Resize down, keeping at least the specified number of limbs
+ *
+ * \param X        MPI to shrink
+ * \param nblimbs  The minimum number of limbs to keep
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs );
+
+/**
+ * \brief          Copy the contents of Y into X
+ *
+ * \param X        Destination MPI
+ * \param Y        Source MPI
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y );
+
+/**
+ * \brief          Swap the contents of X and Y
+ *
+ * \param X        First MPI value
+ * \param Y        Second MPI value
+ */
+void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y );
+
+/**
+ * \brief          Safe conditional assignement X = Y if assign is 1
+ *
+ * \param X        MPI to conditionally assign to
+ * \param Y        Value to be assigned
+ * \param assign   1: perform the assignment, 0: keep X's original value
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *
+ * \note           This function is equivalent to
+ *                      if( assign ) mbedtls_mpi_copy( X, Y );
+ *                 except that it avoids leaking any information about whether
+ *                 the assignment was done or not (the above code may leak
+ *                 information through branch prediction and/or memory access
+ *                 patterns analysis).
+ */
+int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign );
+
+/**
+ * \brief          Safe conditional swap X <-> Y if swap is 1
+ *
+ * \param X        First mbedtls_mpi value
+ * \param Y        Second mbedtls_mpi value
+ * \param assign   1: perform the swap, 0: keep X and Y's original values
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *
+ * \note           This function is equivalent to
+ *                      if( assign ) mbedtls_mpi_swap( X, Y );
+ *                 except that it avoids leaking any information about whether
+ *                 the assignment was done or not (the above code may leak
+ *                 information through branch prediction and/or memory access
+ *                 patterns analysis).
+ */
+int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char assign );
+
+/**
+ * \brief          Set value from integer
+ *
+ * \param X        MPI to set
+ * \param z        Value to use
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z );
+
+/**
+ * \brief          Get a specific bit from X
+ *
+ * \param X        MPI to use
+ * \param pos      Zero-based index of the bit in X
+ *
+ * \return         Either a 0 or a 1
+ */
+int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos );
+
+/**
+ * \brief          Set a bit of X to a specific value of 0 or 1
+ *
+ * \note           Will grow X if necessary to set a bit to 1 in a not yet
+ *                 existing limb. Will not grow if bit should be set to 0
+ *
+ * \param X        MPI to use
+ * \param pos      Zero-based index of the bit in X
+ * \param val      The value to set the bit to (0 or 1)
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_MPI_BAD_INPUT_DATA if val is not 0 or 1
+ */
+int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val );
+
+/**
+ * \brief          Return the number of zero-bits before the least significant
+ *                 '1' bit
+ *
+ * Note: Thus also the zero-based index of the least significant '1' bit
+ *
+ * \param X        MPI to use
+ */
+size_t mbedtls_mpi_lsb( const mbedtls_mpi *X );
+
+/**
+ * \brief          Return the number of bits up to and including the most
+ *                 significant '1' bit'
+ *
+ * Note: Thus also the one-based index of the most significant '1' bit
+ *
+ * \param X        MPI to use
+ */
+size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X );
+
+/**
+ * \brief          Return the total size in bytes
+ *
+ * \param X        MPI to use
+ */
+size_t mbedtls_mpi_size( const mbedtls_mpi *X );
+
+/**
+ * \brief          Import from an ASCII string
+ *
+ * \param X        Destination MPI
+ * \param radix    Input numeric base
+ * \param s        Null-terminated string buffer
+ *
+ * \return         0 if successful, or a MBEDTLS_ERR_MPI_XXX error code
+ */
+int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s );
+
+/**
+ * \brief          Export into an ASCII string
+ *
+ * \param X        Source MPI
+ * \param radix    Output numeric base
+ * \param buf      Buffer to write the string to
+ * \param buflen   Length of buf
+ * \param olen     Length of the string written, including final NUL byte
+ *
+ * \return         0 if successful, or a MBEDTLS_ERR_MPI_XXX error code.
+ *                 *olen is always updated to reflect the amount
+ *                 of data that has (or would have) been written.
+ *
+ * \note           Call this function with buflen = 0 to obtain the
+ *                 minimum required buffer size in *olen.
+ */
+int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
+                              char *buf, size_t buflen, size_t *olen );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Read MPI from a line in an opened file
+ *
+ * \param X        Destination MPI
+ * \param radix    Input numeric base
+ * \param fin      Input file handle
+ *
+ * \return         0 if successful, MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if
+ *                 the file read buffer is too small or a
+ *                 MBEDTLS_ERR_MPI_XXX error code
+ *
+ * \note           On success, this function advances the file stream
+ *                 to the end of the current line or to EOF.
+ *
+ *                 The function returns 0 on an empty line.
+ *
+ *                 Leading whitespaces are ignored, as is a
+ *                 '0x' prefix for radix 16.
+ *
+ */
+int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin );
+
+/**
+ * \brief          Write X into an opened file, or stdout if fout is NULL
+ *
+ * \param p        Prefix, can be NULL
+ * \param X        Source MPI
+ * \param radix    Output numeric base
+ * \param fout     Output file handle (can be NULL)
+ *
+ * \return         0 if successful, or a MBEDTLS_ERR_MPI_XXX error code
+ *
+ * \note           Set fout == NULL to print X on the console.
+ */
+int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE *fout );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Import X from unsigned binary data, big endian
+ *
+ * \param X        Destination MPI
+ * \param buf      Input buffer
+ * \param buflen   Input buffer size
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen );
+
+/**
+ * \brief          Export X into unsigned binary data, big endian.
+ *                 Always fills the whole buffer, which will start with zeros
+ *                 if the number is smaller.
+ *
+ * \param X        Source MPI
+ * \param buf      Output buffer
+ * \param buflen   Output buffer size
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if buf isn't large enough
+ */
+int mbedtls_mpi_write_binary( const mbedtls_mpi *X, unsigned char *buf, size_t buflen );
+
+/**
+ * \brief          Left-shift: X <<= count
+ *
+ * \param X        MPI to shift
+ * \param count    Amount to shift
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count );
+
+/**
+ * \brief          Right-shift: X >>= count
+ *
+ * \param X        MPI to shift
+ * \param count    Amount to shift
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count );
+
+/**
+ * \brief          Compare unsigned values
+ *
+ * \param X        Left-hand MPI
+ * \param Y        Right-hand MPI
+ *
+ * \return         1 if |X| is greater than |Y|,
+ *                -1 if |X| is lesser  than |Y| or
+ *                 0 if |X| is equal to |Y|
+ */
+int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y );
+
+/**
+ * \brief          Compare signed values
+ *
+ * \param X        Left-hand MPI
+ * \param Y        Right-hand MPI
+ *
+ * \return         1 if X is greater than Y,
+ *                -1 if X is lesser  than Y or
+ *                 0 if X is equal to Y
+ */
+int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y );
+
+/**
+ * \brief          Check if an MPI is less than the other in constant time.
+ *
+ * \param X        The left-hand MPI. This must point to an initialized MPI
+ *                 with the same allocated length as Y.
+ * \param Y        The right-hand MPI. This must point to an initialized MPI
+ *                 with the same allocated length as X.
+ * \param ret      The result of the comparison:
+ *                 \c 1 if \p X is less than \p Y.
+ *                 \c 0 if \p X is greater than or equal to \p Y.
+ *
+ * \return         0 on success.
+ * \return         MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the allocated length of
+ *                 the two input MPIs is not the same.
+ */
+int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y,
+        unsigned *ret );
+
+/**
+ * \brief          Compare signed values
+ *
+ * \param X        Left-hand MPI
+ * \param z        The integer value to compare to
+ *
+ * \return         1 if X is greater than z,
+ *                -1 if X is lesser  than z or
+ *                 0 if X is equal to z
+ */
+int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z );
+
+/**
+ * \brief          Unsigned addition: X = |A| + |B|
+ *
+ * \param X        Destination MPI
+ * \param A        Left-hand MPI
+ * \param B        Right-hand MPI
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+
+/**
+ * \brief          Unsigned subtraction: X = |A| - |B|
+ *
+ * \param X        Destination MPI
+ * \param A        Left-hand MPI
+ * \param B        Right-hand MPI
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_NEGATIVE_VALUE if B is greater than A
+ */
+int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+
+/**
+ * \brief          Signed addition: X = A + B
+ *
+ * \param X        Destination MPI
+ * \param A        Left-hand MPI
+ * \param B        Right-hand MPI
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+
+/**
+ * \brief          Signed subtraction: X = A - B
+ *
+ * \param X        Destination MPI
+ * \param A        Left-hand MPI
+ * \param B        Right-hand MPI
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+
+/**
+ * \brief          Signed addition: X = A + b
+ *
+ * \param X        Destination MPI
+ * \param A        Left-hand MPI
+ * \param b        The integer value to add
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b );
+
+/**
+ * \brief          Signed subtraction: X = A - b
+ *
+ * \param X        Destination MPI
+ * \param A        Left-hand MPI
+ * \param b        The integer value to subtract
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b );
+
+/**
+ * \brief          Baseline multiplication: X = A * B
+ *
+ * \param X        Destination MPI
+ * \param A        Left-hand MPI
+ * \param B        Right-hand MPI
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+
+/**
+ * \brief          Baseline multiplication: X = A * b
+ *
+ * \param X        Destination MPI
+ * \param A        Left-hand MPI
+ * \param b        The unsigned integer value to multiply with
+ *
+ * \note           b is unsigned
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b );
+
+/**
+ * \brief          Division by mbedtls_mpi: A = Q * B + R
+ *
+ * \param Q        Destination MPI for the quotient
+ * \param R        Destination MPI for the rest value
+ * \param A        Left-hand MPI
+ * \param B        Right-hand MPI
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if B == 0
+ *
+ * \note           Either Q or R can be NULL.
+ */
+int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B );
+
+/**
+ * \brief          Division by int: A = Q * b + R
+ *
+ * \param Q        Destination MPI for the quotient
+ * \param R        Destination MPI for the rest value
+ * \param A        Left-hand MPI
+ * \param b        Integer to divide by
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if b == 0
+ *
+ * \note           Either Q or R can be NULL.
+ */
+int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, mbedtls_mpi_sint b );
+
+/**
+ * \brief          Modulo: R = A mod B
+ *
+ * \param R        Destination MPI for the rest value
+ * \param A        Left-hand MPI
+ * \param B        Right-hand MPI
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if B == 0,
+ *                 MBEDTLS_ERR_MPI_NEGATIVE_VALUE if B < 0
+ */
+int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B );
+
+/**
+ * \brief          Modulo: r = A mod b
+ *
+ * \param r        Destination mbedtls_mpi_uint
+ * \param A        Left-hand MPI
+ * \param b        Integer to divide by
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if b == 0,
+ *                 MBEDTLS_ERR_MPI_NEGATIVE_VALUE if b < 0
+ */
+int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b );
+
+/**
+ * \brief          Sliding-window exponentiation: X = A^E mod N
+ *
+ * \param X        Destination MPI
+ * \param A        Left-hand MPI
+ * \param E        Exponent MPI
+ * \param N        Modular MPI
+ * \param _RR      Speed-up MPI used for recalculations
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_MPI_BAD_INPUT_DATA if N is negative or even or
+ *                 if E is negative
+ *
+ * \note           _RR is used to avoid re-computing R*R mod N across
+ *                 multiple calls, which speeds up things a bit. It can
+ *                 be set to NULL if the extra performance is unneeded.
+ */
+int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *_RR );
+
+/**
+ * \brief          Fill an MPI X with size bytes of random
+ *
+ * \param X        Destination MPI
+ * \param size     Size in bytes
+ * \param f_rng    RNG function
+ * \param p_rng    RNG parameter
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ *
+ * \note           The bytes obtained from the PRNG are interpreted
+ *                 as a big-endian representation of an MPI; this can
+ *                 be relevant in applications like deterministic ECDSA.
+ */
+int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief          Greatest common divisor: G = gcd(A, B)
+ *
+ * \param G        Destination MPI
+ * \param A        Left-hand MPI
+ * \param B        Right-hand MPI
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B );
+
+/**
+ * \brief          Modular inverse: X = A^-1 mod N
+ *
+ * \param X        Destination MPI
+ * \param A        Left-hand MPI
+ * \param N        Right-hand MPI
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_MPI_BAD_INPUT_DATA if N is <= 1,
+                   MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if A has no inverse mod N.
+ */
+int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N );
+
+/**
+ * \brief          Miller-Rabin primality test
+ *
+ * \param X        MPI to check
+ * \param f_rng    RNG function
+ * \param p_rng    RNG parameter
+ *
+ * \return         0 if successful (probably prime),
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if X is not prime
+ */
+int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
+                  int (*f_rng)(void *, unsigned char *, size_t),
+                  void *p_rng );
+
+/**
+ * \brief          Prime number generation
+ *
+ * \param X        Destination MPI
+ * \param nbits    Required size of X in bits
+ *                 ( 3 <= nbits <= MBEDTLS_MPI_MAX_BITS )
+ * \param dh_flag  If 1, then (X-1)/2 will be prime too
+ * \param f_rng    RNG function
+ * \param p_rng    RNG parameter
+ *
+ * \return         0 if successful (probably prime),
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_MPI_BAD_INPUT_DATA if nbits is < 3
+ */
+int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
+                   int (*f_rng)(void *, unsigned char *, size_t),
+                   void *p_rng );
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_mpi_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* bignum.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/blowfish.h b/third-party/mbedtls-3.6/include/mbedtls/blowfish.h
new file mode 100644
index 00000000..60017af3
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/blowfish.h
@@ -0,0 +1,230 @@
+/**
+ * \file blowfish.h
+ *
+ * \brief Blowfish block cipher
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_BLOWFISH_H
+#define MBEDTLS_BLOWFISH_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_BLOWFISH_ENCRYPT     1
+#define MBEDTLS_BLOWFISH_DECRYPT     0
+#define MBEDTLS_BLOWFISH_MAX_KEY_BITS     448
+#define MBEDTLS_BLOWFISH_MIN_KEY_BITS     32
+#define MBEDTLS_BLOWFISH_ROUNDS      16         /**< Rounds to use. When increasing this value, make sure to extend the initialisation vectors */
+#define MBEDTLS_BLOWFISH_BLOCKSIZE   8          /* Blowfish uses 64 bit blocks */
+
+#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH                -0x0016  /**< Invalid key length. */
+#define MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED                   -0x0017  /**< Blowfish hardware accelerator failed. */
+#define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH              -0x0018  /**< Invalid data input length. */
+
+#if !defined(MBEDTLS_BLOWFISH_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Blowfish context structure
+ */
+typedef struct
+{
+    uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2];    /*!<  Blowfish round keys    */
+    uint32_t S[4][256];                 /*!<  key dependent S-boxes  */
+}
+mbedtls_blowfish_context;
+
+/**
+ * \brief          Initialize Blowfish context
+ *
+ * \param ctx      Blowfish context to be initialized
+ */
+void mbedtls_blowfish_init( mbedtls_blowfish_context *ctx );
+
+/**
+ * \brief          Clear Blowfish context
+ *
+ * \param ctx      Blowfish context to be cleared
+ */
+void mbedtls_blowfish_free( mbedtls_blowfish_context *ctx );
+
+/**
+ * \brief          Blowfish key schedule
+ *
+ * \param ctx      Blowfish context to be initialized
+ * \param key      encryption key
+ * \param keybits  must be between 32 and 448 bits
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
+ */
+int mbedtls_blowfish_setkey( mbedtls_blowfish_context *ctx, const unsigned char *key,
+                     unsigned int keybits );
+
+/**
+ * \brief          Blowfish-ECB block encryption/decryption
+ *
+ * \param ctx      Blowfish context
+ * \param mode     MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
+ * \param input    8-byte input block
+ * \param output   8-byte output block
+ *
+ * \return         0 if successful
+ */
+int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
+                        int mode,
+                        const unsigned char input[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                        unsigned char output[MBEDTLS_BLOWFISH_BLOCKSIZE] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          Blowfish-CBC buffer encryption/decryption
+ *                 Length should be a multiple of the block
+ *                 size (8 bytes)
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      Blowfish context
+ * \param mode     MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if successful, or
+ *                 MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
+ */
+int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
+                        int mode,
+                        size_t length,
+                        unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                        const unsigned char *input,
+                        unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief          Blowfish CFB buffer encryption/decryption.
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      Blowfish context
+ * \param mode     MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
+ * \param length   length of the input data
+ * \param iv_off   offset in IV (updated after use)
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if successful
+ */
+int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
+                          int mode,
+                          size_t length,
+                          size_t *iv_off,
+                          unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                          const unsigned char *input,
+                          unsigned char *output );
+#endif /*MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief               Blowfish-CTR buffer encryption/decryption
+ *
+ * Warning: You have to keep the maximum use of your counter in mind!
+ *
+ * \param ctx           Blowfish context
+ * \param length        The length of the data
+ * \param nc_off        The offset in the current stream_block (for resuming
+ *                      within current cipher stream). The offset pointer to
+ *                      should be 0 at the start of a stream.
+ * \param nonce_counter The 64-bit nonce and counter.
+ * \param stream_block  The saved stream-block for resuming. Is overwritten
+ *                      by the function.
+ * \param input         The input data stream
+ * \param output        The output data stream
+ *
+ * \return         0 if successful
+ */
+int mbedtls_blowfish_crypt_ctr( mbedtls_blowfish_context *ctx,
+                        size_t length,
+                        size_t *nc_off,
+                        unsigned char nonce_counter[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                        unsigned char stream_block[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                        const unsigned char *input,
+                        unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_BLOWFISH_ALT */
+#include "blowfish_alt.h"
+#endif /* MBEDTLS_BLOWFISH_ALT */
+
+#endif /* blowfish.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/bn_mul.h b/third-party/mbedtls-3.6/include/mbedtls/bn_mul.h
new file mode 100644
index 00000000..d0b10223
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/bn_mul.h
@@ -0,0 +1,924 @@
+/**
+ * \file bn_mul.h
+ *
+ * \brief Multi-precision integer library
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *      Multiply source vector [s] with b, add result
+ *       to destination vector [d] and set carry c.
+ *
+ *      Currently supports:
+ *
+ *         . IA-32 (386+)         . AMD64 / EM64T
+ *         . IA-32 (SSE2)         . Motorola 68000
+ *         . PowerPC, 32-bit      . MicroBlaze
+ *         . PowerPC, 64-bit      . TriCore
+ *         . SPARC v8             . ARM v3+
+ *         . Alpha                . MIPS32
+ *         . C, longlong          . C, generic
+ */
+#ifndef MBEDTLS_BN_MUL_H
+#define MBEDTLS_BN_MUL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+
+#if defined(MBEDTLS_HAVE_ASM)
+
+#ifndef asm
+#define asm __asm
+#endif
+
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 )
+
+/*
+ * Disable use of the i386 assembly code below if option -O0, to disable all
+ * compiler optimisations, is passed, detected with __OPTIMIZE__
+ * This is done as the number of registers used in the assembly code doesn't
+ * work with the -O0 option.
+ */
+#if defined(__i386__) && defined(__OPTIMIZE__)
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "movl   %%ebx, %0           \n\t"   \
+        "movl   %5, %%esi           \n\t"   \
+        "movl   %6, %%edi           \n\t"   \
+        "movl   %7, %%ecx           \n\t"   \
+        "movl   %8, %%ebx           \n\t"
+
+#define MULADDC_CORE                        \
+        "lodsl                      \n\t"   \
+        "mull   %%ebx               \n\t"   \
+        "addl   %%ecx,   %%eax      \n\t"   \
+        "adcl   $0,      %%edx      \n\t"   \
+        "addl   (%%edi), %%eax      \n\t"   \
+        "adcl   $0,      %%edx      \n\t"   \
+        "movl   %%edx,   %%ecx      \n\t"   \
+        "stosl                      \n\t"
+
+#if defined(MBEDTLS_HAVE_SSE2)
+
+#define MULADDC_HUIT                            \
+        "movd     %%ecx,     %%mm1      \n\t"   \
+        "movd     %%ebx,     %%mm0      \n\t"   \
+        "movd     (%%edi),   %%mm3      \n\t"   \
+        "paddq    %%mm3,     %%mm1      \n\t"   \
+        "movd     (%%esi),   %%mm2      \n\t"   \
+        "pmuludq  %%mm0,     %%mm2      \n\t"   \
+        "movd     4(%%esi),  %%mm4      \n\t"   \
+        "pmuludq  %%mm0,     %%mm4      \n\t"   \
+        "movd     8(%%esi),  %%mm6      \n\t"   \
+        "pmuludq  %%mm0,     %%mm6      \n\t"   \
+        "movd     12(%%esi), %%mm7      \n\t"   \
+        "pmuludq  %%mm0,     %%mm7      \n\t"   \
+        "paddq    %%mm2,     %%mm1      \n\t"   \
+        "movd     4(%%edi),  %%mm3      \n\t"   \
+        "paddq    %%mm4,     %%mm3      \n\t"   \
+        "movd     8(%%edi),  %%mm5      \n\t"   \
+        "paddq    %%mm6,     %%mm5      \n\t"   \
+        "movd     12(%%edi), %%mm4      \n\t"   \
+        "paddq    %%mm4,     %%mm7      \n\t"   \
+        "movd     %%mm1,     (%%edi)    \n\t"   \
+        "movd     16(%%esi), %%mm2      \n\t"   \
+        "pmuludq  %%mm0,     %%mm2      \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "movd     20(%%esi), %%mm4      \n\t"   \
+        "pmuludq  %%mm0,     %%mm4      \n\t"   \
+        "paddq    %%mm3,     %%mm1      \n\t"   \
+        "movd     24(%%esi), %%mm6      \n\t"   \
+        "pmuludq  %%mm0,     %%mm6      \n\t"   \
+        "movd     %%mm1,     4(%%edi)   \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "movd     28(%%esi), %%mm3      \n\t"   \
+        "pmuludq  %%mm0,     %%mm3      \n\t"   \
+        "paddq    %%mm5,     %%mm1      \n\t"   \
+        "movd     16(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm2      \n\t"   \
+        "movd     %%mm1,     8(%%edi)   \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm7,     %%mm1      \n\t"   \
+        "movd     20(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm4      \n\t"   \
+        "movd     %%mm1,     12(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm2,     %%mm1      \n\t"   \
+        "movd     24(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm6      \n\t"   \
+        "movd     %%mm1,     16(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm4,     %%mm1      \n\t"   \
+        "movd     28(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm3      \n\t"   \
+        "movd     %%mm1,     20(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm6,     %%mm1      \n\t"   \
+        "movd     %%mm1,     24(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm3,     %%mm1      \n\t"   \
+        "movd     %%mm1,     28(%%edi)  \n\t"   \
+        "addl     $32,       %%edi      \n\t"   \
+        "addl     $32,       %%esi      \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "movd     %%mm1,     %%ecx      \n\t"
+
+#define MULADDC_STOP                    \
+        "emms                   \n\t"   \
+        "movl   %4, %%ebx       \n\t"   \
+        "movl   %%ecx, %1       \n\t"   \
+        "movl   %%edi, %2       \n\t"   \
+        "movl   %%esi, %3       \n\t"   \
+        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
+        : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
+        : "eax", "ebx", "ecx", "edx", "esi", "edi"      \
+    );
+
+#else
+
+#define MULADDC_STOP                    \
+        "movl   %4, %%ebx       \n\t"   \
+        "movl   %%ecx, %1       \n\t"   \
+        "movl   %%edi, %2       \n\t"   \
+        "movl   %%esi, %3       \n\t"   \
+        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
+        : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
+        : "eax", "ebx", "ecx", "edx", "esi", "edi"      \
+    );
+#endif /* SSE2 */
+#endif /* i386 */
+
+#if defined(__amd64__) || defined (__x86_64__)
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "xorq   %%r8, %%r8\n"
+
+#define MULADDC_CORE                        \
+        "movq   (%%rsi), %%rax\n"           \
+        "mulq   %%rbx\n"                    \
+        "addq   $8, %%rsi\n"                \
+        "addq   %%rcx, %%rax\n"             \
+        "movq   %%r8, %%rcx\n"              \
+        "adcq   $0, %%rdx\n"                \
+        "nop    \n"                         \
+        "addq   %%rax, (%%rdi)\n"           \
+        "adcq   %%rdx, %%rcx\n"             \
+        "addq   $8, %%rdi\n"
+
+#define MULADDC_STOP                        \
+        : "+c" (c), "+D" (d), "+S" (s)      \
+        : "b" (b)                           \
+        : "rax", "rdx", "r8"                \
+    );
+
+#endif /* AMD64 */
+
+#if defined(__mc68020__) || defined(__mcpu32__)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "movl   %3, %%a2        \n\t"   \
+        "movl   %4, %%a3        \n\t"   \
+        "movl   %5, %%d3        \n\t"   \
+        "movl   %6, %%d2        \n\t"   \
+        "moveq  #0, %%d0        \n\t"
+
+#define MULADDC_CORE                    \
+        "movel  %%a2@+, %%d1    \n\t"   \
+        "mulul  %%d2, %%d4:%%d1 \n\t"   \
+        "addl   %%d3, %%d1      \n\t"   \
+        "addxl  %%d0, %%d4      \n\t"   \
+        "moveq  #0,   %%d3      \n\t"   \
+        "addl   %%d1, %%a3@+    \n\t"   \
+        "addxl  %%d4, %%d3      \n\t"
+
+#define MULADDC_STOP                    \
+        "movl   %%d3, %0        \n\t"   \
+        "movl   %%a3, %1        \n\t"   \
+        "movl   %%a2, %2        \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "d0", "d1", "d2", "d3", "d4", "a2", "a3"  \
+    );
+
+#define MULADDC_HUIT                        \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"
+
+#endif /* MC68000 */
+
+#if defined(__powerpc64__) || defined(__ppc64__)
+
+#if defined(__MACH__) && defined(__APPLE__)
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "ld     r3, %3              \n\t"   \
+        "ld     r4, %4              \n\t"   \
+        "ld     r5, %5              \n\t"   \
+        "ld     r6, %6              \n\t"   \
+        "addi   r3, r3, -8          \n\t"   \
+        "addi   r4, r4, -8          \n\t"   \
+        "addic  r5, r5,  0          \n\t"
+
+#define MULADDC_CORE                        \
+        "ldu    r7, 8(r3)           \n\t"   \
+        "mulld  r8, r7, r6          \n\t"   \
+        "mulhdu r9, r7, r6          \n\t"   \
+        "adde   r8, r8, r5          \n\t"   \
+        "ld     r7, 8(r4)           \n\t"   \
+        "addze  r5, r9              \n\t"   \
+        "addc   r8, r8, r7          \n\t"   \
+        "stdu   r8, 8(r4)           \n\t"
+
+#define MULADDC_STOP                        \
+        "addze  r5, r5              \n\t"   \
+        "addi   r4, r4, 8           \n\t"   \
+        "addi   r3, r3, 8           \n\t"   \
+        "std    r5, %0              \n\t"   \
+        "std    r4, %1              \n\t"   \
+        "std    r3, %2              \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
+
+
+#else /* __MACH__ && __APPLE__ */
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "ld     %%r3, %3            \n\t"   \
+        "ld     %%r4, %4            \n\t"   \
+        "ld     %%r5, %5            \n\t"   \
+        "ld     %%r6, %6            \n\t"   \
+        "addi   %%r3, %%r3, -8      \n\t"   \
+        "addi   %%r4, %%r4, -8      \n\t"   \
+        "addic  %%r5, %%r5,  0      \n\t"
+
+#define MULADDC_CORE                        \
+        "ldu    %%r7, 8(%%r3)       \n\t"   \
+        "mulld  %%r8, %%r7, %%r6    \n\t"   \
+        "mulhdu %%r9, %%r7, %%r6    \n\t"   \
+        "adde   %%r8, %%r8, %%r5    \n\t"   \
+        "ld     %%r7, 8(%%r4)       \n\t"   \
+        "addze  %%r5, %%r9          \n\t"   \
+        "addc   %%r8, %%r8, %%r7    \n\t"   \
+        "stdu   %%r8, 8(%%r4)       \n\t"
+
+#define MULADDC_STOP                        \
+        "addze  %%r5, %%r5          \n\t"   \
+        "addi   %%r4, %%r4, 8       \n\t"   \
+        "addi   %%r3, %%r3, 8       \n\t"   \
+        "std    %%r5, %0            \n\t"   \
+        "std    %%r4, %1            \n\t"   \
+        "std    %%r3, %2            \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
+
+#endif /* __MACH__ && __APPLE__ */
+
+#elif defined(__powerpc__) || defined(__ppc__) /* end PPC64/begin PPC32  */
+
+#if defined(__MACH__) && defined(__APPLE__)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "lwz    r3, %3          \n\t"   \
+        "lwz    r4, %4          \n\t"   \
+        "lwz    r5, %5          \n\t"   \
+        "lwz    r6, %6          \n\t"   \
+        "addi   r3, r3, -4      \n\t"   \
+        "addi   r4, r4, -4      \n\t"   \
+        "addic  r5, r5,  0      \n\t"
+
+#define MULADDC_CORE                    \
+        "lwzu   r7, 4(r3)       \n\t"   \
+        "mullw  r8, r7, r6      \n\t"   \
+        "mulhwu r9, r7, r6      \n\t"   \
+        "adde   r8, r8, r5      \n\t"   \
+        "lwz    r7, 4(r4)       \n\t"   \
+        "addze  r5, r9          \n\t"   \
+        "addc   r8, r8, r7      \n\t"   \
+        "stwu   r8, 4(r4)       \n\t"
+
+#define MULADDC_STOP                    \
+        "addze  r5, r5          \n\t"   \
+        "addi   r4, r4, 4       \n\t"   \
+        "addi   r3, r3, 4       \n\t"   \
+        "stw    r5, %0          \n\t"   \
+        "stw    r4, %1          \n\t"   \
+        "stw    r3, %2          \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
+
+#else /* __MACH__ && __APPLE__ */
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "lwz    %%r3, %3            \n\t"   \
+        "lwz    %%r4, %4            \n\t"   \
+        "lwz    %%r5, %5            \n\t"   \
+        "lwz    %%r6, %6            \n\t"   \
+        "addi   %%r3, %%r3, -4      \n\t"   \
+        "addi   %%r4, %%r4, -4      \n\t"   \
+        "addic  %%r5, %%r5,  0      \n\t"
+
+#define MULADDC_CORE                        \
+        "lwzu   %%r7, 4(%%r3)       \n\t"   \
+        "mullw  %%r8, %%r7, %%r6    \n\t"   \
+        "mulhwu %%r9, %%r7, %%r6    \n\t"   \
+        "adde   %%r8, %%r8, %%r5    \n\t"   \
+        "lwz    %%r7, 4(%%r4)       \n\t"   \
+        "addze  %%r5, %%r9          \n\t"   \
+        "addc   %%r8, %%r8, %%r7    \n\t"   \
+        "stwu   %%r8, 4(%%r4)       \n\t"
+
+#define MULADDC_STOP                        \
+        "addze  %%r5, %%r5          \n\t"   \
+        "addi   %%r4, %%r4, 4       \n\t"   \
+        "addi   %%r3, %%r3, 4       \n\t"   \
+        "stw    %%r5, %0            \n\t"   \
+        "stw    %%r4, %1            \n\t"   \
+        "stw    %%r3, %2            \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
+
+#endif /* __MACH__ && __APPLE__ */
+
+#endif /* PPC32 */
+
+/*
+ * The Sparc(64) assembly is reported to be broken.
+ * Disable it for now, until we're able to fix it.
+ */
+#if 0 && defined(__sparc__)
+#if defined(__sparc64__)
+
+#define MULADDC_INIT                                    \
+    asm(                                                \
+                "ldx     %3, %%o0               \n\t"   \
+                "ldx     %4, %%o1               \n\t"   \
+                "ld      %5, %%o2               \n\t"   \
+                "ld      %6, %%o3               \n\t"
+
+#define MULADDC_CORE                                    \
+                "ld      [%%o0], %%o4           \n\t"   \
+                "inc     4, %%o0                \n\t"   \
+                "ld      [%%o1], %%o5           \n\t"   \
+                "umul    %%o3, %%o4, %%o4       \n\t"   \
+                "addcc   %%o4, %%o2, %%o4       \n\t"   \
+                "rd      %%y, %%g1              \n\t"   \
+                "addx    %%g1, 0, %%g1          \n\t"   \
+                "addcc   %%o4, %%o5, %%o4       \n\t"   \
+                "st      %%o4, [%%o1]           \n\t"   \
+                "addx    %%g1, 0, %%o2          \n\t"   \
+                "inc     4, %%o1                \n\t"
+
+        #define MULADDC_STOP                            \
+                "st      %%o2, %0               \n\t"   \
+                "stx     %%o1, %1               \n\t"   \
+                "stx     %%o0, %2               \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)          \
+        : "m" (s), "m" (d), "m" (c), "m" (b)    \
+        : "g1", "o0", "o1", "o2", "o3", "o4",   \
+          "o5"                                  \
+        );
+
+#else /* __sparc64__ */
+
+#define MULADDC_INIT                                    \
+    asm(                                                \
+                "ld      %3, %%o0               \n\t"   \
+                "ld      %4, %%o1               \n\t"   \
+                "ld      %5, %%o2               \n\t"   \
+                "ld      %6, %%o3               \n\t"
+
+#define MULADDC_CORE                                    \
+                "ld      [%%o0], %%o4           \n\t"   \
+                "inc     4, %%o0                \n\t"   \
+                "ld      [%%o1], %%o5           \n\t"   \
+                "umul    %%o3, %%o4, %%o4       \n\t"   \
+                "addcc   %%o4, %%o2, %%o4       \n\t"   \
+                "rd      %%y, %%g1              \n\t"   \
+                "addx    %%g1, 0, %%g1          \n\t"   \
+                "addcc   %%o4, %%o5, %%o4       \n\t"   \
+                "st      %%o4, [%%o1]           \n\t"   \
+                "addx    %%g1, 0, %%o2          \n\t"   \
+                "inc     4, %%o1                \n\t"
+
+#define MULADDC_STOP                                    \
+                "st      %%o2, %0               \n\t"   \
+                "st      %%o1, %1               \n\t"   \
+                "st      %%o0, %2               \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)          \
+        : "m" (s), "m" (d), "m" (c), "m" (b)    \
+        : "g1", "o0", "o1", "o2", "o3", "o4",   \
+          "o5"                                  \
+        );
+
+#endif /* __sparc64__ */
+#endif /* __sparc__ */
+
+#if defined(__microblaze__) || defined(microblaze)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "lwi   r3,   %3         \n\t"   \
+        "lwi   r4,   %4         \n\t"   \
+        "lwi   r5,   %5         \n\t"   \
+        "lwi   r6,   %6         \n\t"   \
+        "andi  r7,   r6, 0xffff \n\t"   \
+        "bsrli r6,   r6, 16     \n\t"
+
+#define MULADDC_CORE                    \
+        "lhui  r8,   r3,   0    \n\t"   \
+        "addi  r3,   r3,   2    \n\t"   \
+        "lhui  r9,   r3,   0    \n\t"   \
+        "addi  r3,   r3,   2    \n\t"   \
+        "mul   r10,  r9,  r6    \n\t"   \
+        "mul   r11,  r8,  r7    \n\t"   \
+        "mul   r12,  r9,  r7    \n\t"   \
+        "mul   r13,  r8,  r6    \n\t"   \
+        "bsrli  r8, r10,  16    \n\t"   \
+        "bsrli  r9, r11,  16    \n\t"   \
+        "add   r13, r13,  r8    \n\t"   \
+        "add   r13, r13,  r9    \n\t"   \
+        "bslli r10, r10,  16    \n\t"   \
+        "bslli r11, r11,  16    \n\t"   \
+        "add   r12, r12, r10    \n\t"   \
+        "addc  r13, r13,  r0    \n\t"   \
+        "add   r12, r12, r11    \n\t"   \
+        "addc  r13, r13,  r0    \n\t"   \
+        "lwi   r10,  r4,   0    \n\t"   \
+        "add   r12, r12, r10    \n\t"   \
+        "addc  r13, r13,  r0    \n\t"   \
+        "add   r12, r12,  r5    \n\t"   \
+        "addc   r5, r13,  r0    \n\t"   \
+        "swi   r12,  r4,   0    \n\t"   \
+        "addi   r4,  r4,   4    \n\t"
+
+#define MULADDC_STOP                    \
+        "swi   r5,   %0         \n\t"   \
+        "swi   r4,   %1         \n\t"   \
+        "swi   r3,   %2         \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8",       \
+          "r9", "r10", "r11", "r12", "r13"          \
+    );
+
+#endif /* MicroBlaze */
+
+#if defined(__tricore__)
+
+#define MULADDC_INIT                            \
+    asm(                                        \
+        "ld.a   %%a2, %3                \n\t"   \
+        "ld.a   %%a3, %4                \n\t"   \
+        "ld.w   %%d4, %5                \n\t"   \
+        "ld.w   %%d1, %6                \n\t"   \
+        "xor    %%d5, %%d5              \n\t"
+
+#define MULADDC_CORE                            \
+        "ld.w   %%d0,   [%%a2+]         \n\t"   \
+        "madd.u %%e2, %%e4, %%d0, %%d1  \n\t"   \
+        "ld.w   %%d0,   [%%a3]          \n\t"   \
+        "addx   %%d2,    %%d2,  %%d0    \n\t"   \
+        "addc   %%d3,    %%d3,    0     \n\t"   \
+        "mov    %%d4,    %%d3           \n\t"   \
+        "st.w  [%%a3+],  %%d2           \n\t"
+
+#define MULADDC_STOP                            \
+        "st.w   %0, %%d4                \n\t"   \
+        "st.a   %1, %%a3                \n\t"   \
+        "st.a   %2, %%a2                \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)          \
+        : "m" (s), "m" (d), "m" (c), "m" (b)    \
+        : "d0", "d1", "e2", "d4", "a2", "a3"    \
+    );
+
+#endif /* TriCore */
+
+/*
+ * gcc -O0 by default uses r7 for the frame pointer, so it complains about our
+ * use of r7 below, unless -fomit-frame-pointer is passed. Unfortunately,
+ * passing that option is not easy when building with yotta.
+ *
+ * On the other hand, -fomit-frame-pointer is implied by any -Ox options with
+ * x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
+ * clang and armcc5 under the same conditions).
+ *
+ * So, only use the optimized assembly below for optimized build, which avoids
+ * the build error and is pretty reasonable anyway.
+ */
+#if defined(__GNUC__) && !defined(__OPTIMIZE__)
+#define MULADDC_CANNOT_USE_R7
+#endif
+
+#if defined(__arm__) && !defined(MULADDC_CANNOT_USE_R7)
+
+#if defined(__thumb__) && !defined(__thumb2__)
+
+#define MULADDC_INIT                                    \
+    asm(                                                \
+            "ldr    r0, %3                      \n\t"   \
+            "ldr    r1, %4                      \n\t"   \
+            "ldr    r2, %5                      \n\t"   \
+            "ldr    r3, %6                      \n\t"   \
+            "lsr    r7, r3, #16                 \n\t"   \
+            "mov    r9, r7                      \n\t"   \
+            "lsl    r7, r3, #16                 \n\t"   \
+            "lsr    r7, r7, #16                 \n\t"   \
+            "mov    r8, r7                      \n\t"
+
+#define MULADDC_CORE                                    \
+            "ldmia  r0!, {r6}                   \n\t"   \
+            "lsr    r7, r6, #16                 \n\t"   \
+            "lsl    r6, r6, #16                 \n\t"   \
+            "lsr    r6, r6, #16                 \n\t"   \
+            "mov    r4, r8                      \n\t"   \
+            "mul    r4, r6                      \n\t"   \
+            "mov    r3, r9                      \n\t"   \
+            "mul    r6, r3                      \n\t"   \
+            "mov    r5, r9                      \n\t"   \
+            "mul    r5, r7                      \n\t"   \
+            "mov    r3, r8                      \n\t"   \
+            "mul    r7, r3                      \n\t"   \
+            "lsr    r3, r6, #16                 \n\t"   \
+            "add    r5, r5, r3                  \n\t"   \
+            "lsr    r3, r7, #16                 \n\t"   \
+            "add    r5, r5, r3                  \n\t"   \
+            "add    r4, r4, r2                  \n\t"   \
+            "mov    r2, #0                      \n\t"   \
+            "adc    r5, r2                      \n\t"   \
+            "lsl    r3, r6, #16                 \n\t"   \
+            "add    r4, r4, r3                  \n\t"   \
+            "adc    r5, r2                      \n\t"   \
+            "lsl    r3, r7, #16                 \n\t"   \
+            "add    r4, r4, r3                  \n\t"   \
+            "adc    r5, r2                      \n\t"   \
+            "ldr    r3, [r1]                    \n\t"   \
+            "add    r4, r4, r3                  \n\t"   \
+            "adc    r2, r5                      \n\t"   \
+            "stmia  r1!, {r4}                   \n\t"
+
+#define MULADDC_STOP                                    \
+            "str    r2, %0                      \n\t"   \
+            "str    r1, %1                      \n\t"   \
+            "str    r0, %2                      \n\t"   \
+         : "=m" (c),  "=m" (d), "=m" (s)        \
+         : "m" (s), "m" (d), "m" (c), "m" (b)   \
+         : "r0", "r1", "r2", "r3", "r4", "r5",  \
+           "r6", "r7", "r8", "r9", "cc"         \
+         );
+
+#else
+
+#define MULADDC_INIT                                    \
+    asm(                                                \
+            "ldr    r0, %3                      \n\t"   \
+            "ldr    r1, %4                      \n\t"   \
+            "ldr    r2, %5                      \n\t"   \
+            "ldr    r3, %6                      \n\t"
+
+#define MULADDC_CORE                                    \
+            "ldr    r4, [r0], #4                \n\t"   \
+            "mov    r5, #0                      \n\t"   \
+            "ldr    r6, [r1]                    \n\t"   \
+            "umlal  r2, r5, r3, r4              \n\t"   \
+            "adds   r7, r6, r2                  \n\t"   \
+            "adc    r2, r5, #0                  \n\t"   \
+            "str    r7, [r1], #4                \n\t"
+
+#define MULADDC_STOP                                    \
+            "str    r2, %0                      \n\t"   \
+            "str    r1, %1                      \n\t"   \
+            "str    r0, %2                      \n\t"   \
+         : "=m" (c),  "=m" (d), "=m" (s)        \
+         : "m" (s), "m" (d), "m" (c), "m" (b)   \
+         : "r0", "r1", "r2", "r3", "r4", "r5",  \
+           "r6", "r7", "cc"                     \
+         );
+
+#endif /* Thumb */
+
+#endif /* ARMv3 */
+
+#if defined(__alpha__)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "ldq    $1, %3          \n\t"   \
+        "ldq    $2, %4          \n\t"   \
+        "ldq    $3, %5          \n\t"   \
+        "ldq    $4, %6          \n\t"
+
+#define MULADDC_CORE                    \
+        "ldq    $6,  0($1)      \n\t"   \
+        "addq   $1,  8, $1      \n\t"   \
+        "mulq   $6, $4, $7      \n\t"   \
+        "umulh  $6, $4, $6      \n\t"   \
+        "addq   $7, $3, $7      \n\t"   \
+        "cmpult $7, $3, $3      \n\t"   \
+        "ldq    $5,  0($2)      \n\t"   \
+        "addq   $7, $5, $7      \n\t"   \
+        "cmpult $7, $5, $5      \n\t"   \
+        "stq    $7,  0($2)      \n\t"   \
+        "addq   $2,  8, $2      \n\t"   \
+        "addq   $6, $3, $3      \n\t"   \
+        "addq   $5, $3, $3      \n\t"
+
+#define MULADDC_STOP                                    \
+        "stq    $3, %0          \n\t"   \
+        "stq    $2, %1          \n\t"   \
+        "stq    $1, %2          \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "$1", "$2", "$3", "$4", "$5", "$6", "$7"  \
+    );
+#endif /* Alpha */
+
+#if defined(__mips__) && !defined(__mips64)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "lw     $10, %3         \n\t"   \
+        "lw     $11, %4         \n\t"   \
+        "lw     $12, %5         \n\t"   \
+        "lw     $13, %6         \n\t"
+
+#define MULADDC_CORE                    \
+        "lw     $14, 0($10)     \n\t"   \
+        "multu  $13, $14        \n\t"   \
+        "addi   $10, $10, 4     \n\t"   \
+        "mflo   $14             \n\t"   \
+        "mfhi   $9              \n\t"   \
+        "addu   $14, $12, $14   \n\t"   \
+        "lw     $15, 0($11)     \n\t"   \
+        "sltu   $12, $14, $12   \n\t"   \
+        "addu   $15, $14, $15   \n\t"   \
+        "sltu   $14, $15, $14   \n\t"   \
+        "addu   $12, $12, $9    \n\t"   \
+        "sw     $15, 0($11)     \n\t"   \
+        "addu   $12, $12, $14   \n\t"   \
+        "addi   $11, $11, 4     \n\t"
+
+#define MULADDC_STOP                    \
+        "sw     $12, %0         \n\t"   \
+        "sw     $11, %1         \n\t"   \
+        "sw     $10, %2         \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)                      \
+        : "m" (s), "m" (d), "m" (c), "m" (b)                \
+        : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
+    );
+
+#endif /* MIPS */
+#endif /* GNUC */
+
+#if (defined(_MSC_VER) && defined(_M_IX86)) || defined(__WATCOMC__)
+
+#define MULADDC_INIT                            \
+    __asm   mov     esi, s                      \
+    __asm   mov     edi, d                      \
+    __asm   mov     ecx, c                      \
+    __asm   mov     ebx, b
+
+#define MULADDC_CORE                            \
+    __asm   lodsd                               \
+    __asm   mul     ebx                         \
+    __asm   add     eax, ecx                    \
+    __asm   adc     edx, 0                      \
+    __asm   add     eax, [edi]                  \
+    __asm   adc     edx, 0                      \
+    __asm   mov     ecx, edx                    \
+    __asm   stosd
+
+#if defined(MBEDTLS_HAVE_SSE2)
+
+#define EMIT __asm _emit
+
+#define MULADDC_HUIT                            \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0xC9             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0xC3             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x1F             \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x16             \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xD0             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x66  EMIT 0x04  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xE0             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x76  EMIT 0x08  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xF0             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x7E  EMIT 0x0C  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xF8             \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCA             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x5F  EMIT 0x04  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xDC             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x08  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xEE             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x67  EMIT 0x0C  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xFC             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x0F             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x56  EMIT 0x10  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xD0             \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x66  EMIT 0x14  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xE0             \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x76  EMIT 0x18  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xF0             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x04  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x5E  EMIT 0x1C  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xD8             \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCD             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x10  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xD5             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x08  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCF             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x14  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xE5             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x0C  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCA             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x18  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xF5             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x10  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCC             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x1C  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xDD             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x14  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCE             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x18  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x1C  \
+    EMIT 0x83  EMIT 0xC7  EMIT 0x20             \
+    EMIT 0x83  EMIT 0xC6  EMIT 0x20             \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0xC9
+
+#define MULADDC_STOP                            \
+    EMIT 0x0F  EMIT 0x77                        \
+    __asm   mov     c, ecx                      \
+    __asm   mov     d, edi                      \
+    __asm   mov     s, esi                      \
+
+#else
+
+#define MULADDC_STOP                            \
+    __asm   mov     c, ecx                      \
+    __asm   mov     d, edi                      \
+    __asm   mov     s, esi                      \
+
+#endif /* SSE2 */
+#endif /* MSVC */
+
+#endif /* MBEDTLS_HAVE_ASM */
+
+#if !defined(MULADDC_CORE)
+#if defined(MBEDTLS_HAVE_UDBL)
+
+#define MULADDC_INIT                    \
+{                                       \
+    mbedtls_t_udbl r;                           \
+    mbedtls_mpi_uint r0, r1;
+
+#define MULADDC_CORE                    \
+    r   = *(s++) * (mbedtls_t_udbl) b;          \
+    r0  = (mbedtls_mpi_uint) r;                   \
+    r1  = (mbedtls_mpi_uint)( r >> biL );         \
+    r0 += c;  r1 += (r0 <  c);          \
+    r0 += *d; r1 += (r0 < *d);          \
+    c = r1; *(d++) = r0;
+
+#define MULADDC_STOP                    \
+}
+
+#else
+#define MULADDC_INIT                    \
+{                                       \
+    mbedtls_mpi_uint s0, s1, b0, b1;              \
+    mbedtls_mpi_uint r0, r1, rx, ry;              \
+    b0 = ( b << biH ) >> biH;           \
+    b1 = ( b >> biH );
+
+#define MULADDC_CORE                    \
+    s0 = ( *s << biH ) >> biH;          \
+    s1 = ( *s >> biH ); s++;            \
+    rx = s0 * b1; r0 = s0 * b0;         \
+    ry = s1 * b0; r1 = s1 * b1;         \
+    r1 += ( rx >> biH );                \
+    r1 += ( ry >> biH );                \
+    rx <<= biH; ry <<= biH;             \
+    r0 += rx; r1 += (r0 < rx);          \
+    r0 += ry; r1 += (r0 < ry);          \
+    r0 +=  c; r1 += (r0 <  c);          \
+    r0 += *d; r1 += (r0 < *d);          \
+    c = r1; *(d++) = r0;
+
+#define MULADDC_STOP                    \
+}
+
+#endif /* C (generic)  */
+#endif /* C (longlong) */
+
+#endif /* bn_mul.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/camellia.h b/third-party/mbedtls-3.6/include/mbedtls/camellia.h
new file mode 100644
index 00000000..1ed0ca4b
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/camellia.h
@@ -0,0 +1,262 @@
+/**
+ * \file camellia.h
+ *
+ * \brief Camellia block cipher
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_CAMELLIA_H
+#define MBEDTLS_CAMELLIA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_CAMELLIA_ENCRYPT     1
+#define MBEDTLS_CAMELLIA_DECRYPT     0
+
+#define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH           -0x0024  /**< Invalid key length. */
+#define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH         -0x0026  /**< Invalid data input length. */
+#define MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED              -0x0027  /**< Camellia hardware accelerator failed. */
+
+#if !defined(MBEDTLS_CAMELLIA_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          CAMELLIA context structure
+ */
+typedef struct
+{
+    int nr;                     /*!<  number of rounds  */
+    uint32_t rk[68];            /*!<  CAMELLIA round keys    */
+}
+mbedtls_camellia_context;
+
+/**
+ * \brief          Initialize CAMELLIA context
+ *
+ * \param ctx      CAMELLIA context to be initialized
+ */
+void mbedtls_camellia_init( mbedtls_camellia_context *ctx );
+
+/**
+ * \brief          Clear CAMELLIA context
+ *
+ * \param ctx      CAMELLIA context to be cleared
+ */
+void mbedtls_camellia_free( mbedtls_camellia_context *ctx );
+
+/**
+ * \brief          CAMELLIA key schedule (encryption)
+ *
+ * \param ctx      CAMELLIA context to be initialized
+ * \param key      encryption key
+ * \param keybits  must be 128, 192 or 256
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+ */
+int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned char *key,
+                         unsigned int keybits );
+
+/**
+ * \brief          CAMELLIA key schedule (decryption)
+ *
+ * \param ctx      CAMELLIA context to be initialized
+ * \param key      decryption key
+ * \param keybits  must be 128, 192 or 256
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+ */
+int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, const unsigned char *key,
+                         unsigned int keybits );
+
+/**
+ * \brief          CAMELLIA-ECB block encryption/decryption
+ *
+ * \param ctx      CAMELLIA context
+ * \param mode     MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
+ * \param input    16-byte input block
+ * \param output   16-byte output block
+ *
+ * \return         0 if successful
+ */
+int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
+                    int mode,
+                    const unsigned char input[16],
+                    unsigned char output[16] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          CAMELLIA-CBC buffer encryption/decryption
+ *                 Length should be a multiple of the block
+ *                 size (16 bytes)
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      CAMELLIA context
+ * \param mode     MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if successful, or
+ *                 MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
+ */
+int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief          CAMELLIA-CFB128 buffer encryption/decryption
+ *
+ * Note: Due to the nature of CFB you should use the same key schedule for
+ * both encryption and decryption. So a context initialized with
+ * mbedtls_camellia_setkey_enc() for both MBEDTLS_CAMELLIA_ENCRYPT and CAMELLIE_DECRYPT.
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      CAMELLIA context
+ * \param mode     MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
+ * \param length   length of the input data
+ * \param iv_off   offset in IV (updated after use)
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if successful, or
+ *                 MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
+ */
+int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief               CAMELLIA-CTR buffer encryption/decryption
+ *
+ * Warning: You have to keep the maximum use of your counter in mind!
+ *
+ * Note: Due to the nature of CTR you should use the same key schedule for
+ * both encryption and decryption. So a context initialized with
+ * mbedtls_camellia_setkey_enc() for both MBEDTLS_CAMELLIA_ENCRYPT and MBEDTLS_CAMELLIA_DECRYPT.
+ *
+ * \param ctx           CAMELLIA context
+ * \param length        The length of the data
+ * \param nc_off        The offset in the current stream_block (for resuming
+ *                      within current cipher stream). The offset pointer to
+ *                      should be 0 at the start of a stream.
+ * \param nonce_counter The 128-bit nonce and counter.
+ * \param stream_block  The saved stream-block for resuming. Is overwritten
+ *                      by the function.
+ * \param input         The input data stream
+ * \param output        The output data stream
+ *
+ * \return         0 if successful
+ */
+int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_CAMELLIA_ALT */
+#include "camellia_alt.h"
+#endif /* MBEDTLS_CAMELLIA_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_camellia_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* camellia.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ccm.h b/third-party/mbedtls-3.6/include/mbedtls/ccm.h
new file mode 100644
index 00000000..80cc1f68
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ccm.h
@@ -0,0 +1,207 @@
+/**
+ * \file ccm.h
+ *
+ * \brief CCM combines Counter mode encryption with CBC-MAC authentication
+ *        for 128-bit block ciphers.
+ *
+ * Input to CCM includes the following elements:
+ * <ul><li>Payload - data that is both authenticated and encrypted.</li>
+ * <li>Associated data (Adata) - data that is authenticated but not
+ * encrypted, For example, a header.</li>
+ * <li>Nonce - A unique value that is assigned to the payload and the
+ * associated data.</li></ul>
+ *
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_CCM_H
+#define MBEDTLS_CCM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#define MBEDTLS_ERR_CCM_BAD_INPUT       -0x000D /**< Bad input parameters to the function. */
+#define MBEDTLS_ERR_CCM_AUTH_FAILED     -0x000F /**< Authenticated decryption failed. */
+#define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */
+
+#if !defined(MBEDTLS_CCM_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief    The CCM context-type definition. The CCM context is passed
+ *           to the APIs called.
+ */
+typedef struct {
+    mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
+}
+mbedtls_ccm_context;
+
+/**
+ * \brief           This function initializes the specified CCM context,
+ *                  to make references valid, and prepare the context
+ *                  for mbedtls_ccm_setkey() or mbedtls_ccm_free().
+ *
+ * \param ctx       The CCM context to initialize.
+ */
+void mbedtls_ccm_init( mbedtls_ccm_context *ctx );
+
+/**
+ * \brief           This function initializes the CCM context set in the
+ *                  \p ctx parameter and sets the encryption key.
+ *
+ * \param ctx       The CCM context to initialize.
+ * \param cipher    The 128-bit block cipher to use.
+ * \param key       The encryption key.
+ * \param keybits   The key size in bits. This must be acceptable by the cipher.
+ *
+ * \return          \c 0 on success, or a cipher-specific error code.
+ */
+int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
+                        mbedtls_cipher_id_t cipher,
+                        const unsigned char *key,
+                        unsigned int keybits );
+
+/**
+ * \brief   This function releases and clears the specified CCM context
+ *          and underlying cipher sub-context.
+ *
+ * \param ctx       The CCM context to clear.
+ */
+void mbedtls_ccm_free( mbedtls_ccm_context *ctx );
+
+/**
+ * \brief           This function encrypts a buffer using CCM.
+ *
+ * \param ctx       The CCM context to use for encryption.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        Initialization vector (nonce).
+ * \param iv_len    The length of the IV in Bytes: 7, 8, 9, 10, 11, 12, or 13.
+ * \param add       The additional data field.
+ * \param add_len   The length of additional data in Bytes.
+ *                  Must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data.
+ * \param output    The buffer holding the output data.
+ *                  Must be at least \p length Bytes wide.
+ * \param tag       The buffer holding the tag.
+ * \param tag_len   The length of the tag to generate in Bytes:
+ *                  4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \note            The tag is written to a separate buffer. To concatenate
+ *                  the \p tag with the \p output, as done in <em>RFC-3610:
+ *                  Counter with CBC-MAC (CCM)</em>, use
+ *                  \p tag = \p output + \p length, and make sure that the
+ *                  output buffer is at least \p length + \p tag_len wide.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief           This function performs a CCM authenticated decryption of a
+ *                  buffer.
+ *
+ * \param ctx       The CCM context to use for decryption.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        Initialization vector.
+ * \param iv_len    The length of the IV in Bytes: 7, 8, 9, 10, 11, 12, or 13.
+ * \param add       The additional data field.
+ * \param add_len   The length of additional data in Bytes.
+ *                  Must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data.
+ * \param output    The buffer holding the output data.
+ *                  Must be at least \p length Bytes wide.
+ * \param tag       The buffer holding the tag.
+ * \param tag_len   The length of the tag in Bytes.
+ *                  4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \return          0 if successful and authenticated, or
+ *                  #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ */
+int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len );
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_CCM_ALT */
+#include "ccm_alt.h"
+#endif /* MBEDTLS_CCM_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/**
+ * \brief          The CCM checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_ccm_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CCM_H */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/certs.h b/third-party/mbedtls-3.6/include/mbedtls/certs.h
new file mode 100644
index 00000000..86722884
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/certs.h
@@ -0,0 +1,131 @@
+/**
+ * \file certs.h
+ *
+ * \brief Sample certificates and DHM parameters for testing
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_CERTS_H
+#define MBEDTLS_CERTS_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+/* Concatenation of all CA certificates in PEM format if available */
+extern const char   mbedtls_test_cas_pem[];
+extern const size_t mbedtls_test_cas_pem_len;
+#endif
+
+/* List of all CA certificates, terminated by NULL */
+extern const char * mbedtls_test_cas[];
+extern const size_t mbedtls_test_cas_len[];
+
+/*
+ * Convenience for users who just want a certificate:
+ * RSA by default, or ECDSA if RSA is not available
+ */
+extern const char * mbedtls_test_ca_crt;
+extern const size_t mbedtls_test_ca_crt_len;
+extern const char * mbedtls_test_ca_key;
+extern const size_t mbedtls_test_ca_key_len;
+extern const char * mbedtls_test_ca_pwd;
+extern const size_t mbedtls_test_ca_pwd_len;
+extern const char * mbedtls_test_srv_crt;
+extern const size_t mbedtls_test_srv_crt_len;
+extern const char * mbedtls_test_srv_key;
+extern const size_t mbedtls_test_srv_key_len;
+extern const char * mbedtls_test_cli_crt;
+extern const size_t mbedtls_test_cli_crt_len;
+extern const char * mbedtls_test_cli_key;
+extern const size_t mbedtls_test_cli_key_len;
+
+#if defined(MBEDTLS_ECDSA_C)
+extern const char   mbedtls_test_ca_crt_ec[];
+extern const size_t mbedtls_test_ca_crt_ec_len;
+extern const char   mbedtls_test_ca_key_ec[];
+extern const size_t mbedtls_test_ca_key_ec_len;
+extern const char   mbedtls_test_ca_pwd_ec[];
+extern const size_t mbedtls_test_ca_pwd_ec_len;
+extern const char   mbedtls_test_srv_crt_ec[];
+extern const size_t mbedtls_test_srv_crt_ec_len;
+extern const char   mbedtls_test_srv_key_ec[];
+extern const size_t mbedtls_test_srv_key_ec_len;
+extern const char   mbedtls_test_cli_crt_ec[];
+extern const size_t mbedtls_test_cli_crt_ec_len;
+extern const char   mbedtls_test_cli_key_ec[];
+extern const size_t mbedtls_test_cli_key_ec_len;
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+extern const char   mbedtls_test_ca_crt_rsa[];
+extern const size_t mbedtls_test_ca_crt_rsa_len;
+extern const char   mbedtls_test_ca_key_rsa[];
+extern const size_t mbedtls_test_ca_key_rsa_len;
+extern const char   mbedtls_test_ca_pwd_rsa[];
+extern const size_t mbedtls_test_ca_pwd_rsa_len;
+extern const char   mbedtls_test_srv_crt_rsa[];
+extern const size_t mbedtls_test_srv_crt_rsa_len;
+extern const char   mbedtls_test_srv_key_rsa[];
+extern const size_t mbedtls_test_srv_key_rsa_len;
+extern const char   mbedtls_test_cli_crt_rsa[];
+extern const size_t mbedtls_test_cli_crt_rsa_len;
+extern const char   mbedtls_test_cli_key_rsa[];
+extern const size_t mbedtls_test_cli_key_rsa_len;
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* certs.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/check_config.h b/third-party/mbedtls-3.6/include/mbedtls/check_config.h
new file mode 100644
index 00000000..654c6ba5
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/check_config.h
@@ -0,0 +1,753 @@
+/**
+ * \file check_config.h
+ *
+ * \brief Consistency checks for configuration options
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ * It is recommended to include this file from your config.h
+ * in order to catch dependency issues early.
+ */
+
+#ifndef MBEDTLS_CHECK_CONFIG_H
+#define MBEDTLS_CHECK_CONFIG_H
+
+/*
+ * We assume CHAR_BIT is 8 in many places. In practice, this is true on our
+ * target platforms, so not an issue, but let's just be extra sure.
+ */
+#include <limits.h>
+#if CHAR_BIT != 8
+#error "mbed TLS requires a platform with 8-bit chars"
+#endif
+
+#if defined(_WIN32)
+#if !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_C is required on Windows"
+#endif
+
+/* Fix the config here. Not convenient to put an #ifdef _WIN32 in config.h as
+ * it would confuse config.pl. */
+#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \
+    !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
+#define MBEDTLS_PLATFORM_SNPRINTF_ALT
+#endif
+#endif /* _WIN32 */
+
+#if defined(TARGET_LIKE_MBED) && \
+    ( defined(MBEDTLS_NET_C) || defined(MBEDTLS_TIMING_C) )
+#error "The NET and TIMING modules are not available for mbed OS - please use the network and timing functions provided by mbed OS"
+#endif
+
+#if defined(MBEDTLS_DEPRECATED_WARNING) && \
+    !defined(__GNUC__) && !defined(__clang__)
+#error "MBEDTLS_DEPRECATED_WARNING only works with GCC and Clang"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_HAVE_TIME)
+#error "MBEDTLS_HAVE_TIME_DATE without MBEDTLS_HAVE_TIME does not make sense"
+#endif
+
+#if defined(MBEDTLS_AESNI_C) && !defined(MBEDTLS_HAVE_ASM)
+#error "MBEDTLS_AESNI_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
+#error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_DHM_C) && !defined(MBEDTLS_BIGNUM_C)
+#error "MBEDTLS_DHM_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) && !defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_CMAC_C) && \
+    !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C)
+#error "MBEDTLS_CMAC_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
+#error "MBEDTLS_ECDH_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECDSA_C) &&            \
+    ( !defined(MBEDTLS_ECP_C) ||           \
+      !defined(MBEDTLS_ASN1_PARSE_C) ||    \
+      !defined(MBEDTLS_ASN1_WRITE_C) )
+#error "MBEDTLS_ECDSA_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECJPAKE_C) &&           \
+    ( !defined(MBEDTLS_ECP_C) || !defined(MBEDTLS_MD_C) )
+#error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC) && !defined(MBEDTLS_HMAC_DRBG_C)
+#error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || (    \
+    !defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)   &&                  \
+    !defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)   &&                  \
+    !defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) ) )
+#error "MBEDTLS_ECP_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_C) && !(            \
+    defined(MBEDTLS_ECP_ALT) ||             \
+    defined(MBEDTLS_CTR_DRBG_C) ||          \
+    defined(MBEDTLS_HMAC_DRBG_C) ||         \
+    defined(MBEDTLS_SHA512_C) ||            \
+    defined(MBEDTLS_SHA256_C) ||            \
+    defined(MBEDTLS_ECP_NO_INTERNAL_RNG))
+#error "MBEDTLS_ECP_C requires a DRBG or SHA-2 module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
+#endif
+
+#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
+#error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites"
+#endif
+
+#if defined(MBEDTLS_ENTROPY_C) && (!defined(MBEDTLS_SHA512_C) &&      \
+                                    !defined(MBEDTLS_SHA256_C))
+#error "MBEDTLS_ENTROPY_C defined, but not all prerequisites"
+#endif
+#if defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_SHA512_C) &&         \
+    defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 64)
+#error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high"
+#endif
+#if defined(MBEDTLS_ENTROPY_C) &&                                            \
+    ( !defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_ENTROPY_FORCE_SHA256) ) \
+    && defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 32)
+#error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high"
+#endif
+#if defined(MBEDTLS_ENTROPY_C) && \
+    defined(MBEDTLS_ENTROPY_FORCE_SHA256) && !defined(MBEDTLS_SHA256_C)
+#error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites"
+#endif
+
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#define MBEDTLS_HAS_MEMSAN
+#endif
+#endif
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) &&  !defined(MBEDTLS_HAS_MEMSAN)
+#error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer"
+#endif
+#undef MBEDTLS_HAS_MEMSAN
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
+    ( !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) )
+#error "MBEDTLS_TEST_NULL_ENTROPY defined, but not all prerequisites"
+#endif
+#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
+     ( defined(MBEDTLS_ENTROPY_NV_SEED) || defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \
+    defined(MBEDTLS_HAVEGE_C) )
+#error "MBEDTLS_TEST_NULL_ENTROPY defined, but entropy sources too"
+#endif
+
+#if defined(MBEDTLS_GCM_C) && (                                        \
+        !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) )
+#error "MBEDTLS_GCM_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_RANDOMIZE_JAC_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_ADD_MIXED_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_DOUBLE_JAC_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_NORMALIZE_JAC_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_NORMALIZE_MXZ_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_HAVEGE_C) && !defined(MBEDTLS_TIMING_C)
+#error "MBEDTLS_HAVEGE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_HMAC_DRBG_C) && !defined(MBEDTLS_MD_C)
+#error "MBEDTLS_HMAC_DRBG_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) &&                 \
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) &&                 \
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) && !defined(MBEDTLS_DHM_C)
+#error "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) &&                     \
+    !defined(MBEDTLS_ECDH_C)
+#error "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) &&                   \
+    ( !defined(MBEDTLS_DHM_C) || !defined(MBEDTLS_RSA_C) ||           \
+      !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) &&                 \
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_RSA_C) ||          \
+      !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) &&                 \
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) ||          \
+      !defined(MBEDTLS_X509_CRT_PARSE_C) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) &&                   \
+    ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
+      !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) &&                       \
+    ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
+      !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) &&                    \
+    ( !defined(MBEDTLS_ECJPAKE_C) || !defined(MBEDTLS_SHA256_C) ||      \
+      !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) )
+#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) &&                          \
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
+#error "MBEDTLS_MEMORY_BUFFER_ALLOC_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE) && !defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#error "MBEDTLS_MEMORY_BACKTRACE defined, but not all prerequesites"
+#endif
+
+#if defined(MBEDTLS_MEMORY_DEBUG) && !defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#error "MBEDTLS_MEMORY_DEBUG defined, but not all prerequesites"
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_HAVE_ASM)
+#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C) && !defined(MBEDTLS_BASE64_C)
+#error "MBEDTLS_PEM_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PEM_WRITE_C) && !defined(MBEDTLS_BASE64_C)
+#error "MBEDTLS_PEM_WRITE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PK_C) && \
+    ( !defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_ECP_C) )
+#error "MBEDTLS_PK_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_PK_C)
+#error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PK_WRITE_C) && !defined(MBEDTLS_PK_C)
+#error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PKCS11_C) && !defined(MBEDTLS_PK_C)
+#error "MBEDTLS_PKCS11_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_EXIT_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_EXIT_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_EXIT_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_EXIT) ||\
+        defined(MBEDTLS_PLATFORM_EXIT_ALT) )
+#error "MBEDTLS_PLATFORM_EXIT_MACRO and MBEDTLS_PLATFORM_STD_EXIT/MBEDTLS_PLATFORM_EXIT_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_ALT) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_TIME_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_TIME_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_TIME_TYPE_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_TIME) ||\
+        defined(MBEDTLS_PLATFORM_TIME_ALT) )
+#error "MBEDTLS_PLATFORM_TIME_MACRO and MBEDTLS_PLATFORM_STD_TIME/MBEDTLS_PLATFORM_TIME_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_TIME) ||\
+        defined(MBEDTLS_PLATFORM_TIME_ALT) )
+#error "MBEDTLS_PLATFORM_TIME_TYPE_MACRO and MBEDTLS_PLATFORM_STD_TIME/MBEDTLS_PLATFORM_TIME_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_FPRINTF_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_FPRINTF_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_FPRINTF) ||\
+        defined(MBEDTLS_PLATFORM_FPRINTF_ALT) )
+#error "MBEDTLS_PLATFORM_FPRINTF_MACRO and MBEDTLS_PLATFORM_STD_FPRINTF/MBEDTLS_PLATFORM_FPRINTF_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
+#error "MBEDTLS_PLATFORM_FREE_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) &&\
+    defined(MBEDTLS_PLATFORM_STD_FREE)
+#error "MBEDTLS_PLATFORM_FREE_MACRO and MBEDTLS_PLATFORM_STD_FREE cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) && !defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
+#error "MBEDTLS_PLATFORM_CALLOC_MACRO must be defined if MBEDTLS_PLATFORM_FREE_MACRO is"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
+#error "MBEDTLS_PLATFORM_CALLOC_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&\
+    defined(MBEDTLS_PLATFORM_STD_CALLOC)
+#error "MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_STD_CALLOC cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO) && !defined(MBEDTLS_PLATFORM_FREE_MACRO)
+#error "MBEDTLS_PLATFORM_FREE_MACRO must be defined if MBEDTLS_PLATFORM_CALLOC_MACRO is"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_MEMORY) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_MEMORY defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_PRINTF_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_PRINTF_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_PRINTF) ||\
+        defined(MBEDTLS_PLATFORM_PRINTF_ALT) )
+#error "MBEDTLS_PLATFORM_PRINTF_MACRO and MBEDTLS_PLATFORM_STD_PRINTF/MBEDTLS_PLATFORM_PRINTF_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_SNPRINTF_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_SNPRINTF_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_SNPRINTF) ||\
+        defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) )
+#error "MBEDTLS_PLATFORM_SNPRINTF_MACRO and MBEDTLS_PLATFORM_STD_SNPRINTF/MBEDTLS_PLATFORM_SNPRINTF_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR) &&\
+    !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+#error "MBEDTLS_PLATFORM_STD_MEM_HDR defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_CALLOC) && !defined(MBEDTLS_PLATFORM_MEMORY)
+#error "MBEDTLS_PLATFORM_STD_CALLOC defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_CALLOC) && !defined(MBEDTLS_PLATFORM_MEMORY)
+#error "MBEDTLS_PLATFORM_STD_CALLOC defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_FREE) && !defined(MBEDTLS_PLATFORM_MEMORY)
+#error "MBEDTLS_PLATFORM_STD_FREE defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_EXIT) &&\
+    !defined(MBEDTLS_PLATFORM_EXIT_ALT)
+#error "MBEDTLS_PLATFORM_STD_EXIT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_TIME) &&\
+    ( !defined(MBEDTLS_PLATFORM_TIME_ALT) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_STD_TIME defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_FPRINTF) &&\
+    !defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+#error "MBEDTLS_PLATFORM_STD_FPRINTF defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_PRINTF) &&\
+    !defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+#error "MBEDTLS_PLATFORM_STD_PRINTF defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_SNPRINTF) &&\
+    !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+#error "MBEDTLS_PLATFORM_STD_SNPRINTF defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_ENTROPY_C) )
+#error "MBEDTLS_ENTROPY_NV_SEED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT) &&\
+    !defined(MBEDTLS_ENTROPY_NV_SEED)
+#error "MBEDTLS_PLATFORM_NV_SEED_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ) &&\
+    !defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+#error "MBEDTLS_PLATFORM_STD_NV_SEED_READ defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE) &&\
+    !defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+#error "MBEDTLS_PLATFORM_STD_NV_SEED_WRITE defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_READ_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ) ||\
+      defined(MBEDTLS_PLATFORM_NV_SEED_ALT) )
+#error "MBEDTLS_PLATFORM_NV_SEED_READ_MACRO and MBEDTLS_PLATFORM_STD_NV_SEED_READ cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE) ||\
+      defined(MBEDTLS_PLATFORM_NV_SEED_ALT) )
+#error "MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO and MBEDTLS_PLATFORM_STD_NV_SEED_WRITE cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) ||         \
+    !defined(MBEDTLS_OID_C) )
+#error "MBEDTLS_RSA_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_PKCS1_V21) &&         \
+    !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_RSA_C defined, but none of the PKCS1 versions enabled"
+#endif
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) &&                        \
+    ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_PKCS1_V21) )
+#error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && ( !defined(MBEDTLS_MD5_C) ||     \
+    !defined(MBEDTLS_SHA1_C) )
+#error "MBEDTLS_SSL_PROTO_SSL3 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) && ( !defined(MBEDTLS_MD5_C) ||     \
+    !defined(MBEDTLS_SHA1_C) )
+#error "MBEDTLS_SSL_PROTO_TLS1 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) && ( !defined(MBEDTLS_MD5_C) ||     \
+    !defined(MBEDTLS_SHA1_C) )
+#error "MBEDTLS_SSL_PROTO_TLS1_1 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && ( !defined(MBEDTLS_SHA1_C) &&     \
+    !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
+#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
+#endif
+
+#if (defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) ||  \
+     defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
+    !(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                          \
+      defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                      \
+      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                    \
+      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                  \
+      defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                     \
+      defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ||                   \
+      defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) ||                          \
+      defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) ||                      \
+      defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) ||                      \
+      defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                    \
+      defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) )
+#error "One or more versions of the TLS protocol are enabled " \
+        "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)     && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_1)  && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#error "MBEDTLS_SSL_PROTO_DTLS defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_CLI_C) && !defined(MBEDTLS_SSL_TLS_C)
+#error "MBEDTLS_SSL_CLI_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && ( !defined(MBEDTLS_CIPHER_C) ||     \
+    !defined(MBEDTLS_MD_C) )
+#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_TLS_C)
+#error "MBEDTLS_SSL_SRV_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_SSL3) && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2))
+#error "MBEDTLS_SSL_TLS_C defined, but no protocols are active"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1) && !defined(MBEDTLS_SSL_PROTO_TLS1))
+#error "Illegal protocol selection"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_TLS1) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2) && !defined(MBEDTLS_SSL_PROTO_TLS1_1))
+#error "Illegal protocol selection"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2) && (!defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_1)))
+#error "Illegal protocol selection"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && !defined(MBEDTLS_SSL_PROTO_DTLS)
+#error "MBEDTLS_SSL_DTLS_HELLO_VERIFY  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && \
+    !defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+#error "MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) &&                              \
+    ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
+#error "MBEDTLS_SSL_DTLS_ANTI_REPLAY  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) &&                              \
+    ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
+#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) &&   \
+    !defined(MBEDTLS_SSL_PROTO_TLS1)   &&      \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_1) &&      \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequsites"
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1)   &&          \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_1) &&          \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequsites"
+#endif
+
+#if defined(MBEDTLS_SSL_TICKET_C) && !defined(MBEDTLS_CIPHER_C)
+#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) && \
+    !defined(MBEDTLS_SSL_PROTO_SSL3) && !defined(MBEDTLS_SSL_PROTO_TLS1)
+#error "MBEDTLS_SSL_CBC_RECORD_SPLITTING defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
+        !defined(MBEDTLS_X509_CRT_PARSE_C)
+#error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
+#error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"
+#endif
+#define MBEDTLS_THREADING_IMPL
+#endif
+
+#if defined(MBEDTLS_THREADING_ALT)
+#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
+#error "MBEDTLS_THREADING_ALT defined, but not all prerequisites"
+#endif
+#define MBEDTLS_THREADING_IMPL
+#endif
+
+#if defined(MBEDTLS_THREADING_C) && !defined(MBEDTLS_THREADING_IMPL)
+#error "MBEDTLS_THREADING_C defined, single threading implementation required"
+#endif
+#undef MBEDTLS_THREADING_IMPL
+
+#if defined(MBEDTLS_VERSION_FEATURES) && !defined(MBEDTLS_VERSION_C)
+#error "MBEDTLS_VERSION_FEATURES defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) && ( !defined(MBEDTLS_BIGNUM_C) ||  \
+    !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_PARSE_C) ||      \
+    !defined(MBEDTLS_PK_PARSE_C) )
+#error "MBEDTLS_X509_USE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CREATE_C) && ( !defined(MBEDTLS_BIGNUM_C) ||  \
+    !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_WRITE_C) ||       \
+    !defined(MBEDTLS_PK_WRITE_C) )
+#error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_CERTS_C) && !defined(MBEDTLS_X509_USE_C)
+#error "MBEDTLS_CERTS_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
+#error "MBEDTLS_X509_CRT_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
+#error "MBEDTLS_X509_CRL_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
+#error "MBEDTLS_X509_CSR_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CRT_WRITE_C) && ( !defined(MBEDTLS_X509_CREATE_C) )
+#error "MBEDTLS_X509_CRT_WRITE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C) && ( !defined(MBEDTLS_X509_CREATE_C) )
+#error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64)
+#error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously"
+#endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */
+
+#if ( defined(MBEDTLS_HAVE_INT32) || defined(MBEDTLS_HAVE_INT64) ) && \
+    defined(MBEDTLS_HAVE_ASM)
+#error "MBEDTLS_HAVE_INT32/MBEDTLS_HAVE_INT64 and MBEDTLS_HAVE_ASM cannot be defined simultaneously"
+#endif /* (MBEDTLS_HAVE_INT32 || MBEDTLS_HAVE_INT64) && MBEDTLS_HAVE_ASM */
+
+/*
+ * Avoid warning from -pedantic. This is a convenient place for this
+ * workaround since this is included by every single file before the
+ * #if defined(MBEDTLS_xxx_C) that results in empty translation units.
+ */
+typedef int mbedtls_iso_c_forbids_empty_translation_units;
+
+#endif /* MBEDTLS_CHECK_CONFIG_H */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/cipher.h b/third-party/mbedtls-3.6/include/mbedtls/cipher.h
new file mode 100644
index 00000000..7f40b7ec
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/cipher.h
@@ -0,0 +1,777 @@
+/**
+ * \file cipher.h
+ *
+ * \brief The generic cipher wrapper.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_CIPHER_H
+#define MBEDTLS_CIPHER_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
+#define MBEDTLS_CIPHER_MODE_AEAD
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define MBEDTLS_CIPHER_MODE_WITH_PADDING
+#endif
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#define MBEDTLS_CIPHER_MODE_STREAM
+#endif
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE  -0x6080  /**< The selected feature is not available. */
+#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA       -0x6100  /**< Bad input parameters. */
+#define MBEDTLS_ERR_CIPHER_ALLOC_FAILED         -0x6180  /**< Failed to allocate memory. */
+#define MBEDTLS_ERR_CIPHER_INVALID_PADDING      -0x6200  /**< Input data contains invalid padding and is rejected. */
+#define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED  -0x6280  /**< Decryption of block requires a full block. */
+#define MBEDTLS_ERR_CIPHER_AUTH_FAILED          -0x6300  /**< Authentication failed (for AEAD modes). */
+#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT      -0x6380  /**< The context is invalid. For example, because it was freed. */
+#define MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED      -0x6400  /**< Cipher hardware accelerator failed. */
+
+#define MBEDTLS_CIPHER_VARIABLE_IV_LEN     0x01    /**< Cipher accepts IVs of variable length. */
+#define MBEDTLS_CIPHER_VARIABLE_KEY_LEN    0x02    /**< Cipher accepts keys of variable length. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief     An enumeration of supported ciphers.
+ *
+ * \warning   ARC4 and DES are considered weak ciphers and their use
+ *            constitutes a security risk. We recommend considering stronger
+ *            ciphers instead.
+ */
+typedef enum {
+    MBEDTLS_CIPHER_ID_NONE = 0,
+    MBEDTLS_CIPHER_ID_NULL,
+    MBEDTLS_CIPHER_ID_AES,
+    MBEDTLS_CIPHER_ID_DES,
+    MBEDTLS_CIPHER_ID_3DES,
+    MBEDTLS_CIPHER_ID_CAMELLIA,
+    MBEDTLS_CIPHER_ID_BLOWFISH,
+    MBEDTLS_CIPHER_ID_ARC4,
+} mbedtls_cipher_id_t;
+
+/**
+ * \brief     An enumeration of supported (cipher, mode) pairs.
+ *
+ * \warning   ARC4 and DES are considered weak ciphers and their use
+ *            constitutes a security risk. We recommend considering stronger
+ *            ciphers instead.
+ */
+typedef enum {
+    MBEDTLS_CIPHER_NONE = 0,
+    MBEDTLS_CIPHER_NULL,
+    MBEDTLS_CIPHER_AES_128_ECB,
+    MBEDTLS_CIPHER_AES_192_ECB,
+    MBEDTLS_CIPHER_AES_256_ECB,
+    MBEDTLS_CIPHER_AES_128_CBC,
+    MBEDTLS_CIPHER_AES_192_CBC,
+    MBEDTLS_CIPHER_AES_256_CBC,
+    MBEDTLS_CIPHER_AES_128_CFB128,
+    MBEDTLS_CIPHER_AES_192_CFB128,
+    MBEDTLS_CIPHER_AES_256_CFB128,
+    MBEDTLS_CIPHER_AES_128_CTR,
+    MBEDTLS_CIPHER_AES_192_CTR,
+    MBEDTLS_CIPHER_AES_256_CTR,
+    MBEDTLS_CIPHER_AES_128_GCM,
+    MBEDTLS_CIPHER_AES_192_GCM,
+    MBEDTLS_CIPHER_AES_256_GCM,
+    MBEDTLS_CIPHER_CAMELLIA_128_ECB,
+    MBEDTLS_CIPHER_CAMELLIA_192_ECB,
+    MBEDTLS_CIPHER_CAMELLIA_256_ECB,
+    MBEDTLS_CIPHER_CAMELLIA_128_CBC,
+    MBEDTLS_CIPHER_CAMELLIA_192_CBC,
+    MBEDTLS_CIPHER_CAMELLIA_256_CBC,
+    MBEDTLS_CIPHER_CAMELLIA_128_CFB128,
+    MBEDTLS_CIPHER_CAMELLIA_192_CFB128,
+    MBEDTLS_CIPHER_CAMELLIA_256_CFB128,
+    MBEDTLS_CIPHER_CAMELLIA_128_CTR,
+    MBEDTLS_CIPHER_CAMELLIA_192_CTR,
+    MBEDTLS_CIPHER_CAMELLIA_256_CTR,
+    MBEDTLS_CIPHER_CAMELLIA_128_GCM,
+    MBEDTLS_CIPHER_CAMELLIA_192_GCM,
+    MBEDTLS_CIPHER_CAMELLIA_256_GCM,
+    MBEDTLS_CIPHER_DES_ECB,
+    MBEDTLS_CIPHER_DES_CBC,
+    MBEDTLS_CIPHER_DES_EDE_ECB,
+    MBEDTLS_CIPHER_DES_EDE_CBC,
+    MBEDTLS_CIPHER_DES_EDE3_ECB,
+    MBEDTLS_CIPHER_DES_EDE3_CBC,
+    MBEDTLS_CIPHER_BLOWFISH_ECB,
+    MBEDTLS_CIPHER_BLOWFISH_CBC,
+    MBEDTLS_CIPHER_BLOWFISH_CFB64,
+    MBEDTLS_CIPHER_BLOWFISH_CTR,
+    MBEDTLS_CIPHER_ARC4_128,
+    MBEDTLS_CIPHER_AES_128_CCM,
+    MBEDTLS_CIPHER_AES_192_CCM,
+    MBEDTLS_CIPHER_AES_256_CCM,
+    MBEDTLS_CIPHER_CAMELLIA_128_CCM,
+    MBEDTLS_CIPHER_CAMELLIA_192_CCM,
+    MBEDTLS_CIPHER_CAMELLIA_256_CCM,
+} mbedtls_cipher_type_t;
+
+/** Supported cipher modes. */
+typedef enum {
+    MBEDTLS_MODE_NONE = 0,
+    MBEDTLS_MODE_ECB,
+    MBEDTLS_MODE_CBC,
+    MBEDTLS_MODE_CFB,
+    MBEDTLS_MODE_OFB, /* Unused! */
+    MBEDTLS_MODE_CTR,
+    MBEDTLS_MODE_GCM,
+    MBEDTLS_MODE_STREAM,
+    MBEDTLS_MODE_CCM,
+} mbedtls_cipher_mode_t;
+
+/** Supported cipher padding types. */
+typedef enum {
+    MBEDTLS_PADDING_PKCS7 = 0,     /**< PKCS7 padding (default).        */
+    MBEDTLS_PADDING_ONE_AND_ZEROS, /**< ISO/IEC 7816-4 padding.         */
+    MBEDTLS_PADDING_ZEROS_AND_LEN, /**< ANSI X.923 padding.             */
+    MBEDTLS_PADDING_ZEROS,         /**< zero padding (not reversible). */
+    MBEDTLS_PADDING_NONE,          /**< never pad (full blocks only).   */
+} mbedtls_cipher_padding_t;
+
+/** Type of operation. */
+typedef enum {
+    MBEDTLS_OPERATION_NONE = -1,
+    MBEDTLS_DECRYPT = 0,
+    MBEDTLS_ENCRYPT,
+} mbedtls_operation_t;
+
+enum {
+    /** Undefined key length. */
+    MBEDTLS_KEY_LENGTH_NONE = 0,
+    /** Key length, in bits (including parity), for DES keys. */
+    MBEDTLS_KEY_LENGTH_DES  = 64,
+    /** Key length in bits, including parity, for DES in two-key EDE. */
+    MBEDTLS_KEY_LENGTH_DES_EDE = 128,
+    /** Key length in bits, including parity, for DES in three-key EDE. */
+    MBEDTLS_KEY_LENGTH_DES_EDE3 = 192,
+};
+
+/** Maximum length of any IV, in Bytes. */
+#define MBEDTLS_MAX_IV_LENGTH      16
+/** Maximum block size of any cipher, in Bytes. */
+#define MBEDTLS_MAX_BLOCK_LENGTH   16
+
+/**
+ * Base cipher information (opaque struct).
+ */
+typedef struct mbedtls_cipher_base_t mbedtls_cipher_base_t;
+
+/**
+ * CMAC context (opaque struct).
+ */
+typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t;
+
+/**
+ * Cipher information. Allows calling cipher functions
+ * in a generic way.
+ */
+typedef struct {
+    /** Full cipher identifier. For example,
+     * MBEDTLS_CIPHER_AES_256_CBC.
+     */
+    mbedtls_cipher_type_t type;
+
+    /** The cipher mode. For example, MBEDTLS_MODE_CBC. */
+    mbedtls_cipher_mode_t mode;
+
+    /** The cipher key length, in bits. This is the
+     * default length for variable sized ciphers.
+     * Includes parity bits for ciphers like DES.
+     */
+    unsigned int key_bitlen;
+
+    /** Name of the cipher. */
+    const char * name;
+
+    /** IV or nonce size, in Bytes.
+     * For ciphers that accept variable IV sizes,
+     * this is the recommended size.
+     */
+    unsigned int iv_size;
+
+    /** Flags to set. For example, if the cipher supports variable IV sizes or variable key sizes. */
+    int flags;
+
+    /** The block size, in Bytes. */
+    unsigned int block_size;
+
+    /** Struct for base cipher information and functions. */
+    const mbedtls_cipher_base_t *base;
+
+} mbedtls_cipher_info_t;
+
+/**
+ * Generic cipher context.
+ */
+typedef struct {
+    /** Information about the associated cipher. */
+    const mbedtls_cipher_info_t *cipher_info;
+
+    /** Key length to use. */
+    int key_bitlen;
+
+    /** Operation that the key of the context has been
+     * initialized for.
+     */
+    mbedtls_operation_t operation;
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+    /** Padding functions to use, if relevant for
+     * the specific cipher mode.
+     */
+    void (*add_padding)( unsigned char *output, size_t olen, size_t data_len );
+    int (*get_padding)( unsigned char *input, size_t ilen, size_t *data_len );
+#endif
+
+    /** Buffer for input that has not been processed yet. */
+    unsigned char unprocessed_data[MBEDTLS_MAX_BLOCK_LENGTH];
+
+    /** Number of Bytes that have not been processed yet. */
+    size_t unprocessed_len;
+
+    /** Current IV or NONCE_COUNTER for CTR-mode. */
+    unsigned char iv[MBEDTLS_MAX_IV_LENGTH];
+
+    /** IV size in Bytes, for ciphers with variable-length IVs. */
+    size_t iv_size;
+
+    /** The cipher-specific context. */
+    void *cipher_ctx;
+
+#if defined(MBEDTLS_CMAC_C)
+    /** CMAC-specific context. */
+    mbedtls_cmac_context_t *cmac_ctx;
+#endif
+} mbedtls_cipher_context_t;
+
+/**
+ * \brief This function retrieves the list of ciphers supported by the generic
+ * cipher module.
+ *
+ * \return      A statically-allocated array of ciphers. The last entry
+ *              is zero.
+ */
+const int *mbedtls_cipher_list( void );
+
+/**
+ * \brief               This function retrieves the cipher-information
+ *                      structure associated with the given cipher name.
+ *
+ * \param cipher_name   Name of the cipher to search for.
+ *
+ * \return              The cipher information structure associated with the
+ *                      given \p cipher_name, or NULL if not found.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name );
+
+/**
+ * \brief               This function retrieves the cipher-information
+ *                      structure associated with the given cipher type.
+ *
+ * \param cipher_type   Type of the cipher to search for.
+ *
+ * \return              The cipher information structure associated with the
+ *                      given \p cipher_type, or NULL if not found.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type );
+
+/**
+ * \brief               This function retrieves the cipher-information
+ *                      structure associated with the given cipher ID,
+ *                      key size and mode.
+ *
+ * \param cipher_id     The ID of the cipher to search for. For example,
+ *                      #MBEDTLS_CIPHER_ID_AES.
+ * \param key_bitlen    The length of the key in bits.
+ * \param mode          The cipher mode. For example, #MBEDTLS_MODE_CBC.
+ *
+ * \return              The cipher information structure associated with the
+ *                      given \p cipher_id, or NULL if not found.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
+                                              int key_bitlen,
+                                              const mbedtls_cipher_mode_t mode );
+
+/**
+ * \brief               This function initializes a \p cipher_context as NONE.
+ */
+void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx );
+
+/**
+ * \brief               This function frees and clears the cipher-specific
+ *                      context of \p ctx. Freeing \p ctx itself remains the
+ *                      responsibility of the caller.
+ */
+void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx );
+
+
+/**
+ * \brief               This function initializes and fills the cipher-context
+ *                      structure with the appropriate values. It also clears
+ *                      the structure.
+ *
+ * \param ctx           The context to initialize. May not be NULL.
+ * \param cipher_info   The cipher to use.
+ *
+ * \return              \c 0 on success,
+ *                      #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter failure,
+ *                      #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
+ *                      cipher-specific context failed.
+ *
+ * \internal Currently, the function also clears the structure.
+ * In future versions, the caller will be required to call
+ * mbedtls_cipher_init() on the structure first.
+ */
+int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info );
+
+/**
+ * \brief        This function returns the block size of the given cipher.
+ *
+ * \param ctx    The context of the cipher. Must be initialized.
+ *
+ * \return       The size of the blocks of the cipher, or zero if \p ctx
+ *               has not been initialized.
+ */
+static inline unsigned int mbedtls_cipher_get_block_size( const mbedtls_cipher_context_t *ctx )
+{
+    if( NULL == ctx || NULL == ctx->cipher_info )
+        return 0;
+
+    return ctx->cipher_info->block_size;
+}
+
+/**
+ * \brief        This function returns the mode of operation for
+ *               the cipher. For example, MBEDTLS_MODE_CBC.
+ *
+ * \param ctx    The context of the cipher. Must be initialized.
+ *
+ * \return       The mode of operation, or #MBEDTLS_MODE_NONE if
+ *               \p ctx has not been initialized.
+ */
+static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( const mbedtls_cipher_context_t *ctx )
+{
+    if( NULL == ctx || NULL == ctx->cipher_info )
+        return MBEDTLS_MODE_NONE;
+
+    return ctx->cipher_info->mode;
+}
+
+/**
+ * \brief       This function returns the size of the IV or nonce
+ *              of the cipher, in Bytes.
+ *
+ * \param ctx   The context of the cipher. Must be initialized.
+ *
+ * \return      <ul><li>If no IV has been set: the recommended IV size.
+ *              0 for ciphers not using IV or nonce.</li>
+ *              <li>If IV has already been set: the actual size.</li></ul>
+ */
+static inline int mbedtls_cipher_get_iv_size( const mbedtls_cipher_context_t *ctx )
+{
+    if( NULL == ctx || NULL == ctx->cipher_info )
+        return 0;
+
+    if( ctx->iv_size != 0 )
+        return (int) ctx->iv_size;
+
+    return (int) ctx->cipher_info->iv_size;
+}
+
+/**
+ * \brief               This function returns the type of the given cipher.
+ *
+ * \param ctx           The context of the cipher. Must be initialized.
+ *
+ * \return              The type of the cipher, or #MBEDTLS_CIPHER_NONE if
+ *                      \p ctx has not been initialized.
+ */
+static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( const mbedtls_cipher_context_t *ctx )
+{
+    if( NULL == ctx || NULL == ctx->cipher_info )
+        return MBEDTLS_CIPHER_NONE;
+
+    return ctx->cipher_info->type;
+}
+
+/**
+ * \brief               This function returns the name of the given cipher
+ *                      as a string.
+ *
+ * \param ctx           The context of the cipher. Must be initialized.
+ *
+ * \return              The name of the cipher, or NULL if \p ctx has not
+ *                      been not initialized.
+ */
+static inline const char *mbedtls_cipher_get_name( const mbedtls_cipher_context_t *ctx )
+{
+    if( NULL == ctx || NULL == ctx->cipher_info )
+        return 0;
+
+    return ctx->cipher_info->name;
+}
+
+/**
+ * \brief               This function returns the key length of the cipher.
+ *
+ * \param ctx           The context of the cipher. Must be initialized.
+ *
+ * \return              The key length of the cipher in bits, or
+ *                      #MBEDTLS_KEY_LENGTH_NONE if ctx \p has not been
+ *                      initialized.
+ */
+static inline int mbedtls_cipher_get_key_bitlen( const mbedtls_cipher_context_t *ctx )
+{
+    if( NULL == ctx || NULL == ctx->cipher_info )
+        return MBEDTLS_KEY_LENGTH_NONE;
+
+    return (int) ctx->cipher_info->key_bitlen;
+}
+
+/**
+ * \brief          This function returns the operation of the given cipher.
+ *
+ * \param ctx      The context of the cipher. Must be initialized.
+ *
+ * \return         The type of operation: #MBEDTLS_ENCRYPT or
+ *                 #MBEDTLS_DECRYPT, or #MBEDTLS_OPERATION_NONE if \p ctx
+ *                 has not been initialized.
+ */
+static inline mbedtls_operation_t mbedtls_cipher_get_operation( const mbedtls_cipher_context_t *ctx )
+{
+    if( NULL == ctx || NULL == ctx->cipher_info )
+        return MBEDTLS_OPERATION_NONE;
+
+    return ctx->operation;
+}
+
+/**
+ * \brief               This function sets the key to use with the given context.
+ *
+ * \param ctx           The generic cipher context. May not be NULL. Must have
+ *                      been initialized using mbedtls_cipher_info_from_type()
+ *                      or mbedtls_cipher_info_from_string().
+ * \param key           The key to use.
+ * \param key_bitlen    The key length to use, in bits.
+ * \param operation     The operation that the key will be used for:
+ *                      #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
+ *
+ * \returns             \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if
+ *                      parameter verification fails, or a cipher-specific
+ *                      error code.
+ */
+int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key,
+                   int key_bitlen, const mbedtls_operation_t operation );
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+/**
+ * \brief               This function sets the padding mode, for cipher modes
+ *                      that use padding.
+ *
+ *                      The default passing mode is PKCS7 padding.
+ *
+ * \param ctx           The generic cipher context.
+ * \param mode          The padding mode.
+ *
+ * \returns             \c 0 on success, #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+ *                      if the selected padding mode is not supported, or
+ *                      #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode
+ *                      does not support padding.
+ */
+int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode );
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+/**
+ * \brief           This function sets the initialization vector (IV)
+ *                  or nonce.
+ *
+ * \param ctx       The generic cipher context.
+ * \param iv        The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * \param iv_len    The IV length for ciphers with variable-size IV.
+ *                  This parameter is discarded by ciphers with fixed-size IV.
+ *
+ * \returns         \c 0 on success, or #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+ *
+ * \note            Some ciphers do not use IVs nor nonce. For these
+ *                  ciphers, this function has no effect.
+ */
+int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
+                   const unsigned char *iv, size_t iv_len );
+
+/**
+ * \brief         This function resets the cipher state.
+ *
+ * \param ctx     The generic cipher context.
+ *
+ * \returns       \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+ *                if parameter verification fails.
+ */
+int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx );
+
+#if defined(MBEDTLS_GCM_C)
+/**
+ * \brief               This function adds additional data for AEAD ciphers.
+ *                      Only supported with GCM. Must be called
+ *                      exactly once, after mbedtls_cipher_reset().
+ *
+ * \param ctx           The generic cipher context.
+ * \param ad            The additional data to use.
+ * \param ad_len        the Length of \p ad.
+ *
+ * \return              \c 0 on success, or a specific error code on failure.
+ */
+int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
+                      const unsigned char *ad, size_t ad_len );
+#endif /* MBEDTLS_GCM_C */
+
+/**
+ * \brief               The generic cipher update function. It encrypts or
+ *                      decrypts using the given cipher context. Writes as
+ *                      many block-sized blocks of data as possible to output.
+ *                      Any data that cannot be written immediately is either
+ *                      added to the next block, or flushed when
+ *                      mbedtls_cipher_finish() is called.
+ *                      Exception: For MBEDTLS_MODE_ECB, expects a single block
+ *                      in size. For example, 16 Bytes for AES.
+ *
+ * \param ctx           The generic cipher context.
+ * \param input         The buffer holding the input data.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the output data. Must be able to hold at
+ *                      least \p ilen + block_size. Must not be the same buffer
+ *                      as input.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written.
+ *
+ * \returns             \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if
+ *                      parameter verification fails,
+ *                      #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an
+ *                      unsupported mode for a cipher, or a cipher-specific
+ *                      error code.
+ *
+ * \note                If the underlying cipher is GCM, all calls to this
+ *                      function, except the last one before
+ *                      mbedtls_cipher_finish(). Must have \p ilen as a
+ *                      multiple of the block_size.
+ */
+int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
+                   size_t ilen, unsigned char *output, size_t *olen );
+
+/**
+ * \brief               The generic cipher finalization function. If data still
+ *                      needs to be flushed from an incomplete block, the data
+ *                      contained in it is padded to the size of
+ *                      the last block, and written to the \p output buffer.
+ *
+ * \param ctx           The generic cipher context.
+ * \param output        The buffer to write data to. Needs block_size available.
+ * \param olen          The length of the data written to the \p output buffer.
+ *
+ * \returns             \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if
+ *                      parameter verification fails,
+ *                      #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED if decryption
+ *                      expected a full block but was not provided one,
+ *                      #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
+ *                      while decrypting, or a cipher-specific error code
+ *                      on failure for any other reason.
+ */
+int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
+                   unsigned char *output, size_t *olen );
+
+#if defined(MBEDTLS_GCM_C)
+/**
+ * \brief               This function writes a tag for AEAD ciphers.
+ *                      Only supported with GCM.
+ *                      Must be called after mbedtls_cipher_finish().
+ *
+ * \param ctx           The generic cipher context.
+ * \param tag           The buffer to write the tag to.
+ * \param tag_len       The length of the tag to write.
+ *
+ * \return              \c 0 on success, or a specific error code on failure.
+ */
+int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
+                      unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief               This function checks the tag for AEAD ciphers.
+ *                      Only supported with GCM.
+ *                      Must be called after mbedtls_cipher_finish().
+ *
+ * \param ctx           The generic cipher context.
+ * \param tag           The buffer holding the tag.
+ * \param tag_len       The length of the tag to check.
+ *
+ * \return              \c 0 on success, or a specific error code on failure.
+ */
+int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
+                      const unsigned char *tag, size_t tag_len );
+#endif /* MBEDTLS_GCM_C */
+
+/**
+ * \brief               The generic all-in-one encryption/decryption function,
+ *                      for all ciphers except AEAD constructs.
+ *
+ * \param ctx           The generic cipher context.
+ * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * \param iv_len        The IV length for ciphers with variable-size IV.
+ *                      This parameter is discarded by ciphers with fixed-size
+ *                      IV.
+ * \param input         The buffer holding the input data.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the output data. Must be able to hold at
+ *                      least \p ilen + block_size. Must not be the same buffer
+ *                      as input.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written.
+ *
+ * \note                Some ciphers do not use IVs nor nonce. For these
+ *                      ciphers, use \p iv = NULL and \p iv_len = 0.
+ *
+ * \returns             \c 0 on success, or
+ *                      #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or
+ *                      #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED if decryption
+ *                      expected a full block but was not provided one, or
+ *                      #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
+ *                      while decrypting, or a cipher-specific error code on
+ *                      failure for any other reason.
+ */
+int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
+                  const unsigned char *iv, size_t iv_len,
+                  const unsigned char *input, size_t ilen,
+                  unsigned char *output, size_t *olen );
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+/**
+ * \brief               The generic autenticated encryption (AEAD) function.
+ *
+ * \param ctx           The generic cipher context.
+ * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * \param iv_len        The IV length for ciphers with variable-size IV.
+ *                      This parameter is discarded by ciphers with fixed-size IV.
+ * \param ad            The additional data to authenticate.
+ * \param ad_len        The length of \p ad.
+ * \param input         The buffer holding the input data.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the output data.
+ *                      Must be able to hold at least \p ilen.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written.
+ * \param tag           The buffer for the authentication tag.
+ * \param tag_len       The desired length of the authentication tag.
+ *
+ * \returns             \c 0 on success, or
+ *                      #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or
+ *                      a cipher-specific error code.
+ */
+int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *ad, size_t ad_len,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen,
+                         unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief               The generic autenticated decryption (AEAD) function.
+ *
+ * \param ctx           The generic cipher context.
+ * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * \param iv_len        The IV length for ciphers with variable-size IV.
+ *                      This parameter is discarded by ciphers with fixed-size IV.
+ * \param ad            The additional data to be authenticated.
+ * \param ad_len        The length of \p ad.
+ * \param input         The buffer holding the input data.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the output data.
+ *                      Must be able to hold at least \p ilen.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written.
+ * \param tag           The buffer holding the authentication tag.
+ * \param tag_len       The length of the authentication tag.
+ *
+ * \returns             \c 0 on success, or
+ *                      #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or
+ *                      #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic,
+ *                      or a cipher-specific error code on failure for any other reason.
+ *
+ * \note                If the data is not authentic, then the output buffer
+ *                      is zeroed out to prevent the unauthentic plaintext being
+ *                      used, making this interface safer.
+ */
+int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *ad, size_t ad_len,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen,
+                         const unsigned char *tag, size_t tag_len );
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CIPHER_H */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/cipher_internal.h b/third-party/mbedtls-3.6/include/mbedtls/cipher_internal.h
new file mode 100644
index 00000000..758cf95a
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/cipher_internal.h
@@ -0,0 +1,135 @@
+/**
+ * \file cipher_internal.h
+ *
+ * \brief Cipher wrappers.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_CIPHER_WRAP_H
+#define MBEDTLS_CIPHER_WRAP_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Base cipher information. The non-mode specific functions and values.
+ */
+struct mbedtls_cipher_base_t
+{
+    /** Base Cipher type (e.g. MBEDTLS_CIPHER_ID_AES) */
+    mbedtls_cipher_id_t cipher;
+
+    /** Encrypt using ECB */
+    int (*ecb_func)( void *ctx, mbedtls_operation_t mode,
+                     const unsigned char *input, unsigned char *output );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    /** Encrypt using CBC */
+    int (*cbc_func)( void *ctx, mbedtls_operation_t mode, size_t length,
+                     unsigned char *iv, const unsigned char *input,
+                     unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    /** Encrypt using CFB (Full length) */
+    int (*cfb_func)( void *ctx, mbedtls_operation_t mode, size_t length, size_t *iv_off,
+                     unsigned char *iv, const unsigned char *input,
+                     unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    /** Encrypt using CTR */
+    int (*ctr_func)( void *ctx, size_t length, size_t *nc_off,
+                     unsigned char *nonce_counter, unsigned char *stream_block,
+                     const unsigned char *input, unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    /** Encrypt using STREAM */
+    int (*stream_func)( void *ctx, size_t length,
+                        const unsigned char *input, unsigned char *output );
+#endif
+
+    /** Set key for encryption purposes */
+    int (*setkey_enc_func)( void *ctx, const unsigned char *key,
+                            unsigned int key_bitlen );
+
+    /** Set key for decryption purposes */
+    int (*setkey_dec_func)( void *ctx, const unsigned char *key,
+                            unsigned int key_bitlen);
+
+    /** Allocate a new context */
+    void * (*ctx_alloc_func)( void );
+
+    /** Free the given context */
+    void (*ctx_free_func)( void *ctx );
+
+};
+
+typedef struct
+{
+    mbedtls_cipher_type_t type;
+    const mbedtls_cipher_info_t *info;
+} mbedtls_cipher_definition_t;
+
+extern const mbedtls_cipher_definition_t mbedtls_cipher_definitions[];
+
+extern int mbedtls_cipher_supported[];
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CIPHER_WRAP_H */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/cmac.h b/third-party/mbedtls-3.6/include/mbedtls/cmac.h
new file mode 100644
index 00000000..dbfc1bbf
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/cmac.h
@@ -0,0 +1,239 @@
+/**
+ * \file cmac.h
+ *
+ * \brief The Cipher-based Message Authentication Code (CMAC) Mode for
+ *        Authentication.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_CMAC_H
+#define MBEDTLS_CMAC_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED -0x007A  /**< CMAC hardware accelerator failed. */
+
+#define MBEDTLS_AES_BLOCK_SIZE          16
+#define MBEDTLS_DES3_BLOCK_SIZE         8
+
+#if defined(MBEDTLS_AES_C)
+#define MBEDTLS_CIPHER_BLKSIZE_MAX      16  /* The longest block used by CMAC is that of AES. */
+#else
+#define MBEDTLS_CIPHER_BLKSIZE_MAX      8   /* The longest block used by CMAC is that of 3DES. */
+#endif
+
+#if !defined(MBEDTLS_CMAC_ALT)
+
+/**
+ * The CMAC context structure.
+ */
+struct mbedtls_cmac_context_t
+{
+    /** The internal state of the CMAC algorithm.  */
+    unsigned char       state[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    /** Unprocessed data - either data that was not block aligned and is still
+     *  pending processing, or the final block. */
+    unsigned char       unprocessed_block[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    /** The length of data pending processing. */
+    size_t              unprocessed_len;
+};
+
+/**
+ * \brief               This function sets the CMAC key, and prepares to authenticate
+ *                      the input data.
+ *                      Must be called with an initialized cipher context.
+ *
+ * \param ctx           The cipher context used for the CMAC operation, initialized
+ *                      as one of the following types:<ul>
+ *                      <li>MBEDTLS_CIPHER_AES_128_ECB</li>
+ *                      <li>MBEDTLS_CIPHER_AES_192_ECB</li>
+ *                      <li>MBEDTLS_CIPHER_AES_256_ECB</li>
+ *                      <li>MBEDTLS_CIPHER_DES_EDE3_ECB</li></ul>
+ * \param key           The CMAC key.
+ * \param keybits       The length of the CMAC key in bits.
+ *                      Must be supported by the cipher.
+ *
+ * \return              \c 0 on success, or a cipher-specific error code.
+ */
+int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *key, size_t keybits );
+
+/**
+ * \brief               This function feeds an input buffer into an ongoing CMAC
+ *                      computation.
+ *
+ *                      It is called between mbedtls_cipher_cmac_starts() or
+ *                      mbedtls_cipher_cmac_reset(), and mbedtls_cipher_cmac_finish().
+ *                      Can be called repeatedly.
+ *
+ * \param ctx           The cipher context used for the CMAC operation.
+ * \param input         The buffer holding the input data.
+ * \param ilen          The length of the input data.
+ *
+ * \returns             \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                      if parameter verification fails.
+ */
+int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *input, size_t ilen );
+
+/**
+ * \brief               This function finishes the CMAC operation, and writes
+ *                      the result to the output buffer.
+ *
+ *                      It is called after mbedtls_cipher_cmac_update().
+ *                      It can be followed by mbedtls_cipher_cmac_reset() and
+ *                      mbedtls_cipher_cmac_update(), or mbedtls_cipher_free().
+ *
+ * \param ctx           The cipher context used for the CMAC operation.
+ * \param output        The output buffer for the CMAC checksum result.
+ *
+ * \returns             \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                      if parameter verification fails.
+ */
+int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
+                                unsigned char *output );
+
+/**
+ * \brief               This function prepares the authentication of another
+ *                      message with the same key as the previous CMAC
+ *                      operation.
+ *
+ *                      It is called after mbedtls_cipher_cmac_finish()
+ *                      and before mbedtls_cipher_cmac_update().
+ *
+ * \param ctx           The cipher context used for the CMAC operation.
+ *
+ * \returns             \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                      if parameter verification fails.
+ */
+int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx );
+
+/**
+ * \brief               This function calculates the full generic CMAC
+ *                      on the input buffer with the provided key.
+ *
+ *                      The function allocates the context, performs the
+ *                      calculation, and frees the context.
+ *
+ *                      The CMAC result is calculated as
+ *                      output = generic CMAC(cmac key, input buffer).
+ *
+ *
+ * \param cipher_info   The cipher information.
+ * \param key           The CMAC key.
+ * \param keylen        The length of the CMAC key in bits.
+ * \param input         The buffer holding the input data.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the generic CMAC result.
+ *
+ * \returns             \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                      if parameter verification fails.
+ */
+int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
+                         const unsigned char *key, size_t keylen,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output );
+
+#if defined(MBEDTLS_AES_C)
+/**
+ * \brief           This function implements the AES-CMAC-PRF-128 pseudorandom
+ *                  function, as defined in
+ *                  <em>RFC-4615: The Advanced Encryption Standard-Cipher-based
+ *                  Message Authentication Code-Pseudo-Random Function-128
+ *                  (AES-CMAC-PRF-128) Algorithm for the Internet Key
+ *                  Exchange Protocol (IKE).</em>
+ *
+ * \param key       The key to use.
+ * \param key_len   The key length in Bytes.
+ * \param input     The buffer holding the input data.
+ * \param in_len    The length of the input data in Bytes.
+ * \param output    The buffer holding the generated 16 Bytes of
+ *                  pseudorandom output.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_len,
+                              const unsigned char *input, size_t in_len,
+                              unsigned char output[16] );
+#endif /* MBEDTLS_AES_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* !MBEDTLS_CMAC_ALT */
+#include "cmac_alt.h"
+#endif /* !MBEDTLS_CMAC_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_SELF_TEST) && ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) )
+/**
+ * \brief          The CMAC checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_cmac_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST && ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CMAC_H */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/compat-1.3.h b/third-party/mbedtls-3.6/include/mbedtls/compat-1.3.h
new file mode 100644
index 00000000..b0103cc8
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/compat-1.3.h
@@ -0,0 +1,2555 @@
+/**
+ * \file compat-1.3.h
+ *
+ * \brief Compatibility definitions for using mbed TLS with client code written
+ *  for the PolarSSL naming conventions.
+ *
+ * \deprecated Use the new names directly instead
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Including compat-1.3.h is deprecated"
+#endif
+
+#ifndef MBEDTLS_COMPAT13_H
+#define MBEDTLS_COMPAT13_H
+
+/*
+ * config.h options
+ */
+#if defined MBEDTLS_AESNI_C
+#define POLARSSL_AESNI_C MBEDTLS_AESNI_C
+#endif
+#if defined MBEDTLS_AES_ALT
+#define POLARSSL_AES_ALT MBEDTLS_AES_ALT
+#endif
+#if defined MBEDTLS_AES_C
+#define POLARSSL_AES_C MBEDTLS_AES_C
+#endif
+#if defined MBEDTLS_AES_ROM_TABLES
+#define POLARSSL_AES_ROM_TABLES MBEDTLS_AES_ROM_TABLES
+#endif
+#if defined MBEDTLS_ARC4_ALT
+#define POLARSSL_ARC4_ALT MBEDTLS_ARC4_ALT
+#endif
+#if defined MBEDTLS_ARC4_C
+#define POLARSSL_ARC4_C MBEDTLS_ARC4_C
+#endif
+#if defined MBEDTLS_ASN1_PARSE_C
+#define POLARSSL_ASN1_PARSE_C MBEDTLS_ASN1_PARSE_C
+#endif
+#if defined MBEDTLS_ASN1_WRITE_C
+#define POLARSSL_ASN1_WRITE_C MBEDTLS_ASN1_WRITE_C
+#endif
+#if defined MBEDTLS_BASE64_C
+#define POLARSSL_BASE64_C MBEDTLS_BASE64_C
+#endif
+#if defined MBEDTLS_BIGNUM_C
+#define POLARSSL_BIGNUM_C MBEDTLS_BIGNUM_C
+#endif
+#if defined MBEDTLS_BLOWFISH_ALT
+#define POLARSSL_BLOWFISH_ALT MBEDTLS_BLOWFISH_ALT
+#endif
+#if defined MBEDTLS_BLOWFISH_C
+#define POLARSSL_BLOWFISH_C MBEDTLS_BLOWFISH_C
+#endif
+#if defined MBEDTLS_CAMELLIA_ALT
+#define POLARSSL_CAMELLIA_ALT MBEDTLS_CAMELLIA_ALT
+#endif
+#if defined MBEDTLS_CAMELLIA_C
+#define POLARSSL_CAMELLIA_C MBEDTLS_CAMELLIA_C
+#endif
+#if defined MBEDTLS_CAMELLIA_SMALL_MEMORY
+#define POLARSSL_CAMELLIA_SMALL_MEMORY MBEDTLS_CAMELLIA_SMALL_MEMORY
+#endif
+#if defined MBEDTLS_CCM_C
+#define POLARSSL_CCM_C MBEDTLS_CCM_C
+#endif
+#if defined MBEDTLS_CERTS_C
+#define POLARSSL_CERTS_C MBEDTLS_CERTS_C
+#endif
+#if defined MBEDTLS_CIPHER_C
+#define POLARSSL_CIPHER_C MBEDTLS_CIPHER_C
+#endif
+#if defined MBEDTLS_CIPHER_MODE_CBC
+#define POLARSSL_CIPHER_MODE_CBC MBEDTLS_CIPHER_MODE_CBC
+#endif
+#if defined MBEDTLS_CIPHER_MODE_CFB
+#define POLARSSL_CIPHER_MODE_CFB MBEDTLS_CIPHER_MODE_CFB
+#endif
+#if defined MBEDTLS_CIPHER_MODE_CTR
+#define POLARSSL_CIPHER_MODE_CTR MBEDTLS_CIPHER_MODE_CTR
+#endif
+#if defined MBEDTLS_CIPHER_NULL_CIPHER
+#define POLARSSL_CIPHER_NULL_CIPHER MBEDTLS_CIPHER_NULL_CIPHER
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+#define POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_PKCS7
+#define POLARSSL_CIPHER_PADDING_PKCS7 MBEDTLS_CIPHER_PADDING_PKCS7
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_ZEROS
+#define POLARSSL_CIPHER_PADDING_ZEROS MBEDTLS_CIPHER_PADDING_ZEROS
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
+#define POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
+#endif
+#if defined MBEDTLS_CTR_DRBG_C
+#define POLARSSL_CTR_DRBG_C MBEDTLS_CTR_DRBG_C
+#endif
+#if defined MBEDTLS_DEBUG_C
+#define POLARSSL_DEBUG_C MBEDTLS_DEBUG_C
+#endif
+#if defined MBEDTLS_DEPRECATED_REMOVED
+#define POLARSSL_DEPRECATED_REMOVED MBEDTLS_DEPRECATED_REMOVED
+#endif
+#if defined MBEDTLS_DEPRECATED_WARNING
+#define POLARSSL_DEPRECATED_WARNING MBEDTLS_DEPRECATED_WARNING
+#endif
+#if defined MBEDTLS_DES_ALT
+#define POLARSSL_DES_ALT MBEDTLS_DES_ALT
+#endif
+#if defined MBEDTLS_DES_C
+#define POLARSSL_DES_C MBEDTLS_DES_C
+#endif
+#if defined MBEDTLS_DHM_C
+#define POLARSSL_DHM_C MBEDTLS_DHM_C
+#endif
+#if defined MBEDTLS_ECDH_C
+#define POLARSSL_ECDH_C MBEDTLS_ECDH_C
+#endif
+#if defined MBEDTLS_ECDSA_C
+#define POLARSSL_ECDSA_C MBEDTLS_ECDSA_C
+#endif
+#if defined MBEDTLS_ECDSA_DETERMINISTIC
+#define POLARSSL_ECDSA_DETERMINISTIC MBEDTLS_ECDSA_DETERMINISTIC
+#endif
+#if defined MBEDTLS_ECP_C
+#define POLARSSL_ECP_C MBEDTLS_ECP_C
+#endif
+#if defined MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define POLARSSL_ECP_DP_BP256R1_ENABLED MBEDTLS_ECP_DP_BP256R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define POLARSSL_ECP_DP_BP384R1_ENABLED MBEDTLS_ECP_DP_BP384R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_BP512R1_ENABLED
+#define POLARSSL_ECP_DP_BP512R1_ENABLED MBEDTLS_ECP_DP_BP512R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define POLARSSL_ECP_DP_M255_ENABLED MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define POLARSSL_ECP_DP_SECP192K1_ENABLED MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define POLARSSL_ECP_DP_SECP192R1_ENABLED MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define POLARSSL_ECP_DP_SECP224K1_ENABLED MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define POLARSSL_ECP_DP_SECP224R1_ENABLED MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define POLARSSL_ECP_DP_SECP256K1_ENABLED MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define POLARSSL_ECP_DP_SECP256R1_ENABLED MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define POLARSSL_ECP_DP_SECP384R1_ENABLED MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define POLARSSL_ECP_DP_SECP521R1_ENABLED MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_FIXED_POINT_OPTIM
+#define POLARSSL_ECP_FIXED_POINT_OPTIM MBEDTLS_ECP_FIXED_POINT_OPTIM
+#endif
+#if defined MBEDTLS_ECP_MAX_BITS
+#define POLARSSL_ECP_MAX_BITS MBEDTLS_ECP_MAX_BITS
+#endif
+#if defined MBEDTLS_ECP_NIST_OPTIM
+#define POLARSSL_ECP_NIST_OPTIM MBEDTLS_ECP_NIST_OPTIM
+#endif
+#if defined MBEDTLS_ECP_WINDOW_SIZE
+#define POLARSSL_ECP_WINDOW_SIZE MBEDTLS_ECP_WINDOW_SIZE
+#endif
+#if defined MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+#define POLARSSL_ENABLE_WEAK_CIPHERSUITES MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+#endif
+#if defined MBEDTLS_ENTROPY_C
+#define POLARSSL_ENTROPY_C MBEDTLS_ENTROPY_C
+#endif
+#if defined MBEDTLS_ENTROPY_FORCE_SHA256
+#define POLARSSL_ENTROPY_FORCE_SHA256 MBEDTLS_ENTROPY_FORCE_SHA256
+#endif
+#if defined MBEDTLS_ERROR_C
+#define POLARSSL_ERROR_C MBEDTLS_ERROR_C
+#endif
+#if defined MBEDTLS_ERROR_STRERROR_DUMMY
+#define POLARSSL_ERROR_STRERROR_DUMMY MBEDTLS_ERROR_STRERROR_DUMMY
+#endif
+#if defined MBEDTLS_FS_IO
+#define POLARSSL_FS_IO MBEDTLS_FS_IO
+#endif
+#if defined MBEDTLS_GCM_C
+#define POLARSSL_GCM_C MBEDTLS_GCM_C
+#endif
+#if defined MBEDTLS_GENPRIME
+#define POLARSSL_GENPRIME MBEDTLS_GENPRIME
+#endif
+#if defined MBEDTLS_HAVEGE_C
+#define POLARSSL_HAVEGE_C MBEDTLS_HAVEGE_C
+#endif
+#if defined MBEDTLS_HAVE_ASM
+#define POLARSSL_HAVE_ASM MBEDTLS_HAVE_ASM
+#endif
+#if defined MBEDTLS_HAVE_SSE2
+#define POLARSSL_HAVE_SSE2 MBEDTLS_HAVE_SSE2
+#endif
+#if defined MBEDTLS_HAVE_TIME
+#define POLARSSL_HAVE_TIME MBEDTLS_HAVE_TIME
+#endif
+#if defined MBEDTLS_HMAC_DRBG_C
+#define POLARSSL_HMAC_DRBG_C MBEDTLS_HMAC_DRBG_C
+#endif
+#if defined MBEDTLS_HMAC_DRBG_MAX_INPUT
+#define POLARSSL_HMAC_DRBG_MAX_INPUT MBEDTLS_HMAC_DRBG_MAX_INPUT
+#endif
+#if defined MBEDTLS_HMAC_DRBG_MAX_REQUEST
+#define POLARSSL_HMAC_DRBG_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST
+#endif
+#if defined MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT
+#define POLARSSL_HMAC_DRBG_MAX_SEED_INPUT MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT
+#endif
+#if defined MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
+#define POLARSSL_HMAC_DRBG_RESEED_INTERVAL MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#endif
+#if defined MBEDTLS_MD2_ALT
+#define POLARSSL_MD2_ALT MBEDTLS_MD2_ALT
+#endif
+#if defined MBEDTLS_MD2_C
+#define POLARSSL_MD2_C MBEDTLS_MD2_C
+#endif
+#if defined MBEDTLS_MD2_PROCESS_ALT
+#define POLARSSL_MD2_PROCESS_ALT MBEDTLS_MD2_PROCESS_ALT
+#endif
+#if defined MBEDTLS_MD4_ALT
+#define POLARSSL_MD4_ALT MBEDTLS_MD4_ALT
+#endif
+#if defined MBEDTLS_MD4_C
+#define POLARSSL_MD4_C MBEDTLS_MD4_C
+#endif
+#if defined MBEDTLS_MD4_PROCESS_ALT
+#define POLARSSL_MD4_PROCESS_ALT MBEDTLS_MD4_PROCESS_ALT
+#endif
+#if defined MBEDTLS_MD5_ALT
+#define POLARSSL_MD5_ALT MBEDTLS_MD5_ALT
+#endif
+#if defined MBEDTLS_MD5_C
+#define POLARSSL_MD5_C MBEDTLS_MD5_C
+#endif
+#if defined MBEDTLS_MD5_PROCESS_ALT
+#define POLARSSL_MD5_PROCESS_ALT MBEDTLS_MD5_PROCESS_ALT
+#endif
+#if defined MBEDTLS_MD_C
+#define POLARSSL_MD_C MBEDTLS_MD_C
+#endif
+#if defined MBEDTLS_MEMORY_ALIGN_MULTIPLE
+#define POLARSSL_MEMORY_ALIGN_MULTIPLE MBEDTLS_MEMORY_ALIGN_MULTIPLE
+#endif
+#if defined MBEDTLS_MEMORY_BACKTRACE
+#define POLARSSL_MEMORY_BACKTRACE MBEDTLS_MEMORY_BACKTRACE
+#endif
+#if defined MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define POLARSSL_MEMORY_BUFFER_ALLOC_C MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#endif
+#if defined MBEDTLS_MEMORY_DEBUG
+#define POLARSSL_MEMORY_DEBUG MBEDTLS_MEMORY_DEBUG
+#endif
+#if defined MBEDTLS_MPI_MAX_SIZE
+#define POLARSSL_MPI_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+#if defined MBEDTLS_MPI_WINDOW_SIZE
+#define POLARSSL_MPI_WINDOW_SIZE MBEDTLS_MPI_WINDOW_SIZE
+#endif
+#if defined MBEDTLS_NET_C
+#define POLARSSL_NET_C MBEDTLS_NET_C
+#endif
+#if defined MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#define POLARSSL_NO_DEFAULT_ENTROPY_SOURCES MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#endif
+#if defined MBEDTLS_NO_PLATFORM_ENTROPY
+#define POLARSSL_NO_PLATFORM_ENTROPY MBEDTLS_NO_PLATFORM_ENTROPY
+#endif
+#if defined MBEDTLS_OID_C
+#define POLARSSL_OID_C MBEDTLS_OID_C
+#endif
+#if defined MBEDTLS_PADLOCK_C
+#define POLARSSL_PADLOCK_C MBEDTLS_PADLOCK_C
+#endif
+#if defined MBEDTLS_PEM_PARSE_C
+#define POLARSSL_PEM_PARSE_C MBEDTLS_PEM_PARSE_C
+#endif
+#if defined MBEDTLS_PEM_WRITE_C
+#define POLARSSL_PEM_WRITE_C MBEDTLS_PEM_WRITE_C
+#endif
+#if defined MBEDTLS_PKCS11_C
+#define POLARSSL_PKCS11_C MBEDTLS_PKCS11_C
+#endif
+#if defined MBEDTLS_PKCS12_C
+#define POLARSSL_PKCS12_C MBEDTLS_PKCS12_C
+#endif
+#if defined MBEDTLS_PKCS1_V15
+#define POLARSSL_PKCS1_V15 MBEDTLS_PKCS1_V15
+#endif
+#if defined MBEDTLS_PKCS1_V21
+#define POLARSSL_PKCS1_V21 MBEDTLS_PKCS1_V21
+#endif
+#if defined MBEDTLS_PKCS5_C
+#define POLARSSL_PKCS5_C MBEDTLS_PKCS5_C
+#endif
+#if defined MBEDTLS_PK_C
+#define POLARSSL_PK_C MBEDTLS_PK_C
+#endif
+#if defined MBEDTLS_PK_PARSE_C
+#define POLARSSL_PK_PARSE_C MBEDTLS_PK_PARSE_C
+#endif
+#if defined MBEDTLS_PK_PARSE_EC_EXTENDED
+#define POLARSSL_PK_PARSE_EC_EXTENDED MBEDTLS_PK_PARSE_EC_EXTENDED
+#endif
+#if defined MBEDTLS_PK_RSA_ALT_SUPPORT
+#define POLARSSL_PK_RSA_ALT_SUPPORT MBEDTLS_PK_RSA_ALT_SUPPORT
+#endif
+#if defined MBEDTLS_PK_WRITE_C
+#define POLARSSL_PK_WRITE_C MBEDTLS_PK_WRITE_C
+#endif
+#if defined MBEDTLS_PLATFORM_C
+#define POLARSSL_PLATFORM_C MBEDTLS_PLATFORM_C
+#endif
+#if defined MBEDTLS_PLATFORM_EXIT_ALT
+#define POLARSSL_PLATFORM_EXIT_ALT MBEDTLS_PLATFORM_EXIT_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_EXIT_MACRO
+#define POLARSSL_PLATFORM_EXIT_MACRO MBEDTLS_PLATFORM_EXIT_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_FPRINTF_ALT
+#define POLARSSL_PLATFORM_FPRINTF_ALT MBEDTLS_PLATFORM_FPRINTF_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_FPRINTF_MACRO
+#define POLARSSL_PLATFORM_FPRINTF_MACRO MBEDTLS_PLATFORM_FPRINTF_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_FREE_MACRO
+#define POLARSSL_PLATFORM_FREE_MACRO MBEDTLS_PLATFORM_FREE_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_MEMORY
+#define POLARSSL_PLATFORM_MEMORY MBEDTLS_PLATFORM_MEMORY
+#endif
+#if defined MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define POLARSSL_PLATFORM_NO_STD_FUNCTIONS MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#endif
+#if defined MBEDTLS_PLATFORM_PRINTF_ALT
+#define POLARSSL_PLATFORM_PRINTF_ALT MBEDTLS_PLATFORM_PRINTF_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_PRINTF_MACRO
+#define POLARSSL_PLATFORM_PRINTF_MACRO MBEDTLS_PLATFORM_PRINTF_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_SNPRINTF_ALT
+#define POLARSSL_PLATFORM_SNPRINTF_ALT MBEDTLS_PLATFORM_SNPRINTF_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#define POLARSSL_PLATFORM_SNPRINTF_MACRO MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_STD_EXIT
+#define POLARSSL_PLATFORM_STD_EXIT MBEDTLS_PLATFORM_STD_EXIT
+#endif
+#if defined MBEDTLS_PLATFORM_STD_FPRINTF
+#define POLARSSL_PLATFORM_STD_FPRINTF MBEDTLS_PLATFORM_STD_FPRINTF
+#endif
+#if defined MBEDTLS_PLATFORM_STD_FREE
+#define POLARSSL_PLATFORM_STD_FREE MBEDTLS_PLATFORM_STD_FREE
+#endif
+#if defined MBEDTLS_PLATFORM_STD_MEM_HDR
+#define POLARSSL_PLATFORM_STD_MEM_HDR MBEDTLS_PLATFORM_STD_MEM_HDR
+#endif
+#if defined MBEDTLS_PLATFORM_STD_PRINTF
+#define POLARSSL_PLATFORM_STD_PRINTF MBEDTLS_PLATFORM_STD_PRINTF
+#endif
+#if defined MBEDTLS_PLATFORM_STD_SNPRINTF
+#define POLARSSL_PLATFORM_STD_SNPRINTF MBEDTLS_PLATFORM_STD_SNPRINTF
+#endif
+#if defined MBEDTLS_PSK_MAX_LEN
+#define POLARSSL_PSK_MAX_LEN MBEDTLS_PSK_MAX_LEN
+#endif
+#if defined MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#define POLARSSL_REMOVE_ARC4_CIPHERSUITES MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#endif
+#if defined MBEDTLS_RIPEMD160_ALT
+#define POLARSSL_RIPEMD160_ALT MBEDTLS_RIPEMD160_ALT
+#endif
+#if defined MBEDTLS_RIPEMD160_C
+#define POLARSSL_RIPEMD160_C MBEDTLS_RIPEMD160_C
+#endif
+#if defined MBEDTLS_RIPEMD160_PROCESS_ALT
+#define POLARSSL_RIPEMD160_PROCESS_ALT MBEDTLS_RIPEMD160_PROCESS_ALT
+#endif
+#if defined MBEDTLS_RSA_C
+#define POLARSSL_RSA_C MBEDTLS_RSA_C
+#endif
+#if defined MBEDTLS_RSA_NO_CRT
+#define POLARSSL_RSA_NO_CRT MBEDTLS_RSA_NO_CRT
+#endif
+#if defined MBEDTLS_SELF_TEST
+#define POLARSSL_SELF_TEST MBEDTLS_SELF_TEST
+#endif
+#if defined MBEDTLS_SHA1_ALT
+#define POLARSSL_SHA1_ALT MBEDTLS_SHA1_ALT
+#endif
+#if defined MBEDTLS_SHA1_C
+#define POLARSSL_SHA1_C MBEDTLS_SHA1_C
+#endif
+#if defined MBEDTLS_SHA1_PROCESS_ALT
+#define POLARSSL_SHA1_PROCESS_ALT MBEDTLS_SHA1_PROCESS_ALT
+#endif
+#if defined MBEDTLS_SHA256_ALT
+#define POLARSSL_SHA256_ALT MBEDTLS_SHA256_ALT
+#endif
+#if defined MBEDTLS_SHA256_C
+#define POLARSSL_SHA256_C MBEDTLS_SHA256_C
+#endif
+#if defined MBEDTLS_SHA256_PROCESS_ALT
+#define POLARSSL_SHA256_PROCESS_ALT MBEDTLS_SHA256_PROCESS_ALT
+#endif
+#if defined MBEDTLS_SHA512_ALT
+#define POLARSSL_SHA512_ALT MBEDTLS_SHA512_ALT
+#endif
+#if defined MBEDTLS_SHA512_C
+#define POLARSSL_SHA512_C MBEDTLS_SHA512_C
+#endif
+#if defined MBEDTLS_SHA512_PROCESS_ALT
+#define POLARSSL_SHA512_PROCESS_ALT MBEDTLS_SHA512_PROCESS_ALT
+#endif
+#if defined MBEDTLS_SSL_ALL_ALERT_MESSAGES
+#define POLARSSL_SSL_ALL_ALERT_MESSAGES MBEDTLS_SSL_ALL_ALERT_MESSAGES
+#endif
+#if defined MBEDTLS_SSL_ALPN
+#define POLARSSL_SSL_ALPN MBEDTLS_SSL_ALPN
+#endif
+#if defined MBEDTLS_SSL_CACHE_C
+#define POLARSSL_SSL_CACHE_C MBEDTLS_SSL_CACHE_C
+#endif
+#if defined MBEDTLS_SSL_CBC_RECORD_SPLITTING
+#define POLARSSL_SSL_CBC_RECORD_SPLITTING MBEDTLS_SSL_CBC_RECORD_SPLITTING
+#endif
+#if defined MBEDTLS_SSL_CLI_C
+#define POLARSSL_SSL_CLI_C MBEDTLS_SSL_CLI_C
+#endif
+#if defined MBEDTLS_SSL_COOKIE_C
+#define POLARSSL_SSL_COOKIE_C MBEDTLS_SSL_COOKIE_C
+#endif
+#if defined MBEDTLS_SSL_COOKIE_TIMEOUT
+#define POLARSSL_SSL_COOKIE_TIMEOUT MBEDTLS_SSL_COOKIE_TIMEOUT
+#endif
+#if defined MBEDTLS_SSL_DEBUG_ALL
+#define POLARSSL_SSL_DEBUG_ALL MBEDTLS_SSL_DEBUG_ALL
+#endif
+#if defined MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#define POLARSSL_SSL_DTLS_ANTI_REPLAY MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#endif
+#if defined MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+#define POLARSSL_SSL_DTLS_BADMAC_LIMIT MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+#endif
+#if defined MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#define POLARSSL_SSL_DTLS_HELLO_VERIFY MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#endif
+#if defined MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#define POLARSSL_SSL_ENCRYPT_THEN_MAC MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#endif
+#if defined MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#define POLARSSL_SSL_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#endif
+#if defined MBEDTLS_SSL_FALLBACK_SCSV
+#define POLARSSL_SSL_FALLBACK_SCSV MBEDTLS_SSL_FALLBACK_SCSV
+#endif
+#if defined MBEDTLS_SSL_HW_RECORD_ACCEL
+#define POLARSSL_SSL_HW_RECORD_ACCEL MBEDTLS_SSL_HW_RECORD_ACCEL
+#endif
+#if defined MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+#define POLARSSL_SSL_MAX_FRAGMENT_LENGTH MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+#endif
+#if defined MBEDTLS_SSL_PROTO_DTLS
+#define POLARSSL_SSL_PROTO_DTLS MBEDTLS_SSL_PROTO_DTLS
+#endif
+#if defined MBEDTLS_SSL_PROTO_SSL3
+#define POLARSSL_SSL_PROTO_SSL3 MBEDTLS_SSL_PROTO_SSL3
+#endif
+#if defined MBEDTLS_SSL_PROTO_TLS1
+#define POLARSSL_SSL_PROTO_TLS1 MBEDTLS_SSL_PROTO_TLS1
+#endif
+#if defined MBEDTLS_SSL_PROTO_TLS1_1
+#define POLARSSL_SSL_PROTO_TLS1_1 MBEDTLS_SSL_PROTO_TLS1_1
+#endif
+#if defined MBEDTLS_SSL_PROTO_TLS1_2
+#define POLARSSL_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_2
+#endif
+#if defined MBEDTLS_SSL_RENEGOTIATION
+#define POLARSSL_SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
+#endif
+#if defined MBEDTLS_SSL_SERVER_NAME_INDICATION
+#define POLARSSL_SSL_SERVER_NAME_INDICATION MBEDTLS_SSL_SERVER_NAME_INDICATION
+#endif
+#if defined MBEDTLS_SSL_SESSION_TICKETS
+#define POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS
+#endif
+#if defined MBEDTLS_SSL_SRV_C
+#define POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C
+#endif
+#if defined MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+#define POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+#endif
+#if defined MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+#define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+#endif
+#if defined MBEDTLS_SSL_TLS_C
+#define POLARSSL_SSL_TLS_C MBEDTLS_SSL_TLS_C
+#endif
+#if defined MBEDTLS_SSL_TRUNCATED_HMAC
+#define POLARSSL_SSL_TRUNCATED_HMAC MBEDTLS_SSL_TRUNCATED_HMAC
+#endif
+#if defined MBEDTLS_THREADING_ALT
+#define POLARSSL_THREADING_ALT MBEDTLS_THREADING_ALT
+#endif
+#if defined MBEDTLS_THREADING_C
+#define POLARSSL_THREADING_C MBEDTLS_THREADING_C
+#endif
+#if defined MBEDTLS_THREADING_PTHREAD
+#define POLARSSL_THREADING_PTHREAD MBEDTLS_THREADING_PTHREAD
+#endif
+#if defined MBEDTLS_TIMING_ALT
+#define POLARSSL_TIMING_ALT MBEDTLS_TIMING_ALT
+#endif
+#if defined MBEDTLS_TIMING_C
+#define POLARSSL_TIMING_C MBEDTLS_TIMING_C
+#endif
+#if defined MBEDTLS_VERSION_C
+#define POLARSSL_VERSION_C MBEDTLS_VERSION_C
+#endif
+#if defined MBEDTLS_VERSION_FEATURES
+#define POLARSSL_VERSION_FEATURES MBEDTLS_VERSION_FEATURES
+#endif
+#if defined MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+#define POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3 MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+#endif
+#if defined MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#endif
+#if defined MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#define POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#endif
+#if defined MBEDTLS_X509_CHECK_KEY_USAGE
+#define POLARSSL_X509_CHECK_KEY_USAGE MBEDTLS_X509_CHECK_KEY_USAGE
+#endif
+#if defined MBEDTLS_X509_CREATE_C
+#define POLARSSL_X509_CREATE_C MBEDTLS_X509_CREATE_C
+#endif
+#if defined MBEDTLS_X509_CRL_PARSE_C
+#define POLARSSL_X509_CRL_PARSE_C MBEDTLS_X509_CRL_PARSE_C
+#endif
+#if defined MBEDTLS_X509_CRT_PARSE_C
+#define POLARSSL_X509_CRT_PARSE_C MBEDTLS_X509_CRT_PARSE_C
+#endif
+#if defined MBEDTLS_X509_CRT_WRITE_C
+#define POLARSSL_X509_CRT_WRITE_C MBEDTLS_X509_CRT_WRITE_C
+#endif
+#if defined MBEDTLS_X509_CSR_PARSE_C
+#define POLARSSL_X509_CSR_PARSE_C MBEDTLS_X509_CSR_PARSE_C
+#endif
+#if defined MBEDTLS_X509_CSR_WRITE_C
+#define POLARSSL_X509_CSR_WRITE_C MBEDTLS_X509_CSR_WRITE_C
+#endif
+#if defined MBEDTLS_X509_MAX_INTERMEDIATE_CA
+#define POLARSSL_X509_MAX_INTERMEDIATE_CA MBEDTLS_X509_MAX_INTERMEDIATE_CA
+#endif
+#if defined MBEDTLS_X509_RSASSA_PSS_SUPPORT
+#define POLARSSL_X509_RSASSA_PSS_SUPPORT MBEDTLS_X509_RSASSA_PSS_SUPPORT
+#endif
+#if defined MBEDTLS_X509_USE_C
+#define POLARSSL_X509_USE_C MBEDTLS_X509_USE_C
+#endif
+#if defined MBEDTLS_XTEA_ALT
+#define POLARSSL_XTEA_ALT MBEDTLS_XTEA_ALT
+#endif
+#if defined MBEDTLS_XTEA_C
+#define POLARSSL_XTEA_C MBEDTLS_XTEA_C
+#endif
+#if defined MBEDTLS_ZLIB_SUPPORT
+#define POLARSSL_ZLIB_SUPPORT MBEDTLS_ZLIB_SUPPORT
+#endif
+
+/*
+ * Misc names (macros, types, functions, enum constants...)
+ */
+#define AES_DECRYPT MBEDTLS_AES_DECRYPT
+#define AES_ENCRYPT MBEDTLS_AES_ENCRYPT
+#define ASN1_BIT_STRING MBEDTLS_ASN1_BIT_STRING
+#define ASN1_BMP_STRING MBEDTLS_ASN1_BMP_STRING
+#define ASN1_BOOLEAN MBEDTLS_ASN1_BOOLEAN
+#define ASN1_CHK_ADD MBEDTLS_ASN1_CHK_ADD
+#define ASN1_CONSTRUCTED MBEDTLS_ASN1_CONSTRUCTED
+#define ASN1_CONTEXT_SPECIFIC MBEDTLS_ASN1_CONTEXT_SPECIFIC
+#define ASN1_GENERALIZED_TIME MBEDTLS_ASN1_GENERALIZED_TIME
+#define ASN1_IA5_STRING MBEDTLS_ASN1_IA5_STRING
+#define ASN1_INTEGER MBEDTLS_ASN1_INTEGER
+#define ASN1_NULL MBEDTLS_ASN1_NULL
+#define ASN1_OCTET_STRING MBEDTLS_ASN1_OCTET_STRING
+#define ASN1_OID MBEDTLS_ASN1_OID
+#define ASN1_PRIMITIVE MBEDTLS_ASN1_PRIMITIVE
+#define ASN1_PRINTABLE_STRING MBEDTLS_ASN1_PRINTABLE_STRING
+#define ASN1_SEQUENCE MBEDTLS_ASN1_SEQUENCE
+#define ASN1_SET MBEDTLS_ASN1_SET
+#define ASN1_T61_STRING MBEDTLS_ASN1_T61_STRING
+#define ASN1_UNIVERSAL_STRING MBEDTLS_ASN1_UNIVERSAL_STRING
+#define ASN1_UTC_TIME MBEDTLS_ASN1_UTC_TIME
+#define ASN1_UTF8_STRING MBEDTLS_ASN1_UTF8_STRING
+#define BADCERT_CN_MISMATCH MBEDTLS_X509_BADCERT_CN_MISMATCH
+#define BADCERT_EXPIRED MBEDTLS_X509_BADCERT_EXPIRED
+#define BADCERT_FUTURE MBEDTLS_X509_BADCERT_FUTURE
+#define BADCERT_MISSING MBEDTLS_X509_BADCERT_MISSING
+#define BADCERT_NOT_TRUSTED MBEDTLS_X509_BADCERT_NOT_TRUSTED
+#define BADCERT_OTHER MBEDTLS_X509_BADCERT_OTHER
+#define BADCERT_REVOKED MBEDTLS_X509_BADCERT_REVOKED
+#define BADCERT_SKIP_VERIFY MBEDTLS_X509_BADCERT_SKIP_VERIFY
+#define BADCRL_EXPIRED MBEDTLS_X509_BADCRL_EXPIRED
+#define BADCRL_FUTURE MBEDTLS_X509_BADCRL_FUTURE
+#define BADCRL_NOT_TRUSTED MBEDTLS_X509_BADCRL_NOT_TRUSTED
+#define BLOWFISH_BLOCKSIZE MBEDTLS_BLOWFISH_BLOCKSIZE
+#define BLOWFISH_DECRYPT MBEDTLS_BLOWFISH_DECRYPT
+#define BLOWFISH_ENCRYPT MBEDTLS_BLOWFISH_ENCRYPT
+#define BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
+#define BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
+#define BLOWFISH_ROUNDS MBEDTLS_BLOWFISH_ROUNDS
+#define CAMELLIA_DECRYPT MBEDTLS_CAMELLIA_DECRYPT
+#define CAMELLIA_ENCRYPT MBEDTLS_CAMELLIA_ENCRYPT
+#define COLLECT_SIZE MBEDTLS_HAVEGE_COLLECT_SIZE
+#define CTR_DRBG_BLOCKSIZE MBEDTLS_CTR_DRBG_BLOCKSIZE
+#define CTR_DRBG_ENTROPY_LEN MBEDTLS_CTR_DRBG_ENTROPY_LEN
+#define CTR_DRBG_KEYBITS MBEDTLS_CTR_DRBG_KEYBITS
+#define CTR_DRBG_KEYSIZE MBEDTLS_CTR_DRBG_KEYSIZE
+#define CTR_DRBG_MAX_INPUT MBEDTLS_CTR_DRBG_MAX_INPUT
+#define CTR_DRBG_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST
+#define CTR_DRBG_MAX_SEED_INPUT MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+#define CTR_DRBG_PR_OFF MBEDTLS_CTR_DRBG_PR_OFF
+#define CTR_DRBG_PR_ON MBEDTLS_CTR_DRBG_PR_ON
+#define CTR_DRBG_RESEED_INTERVAL MBEDTLS_CTR_DRBG_RESEED_INTERVAL
+#define CTR_DRBG_SEEDLEN MBEDTLS_CTR_DRBG_SEEDLEN
+#define DEPRECATED MBEDTLS_DEPRECATED
+#define DES_DECRYPT MBEDTLS_DES_DECRYPT
+#define DES_ENCRYPT MBEDTLS_DES_ENCRYPT
+#define DES_KEY_SIZE MBEDTLS_DES_KEY_SIZE
+#define ENTROPY_BLOCK_SIZE MBEDTLS_ENTROPY_BLOCK_SIZE
+#define ENTROPY_MAX_GATHER MBEDTLS_ENTROPY_MAX_GATHER
+#define ENTROPY_MAX_SEED_SIZE MBEDTLS_ENTROPY_MAX_SEED_SIZE
+#define ENTROPY_MAX_SOURCES MBEDTLS_ENTROPY_MAX_SOURCES
+#define ENTROPY_MIN_HARDCLOCK MBEDTLS_ENTROPY_MIN_HARDCLOCK
+#define ENTROPY_MIN_HAVEGE MBEDTLS_ENTROPY_MIN_HAVEGE
+#define ENTROPY_MIN_PLATFORM MBEDTLS_ENTROPY_MIN_PLATFORM
+#define ENTROPY_SOURCE_MANUAL MBEDTLS_ENTROPY_SOURCE_MANUAL
+#define EXT_AUTHORITY_KEY_IDENTIFIER MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER
+#define EXT_BASIC_CONSTRAINTS MBEDTLS_X509_EXT_BASIC_CONSTRAINTS
+#define EXT_CERTIFICATE_POLICIES MBEDTLS_X509_EXT_CERTIFICATE_POLICIES
+#define EXT_CRL_DISTRIBUTION_POINTS MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS
+#define EXT_EXTENDED_KEY_USAGE MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE
+#define EXT_FRESHEST_CRL MBEDTLS_X509_EXT_FRESHEST_CRL
+#define EXT_INIHIBIT_ANYPOLICY MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY
+#define EXT_ISSUER_ALT_NAME MBEDTLS_X509_EXT_ISSUER_ALT_NAME
+#define EXT_KEY_USAGE MBEDTLS_X509_EXT_KEY_USAGE
+#define EXT_NAME_CONSTRAINTS MBEDTLS_X509_EXT_NAME_CONSTRAINTS
+#define EXT_NS_CERT_TYPE MBEDTLS_X509_EXT_NS_CERT_TYPE
+#define EXT_POLICY_CONSTRAINTS MBEDTLS_X509_EXT_POLICY_CONSTRAINTS
+#define EXT_POLICY_MAPPINGS MBEDTLS_X509_EXT_POLICY_MAPPINGS
+#define EXT_SUBJECT_ALT_NAME MBEDTLS_X509_EXT_SUBJECT_ALT_NAME
+#define EXT_SUBJECT_DIRECTORY_ATTRS MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS
+#define EXT_SUBJECT_KEY_IDENTIFIER MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER
+#define GCM_DECRYPT MBEDTLS_GCM_DECRYPT
+#define GCM_ENCRYPT MBEDTLS_GCM_ENCRYPT
+#define KU_CRL_SIGN MBEDTLS_X509_KU_CRL_SIGN
+#define KU_DATA_ENCIPHERMENT MBEDTLS_X509_KU_DATA_ENCIPHERMENT
+#define KU_DIGITAL_SIGNATURE MBEDTLS_X509_KU_DIGITAL_SIGNATURE
+#define KU_KEY_AGREEMENT MBEDTLS_X509_KU_KEY_AGREEMENT
+#define KU_KEY_CERT_SIGN MBEDTLS_X509_KU_KEY_CERT_SIGN
+#define KU_KEY_ENCIPHERMENT MBEDTLS_X509_KU_KEY_ENCIPHERMENT
+#define KU_NON_REPUDIATION MBEDTLS_X509_KU_NON_REPUDIATION
+#define LN_2_DIV_LN_10_SCALE100 MBEDTLS_LN_2_DIV_LN_10_SCALE100
+#define MEMORY_VERIFY_ALLOC MBEDTLS_MEMORY_VERIFY_ALLOC
+#define MEMORY_VERIFY_ALWAYS MBEDTLS_MEMORY_VERIFY_ALWAYS
+#define MEMORY_VERIFY_FREE MBEDTLS_MEMORY_VERIFY_FREE
+#define MEMORY_VERIFY_NONE MBEDTLS_MEMORY_VERIFY_NONE
+#define MPI_CHK MBEDTLS_MPI_CHK
+#define NET_PROTO_TCP MBEDTLS_NET_PROTO_TCP
+#define NET_PROTO_UDP MBEDTLS_NET_PROTO_UDP
+#define NS_CERT_TYPE_EMAIL MBEDTLS_X509_NS_CERT_TYPE_EMAIL
+#define NS_CERT_TYPE_EMAIL_CA MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA
+#define NS_CERT_TYPE_OBJECT_SIGNING MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING
+#define NS_CERT_TYPE_OBJECT_SIGNING_CA MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA
+#define NS_CERT_TYPE_RESERVED MBEDTLS_X509_NS_CERT_TYPE_RESERVED
+#define NS_CERT_TYPE_SSL_CA MBEDTLS_X509_NS_CERT_TYPE_SSL_CA
+#define NS_CERT_TYPE_SSL_CLIENT MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT
+#define NS_CERT_TYPE_SSL_SERVER MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER
+#define OID_ANSI_X9_62 MBEDTLS_OID_ANSI_X9_62
+#define OID_ANSI_X9_62_FIELD_TYPE MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE
+#define OID_ANSI_X9_62_PRIME_FIELD MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD
+#define OID_ANSI_X9_62_SIG MBEDTLS_OID_ANSI_X9_62_SIG
+#define OID_ANSI_X9_62_SIG_SHA2 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2
+#define OID_ANY_EXTENDED_KEY_USAGE MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE
+#define OID_AT MBEDTLS_OID_AT
+#define OID_AT_CN MBEDTLS_OID_AT_CN
+#define OID_AT_COUNTRY MBEDTLS_OID_AT_COUNTRY
+#define OID_AT_DN_QUALIFIER MBEDTLS_OID_AT_DN_QUALIFIER
+#define OID_AT_GENERATION_QUALIFIER MBEDTLS_OID_AT_GENERATION_QUALIFIER
+#define OID_AT_GIVEN_NAME MBEDTLS_OID_AT_GIVEN_NAME
+#define OID_AT_INITIALS MBEDTLS_OID_AT_INITIALS
+#define OID_AT_LOCALITY MBEDTLS_OID_AT_LOCALITY
+#define OID_AT_ORGANIZATION MBEDTLS_OID_AT_ORGANIZATION
+#define OID_AT_ORG_UNIT MBEDTLS_OID_AT_ORG_UNIT
+#define OID_AT_POSTAL_ADDRESS MBEDTLS_OID_AT_POSTAL_ADDRESS
+#define OID_AT_POSTAL_CODE MBEDTLS_OID_AT_POSTAL_CODE
+#define OID_AT_PSEUDONYM MBEDTLS_OID_AT_PSEUDONYM
+#define OID_AT_SERIAL_NUMBER MBEDTLS_OID_AT_SERIAL_NUMBER
+#define OID_AT_STATE MBEDTLS_OID_AT_STATE
+#define OID_AT_SUR_NAME MBEDTLS_OID_AT_SUR_NAME
+#define OID_AT_TITLE MBEDTLS_OID_AT_TITLE
+#define OID_AT_UNIQUE_IDENTIFIER MBEDTLS_OID_AT_UNIQUE_IDENTIFIER
+#define OID_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER
+#define OID_BASIC_CONSTRAINTS MBEDTLS_OID_BASIC_CONSTRAINTS
+#define OID_CERTICOM MBEDTLS_OID_CERTICOM
+#define OID_CERTIFICATE_POLICIES MBEDTLS_OID_CERTIFICATE_POLICIES
+#define OID_CLIENT_AUTH MBEDTLS_OID_CLIENT_AUTH
+#define OID_CMP MBEDTLS_OID_CMP
+#define OID_CODE_SIGNING MBEDTLS_OID_CODE_SIGNING
+#define OID_COUNTRY_US MBEDTLS_OID_COUNTRY_US
+#define OID_CRL_DISTRIBUTION_POINTS MBEDTLS_OID_CRL_DISTRIBUTION_POINTS
+#define OID_CRL_NUMBER MBEDTLS_OID_CRL_NUMBER
+#define OID_DES_CBC MBEDTLS_OID_DES_CBC
+#define OID_DES_EDE3_CBC MBEDTLS_OID_DES_EDE3_CBC
+#define OID_DIGEST_ALG_MD2 MBEDTLS_OID_DIGEST_ALG_MD2
+#define OID_DIGEST_ALG_MD4 MBEDTLS_OID_DIGEST_ALG_MD4
+#define OID_DIGEST_ALG_MD5 MBEDTLS_OID_DIGEST_ALG_MD5
+#define OID_DIGEST_ALG_SHA1 MBEDTLS_OID_DIGEST_ALG_SHA1
+#define OID_DIGEST_ALG_SHA224 MBEDTLS_OID_DIGEST_ALG_SHA224
+#define OID_DIGEST_ALG_SHA256 MBEDTLS_OID_DIGEST_ALG_SHA256
+#define OID_DIGEST_ALG_SHA384 MBEDTLS_OID_DIGEST_ALG_SHA384
+#define OID_DIGEST_ALG_SHA512 MBEDTLS_OID_DIGEST_ALG_SHA512
+#define OID_DOMAIN_COMPONENT MBEDTLS_OID_DOMAIN_COMPONENT
+#define OID_ECDSA_SHA1 MBEDTLS_OID_ECDSA_SHA1
+#define OID_ECDSA_SHA224 MBEDTLS_OID_ECDSA_SHA224
+#define OID_ECDSA_SHA256 MBEDTLS_OID_ECDSA_SHA256
+#define OID_ECDSA_SHA384 MBEDTLS_OID_ECDSA_SHA384
+#define OID_ECDSA_SHA512 MBEDTLS_OID_ECDSA_SHA512
+#define OID_EC_ALG_ECDH MBEDTLS_OID_EC_ALG_ECDH
+#define OID_EC_ALG_UNRESTRICTED MBEDTLS_OID_EC_ALG_UNRESTRICTED
+#define OID_EC_BRAINPOOL_V1 MBEDTLS_OID_EC_BRAINPOOL_V1
+#define OID_EC_GRP_BP256R1 MBEDTLS_OID_EC_GRP_BP256R1
+#define OID_EC_GRP_BP384R1 MBEDTLS_OID_EC_GRP_BP384R1
+#define OID_EC_GRP_BP512R1 MBEDTLS_OID_EC_GRP_BP512R1
+#define OID_EC_GRP_SECP192K1 MBEDTLS_OID_EC_GRP_SECP192K1
+#define OID_EC_GRP_SECP192R1 MBEDTLS_OID_EC_GRP_SECP192R1
+#define OID_EC_GRP_SECP224K1 MBEDTLS_OID_EC_GRP_SECP224K1
+#define OID_EC_GRP_SECP224R1 MBEDTLS_OID_EC_GRP_SECP224R1
+#define OID_EC_GRP_SECP256K1 MBEDTLS_OID_EC_GRP_SECP256K1
+#define OID_EC_GRP_SECP256R1 MBEDTLS_OID_EC_GRP_SECP256R1
+#define OID_EC_GRP_SECP384R1 MBEDTLS_OID_EC_GRP_SECP384R1
+#define OID_EC_GRP_SECP521R1 MBEDTLS_OID_EC_GRP_SECP521R1
+#define OID_EMAIL_PROTECTION MBEDTLS_OID_EMAIL_PROTECTION
+#define OID_EXTENDED_KEY_USAGE MBEDTLS_OID_EXTENDED_KEY_USAGE
+#define OID_FRESHEST_CRL MBEDTLS_OID_FRESHEST_CRL
+#define OID_GOV MBEDTLS_OID_GOV
+#define OID_HMAC_SHA1 MBEDTLS_OID_HMAC_SHA1
+#define OID_ID_CE MBEDTLS_OID_ID_CE
+#define OID_INIHIBIT_ANYPOLICY MBEDTLS_OID_INIHIBIT_ANYPOLICY
+#define OID_ISO_CCITT_DS MBEDTLS_OID_ISO_CCITT_DS
+#define OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ISO_IDENTIFIED_ORG
+#define OID_ISO_ITU_COUNTRY MBEDTLS_OID_ISO_ITU_COUNTRY
+#define OID_ISO_ITU_US_ORG MBEDTLS_OID_ISO_ITU_US_ORG
+#define OID_ISO_MEMBER_BODIES MBEDTLS_OID_ISO_MEMBER_BODIES
+#define OID_ISSUER_ALT_NAME MBEDTLS_OID_ISSUER_ALT_NAME
+#define OID_KEY_USAGE MBEDTLS_OID_KEY_USAGE
+#define OID_KP MBEDTLS_OID_KP
+#define OID_MGF1 MBEDTLS_OID_MGF1
+#define OID_NAME_CONSTRAINTS MBEDTLS_OID_NAME_CONSTRAINTS
+#define OID_NETSCAPE MBEDTLS_OID_NETSCAPE
+#define OID_NS_BASE_URL MBEDTLS_OID_NS_BASE_URL
+#define OID_NS_CA_POLICY_URL MBEDTLS_OID_NS_CA_POLICY_URL
+#define OID_NS_CA_REVOCATION_URL MBEDTLS_OID_NS_CA_REVOCATION_URL
+#define OID_NS_CERT MBEDTLS_OID_NS_CERT
+#define OID_NS_CERT_SEQUENCE MBEDTLS_OID_NS_CERT_SEQUENCE
+#define OID_NS_CERT_TYPE MBEDTLS_OID_NS_CERT_TYPE
+#define OID_NS_COMMENT MBEDTLS_OID_NS_COMMENT
+#define OID_NS_DATA_TYPE MBEDTLS_OID_NS_DATA_TYPE
+#define OID_NS_RENEWAL_URL MBEDTLS_OID_NS_RENEWAL_URL
+#define OID_NS_REVOCATION_URL MBEDTLS_OID_NS_REVOCATION_URL
+#define OID_NS_SSL_SERVER_NAME MBEDTLS_OID_NS_SSL_SERVER_NAME
+#define OID_OCSP_SIGNING MBEDTLS_OID_OCSP_SIGNING
+#define OID_OIW_SECSIG MBEDTLS_OID_OIW_SECSIG
+#define OID_OIW_SECSIG_ALG MBEDTLS_OID_OIW_SECSIG_ALG
+#define OID_OIW_SECSIG_SHA1 MBEDTLS_OID_OIW_SECSIG_SHA1
+#define OID_ORGANIZATION MBEDTLS_OID_ORGANIZATION
+#define OID_ORG_ANSI_X9_62 MBEDTLS_OID_ORG_ANSI_X9_62
+#define OID_ORG_CERTICOM MBEDTLS_OID_ORG_CERTICOM
+#define OID_ORG_DOD MBEDTLS_OID_ORG_DOD
+#define OID_ORG_GOV MBEDTLS_OID_ORG_GOV
+#define OID_ORG_NETSCAPE MBEDTLS_OID_ORG_NETSCAPE
+#define OID_ORG_OIW MBEDTLS_OID_ORG_OIW
+#define OID_ORG_RSA_DATA_SECURITY MBEDTLS_OID_ORG_RSA_DATA_SECURITY
+#define OID_ORG_TELETRUST MBEDTLS_OID_ORG_TELETRUST
+#define OID_PKCS MBEDTLS_OID_PKCS
+#define OID_PKCS1 MBEDTLS_OID_PKCS1
+#define OID_PKCS12 MBEDTLS_OID_PKCS12
+#define OID_PKCS12_PBE MBEDTLS_OID_PKCS12_PBE
+#define OID_PKCS12_PBE_SHA1_DES2_EDE_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC
+#define OID_PKCS12_PBE_SHA1_DES3_EDE_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC
+#define OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC
+#define OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC
+#define OID_PKCS12_PBE_SHA1_RC4_128 MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128
+#define OID_PKCS12_PBE_SHA1_RC4_40 MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_40
+#define OID_PKCS1_MD2 MBEDTLS_OID_PKCS1_MD2
+#define OID_PKCS1_MD4 MBEDTLS_OID_PKCS1_MD4
+#define OID_PKCS1_MD5 MBEDTLS_OID_PKCS1_MD5
+#define OID_PKCS1_RSA MBEDTLS_OID_PKCS1_RSA
+#define OID_PKCS1_SHA1 MBEDTLS_OID_PKCS1_SHA1
+#define OID_PKCS1_SHA224 MBEDTLS_OID_PKCS1_SHA224
+#define OID_PKCS1_SHA256 MBEDTLS_OID_PKCS1_SHA256
+#define OID_PKCS1_SHA384 MBEDTLS_OID_PKCS1_SHA384
+#define OID_PKCS1_SHA512 MBEDTLS_OID_PKCS1_SHA512
+#define OID_PKCS5 MBEDTLS_OID_PKCS5
+#define OID_PKCS5_PBES2 MBEDTLS_OID_PKCS5_PBES2
+#define OID_PKCS5_PBE_MD2_DES_CBC MBEDTLS_OID_PKCS5_PBE_MD2_DES_CBC
+#define OID_PKCS5_PBE_MD2_RC2_CBC MBEDTLS_OID_PKCS5_PBE_MD2_RC2_CBC
+#define OID_PKCS5_PBE_MD5_DES_CBC MBEDTLS_OID_PKCS5_PBE_MD5_DES_CBC
+#define OID_PKCS5_PBE_MD5_RC2_CBC MBEDTLS_OID_PKCS5_PBE_MD5_RC2_CBC
+#define OID_PKCS5_PBE_SHA1_DES_CBC MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC
+#define OID_PKCS5_PBE_SHA1_RC2_CBC MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC
+#define OID_PKCS5_PBKDF2 MBEDTLS_OID_PKCS5_PBKDF2
+#define OID_PKCS5_PBMAC1 MBEDTLS_OID_PKCS5_PBMAC1
+#define OID_PKCS9 MBEDTLS_OID_PKCS9
+#define OID_PKCS9_CSR_EXT_REQ MBEDTLS_OID_PKCS9_CSR_EXT_REQ
+#define OID_PKCS9_EMAIL MBEDTLS_OID_PKCS9_EMAIL
+#define OID_PKIX MBEDTLS_OID_PKIX
+#define OID_POLICY_CONSTRAINTS MBEDTLS_OID_POLICY_CONSTRAINTS
+#define OID_POLICY_MAPPINGS MBEDTLS_OID_POLICY_MAPPINGS
+#define OID_PRIVATE_KEY_USAGE_PERIOD MBEDTLS_OID_PRIVATE_KEY_USAGE_PERIOD
+#define OID_RSASSA_PSS MBEDTLS_OID_RSASSA_PSS
+#define OID_RSA_COMPANY MBEDTLS_OID_RSA_COMPANY
+#define OID_RSA_SHA_OBS MBEDTLS_OID_RSA_SHA_OBS
+#define OID_SERVER_AUTH MBEDTLS_OID_SERVER_AUTH
+#define OID_SIZE MBEDTLS_OID_SIZE
+#define OID_SUBJECT_ALT_NAME MBEDTLS_OID_SUBJECT_ALT_NAME
+#define OID_SUBJECT_DIRECTORY_ATTRS MBEDTLS_OID_SUBJECT_DIRECTORY_ATTRS
+#define OID_SUBJECT_KEY_IDENTIFIER MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER
+#define OID_TELETRUST MBEDTLS_OID_TELETRUST
+#define OID_TIME_STAMPING MBEDTLS_OID_TIME_STAMPING
+#define PADLOCK_ACE MBEDTLS_PADLOCK_ACE
+#define PADLOCK_ALIGN16 MBEDTLS_PADLOCK_ALIGN16
+#define PADLOCK_PHE MBEDTLS_PADLOCK_PHE
+#define PADLOCK_PMM MBEDTLS_PADLOCK_PMM
+#define PADLOCK_RNG MBEDTLS_PADLOCK_RNG
+#define PKCS12_DERIVE_IV MBEDTLS_PKCS12_DERIVE_IV
+#define PKCS12_DERIVE_KEY MBEDTLS_PKCS12_DERIVE_KEY
+#define PKCS12_DERIVE_MAC_KEY MBEDTLS_PKCS12_DERIVE_MAC_KEY
+#define PKCS12_PBE_DECRYPT MBEDTLS_PKCS12_PBE_DECRYPT
+#define PKCS12_PBE_ENCRYPT MBEDTLS_PKCS12_PBE_ENCRYPT
+#define PKCS5_DECRYPT MBEDTLS_PKCS5_DECRYPT
+#define PKCS5_ENCRYPT MBEDTLS_PKCS5_ENCRYPT
+#define POLARSSL_AESNI_AES MBEDTLS_AESNI_AES
+#define POLARSSL_AESNI_CLMUL MBEDTLS_AESNI_CLMUL
+#define POLARSSL_AESNI_H MBEDTLS_AESNI_H
+#define POLARSSL_AES_H MBEDTLS_AES_H
+#define POLARSSL_ARC4_H MBEDTLS_ARC4_H
+#define POLARSSL_ASN1_H MBEDTLS_ASN1_H
+#define POLARSSL_ASN1_WRITE_H MBEDTLS_ASN1_WRITE_H
+#define POLARSSL_BASE64_H MBEDTLS_BASE64_H
+#define POLARSSL_BIGNUM_H MBEDTLS_BIGNUM_H
+#define POLARSSL_BLOWFISH_H MBEDTLS_BLOWFISH_H
+#define POLARSSL_BN_MUL_H MBEDTLS_BN_MUL_H
+#define POLARSSL_CAMELLIA_H MBEDTLS_CAMELLIA_H
+#define POLARSSL_CCM_H MBEDTLS_CCM_H
+#define POLARSSL_CERTS_H MBEDTLS_CERTS_H
+#define POLARSSL_CHECK_CONFIG_H MBEDTLS_CHECK_CONFIG_H
+#define POLARSSL_CIPHERSUITE_NODTLS MBEDTLS_CIPHERSUITE_NODTLS
+#define POLARSSL_CIPHERSUITE_SHORT_TAG MBEDTLS_CIPHERSUITE_SHORT_TAG
+#define POLARSSL_CIPHERSUITE_WEAK MBEDTLS_CIPHERSUITE_WEAK
+#define POLARSSL_CIPHER_AES_128_CBC MBEDTLS_CIPHER_AES_128_CBC
+#define POLARSSL_CIPHER_AES_128_CCM MBEDTLS_CIPHER_AES_128_CCM
+#define POLARSSL_CIPHER_AES_128_CFB128 MBEDTLS_CIPHER_AES_128_CFB128
+#define POLARSSL_CIPHER_AES_128_CTR MBEDTLS_CIPHER_AES_128_CTR
+#define POLARSSL_CIPHER_AES_128_ECB MBEDTLS_CIPHER_AES_128_ECB
+#define POLARSSL_CIPHER_AES_128_GCM MBEDTLS_CIPHER_AES_128_GCM
+#define POLARSSL_CIPHER_AES_192_CBC MBEDTLS_CIPHER_AES_192_CBC
+#define POLARSSL_CIPHER_AES_192_CCM MBEDTLS_CIPHER_AES_192_CCM
+#define POLARSSL_CIPHER_AES_192_CFB128 MBEDTLS_CIPHER_AES_192_CFB128
+#define POLARSSL_CIPHER_AES_192_CTR MBEDTLS_CIPHER_AES_192_CTR
+#define POLARSSL_CIPHER_AES_192_ECB MBEDTLS_CIPHER_AES_192_ECB
+#define POLARSSL_CIPHER_AES_192_GCM MBEDTLS_CIPHER_AES_192_GCM
+#define POLARSSL_CIPHER_AES_256_CBC MBEDTLS_CIPHER_AES_256_CBC
+#define POLARSSL_CIPHER_AES_256_CCM MBEDTLS_CIPHER_AES_256_CCM
+#define POLARSSL_CIPHER_AES_256_CFB128 MBEDTLS_CIPHER_AES_256_CFB128
+#define POLARSSL_CIPHER_AES_256_CTR MBEDTLS_CIPHER_AES_256_CTR
+#define POLARSSL_CIPHER_AES_256_ECB MBEDTLS_CIPHER_AES_256_ECB
+#define POLARSSL_CIPHER_AES_256_GCM MBEDTLS_CIPHER_AES_256_GCM
+#define POLARSSL_CIPHER_ARC4_128 MBEDTLS_CIPHER_ARC4_128
+#define POLARSSL_CIPHER_BLOWFISH_CBC MBEDTLS_CIPHER_BLOWFISH_CBC
+#define POLARSSL_CIPHER_BLOWFISH_CFB64 MBEDTLS_CIPHER_BLOWFISH_CFB64
+#define POLARSSL_CIPHER_BLOWFISH_CTR MBEDTLS_CIPHER_BLOWFISH_CTR
+#define POLARSSL_CIPHER_BLOWFISH_ECB MBEDTLS_CIPHER_BLOWFISH_ECB
+#define POLARSSL_CIPHER_CAMELLIA_128_CBC MBEDTLS_CIPHER_CAMELLIA_128_CBC
+#define POLARSSL_CIPHER_CAMELLIA_128_CCM MBEDTLS_CIPHER_CAMELLIA_128_CCM
+#define POLARSSL_CIPHER_CAMELLIA_128_CFB128 MBEDTLS_CIPHER_CAMELLIA_128_CFB128
+#define POLARSSL_CIPHER_CAMELLIA_128_CTR MBEDTLS_CIPHER_CAMELLIA_128_CTR
+#define POLARSSL_CIPHER_CAMELLIA_128_ECB MBEDTLS_CIPHER_CAMELLIA_128_ECB
+#define POLARSSL_CIPHER_CAMELLIA_128_GCM MBEDTLS_CIPHER_CAMELLIA_128_GCM
+#define POLARSSL_CIPHER_CAMELLIA_192_CBC MBEDTLS_CIPHER_CAMELLIA_192_CBC
+#define POLARSSL_CIPHER_CAMELLIA_192_CCM MBEDTLS_CIPHER_CAMELLIA_192_CCM
+#define POLARSSL_CIPHER_CAMELLIA_192_CFB128 MBEDTLS_CIPHER_CAMELLIA_192_CFB128
+#define POLARSSL_CIPHER_CAMELLIA_192_CTR MBEDTLS_CIPHER_CAMELLIA_192_CTR
+#define POLARSSL_CIPHER_CAMELLIA_192_ECB MBEDTLS_CIPHER_CAMELLIA_192_ECB
+#define POLARSSL_CIPHER_CAMELLIA_192_GCM MBEDTLS_CIPHER_CAMELLIA_192_GCM
+#define POLARSSL_CIPHER_CAMELLIA_256_CBC MBEDTLS_CIPHER_CAMELLIA_256_CBC
+#define POLARSSL_CIPHER_CAMELLIA_256_CCM MBEDTLS_CIPHER_CAMELLIA_256_CCM
+#define POLARSSL_CIPHER_CAMELLIA_256_CFB128 MBEDTLS_CIPHER_CAMELLIA_256_CFB128
+#define POLARSSL_CIPHER_CAMELLIA_256_CTR MBEDTLS_CIPHER_CAMELLIA_256_CTR
+#define POLARSSL_CIPHER_CAMELLIA_256_ECB MBEDTLS_CIPHER_CAMELLIA_256_ECB
+#define POLARSSL_CIPHER_CAMELLIA_256_GCM MBEDTLS_CIPHER_CAMELLIA_256_GCM
+#define POLARSSL_CIPHER_DES_CBC MBEDTLS_CIPHER_DES_CBC
+#define POLARSSL_CIPHER_DES_ECB MBEDTLS_CIPHER_DES_ECB
+#define POLARSSL_CIPHER_DES_EDE3_CBC MBEDTLS_CIPHER_DES_EDE3_CBC
+#define POLARSSL_CIPHER_DES_EDE3_ECB MBEDTLS_CIPHER_DES_EDE3_ECB
+#define POLARSSL_CIPHER_DES_EDE_CBC MBEDTLS_CIPHER_DES_EDE_CBC
+#define POLARSSL_CIPHER_DES_EDE_ECB MBEDTLS_CIPHER_DES_EDE_ECB
+#define POLARSSL_CIPHER_H MBEDTLS_CIPHER_H
+#define POLARSSL_CIPHER_ID_3DES MBEDTLS_CIPHER_ID_3DES
+#define POLARSSL_CIPHER_ID_AES MBEDTLS_CIPHER_ID_AES
+#define POLARSSL_CIPHER_ID_ARC4 MBEDTLS_CIPHER_ID_ARC4
+#define POLARSSL_CIPHER_ID_BLOWFISH MBEDTLS_CIPHER_ID_BLOWFISH
+#define POLARSSL_CIPHER_ID_CAMELLIA MBEDTLS_CIPHER_ID_CAMELLIA
+#define POLARSSL_CIPHER_ID_DES MBEDTLS_CIPHER_ID_DES
+#define POLARSSL_CIPHER_ID_NONE MBEDTLS_CIPHER_ID_NONE
+#define POLARSSL_CIPHER_ID_NULL MBEDTLS_CIPHER_ID_NULL
+#define POLARSSL_CIPHER_MODE_AEAD MBEDTLS_CIPHER_MODE_AEAD
+#define POLARSSL_CIPHER_MODE_STREAM MBEDTLS_CIPHER_MODE_STREAM
+#define POLARSSL_CIPHER_MODE_WITH_PADDING MBEDTLS_CIPHER_MODE_WITH_PADDING
+#define POLARSSL_CIPHER_NONE MBEDTLS_CIPHER_NONE
+#define POLARSSL_CIPHER_NULL MBEDTLS_CIPHER_NULL
+#define POLARSSL_CIPHER_VARIABLE_IV_LEN MBEDTLS_CIPHER_VARIABLE_IV_LEN
+#define POLARSSL_CIPHER_VARIABLE_KEY_LEN MBEDTLS_CIPHER_VARIABLE_KEY_LEN
+#define POLARSSL_CIPHER_WRAP_H MBEDTLS_CIPHER_WRAP_H
+#define POLARSSL_CONFIG_H MBEDTLS_CONFIG_H
+#define POLARSSL_CTR_DRBG_H MBEDTLS_CTR_DRBG_H
+#define POLARSSL_DEBUG_H MBEDTLS_DEBUG_H
+#define POLARSSL_DECRYPT MBEDTLS_DECRYPT
+#define POLARSSL_DES_H MBEDTLS_DES_H
+#define POLARSSL_DHM_H MBEDTLS_DHM_H
+#define POLARSSL_DHM_RFC3526_MODP_2048_G MBEDTLS_DHM_RFC3526_MODP_2048_G
+#define POLARSSL_DHM_RFC3526_MODP_2048_P MBEDTLS_DHM_RFC3526_MODP_2048_P
+#define POLARSSL_DHM_RFC3526_MODP_3072_G MBEDTLS_DHM_RFC3526_MODP_3072_G
+#define POLARSSL_DHM_RFC3526_MODP_3072_P MBEDTLS_DHM_RFC3526_MODP_3072_P
+#define POLARSSL_DHM_RFC5114_MODP_2048_G MBEDTLS_DHM_RFC5114_MODP_2048_G
+#define POLARSSL_DHM_RFC5114_MODP_2048_P MBEDTLS_DHM_RFC5114_MODP_2048_P
+#define POLARSSL_ECDH_H MBEDTLS_ECDH_H
+#define POLARSSL_ECDH_OURS MBEDTLS_ECDH_OURS
+#define POLARSSL_ECDH_THEIRS MBEDTLS_ECDH_THEIRS
+#define POLARSSL_ECDSA_H MBEDTLS_ECDSA_H
+#define POLARSSL_ECP_DP_BP256R1 MBEDTLS_ECP_DP_BP256R1
+#define POLARSSL_ECP_DP_BP384R1 MBEDTLS_ECP_DP_BP384R1
+#define POLARSSL_ECP_DP_BP512R1 MBEDTLS_ECP_DP_BP512R1
+#define POLARSSL_ECP_DP_M255 MBEDTLS_ECP_DP_CURVE25519
+#define POLARSSL_ECP_DP_MAX MBEDTLS_ECP_DP_MAX
+#define POLARSSL_ECP_DP_NONE MBEDTLS_ECP_DP_NONE
+#define POLARSSL_ECP_DP_SECP192K1 MBEDTLS_ECP_DP_SECP192K1
+#define POLARSSL_ECP_DP_SECP192R1 MBEDTLS_ECP_DP_SECP192R1
+#define POLARSSL_ECP_DP_SECP224K1 MBEDTLS_ECP_DP_SECP224K1
+#define POLARSSL_ECP_DP_SECP224R1 MBEDTLS_ECP_DP_SECP224R1
+#define POLARSSL_ECP_DP_SECP256K1 MBEDTLS_ECP_DP_SECP256K1
+#define POLARSSL_ECP_DP_SECP256R1 MBEDTLS_ECP_DP_SECP256R1
+#define POLARSSL_ECP_DP_SECP384R1 MBEDTLS_ECP_DP_SECP384R1
+#define POLARSSL_ECP_DP_SECP521R1 MBEDTLS_ECP_DP_SECP521R1
+#define POLARSSL_ECP_H MBEDTLS_ECP_H
+#define POLARSSL_ECP_MAX_BYTES MBEDTLS_ECP_MAX_BYTES
+#define POLARSSL_ECP_MAX_PT_LEN MBEDTLS_ECP_MAX_PT_LEN
+#define POLARSSL_ECP_PF_COMPRESSED MBEDTLS_ECP_PF_COMPRESSED
+#define POLARSSL_ECP_PF_UNCOMPRESSED MBEDTLS_ECP_PF_UNCOMPRESSED
+#define POLARSSL_ECP_TLS_NAMED_CURVE MBEDTLS_ECP_TLS_NAMED_CURVE
+#define POLARSSL_ENCRYPT MBEDTLS_ENCRYPT
+#define POLARSSL_ENTROPY_H MBEDTLS_ENTROPY_H
+#define POLARSSL_ENTROPY_POLL_H MBEDTLS_ENTROPY_POLL_H
+#define POLARSSL_ENTROPY_SHA256_ACCUMULATOR MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
+#define POLARSSL_ENTROPY_SHA512_ACCUMULATOR MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
+#define POLARSSL_ERROR_H MBEDTLS_ERROR_H
+#define POLARSSL_ERR_AES_INVALID_INPUT_LENGTH MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_AES_INVALID_KEY_LENGTH MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+#define POLARSSL_ERR_ASN1_BUF_TOO_SMALL MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+#define POLARSSL_ERR_ASN1_INVALID_DATA MBEDTLS_ERR_ASN1_INVALID_DATA
+#define POLARSSL_ERR_ASN1_INVALID_LENGTH MBEDTLS_ERR_ASN1_INVALID_LENGTH
+#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+#define POLARSSL_ERR_ASN1_MALLOC_FAILED MBEDTLS_ERR_ASN1_ALLOC_FAILED
+#define POLARSSL_ERR_ASN1_OUT_OF_DATA MBEDTLS_ERR_ASN1_OUT_OF_DATA
+#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+#define POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_BASE64_INVALID_CHARACTER MBEDTLS_ERR_BASE64_INVALID_CHARACTER
+#define POLARSSL_ERR_BLOWFISH_INVALID_INPUT_LENGTH MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_BLOWFISH_INVALID_KEY_LENGTH MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
+#define POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+#define POLARSSL_ERR_CCM_AUTH_FAILED MBEDTLS_ERR_CCM_AUTH_FAILED
+#define POLARSSL_ERR_CCM_BAD_INPUT MBEDTLS_ERR_CCM_BAD_INPUT
+#define POLARSSL_ERR_CIPHER_ALLOC_FAILED MBEDTLS_ERR_CIPHER_ALLOC_FAILED
+#define POLARSSL_ERR_CIPHER_AUTH_FAILED MBEDTLS_ERR_CIPHER_AUTH_FAILED
+#define POLARSSL_ERR_CIPHER_BAD_INPUT_DATA MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+#define POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED
+#define POLARSSL_ERR_CIPHER_INVALID_PADDING MBEDTLS_ERR_CIPHER_INVALID_PADDING
+#define POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
+#define POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR
+#define POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG
+#define POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG
+#define POLARSSL_ERR_DES_INVALID_INPUT_LENGTH MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_DHM_BAD_INPUT_DATA MBEDTLS_ERR_DHM_BAD_INPUT_DATA
+#define POLARSSL_ERR_DHM_CALC_SECRET_FAILED MBEDTLS_ERR_DHM_CALC_SECRET_FAILED
+#define POLARSSL_ERR_DHM_FILE_IO_ERROR MBEDTLS_ERR_DHM_FILE_IO_ERROR
+#define POLARSSL_ERR_DHM_INVALID_FORMAT MBEDTLS_ERR_DHM_INVALID_FORMAT
+#define POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED
+#define POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED
+#define POLARSSL_ERR_DHM_MALLOC_FAILED MBEDTLS_ERR_DHM_ALLOC_FAILED
+#define POLARSSL_ERR_DHM_READ_PARAMS_FAILED MBEDTLS_ERR_DHM_READ_PARAMS_FAILED
+#define POLARSSL_ERR_DHM_READ_PUBLIC_FAILED MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED
+#define POLARSSL_ERR_ECP_BAD_INPUT_DATA MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+#define POLARSSL_ERR_ECP_BUFFER_TOO_SMALL MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_ECP_INVALID_KEY MBEDTLS_ERR_ECP_INVALID_KEY
+#define POLARSSL_ERR_ECP_MALLOC_FAILED MBEDTLS_ERR_ECP_ALLOC_FAILED
+#define POLARSSL_ERR_ECP_RANDOM_FAILED MBEDTLS_ERR_ECP_RANDOM_FAILED
+#define POLARSSL_ERR_ECP_SIG_LEN_MISMATCH MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH
+#define POLARSSL_ERR_ECP_VERIFY_FAILED MBEDTLS_ERR_ECP_VERIFY_FAILED
+#define POLARSSL_ERR_ENTROPY_FILE_IO_ERROR MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR
+#define POLARSSL_ERR_ENTROPY_MAX_SOURCES MBEDTLS_ERR_ENTROPY_MAX_SOURCES
+#define POLARSSL_ERR_ENTROPY_NO_SOURCES_DEFINED MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED
+#define POLARSSL_ERR_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+#define POLARSSL_ERR_GCM_AUTH_FAILED MBEDTLS_ERR_GCM_AUTH_FAILED
+#define POLARSSL_ERR_GCM_BAD_INPUT MBEDTLS_ERR_GCM_BAD_INPUT
+#define POLARSSL_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+#define POLARSSL_ERR_HMAC_DRBG_FILE_IO_ERROR MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
+#define POLARSSL_ERR_HMAC_DRBG_INPUT_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG
+#define POLARSSL_ERR_HMAC_DRBG_REQUEST_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG
+#define POLARSSL_ERR_MD_ALLOC_FAILED MBEDTLS_ERR_MD_ALLOC_FAILED
+#define POLARSSL_ERR_MD_BAD_INPUT_DATA MBEDTLS_ERR_MD_BAD_INPUT_DATA
+#define POLARSSL_ERR_MD_FEATURE_UNAVAILABLE MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_MD_FILE_IO_ERROR MBEDTLS_ERR_MD_FILE_IO_ERROR
+#define POLARSSL_ERR_MPI_BAD_INPUT_DATA MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+#define POLARSSL_ERR_MPI_BUFFER_TOO_SMALL MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_MPI_DIVISION_BY_ZERO MBEDTLS_ERR_MPI_DIVISION_BY_ZERO
+#define POLARSSL_ERR_MPI_FILE_IO_ERROR MBEDTLS_ERR_MPI_FILE_IO_ERROR
+#define POLARSSL_ERR_MPI_INVALID_CHARACTER MBEDTLS_ERR_MPI_INVALID_CHARACTER
+#define POLARSSL_ERR_MPI_MALLOC_FAILED MBEDTLS_ERR_MPI_ALLOC_FAILED
+#define POLARSSL_ERR_MPI_NEGATIVE_VALUE MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+#define POLARSSL_ERR_MPI_NOT_ACCEPTABLE MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
+#define POLARSSL_ERR_NET_ACCEPT_FAILED MBEDTLS_ERR_NET_ACCEPT_FAILED
+#define POLARSSL_ERR_NET_BIND_FAILED MBEDTLS_ERR_NET_BIND_FAILED
+#define POLARSSL_ERR_NET_CONNECT_FAILED MBEDTLS_ERR_NET_CONNECT_FAILED
+#define POLARSSL_ERR_NET_CONN_RESET MBEDTLS_ERR_NET_CONN_RESET
+#define POLARSSL_ERR_NET_LISTEN_FAILED MBEDTLS_ERR_NET_LISTEN_FAILED
+#define POLARSSL_ERR_NET_RECV_FAILED MBEDTLS_ERR_NET_RECV_FAILED
+#define POLARSSL_ERR_NET_SEND_FAILED MBEDTLS_ERR_NET_SEND_FAILED
+#define POLARSSL_ERR_NET_SOCKET_FAILED MBEDTLS_ERR_NET_SOCKET_FAILED
+#define POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_SSL_TIMEOUT
+#define POLARSSL_ERR_NET_UNKNOWN_HOST MBEDTLS_ERR_NET_UNKNOWN_HOST
+#define POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_SSL_WANT_READ
+#define POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_SSL_WANT_WRITE
+#define POLARSSL_ERR_OID_BUF_TOO_SMALL MBEDTLS_ERR_OID_BUF_TOO_SMALL
+#define POLARSSL_ERR_OID_NOT_FOUND MBEDTLS_ERR_OID_NOT_FOUND
+#define POLARSSL_ERR_PADLOCK_DATA_MISALIGNED MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED
+#define POLARSSL_ERR_PEM_BAD_INPUT_DATA MBEDTLS_ERR_PEM_BAD_INPUT_DATA
+#define POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PEM_INVALID_DATA MBEDTLS_ERR_PEM_INVALID_DATA
+#define POLARSSL_ERR_PEM_INVALID_ENC_IV MBEDTLS_ERR_PEM_INVALID_ENC_IV
+#define POLARSSL_ERR_PEM_MALLOC_FAILED MBEDTLS_ERR_PEM_ALLOC_FAILED
+#define POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
+#define POLARSSL_ERR_PEM_PASSWORD_MISMATCH MBEDTLS_ERR_PEM_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PEM_PASSWORD_REQUIRED MBEDTLS_ERR_PEM_PASSWORD_REQUIRED
+#define POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG
+#define POLARSSL_ERR_PKCS12_BAD_INPUT_DATA MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA
+#define POLARSSL_ERR_PKCS12_FEATURE_UNAVAILABLE MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PKCS12_PBE_INVALID_FORMAT MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT
+#define POLARSSL_ERR_PKCS5_BAD_INPUT_DATA MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA
+#define POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PKCS5_INVALID_FORMAT MBEDTLS_ERR_PKCS5_INVALID_FORMAT
+#define POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PK_BAD_INPUT_DATA MBEDTLS_ERR_PK_BAD_INPUT_DATA
+#define POLARSSL_ERR_PK_FEATURE_UNAVAILABLE MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PK_FILE_IO_ERROR MBEDTLS_ERR_PK_FILE_IO_ERROR
+#define POLARSSL_ERR_PK_INVALID_ALG MBEDTLS_ERR_PK_INVALID_ALG
+#define POLARSSL_ERR_PK_INVALID_PUBKEY MBEDTLS_ERR_PK_INVALID_PUBKEY
+#define POLARSSL_ERR_PK_KEY_INVALID_FORMAT MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+#define POLARSSL_ERR_PK_KEY_INVALID_VERSION MBEDTLS_ERR_PK_KEY_INVALID_VERSION
+#define POLARSSL_ERR_PK_MALLOC_FAILED MBEDTLS_ERR_PK_ALLOC_FAILED
+#define POLARSSL_ERR_PK_PASSWORD_MISMATCH MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PK_PASSWORD_REQUIRED MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+#define POLARSSL_ERR_PK_SIG_LEN_MISMATCH MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
+#define POLARSSL_ERR_PK_TYPE_MISMATCH MBEDTLS_ERR_PK_TYPE_MISMATCH
+#define POLARSSL_ERR_PK_UNKNOWN_NAMED_CURVE MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE
+#define POLARSSL_ERR_PK_UNKNOWN_PK_ALG MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
+#define POLARSSL_ERR_RSA_BAD_INPUT_DATA MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+#define POLARSSL_ERR_RSA_INVALID_PADDING MBEDTLS_ERR_RSA_INVALID_PADDING
+#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
+#define POLARSSL_ERR_RSA_KEY_GEN_FAILED MBEDTLS_ERR_RSA_KEY_GEN_FAILED
+#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
+#define POLARSSL_ERR_RSA_PRIVATE_FAILED MBEDTLS_ERR_RSA_PRIVATE_FAILED
+#define POLARSSL_ERR_RSA_PUBLIC_FAILED MBEDTLS_ERR_RSA_PUBLIC_FAILED
+#define POLARSSL_ERR_RSA_RNG_FAILED MBEDTLS_ERR_RSA_RNG_FAILED
+#define POLARSSL_ERR_RSA_VERIFY_FAILED MBEDTLS_ERR_RSA_VERIFY_FAILED
+#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
+#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
+#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
+#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
+#define POLARSSL_ERR_SSL_BAD_HS_FINISHED MBEDTLS_ERR_SSL_BAD_HS_FINISHED
+#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
+#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
+#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO
+#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
+#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
+#define POLARSSL_ERR_SSL_BAD_INPUT_DATA MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+#define POLARSSL_ERR_SSL_BUFFER_TOO_SMALL MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED
+#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
+#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE
+#define POLARSSL_ERR_SSL_COMPRESSION_FAILED MBEDTLS_ERR_SSL_COMPRESSION_FAILED
+#define POLARSSL_ERR_SSL_CONN_EOF MBEDTLS_ERR_SSL_CONN_EOF
+#define POLARSSL_ERR_SSL_COUNTER_WRAPPING MBEDTLS_ERR_SSL_COUNTER_WRAPPING
+#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE
+#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_SSL_HELLO_VERIFY_REQUIRED MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
+#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
+#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH
+#define POLARSSL_ERR_SSL_INTERNAL_ERROR MBEDTLS_ERR_SSL_INTERNAL_ERROR
+#define POLARSSL_ERR_SSL_INVALID_MAC MBEDTLS_ERR_SSL_INVALID_MAC
+#define POLARSSL_ERR_SSL_INVALID_RECORD MBEDTLS_ERR_SSL_INVALID_RECORD
+#define POLARSSL_ERR_SSL_MALLOC_FAILED MBEDTLS_ERR_SSL_ALLOC_FAILED
+#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
+#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE
+#define POLARSSL_ERR_SSL_NO_RNG MBEDTLS_ERR_SSL_NO_RNG
+#define POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
+#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY
+#define POLARSSL_ERR_SSL_PEER_VERIFY_FAILED MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED
+#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH
+#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
+#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED
+#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+#define POLARSSL_ERR_SSL_UNKNOWN_CIPHER MBEDTLS_ERR_SSL_UNKNOWN_CIPHER
+#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
+#define POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
+#define POLARSSL_ERR_THREADING_BAD_INPUT_DATA MBEDTLS_ERR_THREADING_BAD_INPUT_DATA
+#define POLARSSL_ERR_THREADING_FEATURE_UNAVAILABLE MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_THREADING_MUTEX_ERROR MBEDTLS_ERR_THREADING_MUTEX_ERROR
+#define POLARSSL_ERR_X509_BAD_INPUT_DATA MBEDTLS_ERR_X509_BAD_INPUT_DATA
+#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT
+#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
+#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_X509_FILE_IO_ERROR MBEDTLS_ERR_X509_FILE_IO_ERROR
+#define POLARSSL_ERR_X509_INVALID_ALG MBEDTLS_ERR_X509_INVALID_ALG
+#define POLARSSL_ERR_X509_INVALID_DATE MBEDTLS_ERR_X509_INVALID_DATE
+#define POLARSSL_ERR_X509_INVALID_EXTENSIONS MBEDTLS_ERR_X509_INVALID_EXTENSIONS
+#define POLARSSL_ERR_X509_INVALID_FORMAT MBEDTLS_ERR_X509_INVALID_FORMAT
+#define POLARSSL_ERR_X509_INVALID_NAME MBEDTLS_ERR_X509_INVALID_NAME
+#define POLARSSL_ERR_X509_INVALID_SERIAL MBEDTLS_ERR_X509_INVALID_SERIAL
+#define POLARSSL_ERR_X509_INVALID_SIGNATURE MBEDTLS_ERR_X509_INVALID_SIGNATURE
+#define POLARSSL_ERR_X509_INVALID_VERSION MBEDTLS_ERR_X509_INVALID_VERSION
+#define POLARSSL_ERR_X509_MALLOC_FAILED MBEDTLS_ERR_X509_ALLOC_FAILED
+#define POLARSSL_ERR_X509_SIG_MISMATCH MBEDTLS_ERR_X509_SIG_MISMATCH
+#define POLARSSL_ERR_X509_UNKNOWN_OID MBEDTLS_ERR_X509_UNKNOWN_OID
+#define POLARSSL_ERR_X509_UNKNOWN_SIG_ALG MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
+#define POLARSSL_ERR_X509_UNKNOWN_VERSION MBEDTLS_ERR_X509_UNKNOWN_VERSION
+#define POLARSSL_ERR_XTEA_INVALID_INPUT_LENGTH MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH
+#define POLARSSL_GCM_H MBEDTLS_GCM_H
+#define POLARSSL_HAVEGE_H MBEDTLS_HAVEGE_H
+#define POLARSSL_HAVE_INT32 MBEDTLS_HAVE_INT32
+#define POLARSSL_HAVE_INT64 MBEDTLS_HAVE_INT64
+#define POLARSSL_HAVE_UDBL MBEDTLS_HAVE_UDBL
+#define POLARSSL_HAVE_X86 MBEDTLS_HAVE_X86
+#define POLARSSL_HAVE_X86_64 MBEDTLS_HAVE_X86_64
+#define POLARSSL_HMAC_DRBG_H MBEDTLS_HMAC_DRBG_H
+#define POLARSSL_HMAC_DRBG_PR_OFF MBEDTLS_HMAC_DRBG_PR_OFF
+#define POLARSSL_HMAC_DRBG_PR_ON MBEDTLS_HMAC_DRBG_PR_ON
+#define POLARSSL_KEY_EXCHANGE_DHE_PSK MBEDTLS_KEY_EXCHANGE_DHE_PSK
+#define POLARSSL_KEY_EXCHANGE_DHE_RSA MBEDTLS_KEY_EXCHANGE_DHE_RSA
+#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+#define POLARSSL_KEY_EXCHANGE_ECDHE_PSK MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
+#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
+#define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
+#define POLARSSL_KEY_EXCHANGE_ECDH_RSA MBEDTLS_KEY_EXCHANGE_ECDH_RSA
+#define POLARSSL_KEY_EXCHANGE_NONE MBEDTLS_KEY_EXCHANGE_NONE
+#define POLARSSL_KEY_EXCHANGE_PSK MBEDTLS_KEY_EXCHANGE_PSK
+#define POLARSSL_KEY_EXCHANGE_RSA MBEDTLS_KEY_EXCHANGE_RSA
+#define POLARSSL_KEY_EXCHANGE_RSA_PSK MBEDTLS_KEY_EXCHANGE_RSA_PSK
+#define POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
+#define POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED
+#define POLARSSL_KEY_LENGTH_DES MBEDTLS_KEY_LENGTH_DES
+#define POLARSSL_KEY_LENGTH_DES_EDE MBEDTLS_KEY_LENGTH_DES_EDE
+#define POLARSSL_KEY_LENGTH_DES_EDE3 MBEDTLS_KEY_LENGTH_DES_EDE3
+#define POLARSSL_KEY_LENGTH_NONE MBEDTLS_KEY_LENGTH_NONE
+#define POLARSSL_MAX_BLOCK_LENGTH MBEDTLS_MAX_BLOCK_LENGTH
+#define POLARSSL_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH
+#define POLARSSL_MD2_H MBEDTLS_MD2_H
+#define POLARSSL_MD4_H MBEDTLS_MD4_H
+#define POLARSSL_MD5_H MBEDTLS_MD5_H
+#define POLARSSL_MD_H MBEDTLS_MD_H
+#define POLARSSL_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE
+#define POLARSSL_MD_MD2 MBEDTLS_MD_MD2
+#define POLARSSL_MD_MD4 MBEDTLS_MD_MD4
+#define POLARSSL_MD_MD5 MBEDTLS_MD_MD5
+#define POLARSSL_MD_NONE MBEDTLS_MD_NONE
+#define POLARSSL_MD_RIPEMD160 MBEDTLS_MD_RIPEMD160
+#define POLARSSL_MD_SHA1 MBEDTLS_MD_SHA1
+#define POLARSSL_MD_SHA224 MBEDTLS_MD_SHA224
+#define POLARSSL_MD_SHA256 MBEDTLS_MD_SHA256
+#define POLARSSL_MD_SHA384 MBEDTLS_MD_SHA384
+#define POLARSSL_MD_SHA512 MBEDTLS_MD_SHA512
+#define POLARSSL_MD_WRAP_H MBEDTLS_MD_WRAP_H
+#define POLARSSL_MEMORY_BUFFER_ALLOC_H MBEDTLS_MEMORY_BUFFER_ALLOC_H
+#define POLARSSL_MODE_CBC MBEDTLS_MODE_CBC
+#define POLARSSL_MODE_CCM MBEDTLS_MODE_CCM
+#define POLARSSL_MODE_CFB MBEDTLS_MODE_CFB
+#define POLARSSL_MODE_CTR MBEDTLS_MODE_CTR
+#define POLARSSL_MODE_ECB MBEDTLS_MODE_ECB
+#define POLARSSL_MODE_GCM MBEDTLS_MODE_GCM
+#define POLARSSL_MODE_NONE MBEDTLS_MODE_NONE
+#define POLARSSL_MODE_OFB MBEDTLS_MODE_OFB
+#define POLARSSL_MODE_STREAM MBEDTLS_MODE_STREAM
+#define POLARSSL_MPI_MAX_BITS MBEDTLS_MPI_MAX_BITS
+#define POLARSSL_MPI_MAX_BITS_SCALE100 MBEDTLS_MPI_MAX_BITS_SCALE100
+#define POLARSSL_MPI_MAX_LIMBS MBEDTLS_MPI_MAX_LIMBS
+#define POLARSSL_MPI_RW_BUFFER_SIZE MBEDTLS_MPI_RW_BUFFER_SIZE
+#define POLARSSL_NET_H MBEDTLS_NET_SOCKETS_H
+#define POLARSSL_NET_LISTEN_BACKLOG MBEDTLS_NET_LISTEN_BACKLOG
+#define POLARSSL_OID_H MBEDTLS_OID_H
+#define POLARSSL_OPERATION_NONE MBEDTLS_OPERATION_NONE
+#define POLARSSL_PADDING_NONE MBEDTLS_PADDING_NONE
+#define POLARSSL_PADDING_ONE_AND_ZEROS MBEDTLS_PADDING_ONE_AND_ZEROS
+#define POLARSSL_PADDING_PKCS7 MBEDTLS_PADDING_PKCS7
+#define POLARSSL_PADDING_ZEROS MBEDTLS_PADDING_ZEROS
+#define POLARSSL_PADDING_ZEROS_AND_LEN MBEDTLS_PADDING_ZEROS_AND_LEN
+#define POLARSSL_PADLOCK_H MBEDTLS_PADLOCK_H
+#define POLARSSL_PEM_H MBEDTLS_PEM_H
+#define POLARSSL_PKCS11_H MBEDTLS_PKCS11_H
+#define POLARSSL_PKCS12_H MBEDTLS_PKCS12_H
+#define POLARSSL_PKCS5_H MBEDTLS_PKCS5_H
+#define POLARSSL_PK_DEBUG_ECP MBEDTLS_PK_DEBUG_ECP
+#define POLARSSL_PK_DEBUG_MAX_ITEMS MBEDTLS_PK_DEBUG_MAX_ITEMS
+#define POLARSSL_PK_DEBUG_MPI MBEDTLS_PK_DEBUG_MPI
+#define POLARSSL_PK_DEBUG_NONE MBEDTLS_PK_DEBUG_NONE
+#define POLARSSL_PK_ECDSA MBEDTLS_PK_ECDSA
+#define POLARSSL_PK_ECKEY MBEDTLS_PK_ECKEY
+#define POLARSSL_PK_ECKEY_DH MBEDTLS_PK_ECKEY_DH
+#define POLARSSL_PK_H MBEDTLS_PK_H
+#define POLARSSL_PK_NONE MBEDTLS_PK_NONE
+#define POLARSSL_PK_RSA MBEDTLS_PK_RSA
+#define POLARSSL_PK_RSASSA_PSS MBEDTLS_PK_RSASSA_PSS
+#define POLARSSL_PK_RSA_ALT MBEDTLS_PK_RSA_ALT
+#define POLARSSL_PK_WRAP_H MBEDTLS_PK_WRAP_H
+#define POLARSSL_PLATFORM_H MBEDTLS_PLATFORM_H
+#define POLARSSL_PREMASTER_SIZE MBEDTLS_PREMASTER_SIZE
+#define POLARSSL_RIPEMD160_H MBEDTLS_RIPEMD160_H
+#define POLARSSL_RSA_H MBEDTLS_RSA_H
+#define POLARSSL_SHA1_H MBEDTLS_SHA1_H
+#define POLARSSL_SHA256_H MBEDTLS_SHA256_H
+#define POLARSSL_SHA512_H MBEDTLS_SHA512_H
+#define POLARSSL_SSL_CACHE_H MBEDTLS_SSL_CACHE_H
+#define POLARSSL_SSL_CIPHERSUITES_H MBEDTLS_SSL_CIPHERSUITES_H
+#define POLARSSL_SSL_COOKIE_H MBEDTLS_SSL_COOKIE_H
+#define POLARSSL_SSL_H MBEDTLS_SSL_H
+#define POLARSSL_THREADING_H MBEDTLS_THREADING_H
+#define POLARSSL_THREADING_IMPL MBEDTLS_THREADING_IMPL
+#define POLARSSL_TIMING_H MBEDTLS_TIMING_H
+#define POLARSSL_VERSION_H MBEDTLS_VERSION_H
+#define POLARSSL_VERSION_MAJOR MBEDTLS_VERSION_MAJOR
+#define POLARSSL_VERSION_MINOR MBEDTLS_VERSION_MINOR
+#define POLARSSL_VERSION_NUMBER MBEDTLS_VERSION_NUMBER
+#define POLARSSL_VERSION_PATCH MBEDTLS_VERSION_PATCH
+#define POLARSSL_VERSION_STRING MBEDTLS_VERSION_STRING
+#define POLARSSL_VERSION_STRING_FULL MBEDTLS_VERSION_STRING_FULL
+#define POLARSSL_X509_CRL_H MBEDTLS_X509_CRL_H
+#define POLARSSL_X509_CRT_H MBEDTLS_X509_CRT_H
+#define POLARSSL_X509_CSR_H MBEDTLS_X509_CSR_H
+#define POLARSSL_X509_H MBEDTLS_X509_H
+#define POLARSSL_XTEA_H MBEDTLS_XTEA_H
+#define RSA_CRYPT MBEDTLS_RSA_CRYPT
+#define RSA_PKCS_V15 MBEDTLS_RSA_PKCS_V15
+#define RSA_PKCS_V21 MBEDTLS_RSA_PKCS_V21
+#define RSA_PRIVATE MBEDTLS_RSA_PRIVATE
+#define RSA_PUBLIC MBEDTLS_RSA_PUBLIC
+#define RSA_SALT_LEN_ANY MBEDTLS_RSA_SALT_LEN_ANY
+#define RSA_SIGN MBEDTLS_RSA_SIGN
+#define SSL_ALERT_LEVEL_FATAL MBEDTLS_SSL_ALERT_LEVEL_FATAL
+#define SSL_ALERT_LEVEL_WARNING MBEDTLS_SSL_ALERT_LEVEL_WARNING
+#define SSL_ALERT_MSG_ACCESS_DENIED MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED
+#define SSL_ALERT_MSG_BAD_CERT MBEDTLS_SSL_ALERT_MSG_BAD_CERT
+#define SSL_ALERT_MSG_BAD_RECORD_MAC MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC
+#define SSL_ALERT_MSG_CERT_EXPIRED MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED
+#define SSL_ALERT_MSG_CERT_REVOKED MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED
+#define SSL_ALERT_MSG_CERT_UNKNOWN MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN
+#define SSL_ALERT_MSG_CLOSE_NOTIFY MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY
+#define SSL_ALERT_MSG_DECODE_ERROR MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
+#define SSL_ALERT_MSG_DECOMPRESSION_FAILURE MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE
+#define SSL_ALERT_MSG_DECRYPTION_FAILED MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED
+#define SSL_ALERT_MSG_DECRYPT_ERROR MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR
+#define SSL_ALERT_MSG_EXPORT_RESTRICTION MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION
+#define SSL_ALERT_MSG_HANDSHAKE_FAILURE MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
+#define SSL_ALERT_MSG_ILLEGAL_PARAMETER MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER
+#define SSL_ALERT_MSG_INAPROPRIATE_FALLBACK MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK
+#define SSL_ALERT_MSG_INSUFFICIENT_SECURITY MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY
+#define SSL_ALERT_MSG_INTERNAL_ERROR MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR
+#define SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL
+#define SSL_ALERT_MSG_NO_CERT MBEDTLS_SSL_ALERT_MSG_NO_CERT
+#define SSL_ALERT_MSG_NO_RENEGOTIATION MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION
+#define SSL_ALERT_MSG_PROTOCOL_VERSION MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
+#define SSL_ALERT_MSG_RECORD_OVERFLOW MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW
+#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE
+#define SSL_ALERT_MSG_UNKNOWN_CA MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
+#define SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
+#define SSL_ALERT_MSG_UNRECOGNIZED_NAME MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME
+#define SSL_ALERT_MSG_UNSUPPORTED_CERT MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
+#define SSL_ALERT_MSG_UNSUPPORTED_EXT MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT
+#define SSL_ALERT_MSG_USER_CANCELED MBEDTLS_SSL_ALERT_MSG_USER_CANCELED
+#define SSL_ANTI_REPLAY_DISABLED MBEDTLS_SSL_ANTI_REPLAY_DISABLED
+#define SSL_ANTI_REPLAY_ENABLED MBEDTLS_SSL_ANTI_REPLAY_ENABLED
+#define SSL_ARC4_DISABLED MBEDTLS_SSL_ARC4_DISABLED
+#define SSL_ARC4_ENABLED MBEDTLS_SSL_ARC4_ENABLED
+#define SSL_BUFFER_LEN MBEDTLS_SSL_BUFFER_LEN
+#define SSL_CACHE_DEFAULT_MAX_ENTRIES MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
+#define SSL_CACHE_DEFAULT_TIMEOUT MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
+#define SSL_CBC_RECORD_SPLITTING_DISABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
+#define SSL_CBC_RECORD_SPLITTING_ENABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
+#define SSL_CERTIFICATE_REQUEST MBEDTLS_SSL_CERTIFICATE_REQUEST
+#define SSL_CERTIFICATE_VERIFY MBEDTLS_SSL_CERTIFICATE_VERIFY
+#define SSL_CERT_TYPE_ECDSA_SIGN MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN
+#define SSL_CERT_TYPE_RSA_SIGN MBEDTLS_SSL_CERT_TYPE_RSA_SIGN
+#define SSL_CHANNEL_INBOUND MBEDTLS_SSL_CHANNEL_INBOUND
+#define SSL_CHANNEL_OUTBOUND MBEDTLS_SSL_CHANNEL_OUTBOUND
+#define SSL_CIPHERSUITES MBEDTLS_SSL_CIPHERSUITES
+#define SSL_CLIENT_CERTIFICATE MBEDTLS_SSL_CLIENT_CERTIFICATE
+#define SSL_CLIENT_CHANGE_CIPHER_SPEC MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
+#define SSL_CLIENT_FINISHED MBEDTLS_SSL_CLIENT_FINISHED
+#define SSL_CLIENT_HELLO MBEDTLS_SSL_CLIENT_HELLO
+#define SSL_CLIENT_KEY_EXCHANGE MBEDTLS_SSL_CLIENT_KEY_EXCHANGE
+#define SSL_COMPRESSION_ADD MBEDTLS_SSL_COMPRESSION_ADD
+#define SSL_COMPRESS_DEFLATE MBEDTLS_SSL_COMPRESS_DEFLATE
+#define SSL_COMPRESS_NULL MBEDTLS_SSL_COMPRESS_NULL
+#define SSL_DEBUG_BUF MBEDTLS_SSL_DEBUG_BUF
+#define SSL_DEBUG_CRT MBEDTLS_SSL_DEBUG_CRT
+#define SSL_DEBUG_ECP MBEDTLS_SSL_DEBUG_ECP
+#define SSL_DEBUG_MPI MBEDTLS_SSL_DEBUG_MPI
+#define SSL_DEBUG_MSG MBEDTLS_SSL_DEBUG_MSG
+#define SSL_DEBUG_RET MBEDTLS_SSL_DEBUG_RET
+#define SSL_DEFAULT_TICKET_LIFETIME MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME
+#define SSL_DTLS_TIMEOUT_DFL_MAX MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX
+#define SSL_DTLS_TIMEOUT_DFL_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
+#define SSL_EMPTY_RENEGOTIATION_INFO MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO
+#define SSL_ETM_DISABLED MBEDTLS_SSL_ETM_DISABLED
+#define SSL_ETM_ENABLED MBEDTLS_SSL_ETM_ENABLED
+#define SSL_EXTENDED_MS_DISABLED MBEDTLS_SSL_EXTENDED_MS_DISABLED
+#define SSL_EXTENDED_MS_ENABLED MBEDTLS_SSL_EXTENDED_MS_ENABLED
+#define SSL_FALLBACK_SCSV MBEDTLS_SSL_FALLBACK_SCSV
+#define SSL_FLUSH_BUFFERS MBEDTLS_SSL_FLUSH_BUFFERS
+#define SSL_HANDSHAKE_OVER MBEDTLS_SSL_HANDSHAKE_OVER
+#define SSL_HANDSHAKE_WRAPUP MBEDTLS_SSL_HANDSHAKE_WRAPUP
+#define SSL_HASH_MD5 MBEDTLS_SSL_HASH_MD5
+#define SSL_HASH_NONE MBEDTLS_SSL_HASH_NONE
+#define SSL_HASH_SHA1 MBEDTLS_SSL_HASH_SHA1
+#define SSL_HASH_SHA224 MBEDTLS_SSL_HASH_SHA224
+#define SSL_HASH_SHA256 MBEDTLS_SSL_HASH_SHA256
+#define SSL_HASH_SHA384 MBEDTLS_SSL_HASH_SHA384
+#define SSL_HASH_SHA512 MBEDTLS_SSL_HASH_SHA512
+#define SSL_HELLO_REQUEST MBEDTLS_SSL_HELLO_REQUEST
+#define SSL_HS_CERTIFICATE MBEDTLS_SSL_HS_CERTIFICATE
+#define SSL_HS_CERTIFICATE_REQUEST MBEDTLS_SSL_HS_CERTIFICATE_REQUEST
+#define SSL_HS_CERTIFICATE_VERIFY MBEDTLS_SSL_HS_CERTIFICATE_VERIFY
+#define SSL_HS_CLIENT_HELLO MBEDTLS_SSL_HS_CLIENT_HELLO
+#define SSL_HS_CLIENT_KEY_EXCHANGE MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE
+#define SSL_HS_FINISHED MBEDTLS_SSL_HS_FINISHED
+#define SSL_HS_HELLO_REQUEST MBEDTLS_SSL_HS_HELLO_REQUEST
+#define SSL_HS_HELLO_VERIFY_REQUEST MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
+#define SSL_HS_NEW_SESSION_TICKET MBEDTLS_SSL_HS_NEW_SESSION_TICKET
+#define SSL_HS_SERVER_HELLO MBEDTLS_SSL_HS_SERVER_HELLO
+#define SSL_HS_SERVER_HELLO_DONE MBEDTLS_SSL_HS_SERVER_HELLO_DONE
+#define SSL_HS_SERVER_KEY_EXCHANGE MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE
+#define SSL_INITIAL_HANDSHAKE MBEDTLS_SSL_INITIAL_HANDSHAKE
+#define SSL_IS_CLIENT MBEDTLS_SSL_IS_CLIENT
+#define SSL_IS_FALLBACK MBEDTLS_SSL_IS_FALLBACK
+#define SSL_IS_NOT_FALLBACK MBEDTLS_SSL_IS_NOT_FALLBACK
+#define SSL_IS_SERVER MBEDTLS_SSL_IS_SERVER
+#define SSL_LEGACY_ALLOW_RENEGOTIATION MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION
+#define SSL_LEGACY_BREAK_HANDSHAKE MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
+#define SSL_LEGACY_NO_RENEGOTIATION MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
+#define SSL_LEGACY_RENEGOTIATION MBEDTLS_SSL_LEGACY_RENEGOTIATION
+#define SSL_MAC_ADD MBEDTLS_SSL_MAC_ADD
+#define SSL_MAJOR_VERSION_3 MBEDTLS_SSL_MAJOR_VERSION_3
+#define SSL_MAX_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#define SSL_MAX_FRAG_LEN_1024 MBEDTLS_SSL_MAX_FRAG_LEN_1024
+#define SSL_MAX_FRAG_LEN_2048 MBEDTLS_SSL_MAX_FRAG_LEN_2048
+#define SSL_MAX_FRAG_LEN_4096 MBEDTLS_SSL_MAX_FRAG_LEN_4096
+#define SSL_MAX_FRAG_LEN_512 MBEDTLS_SSL_MAX_FRAG_LEN_512
+#define SSL_MAX_FRAG_LEN_INVALID MBEDTLS_SSL_MAX_FRAG_LEN_INVALID
+#define SSL_MAX_FRAG_LEN_NONE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
+#define SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAX_MAJOR_VERSION
+#define SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MAX_MINOR_VERSION
+#define SSL_MINOR_VERSION_0 MBEDTLS_SSL_MINOR_VERSION_0
+#define SSL_MINOR_VERSION_1 MBEDTLS_SSL_MINOR_VERSION_1
+#define SSL_MINOR_VERSION_2 MBEDTLS_SSL_MINOR_VERSION_2
+#define SSL_MINOR_VERSION_3 MBEDTLS_SSL_MINOR_VERSION_3
+#define SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MIN_MAJOR_VERSION
+#define SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MIN_MINOR_VERSION
+#define SSL_MSG_ALERT MBEDTLS_SSL_MSG_ALERT
+#define SSL_MSG_APPLICATION_DATA MBEDTLS_SSL_MSG_APPLICATION_DATA
+#define SSL_MSG_CHANGE_CIPHER_SPEC MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC
+#define SSL_MSG_HANDSHAKE MBEDTLS_SSL_MSG_HANDSHAKE
+#define SSL_PADDING_ADD MBEDTLS_SSL_PADDING_ADD
+#define SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
+#define SSL_RENEGOTIATION_DISABLED MBEDTLS_SSL_RENEGOTIATION_DISABLED
+#define SSL_RENEGOTIATION_DONE MBEDTLS_SSL_RENEGOTIATION_DONE
+#define SSL_RENEGOTIATION_ENABLED MBEDTLS_SSL_RENEGOTIATION_ENABLED
+#define SSL_RENEGOTIATION_NOT_ENFORCED MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED
+#define SSL_RENEGOTIATION_PENDING MBEDTLS_SSL_RENEGOTIATION_PENDING
+#define SSL_RENEGO_MAX_RECORDS_DEFAULT MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT
+#define SSL_RETRANS_FINISHED MBEDTLS_SSL_RETRANS_FINISHED
+#define SSL_RETRANS_PREPARING MBEDTLS_SSL_RETRANS_PREPARING
+#define SSL_RETRANS_SENDING MBEDTLS_SSL_RETRANS_SENDING
+#define SSL_RETRANS_WAITING MBEDTLS_SSL_RETRANS_WAITING
+#define SSL_SECURE_RENEGOTIATION MBEDTLS_SSL_SECURE_RENEGOTIATION
+#define SSL_SERVER_CERTIFICATE MBEDTLS_SSL_SERVER_CERTIFICATE
+#define SSL_SERVER_CHANGE_CIPHER_SPEC MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
+#define SSL_SERVER_FINISHED MBEDTLS_SSL_SERVER_FINISHED
+#define SSL_SERVER_HELLO MBEDTLS_SSL_SERVER_HELLO
+#define SSL_SERVER_HELLO_DONE MBEDTLS_SSL_SERVER_HELLO_DONE
+#define SSL_SERVER_HELLO_VERIFY_REQUEST_SENT MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT
+#define SSL_SERVER_KEY_EXCHANGE MBEDTLS_SSL_SERVER_KEY_EXCHANGE
+#define SSL_SERVER_NEW_SESSION_TICKET MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET
+#define SSL_SESSION_TICKETS_DISABLED MBEDTLS_SSL_SESSION_TICKETS_DISABLED
+#define SSL_SESSION_TICKETS_ENABLED MBEDTLS_SSL_SESSION_TICKETS_ENABLED
+#define SSL_SIG_ANON MBEDTLS_SSL_SIG_ANON
+#define SSL_SIG_ECDSA MBEDTLS_SSL_SIG_ECDSA
+#define SSL_SIG_RSA MBEDTLS_SSL_SIG_RSA
+#define SSL_TRANSPORT_DATAGRAM MBEDTLS_SSL_TRANSPORT_DATAGRAM
+#define SSL_TRANSPORT_STREAM MBEDTLS_SSL_TRANSPORT_STREAM
+#define SSL_TRUNCATED_HMAC_LEN MBEDTLS_SSL_TRUNCATED_HMAC_LEN
+#define SSL_TRUNC_HMAC_DISABLED MBEDTLS_SSL_TRUNC_HMAC_DISABLED
+#define SSL_TRUNC_HMAC_ENABLED MBEDTLS_SSL_TRUNC_HMAC_ENABLED
+#define SSL_VERIFY_DATA_MAX_LEN MBEDTLS_SSL_VERIFY_DATA_MAX_LEN
+#define SSL_VERIFY_NONE MBEDTLS_SSL_VERIFY_NONE
+#define SSL_VERIFY_OPTIONAL MBEDTLS_SSL_VERIFY_OPTIONAL
+#define SSL_VERIFY_REQUIRED MBEDTLS_SSL_VERIFY_REQUIRED
+#define TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_DHE_PSK_WITH_AES_128_CCM MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM
+#define TLS_DHE_PSK_WITH_AES_128_CCM_8 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8
+#define TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_DHE_PSK_WITH_AES_256_CCM MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM
+#define TLS_DHE_PSK_WITH_AES_256_CCM_8 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8
+#define TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+#define TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_DHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
+#define TLS_DHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
+#define TLS_DHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
+#define TLS_DHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_DHE_RSA_WITH_AES_128_CCM MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM
+#define TLS_DHE_RSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8
+#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+#define TLS_DHE_RSA_WITH_AES_256_CCM MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM
+#define TLS_DHE_RSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8
+#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_DHE_RSA_WITH_DES_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
+#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDHE_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
+#define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+#define TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
+#define TLS_ECDHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
+#define TLS_ECDHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
+#define TLS_ECDHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
+#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDHE_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
+#define TLS_ECDHE_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
+#define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDH_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
+#define TLS_ECDH_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+#define TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDH_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
+#define TLS_ECDH_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
+#define TLS_EXT_ALPN MBEDTLS_TLS_EXT_ALPN
+#define TLS_EXT_ENCRYPT_THEN_MAC MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
+#define TLS_EXT_EXTENDED_MASTER_SECRET MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
+#define TLS_EXT_MAX_FRAGMENT_LENGTH MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
+#define TLS_EXT_RENEGOTIATION_INFO MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
+#define TLS_EXT_SERVERNAME MBEDTLS_TLS_EXT_SERVERNAME
+#define TLS_EXT_SERVERNAME_HOSTNAME MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME
+#define TLS_EXT_SESSION_TICKET MBEDTLS_TLS_EXT_SESSION_TICKET
+#define TLS_EXT_SIG_ALG MBEDTLS_TLS_EXT_SIG_ALG
+#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
+#define TLS_EXT_SUPPORTED_POINT_FORMATS MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
+#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
+#define TLS_EXT_TRUNCATED_HMAC MBEDTLS_TLS_EXT_TRUNCATED_HMAC
+#define TLS_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+#define TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_PSK_WITH_AES_128_CCM MBEDTLS_TLS_PSK_WITH_AES_128_CCM
+#define TLS_PSK_WITH_AES_128_CCM_8 MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8
+#define TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+#define TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+#define TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_PSK_WITH_AES_256_CCM MBEDTLS_TLS_PSK_WITH_AES_256_CCM
+#define TLS_PSK_WITH_AES_256_CCM_8 MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8
+#define TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+#define TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_PSK_WITH_NULL_SHA MBEDTLS_TLS_PSK_WITH_NULL_SHA
+#define TLS_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_PSK_WITH_NULL_SHA256
+#define TLS_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_PSK_WITH_NULL_SHA384
+#define TLS_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+#define TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+#define TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_RSA_PSK_WITH_NULL_SHA MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
+#define TLS_RSA_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
+#define TLS_RSA_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
+#define TLS_RSA_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+#define TLS_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
+#define TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_RSA_WITH_AES_128_CCM MBEDTLS_TLS_RSA_WITH_AES_128_CCM
+#define TLS_RSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8
+#define TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
+#define TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+#define TLS_RSA_WITH_AES_256_CCM MBEDTLS_TLS_RSA_WITH_AES_256_CCM
+#define TLS_RSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8
+#define TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+#define TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_RSA_WITH_DES_CBC_SHA MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
+#define TLS_RSA_WITH_NULL_MD5 MBEDTLS_TLS_RSA_WITH_NULL_MD5
+#define TLS_RSA_WITH_NULL_SHA MBEDTLS_TLS_RSA_WITH_NULL_SHA
+#define TLS_RSA_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_WITH_NULL_SHA256
+#define TLS_RSA_WITH_RC4_128_MD5 MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
+#define TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
+#define X509_CRT_VERSION_1 MBEDTLS_X509_CRT_VERSION_1
+#define X509_CRT_VERSION_2 MBEDTLS_X509_CRT_VERSION_2
+#define X509_CRT_VERSION_3 MBEDTLS_X509_CRT_VERSION_3
+#define X509_FORMAT_DER MBEDTLS_X509_FORMAT_DER
+#define X509_FORMAT_PEM MBEDTLS_X509_FORMAT_PEM
+#define X509_MAX_DN_NAME_SIZE MBEDTLS_X509_MAX_DN_NAME_SIZE
+#define X509_RFC5280_MAX_SERIAL_LEN MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN
+#define X509_RFC5280_UTC_TIME_LEN MBEDTLS_X509_RFC5280_UTC_TIME_LEN
+#define XTEA_DECRYPT MBEDTLS_XTEA_DECRYPT
+#define XTEA_ENCRYPT MBEDTLS_XTEA_ENCRYPT
+#define _asn1_bitstring mbedtls_asn1_bitstring
+#define _asn1_buf mbedtls_asn1_buf
+#define _asn1_named_data mbedtls_asn1_named_data
+#define _asn1_sequence mbedtls_asn1_sequence
+#define _ssl_cache_context mbedtls_ssl_cache_context
+#define _ssl_cache_entry mbedtls_ssl_cache_entry
+#define _ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t
+#define _ssl_context mbedtls_ssl_context
+#define _ssl_flight_item mbedtls_ssl_flight_item
+#define _ssl_handshake_params mbedtls_ssl_handshake_params
+#define _ssl_key_cert mbedtls_ssl_key_cert
+#define _ssl_premaster_secret mbedtls_ssl_premaster_secret
+#define _ssl_session mbedtls_ssl_session
+#define _ssl_transform mbedtls_ssl_transform
+#define _x509_crl mbedtls_x509_crl
+#define _x509_crl_entry mbedtls_x509_crl_entry
+#define _x509_crt mbedtls_x509_crt
+#define _x509_csr mbedtls_x509_csr
+#define _x509_time mbedtls_x509_time
+#define _x509write_cert mbedtls_x509write_cert
+#define _x509write_csr mbedtls_x509write_csr
+#define aes_context mbedtls_aes_context
+#define aes_crypt_cbc mbedtls_aes_crypt_cbc
+#define aes_crypt_cfb128 mbedtls_aes_crypt_cfb128
+#define aes_crypt_cfb8 mbedtls_aes_crypt_cfb8
+#define aes_crypt_ctr mbedtls_aes_crypt_ctr
+#define aes_crypt_ecb mbedtls_aes_crypt_ecb
+#define aes_free mbedtls_aes_free
+#define aes_init mbedtls_aes_init
+#define aes_self_test mbedtls_aes_self_test
+#define aes_setkey_dec mbedtls_aes_setkey_dec
+#define aes_setkey_enc mbedtls_aes_setkey_enc
+#define aesni_crypt_ecb mbedtls_aesni_crypt_ecb
+#define aesni_gcm_mult mbedtls_aesni_gcm_mult
+#define aesni_inverse_key mbedtls_aesni_inverse_key
+#define aesni_setkey_enc mbedtls_aesni_setkey_enc
+#define aesni_supports mbedtls_aesni_has_support
+#define alarmed mbedtls_timing_alarmed
+#define arc4_context mbedtls_arc4_context
+#define arc4_crypt mbedtls_arc4_crypt
+#define arc4_free mbedtls_arc4_free
+#define arc4_init mbedtls_arc4_init
+#define arc4_self_test mbedtls_arc4_self_test
+#define arc4_setup mbedtls_arc4_setup
+#define asn1_bitstring mbedtls_asn1_bitstring
+#define asn1_buf mbedtls_asn1_buf
+#define asn1_find_named_data mbedtls_asn1_find_named_data
+#define asn1_free_named_data mbedtls_asn1_free_named_data
+#define asn1_free_named_data_list mbedtls_asn1_free_named_data_list
+#define asn1_get_alg mbedtls_asn1_get_alg
+#define asn1_get_alg_null mbedtls_asn1_get_alg_null
+#define asn1_get_bitstring mbedtls_asn1_get_bitstring
+#define asn1_get_bitstring_null mbedtls_asn1_get_bitstring_null
+#define asn1_get_bool mbedtls_asn1_get_bool
+#define asn1_get_int mbedtls_asn1_get_int
+#define asn1_get_len mbedtls_asn1_get_len
+#define asn1_get_mpi mbedtls_asn1_get_mpi
+#define asn1_get_sequence_of mbedtls_asn1_get_sequence_of
+#define asn1_get_tag mbedtls_asn1_get_tag
+#define asn1_named_data mbedtls_asn1_named_data
+#define asn1_sequence mbedtls_asn1_sequence
+#define asn1_store_named_data mbedtls_asn1_store_named_data
+#define asn1_write_algorithm_identifier mbedtls_asn1_write_algorithm_identifier
+#define asn1_write_bitstring mbedtls_asn1_write_bitstring
+#define asn1_write_bool mbedtls_asn1_write_bool
+#define asn1_write_ia5_string mbedtls_asn1_write_ia5_string
+#define asn1_write_int mbedtls_asn1_write_int
+#define asn1_write_len mbedtls_asn1_write_len
+#define asn1_write_mpi mbedtls_asn1_write_mpi
+#define asn1_write_null mbedtls_asn1_write_null
+#define asn1_write_octet_string mbedtls_asn1_write_octet_string
+#define asn1_write_oid mbedtls_asn1_write_oid
+#define asn1_write_printable_string mbedtls_asn1_write_printable_string
+#define asn1_write_raw_buffer mbedtls_asn1_write_raw_buffer
+#define asn1_write_tag mbedtls_asn1_write_tag
+#define base64_decode mbedtls_base64_decode
+#define base64_encode mbedtls_base64_encode
+#define base64_self_test mbedtls_base64_self_test
+#define blowfish_context mbedtls_blowfish_context
+#define blowfish_crypt_cbc mbedtls_blowfish_crypt_cbc
+#define blowfish_crypt_cfb64 mbedtls_blowfish_crypt_cfb64
+#define blowfish_crypt_ctr mbedtls_blowfish_crypt_ctr
+#define blowfish_crypt_ecb mbedtls_blowfish_crypt_ecb
+#define blowfish_free mbedtls_blowfish_free
+#define blowfish_init mbedtls_blowfish_init
+#define blowfish_setkey mbedtls_blowfish_setkey
+#define camellia_context mbedtls_camellia_context
+#define camellia_crypt_cbc mbedtls_camellia_crypt_cbc
+#define camellia_crypt_cfb128 mbedtls_camellia_crypt_cfb128
+#define camellia_crypt_ctr mbedtls_camellia_crypt_ctr
+#define camellia_crypt_ecb mbedtls_camellia_crypt_ecb
+#define camellia_free mbedtls_camellia_free
+#define camellia_init mbedtls_camellia_init
+#define camellia_self_test mbedtls_camellia_self_test
+#define camellia_setkey_dec mbedtls_camellia_setkey_dec
+#define camellia_setkey_enc mbedtls_camellia_setkey_enc
+#define ccm_auth_decrypt mbedtls_ccm_auth_decrypt
+#define ccm_context mbedtls_ccm_context
+#define ccm_encrypt_and_tag mbedtls_ccm_encrypt_and_tag
+#define ccm_free mbedtls_ccm_free
+#define ccm_init mbedtls_ccm_init
+#define ccm_self_test mbedtls_ccm_self_test
+#define cipher_auth_decrypt mbedtls_cipher_auth_decrypt
+#define cipher_auth_encrypt mbedtls_cipher_auth_encrypt
+#define cipher_base_t mbedtls_cipher_base_t
+#define cipher_check_tag mbedtls_cipher_check_tag
+#define cipher_context_t mbedtls_cipher_context_t
+#define cipher_crypt mbedtls_cipher_crypt
+#define cipher_definition_t mbedtls_cipher_definition_t
+#define cipher_definitions mbedtls_cipher_definitions
+#define cipher_finish mbedtls_cipher_finish
+#define cipher_free mbedtls_cipher_free
+#define cipher_get_block_size mbedtls_cipher_get_block_size
+#define cipher_get_cipher_mode mbedtls_cipher_get_cipher_mode
+#define cipher_get_iv_size mbedtls_cipher_get_iv_size
+#define cipher_get_key_size mbedtls_cipher_get_key_bitlen
+#define cipher_get_name mbedtls_cipher_get_name
+#define cipher_get_operation mbedtls_cipher_get_operation
+#define cipher_get_type mbedtls_cipher_get_type
+#define cipher_id_t mbedtls_cipher_id_t
+#define cipher_info_from_string mbedtls_cipher_info_from_string
+#define cipher_info_from_type mbedtls_cipher_info_from_type
+#define cipher_info_from_values mbedtls_cipher_info_from_values
+#define cipher_info_t mbedtls_cipher_info_t
+#define cipher_init mbedtls_cipher_init
+#define cipher_init_ctx mbedtls_cipher_setup
+#define cipher_list mbedtls_cipher_list
+#define cipher_mode_t mbedtls_cipher_mode_t
+#define cipher_padding_t mbedtls_cipher_padding_t
+#define cipher_reset mbedtls_cipher_reset
+#define cipher_set_iv mbedtls_cipher_set_iv
+#define cipher_set_padding_mode mbedtls_cipher_set_padding_mode
+#define cipher_setkey mbedtls_cipher_setkey
+#define cipher_type_t mbedtls_cipher_type_t
+#define cipher_update mbedtls_cipher_update
+#define cipher_update_ad mbedtls_cipher_update_ad
+#define cipher_write_tag mbedtls_cipher_write_tag
+#define ctr_drbg_context mbedtls_ctr_drbg_context
+#define ctr_drbg_free mbedtls_ctr_drbg_free
+#define ctr_drbg_init mbedtls_ctr_drbg_init
+#define ctr_drbg_random mbedtls_ctr_drbg_random
+#define ctr_drbg_random_with_add mbedtls_ctr_drbg_random_with_add
+#define ctr_drbg_reseed mbedtls_ctr_drbg_reseed
+#define ctr_drbg_self_test mbedtls_ctr_drbg_self_test
+#define ctr_drbg_set_entropy_len mbedtls_ctr_drbg_set_entropy_len
+#define ctr_drbg_set_prediction_resistance mbedtls_ctr_drbg_set_prediction_resistance
+#define ctr_drbg_set_reseed_interval mbedtls_ctr_drbg_set_reseed_interval
+#define ctr_drbg_update mbedtls_ctr_drbg_update
+#define ctr_drbg_update_seed_file mbedtls_ctr_drbg_update_seed_file
+#define ctr_drbg_write_seed_file mbedtls_ctr_drbg_write_seed_file
+#define debug_print_buf mbedtls_debug_print_buf
+#define debug_print_crt mbedtls_debug_print_crt
+#define debug_print_ecp mbedtls_debug_print_ecp
+#define debug_print_mpi mbedtls_debug_print_mpi
+#define debug_print_msg mbedtls_debug_print_msg
+#define debug_print_ret mbedtls_debug_print_ret
+#define debug_set_threshold mbedtls_debug_set_threshold
+#define des3_context mbedtls_des3_context
+#define des3_crypt_cbc mbedtls_des3_crypt_cbc
+#define des3_crypt_ecb mbedtls_des3_crypt_ecb
+#define des3_free mbedtls_des3_free
+#define des3_init mbedtls_des3_init
+#define des3_set2key_dec mbedtls_des3_set2key_dec
+#define des3_set2key_enc mbedtls_des3_set2key_enc
+#define des3_set3key_dec mbedtls_des3_set3key_dec
+#define des3_set3key_enc mbedtls_des3_set3key_enc
+#define des_context mbedtls_des_context
+#define des_crypt_cbc mbedtls_des_crypt_cbc
+#define des_crypt_ecb mbedtls_des_crypt_ecb
+#define des_free mbedtls_des_free
+#define des_init mbedtls_des_init
+#define des_key_check_key_parity mbedtls_des_key_check_key_parity
+#define des_key_check_weak mbedtls_des_key_check_weak
+#define des_key_set_parity mbedtls_des_key_set_parity
+#define des_self_test mbedtls_des_self_test
+#define des_setkey_dec mbedtls_des_setkey_dec
+#define des_setkey_enc mbedtls_des_setkey_enc
+#define dhm_calc_secret mbedtls_dhm_calc_secret
+#define dhm_context mbedtls_dhm_context
+#define dhm_free mbedtls_dhm_free
+#define dhm_init mbedtls_dhm_init
+#define dhm_make_params mbedtls_dhm_make_params
+#define dhm_make_public mbedtls_dhm_make_public
+#define dhm_parse_dhm mbedtls_dhm_parse_dhm
+#define dhm_parse_dhmfile mbedtls_dhm_parse_dhmfile
+#define dhm_read_params mbedtls_dhm_read_params
+#define dhm_read_public mbedtls_dhm_read_public
+#define dhm_self_test mbedtls_dhm_self_test
+#define ecdh_calc_secret mbedtls_ecdh_calc_secret
+#define ecdh_compute_shared mbedtls_ecdh_compute_shared
+#define ecdh_context mbedtls_ecdh_context
+#define ecdh_free mbedtls_ecdh_free
+#define ecdh_gen_public mbedtls_ecdh_gen_public
+#define ecdh_get_params mbedtls_ecdh_get_params
+#define ecdh_init mbedtls_ecdh_init
+#define ecdh_make_params mbedtls_ecdh_make_params
+#define ecdh_make_public mbedtls_ecdh_make_public
+#define ecdh_read_params mbedtls_ecdh_read_params
+#define ecdh_read_public mbedtls_ecdh_read_public
+#define ecdh_side mbedtls_ecdh_side
+#define ecdsa_context mbedtls_ecdsa_context
+#define ecdsa_free mbedtls_ecdsa_free
+#define ecdsa_from_keypair mbedtls_ecdsa_from_keypair
+#define ecdsa_genkey mbedtls_ecdsa_genkey
+#define ecdsa_info mbedtls_ecdsa_info
+#define ecdsa_init mbedtls_ecdsa_init
+#define ecdsa_read_signature mbedtls_ecdsa_read_signature
+#define ecdsa_sign mbedtls_ecdsa_sign
+#define ecdsa_sign_det mbedtls_ecdsa_sign_det
+#define ecdsa_verify mbedtls_ecdsa_verify
+#define ecdsa_write_signature mbedtls_ecdsa_write_signature
+#define ecdsa_write_signature_det mbedtls_ecdsa_write_signature_det
+#define eckey_info mbedtls_eckey_info
+#define eckeydh_info mbedtls_eckeydh_info
+#define ecp_check_privkey mbedtls_ecp_check_privkey
+#define ecp_check_pub_priv mbedtls_ecp_check_pub_priv
+#define ecp_check_pubkey mbedtls_ecp_check_pubkey
+#define ecp_copy mbedtls_ecp_copy
+#define ecp_curve_info mbedtls_ecp_curve_info
+#define ecp_curve_info_from_grp_id mbedtls_ecp_curve_info_from_grp_id
+#define ecp_curve_info_from_name mbedtls_ecp_curve_info_from_name
+#define ecp_curve_info_from_tls_id mbedtls_ecp_curve_info_from_tls_id
+#define ecp_curve_list mbedtls_ecp_curve_list
+#define ecp_gen_key mbedtls_ecp_gen_key
+#define ecp_gen_keypair mbedtls_ecp_gen_keypair
+#define ecp_group mbedtls_ecp_group
+#define ecp_group_copy mbedtls_ecp_group_copy
+#define ecp_group_free mbedtls_ecp_group_free
+#define ecp_group_id mbedtls_ecp_group_id
+#define ecp_group_init mbedtls_ecp_group_init
+#define ecp_grp_id_list mbedtls_ecp_grp_id_list
+#define ecp_is_zero mbedtls_ecp_is_zero
+#define ecp_keypair mbedtls_ecp_keypair
+#define ecp_keypair_free mbedtls_ecp_keypair_free
+#define ecp_keypair_init mbedtls_ecp_keypair_init
+#define ecp_mul mbedtls_ecp_mul
+#define ecp_point mbedtls_ecp_point
+#define ecp_point_free mbedtls_ecp_point_free
+#define ecp_point_init mbedtls_ecp_point_init
+#define ecp_point_read_binary mbedtls_ecp_point_read_binary
+#define ecp_point_read_string mbedtls_ecp_point_read_string
+#define ecp_point_write_binary mbedtls_ecp_point_write_binary
+#define ecp_self_test mbedtls_ecp_self_test
+#define ecp_set_zero mbedtls_ecp_set_zero
+#define ecp_tls_read_group mbedtls_ecp_tls_read_group
+#define ecp_tls_read_point mbedtls_ecp_tls_read_point
+#define ecp_tls_write_group mbedtls_ecp_tls_write_group
+#define ecp_tls_write_point mbedtls_ecp_tls_write_point
+#define ecp_use_known_dp mbedtls_ecp_group_load
+#define entropy_add_source mbedtls_entropy_add_source
+#define entropy_context mbedtls_entropy_context
+#define entropy_free mbedtls_entropy_free
+#define entropy_func mbedtls_entropy_func
+#define entropy_gather mbedtls_entropy_gather
+#define entropy_init mbedtls_entropy_init
+#define entropy_self_test mbedtls_entropy_self_test
+#define entropy_update_manual mbedtls_entropy_update_manual
+#define entropy_update_seed_file mbedtls_entropy_update_seed_file
+#define entropy_write_seed_file mbedtls_entropy_write_seed_file
+#define error_strerror mbedtls_strerror
+#define f_source_ptr mbedtls_entropy_f_source_ptr
+#define gcm_auth_decrypt mbedtls_gcm_auth_decrypt
+#define gcm_context mbedtls_gcm_context
+#define gcm_crypt_and_tag mbedtls_gcm_crypt_and_tag
+#define gcm_finish mbedtls_gcm_finish
+#define gcm_free mbedtls_gcm_free
+#define gcm_init mbedtls_gcm_init
+#define gcm_self_test mbedtls_gcm_self_test
+#define gcm_starts mbedtls_gcm_starts
+#define gcm_update mbedtls_gcm_update
+#define get_timer mbedtls_timing_get_timer
+#define hardclock mbedtls_timing_hardclock
+#define hardclock_poll mbedtls_hardclock_poll
+#define havege_free mbedtls_havege_free
+#define havege_init mbedtls_havege_init
+#define havege_poll mbedtls_havege_poll
+#define havege_random mbedtls_havege_random
+#define havege_state mbedtls_havege_state
+#define hmac_drbg_context mbedtls_hmac_drbg_context
+#define hmac_drbg_free mbedtls_hmac_drbg_free
+#define hmac_drbg_init mbedtls_hmac_drbg_init
+#define hmac_drbg_random mbedtls_hmac_drbg_random
+#define hmac_drbg_random_with_add mbedtls_hmac_drbg_random_with_add
+#define hmac_drbg_reseed mbedtls_hmac_drbg_reseed
+#define hmac_drbg_self_test mbedtls_hmac_drbg_self_test
+#define hmac_drbg_set_entropy_len mbedtls_hmac_drbg_set_entropy_len
+#define hmac_drbg_set_prediction_resistance mbedtls_hmac_drbg_set_prediction_resistance
+#define hmac_drbg_set_reseed_interval mbedtls_hmac_drbg_set_reseed_interval
+#define hmac_drbg_update mbedtls_hmac_drbg_update
+#define hmac_drbg_update_seed_file mbedtls_hmac_drbg_update_seed_file
+#define hmac_drbg_write_seed_file mbedtls_hmac_drbg_write_seed_file
+#define hr_time mbedtls_timing_hr_time
+#define key_exchange_type_t mbedtls_key_exchange_type_t
+#define md mbedtls_md
+#define md2 mbedtls_md2
+#define md2_context mbedtls_md2_context
+#define md2_finish mbedtls_md2_finish
+#define md2_free mbedtls_md2_free
+#define md2_info mbedtls_md2_info
+#define md2_init mbedtls_md2_init
+#define md2_process mbedtls_md2_process
+#define md2_self_test mbedtls_md2_self_test
+#define md2_starts mbedtls_md2_starts
+#define md2_update mbedtls_md2_update
+#define md4 mbedtls_md4
+#define md4_context mbedtls_md4_context
+#define md4_finish mbedtls_md4_finish
+#define md4_free mbedtls_md4_free
+#define md4_info mbedtls_md4_info
+#define md4_init mbedtls_md4_init
+#define md4_process mbedtls_md4_process
+#define md4_self_test mbedtls_md4_self_test
+#define md4_starts mbedtls_md4_starts
+#define md4_update mbedtls_md4_update
+#define md5 mbedtls_md5
+#define md5_context mbedtls_md5_context
+#define md5_finish mbedtls_md5_finish
+#define md5_free mbedtls_md5_free
+#define md5_info mbedtls_md5_info
+#define md5_init mbedtls_md5_init
+#define md5_process mbedtls_md5_process
+#define md5_self_test mbedtls_md5_self_test
+#define md5_starts mbedtls_md5_starts
+#define md5_update mbedtls_md5_update
+#define md_context_t mbedtls_md_context_t
+#define md_file mbedtls_md_file
+#define md_finish mbedtls_md_finish
+#define md_free mbedtls_md_free
+#define md_get_name mbedtls_md_get_name
+#define md_get_size mbedtls_md_get_size
+#define md_get_type mbedtls_md_get_type
+#define md_hmac mbedtls_md_hmac
+#define md_hmac_finish mbedtls_md_hmac_finish
+#define md_hmac_reset mbedtls_md_hmac_reset
+#define md_hmac_starts mbedtls_md_hmac_starts
+#define md_hmac_update mbedtls_md_hmac_update
+#define md_info_from_string mbedtls_md_info_from_string
+#define md_info_from_type mbedtls_md_info_from_type
+#define md_info_t mbedtls_md_info_t
+#define md_init mbedtls_md_init
+#define md_init_ctx mbedtls_md_init_ctx
+#define md_list mbedtls_md_list
+#define md_process mbedtls_md_process
+#define md_starts mbedtls_md_starts
+#define md_type_t mbedtls_md_type_t
+#define md_update mbedtls_md_update
+#define memory_buffer_alloc_cur_get mbedtls_memory_buffer_alloc_cur_get
+#define memory_buffer_alloc_free mbedtls_memory_buffer_alloc_free
+#define memory_buffer_alloc_init mbedtls_memory_buffer_alloc_init
+#define memory_buffer_alloc_max_get mbedtls_memory_buffer_alloc_max_get
+#define memory_buffer_alloc_max_reset mbedtls_memory_buffer_alloc_max_reset
+#define memory_buffer_alloc_self_test mbedtls_memory_buffer_alloc_self_test
+#define memory_buffer_alloc_status mbedtls_memory_buffer_alloc_status
+#define memory_buffer_alloc_verify mbedtls_memory_buffer_alloc_verify
+#define memory_buffer_set_verify mbedtls_memory_buffer_set_verify
+#define mpi mbedtls_mpi
+#define mpi_add_abs mbedtls_mpi_add_abs
+#define mpi_add_int mbedtls_mpi_add_int
+#define mpi_add_mpi mbedtls_mpi_add_mpi
+#define mpi_cmp_abs mbedtls_mpi_cmp_abs
+#define mpi_cmp_int mbedtls_mpi_cmp_int
+#define mpi_cmp_mpi mbedtls_mpi_cmp_mpi
+#define mpi_copy mbedtls_mpi_copy
+#define mpi_div_int mbedtls_mpi_div_int
+#define mpi_div_mpi mbedtls_mpi_div_mpi
+#define mpi_exp_mod mbedtls_mpi_exp_mod
+#define mpi_fill_random mbedtls_mpi_fill_random
+#define mpi_free mbedtls_mpi_free
+#define mpi_gcd mbedtls_mpi_gcd
+#define mpi_gen_prime mbedtls_mpi_gen_prime
+#define mpi_get_bit mbedtls_mpi_get_bit
+#define mpi_grow mbedtls_mpi_grow
+#define mpi_init mbedtls_mpi_init
+#define mpi_inv_mod mbedtls_mpi_inv_mod
+#define mpi_is_prime mbedtls_mpi_is_prime
+#define mpi_lsb mbedtls_mpi_lsb
+#define mpi_lset mbedtls_mpi_lset
+#define mpi_mod_int mbedtls_mpi_mod_int
+#define mpi_mod_mpi mbedtls_mpi_mod_mpi
+#define mpi_msb mbedtls_mpi_bitlen
+#define mpi_mul_int mbedtls_mpi_mul_int
+#define mpi_mul_mpi mbedtls_mpi_mul_mpi
+#define mpi_read_binary mbedtls_mpi_read_binary
+#define mpi_read_file mbedtls_mpi_read_file
+#define mpi_read_string mbedtls_mpi_read_string
+#define mpi_safe_cond_assign mbedtls_mpi_safe_cond_assign
+#define mpi_safe_cond_swap mbedtls_mpi_safe_cond_swap
+#define mpi_self_test mbedtls_mpi_self_test
+#define mpi_set_bit mbedtls_mpi_set_bit
+#define mpi_shift_l mbedtls_mpi_shift_l
+#define mpi_shift_r mbedtls_mpi_shift_r
+#define mpi_shrink mbedtls_mpi_shrink
+#define mpi_size mbedtls_mpi_size
+#define mpi_sub_abs mbedtls_mpi_sub_abs
+#define mpi_sub_int mbedtls_mpi_sub_int
+#define mpi_sub_mpi mbedtls_mpi_sub_mpi
+#define mpi_swap mbedtls_mpi_swap
+#define mpi_write_binary mbedtls_mpi_write_binary
+#define mpi_write_file mbedtls_mpi_write_file
+#define mpi_write_string mbedtls_mpi_write_string
+#define net_accept mbedtls_net_accept
+#define net_bind mbedtls_net_bind
+#define net_close mbedtls_net_free
+#define net_connect mbedtls_net_connect
+#define net_recv mbedtls_net_recv
+#define net_recv_timeout mbedtls_net_recv_timeout
+#define net_send mbedtls_net_send
+#define net_set_block mbedtls_net_set_block
+#define net_set_nonblock mbedtls_net_set_nonblock
+#define net_usleep mbedtls_net_usleep
+#define oid_descriptor_t mbedtls_oid_descriptor_t
+#define oid_get_attr_short_name mbedtls_oid_get_attr_short_name
+#define oid_get_cipher_alg mbedtls_oid_get_cipher_alg
+#define oid_get_ec_grp mbedtls_oid_get_ec_grp
+#define oid_get_extended_key_usage mbedtls_oid_get_extended_key_usage
+#define oid_get_md_alg mbedtls_oid_get_md_alg
+#define oid_get_numeric_string mbedtls_oid_get_numeric_string
+#define oid_get_oid_by_ec_grp mbedtls_oid_get_oid_by_ec_grp
+#define oid_get_oid_by_md mbedtls_oid_get_oid_by_md
+#define oid_get_oid_by_pk_alg mbedtls_oid_get_oid_by_pk_alg
+#define oid_get_oid_by_sig_alg mbedtls_oid_get_oid_by_sig_alg
+#define oid_get_pk_alg mbedtls_oid_get_pk_alg
+#define oid_get_pkcs12_pbe_alg mbedtls_oid_get_pkcs12_pbe_alg
+#define oid_get_sig_alg mbedtls_oid_get_sig_alg
+#define oid_get_sig_alg_desc mbedtls_oid_get_sig_alg_desc
+#define oid_get_x509_ext_type mbedtls_oid_get_x509_ext_type
+#define operation_t mbedtls_operation_t
+#define padlock_supports mbedtls_padlock_has_support
+#define padlock_xcryptcbc mbedtls_padlock_xcryptcbc
+#define padlock_xcryptecb mbedtls_padlock_xcryptecb
+#define pem_context mbedtls_pem_context
+#define pem_free mbedtls_pem_free
+#define pem_init mbedtls_pem_init
+#define pem_read_buffer mbedtls_pem_read_buffer
+#define pem_write_buffer mbedtls_pem_write_buffer
+#define pk_can_do mbedtls_pk_can_do
+#define pk_check_pair mbedtls_pk_check_pair
+#define pk_context mbedtls_pk_context
+#define pk_debug mbedtls_pk_debug
+#define pk_debug_item mbedtls_pk_debug_item
+#define pk_debug_type mbedtls_pk_debug_type
+#define pk_decrypt mbedtls_pk_decrypt
+#define pk_ec mbedtls_pk_ec
+#define pk_encrypt mbedtls_pk_encrypt
+#define pk_free mbedtls_pk_free
+#define pk_get_len mbedtls_pk_get_len
+#define pk_get_name mbedtls_pk_get_name
+#define pk_get_size mbedtls_pk_get_bitlen
+#define pk_get_type mbedtls_pk_get_type
+#define pk_info_from_type mbedtls_pk_info_from_type
+#define pk_info_t mbedtls_pk_info_t
+#define pk_init mbedtls_pk_init
+#define pk_init_ctx mbedtls_pk_setup
+#define pk_init_ctx_rsa_alt mbedtls_pk_setup_rsa_alt
+#define pk_load_file mbedtls_pk_load_file
+#define pk_parse_key mbedtls_pk_parse_key
+#define pk_parse_keyfile mbedtls_pk_parse_keyfile
+#define pk_parse_public_key mbedtls_pk_parse_public_key
+#define pk_parse_public_keyfile mbedtls_pk_parse_public_keyfile
+#define pk_parse_subpubkey mbedtls_pk_parse_subpubkey
+#define pk_rsa mbedtls_pk_rsa
+#define pk_rsa_alt_decrypt_func mbedtls_pk_rsa_alt_decrypt_func
+#define pk_rsa_alt_key_len_func mbedtls_pk_rsa_alt_key_len_func
+#define pk_rsa_alt_sign_func mbedtls_pk_rsa_alt_sign_func
+#define pk_rsassa_pss_options mbedtls_pk_rsassa_pss_options
+#define pk_sign mbedtls_pk_sign
+#define pk_type_t mbedtls_pk_type_t
+#define pk_verify mbedtls_pk_verify
+#define pk_verify_ext mbedtls_pk_verify_ext
+#define pk_write_key_der mbedtls_pk_write_key_der
+#define pk_write_key_pem mbedtls_pk_write_key_pem
+#define pk_write_pubkey mbedtls_pk_write_pubkey
+#define pk_write_pubkey_der mbedtls_pk_write_pubkey_der
+#define pk_write_pubkey_pem mbedtls_pk_write_pubkey_pem
+#define pkcs11_context mbedtls_pkcs11_context
+#define pkcs11_decrypt mbedtls_pkcs11_decrypt
+#define pkcs11_priv_key_free mbedtls_pkcs11_priv_key_free
+#define pkcs11_priv_key_init mbedtls_pkcs11_priv_key_bind
+#define pkcs11_sign mbedtls_pkcs11_sign
+#define pkcs11_x509_cert_init mbedtls_pkcs11_x509_cert_bind
+#define pkcs12_derivation mbedtls_pkcs12_derivation
+#define pkcs12_pbe mbedtls_pkcs12_pbe
+#define pkcs12_pbe_sha1_rc4_128 mbedtls_pkcs12_pbe_sha1_rc4_128
+#define pkcs5_pbes2 mbedtls_pkcs5_pbes2
+#define pkcs5_pbkdf2_hmac mbedtls_pkcs5_pbkdf2_hmac
+#define pkcs5_self_test mbedtls_pkcs5_self_test
+#define platform_entropy_poll mbedtls_platform_entropy_poll
+#define platform_set_exit mbedtls_platform_set_exit
+#define platform_set_fprintf mbedtls_platform_set_fprintf
+#define platform_set_printf mbedtls_platform_set_printf
+#define platform_set_snprintf mbedtls_platform_set_snprintf
+#define polarssl_exit mbedtls_exit
+#define polarssl_fprintf mbedtls_fprintf
+#define polarssl_free mbedtls_free
+#define polarssl_mutex_free mbedtls_mutex_free
+#define polarssl_mutex_init mbedtls_mutex_init
+#define polarssl_mutex_lock mbedtls_mutex_lock
+#define polarssl_mutex_unlock mbedtls_mutex_unlock
+#define polarssl_printf mbedtls_printf
+#define polarssl_snprintf mbedtls_snprintf
+#define polarssl_strerror mbedtls_strerror
+#define ripemd160 mbedtls_ripemd160
+#define ripemd160_context mbedtls_ripemd160_context
+#define ripemd160_finish mbedtls_ripemd160_finish
+#define ripemd160_free mbedtls_ripemd160_free
+#define ripemd160_info mbedtls_ripemd160_info
+#define ripemd160_init mbedtls_ripemd160_init
+#define ripemd160_process mbedtls_ripemd160_process
+#define ripemd160_self_test mbedtls_ripemd160_self_test
+#define ripemd160_starts mbedtls_ripemd160_starts
+#define ripemd160_update mbedtls_ripemd160_update
+#define rsa_alt_context mbedtls_rsa_alt_context
+#define rsa_alt_info mbedtls_rsa_alt_info
+#define rsa_check_privkey mbedtls_rsa_check_privkey
+#define rsa_check_pub_priv mbedtls_rsa_check_pub_priv
+#define rsa_check_pubkey mbedtls_rsa_check_pubkey
+#define rsa_context mbedtls_rsa_context
+#define rsa_copy mbedtls_rsa_copy
+#define rsa_free mbedtls_rsa_free
+#define rsa_gen_key mbedtls_rsa_gen_key
+#define rsa_info mbedtls_rsa_info
+#define rsa_init mbedtls_rsa_init
+#define rsa_pkcs1_decrypt mbedtls_rsa_pkcs1_decrypt
+#define rsa_pkcs1_encrypt mbedtls_rsa_pkcs1_encrypt
+#define rsa_pkcs1_sign mbedtls_rsa_pkcs1_sign
+#define rsa_pkcs1_verify mbedtls_rsa_pkcs1_verify
+#define rsa_private mbedtls_rsa_private
+#define rsa_public mbedtls_rsa_public
+#define rsa_rsaes_oaep_decrypt mbedtls_rsa_rsaes_oaep_decrypt
+#define rsa_rsaes_oaep_encrypt mbedtls_rsa_rsaes_oaep_encrypt
+#define rsa_rsaes_pkcs1_v15_decrypt mbedtls_rsa_rsaes_pkcs1_v15_decrypt
+#define rsa_rsaes_pkcs1_v15_encrypt mbedtls_rsa_rsaes_pkcs1_v15_encrypt
+#define rsa_rsassa_pkcs1_v15_sign mbedtls_rsa_rsassa_pkcs1_v15_sign
+#define rsa_rsassa_pkcs1_v15_verify mbedtls_rsa_rsassa_pkcs1_v15_verify
+#define rsa_rsassa_pss_sign mbedtls_rsa_rsassa_pss_sign
+#define rsa_rsassa_pss_verify mbedtls_rsa_rsassa_pss_verify
+#define rsa_rsassa_pss_verify_ext mbedtls_rsa_rsassa_pss_verify_ext
+#define rsa_self_test mbedtls_rsa_self_test
+#define rsa_set_padding mbedtls_rsa_set_padding
+#define safer_memcmp mbedtls_ssl_safer_memcmp
+#define set_alarm mbedtls_set_alarm
+#define sha1 mbedtls_sha1
+#define sha1_context mbedtls_sha1_context
+#define sha1_finish mbedtls_sha1_finish
+#define sha1_free mbedtls_sha1_free
+#define sha1_info mbedtls_sha1_info
+#define sha1_init mbedtls_sha1_init
+#define sha1_process mbedtls_sha1_process
+#define sha1_self_test mbedtls_sha1_self_test
+#define sha1_starts mbedtls_sha1_starts
+#define sha1_update mbedtls_sha1_update
+#define sha224_info mbedtls_sha224_info
+#define sha256 mbedtls_sha256
+#define sha256_context mbedtls_sha256_context
+#define sha256_finish mbedtls_sha256_finish
+#define sha256_free mbedtls_sha256_free
+#define sha256_info mbedtls_sha256_info
+#define sha256_init mbedtls_sha256_init
+#define sha256_process mbedtls_sha256_process
+#define sha256_self_test mbedtls_sha256_self_test
+#define sha256_starts mbedtls_sha256_starts
+#define sha256_update mbedtls_sha256_update
+#define sha384_info mbedtls_sha384_info
+#define sha512 mbedtls_sha512
+#define sha512_context mbedtls_sha512_context
+#define sha512_finish mbedtls_sha512_finish
+#define sha512_free mbedtls_sha512_free
+#define sha512_info mbedtls_sha512_info
+#define sha512_init mbedtls_sha512_init
+#define sha512_process mbedtls_sha512_process
+#define sha512_self_test mbedtls_sha512_self_test
+#define sha512_starts mbedtls_sha512_starts
+#define sha512_update mbedtls_sha512_update
+#define source_state mbedtls_entropy_source_state
+#define ssl_cache_context mbedtls_ssl_cache_context
+#define ssl_cache_entry mbedtls_ssl_cache_entry
+#define ssl_cache_free mbedtls_ssl_cache_free
+#define ssl_cache_get mbedtls_ssl_cache_get
+#define ssl_cache_init mbedtls_ssl_cache_init
+#define ssl_cache_set mbedtls_ssl_cache_set
+#define ssl_cache_set_max_entries mbedtls_ssl_cache_set_max_entries
+#define ssl_cache_set_timeout mbedtls_ssl_cache_set_timeout
+#define ssl_check_cert_usage mbedtls_ssl_check_cert_usage
+#define ssl_ciphersuite_from_id mbedtls_ssl_ciphersuite_from_id
+#define ssl_ciphersuite_from_string mbedtls_ssl_ciphersuite_from_string
+#define ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t
+#define ssl_ciphersuite_uses_ec mbedtls_ssl_ciphersuite_uses_ec
+#define ssl_ciphersuite_uses_psk mbedtls_ssl_ciphersuite_uses_psk
+#define ssl_close_notify mbedtls_ssl_close_notify
+#define ssl_context mbedtls_ssl_context
+#define ssl_cookie_check mbedtls_ssl_cookie_check
+#define ssl_cookie_check_t mbedtls_ssl_cookie_check_t
+#define ssl_cookie_ctx mbedtls_ssl_cookie_ctx
+#define ssl_cookie_free mbedtls_ssl_cookie_free
+#define ssl_cookie_init mbedtls_ssl_cookie_init
+#define ssl_cookie_set_timeout mbedtls_ssl_cookie_set_timeout
+#define ssl_cookie_setup mbedtls_ssl_cookie_setup
+#define ssl_cookie_write mbedtls_ssl_cookie_write
+#define ssl_cookie_write_t mbedtls_ssl_cookie_write_t
+#define ssl_derive_keys mbedtls_ssl_derive_keys
+#define ssl_dtls_replay_check mbedtls_ssl_dtls_replay_check
+#define ssl_dtls_replay_update mbedtls_ssl_dtls_replay_update
+#define ssl_fetch_input mbedtls_ssl_fetch_input
+#define ssl_flight_item mbedtls_ssl_flight_item
+#define ssl_flush_output mbedtls_ssl_flush_output
+#define ssl_free mbedtls_ssl_free
+#define ssl_get_alpn_protocol mbedtls_ssl_get_alpn_protocol
+#define ssl_get_bytes_avail mbedtls_ssl_get_bytes_avail
+#define ssl_get_ciphersuite mbedtls_ssl_get_ciphersuite
+#define ssl_get_ciphersuite_id mbedtls_ssl_get_ciphersuite_id
+#define ssl_get_ciphersuite_name mbedtls_ssl_get_ciphersuite_name
+#define ssl_get_ciphersuite_sig_pk_alg mbedtls_ssl_get_ciphersuite_sig_pk_alg
+#define ssl_get_peer_cert mbedtls_ssl_get_peer_cert
+#define ssl_get_record_expansion mbedtls_ssl_get_record_expansion
+#define ssl_get_session mbedtls_ssl_get_session
+#define ssl_get_verify_result mbedtls_ssl_get_verify_result
+#define ssl_get_version mbedtls_ssl_get_version
+#define ssl_handshake mbedtls_ssl_handshake
+#define ssl_handshake_client_step mbedtls_ssl_handshake_client_step
+#define ssl_handshake_free mbedtls_ssl_handshake_free
+#define ssl_handshake_params mbedtls_ssl_handshake_params
+#define ssl_handshake_server_step mbedtls_ssl_handshake_server_step
+#define ssl_handshake_step mbedtls_ssl_handshake_step
+#define ssl_handshake_wrapup mbedtls_ssl_handshake_wrapup
+#define ssl_hdr_len mbedtls_ssl_hdr_len
+#define ssl_hs_hdr_len mbedtls_ssl_hs_hdr_len
+#define ssl_hw_record_activate mbedtls_ssl_hw_record_activate
+#define ssl_hw_record_finish mbedtls_ssl_hw_record_finish
+#define ssl_hw_record_init mbedtls_ssl_hw_record_init
+#define ssl_hw_record_read mbedtls_ssl_hw_record_read
+#define ssl_hw_record_reset mbedtls_ssl_hw_record_reset
+#define ssl_hw_record_write mbedtls_ssl_hw_record_write
+#define ssl_init mbedtls_ssl_init
+#define ssl_key_cert mbedtls_ssl_key_cert
+#define ssl_legacy_renegotiation mbedtls_ssl_conf_legacy_renegotiation
+#define ssl_list_ciphersuites mbedtls_ssl_list_ciphersuites
+#define ssl_md_alg_from_hash mbedtls_ssl_md_alg_from_hash
+#define ssl_optimize_checksum mbedtls_ssl_optimize_checksum
+#define ssl_own_cert mbedtls_ssl_own_cert
+#define ssl_own_key mbedtls_ssl_own_key
+#define ssl_parse_certificate mbedtls_ssl_parse_certificate
+#define ssl_parse_change_cipher_spec mbedtls_ssl_parse_change_cipher_spec
+#define ssl_parse_finished mbedtls_ssl_parse_finished
+#define ssl_pk_alg_from_sig mbedtls_ssl_pk_alg_from_sig
+#define ssl_pkcs11_decrypt mbedtls_ssl_pkcs11_decrypt
+#define ssl_pkcs11_key_len mbedtls_ssl_pkcs11_key_len
+#define ssl_pkcs11_sign mbedtls_ssl_pkcs11_sign
+#define ssl_psk_derive_premaster mbedtls_ssl_psk_derive_premaster
+#define ssl_read mbedtls_ssl_read
+#define ssl_read_record mbedtls_ssl_read_record
+#define ssl_read_version mbedtls_ssl_read_version
+#define ssl_recv_flight_completed mbedtls_ssl_recv_flight_completed
+#define ssl_renegotiate mbedtls_ssl_renegotiate
+#define ssl_resend mbedtls_ssl_resend
+#define ssl_reset_checksum mbedtls_ssl_reset_checksum
+#define ssl_send_alert_message mbedtls_ssl_send_alert_message
+#define ssl_send_fatal_handshake_failure mbedtls_ssl_send_fatal_handshake_failure
+#define ssl_send_flight_completed mbedtls_ssl_send_flight_completed
+#define ssl_session mbedtls_ssl_session
+#define ssl_session_free mbedtls_ssl_session_free
+#define ssl_session_init mbedtls_ssl_session_init
+#define ssl_session_reset mbedtls_ssl_session_reset
+#define ssl_set_alpn_protocols mbedtls_ssl_conf_alpn_protocols
+#define ssl_set_arc4_support mbedtls_ssl_conf_arc4_support
+#define ssl_set_authmode mbedtls_ssl_conf_authmode
+#define ssl_set_bio mbedtls_ssl_set_bio
+#define ssl_set_ca_chain mbedtls_ssl_conf_ca_chain
+#define ssl_set_cbc_record_splitting mbedtls_ssl_conf_cbc_record_splitting
+#define ssl_set_ciphersuites mbedtls_ssl_conf_ciphersuites
+#define ssl_set_ciphersuites_for_version mbedtls_ssl_conf_ciphersuites_for_version
+#define ssl_set_client_transport_id mbedtls_ssl_set_client_transport_id
+#define ssl_set_curves mbedtls_ssl_conf_curves
+#define ssl_set_dbg mbedtls_ssl_conf_dbg
+#define ssl_set_dh_param mbedtls_ssl_conf_dh_param
+#define ssl_set_dh_param_ctx mbedtls_ssl_conf_dh_param_ctx
+#define ssl_set_dtls_anti_replay mbedtls_ssl_conf_dtls_anti_replay
+#define ssl_set_dtls_badmac_limit mbedtls_ssl_conf_dtls_badmac_limit
+#define ssl_set_dtls_cookies mbedtls_ssl_conf_dtls_cookies
+#define ssl_set_encrypt_then_mac mbedtls_ssl_conf_encrypt_then_mac
+#define ssl_set_endpoint mbedtls_ssl_conf_endpoint
+#define ssl_set_extended_master_secret mbedtls_ssl_conf_extended_master_secret
+#define ssl_set_fallback mbedtls_ssl_conf_fallback
+#define ssl_set_handshake_timeout mbedtls_ssl_conf_handshake_timeout
+#define ssl_set_hostname mbedtls_ssl_set_hostname
+#define ssl_set_max_frag_len mbedtls_ssl_conf_max_frag_len
+#define ssl_set_max_version mbedtls_ssl_conf_max_version
+#define ssl_set_min_version mbedtls_ssl_conf_min_version
+#define ssl_set_own_cert mbedtls_ssl_conf_own_cert
+#define ssl_set_psk mbedtls_ssl_conf_psk
+#define ssl_set_psk_cb mbedtls_ssl_conf_psk_cb
+#define ssl_set_renegotiation mbedtls_ssl_conf_renegotiation
+#define ssl_set_renegotiation_enforced mbedtls_ssl_conf_renegotiation_enforced
+#define ssl_set_renegotiation_period mbedtls_ssl_conf_renegotiation_period
+#define ssl_set_rng mbedtls_ssl_conf_rng
+#define ssl_set_session mbedtls_ssl_set_session
+#define ssl_set_session_cache mbedtls_ssl_conf_session_cache
+#define ssl_set_session_tickets mbedtls_ssl_conf_session_tickets
+#define ssl_set_sni mbedtls_ssl_conf_sni
+#define ssl_set_transport mbedtls_ssl_conf_transport
+#define ssl_set_truncated_hmac mbedtls_ssl_conf_truncated_hmac
+#define ssl_set_verify mbedtls_ssl_conf_verify
+#define ssl_sig_from_pk mbedtls_ssl_sig_from_pk
+#define ssl_states mbedtls_ssl_states
+#define ssl_transform mbedtls_ssl_transform
+#define ssl_transform_free mbedtls_ssl_transform_free
+#define ssl_write mbedtls_ssl_write
+#define ssl_write_certificate mbedtls_ssl_write_certificate
+#define ssl_write_change_cipher_spec mbedtls_ssl_write_change_cipher_spec
+#define ssl_write_finished mbedtls_ssl_write_finished
+#define ssl_write_record mbedtls_ssl_write_record
+#define ssl_write_version mbedtls_ssl_write_version
+#define supported_ciphers mbedtls_cipher_supported
+#define t_sint mbedtls_mpi_sint
+#define t_udbl mbedtls_t_udbl
+#define t_uint mbedtls_mpi_uint
+#define test_ca_crt mbedtls_test_ca_crt
+#define test_ca_crt_ec mbedtls_test_ca_crt_ec
+#define test_ca_crt_rsa mbedtls_test_ca_crt_rsa
+#define test_ca_key mbedtls_test_ca_key
+#define test_ca_key_ec mbedtls_test_ca_key_ec
+#define test_ca_key_rsa mbedtls_test_ca_key_rsa
+#define test_ca_list mbedtls_test_cas_pem
+#define test_ca_pwd mbedtls_test_ca_pwd
+#define test_ca_pwd_ec mbedtls_test_ca_pwd_ec
+#define test_ca_pwd_rsa mbedtls_test_ca_pwd_rsa
+#define test_cli_crt mbedtls_test_cli_crt
+#define test_cli_crt_ec mbedtls_test_cli_crt_ec
+#define test_cli_crt_rsa mbedtls_test_cli_crt_rsa
+#define test_cli_key mbedtls_test_cli_key
+#define test_cli_key_ec mbedtls_test_cli_key_ec
+#define test_cli_key_rsa mbedtls_test_cli_key_rsa
+#define test_srv_crt mbedtls_test_srv_crt
+#define test_srv_crt_ec mbedtls_test_srv_crt_ec
+#define test_srv_crt_rsa mbedtls_test_srv_crt_rsa
+#define test_srv_key mbedtls_test_srv_key
+#define test_srv_key_ec mbedtls_test_srv_key_ec
+#define test_srv_key_rsa mbedtls_test_srv_key_rsa
+#define threading_mutex_t mbedtls_threading_mutex_t
+#define threading_set_alt mbedtls_threading_set_alt
+#define timing_self_test mbedtls_timing_self_test
+#define version_check_feature mbedtls_version_check_feature
+#define version_get_number mbedtls_version_get_number
+#define version_get_string mbedtls_version_get_string
+#define version_get_string_full mbedtls_version_get_string_full
+#define x509_bitstring mbedtls_x509_bitstring
+#define x509_buf mbedtls_x509_buf
+#define x509_crl mbedtls_x509_crl
+#define x509_crl_entry mbedtls_x509_crl_entry
+#define x509_crl_free mbedtls_x509_crl_free
+#define x509_crl_info mbedtls_x509_crl_info
+#define x509_crl_init mbedtls_x509_crl_init
+#define x509_crl_parse mbedtls_x509_crl_parse
+#define x509_crl_parse_der mbedtls_x509_crl_parse_der
+#define x509_crl_parse_file mbedtls_x509_crl_parse_file
+#define x509_crt mbedtls_x509_crt
+#define x509_crt_check_extended_key_usage mbedtls_x509_crt_check_extended_key_usage
+#define x509_crt_check_key_usage mbedtls_x509_crt_check_key_usage
+#define x509_crt_free mbedtls_x509_crt_free
+#define x509_crt_info mbedtls_x509_crt_info
+#define x509_crt_init mbedtls_x509_crt_init
+#define x509_crt_parse mbedtls_x509_crt_parse
+#define x509_crt_parse_der mbedtls_x509_crt_parse_der
+#define x509_crt_parse_file mbedtls_x509_crt_parse_file
+#define x509_crt_parse_path mbedtls_x509_crt_parse_path
+#define x509_crt_revoked mbedtls_x509_crt_is_revoked
+#define x509_crt_verify mbedtls_x509_crt_verify
+#define x509_csr mbedtls_x509_csr
+#define x509_csr_free mbedtls_x509_csr_free
+#define x509_csr_info mbedtls_x509_csr_info
+#define x509_csr_init mbedtls_x509_csr_init
+#define x509_csr_parse mbedtls_x509_csr_parse
+#define x509_csr_parse_der mbedtls_x509_csr_parse_der
+#define x509_csr_parse_file mbedtls_x509_csr_parse_file
+#define x509_dn_gets mbedtls_x509_dn_gets
+#define x509_get_alg mbedtls_x509_get_alg
+#define x509_get_alg_null mbedtls_x509_get_alg_null
+#define x509_get_ext mbedtls_x509_get_ext
+#define x509_get_name mbedtls_x509_get_name
+#define x509_get_rsassa_pss_params mbedtls_x509_get_rsassa_pss_params
+#define x509_get_serial mbedtls_x509_get_serial
+#define x509_get_sig mbedtls_x509_get_sig
+#define x509_get_sig_alg mbedtls_x509_get_sig_alg
+#define x509_get_time mbedtls_x509_get_time
+#define x509_key_size_helper mbedtls_x509_key_size_helper
+#define x509_name mbedtls_x509_name
+#define x509_self_test mbedtls_x509_self_test
+#define x509_sequence mbedtls_x509_sequence
+#define x509_serial_gets mbedtls_x509_serial_gets
+#define x509_set_extension mbedtls_x509_set_extension
+#define x509_sig_alg_gets mbedtls_x509_sig_alg_gets
+#define x509_string_to_names mbedtls_x509_string_to_names
+#define x509_time mbedtls_x509_time
+#define x509_time_expired mbedtls_x509_time_is_past
+#define x509_time_future mbedtls_x509_time_is_future
+#define x509_write_extensions mbedtls_x509_write_extensions
+#define x509_write_names mbedtls_x509_write_names
+#define x509_write_sig mbedtls_x509_write_sig
+#define x509write_cert mbedtls_x509write_cert
+#define x509write_crt_der mbedtls_x509write_crt_der
+#define x509write_crt_free mbedtls_x509write_crt_free
+#define x509write_crt_init mbedtls_x509write_crt_init
+#define x509write_crt_pem mbedtls_x509write_crt_pem
+#define x509write_crt_set_authority_key_identifier mbedtls_x509write_crt_set_authority_key_identifier
+#define x509write_crt_set_basic_constraints mbedtls_x509write_crt_set_basic_constraints
+#define x509write_crt_set_extension mbedtls_x509write_crt_set_extension
+#define x509write_crt_set_issuer_key mbedtls_x509write_crt_set_issuer_key
+#define x509write_crt_set_issuer_name mbedtls_x509write_crt_set_issuer_name
+#define x509write_crt_set_key_usage mbedtls_x509write_crt_set_key_usage
+#define x509write_crt_set_md_alg mbedtls_x509write_crt_set_md_alg
+#define x509write_crt_set_ns_cert_type mbedtls_x509write_crt_set_ns_cert_type
+#define x509write_crt_set_serial mbedtls_x509write_crt_set_serial
+#define x509write_crt_set_subject_key mbedtls_x509write_crt_set_subject_key
+#define x509write_crt_set_subject_key_identifier mbedtls_x509write_crt_set_subject_key_identifier
+#define x509write_crt_set_subject_name mbedtls_x509write_crt_set_subject_name
+#define x509write_crt_set_validity mbedtls_x509write_crt_set_validity
+#define x509write_crt_set_version mbedtls_x509write_crt_set_version
+#define x509write_csr mbedtls_x509write_csr
+#define x509write_csr_der mbedtls_x509write_csr_der
+#define x509write_csr_free mbedtls_x509write_csr_free
+#define x509write_csr_init mbedtls_x509write_csr_init
+#define x509write_csr_pem mbedtls_x509write_csr_pem
+#define x509write_csr_set_extension mbedtls_x509write_csr_set_extension
+#define x509write_csr_set_key mbedtls_x509write_csr_set_key
+#define x509write_csr_set_key_usage mbedtls_x509write_csr_set_key_usage
+#define x509write_csr_set_md_alg mbedtls_x509write_csr_set_md_alg
+#define x509write_csr_set_ns_cert_type mbedtls_x509write_csr_set_ns_cert_type
+#define x509write_csr_set_subject_name mbedtls_x509write_csr_set_subject_name
+#define xtea_context mbedtls_xtea_context
+#define xtea_crypt_cbc mbedtls_xtea_crypt_cbc
+#define xtea_crypt_ecb mbedtls_xtea_crypt_ecb
+#define xtea_free mbedtls_xtea_free
+#define xtea_init mbedtls_xtea_init
+#define xtea_self_test mbedtls_xtea_self_test
+#define xtea_setup mbedtls_xtea_setup
+
+#endif /* compat-1.3.h */
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/config.h b/third-party/mbedtls-3.6/include/mbedtls/config.h
new file mode 100644
index 00000000..a1b2d77f
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/config.h
@@ -0,0 +1,2976 @@
+/**
+ * \file config.h
+ *
+ * \brief Configuration options (set of defines)
+ *
+ *  This set of compile-time options may be used to enable
+ *  or disable features selectively, and reduce the global
+ *  memory footprint.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+/**
+ * \name SECTION: System support
+ *
+ * This section sets system specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_HAVE_ASM
+ *
+ * The compiler has support for asm().
+ *
+ * Requires support for asm() in compiler.
+ *
+ * Used in:
+ *      library/timing.c
+ *      library/padlock.c
+ *      include/mbedtls/bn_mul.h
+ *
+ * Comment to disable the use of assembly code.
+ */
+#define MBEDTLS_HAVE_ASM
+
+/**
+ * \def MBEDTLS_NO_UDBL_DIVISION
+ *
+ * The platform lacks support for double-width integer division (64-bit
+ * division on a 32-bit platform, 128-bit division on a 64-bit platform).
+ *
+ * Used in:
+ *      include/mbedtls/bignum.h
+ *      library/bignum.c
+ *
+ * The bignum code uses double-width division to speed up some operations.
+ * Double-width division is often implemented in software that needs to
+ * be linked with the program. The presence of a double-width integer
+ * type is usually detected automatically through preprocessor macros,
+ * but the automatic detection cannot know whether the code needs to
+ * and can be linked with an implementation of division for that type.
+ * By default division is assumed to be usable if the type is present.
+ * Uncomment this option to prevent the use of double-width division.
+ *
+ * Note that division for the native integer type is always required.
+ * Furthermore, a 64-bit type is always required even on a 32-bit
+ * platform, but it need not support multiplication or division. In some
+ * cases it is also desirable to disable some double-width operations. For
+ * example, if double-width division is implemented in software, disabling
+ * it can reduce code size in some embedded targets.
+ */
+//#define MBEDTLS_NO_UDBL_DIVISION
+
+/**
+ * \def MBEDTLS_HAVE_SSE2
+ *
+ * CPU supports SSE2 instruction set.
+ *
+ * Uncomment if the CPU supports SSE2 (IA-32 specific).
+ */
+//#define MBEDTLS_HAVE_SSE2
+
+/**
+ * \def MBEDTLS_HAVE_TIME
+ *
+ * System has time.h and time().
+ * The time does not need to be correct, only time differences are used,
+ * by contrast with MBEDTLS_HAVE_TIME_DATE
+ *
+ * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
+ * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
+ * MBEDTLS_PLATFORM_STD_TIME.
+ *
+ * Comment if your system does not support time functions
+ */
+// #define MBEDTLS_HAVE_TIME
+
+/**
+ * \def MBEDTLS_HAVE_TIME_DATE
+ *
+ * System has time.h and time(), gmtime() and the clock is correct.
+ * The time needs to be correct (not necessarily very accurate, but at least
+ * the date should be correct). This is used to verify the validity period of
+ * X.509 certificates.
+ *
+ * Comment if your system does not have a correct clock.
+ */
+// #define MBEDTLS_HAVE_TIME_DATE
+
+/**
+ * \def MBEDTLS_PLATFORM_MEMORY
+ *
+ * Enable the memory allocation layer.
+ *
+ * By default mbed TLS uses the system-provided calloc() and free().
+ * This allows different allocators (self-implemented or provided) to be
+ * provided to the platform abstraction layer.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY without the
+ * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
+ * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
+ * free() function pointer at runtime.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
+ * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
+ * alternate function at compile time.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Enable this layer to allow use of alternative memory allocators.
+ */
+//#define MBEDTLS_PLATFORM_MEMORY
+
+/**
+ * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+ *
+ * Do not assign standard functions in the platform layer (e.g. calloc() to
+ * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
+ *
+ * This makes sure there are no linking errors on platforms that do not support
+ * these functions. You will HAVE to provide alternatives, either at runtime
+ * via the platform_set_xxx() functions or at compile time by setting
+ * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a
+ * MBEDTLS_PLATFORM_XXX_MACRO.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Uncomment to prevent default assignment of standard functions in the
+ * platform layer.
+ */
+//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+
+/**
+ * \def MBEDTLS_PLATFORM_EXIT_ALT
+ *
+ * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the
+ * function in the platform abstraction layer.
+ *
+ * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will
+ * provide a function "mbedtls_platform_set_printf()" that allows you to set an
+ * alternative printf function pointer.
+ *
+ * All these define require MBEDTLS_PLATFORM_C to be defined!
+ *
+ * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows;
+ * it will be enabled automatically by check_config.h
+ *
+ * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
+ * MBEDTLS_PLATFORM_XXX_MACRO!
+ *
+ * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
+ *
+ * Uncomment a macro to enable alternate implementation of specific base
+ * platform function
+ */
+//#define MBEDTLS_PLATFORM_EXIT_ALT
+//#define MBEDTLS_PLATFORM_TIME_ALT
+//#define MBEDTLS_PLATFORM_FPRINTF_ALT
+//#define MBEDTLS_PLATFORM_PRINTF_ALT
+//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
+//#define MBEDTLS_PLATFORM_NV_SEED_ALT
+//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
+
+/**
+ * \def MBEDTLS_DEPRECATED_WARNING
+ *
+ * Mark deprecated functions so that they generate a warning if used.
+ * Functions deprecated in one version will usually be removed in the next
+ * version. You can enable this to help you prepare the transition to a new
+ * major version by making sure your code is not using these functions.
+ *
+ * This only works with GCC and Clang. With other compilers, you may want to
+ * use MBEDTLS_DEPRECATED_REMOVED
+ *
+ * Uncomment to get warnings on using deprecated functions.
+ */
+//#define MBEDTLS_DEPRECATED_WARNING
+
+/**
+ * \def MBEDTLS_DEPRECATED_REMOVED
+ *
+ * Remove deprecated functions so that they generate an error if used.
+ * Functions deprecated in one version will usually be removed in the next
+ * version. You can enable this to help you prepare the transition to a new
+ * major version by making sure your code is not using these functions.
+ *
+ * Uncomment to get errors on using deprecated functions.
+ */
+//#define MBEDTLS_DEPRECATED_REMOVED
+
+/* \} name SECTION: System support */
+
+/**
+ * \name SECTION: mbed TLS feature support
+ *
+ * This section sets support for features that are or are not needed
+ * within the modules that are enabled.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_TIMING_ALT
+ *
+ * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(),
+ * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay()
+ *
+ * Only works if you have MBEDTLS_TIMING_C enabled.
+ *
+ * You will need to provide a header "timing_alt.h" and an implementation at
+ * compile time.
+ */
+//#define MBEDTLS_TIMING_ALT
+
+/**
+ * \def MBEDTLS_AES_ALT
+ *
+ * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your
+ * alternate core implementation of a symmetric crypto, an arithmetic or hash
+ * module (e.g. platform specific assembly optimized implementations). Keep
+ * in mind that the function prototypes should remain the same.
+ *
+ * This replaces the whole module. If you only want to replace one of the
+ * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
+ *
+ * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer
+ * provide the "struct mbedtls_aes_context" definition and omit the base
+ * function declarations and implementations. "aes_alt.h" will be included from
+ * "aes.h" to include the new function definitions.
+ *
+ * Uncomment a macro to enable alternate implementation of the corresponding
+ * module.
+ *
+ * \warning   MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their
+ *            use constitutes a security risk. If possible, we recommend
+ *            avoiding dependencies on them, and considering stronger message
+ *            digests and ciphers instead.
+ *
+ */
+//#define MBEDTLS_AES_ALT
+//#define MBEDTLS_ARC4_ALT
+//#define MBEDTLS_BLOWFISH_ALT
+//#define MBEDTLS_CAMELLIA_ALT
+//#define MBEDTLS_CCM_ALT
+//#define MBEDTLS_CMAC_ALT
+//#define MBEDTLS_DES_ALT
+//#define MBEDTLS_DHM_ALT
+//#define MBEDTLS_ECJPAKE_ALT
+//#define MBEDTLS_GCM_ALT
+//#define MBEDTLS_MD2_ALT
+//#define MBEDTLS_MD4_ALT
+//#define MBEDTLS_MD5_ALT
+//#define MBEDTLS_RIPEMD160_ALT
+//#define MBEDTLS_RSA_ALT
+//#define MBEDTLS_SHA1_ALT
+//#define MBEDTLS_SHA256_ALT
+//#define MBEDTLS_SHA512_ALT
+//#define MBEDTLS_XTEA_ALT
+/*
+ * When replacing the elliptic curve module, pleace consider, that it is
+ * implemented with two .c files:
+ *      - ecp.c
+ *      - ecp_curves.c
+ * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT
+ * macros as described above. The only difference is that you have to make sure
+ * that you provide functionality for both .c files.
+ */
+//#define MBEDTLS_ECP_ALT
+
+/**
+ * \def MBEDTLS_MD2_PROCESS_ALT
+ *
+ * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
+ * alternate core implementation of symmetric crypto or hash function. Keep in
+ * mind that function prototypes should remain the same.
+ *
+ * This replaces only one function. The header file from mbed TLS is still
+ * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
+ *
+ * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
+ * no longer provide the mbedtls_sha1_process() function, but it will still provide
+ * the other function (using your mbedtls_sha1_process() function) and the definition
+ * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
+ * with this definition.
+ *
+ * \note Because of a signature change, the core AES encryption and decryption routines are
+ *       currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
+ *       respectively. When setting up alternative implementations, these functions should
+ *       be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
+ *       must stay untouched.
+ *
+ * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
+ *       MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
+ *       tables.
+ *
+ * Uncomment a macro to enable alternate implementation of the corresponding
+ * function.
+ *
+ * \warning   MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
+ *            constitutes a security risk. If possible, we recommend avoiding
+ *            dependencies on them, and considering stronger message digests
+ *            and ciphers instead.
+ *
+ * \warning   If both MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_DETERMINISTIC are
+ *            enabled, then the deterministic ECDH signature functions pass the
+ *            the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign(). Therefore
+ *            alternative implementations should use the RNG only for generating
+ *            the ephemeral key and nothing else. If this is not possible, then
+ *            MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative
+ *            implementation should be provided for mbedtls_ecdsa_sign_det_ext()
+ *            (and for mbedtls_ecdsa_sign_det() too if backward compatibility is
+ *            desirable).
+ *
+ */
+//#define MBEDTLS_MD2_PROCESS_ALT
+//#define MBEDTLS_MD4_PROCESS_ALT
+//#define MBEDTLS_MD5_PROCESS_ALT
+//#define MBEDTLS_RIPEMD160_PROCESS_ALT
+//#define MBEDTLS_SHA1_PROCESS_ALT
+//#define MBEDTLS_SHA256_PROCESS_ALT
+//#define MBEDTLS_SHA512_PROCESS_ALT
+//#define MBEDTLS_DES_SETKEY_ALT
+//#define MBEDTLS_DES_CRYPT_ECB_ALT
+//#define MBEDTLS_DES3_CRYPT_ECB_ALT
+//#define MBEDTLS_AES_SETKEY_ENC_ALT
+//#define MBEDTLS_AES_SETKEY_DEC_ALT
+//#define MBEDTLS_AES_ENCRYPT_ALT
+//#define MBEDTLS_AES_DECRYPT_ALT
+//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
+//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
+//#define MBEDTLS_ECDSA_VERIFY_ALT
+//#define MBEDTLS_ECDSA_SIGN_ALT
+//#define MBEDTLS_ECDSA_GENKEY_ALT
+
+/**
+ * \def MBEDTLS_ECP_INTERNAL_ALT
+ *
+ * Expose a part of the internal interface of the Elliptic Curve Point module.
+ *
+ * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your
+ * alternative core implementation of elliptic curve arithmetic. Keep in mind
+ * that function prototypes should remain the same.
+ *
+ * This partially replaces one function. The header file from mbed TLS is still
+ * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation
+ * is still present and it is used for group structures not supported by the
+ * alternative.
+ *
+ * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
+ * and implementing the following functions:
+ *      unsigned char mbedtls_internal_ecp_grp_capable(
+ *          const mbedtls_ecp_group *grp )
+ *      int  mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
+ *      void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
+ * The mbedtls_internal_ecp_grp_capable function should return 1 if the
+ * replacement functions implement arithmetic for the given group and 0
+ * otherwise.
+ * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
+ * called before and after each point operation and provide an opportunity to
+ * implement optimized set up and tear down instructions.
+ *
+ * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and
+ * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac
+ * function, but will use your mbedtls_internal_ecp_double_jac if the group is
+ * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when
+ * receives it as an argument). If the group is not supported then the original
+ * implementation is used. The other functions and the definition of
+ * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your
+ * implementation of mbedtls_internal_ecp_double_jac and
+ * mbedtls_internal_ecp_grp_capable must be compatible with this definition.
+ *
+ * Uncomment a macro to enable alternate implementation of the corresponding
+ * function.
+ */
+/* Required for all the functions in this section */
+//#define MBEDTLS_ECP_INTERNAL_ALT
+/* Support for Weierstrass curves with Jacobi representation */
+//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
+//#define MBEDTLS_ECP_ADD_MIXED_ALT
+//#define MBEDTLS_ECP_DOUBLE_JAC_ALT
+//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
+//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
+/* Support for curves with Montgomery arithmetic */
+//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
+//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
+//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
+
+/**
+ * \def MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
+ *
+ * Enable testing of the constant-flow nature of some sensitive functions with
+ * clang's MemorySanitizer. This causes some existing tests to also test
+ * this non-functional property of the code under test.
+ *
+ * This setting requires compiling with clang -fsanitize=memory. The test
+ * suites can then be run normally.
+ *
+ * \warning This macro is only used for extended testing; it is not considered
+ * part of the library's API, so it may change or disappear at any time.
+ *
+ * Uncomment to enable testing of the constant-flow nature of selected code.
+ */
+//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
+
+/**
+ * \def MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
+ *
+ * Enable testing of the constant-flow nature of some sensitive functions with
+ * valgrind's memcheck tool. This causes some existing tests to also test
+ * this non-functional property of the code under test.
+ *
+ * This setting requires valgrind headers for building, and is only useful for
+ * testing if the tests suites are run with valgrind's memcheck. This can be
+ * done for an individual test suite with 'valgrind ./test_suite_xxx', or when
+ * using CMake, this can be done for all test suites with 'make memcheck'.
+ *
+ * \warning This macro is only used for extended testing; it is not considered
+ * part of the library's API, so it may change or disappear at any time.
+ *
+ * Uncomment to enable testing of the constant-flow nature of selected code.
+ */
+//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
+
+/**
+ * \def MBEDTLS_TEST_NULL_ENTROPY
+ *
+ * Enables testing and use of mbed TLS without any configured entropy sources.
+ * This permits use of the library on platforms before an entropy source has
+ * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
+ * MBEDTLS_ENTROPY_NV_SEED switches).
+ *
+ * WARNING! This switch MUST be disabled in production builds, and is suitable
+ * only for development.
+ * Enabling the switch negates any security provided by the library.
+ *
+ * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+ *
+ */
+//#define MBEDTLS_TEST_NULL_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_HARDWARE_ALT
+ *
+ * Uncomment this macro to let mbed TLS use your own implementation of a
+ * hardware entropy collector.
+ *
+ * Your function must be called \c mbedtls_hardware_poll(), have the same
+ * prototype as declared in entropy_poll.h, and accept NULL as first argument.
+ *
+ * Uncomment to use your own hardware entropy collector.
+ */
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
+
+/**
+ * \def MBEDTLS_AES_ROM_TABLES
+ *
+ * Store the AES tables in ROM.
+ *
+ * Uncomment this macro to store the AES tables in ROM.
+ */
+#define MBEDTLS_AES_ROM_TABLES
+
+/**
+ * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
+ *
+ * Use less ROM for the Camellia implementation (saves about 768 bytes).
+ *
+ * Uncomment this macro to use less memory for Camellia.
+ */
+//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_CBC
+ *
+ * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_CBC
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_CFB
+ *
+ * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_CFB
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_CTR
+ *
+ * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_CTR
+
+/**
+ * \def MBEDTLS_CIPHER_NULL_CIPHER
+ *
+ * Enable NULL cipher.
+ * Warning: Only do so when you know what you are doing. This allows for
+ * encryption or channels without any security!
+ *
+ * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
+ * the following ciphersuites:
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
+ *      MBEDTLS_TLS_RSA_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_RSA_WITH_NULL_MD5
+ *      MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
+ *      MBEDTLS_TLS_PSK_WITH_NULL_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_NULL_SHA
+ *
+ * Uncomment this macro to enable the NULL cipher and ciphersuites
+ */
+//#define MBEDTLS_CIPHER_NULL_CIPHER
+
+/**
+ * \def MBEDTLS_CIPHER_PADDING_PKCS7
+ *
+ * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
+ * specific padding modes in the cipher layer with cipher modes that support
+ * padding (e.g. CBC)
+ *
+ * If you disable all padding modes, only full blocks can be used with CBC.
+ *
+ * Enable padding modes in the cipher layer.
+ */
+#define MBEDTLS_CIPHER_PADDING_PKCS7
+#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
+#define MBEDTLS_CIPHER_PADDING_ZEROS
+
+/**
+ * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+ *
+ * Enable weak ciphersuites in SSL / TLS.
+ * Warning: Only do so when you know what you are doing. This allows for
+ * channels with virtually no security at all!
+ *
+ * This enables the following ciphersuites:
+ *      MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
+ *
+ * Uncomment this macro to enable weak ciphersuites
+ *
+ * \warning   DES is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers instead.
+ */
+//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+
+/**
+ * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+ *
+ * Remove RC4 ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on RC4 from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
+ * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
+ * explicitly.
+ *
+ * Uncomment this macro to remove RC4 ciphersuites by default.
+ */
+#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+
+/**
+ * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
+ *
+ * Remove 3DES ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on 3DES from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
+ * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
+ * them explicitly.
+ *
+ * A man-in-the-browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
+ * Comment this macro to keep 3DES in the default ciphersuite list.
+ */
+#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
+
+/**
+ * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ *
+ * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
+ * module.  By default all supported curves are enabled.
+ *
+ * Comment macros to disable the curve and functions for it
+ */
+#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+
+/**
+ * \def MBEDTLS_ECP_NIST_OPTIM
+ *
+ * Enable specific 'modulo p' routines for each NIST prime.
+ * Depending on the prime and architecture, makes operations 4 to 8 times
+ * faster on the corresponding curve.
+ *
+ * Comment this macro to disable NIST curves optimisation.
+ */
+#define MBEDTLS_ECP_NIST_OPTIM
+
+/**
+ * \def MBEDTLS_ECP_NO_INTERNAL_RNG
+ *
+ * When this option is disabled, mbedtls_ecp_mul() will make use of an
+ * internal RNG when called with a NULL \c f_rng argument, in order to protect
+ * against some side-channel attacks.
+ *
+ * This protection introduces a dependency of the ECP module on one of the
+ * DRBG or SHA modules (HMAC-DRBG, CTR-DRBG, SHA-512 or SHA-256.) For very
+ * constrained applications that don't require this protection (for example,
+ * because you're only doing signature verification, so not manipulating any
+ * secret, or because local/physical side-channel attacks are outside your
+ * threat model), it might be desirable to get rid of that dependency.
+ *
+ * \warning Enabling this option makes some uses of ECP vulnerable to some
+ * side-channel attacks. Only enable it if you know that's not a problem for
+ * your use case.
+ *
+ * Uncomment this macro to disable some counter-measures in ECP.
+ */
+//#define MBEDTLS_ECP_NO_INTERNAL_RNG
+
+/**
+ * \def MBEDTLS_ECDSA_DETERMINISTIC
+ *
+ * Enable deterministic ECDSA (RFC 6979).
+ * Standard ECDSA is "fragile" in the sense that lack of entropy when signing
+ * may result in a compromise of the long-term signing key. This is avoided by
+ * the deterministic variant.
+ *
+ * Requires: MBEDTLS_HMAC_DRBG_C
+ *
+ * Comment this macro to disable deterministic ECDSA.
+ */
+#define MBEDTLS_ECDSA_DETERMINISTIC
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+ *
+ * Enable the PSK based ciphersuite modes in SSL / TLS.
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+ *
+ * Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_DHM_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+ *
+ * \warning    Using DHE constitutes a security risk as it
+ *             is not possible to validate custom DH parameters.
+ *             If possible, it is recommended users should consider
+ *             preferring other methods of key exchange.
+ *             See dhm.h for more details.
+ *
+ */
+#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+ *
+ * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+ *
+ * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ *           MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+ *
+ * Enable the RSA-only based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ *           MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
+ */
+#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+ *
+ * Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ *           MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *
+ * \warning    Using DHE constitutes a security risk as it
+ *             is not possible to validate custom DH parameters.
+ *             If possible, it is recommended users should consider
+ *             preferring other methods of key exchange.
+ *             See dhm.h for more details.
+ *
+ */
+#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+ *
+ * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ *           MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+ *
+ * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+ *
+ * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+ *
+ * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+ *
+ * Enable the ECJPAKE based ciphersuite modes in SSL / TLS.
+ *
+ * \warning This is currently experimental. EC J-PAKE support is based on the
+ * Thread v1.0.0 specification; incompatible changes to the specification
+ * might still happen. For this reason, this is disabled by default.
+ *
+ * Requires: MBEDTLS_ECJPAKE_C
+ *           MBEDTLS_SHA256_C
+ *           MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
+ */
+//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+
+/**
+ * \def MBEDTLS_PK_PARSE_EC_EXTENDED
+ *
+ * Enhance support for reading EC keys using variants of SEC1 not allowed by
+ * RFC 5915 and RFC 5480.
+ *
+ * Currently this means parsing the SpecifiedECDomain choice of EC
+ * parameters (only known groups are supported, not arbitrary domains, to
+ * avoid validation issues).
+ *
+ * Disable if you only need to support RFC 5915 + 5480 key formats.
+ */
+#define MBEDTLS_PK_PARSE_EC_EXTENDED
+
+/**
+ * \def MBEDTLS_ERROR_STRERROR_DUMMY
+ *
+ * Enable a dummy error function to make use of mbedtls_strerror() in
+ * third party libraries easier when MBEDTLS_ERROR_C is disabled
+ * (no effect when MBEDTLS_ERROR_C is enabled).
+ *
+ * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
+ * not using mbedtls_strerror() or error_strerror() in your application.
+ *
+ * Disable if you run into name conflicts and want to really remove the
+ * mbedtls_strerror()
+ */
+#define MBEDTLS_ERROR_STRERROR_DUMMY
+
+/**
+ * \def MBEDTLS_GENPRIME
+ *
+ * Enable the prime-number generation code.
+ *
+ * Requires: MBEDTLS_BIGNUM_C
+ */
+#define MBEDTLS_GENPRIME
+
+/**
+ * \def MBEDTLS_FS_IO
+ *
+ * Enable functions that use the filesystem.
+ */
+// #define MBEDTLS_FS_IO
+
+/**
+ * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+ *
+ * Do not add default entropy sources. These are the platform specific,
+ * mbedtls_timing_hardclock and HAVEGE based poll functions.
+ *
+ * This is useful to have more control over the added entropy sources in an
+ * application.
+ *
+ * Uncomment this macro to prevent loading of default entropy functions.
+ */
+#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+
+/**
+ * \def MBEDTLS_NO_PLATFORM_ENTROPY
+ *
+ * Do not use built-in platform entropy functions.
+ * This is useful if your platform does not support
+ * standards like the /dev/urandom or Windows CryptoAPI.
+ *
+ * Uncomment this macro to disable the built-in platform entropy functions.
+ */
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_FORCE_SHA256
+ *
+ * Force the entropy accumulator to use a SHA-256 accumulator instead of the
+ * default SHA-512 based one (if both are available).
+ *
+ * Requires: MBEDTLS_SHA256_C
+ *
+ * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
+ * if you have performance concerns.
+ *
+ * This option is only useful if both MBEDTLS_SHA256_C and
+ * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
+ */
+#define MBEDTLS_ENTROPY_FORCE_SHA256
+
+/**
+ * \def MBEDTLS_ENTROPY_NV_SEED
+ *
+ * Enable the non-volatile (NV) seed file-based entropy source.
+ * (Also enables the NV seed read/write functions in the platform layer)
+ *
+ * This is crucial (if not required) on systems that do not have a
+ * cryptographic entropy source (in hardware or kernel) available.
+ *
+ * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
+ *
+ * \note The read/write functions that are used by the entropy source are
+ *       determined in the platform layer, and can be modified at runtime and/or
+ *       compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
+ *
+ * \note If you use the default implementation functions that read a seedfile
+ *       with regular fopen(), please make sure you make a seedfile with the
+ *       proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
+ *       least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
+ *       and written to or you will get an entropy source error! The default
+ *       implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
+ *       bytes from the file.
+ *
+ * \note The entropy collector will write to the seed file before entropy is
+ *       given to an external source, to update it.
+ */
+//#define MBEDTLS_ENTROPY_NV_SEED
+
+/**
+ * \def MBEDTLS_MEMORY_DEBUG
+ *
+ * Enable debugging of buffer allocator memory issues. Automatically prints
+ * (to stderr) all (fatal) messages on memory allocation issues. Enables
+ * function for 'debug output' of allocated memory.
+ *
+ * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Uncomment this macro to let the buffer allocator print out error messages.
+ */
+//#define MBEDTLS_MEMORY_DEBUG
+
+/**
+ * \def MBEDTLS_MEMORY_BACKTRACE
+ *
+ * Include backtrace information with each allocated block.
+ *
+ * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *           GLIBC-compatible backtrace() an backtrace_symbols() support
+ *
+ * Uncomment this macro to include backtrace information
+ */
+//#define MBEDTLS_MEMORY_BACKTRACE
+
+/**
+ * \def MBEDTLS_PK_RSA_ALT_SUPPORT
+ *
+ * Support external private RSA keys (eg from a HSM) in the PK layer.
+ *
+ * Comment this macro to disable support for external private RSA keys.
+ */
+#define MBEDTLS_PK_RSA_ALT_SUPPORT
+
+/**
+ * \def MBEDTLS_PKCS1_V15
+ *
+ * Enable support for PKCS#1 v1.5 encoding.
+ *
+ * Requires: MBEDTLS_RSA_C
+ *
+ * This enables support for PKCS#1 v1.5 operations.
+ */
+#define MBEDTLS_PKCS1_V15
+
+/**
+ * \def MBEDTLS_PKCS1_V21
+ *
+ * Enable support for PKCS#1 v2.1 encoding.
+ *
+ * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C
+ *
+ * This enables support for RSAES-OAEP and RSASSA-PSS operations.
+ */
+#define MBEDTLS_PKCS1_V21
+
+/**
+ * \def MBEDTLS_RSA_NO_CRT
+ *
+ * Do not use the Chinese Remainder Theorem
+ * for the RSA private operation.
+ *
+ * Uncomment this macro to disable the use of CRT in RSA.
+ *
+ */
+//#define MBEDTLS_RSA_NO_CRT
+
+/**
+ * \def MBEDTLS_SELF_TEST
+ *
+ * Enable the checkup functions (*_self_test).
+ */
+#define MBEDTLS_SELF_TEST
+
+/**
+ * \def MBEDTLS_SHA256_SMALLER
+ *
+ * Enable an implementation of SHA-256 that has lower ROM footprint but also
+ * lower performance.
+ *
+ * The default implementation is meant to be a reasonnable compromise between
+ * performance and size. This version optimizes more aggressively for size at
+ * the expense of performance. Eg on Cortex-M4 it reduces the size of
+ * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
+ * 30%.
+ *
+ * Uncomment to enable the smaller implementation of SHA256.
+ */
+//#define MBEDTLS_SHA256_SMALLER
+
+/**
+ * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
+ *
+ * Enable sending of alert messages in case of encountered errors as per RFC.
+ * If you choose not to send the alert messages, mbed TLS can still communicate
+ * with other servers, only debugging of failures is harder.
+ *
+ * The advantage of not sending alert messages, is that no information is given
+ * about reasons for failures thus preventing adversaries of gaining intel.
+ *
+ * Enable sending of all alert messages
+ */
+#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
+
+/**
+ * \def MBEDTLS_SSL_DEBUG_ALL
+ *
+ * Enable the debug messages in SSL module for all issues.
+ * Debug messages have been disabled in some places to prevent timing
+ * attacks due to (unbalanced) debugging function calls.
+ *
+ * If you need all error reporting you should enable this during debugging,
+ * but remove this for production servers that should log as well.
+ *
+ * Uncomment this macro to report all debug messages on errors introducing
+ * a timing side-channel.
+ *
+ */
+//#define MBEDTLS_SSL_DEBUG_ALL
+
+/** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC
+ *
+ * Enable support for Encrypt-then-MAC, RFC 7366.
+ *
+ * This allows peers that both support it to use a more robust protection for
+ * ciphersuites using CBC, providing deep resistance against timing attacks
+ * on the padding or underlying cipher.
+ *
+ * This only affects CBC ciphersuites, and is useless if none is defined.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1    or
+ *           MBEDTLS_SSL_PROTO_TLS1_1  or
+ *           MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for Encrypt-then-MAC
+ */
+#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
+
+/** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+ *
+ * Enable support for Extended Master Secret, aka Session Hash
+ * (draft-ietf-tls-session-hash-02).
+ *
+ * This was introduced as "the proper fix" to the Triple Handshake familiy of
+ * attacks, but it is recommended to always use it (even if you disable
+ * renegotiation), since it actually fixes a more fundamental issue in the
+ * original SSL/TLS design, and has implications beyond Triple Handshake.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1    or
+ *           MBEDTLS_SSL_PROTO_TLS1_1  or
+ *           MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for Extended Master Secret.
+ */
+#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+
+/**
+ * \def MBEDTLS_SSL_FALLBACK_SCSV
+ *
+ * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
+ *
+ * For servers, it is recommended to always enable this, unless you support
+ * only one version of TLS, or know for sure that none of your clients
+ * implements a fallback strategy.
+ *
+ * For clients, you only need this if you're using a fallback strategy, which
+ * is not recommended in the first place, unless you absolutely need it to
+ * interoperate with buggy (version-intolerant) servers.
+ *
+ * Comment this macro to disable support for FALLBACK_SCSV
+ */
+#define MBEDTLS_SSL_FALLBACK_SCSV
+
+/**
+ * \def MBEDTLS_SSL_HW_RECORD_ACCEL
+ *
+ * Enable hooking functions in SSL module for hardware acceleration of
+ * individual records.
+ *
+ * Uncomment this macro to enable hooking functions.
+ */
+//#define MBEDTLS_SSL_HW_RECORD_ACCEL
+
+/**
+ * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
+ *
+ * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
+ *
+ * This is a countermeasure to the BEAST attack, which also minimizes the risk
+ * of interoperability issues compared to sending 0-length records.
+ *
+ * Comment this macro to disable 1/n-1 record splitting.
+ */
+#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
+
+/**
+ * \def MBEDTLS_SSL_RENEGOTIATION
+ *
+ * Enable support for TLS renegotiation.
+ *
+ * The two main uses of renegotiation are (1) refresh keys on long-lived
+ * connections and (2) client authentication after the initial handshake.
+ * If you don't need renegotiation, it's probably better to disable it, since
+ * it has been associated with security issues in the past and is easy to
+ * misuse/misunderstand.
+ *
+ * Comment this to disable support for renegotiation.
+ *
+ * \note   Even if this option is disabled, both client and server are aware
+ *         of the Renegotiation Indication Extension (RFC 5746) used to
+ *         prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
+ *         (See \c mbedtls_ssl_conf_legacy_renegotiation for the
+ *          configuration of this extension).
+ *
+ */
+#define MBEDTLS_SSL_RENEGOTIATION
+
+/**
+ * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+ *
+ * Enable support for receiving and parsing SSLv2 Client Hello messages for the
+ * SSL Server module (MBEDTLS_SSL_SRV_C).
+ *
+ * Uncomment this macro to enable support for SSLv2 Client Hello messages.
+ */
+//#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+
+/**
+ * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+ *
+ * Pick the ciphersuite according to the client's preferences rather than ours
+ * in the SSL Server module (MBEDTLS_SSL_SRV_C).
+ *
+ * Uncomment this macro to respect client's ciphersuite order
+ */
+//#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+
+/**
+ * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+ *
+ * Enable support for RFC 6066 max_fragment_length extension in SSL.
+ *
+ * Comment this macro to disable support for the max_fragment_length extension
+ */
+#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+
+/**
+ * \def MBEDTLS_SSL_PROTO_SSL3
+ *
+ * Enable support for SSL 3.0.
+ *
+ * Requires: MBEDTLS_MD5_C
+ *           MBEDTLS_SHA1_C
+ *
+ * Comment this macro to disable support for SSL 3.0
+ */
+//#define MBEDTLS_SSL_PROTO_SSL3
+
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1
+ *
+ * Enable support for TLS 1.0.
+ *
+ * Requires: MBEDTLS_MD5_C
+ *           MBEDTLS_SHA1_C
+ *
+ * Comment this macro to disable support for TLS 1.0
+ */
+#define MBEDTLS_SSL_PROTO_TLS1
+
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1_1
+ *
+ * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
+ *
+ * Requires: MBEDTLS_MD5_C
+ *           MBEDTLS_SHA1_C
+ *
+ * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
+ */
+#define MBEDTLS_SSL_PROTO_TLS1_1
+
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
+ *
+ * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
+ *           (Depends on ciphersuites)
+ *
+ * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
+ */
+#define MBEDTLS_SSL_PROTO_TLS1_2
+
+/**
+ * \def MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Enable support for DTLS (all available versions).
+ *
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0,
+ * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1_1
+ *        or MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for DTLS
+ */
+#define MBEDTLS_SSL_PROTO_DTLS
+
+/**
+ * \def MBEDTLS_SSL_ALPN
+ *
+ * Enable support for RFC 7301 Application Layer Protocol Negotiation.
+ *
+ * Comment this macro to disable support for ALPN.
+ */
+#define MBEDTLS_SSL_ALPN
+
+/**
+ * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
+ *
+ * Enable support for the anti-replay mechanism in DTLS.
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ *           MBEDTLS_SSL_PROTO_DTLS
+ *
+ * \warning Disabling this is often a security risk!
+ * See mbedtls_ssl_conf_dtls_anti_replay() for details.
+ *
+ * Comment this to disable anti-replay in DTLS.
+ */
+#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
+
+/**
+ * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
+ *
+ * Enable support for HelloVerifyRequest on DTLS servers.
+ *
+ * This feature is highly recommended to prevent DTLS servers being used as
+ * amplifiers in DoS attacks against other hosts. It should always be enabled
+ * unless you know for sure amplification cannot be a problem in the
+ * environment in which your server operates.
+ *
+ * \warning Disabling this can ba a security risk! (see above)
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Comment this to disable support for HelloVerifyRequest.
+ */
+#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
+
+/**
+ * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+ *
+ * Enable server-side support for clients that reconnect from the same port.
+ *
+ * Some clients unexpectedly close the connection and try to reconnect using the
+ * same source port. This needs special support from the server to handle the
+ * new connection securely, as described in section 4.2.8 of RFC 6347. This
+ * flag enables that support.
+ *
+ * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
+ *
+ * Comment this to disable support for clients reusing the source port.
+ */
+#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+
+/**
+ * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+ *
+ * Enable support for a limit of records with bad MAC.
+ *
+ * See mbedtls_ssl_conf_dtls_badmac_limit().
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ */
+#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+
+/**
+ * \def MBEDTLS_SSL_SESSION_TICKETS
+ *
+ * Enable support for RFC 5077 session tickets in SSL.
+ * Client-side, provides full support for session tickets (maintenance of a
+ * session store remains the responsibility of the application, though).
+ * Server-side, you also need to provide callbacks for writing and parsing
+ * tickets, including authenticated encryption and key management. Example
+ * callbacks are provided by MBEDTLS_SSL_TICKET_C.
+ *
+ * Comment this macro to disable support for SSL session tickets
+ */
+#define MBEDTLS_SSL_SESSION_TICKETS
+
+/**
+ * \def MBEDTLS_SSL_EXPORT_KEYS
+ *
+ * Enable support for exporting key block and master secret.
+ * This is required for certain users of TLS, e.g. EAP-TLS.
+ *
+ * Comment this macro to disable support for key export
+ */
+#define MBEDTLS_SSL_EXPORT_KEYS
+
+/**
+ * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
+ *
+ * Enable support for RFC 6066 server name indication (SNI) in SSL.
+ *
+ * Requires: MBEDTLS_X509_CRT_PARSE_C
+ *
+ * Comment this macro to disable support for server name indication in SSL
+ */
+#define MBEDTLS_SSL_SERVER_NAME_INDICATION
+
+/**
+ * \def MBEDTLS_SSL_TRUNCATED_HMAC
+ *
+ * Enable support for RFC 6066 truncated HMAC in SSL.
+ *
+ * Comment this macro to disable support for truncated HMAC in SSL
+ */
+#define MBEDTLS_SSL_TRUNCATED_HMAC
+
+/**
+ * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
+ *
+ * Fallback to old (pre-2.7), non-conforming implementation of the truncated
+ * HMAC extension which also truncates the HMAC key. Note that this option is
+ * only meant for a transitory upgrade period and is likely to be removed in
+ * a future version of the library.
+ *
+ * \warning The old implementation is non-compliant and has a security weakness
+ *          (2^80 brute force attack on the HMAC key used for a single,
+ *          uninterrupted connection). This should only be enabled temporarily
+ *          when (1) the use of truncated HMAC is essential in order to save
+ *          bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
+ *          the fixed implementation yet (pre-2.7).
+ *
+ * \deprecated This option is deprecated and will likely be removed in a
+ *             future version of Mbed TLS.
+ *
+ * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
+ *
+ * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
+ */
+//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
+
+/**
+ * \def MBEDTLS_TEST_HOOKS
+ *
+ * Enable features for invasive testing such as introspection functions and
+ * hooks for fault injection. This enables additional unit tests.
+ *
+ * Merely enabling this feature should not change the behavior of the product.
+ * It only adds new code, and new branching points where the default behavior
+ * is the same as when this feature is disabled.
+ * However, this feature increases the attack surface: there is an added
+ * risk of vulnerabilities, and more gadgets that can make exploits easier.
+ * Therefore this feature must never be enabled in production.
+ *
+ * Uncomment to enable invasive tests.
+ */
+//#define MBEDTLS_TEST_HOOKS
+
+/**
+ * \def MBEDTLS_THREADING_ALT
+ *
+ * Provide your own alternate threading implementation.
+ *
+ * Requires: MBEDTLS_THREADING_C
+ *
+ * Uncomment this to allow your own alternate threading implementation.
+ */
+//#define MBEDTLS_THREADING_ALT
+
+/**
+ * \def MBEDTLS_THREADING_PTHREAD
+ *
+ * Enable the pthread wrapper layer for the threading layer.
+ *
+ * Requires: MBEDTLS_THREADING_C
+ *
+ * Uncomment this to enable pthread mutexes.
+ */
+//#define MBEDTLS_THREADING_PTHREAD
+
+/**
+ * \def MBEDTLS_VERSION_FEATURES
+ *
+ * Allow run-time checking of compile-time enabled features. Thus allowing users
+ * to check at run-time if the library is for instance compiled with threading
+ * support via mbedtls_version_check_feature().
+ *
+ * Requires: MBEDTLS_VERSION_C
+ *
+ * Comment this to disable run-time checking and save ROM space
+ */
+#define MBEDTLS_VERSION_FEATURES
+
+/**
+ * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+ *
+ * If set, the X509 parser will not break-off when parsing an X509 certificate
+ * and encountering an extension in a v1 or v2 certificate.
+ *
+ * Uncomment to prevent an error.
+ */
+//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+
+/**
+ * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+ *
+ * If set, the X509 parser will not break-off when parsing an X509 certificate
+ * and encountering an unknown critical extension.
+ *
+ * \warning Depending on your PKI use, enabling this can be a security risk!
+ *
+ * Uncomment to prevent an error.
+ */
+//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+
+/**
+ * \def MBEDTLS_X509_CHECK_KEY_USAGE
+ *
+ * Enable verification of the keyUsage extension (CA and leaf certificates).
+ *
+ * Disabling this avoids problems with mis-issued and/or misused
+ * (intermediate) CA and leaf certificates.
+ *
+ * \warning Depending on your PKI use, disabling this can be a security risk!
+ *
+ * Comment to skip keyUsage checking for both CA and leaf certificates.
+ */
+#define MBEDTLS_X509_CHECK_KEY_USAGE
+
+/**
+ * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+ *
+ * Enable verification of the extendedKeyUsage extension (leaf certificates).
+ *
+ * Disabling this avoids problems with mis-issued and/or misused certificates.
+ *
+ * \warning Depending on your PKI use, disabling this can be a security risk!
+ *
+ * Comment to skip extendedKeyUsage checking for certificates.
+ */
+#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+
+/**
+ * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ *
+ * Enable parsing and verification of X.509 certificates, CRLs and CSRS
+ * signed with RSASSA-PSS (aka PKCS#1 v2.1).
+ *
+ * Comment this macro to disallow using RSASSA-PSS in certificates.
+ */
+#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
+
+/**
+ * \def MBEDTLS_ZLIB_SUPPORT
+ *
+ * If set, the SSL/TLS module uses ZLIB to support compression and
+ * decompression of packet data.
+ *
+ * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
+ * CRIME attack. Before enabling this option, you should examine with care if
+ * CRIME or similar exploits may be applicable to your use case.
+ *
+ * \note Currently compression can't be used with DTLS.
+ *
+ * Used in: library/ssl_tls.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * This feature requires zlib library and headers to be present.
+ *
+ * Uncomment to enable use of ZLIB
+ */
+//#define MBEDTLS_ZLIB_SUPPORT
+/* \} name SECTION: mbed TLS feature support */
+
+/**
+ * \name SECTION: mbed TLS modules
+ *
+ * This section enables or disables entire modules in mbed TLS
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AESNI_C
+ *
+ * Enable AES-NI support on x86-64.
+ *
+ * Module:  library/aesni.c
+ * Caller:  library/aes.c
+ *
+ * Requires: MBEDTLS_HAVE_ASM
+ *
+ * This modules adds support for the AES-NI instructions on x86-64
+ */
+#define MBEDTLS_AESNI_C
+
+/**
+ * \def MBEDTLS_AES_C
+ *
+ * Enable the AES block cipher.
+ *
+ * Module:  library/aes.c
+ * Caller:  library/ssl_tls.c
+ *          library/pem.c
+ *          library/ctr_drbg.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+ *
+ * PEM_PARSE uses AES for decrypting encrypted keys.
+ */
+#define MBEDTLS_AES_C
+
+/**
+ * \def MBEDTLS_ARC4_C
+ *
+ * Enable the ARCFOUR stream cipher.
+ *
+ * Module:  library/arc4.c
+ * Caller:  library/ssl_tls.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
+ *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+ *
+ * \warning   ARC4 is considered a weak cipher and its use constitutes a
+ *            security risk. If possible, we recommend avoidng dependencies on
+ *            it, and considering stronger ciphers instead.
+ *
+ */
+#define MBEDTLS_ARC4_C
+
+/**
+ * \def MBEDTLS_ASN1_PARSE_C
+ *
+ * Enable the generic ASN1 parser.
+ *
+ * Module:  library/asn1.c
+ * Caller:  library/x509.c
+ *          library/dhm.c
+ *          library/pkcs12.c
+ *          library/pkcs5.c
+ *          library/pkparse.c
+ */
+#define MBEDTLS_ASN1_PARSE_C
+
+/**
+ * \def MBEDTLS_ASN1_WRITE_C
+ *
+ * Enable the generic ASN1 writer.
+ *
+ * Module:  library/asn1write.c
+ * Caller:  library/ecdsa.c
+ *          library/pkwrite.c
+ *          library/x509_create.c
+ *          library/x509write_crt.c
+ *          library/x509write_csr.c
+ */
+#define MBEDTLS_ASN1_WRITE_C
+
+/**
+ * \def MBEDTLS_BASE64_C
+ *
+ * Enable the Base64 module.
+ *
+ * Module:  library/base64.c
+ * Caller:  library/pem.c
+ *
+ * This module is required for PEM support (required by X.509).
+ */
+#define MBEDTLS_BASE64_C
+
+/**
+ * \def MBEDTLS_BIGNUM_C
+ *
+ * Enable the multi-precision integer library.
+ *
+ * Module:  library/bignum.c
+ * Caller:  library/dhm.c
+ *          library/ecp.c
+ *          library/ecdsa.c
+ *          library/rsa.c
+ *          library/rsa_internal.c
+ *          library/ssl_tls.c
+ *
+ * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
+ */
+#define MBEDTLS_BIGNUM_C
+
+/**
+ * \def MBEDTLS_BLOWFISH_C
+ *
+ * Enable the Blowfish block cipher.
+ *
+ * Module:  library/blowfish.c
+ */
+#define MBEDTLS_BLOWFISH_C
+
+/**
+ * \def MBEDTLS_CAMELLIA_C
+ *
+ * Enable the Camellia block cipher.
+ *
+ * Module:  library/camellia.c
+ * Caller:  library/ssl_tls.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ */
+#define MBEDTLS_CAMELLIA_C
+
+/**
+ * \def MBEDTLS_CCM_C
+ *
+ * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
+ *
+ * Module:  library/ccm.c
+ *
+ * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
+ *
+ * This module enables the AES-CCM ciphersuites, if other requisites are
+ * enabled as well.
+ */
+#define MBEDTLS_CCM_C
+
+/**
+ * \def MBEDTLS_CERTS_C
+ *
+ * Enable the test certificates.
+ *
+ * Module:  library/certs.c
+ * Caller:
+ *
+ * This module is used for testing (ssl_client/server).
+ */
+#define MBEDTLS_CERTS_C
+
+/**
+ * \def MBEDTLS_CIPHER_C
+ *
+ * Enable the generic cipher layer.
+ *
+ * Module:  library/cipher.c
+ * Caller:  library/ssl_tls.c
+ *
+ * Uncomment to enable generic cipher wrappers.
+ */
+#define MBEDTLS_CIPHER_C
+
+/**
+ * \def MBEDTLS_CMAC_C
+ *
+ * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
+ * ciphers.
+ *
+ * Module:  library/cmac.c
+ *
+ * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
+ *
+ */
+//#define MBEDTLS_CMAC_C
+
+/**
+ * \def MBEDTLS_CTR_DRBG_C
+ *
+ * Enable the CTR_DRBG AES-256-based random generator.
+ *
+ * \note This module only achieves a 256-bit security strength if
+ *       the generator is seeded with sufficient entropy.
+ *       See ctr_drbg.h for more details.
+ *
+ * Module:  library/ctr_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_AES_C
+ *
+ * This module provides the CTR_DRBG AES-256 random number generator.
+ */
+#define MBEDTLS_CTR_DRBG_C
+
+/**
+ * \def MBEDTLS_DEBUG_C
+ *
+ * Enable the debug functions.
+ *
+ * Module:  library/debug.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *
+ * This module provides debugging functions.
+ */
+#define MBEDTLS_DEBUG_C
+
+/**
+ * \def MBEDTLS_DES_C
+ *
+ * Enable the DES block cipher.
+ *
+ * Module:  library/des.c
+ * Caller:  library/pem.c
+ *          library/ssl_tls.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
+ *
+ * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
+ *
+ * \warning   DES is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers instead.
+ */
+#define MBEDTLS_DES_C
+
+/**
+ * \def MBEDTLS_DHM_C
+ *
+ * Enable the Diffie-Hellman-Merkle module.
+ *
+ * Module:  library/dhm.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * This module is used by the following key exchanges:
+ *      DHE-RSA, DHE-PSK
+ *
+ * \warning    Using DHE constitutes a security risk as it
+ *             is not possible to validate custom DH parameters.
+ *             If possible, it is recommended users should consider
+ *             preferring other methods of key exchange.
+ *             See dhm.h for more details.
+ *
+ */
+#define MBEDTLS_DHM_C
+
+/**
+ * \def MBEDTLS_ECDH_C
+ *
+ * Enable the elliptic curve Diffie-Hellman library.
+ *
+ * Module:  library/ecdh.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * This module is used by the following key exchanges:
+ *      ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
+ *
+ * Requires: MBEDTLS_ECP_C
+ */
+#define MBEDTLS_ECDH_C
+
+/**
+ * \def MBEDTLS_ECDSA_C
+ *
+ * Enable the elliptic curve DSA library.
+ *
+ * Module:  library/ecdsa.c
+ * Caller:
+ *
+ * This module is used by the following key exchanges:
+ *      ECDHE-ECDSA
+ *
+ * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
+ */
+#define MBEDTLS_ECDSA_C
+
+/**
+ * \def MBEDTLS_ECJPAKE_C
+ *
+ * Enable the elliptic curve J-PAKE library.
+ *
+ * \warning This is currently experimental. EC J-PAKE support is based on the
+ * Thread v1.0.0 specification; incompatible changes to the specification
+ * might still happen. For this reason, this is disabled by default.
+ *
+ * Module:  library/ecjpake.c
+ * Caller:
+ *
+ * This module is used by the following key exchanges:
+ *      ECJPAKE
+ *
+ * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
+ */
+//#define MBEDTLS_ECJPAKE_C
+
+/**
+ * \def MBEDTLS_ECP_C
+ *
+ * Enable the elliptic curve over GF(p) library.
+ *
+ * Module:  library/ecp.c
+ * Caller:  library/ecdh.c
+ *          library/ecdsa.c
+ *          library/ecjpake.c
+ *
+ * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
+ */
+#define MBEDTLS_ECP_C
+
+/**
+ * \def MBEDTLS_ENTROPY_C
+ *
+ * Enable the platform-specific entropy code.
+ *
+ * Module:  library/entropy.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
+ *
+ * This module provides a generic entropy pool
+ */
+#define MBEDTLS_ENTROPY_C
+
+/**
+ * \def MBEDTLS_ERROR_C
+ *
+ * Enable error code to error string conversion.
+ *
+ * Module:  library/error.c
+ * Caller:
+ *
+ * This module enables mbedtls_strerror().
+ */
+#define MBEDTLS_ERROR_C
+
+/**
+ * \def MBEDTLS_GCM_C
+ *
+ * Enable the Galois/Counter Mode (GCM) for AES.
+ *
+ * Module:  library/gcm.c
+ *
+ * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
+ *
+ * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
+ * requisites are enabled as well.
+ */
+#define MBEDTLS_GCM_C
+
+/**
+ * \def MBEDTLS_HAVEGE_C
+ *
+ * Enable the HAVEGE random generator.
+ *
+ * Warning: the HAVEGE random generator is not suitable for virtualized
+ *          environments
+ *
+ * Warning: the HAVEGE random generator is dependent on timing and specific
+ *          processor traits. It is therefore not advised to use HAVEGE as
+ *          your applications primary random generator or primary entropy pool
+ *          input. As a secondary input to your entropy pool, it IS able add
+ *          the (limited) extra entropy it provides.
+ *
+ * Module:  library/havege.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_TIMING_C
+ *
+ * Uncomment to enable the HAVEGE random generator.
+ */
+//#define MBEDTLS_HAVEGE_C
+
+/**
+ * \def MBEDTLS_HMAC_DRBG_C
+ *
+ * Enable the HMAC_DRBG random generator.
+ *
+ * Module:  library/hmac_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * Uncomment to enable the HMAC_DRBG random number geerator.
+ */
+#define MBEDTLS_HMAC_DRBG_C
+
+/**
+ * \def MBEDTLS_MD_C
+ *
+ * Enable the generic message digest layer.
+ *
+ * Module:  library/md.c
+ * Caller:
+ *
+ * Uncomment to enable generic message digest wrappers.
+ */
+#define MBEDTLS_MD_C
+
+/**
+ * \def MBEDTLS_MD2_C
+ *
+ * Enable the MD2 hash algorithm.
+ *
+ * Module:  library/md2.c
+ * Caller:
+ *
+ * Uncomment to enable support for (rare) MD2-signed X.509 certs.
+ *
+ * \warning   MD2 is considered a weak message digest and its use constitutes a
+ *            security risk. If possible, we recommend avoiding dependencies on
+ *            it, and considering stronger message digests instead.
+ *
+ */
+//#define MBEDTLS_MD2_C
+
+/**
+ * \def MBEDTLS_MD4_C
+ *
+ * Enable the MD4 hash algorithm.
+ *
+ * Module:  library/md4.c
+ * Caller:
+ *
+ * Uncomment to enable support for (rare) MD4-signed X.509 certs.
+ *
+ * \warning   MD4 is considered a weak message digest and its use constitutes a
+ *            security risk. If possible, we recommend avoiding dependencies on
+ *            it, and considering stronger message digests instead.
+ *
+ */
+//#define MBEDTLS_MD4_C
+
+/**
+ * \def MBEDTLS_MD5_C
+ *
+ * Enable the MD5 hash algorithm.
+ *
+ * Module:  library/md5.c
+ * Caller:  library/md.c
+ *          library/pem.c
+ *          library/ssl_tls.c
+ *
+ * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2
+ * depending on the handshake parameters. Further, it is used for checking
+ * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded
+ * encrypted keys.
+ *
+ * \warning   MD5 is considered a weak message digest and its use constitutes a
+ *            security risk. If possible, we recommend avoiding dependencies on
+ *            it, and considering stronger message digests instead.
+ *
+ */
+#define MBEDTLS_MD5_C
+
+/**
+ * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Enable the buffer allocator implementation that makes use of a (stack)
+ * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
+ * calls)
+ *
+ * Module:  library/memory_buffer_alloc.c
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *           MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
+ *
+ * Enable this module to enable the buffer memory allocator.
+ */
+//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+/**
+ * \def MBEDTLS_NET_C
+ *
+ * Enable the TCP and UDP over IPv6/IPv4 networking routines.
+ *
+ * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
+ * and Windows. For other platforms, you'll want to disable it, and write your
+ * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
+ *
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ *
+ * Module:  library/net_sockets.c
+ *
+ * This module provides networking routines.
+ */
+// #define MBEDTLS_NET_C
+
+/**
+ * \def MBEDTLS_OID_C
+ *
+ * Enable the OID database.
+ *
+ * Module:  library/oid.c
+ * Caller:  library/asn1write.c
+ *          library/pkcs5.c
+ *          library/pkparse.c
+ *          library/pkwrite.c
+ *          library/rsa.c
+ *          library/x509.c
+ *          library/x509_create.c
+ *          library/x509_crl.c
+ *          library/x509_crt.c
+ *          library/x509_csr.c
+ *          library/x509write_crt.c
+ *          library/x509write_csr.c
+ *
+ * This modules translates between OIDs and internal values.
+ */
+#define MBEDTLS_OID_C
+
+/**
+ * \def MBEDTLS_PADLOCK_C
+ *
+ * Enable VIA Padlock support on x86.
+ *
+ * Module:  library/padlock.c
+ * Caller:  library/aes.c
+ *
+ * Requires: MBEDTLS_HAVE_ASM
+ *
+ * This modules adds support for the VIA PadLock on x86.
+ */
+#define MBEDTLS_PADLOCK_C
+
+/**
+ * \def MBEDTLS_PEM_PARSE_C
+ *
+ * Enable PEM decoding / parsing.
+ *
+ * Module:  library/pem.c
+ * Caller:  library/dhm.c
+ *          library/pkparse.c
+ *          library/x509_crl.c
+ *          library/x509_crt.c
+ *          library/x509_csr.c
+ *
+ * Requires: MBEDTLS_BASE64_C
+ *
+ * This modules adds support for decoding / parsing PEM files.
+ */
+#define MBEDTLS_PEM_PARSE_C
+
+/**
+ * \def MBEDTLS_PEM_WRITE_C
+ *
+ * Enable PEM encoding / writing.
+ *
+ * Module:  library/pem.c
+ * Caller:  library/pkwrite.c
+ *          library/x509write_crt.c
+ *          library/x509write_csr.c
+ *
+ * Requires: MBEDTLS_BASE64_C
+ *
+ * This modules adds support for encoding / writing PEM files.
+ */
+#define MBEDTLS_PEM_WRITE_C
+
+/**
+ * \def MBEDTLS_PK_C
+ *
+ * Enable the generic public (asymetric) key layer.
+ *
+ * Module:  library/pk.c
+ * Caller:  library/ssl_tls.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
+ *
+ * Uncomment to enable generic public key wrappers.
+ */
+#define MBEDTLS_PK_C
+
+/**
+ * \def MBEDTLS_PK_PARSE_C
+ *
+ * Enable the generic public (asymetric) key parser.
+ *
+ * Module:  library/pkparse.c
+ * Caller:  library/x509_crt.c
+ *          library/x509_csr.c
+ *
+ * Requires: MBEDTLS_PK_C
+ *
+ * Uncomment to enable generic public key parse functions.
+ */
+#define MBEDTLS_PK_PARSE_C
+
+/**
+ * \def MBEDTLS_PK_WRITE_C
+ *
+ * Enable the generic public (asymetric) key writer.
+ *
+ * Module:  library/pkwrite.c
+ * Caller:  library/x509write.c
+ *
+ * Requires: MBEDTLS_PK_C
+ *
+ * Uncomment to enable generic public key write functions.
+ */
+#define MBEDTLS_PK_WRITE_C
+
+/**
+ * \def MBEDTLS_PKCS5_C
+ *
+ * Enable PKCS#5 functions.
+ *
+ * Module:  library/pkcs5.c
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the PKCS#5 functions.
+ */
+#define MBEDTLS_PKCS5_C
+
+/**
+ * \def MBEDTLS_PKCS11_C
+ *
+ * Enable wrapper for PKCS#11 smartcard support.
+ *
+ * Module:  library/pkcs11.c
+ * Caller:  library/pk.c
+ *
+ * Requires: MBEDTLS_PK_C
+ *
+ * This module enables SSL/TLS PKCS #11 smartcard support.
+ * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
+ */
+//#define MBEDTLS_PKCS11_C
+
+/**
+ * \def MBEDTLS_PKCS12_C
+ *
+ * Enable PKCS#12 PBE functions.
+ * Adds algorithms for parsing PKCS#8 encrypted private keys
+ *
+ * Module:  library/pkcs12.c
+ * Caller:  library/pkparse.c
+ *
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C
+ * Can use:  MBEDTLS_ARC4_C
+ *
+ * This module enables PKCS#12 functions.
+ */
+#define MBEDTLS_PKCS12_C
+
+/**
+ * \def MBEDTLS_PLATFORM_C
+ *
+ * Enable the platform abstraction layer that allows you to re-assign
+ * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
+ *
+ * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
+ * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
+ * above to be specified at runtime or compile time respectively.
+ *
+ * \note This abstraction layer must be enabled on Windows (including MSYS2)
+ * as other module rely on it for a fixed snprintf implementation.
+ *
+ * Module:  library/platform.c
+ * Caller:  Most other .c files
+ *
+ * This module enables abstraction of common (libc) functions.
+ */
+#define MBEDTLS_PLATFORM_C
+
+/**
+ * \def MBEDTLS_RIPEMD160_C
+ *
+ * Enable the RIPEMD-160 hash algorithm.
+ *
+ * Module:  library/ripemd160.c
+ * Caller:  library/md.c
+ *
+ */
+#define MBEDTLS_RIPEMD160_C
+
+/**
+ * \def MBEDTLS_RSA_C
+ *
+ * Enable the RSA public-key cryptosystem.
+ *
+ * Module:  library/rsa.c
+ *          library/rsa_internal.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *          library/x509.c
+ *
+ * This module is used by the following key exchanges:
+ *      RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
+ *
+ * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
+ */
+#define MBEDTLS_RSA_C
+
+/**
+ * \def MBEDTLS_SHA1_C
+ *
+ * Enable the SHA1 cryptographic hash algorithm.
+ *
+ * Module:  library/sha1.c
+ * Caller:  library/md.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *          library/x509write_crt.c
+ *
+ * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
+ * depending on the handshake parameters, and for SHA1-signed certificates.
+ *
+ * \warning   SHA-1 is considered a weak message digest and its use constitutes
+ *            a security risk. If possible, we recommend avoiding dependencies
+ *            on it, and considering stronger message digests instead.
+ *
+ */
+#define MBEDTLS_SHA1_C
+
+/**
+ * \def MBEDTLS_SHA256_C
+ *
+ * Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
+ *
+ * Module:  library/sha256.c
+ * Caller:  library/entropy.c
+ *          library/md.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *
+ * This module adds support for SHA-224 and SHA-256.
+ * This module is required for the SSL/TLS 1.2 PRF function.
+ */
+#define MBEDTLS_SHA256_C
+
+/**
+ * \def MBEDTLS_SHA512_C
+ *
+ * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
+ *
+ * Module:  library/sha512.c
+ * Caller:  library/entropy.c
+ *          library/md.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * This module adds support for SHA-384 and SHA-512.
+ */
+#define MBEDTLS_SHA512_C
+
+/**
+ * \def MBEDTLS_SSL_CACHE_C
+ *
+ * Enable simple SSL cache implementation.
+ *
+ * Module:  library/ssl_cache.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SSL_CACHE_C
+ */
+#define MBEDTLS_SSL_CACHE_C
+
+/**
+ * \def MBEDTLS_SSL_COOKIE_C
+ *
+ * Enable basic implementation of DTLS cookies for hello verification.
+ *
+ * Module:  library/ssl_cookie.c
+ * Caller:
+ */
+#define MBEDTLS_SSL_COOKIE_C
+
+/**
+ * \def MBEDTLS_SSL_TICKET_C
+ *
+ * Enable an implementation of TLS server-side callbacks for session tickets.
+ *
+ * Module:  library/ssl_ticket.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_CIPHER_C
+ */
+#define MBEDTLS_SSL_TICKET_C
+
+/**
+ * \def MBEDTLS_SSL_CLI_C
+ *
+ * Enable the SSL/TLS client code.
+ *
+ * Module:  library/ssl_cli.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ *
+ * This module is required for SSL/TLS client support.
+ */
+#define MBEDTLS_SSL_CLI_C
+
+/**
+ * \def MBEDTLS_SSL_SRV_C
+ *
+ * Enable the SSL/TLS server code.
+ *
+ * Module:  library/ssl_srv.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ *
+ * This module is required for SSL/TLS server support.
+ */
+#define MBEDTLS_SSL_SRV_C
+
+/**
+ * \def MBEDTLS_SSL_TLS_C
+ *
+ * Enable the generic SSL/TLS code.
+ *
+ * Module:  library/ssl_tls.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
+ *           and at least one of the MBEDTLS_SSL_PROTO_XXX defines
+ *
+ * This module is required for SSL/TLS.
+ */
+#define MBEDTLS_SSL_TLS_C
+
+/**
+ * \def MBEDTLS_THREADING_C
+ *
+ * Enable the threading abstraction layer.
+ * By default mbed TLS assumes it is used in a non-threaded environment or that
+ * contexts are not shared between threads. If you do intend to use contexts
+ * between threads, you will need to enable this layer to prevent race
+ * conditions. See also our Knowledge Base article about threading:
+ * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
+ *
+ * Module:  library/threading.c
+ *
+ * This allows different threading implementations (self-implemented or
+ * provided).
+ *
+ * You will have to enable either MBEDTLS_THREADING_ALT or
+ * MBEDTLS_THREADING_PTHREAD.
+ *
+ * Enable this layer to allow use of mutexes within mbed TLS
+ */
+//#define MBEDTLS_THREADING_C
+
+/**
+ * \def MBEDTLS_TIMING_C
+ *
+ * Enable the semi-portable timing interface.
+ *
+ * \note The provided implementation only works on POSIX/Unix (including Linux,
+ * BSD and OS X) and Windows. On other platforms, you can either disable that
+ * module and provide your own implementations of the callbacks needed by
+ * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
+ * your own implementation of the whole module by setting
+ * \c MBEDTLS_TIMING_ALT in the current file.
+ *
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ *
+ * Module:  library/timing.c
+ * Caller:  library/havege.c
+ *
+ * This module is used by the HAVEGE random number generator.
+ */
+// #define MBEDTLS_TIMING_C
+
+/**
+ * \def MBEDTLS_VERSION_C
+ *
+ * Enable run-time version information.
+ *
+ * Module:  library/version.c
+ *
+ * This module provides run-time version information.
+ */
+#define MBEDTLS_VERSION_C
+
+/**
+ * \def MBEDTLS_X509_USE_C
+ *
+ * Enable X.509 core for using certificates.
+ *
+ * Module:  library/x509.c
+ * Caller:  library/x509_crl.c
+ *          library/x509_crt.c
+ *          library/x509_csr.c
+ *
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
+ *           MBEDTLS_PK_PARSE_C
+ *
+ * This module is required for the X.509 parsing modules.
+ */
+#define MBEDTLS_X509_USE_C
+
+/**
+ * \def MBEDTLS_X509_CRT_PARSE_C
+ *
+ * Enable X.509 certificate parsing.
+ *
+ * Module:  library/x509_crt.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is required for X.509 certificate parsing.
+ */
+#define MBEDTLS_X509_CRT_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CRL_PARSE_C
+ *
+ * Enable X.509 CRL parsing.
+ *
+ * Module:  library/x509_crl.c
+ * Caller:  library/x509_crt.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is required for X.509 CRL parsing.
+ */
+#define MBEDTLS_X509_CRL_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CSR_PARSE_C
+ *
+ * Enable X.509 Certificate Signing Request (CSR) parsing.
+ *
+ * Module:  library/x509_csr.c
+ * Caller:  library/x509_crt_write.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is used for reading X.509 certificate request.
+ */
+#define MBEDTLS_X509_CSR_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CREATE_C
+ *
+ * Enable X.509 core for creating certificates.
+ *
+ * Module:  library/x509_create.c
+ *
+ * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
+ *
+ * This module is the basis for creating X.509 certificates and CSRs.
+ */
+#define MBEDTLS_X509_CREATE_C
+
+/**
+ * \def MBEDTLS_X509_CRT_WRITE_C
+ *
+ * Enable creating X.509 certificates.
+ *
+ * Module:  library/x509_crt_write.c
+ *
+ * Requires: MBEDTLS_X509_CREATE_C
+ *
+ * This module is required for X.509 certificate creation.
+ */
+#define MBEDTLS_X509_CRT_WRITE_C
+
+/**
+ * \def MBEDTLS_X509_CSR_WRITE_C
+ *
+ * Enable creating X.509 Certificate Signing Requests (CSR).
+ *
+ * Module:  library/x509_csr_write.c
+ *
+ * Requires: MBEDTLS_X509_CREATE_C
+ *
+ * This module is required for X.509 certificate request writing.
+ */
+#define MBEDTLS_X509_CSR_WRITE_C
+
+/**
+ * \def MBEDTLS_XTEA_C
+ *
+ * Enable the XTEA block cipher.
+ *
+ * Module:  library/xtea.c
+ * Caller:
+ */
+#define MBEDTLS_XTEA_C
+
+/* \} name SECTION: mbed TLS modules */
+
+/**
+ * \name SECTION: Module configuration options
+ *
+ * This section allows for the setting of module specific sizes and
+ * configuration options. The default values are already present in the
+ * relevant header files and should suffice for the regular use cases.
+ *
+ * Our advice is to enable options and change their values here
+ * only if you have a good reason and know the consequences.
+ *
+ * Please check the respective header file for documentation on these
+ * parameters (to prevent duplicate documentation).
+ * \{
+ */
+
+/* MPI / BIGNUM options */
+//#define MBEDTLS_MPI_WINDOW_SIZE            6 /**< Maximum window size used. */
+//#define MBEDTLS_MPI_MAX_SIZE            1024 /**< Maximum number of bytes for usable MPIs. */
+
+/* CTR_DRBG options */
+//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN               48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
+//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL        10000 /**< Interval before reseed is performed by default */
+//#define MBEDTLS_CTR_DRBG_MAX_INPUT                256 /**< Maximum number of additional input bytes */
+//#define MBEDTLS_CTR_DRBG_MAX_REQUEST             1024 /**< Maximum number of requested bytes per call */
+//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT           384 /**< Maximum size of (re)seed buffer */
+
+/* HMAC_DRBG options */
+//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000 /**< Interval before reseed is performed by default */
+//#define MBEDTLS_HMAC_DRBG_MAX_INPUT           256 /**< Maximum number of additional input bytes */
+//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST        1024 /**< Maximum number of requested bytes per call */
+//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT      384 /**< Maximum size of (re)seed buffer */
+
+/* ECP options */
+//#define MBEDTLS_ECP_MAX_BITS             521 /**< Maximum bit size of groups */
+//#define MBEDTLS_ECP_WINDOW_SIZE            6 /**< Maximum window size used */
+//#define MBEDTLS_ECP_FIXED_POINT_OPTIM      1 /**< Enable fixed-point speed-up */
+
+/* Entropy options */
+//#define MBEDTLS_ENTROPY_MAX_SOURCES                20 /**< Maximum number of sources supported */
+//#define MBEDTLS_ENTROPY_MAX_GATHER                128 /**< Maximum amount requested from entropy sources */
+//#define MBEDTLS_ENTROPY_MIN_HARDWARE               32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */
+
+/* Memory buffer allocator options */
+//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE      4 /**< Align on multiples of this value */
+
+/* Platform options */
+//#define MBEDTLS_PLATFORM_STD_MEM_HDR   <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
+//#define MBEDTLS_PLATFORM_STD_CALLOC        calloc /**< Default allocator to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_FREE            free /**< Default free to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT            exit /**< Default exit to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_TIME            time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
+//#define MBEDTLS_PLATFORM_STD_FPRINTF      fprintf /**< Default fprintf to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_PRINTF        printf /**< Default printf to use, can be undefined */
+/* Note: your snprintf must correctly zero-terminate the buffer! */
+//#define MBEDTLS_PLATFORM_STD_SNPRINTF    snprintf /**< Default snprintf to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS       0 /**< Default exit value to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE       1 /**< Default exit value to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ   mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE  mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE  "seedfile" /**< Seed file to read/write with default implementation */
+
+/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */
+/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
+//#define MBEDTLS_PLATFORM_CALLOC_MACRO        calloc /**< Default allocator macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_FREE_MACRO            free /**< Default free macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_EXIT_MACRO            exit /**< Default exit macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_TIME_MACRO            time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
+//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO       time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
+//#define MBEDTLS_PLATFORM_FPRINTF_MACRO      fprintf /**< Default fprintf macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_PRINTF_MACRO        printf /**< Default printf macro to use, can be undefined */
+/* Note: your snprintf must correctly zero-terminate the buffer! */
+//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO    snprintf /**< Default snprintf macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO   mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO  mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
+
+/* SSL Cache options */
+//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT       86400 /**< 1 day  */
+//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      50 /**< Maximum entries in cache */
+
+/* SSL options */
+//#define MBEDTLS_SSL_MAX_CONTENT_LEN             16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
+//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
+//#define MBEDTLS_PSK_MAX_LEN               32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
+//#define MBEDTLS_SSL_COOKIE_TIMEOUT        60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
+
+/**
+ * Complete list of ciphersuites to use, in order of preference.
+ *
+ * \warning No dependency checking is done on that field! This option can only
+ * be used to restrict the set of available ciphersuites. It is your
+ * responsibility to make sure the needed modules are active.
+ *
+ * Use this to save a few hundred bytes of ROM (default ordering of all
+ * available ciphersuites) and a few to a few hundred bytes of RAM.
+ *
+ * The value below is only an example, not the default.
+ */
+//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+
+/* X509 options */
+//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8   /**< Maximum number of intermediate CAs in a verification chain. */
+//#define MBEDTLS_X509_MAX_FILE_PATH_LEN     512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
+
+/**
+ * Allow SHA-1 in the default TLS configuration for certificate signing.
+ * Without this build-time option, SHA-1 support must be activated explicitly
+ * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
+ * recommended because of it is possible to generate SHA-1 collisions, however
+ * this may be safe for legacy infrastructure where additional controls apply.
+ *
+ * \warning   SHA-1 is considered a weak message digest and its use constitutes
+ *            a security risk. If possible, we recommend avoiding dependencies
+ *            on it, and considering stronger message digests instead.
+ *
+ */
+// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+
+/**
+ * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
+ * signature and ciphersuite selection. Without this build-time option, SHA-1
+ * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
+ * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
+ * default. At the time of writing, there is no practical attack on the use
+ * of SHA-1 in handshake signatures, hence this option is turned on by default
+ * to preserve compatibility with existing peers, but the general
+ * warning applies nonetheless:
+ *
+ * \warning   SHA-1 is considered a weak message digest and its use constitutes
+ *            a security risk. If possible, we recommend avoiding dependencies
+ *            on it, and considering stronger message digests instead.
+ *
+ */
+#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
+
+/* \} name SECTION: Customisation configuration options */
+
+/* Target and application specific configurations */
+//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h"
+
+#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
+#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
+#endif
+
+/*
+ * Allow user to override any previous default.
+ *
+ * Use two macro names for that, as:
+ * - with yotta the prefix YOTTA_CFG_ is forced
+ * - without yotta is looks weird to have a YOTTA prefix.
+ */
+#if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE)
+#include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE
+#elif defined(MBEDTLS_USER_CONFIG_FILE)
+#include MBEDTLS_USER_CONFIG_FILE
+#endif
+
+#include "check_config.h"
+
+#endif /* MBEDTLS_CONFIG_H */
\ No newline at end of file
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ctr_drbg.h b/third-party/mbedtls-3.6/include/mbedtls/ctr_drbg.h
new file mode 100644
index 00000000..33fe63f4
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ctr_drbg.h
@@ -0,0 +1,543 @@
+/**
+ * \file ctr_drbg.h
+ *
+ * \brief    The CTR_DRBG pseudorandom generator.
+ *
+ * CTR_DRBG is a standardized way of building a PRNG from a block-cipher
+ * in counter mode operation, as defined in <em>NIST SP 800-90A:
+ * Recommendation for Random Number Generation Using Deterministic Random
+ * Bit Generators</em>.
+ *
+ * The Mbed TLS implementation of CTR_DRBG uses AES-256
+ * as the underlying block cipher, with a derivation function.
+ * The initial seeding grabs #MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of entropy.
+ * See the documentation of mbedtls_ctr_drbg_seed() for more details.
+ *
+ * Based on NIST SP 800-90A §10.2.1 table 3 and NIST SP 800-57 part 1 table 2,
+ * here are the security strengths achieved in typical configuration:
+ * - 256 bits under the default configuration of the library,
+ *   with #MBEDTLS_CTR_DRBG_ENTROPY_LEN set to 48 or more.
+ * - 256 bits if #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set
+ *   to 32 or more and the DRBG is initialized with an explicit
+ *   nonce in the \c custom parameter to mbedtls_ctr_drbg_seed().
+ * - 128 bits if #MBEDTLS_CTR_DRBG_ENTROPY_LEN is
+ *   between 24 and 47 and the DRBG is not initialized with an explicit
+ *   nonce (see mbedtls_ctr_drbg_seed()).
+ *
+ * Note that the value of #MBEDTLS_CTR_DRBG_ENTROPY_LEN defaults to:
+ * - \c 48 if the module \c MBEDTLS_SHA512_C is enabled and the symbol
+ *   \c MBEDTLS_ENTROPY_FORCE_SHA256 is not enabled at compile time.
+ *   This is the default configuration of the library.
+ * - \c 32 if the module \c MBEDTLS_SHA512_C is disabled at compile time.
+ * - \c 32 if \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled at compile time.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_CTR_DRBG_H
+#define MBEDTLS_CTR_DRBG_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "aes.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+#define MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED        -0x0034  /**< The entropy source failed. */
+#define MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG              -0x0036  /**< The requested random buffer length is too big. */
+#define MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG                -0x0038  /**< The input (entropy + additional data) is too large. */
+#define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR                -0x003A  /**< Read or write error in file. */
+
+#define MBEDTLS_CTR_DRBG_BLOCKSIZE          16 /**< The block size used by the cipher. */
+#define MBEDTLS_CTR_DRBG_KEYSIZE            32 /**< The key size used by the cipher. */
+#define MBEDTLS_CTR_DRBG_KEYBITS            ( MBEDTLS_CTR_DRBG_KEYSIZE * 8 ) /**< The key size for the DRBG operation, in bits. */
+#define MBEDTLS_CTR_DRBG_SEEDLEN            ( MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE ) /**< The seed length, calculated as (counter + AES key). */
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them using the compiler command
+ * line.
+ * \{
+ */
+
+/** \def MBEDTLS_CTR_DRBG_ENTROPY_LEN
+ *
+ * \brief The amount of entropy used per seed by default, in bytes.
+ */
+#if !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+/** This is 48 bytes because the entropy module uses SHA-512
+ * (\c MBEDTLS_ENTROPY_FORCE_SHA256 is not set).
+ */
+#define MBEDTLS_CTR_DRBG_ENTROPY_LEN        48
+
+#else /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
+
+/** This is 32 bytes because the entropy module uses SHA-256
+ * (the SHA512 module is disabled or
+ * \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled).
+ *
+ * \warning To achieve a 256-bit security strength, you must pass a nonce
+ *           to mbedtls_ctr_drbg_seed().
+ */
+#define MBEDTLS_CTR_DRBG_ENTROPY_LEN        32
+#endif /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
+#endif /* !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) */
+
+#if !defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL)
+#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL    10000
+/**< The interval before reseed is performed by default. */
+#endif
+
+#if !defined(MBEDTLS_CTR_DRBG_MAX_INPUT)
+#define MBEDTLS_CTR_DRBG_MAX_INPUT          256
+/**< The maximum number of additional input Bytes. */
+#endif
+
+#if !defined(MBEDTLS_CTR_DRBG_MAX_REQUEST)
+#define MBEDTLS_CTR_DRBG_MAX_REQUEST        1024
+/**< The maximum number of requested Bytes per call. */
+#endif
+
+#if !defined(MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
+#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT     384
+/**< The maximum size of seed or reseed buffer in bytes. */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#define MBEDTLS_CTR_DRBG_PR_OFF             0
+/**< Prediction resistance is disabled. */
+#define MBEDTLS_CTR_DRBG_PR_ON              1
+/**< Prediction resistance is enabled. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          The CTR_DRBG context structure.
+ */
+typedef struct
+{
+    unsigned char counter[16];  /*!< The counter (V). */
+    int reseed_counter;         /*!< The reseed counter. */
+    int prediction_resistance;  /*!< This determines whether prediction
+                                     resistance is enabled, that is
+                                     whether to systematically reseed before
+                                     each random generation. */
+    size_t entropy_len;         /*!< The amount of entropy grabbed on each
+                                     seed or reseed operation. */
+    int reseed_interval;        /*!< The reseed interval. */
+
+    mbedtls_aes_context aes_ctx;        /*!< The AES context. */
+
+    /*
+     * Callbacks (Entropy)
+     */
+    int (*f_entropy)(void *, unsigned char *, size_t);
+                                /*!< The entropy callback function. */
+
+    void *p_entropy;            /*!< The context for the entropy function. */
+
+#if defined(MBEDTLS_THREADING_C)
+    /* Invariant: the mutex is initialized if and only if f_entropy != NULL.
+     * This means that the mutex is initialized during the initial seeding
+     * in mbedtls_ctr_drbg_seed() and freed in mbedtls_ctr_drbg_free().
+     *
+     * Note that this invariant may change without notice. Do not rely on it
+     * and do not access the mutex directly in application code.
+     */
+    mbedtls_threading_mutex_t mutex;
+#endif
+}
+mbedtls_ctr_drbg_context;
+
+/**
+ * \brief               This function initializes the CTR_DRBG context,
+ *                      and prepares it for mbedtls_ctr_drbg_seed()
+ *                      or mbedtls_ctr_drbg_free().
+ *
+ * \note                The reseed interval is
+ *                      #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default.
+ *                      You can override it by calling
+ *                      mbedtls_ctr_drbg_set_reseed_interval().
+ *
+ * \param ctx           The CTR_DRBG context to initialize.
+ */
+void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
+
+/**
+ * \brief               This function seeds and sets up the CTR_DRBG
+ *                      entropy source for future reseeds.
+ *
+ * A typical choice for the \p f_entropy and \p p_entropy parameters is
+ * to use the entropy module:
+ * - \p f_entropy is mbedtls_entropy_func();
+ * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
+ *   with mbedtls_entropy_init() (which registers the platform's default
+ *   entropy sources).
+ *
+ * The entropy length is #MBEDTLS_CTR_DRBG_ENTROPY_LEN by default.
+ * You can override it by calling mbedtls_ctr_drbg_set_entropy_len().
+ *
+ * You can provide a personalization string in addition to the
+ * entropy source, to make this instantiation as unique as possible.
+ *
+ * \note                The _seed_material_ value passed to the derivation
+ *                      function in the CTR_DRBG Instantiate Process
+ *                      described in NIST SP 800-90A §10.2.1.3.2
+ *                      is the concatenation of the string obtained from
+ *                      calling \p f_entropy and the \p custom string.
+ *                      The origin of the nonce depends on the value of
+ *                      the entropy length relative to the security strength.
+ *                      - If the entropy length is at least 1.5 times the
+ *                        security strength then the nonce is taken from the
+ *                        string obtained with \p f_entropy.
+ *                      - If the entropy length is less than the security
+ *                        strength, then the nonce is taken from \p custom.
+ *                        In this case, for compliance with SP 800-90A,
+ *                        you must pass a unique value of \p custom at
+ *                        each invocation. See SP 800-90A §8.6.7 for more
+ *                        details.
+ */
+#if MBEDTLS_CTR_DRBG_ENTROPY_LEN < MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
+/** \warning            When #MBEDTLS_CTR_DRBG_ENTROPY_LEN is less than
+ *                      48, to achieve a 256-bit security strength,
+ *                      you must pass a value of \p custom that is a nonce:
+ *                      this value must never be repeated in subsequent
+ *                      runs of the same application or on a different
+ *                      device.
+ */
+#endif
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note                When Mbed TLS is built with threading support,
+ *                      after this function returns successfully,
+ *                      it is safe to call mbedtls_ctr_drbg_random()
+ *                      from multiple threads. Other operations, including
+ *                      reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * \param ctx           The CTR_DRBG context to seed.
+ *                      It must have been initialized with
+ *                      mbedtls_ctr_drbg_init().
+ *                      After a successful call to mbedtls_ctr_drbg_seed(),
+ *                      you may not call mbedtls_ctr_drbg_seed() again on
+ *                      the same context unless you call
+ *                      mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init()
+ *                      again first.
+ *                      After a failed call to mbedtls_ctr_drbg_seed(),
+ *                      you must call mbedtls_ctr_drbg_free().
+ * \param f_entropy     The entropy callback, taking as arguments the
+ *                      \p p_entropy context, the buffer to fill, and the
+ *                      length of the buffer.
+ *                      \p f_entropy is always called with a buffer size
+ *                      equal to the entropy length.
+ * \param p_entropy     The entropy context to pass to \p f_entropy.
+ * \param custom        The personalization string.
+ *                      This can be \c NULL, in which case the personalization
+ *                      string is empty regardless of the value of \p len.
+ * \param len           The length of the personalization string.
+ *                      This must be at most
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+ *                      - #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
+ *
+ * \return              \c 0 on success, or
+ *                      #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
+ */
+int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
+                   int (*f_entropy)(void *, unsigned char *, size_t),
+                   void *p_entropy,
+                   const unsigned char *custom,
+                   size_t len );
+
+/**
+ * \brief               This function resets CTR_DRBG context to the state immediately
+ *                      after initial call of mbedtls_ctr_drbg_init().
+ *
+ * \param ctx           The CTR_DRBG context to clear.
+ */
+void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx );
+
+/**
+ * \brief               This function turns prediction resistance on or off.
+ *                      The default value is off.
+ *
+ * \note                If enabled, entropy is gathered at the beginning of
+ *                      every call to mbedtls_ctr_drbg_random_with_add()
+ *                      or mbedtls_ctr_drbg_random().
+ *                      Only use this if your entropy source has sufficient
+ *                      throughput.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param resistance    #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF.
+ */
+void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
+                                         int resistance );
+
+/**
+ * \brief               This function sets the amount of entropy grabbed on each
+ *                      seed or reseed.
+ *
+ * The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
+ *
+ * \note                The security strength of CTR_DRBG is bounded by the
+ *                      entropy length. Thus \p len must be at least
+ *                      32 (in bytes) to achieve a 256-bit strength.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param len           The amount of entropy to grab, in bytes.
+ *                      This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ */
+void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx,
+                               size_t len );
+
+/**
+ * \brief               This function sets the reseed interval.
+ *
+ * The reseed interval is the number of calls to mbedtls_ctr_drbg_random()
+ * or mbedtls_ctr_drbg_random_with_add() after which the entropy function
+ * is called again.
+ *
+ * The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param interval      The reseed interval.
+ */
+void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx,
+                                   int interval );
+
+/**
+ * \brief               This function reseeds the CTR_DRBG context, that is
+ *                      extracts data from the entropy source.
+ *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param additional    Additional data to add to the state. Can be \c NULL.
+ * \param len           The length of the additional data.
+ *                      This must be less than
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
+ *                      where \c entropy_len is the entropy length
+ *                      configured for the context.
+ *
+ * \return   \c 0 on success, or
+ *           #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
+ */
+int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
+                     const unsigned char *additional, size_t len );
+
+/**
+ * \brief               This function updates the state of the CTR_DRBG context.
+ *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param additional    The data to update the state with. This must not be
+ *                      \c NULL unless \p add_len is \c 0.
+ * \param add_len       Length of \p additional in bytes. This must be at
+ *                      most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if
+ *                      \p add_len is more than
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ * \return              An error from the underlying AES cipher on failure.
+ */
+int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
+                                 const unsigned char *additional,
+                                 size_t add_len );
+
+/**
+ * \brief               This function updates the state of the CTR_DRBG context.
+ *
+ * \warning             This function cannot report errors. You should use
+ *                      mbedtls_ctr_drbg_update_ret() instead.
+ *
+ * \note                If \p add_len is greater than
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
+ *                      The remaining Bytes are silently discarded.
+ *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param additional    The data to update the state with. This must not be
+ *                      \c NULL unless \p add_len is \c 0.
+ * \param add_len       Length of \p additional data. This must be at
+ *                      most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ */
+void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
+                              const unsigned char *additional,
+                              size_t add_len );
+
+/**
+ * \brief   This function updates a CTR_DRBG instance with additional
+ *          data and uses it to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
+ *
+ * \param p_rng         The CTR_DRBG context. This must be a pointer to a
+ *                      #mbedtls_ctr_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param output_len    The length of the buffer in bytes.
+ * \param additional    Additional data to update. Can be \c NULL, in which
+ *                      case the additional data is empty regardless of
+ *                      the value of \p add_len.
+ * \param add_len       The length of the additional data
+ *                      if \p additional is not \c NULL.
+ *                      This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT
+ *                      and less than
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
+ *                      where \c entropy_len is the entropy length
+ *                      configured for the context.
+ *
+ * \return    \c 0 on success.
+ * \return    #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
+ *            #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
+ */
+int mbedtls_ctr_drbg_random_with_add( void *p_rng,
+                              unsigned char *output, size_t output_len,
+                              const unsigned char *additional, size_t add_len );
+
+/**
+ * \brief   This function uses CTR_DRBG to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note                When Mbed TLS is built with threading support,
+ *                      it is safe to call mbedtls_ctr_drbg_random()
+ *                      from multiple threads. Other operations, including
+ *                      reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * \param p_rng         The CTR_DRBG context. This must be a pointer to a
+ *                      #mbedtls_ctr_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param output_len    The length of the buffer in bytes.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
+ *                      #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
+ */
+int mbedtls_ctr_drbg_random( void *p_rng,
+                     unsigned char *output, size_t output_len );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief               This function writes a seed file.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on reseed
+ *                      failure.
+ */
+int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path );
+
+/**
+ * \brief               This function reads and updates a seed file. The seed
+ *                      is added to this instance.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on
+ *                      reseed failure.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if the existing
+ *                      seed file is too large.
+ */
+int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief               The CTR_DRBG checkup routine.
+ *
+ * \return              \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_ctr_drbg_self_test( int verbose );
+
+/* Internal functions (do not call directly) */
+int mbedtls_ctr_drbg_seed_entropy_len( mbedtls_ctr_drbg_context *,
+                               int (*)(void *, unsigned char *, size_t), void *,
+                               const unsigned char *, size_t, size_t );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ctr_drbg.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/debug.h b/third-party/mbedtls-3.6/include/mbedtls/debug.h
new file mode 100644
index 00000000..efc7e9ff
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/debug.h
@@ -0,0 +1,254 @@
+/**
+ * \file debug.h
+ *
+ * \brief Functions for controlling and providing debug output from the library.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_DEBUG_H
+#define MBEDTLS_DEBUG_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+
+#if defined(MBEDTLS_ECP_C)
+#include "ecp.h"
+#endif
+
+#if defined(MBEDTLS_DEBUG_C)
+
+#define MBEDTLS_DEBUG_STRIP_PARENS( ... )   __VA_ARGS__
+
+#define MBEDTLS_SSL_DEBUG_MSG( level, args )                    \
+    mbedtls_debug_print_msg( ssl, level, __FILE__, __LINE__,    \
+                             MBEDTLS_DEBUG_STRIP_PARENS args )
+
+#define MBEDTLS_SSL_DEBUG_RET( level, text, ret )                \
+    mbedtls_debug_print_ret( ssl, level, __FILE__, __LINE__, text, ret )
+
+#define MBEDTLS_SSL_DEBUG_BUF( level, text, buf, len )           \
+    mbedtls_debug_print_buf( ssl, level, __FILE__, __LINE__, text, buf, len )
+
+#if defined(MBEDTLS_BIGNUM_C)
+#define MBEDTLS_SSL_DEBUG_MPI( level, text, X )                  \
+    mbedtls_debug_print_mpi( ssl, level, __FILE__, __LINE__, text, X )
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#define MBEDTLS_SSL_DEBUG_ECP( level, text, X )                  \
+    mbedtls_debug_print_ecp( ssl, level, __FILE__, __LINE__, text, X )
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt )                \
+    mbedtls_debug_print_crt( ssl, level, __FILE__, __LINE__, text, crt )
+#endif
+
+#else /* MBEDTLS_DEBUG_C */
+
+#define MBEDTLS_SSL_DEBUG_MSG( level, args )            do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_RET( level, text, ret )       do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_BUF( level, text, buf, len )  do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_MPI( level, text, X )         do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_ECP( level, text, X )         do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt )       do { } while( 0 )
+
+#endif /* MBEDTLS_DEBUG_C */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   Set the threshold error level to handle globally all debug output.
+ *          Debug messages that have a level over the threshold value are
+ *          discarded.
+ *          (Default value: 0 = No debug )
+ *
+ * \param threshold     theshold level of messages to filter on. Messages at a
+ *                      higher level will be discarded.
+ *                          - Debug levels
+ *                              - 0 No debug
+ *                              - 1 Error
+ *                              - 2 State change
+ *                              - 3 Informational
+ *                              - 4 Verbose
+ */
+void mbedtls_debug_set_threshold( int threshold );
+
+/**
+ * \brief    Print a message to the debug output. This function is always used
+ *          through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
+ *          context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the message has occurred in
+ * \param line      line number the message has occurred at
+ * \param format    format specifier, in printf format
+ * \param ...       variables used by the format specifier
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
+                              const char *file, int line,
+                              const char *format, ... );
+
+/**
+ * \brief   Print the return value of a function to the debug output. This
+ *          function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
+ *          which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      the name of the function that returned the error
+ * \param ret       the return code value
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, int ret );
+
+/**
+ * \brief   Output a buffer of size len bytes to the debug output. This function
+ *          is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
+ *          which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the buffer being dumped. Normally the
+ *                  variable or buffer name
+ * \param buf       the buffer to be outputted
+ * \param len       length of the buffer
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line, const char *text,
+                      const unsigned char *buf, size_t len );
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief   Print a MPI variable to the debug output. This function is always
+ *          used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
+ *          ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the MPI being output. Normally the
+ *                  variable name
+ * \param X         the MPI variable
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_mpi *X );
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * \brief   Print an ECP point to the debug output. This function is always
+ *          used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
+ *          ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the ECP point being output. Normally the
+ *                  variable name
+ * \param X         the ECP point
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_ecp_point *X );
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief   Print a X.509 certificate structure to the debug output. This
+ *          function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
+ *          which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the certificate being output
+ * \param crt       X.509 certificate structure
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_x509_crt *crt );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* debug.h */
+
diff --git a/third-party/mbedtls-3.6/include/mbedtls/des.h b/third-party/mbedtls-3.6/include/mbedtls/des.h
new file mode 100644
index 00000000..b04ad170
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/des.h
@@ -0,0 +1,382 @@
+/**
+ * \file des.h
+ *
+ * \brief DES block cipher
+ *
+ * \warning   DES is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers
+ *            instead.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ *
+ */
+#ifndef MBEDTLS_DES_H
+#define MBEDTLS_DES_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_DES_ENCRYPT     1
+#define MBEDTLS_DES_DECRYPT     0
+
+#define MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH              -0x0032  /**< The data input has an invalid length. */
+#define MBEDTLS_ERR_DES_HW_ACCEL_FAILED                   -0x0033  /**< DES hardware accelerator failed. */
+
+#define MBEDTLS_DES_KEY_SIZE    8
+
+#if !defined(MBEDTLS_DES_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          DES context structure
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+typedef struct
+{
+    uint32_t sk[32];            /*!<  DES subkeys       */
+}
+mbedtls_des_context;
+
+/**
+ * \brief          Triple-DES context structure
+ */
+typedef struct
+{
+    uint32_t sk[96];            /*!<  3DES subkeys      */
+}
+mbedtls_des3_context;
+
+/**
+ * \brief          Initialize DES context
+ *
+ * \param ctx      DES context to be initialized
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+void mbedtls_des_init( mbedtls_des_context *ctx );
+
+/**
+ * \brief          Clear DES context
+ *
+ * \param ctx      DES context to be cleared
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+void mbedtls_des_free( mbedtls_des_context *ctx );
+
+/**
+ * \brief          Initialize Triple-DES context
+ *
+ * \param ctx      DES3 context to be initialized
+ */
+void mbedtls_des3_init( mbedtls_des3_context *ctx );
+
+/**
+ * \brief          Clear Triple-DES context
+ *
+ * \param ctx      DES3 context to be cleared
+ */
+void mbedtls_des3_free( mbedtls_des3_context *ctx );
+
+/**
+ * \brief          Set key parity on the given key to odd.
+ *
+ *                 DES keys are 56 bits long, but each byte is padded with
+ *                 a parity bit to allow verification.
+ *
+ * \param key      8-byte secret key
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          Check that key parity on the given key is odd.
+ *
+ *                 DES keys are 56 bits long, but each byte is padded with
+ *                 a parity bit to allow verification.
+ *
+ * \param key      8-byte secret key
+ *
+ * \return         0 is parity was ok, 1 if parity was not correct.
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          Check that key is not a weak or semi-weak DES key
+ *
+ * \param key      8-byte secret key
+ *
+ * \return         0 if no weak key was found, 1 if a weak key was identified.
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          DES key schedule (56-bit, encryption)
+ *
+ * \param ctx      DES context to be initialized
+ * \param key      8-byte secret key
+ *
+ * \return         0
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          DES key schedule (56-bit, decryption)
+ *
+ * \param ctx      DES context to be initialized
+ * \param key      8-byte secret key
+ *
+ * \return         0
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          Triple-DES key schedule (112-bit, encryption)
+ *
+ * \param ctx      3DES context to be initialized
+ * \param key      16-byte secret key
+ *
+ * \return         0
+ */
+int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] );
+
+/**
+ * \brief          Triple-DES key schedule (112-bit, decryption)
+ *
+ * \param ctx      3DES context to be initialized
+ * \param key      16-byte secret key
+ *
+ * \return         0
+ */
+int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] );
+
+/**
+ * \brief          Triple-DES key schedule (168-bit, encryption)
+ *
+ * \param ctx      3DES context to be initialized
+ * \param key      24-byte secret key
+ *
+ * \return         0
+ */
+int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] );
+
+/**
+ * \brief          Triple-DES key schedule (168-bit, decryption)
+ *
+ * \param ctx      3DES context to be initialized
+ * \param key      24-byte secret key
+ *
+ * \return         0
+ */
+int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] );
+
+/**
+ * \brief          DES-ECB block encryption/decryption
+ *
+ * \param ctx      DES context
+ * \param input    64-bit input block
+ * \param output   64-bit output block
+ *
+ * \return         0 if successful
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
+                    const unsigned char input[8],
+                    unsigned char output[8] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          DES-CBC buffer encryption/decryption
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      DES context
+ * \param mode     MBEDTLS_DES_ENCRYPT or MBEDTLS_DES_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[8],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/**
+ * \brief          3DES-ECB block encryption/decryption
+ *
+ * \param ctx      3DES context
+ * \param input    64-bit input block
+ * \param output   64-bit output block
+ *
+ * \return         0 if successful
+ */
+int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
+                     const unsigned char input[8],
+                     unsigned char output[8] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          3DES-CBC buffer encryption/decryption
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      3DES context
+ * \param mode     MBEDTLS_DES_ENCRYPT or MBEDTLS_DES_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
+ */
+int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
+                     int mode,
+                     size_t length,
+                     unsigned char iv[8],
+                     const unsigned char *input,
+                     unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/**
+ * \brief          Internal function for key expansion.
+ *                 (Only exposed to allow overriding it,
+ *                 see MBEDTLS_DES_SETKEY_ALT)
+ *
+ * \param SK       Round keys
+ * \param key      Base key
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+void mbedtls_des_setkey( uint32_t SK[32],
+                         const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_DES_ALT */
+#include "des_alt.h"
+#endif /* MBEDTLS_DES_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_des_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* des.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/dhm.h b/third-party/mbedtls-3.6/include/mbedtls/dhm.h
new file mode 100644
index 00000000..233b1f20
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/dhm.h
@@ -0,0 +1,1086 @@
+/**
+ * \file dhm.h
+ *
+ * \brief Diffie-Hellman-Merkle key exchange.
+ *
+ * <em>RFC-3526: More Modular Exponential (MODP) Diffie-Hellman groups for
+ * Internet Key Exchange (IKE)</em> defines a number of standardized
+ * Diffie-Hellman groups for IKE.
+ *
+ * <em>RFC-5114: Additional Diffie-Hellman Groups for Use with IETF
+ * Standards</em> defines a number of standardized Diffie-Hellman
+ * groups that can be used.
+ *
+ * \warning  The security of the DHM key exchange relies on the proper choice
+ *           of prime modulus - optimally, it should be a safe prime. The usage
+ *           of non-safe primes both decreases the difficulty of the underlying
+ *           discrete logarithm problem and can lead to small subgroup attacks
+ *           leaking private exponent bits when invalid public keys are used
+ *           and not detected. This is especially relevant if the same DHM
+ *           parameters are reused for multiple key exchanges as in static DHM,
+ *           while the criticality of small-subgroup attacks is lower for
+ *           ephemeral DHM.
+ *
+ * \warning  For performance reasons, the code does neither perform primality
+ *           nor safe primality tests, nor the expensive checks for invalid
+ *           subgroups. Moreover, even if these were performed, non-standardized
+ *           primes cannot be trusted because of the possibility of backdoors
+ *           that can't be effectively checked for.
+ *
+ * \warning  Diffie-Hellman-Merkle is therefore a security risk when not using
+ *           standardized primes generated using a trustworthy ("nothing up
+ *           my sleeve") method, such as the RFC 3526 / 7919 primes. In the TLS
+ *           protocol, DH parameters need to be negotiated, so using the default
+ *           primes systematically is not always an option. If possible, use
+ *           Elliptic Curve Diffie-Hellman (ECDH), which has better performance,
+ *           and for which the TLS protocol mandates the use of standard
+ *           parameters.
+ *
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_DHM_H
+#define MBEDTLS_DHM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+#include "bignum.h"
+#if !defined(MBEDTLS_DHM_ALT)
+
+/*
+ * DHM Error codes
+ */
+#define MBEDTLS_ERR_DHM_BAD_INPUT_DATA                    -0x3080  /**< Bad input parameters. */
+#define MBEDTLS_ERR_DHM_READ_PARAMS_FAILED                -0x3100  /**< Reading of the DHM parameters failed. */
+#define MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED                -0x3180  /**< Making of the DHM parameters failed. */
+#define MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED                -0x3200  /**< Reading of the public values failed. */
+#define MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED                -0x3280  /**< Making of the public value failed. */
+#define MBEDTLS_ERR_DHM_CALC_SECRET_FAILED                -0x3300  /**< Calculation of the DHM secret failed. */
+#define MBEDTLS_ERR_DHM_INVALID_FORMAT                    -0x3380  /**< The ASN.1 data is not formatted correctly. */
+#define MBEDTLS_ERR_DHM_ALLOC_FAILED                      -0x3400  /**< Allocation of memory failed. */
+#define MBEDTLS_ERR_DHM_FILE_IO_ERROR                     -0x3480  /**< Read or write of file failed. */
+#define MBEDTLS_ERR_DHM_HW_ACCEL_FAILED                   -0x3500  /**< DHM hardware accelerator failed. */
+#define MBEDTLS_ERR_DHM_SET_GROUP_FAILED                  -0x3580  /**< Setting the modulus and generator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          The DHM context structure.
+ */
+typedef struct
+{
+    size_t len;         /*!<  The size of \p P in Bytes. */
+    mbedtls_mpi P;      /*!<  The prime modulus. */
+    mbedtls_mpi G;      /*!<  The generator. */
+    mbedtls_mpi X;      /*!<  Our secret value. */
+    mbedtls_mpi GX;     /*!<  Our public key = \c G^X mod \c P. */
+    mbedtls_mpi GY;     /*!<  The public key of the peer = \c G^Y mod \c P. */
+    mbedtls_mpi K;      /*!<  The shared secret = \c G^(XY) mod \c P. */
+    mbedtls_mpi RP;     /*!<  The cached value = \c R^2 mod \c P. */
+    mbedtls_mpi Vi;     /*!<  The blinding value. */
+    mbedtls_mpi Vf;     /*!<  The unblinding value. */
+    mbedtls_mpi pX;     /*!<  The previous \c X. */
+}
+mbedtls_dhm_context;
+
+/**
+ * \brief          This function initializes the DHM context.
+ *
+ * \param ctx      The DHM context to initialize.
+ */
+void mbedtls_dhm_init( mbedtls_dhm_context *ctx );
+
+/**
+ * \brief          This function parses the ServerKeyExchange parameters.
+ *
+ * \param ctx      The DHM context.
+ * \param p        On input, *p must be the start of the input buffer.
+ *                 On output, *p is updated to point to the end of the data
+ *                 that has been read. On success, this is the first byte
+ *                 past the end of the ServerKeyExchange parameters.
+ *                 On error, this is the point at which an error has been
+ *                 detected, which is usually not useful except to debug
+ *                 failures.
+ * \param end      The end of the input buffer.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
+ *                 on failure.
+ */
+int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
+                     unsigned char **p,
+                     const unsigned char *end );
+
+/**
+ * \brief          This function sets up and writes the ServerKeyExchange
+ *                 parameters.
+ *
+ * \param ctx      The DHM context.
+ * \param x_size   The private value size in Bytes.
+ * \param olen     The number of characters written.
+ * \param output   The destination buffer.
+ * \param f_rng    The RNG function.
+ * \param p_rng    The RNG parameter.
+ *
+ * \note           The destination buffer must be large enough to hold
+ *                 the reduced binary presentation of the modulus, the generator
+ *                 and the public key, each wrapped with a 2-byte length field.
+ *                 It is the responsibility of the caller to ensure that enough
+ *                 space is available. Refer to \c mbedtls_mpi_size to computing
+ *                 the byte-size of an MPI.
+ *
+ * \note           This function assumes that \c ctx->P and \c ctx->G
+ *                 have already been properly set. For that, use
+ *                 mbedtls_dhm_set_group() below in conjunction with
+ *                 mbedtls_mpi_read_binary() and mbedtls_mpi_read_string().
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
+ *                 on failure.
+ */
+int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
+                     unsigned char *output, size_t *olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief          Set prime modulus and generator
+ *
+ * \param ctx      The DHM context.
+ * \param P        The MPI holding DHM prime modulus.
+ * \param G        The MPI holding DHM generator.
+ *
+ * \note           This function can be used to set P, G
+ *                 in preparation for \c mbedtls_dhm_make_params.
+ *
+ * \return         \c 0 if successful, or an \c MBEDTLS_ERR_DHM_XXX error code
+ *                 on failure.
+ */
+int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx,
+                           const mbedtls_mpi *P,
+                           const mbedtls_mpi *G );
+
+/**
+ * \brief          This function imports the public value G^Y of the peer.
+ *
+ * \param ctx      The DHM context.
+ * \param input    The input buffer.
+ * \param ilen     The size of the input buffer.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
+ *                 on failure.
+ */
+int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx,
+                     const unsigned char *input, size_t ilen );
+
+/**
+ * \brief          This function creates its own private value \c X and
+ *                 exports \c G^X.
+ *
+ * \param ctx      The DHM context.
+ * \param x_size   The private value size in Bytes.
+ * \param output   The destination buffer.
+ * \param olen     The length of the destination buffer. Must be at least
+                   equal to ctx->len (the size of \c P).
+ * \param f_rng    The RNG function.
+ * \param p_rng    The RNG parameter.
+ *
+ * \note           The destination buffer will always be fully written
+ *                 so as to contain a big-endian presentation of G^X mod P.
+ *                 If it is larger than ctx->len, it will accordingly be
+ *                 padded with zero-bytes in the beginning.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
+ *                 on failure.
+ */
+int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
+                     unsigned char *output, size_t olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief               This function derives and exports the shared secret
+ *                      \c (G^Y)^X mod \c P.
+ *
+ * \param ctx           The DHM context.
+ * \param output        The destination buffer.
+ * \param output_size   The size of the destination buffer. Must be at least
+ *                      the size of ctx->len.
+ * \param olen          On exit, holds the actual number of Bytes written.
+ * \param f_rng         The RNG function, for blinding purposes.
+ * \param p_rng         The RNG parameter.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
+ *                 on failure.
+ *
+ * \note           If non-NULL, \p f_rng is used to blind the input as
+ *                 a countermeasure against timing attacks. Blinding is used
+ *                 only if our secret value \p X is re-used and omitted
+ *                 otherwise. Therefore, we recommend always passing a
+ *                 non-NULL \p f_rng argument.
+ */
+int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
+                     unsigned char *output, size_t output_size, size_t *olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief          This function frees and clears the components of a DHM key.
+ *
+ * \param ctx      The DHM context to free and clear.
+ */
+void mbedtls_dhm_free( mbedtls_dhm_context *ctx );
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+/** \ingroup x509_module */
+/**
+ * \brief             This function parses DHM parameters in PEM or DER format.
+ *
+ * \param dhm         The DHM context to initialize.
+ * \param dhmin       The input buffer.
+ * \param dhminlen    The size of the buffer, including the terminating null
+ *                    Byte for PEM data.
+ *
+ * \return            \c 0 on success, or a specific DHM or PEM error code
+ *                    on failure.
+ */
+int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
+                   size_t dhminlen );
+
+#if defined(MBEDTLS_FS_IO)
+/** \ingroup x509_module */
+/**
+ * \brief          This function loads and parses DHM parameters from a file.
+ *
+ * \param dhm      The DHM context to load the parameters to.
+ * \param path     The filename to read the DHM parameters from.
+ *
+ * \return         \c 0 on success, or a specific DHM or PEM error code
+ *                 on failure.
+ */
+int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path );
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else /* MBEDTLS_DHM_ALT */
+#include "dhm_alt.h"
+#endif /* MBEDTLS_DHM_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          The DMH checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_dhm_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+/**
+ * RFC 3526, RFC 5114 and RFC 7919 standardize a number of
+ * Diffie-Hellman groups, some of which are included here
+ * for use within the SSL/TLS module and the user's convenience
+ * when configuring the Diffie-Hellman parameters by hand
+ * through \c mbedtls_ssl_conf_dh_param.
+ *
+ * The following lists the source of the above groups in the standards:
+ * - RFC 5114 section 2.2:  2048-bit MODP Group with 224-bit Prime Order Subgroup
+ * - RFC 3526 section 3:    2048-bit MODP Group
+ * - RFC 3526 section 4:    3072-bit MODP Group
+ * - RFC 3526 section 5:    4096-bit MODP Group
+ * - RFC 7919 section A.1:  ffdhe2048
+ * - RFC 7919 section A.2:  ffdhe3072
+ * - RFC 7919 section A.3:  ffdhe4096
+ * - RFC 7919 section A.4:  ffdhe6144
+ * - RFC 7919 section A.5:  ffdhe8192
+ *
+ * The constants with suffix "_p" denote the chosen prime moduli, while
+ * the constants with suffix "_g" denote the chosen generator
+ * of the associated prime field.
+ *
+ * The constants further suffixed with "_bin" are provided in binary format,
+ * while all other constants represent null-terminated strings holding the
+ * hexadecimal presentation of the respective numbers.
+ *
+ * The primes from RFC 3526 and RFC 7919 have been generating by the following
+ * trust-worthy procedure:
+ * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number
+ *   the first and last 64 bits are all 1, and the remaining N - 128 bits of
+ *   which are 0x7ff...ff.
+ * - Add the smallest multiple of the first N - 129 bits of the binary expansion
+ *   of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string
+ *   such that the resulting integer is a safe-prime.
+ * - The result is the respective RFC 3526 / 7919 prime, and the corresponding
+ *   generator is always chosen to be 2 (which is a square for these prime,
+ *   hence the corresponding subgroup has order (p-1)/2 and avoids leaking a
+ *   bit in the private exponent).
+ *
+ */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+MBEDTLS_DEPRECATED typedef char const * mbedtls_deprecated_constant_t;
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL )       \
+    ( (mbedtls_deprecated_constant_t) ( VAL ) )
+#else
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL
+#endif /* ! MBEDTLS_DEPRECATED_WARNING */
+
+/**
+ * \warning The origin of the primes in RFC 5114 is not documented and
+ *          their use therefore constitutes a security risk!
+ *
+ * \deprecated The hex-encoded primes from RFC 5114 are deprecated and are
+ *             likely to be removed in a future version of the library without
+ *             replacement.
+ */
+
+/**
+ * The hexadecimal presentation of the prime underlying the
+ * 2048-bit MODP Group with 224-bit Prime Order Subgroup, as defined
+ * in <em>RFC-5114: Additional Diffie-Hellman Groups for Use with
+ * IETF Standards</em>.
+ */
+#define MBEDTLS_DHM_RFC5114_MODP_2048_P                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1"      \
+        "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15"      \
+        "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212"      \
+        "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207"      \
+        "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708"      \
+        "B3BF8A317091883681286130BC8985DB1602E714415D9330"      \
+        "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D"      \
+        "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8"      \
+        "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763"      \
+        "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71"      \
+        "CF9DE5384E71B81C0AC4DFFE0C10E64F" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
+ * Group with 224-bit Prime Order Subgroup, as defined in <em>RFC-5114:
+ * Additional Diffie-Hellman Groups for Use with IETF Standards</em>.
+ */
+#define MBEDTLS_DHM_RFC5114_MODP_2048_G                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF"      \
+        "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA"      \
+        "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7"      \
+        "C17669101999024AF4D027275AC1348BB8A762D0521BC98A"      \
+        "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE"      \
+        "F180EB34118E98D119529A45D6F834566E3025E316A330EF"      \
+        "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB"      \
+        "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381"      \
+        "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269"      \
+        "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179"      \
+        "81BC087F2A7065B384B890D3191F2BFA" )
+
+/**
+ * The hexadecimal presentation of the prime underlying the 2048-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ *
+ * \deprecated The hex-encoded primes from RFC 3625 are deprecated and
+ *             superseded by the corresponding macros providing them as
+ *             binary constants. Their hex-encoded constants are likely
+ *             to be removed in a future version of the library.
+ *
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_2048_P                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"      \
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"      \
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"      \
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"      \
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"      \
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"      \
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"      \
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"      \
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"      \
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"      \
+        "15728E5A8AACAA68FFFFFFFFFFFFFFFF" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_2048_G                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+
+/**
+ * The hexadecimal presentation of the prime underlying the 3072-bit MODP
+ * Group, as defined in <em>RFC-3072: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_3072_P                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"      \
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"      \
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"      \
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"      \
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"      \
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"      \
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"      \
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"      \
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"      \
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"      \
+        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"      \
+        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"      \
+        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"      \
+        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"      \
+        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"      \
+        "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 3072-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_3072_G                      \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+
+/**
+ * The hexadecimal presentation of the prime underlying the 4096-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_4096_P                      \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                      \
+        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"   \
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"   \
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"   \
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"   \
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"   \
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"   \
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"   \
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"   \
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"   \
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"   \
+        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"   \
+        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"   \
+        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"   \
+        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"   \
+        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"   \
+        "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7"   \
+        "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA"   \
+        "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6"   \
+        "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED"   \
+        "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9"   \
+        "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199"   \
+        "FFFFFFFFFFFFFFFF" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 4096-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_4096_G                      \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * Trustworthy DHM parameters in binary form
+ */
+
+#define MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
+     0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
+     0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
+     0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
+     0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
+     0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
+     0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
+     0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
+     0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
+     0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
+     0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
+     0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
+     0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
+     0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
+     0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
+     0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
+     0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
+     0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
+     0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
+     0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
+     0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
+     0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
+     0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
+     0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
+     0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
+     0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
+     0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
+     0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
+     0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
+     0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC3526_MODP_3072_P_BIN {       \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+    0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
+    0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
+    0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
+    0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
+    0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
+    0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
+    0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
+    0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
+    0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
+    0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
+    0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
+    0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
+    0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
+    0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
+    0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
+    0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
+    0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
+    0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
+    0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
+    0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
+    0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
+    0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
+    0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
+    0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
+    0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
+    0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
+    0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
+    0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
+    0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
+    0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, \
+    0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, \
+    0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, \
+    0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, \
+    0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, \
+    0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, \
+    0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, \
+    0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, \
+    0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, \
+    0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, \
+    0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, \
+    0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, \
+    0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, \
+    0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, \
+    0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, \
+    0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, \
+    0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_3072_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC3526_MODP_4096_P_BIN  {       \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,  \
+    0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,  \
+    0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,  \
+    0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,  \
+    0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,  \
+    0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,  \
+    0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,  \
+    0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,  \
+    0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,  \
+    0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,  \
+    0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,  \
+    0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,  \
+    0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,  \
+    0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,  \
+    0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,  \
+    0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,  \
+    0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,  \
+    0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,  \
+    0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,  \
+    0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,  \
+    0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,  \
+    0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,  \
+    0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,  \
+    0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,  \
+    0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,  \
+    0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,  \
+    0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,  \
+    0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,  \
+    0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,  \
+    0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,  \
+    0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D,  \
+    0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,  \
+    0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,  \
+    0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,  \
+    0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D,  \
+    0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,  \
+    0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7,  \
+    0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,  \
+    0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,  \
+    0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,  \
+    0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64,  \
+    0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,  \
+    0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C,  \
+    0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,  \
+    0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,  \
+    0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,  \
+    0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01,  \
+    0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,  \
+    0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26,  \
+    0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C,  \
+    0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,  \
+    0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8,  \
+    0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9,  \
+    0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,  \
+    0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D,  \
+    0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2,  \
+    0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,  \
+    0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF,  \
+    0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C,  \
+    0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,  \
+    0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1,  \
+    0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F,  \
+    0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99,  \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_4096_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN { \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0xC6, 0x2E, 0x37, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+     0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+     0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+     0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+     0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+     0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+     0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+     0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+     0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+     0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+     0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+     0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+     0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+     0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+     0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+     0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+     0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+     0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+     0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+     0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+     0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+     0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+     0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+     0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+     0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+     0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+     0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+     0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+     0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+     0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+     0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+     0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+     0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \
+     0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \
+     0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \
+     0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \
+     0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \
+     0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \
+     0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \
+     0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \
+     0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \
+     0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \
+     0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \
+     0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \
+     0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \
+     0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \
+     0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \
+     0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \
+     0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \
+     0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \
+     0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \
+     0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \
+     0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \
+     0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \
+     0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \
+     0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \
+     0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \
+     0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \
+     0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \
+     0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \
+     0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \
+     0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \
+     0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \
+     0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \
+     0xA4, 0x0E, 0x32, 0x9C, 0xD0, 0xE4, 0x0E, 0x65, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+     0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+     0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+     0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+     0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+     0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+     0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+     0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+     0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+     0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+     0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+     0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+     0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+     0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+     0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+     0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+     0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \
+     0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \
+     0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \
+     0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \
+     0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \
+     0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \
+     0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \
+     0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \
+     0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \
+     0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \
+     0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \
+     0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \
+     0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \
+     0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \
+     0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \
+     0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \
+     0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \
+     0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \
+     0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \
+     0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \
+     0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \
+     0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \
+     0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \
+     0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \
+     0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \
+     0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \
+     0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \
+     0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \
+     0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \
+     0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \
+     0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \
+     0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \
+     0xA4, 0x0E, 0x32, 0x9C, 0xCF, 0xF4, 0x6A, 0xAA, \
+     0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38, \
+     0x1E, 0x42, 0x5A, 0x31, 0xD9, 0x51, 0xAE, 0x64, \
+     0xFD, 0xB2, 0x3F, 0xCE, 0xC9, 0x50, 0x9D, 0x43, \
+     0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E, \
+     0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF, \
+     0x86, 0xB6, 0x31, 0x42, 0xA3, 0xAB, 0x88, 0x29, \
+     0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65, \
+     0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02, \
+     0x29, 0x38, 0x88, 0x39, 0xD2, 0xAF, 0x05, 0xE4, \
+     0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82, \
+     0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C, \
+     0x59, 0x16, 0x0C, 0xC0, 0x46, 0xFD, 0x82, 0x51, \
+     0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22, \
+     0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74, \
+     0x51, 0xA8, 0xA9, 0x31, 0x09, 0x70, 0x3F, 0xEE, \
+     0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C, \
+     0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC, \
+     0x99, 0xE9, 0xE3, 0x16, 0x50, 0xC1, 0x21, 0x7B, \
+     0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9, \
+     0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0, \
+     0xA1, 0xFE, 0x30, 0x75, 0xA5, 0x77, 0xE2, 0x31, \
+     0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57, \
+     0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8, \
+     0xB6, 0x85, 0x5D, 0xFE, 0x72, 0xB0, 0xA6, 0x6E, \
+     0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30, \
+     0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E, \
+     0x2F, 0x74, 0x1E, 0xF8, 0xC1, 0xFE, 0x86, 0xFE, \
+     0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D, \
+     0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D, \
+     0x08, 0x22, 0xE5, 0x06, 0xA9, 0xF4, 0x61, 0x4E, \
+     0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C, \
+     0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN { 0x02 }
+
+#endif /* dhm.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ecdh.h b/third-party/mbedtls-3.6/include/mbedtls/ecdh.h
new file mode 100644
index 00000000..e937c899
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ecdh.h
@@ -0,0 +1,308 @@
+/**
+ * \file ecdh.h
+ *
+ * \brief The Elliptic Curve Diffie-Hellman (ECDH) protocol APIs.
+ *
+ * ECDH is an anonymous key agreement protocol allowing two parties to
+ * establish a shared secret over an insecure channel. Each party must have an
+ * elliptic-curve public–private key pair.
+ *
+ * For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for
+ * Pair-Wise Key Establishment Schemes Using Discrete Logarithm
+ * Cryptography</em>.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_ECDH_H
+#define MBEDTLS_ECDH_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ecp.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Defines the source of the imported EC key:
+ * <ul><li>Our key.</li>
+ * <li>The key of the peer.</li></ul>
+ */
+typedef enum
+{
+    MBEDTLS_ECDH_OURS,
+    MBEDTLS_ECDH_THEIRS,
+} mbedtls_ecdh_side;
+
+/**
+ * \brief           The ECDH context structure.
+ */
+typedef struct
+{
+    mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
+    mbedtls_mpi d;           /*!< The private key. */
+    mbedtls_ecp_point Q;     /*!< The public key. */
+    mbedtls_ecp_point Qp;    /*!< The value of the public key of the peer. */
+    mbedtls_mpi z;           /*!< The shared secret. */
+    int point_format;        /*!< The format of point export in TLS messages. */
+    mbedtls_ecp_point Vi;    /*!< The blinding value. */
+    mbedtls_ecp_point Vf;    /*!< The unblinding value. */
+    mbedtls_mpi _d;          /*!< The previous \p d. */
+}
+mbedtls_ecdh_context;
+
+/**
+ * \brief           This function generates an ECDH keypair on an elliptic
+ *                  curve.
+ *
+ *                  This function performs the first of two core computations
+ *                  implemented during the ECDH key exchange. The second core
+ *                  computation is performed by mbedtls_ecdh_compute_shared().
+ *
+ * \param grp       The ECP group.
+ * \param d         The destination MPI (private key).
+ * \param Q         The destination point (public key).
+ * \param f_rng     The RNG function.
+ * \param p_rng     The RNG parameter.
+ *
+ * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX or
+ *                  \c MBEDTLS_MPI_XXX error code on failure.
+ *
+ * \see             ecp.h
+ */
+int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief           This function computes the shared secret.
+ *
+ *                  This function performs the second of two core computations
+ *                  implemented during the ECDH key exchange. The first core
+ *                  computation is performed by mbedtls_ecdh_gen_public().
+ *
+ * \param grp       The ECP group.
+ * \param z         The destination MPI (shared secret).
+ * \param Q         The public key from another party.
+ * \param d         Our secret exponent (private key).
+ * \param f_rng     The RNG function.
+ * \param p_rng     The RNG parameter.
+ *
+ * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX or
+ *                  \c MBEDTLS_MPI_XXX error code on failure.
+ *
+ * \see             ecp.h
+ *
+ * \note            If \p f_rng is not NULL, it is used to implement
+ *                  countermeasures against potential elaborate timing
+ *                  attacks. For more information, see mbedtls_ecp_mul().
+ */
+int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
+                         const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng );
+
+/**
+ * \brief           This function initializes an ECDH context.
+ *
+ * \param ctx       The ECDH context to initialize.
+ */
+void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx );
+
+/**
+ * \brief           This function frees a context.
+ *
+ * \param ctx       The context to free.
+ */
+void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx );
+
+/**
+ * \brief           This function generates a public key and a TLS
+ *                  ServerKeyExchange payload.
+ *
+ *                  This is the first function used by a TLS server for ECDHE
+ *                  ciphersuites.
+ *
+ * \param ctx       The ECDH context.
+ * \param olen      The number of characters written.
+ * \param buf       The destination buffer.
+ * \param blen      The length of the destination buffer.
+ * \param f_rng     The RNG function.
+ * \param p_rng     The RNG parameter.
+ *
+ * \note            This function assumes that the ECP group (grp) of the
+ *                  \p ctx context has already been properly set,
+ *                  for example, using mbedtls_ecp_group_load().
+ *
+ * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code
+ *                  on failure.
+ *
+ * \see             ecp.h
+ */
+int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
+                      unsigned char *buf, size_t blen,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+/**
+ * \brief           This function parses and processes a TLS ServerKeyExhange
+ *                  payload.
+ *
+ *                  This is the first function used by a TLS client for ECDHE
+ *                  ciphersuites.
+ *
+ * \param ctx       The ECDH context.
+ * \param buf       The pointer to the start of the input buffer.
+ * \param end       The address for one Byte past the end of the buffer.
+ *
+ * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code
+ *                  on failure.
+ *
+ * \see             ecp.h
+ */
+int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
+                      const unsigned char **buf, const unsigned char *end );
+
+/**
+ * \brief           This function sets up an ECDH context from an EC key.
+ *
+ *                  It is used by clients and servers in place of the
+ *                  ServerKeyEchange for static ECDH, and imports ECDH
+ *                  parameters from the EC key information of a certificate.
+ *
+ * \param ctx       The ECDH context to set up.
+ * \param key       The EC key to use.
+ * \param side      Defines the source of the key:
+ *                  <ul><li>1: Our key.</li>
+                    <li>0: The key of the peer.</li></ul>
+ *
+ * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code
+ *                  on failure.
+ *
+ * \see             ecp.h
+ */
+int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key,
+                     mbedtls_ecdh_side side );
+
+/**
+ * \brief           This function generates a public key and a TLS
+ *                  ClientKeyExchange payload.
+ *
+ *                  This is the second function used by a TLS client for ECDH(E)
+ *                  ciphersuites.
+ *
+ * \param ctx       The ECDH context.
+ * \param olen      The number of Bytes written.
+ * \param buf       The destination buffer.
+ * \param blen      The size of the destination buffer.
+ * \param f_rng     The RNG function.
+ * \param p_rng     The RNG parameter.
+ *
+ * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code
+ *                  on failure.
+ *
+ * \see             ecp.h
+ */
+int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
+                      unsigned char *buf, size_t blen,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+/**
+ * \brief       This function parses and processes a TLS ClientKeyExchange
+ *              payload.
+ *
+ *              This is the second function used by a TLS server for ECDH(E)
+ *              ciphersuites.
+ *
+ * \param ctx   The ECDH context.
+ * \param buf   The start of the input buffer.
+ * \param blen  The length of the input buffer.
+ *
+ * \return      \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code
+ *              on failure.
+ *
+ * \see         ecp.h
+ */
+int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
+                      const unsigned char *buf, size_t blen );
+
+/**
+ * \brief           This function derives and exports the shared secret.
+ *
+ *                  This is the last function used by both TLS client
+ *                  and servers.
+ *
+ * \param ctx       The ECDH context.
+ * \param olen      The number of Bytes written.
+ * \param buf       The destination buffer.
+ * \param blen      The length of the destination buffer.
+ * \param f_rng     The RNG function.
+ * \param p_rng     The RNG parameter.
+ *
+ * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code
+ *                  on failure.
+ *
+ * \see             ecp.h
+ *
+ * \note            If \p f_rng is not NULL, it is used to implement
+ *                  countermeasures against potential elaborate timing
+ *                  attacks. For more information, see mbedtls_ecp_mul().
+ */
+int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
+                      unsigned char *buf, size_t blen,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ecdh.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ecdsa.h b/third-party/mbedtls-3.6/include/mbedtls/ecdsa.h
new file mode 100644
index 00000000..1a34ff27
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ecdsa.h
@@ -0,0 +1,426 @@
+/**
+ * \file ecdsa.h
+ *
+ * \brief The Elliptic Curve Digital Signature Algorithm (ECDSA).
+ *
+ * ECDSA is defined in <em>Standards for Efficient Cryptography Group (SECG):
+ * SEC1 Elliptic Curve Cryptography</em>.
+ * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve
+ * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
+ *
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_ECDSA_H
+#define MBEDTLS_ECDSA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ecp.h"
+#include "md.h"
+
+/*
+ * RFC-4492 page 20:
+ *
+ *     Ecdsa-Sig-Value ::= SEQUENCE {
+ *         r       INTEGER,
+ *         s       INTEGER
+ *     }
+ *
+ * Size is at most
+ *    1 (tag) + 1 (len) + 1 (initial 0) + ECP_MAX_BYTES for each of r and s,
+ *    twice that + 1 (tag) + 2 (len) for the sequence
+ * (assuming ECP_MAX_BYTES is less than 126 for r and s,
+ * and less than 124 (total len <= 255) for the sequence)
+ */
+#if MBEDTLS_ECP_MAX_BYTES > 124
+#error "MBEDTLS_ECP_MAX_BYTES bigger than expected, please fix MBEDTLS_ECDSA_MAX_LEN"
+#endif
+/** The maximal size of an ECDSA signature in Bytes. */
+#define MBEDTLS_ECDSA_MAX_LEN  ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) )
+
+/**
+ * \brief           The ECDSA context structure.
+ */
+typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief           This function computes the ECDSA signature of a
+ *                  previously-hashed message.
+ *
+ * \note            The deterministic version is usually preferred.
+ *
+ * \param grp       The ECP group.
+ * \param r         The first output integer.
+ * \param s         The second output integer.
+ * \param d         The private signing key.
+ * \param buf       The message hash.
+ * \param blen      The length of \p buf.
+ * \param f_rng     The RNG function.
+ * \param p_rng     The RNG parameter.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated
+ *                  as defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX
+ *                  or \c MBEDTLS_MPI_XXX error code on failure.
+ *
+ * \see             ecp.h
+ */
+int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+                const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/**
+ * \brief           This function computes the ECDSA signature of a
+ *                  previously-hashed message, deterministic version.
+ *                  For more information, see <em>RFC-6979: Deterministic
+ *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
+ *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ *
+ * \warning         Since the output of the internal RNG is always the same for
+ *                  the same key and message, this limits the efficiency of
+ *                  blinding and leaks information through side channels. For
+ *                  secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
+ *
+ *                  (Optimally the blinding is a random value that is different
+ *                  on every execution. In this case the blinding is still
+ *                  random from the attackers perspective, but is the same on
+ *                  each execution. This means that this blinding does not
+ *                  prevent attackers from recovering secrets by combining
+ *                  several measurement traces, but may prevent some attacks
+ *                  that exploit relationships between secret data.)
+ *
+ * \param grp       The ECP group.
+ * \param r         The first output integer.
+ * \param s         The second output integer.
+ * \param d         The private signing key.
+ * \param buf       The message hash.
+ * \param blen      The length of \p buf.
+ * \param md_alg    The MD algorithm used to hash the message.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \return          \c 0 on success,
+ *                  or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure.
+ *
+ * \see             ecp.h
+ */
+int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                            mbedtls_mpi *s, const mbedtls_mpi *d,
+                            const unsigned char *buf, size_t blen,
+                            mbedtls_md_type_t md_alg );
+/**
+ * \brief           This function computes the ECDSA signature of a
+ *                  previously-hashed message, deterministic version.
+ *
+ *                  For more information, see <em>RFC-6979: Deterministic
+ *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
+ *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \see             ecp.h
+ *
+ * \param grp           The context for the elliptic curve to use.
+ *                      This must be initialized and have group parameters
+ *                      set, for example through mbedtls_ecp_group_load().
+ * \param r             The MPI context in which to store the first part
+ *                      the signature. This must be initialized.
+ * \param s             The MPI context in which to store the second part
+ *                      the signature. This must be initialized.
+ * \param d             The private signing key. This must be initialized
+ *                      and setup, for example through mbedtls_ecp_gen_privkey().
+ * \param buf           The hashed content to be signed. This must be a readable
+ *                      buffer of length \p blen Bytes. It may be \c NULL if
+ *                      \p blen is zero.
+ * \param blen          The length of \p buf in Bytes.
+ * \param md_alg        The hash algorithm used to hash the original data.
+ * \param f_rng_blind   The RNG function used for blinding. This must not be
+ *                      \c NULL.
+ * \param p_rng_blind   The RNG context to be passed to \p f_rng. This may be
+ *                      \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure.
+ */
+int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                                mbedtls_mpi *s, const mbedtls_mpi *d,
+                                const unsigned char *buf, size_t blen,
+                                mbedtls_md_type_t md_alg,
+                                int (*f_rng_blind)(void *, unsigned char *,
+                                                   size_t),
+                                void *p_rng_blind );
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+/**
+ * \brief           This function verifies the ECDSA signature of a
+ *                  previously-hashed message.
+ *
+ * \param grp       The ECP group.
+ * \param buf       The message hash.
+ * \param blen      The length of \p buf.
+ * \param Q         The public key to use for verification.
+ * \param r         The first integer of the signature.
+ * \param s         The second integer of the signature.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.4, step 3.
+ *
+ * \return          \c 0 on success,
+ *                  #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid,
+ *                  or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure for any other reason.
+ *
+ * \see             ecp.h
+ */
+int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
+                  const unsigned char *buf, size_t blen,
+                  const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s);
+
+/**
+ * \brief           This function computes the ECDSA signature and writes it
+ *                  to a buffer, serialized as defined in <em>RFC-4492:
+ *                  Elliptic Curve Cryptography (ECC) Cipher Suites for
+ *                  Transport Layer Security (TLS)</em>.
+ *
+ * \warning         It is not thread-safe to use the same context in
+ *                  multiple threads.
+ *
+ * \note            The deterministic version is used if
+ *                  #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more
+ *                  information, see <em>RFC-6979: Deterministic Usage
+ *                  of the Digital Signature Algorithm (DSA) and Elliptic
+ *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \param ctx       The ECDSA context.
+ * \param md_alg    The message digest that was used to hash the message.
+ * \param hash      The message hash.
+ * \param hlen      The length of the hash.
+ * \param sig       The buffer that holds the signature.
+ * \param slen      The length of the signature written.
+ * \param f_rng     The RNG function.
+ * \param p_rng     The RNG parameter.
+ *
+ * \note            The \p sig buffer must be at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \return          \c 0 on success,
+ *                  or an \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ *
+ * \see             ecp.h
+ */
+int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
+                           const unsigned char *hash, size_t hlen,
+                           unsigned char *sig, size_t *slen,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng );
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief   This function computes an ECDSA signature and writes it to a buffer,
+ *          serialized as defined in <em>RFC-4492: Elliptic Curve Cryptography
+ *          (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
+ *
+ *          The deterministic version is defined in <em>RFC-6979:
+ *          Deterministic Usage of the Digital Signature Algorithm (DSA) and
+ *          Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \warning         It is not thread-safe to use the same context in
+ *                  multiple threads.
+
+ *
+ * \deprecated      Superseded by mbedtls_ecdsa_write_signature() in 2.0.0
+ *
+ * \param ctx       The ECDSA context.
+ * \param hash      The Message hash.
+ * \param hlen      The length of the hash.
+ * \param sig       The buffer that holds the signature.
+ * \param slen      The length of the signature written.
+ * \param md_alg    The MD algorithm used to hash the message.
+ *
+ * \note            The \p sig buffer must be at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if a
+ *                  256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \return          \c 0 on success,
+ *                  or an \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ *
+ * \see             ecp.h
+ */
+int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
+                               const unsigned char *hash, size_t hlen,
+                               unsigned char *sig, size_t *slen,
+                               mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED;
+#undef MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+/**
+ * \brief           This function reads and verifies an ECDSA signature.
+ *
+ * \param ctx       The ECDSA context.
+ * \param hash      The message hash.
+ * \param hlen      The size of the hash.
+ * \param sig       The signature to read and verify.
+ * \param slen      The size of \p sig.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.4, step 3.
+ *
+ * \return          \c 0 on success,
+ *                  #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid,
+ *                  #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in sig but its length is less than \p siglen,
+ *                  or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
+ *                  error code on failure for any other reason.
+ *
+ * \see             ecp.h
+ */
+int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
+                          const unsigned char *hash, size_t hlen,
+                          const unsigned char *sig, size_t slen );
+
+/**
+ * \brief          This function generates an ECDSA keypair on the given curve.
+ *
+ * \param ctx      The ECDSA context to store the keypair in.
+ * \param gid      The elliptic curve to use. One of the various
+ *                 \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
+ * \param f_rng    The RNG function.
+ * \param p_rng    The RNG parameter.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX code on
+ *                 failure.
+ *
+ * \see            ecp.h
+ */
+int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
+                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           This function sets an ECDSA context from an EC key pair.
+ *
+ * \param ctx       The ECDSA context to set.
+ * \param key       The EC key to use.
+ *
+ * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX code on
+ *                  failure.
+ *
+ * \see             ecp.h
+ */
+int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key );
+
+/**
+ * \brief           This function initializes an ECDSA context.
+ *
+ * \param ctx       The ECDSA context to initialize.
+ */
+void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx );
+
+/**
+ * \brief           This function frees an ECDSA context.
+ *
+ * \param ctx       The ECDSA context to free.
+ */
+void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ecdsa.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ecjpake.h b/third-party/mbedtls-3.6/include/mbedtls/ecjpake.h
new file mode 100644
index 00000000..1e941702
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ecjpake.h
@@ -0,0 +1,285 @@
+/**
+ * \file ecjpake.h
+ *
+ * \brief Elliptic curve J-PAKE
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_ECJPAKE_H
+#define MBEDTLS_ECJPAKE_H
+
+/*
+ * J-PAKE is a password-authenticated key exchange that allows deriving a
+ * strong shared secret from a (potentially low entropy) pre-shared
+ * passphrase, with forward secrecy and mutual authentication.
+ * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling
+ *
+ * This file implements the Elliptic Curve variant of J-PAKE,
+ * as defined in Chapter 7.4 of the Thread v1.0 Specification,
+ * available to members of the Thread Group http://threadgroup.org/
+ *
+ * As the J-PAKE algorithm is inherently symmetric, so is our API.
+ * Each party needs to send its first round message, in any order, to the
+ * other party, then each sends its second round message, in any order.
+ * The payloads are serialized in a way suitable for use in TLS, but could
+ * also be use outside TLS.
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ecp.h"
+#include "md.h"
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Roles in the EC J-PAKE exchange
+ */
+typedef enum {
+    MBEDTLS_ECJPAKE_CLIENT = 0,         /**< Client                         */
+    MBEDTLS_ECJPAKE_SERVER,             /**< Server                         */
+} mbedtls_ecjpake_role;
+
+/**
+ * EC J-PAKE context structure.
+ *
+ * J-PAKE is a symmetric protocol, except for the identifiers used in
+ * Zero-Knowledge Proofs, and the serialization of the second message
+ * (KeyExchange) as defined by the Thread spec.
+ *
+ * In order to benefit from this symmetry, we choose a different naming
+ * convetion from the Thread v1.0 spec. Correspondance is indicated in the
+ * description as a pair C: client name, S: server name
+ */
+typedef struct
+{
+    const mbedtls_md_info_t *md_info;   /**< Hash to use                    */
+    mbedtls_ecp_group grp;              /**< Elliptic curve                 */
+    mbedtls_ecjpake_role role;          /**< Are we client or server?       */
+    int point_format;                   /**< Format for point export        */
+
+    mbedtls_ecp_point Xm1;              /**< My public key 1   C: X1, S: X3 */
+    mbedtls_ecp_point Xm2;              /**< My public key 2   C: X2, S: X4 */
+    mbedtls_ecp_point Xp1;              /**< Peer public key 1 C: X3, S: X1 */
+    mbedtls_ecp_point Xp2;              /**< Peer public key 2 C: X4, S: X2 */
+    mbedtls_ecp_point Xp;               /**< Peer public key   C: Xs, S: Xc */
+
+    mbedtls_mpi xm1;                    /**< My private key 1  C: x1, S: x3 */
+    mbedtls_mpi xm2;                    /**< My private key 2  C: x2, S: x4 */
+
+    mbedtls_mpi s;                      /**< Pre-shared secret (passphrase) */
+} mbedtls_ecjpake_context;
+
+/**
+ * \brief           Initialize a context
+ *                  (just makes it ready for setup() or free()).
+ *
+ * \param ctx       context to initialize
+ */
+void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx );
+
+/**
+ * \brief           Set up a context for use
+ *
+ * \note            Currently the only values for hash/curve allowed by the
+ *                  standard are MBEDTLS_MD_SHA256/MBEDTLS_ECP_DP_SECP256R1.
+ *
+ * \param ctx       context to set up
+ * \param role      Our role: client or server
+ * \param hash      hash function to use (MBEDTLS_MD_XXX)
+ * \param curve     elliptic curve identifier (MBEDTLS_ECP_DP_XXX)
+ * \param secret    pre-shared secret (passphrase)
+ * \param len       length of the shared secret
+ *
+ * \return          0 if successfull,
+ *                  a negative error code otherwise
+ */
+int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
+                           mbedtls_ecjpake_role role,
+                           mbedtls_md_type_t hash,
+                           mbedtls_ecp_group_id curve,
+                           const unsigned char *secret,
+                           size_t len );
+
+/**
+ * \brief           Check if a context is ready for use
+ *
+ * \param ctx       Context to check
+ *
+ * \return          0 if the context is ready for use,
+ *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise
+ */
+int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx );
+
+/**
+ * \brief           Generate and write the first round message
+ *                  (TLS: contents of the Client/ServerHello extension,
+ *                  excluding extension type and length bytes)
+ *
+ * \param ctx       Context to use
+ * \param buf       Buffer to write the contents to
+ * \param len       Buffer size
+ * \param olen      Will be updated with the number of bytes written
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successfull,
+ *                  a negative error code otherwise
+ */
+int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng );
+
+/**
+ * \brief           Read and process the first round message
+ *                  (TLS: contents of the Client/ServerHello extension,
+ *                  excluding extension type and length bytes)
+ *
+ * \param ctx       Context to use
+ * \param buf       Pointer to extension contents
+ * \param len       Extension length
+ *
+ * \return          0 if successfull,
+ *                  a negative error code otherwise
+ */
+int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
+                                    const unsigned char *buf,
+                                    size_t len );
+
+/**
+ * \brief           Generate and write the second round message
+ *                  (TLS: contents of the Client/ServerKeyExchange)
+ *
+ * \param ctx       Context to use
+ * \param buf       Buffer to write the contents to
+ * \param len       Buffer size
+ * \param olen      Will be updated with the number of bytes written
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successfull,
+ *                  a negative error code otherwise
+ */
+int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng );
+
+/**
+ * \brief           Read and process the second round message
+ *                  (TLS: contents of the Client/ServerKeyExchange)
+ *
+ * \param ctx       Context to use
+ * \param buf       Pointer to the message
+ * \param len       Message length
+ *
+ * \return          0 if successfull,
+ *                  a negative error code otherwise
+ */
+int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
+                                    const unsigned char *buf,
+                                    size_t len );
+
+/**
+ * \brief           Derive the shared secret
+ *                  (TLS: Pre-Master Secret)
+ *
+ * \param ctx       Context to use
+ * \param buf       Buffer to write the contents to
+ * \param len       Buffer size
+ * \param olen      Will be updated with the number of bytes written
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successfull,
+ *                  a negative error code otherwise
+ */
+int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng );
+
+/**
+ * \brief           Free a context's content
+ *
+ * \param ctx       context to free
+ */
+void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_ECJPAKE_ALT */
+#include "ecjpake_alt.h"
+#endif /* MBEDTLS_ECJPAKE_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_ecjpake_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* ecjpake.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ecp.h b/third-party/mbedtls-3.6/include/mbedtls/ecp.h
new file mode 100644
index 00000000..6ebd2d65
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ecp.h
@@ -0,0 +1,736 @@
+/**
+ * \file ecp.h
+ *
+ * \brief Elliptic curves over GF(p)
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_ECP_H
+#define MBEDTLS_ECP_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+
+/*
+ * ECP error codes
+ */
+#define MBEDTLS_ERR_ECP_BAD_INPUT_DATA                    -0x4F80  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL                  -0x4F00  /**< The buffer is too small to write to. */
+#define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE               -0x4E80  /**< Requested curve not available. */
+#define MBEDTLS_ERR_ECP_VERIFY_FAILED                     -0x4E00  /**< The signature is not valid. */
+#define MBEDTLS_ERR_ECP_ALLOC_FAILED                      -0x4D80  /**< Memory allocation failed. */
+#define MBEDTLS_ERR_ECP_RANDOM_FAILED                     -0x4D00  /**< Generation of random value, such as (ephemeral) key, failed. */
+#define MBEDTLS_ERR_ECP_INVALID_KEY                       -0x4C80  /**< Invalid private or public key. */
+#define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH                  -0x4C00  /**< The buffer contains a valid signature followed by more data. */
+#define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED                   -0x4B80  /**< ECP hardware accelerator failed. */
+
+#if !defined(MBEDTLS_ECP_ALT)
+/*
+ * default mbed TLS elliptic curve arithmetic implementation
+ *
+ * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an
+ * alternative implementation for the whole module and it will replace this
+ * one.)
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Domain parameters (curve, subgroup and generator) identifiers.
+ *
+ * Only curves over prime fields are supported.
+ *
+ * \warning This library does not support validation of arbitrary domain
+ * parameters. Therefore, only well-known domain parameters from trusted
+ * sources should be used. See mbedtls_ecp_group_load().
+ */
+typedef enum
+{
+    MBEDTLS_ECP_DP_NONE = 0,
+    MBEDTLS_ECP_DP_SECP192R1,      /*!< 192-bits NIST curve  */
+    MBEDTLS_ECP_DP_SECP224R1,      /*!< 224-bits NIST curve  */
+    MBEDTLS_ECP_DP_SECP256R1,      /*!< 256-bits NIST curve  */
+    MBEDTLS_ECP_DP_SECP384R1,      /*!< 384-bits NIST curve  */
+    MBEDTLS_ECP_DP_SECP521R1,      /*!< 521-bits NIST curve  */
+    MBEDTLS_ECP_DP_BP256R1,        /*!< 256-bits Brainpool curve */
+    MBEDTLS_ECP_DP_BP384R1,        /*!< 384-bits Brainpool curve */
+    MBEDTLS_ECP_DP_BP512R1,        /*!< 512-bits Brainpool curve */
+    MBEDTLS_ECP_DP_CURVE25519,           /*!< Curve25519               */
+    MBEDTLS_ECP_DP_SECP192K1,      /*!< 192-bits "Koblitz" curve */
+    MBEDTLS_ECP_DP_SECP224K1,      /*!< 224-bits "Koblitz" curve */
+    MBEDTLS_ECP_DP_SECP256K1,      /*!< 256-bits "Koblitz" curve */
+} mbedtls_ecp_group_id;
+
+/**
+ * Number of supported curves (plus one for NONE).
+ *
+ * (Montgomery curves excluded for now.)
+ */
+#define MBEDTLS_ECP_DP_MAX     12
+
+/**
+ * Curve information for use by other modules
+ */
+typedef struct
+{
+    mbedtls_ecp_group_id grp_id;    /*!< Internal identifier        */
+    uint16_t tls_id;                /*!< TLS NamedCurve identifier  */
+    uint16_t bit_size;              /*!< Curve size in bits         */
+    const char *name;               /*!< Human-friendly name        */
+} mbedtls_ecp_curve_info;
+
+/**
+ * \brief           ECP point structure (jacobian coordinates)
+ *
+ * \note            All functions expect and return points satisfying
+ *                  the following condition: Z == 0 or Z == 1. (Other
+ *                  values of Z are used by internal functions only.)
+ *                  The point is zero, or "at infinity", if Z == 0.
+ *                  Otherwise, X and Y are its standard (affine) coordinates.
+ */
+typedef struct
+{
+    mbedtls_mpi X;          /*!<  the point's X coordinate  */
+    mbedtls_mpi Y;          /*!<  the point's Y coordinate  */
+    mbedtls_mpi Z;          /*!<  the point's Z coordinate  */
+}
+mbedtls_ecp_point;
+
+/**
+ * \brief           ECP group structure
+ *
+ * We consider two types of curves equations:
+ * 1. Short Weierstrass y^2 = x^3 + A x + B     mod P   (SEC1 + RFC 4492)
+ * 2. Montgomery,       y^2 = x^3 + A x^2 + x   mod P   (Curve25519 + draft)
+ * In both cases, a generator G for a prime-order subgroup is fixed. In the
+ * short weierstrass, this subgroup is actually the whole curve, and its
+ * cardinal is denoted by N.
+ *
+ * In the case of Short Weierstrass curves, our code requires that N is an odd
+ * prime. (Use odd in mbedtls_ecp_mul() and prime in mbedtls_ecdsa_sign() for blinding.)
+ *
+ * In the case of Montgomery curves, we don't store A but (A + 2) / 4 which is
+ * the quantity actually used in the formulas. Also, nbits is not the size of N
+ * but the required size for private keys.
+ *
+ * If modp is NULL, reduction modulo P is done using a generic algorithm.
+ * Otherwise, it must point to a function that takes an mbedtls_mpi in the range
+ * 0..2^(2*pbits)-1 and transforms it in-place in an integer of little more
+ * than pbits, so that the integer may be efficiently brought in the 0..P-1
+ * range by a few additions or substractions. It must return 0 on success and
+ * non-zero on failure.
+ */
+typedef struct
+{
+    mbedtls_ecp_group_id id;    /*!<  internal group identifier                     */
+    mbedtls_mpi P;              /*!<  prime modulus of the base field               */
+    mbedtls_mpi A;              /*!<  1. A in the equation, or 2. (A + 2) / 4       */
+    mbedtls_mpi B;              /*!<  1. B in the equation, or 2. unused            */
+    mbedtls_ecp_point G;        /*!<  generator of the (sub)group used              */
+    mbedtls_mpi N;              /*!<  1. the order of G, or 2. unused               */
+    size_t pbits;       /*!<  number of bits in P                           */
+    size_t nbits;       /*!<  number of bits in 1. P, or 2. private keys    */
+    unsigned int h;     /*!<  internal: 1 if the constants are static       */
+    int (*modp)(mbedtls_mpi *); /*!<  function for fast reduction mod P             */
+    int (*t_pre)(mbedtls_ecp_point *, void *);  /*!< unused                         */
+    int (*t_post)(mbedtls_ecp_point *, void *); /*!< unused                         */
+    void *t_data;                       /*!< unused                         */
+    mbedtls_ecp_point *T;       /*!<  pre-computed points for ecp_mul_comb()        */
+    size_t T_size;      /*!<  number for pre-computed points                */
+}
+mbedtls_ecp_group;
+
+/**
+ * \brief           ECP key pair structure
+ *
+ * A generic key pair that could be used for ECDSA, fixed ECDH, etc.
+ *
+ * \note Members purposefully in the same order as struc mbedtls_ecdsa_context.
+ */
+typedef struct
+{
+    mbedtls_ecp_group grp;      /*!<  Elliptic curve and base point     */
+    mbedtls_mpi d;              /*!<  our secret value                  */
+    mbedtls_ecp_point Q;        /*!<  our public value                  */
+}
+mbedtls_ecp_keypair;
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_ECP_MAX_BITS)
+/**
+ * Maximum size of the groups (that is, of N and P)
+ */
+#define MBEDTLS_ECP_MAX_BITS     521   /**< Maximum bit size of groups */
+#endif
+
+#define MBEDTLS_ECP_MAX_BYTES    ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 )
+#define MBEDTLS_ECP_MAX_PT_LEN   ( 2 * MBEDTLS_ECP_MAX_BYTES + 1 )
+
+#if !defined(MBEDTLS_ECP_WINDOW_SIZE)
+/*
+ * Maximum "window" size used for point multiplication.
+ * Default: 6.
+ * Minimum value: 2. Maximum value: 7.
+ *
+ * Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
+ * points used for point multiplication. This value is directly tied to EC
+ * peak memory usage, so decreasing it by one should roughly cut memory usage
+ * by two (if large curves are in use).
+ *
+ * Reduction in size may reduce speed, but larger curves are impacted first.
+ * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1):
+ *      w-size:     6       5       4       3       2
+ *      521       145     141     135     120      97
+ *      384       214     209     198     177     146
+ *      256       320     320     303     262     226
+
+ *      224       475     475     453     398     342
+ *      192       640     640     633     587     476
+ */
+#define MBEDTLS_ECP_WINDOW_SIZE    6   /**< Maximum window size used */
+#endif /* MBEDTLS_ECP_WINDOW_SIZE */
+
+#if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
+/*
+ * Trade memory for speed on fixed-point multiplication.
+ *
+ * This speeds up repeated multiplication of the generator (that is, the
+ * multiplication in ECDSA signatures, and half of the multiplications in
+ * ECDSA verification and ECDHE) by a factor roughly 3 to 4.
+ *
+ * The cost is increasing EC peak memory usage by a factor roughly 2.
+ *
+ * Change this value to 0 to reduce peak memory usage.
+ */
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM  1   /**< Enable fixed-point speed-up */
+#endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */
+
+/* \} name SECTION: Module settings */
+
+/*
+ * Point formats, from RFC 4492's enum ECPointFormat
+ */
+#define MBEDTLS_ECP_PF_UNCOMPRESSED    0   /**< Uncompressed point format */
+#define MBEDTLS_ECP_PF_COMPRESSED      1   /**< Compressed point format */
+
+/*
+ * Some other constants from RFC 4492
+ */
+#define MBEDTLS_ECP_TLS_NAMED_CURVE    3   /**< ECCurveType's named_curve */
+
+/**
+ * \brief           Get the list of supported curves in order of preferrence
+ *                  (full information)
+ *
+ * \return          A statically allocated array, the last entry is 0.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void );
+
+/**
+ * \brief           Get the list of supported curves in order of preferrence
+ *                  (grp_id only)
+ *
+ * \return          A statically allocated array,
+ *                  terminated with MBEDTLS_ECP_DP_NONE.
+ */
+const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void );
+
+/**
+ * \brief           Get curve information from an internal group identifier
+ *
+ * \param grp_id    A MBEDTLS_ECP_DP_XXX value
+ *
+ * \return          The associated curve information or NULL
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id );
+
+/**
+ * \brief           Get curve information from a TLS NamedCurve value
+ *
+ * \param tls_id    A MBEDTLS_ECP_DP_XXX value
+ *
+ * \return          The associated curve information or NULL
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id );
+
+/**
+ * \brief           Get curve information from a human-readable name
+ *
+ * \param name      The name
+ *
+ * \return          The associated curve information or NULL
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name );
+
+/**
+ * \brief           Initialize a point (as zero)
+ */
+void mbedtls_ecp_point_init( mbedtls_ecp_point *pt );
+
+/**
+ * \brief           Initialize a group (to something meaningless)
+ */
+void mbedtls_ecp_group_init( mbedtls_ecp_group *grp );
+
+/**
+ * \brief           Initialize a key pair (as an invalid one)
+ */
+void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key );
+
+/**
+ * \brief           Free the components of a point
+ */
+void mbedtls_ecp_point_free( mbedtls_ecp_point *pt );
+
+/**
+ * \brief           Free the components of an ECP group
+ */
+void mbedtls_ecp_group_free( mbedtls_ecp_group *grp );
+
+/**
+ * \brief           Free the components of a key pair
+ */
+void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key );
+
+/**
+ * \brief           Copy the contents of point Q into P
+ *
+ * \param P         Destination point
+ * \param Q         Source point
+ *
+ * \return          0 if successful,
+ *                  MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q );
+
+/**
+ * \brief           Copy the contents of a group object
+ *
+ * \param dst       Destination group
+ * \param src       Source group
+ *
+ * \return          0 if successful,
+ *                  MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src );
+
+/**
+ * \brief           Set a point to zero
+ *
+ * \param pt        Destination point
+ *
+ * \return          0 if successful,
+ *                  MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt );
+
+/**
+ * \brief           Tell if a point is zero
+ *
+ * \param pt        Point to test
+ *
+ * \return          1 if point is zero, 0 otherwise
+ */
+int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt );
+
+/**
+ * \brief           Compare two points
+ *
+ * \note            This assumes the points are normalized. Otherwise,
+ *                  they may compare as "not equal" even if they are.
+ *
+ * \param P         First point to compare
+ * \param Q         Second point to compare
+ *
+ * \return          0 if the points are equal,
+ *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise
+ */
+int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,
+                           const mbedtls_ecp_point *Q );
+
+/**
+ * \brief           Import a non-zero point from two ASCII strings
+ *
+ * \param P         Destination point
+ * \param radix     Input numeric base
+ * \param x         First affine coordinate as a null-terminated string
+ * \param y         Second affine coordinate as a null-terminated string
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_MPI_XXX error code
+ */
+int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
+                           const char *x, const char *y );
+
+/**
+ * \brief           Export a point into unsigned binary data
+ *
+ * \param grp       Group to which the point should belong
+ * \param P         Point to export
+ * \param format    Point format, should be a MBEDTLS_ECP_PF_XXX macro
+ * \param olen      Length of the actual output
+ * \param buf       Output buffer
+ * \param buflen    Length of the output buffer
+ *
+ * \return          0 if successful,
+ *                  or MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+ *                  or MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+ */
+int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *P,
+                            int format, size_t *olen,
+                            unsigned char *buf, size_t buflen );
+
+/**
+ * \brief           Import a point from unsigned binary data
+ *
+ * \param grp       Group to which the point should belong
+ * \param P         Point to import
+ * \param buf       Input buffer
+ * \param ilen      Actual length of input
+ *
+ * \return          0 if successful,
+ *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid,
+ *                  MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *                  MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
+ *                  is not implemented.
+ *
+ * \note            This function does NOT check that the point actually
+ *                  belongs to the given group, see mbedtls_ecp_check_pubkey() for
+ *                  that.
+ */
+int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
+                           const unsigned char *buf, size_t ilen );
+
+/**
+ * \brief           Import a point from a TLS ECPoint record
+ *
+ * \param grp       ECP group used
+ * \param pt        Destination point
+ * \param buf       $(Start of input buffer)
+ * \param len       Buffer length
+ *
+ * \note            buf is updated to point right after the ECPoint on exit
+ *
+ * \return          0 if successful,
+ *                  MBEDTLS_ERR_MPI_XXX if initialization failed
+ *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid
+ */
+int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
+                        const unsigned char **buf, size_t len );
+
+/**
+ * \brief           Export a point as a TLS ECPoint record
+ *
+ * \param grp       ECP group used
+ * \param pt        Point to export
+ * \param format    Export format
+ * \param olen      length of data written
+ * \param buf       Buffer to write to
+ * \param blen      Buffer length
+ *
+ * \return          0 if successful,
+ *                  or MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+ *                  or MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+ */
+int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
+                         int format, size_t *olen,
+                         unsigned char *buf, size_t blen );
+
+/**
+ * \brief           Set a group using well-known domain parameters
+ *
+ * \param grp       Destination group
+ * \param id        Index in the list of well-known domain parameters
+ *
+ * \return          0 if successful,
+ *                  MBEDTLS_ERR_MPI_XXX if initialization failed
+ *                  MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE for unkownn groups
+ *
+ * \note            Index should be a value of RFC 4492's enum NamedCurve,
+ *                  usually in the form of a MBEDTLS_ECP_DP_XXX macro.
+ */
+int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id );
+
+/**
+ * \brief           Set a group from a TLS ECParameters record
+ *
+ * \param grp       Destination group
+ * \param buf       &(Start of input buffer)
+ * \param len       Buffer length
+ *
+ * \note            buf is updated to point right after ECParameters on exit
+ *
+ * \return          0 if successful,
+ *                  MBEDTLS_ERR_MPI_XXX if initialization failed
+ *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid
+ */
+int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp, const unsigned char **buf, size_t len );
+
+/**
+ * \brief           Write the TLS ECParameters record for a group
+ *
+ * \param grp       ECP group used
+ * \param olen      Number of bytes actually written
+ * \param buf       Buffer to write to
+ * \param blen      Buffer length
+ *
+ * \return          0 if successful,
+ *                  or MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+ */
+int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
+                         unsigned char *buf, size_t blen );
+
+/**
+ * \brief           Multiplication by an integer: R = m * P
+ *                  (Not thread-safe to use same group in multiple threads)
+ *
+ * \note            In order to prevent timing attacks, this function
+ *                  executes the exact same sequence of (base field)
+ *                  operations for any valid m. It avoids any if-branch or
+ *                  array index depending on the value of m.
+ *
+ * \note            If \p f_rng is not NULL, it is used to randomize
+ *                  intermediate results to prevent potential timing attacks
+ *                  targeting these results. We recommend always providing
+ *                  a non-NULL \p f_rng. The overhead is negligible.
+ *                  Note: unless #MBEDTLS_ECP_NO_INTERNAL_RNG is defined, when
+ *                  \p f_rng is NULL, an internal RNG (seeded from the value
+ *                  of \p m) will be used instead.
+ *
+ * \param grp       ECP group
+ * \param R         Destination point
+ * \param m         Integer by which to multiply
+ * \param P         Point to multiply
+ * \param f_rng     RNG function (see notes)
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful,
+ *                  MBEDTLS_ERR_ECP_INVALID_KEY if m is not a valid privkey
+ *                  or P is not a valid pubkey,
+ *                  MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           Multiplication and addition of two points by integers:
+ *                  R = m * P + n * Q
+ *                  (Not thread-safe to use same group in multiple threads)
+ *
+ * \note            In contrast to mbedtls_ecp_mul(), this function does not guarantee
+ *                  a constant execution flow and timing.
+ *
+ * \param grp       ECP group
+ * \param R         Destination point
+ * \param m         Integer by which to multiply P
+ * \param P         Point to multiply by m
+ * \param n         Integer by which to multiply Q
+ * \param Q         Point to be multiplied by n
+ *
+ * \return          0 if successful,
+ *                  MBEDTLS_ERR_ECP_INVALID_KEY if m or n is not a valid privkey
+ *                  or P or Q is not a valid pubkey,
+ *                  MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ */
+int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q );
+
+/**
+ * \brief           Check that a point is a valid public key on this curve
+ *
+ * \param grp       Curve/group the point should belong to
+ * \param pt        Point to check
+ *
+ * \return          0 if point is a valid public key,
+ *                  MBEDTLS_ERR_ECP_INVALID_KEY otherwise.
+ *
+ * \note            This function only checks the point is non-zero, has valid
+ *                  coordinates and lies on the curve, but not that it is
+ *                  indeed a multiple of G. This is additional check is more
+ *                  expensive, isn't required by standards, and shouldn't be
+ *                  necessary if the group used has a small cofactor. In
+ *                  particular, it is useless for the NIST groups which all
+ *                  have a cofactor of 1.
+ *
+ * \note            Uses bare components rather than an mbedtls_ecp_keypair structure
+ *                  in order to ease use with other structures such as
+ *                  mbedtls_ecdh_context of mbedtls_ecdsa_context.
+ */
+int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt );
+
+/**
+ * \brief           Check that an mbedtls_mpi is a valid private key for this curve
+ *
+ * \param grp       Group used
+ * \param d         Integer to check
+ *
+ * \return          0 if point is a valid private key,
+ *                  MBEDTLS_ERR_ECP_INVALID_KEY otherwise.
+ *
+ * \note            Uses bare components rather than an mbedtls_ecp_keypair structure
+ *                  in order to ease use with other structures such as
+ *                  mbedtls_ecdh_context of mbedtls_ecdsa_context.
+ */
+int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *d );
+
+/**
+ * \brief           Generate a private key
+ *
+ * \param grp       ECP group
+ * \param d         Destination MPI (secret part)
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful,
+ *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
+ */
+int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
+                     mbedtls_mpi *d,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief           Generate a keypair with configurable base point
+ *
+ * \param grp       ECP group
+ * \param G         Chosen base point
+ * \param d         Destination MPI (secret part)
+ * \param Q         Destination point (public part)
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful,
+ *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
+ *
+ * \note            Uses bare components rather than an mbedtls_ecp_keypair structure
+ *                  in order to ease use with other structures such as
+ *                  mbedtls_ecdh_context of mbedtls_ecdsa_context.
+ */
+int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
+                     const mbedtls_ecp_point *G,
+                     mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief           Generate a keypair
+ *
+ * \param grp       ECP group
+ * \param d         Destination MPI (secret part)
+ * \param Q         Destination point (public part)
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful,
+ *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
+ *
+ * \note            Uses bare components rather than an mbedtls_ecp_keypair structure
+ *                  in order to ease use with other structures such as
+ *                  mbedtls_ecdh_context of mbedtls_ecdsa_context.
+ */
+int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief           Generate a keypair
+ *
+ * \param grp_id    ECP group identifier
+ * \param key       Destination keypair
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful,
+ *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
+ */
+int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           Check a public-private key pair
+ *
+ * \param pub       Keypair structure holding a public key
+ * \param prv       Keypair structure holding a private (plus public) key
+ *
+ * \return          0 if successful (keys are valid and match), or
+ *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA, or
+ *                  a MBEDTLS_ERR_ECP_XXX or MBEDTLS_ERR_MPI_XXX code.
+ */
+int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_ecp_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_ECP_ALT */
+#include "ecp_alt.h"
+#endif /* MBEDTLS_ECP_ALT */
+
+#endif /* ecp.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ecp_internal.h b/third-party/mbedtls-3.6/include/mbedtls/ecp_internal.h
new file mode 100644
index 00000000..0047bd4e
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ecp_internal.h
@@ -0,0 +1,324 @@
+/**
+ * \file ecp_internal.h
+ *
+ * \brief Function declarations for alternative implementation of elliptic curve
+ * point arithmetic.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ * References:
+ *
+ * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records.
+ *     <http://cr.yp.to/ecdh/curve25519-20060209.pdf>
+ *
+ * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
+ *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
+ *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
+ *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
+ *
+ * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
+ *     render ECC resistant against Side Channel Attacks. IACR Cryptology
+ *     ePrint Archive, 2004, vol. 2004, p. 342.
+ *     <http://eprint.iacr.org/2004/342.pdf>
+ *
+ * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters.
+ *     <http://www.secg.org/sec2-v2.pdf>
+ *
+ * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic
+ *     Curve Cryptography.
+ *
+ * [6] Digital Signature Standard (DSS), FIPS 186-4.
+ *     <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>
+ *
+ * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
+ *     Security (TLS), RFC 4492.
+ *     <https://tools.ietf.org/search/rfc4492>
+ *
+ * [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html>
+ *
+ * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory.
+ *     Springer Science & Business Media, 1 Aug 2000
+ */
+
+#ifndef MBEDTLS_ECP_INTERNAL_H
+#define MBEDTLS_ECP_INTERNAL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+
+/**
+ * \brief           Indicate if the Elliptic Curve Point module extension can
+ *                  handle the group.
+ *
+ * \param grp       The pointer to the elliptic curve group that will be the
+ *                  basis of the cryptographic computations.
+ *
+ * \return          Non-zero if successful.
+ */
+unsigned char mbedtls_internal_ecp_grp_capable( const mbedtls_ecp_group *grp );
+
+/**
+ * \brief           Initialise the Elliptic Curve Point module extension.
+ *
+ *                  If mbedtls_internal_ecp_grp_capable returns true for a
+ *                  group, this function has to be able to initialise the
+ *                  module for it.
+ *
+ *                  This module can be a driver to a crypto hardware
+ *                  accelerator, for which this could be an initialise function.
+ *
+ * \param grp       The pointer to the group the module needs to be
+ *                  initialised for.
+ *
+ * \return          0 if successful.
+ */
+int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp );
+
+/**
+ * \brief           Frees and deallocates the Elliptic Curve Point module
+ *                  extension.
+ *
+ * \param grp       The pointer to the group the module was initialised for.
+ */
+void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp );
+
+#if defined(ECP_SHORTWEIERSTRASS)
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+/**
+ * \brief           Randomize jacobian coordinates:
+ *                  (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l.
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param pt        The point on the curve to be randomised, given with Jacobian
+ *                  coordinates.
+ *
+ * \param f_rng     A function pointer to the random number generator.
+ *
+ * \param p_rng     A pointer to the random number generator state.
+ *
+ * \return          0 if successful.
+ */
+int mbedtls_internal_ecp_randomize_jac( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *pt, int (*f_rng)(void *, unsigned char *, size_t),
+        void *p_rng );
+#endif
+
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+/**
+ * \brief           Addition: R = P + Q, mixed affine-Jacobian coordinates.
+ *
+ *                  The coordinates of Q must be normalized (= affine),
+ *                  but those of P don't need to. R is not normalized.
+ *
+ *                  This function is used only as a subrutine of
+ *                  ecp_mul_comb().
+ *
+ *                  Special cases: (1) P or Q is zero, (2) R is zero,
+ *                      (3) P == Q.
+ *                  None of these cases can happen as intermediate step in
+ *                  ecp_mul_comb():
+ *                      - at each step, P, Q and R are multiples of the base
+ *                      point, the factor being less than its order, so none of
+ *                      them is zero;
+ *                      - Q is an odd multiple of the base point, P an even
+ *                      multiple, due to the choice of precomputed points in the
+ *                      modified comb method.
+ *                  So branches for these cases do not leak secret information.
+ *
+ *                  We accept Q->Z being unset (saving memory in tables) as
+ *                  meaning 1.
+ *
+ *                  Cost in field operations if done by [5] 3.22:
+ *                      1A := 8M + 3S
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param R         Pointer to a point structure to hold the result.
+ *
+ * \param P         Pointer to the first summand, given with Jacobian
+ *                  coordinates
+ *
+ * \param Q         Pointer to the second summand, given with affine
+ *                  coordinates.
+ *
+ * \return          0 if successful.
+ */
+int mbedtls_internal_ecp_add_mixed( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *R, const mbedtls_ecp_point *P,
+        const mbedtls_ecp_point *Q );
+#endif
+
+/**
+ * \brief           Point doubling R = 2 P, Jacobian coordinates.
+ *
+ *                  Cost:   1D := 3M + 4S    (A ==  0)
+ *                          4M + 4S          (A == -3)
+ *                          3M + 6S + 1a     otherwise
+ *                  when the implementation is based on the "dbl-1998-cmo-2"
+ *                  doubling formulas in [8] and standard optimizations are
+ *                  applied when curve parameter A is one of { 0, -3 }.
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param R         Pointer to a point structure to hold the result.
+ *
+ * \param P         Pointer to the point that has to be doubled, given with
+ *                  Jacobian coordinates.
+ *
+ * \return          0 if successful.
+ */
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+int mbedtls_internal_ecp_double_jac( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *R, const mbedtls_ecp_point *P );
+#endif
+
+/**
+ * \brief           Normalize jacobian coordinates of an array of (pointers to)
+ *                  points.
+ *
+ *                  Using Montgomery's trick to perform only one inversion mod P
+ *                  the cost is:
+ *                      1N(t) := 1I + (6t - 3)M + 1S
+ *                  (See for example Algorithm 10.3.4. in [9])
+ *
+ *                  This function is used only as a subrutine of
+ *                  ecp_mul_comb().
+ *
+ *                  Warning: fails (returning an error) if one of the points is
+ *                  zero!
+ *                  This should never happen, see choice of w in ecp_mul_comb().
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param T         Array of pointers to the points to normalise.
+ *
+ * \param t_len     Number of elements in the array.
+ *
+ * \return          0 if successful,
+ *                      an error if one of the points is zero.
+ */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+int mbedtls_internal_ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *T[], size_t t_len );
+#endif
+
+/**
+ * \brief           Normalize jacobian coordinates so that Z == 0 || Z == 1.
+ *
+ *                  Cost in field operations if done by [5] 3.2.1:
+ *                      1N := 1I + 3M + 1S
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param pt        pointer to the point to be normalised. This is an
+ *                  input/output parameter.
+ *
+ * \return          0 if successful.
+ */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+int mbedtls_internal_ecp_normalize_jac( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *pt );
+#endif
+
+#endif /* ECP_SHORTWEIERSTRASS */
+
+#if defined(ECP_MONTGOMERY)
+
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+int mbedtls_internal_ecp_double_add_mxz( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *R, mbedtls_ecp_point *S, const mbedtls_ecp_point *P,
+        const mbedtls_ecp_point *Q, const mbedtls_mpi *d );
+#endif
+
+/**
+ * \brief           Randomize projective x/z coordinates:
+ *                      (X, Z) -> (l X, l Z) for random l
+ *
+ * \param grp       pointer to the group representing the curve
+ *
+ * \param P         the point on the curve to be randomised given with
+ *                  projective coordinates. This is an input/output parameter.
+ *
+ * \param f_rng     a function pointer to the random number generator
+ *
+ * \param p_rng     a pointer to the random number generator state
+ *
+ * \return          0 if successful
+ */
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+int mbedtls_internal_ecp_randomize_mxz( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *P, int (*f_rng)(void *, unsigned char *, size_t),
+        void *p_rng );
+#endif
+
+/**
+ * \brief           Normalize Montgomery x/z coordinates: X = X/Z, Z = 1.
+ *
+ * \param grp       pointer to the group representing the curve
+ *
+ * \param P         pointer to the point to be normalised. This is an
+ *                  input/output parameter.
+ *
+ * \return          0 if successful
+ */
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+int mbedtls_internal_ecp_normalize_mxz( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *P );
+#endif
+
+#endif /* ECP_MONTGOMERY */
+
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#endif /* ecp_internal.h */
+
diff --git a/third-party/mbedtls-3.6/include/mbedtls/entropy.h b/third-party/mbedtls-3.6/include/mbedtls/entropy.h
new file mode 100644
index 00000000..41648aaf
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/entropy.h
@@ -0,0 +1,316 @@
+/**
+ * \file entropy.h
+ *
+ * \brief Entropy accumulator implementation
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_ENTROPY_H
+#define MBEDTLS_ENTROPY_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+#include "sha512.h"
+#define MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
+#else
+#if defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
+#include "sha256.h"
+#endif
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+#if defined(MBEDTLS_HAVEGE_C)
+#include "havege.h"
+#endif
+
+#define MBEDTLS_ERR_ENTROPY_SOURCE_FAILED                 -0x003C  /**< Critical entropy source failure. */
+#define MBEDTLS_ERR_ENTROPY_MAX_SOURCES                   -0x003E  /**< No more sources can be added. */
+#define MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED            -0x0040  /**< No sources have been added to poll. */
+#define MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE              -0x003D  /**< No strong sources have been added to poll. */
+#define MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR                 -0x003F  /**< Read/write error in file. */
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_ENTROPY_MAX_SOURCES)
+#define MBEDTLS_ENTROPY_MAX_SOURCES     20      /**< Maximum number of sources supported */
+#endif
+
+#if !defined(MBEDTLS_ENTROPY_MAX_GATHER)
+#define MBEDTLS_ENTROPY_MAX_GATHER      128     /**< Maximum amount requested from entropy sources */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+#define MBEDTLS_ENTROPY_BLOCK_SIZE      64      /**< Block size of entropy accumulator (SHA-512) */
+#else
+#define MBEDTLS_ENTROPY_BLOCK_SIZE      32      /**< Block size of entropy accumulator (SHA-256) */
+#endif
+
+#define MBEDTLS_ENTROPY_MAX_SEED_SIZE   1024    /**< Maximum size of seed we read from seed file */
+#define MBEDTLS_ENTROPY_SOURCE_MANUAL   MBEDTLS_ENTROPY_MAX_SOURCES
+
+#define MBEDTLS_ENTROPY_SOURCE_STRONG   1       /**< Entropy source is strong   */
+#define MBEDTLS_ENTROPY_SOURCE_WEAK     0       /**< Entropy source is weak     */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief           Entropy poll callback pointer
+ *
+ * \param data      Callback-specific data pointer
+ * \param output    Data to fill
+ * \param len       Maximum size to provide
+ * \param olen      The actual amount of bytes put into the buffer (Can be 0)
+ *
+ * \return          0 if no critical failures occurred,
+ *                  MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise
+ */
+typedef int (*mbedtls_entropy_f_source_ptr)(void *data, unsigned char *output, size_t len,
+                            size_t *olen);
+
+/**
+ * \brief           Entropy source state
+ */
+typedef struct
+{
+    mbedtls_entropy_f_source_ptr    f_source;   /**< The entropy source callback */
+    void *          p_source;   /**< The callback data pointer */
+    size_t          size;       /**< Amount received in bytes */
+    size_t          threshold;  /**< Minimum bytes required before release */
+    int             strong;     /**< Is the source strong? */
+}
+mbedtls_entropy_source_state;
+
+/**
+ * \brief           Entropy context structure
+ */
+typedef struct
+{
+    int accumulator_started; /* 0 after init.
+                              * 1 after the first update.
+                              * -1 after free. */
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    mbedtls_sha512_context  accumulator;
+#else
+    mbedtls_sha256_context  accumulator;
+#endif
+    int             source_count; /* Number of entries used in source. */
+    mbedtls_entropy_source_state    source[MBEDTLS_ENTROPY_MAX_SOURCES];
+#if defined(MBEDTLS_HAVEGE_C)
+    mbedtls_havege_state    havege_data;
+#endif
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;    /*!< mutex                  */
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    int initial_entropy_run;
+#endif
+}
+mbedtls_entropy_context;
+
+/**
+ * \brief           Initialize the context
+ *
+ * \param ctx       Entropy context to initialize
+ */
+void mbedtls_entropy_init( mbedtls_entropy_context *ctx );
+
+/**
+ * \brief           Free the data in the context
+ *
+ * \param ctx       Entropy context to free
+ */
+void mbedtls_entropy_free( mbedtls_entropy_context *ctx );
+
+/**
+ * \brief           Adds an entropy source to poll
+ *                  (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param ctx       Entropy context
+ * \param f_source  Entropy function
+ * \param p_source  Function data
+ * \param threshold Minimum required from source before entropy is released
+ *                  ( with mbedtls_entropy_func() ) (in bytes)
+ * \param strong    MBEDTLS_ENTROPY_SOURCE_STRONG or
+ *                  MBEDTSL_ENTROPY_SOURCE_WEAK.
+ *                  At least one strong source needs to be added.
+ *                  Weaker sources (such as the cycle counter) can be used as
+ *                  a complement.
+ *
+ * \return          0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES
+ */
+int mbedtls_entropy_add_source( mbedtls_entropy_context *ctx,
+                        mbedtls_entropy_f_source_ptr f_source, void *p_source,
+                        size_t threshold, int strong );
+
+/**
+ * \brief           Trigger an extra gather poll for the accumulator
+ *                  (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param ctx       Entropy context
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_gather( mbedtls_entropy_context *ctx );
+
+/**
+ * \brief           Retrieve entropy from the accumulator
+ *                  (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE)
+ *                  (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data      Entropy context
+ * \param output    Buffer to fill
+ * \param len       Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_func( void *data, unsigned char *output, size_t len );
+
+/**
+ * \brief           Add data to the accumulator manually
+ *                  (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param ctx       Entropy context
+ * \param data      Data to add
+ * \param len       Length of data
+ *
+ * \return          0 if successful
+ */
+int mbedtls_entropy_update_manual( mbedtls_entropy_context *ctx,
+                           const unsigned char *data, size_t len );
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+/**
+ * \brief           Trigger an update of the seed file in NV by using the
+ *                  current entropy pool.
+ *
+ * \param ctx       Entropy context
+ *
+ * \return          0 if successful
+ */
+int mbedtls_entropy_update_nv_seed( mbedtls_entropy_context *ctx );
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief               Write a seed file
+ *
+ * \param ctx           Entropy context
+ * \param path          Name of the file
+ *
+ * \return              0 if successful,
+ *                      MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR on file error, or
+ *                      MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_write_seed_file( mbedtls_entropy_context *ctx, const char *path );
+
+/**
+ * \brief               Read and update a seed file. Seed is added to this
+ *                      instance. No more than MBEDTLS_ENTROPY_MAX_SEED_SIZE bytes are
+ *                      read from the seed file. The rest is ignored.
+ *
+ * \param ctx           Entropy context
+ * \param path          Name of the file
+ *
+ * \return              0 if successful,
+ *                      MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR on file error,
+ *                      MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_update_seed_file( mbedtls_entropy_context *ctx, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ *                 This module self-test also calls the entropy self-test,
+ *                 mbedtls_entropy_source_self_test();
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_entropy_self_test( int verbose );
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+/**
+ * \brief          Checkup routine
+ *
+ *                 Verifies the integrity of the hardware entropy source
+ *                 provided by the function 'mbedtls_hardware_poll()'.
+ *
+ *                 Note this is the only hardware entropy source that is known
+ *                 at link time, and other entropy sources configured
+ *                 dynamically at runtime by the function
+ *                 mbedtls_entropy_add_source() will not be tested.
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_entropy_source_self_test( int verbose );
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* entropy.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/entropy_poll.h b/third-party/mbedtls-3.6/include/mbedtls/entropy_poll.h
new file mode 100644
index 00000000..c348fe52
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/entropy_poll.h
@@ -0,0 +1,135 @@
+/**
+ * \file entropy_poll.h
+ *
+ * \brief Platform-specific and custom entropy polling functions
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_ENTROPY_POLL_H
+#define MBEDTLS_ENTROPY_POLL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Default thresholds for built-in sources, in bytes
+ */
+#define MBEDTLS_ENTROPY_MIN_PLATFORM     32     /**< Minimum for platform source    */
+#define MBEDTLS_ENTROPY_MIN_HAVEGE       32     /**< Minimum for HAVEGE             */
+#define MBEDTLS_ENTROPY_MIN_HARDCLOCK     4     /**< Minimum for mbedtls_timing_hardclock()        */
+#if !defined(MBEDTLS_ENTROPY_MIN_HARDWARE)
+#define MBEDTLS_ENTROPY_MIN_HARDWARE     32     /**< Minimum for the hardware source */
+#endif
+
+/**
+ * \brief           Entropy poll callback that provides 0 entropy.
+ */
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+    int mbedtls_null_entropy_poll( void *data,
+                                unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+/**
+ * \brief           Platform-specific entropy poll callback
+ */
+int mbedtls_platform_entropy_poll( void *data,
+                           unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if defined(MBEDTLS_HAVEGE_C)
+/**
+ * \brief           HAVEGE based entropy poll callback
+ *
+ * Requires an HAVEGE state as its data pointer.
+ */
+int mbedtls_havege_poll( void *data,
+                 unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if defined(MBEDTLS_TIMING_C)
+/**
+ * \brief           mbedtls_timing_hardclock-based entropy poll callback
+ */
+int mbedtls_hardclock_poll( void *data,
+                    unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+/**
+ * \brief           Entropy poll callback for a hardware source
+ *
+ * \warning         This is not provided by mbed TLS!
+ *                  See \c MBEDTLS_ENTROPY_HARDWARE_ALT in config.h.
+ *
+ * \note            This must accept NULL as its first argument.
+ */
+int mbedtls_hardware_poll( void *data,
+                           unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+/**
+ * \brief           Entropy poll callback for a non-volatile seed file
+ *
+ * \note            This must accept NULL as its first argument.
+ */
+int mbedtls_nv_seed_poll( void *data,
+                          unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* entropy_poll.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/error.h b/third-party/mbedtls-3.6/include/mbedtls/error.h
new file mode 100644
index 00000000..10354543
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/error.h
@@ -0,0 +1,149 @@
+/**
+ * \file error.h
+ *
+ * \brief Error to string translation
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_ERROR_H
+#define MBEDTLS_ERROR_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/**
+ * Error code layout.
+ *
+ * Currently we try to keep all error codes within the negative space of 16
+ * bits signed integers to support all platforms (-0x0001 - -0x7FFF). In
+ * addition we'd like to give two layers of information on the error if
+ * possible.
+ *
+ * For that purpose the error codes are segmented in the following manner:
+ *
+ * 16 bit error code bit-segmentation
+ *
+ * 1 bit  - Unused (sign bit)
+ * 3 bits - High level module ID
+ * 5 bits - Module-dependent error code
+ * 7 bits - Low level module errors
+ *
+ * For historical reasons, low-level error codes are divided in even and odd,
+ * even codes were assigned first, and -1 is reserved for other errors.
+ *
+ * Low-level module errors (0x0002-0x007E, 0x0003-0x007F)
+ *
+ * Module   Nr  Codes assigned
+ * MPI       7  0x0002-0x0010
+ * GCM       3  0x0012-0x0014   0x0013-0x0013
+ * BLOWFISH  3  0x0016-0x0018   0x0017-0x0017
+ * THREADING 3  0x001A-0x001E
+ * AES       4  0x0020-0x0022   0x0023-0x0025
+ * CAMELLIA  3  0x0024-0x0026   0x0027-0x0027
+ * XTEA      2  0x0028-0x0028   0x0029-0x0029
+ * BASE64    2  0x002A-0x002C
+ * OID       1  0x002E-0x002E   0x000B-0x000B
+ * PADLOCK   1  0x0030-0x0030
+ * DES       2  0x0032-0x0032   0x0033-0x0033
+ * CTR_DBRG  4  0x0034-0x003A
+ * ENTROPY   3  0x003C-0x0040   0x003D-0x003F
+ * NET      11  0x0042-0x0052   0x0043-0x0045
+ * ASN1      7  0x0060-0x006C
+ * CMAC      1  0x007A-0x007A
+ * PBKDF2    1  0x007C-0x007C
+ * HMAC_DRBG 4                  0x0003-0x0009
+ * CCM       3                  0x000D-0x0011
+ * ARC4      1                  0x0019-0x0019
+ * MD2       1                  0x002B-0x002B
+ * MD4       1                  0x002D-0x002D
+ * MD5       1                  0x002F-0x002F
+ * RIPEMD160 1                  0x0031-0x0031
+ * SHA1      1                  0x0035-0x0035
+ * SHA256    1                  0x0037-0x0037
+ * SHA512    1                  0x0039-0x0039
+ *
+ * High-level module nr (3 bits - 0x0...-0x7...)
+ * Name      ID  Nr of Errors
+ * PEM       1   9
+ * PKCS#12   1   4 (Started from top)
+ * X509      2   20
+ * PKCS5     2   4 (Started from top)
+ * DHM       3   11
+ * PK        3   15 (Started from top)
+ * RSA       4   11
+ * ECP       4   9 (Started from top)
+ * MD        5   5
+ * SSL       5   1 (Started from 0x5E80)
+ * CIPHER    6   8
+ * SSL       6   17 (Started from top)
+ * SSL       7   31
+ *
+ * Module dependent error code (5 bits 0x.00.-0x.F8.)
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Translate a mbed TLS error code into a string representation,
+ *        Result is truncated if necessary and always includes a terminating
+ *        null byte.
+ *
+ * \param errnum    error code
+ * \param buffer    buffer to place representation in
+ * \param buflen    length of the buffer
+ */
+void mbedtls_strerror( int errnum, char *buffer, size_t buflen );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* error.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/gcm.h b/third-party/mbedtls-3.6/include/mbedtls/gcm.h
new file mode 100644
index 00000000..2a49a87f
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/gcm.h
@@ -0,0 +1,320 @@
+/**
+ * \file gcm.h
+ *
+ * \brief Galois/Counter Mode (GCM) for 128-bit block ciphers, as defined
+ *        in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
+ *        (GCM), Natl. Inst. Stand. Technol.</em>
+ *
+ * For more information on GCM, see <em>NIST SP 800-38D: Recommendation for
+ * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</em>.
+ *
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_GCM_H
+#define MBEDTLS_GCM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#include <stdint.h>
+
+#define MBEDTLS_GCM_ENCRYPT     1
+#define MBEDTLS_GCM_DECRYPT     0
+
+#define MBEDTLS_ERR_GCM_AUTH_FAILED                       -0x0012  /**< Authenticated decryption failed. */
+#define MBEDTLS_ERR_GCM_HW_ACCEL_FAILED                   -0x0013  /**< GCM hardware accelerator failed. */
+#define MBEDTLS_ERR_GCM_BAD_INPUT                         -0x0014  /**< Bad input parameters to function. */
+
+#if !defined(MBEDTLS_GCM_ALT)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          The GCM context structure.
+ */
+typedef struct {
+    mbedtls_cipher_context_t cipher_ctx;  /*!< The cipher context used. */
+    uint64_t HL[16];                      /*!< Precalculated HTable low. */
+    uint64_t HH[16];                      /*!< Precalculated HTable high. */
+    uint64_t len;                         /*!< The total length of the encrypted data. */
+    uint64_t add_len;                     /*!< The total length of the additional data. */
+    unsigned char base_ectr[16];          /*!< The first ECTR for tag. */
+    unsigned char y[16];                  /*!< The Y working value. */
+    unsigned char buf[16];                /*!< The buf working value. */
+    int mode;                             /*!< The operation to perform:
+                                               #MBEDTLS_GCM_ENCRYPT or
+                                               #MBEDTLS_GCM_DECRYPT. */
+}
+mbedtls_gcm_context;
+
+/**
+ * \brief           This function initializes the specified GCM context,
+ *                  to make references valid, and prepares the context
+ *                  for mbedtls_gcm_setkey() or mbedtls_gcm_free().
+ *
+ *                  The function does not bind the GCM context to a particular
+ *                  cipher, nor set the key. For this purpose, use
+ *                  mbedtls_gcm_setkey().
+ *
+ * \param ctx       The GCM context to initialize.
+ */
+void mbedtls_gcm_init( mbedtls_gcm_context *ctx );
+
+/**
+ * \brief           This function associates a GCM context with a
+ *                  cipher algorithm and a key.
+ *
+ * \param ctx       The GCM context to initialize.
+ * \param cipher    The 128-bit block cipher to use.
+ * \param key       The encryption key.
+ * \param keybits   The key size in bits. Valid options are:
+ *                  <ul><li>128 bits</li>
+ *                  <li>192 bits</li>
+ *                  <li>256 bits</li></ul>
+ *
+ * \return          \c 0 on success, or a cipher specific error code.
+ */
+int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
+                        mbedtls_cipher_id_t cipher,
+                        const unsigned char *key,
+                        unsigned int keybits );
+
+/**
+ * \brief           This function performs GCM encryption or decryption of a buffer.
+ *
+ * \note For encryption, the output buffer can be the same as the input buffer.
+ *       For decryption, the output buffer cannot be the same as input buffer.
+ *       If the buffers overlap, the output buffer must trail at least 8 Bytes
+ *       behind the input buffer.
+ *
+ * \warning         When this function performs a decryption, it outputs the
+ *                  authentication tag and does not verify that the data is
+ *                  authentic. You should use this function to perform encryption
+ *                  only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
+ *
+ * \param ctx       The GCM context to use for encryption or decryption.
+ * \param mode      The operation to perform:
+ *                  - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
+ *                    The ciphertext is written to \p output and the
+ *                    authentication tag is written to \p tag.
+ *                  - #MBEDTLS_GCM_DECRYPT to perform decryption.
+ *                    The plaintext is written to \p output and the
+ *                    authentication tag is written to \p tag.
+ *                    Note that this mode is not recommended, because it does
+ *                    not verify the authenticity of the data. For this reason,
+ *                    you should use mbedtls_gcm_auth_decrypt() instead of
+ *                    calling this function in decryption mode.
+ * \param length    The length of the input data, which is equal to the length
+ *                  of the output data.
+ * \param iv        The initialization vector.
+ * \param iv_len    The length of the IV.
+ * \param add       The buffer holding the additional data.
+ * \param add_len   The length of the additional data.
+ * \param input     The buffer holding the input data. Its size is \b length.
+ * \param output    The buffer for holding the output data. It must have room
+ *                  for \b length bytes.
+ * \param tag_len   The length of the tag to generate.
+ * \param tag       The buffer for holding the tag.
+ *
+ * \return          \c 0 if the encryption or decryption was performed
+ *                  successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
+ *                  this does not indicate that the data is authentic.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths are not valid.
+ * \return          #MBEDTLS_ERR_GCM_HW_ACCEL_FAILED or a cipher-specific
+ *                  error code if the encryption or decryption failed.
+ */
+int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
+                       int mode,
+                       size_t length,
+                       const unsigned char *iv,
+                       size_t iv_len,
+                       const unsigned char *add,
+                       size_t add_len,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t tag_len,
+                       unsigned char *tag );
+
+/**
+ * \brief           This function performs a GCM authenticated decryption of a
+ *                  buffer.
+ *
+ * \note For decryption, the output buffer cannot be the same as input buffer.
+ *       If the buffers overlap, the output buffer must trail at least 8 Bytes
+ *       behind the input buffer.
+ *
+ * \param ctx       The GCM context.
+ * \param length    The length of the ciphertext to decrypt, which is also
+ *                  the length of the decrypted plaintext.
+ * \param iv        The initialization vector.
+ * \param iv_len    The length of the IV.
+ * \param add       The buffer holding the additional data.
+ * \param add_len   The length of the additional data.
+ * \param tag       The buffer holding the tag to verify.
+ * \param tag_len   The length of the tag to verify.
+ * \param input     The buffer holding the ciphertext. Its size is \b length.
+ * \param output    The buffer for holding the decrypted plaintext. It must
+ *                  have room for \b length bytes.
+ *
+ * \return          \c 0 if successful and authenticated.
+ * \return          #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths are not valid.
+ * \return          #MBEDTLS_ERR_GCM_HW_ACCEL_FAILED or a cipher-specific
+ *                  error code if the decryption failed.
+ */
+int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
+                      size_t length,
+                      const unsigned char *iv,
+                      size_t iv_len,
+                      const unsigned char *add,
+                      size_t add_len,
+                      const unsigned char *tag,
+                      size_t tag_len,
+                      const unsigned char *input,
+                      unsigned char *output );
+
+/**
+ * \brief           This function starts a GCM encryption or decryption
+ *                  operation.
+ *
+ * \param ctx       The GCM context.
+ * \param mode      The operation to perform: #MBEDTLS_GCM_ENCRYPT or
+ *                  #MBEDTLS_GCM_DECRYPT.
+ * \param iv        The initialization vector.
+ * \param iv_len    The length of the IV.
+ * \param add       The buffer holding the additional data, or NULL if \p add_len is 0.
+ * \param add_len   The length of the additional data. If 0, \p  add is NULL.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
+                int mode,
+                const unsigned char *iv,
+                size_t iv_len,
+                const unsigned char *add,
+                size_t add_len );
+
+/**
+ * \brief           This function feeds an input buffer into an ongoing GCM
+ *                  encryption or decryption operation.
+ *
+ *    `             The function expects input to be a multiple of 16
+ *                  Bytes. Only the last call before calling
+ *                  mbedtls_gcm_finish() can be less than 16 Bytes.
+ *
+ * \note For decryption, the output buffer cannot be the same as input buffer.
+ *       If the buffers overlap, the output buffer must trail at least 8 Bytes
+ *       behind the input buffer.
+ *
+ * \param ctx       The GCM context.
+ * \param length    The length of the input data. This must be a multiple of 16 except in the last call before mbedtls_gcm_finish().
+ * \param input     The buffer holding the input data.
+ * \param output    The buffer for holding the output data.
+ *
+ * \return         \c 0 on success, or #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
+ */
+int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
+                size_t length,
+                const unsigned char *input,
+                unsigned char *output );
+
+/**
+ * \brief           This function finishes the GCM operation and generates
+ *                  the authentication tag.
+ *
+ *                  It wraps up the GCM stream, and generates the
+ *                  tag. The tag can have a maximum length of 16 Bytes.
+ *
+ * \param ctx       The GCM context.
+ * \param tag       The buffer for holding the tag.
+ * \param tag_len   The length of the tag to generate. Must be at least four.
+ *
+ * \return          \c 0 on success, or #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
+ */
+int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
+                unsigned char *tag,
+                size_t tag_len );
+
+/**
+ * \brief           This function clears a GCM context and the underlying
+ *                  cipher sub-context.
+ *
+ * \param ctx       The GCM context to clear.
+ */
+void mbedtls_gcm_free( mbedtls_gcm_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* !MBEDTLS_GCM_ALT */
+#include "gcm_alt.h"
+#endif /* !MBEDTLS_GCM_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          The GCM checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_gcm_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif /* gcm.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/havege.h b/third-party/mbedtls-3.6/include/mbedtls/havege.h
new file mode 100644
index 00000000..781a6094
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/havege.h
@@ -0,0 +1,106 @@
+/**
+ * \file havege.h
+ *
+ * \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_HAVEGE_H
+#define MBEDTLS_HAVEGE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#define MBEDTLS_HAVEGE_COLLECT_SIZE 1024
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          HAVEGE state structure
+ */
+typedef struct
+{
+    int PT1, PT2, offset[2];
+    int pool[MBEDTLS_HAVEGE_COLLECT_SIZE];
+    int WALK[8192];
+}
+mbedtls_havege_state;
+
+/**
+ * \brief          HAVEGE initialization
+ *
+ * \param hs       HAVEGE state to be initialized
+ */
+void mbedtls_havege_init( mbedtls_havege_state *hs );
+
+/**
+ * \brief          Clear HAVEGE state
+ *
+ * \param hs       HAVEGE state to be cleared
+ */
+void mbedtls_havege_free( mbedtls_havege_state *hs );
+
+/**
+ * \brief          HAVEGE rand function
+ *
+ * \param p_rng    A HAVEGE state
+ * \param output   Buffer to fill
+ * \param len      Length of buffer
+ *
+ * \return         0
+ */
+int mbedtls_havege_random( void *p_rng, unsigned char *output, size_t len );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* havege.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/hmac_drbg.h b/third-party/mbedtls-3.6/include/mbedtls/hmac_drbg.h
new file mode 100644
index 00000000..4a797d47
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/hmac_drbg.h
@@ -0,0 +1,495 @@
+/**
+ * \file hmac_drbg.h
+ *
+ * \brief The HMAC_DRBG pseudorandom generator.
+ *
+ * This module implements the HMAC_DRBG pseudorandom generator described
+ * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using
+ * Deterministic Random Bit Generators</em>.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_HMAC_DRBG_H
+#define MBEDTLS_HMAC_DRBG_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+/*
+ * Error codes
+ */
+#define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG              -0x0003  /**< Too many random requested in single call. */
+#define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG                -0x0005  /**< Input too large (Entropy + additional). */
+#define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR                -0x0007  /**< Read/write error in file. */
+#define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED        -0x0009  /**< The entropy source failed. */
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL)
+#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000   /**< Interval before reseed is performed by default */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT)
+#define MBEDTLS_HMAC_DRBG_MAX_INPUT         256     /**< Maximum number of additional input bytes */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST)
+#define MBEDTLS_HMAC_DRBG_MAX_REQUEST       1024    /**< Maximum number of requested bytes per call */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT)
+#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT    384     /**< Maximum size of (re)seed buffer */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#define MBEDTLS_HMAC_DRBG_PR_OFF   0   /**< No prediction resistance       */
+#define MBEDTLS_HMAC_DRBG_PR_ON    1   /**< Prediction resistance enabled  */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * HMAC_DRBG context.
+ */
+typedef struct
+{
+    /* Working state: the key K is not stored explicitly,
+     * but is implied by the HMAC context */
+    mbedtls_md_context_t md_ctx;                    /*!< HMAC context (inc. K)  */
+    unsigned char V[MBEDTLS_MD_MAX_SIZE];  /*!< V in the spec          */
+    int reseed_counter;                     /*!< reseed counter         */
+
+    /* Administrative state */
+    size_t entropy_len;         /*!< entropy bytes grabbed on each (re)seed */
+    int prediction_resistance;  /*!< enable prediction resistance (Automatic
+                                     reseed before every random generation) */
+    int reseed_interval;        /*!< reseed interval   */
+
+    /* Callbacks */
+    int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */
+    void *p_entropy;            /*!< context for the entropy function        */
+
+#if defined(MBEDTLS_THREADING_C)
+    /* Invariant: the mutex is initialized if and only if
+     * md_ctx->md_info != NULL. This means that the mutex is initialized
+     * during the initial seeding in mbedtls_hmac_drbg_seed() or
+     * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free().
+     *
+     * Note that this invariant may change without notice. Do not rely on it
+     * and do not access the mutex directly in application code.
+     */
+    mbedtls_threading_mutex_t mutex;
+#endif
+} mbedtls_hmac_drbg_context;
+
+/**
+ * \brief               HMAC_DRBG context initialization.
+ *
+ * This function makes the context ready for mbedtls_hmac_drbg_seed(),
+ * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free().
+ *
+ * \note                The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
+ *                      by default. Override this value by calling
+ *                      mbedtls_hmac_drbg_set_reseed_interval().
+ *
+ * \param ctx           HMAC_DRBG context to be initialized.
+ */
+void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx );
+
+/**
+ * \brief               HMAC_DRBG initial seeding.
+ *
+ * Set the initial seed and set up the entropy source for future reseeds.
+ *
+ * A typical choice for the \p f_entropy and \p p_entropy parameters is
+ * to use the entropy module:
+ * - \p f_entropy is mbedtls_entropy_func();
+ * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
+ *   with mbedtls_entropy_init() (which registers the platform's default
+ *   entropy sources).
+ *
+ * You can provide a personalization string in addition to the
+ * entropy source, to make this instantiation as unique as possible.
+ *
+ * \note                By default, the security strength as defined by NIST is:
+ *                      - 128 bits if \p md_info is SHA-1;
+ *                      - 192 bits if \p md_info is SHA-224;
+ *                      - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512.
+ *                      Note that SHA-256 is just as efficient as SHA-224.
+ *                      The security strength can be reduced if a smaller
+ *                      entropy length is set with
+ *                      mbedtls_hmac_drbg_set_entropy_len().
+ *
+ * \note                The default entropy length is the security strength
+ *                      (converted from bits to bytes). You can override
+ *                      it by calling mbedtls_hmac_drbg_set_entropy_len().
+ *
+ * \note                During the initial seeding, this function calls
+ *                      the entropy source to obtain a nonce
+ *                      whose length is half the entropy length.
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note                When Mbed TLS is built with threading support,
+ *                      after this function returns successfully,
+ *                      it is safe to call mbedtls_hmac_drbg_random()
+ *                      from multiple threads. Other operations, including
+ *                      reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * \param ctx           HMAC_DRBG context to be seeded.
+ * \param md_info       MD algorithm to use for HMAC_DRBG.
+ * \param f_entropy     The entropy callback, taking as arguments the
+ *                      \p p_entropy context, the buffer to fill, and the
+ *                      length of the buffer.
+ *                      \p f_entropy is always called with a length that is
+ *                      less than or equal to the entropy length.
+ * \param p_entropy     The entropy context to pass to \p f_entropy.
+ * \param custom        The personalization string.
+ *                      This can be \c NULL, in which case the personalization
+ *                      string is empty regardless of the value of \p len.
+ * \param len           The length of the personalization string.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
+ *                      and also at most
+ *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2
+ *                      where \p entropy_len is the entropy length
+ *                      described above.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
+ *                      invalid.
+ * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
+ *                      memory to allocate context data.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if the call to \p f_entropy failed.
+ */
+int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
+                    const mbedtls_md_info_t * md_info,
+                    int (*f_entropy)(void *, unsigned char *, size_t),
+                    void *p_entropy,
+                    const unsigned char *custom,
+                    size_t len );
+
+/**
+ * \brief               Initilisation of simpified HMAC_DRBG (never reseeds).
+ *
+ * This function is meant for use in algorithms that need a pseudorandom
+ * input such as deterministic ECDSA.
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note                When Mbed TLS is built with threading support,
+ *                      after this function returns successfully,
+ *                      it is safe to call mbedtls_hmac_drbg_random()
+ *                      from multiple threads. Other operations, including
+ *                      reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * \param ctx           HMAC_DRBG context to be initialised.
+ * \param md_info       MD algorithm to use for HMAC_DRBG.
+ * \param data          Concatenation of the initial entropy string and
+ *                      the additional data.
+ * \param data_len      Length of \p data in bytes.
+ *
+ * \return              \c 0 if successful. or
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
+ *                      invalid.
+ * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
+ *                      memory to allocate context data.
+ */
+int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
+                        const mbedtls_md_info_t * md_info,
+                        const unsigned char *data, size_t data_len );
+
+/**
+ * \brief               This function turns prediction resistance on or off.
+ *                      The default value is off.
+ *
+ * \note                If enabled, entropy is gathered at the beginning of
+ *                      every call to mbedtls_hmac_drbg_random_with_add()
+ *                      or mbedtls_hmac_drbg_random().
+ *                      Only use this if your entropy source has sufficient
+ *                      throughput.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param resistance    #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF.
+ */
+void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx,
+                                          int resistance );
+
+/**
+ * \brief               This function sets the amount of entropy grabbed on each
+ *                      seed or reseed.
+ *
+ * See the documentation of mbedtls_hmac_drbg_seed() for the default value.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param len           The amount of entropy to grab, in bytes.
+ */
+void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx,
+                                size_t len );
+
+/**
+ * \brief               Set the reseed interval.
+ *
+ * The reseed interval is the number of calls to mbedtls_hmac_drbg_random()
+ * or mbedtls_hmac_drbg_random_with_add() after which the entropy function
+ * is called again.
+ *
+ * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param interval      The reseed interval.
+ */
+void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx,
+                                    int interval );
+
+/**
+ * \brief               This function updates the state of the HMAC_DRBG context.
+ *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param additional    The data to update the state with.
+ *                      If this is \c NULL, there is no additional data.
+ * \param add_len       Length of \p additional in bytes.
+ *                      Unused if \p additional is \c NULL.
+ *
+ * \return              \c 0 on success, or an error from the underlying
+ *                      hash calculation.
+ */
+int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
+                       const unsigned char *additional, size_t add_len );
+
+/**
+ * \brief               HMAC_DRBG update state
+ *
+ * \warning             This function cannot report errors. You should use
+ *                      mbedtls_hmac_drbg_update_ret() instead.
+ *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
+ *
+ * \param ctx           HMAC_DRBG context
+ * \param additional    Additional data to update state with, or NULL
+ * \param add_len       Length of additional data, or 0
+ *
+ * \note                Additional data is optional, pass NULL and 0 as second
+ *                      third argument if no additional data is being used.
+ */
+void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
+                               const unsigned char *additional,
+                               size_t add_len );
+
+/**
+ * \brief               This function reseeds the HMAC_DRBG context, that is
+ *                      extracts data from the entropy source.
+ *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param additional    Additional data to add to the state.
+ *                      If this is \c NULL, there is no additional data
+ *                      and \p len should be \c 0.
+ * \param len           The length of the additional data.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
+ *                      and also at most
+ *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len
+ *                      where \p entropy_len is the entropy length
+ *                      (see mbedtls_hmac_drbg_set_entropy_len()).
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if a call to the entropy function failed.
+ */
+int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
+                      const unsigned char *additional, size_t len );
+
+/**
+ * \brief   This function updates an HMAC_DRBG instance with additional
+ *          data and uses it to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ * \note                This function is not thread-safe. It is not safe
+ *                      to call this function if another thread might be
+ *                      concurrently obtaining random numbers from the same
+ *                      context or updating or reseeding the same context.
+ *
+ * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
+ *                      #mbedtls_hmac_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param output_len    The length of the buffer in bytes.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ * \param additional    Additional data to update with.
+ *                      If this is \c NULL, there is no additional data
+ *                      and \p add_len should be \c 0.
+ * \param add_len       The length of the additional data.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if a call to the entropy source failed.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
+ *                      \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if
+ *                      \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT.
+ */
+int mbedtls_hmac_drbg_random_with_add( void *p_rng,
+                               unsigned char *output, size_t output_len,
+                               const unsigned char *additional,
+                               size_t add_len );
+
+/**
+ * \brief   This function uses HMAC_DRBG to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note                When Mbed TLS is built with threading support,
+ *                      it is safe to call mbedtls_ctr_drbg_random()
+ *                      from multiple threads. Other operations, including
+ *                      reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
+ * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
+ *                      #mbedtls_hmac_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param out_len       The length of the buffer in bytes.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if a call to the entropy source failed.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
+ *                      \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ */
+int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len );
+
+/**
+ * \brief               This function resets HMAC_DRBG context to the state immediately
+ *                      after initial call of mbedtls_hmac_drbg_init().
+ *
+ * \param ctx           The HMAC_DRBG context to free.
+ */
+void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief               This function writes a seed file.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed
+ *                      failure.
+ */
+int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
+
+/**
+ * \brief               This function reads and updates a seed file. The seed
+ *                      is added to this instance.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on
+ *                      reseed failure.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing
+ *                      seed file is too large.
+ */
+int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief               The HMAC_DRBG Checkup routine.
+ *
+ * \return              \c 0 if successful.
+ * \return              \c 1 if the test failed.
+ */
+int mbedtls_hmac_drbg_self_test( int verbose );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* hmac_drbg.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/md.h b/third-party/mbedtls-3.6/include/mbedtls/md.h
new file mode 100644
index 00000000..2903e435
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/md.h
@@ -0,0 +1,480 @@
+ /**
+ * \file md.h
+ *
+ * \brief The generic message-digest wrapper.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_MD_H
+#define MBEDTLS_MD_H
+
+#include <stddef.h>
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE                -0x5080  /**< The selected feature is not available. */
+#define MBEDTLS_ERR_MD_BAD_INPUT_DATA                     -0x5100  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_MD_ALLOC_FAILED                       -0x5180  /**< Failed to allocate memory. */
+#define MBEDTLS_ERR_MD_FILE_IO_ERROR                      -0x5200  /**< Opening or reading of file failed. */
+#define MBEDTLS_ERR_MD_HW_ACCEL_FAILED                    -0x5280  /**< MD hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief     Enumeration of supported message digests
+ *
+ * \warning   MD2, MD4, MD5 and SHA-1 are considered weak message digests and
+ *            their use constitutes a security risk. We recommend considering
+ *            stronger message digests instead.
+ *
+ */
+typedef enum {
+    MBEDTLS_MD_NONE=0,
+    MBEDTLS_MD_MD2,
+    MBEDTLS_MD_MD4,
+    MBEDTLS_MD_MD5,
+    MBEDTLS_MD_SHA1,
+    MBEDTLS_MD_SHA224,
+    MBEDTLS_MD_SHA256,
+    MBEDTLS_MD_SHA384,
+    MBEDTLS_MD_SHA512,
+    MBEDTLS_MD_RIPEMD160,
+} mbedtls_md_type_t;
+
+#if defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_MD_MAX_SIZE         64  /* longest known is SHA512 */
+#else
+#define MBEDTLS_MD_MAX_SIZE         32  /* longest known is SHA256 or less */
+#endif
+
+/**
+ * Opaque struct defined in md_internal.h.
+ */
+typedef struct mbedtls_md_info_t mbedtls_md_info_t;
+
+/**
+ * The generic message-digest context.
+ */
+typedef struct {
+    /** Information about the associated message digest. */
+    const mbedtls_md_info_t *md_info;
+
+    /** The digest-specific context. */
+    void *md_ctx;
+
+    /** The HMAC part of the context. */
+    void *hmac_ctx;
+} mbedtls_md_context_t;
+
+/**
+ * \brief           This function returns the list of digests supported by the
+ *                  generic digest module.
+ *
+ * \note            The list starts with the strongest available hashes.
+ *
+ * \return          A statically allocated array of digests. Each element
+ *                  in the returned list is an integer belonging to the
+ *                  message-digest enumeration #mbedtls_md_type_t.
+ *                  The last entry is 0.
+ */
+const int *mbedtls_md_list( void );
+
+/**
+ * \brief           This function returns the message-digest information
+ *                  associated with the given digest name.
+ *
+ * \param md_name   The name of the digest to search for.
+ *
+ * \return          The message-digest information associated with \p md_name,
+ *                  or NULL if not found.
+ */
+const mbedtls_md_info_t *mbedtls_md_info_from_string( const char *md_name );
+
+/**
+ * \brief           This function returns the message-digest information
+ *                  associated with the given digest type.
+ *
+ * \param md_type   The type of digest to search for.
+ *
+ * \return          The message-digest information associated with \p md_type,
+ *                  or NULL if not found.
+ */
+const mbedtls_md_info_t *mbedtls_md_info_from_type( mbedtls_md_type_t md_type );
+
+/**
+ * \brief           This function initializes a message-digest context without
+ *                  binding it to a particular message-digest algorithm.
+ *
+ *                  This function should always be called first. It prepares the
+ *                  context for mbedtls_md_setup() for binding it to a
+ *                  message-digest algorithm.
+ */
+void mbedtls_md_init( mbedtls_md_context_t *ctx );
+
+/**
+ * \brief           This function clears the internal structure of \p ctx and
+ *                  frees any embedded internal structure, but does not free
+ *                  \p ctx itself.
+ *
+ *                  If you have called mbedtls_md_setup() on \p ctx, you must
+ *                  call mbedtls_md_free() when you are no longer using the
+ *                  context.
+ *                  Calling this function if you have previously
+ *                  called mbedtls_md_init() and nothing else is optional.
+ *                  You must not call this function if you have not called
+ *                  mbedtls_md_init().
+ */
+void mbedtls_md_free( mbedtls_md_context_t *ctx );
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief           This function selects the message digest algorithm to use,
+ *                  and allocates internal structures.
+ *
+ *                  It should be called after mbedtls_md_init() or mbedtls_md_free().
+ *                  Makes it necessary to call mbedtls_md_free() later.
+ *
+ * \deprecated      Superseded by mbedtls_md_setup() in 2.0.0
+ *
+ * \param ctx       The context to set up.
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \returns         \c 0 on success,
+ *                  #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure,
+ *                  #MBEDTLS_ERR_MD_ALLOC_FAILED memory allocation failure.
+ */
+int mbedtls_md_init_ctx( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info ) MBEDTLS_DEPRECATED;
+#undef MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief           This function selects the message digest algorithm to use,
+ *                  and allocates internal structures.
+ *
+ *                  It should be called after mbedtls_md_init() or
+ *                  mbedtls_md_free(). Makes it necessary to call
+ *                  mbedtls_md_free() later.
+ *
+ * \param ctx       The context to set up.
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ * \param hmac      <ul><li>0: HMAC is not used. Saves some memory.</li>
+ *                  <li>non-zero: HMAC is used with this context.</li></ul>
+ *
+ * \returns         \c 0 on success,
+ *                  #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure, or
+ *                  #MBEDTLS_ERR_MD_ALLOC_FAILED on memory allocation failure.
+ */
+int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac );
+
+/**
+ * \brief           This function clones the state of an message-digest
+ *                  context.
+ *
+ * \note            You must call mbedtls_md_setup() on \c dst before calling
+ *                  this function.
+ *
+ * \note            The two contexts must have the same type,
+ *                  for example, both are SHA-256.
+ *
+ * \warning         This function clones the message-digest state, not the
+ *                  HMAC state.
+ *
+ * \param dst       The destination context.
+ * \param src       The context to be cloned.
+ *
+ * \return          \c 0 on success,
+ *                  #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure.
+ */
+int mbedtls_md_clone( mbedtls_md_context_t *dst,
+                      const mbedtls_md_context_t *src );
+
+/**
+ * \brief           This function extracts the message-digest size from the
+ *                  message-digest information structure.
+ *
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \return          The size of the message-digest output in Bytes.
+ */
+unsigned char mbedtls_md_get_size( const mbedtls_md_info_t *md_info );
+
+/**
+ * \brief           This function extracts the message-digest type from the
+ *                  message-digest information structure.
+ *
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \return          The type of the message digest.
+ */
+mbedtls_md_type_t mbedtls_md_get_type( const mbedtls_md_info_t *md_info );
+
+/**
+ * \brief           This function extracts the message-digest name from the
+ *                  message-digest information structure.
+ *
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \return          The name of the message digest.
+ */
+const char *mbedtls_md_get_name( const mbedtls_md_info_t *md_info );
+
+/**
+ * \brief           This function starts a message-digest computation.
+ *
+ *                  You must call this function after setting up the context
+ *                  with mbedtls_md_setup(), and before passing data with
+ *                  mbedtls_md_update().
+ *
+ * \param ctx       The generic message-digest context.
+ *
+ * \returns         \c 0 on success, #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
+ *                  parameter verification fails.
+ */
+int mbedtls_md_starts( mbedtls_md_context_t *ctx );
+
+/**
+ * \brief           This function feeds an input buffer into an ongoing
+ *                  message-digest computation.
+ *
+ *                  You must call mbedtls_md_starts() before calling this
+ *                  function. You may call this function multiple times.
+ *                  Afterwards, call mbedtls_md_finish().
+ *
+ * \param ctx       The generic message-digest context.
+ * \param input     The buffer holding the input data.
+ * \param ilen      The length of the input data.
+ *
+ * \returns         \c 0 on success, #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
+ *                  parameter verification fails.
+ */
+int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen );
+
+/**
+ * \brief           This function finishes the digest operation,
+ *                  and writes the result to the output buffer.
+ *
+ *                  Call this function after a call to mbedtls_md_starts(),
+ *                  followed by any number of calls to mbedtls_md_update().
+ *                  Afterwards, you may either clear the context with
+ *                  mbedtls_md_free(), or call mbedtls_md_starts() to reuse
+ *                  the context for another digest operation with the same
+ *                  algorithm.
+ *
+ * \param ctx       The generic message-digest context.
+ * \param output    The buffer for the generic message-digest checksum result.
+ *
+ * \returns         \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
+ *                  parameter verification fails.
+ */
+int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output );
+
+/**
+ * \brief          This function calculates the message-digest of a buffer,
+ *                 with respect to a configurable message-digest algorithm
+ *                 in a single call.
+ *
+ *                 The result is calculated as
+ *                 Output = message_digest(input buffer).
+ *
+ * \param md_info  The information structure of the message-digest algorithm
+ *                 to use.
+ * \param input    The buffer holding the data.
+ * \param ilen     The length of the input data.
+ * \param output   The generic message-digest checksum result.
+ *
+ * \returns        \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
+ *                 parameter verification fails.
+ */
+int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
+        unsigned char *output );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          This function calculates the message-digest checksum
+ *                 result of the contents of the provided file.
+ *
+ *                 The result is calculated as
+ *                 Output = message_digest(file contents).
+ *
+ * \param md_info  The information structure of the message-digest algorithm
+ *                 to use.
+ * \param path     The input file name.
+ * \param output   The generic message-digest checksum result.
+ *
+ * \return         \c 0 on success,
+ *                 #MBEDTLS_ERR_MD_FILE_IO_ERROR if file input failed, or
+ *                 #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info was NULL.
+ */
+int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path,
+                     unsigned char *output );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief           This function sets the HMAC key and prepares to
+ *                  authenticate a new message.
+ *
+ *                  Call this function after mbedtls_md_setup(), to use
+ *                  the MD context for an HMAC calculation, then call
+ *                  mbedtls_md_hmac_update() to provide the input data, and
+ *                  mbedtls_md_hmac_finish() to get the HMAC value.
+ *
+ * \param ctx       The message digest context containing an embedded HMAC
+ *                  context.
+ * \param key       The HMAC secret key.
+ * \param keylen    The length of the HMAC key in Bytes.
+ *
+ * \returns         \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
+ *                  parameter verification fails.
+ */
+int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key,
+                    size_t keylen );
+
+/**
+ * \brief           This function feeds an input buffer into an ongoing HMAC
+ *                  computation.
+ *
+ *                  Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset()
+ *                  before calling this function.
+ *                  You may call this function multiple times to pass the
+ *                  input piecewise.
+ *                  Afterwards, call mbedtls_md_hmac_finish().
+ *
+ * \param ctx       The message digest context containing an embedded HMAC
+ *                  context.
+ * \param input     The buffer holding the input data.
+ * \param ilen      The length of the input data.
+ *
+ * \returns         \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
+ *                  parameter verification fails.
+ */
+int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *input,
+                    size_t ilen );
+
+/**
+ * \brief           This function finishes the HMAC operation, and writes
+ *                  the result to the output buffer.
+ *
+ *                  Call this function after mbedtls_md_hmac_starts() and
+ *                  mbedtls_md_hmac_update() to get the HMAC value. Afterwards
+ *                  you may either call mbedtls_md_free() to clear the context,
+ *                  or call mbedtls_md_hmac_reset() to reuse the context with
+ *                  the same HMAC key.
+ *
+ * \param ctx       The message digest context containing an embedded HMAC
+ *                  context.
+ * \param output    The generic HMAC checksum result.
+ *
+ * \returns         \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
+ *                  parameter verification fails.
+ */
+int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output);
+
+/**
+ * \brief           This function prepares to authenticate a new message with
+ *                  the same key as the previous HMAC operation.
+ *
+ *                  You may call this function after mbedtls_md_hmac_finish().
+ *                  Afterwards call mbedtls_md_hmac_update() to pass the new
+ *                  input.
+ *
+ * \param ctx       The message digest context containing an embedded HMAC
+ *                  context.
+ *
+ * \returns         \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
+ *                  parameter verification fails.
+ */
+int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx );
+
+/**
+ * \brief          This function calculates the full generic HMAC
+ *                 on the input buffer with the provided key.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The HMAC result is calculated as
+ *                 output = generic HMAC(hmac key, input buffer).
+ *
+ * \param md_info  The information structure of the message-digest algorithm
+ *                 to use.
+ * \param key      The HMAC secret key.
+ * \param keylen   The length of the HMAC secret key in Bytes.
+ * \param input    The buffer holding the input data.
+ * \param ilen     The length of the input data.
+ * \param output   The generic HMAC result.
+ *
+ * \returns        \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
+ *                 parameter verification fails.
+ */
+int mbedtls_md_hmac( const mbedtls_md_info_t *md_info, const unsigned char *key, size_t keylen,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output );
+
+/* Internal use */
+int mbedtls_md_process( mbedtls_md_context_t *ctx, const unsigned char *data );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_MD_H */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/md2.h b/third-party/mbedtls-3.6/include/mbedtls/md2.h
new file mode 100644
index 00000000..795db37d
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/md2.h
@@ -0,0 +1,334 @@
+/**
+ * \file md2.h
+ *
+ * \brief MD2 message digest algorithm (hash function)
+ *
+ * \warning MD2 is considered a weak message digest and its use constitutes a
+ *          security risk. We recommend considering stronger message digests
+ *          instead.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ *
+ */
+#ifndef MBEDTLS_MD2_H
+#define MBEDTLS_MD2_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#define MBEDTLS_ERR_MD2_HW_ACCEL_FAILED                   -0x002B  /**< MD2 hardware accelerator failed */
+
+#if !defined(MBEDTLS_MD2_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          MD2 context structure
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct
+{
+    unsigned char cksum[16];    /*!< checksum of the data block */
+    unsigned char state[48];    /*!< intermediate digest state  */
+    unsigned char buffer[16];   /*!< data block being processed */
+    size_t left;                /*!< amount of data in buffer   */
+}
+mbedtls_md2_context;
+
+/**
+ * \brief          Initialize MD2 context
+ *
+ * \param ctx      MD2 context to be initialized
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md2_init( mbedtls_md2_context *ctx );
+
+/**
+ * \brief          Clear MD2 context
+ *
+ * \param ctx      MD2 context to be cleared
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md2_free( mbedtls_md2_context *ctx );
+
+/**
+ * \brief          Clone (the state of) an MD2 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md2_clone( mbedtls_md2_context *dst,
+                        const mbedtls_md2_context *src );
+
+/**
+ * \brief          MD2 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_starts_ret( mbedtls_md2_context *ctx );
+
+/**
+ * \brief          MD2 process buffer
+ *
+ * \param ctx      MD2 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_update_ret( mbedtls_md2_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen );
+
+/**
+ * \brief          MD2 final digest
+ *
+ * \param ctx      MD2 context
+ * \param output   MD2 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_finish_ret( mbedtls_md2_context *ctx,
+                            unsigned char output[16] );
+
+/**
+ * \brief          MD2 process data block (internal use only)
+ *
+ * \param ctx      MD2 context
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_internal_md2_process( mbedtls_md2_context *ctx );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          MD2 context setup
+ *
+ * \deprecated     Superseded by mbedtls_md2_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_starts( mbedtls_md2_context *ctx );
+
+/**
+ * \brief          MD2 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_md2_update_ret() in 2.7.0
+ *
+ * \param ctx      MD2 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_update( mbedtls_md2_context *ctx,
+                                            const unsigned char *input,
+                                            size_t ilen );
+
+/**
+ * \brief          MD2 final digest
+ *
+ * \deprecated     Superseded by mbedtls_md2_finish_ret() in 2.7.0
+ *
+ * \param ctx      MD2 context
+ * \param output   MD2 checksum result
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_finish( mbedtls_md2_context *ctx,
+                                            unsigned char output[16] );
+
+/**
+ * \brief          MD2 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_md2_process() in 2.7.0
+ *
+ * \param ctx      MD2 context
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_process( mbedtls_md2_context *ctx );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_MD2_ALT */
+#include "md2_alt.h"
+#endif /* MBEDTLS_MD2_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Output = MD2( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD2 checksum result
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = MD2( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_md2_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD2 checksum result
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2( const unsigned char *input,
+                                     size_t ilen,
+                                     unsigned char output[16] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_md2.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/md4.h b/third-party/mbedtls-3.6/include/mbedtls/md4.h
new file mode 100644
index 00000000..e091fd91
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/md4.h
@@ -0,0 +1,339 @@
+/**
+ * \file md4.h
+ *
+ * \brief MD4 message digest algorithm (hash function)
+ *
+ * \warning MD4 is considered a weak message digest and its use constitutes a
+ *          security risk. We recommend considering stronger message digests
+ *          instead.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ *
+ */
+#ifndef MBEDTLS_MD4_H
+#define MBEDTLS_MD4_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_MD4_HW_ACCEL_FAILED                   -0x002D  /**< MD4 hardware accelerator failed */
+
+#if !defined(MBEDTLS_MD4_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          MD4 context structure
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct
+{
+    uint32_t total[2];          /*!< number of bytes processed  */
+    uint32_t state[4];          /*!< intermediate digest state  */
+    unsigned char buffer[64];   /*!< data block being processed */
+}
+mbedtls_md4_context;
+
+/**
+ * \brief          Initialize MD4 context
+ *
+ * \param ctx      MD4 context to be initialized
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md4_init( mbedtls_md4_context *ctx );
+
+/**
+ * \brief          Clear MD4 context
+ *
+ * \param ctx      MD4 context to be cleared
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md4_free( mbedtls_md4_context *ctx );
+
+/**
+ * \brief          Clone (the state of) an MD4 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md4_clone( mbedtls_md4_context *dst,
+                        const mbedtls_md4_context *src );
+
+/**
+ * \brief          MD4 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ */
+int mbedtls_md4_starts_ret( mbedtls_md4_context *ctx );
+
+/**
+ * \brief          MD4 process buffer
+ *
+ * \param ctx      MD4 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_update_ret( mbedtls_md4_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen );
+
+/**
+ * \brief          MD4 final digest
+ *
+ * \param ctx      MD4 context
+ * \param output   MD4 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_finish_ret( mbedtls_md4_context *ctx,
+                            unsigned char output[16] );
+
+/**
+ * \brief          MD4 process data block (internal use only)
+ *
+ * \param ctx      MD4 context
+ * \param data     buffer holding one block of data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
+                                  const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          MD4 context setup
+ *
+ * \deprecated     Superseded by mbedtls_md4_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_starts( mbedtls_md4_context *ctx );
+
+/**
+ * \brief          MD4 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_md4_update_ret() in 2.7.0
+ *
+ * \param ctx      MD4 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_update( mbedtls_md4_context *ctx,
+                                            const unsigned char *input,
+                                            size_t ilen );
+
+/**
+ * \brief          MD4 final digest
+ *
+ * \deprecated     Superseded by mbedtls_md4_finish_ret() in 2.7.0
+ *
+ * \param ctx      MD4 context
+ * \param output   MD4 checksum result
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_finish( mbedtls_md4_context *ctx,
+                                            unsigned char output[16] );
+
+/**
+ * \brief          MD4 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_md4_process() in 2.7.0
+ *
+ * \param ctx      MD4 context
+ * \param data     buffer holding one block of data
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_process( mbedtls_md4_context *ctx,
+                                             const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_MD4_ALT */
+#include "md4_alt.h"
+#endif /* MBEDTLS_MD4_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Output = MD4( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD4 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = MD4( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_md4_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD4 checksum result
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4( const unsigned char *input,
+                                     size_t ilen,
+                                     unsigned char output[16] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_md4.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/md5.h b/third-party/mbedtls-3.6/include/mbedtls/md5.h
new file mode 100644
index 00000000..e24c87de
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/md5.h
@@ -0,0 +1,339 @@
+/**
+ * \file md5.h
+ *
+ * \brief MD5 message digest algorithm (hash function)
+ *
+ * \warning   MD5 is considered a weak message digest and its use constitutes a
+ *            security risk. We recommend considering stronger message
+ *            digests instead.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_MD5_H
+#define MBEDTLS_MD5_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_MD5_HW_ACCEL_FAILED                   -0x002F  /**< MD5 hardware accelerator failed */
+
+#if !defined(MBEDTLS_MD5_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          MD5 context structure
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct
+{
+    uint32_t total[2];          /*!< number of bytes processed  */
+    uint32_t state[4];          /*!< intermediate digest state  */
+    unsigned char buffer[64];   /*!< data block being processed */
+}
+mbedtls_md5_context;
+
+/**
+ * \brief          Initialize MD5 context
+ *
+ * \param ctx      MD5 context to be initialized
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md5_init( mbedtls_md5_context *ctx );
+
+/**
+ * \brief          Clear MD5 context
+ *
+ * \param ctx      MD5 context to be cleared
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md5_free( mbedtls_md5_context *ctx );
+
+/**
+ * \brief          Clone (the state of) an MD5 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md5_clone( mbedtls_md5_context *dst,
+                        const mbedtls_md5_context *src );
+
+/**
+ * \brief          MD5 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_starts_ret( mbedtls_md5_context *ctx );
+
+/**
+ * \brief          MD5 process buffer
+ *
+ * \param ctx      MD5 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_update_ret( mbedtls_md5_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen );
+
+/**
+ * \brief          MD5 final digest
+ *
+ * \param ctx      MD5 context
+ * \param output   MD5 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_finish_ret( mbedtls_md5_context *ctx,
+                            unsigned char output[16] );
+
+/**
+ * \brief          MD5 process data block (internal use only)
+ *
+ * \param ctx      MD5 context
+ * \param data     buffer holding one block of data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
+                                  const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          MD5 context setup
+ *
+ * \deprecated     Superseded by mbedtls_md5_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5_starts( mbedtls_md5_context *ctx );
+
+/**
+ * \brief          MD5 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_md5_update_ret() in 2.7.0
+ *
+ * \param ctx      MD5 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5_update( mbedtls_md5_context *ctx,
+                                            const unsigned char *input,
+                                            size_t ilen );
+
+/**
+ * \brief          MD5 final digest
+ *
+ * \deprecated     Superseded by mbedtls_md5_finish_ret() in 2.7.0
+ *
+ * \param ctx      MD5 context
+ * \param output   MD5 checksum result
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5_finish( mbedtls_md5_context *ctx,
+                                            unsigned char output[16] );
+
+/**
+ * \brief          MD5 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_md5_process() in 2.7.0
+ *
+ * \param ctx      MD5 context
+ * \param data     buffer holding one block of data
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5_process( mbedtls_md5_context *ctx,
+                                             const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_MD5_ALT */
+#include "md5_alt.h"
+#endif /* MBEDTLS_MD5_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Output = MD5( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD5 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = MD5( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_md5_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD5 checksum result
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5( const unsigned char *input,
+                                     size_t ilen,
+                                     unsigned char output[16] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_md5.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/md_internal.h b/third-party/mbedtls-3.6/include/mbedtls/md_internal.h
new file mode 100644
index 00000000..847f50aa
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/md_internal.h
@@ -0,0 +1,140 @@
+/**
+ * \file md_internal.h
+ *
+ * \brief Message digest wrappers.
+ *
+ * \warning This in an internal header. Do not include directly.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_MD_WRAP_H
+#define MBEDTLS_MD_WRAP_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Message digest information.
+ * Allows message digest functions to be called in a generic way.
+ */
+struct mbedtls_md_info_t
+{
+    /** Digest identifier */
+    mbedtls_md_type_t type;
+
+    /** Name of the message digest */
+    const char * name;
+
+    /** Output length of the digest function in bytes */
+    int size;
+
+    /** Block length of the digest function in bytes */
+    int block_size;
+
+    /** Digest initialisation function */
+    int (*starts_func)( void *ctx );
+
+    /** Digest update function */
+    int (*update_func)( void *ctx, const unsigned char *input, size_t ilen );
+
+    /** Digest finalisation function */
+    int (*finish_func)( void *ctx, unsigned char *output );
+
+    /** Generic digest function */
+    int (*digest_func)( const unsigned char *input, size_t ilen,
+                        unsigned char *output );
+
+    /** Allocate a new context */
+    void * (*ctx_alloc_func)( void );
+
+    /** Free the given context */
+    void (*ctx_free_func)( void *ctx );
+
+    /** Clone state from a context */
+    void (*clone_func)( void *dst, const void *src );
+
+    /** Internal use only */
+    int (*process_func)( void *ctx, const unsigned char *input );
+};
+
+#if defined(MBEDTLS_MD2_C)
+extern const mbedtls_md_info_t mbedtls_md2_info;
+#endif
+#if defined(MBEDTLS_MD4_C)
+extern const mbedtls_md_info_t mbedtls_md4_info;
+#endif
+#if defined(MBEDTLS_MD5_C)
+extern const mbedtls_md_info_t mbedtls_md5_info;
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+extern const mbedtls_md_info_t mbedtls_ripemd160_info;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+extern const mbedtls_md_info_t mbedtls_sha1_info;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+extern const mbedtls_md_info_t mbedtls_sha224_info;
+extern const mbedtls_md_info_t mbedtls_sha256_info;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+extern const mbedtls_md_info_t mbedtls_sha384_info;
+extern const mbedtls_md_info_t mbedtls_sha512_info;
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_MD_WRAP_H */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/memory_buffer_alloc.h b/third-party/mbedtls-3.6/include/mbedtls/memory_buffer_alloc.h
new file mode 100644
index 00000000..89c06174
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/memory_buffer_alloc.h
@@ -0,0 +1,176 @@
+/**
+ * \file memory_buffer_alloc.h
+ *
+ * \brief Buffer-based memory allocator
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_MEMORY_BUFFER_ALLOC_H
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_MEMORY_ALIGN_MULTIPLE)
+#define MBEDTLS_MEMORY_ALIGN_MULTIPLE       4 /**< Align on multiples of this value */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#define MBEDTLS_MEMORY_VERIFY_NONE         0
+#define MBEDTLS_MEMORY_VERIFY_ALLOC        (1 << 0)
+#define MBEDTLS_MEMORY_VERIFY_FREE         (1 << 1)
+#define MBEDTLS_MEMORY_VERIFY_ALWAYS       (MBEDTLS_MEMORY_VERIFY_ALLOC | MBEDTLS_MEMORY_VERIFY_FREE)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   Initialize use of stack-based memory allocator.
+ *          The stack-based allocator does memory management inside the
+ *          presented buffer and does not call calloc() and free().
+ *          It sets the global mbedtls_calloc() and mbedtls_free() pointers
+ *          to its own functions.
+ *          (Provided mbedtls_calloc() and mbedtls_free() are thread-safe if
+ *           MBEDTLS_THREADING_C is defined)
+ *
+ * \note    This code is not optimized and provides a straight-forward
+ *          implementation of a stack-based memory allocator.
+ *
+ * \param buf   buffer to use as heap
+ * \param len   size of the buffer
+ */
+void mbedtls_memory_buffer_alloc_init( unsigned char *buf, size_t len );
+
+/**
+ * \brief   Free the mutex for thread-safety and clear remaining memory
+ */
+void mbedtls_memory_buffer_alloc_free( void );
+
+/**
+ * \brief   Determine when the allocator should automatically verify the state
+ *          of the entire chain of headers / meta-data.
+ *          (Default: MBEDTLS_MEMORY_VERIFY_NONE)
+ *
+ * \param verify    One of MBEDTLS_MEMORY_VERIFY_NONE, MBEDTLS_MEMORY_VERIFY_ALLOC,
+ *                  MBEDTLS_MEMORY_VERIFY_FREE or MBEDTLS_MEMORY_VERIFY_ALWAYS
+ */
+void mbedtls_memory_buffer_set_verify( int verify );
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+/**
+ * \brief   Print out the status of the allocated memory (primarily for use
+ *          after a program should have de-allocated all memory)
+ *          Prints out a list of 'still allocated' blocks and their stack
+ *          trace if MBEDTLS_MEMORY_BACKTRACE is defined.
+ */
+void mbedtls_memory_buffer_alloc_status( void );
+
+/**
+ * \brief   Get the peak heap usage so far
+ *
+ * \param max_used      Peak number of bytes in use or committed. This
+ *                      includes bytes in allocated blocks too small to split
+ *                      into smaller blocks but larger than the requested size.
+ * \param max_blocks    Peak number of blocks in use, including free and used
+ */
+void mbedtls_memory_buffer_alloc_max_get( size_t *max_used, size_t *max_blocks );
+
+/**
+ * \brief   Reset peak statistics
+ */
+void mbedtls_memory_buffer_alloc_max_reset( void );
+
+/**
+ * \brief   Get the current heap usage
+ *
+ * \param cur_used      Current number of bytes in use or committed. This
+ *                      includes bytes in allocated blocks too small to split
+ *                      into smaller blocks but larger than the requested size.
+ * \param cur_blocks    Current number of blocks in use, including free and used
+ */
+void mbedtls_memory_buffer_alloc_cur_get( size_t *cur_used, size_t *cur_blocks );
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+/**
+ * \brief   Verifies that all headers in the memory buffer are correct
+ *          and contain sane values. Helps debug buffer-overflow errors.
+ *
+ *          Prints out first failure if MBEDTLS_MEMORY_DEBUG is defined.
+ *          Prints out full header information if MBEDTLS_MEMORY_DEBUG
+ *          is defined. (Includes stack trace information for each block if
+ *          MBEDTLS_MEMORY_BACKTRACE is defined as well).
+ *
+ * \return             0 if verified, 1 otherwise
+ */
+int mbedtls_memory_buffer_alloc_verify( void );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_memory_buffer_alloc_self_test( int verbose );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* memory_buffer_alloc.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/net.h b/third-party/mbedtls-3.6/include/mbedtls/net.h
new file mode 100644
index 00000000..6c7a49d3
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/net.h
@@ -0,0 +1,62 @@
+/**
+ * \file net.h
+ *
+ * \brief Deprecated header file that includes net_sockets.h
+ *
+ * \deprecated Superseded by mbedtls/net_sockets.h
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#include "net_sockets.h"
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Deprecated header file: Superseded by mbedtls/net_sockets.h"
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/net_sockets.h b/third-party/mbedtls-3.6/include/mbedtls/net_sockets.h
new file mode 100644
index 00000000..e58b0681
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/net_sockets.h
@@ -0,0 +1,264 @@
+/**
+ * \file net_sockets.h
+ *
+ * \brief Network communication functions
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_NET_SOCKETS_H
+#define MBEDTLS_NET_SOCKETS_H
+
+#if defined(MBEDTLS_NET_C)
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_NET_SOCKET_FAILED                     -0x0042  /**< Failed to open a socket. */
+#define MBEDTLS_ERR_NET_CONNECT_FAILED                    -0x0044  /**< The connection to the given server / port failed. */
+#define MBEDTLS_ERR_NET_BIND_FAILED                       -0x0046  /**< Binding of the socket failed. */
+#define MBEDTLS_ERR_NET_LISTEN_FAILED                     -0x0048  /**< Could not listen on the socket. */
+#define MBEDTLS_ERR_NET_ACCEPT_FAILED                     -0x004A  /**< Could not accept the incoming connection. */
+#define MBEDTLS_ERR_NET_RECV_FAILED                       -0x004C  /**< Reading information from the socket failed. */
+#define MBEDTLS_ERR_NET_SEND_FAILED                       -0x004E  /**< Sending information through the socket failed. */
+#define MBEDTLS_ERR_NET_CONN_RESET                        -0x0050  /**< Connection was reset by peer. */
+#define MBEDTLS_ERR_NET_UNKNOWN_HOST                      -0x0052  /**< Failed to get an IP address for the given hostname. */
+#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL                  -0x0043  /**< Buffer is too small to hold the data. */
+#define MBEDTLS_ERR_NET_INVALID_CONTEXT                   -0x0045  /**< The context is invalid, eg because it was free()ed. */
+
+#define MBEDTLS_NET_LISTEN_BACKLOG         10 /**< The backlog that listen() should use. */
+
+#define MBEDTLS_NET_PROTO_TCP 0 /**< The TCP transport protocol */
+#define MBEDTLS_NET_PROTO_UDP 1 /**< The UDP transport protocol */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Wrapper type for sockets.
+ *
+ * Currently backed by just a file descriptor, but might be more in the future
+ * (eg two file descriptors for combined IPv4 + IPv6 support, or additional
+ * structures for hand-made UDP demultiplexing).
+ */
+typedef struct
+{
+    int fd;             /**< The underlying file descriptor                 */
+}
+mbedtls_net_context;
+
+/**
+ * \brief          Initialize a context
+ *                 Just makes the context ready to be used or freed safely.
+ *
+ * \param ctx      Context to initialize
+ */
+void mbedtls_net_init( mbedtls_net_context *ctx );
+
+/**
+ * \brief          Initiate a connection with host:port in the given protocol
+ *
+ * \param ctx      Socket to use
+ * \param host     Host to connect to
+ * \param port     Port to connect to
+ * \param proto    Protocol: MBEDTLS_NET_PROTO_TCP or MBEDTLS_NET_PROTO_UDP
+ *
+ * \return         0 if successful, or one of:
+ *                      MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                      MBEDTLS_ERR_NET_UNKNOWN_HOST,
+ *                      MBEDTLS_ERR_NET_CONNECT_FAILED
+ *
+ * \note           Sets the socket in connected mode even with UDP.
+ */
+int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host, const char *port, int proto );
+
+/**
+ * \brief          Create a receiving socket on bind_ip:port in the chosen
+ *                 protocol. If bind_ip == NULL, all interfaces are bound.
+ *
+ * \param ctx      Socket to use
+ * \param bind_ip  IP to bind to, can be NULL
+ * \param port     Port number to use
+ * \param proto    Protocol: MBEDTLS_NET_PROTO_TCP or MBEDTLS_NET_PROTO_UDP
+ *
+ * \return         0 if successful, or one of:
+ *                      MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                      MBEDTLS_ERR_NET_UNKNOWN_HOST,
+ *                      MBEDTLS_ERR_NET_BIND_FAILED,
+ *                      MBEDTLS_ERR_NET_LISTEN_FAILED
+ *
+ * \note           Regardless of the protocol, opens the sockets and binds it.
+ *                 In addition, make the socket listening if protocol is TCP.
+ */
+int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto );
+
+/**
+ * \brief           Accept a connection from a remote client
+ *
+ * \param bind_ctx  Relevant socket
+ * \param client_ctx Will contain the connected client socket
+ * \param client_ip Will contain the client IP address, can be NULL
+ * \param buf_size  Size of the client_ip buffer
+ * \param ip_len    Will receive the size of the client IP written,
+ *                  can be NULL if client_ip is null
+ *
+ * \return          0 if successful, or
+ *                  MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                  MBEDTLS_ERR_NET_BIND_FAILED,
+ *                  MBEDTLS_ERR_NET_ACCEPT_FAILED, or
+ *                  MBEDTLS_ERR_NET_BUFFER_TOO_SMALL if buf_size is too small,
+ *                  MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to
+ *                  non-blocking and accept() would block.
+ */
+int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+                        mbedtls_net_context *client_ctx,
+                        void *client_ip, size_t buf_size, size_t *ip_len );
+
+/**
+ * \brief          Set the socket blocking
+ *
+ * \param ctx      Socket to set
+ *
+ * \return         0 if successful, or a non-zero error code
+ */
+int mbedtls_net_set_block( mbedtls_net_context *ctx );
+
+/**
+ * \brief          Set the socket non-blocking
+ *
+ * \param ctx      Socket to set
+ *
+ * \return         0 if successful, or a non-zero error code
+ */
+int mbedtls_net_set_nonblock( mbedtls_net_context *ctx );
+
+/**
+ * \brief          Portable usleep helper
+ *
+ * \param usec     Amount of microseconds to sleep
+ *
+ * \note           Real amount of time slept will not be less than
+ *                 select()'s timeout granularity (typically, 10ms).
+ */
+void mbedtls_net_usleep( unsigned long usec );
+
+/**
+ * \brief          Read at most 'len' characters. If no error occurs,
+ *                 the actual amount read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to write to
+ * \param len      Maximum length of the buffer
+ *
+ * \return         the number of bytes received,
+ *                 or a non-zero error code; with a non-blocking socket,
+ *                 MBEDTLS_ERR_SSL_WANT_READ indicates read() would block.
+ */
+int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len );
+
+/**
+ * \brief          Write at most 'len' characters. If no error occurs,
+ *                 the actual amount read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to read from
+ * \param len      The length of the buffer
+ *
+ * \return         the number of bytes sent,
+ *                 or a non-zero error code; with a non-blocking socket,
+ *                 MBEDTLS_ERR_SSL_WANT_WRITE indicates write() would block.
+ */
+int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len );
+
+/**
+ * \brief          Read at most 'len' characters, blocking for at most
+ *                 'timeout' seconds. If no error occurs, the actual amount
+ *                 read is returned.
+ *
+ * \note           The current implementation of this function uses
+ *                 select() and returns an error if the file descriptor
+ *                 is \c FD_SETSIZE or greater.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to write to
+ * \param len      Maximum length of the buffer
+ * \param timeout  Maximum number of milliseconds to wait for data
+ *                 0 means no timeout (wait forever)
+ *
+ * \return         The number of bytes received if successful.
+ *                 MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out.
+ *                 MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
+ *                 Another negative error code (MBEDTLS_ERR_NET_xxx)
+ *                 for other failures.
+ *
+ * \note           This function will block (until data becomes available or
+ *                 timeout is reached) even if the socket is set to
+ *                 non-blocking. Handling timeouts with non-blocking reads
+ *                 requires a different strategy.
+ */
+int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
+                      uint32_t timeout );
+
+/**
+ * \brief          Gracefully shutdown the connection and free associated data
+ *
+ * \param ctx      The context to free
+ */
+void mbedtls_net_free( mbedtls_net_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
+#endif /* MBEDTLS_NET_SOCKETS_H */
\ No newline at end of file
diff --git a/third-party/mbedtls-3.6/include/mbedtls/oid.h b/third-party/mbedtls-3.6/include/mbedtls/oid.h
new file mode 100644
index 00000000..40b4bc4f
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/oid.h
@@ -0,0 +1,614 @@
+/**
+ * \file oid.h
+ *
+ * \brief Object Identifier (OID) database
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_OID_H
+#define MBEDTLS_OID_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "asn1.h"
+#include "pk.h"
+
+#include <stddef.h>
+
+#if defined(MBEDTLS_CIPHER_C)
+#include "cipher.h"
+#endif
+
+#if defined(MBEDTLS_MD_C)
+#include "md.h"
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+#include "x509.h"
+#endif
+
+#define MBEDTLS_ERR_OID_NOT_FOUND                         -0x002E  /**< OID is not found. */
+#define MBEDTLS_ERR_OID_BUF_TOO_SMALL                     -0x000B  /**< output buffer is too small */
+
+/*
+ * Top level OID tuples
+ */
+#define MBEDTLS_OID_ISO_MEMBER_BODIES           "\x2a"          /* {iso(1) member-body(2)} */
+#define MBEDTLS_OID_ISO_IDENTIFIED_ORG          "\x2b"          /* {iso(1) identified-organization(3)} */
+#define MBEDTLS_OID_ISO_CCITT_DS                "\x55"          /* {joint-iso-ccitt(2) ds(5)} */
+#define MBEDTLS_OID_ISO_ITU_COUNTRY             "\x60"          /* {joint-iso-itu-t(2) country(16)} */
+
+/*
+ * ISO Member bodies OID parts
+ */
+#define MBEDTLS_OID_COUNTRY_US                  "\x86\x48"      /* {us(840)} */
+#define MBEDTLS_OID_ORG_RSA_DATA_SECURITY       "\x86\xf7\x0d"  /* {rsadsi(113549)} */
+#define MBEDTLS_OID_RSA_COMPANY                 MBEDTLS_OID_ISO_MEMBER_BODIES MBEDTLS_OID_COUNTRY_US \
+                                        MBEDTLS_OID_ORG_RSA_DATA_SECURITY /* {iso(1) member-body(2) us(840) rsadsi(113549)} */
+#define MBEDTLS_OID_ORG_ANSI_X9_62              "\xce\x3d" /* ansi-X9-62(10045) */
+#define MBEDTLS_OID_ANSI_X9_62                  MBEDTLS_OID_ISO_MEMBER_BODIES MBEDTLS_OID_COUNTRY_US \
+                                        MBEDTLS_OID_ORG_ANSI_X9_62
+
+/*
+ * ISO Identified organization OID parts
+ */
+#define MBEDTLS_OID_ORG_DOD                     "\x06"          /* {dod(6)} */
+#define MBEDTLS_OID_ORG_OIW                     "\x0e"
+#define MBEDTLS_OID_OIW_SECSIG                  MBEDTLS_OID_ORG_OIW "\x03"
+#define MBEDTLS_OID_OIW_SECSIG_ALG              MBEDTLS_OID_OIW_SECSIG "\x02"
+#define MBEDTLS_OID_OIW_SECSIG_SHA1             MBEDTLS_OID_OIW_SECSIG_ALG "\x1a"
+#define MBEDTLS_OID_ORG_CERTICOM                "\x81\x04"  /* certicom(132) */
+#define MBEDTLS_OID_CERTICOM                    MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_CERTICOM
+#define MBEDTLS_OID_ORG_TELETRUST               "\x24" /* teletrust(36) */
+#define MBEDTLS_OID_TELETRUST                   MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_TELETRUST
+
+/*
+ * ISO ITU OID parts
+ */
+#define MBEDTLS_OID_ORGANIZATION                "\x01"          /* {organization(1)} */
+#define MBEDTLS_OID_ISO_ITU_US_ORG              MBEDTLS_OID_ISO_ITU_COUNTRY MBEDTLS_OID_COUNTRY_US MBEDTLS_OID_ORGANIZATION /* {joint-iso-itu-t(2) country(16) us(840) organization(1)} */
+
+#define MBEDTLS_OID_ORG_GOV                     "\x65"          /* {gov(101)} */
+#define MBEDTLS_OID_GOV                         MBEDTLS_OID_ISO_ITU_US_ORG MBEDTLS_OID_ORG_GOV /* {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)} */
+
+#define MBEDTLS_OID_ORG_NETSCAPE                "\x86\xF8\x42"  /* {netscape(113730)} */
+#define MBEDTLS_OID_NETSCAPE                    MBEDTLS_OID_ISO_ITU_US_ORG MBEDTLS_OID_ORG_NETSCAPE /* Netscape OID {joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730)} */
+
+/* ISO arc for standard certificate and CRL extensions */
+#define MBEDTLS_OID_ID_CE                       MBEDTLS_OID_ISO_CCITT_DS "\x1D" /**< id-ce OBJECT IDENTIFIER  ::=  {joint-iso-ccitt(2) ds(5) 29} */
+
+/**
+ * Private Internet Extensions
+ * { iso(1) identified-organization(3) dod(6) internet(1)
+ *                      security(5) mechanisms(5) pkix(7) }
+ */
+#define MBEDTLS_OID_PKIX                        MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_DOD "\x01\x05\x05\x07"
+
+/*
+ * Arc for standard naming attributes
+ */
+#define MBEDTLS_OID_AT                          MBEDTLS_OID_ISO_CCITT_DS "\x04" /**< id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4} */
+#define MBEDTLS_OID_AT_CN                       MBEDTLS_OID_AT "\x03" /**< id-at-commonName AttributeType:= {id-at 3} */
+#define MBEDTLS_OID_AT_SUR_NAME                 MBEDTLS_OID_AT "\x04" /**< id-at-surName AttributeType:= {id-at 4} */
+#define MBEDTLS_OID_AT_SERIAL_NUMBER            MBEDTLS_OID_AT "\x05" /**< id-at-serialNumber AttributeType:= {id-at 5} */
+#define MBEDTLS_OID_AT_COUNTRY                  MBEDTLS_OID_AT "\x06" /**< id-at-countryName AttributeType:= {id-at 6} */
+#define MBEDTLS_OID_AT_LOCALITY                 MBEDTLS_OID_AT "\x07" /**< id-at-locality AttributeType:= {id-at 7} */
+#define MBEDTLS_OID_AT_STATE                    MBEDTLS_OID_AT "\x08" /**< id-at-state AttributeType:= {id-at 8} */
+#define MBEDTLS_OID_AT_ORGANIZATION             MBEDTLS_OID_AT "\x0A" /**< id-at-organizationName AttributeType:= {id-at 10} */
+#define MBEDTLS_OID_AT_ORG_UNIT                 MBEDTLS_OID_AT "\x0B" /**< id-at-organizationalUnitName AttributeType:= {id-at 11} */
+#define MBEDTLS_OID_AT_TITLE                    MBEDTLS_OID_AT "\x0C" /**< id-at-title AttributeType:= {id-at 12} */
+#define MBEDTLS_OID_AT_POSTAL_ADDRESS           MBEDTLS_OID_AT "\x10" /**< id-at-postalAddress AttributeType:= {id-at 16} */
+#define MBEDTLS_OID_AT_POSTAL_CODE              MBEDTLS_OID_AT "\x11" /**< id-at-postalCode AttributeType:= {id-at 17} */
+#define MBEDTLS_OID_AT_GIVEN_NAME               MBEDTLS_OID_AT "\x2A" /**< id-at-givenName AttributeType:= {id-at 42} */
+#define MBEDTLS_OID_AT_INITIALS                 MBEDTLS_OID_AT "\x2B" /**< id-at-initials AttributeType:= {id-at 43} */
+#define MBEDTLS_OID_AT_GENERATION_QUALIFIER     MBEDTLS_OID_AT "\x2C" /**< id-at-generationQualifier AttributeType:= {id-at 44} */
+#define MBEDTLS_OID_AT_UNIQUE_IDENTIFIER        MBEDTLS_OID_AT "\x2D" /**< id-at-uniqueIdentifier AttributType:= {id-at 45} */
+#define MBEDTLS_OID_AT_DN_QUALIFIER             MBEDTLS_OID_AT "\x2E" /**< id-at-dnQualifier AttributeType:= {id-at 46} */
+#define MBEDTLS_OID_AT_PSEUDONYM                MBEDTLS_OID_AT "\x41" /**< id-at-pseudonym AttributeType:= {id-at 65} */
+
+#define MBEDTLS_OID_DOMAIN_COMPONENT            "\x09\x92\x26\x89\x93\xF2\x2C\x64\x01\x19" /** id-domainComponent AttributeType:= {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) domainComponent(25)} */
+
+/*
+ * OIDs for standard certificate extensions
+ */
+#define MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER    MBEDTLS_OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 } */
+#define MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER      MBEDTLS_OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 } */
+#define MBEDTLS_OID_KEY_USAGE                   MBEDTLS_OID_ID_CE "\x0F" /**< id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 } */
+#define MBEDTLS_OID_CERTIFICATE_POLICIES        MBEDTLS_OID_ID_CE "\x20" /**< id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 } */
+#define MBEDTLS_OID_POLICY_MAPPINGS             MBEDTLS_OID_ID_CE "\x21" /**< id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 } */
+#define MBEDTLS_OID_SUBJECT_ALT_NAME            MBEDTLS_OID_ID_CE "\x11" /**< id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 } */
+#define MBEDTLS_OID_ISSUER_ALT_NAME             MBEDTLS_OID_ID_CE "\x12" /**< id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 } */
+#define MBEDTLS_OID_SUBJECT_DIRECTORY_ATTRS     MBEDTLS_OID_ID_CE "\x09" /**< id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 } */
+#define MBEDTLS_OID_BASIC_CONSTRAINTS           MBEDTLS_OID_ID_CE "\x13" /**< id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 } */
+#define MBEDTLS_OID_NAME_CONSTRAINTS            MBEDTLS_OID_ID_CE "\x1E" /**< id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 } */
+#define MBEDTLS_OID_POLICY_CONSTRAINTS          MBEDTLS_OID_ID_CE "\x24" /**< id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 } */
+#define MBEDTLS_OID_EXTENDED_KEY_USAGE          MBEDTLS_OID_ID_CE "\x25" /**< id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } */
+#define MBEDTLS_OID_CRL_DISTRIBUTION_POINTS     MBEDTLS_OID_ID_CE "\x1F" /**< id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 } */
+#define MBEDTLS_OID_INIHIBIT_ANYPOLICY          MBEDTLS_OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 } */
+#define MBEDTLS_OID_FRESHEST_CRL                MBEDTLS_OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-ce 46 } */
+
+/*
+ * Netscape certificate extensions
+ */
+#define MBEDTLS_OID_NS_CERT                 MBEDTLS_OID_NETSCAPE "\x01"
+#define MBEDTLS_OID_NS_CERT_TYPE            MBEDTLS_OID_NS_CERT  "\x01"
+#define MBEDTLS_OID_NS_BASE_URL             MBEDTLS_OID_NS_CERT  "\x02"
+#define MBEDTLS_OID_NS_REVOCATION_URL       MBEDTLS_OID_NS_CERT  "\x03"
+#define MBEDTLS_OID_NS_CA_REVOCATION_URL    MBEDTLS_OID_NS_CERT  "\x04"
+#define MBEDTLS_OID_NS_RENEWAL_URL          MBEDTLS_OID_NS_CERT  "\x07"
+#define MBEDTLS_OID_NS_CA_POLICY_URL        MBEDTLS_OID_NS_CERT  "\x08"
+#define MBEDTLS_OID_NS_SSL_SERVER_NAME      MBEDTLS_OID_NS_CERT  "\x0C"
+#define MBEDTLS_OID_NS_COMMENT              MBEDTLS_OID_NS_CERT  "\x0D"
+#define MBEDTLS_OID_NS_DATA_TYPE            MBEDTLS_OID_NETSCAPE "\x02"
+#define MBEDTLS_OID_NS_CERT_SEQUENCE        MBEDTLS_OID_NS_DATA_TYPE "\x05"
+
+/*
+ * OIDs for CRL extensions
+ */
+#define MBEDTLS_OID_PRIVATE_KEY_USAGE_PERIOD    MBEDTLS_OID_ID_CE "\x10"
+#define MBEDTLS_OID_CRL_NUMBER                  MBEDTLS_OID_ID_CE "\x14" /**< id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } */
+
+/*
+ * X.509 v3 Extended key usage OIDs
+ */
+#define MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE      MBEDTLS_OID_EXTENDED_KEY_USAGE "\x00" /**< anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } */
+
+#define MBEDTLS_OID_KP                          MBEDTLS_OID_PKIX "\x03" /**< id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } */
+#define MBEDTLS_OID_SERVER_AUTH                 MBEDTLS_OID_KP "\x01" /**< id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } */
+#define MBEDTLS_OID_CLIENT_AUTH                 MBEDTLS_OID_KP "\x02" /**< id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } */
+#define MBEDTLS_OID_CODE_SIGNING                MBEDTLS_OID_KP "\x03" /**< id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } */
+#define MBEDTLS_OID_EMAIL_PROTECTION            MBEDTLS_OID_KP "\x04" /**< id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } */
+#define MBEDTLS_OID_TIME_STAMPING               MBEDTLS_OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
+#define MBEDTLS_OID_OCSP_SIGNING                MBEDTLS_OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */
+
+/*
+ * PKCS definition OIDs
+ */
+
+#define MBEDTLS_OID_PKCS                MBEDTLS_OID_RSA_COMPANY "\x01" /**< pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 } */
+#define MBEDTLS_OID_PKCS1               MBEDTLS_OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */
+#define MBEDTLS_OID_PKCS5               MBEDTLS_OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */
+#define MBEDTLS_OID_PKCS9               MBEDTLS_OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */
+#define MBEDTLS_OID_PKCS12              MBEDTLS_OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */
+
+/*
+ * PKCS#1 OIDs
+ */
+#define MBEDTLS_OID_PKCS1_RSA           MBEDTLS_OID_PKCS1 "\x01" /**< rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } */
+#define MBEDTLS_OID_PKCS1_MD2           MBEDTLS_OID_PKCS1 "\x02" /**< md2WithRSAEncryption ::= { pkcs-1 2 } */
+#define MBEDTLS_OID_PKCS1_MD4           MBEDTLS_OID_PKCS1 "\x03" /**< md4WithRSAEncryption ::= { pkcs-1 3 } */
+#define MBEDTLS_OID_PKCS1_MD5           MBEDTLS_OID_PKCS1 "\x04" /**< md5WithRSAEncryption ::= { pkcs-1 4 } */
+#define MBEDTLS_OID_PKCS1_SHA1          MBEDTLS_OID_PKCS1 "\x05" /**< sha1WithRSAEncryption ::= { pkcs-1 5 } */
+#define MBEDTLS_OID_PKCS1_SHA224        MBEDTLS_OID_PKCS1 "\x0e" /**< sha224WithRSAEncryption ::= { pkcs-1 14 } */
+#define MBEDTLS_OID_PKCS1_SHA256        MBEDTLS_OID_PKCS1 "\x0b" /**< sha256WithRSAEncryption ::= { pkcs-1 11 } */
+#define MBEDTLS_OID_PKCS1_SHA384        MBEDTLS_OID_PKCS1 "\x0c" /**< sha384WithRSAEncryption ::= { pkcs-1 12 } */
+#define MBEDTLS_OID_PKCS1_SHA512        MBEDTLS_OID_PKCS1 "\x0d" /**< sha512WithRSAEncryption ::= { pkcs-1 13 } */
+
+#define MBEDTLS_OID_RSA_SHA_OBS         "\x2B\x0E\x03\x02\x1D"
+
+#define MBEDTLS_OID_PKCS9_EMAIL         MBEDTLS_OID_PKCS9 "\x01" /**< emailAddress AttributeType ::= { pkcs-9 1 } */
+
+/* RFC 4055 */
+#define MBEDTLS_OID_RSASSA_PSS          MBEDTLS_OID_PKCS1 "\x0a" /**< id-RSASSA-PSS ::= { pkcs-1 10 } */
+#define MBEDTLS_OID_MGF1                MBEDTLS_OID_PKCS1 "\x08" /**< id-mgf1 ::= { pkcs-1 8 } */
+
+/*
+ * Digest algorithms
+ */
+#define MBEDTLS_OID_DIGEST_ALG_MD2              MBEDTLS_OID_RSA_COMPANY "\x02\x02" /**< id-mbedtls_md2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 } */
+#define MBEDTLS_OID_DIGEST_ALG_MD4              MBEDTLS_OID_RSA_COMPANY "\x02\x04" /**< id-mbedtls_md4 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 4 } */
+#define MBEDTLS_OID_DIGEST_ALG_MD5              MBEDTLS_OID_RSA_COMPANY "\x02\x05" /**< id-mbedtls_md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA1             MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_OIW_SECSIG_SHA1 /**< id-mbedtls_sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA224           MBEDTLS_OID_GOV "\x03\x04\x02\x04" /**< id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA256           MBEDTLS_OID_GOV "\x03\x04\x02\x01" /**< id-mbedtls_sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA384           MBEDTLS_OID_GOV "\x03\x04\x02\x02" /**< id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA512           MBEDTLS_OID_GOV "\x03\x04\x02\x03" /**< id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
+
+#define MBEDTLS_OID_HMAC_SHA1                   MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
+
+#define MBEDTLS_OID_HMAC_SHA224                 MBEDTLS_OID_RSA_COMPANY "\x02\x08" /**< id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 } */
+
+#define MBEDTLS_OID_HMAC_SHA256                 MBEDTLS_OID_RSA_COMPANY "\x02\x09" /**< id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 9 } */
+
+#define MBEDTLS_OID_HMAC_SHA384                 MBEDTLS_OID_RSA_COMPANY "\x02\x0A" /**< id-hmacWithSHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 10 } */
+
+#define MBEDTLS_OID_HMAC_SHA512                 MBEDTLS_OID_RSA_COMPANY "\x02\x0B" /**< id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 } */
+
+/*
+ * Encryption algorithms
+ */
+#define MBEDTLS_OID_DES_CBC                     MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_OIW_SECSIG_ALG "\x07" /**< desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 } */
+#define MBEDTLS_OID_DES_EDE3_CBC                MBEDTLS_OID_RSA_COMPANY "\x03\x07" /**< des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } */
+
+/*
+ * PKCS#5 OIDs
+ */
+#define MBEDTLS_OID_PKCS5_PBKDF2                MBEDTLS_OID_PKCS5 "\x0c" /**< id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12} */
+#define MBEDTLS_OID_PKCS5_PBES2                 MBEDTLS_OID_PKCS5 "\x0d" /**< id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13} */
+#define MBEDTLS_OID_PKCS5_PBMAC1                MBEDTLS_OID_PKCS5 "\x0e" /**< id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14} */
+
+/*
+ * PKCS#5 PBES1 algorithms
+ */
+#define MBEDTLS_OID_PKCS5_PBE_MD2_DES_CBC       MBEDTLS_OID_PKCS5 "\x01" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */
+#define MBEDTLS_OID_PKCS5_PBE_MD2_RC2_CBC       MBEDTLS_OID_PKCS5 "\x04" /**< pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4} */
+#define MBEDTLS_OID_PKCS5_PBE_MD5_DES_CBC       MBEDTLS_OID_PKCS5 "\x03" /**< pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3} */
+#define MBEDTLS_OID_PKCS5_PBE_MD5_RC2_CBC       MBEDTLS_OID_PKCS5 "\x06" /**< pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6} */
+#define MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC      MBEDTLS_OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */
+#define MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC      MBEDTLS_OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */
+
+/*
+ * PKCS#8 OIDs
+ */
+#define MBEDTLS_OID_PKCS9_CSR_EXT_REQ           MBEDTLS_OID_PKCS9 "\x0e" /**< extensionRequest OBJECT IDENTIFIER ::= {pkcs-9 14} */
+
+/*
+ * PKCS#12 PBE OIDs
+ */
+#define MBEDTLS_OID_PKCS12_PBE                      MBEDTLS_OID_PKCS12 "\x01" /**< pkcs-12PbeIds OBJECT IDENTIFIER ::= {pkcs-12 1} */
+
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128         MBEDTLS_OID_PKCS12_PBE "\x01" /**< pbeWithSHAAnd128BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 1} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_40          MBEDTLS_OID_PKCS12_PBE "\x02" /**< pbeWithSHAAnd40BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 2} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC    MBEDTLS_OID_PKCS12_PBE "\x03" /**< pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC    MBEDTLS_OID_PKCS12_PBE "\x04" /**< pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC     MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC      MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
+
+/*
+ * EC key algorithms from RFC 5480
+ */
+
+/* id-ecPublicKey OBJECT IDENTIFIER ::= {
+ *       iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } */
+#define MBEDTLS_OID_EC_ALG_UNRESTRICTED         MBEDTLS_OID_ANSI_X9_62 "\x02\01"
+
+/*   id-ecDH OBJECT IDENTIFIER ::= {
+ *     iso(1) identified-organization(3) certicom(132)
+ *     schemes(1) ecdh(12) } */
+#define MBEDTLS_OID_EC_ALG_ECDH                 MBEDTLS_OID_CERTICOM "\x01\x0c"
+
+/*
+ * ECParameters namedCurve identifiers, from RFC 5480, RFC 5639, and SEC2
+ */
+
+/* secp192r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) prime(1) 1 } */
+#define MBEDTLS_OID_EC_GRP_SECP192R1        MBEDTLS_OID_ANSI_X9_62 "\x03\x01\x01"
+
+/* secp224r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 33 } */
+#define MBEDTLS_OID_EC_GRP_SECP224R1        MBEDTLS_OID_CERTICOM "\x00\x21"
+
+/* secp256r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) prime(1) 7 } */
+#define MBEDTLS_OID_EC_GRP_SECP256R1        MBEDTLS_OID_ANSI_X9_62 "\x03\x01\x07"
+
+/* secp384r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 34 } */
+#define MBEDTLS_OID_EC_GRP_SECP384R1        MBEDTLS_OID_CERTICOM "\x00\x22"
+
+/* secp521r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 35 } */
+#define MBEDTLS_OID_EC_GRP_SECP521R1        MBEDTLS_OID_CERTICOM "\x00\x23"
+
+/* secp192k1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 31 } */
+#define MBEDTLS_OID_EC_GRP_SECP192K1        MBEDTLS_OID_CERTICOM "\x00\x1f"
+
+/* secp224k1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 32 } */
+#define MBEDTLS_OID_EC_GRP_SECP224K1        MBEDTLS_OID_CERTICOM "\x00\x20"
+
+/* secp256k1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 10 } */
+#define MBEDTLS_OID_EC_GRP_SECP256K1        MBEDTLS_OID_CERTICOM "\x00\x0a"
+
+/* RFC 5639 4.1
+ * ecStdCurvesAndGeneration OBJECT IDENTIFIER::= {iso(1)
+ * identified-organization(3) teletrust(36) algorithm(3) signature-
+ * algorithm(3) ecSign(2) 8}
+ * ellipticCurve OBJECT IDENTIFIER ::= {ecStdCurvesAndGeneration 1}
+ * versionOne OBJECT IDENTIFIER ::= {ellipticCurve 1} */
+#define MBEDTLS_OID_EC_BRAINPOOL_V1         MBEDTLS_OID_TELETRUST "\x03\x03\x02\x08\x01\x01"
+
+/* brainpoolP256r1 OBJECT IDENTIFIER ::= {versionOne 7} */
+#define MBEDTLS_OID_EC_GRP_BP256R1          MBEDTLS_OID_EC_BRAINPOOL_V1 "\x07"
+
+/* brainpoolP384r1 OBJECT IDENTIFIER ::= {versionOne 11} */
+#define MBEDTLS_OID_EC_GRP_BP384R1          MBEDTLS_OID_EC_BRAINPOOL_V1 "\x0B"
+
+/* brainpoolP512r1 OBJECT IDENTIFIER ::= {versionOne 13} */
+#define MBEDTLS_OID_EC_GRP_BP512R1          MBEDTLS_OID_EC_BRAINPOOL_V1 "\x0D"
+
+/*
+ * SEC1 C.1
+ *
+ * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
+ * id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1)}
+ */
+#define MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE   MBEDTLS_OID_ANSI_X9_62 "\x01"
+#define MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD  MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE "\x01"
+
+/*
+ * ECDSA signature identifiers, from RFC 5480
+ */
+#define MBEDTLS_OID_ANSI_X9_62_SIG          MBEDTLS_OID_ANSI_X9_62 "\x04" /* signatures(4) */
+#define MBEDTLS_OID_ANSI_X9_62_SIG_SHA2     MBEDTLS_OID_ANSI_X9_62_SIG "\x03" /* ecdsa-with-SHA2(3) */
+
+/* ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 } */
+#define MBEDTLS_OID_ECDSA_SHA1              MBEDTLS_OID_ANSI_X9_62_SIG "\x01"
+
+/* ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ *   ecdsa-with-SHA2(3) 1 } */
+#define MBEDTLS_OID_ECDSA_SHA224            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x01"
+
+/* ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ *   ecdsa-with-SHA2(3) 2 } */
+#define MBEDTLS_OID_ECDSA_SHA256            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x02"
+
+/* ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ *   ecdsa-with-SHA2(3) 3 } */
+#define MBEDTLS_OID_ECDSA_SHA384            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x03"
+
+/* ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ *   ecdsa-with-SHA2(3) 4 } */
+#define MBEDTLS_OID_ECDSA_SHA512            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x04"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Base OID descriptor structure
+ */
+typedef struct {
+    const char *asn1;               /*!< OID ASN.1 representation       */
+    size_t asn1_len;                /*!< length of asn1                 */
+    const char *name;               /*!< official name (e.g. from RFC)  */
+    const char *description;        /*!< human friendly description     */
+} mbedtls_oid_descriptor_t;
+
+/**
+ * \brief           Translate an ASN.1 OID into its numeric representation
+ *                  (e.g. "\x2A\x86\x48\x86\xF7\x0D" into "1.2.840.113549")
+ *
+ * \param buf       buffer to put representation in
+ * \param size      size of the buffer
+ * \param oid       OID to translate
+ *
+ * \return          Length of the string written (excluding final NULL) or
+ *                  MBEDTLS_ERR_OID_BUF_TOO_SMALL in case of error
+ */
+int mbedtls_oid_get_numeric_string( char *buf, size_t size, const mbedtls_asn1_buf *oid );
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+/**
+ * \brief          Translate an X.509 extension OID into local values
+ *
+ * \param oid      OID to use
+ * \param ext_type place to store the extension type
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_x509_ext_type( const mbedtls_asn1_buf *oid, int *ext_type );
+#endif
+
+/**
+ * \brief          Translate an X.509 attribute type OID into the short name
+ *                 (e.g. the OID for an X520 Common Name into "CN")
+ *
+ * \param oid      OID to use
+ * \param short_name    place to store the string pointer
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_attr_short_name( const mbedtls_asn1_buf *oid, const char **short_name );
+
+/**
+ * \brief          Translate PublicKeyAlgorithm OID into pk_type
+ *
+ * \param oid      OID to use
+ * \param pk_alg   place to store public key algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_pk_alg( const mbedtls_asn1_buf *oid, mbedtls_pk_type_t *pk_alg );
+
+/**
+ * \brief          Translate pk_type into PublicKeyAlgorithm OID
+ *
+ * \param pk_alg   Public key type to look for
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_pk_alg( mbedtls_pk_type_t pk_alg,
+                           const char **oid, size_t *olen );
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * \brief          Translate NamedCurve OID into an EC group identifier
+ *
+ * \param oid      OID to use
+ * \param grp_id   place to store group id
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_ec_grp( const mbedtls_asn1_buf *oid, mbedtls_ecp_group_id *grp_id );
+
+/**
+ * \brief          Translate EC group identifier into NamedCurve OID
+ *
+ * \param grp_id   EC group identifier
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_ec_grp( mbedtls_ecp_group_id grp_id,
+                           const char **oid, size_t *olen );
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_MD_C)
+/**
+ * \brief          Translate SignatureAlgorithm OID into md_type and pk_type
+ *
+ * \param oid      OID to use
+ * \param md_alg   place to store message digest algorithm
+ * \param pk_alg   place to store public key algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_sig_alg( const mbedtls_asn1_buf *oid,
+                     mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg );
+
+/**
+ * \brief          Translate SignatureAlgorithm OID into description
+ *
+ * \param oid      OID to use
+ * \param desc     place to store string pointer
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_sig_alg_desc( const mbedtls_asn1_buf *oid, const char **desc );
+
+/**
+ * \brief          Translate md_type and pk_type into SignatureAlgorithm OID
+ *
+ * \param md_alg   message digest algorithm
+ * \param pk_alg   public key algorithm
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_sig_alg( mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+                            const char **oid, size_t *olen );
+
+/**
+ * \brief          Translate hash algorithm OID into md_type
+ *
+ * \param oid      OID to use
+ * \param md_alg   place to store message digest algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg );
+
+/**
+ * \brief          Translate hmac algorithm OID into md_type
+ *
+ * \param oid      OID to use
+ * \param md_hmac  place to store message hmac algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_md_hmac( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac );
+#endif /* MBEDTLS_MD_C */
+
+/**
+ * \brief          Translate Extended Key Usage OID into description
+ *
+ * \param oid      OID to use
+ * \param desc     place to store string pointer
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_extended_key_usage( const mbedtls_asn1_buf *oid, const char **desc );
+
+/**
+ * \brief          Translate md_type into hash algorithm OID
+ *
+ * \param md_alg   message digest algorithm
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_md( mbedtls_md_type_t md_alg, const char **oid, size_t *olen );
+
+#if defined(MBEDTLS_CIPHER_C)
+/**
+ * \brief          Translate encryption algorithm OID into cipher_type
+ *
+ * \param oid           OID to use
+ * \param cipher_alg    place to store cipher algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_cipher_alg( const mbedtls_asn1_buf *oid, mbedtls_cipher_type_t *cipher_alg );
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+/**
+ * \brief          Translate PKCS#12 PBE algorithm OID into md_type and
+ *                 cipher_type
+ *
+ * \param oid           OID to use
+ * \param md_alg        place to store message digest algorithm
+ * \param cipher_alg    place to store cipher algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_pkcs12_pbe_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg,
+                            mbedtls_cipher_type_t *cipher_alg );
+#endif /* MBEDTLS_PKCS12_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* oid.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/padlock.h b/third-party/mbedtls-3.6/include/mbedtls/padlock.h
new file mode 100644
index 00000000..91ad2a6c
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/padlock.h
@@ -0,0 +1,139 @@
+/**
+ * \file padlock.h
+ *
+ * \brief VIA PadLock ACE for HW encryption/decryption supported by some
+ *        processors
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_PADLOCK_H
+#define MBEDTLS_PADLOCK_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "aes.h"
+
+#define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED               -0x0030  /**< Input data should be aligned. */
+
+#if defined(__has_feature)
+#if __has_feature(address_sanitizer)
+#define MBEDTLS_HAVE_ASAN
+#endif
+#endif
+
+/* Some versions of ASan result in errors about not enough registers */
+#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && defined(__i386__) && \
+    !defined(MBEDTLS_HAVE_ASAN)
+
+#ifndef MBEDTLS_HAVE_X86
+#define MBEDTLS_HAVE_X86
+#endif
+
+#include <stdint.h>
+
+#define MBEDTLS_PADLOCK_RNG 0x000C
+#define MBEDTLS_PADLOCK_ACE 0x00C0
+#define MBEDTLS_PADLOCK_PHE 0x0C00
+#define MBEDTLS_PADLOCK_PMM 0x3000
+
+#define MBEDTLS_PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) x & ~15))
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          PadLock detection routine
+ *
+ * \param feature  The feature to detect
+ *
+ * \return         1 if CPU has support for the feature, 0 otherwise
+ */
+int mbedtls_padlock_has_support( int feature );
+
+/**
+ * \brief          PadLock AES-ECB block en(de)cryption
+ *
+ * \param ctx      AES context
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input    16-byte input block
+ * \param output   16-byte output block
+ *
+ * \return         0 if success, 1 if operation failed
+ */
+int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx,
+                       int mode,
+                       const unsigned char input[16],
+                       unsigned char output[16] );
+
+/**
+ * \brief          PadLock AES-CBC buffer en(de)cryption
+ *
+ * \param ctx      AES context
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if success, 1 if operation failed
+ */
+int mbedtls_padlock_xcryptcbc( mbedtls_aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* HAVE_X86  */
+
+#endif /* padlock.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/pem.h b/third-party/mbedtls-3.6/include/mbedtls/pem.h
new file mode 100644
index 00000000..dfcc5187
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/pem.h
@@ -0,0 +1,161 @@
+/**
+ * \file pem.h
+ *
+ * \brief Privacy Enhanced Mail (PEM) decoding
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_PEM_H
+#define MBEDTLS_PEM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/**
+ * \name PEM Error codes
+ * These error codes are returned in case of errors reading the
+ * PEM data.
+ * \{
+ */
+#define MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT          -0x1080  /**< No PEM header or footer found. */
+#define MBEDTLS_ERR_PEM_INVALID_DATA                      -0x1100  /**< PEM string is not as expected. */
+#define MBEDTLS_ERR_PEM_ALLOC_FAILED                      -0x1180  /**< Failed to allocate memory. */
+#define MBEDTLS_ERR_PEM_INVALID_ENC_IV                    -0x1200  /**< RSA IV is not in hex-format. */
+#define MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG                   -0x1280  /**< Unsupported key encryption algorithm. */
+#define MBEDTLS_ERR_PEM_PASSWORD_REQUIRED                 -0x1300  /**< Private key password can't be empty. */
+#define MBEDTLS_ERR_PEM_PASSWORD_MISMATCH                 -0x1380  /**< Given private key password does not allow for correct decryption. */
+#define MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE               -0x1400  /**< Unavailable feature, e.g. hashing/encryption combination. */
+#define MBEDTLS_ERR_PEM_BAD_INPUT_DATA                    -0x1480  /**< Bad input parameters to function. */
+/* \} name */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+/**
+ * \brief       PEM context structure
+ */
+typedef struct
+{
+    unsigned char *buf;     /*!< buffer for decoded data             */
+    size_t buflen;          /*!< length of the buffer                */
+    unsigned char *info;    /*!< buffer for extra header information */
+}
+mbedtls_pem_context;
+
+/**
+ * \brief       PEM context setup
+ *
+ * \param ctx   context to be initialized
+ */
+void mbedtls_pem_init( mbedtls_pem_context *ctx );
+
+/**
+ * \brief       Read a buffer for PEM information and store the resulting
+ *              data into the specified context buffers.
+ *
+ * \param ctx       context to use
+ * \param header    header string to seek and expect
+ * \param footer    footer string to seek and expect
+ * \param data      source data to look in (must be nul-terminated)
+ * \param pwd       password for decryption (can be NULL)
+ * \param pwdlen    length of password
+ * \param use_len   destination for total length used (set after header is
+ *                  correctly read, so unless you get
+ *                  MBEDTLS_ERR_PEM_BAD_INPUT_DATA or
+ *                  MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is
+ *                  the length to skip)
+ *
+ * \note            Attempts to check password correctness by verifying if
+ *                  the decrypted text starts with an ASN.1 sequence of
+ *                  appropriate length
+ *
+ * \return          0 on success, or a specific PEM error code
+ */
+int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const char *footer,
+                     const unsigned char *data,
+                     const unsigned char *pwd,
+                     size_t pwdlen, size_t *use_len );
+
+/**
+ * \brief       PEM context memory freeing
+ *
+ * \param ctx   context to be freed
+ */
+void mbedtls_pem_free( mbedtls_pem_context *ctx );
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a buffer of PEM information from a DER encoded
+ *                  buffer.
+ *
+ * \param header    header string to write
+ * \param footer    footer string to write
+ * \param der_data  DER data to write
+ * \param der_len   length of the DER data
+ * \param buf       buffer to write to
+ * \param buf_len   length of output buffer
+ * \param olen      total length written / required (if buf_len is not enough)
+ *
+ * \return          0 on success, or a specific PEM or BASE64 error code. On
+ *                  MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL olen is the required
+ *                  size.
+ */
+int mbedtls_pem_write_buffer( const char *header, const char *footer,
+                      const unsigned char *der_data, size_t der_len,
+                      unsigned char *buf, size_t buf_len, size_t *olen );
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pem.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/pk.h b/third-party/mbedtls-3.6/include/mbedtls/pk.h
new file mode 100644
index 00000000..c636c3d5
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/pk.h
@@ -0,0 +1,647 @@
+/**
+ * \file pk.h
+ *
+ * \brief Public Key abstraction layer
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_PK_H
+#define MBEDTLS_PK_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "rsa.h"
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#include "ecp.h"
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+#include "ecdsa.h"
+#endif
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#define MBEDTLS_ERR_PK_ALLOC_FAILED        -0x3F80  /**< Memory allocation failed. */
+#define MBEDTLS_ERR_PK_TYPE_MISMATCH       -0x3F00  /**< Type mismatch, eg attempt to encrypt with an ECDSA key */
+#define MBEDTLS_ERR_PK_BAD_INPUT_DATA      -0x3E80  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_PK_FILE_IO_ERROR       -0x3E00  /**< Read/write of file failed. */
+#define MBEDTLS_ERR_PK_KEY_INVALID_VERSION -0x3D80  /**< Unsupported key version */
+#define MBEDTLS_ERR_PK_KEY_INVALID_FORMAT  -0x3D00  /**< Invalid key tag or value. */
+#define MBEDTLS_ERR_PK_UNKNOWN_PK_ALG      -0x3C80  /**< Key algorithm is unsupported (only RSA and EC are supported). */
+#define MBEDTLS_ERR_PK_PASSWORD_REQUIRED   -0x3C00  /**< Private key password can't be empty. */
+#define MBEDTLS_ERR_PK_PASSWORD_MISMATCH   -0x3B80  /**< Given private key password does not allow for correct decryption. */
+#define MBEDTLS_ERR_PK_INVALID_PUBKEY      -0x3B00  /**< The pubkey tag or value is invalid (only RSA and EC are supported). */
+#define MBEDTLS_ERR_PK_INVALID_ALG         -0x3A80  /**< The algorithm tag or value is invalid. */
+#define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00  /**< Elliptic curve is unsupported (only NIST curves are supported). */
+#define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980  /**< Unavailable feature, e.g. RSA disabled for RSA key. */
+#define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH    -0x3900  /**< The buffer contains a valid signature followed by more data. */
+#define MBEDTLS_ERR_PK_HW_ACCEL_FAILED     -0x3880  /**< PK hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Public key types
+ */
+typedef enum {
+    MBEDTLS_PK_NONE=0,
+    MBEDTLS_PK_RSA,
+    MBEDTLS_PK_ECKEY,
+    MBEDTLS_PK_ECKEY_DH,
+    MBEDTLS_PK_ECDSA,
+    MBEDTLS_PK_RSA_ALT,
+    MBEDTLS_PK_RSASSA_PSS,
+} mbedtls_pk_type_t;
+
+/**
+ * \brief           Options for RSASSA-PSS signature verification.
+ *                  See \c mbedtls_rsa_rsassa_pss_verify_ext()
+ */
+typedef struct
+{
+    mbedtls_md_type_t mgf1_hash_id;
+    int expected_salt_len;
+
+} mbedtls_pk_rsassa_pss_options;
+
+/**
+ * \brief           Types for interfacing with the debug module
+ */
+typedef enum
+{
+    MBEDTLS_PK_DEBUG_NONE = 0,
+    MBEDTLS_PK_DEBUG_MPI,
+    MBEDTLS_PK_DEBUG_ECP,
+} mbedtls_pk_debug_type;
+
+/**
+ * \brief           Item to send to the debug module
+ */
+typedef struct
+{
+    mbedtls_pk_debug_type type;
+    const char *name;
+    void *value;
+} mbedtls_pk_debug_item;
+
+/** Maximum number of item send for debugging, plus 1 */
+#define MBEDTLS_PK_DEBUG_MAX_ITEMS 3
+
+/**
+ * \brief           Public key information and operations
+ */
+typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
+
+/**
+ * \brief           Public key container
+ */
+typedef struct
+{
+    const mbedtls_pk_info_t *   pk_info; /**< Public key informations        */
+    void *                      pk_ctx;  /**< Underlying public key context  */
+} mbedtls_pk_context;
+
+#if defined(MBEDTLS_RSA_C)
+/**
+ * Quick access to an RSA context inside a PK context.
+ *
+ * \warning You must make sure the PK context actually holds an RSA context
+ * before using this function!
+ */
+static inline mbedtls_rsa_context *mbedtls_pk_rsa( const mbedtls_pk_context pk )
+{
+    return( (mbedtls_rsa_context *) (pk).pk_ctx );
+}
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * Quick access to an EC context inside a PK context.
+ *
+ * \warning You must make sure the PK context actually holds an EC context
+ * before using this function!
+ */
+static inline mbedtls_ecp_keypair *mbedtls_pk_ec( const mbedtls_pk_context pk )
+{
+    return( (mbedtls_ecp_keypair *) (pk).pk_ctx );
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/**
+ * \brief           Types for RSA-alt abstraction
+ */
+typedef int (*mbedtls_pk_rsa_alt_decrypt_func)( void *ctx, int mode, size_t *olen,
+                    const unsigned char *input, unsigned char *output,
+                    size_t output_max_len );
+typedef int (*mbedtls_pk_rsa_alt_sign_func)( void *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                    int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+                    const unsigned char *hash, unsigned char *sig );
+typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)( void *ctx );
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/**
+ * \brief           Return information associated with the given PK type
+ *
+ * \param pk_type   PK type to search for.
+ *
+ * \return          The PK info associated with the type or NULL if not found.
+ */
+const mbedtls_pk_info_t *mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type );
+
+/**
+ * \brief           Initialize a mbedtls_pk_context (as NONE)
+ */
+void mbedtls_pk_init( mbedtls_pk_context *ctx );
+
+/**
+ * \brief           Free a mbedtls_pk_context
+ */
+void mbedtls_pk_free( mbedtls_pk_context *ctx );
+
+/**
+ * \brief           Initialize a PK context with the information given
+ *                  and allocates the type-specific PK subcontext.
+ *
+ * \param ctx       Context to initialize. Must be empty (type NONE).
+ * \param info      Information to use
+ *
+ * \return          0 on success,
+ *                  MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input,
+ *                  MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
+ *
+ * \note            For contexts holding an RSA-alt key, use
+ *                  \c mbedtls_pk_setup_rsa_alt() instead.
+ */
+int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info );
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/**
+ * \brief           Initialize an RSA-alt context
+ *
+ * \param ctx       Context to initialize. Must be empty (type NONE).
+ * \param key       RSA key pointer
+ * \param decrypt_func  Decryption function
+ * \param sign_func     Signing function
+ * \param key_len_func  Function returning key length in bytes
+ *
+ * \return          0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the
+ *                  context wasn't already initialized as RSA_ALT.
+ *
+ * \note            This function replaces \c mbedtls_pk_setup() for RSA-alt.
+ */
+int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
+                         mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
+                         mbedtls_pk_rsa_alt_sign_func sign_func,
+                         mbedtls_pk_rsa_alt_key_len_func key_len_func );
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/**
+ * \brief           Get the size in bits of the underlying key
+ *
+ * \param ctx       Context to use
+ *
+ * \return          Key size in bits, or 0 on error
+ */
+size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx );
+
+/**
+ * \brief           Get the length in bytes of the underlying key
+ * \param ctx       Context to use
+ *
+ * \return          Key length in bytes, or 0 on error
+ */
+static inline size_t mbedtls_pk_get_len( const mbedtls_pk_context *ctx )
+{
+    return( ( mbedtls_pk_get_bitlen( ctx ) + 7 ) / 8 );
+}
+
+/**
+ * \brief           Tell if a context can do the operation given by type
+ *
+ * \param ctx       Context to test
+ * \param type      Target type
+ *
+ * \return          0 if context can't do the operations,
+ *                  1 otherwise.
+ */
+int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );
+
+/**
+ * \brief           Verify signature (including padding if relevant).
+ *
+ * \param ctx       PK context to use
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Signature to verify
+ * \param sig_len   Signature length
+ *
+ * \return          0 on success (signature is valid),
+ *                  #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in sig but its length is less than \p siglen,
+ *                  or a specific error code.
+ *
+ * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ *                  Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... )
+ *                  to verify RSASSA_PSS signatures.
+ *
+ * \note            If hash_len is 0, then the length associated with md_alg
+ *                  is used instead, or an error returned if it is invalid.
+ *
+ * \note            md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0
+ */
+int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+               const unsigned char *hash, size_t hash_len,
+               const unsigned char *sig, size_t sig_len );
+
+/**
+ * \brief           Verify signature, with options.
+ *                  (Includes verification of the padding depending on type.)
+ *
+ * \param type      Signature type (inc. possible padding type) to verify
+ * \param options   Pointer to type-specific options, or NULL
+ * \param ctx       PK context to use
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Signature to verify
+ * \param sig_len   Signature length
+ *
+ * \return          0 on success (signature is valid),
+ *                  #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be
+ *                  used for this type of signatures,
+ *                  #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in sig but its length is less than \p siglen,
+ *                  or a specific error code.
+ *
+ * \note            If hash_len is 0, then the length associated with md_alg
+ *                  is used instead, or an error returned if it is invalid.
+ *
+ * \note            md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0
+ *
+ * \note            If type is MBEDTLS_PK_RSASSA_PSS, then options must point
+ *                  to a mbedtls_pk_rsassa_pss_options structure,
+ *                  otherwise it must be NULL.
+ */
+int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
+                   mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   const unsigned char *sig, size_t sig_len );
+
+/**
+ * \brief           Make signature, including padding if relevant.
+ *
+ * \param ctx       PK context to use - must hold a private key
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Place to write the signature
+ * \param sig_len   Number of bytes written
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 on success, or a specific error code.
+ *
+ * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ *                  There is no interface in the PK module to make RSASSA-PSS
+ *                  signatures yet.
+ *
+ * \note            If hash_len is 0, then the length associated with md_alg
+ *                  is used instead, or an error returned if it is invalid.
+ *
+ * \note            For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
+ *                  For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
+ *
+ * \note            In order to ensure enough space for the signature, the
+ *                  \p sig buffer size must be of at least
+ *                  `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` bytes.
+ */
+int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+             const unsigned char *hash, size_t hash_len,
+             unsigned char *sig, size_t *sig_len,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           Decrypt message (including padding if relevant).
+ *
+ * \param ctx       PK context to use - must hold a private key
+ * \param input     Input to decrypt
+ * \param ilen      Input size
+ * \param output    Decrypted output
+ * \param olen      Decrypted message length
+ * \param osize     Size of the output buffer
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ *
+ * \return          0 on success, or a specific error code.
+ */
+int mbedtls_pk_decrypt( mbedtls_pk_context *ctx,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output, size_t *olen, size_t osize,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           Encrypt message (including padding if relevant).
+ *
+ * \param ctx       PK context to use
+ * \param input     Message to encrypt
+ * \param ilen      Message size
+ * \param output    Encrypted output
+ * \param olen      Encrypted output length
+ * \param osize     Size of the output buffer
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ *
+ * \return          0 on success, or a specific error code.
+ */
+int mbedtls_pk_encrypt( mbedtls_pk_context *ctx,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output, size_t *olen, size_t osize,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           Check if a public-private pair of keys matches.
+ *
+ * \param pub       Context holding a public key.
+ * \param prv       Context holding a private (and public) key.
+ *
+ * \return          0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
+ */
+int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, const mbedtls_pk_context *prv );
+
+/**
+ * \brief           Export debug information
+ *
+ * \param ctx       Context to use
+ * \param items     Place to write debug items
+ *
+ * \return          0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
+ */
+int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items );
+
+/**
+ * \brief           Access the type name
+ *
+ * \param ctx       Context to use
+ *
+ * \return          Type name on success, or "invalid PK"
+ */
+const char * mbedtls_pk_get_name( const mbedtls_pk_context *ctx );
+
+/**
+ * \brief           Get the key type
+ *
+ * \param ctx       Context to use
+ *
+ * \return          Type on success, or MBEDTLS_PK_NONE
+ */
+mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx );
+
+#if defined(MBEDTLS_PK_PARSE_C)
+/** \ingroup pk_module */
+/**
+ * \brief           Parse a private key in PEM or DER format
+ *
+ * \param ctx       key to be initialized
+ * \param key       input buffer
+ * \param keylen    size of the buffer
+ *                  (including the terminating null byte for PEM data)
+ * \param pwd       password for decryption (optional)
+ * \param pwdlen    size of the password
+ *
+ * \note            On entry, ctx must be empty, either freshly initialised
+ *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
+ *                  specific key type, check the result with mbedtls_pk_can_do().
+ *
+ * \note            The key is also checked for correctness.
+ *
+ * \return          0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_key( mbedtls_pk_context *ctx,
+                  const unsigned char *key, size_t keylen,
+                  const unsigned char *pwd, size_t pwdlen );
+
+/** \ingroup pk_module */
+/**
+ * \brief           Parse a public key in PEM or DER format
+ *
+ * \param ctx       key to be initialized
+ * \param key       input buffer
+ * \param keylen    size of the buffer
+ *                  (including the terminating null byte for PEM data)
+ *
+ * \note            On entry, ctx must be empty, either freshly initialised
+ *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
+ *                  specific key type, check the result with mbedtls_pk_can_do().
+ *
+ * \note            The key is also checked for correctness.
+ *
+ * \return          0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
+                         const unsigned char *key, size_t keylen );
+
+#if defined(MBEDTLS_FS_IO)
+/** \ingroup pk_module */
+/**
+ * \brief           Load and parse a private key
+ *
+ * \param ctx       key to be initialized
+ * \param path      filename to read the private key from
+ * \param password  password to decrypt the file (can be NULL)
+ *
+ * \note            On entry, ctx must be empty, either freshly initialised
+ *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
+ *                  specific key type, check the result with mbedtls_pk_can_do().
+ *
+ * \note            The key is also checked for correctness.
+ *
+ * \return          0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
+                      const char *path, const char *password );
+
+/** \ingroup pk_module */
+/**
+ * \brief           Load and parse a public key
+ *
+ * \param ctx       key to be initialized
+ * \param path      filename to read the public key from
+ *
+ * \note            On entry, ctx must be empty, either freshly initialised
+ *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If
+ *                  you need a specific key type, check the result with
+ *                  mbedtls_pk_can_do().
+ *
+ * \note            The key is also checked for correctness.
+ *
+ * \return          0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path );
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_PK_PARSE_C */
+
+#if defined(MBEDTLS_PK_WRITE_C)
+/**
+ * \brief           Write a private key to a PKCS#1 or SEC1 DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       private to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ */
+int mbedtls_pk_write_key_der( mbedtls_pk_context *ctx, unsigned char *buf, size_t size );
+
+/**
+ * \brief           Write a public key to a SubjectPublicKeyInfo DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       public key to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ */
+int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *ctx, unsigned char *buf, size_t size );
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a public key to a PEM string
+ *
+ * \param ctx       public key to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ *
+ * \return          0 if successful, or a specific error code
+ */
+int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *ctx, unsigned char *buf, size_t size );
+
+/**
+ * \brief           Write a private key to a PKCS#1 or SEC1 PEM string
+ *
+ * \param ctx       private to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ *
+ * \return          0 if successful, or a specific error code
+ */
+int mbedtls_pk_write_key_pem( mbedtls_pk_context *ctx, unsigned char *buf, size_t size );
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_PK_WRITE_C */
+
+/*
+ * WARNING: Low-level functions. You probably do not want to use these unless
+ *          you are certain you do ;)
+ */
+
+#if defined(MBEDTLS_PK_PARSE_C)
+/**
+ * \brief           Parse a SubjectPublicKeyInfo DER structure
+ *
+ * \param p         the position in the ASN.1 data
+ * \param end       end of the buffer
+ * \param pk        the key to fill
+ *
+ * \return          0 if successful, or a specific PK error code
+ */
+int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
+                        mbedtls_pk_context *pk );
+#endif /* MBEDTLS_PK_PARSE_C */
+
+#if defined(MBEDTLS_PK_WRITE_C)
+/**
+ * \brief           Write a subjectPublicKey to ASN.1 data
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param key       public key to write away
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start,
+                     const mbedtls_pk_context *key );
+#endif /* MBEDTLS_PK_WRITE_C */
+
+/*
+ * Internal module functions. You probably do not want to use these unless you
+ * know you do.
+ */
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_PK_H */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/pk_internal.h b/third-party/mbedtls-3.6/include/mbedtls/pk_internal.h
new file mode 100644
index 00000000..038acf9a
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/pk_internal.h
@@ -0,0 +1,140 @@
+/**
+ * \file pk_internal.h
+ *
+ * \brief Public Key abstraction layer: wrapper functions
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#ifndef MBEDTLS_PK_WRAP_H
+#define MBEDTLS_PK_WRAP_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "pk.h"
+
+struct mbedtls_pk_info_t
+{
+    /** Public key type */
+    mbedtls_pk_type_t type;
+
+    /** Type name */
+    const char *name;
+
+    /** Get key size in bits */
+    size_t (*get_bitlen)( const void * );
+
+    /** Tell if the context implements this type (e.g. ECKEY can do ECDSA) */
+    int (*can_do)( mbedtls_pk_type_t type );
+
+    /** Verify signature */
+    int (*verify_func)( void *ctx, mbedtls_md_type_t md_alg,
+                        const unsigned char *hash, size_t hash_len,
+                        const unsigned char *sig, size_t sig_len );
+
+    /** Make signature */
+    int (*sign_func)( void *ctx, mbedtls_md_type_t md_alg,
+                      const unsigned char *hash, size_t hash_len,
+                      unsigned char *sig, size_t *sig_len,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+    /** Decrypt message */
+    int (*decrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen, size_t osize,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng );
+
+    /** Encrypt message */
+    int (*encrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen, size_t osize,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng );
+
+    /** Check public-private key pair */
+    int (*check_pair_func)( const void *pub, const void *prv );
+
+    /** Allocate a new context */
+    void * (*ctx_alloc_func)( void );
+
+    /** Free the given context */
+    void (*ctx_free_func)( void *ctx );
+
+    /** Interface with the debug module */
+    void (*debug_func)( const void *ctx, mbedtls_pk_debug_item *items );
+
+};
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/* Container for RSA-alt */
+typedef struct
+{
+    void *key;
+    mbedtls_pk_rsa_alt_decrypt_func decrypt_func;
+    mbedtls_pk_rsa_alt_sign_func sign_func;
+    mbedtls_pk_rsa_alt_key_len_func key_len_func;
+} mbedtls_rsa_alt_context;
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+extern const mbedtls_pk_info_t mbedtls_rsa_info;
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+extern const mbedtls_pk_info_t mbedtls_eckey_info;
+extern const mbedtls_pk_info_t mbedtls_eckeydh_info;
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+extern const mbedtls_pk_info_t mbedtls_ecdsa_info;
+#endif
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
+#endif
+
+#endif /* MBEDTLS_PK_WRAP_H */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/pkcs11.h b/third-party/mbedtls-3.6/include/mbedtls/pkcs11.h
new file mode 100644
index 00000000..c620722e
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/pkcs11.h
@@ -0,0 +1,199 @@
+/**
+ * \file pkcs11.h
+ *
+ * \brief Wrapper for PKCS#11 library libpkcs11-helper
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_PKCS11_H
+#define MBEDTLS_PKCS11_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PKCS11_C)
+
+#include "x509_crt.h"
+
+#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Context for PKCS #11 private keys.
+ */
+typedef struct {
+        pkcs11h_certificate_t pkcs11h_cert;
+        int len;
+} mbedtls_pkcs11_context;
+
+/**
+ * Initialize a mbedtls_pkcs11_context.
+ * (Just making memory references valid.)
+ */
+void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
+
+/**
+ * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
+ *
+ * \param cert          X.509 certificate to fill
+ * \param pkcs11h_cert  PKCS #11 helper certificate
+ *
+ * \return              0 on success.
+ */
+int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
+
+/**
+ * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
+ * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
+ * done.
+ *
+ * \param priv_key      Private key structure to fill.
+ * \param pkcs11_cert   PKCS #11 helper certificate
+ *
+ * \return              0 on success
+ */
+int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
+        pkcs11h_certificate_t pkcs11_cert );
+
+/**
+ * Free the contents of the given private key context. Note that the structure
+ * itself is not freed.
+ *
+ * \param priv_key      Private key structure to cleanup
+ */
+void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
+
+/**
+ * \brief          Do an RSA private key decrypt, then remove the message
+ *                 padding
+ *
+ * \param ctx      PKCS #11 context
+ * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
+ * \param input    buffer holding the encrypted data
+ * \param output   buffer that will hold the plaintext
+ * \param olen     will contain the plaintext length
+ * \param output_max_len    maximum length of the output buffer
+ *
+ * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
+ *
+ * \note           The output buffer must be as large as the size
+ *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
+ *                 an error is thrown.
+ */
+int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
+                       int mode, size_t *olen,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t output_max_len );
+
+/**
+ * \brief          Do a private RSA to sign a message digest
+ *
+ * \param ctx      PKCS #11 context
+ * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
+ * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
+ * \param hashlen  message digest length (for MBEDTLS_MD_NONE only)
+ * \param hash     buffer holding the message digest
+ * \param sig      buffer that will hold the ciphertext
+ *
+ * \return         0 if the signing operation was successful,
+ *                 or an MBEDTLS_ERR_RSA_XXX error code
+ *
+ * \note           The "sig" buffer must be as large as the size
+ *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
+ */
+int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
+                    int mode,
+                    mbedtls_md_type_t md_alg,
+                    unsigned int hashlen,
+                    const unsigned char *hash,
+                    unsigned char *sig );
+
+/**
+ * SSL/TLS wrappers for PKCS#11 functions
+ */
+static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
+                        const unsigned char *input, unsigned char *output,
+                        size_t output_max_len )
+{
+    return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
+                           output_max_len );
+}
+
+static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
+                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                     int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+                     const unsigned char *hash, unsigned char *sig )
+{
+    ((void) f_rng);
+    ((void) p_rng);
+    return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
+                        hashlen, hash, sig );
+}
+
+static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
+{
+    return ( (mbedtls_pkcs11_context *) ctx )->len;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_PKCS11_C */
+
+#endif /* MBEDTLS_PKCS11_H */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/pkcs12.h b/third-party/mbedtls-3.6/include/mbedtls/pkcs12.h
new file mode 100644
index 00000000..9cbcb173
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/pkcs12.h
@@ -0,0 +1,155 @@
+/**
+ * \file pkcs12.h
+ *
+ * \brief PKCS#12 Personal Information Exchange Syntax
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_PKCS12_H
+#define MBEDTLS_PKCS12_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+#include "cipher.h"
+#include "asn1.h"
+
+#include <stddef.h>
+
+#define MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA                 -0x1F80  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE            -0x1F00  /**< Feature not available, e.g. unsupported encryption scheme. */
+#define MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT             -0x1E80  /**< PBE ASN.1 data not as expected. */
+#define MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH              -0x1E00  /**< Given private key password does not allow for correct decryption. */
+
+#define MBEDTLS_PKCS12_DERIVE_KEY       1   /**< encryption/decryption key */
+#define MBEDTLS_PKCS12_DERIVE_IV        2   /**< initialization vector     */
+#define MBEDTLS_PKCS12_DERIVE_MAC_KEY   3   /**< integrity / MAC key       */
+
+#define MBEDTLS_PKCS12_PBE_DECRYPT      0
+#define MBEDTLS_PKCS12_PBE_ENCRYPT      1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
+/**
+ * \brief            PKCS12 Password Based function (encryption / decryption)
+ *                   for pbeWithSHAAnd128BitRC4
+ *
+ * \param pbe_params an ASN1 buffer containing the pkcs-12PbeParams structure
+ * \param mode       either MBEDTLS_PKCS12_PBE_ENCRYPT or MBEDTLS_PKCS12_PBE_DECRYPT
+ * \param pwd        the password used (may be NULL if no password is used)
+ * \param pwdlen     length of the password (may be 0)
+ * \param input      the input data
+ * \param len        data length
+ * \param output     the output buffer
+ *
+ * \return           0 if successful, or a MBEDTLS_ERR_XXX code
+ */
+int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode,
+                             const unsigned char *pwd,  size_t pwdlen,
+                             const unsigned char *input, size_t len,
+                             unsigned char *output );
+
+/**
+ * \brief            PKCS12 Password Based function (encryption / decryption)
+ *                   for cipher-based and mbedtls_md-based PBE's
+ *
+ * \param pbe_params an ASN1 buffer containing the pkcs-12PbeParams structure
+ * \param mode       either MBEDTLS_PKCS12_PBE_ENCRYPT or MBEDTLS_PKCS12_PBE_DECRYPT
+ * \param cipher_type the cipher used
+ * \param md_type     the mbedtls_md used
+ * \param pwd        the password used (may be NULL if no password is used)
+ * \param pwdlen     length of the password (may be 0)
+ * \param input      the input data
+ * \param len        data length
+ * \param output     the output buffer
+ *
+ * \return           0 if successful, or a MBEDTLS_ERR_XXX code
+ */
+int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode,
+                mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+                const unsigned char *pwd,  size_t pwdlen,
+                const unsigned char *input, size_t len,
+                unsigned char *output );
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+/**
+ * \brief            The PKCS#12 derivation function uses a password and a salt
+ *                   to produce pseudo-random bits for a particular "purpose".
+ *
+ *                   Depending on the given id, this function can produce an
+ *                   encryption/decryption key, an nitialization vector or an
+ *                   integrity key.
+ *
+ * \param data       buffer to store the derived data in
+ * \param datalen    length to fill
+ * \param pwd        password to use (may be NULL if no password is used)
+ * \param pwdlen     length of the password (may be 0)
+ * \param salt       salt buffer to use
+ * \param saltlen    length of the salt
+ * \param mbedtls_md         mbedtls_md type to use during the derivation
+ * \param id         id that describes the purpose (can be MBEDTLS_PKCS12_DERIVE_KEY,
+ *                   MBEDTLS_PKCS12_DERIVE_IV or MBEDTLS_PKCS12_DERIVE_MAC_KEY)
+ * \param iterations number of iterations
+ *
+ * \return          0 if successful, or a MD, BIGNUM type error.
+ */
+int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen,
+                       const unsigned char *pwd, size_t pwdlen,
+                       const unsigned char *salt, size_t saltlen,
+                       mbedtls_md_type_t mbedtls_md, int id, int iterations );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pkcs12.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/pkcs5.h b/third-party/mbedtls-3.6/include/mbedtls/pkcs5.h
new file mode 100644
index 00000000..759d1722
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/pkcs5.h
@@ -0,0 +1,130 @@
+/**
+ * \file pkcs5.h
+ *
+ * \brief PKCS#5 functions
+ *
+ * \author Mathias Olsson <mathias@kompetensum.com>
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_PKCS5_H
+#define MBEDTLS_PKCS5_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "asn1.h"
+#include "md.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA                  -0x2f80  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_PKCS5_INVALID_FORMAT                  -0x2f00  /**< Unexpected ASN.1 data. */
+#define MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE             -0x2e80  /**< Requested encryption or digest alg not available. */
+#define MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH               -0x2e00  /**< Given private key password does not allow for correct decryption. */
+
+#define MBEDTLS_PKCS5_DECRYPT      0
+#define MBEDTLS_PKCS5_ENCRYPT      1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
+/**
+ * \brief          PKCS#5 PBES2 function
+ *
+ * \param pbe_params the ASN.1 algorithm parameters
+ * \param mode       either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT
+ * \param pwd        password to use when generating key
+ * \param pwdlen     length of password
+ * \param data       data to process
+ * \param datalen    length of data
+ * \param output     output buffer
+ *
+ * \returns        0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
+ */
+int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
+                 const unsigned char *pwd,  size_t pwdlen,
+                 const unsigned char *data, size_t datalen,
+                 unsigned char *output );
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+/**
+ * \brief          PKCS#5 PBKDF2 using HMAC
+ *
+ * \param ctx      Generic HMAC context
+ * \param password Password to use when generating key
+ * \param plen     Length of password
+ * \param salt     Salt to use when generating key
+ * \param slen     Length of salt
+ * \param iteration_count       Iteration count
+ * \param key_length            Length of generated key in bytes
+ * \param output   Generated key. Must be at least as big as key_length
+ *
+ * \returns        0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
+ */
+int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *password,
+                       size_t plen, const unsigned char *salt, size_t slen,
+                       unsigned int iteration_count,
+                       uint32_t key_length, unsigned char *output );
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_pkcs5_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pkcs5.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/platform.h b/third-party/mbedtls-3.6/include/mbedtls/platform.h
new file mode 100644
index 00000000..4eaad53c
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/platform.h
@@ -0,0 +1,373 @@
+/**
+ * \file platform.h
+ *
+ * \brief The Mbed TLS platform abstraction layer.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_PLATFORM_H
+#define MBEDTLS_PLATFORM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "platform_time.h"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
+#if defined(_WIN32)
+#define MBEDTLS_PLATFORM_STD_SNPRINTF   mbedtls_platform_win32_snprintf /**< The default \c snprintf function to use.  */
+#else
+#define MBEDTLS_PLATFORM_STD_SNPRINTF   snprintf /**< The default \c snprintf function to use.  */
+#endif
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
+#define MBEDTLS_PLATFORM_STD_PRINTF   printf /**< The default \c printf function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
+#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< The default \c fprintf function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
+#define MBEDTLS_PLATFORM_STD_CALLOC   calloc /**< The default \c calloc function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_FREE)
+#define MBEDTLS_PLATFORM_STD_FREE       free /**< The default \c free function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
+#define MBEDTLS_PLATFORM_STD_EXIT      exit /**< The default \c exit function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_TIME)
+#define MBEDTLS_PLATFORM_STD_TIME       time    /**< The default \c time function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
+#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS  EXIT_SUCCESS /**< The default exit value to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
+#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE  EXIT_FAILURE /**< The default exit value to use. */
+#endif
+#if defined(MBEDTLS_FS_IO)
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
+#define MBEDTLS_PLATFORM_STD_NV_SEED_READ   mbedtls_platform_std_nv_seed_read
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE)
+#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE  mbedtls_platform_std_nv_seed_write
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_FILE)
+#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE   "seedfile"
+#endif
+#endif /* MBEDTLS_FS_IO */
+#else /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR)
+#include MBEDTLS_PLATFORM_STD_MEM_HDR
+#endif
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+
+
+/* \} name SECTION: Module settings */
+
+/*
+ * The function pointers for calloc and free
+ */
+#if defined(MBEDTLS_PLATFORM_MEMORY)
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) && \
+    defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
+#define mbedtls_free       MBEDTLS_PLATFORM_FREE_MACRO
+#define mbedtls_calloc     MBEDTLS_PLATFORM_CALLOC_MACRO
+#else
+/* For size_t */
+#include <stddef.h>
+extern void * (*mbedtls_calloc)( size_t n, size_t size );
+extern void (*mbedtls_free)( void *ptr );
+
+/**
+ * \brief   This function allows configuring custom memory-management functions.
+ *
+ * \param calloc_func   The \c calloc function implementation.
+ * \param free_func     The \c free function implementation.
+ *
+ * \return              \c 0.
+ */
+int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
+                              void (*free_func)( void * ) );
+#endif /* MBEDTLS_PLATFORM_FREE_MACRO && MBEDTLS_PLATFORM_CALLOC_MACRO */
+#else /* !MBEDTLS_PLATFORM_MEMORY */
+#define mbedtls_free       free
+#define mbedtls_calloc     calloc
+#endif /* MBEDTLS_PLATFORM_MEMORY && !MBEDTLS_PLATFORM_{FREE,CALLOC}_MACRO */
+
+/*
+ * The function pointers for fprintf
+ */
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+/* We need FILE * */
+#include <stdio.h>
+extern int (*mbedtls_fprintf)( FILE *stream, const char *format, ... );
+
+/**
+ * \brief   This function allows configuring a custom \p fprintf function pointer.
+ *
+ * \param fprintf_func   The \c fprintf function implementation.
+ *
+ * \return               \c 0.
+ */
+int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *stream, const char *,
+                                               ... ) );
+#else
+#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO)
+#define mbedtls_fprintf    MBEDTLS_PLATFORM_FPRINTF_MACRO
+#else
+#define mbedtls_fprintf    fprintf
+#endif /* MBEDTLS_PLATFORM_FPRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+
+/*
+ * The function pointers for printf
+ */
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+extern int (*mbedtls_printf)( const char *format, ... );
+
+/**
+ * \brief    This function allows configuring a custom \c printf function
+ *           pointer.
+ *
+ * \param printf_func   The \c printf function implementation.
+ *
+ * \return              \c 0 on success.
+ */
+int mbedtls_platform_set_printf( int (*printf_func)( const char *, ... ) );
+#else /* !MBEDTLS_PLATFORM_PRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO)
+#define mbedtls_printf     MBEDTLS_PLATFORM_PRINTF_MACRO
+#else
+#define mbedtls_printf     printf
+#endif /* MBEDTLS_PLATFORM_PRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+
+/*
+ * The function pointers for snprintf
+ *
+ * The snprintf implementation should conform to C99:
+ * - it *must* always correctly zero-terminate the buffer
+ *   (except when n == 0, then it must leave the buffer untouched)
+ * - however it is acceptable to return -1 instead of the required length when
+ *   the destination buffer is too short.
+ */
+#if defined(_WIN32)
+/* For Windows (inc. MSYS2), we provide our own fixed implementation */
+int mbedtls_platform_win32_snprintf( char *s, size_t n, const char *fmt, ... );
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+extern int (*mbedtls_snprintf)( char * s, size_t n, const char * format, ... );
+
+/**
+ * \brief   This function allows configuring a custom \c snprintf function
+ *          pointer.
+ *
+ * \param snprintf_func   The \c snprintf function implementation.
+ *
+ * \return    \c 0 on success.
+ */
+int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
+                                                 const char * format, ... ) );
+#else /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
+#define mbedtls_snprintf   MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#else
+#define mbedtls_snprintf   MBEDTLS_PLATFORM_STD_SNPRINTF
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+
+/*
+ * The function pointers for exit
+ */
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+extern void (*mbedtls_exit)( int status );
+
+/**
+ * \brief   This function allows configuring a custom \c exit function
+ *          pointer.
+ *
+ * \param exit_func   The \c exit function implementation.
+ *
+ * \return  \c 0 on success.
+ */
+int mbedtls_platform_set_exit( void (*exit_func)( int status ) );
+#else
+#if defined(MBEDTLS_PLATFORM_EXIT_MACRO)
+#define mbedtls_exit   MBEDTLS_PLATFORM_EXIT_MACRO
+#else
+#define mbedtls_exit   exit
+#endif /* MBEDTLS_PLATFORM_EXIT_MACRO */
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+
+/*
+ * The default exit values
+ */
+#if defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
+#define MBEDTLS_EXIT_SUCCESS MBEDTLS_PLATFORM_STD_EXIT_SUCCESS
+#else
+#define MBEDTLS_EXIT_SUCCESS 0
+#endif
+#if defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
+#define MBEDTLS_EXIT_FAILURE MBEDTLS_PLATFORM_STD_EXIT_FAILURE
+#else
+#define MBEDTLS_EXIT_FAILURE 1
+#endif
+
+/*
+ * The function pointers for reading from and writing a seed file to
+ * Non-Volatile storage (NV) in a platform-independent way
+ *
+ * Only enabled when the NV seed entropy source is enabled
+ */
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
+/* Internal standard platform definitions */
+int mbedtls_platform_std_nv_seed_read( unsigned char *buf, size_t buf_len );
+int mbedtls_platform_std_nv_seed_write( unsigned char *buf, size_t buf_len );
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+extern int (*mbedtls_nv_seed_read)( unsigned char *buf, size_t buf_len );
+extern int (*mbedtls_nv_seed_write)( unsigned char *buf, size_t buf_len );
+
+/**
+ * \brief   This function allows configuring custom seed file writing and
+ *          reading functions.
+ *
+ * \param   nv_seed_read_func   The seed reading function implementation.
+ * \param   nv_seed_write_func  The seed writing function implementation.
+ *
+ * \return  \c 0 on success.
+ */
+int mbedtls_platform_set_nv_seed(
+            int (*nv_seed_read_func)( unsigned char *buf, size_t buf_len ),
+            int (*nv_seed_write_func)( unsigned char *buf, size_t buf_len )
+            );
+#else
+#if defined(MBEDTLS_PLATFORM_NV_SEED_READ_MACRO) && \
+    defined(MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO)
+#define mbedtls_nv_seed_read    MBEDTLS_PLATFORM_NV_SEED_READ_MACRO
+#define mbedtls_nv_seed_write   MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO
+#else
+#define mbedtls_nv_seed_read    mbedtls_platform_std_nv_seed_read
+#define mbedtls_nv_seed_write   mbedtls_platform_std_nv_seed_write
+#endif
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+
+/**
+ * \brief   The platform context structure.
+ *
+ * \note    This structure may be used to assist platform-specific
+ *          setup or teardown operations.
+ */
+typedef struct {
+    char dummy; /**< Placeholder member, as empty structs are not portable. */
+}
+mbedtls_platform_context;
+
+#else
+#include "platform_alt.h"
+#endif /* !MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+
+/**
+ * \brief   This function performs any platform initialization operations.
+ *
+ * \param   ctx     The Mbed TLS context.
+ *
+ * \return  \c 0 on success.
+ *
+ * \note    This function is intended to allow platform-specific initialization,
+ *          and should be called before any other library functions. Its
+ *          implementation is platform-specific, and unless
+ *          platform-specific code is provided, it does nothing.
+ *
+ *          Its use and whether it is necessary to call it is dependent on the
+ *          platform.
+ */
+int mbedtls_platform_setup( mbedtls_platform_context *ctx );
+/**
+ * \brief   This function performs any platform teardown operations.
+ *
+ * \param   ctx     The Mbed TLS context.
+ *
+ * \note    This function should be called after every other Mbed TLS module
+ *          has been correctly freed using the appropriate free function.
+ *          Its implementation is platform-specific, and unless
+ *          platform-specific code is provided, it does nothing.
+ *
+ *          Its use and whether it is necessary to call it is dependent on the
+ *          platform.
+ */
+void mbedtls_platform_teardown( mbedtls_platform_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* platform.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/platform_time.h b/third-party/mbedtls-3.6/include/mbedtls/platform_time.h
new file mode 100644
index 00000000..e132f6a6
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/platform_time.h
@@ -0,0 +1,107 @@
+/**
+ * \file platform_time.h
+ *
+ * \brief mbed TLS Platform time abstraction
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_PLATFORM_TIME_H
+#define MBEDTLS_PLATFORM_TIME_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+/*
+ * The time_t datatype
+ */
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO)
+typedef MBEDTLS_PLATFORM_TIME_TYPE_MACRO mbedtls_time_t;
+#else
+/* For time_t */
+#include <time.h>
+typedef time_t mbedtls_time_t;
+#endif /* MBEDTLS_PLATFORM_TIME_TYPE_MACRO */
+
+/*
+ * The function pointers for time
+ */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+extern mbedtls_time_t (*mbedtls_time)( mbedtls_time_t* time );
+
+/**
+ * \brief   Set your own time function pointer
+ *
+ * \param   time_func   the time function implementation
+ *
+ * \return              0
+ */
+int mbedtls_platform_set_time( mbedtls_time_t (*time_func)( mbedtls_time_t* time ) );
+#else
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO)
+#define mbedtls_time    MBEDTLS_PLATFORM_TIME_MACRO
+#else
+#define mbedtls_time   time
+#endif /* MBEDTLS_PLATFORM_TIME_MACRO */
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* platform_time.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ripemd160.h b/third-party/mbedtls-3.6/include/mbedtls/ripemd160.h
new file mode 100644
index 00000000..e954c65b
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ripemd160.h
@@ -0,0 +1,264 @@
+/**
+ * \file ripemd160.h
+ *
+ * \brief RIPE MD-160 message digest
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_RIPEMD160_H
+#define MBEDTLS_RIPEMD160_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED             -0x0031  /**< RIPEMD160 hardware accelerator failed */
+
+#if !defined(MBEDTLS_RIPEMD160_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          RIPEMD-160 context structure
+ */
+typedef struct
+{
+    uint32_t total[2];          /*!< number of bytes processed  */
+    uint32_t state[5];          /*!< intermediate digest state  */
+    unsigned char buffer[64];   /*!< data block being processed */
+}
+mbedtls_ripemd160_context;
+
+/**
+ * \brief          Initialize RIPEMD-160 context
+ *
+ * \param ctx      RIPEMD-160 context to be initialized
+ */
+void mbedtls_ripemd160_init( mbedtls_ripemd160_context *ctx );
+
+/**
+ * \brief          Clear RIPEMD-160 context
+ *
+ * \param ctx      RIPEMD-160 context to be cleared
+ */
+void mbedtls_ripemd160_free( mbedtls_ripemd160_context *ctx );
+
+/**
+ * \brief          Clone (the state of) an RIPEMD-160 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ */
+void mbedtls_ripemd160_clone( mbedtls_ripemd160_context *dst,
+                        const mbedtls_ripemd160_context *src );
+
+/**
+ * \brief          RIPEMD-160 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_starts_ret( mbedtls_ripemd160_context *ctx );
+
+/**
+ * \brief          RIPEMD-160 process buffer
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_update_ret( mbedtls_ripemd160_context *ctx,
+                                  const unsigned char *input,
+                                  size_t ilen );
+
+/**
+ * \brief          RIPEMD-160 final digest
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param output   RIPEMD-160 checksum result
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_finish_ret( mbedtls_ripemd160_context *ctx,
+                                  unsigned char output[20] );
+
+/**
+ * \brief          RIPEMD-160 process data block (internal use only)
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param data     buffer holding one block of data
+ *
+ * \return         0 if successful
+ */
+int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
+                                        const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          RIPEMD-160 context setup
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_starts(
+                                            mbedtls_ripemd160_context *ctx );
+
+/**
+ * \brief          RIPEMD-160 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_update_ret() in 2.7.0
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_update(
+                                                mbedtls_ripemd160_context *ctx,
+                                                const unsigned char *input,
+                                                size_t ilen );
+
+/**
+ * \brief          RIPEMD-160 final digest
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_finish_ret() in 2.7.0
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param output   RIPEMD-160 checksum result
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_finish(
+                                                mbedtls_ripemd160_context *ctx,
+                                                unsigned char output[20] );
+
+/**
+ * \brief          RIPEMD-160 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_ripemd160_process() in 2.7.0
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param data     buffer holding one block of data
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_process(
+                                            mbedtls_ripemd160_context *ctx,
+                                            const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_RIPEMD160_ALT */
+#include "ripemd160_alt.h"
+#endif /* MBEDTLS_RIPEMD160_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Output = RIPEMD-160( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   RIPEMD-160 checksum result
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_ret( const unsigned char *input,
+                           size_t ilen,
+                           unsigned char output[20] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = RIPEMD-160( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   RIPEMD-160 checksum result
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160( const unsigned char *input,
+                                           size_t ilen,
+                                           unsigned char output[20] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_ripemd160_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_ripemd160.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/rsa.h b/third-party/mbedtls-3.6/include/mbedtls/rsa.h
new file mode 100644
index 00000000..cfb66dd8
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/rsa.h
@@ -0,0 +1,1170 @@
+/**
+ * \file rsa.h
+ *
+ * \brief The RSA public-key cryptosystem.
+ *
+ * For more information, see <em>Public-Key Cryptography Standards (PKCS)
+ * #1 v1.5: RSA Encryption</em> and <em>Public-Key Cryptography Standards
+ * (PKCS) #1 v2.1: RSA Cryptography Specifications</em>.
+ *
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_RSA_H
+#define MBEDTLS_RSA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+#include "md.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+/*
+ * RSA Error codes
+ */
+#define MBEDTLS_ERR_RSA_BAD_INPUT_DATA                    -0x4080  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_RSA_INVALID_PADDING                   -0x4100  /**< Input data contains invalid padding and is rejected. */
+#define MBEDTLS_ERR_RSA_KEY_GEN_FAILED                    -0x4180  /**< Something failed during generation of a key. */
+#define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED                  -0x4200  /**< Key failed to pass the validity check of the library. */
+#define MBEDTLS_ERR_RSA_PUBLIC_FAILED                     -0x4280  /**< The public key operation failed. */
+#define MBEDTLS_ERR_RSA_PRIVATE_FAILED                    -0x4300  /**< The private key operation failed. */
+#define MBEDTLS_ERR_RSA_VERIFY_FAILED                     -0x4380  /**< The PKCS#1 verification failed. */
+#define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE                  -0x4400  /**< The output buffer for decryption is not large enough. */
+#define MBEDTLS_ERR_RSA_RNG_FAILED                        -0x4480  /**< The random generator failed to generate non-zeros. */
+#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION             -0x4500  /**< The implementation does not offer the requested operation, for example, because of security violations or lack of functionality. */
+#define MBEDTLS_ERR_RSA_HW_ACCEL_FAILED                   -0x4580  /**< RSA hardware accelerator failed. */
+
+/*
+ * RSA constants
+ */
+#define MBEDTLS_RSA_PUBLIC      0 /**< Request private key operation. */
+#define MBEDTLS_RSA_PRIVATE     1 /**< Request public key operation. */
+
+#define MBEDTLS_RSA_PKCS_V15    0 /**< Use PKCS-1 v1.5 encoding. */
+#define MBEDTLS_RSA_PKCS_V21    1 /**< Use PKCS-1 v2.1 encoding. */
+
+#define MBEDTLS_RSA_SIGN        1 /**< Identifier for RSA signature operations. */
+#define MBEDTLS_RSA_CRYPT       2 /**< Identifier for RSA encryption and decryption operations. */
+
+#define MBEDTLS_RSA_SALT_LEN_ANY    -1
+
+/*
+ * The above constants may be used even if the RSA module is compile out,
+ * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
+ */
+
+#if !defined(MBEDTLS_RSA_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   The RSA context structure.
+ *
+ * \note    Direct manipulation of the members of this structure
+ *          is deprecated. All manipulation should instead be done through
+ *          the public interface functions.
+ */
+typedef struct
+{
+    int ver;                    /*!<  Reserved for internal purposes.
+                                 *    Do not set this field in application
+                                 *    code. Its meaning might change without
+                                 *    notice. */
+    size_t len;                 /*!<  The size of \p N in Bytes. */
+
+    mbedtls_mpi N;                      /*!<  The public modulus. */
+    mbedtls_mpi E;                      /*!<  The public exponent. */
+
+    mbedtls_mpi D;                      /*!<  The private exponent. */
+    mbedtls_mpi P;                      /*!<  The first prime factor. */
+    mbedtls_mpi Q;                      /*!<  The second prime factor. */
+
+    mbedtls_mpi DP;                     /*!<  \p D % (P - 1)       */
+    mbedtls_mpi DQ;                     /*!<  \p D % (Q - 1)       */
+    mbedtls_mpi QP;                     /*!<  1 / (Q % P)       */
+
+    mbedtls_mpi RN;                     /*!<  cached R^2 mod \p N  */
+
+    mbedtls_mpi RP;                     /*!<  cached R^2 mod \p P  */
+    mbedtls_mpi RQ;                     /*!<  cached R^2 mod \p Q  */
+
+    mbedtls_mpi Vi;                     /*!<  The cached blinding value. */
+    mbedtls_mpi Vf;                     /*!<  The cached un-blinding value. */
+
+    int padding;                /*!< Selects padding mode:
+                                     #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
+                                     #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */
+    int hash_id;                /*!< Hash identifier of mbedtls_md_type_t type,
+                                     as specified in md.h for use in the MGF
+                                     mask generating function used in the
+                                     EME-OAEP and EMSA-PSS encodings. */
+#if defined(MBEDTLS_THREADING_C)
+    /* Invariant: the mutex is initialized iff ver != 0. */
+    mbedtls_threading_mutex_t mutex;    /*!<  Thread-safety mutex. */
+#endif
+}
+mbedtls_rsa_context;
+
+/**
+ * \brief          This function initializes an RSA context.
+ *
+ * \note           Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP
+ *                 encryption scheme and the RSASSA-PSS signature scheme.
+ *
+ * \param ctx      The RSA context to initialize.
+ * \param padding  Selects padding mode: #MBEDTLS_RSA_PKCS_V15 or
+ *                 #MBEDTLS_RSA_PKCS_V21.
+ * \param hash_id  The hash identifier of #mbedtls_md_type_t type, if
+ *                 \p padding is #MBEDTLS_RSA_PKCS_V21.
+ *
+ * \note           The \p hash_id parameter is ignored when using
+ *                 #MBEDTLS_RSA_PKCS_V15 padding.
+ *
+ * \note           The choice of padding mode is strictly enforced for private key
+ *                 operations, since there might be security concerns in
+ *                 mixing padding modes. For public key operations it is
+ *                 a default value, which can be overridden by calling specific
+ *                 \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions.
+ *
+ * \note           The hash selected in \p hash_id is always used for OEAP
+ *                 encryption. For PSS signatures, it is always used for
+ *                 making signatures, but can be overridden for verifying them.
+ *                 If set to #MBEDTLS_MD_NONE, it is always overridden.
+ */
+void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
+                       int padding,
+                       int hash_id);
+
+/**
+ * \brief          This function imports a set of core parameters into an
+ *                 RSA context.
+ *
+ * \param ctx      The initialized RSA context to store the parameters in.
+ * \param N        The RSA modulus, or NULL.
+ * \param P        The first prime factor of \p N, or NULL.
+ * \param Q        The second prime factor of \p N, or NULL.
+ * \param D        The private exponent, or NULL.
+ * \param E        The public exponent, or NULL.
+ *
+ * \note           This function can be called multiple times for successive
+ *                 imports, if the parameters are not simultaneously present.
+ *
+ *                 Any sequence of calls to this function should be followed
+ *                 by a call to mbedtls_rsa_complete(), which checks and
+ *                 completes the provided information to a ready-for-use
+ *                 public or private RSA key.
+ *
+ * \note           See mbedtls_rsa_complete() for more information on which
+ *                 parameters are necessary to set up a private or public
+ *                 RSA key.
+ *
+ * \note           The imported parameters are copied and need not be preserved
+ *                 for the lifetime of the RSA context being set up.
+ *
+ * \return         \c 0 on success, or a non-zero error code on failure.
+ */
+int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
+                        const mbedtls_mpi *N,
+                        const mbedtls_mpi *P, const mbedtls_mpi *Q,
+                        const mbedtls_mpi *D, const mbedtls_mpi *E );
+
+/**
+ * \brief          This function imports core RSA parameters, in raw big-endian
+ *                 binary format, into an RSA context.
+ *
+ * \param ctx      The initialized RSA context to store the parameters in.
+ * \param N        The RSA modulus, or NULL.
+ * \param N_len    The Byte length of \p N, ignored if \p N == NULL.
+ * \param P        The first prime factor of \p N, or NULL.
+ * \param P_len    The Byte length of \p P, ignored if \p P == NULL.
+ * \param Q        The second prime factor of \p N, or NULL.
+ * \param Q_len    The Byte length of \p Q, ignored if \p Q == NULL.
+ * \param D        The private exponent, or NULL.
+ * \param D_len    The Byte length of \p D, ignored if \p D == NULL.
+ * \param E        The public exponent, or NULL.
+ * \param E_len    The Byte length of \p E, ignored if \p E == NULL.
+ *
+ * \note           This function can be called multiple times for successive
+ *                 imports, if the parameters are not simultaneously present.
+ *
+ *                 Any sequence of calls to this function should be followed
+ *                 by a call to mbedtls_rsa_complete(), which checks and
+ *                 completes the provided information to a ready-for-use
+ *                 public or private RSA key.
+ *
+ * \note           See mbedtls_rsa_complete() for more information on which
+ *                 parameters are necessary to set up a private or public
+ *                 RSA key.
+ *
+ * \note           The imported parameters are copied and need not be preserved
+ *                 for the lifetime of the RSA context being set up.
+ *
+ * \return         \c 0 on success, or a non-zero error code on failure.
+ */
+int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
+                            unsigned char const *N, size_t N_len,
+                            unsigned char const *P, size_t P_len,
+                            unsigned char const *Q, size_t Q_len,
+                            unsigned char const *D, size_t D_len,
+                            unsigned char const *E, size_t E_len );
+
+/**
+ * \brief          This function completes an RSA context from
+ *                 a set of imported core parameters.
+ *
+ *                 To setup an RSA public key, precisely \p N and \p E
+ *                 must have been imported.
+ *
+ *                 To setup an RSA private key, sufficient information must
+ *                 be present for the other parameters to be derivable.
+ *
+ *                 The default implementation supports the following:
+ *                 <ul><li>Derive \p P, \p Q from \p N, \p D, \p E.</li>
+ *                 <li>Derive \p N, \p D from \p P, \p Q, \p E.</li></ul>
+ *                 Alternative implementations need not support these.
+ *
+ *                 If this function runs successfully, it guarantees that
+ *                 the RSA context can be used for RSA operations without
+ *                 the risk of failure or crash.
+ *
+ * \param ctx      The initialized RSA context holding imported parameters.
+ *
+ * \return         \c 0 on success, or #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the
+ *                 attempted derivations failed.
+ *
+ * \warning        This function need not perform consistency checks
+ *                 for the imported parameters. In particular, parameters that
+ *                 are not needed by the implementation might be silently
+ *                 discarded and left unchecked. To check the consistency
+ *                 of the key material, see mbedtls_rsa_check_privkey().
+ *
+ */
+int mbedtls_rsa_complete( mbedtls_rsa_context *ctx );
+
+/**
+ * \brief          This function exports the core parameters of an RSA key.
+ *
+ *                 If this function runs successfully, the non-NULL buffers
+ *                 pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
+ *                 written, with additional unused space filled leading by
+ *                 zero Bytes.
+ *
+ *                 Possible reasons for returning
+ *                 #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:<ul>
+ *                 <li>An alternative RSA implementation is in use, which
+ *                 stores the key externally, and either cannot or should
+ *                 not export it into RAM.</li>
+ *                 <li>A SW or HW implementation might not support a certain
+ *                 deduction. For example, \p P, \p Q from \p N, \p D,
+ *                 and \p E if the former are not part of the
+ *                 implementation.</li></ul>
+ *
+ *                 If the function fails due to an unsupported operation,
+ *                 the RSA context stays intact and remains usable.
+ *
+ * \param ctx      The initialized RSA context.
+ * \param N        The MPI to hold the RSA modulus, or NULL.
+ * \param P        The MPI to hold the first prime factor of \p N, or NULL.
+ * \param Q        The MPI to hold the second prime factor of \p N, or NULL.
+ * \param D        The MPI to hold the private exponent, or NULL.
+ * \param E        The MPI to hold the public exponent, or NULL.
+ *
+ * \return         \c 0 on success,
+ *                 #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION if exporting the
+ *                 requested parameters cannot be done due to missing
+ *                 functionality or because of security policies,
+ *                 or a non-zero return code on any other failure.
+ *
+ */
+int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
+                        mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
+                        mbedtls_mpi *D, mbedtls_mpi *E );
+
+/**
+ * \brief          This function exports core parameters of an RSA key
+ *                 in raw big-endian binary format.
+ *
+ *                 If this function runs successfully, the non-NULL buffers
+ *                 pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
+ *                 written, with additional unused space filled leading by
+ *                 zero Bytes.
+ *
+ *                 Possible reasons for returning
+ *                 #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:<ul>
+ *                 <li>An alternative RSA implementation is in use, which
+ *                 stores the key externally, and either cannot or should
+ *                 not export it into RAM.</li>
+ *                 <li>A SW or HW implementation might not support a certain
+ *                 deduction. For example, \p P, \p Q from \p N, \p D,
+ *                 and \p E if the former are not part of the
+ *                 implementation.</li></ul>
+ *                 If the function fails due to an unsupported operation,
+ *                 the RSA context stays intact and remains usable.
+ *
+ * \param ctx      The initialized RSA context.
+ * \param N        The Byte array to store the RSA modulus, or NULL.
+ * \param N_len    The size of the buffer for the modulus.
+ * \param P        The Byte array to hold the first prime factor of \p N, or
+ *                 NULL.
+ * \param P_len    The size of the buffer for the first prime factor.
+ * \param Q        The Byte array to hold the second prime factor of \p N, or
+                   NULL.
+ * \param Q_len    The size of the buffer for the second prime factor.
+ * \param D        The Byte array to hold the private exponent, or NULL.
+ * \param D_len    The size of the buffer for the private exponent.
+ * \param E        The Byte array to hold the public exponent, or NULL.
+ * \param E_len    The size of the buffer for the public exponent.
+ *
+ * \note           The length fields are ignored if the corresponding
+ *                 buffer pointers are NULL.
+ *
+ * \return         \c 0 on success,
+ *                 #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION if exporting the
+ *                 requested parameters cannot be done due to missing
+ *                 functionality or because of security policies,
+ *                 or a non-zero return code on any other failure.
+ */
+int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
+                            unsigned char *N, size_t N_len,
+                            unsigned char *P, size_t P_len,
+                            unsigned char *Q, size_t Q_len,
+                            unsigned char *D, size_t D_len,
+                            unsigned char *E, size_t E_len );
+
+/**
+ * \brief          This function exports CRT parameters of a private RSA key.
+ *
+ * \param ctx      The initialized RSA context.
+ * \param DP       The MPI to hold D modulo P-1, or NULL.
+ * \param DQ       The MPI to hold D modulo Q-1, or NULL.
+ * \param QP       The MPI to hold modular inverse of Q modulo P, or NULL.
+ *
+ * \return         \c 0 on success, non-zero error code otherwise.
+ *
+ * \note           Alternative RSA implementations not using CRT-parameters
+ *                 internally can implement this function based on
+ *                 mbedtls_rsa_deduce_opt().
+ *
+ */
+int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
+                            mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP );
+
+/**
+ * \brief          This function sets padding for an already initialized RSA
+ *                 context. See mbedtls_rsa_init() for details.
+ *
+ * \param ctx      The RSA context to be set.
+ * \param padding  Selects padding mode: #MBEDTLS_RSA_PKCS_V15 or
+ *                 #MBEDTLS_RSA_PKCS_V21.
+ * \param hash_id  The #MBEDTLS_RSA_PKCS_V21 hash identifier.
+ */
+void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
+                              int hash_id);
+
+/**
+ * \brief          This function retrieves the length of RSA modulus in Bytes.
+ *
+ * \param ctx      The initialized RSA context.
+ *
+ * \return         The length of the RSA modulus in Bytes.
+ *
+ */
+size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx );
+
+/**
+ * \brief          This function generates an RSA keypair.
+ *
+ * \param ctx      The RSA context used to hold the key.
+ * \param f_rng    The RNG function.
+ * \param p_rng    The RNG parameter.
+ * \param nbits    The size of the public key in bits.
+ * \param exponent The public exponent. For example, 65537.
+ *
+ * \note           mbedtls_rsa_init() must be called before this function,
+ *                 to set up the RSA context.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+                   on failure.
+ */
+int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         unsigned int nbits, int exponent );
+
+/**
+ * \brief          This function checks if a context contains at least an RSA
+ *                 public key.
+ *
+ *                 If the function runs successfully, it is guaranteed that
+ *                 enough information is present to perform an RSA public key
+ *                 operation using mbedtls_rsa_public().
+ *
+ * \param ctx      The RSA context to check.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ */
+int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx );
+
+/**
+ * \brief      This function checks if a context contains an RSA private key
+ *             and perform basic consistency checks.
+ *
+ * \param ctx  The RSA context to check.
+ *
+ * \return     \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code on
+ *             failure.
+ *
+ * \note       The consistency checks performed by this function not only
+ *             ensure that mbedtls_rsa_private() can be called successfully
+ *             on the given context, but that the various parameters are
+ *             mutually consistent with high probability, in the sense that
+ *             mbedtls_rsa_public() and mbedtls_rsa_private() are inverses.
+ *
+ * \warning    This function should catch accidental misconfigurations
+ *             like swapping of parameters, but it cannot establish full
+ *             trust in neither the quality nor the consistency of the key
+ *             material that was used to setup the given RSA context:
+ *             <ul><li>Consistency: Imported parameters that are irrelevant
+ *             for the implementation might be silently dropped. If dropped,
+ *             the current function does not have access to them,
+ *             and therefore cannot check them. See mbedtls_rsa_complete().
+ *             If you want to check the consistency of the entire
+ *             content of an PKCS1-encoded RSA private key, for example, you
+ *             should use mbedtls_rsa_validate_params() before setting
+ *             up the RSA context.
+ *             Additionally, if the implementation performs empirical checks,
+ *             these checks substantiate but do not guarantee consistency.</li>
+ *             <li>Quality: This function is not expected to perform
+ *             extended quality assessments like checking that the prime
+ *             factors are safe. Additionally, it is the responsibility of the
+ *             user to ensure the trustworthiness of the source of his RSA
+ *             parameters, which goes beyond what is effectively checkable
+ *             by the library.</li></ul>
+ */
+int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx );
+
+/**
+ * \brief          This function checks a public-private RSA key pair.
+ *
+ *                 It checks each of the contexts, and makes sure they match.
+ *
+ * \param pub      The RSA context holding the public key.
+ * \param prv      The RSA context holding the private key.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ */
+int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
+                                const mbedtls_rsa_context *prv );
+
+/**
+ * \brief          This function performs an RSA public key operation.
+ *
+ * \param ctx      The RSA context.
+ * \param input    The input buffer.
+ * \param output   The output buffer.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           This function does not handle message padding.
+ *
+ * \note           Make sure to set \p input[0] = 0 or ensure that
+ *                 input is smaller than \p N.
+ *
+ * \note           The input and output buffers must be large
+ *                 enough. For example, 128 Bytes if RSA-1024 is used.
+ */
+int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
+                const unsigned char *input,
+                unsigned char *output );
+
+/**
+ * \brief          This function performs an RSA private key operation.
+ *
+ * \param ctx      The RSA context.
+ * \param f_rng    The RNG function. Needed for blinding.
+ * \param p_rng    The RNG parameter.
+ * \param input    The input buffer.
+ * \param output   The output buffer.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The input and output buffers must be large
+ *                 enough. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \note           Blinding is used if and only if a PRNG is provided.
+ *
+ * \note           If blinding is used, both the base of exponentation
+ *                 and the exponent are blinded, providing protection
+ *                 against some side-channel attacks.
+ *
+ * \warning        It is deprecated and a security risk to not provide
+ *                 a PRNG here and thereby prevent the use of blinding.
+ *                 Future versions of the library may enforce the presence
+ *                 of a PRNG.
+ *
+ */
+int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
+                 int (*f_rng)(void *, unsigned char *, size_t),
+                 void *p_rng,
+                 const unsigned char *input,
+                 unsigned char *output );
+
+/**
+ * \brief          This function adds the message padding, then performs an RSA
+ *                 operation.
+ *
+ *                 It is the generic wrapper for performing a PKCS#1 encryption
+ *                 operation using the \p mode from the context.
+ *
+ *
+ * \param ctx      The RSA context.
+ * \param f_rng    The RNG function. Needed for padding, PKCS#1 v2.1
+ *                 encoding, and #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng    The RNG parameter.
+ * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ilen     The length of the plaintext.
+ * \param input    The buffer holding the data to encrypt.
+ * \param output   The buffer used to hold the ciphertext.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The input and output buffers must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ */
+int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng,
+                       int mode, size_t ilen,
+                       const unsigned char *input,
+                       unsigned char *output );
+
+/**
+ * \brief          This function performs a PKCS#1 v1.5 encryption operation
+ *                 (RSAES-PKCS1-v1_5-ENCRYPT).
+ *
+ * \param ctx      The RSA context.
+ * \param f_rng    The RNG function. Needed for padding and
+ *                 #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng    The RNG parameter.
+ * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ilen     The length of the plaintext.
+ * \param input    The buffer holding the data to encrypt.
+ * \param output   The buffer used to hold the ciphertext.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The output buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode, size_t ilen,
+                                 const unsigned char *input,
+                                 unsigned char *output );
+
+/**
+ * \brief            This function performs a PKCS#1 v2.1 OAEP encryption
+ *                   operation (RSAES-OAEP-ENCRYPT).
+ *
+ * \param ctx        The RSA context.
+ * \param f_rng      The RNG function. Needed for padding and PKCS#1 v2.1
+ *                   encoding and #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng      The RNG parameter.
+ * \param mode       #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param label      The buffer holding the custom label to use.
+ * \param label_len  The length of the label.
+ * \param ilen       The length of the plaintext.
+ * \param input      The buffer holding the data to encrypt.
+ * \param output     The buffer used to hold the ciphertext.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The output buffer must be as large as the size
+ *                 of ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ */
+int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng,
+                            int mode,
+                            const unsigned char *label, size_t label_len,
+                            size_t ilen,
+                            const unsigned char *input,
+                            unsigned char *output );
+
+/**
+ * \brief          This function performs an RSA operation, then removes the
+ *                 message padding.
+ *
+ *                 It is the generic wrapper for performing a PKCS#1 decryption
+ *                 operation using the \p mode from the context.
+ *
+ * \param ctx      The RSA context.
+ * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng    The RNG parameter.
+ * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param olen     The length of the plaintext.
+ * \param input    The buffer holding the encrypted data.
+ * \param output   The buffer used to hold the plaintext.
+ * \param output_max_len    The maximum length of the output buffer.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The output buffer length \c output_max_len should be
+ *                 as large as the size \p ctx->len of \p ctx->N (for example,
+ *                 128 Bytes if RSA-1024 is used) to be able to hold an
+ *                 arbitrary decrypted message. If it is not large enough to
+ *                 hold the decryption of the particular ciphertext provided,
+ *                 the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \note           The input buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ */
+int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng,
+                       int mode, size_t *olen,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t output_max_len );
+
+/**
+ * \brief          This function performs a PKCS#1 v1.5 decryption
+ *                 operation (RSAES-PKCS1-v1_5-DECRYPT).
+ *
+ * \param ctx      The RSA context.
+ * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng    The RNG parameter.
+ * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param olen     The length of the plaintext.
+ * \param input    The buffer holding the encrypted data.
+ * \param output   The buffer to hold the plaintext.
+ * \param output_max_len    The maximum length of the output buffer.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The output buffer length \c output_max_len should be
+ *                 as large as the size \p ctx->len of \p ctx->N, for example,
+ *                 128 Bytes if RSA-1024 is used, to be able to hold an
+ *                 arbitrary decrypted message. If it is not large enough to
+ *                 hold the decryption of the particular ciphertext provided,
+ *                 the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \note           The input buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode, size_t *olen,
+                                 const unsigned char *input,
+                                 unsigned char *output,
+                                 size_t output_max_len );
+
+/**
+ * \brief          This function performs a PKCS#1 v2.1 OAEP decryption
+ *                 operation (RSAES-OAEP-DECRYPT).
+ *
+ * \param ctx        The RSA context.
+ * \param f_rng      The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng      The RNG parameter.
+ * \param mode       #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param label      The buffer holding the custom label to use.
+ * \param label_len  The length of the label.
+ * \param olen       The length of the plaintext.
+ * \param input      The buffer holding the encrypted data.
+ * \param output     The buffer to hold the plaintext.
+ * \param output_max_len    The maximum length of the output buffer.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
+ * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The output buffer length \c output_max_len should be
+ *                 as large as the size \p ctx->len of \p ctx->N, for
+ *                 example, 128 Bytes if RSA-1024 is used, to be able to
+ *                 hold an arbitrary decrypted message. If it is not
+ *                 large enough to hold the decryption of the particular
+ *                 ciphertext provided, the function returns
+ *                 #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \note           The input buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ */
+int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng,
+                            int mode,
+                            const unsigned char *label, size_t label_len,
+                            size_t *olen,
+                            const unsigned char *input,
+                            unsigned char *output,
+                            size_t output_max_len );
+
+/**
+ * \brief          This function performs a private RSA operation to sign
+ *                 a message digest using PKCS#1.
+ *
+ *                 It is the generic wrapper for performing a PKCS#1
+ *                 signature using the \p mode from the context.
+ *
+ * \param ctx      The RSA context.
+ * \param f_rng    The RNG function. Needed for PKCS#1 v2.1 encoding and for
+ *                 #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng    The RNG parameter.
+ * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest.
+ * \param sig      The buffer to hold the ciphertext.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
+ * \return         \c 0 if the signing operation was successful,
+ *                 or an \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ *
+ * \note           The \p sig buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                 A buffer length of #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \note           For PKCS#1 v2.1 encoding, see comments on
+ *                 mbedtls_rsa_rsassa_pss_sign() for details on
+ *                 \p md_alg and \p hash_id.
+ */
+int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t),
+                    void *p_rng,
+                    int mode,
+                    mbedtls_md_type_t md_alg,
+                    unsigned int hashlen,
+                    const unsigned char *hash,
+                    unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v1.5 signature
+ *                 operation (RSASSA-PKCS1-v1_5-SIGN).
+ *
+ * \param ctx      The RSA context.
+ * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng    The RNG parameter.
+ * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest.
+ * \param sig      The buffer to hold the ciphertext.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
+ * \return         \c 0 if the signing operation was successful,
+ *                 or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The \p sig buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                 A buffer length of #MBEDTLS_MPI_MAX_SIZE is always safe.
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng,
+                               int mode,
+                               mbedtls_md_type_t md_alg,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v2.1 PSS signature
+ *                 operation (RSASSA-PSS-SIGN).
+ *
+ * \param ctx      The RSA context.
+ * \param f_rng    The RNG function. Needed for PKCS#1 v2.1 encoding and for
+ *                 #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng    The RNG parameter.
+ * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest.
+ * \param sig      The buffer to hold the ciphertext.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
+ * \return         \c 0 if the signing operation was successful,
+ *                 or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The \p sig buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                 A buffer length of #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \note           The \p hash_id in the RSA context is the one used for the
+ *                 encoding. \p md_alg in the function call is the type of hash
+ *                 that is encoded. According to <em>RFC-3447: Public-Key
+ *                 Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ *                 Specifications</em> it is advised to keep both hashes the
+ *                 same.
+ */
+int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         int mode,
+                         mbedtls_md_type_t md_alg,
+                         unsigned int hashlen,
+                         const unsigned char *hash,
+                         unsigned char *sig );
+
+/**
+ * \brief          This function performs a public RSA operation and checks
+ *                 the message digest.
+ *
+ *                 This is the generic wrapper for performing a PKCS#1
+ *                 verification using the mode from the context.
+ *
+ * \param ctx      The RSA public key context.
+ * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng    The RNG parameter.
+ * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest.
+ * \param sig      The buffer holding the ciphertext.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
+ * \return         \c 0 if the verify operation was successful,
+ *                 or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The \p sig buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \note           For PKCS#1 v2.1 encoding, see comments on
+ *                 mbedtls_rsa_rsassa_pss_verify() about \p md_alg and
+ *                 \p hash_id.
+ */
+int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng,
+                      int mode,
+                      mbedtls_md_type_t md_alg,
+                      unsigned int hashlen,
+                      const unsigned char *hash,
+                      const unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v1.5 verification
+ *                 operation (RSASSA-PKCS1-v1_5-VERIFY).
+ *
+ * \param ctx      The RSA public key context.
+ * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng    The RNG parameter.
+ * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest.
+ * \param sig      The buffer holding the ciphertext.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
+ * \return         \c 0 if the verify operation was successful,
+ *                 or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The \p sig buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode,
+                                 mbedtls_md_type_t md_alg,
+                                 unsigned int hashlen,
+                                 const unsigned char *hash,
+                                 const unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v2.1 PSS verification
+ *                 operation (RSASSA-PSS-VERIFY).
+ *
+ *                 The hash function for the MGF mask generating function
+ *                 is that specified in the RSA context.
+ *
+ * \param ctx      The RSA public key context.
+ * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng    The RNG parameter.
+ * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest.
+ * \param sig      The buffer holding the ciphertext.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
+ * \return         \c 0 if the verify operation was successful,
+ *                 or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The \p sig buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \note           The \p hash_id in the RSA context is the one used for the
+ *                 verification. \p md_alg in the function call is the type of
+ *                 hash that is verified. According to <em>RFC-3447: Public-Key
+ *                 Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ *                 Specifications</em> it is advised to keep both hashes the
+ *                 same. If \p hash_id in the RSA context is unset,
+ *                 the \p md_alg from the function call is used.
+ */
+int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng,
+                           int mode,
+                           mbedtls_md_type_t md_alg,
+                           unsigned int hashlen,
+                           const unsigned char *hash,
+                           const unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v2.1 PSS verification
+ *                 operation (RSASSA-PSS-VERIFY).
+ *
+ *                 The hash function for the MGF mask generating function
+ *                 is that specified in \p mgf1_hash_id.
+ *
+ * \param ctx      The RSA public key context.
+ * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng    The RNG parameter.
+ * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest.
+ * \param mgf1_hash_id The message digest used for mask generation.
+ * \param expected_salt_len The length of the salt used in padding. Use
+ *                 #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
+ * \param sig      The buffer holding the ciphertext.
+ *
+ * \return         \c 0 if the verify operation was successful,
+ *                 or an \c MBEDTLS_ERR_RSA_XXX error code
+ *                 on failure.
+ *
+ * \note           The \p sig buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \note           The \p hash_id in the RSA context is ignored.
+ */
+int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng,
+                               int mode,
+                               mbedtls_md_type_t md_alg,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               mbedtls_md_type_t mgf1_hash_id,
+                               int expected_salt_len,
+                               const unsigned char *sig );
+
+/**
+ * \brief          This function copies the components of an RSA context.
+ *
+ * \param dst      The destination context.
+ * \param src      The source context.
+ *
+ * \return         \c 0 on success,
+ *                 #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure.
+ */
+int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src );
+
+/**
+ * \brief          This function frees the components of an RSA key.
+ *
+ * \param ctx      The RSA Context to free.
+ */
+void mbedtls_rsa_free( mbedtls_rsa_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_RSA_ALT */
+#include "rsa_alt.h"
+#endif /* MBEDTLS_RSA_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          The RSA checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_rsa_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* rsa.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/rsa_internal.h b/third-party/mbedtls-3.6/include/mbedtls/rsa_internal.h
new file mode 100644
index 00000000..953cb7b8
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/rsa_internal.h
@@ -0,0 +1,251 @@
+/**
+ * \file rsa_internal.h
+ *
+ * \brief Context-independent RSA helper functions
+ *
+ *  This module declares some RSA-related helper functions useful when
+ *  implementing the RSA interface. These functions are provided in a separate
+ *  compilation unit in order to make it easy for designers of alternative RSA
+ *  implementations to use them in their own code, as it is conceived that the
+ *  functionality they provide will be necessary for most complete
+ *  implementations.
+ *
+ *  End-users of Mbed TLS who are not providing their own alternative RSA
+ *  implementations should not use these functions directly, and should instead
+ *  use only the functions declared in rsa.h.
+ *
+ *  The interface provided by this module will be maintained through LTS (Long
+ *  Term Support) branches of Mbed TLS, but may otherwise be subject to change,
+ *  and must be considered an internal interface of the library.
+ *
+ *  There are two classes of helper functions:
+ *
+ *  (1) Parameter-generating helpers. These are:
+ *      - mbedtls_rsa_deduce_primes
+ *      - mbedtls_rsa_deduce_private_exponent
+ *      - mbedtls_rsa_deduce_crt
+ *       Each of these functions takes a set of core RSA parameters and
+ *       generates some other, or CRT related parameters.
+ *
+ *  (2) Parameter-checking helpers. These are:
+ *      - mbedtls_rsa_validate_params
+ *      - mbedtls_rsa_validate_crt
+ *      They take a set of core or CRT related RSA parameters and check their
+ *      validity.
+ *
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ *
+ */
+
+#ifndef MBEDTLS_RSA_INTERNAL_H
+#define MBEDTLS_RSA_INTERNAL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/**
+ * \brief          Compute RSA prime moduli P, Q from public modulus N=PQ
+ *                 and a pair of private and public key.
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param N        RSA modulus N = PQ, with P, Q to be found
+ * \param E        RSA public exponent
+ * \param D        RSA private exponent
+ * \param P        Pointer to MPI holding first prime factor of N on success
+ * \param Q        Pointer to MPI holding second prime factor of N on success
+ *
+ * \return
+ *                 - 0 if successful. In this case, P and Q constitute a
+ *                   factorization of N.
+ *                 - A non-zero error code otherwise.
+ *
+ * \note           It is neither checked that P, Q are prime nor that
+ *                 D, E are modular inverses wrt. P-1 and Q-1. For that,
+ *                 use the helper function \c mbedtls_rsa_validate_params.
+ *
+ */
+int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N, mbedtls_mpi const *E,
+                               mbedtls_mpi const *D,
+                               mbedtls_mpi *P, mbedtls_mpi *Q );
+
+/**
+ * \brief          Compute RSA private exponent from
+ *                 prime moduli and public key.
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param P        First prime factor of RSA modulus
+ * \param Q        Second prime factor of RSA modulus
+ * \param E        RSA public exponent
+ * \param D        Pointer to MPI holding the private exponent on success.
+ *
+ * \return
+ *                 - 0 if successful. In this case, D is set to a simultaneous
+ *                   modular inverse of E modulo both P-1 and Q-1.
+ *                 - A non-zero error code otherwise.
+ *
+ * \note           This function does not check whether P and Q are primes.
+ *
+ */
+int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,
+                                         mbedtls_mpi const *Q,
+                                         mbedtls_mpi const *E,
+                                         mbedtls_mpi *D );
+
+
+/**
+ * \brief          Generate RSA-CRT parameters
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param P        First prime factor of N
+ * \param Q        Second prime factor of N
+ * \param D        RSA private exponent
+ * \param DP       Output variable for D modulo P-1
+ * \param DQ       Output variable for D modulo Q-1
+ * \param QP       Output variable for the modular inverse of Q modulo P.
+ *
+ * \return         0 on success, non-zero error code otherwise.
+ *
+ * \note           This function does not check whether P, Q are
+ *                 prime and whether D is a valid private exponent.
+ *
+ */
+int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
+                            const mbedtls_mpi *D, mbedtls_mpi *DP,
+                            mbedtls_mpi *DQ, mbedtls_mpi *QP );
+
+
+/**
+ * \brief          Check validity of core RSA parameters
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param N        RSA modulus N = PQ
+ * \param P        First prime factor of N
+ * \param Q        Second prime factor of N
+ * \param D        RSA private exponent
+ * \param E        RSA public exponent
+ * \param f_rng    PRNG to be used for primality check, or NULL
+ * \param p_rng    PRNG context for f_rng, or NULL
+ *
+ * \return
+ *                 - 0 if the following conditions are satisfied
+ *                   if all relevant parameters are provided:
+ *                    - P prime if f_rng != NULL (%)
+ *                    - Q prime if f_rng != NULL (%)
+ *                    - 1 < N = P * Q
+ *                    - 1 < D, E < N
+ *                    - D and E are modular inverses modulo P-1 and Q-1
+ *                   (%) This is only done if MBEDTLS_GENPRIME is defined.
+ *                 - A non-zero error code otherwise.
+ *
+ * \note           The function can be used with a restricted set of arguments
+ *                 to perform specific checks only. E.g., calling it with
+ *                 (-,P,-,-,-) and a PRNG amounts to a primality check for P.
+ */
+int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,
+                                 const mbedtls_mpi *Q, const mbedtls_mpi *D,
+                                 const mbedtls_mpi *E,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng );
+
+/**
+ * \brief          Check validity of RSA CRT parameters
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param P        First prime factor of RSA modulus
+ * \param Q        Second prime factor of RSA modulus
+ * \param D        RSA private exponent
+ * \param DP       MPI to check for D modulo P-1
+ * \param DQ       MPI to check for D modulo P-1
+ * \param QP       MPI to check for the modular inverse of Q modulo P.
+ *
+ * \return
+ *                 - 0 if the following conditions are satisfied:
+ *                    - D = DP mod P-1 if P, D, DP != NULL
+ *                    - Q = DQ mod P-1 if P, D, DQ != NULL
+ *                    - QP = Q^-1 mod P if P, Q, QP != NULL
+ *                 - \c MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if check failed,
+ *                   potentially including \c MBEDTLS_ERR_MPI_XXX if some
+ *                   MPI calculations failed.
+ *                 - \c MBEDTLS_ERR_RSA_BAD_INPUT_DATA if insufficient
+ *                   data was provided to check DP, DQ or QP.
+ *
+ * \note           The function can be used with a restricted set of arguments
+ *                 to perform specific checks only. E.g., calling it with the
+ *                 parameters (P, -, D, DP, -, -) will check DP = D mod P-1.
+ */
+int mbedtls_rsa_validate_crt( const mbedtls_mpi *P,  const mbedtls_mpi *Q,
+                              const mbedtls_mpi *D,  const mbedtls_mpi *DP,
+                              const mbedtls_mpi *DQ, const mbedtls_mpi *QP );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* rsa_internal.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/sha1.h b/third-party/mbedtls-3.6/include/mbedtls/sha1.h
new file mode 100644
index 00000000..4ae8ad60
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/sha1.h
@@ -0,0 +1,347 @@
+/**
+ * \file sha1.h
+ *
+ * \brief The SHA-1 cryptographic hash function.
+ *
+ * \warning   SHA-1 is considered a weak message digest and its use constitutes
+ *            a security risk. We recommend considering stronger message
+ *            digests instead.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_SHA1_H
+#define MBEDTLS_SHA1_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED                  -0x0035  /**< SHA-1 hardware accelerator failed */
+
+#if !defined(MBEDTLS_SHA1_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          The SHA-1 context structure.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct
+{
+    uint32_t total[2];          /*!< The number of Bytes processed.  */
+    uint32_t state[5];          /*!< The intermediate digest state.  */
+    unsigned char buffer[64];   /*!< The data block being processed. */
+}
+mbedtls_sha1_context;
+
+/**
+ * \brief          This function initializes a SHA-1 context.
+ *
+ * \param ctx      The SHA-1 context to initialize.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_sha1_init( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief          This function clears a SHA-1 context.
+ *
+ * \param ctx      The SHA-1 context to clear.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_sha1_free( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief          This function clones the state of a SHA-1 context.
+ *
+ * \param dst      The destination context.
+ * \param src      The context to clone.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
+                         const mbedtls_sha1_context *src );
+
+/**
+ * \brief          This function starts a SHA-1 checksum calculation.
+ *
+ * \param ctx      The context to initialize.
+ *
+ * \return         \c 0 if successful
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing SHA-1
+ *                 checksum calculation.
+ *
+ * \param ctx      The SHA-1 context.
+ * \param input    The buffer holding the input data.
+ * \param ilen     The length of the input data.
+ *
+ * \return         \c 0 if successful
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-1 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \param ctx      The SHA-1 context.
+ * \param output   The SHA-1 checksum result.
+ *
+ * \return         \c 0 if successful
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
+                             unsigned char output[20] );
+
+/**
+ * \brief          SHA-1 process data block (internal use only)
+ *
+ * \param ctx      SHA-1 context
+ * \param data     The data block being processed.
+ *
+ * \return         \c 0 if successful
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
+                                   const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          SHA-1 context setup
+ *
+ * \deprecated     Superseded by mbedtls_sha1_starts_ret() in 2.7.0
+ *
+ * \param ctx      The SHA-1 context to be initialized.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1_starts( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief          SHA-1 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_sha1_update_ret() in 2.7.0
+ *
+ * \param ctx      The SHA-1 context.
+ * \param input    The buffer holding the input data.
+ * \param ilen     The length of the input data.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1_update( mbedtls_sha1_context *ctx,
+                                             const unsigned char *input,
+                                             size_t ilen );
+
+/**
+ * \brief          SHA-1 final digest
+ *
+ * \deprecated     Superseded by mbedtls_sha1_finish_ret() in 2.7.0
+ *
+ * \param ctx      The SHA-1 context.
+ * \param output   The SHA-1 checksum result.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1_finish( mbedtls_sha1_context *ctx,
+                                             unsigned char output[20] );
+
+/**
+ * \brief          SHA-1 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_sha1_process() in 2.7.0
+ *
+ * \param ctx      The SHA-1 context.
+ * \param data     The data block being processed.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1_process( mbedtls_sha1_context *ctx,
+                                              const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_SHA1_ALT */
+#include "sha1_alt.h"
+#endif /* MBEDTLS_SHA1_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          This function calculates the SHA-1 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-1 result is calculated as
+ *                 output = SHA-1(input buffer).
+ *
+ * \param input    The buffer holding the input data.
+ * \param ilen     The length of the input data.
+ * \param output   The SHA-1 checksum result.
+ *
+ * \return         \c 0 if successful
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_sha1_ret( const unsigned char *input,
+                      size_t ilen,
+                      unsigned char output[20] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = SHA-1( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_sha1_ret() in 2.7.0
+ *
+ * \param input    The buffer holding the input data.
+ * \param ilen     The length of the input data.
+ * \param output   The SHA-1 checksum result.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1( const unsigned char *input,
+                                      size_t ilen,
+                                      unsigned char output[20] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          The SHA-1 checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_sha1_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha1.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/sha256.h b/third-party/mbedtls-3.6/include/mbedtls/sha256.h
new file mode 100644
index 00000000..9bcf28cb
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/sha256.h
@@ -0,0 +1,303 @@
+/**
+ * \file sha256.h
+ *
+ * \brief The SHA-224 and SHA-256 cryptographic hash function.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_SHA256_H
+#define MBEDTLS_SHA256_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED                -0x0037  /**< SHA-256 hardware accelerator failed */
+
+#if !defined(MBEDTLS_SHA256_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          The SHA-256 context structure.
+ *
+ *                 The structure is used both for SHA-256 and for SHA-224
+ *                 checksum calculations. The choice between these two is
+ *                 made in the call to mbedtls_sha256_starts_ret().
+ */
+typedef struct
+{
+    uint32_t total[2];          /*!< The number of Bytes processed.  */
+    uint32_t state[8];          /*!< The intermediate digest state.  */
+    unsigned char buffer[64];   /*!< The data block being processed. */
+    int is224;                  /*!< Determines which function to use.
+                                     <ul><li>0: Use SHA-256.</li>
+                                     <li>1: Use SHA-224.</li></ul> */
+}
+mbedtls_sha256_context;
+
+/**
+ * \brief          This function initializes a SHA-256 context.
+ *
+ * \param ctx      The SHA-256 context to initialize.
+ */
+void mbedtls_sha256_init( mbedtls_sha256_context *ctx );
+
+/**
+ * \brief          This function clears a SHA-256 context.
+ *
+ * \param ctx      The SHA-256 context to clear.
+ */
+void mbedtls_sha256_free( mbedtls_sha256_context *ctx );
+
+/**
+ * \brief          This function clones the state of a SHA-256 context.
+ *
+ * \param dst      The destination context.
+ * \param src      The context to clone.
+ */
+void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
+                           const mbedtls_sha256_context *src );
+
+/**
+ * \brief          This function starts a SHA-224 or SHA-256 checksum
+ *                 calculation.
+ *
+ * \param ctx      The context to initialize.
+ * \param is224    Determines which function to use.
+ *                 <ul><li>0: Use SHA-256.</li>
+ *                 <li>1: Use SHA-224.</li></ul>
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-256 checksum calculation.
+ *
+ * \param ctx      SHA-256 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
+                               const unsigned char *input,
+                               size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-256 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \param ctx      The SHA-256 context.
+ * \param output   The SHA-224 or SHA-256 checksum result.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
+                               unsigned char output[32] );
+
+/**
+ * \brief          This function processes a single data block within
+ *                 the ongoing SHA-256 computation. This function is for
+ *                 internal use only.
+ *
+ * \param ctx      The SHA-256 context.
+ * \param data     The buffer holding one block of data.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
+                                     const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          This function starts a SHA-256 checksum calculation.
+ *
+ * \deprecated     Superseded by mbedtls_sha256_starts_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-256 context to initialize.
+ * \param is224    Determines which function to use.
+ *                 <ul><li>0: Use SHA-256.</li>
+ *                 <li>1: Use SHA-224.</li></ul>
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
+                                               int is224 );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-256 checksum calculation.
+ *
+ * \deprecated     Superseded by mbedtls_sha256_update_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-256 context to initialize.
+ * \param input    The buffer holding the data.
+ * \param ilen     The length of the input data.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
+                                               const unsigned char *input,
+                                               size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-256 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \deprecated     Superseded by mbedtls_sha256_finish_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-256 context.
+ * \param output   The SHA-224or SHA-256 checksum result.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
+                                               unsigned char output[32] );
+
+/**
+ * \brief          This function processes a single data block within
+ *                 the ongoing SHA-256 computation. This function is for
+ *                 internal use only.
+ *
+ * \deprecated     Superseded by mbedtls_internal_sha256_process() in 2.7.0.
+ *
+ * \param ctx      The SHA-256 context.
+ * \param data     The buffer holding one block of data.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
+                                                const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_SHA256_ALT */
+#include "sha256_alt.h"
+#endif /* MBEDTLS_SHA256_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          This function calculates the SHA-224 or SHA-256
+ *                 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-256 result is calculated as
+ *                 output = SHA-256(input buffer).
+ *
+ * \param input    The buffer holding the input data.
+ * \param ilen     The length of the input data.
+ * \param output   The SHA-224 or SHA-256 checksum result.
+ * \param is224    Determines which function to use.
+ *                 <ul><li>0: Use SHA-256.</li>
+ *                 <li>1: Use SHA-224.</li></ul>
+ */
+int mbedtls_sha256_ret( const unsigned char *input,
+                        size_t ilen,
+                        unsigned char output[32],
+                        int is224 );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+/**
+ * \brief          This function calculates the SHA-224 or SHA-256 checksum
+ *                 of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-256 result is calculated as
+ *                 output = SHA-256(input buffer).
+ *
+ * \deprecated     Superseded by mbedtls_sha256_ret() in 2.7.0.
+ *
+ * \param input    The buffer holding the data.
+ * \param ilen     The length of the input data.
+ * \param output   The SHA-224 or SHA-256 checksum result.
+ * \param is224    Determines which function to use.
+ *                 <ul><li>0: Use SHA-256.</li>
+ *                 <li>1: Use SHA-224.</li></ul>
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256( const unsigned char *input,
+                                        size_t ilen,
+                                        unsigned char output[32],
+                                        int is224 );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          The SHA-224 and SHA-256 checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_sha256_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha256.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/sha512.h b/third-party/mbedtls-3.6/include/mbedtls/sha512.h
new file mode 100644
index 00000000..b7f41ea3
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/sha512.h
@@ -0,0 +1,305 @@
+/**
+ * \file sha512.h
+ *
+ * \brief The SHA-384 and SHA-512 cryptographic hash function.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_SHA512_H
+#define MBEDTLS_SHA512_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED                -0x0039  /**< SHA-512 hardware accelerator failed */
+
+#if !defined(MBEDTLS_SHA512_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          The SHA-512 context structure.
+ *
+ *                 The structure is used both for SHA-384 and for SHA-512
+ *                 checksum calculations. The choice between these two is
+ *                 made in the call to mbedtls_sha512_starts_ret().
+ */
+typedef struct
+{
+    uint64_t total[2];          /*!< The number of Bytes processed. */
+    uint64_t state[8];          /*!< The intermediate digest state. */
+    unsigned char buffer[128];  /*!< The data block being processed. */
+    int is384;                  /*!< Determines which function to use.
+                                 *   <ul><li>0: Use SHA-512.</li>
+                                 *   <li>1: Use SHA-384.</li></ul> */
+}
+mbedtls_sha512_context;
+
+/**
+ * \brief          This function initializes a SHA-512 context.
+ *
+ * \param ctx      The SHA-512 context to initialize.
+ */
+void mbedtls_sha512_init( mbedtls_sha512_context *ctx );
+
+/**
+ * \brief          This function clears a SHA-512 context.
+ *
+ * \param ctx      The SHA-512 context to clear.
+ */
+void mbedtls_sha512_free( mbedtls_sha512_context *ctx );
+
+/**
+ * \brief          This function clones the state of a SHA-512 context.
+ *
+ * \param dst      The destination context.
+ * \param src      The context to clone.
+ */
+void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
+                           const mbedtls_sha512_context *src );
+
+/**
+ * \brief          This function starts a SHA-384 or SHA-512 checksum
+ *                 calculation.
+ *
+ * \param ctx      The SHA-512 context to initialize.
+ * \param is384    Determines which function to use.
+ *                 <ul><li>0: Use SHA-512.</li>
+ *                 <li>1: Use SHA-384.</li></ul>
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-512 checksum calculation.
+ *
+ * \param ctx      The SHA-512 context.
+ * \param input    The buffer holding the input data.
+ * \param ilen     The length of the input data.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
+                    const unsigned char *input,
+                    size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-512 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \param ctx      The SHA-512 context.
+ * \param output   The SHA-384 or SHA-512 checksum result.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
+                               unsigned char output[64] );
+
+/**
+ * \brief          This function processes a single data block within
+ *                 the ongoing SHA-512 computation.
+ *                 This function is for internal use only.
+ *
+ * \param ctx      The SHA-512 context.
+ * \param data     The buffer holding one block of data.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
+                                     const unsigned char data[128] );
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          This function starts a SHA-384 or SHA-512 checksum
+ *                 calculation.
+ *
+ * \deprecated     Superseded by mbedtls_sha512_starts_ret() in 2.7.0
+ *
+ * \param ctx      The SHA-512 context to initialize.
+ * \param is384    Determines which function to use.
+ *                 <ul><li>0: Use SHA-512.</li>
+ *                 <li>1: Use SHA-384.</li></ul>
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512_starts( mbedtls_sha512_context *ctx,
+                                               int is384 );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-512 checksum calculation.
+ *
+ * \deprecated     Superseded by mbedtls_sha512_update_ret() in 2.7.0
+ *
+ * \param ctx      The SHA-512 context.
+ * \param input    The buffer holding the data.
+ * \param ilen     The length of the input data.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512_update( mbedtls_sha512_context *ctx,
+                                               const unsigned char *input,
+                                               size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-512 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \deprecated     Superseded by mbedtls_sha512_finish_ret() in 2.7.0
+ *
+ * \param ctx      The SHA-512 context.
+ * \param output   The SHA-384 or SHA-512 checksum result.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
+                                               unsigned char output[64] );
+
+/**
+ * \brief          This function processes a single data block within
+ *                 the ongoing SHA-512 computation. This function is for
+ *                 internal use only.
+ *
+ * \deprecated     Superseded by mbedtls_internal_sha512_process() in 2.7.0
+ *
+ * \param ctx      The SHA-512 context.
+ * \param data     The buffer holding one block of data.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512_process(
+                                            mbedtls_sha512_context *ctx,
+                                            const unsigned char data[128] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_SHA512_ALT */
+#include "sha512_alt.h"
+#endif /* MBEDTLS_SHA512_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          This function calculates the SHA-512 or SHA-384
+ *                 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-512 result is calculated as
+ *                 output = SHA-512(input buffer).
+ *
+ * \param input    The buffer holding the input data.
+ * \param ilen     The length of the input data.
+ * \param output   The SHA-384 or SHA-512 checksum result.
+ * \param is384    Determines which function to use.
+ *                 <ul><li>0: Use SHA-512.</li>
+ *                 <li>1: Use SHA-384.</li></ul>
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_sha512_ret( const unsigned char *input,
+                        size_t ilen,
+                        unsigned char output[64],
+                        int is384 );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          This function calculates the SHA-512 or SHA-384
+ *                 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-512 result is calculated as
+ *                 output = SHA-512(input buffer).
+ *
+ * \deprecated     Superseded by mbedtls_sha512_ret() in 2.7.0
+ *
+ * \param input    The buffer holding the data.
+ * \param ilen     The length of the input data.
+ * \param output   The SHA-384 or SHA-512 checksum result.
+ * \param is384    Determines which function to use.
+ *                 <ul><li>0: Use SHA-512.</li>
+ *                 <li>1: Use SHA-384.</li></ul>
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512( const unsigned char *input,
+                                        size_t ilen,
+                                        unsigned char output[64],
+                                        int is384 );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+ /**
+ * \brief          The SHA-384 or SHA-512 checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_sha512_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha512.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ssl.h b/third-party/mbedtls-3.6/include/mbedtls/ssl.h
new file mode 100644
index 00000000..0f4cbb62
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ssl.h
@@ -0,0 +1,2697 @@
+/**
+ * \file ssl.h
+ *
+ * \brief SSL/TLS functions.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_SSL_H
+#define MBEDTLS_SSL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+#include "ecp.h"
+
+#include "ssl_ciphersuites.h"
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "x509_crt.h"
+#include "x509_crl.h"
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+#include "dhm.h"
+#endif
+
+#if defined(MBEDTLS_ECDH_C)
+#include "ecdh.h"
+#endif
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+#include "zlib.h"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "platform_time.h"
+#endif
+
+/*
+ * SSL Error codes
+ */
+#define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE               -0x7080  /**< The requested feature is not available. */
+#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA                    -0x7100  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_SSL_INVALID_MAC                       -0x7180  /**< Verification of the message MAC failed. */
+#define MBEDTLS_ERR_SSL_INVALID_RECORD                    -0x7200  /**< An invalid SSL record was received. */
+#define MBEDTLS_ERR_SSL_CONN_EOF                          -0x7280  /**< The connection indicated an EOF. */
+#define MBEDTLS_ERR_SSL_UNKNOWN_CIPHER                    -0x7300  /**< An unknown cipher was received. */
+#define MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN                  -0x7380  /**< The server has no ciphersuites in common with the client. */
+#define MBEDTLS_ERR_SSL_NO_RNG                            -0x7400  /**< No RNG was provided to the SSL module. */
+#define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE             -0x7480  /**< No client certification received from the client, but required by the authentication mode. */
+#define MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE             -0x7500  /**< Our own certificate(s) is/are too large to send in an SSL message. */
+#define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED              -0x7580  /**< The own certificate is not set, but needed by the server. */
+#define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED              -0x7600  /**< The own private key or pre-shared key is not set, but needed. */
+#define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED                 -0x7680  /**< No CA Chain is set, but required to operate. */
+#define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE                -0x7700  /**< An unexpected message was received from our peer. */
+#define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE               -0x7780  /**< A fatal alert message was received from our peer. */
+#define MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED                -0x7800  /**< Verification of our peer failed. */
+#define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY                 -0x7880  /**< The peer notified us that the connection is going to be closed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO               -0x7900  /**< Processing of the ClientHello handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO               -0x7980  /**< Processing of the ServerHello handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE                -0x7A00  /**< Processing of the Certificate handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST        -0x7A80  /**< Processing of the CertificateRequest handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE        -0x7B00  /**< Processing of the ServerKeyExchange handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE          -0x7B80  /**< Processing of the ServerHelloDone handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE        -0x7C00  /**< Processing of the ClientKeyExchange handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP     -0x7C80  /**< Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS     -0x7D00  /**< Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY         -0x7D80  /**< Processing of the CertificateVerify handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC         -0x7E00  /**< Processing of the ChangeCipherSpec handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_FINISHED                   -0x7E80  /**< Processing of the Finished handshake message failed. */
+#define MBEDTLS_ERR_SSL_ALLOC_FAILED                      -0x7F00  /**< Memory allocation failed */
+#define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED                   -0x7F80  /**< Hardware acceleration function returned with error */
+#define MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH              -0x6F80  /**< Hardware acceleration function skipped / left alone data */
+#define MBEDTLS_ERR_SSL_COMPRESSION_FAILED                -0x6F00  /**< Processing of the compression / decompression failed */
+#define MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION           -0x6E80  /**< Handshake protocol not within min/max boundaries */
+#define MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET         -0x6E00  /**< Processing of the NewSessionTicket handshake message failed. */
+#define MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED            -0x6D80  /**< Session ticket has expired. */
+#define MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH                  -0x6D00  /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */
+#define MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY                  -0x6C80  /**< Unknown identity received (eg, PSK identity) */
+#define MBEDTLS_ERR_SSL_INTERNAL_ERROR                    -0x6C00  /**< Internal error (eg, unexpected failure in lower-level module) */
+#define MBEDTLS_ERR_SSL_COUNTER_WRAPPING                  -0x6B80  /**< A counter would wrap (eg, too many messages exchanged). */
+#define MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO       -0x6B00  /**< Unexpected message at ServerHello in renegotiation. */
+#define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED             -0x6A80  /**< DTLS client must retry for hello verification */
+#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL                  -0x6A00  /**< A buffer is too small to receive or write a message */
+#define MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE             -0x6980  /**< None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages). */
+#define MBEDTLS_ERR_SSL_WANT_READ                         -0x6900  /**< Connection requires a read call. */
+#define MBEDTLS_ERR_SSL_WANT_WRITE                        -0x6880  /**< Connection requires a write call. */
+#define MBEDTLS_ERR_SSL_TIMEOUT                           -0x6800  /**< The operation timed out. */
+#define MBEDTLS_ERR_SSL_CLIENT_RECONNECT                  -0x6780  /**< The client initiated a reconnect from the same port. */
+#define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD                 -0x6700  /**< Record header looks valid but is not expected. */
+#define MBEDTLS_ERR_SSL_NON_FATAL                         -0x6680  /**< The alert message received indicates a non-fatal error. */
+#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH               -0x6600  /**< Couldn't set the hash for verifying CertificateVerify */
+#define MBEDTLS_ERR_SSL_BAD_CONFIG                        -0x5E80  /**< Invalid value in SSL config */
+
+/*
+ * Various constants
+ */
+#define MBEDTLS_SSL_MAJOR_VERSION_3             3
+#define MBEDTLS_SSL_MINOR_VERSION_0             0   /*!< SSL v3.0 */
+#define MBEDTLS_SSL_MINOR_VERSION_1             1   /*!< TLS v1.0 */
+#define MBEDTLS_SSL_MINOR_VERSION_2             2   /*!< TLS v1.1 */
+#define MBEDTLS_SSL_MINOR_VERSION_3             3   /*!< TLS v1.2 */
+
+#define MBEDTLS_SSL_TRANSPORT_STREAM            0   /*!< TLS      */
+#define MBEDTLS_SSL_TRANSPORT_DATAGRAM          1   /*!< DTLS     */
+
+#define MBEDTLS_SSL_MAX_HOST_NAME_LEN           255 /*!< Maximum host name defined in RFC 1035 */
+#define MBEDTLS_SSL_MAX_ALPN_NAME_LEN           255 /*!< Maximum size in bytes of a protocol name in alpn ext., RFC 7301 */
+
+#define MBEDTLS_SSL_MAX_ALPN_LIST_LEN           65535 /*!< Maximum size in bytes of list in alpn ext., RFC 7301          */
+
+/* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
+ * NONE must be zero so that memset()ing structure to zero works */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_NONE           0   /*!< don't use this extension   */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_512            1   /*!< MaxFragmentLength 2^9      */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_1024           2   /*!< MaxFragmentLength 2^10     */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_2048           3   /*!< MaxFragmentLength 2^11     */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_4096           4   /*!< MaxFragmentLength 2^12     */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_INVALID        5   /*!< first invalid value        */
+
+#define MBEDTLS_SSL_IS_CLIENT                   0
+#define MBEDTLS_SSL_IS_SERVER                   1
+
+#define MBEDTLS_SSL_IS_NOT_FALLBACK             0
+#define MBEDTLS_SSL_IS_FALLBACK                 1
+
+#define MBEDTLS_SSL_EXTENDED_MS_DISABLED        0
+#define MBEDTLS_SSL_EXTENDED_MS_ENABLED         1
+
+#define MBEDTLS_SSL_ETM_DISABLED                0
+#define MBEDTLS_SSL_ETM_ENABLED                 1
+
+#define MBEDTLS_SSL_COMPRESS_NULL               0
+#define MBEDTLS_SSL_COMPRESS_DEFLATE            1
+
+#define MBEDTLS_SSL_VERIFY_NONE                 0
+#define MBEDTLS_SSL_VERIFY_OPTIONAL             1
+#define MBEDTLS_SSL_VERIFY_REQUIRED             2
+#define MBEDTLS_SSL_VERIFY_UNSET                3 /* Used only for sni_authmode */
+
+#define MBEDTLS_SSL_LEGACY_RENEGOTIATION        0
+#define MBEDTLS_SSL_SECURE_RENEGOTIATION        1
+
+#define MBEDTLS_SSL_RENEGOTIATION_DISABLED      0
+#define MBEDTLS_SSL_RENEGOTIATION_ENABLED       1
+
+#define MBEDTLS_SSL_ANTI_REPLAY_DISABLED        0
+#define MBEDTLS_SSL_ANTI_REPLAY_ENABLED         1
+
+#define MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED  -1
+#define MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT  16
+
+#define MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION     0
+#define MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION  1
+#define MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE      2
+
+#define MBEDTLS_SSL_TRUNC_HMAC_DISABLED         0
+#define MBEDTLS_SSL_TRUNC_HMAC_ENABLED          1
+#define MBEDTLS_SSL_TRUNCATED_HMAC_LEN          10  /* 80 bits, rfc 6066 section 7 */
+
+#define MBEDTLS_SSL_SESSION_TICKETS_DISABLED     0
+#define MBEDTLS_SSL_SESSION_TICKETS_ENABLED      1
+
+#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED    0
+#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED     1
+
+#define MBEDTLS_SSL_ARC4_ENABLED                0
+#define MBEDTLS_SSL_ARC4_DISABLED               1
+
+#define MBEDTLS_SSL_PRESET_DEFAULT              0
+#define MBEDTLS_SSL_PRESET_SUITEB               2
+
+#define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED       1
+#define MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED      0
+
+/*
+ * Default range for DTLS retransmission timer value, in milliseconds.
+ * RFC 6347 4.2.4.1 says from 1 second to 60 seconds.
+ */
+#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN    1000
+#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX   60000
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME)
+#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
+#endif
+
+/*
+ * Maxium fragment length in bytes,
+ * determines the size of each of the two internal I/O buffers.
+ *
+ * Note: the RFC defines the default size of SSL / TLS messages. If you
+ * change the value here, other clients / servers may not be able to
+ * communicate with you anymore. Only change this value if you control
+ * both sides of the connection and have it reduced at both sides, or
+ * if you're using the Max Fragment Length extension and you know all your
+ * peers are using it too!
+ */
+#if !defined(MBEDTLS_SSL_MAX_CONTENT_LEN)
+#define MBEDTLS_SSL_MAX_CONTENT_LEN         16384   /**< Size of the input / output buffer */
+#endif
+
+/* \} name SECTION: Module settings */
+
+/*
+ * Length of the verify data for secure renegotiation
+ */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 36
+#else
+#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 12
+#endif
+
+/*
+ * Signaling ciphersuite values (SCSV)
+ */
+#define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO    0xFF   /**< renegotiation info ext */
+#define MBEDTLS_SSL_FALLBACK_SCSV_VALUE         0x5600 /**< RFC 7507 section 2 */
+
+/*
+ * Supported Signature and Hash algorithms (For TLS 1.2)
+ * RFC 5246 section 7.4.1.4.1
+ */
+#define MBEDTLS_SSL_HASH_NONE                0
+#define MBEDTLS_SSL_HASH_MD5                 1
+#define MBEDTLS_SSL_HASH_SHA1                2
+#define MBEDTLS_SSL_HASH_SHA224              3
+#define MBEDTLS_SSL_HASH_SHA256              4
+#define MBEDTLS_SSL_HASH_SHA384              5
+#define MBEDTLS_SSL_HASH_SHA512              6
+
+#define MBEDTLS_SSL_SIG_ANON                 0
+#define MBEDTLS_SSL_SIG_RSA                  1
+#define MBEDTLS_SSL_SIG_ECDSA                3
+
+/*
+ * Client Certificate Types
+ * RFC 5246 section 7.4.4 plus RFC 4492 section 5.5
+ */
+#define MBEDTLS_SSL_CERT_TYPE_RSA_SIGN       1
+#define MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN    64
+
+/*
+ * Message, alert and handshake types
+ */
+#define MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC     20
+#define MBEDTLS_SSL_MSG_ALERT                  21
+#define MBEDTLS_SSL_MSG_HANDSHAKE              22
+#define MBEDTLS_SSL_MSG_APPLICATION_DATA       23
+
+#define MBEDTLS_SSL_ALERT_LEVEL_WARNING         1
+#define MBEDTLS_SSL_ALERT_LEVEL_FATAL           2
+
+#define MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY           0  /* 0x00 */
+#define MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE    10  /* 0x0A */
+#define MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC        20  /* 0x14 */
+#define MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED     21  /* 0x15 */
+#define MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW       22  /* 0x16 */
+#define MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30  /* 0x1E */
+#define MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE     40  /* 0x28 */
+#define MBEDTLS_SSL_ALERT_MSG_NO_CERT               41  /* 0x29 */
+#define MBEDTLS_SSL_ALERT_MSG_BAD_CERT              42  /* 0x2A */
+#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT      43  /* 0x2B */
+#define MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED          44  /* 0x2C */
+#define MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED          45  /* 0x2D */
+#define MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN          46  /* 0x2E */
+#define MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER     47  /* 0x2F */
+#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA            48  /* 0x30 */
+#define MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED         49  /* 0x31 */
+#define MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR          50  /* 0x32 */
+#define MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR         51  /* 0x33 */
+#define MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION    60  /* 0x3C */
+#define MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION      70  /* 0x46 */
+#define MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71  /* 0x47 */
+#define MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR        80  /* 0x50 */
+#define MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK 86  /* 0x56 */
+#define MBEDTLS_SSL_ALERT_MSG_USER_CANCELED         90  /* 0x5A */
+#define MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION     100  /* 0x64 */
+#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT      110  /* 0x6E */
+#define MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME    112  /* 0x70 */
+#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY 115  /* 0x73 */
+#define MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL 120 /* 0x78 */
+
+#define MBEDTLS_SSL_HS_HELLO_REQUEST            0
+#define MBEDTLS_SSL_HS_CLIENT_HELLO             1
+#define MBEDTLS_SSL_HS_SERVER_HELLO             2
+#define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST     3
+#define MBEDTLS_SSL_HS_NEW_SESSION_TICKET       4
+#define MBEDTLS_SSL_HS_CERTIFICATE             11
+#define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE     12
+#define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST     13
+#define MBEDTLS_SSL_HS_SERVER_HELLO_DONE       14
+#define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY      15
+#define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE     16
+#define MBEDTLS_SSL_HS_FINISHED                20
+
+/*
+ * TLS extensions
+ */
+#define MBEDTLS_TLS_EXT_SERVERNAME                   0
+#define MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME          0
+
+#define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH          1
+
+#define MBEDTLS_TLS_EXT_TRUNCATED_HMAC               4
+
+#define MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES   10
+#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS     11
+
+#define MBEDTLS_TLS_EXT_SIG_ALG                     13
+
+#define MBEDTLS_TLS_EXT_ALPN                        16
+
+#define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC            22 /* 0x16 */
+#define MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET  0x0017 /* 23 */
+
+#define MBEDTLS_TLS_EXT_SESSION_TICKET              35
+
+#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP               256 /* experimental */
+
+#define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      0xFF01
+
+/*
+ * Size defines
+ */
+#if !defined(MBEDTLS_PSK_MAX_LEN)
+#define MBEDTLS_PSK_MAX_LEN            32 /* 256 bits */
+#endif
+
+/* Dummy type used only for its size */
+union mbedtls_ssl_premaster_secret
+{
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    unsigned char _pms_rsa[48];                         /* RFC 5246 8.1.1 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    unsigned char _pms_dhm[MBEDTLS_MPI_MAX_SIZE];      /* RFC 5246 8.1.2 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)    || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)  || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    unsigned char _pms_ecdh[MBEDTLS_ECP_MAX_BYTES];    /* RFC 4492 5.10 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    unsigned char _pms_psk[4 + 2 * MBEDTLS_PSK_MAX_LEN];       /* RFC 4279 2 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    unsigned char _pms_dhe_psk[4 + MBEDTLS_MPI_MAX_SIZE
+                                 + MBEDTLS_PSK_MAX_LEN];       /* RFC 4279 3 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    unsigned char _pms_rsa_psk[52 + MBEDTLS_PSK_MAX_LEN];      /* RFC 4279 4 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    unsigned char _pms_ecdhe_psk[4 + MBEDTLS_ECP_MAX_BYTES
+                                   + MBEDTLS_PSK_MAX_LEN];     /* RFC 5489 2 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    unsigned char _pms_ecjpake[32];     /* Thread spec: SHA-256 output */
+#endif
+};
+
+#define MBEDTLS_PREMASTER_SIZE     sizeof( union mbedtls_ssl_premaster_secret )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * SSL state machine
+ */
+typedef enum
+{
+    MBEDTLS_SSL_HELLO_REQUEST,
+    MBEDTLS_SSL_CLIENT_HELLO,
+    MBEDTLS_SSL_SERVER_HELLO,
+    MBEDTLS_SSL_SERVER_CERTIFICATE,
+    MBEDTLS_SSL_SERVER_KEY_EXCHANGE,
+    MBEDTLS_SSL_CERTIFICATE_REQUEST,
+    MBEDTLS_SSL_SERVER_HELLO_DONE,
+    MBEDTLS_SSL_CLIENT_CERTIFICATE,
+    MBEDTLS_SSL_CLIENT_KEY_EXCHANGE,
+    MBEDTLS_SSL_CERTIFICATE_VERIFY,
+    MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC,
+    MBEDTLS_SSL_CLIENT_FINISHED,
+    MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC,
+    MBEDTLS_SSL_SERVER_FINISHED,
+    MBEDTLS_SSL_FLUSH_BUFFERS,
+    MBEDTLS_SSL_HANDSHAKE_WRAPUP,
+    MBEDTLS_SSL_HANDSHAKE_OVER,
+    MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET,
+    MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT,
+}
+mbedtls_ssl_states;
+
+/**
+ * \brief          Callback type: send data on the network.
+ *
+ * \note           That callback may be either blocking or non-blocking.
+ *
+ * \param ctx      Context for the send callback (typically a file descriptor)
+ * \param buf      Buffer holding the data to send
+ * \param len      Length of the data to send
+ *
+ * \return         The callback must return the number of bytes sent if any,
+ *                 or a non-zero error code.
+ *                 If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 must be returned when the operation would block.
+ *
+ * \note           The callback is allowed to send fewer bytes than requested.
+ *                 It must always return the number of bytes actually sent.
+ */
+typedef int mbedtls_ssl_send_t( void *ctx,
+                                const unsigned char *buf,
+                                size_t len );
+
+/**
+ * \brief          Callback type: receive data from the network.
+ *
+ * \note           That callback may be either blocking or non-blocking.
+ *
+ * \param ctx      Context for the receive callback (typically a file
+ *                 descriptor)
+ * \param buf      Buffer to write the received data to
+ * \param len      Length of the receive buffer
+ *
+ * \return         The callback must return the number of bytes received,
+ *                 or a non-zero error code.
+ *                 If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_READ
+ *                 must be returned when the operation would block.
+ *
+ * \note           The callback may receive fewer bytes than the length of the
+ *                 buffer. It must always return the number of bytes actually
+ *                 received and written to the buffer.
+ */
+typedef int mbedtls_ssl_recv_t( void *ctx,
+                                unsigned char *buf,
+                                size_t len );
+
+/**
+ * \brief          Callback type: receive data from the network, with timeout
+ *
+ * \note           That callback must block until data is received, or the
+ *                 timeout delay expires, or the operation is interrupted by a
+ *                 signal.
+ *
+ * \param ctx      Context for the receive callback (typically a file descriptor)
+ * \param buf      Buffer to write the received data to
+ * \param len      Length of the receive buffer
+ * \param timeout  Maximum nomber of millisecondes to wait for data
+ *                 0 means no timeout (potentially waiting forever)
+ *
+ * \return         The callback must return the number of bytes received,
+ *                 or a non-zero error code:
+ *                 \c MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
+ *                 \c MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
+ *
+ * \note           The callback may receive fewer bytes than the length of the
+ *                 buffer. It must always return the number of bytes actually
+ *                 received and written to the buffer.
+ */
+typedef int mbedtls_ssl_recv_timeout_t( void *ctx,
+                                        unsigned char *buf,
+                                        size_t len,
+                                        uint32_t timeout );
+/**
+ * \brief          Callback type: set a pair of timers/delays to watch
+ *
+ * \param ctx      Context pointer
+ * \param int_ms   Intermediate delay in milliseconds
+ * \param fin_ms   Final delay in milliseconds
+ *                 0 cancels the current timer.
+ *
+ * \note           This callback must at least store the necessary information
+ *                 for the associated \c mbedtls_ssl_get_timer_t callback to
+ *                 return correct information.
+ *
+ * \note           If using a event-driven style of programming, an event must
+ *                 be generated when the final delay is passed. The event must
+ *                 cause a call to \c mbedtls_ssl_handshake() with the proper
+ *                 SSL context to be scheduled. Care must be taken to ensure
+ *                 that at most one such call happens at a time.
+ *
+ * \note           Only one timer at a time must be running. Calling this
+ *                 function while a timer is running must cancel it. Cancelled
+ *                 timers must not generate any event.
+ */
+typedef void mbedtls_ssl_set_timer_t( void * ctx,
+                                      uint32_t int_ms,
+                                      uint32_t fin_ms );
+
+/**
+ * \brief          Callback type: get status of timers/delays
+ *
+ * \param ctx      Context pointer
+ *
+ * \return         This callback must return:
+ *                 -1 if cancelled (fin_ms == 0),
+ *                  0 if none of the delays have passed,
+ *                  1 if only the intermediate delay has passed,
+ *                  2 if the final delay has passed.
+ */
+typedef int mbedtls_ssl_get_timer_t( void * ctx );
+
+
+/* Defined below */
+typedef struct mbedtls_ssl_session mbedtls_ssl_session;
+typedef struct mbedtls_ssl_context mbedtls_ssl_context;
+typedef struct mbedtls_ssl_config  mbedtls_ssl_config;
+
+/* Defined in ssl_internal.h */
+typedef struct mbedtls_ssl_transform mbedtls_ssl_transform;
+typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params;
+typedef struct mbedtls_ssl_sig_hash_set_t mbedtls_ssl_sig_hash_set_t;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert;
+#endif
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
+#endif
+
+/*
+ * This structure is used for storing current session data.
+ */
+struct mbedtls_ssl_session
+{
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t start;       /*!< starting time      */
+#endif
+    int ciphersuite;            /*!< chosen ciphersuite */
+    int compression;            /*!< chosen compression */
+    size_t id_len;              /*!< session id length  */
+    unsigned char id[32];       /*!< session identifier */
+    unsigned char master[48];   /*!< the master secret  */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_x509_crt *peer_cert;        /*!< peer X.509 cert chain */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+    uint32_t verify_result;          /*!<  verification result     */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    unsigned char *ticket;      /*!< RFC 5077 session ticket */
+    size_t ticket_len;          /*!< session ticket length   */
+    uint32_t ticket_lifetime;   /*!< ticket lifetime hint    */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    unsigned char mfl_code;     /*!< MaxFragmentLength negotiated by peer */
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    int trunc_hmac;             /*!< flag for truncated hmac activation   */
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    int encrypt_then_mac;       /*!< flag for EtM activation                */
+#endif
+};
+
+/**
+ * SSL/TLS configuration to be shared between mbedtls_ssl_context structures.
+ */
+struct mbedtls_ssl_config
+{
+    /* Group items by size (largest first) to minimize padding overhead */
+
+    /*
+     * Pointers
+     */
+
+    const int *ciphersuite_list[4]; /*!< allowed ciphersuites per version   */
+
+    /** Callback for printing debug output                                  */
+    void (*f_dbg)(void *, int, const char *, int, const char *);
+    void *p_dbg;                    /*!< context for the debug function     */
+
+    /** Callback for getting (pseudo-)random numbers                        */
+    int  (*f_rng)(void *, unsigned char *, size_t);
+    void *p_rng;                    /*!< context for the RNG function       */
+
+    /** Callback to retrieve a session from the cache                       */
+    int (*f_get_cache)(void *, mbedtls_ssl_session *);
+    /** Callback to store a session into the cache                          */
+    int (*f_set_cache)(void *, const mbedtls_ssl_session *);
+    void *p_cache;                  /*!< context for cache callbacks        */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    /** Callback for setting cert according to SNI extension                */
+    int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
+    void *p_sni;                    /*!< context for SNI callback           */
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /** Callback to customize X.509 certificate chain verification          */
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+    void *p_vrfy;                   /*!< context for X.509 verify calllback */
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    /** Callback to retrieve PSK key from identity                          */
+    int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
+    void *p_psk;                    /*!< context for PSK callback           */
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    /** Callback to create & write a cookie for ClientHello veirifcation    */
+    int (*f_cookie_write)( void *, unsigned char **, unsigned char *,
+                           const unsigned char *, size_t );
+    /** Callback to verify validity of a ClientHello cookie                 */
+    int (*f_cookie_check)( void *, const unsigned char *, size_t,
+                           const unsigned char *, size_t );
+    void *p_cookie;                 /*!< context for the cookie callbacks   */
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
+    /** Callback to create & write a session ticket                         */
+    int (*f_ticket_write)( void *, const mbedtls_ssl_session *,
+            unsigned char *, const unsigned char *, size_t *, uint32_t * );
+    /** Callback to parse a session ticket into a session structure         */
+    int (*f_ticket_parse)( void *, mbedtls_ssl_session *, unsigned char *, size_t);
+    void *p_ticket;                 /*!< context for the ticket callbacks   */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    /** Callback to export key block and master secret                      */
+    int (*f_export_keys)( void *, const unsigned char *,
+            const unsigned char *, size_t, size_t, size_t );
+    void *p_export_keys;            /*!< context for key export callback    */
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    const mbedtls_x509_crt_profile *cert_profile; /*!< verification profile */
+    mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s)        */
+    mbedtls_x509_crt *ca_chain;     /*!< trusted CAs                        */
+    mbedtls_x509_crl *ca_crl;       /*!< trusted CAs CRLs                   */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    const int *sig_hashes;          /*!< allowed signature hashes           */
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+    const mbedtls_ecp_group_id *curve_list; /*!< allowed curves             */
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_mpi dhm_P;              /*!< prime modulus for DHM              */
+    mbedtls_mpi dhm_G;              /*!< generator for DHM                  */
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    unsigned char *psk;             /*!< pre-shared key                     */
+    size_t         psk_len;         /*!< length of the pre-shared key       */
+    unsigned char *psk_identity;    /*!< identity for PSK negotiation       */
+    size_t         psk_identity_len;/*!< length of identity                 */
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+    const char **alpn_list;         /*!< ordered list of protocols          */
+#endif
+
+    /*
+     * Numerical settings (int then char)
+     */
+
+    uint32_t read_timeout;          /*!< timeout for mbedtls_ssl_read (ms)  */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint32_t hs_timeout_min;        /*!< initial value of the handshake
+                                         retransmission timeout (ms)        */
+    uint32_t hs_timeout_max;        /*!< maximum value of the handshake
+                                         retransmission timeout (ms)        */
+#endif
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renego_max_records;         /*!< grace period for renegotiation     */
+    unsigned char renego_period[8]; /*!< value of the record counters
+                                         that triggers renegotiation        */
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    unsigned int badmac_limit;      /*!< limit of records with a bad MAC    */
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+    unsigned int dhm_min_bitlen;    /*!< min. bit length of the DHM prime   */
+#endif
+
+    unsigned char max_major_ver;    /*!< max. major version used            */
+    unsigned char max_minor_ver;    /*!< max. minor version used            */
+    unsigned char min_major_ver;    /*!< min. major version used            */
+    unsigned char min_minor_ver;    /*!< min. minor version used            */
+
+    /*
+     * Flags (bitfields)
+     */
+
+    unsigned int endpoint : 1;      /*!< 0: client, 1: server               */
+    unsigned int transport : 1;     /*!< stream (TLS) or datagram (DTLS)    */
+    unsigned int authmode : 2;      /*!< MBEDTLS_SSL_VERIFY_XXX             */
+    /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE          */
+    unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX   */
+#if defined(MBEDTLS_ARC4_C)
+    unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites?        */
+#endif
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    unsigned int mfl_code : 3;      /*!< desired fragment length            */
+#endif
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    unsigned int encrypt_then_mac : 1 ; /*!< negotiate encrypt-then-mac?    */
+#endif
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    unsigned int extended_ms : 1;   /*!< negotiate extended master secret?  */
+#endif
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    unsigned int anti_replay : 1;   /*!< detect and prevent replay?         */
+#endif
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    unsigned int cbc_record_splitting : 1;  /*!< do cbc record splitting    */
+#endif
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    unsigned int disable_renegotiation : 1; /*!< disable renegotiation?     */
+#endif
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    unsigned int trunc_hmac : 1;    /*!< negotiate truncated hmac?          */
+#endif
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    unsigned int session_tickets : 1;   /*!< use session tickets?           */
+#endif
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+    unsigned int fallback : 1;      /*!< is this a fallback?                */
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+    unsigned int cert_req_ca_list : 1;  /*!< enable sending CA list in
+                                          Certificate Request messages?     */
+#endif
+};
+
+
+struct mbedtls_ssl_context
+{
+    const mbedtls_ssl_config *conf; /*!< configuration information          */
+
+    /*
+     * Miscellaneous
+     */
+    int state;                  /*!< SSL handshake: current state     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renego_status;          /*!< Initial, in progress, pending?   */
+    int renego_records_seen;    /*!< Records since renego request, or with DTLS,
+                                  number of retransmissions of request if
+                                  renego_max_records is < 0           */
+#endif
+
+    int major_ver;              /*!< equal to  MBEDTLS_SSL_MAJOR_VERSION_3    */
+    int minor_ver;              /*!< either 0 (SSL3) or 1 (TLS1.0)    */
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    unsigned badmac_seen;       /*!< records with a bad MAC received    */
+#endif
+
+    mbedtls_ssl_send_t *f_send; /*!< Callback for network send */
+    mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */
+    mbedtls_ssl_recv_timeout_t *f_recv_timeout;
+                                /*!< Callback for network receive with timeout */
+
+    void *p_bio;                /*!< context for I/O operations   */
+
+    /*
+     * Session layer
+     */
+    mbedtls_ssl_session *session_in;            /*!<  current session data (in)   */
+    mbedtls_ssl_session *session_out;           /*!<  current session data (out)  */
+    mbedtls_ssl_session *session;               /*!<  negotiated session data     */
+    mbedtls_ssl_session *session_negotiate;     /*!<  session data in negotiation */
+
+    mbedtls_ssl_handshake_params *handshake;    /*!<  params required only during
+                                              the handshake process        */
+
+    /*
+     * Record layer transformations
+     */
+    mbedtls_ssl_transform *transform_in;        /*!<  current transform params (in)   */
+    mbedtls_ssl_transform *transform_out;       /*!<  current transform params (in)   */
+    mbedtls_ssl_transform *transform;           /*!<  negotiated transform params     */
+    mbedtls_ssl_transform *transform_negotiate; /*!<  transform params in negotiation */
+
+    /*
+     * Timers
+     */
+    void *p_timer;              /*!< context for the timer callbacks */
+
+    mbedtls_ssl_set_timer_t *f_set_timer;       /*!< set timer callback */
+    mbedtls_ssl_get_timer_t *f_get_timer;       /*!< get timer callback */
+
+    /*
+     * Record layer (incoming data)
+     */
+    unsigned char *in_buf;      /*!< input buffer                     */
+    unsigned char *in_ctr;      /*!< 64-bit incoming message counter
+                                     TLS: maintained by us
+                                     DTLS: read from peer             */
+    unsigned char *in_hdr;      /*!< start of record header           */
+    unsigned char *in_len;      /*!< two-bytes message length field   */
+    unsigned char *in_iv;       /*!< ivlen-byte IV                    */
+    unsigned char *in_msg;      /*!< message contents (in_iv+ivlen)   */
+    unsigned char *in_offt;     /*!< read offset in application data  */
+
+    int in_msgtype;             /*!< record header: message type      */
+    size_t in_msglen;           /*!< record header: message length    */
+    size_t in_left;             /*!< amount of data read so far       */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint16_t in_epoch;          /*!< DTLS epoch for incoming records  */
+    size_t next_record_offset;  /*!< offset of the next record in datagram
+                                     (equal to in_left if none)       */
+#endif
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    uint64_t in_window_top;     /*!< last validated record seq_num    */
+    uint64_t in_window;         /*!< bitmask for replay detection     */
+#endif
+
+    size_t in_hslen;            /*!< current handshake message length,
+                                     including the handshake header   */
+    int nb_zero;                /*!< # of 0-length encrypted messages */
+
+    int keep_current_message;   /*!< drop or reuse current message
+                                     on next call to record layer? */
+
+    /*
+     * Record layer (outgoing data)
+     */
+    unsigned char *out_buf;     /*!< output buffer                    */
+    unsigned char *out_ctr;     /*!< 64-bit outgoing message counter  */
+    unsigned char *out_hdr;     /*!< start of record header           */
+    unsigned char *out_len;     /*!< two-bytes message length field   */
+    unsigned char *out_iv;      /*!< ivlen-byte IV                    */
+    unsigned char *out_msg;     /*!< message contents (out_iv+ivlen)  */
+
+    int out_msgtype;            /*!< record header: message type      */
+    size_t out_msglen;          /*!< record header: message length    */
+    size_t out_left;            /*!< amount of data not yet written   */
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    unsigned char *compress_buf;        /*!<  zlib data buffer        */
+#endif
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    signed char split_done;     /*!< current record already splitted? */
+#endif
+
+    /*
+     * PKI layer
+     */
+    int client_auth;                    /*!<  flag for client auth.   */
+
+    /*
+     * User settings
+     */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    char *hostname;             /*!< expected peer CN for verification
+                                     (and SNI if available)                 */
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+    const char *alpn_chosen;    /*!<  negotiated protocol                   */
+#endif
+
+    /*
+     * Information for DTLS hello verify
+     */
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    unsigned char  *cli_id;         /*!<  transport-level ID of the client  */
+    size_t          cli_id_len;     /*!<  length of cli_id                  */
+#endif
+
+    /*
+     * Secure renegotiation
+     */
+    /* needed to know when to send extension on server */
+    int secure_renegotiation;           /*!<  does peer support legacy or
+                                              secure renegotiation           */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    size_t verify_data_len;             /*!<  length of verify data stored   */
+    char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!<  previous handshake verify data */
+    char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!<  previous handshake verify data */
+#endif
+};
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+
+#define MBEDTLS_SSL_CHANNEL_OUTBOUND    0
+#define MBEDTLS_SSL_CHANNEL_INBOUND     1
+
+extern int (*mbedtls_ssl_hw_record_init)(mbedtls_ssl_context *ssl,
+                const unsigned char *key_enc, const unsigned char *key_dec,
+                size_t keylen,
+                const unsigned char *iv_enc,  const unsigned char *iv_dec,
+                size_t ivlen,
+                const unsigned char *mac_enc, const unsigned char *mac_dec,
+                size_t maclen);
+extern int (*mbedtls_ssl_hw_record_activate)(mbedtls_ssl_context *ssl, int direction);
+extern int (*mbedtls_ssl_hw_record_reset)(mbedtls_ssl_context *ssl);
+extern int (*mbedtls_ssl_hw_record_write)(mbedtls_ssl_context *ssl);
+extern int (*mbedtls_ssl_hw_record_read)(mbedtls_ssl_context *ssl);
+extern int (*mbedtls_ssl_hw_record_finish)(mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+/**
+ * \brief               Return the name of the ciphersuite associated with the
+ *                      given ID
+ *
+ * \param ciphersuite_id SSL ciphersuite ID
+ *
+ * \return              a string containing the ciphersuite name
+ */
+const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id );
+
+/**
+ * \brief               Return the ID of the ciphersuite associated with the
+ *                      given name
+ *
+ * \param ciphersuite_name SSL ciphersuite name
+ *
+ * \return              the ID with the ciphersuite or 0 if not found
+ */
+int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name );
+
+/**
+ * \brief          Initialize an SSL context
+ *                 Just makes the context ready for mbedtls_ssl_setup() or
+ *                 mbedtls_ssl_free()
+ *
+ * \param ssl      SSL context
+ */
+void mbedtls_ssl_init( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Set up an SSL context for use
+ *
+ * \note           No copy of the configuration context is made, it can be
+ *                 shared by many mbedtls_ssl_context structures.
+ *
+ * \warning        The conf structure will be accessed during the session.
+ *                 It must not be modified or freed as long as the session
+ *                 is active.
+ *
+ * \warning        This function must be called exactly once per context.
+ *                 Calling mbedtls_ssl_setup again is not supported, even
+ *                 if no session is active.
+ *
+ * \param ssl      SSL context
+ * \param conf     SSL configuration to use
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED if
+ *                 memory allocation failed
+ */
+int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
+                       const mbedtls_ssl_config *conf );
+
+/**
+ * \brief          Reset an already initialized SSL context for re-use
+ *                 while retaining application-set variables, function
+ *                 pointers and data.
+ *
+ * \param ssl      SSL context
+ * \return         0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED,
+                   MBEDTLS_ERR_SSL_HW_ACCEL_FAILED or
+ *                 MBEDTLS_ERR_SSL_COMPRESSION_FAILED
+ */
+int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Set the current endpoint type
+ *
+ * \param conf     SSL configuration
+ * \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
+ */
+void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint );
+
+/**
+ * \brief           Set the transport type (TLS or DTLS).
+ *                  Default: TLS
+ *
+ * \note            For DTLS, you must either provide a recv callback that
+ *                  doesn't block, or one that handles timeouts, see
+ *                  \c mbedtls_ssl_set_bio(). You also need to provide timer
+ *                  callbacks with \c mbedtls_ssl_set_timer_cb().
+ *
+ * \param conf      SSL configuration
+ * \param transport transport type:
+ *                  MBEDTLS_SSL_TRANSPORT_STREAM for TLS,
+ *                  MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS.
+ */
+void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport );
+
+/**
+ * \brief          Set the certificate verification mode
+ *                 Default: NONE on server, REQUIRED on client
+ *
+ * \param conf     SSL configuration
+ * \param authmode can be:
+ *
+ *  MBEDTLS_SSL_VERIFY_NONE:      peer certificate is not checked
+ *                        (default on server)
+ *                        (insecure on client)
+ *
+ *  MBEDTLS_SSL_VERIFY_OPTIONAL:  peer certificate is checked, however the
+ *                        handshake continues even if verification failed;
+ *                        mbedtls_ssl_get_verify_result() can be called after the
+ *                        handshake is complete.
+ *
+ *  MBEDTLS_SSL_VERIFY_REQUIRED:  peer *must* present a valid certificate,
+ *                        handshake is aborted if verification failed.
+ *                        (default on client)
+ *
+ * \note On client, MBEDTLS_SSL_VERIFY_REQUIRED is the recommended mode.
+ * With MBEDTLS_SSL_VERIFY_OPTIONAL, the user needs to call mbedtls_ssl_get_verify_result() at
+ * the right time(s), which may not be obvious, while REQUIRED always perform
+ * the verification as soon as possible. For example, REQUIRED was protecting
+ * against the "triple handshake" attack even before it was found.
+ */
+void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set the verification callback (Optional).
+ *
+ *                 If set, the verify callback is called for each
+ *                 certificate in the chain. For implementation
+ *                 information, please see \c mbedtls_x509_crt_verify()
+ *
+ * \param conf     SSL configuration
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ */
+void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/**
+ * \brief          Set the random number generator callback
+ *
+ * \param conf     SSL configuration
+ * \param f_rng    RNG function
+ * \param p_rng    RNG parameter
+ */
+void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
+                  int (*f_rng)(void *, unsigned char *, size_t),
+                  void *p_rng );
+
+/**
+ * \brief          Set the debug callback
+ *
+ *                 The callback has the following argument:
+ *                 void *           opaque context for the callback
+ *                 int              debug level
+ *                 const char *     file name
+ *                 int              line number
+ *                 const char *     message
+ *
+ * \param conf     SSL configuration
+ * \param f_dbg    debug function
+ * \param p_dbg    debug parameter
+ */
+void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
+                  void (*f_dbg)(void *, int, const char *, int, const char *),
+                  void  *p_dbg );
+
+/**
+ * \brief          Set the underlying BIO callbacks for write, read and
+ *                 read-with-timeout.
+ *
+ * \param ssl      SSL context
+ * \param p_bio    parameter (context) shared by BIO callbacks
+ * \param f_send   write callback
+ * \param f_recv   read callback
+ * \param f_recv_timeout blocking read callback with timeout.
+ *
+ * \note           One of f_recv or f_recv_timeout can be NULL, in which case
+ *                 the other is used. If both are non-NULL, f_recv_timeout is
+ *                 used and f_recv is ignored (as if it were NULL).
+ *
+ * \note           The two most common use cases are:
+ *                 - non-blocking I/O, f_recv != NULL, f_recv_timeout == NULL
+ *                 - blocking I/O, f_recv == NULL, f_recv_timout != NULL
+ *
+ * \note           For DTLS, you need to provide either a non-NULL
+ *                 f_recv_timeout callback, or a f_recv that doesn't block.
+ *
+ * \note           See the documentations of \c mbedtls_ssl_send_t,
+ *                 \c mbedtls_ssl_recv_t and \c mbedtls_ssl_recv_timeout_t for
+ *                 the conventions those callbacks must follow.
+ *
+ * \note           On some platforms, net_sockets.c provides
+ *                 \c mbedtls_net_send(), \c mbedtls_net_recv() and
+ *                 \c mbedtls_net_recv_timeout() that are suitable to be used
+ *                 here.
+ */
+void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
+                          void *p_bio,
+                          mbedtls_ssl_send_t *f_send,
+                          mbedtls_ssl_recv_t *f_recv,
+                          mbedtls_ssl_recv_timeout_t *f_recv_timeout );
+
+/**
+ * \brief          Set the timeout period for mbedtls_ssl_read()
+ *                 (Default: no timeout.)
+ *
+ * \param conf     SSL configuration context
+ * \param timeout  Timeout value in milliseconds.
+ *                 Use 0 for no timeout (default).
+ *
+ * \note           With blocking I/O, this will only work if a non-NULL
+ *                 \c f_recv_timeout was set with \c mbedtls_ssl_set_bio().
+ *                 With non-blocking I/O, this will only work if timer
+ *                 callbacks were set with \c mbedtls_ssl_set_timer_cb().
+ *
+ * \note           With non-blocking I/O, you may also skip this function
+ *                 altogether and handle timeouts at the application layer.
+ */
+void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
+
+/**
+ * \brief          Set the timer callbacks (Mandatory for DTLS.)
+ *
+ * \param ssl      SSL context
+ * \param p_timer  parameter (context) shared by timer callbacks
+ * \param f_set_timer   set timer callback
+ * \param f_get_timer   get timer callback. Must return:
+ *
+ * \note           See the documentation of \c mbedtls_ssl_set_timer_t and
+ *                 \c mbedtls_ssl_get_timer_t for the conventions this pair of
+ *                 callbacks must follow.
+ *
+ * \note           On some platforms, timing.c provides
+ *                 \c mbedtls_timing_set_delay() and
+ *                 \c mbedtls_timing_get_delay() that are suitable for using
+ *                 here, except if using an event-driven style.
+ *
+ * \note           See also the "DTLS tutorial" article in our knowledge base.
+ *                 https://tls.mbed.org/kb/how-to/dtls-tutorial
+ */
+void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
+                               void *p_timer,
+                               mbedtls_ssl_set_timer_t *f_set_timer,
+                               mbedtls_ssl_get_timer_t *f_get_timer );
+
+/**
+ * \brief           Callback type: generate and write session ticket
+ *
+ * \note            This describes what a callback implementation should do.
+ *                  This callback should generate an encrypted and
+ *                  authenticated ticket for the session and write it to the
+ *                  output buffer. Here, ticket means the opaque ticket part
+ *                  of the NewSessionTicket structure of RFC 5077.
+ *
+ * \param p_ticket  Context for the callback
+ * \param session   SSL session to be written in the ticket
+ * \param start     Start of the output buffer
+ * \param end       End of the output buffer
+ * \param tlen      On exit, holds the length written
+ * \param lifetime  On exit, holds the lifetime of the ticket in seconds
+ *
+ * \return          0 if successful, or
+ *                  a specific MBEDTLS_ERR_XXX code.
+ */
+typedef int mbedtls_ssl_ticket_write_t( void *p_ticket,
+                                        const mbedtls_ssl_session *session,
+                                        unsigned char *start,
+                                        const unsigned char *end,
+                                        size_t *tlen,
+                                        uint32_t *lifetime );
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+/**
+ * \brief           Callback type: Export key block and master secret
+ *
+ * \note            This is required for certain uses of TLS, e.g. EAP-TLS
+ *                  (RFC 5216) and Thread. The key pointers are ephemeral and
+ *                  therefore must not be stored. The master secret and keys
+ *                  should not be used directly except as an input to a key
+ *                  derivation function.
+ *
+ * \param p_expkey  Context for the callback
+ * \param ms        Pointer to master secret (fixed length: 48 bytes)
+ * \param kb        Pointer to key block, see RFC 5246 section 6.3
+ *                  (variable length: 2 * maclen + 2 * keylen + 2 * ivlen).
+ * \param maclen    MAC length
+ * \param keylen    Key length
+ * \param ivlen     IV length
+ *
+ * \return          0 if successful, or
+ *                  a specific MBEDTLS_ERR_XXX code.
+ */
+typedef int mbedtls_ssl_export_keys_t( void *p_expkey,
+                                const unsigned char *ms,
+                                const unsigned char *kb,
+                                size_t maclen,
+                                size_t keylen,
+                                size_t ivlen );
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+
+/**
+ * \brief           Callback type: parse and load session ticket
+ *
+ * \note            This describes what a callback implementation should do.
+ *                  This callback should parse a session ticket as generated
+ *                  by the corresponding mbedtls_ssl_ticket_write_t function,
+ *                  and, if the ticket is authentic and valid, load the
+ *                  session.
+ *
+ * \note            The implementation is allowed to modify the first len
+ *                  bytes of the input buffer, eg to use it as a temporary
+ *                  area for the decrypted ticket contents.
+ *
+ * \param p_ticket  Context for the callback
+ * \param session   SSL session to be loaded
+ * \param buf       Start of the buffer containing the ticket
+ * \param len       Length of the ticket.
+ *
+ * \return          0 if successful, or
+ *                  MBEDTLS_ERR_SSL_INVALID_MAC if not authentic, or
+ *                  MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED if expired, or
+ *                  any other non-zero code for other failures.
+ */
+typedef int mbedtls_ssl_ticket_parse_t( void *p_ticket,
+                                        mbedtls_ssl_session *session,
+                                        unsigned char *buf,
+                                        size_t len );
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief           Configure SSL session ticket callbacks (server only).
+ *                  (Default: none.)
+ *
+ * \note            On server, session tickets are enabled by providing
+ *                  non-NULL callbacks.
+ *
+ * \note            On client, use \c mbedtls_ssl_conf_session_tickets().
+ *
+ * \param conf      SSL configuration context
+ * \param f_ticket_write    Callback for writing a ticket
+ * \param f_ticket_parse    Callback for parsing a ticket
+ * \param p_ticket          Context shared by the two callbacks
+ */
+void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
+        mbedtls_ssl_ticket_write_t *f_ticket_write,
+        mbedtls_ssl_ticket_parse_t *f_ticket_parse,
+        void *p_ticket );
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+/**
+ * \brief           Configure key export callback.
+ *                  (Default: none.)
+ *
+ * \note            See \c mbedtls_ssl_export_keys_t.
+ *
+ * \param conf      SSL configuration context
+ * \param f_export_keys     Callback for exporting keys
+ * \param p_export_keys     Context for the callback
+ */
+void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
+        mbedtls_ssl_export_keys_t *f_export_keys,
+        void *p_export_keys );
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+
+/**
+ * \brief          Callback type: generate a cookie
+ *
+ * \param ctx      Context for the callback
+ * \param p        Buffer to write to,
+ *                 must be updated to point right after the cookie
+ * \param end      Pointer to one past the end of the output buffer
+ * \param info     Client ID info that was passed to
+ *                 \c mbedtls_ssl_set_client_transport_id()
+ * \param ilen     Length of info in bytes
+ *
+ * \return         The callback must return 0 on success,
+ *                 or a negative error code.
+ */
+typedef int mbedtls_ssl_cookie_write_t( void *ctx,
+                                unsigned char **p, unsigned char *end,
+                                const unsigned char *info, size_t ilen );
+
+/**
+ * \brief          Callback type: verify a cookie
+ *
+ * \param ctx      Context for the callback
+ * \param cookie   Cookie to verify
+ * \param clen     Length of cookie
+ * \param info     Client ID info that was passed to
+ *                 \c mbedtls_ssl_set_client_transport_id()
+ * \param ilen     Length of info in bytes
+ *
+ * \return         The callback must return 0 if cookie is valid,
+ *                 or a negative error code.
+ */
+typedef int mbedtls_ssl_cookie_check_t( void *ctx,
+                                const unsigned char *cookie, size_t clen,
+                                const unsigned char *info, size_t ilen );
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief           Register callbacks for DTLS cookies
+ *                  (Server only. DTLS only.)
+ *
+ *                  Default: dummy callbacks that fail, in order to force you to
+ *                  register working callbacks (and initialize their context).
+ *
+ *                  To disable HelloVerifyRequest, register NULL callbacks.
+ *
+ * \warning         Disabling hello verification allows your server to be used
+ *                  for amplification in DoS attacks against other hosts.
+ *                  Only disable if you known this can't happen in your
+ *                  particular environment.
+ *
+ * \note            See comments on \c mbedtls_ssl_handshake() about handling
+ *                  the MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED that is expected
+ *                  on the first handshake attempt when this is enabled.
+ *
+ * \note            This is also necessary to handle client reconnection from
+ *                  the same port as described in RFC 6347 section 4.2.8 (only
+ *                  the variant with cookies is supported currently). See
+ *                  comments on \c mbedtls_ssl_read() for details.
+ *
+ * \param conf              SSL configuration
+ * \param f_cookie_write    Cookie write callback
+ * \param f_cookie_check    Cookie check callback
+ * \param p_cookie          Context for both callbacks
+ */
+void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
+                           mbedtls_ssl_cookie_write_t *f_cookie_write,
+                           mbedtls_ssl_cookie_check_t *f_cookie_check,
+                           void *p_cookie );
+
+/**
+ * \brief          Set client's transport-level identification info.
+ *                 (Server only. DTLS only.)
+ *
+ *                 This is usually the IP address (and port), but could be
+ *                 anything identify the client depending on the underlying
+ *                 network stack. Used for HelloVerifyRequest with DTLS.
+ *                 This is *not* used to route the actual packets.
+ *
+ * \param ssl      SSL context
+ * \param info     Transport-level info identifying the client (eg IP + port)
+ * \param ilen     Length of info in bytes
+ *
+ * \note           An internal copy is made, so the info buffer can be reused.
+ *
+ * \return         0 on success,
+ *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used on client,
+ *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if out of memory.
+ */
+int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
+                                 const unsigned char *info,
+                                 size_t ilen );
+
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+/**
+ * \brief          Enable or disable anti-replay protection for DTLS.
+ *                 (DTLS only, no effect on TLS.)
+ *                 Default: enabled.
+ *
+ * \param conf     SSL configuration
+ * \param mode     MBEDTLS_SSL_ANTI_REPLAY_ENABLED or MBEDTLS_SSL_ANTI_REPLAY_DISABLED.
+ *
+ * \warning        Disabling this is a security risk unless the application
+ *                 protocol handles duplicated packets in a safe way. You
+ *                 should not disable this without careful consideration.
+ *                 However, if your application already detects duplicated
+ *                 packets and needs information about them to adjust its
+ *                 transmission strategy, then you'll want to disable this.
+ */
+void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+/**
+ * \brief          Set a limit on the number of records with a bad MAC
+ *                 before terminating the connection.
+ *                 (DTLS only, no effect on TLS.)
+ *                 Default: 0 (disabled).
+ *
+ * \param conf     SSL configuration
+ * \param limit    Limit, or 0 to disable.
+ *
+ * \note           If the limit is N, then the connection is terminated when
+ *                 the Nth non-authentic record is seen.
+ *
+ * \note           Records with an invalid header are not counted, only the
+ *                 ones going through the authentication-decryption phase.
+ *
+ * \note           This is a security trade-off related to the fact that it's
+ *                 often relatively easy for an active attacker ot inject UDP
+ *                 datagrams. On one hand, setting a low limit here makes it
+ *                 easier for such an attacker to forcibly terminated a
+ *                 connection. On the other hand, a high limit or no limit
+ *                 might make us waste resources checking authentication on
+ *                 many bogus packets.
+ */
+void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit );
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/**
+ * \brief          Set retransmit timeout values for the DTLS handshake.
+ *                 (DTLS only, no effect on TLS.)
+ *
+ * \param conf     SSL configuration
+ * \param min      Initial timeout value in milliseconds.
+ *                 Default: 1000 (1 second).
+ * \param max      Maximum timeout value in milliseconds.
+ *                 Default: 60000 (60 seconds).
+ *
+ * \note           Default values are from RFC 6347 section 4.2.4.1.
+ *
+ * \note           The 'min' value should typically be slightly above the
+ *                 expected round-trip time to your peer, plus whatever time
+ *                 it takes for the peer to process the message. For example,
+ *                 if your RTT is about 600ms and you peer needs up to 1s to
+ *                 do the cryptographic operations in the handshake, then you
+ *                 should set 'min' slightly above 1600. Lower values of 'min'
+ *                 might cause spurious resends which waste network resources,
+ *                 while larger value of 'min' will increase overall latency
+ *                 on unreliable network links.
+ *
+ * \note           The more unreliable your network connection is, the larger
+ *                 your max / min ratio needs to be in order to achieve
+ *                 reliable handshakes.
+ *
+ * \note           Messages are retransmitted up to log2(ceil(max/min)) times.
+ *                 For example, if min = 1s and max = 5s, the retransmit plan
+ *                 goes: send ... 1s -> resend ... 2s -> resend ... 4s ->
+ *                 resend ... 5s -> give up and return a timeout error.
+ */
+void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max );
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief          Set the session cache callbacks (server-side only)
+ *                 If not set, no session resuming is done (except if session
+ *                 tickets are enabled too).
+ *
+ *                 The session cache has the responsibility to check for stale
+ *                 entries based on timeout. See RFC 5246 for recommendations.
+ *
+ *                 Warning: session.peer_cert is cleared by the SSL/TLS layer on
+ *                 connection shutdown, so do not cache the pointer! Either set
+ *                 it to NULL or make a full copy of the certificate.
+ *
+ *                 The get callback is called once during the initial handshake
+ *                 to enable session resuming. The get function has the
+ *                 following parameters: (void *parameter, mbedtls_ssl_session *session)
+ *                 If a valid entry is found, it should fill the master of
+ *                 the session object with the cached values and return 0,
+ *                 return 1 otherwise. Optionally peer_cert can be set as well
+ *                 if it is properly present in cache entry.
+ *
+ *                 The set callback is called once during the initial handshake
+ *                 to enable session resuming after the entire handshake has
+ *                 been finished. The set function has the following parameters:
+ *                 (void *parameter, const mbedtls_ssl_session *session). The function
+ *                 should create a cache entry for future retrieval based on
+ *                 the data in the session structure and should keep in mind
+ *                 that the mbedtls_ssl_session object presented (and all its referenced
+ *                 data) is cleared by the SSL/TLS layer when the connection is
+ *                 terminated. It is recommended to add metadata to determine if
+ *                 an entry is still valid in the future. Return 0 if
+ *                 successfully cached, return 1 otherwise.
+ *
+ * \param conf           SSL configuration
+ * \param p_cache        parmater (context) for both callbacks
+ * \param f_get_cache    session get callback
+ * \param f_set_cache    session set callback
+ */
+void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
+        void *p_cache,
+        int (*f_get_cache)(void *, mbedtls_ssl_session *),
+        int (*f_set_cache)(void *, const mbedtls_ssl_session *) );
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Request resumption of session (client-side only)
+ *                 Session data is copied from presented session structure.
+ *
+ * \param ssl      SSL context
+ * \param session  session context
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or
+ *                 arguments are otherwise invalid
+ *
+ * \sa             mbedtls_ssl_get_session()
+ */
+int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session );
+#endif /* MBEDTLS_SSL_CLI_C */
+
+/**
+ * \brief               Set the list of allowed ciphersuites and the preference
+ *                      order. First in the list has the highest preference.
+ *                      (Overrides all version-specific lists)
+ *
+ *                      The ciphersuites array is not copied, and must remain
+ *                      valid for the lifetime of the ssl_config.
+ *
+ *                      Note: The server uses its own preferences
+ *                      over the preference of the client unless
+ *                      MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
+ *
+ * \param conf          SSL configuration
+ * \param ciphersuites  0-terminated list of allowed ciphersuites
+ */
+void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
+                                   const int *ciphersuites );
+
+/**
+ * \brief               Set the list of allowed ciphersuites and the
+ *                      preference order for a specific version of the protocol.
+ *                      (Only useful on the server side)
+ *
+ *                      The ciphersuites array is not copied, and must remain
+ *                      valid for the lifetime of the ssl_config.
+ *
+ * \param conf          SSL configuration
+ * \param ciphersuites  0-terminated list of allowed ciphersuites
+ * \param major         Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3
+ *                      supported)
+ * \param minor         Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ *                      MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ *                      MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ *
+ * \note                With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0
+ *                      and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ */
+void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
+                                       const int *ciphersuites,
+                                       int major, int minor );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set the X.509 security profile used for verification
+ *
+ * \note           The restrictions are enforced for all certificates in the
+ *                 chain. However, signatures in the handshake are not covered
+ *                 by this setting but by \b mbedtls_ssl_conf_sig_hashes().
+ *
+ * \param conf     SSL configuration
+ * \param profile  Profile to use
+ */
+void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
+                                    const mbedtls_x509_crt_profile *profile );
+
+/**
+ * \brief          Set the data required to verify peer certificate
+ *
+ * \note           See \c mbedtls_x509_crt_verify() for notes regarding the
+ *                 parameters ca_chain (maps to trust_ca for that function)
+ *                 and ca_crl.
+ *
+ * \param conf     SSL configuration
+ * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
+ * \param ca_crl   trusted CA CRLs
+ */
+void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
+                               mbedtls_x509_crt *ca_chain,
+                               mbedtls_x509_crl *ca_crl );
+
+/**
+ * \brief          Set own certificate chain and private key
+ *
+ * \note           own_cert should contain in order from the bottom up your
+ *                 certificate chain. The top certificate (self-signed)
+ *                 can be omitted.
+ *
+ * \note           On server, this function can be called multiple times to
+ *                 provision more than one cert/key pair (eg one ECDSA, one
+ *                 RSA with SHA-256, one RSA with SHA-1). An adequate
+ *                 certificate will be selected according to the client's
+ *                 advertised capabilities. In case multiple certificates are
+ *                 adequate, preference is given to the one set by the first
+ *                 call to this function, then second, etc.
+ *
+ * \note           On client, only the first call has any effect. That is,
+ *                 only one client certificate can be provisioned. The
+ *                 server's preferences in its CertficateRequest message will
+ *                 be ignored and our only cert will be sent regardless of
+ *                 whether it matches those preferences - the server can then
+ *                 decide what it wants to do with it.
+ *
+ * \note           The provided \p pk_key needs to match the public key in the
+ *                 first certificate in \p own_cert, or all handshakes using
+ *                 that certificate will fail. It is your responsibility
+ *                 to ensure that; this function will not perform any check.
+ *                 You may use mbedtls_pk_check_pair() in order to perform
+ *                 this check yourself, but be aware that this function can
+ *                 be computationally expensive on some key types.
+ *
+ * \param conf     SSL configuration
+ * \param own_cert own public certificate chain
+ * \param pk_key   own private key
+ *
+ * \return         0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
+                              mbedtls_x509_crt *own_cert,
+                              mbedtls_pk_context *pk_key );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+/**
+ * \brief          Set the Pre Shared Key (PSK) and the expected identity name
+ *
+ * \note           This is mainly useful for clients. Servers will usually
+ *                 want to use \c mbedtls_ssl_conf_psk_cb() instead.
+ *
+ * \note           Currently clients can only register one pre-shared key.
+ *                 In other words, the servers' identity hint is ignored.
+ *                 Support for setting multiple PSKs on clients and selecting
+ *                 one based on the identity hint is not a planned feature but
+ *                 feedback is welcomed.
+ *
+ * \param conf     SSL configuration
+ * \param psk      pointer to the pre-shared key
+ * \param psk_len  pre-shared key length
+ * \param psk_identity      pointer to the pre-shared key identity
+ * \param psk_identity_len  identity key length
+ *
+ * \return         0 if successful or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
+                const unsigned char *psk, size_t psk_len,
+                const unsigned char *psk_identity, size_t psk_identity_len );
+
+
+/**
+ * \brief          Set the Pre Shared Key (PSK) for the current handshake
+ *
+ * \note           This should only be called inside the PSK callback,
+ *                 ie the function passed to \c mbedtls_ssl_conf_psk_cb().
+ *
+ * \param ssl      SSL context
+ * \param psk      pointer to the pre-shared key
+ * \param psk_len  pre-shared key length
+ *
+ * \return         0 if successful or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
+                            const unsigned char *psk, size_t psk_len );
+
+/**
+ * \brief          Set the PSK callback (server-side only).
+ *
+ *                 If set, the PSK callback is called for each
+ *                 handshake where a PSK ciphersuite was negotiated.
+ *                 The caller provides the identity received and wants to
+ *                 receive the actual PSK data and length.
+ *
+ *                 The callback has the following parameters: (void *parameter,
+ *                 mbedtls_ssl_context *ssl, const unsigned char *psk_identity,
+ *                 size_t identity_len)
+ *                 If a valid PSK identity is found, the callback should use
+ *                 \c mbedtls_ssl_set_hs_psk() on the ssl context to set the
+ *                 correct PSK and return 0.
+ *                 Any other return value will result in a denied PSK identity.
+ *
+ * \note           If you set a PSK callback using this function, then you
+ *                 don't need to set a PSK key and identity using
+ *                 \c mbedtls_ssl_conf_psk().
+ *
+ * \param conf     SSL configuration
+ * \param f_psk    PSK identity function
+ * \param p_psk    PSK identity parameter
+ */
+void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
+                     int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
+                                  size_t),
+                     void *p_psk );
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+/**
+ * \brief          Set the Diffie-Hellman public P and G values,
+ *                 read as hexadecimal strings (server-side only)
+ *                 (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG])
+ *
+ * \param conf     SSL configuration
+ * \param dhm_P    Diffie-Hellman-Merkle modulus
+ * \param dhm_G    Diffie-Hellman-Merkle generator
+ *
+ * \deprecated     Superseded by \c mbedtls_ssl_conf_dh_param_bin.
+ *
+ * \return         0 if successful
+ */
+MBEDTLS_DEPRECATED int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf,
+                                                  const char *dhm_P,
+                                                  const char *dhm_G );
+
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Set the Diffie-Hellman public P and G values
+ *                 from big-endian binary presentations.
+ *                 (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG]_BIN)
+ *
+ * \param conf     SSL configuration
+ * \param dhm_P    Diffie-Hellman-Merkle modulus in big-endian binary form
+ * \param P_len    Length of DHM modulus
+ * \param dhm_G    Diffie-Hellman-Merkle generator in big-endian binary form
+ * \param G_len    Length of DHM generator
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
+                                   const unsigned char *dhm_P, size_t P_len,
+                                   const unsigned char *dhm_G,  size_t G_len );
+
+/**
+ * \brief          Set the Diffie-Hellman public P and G values,
+ *                 read from existing context (server-side only)
+ *
+ * \param conf     SSL configuration
+ * \param dhm_ctx  Diffie-Hellman-Merkle context
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx );
+#endif /* MBEDTLS_DHM_C && defined(MBEDTLS_SSL_SRV_C) */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Set the minimum length for Diffie-Hellman parameters.
+ *                 (Client-side only.)
+ *                 (Default: 1024 bits.)
+ *
+ * \param conf     SSL configuration
+ * \param bitlen   Minimum bit length of the DHM prime
+ */
+void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
+                                      unsigned int bitlen );
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * \brief          Set the allowed curves in order of preference.
+ *                 (Default: all defined curves.)
+ *
+ *                 On server: this only affects selection of the ECDHE curve;
+ *                 the curves used for ECDH and ECDSA are determined by the
+ *                 list of available certificates instead.
+ *
+ *                 On client: this affects the list of curves offered for any
+ *                 use. The server can override our preference order.
+ *
+ *                 Both sides: limits the set of curves accepted for use in
+ *                 ECDHE and in the peer's end-entity certificate.
+ *
+ * \note           This has no influence on which curves are allowed inside the
+ *                 certificate chains, see \c mbedtls_ssl_conf_cert_profile()
+ *                 for that. For the end-entity certificate however, the key
+ *                 will be accepted only if it is allowed both by this list
+ *                 and by the cert profile.
+ *
+ * \note           This list should be ordered by decreasing preference
+ *                 (preferred curve first).
+ *
+ * \param conf     SSL configuration
+ * \param curves   Ordered list of allowed curves,
+ *                 terminated by MBEDTLS_ECP_DP_NONE.
+ */
+void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
+                              const mbedtls_ecp_group_id *curves );
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/**
+ * \brief          Set the allowed hashes for signatures during the handshake.
+ *                 (Default: all available hashes except MD5.)
+ *
+ * \note           This only affects which hashes are offered and can be used
+ *                 for signatures during the handshake. Hashes for message
+ *                 authentication and the TLS PRF are controlled by the
+ *                 ciphersuite, see \c mbedtls_ssl_conf_ciphersuites(). Hashes
+ *                 used for certificate signature are controlled by the
+ *                 verification profile, see \c mbedtls_ssl_conf_cert_profile().
+ *
+ * \note           This list should be ordered by decreasing preference
+ *                 (preferred hash first).
+ *
+ * \param conf     SSL configuration
+ * \param hashes   Ordered list of allowed signature hashes,
+ *                 terminated by \c MBEDTLS_MD_NONE.
+ */
+void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
+                                  const int *hashes );
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set or reset the hostname to check against the received
+ *                 server certificate. It sets the ServerName TLS extension,
+ *                 too, if that extension is enabled. (client-side only)
+ *
+ * \param ssl      SSL context
+ * \param hostname the server hostname, may be NULL to clear hostname
+ *
+ * \note           Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
+ *
+ * \return         0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on
+ *                 allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
+ *                 too long input hostname.
+ *
+ *                 Hostname set to the one provided on success (cleared
+ *                 when NULL). On allocation failure hostname is cleared.
+ *                 On too long input failure, old hostname is unchanged.
+ */
+int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+/**
+ * \brief          Set own certificate and key for the current handshake
+ *
+ * \note           Same as \c mbedtls_ssl_conf_own_cert() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param own_cert own public certificate chain
+ * \param pk_key   own private key
+ *
+ * \return         0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
+                                 mbedtls_x509_crt *own_cert,
+                                 mbedtls_pk_context *pk_key );
+
+/**
+ * \brief          Set the data required to verify peer certificate for the
+ *                 current handshake
+ *
+ * \note           Same as \c mbedtls_ssl_conf_ca_chain() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
+ * \param ca_crl   trusted CA CRLs
+ */
+void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
+                                  mbedtls_x509_crt *ca_chain,
+                                  mbedtls_x509_crl *ca_crl );
+
+/**
+ * \brief          Set authmode for the current handshake.
+ *
+ * \note           Same as \c mbedtls_ssl_conf_authmode() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param authmode MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL or
+ *                 MBEDTLS_SSL_VERIFY_REQUIRED
+ */
+void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
+                                  int authmode );
+
+/**
+ * \brief          Set server side ServerName TLS extension callback
+ *                 (optional, server-side only).
+ *
+ *                 If set, the ServerName callback is called whenever the
+ *                 server receives a ServerName TLS extension from the client
+ *                 during a handshake. The ServerName callback has the
+ *                 following parameters: (void *parameter, mbedtls_ssl_context *ssl,
+ *                 const unsigned char *hostname, size_t len). If a suitable
+ *                 certificate is found, the callback must set the
+ *                 certificate(s) and key(s) to use with \c
+ *                 mbedtls_ssl_set_hs_own_cert() (can be called repeatedly),
+ *                 and may optionally adjust the CA and associated CRL with \c
+ *                 mbedtls_ssl_set_hs_ca_chain() as well as the client
+ *                 authentication mode with \c mbedtls_ssl_set_hs_authmode(),
+ *                 then must return 0. If no matching name is found, the
+ *                 callback must either set a default cert, or
+ *                 return non-zero to abort the handshake at this point.
+ *
+ * \param conf     SSL configuration
+ * \param f_sni    verification function
+ * \param p_sni    verification parameter
+ */
+void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
+                  int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *,
+                               size_t),
+                  void *p_sni );
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+/**
+ * \brief          Set the EC J-PAKE password for current handshake.
+ *
+ * \note           An internal copy is made, and destroyed as soon as the
+ *                 handshake is completed, or when the SSL context is reset or
+ *                 freed.
+ *
+ * \note           The SSL context needs to be already set up. The right place
+ *                 to call this function is between \c mbedtls_ssl_setup() or
+ *                 \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake().
+ *
+ * \param ssl      SSL context
+ * \param pw       EC J-PAKE password (pre-shared secret)
+ * \param pw_len   length of pw in bytes
+ *
+ * \return         0 on success, or a negative error code.
+ */
+int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
+                                         const unsigned char *pw,
+                                         size_t pw_len );
+#endif /*MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+/**
+ * \brief          Set the supported Application Layer Protocols.
+ *
+ * \param conf     SSL configuration
+ * \param protos   Pointer to a NULL-terminated list of supported protocols,
+ *                 in decreasing preference order. The pointer to the list is
+ *                 recorded by the library for later reference as required, so
+ *                 the lifetime of the table must be atleast as long as the
+ *                 lifetime of the SSL configuration structure.
+ *
+ * \return         0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.
+ */
+int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos );
+
+/**
+ * \brief          Get the name of the negotiated Application Layer Protocol.
+ *                 This function should be called after the handshake is
+ *                 completed.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Protcol name, or NULL if no protocol was negotiated.
+ */
+const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_ALPN */
+
+/**
+ * \brief          Set the maximum supported version sent from the client side
+ *                 and/or accepted at the server side
+ *                 (Default: MBEDTLS_SSL_MAX_MAJOR_VERSION, MBEDTLS_SSL_MAX_MINOR_VERSION)
+ *
+ * \note           This ignores ciphersuites from higher versions.
+ *
+ * \note           With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ *
+ * \param conf     SSL configuration
+ * \param major    Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
+ * \param minor    Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ *                 MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ */
+void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor );
+
+/**
+ * \brief          Set the minimum accepted SSL/TLS protocol version
+ *                 (Default: TLS 1.0)
+ *
+ * \note           Input outside of the SSL_MAX_XXXXX_VERSION and
+ *                 SSL_MIN_XXXXX_VERSION range is ignored.
+ *
+ * \note           MBEDTLS_SSL_MINOR_VERSION_0 (SSL v3) should be avoided.
+ *
+ * \note           With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ *
+ * \param conf     SSL configuration
+ * \param major    Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
+ * \param minor    Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ *                 MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ */
+void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor );
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Set the fallback flag (client-side only).
+ *                 (Default: MBEDTLS_SSL_IS_NOT_FALLBACK).
+ *
+ * \note           Set to MBEDTLS_SSL_IS_FALLBACK when preparing a fallback
+ *                 connection, that is a connection with max_version set to a
+ *                 lower value than the value you're willing to use. Such
+ *                 fallback connections are not recommended but are sometimes
+ *                 necessary to interoperate with buggy (version-intolerant)
+ *                 servers.
+ *
+ * \warning        You should NOT set this to MBEDTLS_SSL_IS_FALLBACK for
+ *                 non-fallback connections! This would appear to work for a
+ *                 while, then cause failures when the server is upgraded to
+ *                 support a newer TLS version.
+ *
+ * \param conf     SSL configuration
+ * \param fallback MBEDTLS_SSL_IS_NOT_FALLBACK or MBEDTLS_SSL_IS_FALLBACK
+ */
+void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback );
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+/**
+ * \brief           Enable or disable Encrypt-then-MAC
+ *                  (Default: MBEDTLS_SSL_ETM_ENABLED)
+ *
+ * \note            This should always be enabled, it is a security
+ *                  improvement, and should not cause any interoperability
+ *                  issue (used only if the peer supports it too).
+ *
+ * \param conf      SSL configuration
+ * \param etm       MBEDTLS_SSL_ETM_ENABLED or MBEDTLS_SSL_ETM_DISABLED
+ */
+void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm );
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+/**
+ * \brief           Enable or disable Extended Master Secret negotiation.
+ *                  (Default: MBEDTLS_SSL_EXTENDED_MS_ENABLED)
+ *
+ * \note            This should always be enabled, it is a security fix to the
+ *                  protocol, and should not cause any interoperability issue
+ *                  (used only if the peer supports it too).
+ *
+ * \param conf      SSL configuration
+ * \param ems       MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED
+ */
+void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems );
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_ARC4_C)
+/**
+ * \brief          Disable or enable support for RC4
+ *                 (Default: MBEDTLS_SSL_ARC4_DISABLED)
+ *
+ * \warning        Use of RC4 in DTLS/TLS has been prohibited by RFC 7465
+ *                 for security reasons. Use at your own risk.
+ *
+ * \note           This function is deprecated and will likely be removed in
+ *                 a future version of the library.
+ *                 RC4 is disabled by default at compile time and needs to be
+ *                 actively enabled for use with legacy systems.
+ *
+ * \param conf     SSL configuration
+ * \param arc4     MBEDTLS_SSL_ARC4_ENABLED or MBEDTLS_SSL_ARC4_DISABLED
+ */
+void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 );
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief          Whether to send a list of acceptable CAs in
+ *                 CertificateRequest messages.
+ *                 (Default: do send)
+ *
+ * \param conf     SSL configuration
+ * \param cert_req_ca_list   MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or
+ *                          MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
+ */
+void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
+                                          char cert_req_ca_list );
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/**
+ * \brief          Set the maximum fragment length to emit and/or negotiate.
+ *                 (Typical: #MBEDTLS_SSL_MAX_CONTENT_LEN, by default that is
+ *                 set to `2^14` bytes)
+ *                 (Server: set maximum fragment length to emit,
+ *                 usually negotiated by the client during handshake)
+ *                 (Client: set maximum fragment length to emit *and*
+ *                 negotiate with the server during handshake)
+ *                 (Default: #MBEDTLS_SSL_MAX_FRAG_LEN_NONE)
+ *
+ * \note           With TLS, this currently only affects ApplicationData (sent
+ *                 with \c mbedtls_ssl_read()), not handshake messages.
+ *                 With DTLS, this affects both ApplicationData and handshake.
+ *
+ * \note           On the client side, the maximum fragment length extension
+ *                 *will not* be used, unless the maximum fragment length has
+ *                 been set via this function to a value different than
+ *                 #MBEDTLS_SSL_MAX_FRAG_LEN_NONE.
+ *
+ * \note           This sets the maximum length for a record's payload,
+ *                 excluding record overhead that will be added to it, see
+ *                 \c mbedtls_ssl_get_record_expansion().
+ *
+ * \param conf     SSL configuration
+ * \param mfl_code Code for maximum fragment length (allowed values:
+ *                 MBEDTLS_SSL_MAX_FRAG_LEN_512,  MBEDTLS_SSL_MAX_FRAG_LEN_1024,
+ *                 MBEDTLS_SSL_MAX_FRAG_LEN_2048, MBEDTLS_SSL_MAX_FRAG_LEN_4096)
+ *
+ * \return         0 if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+ */
+int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code );
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+/**
+ * \brief          Activate negotiation of truncated HMAC
+ *                 (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
+ *
+ * \param conf     SSL configuration
+ * \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
+ *                                    MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
+ */
+void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate );
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+/**
+ * \brief          Enable / Disable 1/n-1 record splitting
+ *                 (Default: MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED)
+ *
+ * \note           Only affects SSLv3 and TLS 1.0, not higher versions.
+ *                 Does not affect non-CBC ciphersuites in any version.
+ *
+ * \param conf     SSL configuration
+ * \param split    MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED or
+ *                 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
+ */
+void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split );
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Enable / Disable session tickets (client only).
+ *                 (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.)
+ *
+ * \note           On server, use \c mbedtls_ssl_conf_session_tickets_cb().
+ *
+ * \param conf     SSL configuration
+ * \param use_tickets   Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or
+ *                                         MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
+ */
+void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets );
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/**
+ * \brief          Enable / Disable renegotiation support for connection when
+ *                 initiated by peer
+ *                 (Default: MBEDTLS_SSL_RENEGOTIATION_DISABLED)
+ *
+ * \warning        It is recommended to always disable renegotation unless you
+ *                 know you need it and you know what you're doing. In the
+ *                 past, there have been several issues associated with
+ *                 renegotiation or a poor understanding of its properties.
+ *
+ * \note           Server-side, enabling renegotiation also makes the server
+ *                 susceptible to a resource DoS by a malicious client.
+ *
+ * \param conf    SSL configuration
+ * \param renegotiation     Enable or disable (MBEDTLS_SSL_RENEGOTIATION_ENABLED or
+ *                                             MBEDTLS_SSL_RENEGOTIATION_DISABLED)
+ */
+void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation );
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/**
+ * \brief          Prevent or allow legacy renegotiation.
+ *                 (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION)
+ *
+ *                 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION allows connections to
+ *                 be established even if the peer does not support
+ *                 secure renegotiation, but does not allow renegotiation
+ *                 to take place if not secure.
+ *                 (Interoperable and secure option)
+ *
+ *                 MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations
+ *                 with non-upgraded peers. Allowing legacy renegotiation
+ *                 makes the connection vulnerable to specific man in the
+ *                 middle attacks. (See RFC 5746)
+ *                 (Most interoperable and least secure option)
+ *
+ *                 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE breaks off connections
+ *                 if peer does not support secure renegotiation. Results
+ *                 in interoperability issues with non-upgraded peers
+ *                 that do not support renegotiation altogether.
+ *                 (Most secure option, interoperability issues)
+ *
+ * \param conf     SSL configuration
+ * \param allow_legacy  Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
+ *                                        SSL_ALLOW_LEGACY_RENEGOTIATION or
+ *                                        MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE)
+ */
+void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/**
+ * \brief          Enforce renegotiation requests.
+ *                 (Default: enforced, max_records = 16)
+ *
+ *                 When we request a renegotiation, the peer can comply or
+ *                 ignore the request. This function allows us to decide
+ *                 whether to enforce our renegotiation requests by closing
+ *                 the connection if the peer doesn't comply.
+ *
+ *                 However, records could already be in transit from the peer
+ *                 when the request is emitted. In order to increase
+ *                 reliability, we can accept a number of records before the
+ *                 expected handshake records.
+ *
+ *                 The optimal value is highly dependent on the specific usage
+ *                 scenario.
+ *
+ * \note           With DTLS and server-initiated renegotiation, the
+ *                 HelloRequest is retransmited every time mbedtls_ssl_read() times
+ *                 out or receives Application Data, until:
+ *                 - max_records records have beens seen, if it is >= 0, or
+ *                 - the number of retransmits that would happen during an
+ *                 actual handshake has been reached.
+ *                 Please remember the request might be lost a few times
+ *                 if you consider setting max_records to a really low value.
+ *
+ * \warning        On client, the grace period can only happen during
+ *                 mbedtls_ssl_read(), as opposed to mbedtls_ssl_write() and mbedtls_ssl_renegotiate()
+ *                 which always behave as if max_record was 0. The reason is,
+ *                 if we receive application data from the server, we need a
+ *                 place to write it, which only happens during mbedtls_ssl_read().
+ *
+ * \param conf     SSL configuration
+ * \param max_records Use MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to
+ *                 enforce renegotiation, or a non-negative value to enforce
+ *                 it but allow for a grace period of max_records records.
+ */
+void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records );
+
+/**
+ * \brief          Set record counter threshold for periodic renegotiation.
+ *                 (Default: 2^48 - 1)
+ *
+ *                 Renegotiation is automatically triggered when a record
+ *                 counter (outgoing or ingoing) crosses the defined
+ *                 threshold. The default value is meant to prevent the
+ *                 connection from being closed when the counter is about to
+ *                 reached its maximal value (it is not allowed to wrap).
+ *
+ *                 Lower values can be used to enforce policies such as "keys
+ *                 must be refreshed every N packets with cipher X".
+ *
+ *                 The renegotiation period can be disabled by setting
+ *                 conf->disable_renegotiation to
+ *                 MBEDTLS_SSL_RENEGOTIATION_DISABLED.
+ *
+ * \note           When the configured transport is
+ *                 MBEDTLS_SSL_TRANSPORT_DATAGRAM the maximum renegotiation
+ *                 period is 2^48 - 1, and for MBEDTLS_SSL_TRANSPORT_STREAM,
+ *                 the maximum renegotiation period is 2^64 - 1.
+ *
+ * \param conf     SSL configuration
+ * \param period   The threshold value: a big-endian 64-bit number.
+ */
+void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
+                                   const unsigned char period[8] );
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/**
+ * \brief          Return the number of data bytes available to read
+ *
+ * \param ssl      SSL context
+ *
+ * \return         how many bytes are available in the read buffer
+ */
+size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the result of the certificate verification
+ *
+ * \param ssl      The SSL context to use.
+ *
+ * \return         \c 0 if the certificate verification was successful.
+ * \return         \c -1u if the result is not available. This may happen
+ *                 e.g. if the handshake aborts early, or a verification
+ *                 callback returned a fatal error.
+ * \return         A bitwise combination of \c MBEDTLS_X509_BADCERT_XXX
+ *                 and \c MBEDTLS_X509_BADCRL_XXX failure flags; see x509.h.
+ */
+uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the name of the current ciphersuite
+ *
+ * \param ssl      SSL context
+ *
+ * \return         a string containing the ciphersuite name
+ */
+const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the current SSL version (SSLv3/TLSv1/etc)
+ *
+ * \param ssl      SSL context
+ *
+ * \return         a string containing the SSL version
+ */
+const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the (maximum) number of bytes added by the record
+ *                 layer: header + encryption/MAC overhead (inc. padding)
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum record expansion in bytes, or
+ *                 MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if compression is
+ *                 enabled, which makes expansion much less predictable
+ */
+int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl );
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/**
+ * \brief          Return the maximum fragment length (payload, in bytes).
+ *                 This is the value negotiated with peer if any,
+ *                 or the locally configured value.
+ *
+ * \note           With DTLS, \c mbedtls_ssl_write() will return an error if
+ *                 called with a larger length value.
+ *                 With TLS, \c mbedtls_ssl_write() will fragment the input if
+ *                 necessary and return the number of bytes written; it is up
+ *                 to the caller to call \c mbedtls_ssl_write() again in
+ *                 order to send the remaining bytes if any.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum fragment length.
+ */
+size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Return the peer certificate from the current connection
+ *
+ *                 Note: Can be NULL in case no certificate was sent during
+ *                 the handshake. Different calls for the same connection can
+ *                 return the same or different pointers for the same
+ *                 certificate and even a different certificate altogether.
+ *                 The peer cert CAN change in a single connection if
+ *                 renegotiation is performed.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         the current peer certificate
+ */
+const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Save session in order to resume it later (client-side only)
+ *                 Session data is copied to presented session structure.
+ *
+ *
+ * \param ssl      SSL context
+ * \param session  session context
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or
+ *                 arguments are otherwise invalid.
+ *
+ * \note           Only the server certificate is copied, and not the full chain,
+ *                 so you should not attempt to validate the certificate again
+ *                 by calling \c mbedtls_x509_crt_verify() on it.
+ *                 Instead, you should use the results from the verification
+ *                 in the original handshake by calling \c mbedtls_ssl_get_verify_result()
+ *                 after loading the session again into a new SSL context
+ *                 using \c mbedtls_ssl_set_session().
+ *
+ * \note           Once the session object is not needed anymore, you should
+ *                 free it by calling \c mbedtls_ssl_session_free().
+ *
+ * \sa             mbedtls_ssl_set_session()
+ */
+int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *session );
+#endif /* MBEDTLS_SSL_CLI_C */
+
+/**
+ * \brief          Perform the SSL handshake
+ *
+ * \param ssl      SSL context
+ *
+ * \return         0 if successful, or
+ *                 MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, or
+ *                 MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED (see below), or
+ *                 a specific SSL error code.
+ *
+ * \note           If this function returns something other than 0 or
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
+ *                 becomes unusable, and you should either free it or call
+ *                 \c mbedtls_ssl_session_reset() on it before re-using it for
+ *                 a new connection; the current connection must be closed.
+ *
+ * \note           If DTLS is in use, then you may choose to handle
+ *                 MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging
+ *                 purposes, as it is an expected return value rather than an
+ *                 actual error, but you still need to reset/free the context.
+ */
+int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Perform a single step of the SSL handshake
+ *
+ * \note           The state of the context (ssl->state) will be at
+ *                 the next state after execution of this function. Do not
+ *                 call this function if state is MBEDTLS_SSL_HANDSHAKE_OVER.
+ *
+ * \note           If this function returns something other than 0 or
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
+ *                 becomes unusable, and you should either free it or call
+ *                 \c mbedtls_ssl_session_reset() on it before re-using it for
+ *                 a new connection; the current connection must be closed.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         0 if successful, or
+ *                 MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, or
+ *                 a specific SSL error code.
+ */
+int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/**
+ * \brief          Initiate an SSL renegotiation on the running connection.
+ *                 Client: perform the renegotiation right now.
+ *                 Server: request renegotiation, which will be performed
+ *                 during the next call to mbedtls_ssl_read() if honored by
+ *                 client.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         0 if successful, or any mbedtls_ssl_handshake() return
+ *                 value.
+ *
+ * \note           If this function returns something other than 0 or
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
+ *                 becomes unusable, and you should either free it or call
+ *                 \c mbedtls_ssl_session_reset() on it before re-using it for
+ *                 a new connection; the current connection must be closed.
+ */
+int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/**
+ * \brief          Read at most 'len' application data bytes
+ *
+ * \param ssl      SSL context
+ * \param buf      buffer that will hold the data
+ * \param len      maximum number of bytes to read
+ *
+ * \return         the number of bytes read, or
+ *                 0 for EOF, or
+ *                 MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, or
+ *                 MBEDTLS_ERR_SSL_CLIENT_RECONNECT (see below), or
+ *                 another negative error code.
+ *
+ * \note           If this function returns something other than a positive
+ *                 value or MBEDTLS_ERR_SSL_WANT_READ/WRITE or
+ *                 MBEDTLS_ERR_SSL_CLIENT_RECONNECT, then the ssl context
+ *                 becomes unusable, and you should either free it or call
+ *                 \c mbedtls_ssl_session_reset() on it before re-using it for
+ *                 a new connection; the current connection must be closed.
+ *
+ * \note           When this function return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
+ *                 (which can only happen server-side), it means that a client
+ *                 is initiating a new connection using the same source port.
+ *                 You can either treat that as a connection close and wait
+ *                 for the client to resend a ClientHello, or directly
+ *                 continue with \c mbedtls_ssl_handshake() with the same
+ *                 context (as it has beeen reset internally). Either way, you
+ *                 should make sure this is seen by the application as a new
+ *                 connection: application state, if any, should be reset, and
+ *                 most importantly the identity of the client must be checked
+ *                 again. WARNING: not validating the identity of the client
+ *                 again, or not transmitting the new identity to the
+ *                 application layer, would allow authentication bypass!
+ */
+int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len );
+
+/**
+ * \brief          Try to write exactly 'len' application data bytes
+ *
+ * \warning        This function will do partial writes in some cases. If the
+ *                 return value is non-negative but less than length, the
+ *                 function must be called again with updated arguments:
+ *                 buf + ret, len - ret (if ret is the return value) until
+ *                 it returns a value equal to the last 'len' argument.
+ *
+ * \param ssl      SSL context
+ * \param buf      buffer holding the data
+ * \param len      how many bytes must be written
+ *
+ * \return         the number of bytes actually written (may be less than len),
+ *                 or MBEDTLS_ERR_SSL_WANT_WRITE or MBEDTLS_ERR_SSL_WANT_READ,
+ *                 or another negative error code.
+ *
+ * \note           If this function returns something other than 0, a positive
+ *                 value or MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop
+ *                 using the SSL context for reading or writing, and either
+ *                 free it or call \c mbedtls_ssl_session_reset() on it before
+ *                 re-using it for a new connection; the current connection
+ *                 must be closed.
+ *
+ * \note           When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ,
+ *                 it must be called later with the *same* arguments,
+ *                 until it returns a value greater that or equal to 0. When
+ *                 the function returns MBEDTLS_ERR_SSL_WANT_WRITE there may be
+ *                 some partial data in the output buffer, however this is not
+ *                 yet sent.
+ *
+ * \note           If the requested length is greater than the maximum
+ *                 fragment length (either the built-in limit or the one set
+ *                 or negotiated with the peer), then:
+ *                 - with TLS, less bytes than requested are written.
+ *                 - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned.
+ *                 \c mbedtls_ssl_get_max_frag_len() may be used to query the
+ *                 active maximum fragment length.
+ *
+ * \note           Attempting to write 0 bytes will result in an empty TLS
+ *                 application record being sent.
+ */
+int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len );
+
+/**
+ * \brief           Send an alert message
+ *
+ * \param ssl       SSL context
+ * \param level     The alert level of the message
+ *                  (MBEDTLS_SSL_ALERT_LEVEL_WARNING or MBEDTLS_SSL_ALERT_LEVEL_FATAL)
+ * \param message   The alert message (SSL_ALERT_MSG_*)
+ *
+ * \return          0 if successful, or a specific SSL error code.
+ *
+ * \note           If this function returns something other than 0 or
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
+ *                 becomes unusable, and you should either free it or call
+ *                 \c mbedtls_ssl_session_reset() on it before re-using it for
+ *                 a new connection; the current connection must be closed.
+ */
+int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
+                            unsigned char level,
+                            unsigned char message );
+/**
+ * \brief          Notify the peer that the connection is being closed
+ *
+ * \param ssl      SSL context
+ *
+ * \return          0 if successful, or a specific SSL error code.
+ *
+ * \note           If this function returns something other than 0 or
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
+ *                 becomes unusable, and you should either free it or call
+ *                 \c mbedtls_ssl_session_reset() on it before re-using it for
+ *                 a new connection; the current connection must be closed.
+ */
+int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Free referenced items in an SSL context and clear memory
+ *
+ * \param ssl      SSL context
+ */
+void mbedtls_ssl_free( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Initialize an SSL configuration context
+ *                 Just makes the context ready for
+ *                 mbedtls_ssl_config_defaults() or mbedtls_ssl_config_free().
+ *
+ * \note           You need to call mbedtls_ssl_config_defaults() unless you
+ *                 manually set all of the relevant fields yourself.
+ *
+ * \param conf     SSL configuration context
+ */
+void mbedtls_ssl_config_init( mbedtls_ssl_config *conf );
+
+/**
+ * \brief          Load reasonnable default SSL configuration values.
+ *                 (You need to call mbedtls_ssl_config_init() first.)
+ *
+ * \param conf     SSL configuration context
+ * \param endpoint MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
+ * \param transport MBEDTLS_SSL_TRANSPORT_STREAM for TLS, or
+ *                  MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS
+ * \param preset   a MBEDTLS_SSL_PRESET_XXX value
+ *
+ * \note           See \c mbedtls_ssl_conf_transport() for notes on DTLS.
+ *
+ * \return         0 if successful, or
+ *                 MBEDTLS_ERR_XXX_ALLOC_FAILED on memory allocation error.
+ */
+int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
+                                 int endpoint, int transport, int preset );
+
+/**
+ * \brief          Free an SSL configuration context
+ *
+ * \param conf     SSL configuration context
+ */
+void mbedtls_ssl_config_free( mbedtls_ssl_config *conf );
+
+/**
+ * \brief          Initialize SSL session structure
+ *
+ * \param session  SSL session
+ */
+void mbedtls_ssl_session_init( mbedtls_ssl_session *session );
+
+/**
+ * \brief          Free referenced items in an SSL session including the
+ *                 peer certificate and clear memory
+ *
+ * \note           A session object can be freed even if the SSL context
+ *                 that was used to retrieve the session is still in use.
+ *
+ * \param session  SSL session
+ */
+void mbedtls_ssl_session_free( mbedtls_ssl_session *session );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ssl_cache.h b/third-party/mbedtls-3.6/include/mbedtls/ssl_cache.h
new file mode 100644
index 00000000..612d8177
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ssl_cache.h
@@ -0,0 +1,175 @@
+/**
+ * \file ssl_cache.h
+ *
+ * \brief SSL session cache implementation
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_SSL_CACHE_H
+#define MBEDTLS_SSL_CACHE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT)
+#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT       86400   /*!< 1 day  */
+#endif
+
+#if !defined(MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES)
+#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      50   /*!< Maximum entries in cache */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct mbedtls_ssl_cache_context mbedtls_ssl_cache_context;
+typedef struct mbedtls_ssl_cache_entry mbedtls_ssl_cache_entry;
+
+/**
+ * \brief   This structure is used for storing cache entries
+ */
+struct mbedtls_ssl_cache_entry
+{
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t timestamp;           /*!< entry timestamp    */
+#endif
+    mbedtls_ssl_session session;        /*!< entry session      */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_x509_buf peer_cert;         /*!< entry peer_cert    */
+#endif
+    mbedtls_ssl_cache_entry *next;      /*!< chain pointer      */
+};
+
+/**
+ * \brief Cache context
+ */
+struct mbedtls_ssl_cache_context
+{
+    mbedtls_ssl_cache_entry *chain;     /*!< start of the chain     */
+    int timeout;                /*!< cache entry timeout    */
+    int max_entries;            /*!< maximum entries        */
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;    /*!< mutex                  */
+#endif
+};
+
+/**
+ * \brief          Initialize an SSL cache context
+ *
+ * \param cache    SSL cache context
+ */
+void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache );
+
+/**
+ * \brief          Cache get callback implementation
+ *                 (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data     SSL cache context
+ * \param session  session to retrieve entry for
+ */
+int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session );
+
+/**
+ * \brief          Cache set callback implementation
+ *                 (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data     SSL cache context
+ * \param session  session to store entry for
+ */
+int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session );
+
+#if defined(MBEDTLS_HAVE_TIME)
+/**
+ * \brief          Set the cache timeout
+ *                 (Default: MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT (1 day))
+ *
+ *                 A timeout of 0 indicates no timeout.
+ *
+ * \param cache    SSL cache context
+ * \param timeout  cache entry timeout in seconds
+ */
+void mbedtls_ssl_cache_set_timeout( mbedtls_ssl_cache_context *cache, int timeout );
+#endif /* MBEDTLS_HAVE_TIME */
+
+/**
+ * \brief          Set the maximum number of cache entries
+ *                 (Default: MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES (50))
+ *
+ * \param cache    SSL cache context
+ * \param max      cache entry maximum
+ */
+void mbedtls_ssl_cache_set_max_entries( mbedtls_ssl_cache_context *cache, int max );
+
+/**
+ * \brief          Free referenced items in a cache context and clear memory
+ *
+ * \param cache    SSL cache context
+ */
+void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_cache.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ssl_ciphersuites.h b/third-party/mbedtls-3.6/include/mbedtls/ssl_ciphersuites.h
new file mode 100644
index 00000000..fcfbca83
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ssl_ciphersuites.h
@@ -0,0 +1,517 @@
+/**
+ * \file ssl_ciphersuites.h
+ *
+ * \brief SSL Ciphersuites for mbed TLS
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_SSL_CIPHERSUITES_H
+#define MBEDTLS_SSL_CIPHERSUITES_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "pk.h"
+#include "cipher.h"
+#include "md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Supported ciphersuites (Official IANA names)
+ */
+#define MBEDTLS_TLS_RSA_WITH_NULL_MD5                    0x01   /**< Weak! */
+#define MBEDTLS_TLS_RSA_WITH_NULL_SHA                    0x02   /**< Weak! */
+
+#define MBEDTLS_TLS_RSA_WITH_RC4_128_MD5                 0x04
+#define MBEDTLS_TLS_RSA_WITH_RC4_128_SHA                 0x05
+#define MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA                 0x09   /**< Weak! Not in TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA            0x0A
+
+#define MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA             0x15   /**< Weak! Not in TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        0x16
+
+#define MBEDTLS_TLS_PSK_WITH_NULL_SHA                    0x2C   /**< Weak! */
+#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA                0x2D   /**< Weak! */
+#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA                0x2E   /**< Weak! */
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA             0x2F
+
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA         0x33
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA             0x35
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA         0x39
+
+#define MBEDTLS_TLS_RSA_WITH_NULL_SHA256                 0x3B   /**< Weak! */
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256          0x3C   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256          0x3D   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA        0x41
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA    0x45
+
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      0x67   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      0x6B   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA        0x84
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA    0x88
+
+#define MBEDTLS_TLS_PSK_WITH_RC4_128_SHA                 0x8A
+#define MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA            0x8B
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA             0x8C
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA             0x8D
+
+#define MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA             0x8E
+#define MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA        0x8F
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA         0x90
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA         0x91
+
+#define MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA             0x92
+#define MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA        0x93
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA         0x94
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA         0x95
+
+#define MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256          0x9C   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384          0x9D   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      0x9E   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      0x9F   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256          0xA8   /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384          0xA9   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256      0xAA   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384      0xAB   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256      0xAC   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384      0xAD   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256          0xAE
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384          0xAF
+#define MBEDTLS_TLS_PSK_WITH_NULL_SHA256                 0xB0   /**< Weak! */
+#define MBEDTLS_TLS_PSK_WITH_NULL_SHA384                 0xB1   /**< Weak! */
+
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256      0xB2
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384      0xB3
+#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256             0xB4   /**< Weak! */
+#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384             0xB5   /**< Weak! */
+
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256      0xB6
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384      0xB7
+#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256             0xB8   /**< Weak! */
+#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384             0xB9   /**< Weak! */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256     0xBA   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBE   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256     0xC0   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA             0xC001 /**< Weak! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA          0xC002 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA     0xC003 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA      0xC004 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA      0xC005 /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA            0xC006 /**< Weak! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA         0xC007 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA    0xC008 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     0xC009 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     0xC00A /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA               0xC00B /**< Weak! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA            0xC00C /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA       0xC00D /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA        0xC00E /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA        0xC00F /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA              0xC010 /**< Weak! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA           0xC011 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA      0xC012 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       0xC013 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       0xC014 /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  0xC023 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  0xC024 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   0xC025 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   0xC026 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    0xC027 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    0xC028 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256     0xC029 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384     0xC02A /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  0xC02B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  0xC02C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   0xC02D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384   0xC02E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    0xC02F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    0xC030 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     0xC031 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     0xC032 /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA           0xC033 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA      0xC034 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA       0xC035 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA       0xC036 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    0xC037 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384    0xC038 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA              0xC039 /**< Weak! No SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256           0xC03A /**< Weak! No SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384           0xC03B /**< Weak! No SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  0xC074 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  0xC075 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   0xC076 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   0xC077 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    0xC078 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    0xC079 /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256         0xC07A /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384         0xC07B /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256     0xC07C /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384     0xC07D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC086 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC087 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256  0xC088 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384  0xC089 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256   0xC08A /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384   0xC08B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256    0xC08C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384    0xC08D /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256       0xC08E /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384       0xC08F /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256   0xC090 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384   0xC091 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256   0xC092 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384   0xC093 /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256       0xC094
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384       0xC095
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256   0xC096
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384   0xC097
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256   0xC098
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384   0xC099
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC09A /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC09B /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CCM                0xC09C  /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CCM                0xC09D  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM            0xC09E  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM            0xC09F  /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8              0xC0A0  /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8              0xC0A1  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8          0xC0A2  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8          0xC0A3  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CCM                0xC0A4  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CCM                0xC0A5  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM            0xC0A6  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM            0xC0A7  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8              0xC0A8  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8              0xC0A9  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8          0xC0AA  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8          0xC0AB  /**< TLS 1.2 */
+/* The last two are named with PSK_DHE in the RFC, which looks like a typo */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM        0xC0AC  /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM        0xC0AD  /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8      0xC0AE  /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8      0xC0AF  /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8          0xC0FF  /**< experimental */
+
+/* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange.
+ * Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below
+ */
+typedef enum {
+    MBEDTLS_KEY_EXCHANGE_NONE = 0,
+    MBEDTLS_KEY_EXCHANGE_RSA,
+    MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+    MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+    MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+    MBEDTLS_KEY_EXCHANGE_PSK,
+    MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+    MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+    MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+    MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+    MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+    MBEDTLS_KEY_EXCHANGE_ECJPAKE,
+} mbedtls_key_exchange_type_t;
+
+/* Key exchanges using a certificate */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED
+#endif
+
+/* Key exchanges allowing client certificate requests */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)    ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED
+#endif
+
+/* Key exchanges involving server signature in ServerKeyExchange */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED
+#endif
+
+/* Key exchanges using ECDH */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED
+#endif
+
+/* Key exchanges that don't involve ephemeral keys */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED
+#endif
+
+/* Key exchanges that involve ephemeral keys */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED
+#endif
+
+/* Key exchanges using a PSK */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
+#endif
+
+/* Key exchanges using DHE */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED
+#endif
+
+/* Key exchanges using ECDHE */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
+#endif
+
+typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t;
+
+#define MBEDTLS_CIPHERSUITE_WEAK       0x01    /**< Weak ciphersuite flag  */
+#define MBEDTLS_CIPHERSUITE_SHORT_TAG  0x02    /**< Short authentication tag,
+                                                     eg for CCM_8 */
+#define MBEDTLS_CIPHERSUITE_NODTLS     0x04    /**< Can't be used with DTLS */
+
+/**
+ * \brief   This structure is used for storing ciphersuite information
+ */
+struct mbedtls_ssl_ciphersuite_t
+{
+    int id;
+    const char * name;
+
+    mbedtls_cipher_type_t cipher;
+    mbedtls_md_type_t mac;
+    mbedtls_key_exchange_type_t key_exchange;
+
+    int min_major_ver;
+    int min_minor_ver;
+    int max_major_ver;
+    int max_minor_ver;
+
+    unsigned char flags;
+};
+
+const int *mbedtls_ssl_list_ciphersuites( void );
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name );
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite_id );
+
+#if defined(MBEDTLS_PK_C)
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info );
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info );
+#endif
+
+int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info );
+int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
+static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
+
+static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_server_signature( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_ciphersuites.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ssl_cookie.h b/third-party/mbedtls-3.6/include/mbedtls/ssl_cookie.h
new file mode 100644
index 00000000..cd526f6d
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ssl_cookie.h
@@ -0,0 +1,140 @@
+/**
+ * \file ssl_cookie.h
+ *
+ * \brief DTLS cookie callbacks implementation
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_SSL_COOKIE_H
+#define MBEDTLS_SSL_COOKIE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+#ifndef MBEDTLS_SSL_COOKIE_TIMEOUT
+#define MBEDTLS_SSL_COOKIE_TIMEOUT     60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Context for the default cookie functions.
+ */
+typedef struct
+{
+    mbedtls_md_context_t    hmac_ctx;   /*!< context for the HMAC portion   */
+#if !defined(MBEDTLS_HAVE_TIME)
+    unsigned long   serial;     /*!< serial number for expiration   */
+#endif
+    unsigned long   timeout;    /*!< timeout delay, in seconds if HAVE_TIME,
+                                     or in number of tickets issued */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;
+#endif
+} mbedtls_ssl_cookie_ctx;
+
+/**
+ * \brief          Initialize cookie context
+ */
+void mbedtls_ssl_cookie_init( mbedtls_ssl_cookie_ctx *ctx );
+
+/**
+ * \brief          Setup cookie context (generate keys)
+ */
+int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+/**
+ * \brief          Set expiration delay for cookies
+ *                 (Default MBEDTLS_SSL_COOKIE_TIMEOUT)
+ *
+ * \param ctx      Cookie contex
+ * \param delay    Delay, in seconds if HAVE_TIME, or in number of cookies
+ *                 issued in the meantime.
+ *                 0 to disable expiration (NOT recommended)
+ */
+void mbedtls_ssl_cookie_set_timeout( mbedtls_ssl_cookie_ctx *ctx, unsigned long delay );
+
+/**
+ * \brief          Free cookie context
+ */
+void mbedtls_ssl_cookie_free( mbedtls_ssl_cookie_ctx *ctx );
+
+/**
+ * \brief          Generate cookie, see \c mbedtls_ssl_cookie_write_t
+ */
+mbedtls_ssl_cookie_write_t mbedtls_ssl_cookie_write;
+
+/**
+ * \brief          Verify cookie, see \c mbedtls_ssl_cookie_write_t
+ */
+mbedtls_ssl_cookie_check_t mbedtls_ssl_cookie_check;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_cookie.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ssl_internal.h b/third-party/mbedtls-3.6/include/mbedtls/ssl_internal.h
new file mode 100644
index 00000000..6a04c8d0
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ssl_internal.h
@@ -0,0 +1,821 @@
+/**
+ * \file ssl_internal.h
+ *
+ * \brief Internal functions shared by the SSL modules
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_SSL_INTERNAL_H
+#define MBEDTLS_SSL_INTERNAL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+#include "cipher.h"
+
+#if defined(MBEDTLS_MD5_C)
+#include "md5.h"
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#include "sha1.h"
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#include "sha256.h"
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#include "sha512.h"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#include "ecjpake.h"
+#endif
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Determine minimum supported version */
+#define MBEDTLS_SSL_MIN_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1   */
+#endif /* MBEDTLS_SSL_PROTO_SSL3   */
+
+#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
+#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
+
+/* Determine maximum supported version */
+#define MBEDTLS_SSL_MAX_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
+#else
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
+#endif /* MBEDTLS_SSL_PROTO_SSL3   */
+#endif /* MBEDTLS_SSL_PROTO_TLS1   */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#define MBEDTLS_SSL_INITIAL_HANDSHAKE           0
+#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS   1   /* In progress */
+#define MBEDTLS_SSL_RENEGOTIATION_DONE          2   /* Done or aborted */
+#define MBEDTLS_SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */
+
+/*
+ * DTLS retransmission states, see RFC 6347 4.2.4
+ *
+ * The SENDING state is merged in PREPARING for initial sends,
+ * but is distinct for resends.
+ *
+ * Note: initial state is wrong for server, but is not used anyway.
+ */
+#define MBEDTLS_SSL_RETRANS_PREPARING       0
+#define MBEDTLS_SSL_RETRANS_SENDING         1
+#define MBEDTLS_SSL_RETRANS_WAITING         2
+#define MBEDTLS_SSL_RETRANS_FINISHED        3
+
+/* This macro determines whether CBC is supported. */
+#if defined(MBEDTLS_CIPHER_MODE_CBC) &&                               \
+    ( defined(MBEDTLS_AES_C)      ||                                  \
+      defined(MBEDTLS_CAMELLIA_C) ||                                  \
+      defined(MBEDTLS_DES_C) )
+#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
+#endif
+
+/* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as
+ * opposed to the very different CBC construct used in SSLv3) is supported. */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
+    ( defined(MBEDTLS_SSL_PROTO_TLS1) ||        \
+      defined(MBEDTLS_SSL_PROTO_TLS1_1) ||      \
+      defined(MBEDTLS_SSL_PROTO_TLS1_2) )
+#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
+#endif
+
+/*
+ * Allow extra bytes for record, authentication and encryption overhead:
+ * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
+ * and allow for a maximum of 1024 of compression expansion if
+ * enabled.
+ */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+#define MBEDTLS_SSL_COMPRESSION_ADD          1024
+#else
+#define MBEDTLS_SSL_COMPRESSION_ADD             0
+#endif
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_MODE_CBC)
+/* Ciphersuites using HMAC */
+#if defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_SSL_MAC_ADD                 48  /* SHA-384 used for HMAC */
+#elif defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_SSL_MAC_ADD                 32  /* SHA-256 used for HMAC */
+#else
+#define MBEDTLS_SSL_MAC_ADD                 20  /* SHA-1   used for HMAC */
+#endif
+#else
+/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
+#define MBEDTLS_SSL_MAC_ADD                 16
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define MBEDTLS_SSL_PADDING_ADD            256
+#else
+#define MBEDTLS_SSL_PADDING_ADD              0
+#endif
+
+#define MBEDTLS_SSL_PAYLOAD_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN    \
+                        + MBEDTLS_SSL_COMPRESSION_ADD            \
+                        + MBEDTLS_MAX_IV_LENGTH                  \
+                        + MBEDTLS_SSL_MAC_ADD                    \
+                        + MBEDTLS_SSL_PADDING_ADD                \
+                        )
+
+/* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
+#define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN  65534
+
+/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
+#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN         65535
+
+/*
+ * Check that we obey the standard's message size bounds
+ */
+
+#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
+#error Bad configuration - record content too large.
+#endif
+
+#if MBEDTLS_SSL_PAYLOAD_LEN > 16384 + 2048
+#error Bad configuration - protected record payload too large.
+#endif
+
+/* Note: Even though the TLS record header is only 5 bytes
+   long, we're internally using 8 bytes to store the
+   implicit sequence number. */
+#define MBEDTLS_SSL_HEADER_LEN 13
+
+#define MBEDTLS_SSL_BUFFER_LEN  \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_PAYLOAD_LEN ) )
+
+/*
+ * TLS extension flags (for extensions with outgoing ServerHello content
+ * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
+ * of state of the renegotiation flag, so no indicator is required)
+ */
+#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
+#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK                 (1 << 1)
+
+/**
+ * \brief        This function checks if the remaining size in a buffer is
+ *               greater or equal than a needed space.
+ *
+ * \param cur    Pointer to the current position in the buffer.
+ * \param end    Pointer to one past the end of the buffer.
+ * \param need   Needed space in bytes.
+ *
+ * \return       Zero if the needed space is available in the buffer, non-zero
+ *               otherwise.
+ */
+static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
+                                           const uint8_t *end, size_t need )
+{
+    return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
+}
+
+/**
+ * \brief        This macro checks if the remaining size in a buffer is
+ *               greater or equal than a needed space. If it is not the case,
+ *               it returns an SSL_BUFFER_TOO_SMALL error.
+ *
+ * \param cur    Pointer to the current position in the buffer.
+ * \param end    Pointer to one past the end of the buffer.
+ * \param need   Needed space in bytes.
+ *
+ */
+#define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need )                        \
+    do {                                                                 \
+        if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
+        {                                                                \
+            return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );                  \
+        }                                                                \
+    } while( 0 )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/*
+ * Abstraction for a grid of allowed signature-hash-algorithm pairs.
+ */
+struct mbedtls_ssl_sig_hash_set_t
+{
+    /* At the moment, we only need to remember a single suitable
+     * hash algorithm per signature algorithm. As long as that's
+     * the case - and we don't need a general lookup function -
+     * we can implement the sig-hash-set as a map from signatures
+     * to hash algorithms. */
+    mbedtls_md_type_t rsa;
+    mbedtls_md_type_t ecdsa;
+};
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+/*
+ * This structure contains the parameters only needed during handshake.
+ */
+struct mbedtls_ssl_handshake_params
+{
+    /*
+     * Handshake specific crypto variables
+     */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    mbedtls_ssl_sig_hash_set_t hash_algs;             /*!<  Set of suitable sig-hash pairs */
+#endif
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_context dhm_ctx;                /*!<  DHM key exchange        */
+#endif
+#if defined(MBEDTLS_ECDH_C)
+    mbedtls_ecdh_context ecdh_ctx;              /*!<  ECDH key exchange       */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_context ecjpake_ctx;        /*!< EC J-PAKE key exchange */
+#if defined(MBEDTLS_SSL_CLI_C)
+    unsigned char *ecjpake_cache;               /*!< Cache for ClientHello ext */
+    size_t ecjpake_cache_len;                   /*!< Length of cached data */
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    const mbedtls_ecp_curve_info **curves;      /*!<  Supported elliptic curves */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    unsigned char *psk;                 /*!<  PSK from the callback         */
+    size_t psk_len;                     /*!<  Length of PSK from callback   */
+#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_ssl_key_cert *key_cert;     /*!< chosen key/cert pair (server)  */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    int sni_authmode;                   /*!< authmode from SNI callback     */
+    mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI         */
+    mbedtls_x509_crt *sni_ca_chain;     /*!< trusted CAs from SNI callback  */
+    mbedtls_x509_crl *sni_ca_crl;       /*!< trusted CAs CRLs from SNI      */
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
+    unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */
+
+    unsigned char *verify_cookie;       /*!<  Cli: HelloVerifyRequest cookie
+                                              Srv: unused                    */
+    unsigned char verify_cookie_len;    /*!<  Cli: cookie length
+                                              Srv: flag for sending a cookie */
+
+    unsigned char *hs_msg;              /*!<  Reassembled handshake message  */
+
+    uint32_t retransmit_timeout;        /*!<  Current value of timeout       */
+    unsigned char retransmit_state;     /*!<  Retransmission state           */
+    mbedtls_ssl_flight_item *flight;            /*!<  Current outgoing flight        */
+    mbedtls_ssl_flight_item *cur_msg;           /*!<  Current message in flight      */
+    unsigned int in_flight_start_seq;   /*!<  Minimum message sequence in the
+                                              flight being received          */
+    mbedtls_ssl_transform *alt_transform_out;   /*!<  Alternative transform for
+                                              resending messages             */
+    unsigned char alt_out_ctr[8];       /*!<  Alternative record epoch/counter
+                                              for resending messages         */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /*
+     * Checksum contexts
+     */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+       mbedtls_md5_context fin_md5;
+      mbedtls_sha1_context fin_sha1;
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_context fin_sha256;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_context fin_sha512;
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
+    void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
+    void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
+    int  (*tls_prf)(const unsigned char *, size_t, const char *,
+                    const unsigned char *, size_t,
+                    unsigned char *, size_t);
+
+    size_t pmslen;                      /*!<  premaster length        */
+
+    unsigned char randbytes[64];        /*!<  random bytes            */
+    unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
+                                        /*!<  premaster secret        */
+
+    int resume;                         /*!<  session resume indicator*/
+    int max_major_ver;                  /*!< max. major version client*/
+    int max_minor_ver;                  /*!< max. minor version client*/
+    int cli_exts;                       /*!< client extension presence*/
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    int new_session_ticket;             /*!< use NewSessionTicket?    */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    int extended_ms;                    /*!< use Extended Master Secret? */
+#endif
+};
+
+/*
+ * This structure contains a full set of runtime transform parameters
+ * either in negotiation or active.
+ */
+struct mbedtls_ssl_transform
+{
+    /*
+     * Session specific crypto layer
+     */
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+                                        /*!<  Chosen cipersuite_info  */
+    unsigned int keylen;                /*!<  symmetric key length (bytes)  */
+    size_t minlen;                      /*!<  min. ciphertext length  */
+    size_t ivlen;                       /*!<  IV length               */
+    size_t fixed_ivlen;                 /*!<  Fixed part of IV (AEAD) */
+    size_t maclen;                      /*!<  MAC length              */
+
+    unsigned char iv_enc[16];           /*!<  IV (encryption)         */
+    unsigned char iv_dec[16];           /*!<  IV (decryption)         */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    /* Needed only for SSL v3.0 secret */
+    unsigned char mac_enc[20];          /*!<  SSL v3.0 secret (enc)   */
+    unsigned char mac_dec[20];          /*!<  SSL v3.0 secret (dec)   */
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+    mbedtls_md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
+    mbedtls_md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */
+
+    mbedtls_cipher_context_t cipher_ctx_enc;    /*!<  encryption context      */
+    mbedtls_cipher_context_t cipher_ctx_dec;    /*!<  decryption context      */
+
+    /*
+     * Session specific compression layer
+     */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    z_stream ctx_deflate;               /*!<  compression context     */
+    z_stream ctx_inflate;               /*!<  decompression context   */
+#endif
+};
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/*
+ * List of certificate + private key pairs
+ */
+struct mbedtls_ssl_key_cert
+{
+    mbedtls_x509_crt *cert;                 /*!< cert                       */
+    mbedtls_pk_context *key;                /*!< private key                */
+    mbedtls_ssl_key_cert *next;             /*!< next key/cert pair         */
+};
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/*
+ * List of handshake messages kept around for resending
+ */
+struct mbedtls_ssl_flight_item
+{
+    unsigned char *p;       /*!< message, including handshake headers   */
+    size_t len;             /*!< length of p                            */
+    unsigned char type;     /*!< type of the message: handshake or CCS  */
+    mbedtls_ssl_flight_item *next;  /*!< next handshake message(s)              */
+};
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/* Find an entry in a signature-hash set matching a given hash algorithm. */
+mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
+                                                 mbedtls_pk_type_t sig_alg );
+/* Add a signature-hash-pair to a signature-hash set */
+void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
+                                   mbedtls_pk_type_t sig_alg,
+                                   mbedtls_md_type_t md_alg );
+/* Allow exactly one hash algorithm for each signature. */
+void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
+                                          mbedtls_md_type_t md_alg );
+
+/* Setup an empty signature-hash set */
+static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
+{
+    mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+/**
+ * \brief           Free referenced items in an SSL transform context and clear
+ *                  memory
+ *
+ * \param transform SSL transform context
+ */
+void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
+
+/**
+ * \brief           Free referenced items in an SSL handshake context and clear
+ *                  memory
+ *
+ * \param handshake SSL handshake context
+ */
+void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake );
+
+int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
+
+void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief       Update record layer
+ *
+ *              This function roughly separates the implementation
+ *              of the logic of (D)TLS from the implementation
+ *              of the secure transport.
+ *
+ * \param  ssl  SSL context to use
+ *
+ * \return      0 or non-zero error code.
+ *
+ * \note        A clarification on what is called 'record layer' here
+ *              is in order, as many sensible definitions are possible:
+ *
+ *              The record layer takes as input an untrusted underlying
+ *              transport (stream or datagram) and transforms it into
+ *              a serially multiplexed, secure transport, which
+ *              conceptually provides the following:
+ *
+ *              (1) Three datagram based, content-agnostic transports
+ *                  for handshake, alert and CCS messages.
+ *              (2) One stream- or datagram-based transport
+ *                  for application data.
+ *              (3) Functionality for changing the underlying transform
+ *                  securing the contents.
+ *
+ *              The interface to this functionality is given as follows:
+ *
+ *              a Updating
+ *                [Currently implemented by mbedtls_ssl_read_record]
+ *
+ *                Check if and on which of the four 'ports' data is pending:
+ *                Nothing, a controlling datagram of type (1), or application
+ *                data (2). In any case data is present, internal buffers
+ *                provide access to the data for the user to process it.
+ *                Consumption of type (1) datagrams is done automatically
+ *                on the next update, invalidating that the internal buffers
+ *                for previous datagrams, while consumption of application
+ *                data (2) is user-controlled.
+ *
+ *              b Reading of application data
+ *                [Currently manual adaption of ssl->in_offt pointer]
+ *
+ *                As mentioned in the last paragraph, consumption of data
+ *                is different from the automatic consumption of control
+ *                datagrams (1) because application data is treated as a stream.
+ *
+ *              c Tracking availability of application data
+ *                [Currently manually through decreasing ssl->in_msglen]
+ *
+ *                For efficiency and to retain datagram semantics for
+ *                application data in case of DTLS, the record layer
+ *                provides functionality for checking how much application
+ *                data is still available in the internal buffer.
+ *
+ *              d Changing the transformation securing the communication.
+ *
+ *              Given an opaque implementation of the record layer in the
+ *              above sense, it should be possible to implement the logic
+ *              of (D)TLS on top of it without the need to know anything
+ *              about the record layer's internals. This is done e.g.
+ *              in all the handshake handling functions, and in the
+ *              application data reading function mbedtls_ssl_read.
+ *
+ * \note        The above tries to give a conceptual picture of the
+ *              record layer, but the current implementation deviates
+ *              from it in some places. For example, our implementation of
+ *              the update functionality through mbedtls_ssl_read_record
+ *              discards datagrams depending on the current state, which
+ *              wouldn't fall under the record layer's responsibility
+ *              following the above definition.
+ *
+ */
+int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
+
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
+
+void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
+                            const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
+#endif
+
+#if defined(MBEDTLS_PK_C)
+unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
+unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
+mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
+#endif
+
+mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
+unsigned char mbedtls_ssl_hash_from_md_alg( int md );
+int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
+
+#if defined(MBEDTLS_ECP_C)
+int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
+                                mbedtls_md_type_t md );
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_key_cert *key_cert;
+
+    if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
+        key_cert = ssl->handshake->key_cert;
+    else
+        key_cert = ssl->conf->key_cert;
+
+    return( key_cert == NULL ? NULL : key_cert->key );
+}
+
+static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_key_cert *key_cert;
+
+    if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
+        key_cert = ssl->handshake->key_cert;
+    else
+        key_cert = ssl->conf->key_cert;
+
+    return( key_cert == NULL ? NULL : key_cert->cert );
+}
+
+/*
+ * Check usage of a certificate wrt extensions:
+ * keyUsage, extendedKeyUsage (later), and nSCertType (later).
+ *
+ * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
+ * check a cert we received from them)!
+ *
+ * Return 0 if everything is OK, -1 if not.
+ */
+int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
+                          const mbedtls_ssl_ciphersuite_t *ciphersuite,
+                          int cert_endpoint,
+                          uint32_t *flags );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_ssl_write_version( int major, int minor, int transport,
+                        unsigned char ver[2] );
+void mbedtls_ssl_read_version( int *major, int *minor, int transport,
+                       const unsigned char ver[2] );
+
+static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 13 );
+#else
+    ((void) ssl);
+#endif
+    return( 5 );
+}
+
+static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 12 );
+#else
+    ((void) ssl);
+#endif
+    return( 4 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
+#endif
+
+/* Visible for testing purposes only */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
+#endif
+
+/* constant-time buffer comparison */
+static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
+{
+    size_t i;
+    volatile const unsigned char *A = (volatile const unsigned char *) a;
+    volatile const unsigned char *B = (volatile const unsigned char *) b;
+    volatile unsigned char diff = 0;
+
+    for( i = 0; i < n; i++ )
+    {
+        /* Read volatile data in order before computing diff.
+         * This avoids IAR compiler warning:
+         * 'the order of volatile accesses is undefined ..' */
+        unsigned char x = A[i], y = B[i];
+        diff |= x ^ y;
+    }
+
+    return( diff );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
+                                        unsigned char *output,
+                                        unsigned char *data, size_t data_len );
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
+                                        unsigned char *output,
+                                        unsigned char *data, size_t data_len,
+                                        mbedtls_md_type_t md_alg );
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
+/** \brief Compute the HMAC of variable-length data with constant flow.
+ *
+ * This function computes the HMAC of the concatenation of \p add_data and \p
+ * data, and does with a code flow and memory access pattern that does not
+ * depend on \p data_len_secret, but only on \p min_data_len and \p
+ * max_data_len. In particular, this function always reads exactly \p
+ * max_data_len bytes from \p data.
+ *
+ * \param ctx               The HMAC context. It must have keys configured
+ *                          with mbedtls_md_hmac_starts() and use one of the
+ *                          following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
+ *                          It is reset using mbedtls_md_hmac_reset() after
+ *                          the computation is complete to prepare for the
+ *                          next computation.
+ * \param add_data          The additional data prepended to \p data. This
+ *                          must point to a readable buffer of \p add_data_len
+ *                          bytes.
+ * \param add_data_len      The length of \p add_data in bytes.
+ * \param data              The data appended to \p add_data. This must point
+ *                          to a readable buffer of \p max_data_len bytes.
+ * \param data_len_secret   The length of the data to process in \p data.
+ *                          This must be no less than \p min_data_len and no
+ *                          greater than \p max_data_len.
+ * \param min_data_len      The minimal length of \p data in bytes.
+ * \param max_data_len      The maximal length of \p data in bytes.
+ * \param output            The HMAC will be written here. This must point to
+ *                          a writable buffer of sufficient size to hold the
+ *                          HMAC value.
+ *
+ * \retval 0
+ *         Success.
+ * \retval non-zero
+ *         Failure.
+ */
+int mbedtls_ssl_cf_hmac(
+        mbedtls_md_context_t *ctx,
+        const unsigned char *add_data, size_t add_data_len,
+        const unsigned char *data, size_t data_len_secret,
+        size_t min_data_len, size_t max_data_len,
+        unsigned char *output );
+
+/** \brief Copy data from a secret position with constant flow.
+ *
+ * This function copies \p len bytes from \p src_base + \p offset_secret to \p
+ * dst, with a code flow and memory access pattern that does not depend on \p
+ * offset_secret, but only on \p offset_min, \p offset_max and \p len.
+ *
+ * \param dst           The destination buffer. This must point to a writable
+ *                      buffer of at least \p len bytes.
+ * \param src_base      The base of the source buffer. This must point to a
+ *                      readable buffer of at least \p offset_max + \p len
+ *                      bytes.
+ * \param offset_secret The offset in the source buffer from which to copy.
+ *                      This must be no less than \p offset_min and no greater
+ *                      than \p offset_max.
+ * \param offset_min    The minimal value of \p offset_secret.
+ * \param offset_max    The maximal value of \p offset_secret.
+ * \param len           The number of bytes to copy.
+ */
+void mbedtls_ssl_cf_memcpy_offset( unsigned char *dst,
+                                   const unsigned char *src_base,
+                                   size_t offset_secret,
+                                   size_t offset_min, size_t offset_max,
+                                   size_t len );
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_internal.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/ssl_ticket.h b/third-party/mbedtls-3.6/include/mbedtls/ssl_ticket.h
new file mode 100644
index 00000000..53c39c5f
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/ssl_ticket.h
@@ -0,0 +1,167 @@
+/**
+ * \file ssl_ticket.h
+ *
+ * \brief TLS server ticket callbacks implementation
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_SSL_TICKET_H
+#define MBEDTLS_SSL_TICKET_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/*
+ * This implementation of the session ticket callbacks includes key
+ * management, rotating the keys periodically in order to preserve forward
+ * secrecy, when MBEDTLS_HAVE_TIME is defined.
+ */
+
+#include "ssl.h"
+#include "cipher.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   Information for session ticket protection
+ */
+typedef struct
+{
+    unsigned char name[4];          /*!< random key identifier              */
+    uint32_t generation_time;       /*!< key generation timestamp (seconds) */
+    mbedtls_cipher_context_t ctx;   /*!< context for auth enc/decryption    */
+}
+mbedtls_ssl_ticket_key;
+
+/**
+ * \brief   Context for session ticket handling functions
+ */
+typedef struct
+{
+    mbedtls_ssl_ticket_key keys[2]; /*!< ticket protection keys             */
+    unsigned char active;           /*!< index of the currently active key  */
+
+    uint32_t ticket_lifetime;       /*!< lifetime of tickets in seconds     */
+
+    /** Callback for getting (pseudo-)random numbers                        */
+    int  (*f_rng)(void *, unsigned char *, size_t);
+    void *p_rng;                    /*!< context for the RNG function       */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;
+#endif
+}
+mbedtls_ssl_ticket_context;
+
+/**
+ * \brief           Initialize a ticket context.
+ *                  (Just make it ready for mbedtls_ssl_ticket_setup()
+ *                  or mbedtls_ssl_ticket_free().)
+ *
+ * \param ctx       Context to be initialized
+ */
+void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx );
+
+/**
+ * \brief           Prepare context to be actually used
+ *
+ * \param ctx       Context to be set up
+ * \param f_rng     RNG callback function
+ * \param p_rng     RNG callback context
+ * \param cipher    AEAD cipher to use for ticket protection.
+ *                  Recommended value: MBEDTLS_CIPHER_AES_256_GCM.
+ * \param lifetime  Tickets lifetime in seconds
+ *                  Recommended value: 86400 (one day).
+ *
+ * \note            It is highly recommended to select a cipher that is at
+ *                  least as strong as the the strongest ciphersuite
+ *                  supported. Usually that means a 256-bit key.
+ *
+ * \note            The lifetime of the keys is twice the lifetime of tickets.
+ *                  It is recommended to pick a reasonnable lifetime so as not
+ *                  to negate the benefits of forward secrecy.
+ *
+ * \return          0 if successful,
+ *                  or a specific MBEDTLS_ERR_XXX error code
+ */
+int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
+    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+    mbedtls_cipher_type_t cipher,
+    uint32_t lifetime );
+
+/**
+ * \brief           Implementation of the ticket write callback
+ *
+ * \note            See \c mbedtls_ssl_ticket_write_t for description
+ */
+mbedtls_ssl_ticket_write_t mbedtls_ssl_ticket_write;
+
+/**
+ * \brief           Implementation of the ticket parse callback
+ *
+ * \note            See \c mbedtls_ssl_ticket_parse_t for description
+ */
+mbedtls_ssl_ticket_parse_t mbedtls_ssl_ticket_parse;
+
+/**
+ * \brief           Free a context's content and zeroize it.
+ *
+ * \param ctx       Context to be cleaned up
+ */
+void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_ticket.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/threading.h b/third-party/mbedtls-3.6/include/mbedtls/threading.h
new file mode 100644
index 00000000..f1d53bdb
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/threading.h
@@ -0,0 +1,139 @@
+/**
+ * \file threading.h
+ *
+ * \brief Threading abstraction layer
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_THREADING_H
+#define MBEDTLS_THREADING_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdlib.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE         -0x001A  /**< The selected feature is not available. */
+#define MBEDTLS_ERR_THREADING_BAD_INPUT_DATA              -0x001C  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_THREADING_MUTEX_ERROR                 -0x001E  /**< Locking / unlocking / free failed with error code. */
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+#include <pthread.h>
+typedef struct
+{
+    pthread_mutex_t mutex;
+    /* is_valid is 0 after a failed init or a free, and nonzero after a
+     * successful init. This field is not considered part of the public
+     * API of Mbed TLS and may change without notice. */
+    char is_valid;
+} mbedtls_threading_mutex_t;
+#endif
+
+#if defined(MBEDTLS_THREADING_ALT)
+/* You should define the mbedtls_threading_mutex_t type in your header */
+#include "threading_alt.h"
+
+/**
+ * \brief           Set your alternate threading implementation function
+ *                  pointers and initialize global mutexes. If used, this
+ *                  function must be called once in the main thread before any
+ *                  other mbed TLS function is called, and
+ *                  mbedtls_threading_free_alt() must be called once in the main
+ *                  thread after all other mbed TLS functions.
+ *
+ * \note            mutex_init() and mutex_free() don't return a status code.
+ *                  If mutex_init() fails, it should leave its argument (the
+ *                  mutex) in a state such that mutex_lock() will fail when
+ *                  called with this argument.
+ *
+ * \param mutex_init    the init function implementation
+ * \param mutex_free    the free function implementation
+ * \param mutex_lock    the lock function implementation
+ * \param mutex_unlock  the unlock function implementation
+ */
+void mbedtls_threading_set_alt( void (*mutex_init)( mbedtls_threading_mutex_t * ),
+                       void (*mutex_free)( mbedtls_threading_mutex_t * ),
+                       int (*mutex_lock)( mbedtls_threading_mutex_t * ),
+                       int (*mutex_unlock)( mbedtls_threading_mutex_t * ) );
+
+/**
+ * \brief               Free global mutexes.
+ */
+void mbedtls_threading_free_alt( void );
+#endif /* MBEDTLS_THREADING_ALT */
+
+#if defined(MBEDTLS_THREADING_C)
+/*
+ * The function pointers for mutex_init, mutex_free, mutex_ and mutex_unlock
+ *
+ * All these functions are expected to work or the result will be undefined.
+ */
+extern void (*mbedtls_mutex_init)( mbedtls_threading_mutex_t *mutex );
+extern void (*mbedtls_mutex_free)( mbedtls_threading_mutex_t *mutex );
+extern int (*mbedtls_mutex_lock)( mbedtls_threading_mutex_t *mutex );
+extern int (*mbedtls_mutex_unlock)( mbedtls_threading_mutex_t *mutex );
+
+/*
+ * Global mutexes
+ */
+#if defined(MBEDTLS_FS_IO)
+extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex;
+#endif
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
+#endif
+#endif /* MBEDTLS_THREADING_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* threading.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/timing.h b/third-party/mbedtls-3.6/include/mbedtls/timing.h
new file mode 100644
index 00000000..564e76b8
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/timing.h
@@ -0,0 +1,186 @@
+/**
+ * \file timing.h
+ *
+ * \brief Portable interface to timeouts and to the CPU cycle counter
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_TIMING_H
+#define MBEDTLS_TIMING_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if !defined(MBEDTLS_TIMING_ALT)
+// Regular implementation
+//
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          timer structure
+ */
+struct mbedtls_timing_hr_time
+{
+    unsigned char opaque[32];
+};
+
+/**
+ * \brief          Context for mbedtls_timing_set/get_delay()
+ */
+typedef struct
+{
+    struct mbedtls_timing_hr_time   timer;
+    uint32_t                        int_ms;
+    uint32_t                        fin_ms;
+} mbedtls_timing_delay_context;
+
+extern volatile int mbedtls_timing_alarmed;
+
+/**
+ * \brief          Return the CPU cycle counter value
+ *
+ * \warning        This is only a best effort! Do not rely on this!
+ *                 In particular, it is known to be unreliable on virtual
+ *                 machines.
+ *
+ * \note           This value starts at an unspecified origin and
+ *                 may wrap around.
+ */
+unsigned long mbedtls_timing_hardclock( void );
+
+/**
+ * \brief          Return the elapsed time in milliseconds
+ *
+ * \param val      points to a timer structure
+ * \param reset    If 0, query the elapsed time. Otherwise (re)start the timer.
+ *
+ * \return         Elapsed time since the previous reset in ms. When
+ *                 restarting, this is always 0.
+ *
+ * \note           To initialize a timer, call this function with reset=1.
+ *
+ *                 Determining the elapsed time and resetting the timer is not
+ *                 atomic on all platforms, so after the sequence
+ *                 `{ get_timer(1); ...; time1 = get_timer(1); ...; time2 =
+ *                 get_timer(0) }` the value time1+time2 is only approximately
+ *                 the delay since the first reset.
+ */
+unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset );
+
+/**
+ * \brief          Setup an alarm clock
+ *
+ * \param seconds  delay before the "mbedtls_timing_alarmed" flag is set
+ *                 (must be >=0)
+ *
+ * \warning        Only one alarm at a time  is supported. In a threaded
+ *                 context, this means one for the whole process, not one per
+ *                 thread.
+ */
+void mbedtls_set_alarm( int seconds );
+
+/**
+ * \brief          Set a pair of delays to watch
+ *                 (See \c mbedtls_timing_get_delay().)
+ *
+ * \param data     Pointer to timing data.
+ *                 Must point to a valid \c mbedtls_timing_delay_context struct.
+ * \param int_ms   First (intermediate) delay in milliseconds.
+ *                 The effect if int_ms > fin_ms is unspecified.
+ * \param fin_ms   Second (final) delay in milliseconds.
+ *                 Pass 0 to cancel the current delay.
+ *
+ * \note           To set a single delay, either use \c mbedtls_timing_set_timer
+ *                 directly or use this function with int_ms == fin_ms.
+ */
+void mbedtls_timing_set_delay( void *data, uint32_t int_ms, uint32_t fin_ms );
+
+/**
+ * \brief          Get the status of delays
+ *                 (Memory helper: number of delays passed.)
+ *
+ * \param data     Pointer to timing data
+ *                 Must point to a valid \c mbedtls_timing_delay_context struct.
+ *
+ * \return         -1 if cancelled (fin_ms = 0),
+ *                  0 if none of the delays are passed,
+ *                  1 if only the intermediate delay is passed,
+ *                  2 if the final delay is passed.
+ */
+int mbedtls_timing_get_delay( void *data );
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_TIMING_ALT */
+#include "timing_alt.h"
+#endif /* MBEDTLS_TIMING_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_timing_self_test( int verbose );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* timing.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/version.h b/third-party/mbedtls-3.6/include/mbedtls/version.h
new file mode 100644
index 00000000..622bebf5
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/version.h
@@ -0,0 +1,137 @@
+/**
+ * \file version.h
+ *
+ * \brief Run-time version information
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ * This set of compile-time defines and run-time variables can be used to
+ * determine the version number of the mbed TLS library used.
+ */
+#ifndef MBEDTLS_VERSION_H
+#define MBEDTLS_VERSION_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/**
+ * The version number x.y.z is split into three parts.
+ * Major, Minor, Patchlevel
+ */
+#define MBEDTLS_VERSION_MAJOR  2
+#define MBEDTLS_VERSION_MINOR  7
+#define MBEDTLS_VERSION_PATCH  19
+
+/**
+ * The single version number has the following structure:
+ *    MMNNPP00
+ *    Major version | Minor version | Patch version
+ */
+#define MBEDTLS_VERSION_NUMBER         0x02071300
+#define MBEDTLS_VERSION_STRING         "2.7.19"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.7.19"
+
+#if defined(MBEDTLS_VERSION_C)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Get the version number.
+ *
+ * \return          The constructed version number in the format
+ *                  MMNNPP00 (Major, Minor, Patch).
+ */
+unsigned int mbedtls_version_get_number( void );
+
+/**
+ * Get the version string ("x.y.z").
+ *
+ * \param string    The string that will receive the value.
+ *                  (Should be at least 9 bytes in size)
+ */
+void mbedtls_version_get_string( char *string );
+
+/**
+ * Get the full version string ("mbed TLS x.y.z").
+ *
+ * \param string    The string that will receive the value. The mbed TLS version
+ *                  string will use 18 bytes AT MOST including a terminating
+ *                  null byte.
+ *                  (So the buffer should be at least 18 bytes to receive this
+ *                  version string).
+ */
+void mbedtls_version_get_string_full( char *string );
+
+/**
+ * \brief           Check if support for a feature was compiled into this
+ *                  mbed TLS binary. This allows you to see at runtime if the
+ *                  library was for instance compiled with or without
+ *                  Multi-threading support.
+ *
+ * \note            only checks against defines in the sections "System
+ *                  support", "mbed TLS modules" and "mbed TLS feature
+ *                  support" in config.h
+ *
+ * \param feature   The string for the define to check (e.g. "MBEDTLS_AES_C")
+ *
+ * \return          0 if the feature is present,
+ *                  -1 if the feature is not present and
+ *                  -2 if support for feature checking as a whole was not
+ *                  compiled in.
+ */
+int mbedtls_version_check_feature( const char *feature );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_VERSION_C */
+
+#endif /* version.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/x509.h b/third-party/mbedtls-3.6/include/mbedtls/x509.h
new file mode 100644
index 00000000..e8b98a1e
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/x509.h
@@ -0,0 +1,358 @@
+/**
+ * \file x509.h
+ *
+ * \brief X.509 generic defines and structures
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_X509_H
+#define MBEDTLS_X509_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "asn1.h"
+#include "pk.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "rsa.h"
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{
+ */
+
+#if !defined(MBEDTLS_X509_MAX_INTERMEDIATE_CA)
+/**
+ * Maximum number of intermediate CAs in a verification chain.
+ * That is, maximum length of the chain, excluding the end-entity certificate
+ * and the trusted root certificate.
+ *
+ * Set this to a low value to prevent an adversary from making you waste
+ * resources verifying an overlong certificate chain.
+ */
+#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8
+#endif
+
+/**
+ * \name X509 Error codes
+ * \{
+ */
+#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE              -0x2080  /**< Unavailable feature, e.g. RSA hashing/encryption combination. */
+#define MBEDTLS_ERR_X509_UNKNOWN_OID                      -0x2100  /**< Requested OID is unknown. */
+#define MBEDTLS_ERR_X509_INVALID_FORMAT                   -0x2180  /**< The CRT/CRL/CSR format is invalid, e.g. different type expected. */
+#define MBEDTLS_ERR_X509_INVALID_VERSION                  -0x2200  /**< The CRT/CRL/CSR version element is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_SERIAL                   -0x2280  /**< The serial tag or value is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_ALG                      -0x2300  /**< The algorithm tag or value is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_NAME                     -0x2380  /**< The name tag or value is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_DATE                     -0x2400  /**< The date tag or value is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_SIGNATURE                -0x2480  /**< The signature tag or value invalid. */
+#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS               -0x2500  /**< The extension tag or value is invalid. */
+#define MBEDTLS_ERR_X509_UNKNOWN_VERSION                  -0x2580  /**< CRT/CRL/CSR has an unsupported version number. */
+#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG                  -0x2600  /**< Signature algorithm (oid) is unsupported. */
+#define MBEDTLS_ERR_X509_SIG_MISMATCH                     -0x2680  /**< Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */
+#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED               -0x2700  /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */
+#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT              -0x2780  /**< Format not recognized as DER or PEM. */
+#define MBEDTLS_ERR_X509_BAD_INPUT_DATA                   -0x2800  /**< Input invalid. */
+#define MBEDTLS_ERR_X509_ALLOC_FAILED                     -0x2880  /**< Allocation of memory failed. */
+#define MBEDTLS_ERR_X509_FILE_IO_ERROR                    -0x2900  /**< Read/write of file failed. */
+#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL                 -0x2980  /**< Destination buffer is too small. */
+#define MBEDTLS_ERR_X509_FATAL_ERROR                      -0x3000  /**< A fatal error occurred, eg the chain is too long or the vrfy callback failed. */
+/* \} name */
+
+/**
+ * \name X509 Verify codes
+ * \{
+ */
+/* Reminder: update x509_crt_verify_strings[] in library/x509_crt.c */
+#define MBEDTLS_X509_BADCERT_EXPIRED             0x01  /**< The certificate validity has expired. */
+#define MBEDTLS_X509_BADCERT_REVOKED             0x02  /**< The certificate has been revoked (is on a CRL). */
+#define MBEDTLS_X509_BADCERT_CN_MISMATCH         0x04  /**< The certificate Common Name (CN) does not match with the expected CN. */
+#define MBEDTLS_X509_BADCERT_NOT_TRUSTED         0x08  /**< The certificate is not correctly signed by the trusted CA. */
+#define MBEDTLS_X509_BADCRL_NOT_TRUSTED          0x10  /**< The CRL is not correctly signed by the trusted CA. */
+#define MBEDTLS_X509_BADCRL_EXPIRED              0x20  /**< The CRL is expired. */
+#define MBEDTLS_X509_BADCERT_MISSING             0x40  /**< Certificate was missing. */
+#define MBEDTLS_X509_BADCERT_SKIP_VERIFY         0x80  /**< Certificate verification was skipped. */
+#define MBEDTLS_X509_BADCERT_OTHER             0x0100  /**< Other reason (can be used by verify callback) */
+#define MBEDTLS_X509_BADCERT_FUTURE            0x0200  /**< The certificate validity starts in the future. */
+#define MBEDTLS_X509_BADCRL_FUTURE             0x0400  /**< The CRL is from the future */
+#define MBEDTLS_X509_BADCERT_KEY_USAGE         0x0800  /**< Usage does not match the keyUsage extension. */
+#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE     0x1000  /**< Usage does not match the extendedKeyUsage extension. */
+#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE      0x2000  /**< Usage does not match the nsCertType extension. */
+#define MBEDTLS_X509_BADCERT_BAD_MD            0x4000  /**< The certificate is signed with an unacceptable hash. */
+#define MBEDTLS_X509_BADCERT_BAD_PK            0x8000  /**< The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
+#define MBEDTLS_X509_BADCERT_BAD_KEY         0x010000  /**< The certificate is signed with an unacceptable key (eg bad curve, RSA too short). */
+#define MBEDTLS_X509_BADCRL_BAD_MD           0x020000  /**< The CRL is signed with an unacceptable hash. */
+#define MBEDTLS_X509_BADCRL_BAD_PK           0x040000  /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
+#define MBEDTLS_X509_BADCRL_BAD_KEY          0x080000  /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+/*
+ * X.509 v3 Key Usage Extension flags
+ * Reminder: update x509_info_key_usage() when adding new flags.
+ */
+#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE            (0x80)  /* bit 0 */
+#define MBEDTLS_X509_KU_NON_REPUDIATION              (0x40)  /* bit 1 */
+#define MBEDTLS_X509_KU_KEY_ENCIPHERMENT             (0x20)  /* bit 2 */
+#define MBEDTLS_X509_KU_DATA_ENCIPHERMENT            (0x10)  /* bit 3 */
+#define MBEDTLS_X509_KU_KEY_AGREEMENT                (0x08)  /* bit 4 */
+#define MBEDTLS_X509_KU_KEY_CERT_SIGN                (0x04)  /* bit 5 */
+#define MBEDTLS_X509_KU_CRL_SIGN                     (0x02)  /* bit 6 */
+#define MBEDTLS_X509_KU_ENCIPHER_ONLY                (0x01)  /* bit 7 */
+#define MBEDTLS_X509_KU_DECIPHER_ONLY              (0x8000)  /* bit 8 */
+
+/*
+ * Netscape certificate types
+ * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
+ */
+
+#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT         (0x80)  /* bit 0 */
+#define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER         (0x40)  /* bit 1 */
+#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL              (0x20)  /* bit 2 */
+#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING     (0x10)  /* bit 3 */
+#define MBEDTLS_X509_NS_CERT_TYPE_RESERVED           (0x08)  /* bit 4 */
+#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA             (0x04)  /* bit 5 */
+#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA           (0x02)  /* bit 6 */
+#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA  (0x01)  /* bit 7 */
+
+/*
+ * X.509 extension types
+ *
+ * Comments refer to the status for using certificates. Status can be
+ * different for writing certificates or reading CRLs or CSRs.
+ */
+#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER    (1 << 0)
+#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER      (1 << 1)
+#define MBEDTLS_X509_EXT_KEY_USAGE                   (1 << 2)
+#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES        (1 << 3)
+#define MBEDTLS_X509_EXT_POLICY_MAPPINGS             (1 << 4)
+#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME            (1 << 5)    /* Supported (DNS) */
+#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME             (1 << 6)
+#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS     (1 << 7)
+#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS           (1 << 8)    /* Supported */
+#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS            (1 << 9)
+#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS          (1 << 10)
+#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE          (1 << 11)
+#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS     (1 << 12)
+#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY          (1 << 13)
+#define MBEDTLS_X509_EXT_FRESHEST_CRL                (1 << 14)
+
+#define MBEDTLS_X509_EXT_NS_CERT_TYPE                (1 << 16)
+
+/*
+ * Storage format identifiers
+ * Recognized formats: PEM and DER
+ */
+#define MBEDTLS_X509_FORMAT_DER                 1
+#define MBEDTLS_X509_FORMAT_PEM                 2
+
+#define MBEDTLS_X509_MAX_DN_NAME_SIZE         256 /**< Maximum value size of a DN entry */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{ */
+
+/**
+ * \name Structures for parsing X.509 certificates, CRLs and CSRs
+ * \{
+ */
+
+/**
+ * Type-length-value structure that allows for ASN1 using DER.
+ */
+typedef mbedtls_asn1_buf mbedtls_x509_buf;
+
+/**
+ * Container for ASN1 bit strings.
+ */
+typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring;
+
+/**
+ * Container for ASN1 named information objects.
+ * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).
+ */
+typedef mbedtls_asn1_named_data mbedtls_x509_name;
+
+/**
+ * Container for a sequence of ASN.1 items
+ */
+typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
+
+/** Container for date and time (precision in seconds). */
+typedef struct mbedtls_x509_time
+{
+    int year, mon, day;         /**< Date. */
+    int hour, min, sec;         /**< Time. */
+}
+mbedtls_x509_time;
+
+/** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
+/** \} addtogroup x509_module */
+
+/**
+ * \brief          Store the certificate DN in printable form into buf;
+ *                 no more than size characters will be written.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param dn       The X509 name to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn );
+
+/**
+ * \brief          Store the certificate serial in printable form into buf;
+ *                 no more than size characters will be written.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param serial   The X509 serial to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_serial_gets( char *buf, size_t size, const mbedtls_x509_buf *serial );
+
+/**
+ * \brief          Check a given mbedtls_x509_time against the system time
+ *                 and tell if it's in the past.
+ *
+ * \note           Intended usage is "if( is_past( valid_to ) ) ERROR".
+ *                 Hence the return value of 1 if on internal errors.
+ *
+ * \param to       mbedtls_x509_time to check
+ *
+ * \return         1 if the given time is in the past or an error occurred,
+ *                 0 otherwise.
+ */
+int mbedtls_x509_time_is_past( const mbedtls_x509_time *to );
+
+/**
+ * \brief          Check a given mbedtls_x509_time against the system time
+ *                 and tell if it's in the future.
+ *
+ * \note           Intended usage is "if( is_future( valid_from ) ) ERROR".
+ *                 Hence the return value of 1 if on internal errors.
+ *
+ * \param from     mbedtls_x509_time to check
+ *
+ * \return         1 if the given time is in the future or an error occurred,
+ *                 0 otherwise.
+ */
+int mbedtls_x509_time_is_future( const mbedtls_x509_time *from );
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_x509_self_test( int verbose );
+
+/*
+ * Internal module functions. You probably do not want to use these unless you
+ * know you do.
+ */
+int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
+                   mbedtls_x509_name *cur );
+int mbedtls_x509_get_alg_null( unsigned char **p, const unsigned char *end,
+                       mbedtls_x509_buf *alg );
+int mbedtls_x509_get_alg( unsigned char **p, const unsigned char *end,
+                  mbedtls_x509_buf *alg, mbedtls_x509_buf *params );
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+int mbedtls_x509_get_rsassa_pss_params( const mbedtls_x509_buf *params,
+                                mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
+                                int *salt_len );
+#endif
+int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig );
+int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
+                      mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
+                      void **sig_opts );
+int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
+                   mbedtls_x509_time *t );
+int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
+                     mbedtls_x509_buf *serial );
+int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
+                  mbedtls_x509_buf *ext, int tag );
+int mbedtls_x509_sig_alg_gets( char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
+                       mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+                       const void *sig_opts );
+int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name );
+int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name );
+int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
+                        int critical, const unsigned char *val,
+                        size_t val_len );
+int mbedtls_x509_write_extensions( unsigned char **p, unsigned char *start,
+                           mbedtls_asn1_named_data *first );
+int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
+                      mbedtls_asn1_named_data *first );
+int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
+                    const char *oid, size_t oid_len,
+                    unsigned char *sig, size_t size );
+
+#define MBEDTLS_X509_SAFE_SNPRINTF                          \
+    do {                                                    \
+        if( ret < 0 || (size_t) ret >= n )                  \
+            return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );    \
+                                                            \
+        n -= (size_t) ret;                                  \
+        p += (size_t) ret;                                  \
+    } while( 0 )
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* x509.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/x509_crl.h b/third-party/mbedtls-3.6/include/mbedtls/x509_crl.h
new file mode 100644
index 00000000..2ade47c8
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/x509_crl.h
@@ -0,0 +1,199 @@
+/**
+ * \file x509_crl.h
+ *
+ * \brief X.509 certificate revocation list parsing
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_X509_CRL_H
+#define MBEDTLS_X509_CRL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "x509.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{ */
+
+/**
+ * \name Structures and functions for parsing CRLs
+ * \{
+ */
+
+/**
+ * Certificate revocation list entry.
+ * Contains the CA-specific serial numbers and revocation dates.
+ */
+typedef struct mbedtls_x509_crl_entry
+{
+    mbedtls_x509_buf raw;
+
+    mbedtls_x509_buf serial;
+
+    mbedtls_x509_time revocation_date;
+
+    mbedtls_x509_buf entry_ext;
+
+    struct mbedtls_x509_crl_entry *next;
+}
+mbedtls_x509_crl_entry;
+
+/**
+ * Certificate revocation list structure.
+ * Every CRL may have multiple entries.
+ */
+typedef struct mbedtls_x509_crl
+{
+    mbedtls_x509_buf raw;           /**< The raw certificate data (DER). */
+    mbedtls_x509_buf tbs;           /**< The raw certificate body (DER). The part that is To Be Signed. */
+
+    int version;            /**< CRL version (1=v1, 2=v2) */
+    mbedtls_x509_buf sig_oid;       /**< CRL signature type identifier */
+
+    mbedtls_x509_buf issuer_raw;    /**< The raw issuer data (DER). */
+
+    mbedtls_x509_name issuer;       /**< The parsed issuer data (named information object). */
+
+    mbedtls_x509_time this_update;
+    mbedtls_x509_time next_update;
+
+    mbedtls_x509_crl_entry entry;   /**< The CRL entries containing the certificate revocation times for this CA. */
+
+    mbedtls_x509_buf crl_ext;
+
+    mbedtls_x509_buf sig_oid2;
+    mbedtls_x509_buf sig;
+    mbedtls_md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *sig_opts;             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+
+    struct mbedtls_x509_crl *next;
+}
+mbedtls_x509_crl;
+
+/**
+ * \brief          Parse a DER-encoded CRL and append it to the chained list
+ *
+ * \param chain    points to the start of the chain
+ * \param buf      buffer holding the CRL data in DER format
+ * \param buflen   size of the buffer
+ *                 (including the terminating null byte for PEM data)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
+                        const unsigned char *buf, size_t buflen );
+/**
+ * \brief          Parse one or more CRLs and append them to the chained list
+ *
+ * \note           Multiple CRLs are accepted only if using PEM format
+ *
+ * \param chain    points to the start of the chain
+ * \param buf      buffer holding the CRL data in PEM or DER format
+ * \param buflen   size of the buffer
+ *                 (including the terminating null byte for PEM data)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Load one or more CRLs and append them to the chained list
+ *
+ * \note           Multiple CRLs are accepted only if using PEM format
+ *
+ * \param chain    points to the start of the chain
+ * \param path     filename to read the CRLs from (in PEM or DER encoding)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Returns an informational string about the CRL.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param crl      The X509 CRL to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crl *crl );
+
+/**
+ * \brief          Initialize a CRL (chain)
+ *
+ * \param crl      CRL chain to initialize
+ */
+void mbedtls_x509_crl_init( mbedtls_x509_crl *crl );
+
+/**
+ * \brief          Unallocate all CRL data
+ *
+ * \param crl      CRL chain to free
+ */
+void mbedtls_x509_crl_free( mbedtls_x509_crl *crl );
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_x509_crl.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/x509_crt.h b/third-party/mbedtls-3.6/include/mbedtls/x509_crt.h
new file mode 100644
index 00000000..af2a3b42
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/x509_crt.h
@@ -0,0 +1,710 @@
+/**
+ * \file x509_crt.h
+ *
+ * \brief X.509 certificate parsing and writing
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_X509_CRT_H
+#define MBEDTLS_X509_CRT_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "x509.h"
+#include "x509_crl.h"
+
+/**
+ * \addtogroup x509_module
+ * \{
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name Structures and functions for parsing and writing X.509 certificates
+ * \{
+ */
+
+/**
+ * Container for an X.509 certificate. The certificate may be chained.
+ */
+typedef struct mbedtls_x509_crt
+{
+    mbedtls_x509_buf raw;               /**< The raw certificate data (DER). */
+    mbedtls_x509_buf tbs;               /**< The raw certificate body (DER). The part that is To Be Signed. */
+
+    int version;                /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
+    mbedtls_x509_buf serial;            /**< Unique id for certificate issued by a specific CA. */
+    mbedtls_x509_buf sig_oid;           /**< Signature algorithm, e.g. sha1RSA */
+
+    mbedtls_x509_buf issuer_raw;        /**< The raw issuer data (DER). Used for quick comparison. */
+    mbedtls_x509_buf subject_raw;       /**< The raw subject data (DER). Used for quick comparison. */
+
+    mbedtls_x509_name issuer;           /**< The parsed issuer data (named information object). */
+    mbedtls_x509_name subject;          /**< The parsed subject data (named information object). */
+
+    mbedtls_x509_time valid_from;       /**< Start time of certificate validity. */
+    mbedtls_x509_time valid_to;         /**< End time of certificate validity. */
+
+    mbedtls_pk_context pk;              /**< Container for the public key context. */
+
+    mbedtls_x509_buf issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier. */
+    mbedtls_x509_buf subject_id;        /**< Optional X.509 v2/v3 subject unique identifier. */
+    mbedtls_x509_buf v3_ext;            /**< Optional X.509 v3 extensions.  */
+    mbedtls_x509_sequence subject_alt_names;    /**< Optional list of Subject Alternative Names (Only dNSName supported). */
+
+    int ext_types;              /**< Bit string containing detected and parsed extensions */
+    int ca_istrue;              /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
+    int max_pathlen;            /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
+
+    unsigned int key_usage;     /**< Optional key usage extension value: See the values in x509.h */
+
+    mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
+
+    unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
+
+    mbedtls_x509_buf sig;               /**< Signature: hash of the tbs part signed with the private key. */
+    mbedtls_md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *sig_opts;             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+
+    struct mbedtls_x509_crt *next;     /**< Next certificate in the CA-chain. */
+}
+mbedtls_x509_crt;
+
+/**
+ * Build flag from an algorithm/curve identifier (pk, md, ecp)
+ * Since 0 is always XXX_NONE, ignore it.
+ */
+#define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( ( id ) - 1 ) )
+
+/**
+ * Security profile for certificate verification.
+ *
+ * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
+ */
+typedef struct
+{
+    uint32_t allowed_mds;       /**< MDs for signatures         */
+    uint32_t allowed_pks;       /**< PK algs for signatures     */
+    uint32_t allowed_curves;    /**< Elliptic curves for ECDSA  */
+    uint32_t rsa_min_bitlen;    /**< Minimum size for RSA keys  */
+}
+mbedtls_x509_crt_profile;
+
+#define MBEDTLS_X509_CRT_VERSION_1              0
+#define MBEDTLS_X509_CRT_VERSION_2              1
+#define MBEDTLS_X509_CRT_VERSION_3              2
+
+#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
+#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN   15
+
+#if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
+#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
+#endif
+
+/**
+ * Container for writing a certificate (CRT)
+ */
+typedef struct mbedtls_x509write_cert
+{
+    int version;
+    mbedtls_mpi serial;
+    mbedtls_pk_context *subject_key;
+    mbedtls_pk_context *issuer_key;
+    mbedtls_asn1_named_data *subject;
+    mbedtls_asn1_named_data *issuer;
+    mbedtls_md_type_t md_alg;
+    char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
+    char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
+    mbedtls_asn1_named_data *extensions;
+}
+mbedtls_x509write_cert;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * Default security profile. Should provide a good balance between security
+ * and compatibility with current deployments.
+ */
+extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
+
+/**
+ * Expected next default profile. Recommended for new deployments.
+ * Currently targets a 128-bit security level, except for RSA-2048.
+ */
+extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
+
+/**
+ * NSA Suite B profile.
+ */
+extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
+
+/**
+ * \brief          Parse a single DER formatted certificate and add it
+ *                 to the chained list.
+ *
+ * \param chain    points to the start of the chain
+ * \param buf      buffer holding the certificate DER data
+ * \param buflen   size of the buffer
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
+                        size_t buflen );
+
+/**
+ * \brief          Parse one DER-encoded or one or more concatenated PEM-encoded
+ *                 certificates and add them to the chained list.
+ *
+ *                 For CRTs in PEM encoding, the function parses permissively:
+ *                 if at least one certificate can be parsed, the function
+ *                 returns the number of certificates for which parsing failed
+ *                 (hence \c 0 if all certificates were parsed successfully).
+ *                 If no certificate could be parsed, the function returns
+ *                 the first (negative) error encountered during parsing.
+ *
+ *                 PEM encoded certificates may be interleaved by other data
+ *                 such as human readable descriptions of their content, as
+ *                 long as the certificates are enclosed in the PEM specific
+ *                 '-----{BEGIN/END} CERTIFICATE-----' delimiters.
+ *
+ * \param chain    The chain to which to add the parsed certificates.
+ * \param buf      The buffer holding the certificate data in PEM or DER format.
+ *                 For certificates in PEM encoding, this may be a concatenation
+ *                 of multiple certificates; for DER encoding, the buffer must
+ *                 comprise exactly one certificate.
+ * \param buflen   The size of \p buf, including the terminating \c NULL byte
+ *                 in case of PEM encoded data.
+ *
+ * \return         \c 0 if all certificates were parsed successfully.
+ * \return         The (positive) number of certificates that couldn't
+ *                 be parsed if parsing was partly successful (see above).
+ * \return         A negative X509 or PEM error code otherwise.
+ *
+ */
+int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Load one or more certificates and add them
+ *                 to the chained list. Parses permissively. If some
+ *                 certificates can be parsed, the result is the number
+ *                 of failed certificates it encountered. If none complete
+ *                 correctly, the first error is returned.
+ *
+ * \param chain    points to the start of the chain
+ * \param path     filename to read the certificates from
+ *
+ * \return         0 if all certificates parsed successfully, a positive number
+ *                 if partly successful or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
+
+/**
+ * \brief          Load one or more certificate files from a path and add them
+ *                 to the chained list. Parses permissively. If some
+ *                 certificates can be parsed, the result is the number
+ *                 of failed certificates it encountered. If none complete
+ *                 correctly, the first error is returned.
+ *
+ * \param chain    points to the start of the chain
+ * \param path     directory / folder to read the certificate files from
+ *
+ * \return         0 if all certificates parsed successfully, a positive number
+ *                 if partly successful or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Returns an informational string about the
+ *                 certificate.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param crt      The X509 certificate to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crt *crt );
+
+/**
+ * \brief          Returns an informational string about the
+ *                 verification status of a certificate.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param flags    Verification flags created by mbedtls_x509_crt_verify()
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+                          uint32_t flags );
+
+/**
+ * \brief          Verify the certificate signature
+ *
+ *                 The verify callback is a user-supplied callback that
+ *                 can clear / modify / add flags for a certificate. If set,
+ *                 the verification callback is called for each
+ *                 certificate in the chain (from the trust-ca down to the
+ *                 presented crt). The parameters for the callback are:
+ *                 (void *parameter, mbedtls_x509_crt *crt, int certificate_depth,
+ *                 int *flags). With the flags representing current flags for
+ *                 that specific certificate and the certificate depth from
+ *                 the bottom (Peer cert depth = 0).
+ *
+ *                 All flags left after returning from the callback
+ *                 are also returned to the application. The function should
+ *                 return 0 for anything (including invalid certificates)
+ *                 other than fatal error, as a non-zero return code
+ *                 immediately aborts the verification process. For fatal
+ *                 errors, a specific error code should be used (different
+ *                 from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
+ *                 be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
+ *                 can be used if no better code is available.
+ *
+ * \note           In case verification failed, the results can be displayed
+ *                 using \c mbedtls_x509_crt_verify_info()
+ *
+ * \note           Same as \c mbedtls_x509_crt_verify_with_profile() with the
+ *                 default security profile.
+ *
+ * \note           It is your responsibility to provide up-to-date CRLs for
+ *                 all trusted CAs. If no CRL is provided for the CA that was
+ *                 used to sign the certificate, CRL verification is skipped
+ *                 silently, that is *without* setting any flag.
+ *
+ * \note           The \c trust_ca list can contain two types of certificates:
+ *                 (1) those of trusted root CAs, so that certificates
+ *                 chaining up to those CAs will be trusted, and (2)
+ *                 self-signed end-entity certificates to be trusted (for
+ *                 specific peers you know) - in that case, the self-signed
+ *                 certificate doesn't need to have the CA bit set.
+ *
+ * \param crt      a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs (see note above)
+ * \param ca_crl   the list of CRLs for trusted CAs (see note above)
+ * \param cn       expected Common Name (can be set to
+ *                 NULL if the CN must not be verified)
+ * \param flags    result of the verification
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ *
+ * \return         0 (and flags set to 0) if the chain was verified and valid,
+ *                 MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified
+ *                 but found to be invalid, in which case *flags will have one
+ *                 or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX
+ *                 flags set, or another error (and flags set to 0xffffffff)
+ *                 in case of a fatal error encountered during the
+ *                 verification process.
+ */
+int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy );
+
+/**
+ * \brief          Verify the certificate signature according to profile
+ *
+ * \note           Same as \c mbedtls_x509_crt_verify(), but with explicit
+ *                 security profile.
+ *
+ * \note           The restrictions on keys (RSA minimum size, allowed curves
+ *                 for ECDSA) apply to all certificates: trusted root,
+ *                 intermediate CAs if any, and end entity certificate.
+ *
+ * \param crt      a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs
+ * \param ca_crl   the list of CRLs for trusted CAs
+ * \param profile  security profile for verification
+ * \param cn       expected Common Name (can be set to
+ *                 NULL if the CN must not be verified)
+ * \param flags    result of the verification
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ *
+ * \return         0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
+ *                 in which case *flags will have one or more
+ *                 MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
+ *                 set,
+ *                 or another error in case of a fatal error encountered
+ *                 during the verification process.
+ */
+int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy );
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+/**
+ * \brief          Check usage of certificate against keyUsage extension.
+ *
+ * \param crt      Leaf certificate used.
+ * \param usage    Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT
+ *                 before using the certificate to perform an RSA key
+ *                 exchange).
+ *
+ * \note           Except for decipherOnly and encipherOnly, a bit set in the
+ *                 usage argument means this bit MUST be set in the
+ *                 certificate. For decipherOnly and encipherOnly, it means
+ *                 that bit MAY be set.
+ *
+ * \return         0 is these uses of the certificate are allowed,
+ *                 MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
+ *                 is present but does not match the usage argument.
+ *
+ * \note           You should only call this function on leaf certificates, on
+ *                 (intermediate) CAs the keyUsage extension is automatically
+ *                 checked by \c mbedtls_x509_crt_verify().
+ */
+int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
+                                      unsigned int usage );
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+/**
+ * \brief           Check usage of certificate against extendedKeyUsage.
+ *
+ * \param crt       Leaf certificate used.
+ * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or
+ *                  MBEDTLS_OID_CLIENT_AUTH).
+ * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
+ *
+ * \return          0 if this use of the certificate is allowed,
+ *                  MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
+ *
+ * \note            Usually only makes sense on leaf certificates.
+ */
+int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
+                                               const char *usage_oid,
+                                               size_t usage_len );
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+/**
+ * \brief          Verify the certificate revocation status
+ *
+ * \param crt      a certificate to be verified
+ * \param crl      the CRL to verify against
+ *
+ * \return         1 if the certificate is revoked, 0 otherwise
+ *
+ */
+int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl );
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+
+/**
+ * \brief          Initialize a certificate (chain)
+ *
+ * \param crt      Certificate chain to initialize
+ */
+void mbedtls_x509_crt_init( mbedtls_x509_crt *crt );
+
+/**
+ * \brief          Unallocate all certificate data
+ *
+ * \param crt      Certificate chain to free
+ */
+void mbedtls_x509_crt_free( mbedtls_x509_crt *crt );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+/**
+ * \brief           Initialize a CRT writing context
+ *
+ * \param ctx       CRT context to initialize
+ */
+void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx );
+
+/**
+ * \brief           Set the verion for a Certificate
+ *                  Default: MBEDTLS_X509_CRT_VERSION_3
+ *
+ * \param ctx       CRT context to use
+ * \param version   version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or
+ *                                  MBEDTLS_X509_CRT_VERSION_3)
+ */
+void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version );
+
+/**
+ * \brief           Set the serial number for a Certificate.
+ *
+ * \param ctx       CRT context to use
+ * \param serial    serial number to set
+ *
+ * \return          0 if successful
+ */
+int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial );
+
+/**
+ * \brief           Set the validity period for a Certificate
+ *                  Timestamps should be in string format for UTC timezone
+ *                  i.e. "YYYYMMDDhhmmss"
+ *                  e.g. "20131231235959" for December 31st 2013
+ *                       at 23:59:59
+ *
+ * \param ctx       CRT context to use
+ * \param not_before    not_before timestamp
+ * \param not_after     not_after timestamp
+ *
+ * \return          0 if timestamp was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
+                                const char *not_after );
+
+/**
+ * \brief           Set the issuer name for a Certificate
+ *                  Issuer names should contain a comma-separated list
+ *                  of OID types and values:
+ *                  e.g. "C=UK,O=ARM,CN=mbed TLS CA"
+ *
+ * \param ctx           CRT context to use
+ * \param issuer_name   issuer name to set
+ *
+ * \return          0 if issuer name was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
+                                   const char *issuer_name );
+
+/**
+ * \brief           Set the subject name for a Certificate
+ *                  Subject names should contain a comma-separated list
+ *                  of OID types and values:
+ *                  e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
+ *
+ * \param ctx           CRT context to use
+ * \param subject_name  subject name to set
+ *
+ * \return          0 if subject name was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
+                                    const char *subject_name );
+
+/**
+ * \brief           Set the subject public key for the certificate
+ *
+ * \param ctx       CRT context to use
+ * \param key       public key to include
+ */
+void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
+
+/**
+ * \brief           Set the issuer key used for signing the certificate
+ *
+ * \param ctx       CRT context to use
+ * \param key       private key to sign with
+ */
+void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
+
+/**
+ * \brief           Set the MD algorithm to use for the signature
+ *                  (e.g. MBEDTLS_MD_SHA1)
+ *
+ * \param ctx       CRT context to use
+ * \param md_alg    MD algorithm to use
+ */
+void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg );
+
+/**
+ * \brief           Generic function to add to or replace an extension in the
+ *                  CRT
+ *
+ * \param ctx       CRT context to use
+ * \param oid       OID of the extension
+ * \param oid_len   length of the OID
+ * \param critical  if the extension is critical (per the RFC's definition)
+ * \param val       value of the extension OCTET STRING
+ * \param val_len   length of the value data
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
+                                 const char *oid, size_t oid_len,
+                                 int critical,
+                                 const unsigned char *val, size_t val_len );
+
+/**
+ * \brief           Set the basicConstraints extension for a CRT
+ *
+ * \param ctx       CRT context to use
+ * \param is_ca     is this a CA certificate
+ * \param max_pathlen   maximum length of certificate chains below this
+ *                      certificate (only for CA certificates, -1 is
+ *                      inlimited)
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
+                                         int is_ca, int max_pathlen );
+
+#if defined(MBEDTLS_SHA1_C)
+/**
+ * \brief           Set the subjectKeyIdentifier extension for a CRT
+ *                  Requires that mbedtls_x509write_crt_set_subject_key() has been
+ *                  called before
+ *
+ * \param ctx       CRT context to use
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx );
+
+/**
+ * \brief           Set the authorityKeyIdentifier extension for a CRT
+ *                  Requires that mbedtls_x509write_crt_set_issuer_key() has been
+ *                  called before
+ *
+ * \param ctx       CRT context to use
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx );
+#endif /* MBEDTLS_SHA1_C */
+
+/**
+ * \brief           Set the Key Usage Extension flags
+ *                  (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
+ *
+ * \param ctx       CRT context to use
+ * \param key_usage key usage flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
+                                         unsigned int key_usage );
+
+/**
+ * \brief           Set the Netscape Cert Type flags
+ *                  (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
+ *
+ * \param ctx           CRT context to use
+ * \param ns_cert_type  Netscape Cert Type flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
+                                    unsigned char ns_cert_type );
+
+/**
+ * \brief           Free the contents of a CRT write context
+ *
+ * \param ctx       CRT context to free
+ */
+void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx );
+
+/**
+ * \brief           Write a built up certificate to a X509 DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       certificate to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a built up certificate to a X509 PEM string
+ *
+ * \param ctx       certificate to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful, or a specific error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_x509_crt.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/x509_csr.h b/third-party/mbedtls-3.6/include/mbedtls/x509_csr.h
new file mode 100644
index 00000000..5dfb4213
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/x509_csr.h
@@ -0,0 +1,332 @@
+/**
+ * \file x509_csr.h
+ *
+ * \brief X.509 certificate signing request parsing and writing
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_X509_CSR_H
+#define MBEDTLS_X509_CSR_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "x509.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{ */
+
+/**
+ * \name Structures and functions for X.509 Certificate Signing Requests (CSR)
+ * \{
+ */
+
+/**
+ * Certificate Signing Request (CSR) structure.
+ */
+typedef struct mbedtls_x509_csr
+{
+    mbedtls_x509_buf raw;           /**< The raw CSR data (DER). */
+    mbedtls_x509_buf cri;           /**< The raw CertificateRequestInfo body (DER). */
+
+    int version;            /**< CSR version (1=v1). */
+
+    mbedtls_x509_buf  subject_raw;  /**< The raw subject data (DER). */
+    mbedtls_x509_name subject;      /**< The parsed subject data (named information object). */
+
+    mbedtls_pk_context pk;          /**< Container for the public key context. */
+
+    mbedtls_x509_buf sig_oid;
+    mbedtls_x509_buf sig;
+    mbedtls_md_type_t sig_md;       /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t sig_pk;       /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *sig_opts;         /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+}
+mbedtls_x509_csr;
+
+/**
+ * Container for writing a CSR
+ */
+typedef struct mbedtls_x509write_csr
+{
+    mbedtls_pk_context *key;
+    mbedtls_asn1_named_data *subject;
+    mbedtls_md_type_t md_alg;
+    mbedtls_asn1_named_data *extensions;
+}
+mbedtls_x509write_csr;
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+/**
+ * \brief          Load a Certificate Signing Request (CSR) in DER format
+ *
+ * \note           CSR attributes (if any) are currently silently ignored.
+ *
+ * \param csr      CSR context to fill
+ * \param buf      buffer holding the CRL data
+ * \param buflen   size of the buffer
+ *
+ * \return         0 if successful, or a specific X509 error code
+ */
+int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
+                        const unsigned char *buf, size_t buflen );
+
+/**
+ * \brief          Load a Certificate Signing Request (CSR), DER or PEM format
+ *
+ * \note           See notes for \c mbedtls_x509_csr_parse_der()
+ *
+ * \param csr      CSR context to fill
+ * \param buf      buffer holding the CRL data
+ * \param buflen   size of the buffer
+ *                 (including the terminating null byte for PEM data)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Load a Certificate Signing Request (CSR)
+ *
+ * \note           See notes for \c mbedtls_x509_csr_parse()
+ *
+ * \param csr      CSR context to fill
+ * \param path     filename to read the CSR from
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Returns an informational string about the
+ *                 CSR.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param csr      The X509 CSR to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_csr *csr );
+
+/**
+ * \brief          Initialize a CSR
+ *
+ * \param csr      CSR to initialize
+ */
+void mbedtls_x509_csr_init( mbedtls_x509_csr *csr );
+
+/**
+ * \brief          Unallocate all CSR data
+ *
+ * \param csr      CSR to free
+ */
+void mbedtls_x509_csr_free( mbedtls_x509_csr *csr );
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+/**
+ * \brief           Initialize a CSR context
+ *
+ * \param ctx       CSR context to initialize
+ */
+void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx );
+
+/**
+ * \brief           Set the subject name for a CSR
+ *                  Subject names should contain a comma-separated list
+ *                  of OID types and values:
+ *                  e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
+ *
+ * \param ctx           CSR context to use
+ * \param subject_name  subject name to set
+ *
+ * \return          0 if subject name was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
+                                    const char *subject_name );
+
+/**
+ * \brief           Set the key for a CSR (public key will be included,
+ *                  private key used to sign the CSR when writing it)
+ *
+ * \param ctx       CSR context to use
+ * \param key       Asymetric key to include
+ */
+void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key );
+
+/**
+ * \brief           Set the MD algorithm to use for the signature
+ *                  (e.g. MBEDTLS_MD_SHA1)
+ *
+ * \param ctx       CSR context to use
+ * \param md_alg    MD algorithm to use
+ */
+void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg );
+
+/**
+ * \brief           Set the Key Usage Extension flags
+ *                  (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
+ *
+ * \param ctx       CSR context to use
+ * \param key_usage key usage flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note            The <code>decipherOnly</code> flag from the Key Usage
+ *                  extension is represented by bit 8 (i.e.
+ *                  <code>0x8000</code>), which cannot typically be represented
+ *                  in an unsigned char. Therefore, the flag
+ *                  <code>decipherOnly</code> (i.e.
+ *                  #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this
+ *                  function.
+ */
+int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage );
+
+/**
+ * \brief           Set the Netscape Cert Type flags
+ *                  (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
+ *
+ * \param ctx           CSR context to use
+ * \param ns_cert_type  Netscape Cert Type flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
+                                    unsigned char ns_cert_type );
+
+/**
+ * \brief           Generic function to add to or replace an extension in the
+ *                  CSR
+ *
+ * \param ctx       CSR context to use
+ * \param oid       OID of the extension
+ * \param oid_len   length of the OID
+ * \param val       value of the extension OCTET STRING
+ * \param val_len   length of the value data
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
+                                 const char *oid, size_t oid_len,
+                                 const unsigned char *val, size_t val_len );
+
+/**
+ * \brief           Free the contents of a CSR context
+ *
+ * \param ctx       CSR context to free
+ */
+void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx );
+
+/**
+ * \brief           Write a CSR (Certificate Signing Request) to a
+ *                  DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       CSR to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a CSR (Certificate Signing Request) to a
+ *                  PEM string
+ *
+ * \param ctx       CSR to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful, or a specific error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_x509_csr.h */
diff --git a/third-party/mbedtls-3.6/include/mbedtls/xtea.h b/third-party/mbedtls-3.6/include/mbedtls/xtea.h
new file mode 100644
index 00000000..c0259b8c
--- /dev/null
+++ b/third-party/mbedtls-3.6/include/mbedtls/xtea.h
@@ -0,0 +1,166 @@
+/**
+ * \file xtea.h
+ *
+ * \brief XTEA block cipher (32-bit)
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+#ifndef MBEDTLS_XTEA_H
+#define MBEDTLS_XTEA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_XTEA_ENCRYPT     1
+#define MBEDTLS_XTEA_DECRYPT     0
+
+#define MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH             -0x0028  /**< The data input has an invalid length. */
+#define MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED                  -0x0029  /**< XTEA hardware accelerator failed. */
+
+#if !defined(MBEDTLS_XTEA_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          XTEA context structure
+ */
+typedef struct
+{
+    uint32_t k[4];       /*!< key */
+}
+mbedtls_xtea_context;
+
+/**
+ * \brief          Initialize XTEA context
+ *
+ * \param ctx      XTEA context to be initialized
+ */
+void mbedtls_xtea_init( mbedtls_xtea_context *ctx );
+
+/**
+ * \brief          Clear XTEA context
+ *
+ * \param ctx      XTEA context to be cleared
+ */
+void mbedtls_xtea_free( mbedtls_xtea_context *ctx );
+
+/**
+ * \brief          XTEA key schedule
+ *
+ * \param ctx      XTEA context to be initialized
+ * \param key      the secret key
+ */
+void mbedtls_xtea_setup( mbedtls_xtea_context *ctx, const unsigned char key[16] );
+
+/**
+ * \brief          XTEA cipher function
+ *
+ * \param ctx      XTEA context
+ * \param mode     MBEDTLS_XTEA_ENCRYPT or MBEDTLS_XTEA_DECRYPT
+ * \param input    8-byte input block
+ * \param output   8-byte output block
+ *
+ * \return         0 if successful
+ */
+int mbedtls_xtea_crypt_ecb( mbedtls_xtea_context *ctx,
+                    int mode,
+                    const unsigned char input[8],
+                    unsigned char output[8] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          XTEA CBC cipher function
+ *
+ * \param ctx      XTEA context
+ * \param mode     MBEDTLS_XTEA_ENCRYPT or MBEDTLS_XTEA_DECRYPT
+ * \param length   the length of input, multiple of 8
+ * \param iv       initialization vector for CBC mode
+ * \param input    input block
+ * \param output   output block
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH if the length % 8 != 0
+ */
+int mbedtls_xtea_crypt_cbc( mbedtls_xtea_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[8],
+                    const unsigned char *input,
+                    unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#ifdef __cplusplus
+}
+#endif
+
+#else  /* MBEDTLS_XTEA_ALT */
+#include "xtea_alt.h"
+#endif /* MBEDTLS_XTEA_ALT */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_xtea_self_test( int verbose );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* xtea.h */
diff --git a/third-party/mbedtls-3.6/library/.gitignore b/third-party/mbedtls-3.6/library/.gitignore
new file mode 100644
index 00000000..3a63a63a
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/.gitignore
@@ -0,0 +1,4 @@
+*.o
+libmbed*
+*.sln
+*.vcxproj
diff --git a/third-party/mbedtls-3.6/library/CMakeLists.txt b/third-party/mbedtls-3.6/library/CMakeLists.txt
new file mode 100644
index 00000000..3c105ddc
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/CMakeLists.txt
@@ -0,0 +1,169 @@
+option(USE_STATIC_MBEDTLS_LIBRARY "Build mbed TLS static library." ON)
+option(USE_SHARED_MBEDTLS_LIBRARY "Build mbed TLS shared library." OFF)
+option(LINK_WITH_PTHREAD "Explicitly link mbed TLS library to pthread." OFF)
+
+set(src_crypto
+    aes.c
+    aesni.c
+    arc4.c
+    asn1parse.c
+    asn1write.c
+    base64.c
+    bignum.c
+    blowfish.c
+    camellia.c
+    ccm.c
+    cipher.c
+    cipher_wrap.c
+    cmac.c
+    ctr_drbg.c
+    des.c
+    dhm.c
+    ecdh.c
+    ecdsa.c
+    ecjpake.c
+    ecp.c
+    ecp_curves.c
+    entropy.c
+    entropy_poll.c
+    error.c
+    gcm.c
+    havege.c
+    hmac_drbg.c
+    md.c
+    md2.c
+    md4.c
+    md5.c
+    md_wrap.c
+    memory_buffer_alloc.c
+    oid.c
+    padlock.c
+    pem.c
+    pk.c
+    pk_wrap.c
+    pkcs12.c
+    pkcs5.c
+    pkparse.c
+    pkwrite.c
+    platform.c
+    ripemd160.c
+    rsa.c
+    rsa_internal.c
+    sha1.c
+    sha256.c
+    sha512.c
+    threading.c
+    timing.c
+    version.c
+    version_features.c
+    xtea.c
+)
+
+set(src_x509
+    certs.c
+    pkcs11.c
+    x509.c
+    x509_create.c
+    x509_crl.c
+    x509_crt.c
+    x509_csr.c
+    x509write_crt.c
+    x509write_csr.c
+)
+
+set(src_tls
+    debug.c
+    net_sockets.c
+    ssl_cache.c
+    ssl_ciphersuites.c
+    ssl_cli.c
+    ssl_cookie.c
+    ssl_srv.c
+    ssl_ticket.c
+    ssl_tls.c
+)
+
+if(CMAKE_COMPILER_IS_GNUCC)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes")
+endif(CMAKE_COMPILER_IS_GNUCC)
+
+if(CMAKE_COMPILER_IS_CLANG)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
+endif(CMAKE_COMPILER_IS_CLANG)
+
+if(UNSAFE_BUILD)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-error")
+    set(CMAKE_C_FLAGS_ASAN "${CMAKE_C_FLAGS_ASAN} -Wno-error")
+    set(CMAKE_C_FLAGS_ASANDBG "${CMAKE_C_FLAGS_ASANDBG} -Wno-error")
+endif(UNSAFE_BUILD)
+
+if(WIN32)
+    set(libs ${libs} ws2_32)
+endif(WIN32)
+
+if(USE_PKCS11_HELPER_LIBRARY)
+    set(libs ${libs} pkcs11-helper)
+endif(USE_PKCS11_HELPER_LIBRARY)
+
+if(ENABLE_ZLIB_SUPPORT)
+    set(libs ${libs} ${ZLIB_LIBRARIES})
+endif(ENABLE_ZLIB_SUPPORT)
+
+if(LINK_WITH_PTHREAD)
+    set(libs ${libs} pthread)
+endif()
+
+if (NOT USE_STATIC_MBEDTLS_LIBRARY AND NOT USE_SHARED_MBEDTLS_LIBRARY)
+    message(FATAL_ERROR "Need to choose static or shared mbedtls build!")
+endif(NOT USE_STATIC_MBEDTLS_LIBRARY AND NOT USE_SHARED_MBEDTLS_LIBRARY)
+
+if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
+    set(mbedtls_static_target "mbedtls_static")
+    set(mbedx509_static_target "mbedx509_static")
+    set(mbedcrypto_static_target "mbedcrypto_static")
+elseif(USE_STATIC_MBEDTLS_LIBRARY)
+    set(mbedtls_static_target "mbedtls")
+    set(mbedx509_static_target "mbedx509")
+    set(mbedcrypto_static_target "mbedcrypto")
+endif()
+
+if(USE_STATIC_MBEDTLS_LIBRARY)
+    add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
+    set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
+    target_link_libraries(${mbedcrypto_static_target} ${libs})
+
+    add_library(${mbedx509_static_target} STATIC ${src_x509})
+    set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509)
+    target_link_libraries(${mbedx509_static_target} ${libs} ${mbedcrypto_static_target})
+
+    add_library(${mbedtls_static_target} STATIC ${src_tls})
+    set_target_properties(${mbedtls_static_target} PROPERTIES OUTPUT_NAME mbedtls)
+    target_link_libraries(${mbedtls_static_target} ${libs} ${mbedx509_static_target})
+
+    install(TARGETS ${mbedtls_static_target} ${mbedx509_static_target} ${mbedcrypto_static_target}
+            DESTINATION ${LIB_INSTALL_DIR}
+            PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+endif(USE_STATIC_MBEDTLS_LIBRARY)
+
+if(USE_SHARED_MBEDTLS_LIBRARY)
+    add_library(mbedcrypto SHARED ${src_crypto})
+    set_target_properties(mbedcrypto PROPERTIES VERSION 2.7.19 SOVERSION 2)
+    target_link_libraries(mbedcrypto ${libs})
+
+    add_library(mbedx509 SHARED ${src_x509})
+    set_target_properties(mbedx509 PROPERTIES VERSION 2.7.19 SOVERSION 0)
+    target_link_libraries(mbedx509 ${libs} mbedcrypto)
+
+    add_library(mbedtls SHARED ${src_tls})
+    set_target_properties(mbedtls PROPERTIES VERSION 2.7.19 SOVERSION 10)
+    target_link_libraries(mbedtls ${libs} mbedx509)
+
+    install(TARGETS mbedtls mbedx509 mbedcrypto
+            DESTINATION ${LIB_INSTALL_DIR}
+            PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+endif(USE_SHARED_MBEDTLS_LIBRARY)
+
+add_custom_target(lib DEPENDS mbedcrypto mbedx509 mbedtls)
+if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
+    add_dependencies(lib mbedcrypto_static mbedx509_static mbedtls_static)
+endif()
diff --git a/third-party/mbedtls-3.6/library/Makefile b/third-party/mbedtls-3.6/library/Makefile
new file mode 100644
index 00000000..51d72595
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/Makefile
@@ -0,0 +1,172 @@
+
+# Also see "include/mbedtls/config.h"
+
+CFLAGS	?= -O2
+WARNING_CFLAGS ?=  -Wall -W -Wdeclaration-after-statement
+LDFLAGS ?=
+
+LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64
+LOCAL_LDFLAGS =
+
+ifdef DEBUG
+LOCAL_CFLAGS += -g3
+endif
+
+# MicroBlaze specific options:
+# CFLAGS += -mno-xl-soft-mul -mxl-barrel-shift
+
+# To compile on Plan9:
+# CFLAGS += -D_BSD_EXTENSION
+
+# if were running on Windows build for Windows
+ifdef WINDOWS
+WINDOWS_BUILD=1
+endif
+
+# To compile as a shared library:
+ifdef SHARED
+# all code is position-indep with mingw, avoid warning about useless flag
+ifndef WINDOWS_BUILD
+LOCAL_CFLAGS += -fPIC -fpic
+endif
+endif
+
+SOEXT_TLS=so.10
+SOEXT_X509=so.0
+SOEXT_CRYPTO=so.2
+
+# Set DLEXT=dylib to compile as a shared library for Mac OS X
+DLEXT ?= so
+
+# Set AR_DASH= (empty string) to use an ar implementation that does not accept
+# the - prefix for command line options (e.g. llvm-ar)
+AR_DASH ?= -
+
+# Windows shared library extension:
+ifdef WINDOWS_BUILD
+DLEXT=dll
+endif
+
+OBJS_CRYPTO=	aes.o		aesni.o		arc4.o		\
+		asn1parse.o	asn1write.o	base64.o	\
+		bignum.o	blowfish.o	camellia.o	\
+		ccm.o		cipher.o	cipher_wrap.o	\
+		cmac.o		ctr_drbg.o	des.o		\
+		dhm.o		ecdh.o		ecdsa.o		\
+		ecjpake.o	ecp.o				\
+		ecp_curves.o	entropy.o	entropy_poll.o	\
+		error.o		gcm.o		havege.o	\
+		hmac_drbg.o	md.o		md2.o		\
+		md4.o		md5.o		md_wrap.o	\
+		memory_buffer_alloc.o		oid.o		\
+		padlock.o	pem.o		pk.o		\
+		pk_wrap.o	pkcs12.o	pkcs5.o		\
+		pkparse.o	pkwrite.o	platform.o	\
+		ripemd160.o	rsa_internal.o	rsa.o  		\
+		sha1.o		sha256.o	sha512.o	\
+		threading.o	timing.o	version.o	\
+		version_features.o		xtea.o
+
+OBJS_X509=	certs.o		pkcs11.o	x509.o		\
+		x509_create.o	x509_crl.o	x509_crt.o	\
+		x509_csr.o	x509write_crt.o	x509write_csr.o
+
+OBJS_TLS=	debug.o		net_sockets.o		\
+		ssl_cache.o	ssl_ciphersuites.o	\
+		ssl_cli.o	ssl_cookie.o		\
+		ssl_srv.o	ssl_ticket.o		\
+		ssl_tls.o
+
+.SILENT:
+
+.PHONY: all static shared clean
+
+ifndef SHARED
+all: static
+else
+all: shared static
+endif
+
+static: libmbedcrypto.a libmbedx509.a libmbedtls.a
+
+shared: libmbedcrypto.$(DLEXT) libmbedx509.$(DLEXT) libmbedtls.$(DLEXT)
+
+# tls
+libmbedtls.a: $(OBJS_TLS)
+	echo "  AR    $@"
+	$(AR) $(AR_DASH)rc $@ $(OBJS_TLS)
+	echo "  RL    $@"
+	$(AR) $(AR_DASH)s $@
+
+libmbedtls.$(SOEXT_TLS): $(OBJS_TLS) libmbedx509.so
+	echo "  LD    $@"
+	$(CC) -shared -Wl,-soname,$@ -L. -lmbedcrypto -lmbedx509 $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_TLS)
+
+libmbedtls.so: libmbedtls.$(SOEXT_TLS)
+	echo "  LN    $@ -> $<"
+	ln -sf $< $@
+
+libmbedtls.dylib: $(OBJS_TLS) libmbedx509.dylib
+	echo "  LD    $@"
+	$(CC) -dynamiclib -L. -lmbedcrypto -lmbedx509 $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_TLS)
+
+libmbedtls.dll: $(OBJS_TLS) libmbedx509.dll
+	echo "  LD    $@"
+	$(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_TLS) -lws2_32 -lwinmm -lgdi32 -L. -lmbedcrypto -lmbedx509 -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS)
+
+# x509
+libmbedx509.a: $(OBJS_X509)
+	echo "  AR    $@"
+	$(AR) $(AR_DASH)rc $@ $(OBJS_X509)
+	echo "  RL    $@"
+	$(AR) $(AR_DASH)s $@
+
+libmbedx509.$(SOEXT_X509): $(OBJS_X509) libmbedcrypto.so
+	echo "  LD    $@"
+	$(CC) -shared -Wl,-soname,$@ -L. -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_X509)
+
+libmbedx509.so: libmbedx509.$(SOEXT_X509)
+	echo "  LN    $@ -> $<"
+	ln -sf $< $@
+
+libmbedx509.dylib: $(OBJS_X509) libmbedcrypto.dylib
+	echo "  LD    $@"
+	$(CC) -dynamiclib -L. -lmbedcrypto  $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_X509)
+
+libmbedx509.dll: $(OBJS_X509) libmbedcrypto.dll
+	echo "  LD    $@"
+	$(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_X509) -lws2_32 -lwinmm -lgdi32 -L. -lmbedcrypto -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS)
+
+# crypto
+libmbedcrypto.a: $(OBJS_CRYPTO)
+	echo "  AR    $@"
+	$(AR) $(AR_DASH)rc $@ $(OBJS_CRYPTO)
+	echo "  RL    $@"
+	$(AR) $(AR_DASH)s $@
+
+libmbedcrypto.$(SOEXT_CRYPTO): $(OBJS_CRYPTO)
+	echo "  LD    $@"
+	$(CC) -shared -Wl,-soname,$@ $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_CRYPTO)
+
+libmbedcrypto.so: libmbedcrypto.$(SOEXT_CRYPTO)
+	echo "  LN    $@ -> $<"
+	ln -sf $< $@
+
+libmbedcrypto.dylib: $(OBJS_CRYPTO)
+	echo "  LD    $@"
+	$(CC) -dynamiclib $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_CRYPTO)
+
+libmbedcrypto.dll: $(OBJS_CRYPTO)
+	echo "  LD    $@"
+	$(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_CRYPTO) -lws2_32 -lwinmm -lgdi32 -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS)
+
+.c.o:
+	echo "  CC    $<"
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c $<
+
+clean:
+ifndef WINDOWS
+	rm -f *.o libmbed*
+else
+	del /Q /F *.o libmbed*
+endif
diff --git a/third-party/mbedtls-3.6/library/aes.c b/third-party/mbedtls-3.6/library/aes.c
new file mode 100644
index 00000000..b8aee907
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/aes.c
@@ -0,0 +1,1565 @@
+/*
+ *  FIPS-197 compliant AES implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
+ *
+ *  http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
+ *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_AES_C)
+
+#include <string.h>
+
+#include "mbedtls/aes.h"
+#if defined(MBEDTLS_PADLOCK_C)
+#include "mbedtls/padlock.h"
+#endif
+#if defined(MBEDTLS_AESNI_C)
+#include "mbedtls/aesni.h"
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_AES_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C) &&                      \
+    ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
+static int aes_padlock_ace = -1;
+#endif
+
+#if defined(MBEDTLS_AES_ROM_TABLES)
+/*
+ * Forward S-box
+ */
+static const unsigned char FSb[256] =
+{
+    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
+    0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
+    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
+    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
+    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
+    0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
+    0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
+    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
+    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
+    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
+    0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
+    0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
+    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
+    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
+    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
+    0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
+    0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
+    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
+    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
+    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
+    0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
+    0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
+    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
+    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
+    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
+    0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
+    0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
+};
+
+/*
+ * Forward tables
+ */
+#define FT \
+\
+    V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
+    V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
+    V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
+    V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
+    V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
+    V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
+    V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
+    V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
+    V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
+    V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
+    V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
+    V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
+    V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
+    V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
+    V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
+    V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
+    V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
+    V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
+    V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
+    V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
+    V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
+    V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
+    V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
+    V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
+    V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
+    V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
+    V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
+    V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
+    V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
+    V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
+    V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
+    V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
+    V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
+    V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
+    V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
+    V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
+    V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
+    V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
+    V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
+    V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
+    V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
+    V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
+    V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
+    V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
+    V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
+    V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
+    V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
+    V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
+    V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
+    V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
+    V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
+    V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
+    V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
+    V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
+    V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
+    V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
+    V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
+    V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
+    V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
+    V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
+    V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
+    V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
+    V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
+    V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
+
+#define V(a,b,c,d) 0x##a##b##c##d
+static const uint32_t FT0[256] = { FT };
+#undef V
+
+#define V(a,b,c,d) 0x##b##c##d##a
+static const uint32_t FT1[256] = { FT };
+#undef V
+
+#define V(a,b,c,d) 0x##c##d##a##b
+static const uint32_t FT2[256] = { FT };
+#undef V
+
+#define V(a,b,c,d) 0x##d##a##b##c
+static const uint32_t FT3[256] = { FT };
+#undef V
+
+#undef FT
+
+/*
+ * Reverse S-box
+ */
+static const unsigned char RSb[256] =
+{
+    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
+    0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
+    0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
+    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
+    0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
+    0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
+    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
+    0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
+    0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
+    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
+    0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
+    0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
+    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
+    0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
+    0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
+    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
+    0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
+    0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
+    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
+    0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
+    0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
+    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
+    0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
+    0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
+    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
+    0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
+    0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
+    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
+    0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
+    0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
+    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
+    0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
+};
+
+/*
+ * Reverse tables
+ */
+#define RT \
+\
+    V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
+    V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
+    V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
+    V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
+    V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
+    V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
+    V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
+    V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
+    V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
+    V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
+    V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
+    V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
+    V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
+    V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
+    V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
+    V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
+    V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
+    V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
+    V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
+    V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
+    V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
+    V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
+    V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
+    V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
+    V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
+    V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
+    V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
+    V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
+    V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
+    V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
+    V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
+    V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
+    V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
+    V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
+    V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
+    V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
+    V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
+    V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
+    V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
+    V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
+    V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
+    V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
+    V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
+    V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
+    V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
+    V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
+    V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
+    V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
+    V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
+    V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
+    V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
+    V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
+    V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
+    V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
+    V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
+    V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
+    V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
+    V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
+    V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
+    V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
+    V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
+    V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
+    V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
+    V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
+
+#define V(a,b,c,d) 0x##a##b##c##d
+static const uint32_t RT0[256] = { RT };
+#undef V
+
+#define V(a,b,c,d) 0x##b##c##d##a
+static const uint32_t RT1[256] = { RT };
+#undef V
+
+#define V(a,b,c,d) 0x##c##d##a##b
+static const uint32_t RT2[256] = { RT };
+#undef V
+
+#define V(a,b,c,d) 0x##d##a##b##c
+static const uint32_t RT3[256] = { RT };
+#undef V
+
+#undef RT
+
+/*
+ * Round constants
+ */
+static const uint32_t RCON[10] =
+{
+    0x00000001, 0x00000002, 0x00000004, 0x00000008,
+    0x00000010, 0x00000020, 0x00000040, 0x00000080,
+    0x0000001B, 0x00000036
+};
+
+#else /* MBEDTLS_AES_ROM_TABLES */
+
+/*
+ * Forward S-box & tables
+ */
+static unsigned char FSb[256];
+static uint32_t FT0[256];
+static uint32_t FT1[256];
+static uint32_t FT2[256];
+static uint32_t FT3[256];
+
+/*
+ * Reverse S-box & tables
+ */
+static unsigned char RSb[256];
+static uint32_t RT0[256];
+static uint32_t RT1[256];
+static uint32_t RT2[256];
+static uint32_t RT3[256];
+
+/*
+ * Round constants
+ */
+static uint32_t RCON[10];
+
+/*
+ * Tables generation code
+ */
+#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
+#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
+#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
+
+static int aes_init_done = 0;
+
+static void aes_gen_tables( void )
+{
+    int i, x, y, z;
+    int pow[256];
+    int log[256];
+
+    /*
+     * compute pow and log tables over GF(2^8)
+     */
+    for( i = 0, x = 1; i < 256; i++ )
+    {
+        pow[i] = x;
+        log[x] = i;
+        x = ( x ^ XTIME( x ) ) & 0xFF;
+    }
+
+    /*
+     * calculate the round constants
+     */
+    for( i = 0, x = 1; i < 10; i++ )
+    {
+        RCON[i] = (uint32_t) x;
+        x = XTIME( x ) & 0xFF;
+    }
+
+    /*
+     * generate the forward and reverse S-boxes
+     */
+    FSb[0x00] = 0x63;
+    RSb[0x63] = 0x00;
+
+    for( i = 1; i < 256; i++ )
+    {
+        x = pow[255 - log[i]];
+
+        y  = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
+        x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
+        x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
+        x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
+        x ^= y ^ 0x63;
+
+        FSb[i] = (unsigned char) x;
+        RSb[x] = (unsigned char) i;
+    }
+
+    /*
+     * generate the forward and reverse tables
+     */
+    for( i = 0; i < 256; i++ )
+    {
+        x = FSb[i];
+        y = XTIME( x ) & 0xFF;
+        z =  ( y ^ x ) & 0xFF;
+
+        FT0[i] = ( (uint32_t) y       ) ^
+                 ( (uint32_t) x <<  8 ) ^
+                 ( (uint32_t) x << 16 ) ^
+                 ( (uint32_t) z << 24 );
+
+        FT1[i] = ROTL8( FT0[i] );
+        FT2[i] = ROTL8( FT1[i] );
+        FT3[i] = ROTL8( FT2[i] );
+
+        x = RSb[i];
+
+        RT0[i] = ( (uint32_t) MUL( 0x0E, x )       ) ^
+                 ( (uint32_t) MUL( 0x09, x ) <<  8 ) ^
+                 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
+                 ( (uint32_t) MUL( 0x0B, x ) << 24 );
+
+        RT1[i] = ROTL8( RT0[i] );
+        RT2[i] = ROTL8( RT1[i] );
+        RT3[i] = ROTL8( RT2[i] );
+    }
+}
+
+#endif /* MBEDTLS_AES_ROM_TABLES */
+
+void mbedtls_aes_init( mbedtls_aes_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_aes_context ) );
+}
+
+void mbedtls_aes_free( mbedtls_aes_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_aes_context ) );
+}
+
+/*
+ * AES key schedule (encryption)
+ */
+#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
+int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
+                    unsigned int keybits )
+{
+    unsigned int i;
+    uint32_t *RK;
+
+#if !defined(MBEDTLS_AES_ROM_TABLES)
+    if( aes_init_done == 0 )
+    {
+        aes_gen_tables();
+        aes_init_done = 1;
+
+    }
+#endif
+
+    switch( keybits )
+    {
+        case 128: ctx->nr = 10; break;
+        case 192: ctx->nr = 12; break;
+        case 256: ctx->nr = 14; break;
+        default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
+    }
+
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
+    if( aes_padlock_ace == -1 )
+        aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
+
+    if( aes_padlock_ace )
+        ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
+    else
+#endif
+    ctx->rk = RK = ctx->buf;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+        return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
+#endif
+
+    for( i = 0; i < ( keybits >> 5 ); i++ )
+    {
+        GET_UINT32_LE( RK[i], key, i << 2 );
+    }
+
+    switch( ctx->nr )
+    {
+        case 10:
+
+            for( i = 0; i < 10; i++, RK += 4 )
+            {
+                RK[4]  = RK[0] ^ RCON[i] ^
+                ( (uint32_t) FSb[ ( RK[3] >>  8 ) & 0xFF ]       ) ^
+                ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] <<  8 ) ^
+                ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
+                ( (uint32_t) FSb[ ( RK[3]       ) & 0xFF ] << 24 );
+
+                RK[5]  = RK[1] ^ RK[4];
+                RK[6]  = RK[2] ^ RK[5];
+                RK[7]  = RK[3] ^ RK[6];
+            }
+            break;
+
+        case 12:
+
+            for( i = 0; i < 8; i++, RK += 6 )
+            {
+                RK[6]  = RK[0] ^ RCON[i] ^
+                ( (uint32_t) FSb[ ( RK[5] >>  8 ) & 0xFF ]       ) ^
+                ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] <<  8 ) ^
+                ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
+                ( (uint32_t) FSb[ ( RK[5]       ) & 0xFF ] << 24 );
+
+                RK[7]  = RK[1] ^ RK[6];
+                RK[8]  = RK[2] ^ RK[7];
+                RK[9]  = RK[3] ^ RK[8];
+                RK[10] = RK[4] ^ RK[9];
+                RK[11] = RK[5] ^ RK[10];
+            }
+            break;
+
+        case 14:
+
+            for( i = 0; i < 7; i++, RK += 8 )
+            {
+                RK[8]  = RK[0] ^ RCON[i] ^
+                ( (uint32_t) FSb[ ( RK[7] >>  8 ) & 0xFF ]       ) ^
+                ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] <<  8 ) ^
+                ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
+                ( (uint32_t) FSb[ ( RK[7]       ) & 0xFF ] << 24 );
+
+                RK[9]  = RK[1] ^ RK[8];
+                RK[10] = RK[2] ^ RK[9];
+                RK[11] = RK[3] ^ RK[10];
+
+                RK[12] = RK[4] ^
+                ( (uint32_t) FSb[ ( RK[11]       ) & 0xFF ]       ) ^
+                ( (uint32_t) FSb[ ( RK[11] >>  8 ) & 0xFF ] <<  8 ) ^
+                ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
+                ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
+
+                RK[13] = RK[5] ^ RK[12];
+                RK[14] = RK[6] ^ RK[13];
+                RK[15] = RK[7] ^ RK[14];
+            }
+            break;
+    }
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
+
+/*
+ * AES key schedule (decryption)
+ */
+#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
+int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
+                    unsigned int keybits )
+{
+    int i, j, ret;
+    mbedtls_aes_context cty;
+    uint32_t *RK;
+    uint32_t *SK;
+
+    mbedtls_aes_init( &cty );
+
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
+    if( aes_padlock_ace == -1 )
+        aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
+
+    if( aes_padlock_ace )
+        ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
+    else
+#endif
+    ctx->rk = RK = ctx->buf;
+
+    /* Also checks keybits */
+    if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
+        goto exit;
+
+    ctx->nr = cty.nr;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+    {
+        mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
+                           (const unsigned char *) cty.rk, ctx->nr );
+        goto exit;
+    }
+#endif
+
+    SK = cty.rk + cty.nr * 4;
+
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+
+    for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
+    {
+        for( j = 0; j < 4; j++, SK++ )
+        {
+            *RK++ = RT0[ FSb[ ( *SK       ) & 0xFF ] ] ^
+                    RT1[ FSb[ ( *SK >>  8 ) & 0xFF ] ] ^
+                    RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
+                    RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
+        }
+    }
+
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+
+exit:
+    mbedtls_aes_free( &cty );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
+
+#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)     \
+{                                               \
+    X0 = *RK++ ^ FT0[ ( Y0       ) & 0xFF ] ^   \
+                 FT1[ ( Y1 >>  8 ) & 0xFF ] ^   \
+                 FT2[ ( Y2 >> 16 ) & 0xFF ] ^   \
+                 FT3[ ( Y3 >> 24 ) & 0xFF ];    \
+                                                \
+    X1 = *RK++ ^ FT0[ ( Y1       ) & 0xFF ] ^   \
+                 FT1[ ( Y2 >>  8 ) & 0xFF ] ^   \
+                 FT2[ ( Y3 >> 16 ) & 0xFF ] ^   \
+                 FT3[ ( Y0 >> 24 ) & 0xFF ];    \
+                                                \
+    X2 = *RK++ ^ FT0[ ( Y2       ) & 0xFF ] ^   \
+                 FT1[ ( Y3 >>  8 ) & 0xFF ] ^   \
+                 FT2[ ( Y0 >> 16 ) & 0xFF ] ^   \
+                 FT3[ ( Y1 >> 24 ) & 0xFF ];    \
+                                                \
+    X3 = *RK++ ^ FT0[ ( Y3       ) & 0xFF ] ^   \
+                 FT1[ ( Y0 >>  8 ) & 0xFF ] ^   \
+                 FT2[ ( Y1 >> 16 ) & 0xFF ] ^   \
+                 FT3[ ( Y2 >> 24 ) & 0xFF ];    \
+}
+
+#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)     \
+{                                               \
+    X0 = *RK++ ^ RT0[ ( Y0       ) & 0xFF ] ^   \
+                 RT1[ ( Y3 >>  8 ) & 0xFF ] ^   \
+                 RT2[ ( Y2 >> 16 ) & 0xFF ] ^   \
+                 RT3[ ( Y1 >> 24 ) & 0xFF ];    \
+                                                \
+    X1 = *RK++ ^ RT0[ ( Y1       ) & 0xFF ] ^   \
+                 RT1[ ( Y0 >>  8 ) & 0xFF ] ^   \
+                 RT2[ ( Y3 >> 16 ) & 0xFF ] ^   \
+                 RT3[ ( Y2 >> 24 ) & 0xFF ];    \
+                                                \
+    X2 = *RK++ ^ RT0[ ( Y2       ) & 0xFF ] ^   \
+                 RT1[ ( Y1 >>  8 ) & 0xFF ] ^   \
+                 RT2[ ( Y0 >> 16 ) & 0xFF ] ^   \
+                 RT3[ ( Y3 >> 24 ) & 0xFF ];    \
+                                                \
+    X3 = *RK++ ^ RT0[ ( Y3       ) & 0xFF ] ^   \
+                 RT1[ ( Y2 >>  8 ) & 0xFF ] ^   \
+                 RT2[ ( Y1 >> 16 ) & 0xFF ] ^   \
+                 RT3[ ( Y0 >> 24 ) & 0xFF ];    \
+}
+
+/*
+ * AES-ECB block encryption
+ */
+#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
+int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
+                                  const unsigned char input[16],
+                                  unsigned char output[16] )
+{
+    int i;
+    uint32_t *RK = ctx->rk;
+    struct
+    {
+        uint32_t X[4];
+        uint32_t Y[4];
+    } t;
+
+    GET_UINT32_LE( t.X[0], input,  0 ); t.X[0] ^= *RK++;
+    GET_UINT32_LE( t.X[1], input,  4 ); t.X[1] ^= *RK++;
+    GET_UINT32_LE( t.X[2], input,  8 ); t.X[2] ^= *RK++;
+    GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
+
+    for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
+    {
+        AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
+        AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
+    }
+
+    AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
+
+    t.X[0] = *RK++ ^ \
+            ( (uint32_t) FSb[ ( t.Y[0]       ) & 0xFF ]       ) ^
+            ( (uint32_t) FSb[ ( t.Y[1] >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
+
+    t.X[1] = *RK++ ^ \
+            ( (uint32_t) FSb[ ( t.Y[1]       ) & 0xFF ]       ) ^
+            ( (uint32_t) FSb[ ( t.Y[2] >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
+
+    t.X[2] = *RK++ ^ \
+            ( (uint32_t) FSb[ ( t.Y[2]       ) & 0xFF ]       ) ^
+            ( (uint32_t) FSb[ ( t.Y[3] >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
+
+    t.X[3] = *RK++ ^ \
+            ( (uint32_t) FSb[ ( t.Y[3]       ) & 0xFF ]       ) ^
+            ( (uint32_t) FSb[ ( t.Y[0] >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
+
+    PUT_UINT32_LE( t.X[0], output,  0 );
+    PUT_UINT32_LE( t.X[1], output,  4 );
+    PUT_UINT32_LE( t.X[2], output,  8 );
+    PUT_UINT32_LE( t.X[3], output, 12 );
+
+    mbedtls_zeroize( &t, sizeof( t ) );
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
+                          const unsigned char input[16],
+                          unsigned char output[16] )
+{
+    mbedtls_internal_aes_encrypt( ctx, input, output );
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * AES-ECB block decryption
+ */
+#if !defined(MBEDTLS_AES_DECRYPT_ALT)
+int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
+                                  const unsigned char input[16],
+                                  unsigned char output[16] )
+{
+    int i;
+    uint32_t *RK = ctx->rk;
+    struct
+    {
+        uint32_t X[4];
+        uint32_t Y[4];
+    } t;
+
+    GET_UINT32_LE( t.X[0], input,  0 ); t.X[0] ^= *RK++;
+    GET_UINT32_LE( t.X[1], input,  4 ); t.X[1] ^= *RK++;
+    GET_UINT32_LE( t.X[2], input,  8 ); t.X[2] ^= *RK++;
+    GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
+
+    for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
+    {
+        AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
+        AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
+    }
+
+    AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
+
+    t.X[0] = *RK++ ^ \
+            ( (uint32_t) RSb[ ( t.Y[0]       ) & 0xFF ]       ) ^
+            ( (uint32_t) RSb[ ( t.Y[3] >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
+
+    t.X[1] = *RK++ ^ \
+            ( (uint32_t) RSb[ ( t.Y[1]       ) & 0xFF ]       ) ^
+            ( (uint32_t) RSb[ ( t.Y[0] >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
+
+    t.X[2] = *RK++ ^ \
+            ( (uint32_t) RSb[ ( t.Y[2]       ) & 0xFF ]       ) ^
+            ( (uint32_t) RSb[ ( t.Y[1] >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
+
+    t.X[3] = *RK++ ^ \
+            ( (uint32_t) RSb[ ( t.Y[3]       ) & 0xFF ]       ) ^
+            ( (uint32_t) RSb[ ( t.Y[2] >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
+
+    PUT_UINT32_LE( t.X[0], output,  0 );
+    PUT_UINT32_LE( t.X[1], output,  4 );
+    PUT_UINT32_LE( t.X[2], output,  8 );
+    PUT_UINT32_LE( t.X[3], output, 12 );
+
+    mbedtls_zeroize( &t, sizeof( t ) );
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_AES_DECRYPT_ALT */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
+                          const unsigned char input[16],
+                          unsigned char output[16] )
+{
+    mbedtls_internal_aes_decrypt( ctx, input, output );
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * AES-ECB block encryption/decryption
+ */
+int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
+                    int mode,
+                    const unsigned char input[16],
+                    unsigned char output[16] )
+{
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+        return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
+    if( aes_padlock_ace )
+    {
+        if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
+            return( 0 );
+
+        // If padlock data misaligned, we just fall back to
+        // unaccelerated mode
+        //
+    }
+#endif
+
+    if( mode == MBEDTLS_AES_ENCRYPT )
+        return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
+    else
+        return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * AES-CBC buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output )
+{
+    int i;
+    unsigned char temp[16];
+
+    if( length % 16 )
+        return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
+
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
+    if( aes_padlock_ace )
+    {
+        if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
+            return( 0 );
+
+        // If padlock data misaligned, we just fall back to
+        // unaccelerated mode
+        //
+    }
+#endif
+
+    if( mode == MBEDTLS_AES_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 16 );
+            mbedtls_aes_crypt_ecb( ctx, mode, input, output );
+
+            for( i = 0; i < 16; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 16 );
+
+            input  += 16;
+            output += 16;
+            length -= 16;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 16; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_aes_crypt_ecb( ctx, mode, output, output );
+            memcpy( iv, output, 16 );
+
+            input  += 16;
+            output += 16;
+            length -= 16;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * AES-CFB128 buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c;
+    size_t n = *iv_off;
+
+    if( mode == MBEDTLS_AES_DECRYPT )
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+
+            c = *input++;
+            *output++ = (unsigned char)( c ^ iv[n] );
+            iv[n] = (unsigned char) c;
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+    else
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+
+            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+
+    *iv_off = n;
+
+    return( 0 );
+}
+
+/*
+ * AES-CFB8 buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    unsigned char c;
+    unsigned char ov[17];
+
+    while( length-- )
+    {
+        memcpy( ov, iv, 16 );
+        mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+            ov[16] = *input;
+
+        c = *output++ = (unsigned char)( iv[0] ^ *input++ );
+
+        if( mode == MBEDTLS_AES_ENCRYPT )
+            ov[16] = c;
+
+        memcpy( iv, ov + 1, 16 );
+    }
+
+    return( 0 );
+}
+#endif /*MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * AES-CTR buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c, i;
+    size_t n = *nc_off;
+
+    while( length-- )
+    {
+        if( n == 0 ) {
+            mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
+
+            for( i = 16; i > 0; i-- )
+                if( ++nonce_counter[i - 1] != 0 )
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)( c ^ stream_block[n] );
+
+        n = ( n + 1 ) & 0x0F;
+    }
+
+    *nc_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#endif /* !MBEDTLS_AES_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * AES test vectors from:
+ *
+ * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
+ */
+static const unsigned char aes_test_ecb_dec[3][16] =
+{
+    { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
+      0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
+    { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
+      0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
+    { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
+      0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
+};
+
+static const unsigned char aes_test_ecb_enc[3][16] =
+{
+    { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
+      0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
+    { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
+      0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
+    { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
+      0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const unsigned char aes_test_cbc_dec[3][16] =
+{
+    { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
+      0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
+    { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
+      0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
+    { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
+      0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
+};
+
+static const unsigned char aes_test_cbc_enc[3][16] =
+{
+    { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
+      0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
+    { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
+      0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
+    { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
+      0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * AES-CFB128 test vectors from:
+ *
+ * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
+ */
+static const unsigned char aes_test_cfb128_key[3][32] =
+{
+    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
+    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
+    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+};
+
+static const unsigned char aes_test_cfb128_iv[16] =
+{
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+};
+
+static const unsigned char aes_test_cfb128_pt[64] =
+{
+    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
+    0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+    0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
+    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
+    0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
+};
+
+static const unsigned char aes_test_cfb128_ct[3][64] =
+{
+    { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
+      0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
+      0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
+      0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
+      0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
+      0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
+      0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
+      0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
+    { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
+      0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
+      0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
+      0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
+      0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
+      0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
+      0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
+      0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
+    { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
+      0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
+      0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
+      0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
+      0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
+      0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
+      0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
+      0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * AES-CTR test vectors from:
+ *
+ * http://www.faqs.org/rfcs/rfc3686.html
+ */
+
+static const unsigned char aes_test_ctr_key[3][16] =
+{
+    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
+      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
+    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
+      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
+    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
+      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
+};
+
+static const unsigned char aes_test_ctr_nonce_counter[3][16] =
+{
+    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
+    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
+      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
+    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
+      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
+};
+
+static const unsigned char aes_test_ctr_pt[3][48] =
+{
+    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
+      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
+      0x20, 0x21, 0x22, 0x23 }
+};
+
+static const unsigned char aes_test_ctr_ct[3][48] =
+{
+    { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
+      0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
+    { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
+      0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
+      0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
+      0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
+    { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
+      0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
+      0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
+      0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
+      0x25, 0xB2, 0x07, 0x2F }
+};
+
+static const int aes_test_ctr_len[3] =
+    { 16, 32, 36 };
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_aes_self_test( int verbose )
+{
+    int ret = 0, i, j, u, mode;
+    unsigned int keybits;
+    unsigned char key[32];
+    unsigned char buf[64];
+    const unsigned char *aes_tests;
+#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
+    unsigned char iv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    unsigned char prv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
+    size_t offset;
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    int len;
+    unsigned char nonce_counter[16];
+    unsigned char stream_block[16];
+#endif
+    mbedtls_aes_context ctx;
+
+    memset( key, 0, 32 );
+    mbedtls_aes_init( &ctx );
+
+    /*
+     * ECB mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        keybits = 128 + u * 64;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-ECB-%3d (%s): ", keybits,
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memset( buf, 0, 16 );
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
+            aes_tests = aes_test_ecb_dec[u];
+        }
+        else
+        {
+            ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+            aes_tests = aes_test_ecb_enc[u];
+        }
+
+        /*
+         * AES-192 is an optional feature that may be unavailable when
+         * there is an alternative underlying implementation i.e. when
+         * MBEDTLS_AES_ALT is defined.
+         */
+        if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
+        {
+            mbedtls_printf( "skipped\n" );
+            continue;
+        }
+        else if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        for( j = 0; j < 10000; j++ )
+        {
+            ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
+            if( ret != 0 )
+                goto exit;
+        }
+
+        if( memcmp( buf, aes_tests, 16 ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    /*
+     * CBC mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        keybits = 128 + u * 64;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-CBC-%3d (%s): ", keybits,
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memset( iv , 0, 16 );
+        memset( prv, 0, 16 );
+        memset( buf, 0, 16 );
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
+            aes_tests = aes_test_cbc_dec[u];
+        }
+        else
+        {
+            ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+            aes_tests = aes_test_cbc_enc[u];
+        }
+
+        /*
+         * AES-192 is an optional feature that may be unavailable when
+         * there is an alternative underlying implementation i.e. when
+         * MBEDTLS_AES_ALT is defined.
+         */
+        if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
+        {
+            mbedtls_printf( "skipped\n" );
+            continue;
+        }
+        else if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        for( j = 0; j < 10000; j++ )
+        {
+            if( mode == MBEDTLS_AES_ENCRYPT )
+            {
+                unsigned char tmp[16];
+
+                memcpy( tmp, prv, 16 );
+                memcpy( prv, buf, 16 );
+                memcpy( buf, tmp, 16 );
+            }
+
+            ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
+            if( ret != 0 )
+                goto exit;
+
+        }
+
+        if( memcmp( buf, aes_tests, 16 ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    /*
+     * CFB128 mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        keybits = 128 + u * 64;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-CFB128-%3d (%s): ", keybits,
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( iv,  aes_test_cfb128_iv, 16 );
+        memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
+
+        offset = 0;
+        ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+        /*
+         * AES-192 is an optional feature that may be unavailable when
+         * there is an alternative underlying implementation i.e. when
+         * MBEDTLS_AES_ALT is defined.
+         */
+        if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
+        {
+            mbedtls_printf( "skipped\n" );
+            continue;
+        }
+        else if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            memcpy( buf, aes_test_cfb128_ct[u], 64 );
+            aes_tests = aes_test_cfb128_pt;
+        }
+        else
+        {
+            memcpy( buf, aes_test_cfb128_pt, 64 );
+            aes_tests = aes_test_cfb128_ct[u];
+        }
+
+        ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
+        if( ret != 0 )
+            goto exit;
+
+        if( memcmp( buf, aes_tests, 64 ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    /*
+     * CTR mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-CTR-128 (%s): ",
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
+        memcpy( key, aes_test_ctr_key[u], 16 );
+
+        offset = 0;
+        if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
+            goto exit;
+
+        len = aes_test_ctr_len[u];
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            memcpy( buf, aes_test_ctr_ct[u], len );
+            aes_tests = aes_test_ctr_pt[u];
+        }
+        else
+        {
+            memcpy( buf, aes_test_ctr_pt[u], len );
+            aes_tests = aes_test_ctr_ct[u];
+        }
+
+        ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
+                                     stream_block, buf, buf );
+        if( ret != 0 )
+            goto exit;
+
+        if( memcmp( buf, aes_tests, len ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+    ret = 0;
+
+exit:
+    if( ret != 0 && verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    mbedtls_aes_free( &ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_AES_C */
diff --git a/third-party/mbedtls-3.6/library/aesni.c b/third-party/mbedtls-3.6/library/aesni.c
new file mode 100644
index 00000000..d4969f52
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/aesni.c
@@ -0,0 +1,489 @@
+/*
+ *  AES-NI support functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ * [AES-WP] http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set
+ * [CLMUL-WP] http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_AESNI_C)
+
+#include "mbedtls/aesni.h"
+
+#include <string.h>
+
+#ifndef asm
+#define asm __asm
+#endif
+
+#if defined(MBEDTLS_HAVE_X86_64)
+
+/*
+ * AES-NI support detection routine
+ */
+int mbedtls_aesni_has_support( unsigned int what )
+{
+    static int done = 0;
+    static unsigned int c = 0;
+
+    if( ! done )
+    {
+        asm( "movl  $1, %%eax   \n\t"
+             "cpuid             \n\t"
+             : "=c" (c)
+             :
+             : "eax", "ebx", "edx" );
+        done = 1;
+    }
+
+    return( ( c & what ) != 0 );
+}
+
+/*
+ * Binutils needs to be at least 2.19 to support AES-NI instructions.
+ * Unfortunately, a lot of users have a lower version now (2014-04).
+ * Emit bytecode directly in order to support "old" version of gas.
+ *
+ * Opcodes from the Intel architecture reference manual, vol. 3.
+ * We always use registers, so we don't need prefixes for memory operands.
+ * Operand macros are in gas order (src, dst) as opposed to Intel order
+ * (dst, src) in order to blend better into the surrounding assembly code.
+ */
+#define AESDEC      ".byte 0x66,0x0F,0x38,0xDE,"
+#define AESDECLAST  ".byte 0x66,0x0F,0x38,0xDF,"
+#define AESENC      ".byte 0x66,0x0F,0x38,0xDC,"
+#define AESENCLAST  ".byte 0x66,0x0F,0x38,0xDD,"
+#define AESIMC      ".byte 0x66,0x0F,0x38,0xDB,"
+#define AESKEYGENA  ".byte 0x66,0x0F,0x3A,0xDF,"
+#define PCLMULQDQ   ".byte 0x66,0x0F,0x3A,0x44,"
+
+#define xmm0_xmm0   "0xC0"
+#define xmm0_xmm1   "0xC8"
+#define xmm0_xmm2   "0xD0"
+#define xmm0_xmm3   "0xD8"
+#define xmm0_xmm4   "0xE0"
+#define xmm1_xmm0   "0xC1"
+#define xmm1_xmm2   "0xD1"
+
+/*
+ * AES-NI AES-ECB block en(de)cryption
+ */
+int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
+                     int mode,
+                     const unsigned char input[16],
+                     unsigned char output[16] )
+{
+    asm( "movdqu    (%3), %%xmm0    \n\t" // load input
+         "movdqu    (%1), %%xmm1    \n\t" // load round key 0
+         "pxor      %%xmm1, %%xmm0  \n\t" // round 0
+         "add       $16, %1         \n\t" // point to next round key
+         "subl      $1, %0          \n\t" // normal rounds = nr - 1
+         "test      %2, %2          \n\t" // mode?
+         "jz        2f              \n\t" // 0 = decrypt
+
+         "1:                        \n\t" // encryption loop
+         "movdqu    (%1), %%xmm1    \n\t" // load round key
+         AESENC     xmm1_xmm0      "\n\t" // do round
+         "add       $16, %1         \n\t" // point to next round key
+         "subl      $1, %0          \n\t" // loop
+         "jnz       1b              \n\t"
+         "movdqu    (%1), %%xmm1    \n\t" // load round key
+         AESENCLAST xmm1_xmm0      "\n\t" // last round
+         "jmp       3f              \n\t"
+
+         "2:                        \n\t" // decryption loop
+         "movdqu    (%1), %%xmm1    \n\t"
+         AESDEC     xmm1_xmm0      "\n\t" // do round
+         "add       $16, %1         \n\t"
+         "subl      $1, %0          \n\t"
+         "jnz       2b              \n\t"
+         "movdqu    (%1), %%xmm1    \n\t" // load round key
+         AESDECLAST xmm1_xmm0      "\n\t" // last round
+
+         "3:                        \n\t"
+         "movdqu    %%xmm0, (%4)    \n\t" // export output
+         :
+         : "r" (ctx->nr), "r" (ctx->rk), "r" (mode), "r" (input), "r" (output)
+         : "memory", "cc", "xmm0", "xmm1" );
+
+
+    return( 0 );
+}
+
+/*
+ * GCM multiplication: c = a times b in GF(2^128)
+ * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
+ */
+void mbedtls_aesni_gcm_mult( unsigned char c[16],
+                     const unsigned char a[16],
+                     const unsigned char b[16] )
+{
+    unsigned char aa[16], bb[16], cc[16];
+    size_t i;
+
+    /* The inputs are in big-endian order, so byte-reverse them */
+    for( i = 0; i < 16; i++ )
+    {
+        aa[i] = a[15 - i];
+        bb[i] = b[15 - i];
+    }
+
+    asm( "movdqu (%0), %%xmm0               \n\t" // a1:a0
+         "movdqu (%1), %%xmm1               \n\t" // b1:b0
+
+         /*
+          * Caryless multiplication xmm2:xmm1 = xmm0 * xmm1
+          * using [CLMUL-WP] algorithm 1 (p. 13).
+          */
+         "movdqa %%xmm1, %%xmm2             \n\t" // copy of b1:b0
+         "movdqa %%xmm1, %%xmm3             \n\t" // same
+         "movdqa %%xmm1, %%xmm4             \n\t" // same
+         PCLMULQDQ xmm0_xmm1 ",0x00         \n\t" // a0*b0 = c1:c0
+         PCLMULQDQ xmm0_xmm2 ",0x11         \n\t" // a1*b1 = d1:d0
+         PCLMULQDQ xmm0_xmm3 ",0x10         \n\t" // a0*b1 = e1:e0
+         PCLMULQDQ xmm0_xmm4 ",0x01         \n\t" // a1*b0 = f1:f0
+         "pxor %%xmm3, %%xmm4               \n\t" // e1+f1:e0+f0
+         "movdqa %%xmm4, %%xmm3             \n\t" // same
+         "psrldq $8, %%xmm4                 \n\t" // 0:e1+f1
+         "pslldq $8, %%xmm3                 \n\t" // e0+f0:0
+         "pxor %%xmm4, %%xmm2               \n\t" // d1:d0+e1+f1
+         "pxor %%xmm3, %%xmm1               \n\t" // c1+e0+f1:c0
+
+         /*
+          * Now shift the result one bit to the left,
+          * taking advantage of [CLMUL-WP] eq 27 (p. 20)
+          */
+         "movdqa %%xmm1, %%xmm3             \n\t" // r1:r0
+         "movdqa %%xmm2, %%xmm4             \n\t" // r3:r2
+         "psllq $1, %%xmm1                  \n\t" // r1<<1:r0<<1
+         "psllq $1, %%xmm2                  \n\t" // r3<<1:r2<<1
+         "psrlq $63, %%xmm3                 \n\t" // r1>>63:r0>>63
+         "psrlq $63, %%xmm4                 \n\t" // r3>>63:r2>>63
+         "movdqa %%xmm3, %%xmm5             \n\t" // r1>>63:r0>>63
+         "pslldq $8, %%xmm3                 \n\t" // r0>>63:0
+         "pslldq $8, %%xmm4                 \n\t" // r2>>63:0
+         "psrldq $8, %%xmm5                 \n\t" // 0:r1>>63
+         "por %%xmm3, %%xmm1                \n\t" // r1<<1|r0>>63:r0<<1
+         "por %%xmm4, %%xmm2                \n\t" // r3<<1|r2>>62:r2<<1
+         "por %%xmm5, %%xmm2                \n\t" // r3<<1|r2>>62:r2<<1|r1>>63
+
+         /*
+          * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
+          * using [CLMUL-WP] algorithm 5 (p. 20).
+          * Currently xmm2:xmm1 holds x3:x2:x1:x0 (already shifted).
+          */
+         /* Step 2 (1) */
+         "movdqa %%xmm1, %%xmm3             \n\t" // x1:x0
+         "movdqa %%xmm1, %%xmm4             \n\t" // same
+         "movdqa %%xmm1, %%xmm5             \n\t" // same
+         "psllq $63, %%xmm3                 \n\t" // x1<<63:x0<<63 = stuff:a
+         "psllq $62, %%xmm4                 \n\t" // x1<<62:x0<<62 = stuff:b
+         "psllq $57, %%xmm5                 \n\t" // x1<<57:x0<<57 = stuff:c
+
+         /* Step 2 (2) */
+         "pxor %%xmm4, %%xmm3               \n\t" // stuff:a+b
+         "pxor %%xmm5, %%xmm3               \n\t" // stuff:a+b+c
+         "pslldq $8, %%xmm3                 \n\t" // a+b+c:0
+         "pxor %%xmm3, %%xmm1               \n\t" // x1+a+b+c:x0 = d:x0
+
+         /* Steps 3 and 4 */
+         "movdqa %%xmm1,%%xmm0              \n\t" // d:x0
+         "movdqa %%xmm1,%%xmm4              \n\t" // same
+         "movdqa %%xmm1,%%xmm5              \n\t" // same
+         "psrlq $1, %%xmm0                  \n\t" // e1:x0>>1 = e1:e0'
+         "psrlq $2, %%xmm4                  \n\t" // f1:x0>>2 = f1:f0'
+         "psrlq $7, %%xmm5                  \n\t" // g1:x0>>7 = g1:g0'
+         "pxor %%xmm4, %%xmm0               \n\t" // e1+f1:e0'+f0'
+         "pxor %%xmm5, %%xmm0               \n\t" // e1+f1+g1:e0'+f0'+g0'
+         // e0'+f0'+g0' is almost e0+f0+g0, ex\tcept for some missing
+         // bits carried from d. Now get those\t bits back in.
+         "movdqa %%xmm1,%%xmm3              \n\t" // d:x0
+         "movdqa %%xmm1,%%xmm4              \n\t" // same
+         "movdqa %%xmm1,%%xmm5              \n\t" // same
+         "psllq $63, %%xmm3                 \n\t" // d<<63:stuff
+         "psllq $62, %%xmm4                 \n\t" // d<<62:stuff
+         "psllq $57, %%xmm5                 \n\t" // d<<57:stuff
+         "pxor %%xmm4, %%xmm3               \n\t" // d<<63+d<<62:stuff
+         "pxor %%xmm5, %%xmm3               \n\t" // missing bits of d:stuff
+         "psrldq $8, %%xmm3                 \n\t" // 0:missing bits of d
+         "pxor %%xmm3, %%xmm0               \n\t" // e1+f1+g1:e0+f0+g0
+         "pxor %%xmm1, %%xmm0               \n\t" // h1:h0
+         "pxor %%xmm2, %%xmm0               \n\t" // x3+h1:x2+h0
+
+         "movdqu %%xmm0, (%2)               \n\t" // done
+         :
+         : "r" (aa), "r" (bb), "r" (cc)
+         : "memory", "cc", "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5" );
+
+    /* Now byte-reverse the outputs */
+    for( i = 0; i < 16; i++ )
+        c[i] = cc[15 - i];
+
+    return;
+}
+
+/*
+ * Compute decryption round keys from encryption round keys
+ */
+void mbedtls_aesni_inverse_key( unsigned char *invkey,
+                        const unsigned char *fwdkey, int nr )
+{
+    unsigned char *ik = invkey;
+    const unsigned char *fk = fwdkey + 16 * nr;
+
+    memcpy( ik, fk, 16 );
+
+    for( fk -= 16, ik += 16; fk > fwdkey; fk -= 16, ik += 16 )
+        asm( "movdqu (%0), %%xmm0       \n\t"
+             AESIMC  xmm0_xmm0         "\n\t"
+             "movdqu %%xmm0, (%1)       \n\t"
+             :
+             : "r" (fk), "r" (ik)
+             : "memory", "xmm0" );
+
+    memcpy( ik, fk, 16 );
+}
+
+/*
+ * Key expansion, 128-bit case
+ */
+static void aesni_setkey_enc_128( unsigned char *rk,
+                                  const unsigned char *key )
+{
+    asm( "movdqu (%1), %%xmm0               \n\t" // copy the original key
+         "movdqu %%xmm0, (%0)               \n\t" // as round key 0
+         "jmp 2f                            \n\t" // skip auxiliary routine
+
+         /*
+          * Finish generating the next round key.
+          *
+          * On entry xmm0 is r3:r2:r1:r0 and xmm1 is X:stuff:stuff:stuff
+          * with X = rot( sub( r3 ) ) ^ RCON.
+          *
+          * On exit, xmm0 is r7:r6:r5:r4
+          * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
+          * and those are written to the round key buffer.
+          */
+         "1:                                \n\t"
+         "pshufd $0xff, %%xmm1, %%xmm1      \n\t" // X:X:X:X
+         "pxor %%xmm0, %%xmm1               \n\t" // X+r3:X+r2:X+r1:r4
+         "pslldq $4, %%xmm0                 \n\t" // r2:r1:r0:0
+         "pxor %%xmm0, %%xmm1               \n\t" // X+r3+r2:X+r2+r1:r5:r4
+         "pslldq $4, %%xmm0                 \n\t" // etc
+         "pxor %%xmm0, %%xmm1               \n\t"
+         "pslldq $4, %%xmm0                 \n\t"
+         "pxor %%xmm1, %%xmm0               \n\t" // update xmm0 for next time!
+         "add $16, %0                       \n\t" // point to next round key
+         "movdqu %%xmm0, (%0)               \n\t" // write it
+         "ret                               \n\t"
+
+         /* Main "loop" */
+         "2:                                \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x01        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x02        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x04        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x08        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x10        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x20        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x40        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x80        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x1B        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x36        \n\tcall 1b \n\t"
+         :
+         : "r" (rk), "r" (key)
+         : "memory", "cc", "0" );
+}
+
+/*
+ * Key expansion, 192-bit case
+ */
+static void aesni_setkey_enc_192( unsigned char *rk,
+                                  const unsigned char *key )
+{
+    asm( "movdqu (%1), %%xmm0   \n\t" // copy original round key
+         "movdqu %%xmm0, (%0)   \n\t"
+         "add $16, %0           \n\t"
+         "movq 16(%1), %%xmm1   \n\t"
+         "movq %%xmm1, (%0)     \n\t"
+         "add $8, %0            \n\t"
+         "jmp 2f                \n\t" // skip auxiliary routine
+
+         /*
+          * Finish generating the next 6 quarter-keys.
+          *
+          * On entry xmm0 is r3:r2:r1:r0, xmm1 is stuff:stuff:r5:r4
+          * and xmm2 is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON.
+          *
+          * On exit, xmm0 is r9:r8:r7:r6 and xmm1 is stuff:stuff:r11:r10
+          * and those are written to the round key buffer.
+          */
+         "1:                            \n\t"
+         "pshufd $0x55, %%xmm2, %%xmm2  \n\t" // X:X:X:X
+         "pxor %%xmm0, %%xmm2           \n\t" // X+r3:X+r2:X+r1:r4
+         "pslldq $4, %%xmm0             \n\t" // etc
+         "pxor %%xmm0, %%xmm2           \n\t"
+         "pslldq $4, %%xmm0             \n\t"
+         "pxor %%xmm0, %%xmm2           \n\t"
+         "pslldq $4, %%xmm0             \n\t"
+         "pxor %%xmm2, %%xmm0           \n\t" // update xmm0 = r9:r8:r7:r6
+         "movdqu %%xmm0, (%0)           \n\t"
+         "add $16, %0                   \n\t"
+         "pshufd $0xff, %%xmm0, %%xmm2  \n\t" // r9:r9:r9:r9
+         "pxor %%xmm1, %%xmm2           \n\t" // stuff:stuff:r9+r5:r10
+         "pslldq $4, %%xmm1             \n\t" // r2:r1:r0:0
+         "pxor %%xmm2, %%xmm1           \n\t" // xmm1 = stuff:stuff:r11:r10
+         "movq %%xmm1, (%0)             \n\t"
+         "add $8, %0                    \n\t"
+         "ret                           \n\t"
+
+         "2:                            \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x01    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x02    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x04    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x08    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x10    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x20    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x40    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x80    \n\tcall 1b \n\t"
+
+         :
+         : "r" (rk), "r" (key)
+         : "memory", "cc", "0" );
+}
+
+/*
+ * Key expansion, 256-bit case
+ */
+static void aesni_setkey_enc_256( unsigned char *rk,
+                                  const unsigned char *key )
+{
+    asm( "movdqu (%1), %%xmm0           \n\t"
+         "movdqu %%xmm0, (%0)           \n\t"
+         "add $16, %0                   \n\t"
+         "movdqu 16(%1), %%xmm1         \n\t"
+         "movdqu %%xmm1, (%0)           \n\t"
+         "jmp 2f                        \n\t" // skip auxiliary routine
+
+         /*
+          * Finish generating the next two round keys.
+          *
+          * On entry xmm0 is r3:r2:r1:r0, xmm1 is r7:r6:r5:r4 and
+          * xmm2 is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
+          *
+          * On exit, xmm0 is r11:r10:r9:r8 and xmm1 is r15:r14:r13:r12
+          * and those have been written to the output buffer.
+          */
+         "1:                                \n\t"
+         "pshufd $0xff, %%xmm2, %%xmm2      \n\t"
+         "pxor %%xmm0, %%xmm2               \n\t"
+         "pslldq $4, %%xmm0                 \n\t"
+         "pxor %%xmm0, %%xmm2               \n\t"
+         "pslldq $4, %%xmm0                 \n\t"
+         "pxor %%xmm0, %%xmm2               \n\t"
+         "pslldq $4, %%xmm0                 \n\t"
+         "pxor %%xmm2, %%xmm0               \n\t"
+         "add $16, %0                       \n\t"
+         "movdqu %%xmm0, (%0)               \n\t"
+
+         /* Set xmm2 to stuff:Y:stuff:stuff with Y = subword( r11 )
+          * and proceed to generate next round key from there */
+         AESKEYGENA xmm0_xmm2 ",0x00        \n\t"
+         "pshufd $0xaa, %%xmm2, %%xmm2      \n\t"
+         "pxor %%xmm1, %%xmm2               \n\t"
+         "pslldq $4, %%xmm1                 \n\t"
+         "pxor %%xmm1, %%xmm2               \n\t"
+         "pslldq $4, %%xmm1                 \n\t"
+         "pxor %%xmm1, %%xmm2               \n\t"
+         "pslldq $4, %%xmm1                 \n\t"
+         "pxor %%xmm2, %%xmm1               \n\t"
+         "add $16, %0                       \n\t"
+         "movdqu %%xmm1, (%0)               \n\t"
+         "ret                               \n\t"
+
+         /*
+          * Main "loop" - Generating one more key than necessary,
+          * see definition of mbedtls_aes_context.buf
+          */
+         "2:                                \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x01        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x02        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x04        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x08        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x10        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x20        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x40        \n\tcall 1b \n\t"
+         :
+         : "r" (rk), "r" (key)
+         : "memory", "cc", "0" );
+}
+
+/*
+ * Key expansion, wrapper
+ */
+int mbedtls_aesni_setkey_enc( unsigned char *rk,
+                      const unsigned char *key,
+                      size_t bits )
+{
+    switch( bits )
+    {
+        case 128: aesni_setkey_enc_128( rk, key ); break;
+        case 192: aesni_setkey_enc_192( rk, key ); break;
+        case 256: aesni_setkey_enc_256( rk, key ); break;
+        default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
+    }
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_HAVE_X86_64 */
+
+#endif /* MBEDTLS_AESNI_C */
diff --git a/third-party/mbedtls-3.6/library/arc4.c b/third-party/mbedtls-3.6/library/arc4.c
new file mode 100644
index 00000000..338ecd7a
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/arc4.c
@@ -0,0 +1,230 @@
+/*
+ *  An implementation of the ARCFOUR algorithm
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The ARCFOUR algorithm was publicly disclosed on 94/09.
+ *
+ *  http://groups.google.com/group/sci.crypt/msg/10a300c9d21afca0
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+
+#include "mbedtls/arc4.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_ARC4_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
+void mbedtls_arc4_init( mbedtls_arc4_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_arc4_context ) );
+}
+
+void mbedtls_arc4_free( mbedtls_arc4_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_arc4_context ) );
+}
+
+/*
+ * ARC4 key schedule
+ */
+void mbedtls_arc4_setup( mbedtls_arc4_context *ctx, const unsigned char *key,
+                 unsigned int keylen )
+{
+    int i, j, a;
+    unsigned int k;
+    unsigned char *m;
+
+    ctx->x = 0;
+    ctx->y = 0;
+    m = ctx->m;
+
+    for( i = 0; i < 256; i++ )
+        m[i] = (unsigned char) i;
+
+    j = k = 0;
+
+    for( i = 0; i < 256; i++, k++ )
+    {
+        if( k >= keylen ) k = 0;
+
+        a = m[i];
+        j = ( j + a + key[k] ) & 0xFF;
+        m[i] = m[j];
+        m[j] = (unsigned char) a;
+    }
+}
+
+/*
+ * ARC4 cipher function
+ */
+int mbedtls_arc4_crypt( mbedtls_arc4_context *ctx, size_t length, const unsigned char *input,
+                unsigned char *output )
+{
+    int x, y, a, b;
+    size_t i;
+    unsigned char *m;
+
+    x = ctx->x;
+    y = ctx->y;
+    m = ctx->m;
+
+    for( i = 0; i < length; i++ )
+    {
+        x = ( x + 1 ) & 0xFF; a = m[x];
+        y = ( y + a ) & 0xFF; b = m[y];
+
+        m[x] = (unsigned char) b;
+        m[y] = (unsigned char) a;
+
+        output[i] = (unsigned char)
+            ( input[i] ^ m[(unsigned char)( a + b )] );
+    }
+
+    ctx->x = x;
+    ctx->y = y;
+
+    return( 0 );
+}
+
+#endif /* !MBEDTLS_ARC4_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * ARC4 tests vectors as posted by Eric Rescorla in sep. 1994:
+ *
+ * http://groups.google.com/group/comp.security.misc/msg/10a300c9d21afca0
+ */
+static const unsigned char arc4_test_key[3][8] =
+{
+    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF },
+    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF },
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char arc4_test_pt[3][8] =
+{
+    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF },
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char arc4_test_ct[3][8] =
+{
+    { 0x75, 0xB7, 0x87, 0x80, 0x99, 0xE0, 0xC5, 0x96 },
+    { 0x74, 0x94, 0xC2, 0xE7, 0x10, 0x4B, 0x08, 0x79 },
+    { 0xDE, 0x18, 0x89, 0x41, 0xA3, 0x37, 0x5D, 0x3A }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_arc4_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char ibuf[8];
+    unsigned char obuf[8];
+    mbedtls_arc4_context ctx;
+
+    mbedtls_arc4_init( &ctx );
+
+    for( i = 0; i < 3; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  ARC4 test #%d: ", i + 1 );
+
+        memcpy( ibuf, arc4_test_pt[i], 8 );
+
+        mbedtls_arc4_setup( &ctx, arc4_test_key[i], 8 );
+        mbedtls_arc4_crypt( &ctx, 8, ibuf, obuf );
+
+        if( memcmp( obuf, arc4_test_ct[i], 8 ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+exit:
+    mbedtls_arc4_free( &ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ARC4_C */
diff --git a/third-party/mbedtls-3.6/library/asn1parse.c b/third-party/mbedtls-3.6/library/asn1parse.c
new file mode 100644
index 00000000..9b445585
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/asn1parse.c
@@ -0,0 +1,418 @@
+/*
+ *  Generic ASN.1 parsing
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
+#include "mbedtls/asn1.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * ASN.1 DER decoding routines
+ */
+int mbedtls_asn1_get_len( unsigned char **p,
+                  const unsigned char *end,
+                  size_t *len )
+{
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( ( **p & 0x80 ) == 0 )
+        *len = *(*p)++;
+    else
+    {
+        switch( **p & 0x7F )
+        {
+        case 1:
+            if( ( end - *p ) < 2 )
+                return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+            *len = (*p)[1];
+            (*p) += 2;
+            break;
+
+        case 2:
+            if( ( end - *p ) < 3 )
+                return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+            *len = ( (size_t)(*p)[1] << 8 ) | (*p)[2];
+            (*p) += 3;
+            break;
+
+        case 3:
+            if( ( end - *p ) < 4 )
+                return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+            *len = ( (size_t)(*p)[1] << 16 ) |
+                   ( (size_t)(*p)[2] << 8  ) | (*p)[3];
+            (*p) += 4;
+            break;
+
+        case 4:
+            if( ( end - *p ) < 5 )
+                return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+            *len = ( (size_t)(*p)[1] << 24 ) | ( (size_t)(*p)[2] << 16 ) |
+                   ( (size_t)(*p)[3] << 8  ) |           (*p)[4];
+            (*p) += 5;
+            break;
+
+        default:
+            return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+        }
+    }
+
+    if( *len > (size_t) ( end - *p ) )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    return( 0 );
+}
+
+int mbedtls_asn1_get_tag( unsigned char **p,
+                  const unsigned char *end,
+                  size_t *len, int tag )
+{
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( **p != tag )
+        return( MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    (*p)++;
+
+    return( mbedtls_asn1_get_len( p, end, len ) );
+}
+
+int mbedtls_asn1_get_bool( unsigned char **p,
+                   const unsigned char *end,
+                   int *val )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_BOOLEAN ) ) != 0 )
+        return( ret );
+
+    if( len != 1 )
+        return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    *val = ( **p != 0 ) ? 1 : 0;
+    (*p)++;
+
+    return( 0 );
+}
+
+int mbedtls_asn1_get_int( unsigned char **p,
+                  const unsigned char *end,
+                  int *val )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+        return( ret );
+
+    if( len == 0 || len > sizeof( int ) || ( **p & 0x80 ) != 0 )
+        return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    *val = 0;
+
+    while( len-- > 0 )
+    {
+        *val = ( *val << 8 ) | **p;
+        (*p)++;
+    }
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+int mbedtls_asn1_get_mpi( unsigned char **p,
+                  const unsigned char *end,
+                  mbedtls_mpi *X )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_mpi_read_binary( X, *p, len );
+
+    *p += len;
+
+    return( ret );
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+int mbedtls_asn1_get_bitstring( unsigned char **p, const unsigned char *end,
+                        mbedtls_asn1_bitstring *bs)
+{
+    int ret;
+
+    /* Certificate type is a single byte bitstring */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &bs->len, MBEDTLS_ASN1_BIT_STRING ) ) != 0 )
+        return( ret );
+
+    /* Check length, subtract one for actual bit string length */
+    if( bs->len < 1 )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+    bs->len -= 1;
+
+    /* Get number of unused bits, ensure unused bits <= 7 */
+    bs->unused_bits = **p;
+    if( bs->unused_bits > 7 )
+        return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+    (*p)++;
+
+    /* Get actual bitstring */
+    bs->p = *p;
+    *p += bs->len;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * Get a bit string without unused bits
+ */
+int mbedtls_asn1_get_bitstring_null( unsigned char **p, const unsigned char *end,
+                             size_t *len )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_BIT_STRING ) ) != 0 )
+        return( ret );
+
+    if( (*len)-- < 2 || *(*p)++ != 0 )
+        return( MBEDTLS_ERR_ASN1_INVALID_DATA );
+
+    return( 0 );
+}
+
+
+
+/*
+ *  Parses and splits an ASN.1 "SEQUENCE OF <tag>"
+ */
+int mbedtls_asn1_get_sequence_of( unsigned char **p,
+                          const unsigned char *end,
+                          mbedtls_asn1_sequence *cur,
+                          int tag)
+{
+    int ret;
+    size_t len;
+    mbedtls_asn1_buf *buf;
+
+    /* Get main sequence tag */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( ret );
+
+    if( *p + len != end )
+        return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    while( *p < end )
+    {
+        buf = &(cur->buf);
+        buf->tag = **p;
+
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &buf->len, tag ) ) != 0 )
+            return( ret );
+
+        buf->p = *p;
+        *p += buf->len;
+
+        /* Allocate and assign next pointer */
+        if( *p < end )
+        {
+            cur->next = (mbedtls_asn1_sequence*)mbedtls_calloc( 1,
+                                            sizeof( mbedtls_asn1_sequence ) );
+
+            if( cur->next == NULL )
+                return( MBEDTLS_ERR_ASN1_ALLOC_FAILED );
+
+            cur = cur->next;
+        }
+    }
+
+    /* Set final sequence entry's next pointer to NULL */
+    cur->next = NULL;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+int mbedtls_asn1_get_alg( unsigned char **p,
+                  const unsigned char *end,
+                  mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( ret );
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    alg->tag = **p;
+    end = *p + len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &alg->len, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( ret );
+
+    alg->p = *p;
+    *p += alg->len;
+
+    if( *p == end )
+    {
+        mbedtls_zeroize( params, sizeof(mbedtls_asn1_buf) );
+        return( 0 );
+    }
+
+    params->tag = **p;
+    (*p)++;
+
+    if( ( ret = mbedtls_asn1_get_len( p, end, &params->len ) ) != 0 )
+        return( ret );
+
+    params->p = *p;
+    *p += params->len;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+int mbedtls_asn1_get_alg_null( unsigned char **p,
+                       const unsigned char *end,
+                       mbedtls_asn1_buf *alg )
+{
+    int ret;
+    mbedtls_asn1_buf params;
+
+    memset( &params, 0, sizeof(mbedtls_asn1_buf) );
+
+    if( ( ret = mbedtls_asn1_get_alg( p, end, alg, &params ) ) != 0 )
+        return( ret );
+
+    if( ( params.tag != MBEDTLS_ASN1_NULL && params.tag != 0 ) || params.len != 0 )
+        return( MBEDTLS_ERR_ASN1_INVALID_DATA );
+
+    return( 0 );
+}
+
+void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *cur )
+{
+    if( cur == NULL )
+        return;
+
+    mbedtls_free( cur->oid.p );
+    mbedtls_free( cur->val.p );
+
+    mbedtls_zeroize( cur, sizeof( mbedtls_asn1_named_data ) );
+}
+
+void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head )
+{
+    mbedtls_asn1_named_data *cur;
+
+    while( ( cur = *head ) != NULL )
+    {
+        *head = cur->next;
+        mbedtls_asn1_free_named_data( cur );
+        mbedtls_free( cur );
+    }
+}
+
+mbedtls_asn1_named_data *mbedtls_asn1_find_named_data( mbedtls_asn1_named_data *list,
+                                       const char *oid, size_t len )
+{
+    while( list != NULL )
+    {
+        if( list->oid.len == len &&
+            memcmp( list->oid.p, oid, len ) == 0 )
+        {
+            break;
+        }
+
+        list = list->next;
+    }
+
+    return( list );
+}
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
diff --git a/third-party/mbedtls-3.6/library/asn1write.c b/third-party/mbedtls-3.6/library/asn1write.c
new file mode 100644
index 00000000..9740320b
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/asn1write.c
@@ -0,0 +1,446 @@
+/*
+ * ASN.1 buffer writing functionality
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ASN1_WRITE_C)
+
+#include "mbedtls/asn1write.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start, size_t len )
+{
+    if( len < 0x80 )
+    {
+        if( *p - start < 1 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = (unsigned char) len;
+        return( 1 );
+    }
+
+    if( len <= 0xFF )
+    {
+        if( *p - start < 2 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = (unsigned char) len;
+        *--(*p) = 0x81;
+        return( 2 );
+    }
+
+    if( len <= 0xFFFF )
+    {
+        if( *p - start < 3 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = ( len       ) & 0xFF;
+        *--(*p) = ( len >>  8 ) & 0xFF;
+        *--(*p) = 0x82;
+        return( 3 );
+    }
+
+    if( len <= 0xFFFFFF )
+    {
+        if( *p - start < 4 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = ( len       ) & 0xFF;
+        *--(*p) = ( len >>  8 ) & 0xFF;
+        *--(*p) = ( len >> 16 ) & 0xFF;
+        *--(*p) = 0x83;
+        return( 4 );
+    }
+
+#if SIZE_MAX > 0xFFFFFFFF
+    if( len <= 0xFFFFFFFF )
+#endif
+    {
+        if( *p - start < 5 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = ( len       ) & 0xFF;
+        *--(*p) = ( len >>  8 ) & 0xFF;
+        *--(*p) = ( len >> 16 ) & 0xFF;
+        *--(*p) = ( len >> 24 ) & 0xFF;
+        *--(*p) = 0x84;
+        return( 5 );
+    }
+
+#if SIZE_MAX > 0xFFFFFFFF
+    return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+#endif
+}
+
+int mbedtls_asn1_write_tag( unsigned char **p, unsigned char *start, unsigned char tag )
+{
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    *--(*p) = tag;
+
+    return( 1 );
+}
+
+int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
+                           const unsigned char *buf, size_t size )
+{
+    size_t len = 0;
+
+    if( *p < start || (size_t)( *p - start ) < size )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    len = size;
+    (*p) -= len;
+    memcpy( *p, buf, len );
+
+    return( (int) len );
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start, const mbedtls_mpi *X )
+{
+    int ret;
+    size_t len = 0;
+
+    // Write the MPI
+    //
+    len = mbedtls_mpi_size( X );
+
+    if( *p < start || (size_t)( *p - start ) < len )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    (*p) -= len;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( X, *p, len ) );
+
+    // DER format assumes 2s complement for numbers, so the leftmost bit
+    // should be 0 for positive numbers and 1 for negative numbers.
+    //
+    if( X->s ==1 && **p & 0x80 )
+    {
+        if( *p - start < 1 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = 0x00;
+        len += 1;
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_INTEGER ) );
+
+    ret = (int) len;
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+int mbedtls_asn1_write_null( unsigned char **p, unsigned char *start )
+{
+    int ret;
+    size_t len = 0;
+
+    // Write NULL
+    //
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, 0) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_NULL ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_oid( unsigned char **p, unsigned char *start,
+                    const char *oid, size_t oid_len )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+                                  (const unsigned char *) oid, oid_len ) );
+    MBEDTLS_ASN1_CHK_ADD( len , mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len , mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OID ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_algorithm_identifier( unsigned char **p, unsigned char *start,
+                                     const char *oid, size_t oid_len,
+                                     size_t par_len )
+{
+    int ret;
+    size_t len = 0;
+
+    if( par_len == 0 )
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_null( p, start ) );
+    else
+        len += par_len;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid, oid_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
+                                       MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start, int boolean )
+{
+    int ret;
+    size_t len = 0;
+
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    *--(*p) = (boolean) ? 255 : 0;
+    len++;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BOOLEAN ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val )
+{
+    int ret;
+    size_t len = 0;
+
+    // DER format assumes 2s complement for numbers, so the leftmost bit
+    // should be 0 for positive numbers and 1 for negative numbers.
+    //
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    len += 1;
+    *--(*p) = val;
+
+    if( val > 0 && **p & 0x80 )
+    {
+        if( *p - start < 1 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = 0x00;
+        len += 1;
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_INTEGER ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_printable_string( unsigned char **p, unsigned char *start,
+                                 const char *text, size_t text_len )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+                  (const unsigned char *) text, text_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_PRINTABLE_STRING ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
+                           const char *text, size_t text_len )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+                  (const unsigned char *) text, text_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_IA5_STRING ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
+                          const unsigned char *buf, size_t bits )
+{
+    int ret;
+    size_t len = 0;
+    size_t unused_bits, byte_len;
+
+    byte_len = ( bits + 7 ) / 8;
+    unused_bits = ( byte_len * 8 ) - bits;
+
+    if( *p < start || (size_t)( *p - start ) < byte_len + 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    len = byte_len + 1;
+
+    /* Write the bitstring. Ensure the unused bits are zeroed */
+    if( byte_len > 0 )
+    {
+        byte_len--;
+        *--( *p ) = buf[byte_len] & ~( ( 0x1 << unused_bits ) - 1 );
+        ( *p ) -= byte_len;
+        memcpy( *p, buf, byte_len );
+    }
+
+    /* Write unused bits */
+    *--( *p ) = (unsigned char)unused_bits;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
+                             const unsigned char *buf, size_t size )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, buf, size ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OCTET_STRING ) );
+
+    return( (int) len );
+}
+
+
+/* This is a copy of the ASN.1 parsing function mbedtls_asn1_find_named_data(),
+ * which is replicated to avoid a dependency ASN1_WRITE_C on ASN1_PARSE_C. */
+static mbedtls_asn1_named_data *asn1_find_named_data(
+                                               mbedtls_asn1_named_data *list,
+                                               const char *oid, size_t len )
+{
+    while( list != NULL )
+    {
+        if( list->oid.len == len &&
+            memcmp( list->oid.p, oid, len ) == 0 )
+        {
+            break;
+        }
+
+        list = list->next;
+    }
+
+    return( list );
+}
+
+mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(
+                                        mbedtls_asn1_named_data **head,
+                                        const char *oid, size_t oid_len,
+                                        const unsigned char *val,
+                                        size_t val_len )
+{
+    mbedtls_asn1_named_data *cur;
+
+    if( ( cur = asn1_find_named_data( *head, oid, oid_len ) ) == NULL )
+    {
+        // Add new entry if not present yet based on OID
+        //
+        cur = (mbedtls_asn1_named_data*)mbedtls_calloc( 1,
+                                            sizeof(mbedtls_asn1_named_data) );
+        if( cur == NULL )
+            return( NULL );
+
+        cur->oid.len = oid_len;
+        cur->oid.p = mbedtls_calloc( 1, oid_len );
+        if( cur->oid.p == NULL )
+        {
+            mbedtls_free( cur );
+            return( NULL );
+        }
+
+        memcpy( cur->oid.p, oid, oid_len );
+
+        cur->val.len = val_len;
+        cur->val.p = mbedtls_calloc( 1, val_len );
+        if( cur->val.p == NULL )
+        {
+            mbedtls_free( cur->oid.p );
+            mbedtls_free( cur );
+            return( NULL );
+        }
+
+        cur->next = *head;
+        *head = cur;
+    }
+    else if( cur->val.len < val_len )
+    {
+        /*
+         * Enlarge existing value buffer if needed
+         * Preserve old data until the allocation succeeded, to leave list in
+         * a consistent state in case allocation fails.
+         */
+        void *p = mbedtls_calloc( 1, val_len );
+        if( p == NULL )
+            return( NULL );
+
+        mbedtls_free( cur->val.p );
+        cur->val.p = p;
+        cur->val.len = val_len;
+    }
+
+    if( val != NULL )
+        memcpy( cur->val.p, val, val_len );
+
+    return( cur );
+}
+#endif /* MBEDTLS_ASN1_WRITE_C */
diff --git a/third-party/mbedtls-3.6/library/base64.c b/third-party/mbedtls-3.6/library/base64.c
new file mode 100644
index 00000000..692e11e3
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/base64.c
@@ -0,0 +1,427 @@
+/*
+ *  RFC 1521 base64 encoding/decoding
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_BASE64_C)
+
+#include "mbedtls/base64.h"
+
+#include <stdint.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#include <string.h>
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+static const unsigned char base64_enc_map[64] =
+{
+    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',
+    'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',
+    'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd',
+    'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
+    'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x',
+    'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7',
+    '8', '9', '+', '/'
+};
+
+static const unsigned char base64_dec_map[128] =
+{
+    127, 127, 127, 127, 127, 127, 127, 127, 127, 127,
+    127, 127, 127, 127, 127, 127, 127, 127, 127, 127,
+    127, 127, 127, 127, 127, 127, 127, 127, 127, 127,
+    127, 127, 127, 127, 127, 127, 127, 127, 127, 127,
+    127, 127, 127,  62, 127, 127, 127,  63,  52,  53,
+     54,  55,  56,  57,  58,  59,  60,  61, 127, 127,
+    127,  64, 127, 127, 127,   0,   1,   2,   3,   4,
+      5,   6,   7,   8,   9,  10,  11,  12,  13,  14,
+     15,  16,  17,  18,  19,  20,  21,  22,  23,  24,
+     25, 127, 127, 127, 127, 127, 127,  26,  27,  28,
+     29,  30,  31,  32,  33,  34,  35,  36,  37,  38,
+     39,  40,  41,  42,  43,  44,  45,  46,  47,  48,
+     49,  50,  51, 127, 127, 127, 127, 127
+};
+
+#define BASE64_SIZE_T_MAX   ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
+
+/*
+ * Constant flow conditional assignment to unsigned char
+ */
+static void mbedtls_base64_cond_assign_uchar( unsigned char * dest, const unsigned char * const src,
+                                       unsigned char condition )
+{
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+    /* Generate bitmask from condition, mask will either be 0xFF or 0 */
+    unsigned char mask = ( condition | -condition );
+    mask >>= 7;
+    mask = -mask;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    *dest = ( ( *src ) & mask ) | ( ( *dest ) & ~mask );
+}
+
+/*
+ * Constant flow conditional assignment to uint_32
+ */
+static void mbedtls_base64_cond_assign_uint32( uint32_t * dest, const uint32_t src,
+                                       uint32_t condition )
+{
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+    /* Generate bitmask from condition, mask will either be 0xFFFFFFFF or 0 */
+    uint32_t mask = ( condition | -condition );
+    mask >>= 31;
+    mask = -mask;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    *dest = ( src & mask ) | ( ( *dest ) & ~mask );
+}
+
+/*
+ * Constant flow check for equality
+ */
+static unsigned char mbedtls_base64_eq( size_t in_a, size_t in_b )
+{
+    size_t difference = in_a ^ in_b;
+
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+    difference |= -difference;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    /* cope with the varying size of size_t per platform */
+    difference >>= ( sizeof( difference ) * 8 - 1 );
+
+    return (unsigned char) ( 1 ^ difference );
+}
+
+/*
+ * Constant flow lookup into table.
+ */
+static unsigned char mbedtls_base64_table_lookup( const unsigned char * const table,
+                                                 const size_t table_size, const size_t table_index )
+{
+    size_t i;
+    unsigned char result = 0;
+
+    for( i = 0; i < table_size; ++i )
+    {
+        mbedtls_base64_cond_assign_uchar( &result, &table[i], mbedtls_base64_eq( i, table_index ) );
+    }
+
+    return result;
+}
+
+/*
+ * Encode a buffer into base64 format
+ */
+int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen,
+                   const unsigned char *src, size_t slen )
+{
+    size_t i, n;
+    int C1, C2, C3;
+    unsigned char *p;
+
+    if( slen == 0 )
+    {
+        *olen = 0;
+        return( 0 );
+    }
+
+    n = slen / 3 + ( slen % 3 != 0 );
+
+    if( n > ( BASE64_SIZE_T_MAX - 1 ) / 4 )
+    {
+        *olen = BASE64_SIZE_T_MAX;
+        return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
+    }
+
+    n *= 4;
+
+    if( ( dlen < n + 1 ) || ( NULL == dst ) )
+    {
+        *olen = n + 1;
+        return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
+    }
+
+    n = ( slen / 3 ) * 3;
+
+    for( i = 0, p = dst; i < n; i += 3 )
+    {
+        C1 = *src++;
+        C2 = *src++;
+        C3 = *src++;
+
+        *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+                                            ( ( C1 >> 2 ) & 0x3F ) );
+
+        *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+                                            ( ( ( ( C1 &  3 ) << 4 ) + ( C2 >> 4 ) ) & 0x3F ) );
+
+        *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+                                            ( ( ( ( C2 & 15 ) << 2 ) + ( C3 >> 6 ) ) & 0x3F ) );
+
+        *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+                                            ( C3 & 0x3F ) );
+    }
+
+    if( i < slen )
+    {
+        C1 = *src++;
+        C2 = ( ( i + 1 ) < slen ) ? *src++ : 0;
+
+        *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+                                            ( ( C1 >> 2 ) & 0x3F ) );
+
+        *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+                                            ( ( ( ( C1 & 3 ) << 4 ) + ( C2 >> 4 ) ) & 0x3F ) );
+
+        if( ( i + 1 ) < slen )
+             *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+                                                 ( ( ( C2 & 15 ) << 2 ) & 0x3F ) );
+        else *p++ = '=';
+
+        *p++ = '=';
+    }
+
+    *olen = p - dst;
+    *p = 0;
+
+    return( 0 );
+}
+
+/*
+ * Decode a base64-formatted buffer
+ */
+int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
+                   const unsigned char *src, size_t slen )
+{
+    size_t i, n;
+    uint32_t j, x;
+    unsigned char *p;
+    unsigned char dec_map_lookup;
+
+    /* First pass: check for validity and get output length */
+    for( i = n = j = 0; i < slen; i++ )
+    {
+        /* Skip spaces before checking for EOL */
+        x = 0;
+        while( i < slen && src[i] == ' ' )
+        {
+            ++i;
+            ++x;
+        }
+
+        /* Spaces at end of buffer are OK */
+        if( i == slen )
+            break;
+
+        if( ( slen - i ) >= 2 &&
+            src[i] == '\r' && src[i + 1] == '\n' )
+            continue;
+
+        if( src[i] == '\n' )
+            continue;
+
+        /* Space inside a line is an error */
+        if( x != 0 )
+            return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
+
+        if( src[i] == '=' && ++j > 2 )
+            return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
+
+        dec_map_lookup = mbedtls_base64_table_lookup( base64_dec_map, sizeof( base64_dec_map ), src[i] );
+
+        if( src[i] > 127 || dec_map_lookup == 127 )
+            return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
+
+        if( dec_map_lookup < 64 && j != 0 )
+            return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
+
+        n++;
+    }
+
+    if( n == 0 )
+    {
+        *olen = 0;
+        return( 0 );
+    }
+
+    /* The following expression is to calculate the following formula without
+     * risk of integer overflow in n:
+     *     n = ( ( n * 6 ) + 7 ) >> 3;
+     */
+    n = ( 6 * ( n >> 3 ) ) + ( ( 6 * ( n & 0x7 ) + 7 ) >> 3 );
+    n -= j;
+
+    if( dst == NULL || dlen < n )
+    {
+        *olen = n;
+        return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
+    }
+
+   for( j = 3, n = x = 0, p = dst; i > 0; i--, src++ )
+   {
+        if( *src == '\r' || *src == '\n' || *src == ' ' )
+            continue;
+
+        dec_map_lookup = mbedtls_base64_table_lookup( base64_dec_map, sizeof( base64_dec_map ), *src );
+
+        mbedtls_base64_cond_assign_uint32( &j, j - 1, mbedtls_base64_eq( dec_map_lookup, 64 ) );
+        x  = ( x << 6 ) | ( dec_map_lookup & 0x3F );
+
+        if( ++n == 4 )
+        {
+            n = 0;
+            if( j > 0 ) *p++ = (unsigned char)( x >> 16 );
+            if( j > 1 ) *p++ = (unsigned char)( x >>  8 );
+            if( j > 2 ) *p++ = (unsigned char)( x       );
+        }
+    }
+
+    *olen = p - dst;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char base64_test_dec[64] =
+{
+    0x24, 0x48, 0x6E, 0x56, 0x87, 0x62, 0x5A, 0xBD,
+    0xBF, 0x17, 0xD9, 0xA2, 0xC4, 0x17, 0x1A, 0x01,
+    0x94, 0xED, 0x8F, 0x1E, 0x11, 0xB3, 0xD7, 0x09,
+    0x0C, 0xB6, 0xE9, 0x10, 0x6F, 0x22, 0xEE, 0x13,
+    0xCA, 0xB3, 0x07, 0x05, 0x76, 0xC9, 0xFA, 0x31,
+    0x6C, 0x08, 0x34, 0xFF, 0x8D, 0xC2, 0x6C, 0x38,
+    0x00, 0x43, 0xE9, 0x54, 0x97, 0xAF, 0x50, 0x4B,
+    0xD1, 0x41, 0xBA, 0x95, 0x31, 0x5A, 0x0B, 0x97
+};
+
+static const unsigned char base64_test_enc[] =
+    "JEhuVodiWr2/F9mixBcaAZTtjx4Rs9cJDLbpEG8i7hPK"
+    "swcFdsn6MWwINP+Nwmw4AEPpVJevUEvRQbqVMVoLlw==";
+
+/*
+ * Checkup routine
+ */
+int mbedtls_base64_self_test( int verbose )
+{
+    size_t len;
+    const unsigned char *src;
+    unsigned char buffer[128];
+
+    if( verbose != 0 )
+        mbedtls_printf( "  Base64 encoding test: " );
+
+    src = base64_test_dec;
+
+    if( mbedtls_base64_encode( buffer, sizeof( buffer ), &len, src, 64 ) != 0 ||
+         memcmp( base64_test_enc, buffer, 88 ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        return( 1 );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  Base64 decoding test: " );
+
+    src = base64_test_enc;
+
+    if( mbedtls_base64_decode( buffer, sizeof( buffer ), &len, src, 88 ) != 0 ||
+         memcmp( base64_test_dec, buffer, 64 ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        return( 1 );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_BASE64_C */
diff --git a/third-party/mbedtls-3.6/library/bignum.c b/third-party/mbedtls-3.6/library/bignum.c
new file mode 100644
index 00000000..bc3491cd
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/bignum.c
@@ -0,0 +1,2708 @@
+/*
+ *  Multi-precision integer library
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ *  The following sources were referenced in the design of this Multi-precision
+ *  Integer library:
+ *
+ *  [1] Handbook of Applied Cryptography - 1997
+ *      Menezes, van Oorschot and Vanstone
+ *
+ *  [2] Multi-Precision Math
+ *      Tom St Denis
+ *      https://github.com/libtom/libtommath/blob/develop/tommath.pdf
+ *
+ *  [3] GNU Multi-Precision Arithmetic Library
+ *      https://gmplib.org/manual/index.html
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+#include "mbedtls/bignum.h"
+#include "mbedtls/bn_mul.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_printf     printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n ) {
+    volatile mbedtls_mpi_uint *p = v; while( n-- ) *p++ = 0;
+}
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+#define ciL    (sizeof(mbedtls_mpi_uint))         /* chars in limb  */
+#define biL    (ciL << 3)               /* bits  in limb  */
+#define biH    (ciL << 2)               /* half limb size */
+
+#define MPI_SIZE_T_MAX  ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
+
+/*
+ * Convert between bits/chars and number of limbs
+ * Divide first in order to avoid potential overflows
+ */
+#define BITS_TO_LIMBS(i)  ( (i) / biL + ( (i) % biL != 0 ) )
+#define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) )
+
+/*
+ * Initialize one MPI
+ */
+void mbedtls_mpi_init( mbedtls_mpi *X )
+{
+    if( X == NULL )
+        return;
+
+    X->s = 1;
+    X->n = 0;
+    X->p = NULL;
+}
+
+/*
+ * Unallocate one MPI
+ */
+void mbedtls_mpi_free( mbedtls_mpi *X )
+{
+    if( X == NULL )
+        return;
+
+    if( X->p != NULL )
+    {
+        mbedtls_mpi_zeroize( X->p, X->n );
+        mbedtls_free( X->p );
+    }
+
+    X->s = 1;
+    X->n = 0;
+    X->p = NULL;
+}
+
+/*
+ * Enlarge to the specified number of limbs
+ */
+int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs )
+{
+    mbedtls_mpi_uint *p;
+
+    if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    if( X->n < nblimbs )
+    {
+        if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( nblimbs, ciL ) ) == NULL )
+            return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+        if( X->p != NULL )
+        {
+            memcpy( p, X->p, X->n * ciL );
+            mbedtls_mpi_zeroize( X->p, X->n );
+            mbedtls_free( X->p );
+        }
+
+        X->n = nblimbs;
+        X->p = p;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Resize down as much as possible,
+ * while keeping at least the specified number of limbs
+ */
+int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs )
+{
+    mbedtls_mpi_uint *p;
+    size_t i;
+
+    /* Actually resize up if there are currently fewer than nblimbs limbs. */
+    if( X->n <= nblimbs )
+        return( mbedtls_mpi_grow( X, nblimbs ) );
+    /* After this point, then X->n > nblimbs and in particular X->n > 0. */
+
+    for( i = X->n - 1; i > 0; i-- )
+        if( X->p[i] != 0 )
+            break;
+    i++;
+
+    if( i < nblimbs )
+        i = nblimbs;
+
+    if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( i, ciL ) ) == NULL )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    if( X->p != NULL )
+    {
+        memcpy( p, X->p, i * ciL );
+        mbedtls_mpi_zeroize( X->p, X->n );
+        mbedtls_free( X->p );
+    }
+
+    X->n = i;
+    X->p = p;
+
+    return( 0 );
+}
+
+/*
+ * Copy the contents of Y into X
+ */
+int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y )
+{
+    int ret;
+    size_t i;
+
+    if( X == Y )
+        return( 0 );
+
+    if( Y->n == 0 )
+    {
+        mbedtls_mpi_free( X );
+        return( 0 );
+    }
+
+    for( i = Y->n - 1; i > 0; i-- )
+        if( Y->p[i] != 0 )
+            break;
+    i++;
+
+    X->s = Y->s;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i ) );
+
+    memset( X->p, 0, X->n * ciL );
+    memcpy( X->p, Y->p, i * ciL );
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Swap the contents of X and Y
+ */
+void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
+{
+    mbedtls_mpi T;
+
+    memcpy( &T,  X, sizeof( mbedtls_mpi ) );
+    memcpy(  X,  Y, sizeof( mbedtls_mpi ) );
+    memcpy(  Y, &T, sizeof( mbedtls_mpi ) );
+}
+
+/*
+ * Conditionally assign dest = src, without leaking information
+ * about whether the assignment was made or not.
+ * dest and src must be arrays of limbs of size n.
+ * assign must be 0 or 1.
+ */
+static void mpi_safe_cond_assign( size_t n,
+                                  mbedtls_mpi_uint *dest,
+                                  const mbedtls_mpi_uint *src,
+                                  unsigned char assign )
+{
+    size_t i;
+    for( i = 0; i < n; i++ )
+        dest[i] = dest[i] * ( 1 - assign ) + src[i] * assign;
+}
+
+/*
+ * Conditionally assign X = Y, without leaking information
+ * about whether the assignment was made or not.
+ * (Leaking information about the respective sizes of X and Y is ok however.)
+ */
+int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign )
+{
+    int ret = 0;
+    size_t i;
+
+    /* make sure assign is 0 or 1 in a time-constant manner */
+    assign = (assign | (unsigned char)-assign) >> 7;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
+
+    X->s = X->s * ( 1 - assign ) + Y->s * assign;
+
+    mpi_safe_cond_assign( Y->n, X->p, Y->p, assign );
+
+    for( i = Y->n; i < X->n; i++ )
+        X->p[i] *= ( 1 - assign );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Conditionally swap X and Y, without leaking information
+ * about whether the swap was made or not.
+ * Here it is not ok to simply swap the pointers, which whould lead to
+ * different memory access patterns when X and Y are used afterwards.
+ */
+int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap )
+{
+    int ret, s;
+    size_t i;
+    mbedtls_mpi_uint tmp;
+
+    if( X == Y )
+        return( 0 );
+
+    /* make sure swap is 0 or 1 in a time-constant manner */
+    swap = (swap | (unsigned char)-swap) >> 7;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
+
+    s = X->s;
+    X->s = X->s * ( 1 - swap ) + Y->s * swap;
+    Y->s = Y->s * ( 1 - swap ) +    s * swap;
+
+
+    for( i = 0; i < X->n; i++ )
+    {
+        tmp = X->p[i];
+        X->p[i] = X->p[i] * ( 1 - swap ) + Y->p[i] * swap;
+        Y->p[i] = Y->p[i] * ( 1 - swap ) +     tmp * swap;
+    }
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Set value from integer
+ */
+int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z )
+{
+    int ret;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) );
+    memset( X->p, 0, X->n * ciL );
+
+    X->p[0] = ( z < 0 ) ? -z : z;
+    X->s    = ( z < 0 ) ? -1 : 1;
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Get a specific bit
+ */
+int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos )
+{
+    if( X->n * biL <= pos )
+        return( 0 );
+
+    return( ( X->p[pos / biL] >> ( pos % biL ) ) & 0x01 );
+}
+
+/* Get a specific byte, without range checks. */
+#define GET_BYTE( X, i )                                \
+    ( ( ( X )->p[( i ) / ciL] >> ( ( ( i ) % ciL ) * 8 ) ) & 0xff )
+
+/*
+ * Set a bit to a specific value of 0 or 1
+ */
+int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val )
+{
+    int ret = 0;
+    size_t off = pos / biL;
+    size_t idx = pos % biL;
+
+    if( val != 0 && val != 1 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( X->n * biL <= pos )
+    {
+        if( val == 0 )
+            return( 0 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, off + 1 ) );
+    }
+
+    X->p[off] &= ~( (mbedtls_mpi_uint) 0x01 << idx );
+    X->p[off] |= (mbedtls_mpi_uint) val << idx;
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Return the number of less significant zero-bits
+ */
+size_t mbedtls_mpi_lsb( const mbedtls_mpi *X )
+{
+    size_t i, j, count = 0;
+
+    for( i = 0; i < X->n; i++ )
+        for( j = 0; j < biL; j++, count++ )
+            if( ( ( X->p[i] >> j ) & 1 ) != 0 )
+                return( count );
+
+    return( 0 );
+}
+
+/*
+ * Count leading zero bits in a given integer
+ */
+static size_t mbedtls_clz( const mbedtls_mpi_uint x )
+{
+    size_t j;
+    mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
+
+    for( j = 0; j < biL; j++ )
+    {
+        if( x & mask ) break;
+
+        mask >>= 1;
+    }
+
+    return j;
+}
+
+/*
+ * Return the number of bits
+ */
+size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X )
+{
+    size_t i, j;
+
+    if( X->n == 0 )
+        return( 0 );
+
+    for( i = X->n - 1; i > 0; i-- )
+        if( X->p[i] != 0 )
+            break;
+
+    j = biL - mbedtls_clz( X->p[i] );
+
+    return( ( i * biL ) + j );
+}
+
+/*
+ * Return the total size in bytes
+ */
+size_t mbedtls_mpi_size( const mbedtls_mpi *X )
+{
+    return( ( mbedtls_mpi_bitlen( X ) + 7 ) >> 3 );
+}
+
+/*
+ * Convert an ASCII character to digit value
+ */
+static int mpi_get_digit( mbedtls_mpi_uint *d, int radix, char c )
+{
+    *d = 255;
+
+    if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
+    if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
+    if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
+
+    if( *d >= (mbedtls_mpi_uint) radix )
+        return( MBEDTLS_ERR_MPI_INVALID_CHARACTER );
+
+    return( 0 );
+}
+
+/*
+ * Import from an ASCII string
+ */
+int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s )
+{
+    int ret;
+    size_t i, j, slen, n;
+    mbedtls_mpi_uint d;
+    mbedtls_mpi T;
+
+    if( radix < 2 || radix > 16 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &T );
+
+    slen = strlen( s );
+
+    if( radix == 16 )
+    {
+        if( slen > MPI_SIZE_T_MAX >> 2 )
+            return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+        n = BITS_TO_LIMBS( slen << 2 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, n ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+        for( i = slen, j = 0; i > 0; i--, j++ )
+        {
+            if( i == 1 && s[i - 1] == '-' )
+            {
+                X->s = -1;
+                break;
+            }
+
+            MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i - 1] ) );
+            X->p[j / ( 2 * ciL )] |= d << ( ( j % ( 2 * ciL ) ) << 2 );
+        }
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+        for( i = 0; i < slen; i++ )
+        {
+            if( i == 0 && s[i] == '-' )
+            {
+                X->s = -1;
+                continue;
+            }
+
+            MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T, X, radix ) );
+
+            if( X->s == 1 )
+            {
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, &T, d ) );
+            }
+            else
+            {
+                MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( X, &T, d ) );
+            }
+        }
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &T );
+
+    return( ret );
+}
+
+/*
+ * Helper to write the digits high-order first.
+ */
+static int mpi_write_hlp( mbedtls_mpi *X, int radix,
+                          char **p, const size_t buflen )
+{
+    int ret;
+    mbedtls_mpi_uint r;
+    size_t length = 0;
+    char *p_end = *p + buflen;
+
+    do
+    {
+        if( length >= buflen )
+        {
+            return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
+        /*
+         * Write the residue in the current position, as an ASCII character.
+         */
+        if( r < 0xA )
+            *(--p_end) = (char)( '0' + r );
+        else
+            *(--p_end) = (char)( 'A' + ( r - 0xA ) );
+
+        length++;
+    } while( mbedtls_mpi_cmp_int( X, 0 ) != 0 );
+
+    memmove( *p, p_end, length );
+    *p += length;
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Export into an ASCII string
+ */
+int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
+                              char *buf, size_t buflen, size_t *olen )
+{
+    int ret = 0;
+    size_t n;
+    char *p;
+    mbedtls_mpi T;
+
+    if( radix < 2 || radix > 16 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    n = mbedtls_mpi_bitlen( X ); /* Number of bits necessary to present `n`. */
+    if( radix >=  4 ) n >>= 1;   /* Number of 4-adic digits necessary to present
+                                  * `n`. If radix > 4, this might be a strict
+                                  * overapproximation of the number of
+                                  * radix-adic digits needed to present `n`. */
+    if( radix >= 16 ) n >>= 1;   /* Number of hexadecimal digits necessary to
+                                  * present `n`. */
+
+    n += 1; /* Terminating null byte */
+    n += 1; /* Compensate for the divisions above, which round down `n`
+             * in case it's not even. */
+    n += 1; /* Potential '-'-sign. */
+    n += ( n & 1 ); /* Make n even to have enough space for hexadecimal writing,
+                     * which always uses an even number of hex-digits. */
+
+    if( buflen < n )
+    {
+        *olen = n;
+        return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+    }
+
+    p = buf;
+    mbedtls_mpi_init( &T );
+
+    if( X->s == -1 )
+    {
+        *p++ = '-';
+        buflen--;
+    }
+
+    if( radix == 16 )
+    {
+        int c;
+        size_t i, j, k;
+
+        for( i = X->n, k = 0; i > 0; i-- )
+        {
+            for( j = ciL; j > 0; j-- )
+            {
+                c = ( X->p[i - 1] >> ( ( j - 1 ) << 3) ) & 0xFF;
+
+                if( c == 0 && k == 0 && ( i + j ) != 2 )
+                    continue;
+
+                *(p++) = "0123456789ABCDEF" [c / 16];
+                *(p++) = "0123456789ABCDEF" [c % 16];
+                k = 1;
+            }
+        }
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T, X ) );
+
+        if( T.s == -1 )
+            T.s = 1;
+
+        MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p, buflen ) );
+    }
+
+    *p++ = '\0';
+    *olen = p - buf;
+
+cleanup:
+
+    mbedtls_mpi_free( &T );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Read X from an opened file
+ */
+int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin )
+{
+    mbedtls_mpi_uint d;
+    size_t slen;
+    char *p;
+    /*
+     * Buffer should have space for (short) label and decimal formatted MPI,
+     * newline characters and '\0'
+     */
+    char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
+
+    memset( s, 0, sizeof( s ) );
+    if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
+        return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
+
+    slen = strlen( s );
+    if( slen == sizeof( s ) - 2 )
+        return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+
+    if( slen > 0 && s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
+    if( slen > 0 && s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
+
+    p = s + slen;
+    while( p-- > s )
+        if( mpi_get_digit( &d, radix, *p ) != 0 )
+            break;
+
+    return( mbedtls_mpi_read_string( X, radix, p + 1 ) );
+}
+
+/*
+ * Write X into an opened file (or stdout if fout == NULL)
+ */
+int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE *fout )
+{
+    int ret;
+    size_t n, slen, plen;
+    /*
+     * Buffer should have space for (short) label and decimal formatted MPI,
+     * newline characters and '\0'
+     */
+    char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
+
+    memset( s, 0, sizeof( s ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_string( X, radix, s, sizeof( s ) - 2, &n ) );
+
+    if( p == NULL ) p = "";
+
+    plen = strlen( p );
+    slen = strlen( s );
+    s[slen++] = '\r';
+    s[slen++] = '\n';
+
+    if( fout != NULL )
+    {
+        if( fwrite( p, 1, plen, fout ) != plen ||
+            fwrite( s, 1, slen, fout ) != slen )
+            return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
+    }
+    else
+        mbedtls_printf( "%s%s", p, s );
+
+cleanup:
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+/*
+ * Import X from unsigned binary data, big endian
+ */
+int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen )
+{
+    int ret;
+    size_t i, j;
+    size_t const limbs = CHARS_TO_LIMBS( buflen );
+
+    /* Ensure that target MPI has exactly the necessary number of limbs */
+    if( X->n != limbs )
+    {
+        mbedtls_mpi_free( X );
+        mbedtls_mpi_init( X );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+    for( i = buflen, j = 0; i > 0; i--, j++ )
+        X->p[j / ciL] |= ((mbedtls_mpi_uint) buf[i - 1]) << ((j % ciL) << 3);
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Export X into unsigned binary data, big endian
+ */
+int mbedtls_mpi_write_binary( const mbedtls_mpi *X,
+                              unsigned char *buf, size_t buflen )
+{
+    size_t stored_bytes = X->n * ciL;
+    size_t bytes_to_copy;
+    unsigned char *p;
+    size_t i;
+
+    if( stored_bytes < buflen )
+    {
+        /* There is enough space in the output buffer. Write initial
+         * null bytes and record the position at which to start
+         * writing the significant bytes. In this case, the execution
+         * trace of this function does not depend on the value of the
+         * number. */
+        bytes_to_copy = stored_bytes;
+        p = buf + buflen - stored_bytes;
+        memset( buf, 0, buflen - stored_bytes );
+    }
+    else
+    {
+        /* The output buffer is smaller than the allocated size of X.
+         * However X may fit if its leading bytes are zero. */
+        bytes_to_copy = buflen;
+        p = buf;
+        for( i = bytes_to_copy; i < stored_bytes; i++ )
+        {
+            if( GET_BYTE( X, i ) != 0 )
+                return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+        }
+    }
+
+    for( i = 0; i < bytes_to_copy; i++ )
+        p[bytes_to_copy - i - 1] = GET_BYTE( X, i );
+
+    return( 0 );
+}
+
+/*
+ * Left-shift: X <<= count
+ */
+int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count )
+{
+    int ret;
+    size_t i, v0, t1;
+    mbedtls_mpi_uint r0 = 0, r1;
+
+    v0 = count / (biL    );
+    t1 = count & (biL - 1);
+
+    i = mbedtls_mpi_bitlen( X ) + count;
+
+    if( X->n * biL < i )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, BITS_TO_LIMBS( i ) ) );
+
+    ret = 0;
+
+    /*
+     * shift by count / limb_size
+     */
+    if( v0 > 0 )
+    {
+        for( i = X->n; i > v0; i-- )
+            X->p[i - 1] = X->p[i - v0 - 1];
+
+        for( ; i > 0; i-- )
+            X->p[i - 1] = 0;
+    }
+
+    /*
+     * shift by count % limb_size
+     */
+    if( t1 > 0 )
+    {
+        for( i = v0; i < X->n; i++ )
+        {
+            r1 = X->p[i] >> (biL - t1);
+            X->p[i] <<= t1;
+            X->p[i] |= r0;
+            r0 = r1;
+        }
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Right-shift: X >>= count
+ */
+int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count )
+{
+    size_t i, v0, v1;
+    mbedtls_mpi_uint r0 = 0, r1;
+
+    v0 = count /  biL;
+    v1 = count & (biL - 1);
+
+    if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
+        return mbedtls_mpi_lset( X, 0 );
+
+    /*
+     * shift by count / limb_size
+     */
+    if( v0 > 0 )
+    {
+        for( i = 0; i < X->n - v0; i++ )
+            X->p[i] = X->p[i + v0];
+
+        for( ; i < X->n; i++ )
+            X->p[i] = 0;
+    }
+
+    /*
+     * shift by count % limb_size
+     */
+    if( v1 > 0 )
+    {
+        for( i = X->n; i > 0; i-- )
+        {
+            r1 = X->p[i - 1] << (biL - v1);
+            X->p[i - 1] >>= v1;
+            X->p[i - 1] |= r0;
+            r0 = r1;
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Compare unsigned values
+ */
+int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y )
+{
+    size_t i, j;
+
+    for( i = X->n; i > 0; i-- )
+        if( X->p[i - 1] != 0 )
+            break;
+
+    for( j = Y->n; j > 0; j-- )
+        if( Y->p[j - 1] != 0 )
+            break;
+
+    if( i == 0 && j == 0 )
+        return( 0 );
+
+    if( i > j ) return(  1 );
+    if( j > i ) return( -1 );
+
+    for( ; i > 0; i-- )
+    {
+        if( X->p[i - 1] > Y->p[i - 1] ) return(  1 );
+        if( X->p[i - 1] < Y->p[i - 1] ) return( -1 );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Compare signed values
+ */
+int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y )
+{
+    size_t i, j;
+
+    for( i = X->n; i > 0; i-- )
+        if( X->p[i - 1] != 0 )
+            break;
+
+    for( j = Y->n; j > 0; j-- )
+        if( Y->p[j - 1] != 0 )
+            break;
+
+    if( i == 0 && j == 0 )
+        return( 0 );
+
+    if( i > j ) return(  X->s );
+    if( j > i ) return( -Y->s );
+
+    if( X->s > 0 && Y->s < 0 ) return(  1 );
+    if( Y->s > 0 && X->s < 0 ) return( -1 );
+
+    for( ; i > 0; i-- )
+    {
+        if( X->p[i - 1] > Y->p[i - 1] ) return(  X->s );
+        if( X->p[i - 1] < Y->p[i - 1] ) return( -X->s );
+    }
+
+    return( 0 );
+}
+
+/** Decide if an integer is less than the other, without branches.
+ *
+ * \param x         First integer.
+ * \param y         Second integer.
+ *
+ * \return          1 if \p x is less than \p y, 0 otherwise
+ */
+static unsigned ct_lt_mpi_uint( const mbedtls_mpi_uint x,
+        const mbedtls_mpi_uint y )
+{
+    mbedtls_mpi_uint ret;
+    mbedtls_mpi_uint cond;
+
+    /*
+     * Check if the most significant bits (MSB) of the operands are different.
+     */
+    cond = ( x ^ y );
+    /*
+     * If the MSB are the same then the difference x-y will be negative (and
+     * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
+     */
+    ret = ( x - y ) & ~cond;
+    /*
+     * If the MSB are different, then the operand with the MSB of 1 is the
+     * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
+     * the MSB of y is 0.)
+     */
+    ret |= y & cond;
+
+
+    ret = ret >> ( biL - 1 );
+
+    return (unsigned) ret;
+}
+
+/*
+ * Compare signed values in constant time
+ */
+int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y,
+        unsigned *ret )
+{
+    size_t i;
+    /* The value of any of these variables is either 0 or 1 at all times. */
+    unsigned cond, done, X_is_negative, Y_is_negative;
+
+    if( X->n != Y->n )
+        return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+    /*
+     * Set sign_N to 1 if N >= 0, 0 if N < 0.
+     * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
+     */
+    X_is_negative = ( X->s & 2 ) >> 1;
+    Y_is_negative = ( Y->s & 2 ) >> 1;
+
+    /*
+     * If the signs are different, then the positive operand is the bigger.
+     * That is if X is negative (X_is_negative == 1), then X < Y is true and it
+     * is false if X is positive (X_is_negative == 0).
+     */
+    cond = ( X_is_negative ^ Y_is_negative );
+    *ret = cond & X_is_negative;
+
+    /*
+     * This is a constant-time function. We might have the result, but we still
+     * need to go through the loop. Record if we have the result already.
+     */
+    done = cond;
+
+    for( i = X->n; i > 0; i-- )
+    {
+        /*
+         * If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both
+         * X and Y are negative.
+         *
+         * Again even if we can make a decision, we just mark the result and
+         * the fact that we are done and continue looping.
+         */
+        cond = ct_lt_mpi_uint( Y->p[i - 1], X->p[i - 1] );
+        *ret |= cond & ( 1 - done ) & X_is_negative;
+        done |= cond;
+
+        /*
+         * If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both
+         * X and Y are positive.
+         *
+         * Again even if we can make a decision, we just mark the result and
+         * the fact that we are done and continue looping.
+         */
+        cond = ct_lt_mpi_uint( X->p[i - 1], Y->p[i - 1] );
+        *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative );
+        done |= cond;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Compare signed values
+ */
+int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z )
+{
+    mbedtls_mpi Y;
+    mbedtls_mpi_uint p[1];
+
+    *p  = ( z < 0 ) ? -z : z;
+    Y.s = ( z < 0 ) ? -1 : 1;
+    Y.n = 1;
+    Y.p = p;
+
+    return( mbedtls_mpi_cmp_mpi( X, &Y ) );
+}
+
+/*
+ * Unsigned addition: X = |A| + |B|  (HAC 14.7)
+ */
+int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+    size_t i, j;
+    mbedtls_mpi_uint *o, *p, c, tmp;
+
+    if( X == B )
+    {
+        const mbedtls_mpi *T = A; A = X; B = T;
+    }
+
+    if( X != A )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
+
+    /*
+     * X should always be positive as a result of unsigned additions.
+     */
+    X->s = 1;
+
+    for( j = B->n; j > 0; j-- )
+        if( B->p[j - 1] != 0 )
+            break;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
+
+    o = B->p; p = X->p; c = 0;
+
+    /*
+     * tmp is used because it might happen that p == o
+     */
+    for( i = 0; i < j; i++, o++, p++ )
+    {
+        tmp= *o;
+        *p +=  c; c  = ( *p <  c );
+        *p += tmp; c += ( *p < tmp );
+    }
+
+    while( c != 0 )
+    {
+        if( i >= X->n )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + 1 ) );
+            p = X->p + i;
+        }
+
+        *p += c; c = ( *p < c ); i++; p++;
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/**
+ * Helper for mbedtls_mpi subtraction.
+ *
+ * Calculate d - s where d and s have the same size.
+ * This function operates modulo (2^ciL)^n and returns the carry
+ * (1 if there was a wraparound, i.e. if `d < s`, and 0 otherwise).
+ *
+ * \param n             Number of limbs of \p d and \p s.
+ * \param[in,out] d     On input, the left operand.
+ *                      On output, the result of the subtraction:
+ * \param[in] s         The right operand.
+ *
+ * \return              1 if `d < s`.
+ *                      0 if `d >= s`.
+ */
+static mbedtls_mpi_uint mpi_sub_hlp( size_t n,
+                                     mbedtls_mpi_uint *d,
+                                     const mbedtls_mpi_uint *s )
+{
+    size_t i;
+    mbedtls_mpi_uint c, z;
+
+    for( i = c = 0; i < n; i++, s++, d++ )
+    {
+        z = ( *d <  c );     *d -=  c;
+        c = ( *d < *s ) + z; *d -= *s;
+    }
+
+    return( c );
+}
+
+/*
+ * Unsigned subtraction: X = |A| - |B|  (HAC 14.9, 14.10)
+ */
+int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    mbedtls_mpi TB;
+    int ret;
+    size_t n;
+    mbedtls_mpi_uint carry;
+
+    mbedtls_mpi_init( &TB );
+
+    if( X == B )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
+        B = &TB;
+    }
+
+    if( X != A )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
+
+    /*
+     * X should always be positive as a result of unsigned subtractions.
+     */
+    X->s = 1;
+
+    ret = 0;
+
+    for( n = B->n; n > 0; n-- )
+        if( B->p[n - 1] != 0 )
+            break;
+    if( n > A->n )
+    {
+        /* B >= (2^ciL)^n > A */
+        ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+        goto cleanup;
+    }
+
+    carry = mpi_sub_hlp( n, X->p, B->p );
+    if( carry != 0 )
+    {
+        /* Propagate the carry to the first nonzero limb of X. */
+        for( ; n < X->n && X->p[n] == 0; n++ )
+            --X->p[n];
+        /* If we ran out of space for the carry, it means that the result
+         * is negative. */
+        if( n == X->n )
+        {
+            ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+            goto cleanup;
+        }
+        --X->p[n];
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &TB );
+
+    return( ret );
+}
+
+/*
+ * Signed addition: X = A + B
+ */
+int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret, s = A->s;
+
+    if( A->s * B->s < 0 )
+    {
+        if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
+            X->s =  s;
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
+            X->s = -s;
+        }
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
+        X->s = s;
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Signed subtraction: X = A - B
+ */
+int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret, s = A->s;
+
+    if( A->s * B->s > 0 )
+    {
+        if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
+            X->s =  s;
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
+            X->s = -s;
+        }
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
+        X->s = s;
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Signed addition: X = A + b
+ */
+int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
+{
+    mbedtls_mpi _B;
+    mbedtls_mpi_uint p[1];
+
+    p[0] = ( b < 0 ) ? -b : b;
+    _B.s = ( b < 0 ) ? -1 : 1;
+    _B.n = 1;
+    _B.p = p;
+
+    return( mbedtls_mpi_add_mpi( X, A, &_B ) );
+}
+
+/*
+ * Signed subtraction: X = A - b
+ */
+int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
+{
+    mbedtls_mpi _B;
+    mbedtls_mpi_uint p[1];
+
+    p[0] = ( b < 0 ) ? -b : b;
+    _B.s = ( b < 0 ) ? -1 : 1;
+    _B.n = 1;
+    _B.p = p;
+
+    return( mbedtls_mpi_sub_mpi( X, A, &_B ) );
+}
+
+/*
+ * Helper for mbedtls_mpi multiplication
+ */
+static
+#if defined(__APPLE__) && defined(__arm__)
+/*
+ * Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)
+ * appears to need this to prevent bad ARM code generation at -O3.
+ */
+__attribute__ ((noinline))
+#endif
+void mpi_mul_hlp( size_t i, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d, mbedtls_mpi_uint b )
+{
+    mbedtls_mpi_uint c = 0, t = 0;
+
+#if defined(MULADDC_HUIT)
+    for( ; i >= 8; i -= 8 )
+    {
+        MULADDC_INIT
+        MULADDC_HUIT
+        MULADDC_STOP
+    }
+
+    for( ; i > 0; i-- )
+    {
+        MULADDC_INIT
+        MULADDC_CORE
+        MULADDC_STOP
+    }
+#else /* MULADDC_HUIT */
+    for( ; i >= 16; i -= 16 )
+    {
+        MULADDC_INIT
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_STOP
+    }
+
+    for( ; i >= 8; i -= 8 )
+    {
+        MULADDC_INIT
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_STOP
+    }
+
+    for( ; i > 0; i-- )
+    {
+        MULADDC_INIT
+        MULADDC_CORE
+        MULADDC_STOP
+    }
+#endif /* MULADDC_HUIT */
+
+    t++;
+
+    do {
+        *d += c; c = ( *d < c ); d++;
+    }
+    while( c != 0 );
+}
+
+/*
+ * Baseline multiplication: X = A * B  (HAC 14.12)
+ */
+int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+    size_t i, j;
+    mbedtls_mpi TA, TB;
+
+    mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
+
+    if( X == A ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) ); A = &TA; }
+    if( X == B ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) ); B = &TB; }
+
+    for( i = A->n; i > 0; i-- )
+        if( A->p[i - 1] != 0 )
+            break;
+
+    for( j = B->n; j > 0; j-- )
+        if( B->p[j - 1] != 0 )
+            break;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + j ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+    for( i++; j > 0; j-- )
+        mpi_mul_hlp( i - 1, A->p, X->p + j - 1, B->p[j - 1] );
+
+    X->s = A->s * B->s;
+
+cleanup:
+
+    mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TA );
+
+    return( ret );
+}
+
+/*
+ * Baseline multiplication: X = A * b
+ */
+int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b )
+{
+    mbedtls_mpi _B;
+    mbedtls_mpi_uint p[1];
+
+    _B.s = 1;
+    _B.n = 1;
+    _B.p = p;
+    p[0] = b;
+
+    return( mbedtls_mpi_mul_mpi( X, A, &_B ) );
+}
+
+/*
+ * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
+ * mbedtls_mpi_uint divisor, d
+ */
+static mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1,
+            mbedtls_mpi_uint u0, mbedtls_mpi_uint d, mbedtls_mpi_uint *r )
+{
+#if defined(MBEDTLS_HAVE_UDBL)
+    mbedtls_t_udbl dividend, quotient;
+#else
+    const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
+    const mbedtls_mpi_uint uint_halfword_mask = ( (mbedtls_mpi_uint) 1 << biH ) - 1;
+    mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
+    mbedtls_mpi_uint u0_msw, u0_lsw;
+    size_t s;
+#endif
+
+    /*
+     * Check for overflow
+     */
+    if( 0 == d || u1 >= d )
+    {
+        if (r != NULL) *r = ~0;
+
+        return ( ~0 );
+    }
+
+#if defined(MBEDTLS_HAVE_UDBL)
+    dividend  = (mbedtls_t_udbl) u1 << biL;
+    dividend |= (mbedtls_t_udbl) u0;
+    quotient = dividend / d;
+    if( quotient > ( (mbedtls_t_udbl) 1 << biL ) - 1 )
+        quotient = ( (mbedtls_t_udbl) 1 << biL ) - 1;
+
+    if( r != NULL )
+        *r = (mbedtls_mpi_uint)( dividend - (quotient * d ) );
+
+    return (mbedtls_mpi_uint) quotient;
+#else
+
+    /*
+     * Algorithm D, Section 4.3.1 - The Art of Computer Programming
+     *   Vol. 2 - Seminumerical Algorithms, Knuth
+     */
+
+    /*
+     * Normalize the divisor, d, and dividend, u0, u1
+     */
+    s = mbedtls_clz( d );
+    d = d << s;
+
+    u1 = u1 << s;
+    u1 |= ( u0 >> ( biL - s ) ) & ( -(mbedtls_mpi_sint)s >> ( biL - 1 ) );
+    u0 =  u0 << s;
+
+    d1 = d >> biH;
+    d0 = d & uint_halfword_mask;
+
+    u0_msw = u0 >> biH;
+    u0_lsw = u0 & uint_halfword_mask;
+
+    /*
+     * Find the first quotient and remainder
+     */
+    q1 = u1 / d1;
+    r0 = u1 - d1 * q1;
+
+    while( q1 >= radix || ( q1 * d0 > radix * r0 + u0_msw ) )
+    {
+        q1 -= 1;
+        r0 += d1;
+
+        if ( r0 >= radix ) break;
+    }
+
+    rAX = ( u1 * radix ) + ( u0_msw - q1 * d );
+    q0 = rAX / d1;
+    r0 = rAX - q0 * d1;
+
+    while( q0 >= radix || ( q0 * d0 > radix * r0 + u0_lsw ) )
+    {
+        q0 -= 1;
+        r0 += d1;
+
+        if ( r0 >= radix ) break;
+    }
+
+    if (r != NULL)
+        *r = ( rAX * radix + u0_lsw - q0 * d ) >> s;
+
+    quotient = q1 * radix + q0;
+
+    return quotient;
+#endif
+}
+
+/*
+ * Division by mbedtls_mpi: A = Q * B + R  (HAC 14.20)
+ */
+int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+    size_t i, n, t, k;
+    mbedtls_mpi X, Y, Z, T1, T2;
+
+    if( mbedtls_mpi_cmp_int( B, 0 ) == 0 )
+        return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
+
+    mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
+    mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
+
+    if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
+    {
+        if( Q != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_lset( Q, 0 ) );
+        if( R != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, A ) );
+        return( 0 );
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &X, A ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, B ) );
+    X.s = Y.s = 1;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &Z, A->n + 2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Z,  0 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T1, 2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T2, 3 ) );
+
+    k = mbedtls_mpi_bitlen( &Y ) % biL;
+    if( k < biL - 1 )
+    {
+        k = biL - 1 - k;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &X, k ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, k ) );
+    }
+    else k = 0;
+
+    n = X.n - 1;
+    t = Y.n - 1;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, biL * ( n - t ) ) );
+
+    while( mbedtls_mpi_cmp_mpi( &X, &Y ) >= 0 )
+    {
+        Z.p[n - t]++;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &Y ) );
+    }
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, biL * ( n - t ) ) );
+
+    for( i = n; i > t ; i-- )
+    {
+        if( X.p[i] >= Y.p[t] )
+            Z.p[i - t - 1] = ~0;
+        else
+        {
+            Z.p[i - t - 1] = mbedtls_int_div_int( X.p[i], X.p[i - 1],
+                                                            Y.p[t], NULL);
+        }
+
+        Z.p[i - t - 1]++;
+        do
+        {
+            Z.p[i - t - 1]--;
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &T1, 0 ) );
+            T1.p[0] = ( t < 1 ) ? 0 : Y.p[t - 1];
+            T1.p[1] = Y.p[t];
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &T2, 0 ) );
+            T2.p[0] = ( i < 2 ) ? 0 : X.p[i - 2];
+            T2.p[1] = ( i < 1 ) ? 0 : X.p[i - 1];
+            T2.p[2] = X.p[i];
+        }
+        while( mbedtls_mpi_cmp_mpi( &T1, &T2 ) > 0 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1,  biL * ( i - t - 1 ) ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &T1 ) );
+
+        if( mbedtls_mpi_cmp_int( &X, 0 ) < 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T1, &Y ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1, biL * ( i - t - 1 ) ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &X, &X, &T1 ) );
+            Z.p[i - t - 1]--;
+        }
+    }
+
+    if( Q != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( Q, &Z ) );
+        Q->s = A->s * B->s;
+    }
+
+    if( R != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &X, k ) );
+        X.s = A->s;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, &X ) );
+
+        if( mbedtls_mpi_cmp_int( R, 0 ) == 0 )
+            R->s = 1;
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
+    mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
+
+    return( ret );
+}
+
+/*
+ * Division by int: A = Q * b + R
+ */
+int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, mbedtls_mpi_sint b )
+{
+    mbedtls_mpi _B;
+    mbedtls_mpi_uint p[1];
+
+    p[0] = ( b < 0 ) ? -b : b;
+    _B.s = ( b < 0 ) ? -1 : 1;
+    _B.n = 1;
+    _B.p = p;
+
+    return( mbedtls_mpi_div_mpi( Q, R, A, &_B ) );
+}
+
+/*
+ * Modulo: R = A mod B
+ */
+int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+
+    if( mbedtls_mpi_cmp_int( B, 0 ) < 0 )
+        return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( NULL, R, A, B ) );
+
+    while( mbedtls_mpi_cmp_int( R, 0 ) < 0 )
+      MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( R, R, B ) );
+
+    while( mbedtls_mpi_cmp_mpi( R, B ) >= 0 )
+      MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( R, R, B ) );
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Modulo: r = A mod b
+ */
+int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b )
+{
+    size_t i;
+    mbedtls_mpi_uint x, y, z;
+
+    if( b == 0 )
+        return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
+
+    if( b < 0 )
+        return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
+
+    /*
+     * handle trivial cases
+     */
+    if( b == 1 )
+    {
+        *r = 0;
+        return( 0 );
+    }
+
+    if( b == 2 )
+    {
+        *r = A->p[0] & 1;
+        return( 0 );
+    }
+
+    /*
+     * general case
+     */
+    for( i = A->n, y = 0; i > 0; i-- )
+    {
+        x  = A->p[i - 1];
+        y  = ( y << biH ) | ( x >> biH );
+        z  = y / b;
+        y -= z * b;
+
+        x <<= biH;
+        y  = ( y << biH ) | ( x >> biH );
+        z  = y / b;
+        y -= z * b;
+    }
+
+    /*
+     * If A is negative, then the current y represents a negative value.
+     * Flipping it to the positive side.
+     */
+    if( A->s < 0 && y != 0 )
+        y = b - y;
+
+    *r = y;
+
+    return( 0 );
+}
+
+/*
+ * Fast Montgomery initialization (thanks to Tom St Denis)
+ */
+static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
+{
+    mbedtls_mpi_uint x, m0 = N->p[0];
+    unsigned int i;
+
+    x  = m0;
+    x += ( ( m0 + 2 ) & 4 ) << 1;
+
+    for( i = biL; i >= 8; i /= 2 )
+        x *= ( 2 - ( m0 * x ) );
+
+    *mm = ~x + 1;
+}
+
+/** Montgomery multiplication: A = A * B * R^-1 mod N  (HAC 14.36)
+ *
+ * \param[in,out]   A   One of the numbers to multiply.
+ *                      It must have at least as many limbs as N
+ *                      (A->n >= N->n), and any limbs beyond n are ignored.
+ *                      On successful completion, A contains the result of
+ *                      the multiplication A * B * R^-1 mod N where
+ *                      R = (2^ciL)^n.
+ * \param[in]       B   One of the numbers to multiply.
+ *                      It must be nonzero and must not have more limbs than N
+ *                      (B->n <= N->n).
+ * \param[in]       N   The modulo. N must be odd.
+ * \param           mm  The value calculated by `mpi_montg_init(&mm, N)`.
+ *                      This is -N^-1 mod 2^ciL.
+ * \param[in,out]   T   A bignum for temporary storage.
+ *                      It must be at least twice the limb size of N plus 2
+ *                      (T->n >= 2 * (N->n + 1)).
+ *                      Its initial content is unused and
+ *                      its final content is indeterminate.
+ *                      Note that unlike the usual convention in the library
+ *                      for `const mbedtls_mpi*`, the content of T can change.
+ */
+static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
+                         const mbedtls_mpi *T )
+{
+    size_t i, n, m;
+    mbedtls_mpi_uint u0, u1, *d;
+
+    memset( T->p, 0, T->n * ciL );
+
+    d = T->p;
+    n = N->n;
+    m = ( B->n < n ) ? B->n : n;
+
+    for( i = 0; i < n; i++ )
+    {
+        /*
+         * T = (T + u0*B + u1*N) / 2^biL
+         */
+        u0 = A->p[i];
+        u1 = ( d[0] + u0 * B->p[0] ) * mm;
+
+        mpi_mul_hlp( m, B->p, d, u0 );
+        mpi_mul_hlp( n, N->p, d, u1 );
+
+        *d++ = u0; d[n + 1] = 0;
+    }
+
+    /* At this point, d is either the desired result or the desired result
+     * plus N. We now potentially subtract N, avoiding leaking whether the
+     * subtraction is performed through side channels. */
+
+    /* Copy the n least significant limbs of d to A, so that
+     * A = d if d < N (recall that N has n limbs). */
+    memcpy( A->p, d, n * ciL );
+    /* If d >= N then we want to set A to d - N. To prevent timing attacks,
+     * do the calculation without using conditional tests. */
+    /* Set d to d0 + (2^biL)^n - N where d0 is the current value of d. */
+    d[n] += 1;
+    d[n] -= mpi_sub_hlp( n, d, N->p );
+    /* If d0 < N then d < (2^biL)^n
+     * so d[n] == 0 and we want to keep A as it is.
+     * If d0 >= N then d >= (2^biL)^n, and d <= (2^biL)^n + N < 2 * (2^biL)^n
+     * so d[n] == 1 and we want to set A to the result of the subtraction
+     * which is d - (2^biL)^n, i.e. the n least significant limbs of d.
+     * This exactly corresponds to a conditional assignment. */
+    mpi_safe_cond_assign( n, A->p, d, (unsigned char) d[n] );
+}
+
+/*
+ * Montgomery reduction: A = A * R^-1 mod N
+ *
+ * See mpi_montmul() regarding constraints and guarantees on the parameters.
+ */
+static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N, mbedtls_mpi_uint mm, const mbedtls_mpi *T )
+{
+    mbedtls_mpi_uint z = 1;
+    mbedtls_mpi U;
+
+    U.n = U.s = (int) z;
+    U.p = &z;
+
+    mpi_montmul( A, &U, N, mm, T );
+}
+
+/*
+ * Sliding-window exponentiation: X = A^E mod N  (HAC 14.85)
+ */
+int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *_RR )
+{
+    int ret;
+    size_t wbits, wsize, one = 1;
+    size_t i, j, nblimbs;
+    size_t bufsize, nbits;
+    mbedtls_mpi_uint ei, mm, state;
+    mbedtls_mpi RR, T, W[ 1 << MBEDTLS_MPI_WINDOW_SIZE ], Apos;
+    int neg;
+
+    if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 || ( N->p[0] & 1 ) == 0 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_cmp_int( E, 0 ) < 0 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_bitlen( E ) > MBEDTLS_MPI_MAX_BITS ||
+        mbedtls_mpi_bitlen( N ) > MBEDTLS_MPI_MAX_BITS )
+        return ( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    /*
+     * Init temps and window size
+     */
+    mpi_montg_init( &mm, N );
+    mbedtls_mpi_init( &RR ); mbedtls_mpi_init( &T );
+    mbedtls_mpi_init( &Apos );
+    memset( W, 0, sizeof( W ) );
+
+    i = mbedtls_mpi_bitlen( E );
+
+    wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
+            ( i >  79 ) ? 4 : ( i >  23 ) ? 3 : 1;
+
+#if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
+    if( wsize > MBEDTLS_MPI_WINDOW_SIZE )
+        wsize = MBEDTLS_MPI_WINDOW_SIZE;
+#endif
+
+    j = N->n + 1;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1],  j ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) );
+
+    /*
+     * Compensate for negative A (and correct at the end)
+     */
+    neg = ( A->s == -1 );
+    if( neg )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Apos, A ) );
+        Apos.s = 1;
+        A = &Apos;
+    }
+
+    /*
+     * If 1st call, pre-compute R^2 mod N
+     */
+    if( _RR == NULL || _RR->p == NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &RR, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &RR, N->n * 2 * biL ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &RR, &RR, N ) );
+
+        if( _RR != NULL )
+            memcpy( _RR, &RR, sizeof( mbedtls_mpi ) );
+    }
+    else
+        memcpy( &RR, _RR, sizeof( mbedtls_mpi ) );
+
+    /*
+     * W[1] = A * R^2 * R^-1 mod N = A * R mod N
+     */
+    if( mbedtls_mpi_cmp_mpi( A, N ) >= 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &W[1], A, N ) );
+    else
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[1], A ) );
+
+    mpi_montmul( &W[1], &RR, N, mm, &T );
+
+    /*
+     * X = R^2 * R^-1 mod N = R mod N
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) );
+    mpi_montred( X, N, mm, &T );
+
+    if( wsize > 1 )
+    {
+        /*
+         * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
+         */
+        j =  one << ( wsize - 1 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[j], N->n + 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1]    ) );
+
+        for( i = 0; i < wsize - 1; i++ )
+            mpi_montmul( &W[j], &W[j], N, mm, &T );
+
+        /*
+         * W[i] = W[i - 1] * W[1]
+         */
+        for( i = j + 1; i < ( one << wsize ); i++ )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
+
+            mpi_montmul( &W[i], &W[1], N, mm, &T );
+        }
+    }
+
+    nblimbs = E->n;
+    bufsize = 0;
+    nbits   = 0;
+    wbits   = 0;
+    state   = 0;
+
+    while( 1 )
+    {
+        if( bufsize == 0 )
+        {
+            if( nblimbs == 0 )
+                break;
+
+            nblimbs--;
+
+            bufsize = sizeof( mbedtls_mpi_uint ) << 3;
+        }
+
+        bufsize--;
+
+        ei = (E->p[nblimbs] >> bufsize) & 1;
+
+        /*
+         * skip leading 0s
+         */
+        if( ei == 0 && state == 0 )
+            continue;
+
+        if( ei == 0 && state == 1 )
+        {
+            /*
+             * out of window, square X
+             */
+            mpi_montmul( X, X, N, mm, &T );
+            continue;
+        }
+
+        /*
+         * add ei to current window
+         */
+        state = 2;
+
+        nbits++;
+        wbits |= ( ei << ( wsize - nbits ) );
+
+        if( nbits == wsize )
+        {
+            /*
+             * X = X^wsize R^-1 mod N
+             */
+            for( i = 0; i < wsize; i++ )
+                mpi_montmul( X, X, N, mm, &T );
+
+            /*
+             * X = X * W[wbits] R^-1 mod N
+             */
+            mpi_montmul( X, &W[wbits], N, mm, &T );
+
+            state--;
+            nbits = 0;
+            wbits = 0;
+        }
+    }
+
+    /*
+     * process the remaining bits
+     */
+    for( i = 0; i < nbits; i++ )
+    {
+        mpi_montmul( X, X, N, mm, &T );
+
+        wbits <<= 1;
+
+        if( ( wbits & ( one << wsize ) ) != 0 )
+            mpi_montmul( X, &W[1], N, mm, &T );
+    }
+
+    /*
+     * X = A^E * R * R^-1 mod N = A^E mod N
+     */
+    mpi_montred( X, N, mm, &T );
+
+    if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
+    {
+        X->s = -1;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, N, X ) );
+    }
+
+cleanup:
+
+    for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ )
+        mbedtls_mpi_free( &W[i] );
+
+    mbedtls_mpi_free( &W[1] ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos );
+
+    if( _RR == NULL || _RR->p == NULL )
+        mbedtls_mpi_free( &RR );
+
+    return( ret );
+}
+
+/*
+ * Greatest common divisor: G = gcd(A, B)  (HAC 14.54)
+ */
+int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+    size_t lz, lzt;
+    mbedtls_mpi TG, TA, TB;
+
+    mbedtls_mpi_init( &TG ); mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
+
+    lz = mbedtls_mpi_lsb( &TA );
+    lzt = mbedtls_mpi_lsb( &TB );
+
+    if( lzt < lz )
+        lz = lzt;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, lz ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, lz ) );
+
+    TA.s = TB.s = 1;
+
+    while( mbedtls_mpi_cmp_int( &TA, 0 ) != 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, mbedtls_mpi_lsb( &TA ) ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, mbedtls_mpi_lsb( &TB ) ) );
+
+        if( mbedtls_mpi_cmp_mpi( &TA, &TB ) >= 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TA, &TA, &TB ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, 1 ) );
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TB, &TB, &TA ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, 1 ) );
+        }
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &TB, lz ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( G, &TB ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &TG ); mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TB );
+
+    return( ret );
+}
+
+/*
+ * Fill X with size bytes of random.
+ *
+ * Use a temporary bytes representation to make sure the result is the same
+ * regardless of the platform endianness (useful when f_rng is actually
+ * deterministic, eg for tests).
+ */
+int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+
+    if( size > MBEDTLS_MPI_MAX_SIZE )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    MBEDTLS_MPI_CHK( f_rng( p_rng, buf, size ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( X, buf, size ) );
+
+cleanup:
+    mbedtls_zeroize( buf, sizeof( buf ) );
+    return( ret );
+}
+
+/*
+ * Modular inverse: X = A^-1 mod N  (HAC 14.61 / 14.64)
+ */
+int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N )
+{
+    int ret;
+    mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
+
+    if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TU ); mbedtls_mpi_init( &U1 ); mbedtls_mpi_init( &U2 );
+    mbedtls_mpi_init( &G ); mbedtls_mpi_init( &TB ); mbedtls_mpi_init( &TV );
+    mbedtls_mpi_init( &V1 ); mbedtls_mpi_init( &V2 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, A, N ) );
+
+    if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
+    {
+        ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &TA, A, N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TU, &TA ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TV, N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U1, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U2, 0 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V1, 0 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V2, 1 ) );
+
+    do
+    {
+        while( ( TU.p[0] & 1 ) == 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TU, 1 ) );
+
+            if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
+            {
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &U1, &U1, &TB ) );
+                MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &TA ) );
+            }
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U1, 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U2, 1 ) );
+        }
+
+        while( ( TV.p[0] & 1 ) == 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TV, 1 ) );
+
+            if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
+            {
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, &TB ) );
+                MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &TA ) );
+            }
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V1, 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V2, 1 ) );
+        }
+
+        if( mbedtls_mpi_cmp_mpi( &TU, &TV ) >= 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TU, &TU, &TV ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U1, &U1, &V1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &V2 ) );
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TV, &TV, &TU ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, &U1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &U2 ) );
+        }
+    }
+    while( mbedtls_mpi_cmp_int( &TU, 0 ) != 0 );
+
+    while( mbedtls_mpi_cmp_int( &V1, 0 ) < 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, N ) );
+
+    while( mbedtls_mpi_cmp_mpi( &V1, N ) >= 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &V1 ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TU ); mbedtls_mpi_free( &U1 ); mbedtls_mpi_free( &U2 );
+    mbedtls_mpi_free( &G ); mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TV );
+    mbedtls_mpi_free( &V1 ); mbedtls_mpi_free( &V2 );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_GENPRIME)
+
+static const int small_prime[] =
+{
+        3,    5,    7,   11,   13,   17,   19,   23,
+       29,   31,   37,   41,   43,   47,   53,   59,
+       61,   67,   71,   73,   79,   83,   89,   97,
+      101,  103,  107,  109,  113,  127,  131,  137,
+      139,  149,  151,  157,  163,  167,  173,  179,
+      181,  191,  193,  197,  199,  211,  223,  227,
+      229,  233,  239,  241,  251,  257,  263,  269,
+      271,  277,  281,  283,  293,  307,  311,  313,
+      317,  331,  337,  347,  349,  353,  359,  367,
+      373,  379,  383,  389,  397,  401,  409,  419,
+      421,  431,  433,  439,  443,  449,  457,  461,
+      463,  467,  479,  487,  491,  499,  503,  509,
+      521,  523,  541,  547,  557,  563,  569,  571,
+      577,  587,  593,  599,  601,  607,  613,  617,
+      619,  631,  641,  643,  647,  653,  659,  661,
+      673,  677,  683,  691,  701,  709,  719,  727,
+      733,  739,  743,  751,  757,  761,  769,  773,
+      787,  797,  809,  811,  821,  823,  827,  829,
+      839,  853,  857,  859,  863,  877,  881,  883,
+      887,  907,  911,  919,  929,  937,  941,  947,
+      953,  967,  971,  977,  983,  991,  997, -103
+};
+
+/*
+ * Small divisors test (X must be positive)
+ *
+ * Return values:
+ * 0: no small factor (possible prime, more tests needed)
+ * 1: certain prime
+ * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
+ * other negative: error
+ */
+static int mpi_check_small_factors( const mbedtls_mpi *X )
+{
+    int ret = 0;
+    size_t i;
+    mbedtls_mpi_uint r;
+
+    if( ( X->p[0] & 1 ) == 0 )
+        return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+
+    for( i = 0; small_prime[i] > 0; i++ )
+    {
+        if( mbedtls_mpi_cmp_int( X, small_prime[i] ) <= 0 )
+            return( 1 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, small_prime[i] ) );
+
+        if( r == 0 )
+            return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+    }
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Miller-Rabin pseudo-primality test  (HAC 4.24)
+ */
+static int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng )
+{
+    int ret, count;
+    size_t i, j, k, s;
+    mbedtls_mpi W, R, T, A, RR;
+
+    mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
+    mbedtls_mpi_init( &RR );
+
+    /*
+     * W = |X| - 1
+     * R = W >> lsb( W )
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &W, X, 1 ) );
+    s = mbedtls_mpi_lsb( &W );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R, &W ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &R, s ) );
+
+    i = mbedtls_mpi_bitlen( X );
+
+    for( i = 0; i < rounds; i++ )
+    {
+        /*
+         * pick a random A, 1 < A < |X| - 1
+         */
+        count = 0;
+        do {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
+
+            j = mbedtls_mpi_bitlen( &A );
+            k = mbedtls_mpi_bitlen( &W );
+            if (j > k) {
+                A.p[A.n - 1] &= ( (mbedtls_mpi_uint) 1 << ( k - ( A.n - 1 ) * biL - 1 ) ) - 1;
+            }
+
+            if (count++ > 30) {
+                ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+                goto cleanup;
+            }
+
+        } while ( mbedtls_mpi_cmp_mpi( &A, &W ) >= 0 ||
+                  mbedtls_mpi_cmp_int( &A, 1 )  <= 0    );
+
+        /*
+         * A = A^R mod |X|
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &A, &A, &R, X, &RR ) );
+
+        if( mbedtls_mpi_cmp_mpi( &A, &W ) == 0 ||
+            mbedtls_mpi_cmp_int( &A,  1 ) == 0 )
+            continue;
+
+        j = 1;
+        while( j < s && mbedtls_mpi_cmp_mpi( &A, &W ) != 0 )
+        {
+            /*
+             * A = A * A mod |X|
+             */
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &A, &A ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &A, &T, X  ) );
+
+            if( mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
+                break;
+
+            j++;
+        }
+
+        /*
+         * not prime if A != |X| - 1 or A == 1
+         */
+        if( mbedtls_mpi_cmp_mpi( &A, &W ) != 0 ||
+            mbedtls_mpi_cmp_int( &A,  1 ) == 0 )
+        {
+            ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+            break;
+        }
+    }
+
+cleanup:
+    mbedtls_mpi_free( &W ); mbedtls_mpi_free( &R ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &A );
+    mbedtls_mpi_free( &RR );
+
+    return( ret );
+}
+
+/*
+ * Pseudo-primality test: small factors, then Miller-Rabin
+ */
+static int mpi_is_prime_internal( const mbedtls_mpi *X, int rounds,
+                  int (*f_rng)(void *, unsigned char *, size_t),
+                  void *p_rng )
+{
+    int ret;
+    mbedtls_mpi XX;
+
+    XX.s = 1;
+    XX.n = X->n;
+    XX.p = X->p;
+
+    if( mbedtls_mpi_cmp_int( &XX, 0 ) == 0 ||
+        mbedtls_mpi_cmp_int( &XX, 1 ) == 0 )
+        return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+
+    if( mbedtls_mpi_cmp_int( &XX, 2 ) == 0 )
+        return( 0 );
+
+    if( ( ret = mpi_check_small_factors( &XX ) ) != 0 )
+    {
+        if( ret == 1 )
+            return( 0 );
+
+        return( ret );
+    }
+
+    return( mpi_miller_rabin( &XX, rounds, f_rng, p_rng ) );
+}
+
+/*
+ * Pseudo-primality test, error probability 2^-80
+ */
+int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
+                  int (*f_rng)(void *, unsigned char *, size_t),
+                  void *p_rng )
+{
+    return mpi_is_prime_internal( X, 40, f_rng, p_rng );
+}
+
+/*
+ * Prime number generation
+ */
+int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
+                   int (*f_rng)(void *, unsigned char *, size_t),
+                   void *p_rng )
+{
+    int ret;
+    size_t k, n;
+    int rounds;
+    mbedtls_mpi_uint r;
+    mbedtls_mpi Y;
+
+    if( nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &Y );
+
+    n = BITS_TO_LIMBS( nbits );
+
+    /*
+     * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
+     */
+    rounds = ( ( nbits >= 1300 ) ?  2 : ( nbits >=  850 ) ?  3 :
+               ( nbits >=  650 ) ?  4 : ( nbits >=  350 ) ?  8 :
+               ( nbits >=  250 ) ? 12 : ( nbits >=  150 ) ? 18 : 27 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
+
+    k = mbedtls_mpi_bitlen( X );
+    if( k > nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, k - nbits + 1 ) );
+
+    mbedtls_mpi_set_bit( X, nbits-1, 1 );
+
+    X->p[0] |= 1;
+
+    if( dh_flag == 0 )
+    {
+        while( ( ret = mpi_is_prime_internal( X, rounds, f_rng, p_rng ) ) != 0 )
+        {
+            if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+                goto cleanup;
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 2 ) );
+        }
+    }
+    else
+    {
+        /*
+         * An necessary condition for Y and X = 2Y + 1 to be prime
+         * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
+         * Make sure it is satisfied, while keeping X = 3 mod 4
+         */
+
+        X->p[0] |= 2;
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, 3 ) );
+        if( r == 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 8 ) );
+        else if( r == 1 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 4 ) );
+
+        /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, X ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, 1 ) );
+
+        while( 1 )
+        {
+            /*
+             * First, check small factors for X and Y
+             * before doing Miller-Rabin on any of them
+             */
+            if( ( ret = mpi_check_small_factors(  X         ) ) == 0 &&
+                ( ret = mpi_check_small_factors( &Y         ) ) == 0 &&
+                ( ret = mpi_miller_rabin(  X, rounds, f_rng, p_rng  ) )
+                                                                == 0 &&
+                ( ret = mpi_miller_rabin( &Y, rounds, f_rng, p_rng  ) )
+                                                                == 0 )
+            {
+                break;
+            }
+
+            if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+                goto cleanup;
+
+            /*
+             * Next candidates. We want to preserve Y = (X-1) / 2 and
+             * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
+             * so up Y by 6 and X by 12.
+             */
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int(  X,  X, 12 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &Y, &Y, 6  ) );
+        }
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &Y );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_GENPRIME */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#define GCD_PAIR_COUNT  3
+
+static const int gcd_pairs[GCD_PAIR_COUNT][3] =
+{
+    { 693, 609, 21 },
+    { 1764, 868, 28 },
+    { 768454923, 542167814, 1 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_mpi_self_test( int verbose )
+{
+    int ret, i;
+    mbedtls_mpi A, E, N, X, Y, U, V;
+
+    mbedtls_mpi_init( &A ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &X );
+    mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &U ); mbedtls_mpi_init( &V );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &A, 16,
+        "EFE021C2645FD1DC586E69184AF4A31E" \
+        "D5F53E93B5F123FA41680867BA110131" \
+        "944FE7952E2517337780CB0DB80E61AA" \
+        "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &E, 16,
+        "B2E7EFD37075B9F03FF989C7C5051C20" \
+        "34D2A323810251127E7BF8625A4F49A5" \
+        "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
+        "5B5C25763222FEFCCFC38B832366C29E" ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &N, 16,
+        "0066A198186C18C10B2F5ED9B522752A" \
+        "9830B69916E535C8F047518A889A43A5" \
+        "94B6BED27A168D31D4A52F88925AA8F5" ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &X, &A, &N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
+        "602AB7ECA597A3D6B56FF9829A5E8B85" \
+        "9E857EA95A03512E2BAE7391688D264A" \
+        "A5663B0341DB9CCFD2C4C5F421FEC814" \
+        "8001B72E848A38CAE1C65F78E56ABDEF" \
+        "E12D3C039B8A02D6BE593F0BBBDA56F1" \
+        "ECF677152EF804370C1A305CAF3B5BF1" \
+        "30879B56C61DE584A0F53A2447A51E" ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #1 (mul_mpi): " );
+
+    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &X, &Y, &A, &N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
+        "256567336059E52CAE22925474705F39A94" ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &V, 16,
+        "6613F26162223DF488E9CD48CC132C7A" \
+        "0AC93C701B001B092E4E5B9F73BCD27B" \
+        "9EE50D0657C77F374E903CDFA4C642" ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #2 (div_mpi): " );
+
+    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 ||
+        mbedtls_mpi_cmp_mpi( &Y, &V ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &X, &A, &E, &N, NULL ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
+        "36E139AEA55215609D2816998ED020BB" \
+        "BD96C37890F65171D948E9BC7CBAA4D9" \
+        "325D24D6A3C12710F10A09FA08AB87" ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #3 (exp_mod): " );
+
+    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &X, &A, &N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
+        "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
+        "C3DBA76456363A10869622EAC2DD84EC" \
+        "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #4 (inv_mod): " );
+
+    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #5 (simple gcd): " );
+
+    for( i = 0; i < GCD_PAIR_COUNT; i++ )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &X, gcd_pairs[i][0] ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Y, gcd_pairs[i][1] ) );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &A, &X, &Y ) );
+
+        if( mbedtls_mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed at %d\n", i );
+
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+cleanup:
+
+    if( ret != 0 && verbose != 0 )
+        mbedtls_printf( "Unexpected error, return code = %08X\n", ret );
+
+    mbedtls_mpi_free( &A ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &N ); mbedtls_mpi_free( &X );
+    mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &U ); mbedtls_mpi_free( &V );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_BIGNUM_C */
diff --git a/third-party/mbedtls-3.6/library/blowfish.c b/third-party/mbedtls-3.6/library/blowfish.c
new file mode 100644
index 00000000..66bf355e
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/blowfish.c
@@ -0,0 +1,681 @@
+/*
+ *  Blowfish implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The Blowfish block cipher was designed by Bruce Schneier in 1993.
+ *  http://www.schneier.com/blowfish.html
+ *  http://en.wikipedia.org/wiki/Blowfish_%28cipher%29
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_BLOWFISH_C)
+
+#include "mbedtls/blowfish.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_BLOWFISH_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+static const uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2] = {
+        0x243F6A88L, 0x85A308D3L, 0x13198A2EL, 0x03707344L,
+        0xA4093822L, 0x299F31D0L, 0x082EFA98L, 0xEC4E6C89L,
+        0x452821E6L, 0x38D01377L, 0xBE5466CFL, 0x34E90C6CL,
+        0xC0AC29B7L, 0xC97C50DDL, 0x3F84D5B5L, 0xB5470917L,
+        0x9216D5D9L, 0x8979FB1BL
+};
+
+/* declarations of data at the end of this file */
+static const uint32_t S[4][256];
+
+static uint32_t F( mbedtls_blowfish_context *ctx, uint32_t x )
+{
+   unsigned short a, b, c, d;
+   uint32_t  y;
+
+   d = (unsigned short)(x & 0xFF);
+   x >>= 8;
+   c = (unsigned short)(x & 0xFF);
+   x >>= 8;
+   b = (unsigned short)(x & 0xFF);
+   x >>= 8;
+   a = (unsigned short)(x & 0xFF);
+   y = ctx->S[0][a] + ctx->S[1][b];
+   y = y ^ ctx->S[2][c];
+   y = y + ctx->S[3][d];
+
+   return( y );
+}
+
+static void blowfish_enc( mbedtls_blowfish_context *ctx, uint32_t *xl, uint32_t *xr )
+{
+    uint32_t  Xl, Xr, temp;
+    short i;
+
+    Xl = *xl;
+    Xr = *xr;
+
+    for( i = 0; i < MBEDTLS_BLOWFISH_ROUNDS; ++i )
+    {
+        Xl = Xl ^ ctx->P[i];
+        Xr = F( ctx, Xl ) ^ Xr;
+
+        temp = Xl;
+        Xl = Xr;
+        Xr = temp;
+    }
+
+    temp = Xl;
+    Xl = Xr;
+    Xr = temp;
+
+    Xr = Xr ^ ctx->P[MBEDTLS_BLOWFISH_ROUNDS];
+    Xl = Xl ^ ctx->P[MBEDTLS_BLOWFISH_ROUNDS + 1];
+
+    *xl = Xl;
+    *xr = Xr;
+}
+
+static void blowfish_dec( mbedtls_blowfish_context *ctx, uint32_t *xl, uint32_t *xr )
+{
+    uint32_t  Xl, Xr, temp;
+    short i;
+
+    Xl = *xl;
+    Xr = *xr;
+
+    for( i = MBEDTLS_BLOWFISH_ROUNDS + 1; i > 1; --i )
+    {
+        Xl = Xl ^ ctx->P[i];
+        Xr = F( ctx, Xl ) ^ Xr;
+
+        temp = Xl;
+        Xl = Xr;
+        Xr = temp;
+    }
+
+    temp = Xl;
+    Xl = Xr;
+    Xr = temp;
+
+    Xr = Xr ^ ctx->P[1];
+    Xl = Xl ^ ctx->P[0];
+
+    *xl = Xl;
+    *xr = Xr;
+}
+
+void mbedtls_blowfish_init( mbedtls_blowfish_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_blowfish_context ) );
+}
+
+void mbedtls_blowfish_free( mbedtls_blowfish_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_blowfish_context ) );
+}
+
+/*
+ * Blowfish key schedule
+ */
+int mbedtls_blowfish_setkey( mbedtls_blowfish_context *ctx, const unsigned char *key,
+                     unsigned int keybits )
+{
+    unsigned int i, j, k;
+    uint32_t data, datal, datar;
+
+    if( keybits < MBEDTLS_BLOWFISH_MIN_KEY_BITS || keybits > MBEDTLS_BLOWFISH_MAX_KEY_BITS ||
+        ( keybits % 8 ) )
+    {
+        return( MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH );
+    }
+
+    keybits >>= 3;
+
+    for( i = 0; i < 4; i++ )
+    {
+        for( j = 0; j < 256; j++ )
+            ctx->S[i][j] = S[i][j];
+    }
+
+    j = 0;
+    for( i = 0; i < MBEDTLS_BLOWFISH_ROUNDS + 2; ++i )
+    {
+        data = 0x00000000;
+        for( k = 0; k < 4; ++k )
+        {
+            data = ( data << 8 ) | key[j++];
+            if( j >= keybits )
+                j = 0;
+        }
+        ctx->P[i] = P[i] ^ data;
+    }
+
+    datal = 0x00000000;
+    datar = 0x00000000;
+
+    for( i = 0; i < MBEDTLS_BLOWFISH_ROUNDS + 2; i += 2 )
+    {
+        blowfish_enc( ctx, &datal, &datar );
+        ctx->P[i] = datal;
+        ctx->P[i + 1] = datar;
+    }
+
+    for( i = 0; i < 4; i++ )
+    {
+       for( j = 0; j < 256; j += 2 )
+       {
+            blowfish_enc( ctx, &datal, &datar );
+            ctx->S[i][j] = datal;
+            ctx->S[i][j + 1] = datar;
+        }
+    }
+    return( 0 );
+}
+
+/*
+ * Blowfish-ECB block encryption/decryption
+ */
+int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
+                    int mode,
+                    const unsigned char input[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                    unsigned char output[MBEDTLS_BLOWFISH_BLOCKSIZE] )
+{
+    uint32_t X0, X1;
+
+    GET_UINT32_BE( X0, input,  0 );
+    GET_UINT32_BE( X1, input,  4 );
+
+    if( mode == MBEDTLS_BLOWFISH_DECRYPT )
+    {
+        blowfish_dec( ctx, &X0, &X1 );
+    }
+    else /* MBEDTLS_BLOWFISH_ENCRYPT */
+    {
+        blowfish_enc( ctx, &X0, &X1 );
+    }
+
+    PUT_UINT32_BE( X0, output,  0 );
+    PUT_UINT32_BE( X1, output,  4 );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * Blowfish-CBC buffer encryption/decryption
+ */
+int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                    const unsigned char *input,
+                    unsigned char *output )
+{
+    int i;
+    unsigned char temp[MBEDTLS_BLOWFISH_BLOCKSIZE];
+
+    if( length % MBEDTLS_BLOWFISH_BLOCKSIZE )
+        return( MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_BLOWFISH_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, MBEDTLS_BLOWFISH_BLOCKSIZE );
+            mbedtls_blowfish_crypt_ecb( ctx, mode, input, output );
+
+            for( i = 0; i < MBEDTLS_BLOWFISH_BLOCKSIZE;i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, MBEDTLS_BLOWFISH_BLOCKSIZE );
+
+            input  += MBEDTLS_BLOWFISH_BLOCKSIZE;
+            output += MBEDTLS_BLOWFISH_BLOCKSIZE;
+            length -= MBEDTLS_BLOWFISH_BLOCKSIZE;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < MBEDTLS_BLOWFISH_BLOCKSIZE; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_blowfish_crypt_ecb( ctx, mode, output, output );
+            memcpy( iv, output, MBEDTLS_BLOWFISH_BLOCKSIZE );
+
+            input  += MBEDTLS_BLOWFISH_BLOCKSIZE;
+            output += MBEDTLS_BLOWFISH_BLOCKSIZE;
+            length -= MBEDTLS_BLOWFISH_BLOCKSIZE;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * Blowfish CFB buffer encryption/decryption
+ */
+int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c;
+    size_t n = *iv_off;
+
+    if( mode == MBEDTLS_BLOWFISH_DECRYPT )
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_blowfish_crypt_ecb( ctx, MBEDTLS_BLOWFISH_ENCRYPT, iv, iv );
+
+            c = *input++;
+            *output++ = (unsigned char)( c ^ iv[n] );
+            iv[n] = (unsigned char) c;
+
+            n = ( n + 1 ) % MBEDTLS_BLOWFISH_BLOCKSIZE;
+        }
+    }
+    else
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_blowfish_crypt_ecb( ctx, MBEDTLS_BLOWFISH_ENCRYPT, iv, iv );
+
+            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+            n = ( n + 1 ) % MBEDTLS_BLOWFISH_BLOCKSIZE;
+        }
+    }
+
+    *iv_off = n;
+
+    return( 0 );
+}
+#endif /*MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Blowfish CTR buffer encryption/decryption
+ */
+int mbedtls_blowfish_crypt_ctr( mbedtls_blowfish_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                       unsigned char stream_block[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c, i;
+    size_t n = *nc_off;
+
+    while( length-- )
+    {
+        if( n == 0 ) {
+            mbedtls_blowfish_crypt_ecb( ctx, MBEDTLS_BLOWFISH_ENCRYPT, nonce_counter,
+                                stream_block );
+
+            for( i = MBEDTLS_BLOWFISH_BLOCKSIZE; i > 0; i-- )
+                if( ++nonce_counter[i - 1] != 0 )
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)( c ^ stream_block[n] );
+
+        n = ( n + 1 ) % MBEDTLS_BLOWFISH_BLOCKSIZE;
+    }
+
+    *nc_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static const uint32_t S[4][256] = {
+    {   0xD1310BA6L, 0x98DFB5ACL, 0x2FFD72DBL, 0xD01ADFB7L,
+        0xB8E1AFEDL, 0x6A267E96L, 0xBA7C9045L, 0xF12C7F99L,
+        0x24A19947L, 0xB3916CF7L, 0x0801F2E2L, 0x858EFC16L,
+        0x636920D8L, 0x71574E69L, 0xA458FEA3L, 0xF4933D7EL,
+        0x0D95748FL, 0x728EB658L, 0x718BCD58L, 0x82154AEEL,
+        0x7B54A41DL, 0xC25A59B5L, 0x9C30D539L, 0x2AF26013L,
+        0xC5D1B023L, 0x286085F0L, 0xCA417918L, 0xB8DB38EFL,
+        0x8E79DCB0L, 0x603A180EL, 0x6C9E0E8BL, 0xB01E8A3EL,
+        0xD71577C1L, 0xBD314B27L, 0x78AF2FDAL, 0x55605C60L,
+        0xE65525F3L, 0xAA55AB94L, 0x57489862L, 0x63E81440L,
+        0x55CA396AL, 0x2AAB10B6L, 0xB4CC5C34L, 0x1141E8CEL,
+        0xA15486AFL, 0x7C72E993L, 0xB3EE1411L, 0x636FBC2AL,
+        0x2BA9C55DL, 0x741831F6L, 0xCE5C3E16L, 0x9B87931EL,
+        0xAFD6BA33L, 0x6C24CF5CL, 0x7A325381L, 0x28958677L,
+        0x3B8F4898L, 0x6B4BB9AFL, 0xC4BFE81BL, 0x66282193L,
+        0x61D809CCL, 0xFB21A991L, 0x487CAC60L, 0x5DEC8032L,
+        0xEF845D5DL, 0xE98575B1L, 0xDC262302L, 0xEB651B88L,
+        0x23893E81L, 0xD396ACC5L, 0x0F6D6FF3L, 0x83F44239L,
+        0x2E0B4482L, 0xA4842004L, 0x69C8F04AL, 0x9E1F9B5EL,
+        0x21C66842L, 0xF6E96C9AL, 0x670C9C61L, 0xABD388F0L,
+        0x6A51A0D2L, 0xD8542F68L, 0x960FA728L, 0xAB5133A3L,
+        0x6EEF0B6CL, 0x137A3BE4L, 0xBA3BF050L, 0x7EFB2A98L,
+        0xA1F1651DL, 0x39AF0176L, 0x66CA593EL, 0x82430E88L,
+        0x8CEE8619L, 0x456F9FB4L, 0x7D84A5C3L, 0x3B8B5EBEL,
+        0xE06F75D8L, 0x85C12073L, 0x401A449FL, 0x56C16AA6L,
+        0x4ED3AA62L, 0x363F7706L, 0x1BFEDF72L, 0x429B023DL,
+        0x37D0D724L, 0xD00A1248L, 0xDB0FEAD3L, 0x49F1C09BL,
+        0x075372C9L, 0x80991B7BL, 0x25D479D8L, 0xF6E8DEF7L,
+        0xE3FE501AL, 0xB6794C3BL, 0x976CE0BDL, 0x04C006BAL,
+        0xC1A94FB6L, 0x409F60C4L, 0x5E5C9EC2L, 0x196A2463L,
+        0x68FB6FAFL, 0x3E6C53B5L, 0x1339B2EBL, 0x3B52EC6FL,
+        0x6DFC511FL, 0x9B30952CL, 0xCC814544L, 0xAF5EBD09L,
+        0xBEE3D004L, 0xDE334AFDL, 0x660F2807L, 0x192E4BB3L,
+        0xC0CBA857L, 0x45C8740FL, 0xD20B5F39L, 0xB9D3FBDBL,
+        0x5579C0BDL, 0x1A60320AL, 0xD6A100C6L, 0x402C7279L,
+        0x679F25FEL, 0xFB1FA3CCL, 0x8EA5E9F8L, 0xDB3222F8L,
+        0x3C7516DFL, 0xFD616B15L, 0x2F501EC8L, 0xAD0552ABL,
+        0x323DB5FAL, 0xFD238760L, 0x53317B48L, 0x3E00DF82L,
+        0x9E5C57BBL, 0xCA6F8CA0L, 0x1A87562EL, 0xDF1769DBL,
+        0xD542A8F6L, 0x287EFFC3L, 0xAC6732C6L, 0x8C4F5573L,
+        0x695B27B0L, 0xBBCA58C8L, 0xE1FFA35DL, 0xB8F011A0L,
+        0x10FA3D98L, 0xFD2183B8L, 0x4AFCB56CL, 0x2DD1D35BL,
+        0x9A53E479L, 0xB6F84565L, 0xD28E49BCL, 0x4BFB9790L,
+        0xE1DDF2DAL, 0xA4CB7E33L, 0x62FB1341L, 0xCEE4C6E8L,
+        0xEF20CADAL, 0x36774C01L, 0xD07E9EFEL, 0x2BF11FB4L,
+        0x95DBDA4DL, 0xAE909198L, 0xEAAD8E71L, 0x6B93D5A0L,
+        0xD08ED1D0L, 0xAFC725E0L, 0x8E3C5B2FL, 0x8E7594B7L,
+        0x8FF6E2FBL, 0xF2122B64L, 0x8888B812L, 0x900DF01CL,
+        0x4FAD5EA0L, 0x688FC31CL, 0xD1CFF191L, 0xB3A8C1ADL,
+        0x2F2F2218L, 0xBE0E1777L, 0xEA752DFEL, 0x8B021FA1L,
+        0xE5A0CC0FL, 0xB56F74E8L, 0x18ACF3D6L, 0xCE89E299L,
+        0xB4A84FE0L, 0xFD13E0B7L, 0x7CC43B81L, 0xD2ADA8D9L,
+        0x165FA266L, 0x80957705L, 0x93CC7314L, 0x211A1477L,
+        0xE6AD2065L, 0x77B5FA86L, 0xC75442F5L, 0xFB9D35CFL,
+        0xEBCDAF0CL, 0x7B3E89A0L, 0xD6411BD3L, 0xAE1E7E49L,
+        0x00250E2DL, 0x2071B35EL, 0x226800BBL, 0x57B8E0AFL,
+        0x2464369BL, 0xF009B91EL, 0x5563911DL, 0x59DFA6AAL,
+        0x78C14389L, 0xD95A537FL, 0x207D5BA2L, 0x02E5B9C5L,
+        0x83260376L, 0x6295CFA9L, 0x11C81968L, 0x4E734A41L,
+        0xB3472DCAL, 0x7B14A94AL, 0x1B510052L, 0x9A532915L,
+        0xD60F573FL, 0xBC9BC6E4L, 0x2B60A476L, 0x81E67400L,
+        0x08BA6FB5L, 0x571BE91FL, 0xF296EC6BL, 0x2A0DD915L,
+        0xB6636521L, 0xE7B9F9B6L, 0xFF34052EL, 0xC5855664L,
+        0x53B02D5DL, 0xA99F8FA1L, 0x08BA4799L, 0x6E85076AL   },
+    {   0x4B7A70E9L, 0xB5B32944L, 0xDB75092EL, 0xC4192623L,
+        0xAD6EA6B0L, 0x49A7DF7DL, 0x9CEE60B8L, 0x8FEDB266L,
+        0xECAA8C71L, 0x699A17FFL, 0x5664526CL, 0xC2B19EE1L,
+        0x193602A5L, 0x75094C29L, 0xA0591340L, 0xE4183A3EL,
+        0x3F54989AL, 0x5B429D65L, 0x6B8FE4D6L, 0x99F73FD6L,
+        0xA1D29C07L, 0xEFE830F5L, 0x4D2D38E6L, 0xF0255DC1L,
+        0x4CDD2086L, 0x8470EB26L, 0x6382E9C6L, 0x021ECC5EL,
+        0x09686B3FL, 0x3EBAEFC9L, 0x3C971814L, 0x6B6A70A1L,
+        0x687F3584L, 0x52A0E286L, 0xB79C5305L, 0xAA500737L,
+        0x3E07841CL, 0x7FDEAE5CL, 0x8E7D44ECL, 0x5716F2B8L,
+        0xB03ADA37L, 0xF0500C0DL, 0xF01C1F04L, 0x0200B3FFL,
+        0xAE0CF51AL, 0x3CB574B2L, 0x25837A58L, 0xDC0921BDL,
+        0xD19113F9L, 0x7CA92FF6L, 0x94324773L, 0x22F54701L,
+        0x3AE5E581L, 0x37C2DADCL, 0xC8B57634L, 0x9AF3DDA7L,
+        0xA9446146L, 0x0FD0030EL, 0xECC8C73EL, 0xA4751E41L,
+        0xE238CD99L, 0x3BEA0E2FL, 0x3280BBA1L, 0x183EB331L,
+        0x4E548B38L, 0x4F6DB908L, 0x6F420D03L, 0xF60A04BFL,
+        0x2CB81290L, 0x24977C79L, 0x5679B072L, 0xBCAF89AFL,
+        0xDE9A771FL, 0xD9930810L, 0xB38BAE12L, 0xDCCF3F2EL,
+        0x5512721FL, 0x2E6B7124L, 0x501ADDE6L, 0x9F84CD87L,
+        0x7A584718L, 0x7408DA17L, 0xBC9F9ABCL, 0xE94B7D8CL,
+        0xEC7AEC3AL, 0xDB851DFAL, 0x63094366L, 0xC464C3D2L,
+        0xEF1C1847L, 0x3215D908L, 0xDD433B37L, 0x24C2BA16L,
+        0x12A14D43L, 0x2A65C451L, 0x50940002L, 0x133AE4DDL,
+        0x71DFF89EL, 0x10314E55L, 0x81AC77D6L, 0x5F11199BL,
+        0x043556F1L, 0xD7A3C76BL, 0x3C11183BL, 0x5924A509L,
+        0xF28FE6EDL, 0x97F1FBFAL, 0x9EBABF2CL, 0x1E153C6EL,
+        0x86E34570L, 0xEAE96FB1L, 0x860E5E0AL, 0x5A3E2AB3L,
+        0x771FE71CL, 0x4E3D06FAL, 0x2965DCB9L, 0x99E71D0FL,
+        0x803E89D6L, 0x5266C825L, 0x2E4CC978L, 0x9C10B36AL,
+        0xC6150EBAL, 0x94E2EA78L, 0xA5FC3C53L, 0x1E0A2DF4L,
+        0xF2F74EA7L, 0x361D2B3DL, 0x1939260FL, 0x19C27960L,
+        0x5223A708L, 0xF71312B6L, 0xEBADFE6EL, 0xEAC31F66L,
+        0xE3BC4595L, 0xA67BC883L, 0xB17F37D1L, 0x018CFF28L,
+        0xC332DDEFL, 0xBE6C5AA5L, 0x65582185L, 0x68AB9802L,
+        0xEECEA50FL, 0xDB2F953BL, 0x2AEF7DADL, 0x5B6E2F84L,
+        0x1521B628L, 0x29076170L, 0xECDD4775L, 0x619F1510L,
+        0x13CCA830L, 0xEB61BD96L, 0x0334FE1EL, 0xAA0363CFL,
+        0xB5735C90L, 0x4C70A239L, 0xD59E9E0BL, 0xCBAADE14L,
+        0xEECC86BCL, 0x60622CA7L, 0x9CAB5CABL, 0xB2F3846EL,
+        0x648B1EAFL, 0x19BDF0CAL, 0xA02369B9L, 0x655ABB50L,
+        0x40685A32L, 0x3C2AB4B3L, 0x319EE9D5L, 0xC021B8F7L,
+        0x9B540B19L, 0x875FA099L, 0x95F7997EL, 0x623D7DA8L,
+        0xF837889AL, 0x97E32D77L, 0x11ED935FL, 0x16681281L,
+        0x0E358829L, 0xC7E61FD6L, 0x96DEDFA1L, 0x7858BA99L,
+        0x57F584A5L, 0x1B227263L, 0x9B83C3FFL, 0x1AC24696L,
+        0xCDB30AEBL, 0x532E3054L, 0x8FD948E4L, 0x6DBC3128L,
+        0x58EBF2EFL, 0x34C6FFEAL, 0xFE28ED61L, 0xEE7C3C73L,
+        0x5D4A14D9L, 0xE864B7E3L, 0x42105D14L, 0x203E13E0L,
+        0x45EEE2B6L, 0xA3AAABEAL, 0xDB6C4F15L, 0xFACB4FD0L,
+        0xC742F442L, 0xEF6ABBB5L, 0x654F3B1DL, 0x41CD2105L,
+        0xD81E799EL, 0x86854DC7L, 0xE44B476AL, 0x3D816250L,
+        0xCF62A1F2L, 0x5B8D2646L, 0xFC8883A0L, 0xC1C7B6A3L,
+        0x7F1524C3L, 0x69CB7492L, 0x47848A0BL, 0x5692B285L,
+        0x095BBF00L, 0xAD19489DL, 0x1462B174L, 0x23820E00L,
+        0x58428D2AL, 0x0C55F5EAL, 0x1DADF43EL, 0x233F7061L,
+        0x3372F092L, 0x8D937E41L, 0xD65FECF1L, 0x6C223BDBL,
+        0x7CDE3759L, 0xCBEE7460L, 0x4085F2A7L, 0xCE77326EL,
+        0xA6078084L, 0x19F8509EL, 0xE8EFD855L, 0x61D99735L,
+        0xA969A7AAL, 0xC50C06C2L, 0x5A04ABFCL, 0x800BCADCL,
+        0x9E447A2EL, 0xC3453484L, 0xFDD56705L, 0x0E1E9EC9L,
+        0xDB73DBD3L, 0x105588CDL, 0x675FDA79L, 0xE3674340L,
+        0xC5C43465L, 0x713E38D8L, 0x3D28F89EL, 0xF16DFF20L,
+        0x153E21E7L, 0x8FB03D4AL, 0xE6E39F2BL, 0xDB83ADF7L   },
+    {   0xE93D5A68L, 0x948140F7L, 0xF64C261CL, 0x94692934L,
+        0x411520F7L, 0x7602D4F7L, 0xBCF46B2EL, 0xD4A20068L,
+        0xD4082471L, 0x3320F46AL, 0x43B7D4B7L, 0x500061AFL,
+        0x1E39F62EL, 0x97244546L, 0x14214F74L, 0xBF8B8840L,
+        0x4D95FC1DL, 0x96B591AFL, 0x70F4DDD3L, 0x66A02F45L,
+        0xBFBC09ECL, 0x03BD9785L, 0x7FAC6DD0L, 0x31CB8504L,
+        0x96EB27B3L, 0x55FD3941L, 0xDA2547E6L, 0xABCA0A9AL,
+        0x28507825L, 0x530429F4L, 0x0A2C86DAL, 0xE9B66DFBL,
+        0x68DC1462L, 0xD7486900L, 0x680EC0A4L, 0x27A18DEEL,
+        0x4F3FFEA2L, 0xE887AD8CL, 0xB58CE006L, 0x7AF4D6B6L,
+        0xAACE1E7CL, 0xD3375FECL, 0xCE78A399L, 0x406B2A42L,
+        0x20FE9E35L, 0xD9F385B9L, 0xEE39D7ABL, 0x3B124E8BL,
+        0x1DC9FAF7L, 0x4B6D1856L, 0x26A36631L, 0xEAE397B2L,
+        0x3A6EFA74L, 0xDD5B4332L, 0x6841E7F7L, 0xCA7820FBL,
+        0xFB0AF54EL, 0xD8FEB397L, 0x454056ACL, 0xBA489527L,
+        0x55533A3AL, 0x20838D87L, 0xFE6BA9B7L, 0xD096954BL,
+        0x55A867BCL, 0xA1159A58L, 0xCCA92963L, 0x99E1DB33L,
+        0xA62A4A56L, 0x3F3125F9L, 0x5EF47E1CL, 0x9029317CL,
+        0xFDF8E802L, 0x04272F70L, 0x80BB155CL, 0x05282CE3L,
+        0x95C11548L, 0xE4C66D22L, 0x48C1133FL, 0xC70F86DCL,
+        0x07F9C9EEL, 0x41041F0FL, 0x404779A4L, 0x5D886E17L,
+        0x325F51EBL, 0xD59BC0D1L, 0xF2BCC18FL, 0x41113564L,
+        0x257B7834L, 0x602A9C60L, 0xDFF8E8A3L, 0x1F636C1BL,
+        0x0E12B4C2L, 0x02E1329EL, 0xAF664FD1L, 0xCAD18115L,
+        0x6B2395E0L, 0x333E92E1L, 0x3B240B62L, 0xEEBEB922L,
+        0x85B2A20EL, 0xE6BA0D99L, 0xDE720C8CL, 0x2DA2F728L,
+        0xD0127845L, 0x95B794FDL, 0x647D0862L, 0xE7CCF5F0L,
+        0x5449A36FL, 0x877D48FAL, 0xC39DFD27L, 0xF33E8D1EL,
+        0x0A476341L, 0x992EFF74L, 0x3A6F6EABL, 0xF4F8FD37L,
+        0xA812DC60L, 0xA1EBDDF8L, 0x991BE14CL, 0xDB6E6B0DL,
+        0xC67B5510L, 0x6D672C37L, 0x2765D43BL, 0xDCD0E804L,
+        0xF1290DC7L, 0xCC00FFA3L, 0xB5390F92L, 0x690FED0BL,
+        0x667B9FFBL, 0xCEDB7D9CL, 0xA091CF0BL, 0xD9155EA3L,
+        0xBB132F88L, 0x515BAD24L, 0x7B9479BFL, 0x763BD6EBL,
+        0x37392EB3L, 0xCC115979L, 0x8026E297L, 0xF42E312DL,
+        0x6842ADA7L, 0xC66A2B3BL, 0x12754CCCL, 0x782EF11CL,
+        0x6A124237L, 0xB79251E7L, 0x06A1BBE6L, 0x4BFB6350L,
+        0x1A6B1018L, 0x11CAEDFAL, 0x3D25BDD8L, 0xE2E1C3C9L,
+        0x44421659L, 0x0A121386L, 0xD90CEC6EL, 0xD5ABEA2AL,
+        0x64AF674EL, 0xDA86A85FL, 0xBEBFE988L, 0x64E4C3FEL,
+        0x9DBC8057L, 0xF0F7C086L, 0x60787BF8L, 0x6003604DL,
+        0xD1FD8346L, 0xF6381FB0L, 0x7745AE04L, 0xD736FCCCL,
+        0x83426B33L, 0xF01EAB71L, 0xB0804187L, 0x3C005E5FL,
+        0x77A057BEL, 0xBDE8AE24L, 0x55464299L, 0xBF582E61L,
+        0x4E58F48FL, 0xF2DDFDA2L, 0xF474EF38L, 0x8789BDC2L,
+        0x5366F9C3L, 0xC8B38E74L, 0xB475F255L, 0x46FCD9B9L,
+        0x7AEB2661L, 0x8B1DDF84L, 0x846A0E79L, 0x915F95E2L,
+        0x466E598EL, 0x20B45770L, 0x8CD55591L, 0xC902DE4CL,
+        0xB90BACE1L, 0xBB8205D0L, 0x11A86248L, 0x7574A99EL,
+        0xB77F19B6L, 0xE0A9DC09L, 0x662D09A1L, 0xC4324633L,
+        0xE85A1F02L, 0x09F0BE8CL, 0x4A99A025L, 0x1D6EFE10L,
+        0x1AB93D1DL, 0x0BA5A4DFL, 0xA186F20FL, 0x2868F169L,
+        0xDCB7DA83L, 0x573906FEL, 0xA1E2CE9BL, 0x4FCD7F52L,
+        0x50115E01L, 0xA70683FAL, 0xA002B5C4L, 0x0DE6D027L,
+        0x9AF88C27L, 0x773F8641L, 0xC3604C06L, 0x61A806B5L,
+        0xF0177A28L, 0xC0F586E0L, 0x006058AAL, 0x30DC7D62L,
+        0x11E69ED7L, 0x2338EA63L, 0x53C2DD94L, 0xC2C21634L,
+        0xBBCBEE56L, 0x90BCB6DEL, 0xEBFC7DA1L, 0xCE591D76L,
+        0x6F05E409L, 0x4B7C0188L, 0x39720A3DL, 0x7C927C24L,
+        0x86E3725FL, 0x724D9DB9L, 0x1AC15BB4L, 0xD39EB8FCL,
+        0xED545578L, 0x08FCA5B5L, 0xD83D7CD3L, 0x4DAD0FC4L,
+        0x1E50EF5EL, 0xB161E6F8L, 0xA28514D9L, 0x6C51133CL,
+        0x6FD5C7E7L, 0x56E14EC4L, 0x362ABFCEL, 0xDDC6C837L,
+        0xD79A3234L, 0x92638212L, 0x670EFA8EL, 0x406000E0L  },
+    {   0x3A39CE37L, 0xD3FAF5CFL, 0xABC27737L, 0x5AC52D1BL,
+        0x5CB0679EL, 0x4FA33742L, 0xD3822740L, 0x99BC9BBEL,
+        0xD5118E9DL, 0xBF0F7315L, 0xD62D1C7EL, 0xC700C47BL,
+        0xB78C1B6BL, 0x21A19045L, 0xB26EB1BEL, 0x6A366EB4L,
+        0x5748AB2FL, 0xBC946E79L, 0xC6A376D2L, 0x6549C2C8L,
+        0x530FF8EEL, 0x468DDE7DL, 0xD5730A1DL, 0x4CD04DC6L,
+        0x2939BBDBL, 0xA9BA4650L, 0xAC9526E8L, 0xBE5EE304L,
+        0xA1FAD5F0L, 0x6A2D519AL, 0x63EF8CE2L, 0x9A86EE22L,
+        0xC089C2B8L, 0x43242EF6L, 0xA51E03AAL, 0x9CF2D0A4L,
+        0x83C061BAL, 0x9BE96A4DL, 0x8FE51550L, 0xBA645BD6L,
+        0x2826A2F9L, 0xA73A3AE1L, 0x4BA99586L, 0xEF5562E9L,
+        0xC72FEFD3L, 0xF752F7DAL, 0x3F046F69L, 0x77FA0A59L,
+        0x80E4A915L, 0x87B08601L, 0x9B09E6ADL, 0x3B3EE593L,
+        0xE990FD5AL, 0x9E34D797L, 0x2CF0B7D9L, 0x022B8B51L,
+        0x96D5AC3AL, 0x017DA67DL, 0xD1CF3ED6L, 0x7C7D2D28L,
+        0x1F9F25CFL, 0xADF2B89BL, 0x5AD6B472L, 0x5A88F54CL,
+        0xE029AC71L, 0xE019A5E6L, 0x47B0ACFDL, 0xED93FA9BL,
+        0xE8D3C48DL, 0x283B57CCL, 0xF8D56629L, 0x79132E28L,
+        0x785F0191L, 0xED756055L, 0xF7960E44L, 0xE3D35E8CL,
+        0x15056DD4L, 0x88F46DBAL, 0x03A16125L, 0x0564F0BDL,
+        0xC3EB9E15L, 0x3C9057A2L, 0x97271AECL, 0xA93A072AL,
+        0x1B3F6D9BL, 0x1E6321F5L, 0xF59C66FBL, 0x26DCF319L,
+        0x7533D928L, 0xB155FDF5L, 0x03563482L, 0x8ABA3CBBL,
+        0x28517711L, 0xC20AD9F8L, 0xABCC5167L, 0xCCAD925FL,
+        0x4DE81751L, 0x3830DC8EL, 0x379D5862L, 0x9320F991L,
+        0xEA7A90C2L, 0xFB3E7BCEL, 0x5121CE64L, 0x774FBE32L,
+        0xA8B6E37EL, 0xC3293D46L, 0x48DE5369L, 0x6413E680L,
+        0xA2AE0810L, 0xDD6DB224L, 0x69852DFDL, 0x09072166L,
+        0xB39A460AL, 0x6445C0DDL, 0x586CDECFL, 0x1C20C8AEL,
+        0x5BBEF7DDL, 0x1B588D40L, 0xCCD2017FL, 0x6BB4E3BBL,
+        0xDDA26A7EL, 0x3A59FF45L, 0x3E350A44L, 0xBCB4CDD5L,
+        0x72EACEA8L, 0xFA6484BBL, 0x8D6612AEL, 0xBF3C6F47L,
+        0xD29BE463L, 0x542F5D9EL, 0xAEC2771BL, 0xF64E6370L,
+        0x740E0D8DL, 0xE75B1357L, 0xF8721671L, 0xAF537D5DL,
+        0x4040CB08L, 0x4EB4E2CCL, 0x34D2466AL, 0x0115AF84L,
+        0xE1B00428L, 0x95983A1DL, 0x06B89FB4L, 0xCE6EA048L,
+        0x6F3F3B82L, 0x3520AB82L, 0x011A1D4BL, 0x277227F8L,
+        0x611560B1L, 0xE7933FDCL, 0xBB3A792BL, 0x344525BDL,
+        0xA08839E1L, 0x51CE794BL, 0x2F32C9B7L, 0xA01FBAC9L,
+        0xE01CC87EL, 0xBCC7D1F6L, 0xCF0111C3L, 0xA1E8AAC7L,
+        0x1A908749L, 0xD44FBD9AL, 0xD0DADECBL, 0xD50ADA38L,
+        0x0339C32AL, 0xC6913667L, 0x8DF9317CL, 0xE0B12B4FL,
+        0xF79E59B7L, 0x43F5BB3AL, 0xF2D519FFL, 0x27D9459CL,
+        0xBF97222CL, 0x15E6FC2AL, 0x0F91FC71L, 0x9B941525L,
+        0xFAE59361L, 0xCEB69CEBL, 0xC2A86459L, 0x12BAA8D1L,
+        0xB6C1075EL, 0xE3056A0CL, 0x10D25065L, 0xCB03A442L,
+        0xE0EC6E0EL, 0x1698DB3BL, 0x4C98A0BEL, 0x3278E964L,
+        0x9F1F9532L, 0xE0D392DFL, 0xD3A0342BL, 0x8971F21EL,
+        0x1B0A7441L, 0x4BA3348CL, 0xC5BE7120L, 0xC37632D8L,
+        0xDF359F8DL, 0x9B992F2EL, 0xE60B6F47L, 0x0FE3F11DL,
+        0xE54CDA54L, 0x1EDAD891L, 0xCE6279CFL, 0xCD3E7E6FL,
+        0x1618B166L, 0xFD2C1D05L, 0x848FD2C5L, 0xF6FB2299L,
+        0xF523F357L, 0xA6327623L, 0x93A83531L, 0x56CCCD02L,
+        0xACF08162L, 0x5A75EBB5L, 0x6E163697L, 0x88D273CCL,
+        0xDE966292L, 0x81B949D0L, 0x4C50901BL, 0x71C65614L,
+        0xE6C6C7BDL, 0x327A140AL, 0x45E1D006L, 0xC3F27B9AL,
+        0xC9AA53FDL, 0x62A80F00L, 0xBB25BFE2L, 0x35BDD2F6L,
+        0x71126905L, 0xB2040222L, 0xB6CBCF7CL, 0xCD769C2BL,
+        0x53113EC0L, 0x1640E3D3L, 0x38ABBD60L, 0x2547ADF0L,
+        0xBA38209CL, 0xF746CE76L, 0x77AFA1C5L, 0x20756060L,
+        0x85CBFE4EL, 0x8AE88DD8L, 0x7AAAF9B0L, 0x4CF9AA7EL,
+        0x1948C25CL, 0x02FB8A8CL, 0x01C36AE4L, 0xD6EBE1F9L,
+        0x90D4F869L, 0xA65CDEA0L, 0x3F09252DL, 0xC208E69FL,
+        0xB74E6132L, 0xCE77E25BL, 0x578FDFE3L, 0x3AC372E6L  }
+};
+
+#endif /* !MBEDTLS_BLOWFISH_ALT */
+#endif /* MBEDTLS_BLOWFISH_C */
diff --git a/third-party/mbedtls-3.6/library/camellia.c b/third-party/mbedtls-3.6/library/camellia.c
new file mode 100644
index 00000000..6ef4c213
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/camellia.c
@@ -0,0 +1,1097 @@
+/*
+ *  Camellia implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
+ *  Corporation.
+ *
+ *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+
+#include "mbedtls/camellia.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CAMELLIA_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+static const unsigned char SIGMA_CHARS[6][8] =
+{
+    { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
+    { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
+    { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
+    { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
+    { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
+    { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
+};
+
+#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
+
+static const unsigned char FSb[256] =
+{
+    112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
+     35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
+    134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
+    166,225, 57,202,213, 71, 93, 61,217,  1, 90,214, 81, 86,108, 77,
+    139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
+    223, 76,203,194, 52,126,118,  5,109,183,169, 49,209, 23,  4,215,
+     20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
+    254, 68,207,178,195,181,122,145, 36,  8,232,168, 96,252,105, 80,
+    170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
+     16,196,  0, 72,163,247,117,219,138,  3,230,218,  9, 63,221,148,
+    135, 92,131,  2,205, 74,144, 51,115,103,246,243,157,127,191,226,
+     82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
+    233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
+    120,152,  6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
+    114,  7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
+     64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
+};
+
+#define SBOX1(n) FSb[(n)]
+#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
+#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
+#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
+
+#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+
+static const unsigned char FSb[256] =
+{
+ 112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
+  35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
+ 134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
+ 166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
+ 139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
+ 223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
+  20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
+ 254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
+ 170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
+  16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
+ 135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
+  82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
+ 233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
+ 120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
+ 114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
+ 64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
+};
+
+static const unsigned char FSb2[256] =
+{
+ 224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
+  70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
+  13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
+  77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
+  23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
+ 191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
+  40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
+ 253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
+  85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
+  32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
+  15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
+ 164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
+ 211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
+ 240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
+ 228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
+ 128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
+};
+
+static const unsigned char FSb3[256] =
+{
+  56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
+ 145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
+  67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
+  83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
+ 197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
+ 239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
+  10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
+ 127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
+  85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
+   8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
+ 195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
+  41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
+ 244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
+  60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
+  57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
+  32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
+};
+
+static const unsigned char FSb4[256] =
+{
+ 112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
+ 134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
+ 139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
+  20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
+ 170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
+ 135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
+ 233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
+ 114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
+ 130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
+ 184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
+  13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
+  88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
+ 208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
+  92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
+ 121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
+  7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
+};
+
+#define SBOX1(n) FSb[(n)]
+#define SBOX2(n) FSb2[(n)]
+#define SBOX3(n) FSb3[(n)]
+#define SBOX4(n) FSb4[(n)]
+
+#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+
+static const unsigned char shifts[2][4][4] =
+{
+    {
+        { 1, 1, 1, 1 }, /* KL */
+        { 0, 0, 0, 0 }, /* KR */
+        { 1, 1, 1, 1 }, /* KA */
+        { 0, 0, 0, 0 }  /* KB */
+    },
+    {
+        { 1, 0, 1, 1 }, /* KL */
+        { 1, 1, 0, 1 }, /* KR */
+        { 1, 1, 1, 0 }, /* KA */
+        { 1, 1, 0, 1 }  /* KB */
+    }
+};
+
+static const signed char indexes[2][4][20] =
+{
+    {
+        {  0,  1,  2,  3,  8,  9, 10, 11, 38, 39,
+          36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
+        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
+        {  4,  5,  6,  7, 12, 13, 14, 15, 16, 17,
+          18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
+        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }  /* KB -> RK */
+    },
+    {
+        {  0,  1,  2,  3, 61, 62, 63, 60, -1, -1,
+          -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
+        { -1, -1, -1, -1,  8,  9, 10, 11, 16, 17,
+          18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
+        { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
+          56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
+        {  4,  5,  6,  7, 65, 66, 67, 64, 20, 21,
+          22, 23, -1, -1, -1, -1, 43, 40, 41, 42 }  /* KB -> RK */
+    }
+};
+
+static const signed char transposes[2][20] =
+{
+    {
+        21, 22, 23, 20,
+        -1, -1, -1, -1,
+        18, 19, 16, 17,
+        11,  8,  9, 10,
+        15, 12, 13, 14
+    },
+    {
+        25, 26, 27, 24,
+        29, 30, 31, 28,
+        18, 19, 16, 17,
+        -1, -1, -1, -1,
+        -1, -1, -1, -1
+    }
+};
+
+/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
+#define ROTL(DEST, SRC, SHIFT)                                      \
+{                                                                   \
+    (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
+    (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
+    (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
+    (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
+}
+
+#define FL(XL, XR, KL, KR)                                          \
+{                                                                   \
+    (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR);   \
+    (XL) = ((XR) | (KR)) ^ (XL);                                    \
+}
+
+#define FLInv(YL, YR, KL, KR)                                       \
+{                                                                   \
+    (YL) = ((YR) | (KR)) ^ (YL);                                    \
+    (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR);   \
+}
+
+#define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
+{                                                           \
+    TK[0] = KC[(OFFSET) * 4 + 0];                           \
+    TK[1] = KC[(OFFSET) * 4 + 1];                           \
+    TK[2] = KC[(OFFSET) * 4 + 2];                           \
+    TK[3] = KC[(OFFSET) * 4 + 3];                           \
+                                                            \
+    for( i = 1; i <= 4; i++ )                               \
+        if( shifts[(INDEX)][(OFFSET)][i -1] )               \
+            ROTL(TK + i * 4, TK, ( 15 * i ) % 32);          \
+                                                            \
+    for( i = 0; i < 20; i++ )                               \
+        if( indexes[(INDEX)][(OFFSET)][i] != -1 ) {         \
+            RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ];    \
+        }                                                   \
+}
+
+static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
+                              uint32_t z[2])
+{
+    uint32_t I0, I1;
+    I0 = x[0] ^ k[0];
+    I1 = x[1] ^ k[1];
+
+    I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
+         ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
+         ((uint32_t) SBOX3((I0 >>  8) & 0xFF) <<  8) |
+         ((uint32_t) SBOX4((I0      ) & 0xFF)      );
+    I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
+         ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
+         ((uint32_t) SBOX4((I1 >>  8) & 0xFF) <<  8) |
+         ((uint32_t) SBOX1((I1      ) & 0xFF)      );
+
+    I0 ^= (I1 << 8) | (I1 >> 24);
+    I1 ^= (I0 << 16) | (I0 >> 16);
+    I0 ^= (I1 >> 8) | (I1 << 24);
+    I1 ^= (I0 >> 8) | (I0 << 24);
+
+    z[0] ^= I1;
+    z[1] ^= I0;
+}
+
+void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
+}
+
+void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
+}
+
+/*
+ * Camellia key schedule (encryption)
+ */
+int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned char *key,
+                         unsigned int keybits )
+{
+    int idx;
+    size_t i;
+    uint32_t *RK;
+    unsigned char t[64];
+    uint32_t SIGMA[6][2];
+    uint32_t KC[16];
+    uint32_t TK[20];
+
+    RK = ctx->rk;
+
+    memset( t, 0, 64 );
+    memset( RK, 0, sizeof(ctx->rk) );
+
+    switch( keybits )
+    {
+        case 128: ctx->nr = 3; idx = 0; break;
+        case 192:
+        case 256: ctx->nr = 4; idx = 1; break;
+        default : return( MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH );
+    }
+
+    for( i = 0; i < keybits / 8; ++i )
+        t[i] = key[i];
+
+    if( keybits == 192 ) {
+        for( i = 0; i < 8; i++ )
+            t[24 + i] = ~t[16 + i];
+    }
+
+    /*
+     * Prepare SIGMA values
+     */
+    for( i = 0; i < 6; i++ ) {
+        GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
+        GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
+    }
+
+    /*
+     * Key storage in KC
+     * Order: KL, KR, KA, KB
+     */
+    memset( KC, 0, sizeof(KC) );
+
+    /* Store KL, KR */
+    for( i = 0; i < 8; i++ )
+        GET_UINT32_BE( KC[i], t, i * 4 );
+
+    /* Generate KA */
+    for( i = 0; i < 4; ++i )
+        KC[8 + i] = KC[i] ^ KC[4 + i];
+
+    camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
+    camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
+
+    for( i = 0; i < 4; ++i )
+        KC[8 + i] ^= KC[i];
+
+    camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
+    camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
+
+    if( keybits > 128 ) {
+        /* Generate KB */
+        for( i = 0; i < 4; ++i )
+            KC[12 + i] = KC[4 + i] ^ KC[8 + i];
+
+        camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
+        camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
+    }
+
+    /*
+     * Generating subkeys
+     */
+
+    /* Manipulating KL */
+    SHIFT_AND_PLACE( idx, 0 );
+
+    /* Manipulating KR */
+    if( keybits > 128 ) {
+        SHIFT_AND_PLACE( idx, 1 );
+    }
+
+    /* Manipulating KA */
+    SHIFT_AND_PLACE( idx, 2 );
+
+    /* Manipulating KB */
+    if( keybits > 128 ) {
+        SHIFT_AND_PLACE( idx, 3 );
+    }
+
+    /* Do transpositions */
+    for( i = 0; i < 20; i++ ) {
+        if( transposes[idx][i] != -1 ) {
+            RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Camellia key schedule (decryption)
+ */
+int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, const unsigned char *key,
+                         unsigned int keybits )
+{
+    int idx, ret;
+    size_t i;
+    mbedtls_camellia_context cty;
+    uint32_t *RK;
+    uint32_t *SK;
+
+    mbedtls_camellia_init( &cty );
+
+    /* Also checks keybits */
+    if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
+        goto exit;
+
+    ctx->nr = cty.nr;
+    idx = ( ctx->nr == 4 );
+
+    RK = ctx->rk;
+    SK = cty.rk + 24 * 2 + 8 * idx * 2;
+
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+
+    for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
+    {
+        *RK++ = *SK++;
+        *RK++ = *SK++;
+    }
+
+    SK -= 2;
+
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+
+exit:
+    mbedtls_camellia_free( &cty );
+
+    return( ret );
+}
+
+/*
+ * Camellia-ECB block encryption/decryption
+ */
+int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
+                    int mode,
+                    const unsigned char input[16],
+                    unsigned char output[16] )
+{
+    int NR;
+    uint32_t *RK, X[4];
+
+    ( (void) mode );
+
+    NR = ctx->nr;
+    RK = ctx->rk;
+
+    GET_UINT32_BE( X[0], input,  0 );
+    GET_UINT32_BE( X[1], input,  4 );
+    GET_UINT32_BE( X[2], input,  8 );
+    GET_UINT32_BE( X[3], input, 12 );
+
+    X[0] ^= *RK++;
+    X[1] ^= *RK++;
+    X[2] ^= *RK++;
+    X[3] ^= *RK++;
+
+    while( NR ) {
+        --NR;
+        camellia_feistel( X, RK, X + 2 );
+        RK += 2;
+        camellia_feistel( X + 2, RK, X );
+        RK += 2;
+        camellia_feistel( X, RK, X + 2 );
+        RK += 2;
+        camellia_feistel( X + 2, RK, X );
+        RK += 2;
+        camellia_feistel( X, RK, X + 2 );
+        RK += 2;
+        camellia_feistel( X + 2, RK, X );
+        RK += 2;
+
+        if( NR ) {
+            FL(X[0], X[1], RK[0], RK[1]);
+            RK += 2;
+            FLInv(X[2], X[3], RK[0], RK[1]);
+            RK += 2;
+        }
+    }
+
+    X[2] ^= *RK++;
+    X[3] ^= *RK++;
+    X[0] ^= *RK++;
+    X[1] ^= *RK++;
+
+    PUT_UINT32_BE( X[2], output,  0 );
+    PUT_UINT32_BE( X[3], output,  4 );
+    PUT_UINT32_BE( X[0], output,  8 );
+    PUT_UINT32_BE( X[1], output, 12 );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * Camellia-CBC buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output )
+{
+    int i;
+    unsigned char temp[16];
+
+    if( length % 16 )
+        return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_CAMELLIA_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 16 );
+            mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
+
+            for( i = 0; i < 16; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 16 );
+
+            input  += 16;
+            output += 16;
+            length -= 16;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 16; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
+            memcpy( iv, output, 16 );
+
+            input  += 16;
+            output += 16;
+            length -= 16;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * Camellia-CFB128 buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c;
+    size_t n = *iv_off;
+
+    if( mode == MBEDTLS_CAMELLIA_DECRYPT )
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
+
+            c = *input++;
+            *output++ = (unsigned char)( c ^ iv[n] );
+            iv[n] = (unsigned char) c;
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+    else
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
+
+            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+
+    *iv_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Camellia-CTR buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c, i;
+    size_t n = *nc_off;
+
+    while( length-- )
+    {
+        if( n == 0 ) {
+            mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
+                                stream_block );
+
+            for( i = 16; i > 0; i-- )
+                if( ++nonce_counter[i - 1] != 0 )
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)( c ^ stream_block[n] );
+
+        n = ( n + 1 ) & 0x0F;
+    }
+
+    *nc_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* !MBEDTLS_CAMELLIA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Camellia test vectors from:
+ *
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
+ *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
+ *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
+ *                      (For each bitlength: Key 0, Nr 39)
+ */
+#define CAMELLIA_TESTS_ECB  2
+
+static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
+{
+    {
+        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
+        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+    },
+    {
+        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
+        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+    },
+    {
+        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+          0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
+        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+    },
+};
+
+static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
+{
+    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+      0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
+    { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
+{
+    {
+        { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
+          0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
+        { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
+          0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
+    },
+    {
+        { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
+          0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
+        { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
+          0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
+    },
+    {
+        { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
+          0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
+        { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
+          0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
+    }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define CAMELLIA_TESTS_CBC  3
+
+static const unsigned char camellia_test_cbc_key[3][32] =
+{
+        { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+          0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
+    ,
+        { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+          0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+          0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
+    ,
+        { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+          0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+          0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+          0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+};
+
+static const unsigned char camellia_test_cbc_iv[16] =
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
+;
+
+static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
+{
+    { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+      0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
+    { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+      0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
+    { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+      0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
+
+};
+
+static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
+{
+    {
+        { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
+          0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
+        { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
+          0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
+        { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
+          0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
+    },
+    {
+        { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
+          0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
+        { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
+          0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
+        { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
+          0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
+    },
+    {
+        { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
+          0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
+        { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
+          0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
+        { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
+          0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
+    }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Camellia-CTR test vectors from:
+ *
+ * http://www.faqs.org/rfcs/rfc5528.html
+ */
+
+static const unsigned char camellia_test_ctr_key[3][16] =
+{
+    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
+      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
+    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
+      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
+    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
+      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
+};
+
+static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
+{
+    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
+    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
+      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
+    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
+      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
+};
+
+static const unsigned char camellia_test_ctr_pt[3][48] =
+{
+    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
+      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
+      0x20, 0x21, 0x22, 0x23 }
+};
+
+static const unsigned char camellia_test_ctr_ct[3][48] =
+{
+    { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
+      0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
+    { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
+      0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
+      0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
+      0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
+    { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
+      0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
+      0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
+      0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
+      0xDF, 0x50, 0x86, 0x96 }
+};
+
+static const int camellia_test_ctr_len[3] =
+    { 16, 32, 36 };
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_camellia_self_test( int verbose )
+{
+    int i, j, u, v;
+    unsigned char key[32];
+    unsigned char buf[64];
+    unsigned char src[16];
+    unsigned char dst[16];
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    unsigned char iv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    size_t offset, len;
+    unsigned char nonce_counter[16];
+    unsigned char stream_block[16];
+#endif
+
+    mbedtls_camellia_context ctx;
+
+    memset( key, 0, 32 );
+
+    for( j = 0; j < 6; j++ ) {
+        u = j >> 1;
+    v = j & 1;
+
+    if( verbose != 0 )
+        mbedtls_printf( "  CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
+                         (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
+
+    for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
+        memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
+
+        if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
+            mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
+            memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
+            memcpy( dst, camellia_test_ecb_plain[i], 16 );
+        } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
+            mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
+            memcpy( src, camellia_test_ecb_plain[i], 16 );
+            memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
+        }
+
+        mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
+
+        if( memcmp( buf, dst, 16 ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            return( 1 );
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    /*
+     * CBC mode
+     */
+    for( j = 0; j < 6; j++ )
+    {
+        u = j >> 1;
+        v = j  & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
+                             ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( src, camellia_test_cbc_iv, 16 );
+        memcpy( dst, camellia_test_cbc_iv, 16 );
+        memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
+
+        if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
+            mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
+        } else {
+            mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
+        }
+
+        for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
+
+            if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
+                memcpy( iv , src, 16 );
+                memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
+                memcpy( dst, camellia_test_cbc_plain[i], 16 );
+            } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
+                memcpy( iv , dst, 16 );
+                memcpy( src, camellia_test_cbc_plain[i], 16 );
+                memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
+            }
+
+            mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
+
+            if( memcmp( buf, dst, 16 ) != 0 )
+            {
+                if( verbose != 0 )
+                    mbedtls_printf( "failed\n" );
+
+                return( 1 );
+            }
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    /*
+     * CTR mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        v = i  & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  CAMELLIA-CTR-128 (%s): ",
+                             ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
+        memcpy( key, camellia_test_ctr_key[u], 16 );
+
+        offset = 0;
+        mbedtls_camellia_setkey_enc( &ctx, key, 128 );
+
+        if( v == MBEDTLS_CAMELLIA_DECRYPT )
+        {
+            len = camellia_test_ctr_len[u];
+            memcpy( buf, camellia_test_ctr_ct[u], len );
+
+            mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
+                                buf, buf );
+
+            if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
+            {
+                if( verbose != 0 )
+                    mbedtls_printf( "failed\n" );
+
+                return( 1 );
+            }
+        }
+        else
+        {
+            len = camellia_test_ctr_len[u];
+            memcpy( buf, camellia_test_ctr_pt[u], len );
+
+            mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
+                                buf, buf );
+
+            if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
+            {
+                if( verbose != 0 )
+                    mbedtls_printf( "failed\n" );
+
+                return( 1 );
+            }
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CAMELLIA_C */
diff --git a/third-party/mbedtls-3.6/library/ccm.c b/third-party/mbedtls-3.6/library/ccm.c
new file mode 100644
index 00000000..ed3c74c8
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ccm.c
@@ -0,0 +1,504 @@
+/*
+ *  NIST SP800-38C compliant CCM implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ * Definition of CCM:
+ * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+ * RFC 3610 "Counter with CBC-MAC (CCM)"
+ *
+ * Related:
+ * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+
+#include "mbedtls/ccm.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_CCM_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
+#define CCM_ENCRYPT 0
+#define CCM_DECRYPT 1
+
+/*
+ * Initialize context
+ */
+void mbedtls_ccm_init( mbedtls_ccm_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_ccm_context ) );
+}
+
+int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
+                        mbedtls_cipher_id_t cipher,
+                        const unsigned char *key,
+                        unsigned int keybits )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    if( cipher_info->block_size != 16 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
+                               MBEDTLS_ENCRYPT ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ccm_free( mbedtls_ccm_context *ctx )
+{
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+    mbedtls_zeroize( ctx, sizeof( mbedtls_ccm_context ) );
+}
+
+/*
+ * Macros for common operations.
+ * Results in smaller compiled code than static inline functions.
+ */
+
+/*
+ * Update the CBC-MAC state in y using a block in b
+ * (Always using b as the source helps the compiler optimise a bit better.)
+ */
+#define UPDATE_CBC_MAC                                                      \
+    for( i = 0; i < 16; i++ )                                               \
+        y[i] ^= b[i];                                                       \
+                                                                            \
+    if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \
+        return( ret );
+
+/*
+ * Encrypt or decrypt a partial block with CTR
+ * Warning: using b for temporary storage! src and dst must not be b!
+ * This avoids allocating one more 16 bytes buffer while allowing src == dst.
+ */
+#define CTR_CRYPT( dst, src, len  )                                            \
+    if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr, 16, b, &olen ) ) != 0 )  \
+        return( ret );                                                         \
+                                                                               \
+    for( i = 0; i < len; i++ )                                                 \
+        dst[i] = src[i] ^ b[i];
+
+/*
+ * Authenticated encryption or decryption
+ */
+static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
+                           const unsigned char *iv, size_t iv_len,
+                           const unsigned char *add, size_t add_len,
+                           const unsigned char *input, unsigned char *output,
+                           unsigned char *tag, size_t tag_len )
+{
+    int ret;
+    unsigned char i;
+    unsigned char q;
+    size_t len_left, olen;
+    unsigned char b[16];
+    unsigned char y[16];
+    unsigned char ctr[16];
+    const unsigned char *src;
+    unsigned char *dst;
+
+    /*
+     * Check length requirements: SP800-38C A.1
+     * Additional requirement: a < 2^16 - 2^8 to simplify the code.
+     * 'length' checked later (when writing it to the first block)
+     */
+    if( tag_len < 4 || tag_len > 16 || tag_len % 2 != 0 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    /* Also implies q is within bounds */
+    if( iv_len < 7 || iv_len > 13 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    if( add_len > 0xFF00 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    q = 16 - 1 - (unsigned char) iv_len;
+
+    /*
+     * First block B_0:
+     * 0        .. 0        flags
+     * 1        .. iv_len   nonce (aka iv)
+     * iv_len+1 .. 15       length
+     *
+     * With flags as (bits):
+     * 7        0
+     * 6        add present?
+     * 5 .. 3   (t - 2) / 2
+     * 2 .. 0   q - 1
+     */
+    b[0] = 0;
+    b[0] |= ( add_len > 0 ) << 6;
+    b[0] |= ( ( tag_len - 2 ) / 2 ) << 3;
+    b[0] |= q - 1;
+
+    memcpy( b + 1, iv, iv_len );
+
+    for( i = 0, len_left = length; i < q; i++, len_left >>= 8 )
+        b[15-i] = (unsigned char)( len_left & 0xFF );
+
+    if( len_left > 0 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+
+    /* Start CBC-MAC with first block */
+    memset( y, 0, 16 );
+    UPDATE_CBC_MAC;
+
+    /*
+     * If there is additional data, update CBC-MAC with
+     * add_len, add, 0 (padding to a block boundary)
+     */
+    if( add_len > 0 )
+    {
+        size_t use_len;
+        len_left = add_len;
+        src = add;
+
+        memset( b, 0, 16 );
+        b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF );
+        b[1] = (unsigned char)( ( add_len      ) & 0xFF );
+
+        use_len = len_left < 16 - 2 ? len_left : 16 - 2;
+        memcpy( b + 2, src, use_len );
+        len_left -= use_len;
+        src += use_len;
+
+        UPDATE_CBC_MAC;
+
+        while( len_left > 0 )
+        {
+            use_len = len_left > 16 ? 16 : len_left;
+
+            memset( b, 0, 16 );
+            memcpy( b, src, use_len );
+            UPDATE_CBC_MAC;
+
+            len_left -= use_len;
+            src += use_len;
+        }
+    }
+
+    /*
+     * Prepare counter block for encryption:
+     * 0        .. 0        flags
+     * 1        .. iv_len   nonce (aka iv)
+     * iv_len+1 .. 15       counter (initially 1)
+     *
+     * With flags as (bits):
+     * 7 .. 3   0
+     * 2 .. 0   q - 1
+     */
+    ctr[0] = q - 1;
+    memcpy( ctr + 1, iv, iv_len );
+    memset( ctr + 1 + iv_len, 0, q );
+    ctr[15] = 1;
+
+    /*
+     * Authenticate and {en,de}crypt the message.
+     *
+     * The only difference between encryption and decryption is
+     * the respective order of authentication and {en,de}cryption.
+     */
+    len_left = length;
+    src = input;
+    dst = output;
+
+    while( len_left > 0 )
+    {
+        size_t use_len = len_left > 16 ? 16 : len_left;
+
+        if( mode == CCM_ENCRYPT )
+        {
+            memset( b, 0, 16 );
+            memcpy( b, src, use_len );
+            UPDATE_CBC_MAC;
+        }
+
+        CTR_CRYPT( dst, src, use_len );
+
+        if( mode == CCM_DECRYPT )
+        {
+            memset( b, 0, 16 );
+            memcpy( b, dst, use_len );
+            UPDATE_CBC_MAC;
+        }
+
+        dst += use_len;
+        src += use_len;
+        len_left -= use_len;
+
+        /*
+         * Increment counter.
+         * No need to check for overflow thanks to the length check above.
+         */
+        for( i = 0; i < q; i++ )
+            if( ++ctr[15-i] != 0 )
+                break;
+    }
+
+    /*
+     * Authentication: reset counter and crypt/mask internal tag
+     */
+    for( i = 0; i < q; i++ )
+        ctr[15-i] = 0;
+
+    CTR_CRYPT( y, y, 16 );
+    memcpy( tag, y, tag_len );
+
+    return( 0 );
+}
+
+/*
+ * Authenticated encryption
+ */
+int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len )
+{
+    return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len,
+                            add, add_len, input, output, tag, tag_len ) );
+}
+
+/*
+ * Authenticated decryption
+ */
+int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len )
+{
+    int ret;
+    unsigned char check_tag[16];
+    unsigned char i;
+    int diff;
+
+    if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length,
+                                iv, iv_len, add, add_len,
+                                input, output, check_tag, tag_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* Check tag in "constant-time" */
+    for( diff = 0, i = 0; i < tag_len; i++ )
+        diff |= tag[i] ^ check_tag[i];
+
+    if( diff != 0 )
+    {
+        mbedtls_zeroize( output, length );
+        return( MBEDTLS_ERR_CCM_AUTH_FAILED );
+    }
+
+    return( 0 );
+}
+
+#endif /* !MBEDTLS_CCM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/*
+ * Examples 1 to 3 from SP800-38C Appendix C
+ */
+
+#define NB_TESTS 3
+#define CCM_SELFTEST_PT_MAX_LEN 24
+#define CCM_SELFTEST_CT_MAX_LEN 32
+/*
+ * The data is the same for all tests, only the used length changes
+ */
+static const unsigned char key[] = {
+    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+    0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
+};
+
+static const unsigned char iv[] = {
+    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+    0x18, 0x19, 0x1a, 0x1b
+};
+
+static const unsigned char ad[] = {
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+    0x10, 0x11, 0x12, 0x13
+};
+
+static const unsigned char msg[CCM_SELFTEST_PT_MAX_LEN] = {
+    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+    0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+};
+
+static const size_t iv_len [NB_TESTS] = { 7, 8,  12 };
+static const size_t add_len[NB_TESTS] = { 8, 16, 20 };
+static const size_t msg_len[NB_TESTS] = { 4, 16, 24 };
+static const size_t tag_len[NB_TESTS] = { 4, 6,  8  };
+
+static const unsigned char res[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = {
+    {   0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d },
+    {   0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62,
+        0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d,
+        0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd },
+    {   0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a,
+        0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b,
+        0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5,
+        0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 }
+};
+
+int mbedtls_ccm_self_test( int verbose )
+{
+    mbedtls_ccm_context ctx;
+    /*
+     * Some hardware accelerators require the input and output buffers
+     * would be in RAM, because the flash is not accessible.
+     * Use buffers on the stack to hold the test vectors data.
+     */
+    unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN];
+    unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN];
+    size_t i;
+    int ret;
+
+    mbedtls_ccm_init( &ctx );
+
+    if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key, 8 * sizeof key ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  CCM: setup failed" );
+
+        return( 1 );
+    }
+
+    for( i = 0; i < NB_TESTS; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  CCM-AES #%u: ", (unsigned int) i + 1 );
+
+        memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN );
+        memset( ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN );
+        memcpy( plaintext, msg, msg_len[i] );
+
+        ret = mbedtls_ccm_encrypt_and_tag( &ctx, msg_len[i],
+                                           iv, iv_len[i], ad, add_len[i],
+                                           plaintext, ciphertext,
+                                           ciphertext + msg_len[i], tag_len[i] );
+
+        if( ret != 0 ||
+            memcmp( ciphertext, res[i], msg_len[i] + tag_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            return( 1 );
+        }
+        memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN );
+
+        ret = mbedtls_ccm_auth_decrypt( &ctx, msg_len[i],
+                                        iv, iv_len[i], ad, add_len[i],
+                                        ciphertext, plaintext,
+                                        ciphertext + msg_len[i], tag_len[i] );
+
+        if( ret != 0 ||
+            memcmp( plaintext, msg, msg_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            return( 1 );
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    mbedtls_ccm_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_CCM_C */
diff --git a/third-party/mbedtls-3.6/library/certs.c b/third-party/mbedtls-3.6/library/certs.c
new file mode 100644
index 00000000..360325c8
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/certs.c
@@ -0,0 +1,463 @@
+/*
+ *  X.509 test certificates
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/certs.h"
+
+#if defined(MBEDTLS_CERTS_C)
+
+#if defined(MBEDTLS_ECDSA_C)
+#define TEST_CA_CRT_EC                                                  \
+"-----BEGIN CERTIFICATE-----\r\n"                                       \
+"MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT\r\n"  \
+"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n"  \
+"QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT\r\n"  \
+"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n"  \
+"QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu\r\n"  \
+"ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy\r\n"  \
+"aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g\r\n"  \
+"JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7\r\n"  \
+"NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE\r\n"  \
+"AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w\r\n"  \
+"CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56\r\n"  \
+"t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv\r\n"  \
+"uCjn8pwUOkABXK8Mss90fzCfCEOtIA==\r\n"                                  \
+"-----END CERTIFICATE-----\r\n"
+const char mbedtls_test_ca_crt_ec[] = TEST_CA_CRT_EC;
+const size_t mbedtls_test_ca_crt_ec_len = sizeof( mbedtls_test_ca_crt_ec );
+
+const char mbedtls_test_ca_key_ec[] =
+"-----BEGIN EC PRIVATE KEY-----\r\n"
+"Proc-Type: 4,ENCRYPTED\r\n"
+"DEK-Info: DES-EDE3-CBC,307EAB469933D64E\r\n"
+"\r\n"
+"IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG\r\n"
+"ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq\r\n"
+"UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n"
+"a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n"
+"-----END EC PRIVATE KEY-----\r\n";
+const size_t mbedtls_test_ca_key_ec_len = sizeof( mbedtls_test_ca_key_ec );
+
+const char mbedtls_test_ca_pwd_ec[] = "PolarSSLTest";
+const size_t mbedtls_test_ca_pwd_ec_len = sizeof( mbedtls_test_ca_pwd_ec ) - 1;
+
+const char mbedtls_test_srv_crt_ec[] =
+"-----BEGIN CERTIFICATE-----\r\n"
+"MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n"
+"A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n"
+"MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
+"A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n"
+"CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n"
+"2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n"
+"BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n"
+"PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh\r\n"
+"clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n"
+"CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S\r\n"
+"C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n"
+"fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n"
+"-----END CERTIFICATE-----\r\n";
+const size_t mbedtls_test_srv_crt_ec_len = sizeof( mbedtls_test_srv_crt_ec );
+
+const char mbedtls_test_srv_key_ec[] =
+"-----BEGIN EC PRIVATE KEY-----\r\n"
+"MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n"
+"AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n"
+"6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n"
+"-----END EC PRIVATE KEY-----\r\n";
+const size_t mbedtls_test_srv_key_ec_len = sizeof( mbedtls_test_srv_key_ec );
+
+const char mbedtls_test_cli_crt_ec[] =
+"-----BEGIN CERTIFICATE-----\r\n"
+"MIICLDCCAbKgAwIBAgIBDTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n"
+"A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n"
+"MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjBBMQswCQYDVQQGEwJOTDERMA8G\r\n"
+"A1UEChMIUG9sYXJTU0wxHzAdBgNVBAMTFlBvbGFyU1NMIFRlc3QgQ2xpZW50IDIw\r\n"
+"WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARX5a6xc9/TrLuTuIH/Eq7u5lOszlVT\r\n"
+"9jQOzC7jYyUL35ji81xgNpbA1RgUcOV/n9VLRRjlsGzVXPiWj4dwo+THo4GdMIGa\r\n"
+"MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMG4GA1Ud\r\n"
+"IwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJOTDER\r\n"
+"MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC\r\n"
+"CQDBQ+J+YkPM6DAKBggqhkjOPQQDAgNoADBlAjBKZQ17IIOimbmoD/yN7o89u3BM\r\n"
+"lgOsjnhw3fIOoLIWy2WOGsk/LGF++DzvrRzuNiACMQCd8iem1XS4JK7haj8xocpU\r\n"
+"LwjQje5PDGHfd3h9tP38Qknu5bJqws0md2KOKHyeV0U=\r\n"
+"-----END CERTIFICATE-----\r\n";
+const size_t mbedtls_test_cli_crt_ec_len = sizeof( mbedtls_test_cli_crt_ec );
+
+const char mbedtls_test_cli_key_ec[] =
+"-----BEGIN EC PRIVATE KEY-----\r\n"
+"MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n"
+"AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n"
+"wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n"
+"-----END EC PRIVATE KEY-----\r\n";
+const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
+#endif /* MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+#define TEST_CA_CRT_RSA_SHA256                                          \
+"-----BEGIN CERTIFICATE-----\r\n"                                       \
+"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"  \
+"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"  \
+"MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n"  \
+"A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n"  \
+"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n"  \
+"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n"  \
+"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n"  \
+"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n"  \
+"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n"  \
+"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n"  \
+"gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA\r\n"  \
+"FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE\r\n"  \
+"CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T\r\n"  \
+"BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHK/HHrTZMnnVMpde1io+voAtql7j\r\n"  \
+"4sRhLrjD7o3THtwRbDa2diCvpq0Sq23Ng2LMYoXsOxoL/RQK3iN7UKxV3MKPEr0w\r\n"  \
+"XQS+kKQqiT2bsfrjnWMVHZtUOMpm6FNqcdGm/Rss3vKda2lcKl8kUnq/ylc1+QbB\r\n"  \
+"G6A6tUvQcr2ZyWfVg+mM5XkhTrOOXus2OLikb4WwEtJTJRNE0f+yPODSUz0/vT57\r\n"  \
+"ApH0CnB80bYJshYHPHHymOtleAB8KSYtqm75g/YNobjnjB6cm4HkW3OZRVIl6fYY\r\n"  \
+"n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==\r\n"      \
+"-----END CERTIFICATE-----\r\n"
+
+static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
+const char   mbedtls_test_ca_crt_rsa[]   = TEST_CA_CRT_RSA_SHA256;
+const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
+#define TEST_CA_CRT_RSA_SOME
+#endif /* MBEDTLS_SHA256_C */
+
+#if !defined(TEST_CA_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
+#define TEST_CA_CRT_RSA_SHA1                                            \
+"-----BEGIN CERTIFICATE-----\r\n"                                       \
+"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"  \
+"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"  \
+"MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n"  \
+"A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n"  \
+"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n"  \
+"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n"  \
+"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n"  \
+"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n"  \
+"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n"  \
+"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n"  \
+"gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH\r\n"  \
+"/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV\r\n"  \
+"BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz\r\n"  \
+"dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ\r\n"  \
+"SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H\r\n"  \
+"DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF\r\n"  \
+"pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf\r\n"  \
+"m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n"  \
+"7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n"      \
+"-----END CERTIFICATE-----\r\n"
+
+static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
+
+#if !defined (TEST_CA_CRT_RSA_SOME)
+const char   mbedtls_test_ca_crt_rsa[]   = TEST_CA_CRT_RSA_SHA1;
+const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
+#endif /* !TEST_CA_CRT_RSA_SOME */
+#endif /* !TEST_CA_CRT_RSA_COME || MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+/* tests/data_files/server2-sha256.crt */
+#define TEST_SRV_CRT_RSA_SHA256                                          \
+"-----BEGIN CERTIFICATE-----\r\n"                                        \
+"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"   \
+"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"   \
+"MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"   \
+"A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"   \
+"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"   \
+"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"   \
+"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"   \
+"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"   \
+"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"   \
+"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"   \
+"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"   \
+"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBALVvYxsd\r\n"   \
+"o5YSOIaApPlpnFUnz5zD/TbI9/63iJH+ae61jvpjTY1bqLBBEcqMMg9tVFUdt4xd\r\n"   \
+"9MifL5zRZOGqKpfhWyoUZv7kXXMtfJsy0A6sqK11FcUE9r2Mt50tAO1MLZLJ5tKD\r\n"   \
+"XY9/dTqXnENPxCGUo89/UwIFuNhKPUDBRMeyx8FaKsGVksF/lGxYVFWrfzZFlW0M\r\n"   \
+"SXduk5xjoHE83erLEtZoxWIgrx7LXXgkDtswGkH+VpFt9dFFXJaeAQPeUBDAhEE9\r\n"   \
+"UDkaCx5tPlyriwUW1w1xDx40VFV+Dgg9CFxiHCF+ppg+MG8HV0LVDRJlhN94QHNg\r\n"   \
+"DAAVd5iuv8P+00Y=\r\n" \
+"-----END CERTIFICATE-----\r\n"
+
+const char mbedtls_test_srv_crt_rsa[]     =  TEST_SRV_CRT_RSA_SHA256;
+const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
+#define TEST_SRV_CRT_RSA_SOME
+#endif /* MBEDTLS_SHA256_C */
+
+#if !defined(TEST_SRV_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
+/* tests/data_files/server2.crt */
+#define TEST_SRV_CRT_RSA_SHA1                                          \
+"-----BEGIN CERTIFICATE-----\r\n"                                      \
+"MIIDfTCCAmWgAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+"MTkwMzEyMTAwNjA2WhcNMjkwMzEyMTAwNjA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
+"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
+"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
+"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
+"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
+"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
+"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBkjCBjzAd\r\n" \
+"BgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwYwYDVR0jBFwwWoAUtFrkpbPe\r\n" \
+"0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh\r\n" \
+"clNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBDQYIBAzAJBgNVHRMEAjAAMA0G\r\n" \
+"CSqGSIb3DQEBBQUAA4IBAQBYbmGUE3tboOInTANuIf63NHlNGw0Zx79G9Oxv8gny\r\n" \
+"oBwzIg7LGeiuIeSJXGLZ6+MVR6vjCSm4lYVFbLmrk7DRRb+JlB/9knpAtMIzT4JB\r\n" \
+"x/eDnoI9/gNO8K8pLFmNkcXBdr/QxVR+Ao/kPWHoWQtxnzfyusZlbYNvFlchORCw\r\n" \
+"m1Wcvksm9LiIXDknugnXrAc2itXY1Iq8QmyFR/SXn3IMrn1LMlwgLOl6RccliBNm\r\n" \
+"YmyNC+pRJ047hjzMIgDT0FZH3eVgJ93b3ec4bxY1tPPlAAx1QwFGnXlt67QzsLCb\r\n" \
+"WBKL+sRYcWvNwEUnwbOii6N895YciSZUnzCo53uhJq6/\r\n"                     \
+"-----END CERTIFICATE-----\r\n"
+
+#if !defined(TEST_SRV_CRT_RSA_SOME)
+const char mbedtls_test_srv_crt_rsa[]     =  TEST_SRV_CRT_RSA_SHA1;
+const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
+#endif /* TEST_SRV_CRT_RSA_SOME */
+#endif /* !TEST_CA_CRT_RSA_SOME || MBEDTLS_SHA1_C */
+
+const char mbedtls_test_ca_key_rsa[] =
+"-----BEGIN RSA PRIVATE KEY-----\r\n"
+"Proc-Type: 4,ENCRYPTED\r\n"
+"DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B\r\n"
+"\r\n"
+"9Qd9GeArejl1GDVh2lLV1bHt0cPtfbh5h/5zVpAVaFpqtSPMrElp50Rntn9et+JA\r\n"
+"7VOyboR+Iy2t/HU4WvA687k3Bppe9GwKHjHhtl//8xFKwZr3Xb5yO5JUP8AUctQq\r\n"
+"Nb8CLlZyuUC+52REAAthdWgsX+7dJO4yabzUcQ22Tp9JSD0hiL43BlkWYUNK3dAo\r\n"
+"PZlmiptjnzVTjg1MxsBSydZinWOLBV8/JQgxSPo2yD4uEfig28qbvQ2wNIn0pnAb\r\n"
+"GxnSAOazkongEGfvcjIIs+LZN9gXFhxcOh6kc4Q/c99B7QWETwLLkYgZ+z1a9VY9\r\n"
+"gEU7CwCxYCD+h9hY6FPmsK0/lC4O7aeRKpYq00rPPxs6i7phiexg6ax6yTMmArQq\r\n"
+"QmK3TAsJm8V/J5AWpLEV6jAFgRGymGGHnof0DXzVWZidrcZJWTNuGEX90nB3ee2w\r\n"
+"PXJEFWKoD3K3aFcSLdHYr3mLGxP7H9ThQai9VsycxZKS5kwvBKQ//YMrmFfwPk8x\r\n"
+"vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU\r\n"
+"WJZAwlsQn+QzCDwpri7+sV1mS3gBE6UY7aQmnmiiaC2V3Hbphxct/en5QsfDOt1X\r\n"
+"JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r+94ZBTCpgAMbF588f0NTR\r\n"
+"KCe4yrxGJR7X02M4nvD4IwOlpsQ8xQxZtOSgXv4LkxvdU9XJJKWZ/XNKJeWztxSe\r\n"
+"Z1vdTc2YfsDBA2SEv33vxHx2g1vqtw8SjDRT2RaQSS0QuSaMJimdOX6mTOCBKk1J\r\n"
+"9Q5mXTrER+/LnK0jEmXsBXWA5bqqVZIyahXSx4VYZ7l7w/PHiUDtDgyRhMMKi4n2\r\n"
+"iQvQcWSQTjrpnlJbca1/DkpRt3YwrvJwdqb8asZU2VrNETh5x0QVefDRLFiVpif/\r\n"
+"tUaeAe/P1F8OkS7OIZDs1SUbv/sD2vMbhNkUoCms3/PvNtdnvgL4F0zhaDpKCmlT\r\n"
+"P8vx49E7v5CyRNmED9zZg4o3wmMqrQO93PtTug3Eu9oVx1zPQM1NVMyBa2+f29DL\r\n"
+"1nuTCeXdo9+ni45xx+jAI4DCwrRdhJ9uzZyC6962H37H6D+5naNvClFR1s6li1Gb\r\n"
+"nqPoiy/OBsEx9CaDGcqQBp5Wme/3XW+6z1ISOx+igwNTVCT14mHdBMbya0eIKft5\r\n"
+"X+GnwtgEMyCYyyWuUct8g4RzErcY9+yW9Om5Hzpx4zOuW4NPZgPDTgK+t2RSL/Yq\r\n"
+"rE1njrgeGYcVeG3f+OftH4s6fPbq7t1A5ZgUscbLMBqr9tK+OqygR4EgKBPsH6Cz\r\n"
+"L6zlv/2RV0qAHvVuDJcIDIgwY5rJtINEm32rhOeFNJwZS5MNIC1czXZx5//ugX7l\r\n"
+"I4sy5nbVhwSjtAk8Xg5dZbdTZ6mIrb7xqH+fdakZor1khG7bC2uIwibD3cSl2XkR\r\n"
+"wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n"
+"P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n"
+"-----END RSA PRIVATE KEY-----\r\n";
+const size_t mbedtls_test_ca_key_rsa_len = sizeof( mbedtls_test_ca_key_rsa );
+
+const char mbedtls_test_ca_pwd_rsa[] = "PolarSSLTest";
+const size_t mbedtls_test_ca_pwd_rsa_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
+
+/* tests/data_files/server2.key */
+const char mbedtls_test_srv_key_rsa[] =
+"-----BEGIN RSA PRIVATE KEY-----\r\n"
+"MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
+"lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n"
+"2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n"
+"Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n"
+"GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n"
+"y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n"
+"++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n"
+"Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n"
+"/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n"
+"WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n"
+"GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n"
+"TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n"
+"CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n"
+"nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n"
+"AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n"
+"sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n"
+"mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n"
+"BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n"
+"whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n"
+"vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n"
+"3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n"
+"3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n"
+"ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n"
+"4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n"
+"TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"
+"-----END RSA PRIVATE KEY-----\r\n";
+const size_t mbedtls_test_srv_key_rsa_len = sizeof( mbedtls_test_srv_key_rsa );
+
+/* tests/data_files/cli-rsa-sha256.crt */
+const char mbedtls_test_cli_crt_rsa[] =
+"-----BEGIN CERTIFICATE-----\r\n"
+"MIIDhTCCAm2gAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"
+"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
+"MTkwMzEyMTAwNDAxWhcNMjkwMzEyMTAwNDAxWjA8MQswCQYDVQQGEwJOTDERMA8G\r\n"
+"A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n"
+"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n"
+"M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n"
+"1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n"
+"MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n"
+"4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n"
+"/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n"
+"o4GSMIGPMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITBjBgNVHSMEXDBa\r\n"
+"gBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNV\r\n"
+"BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEDMAkGA1Ud\r\n"
+"EwQCMAAwDQYJKoZIhvcNAQELBQADggEBAH78VDMNqHyxX1Tdss1Dcbx475Gei+OO\r\n"
+"Pv5Z4EPLg/0Y7YgBoXI+3lM17CVhT9w5epPaSYmxzthtK0QSuJaS6Jgt7eHaQITT\r\n"
+"3KXcMPqluwCy1ddr1IRYW9dXCFtgaRNJibpDuuAwf8T2tCSsY6EaYDoNgv2y6ogu\r\n"
+"rh5/q7ca7Q4ENv3H+xq1V77baDa0QZijdPQ+WR+NTKPU0D8mDKlWLNSCpuItQ4Tu\r\n"
+"AYzCCTosMTHlGQJ/7BkhqChH0MLTCIlUktVjY7z/4XfOWYVUMPdqUJWwfz6AgEXL\r\n"
+"wjAFhq2OPrmyY2u8mrcVqpArDukPi9hOX5jzJtJaQVf4srpOL8e4nYg=\r\n"
+"-----END CERTIFICATE-----\r\n";
+const size_t mbedtls_test_cli_crt_rsa_len = sizeof( mbedtls_test_cli_crt_rsa );
+
+const char mbedtls_test_cli_key_rsa[] =
+"-----BEGIN RSA PRIVATE KEY-----\r\n"
+"MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n"
+"B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1\r\n"
+"bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9\r\n"
+"Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH\r\n"
+"7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v\r\n"
+"dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst\r\n"
+"yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz\r\n"
+"4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt\r\n"
+"ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA\r\n"
+"zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d\r\n"
+"l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf\r\n"
+"DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT\r\n"
+"VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL\r\n"
+"Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7\r\n"
+"wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys\r\n"
+"c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi\r\n"
+"33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60\r\n"
+"ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0\r\n"
+"BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW\r\n"
+"KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+\r\n"
+"UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc\r\n"
+"7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq\r\n"
+"gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu\r\n"
+"bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n"
+"8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"
+"-----END RSA PRIVATE KEY-----\r\n";
+const size_t mbedtls_test_cli_key_rsa_len = sizeof( mbedtls_test_cli_key_rsa );
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+/* Concatenation of all available CA certificates */
+const char mbedtls_test_cas_pem[] =
+#ifdef TEST_CA_CRT_RSA_SHA1
+    TEST_CA_CRT_RSA_SHA1
+#endif
+#ifdef TEST_CA_CRT_RSA_SHA256
+    TEST_CA_CRT_RSA_SHA256
+#endif
+#ifdef TEST_CA_CRT_EC
+    TEST_CA_CRT_EC
+#endif
+    "";
+const size_t mbedtls_test_cas_pem_len = sizeof( mbedtls_test_cas_pem );
+#endif
+
+/* List of all available CA certificates */
+const char * mbedtls_test_cas[] = {
+#if defined(TEST_CA_CRT_RSA_SHA1)
+    mbedtls_test_ca_crt_rsa_sha1,
+#endif
+#if defined(TEST_CA_CRT_RSA_SHA256)
+    mbedtls_test_ca_crt_rsa_sha256,
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    mbedtls_test_ca_crt_ec,
+#endif
+    NULL
+};
+const size_t mbedtls_test_cas_len[] = {
+#if defined(TEST_CA_CRT_RSA_SHA1)
+    sizeof( mbedtls_test_ca_crt_rsa_sha1 ),
+#endif
+#if defined(TEST_CA_CRT_RSA_SHA256)
+    sizeof( mbedtls_test_ca_crt_rsa_sha256 ),
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    sizeof( mbedtls_test_ca_crt_ec ),
+#endif
+    0
+};
+
+#if defined(MBEDTLS_RSA_C)
+const char *mbedtls_test_ca_crt  = mbedtls_test_ca_crt_rsa; /* SHA1 or SHA256 */
+const char *mbedtls_test_ca_key  = mbedtls_test_ca_key_rsa;
+const char *mbedtls_test_ca_pwd  = mbedtls_test_ca_pwd_rsa;
+const char *mbedtls_test_srv_crt = mbedtls_test_srv_crt_rsa;
+const char *mbedtls_test_srv_key = mbedtls_test_srv_key_rsa;
+const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_rsa;
+const char *mbedtls_test_cli_key = mbedtls_test_cli_key_rsa;
+const size_t mbedtls_test_ca_crt_len  = sizeof( mbedtls_test_ca_crt_rsa );
+const size_t mbedtls_test_ca_key_len  = sizeof( mbedtls_test_ca_key_rsa );
+const size_t mbedtls_test_ca_pwd_len  = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
+const size_t mbedtls_test_srv_crt_len = sizeof( mbedtls_test_srv_crt_rsa );
+const size_t mbedtls_test_srv_key_len = sizeof( mbedtls_test_srv_key_rsa );
+const size_t mbedtls_test_cli_crt_len = sizeof( mbedtls_test_cli_crt_rsa );
+const size_t mbedtls_test_cli_key_len = sizeof( mbedtls_test_cli_key_rsa );
+#else /* ! MBEDTLS_RSA_C, so MBEDTLS_ECDSA_C */
+const char *mbedtls_test_ca_crt  = mbedtls_test_ca_crt_ec;
+const char *mbedtls_test_ca_key  = mbedtls_test_ca_key_ec;
+const char *mbedtls_test_ca_pwd  = mbedtls_test_ca_pwd_ec;
+const char *mbedtls_test_srv_crt = mbedtls_test_srv_crt_ec;
+const char *mbedtls_test_srv_key = mbedtls_test_srv_key_ec;
+const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_ec;
+const char *mbedtls_test_cli_key = mbedtls_test_cli_key_ec;
+const size_t mbedtls_test_ca_crt_len  = sizeof( mbedtls_test_ca_crt_ec );
+const size_t mbedtls_test_ca_key_len  = sizeof( mbedtls_test_ca_key_ec );
+const size_t mbedtls_test_ca_pwd_len  = sizeof( mbedtls_test_ca_pwd_ec ) - 1;
+const size_t mbedtls_test_srv_crt_len = sizeof( mbedtls_test_srv_crt_ec );
+const size_t mbedtls_test_srv_key_len = sizeof( mbedtls_test_srv_key_ec );
+const size_t mbedtls_test_cli_crt_len = sizeof( mbedtls_test_cli_crt_ec );
+const size_t mbedtls_test_cli_key_len = sizeof( mbedtls_test_cli_key_ec );
+#endif /* MBEDTLS_RSA_C */
+
+#endif /* MBEDTLS_CERTS_C */
diff --git a/third-party/mbedtls-3.6/library/cipher.c b/third-party/mbedtls-3.6/library/cipher.c
new file mode 100644
index 00000000..7054f4bc
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/cipher.c
@@ -0,0 +1,948 @@
+/**
+ * \file cipher.c
+ *
+ * \brief Generic cipher wrapper for mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CIPHER_C)
+
+#include "mbedtls/cipher.h"
+#include "mbedtls/cipher_internal.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_CMAC_C)
+#include "mbedtls/cmac.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_calloc calloc
+#define mbedtls_free   free
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
+static int supported_init = 0;
+
+const int *mbedtls_cipher_list( void )
+{
+    const mbedtls_cipher_definition_t *def;
+    int *type;
+
+    if( ! supported_init )
+    {
+        def = mbedtls_cipher_definitions;
+        type = mbedtls_cipher_supported;
+
+        while( def->type != 0 )
+            *type++ = (*def++).type;
+
+        *type = 0;
+
+        supported_init = 1;
+    }
+
+    return( mbedtls_cipher_supported );
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type )
+{
+    const mbedtls_cipher_definition_t *def;
+
+    for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
+        if( def->type == cipher_type )
+            return( def->info );
+
+    return( NULL );
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name )
+{
+    const mbedtls_cipher_definition_t *def;
+
+    if( NULL == cipher_name )
+        return( NULL );
+
+    for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
+        if( !  strcmp( def->info->name, cipher_name ) )
+            return( def->info );
+
+    return( NULL );
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
+                                              int key_bitlen,
+                                              const mbedtls_cipher_mode_t mode )
+{
+    const mbedtls_cipher_definition_t *def;
+
+    for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
+        if( def->info->base->cipher == cipher_id &&
+            def->info->key_bitlen == (unsigned) key_bitlen &&
+            def->info->mode == mode )
+            return( def->info );
+
+    return( NULL );
+}
+
+void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
+}
+
+void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+#if defined(MBEDTLS_CMAC_C)
+    if( ctx->cmac_ctx )
+    {
+       mbedtls_zeroize( ctx->cmac_ctx, sizeof( mbedtls_cmac_context_t ) );
+       mbedtls_free( ctx->cmac_ctx );
+    }
+#endif
+
+    if( ctx->cipher_ctx )
+        ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
+
+    mbedtls_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
+}
+
+int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info )
+{
+    if( NULL == cipher_info || NULL == ctx )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
+
+    if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
+        return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
+
+    ctx->cipher_info = cipher_info;
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+    /*
+     * Ignore possible errors caused by a cipher mode that doesn't use padding
+     */
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
+#else
+    (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+    return( 0 );
+}
+
+int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key,
+        int key_bitlen, const mbedtls_operation_t operation )
+{
+    if( NULL == ctx || NULL == ctx->cipher_info )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
+        (int) ctx->cipher_info->key_bitlen != key_bitlen )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    ctx->key_bitlen = key_bitlen;
+    ctx->operation = operation;
+
+    /*
+     * For CFB and CTR mode always use the encryption key schedule
+     */
+    if( MBEDTLS_ENCRYPT == operation ||
+        MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
+    {
+        return ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
+                ctx->key_bitlen );
+    }
+
+    if( MBEDTLS_DECRYPT == operation )
+        return ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
+                ctx->key_bitlen );
+
+    return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+}
+
+int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
+                   const unsigned char *iv, size_t iv_len )
+{
+    size_t actual_iv_size;
+    if( NULL == ctx || NULL == ctx->cipher_info )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    else if( NULL == iv && iv_len != 0  )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( NULL == iv && iv_len == 0 )
+        ctx->iv_size = 0;
+
+    /* avoid buffer overflow in ctx->iv */
+    if( iv_len > MBEDTLS_MAX_IV_LENGTH )
+        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+
+    if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
+        actual_iv_size = iv_len;
+    else
+    {
+        actual_iv_size = ctx->cipher_info->iv_size;
+
+        /* avoid reading past the end of input buffer */
+        if( actual_iv_size > iv_len )
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+    if ( actual_iv_size != 0 )
+    {
+        memcpy( ctx->iv, iv, actual_iv_size );
+        ctx->iv_size = actual_iv_size;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
+{
+    if( NULL == ctx || NULL == ctx->cipher_info )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    ctx->unprocessed_len = 0;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_GCM_C)
+int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
+                      const unsigned char *ad, size_t ad_len )
+{
+    if( NULL == ctx || NULL == ctx->cipher_info )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+    {
+        return mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
+                           ctx->iv, ctx->iv_size, ad, ad_len );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_GCM_C */
+
+int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
+                   size_t ilen, unsigned char *output, size_t *olen )
+{
+    int ret;
+    size_t block_size = 0;
+
+    if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    *olen = 0;
+    block_size = mbedtls_cipher_get_block_size( ctx );
+    if ( 0 == block_size )
+    {
+        return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
+    }
+
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
+    {
+        if( ilen != block_size )
+            return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
+
+        *olen = ilen;
+
+        if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
+                    ctx->operation, input, output ) ) )
+        {
+            return( ret );
+        }
+
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_GCM_C)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
+    {
+        *olen = ilen;
+        return mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
+                           output );
+    }
+#endif
+
+    if( input == output &&
+       ( ctx->unprocessed_len != 0 || ilen % block_size ) )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
+    {
+        size_t copy_len = 0;
+
+        /*
+         * If there is not enough data for a full block, cache it.
+         */
+        if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
+                ilen <= block_size - ctx->unprocessed_len ) ||
+            ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
+                ilen < block_size - ctx->unprocessed_len ) ||
+             ( ctx->operation == MBEDTLS_ENCRYPT &&
+                ilen < block_size - ctx->unprocessed_len ) )
+        {
+            memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
+                    ilen );
+
+            ctx->unprocessed_len += ilen;
+            return( 0 );
+        }
+
+        /*
+         * Process cached data first
+         */
+        if( 0 != ctx->unprocessed_len )
+        {
+            copy_len = block_size - ctx->unprocessed_len;
+
+            memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
+                    copy_len );
+
+            if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
+                    ctx->operation, block_size, ctx->iv,
+                    ctx->unprocessed_data, output ) ) )
+            {
+                return( ret );
+            }
+
+            *olen += block_size;
+            output += block_size;
+            ctx->unprocessed_len = 0;
+
+            input += copy_len;
+            ilen -= copy_len;
+        }
+
+        /*
+         * Cache final, incomplete block
+         */
+        if( 0 != ilen )
+        {
+            /* Encryption: only cache partial blocks
+             * Decryption w/ padding: always keep at least one whole block
+             * Decryption w/o padding: only cache partial blocks
+             */
+            copy_len = ilen % block_size;
+            if( copy_len == 0 &&
+                ctx->operation == MBEDTLS_DECRYPT &&
+                NULL != ctx->add_padding)
+            {
+                copy_len = block_size;
+            }
+
+            memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
+                    copy_len );
+
+            ctx->unprocessed_len += copy_len;
+            ilen -= copy_len;
+        }
+
+        /*
+         * Process remaining full blocks
+         */
+        if( ilen )
+        {
+            if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
+                    ctx->operation, ilen, ctx->iv, input, output ) ) )
+            {
+                return( ret );
+            }
+
+            *olen += ilen;
+        }
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
+    {
+        if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
+                ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
+                input, output ) ) )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
+    {
+        if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
+                ilen, &ctx->unprocessed_len, ctx->iv,
+                ctx->unprocessed_data, input, output ) ) )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
+    {
+        if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
+                                                    ilen, input, output ) ) )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_STREAM */
+
+    return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+/*
+ * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
+ */
+static void add_pkcs_padding( unsigned char *output, size_t output_len,
+        size_t data_len )
+{
+    size_t padding_len = output_len - data_len;
+    unsigned char i;
+
+    for( i = 0; i < padding_len; i++ )
+        output[data_len + i] = (unsigned char) padding_len;
+}
+
+static int get_pkcs_padding( unsigned char *input, size_t input_len,
+        size_t *data_len )
+{
+    size_t i, pad_idx;
+    unsigned char padding_len, bad = 0;
+
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    padding_len = input[input_len - 1];
+    *data_len = input_len - padding_len;
+
+    /* Avoid logical || since it results in a branch */
+    bad |= padding_len > input_len;
+    bad |= padding_len == 0;
+
+    /* The number of bytes checked must be independent of padding_len,
+     * so pick input_len, which is usually 8 or 16 (one block) */
+    pad_idx = input_len - padding_len;
+    for( i = 0; i < input_len; i++ )
+        bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
+
+    return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
+}
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+/*
+ * One and zeros padding: fill with 80 00 ... 00
+ */
+static void add_one_and_zeros_padding( unsigned char *output,
+                                       size_t output_len, size_t data_len )
+{
+    size_t padding_len = output_len - data_len;
+    unsigned char i = 0;
+
+    output[data_len] = 0x80;
+    for( i = 1; i < padding_len; i++ )
+        output[data_len + i] = 0x00;
+}
+
+static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
+                                      size_t *data_len )
+{
+    size_t i;
+    unsigned char done = 0, prev_done, bad;
+
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    bad = 0x80;
+    *data_len = 0;
+    for( i = input_len; i > 0; i-- )
+    {
+        prev_done = done;
+        done |= ( input[i - 1] != 0 );
+        *data_len |= ( i - 1 ) * ( done != prev_done );
+        bad ^= input[i - 1] * ( done != prev_done );
+    }
+
+    return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
+
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+/*
+ * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
+ */
+static void add_zeros_and_len_padding( unsigned char *output,
+                                       size_t output_len, size_t data_len )
+{
+    size_t padding_len = output_len - data_len;
+    unsigned char i = 0;
+
+    for( i = 1; i < padding_len; i++ )
+        output[data_len + i - 1] = 0x00;
+    output[output_len - 1] = (unsigned char) padding_len;
+}
+
+static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
+                                      size_t *data_len )
+{
+    size_t i, pad_idx;
+    unsigned char padding_len, bad = 0;
+
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    padding_len = input[input_len - 1];
+    *data_len = input_len - padding_len;
+
+    /* Avoid logical || since it results in a branch */
+    bad |= padding_len > input_len;
+    bad |= padding_len == 0;
+
+    /* The number of bytes checked must be independent of padding_len */
+    pad_idx = input_len - padding_len;
+    for( i = 0; i < input_len - 1; i++ )
+        bad |= input[i] * ( i >= pad_idx );
+
+    return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+/*
+ * Zero padding: fill with 00 ... 00
+ */
+static void add_zeros_padding( unsigned char *output,
+                               size_t output_len, size_t data_len )
+{
+    size_t i;
+
+    for( i = data_len; i < output_len; i++ )
+        output[i] = 0x00;
+}
+
+static int get_zeros_padding( unsigned char *input, size_t input_len,
+                              size_t *data_len )
+{
+    size_t i;
+    unsigned char done = 0, prev_done;
+
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    *data_len = 0;
+    for( i = input_len; i > 0; i-- )
+    {
+        prev_done = done;
+        done |= ( input[i-1] != 0 );
+        *data_len |= i * ( done != prev_done );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
+
+/*
+ * No padding: don't pad :)
+ *
+ * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
+ * but a trivial get_padding function
+ */
+static int get_no_padding( unsigned char *input, size_t input_len,
+                              size_t *data_len )
+{
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    *data_len = input_len;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
+                   unsigned char *output, size_t *olen )
+{
+    if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    *olen = 0;
+
+    if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
+    {
+        return( 0 );
+    }
+
+    if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
+    {
+        if( ctx->unprocessed_len != 0 )
+            return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
+
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
+    {
+        int ret = 0;
+
+        if( MBEDTLS_ENCRYPT == ctx->operation )
+        {
+            /* check for 'no padding' mode */
+            if( NULL == ctx->add_padding )
+            {
+                if( 0 != ctx->unprocessed_len )
+                    return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
+
+                return( 0 );
+            }
+
+            ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
+                    ctx->unprocessed_len );
+        }
+        else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
+        {
+            /*
+             * For decrypt operations, expect a full block,
+             * or an empty block if no padding
+             */
+            if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
+                return( 0 );
+
+            return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
+        }
+
+        /* cipher block */
+        if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
+                ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
+                ctx->unprocessed_data, output ) ) )
+        {
+            return( ret );
+        }
+
+        /* Set output size for decryption */
+        if( MBEDTLS_DECRYPT == ctx->operation )
+            return ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
+                                     olen );
+
+        /* Set output size for encryption */
+        *olen = mbedtls_cipher_get_block_size( ctx );
+        return( 0 );
+    }
+#else
+    ((void) output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+    return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode )
+{
+    if( NULL == ctx ||
+        MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    switch( mode )
+    {
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    case MBEDTLS_PADDING_PKCS7:
+        ctx->add_padding = add_pkcs_padding;
+        ctx->get_padding = get_pkcs_padding;
+        break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+    case MBEDTLS_PADDING_ONE_AND_ZEROS:
+        ctx->add_padding = add_one_and_zeros_padding;
+        ctx->get_padding = get_one_and_zeros_padding;
+        break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+    case MBEDTLS_PADDING_ZEROS_AND_LEN:
+        ctx->add_padding = add_zeros_and_len_padding;
+        ctx->get_padding = get_zeros_and_len_padding;
+        break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+    case MBEDTLS_PADDING_ZEROS:
+        ctx->add_padding = add_zeros_padding;
+        ctx->get_padding = get_zeros_padding;
+        break;
+#endif
+    case MBEDTLS_PADDING_NONE:
+        ctx->add_padding = NULL;
+        ctx->get_padding = get_no_padding;
+        break;
+
+    default:
+        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+#if defined(MBEDTLS_GCM_C)
+int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
+                      unsigned char *tag, size_t tag_len )
+{
+    if( NULL == ctx || NULL == ctx->cipher_info || NULL == tag )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( MBEDTLS_ENCRYPT != ctx->operation )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+        return mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, tag, tag_len );
+
+    return( 0 );
+}
+
+int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
+                      const unsigned char *tag, size_t tag_len )
+{
+    int ret;
+
+    if( NULL == ctx || NULL == ctx->cipher_info ||
+        MBEDTLS_DECRYPT != ctx->operation )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+    {
+        unsigned char check_tag[16];
+        size_t i;
+        int diff;
+
+        if( tag_len > sizeof( check_tag ) )
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+        if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
+                                     check_tag, tag_len ) ) )
+        {
+            return( ret );
+        }
+
+        /* Check the tag in "constant-time" */
+        for( diff = 0, i = 0; i < tag_len; i++ )
+            diff |= tag[i] ^ check_tag[i];
+
+        if( diff != 0 )
+            return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+
+        return( 0 );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_GCM_C */
+
+/*
+ * Packet-oriented wrapper for non-AEAD modes
+ */
+int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
+                  const unsigned char *iv, size_t iv_len,
+                  const unsigned char *input, size_t ilen,
+                  unsigned char *output, size_t *olen )
+{
+    int ret;
+    size_t finish_olen;
+
+    if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 )
+        return( ret );
+
+    *olen += finish_olen;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+/*
+ * Packet-oriented encryption for AEAD modes
+ */
+int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *ad, size_t ad_len,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen,
+                         unsigned char *tag, size_t tag_len )
+{
+#if defined(MBEDTLS_GCM_C)
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+    {
+        *olen = ilen;
+        return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen,
+                                   iv, iv_len, ad, ad_len, input, output,
+                                   tag_len, tag ) );
+    }
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CCM_C)
+    if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
+    {
+        *olen = ilen;
+        return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
+                                     iv, iv_len, ad, ad_len, input, output,
+                                     tag, tag_len ) );
+    }
+#endif /* MBEDTLS_CCM_C */
+
+    return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+
+/*
+ * Packet-oriented decryption for AEAD modes
+ */
+int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *ad, size_t ad_len,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen,
+                         const unsigned char *tag, size_t tag_len )
+{
+#if defined(MBEDTLS_GCM_C)
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+    {
+        int ret;
+
+        *olen = ilen;
+        ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
+                                iv, iv_len, ad, ad_len,
+                                tag, tag_len, input, output );
+
+        if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+
+        return( ret );
+    }
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CCM_C)
+    if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
+    {
+        int ret;
+
+        *olen = ilen;
+        ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
+                                iv, iv_len, ad, ad_len,
+                                input, output, tag, tag_len );
+
+        if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+
+        return( ret );
+    }
+#endif /* MBEDTLS_CCM_C */
+
+    return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+
+#endif /* MBEDTLS_CIPHER_C */
diff --git a/third-party/mbedtls-3.6/library/cipher_wrap.c b/third-party/mbedtls-3.6/library/cipher_wrap.c
new file mode 100644
index 00000000..64ce9017
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/cipher_wrap.c
@@ -0,0 +1,1476 @@
+/**
+ * \file cipher_wrap.c
+ *
+ * \brief Generic cipher wrapper for mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CIPHER_C)
+
+#include "mbedtls/cipher_internal.h"
+
+#if defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+#include "mbedtls/arc4.h"
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#include "mbedtls/camellia.h"
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#if defined(MBEDTLS_BLOWFISH_C)
+#include "mbedtls/blowfish.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#include <string.h>
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+/* shared by all GCM ciphers */
+static void *gcm_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_gcm_context ) );
+
+    if( ctx != NULL )
+        mbedtls_gcm_init( (mbedtls_gcm_context *) ctx );
+
+    return( ctx );
+}
+
+static void gcm_ctx_free( void *ctx )
+{
+    mbedtls_gcm_free( ctx );
+    mbedtls_free( ctx );
+}
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+/* shared by all CCM ciphers */
+static void *ccm_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ccm_context ) );
+
+    if( ctx != NULL )
+        mbedtls_ccm_init( (mbedtls_ccm_context *) ctx );
+
+    return( ctx );
+}
+
+static void ccm_ctx_free( void *ctx )
+{
+    mbedtls_ccm_free( ctx );
+    mbedtls_free( ctx );
+}
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_AES_C)
+
+static int aes_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_ecb( (mbedtls_aes_context *) ctx, operation, input, output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int aes_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation, size_t length,
+        unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_cbc( (mbedtls_aes_context *) ctx, operation, length, iv, input,
+                          output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int aes_crypt_cfb128_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, size_t *iv_off, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_cfb128( (mbedtls_aes_context *) ctx, operation, length, iv_off, iv,
+                             input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int aes_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+        unsigned char *nonce_counter, unsigned char *stream_block,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_ctr( (mbedtls_aes_context *) ctx, length, nc_off, nonce_counter,
+                          stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static int aes_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    return mbedtls_aes_setkey_dec( (mbedtls_aes_context *) ctx, key, key_bitlen );
+}
+
+static int aes_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    return mbedtls_aes_setkey_enc( (mbedtls_aes_context *) ctx, key, key_bitlen );
+}
+
+static void * aes_ctx_alloc( void )
+{
+    mbedtls_aes_context *aes = mbedtls_calloc( 1, sizeof( mbedtls_aes_context ) );
+
+    if( aes == NULL )
+        return( NULL );
+
+    mbedtls_aes_init( aes );
+
+    return( aes );
+}
+
+static void aes_ctx_free( void *ctx )
+{
+    mbedtls_aes_free( (mbedtls_aes_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    aes_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    aes_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    aes_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    aes_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    aes_setkey_enc_wrap,
+    aes_setkey_dec_wrap,
+    aes_ctx_alloc,
+    aes_ctx_free
+};
+
+static const mbedtls_cipher_info_t aes_128_ecb_info = {
+    MBEDTLS_CIPHER_AES_128_ECB,
+    MBEDTLS_MODE_ECB,
+    128,
+    "AES-128-ECB",
+    0,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ecb_info = {
+    MBEDTLS_CIPHER_AES_192_ECB,
+    MBEDTLS_MODE_ECB,
+    192,
+    "AES-192-ECB",
+    0,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ecb_info = {
+    MBEDTLS_CIPHER_AES_256_ECB,
+    MBEDTLS_MODE_ECB,
+    256,
+    "AES-256-ECB",
+    0,
+    0,
+    16,
+    &aes_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t aes_128_cbc_info = {
+    MBEDTLS_CIPHER_AES_128_CBC,
+    MBEDTLS_MODE_CBC,
+    128,
+    "AES-128-CBC",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_cbc_info = {
+    MBEDTLS_CIPHER_AES_192_CBC,
+    MBEDTLS_MODE_CBC,
+    192,
+    "AES-192-CBC",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_cbc_info = {
+    MBEDTLS_CIPHER_AES_256_CBC,
+    MBEDTLS_MODE_CBC,
+    256,
+    "AES-256-CBC",
+    16,
+    0,
+    16,
+    &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t aes_128_cfb128_info = {
+    MBEDTLS_CIPHER_AES_128_CFB128,
+    MBEDTLS_MODE_CFB,
+    128,
+    "AES-128-CFB128",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_cfb128_info = {
+    MBEDTLS_CIPHER_AES_192_CFB128,
+    MBEDTLS_MODE_CFB,
+    192,
+    "AES-192-CFB128",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_cfb128_info = {
+    MBEDTLS_CIPHER_AES_256_CFB128,
+    MBEDTLS_MODE_CFB,
+    256,
+    "AES-256-CFB128",
+    16,
+    0,
+    16,
+    &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t aes_128_ctr_info = {
+    MBEDTLS_CIPHER_AES_128_CTR,
+    MBEDTLS_MODE_CTR,
+    128,
+    "AES-128-CTR",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ctr_info = {
+    MBEDTLS_CIPHER_AES_192_CTR,
+    MBEDTLS_MODE_CTR,
+    192,
+    "AES-192-CTR",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ctr_info = {
+    MBEDTLS_CIPHER_AES_256_CTR,
+    MBEDTLS_MODE_CTR,
+    256,
+    "AES-256-CTR",
+    16,
+    0,
+    16,
+    &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_aes_setkey_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    return mbedtls_gcm_setkey( (mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_AES,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t gcm_aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    gcm_aes_setkey_wrap,
+    gcm_aes_setkey_wrap,
+    gcm_ctx_alloc,
+    gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aes_128_gcm_info = {
+    MBEDTLS_CIPHER_AES_128_GCM,
+    MBEDTLS_MODE_GCM,
+    128,
+    "AES-128-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_gcm_info = {
+    MBEDTLS_CIPHER_AES_192_GCM,
+    MBEDTLS_MODE_GCM,
+    192,
+    "AES-192-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_gcm_info = {
+    MBEDTLS_CIPHER_AES_256_GCM,
+    MBEDTLS_MODE_GCM,
+    256,
+    "AES-256-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aes_info
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_aes_setkey_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    return mbedtls_ccm_setkey( (mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_AES,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t ccm_aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    ccm_aes_setkey_wrap,
+    ccm_aes_setkey_wrap,
+    ccm_ctx_alloc,
+    ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aes_128_ccm_info = {
+    MBEDTLS_CIPHER_AES_128_CCM,
+    MBEDTLS_MODE_CCM,
+    128,
+    "AES-128-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ccm_info = {
+    MBEDTLS_CIPHER_AES_192_CCM,
+    MBEDTLS_MODE_CCM,
+    192,
+    "AES-192-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ccm_info = {
+    MBEDTLS_CIPHER_AES_256_CCM,
+    MBEDTLS_MODE_CCM,
+    256,
+    "AES-256-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aes_info
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+
+static int camellia_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_camellia_crypt_ecb( (mbedtls_camellia_context *) ctx, operation, input,
+                               output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int camellia_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_camellia_crypt_cbc( (mbedtls_camellia_context *) ctx, operation, length, iv,
+                               input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int camellia_crypt_cfb128_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, size_t *iv_off, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_camellia_crypt_cfb128( (mbedtls_camellia_context *) ctx, operation, length,
+                                  iv_off, iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int camellia_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+        unsigned char *nonce_counter, unsigned char *stream_block,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_camellia_crypt_ctr( (mbedtls_camellia_context *) ctx, length, nc_off,
+                               nonce_counter, stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static int camellia_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_camellia_setkey_dec( (mbedtls_camellia_context *) ctx, key, key_bitlen );
+}
+
+static int camellia_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_camellia_setkey_enc( (mbedtls_camellia_context *) ctx, key, key_bitlen );
+}
+
+static void * camellia_ctx_alloc( void )
+{
+    mbedtls_camellia_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_camellia_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_camellia_init( ctx );
+
+    return( ctx );
+}
+
+static void camellia_ctx_free( void *ctx )
+{
+    mbedtls_camellia_free( (mbedtls_camellia_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t camellia_info = {
+    MBEDTLS_CIPHER_ID_CAMELLIA,
+    camellia_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    camellia_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    camellia_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    camellia_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    camellia_setkey_enc_wrap,
+    camellia_setkey_dec_wrap,
+    camellia_ctx_alloc,
+    camellia_ctx_free
+};
+
+static const mbedtls_cipher_info_t camellia_128_ecb_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_ECB,
+    MBEDTLS_MODE_ECB,
+    128,
+    "CAMELLIA-128-ECB",
+    0,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_ecb_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_ECB,
+    MBEDTLS_MODE_ECB,
+    192,
+    "CAMELLIA-192-ECB",
+    0,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_ecb_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_ECB,
+    MBEDTLS_MODE_ECB,
+    256,
+    "CAMELLIA-256-ECB",
+    0,
+    0,
+    16,
+    &camellia_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t camellia_128_cbc_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_CBC,
+    MBEDTLS_MODE_CBC,
+    128,
+    "CAMELLIA-128-CBC",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_cbc_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_CBC,
+    MBEDTLS_MODE_CBC,
+    192,
+    "CAMELLIA-192-CBC",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_cbc_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_CBC,
+    MBEDTLS_MODE_CBC,
+    256,
+    "CAMELLIA-256-CBC",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t camellia_128_cfb128_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_CFB128,
+    MBEDTLS_MODE_CFB,
+    128,
+    "CAMELLIA-128-CFB128",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_cfb128_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_CFB128,
+    MBEDTLS_MODE_CFB,
+    192,
+    "CAMELLIA-192-CFB128",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_cfb128_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_CFB128,
+    MBEDTLS_MODE_CFB,
+    256,
+    "CAMELLIA-256-CFB128",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t camellia_128_ctr_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_CTR,
+    MBEDTLS_MODE_CTR,
+    128,
+    "CAMELLIA-128-CTR",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_ctr_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_CTR,
+    MBEDTLS_MODE_CTR,
+    192,
+    "CAMELLIA-192-CTR",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_ctr_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_CTR,
+    MBEDTLS_MODE_CTR,
+    256,
+    "CAMELLIA-256-CTR",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_camellia_setkey_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_gcm_setkey( (mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_CAMELLIA,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t gcm_camellia_info = {
+    MBEDTLS_CIPHER_ID_CAMELLIA,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    gcm_camellia_setkey_wrap,
+    gcm_camellia_setkey_wrap,
+    gcm_ctx_alloc,
+    gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t camellia_128_gcm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_GCM,
+    MBEDTLS_MODE_GCM,
+    128,
+    "CAMELLIA-128-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_gcm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_GCM,
+    MBEDTLS_MODE_GCM,
+    192,
+    "CAMELLIA-192-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_gcm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_GCM,
+    MBEDTLS_MODE_GCM,
+    256,
+    "CAMELLIA-256-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_camellia_info
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_camellia_setkey_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_ccm_setkey( (mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_CAMELLIA,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t ccm_camellia_info = {
+    MBEDTLS_CIPHER_ID_CAMELLIA,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    ccm_camellia_setkey_wrap,
+    ccm_camellia_setkey_wrap,
+    ccm_ctx_alloc,
+    ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t camellia_128_ccm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_CCM,
+    MBEDTLS_MODE_CCM,
+    128,
+    "CAMELLIA-128-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_ccm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_CCM,
+    MBEDTLS_MODE_CCM,
+    192,
+    "CAMELLIA-192-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_ccm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_CCM,
+    MBEDTLS_MODE_CCM,
+    256,
+    "CAMELLIA-256-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_camellia_info
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+
+static int des_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    ((void) operation);
+    return mbedtls_des_crypt_ecb( (mbedtls_des_context *) ctx, input, output );
+}
+
+static int des3_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    ((void) operation);
+    return mbedtls_des3_crypt_ecb( (mbedtls_des3_context *) ctx, input, output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int des_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation, size_t length,
+        unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_des_crypt_cbc( (mbedtls_des_context *) ctx, operation, length, iv, input,
+                          output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int des3_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation, size_t length,
+        unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_des3_crypt_cbc( (mbedtls_des3_context *) ctx, operation, length, iv, input,
+                           output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static int des_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des_setkey_dec( (mbedtls_des_context *) ctx, key );
+}
+
+static int des_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des_setkey_enc( (mbedtls_des_context *) ctx, key );
+}
+
+static int des3_set2key_dec_wrap( void *ctx, const unsigned char *key,
+                                  unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des3_set2key_dec( (mbedtls_des3_context *) ctx, key );
+}
+
+static int des3_set2key_enc_wrap( void *ctx, const unsigned char *key,
+                                  unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des3_set2key_enc( (mbedtls_des3_context *) ctx, key );
+}
+
+static int des3_set3key_dec_wrap( void *ctx, const unsigned char *key,
+                                  unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des3_set3key_dec( (mbedtls_des3_context *) ctx, key );
+}
+
+static int des3_set3key_enc_wrap( void *ctx, const unsigned char *key,
+                                  unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des3_set3key_enc( (mbedtls_des3_context *) ctx, key );
+}
+
+static void * des_ctx_alloc( void )
+{
+    mbedtls_des_context *des = mbedtls_calloc( 1, sizeof( mbedtls_des_context ) );
+
+    if( des == NULL )
+        return( NULL );
+
+    mbedtls_des_init( des );
+
+    return( des );
+}
+
+static void des_ctx_free( void *ctx )
+{
+    mbedtls_des_free( (mbedtls_des_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void * des3_ctx_alloc( void )
+{
+    mbedtls_des3_context *des3;
+    des3 = mbedtls_calloc( 1, sizeof( mbedtls_des3_context ) );
+
+    if( des3 == NULL )
+        return( NULL );
+
+    mbedtls_des3_init( des3 );
+
+    return( des3 );
+}
+
+static void des3_ctx_free( void *ctx )
+{
+    mbedtls_des3_free( (mbedtls_des3_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t des_info = {
+    MBEDTLS_CIPHER_ID_DES,
+    des_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    des_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    des_setkey_enc_wrap,
+    des_setkey_dec_wrap,
+    des_ctx_alloc,
+    des_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ecb_info = {
+    MBEDTLS_CIPHER_DES_ECB,
+    MBEDTLS_MODE_ECB,
+    MBEDTLS_KEY_LENGTH_DES,
+    "DES-ECB",
+    0,
+    0,
+    8,
+    &des_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_cbc_info = {
+    MBEDTLS_CIPHER_DES_CBC,
+    MBEDTLS_MODE_CBC,
+    MBEDTLS_KEY_LENGTH_DES,
+    "DES-CBC",
+    8,
+    0,
+    8,
+    &des_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static const mbedtls_cipher_base_t des_ede_info = {
+    MBEDTLS_CIPHER_ID_DES,
+    des3_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    des3_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    des3_set2key_enc_wrap,
+    des3_set2key_dec_wrap,
+    des3_ctx_alloc,
+    des3_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ede_ecb_info = {
+    MBEDTLS_CIPHER_DES_EDE_ECB,
+    MBEDTLS_MODE_ECB,
+    MBEDTLS_KEY_LENGTH_DES_EDE,
+    "DES-EDE-ECB",
+    0,
+    0,
+    8,
+    &des_ede_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_ede_cbc_info = {
+    MBEDTLS_CIPHER_DES_EDE_CBC,
+    MBEDTLS_MODE_CBC,
+    MBEDTLS_KEY_LENGTH_DES_EDE,
+    "DES-EDE-CBC",
+    8,
+    0,
+    8,
+    &des_ede_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static const mbedtls_cipher_base_t des_ede3_info = {
+    MBEDTLS_CIPHER_ID_3DES,
+    des3_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    des3_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    des3_set3key_enc_wrap,
+    des3_set3key_dec_wrap,
+    des3_ctx_alloc,
+    des3_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ede3_ecb_info = {
+    MBEDTLS_CIPHER_DES_EDE3_ECB,
+    MBEDTLS_MODE_ECB,
+    MBEDTLS_KEY_LENGTH_DES_EDE3,
+    "DES-EDE3-ECB",
+    0,
+    0,
+    8,
+    &des_ede3_info
+};
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_ede3_cbc_info = {
+    MBEDTLS_CIPHER_DES_EDE3_CBC,
+    MBEDTLS_MODE_CBC,
+    MBEDTLS_KEY_LENGTH_DES_EDE3,
+    "DES-EDE3-CBC",
+    8,
+    0,
+    8,
+    &des_ede3_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_BLOWFISH_C)
+
+static int blowfish_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_blowfish_crypt_ecb( (mbedtls_blowfish_context *) ctx, operation, input,
+                               output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int blowfish_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, unsigned char *iv, const unsigned char *input,
+        unsigned char *output )
+{
+    return mbedtls_blowfish_crypt_cbc( (mbedtls_blowfish_context *) ctx, operation, length, iv,
+                               input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int blowfish_crypt_cfb64_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, size_t *iv_off, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_blowfish_crypt_cfb64( (mbedtls_blowfish_context *) ctx, operation, length,
+                                 iv_off, iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int blowfish_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+        unsigned char *nonce_counter, unsigned char *stream_block,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_blowfish_crypt_ctr( (mbedtls_blowfish_context *) ctx, length, nc_off,
+                               nonce_counter, stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static int blowfish_setkey_wrap( void *ctx, const unsigned char *key,
+                                 unsigned int key_bitlen )
+{
+    return mbedtls_blowfish_setkey( (mbedtls_blowfish_context *) ctx, key, key_bitlen );
+}
+
+static void * blowfish_ctx_alloc( void )
+{
+    mbedtls_blowfish_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_blowfish_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_blowfish_init( ctx );
+
+    return( ctx );
+}
+
+static void blowfish_ctx_free( void *ctx )
+{
+    mbedtls_blowfish_free( (mbedtls_blowfish_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t blowfish_info = {
+    MBEDTLS_CIPHER_ID_BLOWFISH,
+    blowfish_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    blowfish_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    blowfish_crypt_cfb64_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    blowfish_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    blowfish_setkey_wrap,
+    blowfish_setkey_wrap,
+    blowfish_ctx_alloc,
+    blowfish_ctx_free
+};
+
+static const mbedtls_cipher_info_t blowfish_ecb_info = {
+    MBEDTLS_CIPHER_BLOWFISH_ECB,
+    MBEDTLS_MODE_ECB,
+    128,
+    "BLOWFISH-ECB",
+    0,
+    MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
+    8,
+    &blowfish_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t blowfish_cbc_info = {
+    MBEDTLS_CIPHER_BLOWFISH_CBC,
+    MBEDTLS_MODE_CBC,
+    128,
+    "BLOWFISH-CBC",
+    8,
+    MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
+    8,
+    &blowfish_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t blowfish_cfb64_info = {
+    MBEDTLS_CIPHER_BLOWFISH_CFB64,
+    MBEDTLS_MODE_CFB,
+    128,
+    "BLOWFISH-CFB64",
+    8,
+    MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
+    8,
+    &blowfish_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t blowfish_ctr_info = {
+    MBEDTLS_CIPHER_BLOWFISH_CTR,
+    MBEDTLS_MODE_CTR,
+    128,
+    "BLOWFISH-CTR",
+    8,
+    MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
+    8,
+    &blowfish_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* MBEDTLS_BLOWFISH_C */
+
+#if defined(MBEDTLS_ARC4_C)
+static int arc4_crypt_stream_wrap( void *ctx, size_t length,
+                                   const unsigned char *input,
+                                   unsigned char *output )
+{
+    return( mbedtls_arc4_crypt( (mbedtls_arc4_context *) ctx, length, input, output ) );
+}
+
+static int arc4_setkey_wrap( void *ctx, const unsigned char *key,
+                             unsigned int key_bitlen )
+{
+    /* we get key_bitlen in bits, arc4 expects it in bytes */
+    if( key_bitlen % 8 != 0 )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    mbedtls_arc4_setup( (mbedtls_arc4_context *) ctx, key, key_bitlen / 8 );
+    return( 0 );
+}
+
+static void * arc4_ctx_alloc( void )
+{
+    mbedtls_arc4_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_arc4_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_arc4_init( ctx );
+
+    return( ctx );
+}
+
+static void arc4_ctx_free( void *ctx )
+{
+    mbedtls_arc4_free( (mbedtls_arc4_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t arc4_base_info = {
+    MBEDTLS_CIPHER_ID_ARC4,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    arc4_crypt_stream_wrap,
+#endif
+    arc4_setkey_wrap,
+    arc4_setkey_wrap,
+    arc4_ctx_alloc,
+    arc4_ctx_free
+};
+
+static const mbedtls_cipher_info_t arc4_128_info = {
+    MBEDTLS_CIPHER_ARC4_128,
+    MBEDTLS_MODE_STREAM,
+    128,
+    "ARC4-128",
+    0,
+    0,
+    1,
+    &arc4_base_info
+};
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+static int null_crypt_stream( void *ctx, size_t length,
+                              const unsigned char *input,
+                              unsigned char *output )
+{
+    ((void) ctx);
+    memmove( output, input, length );
+    return( 0 );
+}
+
+static int null_setkey( void *ctx, const unsigned char *key,
+                        unsigned int key_bitlen )
+{
+    ((void) ctx);
+    ((void) key);
+    ((void) key_bitlen);
+
+    return( 0 );
+}
+
+static void * null_ctx_alloc( void )
+{
+    return( (void *) 1 );
+}
+
+static void null_ctx_free( void *ctx )
+{
+    ((void) ctx);
+}
+
+static const mbedtls_cipher_base_t null_base_info = {
+    MBEDTLS_CIPHER_ID_NULL,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    null_crypt_stream,
+#endif
+    null_setkey,
+    null_setkey,
+    null_ctx_alloc,
+    null_ctx_free
+};
+
+static const mbedtls_cipher_info_t null_cipher_info = {
+    MBEDTLS_CIPHER_NULL,
+    MBEDTLS_MODE_STREAM,
+    0,
+    "NULL",
+    0,
+    0,
+    1,
+    &null_base_info
+};
+#endif /* defined(MBEDTLS_CIPHER_NULL_CIPHER) */
+
+const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] =
+{
+#if defined(MBEDTLS_AES_C)
+    { MBEDTLS_CIPHER_AES_128_ECB,          &aes_128_ecb_info },
+    { MBEDTLS_CIPHER_AES_192_ECB,          &aes_192_ecb_info },
+    { MBEDTLS_CIPHER_AES_256_ECB,          &aes_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_AES_128_CBC,          &aes_128_cbc_info },
+    { MBEDTLS_CIPHER_AES_192_CBC,          &aes_192_cbc_info },
+    { MBEDTLS_CIPHER_AES_256_CBC,          &aes_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    { MBEDTLS_CIPHER_AES_128_CFB128,       &aes_128_cfb128_info },
+    { MBEDTLS_CIPHER_AES_192_CFB128,       &aes_192_cfb128_info },
+    { MBEDTLS_CIPHER_AES_256_CFB128,       &aes_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    { MBEDTLS_CIPHER_AES_128_CTR,          &aes_128_ctr_info },
+    { MBEDTLS_CIPHER_AES_192_CTR,          &aes_192_ctr_info },
+    { MBEDTLS_CIPHER_AES_256_CTR,          &aes_256_ctr_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_CIPHER_AES_128_GCM,          &aes_128_gcm_info },
+    { MBEDTLS_CIPHER_AES_192_GCM,          &aes_192_gcm_info },
+    { MBEDTLS_CIPHER_AES_256_GCM,          &aes_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_CIPHER_AES_128_CCM,          &aes_128_ccm_info },
+    { MBEDTLS_CIPHER_AES_192_CCM,          &aes_192_ccm_info },
+    { MBEDTLS_CIPHER_AES_256_CCM,          &aes_256_ccm_info },
+#endif
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+    { MBEDTLS_CIPHER_ARC4_128,             &arc4_128_info },
+#endif
+
+#if defined(MBEDTLS_BLOWFISH_C)
+    { MBEDTLS_CIPHER_BLOWFISH_ECB,         &blowfish_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_BLOWFISH_CBC,         &blowfish_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    { MBEDTLS_CIPHER_BLOWFISH_CFB64,       &blowfish_cfb64_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    { MBEDTLS_CIPHER_BLOWFISH_CTR,         &blowfish_ctr_info },
+#endif
+#endif /* MBEDTLS_BLOWFISH_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+    { MBEDTLS_CIPHER_CAMELLIA_128_ECB,     &camellia_128_ecb_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_ECB,     &camellia_192_ecb_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_ECB,     &camellia_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_CAMELLIA_128_CBC,     &camellia_128_cbc_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_CBC,     &camellia_192_cbc_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_CBC,     &camellia_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    { MBEDTLS_CIPHER_CAMELLIA_128_CFB128,  &camellia_128_cfb128_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_CFB128,  &camellia_192_cfb128_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_CFB128,  &camellia_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    { MBEDTLS_CIPHER_CAMELLIA_128_CTR,     &camellia_128_ctr_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_CTR,     &camellia_192_ctr_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_CTR,     &camellia_256_ctr_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_CIPHER_CAMELLIA_128_GCM,     &camellia_128_gcm_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_GCM,     &camellia_192_gcm_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_GCM,     &camellia_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_CIPHER_CAMELLIA_128_CCM,     &camellia_128_ccm_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_CCM,     &camellia_192_ccm_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_CCM,     &camellia_256_ccm_info },
+#endif
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+    { MBEDTLS_CIPHER_DES_ECB,              &des_ecb_info },
+    { MBEDTLS_CIPHER_DES_EDE_ECB,          &des_ede_ecb_info },
+    { MBEDTLS_CIPHER_DES_EDE3_ECB,         &des_ede3_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_DES_CBC,              &des_cbc_info },
+    { MBEDTLS_CIPHER_DES_EDE_CBC,          &des_ede_cbc_info },
+    { MBEDTLS_CIPHER_DES_EDE3_CBC,         &des_ede3_cbc_info },
+#endif
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    { MBEDTLS_CIPHER_NULL,                 &null_cipher_info },
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+
+    { MBEDTLS_CIPHER_NONE, NULL }
+};
+
+#define NUM_CIPHERS sizeof mbedtls_cipher_definitions / sizeof mbedtls_cipher_definitions[0]
+int mbedtls_cipher_supported[NUM_CIPHERS];
+
+#endif /* MBEDTLS_CIPHER_C */
diff --git a/third-party/mbedtls-3.6/library/cmac.c b/third-party/mbedtls-3.6/library/cmac.c
new file mode 100644
index 00000000..3f76344a
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/cmac.c
@@ -0,0 +1,1107 @@
+/**
+ * \file cmac.c
+ *
+ * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ * References:
+ *
+ * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
+ *      CMAC Mode for Authentication
+ *   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
+ *
+ * - RFC 4493 - The AES-CMAC Algorithm
+ *   https://tools.ietf.org/html/rfc4493
+ *
+ * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
+ *      Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
+ *      Algorithm for the Internet Key Exchange Protocol (IKE)
+ *   https://tools.ietf.org/html/rfc4615
+ *
+ *   Additional test vectors: ISO/IEC 9797-1
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CMAC_C)
+
+#include "mbedtls/cmac.h"
+
+#include <string.h>
+
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc     calloc
+#define mbedtls_free       free
+#if defined(MBEDTLS_SELF_TEST)
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif /* MBEDTLS_SELF_TEST */
+#endif /* MBEDTLS_PLATFORM_C */
+
+#if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * Multiplication by u in the Galois field of GF(2^n)
+ *
+ * As explained in NIST SP 800-38B, this can be computed:
+ *
+ *   If MSB(p) = 0, then p = (p << 1)
+ *   If MSB(p) = 1, then p = (p << 1) ^ R_n
+ *   with R_64 = 0x1B and  R_128 = 0x87
+ *
+ * Input and output MUST NOT point to the same buffer
+ * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
+ */
+static int cmac_multiply_by_u( unsigned char *output,
+                               const unsigned char *input,
+                               size_t blocksize )
+{
+    const unsigned char R_128 = 0x87;
+    const unsigned char R_64 = 0x1B;
+    unsigned char R_n, mask;
+    unsigned char overflow = 0x00;
+    int i;
+
+    if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
+    {
+        R_n = R_128;
+    }
+    else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
+    {
+        R_n = R_64;
+    }
+    else
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    for( i = (int)blocksize - 1; i >= 0; i-- )
+    {
+        output[i] = input[i] << 1 | overflow;
+        overflow = input[i] >> 7;
+    }
+
+    /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
+     * using bit operations to avoid branches */
+
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    mask = - ( input[0] >> 7 );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    output[ blocksize - 1 ] ^= R_n & mask;
+
+    return( 0 );
+}
+
+/*
+ * Generate subkeys
+ *
+ * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
+ */
+static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
+                                  unsigned char* K1, unsigned char* K2 )
+{
+    int ret;
+    unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    size_t olen, block_size;
+
+    mbedtls_zeroize( L, sizeof( L ) );
+
+    block_size = ctx->cipher_info->block_size;
+
+    /* Calculate Ek(0) */
+    if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
+        goto exit;
+
+    /*
+     * Generate K1 and K2
+     */
+    if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
+        goto exit;
+
+    if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_zeroize( L, sizeof( L ) );
+
+    return( ret );
+}
+#endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
+
+#if !defined(MBEDTLS_CMAC_ALT)
+static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
+                            const unsigned char *input2,
+                            const size_t block_size )
+{
+    size_t idx;
+
+    for( idx = 0; idx < block_size; idx++ )
+        output[ idx ] = input1[ idx ] ^ input2[ idx ];
+}
+
+/*
+ * Create padded last block from (partial) last block.
+ *
+ * We can't use the padding option from the cipher layer, as it only works for
+ * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
+ */
+static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
+                      size_t padded_block_len,
+                      const unsigned char *last_block,
+                      size_t last_block_len )
+{
+    size_t j;
+
+    for( j = 0; j < padded_block_len; j++ )
+    {
+        if( j < last_block_len )
+            padded_block[j] = last_block[j];
+        else if( j == last_block_len )
+            padded_block[j] = 0x80;
+        else
+            padded_block[j] = 0x00;
+    }
+}
+
+int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *key, size_t keybits )
+{
+    mbedtls_cipher_type_t type;
+    mbedtls_cmac_context_t *cmac_ctx;
+    int retval;
+
+    if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
+                                          MBEDTLS_ENCRYPT ) ) != 0 )
+        return( retval );
+
+    type = ctx->cipher_info->type;
+
+    switch( type )
+    {
+        case MBEDTLS_CIPHER_AES_128_ECB:
+        case MBEDTLS_CIPHER_AES_192_ECB:
+        case MBEDTLS_CIPHER_AES_256_ECB:
+        case MBEDTLS_CIPHER_DES_EDE3_ECB:
+            break;
+        default:
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    /* Allocated and initialise in the cipher context memory for the CMAC
+     * context */
+    cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
+    if( cmac_ctx == NULL )
+        return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
+
+    ctx->cmac_ctx = cmac_ctx;
+
+    mbedtls_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
+
+    return 0;
+}
+
+int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *input, size_t ilen )
+{
+    mbedtls_cmac_context_t* cmac_ctx;
+    unsigned char *state;
+    int ret = 0;
+    size_t n, j, olen, block_size;
+
+    if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
+        ctx->cmac_ctx == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    cmac_ctx = ctx->cmac_ctx;
+    block_size = ctx->cipher_info->block_size;
+    state = ctx->cmac_ctx->state;
+
+    /* Is there data still to process from the last call, that's greater in
+     * size than a block? */
+    if( cmac_ctx->unprocessed_len > 0 &&
+        ilen > block_size - cmac_ctx->unprocessed_len )
+    {
+        memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
+                input,
+                block_size - cmac_ctx->unprocessed_len );
+
+        cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
+
+        if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
+                                           &olen ) ) != 0 )
+        {
+           goto exit;
+        }
+
+        input += block_size - cmac_ctx->unprocessed_len;
+        ilen -= block_size - cmac_ctx->unprocessed_len;
+        cmac_ctx->unprocessed_len = 0;
+    }
+
+    /* n is the number of blocks including any final partial block */
+    n = ( ilen + block_size - 1 ) / block_size;
+
+    /* Iterate across the input data in block sized chunks, excluding any
+     * final partial or complete block */
+    for( j = 1; j < n; j++ )
+    {
+        cmac_xor_block( state, input, state, block_size );
+
+        if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
+                                           &olen ) ) != 0 )
+           goto exit;
+
+        ilen -= block_size;
+        input += block_size;
+    }
+
+    /* If there is data left over that wasn't aligned to a block */
+    if( ilen > 0 )
+    {
+        memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
+                input,
+                ilen );
+        cmac_ctx->unprocessed_len += ilen;
+    }
+
+exit:
+    return( ret );
+}
+
+int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
+                                unsigned char *output )
+{
+    mbedtls_cmac_context_t* cmac_ctx;
+    unsigned char *state, *last_block;
+    unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    int ret;
+    size_t olen, block_size;
+
+    if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
+        output == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    cmac_ctx = ctx->cmac_ctx;
+    block_size = ctx->cipher_info->block_size;
+    state = cmac_ctx->state;
+
+    mbedtls_zeroize( K1, sizeof( K1 ) );
+    mbedtls_zeroize( K2, sizeof( K2 ) );
+    cmac_generate_subkeys( ctx, K1, K2 );
+
+    last_block = cmac_ctx->unprocessed_block;
+
+    /* Calculate last block */
+    if( cmac_ctx->unprocessed_len < block_size )
+    {
+        cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
+        cmac_xor_block( M_last, M_last, K2, block_size );
+    }
+    else
+    {
+        /* Last block is complete block */
+        cmac_xor_block( M_last, last_block, K1, block_size );
+    }
+
+
+    cmac_xor_block( state, M_last, state, block_size );
+    if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
+                                       &olen ) ) != 0 )
+    {
+        goto exit;
+    }
+
+    memcpy( output, state, block_size );
+
+exit:
+    /* Wipe the generated keys on the stack, and any other transients to avoid
+     * side channel leakage */
+    mbedtls_zeroize( K1, sizeof( K1 ) );
+    mbedtls_zeroize( K2, sizeof( K2 ) );
+
+    cmac_ctx->unprocessed_len = 0;
+    mbedtls_zeroize( cmac_ctx->unprocessed_block,
+                     sizeof( cmac_ctx->unprocessed_block ) );
+
+    mbedtls_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
+    return( ret );
+}
+
+int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
+{
+    mbedtls_cmac_context_t* cmac_ctx;
+
+    if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    cmac_ctx = ctx->cmac_ctx;
+
+    /* Reset the internal state */
+    cmac_ctx->unprocessed_len = 0;
+    mbedtls_zeroize( cmac_ctx->unprocessed_block,
+                     sizeof( cmac_ctx->unprocessed_block ) );
+    mbedtls_zeroize( cmac_ctx->state,
+                     sizeof( cmac_ctx->state ) );
+
+    return( 0 );
+}
+
+int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
+                         const unsigned char *key, size_t keylen,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output )
+{
+    mbedtls_cipher_context_t ctx;
+    int ret;
+
+    if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    mbedtls_cipher_init( &ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
+        goto exit;
+
+    ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
+    if( ret != 0 )
+        goto exit;
+
+    ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
+    if( ret != 0 )
+        goto exit;
+
+    ret = mbedtls_cipher_cmac_finish( &ctx, output );
+
+exit:
+    mbedtls_cipher_free( &ctx );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_AES_C)
+/*
+ * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
+ */
+int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
+                              const unsigned char *input, size_t in_len,
+                              unsigned char output[16] )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+    unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
+    unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
+
+    if( key == NULL || input == NULL || output == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
+    if( cipher_info == NULL )
+    {
+        /* Failing at this point must be due to a build issue */
+        ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+        goto exit;
+    }
+
+    if( key_length == MBEDTLS_AES_BLOCK_SIZE )
+    {
+        /* Use key as is */
+        memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
+    }
+    else
+    {
+        memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
+
+        ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
+                                   key_length, int_key );
+        if( ret != 0 )
+            goto exit;
+    }
+
+    ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
+                               output );
+
+exit:
+    mbedtls_zeroize( int_key, sizeof( int_key ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_AES_C */
+
+#endif /* !MBEDTLS_CMAC_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * CMAC test data for SP800-38B
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
+ *
+ * AES-CMAC-PRF-128 test data from RFC 4615
+ * https://tools.ietf.org/html/rfc4615#page-4
+ */
+
+#define NB_CMAC_TESTS_PER_KEY 4
+#define NB_PRF_TESTS 3
+
+#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
+/* All CMAC test inputs are truncated from the same 64 byte buffer. */
+static const unsigned char test_message[] = {
+    /* PT */
+    0x6b, 0xc1, 0xbe, 0xe2,     0x2e, 0x40, 0x9f, 0x96,
+    0xe9, 0x3d, 0x7e, 0x11,     0x73, 0x93, 0x17, 0x2a,
+    0xae, 0x2d, 0x8a, 0x57,     0x1e, 0x03, 0xac, 0x9c,
+    0x9e, 0xb7, 0x6f, 0xac,     0x45, 0xaf, 0x8e, 0x51,
+    0x30, 0xc8, 0x1c, 0x46,     0xa3, 0x5c, 0xe4, 0x11,
+    0xe5, 0xfb, 0xc1, 0x19,     0x1a, 0x0a, 0x52, 0xef,
+    0xf6, 0x9f, 0x24, 0x45,     0xdf, 0x4f, 0x9b, 0x17,
+    0xad, 0x2b, 0x41, 0x7b,     0xe6, 0x6c, 0x37, 0x10
+};
+#endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/* Truncation point of message for AES CMAC tests  */
+static const  unsigned int  aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
+    /* Mlen */
+    0,
+    16,
+    20,
+    64
+};
+
+/* CMAC-AES128 Test Data */
+static const unsigned char aes_128_key[16] = {
+    0x2b, 0x7e, 0x15, 0x16,     0x28, 0xae, 0xd2, 0xa6,
+    0xab, 0xf7, 0x15, 0x88,     0x09, 0xcf, 0x4f, 0x3c
+};
+static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* K1 */
+        0xfb, 0xee, 0xd6, 0x18,     0x35, 0x71, 0x33, 0x66,
+        0x7c, 0x85, 0xe0, 0x8f,     0x72, 0x36, 0xa8, 0xde
+    },
+    {
+        /* K2 */
+        0xf7, 0xdd, 0xac, 0x30,     0x6a, 0xe2, 0x66, 0xcc,
+        0xf9, 0x0b, 0xc1, 0x1e,     0xe4, 0x6d, 0x51, 0x3b
+    }
+};
+static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* Example #1 */
+        0xbb, 0x1d, 0x69, 0x29,     0xe9, 0x59, 0x37, 0x28,
+        0x7f, 0xa3, 0x7d, 0x12,     0x9b, 0x75, 0x67, 0x46
+    },
+    {
+        /* Example #2 */
+        0x07, 0x0a, 0x16, 0xb4,     0x6b, 0x4d, 0x41, 0x44,
+        0xf7, 0x9b, 0xdd, 0x9d,     0xd0, 0x4a, 0x28, 0x7c
+    },
+    {
+        /* Example #3 */
+        0x7d, 0x85, 0x44, 0x9e,     0xa6, 0xea, 0x19, 0xc8,
+        0x23, 0xa7, 0xbf, 0x78,     0x83, 0x7d, 0xfa, 0xde
+    },
+    {
+        /* Example #4 */
+        0x51, 0xf0, 0xbe, 0xbf,     0x7e, 0x3b, 0x9d, 0x92,
+        0xfc, 0x49, 0x74, 0x17,     0x79, 0x36, 0x3c, 0xfe
+    }
+};
+
+/* CMAC-AES192 Test Data */
+static const unsigned char aes_192_key[24] = {
+    0x8e, 0x73, 0xb0, 0xf7,     0xda, 0x0e, 0x64, 0x52,
+    0xc8, 0x10, 0xf3, 0x2b,     0x80, 0x90, 0x79, 0xe5,
+    0x62, 0xf8, 0xea, 0xd2,     0x52, 0x2c, 0x6b, 0x7b
+};
+static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* K1 */
+        0x44, 0x8a, 0x5b, 0x1c,     0x93, 0x51, 0x4b, 0x27,
+        0x3e, 0xe6, 0x43, 0x9d,     0xd4, 0xda, 0xa2, 0x96
+    },
+    {
+        /* K2 */
+        0x89, 0x14, 0xb6, 0x39,     0x26, 0xa2, 0x96, 0x4e,
+        0x7d, 0xcc, 0x87, 0x3b,     0xa9, 0xb5, 0x45, 0x2c
+    }
+};
+static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* Example #1 */
+        0xd1, 0x7d, 0xdf, 0x46,     0xad, 0xaa, 0xcd, 0xe5,
+        0x31, 0xca, 0xc4, 0x83,     0xde, 0x7a, 0x93, 0x67
+    },
+    {
+        /* Example #2 */
+        0x9e, 0x99, 0xa7, 0xbf,     0x31, 0xe7, 0x10, 0x90,
+        0x06, 0x62, 0xf6, 0x5e,     0x61, 0x7c, 0x51, 0x84
+    },
+    {
+        /* Example #3 */
+        0x3d, 0x75, 0xc1, 0x94,     0xed, 0x96, 0x07, 0x04,
+        0x44, 0xa9, 0xfa, 0x7e,     0xc7, 0x40, 0xec, 0xf8
+    },
+    {
+        /* Example #4 */
+        0xa1, 0xd5, 0xdf, 0x0e,     0xed, 0x79, 0x0f, 0x79,
+        0x4d, 0x77, 0x58, 0x96,     0x59, 0xf3, 0x9a, 0x11
+    }
+};
+
+/* CMAC-AES256 Test Data */
+static const unsigned char aes_256_key[32] = {
+    0x60, 0x3d, 0xeb, 0x10,     0x15, 0xca, 0x71, 0xbe,
+    0x2b, 0x73, 0xae, 0xf0,     0x85, 0x7d, 0x77, 0x81,
+    0x1f, 0x35, 0x2c, 0x07,     0x3b, 0x61, 0x08, 0xd7,
+    0x2d, 0x98, 0x10, 0xa3,     0x09, 0x14, 0xdf, 0xf4
+};
+static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* K1 */
+        0xca, 0xd1, 0xed, 0x03,     0x29, 0x9e, 0xed, 0xac,
+        0x2e, 0x9a, 0x99, 0x80,     0x86, 0x21, 0x50, 0x2f
+    },
+    {
+        /* K2 */
+        0x95, 0xa3, 0xda, 0x06,     0x53, 0x3d, 0xdb, 0x58,
+        0x5d, 0x35, 0x33, 0x01,     0x0c, 0x42, 0xa0, 0xd9
+    }
+};
+static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* Example #1 */
+        0x02, 0x89, 0x62, 0xf6,     0x1b, 0x7b, 0xf8, 0x9e,
+        0xfc, 0x6b, 0x55, 0x1f,     0x46, 0x67, 0xd9, 0x83
+    },
+    {
+        /* Example #2 */
+        0x28, 0xa7, 0x02, 0x3f,     0x45, 0x2e, 0x8f, 0x82,
+        0xbd, 0x4b, 0xf2, 0x8d,     0x8c, 0x37, 0xc3, 0x5c
+    },
+    {
+        /* Example #3 */
+        0x15, 0x67, 0x27, 0xdc,     0x08, 0x78, 0x94, 0x4a,
+        0x02, 0x3c, 0x1f, 0xe0,     0x3b, 0xad, 0x6d, 0x93
+    },
+    {
+        /* Example #4 */
+        0xe1, 0x99, 0x21, 0x90,     0x54, 0x9f, 0x6e, 0xd5,
+        0x69, 0x6a, 0x2c, 0x05,     0x6c, 0x31, 0x54, 0x10
+    }
+};
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_DES_C)
+/* Truncation point of message for 3DES CMAC tests  */
+static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
+    0,
+    16,
+    20,
+    32
+};
+
+/* CMAC-TDES (Generation) - 2 Key Test Data */
+static const unsigned char des3_2key_key[24] = {
+    /* Key1 */
+    0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef,
+    /* Key2 */
+    0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xEF, 0x01,
+    /* Key3 */
+    0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef
+};
+static const unsigned char des3_2key_subkeys[2][8] = {
+    {
+        /* K1 */
+        0x0d, 0xd2, 0xcb, 0x7a,     0x3d, 0x88, 0x88, 0xd9
+    },
+    {
+        /* K2 */
+        0x1b, 0xa5, 0x96, 0xf4,     0x7b, 0x11, 0x11, 0xb2
+    }
+};
+static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
+    {
+        /* Sample #1 */
+        0x79, 0xce, 0x52, 0xa7,     0xf7, 0x86, 0xa9, 0x60
+    },
+    {
+        /* Sample #2 */
+        0xcc, 0x18, 0xa0, 0xb7,     0x9a, 0xf2, 0x41, 0x3b
+    },
+    {
+        /* Sample #3 */
+        0xc0, 0x6d, 0x37, 0x7e,     0xcd, 0x10, 0x19, 0x69
+    },
+    {
+        /* Sample #4 */
+        0x9c, 0xd3, 0x35, 0x80,     0xf9, 0xb6, 0x4d, 0xfb
+    }
+};
+
+/* CMAC-TDES (Generation) - 3 Key Test Data */
+static const unsigned char des3_3key_key[24] = {
+    /* Key1 */
+    0x01, 0x23, 0x45, 0x67,     0x89, 0xaa, 0xcd, 0xef,
+    /* Key2 */
+    0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xef, 0x01,
+    /* Key3 */
+    0x45, 0x67, 0x89, 0xab,     0xcd, 0xef, 0x01, 0x23
+};
+static const unsigned char des3_3key_subkeys[2][8] = {
+    {
+        /* K1 */
+        0x9d, 0x74, 0xe7, 0x39,     0x33, 0x17, 0x96, 0xc0
+    },
+    {
+        /* K2 */
+        0x3a, 0xe9, 0xce, 0x72,     0x66, 0x2f, 0x2d, 0x9b
+    }
+};
+static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
+    {
+        /* Sample #1 */
+        0x7d, 0xb0, 0xd3, 0x7d,     0xf9, 0x36, 0xc5, 0x50
+    },
+    {
+        /* Sample #2 */
+        0x30, 0x23, 0x9c, 0xf1,     0xf5, 0x2e, 0x66, 0x09
+    },
+    {
+        /* Sample #3 */
+        0x6c, 0x9f, 0x3e, 0xe4,     0x92, 0x3f, 0x6b, 0xe2
+    },
+    {
+        /* Sample #4 */
+        0x99, 0x42, 0x9b, 0xd0,     0xbF, 0x79, 0x04, 0xe5
+    }
+};
+
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/* AES AES-CMAC-PRF-128 Test Data */
+static const unsigned char PRFK[] = {
+    /* Key */
+    0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
+    0xed, 0xcb
+};
+
+/* Sizes in bytes */
+static const size_t PRFKlen[NB_PRF_TESTS] = {
+    18,
+    16,
+    10
+};
+
+/* Message */
+static const unsigned char PRFM[] = {
+    0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
+    0x10, 0x11, 0x12, 0x13
+};
+
+static const unsigned char PRFT[NB_PRF_TESTS][16] = {
+    {
+        0x84, 0xa3, 0x48, 0xa4,     0xa4, 0x5d, 0x23, 0x5b,
+        0xab, 0xff, 0xfc, 0x0d,     0x2b, 0x4d, 0xa0, 0x9a
+    },
+    {
+        0x98, 0x0a, 0xe8, 0x7b,     0x5f, 0x4c, 0x9c, 0x52,
+        0x14, 0xf5, 0xb6, 0xa8,     0x45, 0x5e, 0x4c, 0x2d
+    },
+    {
+        0x29, 0x0d, 0x9e, 0x11,     0x2e, 0xdb, 0x09, 0xee,
+        0x14, 0x1f, 0xcf, 0x64,     0xc0, 0xb7, 0x2f, 0x3d
+    }
+};
+#endif /* MBEDTLS_AES_C */
+
+static int cmac_test_subkeys( int verbose,
+                              const char* testname,
+                              const unsigned char* key,
+                              int keybits,
+                              const unsigned char* subkeys,
+                              mbedtls_cipher_type_t cipher_type,
+                              int block_size,
+                              int num_tests )
+{
+    int i, ret = 0;
+    mbedtls_cipher_context_t ctx;
+    const mbedtls_cipher_info_t *cipher_info;
+    unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher_type );
+    if( cipher_info == NULL )
+    {
+        /* Failing at this point must be due to a build issue */
+        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+    }
+
+    for( i = 0; i < num_tests; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  %s CMAC subkey #%u: ", testname, i + 1 );
+
+        mbedtls_cipher_init( &ctx );
+
+        if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "test execution failed\n" );
+
+            goto cleanup;
+        }
+
+        if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
+                                       MBEDTLS_ENCRYPT ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "test execution failed\n" );
+
+            goto cleanup;
+        }
+
+        ret = cmac_generate_subkeys( &ctx, K1, K2 );
+        if( ret != 0 )
+        {
+           if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            goto cleanup;
+        }
+
+        if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0  ||
+            ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            goto cleanup;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+
+        mbedtls_cipher_free( &ctx );
+    }
+
+    ret = 0;
+    goto exit;
+
+cleanup:
+    mbedtls_cipher_free( &ctx );
+
+exit:
+    return( ret );
+}
+
+static int cmac_test_wth_cipher( int verbose,
+                                 const char* testname,
+                                 const unsigned char* key,
+                                 int keybits,
+                                 const unsigned char* messages,
+                                 const unsigned int message_lengths[4],
+                                 const unsigned char* expected_result,
+                                 mbedtls_cipher_type_t cipher_type,
+                                 int block_size,
+                                 int num_tests )
+{
+    const mbedtls_cipher_info_t *cipher_info;
+    int i, ret = 0;
+    unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher_type );
+    if( cipher_info == NULL )
+    {
+        /* Failing at this point must be due to a build issue */
+        ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+        goto exit;
+    }
+
+    for( i = 0; i < num_tests; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  %s CMAC #%u: ", testname, i + 1 );
+
+        if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
+                                         message_lengths[i], output ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+            goto exit;
+        }
+
+        if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+    ret = 0;
+
+exit:
+    return( ret );
+}
+
+#if defined(MBEDTLS_AES_C)
+static int test_aes128_cmac_prf( int verbose )
+{
+    int i;
+    int ret;
+    unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
+
+    for( i = 0; i < NB_PRF_TESTS; i++ )
+    {
+        mbedtls_printf( "  AES CMAC 128 PRF #%u: ", i );
+        ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
+        if( ret != 0 ||
+            memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
+        {
+
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            return( ret );
+        }
+        else if( verbose != 0 )
+        {
+            mbedtls_printf( "passed\n" );
+        }
+    }
+    return( ret );
+}
+#endif /* MBEDTLS_AES_C */
+
+int mbedtls_cmac_self_test( int verbose )
+{
+    int ret;
+
+#if defined(MBEDTLS_AES_C)
+    /* AES-128 */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "AES 128",
+                                   aes_128_key,
+                                   128,
+                                   (const unsigned char*)aes_128_subkeys,
+                                   MBEDTLS_CIPHER_AES_128_ECB,
+                                   MBEDTLS_AES_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher( verbose,
+                                      "AES 128",
+                                      aes_128_key,
+                                      128,
+                                      test_message,
+                                      aes_message_lengths,
+                                      (const unsigned char*)aes_128_expected_result,
+                                      MBEDTLS_CIPHER_AES_128_ECB,
+                                      MBEDTLS_AES_BLOCK_SIZE,
+                                      NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* AES-192 */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "AES 192",
+                                   aes_192_key,
+                                   192,
+                                   (const unsigned char*)aes_192_subkeys,
+                                   MBEDTLS_CIPHER_AES_192_ECB,
+                                   MBEDTLS_AES_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher( verbose,
+                                      "AES 192",
+                                      aes_192_key,
+                                      192,
+                                      test_message,
+                                      aes_message_lengths,
+                                      (const unsigned char*)aes_192_expected_result,
+                                      MBEDTLS_CIPHER_AES_192_ECB,
+                                      MBEDTLS_AES_BLOCK_SIZE,
+                                      NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* AES-256 */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "AES 256",
+                                   aes_256_key,
+                                   256,
+                                   (const unsigned char*)aes_256_subkeys,
+                                   MBEDTLS_CIPHER_AES_256_ECB,
+                                   MBEDTLS_AES_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher ( verbose,
+                                       "AES 256",
+                                       aes_256_key,
+                                       256,
+                                       test_message,
+                                       aes_message_lengths,
+                                       (const unsigned char*)aes_256_expected_result,
+                                       MBEDTLS_CIPHER_AES_256_ECB,
+                                       MBEDTLS_AES_BLOCK_SIZE,
+                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_DES_C)
+    /* 3DES 2 key */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "3DES 2 key",
+                                   des3_2key_key,
+                                   192,
+                                   (const unsigned char*)des3_2key_subkeys,
+                                   MBEDTLS_CIPHER_DES_EDE3_ECB,
+                                   MBEDTLS_DES3_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher( verbose,
+                                      "3DES 2 key",
+                                      des3_2key_key,
+                                      192,
+                                      test_message,
+                                      des3_message_lengths,
+                                      (const unsigned char*)des3_2key_expected_result,
+                                      MBEDTLS_CIPHER_DES_EDE3_ECB,
+                                      MBEDTLS_DES3_BLOCK_SIZE,
+                                      NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* 3DES 3 key */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "3DES 3 key",
+                                   des3_3key_key,
+                                   192,
+                                   (const unsigned char*)des3_3key_subkeys,
+                                   MBEDTLS_CIPHER_DES_EDE3_ECB,
+                                   MBEDTLS_DES3_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher( verbose,
+                                      "3DES 3 key",
+                                      des3_3key_key,
+                                      192,
+                                      test_message,
+                                      des3_message_lengths,
+                                      (const unsigned char*)des3_3key_expected_result,
+                                      MBEDTLS_CIPHER_DES_EDE3_ECB,
+                                      MBEDTLS_DES3_BLOCK_SIZE,
+                                      NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+    if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
+        return( ret );
+#endif /* MBEDTLS_AES_C */
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CMAC_C */
diff --git a/third-party/mbedtls-3.6/library/ctr_drbg.c b/third-party/mbedtls-3.6/library/ctr_drbg.c
new file mode 100644
index 00000000..e275f1a7
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ctr_drbg.c
@@ -0,0 +1,696 @@
+/*
+ *  CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The NIST SP 800-90 DRBGs are described in the following publication.
+ *
+ *  http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+
+#include "mbedtls/ctr_drbg.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * CTR_DRBG context initialization
+ */
+void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
+
+    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
+}
+
+/*
+ *  This function resets CTR_DRBG context to the state immediately
+ *  after initial call of mbedtls_ctr_drbg_init().
+ */
+void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+#if defined(MBEDTLS_THREADING_C)
+    /* The mutex is initialized iff f_entropy is set. */
+    if( ctx->f_entropy != NULL )
+        mbedtls_mutex_free( &ctx->mutex );
+#endif
+    mbedtls_aes_free( &ctx->aes_ctx );
+    mbedtls_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
+    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
+}
+
+void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, int resistance )
+{
+    ctx->prediction_resistance = resistance;
+}
+
+void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx, size_t len )
+{
+    ctx->entropy_len = len;
+}
+
+void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx, int interval )
+{
+    ctx->reseed_interval = interval;
+}
+
+static int block_cipher_df( unsigned char *output,
+                            const unsigned char *data, size_t data_len )
+{
+    unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
+    unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
+    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
+    unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
+    unsigned char *p, *iv;
+    mbedtls_aes_context aes_ctx;
+    int ret = 0;
+
+    int i, j;
+    size_t buf_len, use_len;
+
+    if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
+        return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
+
+    memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 );
+    mbedtls_aes_init( &aes_ctx );
+
+    /*
+     * Construct IV (16 bytes) and S in buffer
+     * IV = Counter (in 32-bits) padded to 16 with zeroes
+     * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
+     *     data || 0x80
+     *     (Total is padded to a multiple of 16-bytes with zeroes)
+     */
+    p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
+    *p++ = ( data_len >> 24 ) & 0xff;
+    *p++ = ( data_len >> 16 ) & 0xff;
+    *p++ = ( data_len >> 8  ) & 0xff;
+    *p++ = ( data_len       ) & 0xff;
+    p += 3;
+    *p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
+    memcpy( p, data, data_len );
+    p[data_len] = 0x80;
+
+    buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
+
+    for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
+        key[i] = i;
+
+    if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+    {
+        goto exit;
+    }
+
+    /*
+     * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
+     */
+    for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
+    {
+        p = buf;
+        memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+        use_len = buf_len;
+
+        while( use_len > 0 )
+        {
+            for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ )
+                chain[i] ^= p[i];
+            p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+            use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ?
+                       MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
+
+            if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain ) ) != 0 )
+            {
+                goto exit;
+            }
+        }
+
+        memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+
+        /*
+         * Update IV
+         */
+        buf[3]++;
+    }
+
+    /*
+     * Do final encryption with reduced data
+     */
+    if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+    {
+        goto exit;
+    }
+    iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
+    p = output;
+
+    for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
+    {
+        if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv ) ) != 0 )
+        {
+            goto exit;
+        }
+        memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+        p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+    }
+exit:
+    mbedtls_aes_free( &aes_ctx );
+    /*
+    * tidy up the stack
+    */
+    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_zeroize( key, sizeof( key ) );
+    mbedtls_zeroize( chain, sizeof( chain ) );
+    if( 0 != ret )
+    {
+        /*
+        * wipe partial seed from memory
+        */
+        mbedtls_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN );
+    }
+
+    return( ret );
+}
+
+static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
+                              const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
+{
+    unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
+    unsigned char *p = tmp;
+    int i, j;
+    int ret = 0;
+
+    memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
+
+    for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
+    {
+        /*
+         * Increase counter
+         */
+        for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
+            if( ++ctx->counter[i - 1] != 0 )
+                break;
+
+        /*
+         * Crypt counter block
+         */
+        if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p ) ) != 0 )
+            goto exit;
+
+        p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+    }
+
+    for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ )
+        tmp[i] ^= data[i];
+
+    /*
+     * Update key and counter
+     */
+    if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+        goto exit;
+    memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+
+exit:
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
+    return( ret );
+}
+
+int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
+                                 const unsigned char *additional,
+                                 size_t add_len )
+{
+    unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
+    int ret;
+
+    if( add_len == 0 )
+        return( 0 );
+
+    if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
+        goto exit;
+    if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_zeroize( add_input, sizeof( add_input ) );
+    return( ret );
+}
+
+/* Deprecated function, kept for backward compatibility. */
+void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
+                              const unsigned char *additional,
+                              size_t add_len )
+{
+    /* MAX_INPUT would be more logical here, but we have to match
+     * block_cipher_df()'s limits since we can't propagate errors */
+    if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
+        add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
+    (void) mbedtls_ctr_drbg_update_ret( ctx, additional, add_len );
+}
+
+int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
+                     const unsigned char *additional, size_t len )
+{
+    unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
+    size_t seedlen = 0;
+    int ret;
+
+    if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ||
+        len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
+        return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
+
+    memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
+
+    /*
+     * Gather entropy_len bytes of entropy to seed state
+     */
+    if( 0 != ctx->f_entropy( ctx->p_entropy, seed,
+                             ctx->entropy_len ) )
+    {
+        return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
+    }
+
+    seedlen += ctx->entropy_len;
+
+    /*
+     * Add additional data
+     */
+    if( additional && len )
+    {
+        memcpy( seed + seedlen, additional, len );
+        seedlen += len;
+    }
+
+    /*
+     * Reduce to 384 bits
+     */
+    if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 )
+        goto exit;
+
+    /*
+     * Update state
+     */
+    if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 )
+        goto exit;
+    ctx->reseed_counter = 1;
+
+exit:
+    mbedtls_zeroize( seed, sizeof( seed ) );
+    return( ret );
+}
+
+int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
+                           int (*f_entropy)(void *, unsigned char *, size_t),
+                           void *p_entropy,
+                           const unsigned char *custom,
+                           size_t len )
+{
+    int ret;
+    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
+
+    memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
+
+    /* The mutex is initialized iff f_entropy is set. */
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+
+    mbedtls_aes_init( &ctx->aes_ctx );
+
+    ctx->f_entropy = f_entropy;
+    ctx->p_entropy = p_entropy;
+
+    if( ctx->entropy_len == 0 )
+        ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
+
+    /*
+     * Initialize with an empty key
+     */
+    if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
+    {
+        return( ret );
+    }
+    return( 0 );
+}
+
+/* Backward compatibility wrapper */
+int mbedtls_ctr_drbg_seed_entropy_len(
+    mbedtls_ctr_drbg_context *ctx,
+    int (*f_entropy)(void *, unsigned char *, size_t), void *p_entropy,
+    const unsigned char *custom, size_t len,
+    size_t entropy_len )
+{
+    mbedtls_ctr_drbg_set_entropy_len( ctx, entropy_len );
+    return( mbedtls_ctr_drbg_seed( ctx, f_entropy, p_entropy, custom, len ) );
+}
+
+int mbedtls_ctr_drbg_random_with_add( void *p_rng,
+                              unsigned char *output, size_t output_len,
+                              const unsigned char *additional, size_t add_len )
+{
+    int ret = 0;
+    mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
+    unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
+    unsigned char *p = output;
+    unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
+    int i;
+    size_t use_len;
+
+    if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST )
+        return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG );
+
+    if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT )
+        return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
+
+    memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
+
+    if( ctx->reseed_counter > ctx->reseed_interval ||
+        ctx->prediction_resistance )
+    {
+        if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
+        {
+            return( ret );
+        }
+        add_len = 0;
+    }
+
+    if( add_len > 0 )
+    {
+        if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
+            goto exit;
+        if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
+            goto exit;
+    }
+
+    while( output_len > 0 )
+    {
+        /*
+         * Increase counter
+         */
+        for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
+            if( ++ctx->counter[i - 1] != 0 )
+                break;
+
+        /*
+         * Crypt counter block
+         */
+        if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp ) ) != 0 )
+            goto exit;
+
+        use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE :
+                                                       output_len;
+        /*
+         * Copy random block to destination
+         */
+        memcpy( p, tmp, use_len );
+        p += use_len;
+        output_len -= use_len;
+    }
+
+    if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
+        goto exit;
+
+    ctx->reseed_counter++;
+
+exit:
+    mbedtls_zeroize( add_input, sizeof( add_input ) );
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
+    return( ret );
+}
+
+int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
+{
+    int ret;
+    mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path )
+{
+    int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+    FILE *f;
+    unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
+
+    if( ( f = fopen( path, "wb" ) ) == NULL )
+        return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
+
+    if( ( ret = mbedtls_ctr_drbg_random( ctx, buf, MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
+        goto exit;
+
+    if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) != MBEDTLS_CTR_DRBG_MAX_INPUT )
+        ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+    else
+        ret = 0;
+
+exit:
+    mbedtls_zeroize( buf, sizeof( buf ) );
+
+    fclose( f );
+    return( ret );
+}
+
+int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path )
+{
+    int ret = 0;
+    FILE *f;
+    size_t n;
+    unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
+
+    fseek( f, 0, SEEK_END );
+    n = (size_t) ftell( f );
+    fseek( f, 0, SEEK_SET );
+
+    if( n > MBEDTLS_CTR_DRBG_MAX_INPUT )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
+    }
+
+    if( fread( buf, 1, n, f ) != n )
+        ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+    else
+        ret = mbedtls_ctr_drbg_update_ret( ctx, buf, n );
+
+    fclose( f );
+
+    mbedtls_zeroize( buf, sizeof( buf ) );
+
+    if( ret != 0 )
+        return( ret );
+
+    return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char entropy_source_pr[96] =
+    { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
+      0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
+      0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
+      0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
+      0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
+      0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
+      0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
+      0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
+      0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
+      0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
+      0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
+      0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 };
+
+static const unsigned char entropy_source_nopr[64] =
+    { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
+      0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
+      0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
+      0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
+      0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
+      0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
+      0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
+      0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e };
+
+static const unsigned char nonce_pers_pr[16] =
+    { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
+      0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c };
+
+static const unsigned char nonce_pers_nopr[16] =
+    { 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
+      0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f };
+
+static const unsigned char result_pr[16] =
+    { 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
+      0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 };
+
+static const unsigned char result_nopr[16] =
+    { 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
+      0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f };
+
+static size_t test_offset;
+static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf,
+                                       size_t len )
+{
+    const unsigned char *p = data;
+    memcpy( buf, p + test_offset, len );
+    test_offset += len;
+    return( 0 );
+}
+
+#define CHK( c )    if( (c) != 0 )                          \
+                    {                                       \
+                        if( verbose != 0 )                  \
+                            mbedtls_printf( "failed\n" );  \
+                        return( 1 );                        \
+                    }
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ctr_drbg_self_test( int verbose )
+{
+    mbedtls_ctr_drbg_context ctx;
+    unsigned char buf[16];
+
+    mbedtls_ctr_drbg_init( &ctx );
+
+    /*
+     * Based on a NIST CTR_DRBG test vector (PR = True)
+     */
+    if( verbose != 0 )
+        mbedtls_printf( "  CTR_DRBG (PR = TRUE) : " );
+
+    test_offset = 0;
+    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
+    CHK( mbedtls_ctr_drbg_seed( &ctx,
+                                ctr_drbg_self_test_entropy,
+                                (void *) entropy_source_pr,
+                                nonce_pers_pr, 16 ) );
+    mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
+    CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
+    CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
+    CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
+
+    mbedtls_ctr_drbg_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    /*
+     * Based on a NIST CTR_DRBG test vector (PR = FALSE)
+     */
+    if( verbose != 0 )
+        mbedtls_printf( "  CTR_DRBG (PR = FALSE): " );
+
+    mbedtls_ctr_drbg_init( &ctx );
+
+    test_offset = 0;
+    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
+    CHK( mbedtls_ctr_drbg_seed( &ctx,
+                                ctr_drbg_self_test_entropy,
+                                (void *) entropy_source_nopr,
+                                nonce_pers_nopr, 16 ) );
+    CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
+    CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
+    CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
+    CHK( memcmp( buf, result_nopr, 16 ) );
+
+    mbedtls_ctr_drbg_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+            mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CTR_DRBG_C */
diff --git a/third-party/mbedtls-3.6/library/debug.c b/third-party/mbedtls-3.6/library/debug.c
new file mode 100644
index 00000000..25951eac
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/debug.c
@@ -0,0 +1,425 @@
+/*
+ *  Debugging routines
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_DEBUG_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc      calloc
+#define mbedtls_free        free
+#define mbedtls_time_t      time_t
+#define mbedtls_snprintf    snprintf
+#endif
+
+#include "mbedtls/debug.h"
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#define DEBUG_BUF_SIZE      512
+
+static int debug_threshold = 0;
+
+void mbedtls_debug_set_threshold( int threshold )
+{
+    debug_threshold = threshold;
+}
+
+/*
+ * All calls to f_dbg must be made via this function
+ */
+static inline void debug_send_line( const mbedtls_ssl_context *ssl, int level,
+                                    const char *file, int line,
+                                    const char *str )
+{
+    /*
+     * If in a threaded environment, we need a thread identifier.
+     * Since there is no portable way to get one, use the address of the ssl
+     * context instead, as it shouldn't be shared between threads.
+     */
+#if defined(MBEDTLS_THREADING_C)
+    char idstr[20 + DEBUG_BUF_SIZE]; /* 0x + 16 nibbles + ': ' */
+    mbedtls_snprintf( idstr, sizeof( idstr ), "%p: %s", (void*)ssl, str );
+    ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, idstr );
+#else
+    ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str );
+#endif
+}
+
+void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
+                              const char *file, int line,
+                              const char *format, ... )
+{
+    va_list argp;
+    char str[DEBUG_BUF_SIZE];
+    int ret;
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    va_start( argp, format );
+#if defined(_WIN32)
+#if defined(_TRUNCATE) && !defined(__MINGW32__)
+    ret = _vsnprintf_s( str, DEBUG_BUF_SIZE, _TRUNCATE, format, argp );
+#else
+    ret = _vsnprintf( str, DEBUG_BUF_SIZE, format, argp );
+    if( ret < 0 || (size_t) ret == DEBUG_BUF_SIZE )
+    {
+        str[DEBUG_BUF_SIZE-1] = '\0';
+        ret = -1;
+    }
+#endif
+#else
+    ret = vsnprintf( str, DEBUG_BUF_SIZE, format, argp );
+#endif
+    va_end( argp );
+
+    if( ret >= 0 && ret < DEBUG_BUF_SIZE - 1 )
+    {
+        str[ret]     = '\n';
+        str[ret + 1] = '\0';
+    }
+
+    debug_send_line( ssl, level, file, line, str );
+}
+
+void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, int ret )
+{
+    char str[DEBUG_BUF_SIZE];
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    /*
+     * With non-blocking I/O and examples that just retry immediately,
+     * the logs would be quickly flooded with WANT_READ, so ignore that.
+     * Don't ignore WANT_WRITE however, since is is usually rare.
+     */
+    if( ret == MBEDTLS_ERR_SSL_WANT_READ )
+        return;
+
+    mbedtls_snprintf( str, sizeof( str ), "%s() returned %d (-0x%04x)\n",
+              text, ret, -ret );
+
+    debug_send_line( ssl, level, file, line, str );
+}
+
+void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line, const char *text,
+                      const unsigned char *buf, size_t len )
+{
+    char str[DEBUG_BUF_SIZE];
+    char txt[17];
+    size_t i, idx = 0;
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    mbedtls_snprintf( str + idx, sizeof( str ) - idx, "dumping '%s' (%u bytes)\n",
+              text, (unsigned int) len );
+
+    debug_send_line( ssl, level, file, line, str );
+
+    idx = 0;
+    memset( txt, 0, sizeof( txt ) );
+    for( i = 0; i < len; i++ )
+    {
+        if( i >= 4096 )
+            break;
+
+        if( i % 16 == 0 )
+        {
+            if( i > 0 )
+            {
+                mbedtls_snprintf( str + idx, sizeof( str ) - idx, "  %s\n", txt );
+                debug_send_line( ssl, level, file, line, str );
+
+                idx = 0;
+                memset( txt, 0, sizeof( txt ) );
+            }
+
+            idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, "%04x: ",
+                             (unsigned int) i );
+
+        }
+
+        idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x",
+                         (unsigned int) buf[i] );
+        txt[i % 16] = ( buf[i] > 31 && buf[i] < 127 ) ? buf[i] : '.' ;
+    }
+
+    if( len > 0 )
+    {
+        for( /* i = i */; i % 16 != 0; i++ )
+            idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, "   " );
+
+        mbedtls_snprintf( str + idx, sizeof( str ) - idx, "  %s\n", txt );
+        debug_send_line( ssl, level, file, line, str );
+    }
+}
+
+#if defined(MBEDTLS_ECP_C)
+void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_ecp_point *X )
+{
+    char str[DEBUG_BUF_SIZE];
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    mbedtls_snprintf( str, sizeof( str ), "%s(X)", text );
+    mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->X );
+
+    mbedtls_snprintf( str, sizeof( str ), "%s(Y)", text );
+    mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->Y );
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_BIGNUM_C)
+void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_mpi *X )
+{
+    char str[DEBUG_BUF_SIZE];
+    int j, k, zeros = 1;
+    size_t i, n, idx = 0;
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        NULL == X                ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    for( n = X->n - 1; n > 0; n-- )
+        if( X->p[n] != 0 )
+            break;
+
+    for( j = ( sizeof(mbedtls_mpi_uint) << 3 ) - 1; j >= 0; j-- )
+        if( ( ( X->p[n] >> j ) & 1 ) != 0 )
+            break;
+
+    mbedtls_snprintf( str + idx, sizeof( str ) - idx, "value of '%s' (%d bits) is:\n",
+              text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) );
+
+    debug_send_line( ssl, level, file, line, str );
+
+    idx = 0;
+    for( i = n + 1, j = 0; i > 0; i-- )
+    {
+        if( zeros && X->p[i - 1] == 0 )
+            continue;
+
+        for( k = sizeof( mbedtls_mpi_uint ) - 1; k >= 0; k-- )
+        {
+            if( zeros && ( ( X->p[i - 1] >> ( k << 3 ) ) & 0xFF ) == 0 )
+                continue;
+            else
+                zeros = 0;
+
+            if( j % 16 == 0 )
+            {
+                if( j > 0 )
+                {
+                    mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
+                    debug_send_line( ssl, level, file, line, str );
+                    idx = 0;
+                }
+            }
+
+            idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x", (unsigned int)
+                             ( X->p[i - 1] >> ( k << 3 ) ) & 0xFF );
+
+            j++;
+        }
+
+    }
+
+    if( zeros == 1 )
+        idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " 00" );
+
+    mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
+    debug_send_line( ssl, level, file, line, str );
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static void debug_print_pk( const mbedtls_ssl_context *ssl, int level,
+                            const char *file, int line,
+                            const char *text, const mbedtls_pk_context *pk )
+{
+    size_t i;
+    mbedtls_pk_debug_item items[MBEDTLS_PK_DEBUG_MAX_ITEMS];
+    char name[16];
+
+    memset( items, 0, sizeof( items ) );
+
+    if( mbedtls_pk_debug( pk, items ) != 0 )
+    {
+        debug_send_line( ssl, level, file, line,
+                          "invalid PK context\n" );
+        return;
+    }
+
+    for( i = 0; i < MBEDTLS_PK_DEBUG_MAX_ITEMS; i++ )
+    {
+        if( items[i].type == MBEDTLS_PK_DEBUG_NONE )
+            return;
+
+        mbedtls_snprintf( name, sizeof( name ), "%s%s", text, items[i].name );
+        name[sizeof( name ) - 1] = '\0';
+
+        if( items[i].type == MBEDTLS_PK_DEBUG_MPI )
+            mbedtls_debug_print_mpi( ssl, level, file, line, name, items[i].value );
+        else
+#if defined(MBEDTLS_ECP_C)
+        if( items[i].type == MBEDTLS_PK_DEBUG_ECP )
+            mbedtls_debug_print_ecp( ssl, level, file, line, name, items[i].value );
+        else
+#endif
+            debug_send_line( ssl, level, file, line,
+                              "should not happen\n" );
+    }
+}
+
+static void debug_print_line_by_line( const mbedtls_ssl_context *ssl, int level,
+                                      const char *file, int line, const char *text )
+{
+    char str[DEBUG_BUF_SIZE];
+    const char *start, *cur;
+
+    start = text;
+    for( cur = text; *cur != '\0'; cur++ )
+    {
+        if( *cur == '\n' )
+        {
+            size_t len = cur - start + 1;
+            if( len > DEBUG_BUF_SIZE - 1 )
+                len = DEBUG_BUF_SIZE - 1;
+
+            memcpy( str, start, len );
+            str[len] = '\0';
+
+            debug_send_line( ssl, level, file, line, str );
+
+            start = cur + 1;
+        }
+    }
+}
+
+void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_x509_crt *crt )
+{
+    char str[DEBUG_BUF_SIZE];
+    int i = 0;
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        NULL == crt              ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    while( crt != NULL )
+    {
+        char buf[1024];
+
+        mbedtls_snprintf( str, sizeof( str ), "%s #%d:\n", text, ++i );
+        debug_send_line( ssl, level, file, line, str );
+
+        mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
+        debug_print_line_by_line( ssl, level, file, line, buf );
+
+        debug_print_pk( ssl, level, file, line, "crt->", &crt->pk );
+
+        crt = crt->next;
+    }
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#endif /* MBEDTLS_DEBUG_C */
diff --git a/third-party/mbedtls-3.6/library/des.c b/third-party/mbedtls-3.6/library/des.c
new file mode 100644
index 00000000..f68dba0b
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/des.c
@@ -0,0 +1,1086 @@
+/*
+ *  FIPS-46-3 compliant Triple-DES implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  DES, on which TDES is based, was originally designed by Horst Feistel
+ *  at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
+ *
+ *  http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_DES_C)
+
+#include "mbedtls/des.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_DES_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+/*
+ * Expanded DES S-boxes
+ */
+static const uint32_t SB1[64] =
+{
+    0x01010400, 0x00000000, 0x00010000, 0x01010404,
+    0x01010004, 0x00010404, 0x00000004, 0x00010000,
+    0x00000400, 0x01010400, 0x01010404, 0x00000400,
+    0x01000404, 0x01010004, 0x01000000, 0x00000004,
+    0x00000404, 0x01000400, 0x01000400, 0x00010400,
+    0x00010400, 0x01010000, 0x01010000, 0x01000404,
+    0x00010004, 0x01000004, 0x01000004, 0x00010004,
+    0x00000000, 0x00000404, 0x00010404, 0x01000000,
+    0x00010000, 0x01010404, 0x00000004, 0x01010000,
+    0x01010400, 0x01000000, 0x01000000, 0x00000400,
+    0x01010004, 0x00010000, 0x00010400, 0x01000004,
+    0x00000400, 0x00000004, 0x01000404, 0x00010404,
+    0x01010404, 0x00010004, 0x01010000, 0x01000404,
+    0x01000004, 0x00000404, 0x00010404, 0x01010400,
+    0x00000404, 0x01000400, 0x01000400, 0x00000000,
+    0x00010004, 0x00010400, 0x00000000, 0x01010004
+};
+
+static const uint32_t SB2[64] =
+{
+    0x80108020, 0x80008000, 0x00008000, 0x00108020,
+    0x00100000, 0x00000020, 0x80100020, 0x80008020,
+    0x80000020, 0x80108020, 0x80108000, 0x80000000,
+    0x80008000, 0x00100000, 0x00000020, 0x80100020,
+    0x00108000, 0x00100020, 0x80008020, 0x00000000,
+    0x80000000, 0x00008000, 0x00108020, 0x80100000,
+    0x00100020, 0x80000020, 0x00000000, 0x00108000,
+    0x00008020, 0x80108000, 0x80100000, 0x00008020,
+    0x00000000, 0x00108020, 0x80100020, 0x00100000,
+    0x80008020, 0x80100000, 0x80108000, 0x00008000,
+    0x80100000, 0x80008000, 0x00000020, 0x80108020,
+    0x00108020, 0x00000020, 0x00008000, 0x80000000,
+    0x00008020, 0x80108000, 0x00100000, 0x80000020,
+    0x00100020, 0x80008020, 0x80000020, 0x00100020,
+    0x00108000, 0x00000000, 0x80008000, 0x00008020,
+    0x80000000, 0x80100020, 0x80108020, 0x00108000
+};
+
+static const uint32_t SB3[64] =
+{
+    0x00000208, 0x08020200, 0x00000000, 0x08020008,
+    0x08000200, 0x00000000, 0x00020208, 0x08000200,
+    0x00020008, 0x08000008, 0x08000008, 0x00020000,
+    0x08020208, 0x00020008, 0x08020000, 0x00000208,
+    0x08000000, 0x00000008, 0x08020200, 0x00000200,
+    0x00020200, 0x08020000, 0x08020008, 0x00020208,
+    0x08000208, 0x00020200, 0x00020000, 0x08000208,
+    0x00000008, 0x08020208, 0x00000200, 0x08000000,
+    0x08020200, 0x08000000, 0x00020008, 0x00000208,
+    0x00020000, 0x08020200, 0x08000200, 0x00000000,
+    0x00000200, 0x00020008, 0x08020208, 0x08000200,
+    0x08000008, 0x00000200, 0x00000000, 0x08020008,
+    0x08000208, 0x00020000, 0x08000000, 0x08020208,
+    0x00000008, 0x00020208, 0x00020200, 0x08000008,
+    0x08020000, 0x08000208, 0x00000208, 0x08020000,
+    0x00020208, 0x00000008, 0x08020008, 0x00020200
+};
+
+static const uint32_t SB4[64] =
+{
+    0x00802001, 0x00002081, 0x00002081, 0x00000080,
+    0x00802080, 0x00800081, 0x00800001, 0x00002001,
+    0x00000000, 0x00802000, 0x00802000, 0x00802081,
+    0x00000081, 0x00000000, 0x00800080, 0x00800001,
+    0x00000001, 0x00002000, 0x00800000, 0x00802001,
+    0x00000080, 0x00800000, 0x00002001, 0x00002080,
+    0x00800081, 0x00000001, 0x00002080, 0x00800080,
+    0x00002000, 0x00802080, 0x00802081, 0x00000081,
+    0x00800080, 0x00800001, 0x00802000, 0x00802081,
+    0x00000081, 0x00000000, 0x00000000, 0x00802000,
+    0x00002080, 0x00800080, 0x00800081, 0x00000001,
+    0x00802001, 0x00002081, 0x00002081, 0x00000080,
+    0x00802081, 0x00000081, 0x00000001, 0x00002000,
+    0x00800001, 0x00002001, 0x00802080, 0x00800081,
+    0x00002001, 0x00002080, 0x00800000, 0x00802001,
+    0x00000080, 0x00800000, 0x00002000, 0x00802080
+};
+
+static const uint32_t SB5[64] =
+{
+    0x00000100, 0x02080100, 0x02080000, 0x42000100,
+    0x00080000, 0x00000100, 0x40000000, 0x02080000,
+    0x40080100, 0x00080000, 0x02000100, 0x40080100,
+    0x42000100, 0x42080000, 0x00080100, 0x40000000,
+    0x02000000, 0x40080000, 0x40080000, 0x00000000,
+    0x40000100, 0x42080100, 0x42080100, 0x02000100,
+    0x42080000, 0x40000100, 0x00000000, 0x42000000,
+    0x02080100, 0x02000000, 0x42000000, 0x00080100,
+    0x00080000, 0x42000100, 0x00000100, 0x02000000,
+    0x40000000, 0x02080000, 0x42000100, 0x40080100,
+    0x02000100, 0x40000000, 0x42080000, 0x02080100,
+    0x40080100, 0x00000100, 0x02000000, 0x42080000,
+    0x42080100, 0x00080100, 0x42000000, 0x42080100,
+    0x02080000, 0x00000000, 0x40080000, 0x42000000,
+    0x00080100, 0x02000100, 0x40000100, 0x00080000,
+    0x00000000, 0x40080000, 0x02080100, 0x40000100
+};
+
+static const uint32_t SB6[64] =
+{
+    0x20000010, 0x20400000, 0x00004000, 0x20404010,
+    0x20400000, 0x00000010, 0x20404010, 0x00400000,
+    0x20004000, 0x00404010, 0x00400000, 0x20000010,
+    0x00400010, 0x20004000, 0x20000000, 0x00004010,
+    0x00000000, 0x00400010, 0x20004010, 0x00004000,
+    0x00404000, 0x20004010, 0x00000010, 0x20400010,
+    0x20400010, 0x00000000, 0x00404010, 0x20404000,
+    0x00004010, 0x00404000, 0x20404000, 0x20000000,
+    0x20004000, 0x00000010, 0x20400010, 0x00404000,
+    0x20404010, 0x00400000, 0x00004010, 0x20000010,
+    0x00400000, 0x20004000, 0x20000000, 0x00004010,
+    0x20000010, 0x20404010, 0x00404000, 0x20400000,
+    0x00404010, 0x20404000, 0x00000000, 0x20400010,
+    0x00000010, 0x00004000, 0x20400000, 0x00404010,
+    0x00004000, 0x00400010, 0x20004010, 0x00000000,
+    0x20404000, 0x20000000, 0x00400010, 0x20004010
+};
+
+static const uint32_t SB7[64] =
+{
+    0x00200000, 0x04200002, 0x04000802, 0x00000000,
+    0x00000800, 0x04000802, 0x00200802, 0x04200800,
+    0x04200802, 0x00200000, 0x00000000, 0x04000002,
+    0x00000002, 0x04000000, 0x04200002, 0x00000802,
+    0x04000800, 0x00200802, 0x00200002, 0x04000800,
+    0x04000002, 0x04200000, 0x04200800, 0x00200002,
+    0x04200000, 0x00000800, 0x00000802, 0x04200802,
+    0x00200800, 0x00000002, 0x04000000, 0x00200800,
+    0x04000000, 0x00200800, 0x00200000, 0x04000802,
+    0x04000802, 0x04200002, 0x04200002, 0x00000002,
+    0x00200002, 0x04000000, 0x04000800, 0x00200000,
+    0x04200800, 0x00000802, 0x00200802, 0x04200800,
+    0x00000802, 0x04000002, 0x04200802, 0x04200000,
+    0x00200800, 0x00000000, 0x00000002, 0x04200802,
+    0x00000000, 0x00200802, 0x04200000, 0x00000800,
+    0x04000002, 0x04000800, 0x00000800, 0x00200002
+};
+
+static const uint32_t SB8[64] =
+{
+    0x10001040, 0x00001000, 0x00040000, 0x10041040,
+    0x10000000, 0x10001040, 0x00000040, 0x10000000,
+    0x00040040, 0x10040000, 0x10041040, 0x00041000,
+    0x10041000, 0x00041040, 0x00001000, 0x00000040,
+    0x10040000, 0x10000040, 0x10001000, 0x00001040,
+    0x00041000, 0x00040040, 0x10040040, 0x10041000,
+    0x00001040, 0x00000000, 0x00000000, 0x10040040,
+    0x10000040, 0x10001000, 0x00041040, 0x00040000,
+    0x00041040, 0x00040000, 0x10041000, 0x00001000,
+    0x00000040, 0x10040040, 0x00001000, 0x00041040,
+    0x10001000, 0x00000040, 0x10000040, 0x10040000,
+    0x10040040, 0x10000000, 0x00040000, 0x10001040,
+    0x00000000, 0x10041040, 0x00040040, 0x10000040,
+    0x10040000, 0x10001000, 0x10001040, 0x00000000,
+    0x10041040, 0x00041000, 0x00041000, 0x00001040,
+    0x00001040, 0x00040040, 0x10000000, 0x10041000
+};
+
+/*
+ * PC1: left and right halves bit-swap
+ */
+static const uint32_t LHs[16] =
+{
+    0x00000000, 0x00000001, 0x00000100, 0x00000101,
+    0x00010000, 0x00010001, 0x00010100, 0x00010101,
+    0x01000000, 0x01000001, 0x01000100, 0x01000101,
+    0x01010000, 0x01010001, 0x01010100, 0x01010101
+};
+
+static const uint32_t RHs[16] =
+{
+    0x00000000, 0x01000000, 0x00010000, 0x01010000,
+    0x00000100, 0x01000100, 0x00010100, 0x01010100,
+    0x00000001, 0x01000001, 0x00010001, 0x01010001,
+    0x00000101, 0x01000101, 0x00010101, 0x01010101,
+};
+
+/*
+ * Initial Permutation macro
+ */
+#define DES_IP(X,Y)                                             \
+{                                                               \
+    T = ((X >>  4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T <<  4);   \
+    T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16);   \
+    T = ((Y >>  2) ^ X) & 0x33333333; X ^= T; Y ^= (T <<  2);   \
+    T = ((Y >>  8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T <<  8);   \
+    Y = ((Y << 1) | (Y >> 31)) & 0xFFFFFFFF;                    \
+    T = (X ^ Y) & 0xAAAAAAAA; Y ^= T; X ^= T;                   \
+    X = ((X << 1) | (X >> 31)) & 0xFFFFFFFF;                    \
+}
+
+/*
+ * Final Permutation macro
+ */
+#define DES_FP(X,Y)                                             \
+{                                                               \
+    X = ((X << 31) | (X >> 1)) & 0xFFFFFFFF;                    \
+    T = (X ^ Y) & 0xAAAAAAAA; X ^= T; Y ^= T;                   \
+    Y = ((Y << 31) | (Y >> 1)) & 0xFFFFFFFF;                    \
+    T = ((Y >>  8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T <<  8);   \
+    T = ((Y >>  2) ^ X) & 0x33333333; X ^= T; Y ^= (T <<  2);   \
+    T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16);   \
+    T = ((X >>  4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T <<  4);   \
+}
+
+/*
+ * DES round macro
+ */
+#define DES_ROUND(X,Y)                          \
+{                                               \
+    T = *SK++ ^ X;                              \
+    Y ^= SB8[ (T      ) & 0x3F ] ^              \
+         SB6[ (T >>  8) & 0x3F ] ^              \
+         SB4[ (T >> 16) & 0x3F ] ^              \
+         SB2[ (T >> 24) & 0x3F ];               \
+                                                \
+    T = *SK++ ^ ((X << 28) | (X >> 4));         \
+    Y ^= SB7[ (T      ) & 0x3F ] ^              \
+         SB5[ (T >>  8) & 0x3F ] ^              \
+         SB3[ (T >> 16) & 0x3F ] ^              \
+         SB1[ (T >> 24) & 0x3F ];               \
+}
+
+#define SWAP(a,b) { uint32_t t = a; a = b; b = t; t = 0; }
+
+void mbedtls_des_init( mbedtls_des_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_des_context ) );
+}
+
+void mbedtls_des_free( mbedtls_des_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_des_context ) );
+}
+
+void mbedtls_des3_init( mbedtls_des3_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_des3_context ) );
+}
+
+void mbedtls_des3_free( mbedtls_des3_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_des3_context ) );
+}
+
+static const unsigned char odd_parity_table[128] = { 1,  2,  4,  7,  8,
+        11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
+        47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
+        82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
+        115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
+        143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
+        171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
+        199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
+        227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
+        254 };
+
+void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+
+    for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
+        key[i] = odd_parity_table[key[i] / 2];
+}
+
+/*
+ * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
+ */
+int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+
+    for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
+        if( key[i] != odd_parity_table[key[i] / 2] )
+            return( 1 );
+
+    return( 0 );
+}
+
+/*
+ * Table of weak and semi-weak keys
+ *
+ * Source: http://en.wikipedia.org/wiki/Weak_key
+ *
+ * Weak:
+ * Alternating ones + zeros (0x0101010101010101)
+ * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
+ * '0xE0E0E0E0F1F1F1F1'
+ * '0x1F1F1F1F0E0E0E0E'
+ *
+ * Semi-weak:
+ * 0x011F011F010E010E and 0x1F011F010E010E01
+ * 0x01E001E001F101F1 and 0xE001E001F101F101
+ * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
+ * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
+ * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
+ * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
+ *
+ */
+
+#define WEAK_KEY_COUNT 16
+
+static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
+{
+    { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
+    { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
+    { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
+    { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
+
+    { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
+    { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
+    { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
+    { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
+    { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
+    { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
+    { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
+    { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
+    { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
+    { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
+    { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
+    { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
+};
+
+int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+
+    for( i = 0; i < WEAK_KEY_COUNT; i++ )
+        if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 )
+            return( 1 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DES_SETKEY_ALT)
+void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+    uint32_t X, Y, T;
+
+    GET_UINT32_BE( X, key, 0 );
+    GET_UINT32_BE( Y, key, 4 );
+
+    /*
+     * Permuted Choice 1
+     */
+    T =  ((Y >>  4) ^ X) & 0x0F0F0F0F;  X ^= T; Y ^= (T <<  4);
+    T =  ((Y      ) ^ X) & 0x10101010;  X ^= T; Y ^= (T      );
+
+    X =   (LHs[ (X      ) & 0xF] << 3) | (LHs[ (X >>  8) & 0xF ] << 2)
+        | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ]     )
+        | (LHs[ (X >>  5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
+        | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
+
+    Y =   (RHs[ (Y >>  1) & 0xF] << 3) | (RHs[ (Y >>  9) & 0xF ] << 2)
+        | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ]     )
+        | (RHs[ (Y >>  4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
+        | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
+
+    X &= 0x0FFFFFFF;
+    Y &= 0x0FFFFFFF;
+
+    /*
+     * calculate subkeys
+     */
+    for( i = 0; i < 16; i++ )
+    {
+        if( i < 2 || i == 8 || i == 15 )
+        {
+            X = ((X <<  1) | (X >> 27)) & 0x0FFFFFFF;
+            Y = ((Y <<  1) | (Y >> 27)) & 0x0FFFFFFF;
+        }
+        else
+        {
+            X = ((X <<  2) | (X >> 26)) & 0x0FFFFFFF;
+            Y = ((Y <<  2) | (Y >> 26)) & 0x0FFFFFFF;
+        }
+
+        *SK++ =   ((X <<  4) & 0x24000000) | ((X << 28) & 0x10000000)
+                | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
+                | ((X <<  6) & 0x01000000) | ((X <<  9) & 0x00200000)
+                | ((X >>  1) & 0x00100000) | ((X << 10) & 0x00040000)
+                | ((X <<  2) & 0x00020000) | ((X >> 10) & 0x00010000)
+                | ((Y >> 13) & 0x00002000) | ((Y >>  4) & 0x00001000)
+                | ((Y <<  6) & 0x00000800) | ((Y >>  1) & 0x00000400)
+                | ((Y >> 14) & 0x00000200) | ((Y      ) & 0x00000100)
+                | ((Y >>  5) & 0x00000020) | ((Y >> 10) & 0x00000010)
+                | ((Y >>  3) & 0x00000008) | ((Y >> 18) & 0x00000004)
+                | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
+
+        *SK++ =   ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
+                | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
+                | ((X >>  2) & 0x02000000) | ((X <<  1) & 0x01000000)
+                | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
+                | ((X <<  3) & 0x00080000) | ((X >>  6) & 0x00040000)
+                | ((X << 15) & 0x00020000) | ((X >>  4) & 0x00010000)
+                | ((Y >>  2) & 0x00002000) | ((Y <<  8) & 0x00001000)
+                | ((Y >> 14) & 0x00000808) | ((Y >>  9) & 0x00000400)
+                | ((Y      ) & 0x00000200) | ((Y <<  7) & 0x00000100)
+                | ((Y >>  7) & 0x00000020) | ((Y >>  3) & 0x00000011)
+                | ((Y <<  2) & 0x00000004) | ((Y >> 21) & 0x00000002);
+    }
+}
+#endif /* !MBEDTLS_DES_SETKEY_ALT */
+
+/*
+ * DES key schedule (56-bit, encryption)
+ */
+int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    mbedtls_des_setkey( ctx->sk, key );
+
+    return( 0 );
+}
+
+/*
+ * DES key schedule (56-bit, decryption)
+ */
+int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+
+    mbedtls_des_setkey( ctx->sk, key );
+
+    for( i = 0; i < 16; i += 2 )
+    {
+        SWAP( ctx->sk[i    ], ctx->sk[30 - i] );
+        SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
+    }
+
+    return( 0 );
+}
+
+static void des3_set2key( uint32_t esk[96],
+                          uint32_t dsk[96],
+                          const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] )
+{
+    int i;
+
+    mbedtls_des_setkey( esk, key );
+    mbedtls_des_setkey( dsk + 32, key + 8 );
+
+    for( i = 0; i < 32; i += 2 )
+    {
+        dsk[i     ] = esk[30 - i];
+        dsk[i +  1] = esk[31 - i];
+
+        esk[i + 32] = dsk[62 - i];
+        esk[i + 33] = dsk[63 - i];
+
+        esk[i + 64] = esk[i    ];
+        esk[i + 65] = esk[i + 1];
+
+        dsk[i + 64] = dsk[i    ];
+        dsk[i + 65] = dsk[i + 1];
+    }
+}
+
+/*
+ * Triple-DES key schedule (112-bit, encryption)
+ */
+int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
+{
+    uint32_t sk[96];
+
+    des3_set2key( ctx->sk, sk, key );
+    mbedtls_zeroize( sk,  sizeof( sk ) );
+
+    return( 0 );
+}
+
+/*
+ * Triple-DES key schedule (112-bit, decryption)
+ */
+int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
+{
+    uint32_t sk[96];
+
+    des3_set2key( sk, ctx->sk, key );
+    mbedtls_zeroize( sk,  sizeof( sk ) );
+
+    return( 0 );
+}
+
+static void des3_set3key( uint32_t esk[96],
+                          uint32_t dsk[96],
+                          const unsigned char key[24] )
+{
+    int i;
+
+    mbedtls_des_setkey( esk, key );
+    mbedtls_des_setkey( dsk + 32, key +  8 );
+    mbedtls_des_setkey( esk + 64, key + 16 );
+
+    for( i = 0; i < 32; i += 2 )
+    {
+        dsk[i     ] = esk[94 - i];
+        dsk[i +  1] = esk[95 - i];
+
+        esk[i + 32] = dsk[62 - i];
+        esk[i + 33] = dsk[63 - i];
+
+        dsk[i + 64] = esk[30 - i];
+        dsk[i + 65] = esk[31 - i];
+    }
+}
+
+/*
+ * Triple-DES key schedule (168-bit, encryption)
+ */
+int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
+{
+    uint32_t sk[96];
+
+    des3_set3key( ctx->sk, sk, key );
+    mbedtls_zeroize( sk,  sizeof( sk ) );
+
+    return( 0 );
+}
+
+/*
+ * Triple-DES key schedule (168-bit, decryption)
+ */
+int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
+{
+    uint32_t sk[96];
+
+    des3_set3key( sk, ctx->sk, key );
+    mbedtls_zeroize( sk,  sizeof( sk ) );
+
+    return( 0 );
+}
+
+/*
+ * DES-ECB block encryption/decryption
+ */
+#if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
+int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
+                    const unsigned char input[8],
+                    unsigned char output[8] )
+{
+    int i;
+    uint32_t X, Y, T, *SK;
+
+    SK = ctx->sk;
+
+    GET_UINT32_BE( X, input, 0 );
+    GET_UINT32_BE( Y, input, 4 );
+
+    DES_IP( X, Y );
+
+    for( i = 0; i < 8; i++ )
+    {
+        DES_ROUND( Y, X );
+        DES_ROUND( X, Y );
+    }
+
+    DES_FP( Y, X );
+
+    PUT_UINT32_BE( Y, output, 0 );
+    PUT_UINT32_BE( X, output, 4 );
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * DES-CBC buffer encryption/decryption
+ */
+int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[8],
+                    const unsigned char *input,
+                    unsigned char *output )
+{
+    int i;
+    unsigned char temp[8];
+
+    if( length % 8 )
+        return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_DES_ENCRYPT )
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_des_crypt_ecb( ctx, output, output );
+            memcpy( iv, output, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+    else /* MBEDTLS_DES_DECRYPT */
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 8 );
+            mbedtls_des_crypt_ecb( ctx, input, output );
+
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/*
+ * 3DES-ECB block encryption/decryption
+ */
+#if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
+int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
+                     const unsigned char input[8],
+                     unsigned char output[8] )
+{
+    int i;
+    uint32_t X, Y, T, *SK;
+
+    SK = ctx->sk;
+
+    GET_UINT32_BE( X, input, 0 );
+    GET_UINT32_BE( Y, input, 4 );
+
+    DES_IP( X, Y );
+
+    for( i = 0; i < 8; i++ )
+    {
+        DES_ROUND( Y, X );
+        DES_ROUND( X, Y );
+    }
+
+    for( i = 0; i < 8; i++ )
+    {
+        DES_ROUND( X, Y );
+        DES_ROUND( Y, X );
+    }
+
+    for( i = 0; i < 8; i++ )
+    {
+        DES_ROUND( Y, X );
+        DES_ROUND( X, Y );
+    }
+
+    DES_FP( Y, X );
+
+    PUT_UINT32_BE( Y, output, 0 );
+    PUT_UINT32_BE( X, output, 4 );
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * 3DES-CBC buffer encryption/decryption
+ */
+int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
+                     int mode,
+                     size_t length,
+                     unsigned char iv[8],
+                     const unsigned char *input,
+                     unsigned char *output )
+{
+    int i;
+    unsigned char temp[8];
+
+    if( length % 8 )
+        return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_DES_ENCRYPT )
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_des3_crypt_ecb( ctx, output, output );
+            memcpy( iv, output, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+    else /* MBEDTLS_DES_DECRYPT */
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 8 );
+            mbedtls_des3_crypt_ecb( ctx, input, output );
+
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#endif /* !MBEDTLS_DES_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * DES and 3DES test vectors from:
+ *
+ * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
+ */
+static const unsigned char des3_test_keys[24] =
+{
+    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
+    0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
+    0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
+};
+
+static const unsigned char des3_test_buf[8] =
+{
+    0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
+};
+
+static const unsigned char des3_test_ecb_dec[3][8] =
+{
+    { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D },
+    { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB },
+    { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A }
+};
+
+static const unsigned char des3_test_ecb_enc[3][8] =
+{
+    { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B },
+    { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 },
+    { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const unsigned char des3_test_iv[8] =
+{
+    0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
+};
+
+static const unsigned char des3_test_cbc_dec[3][8] =
+{
+    { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 },
+    { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 },
+    { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C }
+};
+
+static const unsigned char des3_test_cbc_enc[3][8] =
+{
+    { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 },
+    { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D },
+    { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_des_self_test( int verbose )
+{
+    int i, j, u, v, ret = 0;
+    mbedtls_des_context ctx;
+    mbedtls_des3_context ctx3;
+    unsigned char buf[8];
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    unsigned char prv[8];
+    unsigned char iv[8];
+#endif
+
+    mbedtls_des_init( &ctx );
+    mbedtls_des3_init( &ctx3 );
+    /*
+     * ECB mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        v = i  & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  DES%c-ECB-%3d (%s): ",
+                             ( u == 0 ) ? ' ' : '3', 56 + u * 56,
+                             ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( buf, des3_test_buf, 8 );
+
+        switch( i )
+        {
+        case 0:
+            mbedtls_des_setkey_dec( &ctx, des3_test_keys );
+            break;
+
+        case 1:
+            mbedtls_des_setkey_enc( &ctx, des3_test_keys );
+            break;
+
+        case 2:
+            mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
+            break;
+
+        case 3:
+            mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
+            break;
+
+        case 4:
+            mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
+            break;
+
+        case 5:
+            mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
+            break;
+
+        default:
+            return( 1 );
+        }
+
+        for( j = 0; j < 10000; j++ )
+        {
+            if( u == 0 )
+                mbedtls_des_crypt_ecb( &ctx, buf, buf );
+            else
+                mbedtls_des3_crypt_ecb( &ctx3, buf, buf );
+        }
+
+        if( ( v == MBEDTLS_DES_DECRYPT &&
+                memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
+            ( v != MBEDTLS_DES_DECRYPT &&
+                memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    /*
+     * CBC mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        v = i  & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  DES%c-CBC-%3d (%s): ",
+                             ( u == 0 ) ? ' ' : '3', 56 + u * 56,
+                             ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( iv,  des3_test_iv,  8 );
+        memcpy( prv, des3_test_iv,  8 );
+        memcpy( buf, des3_test_buf, 8 );
+
+        switch( i )
+        {
+        case 0:
+            mbedtls_des_setkey_dec( &ctx, des3_test_keys );
+            break;
+
+        case 1:
+            mbedtls_des_setkey_enc( &ctx, des3_test_keys );
+            break;
+
+        case 2:
+            mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
+            break;
+
+        case 3:
+            mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
+            break;
+
+        case 4:
+            mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
+            break;
+
+        case 5:
+            mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
+            break;
+
+        default:
+            return( 1 );
+        }
+
+        if( v == MBEDTLS_DES_DECRYPT )
+        {
+            for( j = 0; j < 10000; j++ )
+            {
+                if( u == 0 )
+                    mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
+                else
+                    mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
+            }
+        }
+        else
+        {
+            for( j = 0; j < 10000; j++ )
+            {
+                unsigned char tmp[8];
+
+                if( u == 0 )
+                    mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
+                else
+                    mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
+
+                memcpy( tmp, prv, 8 );
+                memcpy( prv, buf, 8 );
+                memcpy( buf, tmp, 8 );
+            }
+
+            memcpy( buf, prv, 8 );
+        }
+
+        if( ( v == MBEDTLS_DES_DECRYPT &&
+                memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
+            ( v != MBEDTLS_DES_DECRYPT &&
+                memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+exit:
+    mbedtls_des_free( &ctx );
+    mbedtls_des3_free( &ctx3 );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_DES_C */
diff --git a/third-party/mbedtls-3.6/library/dhm.c b/third-party/mbedtls-3.6/library/dhm.c
new file mode 100644
index 00000000..e15cc8e9
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/dhm.c
@@ -0,0 +1,716 @@
+/*
+ *  Diffie-Hellman-Merkle key exchange
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The following sources were referenced in the design of this implementation
+ *  of the Diffie-Hellman-Merkle algorithm:
+ *
+ *  [1] Handbook of Applied Cryptography - 1997, Chapter 12
+ *      Menezes, van Oorschot and Vanstone
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+
+#include "mbedtls/dhm.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_printf     printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if !defined(MBEDTLS_DHM_ALT)
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * helper to validate the mbedtls_mpi size and import it
+ */
+static int dhm_read_bignum( mbedtls_mpi *X,
+                            unsigned char **p,
+                            const unsigned char *end )
+{
+    int ret, n;
+
+    if( end - *p < 2 )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    n = ( (*p)[0] << 8 ) | (*p)[1];
+    (*p) += 2;
+
+    if( (int)( end - *p ) < n )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_mpi_read_binary( X, *p, n ) ) != 0 )
+        return( MBEDTLS_ERR_DHM_READ_PARAMS_FAILED + ret );
+
+    (*p) += n;
+
+    return( 0 );
+}
+
+/*
+ * Verify sanity of parameter with regards to P
+ *
+ * Parameter should be: 2 <= public_param <= P - 2
+ *
+ * This means that we need to return an error if
+ *              public_param < 2 or public_param > P-2
+ *
+ * For more information on the attack, see:
+ *  http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
+ *  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
+ */
+static int dhm_check_range( const mbedtls_mpi *param, const mbedtls_mpi *P )
+{
+    mbedtls_mpi L, U;
+    int ret = 0;
+
+    mbedtls_mpi_init( &L ); mbedtls_mpi_init( &U );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &L, 2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &U, P, 2 ) );
+
+    if( mbedtls_mpi_cmp_mpi( param, &L ) < 0 ||
+        mbedtls_mpi_cmp_mpi( param, &U ) > 0 )
+    {
+        ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+    }
+
+cleanup:
+    mbedtls_mpi_free( &L ); mbedtls_mpi_free( &U );
+    return( ret );
+}
+
+void mbedtls_dhm_init( mbedtls_dhm_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_dhm_context ) );
+}
+
+/*
+ * Parse the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
+                     unsigned char **p,
+                     const unsigned char *end )
+{
+    int ret;
+
+    if( ( ret = dhm_read_bignum( &ctx->P,  p, end ) ) != 0 ||
+        ( ret = dhm_read_bignum( &ctx->G,  p, end ) ) != 0 ||
+        ( ret = dhm_read_bignum( &ctx->GY, p, end ) ) != 0 )
+        return( ret );
+
+    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
+        return( ret );
+
+    ctx->len = mbedtls_mpi_size( &ctx->P );
+
+    return( 0 );
+}
+
+/*
+ * Setup and write the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
+                     unsigned char *output, size_t *olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret, count = 0;
+    size_t n1, n2, n3;
+    unsigned char *p;
+
+    if( mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    /*
+     * Generate X as large as possible ( < P )
+     */
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->X, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED );
+    }
+    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
+
+    /*
+     * Calculate GX = G^X mod P
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
+                          &ctx->P , &ctx->RP ) );
+
+    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
+        return( ret );
+
+    /*
+     * export P, G, GX
+     */
+#define DHM_MPI_EXPORT( X, n )                                          \
+    do {                                                                \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( ( X ),               \
+                                                   p + 2,               \
+                                                   ( n ) ) );           \
+        *p++ = (unsigned char)( ( n ) >> 8 );                           \
+        *p++ = (unsigned char)( ( n )      );                           \
+        p += ( n );                                                     \
+    } while( 0 )
+
+    n1 = mbedtls_mpi_size( &ctx->P  );
+    n2 = mbedtls_mpi_size( &ctx->G  );
+    n3 = mbedtls_mpi_size( &ctx->GX );
+
+    p = output;
+    DHM_MPI_EXPORT( &ctx->P , n1 );
+    DHM_MPI_EXPORT( &ctx->G , n2 );
+    DHM_MPI_EXPORT( &ctx->GX, n3 );
+
+    *olen = p - output;
+
+    ctx->len = n1;
+
+cleanup:
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Set prime modulus and generator
+ */
+int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx,
+                           const mbedtls_mpi *P,
+                           const mbedtls_mpi *G )
+{
+    int ret;
+
+    if( ctx == NULL || P == NULL || G == NULL )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &ctx->G, G ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_DHM_SET_GROUP_FAILED + ret );
+    }
+
+    ctx->len = mbedtls_mpi_size( &ctx->P );
+    return( 0 );
+}
+
+/*
+ * Import the peer's public value G^Y
+ */
+int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx,
+                     const unsigned char *input, size_t ilen )
+{
+    int ret;
+
+    if( ctx == NULL || ilen < 1 || ilen > ctx->len )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_mpi_read_binary( &ctx->GY, input, ilen ) ) != 0 )
+        return( MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Create own private value X and export G^X
+ */
+int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
+                     unsigned char *output, size_t olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret, count = 0;
+
+    if( ctx == NULL || olen < 1 || olen > ctx->len )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    /*
+     * generate X and calculate GX = G^X mod P
+     */
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->X, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED );
+    }
+    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
+                          &ctx->P , &ctx->RP ) );
+
+    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
+        return( ret );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->GX, output, olen ) );
+
+cleanup:
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Pick a random R in the range [2, M) for blinding purposes
+ */
+static int dhm_random_below( mbedtls_mpi *R, const mbedtls_mpi *M,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret, count;
+
+    count = 0;
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( R, mbedtls_mpi_size( M ), f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( R, M ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( R, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+    }
+    while( mbedtls_mpi_cmp_int( R, 1 ) <= 0 );
+
+cleanup:
+    return( ret );
+}
+
+
+/*
+ * Use the blinding method and optimisation suggested in section 10 of:
+ *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
+ *  DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
+ *  Berlin Heidelberg, 1996. p. 104-113.
+ */
+static int dhm_update_blinding( mbedtls_dhm_context *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+    mbedtls_mpi R;
+
+    mbedtls_mpi_init( &R );
+
+    /*
+     * Don't use any blinding the first time a particular X is used,
+     * but remember it to use blinding next time.
+     */
+    if( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->pX ) != 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &ctx->pX, &ctx->X ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->Vi, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->Vf, 1 ) );
+
+        return( 0 );
+    }
+
+    /*
+     * Ok, we need blinding. Can we re-use existing values?
+     * If yes, just update them by squaring them.
+     */
+    if( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+
+        return( 0 );
+    }
+
+    /*
+     * We need to generate blinding values from scratch
+     */
+
+    /* Vi = random( 2, P-1 ) */
+    MBEDTLS_MPI_CHK( dhm_random_below( &ctx->Vi, &ctx->P, f_rng, p_rng ) );
+
+    /* Vf = Vi^-X mod P
+     * First compute Vi^-1 = R * (R Vi)^-1, (avoiding leaks from inv_mod),
+     * then elevate to the Xth power. */
+    MBEDTLS_MPI_CHK( dhm_random_below( &R, &ctx->P, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vi, &R ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &R ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );
+
+cleanup:
+    mbedtls_mpi_free( &R );
+
+    return( ret );
+}
+
+/*
+ * Derive and export the shared secret (G^Y)^X mod P
+ */
+int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
+                     unsigned char *output, size_t output_size, size_t *olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret;
+    mbedtls_mpi GYb;
+
+    if( ctx == NULL || output_size < ctx->len )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
+        return( ret );
+
+    mbedtls_mpi_init( &GYb );
+
+    /* Blind peer's value */
+    if( f_rng != NULL )
+    {
+        MBEDTLS_MPI_CHK( dhm_update_blinding( ctx, f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &GYb, &ctx->GY, &ctx->Vi ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &GYb, &GYb, &ctx->P ) );
+    }
+    else
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &GYb, &ctx->GY ) );
+
+    /* Do modular exponentiation */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->K, &GYb, &ctx->X,
+                          &ctx->P, &ctx->RP ) );
+
+    /* Unblind secret value */
+    if( f_rng != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->K, &ctx->K, &ctx->Vf ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
+    }
+
+    *olen = mbedtls_mpi_size( &ctx->K );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->K, output, *olen ) );
+
+cleanup:
+    mbedtls_mpi_free( &GYb );
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_DHM_CALC_SECRET_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Free the components of a DHM key
+ */
+void mbedtls_dhm_free( mbedtls_dhm_context *ctx )
+{
+    mbedtls_mpi_free( &ctx->pX ); mbedtls_mpi_free( &ctx->Vf );
+    mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->RP );
+    mbedtls_mpi_free( &ctx->K  ); mbedtls_mpi_free( &ctx->GY );
+    mbedtls_mpi_free( &ctx->GX ); mbedtls_mpi_free( &ctx->X  );
+    mbedtls_mpi_free( &ctx->G  ); mbedtls_mpi_free( &ctx->P  );
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_dhm_context ) );
+}
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+/*
+ * Parse DHM parameters
+ */
+int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
+                   size_t dhminlen )
+{
+    int ret;
+    size_t len;
+    unsigned char *p, *end;
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_context pem;
+
+    mbedtls_pem_init( &pem );
+
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( dhminlen == 0 || dhmin[dhminlen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN DH PARAMETERS-----",
+                               "-----END DH PARAMETERS-----",
+                               dhmin, NULL, 0, &dhminlen );
+
+    if( ret == 0 )
+    {
+        /*
+         * Was PEM encoded
+         */
+        dhminlen = pem.buflen;
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        goto exit;
+
+    p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin;
+#else
+    p = (unsigned char *) dhmin;
+#endif /* MBEDTLS_PEM_PARSE_C */
+    end = p + dhminlen;
+
+    /*
+     *  DHParams ::= SEQUENCE {
+     *      prime              INTEGER,  -- P
+     *      generator          INTEGER,  -- g
+     *      privateValueLength INTEGER OPTIONAL
+     *  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+        goto exit;
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_mpi( &p, end, &dhm->P  ) ) != 0 ||
+        ( ret = mbedtls_asn1_get_mpi( &p, end, &dhm->G ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+        goto exit;
+    }
+
+    if( p != end )
+    {
+        /* This might be the optional privateValueLength.
+         * If so, we can cleanly discard it */
+        mbedtls_mpi rec;
+        mbedtls_mpi_init( &rec );
+        ret = mbedtls_asn1_get_mpi( &p, end, &rec );
+        mbedtls_mpi_free( &rec );
+        if ( ret != 0 )
+        {
+            ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+            goto exit;
+        }
+        if ( p != end )
+        {
+            ret = MBEDTLS_ERR_DHM_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+            goto exit;
+        }
+    }
+
+    ret = 0;
+
+    dhm->len = mbedtls_mpi_size( &dhm->P );
+
+exit:
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_free( &pem );
+#endif
+    if( ret != 0 )
+        mbedtls_dhm_free( dhm );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load all data from a file into a given buffer.
+ *
+ * The file is expected to contain either PEM or DER encoded data.
+ * A terminating null byte is always appended. It is included in the announced
+ * length only if the data looks like it is PEM encoded.
+ */
+static int load_file( const char *path, unsigned char **buf, size_t *n )
+{
+    FILE *f;
+    long size;
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
+
+    fseek( f, 0, SEEK_END );
+    if( ( size = ftell( f ) ) == -1 )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
+    }
+    fseek( f, 0, SEEK_SET );
+
+    *n = (size_t) size;
+
+    if( *n + 1 == 0 ||
+        ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_DHM_ALLOC_FAILED );
+    }
+
+    if( fread( *buf, 1, *n, f ) != *n )
+    {
+        fclose( f );
+
+        mbedtls_zeroize( *buf, *n + 1 );
+        mbedtls_free( *buf );
+
+        return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
+    }
+
+    fclose( f );
+
+    (*buf)[*n] = '\0';
+
+    if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL )
+        ++*n;
+
+    return( 0 );
+}
+
+/*
+ * Load and parse DHM parameters
+ */
+int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    if( ( ret = load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_dhm_parse_dhm( dhm, buf, n );
+
+    mbedtls_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ASN1_PARSE_C */
+#endif /* MBEDTLS_DHM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const char mbedtls_test_dhm_params[] =
+"-----BEGIN DH PARAMETERS-----\r\n"
+"MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n"
+"1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n"
+"9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
+"-----END DH PARAMETERS-----\r\n";
+
+static const size_t mbedtls_test_dhm_params_len = sizeof( mbedtls_test_dhm_params );
+
+/*
+ * Checkup routine
+ */
+int mbedtls_dhm_self_test( int verbose )
+{
+    int ret;
+    mbedtls_dhm_context dhm;
+
+    mbedtls_dhm_init( &dhm );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  DHM parameter load: " );
+
+    if( ( ret = mbedtls_dhm_parse_dhm( &dhm,
+                    (const unsigned char *) mbedtls_test_dhm_params,
+                    mbedtls_test_dhm_params_len ) ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto exit;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n\n" );
+
+exit:
+    mbedtls_dhm_free( &dhm );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_DHM_C */
diff --git a/third-party/mbedtls-3.6/library/ecdh.c b/third-party/mbedtls-3.6/library/ecdh.c
new file mode 100644
index 00000000..a8ff5b94
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ecdh.c
@@ -0,0 +1,305 @@
+/*
+ *  Elliptic curve Diffie-Hellman
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ * References:
+ *
+ * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
+ * RFC 4492
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECDH_C)
+
+#include "mbedtls/ecdh.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
+/*
+ * Generate public key: simple wrapper around mbedtls_ecp_gen_keypair
+ */
+int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    return mbedtls_ecp_gen_keypair( grp, d, Q, f_rng, p_rng );
+}
+#endif /* MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+
+#if !defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
+/*
+ * Compute shared secret (SEC1 3.3.1)
+ */
+int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
+                         const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng )
+{
+    int ret;
+    mbedtls_ecp_point P;
+
+    mbedtls_ecp_point_init( &P );
+
+    /*
+     * Make sure Q is a valid pubkey before using it
+     */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, Q ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, &P, d, Q, f_rng, p_rng ) );
+
+    if( mbedtls_ecp_is_zero( &P ) )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( z, &P.X ) );
+
+cleanup:
+    mbedtls_ecp_point_free( &P );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_ecdh_context ) );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_ecp_group_free( &ctx->grp );
+    mbedtls_ecp_point_free( &ctx->Q   );
+    mbedtls_ecp_point_free( &ctx->Qp  );
+    mbedtls_ecp_point_free( &ctx->Vi  );
+    mbedtls_ecp_point_free( &ctx->Vf  );
+    mbedtls_mpi_free( &ctx->d  );
+    mbedtls_mpi_free( &ctx->z  );
+    mbedtls_mpi_free( &ctx->_d );
+}
+
+/*
+ * Setup and write the ServerKeyExhange parameters (RFC 4492)
+ *      struct {
+ *          ECParameters    curve_params;
+ *          ECPoint         public;
+ *      } ServerECDHParams;
+ */
+int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
+                      unsigned char *buf, size_t blen,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng )
+{
+    int ret;
+    size_t grp_len, pt_len;
+
+    if( ctx == NULL || ctx->grp.pbits == 0 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) )
+                != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_ecp_tls_write_group( &ctx->grp, &grp_len, buf, blen ) )
+                != 0 )
+        return( ret );
+
+    buf += grp_len;
+    blen -= grp_len;
+
+    if( ( ret = mbedtls_ecp_tls_write_point( &ctx->grp, &ctx->Q, ctx->point_format,
+                                     &pt_len, buf, blen ) ) != 0 )
+        return( ret );
+
+    *olen = grp_len + pt_len;
+    return( 0 );
+}
+
+/*
+ * Read the ServerKeyExhange parameters (RFC 4492)
+ *      struct {
+ *          ECParameters    curve_params;
+ *          ECPoint         public;
+ *      } ServerECDHParams;
+ */
+int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
+                      const unsigned char **buf, const unsigned char *end )
+{
+    int ret;
+
+    if( ( ret = mbedtls_ecp_tls_read_group( &ctx->grp, buf, end - *buf ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_ecp_tls_read_point( &ctx->grp, &ctx->Qp, buf, end - *buf ) )
+                != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Get parameters from a keypair
+ */
+int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key,
+                     mbedtls_ecdh_side side )
+{
+    int ret;
+
+    if( ctx->grp.id == MBEDTLS_ECP_DP_NONE )
+    {
+        /* This is the first call to get_params(). Copy the group information
+         * into the context. */
+        if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 )
+            return( ret );
+    }
+    else
+    {
+        /* This is not the first call to get_params(). Check that the group
+         * is the same as the first time. */
+        if( ctx->grp.id != key->grp.id )
+            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    /* If it's not our key, just import the public part as Qp */
+    if( side == MBEDTLS_ECDH_THEIRS )
+        return( mbedtls_ecp_copy( &ctx->Qp, &key->Q ) );
+
+    /* Our key: import public (as Q) and private parts */
+    if( side != MBEDTLS_ECDH_OURS )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Setup and export the client public value
+ */
+int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
+                      unsigned char *buf, size_t blen,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng )
+{
+    int ret;
+
+    if( ctx == NULL || ctx->grp.pbits == 0 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) )
+                != 0 )
+        return( ret );
+
+    return mbedtls_ecp_tls_write_point( &ctx->grp, &ctx->Q, ctx->point_format,
+                                olen, buf, blen );
+}
+
+/*
+ * Parse and import the client's public value
+ */
+int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
+                      const unsigned char *buf, size_t blen )
+{
+    int ret;
+    const unsigned char *p = buf;
+
+    if( ctx == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_ecp_tls_read_point( &ctx->grp, &ctx->Qp, &p, blen ) ) != 0 )
+        return( ret );
+
+    if( (size_t)( p - buf ) != blen )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+
+/*
+ * Derive and export the shared secret
+ */
+int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
+                      unsigned char *buf, size_t blen,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng )
+{
+    int ret;
+
+    if( ctx == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp, &ctx->d,
+                                     f_rng, p_rng ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( mbedtls_mpi_size( &ctx->z ) > blen )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    *olen = ctx->grp.pbits / 8 + ( ( ctx->grp.pbits % 8 ) != 0 );
+    return mbedtls_mpi_write_binary( &ctx->z, buf, *olen );
+}
+
+#endif /* MBEDTLS_ECDH_C */
diff --git a/third-party/mbedtls-3.6/library/ecdsa.c b/third-party/mbedtls-3.6/library/ecdsa.c
new file mode 100644
index 00000000..59803d04
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ecdsa.c
@@ -0,0 +1,575 @@
+/*
+ *  Elliptic curve DSA
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ * References:
+ *
+ * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+
+#include "mbedtls/ecdsa.h"
+#include "mbedtls/asn1write.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#include "mbedtls/hmac_drbg.h"
+#endif
+
+/*
+ * Derive a suitable integer for group grp from a buffer of length len
+ * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3
+ */
+static int derive_mpi( const mbedtls_ecp_group *grp, mbedtls_mpi *x,
+                       const unsigned char *buf, size_t blen )
+{
+    int ret;
+    size_t n_size = ( grp->nbits + 7 ) / 8;
+    size_t use_size = blen > n_size ? n_size : blen;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( x, buf, use_size ) );
+    if( use_size * 8 > grp->nbits )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( x, use_size * 8 - grp->nbits ) );
+
+    /* While at it, reduce modulo N */
+    if( mbedtls_mpi_cmp_mpi( x, &grp->N ) >= 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( x, x, &grp->N ) );
+
+cleanup:
+    return( ret );
+}
+
+#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
+/*
+ * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
+ * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
+ */
+static int ecdsa_sign_internal( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                                mbedtls_mpi *s, const mbedtls_mpi *d,
+                                const unsigned char *buf, size_t blen,
+                                int (*f_rng)(void *, unsigned char *, size_t),
+                                void *p_rng,
+                                int (*f_rng_blind)(void *, unsigned char *,
+                                                   size_t),
+                                void *p_rng_blind )
+{
+    int ret, key_tries, sign_tries, blind_tries;
+    mbedtls_ecp_point R;
+    mbedtls_mpi k, e, t;
+
+    /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
+    if( grp->N.p == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /* Make sure d is in range 1..n-1 */
+    if( mbedtls_mpi_cmp_int( d, 1 ) < 0 || mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+    mbedtls_ecp_point_init( &R );
+    mbedtls_mpi_init( &k ); mbedtls_mpi_init( &e ); mbedtls_mpi_init( &t );
+
+    sign_tries = 0;
+    do
+    {
+        /*
+         * Steps 1-3: generate a suitable ephemeral keypair
+         * and set r = xR mod n
+         */
+        key_tries = 0;
+        do
+        {
+            MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, &k, f_rng, p_rng ) );
+
+            MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, &R, &k, &grp->G,
+                                              f_rng_blind, p_rng_blind ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( r, &R.X, &grp->N ) );
+
+            if( key_tries++ > 10 )
+            {
+                ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+                goto cleanup;
+            }
+        }
+        while( mbedtls_mpi_cmp_int( r, 0 ) == 0 );
+
+        /*
+         * Step 5: derive MPI from hashed message
+         */
+        MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
+
+        /*
+         * Generate a random value to blind inv_mod in next step,
+         * avoiding a potential timing leak.
+         *
+         * This loop does the same job as mbedtls_ecp_gen_privkey() and it is
+         * replaced by a call to it in the mainline. This change is not
+         * necessary to backport the fix separating the blinding and ephemeral
+         * key generating RNGs, therefore the original code is kept.
+         */
+        blind_tries = 0;
+        do
+        {
+            size_t n_size = ( grp->nbits + 7 ) / 8;
+            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &t, n_size, f_rng_blind,
+                                                      p_rng_blind ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &t, 8 * n_size - grp->nbits ) );
+
+            if( ++blind_tries > 30 )
+                return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+        }
+        while( mbedtls_mpi_cmp_int( &t, 1 ) < 0 ||
+               mbedtls_mpi_cmp_mpi( &t, &grp->N ) >= 0 );
+
+        /*
+         * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, r, d ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &k, &k, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &k, &k, &grp->N ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, &k, &grp->N ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
+
+        if( sign_tries++ > 10 )
+        {
+            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+            goto cleanup;
+        }
+    }
+    while( mbedtls_mpi_cmp_int( s, 0 ) == 0 );
+
+cleanup:
+    mbedtls_ecp_point_free( &R );
+    mbedtls_mpi_free( &k ); mbedtls_mpi_free( &e ); mbedtls_mpi_free( &t );
+
+    return( ret );
+}
+
+int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+                        const mbedtls_mpi *d, const unsigned char *buf,
+                        size_t blen,
+                        int (*f_rng)(void *, unsigned char *, size_t),
+                        void *p_rng )
+{
+    /* Use the same RNG for both blinding and ephemeral key generation */
+    return( ecdsa_sign_internal( grp, r, s, d, buf, blen, f_rng, p_rng,
+                                 f_rng, p_rng ) );
+}
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+static int ecdsa_sign_det_internal( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                                    mbedtls_mpi *s, const mbedtls_mpi *d,
+                                    const unsigned char *buf, size_t blen,
+                                    mbedtls_md_type_t md_alg,
+                                    int (*f_rng_blind)(void *, unsigned char *,
+                                                       size_t),
+                                    void *p_rng_blind )
+{
+    int ret;
+    mbedtls_hmac_drbg_context rng_ctx;
+    unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES];
+    size_t grp_len = ( grp->nbits + 7 ) / 8;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_mpi h;
+    /* Variables for deterministic blinding fallback */
+    const char* blind_label = "BLINDING CONTEXT";
+    mbedtls_hmac_drbg_context rng_ctx_blind;
+
+    if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &h );
+    mbedtls_hmac_drbg_init( &rng_ctx );
+    mbedtls_hmac_drbg_init( &rng_ctx_blind );
+
+    /* Use private key and message hash (reduced) to initialize HMAC_DRBG */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) );
+    MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) );
+    mbedtls_hmac_drbg_seed_buf( &rng_ctx, md_info, data, 2 * grp_len );
+
+    if( f_rng_blind != NULL )
+        ret = ecdsa_sign_internal( grp, r, s, d, buf, blen,
+                                   mbedtls_hmac_drbg_random, &rng_ctx,
+                                   f_rng_blind, p_rng_blind );
+    else
+    {
+        /*
+         * To avoid reusing rng_ctx and risking incorrect behavior we seed a
+         * second HMAC-DRBG with the same seed. We also apply a label to avoid
+         * reusing the bits of the ephemeral key for blinding and eliminate the
+         * risk that they leak this way.
+         */
+
+        mbedtls_hmac_drbg_seed_buf( &rng_ctx_blind, md_info,
+                                    data, 2 * grp_len );
+        ret = mbedtls_hmac_drbg_update_ret( &rng_ctx_blind,
+                                            (const unsigned char*) blind_label,
+                                            strlen( blind_label ) );
+        if( ret != 0 )
+            goto cleanup;
+
+        /*
+         * Since the output of the RNGs is always the same for the same key and
+         * message, this limits the efficiency of blinding and leaks information
+         * through side channels. After mbedtls_ecdsa_sign_det() is removed NULL
+         * won't be a valid value for f_rng_blind anymore. Therefore it should
+         * be checked by the caller and this branch and check can be removed.
+         */
+        ret = ecdsa_sign_internal( grp, r, s, d, buf, blen,
+                                   mbedtls_hmac_drbg_random, &rng_ctx,
+                                   mbedtls_hmac_drbg_random, &rng_ctx_blind );
+
+    }
+
+cleanup:
+    mbedtls_hmac_drbg_free( &rng_ctx );
+    mbedtls_hmac_drbg_free( &rng_ctx_blind );
+    mbedtls_mpi_free( &h );
+
+    return( ret );
+}
+
+/*
+ * Deterministic signature wrappers
+ */
+int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                            mbedtls_mpi *s, const mbedtls_mpi *d,
+                            const unsigned char *buf, size_t blen,
+                            mbedtls_md_type_t md_alg )
+{
+    return( ecdsa_sign_det_internal( grp, r, s, d, buf, blen, md_alg,
+                                     NULL, NULL ) );
+}
+
+int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                                mbedtls_mpi *s, const mbedtls_mpi *d,
+                                const unsigned char *buf, size_t blen,
+                                mbedtls_md_type_t md_alg,
+                                int (*f_rng_blind)(void *, unsigned char *,
+                                                   size_t),
+                                void *p_rng_blind )
+{
+    return( ecdsa_sign_det_internal( grp, r, s, d, buf, blen, md_alg,
+                                     f_rng_blind, p_rng_blind ) );
+}
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
+/*
+ * Verify ECDSA signature of hashed message (SEC1 4.1.4)
+ * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
+ */
+int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
+                  const unsigned char *buf, size_t blen,
+                  const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s)
+{
+    int ret;
+    mbedtls_mpi e, s_inv, u1, u2;
+    mbedtls_ecp_point R;
+
+    mbedtls_ecp_point_init( &R );
+    mbedtls_mpi_init( &e ); mbedtls_mpi_init( &s_inv ); mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 );
+
+    /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
+    if( grp->N.p == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * Step 1: make sure r and s are in range 1..n-1
+     */
+    if( mbedtls_mpi_cmp_int( r, 1 ) < 0 || mbedtls_mpi_cmp_mpi( r, &grp->N ) >= 0 ||
+        mbedtls_mpi_cmp_int( s, 1 ) < 0 || mbedtls_mpi_cmp_mpi( s, &grp->N ) >= 0 )
+    {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+    /*
+     * Additional precaution: make sure Q is valid
+     */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, Q ) );
+
+    /*
+     * Step 3: derive MPI from hashed message
+     */
+    MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
+
+    /*
+     * Step 4: u1 = e / s mod n, u2 = r / s mod n
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &s_inv, s, &grp->N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &u1, &e, &s_inv ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &u1, &u1, &grp->N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &u2, r, &s_inv ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &u2, &u2, &grp->N ) );
+
+    /*
+     * Step 5: R = u1 G + u2 Q
+     *
+     * Since we're not using any secret data, no need to pass a RNG to
+     * mbedtls_ecp_mul() for countermesures.
+     */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( grp, &R, &u1, &grp->G, &u2, Q ) );
+
+    if( mbedtls_ecp_is_zero( &R ) )
+    {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+    /*
+     * Step 6: convert xR to an integer (no-op)
+     * Step 7: reduce xR mod n (gives v)
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &R.X, &R.X, &grp->N ) );
+
+    /*
+     * Step 8: check if v (that is, R.X) is equal to r
+     */
+    if( mbedtls_mpi_cmp_mpi( &R.X, r ) != 0 )
+    {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_point_free( &R );
+    mbedtls_mpi_free( &e ); mbedtls_mpi_free( &s_inv ); mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+
+/*
+ * Convert a signature (given by context) to ASN.1
+ */
+static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s,
+                                    unsigned char *sig, size_t *slen )
+{
+    int ret;
+    unsigned char buf[MBEDTLS_ECDSA_MAX_LEN];
+    unsigned char *p = buf + sizeof( buf );
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, s ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, r ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, buf,
+                                       MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
+
+    memcpy( sig, p, len );
+    *slen = len;
+
+    return( 0 );
+}
+
+/*
+ * Compute and write signature
+ */
+int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
+                           const unsigned char *hash, size_t hlen,
+                           unsigned char *sig, size_t *slen,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng )
+{
+    int ret;
+    mbedtls_mpi r, s;
+
+    mbedtls_mpi_init( &r );
+    mbedtls_mpi_init( &s );
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    MBEDTLS_MPI_CHK( ecdsa_sign_det_internal( &ctx->grp, &r, &s, &ctx->d,
+                                              hash, hlen, md_alg,
+                                              f_rng, p_rng ) );
+#else
+    (void) md_alg;
+
+    MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d,
+                         hash, hlen, f_rng, p_rng ) );
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+    MBEDTLS_MPI_CHK( ecdsa_signature_to_asn1( &r, &s, sig, slen ) );
+
+cleanup:
+    mbedtls_mpi_free( &r );
+    mbedtls_mpi_free( &s );
+
+    return( ret );
+}
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED) && \
+    defined(MBEDTLS_ECDSA_DETERMINISTIC)
+int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
+                               const unsigned char *hash, size_t hlen,
+                               unsigned char *sig, size_t *slen,
+                               mbedtls_md_type_t md_alg )
+{
+    return( mbedtls_ecdsa_write_signature( ctx, md_alg, hash, hlen, sig, slen,
+                                   NULL, NULL ) );
+}
+#endif
+
+/*
+ * Read and check signature
+ */
+int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
+                          const unsigned char *hash, size_t hlen,
+                          const unsigned char *sig, size_t slen )
+{
+    int ret;
+    unsigned char *p = (unsigned char *) sig;
+    const unsigned char *end = sig + slen;
+    size_t len;
+    mbedtls_mpi r, s;
+
+    mbedtls_mpi_init( &r );
+    mbedtls_mpi_init( &s );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    if( p + len != end )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
+              MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+        goto cleanup;
+    }
+
+    if( ( ret = mbedtls_asn1_get_mpi( &p, end, &r ) ) != 0 ||
+        ( ret = mbedtls_asn1_get_mpi( &p, end, &s ) ) != 0 )
+    {
+        ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    if( ( ret = mbedtls_ecdsa_verify( &ctx->grp, hash, hlen,
+                              &ctx->Q, &r, &s ) ) != 0 )
+        goto cleanup;
+
+    /* At this point we know that the buffer starts with a valid signature.
+     * Return 0 if the buffer just contains the signature, and a specific
+     * error code if the valid signature is followed by more data. */
+    if( p != end )
+        ret = MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH;
+
+cleanup:
+    mbedtls_mpi_free( &r );
+    mbedtls_mpi_free( &s );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_ECDSA_GENKEY_ALT)
+/*
+ * Generate key pair
+ */
+int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
+                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret = 0;
+    ret = mbedtls_ecp_group_load( &ctx->grp, gid );
+    if( ret != 0 )
+        return( ret );
+
+   return( mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d,
+                                    &ctx->Q, f_rng, p_rng ) );
+}
+#endif /* MBEDTLS_ECDSA_GENKEY_ALT */
+
+/*
+ * Set context from an mbedtls_ecp_keypair
+ */
+int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key )
+{
+    int ret;
+
+    if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 ||
+        ( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 )
+    {
+        mbedtls_ecdsa_free( ctx );
+    }
+
+    return( ret );
+}
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx )
+{
+    mbedtls_ecp_keypair_init( ctx );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx )
+{
+    mbedtls_ecp_keypair_free( ctx );
+}
+
+#endif /* MBEDTLS_ECDSA_C */
diff --git a/third-party/mbedtls-3.6/library/ecjpake.c b/third-party/mbedtls-3.6/library/ecjpake.c
new file mode 100644
index 00000000..a6f50838
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ecjpake.c
@@ -0,0 +1,1131 @@
+/*
+ *  Elliptic curve J-PAKE
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ * References in the code are to the Thread v1.0 Specification,
+ * available to members of the Thread Group http://threadgroup.org/
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECJPAKE_C)
+
+#include "mbedtls/ecjpake.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+
+/*
+ * Convert a mbedtls_ecjpake_role to identifier string
+ */
+static const char * const ecjpake_id[] = {
+    "client",
+    "server"
+};
+
+#define ID_MINE     ( ecjpake_id[ ctx->role ] )
+#define ID_PEER     ( ecjpake_id[ 1 - ctx->role ] )
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    ctx->md_info = NULL;
+    mbedtls_ecp_group_init( &ctx->grp );
+    ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+    mbedtls_ecp_point_init( &ctx->Xm1 );
+    mbedtls_ecp_point_init( &ctx->Xm2 );
+    mbedtls_ecp_point_init( &ctx->Xp1 );
+    mbedtls_ecp_point_init( &ctx->Xp2 );
+    mbedtls_ecp_point_init( &ctx->Xp  );
+
+    mbedtls_mpi_init( &ctx->xm1 );
+    mbedtls_mpi_init( &ctx->xm2 );
+    mbedtls_mpi_init( &ctx->s   );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    ctx->md_info = NULL;
+    mbedtls_ecp_group_free( &ctx->grp );
+
+    mbedtls_ecp_point_free( &ctx->Xm1 );
+    mbedtls_ecp_point_free( &ctx->Xm2 );
+    mbedtls_ecp_point_free( &ctx->Xp1 );
+    mbedtls_ecp_point_free( &ctx->Xp2 );
+    mbedtls_ecp_point_free( &ctx->Xp  );
+
+    mbedtls_mpi_free( &ctx->xm1 );
+    mbedtls_mpi_free( &ctx->xm2 );
+    mbedtls_mpi_free( &ctx->s   );
+}
+
+/*
+ * Setup context
+ */
+int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
+                           mbedtls_ecjpake_role role,
+                           mbedtls_md_type_t hash,
+                           mbedtls_ecp_group_id curve,
+                           const unsigned char *secret,
+                           size_t len )
+{
+    int ret;
+
+    ctx->role = role;
+
+    if( ( ctx->md_info = mbedtls_md_info_from_type( hash ) ) == NULL )
+        return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ctx->grp, curve ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->s, secret, len ) );
+
+cleanup:
+    if( ret != 0 )
+        mbedtls_ecjpake_free( ctx );
+
+    return( ret );
+}
+
+/*
+ * Check if context is ready for use
+ */
+int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx )
+{
+    if( ctx->md_info == NULL ||
+        ctx->grp.id == MBEDTLS_ECP_DP_NONE ||
+        ctx->s.p == NULL )
+    {
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Write a point plus its length to a buffer
+ */
+static int ecjpake_write_len_point( unsigned char **p,
+                                    const unsigned char *end,
+                                    const mbedtls_ecp_group *grp,
+                                    const int pf,
+                                    const mbedtls_ecp_point *P )
+{
+    int ret;
+    size_t len;
+
+    /* Need at least 4 for length plus 1 for point */
+    if( end < *p || end - *p < 5 )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    ret = mbedtls_ecp_point_write_binary( grp, P, pf,
+                                          &len, *p + 4, end - ( *p + 4 ) );
+    if( ret != 0 )
+        return( ret );
+
+    (*p)[0] = (unsigned char)( ( len >> 24 ) & 0xFF );
+    (*p)[1] = (unsigned char)( ( len >> 16 ) & 0xFF );
+    (*p)[2] = (unsigned char)( ( len >>  8 ) & 0xFF );
+    (*p)[3] = (unsigned char)( ( len       ) & 0xFF );
+
+    *p += 4 + len;
+
+    return( 0 );
+}
+
+/*
+ * Size of the temporary buffer for ecjpake_hash:
+ * 3 EC points plus their length, plus ID and its length (4 + 6 bytes)
+ */
+#define ECJPAKE_HASH_BUF_LEN    ( 3 * ( 4 + MBEDTLS_ECP_MAX_PT_LEN ) + 4 + 6 )
+
+/*
+ * Compute hash for ZKP (7.4.2.2.2.1)
+ */
+static int ecjpake_hash( const mbedtls_md_info_t *md_info,
+                         const mbedtls_ecp_group *grp,
+                         const int pf,
+                         const mbedtls_ecp_point *G,
+                         const mbedtls_ecp_point *V,
+                         const mbedtls_ecp_point *X,
+                         const char *id,
+                         mbedtls_mpi *h )
+{
+    int ret;
+    unsigned char buf[ECJPAKE_HASH_BUF_LEN];
+    unsigned char *p = buf;
+    const unsigned char *end = buf + sizeof( buf );
+    const size_t id_len = strlen( id );
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+
+    /* Write things to temporary buffer */
+    MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, G ) );
+    MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, V ) );
+    MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, X ) );
+
+    if( end - p < 4 )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    *p++ = (unsigned char)( ( id_len >> 24 ) & 0xFF );
+    *p++ = (unsigned char)( ( id_len >> 16 ) & 0xFF );
+    *p++ = (unsigned char)( ( id_len >>  8 ) & 0xFF );
+    *p++ = (unsigned char)( ( id_len       ) & 0xFF );
+
+    if( end < p || (size_t)( end - p ) < id_len )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    memcpy( p, id, id_len );
+    p += id_len;
+
+    /* Compute hash */
+    MBEDTLS_MPI_CHK( mbedtls_md( md_info, buf, p - buf, hash ) );
+
+    /* Turn it into an integer mod n */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( h, hash,
+                                        mbedtls_md_get_size( md_info ) ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( h, h, &grp->N ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Parse a ECShnorrZKP (7.4.2.2.2) and verify it (7.4.2.3.3)
+ */
+static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info,
+                             const mbedtls_ecp_group *grp,
+                             const int pf,
+                             const mbedtls_ecp_point *G,
+                             const mbedtls_ecp_point *X,
+                             const char *id,
+                             const unsigned char **p,
+                             const unsigned char *end )
+{
+    int ret;
+    mbedtls_ecp_point V, VV;
+    mbedtls_mpi r, h;
+    size_t r_len;
+
+    mbedtls_ecp_point_init( &V );
+    mbedtls_ecp_point_init( &VV );
+    mbedtls_mpi_init( &r );
+    mbedtls_mpi_init( &h );
+
+    /*
+     * struct {
+     *     ECPoint V;
+     *     opaque r<1..2^8-1>;
+     * } ECSchnorrZKP;
+     */
+    if( end < *p )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, &V, p, end - *p ) );
+
+    if( end < *p || (size_t)( end - *p ) < 1 )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    r_len = *(*p)++;
+
+    if( end < *p || (size_t)( end - *p ) < r_len )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &r, *p, r_len ) );
+    *p += r_len;
+
+    /*
+     * Verification
+     */
+    MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, pf, G, &V, X, id, &h ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( (mbedtls_ecp_group *) grp,
+                     &VV, &h, X, &r, G ) );
+
+    if( mbedtls_ecp_point_cmp( &VV, &V ) != 0 )
+    {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_point_free( &V );
+    mbedtls_ecp_point_free( &VV );
+    mbedtls_mpi_free( &r );
+    mbedtls_mpi_free( &h );
+
+    return( ret );
+}
+
+/*
+ * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2)
+ */
+static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info,
+                              const mbedtls_ecp_group *grp,
+                              const int pf,
+                              const mbedtls_ecp_point *G,
+                              const mbedtls_mpi *x,
+                              const mbedtls_ecp_point *X,
+                              const char *id,
+                              unsigned char **p,
+                              const unsigned char *end,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int ret;
+    mbedtls_ecp_point V;
+    mbedtls_mpi v;
+    mbedtls_mpi h; /* later recycled to hold r */
+    size_t len;
+
+    if( end < *p )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    mbedtls_ecp_point_init( &V );
+    mbedtls_mpi_init( &v );
+    mbedtls_mpi_init( &h );
+
+    /* Compute signature */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp,
+                                                   G, &v, &V, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, pf, G, &V, X, id, &h ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &h, &h, x ) ); /* x*h */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &h, &v, &h ) ); /* v - x*h */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &h, &h, &grp->N ) ); /* r */
+
+    /* Write it out */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( grp, &V,
+                pf, &len, *p, end - *p ) );
+    *p += len;
+
+    len = mbedtls_mpi_size( &h ); /* actually r */
+    if( end < *p || (size_t)( end - *p ) < 1 + len || len > 255 )
+    {
+        ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+        goto cleanup;
+    }
+
+    *(*p)++ = (unsigned char)( len & 0xFF );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, *p, len ) ); /* r */
+    *p += len;
+
+cleanup:
+    mbedtls_ecp_point_free( &V );
+    mbedtls_mpi_free( &v );
+    mbedtls_mpi_free( &h );
+
+    return( ret );
+}
+
+/*
+ * Parse a ECJPAKEKeyKP (7.4.2.2.1) and check proof
+ * Output: verified public key X
+ */
+static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info,
+                             const mbedtls_ecp_group *grp,
+                             const int pf,
+                             const mbedtls_ecp_point *G,
+                             mbedtls_ecp_point *X,
+                             const char *id,
+                             const unsigned char **p,
+                             const unsigned char *end )
+{
+    int ret;
+
+    if( end < *p )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * struct {
+     *     ECPoint X;
+     *     ECSchnorrZKP zkp;
+     * } ECJPAKEKeyKP;
+     */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, X, p, end - *p ) );
+    if( mbedtls_ecp_is_zero( X ) )
+    {
+        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, grp, pf, G, X, id, p, end ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate an ECJPAKEKeyKP
+ * Output: the serialized structure, plus private/public key pair
+ */
+static int ecjpake_kkp_write( const mbedtls_md_info_t *md_info,
+                              const mbedtls_ecp_group *grp,
+                              const int pf,
+                              const mbedtls_ecp_point *G,
+                              mbedtls_mpi *x,
+                              mbedtls_ecp_point *X,
+                              const char *id,
+                              unsigned char **p,
+                              const unsigned char *end,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int ret;
+    size_t len;
+
+    if( end < *p )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    /* Generate key (7.4.2.3.1) and write it out */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp, G, x, X,
+                                                   f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( grp, X,
+                pf, &len, *p, end - *p ) );
+    *p += len;
+
+    /* Generate and write proof */
+    MBEDTLS_MPI_CHK( ecjpake_zkp_write( md_info, grp, pf, G, x, X, id,
+                                        p, end, f_rng, p_rng ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Read a ECJPAKEKeyKPPairList (7.4.2.3) and check proofs
+ * Ouputs: verified peer public keys Xa, Xb
+ */
+static int ecjpake_kkpp_read( const mbedtls_md_info_t *md_info,
+                              const mbedtls_ecp_group *grp,
+                              const int pf,
+                              const mbedtls_ecp_point *G,
+                              mbedtls_ecp_point *Xa,
+                              mbedtls_ecp_point *Xb,
+                              const char *id,
+                              const unsigned char *buf,
+                              size_t len )
+{
+    int ret;
+    const unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+
+    /*
+     * struct {
+     *     ECJPAKEKeyKP ecjpake_key_kp_pair_list[2];
+     * } ECJPAKEKeyKPPairList;
+     */
+    MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, pf, G, Xa, id, &p, end ) );
+    MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, pf, G, Xb, id, &p, end ) );
+
+    if( p != end )
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate a ECJPAKEKeyKPPairList
+ * Outputs: the serialized structure, plus two private/public key pairs
+ */
+static int ecjpake_kkpp_write( const mbedtls_md_info_t *md_info,
+                               const mbedtls_ecp_group *grp,
+                               const int pf,
+                               const mbedtls_ecp_point *G,
+                               mbedtls_mpi *xm1,
+                               mbedtls_ecp_point *Xa,
+                               mbedtls_mpi *xm2,
+                               mbedtls_ecp_point *Xb,
+                               const char *id,
+                               unsigned char *buf,
+                               size_t len,
+                               size_t *olen,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng )
+{
+    int ret;
+    unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+
+    MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, pf, G, xm1, Xa, id,
+                &p, end, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, pf, G, xm2, Xb, id,
+                &p, end, f_rng, p_rng ) );
+
+    *olen = p - buf;
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Read and process the first round message
+ */
+int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
+                                    const unsigned char *buf,
+                                    size_t len )
+{
+    return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, ctx->point_format,
+                               &ctx->grp.G,
+                               &ctx->Xp1, &ctx->Xp2, ID_PEER,
+                               buf, len ) );
+}
+
+/*
+ * Generate and write the first round message
+ */
+int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng )
+{
+    return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, ctx->point_format,
+                                &ctx->grp.G,
+                                &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2,
+                                ID_MINE, buf, len, olen, f_rng, p_rng ) );
+}
+
+/*
+ * Compute the sum of three points R = A + B + C
+ */
+static int ecjpake_ecp_add3( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                             const mbedtls_ecp_point *A,
+                             const mbedtls_ecp_point *B,
+                             const mbedtls_ecp_point *C )
+{
+    int ret;
+    mbedtls_mpi one;
+
+    mbedtls_mpi_init( &one );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( grp, R, &one, A, &one, B ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( grp, R, &one, R, &one, C ) );
+
+cleanup:
+    mbedtls_mpi_free( &one );
+
+    return( ret );
+}
+
+/*
+ * Read and process second round message (C: 7.4.2.5, S: 7.4.2.6)
+ */
+int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
+                                            const unsigned char *buf,
+                                            size_t len )
+{
+    int ret;
+    const unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+    mbedtls_ecp_group grp;
+    mbedtls_ecp_point G;    /* C: GB, S: GA */
+
+    mbedtls_ecp_group_init( &grp );
+    mbedtls_ecp_point_init( &G );
+
+    /*
+     * Server: GA = X3  + X4  + X1      (7.4.2.6.1)
+     * Client: GB = X1  + X2  + X3      (7.4.2.5.1)
+     * Unified: G = Xm1 + Xm2 + Xp1
+     * We need that before parsing in order to check Xp as we read it
+     */
+    MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &G,
+                                       &ctx->Xm1, &ctx->Xm2, &ctx->Xp1 ) );
+
+    /*
+     * struct {
+     *     ECParameters curve_params;   // only client reading server msg
+     *     ECJPAKEKeyKP ecjpake_key_kp;
+     * } Client/ServerECJPAKEParams;
+     */
+    if( ctx->role == MBEDTLS_ECJPAKE_CLIENT )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_group( &grp, &p, len ) );
+        if( grp.id != ctx->grp.id )
+        {
+            ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+            goto cleanup;
+        }
+    }
+
+    MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_info, &ctx->grp,
+                            ctx->point_format,
+                            &G, &ctx->Xp, ID_PEER, &p, end ) );
+
+    if( p != end )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_group_free( &grp );
+    mbedtls_ecp_point_free( &G );
+
+    return( ret );
+}
+
+/*
+ * Compute R = +/- X * S mod N, taking care not to leak S
+ */
+static int ecjpake_mul_secret( mbedtls_mpi *R, int sign,
+                               const mbedtls_mpi *X,
+                               const mbedtls_mpi *S,
+                               const mbedtls_mpi *N,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng )
+{
+    int ret;
+    mbedtls_mpi b; /* Blinding value, then s + N * blinding */
+
+    mbedtls_mpi_init( &b );
+
+    /* b = s + rnd-128-bit * N */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &b, 16, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &b, &b, N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &b, &b, S ) );
+
+    /* R = sign * X * b mod N */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( R, X, &b ) );
+    R->s *= sign;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( R, R, N ) );
+
+cleanup:
+    mbedtls_mpi_free( &b );
+
+    return( ret );
+}
+
+/*
+ * Generate and write the second round message (S: 7.4.2.5, C: 7.4.2.6)
+ */
+int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng )
+{
+    int ret;
+    mbedtls_ecp_point G;    /* C: GA, S: GB */
+    mbedtls_ecp_point Xm;   /* C: Xc, S: Xs */
+    mbedtls_mpi xm;         /* C: xc, S: xs */
+    unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+    size_t ec_len;
+
+    mbedtls_ecp_point_init( &G );
+    mbedtls_ecp_point_init( &Xm );
+    mbedtls_mpi_init( &xm );
+
+    /*
+     * First generate private/public key pair (S: 7.4.2.5.1, C: 7.4.2.6.1)
+     *
+     * Client:  GA = X1  + X3  + X4  | xs = x2  * s | Xc = xc * GA
+     * Server:  GB = X3  + X1  + X2  | xs = x4  * s | Xs = xs * GB
+     * Unified: G  = Xm1 + Xp1 + Xp2 | xm = xm2 * s | Xm = xm * G
+     */
+    MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &G,
+                                       &ctx->Xp1, &ctx->Xp2, &ctx->Xm1 ) );
+    MBEDTLS_MPI_CHK( ecjpake_mul_secret( &xm, 1, &ctx->xm2, &ctx->s,
+                                         &ctx->grp.N, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &Xm, &xm, &G, f_rng, p_rng ) );
+
+    /*
+     * Now write things out
+     *
+     * struct {
+     *     ECParameters curve_params;   // only server writing its message
+     *     ECJPAKEKeyKP ecjpake_key_kp;
+     * } Client/ServerECJPAKEParams;
+     */
+    if( ctx->role == MBEDTLS_ECJPAKE_SERVER )
+    {
+        if( end < p )
+        {
+            ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+            goto cleanup;
+        }
+        MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_group( &ctx->grp, &ec_len,
+                                                      p, end - p ) );
+        p += ec_len;
+    }
+
+    if( end < p )
+    {
+        ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+        goto cleanup;
+    }
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( &ctx->grp, &Xm,
+                     ctx->point_format, &ec_len, p, end - p ) );
+    p += ec_len;
+
+    MBEDTLS_MPI_CHK( ecjpake_zkp_write( ctx->md_info, &ctx->grp,
+                                        ctx->point_format,
+                                        &G, &xm, &Xm, ID_MINE,
+                                        &p, end, f_rng, p_rng ) );
+
+    *olen = p - buf;
+
+cleanup:
+    mbedtls_ecp_point_free( &G );
+    mbedtls_ecp_point_free( &Xm );
+    mbedtls_mpi_free( &xm );
+
+    return( ret );
+}
+
+/*
+ * Derive PMS (7.4.2.7 / 7.4.2.8)
+ */
+int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng )
+{
+    int ret;
+    mbedtls_ecp_point K;
+    mbedtls_mpi m_xm2_s, one;
+    unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
+    size_t x_bytes;
+
+    *olen = mbedtls_md_get_size( ctx->md_info );
+    if( len < *olen )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    mbedtls_ecp_point_init( &K );
+    mbedtls_mpi_init( &m_xm2_s );
+    mbedtls_mpi_init( &one );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) );
+
+    /*
+     * Client:  K = ( Xs - X4  * x2  * s ) * x2
+     * Server:  K = ( Xc - X2  * x4  * s ) * x4
+     * Unified: K = ( Xp - Xp2 * xm2 * s ) * xm2
+     */
+    MBEDTLS_MPI_CHK( ecjpake_mul_secret( &m_xm2_s, -1, &ctx->xm2, &ctx->s,
+                                         &ctx->grp.N, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &K,
+                                         &one, &ctx->Xp,
+                                         &m_xm2_s, &ctx->Xp2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &K, &ctx->xm2, &K,
+                                      f_rng, p_rng ) );
+
+    /* PMS = SHA-256( K.X ) */
+    x_bytes = ( ctx->grp.pbits + 7 ) / 8;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &K.X, kx, x_bytes ) );
+    MBEDTLS_MPI_CHK( mbedtls_md( ctx->md_info, kx, x_bytes, buf ) );
+
+cleanup:
+    mbedtls_ecp_point_free( &K );
+    mbedtls_mpi_free( &m_xm2_s );
+    mbedtls_mpi_free( &one );
+
+    return( ret );
+}
+
+#undef ID_MINE
+#undef ID_PEER
+
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif
+
+#if !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+    !defined(MBEDTLS_SHA256_C)
+int mbedtls_ecjpake_self_test( int verbose )
+{
+    (void) verbose;
+    return( 0 );
+}
+#else
+
+static const unsigned char ecjpake_test_password[] = {
+    0x74, 0x68, 0x72, 0x65, 0x61, 0x64, 0x6a, 0x70, 0x61, 0x6b, 0x65, 0x74,
+    0x65, 0x73, 0x74
+};
+
+static const unsigned char ecjpake_test_x1[] = {
+    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
+    0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+    0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x21
+};
+
+static const unsigned char ecjpake_test_x2[] = {
+    0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+    0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+    0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
+};
+
+static const unsigned char ecjpake_test_x3[] = {
+    0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+    0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+    0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
+};
+
+static const unsigned char ecjpake_test_x4[] = {
+    0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc,
+    0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8,
+    0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe1
+};
+
+static const unsigned char ecjpake_test_cli_one[] = {
+    0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19,
+    0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44,
+    0xe5, 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad,
+    0xa7, 0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62,
+    0x1f, 0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9,
+    0x06, 0x07, 0x31, 0xf6, 0x94, 0xa4, 0x41, 0x04, 0x1d, 0xd0, 0xbd, 0x5d,
+    0x45, 0x66, 0xc9, 0xbe, 0xd9, 0xce, 0x7d, 0xe7, 0x01, 0xb5, 0xe8, 0x2e,
+    0x08, 0xe8, 0x4b, 0x73, 0x04, 0x66, 0x01, 0x8a, 0xb9, 0x03, 0xc7, 0x9e,
+    0xb9, 0x82, 0x17, 0x22, 0x36, 0xc0, 0xc1, 0x72, 0x8a, 0xe4, 0xbf, 0x73,
+    0x61, 0x0d, 0x34, 0xde, 0x44, 0x24, 0x6e, 0xf3, 0xd9, 0xc0, 0x5a, 0x22,
+    0x36, 0xfb, 0x66, 0xa6, 0x58, 0x3d, 0x74, 0x49, 0x30, 0x8b, 0xab, 0xce,
+    0x20, 0x72, 0xfe, 0x16, 0x66, 0x29, 0x92, 0xe9, 0x23, 0x5c, 0x25, 0x00,
+    0x2f, 0x11, 0xb1, 0x50, 0x87, 0xb8, 0x27, 0x38, 0xe0, 0x3c, 0x94, 0x5b,
+    0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, 0x98, 0x34, 0x58, 0x41, 0x04, 0x7e,
+    0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7, 0x92, 0x62,
+    0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40, 0x9a, 0xc5,
+    0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79, 0x0a, 0xeb,
+    0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1, 0xc3, 0x35,
+    0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3, 0x2b, 0xb0,
+    0x13, 0xbb, 0x2b, 0x41, 0x04, 0xa4, 0x95, 0x58, 0xd3, 0x2e, 0xd1, 0xeb,
+    0xfc, 0x18, 0x16, 0xaf, 0x4f, 0xf0, 0x9b, 0x55, 0xfc, 0xb4, 0xca, 0x47,
+    0xb2, 0xa0, 0x2d, 0x1e, 0x7c, 0xaf, 0x11, 0x79, 0xea, 0x3f, 0xe1, 0x39,
+    0x5b, 0x22, 0xb8, 0x61, 0x96, 0x40, 0x16, 0xfa, 0xba, 0xf7, 0x2c, 0x97,
+    0x56, 0x95, 0xd9, 0x3d, 0x4d, 0xf0, 0xe5, 0x19, 0x7f, 0xe9, 0xf0, 0x40,
+    0x63, 0x4e, 0xd5, 0x97, 0x64, 0x93, 0x77, 0x87, 0xbe, 0x20, 0xbc, 0x4d,
+    0xee, 0xbb, 0xf9, 0xb8, 0xd6, 0x0a, 0x33, 0x5f, 0x04, 0x6c, 0xa3, 0xaa,
+    0x94, 0x1e, 0x45, 0x86, 0x4c, 0x7c, 0xad, 0xef, 0x9c, 0xf7, 0x5b, 0x3d,
+    0x8b, 0x01, 0x0e, 0x44, 0x3e, 0xf0
+};
+
+static const unsigned char ecjpake_test_srv_one[] = {
+    0x41, 0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb,
+    0xd7, 0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18,
+    0x40, 0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47,
+    0x79, 0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f,
+    0xd1, 0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7,
+    0xe3, 0x2b, 0xb0, 0x13, 0xbb, 0x2b, 0x41, 0x04, 0x09, 0xf8, 0x5b, 0x3d,
+    0x20, 0xeb, 0xd7, 0x88, 0x5c, 0xe4, 0x64, 0xc0, 0x8d, 0x05, 0x6d, 0x64,
+    0x28, 0xfe, 0x4d, 0xd9, 0x28, 0x7a, 0xa3, 0x65, 0xf1, 0x31, 0xf4, 0x36,
+    0x0f, 0xf3, 0x86, 0xd8, 0x46, 0x89, 0x8b, 0xc4, 0xb4, 0x15, 0x83, 0xc2,
+    0xa5, 0x19, 0x7f, 0x65, 0xd7, 0x87, 0x42, 0x74, 0x6c, 0x12, 0xa5, 0xec,
+    0x0a, 0x4f, 0xfe, 0x2f, 0x27, 0x0a, 0x75, 0x0a, 0x1d, 0x8f, 0xb5, 0x16,
+    0x20, 0x93, 0x4d, 0x74, 0xeb, 0x43, 0xe5, 0x4d, 0xf4, 0x24, 0xfd, 0x96,
+    0x30, 0x6c, 0x01, 0x17, 0xbf, 0x13, 0x1a, 0xfa, 0xbf, 0x90, 0xa9, 0xd3,
+    0x3d, 0x11, 0x98, 0xd9, 0x05, 0x19, 0x37, 0x35, 0x14, 0x41, 0x04, 0x19,
+    0x0a, 0x07, 0x70, 0x0f, 0xfa, 0x4b, 0xe6, 0xae, 0x1d, 0x79, 0xee, 0x0f,
+    0x06, 0xae, 0xb5, 0x44, 0xcd, 0x5a, 0xdd, 0xaa, 0xbe, 0xdf, 0x70, 0xf8,
+    0x62, 0x33, 0x21, 0x33, 0x2c, 0x54, 0xf3, 0x55, 0xf0, 0xfb, 0xfe, 0xc7,
+    0x83, 0xed, 0x35, 0x9e, 0x5d, 0x0b, 0xf7, 0x37, 0x7a, 0x0f, 0xc4, 0xea,
+    0x7a, 0xce, 0x47, 0x3c, 0x9c, 0x11, 0x2b, 0x41, 0xcc, 0xd4, 0x1a, 0xc5,
+    0x6a, 0x56, 0x12, 0x41, 0x04, 0x36, 0x0a, 0x1c, 0xea, 0x33, 0xfc, 0xe6,
+    0x41, 0x15, 0x64, 0x58, 0xe0, 0xa4, 0xea, 0xc2, 0x19, 0xe9, 0x68, 0x31,
+    0xe6, 0xae, 0xbc, 0x88, 0xb3, 0xf3, 0x75, 0x2f, 0x93, 0xa0, 0x28, 0x1d,
+    0x1b, 0xf1, 0xfb, 0x10, 0x60, 0x51, 0xdb, 0x96, 0x94, 0xa8, 0xd6, 0xe8,
+    0x62, 0xa5, 0xef, 0x13, 0x24, 0xa3, 0xd9, 0xe2, 0x78, 0x94, 0xf1, 0xee,
+    0x4f, 0x7c, 0x59, 0x19, 0x99, 0x65, 0xa8, 0xdd, 0x4a, 0x20, 0x91, 0x84,
+    0x7d, 0x2d, 0x22, 0xdf, 0x3e, 0xe5, 0x5f, 0xaa, 0x2a, 0x3f, 0xb3, 0x3f,
+    0xd2, 0xd1, 0xe0, 0x55, 0xa0, 0x7a, 0x7c, 0x61, 0xec, 0xfb, 0x8d, 0x80,
+    0xec, 0x00, 0xc2, 0xc9, 0xeb, 0x12
+};
+
+static const unsigned char ecjpake_test_srv_two[] = {
+    0x03, 0x00, 0x17, 0x41, 0x04, 0x0f, 0xb2, 0x2b, 0x1d, 0x5d, 0x11, 0x23,
+    0xe0, 0xef, 0x9f, 0xeb, 0x9d, 0x8a, 0x2e, 0x59, 0x0a, 0x1f, 0x4d, 0x7c,
+    0xed, 0x2c, 0x2b, 0x06, 0x58, 0x6e, 0x8f, 0x2a, 0x16, 0xd4, 0xeb, 0x2f,
+    0xda, 0x43, 0x28, 0xa2, 0x0b, 0x07, 0xd8, 0xfd, 0x66, 0x76, 0x54, 0xca,
+    0x18, 0xc5, 0x4e, 0x32, 0xa3, 0x33, 0xa0, 0x84, 0x54, 0x51, 0xe9, 0x26,
+    0xee, 0x88, 0x04, 0xfd, 0x7a, 0xf0, 0xaa, 0xa7, 0xa6, 0x41, 0x04, 0x55,
+    0x16, 0xea, 0x3e, 0x54, 0xa0, 0xd5, 0xd8, 0xb2, 0xce, 0x78, 0x6b, 0x38,
+    0xd3, 0x83, 0x37, 0x00, 0x29, 0xa5, 0xdb, 0xe4, 0x45, 0x9c, 0x9d, 0xd6,
+    0x01, 0xb4, 0x08, 0xa2, 0x4a, 0xe6, 0x46, 0x5c, 0x8a, 0xc9, 0x05, 0xb9,
+    0xeb, 0x03, 0xb5, 0xd3, 0x69, 0x1c, 0x13, 0x9e, 0xf8, 0x3f, 0x1c, 0xd4,
+    0x20, 0x0f, 0x6c, 0x9c, 0xd4, 0xec, 0x39, 0x22, 0x18, 0xa5, 0x9e, 0xd2,
+    0x43, 0xd3, 0xc8, 0x20, 0xff, 0x72, 0x4a, 0x9a, 0x70, 0xb8, 0x8c, 0xb8,
+    0x6f, 0x20, 0xb4, 0x34, 0xc6, 0x86, 0x5a, 0xa1, 0xcd, 0x79, 0x06, 0xdd,
+    0x7c, 0x9b, 0xce, 0x35, 0x25, 0xf5, 0x08, 0x27, 0x6f, 0x26, 0x83, 0x6c
+};
+
+static const unsigned char ecjpake_test_cli_two[] = {
+    0x41, 0x04, 0x69, 0xd5, 0x4e, 0xe8, 0x5e, 0x90, 0xce, 0x3f, 0x12, 0x46,
+    0x74, 0x2d, 0xe5, 0x07, 0xe9, 0x39, 0xe8, 0x1d, 0x1d, 0xc1, 0xc5, 0xcb,
+    0x98, 0x8b, 0x58, 0xc3, 0x10, 0xc9, 0xfd, 0xd9, 0x52, 0x4d, 0x93, 0x72,
+    0x0b, 0x45, 0x54, 0x1c, 0x83, 0xee, 0x88, 0x41, 0x19, 0x1d, 0xa7, 0xce,
+    0xd8, 0x6e, 0x33, 0x12, 0xd4, 0x36, 0x23, 0xc1, 0xd6, 0x3e, 0x74, 0x98,
+    0x9a, 0xba, 0x4a, 0xff, 0xd1, 0xee, 0x41, 0x04, 0x07, 0x7e, 0x8c, 0x31,
+    0xe2, 0x0e, 0x6b, 0xed, 0xb7, 0x60, 0xc1, 0x35, 0x93, 0xe6, 0x9f, 0x15,
+    0xbe, 0x85, 0xc2, 0x7d, 0x68, 0xcd, 0x09, 0xcc, 0xb8, 0xc4, 0x18, 0x36,
+    0x08, 0x91, 0x7c, 0x5c, 0x3d, 0x40, 0x9f, 0xac, 0x39, 0xfe, 0xfe, 0xe8,
+    0x2f, 0x72, 0x92, 0xd3, 0x6f, 0x0d, 0x23, 0xe0, 0x55, 0x91, 0x3f, 0x45,
+    0xa5, 0x2b, 0x85, 0xdd, 0x8a, 0x20, 0x52, 0xe9, 0xe1, 0x29, 0xbb, 0x4d,
+    0x20, 0x0f, 0x01, 0x1f, 0x19, 0x48, 0x35, 0x35, 0xa6, 0xe8, 0x9a, 0x58,
+    0x0c, 0x9b, 0x00, 0x03, 0xba, 0xf2, 0x14, 0x62, 0xec, 0xe9, 0x1a, 0x82,
+    0xcc, 0x38, 0xdb, 0xdc, 0xae, 0x60, 0xd9, 0xc5, 0x4c
+};
+
+static const unsigned char ecjpake_test_pms[] = {
+    0xf3, 0xd4, 0x7f, 0x59, 0x98, 0x44, 0xdb, 0x92, 0xa5, 0x69, 0xbb, 0xe7,
+    0x98, 0x1e, 0x39, 0xd9, 0x31, 0xfd, 0x74, 0x3b, 0xf2, 0x2e, 0x98, 0xf9,
+    0xb4, 0x38, 0xf7, 0x19, 0xd3, 0xc4, 0xf3, 0x51
+};
+
+/* Load my private keys and generate the corresponding public keys */
+static int ecjpake_test_load( mbedtls_ecjpake_context *ctx,
+                              const unsigned char *xm1, size_t len1,
+                              const unsigned char *xm2, size_t len2 )
+{
+    int ret;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->xm1, xm1, len1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->xm2, xm2, len2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &ctx->Xm1, &ctx->xm1,
+                                      &ctx->grp.G, NULL, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &ctx->Xm2, &ctx->xm2,
+                                      &ctx->grp.G, NULL, NULL ) );
+
+cleanup:
+    return( ret );
+}
+
+/* For tests we don't need a secure RNG;
+ * use the LGC from Numerical Recipes for simplicity */
+static int ecjpake_lgc( void *p, unsigned char *out, size_t len )
+{
+    static uint32_t x = 42;
+    (void) p;
+
+    while( len > 0 )
+    {
+        size_t use_len = len > 4 ? 4 : len;
+        x = 1664525 * x + 1013904223;
+        memcpy( out, &x, use_len );
+        out += use_len;
+        len -= use_len;
+    }
+
+    return( 0 );
+}
+
+#define TEST_ASSERT( x )    \
+    do {                    \
+        if( x )             \
+            ret = 0;        \
+        else                \
+        {                   \
+            ret = 1;        \
+            goto cleanup;   \
+        }                   \
+    } while( 0 )
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ecjpake_self_test( int verbose )
+{
+    int ret;
+    mbedtls_ecjpake_context cli;
+    mbedtls_ecjpake_context srv;
+    unsigned char buf[512], pms[32];
+    size_t len, pmslen;
+
+    mbedtls_ecjpake_init( &cli );
+    mbedtls_ecjpake_init( &srv );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECJPAKE test #0 (setup): " );
+
+    TEST_ASSERT( mbedtls_ecjpake_setup( &cli, MBEDTLS_ECJPAKE_CLIENT,
+                    MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
+                    ecjpake_test_password,
+            sizeof( ecjpake_test_password ) ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_setup( &srv, MBEDTLS_ECJPAKE_SERVER,
+                    MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
+                    ecjpake_test_password,
+            sizeof( ecjpake_test_password ) ) == 0 );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECJPAKE test #1 (random handshake): " );
+
+    TEST_ASSERT( mbedtls_ecjpake_write_round_one( &cli,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &srv, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_write_round_one( &srv,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &cli, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_write_round_two( &srv,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &cli, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_derive_secret( &cli,
+                 pms, sizeof( pms ), &pmslen, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_write_round_two( &cli,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &srv, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_derive_secret( &srv,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( len == pmslen );
+    TEST_ASSERT( memcmp( buf, pms, len ) == 0 );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECJPAKE test #2 (reference handshake): " );
+
+    /* Simulate generation of round one */
+    MBEDTLS_MPI_CHK( ecjpake_test_load( &cli,
+                ecjpake_test_x1, sizeof( ecjpake_test_x1 ),
+                ecjpake_test_x2, sizeof( ecjpake_test_x2 ) ) );
+
+    MBEDTLS_MPI_CHK( ecjpake_test_load( &srv,
+                ecjpake_test_x3, sizeof( ecjpake_test_x3 ),
+                ecjpake_test_x4, sizeof( ecjpake_test_x4 ) ) );
+
+    /* Read round one */
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &srv,
+                                    ecjpake_test_cli_one,
+                            sizeof( ecjpake_test_cli_one ) ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &cli,
+                                    ecjpake_test_srv_one,
+                            sizeof( ecjpake_test_srv_one ) ) == 0 );
+
+    /* Skip generation of round two, read round two */
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &cli,
+                                    ecjpake_test_srv_two,
+                            sizeof( ecjpake_test_srv_two ) ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &srv,
+                                    ecjpake_test_cli_two,
+                            sizeof( ecjpake_test_cli_two ) ) == 0 );
+
+    /* Server derives PMS */
+    TEST_ASSERT( mbedtls_ecjpake_derive_secret( &srv,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( len == sizeof( ecjpake_test_pms ) );
+    TEST_ASSERT( memcmp( buf, ecjpake_test_pms, len ) == 0 );
+
+    memset( buf, 0, len ); /* Avoid interferences with next step */
+
+    /* Client derives PMS */
+    TEST_ASSERT( mbedtls_ecjpake_derive_secret( &cli,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( len == sizeof( ecjpake_test_pms ) );
+    TEST_ASSERT( memcmp( buf, ecjpake_test_pms, len ) == 0 );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+cleanup:
+    mbedtls_ecjpake_free( &cli );
+    mbedtls_ecjpake_free( &srv );
+
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( ret );
+}
+
+#undef TEST_ASSERT
+
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED && MBEDTLS_SHA256_C */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ECJPAKE_C */
diff --git a/third-party/mbedtls-3.6/library/ecp.c b/third-party/mbedtls-3.6/library/ecp.c
new file mode 100644
index 00000000..897c01e1
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ecp.c
@@ -0,0 +1,2633 @@
+/*
+ *  Elliptic curves over GF(p): generic functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ * References:
+ *
+ * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
+ * GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
+ * FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
+ * RFC 4492 for the related TLS structures and constants
+ *
+ * [Curve25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf
+ *
+ * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
+ *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
+ *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
+ *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
+ *
+ * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
+ *     render ECC resistant against Side Channel Attacks. IACR Cryptology
+ *     ePrint Archive, 2004, vol. 2004, p. 342.
+ *     <http://eprint.iacr.org/2004/342.pdf>
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/threading.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECP_ALT)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_printf     printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include "mbedtls/ecp_internal.h"
+
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+#if defined(MBEDTLS_HMAC_DRBG_C)
+#include "mbedtls/hmac_drbg.h"
+#elif defined(MBEDTLS_CTR_DRBG_C)
+#include "mbedtls/ctr_drbg.h"
+#elif defined(MBEDTLS_SHA512_C)
+#include "mbedtls/sha512.h"
+#elif defined(MBEDTLS_SHA256_C)
+#include "mbedtls/sha256.h"
+#else
+#error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
+#endif
+#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Counts of point addition and doubling, and field multiplications.
+ * Used to test resistance of point multiplication to simple timing attacks.
+ */
+static unsigned long add_count, dbl_count, mul_count;
+#endif
+
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+/*
+ * Currently ecp_mul() takes a RNG function as an argument, used for
+ * side-channel protection, but it can be NULL. The initial reasoning was
+ * that people will pass non-NULL RNG when they care about side-channels, but
+ * unfortunately we have some APIs that call ecp_mul() with a NULL RNG, with
+ * no opportunity for the user to do anything about it.
+ *
+ * The obvious strategies for addressing that include:
+ * - change those APIs so that they take RNG arguments;
+ * - require a global RNG to be available to all crypto modules.
+ *
+ * Unfortunately those would break compatibility. So what we do instead is
+ * have our own internal DRBG instance, seeded from the secret scalar.
+ *
+ * The following is a light-weight abstraction layer for doing that with
+ * HMAC_DRBG (first choice) or CTR_DRBG.
+ */
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+
+/* DRBG context type */
+typedef mbedtls_hmac_drbg_context ecp_drbg_context;
+
+/* DRBG context init */
+static inline void ecp_drbg_init( ecp_drbg_context *ctx )
+{
+    mbedtls_hmac_drbg_init( ctx );
+}
+
+/* DRBG context free */
+static inline void ecp_drbg_free( ecp_drbg_context *ctx )
+{
+    mbedtls_hmac_drbg_free( ctx );
+}
+
+/* DRBG function */
+static inline int ecp_drbg_random( void *p_rng,
+                                   unsigned char *output, size_t output_len )
+{
+    return( mbedtls_hmac_drbg_random( p_rng, output, output_len ) );
+}
+
+/* DRBG context seeding */
+static int ecp_drbg_seed( ecp_drbg_context *ctx,
+                   const mbedtls_mpi *secret, size_t secret_len )
+{
+    int ret;
+    unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
+    /* The list starts with strong hashes */
+    const mbedtls_md_type_t md_type = mbedtls_md_list()[0];
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_type );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( secret,
+                                               secret_bytes, secret_len ) );
+
+    ret = mbedtls_hmac_drbg_seed_buf( ctx, md_info, secret_bytes, secret_len );
+
+cleanup:
+    mbedtls_zeroize( secret_bytes, secret_len );
+
+    return( ret );
+}
+
+#elif defined(MBEDTLS_CTR_DRBG_C)
+
+/* DRBG context type */
+typedef mbedtls_ctr_drbg_context ecp_drbg_context;
+
+/* DRBG context init */
+static inline void ecp_drbg_init( ecp_drbg_context *ctx )
+{
+    mbedtls_ctr_drbg_init( ctx );
+}
+
+/* DRBG context free */
+static inline void ecp_drbg_free( ecp_drbg_context *ctx )
+{
+    mbedtls_ctr_drbg_free( ctx );
+}
+
+/* DRBG function */
+static inline int ecp_drbg_random( void *p_rng,
+                                   unsigned char *output, size_t output_len )
+{
+    return( mbedtls_ctr_drbg_random( p_rng, output, output_len ) );
+}
+
+/*
+ * Since CTR_DRBG doesn't have a seed_buf() function the way HMAC_DRBG does,
+ * we need to pass an entropy function when seeding. So we use a dummy
+ * function for that, and pass the actual entropy as customisation string.
+ * (During seeding of CTR_DRBG the entropy input and customisation string are
+ * concatenated before being used to update the secret state.)
+ */
+static int ecp_ctr_drbg_null_entropy(void *ctx, unsigned char *out, size_t len)
+{
+    (void) ctx;
+    memset( out, 0, len );
+    return( 0 );
+}
+
+/* DRBG context seeding */
+static int ecp_drbg_seed( ecp_drbg_context *ctx,
+                   const mbedtls_mpi *secret, size_t secret_len )
+{
+    int ret;
+    unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( secret,
+                                               secret_bytes, secret_len ) );
+
+    ret = mbedtls_ctr_drbg_seed( ctx, ecp_ctr_drbg_null_entropy, NULL,
+                                 secret_bytes, secret_len );
+
+cleanup:
+    mbedtls_zeroize( secret_bytes, secret_len );
+
+    return( ret );
+}
+
+#elif defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_SHA256_C)
+
+/* This will be used in the self-test function */
+#define ECP_ONE_STEP_KDF
+
+/*
+ * We need to expand secret data (the scalar) into a longer stream of bytes.
+ *
+ * We'll use the One-Step KDF from NIST SP 800-56C, with option 1 (H is a hash
+ * function) and empty FixedInfo. (Though we'll make it fit the DRBG API for
+ * convenience, this is not a full-fledged DRBG, but we don't need one here.)
+ *
+ * We need a basic hash abstraction layer to use whatever SHA-2 is available.
+ */
+#if defined(MBEDTLS_SHA512_C)
+
+#define HASH_FUNC( in, ilen, out )  mbedtls_sha512_ret( in, ilen, out, 0 );
+#define HASH_BLOCK_BYTES            ( 512 / 8 )
+
+#elif defined(MBEDTLS_SHA256_C)
+
+#define HASH_FUNC( in, ilen, out )  mbedtls_sha256_ret( in, ilen, out, 0 );
+#define HASH_BLOCK_BYTES            ( 256 / 8 )
+
+#endif /* SHA512/SHA256 abstraction */
+
+/*
+ * State consists of a 32-bit counter plus the secret value.
+ *
+ * We stored them concatenated in a single buffer as that's what will get
+ * passed to the hash function.
+ */
+typedef struct {
+    size_t total_len;
+    uint8_t buf[4 + MBEDTLS_ECP_MAX_BYTES];
+} ecp_drbg_context;
+
+static void ecp_drbg_init( ecp_drbg_context *ctx )
+{
+    memset( ctx, 0, sizeof( ecp_drbg_context ) );
+}
+
+static void ecp_drbg_free( ecp_drbg_context *ctx )
+{
+    mbedtls_zeroize( ctx, sizeof( ecp_drbg_context ) );
+}
+
+static int ecp_drbg_seed( ecp_drbg_context *ctx,
+                   const mbedtls_mpi *secret, size_t secret_len )
+{
+    ctx->total_len = 4 + secret_len;
+    memset( ctx->buf, 0, 4);
+    return( mbedtls_mpi_write_binary( secret, ctx->buf + 4, secret_len ) );
+}
+
+static int ecp_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
+{
+    ecp_drbg_context *ctx = p_rng;
+    int ret;
+    size_t len_done = 0;
+    uint8_t tmp[HASH_BLOCK_BYTES];
+
+    while( len_done < output_len )
+    {
+        uint8_t use_len;
+
+        /* This function is only called for coordinate randomisation, which
+         * happens only twice in a scalar multiplication. Each time needs a
+         * random value in the range [2, p-1], and gets it by drawing len(p)
+         * bytes from this function, and retrying up to 10 times if unlucky.
+         *
+         * So for the largest curve, each scalar multiplication draws at most
+         * 20 * 66 bytes. The minimum block size is 32 (SHA-256), so with
+         * rounding that means a most 20 * 3 blocks.
+         *
+         * Since we don't need to draw more that 255 blocks, don't bother
+         * with carry propagation and just return an error instead. We can
+         * change that it we even need to draw more blinding values.
+         */
+        ctx->buf[3] += 1;
+        if( ctx->buf[3] == 0 )
+            return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+
+        ret = HASH_FUNC( ctx->buf, ctx->total_len, tmp );
+        if( ret != 0 )
+            return( ret );
+
+        if( output_len - len_done > HASH_BLOCK_BYTES )
+            use_len = HASH_BLOCK_BYTES;
+        else
+            use_len = output_len - len_done;
+
+        memcpy( output + len_done, tmp, use_len );
+        len_done += use_len;
+    }
+
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
+
+    return( 0 );
+}
+
+#else /* DRBG/SHA modules */
+#error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
+#endif /* DRBG/SHA modules */
+#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)   ||   \
+    defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)   ||   \
+    defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   ||   \
+    defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#define ECP_SHORTWEIERSTRASS
+#endif
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#define ECP_MONTGOMERY
+#endif
+
+/*
+ * Curve types: internal for now, might be exposed later
+ */
+typedef enum
+{
+    ECP_TYPE_NONE = 0,
+    ECP_TYPE_SHORT_WEIERSTRASS,    /* y^2 = x^3 + a x + b      */
+    ECP_TYPE_MONTGOMERY,           /* y^2 = x^3 + a x^2 + x    */
+} ecp_curve_type;
+
+/*
+ * List of supported curves:
+ *  - internal ID
+ *  - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2)
+ *  - size in bits
+ *  - readable name
+ *
+ * Curves are listed in order: largest curves first, and for a given size,
+ * fastest curves first. This provides the default order for the SSL module.
+ *
+ * Reminder: update profiles in x509_crt.c when adding a new curves!
+ */
+static const mbedtls_ecp_curve_info ecp_supported_curves[] =
+{
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP521R1,    25,     521,    "secp521r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+    { MBEDTLS_ECP_DP_BP512R1,      28,     512,    "brainpoolP512r1"   },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP384R1,    24,     384,    "secp384r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+    { MBEDTLS_ECP_DP_BP384R1,      27,     384,    "brainpoolP384r1"   },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP256R1,    23,     256,    "secp256r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP256K1,    22,     256,    "secp256k1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+    { MBEDTLS_ECP_DP_BP256R1,      26,     256,    "brainpoolP256r1"   },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP224R1,    21,     224,    "secp224r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP224K1,    20,     224,    "secp224k1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP192R1,    19,     192,    "secp192r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP192K1,    18,     192,    "secp192k1"         },
+#endif
+    { MBEDTLS_ECP_DP_NONE,          0,     0,      NULL                },
+};
+
+#define ECP_NB_CURVES   sizeof( ecp_supported_curves ) /    \
+                        sizeof( ecp_supported_curves[0] )
+
+static mbedtls_ecp_group_id ecp_supported_grp_id[ECP_NB_CURVES];
+
+/*
+ * List of supported curves and associated info
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void )
+{
+    return( ecp_supported_curves );
+}
+
+/*
+ * List of supported curves, group ID only
+ */
+const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void )
+{
+    static int init_done = 0;
+
+    if( ! init_done )
+    {
+        size_t i = 0;
+        const mbedtls_ecp_curve_info *curve_info;
+
+        for( curve_info = mbedtls_ecp_curve_list();
+             curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+             curve_info++ )
+        {
+            ecp_supported_grp_id[i++] = curve_info->grp_id;
+        }
+        ecp_supported_grp_id[i] = MBEDTLS_ECP_DP_NONE;
+
+        init_done = 1;
+    }
+
+    return( ecp_supported_grp_id );
+}
+
+/*
+ * Get the curve info for the internal identifier
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+
+    for( curve_info = mbedtls_ecp_curve_list();
+         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+         curve_info++ )
+    {
+        if( curve_info->grp_id == grp_id )
+            return( curve_info );
+    }
+
+    return( NULL );
+}
+
+/*
+ * Get the curve info from the TLS identifier
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+
+    for( curve_info = mbedtls_ecp_curve_list();
+         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+         curve_info++ )
+    {
+        if( curve_info->tls_id == tls_id )
+            return( curve_info );
+    }
+
+    return( NULL );
+}
+
+/*
+ * Get the curve info from the name
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+
+    for( curve_info = mbedtls_ecp_curve_list();
+         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+         curve_info++ )
+    {
+        if( strcmp( curve_info->name, name ) == 0 )
+            return( curve_info );
+    }
+
+    return( NULL );
+}
+
+/*
+ * Get the type of a curve
+ */
+static inline ecp_curve_type ecp_get_type( const mbedtls_ecp_group *grp )
+{
+    if( grp->G.X.p == NULL )
+        return( ECP_TYPE_NONE );
+
+    if( grp->G.Y.p == NULL )
+        return( ECP_TYPE_MONTGOMERY );
+    else
+        return( ECP_TYPE_SHORT_WEIERSTRASS );
+}
+
+/*
+ * Initialize (the components of) a point
+ */
+void mbedtls_ecp_point_init( mbedtls_ecp_point *pt )
+{
+    if( pt == NULL )
+        return;
+
+    mbedtls_mpi_init( &pt->X );
+    mbedtls_mpi_init( &pt->Y );
+    mbedtls_mpi_init( &pt->Z );
+}
+
+/*
+ * Initialize (the components of) a group
+ */
+void mbedtls_ecp_group_init( mbedtls_ecp_group *grp )
+{
+    if( grp == NULL )
+        return;
+
+    memset( grp, 0, sizeof( mbedtls_ecp_group ) );
+}
+
+/*
+ * Initialize (the components of) a key pair
+ */
+void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key )
+{
+    if( key == NULL )
+        return;
+
+    mbedtls_ecp_group_init( &key->grp );
+    mbedtls_mpi_init( &key->d );
+    mbedtls_ecp_point_init( &key->Q );
+}
+
+/*
+ * Unallocate (the components of) a point
+ */
+void mbedtls_ecp_point_free( mbedtls_ecp_point *pt )
+{
+    if( pt == NULL )
+        return;
+
+    mbedtls_mpi_free( &( pt->X ) );
+    mbedtls_mpi_free( &( pt->Y ) );
+    mbedtls_mpi_free( &( pt->Z ) );
+}
+
+/*
+ * Unallocate (the components of) a group
+ */
+void mbedtls_ecp_group_free( mbedtls_ecp_group *grp )
+{
+    size_t i;
+
+    if( grp == NULL )
+        return;
+
+    if( grp->h != 1 )
+    {
+        mbedtls_mpi_free( &grp->P );
+        mbedtls_mpi_free( &grp->A );
+        mbedtls_mpi_free( &grp->B );
+        mbedtls_ecp_point_free( &grp->G );
+        mbedtls_mpi_free( &grp->N );
+    }
+
+    if( grp->T != NULL )
+    {
+        for( i = 0; i < grp->T_size; i++ )
+            mbedtls_ecp_point_free( &grp->T[i] );
+        mbedtls_free( grp->T );
+    }
+
+    mbedtls_zeroize( grp, sizeof( mbedtls_ecp_group ) );
+}
+
+/*
+ * Unallocate (the components of) a key pair
+ */
+void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key )
+{
+    if( key == NULL )
+        return;
+
+    mbedtls_ecp_group_free( &key->grp );
+    mbedtls_mpi_free( &key->d );
+    mbedtls_ecp_point_free( &key->Q );
+}
+
+/*
+ * Copy the contents of a point
+ */
+int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q )
+{
+    int ret;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->X, &Q->X ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->Y, &Q->Y ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->Z, &Q->Z ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Copy the contents of a group object
+ */
+int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src )
+{
+    return mbedtls_ecp_group_load( dst, src->id );
+}
+
+/*
+ * Set point to zero
+ */
+int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt )
+{
+    int ret;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->X , 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Y , 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z , 0 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Tell if a point is zero
+ */
+int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt )
+{
+    return( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 );
+}
+
+/*
+ * Compare two points lazily
+ */
+int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,
+                           const mbedtls_ecp_point *Q )
+{
+    if( mbedtls_mpi_cmp_mpi( &P->X, &Q->X ) == 0 &&
+        mbedtls_mpi_cmp_mpi( &P->Y, &Q->Y ) == 0 &&
+        mbedtls_mpi_cmp_mpi( &P->Z, &Q->Z ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+}
+
+/*
+ * Import a non-zero point from ASCII strings
+ */
+int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
+                           const char *x, const char *y )
+{
+    int ret;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &P->X, radix, x ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &P->Y, radix, y ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &P->Z, 1 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Export a point into unsigned binary data (SEC1 2.3.3)
+ */
+int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *P,
+                            int format, size_t *olen,
+                            unsigned char *buf, size_t buflen )
+{
+    int ret = 0;
+    size_t plen;
+
+    if( format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
+        format != MBEDTLS_ECP_PF_COMPRESSED )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * Common case: P == 0
+     */
+    if( mbedtls_mpi_cmp_int( &P->Z, 0 ) == 0 )
+    {
+        if( buflen < 1 )
+            return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+        buf[0] = 0x00;
+        *olen = 1;
+
+        return( 0 );
+    }
+
+    plen = mbedtls_mpi_size( &grp->P );
+
+    if( format == MBEDTLS_ECP_PF_UNCOMPRESSED )
+    {
+        *olen = 2 * plen + 1;
+
+        if( buflen < *olen )
+            return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+        buf[0] = 0x04;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->X, buf + 1, plen ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->Y, buf + 1 + plen, plen ) );
+    }
+    else if( format == MBEDTLS_ECP_PF_COMPRESSED )
+    {
+        *olen = plen + 1;
+
+        if( buflen < *olen )
+            return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+        buf[0] = 0x02 + mbedtls_mpi_get_bit( &P->Y, 0 );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->X, buf + 1, plen ) );
+    }
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Import a point from unsigned binary data (SEC1 2.3.4)
+ */
+int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
+                           const unsigned char *buf, size_t ilen )
+{
+    int ret;
+    size_t plen;
+
+    if( ilen < 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( buf[0] == 0x00 )
+    {
+        if( ilen == 1 )
+            return( mbedtls_ecp_set_zero( pt ) );
+        else
+            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    plen = mbedtls_mpi_size( &grp->P );
+
+    if( buf[0] != 0x04 )
+        return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+
+    if( ilen != 2 * plen + 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &pt->X, buf + 1, plen ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &pt->Y, buf + 1 + plen, plen ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z, 1 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Import a point from a TLS ECPoint record (RFC 4492)
+ *      struct {
+ *          opaque point <1..2^8-1>;
+ *      } ECPoint;
+ */
+int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
+                        const unsigned char **buf, size_t buf_len )
+{
+    unsigned char data_len;
+    const unsigned char *buf_start;
+
+    /*
+     * We must have at least two bytes (1 for length, at least one for data)
+     */
+    if( buf_len < 2 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    data_len = *(*buf)++;
+    if( data_len < 1 || data_len > buf_len - 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * Save buffer start for read_binary and update buf
+     */
+    buf_start = *buf;
+    *buf += data_len;
+
+    return mbedtls_ecp_point_read_binary( grp, pt, buf_start, data_len );
+}
+
+/*
+ * Export a point as a TLS ECPoint record (RFC 4492)
+ *      struct {
+ *          opaque point <1..2^8-1>;
+ *      } ECPoint;
+ */
+int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
+                         int format, size_t *olen,
+                         unsigned char *buf, size_t blen )
+{
+    int ret;
+
+    /*
+     * buffer length must be at least one, for our length byte
+     */
+    if( blen < 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_ecp_point_write_binary( grp, pt, format,
+                    olen, buf + 1, blen - 1) ) != 0 )
+        return( ret );
+
+    /*
+     * write length to the first byte and update total length
+     */
+    buf[0] = (unsigned char) *olen;
+    ++*olen;
+
+    return( 0 );
+}
+
+/*
+ * Set a group from an ECParameters record (RFC 4492)
+ */
+int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp, const unsigned char **buf, size_t len )
+{
+    uint16_t tls_id;
+    const mbedtls_ecp_curve_info *curve_info;
+
+    /*
+     * We expect at least three bytes (see below)
+     */
+    if( len < 3 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * First byte is curve_type; only named_curve is handled
+     */
+    if( *(*buf)++ != MBEDTLS_ECP_TLS_NAMED_CURVE )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * Next two bytes are the namedcurve value
+     */
+    tls_id = *(*buf)++;
+    tls_id <<= 8;
+    tls_id |= *(*buf)++;
+
+    if( ( curve_info = mbedtls_ecp_curve_info_from_tls_id( tls_id ) ) == NULL )
+        return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+
+    return mbedtls_ecp_group_load( grp, curve_info->grp_id );
+}
+
+/*
+ * Write the ECParameters record corresponding to a group (RFC 4492)
+ */
+int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
+                         unsigned char *buf, size_t blen )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+
+    if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( grp->id ) ) == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * We are going to write 3 bytes (see below)
+     */
+    *olen = 3;
+    if( blen < *olen )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    /*
+     * First byte is curve_type, always named_curve
+     */
+    *buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
+
+    /*
+     * Next two bytes are the namedcurve value
+     */
+    buf[0] = curve_info->tls_id >> 8;
+    buf[1] = curve_info->tls_id & 0xFF;
+
+    return( 0 );
+}
+
+/*
+ * Wrapper around fast quasi-modp functions, with fall-back to mbedtls_mpi_mod_mpi.
+ * See the documentation of struct mbedtls_ecp_group.
+ *
+ * This function is in the critial loop for mbedtls_ecp_mul, so pay attention to perf.
+ */
+static int ecp_modp( mbedtls_mpi *N, const mbedtls_ecp_group *grp )
+{
+    int ret;
+
+    if( grp->modp == NULL )
+        return( mbedtls_mpi_mod_mpi( N, N, &grp->P ) );
+
+    /* N->s < 0 is a much faster test, which fails only if N is 0 */
+    if( ( N->s < 0 && mbedtls_mpi_cmp_int( N, 0 ) != 0 ) ||
+        mbedtls_mpi_bitlen( N ) > 2 * grp->pbits )
+    {
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    MBEDTLS_MPI_CHK( grp->modp( N ) );
+
+    /* N->s < 0 is a much faster test, which fails only if N is 0 */
+    while( N->s < 0 && mbedtls_mpi_cmp_int( N, 0 ) != 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &grp->P ) );
+
+    while( mbedtls_mpi_cmp_mpi( N, &grp->P ) >= 0 )
+        /* we known P, N and the result are positive */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, N, &grp->P ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Fast mod-p functions expect their argument to be in the 0..p^2 range.
+ *
+ * In order to guarantee that, we need to ensure that operands of
+ * mbedtls_mpi_mul_mpi are in the 0..p range. So, after each operation we will
+ * bring the result back to this range.
+ *
+ * The following macros are shortcuts for doing that.
+ */
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, general case, to use after mbedtls_mpi_mul_mpi
+ */
+#if defined(MBEDTLS_SELF_TEST)
+#define INC_MUL_COUNT   mul_count++;
+#else
+#define INC_MUL_COUNT
+#endif
+
+#define MOD_MUL( N )    do { MBEDTLS_MPI_CHK( ecp_modp( &N, grp ) ); INC_MUL_COUNT } \
+                        while( 0 )
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
+ * N->s < 0 is a very fast test, which fails only if N is 0
+ */
+#define MOD_SUB( N )                                \
+    while( N.s < 0 && mbedtls_mpi_cmp_int( &N, 0 ) != 0 )   \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &N, &N, &grp->P ) )
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
+ * We known P, N and the result are positive, so sub_abs is correct, and
+ * a bit faster.
+ */
+#define MOD_ADD( N )                                \
+    while( mbedtls_mpi_cmp_mpi( &N, &grp->P ) >= 0 )        \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &N, &N, &grp->P ) )
+
+#if defined(ECP_SHORTWEIERSTRASS)
+/*
+ * For curves in short Weierstrass form, we do all the internal operations in
+ * Jacobian coordinates.
+ *
+ * For multiplication, we'll use a comb method with coutermeasueres against
+ * SPA, hence timing attacks.
+ */
+
+/*
+ * Normalize jacobian coordinates so that Z == 0 || Z == 1  (GECC 3.2.1)
+ * Cost: 1N := 1I + 3M + 1S
+ */
+static int ecp_normalize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt )
+{
+    int ret;
+    mbedtls_mpi Zi, ZZi;
+
+    if( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 )
+        return( 0 );
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+    if ( mbedtls_internal_ecp_grp_capable( grp ) )
+    {
+        return mbedtls_internal_ecp_normalize_jac( grp, pt );
+    }
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+    mbedtls_mpi_init( &Zi ); mbedtls_mpi_init( &ZZi );
+
+    /*
+     * X = X / Z^2  mod p
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &Zi,      &pt->Z,     &grp->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ZZi,     &Zi,        &Zi     ) ); MOD_MUL( ZZi );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->X,   &pt->X,     &ZZi    ) ); MOD_MUL( pt->X );
+
+    /*
+     * Y = Y / Z^3  mod p
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Y,   &pt->Y,     &ZZi    ) ); MOD_MUL( pt->Y );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Y,   &pt->Y,     &Zi     ) ); MOD_MUL( pt->Y );
+
+    /*
+     * Z = 1
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z, 1 ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &Zi ); mbedtls_mpi_free( &ZZi );
+
+    return( ret );
+}
+
+/*
+ * Normalize jacobian coordinates of an array of (pointers to) points,
+ * using Montgomery's trick to perform only one inversion mod P.
+ * (See for example Cohen's "A Course in Computational Algebraic Number
+ * Theory", Algorithm 10.3.4.)
+ *
+ * Warning: fails (returning an error) if one of the points is zero!
+ * This should never happen, see choice of w in ecp_mul_comb().
+ *
+ * Cost: 1N(t) := 1I + (6t - 3)M + 1S
+ */
+static int ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
+                                   mbedtls_ecp_point *T[], size_t t_len )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi *c, u, Zi, ZZi;
+
+    if( t_len < 2 )
+        return( ecp_normalize_jac( grp, *T ) );
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+    if ( mbedtls_internal_ecp_grp_capable( grp ) )
+    {
+        return mbedtls_internal_ecp_normalize_jac_many(grp, T, t_len);
+    }
+#endif
+
+    if( ( c = mbedtls_calloc( t_len, sizeof( mbedtls_mpi ) ) ) == NULL )
+        return( MBEDTLS_ERR_ECP_ALLOC_FAILED );
+
+    mbedtls_mpi_init( &u ); mbedtls_mpi_init( &Zi ); mbedtls_mpi_init( &ZZi );
+
+    /*
+     * c[i] = Z_0 * ... * Z_i
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &c[0], &T[0]->Z ) );
+    for( i = 1; i < t_len; i++ )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &c[i], &c[i-1], &T[i]->Z ) );
+        MOD_MUL( c[i] );
+    }
+
+    /*
+     * u = 1 / (Z_0 * ... * Z_n) mod P
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &u, &c[t_len-1], &grp->P ) );
+
+    for( i = t_len - 1; ; i-- )
+    {
+        /*
+         * Zi = 1 / Z_i mod p
+         * u = 1 / (Z_0 * ... * Z_i) mod P
+         */
+        if( i == 0 ) {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Zi, &u ) );
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &Zi, &u, &c[i-1]  ) ); MOD_MUL( Zi );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &u,  &u, &T[i]->Z ) ); MOD_MUL( u );
+        }
+
+        /*
+         * proceed as in normalize()
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ZZi,     &Zi,      &Zi  ) ); MOD_MUL( ZZi );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T[i]->X, &T[i]->X, &ZZi ) ); MOD_MUL( T[i]->X );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T[i]->Y, &T[i]->Y, &ZZi ) ); MOD_MUL( T[i]->Y );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T[i]->Y, &T[i]->Y, &Zi  ) ); MOD_MUL( T[i]->Y );
+
+        /*
+         * Post-precessing: reclaim some memory by shrinking coordinates
+         * - not storing Z (always 1)
+         * - shrinking other coordinates, but still keeping the same number of
+         *   limbs as P, as otherwise it will too likely be regrown too fast.
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shrink( &T[i]->X, grp->P.n ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shrink( &T[i]->Y, grp->P.n ) );
+        mbedtls_mpi_free( &T[i]->Z );
+
+        if( i == 0 )
+            break;
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &u ); mbedtls_mpi_free( &Zi ); mbedtls_mpi_free( &ZZi );
+    for( i = 0; i < t_len; i++ )
+        mbedtls_mpi_free( &c[i] );
+    mbedtls_free( c );
+
+    return( ret );
+}
+
+/*
+ * Conditional point inversion: Q -> -Q = (Q.X, -Q.Y, Q.Z) without leak.
+ * "inv" must be 0 (don't invert) or 1 (invert) or the result will be invalid
+ */
+static int ecp_safe_invert_jac( const mbedtls_ecp_group *grp,
+                            mbedtls_ecp_point *Q,
+                            unsigned char inv )
+{
+    int ret;
+    unsigned char nonzero;
+    mbedtls_mpi mQY;
+
+    mbedtls_mpi_init( &mQY );
+
+    /* Use the fact that -Q.Y mod P = P - Q.Y unless Q.Y == 0 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &mQY, &grp->P, &Q->Y ) );
+    nonzero = mbedtls_mpi_cmp_int( &Q->Y, 0 ) != 0;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &Q->Y, &mQY, inv & nonzero ) );
+
+cleanup:
+    mbedtls_mpi_free( &mQY );
+
+    return( ret );
+}
+
+/*
+ * Point doubling R = 2 P, Jacobian coordinates
+ *
+ * Based on http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2 .
+ *
+ * We follow the variable naming fairly closely. The formula variations that trade a MUL for a SQR
+ * (plus a few ADDs) aren't useful as our bignum implementation doesn't distinguish squaring.
+ *
+ * Standard optimizations are applied when curve parameter A is one of { 0, -3 }.
+ *
+ * Cost: 1D := 3M + 4S          (A ==  0)
+ *             4M + 4S          (A == -3)
+ *             3M + 6S + 1a     otherwise
+ */
+static int ecp_double_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                           const mbedtls_ecp_point *P )
+{
+    int ret;
+    mbedtls_mpi M, S, T, U;
+
+#if defined(MBEDTLS_SELF_TEST)
+    dbl_count++;
+#endif
+
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+    if ( mbedtls_internal_ecp_grp_capable( grp ) )
+    {
+        return mbedtls_internal_ecp_double_jac( grp, R, P );
+    }
+#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
+
+    mbedtls_mpi_init( &M ); mbedtls_mpi_init( &S ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &U );
+
+    /* Special case for A = -3 */
+    if( grp->A.p == NULL )
+    {
+        /* M = 3(X + Z^2)(X - Z^2) */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->Z,  &P->Z   ) ); MOD_MUL( S );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T,  &P->X,  &S      ) ); MOD_ADD( T );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U,  &P->X,  &S      ) ); MOD_SUB( U );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &T,     &U      ) ); MOD_MUL( S );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M,  &S,     3       ) ); MOD_ADD( M );
+    }
+    else
+    {
+        /* M = 3.X^2 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->X,  &P->X   ) ); MOD_MUL( S );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M,  &S,     3       ) ); MOD_ADD( M );
+
+        /* Optimize away for "koblitz" curves with A = 0 */
+        if( mbedtls_mpi_cmp_int( &grp->A, 0 ) != 0 )
+        {
+            /* M += A.Z^4 */
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->Z,  &P->Z   ) ); MOD_MUL( S );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T,  &S,     &S      ) ); MOD_MUL( T );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &T,     &grp->A ) ); MOD_MUL( S );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M,  &M,     &S      ) ); MOD_ADD( M );
+        }
+    }
+
+    /* S = 4.X.Y^2 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T,  &P->Y,  &P->Y   ) ); MOD_MUL( T );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T,  1               ) ); MOD_ADD( T );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->X,  &T      ) ); MOD_MUL( S );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &S,  1               ) ); MOD_ADD( S );
+
+    /* U = 8.Y^4 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &U,  &T,     &T      ) ); MOD_MUL( U );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &U,  1               ) ); MOD_ADD( U );
+
+    /* T = M^2 - 2.S */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T,  &M,     &M      ) ); MOD_MUL( T );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T,  &T,     &S      ) ); MOD_SUB( T );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T,  &T,     &S      ) ); MOD_SUB( T );
+
+    /* S = M(S - T) - U */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &S,  &S,     &T      ) ); MOD_SUB( S );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &S,     &M      ) ); MOD_MUL( S );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &S,  &S,     &U      ) ); MOD_SUB( S );
+
+    /* U = 2.Y.Z */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &U,  &P->Y,  &P->Z   ) ); MOD_MUL( U );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &U,  1               ) ); MOD_ADD( U );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->X, &T ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Y, &S ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Z, &U ) );
+
+cleanup:
+    mbedtls_mpi_free( &M ); mbedtls_mpi_free( &S ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &U );
+
+    return( ret );
+}
+
+/*
+ * Addition: R = P + Q, mixed affine-Jacobian coordinates (GECC 3.22)
+ *
+ * The coordinates of Q must be normalized (= affine),
+ * but those of P don't need to. R is not normalized.
+ *
+ * Special cases: (1) P or Q is zero, (2) R is zero, (3) P == Q.
+ * None of these cases can happen as intermediate step in ecp_mul_comb():
+ * - at each step, P, Q and R are multiples of the base point, the factor
+ *   being less than its order, so none of them is zero;
+ * - Q is an odd multiple of the base point, P an even multiple,
+ *   due to the choice of precomputed points in the modified comb method.
+ * So branches for these cases do not leak secret information.
+ *
+ * We accept Q->Z being unset (saving memory in tables) as meaning 1.
+ *
+ * Cost: 1A := 8M + 3S
+ */
+static int ecp_add_mixed( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                          const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q )
+{
+    int ret;
+    mbedtls_mpi T1, T2, T3, T4, X, Y, Z;
+
+#if defined(MBEDTLS_SELF_TEST)
+    add_count++;
+#endif
+
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+    if ( mbedtls_internal_ecp_grp_capable( grp ) )
+    {
+        return mbedtls_internal_ecp_add_mixed( grp, R, P, Q );
+    }
+#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
+
+    /*
+     * Trivial cases: P == 0 or Q == 0 (case 1)
+     */
+    if( mbedtls_mpi_cmp_int( &P->Z, 0 ) == 0 )
+        return( mbedtls_ecp_copy( R, Q ) );
+
+    if( Q->Z.p != NULL && mbedtls_mpi_cmp_int( &Q->Z, 0 ) == 0 )
+        return( mbedtls_ecp_copy( R, P ) );
+
+    /*
+     * Make sure Q coordinates are normalized
+     */
+    if( Q->Z.p != NULL && mbedtls_mpi_cmp_int( &Q->Z, 1 ) != 0 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); mbedtls_mpi_init( &T3 ); mbedtls_mpi_init( &T4 );
+    mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1,  &P->Z,  &P->Z ) );  MOD_MUL( T1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T2,  &T1,    &P->Z ) );  MOD_MUL( T2 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1,  &T1,    &Q->X ) );  MOD_MUL( T1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T2,  &T2,    &Q->Y ) );  MOD_MUL( T2 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T1,  &T1,    &P->X ) );  MOD_SUB( T1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T2,  &T2,    &P->Y ) );  MOD_SUB( T2 );
+
+    /* Special cases (2) and (3) */
+    if( mbedtls_mpi_cmp_int( &T1, 0 ) == 0 )
+    {
+        if( mbedtls_mpi_cmp_int( &T2, 0 ) == 0 )
+        {
+            ret = ecp_double_jac( grp, R, P );
+            goto cleanup;
+        }
+        else
+        {
+            ret = mbedtls_ecp_set_zero( R );
+            goto cleanup;
+        }
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &Z,   &P->Z,  &T1   ) );  MOD_MUL( Z  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T3,  &T1,    &T1   ) );  MOD_MUL( T3 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T4,  &T3,    &T1   ) );  MOD_MUL( T4 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T3,  &T3,    &P->X ) );  MOD_MUL( T3 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1,  &T3,    2     ) );  MOD_ADD( T1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &X,   &T2,    &T2   ) );  MOD_MUL( X  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X,   &X,     &T1   ) );  MOD_SUB( X  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X,   &X,     &T4   ) );  MOD_SUB( X  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T3,  &T3,    &X    ) );  MOD_SUB( T3 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T3,  &T3,    &T2   ) );  MOD_MUL( T3 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T4,  &T4,    &P->Y ) );  MOD_MUL( T4 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &Y,   &T3,    &T4   ) );  MOD_SUB( Y  );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->X, &X ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Y, &Y ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Z, &Z ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 ); mbedtls_mpi_free( &T3 ); mbedtls_mpi_free( &T4 );
+    mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
+
+    return( ret );
+}
+
+/*
+ * Randomize jacobian coordinates:
+ * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l
+ * This is sort of the reverse operation of ecp_normalize_jac().
+ *
+ * This countermeasure was first suggested in [2].
+ */
+static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+    mbedtls_mpi l, ll;
+    size_t p_size;
+    int count = 0;
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+    if ( mbedtls_internal_ecp_grp_capable( grp ) )
+    {
+        return mbedtls_internal_ecp_randomize_jac( grp, pt, f_rng, p_rng );
+    }
+#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
+
+    p_size = ( grp->pbits + 7 ) / 8;
+    mbedtls_mpi_init( &l ); mbedtls_mpi_init( &ll );
+
+    /* Generate l such that 1 < l < p */
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &l, &grp->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
+
+        if( count++ > 10 )
+        {
+            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+            goto cleanup;
+        }
+    }
+    while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
+
+    /* Z = l * Z */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Z,   &pt->Z,     &l  ) ); MOD_MUL( pt->Z );
+
+    /* X = l^2 * X */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ll,      &l,         &l  ) ); MOD_MUL( ll );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->X,   &pt->X,     &ll ) ); MOD_MUL( pt->X );
+
+    /* Y = l^3 * Y */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ll,      &ll,        &l  ) ); MOD_MUL( ll );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Y,   &pt->Y,     &ll ) ); MOD_MUL( pt->Y );
+
+cleanup:
+    mbedtls_mpi_free( &l ); mbedtls_mpi_free( &ll );
+
+    return( ret );
+}
+
+/*
+ * Check and define parameters used by the comb method (see below for details)
+ */
+#if MBEDTLS_ECP_WINDOW_SIZE < 2 || MBEDTLS_ECP_WINDOW_SIZE > 7
+#error "MBEDTLS_ECP_WINDOW_SIZE out of bounds"
+#endif
+
+/* d = ceil( n / w ) */
+#define COMB_MAX_D      ( MBEDTLS_ECP_MAX_BITS + 1 ) / 2
+
+/* number of precomputed points */
+#define COMB_MAX_PRE    ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
+
+/*
+ * Compute the representation of m that will be used with our comb method.
+ *
+ * The basic comb method is described in GECC 3.44 for example. We use a
+ * modified version that provides resistance to SPA by avoiding zero
+ * digits in the representation as in [3]. We modify the method further by
+ * requiring that all K_i be odd, which has the small cost that our
+ * representation uses one more K_i, due to carries.
+ *
+ * Also, for the sake of compactness, only the seven low-order bits of x[i]
+ * are used to represent K_i, and the msb of x[i] encodes the the sign (s_i in
+ * the paper): it is set if and only if if s_i == -1;
+ *
+ * Calling conventions:
+ * - x is an array of size d + 1
+ * - w is the size, ie number of teeth, of the comb, and must be between
+ *   2 and 7 (in practice, between 2 and MBEDTLS_ECP_WINDOW_SIZE)
+ * - m is the MPI, expected to be odd and such that bitlength(m) <= w * d
+ *   (the result will be incorrect if these assumptions are not satisfied)
+ */
+static void ecp_comb_fixed( unsigned char x[], size_t d,
+                            unsigned char w, const mbedtls_mpi *m )
+{
+    size_t i, j;
+    unsigned char c, cc, adjust;
+
+    memset( x, 0, d+1 );
+
+    /* First get the classical comb values (except for x_d = 0) */
+    for( i = 0; i < d; i++ )
+        for( j = 0; j < w; j++ )
+            x[i] |= mbedtls_mpi_get_bit( m, i + d * j ) << j;
+
+    /* Now make sure x_1 .. x_d are odd */
+    c = 0;
+    for( i = 1; i <= d; i++ )
+    {
+        /* Add carry and update it */
+        cc   = x[i] & c;
+        x[i] = x[i] ^ c;
+        c = cc;
+
+        /* Adjust if needed, avoiding branches */
+        adjust = 1 - ( x[i] & 0x01 );
+        c   |= x[i] & ( x[i-1] * adjust );
+        x[i] = x[i] ^ ( x[i-1] * adjust );
+        x[i-1] |= adjust << 7;
+    }
+}
+
+/*
+ * Precompute points for the comb method
+ *
+ * If i = i_{w-1} ... i_1 is the binary representation of i, then
+ * T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P
+ *
+ * T must be able to hold 2^{w - 1} elements
+ *
+ * Cost: d(w-1) D + (2^{w-1} - 1) A + 1 N(w-1) + 1 N(2^{w-1} - 1)
+ */
+static int ecp_precompute_comb( const mbedtls_ecp_group *grp,
+                                mbedtls_ecp_point T[], const mbedtls_ecp_point *P,
+                                unsigned char w, size_t d )
+{
+    int ret;
+    unsigned char i, k;
+    size_t j;
+    mbedtls_ecp_point *cur, *TT[COMB_MAX_PRE - 1];
+
+    /*
+     * Set T[0] = P and
+     * T[2^{l-1}] = 2^{dl} P for l = 1 .. w-1 (this is not the final value)
+     */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &T[0], P ) );
+
+    k = 0;
+    for( i = 1; i < ( 1U << ( w - 1 ) ); i <<= 1 )
+    {
+        cur = T + i;
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( cur, T + ( i >> 1 ) ) );
+        for( j = 0; j < d; j++ )
+            MBEDTLS_MPI_CHK( ecp_double_jac( grp, cur, cur ) );
+
+        TT[k++] = cur;
+    }
+
+    MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, k ) );
+
+    /*
+     * Compute the remaining ones using the minimal number of additions
+     * Be careful to update T[2^l] only after using it!
+     */
+    k = 0;
+    for( i = 1; i < ( 1U << ( w - 1 ) ); i <<= 1 )
+    {
+        j = i;
+        while( j-- )
+        {
+            MBEDTLS_MPI_CHK( ecp_add_mixed( grp, &T[i + j], &T[j], &T[i] ) );
+            TT[k++] = &T[i + j];
+        }
+    }
+
+    MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, k ) );
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Select precomputed point: R = sign(i) * T[ abs(i) / 2 ]
+ */
+static int ecp_select_comb( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                            const mbedtls_ecp_point T[], unsigned char t_len,
+                            unsigned char i )
+{
+    int ret;
+    unsigned char ii, j;
+
+    /* Ignore the "sign" bit and scale down */
+    ii =  ( i & 0x7Fu ) >> 1;
+
+    /* Read the whole table to thwart cache-based timing attacks */
+    for( j = 0; j < t_len; j++ )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &R->X, &T[j].X, j == ii ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &R->Y, &T[j].Y, j == ii ) );
+    }
+
+    /* Safely invert result if i is "negative" */
+    MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, R, i >> 7 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Core multiplication algorithm for the (modified) comb method.
+ * This part is actually common with the basic comb method (GECC 3.44)
+ *
+ * Cost: d A + d D + 1 R
+ */
+static int ecp_mul_comb_core( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                              const mbedtls_ecp_point T[], unsigned char t_len,
+                              const unsigned char x[], size_t d,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int ret;
+    mbedtls_ecp_point Txi;
+    size_t i;
+
+    mbedtls_ecp_point_init( &Txi );
+
+    /* Start with a non-zero point and randomize its coordinates */
+    i = d;
+    MBEDTLS_MPI_CHK( ecp_select_comb( grp, R, T, t_len, x[i] ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 1 ) );
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    if( f_rng != 0 )
+#endif
+        MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
+
+    while( i-- != 0 )
+    {
+        MBEDTLS_MPI_CHK( ecp_double_jac( grp, R, R ) );
+        MBEDTLS_MPI_CHK( ecp_select_comb( grp, &Txi, T, t_len, x[i] ) );
+        MBEDTLS_MPI_CHK( ecp_add_mixed( grp, R, R, &Txi ) );
+    }
+
+cleanup:
+
+    mbedtls_ecp_point_free( &Txi );
+
+    return( ret );
+}
+
+/*
+ * Multiplication using the comb method,
+ * for curves in short Weierstrass form
+ */
+static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                         const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng )
+{
+    int ret;
+    unsigned char w, m_is_odd, p_eq_g, pre_len, i;
+    size_t d;
+    unsigned char k[COMB_MAX_D + 1];
+    mbedtls_ecp_point *T;
+    mbedtls_mpi M, mm;
+
+    mbedtls_mpi_init( &M );
+    mbedtls_mpi_init( &mm );
+
+    /* we need N to be odd to trnaform m in an odd number, check now */
+    if( mbedtls_mpi_get_bit( &grp->N, 0 ) != 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * Minimize the number of multiplications, that is minimize
+     * 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
+     * (see costs of the various parts, with 1S = 1M)
+     */
+    w = grp->nbits >= 384 ? 5 : 4;
+
+    /*
+     * If P == G, pre-compute a bit more, since this may be re-used later.
+     * Just adding one avoids upping the cost of the first mul too much,
+     * and the memory cost too.
+     */
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+    p_eq_g = ( mbedtls_mpi_cmp_mpi( &P->Y, &grp->G.Y ) == 0 &&
+               mbedtls_mpi_cmp_mpi( &P->X, &grp->G.X ) == 0 );
+    if( p_eq_g )
+        w++;
+#else
+    p_eq_g = 0;
+#endif
+
+    /*
+     * Make sure w is within bounds.
+     * (The last test is useful only for very small curves in the test suite.)
+     */
+    if( w > MBEDTLS_ECP_WINDOW_SIZE )
+        w = MBEDTLS_ECP_WINDOW_SIZE;
+    if( w >= grp->nbits )
+        w = 2;
+
+    /* Other sizes that depend on w */
+    pre_len = 1U << ( w - 1 );
+    d = ( grp->nbits + w - 1 ) / w;
+
+    /*
+     * Prepare precomputed points: if P == G we want to
+     * use grp->T if already initialized, or initialize it.
+     */
+    T = p_eq_g ? grp->T : NULL;
+
+    if( T == NULL )
+    {
+        T = mbedtls_calloc( pre_len, sizeof( mbedtls_ecp_point ) );
+        if( T == NULL )
+        {
+            ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( ecp_precompute_comb( grp, T, P, w, d ) );
+
+        if( p_eq_g )
+        {
+            grp->T = T;
+            grp->T_size = pre_len;
+        }
+    }
+
+    /*
+     * Make sure M is odd (M = m or M = N - m, since N is odd)
+     * using the fact that m * P = - (N - m) * P
+     */
+    m_is_odd = ( mbedtls_mpi_get_bit( m, 0 ) == 1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &M, m ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &mm, &grp->N, m ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &M, &mm, ! m_is_odd ) );
+
+    /*
+     * Go for comb multiplication, R = M * P
+     */
+    ecp_comb_fixed( k, d, w, &M );
+    MBEDTLS_MPI_CHK( ecp_mul_comb_core( grp, R, T, pre_len, k, d, f_rng, p_rng ) );
+
+    /*
+     * Now get m * P from M * P and normalize it
+     */
+    MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, R, ! m_is_odd ) );
+
+    /*
+     * Knowledge of the jacobian coordinates may leak the last few bits of the
+     * scalar [1], and since our MPI implementation isn't constant-flow,
+     * inversion (used for coordinate normalization) may leak the full value
+     * of its input via side-channels [2].
+     *
+     * [1] https://eprint.iacr.org/2003/191
+     * [2] https://eprint.iacr.org/2020/055
+     *
+     * Avoid the leak by randomizing coordinates before we normalize them.
+     */
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    if( f_rng != 0 )
+#endif
+        MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, R ) );
+
+cleanup:
+
+    /* There are two cases where T is not stored in grp:
+     * - P != G
+     * - An intermediate operation failed before setting grp->T
+     * In either case, T must be freed.
+     */
+    if( T != NULL && T != grp->T )
+    {
+        for( i = 0; i < pre_len; i++ )
+            mbedtls_ecp_point_free( &T[i] );
+        mbedtls_free( T );
+    }
+
+    mbedtls_mpi_free( &M );
+    mbedtls_mpi_free( &mm );
+
+    if( ret != 0 )
+        mbedtls_ecp_point_free( R );
+
+    return( ret );
+}
+
+#endif /* ECP_SHORTWEIERSTRASS */
+
+#if defined(ECP_MONTGOMERY)
+/*
+ * For Montgomery curves, we do all the internal arithmetic in projective
+ * coordinates. Import/export of points uses only the x coordinates, which is
+ * internaly represented as X / Z.
+ *
+ * For scalar multiplication, we'll use a Montgomery ladder.
+ */
+
+/*
+ * Normalize Montgomery x/z coordinates: X = X/Z, Z = 1
+ * Cost: 1M + 1I
+ */
+static int ecp_normalize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P )
+{
+    int ret;
+
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+    if ( mbedtls_internal_ecp_grp_capable( grp ) )
+    {
+        return mbedtls_internal_ecp_normalize_mxz( grp, P );
+    }
+#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &P->Z, &P->Z, &grp->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->X, &P->X, &P->Z ) ); MOD_MUL( P->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &P->Z, 1 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Randomize projective x/z coordinates:
+ * (X, Z) -> (l X, l Z) for random l
+ * This is sort of the reverse operation of ecp_normalize_mxz().
+ *
+ * This countermeasure was first suggested in [2].
+ * Cost: 2M
+ */
+static int ecp_randomize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+    mbedtls_mpi l;
+    size_t p_size;
+    int count = 0;
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+    if ( mbedtls_internal_ecp_grp_capable( grp ) )
+    {
+        return mbedtls_internal_ecp_randomize_mxz( grp, P, f_rng, p_rng );
+    }
+#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
+
+    p_size = ( grp->pbits + 7 ) / 8;
+    mbedtls_mpi_init( &l );
+
+    /* Generate l such that 1 < l < p */
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &l, &grp->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
+
+        if( count++ > 10 )
+        {
+            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+            goto cleanup;
+        }
+    }
+    while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->X, &P->X, &l ) ); MOD_MUL( P->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->Z, &P->Z, &l ) ); MOD_MUL( P->Z );
+
+cleanup:
+    mbedtls_mpi_free( &l );
+
+    return( ret );
+}
+
+/*
+ * Double-and-add: R = 2P, S = P + Q, with d = X(P - Q),
+ * for Montgomery curves in x/z coordinates.
+ *
+ * http://www.hyperelliptic.org/EFD/g1p/auto-code/montgom/xz/ladder/mladd-1987-m.op3
+ * with
+ * d =  X1
+ * P = (X2, Z2)
+ * Q = (X3, Z3)
+ * R = (X4, Z4)
+ * S = (X5, Z5)
+ * and eliminating temporary variables tO, ..., t4.
+ *
+ * Cost: 5M + 4S
+ */
+static int ecp_double_add_mxz( const mbedtls_ecp_group *grp,
+                               mbedtls_ecp_point *R, mbedtls_ecp_point *S,
+                               const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
+                               const mbedtls_mpi *d )
+{
+    int ret;
+    mbedtls_mpi A, AA, B, BB, E, C, D, DA, CB;
+
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+    if ( mbedtls_internal_ecp_grp_capable( grp ) )
+    {
+        return mbedtls_internal_ecp_double_add_mxz( grp, R, S, P, Q, d );
+    }
+#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
+
+    mbedtls_mpi_init( &A ); mbedtls_mpi_init( &AA ); mbedtls_mpi_init( &B );
+    mbedtls_mpi_init( &BB ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &C );
+    mbedtls_mpi_init( &D ); mbedtls_mpi_init( &DA ); mbedtls_mpi_init( &CB );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &A,    &P->X,   &P->Z ) ); MOD_ADD( A    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &AA,   &A,      &A    ) ); MOD_MUL( AA   );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &B,    &P->X,   &P->Z ) ); MOD_SUB( B    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &BB,   &B,      &B    ) ); MOD_MUL( BB   );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &E,    &AA,     &BB   ) ); MOD_SUB( E    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &C,    &Q->X,   &Q->Z ) ); MOD_ADD( C    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &D,    &Q->X,   &Q->Z ) ); MOD_SUB( D    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DA,   &D,      &A    ) ); MOD_MUL( DA   );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &CB,   &C,      &B    ) ); MOD_MUL( CB   );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &S->X, &DA,     &CB   ) ); MOD_MUL( S->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S->X, &S->X,   &S->X ) ); MOD_MUL( S->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &S->Z, &DA,     &CB   ) ); MOD_SUB( S->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S->Z, &S->Z,   &S->Z ) ); MOD_MUL( S->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S->Z, d,       &S->Z ) ); MOD_MUL( S->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &R->X, &AA,     &BB   ) ); MOD_MUL( R->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &R->Z, &grp->A, &E    ) ); MOD_MUL( R->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &R->Z, &BB,     &R->Z ) ); MOD_ADD( R->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &R->Z, &E,      &R->Z ) ); MOD_MUL( R->Z );
+
+cleanup:
+    mbedtls_mpi_free( &A ); mbedtls_mpi_free( &AA ); mbedtls_mpi_free( &B );
+    mbedtls_mpi_free( &BB ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &C );
+    mbedtls_mpi_free( &D ); mbedtls_mpi_free( &DA ); mbedtls_mpi_free( &CB );
+
+    return( ret );
+}
+
+/*
+ * Multiplication with Montgomery ladder in x/z coordinates,
+ * for curves in Montgomery form
+ */
+static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                        const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+                        int (*f_rng)(void *, unsigned char *, size_t),
+                        void *p_rng )
+{
+    int ret;
+    size_t i;
+    unsigned char b;
+    mbedtls_ecp_point RP;
+    mbedtls_mpi PX;
+
+    mbedtls_ecp_point_init( &RP ); mbedtls_mpi_init( &PX );
+
+    /* Save PX and read from P before writing to R, in case P == R */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &PX, &P->X ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &RP, P ) );
+
+    /* Set R to zero in modified x/z coordinates */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->X, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 0 ) );
+    mbedtls_mpi_free( &R->Y );
+
+    /* RP.X might be sligtly larger than P, so reduce it */
+    MOD_ADD( RP.X );
+
+    /* Randomize coordinates of the starting point */
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    if( f_rng != NULL )
+#endif
+        MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );
+
+    /* Loop invariant: R = result so far, RP = R + P */
+    i = mbedtls_mpi_bitlen( m ); /* one past the (zero-based) most significant bit */
+    while( i-- > 0 )
+    {
+        b = mbedtls_mpi_get_bit( m, i );
+        /*
+         *  if (b) R = 2R + P else R = 2R,
+         * which is:
+         *  if (b) double_add( RP, R, RP, R )
+         *  else   double_add( R, RP, R, RP )
+         * but using safe conditional swaps to avoid leaks
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->X, &RP.X, b ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
+        MBEDTLS_MPI_CHK( ecp_double_add_mxz( grp, R, &RP, R, &RP, &PX ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->X, &RP.X, b ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
+    }
+
+    /*
+     * Knowledge of the projective coordinates may leak the last few bits of the
+     * scalar [1], and since our MPI implementation isn't constant-flow,
+     * inversion (used for coordinate normalization) may leak the full value
+     * of its input via side-channels [2].
+     *
+     * [1] https://eprint.iacr.org/2003/191
+     * [2] https://eprint.iacr.org/2020/055
+     *
+     * Avoid the leak by randomizing coordinates before we normalize them.
+     */
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    if( f_rng != NULL )
+#endif
+        MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) );
+
+    MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
+
+cleanup:
+    mbedtls_ecp_point_free( &RP ); mbedtls_mpi_free( &PX );
+
+    return( ret );
+}
+
+#endif /* ECP_MONTGOMERY */
+
+/*
+ * Multiplication R = m * P
+ */
+int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    char is_grp_capable = 0;
+#endif
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    ecp_drbg_context drbg_ctx;
+
+    ecp_drbg_init( &drbg_ctx );
+#endif /* !MBEDTLS_ECP_NO_INTERNAL_RNG */
+
+    /* Common sanity checks */
+    if( mbedtls_mpi_cmp_int( &P->Z, 1 ) != 0 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_ecp_check_privkey( grp, m ) ) != 0 ||
+        ( ret = mbedtls_ecp_check_pubkey( grp, P ) ) != 0 )
+        return( ret );
+
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    if( f_rng == NULL )
+    {
+        const size_t m_len = ( grp->nbits + 7 ) / 8;
+        MBEDTLS_MPI_CHK( ecp_drbg_seed( &drbg_ctx, m, m_len ) );
+        f_rng = &ecp_drbg_random;
+        p_rng = &drbg_ctx;
+    }
+#endif /* !MBEDTLS_ECP_NO_INTERNAL_RNG */
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if ( is_grp_capable = mbedtls_internal_ecp_grp_capable( grp )  )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) );
+    }
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(ECP_MONTGOMERY)
+    if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
+        ret = ecp_mul_mxz( grp, R, m, P, f_rng, p_rng );
+#endif
+#if defined(ECP_SHORTWEIERSTRASS)
+    if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
+        ret = ecp_mul_comb( grp, R, m, P, f_rng, p_rng );
+#endif
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT) || !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+cleanup:
+#endif
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if ( is_grp_capable )
+    {
+        mbedtls_internal_ecp_free( grp );
+    }
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    ecp_drbg_free( &drbg_ctx );
+#endif
+
+    return( ret );
+}
+
+#if defined(ECP_SHORTWEIERSTRASS)
+/*
+ * Check that an affine point is valid as a public key,
+ * short weierstrass curves (SEC1 3.2.3.1)
+ */
+static int ecp_check_pubkey_sw( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt )
+{
+    int ret;
+    mbedtls_mpi YY, RHS;
+
+    /* pt coordinates must be normalized for our checks */
+    if( mbedtls_mpi_cmp_int( &pt->X, 0 ) < 0 ||
+        mbedtls_mpi_cmp_int( &pt->Y, 0 ) < 0 ||
+        mbedtls_mpi_cmp_mpi( &pt->X, &grp->P ) >= 0 ||
+        mbedtls_mpi_cmp_mpi( &pt->Y, &grp->P ) >= 0 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+    mbedtls_mpi_init( &YY ); mbedtls_mpi_init( &RHS );
+
+    /*
+     * YY = Y^2
+     * RHS = X (X^2 + A) + B = X^3 + A X + B
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &YY,  &pt->Y,   &pt->Y  ) );  MOD_MUL( YY  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &RHS, &pt->X,   &pt->X  ) );  MOD_MUL( RHS );
+
+    /* Special case for A = -3 */
+    if( grp->A.p == NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &RHS, &RHS, 3       ) );  MOD_SUB( RHS );
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &RHS, &RHS, &grp->A ) );  MOD_ADD( RHS );
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &RHS, &RHS,     &pt->X  ) );  MOD_MUL( RHS );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &RHS, &RHS,     &grp->B ) );  MOD_ADD( RHS );
+
+    if( mbedtls_mpi_cmp_mpi( &YY, &RHS ) != 0 )
+        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+
+cleanup:
+
+    mbedtls_mpi_free( &YY ); mbedtls_mpi_free( &RHS );
+
+    return( ret );
+}
+#endif /* ECP_SHORTWEIERSTRASS */
+
+/*
+ * R = m * P with shortcuts for m == 1 and m == -1
+ * NOT constant-time - ONLY for short Weierstrass!
+ */
+static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp,
+                                      mbedtls_ecp_point *R,
+                                      const mbedtls_mpi *m,
+                                      const mbedtls_ecp_point *P )
+{
+    int ret;
+
+    if( mbedtls_mpi_cmp_int( m, 1 ) == 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) );
+    }
+    else if( mbedtls_mpi_cmp_int( m, -1 ) == 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) );
+        if( mbedtls_mpi_cmp_int( &R->Y, 0 ) != 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &R->Y, &grp->P, &R->Y ) );
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, R, m, P, NULL, NULL ) );
+    }
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Linear combination
+ * NOT constant-time
+ */
+int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q )
+{
+    int ret;
+    mbedtls_ecp_point mP;
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    char is_grp_capable = 0;
+#endif
+
+    if( ecp_get_type( grp ) != ECP_TYPE_SHORT_WEIERSTRASS )
+        return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+
+    mbedtls_ecp_point_init( &mP );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, &mP, m, P ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, R,   n, Q ) );
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if (  is_grp_capable = mbedtls_internal_ecp_grp_capable( grp )  )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) );
+    }
+
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+    MBEDTLS_MPI_CHK( ecp_add_mixed( grp, R, &mP, R ) );
+    MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, R ) );
+
+cleanup:
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if ( is_grp_capable )
+    {
+        mbedtls_internal_ecp_free( grp );
+    }
+
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+    mbedtls_ecp_point_free( &mP );
+
+    return( ret );
+}
+
+
+#if defined(ECP_MONTGOMERY)
+/*
+ * Check validity of a public key for Montgomery curves with x-only schemes
+ */
+static int ecp_check_pubkey_mx( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt )
+{
+    /* [Curve25519 p. 5] Just check X is the correct number of bytes */
+    if( mbedtls_mpi_size( &pt->X ) > ( grp->nbits + 7 ) / 8 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+    return( 0 );
+}
+#endif /* ECP_MONTGOMERY */
+
+/*
+ * Check that a point is valid as a public key
+ */
+int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt )
+{
+    /* Must use affine coordinates */
+    if( mbedtls_mpi_cmp_int( &pt->Z, 1 ) != 0 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+#if defined(ECP_MONTGOMERY)
+    if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
+        return( ecp_check_pubkey_mx( grp, pt ) );
+#endif
+#if defined(ECP_SHORTWEIERSTRASS)
+    if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
+        return( ecp_check_pubkey_sw( grp, pt ) );
+#endif
+    return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+}
+
+/*
+ * Check that an mbedtls_mpi is valid as a private key
+ */
+int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *d )
+{
+#if defined(ECP_MONTGOMERY)
+    if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
+    {
+        /* see [Curve25519] page 5 */
+        if( mbedtls_mpi_get_bit( d, 0 ) != 0 ||
+            mbedtls_mpi_get_bit( d, 1 ) != 0 ||
+            mbedtls_mpi_get_bit( d, 2 ) != 0 ||
+            mbedtls_mpi_bitlen( d ) - 1 != grp->nbits ) /* mbedtls_mpi_bitlen is one-based! */
+            return( MBEDTLS_ERR_ECP_INVALID_KEY );
+        else
+            return( 0 );
+    }
+#endif /* ECP_MONTGOMERY */
+#if defined(ECP_SHORTWEIERSTRASS)
+    if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
+    {
+        /* see SEC1 3.2 */
+        if( mbedtls_mpi_cmp_int( d, 1 ) < 0 ||
+            mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 )
+            return( MBEDTLS_ERR_ECP_INVALID_KEY );
+        else
+            return( 0 );
+    }
+#endif /* ECP_SHORTWEIERSTRASS */
+
+    return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+}
+
+/*
+ * Generate a private key
+ */
+int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
+                     mbedtls_mpi *d,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    size_t n_size = ( grp->nbits + 7 ) / 8;
+
+#if defined(ECP_MONTGOMERY)
+    if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
+    {
+        /* [M225] page 5 */
+        size_t b;
+
+        do {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
+        } while( mbedtls_mpi_bitlen( d ) == 0);
+
+        /* Make sure the most significant bit is nbits */
+        b = mbedtls_mpi_bitlen( d ) - 1; /* mbedtls_mpi_bitlen is one-based */
+        if( b > grp->nbits )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, b - grp->nbits ) );
+        else
+            MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, grp->nbits, 1 ) );
+
+        /* Make sure the last three bits are unset */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 0, 0 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 1, 0 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 2, 0 ) );
+    }
+#endif /* ECP_MONTGOMERY */
+
+#if defined(ECP_SHORTWEIERSTRASS)
+    if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
+    {
+        /* SEC1 3.2.1: Generate d such that 1 <= n < N */
+        int count = 0;
+        unsigned cmp = 0;
+
+        /*
+         * Match the procedure given in RFC 6979 (deterministic ECDSA):
+         * - use the same byte ordering;
+         * - keep the leftmost nbits bits of the generated octet string;
+         * - try until result is in the desired range.
+         * This also avoids any biais, which is especially important for ECDSA.
+         */
+        do
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) );
+
+            /*
+             * Each try has at worst a probability 1/2 of failing (the msb has
+             * a probability 1/2 of being 0, and then the result will be < N),
+             * so after 30 tries failure probability is a most 2**(-30).
+             *
+             * For most curves, 1 try is enough with overwhelming probability,
+             * since N starts with a lot of 1s in binary, but some curves
+             * such as secp224k1 are actually very close to the worst case.
+             */
+            if( ++count > 30 )
+                return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+
+            ret = mbedtls_mpi_lt_mpi_ct( d, &grp->N, &cmp );
+            if( ret != 0 )
+            {
+                goto cleanup;
+            }
+        }
+        while( mbedtls_mpi_cmp_int( d, 1 ) < 0 || cmp != 1 );
+    }
+#endif /* ECP_SHORTWEIERSTRASS */
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate a keypair with configurable base point
+ */
+int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
+                     const mbedtls_ecp_point *G,
+                     mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret;
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, d, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, Q, d, G, f_rng, p_rng ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate key pair, wrapper for conventional base point
+ */
+int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp,
+                             mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng )
+{
+    return( mbedtls_ecp_gen_keypair_base( grp, &grp->G, d, Q, f_rng, p_rng ) );
+}
+
+/*
+ * Generate a keypair, prettier wrapper
+ */
+int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+
+    if( ( ret = mbedtls_ecp_group_load( &key->grp, grp_id ) ) != 0 )
+        return( ret );
+
+    return( mbedtls_ecp_gen_keypair( &key->grp, &key->d, &key->Q, f_rng, p_rng ) );
+}
+
+/*
+ * Check a public-private key pair
+ */
+int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv )
+{
+    int ret;
+    mbedtls_ecp_point Q;
+    mbedtls_ecp_group grp;
+
+    if( pub->grp.id == MBEDTLS_ECP_DP_NONE ||
+        pub->grp.id != prv->grp.id ||
+        mbedtls_mpi_cmp_mpi( &pub->Q.X, &prv->Q.X ) ||
+        mbedtls_mpi_cmp_mpi( &pub->Q.Y, &prv->Q.Y ) ||
+        mbedtls_mpi_cmp_mpi( &pub->Q.Z, &prv->Q.Z ) )
+    {
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    mbedtls_ecp_point_init( &Q );
+    mbedtls_ecp_group_init( &grp );
+
+    /* mbedtls_ecp_mul() needs a non-const group... */
+    mbedtls_ecp_group_copy( &grp, &prv->grp );
+
+    /* Also checks d is valid */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &Q, &prv->d, &prv->grp.G, NULL, NULL ) );
+
+    if( mbedtls_mpi_cmp_mpi( &Q.X, &prv->Q.X ) ||
+        mbedtls_mpi_cmp_mpi( &Q.Y, &prv->Q.Y ) ||
+        mbedtls_mpi_cmp_mpi( &Q.Z, &prv->Q.Z ) )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_point_free( &Q );
+    mbedtls_ecp_group_free( &grp );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(ECP_ONE_STEP_KDF)
+/*
+ * There are no test vectors from NIST for the One-Step KDF in SP 800-56C,
+ * but unofficial ones can be found at:
+ * https://github.com/patrickfav/singlestep-kdf/wiki/NIST-SP-800-56C-Rev1:-Non-Official-Test-Vectors
+ *
+ * We only use the ones with empty fixedInfo, and for brevity's sake, only
+ * 40-bytes output (with SHA-256 that's more than one block, and with SHA-512
+ * less than one block).
+ */
+#if defined(MBEDTLS_SHA512_C)
+
+static const uint8_t test_kdf_z[16] = {
+    0x3b, 0xa9, 0x79, 0xe9, 0xbc, 0x5e, 0x3e, 0xc7,
+    0x61, 0x30, 0x36, 0xb6, 0xf5, 0x1c, 0xd5, 0xaa,
+};
+static const uint8_t test_kdf_out[40] = {
+    0x3e, 0xf6, 0xda, 0xf9, 0x51, 0x60, 0x70, 0x5f,
+    0xdf, 0x21, 0xcd, 0xab, 0xac, 0x25, 0x7b, 0x05,
+    0xfe, 0xc1, 0xab, 0x7c, 0xc9, 0x68, 0x43, 0x25,
+    0x8a, 0xfc, 0x40, 0x6e, 0x5b, 0xf7, 0x98, 0x27,
+    0x10, 0xfa, 0x7b, 0x93, 0x52, 0xd4, 0x16, 0xaa,
+};
+
+#elif defined(MBEDTLS_SHA256_C)
+
+static const uint8_t test_kdf_z[16] = {
+    0xc8, 0x3e, 0x35, 0x8e, 0x99, 0xa6, 0x89, 0xc6,
+    0x7d, 0xb4, 0xfe, 0x39, 0xcf, 0x8f, 0x26, 0xe1,
+};
+static const uint8_t test_kdf_out[40] = {
+    0x7d, 0xf6, 0x41, 0xf8, 0x3c, 0x47, 0xdc, 0x28,
+    0x5f, 0x7f, 0xaa, 0xde, 0x05, 0x64, 0xd6, 0x25,
+    0x00, 0x6a, 0x47, 0xd9, 0x1e, 0xa4, 0xa0, 0x8c,
+    0xd7, 0xf7, 0x0c, 0x99, 0xaa, 0xa0, 0x72, 0x66,
+    0x69, 0x0e, 0x25, 0xaa, 0xa1, 0x63, 0x14, 0x79,
+};
+
+#endif
+
+static int ecp_kdf_self_test( void )
+{
+    int ret;
+    ecp_drbg_context kdf_ctx;
+    mbedtls_mpi scalar;
+    uint8_t out[sizeof( test_kdf_out )];
+
+    ecp_drbg_init( &kdf_ctx );
+    mbedtls_mpi_init( &scalar );
+    memset( out, 0, sizeof( out ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &scalar,
+                        test_kdf_z, sizeof( test_kdf_z ) ) );
+
+    MBEDTLS_MPI_CHK( ecp_drbg_seed( &kdf_ctx,
+                                    &scalar, sizeof( test_kdf_z ) ) );
+
+    MBEDTLS_MPI_CHK( ecp_drbg_random( &kdf_ctx, out, sizeof( out ) ) );
+
+    if( memcmp( out, test_kdf_out, sizeof( out ) ) != 0 )
+        ret = -1;
+
+cleanup:
+    ecp_drbg_free( &kdf_ctx );
+    mbedtls_mpi_free( &scalar );
+
+    return( ret );
+}
+#endif /* ECP_ONE_STEP_KDF */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ecp_self_test( int verbose )
+{
+    int ret;
+    size_t i;
+    mbedtls_ecp_group grp;
+    mbedtls_ecp_point R, P;
+    mbedtls_mpi m;
+    unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
+    /* exponents especially adapted for secp192r1 */
+    const char *exponents[] =
+    {
+        "000000000000000000000000000000000000000000000001", /* one */
+        "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830", /* N - 1 */
+        "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */
+        "400000000000000000000000000000000000000000000000", /* one and zeros */
+        "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* all ones */
+        "555555555555555555555555555555555555555555555555", /* 101010... */
+    };
+
+    mbedtls_ecp_group_init( &grp );
+    mbedtls_ecp_point_init( &R );
+    mbedtls_ecp_point_init( &P );
+    mbedtls_mpi_init( &m );
+
+    /* Use secp192r1 if available, or any available curve */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP192R1 ) );
+#else
+    MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, mbedtls_ecp_curve_list()->grp_id ) );
+#endif
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECP test #1 (constant op_count, base point G): " );
+
+    /* Do a dummy multiplication first to trigger precomputation */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &m, 2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &P, &m, &grp.G, NULL, NULL ) );
+
+    add_count = 0;
+    dbl_count = 0;
+    mul_count = 0;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[0] ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
+
+    for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
+    {
+        add_c_prev = add_count;
+        dbl_c_prev = dbl_count;
+        mul_c_prev = mul_count;
+        add_count = 0;
+        dbl_count = 0;
+        mul_count = 0;
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[i] ) );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
+
+        if( add_count != add_c_prev ||
+            dbl_count != dbl_c_prev ||
+            mul_count != mul_c_prev )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed (%u)\n", (unsigned int) i );
+
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECP test #2 (constant op_count, other point): " );
+    /* We computed P = 2G last time, use it */
+
+    add_count = 0;
+    dbl_count = 0;
+    mul_count = 0;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[0] ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &P, NULL, NULL ) );
+
+    for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
+    {
+        add_c_prev = add_count;
+        dbl_c_prev = dbl_count;
+        mul_c_prev = mul_count;
+        add_count = 0;
+        dbl_count = 0;
+        mul_count = 0;
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[i] ) );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &P, NULL, NULL ) );
+
+        if( add_count != add_c_prev ||
+            dbl_count != dbl_c_prev ||
+            mul_count != mul_c_prev )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed (%u)\n", (unsigned int) i );
+
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+#if defined(ECP_ONE_STEP_KDF)
+    if( verbose != 0 )
+        mbedtls_printf( "  ECP test #3 (internal KDF): " );
+
+    ret = ecp_kdf_self_test();
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+#endif /* ECP_ONE_STEP_KDF */
+
+cleanup:
+
+    if( ret < 0 && verbose != 0 )
+        mbedtls_printf( "Unexpected error, return code = %08X\n", ret );
+
+    mbedtls_ecp_group_free( &grp );
+    mbedtls_ecp_point_free( &R );
+    mbedtls_ecp_point_free( &P );
+    mbedtls_mpi_free( &m );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* !MBEDTLS_ECP_ALT */
+
+#endif /* MBEDTLS_ECP_C */
diff --git a/third-party/mbedtls-3.6/library/ecp_curves.c b/third-party/mbedtls-3.6/library/ecp_curves.c
new file mode 100644
index 00000000..93315870
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ecp_curves.c
@@ -0,0 +1,1354 @@
+/*
+ *  Elliptic curves over GF(p): curve-specific data and functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+
+#include "mbedtls/ecp.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECP_ALT)
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/*
+ * Conversion macros for embedded constants:
+ * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
+ */
+#if defined(MBEDTLS_HAVE_INT32)
+
+#define BYTES_TO_T_UINT_4( a, b, c, d )             \
+    ( (mbedtls_mpi_uint) a <<  0 ) |                          \
+    ( (mbedtls_mpi_uint) b <<  8 ) |                          \
+    ( (mbedtls_mpi_uint) c << 16 ) |                          \
+    ( (mbedtls_mpi_uint) d << 24 )
+
+#define BYTES_TO_T_UINT_2( a, b )                   \
+    BYTES_TO_T_UINT_4( a, b, 0, 0 )
+
+#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
+    BYTES_TO_T_UINT_4( a, b, c, d ),                \
+    BYTES_TO_T_UINT_4( e, f, g, h )
+
+#else /* 64-bits */
+
+#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
+    ( (mbedtls_mpi_uint) a <<  0 ) |                          \
+    ( (mbedtls_mpi_uint) b <<  8 ) |                          \
+    ( (mbedtls_mpi_uint) c << 16 ) |                          \
+    ( (mbedtls_mpi_uint) d << 24 ) |                          \
+    ( (mbedtls_mpi_uint) e << 32 ) |                          \
+    ( (mbedtls_mpi_uint) f << 40 ) |                          \
+    ( (mbedtls_mpi_uint) g << 48 ) |                          \
+    ( (mbedtls_mpi_uint) h << 56 )
+
+#define BYTES_TO_T_UINT_4( a, b, c, d )             \
+    BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
+
+#define BYTES_TO_T_UINT_2( a, b )                   \
+    BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
+
+#endif /* bits in mbedtls_mpi_uint */
+
+/*
+ * Note: the constants are in little-endian order
+ * to be directly usable in MPIs
+ */
+
+/*
+ * Domain parameters for secp192r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static const mbedtls_mpi_uint secp192r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp192r1_b[] = {
+    BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
+    BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
+    BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
+};
+static const mbedtls_mpi_uint secp192r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
+    BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
+};
+static const mbedtls_mpi_uint secp192r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
+    BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
+    BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
+};
+static const mbedtls_mpi_uint secp192r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
+    BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+/*
+ * Domain parameters for secp224r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static const mbedtls_mpi_uint secp224r1_p[] = {
+    BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
+};
+static const mbedtls_mpi_uint secp224r1_b[] = {
+    BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
+    BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
+    BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
+    BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
+};
+static const mbedtls_mpi_uint secp224r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
+    BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
+    BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
+    BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
+};
+static const mbedtls_mpi_uint secp224r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
+    BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
+    BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
+    BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
+};
+static const mbedtls_mpi_uint secp224r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
+    BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+/*
+ * Domain parameters for secp256r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static const mbedtls_mpi_uint secp256r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp256r1_b[] = {
+    BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
+    BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
+    BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
+    BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
+};
+static const mbedtls_mpi_uint secp256r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
+    BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
+    BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
+    BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
+};
+static const mbedtls_mpi_uint secp256r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
+    BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
+    BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
+    BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
+};
+static const mbedtls_mpi_uint secp256r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
+    BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+/*
+ * Domain parameters for secp384r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static const mbedtls_mpi_uint secp384r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp384r1_b[] = {
+    BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
+    BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
+    BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
+    BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
+    BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
+    BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
+};
+static const mbedtls_mpi_uint secp384r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
+    BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
+    BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
+    BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
+    BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
+    BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
+};
+static const mbedtls_mpi_uint secp384r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
+    BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
+    BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
+    BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
+    BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
+    BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
+};
+static const mbedtls_mpi_uint secp384r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
+    BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
+    BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+/*
+ * Domain parameters for secp521r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static const mbedtls_mpi_uint secp521r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
+};
+static const mbedtls_mpi_uint secp521r1_b[] = {
+    BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
+    BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
+    BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
+    BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
+    BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
+    BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
+    BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
+    BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
+    BYTES_TO_T_UINT_2( 0x51, 0x00 ),
+};
+static const mbedtls_mpi_uint secp521r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
+    BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
+    BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
+    BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
+    BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
+    BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
+    BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
+    BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
+    BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
+};
+static const mbedtls_mpi_uint secp521r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
+    BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
+    BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
+    BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
+    BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
+    BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
+    BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
+    BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
+    BYTES_TO_T_UINT_2( 0x18, 0x01 ),
+};
+static const mbedtls_mpi_uint secp521r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
+    BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
+    BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
+    BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
+    BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static const mbedtls_mpi_uint secp192k1_p[] = {
+    BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp192k1_a[] = {
+    BYTES_TO_T_UINT_2( 0x00, 0x00 ),
+};
+static const mbedtls_mpi_uint secp192k1_b[] = {
+    BYTES_TO_T_UINT_2( 0x03, 0x00 ),
+};
+static const mbedtls_mpi_uint secp192k1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
+    BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
+    BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
+};
+static const mbedtls_mpi_uint secp192k1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
+    BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
+    BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
+};
+static const mbedtls_mpi_uint secp192k1_n[] = {
+    BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
+    BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static const mbedtls_mpi_uint secp224k1_p[] = {
+    BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp224k1_a[] = {
+    BYTES_TO_T_UINT_2( 0x00, 0x00 ),
+};
+static const mbedtls_mpi_uint secp224k1_b[] = {
+    BYTES_TO_T_UINT_2( 0x05, 0x00 ),
+};
+static const mbedtls_mpi_uint secp224k1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
+    BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
+    BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
+    BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
+};
+static const mbedtls_mpi_uint secp224k1_gy[] = {
+    BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
+    BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
+    BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
+    BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
+};
+static const mbedtls_mpi_uint secp224k1_n[] = {
+    BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
+    BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static const mbedtls_mpi_uint secp256k1_p[] = {
+    BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp256k1_a[] = {
+    BYTES_TO_T_UINT_2( 0x00, 0x00 ),
+};
+static const mbedtls_mpi_uint secp256k1_b[] = {
+    BYTES_TO_T_UINT_2( 0x07, 0x00 ),
+};
+static const mbedtls_mpi_uint secp256k1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
+    BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
+    BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
+    BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
+};
+static const mbedtls_mpi_uint secp256k1_gy[] = {
+    BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
+    BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
+    BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
+    BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
+};
+static const mbedtls_mpi_uint secp256k1_n[] = {
+    BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
+    BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
+    BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
+ */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
+    BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
+    BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
+    BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
+    BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
+    BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
+    BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
+    BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
+    BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
+    BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
+    BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
+    BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
+    BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
+    BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
+    BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
+    BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
+    BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
+    BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
+    BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
+    BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
+    BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
+    BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
+    BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
+};
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
+ */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
+    BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
+    BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
+    BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
+    BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
+    BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
+    BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
+    BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
+    BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
+    BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
+    BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
+    BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
+    BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
+    BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
+    BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
+    BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
+    BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
+    BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
+    BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
+    BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
+    BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
+    BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
+    BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
+    BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
+    BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
+    BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
+    BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
+    BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
+    BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
+    BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
+    BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
+    BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
+    BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
+    BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
+};
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
+ */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
+    BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
+    BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
+    BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
+    BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
+    BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
+    BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
+    BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
+    BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
+    BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
+    BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
+    BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
+    BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
+    BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
+    BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
+    BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
+    BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
+    BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
+    BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
+    BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
+    BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
+    BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
+    BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
+    BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
+    BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
+    BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
+    BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
+    BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
+    BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
+    BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
+    BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
+    BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
+    BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
+    BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
+    BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
+    BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
+    BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
+    BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
+    BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
+    BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
+    BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
+    BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
+    BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
+    BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
+    BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
+};
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+/*
+ * Create an MPI from embedded constants
+ * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint)
+ */
+static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len )
+{
+    X->s = 1;
+    X->n = len / sizeof( mbedtls_mpi_uint );
+    X->p = (mbedtls_mpi_uint *) p;
+}
+
+/*
+ * Set an MPI to static value 1
+ */
+static inline void ecp_mpi_set1( mbedtls_mpi *X )
+{
+    static mbedtls_mpi_uint one[] = { 1 };
+    X->s = 1;
+    X->n = 1;
+    X->p = one;
+}
+
+/*
+ * Make group available from embedded constants
+ */
+static int ecp_group_load( mbedtls_ecp_group *grp,
+                           const mbedtls_mpi_uint *p,  size_t plen,
+                           const mbedtls_mpi_uint *a,  size_t alen,
+                           const mbedtls_mpi_uint *b,  size_t blen,
+                           const mbedtls_mpi_uint *gx, size_t gxlen,
+                           const mbedtls_mpi_uint *gy, size_t gylen,
+                           const mbedtls_mpi_uint *n,  size_t nlen)
+{
+    ecp_mpi_load( &grp->P, p, plen );
+    if( a != NULL )
+        ecp_mpi_load( &grp->A, a, alen );
+    ecp_mpi_load( &grp->B, b, blen );
+    ecp_mpi_load( &grp->N, n, nlen );
+
+    ecp_mpi_load( &grp->G.X, gx, gxlen );
+    ecp_mpi_load( &grp->G.Y, gy, gylen );
+    ecp_mpi_set1( &grp->G.Z );
+
+    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
+    grp->nbits = mbedtls_mpi_bitlen( &grp->N );
+
+    grp->h = 1;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/* Forward declarations */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static int ecp_mod_p192( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static int ecp_mod_p224( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static int ecp_mod_p256( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static int ecp_mod_p384( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static int ecp_mod_p521( mbedtls_mpi * );
+#endif
+
+#define NIST_MODP( P )      grp->modp = ecp_mod_ ## P;
+#else
+#define NIST_MODP( P )
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+/* Additional forward declarations */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+static int ecp_mod_p255( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static int ecp_mod_p192k1( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static int ecp_mod_p224k1( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static int ecp_mod_p256k1( mbedtls_mpi * );
+#endif
+
+#define LOAD_GROUP_A( G )   ecp_group_load( grp,            \
+                            G ## _p,  sizeof( G ## _p  ),   \
+                            G ## _a,  sizeof( G ## _a  ),   \
+                            G ## _b,  sizeof( G ## _b  ),   \
+                            G ## _gx, sizeof( G ## _gx ),   \
+                            G ## _gy, sizeof( G ## _gy ),   \
+                            G ## _n,  sizeof( G ## _n  ) )
+
+#define LOAD_GROUP( G )     ecp_group_load( grp,            \
+                            G ## _p,  sizeof( G ## _p  ),   \
+                            NULL,     0,                    \
+                            G ## _b,  sizeof( G ## _b  ),   \
+                            G ## _gx, sizeof( G ## _gx ),   \
+                            G ## _gy, sizeof( G ## _gy ),   \
+                            G ## _n,  sizeof( G ## _n  ) )
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+/*
+ * Specialized function for creating the Curve25519 group
+ */
+static int ecp_use_curve25519( mbedtls_ecp_group *grp )
+{
+    int ret;
+
+    /* Actually ( A + 2 ) / 4 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "01DB42" ) );
+
+    /* P = 2^255 - 19 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 255 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 19 ) );
+    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
+
+    /* Y intentionaly not set, since we use x/z coordinates.
+     * This is used as a marker to identify Montgomery curves! */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 9 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
+    mbedtls_mpi_free( &grp->G.Y );
+
+    /* Actually, the required msb for private keys */
+    grp->nbits = 254;
+
+cleanup:
+    if( ret != 0 )
+        mbedtls_ecp_group_free( grp );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+/*
+ * Set a group using well-known domain parameters
+ */
+int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
+{
+    mbedtls_ecp_group_free( grp );
+
+    grp->id = id;
+
+    switch( id )
+    {
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP192R1:
+            NIST_MODP( p192 );
+            return( LOAD_GROUP( secp192r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP224R1:
+            NIST_MODP( p224 );
+            return( LOAD_GROUP( secp224r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP256R1:
+            NIST_MODP( p256 );
+            return( LOAD_GROUP( secp256r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP384R1:
+            NIST_MODP( p384 );
+            return( LOAD_GROUP( secp384r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP521R1:
+            NIST_MODP( p521 );
+            return( LOAD_GROUP( secp521r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP192K1:
+            grp->modp = ecp_mod_p192k1;
+            return( LOAD_GROUP_A( secp192k1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP224K1:
+            grp->modp = ecp_mod_p224k1;
+            return( LOAD_GROUP_A( secp224k1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP256K1:
+            grp->modp = ecp_mod_p256k1;
+            return( LOAD_GROUP_A( secp256k1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+        case MBEDTLS_ECP_DP_BP256R1:
+            return( LOAD_GROUP_A( brainpoolP256r1 ) );
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+        case MBEDTLS_ECP_DP_BP384R1:
+            return( LOAD_GROUP_A( brainpoolP384r1 ) );
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+        case MBEDTLS_ECP_DP_BP512R1:
+            return( LOAD_GROUP_A( brainpoolP512r1 ) );
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+        case MBEDTLS_ECP_DP_CURVE25519:
+            grp->modp = ecp_mod_p255;
+            return( ecp_use_curve25519( grp ) );
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+        default:
+            mbedtls_ecp_group_free( grp );
+            return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+    }
+}
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/*
+ * Fast reduction modulo the primes used by the NIST curves.
+ *
+ * These functions are critical for speed, but not needed for correct
+ * operations. So, we make the choice to heavily rely on the internals of our
+ * bignum library, which creates a tight coupling between these functions and
+ * our MPI implementation.  However, the coupling between the ECP module and
+ * MPI remains loose, since these functions can be deactivated at will.
+ */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+/*
+ * Compared to the way things are presented in FIPS 186-3 D.2,
+ * we proceed in columns, from right (least significant chunk) to left,
+ * adding chunks to N in place, and keeping a carry for the next chunk.
+ * This avoids moving things around in memory, and uselessly adding zeros,
+ * compared to the more straightforward, line-oriented approach.
+ *
+ * For this prime we need to handle data in chunks of 64 bits.
+ * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
+ * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
+ */
+
+/* Add 64-bit chunks (dst += src) and update carry */
+static inline void add64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry )
+{
+    unsigned char i;
+    mbedtls_mpi_uint c = 0;
+    for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ )
+    {
+        *dst += c;      c  = ( *dst < c );
+        *dst += *src;   c += ( *dst < *src );
+    }
+    *carry += c;
+}
+
+/* Add carry to a 64-bit chunk and update carry */
+static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry )
+{
+    unsigned char i;
+    for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ )
+    {
+        *dst += *carry;
+        *carry  = ( *dst < *carry );
+    }
+}
+
+#define WIDTH       8 / sizeof( mbedtls_mpi_uint )
+#define A( i )      N->p + i * WIDTH
+#define ADD( i )    add64( p, A( i ), &c )
+#define NEXT        p += WIDTH; carry64( p, &c )
+#define LAST        p += WIDTH; *p = c; while( ++p < end ) *p = 0
+
+/*
+ * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
+ */
+static int ecp_mod_p192( mbedtls_mpi *N )
+{
+    int ret;
+    mbedtls_mpi_uint c = 0;
+    mbedtls_mpi_uint *p, *end;
+
+    /* Make sure we have enough blocks so that A(5) is legal */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) );
+
+    p = N->p;
+    end = p + N->n;
+
+    ADD( 3 ); ADD( 5 );             NEXT; // A0 += A3 + A5
+    ADD( 3 ); ADD( 4 ); ADD( 5 );   NEXT; // A1 += A3 + A4 + A5
+    ADD( 4 ); ADD( 5 );             LAST; // A2 += A4 + A5
+
+cleanup:
+    return( ret );
+}
+
+#undef WIDTH
+#undef A
+#undef ADD
+#undef NEXT
+#undef LAST
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/*
+ * The reader is advised to first understand ecp_mod_p192() since the same
+ * general structure is used here, but with additional complications:
+ * (1) chunks of 32 bits, and (2) subtractions.
+ */
+
+/*
+ * For these primes, we need to handle data in chunks of 32 bits.
+ * This makes it more complicated if we use 64 bits limbs in MPI,
+ * which prevents us from using a uniform access method as for p192.
+ *
+ * So, we define a mini abstraction layer to access 32 bit chunks,
+ * load them in 'cur' for work, and store them back from 'cur' when done.
+ *
+ * While at it, also define the size of N in terms of 32-bit chunks.
+ */
+#define LOAD32      cur = A( i );
+
+#if defined(MBEDTLS_HAVE_INT32)  /* 32 bit */
+
+#define MAX32       N->n
+#define A( j )      N->p[j]
+#define STORE32     N->p[i] = cur;
+
+#else                               /* 64-bit */
+
+#define MAX32       N->n * 2
+#define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] )
+#define STORE32                                   \
+    if( i % 2 ) {                                 \
+        N->p[i/2] &= 0x00000000FFFFFFFF;          \
+        N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32;        \
+    } else {                                      \
+        N->p[i/2] &= 0xFFFFFFFF00000000;          \
+        N->p[i/2] |= (mbedtls_mpi_uint) cur;                \
+    }
+
+#endif /* sizeof( mbedtls_mpi_uint ) */
+
+/*
+ * Helpers for addition and subtraction of chunks, with signed carry.
+ */
+static inline void add32( uint32_t *dst, uint32_t src, signed char *carry )
+{
+    *dst += src;
+    *carry += ( *dst < src );
+}
+
+static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry )
+{
+    *carry -= ( *dst < src );
+    *dst -= src;
+}
+
+#define ADD( j )    add32( &cur, A( j ), &c );
+#define SUB( j )    sub32( &cur, A( j ), &c );
+
+/*
+ * Helpers for the main 'loop'
+ * (see fix_negative for the motivation of C)
+ */
+#define INIT( b )                                           \
+    int ret;                                                \
+    signed char c = 0, cc;                                  \
+    uint32_t cur;                                           \
+    size_t i = 0, bits = b;                                 \
+    mbedtls_mpi C;                                                  \
+    mbedtls_mpi_uint Cp[ b / 8 / sizeof( mbedtls_mpi_uint) + 1 ];               \
+                                                            \
+    C.s = 1;                                                \
+    C.n = b / 8 / sizeof( mbedtls_mpi_uint) + 1;                      \
+    C.p = Cp;                                               \
+    memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) );                \
+                                                            \
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, b * 2 / 8 / sizeof( mbedtls_mpi_uint ) ) ); \
+    LOAD32;
+
+#define NEXT                    \
+    STORE32; i++; LOAD32;       \
+    cc = c; c = 0;              \
+    if( cc < 0 )                \
+        sub32( &cur, -cc, &c ); \
+    else                        \
+        add32( &cur, cc, &c );  \
+
+#define LAST                                    \
+    STORE32; i++;                               \
+    cur = c > 0 ? c : 0; STORE32;               \
+    cur = 0; while( ++i < MAX32 ) { STORE32; }  \
+    if( c < 0 ) MBEDTLS_MPI_CHK( fix_negative( N, c, &C, bits ) );
+
+/*
+ * If the result is negative, we get it in the form
+ * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits'
+ */
+static inline int fix_negative( mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits )
+{
+    int ret;
+
+    /* C = - c * 2^(bits + 32) */
+#if !defined(MBEDTLS_HAVE_INT64)
+    ((void) bits);
+#else
+    if( bits == 224 )
+        C->p[ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32;
+    else
+#endif
+        C->p[ C->n - 1 ] = (mbedtls_mpi_uint) -c;
+
+    /* N = - ( C - N ) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) );
+    N->s = -1;
+
+cleanup:
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
+ */
+static int ecp_mod_p224( mbedtls_mpi *N )
+{
+    INIT( 224 );
+
+    SUB(  7 ); SUB( 11 );               NEXT; // A0 += -A7 - A11
+    SUB(  8 ); SUB( 12 );               NEXT; // A1 += -A8 - A12
+    SUB(  9 ); SUB( 13 );               NEXT; // A2 += -A9 - A13
+    SUB( 10 ); ADD(  7 ); ADD( 11 );    NEXT; // A3 += -A10 + A7 + A11
+    SUB( 11 ); ADD(  8 ); ADD( 12 );    NEXT; // A4 += -A11 + A8 + A12
+    SUB( 12 ); ADD(  9 ); ADD( 13 );    NEXT; // A5 += -A12 + A9 + A13
+    SUB( 13 ); ADD( 10 );               LAST; // A6 += -A13 + A10
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
+ */
+static int ecp_mod_p256( mbedtls_mpi *N )
+{
+    INIT( 256 );
+
+    ADD(  8 ); ADD(  9 );
+    SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 );             NEXT; // A0
+
+    ADD(  9 ); ADD( 10 );
+    SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 );             NEXT; // A1
+
+    ADD( 10 ); ADD( 11 );
+    SUB( 13 ); SUB( 14 ); SUB( 15 );                        NEXT; // A2
+
+    ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
+    SUB( 15 ); SUB(  8 ); SUB(  9 );                        NEXT; // A3
+
+    ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
+    SUB(  9 ); SUB( 10 );                                   NEXT; // A4
+
+    ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
+    SUB( 10 ); SUB( 11 );                                   NEXT; // A5
+
+    ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
+    SUB(  8 ); SUB(  9 );                                   NEXT; // A6
+
+    ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
+    SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 );             LAST; // A7
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
+ */
+static int ecp_mod_p384( mbedtls_mpi *N )
+{
+    INIT( 384 );
+
+    ADD( 12 ); ADD( 21 ); ADD( 20 );
+    SUB( 23 );                                              NEXT; // A0
+
+    ADD( 13 ); ADD( 22 ); ADD( 23 );
+    SUB( 12 ); SUB( 20 );                                   NEXT; // A2
+
+    ADD( 14 ); ADD( 23 );
+    SUB( 13 ); SUB( 21 );                                   NEXT; // A2
+
+    ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
+    SUB( 14 ); SUB( 22 ); SUB( 23 );                        NEXT; // A3
+
+    ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
+    SUB( 15 ); SUB( 23 ); SUB( 23 );                        NEXT; // A4
+
+    ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
+    SUB( 16 );                                              NEXT; // A5
+
+    ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
+    SUB( 17 );                                              NEXT; // A6
+
+    ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
+    SUB( 18 );                                              NEXT; // A7
+
+    ADD( 20 ); ADD( 17 ); ADD( 16 );
+    SUB( 19 );                                              NEXT; // A8
+
+    ADD( 21 ); ADD( 18 ); ADD( 17 );
+    SUB( 20 );                                              NEXT; // A9
+
+    ADD( 22 ); ADD( 19 ); ADD( 18 );
+    SUB( 21 );                                              NEXT; // A10
+
+    ADD( 23 ); ADD( 20 ); ADD( 19 );
+    SUB( 22 );                                              LAST; // A11
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#undef A
+#undef LOAD32
+#undef STORE32
+#undef MAX32
+#undef INIT
+#undef NEXT
+#undef LAST
+
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
+          MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
+          MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+/*
+ * Here we have an actual Mersenne prime, so things are more straightforward.
+ * However, chunks are aligned on a 'weird' boundary (521 bits).
+ */
+
+/* Size of p521 in terms of mbedtls_mpi_uint */
+#define P521_WIDTH      ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
+
+/* Bits to keep in the most significant mbedtls_mpi_uint */
+#define P521_MASK       0x01FF
+
+/*
+ * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
+ * Write N as A1 + 2^521 A0, return A0 + A1
+ */
+static int ecp_mod_p521( mbedtls_mpi *N )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi M;
+    mbedtls_mpi_uint Mp[P521_WIDTH + 1];
+    /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
+     * we need to hold bits 513 to 1056, which is 34 limbs, that is
+     * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
+
+    if( N->n < P521_WIDTH )
+        return( 0 );
+
+    /* M = A1 */
+    M.s = 1;
+    M.n = N->n - ( P521_WIDTH - 1 );
+    if( M.n > P521_WIDTH + 1 )
+        M.n = P521_WIDTH + 1;
+    M.p = Mp;
+    memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
+
+    /* N = A0 */
+    N->p[P521_WIDTH - 1] &= P521_MASK;
+    for( i = P521_WIDTH; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+
+#undef P521_WIDTH
+#undef P521_MASK
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+
+/* Size of p255 in terms of mbedtls_mpi_uint */
+#define P255_WIDTH      ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
+
+/*
+ * Fast quasi-reduction modulo p255 = 2^255 - 19
+ * Write N as A0 + 2^255 A1, return A0 + 19 * A1
+ */
+static int ecp_mod_p255( mbedtls_mpi *N )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi M;
+    mbedtls_mpi_uint Mp[P255_WIDTH + 2];
+
+    if( N->n < P255_WIDTH )
+        return( 0 );
+
+    /* M = A1 */
+    M.s = 1;
+    M.n = N->n - ( P255_WIDTH - 1 );
+    if( M.n > P255_WIDTH + 1 )
+        M.n = P255_WIDTH + 1;
+    M.p = Mp;
+    memset( Mp, 0, sizeof Mp );
+    memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
+    M.n++; /* Make room for multiplication by 19 */
+
+    /* N = A0 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) );
+    for( i = P255_WIDTH; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + 19 * A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo P = 2^s - R,
+ * with R about 33 bits, used by the Koblitz curves.
+ *
+ * Write N as A0 + 2^224 A1, return A0 + R * A1.
+ * Actually do two passes, since R is big.
+ */
+#define P_KOBLITZ_MAX   ( 256 / 8 / sizeof( mbedtls_mpi_uint ) )  // Max limbs in P
+#define P_KOBLITZ_R     ( 8 / sizeof( mbedtls_mpi_uint ) )        // Limbs in R
+static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
+                                   size_t adjust, size_t shift, mbedtls_mpi_uint mask )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi M, R;
+    mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
+
+    if( N->n < p_limbs )
+        return( 0 );
+
+    /* Init R */
+    R.s = 1;
+    R.p = Rp;
+    R.n = P_KOBLITZ_R;
+
+    /* Common setup for M */
+    M.s = 1;
+    M.p = Mp;
+
+    /* M = A1 */
+    M.n = N->n - ( p_limbs - adjust );
+    if( M.n > p_limbs + adjust )
+        M.n = p_limbs + adjust;
+    memset( Mp, 0, sizeof Mp );
+    memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
+    if( shift != 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
+    M.n += R.n; /* Make room for multiplication by R */
+
+    /* N = A0 */
+    if( mask != 0 )
+        N->p[p_limbs - 1] &= mask;
+    for( i = p_limbs; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + R * A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
+
+    /* Second pass */
+
+    /* M = A1 */
+    M.n = N->n - ( p_limbs - adjust );
+    if( M.n > p_limbs + adjust )
+        M.n = p_limbs + adjust;
+    memset( Mp, 0, sizeof Mp );
+    memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
+    if( shift != 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
+    M.n += R.n; /* Make room for multiplication by R */
+
+    /* N = A0 */
+    if( mask != 0 )
+        N->p[p_limbs - 1] &= mask;
+    for( i = p_limbs; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + R * A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
+          MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
+          MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p192k1 = 2^192 - R,
+ * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
+ */
+static int ecp_mod_p192k1( mbedtls_mpi *N )
+{
+    static mbedtls_mpi_uint Rp[] = {
+        BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
+
+    return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
+}
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p224k1 = 2^224 - R,
+ * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
+ */
+static int ecp_mod_p224k1( mbedtls_mpi *N )
+{
+    static mbedtls_mpi_uint Rp[] = {
+        BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
+
+#if defined(MBEDTLS_HAVE_INT64)
+    return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
+#else
+    return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
+#endif
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p256k1 = 2^256 - R,
+ * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
+ */
+static int ecp_mod_p256k1( mbedtls_mpi *N )
+{
+    static mbedtls_mpi_uint Rp[] = {
+        BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
+    return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
+}
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#endif /* !MBEDTLS_ECP_ALT */
+
+#endif /* MBEDTLS_ECP_C */
diff --git a/third-party/mbedtls-3.6/library/entropy.c b/third-party/mbedtls-3.6/library/entropy.c
new file mode 100644
index 00000000..fb5e0eca
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/entropy.c
@@ -0,0 +1,755 @@
+/*
+ *  Entropy accumulator implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ENTROPY_C)
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+#warning "**** WARNING!  MBEDTLS_TEST_NULL_ENTROPY defined! "
+#warning "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES "
+#warning "**** THIS BUILD IS *NOT* SUITABLE FOR PRODUCTION USE "
+#endif
+
+#include "mbedtls/entropy.h"
+#include "mbedtls/entropy_poll.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#include "mbedtls/platform.h"
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if defined(MBEDTLS_HAVEGE_C)
+#include "mbedtls/havege.h"
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+#define ENTROPY_MAX_LOOP    256     /**< Maximum amount to loop before error */
+
+void mbedtls_entropy_init( mbedtls_entropy_context *ctx )
+{
+    ctx->source_count = 0;
+    memset( ctx->source, 0, sizeof( ctx->source ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+
+    ctx->accumulator_started = 0;
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    mbedtls_sha512_init( &ctx->accumulator );
+#else
+    mbedtls_sha256_init( &ctx->accumulator );
+#endif
+#if defined(MBEDTLS_HAVEGE_C)
+    mbedtls_havege_init( &ctx->havege_data );
+#endif
+
+    /* Reminder: Update ENTROPY_HAVE_STRONG in the test files
+     *           when adding more strong entropy sources here. */
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+    mbedtls_entropy_add_source( ctx, mbedtls_null_entropy_poll, NULL,
+                                1, MBEDTLS_ENTROPY_SOURCE_STRONG );
+#endif
+
+#if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+    mbedtls_entropy_add_source( ctx, mbedtls_platform_entropy_poll, NULL,
+                                MBEDTLS_ENTROPY_MIN_PLATFORM,
+                                MBEDTLS_ENTROPY_SOURCE_STRONG );
+#endif
+#if defined(MBEDTLS_TIMING_C)
+    mbedtls_entropy_add_source( ctx, mbedtls_hardclock_poll, NULL,
+                                MBEDTLS_ENTROPY_MIN_HARDCLOCK,
+                                MBEDTLS_ENTROPY_SOURCE_WEAK );
+#endif
+#if defined(MBEDTLS_HAVEGE_C)
+    mbedtls_entropy_add_source( ctx, mbedtls_havege_poll, &ctx->havege_data,
+                                MBEDTLS_ENTROPY_MIN_HAVEGE,
+                                MBEDTLS_ENTROPY_SOURCE_STRONG );
+#endif
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+    mbedtls_entropy_add_source( ctx, mbedtls_hardware_poll, NULL,
+                                MBEDTLS_ENTROPY_MIN_HARDWARE,
+                                MBEDTLS_ENTROPY_SOURCE_STRONG );
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    mbedtls_entropy_add_source( ctx, mbedtls_nv_seed_poll, NULL,
+                                MBEDTLS_ENTROPY_BLOCK_SIZE,
+                                MBEDTLS_ENTROPY_SOURCE_STRONG );
+    ctx->initial_entropy_run = 0;
+#endif
+#endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
+}
+
+void mbedtls_entropy_free( mbedtls_entropy_context *ctx )
+{
+    /* If the context was already free, don't call free() again.
+     * This is important for mutexes which don't allow double-free. */
+    if( ctx->accumulator_started == -1 )
+        return;
+
+#if defined(MBEDTLS_HAVEGE_C)
+    mbedtls_havege_free( &ctx->havege_data );
+#endif
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    mbedtls_sha512_free( &ctx->accumulator );
+#else
+    mbedtls_sha256_free( &ctx->accumulator );
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    ctx->initial_entropy_run = 0;
+#endif
+    ctx->source_count = 0;
+    mbedtls_zeroize( ctx->source, sizeof( ctx->source ) );
+    ctx->accumulator_started = -1;
+}
+
+int mbedtls_entropy_add_source( mbedtls_entropy_context *ctx,
+                        mbedtls_entropy_f_source_ptr f_source, void *p_source,
+                        size_t threshold, int strong )
+{
+    int idx, ret = 0;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    idx = ctx->source_count;
+    if( idx >= MBEDTLS_ENTROPY_MAX_SOURCES )
+    {
+        ret = MBEDTLS_ERR_ENTROPY_MAX_SOURCES;
+        goto exit;
+    }
+
+    ctx->source[idx].f_source  = f_source;
+    ctx->source[idx].p_source  = p_source;
+    ctx->source[idx].threshold = threshold;
+    ctx->source[idx].strong    = strong;
+
+    ctx->source_count++;
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Entropy accumulator update
+ */
+static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id,
+                           const unsigned char *data, size_t len )
+{
+    unsigned char header[2];
+    unsigned char tmp[MBEDTLS_ENTROPY_BLOCK_SIZE];
+    size_t use_len = len;
+    const unsigned char *p = data;
+    int ret = 0;
+
+    if( use_len > MBEDTLS_ENTROPY_BLOCK_SIZE )
+    {
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+        if( ( ret = mbedtls_sha512_ret( data, len, tmp, 0 ) ) != 0 )
+            goto cleanup;
+#else
+        if( ( ret = mbedtls_sha256_ret( data, len, tmp, 0 ) ) != 0 )
+            goto cleanup;
+#endif
+        p = tmp;
+        use_len = MBEDTLS_ENTROPY_BLOCK_SIZE;
+    }
+
+    header[0] = source_id;
+    header[1] = use_len & 0xFF;
+
+    /*
+     * Start the accumulator if this has not already happened. Note that
+     * it is sufficient to start the accumulator here only because all calls to
+     * gather entropy eventually execute this code.
+     */
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    if( ctx->accumulator_started == 0 &&
+        ( ret = mbedtls_sha512_starts_ret( &ctx->accumulator, 0 ) ) != 0 )
+        goto cleanup;
+    else
+        ctx->accumulator_started = 1;
+    if( ( ret = mbedtls_sha512_update_ret( &ctx->accumulator, header, 2 ) ) != 0 )
+        goto cleanup;
+    ret = mbedtls_sha512_update_ret( &ctx->accumulator, p, use_len );
+#else
+    if( ctx->accumulator_started == 0 &&
+        ( ret = mbedtls_sha256_starts_ret( &ctx->accumulator, 0 ) ) != 0 )
+        goto cleanup;
+    else
+        ctx->accumulator_started = 1;
+    if( ( ret = mbedtls_sha256_update_ret( &ctx->accumulator, header, 2 ) ) != 0 )
+        goto cleanup;
+    ret = mbedtls_sha256_update_ret( &ctx->accumulator, p, use_len );
+#endif
+
+cleanup:
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
+
+    return( ret );
+}
+
+int mbedtls_entropy_update_manual( mbedtls_entropy_context *ctx,
+                           const unsigned char *data, size_t len )
+{
+    int ret;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    ret = entropy_update( ctx, MBEDTLS_ENTROPY_SOURCE_MANUAL, data, len );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Run through the different sources to add entropy to our accumulator
+ */
+static int entropy_gather_internal( mbedtls_entropy_context *ctx )
+{
+    int ret, i, have_one_strong = 0;
+    unsigned char buf[MBEDTLS_ENTROPY_MAX_GATHER];
+    size_t olen;
+
+    if( ctx->source_count == 0 )
+        return( MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED );
+
+    /*
+     * Run through our entropy sources
+     */
+    for( i = 0; i < ctx->source_count; i++ )
+    {
+        if( ctx->source[i].strong == MBEDTLS_ENTROPY_SOURCE_STRONG )
+            have_one_strong = 1;
+
+        olen = 0;
+        if( ( ret = ctx->source[i].f_source( ctx->source[i].p_source,
+                        buf, MBEDTLS_ENTROPY_MAX_GATHER, &olen ) ) != 0 )
+        {
+            goto cleanup;
+        }
+
+        /*
+         * Add if we actually gathered something
+         */
+        if( olen > 0 )
+        {
+            if( ( ret = entropy_update( ctx, (unsigned char) i,
+                                        buf, olen ) ) != 0 )
+                return( ret );
+            ctx->source[i].size += olen;
+        }
+    }
+
+    if( have_one_strong == 0 )
+        ret = MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE;
+
+cleanup:
+    mbedtls_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
+}
+
+/*
+ * Thread-safe wrapper for entropy_gather_internal()
+ */
+int mbedtls_entropy_gather( mbedtls_entropy_context *ctx )
+{
+    int ret;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    ret = entropy_gather_internal( ctx );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+int mbedtls_entropy_func( void *data, unsigned char *output, size_t len )
+{
+    int ret, count = 0, i, done;
+    mbedtls_entropy_context *ctx = (mbedtls_entropy_context *) data;
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+    if( len > MBEDTLS_ENTROPY_BLOCK_SIZE )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    /* Update the NV entropy seed before generating any entropy for outside
+     * use.
+     */
+    if( ctx->initial_entropy_run == 0 )
+    {
+        ctx->initial_entropy_run = 1;
+        if( ( ret = mbedtls_entropy_update_nv_seed( ctx ) ) != 0 )
+            return( ret );
+    }
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    /*
+     * Always gather extra entropy before a call
+     */
+    do
+    {
+        if( count++ > ENTROPY_MAX_LOOP )
+        {
+            ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+            goto exit;
+        }
+
+        if( ( ret = entropy_gather_internal( ctx ) ) != 0 )
+            goto exit;
+
+        done = 1;
+        for( i = 0; i < ctx->source_count; i++ )
+            if( ctx->source[i].size < ctx->source[i].threshold )
+                done = 0;
+    }
+    while( ! done );
+
+    memset( buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE );
+
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    /*
+     * Note that at this stage it is assumed that the accumulator was started
+     * in a previous call to entropy_update(). If this is not guaranteed, the
+     * code below will fail.
+     */
+    if( ( ret = mbedtls_sha512_finish_ret( &ctx->accumulator, buf ) ) != 0 )
+        goto exit;
+
+    /*
+     * Reset accumulator and counters and recycle existing entropy
+     */
+    mbedtls_sha512_free( &ctx->accumulator );
+    mbedtls_sha512_init( &ctx->accumulator );
+    if( ( ret = mbedtls_sha512_starts_ret( &ctx->accumulator, 0 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_sha512_update_ret( &ctx->accumulator, buf,
+                                           MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+        goto exit;
+
+    /*
+     * Perform second SHA-512 on entropy
+     */
+    if( ( ret = mbedtls_sha512_ret( buf, MBEDTLS_ENTROPY_BLOCK_SIZE,
+                                    buf, 0 ) ) != 0 )
+        goto exit;
+#else /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
+    if( ( ret = mbedtls_sha256_finish_ret( &ctx->accumulator, buf ) ) != 0 )
+        goto exit;
+
+    /*
+     * Reset accumulator and counters and recycle existing entropy
+     */
+    mbedtls_sha256_free( &ctx->accumulator );
+    mbedtls_sha256_init( &ctx->accumulator );
+    if( ( ret = mbedtls_sha256_starts_ret( &ctx->accumulator, 0 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_sha256_update_ret( &ctx->accumulator, buf,
+                                           MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+        goto exit;
+
+    /*
+     * Perform second SHA-256 on entropy
+     */
+    if( ( ret = mbedtls_sha256_ret( buf, MBEDTLS_ENTROPY_BLOCK_SIZE,
+                                    buf, 0 ) ) != 0 )
+        goto exit;
+#endif /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
+
+    for( i = 0; i < ctx->source_count; i++ )
+        ctx->source[i].size = 0;
+
+    memcpy( output, buf, len );
+
+    ret = 0;
+
+exit:
+    mbedtls_zeroize( buf, sizeof( buf ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+int mbedtls_entropy_update_nv_seed( mbedtls_entropy_context *ctx )
+{
+    int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+    /* Read new seed  and write it to NV */
+    if( ( ret = mbedtls_entropy_func( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+        return( ret );
+
+    if( mbedtls_nv_seed_write( buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) < 0 )
+        return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
+
+    /* Manually update the remaining stream with a separator value to diverge */
+    memset( buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE );
+    ret = mbedtls_entropy_update_manual( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_entropy_write_seed_file( mbedtls_entropy_context *ctx, const char *path )
+{
+    int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+    FILE *f;
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+    if( ( f = fopen( path, "wb" ) ) == NULL )
+        return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
+
+    if( ( ret = mbedtls_entropy_func( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+        goto exit;
+
+    if( fwrite( buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f ) != MBEDTLS_ENTROPY_BLOCK_SIZE )
+    {
+        ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+        goto exit;
+    }
+
+    ret = 0;
+
+exit:
+    mbedtls_zeroize( buf, sizeof( buf ) );
+
+    fclose( f );
+    return( ret );
+}
+
+int mbedtls_entropy_update_seed_file( mbedtls_entropy_context *ctx, const char *path )
+{
+    int ret = 0;
+    FILE *f;
+    size_t n;
+    unsigned char buf[ MBEDTLS_ENTROPY_MAX_SEED_SIZE ];
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
+
+    fseek( f, 0, SEEK_END );
+    n = (size_t) ftell( f );
+    fseek( f, 0, SEEK_SET );
+
+    if( n > MBEDTLS_ENTROPY_MAX_SEED_SIZE )
+        n = MBEDTLS_ENTROPY_MAX_SEED_SIZE;
+
+    if( fread( buf, 1, n, f ) != n )
+        ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+    else
+        ret = mbedtls_entropy_update_manual( ctx, buf, n );
+
+    fclose( f );
+
+    mbedtls_zeroize( buf, sizeof( buf ) );
+
+    if( ret != 0 )
+        return( ret );
+
+    return( mbedtls_entropy_write_seed_file( ctx, path ) );
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+#if !defined(MBEDTLS_TEST_NULL_ENTROPY)
+/*
+ * Dummy source function
+ */
+static int entropy_dummy_source( void *data, unsigned char *output,
+                                 size_t len, size_t *olen )
+{
+    ((void) data);
+
+    memset( output, 0x2a, len );
+    *olen = len;
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_TEST_NULL_ENTROPY */
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+
+static int mbedtls_entropy_source_self_test_gather( unsigned char *buf, size_t buf_len )
+{
+    int ret = 0;
+    size_t entropy_len = 0;
+    size_t olen = 0;
+    size_t attempts = buf_len;
+
+    while( attempts > 0 && entropy_len < buf_len )
+    {
+        if( ( ret = mbedtls_hardware_poll( NULL, buf + entropy_len,
+            buf_len - entropy_len, &olen ) ) != 0 )
+            return( ret );
+
+        entropy_len += olen;
+        attempts--;
+    }
+
+    if( entropy_len < buf_len )
+    {
+        ret = 1;
+    }
+
+    return( ret );
+}
+
+
+static int mbedtls_entropy_source_self_test_check_bits( const unsigned char *buf,
+                                                        size_t buf_len )
+{
+    unsigned char set= 0xFF;
+    unsigned char unset = 0x00;
+    size_t i;
+
+    for( i = 0; i < buf_len; i++ )
+    {
+        set &= buf[i];
+        unset |= buf[i];
+    }
+
+    return( set == 0xFF || unset == 0x00 );
+}
+
+/*
+ * A test to ensure hat the entropy sources are functioning correctly
+ * and there is no obvious failure. The test performs the following checks:
+ *  - The entropy source is not providing only 0s (all bits unset) or 1s (all
+ *    bits set).
+ *  - The entropy source is not providing values in a pattern. Because the
+ *    hardware could be providing data in an arbitrary length, this check polls
+ *    the hardware entropy source twice and compares the result to ensure they
+ *    are not equal.
+ *  - The error code returned by the entropy source is not an error.
+ */
+int mbedtls_entropy_source_self_test( int verbose )
+{
+    int ret = 0;
+    unsigned char buf0[2 * sizeof( unsigned long long int )];
+    unsigned char buf1[2 * sizeof( unsigned long long int )];
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ENTROPY_BIAS test: " );
+
+    memset( buf0, 0x00, sizeof( buf0 ) );
+    memset( buf1, 0x00, sizeof( buf1 ) );
+
+    if( ( ret = mbedtls_entropy_source_self_test_gather( buf0, sizeof( buf0 ) ) ) != 0 )
+        goto cleanup;
+    if( ( ret = mbedtls_entropy_source_self_test_gather( buf1, sizeof( buf1 ) ) ) != 0 )
+        goto cleanup;
+
+    /* Make sure that the returned values are not all 0 or 1 */
+    if( ( ret = mbedtls_entropy_source_self_test_check_bits( buf0, sizeof( buf0 ) ) ) != 0 )
+        goto cleanup;
+    if( ( ret = mbedtls_entropy_source_self_test_check_bits( buf1, sizeof( buf1 ) ) ) != 0 )
+        goto cleanup;
+
+    /* Make sure that the entropy source is not returning values in a
+     * pattern */
+    ret = memcmp( buf0, buf1, sizeof( buf0 ) ) == 0;
+
+cleanup:
+    if( verbose != 0 )
+    {
+        if( ret != 0 )
+            mbedtls_printf( "failed\n" );
+        else
+            mbedtls_printf( "passed\n" );
+
+        mbedtls_printf( "\n" );
+    }
+
+    return( ret != 0 );
+}
+
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+
+/*
+ * The actual entropy quality is hard to test, but we can at least
+ * test that the functions don't cause errors and write the correct
+ * amount of data to buffers.
+ */
+int mbedtls_entropy_self_test( int verbose )
+{
+    int ret = 1;
+#if !defined(MBEDTLS_TEST_NULL_ENTROPY)
+    mbedtls_entropy_context ctx;
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
+    unsigned char acc[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
+    size_t i, j;
+#endif /* !MBEDTLS_TEST_NULL_ENTROPY */
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ENTROPY test: " );
+
+#if !defined(MBEDTLS_TEST_NULL_ENTROPY)
+    mbedtls_entropy_init( &ctx );
+
+    /* First do a gather to make sure we have default sources */
+    if( ( ret = mbedtls_entropy_gather( &ctx ) ) != 0 )
+        goto cleanup;
+
+    ret = mbedtls_entropy_add_source( &ctx, entropy_dummy_source, NULL, 16,
+                                      MBEDTLS_ENTROPY_SOURCE_WEAK );
+    if( ret != 0 )
+        goto cleanup;
+
+    if( ( ret = mbedtls_entropy_update_manual( &ctx, buf, sizeof buf ) ) != 0 )
+        goto cleanup;
+
+    /*
+     * To test that mbedtls_entropy_func writes correct number of bytes:
+     * - use the whole buffer and rely on ASan to detect overruns
+     * - collect entropy 8 times and OR the result in an accumulator:
+     *   any byte should then be 0 with probably 2^(-64), so requiring
+     *   each of the 32 or 64 bytes to be non-zero has a false failure rate
+     *   of at most 2^(-58) which is acceptable.
+     */
+    for( i = 0; i < 8; i++ )
+    {
+        if( ( ret = mbedtls_entropy_func( &ctx, buf, sizeof( buf ) ) ) != 0 )
+            goto cleanup;
+
+        for( j = 0; j < sizeof( buf ); j++ )
+            acc[j] |= buf[j];
+    }
+
+    for( j = 0; j < sizeof( buf ); j++ )
+    {
+        if( acc[j] == 0 )
+        {
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+    if( ( ret = mbedtls_entropy_source_self_test( 0 ) ) != 0 )
+        goto cleanup;
+#endif
+
+cleanup:
+    mbedtls_entropy_free( &ctx );
+#endif /* !MBEDTLS_TEST_NULL_ENTROPY */
+
+    if( verbose != 0 )
+    {
+        if( ret != 0 )
+            mbedtls_printf( "failed\n" );
+        else
+            mbedtls_printf( "passed\n" );
+
+        mbedtls_printf( "\n" );
+    }
+
+    return( ret != 0 );
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ENTROPY_C */
diff --git a/third-party/mbedtls-3.6/library/entropy_poll.c b/third-party/mbedtls-3.6/library/entropy_poll.c
new file mode 100644
index 00000000..dbb57008
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/entropy_poll.c
@@ -0,0 +1,254 @@
+/*
+ *  Platform-specific and custom entropy polling functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ENTROPY_C)
+
+#include "mbedtls/entropy.h"
+#include "mbedtls/entropy_poll.h"
+
+#if defined(MBEDTLS_TIMING_C)
+#include <string.h>
+#include "mbedtls/timing.h"
+#endif
+#if defined(MBEDTLS_HAVEGE_C)
+#include "mbedtls/havege.h"
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#include "mbedtls/platform.h"
+#endif
+
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+    !defined(__APPLE__) && !defined(_WIN32)
+#error "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in config.h"
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+#if !defined(_WIN32_WINNT)
+#define _WIN32_WINNT 0x0400
+#endif
+#include <windows.h>
+#include <wincrypt.h>
+
+int mbedtls_platform_entropy_poll( void *data, unsigned char *output, size_t len,
+                           size_t *olen )
+{
+    HCRYPTPROV provider;
+    ((void) data);
+    *olen = 0;
+
+    if( CryptAcquireContext( &provider, NULL, NULL,
+                              PROV_RSA_FULL, CRYPT_VERIFYCONTEXT ) == FALSE )
+    {
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    }
+
+    if( CryptGenRandom( provider, (DWORD) len, output ) == FALSE )
+    {
+        CryptReleaseContext( provider, 0 );
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    }
+
+    CryptReleaseContext( provider, 0 );
+    *olen = len;
+
+    return( 0 );
+}
+#else /* _WIN32 && !EFIX64 && !EFI32 */
+
+/*
+ * Test for Linux getrandom() support.
+ * Since there is no wrapper in the libc yet, use the generic syscall wrapper
+ * available in GNU libc and compatible libc's (eg uClibc).
+ */
+#if defined(__linux__) && defined(__GLIBC__)
+#include <unistd.h>
+#include <sys/syscall.h>
+#if defined(SYS_getrandom)
+#define HAVE_GETRANDOM
+#include <errno.h>
+
+static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
+{
+    /* MemSan cannot understand that the syscall writes to the buffer */
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+    memset( buf, 0, buflen );
+#endif
+#endif
+    return( syscall( SYS_getrandom, buf, buflen, flags ) );
+}
+#endif /* SYS_getrandom */
+#endif /* __linux__ */
+
+#include <stdio.h>
+
+int mbedtls_platform_entropy_poll( void *data,
+                           unsigned char *output, size_t len, size_t *olen )
+{
+    FILE *file;
+    size_t read_len;
+    int ret;
+    ((void) data);
+
+#if defined(HAVE_GETRANDOM)
+    ret = getrandom_wrapper( output, len, 0 );
+    if( ret >= 0 )
+    {
+        *olen = ret;
+        return( 0 );
+    }
+    else if( errno != ENOSYS )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    /* Fall through if the system call isn't known. */
+#else
+    ((void) ret);
+#endif /* HAVE_GETRANDOM */
+
+    *olen = 0;
+
+    file = fopen( "/dev/urandom", "rb" );
+    if( file == NULL )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+
+    read_len = fread( output, 1, len, file );
+    if( read_len != len )
+    {
+        fclose( file );
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    }
+
+    fclose( file );
+    *olen = len;
+
+    return( 0 );
+}
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+#endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+int mbedtls_null_entropy_poll( void *data,
+                    unsigned char *output, size_t len, size_t *olen )
+{
+    ((void) data);
+    ((void) output);
+    *olen = 0;
+
+    if( len < sizeof(unsigned char) )
+        return( 0 );
+
+    *olen = sizeof(unsigned char);
+
+    return( 0 );
+}
+#endif
+
+#if defined(MBEDTLS_TIMING_C)
+int mbedtls_hardclock_poll( void *data,
+                    unsigned char *output, size_t len, size_t *olen )
+{
+    unsigned long timer = mbedtls_timing_hardclock();
+    ((void) data);
+    *olen = 0;
+
+    if( len < sizeof(unsigned long) )
+        return( 0 );
+
+    memcpy( output, &timer, sizeof(unsigned long) );
+    *olen = sizeof(unsigned long);
+
+    return( 0 );
+}
+#endif /* MBEDTLS_TIMING_C */
+
+#if defined(MBEDTLS_HAVEGE_C)
+int mbedtls_havege_poll( void *data,
+                 unsigned char *output, size_t len, size_t *olen )
+{
+    mbedtls_havege_state *hs = (mbedtls_havege_state *) data;
+    *olen = 0;
+
+    if( mbedtls_havege_random( hs, output, len ) != 0 )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+
+    *olen = len;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_HAVEGE_C */
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+int mbedtls_nv_seed_poll( void *data,
+                          unsigned char *output, size_t len, size_t *olen )
+{
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+    size_t use_len = MBEDTLS_ENTROPY_BLOCK_SIZE;
+    ((void) data);
+
+    memset( buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE );
+
+    if( mbedtls_nv_seed_read( buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) < 0 )
+      return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+
+    if( len < use_len )
+      use_len = len;
+
+    memcpy( output, buf, use_len );
+    *olen = use_len;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#endif /* MBEDTLS_ENTROPY_C */
diff --git a/third-party/mbedtls-3.6/library/error.c b/third-party/mbedtls-3.6/library/error.c
new file mode 100644
index 00000000..9b04dcd2
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/error.c
@@ -0,0 +1,850 @@
+/*
+ *  Error message information
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ERROR_C) || defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_ERROR_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_snprintf snprintf
+#endif
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+#include "mbedtls/arc4.h"
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#endif
+
+#if defined(MBEDTLS_BASE64_C)
+#include "mbedtls/base64.h"
+#endif
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#if defined(MBEDTLS_BLOWFISH_C)
+#include "mbedtls/blowfish.h"
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#include "mbedtls/camellia.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_CIPHER_C)
+#include "mbedtls/cipher.h"
+#endif
+
+#if defined(MBEDTLS_CMAC_C)
+#include "mbedtls/cmac.h"
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+#include "mbedtls/ctr_drbg.h"
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+#include "mbedtls/dhm.h"
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_ENTROPY_C)
+#include "mbedtls/entropy.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+#include "mbedtls/hmac_drbg.h"
+#endif
+
+#if defined(MBEDTLS_MD_C)
+#include "mbedtls/md.h"
+#endif
+
+#if defined(MBEDTLS_MD2_C)
+#include "mbedtls/md2.h"
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+#include "mbedtls/md4.h"
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+#include "mbedtls/md5.h"
+#endif
+
+#if defined(MBEDTLS_NET_C)
+#include "mbedtls/net_sockets.h"
+#endif
+
+#if defined(MBEDTLS_OID_C)
+#include "mbedtls/oid.h"
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C)
+#include "mbedtls/padlock.h"
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PK_C)
+#include "mbedtls/pk.h"
+#endif
+
+#if defined(MBEDTLS_PKCS12_C)
+#include "mbedtls/pkcs12.h"
+#endif
+
+#if defined(MBEDTLS_PKCS5_C)
+#include "mbedtls/pkcs5.h"
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+#include "mbedtls/ripemd160.h"
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#include "mbedtls/sha1.h"
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#include "mbedtls/sha256.h"
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#include "mbedtls/sha512.h"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C)
+#include "mbedtls/ssl.h"
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+#include "mbedtls/x509.h"
+#endif
+
+#if defined(MBEDTLS_XTEA_C)
+#include "mbedtls/xtea.h"
+#endif
+
+
+void mbedtls_strerror( int ret, char *buf, size_t buflen )
+{
+    size_t len;
+    int use_ret;
+
+    if( buflen == 0 )
+        return;
+
+    memset( buf, 0x00, buflen );
+
+    if( ret < 0 )
+        ret = -ret;
+
+    if( ret & 0xFF80 )
+    {
+        use_ret = ret & 0xFF80;
+
+        // High level error codes
+        //
+        // BEGIN generated code
+#if defined(MBEDTLS_CIPHER_C)
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - The selected feature is not available" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Bad input parameters" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Failed to allocate memory" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_PADDING) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Input data contains invalid padding and is rejected" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Decryption of block requires a full block" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_AUTH_FAILED) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Authentication failed (for AEAD modes)" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - The context is invalid. For example, because it was freed" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Cipher hardware accelerator failed" );
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_DHM_C)
+        if( use_ret == -(MBEDTLS_ERR_DHM_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "DHM - Bad input parameters" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Reading of the DHM parameters failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Making of the DHM parameters failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Reading of the public values failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Making of the public value failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Calculation of the DHM secret failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "DHM - The ASN.1 data is not formatted correctly" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Allocation of memory failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_FILE_IO_ERROR) )
+            mbedtls_snprintf( buf, buflen, "DHM - Read or write of file failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - DHM hardware accelerator failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_SET_GROUP_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Setting the modulus and generator failed" );
+#endif /* MBEDTLS_DHM_C */
+
+#if defined(MBEDTLS_ECP_C)
+        if( use_ret == -(MBEDTLS_ERR_ECP_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "ECP - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL) )
+            mbedtls_snprintf( buf, buflen, "ECP - The buffer is too small to write to" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "ECP - Requested curve not available" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_VERIFY_FAILED) )
+            mbedtls_snprintf( buf, buflen, "ECP - The signature is not valid" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "ECP - Memory allocation failed" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_RANDOM_FAILED) )
+            mbedtls_snprintf( buf, buflen, "ECP - Generation of random value, such as (ephemeral) key, failed" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_INVALID_KEY) )
+            mbedtls_snprintf( buf, buflen, "ECP - Invalid private or public key" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "ECP - The buffer contains a valid signature followed by more data" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "ECP - ECP hardware accelerator failed" );
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_MD_C)
+        if( use_ret == -(MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "MD - The selected feature is not available" );
+        if( use_ret == -(MBEDTLS_ERR_MD_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "MD - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_MD_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "MD - Failed to allocate memory" );
+        if( use_ret == -(MBEDTLS_ERR_MD_FILE_IO_ERROR) )
+            mbedtls_snprintf( buf, buflen, "MD - Opening or reading of file failed" );
+        if( use_ret == -(MBEDTLS_ERR_MD_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "MD - MD hardware accelerator failed" );
+#endif /* MBEDTLS_MD_C */
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+        if( use_ret == -(MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) )
+            mbedtls_snprintf( buf, buflen, "PEM - No PEM header or footer found" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_INVALID_DATA) )
+            mbedtls_snprintf( buf, buflen, "PEM - PEM string is not as expected" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "PEM - Failed to allocate memory" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_INVALID_ENC_IV) )
+            mbedtls_snprintf( buf, buflen, "PEM - RSA IV is not in hex-format" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG) )
+            mbedtls_snprintf( buf, buflen, "PEM - Unsupported key encryption algorithm" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "PEM - Private key password can't be empty" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PEM - Given private key password does not allow for correct decryption" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "PEM - Unavailable feature, e.g. hashing/encryption combination" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "PEM - Bad input parameters to function" );
+#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
+
+#if defined(MBEDTLS_PK_C)
+        if( use_ret == -(MBEDTLS_ERR_PK_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "PK - Memory allocation failed" );
+        if( use_ret == -(MBEDTLS_ERR_PK_TYPE_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PK - Type mismatch, eg attempt to encrypt with an ECDSA key" );
+        if( use_ret == -(MBEDTLS_ERR_PK_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "PK - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_PK_FILE_IO_ERROR) )
+            mbedtls_snprintf( buf, buflen, "PK - Read/write of file failed" );
+        if( use_ret == -(MBEDTLS_ERR_PK_KEY_INVALID_VERSION) )
+            mbedtls_snprintf( buf, buflen, "PK - Unsupported key version" );
+        if( use_ret == -(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "PK - Invalid key tag or value" );
+        if( use_ret == -(MBEDTLS_ERR_PK_UNKNOWN_PK_ALG) )
+            mbedtls_snprintf( buf, buflen, "PK - Key algorithm is unsupported (only RSA and EC are supported)" );
+        if( use_ret == -(MBEDTLS_ERR_PK_PASSWORD_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "PK - Private key password can't be empty" );
+        if( use_ret == -(MBEDTLS_ERR_PK_PASSWORD_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PK - Given private key password does not allow for correct decryption" );
+        if( use_ret == -(MBEDTLS_ERR_PK_INVALID_PUBKEY) )
+            mbedtls_snprintf( buf, buflen, "PK - The pubkey tag or value is invalid (only RSA and EC are supported)" );
+        if( use_ret == -(MBEDTLS_ERR_PK_INVALID_ALG) )
+            mbedtls_snprintf( buf, buflen, "PK - The algorithm tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE) )
+            mbedtls_snprintf( buf, buflen, "PK - Elliptic curve is unsupported (only NIST curves are supported)" );
+        if( use_ret == -(MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "PK - Unavailable feature, e.g. RSA disabled for RSA key" );
+        if( use_ret == -(MBEDTLS_ERR_PK_SIG_LEN_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PK - The buffer contains a valid signature followed by more data" );
+        if( use_ret == -(MBEDTLS_ERR_PK_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "PK - PK hardware accelerator failed" );
+#endif /* MBEDTLS_PK_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+        if( use_ret == -(MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "PKCS12 - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "PKCS12 - Feature not available, e.g. unsupported encryption scheme" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "PKCS12 - PBE ASN.1 data not as expected" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PKCS12 - Given private key password does not allow for correct decryption" );
+#endif /* MBEDTLS_PKCS12_C */
+
+#if defined(MBEDTLS_PKCS5_C)
+        if( use_ret == -(MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "PKCS5 - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS5_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "PKCS5 - Unexpected ASN.1 data" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "PKCS5 - Requested encryption or digest alg not available" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PKCS5 - Given private key password does not allow for correct decryption" );
+#endif /* MBEDTLS_PKCS5_C */
+
+#if defined(MBEDTLS_RSA_C)
+        if( use_ret == -(MBEDTLS_ERR_RSA_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "RSA - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_INVALID_PADDING) )
+            mbedtls_snprintf( buf, buflen, "RSA - Input data contains invalid padding and is rejected" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_KEY_GEN_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - Something failed during generation of a key" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_KEY_CHECK_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - Key failed to pass the validity check of the library" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_PUBLIC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - The public key operation failed" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_PRIVATE_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - The private key operation failed" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_VERIFY_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - The PKCS#1 verification failed" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE) )
+            mbedtls_snprintf( buf, buflen, "RSA - The output buffer for decryption is not large enough" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_RNG_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - The random generator failed to generate non-zeros" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION) )
+            mbedtls_snprintf( buf, buflen, "RSA - The implementation does not offer the requested operation, for example, because of security violations or lack of functionality" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - RSA hardware accelerator failed" );
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_SSL_TLS_C)
+        if( use_ret == -(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "SSL - The requested feature is not available" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "SSL - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_MAC) )
+            mbedtls_snprintf( buf, buflen, "SSL - Verification of the message MAC failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_RECORD) )
+            mbedtls_snprintf( buf, buflen, "SSL - An invalid SSL record was received" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CONN_EOF) )
+            mbedtls_snprintf( buf, buflen, "SSL - The connection indicated an EOF" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_CIPHER) )
+            mbedtls_snprintf( buf, buflen, "SSL - An unknown cipher was received" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN) )
+            mbedtls_snprintf( buf, buflen, "SSL - The server has no ciphersuites in common with the client" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NO_RNG) )
+            mbedtls_snprintf( buf, buflen, "SSL - No RNG was provided to the SSL module" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE) )
+            mbedtls_snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Our own certificate(s) is/are too large to send in an SSL message" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - The own private key or pre-shared key is not set, but needed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - No CA Chain is set, but required to operate" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - An unexpected message was received from our peer" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE) )
+        {
+            mbedtls_snprintf( buf, buflen, "SSL - A fatal alert message was received from our peer" );
+            return;
+        }
+        if( use_ret == -(MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Verification of our peer failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) )
+            mbedtls_snprintf( buf, buflen, "SSL - The peer notified us that the connection is going to be closed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientHello handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerHello handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the Certificate handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the CertificateRequest handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerKeyExchange handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerHelloDone handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the CertificateVerify handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ChangeCipherSpec handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_FINISHED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the Finished handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Memory allocation failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Hardware acceleration function returned with error" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH) )
+            mbedtls_snprintf( buf, buflen, "SSL - Hardware acceleration function skipped / left alone data" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_COMPRESSION_FAILED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the compression / decompression failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION) )
+            mbedtls_snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Session ticket has expired" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) )
+            mbedtls_snprintf( buf, buflen, "SSL - Unknown identity received (eg, PSK identity)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_INTERNAL_ERROR) )
+            mbedtls_snprintf( buf, buflen, "SSL - Internal error (eg, unexpected failure in lower-level module)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_COUNTER_WRAPPING) )
+            mbedtls_snprintf( buf, buflen, "SSL - A counter would wrap (eg, too many messages exchanged)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO) )
+            mbedtls_snprintf( buf, buflen, "SSL - Unexpected message at ServerHello in renegotiation" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - DTLS client must retry for hello verification" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) )
+            mbedtls_snprintf( buf, buflen, "SSL - A buffer is too small to receive or write a message" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) )
+            mbedtls_snprintf( buf, buflen, "SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_WANT_READ) )
+            mbedtls_snprintf( buf, buflen, "SSL - Connection requires a read call" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_WANT_WRITE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Connection requires a write call" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_TIMEOUT) )
+            mbedtls_snprintf( buf, buflen, "SSL - The operation timed out" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT) )
+            mbedtls_snprintf( buf, buflen, "SSL - The client initiated a reconnect from the same port" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) )
+            mbedtls_snprintf( buf, buflen, "SSL - Record header looks valid but is not expected" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NON_FATAL) )
+            mbedtls_snprintf( buf, buflen, "SSL - The alert message received indicates a non-fatal error" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH) )
+            mbedtls_snprintf( buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_CONFIG) )
+            mbedtls_snprintf( buf, buflen, "SSL - Invalid value in SSL config" );
+#endif /* MBEDTLS_SSL_TLS_C */
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+        if( use_ret == -(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "X509 - Unavailable feature, e.g. RSA hashing/encryption combination" );
+        if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_OID) )
+            mbedtls_snprintf( buf, buflen, "X509 - Requested OID is unknown" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_VERSION) )
+            mbedtls_snprintf( buf, buflen, "X509 - The CRT/CRL/CSR version element is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_SERIAL) )
+            mbedtls_snprintf( buf, buflen, "X509 - The serial tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_ALG) )
+            mbedtls_snprintf( buf, buflen, "X509 - The algorithm tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_NAME) )
+            mbedtls_snprintf( buf, buflen, "X509 - The name tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_DATE) )
+            mbedtls_snprintf( buf, buflen, "X509 - The date tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_SIGNATURE) )
+            mbedtls_snprintf( buf, buflen, "X509 - The signature tag or value invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_EXTENSIONS) )
+            mbedtls_snprintf( buf, buflen, "X509 - The extension tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_VERSION) )
+            mbedtls_snprintf( buf, buflen, "X509 - CRT/CRL/CSR has an unsupported version number" );
+        if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG) )
+            mbedtls_snprintf( buf, buflen, "X509 - Signature algorithm (oid) is unsupported" );
+        if( use_ret == -(MBEDTLS_ERR_X509_SIG_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::mbedtls_x509_crt sig_oid)" );
+        if( use_ret == -(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) )
+            mbedtls_snprintf( buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
+        if( use_ret == -(MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "X509 - Format not recognized as DER or PEM" );
+        if( use_ret == -(MBEDTLS_ERR_X509_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "X509 - Input invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "X509 - Allocation of memory failed" );
+        if( use_ret == -(MBEDTLS_ERR_X509_FILE_IO_ERROR) )
+            mbedtls_snprintf( buf, buflen, "X509 - Read/write of file failed" );
+        if( use_ret == -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL) )
+            mbedtls_snprintf( buf, buflen, "X509 - Destination buffer is too small" );
+        if( use_ret == -(MBEDTLS_ERR_X509_FATAL_ERROR) )
+            mbedtls_snprintf( buf, buflen, "X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed" );
+#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
+        // END generated code
+
+        if( strlen( buf ) == 0 )
+            mbedtls_snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret );
+    }
+
+    use_ret = ret & ~0xFF80;
+
+    if( use_ret == 0 )
+        return;
+
+    // If high level code is present, make a concatenation between both
+    // error strings.
+    //
+    len = strlen( buf );
+
+    if( len > 0 )
+    {
+        if( buflen - len < 5 )
+            return;
+
+        mbedtls_snprintf( buf + len, buflen - len, " : " );
+
+        buf += len + 3;
+        buflen -= len + 3;
+    }
+
+    // Low level error codes
+    //
+    // BEGIN generated code
+#if defined(MBEDTLS_AES_C)
+    if( use_ret == -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "AES - Invalid key length" );
+    if( use_ret == -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "AES - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "AES - Feature not available. For example, an unsupported AES key size" );
+    if( use_ret == -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "AES - AES hardware accelerator failed" );
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+    if( use_ret == -(MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "ARC4 - ARC4 hardware accelerator failed" );
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+    if( use_ret == -(MBEDTLS_ERR_ASN1_OUT_OF_DATA) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Out of data when parsing an ASN1 data structure" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - ASN1 tag was of an unexpected value" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_INVALID_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Error when trying to determine the length or invalid length" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_LENGTH_MISMATCH) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Actual length differs from expected length" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_INVALID_DATA) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Data is invalid. (not used)" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_ALLOC_FAILED) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Memory allocation failed" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_BUF_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Buffer too small when writing ASN.1 data structure" );
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#if defined(MBEDTLS_BASE64_C)
+    if( use_ret == -(MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "BASE64 - Output buffer too small" );
+    if( use_ret == -(MBEDTLS_ERR_BASE64_INVALID_CHARACTER) )
+        mbedtls_snprintf( buf, buflen, "BASE64 - Invalid character in input" );
+#endif /* MBEDTLS_BASE64_C */
+
+#if defined(MBEDTLS_BIGNUM_C)
+    if( use_ret == -(MBEDTLS_ERR_MPI_FILE_IO_ERROR) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - An error occurred while reading from or writing to a file" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - Bad input parameters to function" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_INVALID_CHARACTER) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - There is an invalid character in the digit string" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - The buffer is too small to write to" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_NEGATIVE_VALUE) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - The input arguments are negative or result in illegal output" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_DIVISION_BY_ZERO) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - The input argument for division is zero, which is not allowed" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - The input arguments are not acceptable" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_ALLOC_FAILED) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - Memory allocation failed" );
+#endif /* MBEDTLS_BIGNUM_C */
+
+#if defined(MBEDTLS_BLOWFISH_C)
+    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "BLOWFISH - Invalid key length" );
+    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "BLOWFISH - Blowfish hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "BLOWFISH - Invalid data input length" );
+#endif /* MBEDTLS_BLOWFISH_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+    if( use_ret == -(MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "CAMELLIA - Invalid key length" );
+    if( use_ret == -(MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "CAMELLIA - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CAMELLIA - Camellia hardware accelerator failed" );
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_CCM_C)
+    if( use_ret == -(MBEDTLS_ERR_CCM_BAD_INPUT) )
+        mbedtls_snprintf( buf, buflen, "CCM - Bad input parameters to the function" );
+    if( use_ret == -(MBEDTLS_ERR_CCM_AUTH_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CCM - Authenticated decryption failed" );
+    if( use_ret == -(MBEDTLS_ERR_CCM_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CCM - CCM hardware accelerator failed" );
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_CMAC_C)
+    if( use_ret == -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CMAC - CMAC hardware accelerator failed" );
+#endif /* MBEDTLS_CMAC_C */
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+    if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CTR_DRBG - The entropy source failed" );
+    if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG) )
+        mbedtls_snprintf( buf, buflen, "CTR_DRBG - The requested random buffer length is too big" );
+    if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG) )
+        mbedtls_snprintf( buf, buflen, "CTR_DRBG - The input (entropy + additional data) is too large" );
+    if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR) )
+        mbedtls_snprintf( buf, buflen, "CTR_DRBG - Read or write error in file" );
+#endif /* MBEDTLS_CTR_DRBG_C */
+
+#if defined(MBEDTLS_DES_C)
+    if( use_ret == -(MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "DES - The data input has an invalid length" );
+    if( use_ret == -(MBEDTLS_ERR_DES_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "DES - DES hardware accelerator failed" );
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ENTROPY_C)
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_SOURCE_FAILED) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - Critical entropy source failure" );
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_MAX_SOURCES) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - No more sources can be added" );
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - No sources have been added to poll" );
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - No strong sources have been added to poll" );
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - Read/write error in file" );
+#endif /* MBEDTLS_ENTROPY_C */
+
+#if defined(MBEDTLS_GCM_C)
+    if( use_ret == -(MBEDTLS_ERR_GCM_AUTH_FAILED) )
+        mbedtls_snprintf( buf, buflen, "GCM - Authenticated decryption failed" );
+    if( use_ret == -(MBEDTLS_ERR_GCM_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "GCM - GCM hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_GCM_BAD_INPUT) )
+        mbedtls_snprintf( buf, buflen, "GCM - Bad input parameters to function" );
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+    if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG) )
+        mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Too many random requested in single call" );
+    if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG) )
+        mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Input too large (Entropy + additional)" );
+    if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR) )
+        mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Read/write error in file" );
+    if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED) )
+        mbedtls_snprintf( buf, buflen, "HMAC_DRBG - The entropy source failed" );
+#endif /* MBEDTLS_HMAC_DRBG_C */
+
+#if defined(MBEDTLS_MD2_C)
+    if( use_ret == -(MBEDTLS_ERR_MD2_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "MD2 - MD2 hardware accelerator failed" );
+#endif /* MBEDTLS_MD2_C */
+
+#if defined(MBEDTLS_MD4_C)
+    if( use_ret == -(MBEDTLS_ERR_MD4_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "MD4 - MD4 hardware accelerator failed" );
+#endif /* MBEDTLS_MD4_C */
+
+#if defined(MBEDTLS_MD5_C)
+    if( use_ret == -(MBEDTLS_ERR_MD5_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "MD5 - MD5 hardware accelerator failed" );
+#endif /* MBEDTLS_MD5_C */
+
+#if defined(MBEDTLS_NET_C)
+    if( use_ret == -(MBEDTLS_ERR_NET_SOCKET_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Failed to open a socket" );
+    if( use_ret == -(MBEDTLS_ERR_NET_CONNECT_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - The connection to the given server / port failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_BIND_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Binding of the socket failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_LISTEN_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Could not listen on the socket" );
+    if( use_ret == -(MBEDTLS_ERR_NET_ACCEPT_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Could not accept the incoming connection" );
+    if( use_ret == -(MBEDTLS_ERR_NET_RECV_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Reading information from the socket failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_SEND_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Sending information through the socket failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_CONN_RESET) )
+        mbedtls_snprintf( buf, buflen, "NET - Connection was reset by peer" );
+    if( use_ret == -(MBEDTLS_ERR_NET_UNKNOWN_HOST) )
+        mbedtls_snprintf( buf, buflen, "NET - Failed to get an IP address for the given hostname" );
+    if( use_ret == -(MBEDTLS_ERR_NET_BUFFER_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "NET - Buffer is too small to hold the data" );
+    if( use_ret == -(MBEDTLS_ERR_NET_INVALID_CONTEXT) )
+        mbedtls_snprintf( buf, buflen, "NET - The context is invalid, eg because it was free()ed" );
+#endif /* MBEDTLS_NET_C */
+
+#if defined(MBEDTLS_OID_C)
+    if( use_ret == -(MBEDTLS_ERR_OID_NOT_FOUND) )
+        mbedtls_snprintf( buf, buflen, "OID - OID is not found" );
+    if( use_ret == -(MBEDTLS_ERR_OID_BUF_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "OID - output buffer is too small" );
+#endif /* MBEDTLS_OID_C */
+
+#if defined(MBEDTLS_PADLOCK_C)
+    if( use_ret == -(MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED) )
+        mbedtls_snprintf( buf, buflen, "PADLOCK - Input data should be aligned" );
+#endif /* MBEDTLS_PADLOCK_C */
+
+#if defined(MBEDTLS_RIPEMD160_C)
+    if( use_ret == -(MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "RIPEMD160 - RIPEMD160 hardware accelerator failed" );
+#endif /* MBEDTLS_RIPEMD160_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    if( use_ret == -(MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "SHA1 - SHA-1 hardware accelerator failed" );
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    if( use_ret == -(MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "SHA256 - SHA-256 hardware accelerator failed" );
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    if( use_ret == -(MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "SHA512 - SHA-512 hardware accelerator failed" );
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_THREADING_C)
+    if( use_ret == -(MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "THREADING - The selected feature is not available" );
+    if( use_ret == -(MBEDTLS_ERR_THREADING_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "THREADING - Bad input parameters to function" );
+    if( use_ret == -(MBEDTLS_ERR_THREADING_MUTEX_ERROR) )
+        mbedtls_snprintf( buf, buflen, "THREADING - Locking / unlocking / free failed with error code" );
+#endif /* MBEDTLS_THREADING_C */
+
+#if defined(MBEDTLS_XTEA_C)
+    if( use_ret == -(MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "XTEA - The data input has an invalid length" );
+    if( use_ret == -(MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "XTEA - XTEA hardware accelerator failed" );
+#endif /* MBEDTLS_XTEA_C */
+    // END generated code
+
+    if( strlen( buf ) != 0 )
+        return;
+
+    mbedtls_snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret );
+}
+
+#else /* MBEDTLS_ERROR_C */
+
+/*
+ * Provide an non-function in case MBEDTLS_ERROR_C is not defined
+ */
+void mbedtls_strerror( int ret, char *buf, size_t buflen )
+{
+    ((void) ret);
+
+    if( buflen > 0 )
+        buf[0] = '\0';
+}
+
+#endif /* MBEDTLS_ERROR_C */
+
+#endif /* MBEDTLS_ERROR_C || MBEDTLS_ERROR_STRERROR_DUMMY */
diff --git a/third-party/mbedtls-3.6/library/gcm.c b/third-party/mbedtls-3.6/library/gcm.c
new file mode 100644
index 00000000..a7e67063
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/gcm.c
@@ -0,0 +1,983 @@
+/*
+ *  NIST SP800-38D compliant GCM implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
+ *
+ * See also:
+ * [MGV] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
+ *
+ * We use the algorithm described as Shoup's method with 4-bit tables in
+ * [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+
+#include "mbedtls/gcm.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_AESNI_C)
+#include "mbedtls/aesni.h"
+#endif
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_GCM_ALT)
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * Initialize a context
+ */
+void mbedtls_gcm_init( mbedtls_gcm_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_gcm_context ) );
+}
+
+/*
+ * Precompute small multiples of H, that is set
+ *      HH[i] || HL[i] = H times i,
+ * where i is seen as a field element as in [MGV], ie high-order bits
+ * correspond to low powers of P. The result is stored in the same way, that
+ * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL
+ * corresponds to P^127.
+ */
+static int gcm_gen_table( mbedtls_gcm_context *ctx )
+{
+    int ret, i, j;
+    uint64_t hi, lo;
+    uint64_t vl, vh;
+    unsigned char h[16];
+    size_t olen = 0;
+
+    memset( h, 0, 16 );
+    if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, h, 16, h, &olen ) ) != 0 )
+        return( ret );
+
+    /* pack h as two 64-bits ints, big-endian */
+    GET_UINT32_BE( hi, h,  0  );
+    GET_UINT32_BE( lo, h,  4  );
+    vh = (uint64_t) hi << 32 | lo;
+
+    GET_UINT32_BE( hi, h,  8  );
+    GET_UINT32_BE( lo, h,  12 );
+    vl = (uint64_t) hi << 32 | lo;
+
+    /* 8 = 1000 corresponds to 1 in GF(2^128) */
+    ctx->HL[8] = vl;
+    ctx->HH[8] = vh;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    /* With CLMUL support, we need only h, not the rest of the table */
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) )
+        return( 0 );
+#endif
+
+    /* 0 corresponds to 0 in GF(2^128) */
+    ctx->HH[0] = 0;
+    ctx->HL[0] = 0;
+
+    for( i = 4; i > 0; i >>= 1 )
+    {
+        uint32_t T = ( vl & 1 ) * 0xe1000000U;
+        vl  = ( vh << 63 ) | ( vl >> 1 );
+        vh  = ( vh >> 1 ) ^ ( (uint64_t) T << 32);
+
+        ctx->HL[i] = vl;
+        ctx->HH[i] = vh;
+    }
+
+    for( i = 2; i <= 8; i *= 2 )
+    {
+        uint64_t *HiL = ctx->HL + i, *HiH = ctx->HH + i;
+        vh = *HiH;
+        vl = *HiL;
+        for( j = 1; j < i; j++ )
+        {
+            HiH[j] = vh ^ ctx->HH[j];
+            HiL[j] = vl ^ ctx->HL[j];
+        }
+    }
+
+    return( 0 );
+}
+
+int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
+                        mbedtls_cipher_id_t cipher,
+                        const unsigned char *key,
+                        unsigned int keybits )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+
+    if( cipher_info->block_size != 16 )
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
+                               MBEDTLS_ENCRYPT ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = gcm_gen_table( ctx ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Shoup's method for multiplication use this table with
+ *      last4[x] = x times P^128
+ * where x and last4[x] are seen as elements of GF(2^128) as in [MGV]
+ */
+static const uint64_t last4[16] =
+{
+    0x0000, 0x1c20, 0x3840, 0x2460,
+    0x7080, 0x6ca0, 0x48c0, 0x54e0,
+    0xe100, 0xfd20, 0xd940, 0xc560,
+    0x9180, 0x8da0, 0xa9c0, 0xb5e0
+};
+
+/*
+ * Sets output to x times H using the precomputed tables.
+ * x and output are seen as elements of GF(2^128) as in [MGV].
+ */
+static void gcm_mult( mbedtls_gcm_context *ctx, const unsigned char x[16],
+                      unsigned char output[16] )
+{
+    int i = 0;
+    unsigned char lo, hi, rem;
+    uint64_t zh, zl;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) ) {
+        unsigned char h[16];
+
+        PUT_UINT32_BE( ctx->HH[8] >> 32, h,  0 );
+        PUT_UINT32_BE( ctx->HH[8],       h,  4 );
+        PUT_UINT32_BE( ctx->HL[8] >> 32, h,  8 );
+        PUT_UINT32_BE( ctx->HL[8],       h, 12 );
+
+        mbedtls_aesni_gcm_mult( output, x, h );
+        return;
+    }
+#endif /* MBEDTLS_AESNI_C && MBEDTLS_HAVE_X86_64 */
+
+    lo = x[15] & 0xf;
+
+    zh = ctx->HH[lo];
+    zl = ctx->HL[lo];
+
+    for( i = 15; i >= 0; i-- )
+    {
+        lo = x[i] & 0xf;
+        hi = x[i] >> 4;
+
+        if( i != 15 )
+        {
+            rem = (unsigned char) zl & 0xf;
+            zl = ( zh << 60 ) | ( zl >> 4 );
+            zh = ( zh >> 4 );
+            zh ^= (uint64_t) last4[rem] << 48;
+            zh ^= ctx->HH[lo];
+            zl ^= ctx->HL[lo];
+
+        }
+
+        rem = (unsigned char) zl & 0xf;
+        zl = ( zh << 60 ) | ( zl >> 4 );
+        zh = ( zh >> 4 );
+        zh ^= (uint64_t) last4[rem] << 48;
+        zh ^= ctx->HH[hi];
+        zl ^= ctx->HL[hi];
+    }
+
+    PUT_UINT32_BE( zh >> 32, output, 0 );
+    PUT_UINT32_BE( zh, output, 4 );
+    PUT_UINT32_BE( zl >> 32, output, 8 );
+    PUT_UINT32_BE( zl, output, 12 );
+}
+
+int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
+                int mode,
+                const unsigned char *iv,
+                size_t iv_len,
+                const unsigned char *add,
+                size_t add_len )
+{
+    int ret;
+    unsigned char work_buf[16];
+    size_t i;
+    const unsigned char *p;
+    size_t use_len, olen = 0;
+
+    /* IV and AD are limited to 2^64 bits, so 2^61 bytes */
+    /* IV is not allowed to be zero length */
+    if( iv_len == 0 ||
+      ( (uint64_t) iv_len  ) >> 61 != 0 ||
+      ( (uint64_t) add_len ) >> 61 != 0 )
+    {
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+    }
+
+    memset( ctx->y, 0x00, sizeof(ctx->y) );
+    memset( ctx->buf, 0x00, sizeof(ctx->buf) );
+
+    ctx->mode = mode;
+    ctx->len = 0;
+    ctx->add_len = 0;
+
+    if( iv_len == 12 )
+    {
+        memcpy( ctx->y, iv, iv_len );
+        ctx->y[15] = 1;
+    }
+    else
+    {
+        memset( work_buf, 0x00, 16 );
+        PUT_UINT32_BE( iv_len * 8, work_buf, 12 );
+
+        p = iv;
+        while( iv_len > 0 )
+        {
+            use_len = ( iv_len < 16 ) ? iv_len : 16;
+
+            for( i = 0; i < use_len; i++ )
+                ctx->y[i] ^= p[i];
+
+            gcm_mult( ctx, ctx->y, ctx->y );
+
+            iv_len -= use_len;
+            p += use_len;
+        }
+
+        for( i = 0; i < 16; i++ )
+            ctx->y[i] ^= work_buf[i];
+
+        gcm_mult( ctx, ctx->y, ctx->y );
+    }
+
+    if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->base_ectr,
+                             &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    ctx->add_len = add_len;
+    p = add;
+    while( add_len > 0 )
+    {
+        use_len = ( add_len < 16 ) ? add_len : 16;
+
+        for( i = 0; i < use_len; i++ )
+            ctx->buf[i] ^= p[i];
+
+        gcm_mult( ctx, ctx->buf, ctx->buf );
+
+        add_len -= use_len;
+        p += use_len;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
+                size_t length,
+                const unsigned char *input,
+                unsigned char *output )
+{
+    int ret;
+    unsigned char ectr[16];
+    size_t i;
+    const unsigned char *p;
+    unsigned char *out_p = output;
+    size_t use_len, olen = 0;
+
+    if( output > input && (size_t) ( output - input ) < length )
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+
+    /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
+     * Also check for possible overflow */
+    if( ctx->len + length < ctx->len ||
+        (uint64_t) ctx->len + length > 0xFFFFFFFE0ull )
+    {
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+    }
+
+    ctx->len += length;
+
+    p = input;
+    while( length > 0 )
+    {
+        use_len = ( length < 16 ) ? length : 16;
+
+        for( i = 16; i > 12; i-- )
+            if( ++ctx->y[i - 1] != 0 )
+                break;
+
+        if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ectr,
+                                   &olen ) ) != 0 )
+        {
+            return( ret );
+        }
+
+        for( i = 0; i < use_len; i++ )
+        {
+            if( ctx->mode == MBEDTLS_GCM_DECRYPT )
+                ctx->buf[i] ^= p[i];
+            out_p[i] = ectr[i] ^ p[i];
+            if( ctx->mode == MBEDTLS_GCM_ENCRYPT )
+                ctx->buf[i] ^= out_p[i];
+        }
+
+        gcm_mult( ctx, ctx->buf, ctx->buf );
+
+        length -= use_len;
+        p += use_len;
+        out_p += use_len;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
+                unsigned char *tag,
+                size_t tag_len )
+{
+    unsigned char work_buf[16];
+    size_t i;
+    uint64_t orig_len = ctx->len * 8;
+    uint64_t orig_add_len = ctx->add_len * 8;
+
+    if( tag_len > 16 || tag_len < 4 )
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+
+    memcpy( tag, ctx->base_ectr, tag_len );
+
+    if( orig_len || orig_add_len )
+    {
+        memset( work_buf, 0x00, 16 );
+
+        PUT_UINT32_BE( ( orig_add_len >> 32 ), work_buf, 0  );
+        PUT_UINT32_BE( ( orig_add_len       ), work_buf, 4  );
+        PUT_UINT32_BE( ( orig_len     >> 32 ), work_buf, 8  );
+        PUT_UINT32_BE( ( orig_len           ), work_buf, 12 );
+
+        for( i = 0; i < 16; i++ )
+            ctx->buf[i] ^= work_buf[i];
+
+        gcm_mult( ctx, ctx->buf, ctx->buf );
+
+        for( i = 0; i < tag_len; i++ )
+            tag[i] ^= ctx->buf[i];
+    }
+
+    return( 0 );
+}
+
+int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
+                       int mode,
+                       size_t length,
+                       const unsigned char *iv,
+                       size_t iv_len,
+                       const unsigned char *add,
+                       size_t add_len,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t tag_len,
+                       unsigned char *tag )
+{
+    int ret;
+
+    if( ( ret = mbedtls_gcm_starts( ctx, mode, iv, iv_len, add, add_len ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_gcm_update( ctx, length, input, output ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_gcm_finish( ctx, tag, tag_len ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
+                      size_t length,
+                      const unsigned char *iv,
+                      size_t iv_len,
+                      const unsigned char *add,
+                      size_t add_len,
+                      const unsigned char *tag,
+                      size_t tag_len,
+                      const unsigned char *input,
+                      unsigned char *output )
+{
+    int ret;
+    unsigned char check_tag[16];
+    size_t i;
+    int diff;
+
+    if( ( ret = mbedtls_gcm_crypt_and_tag( ctx, MBEDTLS_GCM_DECRYPT, length,
+                                   iv, iv_len, add, add_len,
+                                   input, output, tag_len, check_tag ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* Check tag in "constant-time" */
+    for( diff = 0, i = 0; i < tag_len; i++ )
+        diff |= tag[i] ^ check_tag[i];
+
+    if( diff != 0 )
+    {
+        mbedtls_zeroize( output, length );
+        return( MBEDTLS_ERR_GCM_AUTH_FAILED );
+    }
+
+    return( 0 );
+}
+
+void mbedtls_gcm_free( mbedtls_gcm_context *ctx )
+{
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+    mbedtls_zeroize( ctx, sizeof( mbedtls_gcm_context ) );
+}
+
+#endif /* !MBEDTLS_GCM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/*
+ * AES-GCM test vectors from:
+ *
+ * http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmtestvectors.zip
+ */
+#define MAX_TESTS   6
+
+static const int key_index[MAX_TESTS] =
+    { 0, 0, 1, 1, 1, 1 };
+
+static const unsigned char key[MAX_TESTS][32] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+      0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+      0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+      0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 },
+};
+
+static const size_t iv_len[MAX_TESTS] =
+    { 12, 12, 12, 12, 8, 60 };
+
+static const int iv_index[MAX_TESTS] =
+    { 0, 0, 1, 1, 1, 2 };
+
+static const unsigned char iv[MAX_TESTS][64] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00 },
+    { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+      0xde, 0xca, 0xf8, 0x88 },
+    { 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
+      0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
+      0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
+      0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
+      0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
+      0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
+      0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
+      0xa6, 0x37, 0xb3, 0x9b },
+};
+
+static const size_t add_len[MAX_TESTS] =
+    { 0, 0, 0, 20, 20, 20 };
+
+static const int add_index[MAX_TESTS] =
+    { 0, 0, 0, 1, 1, 1 };
+
+static const unsigned char additional[MAX_TESTS][64] =
+{
+    { 0x00 },
+    { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+      0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+      0xab, 0xad, 0xda, 0xd2 },
+};
+
+static const size_t pt_len[MAX_TESTS] =
+    { 0, 16, 64, 60, 60, 60 };
+
+static const int pt_index[MAX_TESTS] =
+    { 0, 0, 1, 1, 1, 1 };
+
+static const unsigned char pt[MAX_TESTS][64] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+      0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+      0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+      0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+      0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+      0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+      0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+      0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 },
+};
+
+static const unsigned char ct[MAX_TESTS * 3][64] =
+{
+    { 0x00 },
+    { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
+      0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 },
+    { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+      0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+      0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+      0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+      0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+      0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+      0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+      0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 },
+    { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+      0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+      0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+      0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+      0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+      0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+      0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+      0x3d, 0x58, 0xe0, 0x91 },
+    { 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
+      0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
+      0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
+      0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
+      0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
+      0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
+      0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
+      0xc2, 0x3f, 0x45, 0x98 },
+    { 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
+      0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
+      0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
+      0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
+      0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
+      0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
+      0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
+      0x4c, 0x34, 0xae, 0xe5 },
+    { 0x00 },
+    { 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
+      0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00 },
+    { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+      0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+      0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+      0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+      0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+      0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+      0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+      0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56 },
+    { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+      0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+      0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+      0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+      0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+      0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+      0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+      0xcc, 0xda, 0x27, 0x10 },
+    { 0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54,
+      0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8,
+      0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f,
+      0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57,
+      0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75,
+      0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9,
+      0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f,
+      0xa0, 0xf0, 0x62, 0xf7 },
+    { 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
+      0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
+      0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
+      0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
+      0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
+      0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
+      0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
+      0xe9, 0xb7, 0x37, 0x3b },
+    { 0x00 },
+    { 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
+      0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18 },
+    { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+      0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+      0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+      0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+      0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+      0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+      0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+      0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad },
+    { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+      0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+      0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+      0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+      0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+      0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+      0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+      0xbc, 0xc9, 0xf6, 0x62 },
+    { 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32,
+      0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb,
+      0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
+      0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0,
+      0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0,
+      0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
+      0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99,
+      0xf4, 0x7c, 0x9b, 0x1f },
+    { 0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1,
+      0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20,
+      0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19,
+      0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4,
+      0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45,
+      0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde,
+      0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
+      0x44, 0xae, 0x7e, 0x3f },
+};
+
+static const unsigned char tag[MAX_TESTS * 3][16] =
+{
+    { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
+      0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a },
+    { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
+      0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf },
+    { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
+      0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 },
+    { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
+      0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47 },
+    { 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
+      0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb },
+    { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
+      0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50 },
+    { 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
+      0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35 },
+    { 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
+      0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb },
+    { 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
+      0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14 },
+    { 0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f,
+      0x37, 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c },
+    { 0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24,
+      0x09, 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8 },
+    { 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
+      0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9 },
+    { 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9,
+      0xa9, 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b },
+    { 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
+      0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19 },
+    { 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
+      0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c },
+    { 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
+      0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b },
+    { 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4,
+      0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2 },
+    { 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
+      0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a },
+};
+
+int mbedtls_gcm_self_test( int verbose )
+{
+    mbedtls_gcm_context ctx;
+    unsigned char buf[64];
+    unsigned char tag_buf[16];
+    int i, j, ret;
+    mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
+
+    for( j = 0; j < 3; j++ )
+    {
+        int key_len = 128 + 64 * j;
+
+        for( i = 0; i < MAX_TESTS; i++ )
+        {
+            mbedtls_gcm_init( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "  AES-GCM-%3d #%d (%s): ",
+                                key_len, i, "enc" );
+
+            ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]],
+                                      key_len );
+            /*
+             * AES-192 is an optional feature that may be unavailable when
+             * there is an alternative underlying implementation i.e. when
+             * MBEDTLS_AES_ALT is defined.
+             */
+            if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && key_len == 192 )
+            {
+                mbedtls_printf( "skipped\n" );
+                break;
+            }
+            else if( ret != 0 )
+            {
+                goto exit;
+            }
+
+            ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_ENCRYPT,
+                                        pt_len[i],
+                                        iv[iv_index[i]], iv_len[i],
+                                        additional[add_index[i]], add_len[i],
+                                        pt[pt_index[i]], buf, 16, tag_buf );
+            if( ret != 0 )
+                goto exit;
+
+            if ( memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 ||
+                 memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "passed\n" );
+
+            mbedtls_gcm_init( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "  AES-GCM-%3d #%d (%s): ",
+                                key_len, i, "dec" );
+
+            ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]],
+                                      key_len );
+            if( ret != 0 )
+                goto exit;
+
+            ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_DECRYPT,
+                                        pt_len[i],
+                                        iv[iv_index[i]], iv_len[i],
+                                        additional[add_index[i]], add_len[i],
+                                        ct[j * 6 + i], buf, 16, tag_buf );
+
+            if( ret != 0 )
+                goto exit;
+
+            if( memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 ||
+                memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "passed\n" );
+
+            mbedtls_gcm_init( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "  AES-GCM-%3d #%d split (%s): ",
+                                key_len, i, "enc" );
+
+            ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]],
+                                      key_len );
+            if( ret != 0 )
+                goto exit;
+
+            ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_ENCRYPT,
+                                      iv[iv_index[i]], iv_len[i],
+                                      additional[add_index[i]], add_len[i] );
+            if( ret != 0 )
+                goto exit;
+
+            if( pt_len[i] > 32 )
+            {
+                size_t rest_len = pt_len[i] - 32;
+                ret = mbedtls_gcm_update( &ctx, 32, pt[pt_index[i]], buf );
+                if( ret != 0 )
+                    goto exit;
+
+                ret = mbedtls_gcm_update( &ctx, rest_len, pt[pt_index[i]] + 32,
+                                  buf + 32 );
+                if( ret != 0 )
+                    goto exit;
+            }
+            else
+            {
+                ret = mbedtls_gcm_update( &ctx, pt_len[i], pt[pt_index[i]], buf );
+                if( ret != 0 )
+                    goto exit;
+            }
+
+            ret = mbedtls_gcm_finish( &ctx, tag_buf, 16 );
+            if( ret != 0 )
+                goto exit;
+
+            if( memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 ||
+                memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "passed\n" );
+
+            mbedtls_gcm_init( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "  AES-GCM-%3d #%d split (%s): ",
+                                key_len, i, "dec" );
+
+            ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]],
+                                      key_len );
+            if( ret != 0 )
+                goto exit;
+
+            ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_DECRYPT,
+                              iv[iv_index[i]], iv_len[i],
+                              additional[add_index[i]], add_len[i] );
+            if( ret != 0 )
+                goto exit;
+
+            if( pt_len[i] > 32 )
+            {
+                size_t rest_len = pt_len[i] - 32;
+                ret = mbedtls_gcm_update( &ctx, 32, ct[j * 6 + i], buf );
+                if( ret != 0 )
+                    goto exit;
+
+                ret = mbedtls_gcm_update( &ctx, rest_len, ct[j * 6 + i] + 32,
+                                          buf + 32 );
+                if( ret != 0 )
+                    goto exit;
+            }
+            else
+            {
+                ret = mbedtls_gcm_update( &ctx, pt_len[i], ct[j * 6 + i],
+                                          buf );
+                if( ret != 0 )
+                    goto exit;
+            }
+
+            ret = mbedtls_gcm_finish( &ctx, tag_buf, 16 );
+            if( ret != 0 )
+                goto exit;
+
+            if( memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 ||
+                memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "passed\n" );
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    ret = 0;
+
+exit:
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+        mbedtls_gcm_free( &ctx );
+    }
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_GCM_C */
diff --git a/third-party/mbedtls-3.6/library/havege.c b/third-party/mbedtls-3.6/library/havege.c
new file mode 100644
index 00000000..8d106df8
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/havege.c
@@ -0,0 +1,282 @@
+/**
+ *  \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The HAVEGE RNG was designed by Andre Seznec in 2002.
+ *
+ *  http://www.irisa.fr/caps/projects/hipsor/publi.php
+ *
+ *  Contact: seznec(at)irisa_dot_fr - orocheco(at)irisa_dot_fr
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HAVEGE_C)
+
+#include "mbedtls/havege.h"
+#include "mbedtls/timing.h"
+
+#include <limits.h>
+#include <string.h>
+
+/* If int isn't capable of storing 2^32 distinct values, the code of this
+ * module may cause a processor trap or a miscalculation. If int is more
+ * than 32 bits, the code may not calculate the intended values. */
+#if INT_MIN + 1 != -0x7fffffff
+#error "The HAVEGE module requires int to be exactly 32 bits, with INT_MIN = -2^31."
+#endif
+#if UINT_MAX != 0xffffffff
+#error "The HAVEGE module requires unsigned to be exactly 32 bits."
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/* ------------------------------------------------------------------------
+ * On average, one iteration accesses two 8-word blocks in the havege WALK
+ * table, and generates 16 words in the RES array.
+ *
+ * The data read in the WALK table is updated and permuted after each use.
+ * The result of the hardware clock counter read is used  for this update.
+ *
+ * 25 conditional tests are present.  The conditional tests are grouped in
+ * two nested  groups of 12 conditional tests and 1 test that controls the
+ * permutation; on average, there should be 6 tests executed and 3 of them
+ * should be mispredicted.
+ * ------------------------------------------------------------------------
+ */
+
+#define SWAP(X,Y) { unsigned *T = (X); (X) = (Y); (Y) = T; }
+
+#define TST1_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
+#define TST2_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
+
+#define TST1_LEAVE U1++; }
+#define TST2_LEAVE U2++; }
+
+#define ONE_ITERATION                                   \
+                                                        \
+    PTEST = PT1 >> 20;                                  \
+                                                        \
+    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
+    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
+    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
+                                                        \
+    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
+    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
+    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
+                                                        \
+    PTX = (PT1 >> 18) & 7;                              \
+    PT1 &= 0x1FFF;                                      \
+    PT2 &= 0x1FFF;                                      \
+    CLK = (unsigned) mbedtls_timing_hardclock();        \
+                                                        \
+    i = 0;                                              \
+    A = &WALK[PT1    ]; RES[i++] ^= *A;                 \
+    B = &WALK[PT2    ]; RES[i++] ^= *B;                 \
+    C = &WALK[PT1 ^ 1]; RES[i++] ^= *C;                 \
+    D = &WALK[PT2 ^ 4]; RES[i++] ^= *D;                 \
+                                                        \
+    IN = (*A >> (1)) ^ (*A << (31)) ^ CLK;              \
+    *A = (*B >> (2)) ^ (*B << (30)) ^ CLK;              \
+    *B = IN ^ U1;                                       \
+    *C = (*C >> (3)) ^ (*C << (29)) ^ CLK;              \
+    *D = (*D >> (4)) ^ (*D << (28)) ^ CLK;              \
+                                                        \
+    A = &WALK[PT1 ^ 2]; RES[i++] ^= *A;                 \
+    B = &WALK[PT2 ^ 2]; RES[i++] ^= *B;                 \
+    C = &WALK[PT1 ^ 3]; RES[i++] ^= *C;                 \
+    D = &WALK[PT2 ^ 6]; RES[i++] ^= *D;                 \
+                                                        \
+    if( PTEST & 1 ) SWAP( A, C );                       \
+                                                        \
+    IN = (*A >> (5)) ^ (*A << (27)) ^ CLK;              \
+    *A = (*B >> (6)) ^ (*B << (26)) ^ CLK;              \
+    *B = IN; CLK = (unsigned) mbedtls_timing_hardclock(); \
+    *C = (*C >> (7)) ^ (*C << (25)) ^ CLK;              \
+    *D = (*D >> (8)) ^ (*D << (24)) ^ CLK;              \
+                                                        \
+    A = &WALK[PT1 ^ 4];                                 \
+    B = &WALK[PT2 ^ 1];                                 \
+                                                        \
+    PTEST = PT2 >> 1;                                   \
+                                                        \
+    PT2 = (RES[(i - 8) ^ PTY] ^ WALK[PT2 ^ PTY ^ 7]);   \
+    PT2 = ((PT2 & 0x1FFF) & (~8)) ^ ((PT1 ^ 8) & 0x8);  \
+    PTY = (PT2 >> 10) & 7;                              \
+                                                        \
+    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
+    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
+    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
+                                                        \
+    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
+    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
+    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
+                                                        \
+    C = &WALK[PT1 ^ 5];                                 \
+    D = &WALK[PT2 ^ 5];                                 \
+                                                        \
+    RES[i++] ^= *A;                                     \
+    RES[i++] ^= *B;                                     \
+    RES[i++] ^= *C;                                     \
+    RES[i++] ^= *D;                                     \
+                                                        \
+    IN = (*A >> ( 9)) ^ (*A << (23)) ^ CLK;             \
+    *A = (*B >> (10)) ^ (*B << (22)) ^ CLK;             \
+    *B = IN ^ U2;                                       \
+    *C = (*C >> (11)) ^ (*C << (21)) ^ CLK;             \
+    *D = (*D >> (12)) ^ (*D << (20)) ^ CLK;             \
+                                                        \
+    A = &WALK[PT1 ^ 6]; RES[i++] ^= *A;                 \
+    B = &WALK[PT2 ^ 3]; RES[i++] ^= *B;                 \
+    C = &WALK[PT1 ^ 7]; RES[i++] ^= *C;                 \
+    D = &WALK[PT2 ^ 7]; RES[i++] ^= *D;                 \
+                                                        \
+    IN = (*A >> (13)) ^ (*A << (19)) ^ CLK;             \
+    *A = (*B >> (14)) ^ (*B << (18)) ^ CLK;             \
+    *B = IN;                                            \
+    *C = (*C >> (15)) ^ (*C << (17)) ^ CLK;             \
+    *D = (*D >> (16)) ^ (*D << (16)) ^ CLK;             \
+                                                        \
+    PT1 = ( RES[( i - 8 ) ^ PTX] ^                      \
+            WALK[PT1 ^ PTX ^ 7] ) & (~1);               \
+    PT1 ^= (PT2 ^ 0x10) & 0x10;                         \
+                                                        \
+    for( n++, i = 0; i < 16; i++ )                      \
+        POOL[n % MBEDTLS_HAVEGE_COLLECT_SIZE] ^= RES[i];
+
+/*
+ * Entropy gathering function
+ */
+static void havege_fill( mbedtls_havege_state *hs )
+{
+    unsigned i, n = 0;
+    unsigned  U1,  U2, *A, *B, *C, *D;
+    unsigned PT1, PT2, *WALK, *POOL, RES[16];
+    unsigned PTX, PTY, CLK, PTEST, IN;
+
+    WALK = (unsigned *) hs->WALK;
+    POOL = (unsigned *) hs->pool;
+    PT1  = hs->PT1;
+    PT2  = hs->PT2;
+
+    PTX  = U1 = 0;
+    PTY  = U2 = 0;
+
+    (void)PTX;
+
+    memset( RES, 0, sizeof( RES ) );
+
+    while( n < MBEDTLS_HAVEGE_COLLECT_SIZE * 4 )
+    {
+        ONE_ITERATION
+        ONE_ITERATION
+        ONE_ITERATION
+        ONE_ITERATION
+    }
+
+    hs->PT1 = PT1;
+    hs->PT2 = PT2;
+
+    hs->offset[0] = 0;
+    hs->offset[1] = MBEDTLS_HAVEGE_COLLECT_SIZE / 2;
+}
+
+/*
+ * HAVEGE initialization
+ */
+void mbedtls_havege_init( mbedtls_havege_state *hs )
+{
+    memset( hs, 0, sizeof( mbedtls_havege_state ) );
+
+    havege_fill( hs );
+}
+
+void mbedtls_havege_free( mbedtls_havege_state *hs )
+{
+    if( hs == NULL )
+        return;
+
+    mbedtls_zeroize( hs, sizeof( mbedtls_havege_state ) );
+}
+
+/*
+ * HAVEGE rand function
+ */
+int mbedtls_havege_random( void *p_rng, unsigned char *buf, size_t len )
+{
+    int val;
+    size_t use_len;
+    mbedtls_havege_state *hs = (mbedtls_havege_state *) p_rng;
+    unsigned char *p = buf;
+
+    while( len > 0 )
+    {
+        use_len = len;
+        if( use_len > sizeof(int) )
+            use_len = sizeof(int);
+
+        if( hs->offset[1] >= MBEDTLS_HAVEGE_COLLECT_SIZE )
+            havege_fill( hs );
+
+        val  = hs->pool[hs->offset[0]++];
+        val ^= hs->pool[hs->offset[1]++];
+
+        memcpy( p, &val, use_len );
+
+        len -= use_len;
+        p += use_len;
+    }
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_HAVEGE_C */
diff --git a/third-party/mbedtls-3.6/library/hmac_drbg.c b/third-party/mbedtls-3.6/library/hmac_drbg.c
new file mode 100644
index 00000000..876fa574
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/hmac_drbg.c
@@ -0,0 +1,660 @@
+/*
+ *  HMAC_DRBG implementation (NIST SP 800-90)
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ *  The NIST SP 800-90A DRBGs are described in the following publication.
+ *  http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
+ *  References below are based on rev. 1 (January 2012).
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+
+#include "mbedtls/hmac_drbg.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_SELF_TEST */
+#endif /* MBEDTLS_PLATFORM_C */
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * HMAC_DRBG context initialization
+ */
+void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_hmac_drbg_context ) );
+
+    ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
+}
+
+/*
+ * HMAC_DRBG update, using optional additional data (10.1.2.2)
+ */
+int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
+                                  const unsigned char *additional,
+                                  size_t add_len )
+{
+    size_t md_len = mbedtls_md_get_size( ctx->md_ctx.md_info );
+    unsigned char rounds = ( additional != NULL && add_len != 0 ) ? 2 : 1;
+    unsigned char sep[1];
+    unsigned char K[MBEDTLS_MD_MAX_SIZE];
+    int ret;
+
+    for( sep[0] = 0; sep[0] < rounds; sep[0]++ )
+    {
+        /* Step 1 or 4 */
+        if( ( ret = mbedtls_md_hmac_reset( &ctx->md_ctx ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                            ctx->V, md_len ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                            sep, 1 ) ) != 0 )
+            goto exit;
+        if( rounds == 2 )
+        {
+            if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                                additional, add_len ) ) != 0 )
+            goto exit;
+        }
+        if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, K ) ) != 0 )
+            goto exit;
+
+        /* Step 2 or 5 */
+        if( ( ret = mbedtls_md_hmac_starts( &ctx->md_ctx, K, md_len ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                            ctx->V, md_len ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V ) ) != 0 )
+            goto exit;
+    }
+
+exit:
+    mbedtls_zeroize( K, sizeof( K ) );
+    return( ret );
+}
+
+void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
+                               const unsigned char *additional,
+                               size_t add_len )
+{
+    (void) mbedtls_hmac_drbg_update_ret( ctx, additional, add_len );
+}
+
+/*
+ * Simplified HMAC_DRBG initialisation (for use with deterministic ECDSA)
+ */
+int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
+                        const mbedtls_md_info_t * md_info,
+                        const unsigned char *data, size_t data_len )
+{
+    int ret;
+
+    if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+
+    /*
+     * Set initial working state.
+     * Use the V memory location, which is currently all 0, to initialize the
+     * MD context with an all-zero key. Then set V to its initial value.
+     */
+    if( ( ret = mbedtls_md_hmac_starts( &ctx->md_ctx, ctx->V,
+                                        mbedtls_md_get_size( md_info ) ) ) != 0 )
+        return( ret );
+    memset( ctx->V, 0x01, mbedtls_md_get_size( md_info ) );
+
+    if( ( ret = mbedtls_hmac_drbg_update_ret( ctx, data, data_len ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Internal function used both for seeding and reseeding the DRBG.
+ * Comments starting with arabic numbers refer to section 10.1.2.4
+ * of SP800-90A, while roman numbers refer to section 9.2.
+ */
+static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
+                                  const unsigned char *additional, size_t len,
+                                  int use_nonce )
+{
+    unsigned char seed[MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT];
+    size_t seedlen = 0;
+    int ret;
+
+    {
+        size_t total_entropy_len;
+
+        if( use_nonce == 0 )
+            total_entropy_len = ctx->entropy_len;
+        else
+            total_entropy_len = ctx->entropy_len * 3 / 2;
+
+        /* III. Check input length */
+        if( len > MBEDTLS_HMAC_DRBG_MAX_INPUT ||
+            total_entropy_len + len > MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT )
+        {
+            return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+        }
+    }
+
+    memset( seed, 0, MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT );
+
+    /* IV. Gather entropy_len bytes of entropy for the seed */
+    if( ( ret = ctx->f_entropy( ctx->p_entropy,
+                                seed, ctx->entropy_len ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
+    }
+    seedlen += ctx->entropy_len;
+
+    /* For initial seeding, allow adding of nonce generated
+     * from the entropy source. See Sect 8.6.7 in SP800-90A. */
+    if( use_nonce )
+    {
+        /* Note: We don't merge the two calls to f_entropy() in order
+         *       to avoid requesting too much entropy from f_entropy()
+         *       at once. Specifically, if the underlying digest is not
+         *       SHA-1, 3 / 2 * entropy_len is at least 36 Bytes, which
+         *       is larger than the maximum of 32 Bytes that our own
+         *       entropy source implementation can emit in a single
+         *       call in configurations disabling SHA-512. */
+        if( ( ret = ctx->f_entropy( ctx->p_entropy,
+                                    seed + seedlen,
+                                    ctx->entropy_len / 2 ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
+        }
+
+        seedlen += ctx->entropy_len / 2;
+    }
+
+
+    /* 1. Concatenate entropy and additional data if any */
+    if( additional != NULL && len != 0 )
+    {
+        memcpy( seed + seedlen, additional, len );
+        seedlen += len;
+    }
+
+    /* 2. Update state */
+    if( ( ret = mbedtls_hmac_drbg_update_ret( ctx, seed, seedlen ) ) != 0 )
+        goto exit;
+
+    /* 3. Reset reseed_counter */
+    ctx->reseed_counter = 1;
+
+exit:
+    /* 4. Done */
+    mbedtls_zeroize( seed, seedlen );
+    return( ret );
+}
+
+/*
+ * HMAC_DRBG reseeding: 10.1.2.4 + 9.2
+ */
+int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
+                      const unsigned char *additional, size_t len )
+{
+    return( hmac_drbg_reseed_core( ctx, additional, len, 0 ) );
+}
+
+/*
+ * HMAC_DRBG initialisation (10.1.2.3 + 9.1)
+ *
+ * The nonce is not passed as a separate parameter but extracted
+ * from the entropy source as suggested in 8.6.7.
+ */
+int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
+                    const mbedtls_md_info_t * md_info,
+                    int (*f_entropy)(void *, unsigned char *, size_t),
+                    void *p_entropy,
+                    const unsigned char *custom,
+                    size_t len )
+{
+    int ret;
+    size_t md_size;
+
+    if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    /* The mutex is initialized iff the md context is set up. */
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+
+    md_size = mbedtls_md_get_size( md_info );
+
+    /*
+     * Set initial working state.
+     * Use the V memory location, which is currently all 0, to initialize the
+     * MD context with an all-zero key. Then set V to its initial value.
+     */
+    if( ( ret = mbedtls_md_hmac_starts( &ctx->md_ctx, ctx->V, md_size ) ) != 0 )
+        return( ret );
+    memset( ctx->V, 0x01, md_size );
+
+    ctx->f_entropy = f_entropy;
+    ctx->p_entropy = p_entropy;
+
+    if( ctx->entropy_len == 0 )
+    {
+        /*
+         * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
+         * each hash function, then according to SP800-90A rev1 10.1 table 2,
+         * min_entropy_len (in bits) is security_strength.
+         *
+         * (This also matches the sizes used in the NIST test vectors.)
+         */
+        ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
+                           md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
+                           32;  /* better (256+) -> 256 bits */
+    }
+
+    if( ( ret = hmac_drbg_reseed_core( ctx, custom, len,
+                                       1 /* add nonce */ ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Set prediction resistance
+ */
+void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx,
+                                          int resistance )
+{
+    ctx->prediction_resistance = resistance;
+}
+
+/*
+ * Set entropy length grabbed for seeding
+ */
+void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, size_t len )
+{
+    ctx->entropy_len = len;
+}
+
+/*
+ * Set reseed interval
+ */
+void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx, int interval )
+{
+    ctx->reseed_interval = interval;
+}
+
+/*
+ * HMAC_DRBG random function with optional additional data:
+ * 10.1.2.5 (arabic) + 9.3 (Roman)
+ */
+int mbedtls_hmac_drbg_random_with_add( void *p_rng,
+                               unsigned char *output, size_t out_len,
+                               const unsigned char *additional, size_t add_len )
+{
+    int ret;
+    mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
+    size_t md_len = mbedtls_md_get_size( ctx->md_ctx.md_info );
+    size_t left = out_len;
+    unsigned char *out = output;
+
+    /* II. Check request length */
+    if( out_len > MBEDTLS_HMAC_DRBG_MAX_REQUEST )
+        return( MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG );
+
+    /* III. Check input length */
+    if( add_len > MBEDTLS_HMAC_DRBG_MAX_INPUT )
+        return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+
+    /* 1. (aka VII and IX) Check reseed counter and PR */
+    if( ctx->f_entropy != NULL && /* For no-reseeding instances */
+        ( ctx->prediction_resistance == MBEDTLS_HMAC_DRBG_PR_ON ||
+          ctx->reseed_counter > ctx->reseed_interval ) )
+    {
+        if( ( ret = mbedtls_hmac_drbg_reseed( ctx, additional, add_len ) ) != 0 )
+            return( ret );
+
+        add_len = 0; /* VII.4 */
+    }
+
+    /* 2. Use additional data if any */
+    if( additional != NULL && add_len != 0 )
+    {
+        if( ( ret = mbedtls_hmac_drbg_update_ret( ctx,
+                                                  additional, add_len ) ) != 0 )
+            goto exit;
+    }
+
+    /* 3, 4, 5. Generate bytes */
+    while( left != 0 )
+    {
+        size_t use_len = left > md_len ? md_len : left;
+
+        if( ( ret = mbedtls_md_hmac_reset( &ctx->md_ctx ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                            ctx->V, md_len ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V ) ) != 0 )
+            goto exit;
+
+        memcpy( out, ctx->V, use_len );
+        out += use_len;
+        left -= use_len;
+    }
+
+    /* 6. Update */
+    if( ( ret = mbedtls_hmac_drbg_update_ret( ctx,
+                                              additional, add_len ) ) != 0 )
+        goto exit;
+
+    /* 7. Update reseed counter */
+    ctx->reseed_counter++;
+
+exit:
+    /* 8. Done */
+    return( ret );
+}
+
+/*
+ * HMAC_DRBG random function
+ */
+int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len )
+{
+    int ret;
+    mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    ret = mbedtls_hmac_drbg_random_with_add( ctx, output, out_len, NULL, 0 );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ *  This function resets HMAC_DRBG context to the state immediately
+ *  after initial call of mbedtls_hmac_drbg_init().
+ */
+void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+#if defined(MBEDTLS_THREADING_C)
+    /* The mutex is initialized iff the md context is set up. */
+    if( ctx->md_ctx.md_info != NULL )
+        mbedtls_mutex_free( &ctx->mutex );
+#endif
+    mbedtls_md_free( &ctx->md_ctx );
+    mbedtls_zeroize( ctx, sizeof( mbedtls_hmac_drbg_context ) );
+    ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path )
+{
+    int ret;
+    FILE *f;
+    unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ];
+
+    if( ( f = fopen( path, "wb" ) ) == NULL )
+        return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
+
+    if( ( ret = mbedtls_hmac_drbg_random( ctx, buf, sizeof( buf ) ) ) != 0 )
+        goto exit;
+
+    if( fwrite( buf, 1, sizeof( buf ), f ) != sizeof( buf ) )
+    {
+        ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+        goto exit;
+    }
+
+    ret = 0;
+
+exit:
+    fclose( f );
+    mbedtls_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
+}
+
+int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path )
+{
+    int ret = 0;
+    FILE *f;
+    size_t n;
+    unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ];
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
+
+    fseek( f, 0, SEEK_END );
+    n = (size_t) ftell( f );
+    fseek( f, 0, SEEK_SET );
+
+    if( n > MBEDTLS_HMAC_DRBG_MAX_INPUT )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+    }
+
+    if( fread( buf, 1, n, f ) != n )
+        ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+    else
+        ret = mbedtls_hmac_drbg_update_ret( ctx, buf, n );
+
+    fclose( f );
+
+    mbedtls_zeroize( buf, sizeof( buf ) );
+
+    if( ret != 0 )
+        return( ret );
+
+    return( mbedtls_hmac_drbg_write_seed_file( ctx, path ) );
+}
+#endif /* MBEDTLS_FS_IO */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if !defined(MBEDTLS_SHA1_C)
+/* Dummy checkup routine */
+int mbedtls_hmac_drbg_self_test( int verbose )
+{
+    (void) verbose;
+    return( 0 );
+}
+#else
+
+#define OUTPUT_LEN  80
+
+/* From a NIST PR=true test vector */
+static const unsigned char entropy_pr[] = {
+    0xa0, 0xc9, 0xab, 0x58, 0xf1, 0xe2, 0xe5, 0xa4, 0xde, 0x3e, 0xbd, 0x4f,
+    0xf7, 0x3e, 0x9c, 0x5b, 0x64, 0xef, 0xd8, 0xca, 0x02, 0x8c, 0xf8, 0x11,
+    0x48, 0xa5, 0x84, 0xfe, 0x69, 0xab, 0x5a, 0xee, 0x42, 0xaa, 0x4d, 0x42,
+    0x17, 0x60, 0x99, 0xd4, 0x5e, 0x13, 0x97, 0xdc, 0x40, 0x4d, 0x86, 0xa3,
+    0x7b, 0xf5, 0x59, 0x54, 0x75, 0x69, 0x51, 0xe4 };
+static const unsigned char result_pr[OUTPUT_LEN] = {
+    0x9a, 0x00, 0xa2, 0xd0, 0x0e, 0xd5, 0x9b, 0xfe, 0x31, 0xec, 0xb1, 0x39,
+    0x9b, 0x60, 0x81, 0x48, 0xd1, 0x96, 0x9d, 0x25, 0x0d, 0x3c, 0x1e, 0x94,
+    0x10, 0x10, 0x98, 0x12, 0x93, 0x25, 0xca, 0xb8, 0xfc, 0xcc, 0x2d, 0x54,
+    0x73, 0x19, 0x70, 0xc0, 0x10, 0x7a, 0xa4, 0x89, 0x25, 0x19, 0x95, 0x5e,
+    0x4b, 0xc6, 0x00, 0x1d, 0x7f, 0x4e, 0x6a, 0x2b, 0xf8, 0xa3, 0x01, 0xab,
+    0x46, 0x05, 0x5c, 0x09, 0xa6, 0x71, 0x88, 0xf1, 0xa7, 0x40, 0xee, 0xf3,
+    0xe1, 0x5c, 0x02, 0x9b, 0x44, 0xaf, 0x03, 0x44 };
+
+/* From a NIST PR=false test vector */
+static const unsigned char entropy_nopr[] = {
+    0x79, 0x34, 0x9b, 0xbf, 0x7c, 0xdd, 0xa5, 0x79, 0x95, 0x57, 0x86, 0x66,
+    0x21, 0xc9, 0x13, 0x83, 0x11, 0x46, 0x73, 0x3a, 0xbf, 0x8c, 0x35, 0xc8,
+    0xc7, 0x21, 0x5b, 0x5b, 0x96, 0xc4, 0x8e, 0x9b, 0x33, 0x8c, 0x74, 0xe3,
+    0xe9, 0x9d, 0xfe, 0xdf };
+static const unsigned char result_nopr[OUTPUT_LEN] = {
+    0xc6, 0xa1, 0x6a, 0xb8, 0xd4, 0x20, 0x70, 0x6f, 0x0f, 0x34, 0xab, 0x7f,
+    0xec, 0x5a, 0xdc, 0xa9, 0xd8, 0xca, 0x3a, 0x13, 0x3e, 0x15, 0x9c, 0xa6,
+    0xac, 0x43, 0xc6, 0xf8, 0xa2, 0xbe, 0x22, 0x83, 0x4a, 0x4c, 0x0a, 0x0a,
+    0xff, 0xb1, 0x0d, 0x71, 0x94, 0xf1, 0xc1, 0xa5, 0xcf, 0x73, 0x22, 0xec,
+    0x1a, 0xe0, 0x96, 0x4e, 0xd4, 0xbf, 0x12, 0x27, 0x46, 0xe0, 0x87, 0xfd,
+    0xb5, 0xb3, 0xe9, 0x1b, 0x34, 0x93, 0xd5, 0xbb, 0x98, 0xfa, 0xed, 0x49,
+    0xe8, 0x5f, 0x13, 0x0f, 0xc8, 0xa4, 0x59, 0xb7 };
+
+/* "Entropy" from buffer */
+static size_t test_offset;
+static int hmac_drbg_self_test_entropy( void *data,
+                                        unsigned char *buf, size_t len )
+{
+    const unsigned char *p = data;
+    memcpy( buf, p + test_offset, len );
+    test_offset += len;
+    return( 0 );
+}
+
+#define CHK( c )    if( (c) != 0 )                          \
+                    {                                       \
+                        if( verbose != 0 )                  \
+                            mbedtls_printf( "failed\n" );  \
+                        return( 1 );                        \
+                    }
+
+/*
+ * Checkup routine for HMAC_DRBG with SHA-1
+ */
+int mbedtls_hmac_drbg_self_test( int verbose )
+{
+    mbedtls_hmac_drbg_context ctx;
+    unsigned char buf[OUTPUT_LEN];
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 );
+
+    mbedtls_hmac_drbg_init( &ctx );
+
+    /*
+     * PR = True
+     */
+    if( verbose != 0 )
+        mbedtls_printf( "  HMAC_DRBG (PR = True) : " );
+
+    test_offset = 0;
+    CHK( mbedtls_hmac_drbg_seed( &ctx, md_info,
+                         hmac_drbg_self_test_entropy, (void *) entropy_pr,
+                         NULL, 0 ) );
+    mbedtls_hmac_drbg_set_prediction_resistance( &ctx, MBEDTLS_HMAC_DRBG_PR_ON );
+    CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
+    CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
+    CHK( memcmp( buf, result_pr, OUTPUT_LEN ) );
+    mbedtls_hmac_drbg_free( &ctx );
+
+    mbedtls_hmac_drbg_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    /*
+     * PR = False
+     */
+    if( verbose != 0 )
+        mbedtls_printf( "  HMAC_DRBG (PR = False) : " );
+
+    mbedtls_hmac_drbg_init( &ctx );
+
+    test_offset = 0;
+    CHK( mbedtls_hmac_drbg_seed( &ctx, md_info,
+                         hmac_drbg_self_test_entropy, (void *) entropy_nopr,
+                         NULL, 0 ) );
+    CHK( mbedtls_hmac_drbg_reseed( &ctx, NULL, 0 ) );
+    CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
+    CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
+    CHK( memcmp( buf, result_nopr, OUTPUT_LEN ) );
+    mbedtls_hmac_drbg_free( &ctx );
+
+    mbedtls_hmac_drbg_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_HMAC_DRBG_C */
diff --git a/third-party/mbedtls-3.6/library/md.c b/third-party/mbedtls-3.6/library/md.c
new file mode 100644
index 00000000..ba48471c
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/md.c
@@ -0,0 +1,503 @@
+/**
+ * \file mbedtls_md.c
+ *
+ * \brief Generic message digest wrapper for mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD_C)
+
+#include "mbedtls/md.h"
+#include "mbedtls/md_internal.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * Reminder: update profiles in x509_crt.c when adding a new hash!
+ */
+static const int supported_digests[] = {
+
+#if defined(MBEDTLS_SHA512_C)
+        MBEDTLS_MD_SHA512,
+        MBEDTLS_MD_SHA384,
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+        MBEDTLS_MD_SHA256,
+        MBEDTLS_MD_SHA224,
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+        MBEDTLS_MD_SHA1,
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+        MBEDTLS_MD_RIPEMD160,
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+        MBEDTLS_MD_MD5,
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+        MBEDTLS_MD_MD4,
+#endif
+
+#if defined(MBEDTLS_MD2_C)
+        MBEDTLS_MD_MD2,
+#endif
+
+        MBEDTLS_MD_NONE
+};
+
+const int *mbedtls_md_list( void )
+{
+    return( supported_digests );
+}
+
+const mbedtls_md_info_t *mbedtls_md_info_from_string( const char *md_name )
+{
+    if( NULL == md_name )
+        return( NULL );
+
+    /* Get the appropriate digest information */
+#if defined(MBEDTLS_MD2_C)
+    if( !strcmp( "MD2", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_MD2 );
+#endif
+#if defined(MBEDTLS_MD4_C)
+    if( !strcmp( "MD4", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_MD4 );
+#endif
+#if defined(MBEDTLS_MD5_C)
+    if( !strcmp( "MD5", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_MD5 );
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+    if( !strcmp( "RIPEMD160", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_RIPEMD160 );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+    if( !strcmp( "SHA1", md_name ) || !strcmp( "SHA", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    if( !strcmp( "SHA224", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA224 );
+    if( !strcmp( "SHA256", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    if( !strcmp( "SHA384", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA384 );
+    if( !strcmp( "SHA512", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA512 );
+#endif
+    return( NULL );
+}
+
+const mbedtls_md_info_t *mbedtls_md_info_from_type( mbedtls_md_type_t md_type )
+{
+    switch( md_type )
+    {
+#if defined(MBEDTLS_MD2_C)
+        case MBEDTLS_MD_MD2:
+            return( &mbedtls_md2_info );
+#endif
+#if defined(MBEDTLS_MD4_C)
+        case MBEDTLS_MD_MD4:
+            return( &mbedtls_md4_info );
+#endif
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return( &mbedtls_md5_info );
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+        case MBEDTLS_MD_RIPEMD160:
+            return( &mbedtls_ripemd160_info );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return( &mbedtls_sha1_info );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+            return( &mbedtls_sha224_info );
+        case MBEDTLS_MD_SHA256:
+            return( &mbedtls_sha256_info );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_MD_SHA384:
+            return( &mbedtls_sha384_info );
+        case MBEDTLS_MD_SHA512:
+            return( &mbedtls_sha512_info );
+#endif
+        default:
+            return( NULL );
+    }
+}
+
+void mbedtls_md_init( mbedtls_md_context_t *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_md_context_t ) );
+}
+
+void mbedtls_md_free( mbedtls_md_context_t *ctx )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return;
+
+    if( ctx->md_ctx != NULL )
+        ctx->md_info->ctx_free_func( ctx->md_ctx );
+
+    if( ctx->hmac_ctx != NULL )
+    {
+        mbedtls_zeroize( ctx->hmac_ctx, 2 * ctx->md_info->block_size );
+        mbedtls_free( ctx->hmac_ctx );
+    }
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_md_context_t ) );
+}
+
+int mbedtls_md_clone( mbedtls_md_context_t *dst,
+                      const mbedtls_md_context_t *src )
+{
+    if( dst == NULL || dst->md_info == NULL ||
+        src == NULL || src->md_info == NULL ||
+        dst->md_info != src->md_info )
+    {
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+    }
+
+    dst->md_info->clone_func( dst->md_ctx, src->md_ctx );
+
+    return( 0 );
+}
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_md_init_ctx( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info )
+{
+    return mbedtls_md_setup( ctx, md_info, 1 );
+}
+#endif
+
+int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac )
+{
+    if( md_info == NULL || ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    if( ( ctx->md_ctx = md_info->ctx_alloc_func() ) == NULL )
+        return( MBEDTLS_ERR_MD_ALLOC_FAILED );
+
+    if( hmac != 0 )
+    {
+        ctx->hmac_ctx = mbedtls_calloc( 2, md_info->block_size );
+        if( ctx->hmac_ctx == NULL )
+        {
+            md_info->ctx_free_func( ctx->md_ctx );
+            return( MBEDTLS_ERR_MD_ALLOC_FAILED );
+        }
+    }
+
+    ctx->md_info = md_info;
+
+    return( 0 );
+}
+
+int mbedtls_md_starts( mbedtls_md_context_t *ctx )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->starts_func( ctx->md_ctx ) );
+}
+
+int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->update_func( ctx->md_ctx, input, ilen ) );
+}
+
+int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->finish_func( ctx->md_ctx, output ) );
+}
+
+int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
+            unsigned char *output )
+{
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( md_info->digest_func( input, ilen, output ) );
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path, unsigned char *output )
+{
+    int ret;
+    FILE *f;
+    size_t n;
+    mbedtls_md_context_t ctx;
+    unsigned char buf[1024];
+
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_MD_FILE_IO_ERROR );
+
+    mbedtls_md_init( &ctx );
+
+    if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
+        goto cleanup;
+
+    if( ( ret = md_info->starts_func( ctx.md_ctx ) ) != 0 )
+        goto cleanup;
+
+    while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
+        if( ( ret = md_info->update_func( ctx.md_ctx, buf, n ) ) != 0 )
+            goto cleanup;
+
+    if( ferror( f ) != 0 )
+        ret = MBEDTLS_ERR_MD_FILE_IO_ERROR;
+    else
+        ret = md_info->finish_func( ctx.md_ctx, output );
+
+cleanup:
+    mbedtls_zeroize( buf, sizeof( buf ) );
+    fclose( f );
+    mbedtls_md_free( &ctx );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key, size_t keylen )
+{
+    int ret;
+    unsigned char sum[MBEDTLS_MD_MAX_SIZE];
+    unsigned char *ipad, *opad;
+    size_t i;
+
+    if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    if( keylen > (size_t) ctx->md_info->block_size )
+    {
+        if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
+            goto cleanup;
+        if( ( ret = ctx->md_info->update_func( ctx->md_ctx, key, keylen ) ) != 0 )
+            goto cleanup;
+        if( ( ret = ctx->md_info->finish_func( ctx->md_ctx, sum ) ) != 0 )
+            goto cleanup;
+
+        keylen = ctx->md_info->size;
+        key = sum;
+    }
+
+    ipad = (unsigned char *) ctx->hmac_ctx;
+    opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
+
+    memset( ipad, 0x36, ctx->md_info->block_size );
+    memset( opad, 0x5C, ctx->md_info->block_size );
+
+    for( i = 0; i < keylen; i++ )
+    {
+        ipad[i] = (unsigned char)( ipad[i] ^ key[i] );
+        opad[i] = (unsigned char)( opad[i] ^ key[i] );
+    }
+
+    if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
+        goto cleanup;
+    if( ( ret = ctx->md_info->update_func( ctx->md_ctx, ipad,
+                                           ctx->md_info->block_size ) ) != 0 )
+        goto cleanup;
+
+cleanup:
+    mbedtls_zeroize( sum, sizeof( sum ) );
+
+    return( ret );
+}
+
+int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen )
+{
+    if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->update_func( ctx->md_ctx, input, ilen ) );
+}
+
+int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output )
+{
+    int ret;
+    unsigned char tmp[MBEDTLS_MD_MAX_SIZE];
+    unsigned char *opad;
+
+    if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
+
+    if( ( ret = ctx->md_info->finish_func( ctx->md_ctx, tmp ) ) != 0 )
+        return( ret );
+    if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
+        return( ret );
+    if( ( ret = ctx->md_info->update_func( ctx->md_ctx, opad,
+                                           ctx->md_info->block_size ) ) != 0 )
+        return( ret );
+    if( ( ret = ctx->md_info->update_func( ctx->md_ctx, tmp,
+                                           ctx->md_info->size ) ) != 0 )
+        return( ret );
+    return( ctx->md_info->finish_func( ctx->md_ctx, output ) );
+}
+
+int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx )
+{
+    int ret;
+    unsigned char *ipad;
+
+    if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    ipad = (unsigned char *) ctx->hmac_ctx;
+
+    if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
+        return( ret );
+    return( ctx->md_info->update_func( ctx->md_ctx, ipad,
+                                       ctx->md_info->block_size ) );
+}
+
+int mbedtls_md_hmac( const mbedtls_md_info_t *md_info,
+                     const unsigned char *key, size_t keylen,
+                     const unsigned char *input, size_t ilen,
+                     unsigned char *output )
+{
+    mbedtls_md_context_t ctx;
+    int ret;
+
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    mbedtls_md_init( &ctx );
+
+    if( ( ret = mbedtls_md_setup( &ctx, md_info, 1 ) ) != 0 )
+        goto cleanup;
+
+    if( ( ret = mbedtls_md_hmac_starts( &ctx, key, keylen ) ) != 0 )
+        goto cleanup;
+    if( ( ret = mbedtls_md_hmac_update( &ctx, input, ilen ) ) != 0 )
+        goto cleanup;
+    if( ( ret = mbedtls_md_hmac_finish( &ctx, output ) ) != 0 )
+        goto cleanup;
+
+cleanup:
+    mbedtls_md_free( &ctx );
+
+    return( ret );
+}
+
+int mbedtls_md_process( mbedtls_md_context_t *ctx, const unsigned char *data )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->process_func( ctx->md_ctx, data ) );
+}
+
+unsigned char mbedtls_md_get_size( const mbedtls_md_info_t *md_info )
+{
+    if( md_info == NULL )
+        return( 0 );
+
+    return md_info->size;
+}
+
+mbedtls_md_type_t mbedtls_md_get_type( const mbedtls_md_info_t *md_info )
+{
+    if( md_info == NULL )
+        return( MBEDTLS_MD_NONE );
+
+    return md_info->type;
+}
+
+const char *mbedtls_md_get_name( const mbedtls_md_info_t *md_info )
+{
+    if( md_info == NULL )
+        return( NULL );
+
+    return md_info->name;
+}
+
+#endif /* MBEDTLS_MD_C */
diff --git a/third-party/mbedtls-3.6/library/md2.c b/third-party/mbedtls-3.6/library/md2.c
new file mode 100644
index 00000000..eb4d0d03
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/md2.c
@@ -0,0 +1,395 @@
+/*
+ *  RFC 1115/1319 compliant MD2 implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The MD2 algorithm was designed by Ron Rivest in 1989.
+ *
+ *  http://www.ietf.org/rfc/rfc1115.txt
+ *  http://www.ietf.org/rfc/rfc1319.txt
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD2_C)
+
+#include "mbedtls/md2.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_MD2_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+static const unsigned char PI_SUBST[256] =
+{
+    0x29, 0x2E, 0x43, 0xC9, 0xA2, 0xD8, 0x7C, 0x01, 0x3D, 0x36,
+    0x54, 0xA1, 0xEC, 0xF0, 0x06, 0x13, 0x62, 0xA7, 0x05, 0xF3,
+    0xC0, 0xC7, 0x73, 0x8C, 0x98, 0x93, 0x2B, 0xD9, 0xBC, 0x4C,
+    0x82, 0xCA, 0x1E, 0x9B, 0x57, 0x3C, 0xFD, 0xD4, 0xE0, 0x16,
+    0x67, 0x42, 0x6F, 0x18, 0x8A, 0x17, 0xE5, 0x12, 0xBE, 0x4E,
+    0xC4, 0xD6, 0xDA, 0x9E, 0xDE, 0x49, 0xA0, 0xFB, 0xF5, 0x8E,
+    0xBB, 0x2F, 0xEE, 0x7A, 0xA9, 0x68, 0x79, 0x91, 0x15, 0xB2,
+    0x07, 0x3F, 0x94, 0xC2, 0x10, 0x89, 0x0B, 0x22, 0x5F, 0x21,
+    0x80, 0x7F, 0x5D, 0x9A, 0x5A, 0x90, 0x32, 0x27, 0x35, 0x3E,
+    0xCC, 0xE7, 0xBF, 0xF7, 0x97, 0x03, 0xFF, 0x19, 0x30, 0xB3,
+    0x48, 0xA5, 0xB5, 0xD1, 0xD7, 0x5E, 0x92, 0x2A, 0xAC, 0x56,
+    0xAA, 0xC6, 0x4F, 0xB8, 0x38, 0xD2, 0x96, 0xA4, 0x7D, 0xB6,
+    0x76, 0xFC, 0x6B, 0xE2, 0x9C, 0x74, 0x04, 0xF1, 0x45, 0x9D,
+    0x70, 0x59, 0x64, 0x71, 0x87, 0x20, 0x86, 0x5B, 0xCF, 0x65,
+    0xE6, 0x2D, 0xA8, 0x02, 0x1B, 0x60, 0x25, 0xAD, 0xAE, 0xB0,
+    0xB9, 0xF6, 0x1C, 0x46, 0x61, 0x69, 0x34, 0x40, 0x7E, 0x0F,
+    0x55, 0x47, 0xA3, 0x23, 0xDD, 0x51, 0xAF, 0x3A, 0xC3, 0x5C,
+    0xF9, 0xCE, 0xBA, 0xC5, 0xEA, 0x26, 0x2C, 0x53, 0x0D, 0x6E,
+    0x85, 0x28, 0x84, 0x09, 0xD3, 0xDF, 0xCD, 0xF4, 0x41, 0x81,
+    0x4D, 0x52, 0x6A, 0xDC, 0x37, 0xC8, 0x6C, 0xC1, 0xAB, 0xFA,
+    0x24, 0xE1, 0x7B, 0x08, 0x0C, 0xBD, 0xB1, 0x4A, 0x78, 0x88,
+    0x95, 0x8B, 0xE3, 0x63, 0xE8, 0x6D, 0xE9, 0xCB, 0xD5, 0xFE,
+    0x3B, 0x00, 0x1D, 0x39, 0xF2, 0xEF, 0xB7, 0x0E, 0x66, 0x58,
+    0xD0, 0xE4, 0xA6, 0x77, 0x72, 0xF8, 0xEB, 0x75, 0x4B, 0x0A,
+    0x31, 0x44, 0x50, 0xB4, 0x8F, 0xED, 0x1F, 0x1A, 0xDB, 0x99,
+    0x8D, 0x33, 0x9F, 0x11, 0x83, 0x14
+};
+
+void mbedtls_md2_init( mbedtls_md2_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_md2_context ) );
+}
+
+void mbedtls_md2_free( mbedtls_md2_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_md2_context ) );
+}
+
+void mbedtls_md2_clone( mbedtls_md2_context *dst,
+                        const mbedtls_md2_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * MD2 context setup
+ */
+int mbedtls_md2_starts_ret( mbedtls_md2_context *ctx )
+{
+    memset( ctx->cksum, 0, 16 );
+    memset( ctx->state, 0, 46 );
+    memset( ctx->buffer, 0, 16 );
+    ctx->left = 0;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_starts( mbedtls_md2_context *ctx )
+{
+    mbedtls_md2_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_MD2_PROCESS_ALT)
+int mbedtls_internal_md2_process( mbedtls_md2_context *ctx )
+{
+    int i, j;
+    unsigned char t = 0;
+
+    for( i = 0; i < 16; i++ )
+    {
+        ctx->state[i + 16] = ctx->buffer[i];
+        ctx->state[i + 32] =
+            (unsigned char)( ctx->buffer[i] ^ ctx->state[i]);
+    }
+
+    for( i = 0; i < 18; i++ )
+    {
+        for( j = 0; j < 48; j++ )
+        {
+            ctx->state[j] = (unsigned char)
+               ( ctx->state[j] ^ PI_SUBST[t] );
+            t  = ctx->state[j];
+        }
+
+        t = (unsigned char)( t + i );
+    }
+
+    t = ctx->cksum[15];
+
+    for( i = 0; i < 16; i++ )
+    {
+        ctx->cksum[i] = (unsigned char)
+           ( ctx->cksum[i] ^ PI_SUBST[ctx->buffer[i] ^ t] );
+        t  = ctx->cksum[i];
+    }
+
+    /* Zeroise variables to clear sensitive data from memory. */
+    mbedtls_zeroize( &t, sizeof( t ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_process( mbedtls_md2_context *ctx )
+{
+    mbedtls_internal_md2_process( ctx );
+}
+#endif
+#endif /* !MBEDTLS_MD2_PROCESS_ALT */
+
+/*
+ * MD2 process buffer
+ */
+int mbedtls_md2_update_ret( mbedtls_md2_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    int ret;
+    size_t fill;
+
+    while( ilen > 0 )
+    {
+        if( ilen > 16 - ctx->left )
+            fill = 16 - ctx->left;
+        else
+            fill = ilen;
+
+        memcpy( ctx->buffer + ctx->left, input, fill );
+
+        ctx->left += fill;
+        input += fill;
+        ilen  -= fill;
+
+        if( ctx->left == 16 )
+        {
+            ctx->left = 0;
+            if( ( ret = mbedtls_internal_md2_process( ctx ) ) != 0 )
+                return( ret );
+        }
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_update( mbedtls_md2_context *ctx,
+                         const unsigned char *input,
+                         size_t ilen )
+{
+    mbedtls_md2_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * MD2 final digest
+ */
+int mbedtls_md2_finish_ret( mbedtls_md2_context *ctx,
+                            unsigned char output[16] )
+{
+    int ret;
+    size_t i;
+    unsigned char x;
+
+    x = (unsigned char)( 16 - ctx->left );
+
+    for( i = ctx->left; i < 16; i++ )
+        ctx->buffer[i] = x;
+
+    if( ( ret = mbedtls_internal_md2_process( ctx ) ) != 0 )
+        return( ret );
+
+    memcpy( ctx->buffer, ctx->cksum, 16 );
+    if( ( ret = mbedtls_internal_md2_process( ctx ) ) != 0 )
+        return( ret );
+
+    memcpy( output, ctx->state, 16 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_finish( mbedtls_md2_context *ctx,
+                         unsigned char output[16] )
+{
+    mbedtls_md2_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_MD2_ALT */
+
+/*
+ * output = MD2( input buffer )
+ */
+int mbedtls_md2_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] )
+{
+    int ret;
+    mbedtls_md2_context ctx;
+
+    mbedtls_md2_init( &ctx );
+
+    if( ( ret = mbedtls_md2_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md2_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md2_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_md2_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2( const unsigned char *input,
+                  size_t ilen,
+                  unsigned char output[16] )
+{
+    mbedtls_md2_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * RFC 1319 test vectors
+ */
+static const unsigned char md2_test_str[7][81] =
+{
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012"
+      "345678901234567890" }
+};
+
+static const size_t md2_test_strlen[7] =
+{
+    0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md2_test_sum[7][16] =
+{
+    { 0x83, 0x50, 0xE5, 0xA3, 0xE2, 0x4C, 0x15, 0x3D,
+      0xF2, 0x27, 0x5C, 0x9F, 0x80, 0x69, 0x27, 0x73 },
+    { 0x32, 0xEC, 0x01, 0xEC, 0x4A, 0x6D, 0xAC, 0x72,
+      0xC0, 0xAB, 0x96, 0xFB, 0x34, 0xC0, 0xB5, 0xD1 },
+    { 0xDA, 0x85, 0x3B, 0x0D, 0x3F, 0x88, 0xD9, 0x9B,
+      0x30, 0x28, 0x3A, 0x69, 0xE6, 0xDE, 0xD6, 0xBB },
+    { 0xAB, 0x4F, 0x49, 0x6B, 0xFB, 0x2A, 0x53, 0x0B,
+      0x21, 0x9F, 0xF3, 0x30, 0x31, 0xFE, 0x06, 0xB0 },
+    { 0x4E, 0x8D, 0xDF, 0xF3, 0x65, 0x02, 0x92, 0xAB,
+      0x5A, 0x41, 0x08, 0xC3, 0xAA, 0x47, 0x94, 0x0B },
+    { 0xDA, 0x33, 0xDE, 0xF2, 0xA4, 0x2D, 0xF1, 0x39,
+      0x75, 0x35, 0x28, 0x46, 0xC3, 0x03, 0x38, 0xCD },
+    { 0xD5, 0x97, 0x6F, 0x79, 0xD8, 0x3D, 0x3A, 0x0D,
+      0xC9, 0x80, 0x6C, 0x3C, 0x66, 0xF3, 0xEF, 0xD8 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md2_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char md2sum[16];
+
+    for( i = 0; i < 7; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  MD2 test #%d: ", i + 1 );
+
+        ret = mbedtls_md2_ret( md2_test_str[i], md2_test_strlen[i], md2sum );
+        if( ret != 0 )
+            goto fail;
+
+        if( memcmp( md2sum, md2_test_sum[i], 16 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD2_C */
diff --git a/third-party/mbedtls-3.6/library/md4.c b/third-party/mbedtls-3.6/library/md4.c
new file mode 100644
index 00000000..160a8149
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/md4.c
@@ -0,0 +1,503 @@
+/*
+ *  RFC 1186/1320 compliant MD4 implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The MD4 algorithm was designed by Ron Rivest in 1990.
+ *
+ *  http://www.ietf.org/rfc/rfc1186.txt
+ *  http://www.ietf.org/rfc/rfc1320.txt
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+
+#include "mbedtls/md4.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_MD4_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+void mbedtls_md4_init( mbedtls_md4_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_md4_context ) );
+}
+
+void mbedtls_md4_free( mbedtls_md4_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_md4_context ) );
+}
+
+void mbedtls_md4_clone( mbedtls_md4_context *dst,
+                        const mbedtls_md4_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * MD4 context setup
+ */
+int mbedtls_md4_starts_ret( mbedtls_md4_context *ctx )
+{
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_starts( mbedtls_md4_context *ctx )
+{
+    mbedtls_md4_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_MD4_PROCESS_ALT)
+int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
+                                  const unsigned char data[64] )
+{
+    struct
+    {
+        uint32_t X[16], A, B, C, D;
+    } local;
+
+    GET_UINT32_LE( local.X[ 0], data,  0 );
+    GET_UINT32_LE( local.X[ 1], data,  4 );
+    GET_UINT32_LE( local.X[ 2], data,  8 );
+    GET_UINT32_LE( local.X[ 3], data, 12 );
+    GET_UINT32_LE( local.X[ 4], data, 16 );
+    GET_UINT32_LE( local.X[ 5], data, 20 );
+    GET_UINT32_LE( local.X[ 6], data, 24 );
+    GET_UINT32_LE( local.X[ 7], data, 28 );
+    GET_UINT32_LE( local.X[ 8], data, 32 );
+    GET_UINT32_LE( local.X[ 9], data, 36 );
+    GET_UINT32_LE( local.X[10], data, 40 );
+    GET_UINT32_LE( local.X[11], data, 44 );
+    GET_UINT32_LE( local.X[12], data, 48 );
+    GET_UINT32_LE( local.X[13], data, 52 );
+    GET_UINT32_LE( local.X[14], data, 56 );
+    GET_UINT32_LE( local.X[15], data, 60 );
+
+#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
+
+    local.A = ctx->state[0];
+    local.B = ctx->state[1];
+    local.C = ctx->state[2];
+    local.D = ctx->state[3];
+
+#define F(x, y, z) ((x & y) | ((~x) & z))
+#define P(a,b,c,d,x,s) { a += F(b,c,d) + x; a = S(a,s); }
+
+    P( local.A, local.B, local.C, local.D, local.X[ 0],  3 );
+    P( local.D, local.A, local.B, local.C, local.X[ 1],  7 );
+    P( local.C, local.D, local.A, local.B, local.X[ 2], 11 );
+    P( local.B, local.C, local.D, local.A, local.X[ 3], 19 );
+    P( local.A, local.B, local.C, local.D, local.X[ 4],  3 );
+    P( local.D, local.A, local.B, local.C, local.X[ 5],  7 );
+    P( local.C, local.D, local.A, local.B, local.X[ 6], 11 );
+    P( local.B, local.C, local.D, local.A, local.X[ 7], 19 );
+    P( local.A, local.B, local.C, local.D, local.X[ 8],  3 );
+    P( local.D, local.A, local.B, local.C, local.X[ 9],  7 );
+    P( local.C, local.D, local.A, local.B, local.X[10], 11 );
+    P( local.B, local.C, local.D, local.A, local.X[11], 19 );
+    P( local.A, local.B, local.C, local.D, local.X[12],  3 );
+    P( local.D, local.A, local.B, local.C, local.X[13],  7 );
+    P( local.C, local.D, local.A, local.B, local.X[14], 11 );
+    P( local.B, local.C, local.D, local.A, local.X[15], 19 );
+
+#undef P
+#undef F
+
+#define F(x,y,z) ((x & y) | (x & z) | (y & z))
+#define P(a,b,c,d,x,s) { a += F(b,c,d) + x + 0x5A827999; a = S(a,s); }
+
+    P( local.A, local.B, local.C, local.D, local.X[ 0],  3 );
+    P( local.D, local.A, local.B, local.C, local.X[ 4],  5 );
+    P( local.C, local.D, local.A, local.B, local.X[ 8],  9 );
+    P( local.B, local.C, local.D, local.A, local.X[12], 13 );
+    P( local.A, local.B, local.C, local.D, local.X[ 1],  3 );
+    P( local.D, local.A, local.B, local.C, local.X[ 5],  5 );
+    P( local.C, local.D, local.A, local.B, local.X[ 9],  9 );
+    P( local.B, local.C, local.D, local.A, local.X[13], 13 );
+    P( local.A, local.B, local.C, local.D, local.X[ 2],  3 );
+    P( local.D, local.A, local.B, local.C, local.X[ 6],  5 );
+    P( local.C, local.D, local.A, local.B, local.X[10],  9 );
+    P( local.B, local.C, local.D, local.A, local.X[14], 13 );
+    P( local.A, local.B, local.C, local.D, local.X[ 3],  3 );
+    P( local.D, local.A, local.B, local.C, local.X[ 7],  5 );
+    P( local.C, local.D, local.A, local.B, local.X[11],  9 );
+    P( local.B, local.C, local.D, local.A, local.X[15], 13 );
+
+#undef P
+#undef F
+
+#define F(x,y,z) (x ^ y ^ z)
+#define P(a,b,c,d,x,s) { a += F(b,c,d) + x + 0x6ED9EBA1; a = S(a,s); }
+
+    P( local.A, local.B, local.C, local.D, local.X[ 0],  3 );
+    P( local.D, local.A, local.B, local.C, local.X[ 8],  9 );
+    P( local.C, local.D, local.A, local.B, local.X[ 4], 11 );
+    P( local.B, local.C, local.D, local.A, local.X[12], 15 );
+    P( local.A, local.B, local.C, local.D, local.X[ 2],  3 );
+    P( local.D, local.A, local.B, local.C, local.X[10],  9 );
+    P( local.C, local.D, local.A, local.B, local.X[ 6], 11 );
+    P( local.B, local.C, local.D, local.A, local.X[14], 15 );
+    P( local.A, local.B, local.C, local.D, local.X[ 1],  3 );
+    P( local.D, local.A, local.B, local.C, local.X[ 9],  9 );
+    P( local.C, local.D, local.A, local.B, local.X[ 5], 11 );
+    P( local.B, local.C, local.D, local.A, local.X[13], 15 );
+    P( local.A, local.B, local.C, local.D, local.X[ 3],  3 );
+    P( local.D, local.A, local.B, local.C, local.X[11],  9 );
+    P( local.C, local.D, local.A, local.B, local.X[ 7], 11 );
+    P( local.B, local.C, local.D, local.A, local.X[15], 15 );
+
+#undef F
+#undef P
+
+    ctx->state[0] += local.A;
+    ctx->state[1] += local.B;
+    ctx->state[2] += local.C;
+    ctx->state[3] += local.D;
+
+    /* Zeroise variables to clear sensitive data from memory. */
+    mbedtls_zeroize( &local, sizeof( local ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_process( mbedtls_md4_context *ctx,
+                          const unsigned char data[64] )
+{
+    mbedtls_internal_md4_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_MD4_PROCESS_ALT */
+
+/*
+ * MD4 process buffer
+ */
+int mbedtls_md4_update_ret( mbedtls_md4_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left),
+                (void *) input, fill );
+
+        if( ( ret = mbedtls_internal_md4_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_md4_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+    {
+        memcpy( (void *) (ctx->buffer + left),
+                (void *) input, ilen );
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_update( mbedtls_md4_context *ctx,
+                         const unsigned char *input,
+                         size_t ilen )
+{
+    mbedtls_md4_update_ret( ctx, input, ilen );
+}
+#endif
+
+static const unsigned char md4_padding[64] =
+{
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * MD4 final digest
+ */
+int mbedtls_md4_finish_ret( mbedtls_md4_context *ctx,
+                            unsigned char output[16] )
+{
+    int ret;
+    uint32_t last, padn;
+    uint32_t high, low;
+    unsigned char msglen[8];
+
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_LE( low,  msglen, 0 );
+    PUT_UINT32_LE( high, msglen, 4 );
+
+    last = ctx->total[0] & 0x3F;
+    padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
+
+    ret = mbedtls_md4_update_ret( ctx, (unsigned char *)md4_padding, padn );
+    if( ret != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_md4_update_ret( ctx, msglen, 8 ) ) != 0 )
+        return( ret );
+
+
+    PUT_UINT32_LE( ctx->state[0], output,  0 );
+    PUT_UINT32_LE( ctx->state[1], output,  4 );
+    PUT_UINT32_LE( ctx->state[2], output,  8 );
+    PUT_UINT32_LE( ctx->state[3], output, 12 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_finish( mbedtls_md4_context *ctx,
+                         unsigned char output[16] )
+{
+    mbedtls_md4_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_MD4_ALT */
+
+/*
+ * output = MD4( input buffer )
+ */
+int mbedtls_md4_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] )
+{
+    int ret;
+    mbedtls_md4_context ctx;
+
+    mbedtls_md4_init( &ctx );
+
+    if( ( ret = mbedtls_md4_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md4_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md4_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_md4_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4( const unsigned char *input,
+                  size_t ilen,
+                  unsigned char output[16] )
+{
+    mbedtls_md4_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * RFC 1320 test vectors
+ */
+static const unsigned char md4_test_str[7][81] =
+{
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012"
+      "345678901234567890" }
+};
+
+static const size_t md4_test_strlen[7] =
+{
+    0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md4_test_sum[7][16] =
+{
+    { 0x31, 0xD6, 0xCF, 0xE0, 0xD1, 0x6A, 0xE9, 0x31,
+      0xB7, 0x3C, 0x59, 0xD7, 0xE0, 0xC0, 0x89, 0xC0 },
+    { 0xBD, 0xE5, 0x2C, 0xB3, 0x1D, 0xE3, 0x3E, 0x46,
+      0x24, 0x5E, 0x05, 0xFB, 0xDB, 0xD6, 0xFB, 0x24 },
+    { 0xA4, 0x48, 0x01, 0x7A, 0xAF, 0x21, 0xD8, 0x52,
+      0x5F, 0xC1, 0x0A, 0xE8, 0x7A, 0xA6, 0x72, 0x9D },
+    { 0xD9, 0x13, 0x0A, 0x81, 0x64, 0x54, 0x9F, 0xE8,
+      0x18, 0x87, 0x48, 0x06, 0xE1, 0xC7, 0x01, 0x4B },
+    { 0xD7, 0x9E, 0x1C, 0x30, 0x8A, 0xA5, 0xBB, 0xCD,
+      0xEE, 0xA8, 0xED, 0x63, 0xDF, 0x41, 0x2D, 0xA9 },
+    { 0x04, 0x3F, 0x85, 0x82, 0xF2, 0x41, 0xDB, 0x35,
+      0x1C, 0xE6, 0x27, 0xE1, 0x53, 0xE7, 0xF0, 0xE4 },
+    { 0xE3, 0x3B, 0x4D, 0xDC, 0x9C, 0x38, 0xF2, 0x19,
+      0x9C, 0x3E, 0x7B, 0x16, 0x4F, 0xCC, 0x05, 0x36 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md4_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char md4sum[16];
+
+    for( i = 0; i < 7; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  MD4 test #%d: ", i + 1 );
+
+        ret = mbedtls_md4_ret( md4_test_str[i], md4_test_strlen[i], md4sum );
+        if( ret != 0 )
+            goto fail;
+
+        if( memcmp( md4sum, md4_test_sum[i], 16 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD4_C */
diff --git a/third-party/mbedtls-3.6/library/md5.c b/third-party/mbedtls-3.6/library/md5.c
new file mode 100644
index 00000000..125406f1
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/md5.c
@@ -0,0 +1,530 @@
+/*
+ *  RFC 1321 compliant MD5 implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The MD5 algorithm was designed by Ron Rivest in 1991.
+ *
+ *  http://www.ietf.org/rfc/rfc1321.txt
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+
+#include "mbedtls/md5.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_MD5_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+void mbedtls_md5_init( mbedtls_md5_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_md5_context ) );
+}
+
+void mbedtls_md5_free( mbedtls_md5_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_md5_context ) );
+}
+
+void mbedtls_md5_clone( mbedtls_md5_context *dst,
+                        const mbedtls_md5_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * MD5 context setup
+ */
+int mbedtls_md5_starts_ret( mbedtls_md5_context *ctx )
+{
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5_starts( mbedtls_md5_context *ctx )
+{
+    mbedtls_md5_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_MD5_PROCESS_ALT)
+int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
+                                  const unsigned char data[64] )
+{
+    struct
+    {
+        uint32_t X[16], A, B, C, D;
+    } local;
+
+    GET_UINT32_LE( local.X[ 0], data,  0 );
+    GET_UINT32_LE( local.X[ 1], data,  4 );
+    GET_UINT32_LE( local.X[ 2], data,  8 );
+    GET_UINT32_LE( local.X[ 3], data, 12 );
+    GET_UINT32_LE( local.X[ 4], data, 16 );
+    GET_UINT32_LE( local.X[ 5], data, 20 );
+    GET_UINT32_LE( local.X[ 6], data, 24 );
+    GET_UINT32_LE( local.X[ 7], data, 28 );
+    GET_UINT32_LE( local.X[ 8], data, 32 );
+    GET_UINT32_LE( local.X[ 9], data, 36 );
+    GET_UINT32_LE( local.X[10], data, 40 );
+    GET_UINT32_LE( local.X[11], data, 44 );
+    GET_UINT32_LE( local.X[12], data, 48 );
+    GET_UINT32_LE( local.X[13], data, 52 );
+    GET_UINT32_LE( local.X[14], data, 56 );
+    GET_UINT32_LE( local.X[15], data, 60 );
+
+#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
+
+#define P(a,b,c,d,k,s,t)                                \
+{                                                       \
+    a += F(b,c,d) + local.X[k] + t; a = S(a,s) + b;     \
+}
+
+    local.A = ctx->state[0];
+    local.B = ctx->state[1];
+    local.C = ctx->state[2];
+    local.D = ctx->state[3];
+
+#define F(x,y,z) (z ^ (x & (y ^ z)))
+
+    P( local.A, local.B, local.C, local.D,  0,  7, 0xD76AA478 );
+    P( local.D, local.A, local.B, local.C,  1, 12, 0xE8C7B756 );
+    P( local.C, local.D, local.A, local.B,  2, 17, 0x242070DB );
+    P( local.B, local.C, local.D, local.A,  3, 22, 0xC1BDCEEE );
+    P( local.A, local.B, local.C, local.D,  4,  7, 0xF57C0FAF );
+    P( local.D, local.A, local.B, local.C,  5, 12, 0x4787C62A );
+    P( local.C, local.D, local.A, local.B,  6, 17, 0xA8304613 );
+    P( local.B, local.C, local.D, local.A,  7, 22, 0xFD469501 );
+    P( local.A, local.B, local.C, local.D,  8,  7, 0x698098D8 );
+    P( local.D, local.A, local.B, local.C,  9, 12, 0x8B44F7AF );
+    P( local.C, local.D, local.A, local.B, 10, 17, 0xFFFF5BB1 );
+    P( local.B, local.C, local.D, local.A, 11, 22, 0x895CD7BE );
+    P( local.A, local.B, local.C, local.D, 12,  7, 0x6B901122 );
+    P( local.D, local.A, local.B, local.C, 13, 12, 0xFD987193 );
+    P( local.C, local.D, local.A, local.B, 14, 17, 0xA679438E );
+    P( local.B, local.C, local.D, local.A, 15, 22, 0x49B40821 );
+
+#undef F
+
+#define F(x,y,z) (y ^ (z & (x ^ y)))
+
+    P( local.A, local.B, local.C, local.D,  1,  5, 0xF61E2562 );
+    P( local.D, local.A, local.B, local.C,  6,  9, 0xC040B340 );
+    P( local.C, local.D, local.A, local.B, 11, 14, 0x265E5A51 );
+    P( local.B, local.C, local.D, local.A,  0, 20, 0xE9B6C7AA );
+    P( local.A, local.B, local.C, local.D,  5,  5, 0xD62F105D );
+    P( local.D, local.A, local.B, local.C, 10,  9, 0x02441453 );
+    P( local.C, local.D, local.A, local.B, 15, 14, 0xD8A1E681 );
+    P( local.B, local.C, local.D, local.A,  4, 20, 0xE7D3FBC8 );
+    P( local.A, local.B, local.C, local.D,  9,  5, 0x21E1CDE6 );
+    P( local.D, local.A, local.B, local.C, 14,  9, 0xC33707D6 );
+    P( local.C, local.D, local.A, local.B,  3, 14, 0xF4D50D87 );
+    P( local.B, local.C, local.D, local.A,  8, 20, 0x455A14ED );
+    P( local.A, local.B, local.C, local.D, 13,  5, 0xA9E3E905 );
+    P( local.D, local.A, local.B, local.C,  2,  9, 0xFCEFA3F8 );
+    P( local.C, local.D, local.A, local.B,  7, 14, 0x676F02D9 );
+    P( local.B, local.C, local.D, local.A, 12, 20, 0x8D2A4C8A );
+
+#undef F
+
+#define F(x,y,z) (x ^ y ^ z)
+
+    P( local.A, local.B, local.C, local.D,  5,  4, 0xFFFA3942 );
+    P( local.D, local.A, local.B, local.C,  8, 11, 0x8771F681 );
+    P( local.C, local.D, local.A, local.B, 11, 16, 0x6D9D6122 );
+    P( local.B, local.C, local.D, local.A, 14, 23, 0xFDE5380C );
+    P( local.A, local.B, local.C, local.D,  1,  4, 0xA4BEEA44 );
+    P( local.D, local.A, local.B, local.C,  4, 11, 0x4BDECFA9 );
+    P( local.C, local.D, local.A, local.B,  7, 16, 0xF6BB4B60 );
+    P( local.B, local.C, local.D, local.A, 10, 23, 0xBEBFBC70 );
+    P( local.A, local.B, local.C, local.D, 13,  4, 0x289B7EC6 );
+    P( local.D, local.A, local.B, local.C,  0, 11, 0xEAA127FA );
+    P( local.C, local.D, local.A, local.B,  3, 16, 0xD4EF3085 );
+    P( local.B, local.C, local.D, local.A,  6, 23, 0x04881D05 );
+    P( local.A, local.B, local.C, local.D,  9,  4, 0xD9D4D039 );
+    P( local.D, local.A, local.B, local.C, 12, 11, 0xE6DB99E5 );
+    P( local.C, local.D, local.A, local.B, 15, 16, 0x1FA27CF8 );
+    P( local.B, local.C, local.D, local.A,  2, 23, 0xC4AC5665 );
+
+#undef F
+
+#define F(x,y,z) (y ^ (x | ~z))
+
+    P( local.A, local.B, local.C, local.D,  0,  6, 0xF4292244 );
+    P( local.D, local.A, local.B, local.C,  7, 10, 0x432AFF97 );
+    P( local.C, local.D, local.A, local.B, 14, 15, 0xAB9423A7 );
+    P( local.B, local.C, local.D, local.A,  5, 21, 0xFC93A039 );
+    P( local.A, local.B, local.C, local.D, 12,  6, 0x655B59C3 );
+    P( local.D, local.A, local.B, local.C,  3, 10, 0x8F0CCC92 );
+    P( local.C, local.D, local.A, local.B, 10, 15, 0xFFEFF47D );
+    P( local.B, local.C, local.D, local.A,  1, 21, 0x85845DD1 );
+    P( local.A, local.B, local.C, local.D,  8,  6, 0x6FA87E4F );
+    P( local.D, local.A, local.B, local.C, 15, 10, 0xFE2CE6E0 );
+    P( local.C, local.D, local.A, local.B,  6, 15, 0xA3014314 );
+    P( local.B, local.C, local.D, local.A, 13, 21, 0x4E0811A1 );
+    P( local.A, local.B, local.C, local.D,  4,  6, 0xF7537E82 );
+    P( local.D, local.A, local.B, local.C, 11, 10, 0xBD3AF235 );
+    P( local.C, local.D, local.A, local.B,  2, 15, 0x2AD7D2BB );
+    P( local.B, local.C, local.D, local.A,  9, 21, 0xEB86D391 );
+
+#undef F
+
+    ctx->state[0] += local.A;
+    ctx->state[1] += local.B;
+    ctx->state[2] += local.C;
+    ctx->state[3] += local.D;
+
+    /* Zeroise variables to clear sensitive data from memory. */
+    mbedtls_zeroize( &local, sizeof( local ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5_process( mbedtls_md5_context *ctx,
+                          const unsigned char data[64] )
+{
+    mbedtls_internal_md5_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_MD5_PROCESS_ALT */
+
+/*
+ * MD5 process buffer
+ */
+int mbedtls_md5_update_ret( mbedtls_md5_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+        if( ( ret = mbedtls_internal_md5_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_md5_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5_update( mbedtls_md5_context *ctx,
+                         const unsigned char *input,
+                         size_t ilen )
+{
+    mbedtls_md5_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * MD5 final digest
+ */
+int mbedtls_md5_finish_ret( mbedtls_md5_context *ctx,
+                            unsigned char output[16] )
+{
+    int ret;
+    uint32_t used;
+    uint32_t high, low;
+
+    /*
+     * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+     */
+    used = ctx->total[0] & 0x3F;
+
+    ctx->buffer[used++] = 0x80;
+
+    if( used <= 56 )
+    {
+        /* Enough room for padding + length in current block */
+        memset( ctx->buffer + used, 0, 56 - used );
+    }
+    else
+    {
+        /* We'll need an extra block */
+        memset( ctx->buffer + used, 0, 64 - used );
+
+        if( ( ret = mbedtls_internal_md5_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        memset( ctx->buffer, 0, 56 );
+    }
+
+    /*
+     * Add message length
+     */
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_LE( low,  ctx->buffer, 56 );
+    PUT_UINT32_LE( high, ctx->buffer, 60 );
+
+    if( ( ret = mbedtls_internal_md5_process( ctx, ctx->buffer ) ) != 0 )
+        return( ret );
+
+    /*
+     * Output final state
+     */
+    PUT_UINT32_LE( ctx->state[0], output,  0 );
+    PUT_UINT32_LE( ctx->state[1], output,  4 );
+    PUT_UINT32_LE( ctx->state[2], output,  8 );
+    PUT_UINT32_LE( ctx->state[3], output, 12 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5_finish( mbedtls_md5_context *ctx,
+                         unsigned char output[16] )
+{
+    mbedtls_md5_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_MD5_ALT */
+
+/*
+ * output = MD5( input buffer )
+ */
+int mbedtls_md5_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] )
+{
+    int ret;
+    mbedtls_md5_context ctx;
+
+    mbedtls_md5_init( &ctx );
+
+    if( ( ret = mbedtls_md5_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md5_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md5_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_md5_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5( const unsigned char *input,
+                  size_t ilen,
+                  unsigned char output[16] )
+{
+    mbedtls_md5_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * RFC 1321 test vectors
+ */
+static const unsigned char md5_test_buf[7][81] =
+{
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012"
+      "345678901234567890" }
+};
+
+static const size_t md5_test_buflen[7] =
+{
+    0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md5_test_sum[7][16] =
+{
+    { 0xD4, 0x1D, 0x8C, 0xD9, 0x8F, 0x00, 0xB2, 0x04,
+      0xE9, 0x80, 0x09, 0x98, 0xEC, 0xF8, 0x42, 0x7E },
+    { 0x0C, 0xC1, 0x75, 0xB9, 0xC0, 0xF1, 0xB6, 0xA8,
+      0x31, 0xC3, 0x99, 0xE2, 0x69, 0x77, 0x26, 0x61 },
+    { 0x90, 0x01, 0x50, 0x98, 0x3C, 0xD2, 0x4F, 0xB0,
+      0xD6, 0x96, 0x3F, 0x7D, 0x28, 0xE1, 0x7F, 0x72 },
+    { 0xF9, 0x6B, 0x69, 0x7D, 0x7C, 0xB7, 0x93, 0x8D,
+      0x52, 0x5A, 0x2F, 0x31, 0xAA, 0xF1, 0x61, 0xD0 },
+    { 0xC3, 0xFC, 0xD3, 0xD7, 0x61, 0x92, 0xE4, 0x00,
+      0x7D, 0xFB, 0x49, 0x6C, 0xCA, 0x67, 0xE1, 0x3B },
+    { 0xD1, 0x74, 0xAB, 0x98, 0xD2, 0x77, 0xD9, 0xF5,
+      0xA5, 0x61, 0x1C, 0x2C, 0x9F, 0x41, 0x9D, 0x9F },
+    { 0x57, 0xED, 0xF4, 0xA2, 0x2B, 0xE3, 0xC9, 0x55,
+      0xAC, 0x49, 0xDA, 0x2E, 0x21, 0x07, 0xB6, 0x7A }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md5_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char md5sum[16];
+
+    for( i = 0; i < 7; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  MD5 test #%d: ", i + 1 );
+
+        ret = mbedtls_md5_ret( md5_test_buf[i], md5_test_buflen[i], md5sum );
+        if( ret != 0 )
+            goto fail;
+
+        if( memcmp( md5sum, md5_test_sum[i], 16 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD5_C */
diff --git a/third-party/mbedtls-3.6/library/md_wrap.c b/third-party/mbedtls-3.6/library/md_wrap.c
new file mode 100644
index 00000000..7459db2f
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/md_wrap.c
@@ -0,0 +1,611 @@
+/**
+ * \file md_wrap.c
+ *
+ * \brief Generic message digest wrapper for mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD_C)
+
+#include "mbedtls/md_internal.h"
+
+#if defined(MBEDTLS_MD2_C)
+#include "mbedtls/md2.h"
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+#include "mbedtls/md4.h"
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+#include "mbedtls/md5.h"
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+#include "mbedtls/ripemd160.h"
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#include "mbedtls/sha1.h"
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#include "mbedtls/sha256.h"
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#include "mbedtls/sha512.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if defined(MBEDTLS_MD2_C)
+
+static int md2_starts_wrap( void *ctx )
+{
+    return( mbedtls_md2_starts_ret( (mbedtls_md2_context *) ctx ) );
+}
+
+static int md2_update_wrap( void *ctx, const unsigned char *input,
+                             size_t ilen )
+{
+    return( mbedtls_md2_update_ret( (mbedtls_md2_context *) ctx, input, ilen ) );
+}
+
+static int md2_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_md2_finish_ret( (mbedtls_md2_context *) ctx, output ) );
+}
+
+static void *md2_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_md2_context ) );
+
+    if( ctx != NULL )
+        mbedtls_md2_init( (mbedtls_md2_context *) ctx );
+
+    return( ctx );
+}
+
+static void md2_ctx_free( void *ctx )
+{
+    mbedtls_md2_free( (mbedtls_md2_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void md2_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_md2_clone( (mbedtls_md2_context *) dst,
+                 (const mbedtls_md2_context *) src );
+}
+
+static int md2_process_wrap( void *ctx, const unsigned char *data )
+{
+    ((void) data);
+
+    return( mbedtls_internal_md2_process( (mbedtls_md2_context *) ctx ) );
+}
+
+const mbedtls_md_info_t mbedtls_md2_info = {
+    MBEDTLS_MD_MD2,
+    "MD2",
+    16,
+    16,
+    md2_starts_wrap,
+    md2_update_wrap,
+    md2_finish_wrap,
+    mbedtls_md2_ret,
+    md2_ctx_alloc,
+    md2_ctx_free,
+    md2_clone_wrap,
+    md2_process_wrap,
+};
+
+#endif /* MBEDTLS_MD2_C */
+
+#if defined(MBEDTLS_MD4_C)
+
+static int md4_starts_wrap( void *ctx )
+{
+    return( mbedtls_md4_starts_ret( (mbedtls_md4_context *) ctx ) );
+}
+
+static int md4_update_wrap( void *ctx, const unsigned char *input,
+                             size_t ilen )
+{
+    return( mbedtls_md4_update_ret( (mbedtls_md4_context *) ctx, input, ilen ) );
+}
+
+static int md4_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_md4_finish_ret( (mbedtls_md4_context *) ctx, output ) );
+}
+
+static void *md4_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_md4_context ) );
+
+    if( ctx != NULL )
+        mbedtls_md4_init( (mbedtls_md4_context *) ctx );
+
+    return( ctx );
+}
+
+static void md4_ctx_free( void *ctx )
+{
+    mbedtls_md4_free( (mbedtls_md4_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void md4_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_md4_clone( (mbedtls_md4_context *) dst,
+                       (const mbedtls_md4_context *) src );
+}
+
+static int md4_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_md4_process( (mbedtls_md4_context *) ctx, data ) );
+}
+
+const mbedtls_md_info_t mbedtls_md4_info = {
+    MBEDTLS_MD_MD4,
+    "MD4",
+    16,
+    64,
+    md4_starts_wrap,
+    md4_update_wrap,
+    md4_finish_wrap,
+    mbedtls_md4_ret,
+    md4_ctx_alloc,
+    md4_ctx_free,
+    md4_clone_wrap,
+    md4_process_wrap,
+};
+
+#endif /* MBEDTLS_MD4_C */
+
+#if defined(MBEDTLS_MD5_C)
+
+static int md5_starts_wrap( void *ctx )
+{
+    return( mbedtls_md5_starts_ret( (mbedtls_md5_context *) ctx ) );
+}
+
+static int md5_update_wrap( void *ctx, const unsigned char *input,
+                             size_t ilen )
+{
+    return( mbedtls_md5_update_ret( (mbedtls_md5_context *) ctx, input, ilen ) );
+}
+
+static int md5_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_md5_finish_ret( (mbedtls_md5_context *) ctx, output ) );
+}
+
+static void *md5_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_md5_context ) );
+
+    if( ctx != NULL )
+        mbedtls_md5_init( (mbedtls_md5_context *) ctx );
+
+    return( ctx );
+}
+
+static void md5_ctx_free( void *ctx )
+{
+    mbedtls_md5_free( (mbedtls_md5_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void md5_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_md5_clone( (mbedtls_md5_context *) dst,
+                       (const mbedtls_md5_context *) src );
+}
+
+static int md5_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_md5_process( (mbedtls_md5_context *) ctx, data ) );
+}
+
+const mbedtls_md_info_t mbedtls_md5_info = {
+    MBEDTLS_MD_MD5,
+    "MD5",
+    16,
+    64,
+    md5_starts_wrap,
+    md5_update_wrap,
+    md5_finish_wrap,
+    mbedtls_md5_ret,
+    md5_ctx_alloc,
+    md5_ctx_free,
+    md5_clone_wrap,
+    md5_process_wrap,
+};
+
+#endif /* MBEDTLS_MD5_C */
+
+#if defined(MBEDTLS_RIPEMD160_C)
+
+static int ripemd160_starts_wrap( void *ctx )
+{
+    return( mbedtls_ripemd160_starts_ret( (mbedtls_ripemd160_context *) ctx ) );
+}
+
+static int ripemd160_update_wrap( void *ctx, const unsigned char *input,
+                                   size_t ilen )
+{
+    return( mbedtls_ripemd160_update_ret( (mbedtls_ripemd160_context *) ctx,
+                                          input, ilen ) );
+}
+
+static int ripemd160_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_ripemd160_finish_ret( (mbedtls_ripemd160_context *) ctx,
+                                          output ) );
+}
+
+static void *ripemd160_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ripemd160_context ) );
+
+    if( ctx != NULL )
+        mbedtls_ripemd160_init( (mbedtls_ripemd160_context *) ctx );
+
+    return( ctx );
+}
+
+static void ripemd160_ctx_free( void *ctx )
+{
+    mbedtls_ripemd160_free( (mbedtls_ripemd160_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void ripemd160_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_ripemd160_clone( (mbedtls_ripemd160_context *) dst,
+                       (const mbedtls_ripemd160_context *) src );
+}
+
+static int ripemd160_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_ripemd160_process(
+                                (mbedtls_ripemd160_context *) ctx, data ) );
+}
+
+const mbedtls_md_info_t mbedtls_ripemd160_info = {
+    MBEDTLS_MD_RIPEMD160,
+    "RIPEMD160",
+    20,
+    64,
+    ripemd160_starts_wrap,
+    ripemd160_update_wrap,
+    ripemd160_finish_wrap,
+    mbedtls_ripemd160_ret,
+    ripemd160_ctx_alloc,
+    ripemd160_ctx_free,
+    ripemd160_clone_wrap,
+    ripemd160_process_wrap,
+};
+
+#endif /* MBEDTLS_RIPEMD160_C */
+
+#if defined(MBEDTLS_SHA1_C)
+
+static int sha1_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha1_starts_ret( (mbedtls_sha1_context *) ctx ) );
+}
+
+static int sha1_update_wrap( void *ctx, const unsigned char *input,
+                              size_t ilen )
+{
+    return( mbedtls_sha1_update_ret( (mbedtls_sha1_context *) ctx,
+                                     input, ilen ) );
+}
+
+static int sha1_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_sha1_finish_ret( (mbedtls_sha1_context *) ctx, output ) );
+}
+
+static void *sha1_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_sha1_context ) );
+
+    if( ctx != NULL )
+        mbedtls_sha1_init( (mbedtls_sha1_context *) ctx );
+
+    return( ctx );
+}
+
+static void sha1_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_sha1_clone( (mbedtls_sha1_context *) dst,
+                  (const mbedtls_sha1_context *) src );
+}
+
+static void sha1_ctx_free( void *ctx )
+{
+    mbedtls_sha1_free( (mbedtls_sha1_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static int sha1_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_sha1_process( (mbedtls_sha1_context *) ctx,
+                                           data ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha1_info = {
+    MBEDTLS_MD_SHA1,
+    "SHA1",
+    20,
+    64,
+    sha1_starts_wrap,
+    sha1_update_wrap,
+    sha1_finish_wrap,
+    mbedtls_sha1_ret,
+    sha1_ctx_alloc,
+    sha1_ctx_free,
+    sha1_clone_wrap,
+    sha1_process_wrap,
+};
+
+#endif /* MBEDTLS_SHA1_C */
+
+/*
+ * Wrappers for generic message digests
+ */
+#if defined(MBEDTLS_SHA256_C)
+
+static int sha224_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha256_starts_ret( (mbedtls_sha256_context *) ctx, 1 ) );
+}
+
+static int sha224_update_wrap( void *ctx, const unsigned char *input,
+                                size_t ilen )
+{
+    return( mbedtls_sha256_update_ret( (mbedtls_sha256_context *) ctx,
+                                       input, ilen ) );
+}
+
+static int sha224_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_sha256_finish_ret( (mbedtls_sha256_context *) ctx,
+                                       output ) );
+}
+
+static int sha224_wrap( const unsigned char *input, size_t ilen,
+                        unsigned char *output )
+{
+    return( mbedtls_sha256_ret( input, ilen, output, 1 ) );
+}
+
+static void *sha224_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_sha256_context ) );
+
+    if( ctx != NULL )
+        mbedtls_sha256_init( (mbedtls_sha256_context *) ctx );
+
+    return( ctx );
+}
+
+static void sha224_ctx_free( void *ctx )
+{
+    mbedtls_sha256_free( (mbedtls_sha256_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void sha224_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_sha256_clone( (mbedtls_sha256_context *) dst,
+                    (const mbedtls_sha256_context *) src );
+}
+
+static int sha224_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_sha256_process( (mbedtls_sha256_context *) ctx,
+                                             data ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha224_info = {
+    MBEDTLS_MD_SHA224,
+    "SHA224",
+    28,
+    64,
+    sha224_starts_wrap,
+    sha224_update_wrap,
+    sha224_finish_wrap,
+    sha224_wrap,
+    sha224_ctx_alloc,
+    sha224_ctx_free,
+    sha224_clone_wrap,
+    sha224_process_wrap,
+};
+
+static int sha256_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha256_starts_ret( (mbedtls_sha256_context *) ctx, 0 ) );
+}
+
+static int sha256_wrap( const unsigned char *input, size_t ilen,
+                        unsigned char *output )
+{
+    return( mbedtls_sha256_ret( input, ilen, output, 0 ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha256_info = {
+    MBEDTLS_MD_SHA256,
+    "SHA256",
+    32,
+    64,
+    sha256_starts_wrap,
+    sha224_update_wrap,
+    sha224_finish_wrap,
+    sha256_wrap,
+    sha224_ctx_alloc,
+    sha224_ctx_free,
+    sha224_clone_wrap,
+    sha224_process_wrap,
+};
+
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+
+static int sha384_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha512_starts_ret( (mbedtls_sha512_context *) ctx, 1 ) );
+}
+
+static int sha384_update_wrap( void *ctx, const unsigned char *input,
+                               size_t ilen )
+{
+    return( mbedtls_sha512_update_ret( (mbedtls_sha512_context *) ctx,
+                                       input, ilen ) );
+}
+
+static int sha384_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_sha512_finish_ret( (mbedtls_sha512_context *) ctx,
+                                       output ) );
+}
+
+static int sha384_wrap( const unsigned char *input, size_t ilen,
+                        unsigned char *output )
+{
+    return( mbedtls_sha512_ret( input, ilen, output, 1 ) );
+}
+
+static void *sha384_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_sha512_context ) );
+
+    if( ctx != NULL )
+        mbedtls_sha512_init( (mbedtls_sha512_context *) ctx );
+
+    return( ctx );
+}
+
+static void sha384_ctx_free( void *ctx )
+{
+    mbedtls_sha512_free( (mbedtls_sha512_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void sha384_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_sha512_clone( (mbedtls_sha512_context *) dst,
+                    (const mbedtls_sha512_context *) src );
+}
+
+static int sha384_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_sha512_process( (mbedtls_sha512_context *) ctx,
+                                             data ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha384_info = {
+    MBEDTLS_MD_SHA384,
+    "SHA384",
+    48,
+    128,
+    sha384_starts_wrap,
+    sha384_update_wrap,
+    sha384_finish_wrap,
+    sha384_wrap,
+    sha384_ctx_alloc,
+    sha384_ctx_free,
+    sha384_clone_wrap,
+    sha384_process_wrap,
+};
+
+static int sha512_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha512_starts_ret( (mbedtls_sha512_context *) ctx, 0 ) );
+}
+
+static int sha512_wrap( const unsigned char *input, size_t ilen,
+                        unsigned char *output )
+{
+    return( mbedtls_sha512_ret( input, ilen, output, 0 ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha512_info = {
+    MBEDTLS_MD_SHA512,
+    "SHA512",
+    64,
+    128,
+    sha512_starts_wrap,
+    sha384_update_wrap,
+    sha384_finish_wrap,
+    sha512_wrap,
+    sha384_ctx_alloc,
+    sha384_ctx_free,
+    sha384_clone_wrap,
+    sha384_process_wrap,
+};
+
+#endif /* MBEDTLS_SHA512_C */
+
+#endif /* MBEDTLS_MD_C */
diff --git a/third-party/mbedtls-3.6/library/memory_buffer_alloc.c b/third-party/mbedtls-3.6/library/memory_buffer_alloc.c
new file mode 100644
index 00000000..dc8b4bf0
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/memory_buffer_alloc.c
@@ -0,0 +1,779 @@
+/*
+ *  Buffer-based memory allocator
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#include "mbedtls/memory_buffer_alloc.h"
+
+/* No need for the header guard as MBEDTLS_MEMORY_BUFFER_ALLOC_C
+   is dependent upon MBEDTLS_PLATFORM_C */
+#include "mbedtls/platform.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+#include <execinfo.h>
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+#define MAGIC1       0xFF00AA55
+#define MAGIC2       0xEE119966
+#define MAX_BT 20
+
+typedef struct _memory_header memory_header;
+struct _memory_header
+{
+    size_t          magic1;
+    size_t          size;
+    size_t          alloc;
+    memory_header   *prev;
+    memory_header   *next;
+    memory_header   *prev_free;
+    memory_header   *next_free;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    char            **trace;
+    size_t          trace_count;
+#endif
+    size_t          magic2;
+};
+
+typedef struct
+{
+    unsigned char   *buf;
+    size_t          len;
+    memory_header   *first;
+    memory_header   *first_free;
+    int             verify;
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    size_t          alloc_count;
+    size_t          free_count;
+    size_t          total_used;
+    size_t          maximum_used;
+    size_t          header_count;
+    size_t          maximum_header_count;
+#endif
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t   mutex;
+#endif
+}
+buffer_alloc_ctx;
+
+static buffer_alloc_ctx heap;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+static void debug_header( memory_header *hdr )
+{
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    size_t i;
+#endif
+
+    mbedtls_fprintf( stderr, "HDR:  PTR(%10zu), PREV(%10zu), NEXT(%10zu), "
+                              "ALLOC(%zu), SIZE(%10zu)\n",
+                      (size_t) hdr, (size_t) hdr->prev, (size_t) hdr->next,
+                      hdr->alloc, hdr->size );
+    mbedtls_fprintf( stderr, "      FPREV(%10zu), FNEXT(%10zu)\n",
+                      (size_t) hdr->prev_free, (size_t) hdr->next_free );
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    mbedtls_fprintf( stderr, "TRACE: \n" );
+    for( i = 0; i < hdr->trace_count; i++ )
+        mbedtls_fprintf( stderr, "%s\n", hdr->trace[i] );
+    mbedtls_fprintf( stderr, "\n" );
+#endif
+}
+
+static void debug_chain()
+{
+    memory_header *cur = heap.first;
+
+    mbedtls_fprintf( stderr, "\nBlock list\n" );
+    while( cur != NULL )
+    {
+        debug_header( cur );
+        cur = cur->next;
+    }
+
+    mbedtls_fprintf( stderr, "Free list\n" );
+    cur = heap.first_free;
+
+    while( cur != NULL )
+    {
+        debug_header( cur );
+        cur = cur->next_free;
+    }
+}
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+static int verify_header( memory_header *hdr )
+{
+    if( hdr->magic1 != MAGIC1 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: MAGIC1 mismatch\n" );
+#endif
+        return( 1 );
+    }
+
+    if( hdr->magic2 != MAGIC2 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: MAGIC2 mismatch\n" );
+#endif
+        return( 1 );
+    }
+
+    if( hdr->alloc > 1 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: alloc has illegal value\n" );
+#endif
+        return( 1 );
+    }
+
+    if( hdr->prev != NULL && hdr->prev == hdr->next )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: prev == next\n" );
+#endif
+        return( 1 );
+    }
+
+    if( hdr->prev_free != NULL && hdr->prev_free == hdr->next_free )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: prev_free == next_free\n" );
+#endif
+        return( 1 );
+    }
+
+    return( 0 );
+}
+
+static int verify_chain()
+{
+    memory_header *prv = heap.first, *cur;
+
+    if( prv == NULL || verify_header( prv ) != 0 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: verification of first header "
+                                  "failed\n" );
+#endif
+        return( 1 );
+    }
+
+    if( heap.first->prev != NULL )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: verification failed: "
+                                  "first->prev != NULL\n" );
+#endif
+        return( 1 );
+    }
+
+    cur = heap.first->next;
+
+    while( cur != NULL )
+    {
+        if( verify_header( cur ) != 0 )
+        {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+            mbedtls_fprintf( stderr, "FATAL: verification of header "
+                                      "failed\n" );
+#endif
+            return( 1 );
+        }
+
+        if( cur->prev != prv )
+        {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+            mbedtls_fprintf( stderr, "FATAL: verification failed: "
+                                      "cur->prev != prv\n" );
+#endif
+            return( 1 );
+        }
+
+        prv = cur;
+        cur = cur->next;
+    }
+
+    return( 0 );
+}
+
+static void *buffer_alloc_calloc( size_t n, size_t size )
+{
+    memory_header *new, *cur = heap.first_free;
+    unsigned char *p;
+    void *ret;
+    size_t original_len, len;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    void *trace_buffer[MAX_BT];
+    size_t trace_cnt;
+#endif
+
+    if( heap.buf == NULL || heap.first == NULL )
+        return( NULL );
+
+    original_len = len = n * size;
+
+    if( n == 0 || size == 0 || len / n != size )
+        return( NULL );
+    else if( len > (size_t)-MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+        return( NULL );
+
+    if( len % MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+    {
+        len -= len % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+        len += MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+    }
+
+    // Find block that fits
+    //
+    while( cur != NULL )
+    {
+        if( cur->size >= len )
+            break;
+
+        cur = cur->next_free;
+    }
+
+    if( cur == NULL )
+        return( NULL );
+
+    if( cur->alloc != 0 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: block in free_list but allocated "
+                                  "data\n" );
+#endif
+        mbedtls_exit( 1 );
+    }
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    heap.alloc_count++;
+#endif
+
+    // Found location, split block if > memory_header + 4 room left
+    //
+    if( cur->size - len < sizeof(memory_header) +
+                          MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+    {
+        cur->alloc = 1;
+
+        // Remove from free_list
+        //
+        if( cur->prev_free != NULL )
+            cur->prev_free->next_free = cur->next_free;
+        else
+            heap.first_free = cur->next_free;
+
+        if( cur->next_free != NULL )
+            cur->next_free->prev_free = cur->prev_free;
+
+        cur->prev_free = NULL;
+        cur->next_free = NULL;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.total_used += cur->size;
+        if( heap.total_used > heap.maximum_used )
+            heap.maximum_used = heap.total_used;
+#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+        trace_cnt = backtrace( trace_buffer, MAX_BT );
+        cur->trace = backtrace_symbols( trace_buffer, trace_cnt );
+        cur->trace_count = trace_cnt;
+#endif
+
+        if( ( heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC ) && verify_chain() != 0 )
+            mbedtls_exit( 1 );
+
+        ret = (unsigned char *) cur + sizeof( memory_header );
+        memset( ret, 0, original_len );
+
+        return( ret );
+    }
+
+    p = ( (unsigned char *) cur ) + sizeof(memory_header) + len;
+    new = (memory_header *) p;
+
+    new->size = cur->size - len - sizeof(memory_header);
+    new->alloc = 0;
+    new->prev = cur;
+    new->next = cur->next;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    new->trace = NULL;
+    new->trace_count = 0;
+#endif
+    new->magic1 = MAGIC1;
+    new->magic2 = MAGIC2;
+
+    if( new->next != NULL )
+        new->next->prev = new;
+
+    // Replace cur with new in free_list
+    //
+    new->prev_free = cur->prev_free;
+    new->next_free = cur->next_free;
+    if( new->prev_free != NULL )
+        new->prev_free->next_free = new;
+    else
+        heap.first_free = new;
+
+    if( new->next_free != NULL )
+        new->next_free->prev_free = new;
+
+    cur->alloc = 1;
+    cur->size = len;
+    cur->next = new;
+    cur->prev_free = NULL;
+    cur->next_free = NULL;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    heap.header_count++;
+    if( heap.header_count > heap.maximum_header_count )
+        heap.maximum_header_count = heap.header_count;
+    heap.total_used += cur->size;
+    if( heap.total_used > heap.maximum_used )
+        heap.maximum_used = heap.total_used;
+#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    trace_cnt = backtrace( trace_buffer, MAX_BT );
+    cur->trace = backtrace_symbols( trace_buffer, trace_cnt );
+    cur->trace_count = trace_cnt;
+#endif
+
+    if( ( heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC ) && verify_chain() != 0 )
+        mbedtls_exit( 1 );
+
+    ret = (unsigned char *) cur + sizeof( memory_header );
+    memset( ret, 0, original_len );
+
+    return( ret );
+}
+
+static void buffer_alloc_free( void *ptr )
+{
+    memory_header *hdr, *old = NULL;
+    unsigned char *p = (unsigned char *) ptr;
+
+    if( ptr == NULL || heap.buf == NULL || heap.first == NULL )
+        return;
+
+    if( p < heap.buf || p >= heap.buf + heap.len )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: mbedtls_free() outside of managed "
+                                  "space\n" );
+#endif
+        mbedtls_exit( 1 );
+    }
+
+    p -= sizeof(memory_header);
+    hdr = (memory_header *) p;
+
+    if( verify_header( hdr ) != 0 )
+        mbedtls_exit( 1 );
+
+    if( hdr->alloc != 1 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: mbedtls_free() on unallocated "
+                                  "data\n" );
+#endif
+        mbedtls_exit( 1 );
+    }
+
+    hdr->alloc = 0;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    heap.free_count++;
+    heap.total_used -= hdr->size;
+#endif
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    free( hdr->trace );
+    hdr->trace = NULL;
+    hdr->trace_count = 0;
+#endif
+
+    // Regroup with block before
+    //
+    if( hdr->prev != NULL && hdr->prev->alloc == 0 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.header_count--;
+#endif
+        hdr->prev->size += sizeof(memory_header) + hdr->size;
+        hdr->prev->next = hdr->next;
+        old = hdr;
+        hdr = hdr->prev;
+
+        if( hdr->next != NULL )
+            hdr->next->prev = hdr;
+
+        memset( old, 0, sizeof(memory_header) );
+    }
+
+    // Regroup with block after
+    //
+    if( hdr->next != NULL && hdr->next->alloc == 0 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.header_count--;
+#endif
+        hdr->size += sizeof(memory_header) + hdr->next->size;
+        old = hdr->next;
+        hdr->next = hdr->next->next;
+
+        if( hdr->prev_free != NULL || hdr->next_free != NULL )
+        {
+            if( hdr->prev_free != NULL )
+                hdr->prev_free->next_free = hdr->next_free;
+            else
+                heap.first_free = hdr->next_free;
+
+            if( hdr->next_free != NULL )
+                hdr->next_free->prev_free = hdr->prev_free;
+        }
+
+        hdr->prev_free = old->prev_free;
+        hdr->next_free = old->next_free;
+
+        if( hdr->prev_free != NULL )
+            hdr->prev_free->next_free = hdr;
+        else
+            heap.first_free = hdr;
+
+        if( hdr->next_free != NULL )
+            hdr->next_free->prev_free = hdr;
+
+        if( hdr->next != NULL )
+            hdr->next->prev = hdr;
+
+        memset( old, 0, sizeof(memory_header) );
+    }
+
+    // Prepend to free_list if we have not merged
+    // (Does not have to stay in same order as prev / next list)
+    //
+    if( old == NULL )
+    {
+        hdr->next_free = heap.first_free;
+        if( heap.first_free != NULL )
+            heap.first_free->prev_free = hdr;
+        heap.first_free = hdr;
+    }
+
+    if( ( heap.verify & MBEDTLS_MEMORY_VERIFY_FREE ) && verify_chain() != 0 )
+        mbedtls_exit( 1 );
+}
+
+void mbedtls_memory_buffer_set_verify( int verify )
+{
+    heap.verify = verify;
+}
+
+int mbedtls_memory_buffer_alloc_verify()
+{
+    return verify_chain();
+}
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+void mbedtls_memory_buffer_alloc_status()
+{
+    mbedtls_fprintf( stderr,
+                      "Current use: %zu blocks / %zu bytes, max: %zu blocks / "
+                      "%zu bytes (total %zu bytes), alloc / free: %zu / %zu\n",
+                      heap.header_count, heap.total_used,
+                      heap.maximum_header_count, heap.maximum_used,
+                      heap.maximum_header_count * sizeof( memory_header )
+                      + heap.maximum_used,
+                      heap.alloc_count, heap.free_count );
+
+    if( heap.first->next == NULL )
+    {
+        mbedtls_fprintf( stderr, "All memory de-allocated in stack buffer\n" );
+    }
+    else
+    {
+        mbedtls_fprintf( stderr, "Memory currently allocated:\n" );
+        debug_chain();
+    }
+}
+
+void mbedtls_memory_buffer_alloc_max_get( size_t *max_used, size_t *max_blocks )
+{
+    *max_used   = heap.maximum_used;
+    *max_blocks = heap.maximum_header_count;
+}
+
+void mbedtls_memory_buffer_alloc_max_reset( void )
+{
+    heap.maximum_used = 0;
+    heap.maximum_header_count = 0;
+}
+
+void mbedtls_memory_buffer_alloc_cur_get( size_t *cur_used, size_t *cur_blocks )
+{
+    *cur_used   = heap.total_used;
+    *cur_blocks = heap.header_count;
+}
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+#if defined(MBEDTLS_THREADING_C)
+static void *buffer_alloc_calloc_mutexed( size_t n, size_t size )
+{
+    void *buf;
+    if( mbedtls_mutex_lock( &heap.mutex ) != 0 )
+        return( NULL );
+    buf = buffer_alloc_calloc( n, size );
+    if( mbedtls_mutex_unlock( &heap.mutex ) )
+        return( NULL );
+    return( buf );
+}
+
+static void buffer_alloc_free_mutexed( void *ptr )
+{
+    /* We have to good option here, but corrupting the heap seems
+     * worse than loosing memory. */
+    if( mbedtls_mutex_lock( &heap.mutex ) )
+        return;
+    buffer_alloc_free( ptr );
+    (void) mbedtls_mutex_unlock( &heap.mutex );
+}
+#endif /* MBEDTLS_THREADING_C */
+
+void mbedtls_memory_buffer_alloc_init( unsigned char *buf, size_t len )
+{
+    memset( &heap, 0, sizeof( buffer_alloc_ctx ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &heap.mutex );
+    mbedtls_platform_set_calloc_free( buffer_alloc_calloc_mutexed,
+                              buffer_alloc_free_mutexed );
+#else
+    mbedtls_platform_set_calloc_free( buffer_alloc_calloc, buffer_alloc_free );
+#endif
+
+    if( len < sizeof( memory_header ) + MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+        return;
+    else if( (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+    {
+        /* Adjust len first since buf is used in the computation */
+        len -= MBEDTLS_MEMORY_ALIGN_MULTIPLE
+             - (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+        buf += MBEDTLS_MEMORY_ALIGN_MULTIPLE
+             - (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+    }
+
+    memset( buf, 0, len );
+
+    heap.buf = buf;
+    heap.len = len;
+
+    heap.first = (memory_header *)buf;
+    heap.first->size = len - sizeof( memory_header );
+    heap.first->magic1 = MAGIC1;
+    heap.first->magic2 = MAGIC2;
+    heap.first_free = heap.first;
+}
+
+void mbedtls_memory_buffer_alloc_free()
+{
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &heap.mutex );
+#endif
+    mbedtls_zeroize( &heap, sizeof(buffer_alloc_ctx) );
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+static int check_pointer( void *p )
+{
+    if( p == NULL )
+        return( -1 );
+
+    if( (size_t) p % MBEDTLS_MEMORY_ALIGN_MULTIPLE != 0 )
+        return( -1 );
+
+    return( 0 );
+}
+
+static int check_all_free( )
+{
+    if(
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.total_used != 0 ||
+#endif
+        heap.first != heap.first_free ||
+        (void *) heap.first != (void *) heap.buf )
+    {
+        return( -1 );
+    }
+
+    return( 0 );
+}
+
+#define TEST_ASSERT( condition )            \
+    if( ! (condition) )                     \
+    {                                       \
+        if( verbose != 0 )                  \
+            mbedtls_printf( "failed\n" );  \
+                                            \
+        ret = 1;                            \
+        goto cleanup;                       \
+    }
+
+int mbedtls_memory_buffer_alloc_self_test( int verbose )
+{
+    unsigned char buf[1024];
+    unsigned char *p, *q, *r, *end;
+    int ret = 0;
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MBA test #1 (basic alloc-free cycle): " );
+
+    mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
+
+    p = mbedtls_calloc( 1, 1 );
+    q = mbedtls_calloc( 1, 128 );
+    r = mbedtls_calloc( 1, 16 );
+
+    TEST_ASSERT( check_pointer( p ) == 0 &&
+                 check_pointer( q ) == 0 &&
+                 check_pointer( r ) == 0 );
+
+    mbedtls_free( r );
+    mbedtls_free( q );
+    mbedtls_free( p );
+
+    TEST_ASSERT( check_all_free( ) == 0 );
+
+    /* Memorize end to compare with the next test */
+    end = heap.buf + heap.len;
+
+    mbedtls_memory_buffer_alloc_free( );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MBA test #2 (buf not aligned): " );
+
+    mbedtls_memory_buffer_alloc_init( buf + 1, sizeof( buf ) - 1 );
+
+    TEST_ASSERT( heap.buf + heap.len == end );
+
+    p = mbedtls_calloc( 1, 1 );
+    q = mbedtls_calloc( 1, 128 );
+    r = mbedtls_calloc( 1, 16 );
+
+    TEST_ASSERT( check_pointer( p ) == 0 &&
+                 check_pointer( q ) == 0 &&
+                 check_pointer( r ) == 0 );
+
+    mbedtls_free( r );
+    mbedtls_free( q );
+    mbedtls_free( p );
+
+    TEST_ASSERT( check_all_free( ) == 0 );
+
+    mbedtls_memory_buffer_alloc_free( );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MBA test #3 (full): " );
+
+    mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
+
+    p = mbedtls_calloc( 1, sizeof( buf ) - sizeof( memory_header ) );
+
+    TEST_ASSERT( check_pointer( p ) == 0 );
+    TEST_ASSERT( mbedtls_calloc( 1, 1 ) == NULL );
+
+    mbedtls_free( p );
+
+    p = mbedtls_calloc( 1, sizeof( buf ) - 2 * sizeof( memory_header ) - 16 );
+    q = mbedtls_calloc( 1, 16 );
+
+    TEST_ASSERT( check_pointer( p ) == 0 && check_pointer( q ) == 0 );
+    TEST_ASSERT( mbedtls_calloc( 1, 1 ) == NULL );
+
+    mbedtls_free( q );
+
+    TEST_ASSERT( mbedtls_calloc( 1, 17 ) == NULL );
+
+    mbedtls_free( p );
+
+    TEST_ASSERT( check_all_free( ) == 0 );
+
+    mbedtls_memory_buffer_alloc_free( );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+cleanup:
+    mbedtls_memory_buffer_alloc_free( );
+
+    return( ret );
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
diff --git a/third-party/mbedtls-3.6/library/net_sockets.c b/third-party/mbedtls-3.6/library/net_sockets.c
new file mode 100644
index 00000000..fa27603c
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/net_sockets.c
@@ -0,0 +1,625 @@
+/*
+ *  TCP/IP or UDP/IP networking functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_NET_C)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+    !defined(__APPLE__) && !defined(_WIN32)
+#error "This module only works on Unix and Windows, see MBEDTLS_NET_C in config.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#endif
+
+#include "mbedtls/net_sockets.h"
+
+#include <string.h>
+
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+    !defined(EFI32)
+
+#if !defined(_WIN32_WINNT) || (_WIN32_WINNT < 0x0501)
+#undef _WIN32_WINNT
+/* Enables getaddrinfo() & Co */
+#define _WIN32_WINNT 0x0501
+#endif
+
+#include <ws2tcpip.h>
+
+#include <winsock2.h>
+#include <windows.h>
+
+#if defined(_MSC_VER)
+#if defined(_WIN32_WCE)
+#pragma comment( lib, "ws2.lib" )
+#else
+#pragma comment( lib, "ws2_32.lib" )
+#endif
+#endif /* _MSC_VER */
+
+#define read(fd,buf,len)        recv( fd, (char*)( buf ), (int)( len ), 0 )
+#define write(fd,buf,len)       send( fd, (char*)( buf ), (int)( len ), 0 )
+#define close(fd)               closesocket(fd)
+
+static int wsa_init_done = 0;
+
+#else /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <netdb.h>
+#include <errno.h>
+
+#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+/* Some MS functions want int and MSVC warns if we pass size_t,
+ * but the standard functions use socklen_t, so cast only for MSVC */
+#if defined(_MSC_VER)
+#define MSVC_INT_CAST   (int)
+#else
+#define MSVC_INT_CAST
+#endif
+
+#include <stdio.h>
+
+#include <time.h>
+
+#include <stdint.h>
+
+/*
+ * Prepare for using the sockets interface
+ */
+static int net_prepare( void )
+{
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+    WSADATA wsaData;
+
+    if( wsa_init_done == 0 )
+    {
+        if( WSAStartup( MAKEWORD(2,0), &wsaData ) != 0 )
+            return( MBEDTLS_ERR_NET_SOCKET_FAILED );
+
+        wsa_init_done = 1;
+    }
+#else
+#if !defined(EFIX64) && !defined(EFI32)
+    signal( SIGPIPE, SIG_IGN );
+#endif
+#endif
+    return( 0 );
+}
+
+/*
+ * Initialize a context
+ */
+void mbedtls_net_init( mbedtls_net_context *ctx )
+{
+    ctx->fd = -1;
+}
+
+/*
+ * Initiate a TCP connection with host:port and the given protocol
+ */
+int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host,
+                         const char *port, int proto )
+{
+    int ret;
+    struct addrinfo hints, *addr_list, *cur;
+
+    if( ( ret = net_prepare() ) != 0 )
+        return( ret );
+
+    /* Do name resolution with both IPv6 and IPv4 */
+    memset( &hints, 0, sizeof( hints ) );
+    hints.ai_family = AF_UNSPEC;
+    hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
+    hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
+
+    if( getaddrinfo( host, port, &hints, &addr_list ) != 0 )
+        return( MBEDTLS_ERR_NET_UNKNOWN_HOST );
+
+    /* Try the sockaddrs until a connection succeeds */
+    ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
+    for( cur = addr_list; cur != NULL; cur = cur->ai_next )
+    {
+        ctx->fd = (int) socket( cur->ai_family, cur->ai_socktype,
+                            cur->ai_protocol );
+        if( ctx->fd < 0 )
+        {
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        if( connect( ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen ) == 0 )
+        {
+            ret = 0;
+            break;
+        }
+
+        close( ctx->fd );
+        ret = MBEDTLS_ERR_NET_CONNECT_FAILED;
+    }
+
+    freeaddrinfo( addr_list );
+
+    return( ret );
+}
+
+/*
+ * Create a listening socket on bind_ip:port
+ */
+int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto )
+{
+    int n, ret;
+    struct addrinfo hints, *addr_list, *cur;
+
+    if( ( ret = net_prepare() ) != 0 )
+        return( ret );
+
+    /* Bind to IPv6 and/or IPv4, but only in the desired protocol */
+    memset( &hints, 0, sizeof( hints ) );
+    hints.ai_family = AF_UNSPEC;
+    hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
+    hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
+    if( bind_ip == NULL )
+        hints.ai_flags = AI_PASSIVE;
+
+    if( getaddrinfo( bind_ip, port, &hints, &addr_list ) != 0 )
+        return( MBEDTLS_ERR_NET_UNKNOWN_HOST );
+
+    /* Try the sockaddrs until a binding succeeds */
+    ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
+    for( cur = addr_list; cur != NULL; cur = cur->ai_next )
+    {
+        ctx->fd = (int) socket( cur->ai_family, cur->ai_socktype,
+                            cur->ai_protocol );
+        if( ctx->fd < 0 )
+        {
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        n = 1;
+        if( setsockopt( ctx->fd, SOL_SOCKET, SO_REUSEADDR,
+                        (const char *) &n, sizeof( n ) ) != 0 )
+        {
+            close( ctx->fd );
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        if( bind( ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen ) != 0 )
+        {
+            close( ctx->fd );
+            ret = MBEDTLS_ERR_NET_BIND_FAILED;
+            continue;
+        }
+
+        /* Listen only makes sense for TCP */
+        if( proto == MBEDTLS_NET_PROTO_TCP )
+        {
+            if( listen( ctx->fd, MBEDTLS_NET_LISTEN_BACKLOG ) != 0 )
+            {
+                close( ctx->fd );
+                ret = MBEDTLS_ERR_NET_LISTEN_FAILED;
+                continue;
+            }
+        }
+
+        /* Bind was successful */
+        ret = 0;
+        break;
+    }
+
+    freeaddrinfo( addr_list );
+
+    return( ret );
+
+}
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+/*
+ * Check if the requested operation would be blocking on a non-blocking socket
+ * and thus 'failed' with a negative return value.
+ */
+static int net_would_block( const mbedtls_net_context *ctx )
+{
+    ((void) ctx);
+    return( WSAGetLastError() == WSAEWOULDBLOCK );
+}
+#else
+/*
+ * Check if the requested operation would be blocking on a non-blocking socket
+ * and thus 'failed' with a negative return value.
+ *
+ * Note: on a blocking socket this function always returns 0!
+ */
+static int net_would_block( const mbedtls_net_context *ctx )
+{
+    int err = errno;
+
+    /*
+     * Never return 'WOULD BLOCK' on a blocking socket
+     */
+    if( ( fcntl( ctx->fd, F_GETFL ) & O_NONBLOCK ) != O_NONBLOCK )
+    {
+        errno = err;
+        return( 0 );
+    }
+
+    switch( errno = err )
+    {
+#if defined EAGAIN
+        case EAGAIN:
+#endif
+#if defined EWOULDBLOCK && EWOULDBLOCK != EAGAIN
+        case EWOULDBLOCK:
+#endif
+            return( 1 );
+    }
+    return( 0 );
+}
+#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+/*
+ * Accept a connection from a remote client
+ */
+int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+                        mbedtls_net_context *client_ctx,
+                        void *client_ip, size_t buf_size, size_t *ip_len )
+{
+    int ret;
+    int type;
+
+    struct sockaddr_storage client_addr;
+
+#if defined(__socklen_t_defined) || defined(_SOCKLEN_T) || \
+    defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t) || \
+    ( defined(__NetBSD__) && defined(socklen_t) )
+    socklen_t n = (socklen_t) sizeof( client_addr );
+    socklen_t type_len = (socklen_t) sizeof( type );
+#else
+    int n = (int) sizeof( client_addr );
+    int type_len = (int) sizeof( type );
+#endif
+
+    /* Is this a TCP or UDP socket? */
+    if( getsockopt( bind_ctx->fd, SOL_SOCKET, SO_TYPE,
+                    (void *) &type, &type_len ) != 0 ||
+        ( type != SOCK_STREAM && type != SOCK_DGRAM ) )
+    {
+        return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
+    }
+
+    if( type == SOCK_STREAM )
+    {
+        /* TCP: actual accept() */
+        ret = client_ctx->fd = (int) accept( bind_ctx->fd,
+                                             (struct sockaddr *) &client_addr, &n );
+    }
+    else
+    {
+        /* UDP: wait for a message, but keep it in the queue */
+        char buf[1] = { 0 };
+
+        ret = (int) recvfrom( bind_ctx->fd, buf, sizeof( buf ), MSG_PEEK,
+                        (struct sockaddr *) &client_addr, &n );
+
+#if defined(_WIN32)
+        if( ret == SOCKET_ERROR &&
+            WSAGetLastError() == WSAEMSGSIZE )
+        {
+            /* We know buf is too small, thanks, just peeking here */
+            ret = 0;
+        }
+#endif
+    }
+
+    if( ret < 0 )
+    {
+        if( net_would_block( bind_ctx ) != 0 )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+
+        return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
+    }
+
+    /* UDP: hijack the listening socket to communicate with the client,
+     * then bind a new socket to accept new connections */
+    if( type != SOCK_STREAM )
+    {
+        struct sockaddr_storage local_addr;
+        int one = 1;
+
+        if( connect( bind_ctx->fd, (struct sockaddr *) &client_addr, n ) != 0 )
+            return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
+
+        client_ctx->fd = bind_ctx->fd;
+        bind_ctx->fd   = -1; /* In case we exit early */
+
+        n = sizeof( struct sockaddr_storage );
+        if( getsockname( client_ctx->fd,
+                         (struct sockaddr *) &local_addr, &n ) != 0 ||
+            ( bind_ctx->fd = (int) socket( local_addr.ss_family,
+                                           SOCK_DGRAM, IPPROTO_UDP ) ) < 0 ||
+            setsockopt( bind_ctx->fd, SOL_SOCKET, SO_REUSEADDR,
+                        (const char *) &one, sizeof( one ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_NET_SOCKET_FAILED );
+        }
+
+        if( bind( bind_ctx->fd, (struct sockaddr *) &local_addr, n ) != 0 )
+        {
+            return( MBEDTLS_ERR_NET_BIND_FAILED );
+        }
+    }
+
+    if( client_ip != NULL )
+    {
+        if( client_addr.ss_family == AF_INET )
+        {
+            struct sockaddr_in *addr4 = (struct sockaddr_in *) &client_addr;
+            *ip_len = sizeof( addr4->sin_addr.s_addr );
+
+            if( buf_size < *ip_len )
+                return( MBEDTLS_ERR_NET_BUFFER_TOO_SMALL );
+
+            memcpy( client_ip, &addr4->sin_addr.s_addr, *ip_len );
+        }
+        else
+        {
+            struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &client_addr;
+            *ip_len = sizeof( addr6->sin6_addr.s6_addr );
+
+            if( buf_size < *ip_len )
+                return( MBEDTLS_ERR_NET_BUFFER_TOO_SMALL );
+
+            memcpy( client_ip, &addr6->sin6_addr.s6_addr, *ip_len);
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Set the socket blocking or non-blocking
+ */
+int mbedtls_net_set_block( mbedtls_net_context *ctx )
+{
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+    u_long n = 0;
+    return( ioctlsocket( ctx->fd, FIONBIO, &n ) );
+#else
+    return( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL ) & ~O_NONBLOCK ) );
+#endif
+}
+
+int mbedtls_net_set_nonblock( mbedtls_net_context *ctx )
+{
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+    u_long n = 1;
+    return( ioctlsocket( ctx->fd, FIONBIO, &n ) );
+#else
+    return( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL ) | O_NONBLOCK ) );
+#endif
+}
+
+/*
+ * Portable usleep helper
+ */
+void mbedtls_net_usleep( unsigned long usec )
+{
+#if defined(_WIN32)
+    Sleep( ( usec + 999 ) / 1000 );
+#else
+    struct timeval tv;
+    tv.tv_sec  = usec / 1000000;
+#if defined(__unix__) || defined(__unix) || \
+    ( defined(__APPLE__) && defined(__MACH__) )
+    tv.tv_usec = (suseconds_t) usec % 1000000;
+#else
+    tv.tv_usec = usec % 1000000;
+#endif
+    select( 0, NULL, NULL, NULL, &tv );
+#endif
+}
+
+/*
+ * Read at most 'len' characters
+ */
+int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len )
+{
+    int ret;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+    ret = (int) read( fd, buf, len );
+
+    if( ret < 0 )
+    {
+        if( net_would_block( ctx ) != 0 )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if( WSAGetLastError() == WSAECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+#else
+        if( errno == EPIPE || errno == ECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+
+        if( errno == EINTR )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+#endif
+
+        return( MBEDTLS_ERR_NET_RECV_FAILED );
+    }
+
+    return( ret );
+}
+
+/*
+ * Read at most 'len' characters, blocking for at most 'timeout' ms
+ */
+int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
+                      uint32_t timeout )
+{
+    int ret;
+    struct timeval tv;
+    fd_set read_fds;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+    /* A limitation of select() is that it only works with file descriptors
+     * that are strictly less than FD_SETSIZE. This is a limitation of the
+     * fd_set type. Error out early, because attempting to call FD_SET on a
+     * large file descriptor is a buffer overflow on typical platforms. */
+    if( fd >= FD_SETSIZE )
+        return( MBEDTLS_ERR_NET_RECV_FAILED );
+
+    FD_ZERO( &read_fds );
+    FD_SET( fd, &read_fds );
+
+    tv.tv_sec  = timeout / 1000;
+    tv.tv_usec = ( timeout % 1000 ) * 1000;
+
+    ret = select( fd + 1, &read_fds, NULL, NULL, timeout == 0 ? NULL : &tv );
+
+    /* Zero fds ready means we timed out */
+    if( ret == 0 )
+        return( MBEDTLS_ERR_SSL_TIMEOUT );
+
+    if( ret < 0 )
+    {
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if( WSAGetLastError() == WSAEINTR )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+#else
+        if( errno == EINTR )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+#endif
+
+        return( MBEDTLS_ERR_NET_RECV_FAILED );
+    }
+
+    /* This call will not block */
+    return( mbedtls_net_recv( ctx, buf, len ) );
+}
+
+/*
+ * Write at most 'len' characters
+ */
+int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
+{
+    int ret;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+    ret = (int) write( fd, buf, len );
+
+    if( ret < 0 )
+    {
+        if( net_would_block( ctx ) != 0 )
+            return( MBEDTLS_ERR_SSL_WANT_WRITE );
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if( WSAGetLastError() == WSAECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+#else
+        if( errno == EPIPE || errno == ECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+
+        if( errno == EINTR )
+            return( MBEDTLS_ERR_SSL_WANT_WRITE );
+#endif
+
+        return( MBEDTLS_ERR_NET_SEND_FAILED );
+    }
+
+    return( ret );
+}
+
+/*
+ * Gracefully close the connection
+ */
+void mbedtls_net_free( mbedtls_net_context *ctx )
+{
+    if( ctx->fd == -1 )
+        return;
+
+    shutdown( ctx->fd, 2 );
+    close( ctx->fd );
+
+    ctx->fd = -1;
+}
+
+#endif /* MBEDTLS_NET_C */
diff --git a/third-party/mbedtls-3.6/library/oid.c b/third-party/mbedtls-3.6/library/oid.c
new file mode 100644
index 00000000..ad2c3222
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/oid.c
@@ -0,0 +1,780 @@
+/**
+ * \file oid.c
+ *
+ * \brief Object Identifier (OID) database
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_OID_C)
+
+#include "mbedtls/oid.h"
+#include "mbedtls/rsa.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_snprintf snprintf
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+#include "mbedtls/x509.h"
+#endif
+
+/*
+ * Macro to automatically add the size of #define'd OIDs
+ */
+#define ADD_LEN(s)      s, MBEDTLS_OID_SIZE(s)
+
+/*
+ * Macro to generate an internal function for oid_XXX_from_asn1() (used by
+ * the other functions)
+ */
+#define FN_OID_TYPED_FROM_ASN1( TYPE_T, NAME, LIST )                        \
+static const TYPE_T * oid_ ## NAME ## _from_asn1( const mbedtls_asn1_buf *oid )     \
+{                                                                           \
+    const TYPE_T *p = LIST;                                                 \
+    const mbedtls_oid_descriptor_t *cur = (const mbedtls_oid_descriptor_t *) p;             \
+    if( p == NULL || oid == NULL ) return( NULL );                          \
+    while( cur->asn1 != NULL ) {                                            \
+        if( cur->asn1_len == oid->len &&                                    \
+            memcmp( cur->asn1, oid->p, oid->len ) == 0 ) {                  \
+            return( p );                                                    \
+        }                                                                   \
+        p++;                                                                \
+        cur = (const mbedtls_oid_descriptor_t *) p;                                 \
+    }                                                                       \
+    return( NULL );                                                         \
+}
+
+/*
+ * Macro to generate a function for retrieving a single attribute from the
+ * descriptor of an mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_DESCRIPTOR_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 )                  \
+{                                                                       \
+    const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );        \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );            \
+    *ATTR1 = data->descriptor.ATTR1;                                    \
+    return( 0 );                                                        \
+}
+
+/*
+ * Macro to generate a function for retrieving a single attribute from an
+ * mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 )                  \
+{                                                                       \
+    const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );        \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );            \
+    *ATTR1 = data->ATTR1;                                               \
+    return( 0 );                                                        \
+}
+
+/*
+ * Macro to generate a function for retrieving two attributes from an
+ * mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_ATTR2(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1,     \
+                         ATTR2_TYPE, ATTR2)                                 \
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1, ATTR2_TYPE * ATTR2 )  \
+{                                                                           \
+    const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );            \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );                \
+    *ATTR1 = data->ATTR1;                                                   \
+    *ATTR2 = data->ATTR2;                                                   \
+    return( 0 );                                                            \
+}
+
+/*
+ * Macro to generate a function for retrieving the OID based on a single
+ * attribute from a mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_OID_BY_ATTR1(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1)   \
+int FN_NAME( ATTR1_TYPE ATTR1, const char **oid, size_t *olen )             \
+{                                                                           \
+    const TYPE_T *cur = LIST;                                               \
+    while( cur->descriptor.asn1 != NULL ) {                                 \
+        if( cur->ATTR1 == ATTR1 ) {                                         \
+            *oid = cur->descriptor.asn1;                                    \
+            *olen = cur->descriptor.asn1_len;                               \
+            return( 0 );                                                    \
+        }                                                                   \
+        cur++;                                                              \
+    }                                                                       \
+    return( MBEDTLS_ERR_OID_NOT_FOUND );                                   \
+}
+
+/*
+ * Macro to generate a function for retrieving the OID based on two
+ * attributes from a mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_OID_BY_ATTR2(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1,   \
+                                ATTR2_TYPE, ATTR2)                          \
+int FN_NAME( ATTR1_TYPE ATTR1, ATTR2_TYPE ATTR2, const char **oid ,         \
+             size_t *olen )                                                 \
+{                                                                           \
+    const TYPE_T *cur = LIST;                                               \
+    while( cur->descriptor.asn1 != NULL ) {                                 \
+        if( cur->ATTR1 == ATTR1 && cur->ATTR2 == ATTR2 ) {                  \
+            *oid = cur->descriptor.asn1;                                    \
+            *olen = cur->descriptor.asn1_len;                               \
+            return( 0 );                                                    \
+        }                                                                   \
+        cur++;                                                              \
+    }                                                                       \
+    return( MBEDTLS_ERR_OID_NOT_FOUND );                                   \
+}
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+/*
+ * For X520 attribute types
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    const char          *short_name;
+} oid_x520_attr_t;
+
+static const oid_x520_attr_t oid_x520_attr_type[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_CN ),          "id-at-commonName",               "Common Name" },
+        "CN",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_COUNTRY ),     "id-at-countryName",              "Country" },
+        "C",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_LOCALITY ),    "id-at-locality",                 "Locality" },
+        "L",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_STATE ),       "id-at-state",                    "State" },
+        "ST",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_ORGANIZATION ),"id-at-organizationName",         "Organization" },
+        "O",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_ORG_UNIT ),    "id-at-organizationalUnitName",   "Org Unit" },
+        "OU",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS9_EMAIL ),    "emailAddress",                   "E-mail address" },
+        "emailAddress",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_SERIAL_NUMBER ),"id-at-serialNumber",            "Serial number" },
+        "serialNumber",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_POSTAL_ADDRESS ),"id-at-postalAddress",          "Postal address" },
+        "postalAddress",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_POSTAL_CODE ), "id-at-postalCode",               "Postal code" },
+        "postalCode",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_SUR_NAME ),    "id-at-surName",                  "Surname" },
+        "SN",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_GIVEN_NAME ),  "id-at-givenName",                "Given name" },
+        "GN",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_INITIALS ),    "id-at-initials",                 "Initials" },
+        "initials",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_GENERATION_QUALIFIER ), "id-at-generationQualifier", "Generation qualifier" },
+        "generationQualifier",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_TITLE ),       "id-at-title",                    "Title" },
+        "title",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_DN_QUALIFIER ),"id-at-dnQualifier",              "Distinguished Name qualifier" },
+        "dnQualifier",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_PSEUDONYM ),   "id-at-pseudonym",                "Pseudonym" },
+        "pseudonym",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_DOMAIN_COMPONENT ), "id-domainComponent",           "Domain component" },
+        "DC",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_UNIQUE_IDENTIFIER ), "id-at-uniqueIdentifier",    "Unique Identifier" },
+        "uniqueIdentifier",
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        NULL,
+    }
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_x520_attr_t, x520_attr, oid_x520_attr_type)
+FN_OID_GET_ATTR1(mbedtls_oid_get_attr_short_name, oid_x520_attr_t, x520_attr, const char *, short_name)
+
+/*
+ * For X509 extensions
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    int                 ext_type;
+} oid_x509_ext_t;
+
+static const oid_x509_ext_t oid_x509_ext[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_BASIC_CONSTRAINTS ),    "id-ce-basicConstraints",   "Basic Constraints" },
+        MBEDTLS_X509_EXT_BASIC_CONSTRAINTS,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_KEY_USAGE ),            "id-ce-keyUsage",           "Key Usage" },
+        MBEDTLS_X509_EXT_KEY_USAGE,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_EXTENDED_KEY_USAGE ),   "id-ce-extKeyUsage",        "Extended Key Usage" },
+        MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_SUBJECT_ALT_NAME ),     "id-ce-subjectAltName",     "Subject Alt Name" },
+        MBEDTLS_X509_EXT_SUBJECT_ALT_NAME,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_NS_CERT_TYPE ),         "id-netscape-certtype",     "Netscape Certificate Type" },
+        MBEDTLS_X509_EXT_NS_CERT_TYPE,
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        0,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_x509_ext_t, x509_ext, oid_x509_ext)
+FN_OID_GET_ATTR1(mbedtls_oid_get_x509_ext_type, oid_x509_ext_t, x509_ext, int, ext_type)
+
+static const mbedtls_oid_descriptor_t oid_ext_key_usage[] =
+{
+    { ADD_LEN( MBEDTLS_OID_SERVER_AUTH ),      "id-kp-serverAuth",      "TLS Web Server Authentication" },
+    { ADD_LEN( MBEDTLS_OID_CLIENT_AUTH ),      "id-kp-clientAuth",      "TLS Web Client Authentication" },
+    { ADD_LEN( MBEDTLS_OID_CODE_SIGNING ),     "id-kp-codeSigning",     "Code Signing" },
+    { ADD_LEN( MBEDTLS_OID_EMAIL_PROTECTION ), "id-kp-emailProtection", "E-mail Protection" },
+    { ADD_LEN( MBEDTLS_OID_TIME_STAMPING ),    "id-kp-timeStamping",    "Time Stamping" },
+    { ADD_LEN( MBEDTLS_OID_OCSP_SIGNING ),     "id-kp-OCSPSigning",     "OCSP Signing" },
+    { NULL, 0, NULL, NULL },
+};
+
+FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, ext_key_usage, oid_ext_key_usage)
+FN_OID_GET_ATTR1(mbedtls_oid_get_extended_key_usage, mbedtls_oid_descriptor_t, ext_key_usage, const char *, description)
+#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
+
+#if defined(MBEDTLS_MD_C)
+/*
+ * For SignatureAlgorithmIdentifier
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_md_type_t           md_alg;
+    mbedtls_pk_type_t           pk_alg;
+} oid_sig_alg_t;
+
+static const oid_sig_alg_t oid_sig_alg[] =
+{
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_MD2_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_MD2 ),        "md2WithRSAEncryption",     "RSA with MD2" },
+        MBEDTLS_MD_MD2,      MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_MD2_C */
+#if defined(MBEDTLS_MD4_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_MD4 ),        "md4WithRSAEncryption",     "RSA with MD4" },
+        MBEDTLS_MD_MD4,      MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_MD4_C */
+#if defined(MBEDTLS_MD5_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_MD5 ),        "md5WithRSAEncryption",     "RSA with MD5" },
+        MBEDTLS_MD_MD5,      MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA1 ),       "sha-1WithRSAEncryption",   "RSA with SHA1" },
+        MBEDTLS_MD_SHA1,     MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA224 ),     "sha224WithRSAEncryption",  "RSA with SHA-224" },
+        MBEDTLS_MD_SHA224,   MBEDTLS_PK_RSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA256 ),     "sha256WithRSAEncryption",  "RSA with SHA-256" },
+        MBEDTLS_MD_SHA256,   MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA384 ),     "sha384WithRSAEncryption",  "RSA with SHA-384" },
+        MBEDTLS_MD_SHA384,   MBEDTLS_PK_RSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA512 ),     "sha512WithRSAEncryption",  "RSA with SHA-512" },
+        MBEDTLS_MD_SHA512,   MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_RSA_SHA_OBS ),      "sha-1WithRSAEncryption",   "RSA with SHA1" },
+        MBEDTLS_MD_SHA1,     MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA1 ),       "ecdsa-with-SHA1",      "ECDSA with SHA1" },
+        MBEDTLS_MD_SHA1,     MBEDTLS_PK_ECDSA,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA224 ),     "ecdsa-with-SHA224",    "ECDSA with SHA224" },
+        MBEDTLS_MD_SHA224,   MBEDTLS_PK_ECDSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA256 ),     "ecdsa-with-SHA256",    "ECDSA with SHA256" },
+        MBEDTLS_MD_SHA256,   MBEDTLS_PK_ECDSA,
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA384 ),     "ecdsa-with-SHA384",    "ECDSA with SHA384" },
+        MBEDTLS_MD_SHA384,   MBEDTLS_PK_ECDSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA512 ),     "ecdsa-with-SHA512",    "ECDSA with SHA512" },
+        MBEDTLS_MD_SHA512,   MBEDTLS_PK_ECDSA,
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_ECDSA_C */
+#if defined(MBEDTLS_RSA_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_RSASSA_PSS ),        "RSASSA-PSS",           "RSASSA-PSS" },
+        MBEDTLS_MD_NONE,     MBEDTLS_PK_RSASSA_PSS,
+    },
+#endif /* MBEDTLS_RSA_C */
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_MD_NONE, MBEDTLS_PK_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_sig_alg_t, sig_alg, oid_sig_alg)
+FN_OID_GET_DESCRIPTOR_ATTR1(mbedtls_oid_get_sig_alg_desc, oid_sig_alg_t, sig_alg, const char *, description)
+FN_OID_GET_ATTR2(mbedtls_oid_get_sig_alg, oid_sig_alg_t, sig_alg, mbedtls_md_type_t, md_alg, mbedtls_pk_type_t, pk_alg)
+FN_OID_GET_OID_BY_ATTR2(mbedtls_oid_get_oid_by_sig_alg, oid_sig_alg_t, oid_sig_alg, mbedtls_pk_type_t, pk_alg, mbedtls_md_type_t, md_alg)
+#endif /* MBEDTLS_MD_C */
+
+/*
+ * For PublicKeyInfo (PKCS1, RFC 5480)
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_pk_type_t           pk_alg;
+} oid_pk_alg_t;
+
+static const oid_pk_alg_t oid_pk_alg[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_RSA ),      "rsaEncryption",   "RSA" },
+        MBEDTLS_PK_RSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_ALG_UNRESTRICTED ),  "id-ecPublicKey",   "Generic EC key" },
+        MBEDTLS_PK_ECKEY,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_ALG_ECDH ),          "id-ecDH",          "EC key for ECDH" },
+        MBEDTLS_PK_ECKEY_DH,
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_PK_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_pk_alg_t, pk_alg, oid_pk_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_pk_alg, oid_pk_alg_t, pk_alg, mbedtls_pk_type_t, pk_alg)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_pk_alg, oid_pk_alg_t, oid_pk_alg, mbedtls_pk_type_t, pk_alg)
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * For namedCurve (RFC 5480)
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_ecp_group_id        grp_id;
+} oid_ecp_grp_t;
+
+static const oid_ecp_grp_t oid_ecp_grp[] =
+{
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP192R1 ), "secp192r1",    "secp192r1" },
+        MBEDTLS_ECP_DP_SECP192R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP224R1 ), "secp224r1",    "secp224r1" },
+        MBEDTLS_ECP_DP_SECP224R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP256R1 ), "secp256r1",    "secp256r1" },
+        MBEDTLS_ECP_DP_SECP256R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP384R1 ), "secp384r1",    "secp384r1" },
+        MBEDTLS_ECP_DP_SECP384R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP521R1 ), "secp521r1",    "secp521r1" },
+        MBEDTLS_ECP_DP_SECP521R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP192K1 ), "secp192k1",    "secp192k1" },
+        MBEDTLS_ECP_DP_SECP192K1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP224K1 ), "secp224k1",    "secp224k1" },
+        MBEDTLS_ECP_DP_SECP224K1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP256K1 ), "secp256k1",    "secp256k1" },
+        MBEDTLS_ECP_DP_SECP256K1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_BP256R1 ),   "brainpoolP256r1","brainpool256r1" },
+        MBEDTLS_ECP_DP_BP256R1,
+    },
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_BP384R1 ),   "brainpoolP384r1","brainpool384r1" },
+        MBEDTLS_ECP_DP_BP384R1,
+    },
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_BP512R1 ),   "brainpoolP512r1","brainpool512r1" },
+        MBEDTLS_ECP_DP_BP512R1,
+    },
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_ECP_DP_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_ecp_grp_t, grp_id, oid_ecp_grp)
+FN_OID_GET_ATTR1(mbedtls_oid_get_ec_grp, oid_ecp_grp_t, grp_id, mbedtls_ecp_group_id, grp_id)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_ec_grp, oid_ecp_grp_t, oid_ecp_grp, mbedtls_ecp_group_id, grp_id)
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_CIPHER_C)
+/*
+ * For PKCS#5 PBES2 encryption algorithm
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_cipher_type_t       cipher_alg;
+} oid_cipher_alg_t;
+
+static const oid_cipher_alg_t oid_cipher_alg[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_DES_CBC ),              "desCBC",       "DES-CBC" },
+        MBEDTLS_CIPHER_DES_CBC,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_DES_EDE3_CBC ),         "des-ede3-cbc", "DES-EDE3-CBC" },
+        MBEDTLS_CIPHER_DES_EDE3_CBC,
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_CIPHER_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_cipher_alg_t, cipher_alg, oid_cipher_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_cipher_alg, oid_cipher_alg_t, cipher_alg, mbedtls_cipher_type_t, cipher_alg)
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_MD_C)
+/*
+ * For digestAlgorithm
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_md_type_t           md_alg;
+} oid_md_alg_t;
+
+static const oid_md_alg_t oid_md_alg[] =
+{
+#if defined(MBEDTLS_MD2_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_MD2 ),       "id-md2",       "MD2" },
+        MBEDTLS_MD_MD2,
+    },
+#endif /* MBEDTLS_MD2_C */
+#if defined(MBEDTLS_MD4_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_MD4 ),       "id-md4",       "MD4" },
+        MBEDTLS_MD_MD4,
+    },
+#endif /* MBEDTLS_MD4_C */
+#if defined(MBEDTLS_MD5_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_MD5 ),       "id-md5",       "MD5" },
+        MBEDTLS_MD_MD5,
+    },
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA1 ),      "id-sha1",      "SHA-1" },
+        MBEDTLS_MD_SHA1,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA224 ),    "id-sha224",    "SHA-224" },
+        MBEDTLS_MD_SHA224,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA256 ),    "id-sha256",    "SHA-256" },
+        MBEDTLS_MD_SHA256,
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA384 ),    "id-sha384",    "SHA-384" },
+        MBEDTLS_MD_SHA384,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA512 ),    "id-sha512",    "SHA-512" },
+        MBEDTLS_MD_SHA512,
+    },
+#endif /* MBEDTLS_SHA512_C */
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_MD_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_md_alg_t, md_alg, oid_md_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_md_alg, oid_md_alg_t, md_alg, mbedtls_md_type_t, md_alg)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_md, oid_md_alg_t, oid_md_alg, mbedtls_md_type_t, md_alg)
+
+/*
+ * For HMAC digestAlgorithm
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_md_type_t           md_hmac;
+} oid_md_hmac_t;
+
+static const oid_md_hmac_t oid_md_hmac[] =
+{
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA1 ),      "hmacSHA1",      "HMAC-SHA-1" },
+        MBEDTLS_MD_SHA1,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA224 ),    "hmacSHA224",    "HMAC-SHA-224" },
+        MBEDTLS_MD_SHA224,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA256 ),    "hmacSHA256",    "HMAC-SHA-256" },
+        MBEDTLS_MD_SHA256,
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA384 ),    "hmacSHA384",    "HMAC-SHA-384" },
+        MBEDTLS_MD_SHA384,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA512 ),    "hmacSHA512",    "HMAC-SHA-512" },
+        MBEDTLS_MD_SHA512,
+    },
+#endif /* MBEDTLS_SHA512_C */
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_MD_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_md_hmac_t, md_hmac, oid_md_hmac)
+FN_OID_GET_ATTR1(mbedtls_oid_get_md_hmac, oid_md_hmac_t, md_hmac, mbedtls_md_type_t, md_hmac)
+#endif /* MBEDTLS_MD_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+/*
+ * For PKCS#12 PBEs
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_md_type_t           md_alg;
+    mbedtls_cipher_type_t       cipher_alg;
+} oid_pkcs12_pbe_alg_t;
+
+static const oid_pkcs12_pbe_alg_t oid_pkcs12_pbe_alg[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC ), "pbeWithSHAAnd3-KeyTripleDES-CBC", "PBE with SHA1 and 3-Key 3DES" },
+        MBEDTLS_MD_SHA1,      MBEDTLS_CIPHER_DES_EDE3_CBC,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC ), "pbeWithSHAAnd2-KeyTripleDES-CBC", "PBE with SHA1 and 2-Key 3DES" },
+        MBEDTLS_MD_SHA1,      MBEDTLS_CIPHER_DES_EDE_CBC,
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_MD_NONE, MBEDTLS_CIPHER_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, oid_pkcs12_pbe_alg)
+FN_OID_GET_ATTR2(mbedtls_oid_get_pkcs12_pbe_alg, oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, mbedtls_md_type_t, md_alg, mbedtls_cipher_type_t, cipher_alg)
+#endif /* MBEDTLS_PKCS12_C */
+
+#define OID_SAFE_SNPRINTF                               \
+    do {                                                \
+        if( ret < 0 || (size_t) ret >= n )              \
+            return( MBEDTLS_ERR_OID_BUF_TOO_SMALL );    \
+                                                        \
+        n -= (size_t) ret;                              \
+        p += (size_t) ret;                              \
+    } while( 0 )
+
+/* Return the x.y.z.... style numeric string for the given OID */
+int mbedtls_oid_get_numeric_string( char *buf, size_t size,
+                            const mbedtls_asn1_buf *oid )
+{
+    int ret;
+    size_t i, n;
+    unsigned int value;
+    char *p;
+
+    p = buf;
+    n = size;
+
+    /* First byte contains first two dots */
+    if( oid->len > 0 )
+    {
+        ret = mbedtls_snprintf( p, n, "%d.%d", oid->p[0] / 40, oid->p[0] % 40 );
+        OID_SAFE_SNPRINTF;
+    }
+
+    value = 0;
+    for( i = 1; i < oid->len; i++ )
+    {
+        /* Prevent overflow in value. */
+        if( ( ( value << 7 ) >> 7 ) != value )
+            return( MBEDTLS_ERR_OID_BUF_TOO_SMALL );
+
+        value <<= 7;
+        value += oid->p[i] & 0x7F;
+
+        if( !( oid->p[i] & 0x80 ) )
+        {
+            /* Last byte */
+            ret = mbedtls_snprintf( p, n, ".%d", value );
+            OID_SAFE_SNPRINTF;
+            value = 0;
+        }
+    }
+
+    return( (int) ( size - n ) );
+}
+
+#endif /* MBEDTLS_OID_C */
diff --git a/third-party/mbedtls-3.6/library/padlock.c b/third-party/mbedtls-3.6/library/padlock.c
new file mode 100644
index 00000000..afb7e0ad
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/padlock.c
@@ -0,0 +1,195 @@
+/*
+ *  VIA PadLock support functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  This implementation is based on the VIA PadLock Programming Guide:
+ *
+ *  http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/
+ *  programming_guide.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C)
+
+#include "mbedtls/padlock.h"
+
+#include <string.h>
+
+#ifndef asm
+#define asm __asm
+#endif
+
+#if defined(MBEDTLS_HAVE_X86)
+
+/*
+ * PadLock detection routine
+ */
+int mbedtls_padlock_has_support( int feature )
+{
+    static int flags = -1;
+    int ebx = 0, edx = 0;
+
+    if( flags == -1 )
+    {
+        asm( "movl  %%ebx, %0           \n\t"
+             "movl  $0xC0000000, %%eax  \n\t"
+             "cpuid                     \n\t"
+             "cmpl  $0xC0000001, %%eax  \n\t"
+             "movl  $0, %%edx           \n\t"
+             "jb    unsupported         \n\t"
+             "movl  $0xC0000001, %%eax  \n\t"
+             "cpuid                     \n\t"
+             "unsupported:              \n\t"
+             "movl  %%edx, %1           \n\t"
+             "movl  %2, %%ebx           \n\t"
+             : "=m" (ebx), "=m" (edx)
+             :  "m" (ebx)
+             : "eax", "ecx", "edx" );
+
+        flags = edx;
+    }
+
+    return( flags & feature );
+}
+
+/*
+ * PadLock AES-ECB block en(de)cryption
+ */
+int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx,
+                       int mode,
+                       const unsigned char input[16],
+                       unsigned char output[16] )
+{
+    int ebx = 0;
+    uint32_t *rk;
+    uint32_t *blk;
+    uint32_t *ctrl;
+    unsigned char buf[256];
+
+    rk  = ctx->rk;
+    blk = MBEDTLS_PADLOCK_ALIGN16( buf );
+    memcpy( blk, input, 16 );
+
+     ctrl = blk + 4;
+    *ctrl = 0x80 | ctx->nr | ( ( ctx->nr + ( mode^1 ) - 10 ) << 9 );
+
+    asm( "pushfl                        \n\t"
+         "popfl                         \n\t"
+         "movl    %%ebx, %0             \n\t"
+         "movl    $1, %%ecx             \n\t"
+         "movl    %2, %%edx             \n\t"
+         "movl    %3, %%ebx             \n\t"
+         "movl    %4, %%esi             \n\t"
+         "movl    %4, %%edi             \n\t"
+         ".byte  0xf3,0x0f,0xa7,0xc8    \n\t"
+         "movl    %1, %%ebx             \n\t"
+         : "=m" (ebx)
+         :  "m" (ebx), "m" (ctrl), "m" (rk), "m" (blk)
+         : "memory", "ecx", "edx", "esi", "edi" );
+
+    memcpy( output, blk, 16 );
+
+    return( 0 );
+}
+
+/*
+ * PadLock AES-CBC buffer en(de)cryption
+ */
+int mbedtls_padlock_xcryptcbc( mbedtls_aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int ebx = 0;
+    size_t count;
+    uint32_t *rk;
+    uint32_t *iw;
+    uint32_t *ctrl;
+    unsigned char buf[256];
+
+    if( ( (long) input  & 15 ) != 0 ||
+        ( (long) output & 15 ) != 0 )
+        return( MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED );
+
+    rk = ctx->rk;
+    iw = MBEDTLS_PADLOCK_ALIGN16( buf );
+    memcpy( iw, iv, 16 );
+
+     ctrl = iw + 4;
+    *ctrl = 0x80 | ctx->nr | ( ( ctx->nr + ( mode ^ 1 ) - 10 ) << 9 );
+
+    count = ( length + 15 ) >> 4;
+
+    asm( "pushfl                        \n\t"
+         "popfl                         \n\t"
+         "movl    %%ebx, %0             \n\t"
+         "movl    %2, %%ecx             \n\t"
+         "movl    %3, %%edx             \n\t"
+         "movl    %4, %%ebx             \n\t"
+         "movl    %5, %%esi             \n\t"
+         "movl    %6, %%edi             \n\t"
+         "movl    %7, %%eax             \n\t"
+         ".byte  0xf3,0x0f,0xa7,0xd0    \n\t"
+         "movl    %1, %%ebx             \n\t"
+         : "=m" (ebx)
+         :  "m" (ebx), "m" (count), "m" (ctrl),
+            "m"  (rk), "m" (input), "m" (output), "m" (iw)
+         : "memory", "eax", "ecx", "edx", "esi", "edi" );
+
+    memcpy( iv, iw, 16 );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_HAVE_X86 */
+
+#endif /* MBEDTLS_PADLOCK_C */
diff --git a/third-party/mbedtls-3.6/library/pem.c b/third-party/mbedtls-3.6/library/pem.c
new file mode 100644
index 00000000..8c070487
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/pem.c
@@ -0,0 +1,520 @@
+/*
+ *  Privacy Enhanced Mail (PEM) decoding
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+
+#include "mbedtls/pem.h"
+#include "mbedtls/base64.h"
+#include "mbedtls/des.h"
+#include "mbedtls/aes.h"
+#include "mbedtls/md5.h"
+#include "mbedtls/cipher.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+void mbedtls_pem_init( mbedtls_pem_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_pem_context ) );
+}
+
+#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
+    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
+/*
+ * Read a 16-byte hex string and convert it to binary
+ */
+static int pem_get_iv( const unsigned char *s, unsigned char *iv,
+                       size_t iv_len )
+{
+    size_t i, j, k;
+
+    memset( iv, 0, iv_len );
+
+    for( i = 0; i < iv_len * 2; i++, s++ )
+    {
+        if( *s >= '0' && *s <= '9' ) j = *s - '0'; else
+        if( *s >= 'A' && *s <= 'F' ) j = *s - '7'; else
+        if( *s >= 'a' && *s <= 'f' ) j = *s - 'W'; else
+            return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
+
+        k = ( ( i & 1 ) != 0 ) ? j : j << 4;
+
+        iv[i >> 1] = (unsigned char)( iv[i >> 1] | k );
+    }
+
+    return( 0 );
+}
+
+static int pem_pbkdf1( unsigned char *key, size_t keylen,
+                       unsigned char *iv,
+                       const unsigned char *pwd, size_t pwdlen )
+{
+    mbedtls_md5_context md5_ctx;
+    unsigned char md5sum[16];
+    size_t use_len;
+    int ret;
+
+    mbedtls_md5_init( &md5_ctx );
+
+    /*
+     * key[ 0..15] = MD5(pwd || IV)
+     */
+    if( ( ret = mbedtls_md5_starts_ret( &md5_ctx ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, pwd, pwdlen ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, iv,  8 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_finish_ret( &md5_ctx, md5sum ) ) != 0 )
+        goto exit;
+
+    if( keylen <= 16 )
+    {
+        memcpy( key, md5sum, keylen );
+        goto exit;
+    }
+
+    memcpy( key, md5sum, 16 );
+
+    /*
+     * key[16..23] = MD5(key[ 0..15] || pwd || IV])
+     */
+    if( ( ret = mbedtls_md5_starts_ret( &md5_ctx ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, md5sum, 16 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, pwd, pwdlen ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, iv, 8 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_finish_ret( &md5_ctx, md5sum ) ) != 0 )
+        goto exit;
+
+    use_len = 16;
+    if( keylen < 32 )
+        use_len = keylen - 16;
+
+    memcpy( key + 16, md5sum, use_len );
+
+exit:
+    mbedtls_md5_free( &md5_ctx );
+    mbedtls_zeroize( md5sum, 16 );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_DES_C)
+/*
+ * Decrypt with DES-CBC, using PBKDF1 for key derivation
+ */
+static int pem_des_decrypt( unsigned char des_iv[8],
+                            unsigned char *buf, size_t buflen,
+                            const unsigned char *pwd, size_t pwdlen )
+{
+    mbedtls_des_context des_ctx;
+    unsigned char des_key[8];
+    int ret;
+
+    mbedtls_des_init( &des_ctx );
+
+    if( ( ret = pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_des_setkey_dec( &des_ctx, des_key ) ) != 0 )
+        goto exit;
+    ret = mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen,
+                     des_iv, buf, buf );
+
+exit:
+    mbedtls_des_free( &des_ctx );
+    mbedtls_zeroize( des_key, 8 );
+
+    return( ret );
+}
+
+/*
+ * Decrypt with 3DES-CBC, using PBKDF1 for key derivation
+ */
+static int pem_des3_decrypt( unsigned char des3_iv[8],
+                             unsigned char *buf, size_t buflen,
+                             const unsigned char *pwd, size_t pwdlen )
+{
+    mbedtls_des3_context des3_ctx;
+    unsigned char des3_key[24];
+    int ret;
+
+    mbedtls_des3_init( &des3_ctx );
+
+    if( ( ret = pem_pbkdf1( des3_key, 24, des3_iv, pwd, pwdlen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_des3_set3key_dec( &des3_ctx, des3_key ) ) != 0 )
+        goto exit;
+    ret = mbedtls_des3_crypt_cbc( &des3_ctx, MBEDTLS_DES_DECRYPT, buflen,
+                     des3_iv, buf, buf );
+
+exit:
+    mbedtls_des3_free( &des3_ctx );
+    mbedtls_zeroize( des3_key, 24 );
+
+    return( ret );
+}
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/*
+ * Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation
+ */
+static int pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen,
+                            unsigned char *buf, size_t buflen,
+                            const unsigned char *pwd, size_t pwdlen )
+{
+    mbedtls_aes_context aes_ctx;
+    unsigned char aes_key[32];
+    int ret;
+
+    mbedtls_aes_init( &aes_ctx );
+
+    if( ( ret = pem_pbkdf1( aes_key, keylen, aes_iv, pwd, pwdlen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 ) ) != 0 )
+        goto exit;
+    ret = mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen,
+                     aes_iv, buf, buf );
+
+exit:
+    mbedtls_aes_free( &aes_ctx );
+    mbedtls_zeroize( aes_key, keylen );
+
+    return( ret );
+}
+#endif /* MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const char *footer,
+                     const unsigned char *data, const unsigned char *pwd,
+                     size_t pwdlen, size_t *use_len )
+{
+    int ret, enc;
+    size_t len;
+    unsigned char *buf;
+    const unsigned char *s1, *s2, *end;
+#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
+    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
+    unsigned char pem_iv[16];
+    mbedtls_cipher_type_t enc_alg = MBEDTLS_CIPHER_NONE;
+#else
+    ((void) pwd);
+    ((void) pwdlen);
+#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+    if( ctx == NULL )
+        return( MBEDTLS_ERR_PEM_BAD_INPUT_DATA );
+
+    s1 = (unsigned char *) strstr( (const char *) data, header );
+
+    if( s1 == NULL )
+        return( MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT );
+
+    s2 = (unsigned char *) strstr( (const char *) data, footer );
+
+    if( s2 == NULL || s2 <= s1 )
+        return( MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT );
+
+    s1 += strlen( header );
+    if( *s1 == ' '  ) s1++;
+    if( *s1 == '\r' ) s1++;
+    if( *s1 == '\n' ) s1++;
+    else return( MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT );
+
+    end = s2;
+    end += strlen( footer );
+    if( *end == ' '  ) end++;
+    if( *end == '\r' ) end++;
+    if( *end == '\n' ) end++;
+    *use_len = end - data;
+
+    enc = 0;
+
+    if( s2 - s1 >= 22 && memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
+    {
+#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
+    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
+        enc++;
+
+        s1 += 22;
+        if( *s1 == '\r' ) s1++;
+        if( *s1 == '\n' ) s1++;
+        else return( MBEDTLS_ERR_PEM_INVALID_DATA );
+
+
+#if defined(MBEDTLS_DES_C)
+        if( s2 - s1 >= 23 && memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
+        {
+            enc_alg = MBEDTLS_CIPHER_DES_EDE3_CBC;
+
+            s1 += 23;
+            if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8 ) != 0 )
+                return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
+
+            s1 += 16;
+        }
+        else if( s2 - s1 >= 18 && memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
+        {
+            enc_alg = MBEDTLS_CIPHER_DES_CBC;
+
+            s1 += 18;
+            if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8) != 0 )
+                return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
+
+            s1 += 16;
+        }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+        if( s2 - s1 >= 14 && memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
+        {
+            if( s2 - s1 < 22 )
+                return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
+            else if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
+                enc_alg = MBEDTLS_CIPHER_AES_128_CBC;
+            else if( memcmp( s1, "DEK-Info: AES-192-CBC,", 22 ) == 0 )
+                enc_alg = MBEDTLS_CIPHER_AES_192_CBC;
+            else if( memcmp( s1, "DEK-Info: AES-256-CBC,", 22 ) == 0 )
+                enc_alg = MBEDTLS_CIPHER_AES_256_CBC;
+            else
+                return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
+
+            s1 += 22;
+            if( s2 - s1 < 32 || pem_get_iv( s1, pem_iv, 16 ) != 0 )
+                return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
+
+            s1 += 32;
+        }
+#endif /* MBEDTLS_AES_C */
+
+        if( enc_alg == MBEDTLS_CIPHER_NONE )
+            return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
+
+        if( *s1 == '\r' ) s1++;
+        if( *s1 == '\n' ) s1++;
+        else return( MBEDTLS_ERR_PEM_INVALID_DATA );
+#else
+        return( MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE );
+#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+    }
+
+    if( s1 >= s2 )
+        return( MBEDTLS_ERR_PEM_INVALID_DATA );
+
+    ret = mbedtls_base64_decode( NULL, 0, &len, s1, s2 - s1 );
+
+    if( ret == MBEDTLS_ERR_BASE64_INVALID_CHARACTER )
+        return( MBEDTLS_ERR_PEM_INVALID_DATA + ret );
+
+    if( ( buf = mbedtls_calloc( 1, len ) ) == NULL )
+        return( MBEDTLS_ERR_PEM_ALLOC_FAILED );
+
+    if( ( ret = mbedtls_base64_decode( buf, len, &len, s1, s2 - s1 ) ) != 0 )
+    {
+        mbedtls_zeroize( buf, len );
+        mbedtls_free( buf );
+        return( MBEDTLS_ERR_PEM_INVALID_DATA + ret );
+    }
+
+    if( enc != 0 )
+    {
+#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
+    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
+        if( pwd == NULL )
+        {
+            mbedtls_zeroize( buf, len );
+            mbedtls_free( buf );
+            return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED );
+        }
+
+        ret = 0;
+
+#if defined(MBEDTLS_DES_C)
+        if( enc_alg == MBEDTLS_CIPHER_DES_EDE3_CBC )
+            ret = pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen );
+        else if( enc_alg == MBEDTLS_CIPHER_DES_CBC )
+            ret = pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen );
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+        if( enc_alg == MBEDTLS_CIPHER_AES_128_CBC )
+            ret = pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen );
+        else if( enc_alg == MBEDTLS_CIPHER_AES_192_CBC )
+            ret = pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen );
+        else if( enc_alg == MBEDTLS_CIPHER_AES_256_CBC )
+            ret = pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen );
+#endif /* MBEDTLS_AES_C */
+
+        if( ret != 0 )
+        {
+            mbedtls_free( buf );
+            return( ret );
+        }
+
+        /*
+         * The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3
+         * length bytes (allow 4 to be sure) in all known use cases.
+         *
+         * Use that as heurisitic to try detecting password mismatchs.
+         */
+        if( len <= 2 || buf[0] != 0x30 || buf[1] > 0x83 )
+        {
+            mbedtls_zeroize( buf, len );
+            mbedtls_free( buf );
+            return( MBEDTLS_ERR_PEM_PASSWORD_MISMATCH );
+        }
+#else
+        mbedtls_zeroize( buf, len );
+        mbedtls_free( buf );
+        return( MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE );
+#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+    }
+
+    ctx->buf = buf;
+    ctx->buflen = len;
+
+    return( 0 );
+}
+
+void mbedtls_pem_free( mbedtls_pem_context *ctx )
+{
+    if( ctx->buf != NULL )
+        mbedtls_zeroize( ctx->buf, ctx->buflen );
+    mbedtls_free( ctx->buf );
+    mbedtls_free( ctx->info );
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_pem_context ) );
+}
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_pem_write_buffer( const char *header, const char *footer,
+                      const unsigned char *der_data, size_t der_len,
+                      unsigned char *buf, size_t buf_len, size_t *olen )
+{
+    int ret;
+    unsigned char *encode_buf = NULL, *c, *p = buf;
+    size_t len = 0, use_len, add_len = 0;
+
+    mbedtls_base64_encode( NULL, 0, &use_len, der_data, der_len );
+    add_len = strlen( header ) + strlen( footer ) + ( use_len / 64 ) + 1;
+
+    if( use_len + add_len > buf_len )
+    {
+        *olen = use_len + add_len;
+        return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
+    }
+
+    if( use_len != 0 &&
+        ( ( encode_buf = mbedtls_calloc( 1, use_len ) ) == NULL ) )
+        return( MBEDTLS_ERR_PEM_ALLOC_FAILED );
+
+    if( ( ret = mbedtls_base64_encode( encode_buf, use_len, &use_len, der_data,
+                               der_len ) ) != 0 )
+    {
+        mbedtls_free( encode_buf );
+        return( ret );
+    }
+
+    memcpy( p, header, strlen( header ) );
+    p += strlen( header );
+    c = encode_buf;
+
+    while( use_len )
+    {
+        len = ( use_len > 64 ) ? 64 : use_len;
+        memcpy( p, c, len );
+        use_len -= len;
+        p += len;
+        c += len;
+        *p++ = '\n';
+    }
+
+    memcpy( p, footer, strlen( footer ) );
+    p += strlen( footer );
+
+    *p++ = '\0';
+    *olen = p - buf;
+
+    /* Clean any remaining data previously written to the buffer */
+    memset( buf + *olen, 0, buf_len - *olen );
+
+    mbedtls_free( encode_buf );
+    return( 0 );
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
diff --git a/third-party/mbedtls-3.6/library/pk.c b/third-party/mbedtls-3.6/library/pk.c
new file mode 100644
index 00000000..bf96debb
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/pk.c
@@ -0,0 +1,407 @@
+/*
+ *  Public Key abstraction layer
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PK_C)
+#include "mbedtls/pk.h"
+#include "mbedtls/pk_internal.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+
+#include <limits.h>
+#include <stdint.h>
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * Initialise a mbedtls_pk_context
+ */
+void mbedtls_pk_init( mbedtls_pk_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    ctx->pk_info = NULL;
+    ctx->pk_ctx = NULL;
+}
+
+/*
+ * Free (the components of) a mbedtls_pk_context
+ */
+void mbedtls_pk_free( mbedtls_pk_context *ctx )
+{
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return;
+
+    ctx->pk_info->ctx_free_func( ctx->pk_ctx );
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_pk_context ) );
+}
+
+/*
+ * Get pk_info structure from type
+ */
+const mbedtls_pk_info_t * mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type )
+{
+    switch( pk_type ) {
+#if defined(MBEDTLS_RSA_C)
+        case MBEDTLS_PK_RSA:
+            return( &mbedtls_rsa_info );
+#endif
+#if defined(MBEDTLS_ECP_C)
+        case MBEDTLS_PK_ECKEY:
+            return( &mbedtls_eckey_info );
+        case MBEDTLS_PK_ECKEY_DH:
+            return( &mbedtls_eckeydh_info );
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+        case MBEDTLS_PK_ECDSA:
+            return( &mbedtls_ecdsa_info );
+#endif
+        /* MBEDTLS_PK_RSA_ALT omitted on purpose */
+        default:
+            return( NULL );
+    }
+}
+
+/*
+ * Initialise context
+ */
+int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info )
+{
+    if( ctx == NULL || info == NULL || ctx->pk_info != NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
+        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+    ctx->pk_info = info;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/*
+ * Initialize an RSA-alt context
+ */
+int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
+                         mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
+                         mbedtls_pk_rsa_alt_sign_func sign_func,
+                         mbedtls_pk_rsa_alt_key_len_func key_len_func )
+{
+    mbedtls_rsa_alt_context *rsa_alt;
+    const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
+
+    if( ctx == NULL || ctx->pk_info != NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
+        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+    ctx->pk_info = info;
+
+    rsa_alt = (mbedtls_rsa_alt_context *) ctx->pk_ctx;
+
+    rsa_alt->key = key;
+    rsa_alt->decrypt_func = decrypt_func;
+    rsa_alt->sign_func = sign_func;
+    rsa_alt->key_len_func = key_len_func;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/*
+ * Tell if a PK can do the operations of the given type
+ */
+int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type )
+{
+    /* null or NONE context can't do anything */
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( 0 );
+
+    return( ctx->pk_info->can_do( type ) );
+}
+
+/*
+ * Helper for mbedtls_pk_sign and mbedtls_pk_verify
+ */
+static inline int pk_hashlen_helper( mbedtls_md_type_t md_alg, size_t *hash_len )
+{
+    const mbedtls_md_info_t *md_info;
+
+    if( *hash_len != 0 )
+        return( 0 );
+
+    if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
+        return( -1 );
+
+    *hash_len = mbedtls_md_get_size( md_info );
+    return( 0 );
+}
+
+/*
+ * Verify a signature
+ */
+int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+               const unsigned char *hash, size_t hash_len,
+               const unsigned char *sig, size_t sig_len )
+{
+    if( ctx == NULL || ctx->pk_info == NULL ||
+        pk_hashlen_helper( md_alg, &hash_len ) != 0 )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ctx->pk_info->verify_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    return( ctx->pk_info->verify_func( ctx->pk_ctx, md_alg, hash, hash_len,
+                                       sig, sig_len ) );
+}
+
+/*
+ * Verify a signature with options
+ */
+int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
+                   mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   const unsigned char *sig, size_t sig_len )
+{
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ! mbedtls_pk_can_do( ctx, type ) )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    if( type == MBEDTLS_PK_RSASSA_PSS )
+    {
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
+        int ret;
+        const mbedtls_pk_rsassa_pss_options *pss_opts;
+
+#if SIZE_MAX > UINT_MAX
+        if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
+            return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* SIZE_MAX > UINT_MAX */
+
+        if( options == NULL )
+            return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+        pss_opts = (const mbedtls_pk_rsassa_pss_options *) options;
+
+        if( sig_len < mbedtls_pk_get_len( ctx ) )
+            return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+
+        ret = mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_pk_rsa( *ctx ),
+                NULL, NULL, MBEDTLS_RSA_PUBLIC,
+                md_alg, (unsigned int) hash_len, hash,
+                pss_opts->mgf1_hash_id,
+                pss_opts->expected_salt_len,
+                sig );
+        if( ret != 0 )
+            return( ret );
+
+        if( sig_len > mbedtls_pk_get_len( ctx ) )
+            return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
+        return( 0 );
+#else
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+#endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
+    }
+
+    /* General case: no options */
+    if( options != NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    return( mbedtls_pk_verify( ctx, md_alg, hash, hash_len, sig, sig_len ) );
+}
+
+/*
+ * Make a signature
+ */
+int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+             const unsigned char *hash, size_t hash_len,
+             unsigned char *sig, size_t *sig_len,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    if( ctx == NULL || ctx->pk_info == NULL ||
+        pk_hashlen_helper( md_alg, &hash_len ) != 0 )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ctx->pk_info->sign_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    return( ctx->pk_info->sign_func( ctx->pk_ctx, md_alg, hash, hash_len,
+                                     sig, sig_len, f_rng, p_rng ) );
+}
+
+/*
+ * Decrypt message
+ */
+int mbedtls_pk_decrypt( mbedtls_pk_context *ctx,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output, size_t *olen, size_t osize,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ctx->pk_info->decrypt_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    return( ctx->pk_info->decrypt_func( ctx->pk_ctx, input, ilen,
+                output, olen, osize, f_rng, p_rng ) );
+}
+
+/*
+ * Encrypt message
+ */
+int mbedtls_pk_encrypt( mbedtls_pk_context *ctx,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output, size_t *olen, size_t osize,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ctx->pk_info->encrypt_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    return( ctx->pk_info->encrypt_func( ctx->pk_ctx, input, ilen,
+                output, olen, osize, f_rng, p_rng ) );
+}
+
+/*
+ * Check public-private key pair
+ */
+int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, const mbedtls_pk_context *prv )
+{
+    if( pub == NULL || pub->pk_info == NULL ||
+        prv == NULL || prv->pk_info == NULL ||
+        prv->pk_info->check_pair_func == NULL )
+    {
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+    }
+
+    if( prv->pk_info->type == MBEDTLS_PK_RSA_ALT )
+    {
+        if( pub->pk_info->type != MBEDTLS_PK_RSA )
+            return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+    }
+    else
+    {
+        if( pub->pk_info != prv->pk_info )
+            return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+    }
+
+    return( prv->pk_info->check_pair_func( pub->pk_ctx, prv->pk_ctx ) );
+}
+
+/*
+ * Get key size in bits
+ */
+size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx )
+{
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( 0 );
+
+    return( ctx->pk_info->get_bitlen( ctx->pk_ctx ) );
+}
+
+/*
+ * Export debug information
+ */
+int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items )
+{
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ctx->pk_info->debug_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    ctx->pk_info->debug_func( ctx->pk_ctx, items );
+    return( 0 );
+}
+
+/*
+ * Access the PK type name
+ */
+const char *mbedtls_pk_get_name( const mbedtls_pk_context *ctx )
+{
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( "invalid PK" );
+
+    return( ctx->pk_info->name );
+}
+
+/*
+ * Access the PK type
+ */
+mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx )
+{
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( MBEDTLS_PK_NONE );
+
+    return( ctx->pk_info->type );
+}
+
+#endif /* MBEDTLS_PK_C */
diff --git a/third-party/mbedtls-3.6/library/pk_wrap.c b/third-party/mbedtls-3.6/library/pk_wrap.c
new file mode 100644
index 00000000..966a17c1
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/pk_wrap.c
@@ -0,0 +1,551 @@
+/*
+ *  Public Key abstraction layer: wrapper functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PK_C)
+#include "mbedtls/pk_internal.h"
+
+/* Even if RSA not activated, for the sake of RSA-alt */
+#include "mbedtls/rsa.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include <limits.h>
+#include <stdint.h>
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+static int rsa_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_RSA ||
+            type == MBEDTLS_PK_RSASSA_PSS );
+}
+
+static size_t rsa_get_bitlen( const void *ctx )
+{
+    const mbedtls_rsa_context * rsa = (const mbedtls_rsa_context *) ctx;
+    return( 8 * mbedtls_rsa_get_len( rsa ) );
+}
+
+static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   const unsigned char *sig, size_t sig_len )
+{
+    int ret;
+    mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
+    size_t rsa_len = mbedtls_rsa_get_len( rsa );
+
+#if SIZE_MAX > UINT_MAX
+    if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* SIZE_MAX > UINT_MAX */
+
+    if( sig_len < rsa_len )
+        return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+
+    if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL,
+                                  MBEDTLS_RSA_PUBLIC, md_alg,
+                                  (unsigned int) hash_len, hash, sig ) ) != 0 )
+        return( ret );
+
+    /* The buffer contains a valid signature followed by extra data.
+     * We have a special error code for that so that so that callers can
+     * use mbedtls_pk_verify() to check "Does the buffer start with a
+     * valid signature?" and not just "Does the buffer contain a valid
+     * signature?". */
+    if( sig_len > rsa_len )
+        return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
+    return( 0 );
+}
+
+static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
+
+#if SIZE_MAX > UINT_MAX
+    if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* SIZE_MAX > UINT_MAX */
+
+    *sig_len = mbedtls_rsa_get_len( rsa );
+
+    return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
+                md_alg, (unsigned int) hash_len, hash, sig ) );
+}
+
+static int rsa_decrypt_wrap( void *ctx,
+                    const unsigned char *input, size_t ilen,
+                    unsigned char *output, size_t *olen, size_t osize,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
+
+    if( ilen != mbedtls_rsa_get_len( rsa ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng,
+                MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
+}
+
+static int rsa_encrypt_wrap( void *ctx,
+                    const unsigned char *input, size_t ilen,
+                    unsigned char *output, size_t *olen, size_t osize,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
+    *olen = mbedtls_rsa_get_len( rsa );
+
+    if( *olen > osize )
+        return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
+
+    return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC,
+                                       ilen, input, output ) );
+}
+
+static int rsa_check_pair_wrap( const void *pub, const void *prv )
+{
+    return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub,
+                                (const mbedtls_rsa_context *) prv ) );
+}
+
+static void *rsa_alloc_wrap( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) );
+
+    if( ctx != NULL )
+        mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 );
+
+    return( ctx );
+}
+
+static void rsa_free_wrap( void *ctx )
+{
+    mbedtls_rsa_free( (mbedtls_rsa_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items )
+{
+    items->type = MBEDTLS_PK_DEBUG_MPI;
+    items->name = "rsa.N";
+    items->value = &( ((mbedtls_rsa_context *) ctx)->N );
+
+    items++;
+
+    items->type = MBEDTLS_PK_DEBUG_MPI;
+    items->name = "rsa.E";
+    items->value = &( ((mbedtls_rsa_context *) ctx)->E );
+}
+
+const mbedtls_pk_info_t mbedtls_rsa_info = {
+    MBEDTLS_PK_RSA,
+    "RSA",
+    rsa_get_bitlen,
+    rsa_can_do,
+    rsa_verify_wrap,
+    rsa_sign_wrap,
+    rsa_decrypt_wrap,
+    rsa_encrypt_wrap,
+    rsa_check_pair_wrap,
+    rsa_alloc_wrap,
+    rsa_free_wrap,
+    rsa_debug,
+};
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Generic EC key
+ */
+static int eckey_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_ECKEY ||
+            type == MBEDTLS_PK_ECKEY_DH ||
+            type == MBEDTLS_PK_ECDSA );
+}
+
+static size_t eckey_get_bitlen( const void *ctx )
+{
+    return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits );
+}
+
+#if defined(MBEDTLS_ECDSA_C)
+/* Forward declarations */
+static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len );
+
+static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len )
+{
+    int ret;
+    mbedtls_ecdsa_context ecdsa;
+
+    mbedtls_ecdsa_init( &ecdsa );
+
+    if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
+        ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len );
+
+    mbedtls_ecdsa_free( &ecdsa );
+
+    return( ret );
+}
+
+static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+    mbedtls_ecdsa_context ecdsa;
+
+    mbedtls_ecdsa_init( &ecdsa );
+
+    if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
+        ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len,
+                               f_rng, p_rng );
+
+    mbedtls_ecdsa_free( &ecdsa );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_ECDSA_C */
+
+static int eckey_check_pair( const void *pub, const void *prv )
+{
+    return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub,
+                                (const mbedtls_ecp_keypair *) prv ) );
+}
+
+static void *eckey_alloc_wrap( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) );
+
+    if( ctx != NULL )
+        mbedtls_ecp_keypair_init( ctx );
+
+    return( ctx );
+}
+
+static void eckey_free_wrap( void *ctx )
+{
+    mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items )
+{
+    items->type = MBEDTLS_PK_DEBUG_ECP;
+    items->name = "eckey.Q";
+    items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q );
+}
+
+const mbedtls_pk_info_t mbedtls_eckey_info = {
+    MBEDTLS_PK_ECKEY,
+    "EC",
+    eckey_get_bitlen,
+    eckey_can_do,
+#if defined(MBEDTLS_ECDSA_C)
+    eckey_verify_wrap,
+    eckey_sign_wrap,
+#else
+    NULL,
+    NULL,
+#endif
+    NULL,
+    NULL,
+    eckey_check_pair,
+    eckey_alloc_wrap,
+    eckey_free_wrap,
+    eckey_debug,
+};
+
+/*
+ * EC key restricted to ECDH
+ */
+static int eckeydh_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_ECKEY ||
+            type == MBEDTLS_PK_ECKEY_DH );
+}
+
+const mbedtls_pk_info_t mbedtls_eckeydh_info = {
+    MBEDTLS_PK_ECKEY_DH,
+    "EC_DH",
+    eckey_get_bitlen,         /* Same underlying key structure */
+    eckeydh_can_do,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    eckey_check_pair,
+    eckey_alloc_wrap,       /* Same underlying key structure */
+    eckey_free_wrap,        /* Same underlying key structure */
+    eckey_debug,            /* Same underlying key structure */
+};
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_ECDSA_C)
+static int ecdsa_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_ECDSA );
+}
+
+static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len )
+{
+    int ret;
+    ((void) md_alg);
+
+    ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx,
+                                hash, hash_len, sig, sig_len );
+
+    if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
+        return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
+    return( ret );
+}
+
+static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx,
+                md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) );
+}
+
+static void *ecdsa_alloc_wrap( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) );
+
+    if( ctx != NULL )
+        mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx );
+
+    return( ctx );
+}
+
+static void ecdsa_free_wrap( void *ctx )
+{
+    mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+const mbedtls_pk_info_t mbedtls_ecdsa_info = {
+    MBEDTLS_PK_ECDSA,
+    "ECDSA",
+    eckey_get_bitlen,     /* Compatible key structures */
+    ecdsa_can_do,
+    ecdsa_verify_wrap,
+    ecdsa_sign_wrap,
+    NULL,
+    NULL,
+    eckey_check_pair,   /* Compatible key structures */
+    ecdsa_alloc_wrap,
+    ecdsa_free_wrap,
+    eckey_debug,        /* Compatible key structures */
+};
+#endif /* MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/*
+ * Support for alternative RSA-private implementations
+ */
+
+static int rsa_alt_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_RSA );
+}
+
+static size_t rsa_alt_get_bitlen( const void *ctx )
+{
+    const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx;
+
+    return( 8 * rsa_alt->key_len_func( rsa_alt->key ) );
+}
+
+static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
+
+#if SIZE_MAX > UINT_MAX
+    if( UINT_MAX < hash_len )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* SIZE_MAX > UINT_MAX */
+
+    *sig_len = rsa_alt->key_len_func( rsa_alt->key );
+
+    return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
+                md_alg, (unsigned int) hash_len, hash, sig ) );
+}
+
+static int rsa_alt_decrypt_wrap( void *ctx,
+                    const unsigned char *input, size_t ilen,
+                    unsigned char *output, size_t *olen, size_t osize,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
+
+    ((void) f_rng);
+    ((void) p_rng);
+
+    if( ilen != rsa_alt->key_len_func( rsa_alt->key ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    return( rsa_alt->decrypt_func( rsa_alt->key,
+                MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
+}
+
+#if defined(MBEDTLS_RSA_C)
+static int rsa_alt_check_pair( const void *pub, const void *prv )
+{
+    unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
+    unsigned char hash[32];
+    size_t sig_len = 0;
+    int ret;
+
+    if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) )
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+
+    memset( hash, 0x2a, sizeof( hash ) );
+
+    if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE,
+                                   hash, sizeof( hash ),
+                                   sig, &sig_len, NULL, NULL ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE,
+                         hash, sizeof( hash ), sig, sig_len ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_RSA_C */
+
+static void *rsa_alt_alloc_wrap( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) );
+
+    if( ctx != NULL )
+        memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) );
+
+    return( ctx );
+}
+
+static void rsa_alt_free_wrap( void *ctx )
+{
+    mbedtls_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) );
+    mbedtls_free( ctx );
+}
+
+const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
+    MBEDTLS_PK_RSA_ALT,
+    "RSA-alt",
+    rsa_alt_get_bitlen,
+    rsa_alt_can_do,
+    NULL,
+    rsa_alt_sign_wrap,
+    rsa_alt_decrypt_wrap,
+    NULL,
+#if defined(MBEDTLS_RSA_C)
+    rsa_alt_check_pair,
+#else
+    NULL,
+#endif
+    rsa_alt_alloc_wrap,
+    rsa_alt_free_wrap,
+    NULL,
+};
+
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+#endif /* MBEDTLS_PK_C */
diff --git a/third-party/mbedtls-3.6/library/pkcs11.c b/third-party/mbedtls-3.6/library/pkcs11.c
new file mode 100644
index 00000000..cf484b86
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/pkcs11.c
@@ -0,0 +1,265 @@
+/**
+ * \file pkcs11.c
+ *
+ * \brief Wrapper for PKCS#11 library libpkcs11-helper
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#include "mbedtls/pkcs11.h"
+
+#if defined(MBEDTLS_PKCS11_C)
+
+#include "mbedtls/md.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/x509_crt.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include <string.h>
+
+void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_pkcs11_context ) );
+}
+
+int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11_cert )
+{
+    int ret = 1;
+    unsigned char *cert_blob = NULL;
+    size_t cert_blob_size = 0;
+
+    if( cert == NULL )
+    {
+        ret = 2;
+        goto cleanup;
+    }
+
+    if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL,
+                                                &cert_blob_size ) != CKR_OK )
+    {
+        ret = 3;
+        goto cleanup;
+    }
+
+    cert_blob = mbedtls_calloc( 1, cert_blob_size );
+    if( NULL == cert_blob )
+    {
+        ret = 4;
+        goto cleanup;
+    }
+
+    if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob,
+                                                &cert_blob_size ) != CKR_OK )
+    {
+        ret = 5;
+        goto cleanup;
+    }
+
+    if( 0 != mbedtls_x509_crt_parse( cert, cert_blob, cert_blob_size ) )
+    {
+        ret = 6;
+        goto cleanup;
+    }
+
+    ret = 0;
+
+cleanup:
+    if( NULL != cert_blob )
+        mbedtls_free( cert_blob );
+
+    return( ret );
+}
+
+
+int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
+        pkcs11h_certificate_t pkcs11_cert )
+{
+    int ret = 1;
+    mbedtls_x509_crt cert;
+
+    mbedtls_x509_crt_init( &cert );
+
+    if( priv_key == NULL )
+        goto cleanup;
+
+    if( 0 != mbedtls_pkcs11_x509_cert_bind( &cert, pkcs11_cert ) )
+        goto cleanup;
+
+    priv_key->len = mbedtls_pk_get_len( &cert.pk );
+    priv_key->pkcs11h_cert = pkcs11_cert;
+
+    ret = 0;
+
+cleanup:
+    mbedtls_x509_crt_free( &cert );
+
+    return( ret );
+}
+
+void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key )
+{
+    if( NULL != priv_key )
+        pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
+}
+
+int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
+                       int mode, size_t *olen,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t output_max_len )
+{
+    size_t input_len, output_len;
+
+    if( NULL == ctx )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( MBEDTLS_RSA_PRIVATE != mode )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    output_len = input_len = ctx->len;
+
+    if( input_len < 16 || input_len > output_max_len )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /* Determine size of output buffer */
+    if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
+            input_len, NULL, &output_len ) != CKR_OK )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    if( output_len > output_max_len )
+        return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
+
+    if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
+            input_len, output, &output_len ) != CKR_OK )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+    *olen = output_len;
+    return( 0 );
+}
+
+int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
+                    int mode,
+                    mbedtls_md_type_t md_alg,
+                    unsigned int hashlen,
+                    const unsigned char *hash,
+                    unsigned char *sig )
+{
+    size_t sig_len = 0, asn_len = 0, oid_size = 0;
+    unsigned char *p = sig;
+    const char *oid;
+
+    if( NULL == ctx )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( MBEDTLS_RSA_PRIVATE != mode )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+        if( md_info == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = mbedtls_md_get_size( md_info );
+        asn_len = 10 + oid_size;
+    }
+
+    sig_len = ctx->len;
+    if( hashlen > sig_len || asn_len > sig_len ||
+        hashlen + asn_len > sig_len )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        /*
+         * DigestInfo ::= SEQUENCE {
+         *   digestAlgorithm DigestAlgorithmIdentifier,
+         *   digest Digest }
+         *
+         * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+         *
+         * Digest ::= OCTET STRING
+         */
+        *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+        *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
+        *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+        *p++ = (unsigned char) ( 0x04 + oid_size );
+        *p++ = MBEDTLS_ASN1_OID;
+        *p++ = oid_size & 0xFF;
+        memcpy( p, oid, oid_size );
+        p += oid_size;
+        *p++ = MBEDTLS_ASN1_NULL;
+        *p++ = 0x00;
+        *p++ = MBEDTLS_ASN1_OCTET_STRING;
+        *p++ = hashlen;
+    }
+
+    memcpy( p, hash, hashlen );
+
+    if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
+            asn_len + hashlen, sig, &sig_len ) != CKR_OK )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    return( 0 );
+}
+
+#endif /* defined(MBEDTLS_PKCS11_C) */
diff --git a/third-party/mbedtls-3.6/library/pkcs12.c b/third-party/mbedtls-3.6/library/pkcs12.c
new file mode 100644
index 00000000..9ee63c2d
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/pkcs12.c
@@ -0,0 +1,394 @@
+/*
+ *  PKCS#12 Personal Information Exchange Syntax
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The PKCS #12 Personal Information Exchange Syntax Standard v1.1
+ *
+ *  http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
+ *  ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PKCS12_C)
+
+#include "mbedtls/pkcs12.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/cipher.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ARC4_C)
+#include "mbedtls/arc4.h"
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
+static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params,
+                                    mbedtls_asn1_buf *salt, int *iterations )
+{
+    int ret;
+    unsigned char **p = &params->p;
+    const unsigned char *end = params->p + params->len;
+
+    /*
+     *  pkcs-12PbeParams ::= SEQUENCE {
+     *    salt          OCTET STRING,
+     *    iterations    INTEGER
+     *  }
+     *
+     */
+    if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret );
+
+    salt->p = *p;
+    *p += salt->len;
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, iterations ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret );
+
+    if( *p != end )
+        return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+#define PKCS12_MAX_PWDLEN 128
+
+static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
+                                     const unsigned char *pwd,  size_t pwdlen,
+                                     unsigned char *key, size_t keylen,
+                                     unsigned char *iv,  size_t ivlen )
+{
+    int ret, iterations = 0;
+    mbedtls_asn1_buf salt;
+    size_t i;
+    unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
+
+    if( pwdlen > PKCS12_MAX_PWDLEN )
+        return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA );
+
+    memset( &salt, 0, sizeof(mbedtls_asn1_buf) );
+    memset( &unipwd, 0, sizeof(unipwd) );
+
+    if( ( ret = pkcs12_parse_pbe_params( pbe_params, &salt,
+                                         &iterations ) ) != 0 )
+        return( ret );
+
+    for( i = 0; i < pwdlen; i++ )
+        unipwd[i * 2 + 1] = pwd[i];
+
+    if( ( ret = mbedtls_pkcs12_derivation( key, keylen, unipwd, pwdlen * 2 + 2,
+                                   salt.p, salt.len, md_type,
+                                   MBEDTLS_PKCS12_DERIVE_KEY, iterations ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( iv == NULL || ivlen == 0 )
+        return( 0 );
+
+    if( ( ret = mbedtls_pkcs12_derivation( iv, ivlen, unipwd, pwdlen * 2 + 2,
+                                   salt.p, salt.len, md_type,
+                                   MBEDTLS_PKCS12_DERIVE_IV, iterations ) ) != 0 )
+    {
+        return( ret );
+    }
+    return( 0 );
+}
+
+#undef PKCS12_MAX_PWDLEN
+
+int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode,
+                             const unsigned char *pwd,  size_t pwdlen,
+                             const unsigned char *data, size_t len,
+                             unsigned char *output )
+{
+#if !defined(MBEDTLS_ARC4_C)
+    ((void) pbe_params);
+    ((void) mode);
+    ((void) pwd);
+    ((void) pwdlen);
+    ((void) data);
+    ((void) len);
+    ((void) output);
+    return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE );
+#else
+    int ret;
+    unsigned char key[16];
+    mbedtls_arc4_context ctx;
+    ((void) mode);
+
+    mbedtls_arc4_init( &ctx );
+
+    if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, MBEDTLS_MD_SHA1,
+                                          pwd, pwdlen,
+                                          key, 16, NULL, 0 ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    mbedtls_arc4_setup( &ctx, key, 16 );
+    if( ( ret = mbedtls_arc4_crypt( &ctx, len, data, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_zeroize( key, sizeof( key ) );
+    mbedtls_arc4_free( &ctx );
+
+    return( ret );
+#endif /* MBEDTLS_ARC4_C */
+}
+
+int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode,
+                mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+                const unsigned char *pwd,  size_t pwdlen,
+                const unsigned char *data, size_t len,
+                unsigned char *output )
+{
+    int ret, keylen = 0;
+    unsigned char key[32];
+    unsigned char iv[16];
+    const mbedtls_cipher_info_t *cipher_info;
+    mbedtls_cipher_context_t cipher_ctx;
+    size_t olen = 0;
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher_type );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE );
+
+    keylen = cipher_info->key_bitlen / 8;
+
+    if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, md_type, pwd, pwdlen,
+                                          key, keylen,
+                                          iv, cipher_info->iv_size ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    mbedtls_cipher_init( &cipher_ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_set_iv( &cipher_ctx, iv, cipher_info->iv_size ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_reset( &cipher_ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_update( &cipher_ctx, data, len,
+                                output, &olen ) ) != 0 )
+    {
+        goto exit;
+    }
+
+    if( ( ret = mbedtls_cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 )
+        ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
+
+exit:
+    mbedtls_zeroize( key, sizeof( key ) );
+    mbedtls_zeroize( iv,  sizeof( iv  ) );
+    mbedtls_cipher_free( &cipher_ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+static void pkcs12_fill_buffer( unsigned char *data, size_t data_len,
+                                const unsigned char *filler, size_t fill_len )
+{
+    unsigned char *p = data;
+    size_t use_len;
+
+    while( data_len > 0 )
+    {
+        use_len = ( data_len > fill_len ) ? fill_len : data_len;
+        memcpy( p, filler, use_len );
+        p += use_len;
+        data_len -= use_len;
+    }
+}
+
+int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen,
+                       const unsigned char *pwd, size_t pwdlen,
+                       const unsigned char *salt, size_t saltlen,
+                       mbedtls_md_type_t md_type, int id, int iterations )
+{
+    int ret;
+    unsigned int j;
+
+    unsigned char diversifier[128];
+    unsigned char salt_block[128], pwd_block[128], hash_block[128];
+    unsigned char hash_output[MBEDTLS_MD_MAX_SIZE];
+    unsigned char *p;
+    unsigned char c;
+
+    size_t hlen, use_len, v, i;
+
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+
+    // This version only allows max of 64 bytes of password or salt
+    if( datalen > 128 || pwdlen > 64 || saltlen > 64 )
+        return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA );
+
+    md_info = mbedtls_md_info_from_type( md_type );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE );
+
+    mbedtls_md_init( &md_ctx );
+
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+        return( ret );
+    hlen = mbedtls_md_get_size( md_info );
+
+    if( hlen <= 32 )
+        v = 64;
+    else
+        v = 128;
+
+    memset( diversifier, (unsigned char) id, v );
+
+    pkcs12_fill_buffer( salt_block, v, salt, saltlen );
+    pkcs12_fill_buffer( pwd_block,  v, pwd,  pwdlen  );
+
+    p = data;
+    while( datalen > 0 )
+    {
+        // Calculate hash( diversifier || salt_block || pwd_block )
+        if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md_update( &md_ctx, diversifier, v ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md_update( &md_ctx, salt_block, v ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md_update( &md_ctx, pwd_block, v ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md_finish( &md_ctx, hash_output ) ) != 0 )
+            goto exit;
+
+        // Perform remaining ( iterations - 1 ) recursive hash calculations
+        for( i = 1; i < (size_t) iterations; i++ )
+        {
+            if( ( ret = mbedtls_md( md_info, hash_output, hlen, hash_output ) ) != 0 )
+                goto exit;
+        }
+
+        use_len = ( datalen > hlen ) ? hlen : datalen;
+        memcpy( p, hash_output, use_len );
+        datalen -= use_len;
+        p += use_len;
+
+        if( datalen == 0 )
+            break;
+
+        // Concatenating copies of hash_output into hash_block (B)
+        pkcs12_fill_buffer( hash_block, v, hash_output, hlen );
+
+        // B += 1
+        for( i = v; i > 0; i-- )
+            if( ++hash_block[i - 1] != 0 )
+                break;
+
+        // salt_block += B
+        c = 0;
+        for( i = v; i > 0; i-- )
+        {
+            j = salt_block[i - 1] + hash_block[i - 1] + c;
+            c = (unsigned char) (j >> 8);
+            salt_block[i - 1] = j & 0xFF;
+        }
+
+        // pwd_block  += B
+        c = 0;
+        for( i = v; i > 0; i-- )
+        {
+            j = pwd_block[i - 1] + hash_block[i - 1] + c;
+            c = (unsigned char) (j >> 8);
+            pwd_block[i - 1] = j & 0xFF;
+        }
+    }
+
+    ret = 0;
+
+exit:
+    mbedtls_zeroize( salt_block, sizeof( salt_block ) );
+    mbedtls_zeroize( pwd_block, sizeof( pwd_block ) );
+    mbedtls_zeroize( hash_block, sizeof( hash_block ) );
+    mbedtls_zeroize( hash_output, sizeof( hash_output ) );
+
+    mbedtls_md_free( &md_ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_PKCS12_C */
diff --git a/third-party/mbedtls-3.6/library/pkcs5.c b/third-party/mbedtls-3.6/library/pkcs5.c
new file mode 100644
index 00000000..7d392a64
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/pkcs5.c
@@ -0,0 +1,446 @@
+/**
+ * \file pkcs5.c
+ *
+ * \brief PKCS#5 functions
+ *
+ * \author Mathias Olsson <mathias@kompetensum.com>
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ * PKCS#5 includes PBKDF2 and more
+ *
+ * http://tools.ietf.org/html/rfc2898 (Specification)
+ * http://tools.ietf.org/html/rfc6070 (Test vectors)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PKCS5_C)
+
+#include "mbedtls/pkcs5.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/oid.h"
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+static int pkcs5_parse_pbkdf2_params( const mbedtls_asn1_buf *params,
+                                      mbedtls_asn1_buf *salt, int *iterations,
+                                      int *keylen, mbedtls_md_type_t *md_type )
+{
+    int ret;
+    mbedtls_asn1_buf prf_alg_oid;
+    unsigned char *p = params->p;
+    const unsigned char *end = params->p + params->len;
+
+    if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+    /*
+     *  PBKDF2-params ::= SEQUENCE {
+     *    salt              OCTET STRING,
+     *    iterationCount    INTEGER,
+     *    keyLength         INTEGER OPTIONAL
+     *    prf               AlgorithmIdentifier DEFAULT algid-hmacWithSHA1
+     *  }
+     *
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+
+    salt->p = p;
+    p += salt->len;
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, iterations ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+
+    if( p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, keylen ) ) != 0 )
+    {
+        if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+    }
+
+    if( p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_alg_null( &p, end, &prf_alg_oid ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+
+    if( mbedtls_oid_get_md_hmac( &prf_alg_oid, md_type ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    if( p != end )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
+                 const unsigned char *pwd,  size_t pwdlen,
+                 const unsigned char *data, size_t datalen,
+                 unsigned char *output )
+{
+    int ret, iterations = 0, keylen = 0;
+    unsigned char *p, *end;
+    mbedtls_asn1_buf kdf_alg_oid, enc_scheme_oid, kdf_alg_params, enc_scheme_params;
+    mbedtls_asn1_buf salt;
+    mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1;
+    unsigned char key[32], iv[32];
+    size_t olen = 0;
+    const mbedtls_md_info_t *md_info;
+    const mbedtls_cipher_info_t *cipher_info;
+    mbedtls_md_context_t md_ctx;
+    mbedtls_cipher_type_t cipher_alg;
+    mbedtls_cipher_context_t cipher_ctx;
+
+    p = pbe_params->p;
+    end = p + pbe_params->len;
+
+    /*
+     *  PBES2-params ::= SEQUENCE {
+     *    keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
+     *    encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
+     *  }
+     */
+    if( pbe_params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    if( ( ret = mbedtls_asn1_get_alg( &p, end, &kdf_alg_oid, &kdf_alg_params ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+
+    // Only PBKDF2 supported at the moment
+    //
+    if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBKDF2, &kdf_alg_oid ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    if( ( ret = pkcs5_parse_pbkdf2_params( &kdf_alg_params,
+                                           &salt, &iterations, &keylen,
+                                           &md_type ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    md_info = mbedtls_md_info_from_type( md_type );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    if( ( ret = mbedtls_asn1_get_alg( &p, end, &enc_scheme_oid,
+                              &enc_scheme_params ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+    }
+
+    if( mbedtls_oid_get_cipher_alg( &enc_scheme_oid, &cipher_alg ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher_alg );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    /*
+     * The value of keylen from pkcs5_parse_pbkdf2_params() is ignored
+     * since it is optional and we don't know if it was set or not
+     */
+    keylen = cipher_info->key_bitlen / 8;
+
+    if( enc_scheme_params.tag != MBEDTLS_ASN1_OCTET_STRING ||
+        enc_scheme_params.len != cipher_info->iv_size )
+    {
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT );
+    }
+
+    mbedtls_md_init( &md_ctx );
+    mbedtls_cipher_init( &cipher_ctx );
+
+    memcpy( iv, enc_scheme_params.p, enc_scheme_params.len );
+
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_pkcs5_pbkdf2_hmac( &md_ctx, pwd, pwdlen, salt.p, salt.len,
+                                   iterations, keylen, key ) ) != 0 )
+    {
+        goto exit;
+    }
+
+    if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_crypt( &cipher_ctx, iv, enc_scheme_params.len,
+                              data, datalen, output, &olen ) ) != 0 )
+        ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;
+
+exit:
+    mbedtls_md_free( &md_ctx );
+    mbedtls_cipher_free( &cipher_ctx );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *password,
+                       size_t plen, const unsigned char *salt, size_t slen,
+                       unsigned int iteration_count,
+                       uint32_t key_length, unsigned char *output )
+{
+    int ret = 0, j;
+    unsigned int i;
+    unsigned char md1[MBEDTLS_MD_MAX_SIZE];
+    unsigned char work[MBEDTLS_MD_MAX_SIZE];
+    unsigned char md_size = mbedtls_md_get_size( ctx->md_info );
+    size_t use_len;
+    unsigned char *out_p = output;
+    unsigned char counter[4];
+
+    memset( counter, 0, 4 );
+    counter[3] = 1;
+
+#if UINT_MAX > 0xFFFFFFFF
+    if( iteration_count > 0xFFFFFFFF )
+        return( MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA );
+#endif
+
+    while( key_length )
+    {
+        // U1 ends up in work
+        //
+        if( ( ret = mbedtls_md_hmac_starts( ctx, password, plen ) ) != 0 )
+            goto cleanup;
+
+        if( ( ret = mbedtls_md_hmac_update( ctx, salt, slen ) ) != 0 )
+            goto cleanup;
+
+        if( ( ret = mbedtls_md_hmac_update( ctx, counter, 4 ) ) != 0 )
+            goto cleanup;
+
+        if( ( ret = mbedtls_md_hmac_finish( ctx, work ) ) != 0 )
+            goto cleanup;
+
+        memcpy( md1, work, md_size );
+
+        for( i = 1; i < iteration_count; i++ )
+        {
+            // U2 ends up in md1
+            //
+            if( ( ret = mbedtls_md_hmac_starts( ctx, password, plen ) ) != 0 )
+                goto cleanup;
+
+            if( ( ret = mbedtls_md_hmac_update( ctx, md1, md_size ) ) != 0 )
+                goto cleanup;
+
+            if( ( ret = mbedtls_md_hmac_finish( ctx, md1 ) ) != 0 )
+                goto cleanup;
+
+            // U1 xor U2
+            //
+            for( j = 0; j < md_size; j++ )
+                work[j] ^= md1[j];
+        }
+
+        use_len = ( key_length < md_size ) ? key_length : md_size;
+        memcpy( out_p, work, use_len );
+
+        key_length -= (uint32_t) use_len;
+        out_p += use_len;
+
+        for( i = 4; i > 0; i-- )
+            if( ++counter[i - 1] != 0 )
+                break;
+    }
+
+cleanup:
+    /* Zeroise buffers to clear sensitive data from memory. */
+    mbedtls_zeroize( work, MBEDTLS_MD_MAX_SIZE );
+    mbedtls_zeroize( md1, MBEDTLS_MD_MAX_SIZE );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if !defined(MBEDTLS_SHA1_C)
+int mbedtls_pkcs5_self_test( int verbose )
+{
+    if( verbose != 0 )
+        mbedtls_printf( "  PBKDF2 (SHA1): skipped\n\n" );
+
+    return( 0 );
+}
+#else
+
+#define MAX_TESTS   6
+
+static const size_t plen[MAX_TESTS] =
+    { 8, 8, 8, 24, 9 };
+
+static const unsigned char password[MAX_TESTS][32] =
+{
+    "password",
+    "password",
+    "password",
+    "passwordPASSWORDpassword",
+    "pass\0word",
+};
+
+static const size_t slen[MAX_TESTS] =
+    { 4, 4, 4, 36, 5 };
+
+static const unsigned char salt[MAX_TESTS][40] =
+{
+    "salt",
+    "salt",
+    "salt",
+    "saltSALTsaltSALTsaltSALTsaltSALTsalt",
+    "sa\0lt",
+};
+
+static const uint32_t it_cnt[MAX_TESTS] =
+    { 1, 2, 4096, 4096, 4096 };
+
+static const uint32_t key_len[MAX_TESTS] =
+    { 20, 20, 20, 25, 16 };
+
+static const unsigned char result_key[MAX_TESTS][32] =
+{
+    { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
+      0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
+      0x2f, 0xe0, 0x37, 0xa6 },
+    { 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
+      0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
+      0xd8, 0xde, 0x89, 0x57 },
+    { 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
+      0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
+      0x65, 0xa4, 0x29, 0xc1 },
+    { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
+      0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
+      0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
+      0x38 },
+    { 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
+      0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
+};
+
+int mbedtls_pkcs5_self_test( int verbose )
+{
+    mbedtls_md_context_t sha1_ctx;
+    const mbedtls_md_info_t *info_sha1;
+    int ret, i;
+    unsigned char key[64];
+
+    mbedtls_md_init( &sha1_ctx );
+
+    info_sha1 = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 );
+    if( info_sha1 == NULL )
+    {
+        ret = 1;
+        goto exit;
+    }
+
+    if( ( ret = mbedtls_md_setup( &sha1_ctx, info_sha1, 1 ) ) != 0 )
+    {
+        ret = 1;
+        goto exit;
+    }
+
+    for( i = 0; i < MAX_TESTS; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  PBKDF2 (SHA1) #%d: ", i );
+
+        ret = mbedtls_pkcs5_pbkdf2_hmac( &sha1_ctx, password[i], plen[i], salt[i],
+                                  slen[i], it_cnt[i], key_len[i], key );
+        if( ret != 0 ||
+            memcmp( result_key[i], key, key_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+exit:
+    mbedtls_md_free( &sha1_ctx );
+
+    return( ret );
+}
+#endif /* MBEDTLS_SHA1_C */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_PKCS5_C */
diff --git a/third-party/mbedtls-3.6/library/pkparse.c b/third-party/mbedtls-3.6/library/pkparse.c
new file mode 100644
index 00000000..f54ed546
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/pkparse.c
@@ -0,0 +1,1485 @@
+/*
+ *  Public Key layer for parsing key files and structures
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PK_PARSE_C)
+
+#include "mbedtls/pk.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/oid.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+#if defined(MBEDTLS_PKCS5_C)
+#include "mbedtls/pkcs5.h"
+#endif
+#if defined(MBEDTLS_PKCS12_C)
+#include "mbedtls/pkcs12.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if defined(MBEDTLS_FS_IO) || \
+    defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+#endif
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load all data from a file into a given buffer.
+ *
+ * The file is expected to contain either PEM or DER encoded data.
+ * A terminating null byte is always appended. It is included in the announced
+ * length only if the data looks like it is PEM encoded.
+ */
+int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n )
+{
+    FILE *f;
+    long size;
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
+
+    fseek( f, 0, SEEK_END );
+    if( ( size = ftell( f ) ) == -1 )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
+    }
+    fseek( f, 0, SEEK_SET );
+
+    *n = (size_t) size;
+
+    if( *n + 1 == 0 ||
+        ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+    }
+
+    if( fread( *buf, 1, *n, f ) != *n )
+    {
+        fclose( f );
+
+        mbedtls_zeroize( *buf, *n );
+        mbedtls_free( *buf );
+
+        return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
+    }
+
+    fclose( f );
+
+    (*buf)[*n] = '\0';
+
+    if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL )
+        ++*n;
+
+    return( 0 );
+}
+
+/*
+ * Load and parse a private key
+ */
+int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
+                      const char *path, const char *pwd )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    if( pwd == NULL )
+        ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 );
+    else
+        ret = mbedtls_pk_parse_key( ctx, buf, n,
+                (const unsigned char *) pwd, strlen( pwd ) );
+
+    mbedtls_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+
+/*
+ * Load and parse a public key
+ */
+int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_pk_parse_public_key( ctx, buf, n );
+
+    mbedtls_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_ECP_C)
+/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
+ *
+ * ECParameters ::= CHOICE {
+ *   namedCurve         OBJECT IDENTIFIER
+ *   specifiedCurve     SpecifiedECDomain -- = SEQUENCE { ... }
+ *   -- implicitCurve   NULL
+ * }
+ */
+static int pk_get_ecparams( unsigned char **p, const unsigned char *end,
+                            mbedtls_asn1_buf *params )
+{
+    int ret;
+
+    if ( end - *p < 1 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    /* Tag may be either OID or SEQUENCE */
+    params->tag = **p;
+    if( params->tag != MBEDTLS_ASN1_OID
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+            && params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE )
+#endif
+            )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+    }
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &params->len, params->tag ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    params->p = *p;
+    *p += params->len;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+/*
+ * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
+ * WARNING: the resulting group should only be used with
+ * pk_group_id_from_specified(), since its base point may not be set correctly
+ * if it was encoded compressed.
+ *
+ *  SpecifiedECDomain ::= SEQUENCE {
+ *      version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
+ *      fieldID FieldID {{FieldTypes}},
+ *      curve Curve,
+ *      base ECPoint,
+ *      order INTEGER,
+ *      cofactor INTEGER OPTIONAL,
+ *      hash HashAlgorithm OPTIONAL,
+ *      ...
+ *  }
+ *
+ * We only support prime-field as field type, and ignore hash and cofactor.
+ */
+static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
+{
+    int ret;
+    unsigned char *p = params->p;
+    const unsigned char * const end = params->p + params->len;
+    const unsigned char *end_field, *end_curve;
+    size_t len;
+    int ver;
+
+    /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
+    if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ver < 1 || ver > 3 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+
+    /*
+     * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
+     *       fieldType FIELD-ID.&id({IOSet}),
+     *       parameters FIELD-ID.&Type({IOSet}{@fieldType})
+     * }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( ret );
+
+    end_field = p + len;
+
+    /*
+     * FIELD-ID ::= TYPE-IDENTIFIER
+     * FieldTypes FIELD-ID ::= {
+     *       { Prime-p IDENTIFIED BY prime-field } |
+     *       { Characteristic-two IDENTIFIED BY characteristic-two-field }
+     * }
+     * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( ret );
+
+    if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) ||
+        memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+    }
+
+    p += len;
+
+    /* Prime-p ::= INTEGER -- Field of size p. */
+    if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
+
+    if( p != end_field )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    /*
+     * Curve ::= SEQUENCE {
+     *       a FieldElement,
+     *       b FieldElement,
+     *       seed BIT STRING OPTIONAL
+     *       -- Shall be present if used in SpecifiedECDomain
+     *       -- with version equal to ecdpVer2 or ecdpVer3
+     * }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( ret );
+
+    end_curve = p + len;
+
+    /*
+     * FieldElement ::= OCTET STRING
+     * containing an integer in the case of a prime field
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    p += len;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    p += len;
+
+    /* Ignore seed BIT STRING OPTIONAL */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 )
+        p += len;
+
+    if( p != end_curve )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    /*
+     * ECPoint ::= OCTET STRING
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G,
+                                      ( const unsigned char *) p, len ) ) != 0 )
+    {
+        /*
+         * If we can't read the point because it's compressed, cheat by
+         * reading only the X coordinate and the parity bit of Y.
+         */
+        if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ||
+            ( p[0] != 0x02 && p[0] != 0x03 ) ||
+            len != mbedtls_mpi_size( &grp->P ) + 1 ||
+            mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 ||
+            mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 ||
+            mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 )
+        {
+            return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+        }
+    }
+
+    p += len;
+
+    /*
+     * order INTEGER
+     */
+    if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    grp->nbits = mbedtls_mpi_bitlen( &grp->N );
+
+    /*
+     * Allow optional elements by purposefully not enforcing p == end here.
+     */
+
+    return( 0 );
+}
+
+/*
+ * Find the group id associated with an (almost filled) group as generated by
+ * pk_group_from_specified(), or return an error if unknown.
+ */
+static int pk_group_id_from_group( const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id )
+{
+    int ret = 0;
+    mbedtls_ecp_group ref;
+    const mbedtls_ecp_group_id *id;
+
+    mbedtls_ecp_group_init( &ref );
+
+    for( id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++ )
+    {
+        /* Load the group associated to that id */
+        mbedtls_ecp_group_free( &ref );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref, *id ) );
+
+        /* Compare to the group we were given, starting with easy tests */
+        if( grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
+            mbedtls_mpi_cmp_mpi( &grp->P, &ref.P ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->A, &ref.A ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->B, &ref.B ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->N, &ref.N ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 &&
+            /* For Y we may only know the parity bit, so compare only that */
+            mbedtls_mpi_get_bit( &grp->G.Y, 0 ) == mbedtls_mpi_get_bit( &ref.G.Y, 0 ) )
+        {
+            break;
+        }
+
+    }
+
+cleanup:
+    mbedtls_ecp_group_free( &ref );
+
+    *grp_id = *id;
+
+    if( ret == 0 && *id == MBEDTLS_ECP_DP_NONE )
+        ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+
+    return( ret );
+}
+
+/*
+ * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
+ */
+static int pk_group_id_from_specified( const mbedtls_asn1_buf *params,
+                                       mbedtls_ecp_group_id *grp_id )
+{
+    int ret;
+    mbedtls_ecp_group grp;
+
+    mbedtls_ecp_group_init( &grp );
+
+    if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 )
+        goto cleanup;
+
+    ret = pk_group_id_from_group( &grp, grp_id );
+
+cleanup:
+    mbedtls_ecp_group_free( &grp );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+
+/*
+ * Use EC parameters to initialise an EC group
+ *
+ * ECParameters ::= CHOICE {
+ *   namedCurve         OBJECT IDENTIFIER
+ *   specifiedCurve     SpecifiedECDomain -- = SEQUENCE { ... }
+ *   -- implicitCurve   NULL
+ */
+static int pk_use_ecparams( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
+{
+    int ret;
+    mbedtls_ecp_group_id grp_id;
+
+    if( params->tag == MBEDTLS_ASN1_OID )
+    {
+        if( mbedtls_oid_get_ec_grp( params, &grp_id ) != 0 )
+            return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE );
+    }
+    else
+    {
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+        if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 )
+            return( ret );
+#else
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+#endif
+    }
+
+    /*
+     * grp may already be initilialized; if so, make sure IDs match
+     */
+    if( grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+
+    if( ( ret = mbedtls_ecp_group_load( grp, grp_id ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * EC public key is an EC point
+ *
+ * The caller is responsible for clearing the structure upon failure if
+ * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE
+ * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
+ */
+static int pk_get_ecpubkey( unsigned char **p, const unsigned char *end,
+                            mbedtls_ecp_keypair *key )
+{
+    int ret;
+
+    if( ( ret = mbedtls_ecp_point_read_binary( &key->grp, &key->Q,
+                    (const unsigned char *) *p, end - *p ) ) == 0 )
+    {
+        ret = mbedtls_ecp_check_pubkey( &key->grp, &key->Q );
+    }
+
+    /*
+     * We know mbedtls_ecp_point_read_binary consumed all bytes or failed
+     */
+    *p = (unsigned char *) end;
+
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ *  RSAPublicKey ::= SEQUENCE {
+ *      modulus           INTEGER,  -- n
+ *      publicExponent    INTEGER   -- e
+ *  }
+ */
+static int pk_get_rsapubkey( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_rsa_context *rsa )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+
+    if( *p + len != end )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    /* Import N */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+
+    if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0,
+                                        NULL, 0, NULL, 0 ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
+
+    *p += len;
+
+    /* Import E */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+
+    if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0,
+                                        NULL, 0, *p, len ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
+
+    *p += len;
+
+    if( mbedtls_rsa_complete( rsa ) != 0 ||
+        mbedtls_rsa_check_pubkey( rsa ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_RSA_C */
+
+/* Get a PK algorithm identifier
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *       algorithm               OBJECT IDENTIFIER,
+ *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ */
+static int pk_get_pk_alg( unsigned char **p,
+                          const unsigned char *end,
+                          mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params )
+{
+    int ret;
+    mbedtls_asn1_buf alg_oid;
+
+    memset( params, 0, sizeof(mbedtls_asn1_buf) );
+
+    if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_ALG + ret );
+
+    if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 )
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    /*
+     * No parameters with RSA (only for EC)
+     */
+    if( *pk_alg == MBEDTLS_PK_RSA &&
+            ( ( params->tag != MBEDTLS_ASN1_NULL && params->tag != 0 ) ||
+                params->len != 0 ) )
+    {
+        return( MBEDTLS_ERR_PK_INVALID_ALG );
+    }
+
+    return( 0 );
+}
+
+/*
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+ *       algorithm            AlgorithmIdentifier,
+ *       subjectPublicKey     BIT STRING }
+ */
+int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
+                        mbedtls_pk_context *pk )
+{
+    int ret;
+    size_t len;
+    mbedtls_asn1_buf alg_params;
+    mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+    const mbedtls_pk_info_t *pk_info;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = *p + len;
+
+    if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+
+    if( *p + len != end )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_RSA_C)
+    if( pk_alg == MBEDTLS_PK_RSA )
+    {
+        ret = pk_get_rsapubkey( p, end, mbedtls_pk_rsa( *pk ) );
+    } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECP_C)
+    if( pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY )
+    {
+        ret = pk_use_ecparams( &alg_params, &mbedtls_pk_ec( *pk )->grp );
+        if( ret == 0 )
+            ret = pk_get_ecpubkey( p, end, mbedtls_pk_ec( *pk ) );
+    } else
+#endif /* MBEDTLS_ECP_C */
+        ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+
+    if( ret == 0 && *p != end )
+        ret = MBEDTLS_ERR_PK_INVALID_PUBKEY +
+              MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+
+    if( ret != 0 )
+        mbedtls_pk_free( pk );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ * Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
+ *
+ * The value zero is:
+ * - never a valid value for an RSA parameter
+ * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
+ *
+ * Since values can't be omitted in PKCS#1, passing a zero value to
+ * rsa_complete() would be incorrect, so reject zero values early.
+ */
+static int asn1_get_nonzero_mpi( unsigned char **p,
+                                 const unsigned char *end,
+                                 mbedtls_mpi *X )
+{
+    int ret;
+
+    ret = mbedtls_asn1_get_mpi( p, end, X );
+    if( ret != 0 )
+        return( ret );
+
+    if( mbedtls_mpi_cmp_int( X, 0 ) == 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+
+    return( 0 );
+}
+
+/*
+ * Parse a PKCS#1 encoded private RSA key
+ */
+static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
+                                   const unsigned char *key,
+                                   size_t keylen )
+{
+    int ret, version;
+    size_t len;
+    unsigned char *p, *end;
+
+    mbedtls_mpi T;
+    mbedtls_mpi_init( &T );
+
+    p = (unsigned char *) key;
+    end = p + keylen;
+
+    /*
+     * This function parses the RSAPrivateKey (PKCS#1)
+     *
+     *  RSAPrivateKey ::= SEQUENCE {
+     *      version           Version,
+     *      modulus           INTEGER,  -- n
+     *      publicExponent    INTEGER,  -- e
+     *      privateExponent   INTEGER,  -- d
+     *      prime1            INTEGER,  -- p
+     *      prime2            INTEGER,  -- q
+     *      exponent1         INTEGER,  -- d mod (p-1)
+     *      exponent2         INTEGER,  -- d mod (q-1)
+     *      coefficient       INTEGER,  -- (inverse of q) mod p
+     *      otherPrimeInfos   OtherPrimeInfos OPTIONAL
+     *  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    if( version != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
+    }
+
+    /* Import N */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, &T, NULL, NULL,
+                                        NULL, NULL ) ) != 0 )
+        goto cleanup;
+
+    /* Import E */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
+                                        NULL, &T ) ) != 0 )
+        goto cleanup;
+
+    /* Import D */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
+                                        &T, NULL ) ) != 0 )
+        goto cleanup;
+
+    /* Import P */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, NULL, &T, NULL,
+                                        NULL, NULL ) ) != 0 )
+        goto cleanup;
+
+    /* Import Q */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, NULL, NULL, &T,
+                                        NULL, NULL ) ) != 0 )
+        goto cleanup;
+
+#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
+    /*
+    * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
+    * that they can be easily recomputed from D, P and Q. However by
+    * parsing them from the PKCS1 structure it is possible to avoid
+    * recalculating them which both reduces the overhead of loading
+    * RSA private keys into memory and also avoids side channels which
+    * can arise when computing those values, since all of D, P, and Q
+    * are secret. See https://eprint.iacr.org/2020/055 for a
+    * description of one such attack.
+    */
+
+    /* Import DP */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &rsa->DP, &T ) ) != 0 )
+       goto cleanup;
+
+    /* Import DQ */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &rsa->DQ, &T ) ) != 0 )
+       goto cleanup;
+
+    /* Import QP */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &rsa->QP, &T ) ) != 0 )
+       goto cleanup;
+
+#else
+    /* Verify existance of the CRT params */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 )
+       goto cleanup;
+#endif
+
+    /* rsa_complete() doesn't complete anything with the default
+     * implementation but is still called:
+     * - for the benefit of alternative implementation that may want to
+     *   pre-compute stuff beyond what's provided (eg Montgomery factors)
+     * - as is also sanity-checks the key
+     *
+     * Furthermore, we also check the public part for consistency with
+     * mbedtls_pk_parse_pubkey(), as it includes size minima for example.
+     */
+    if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 ||
+        ( ret = mbedtls_rsa_check_pubkey( rsa ) ) != 0 )
+    {
+        goto cleanup;
+    }
+
+    if( p != end )
+    {
+        ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+              MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ;
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &T );
+
+    if( ret != 0 )
+    {
+        /* Wrap error code if it's coming from a lower level */
+        if( ( ret & 0xff80 ) == 0 )
+            ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret;
+        else
+            ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+
+        mbedtls_rsa_free( rsa );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Parse a SEC1 encoded private EC key
+ */
+static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck,
+                                  const unsigned char *key,
+                                  size_t keylen )
+{
+    int ret;
+    int version, pubkey_done;
+    size_t len;
+    mbedtls_asn1_buf params;
+    unsigned char *p = (unsigned char *) key;
+    unsigned char *end = p + keylen;
+    unsigned char *end2;
+
+    /*
+     * RFC 5915, or SEC1 Appendix C.4
+     *
+     * ECPrivateKey ::= SEQUENCE {
+     *      version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+     *      privateKey     OCTET STRING,
+     *      parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+     *      publicKey  [1] BIT STRING OPTIONAL
+     *    }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( version != 1 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 )
+    {
+        mbedtls_ecp_keypair_free( eck );
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    p += len;
+
+    pubkey_done = 0;
+    if( p != end )
+    {
+        /*
+         * Is 'parameters' present?
+         */
+        if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                        MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 )
+        {
+            if( ( ret = pk_get_ecparams( &p, p + len, &params) ) != 0 ||
+                ( ret = pk_use_ecparams( &params, &eck->grp )  ) != 0 )
+            {
+                mbedtls_ecp_keypair_free( eck );
+                return( ret );
+            }
+        }
+        else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            mbedtls_ecp_keypair_free( eck );
+            return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+        }
+    }
+
+    if( p != end )
+    {
+        /*
+         * Is 'publickey' present? If not, or if we can't read it (eg because it
+         * is compressed), create it from the private key.
+         */
+        if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                        MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 )
+        {
+            end2 = p + len;
+
+            if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 )
+                return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+            if( p + len != end2 )
+                return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                        MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+            if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 )
+                pubkey_done = 1;
+            else
+            {
+                /*
+                 * The only acceptable failure mode of pk_get_ecpubkey() above
+                 * is if the point format is not recognized.
+                 */
+                if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE )
+                    return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+            }
+        }
+        else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            mbedtls_ecp_keypair_free( eck );
+            return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+        }
+    }
+
+    if( ! pubkey_done &&
+        ( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G,
+                                                      NULL, NULL ) ) != 0 )
+    {
+        mbedtls_ecp_keypair_free( eck );
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 )
+    {
+        mbedtls_ecp_keypair_free( eck );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ECP_C */
+
+/*
+ * Parse an unencrypted PKCS#8 encoded private key
+ *
+ * Notes:
+ *
+ * - This function does not own the key buffer. It is the
+ *   responsibility of the caller to take care of zeroizing
+ *   and freeing it after use.
+ *
+ * - The function is responsible for freeing the provided
+ *   PK context on failure.
+ *
+ */
+static int pk_parse_key_pkcs8_unencrypted_der(
+                                    mbedtls_pk_context *pk,
+                                    const unsigned char* key,
+                                    size_t keylen )
+{
+    int ret, version;
+    size_t len;
+    mbedtls_asn1_buf params;
+    unsigned char *p = (unsigned char *) key;
+    unsigned char *end = p + keylen;
+    mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+    const mbedtls_pk_info_t *pk_info;
+
+    /*
+     * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
+     *
+     *    PrivateKeyInfo ::= SEQUENCE {
+     *      version                   Version,
+     *      privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
+     *      privateKey                PrivateKey,
+     *      attributes           [0]  IMPLICIT Attributes OPTIONAL }
+     *
+     *    Version ::= INTEGER
+     *    PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
+     *    PrivateKey ::= OCTET STRING
+     *
+     *  The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
+     */
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( version != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION + ret );
+
+    if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, &params ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( len < 1 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_RSA_C)
+    if( pk_alg == MBEDTLS_PK_RSA )
+    {
+        if( ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), p, len ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+            return( ret );
+        }
+    } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECP_C)
+    if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH )
+    {
+        if( ( ret = pk_use_ecparams( &params, &mbedtls_pk_ec( *pk )->grp ) ) != 0 ||
+            ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len )  ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+            return( ret );
+        }
+    } else
+#endif /* MBEDTLS_ECP_C */
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    return( 0 );
+}
+
+/*
+ * Parse an encrypted PKCS#8 encoded private key
+ *
+ * To save space, the decryption happens in-place on the given key buffer.
+ * Also, while this function may modify the keybuffer, it doesn't own it,
+ * and instead it is the responsibility of the caller to zeroize and properly
+ * free it after use.
+ *
+ */
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+static int pk_parse_key_pkcs8_encrypted_der(
+                                    mbedtls_pk_context *pk,
+                                    unsigned char *key, size_t keylen,
+                                    const unsigned char *pwd, size_t pwdlen )
+{
+    int ret, decrypted = 0;
+    size_t len;
+    unsigned char *buf;
+    unsigned char *p, *end;
+    mbedtls_asn1_buf pbe_alg_oid, pbe_params;
+#if defined(MBEDTLS_PKCS12_C)
+    mbedtls_cipher_type_t cipher_alg;
+    mbedtls_md_type_t md_alg;
+#endif
+
+    p = key;
+    end = p + keylen;
+
+    if( pwdlen == 0 )
+        return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
+
+    /*
+     * This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
+     *
+     *  EncryptedPrivateKeyInfo ::= SEQUENCE {
+     *    encryptionAlgorithm  EncryptionAlgorithmIdentifier,
+     *    encryptedData        EncryptedData
+     *  }
+     *
+     *  EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+     *
+     *  EncryptedData ::= OCTET STRING
+     *
+     *  The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
+     *
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    buf = p;
+
+    /*
+     * Decrypt EncryptedData with appropriate PBE
+     */
+#if defined(MBEDTLS_PKCS12_C)
+    if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
+    {
+        if( ( ret = mbedtls_pkcs12_pbe( &pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
+                                cipher_alg, md_alg,
+                                pwd, pwdlen, p, len, buf ) ) != 0 )
+        {
+            if( ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH )
+                return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+
+            return( ret );
+        }
+
+        decrypted = 1;
+    }
+    else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) == 0 )
+    {
+        if( ( ret = mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params,
+                                             MBEDTLS_PKCS12_PBE_DECRYPT,
+                                             pwd, pwdlen,
+                                             p, len, buf ) ) != 0 )
+        {
+            return( ret );
+        }
+
+        // Best guess for password mismatch when using RC4. If first tag is
+        // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE
+        //
+        if( *buf != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+            return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+
+        decrypted = 1;
+    }
+    else
+#endif /* MBEDTLS_PKCS12_C */
+#if defined(MBEDTLS_PKCS5_C)
+    if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid ) == 0 )
+    {
+        if( ( ret = mbedtls_pkcs5_pbes2( &pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
+                                  p, len, buf ) ) != 0 )
+        {
+            if( ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH )
+                return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+
+            return( ret );
+        }
+
+        decrypted = 1;
+    }
+    else
+#endif /* MBEDTLS_PKCS5_C */
+    {
+        ((void) pwd);
+    }
+
+    if( decrypted == 0 )
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+    return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) );
+}
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+
+/*
+ * Parse a private key
+ */
+int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
+                  const unsigned char *key, size_t keylen,
+                  const unsigned char *pwd, size_t pwdlen )
+{
+    int ret;
+    const mbedtls_pk_info_t *pk_info;
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    size_t len;
+    mbedtls_pem_context pem;
+
+    mbedtls_pem_init( &pem );
+
+#if defined(MBEDTLS_RSA_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( keylen == 0 || key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN RSA PRIVATE KEY-----",
+                               "-----END RSA PRIVATE KEY-----",
+                               key, pwd, pwdlen, &len );
+
+    if( ret == 0 )
+    {
+        pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
+        if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
+            ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ),
+                                            pem.buf, pem.buflen ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+        }
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
+        return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+    else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
+        return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        return( ret );
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( keylen == 0 || key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN EC PRIVATE KEY-----",
+                               "-----END EC PRIVATE KEY-----",
+                               key, pwd, pwdlen, &len );
+    if( ret == 0 )
+    {
+        pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
+
+        if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
+            ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
+                                           pem.buf, pem.buflen ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+        }
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
+        return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+    else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
+        return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        return( ret );
+#endif /* MBEDTLS_ECP_C */
+
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( keylen == 0 || key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN PRIVATE KEY-----",
+                               "-----END PRIVATE KEY-----",
+                               key, NULL, 0, &len );
+    if( ret == 0 )
+    {
+        if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk,
+                                                pem.buf, pem.buflen ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+        }
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        return( ret );
+
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( keylen == 0 || key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN ENCRYPTED PRIVATE KEY-----",
+                               "-----END ENCRYPTED PRIVATE KEY-----",
+                               key, NULL, 0, &len );
+    if( ret == 0 )
+    {
+        if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk,
+                                                      pem.buf, pem.buflen,
+                                                      pwd, pwdlen ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+        }
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        return( ret );
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+#else
+    ((void) pwd);
+    ((void) pwdlen);
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+    /*
+     * At this point we only know it's not a PEM formatted key. Could be any
+     * of the known DER encoded private key formats
+     *
+     * We try the different DER format parsers to see if one passes without
+     * error
+     */
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+    {
+        unsigned char *key_copy;
+
+        if( keylen == 0 )
+            return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+
+        if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL )
+            return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+        memcpy( key_copy, key, keylen );
+
+        ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen,
+                                                pwd, pwdlen );
+
+        mbedtls_zeroize( key_copy, keylen );
+        mbedtls_free( key_copy );
+    }
+
+    if( ret == 0 )
+        return( 0 );
+
+    mbedtls_pk_free( pk );
+    mbedtls_pk_init( pk );
+
+    if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+
+    if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )
+        return( 0 );
+
+    mbedtls_pk_free( pk );
+    mbedtls_pk_init( pk );
+
+#if defined(MBEDTLS_RSA_C)
+
+    pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
+    if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
+        pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) == 0 )
+    {
+        return( 0 );
+    }
+
+    mbedtls_pk_free( pk );
+    mbedtls_pk_init( pk );
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+    pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
+    if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
+        pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
+                               key, keylen ) == 0 )
+    {
+        return( 0 );
+    }
+    mbedtls_pk_free( pk );
+#endif /* MBEDTLS_ECP_C */
+
+    /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't,
+     * it is ok to leave the PK context initialized but not
+     * freed: It is the caller's responsibility to call pk_init()
+     * before calling this function, and to call pk_free()
+     * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C
+     * isn't, this leads to mbedtls_pk_free() being called
+     * twice, once here and once by the caller, but this is
+     * also ok and in line with the mbedtls_pk_free() calls
+     * on failed PEM parsing attempts. */
+
+    return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+}
+
+/*
+ * Parse a public key
+ */
+int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
+                         const unsigned char *key, size_t keylen )
+{
+    int ret;
+    unsigned char *p;
+#if defined(MBEDTLS_PEM_PARSE_C)
+    size_t len;
+    mbedtls_pem_context pem;
+
+    mbedtls_pem_init( &pem );
+
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( keylen == 0 || key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                "-----BEGIN PUBLIC KEY-----",
+                "-----END PUBLIC KEY-----",
+                key, NULL, 0, &len );
+
+    if( ret == 0 )
+    {
+        /*
+         * Was PEM encoded
+         */
+        key = pem.buf;
+        keylen = pem.buflen;
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+    {
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+#endif /* MBEDTLS_PEM_PARSE_C */
+    p = (unsigned char *) key;
+
+    ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx );
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_free( &pem );
+#endif
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_PK_PARSE_C */
diff --git a/third-party/mbedtls-3.6/library/pkwrite.c b/third-party/mbedtls-3.6/library/pkwrite.c
new file mode 100644
index 00000000..d54c74a3
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/pkwrite.c
@@ -0,0 +1,567 @@
+/*
+ *  Public Key layer for writing key files and structures
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PK_WRITE_C)
+
+#include "mbedtls/pk.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/oid.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/bignum.h"
+#include "mbedtls/ecp.h"
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ *  RSAPublicKey ::= SEQUENCE {
+ *      modulus           INTEGER,  -- n
+ *      publicExponent    INTEGER   -- e
+ *  }
+ */
+static int pk_write_rsa_pubkey( unsigned char **p, unsigned char *start,
+                                mbedtls_rsa_context *rsa )
+{
+    int ret;
+    size_t len = 0;
+    mbedtls_mpi T;
+
+    mbedtls_mpi_init( &T );
+
+    /* Export E */
+    if ( ( ret = mbedtls_rsa_export( rsa, NULL, NULL, NULL, NULL, &T ) ) != 0 ||
+         ( ret = mbedtls_asn1_write_mpi( p, start, &T ) ) < 0 )
+        goto end_of_export;
+    len += ret;
+
+    /* Export N */
+    if ( ( ret = mbedtls_rsa_export( rsa, &T, NULL, NULL, NULL, NULL ) ) != 0 ||
+         ( ret = mbedtls_asn1_write_mpi( p, start, &T ) ) < 0 )
+        goto end_of_export;
+    len += ret;
+
+end_of_export:
+
+    mbedtls_mpi_free( &T );
+    if( ret < 0 )
+        return( ret );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * EC public key is an EC point
+ */
+static int pk_write_ec_pubkey( unsigned char **p, unsigned char *start,
+                               mbedtls_ecp_keypair *ec )
+{
+    int ret;
+    size_t len = 0;
+    unsigned char buf[MBEDTLS_ECP_MAX_PT_LEN];
+
+    if( ( ret = mbedtls_ecp_point_write_binary( &ec->grp, &ec->Q,
+                                        MBEDTLS_ECP_PF_UNCOMPRESSED,
+                                        &len, buf, sizeof( buf ) ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( *p < start || (size_t)( *p - start ) < len )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    *p -= len;
+    memcpy( *p, buf, len );
+
+    return( (int) len );
+}
+
+/*
+ * ECParameters ::= CHOICE {
+ *   namedCurve         OBJECT IDENTIFIER
+ * }
+ */
+static int pk_write_ec_param( unsigned char **p, unsigned char *start,
+                              mbedtls_ecp_keypair *ec )
+{
+    int ret;
+    size_t len = 0;
+    const char *oid;
+    size_t oid_len;
+
+    if( ( ret = mbedtls_oid_get_oid_by_ec_grp( ec->grp.id, &oid, &oid_len ) ) != 0 )
+        return( ret );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid, oid_len ) );
+
+    return( (int) len );
+}
+
+/*
+ * privateKey  OCTET STRING -- always of length ceil(log2(n)/8)
+ */
+static int pk_write_ec_private( unsigned char **p, unsigned char *start,
+                                mbedtls_ecp_keypair *ec )
+{
+    int ret;
+    size_t byte_length = ( ec->grp.pbits + 7 ) / 8;
+    unsigned char tmp[MBEDTLS_ECP_MAX_BYTES];
+
+    ret = mbedtls_mpi_write_binary( &ec->d, tmp, byte_length );
+    if( ret != 0 )
+        goto exit;
+    ret = mbedtls_asn1_write_octet_string( p, start, tmp, byte_length );
+
+exit:
+    mbedtls_zeroize( tmp, byte_length );
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_C */
+
+int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start,
+                             const mbedtls_pk_context *key )
+{
+    int ret;
+    size_t len = 0;
+
+#if defined(MBEDTLS_RSA_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
+        MBEDTLS_ASN1_CHK_ADD( len, pk_write_rsa_pubkey( p, start, mbedtls_pk_rsa( *key ) ) );
+    else
+#endif
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+        MBEDTLS_ASN1_CHK_ADD( len, pk_write_ec_pubkey( p, start, mbedtls_pk_ec( *key ) ) );
+    else
+#endif
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+    return( (int) len );
+}
+
+int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *key, unsigned char *buf, size_t size )
+{
+    int ret;
+    unsigned char *c;
+    size_t len = 0, par_len = 0, oid_len;
+    const char *oid;
+
+    c = buf + size;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, key ) );
+
+    if( c - buf < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    /*
+     *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+     *       algorithm            AlgorithmIdentifier,
+     *       subjectPublicKey     BIT STRING }
+     */
+    *--c = 0;
+    len += 1;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_BIT_STRING ) );
+
+    if( ( ret = mbedtls_oid_get_oid_by_pk_alg( mbedtls_pk_get_type( key ),
+                                       &oid, &oid_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+    {
+        MBEDTLS_ASN1_CHK_ADD( par_len, pk_write_ec_param( &c, buf, mbedtls_pk_ec( *key ) ) );
+    }
+#endif
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, buf, oid, oid_len,
+                                                        par_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+int mbedtls_pk_write_key_der( mbedtls_pk_context *key, unsigned char *buf, size_t size )
+{
+    int ret;
+    unsigned char *c = buf + size;
+    size_t len = 0;
+
+#if defined(MBEDTLS_RSA_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
+    {
+        mbedtls_mpi T; /* Temporary holding the exported parameters */
+        mbedtls_rsa_context *rsa = mbedtls_pk_rsa( *key );
+
+        /*
+         * Export the parameters one after another to avoid simultaneous copies.
+         */
+
+        mbedtls_mpi_init( &T );
+
+        /* Export QP */
+        if( ( ret = mbedtls_rsa_export_crt( rsa, NULL, NULL, &T ) ) != 0 ||
+            ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export DQ */
+        if( ( ret = mbedtls_rsa_export_crt( rsa, NULL, &T, NULL ) ) != 0 ||
+            ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export DP */
+        if( ( ret = mbedtls_rsa_export_crt( rsa, &T, NULL, NULL ) ) != 0 ||
+            ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export Q */
+        if ( ( ret = mbedtls_rsa_export( rsa, NULL, NULL,
+                                         &T, NULL, NULL ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export P */
+        if ( ( ret = mbedtls_rsa_export( rsa, NULL, &T,
+                                         NULL, NULL, NULL ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export D */
+        if ( ( ret = mbedtls_rsa_export( rsa, NULL, NULL,
+                                         NULL, &T, NULL ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export E */
+        if ( ( ret = mbedtls_rsa_export( rsa, NULL, NULL,
+                                         NULL, NULL, &T ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export N */
+        if ( ( ret = mbedtls_rsa_export( rsa, &T, NULL,
+                                         NULL, NULL, NULL ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+    end_of_export:
+
+        mbedtls_mpi_free( &T );
+        if( ret < 0 )
+            return( ret );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 0 ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c,
+                                               buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                               MBEDTLS_ASN1_SEQUENCE ) );
+    }
+    else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+    {
+        mbedtls_ecp_keypair *ec = mbedtls_pk_ec( *key );
+        size_t pub_len = 0, par_len = 0;
+
+        /*
+         * RFC 5915, or SEC1 Appendix C.4
+         *
+         * ECPrivateKey ::= SEQUENCE {
+         *      version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+         *      privateKey     OCTET STRING,
+         *      parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+         *      publicKey  [1] BIT STRING OPTIONAL
+         *    }
+         */
+
+        /* publicKey */
+        MBEDTLS_ASN1_CHK_ADD( pub_len, pk_write_ec_pubkey( &c, buf, ec ) );
+
+        if( c - buf < 1 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+        *--c = 0;
+        pub_len += 1;
+
+        MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_asn1_write_len( &c, buf, pub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_BIT_STRING ) );
+
+        MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_asn1_write_len( &c, buf, pub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_asn1_write_tag( &c, buf,
+                            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) );
+        len += pub_len;
+
+        /* parameters */
+        MBEDTLS_ASN1_CHK_ADD( par_len, pk_write_ec_param( &c, buf, ec ) );
+
+        MBEDTLS_ASN1_CHK_ADD( par_len, mbedtls_asn1_write_len( &c, buf, par_len ) );
+        MBEDTLS_ASN1_CHK_ADD( par_len, mbedtls_asn1_write_tag( &c, buf,
+                            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+        len += par_len;
+
+        /* privateKey */
+        MBEDTLS_ASN1_CHK_ADD( len, pk_write_ec_private( &c, buf, ec ) );
+
+        /* version */
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 1 ) );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
+    }
+    else
+#endif /* MBEDTLS_ECP_C */
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+    return( (int) len );
+}
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+
+#define PEM_BEGIN_PUBLIC_KEY    "-----BEGIN PUBLIC KEY-----\n"
+#define PEM_END_PUBLIC_KEY      "-----END PUBLIC KEY-----\n"
+
+#define PEM_BEGIN_PRIVATE_KEY_RSA   "-----BEGIN RSA PRIVATE KEY-----\n"
+#define PEM_END_PRIVATE_KEY_RSA     "-----END RSA PRIVATE KEY-----\n"
+#define PEM_BEGIN_PRIVATE_KEY_EC    "-----BEGIN EC PRIVATE KEY-----\n"
+#define PEM_END_PRIVATE_KEY_EC      "-----END EC PRIVATE KEY-----\n"
+
+/*
+ * Max sizes of key per types. Shown as tag + len (+ content).
+ */
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ * RSA public keys:
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {          1 + 3
+ *       algorithm            AlgorithmIdentifier,  1 + 1 (sequence)
+ *                                                + 1 + 1 + 9 (rsa oid)
+ *                                                + 1 + 1 (params null)
+ *       subjectPublicKey     BIT STRING }          1 + 3 + (1 + below)
+ *  RSAPublicKey ::= SEQUENCE {                     1 + 3
+ *      modulus           INTEGER,  -- n            1 + 3 + MPI_MAX + 1
+ *      publicExponent    INTEGER   -- e            1 + 3 + MPI_MAX + 1
+ *  }
+ */
+#define RSA_PUB_DER_MAX_BYTES   ( 38 + 2 * MBEDTLS_MPI_MAX_SIZE )
+
+/*
+ * RSA private keys:
+ *  RSAPrivateKey ::= SEQUENCE {                    1 + 3
+ *      version           Version,                  1 + 1 + 1
+ *      modulus           INTEGER,                  1 + 3 + MPI_MAX + 1
+ *      publicExponent    INTEGER,                  1 + 3 + MPI_MAX + 1
+ *      privateExponent   INTEGER,                  1 + 3 + MPI_MAX + 1
+ *      prime1            INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      prime2            INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      exponent1         INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      exponent2         INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      coefficient       INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      otherPrimeInfos   OtherPrimeInfos OPTIONAL  0 (not supported)
+ *  }
+ */
+#define MPI_MAX_SIZE_2          ( MBEDTLS_MPI_MAX_SIZE / 2 + \
+                                  MBEDTLS_MPI_MAX_SIZE % 2 )
+#define RSA_PRV_DER_MAX_BYTES   ( 47 + 3 * MBEDTLS_MPI_MAX_SIZE \
+                                   + 5 * MPI_MAX_SIZE_2 )
+
+#else /* MBEDTLS_RSA_C */
+
+#define RSA_PUB_DER_MAX_BYTES   0
+#define RSA_PRV_DER_MAX_BYTES   0
+
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * EC public keys:
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {      1 + 2
+ *    algorithm         AlgorithmIdentifier,    1 + 1 (sequence)
+ *                                            + 1 + 1 + 7 (ec oid)
+ *                                            + 1 + 1 + 9 (namedCurve oid)
+ *    subjectPublicKey  BIT STRING              1 + 2 + 1               [1]
+ *                                            + 1 (point format)        [1]
+ *                                            + 2 * ECP_MAX (coords)    [1]
+ *  }
+ */
+#define ECP_PUB_DER_MAX_BYTES   ( 30 + 2 * MBEDTLS_ECP_MAX_BYTES )
+
+/*
+ * EC private keys:
+ * ECPrivateKey ::= SEQUENCE {                  1 + 2
+ *      version        INTEGER ,                1 + 1 + 1
+ *      privateKey     OCTET STRING,            1 + 1 + ECP_MAX
+ *      parameters [0] ECParameters OPTIONAL,   1 + 1 + (1 + 1 + 9)
+ *      publicKey  [1] BIT STRING OPTIONAL      1 + 2 + [1] above
+ *    }
+ */
+#define ECP_PRV_DER_MAX_BYTES   ( 29 + 3 * MBEDTLS_ECP_MAX_BYTES )
+
+#else /* MBEDTLS_ECP_C */
+
+#define ECP_PUB_DER_MAX_BYTES   0
+#define ECP_PRV_DER_MAX_BYTES   0
+
+#endif /* MBEDTLS_ECP_C */
+
+#define PUB_DER_MAX_BYTES   ( RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \
+                              RSA_PUB_DER_MAX_BYTES : ECP_PUB_DER_MAX_BYTES )
+#define PRV_DER_MAX_BYTES   ( RSA_PRV_DER_MAX_BYTES > ECP_PRV_DER_MAX_BYTES ? \
+                              RSA_PRV_DER_MAX_BYTES : ECP_PRV_DER_MAX_BYTES )
+
+int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *key, unsigned char *buf, size_t size )
+{
+    int ret;
+    unsigned char output_buf[PUB_DER_MAX_BYTES];
+    size_t olen = 0;
+
+    if( ( ret = mbedtls_pk_write_pubkey_der( key, output_buf,
+                                     sizeof(output_buf) ) ) < 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_PUBLIC_KEY, PEM_END_PUBLIC_KEY,
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_pk_write_key_pem( mbedtls_pk_context *key, unsigned char *buf, size_t size )
+{
+    int ret;
+    unsigned char output_buf[PRV_DER_MAX_BYTES];
+    const char *begin, *end;
+    size_t olen = 0;
+
+    if( ( ret = mbedtls_pk_write_key_der( key, output_buf, sizeof(output_buf) ) ) < 0 )
+        return( ret );
+
+#if defined(MBEDTLS_RSA_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
+    {
+        begin = PEM_BEGIN_PRIVATE_KEY_RSA;
+        end = PEM_END_PRIVATE_KEY_RSA;
+    }
+    else
+#endif
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+    {
+        begin = PEM_BEGIN_PRIVATE_KEY_EC;
+        end = PEM_END_PRIVATE_KEY_EC;
+    }
+    else
+#endif
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+    if( ( ret = mbedtls_pem_write_buffer( begin, end,
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_PK_WRITE_C */
diff --git a/third-party/mbedtls-3.6/library/platform.c b/third-party/mbedtls-3.6/library/platform.c
new file mode 100644
index 00000000..a9267b16
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/platform.c
@@ -0,0 +1,370 @@
+/*
+ *  Platform abstraction layer
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+
+#include "mbedtls/platform.h"
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED) && \
+    !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+#endif
+
+/* The compile time configuration of memory allocation via the macros
+ * MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO takes precedence over the runtime
+ * configuration via mbedtls_platform_set_calloc_free(). So, omit everything
+ * related to the latter if MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO are defined. */
+#if defined(MBEDTLS_PLATFORM_MEMORY) &&                 \
+    !( defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&        \
+       defined(MBEDTLS_PLATFORM_FREE_MACRO) )
+
+#if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
+static void *platform_calloc_uninit( size_t n, size_t size )
+{
+    ((void) n);
+    ((void) size);
+    return( NULL );
+}
+
+#define MBEDTLS_PLATFORM_STD_CALLOC   platform_calloc_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_CALLOC */
+
+#if !defined(MBEDTLS_PLATFORM_STD_FREE)
+static void platform_free_uninit( void *ptr )
+{
+    ((void) ptr);
+}
+
+#define MBEDTLS_PLATFORM_STD_FREE     platform_free_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_FREE */
+
+void * (*mbedtls_calloc)( size_t, size_t ) = MBEDTLS_PLATFORM_STD_CALLOC;
+void (*mbedtls_free)( void * )     = MBEDTLS_PLATFORM_STD_FREE;
+
+int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
+                              void (*free_func)( void * ) )
+{
+    mbedtls_calloc = calloc_func;
+    mbedtls_free = free_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_MEMORY &&
+          !( defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&
+             defined(MBEDTLS_PLATFORM_FREE_MACRO) ) */
+
+#if defined(_WIN32)
+#include <stdarg.h>
+int mbedtls_platform_win32_snprintf( char *s, size_t n, const char *fmt, ... )
+{
+    int ret;
+    va_list argp;
+
+    /* Avoid calling the invalid parameter handler by checking ourselves */
+    if( s == NULL || n == 0 || fmt == NULL )
+        return( -1 );
+
+    va_start( argp, fmt );
+#if defined(_TRUNCATE) && !defined(__MINGW32__)
+    ret = _vsnprintf_s( s, n, _TRUNCATE, fmt, argp );
+#else
+    ret = _vsnprintf( s, n, fmt, argp );
+    if( ret < 0 || (size_t) ret == n )
+    {
+        s[n-1] = '\0';
+        ret = -1;
+    }
+#endif
+    va_end( argp );
+
+    return( ret );
+}
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_snprintf_uninit( char * s, size_t n,
+                                     const char * format, ... )
+{
+    ((void) s);
+    ((void) n);
+    ((void) format);
+    return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_SNPRINTF    platform_snprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_SNPRINTF */
+
+int (*mbedtls_snprintf)( char * s, size_t n,
+                          const char * format,
+                          ... ) = MBEDTLS_PLATFORM_STD_SNPRINTF;
+
+int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
+                                                 const char * format,
+                                                 ... ) )
+{
+    mbedtls_snprintf = snprintf_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_printf_uninit( const char *format, ... )
+{
+    ((void) format);
+    return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_PRINTF    platform_printf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_PRINTF */
+
+int (*mbedtls_printf)( const char *, ... ) = MBEDTLS_PLATFORM_STD_PRINTF;
+
+int mbedtls_platform_set_printf( int (*printf_func)( const char *, ... ) )
+{
+    mbedtls_printf = printf_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_fprintf_uninit( FILE *stream, const char *format, ... )
+{
+    ((void) stream);
+    ((void) format);
+    return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_FPRINTF   platform_fprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_FPRINTF */
+
+int (*mbedtls_fprintf)( FILE *, const char *, ... ) =
+                                        MBEDTLS_PLATFORM_STD_FPRINTF;
+
+int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *, const char *, ... ) )
+{
+    mbedtls_fprintf = fprintf_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static void platform_exit_uninit( int status )
+{
+    ((void) status);
+}
+
+#define MBEDTLS_PLATFORM_STD_EXIT   platform_exit_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_EXIT */
+
+void (*mbedtls_exit)( int status ) = MBEDTLS_PLATFORM_STD_EXIT;
+
+int mbedtls_platform_set_exit( void (*exit_func)( int status ) )
+{
+    mbedtls_exit = exit_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+
+#if defined(MBEDTLS_HAVE_TIME)
+
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_TIME)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static mbedtls_time_t platform_time_uninit( mbedtls_time_t* timer )
+{
+    ((void) timer);
+    return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_TIME   platform_time_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_TIME */
+
+mbedtls_time_t (*mbedtls_time)( mbedtls_time_t* timer ) = MBEDTLS_PLATFORM_STD_TIME;
+
+int mbedtls_platform_set_time( mbedtls_time_t (*time_func)( mbedtls_time_t* timer ) )
+{
+    mbedtls_time = time_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
+#endif /* MBEDTLS_HAVE_TIME */
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
+/* Default implementations for the platform independent seed functions use
+ * standard libc file functions to read from and write to a pre-defined filename
+ */
+int mbedtls_platform_std_nv_seed_read( unsigned char *buf, size_t buf_len )
+{
+    FILE *file;
+    size_t n;
+
+    if( ( file = fopen( MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "rb" ) ) == NULL )
+        return( -1 );
+
+    if( ( n = fread( buf, 1, buf_len, file ) ) != buf_len )
+    {
+        fclose( file );
+        mbedtls_zeroize( buf, buf_len );
+        return( -1 );
+    }
+
+    fclose( file );
+    return( (int)n );
+}
+
+int mbedtls_platform_std_nv_seed_write( unsigned char *buf, size_t buf_len )
+{
+    FILE *file;
+    size_t n;
+
+    if( ( file = fopen( MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "w" ) ) == NULL )
+        return -1;
+
+    if( ( n = fwrite( buf, 1, buf_len, file ) ) != buf_len )
+    {
+        fclose( file );
+        return -1;
+    }
+
+    fclose( file );
+    return( (int)n );
+}
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_nv_seed_read_uninit( unsigned char *buf, size_t buf_len )
+{
+    ((void) buf);
+    ((void) buf_len);
+    return( -1 );
+}
+
+#define MBEDTLS_PLATFORM_STD_NV_SEED_READ   platform_nv_seed_read_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_NV_SEED_READ */
+
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_nv_seed_write_uninit( unsigned char *buf, size_t buf_len )
+{
+    ((void) buf);
+    ((void) buf_len);
+    return( -1 );
+}
+
+#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE   platform_nv_seed_write_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_NV_SEED_WRITE */
+
+int (*mbedtls_nv_seed_read)( unsigned char *buf, size_t buf_len ) =
+            MBEDTLS_PLATFORM_STD_NV_SEED_READ;
+int (*mbedtls_nv_seed_write)( unsigned char *buf, size_t buf_len ) =
+            MBEDTLS_PLATFORM_STD_NV_SEED_WRITE;
+
+int mbedtls_platform_set_nv_seed(
+        int (*nv_seed_read_func)( unsigned char *buf, size_t buf_len ),
+        int (*nv_seed_write_func)( unsigned char *buf, size_t buf_len ) )
+{
+    mbedtls_nv_seed_read = nv_seed_read_func;
+    mbedtls_nv_seed_write = nv_seed_write_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+/*
+ * Placeholder platform setup that does nothing by default
+ */
+int mbedtls_platform_setup( mbedtls_platform_context *ctx )
+{
+    (void)ctx;
+
+    return( 0 );
+}
+
+/*
+ * Placeholder platform teardown that does nothing by default
+ */
+void mbedtls_platform_teardown( mbedtls_platform_context *ctx )
+{
+    (void)ctx;
+}
+#endif /* MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+
+#endif /* MBEDTLS_PLATFORM_C */
diff --git a/third-party/mbedtls-3.6/library/ripemd160.c b/third-party/mbedtls-3.6/library/ripemd160.c
new file mode 100644
index 00000000..d89ed0a3
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ripemd160.c
@@ -0,0 +1,587 @@
+/*
+ *  RIPE MD-160 implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ *  The RIPEMD-160 algorithm was designed by RIPE in 1996
+ *  http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html
+ *  http://ehash.iaik.tugraz.at/wiki/RIPEMD-160
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+
+#include "mbedtls/ripemd160.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_RIPEMD160_ALT)
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+void mbedtls_ripemd160_init( mbedtls_ripemd160_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_ripemd160_context ) );
+}
+
+void mbedtls_ripemd160_free( mbedtls_ripemd160_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_ripemd160_context ) );
+}
+
+void mbedtls_ripemd160_clone( mbedtls_ripemd160_context *dst,
+                        const mbedtls_ripemd160_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * RIPEMD-160 context setup
+ */
+int mbedtls_ripemd160_starts_ret( mbedtls_ripemd160_context *ctx )
+{
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+    ctx->state[4] = 0xC3D2E1F0;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_starts( mbedtls_ripemd160_context *ctx )
+{
+    mbedtls_ripemd160_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
+/*
+ * Process one block
+ */
+int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
+                                        const unsigned char data[64] )
+{
+    struct
+    {
+        uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16];
+    } local;
+
+    GET_UINT32_LE( local.X[ 0], data,  0 );
+    GET_UINT32_LE( local.X[ 1], data,  4 );
+    GET_UINT32_LE( local.X[ 2], data,  8 );
+    GET_UINT32_LE( local.X[ 3], data, 12 );
+    GET_UINT32_LE( local.X[ 4], data, 16 );
+    GET_UINT32_LE( local.X[ 5], data, 20 );
+    GET_UINT32_LE( local.X[ 6], data, 24 );
+    GET_UINT32_LE( local.X[ 7], data, 28 );
+    GET_UINT32_LE( local.X[ 8], data, 32 );
+    GET_UINT32_LE( local.X[ 9], data, 36 );
+    GET_UINT32_LE( local.X[10], data, 40 );
+    GET_UINT32_LE( local.X[11], data, 44 );
+    GET_UINT32_LE( local.X[12], data, 48 );
+    GET_UINT32_LE( local.X[13], data, 52 );
+    GET_UINT32_LE( local.X[14], data, 56 );
+    GET_UINT32_LE( local.X[15], data, 60 );
+
+    local.A = local.Ap = ctx->state[0];
+    local.B = local.Bp = ctx->state[1];
+    local.C = local.Cp = ctx->state[2];
+    local.D = local.Dp = ctx->state[3];
+    local.E = local.Ep = ctx->state[4];
+
+#define F1( x, y, z )   ( x ^ y ^ z )
+#define F2( x, y, z )   ( ( x & y ) | ( ~x & z ) )
+#define F3( x, y, z )   ( ( x | ~y ) ^ z )
+#define F4( x, y, z )   ( ( x & z ) | ( y & ~z ) )
+#define F5( x, y, z )   ( x ^ ( y | ~z ) )
+
+#define S( x, n ) ( ( x << n ) | ( x >> (32 - n) ) )
+
+#define P( a, b, c, d, e, r, s, f, k )      \
+    a += f( b, c, d ) + local.X[r] + k;     \
+    a = S( a, s ) + e;                      \
+    c = S( c, 10 );
+
+#define P2( a, b, c, d, e, r, s, rp, sp )   \
+    P( a, b, c, d, e, r, s, F, K );         \
+    P( a ## p, b ## p, c ## p, d ## p, e ## p, rp, sp, Fp, Kp );
+
+#define F   F1
+#define K   0x00000000
+#define Fp  F5
+#define Kp  0x50A28BE6
+    P2( local.A, local.B, local.C, local.D, local.E,  0, 11,  5,  8 );
+    P2( local.E, local.A, local.B, local.C, local.D,  1, 14, 14,  9 );
+    P2( local.D, local.E, local.A, local.B, local.C,  2, 15,  7,  9 );
+    P2( local.C, local.D, local.E, local.A, local.B,  3, 12,  0, 11 );
+    P2( local.B, local.C, local.D, local.E, local.A,  4,  5,  9, 13 );
+    P2( local.A, local.B, local.C, local.D, local.E,  5,  8,  2, 15 );
+    P2( local.E, local.A, local.B, local.C, local.D,  6,  7, 11, 15 );
+    P2( local.D, local.E, local.A, local.B, local.C,  7,  9,  4,  5 );
+    P2( local.C, local.D, local.E, local.A, local.B,  8, 11, 13,  7 );
+    P2( local.B, local.C, local.D, local.E, local.A,  9, 13,  6,  7 );
+    P2( local.A, local.B, local.C, local.D, local.E, 10, 14, 15,  8 );
+    P2( local.E, local.A, local.B, local.C, local.D, 11, 15,  8, 11 );
+    P2( local.D, local.E, local.A, local.B, local.C, 12,  6,  1, 14 );
+    P2( local.C, local.D, local.E, local.A, local.B, 13,  7, 10, 14 );
+    P2( local.B, local.C, local.D, local.E, local.A, 14,  9,  3, 12 );
+    P2( local.A, local.B, local.C, local.D, local.E, 15,  8, 12,  6 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F2
+#define K   0x5A827999
+#define Fp  F4
+#define Kp  0x5C4DD124
+    P2( local.E, local.A, local.B, local.C, local.D,  7,  7,  6,  9 );
+    P2( local.D, local.E, local.A, local.B, local.C,  4,  6, 11, 13 );
+    P2( local.C, local.D, local.E, local.A, local.B, 13,  8,  3, 15 );
+    P2( local.B, local.C, local.D, local.E, local.A,  1, 13,  7,  7 );
+    P2( local.A, local.B, local.C, local.D, local.E, 10, 11,  0, 12 );
+    P2( local.E, local.A, local.B, local.C, local.D,  6,  9, 13,  8 );
+    P2( local.D, local.E, local.A, local.B, local.C, 15,  7,  5,  9 );
+    P2( local.C, local.D, local.E, local.A, local.B,  3, 15, 10, 11 );
+    P2( local.B, local.C, local.D, local.E, local.A, 12,  7, 14,  7 );
+    P2( local.A, local.B, local.C, local.D, local.E,  0, 12, 15,  7 );
+    P2( local.E, local.A, local.B, local.C, local.D,  9, 15,  8, 12 );
+    P2( local.D, local.E, local.A, local.B, local.C,  5,  9, 12,  7 );
+    P2( local.C, local.D, local.E, local.A, local.B,  2, 11,  4,  6 );
+    P2( local.B, local.C, local.D, local.E, local.A, 14,  7,  9, 15 );
+    P2( local.A, local.B, local.C, local.D, local.E, 11, 13,  1, 13 );
+    P2( local.E, local.A, local.B, local.C, local.D,  8, 12,  2, 11 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F3
+#define K   0x6ED9EBA1
+#define Fp  F3
+#define Kp  0x6D703EF3
+    P2( local.D, local.E, local.A, local.B, local.C,  3, 11, 15,  9 );
+    P2( local.C, local.D, local.E, local.A, local.B, 10, 13,  5,  7 );
+    P2( local.B, local.C, local.D, local.E, local.A, 14,  6,  1, 15 );
+    P2( local.A, local.B, local.C, local.D, local.E,  4,  7,  3, 11 );
+    P2( local.E, local.A, local.B, local.C, local.D,  9, 14,  7,  8 );
+    P2( local.D, local.E, local.A, local.B, local.C, 15,  9, 14,  6 );
+    P2( local.C, local.D, local.E, local.A, local.B,  8, 13,  6,  6 );
+    P2( local.B, local.C, local.D, local.E, local.A,  1, 15,  9, 14 );
+    P2( local.A, local.B, local.C, local.D, local.E,  2, 14, 11, 12 );
+    P2( local.E, local.A, local.B, local.C, local.D,  7,  8,  8, 13 );
+    P2( local.D, local.E, local.A, local.B, local.C,  0, 13, 12,  5 );
+    P2( local.C, local.D, local.E, local.A, local.B,  6,  6,  2, 14 );
+    P2( local.B, local.C, local.D, local.E, local.A, 13,  5, 10, 13 );
+    P2( local.A, local.B, local.C, local.D, local.E, 11, 12,  0, 13 );
+    P2( local.E, local.A, local.B, local.C, local.D,  5,  7,  4,  7 );
+    P2( local.D, local.E, local.A, local.B, local.C, 12,  5, 13,  5 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F4
+#define K   0x8F1BBCDC
+#define Fp  F2
+#define Kp  0x7A6D76E9
+    P2( local.C, local.D, local.E, local.A, local.B,  1, 11,  8, 15 );
+    P2( local.B, local.C, local.D, local.E, local.A,  9, 12,  6,  5 );
+    P2( local.A, local.B, local.C, local.D, local.E, 11, 14,  4,  8 );
+    P2( local.E, local.A, local.B, local.C, local.D, 10, 15,  1, 11 );
+    P2( local.D, local.E, local.A, local.B, local.C,  0, 14,  3, 14 );
+    P2( local.C, local.D, local.E, local.A, local.B,  8, 15, 11, 14 );
+    P2( local.B, local.C, local.D, local.E, local.A, 12,  9, 15,  6 );
+    P2( local.A, local.B, local.C, local.D, local.E,  4,  8,  0, 14 );
+    P2( local.E, local.A, local.B, local.C, local.D, 13,  9,  5,  6 );
+    P2( local.D, local.E, local.A, local.B, local.C,  3, 14, 12,  9 );
+    P2( local.C, local.D, local.E, local.A, local.B,  7,  5,  2, 12 );
+    P2( local.B, local.C, local.D, local.E, local.A, 15,  6, 13,  9 );
+    P2( local.A, local.B, local.C, local.D, local.E, 14,  8,  9, 12 );
+    P2( local.E, local.A, local.B, local.C, local.D,  5,  6,  7,  5 );
+    P2( local.D, local.E, local.A, local.B, local.C,  6,  5, 10, 15 );
+    P2( local.C, local.D, local.E, local.A, local.B,  2, 12, 14,  8 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F5
+#define K   0xA953FD4E
+#define Fp  F1
+#define Kp  0x00000000
+    P2( local.B, local.C, local.D, local.E, local.A,  4,  9, 12,  8 );
+    P2( local.A, local.B, local.C, local.D, local.E,  0, 15, 15,  5 );
+    P2( local.E, local.A, local.B, local.C, local.D,  5,  5, 10, 12 );
+    P2( local.D, local.E, local.A, local.B, local.C,  9, 11,  4,  9 );
+    P2( local.C, local.D, local.E, local.A, local.B,  7,  6,  1, 12 );
+    P2( local.B, local.C, local.D, local.E, local.A, 12,  8,  5,  5 );
+    P2( local.A, local.B, local.C, local.D, local.E,  2, 13,  8, 14 );
+    P2( local.E, local.A, local.B, local.C, local.D, 10, 12,  7,  6 );
+    P2( local.D, local.E, local.A, local.B, local.C, 14,  5,  6,  8 );
+    P2( local.C, local.D, local.E, local.A, local.B,  1, 12,  2, 13 );
+    P2( local.B, local.C, local.D, local.E, local.A,  3, 13, 13,  6 );
+    P2( local.A, local.B, local.C, local.D, local.E,  8, 14, 14,  5 );
+    P2( local.E, local.A, local.B, local.C, local.D, 11, 11,  0, 15 );
+    P2( local.D, local.E, local.A, local.B, local.C,  6,  8,  3, 13 );
+    P2( local.C, local.D, local.E, local.A, local.B, 15,  5,  9, 11 );
+    P2( local.B, local.C, local.D, local.E, local.A, 13,  6, 11, 11 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+    local.C       = ctx->state[1] + local.C + local.Dp;
+    ctx->state[1] = ctx->state[2] + local.D + local.Ep;
+    ctx->state[2] = ctx->state[3] + local.E + local.Ap;
+    ctx->state[3] = ctx->state[4] + local.A + local.Bp;
+    ctx->state[4] = ctx->state[0] + local.B + local.Cp;
+    ctx->state[0] = local.C;
+
+    /* Zeroise variables to clear sensitive data from memory. */
+    mbedtls_zeroize( &local, sizeof( local ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_process( mbedtls_ripemd160_context *ctx,
+                                const unsigned char data[64] )
+{
+    mbedtls_internal_ripemd160_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_RIPEMD160_PROCESS_ALT */
+
+/*
+ * RIPEMD-160 process buffer
+ */
+int mbedtls_ripemd160_update_ret( mbedtls_ripemd160_context *ctx,
+                                  const unsigned char *input,
+                                  size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+
+        if( ( ret = mbedtls_internal_ripemd160_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_ripemd160_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_update( mbedtls_ripemd160_context *ctx,
+                               const unsigned char *input,
+                               size_t ilen )
+{
+    mbedtls_ripemd160_update_ret( ctx, input, ilen );
+}
+#endif
+
+static const unsigned char ripemd160_padding[64] =
+{
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * RIPEMD-160 final digest
+ */
+int mbedtls_ripemd160_finish_ret( mbedtls_ripemd160_context *ctx,
+                                  unsigned char output[20] )
+{
+    int ret;
+    uint32_t last, padn;
+    uint32_t high, low;
+    unsigned char msglen[8];
+
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_LE( low,  msglen, 0 );
+    PUT_UINT32_LE( high, msglen, 4 );
+
+    last = ctx->total[0] & 0x3F;
+    padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
+
+    ret = mbedtls_ripemd160_update_ret( ctx, ripemd160_padding, padn );
+    if( ret != 0 )
+        return( ret );
+
+    ret = mbedtls_ripemd160_update_ret( ctx, msglen, 8 );
+    if( ret != 0 )
+        return( ret );
+
+    PUT_UINT32_LE( ctx->state[0], output,  0 );
+    PUT_UINT32_LE( ctx->state[1], output,  4 );
+    PUT_UINT32_LE( ctx->state[2], output,  8 );
+    PUT_UINT32_LE( ctx->state[3], output, 12 );
+    PUT_UINT32_LE( ctx->state[4], output, 16 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_finish( mbedtls_ripemd160_context *ctx,
+                               unsigned char output[20] )
+{
+    mbedtls_ripemd160_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* ! MBEDTLS_RIPEMD160_ALT */
+
+/*
+ * output = RIPEMD-160( input buffer )
+ */
+int mbedtls_ripemd160_ret( const unsigned char *input,
+                           size_t ilen,
+                           unsigned char output[20] )
+{
+    int ret;
+    mbedtls_ripemd160_context ctx;
+
+    mbedtls_ripemd160_init( &ctx );
+
+    if( ( ret = mbedtls_ripemd160_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_ripemd160_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_ripemd160_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_ripemd160_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160( const unsigned char *input,
+                        size_t ilen,
+                        unsigned char output[20] )
+{
+    mbedtls_ripemd160_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Test vectors from the RIPEMD-160 paper and
+ * http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html#HMAC
+ */
+#define TESTS   8
+static const unsigned char ripemd160_test_str[TESTS][81] =
+{
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012"
+      "345678901234567890" },
+};
+
+static const size_t ripemd160_test_strlen[TESTS] =
+{
+    0, 1, 3, 14, 26, 56, 62, 80
+};
+
+static const unsigned char ripemd160_test_md[TESTS][20] =
+{
+    { 0x9c, 0x11, 0x85, 0xa5, 0xc5, 0xe9, 0xfc, 0x54, 0x61, 0x28,
+      0x08, 0x97, 0x7e, 0xe8, 0xf5, 0x48, 0xb2, 0x25, 0x8d, 0x31 },
+    { 0x0b, 0xdc, 0x9d, 0x2d, 0x25, 0x6b, 0x3e, 0xe9, 0xda, 0xae,
+      0x34, 0x7b, 0xe6, 0xf4, 0xdc, 0x83, 0x5a, 0x46, 0x7f, 0xfe },
+    { 0x8e, 0xb2, 0x08, 0xf7, 0xe0, 0x5d, 0x98, 0x7a, 0x9b, 0x04,
+      0x4a, 0x8e, 0x98, 0xc6, 0xb0, 0x87, 0xf1, 0x5a, 0x0b, 0xfc },
+    { 0x5d, 0x06, 0x89, 0xef, 0x49, 0xd2, 0xfa, 0xe5, 0x72, 0xb8,
+      0x81, 0xb1, 0x23, 0xa8, 0x5f, 0xfa, 0x21, 0x59, 0x5f, 0x36 },
+    { 0xf7, 0x1c, 0x27, 0x10, 0x9c, 0x69, 0x2c, 0x1b, 0x56, 0xbb,
+      0xdc, 0xeb, 0x5b, 0x9d, 0x28, 0x65, 0xb3, 0x70, 0x8d, 0xbc },
+    { 0x12, 0xa0, 0x53, 0x38, 0x4a, 0x9c, 0x0c, 0x88, 0xe4, 0x05,
+      0xa0, 0x6c, 0x27, 0xdc, 0xf4, 0x9a, 0xda, 0x62, 0xeb, 0x2b },
+    { 0xb0, 0xe2, 0x0b, 0x6e, 0x31, 0x16, 0x64, 0x02, 0x86, 0xed,
+      0x3a, 0x87, 0xa5, 0x71, 0x30, 0x79, 0xb2, 0x1f, 0x51, 0x89 },
+    { 0x9b, 0x75, 0x2e, 0x45, 0x57, 0x3d, 0x4b, 0x39, 0xf4, 0xdb,
+      0xd3, 0x32, 0x3c, 0xab, 0x82, 0xbf, 0x63, 0x32, 0x6b, 0xfb },
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ripemd160_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char output[20];
+
+    memset( output, 0, sizeof output );
+
+    for( i = 0; i < TESTS; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  RIPEMD-160 test #%d: ", i + 1 );
+
+        ret = mbedtls_ripemd160_ret( ripemd160_test_str[i],
+                                     ripemd160_test_strlen[i], output );
+        if( ret != 0 )
+            goto fail;
+
+        if( memcmp( output, ripemd160_test_md[i], 20 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_RIPEMD160_C */
diff --git a/third-party/mbedtls-3.6/library/rsa.c b/third-party/mbedtls-3.6/library/rsa.c
new file mode 100644
index 00000000..94ace5e2
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/rsa.c
@@ -0,0 +1,2602 @@
+/*
+ *  The RSA public-key cryptosystem
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+/*
+ *  The following sources were referenced in the design of this implementation
+ *  of the RSA algorithm:
+ *
+ *  [1] A method for obtaining digital signatures and public-key cryptosystems
+ *      R Rivest, A Shamir, and L Adleman
+ *      http://people.csail.mit.edu/rivest/pubs.html#RSA78
+ *
+ *  [2] Handbook of Applied Cryptography - 1997, Chapter 8
+ *      Menezes, van Oorschot and Vanstone
+ *
+ *  [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
+ *      Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
+ *      Stefan Mangard
+ *      https://arxiv.org/abs/1702.08719v2
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+
+#include "mbedtls/rsa.h"
+#include "mbedtls/rsa_internal.h"
+#include "mbedtls/oid.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PKCS1_V21)
+#include "mbedtls/md.h"
+#endif
+
+#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
+#include <stdlib.h>
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#define mbedtls_calloc calloc
+#define mbedtls_free   free
+#endif
+
+#if !defined(MBEDTLS_RSA_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
+#if defined(MBEDTLS_PKCS1_V15)
+/* constant-time buffer comparison */
+static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n )
+{
+    size_t i;
+    const unsigned char *A = (const unsigned char *) a;
+    const unsigned char *B = (const unsigned char *) b;
+    unsigned char diff = 0;
+
+    for( i = 0; i < n; i++ )
+        diff |= A[i] ^ B[i];
+
+    return( diff );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
+                        const mbedtls_mpi *N,
+                        const mbedtls_mpi *P, const mbedtls_mpi *Q,
+                        const mbedtls_mpi *D, const mbedtls_mpi *E )
+{
+    int ret;
+
+    if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||
+        ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||
+        ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||
+        ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||
+        ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+    }
+
+    if( N != NULL )
+        ctx->len = mbedtls_mpi_size( &ctx->N );
+
+    return( 0 );
+}
+
+int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
+                            unsigned char const *N, size_t N_len,
+                            unsigned char const *P, size_t P_len,
+                            unsigned char const *Q, size_t Q_len,
+                            unsigned char const *D, size_t D_len,
+                            unsigned char const *E, size_t E_len )
+{
+    int ret = 0;
+
+    if( N != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );
+        ctx->len = mbedtls_mpi_size( &ctx->N );
+    }
+
+    if( P != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );
+
+    if( Q != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );
+
+    if( D != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );
+
+    if( E != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );
+
+cleanup:
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+
+    return( 0 );
+}
+
+/*
+ * Checks whether the context fields are set in such a way
+ * that the RSA primitives will be able to execute without error.
+ * It does *not* make guarantees for consistency of the parameters.
+ */
+static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
+                              int blinding_needed )
+{
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /* blinding_needed is only used for NO_CRT to decide whether
+     * P,Q need to be present or not. */
+    ((void) blinding_needed);
+#endif
+
+    if( ctx->len != mbedtls_mpi_size( &ctx->N ) ||
+        ctx->len > MBEDTLS_MPI_MAX_SIZE )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    /*
+     * 1. Modular exponentiation needs positive, odd moduli.
+     */
+
+    /* Modular exponentiation wrt. N is always used for
+     * RSA public key operations. */
+    if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 ||
+        mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0  )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /* Modular exponentiation for P and Q is only
+     * used for private key operations and if CRT
+     * is used. */
+    if( is_priv &&
+        ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
+          mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 ||
+          mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ||
+          mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0  ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+#endif /* !MBEDTLS_RSA_NO_CRT */
+
+    /*
+     * 2. Exponents must be positive
+     */
+
+    /* Always need E for public key operations */
+    if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+    /* For private key operations, use D or DP & DQ
+     * as (unblinded) exponents. */
+    if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+#else
+    if( is_priv &&
+        ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 ||
+          mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0  ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    /* Blinding shouldn't make exponents negative either,
+     * so check that P, Q >= 1 if that hasn't yet been
+     * done as part of 1. */
+#if defined(MBEDTLS_RSA_NO_CRT)
+    if( is_priv && blinding_needed &&
+        ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
+          mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+#endif
+
+    /* It wouldn't lead to an error if it wasn't satisfied,
+     * but check for QP >= 1 nonetheless. */
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    if( is_priv &&
+        mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+#endif
+
+    return( 0 );
+}
+
+int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
+{
+    int ret = 0;
+
+    const int have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
+    const int have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
+    const int have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
+    const int have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
+    const int have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    const int have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
+    const int have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
+    const int have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
+#endif
+
+    /*
+     * Check whether provided parameters are enough
+     * to deduce all others. The following incomplete
+     * parameter sets for private keys are supported:
+     *
+     * (1) P, Q missing.
+     * (2) D and potentially N missing.
+     *
+     */
+
+    const int n_missing  =              have_P &&  have_Q &&  have_D && have_E;
+    const int pq_missing =   have_N && !have_P && !have_Q &&  have_D && have_E;
+    const int d_missing  =              have_P &&  have_Q && !have_D && have_E;
+    const int is_pub     =   have_N && !have_P && !have_Q && !have_D && have_E;
+
+    /* These three alternatives are mutually exclusive */
+    const int is_priv = n_missing || pq_missing || d_missing;
+
+    if( !is_priv && !is_pub )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * Step 1: Deduce N if P, Q are provided.
+     */
+
+    if( !have_N && have_P && have_Q )
+    {
+        if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
+                                         &ctx->Q ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+        }
+
+        ctx->len = mbedtls_mpi_size( &ctx->N );
+    }
+
+    /*
+     * Step 2: Deduce and verify all remaining core parameters.
+     */
+
+    if( pq_missing )
+    {
+        ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
+                                         &ctx->P, &ctx->Q );
+        if( ret != 0 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+
+    }
+    else if( d_missing )
+    {
+        if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,
+                                                         &ctx->Q,
+                                                         &ctx->E,
+                                                         &ctx->D ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+        }
+    }
+
+    /*
+     * Step 3: Deduce all additional parameters specific
+     *         to our current RSA implementation.
+     */
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
+    {
+        ret = mbedtls_rsa_deduce_crt( &ctx->P,  &ctx->Q,  &ctx->D,
+                                      &ctx->DP, &ctx->DQ, &ctx->QP );
+        if( ret != 0 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+    }
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    /*
+     * Step 3: Basic sanity checks
+     */
+
+    return( rsa_check_context( ctx, is_priv, 1 ) );
+}
+
+int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
+                            unsigned char *N, size_t N_len,
+                            unsigned char *P, size_t P_len,
+                            unsigned char *Q, size_t Q_len,
+                            unsigned char *D, size_t D_len,
+                            unsigned char *E, size_t E_len )
+{
+    int ret = 0;
+
+    /* Check if key is private or public */
+    const int is_priv =
+        mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
+
+    if( !is_priv )
+    {
+        /* If we're trying to export private parameters for a public key,
+         * something must be wrong. */
+        if( P != NULL || Q != NULL || D != NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    }
+
+    if( N != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );
+
+    if( P != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );
+
+    if( Q != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );
+
+    if( D != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );
+
+    if( E != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );
+
+cleanup:
+
+    return( ret );
+}
+
+int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
+                        mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
+                        mbedtls_mpi *D, mbedtls_mpi *E )
+{
+    int ret;
+
+    /* Check if key is private or public */
+    int is_priv =
+        mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
+
+    if( !is_priv )
+    {
+        /* If we're trying to export private parameters for a public key,
+         * something must be wrong. */
+        if( P != NULL || Q != NULL || D != NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    }
+
+    /* Export all requested core parameters. */
+
+    if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||
+        ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||
+        ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||
+        ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||
+        ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Export CRT parameters
+ * This must also be implemented if CRT is not used, for being able to
+ * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
+ * can be used in this case.
+ */
+int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
+                            mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )
+{
+    int ret;
+
+    /* Check if key is private or public */
+    int is_priv =
+        mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
+
+    if( !is_priv )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /* Export all requested blinding parameters. */
+    if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||
+        ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||
+        ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+    }
+#else
+    if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
+                                        DP, DQ, QP ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+    }
+#endif
+
+    return( 0 );
+}
+
+/*
+ * Initialize an RSA context
+ */
+void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
+               int padding,
+               int hash_id )
+{
+    memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
+
+    mbedtls_rsa_set_padding( ctx, padding, hash_id );
+
+#if defined(MBEDTLS_THREADING_C)
+    /* Set ctx->ver to nonzero to indicate that the mutex has been
+     * initialized and will need to be freed. */
+    ctx->ver = 1;
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+/*
+ * Set padding for an existing RSA context
+ */
+void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
+{
+    ctx->padding = padding;
+    ctx->hash_id = hash_id;
+}
+
+/*
+ * Get length in bytes of RSA modulus
+ */
+
+size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
+{
+    return( ctx->len );
+}
+
+
+#if defined(MBEDTLS_GENPRIME)
+
+/*
+ * Generate an RSA keypair
+ */
+int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
+                 int (*f_rng)(void *, unsigned char *, size_t),
+                 void *p_rng,
+                 unsigned int nbits, int exponent )
+{
+    int ret;
+    mbedtls_mpi H, G;
+
+    mbedtls_mpi_init( &H );
+    mbedtls_mpi_init( &G );
+
+    if( f_rng == NULL || nbits < 128 || exponent < 3 || nbits % 2 != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    /*
+     * find primes P and Q with Q < P so that:
+     * GCD( E, (P-1)*(Q-1) ) == 1
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
+
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
+                                                f_rng, p_rng ) );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
+                                                f_rng, p_rng ) );
+
+        if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
+            continue;
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
+        if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
+            continue;
+
+        if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
+            mbedtls_mpi_swap( &ctx->P, &ctx->Q );
+
+        /* Temporarily replace P,Q by P-1, Q-1 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H  ) );
+    }
+    while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
+
+    /* Restore P,Q */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P,  &ctx->P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q,  &ctx->Q, 1 ) );
+
+    ctx->len = mbedtls_mpi_size( &ctx->N );
+
+    /*
+     * D  = E^-1 mod ((P-1)*(Q-1))
+     * DP = D mod (P - 1)
+     * DQ = D mod (Q - 1)
+     * QP = Q^-1 mod P
+     */
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &H  ) );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
+                                             &ctx->DP, &ctx->DQ, &ctx->QP ) );
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    /* Double-check */
+    MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &H );
+    mbedtls_mpi_free( &G );
+
+    if( ret != 0 )
+    {
+        mbedtls_rsa_free( ctx );
+        if( ( -ret & ~0x7f ) == 0 )
+            ret = MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret;
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_GENPRIME */
+
+/*
+ * Check a public RSA key
+ */
+int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
+{
+    if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+
+    if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 ||
+        mbedtls_mpi_bitlen( &ctx->E )     < 2  ||
+        mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Check for the consistency of all fields in an RSA private key context
+ */
+int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
+{
+    if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
+        rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,
+                                     &ctx->D, &ctx->E, NULL, NULL ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
+                                       &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+#endif
+
+    return( 0 );
+}
+
+/*
+ * Check if contexts holding a public and private key match
+ */
+int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
+                                const mbedtls_rsa_context *prv )
+{
+    if( mbedtls_rsa_check_pubkey( pub )  != 0 ||
+        mbedtls_rsa_check_privkey( prv ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
+        mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Do an RSA public key operation
+ */
+int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
+                const unsigned char *input,
+                unsigned char *output )
+{
+    int ret;
+    size_t olen;
+    mbedtls_mpi T;
+
+    if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &T );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
+
+    if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
+    {
+        ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    olen = ctx->len;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    mbedtls_mpi_free( &T );
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Generate or update blinding values, see section 10 of:
+ *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
+ *  DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
+ *  Berlin Heidelberg, 1996. p. 104-113.
+ */
+static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
+                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret, count = 0;
+    mbedtls_mpi R;
+
+    mbedtls_mpi_init( &R );
+
+    if( ctx->Vf.p != NULL )
+    {
+        /* We already have blinding values, just update them by squaring */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
+
+        goto cleanup;
+    }
+
+    /* Unblinding value: Vf = random number, invertible mod N */
+    do {
+        if( count++ > 10 )
+        {
+            ret = MBEDTLS_ERR_RSA_RNG_FAILED;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
+
+        /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
+
+        /* At this point, Vi is invertible mod N if and only if both Vf and R
+         * are invertible mod N. If one of them isn't, we don't need to know
+         * which one, we just loop and choose new values for both of them.
+         * (Each iteration succeeds with overwhelming probability.) */
+        ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
+        if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+            goto cleanup;
+
+    } while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+
+    /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
+
+    /* Blinding value: Vi = Vf^(-e) mod N
+     * (Vi already contains Vf^-1 at this point) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
+
+
+cleanup:
+    mbedtls_mpi_free( &R );
+
+    return( ret );
+}
+
+/*
+ * Exponent blinding supposed to prevent side-channel attacks using multiple
+ * traces of measurements to recover the RSA key. The more collisions are there,
+ * the more bits of the key can be recovered. See [3].
+ *
+ * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
+ * observations on avarage.
+ *
+ * For example with 28 byte blinding to achieve 2 collisions the adversary has
+ * to make 2^112 observations on avarage.
+ *
+ * (With the currently (as of 2017 April) known best algorithms breaking 2048
+ * bit RSA requires approximately as much time as trying out 2^112 random keys.
+ * Thus in this sense with 28 byte blinding the security is not reduced by
+ * side-channel attacks like the one in [3])
+ *
+ * This countermeasure does not help if the key recovery is possible with a
+ * single trace.
+ */
+#define RSA_EXPONENT_BLINDING 28
+
+/*
+ * Do an RSA private key operation
+ */
+int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
+                 int (*f_rng)(void *, unsigned char *, size_t),
+                 void *p_rng,
+                 const unsigned char *input,
+                 unsigned char *output )
+{
+    int ret;
+    size_t olen;
+
+    /* Temporary holding the result */
+    mbedtls_mpi T;
+
+    /* Temporaries holding P-1, Q-1 and the
+     * exponent blinding factor, respectively. */
+    mbedtls_mpi P1, Q1, R;
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /* Temporaries holding the results mod p resp. mod q. */
+    mbedtls_mpi TP, TQ;
+
+    /* Temporaries holding the blinded exponents for
+     * the mod p resp. mod q computation (if used). */
+    mbedtls_mpi DP_blind, DQ_blind;
+
+    /* Pointers to actual exponents to be used - either the unblinded
+     * or the blinded ones, depending on the presence of a PRNG. */
+    mbedtls_mpi *DP = &ctx->DP;
+    mbedtls_mpi *DQ = &ctx->DQ;
+#else
+    /* Temporary holding the blinded exponent (if used). */
+    mbedtls_mpi D_blind;
+
+    /* Pointer to actual exponent to be used - either the unblinded
+     * or the blinded one, depending on the presence of a PRNG. */
+    mbedtls_mpi *D = &ctx->D;
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    /* Temporaries holding the initial input and the double
+     * checked result; should be the same in the end. */
+    mbedtls_mpi I, C;
+
+    if( rsa_check_context( ctx, 1             /* private key checks */,
+                                f_rng != NULL /* blinding y/n       */ ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    /* MPI Initialization */
+    mbedtls_mpi_init( &T );
+
+    mbedtls_mpi_init( &P1 );
+    mbedtls_mpi_init( &Q1 );
+    mbedtls_mpi_init( &R );
+
+    if( f_rng != NULL )
+    {
+#if defined(MBEDTLS_RSA_NO_CRT)
+        mbedtls_mpi_init( &D_blind );
+#else
+        mbedtls_mpi_init( &DP_blind );
+        mbedtls_mpi_init( &DQ_blind );
+#endif
+    }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
+#endif
+
+    mbedtls_mpi_init( &I );
+    mbedtls_mpi_init( &C );
+
+    /* End of MPI initialization */
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
+    if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
+    {
+        ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
+
+    if( f_rng != NULL )
+    {
+        /*
+         * Blinding
+         * T = T * Vi mod N
+         */
+        MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
+
+        /*
+         * Exponent blinding
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+        /*
+         * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+                         f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
+
+        D = &D_blind;
+#else
+        /*
+         * DP_blind = ( P - 1 ) * R + DP
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+                         f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
+                    &ctx->DP ) );
+
+        DP = &DP_blind;
+
+        /*
+         * DQ_blind = ( Q - 1 ) * R + DQ
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+                         f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
+                    &ctx->DQ ) );
+
+        DQ = &DQ_blind;
+#endif /* MBEDTLS_RSA_NO_CRT */
+    }
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
+#else
+    /*
+     * Faster decryption using the CRT
+     *
+     * TP = input ^ dP mod P
+     * TQ = input ^ dQ mod Q
+     */
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) );
+
+    /*
+     * T = (TP - TQ) * (Q^-1 mod P) mod P
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) );
+
+    /*
+     * T = TQ + T * Q
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    if( f_rng != NULL )
+    {
+        /*
+         * Unblind
+         * T = T * Vf mod N
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
+    }
+
+    /* Verify the result to prevent glitching attacks. */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E,
+                                          &ctx->N, &ctx->RN ) );
+    if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+    olen = ctx->len;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    mbedtls_mpi_free( &P1 );
+    mbedtls_mpi_free( &Q1 );
+    mbedtls_mpi_free( &R );
+
+    if( f_rng != NULL )
+    {
+#if defined(MBEDTLS_RSA_NO_CRT)
+        mbedtls_mpi_free( &D_blind );
+#else
+        mbedtls_mpi_free( &DP_blind );
+        mbedtls_mpi_free( &DQ_blind );
+#endif
+    }
+
+    mbedtls_mpi_free( &T );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
+#endif
+
+    mbedtls_mpi_free( &C );
+    mbedtls_mpi_free( &I );
+
+    if( ret != 0 && ret >= -0x007f )
+        return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/**
+ * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
+ *
+ * \param dst       buffer to mask
+ * \param dlen      length of destination buffer
+ * \param src       source of the mask generation
+ * \param slen      length of the source buffer
+ * \param md_ctx    message digest context to use
+ */
+static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
+                      size_t slen, mbedtls_md_context_t *md_ctx )
+{
+    unsigned char mask[MBEDTLS_MD_MAX_SIZE];
+    unsigned char counter[4];
+    unsigned char *p;
+    unsigned int hlen;
+    size_t i, use_len;
+    int ret = 0;
+
+    memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
+    memset( counter, 0, 4 );
+
+    hlen = mbedtls_md_get_size( md_ctx->md_info );
+
+    /* Generate and apply dbMask */
+    p = dst;
+
+    while( dlen > 0 )
+    {
+        use_len = hlen;
+        if( dlen < hlen )
+            use_len = dlen;
+
+        if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 )
+            goto exit;
+
+        for( i = 0; i < use_len; ++i )
+            *p++ ^= mask[i];
+
+        counter[3]++;
+
+        dlen -= use_len;
+    }
+
+exit:
+    mbedtls_zeroize( mask, sizeof( mask ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
+ */
+int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng,
+                            int mode,
+                            const unsigned char *label, size_t label_len,
+                            size_t ilen,
+                            const unsigned char *input,
+                            unsigned char *output )
+{
+    size_t olen;
+    int ret;
+    unsigned char *p = output;
+    unsigned int hlen;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( f_rng == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    olen = ctx->len;
+    hlen = mbedtls_md_get_size( md_info );
+
+    /* first comparison checks for overflow */
+    if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    memset( output, 0, olen );
+
+    *p++ = 0;
+
+    /* Generate a random octet string seed */
+    if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
+        return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
+
+    p += hlen;
+
+    /* Construct DB */
+    if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
+        return( ret );
+    p += hlen;
+    p += olen - 2 * hlen - 2 - ilen;
+    *p++ = 1;
+    memcpy( p, input, ilen );
+
+    mbedtls_md_init( &md_ctx );
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+        goto exit;
+
+    /* maskedDB: Apply dbMask to DB */
+    if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
+                          &md_ctx ) ) != 0 )
+        goto exit;
+
+    /* maskedSeed: Apply seedMask to seed */
+    if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
+                          &md_ctx ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_md_free( &md_ctx );
+
+    if( ret != 0 )
+        return( ret );
+
+    return( ( mode == MBEDTLS_RSA_PUBLIC )
+            ? mbedtls_rsa_public(  ctx, output, output )
+            : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode, size_t ilen,
+                                 const unsigned char *input,
+                                 unsigned char *output )
+{
+    size_t nb_pad, olen;
+    int ret;
+    unsigned char *p = output;
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    // We don't check p_rng because it won't be dereferenced here
+    if( f_rng == NULL || input == NULL || output == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    olen = ctx->len;
+
+    /* first comparison checks for overflow */
+    if( ilen + 11 < ilen || olen < ilen + 11 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    nb_pad = olen - 3 - ilen;
+
+    *p++ = 0;
+    if( mode == MBEDTLS_RSA_PUBLIC )
+    {
+        *p++ = MBEDTLS_RSA_CRYPT;
+
+        while( nb_pad-- > 0 )
+        {
+            int rng_dl = 100;
+
+            do {
+                ret = f_rng( p_rng, p, 1 );
+            } while( *p == 0 && --rng_dl && ret == 0 );
+
+            /* Check if RNG failed to generate data */
+            if( rng_dl == 0 || ret != 0 )
+                return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
+
+            p++;
+        }
+    }
+    else
+    {
+        *p++ = MBEDTLS_RSA_SIGN;
+
+        while( nb_pad-- > 0 )
+            *p++ = 0xFF;
+    }
+
+    *p++ = 0;
+    memcpy( p, input, ilen );
+
+    return( ( mode == MBEDTLS_RSA_PUBLIC )
+            ? mbedtls_rsa_public(  ctx, output, output )
+            : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Add the message padding, then do an RSA operation
+ */
+int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng,
+                       int mode, size_t ilen,
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    switch( ctx->padding )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+        case MBEDTLS_RSA_PKCS_V15:
+            return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
+                                                input, output );
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+        case MBEDTLS_RSA_PKCS_V21:
+            return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
+                                           ilen, input, output );
+#endif
+
+        default:
+            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
+ */
+int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng,
+                            int mode,
+                            const unsigned char *label, size_t label_len,
+                            size_t *olen,
+                            const unsigned char *input,
+                            unsigned char *output,
+                            size_t output_max_len )
+{
+    int ret;
+    size_t ilen, i, pad_len;
+    unsigned char *p, bad, pad_done;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+    unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
+    unsigned int hlen;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+
+    /*
+     * Parameters sanity checks
+     */
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    ilen = ctx->len;
+
+    if( ilen < 16 || ilen > sizeof( buf ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    hlen = mbedtls_md_get_size( md_info );
+
+    // checking for integer underflow
+    if( 2 * hlen + 2 > ilen )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * RSA operation
+     */
+    ret = ( mode == MBEDTLS_RSA_PUBLIC )
+          ? mbedtls_rsa_public(  ctx, input, buf )
+          : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
+
+    if( ret != 0 )
+        goto cleanup;
+
+    /*
+     * Unmask data and generate lHash
+     */
+    mbedtls_md_init( &md_ctx );
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+    {
+        mbedtls_md_free( &md_ctx );
+        goto cleanup;
+    }
+
+    /* seed: Apply seedMask to maskedSeed */
+    if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
+                          &md_ctx ) ) != 0 ||
+    /* DB: Apply dbMask to maskedDB */
+        ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
+                          &md_ctx ) ) != 0 )
+    {
+        mbedtls_md_free( &md_ctx );
+        goto cleanup;
+    }
+
+    mbedtls_md_free( &md_ctx );
+
+    /* Generate lHash */
+    if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
+        goto cleanup;
+
+    /*
+     * Check contents, in "constant-time"
+     */
+    p = buf;
+    bad = 0;
+
+    bad |= *p++; /* First byte must be 0 */
+
+    p += hlen; /* Skip seed */
+
+    /* Check lHash */
+    for( i = 0; i < hlen; i++ )
+        bad |= lhash[i] ^ *p++;
+
+    /* Get zero-padding len, but always read till end of buffer
+     * (minus one, for the 01 byte) */
+    pad_len = 0;
+    pad_done = 0;
+    for( i = 0; i < ilen - 2 * hlen - 2; i++ )
+    {
+        pad_done |= p[i];
+        pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
+    }
+
+    p += pad_len;
+    bad |= *p++ ^ 0x01;
+
+    /*
+     * The only information "leaked" is whether the padding was correct or not
+     * (eg, no data is copied if it was not correct). This meets the
+     * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
+     * the different error conditions.
+     */
+    if( bad != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+        goto cleanup;
+    }
+
+    if( ilen - ( p - buf ) > output_max_len )
+    {
+        ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+        goto cleanup;
+    }
+
+    *olen = ilen - (p - buf);
+    memcpy( output, p, *olen );
+    ret = 0;
+
+cleanup:
+    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_zeroize( lhash, sizeof( lhash ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/** Turn zero-or-nonzero into zero-or-all-bits-one, without branches.
+ *
+ * \param value     The value to analyze.
+ * \return          Zero if \p value is zero, otherwise all-bits-one.
+ */
+static unsigned all_or_nothing_int( unsigned value )
+{
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+}
+
+/** Check whether a size is out of bounds, without branches.
+ *
+ * This is equivalent to `size > max`, but is likely to be compiled to
+ * to code using bitwise operation rather than a branch.
+ *
+ * \param size      Size to check.
+ * \param max       Maximum desired value for \p size.
+ * \return          \c 0 if `size <= max`.
+ * \return          \c 1 if `size > max`.
+ */
+static unsigned size_greater_than( size_t size, size_t max )
+{
+    /* Return the sign bit (1 for negative) of (max - size). */
+    return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) );
+}
+
+/** Choose between two integer values, without branches.
+ *
+ * This is equivalent to `cond ? if1 : if0`, but is likely to be compiled
+ * to code using bitwise operation rather than a branch.
+ *
+ * \param cond      Condition to test.
+ * \param if1       Value to use if \p cond is nonzero.
+ * \param if0       Value to use if \p cond is zero.
+ * \return          \c if1 if \p cond is nonzero, otherwise \c if0.
+ */
+static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 )
+{
+    unsigned mask = all_or_nothing_int( cond );
+    return( ( mask & if1 ) | (~mask & if0 ) );
+}
+
+/** Shift some data towards the left inside a buffer without leaking
+ * the length of the data through side channels.
+ *
+ * `mem_move_to_left(start, total, offset)` is functionally equivalent to
+ * ```
+ * memmove(start, start + offset, total - offset);
+ * memset(start + offset, 0, total - offset);
+ * ```
+ * but it strives to use a memory access pattern (and thus total timing)
+ * that does not depend on \p offset. This timing independence comes at
+ * the expense of performance.
+ *
+ * \param start     Pointer to the start of the buffer.
+ * \param total     Total size of the buffer.
+ * \param offset    Offset from which to copy \p total - \p offset bytes.
+ */
+static void mem_move_to_left( void *start,
+                              size_t total,
+                              size_t offset )
+{
+    volatile unsigned char *buf = start;
+    size_t i, n;
+    if( total == 0 )
+        return;
+    for( i = 0; i < total; i++ )
+    {
+        unsigned no_op = size_greater_than( total - offset, i );
+        /* The first `total - offset` passes are a no-op. The last
+         * `offset` passes shift the data one byte to the left and
+         * zero out the last byte. */
+        for( n = 0; n < total - 1; n++ )
+        {
+            unsigned char current = buf[n];
+            unsigned char next = buf[n+1];
+            buf[n] = if_int( no_op, current, next );
+        }
+        buf[total-1] = if_int( no_op, buf[total-1], 0 );
+    }
+}
+
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode, size_t *olen,
+                                 const unsigned char *input,
+                                 unsigned char *output,
+                                 size_t output_max_len )
+{
+    int ret;
+    size_t ilen = ctx->len;
+    size_t i;
+    size_t plaintext_max_size = ( output_max_len > ilen - 11 ?
+                                  ilen - 11 :
+                                  output_max_len );
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+    /* The following variables take sensitive values: their value must
+     * not leak into the observable behavior of the function other than
+     * the designated outputs (output, olen, return value). Otherwise
+     * this would open the execution of the function to
+     * side-channel-based variants of the Bleichenbacher padding oracle
+     * attack. Potential side channels include overall timing, memory
+     * access patterns (especially visible to an adversary who has access
+     * to a shared memory cache), and branches (especially visible to
+     * an adversary who has access to a shared code cache or to a shared
+     * branch predictor). */
+    size_t pad_count = 0;
+    unsigned bad = 0;
+    unsigned char pad_done = 0;
+    size_t plaintext_size = 0;
+    unsigned output_too_large;
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( ilen < 16 || ilen > sizeof( buf ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    ret = ( mode == MBEDTLS_RSA_PUBLIC )
+          ? mbedtls_rsa_public(  ctx, input, buf )
+          : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
+
+    if( ret != 0 )
+        goto cleanup;
+
+    /* Check and get padding length in constant time and constant
+     * memory trace. The first byte must be 0. */
+    bad |= buf[0];
+
+    if( mode == MBEDTLS_RSA_PRIVATE )
+    {
+        /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
+         * where PS must be at least 8 nonzero bytes. */
+        bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
+
+        /* Read the whole buffer. Set pad_done to nonzero if we find
+         * the 0x00 byte and remember the padding length in pad_count. */
+        for( i = 2; i < ilen; i++ )
+        {
+            pad_done  |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
+            pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
+        }
+    }
+    else
+    {
+        /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00
+         * where PS must be at least 8 bytes with the value 0xFF. */
+        bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
+
+        /* Read the whole buffer. Set pad_done to nonzero if we find
+         * the 0x00 byte and remember the padding length in pad_count.
+         * If there's a non-0xff byte in the padding, the padding is bad. */
+        for( i = 2; i < ilen; i++ )
+        {
+            pad_done |= if_int( buf[i], 0, 1 );
+            pad_count += if_int( pad_done, 0, 1 );
+            bad |= if_int( pad_done, 0, buf[i] ^ 0xFF );
+        }
+    }
+
+    /* If pad_done is still zero, there's no data, only unfinished padding. */
+    bad |= if_int( pad_done, 0, 1 );
+
+    /* There must be at least 8 bytes of padding. */
+    bad |= size_greater_than( 8, pad_count );
+
+    /* If the padding is valid, set plaintext_size to the number of
+     * remaining bytes after stripping the padding. If the padding
+     * is invalid, avoid leaking this fact through the size of the
+     * output: use the maximum message size that fits in the output
+     * buffer. Do it without branches to avoid leaking the padding
+     * validity through timing. RSA keys are small enough that all the
+     * size_t values involved fit in unsigned int. */
+    plaintext_size = if_int( bad,
+                             (unsigned) plaintext_max_size,
+                             (unsigned) ( ilen - pad_count - 3 ) );
+
+    /* Set output_too_large to 0 if the plaintext fits in the output
+     * buffer and to 1 otherwise. */
+    output_too_large = size_greater_than( plaintext_size,
+                                          plaintext_max_size );
+
+    /* Set ret without branches to avoid timing attacks. Return:
+     * - INVALID_PADDING if the padding is bad (bad != 0).
+     * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
+     *   plaintext does not fit in the output buffer.
+     * - 0 if the padding is correct. */
+    ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
+                  if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
+                          0 ) );
+
+    /* If the padding is bad or the plaintext is too large, zero the
+     * data that we're about to copy to the output buffer.
+     * We need to copy the same amount of data
+     * from the same buffer whether the padding is good or not to
+     * avoid leaking the padding validity through overall timing or
+     * through memory or cache access patterns. */
+    bad = all_or_nothing_int( bad | output_too_large );
+    for( i = 11; i < ilen; i++ )
+        buf[i] &= ~bad;
+
+    /* If the plaintext is too large, truncate it to the buffer size.
+     * Copy anyway to avoid revealing the length through timing, because
+     * revealing the length is as bad as revealing the padding validity
+     * for a Bleichenbacher attack. */
+    plaintext_size = if_int( output_too_large,
+                             (unsigned) plaintext_max_size,
+                             (unsigned) plaintext_size );
+
+    /* Move the plaintext to the leftmost position where it can start in
+     * the working buffer, i.e. make it start plaintext_max_size from
+     * the end of the buffer. Do this with a memory access trace that
+     * does not depend on the plaintext size. After this move, the
+     * starting location of the plaintext is no longer sensitive
+     * information. */
+    mem_move_to_left( buf + ilen - plaintext_max_size,
+                      plaintext_max_size,
+                      plaintext_max_size - plaintext_size );
+
+    /* Finally copy the decrypted plaintext plus trailing zeros
+     * into the output buffer. */
+    memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size );
+
+    /* Report the amount of data we copied to the output buffer. In case
+     * of errors (bad padding or output too large), the value of *olen
+     * when this function returns is not specified. Making it equivalent
+     * to the good case limits the risks of leaking the padding validity. */
+    *olen = plaintext_size;
+
+cleanup:
+    mbedtls_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation, then remove the message padding
+ */
+int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng,
+                       int mode, size_t *olen,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t output_max_len)
+{
+    switch( ctx->padding )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+        case MBEDTLS_RSA_PKCS_V15:
+            return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
+                                                input, output, output_max_len );
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+        case MBEDTLS_RSA_PKCS_V21:
+            return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
+                                           olen, input, output,
+                                           output_max_len );
+#endif
+
+        default:
+            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
+ */
+int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         int mode,
+                         mbedtls_md_type_t md_alg,
+                         unsigned int hashlen,
+                         const unsigned char *hash,
+                         unsigned char *sig )
+{
+    size_t olen;
+    unsigned char *p = sig;
+    unsigned char salt[MBEDTLS_MD_MAX_SIZE];
+    unsigned int slen, hlen, offset = 0;
+    int ret;
+    size_t msb;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( f_rng == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    olen = ctx->len;
+
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        /* Gather length of hash to sign */
+        md_info = mbedtls_md_info_from_type( md_alg );
+        if( md_info == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = mbedtls_md_get_size( md_info );
+    }
+
+    md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    hlen = mbedtls_md_get_size( md_info );
+    slen = hlen;
+
+    if( olen < hlen + slen + 2 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    memset( sig, 0, olen );
+
+    /* Generate salt of length slen */
+    if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
+        return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
+
+    /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
+    msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
+    p += olen - hlen * 2 - 2;
+    *p++ = 0x01;
+    memcpy( p, salt, slen );
+    p += slen;
+
+    mbedtls_md_init( &md_ctx );
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+        goto exit;
+
+    /* Generate H = Hash( M' ) */
+    if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 )
+        goto exit;
+
+    /* Compensate for boundary condition when applying mask */
+    if( msb % 8 == 0 )
+        offset = 1;
+
+    /* maskedDB: Apply dbMask to DB */
+    if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
+                          &md_ctx ) ) != 0 )
+        goto exit;
+
+    msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
+    sig[0] &= 0xFF >> ( olen * 8 - msb );
+
+    p += hlen;
+    *p++ = 0xBC;
+
+    mbedtls_zeroize( salt, sizeof( salt ) );
+
+exit:
+    mbedtls_md_free( &md_ctx );
+
+    if( ret != 0 )
+        return( ret );
+
+    return( ( mode == MBEDTLS_RSA_PUBLIC )
+            ? mbedtls_rsa_public(  ctx, sig, sig )
+            : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
+ */
+
+/* Construct a PKCS v1.5 encoding of a hashed message
+ *
+ * This is used both for signature generation and verification.
+ *
+ * Parameters:
+ * - md_alg:  Identifies the hash algorithm used to generate the given hash;
+ *            MBEDTLS_MD_NONE if raw data is signed.
+ * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
+ * - hash:    Buffer containing the hashed message or the raw data.
+ * - dst_len: Length of the encoded message.
+ * - dst:     Buffer to hold the encoded message.
+ *
+ * Assumptions:
+ * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
+ * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
+ * - dst points to a buffer of size at least dst_len.
+ *
+ */
+static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
+                                        unsigned int hashlen,
+                                        const unsigned char *hash,
+                                        size_t dst_len,
+                                        unsigned char *dst )
+{
+    size_t oid_size  = 0;
+    size_t nb_pad    = dst_len;
+    unsigned char *p = dst;
+    const char *oid  = NULL;
+
+    /* Are we signing hashed or raw data? */
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+        if( md_info == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = mbedtls_md_get_size( md_info );
+
+        /* Double-check that 8 + hashlen + oid_size can be used as a
+         * 1-byte ASN.1 length encoding and that there's no overflow. */
+        if( 8 + hashlen + oid_size  >= 0x80         ||
+            10 + hashlen            <  hashlen      ||
+            10 + hashlen + oid_size <  10 + hashlen )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        /*
+         * Static bounds check:
+         * - Need 10 bytes for five tag-length pairs.
+         *   (Insist on 1-byte length encodings to protect against variants of
+         *    Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
+         * - Need hashlen bytes for hash
+         * - Need oid_size bytes for hash alg OID.
+         */
+        if( nb_pad < 10 + hashlen + oid_size )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+        nb_pad -= 10 + hashlen + oid_size;
+    }
+    else
+    {
+        if( nb_pad < hashlen )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        nb_pad -= hashlen;
+    }
+
+    /* Need space for signature header and padding delimiter (3 bytes),
+     * and 8 bytes for the minimal padding */
+    if( nb_pad < 3 + 8 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    nb_pad -= 3;
+
+    /* Now nb_pad is the amount of memory to be filled
+     * with padding, and at least 8 bytes long. */
+
+    /* Write signature header and padding */
+    *p++ = 0;
+    *p++ = MBEDTLS_RSA_SIGN;
+    memset( p, 0xFF, nb_pad );
+    p += nb_pad;
+    *p++ = 0;
+
+    /* Are we signing raw data? */
+    if( md_alg == MBEDTLS_MD_NONE )
+    {
+        memcpy( p, hash, hashlen );
+        return( 0 );
+    }
+
+    /* Signing hashed data, add corresponding ASN.1 structure
+     *
+     * DigestInfo ::= SEQUENCE {
+     *   digestAlgorithm DigestAlgorithmIdentifier,
+     *   digest Digest }
+     * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+     * Digest ::= OCTET STRING
+     *
+     * Schematic:
+     * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID  + LEN [ OID  ]
+     *                                 TAG-NULL + LEN [ NULL ] ]
+     *                 TAG-OCTET + LEN [ HASH ] ]
+     */
+    *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+    *p++ = (unsigned char)( 0x08 + oid_size + hashlen );
+    *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+    *p++ = (unsigned char)( 0x04 + oid_size );
+    *p++ = MBEDTLS_ASN1_OID;
+    *p++ = (unsigned char) oid_size;
+    memcpy( p, oid, oid_size );
+    p += oid_size;
+    *p++ = MBEDTLS_ASN1_NULL;
+    *p++ = 0x00;
+    *p++ = MBEDTLS_ASN1_OCTET_STRING;
+    *p++ = (unsigned char) hashlen;
+    memcpy( p, hash, hashlen );
+    p += hashlen;
+
+    /* Just a sanity-check, should be automatic
+     * after the initial bounds check. */
+    if( p != dst + dst_len )
+    {
+        mbedtls_zeroize( dst, dst_len );
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Do an RSA operation to sign the message digest
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng,
+                               int mode,
+                               mbedtls_md_type_t md_alg,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               unsigned char *sig )
+{
+    int ret;
+    unsigned char *sig_try = NULL, *verif = NULL;
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
+     */
+
+    if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
+                                             ctx->len, sig ) ) != 0 )
+        return( ret );
+
+    /*
+     * Call respective RSA primitive
+     */
+
+    if( mode == MBEDTLS_RSA_PUBLIC )
+    {
+        /* Skip verification on a public key operation */
+        return( mbedtls_rsa_public( ctx, sig, sig ) );
+    }
+
+    /* Private key operation
+     *
+     * In order to prevent Lenstra's attack, make the signature in a
+     * temporary buffer and check it before returning it.
+     */
+
+    sig_try = mbedtls_calloc( 1, ctx->len );
+    if( sig_try == NULL )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    verif = mbedtls_calloc( 1, ctx->len );
+    if( verif == NULL )
+    {
+        mbedtls_free( sig_try );
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
+
+    if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
+        goto cleanup;
+    }
+
+    memcpy( sig, sig_try, ctx->len );
+
+cleanup:
+    mbedtls_free( sig_try );
+    mbedtls_free( verif );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation to sign the message digest
+ */
+int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t),
+                    void *p_rng,
+                    int mode,
+                    mbedtls_md_type_t md_alg,
+                    unsigned int hashlen,
+                    const unsigned char *hash,
+                    unsigned char *sig )
+{
+    switch( ctx->padding )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+        case MBEDTLS_RSA_PKCS_V15:
+            return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
+                                              hashlen, hash, sig );
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+        case MBEDTLS_RSA_PKCS_V21:
+            return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
+                                        hashlen, hash, sig );
+#endif
+
+        default:
+            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng,
+                               int mode,
+                               mbedtls_md_type_t md_alg,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               mbedtls_md_type_t mgf1_hash_id,
+                               int expected_salt_len,
+                               const unsigned char *sig )
+{
+    int ret;
+    size_t siglen;
+    unsigned char *p;
+    unsigned char *hash_start;
+    unsigned char result[MBEDTLS_MD_MAX_SIZE];
+    unsigned char zeros[8];
+    unsigned int hlen;
+    size_t observed_salt_len, msb;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    siglen = ctx->len;
+
+    if( siglen < 16 || siglen > sizeof( buf ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    ret = ( mode == MBEDTLS_RSA_PUBLIC )
+          ? mbedtls_rsa_public(  ctx, sig, buf )
+          : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
+
+    if( ret != 0 )
+        return( ret );
+
+    p = buf;
+
+    if( buf[siglen - 1] != 0xBC )
+        return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        /* Gather length of hash to sign */
+        md_info = mbedtls_md_info_from_type( md_alg );
+        if( md_info == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = mbedtls_md_get_size( md_info );
+    }
+
+    md_info = mbedtls_md_info_from_type( mgf1_hash_id );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    hlen = mbedtls_md_get_size( md_info );
+
+    memset( zeros, 0, 8 );
+
+    /*
+     * Note: EMSA-PSS verification is over the length of N - 1 bits
+     */
+    msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
+
+    if( buf[0] >> ( 8 - siglen * 8 + msb ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /* Compensate for boundary condition when applying mask */
+    if( msb % 8 == 0 )
+    {
+        p++;
+        siglen -= 1;
+    }
+
+    if( siglen < hlen + 2 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    hash_start = p + siglen - hlen - 1;
+
+    mbedtls_md_init( &md_ctx );
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+        goto exit;
+
+    ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
+    if( ret != 0 )
+        goto exit;
+
+    buf[0] &= 0xFF >> ( siglen * 8 - msb );
+
+    while( p < hash_start - 1 && *p == 0 )
+        p++;
+
+    if( *p++ != 0x01 )
+    {
+        ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+        goto exit;
+    }
+
+    observed_salt_len = hash_start - p;
+
+    if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
+        observed_salt_len != (size_t) expected_salt_len )
+    {
+        ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+        goto exit;
+    }
+
+    /*
+     * Generate H = Hash( M' )
+     */
+    ret = mbedtls_md_starts( &md_ctx );
+    if ( ret != 0 )
+        goto exit;
+    ret = mbedtls_md_update( &md_ctx, zeros, 8 );
+    if ( ret != 0 )
+        goto exit;
+    ret = mbedtls_md_update( &md_ctx, hash, hashlen );
+    if ( ret != 0 )
+        goto exit;
+    ret = mbedtls_md_update( &md_ctx, p, observed_salt_len );
+    if ( ret != 0 )
+        goto exit;
+    ret = mbedtls_md_finish( &md_ctx, result );
+    if ( ret != 0 )
+        goto exit;
+
+    if( memcmp( hash_start, result, hlen ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+        goto exit;
+    }
+
+exit:
+    mbedtls_md_free( &md_ctx );
+
+    return( ret );
+}
+
+/*
+ * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng,
+                           int mode,
+                           mbedtls_md_type_t md_alg,
+                           unsigned int hashlen,
+                           const unsigned char *hash,
+                           const unsigned char *sig )
+{
+    mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
+                             ? (mbedtls_md_type_t) ctx->hash_id
+                             : md_alg;
+
+    return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
+                                       md_alg, hashlen, hash,
+                                       mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
+                                       sig ) );
+
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode,
+                                 mbedtls_md_type_t md_alg,
+                                 unsigned int hashlen,
+                                 const unsigned char *hash,
+                                 const unsigned char *sig )
+{
+    int ret = 0;
+    const size_t sig_len = ctx->len;
+    unsigned char *encoded = NULL, *encoded_expected = NULL;
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * Prepare expected PKCS1 v1.5 encoding of hash.
+     */
+
+    if( ( encoded          = mbedtls_calloc( 1, sig_len ) ) == NULL ||
+        ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )
+    {
+        ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
+        goto cleanup;
+    }
+
+    if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
+                                             encoded_expected ) ) != 0 )
+        goto cleanup;
+
+    /*
+     * Apply RSA primitive to get what should be PKCS1 encoded hash.
+     */
+
+    ret = ( mode == MBEDTLS_RSA_PUBLIC )
+          ? mbedtls_rsa_public(  ctx, sig, encoded )
+          : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded );
+    if( ret != 0 )
+        goto cleanup;
+
+    /*
+     * Compare
+     */
+
+    if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected,
+                                      sig_len ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+cleanup:
+
+    if( encoded != NULL )
+    {
+        mbedtls_zeroize( encoded, sig_len );
+        mbedtls_free( encoded );
+    }
+
+    if( encoded_expected != NULL )
+    {
+        mbedtls_zeroize( encoded_expected, sig_len );
+        mbedtls_free( encoded_expected );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation and check the message digest
+ */
+int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng,
+                      int mode,
+                      mbedtls_md_type_t md_alg,
+                      unsigned int hashlen,
+                      const unsigned char *hash,
+                      const unsigned char *sig )
+{
+    switch( ctx->padding )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+        case MBEDTLS_RSA_PKCS_V15:
+            return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
+                                                hashlen, hash, sig );
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+        case MBEDTLS_RSA_PKCS_V21:
+            return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
+                                          hashlen, hash, sig );
+#endif
+
+        default:
+            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    }
+}
+
+/*
+ * Copy the components of an RSA key
+ */
+int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
+{
+    int ret;
+
+    dst->len = src->len;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
+#endif
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
+
+    dst->padding = src->padding;
+    dst->hash_id = src->hash_id;
+
+cleanup:
+    if( ret != 0 )
+        mbedtls_rsa_free( dst );
+
+    return( ret );
+}
+
+/*
+ * Free the components of an RSA key
+ */
+void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
+{
+    mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
+    mbedtls_mpi_free( &ctx->RN ); mbedtls_mpi_free( &ctx->D  );
+    mbedtls_mpi_free( &ctx->Q  ); mbedtls_mpi_free( &ctx->P  );
+    mbedtls_mpi_free( &ctx->E  ); mbedtls_mpi_free( &ctx->N  );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP );
+    mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ );
+    mbedtls_mpi_free( &ctx->DP );
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+#if defined(MBEDTLS_THREADING_C)
+    /* Free the mutex, but only if it hasn't been freed already. */
+    if( ctx->ver != 0 )
+    {
+        mbedtls_mutex_free( &ctx->mutex );
+        ctx->ver = 0;
+    }
+#endif
+}
+
+#endif /* !MBEDTLS_RSA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#include "mbedtls/sha1.h"
+
+/*
+ * Example RSA-1024 keypair, for test purposes
+ */
+#define KEY_LEN 128
+
+#define RSA_N   "9292758453063D803DD603D5E777D788" \
+                "8ED1D5BF35786190FA2F23EBC0848AEA" \
+                "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
+                "7130B9CED7ACDF54CFC7555AC14EEBAB" \
+                "93A89813FBF3C4F8066D2D800F7C38A8" \
+                "1AE31942917403FF4946B0A83D3D3E05" \
+                "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
+                "5E94BB77B07507233A0BC7BAC8F90F79"
+
+#define RSA_E   "10001"
+
+#define RSA_D   "24BF6185468786FDD303083D25E64EFC" \
+                "66CA472BC44D253102F8B4A9D3BFA750" \
+                "91386C0077937FE33FA3252D28855837" \
+                "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
+                "DF79C5CE07EE72C7F123142198164234" \
+                "CABB724CF78B8173B9F880FC86322407" \
+                "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
+                "071513A1E85B5DFA031F21ECAE91A34D"
+
+#define RSA_P   "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
+                "2C01CAD19EA484A87EA4377637E75500" \
+                "FCB2005C5C7DD6EC4AC023CDA285D796" \
+                "C3D9E75E1EFC42488BB4F1D13AC30A57"
+
+#define RSA_Q   "C000DF51A7C77AE8D7C7370C1FF55B69" \
+                "E211C2B9E5DB1ED0BF61D0D9899620F4" \
+                "910E4168387E3C30AA1E00C339A79508" \
+                "8452DD96A9A5EA5D9DCA68DA636032AF"
+
+#define PT_LEN  24
+#define RSA_PT  "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
+                "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
+
+#if defined(MBEDTLS_PKCS1_V15)
+static int myrand( void *rng_state, unsigned char *output, size_t len )
+{
+#if !defined(__OpenBSD__) && !defined(__NetBSD__)
+    size_t i;
+
+    if( rng_state != NULL )
+        rng_state  = NULL;
+
+    for( i = 0; i < len; ++i )
+        output[i] = rand();
+#else
+    if( rng_state != NULL )
+        rng_state = NULL;
+
+    arc4random_buf( output, len );
+#endif /* !OpenBSD && !NetBSD */
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_rsa_self_test( int verbose )
+{
+    int ret = 0;
+#if defined(MBEDTLS_PKCS1_V15)
+    size_t len;
+    mbedtls_rsa_context rsa;
+    unsigned char rsa_plaintext[PT_LEN];
+    unsigned char rsa_decrypted[PT_LEN];
+    unsigned char rsa_ciphertext[KEY_LEN];
+#if defined(MBEDTLS_SHA1_C)
+    unsigned char sha1sum[20];
+#endif
+
+    mbedtls_mpi K;
+
+    mbedtls_mpi_init( &K );
+    mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  RSA key validation: " );
+
+    if( mbedtls_rsa_check_pubkey(  &rsa ) != 0 ||
+        mbedtls_rsa_check_privkey( &rsa ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  PKCS#1 encryption : " );
+
+    memcpy( rsa_plaintext, RSA_PT, PT_LEN );
+
+    if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,
+                                   PT_LEN, rsa_plaintext,
+                                   rsa_ciphertext ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  PKCS#1 decryption : " );
+
+    if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,
+                                   &len, rsa_ciphertext, rsa_decrypted,
+                                   sizeof(rsa_decrypted) ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+#if defined(MBEDTLS_SHA1_C)
+    if( verbose != 0 )
+        mbedtls_printf( "  PKCS#1 data sign  : " );
+
+    if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        return( 1 );
+    }
+
+    if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
+                                MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
+                                sha1sum, rsa_ciphertext ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  PKCS#1 sig. verify: " );
+
+    if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,
+                                  MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
+                                  sha1sum, rsa_ciphertext ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+#endif /* MBEDTLS_SHA1_C */
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+cleanup:
+    mbedtls_mpi_free( &K );
+    mbedtls_rsa_free( &rsa );
+#else /* MBEDTLS_PKCS1_V15 */
+    ((void) verbose);
+#endif /* MBEDTLS_PKCS1_V15 */
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_RSA_C */
diff --git a/third-party/mbedtls-3.6/library/rsa_internal.c b/third-party/mbedtls-3.6/library/rsa_internal.c
new file mode 100644
index 00000000..30115a0d
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/rsa_internal.c
@@ -0,0 +1,512 @@
+/*
+ *  Helper functions for the RSA module
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+
+#include "mbedtls/rsa.h"
+#include "mbedtls/bignum.h"
+#include "mbedtls/rsa_internal.h"
+
+/*
+ * Compute RSA prime factors from public and private exponents
+ *
+ * Summary of algorithm:
+ * Setting F := lcm(P-1,Q-1), the idea is as follows:
+ *
+ * (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)
+ *     is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the
+ *     square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four
+ *     possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)
+ *     or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime
+ *     factors of N.
+ *
+ * (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same
+ *     construction still applies since (-)^K is the identity on the set of
+ *     roots of 1 in Z/NZ.
+ *
+ * The public and private key primitives (-)^E and (-)^D are mutually inverse
+ * bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.
+ * if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.
+ * Splitting L = 2^t * K with K odd, we have
+ *
+ *   DE - 1 = FL = (F/2) * (2^(t+1)) * K,
+ *
+ * so (F / 2) * K is among the numbers
+ *
+ *   (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord
+ *
+ * where ord is the order of 2 in (DE - 1).
+ * We can therefore iterate through these numbers apply the construction
+ * of (a) and (b) above to attempt to factor N.
+ *
+ */
+int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N,
+                     mbedtls_mpi const *E, mbedtls_mpi const *D,
+                     mbedtls_mpi *P, mbedtls_mpi *Q )
+{
+    int ret = 0;
+
+    uint16_t attempt;  /* Number of current attempt  */
+    uint16_t iter;     /* Number of squares computed in the current attempt */
+
+    uint16_t order;    /* Order of 2 in DE - 1 */
+
+    mbedtls_mpi T;  /* Holds largest odd divisor of DE - 1     */
+    mbedtls_mpi K;  /* Temporary holding the current candidate */
+
+    const unsigned char primes[] = { 2,
+           3,    5,    7,   11,   13,   17,   19,   23,
+          29,   31,   37,   41,   43,   47,   53,   59,
+          61,   67,   71,   73,   79,   83,   89,   97,
+         101,  103,  107,  109,  113,  127,  131,  137,
+         139,  149,  151,  157,  163,  167,  173,  179,
+         181,  191,  193,  197,  199,  211,  223,  227,
+         229,  233,  239,  241,  251
+    };
+
+    const size_t num_primes = sizeof( primes ) / sizeof( *primes );
+
+    if( P == NULL || Q == NULL || P->p != NULL || Q->p != NULL )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 ||
+        mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||
+        mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||
+        mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||
+        mbedtls_mpi_cmp_mpi( E, N ) >= 0 )
+    {
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+    }
+
+    /*
+     * Initializations and temporary changes
+     */
+
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &T );
+
+    /* T := DE - 1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, D,  E ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &T, &T, 1 ) );
+
+    if( ( order = (uint16_t) mbedtls_mpi_lsb( &T ) ) == 0 )
+    {
+        ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    /* After this operation, T holds the largest odd divisor of DE - 1. */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &T, order ) );
+
+    /*
+     * Actual work
+     */
+
+    /* Skip trying 2 if N == 1 mod 8 */
+    attempt = 0;
+    if( N->p[0] % 8 == 1 )
+        attempt = 1;
+
+    for( ; attempt < num_primes; ++attempt )
+    {
+        mbedtls_mpi_lset( &K, primes[attempt] );
+
+        /* Check if gcd(K,N) = 1 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );
+        if( mbedtls_mpi_cmp_int( P, 1 ) != 0 )
+            continue;
+
+        /* Go through K^T + 1, K^(2T) + 1, K^(4T) + 1, ...
+         * and check whether they have nontrivial GCD with N. */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &K, &K, &T, N,
+                             Q /* temporarily use Q for storing Montgomery
+                                * multiplication helper values */ ) );
+
+        for( iter = 1; iter <= order; ++iter )
+        {
+            /* If we reach 1 prematurely, there's no point
+             * in continuing to square K */
+            if( mbedtls_mpi_cmp_int( &K, 1 ) == 0 )
+                break;
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &K, &K, 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );
+
+            if( mbedtls_mpi_cmp_int( P, 1 ) ==  1 &&
+                mbedtls_mpi_cmp_mpi( P, N ) == -1 )
+            {
+                /*
+                 * Have found a nontrivial divisor P of N.
+                 * Set Q := N / P.
+                 */
+
+                MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( Q, NULL, N, P ) );
+                goto cleanup;
+            }
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &K ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, N ) );
+        }
+
+        /*
+         * If we get here, then either we prematurely aborted the loop because
+         * we reached 1, or K holds primes[attempt]^(DE - 1) mod N, which must
+         * be 1 if D,E,N were consistent.
+         * Check if that's the case and abort if not, to avoid very long,
+         * yet eventually failing, computations if N,D,E were not sane.
+         */
+        if( mbedtls_mpi_cmp_int( &K, 1 ) != 0 )
+        {
+            break;
+        }
+    }
+
+    ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+cleanup:
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &T );
+    return( ret );
+}
+
+/*
+ * Given P, Q and the public exponent E, deduce D.
+ * This is essentially a modular inversion.
+ */
+int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,
+                                         mbedtls_mpi const *Q,
+                                         mbedtls_mpi const *E,
+                                         mbedtls_mpi *D )
+{
+    int ret = 0;
+    mbedtls_mpi K, L;
+
+    if( D == NULL || mbedtls_mpi_cmp_int( D, 0 ) != 0 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||
+        mbedtls_mpi_cmp_int( Q, 1 ) <= 0 ||
+        mbedtls_mpi_cmp_int( E, 0 ) == 0 )
+    {
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+    }
+
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &L );
+
+    /* Temporarily put K := P-1 and L := Q-1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );
+
+    /* Temporarily put D := gcd(P-1, Q-1) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( D, &K, &L ) );
+
+    /* K := LCM(P-1, Q-1) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &L ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &K, NULL, &K, D ) );
+
+    /* Compute modular inverse of E in LCM(P-1, Q-1) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( D, E, &K ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &L );
+
+    return( ret );
+}
+
+/*
+ * Check that RSA CRT parameters are in accordance with core parameters.
+ */
+int mbedtls_rsa_validate_crt( const mbedtls_mpi *P,  const mbedtls_mpi *Q,
+                              const mbedtls_mpi *D,  const mbedtls_mpi *DP,
+                              const mbedtls_mpi *DQ, const mbedtls_mpi *QP )
+{
+    int ret = 0;
+
+    mbedtls_mpi K, L;
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &L );
+
+    /* Check that DP - D == 0 mod P - 1 */
+    if( DP != NULL )
+    {
+        if( P == NULL )
+        {
+            ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DP, D ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );
+
+        if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+    /* Check that DQ - D == 0 mod Q - 1 */
+    if( DQ != NULL )
+    {
+        if( Q == NULL )
+        {
+            ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DQ, D ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );
+
+        if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+    /* Check that QP * Q - 1 == 0 mod P */
+    if( QP != NULL )
+    {
+        if( P == NULL || Q == NULL )
+        {
+            ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, QP, Q ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, P ) );
+        if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+cleanup:
+
+    /* Wrap MPI error codes by RSA check failure error code */
+    if( ret != 0 &&
+        ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&
+        ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
+    {
+        ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+    }
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &L );
+
+    return( ret );
+}
+
+/*
+ * Check that core RSA parameters are sane.
+ */
+int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,
+                                 const mbedtls_mpi *Q, const mbedtls_mpi *D,
+                                 const mbedtls_mpi *E,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng )
+{
+    int ret = 0;
+    mbedtls_mpi K, L;
+
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &L );
+
+    /*
+     * Step 1: If PRNG provided, check that P and Q are prime
+     */
+
+#if defined(MBEDTLS_GENPRIME)
+    if( f_rng != NULL && P != NULL &&
+        ( ret = mbedtls_mpi_is_prime( P, f_rng, p_rng ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+        goto cleanup;
+    }
+
+    if( f_rng != NULL && Q != NULL &&
+        ( ret = mbedtls_mpi_is_prime( Q, f_rng, p_rng ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+        goto cleanup;
+    }
+#else
+    ((void) f_rng);
+    ((void) p_rng);
+#endif /* MBEDTLS_GENPRIME */
+
+    /*
+     * Step 2: Check that 1 < N = P * Q
+     */
+
+    if( P != NULL && Q != NULL && N != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, P, Q ) );
+        if( mbedtls_mpi_cmp_int( N, 1 )  <= 0 ||
+            mbedtls_mpi_cmp_mpi( &K, N ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+    /*
+     * Step 3: Check and 1 < D, E < N if present.
+     */
+
+    if( N != NULL && D != NULL && E != NULL )
+    {
+        if ( mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||
+             mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||
+             mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||
+             mbedtls_mpi_cmp_mpi( E, N ) >= 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+    /*
+     * Step 4: Check that D, E are inverse modulo P-1 and Q-1
+     */
+
+    if( P != NULL && Q != NULL && D != NULL && E != NULL )
+    {
+        if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||
+            mbedtls_mpi_cmp_int( Q, 1 ) <= 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+
+        /* Compute DE-1 mod P-1 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );
+        if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+
+        /* Compute DE-1 mod Q-1 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );
+        if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &L );
+
+    /* Wrap MPI error codes by RSA check failure error code */
+    if( ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
+    {
+        ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+    }
+
+    return( ret );
+}
+
+int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
+                            const mbedtls_mpi *D, mbedtls_mpi *DP,
+                            mbedtls_mpi *DQ, mbedtls_mpi *QP )
+{
+    int ret = 0;
+    mbedtls_mpi K;
+    mbedtls_mpi_init( &K );
+
+    /* DP = D mod P-1 */
+    if( DP != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1  ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DP, D, &K ) );
+    }
+
+    /* DQ = D mod Q-1 */
+    if( DQ != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1  ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DQ, D, &K ) );
+    }
+
+    /* QP = Q^{-1} mod P */
+    if( QP != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( QP, Q, P ) );
+    }
+
+cleanup:
+    mbedtls_mpi_free( &K );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_RSA_C */
diff --git a/third-party/mbedtls-3.6/library/sha1.c b/third-party/mbedtls-3.6/library/sha1.c
new file mode 100644
index 00000000..7e6981d5
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/sha1.c
@@ -0,0 +1,584 @@
+/*
+ *  FIPS-180-1 compliant SHA-1 implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The SHA-1 standard was published by NIST in 1993.
+ *
+ *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+
+#include "mbedtls/sha1.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_SHA1_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+void mbedtls_sha1_init( mbedtls_sha1_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_sha1_context ) );
+}
+
+void mbedtls_sha1_free( mbedtls_sha1_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_sha1_context ) );
+}
+
+void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
+                         const mbedtls_sha1_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * SHA-1 context setup
+ */
+int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx )
+{
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+    ctx->state[4] = 0xC3D2E1F0;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1_starts( mbedtls_sha1_context *ctx )
+{
+    mbedtls_sha1_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_SHA1_PROCESS_ALT)
+int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
+                                   const unsigned char data[64] )
+{
+    struct
+    {
+        uint32_t temp, W[16], A, B, C, D, E;
+    } local;
+
+    GET_UINT32_BE( local.W[ 0], data,  0 );
+    GET_UINT32_BE( local.W[ 1], data,  4 );
+    GET_UINT32_BE( local.W[ 2], data,  8 );
+    GET_UINT32_BE( local.W[ 3], data, 12 );
+    GET_UINT32_BE( local.W[ 4], data, 16 );
+    GET_UINT32_BE( local.W[ 5], data, 20 );
+    GET_UINT32_BE( local.W[ 6], data, 24 );
+    GET_UINT32_BE( local.W[ 7], data, 28 );
+    GET_UINT32_BE( local.W[ 8], data, 32 );
+    GET_UINT32_BE( local.W[ 9], data, 36 );
+    GET_UINT32_BE( local.W[10], data, 40 );
+    GET_UINT32_BE( local.W[11], data, 44 );
+    GET_UINT32_BE( local.W[12], data, 48 );
+    GET_UINT32_BE( local.W[13], data, 52 );
+    GET_UINT32_BE( local.W[14], data, 56 );
+    GET_UINT32_BE( local.W[15], data, 60 );
+
+#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
+
+#define R(t)                                            \
+(                                                       \
+    local.temp = local.W[( t -  3 ) & 0x0F] ^           \
+                 local.W[( t -  8 ) & 0x0F] ^           \
+                 local.W[( t - 14 ) & 0x0F] ^           \
+                 local.W[  t        & 0x0F],            \
+    ( local.W[t & 0x0F] = S(local.temp,1) )             \
+)
+
+#define P(a,b,c,d,e,x)                                  \
+{                                                       \
+    e += S(a,5) + F(b,c,d) + K + x; b = S(b,30);        \
+}
+
+    local.A = ctx->state[0];
+    local.B = ctx->state[1];
+    local.C = ctx->state[2];
+    local.D = ctx->state[3];
+    local.E = ctx->state[4];
+
+#define F(x,y,z) (z ^ (x & (y ^ z)))
+#define K 0x5A827999
+
+    P( local.A, local.B, local.C, local.D, local.E, local.W[0]  );
+    P( local.E, local.A, local.B, local.C, local.D, local.W[1]  );
+    P( local.D, local.E, local.A, local.B, local.C, local.W[2]  );
+    P( local.C, local.D, local.E, local.A, local.B, local.W[3]  );
+    P( local.B, local.C, local.D, local.E, local.A, local.W[4]  );
+    P( local.A, local.B, local.C, local.D, local.E, local.W[5]  );
+    P( local.E, local.A, local.B, local.C, local.D, local.W[6]  );
+    P( local.D, local.E, local.A, local.B, local.C, local.W[7]  );
+    P( local.C, local.D, local.E, local.A, local.B, local.W[8]  );
+    P( local.B, local.C, local.D, local.E, local.A, local.W[9]  );
+    P( local.A, local.B, local.C, local.D, local.E, local.W[10] );
+    P( local.E, local.A, local.B, local.C, local.D, local.W[11] );
+    P( local.D, local.E, local.A, local.B, local.C, local.W[12] );
+    P( local.C, local.D, local.E, local.A, local.B, local.W[13] );
+    P( local.B, local.C, local.D, local.E, local.A, local.W[14] );
+    P( local.A, local.B, local.C, local.D, local.E, local.W[15] );
+    P( local.E, local.A, local.B, local.C, local.D, R(16) );
+    P( local.D, local.E, local.A, local.B, local.C, R(17) );
+    P( local.C, local.D, local.E, local.A, local.B, R(18) );
+    P( local.B, local.C, local.D, local.E, local.A, R(19) );
+
+#undef K
+#undef F
+
+#define F(x,y,z) (x ^ y ^ z)
+#define K 0x6ED9EBA1
+
+    P( local.A, local.B, local.C, local.D, local.E, R(20) );
+    P( local.E, local.A, local.B, local.C, local.D, R(21) );
+    P( local.D, local.E, local.A, local.B, local.C, R(22) );
+    P( local.C, local.D, local.E, local.A, local.B, R(23) );
+    P( local.B, local.C, local.D, local.E, local.A, R(24) );
+    P( local.A, local.B, local.C, local.D, local.E, R(25) );
+    P( local.E, local.A, local.B, local.C, local.D, R(26) );
+    P( local.D, local.E, local.A, local.B, local.C, R(27) );
+    P( local.C, local.D, local.E, local.A, local.B, R(28) );
+    P( local.B, local.C, local.D, local.E, local.A, R(29) );
+    P( local.A, local.B, local.C, local.D, local.E, R(30) );
+    P( local.E, local.A, local.B, local.C, local.D, R(31) );
+    P( local.D, local.E, local.A, local.B, local.C, R(32) );
+    P( local.C, local.D, local.E, local.A, local.B, R(33) );
+    P( local.B, local.C, local.D, local.E, local.A, R(34) );
+    P( local.A, local.B, local.C, local.D, local.E, R(35) );
+    P( local.E, local.A, local.B, local.C, local.D, R(36) );
+    P( local.D, local.E, local.A, local.B, local.C, R(37) );
+    P( local.C, local.D, local.E, local.A, local.B, R(38) );
+    P( local.B, local.C, local.D, local.E, local.A, R(39) );
+
+#undef K
+#undef F
+
+#define F(x,y,z) ((x & y) | (z & (x | y)))
+#define K 0x8F1BBCDC
+
+    P( local.A, local.B, local.C, local.D, local.E, R(40) );
+    P( local.E, local.A, local.B, local.C, local.D, R(41) );
+    P( local.D, local.E, local.A, local.B, local.C, R(42) );
+    P( local.C, local.D, local.E, local.A, local.B, R(43) );
+    P( local.B, local.C, local.D, local.E, local.A, R(44) );
+    P( local.A, local.B, local.C, local.D, local.E, R(45) );
+    P( local.E, local.A, local.B, local.C, local.D, R(46) );
+    P( local.D, local.E, local.A, local.B, local.C, R(47) );
+    P( local.C, local.D, local.E, local.A, local.B, R(48) );
+    P( local.B, local.C, local.D, local.E, local.A, R(49) );
+    P( local.A, local.B, local.C, local.D, local.E, R(50) );
+    P( local.E, local.A, local.B, local.C, local.D, R(51) );
+    P( local.D, local.E, local.A, local.B, local.C, R(52) );
+    P( local.C, local.D, local.E, local.A, local.B, R(53) );
+    P( local.B, local.C, local.D, local.E, local.A, R(54) );
+    P( local.A, local.B, local.C, local.D, local.E, R(55) );
+    P( local.E, local.A, local.B, local.C, local.D, R(56) );
+    P( local.D, local.E, local.A, local.B, local.C, R(57) );
+    P( local.C, local.D, local.E, local.A, local.B, R(58) );
+    P( local.B, local.C, local.D, local.E, local.A, R(59) );
+
+#undef K
+#undef F
+
+#define F(x,y,z) (x ^ y ^ z)
+#define K 0xCA62C1D6
+
+    P( local.A, local.B, local.C, local.D, local.E, R(60) );
+    P( local.E, local.A, local.B, local.C, local.D, R(61) );
+    P( local.D, local.E, local.A, local.B, local.C, R(62) );
+    P( local.C, local.D, local.E, local.A, local.B, R(63) );
+    P( local.B, local.C, local.D, local.E, local.A, R(64) );
+    P( local.A, local.B, local.C, local.D, local.E, R(65) );
+    P( local.E, local.A, local.B, local.C, local.D, R(66) );
+    P( local.D, local.E, local.A, local.B, local.C, R(67) );
+    P( local.C, local.D, local.E, local.A, local.B, R(68) );
+    P( local.B, local.C, local.D, local.E, local.A, R(69) );
+    P( local.A, local.B, local.C, local.D, local.E, R(70) );
+    P( local.E, local.A, local.B, local.C, local.D, R(71) );
+    P( local.D, local.E, local.A, local.B, local.C, R(72) );
+    P( local.C, local.D, local.E, local.A, local.B, R(73) );
+    P( local.B, local.C, local.D, local.E, local.A, R(74) );
+    P( local.A, local.B, local.C, local.D, local.E, R(75) );
+    P( local.E, local.A, local.B, local.C, local.D, R(76) );
+    P( local.D, local.E, local.A, local.B, local.C, R(77) );
+    P( local.C, local.D, local.E, local.A, local.B, R(78) );
+    P( local.B, local.C, local.D, local.E, local.A, R(79) );
+
+#undef K
+#undef F
+
+    ctx->state[0] += local.A;
+    ctx->state[1] += local.B;
+    ctx->state[2] += local.C;
+    ctx->state[3] += local.D;
+    ctx->state[4] += local.E;
+
+    /* Zeroise buffers and variables to clear sensitive data from memory. */
+    mbedtls_zeroize( &local, sizeof( local ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1_process( mbedtls_sha1_context *ctx,
+                           const unsigned char data[64] )
+{
+    mbedtls_internal_sha1_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_SHA1_PROCESS_ALT */
+
+/*
+ * SHA-1 process buffer
+ */
+int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+
+        if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_sha1_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1_update( mbedtls_sha1_context *ctx,
+                          const unsigned char *input,
+                          size_t ilen )
+{
+    mbedtls_sha1_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * SHA-1 final digest
+ */
+int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
+                             unsigned char output[20] )
+{
+    int ret;
+    uint32_t used;
+    uint32_t high, low;
+
+    /*
+     * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+     */
+    used = ctx->total[0] & 0x3F;
+
+    ctx->buffer[used++] = 0x80;
+
+    if( used <= 56 )
+    {
+        /* Enough room for padding + length in current block */
+        memset( ctx->buffer + used, 0, 56 - used );
+    }
+    else
+    {
+        /* We'll need an extra block */
+        memset( ctx->buffer + used, 0, 64 - used );
+
+        if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        memset( ctx->buffer, 0, 56 );
+    }
+
+    /*
+     * Add message length
+     */
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_BE( high, ctx->buffer, 56 );
+    PUT_UINT32_BE( low,  ctx->buffer, 60 );
+
+    if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 )
+        return( ret );
+
+    /*
+     * Output final state
+     */
+    PUT_UINT32_BE( ctx->state[0], output,  0 );
+    PUT_UINT32_BE( ctx->state[1], output,  4 );
+    PUT_UINT32_BE( ctx->state[2], output,  8 );
+    PUT_UINT32_BE( ctx->state[3], output, 12 );
+    PUT_UINT32_BE( ctx->state[4], output, 16 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1_finish( mbedtls_sha1_context *ctx,
+                          unsigned char output[20] )
+{
+    mbedtls_sha1_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_SHA1_ALT */
+
+/*
+ * output = SHA-1( input buffer )
+ */
+int mbedtls_sha1_ret( const unsigned char *input,
+                      size_t ilen,
+                      unsigned char output[20] )
+{
+    int ret;
+    mbedtls_sha1_context ctx;
+
+    mbedtls_sha1_init( &ctx );
+
+    if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha1_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha1_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_sha1_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1( const unsigned char *input,
+                   size_t ilen,
+                   unsigned char output[20] )
+{
+    mbedtls_sha1_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * FIPS-180-1 test vectors
+ */
+static const unsigned char sha1_test_buf[3][57] =
+{
+    { "abc" },
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+    { "" }
+};
+
+static const size_t sha1_test_buflen[3] =
+{
+    3, 56, 1000
+};
+
+static const unsigned char sha1_test_sum[3][20] =
+{
+    { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
+      0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
+    { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
+      0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
+    { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
+      0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_sha1_self_test( int verbose )
+{
+    int i, j, buflen, ret = 0;
+    unsigned char buf[1024];
+    unsigned char sha1sum[20];
+    mbedtls_sha1_context ctx;
+
+    mbedtls_sha1_init( &ctx );
+
+    /*
+     * SHA-1
+     */
+    for( i = 0; i < 3; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  SHA-1 test #%d: ", i + 1 );
+
+        if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 )
+            goto fail;
+
+        if( i == 2 )
+        {
+            memset( buf, 'a', buflen = 1000 );
+
+            for( j = 0; j < 1000; j++ )
+            {
+                ret = mbedtls_sha1_update_ret( &ctx, buf, buflen );
+                if( ret != 0 )
+                    goto fail;
+            }
+        }
+        else
+        {
+            ret = mbedtls_sha1_update_ret( &ctx, sha1_test_buf[i],
+                                           sha1_test_buflen[i] );
+            if( ret != 0 )
+                goto fail;
+        }
+
+        if( ( ret = mbedtls_sha1_finish_ret( &ctx, sha1sum ) ) != 0 )
+            goto fail;
+
+        if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    goto exit;
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+exit:
+    mbedtls_sha1_free( &ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA1_C */
diff --git a/third-party/mbedtls-3.6/library/sha256.c b/third-party/mbedtls-3.6/library/sha256.c
new file mode 100644
index 00000000..9bbf6907
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/sha256.c
@@ -0,0 +1,616 @@
+/*
+ *  FIPS-180-2 compliant SHA-256 implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The SHA-256 Secure Hash Standard was published by NIST in 2002.
+ *
+ *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+
+#include "mbedtls/sha256.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_SHA256_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+} while( 0 )
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+} while( 0 )
+#endif
+
+void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
+}
+
+void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
+}
+
+void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
+                           const mbedtls_sha256_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * SHA-256 context setup
+ */
+int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 )
+{
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    if( is224 == 0 )
+    {
+        /* SHA-256 */
+        ctx->state[0] = 0x6A09E667;
+        ctx->state[1] = 0xBB67AE85;
+        ctx->state[2] = 0x3C6EF372;
+        ctx->state[3] = 0xA54FF53A;
+        ctx->state[4] = 0x510E527F;
+        ctx->state[5] = 0x9B05688C;
+        ctx->state[6] = 0x1F83D9AB;
+        ctx->state[7] = 0x5BE0CD19;
+    }
+    else
+    {
+        /* SHA-224 */
+        ctx->state[0] = 0xC1059ED8;
+        ctx->state[1] = 0x367CD507;
+        ctx->state[2] = 0x3070DD17;
+        ctx->state[3] = 0xF70E5939;
+        ctx->state[4] = 0xFFC00B31;
+        ctx->state[5] = 0x68581511;
+        ctx->state[6] = 0x64F98FA7;
+        ctx->state[7] = 0xBEFA4FA4;
+    }
+
+    ctx->is224 = is224;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
+                            int is224 )
+{
+    mbedtls_sha256_starts_ret( ctx, is224 );
+}
+#endif
+
+#if !defined(MBEDTLS_SHA256_PROCESS_ALT)
+static const uint32_t K[] =
+{
+    0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
+    0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
+    0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
+    0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
+    0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
+    0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
+    0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
+    0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
+    0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
+    0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
+    0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
+    0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
+    0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
+    0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
+    0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
+    0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
+};
+
+#define  SHR(x,n) ((x & 0xFFFFFFFF) >> n)
+#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
+
+#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^  SHR(x, 3))
+#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^  SHR(x,10))
+
+#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
+#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
+
+#define F0(x,y,z) ((x & y) | (z & (x | y)))
+#define F1(x,y,z) (z ^ (x & (y ^ z)))
+
+#define R(t)                                                        \
+(                                                                   \
+    local.W[t] = S1(local.W[t -  2]) + local.W[t -  7] +            \
+                 S0(local.W[t - 15]) + local.W[t - 16]              \
+)
+
+#define P(a,b,c,d,e,f,g,h,x,K)                                      \
+{                                                                   \
+    local.temp1 = h + S3(e) + F1(e,f,g) + K + x;                    \
+    local.temp2 = S2(a) + F0(a,b,c);                                \
+    d += local.temp1; h = local.temp1 + local.temp2;                \
+}
+
+int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
+                                const unsigned char data[64] )
+{
+    struct
+    {
+        uint32_t temp1, temp2, W[64];
+        uint32_t A[8];
+    } local;
+
+    unsigned int i;
+
+    for( i = 0; i < 8; i++ )
+        local.A[i] = ctx->state[i];
+
+#if defined(MBEDTLS_SHA256_SMALLER)
+    for( i = 0; i < 64; i++ )
+    {
+        if( i < 16 )
+            GET_UINT32_BE( local.W[i], data, 4 * i );
+        else
+            R( i );
+
+        P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+           local.A[5], local.A[6], local.A[7], local.W[i], K[i] );
+
+        local.temp1 = local.A[7]; local.A[7] = local.A[6];
+        local.A[6] = local.A[5]; local.A[5] = local.A[4];
+        local.A[4] = local.A[3]; local.A[3] = local.A[2];
+        local.A[2] = local.A[1]; local.A[1] = local.A[0];
+        local.A[0] = local.temp1;
+    }
+#else /* MBEDTLS_SHA256_SMALLER */
+    for( i = 0; i < 16; i++ )
+        GET_UINT32_BE( local.W[i], data, 4 * i );
+
+    for( i = 0; i < 16; i += 8 )
+    {
+        P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+           local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0] );
+        P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+           local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1] );
+        P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+           local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2] );
+        P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+           local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3] );
+        P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+           local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4] );
+        P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+           local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5] );
+        P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+           local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6] );
+        P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+           local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7] );
+    }
+
+    for( i = 16; i < 64; i += 8 )
+    {
+        P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+           local.A[5], local.A[6], local.A[7], R(i+0), K[i+0] );
+        P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+           local.A[4], local.A[5], local.A[6], R(i+1), K[i+1] );
+        P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+           local.A[3], local.A[4], local.A[5], R(i+2), K[i+2] );
+        P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+           local.A[2], local.A[3], local.A[4], R(i+3), K[i+3] );
+        P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+           local.A[1], local.A[2], local.A[3], R(i+4), K[i+4] );
+        P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+           local.A[0], local.A[1], local.A[2], R(i+5), K[i+5] );
+        P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+           local.A[7], local.A[0], local.A[1], R(i+6), K[i+6] );
+        P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+           local.A[6], local.A[7], local.A[0], R(i+7), K[i+7] );
+    }
+#endif /* MBEDTLS_SHA256_SMALLER */
+
+    for( i = 0; i < 8; i++ )
+        ctx->state[i] += local.A[i];
+
+    /* Zeroise buffers and variables to clear sensitive data from memory. */
+    mbedtls_zeroize( &local, sizeof( local ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
+                             const unsigned char data[64] )
+{
+    mbedtls_internal_sha256_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_SHA256_PROCESS_ALT */
+
+/*
+ * SHA-256 process buffer
+ */
+int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
+                               const unsigned char *input,
+                               size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+
+        if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    mbedtls_sha256_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * SHA-256 final digest
+ */
+int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
+                               unsigned char output[32] )
+{
+    int ret;
+    uint32_t used;
+    uint32_t high, low;
+
+    /*
+     * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+     */
+    used = ctx->total[0] & 0x3F;
+
+    ctx->buffer[used++] = 0x80;
+
+    if( used <= 56 )
+    {
+        /* Enough room for padding + length in current block */
+        memset( ctx->buffer + used, 0, 56 - used );
+    }
+    else
+    {
+        /* We'll need an extra block */
+        memset( ctx->buffer + used, 0, 64 - used );
+
+        if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        memset( ctx->buffer, 0, 56 );
+    }
+
+    /*
+     * Add message length
+     */
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_BE( high, ctx->buffer, 56 );
+    PUT_UINT32_BE( low,  ctx->buffer, 60 );
+
+    if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
+        return( ret );
+
+    /*
+     * Output final state
+     */
+    PUT_UINT32_BE( ctx->state[0], output,  0 );
+    PUT_UINT32_BE( ctx->state[1], output,  4 );
+    PUT_UINT32_BE( ctx->state[2], output,  8 );
+    PUT_UINT32_BE( ctx->state[3], output, 12 );
+    PUT_UINT32_BE( ctx->state[4], output, 16 );
+    PUT_UINT32_BE( ctx->state[5], output, 20 );
+    PUT_UINT32_BE( ctx->state[6], output, 24 );
+
+    if( ctx->is224 == 0 )
+        PUT_UINT32_BE( ctx->state[7], output, 28 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
+                            unsigned char output[32] )
+{
+    mbedtls_sha256_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_SHA256_ALT */
+
+/*
+ * output = SHA-256( input buffer )
+ */
+int mbedtls_sha256_ret( const unsigned char *input,
+                        size_t ilen,
+                        unsigned char output[32],
+                        int is224 )
+{
+    int ret;
+    mbedtls_sha256_context ctx;
+
+    mbedtls_sha256_init( &ctx );
+
+    if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha256_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha256_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_sha256_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[32],
+                     int is224 )
+{
+    mbedtls_sha256_ret( input, ilen, output, is224 );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * FIPS-180-2 test vectors
+ */
+static const unsigned char sha256_test_buf[3][57] =
+{
+    { "abc" },
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+    { "" }
+};
+
+static const size_t sha256_test_buflen[3] =
+{
+    3, 56, 1000
+};
+
+static const unsigned char sha256_test_sum[6][32] =
+{
+    /*
+     * SHA-224 test vectors
+     */
+    { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
+      0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
+      0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
+      0xE3, 0x6C, 0x9D, 0xA7 },
+    { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
+      0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
+      0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
+      0x52, 0x52, 0x25, 0x25 },
+    { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
+      0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
+      0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
+      0x4E, 0xE7, 0xAD, 0x67 },
+
+    /*
+     * SHA-256 test vectors
+     */
+    { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
+      0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
+      0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
+      0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
+    { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
+      0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
+      0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
+      0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
+    { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
+      0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
+      0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
+      0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_sha256_self_test( int verbose )
+{
+    int i, j, k, buflen, ret = 0;
+    unsigned char *buf;
+    unsigned char sha256sum[32];
+    mbedtls_sha256_context ctx;
+
+    buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
+    if( NULL == buf )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "Buffer allocation failed\n" );
+
+        return( 1 );
+    }
+
+    mbedtls_sha256_init( &ctx );
+
+    for( i = 0; i < 6; i++ )
+    {
+        j = i % 3;
+        k = i < 3;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  SHA-%d test #%d: ", 256 - k * 32, j + 1 );
+
+        if( ( ret = mbedtls_sha256_starts_ret( &ctx, k ) ) != 0 )
+            goto fail;
+
+        if( j == 2 )
+        {
+            memset( buf, 'a', buflen = 1000 );
+
+            for( j = 0; j < 1000; j++ )
+            {
+                ret = mbedtls_sha256_update_ret( &ctx, buf, buflen );
+                if( ret != 0 )
+                    goto fail;
+            }
+
+        }
+        else
+        {
+            ret = mbedtls_sha256_update_ret( &ctx, sha256_test_buf[j],
+                                             sha256_test_buflen[j] );
+            if( ret != 0 )
+                 goto fail;
+        }
+
+        if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 )
+            goto fail;
+
+
+        if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    goto exit;
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+exit:
+    mbedtls_sha256_free( &ctx );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA256_C */
diff --git a/third-party/mbedtls-3.6/library/sha512.c b/third-party/mbedtls-3.6/library/sha512.c
new file mode 100644
index 00000000..fdd4ec9d
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/sha512.c
@@ -0,0 +1,653 @@
+/*
+ *  FIPS-180-2 compliant SHA-384/512 implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The SHA-512 Secure Hash Standard was published by NIST in 2002.
+ *
+ *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+
+#include "mbedtls/sha512.h"
+
+#if defined(_MSC_VER) || defined(__WATCOMC__)
+  #define UL64(x) x##ui64
+#else
+  #define UL64(x) x##ULL
+#endif
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_SHA512_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 64-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT64_BE
+#define GET_UINT64_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint64_t) (b)[(i)    ] << 56 )       \
+        | ( (uint64_t) (b)[(i) + 1] << 48 )       \
+        | ( (uint64_t) (b)[(i) + 2] << 40 )       \
+        | ( (uint64_t) (b)[(i) + 3] << 32 )       \
+        | ( (uint64_t) (b)[(i) + 4] << 24 )       \
+        | ( (uint64_t) (b)[(i) + 5] << 16 )       \
+        | ( (uint64_t) (b)[(i) + 6] <<  8 )       \
+        | ( (uint64_t) (b)[(i) + 7]       );      \
+}
+#endif /* GET_UINT64_BE */
+
+#ifndef PUT_UINT64_BE
+#define PUT_UINT64_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 56 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 48 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >> 40 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n) >> 32 );       \
+    (b)[(i) + 4] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 5] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 6] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 7] = (unsigned char) ( (n)       );       \
+}
+#endif /* PUT_UINT64_BE */
+
+void mbedtls_sha512_init( mbedtls_sha512_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_sha512_context ) );
+}
+
+void mbedtls_sha512_free( mbedtls_sha512_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_sha512_context ) );
+}
+
+void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
+                           const mbedtls_sha512_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * SHA-512 context setup
+ */
+int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 )
+{
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    if( is384 == 0 )
+    {
+        /* SHA-512 */
+        ctx->state[0] = UL64(0x6A09E667F3BCC908);
+        ctx->state[1] = UL64(0xBB67AE8584CAA73B);
+        ctx->state[2] = UL64(0x3C6EF372FE94F82B);
+        ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
+        ctx->state[4] = UL64(0x510E527FADE682D1);
+        ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
+        ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
+        ctx->state[7] = UL64(0x5BE0CD19137E2179);
+    }
+    else
+    {
+        /* SHA-384 */
+        ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
+        ctx->state[1] = UL64(0x629A292A367CD507);
+        ctx->state[2] = UL64(0x9159015A3070DD17);
+        ctx->state[3] = UL64(0x152FECD8F70E5939);
+        ctx->state[4] = UL64(0x67332667FFC00B31);
+        ctx->state[5] = UL64(0x8EB44A8768581511);
+        ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
+        ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
+    }
+
+    ctx->is384 = is384;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512_starts( mbedtls_sha512_context *ctx,
+                            int is384 )
+{
+    mbedtls_sha512_starts_ret( ctx, is384 );
+}
+#endif
+
+#if !defined(MBEDTLS_SHA512_PROCESS_ALT)
+
+/*
+ * Round constants
+ */
+static const uint64_t K[80] =
+{
+    UL64(0x428A2F98D728AE22),  UL64(0x7137449123EF65CD),
+    UL64(0xB5C0FBCFEC4D3B2F),  UL64(0xE9B5DBA58189DBBC),
+    UL64(0x3956C25BF348B538),  UL64(0x59F111F1B605D019),
+    UL64(0x923F82A4AF194F9B),  UL64(0xAB1C5ED5DA6D8118),
+    UL64(0xD807AA98A3030242),  UL64(0x12835B0145706FBE),
+    UL64(0x243185BE4EE4B28C),  UL64(0x550C7DC3D5FFB4E2),
+    UL64(0x72BE5D74F27B896F),  UL64(0x80DEB1FE3B1696B1),
+    UL64(0x9BDC06A725C71235),  UL64(0xC19BF174CF692694),
+    UL64(0xE49B69C19EF14AD2),  UL64(0xEFBE4786384F25E3),
+    UL64(0x0FC19DC68B8CD5B5),  UL64(0x240CA1CC77AC9C65),
+    UL64(0x2DE92C6F592B0275),  UL64(0x4A7484AA6EA6E483),
+    UL64(0x5CB0A9DCBD41FBD4),  UL64(0x76F988DA831153B5),
+    UL64(0x983E5152EE66DFAB),  UL64(0xA831C66D2DB43210),
+    UL64(0xB00327C898FB213F),  UL64(0xBF597FC7BEEF0EE4),
+    UL64(0xC6E00BF33DA88FC2),  UL64(0xD5A79147930AA725),
+    UL64(0x06CA6351E003826F),  UL64(0x142929670A0E6E70),
+    UL64(0x27B70A8546D22FFC),  UL64(0x2E1B21385C26C926),
+    UL64(0x4D2C6DFC5AC42AED),  UL64(0x53380D139D95B3DF),
+    UL64(0x650A73548BAF63DE),  UL64(0x766A0ABB3C77B2A8),
+    UL64(0x81C2C92E47EDAEE6),  UL64(0x92722C851482353B),
+    UL64(0xA2BFE8A14CF10364),  UL64(0xA81A664BBC423001),
+    UL64(0xC24B8B70D0F89791),  UL64(0xC76C51A30654BE30),
+    UL64(0xD192E819D6EF5218),  UL64(0xD69906245565A910),
+    UL64(0xF40E35855771202A),  UL64(0x106AA07032BBD1B8),
+    UL64(0x19A4C116B8D2D0C8),  UL64(0x1E376C085141AB53),
+    UL64(0x2748774CDF8EEB99),  UL64(0x34B0BCB5E19B48A8),
+    UL64(0x391C0CB3C5C95A63),  UL64(0x4ED8AA4AE3418ACB),
+    UL64(0x5B9CCA4F7763E373),  UL64(0x682E6FF3D6B2B8A3),
+    UL64(0x748F82EE5DEFB2FC),  UL64(0x78A5636F43172F60),
+    UL64(0x84C87814A1F0AB72),  UL64(0x8CC702081A6439EC),
+    UL64(0x90BEFFFA23631E28),  UL64(0xA4506CEBDE82BDE9),
+    UL64(0xBEF9A3F7B2C67915),  UL64(0xC67178F2E372532B),
+    UL64(0xCA273ECEEA26619C),  UL64(0xD186B8C721C0C207),
+    UL64(0xEADA7DD6CDE0EB1E),  UL64(0xF57D4F7FEE6ED178),
+    UL64(0x06F067AA72176FBA),  UL64(0x0A637DC5A2C898A6),
+    UL64(0x113F9804BEF90DAE),  UL64(0x1B710B35131C471B),
+    UL64(0x28DB77F523047D84),  UL64(0x32CAAB7B40C72493),
+    UL64(0x3C9EBE0A15C9BEBC),  UL64(0x431D67C49C100D4C),
+    UL64(0x4CC5D4BECB3E42B6),  UL64(0x597F299CFC657E2A),
+    UL64(0x5FCB6FAB3AD6FAEC),  UL64(0x6C44198C4A475817)
+};
+
+int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
+                                     const unsigned char data[128] )
+{
+    int i;
+    struct
+    {
+        uint64_t temp1, temp2, W[80];
+        uint64_t A, B, C, D, E, F, G, H;
+    } local;
+
+#define  SHR(x,n) (x >> n)
+#define ROTR(x,n) (SHR(x,n) | (x << (64 - n)))
+
+#define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^  SHR(x, 7))
+#define S1(x) (ROTR(x,19) ^ ROTR(x,61) ^  SHR(x, 6))
+
+#define S2(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
+#define S3(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
+
+#define F0(x,y,z) ((x & y) | (z & (x | y)))
+#define F1(x,y,z) (z ^ (x & (y ^ z)))
+
+#define P(a,b,c,d,e,f,g,h,x,K)                        \
+{                                                     \
+    local.temp1 = h + S3(e) + F1(e,f,g) + K + x;      \
+    local.temp2 = S2(a) + F0(a,b,c);                  \
+    d += local.temp1; h = local.temp1 + local.temp2;  \
+}
+
+    for( i = 0; i < 16; i++ )
+    {
+        GET_UINT64_BE( local.W[i], data, i << 3 );
+    }
+
+    for( ; i < 80; i++ )
+    {
+        local.W[i] = S1(local.W[i -  2]) + local.W[i -  7] +
+                     S0(local.W[i - 15]) + local.W[i - 16];
+    }
+
+    local.A = ctx->state[0];
+    local.B = ctx->state[1];
+    local.C = ctx->state[2];
+    local.D = ctx->state[3];
+    local.E = ctx->state[4];
+    local.F = ctx->state[5];
+    local.G = ctx->state[6];
+    local.H = ctx->state[7];
+    i = 0;
+
+    do
+    {
+        P( local.A, local.B, local.C, local.D, local.E,
+           local.F, local.G, local.H, local.W[i], K[i] ); i++;
+        P( local.H, local.A, local.B, local.C, local.D,
+           local.E, local.F, local.G, local.W[i], K[i] ); i++;
+        P( local.G, local.H, local.A, local.B, local.C,
+           local.D, local.E, local.F, local.W[i], K[i] ); i++;
+        P( local.F, local.G, local.H, local.A, local.B,
+           local.C, local.D, local.E, local.W[i], K[i] ); i++;
+        P( local.E, local.F, local.G, local.H, local.A,
+           local.B, local.C, local.D, local.W[i], K[i] ); i++;
+        P( local.D, local.E, local.F, local.G, local.H,
+           local.A, local.B, local.C, local.W[i], K[i] ); i++;
+        P( local.C, local.D, local.E, local.F, local.G,
+           local.H, local.A, local.B, local.W[i], K[i] ); i++;
+        P( local.B, local.C, local.D, local.E, local.F,
+           local.G, local.H, local.A, local.W[i], K[i] ); i++;
+    }
+    while( i < 80 );
+
+    ctx->state[0] += local.A;
+    ctx->state[1] += local.B;
+    ctx->state[2] += local.C;
+    ctx->state[3] += local.D;
+    ctx->state[4] += local.E;
+    ctx->state[5] += local.F;
+    ctx->state[6] += local.G;
+    ctx->state[7] += local.H;
+
+    /* Zeroise buffers and variables to clear sensitive data from memory. */
+    mbedtls_zeroize( &local, sizeof( local ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512_process( mbedtls_sha512_context *ctx,
+                             const unsigned char data[128] )
+{
+    mbedtls_internal_sha512_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_SHA512_PROCESS_ALT */
+
+/*
+ * SHA-512 process buffer
+ */
+int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
+                               const unsigned char *input,
+                               size_t ilen )
+{
+    int ret;
+    size_t fill;
+    unsigned int left;
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = (unsigned int) (ctx->total[0] & 0x7F);
+    fill = 128 - left;
+
+    ctx->total[0] += (uint64_t) ilen;
+
+    if( ctx->total[0] < (uint64_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+
+        if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 128 )
+    {
+        if( ( ret = mbedtls_internal_sha512_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 128;
+        ilen  -= 128;
+    }
+
+    if( ilen > 0 )
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512_update( mbedtls_sha512_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    mbedtls_sha512_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * SHA-512 final digest
+ */
+int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
+                               unsigned char output[64] )
+{
+    int ret;
+    unsigned used;
+    uint64_t high, low;
+
+    /*
+     * Add padding: 0x80 then 0x00 until 16 bytes remain for the length
+     */
+    used = ctx->total[0] & 0x7F;
+
+    ctx->buffer[used++] = 0x80;
+
+    if( used <= 112 )
+    {
+        /* Enough room for padding + length in current block */
+        memset( ctx->buffer + used, 0, 112 - used );
+    }
+    else
+    {
+        /* We'll need an extra block */
+        memset( ctx->buffer + used, 0, 128 - used );
+
+        if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        memset( ctx->buffer, 0, 112 );
+    }
+
+    /*
+     * Add message length
+     */
+    high = ( ctx->total[0] >> 61 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT64_BE( high, ctx->buffer, 112 );
+    PUT_UINT64_BE( low,  ctx->buffer, 120 );
+
+    if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 )
+        return( ret );
+
+    /*
+     * Output final state
+     */
+    PUT_UINT64_BE( ctx->state[0], output,  0 );
+    PUT_UINT64_BE( ctx->state[1], output,  8 );
+    PUT_UINT64_BE( ctx->state[2], output, 16 );
+    PUT_UINT64_BE( ctx->state[3], output, 24 );
+    PUT_UINT64_BE( ctx->state[4], output, 32 );
+    PUT_UINT64_BE( ctx->state[5], output, 40 );
+
+    if( ctx->is384 == 0 )
+    {
+        PUT_UINT64_BE( ctx->state[6], output, 48 );
+        PUT_UINT64_BE( ctx->state[7], output, 56 );
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
+                            unsigned char output[64] )
+{
+    mbedtls_sha512_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_SHA512_ALT */
+
+/*
+ * output = SHA-512( input buffer )
+ */
+int mbedtls_sha512_ret( const unsigned char *input,
+                    size_t ilen,
+                    unsigned char output[64],
+                    int is384 )
+{
+    int ret;
+    mbedtls_sha512_context ctx;
+
+    mbedtls_sha512_init( &ctx );
+
+    if( ( ret = mbedtls_sha512_starts_ret( &ctx, is384 ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha512_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha512_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_sha512_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[64],
+                     int is384 )
+{
+    mbedtls_sha512_ret( input, ilen, output, is384 );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * FIPS-180-2 test vectors
+ */
+static const unsigned char sha512_test_buf[3][113] =
+{
+    { "abc" },
+    { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
+      "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
+    { "" }
+};
+
+static const size_t sha512_test_buflen[3] =
+{
+    3, 112, 1000
+};
+
+static const unsigned char sha512_test_sum[6][64] =
+{
+    /*
+     * SHA-384 test vectors
+     */
+    { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
+      0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
+      0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
+      0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
+      0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
+      0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
+    { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
+      0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
+      0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
+      0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
+      0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
+      0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
+    { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
+      0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
+      0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
+      0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
+      0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
+      0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 },
+
+    /*
+     * SHA-512 test vectors
+     */
+    { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
+      0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
+      0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
+      0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
+      0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
+      0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
+      0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
+      0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
+    { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
+      0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
+      0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
+      0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
+      0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
+      0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
+      0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
+      0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
+    { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
+      0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
+      0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
+      0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
+      0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
+      0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
+      0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
+      0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_sha512_self_test( int verbose )
+{
+    int i, j, k, buflen, ret = 0;
+    unsigned char *buf;
+    unsigned char sha512sum[64];
+    mbedtls_sha512_context ctx;
+
+    buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
+    if( NULL == buf )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "Buffer allocation failed\n" );
+
+        return( 1 );
+    }
+
+    mbedtls_sha512_init( &ctx );
+
+    for( i = 0; i < 6; i++ )
+    {
+        j = i % 3;
+        k = i < 3;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  SHA-%d test #%d: ", 512 - k * 128, j + 1 );
+
+        if( ( ret = mbedtls_sha512_starts_ret( &ctx, k ) ) != 0 )
+            goto fail;
+
+        if( j == 2 )
+        {
+            memset( buf, 'a', buflen = 1000 );
+
+            for( j = 0; j < 1000; j++ )
+            {
+                ret = mbedtls_sha512_update_ret( &ctx, buf, buflen );
+                if( ret != 0 )
+                    goto fail;
+            }
+        }
+        else
+        {
+            ret = mbedtls_sha512_update_ret( &ctx, sha512_test_buf[j],
+                                             sha512_test_buflen[j] );
+            if( ret != 0 )
+                goto fail;
+        }
+
+        if( ( ret = mbedtls_sha512_finish_ret( &ctx, sha512sum ) ) != 0 )
+            goto fail;
+
+        if( memcmp( sha512sum, sha512_test_sum[i], 64 - k * 16 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    goto exit;
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+exit:
+    mbedtls_sha512_free( &ctx );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA512_C */
diff --git a/third-party/mbedtls-3.6/library/ssl_cache.c b/third-party/mbedtls-3.6/library/ssl_cache.c
new file mode 100644
index 00000000..1d2558a1
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ssl_cache.c
@@ -0,0 +1,352 @@
+/*
+ *  SSL session cache implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ * These session callbacks use a simple chained list
+ * to store and retrieve the session information.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_CACHE_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl_cache.h"
+
+#include <string.h>
+
+void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache )
+{
+    memset( cache, 0, sizeof( mbedtls_ssl_cache_context ) );
+
+    cache->timeout = MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT;
+    cache->max_entries = MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES;
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &cache->mutex );
+#endif
+}
+
+int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
+{
+    int ret = 1;
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t = mbedtls_time( NULL );
+#endif
+    mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
+    mbedtls_ssl_cache_entry *cur, *entry;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_lock( &cache->mutex ) != 0 )
+        return( 1 );
+#endif
+
+    cur = cache->chain;
+    entry = NULL;
+
+    while( cur != NULL )
+    {
+        entry = cur;
+        cur = cur->next;
+
+#if defined(MBEDTLS_HAVE_TIME)
+        if( cache->timeout != 0 &&
+            (int) ( t - entry->timestamp ) > cache->timeout )
+            continue;
+#endif
+
+        if( session->ciphersuite != entry->session.ciphersuite ||
+            session->compression != entry->session.compression ||
+            session->id_len != entry->session.id_len )
+            continue;
+
+        if( memcmp( session->id, entry->session.id,
+                    entry->session.id_len ) != 0 )
+            continue;
+
+        memcpy( session->master, entry->session.master, 48 );
+
+        session->verify_result = entry->session.verify_result;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+        /*
+         * Restore peer certificate (without rest of the original chain)
+         */
+        if( entry->peer_cert.p != NULL )
+        {
+            if( ( session->peer_cert = mbedtls_calloc( 1,
+                                 sizeof(mbedtls_x509_crt) ) ) == NULL )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_x509_crt_init( session->peer_cert );
+            if( mbedtls_x509_crt_parse( session->peer_cert, entry->peer_cert.p,
+                                entry->peer_cert.len ) != 0 )
+            {
+                mbedtls_free( session->peer_cert );
+                session->peer_cert = NULL;
+                ret = 1;
+                goto exit;
+            }
+        }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+        ret = 0;
+        goto exit;
+    }
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &cache->mutex ) != 0 )
+        ret = 1;
+#endif
+
+    return( ret );
+}
+
+int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
+{
+    int ret = 1;
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t = mbedtls_time( NULL ), oldest = 0;
+    mbedtls_ssl_cache_entry *old = NULL;
+#endif
+    mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
+    mbedtls_ssl_cache_entry *cur, *prv;
+    int count = 0;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &cache->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    cur = cache->chain;
+    prv = NULL;
+
+    while( cur != NULL )
+    {
+        count++;
+
+#if defined(MBEDTLS_HAVE_TIME)
+        if( cache->timeout != 0 &&
+            (int) ( t - cur->timestamp ) > cache->timeout )
+        {
+            cur->timestamp = t;
+            break; /* expired, reuse this slot, update timestamp */
+        }
+#endif
+
+        if( memcmp( session->id, cur->session.id, cur->session.id_len ) == 0 )
+            break; /* client reconnected, keep timestamp for session id */
+
+#if defined(MBEDTLS_HAVE_TIME)
+        if( oldest == 0 || cur->timestamp < oldest )
+        {
+            oldest = cur->timestamp;
+            old = cur;
+        }
+#endif
+
+        prv = cur;
+        cur = cur->next;
+    }
+
+    if( cur == NULL )
+    {
+#if defined(MBEDTLS_HAVE_TIME)
+        /*
+         * Reuse oldest entry if max_entries reached
+         */
+        if( count >= cache->max_entries )
+        {
+            if( old == NULL )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            cur = old;
+        }
+#else /* MBEDTLS_HAVE_TIME */
+        /*
+         * Reuse first entry in chain if max_entries reached,
+         * but move to last place
+         */
+        if( count >= cache->max_entries )
+        {
+            if( cache->chain == NULL )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            cur = cache->chain;
+            cache->chain = cur->next;
+            cur->next = NULL;
+            prv->next = cur;
+        }
+#endif /* MBEDTLS_HAVE_TIME */
+        else
+        {
+            /*
+             * max_entries not reached, create new entry
+             */
+            cur = mbedtls_calloc( 1, sizeof(mbedtls_ssl_cache_entry) );
+            if( cur == NULL )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            if( prv == NULL )
+                cache->chain = cur;
+            else
+                prv->next = cur;
+        }
+
+#if defined(MBEDTLS_HAVE_TIME)
+        cur->timestamp = t;
+#endif
+    }
+
+    memcpy( &cur->session, session, sizeof( mbedtls_ssl_session ) );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /*
+     * If we're reusing an entry, free its certificate first
+     */
+    if( cur->peer_cert.p != NULL )
+    {
+        mbedtls_free( cur->peer_cert.p );
+        memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) );
+    }
+
+    /*
+     * Store peer certificate
+     */
+    if( session->peer_cert != NULL )
+    {
+        cur->peer_cert.p = mbedtls_calloc( 1, session->peer_cert->raw.len );
+        if( cur->peer_cert.p == NULL )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        memcpy( cur->peer_cert.p, session->peer_cert->raw.p,
+                session->peer_cert->raw.len );
+        cur->peer_cert.len = session->peer_cert->raw.len;
+
+        cur->session.peer_cert = NULL;
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    ret = 0;
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &cache->mutex ) != 0 )
+        ret = 1;
+#endif
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_HAVE_TIME)
+void mbedtls_ssl_cache_set_timeout( mbedtls_ssl_cache_context *cache, int timeout )
+{
+    if( timeout < 0 ) timeout = 0;
+
+    cache->timeout = timeout;
+}
+#endif /* MBEDTLS_HAVE_TIME */
+
+void mbedtls_ssl_cache_set_max_entries( mbedtls_ssl_cache_context *cache, int max )
+{
+    if( max < 0 ) max = 0;
+
+    cache->max_entries = max;
+}
+
+void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache )
+{
+    mbedtls_ssl_cache_entry *cur, *prv;
+
+    cur = cache->chain;
+
+    while( cur != NULL )
+    {
+        prv = cur;
+        cur = cur->next;
+
+        mbedtls_ssl_session_free( &prv->session );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+        mbedtls_free( prv->peer_cert.p );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+        mbedtls_free( prv );
+    }
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &cache->mutex );
+#endif
+    cache->chain = NULL;
+}
+
+#endif /* MBEDTLS_SSL_CACHE_C */
diff --git a/third-party/mbedtls-3.6/library/ssl_ciphersuites.c b/third-party/mbedtls-3.6/library/ssl_ciphersuites.c
new file mode 100644
index 00000000..7efc558d
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ssl_ciphersuites.c
@@ -0,0 +1,1915 @@
+/**
+ * \file ssl_ciphersuites.c
+ *
+ * \brief SSL ciphersuites for mbed TLS
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#endif
+
+#include "mbedtls/ssl_ciphersuites.h"
+#include "mbedtls/ssl.h"
+
+#include <string.h>
+
+/*
+ * Ordered from most preferred to least preferred in terms of security.
+ *
+ * Current rule (except RC4 and 3DES, weak and null which come last):
+ * 1. By key exchange:
+ *    Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK
+ * 2. By key length and cipher:
+ *    AES-256 > Camellia-256 > AES-128 > Camellia-128
+ * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
+ * 4. By hash function used when relevant
+ * 5. By key exchange/auth again: EC > non-EC
+ */
+static const int ciphersuite_preference[] =
+{
+#if defined(MBEDTLS_SSL_CIPHERSUITES)
+    MBEDTLS_SSL_CIPHERSUITES,
+#else
+    /* All AES-256 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8,
+
+    /* All CAMELLIA-256 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+
+    /* All AES-128 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
+
+    /* All CAMELLIA-128 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+
+    /* The PSK ephemeral suites */
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8,
+
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
+
+    /* The ECJPAKE suite */
+    MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
+
+    /* All AES-256 suites */
+    MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8,
+
+    /* All CAMELLIA-256 suites */
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+
+    /* All AES-128 suites */
+    MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8,
+
+    /* All CAMELLIA-128 suites */
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+
+    /* The RSA PSK suites */
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+
+    /* The PSK suites */
+    MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,
+
+    MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CCM,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
+
+    /* 3DES suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
+
+    /* RC4 suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_WITH_RC4_128_MD5,
+    MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_PSK_WITH_RC4_128_SHA,
+
+    /* Weak suites */
+    MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA,
+
+    /* NULL suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA,
+
+    MBEDTLS_TLS_RSA_WITH_NULL_SHA256,
+    MBEDTLS_TLS_RSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_RSA_WITH_NULL_MD5,
+    MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA,
+    MBEDTLS_TLS_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_PSK_WITH_NULL_SHA,
+
+#endif /* MBEDTLS_SSL_CIPHERSUITES */
+    0
+};
+
+static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
+{
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA, "TLS-ECDHE-ECDSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS-ECDHE-RSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA, "TLS-ECDHE-RSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C && MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM, "TLS-DHE-RSA-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8, "TLS-DHE-RSA-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM, "TLS-DHE-RSA-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8, "TLS-DHE-RSA-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C && MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS-RSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS-RSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS-RSA-WITH-AES-256-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, "TLS-RSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8, "TLS-RSA-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_RSA_WITH_AES_128_CCM, "TLS-RSA-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8, "TLS-RSA-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_MD5_C)
+    { MBEDTLS_TLS_RSA_WITH_RC4_128_MD5, "TLS-RSA-WITH-RC4-128-MD5",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_RC4_128_SHA, "TLS-RSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA, "TLS-ECDH-RSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA, "TLS-ECDH-RSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "TLS-ECDH-ECDSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA, "TLS-ECDH-ECDSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256, "TLS-PSK-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, "TLS-PSK-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256, "TLS-PSK-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384, "TLS-PSK-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA, "TLS-PSK-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA, "TLS-PSK-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8, "TLS-PSK-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_PSK_WITH_AES_128_CCM, "TLS-PSK-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8, "TLS-PSK-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-PSK-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_PSK_WITH_RC4_128_SHA, "TLS-PSK-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA, "TLS-DHE-PSK-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA, "TLS-ECDHE-PSK-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA, "TLS-RSA-PSK-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8, "TLS-ECJPAKE-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECJPAKE,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_MD5_C)
+    { MBEDTLS_TLS_RSA_WITH_NULL_MD5, "TLS-RSA-WITH-NULL-MD5",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_NULL_SHA, "TLS-RSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_WITH_NULL_SHA256, "TLS-RSA-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_NULL_SHA256, "TLS-PSK-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_NULL_SHA384, "TLS-PSK-WITH-NULL-SHA384",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA, "TLS-DHE-PSK-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256, "TLS-DHE-PSK-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384, "TLS-DHE-PSK-WITH-NULL-SHA384",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA, "TLS-ECDHE-PSK-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256, "TLS-ECDHE-PSK-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384, "TLS-ECDHE-PSK-WITH-NULL-SHA384",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA, "TLS-RSA-PSK-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256, "TLS-RSA-PSK-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384, "TLS-RSA-PSK-WITH-NULL-SHA384",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA, "TLS-DHE-RSA-WITH-DES-CBC-SHA",
+      MBEDTLS_CIPHER_DES_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA, "TLS-RSA-WITH-DES-CBC-SHA",
+      MBEDTLS_CIPHER_DES_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
+
+    { 0, "",
+      MBEDTLS_CIPHER_NONE, MBEDTLS_MD_NONE, MBEDTLS_KEY_EXCHANGE_NONE,
+      0, 0, 0, 0, 0 }
+};
+
+#if defined(MBEDTLS_SSL_CIPHERSUITES)
+const int *mbedtls_ssl_list_ciphersuites( void )
+{
+    return( ciphersuite_preference );
+}
+#else
+#define MAX_CIPHERSUITES    sizeof( ciphersuite_definitions     ) /         \
+                            sizeof( ciphersuite_definitions[0]  )
+static int supported_ciphersuites[MAX_CIPHERSUITES];
+static int supported_init = 0;
+
+static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
+{
+    (void)cs_info;
+
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+    if( cs_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+        return( 1 );
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+    if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB ||
+        cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC )
+    {
+        return( 1 );
+    }
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+
+    return( 0 );
+}
+
+const int *mbedtls_ssl_list_ciphersuites( void )
+{
+    /*
+     * On initial call filter out all ciphersuites not supported by current
+     * build based on presence in the ciphersuite_definitions.
+     */
+    if( supported_init == 0 )
+    {
+        const int *p;
+        int *q;
+
+        for( p = ciphersuite_preference, q = supported_ciphersuites;
+             *p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1;
+             p++ )
+        {
+            const mbedtls_ssl_ciphersuite_t *cs_info;
+            if( ( cs_info = mbedtls_ssl_ciphersuite_from_id( *p ) ) != NULL &&
+                !ciphersuite_is_removed( cs_info ) )
+            {
+                *(q++) = *p;
+            }
+        }
+        *q = 0;
+
+        supported_init = 1;
+    }
+
+    return( supported_ciphersuites );
+}
+#endif /* MBEDTLS_SSL_CIPHERSUITES */
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(
+                                                const char *ciphersuite_name )
+{
+    const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
+
+    if( NULL == ciphersuite_name )
+        return( NULL );
+
+    while( cur->id != 0 )
+    {
+        if( 0 == strcmp( cur->name, ciphersuite_name ) )
+            return( cur );
+
+        cur++;
+    }
+
+    return( NULL );
+}
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite )
+{
+    const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
+
+    while( cur->id != 0 )
+    {
+        if( cur->id == ciphersuite )
+            return( cur );
+
+        cur++;
+    }
+
+    return( NULL );
+}
+
+const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id )
+{
+    const mbedtls_ssl_ciphersuite_t *cur;
+
+    cur = mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
+
+    if( cur == NULL )
+        return( "unknown" );
+
+    return( cur->name );
+}
+
+int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name )
+{
+    const mbedtls_ssl_ciphersuite_t *cur;
+
+    cur = mbedtls_ssl_ciphersuite_from_string( ciphersuite_name );
+
+    if( cur == NULL )
+        return( 0 );
+
+    return( cur->id );
+}
+
+#if defined(MBEDTLS_PK_C)
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+            return( MBEDTLS_PK_RSA );
+
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( MBEDTLS_PK_ECDSA );
+
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+            return( MBEDTLS_PK_ECKEY );
+
+        default:
+            return( MBEDTLS_PK_NONE );
+    }
+}
+
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+            return( MBEDTLS_PK_RSA );
+
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( MBEDTLS_PK_ECDSA );
+
+        default:
+            return( MBEDTLS_PK_NONE );
+    }
+}
+
+#endif /* MBEDTLS_PK_C */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/third-party/mbedtls-3.6/library/ssl_cli.c b/third-party/mbedtls-3.6/library/ssl_cli.c
new file mode 100644
index 00000000..8a485707
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ssl_cli.c
@@ -0,0 +1,3801 @@
+/*
+ *  SSLv3/TLSv1 client-side functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_CLI_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+
+#include <string.h>
+
+#include <stdint.h>
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
+                                   unsigned char *buf,
+                                   const unsigned char *end,
+                                   size_t *olen )
+{
+    unsigned char *p = buf;
+    size_t hostname_len;
+
+    *olen = 0;
+
+    if( ssl->hostname == NULL )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "client hello, adding server name extension: %s",
+          ssl->hostname ) );
+
+    hostname_len = strlen( ssl->hostname );
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 );
+
+    /*
+     * Sect. 3, RFC 6066 (TLS Extensions Definitions)
+     *
+     * In order to provide any of the server names, clients MAY include an
+     * extension of type "server_name" in the (extended) client hello. The
+     * "extension_data" field of this extension SHALL contain
+     * "ServerNameList" where:
+     *
+     * struct {
+     *     NameType name_type;
+     *     select (name_type) {
+     *         case host_name: HostName;
+     *     } name;
+     * } ServerName;
+     *
+     * enum {
+     *     host_name(0), (255)
+     * } NameType;
+     *
+     * opaque HostName<1..2^16-1>;
+     *
+     * struct {
+     *     ServerName server_name_list<1..2^16-1>
+     * } ServerNameList;
+     *
+     */
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( (hostname_len + 5)      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( (hostname_len + 3)      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
+    *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( hostname_len      ) & 0xFF );
+
+    memcpy( p, ssl->hostname, hostname_len );
+
+    *olen = hostname_len + 9;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
+                                        unsigned char *buf,
+                                        const unsigned char *end,
+                                        size_t *olen )
+{
+    unsigned char *p = buf;
+
+    *olen = 0;
+
+    /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
+     * initial ClientHello, in which case also adding the renegotiation
+     * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
+    if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "client hello, adding renegotiation extension" ) );
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + ssl->verify_data_len );
+
+    /*
+     * Secure renegotiation
+     */
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 )
+                            & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      )
+                            & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
+    *p++ = ssl->verify_data_len & 0xFF;
+
+    memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
+
+    *olen = 5 + ssl->verify_data_len;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/*
+ * Only if we handle at least one key exchange that needs signatures.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+static int ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
+                                               unsigned char *buf,
+                                               const unsigned char *end,
+                                               size_t *olen )
+{
+    unsigned char *p = buf;
+    size_t sig_alg_len = 0;
+    const int *md;
+
+#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
+    unsigned char *sig_alg_list = buf + 6;
+#endif
+
+    *olen = 0;
+
+    if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "client hello, adding signature_algorithms extension" ) );
+
+    if( ssl->conf->sig_hashes == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+
+    for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
+    {
+#if defined(MBEDTLS_ECDSA_C)
+        sig_alg_len += 2;
+#endif
+#if defined(MBEDTLS_RSA_C)
+        sig_alg_len += 2;
+#endif
+        if( sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3,
+                ( "length in bytes of sig-hash-alg extension too big" ) );
+            return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+        }
+    }
+
+    /* Empty signature algorithms list, this is a configuration error. */
+    if( sig_alg_len == 0 )
+        return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, sig_alg_len + 6 );
+
+    /*
+     * Prepare signature_algorithms extension (TLS 1.2)
+     */
+    sig_alg_len = 0;
+
+    for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
+    {
+#if defined(MBEDTLS_ECDSA_C)
+        sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
+        sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
+#endif
+#if defined(MBEDTLS_RSA_C)
+        sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
+        sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
+#endif
+    }
+
+    /*
+     * enum {
+     *     none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
+     *     sha512(6), (255)
+     * } HashAlgorithm;
+     *
+     * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
+     *   SignatureAlgorithm;
+     *
+     * struct {
+     *     HashAlgorithm hash;
+     *     SignatureAlgorithm signature;
+     * } SignatureAndHashAlgorithm;
+     *
+     * SignatureAndHashAlgorithm
+     *   supported_signature_algorithms<2..2^16-2>;
+     */
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( ( sig_alg_len + 2 )      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( sig_alg_len      ) & 0xFF );
+
+    *olen = 6 + sig_alg_len;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
+                                                    unsigned char *buf,
+                                                    const unsigned char *end,
+                                                    size_t *olen )
+{
+    unsigned char *p = buf;
+    unsigned char *elliptic_curve_list = p + 6;
+    size_t elliptic_curve_len = 0;
+    const mbedtls_ecp_curve_info *info;
+    const mbedtls_ecp_group_id *grp_id;
+
+    *olen = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "client hello, adding supported_elliptic_curves extension" ) );
+
+    if( ssl->conf->curve_list == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+
+    for( grp_id = ssl->conf->curve_list;
+         *grp_id != MBEDTLS_ECP_DP_NONE;
+         grp_id++ )
+    {
+        info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
+        if( info == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1,
+                ( "invalid curve in ssl configuration" ) );
+            return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+        }
+        elliptic_curve_len += 2;
+
+        if( elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3,
+                ( "malformed supported_elliptic_curves extension in config" ) );
+            return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+        }
+    }
+
+    /* Empty elliptic curve list, this is a configuration error. */
+    if( elliptic_curve_len == 0 )
+        return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + elliptic_curve_len );
+
+    elliptic_curve_len = 0;
+
+    for( grp_id = ssl->conf->curve_list;
+         *grp_id != MBEDTLS_ECP_DP_NONE;
+         grp_id++ )
+    {
+        info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
+        elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
+        elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 )
+                            & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES      )
+                            & 0xFF );
+
+    *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 )      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( ( elliptic_curve_len     ) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( ( elliptic_curve_len     )      ) & 0xFF );
+
+    *olen = 6 + elliptic_curve_len;
+
+    return( 0 );
+}
+
+static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
+                                                  unsigned char *buf,
+                                                  const unsigned char *end,
+                                                  size_t *olen )
+{
+    unsigned char *p = buf;
+    (void) ssl; /* ssl used for debugging only */
+
+    *olen = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "client hello, adding supported_point_formats extension" ) );
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 )
+                            & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS      )
+                            & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 2;
+
+    *p++ = 1;
+    *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+    *olen = 6;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
+                                       unsigned char *buf,
+                                       const unsigned char *end,
+                                       size_t *olen )
+{
+    int ret;
+    unsigned char *p = buf;
+    size_t kkpp_len;
+
+    *olen = 0;
+
+    /* Skip costly extension if we can't use EC J-PAKE anyway */
+    if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "client hello, adding ecjpake_kkpp extension" ) );
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP      ) & 0xFF );
+
+    /*
+     * We may need to send ClientHello multiple times for Hello verification.
+     * We don't want to compute fresh values every time (both for performance
+     * and consistency reasons), so cache the extension content.
+     */
+    if( ssl->handshake->ecjpake_cache == NULL ||
+        ssl->handshake->ecjpake_cache_len == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
+
+        ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
+                                               p + 2, end - p - 2, &kkpp_len,
+                                               ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1 ,
+                "mbedtls_ecjpake_write_round_one", ret );
+            return( ret );
+        }
+
+        ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
+        if( ssl->handshake->ecjpake_cache == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+        }
+
+        memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
+        ssl->handshake->ecjpake_cache_len = kkpp_len;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
+
+        kkpp_len = ssl->handshake->ecjpake_cache_len;
+        MBEDTLS_SSL_CHK_BUF_PTR( p + 2, end, kkpp_len );
+
+        memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
+    }
+
+    *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( kkpp_len      ) & 0xFF );
+
+    *olen = kkpp_len + 4;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+                                              unsigned char *buf,
+                                              const unsigned char *end,
+                                              size_t *olen )
+{
+    unsigned char *p = buf;
+
+    *olen = 0;
+
+    if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "client hello, adding max_fragment_length extension" ) );
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 )
+                            & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH      )
+                            & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 1;
+
+    *p++ = ssl->conf->mfl_code;
+
+    *olen = 5;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static int ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+                                         unsigned char *buf,
+                                         const unsigned char *end,
+                                         size_t *olen )
+{
+    unsigned char *p = buf;
+
+    *olen = 0;
+
+    if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "client hello, adding truncated_hmac extension" ) );
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+                                           unsigned char *buf,
+                                           const unsigned char *end,
+                                           size_t *olen )
+{
+    unsigned char *p = buf;
+
+    *olen = 0;
+
+    if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+        ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "client hello, adding encrypt_then_mac extension" ) );
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
+                                      unsigned char *buf,
+                                      const unsigned char *end,
+                                      size_t *olen )
+{
+    unsigned char *p = buf;
+
+    *olen = 0;
+
+    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+        ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "client hello, adding extended_master_secret extension" ) );
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 )
+                            & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET      )
+                            & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
+                                         unsigned char *buf,
+                                         const unsigned char *end,
+                                         size_t *olen )
+{
+    unsigned char *p = buf;
+    size_t tlen = ssl->session_negotiate->ticket_len;
+
+    *olen = 0;
+
+    if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "client hello, adding session ticket extension" ) );
+
+    /* The addition is safe here since the ticket length is 16 bit. */
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + tlen );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( tlen      ) & 0xFF );
+
+    *olen = 4;
+
+    if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "sending session ticket of length %d", tlen ) );
+
+    memcpy( p, ssl->session_negotiate->ticket, tlen );
+
+    *olen += tlen;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
+                               unsigned char *buf,
+                               const unsigned char *end,
+                               size_t *olen )
+{
+    unsigned char *p = buf;
+    size_t alpnlen = 0;
+    const char **cur;
+
+    *olen = 0;
+
+    if( ssl->conf->alpn_list == NULL )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
+
+    for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
+        alpnlen += strlen( *cur ) + 1;
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + alpnlen );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN      ) & 0xFF );
+
+    /*
+     * opaque ProtocolName<1..2^8-1>;
+     *
+     * struct {
+     *     ProtocolName protocol_name_list<2..2^16-1>
+     * } ProtocolNameList;
+     */
+
+    /* Skip writing extension and list length for now */
+    p += 4;
+
+    for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
+    {
+        /*
+         * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
+         * protocol names is less than 255.
+         */
+        *p = (unsigned char)strlen( *cur );
+        memcpy( p + 1, *cur, *p );
+        p += 1 + *p;
+    }
+
+    *olen = p - buf;
+
+    /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
+    buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
+    buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );
+
+    /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
+    buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
+    buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+/*
+ * Generate random bytes for ClientHello
+ */
+static int ssl_generate_random( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *p = ssl->handshake->randbytes;
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t;
+#endif
+
+    /*
+     * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->verify_cookie != NULL )
+    {
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+    t = mbedtls_time( NULL );
+    *p++ = (unsigned char)( t >> 24 );
+    *p++ = (unsigned char)( t >> 16 );
+    *p++ = (unsigned char)( t >>  8 );
+    *p++ = (unsigned char)( t       );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
+#else
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
+        return( ret );
+
+    p += 4;
+#endif /* MBEDTLS_HAVE_TIME */
+
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/**
+ * \brief           Validate cipher suite against config in SSL context.
+ *
+ * \param suite_info    cipher suite to validate
+ * \param ssl           SSL context
+ * \param min_minor_ver Minimal minor version to accept a cipher suite
+ * \param max_minor_ver Maximal minor version to accept a cipher suite
+ *
+ * \return          0 if valid, else 1
+ */
+static int ssl_validate_ciphersuite(
+    const mbedtls_ssl_ciphersuite_t * suite_info,
+    const mbedtls_ssl_context * ssl,
+    int min_minor_ver, int max_minor_ver )
+{
+    (void) ssl;
+    if( suite_info == NULL )
+        return( 1 );
+
+    if( suite_info->min_minor_ver > max_minor_ver ||
+            suite_info->max_minor_ver < min_minor_ver )
+        return( 1 );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
+        return( 1 );
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+    if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
+            suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+        return( 1 );
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+            mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+        return( 1 );
+#endif
+
+    return( 0 );
+}
+
+static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t i, n, olen, ext_len = 0;
+
+    unsigned char *buf;
+    unsigned char *p, *q;
+    const unsigned char *end;
+
+    unsigned char offer_compress;
+    const int *ciphersuites;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    int uses_ec = 0;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
+
+    if( ssl->conf->f_rng == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
+        return( MBEDTLS_ERR_SSL_NO_RNG );
+    }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        ssl->major_ver = ssl->conf->min_major_ver;
+        ssl->minor_ver = ssl->conf->min_minor_ver;
+    }
+
+    if( ssl->conf->max_major_ver == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()" ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    buf = ssl->out_msg;
+    end = buf + MBEDTLS_SSL_MAX_CONTENT_LEN;
+
+    /*
+     * Check if there's enough space for the first part of the ClientHello
+     * consisting of the 38 bytes described below, the session identifier (at
+     * most 32 bytes) and its length (1 byte).
+     *
+     * Use static upper bounds instead of the actual values
+     * to allow the compiler to optimize this away.
+     */
+    MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );
+
+    /*
+     * The 38 first bytes of the ClientHello:
+     *     0  .   0   handshake type (written later)
+     *     1  .   3   handshake length (written later)
+     *     4  .   5   highest version supported
+     *     6  .   9   current UNIX time
+     *    10  .  37   random bytes
+     *
+     * The current UNIX time (4 bytes) and following 28 random bytes are written
+     * by ssl_generate_random() into ssl->handshake->randbytes buffer and then
+     * copied from there into the output buffer.
+     */
+
+    p = buf + 4;
+    mbedtls_ssl_write_version( ssl->conf->max_major_ver,
+                               ssl->conf->max_minor_ver,
+                               ssl->conf->transport, p );
+    p += 2;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
+                   buf[4], buf[5] ) );
+
+    if( ( ret = ssl_generate_random( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
+        return( ret );
+    }
+
+    memcpy( p, ssl->handshake->randbytes, 32 );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
+    p += 32;
+
+    /*
+     *    38  .  38   session id length
+     *    39  . 39+n  session id
+     *   39+n . 39+n  DTLS only: cookie length (1 byte)
+     *   40+n .  ..   DTLS only: cookie
+     *   ..   . ..    ciphersuitelist length (2 bytes)
+     *   ..   . ..    ciphersuitelist
+     *   ..   . ..    compression methods length (1 byte)
+     *   ..   . ..    compression methods
+     *   ..   . ..    extensions length (2 bytes)
+     *   ..   . ..    extensions
+     */
+    n = ssl->session_negotiate->id_len;
+
+    if( n < 16 || n > 32 ||
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
+#endif
+        ssl->handshake->resume == 0 )
+    {
+        n = 0;
+    }
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    /*
+     * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
+     * generate and include a Session ID in the TLS ClientHello."
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        if( ssl->session_negotiate->ticket != NULL &&
+                ssl->session_negotiate->ticket_len != 0 )
+        {
+            ret = ssl->conf->f_rng( ssl->conf->p_rng,
+                                    ssl->session_negotiate->id, 32 );
+
+            if( ret != 0 )
+                return( ret );
+
+            ssl->session_negotiate->id_len = n = 32;
+        }
+    }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+    /*
+     * The first check of the output buffer size above (
+     * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );)
+     * has checked that there is enough space in the output buffer for the
+     * session identifier length byte and the session identifier (n <= 32).
+     */
+    *p++ = (unsigned char) n;
+
+    for( i = 0; i < n; i++ )
+        *p++ = ssl->session_negotiate->id[i];
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "client hello, session id", buf + 39, n );
+
+    /*
+     *   With 'n' being the length of the session identifier
+     *
+     *   39+n . 39+n  DTLS only: cookie length (1 byte)
+     *   40+n .  ..   DTLS only: cookie
+     *   ..   . ..    ciphersuitelist length (2 bytes)
+     *   ..   . ..    ciphersuitelist
+     *   ..   . ..    compression methods length (1 byte)
+     *   ..   . ..    compression methods
+     *   ..   . ..    extensions length (2 bytes)
+     *   ..   . ..    extensions
+     */
+
+    /*
+     * DTLS cookie
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
+
+        if( ssl->handshake->verify_cookie == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
+            *p++ = 0;
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
+                              ssl->handshake->verify_cookie,
+                              ssl->handshake->verify_cookie_len );
+
+            *p++ = ssl->handshake->verify_cookie_len;
+
+            MBEDTLS_SSL_CHK_BUF_PTR( p, end,
+                                     ssl->handshake->verify_cookie_len );
+            memcpy( p, ssl->handshake->verify_cookie,
+                       ssl->handshake->verify_cookie_len );
+            p += ssl->handshake->verify_cookie_len;
+        }
+    }
+#endif
+
+    /*
+     * Ciphersuite list
+     */
+    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
+
+    /* Skip writing ciphersuite length for now */
+    n = 0;
+    q = p;
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+    p += 2;
+
+    for( i = 0; ciphersuites[i] != 0; i++ )
+    {
+        ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
+
+        if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
+                                      ssl->conf->min_minor_ver,
+                                      ssl->conf->max_minor_ver ) != 0 )
+            continue;
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
+                                    ciphersuites[i] ) );
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
+#endif
+
+        MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+
+        n++;
+        *p++ = (unsigned char)( ciphersuites[i] >> 8 );
+        *p++ = (unsigned char)( ciphersuites[i]      );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
+
+    /*
+     * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
+        MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+        *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
+        *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO      );
+        n++;
+    }
+
+    /* Some versions of OpenSSL don't handle it correctly if not at end */
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
+
+        MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+        *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
+        *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      );
+        n++;
+    }
+#endif
+
+    *q++ = (unsigned char)( n >> 7 );
+    *q++ = (unsigned char)( n << 1 );
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    offer_compress = 1;
+#else
+    offer_compress = 0;
+#endif
+
+    /*
+     * We don't support compression with DTLS right now: if many records come
+     * in the same datagram, uncompressing one could overwrite the next one.
+     * We don't want to add complexity for handling that case unless there is
+     * an actual need for it.
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        offer_compress = 0;
+#endif
+
+    if( offer_compress )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
+                                    MBEDTLS_SSL_COMPRESS_DEFLATE,
+                                    MBEDTLS_SSL_COMPRESS_NULL ) );
+
+        MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
+        *p++ = 2;
+        *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
+        *p++ = MBEDTLS_SSL_COMPRESS_NULL;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
+                            MBEDTLS_SSL_COMPRESS_NULL ) );
+
+        MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+        *p++ = 1;
+        *p++ = MBEDTLS_SSL_COMPRESS_NULL;
+    }
+
+    /* First write extensions, then the total length */
+
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    if( ( ret = ssl_write_hostname_ext( ssl, p + 2 + ext_len,
+                                        end, &olen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hostname_ext", ret );
+        return( ret );
+    }
+    ext_len += olen;
+#endif
+
+    /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
+     * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ( ret = ssl_write_renegotiation_ext( ssl, p + 2 + ext_len,
+                                             end, &olen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_renegotiation_ext", ret );
+        return( ret );
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    if( ( ret = ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len,
+                                                    end, &olen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_signature_algorithms_ext", ret );
+        return( ret );
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( uses_ec )
+    {
+        if( ( ret = ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len,
+                                                             end, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_elliptic_curves_ext", ret );
+            return( ret );
+        }
+        ext_len += olen;
+
+        if( ( ret = ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len,
+                                                           end, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_point_formats_ext", ret );
+            return( ret );
+        }
+        ext_len += olen;
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ( ret = ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len,
+                                            end, &olen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_ecjpake_kkpp_ext", ret );
+        return( ret );
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    if( ( ret = ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len,
+                                                   end, &olen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_max_fragment_length_ext", ret );
+        return( ret );
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    if( ( ret = ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len,
+                                              end, &olen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_truncated_hmac_ext", ret );
+        return( ret );
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    if( ( ret = ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len,
+                                                end, &olen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_encrypt_then_mac_ext", ret );
+        return( ret );
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    if( ( ret = ssl_write_extended_ms_ext( ssl, p + 2 + ext_len,
+                                           end, &olen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_extended_ms_ext", ret );
+        return( ret );
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+    if( ( ret = ssl_write_alpn_ext( ssl, p + 2 + ext_len,
+                                    end, &olen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_alpn_ext", ret );
+        return( ret );
+    }
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    if( ( ret = ssl_write_session_ticket_ext( ssl, p + 2 + ext_len,
+                                              end, &olen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_session_ticket_ext", ret );
+        return( ret );
+    }
+    ext_len += olen;
+#endif
+
+    /* olen unused if all extensions are disabled */
+    ((void) olen);
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
+                                ext_len ) );
+
+    if( ext_len > 0 )
+    {
+        /* No need to check for space here, because the extension
+         * writing functions already took care of that. */
+        *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
+        *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
+        p += ext_len;
+    }
+
+    ssl->out_msglen  = p - buf;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CLIENT_HELLO;
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_send_flight_completed( ssl );
+#endif
+
+    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
+
+    return( 0 );
+}
+
+static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        /* Check verify-data in constant-time. The length OTOH is no secret */
+        if( len    != 1 + ssl->verify_data_len * 2 ||
+            buf[0] !=     ssl->verify_data_len * 2 ||
+            mbedtls_ssl_safer_memcmp( buf + 1,
+                          ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
+            mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
+                          ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+    {
+        if( len != 1 || buf[0] != 0x00 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1,
+                ( "non-zero length renegotiation info" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+
+        ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+    }
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+                                              const unsigned char *buf,
+                                              size_t len )
+{
+    /*
+     * server should use the extension only if we did,
+     * and if so the server's value should match ours (and len is always 1)
+     */
+    if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
+        len != 1 ||
+        buf[0] != ssl->conf->mfl_code )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "non-matching max fragment length extension" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
+        len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "non-matching truncated HMAC extension" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+        len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "non-matching encrypt-then-MAC extension" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+        len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "non-matching extended master secret extension" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
+        len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "non-matching session ticket extension" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->handshake->new_session_ticket = 1;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
+                                                  const unsigned char *buf,
+                                                  size_t len )
+{
+    size_t list_size;
+    const unsigned char *p;
+
+    if( len == 0 || (size_t)( buf[0] + 1 ) != len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+    list_size = buf[0];
+
+    p = buf + 1;
+    while( list_size > 0 )
+    {
+        if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+            p[0] == MBEDTLS_ECP_PF_COMPRESSED )
+        {
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+            ssl->handshake->ecdh_ctx.point_format = p[0];
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            ssl->handshake->ecjpake_ctx.point_format = p[0];
+#endif
+            MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
+            return( 0 );
+        }
+
+        list_size--;
+        p++;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
+    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
+                                   const unsigned char *buf,
+                                   size_t len )
+{
+    int ret;
+
+    if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
+        MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
+        return( 0 );
+    }
+
+    /* If we got here, we no longer need our cached extension */
+    mbedtls_free( ssl->handshake->ecjpake_cache );
+    ssl->handshake->ecjpake_cache = NULL;
+    ssl->handshake->ecjpake_cache_len = 0;
+
+    if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
+                                                buf, len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
+                               const unsigned char *buf, size_t len )
+{
+    size_t list_len, name_len;
+    const char **p;
+
+    /* If we didn't send it, the server shouldn't send it */
+    if( ssl->conf->alpn_list == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /*
+     * opaque ProtocolName<1..2^8-1>;
+     *
+     * struct {
+     *     ProtocolName protocol_name_list<2..2^16-1>
+     * } ProtocolNameList;
+     *
+     * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
+     */
+
+    /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
+    if( len < 4 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    list_len = ( buf[0] << 8 ) | buf[1];
+    if( list_len != len - 2 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    name_len = buf[2];
+    if( name_len != list_len - 1 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /* Check that the server chosen protocol was in our list and save it */
+    for( p = ssl->conf->alpn_list; *p != NULL; p++ )
+    {
+        if( name_len == strlen( *p ) &&
+            memcmp( buf + 3, *p, name_len ) == 0 )
+        {
+            ssl->alpn_chosen = *p;
+            return( 0 );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
+    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+/*
+ * Parse HelloVerifyRequest.  Only called after verifying the HS type.
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
+{
+    const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+    int major_ver, minor_ver;
+    unsigned char cookie_len;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
+
+    /* Check that there is enough room for:
+     * - 2 bytes of version
+     * - 1 byte of cookie_len
+     */
+    if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "incoming HelloVerifyRequest message is too short" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /*
+     * struct {
+     *   ProtocolVersion server_version;
+     *   opaque cookie<0..2^8-1>;
+     * } HelloVerifyRequest;
+     */
+    MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
+    mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
+    p += 2;
+
+    /*
+     * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
+     * even is lower than our min version.
+     */
+    if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
+        minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
+        major_ver > ssl->conf->max_major_ver  ||
+        minor_ver > ssl->conf->max_minor_ver  )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
+
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+
+        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
+    cookie_len = *p++;
+    if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "cookie length does not match incoming message size" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+    MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
+
+    mbedtls_free( ssl->handshake->verify_cookie );
+
+    ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
+    if( ssl->handshake->verify_cookie  == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    memcpy( ssl->handshake->verify_cookie, p, cookie_len );
+    ssl->handshake->verify_cookie_len = cookie_len;
+
+    /* Start over at ClientHello */
+    ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+    mbedtls_ssl_reset_checksum( ssl );
+
+    mbedtls_ssl_recv_flight_completed( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
+{
+    int ret, i;
+    size_t n;
+    size_t ext_len;
+    unsigned char *buf, *ext;
+    unsigned char comp;
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    int accept_comp;
+#endif
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renegotiation_info_seen = 0;
+#endif
+    int handshake_failure = 0;
+    const mbedtls_ssl_ciphersuite_t *suite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
+
+    buf = ssl->in_msg;
+
+    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    {
+        /* No alert on a read error. */
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+        {
+            ssl->renego_records_seen++;
+
+            if( ssl->conf->renego_max_records >= 0 &&
+                ssl->renego_records_seen > ssl->conf->renego_max_records )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1,
+                    ( "renegotiation requested, but not honored by server" ) );
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 1,
+                ( "non-handshake message during renegotiation" ) );
+
+            ssl->keep_current_message = 1;
+            return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
+        }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
+            return( ssl_parse_hello_verify_request( ssl ) );
+        }
+        else
+        {
+            /* We made it through the verification process */
+            mbedtls_free( ssl->handshake->verify_cookie );
+            ssl->handshake->verify_cookie = NULL;
+            ssl->handshake->verify_cookie_len = 0;
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
+        buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /*
+     *  0   .  1    server_version
+     *  2   . 33    random (maybe including 4 bytes of Unix time)
+     * 34   . 34    session_id length = n
+     * 35   . 34+n  session_id
+     * 35+n . 36+n  cipher_suite
+     * 37+n . 37+n  compression_method
+     *
+     * 38+n . 39+n  extensions length (optional)
+     * 40+n .  ..   extensions
+     */
+    buf += mbedtls_ssl_hs_hdr_len( ssl );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
+    mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
+                      ssl->conf->transport, buf + 0 );
+
+    if( ssl->major_ver < ssl->conf->min_major_ver ||
+        ssl->minor_ver < ssl->conf->min_minor_ver ||
+        ssl->major_ver > ssl->conf->max_major_ver ||
+        ssl->minor_ver > ssl->conf->max_minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "server version out of bounds -  min: [%d:%d], server: [%d:%d], max: [%d:%d]",
+              ssl->conf->min_major_ver,
+              ssl->conf->min_minor_ver,
+              ssl->major_ver, ssl->minor_ver,
+              ssl->conf->max_major_ver,
+              ssl->conf->max_minor_ver ) );
+
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+
+        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
+                           ( (uint32_t) buf[2] << 24 ) |
+                           ( (uint32_t) buf[3] << 16 ) |
+                           ( (uint32_t) buf[4] <<  8 ) |
+                           ( (uint32_t) buf[5]       ) ) );
+
+    memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
+
+    n = buf[34];
+
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, random bytes", buf + 2, 32 );
+
+    if( n > 32 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
+    {
+        ext_len = ( ( buf[38 + n] <<  8 )
+                  | ( buf[39 + n]       ) );
+
+        if( ( ext_len > 0 && ext_len < 4 ) ||
+            ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+    }
+    else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
+    {
+        ext_len = 0;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /* ciphersuite (used later) */
+    i = ( buf[35 + n] << 8 ) | buf[36 + n];
+
+    /*
+     * Read and check compression
+     */
+    comp = buf[37 + n];
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    /* See comments in ssl_write_client_hello() */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        accept_comp = 0;
+    else
+#endif
+        accept_comp = 1;
+
+    if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
+        ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
+#else /* MBEDTLS_ZLIB_SUPPORT */
+    if( comp != MBEDTLS_SSL_COMPRESS_NULL )
+#endif/* MBEDTLS_ZLIB_SUPPORT */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "server hello, bad compression: %d", comp ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+    }
+
+    /*
+     * Initialize update checksum functions
+     */
+    ssl->transform_negotiate->ciphersuite_info =
+                                  mbedtls_ssl_ciphersuite_from_id( i );
+
+    if( ssl->transform_negotiate->ciphersuite_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "ciphersuite info for %04x not found", i ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    mbedtls_ssl_optimize_checksum( ssl,
+                                   ssl->transform_negotiate->ciphersuite_info );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 35, n );
+
+    /*
+     * Check if the session can be resumed
+     */
+    if( ssl->handshake->resume == 0 || n == 0 ||
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
+#endif
+        ssl->session_negotiate->ciphersuite != i ||
+        ssl->session_negotiate->compression != comp ||
+        ssl->session_negotiate->id_len != n ||
+        memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
+    {
+        ssl->state++;
+        ssl->handshake->resume = 0;
+#if defined(MBEDTLS_HAVE_TIME)
+        ssl->session_negotiate->start = mbedtls_time( NULL );
+#endif
+        ssl->session_negotiate->ciphersuite = i;
+        ssl->session_negotiate->compression = comp;
+        ssl->session_negotiate->id_len = n;
+        memcpy( ssl->session_negotiate->id, buf + 35, n );
+    }
+    else
+    {
+        ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+        if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+            return( ret );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
+                   ssl->handshake->resume ? "a" : "no" ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
+                                buf[37 + n] ) );
+
+    /*
+     * Perform cipher suite validation in same way as in ssl_write_client_hello.
+     */
+    i = 0;
+    while( 1 )
+    {
+        if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+
+        if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
+            ssl->session_negotiate->ciphersuite )
+        {
+            break;
+        }
+    }
+
+    suite_info = mbedtls_ssl_ciphersuite_from_id(
+        ssl->session_negotiate->ciphersuite );
+    if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver,
+                                  ssl->minor_ver ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3,
+        ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
+
+    if( comp != MBEDTLS_SSL_COMPRESS_NULL
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+        && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
+#endif
+      )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+    ssl->session_negotiate->compression = comp;
+
+    ext = buf + 40 + n;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2,
+        ( "server hello, total extension length: %d", ext_len ) );
+
+    while( ext_len )
+    {
+        unsigned int ext_id   = ( ( ext[0] <<  8 )
+                                | ( ext[1]       ) );
+        unsigned int ext_size = ( ( ext[2] <<  8 )
+                                | ( ext[3]       ) );
+
+        if( ext_size + 4 > ext_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+
+        switch( ext_id )
+        {
+        case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            renegotiation_info_seen = 1;
+#endif
+
+            if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
+                                                      ext_size ) ) != 0 )
+                return( ret );
+
+            break;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+        case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+            MBEDTLS_SSL_DEBUG_MSG( 3,
+                ( "found max_fragment_length extension" ) );
+
+            if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+        case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
+
+            if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
+
+            if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+        case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+            MBEDTLS_SSL_DEBUG_MSG( 3,
+                ( "found extended_master_secret extension" ) );
+
+            if( ( ret = ssl_parse_extended_ms_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        case MBEDTLS_TLS_EXT_SESSION_TICKET:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
+
+            if( ( ret = ssl_parse_session_ticket_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+            MBEDTLS_SSL_DEBUG_MSG( 3,
+                ( "found supported_point_formats extension" ) );
+
+            if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
+
+            if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+        case MBEDTLS_TLS_EXT_ALPN:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
+
+            if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
+                return( ret );
+
+            break;
+#endif /* MBEDTLS_SSL_ALPN */
+
+        default:
+            MBEDTLS_SSL_DEBUG_MSG( 3,
+                ( "unknown extension found: %d (ignoring)", ext_id ) );
+        }
+
+        ext_len -= 4 + ext_size;
+        ext += 4 + ext_size;
+
+        if( ext_len > 0 && ext_len < 4 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+    }
+
+    /*
+     * Renegotiation security checks
+     */
+    if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+        ssl->conf->allow_legacy_renegotiation ==
+        MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "legacy renegotiation, breaking off handshake" ) );
+        handshake_failure = 1;
+    }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+             renegotiation_info_seen == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "renegotiation_info extension missing (secure)" ) );
+        handshake_failure = 1;
+    }
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+             ssl->conf->allow_legacy_renegotiation ==
+             MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
+        handshake_failure = 1;
+    }
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+             renegotiation_info_seen == 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "renegotiation_info extension present (legacy)" ) );
+        handshake_failure = 1;
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    if( handshake_failure == 1 )
+    {
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
+                                       unsigned char **p,
+                                       unsigned char *end )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    /*
+     * Ephemeral DH parameters:
+     *
+     * struct {
+     *     opaque dh_p<1..2^16-1>;
+     *     opaque dh_g<1..2^16-1>;
+     *     opaque dh_Ys<1..2^16-1>;
+     * } ServerDHParams;
+     */
+    if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx,
+                                         p, end ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
+        return( ret );
+    }
+
+    if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
+                                    ssl->handshake->dhm_ctx.len * 8,
+                                    ssl->conf->dhm_min_bitlen ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
+    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
+    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+
+    curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
+    if( curve_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
+
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 )
+#else
+    if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
+        ssl->handshake->ecdh_ctx.grp.nbits > 521 )
+#endif
+        return( -1 );
+
+    MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
+                                         unsigned char **p,
+                                         unsigned char *end )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    /*
+     * Ephemeral ECDH parameters:
+     *
+     * struct {
+     *     ECParameters curve_params;
+     *     ECPoint      public;
+     * } ServerECDHParams;
+     */
+    if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
+                                  (const unsigned char **) p, end ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
+        return( ret );
+    }
+
+    if( ssl_check_server_ecdh_params( ssl ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "bad server key exchange message (ECDHE curve)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
+                                      unsigned char **p,
+                                      unsigned char *end )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t  len;
+    ((void) ssl);
+
+    /*
+     * PSK parameters:
+     *
+     * opaque psk_identity_hint<0..2^16-1>;
+     */
+    if( end - (*p) < 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "bad server key exchange message (psk_identity_hint length)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+    len = (*p)[0] << 8 | (*p)[1];
+    *p += 2;
+
+    if( end - (*p) < (int) len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "bad server key exchange message (psk_identity_hint length)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    /*
+     * Note: we currently ignore the PKS identity hint, as we only allow one
+     * PSK to be provisionned on the client. This could be changed later if
+     * someone needs that feature.
+     */
+    *p += len;
+    ret = 0;
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+/*
+ * Generate a pre-master secret and encrypt it with the server's RSA key
+ */
+static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
+                                    size_t offset, size_t *olen,
+                                    size_t pms_offset )
+{
+    int ret;
+    size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
+    unsigned char *p = ssl->handshake->premaster + pms_offset;
+
+    if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+    }
+
+    /*
+     * Generate (part of) the pre-master as
+     *  struct {
+     *      ProtocolVersion client_version;
+     *      opaque random[46];
+     *  } PreMasterSecret;
+     */
+    mbedtls_ssl_write_version( ssl->conf->max_major_ver,
+                               ssl->conf->max_minor_ver,
+                               ssl->conf->transport, p );
+
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
+        return( ret );
+    }
+
+    ssl->handshake->pmslen = 48;
+
+    if( ssl->session_negotiate->peer_cert == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /*
+     * Now write it out, encrypted
+     */
+    if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
+                MBEDTLS_PK_RSA ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
+        return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+    }
+
+    if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
+                            p, ssl->handshake->pmslen,
+                            ssl->out_msg + offset + len_bytes, olen,
+                            MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
+                            ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( len_bytes == 2 )
+    {
+        ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
+        ssl->out_msg[offset+1] = (unsigned char)( *olen      );
+        *olen += 2;
+    }
+#endif
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
+                                          unsigned char **p,
+                                          unsigned char *end,
+                                          mbedtls_md_type_t *md_alg,
+                                          mbedtls_pk_type_t *pk_alg )
+{
+    ((void) ssl);
+    *md_alg = MBEDTLS_MD_NONE;
+    *pk_alg = MBEDTLS_PK_NONE;
+
+    /* Only in TLS 1.2 */
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        return( 0 );
+    }
+
+    if( (*p) + 2 > end )
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+
+    /*
+     * Get hash algorithm
+     */
+    if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) )
+        == MBEDTLS_MD_NONE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    /*
+     * Get signature algorithm
+     */
+    if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) )
+        == MBEDTLS_PK_NONE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    /*
+     * Check if the hash is acceptable
+     */
+    if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d",
+                                (*p)[1] ) );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d",
+                                (*p)[0] ) );
+    *p += 2;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const mbedtls_ecp_keypair *peer_key;
+
+    if( ssl->session_negotiate->peer_cert == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
+                     MBEDTLS_PK_ECKEY ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
+        return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+    }
+
+    peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
+
+    if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
+                                 MBEDTLS_ECDH_THEIRS ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
+        return( ret );
+    }
+
+    if( ssl_check_server_ecdh_params( ssl ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+    unsigned char *p = NULL, *end = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
+        ssl->state++;
+        return( 0 );
+    }
+    ((void) p);
+    ((void) end);
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
+    {
+        if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
+        ssl->state++;
+        return( 0 );
+    }
+    ((void) p);
+    ((void) end);
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /*
+     * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
+     * doesn't use a psk_identity_hint
+     */
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
+    {
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+            ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+        {
+            /* Current message is probably either
+             * CertificateRequest or ServerHelloDone */
+            ssl->keep_current_message = 1;
+            goto exit;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "server key exchange message must not be skipped" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    p   = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+    end = ssl->in_msg + ssl->in_hslen;
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "server key exchange", p, end - p );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+    {
+        if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+    } /* FALLTROUGH */
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+        ; /* nothing more to do */
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+    {
+        if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
+    {
+        if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
+                                              p, end - p );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
+    {
+        size_t sig_len, hashlen;
+        unsigned char hash[64];
+        mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+        mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+        unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+        size_t params_len = p - params;
+
+        /*
+         * Handle the digitally-signed structure
+         */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+        {
+            if( ssl_parse_signature_algorithm( ssl, &p, end,
+                                               &md_alg, &pk_alg ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1,
+                    ( "bad server key exchange message" ) );
+                mbedtls_ssl_send_alert_message(
+                    ssl,
+                    MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                    MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+                return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+            }
+
+            if( pk_alg !=
+                mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1,
+                    ( "bad server key exchange message" ) );
+                mbedtls_ssl_send_alert_message(
+                    ssl,
+                    MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                    MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+                return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+            }
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+        {
+            pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+
+            /* Default hash for ECDSA is SHA-1 */
+            if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
+                md_alg = MBEDTLS_MD_SHA1;
+        }
+        else
+#endif
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        /*
+         * Read signature
+         */
+        if( p > end - 2 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+        sig_len = ( p[0] << 8 ) | p[1];
+        p += 2;
+
+        if( p != end - sig_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
+
+        /*
+         * Compute the hash that has been signed
+         */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if( md_alg == MBEDTLS_MD_NONE )
+        {
+            hashlen = 36;
+            ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
+                                                           params_len );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( md_alg != MBEDTLS_MD_NONE )
+        {
+            /* Info from md_alg will be used instead */
+            hashlen = 0;
+            ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, params,
+                                                          params_len, md_alg );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
+            (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
+
+        if( ssl->session_negotiate->peer_cert == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+        }
+
+        /*
+         * Verify signature
+         */
+        if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
+                                 pk_alg ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+        }
+
+        if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
+                               md_alg, hash, hashlen, p, sig_len ) ) != 0 )
+        {
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+exit:
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
+
+    return( 0 );
+}
+
+#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
+static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
+
+    if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+#else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
+static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *buf;
+    size_t n = 0;
+    size_t cert_type_len = 0, dn_len = 0;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
+
+    if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    ssl->state++;
+    ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
+                        ssl->client_auth ? "a" : "no" ) );
+
+    if( ssl->client_auth == 0 )
+    {
+        /* Current message is probably the ServerHelloDone */
+        ssl->keep_current_message = 1;
+        goto exit;
+    }
+
+    /*
+     *  struct {
+     *      ClientCertificateType certificate_types<1..2^8-1>;
+     *      SignatureAndHashAlgorithm
+     *        supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
+     *      DistinguishedName certificate_authorities<0..2^16-1>;
+     *  } CertificateRequest;
+     *
+     *  Since we only support a single certificate on clients, let's just
+     *  ignore all the information that's supposed to help us pick a
+     *  certificate.
+     *
+     *  We could check that our certificate matches the request, and bail out
+     *  if it doesn't, but it's simpler to just send the certificate anyway,
+     *  and give the server the opportunity to decide if it should terminate
+     *  the connection when it doesn't like our certificate.
+     *
+     *  Same goes for the hash in TLS 1.2's signature_algorithms: at this
+     *  point we only have one hash available (see comments in
+     *  write_certificate_verify), so let's just use what we have.
+     *
+     *  However, we still minimally parse the message to check it is at least
+     *  superficially sane.
+     */
+    buf = ssl->in_msg;
+
+    /* certificate_types */
+    if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
+    }
+    cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
+    n = cert_type_len;
+
+    /*
+     * In the subsequent code there are two paths that read from buf:
+     *     * the length of the signature algorithms field (if minor version of
+     *       SSL is 3),
+     *     * distinguished name length otherwise.
+     * Both reach at most the index:
+     *    ...hdr_len + 2 + n,
+     * therefore the buffer length at this point must be greater than that
+     * regardless of the actual code path.
+     */
+    if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
+    }
+
+    /* supported_signature_algorithms */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        size_t sig_alg_len =
+            ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] <<  8 )
+              | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n]   ) );
+#if defined(MBEDTLS_DEBUG_C)
+        unsigned char* sig_alg;
+        size_t i;
+#endif
+
+        /*
+         * The furthest access in buf is in the loop few lines below:
+         *     sig_alg[i + 1],
+         * where:
+         *     sig_alg = buf + ...hdr_len + 3 + n,
+         *     max(i) = sig_alg_len - 1.
+         * Therefore the furthest access is:
+         *     buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
+         * which reduces to:
+         *     buf[...hdr_len + 3 + n + sig_alg_len],
+         * which is one less than we need the buf to be.
+         */
+        if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl )
+                                + 3 + n + sig_alg_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+            mbedtls_ssl_send_alert_message(
+                ssl,
+                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
+        }
+
+#if defined(MBEDTLS_DEBUG_C)
+        sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
+        for( i = 0; i < sig_alg_len; i += 2 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3,
+                ( "Supported Signature Algorithm found: %d,%d",
+                  sig_alg[i], sig_alg[i + 1]  ) );
+        }
+#endif
+
+        n += 2 + sig_alg_len;
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    /* certificate_authorities */
+    dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] <<  8 )
+             | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n]       ) );
+
+    n += dn_len;
+    if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
+    }
+
+exit:
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
+
+static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    if( ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) ||
+        ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
+    }
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_recv_flight_completed( ssl );
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
+
+    return( 0 );
+}
+
+static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t i, n;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
+    {
+        /*
+         * DHM key exchange -- send G^X mod P
+         */
+        n = ssl->handshake->dhm_ctx.len;
+
+        ssl->out_msg[4] = (unsigned char)( n >> 8 );
+        ssl->out_msg[5] = (unsigned char)( n      );
+        i = 6;
+
+        ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
+                          (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+                          &ssl->out_msg[i], n,
+                          ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
+
+        if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
+                                  ssl->handshake->premaster,
+                                  MBEDTLS_PREMASTER_SIZE,
+                                  &ssl->handshake->pmslen,
+                                  ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
+    {
+        /*
+         * ECDH key exchange -- send client public value
+         */
+        i = 4;
+
+        ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
+                                &n,
+                                &ssl->out_msg[i], 1000,
+                                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
+
+        if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
+                                  &ssl->handshake->pmslen,
+                                  ssl->handshake->premaster,
+                                  MBEDTLS_MPI_MAX_SIZE,
+                                  ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
+    {
+        /*
+         * opaque psk_identity<0..2^16-1>;
+         */
+        if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
+            return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+        }
+
+        i = 4;
+        n = ssl->conf->psk_identity_len;
+
+        if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1,
+                ( "psk identity too long or SSL buffer too short" ) );
+            return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+        }
+
+        ssl->out_msg[i++] = (unsigned char)( n >> 8 );
+        ssl->out_msg[i++] = (unsigned char)( n      );
+
+        memcpy( ssl->out_msg + i,
+                ssl->conf->psk_identity,
+                ssl->conf->psk_identity_len );
+        i += ssl->conf->psk_identity_len;
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
+        {
+            n = 0;
+        }
+        else
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+        {
+            if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
+                return( ret );
+        }
+        else
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+        {
+            /*
+             * ClientDiffieHellmanPublic public (DHM send G^X mod P)
+             */
+            n = ssl->handshake->dhm_ctx.len;
+
+            if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1,
+                    ( "psk identity or DHM size too long or SSL buffer too short" ) );
+                return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+            }
+
+            ssl->out_msg[i++] = (unsigned char)( n >> 8 );
+            ssl->out_msg[i++] = (unsigned char)( n      );
+
+            ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
+                    (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+                    &ssl->out_msg[i], n,
+                    ssl->conf->f_rng, ssl->conf->p_rng );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
+                return( ret );
+            }
+        }
+        else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+        {
+            /*
+             * ClientECDiffieHellmanPublic public;
+             */
+            ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
+                    &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
+                    ssl->conf->f_rng, ssl->conf->p_rng );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
+                return( ret );
+            }
+
+            MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
+        }
+        else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1,
+                "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
+    {
+        i = 4;
+        if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
+            return( ret );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        i = 4;
+
+        ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
+                ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n,
+                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
+            return( ret );
+        }
+
+        ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
+                ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
+                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+    {
+        ((void) ciphersuite_info);
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    ssl->out_msglen  = i + n;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
+    !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
+
+    if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+        return( ret );
+    }
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+#else
+static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+    size_t n = 0, offset = 0;
+    unsigned char hash[48];
+    unsigned char *hash_start = hash;
+    mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+    unsigned int hashlen;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
+
+    if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+        return( ret );
+    }
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    if( mbedtls_ssl_own_key( ssl ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
+        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+    }
+
+    /*
+     * Make an RSA signature of the handshake digests
+     */
+    ssl->handshake->calc_verify( ssl, hash );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        /*
+         * digitally-signed struct {
+         *     opaque md5_hash[16];
+         *     opaque sha_hash[20];
+         * };
+         *
+         * md5_hash
+         *     MD5(handshake_messages);
+         *
+         * sha_hash
+         *     SHA(handshake_messages);
+         */
+        hashlen = 36;
+        md_alg = MBEDTLS_MD_NONE;
+
+        /*
+         * For ECDSA, default hash is SHA-1 only
+         */
+        if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
+        {
+            hash_start += 16;
+            hashlen -= 16;
+            md_alg = MBEDTLS_MD_SHA1;
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        /*
+         * digitally-signed struct {
+         *     opaque handshake_messages[handshake_messages_length];
+         * };
+         *
+         * Taking shortcut here. We assume that the server always allows the
+         * PRF Hash function and has sent it in the allowed signature
+         * algorithms list received in the Certificate Request message.
+         *
+         * Until we encounter a server that does not, we will take this
+         * shortcut.
+         *
+         * Reason: Otherwise we should have running hashes for SHA512 and
+         *         SHA224 in order to satisfy 'weird' needs from the server
+         *         side.
+         */
+        if( ssl->transform_negotiate->ciphersuite_info->mac ==
+            MBEDTLS_MD_SHA384 )
+        {
+            md_alg = MBEDTLS_MD_SHA384;
+            ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
+        }
+        else
+        {
+            md_alg = MBEDTLS_MD_SHA256;
+            ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
+        }
+        ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
+
+        /* Info from md_alg will be used instead */
+        hashlen = 0;
+        offset = 2;
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen,
+                         ssl->out_msg + 6 + offset, &n,
+                         ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
+        return( ret );
+    }
+
+    ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
+    ssl->out_msg[5 + offset] = (unsigned char)( n      );
+
+    ssl->out_msglen  = 6 + n + offset;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    uint32_t lifetime;
+    size_t ticket_len;
+    unsigned char *ticket;
+    const unsigned char *msg;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
+        mbedtls_ssl_send_alert_message(
+            ssl,
+            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+            MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /*
+     * struct {
+     *     uint32 ticket_lifetime_hint;
+     *     opaque ticket<0..2^16-1>;
+     * } NewSessionTicket;
+     *
+     * 0  .  3   ticket_lifetime_hint
+     * 4  .  5   ticket_len (n)
+     * 6  .  5+n ticket content
+     */
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
+        ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
+    }
+
+    msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+
+    lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
+               ( msg[2] << 8 ) | ( msg[3] );
+
+    ticket_len = ( msg[4] << 8 ) | ( msg[5] );
+
+    if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
+
+    /* We're not waiting for a NewSessionTicket message any more */
+    ssl->handshake->new_session_ticket = 0;
+    ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+    /*
+     * Zero-length ticket means the server changed his mind and doesn't want
+     * to send a ticket after all, so just forget it
+     */
+    if( ticket_len == 0 )
+        return( 0 );
+
+    mbedtls_zeroize( ssl->session_negotiate->ticket,
+                      ssl->session_negotiate->ticket_len );
+    mbedtls_free( ssl->session_negotiate->ticket );
+    ssl->session_negotiate->ticket = NULL;
+    ssl->session_negotiate->ticket_len = 0;
+
+    if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    memcpy( ticket, msg + 6, ticket_len );
+
+    ssl->session_negotiate->ticket = ticket;
+    ssl->session_negotiate->ticket_len = ticket_len;
+    ssl->session_negotiate->ticket_lifetime = lifetime;
+
+    /*
+     * RFC 5077 section 3.4:
+     * "If the client receives a session ticket from the server, then it
+     * discards any Session ID that was sent in the ServerHello."
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
+    ssl->session_negotiate->id_len = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
+ * SSL handshake -- client side -- single step
+ */
+int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
+
+    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+            return( ret );
+    }
+#endif
+
+    /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
+     * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
+        ssl->handshake->new_session_ticket != 0 )
+    {
+        ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
+    }
+#endif
+
+    switch( ssl->state )
+    {
+        case MBEDTLS_SSL_HELLO_REQUEST:
+            ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+            break;
+
+       /*
+        *  ==>   ClientHello
+        */
+       case MBEDTLS_SSL_CLIENT_HELLO:
+           ret = ssl_write_client_hello( ssl );
+           break;
+
+       /*
+        *  <==   ServerHello
+        *        Certificate
+        *      ( ServerKeyExchange  )
+        *      ( CertificateRequest )
+        *        ServerHelloDone
+        */
+       case MBEDTLS_SSL_SERVER_HELLO:
+           ret = ssl_parse_server_hello( ssl );
+           break;
+
+       case MBEDTLS_SSL_SERVER_CERTIFICATE:
+           ret = mbedtls_ssl_parse_certificate( ssl );
+           break;
+
+       case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
+           ret = ssl_parse_server_key_exchange( ssl );
+           break;
+
+       case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+           ret = ssl_parse_certificate_request( ssl );
+           break;
+
+       case MBEDTLS_SSL_SERVER_HELLO_DONE:
+           ret = ssl_parse_server_hello_done( ssl );
+           break;
+
+       /*
+        *  ==> ( Certificate/Alert  )
+        *        ClientKeyExchange
+        *      ( CertificateVerify  )
+        *        ChangeCipherSpec
+        *        Finished
+        */
+       case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+           ret = mbedtls_ssl_write_certificate( ssl );
+           break;
+
+       case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
+           ret = ssl_write_client_key_exchange( ssl );
+           break;
+
+       case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+           ret = ssl_write_certificate_verify( ssl );
+           break;
+
+       case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
+           ret = mbedtls_ssl_write_change_cipher_spec( ssl );
+           break;
+
+       case MBEDTLS_SSL_CLIENT_FINISHED:
+           ret = mbedtls_ssl_write_finished( ssl );
+           break;
+
+       /*
+        *  <==   ( NewSessionTicket )
+        *        ChangeCipherSpec
+        *        Finished
+        */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+       case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
+           ret = ssl_parse_new_session_ticket( ssl );
+           break;
+#endif
+
+       case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
+           ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
+           break;
+
+       case MBEDTLS_SSL_SERVER_FINISHED:
+           ret = mbedtls_ssl_parse_finished( ssl );
+           break;
+
+       case MBEDTLS_SSL_FLUSH_BUFFERS:
+           MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
+           ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+           break;
+
+       case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+           mbedtls_ssl_handshake_wrapup( ssl );
+           break;
+
+       default:
+           MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
+           return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+   }
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_CLI_C */
diff --git a/third-party/mbedtls-3.6/library/ssl_cookie.c b/third-party/mbedtls-3.6/library/ssl_cookie.c
new file mode 100644
index 00000000..a777a93f
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ssl_cookie.c
@@ -0,0 +1,283 @@
+/*
+ *  DTLS cookie callbacks implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ * These session callbacks use a simple chained list
+ * to store and retrieve the session information.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_COOKIE_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl_cookie.h"
+#include "mbedtls/ssl_internal.h"
+
+#include <string.h>
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
+ * available. Try SHA-256 first, 512 wastes resources since we need to stay
+ * with max 32 bytes of cookie for DTLS 1.0
+ */
+#if defined(MBEDTLS_SHA256_C)
+#define COOKIE_MD           MBEDTLS_MD_SHA224
+#define COOKIE_MD_OUTLEN    32
+#define COOKIE_HMAC_LEN     28
+#elif defined(MBEDTLS_SHA512_C)
+#define COOKIE_MD           MBEDTLS_MD_SHA384
+#define COOKIE_MD_OUTLEN    48
+#define COOKIE_HMAC_LEN     28
+#elif defined(MBEDTLS_SHA1_C)
+#define COOKIE_MD           MBEDTLS_MD_SHA1
+#define COOKIE_MD_OUTLEN    20
+#define COOKIE_HMAC_LEN     20
+#else
+#error "DTLS hello verify needs SHA-1 or SHA-2"
+#endif
+
+/*
+ * Cookies are formed of a 4-bytes timestamp (or serial number) and
+ * an HMAC of timestemp and client ID.
+ */
+#define COOKIE_LEN      ( 4 + COOKIE_HMAC_LEN )
+
+void mbedtls_ssl_cookie_init( mbedtls_ssl_cookie_ctx *ctx )
+{
+    mbedtls_md_init( &ctx->hmac_ctx );
+#if !defined(MBEDTLS_HAVE_TIME)
+    ctx->serial = 0;
+#endif
+    ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+void mbedtls_ssl_cookie_set_timeout( mbedtls_ssl_cookie_ctx *ctx, unsigned long delay )
+{
+    ctx->timeout = delay;
+}
+
+void mbedtls_ssl_cookie_free( mbedtls_ssl_cookie_ctx *ctx )
+{
+    mbedtls_md_free( &ctx->hmac_ctx );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_ssl_cookie_ctx ) );
+}
+
+int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng )
+{
+    int ret;
+    unsigned char key[COOKIE_MD_OUTLEN];
+
+    if( ( ret = f_rng( p_rng, key, sizeof( key ) ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_md_setup( &ctx->hmac_ctx, mbedtls_md_info_from_type( COOKIE_MD ), 1 );
+    if( ret != 0 )
+        return( ret );
+
+    ret = mbedtls_md_hmac_starts( &ctx->hmac_ctx, key, sizeof( key ) );
+    if( ret != 0 )
+        return( ret );
+
+    mbedtls_zeroize( key, sizeof( key ) );
+
+    return( 0 );
+}
+
+/*
+ * Generate the HMAC part of a cookie
+ */
+static int ssl_cookie_hmac( mbedtls_md_context_t *hmac_ctx,
+                            const unsigned char time[4],
+                            unsigned char **p, unsigned char *end,
+                            const unsigned char *cli_id, size_t cli_id_len )
+{
+    unsigned char hmac_out[COOKIE_MD_OUTLEN];
+
+    MBEDTLS_SSL_CHK_BUF_PTR( *p, end, COOKIE_HMAC_LEN );
+
+    if( mbedtls_md_hmac_reset(  hmac_ctx ) != 0 ||
+        mbedtls_md_hmac_update( hmac_ctx, time, 4 ) != 0 ||
+        mbedtls_md_hmac_update( hmac_ctx, cli_id, cli_id_len ) != 0 ||
+        mbedtls_md_hmac_finish( hmac_ctx, hmac_out ) != 0 )
+    {
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    memcpy( *p, hmac_out, COOKIE_HMAC_LEN );
+    *p += COOKIE_HMAC_LEN;
+
+    return( 0 );
+}
+
+/*
+ * Generate cookie for DTLS ClientHello verification
+ */
+int mbedtls_ssl_cookie_write( void *p_ctx,
+                      unsigned char **p, unsigned char *end,
+                      const unsigned char *cli_id, size_t cli_id_len )
+{
+    int ret;
+    mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
+    unsigned long t;
+
+    if( ctx == NULL || cli_id == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_CHK_BUF_PTR( *p, end, COOKIE_LEN );
+
+#if defined(MBEDTLS_HAVE_TIME)
+    t = (unsigned long) mbedtls_time( NULL );
+#else
+    t = ctx->serial++;
+#endif
+
+    (*p)[0] = (unsigned char)( t >> 24 );
+    (*p)[1] = (unsigned char)( t >> 16 );
+    (*p)[2] = (unsigned char)( t >>  8 );
+    (*p)[3] = (unsigned char)( t       );
+    *p += 4;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret );
+#endif
+
+    ret = ssl_cookie_hmac( &ctx->hmac_ctx, *p - 4,
+                           p, end, cli_id, cli_id_len );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR +
+                MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Check a cookie
+ */
+int mbedtls_ssl_cookie_check( void *p_ctx,
+                      const unsigned char *cookie, size_t cookie_len,
+                      const unsigned char *cli_id, size_t cli_id_len )
+{
+    unsigned char ref_hmac[COOKIE_HMAC_LEN];
+    int ret = 0;
+    unsigned char *p = ref_hmac;
+    mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
+    unsigned long cur_time, cookie_time;
+
+    if( ctx == NULL || cli_id == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( cookie_len != COOKIE_LEN )
+        return( -1 );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret );
+#endif
+
+    if( ssl_cookie_hmac( &ctx->hmac_ctx, cookie,
+                         &p, p + sizeof( ref_hmac ),
+                         cli_id, cli_id_len ) != 0 )
+        ret = -1;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR +
+                MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    if( ret != 0 )
+        return( ret );
+
+    if( mbedtls_ssl_safer_memcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 )
+        return( -1 );
+
+#if defined(MBEDTLS_HAVE_TIME)
+    cur_time = (unsigned long) mbedtls_time( NULL );
+#else
+    cur_time = ctx->serial;
+#endif
+
+    cookie_time = ( (unsigned long) cookie[0] << 24 ) |
+                  ( (unsigned long) cookie[1] << 16 ) |
+                  ( (unsigned long) cookie[2] <<  8 ) |
+                  ( (unsigned long) cookie[3]       );
+
+    if( ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout )
+        return( -1 );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_COOKIE_C */
diff --git a/third-party/mbedtls-3.6/library/ssl_srv.c b/third-party/mbedtls-3.6/library/ssl_srv.c
new file mode 100644
index 00000000..c3e89486
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ssl_srv.c
@@ -0,0 +1,4160 @@
+/*
+ *  SSLv3/TLSv1 server-side functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
+                                 const unsigned char *info,
+                                 size_t ilen )
+{
+    if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    mbedtls_free( ssl->cli_id );
+
+    if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+    memcpy( ssl->cli_id, info, ilen );
+    ssl->cli_id_len = ilen;
+
+    return( 0 );
+}
+
+void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
+                           mbedtls_ssl_cookie_write_t *f_cookie_write,
+                           mbedtls_ssl_cookie_check_t *f_cookie_check,
+                           void *p_cookie )
+{
+    conf->f_cookie_write = f_cookie_write;
+    conf->f_cookie_check = f_cookie_check;
+    conf->p_cookie       = p_cookie;
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
+                                     const unsigned char *buf,
+                                     size_t len )
+{
+    int ret;
+    size_t servername_list_size, hostname_len;
+    const unsigned char *p;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
+
+    if( len < 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+    servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
+    if( servername_list_size + 2 != len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    p = buf + 2;
+    while( servername_list_size > 2 )
+    {
+        hostname_len = ( ( p[1] << 8 ) | p[2] );
+        if( hostname_len + 3 > servername_list_size )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
+        {
+            ret = ssl->conf->f_sni( ssl->conf->p_sni,
+                                    ssl, p + 3, hostname_len );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                        MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+            return( 0 );
+        }
+
+        servername_list_size -= hostname_len + 3;
+        p += hostname_len + 3;
+    }
+
+    if( servername_list_size != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        /* Check verify-data in constant-time. The length OTOH is no secret */
+        if( len    != 1 + ssl->verify_data_len ||
+            buf[0] !=     ssl->verify_data_len ||
+            mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
+                          ssl->verify_data_len ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+    {
+        if( len != 1 || buf[0] != 0x0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+    }
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/*
+ * Status of the implementation of signature-algorithms extension:
+ *
+ * Currently, we are only considering the signature-algorithm extension
+ * to pick a ciphersuite which allows us to send the ServerKeyExchange
+ * message with a signature-hash combination that the user allows.
+ *
+ * We do *not* check whether all certificates in our certificate
+ * chain are signed with an allowed signature-hash pair.
+ * This needs to be done at a later stage.
+ *
+ */
+static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
+                                               const unsigned char *buf,
+                                               size_t len )
+{
+    size_t sig_alg_list_size;
+
+    const unsigned char *p;
+    const unsigned char *end = buf + len;
+
+    mbedtls_md_type_t md_cur;
+    mbedtls_pk_type_t sig_cur;
+
+    if ( len < 2 ) {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+    sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
+    if( sig_alg_list_size + 2 != len ||
+        sig_alg_list_size % 2 != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /* Currently we only guarantee signing the ServerKeyExchange message according
+     * to the constraints specified in this extension (see above), so it suffices
+     * to remember only one suitable hash for each possible signature algorithm.
+     *
+     * This will change when we also consider certificate signatures,
+     * in which case we will need to remember the whole signature-hash
+     * pair list from the extension.
+     */
+
+    for( p = buf + 2; p < end; p += 2 )
+    {
+        /* Silently ignore unknown signature or hash algorithms. */
+
+        if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
+                                        " unknown sig alg encoding %d", p[1] ) );
+            continue;
+        }
+
+        /* Check if we support the hash the user proposes */
+        md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
+        if( md_cur == MBEDTLS_MD_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
+                                        " unknown hash alg encoding %d", p[0] ) );
+            continue;
+        }
+
+        if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
+        {
+            mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
+                                        " match sig %d and hash %d",
+                                        sig_cur, md_cur ) );
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
+                                        "hash alg %d not supported", md_cur ) );
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
+                                                const unsigned char *buf,
+                                                size_t len )
+{
+    size_t list_size, our_size;
+    const unsigned char *p;
+    const mbedtls_ecp_curve_info *curve_info, **curves;
+
+    if ( len < 2 ) {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+    list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
+    if( list_size + 2 != len ||
+        list_size % 2 != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /* Should never happen unless client duplicates the extension */
+    if( ssl->handshake->curves != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /* Don't allow our peer to make us allocate too much memory,
+     * and leave room for a final 0 */
+    our_size = list_size / 2 + 1;
+    if( our_size > MBEDTLS_ECP_DP_MAX )
+        our_size = MBEDTLS_ECP_DP_MAX;
+
+    if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    ssl->handshake->curves = curves;
+
+    p = buf + 2;
+    while( list_size > 0 && our_size > 1 )
+    {
+        curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
+
+        if( curve_info != NULL )
+        {
+            *curves++ = curve_info;
+            our_size--;
+        }
+
+        list_size -= 2;
+        p += 2;
+    }
+
+    return( 0 );
+}
+
+static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
+                                              const unsigned char *buf,
+                                              size_t len )
+{
+    size_t list_size;
+    const unsigned char *p;
+
+    if( len == 0 || (size_t)( buf[0] + 1 ) != len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+    list_size = buf[0];
+
+    p = buf + 1;
+    while( list_size > 0 )
+    {
+        if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+            p[0] == MBEDTLS_ECP_PF_COMPRESSED )
+        {
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+            ssl->handshake->ecdh_ctx.point_format = p[0];
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            ssl->handshake->ecjpake_ctx.point_format = p[0];
+#endif
+            MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
+            return( 0 );
+        }
+
+        list_size--;
+        p++;
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
+                                   const unsigned char *buf,
+                                   size_t len )
+{
+    int ret;
+
+    if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
+        return( 0 );
+    }
+
+    if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
+                                                buf, len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( ret );
+    }
+
+    /* Only mark the extension as OK when we're sure it is */
+    ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+                                              const unsigned char *buf,
+                                              size_t len )
+{
+    if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ssl->session_negotiate->mfl_code = buf[0];
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ((void) buf);
+
+    if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
+        ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+                                      const unsigned char *buf,
+                                      size_t len )
+{
+    if( len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ((void) buf);
+
+    if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
+        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
+                                      const unsigned char *buf,
+                                      size_t len )
+{
+    if( len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ((void) buf);
+
+    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
+                                         unsigned char *buf,
+                                         size_t len )
+{
+    int ret;
+    mbedtls_ssl_session session;
+
+    mbedtls_ssl_session_init( &session );
+
+    if( ssl->conf->f_ticket_parse == NULL ||
+        ssl->conf->f_ticket_write == NULL )
+    {
+        return( 0 );
+    }
+
+    /* Remember the client asked us to send a new ticket */
+    ssl->handshake->new_session_ticket = 1;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
+
+    if( len == 0 )
+        return( 0 );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    /*
+     * Failures are ok: just ignore the ticket and proceed.
+     */
+    if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
+                                           buf, len ) ) != 0 )
+    {
+        mbedtls_ssl_session_free( &session );
+
+        if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
+        else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
+        else
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
+
+        return( 0 );
+    }
+
+    /*
+     * Keep the session ID sent by the client, since we MUST send it back to
+     * inform them we're accepting the ticket  (RFC 5077 section 3.4)
+     */
+    session.id_len = ssl->session_negotiate->id_len;
+    memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
+
+    mbedtls_ssl_session_free( ssl->session_negotiate );
+    memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
+
+    /* Zeroize instead of free as we copied the content */
+    mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
+
+    ssl->handshake->resume = 1;
+
+    /* Don't send a new ticket after all, this one is OK */
+    ssl->handshake->new_session_ticket = 0;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
+                               const unsigned char *buf, size_t len )
+{
+    size_t list_len, cur_len, ours_len;
+    const unsigned char *theirs, *start, *end;
+    const char **ours;
+
+    /* If ALPN not configured, just ignore the extension */
+    if( ssl->conf->alpn_list == NULL )
+        return( 0 );
+
+    /*
+     * opaque ProtocolName<1..2^8-1>;
+     *
+     * struct {
+     *     ProtocolName protocol_name_list<2..2^16-1>
+     * } ProtocolNameList;
+     */
+
+    /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
+    if( len < 4 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    list_len = ( buf[0] << 8 ) | buf[1];
+    if( list_len != len - 2 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /*
+     * Validate peer's list (lengths)
+     */
+    start = buf + 2;
+    end = buf + len;
+    for( theirs = start; theirs != end; theirs += cur_len )
+    {
+        cur_len = *theirs++;
+
+        /* Current identifier must fit in list */
+        if( cur_len > (size_t)( end - theirs ) )
+        {
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        /* Empty strings MUST NOT be included */
+        if( cur_len == 0 )
+        {
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+    }
+
+    /*
+     * Use our order of preference
+     */
+    for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
+    {
+        ours_len = strlen( *ours );
+        for( theirs = start; theirs != end; theirs += cur_len )
+        {
+            cur_len = *theirs++;
+
+            if( cur_len == ours_len &&
+                memcmp( theirs, *ours, cur_len ) == 0 )
+            {
+                ssl->alpn_chosen = *ours;
+                return( 0 );
+            }
+        }
+    }
+
+    /* If we get there, no match was found */
+    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                            MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
+    return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+/*
+ * Auxiliary functions for ServerHello parsing and related actions
+ */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/*
+ * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
+ */
+#if defined(MBEDTLS_ECDSA_C)
+static int ssl_check_key_curve( mbedtls_pk_context *pk,
+                                const mbedtls_ecp_curve_info **curves )
+{
+    const mbedtls_ecp_curve_info **crv = curves;
+    mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
+
+    while( *crv != NULL )
+    {
+        if( (*crv)->grp_id == grp_id )
+            return( 0 );
+        crv++;
+    }
+
+    return( -1 );
+}
+#endif /* MBEDTLS_ECDSA_C */
+
+/*
+ * Try picking a certificate for this ciphersuite,
+ * return 0 on success and -1 on failure.
+ */
+static int ssl_pick_cert( mbedtls_ssl_context *ssl,
+                          const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
+{
+    mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
+    mbedtls_pk_type_t pk_alg =
+        mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+    uint32_t flags;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    if( ssl->handshake->sni_key_cert != NULL )
+        list = ssl->handshake->sni_key_cert;
+    else
+#endif
+        list = ssl->conf->key_cert;
+
+    if( pk_alg == MBEDTLS_PK_NONE )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
+
+    if( list == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
+        return( -1 );
+    }
+
+    for( cur = list; cur != NULL; cur = cur->next )
+    {
+        MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
+                          cur->cert );
+
+        if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
+            continue;
+        }
+
+        /*
+         * This avoids sending the client a cert it'll reject based on
+         * keyUsage or other extensions.
+         *
+         * It also allows the user to provision different certificates for
+         * different uses based on keyUsage, eg if they want to avoid signing
+         * and decrypting with the same RSA key.
+         */
+        if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
+                                  MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
+                                "(extended) key usage extension" ) );
+            continue;
+        }
+
+#if defined(MBEDTLS_ECDSA_C)
+        if( pk_alg == MBEDTLS_PK_ECDSA &&
+            ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
+            continue;
+        }
+#endif
+
+        /*
+         * Try to select a SHA-1 certificate for pre-1.2 clients, but still
+         * present them a SHA-higher cert rather than failing if it's the only
+         * one we got that satisfies the other conditions.
+         */
+        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
+            cur->cert->sig_md != MBEDTLS_MD_SHA1 )
+        {
+            if( fallback == NULL )
+                fallback = cur;
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
+                                    "sha-2 with pre-TLS 1.2 client" ) );
+            continue;
+            }
+        }
+
+        /* If we get there, we got a winner */
+        break;
+    }
+
+    if( cur == NULL )
+        cur = fallback;
+
+    /* Do not update ssl->handshake->key_cert unless there is a match */
+    if( cur != NULL )
+    {
+        ssl->handshake->key_cert = cur;
+        MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
+                          ssl->handshake->key_cert->cert );
+        return( 0 );
+    }
+
+    return( -1 );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/*
+ * Check if a given ciphersuite is suitable for use with our config/keys/etc
+ * Sets ciphersuite_info only if the suite matches.
+ */
+static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
+                                  const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
+{
+    const mbedtls_ssl_ciphersuite_t *suite_info;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    mbedtls_pk_type_t sig_type;
+#endif
+
+    suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
+    if( suite_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
+
+    if( suite_info->min_minor_ver > ssl->minor_ver ||
+        suite_info->max_minor_ver < ssl->minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
+        return( 0 );
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+    if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
+            suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+        ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
+                                    "not configured or ext missing" ) );
+        return( 0 );
+    }
+#endif
+
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+    if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
+        ( ssl->handshake->curves == NULL ||
+          ssl->handshake->curves[0] == NULL ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
+                            "no common elliptic curve" ) );
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    /* If the ciphersuite requires a pre-shared key and we don't
+     * have one, skip it now rather than failing later */
+    if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
+        ssl->conf->f_psk == NULL &&
+        ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
+          ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    /* If the ciphersuite requires signing, check whether
+     * a suitable hash algorithm is present. */
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
+        if( sig_type != MBEDTLS_PK_NONE &&
+            mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
+                                        "for signature algorithm %d", sig_type ) );
+            return( 0 );
+        }
+    }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /*
+     * Final check: if ciphersuite requires us to have a
+     * certificate/key of a particular type:
+     * - select the appropriate certificate if we have one, or
+     * - try the next ciphersuite if we don't
+     * This must be done last since we modify the key_cert list.
+     */
+    if( ssl_pick_cert( ssl, suite_info ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
+                            "no suitable certificate" ) );
+        return( 0 );
+    }
+#endif
+
+    *ciphersuite_info = suite_info;
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
+{
+    int ret, got_common_suite;
+    unsigned int i, j;
+    size_t n;
+    unsigned int ciph_len, sess_len, chal_len;
+    unsigned char *buf, *p;
+    const int *ciphersuites;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    buf = ssl->in_hdr;
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
+                   buf[2] ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
+                   ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
+                   buf[3], buf[4] ) );
+
+    /*
+     * SSLv2 Client Hello
+     *
+     * Record layer:
+     *     0  .   1   message length
+     *
+     * SSL layer:
+     *     2  .   2   message type
+     *     3  .   4   protocol version
+     */
+    if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
+        buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
+
+    if( n < 17 || n > 512 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+    ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
+                     ? buf[4]  : ssl->conf->max_minor_ver;
+
+    if( ssl->minor_ver < ssl->conf->min_minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
+                            " [%d:%d] < [%d:%d]",
+                            ssl->major_ver, ssl->minor_ver,
+                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
+    ssl->handshake->max_major_ver = buf[3];
+    ssl->handshake->max_minor_ver = buf[4];
+
+    if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+        return( ret );
+    }
+
+    ssl->handshake->update_checksum( ssl, buf + 2, n );
+
+    buf = ssl->in_msg;
+    n = ssl->in_left - 5;
+
+    /*
+     *    0  .   1   ciphersuitelist length
+     *    2  .   3   session id length
+     *    4  .   5   challenge length
+     *    6  .  ..   ciphersuitelist
+     *   ..  .  ..   session id
+     *   ..  .  ..   challenge
+     */
+    MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
+
+    ciph_len = ( buf[0] << 8 ) | buf[1];
+    sess_len = ( buf[2] << 8 ) | buf[3];
+    chal_len = ( buf[4] << 8 ) | buf[5];
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
+                   ciph_len, sess_len, chal_len ) );
+
+    /*
+     * Make sure each parameter length is valid
+     */
+    if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    if( sess_len > 32 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    if( chal_len < 8 || chal_len > 32 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    if( n != 6 + ciph_len + sess_len + chal_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
+                   buf + 6, ciph_len );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
+                   buf + 6 + ciph_len, sess_len );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
+                   buf + 6 + ciph_len + sess_len, chal_len );
+
+    p = buf + 6 + ciph_len;
+    ssl->session_negotiate->id_len = sess_len;
+    memset( ssl->session_negotiate->id, 0,
+            sizeof( ssl->session_negotiate->id ) );
+    memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
+
+    p += sess_len;
+    memset( ssl->handshake->randbytes, 0, 64 );
+    memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
+
+    /*
+     * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+    for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
+    {
+        if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
+                                    "during renegotiation" ) );
+
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+            ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+            break;
+        }
+    }
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
+    {
+        if( p[0] == 0 &&
+            p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
+            p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
+
+            if( ssl->minor_ver < ssl->conf->max_minor_ver )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
+
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
+
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            break;
+        }
+    }
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+
+    got_common_suite = 0;
+    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
+    ciphersuite_info = NULL;
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
+        for( i = 0; ciphersuites[i] != 0; i++ )
+#else
+    for( i = 0; ciphersuites[i] != 0; i++ )
+        for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
+#endif
+        {
+            if( p[0] != 0 ||
+                p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
+                p[2] != ( ( ciphersuites[i]      ) & 0xFF ) )
+                continue;
+
+            got_common_suite = 1;
+
+            if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
+                                               &ciphersuite_info ) ) != 0 )
+                return( ret );
+
+            if( ciphersuite_info != NULL )
+                goto have_ciphersuite_v2;
+        }
+
+    if( got_common_suite )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
+                            "but none of them usable" ) );
+        return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
+        return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
+    }
+
+have_ciphersuite_v2:
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
+
+    ssl->session_negotiate->ciphersuite = ciphersuites[i];
+    ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
+
+    /*
+     * SSLv2 Client Hello relevant renegotiation security checks
+     */
+    if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+        ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ssl->in_left = 0;
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
+
+/* This function doesn't alert on errors that happen early during
+   ClientHello parsing because they might indicate that the client is
+   not talking SSL/TLS at all and would not understand our alert. */
+static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
+{
+    int ret, got_common_suite;
+    size_t i, j;
+    size_t ciph_offset, comp_offset, ext_offset;
+    size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    size_t cookie_offset, cookie_len;
+#endif
+    unsigned char *buf, *p, *ext;
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renegotiation_info_seen = 0;
+#endif
+    int handshake_failure = 0;
+    const int *ciphersuites;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+    int major, minor;
+
+    /* If there is no signature-algorithm extension present,
+     * we need to fall back to the default values for allowed
+     * signature-hash pairs. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    int sig_hash_alg_ext_present = 0;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+read_record_header:
+#endif
+    /*
+     * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
+     * otherwise read it ourselves manually in order to support SSLv2
+     * ClientHello, which doesn't use the same record layer format.
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
+        {
+            /* No alert on a read error. */
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+            return( ret );
+        }
+    }
+
+    buf = ssl->in_hdr;
+
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
+#endif
+        if( ( buf[0] & 0x80 ) != 0 )
+            return( ssl_parse_client_hello_v2( ssl ) );
+#endif
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
+
+    /*
+     * SSLv3/TLS Client Hello
+     *
+     * Record layer:
+     *     0  .   0   message type
+     *     1  .   2   protocol version
+     *     3  .   11  DTLS: epoch + record sequence number
+     *     3  .   4   message length
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
+                   buf[0] ) );
+
+    if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
+                   ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
+                   buf[1], buf[2] ) );
+
+    mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
+
+    /* According to RFC 5246 Appendix E.1, the version here is typically
+     * "{03,00}, the lowest version number supported by the client, [or] the
+     * value of ClientHello.client_version", so the only meaningful check here
+     * is the major version shouldn't be less than 3 */
+    if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /* For DTLS if this is the initial handshake, remember the client sequence
+     * number to use it in our next message (RFC 6347 4.2.1) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
+#endif
+        )
+    {
+        /* Epoch should be 0 for initial handshakes */
+        if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 );
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+        if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
+            ssl->next_record_offset = 0;
+            ssl->in_left = 0;
+            goto read_record_header;
+        }
+
+        /* No MAC to check yet, so we can update right now */
+        mbedtls_ssl_dtls_replay_update( ssl );
+#endif
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        /* Set by mbedtls_ssl_read_record() */
+        msg_len = ssl->in_hslen;
+    }
+    else
+#endif
+    {
+        if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        if( ( ret = mbedtls_ssl_fetch_input( ssl,
+                       mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+            return( ret );
+        }
+
+    /* Done reading this record, get ready for the next one */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+            ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
+        else
+#endif
+            ssl->in_left = 0;
+    }
+
+    buf = ssl->in_msg;
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
+
+    ssl->handshake->update_checksum( ssl, buf, msg_len );
+
+    /*
+     * Handshake layer:
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   5   DTLS only: message seqence number
+     *     6  .   8   DTLS only: fragment offset
+     *     9  .  11   DTLS only: fragment length
+     */
+    if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
+
+    if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
+                   ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
+
+    /* We don't support fragmentation of ClientHello (yet?) */
+    if( buf[1] != 0 ||
+        msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        /*
+         * Copy the client's handshake message_seq on initial handshakes,
+         * check sequence number on renego.
+         */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+        {
+            /* This couldn't be done in ssl_prepare_handshake_record() */
+            unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
+                                         ssl->in_msg[5];
+
+            if( cli_msg_seq != ssl->handshake->in_msg_seq )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
+                                    "%d (expected %d)", cli_msg_seq,
+                                    ssl->handshake->in_msg_seq ) );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            ssl->handshake->in_msg_seq++;
+        }
+        else
+#endif
+        {
+            unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
+                                         ssl->in_msg[5];
+            ssl->handshake->out_msg_seq = cli_msg_seq;
+            ssl->handshake->in_msg_seq  = cli_msg_seq + 1;
+        }
+
+        /*
+         * For now we don't support fragmentation, so make sure
+         * fragment_offset == 0 and fragment_length == length
+         */
+        if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
+            memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
+            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    buf += mbedtls_ssl_hs_hdr_len( ssl );
+    msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
+
+    /*
+     * ClientHello layer:
+     *     0  .   1   protocol version
+     *     2  .  33   random bytes (starting with 4 bytes of Unix time)
+     *    34  .  35   session id length (1 byte)
+     *    35  . 34+x  session id
+     *   35+x . 35+x  DTLS only: cookie length (1 byte)
+     *   36+x .  ..   DTLS only: cookie
+     *    ..  .  ..   ciphersuite list length (2 bytes)
+     *    ..  .  ..   ciphersuite list
+     *    ..  .  ..   compression alg. list length (1 byte)
+     *    ..  .  ..   compression alg. list
+     *    ..  .  ..   extensions length (2 bytes, optional)
+     *    ..  .  ..   extensions (optional)
+     */
+
+    /*
+     * Minimal length (with everything empty and extensions omitted) is
+     * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
+     * read at least up to session id length without worrying.
+     */
+    if( msg_len < 38 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /*
+     * Check and save the protocol version
+     */
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
+
+    mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
+                      ssl->conf->transport, buf );
+
+    ssl->handshake->max_major_ver = ssl->major_ver;
+    ssl->handshake->max_minor_ver = ssl->minor_ver;
+
+    if( ssl->major_ver < ssl->conf->min_major_ver ||
+        ssl->minor_ver < ssl->conf->min_minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
+                            " [%d:%d] < [%d:%d]",
+                            ssl->major_ver, ssl->minor_ver,
+                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
+    if( ssl->major_ver > ssl->conf->max_major_ver )
+    {
+        ssl->major_ver = ssl->conf->max_major_ver;
+        ssl->minor_ver = ssl->conf->max_minor_ver;
+    }
+    else if( ssl->minor_ver > ssl->conf->max_minor_ver )
+        ssl->minor_ver = ssl->conf->max_minor_ver;
+
+    /*
+     * Save client random (inc. Unix time)
+     */
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
+
+    memcpy( ssl->handshake->randbytes, buf + 2, 32 );
+
+    /*
+     * Check the session ID length and save session ID
+     */
+    sess_len = buf[34];
+
+    if( sess_len > sizeof( ssl->session_negotiate->id ) ||
+        sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
+
+    ssl->session_negotiate->id_len = sess_len;
+    memset( ssl->session_negotiate->id, 0,
+            sizeof( ssl->session_negotiate->id ) );
+    memcpy( ssl->session_negotiate->id, buf + 35,
+            ssl->session_negotiate->id_len );
+
+    /*
+     * Check the cookie length and content
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        cookie_offset = 35 + sess_len;
+        cookie_len = buf[cookie_offset];
+
+        if( cookie_offset + 1 + cookie_len + 2 > msg_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
+                       buf + cookie_offset + 1, cookie_len );
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+        if( ssl->conf->f_cookie_check != NULL
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
+#endif
+            )
+        {
+            if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
+                                     buf + cookie_offset + 1, cookie_len,
+                                     ssl->cli_id, ssl->cli_id_len ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
+                ssl->handshake->verify_cookie_len = 1;
+            }
+            else
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
+                ssl->handshake->verify_cookie_len = 0;
+            }
+        }
+        else
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+        {
+            /* We know we didn't send a cookie, so it should be empty */
+            if( cookie_len != 0 )
+            {
+                /* This may be an attacker's probe, so don't send an alert */
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
+        }
+
+    /*
+     * Check the ciphersuitelist length (will be parsed later)
+     */
+        ciph_offset = cookie_offset + 1 + cookie_len;
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+        ciph_offset = 35 + sess_len;
+
+    ciph_len = ( buf[ciph_offset + 0] << 8 )
+             | ( buf[ciph_offset + 1]      );
+
+    if( ciph_len < 2 ||
+        ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
+        ( ciph_len % 2 ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
+                   buf + ciph_offset + 2,  ciph_len );
+
+    /*
+     * Check the compression algorithms length and pick one
+     */
+    comp_offset = ciph_offset + 2 + ciph_len;
+
+    comp_len = buf[comp_offset];
+
+    if( comp_len < 1 ||
+        comp_len > 16 ||
+        comp_len + comp_offset + 1 > msg_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
+                      buf + comp_offset + 1, comp_len );
+
+    ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    for( i = 0; i < comp_len; ++i )
+    {
+        if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
+        {
+            ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
+            break;
+        }
+    }
+#endif
+
+    /* See comments in ssl_write_client_hello() */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
+#endif
+
+    /* Do not parse the extensions if the protocol is SSLv3 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+    {
+#endif
+        /*
+         * Check the extension length
+         */
+        ext_offset = comp_offset + 1 + comp_len;
+        if( msg_len > ext_offset )
+        {
+            if( msg_len < ext_offset + 2 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            ext_len = ( buf[ext_offset + 0] << 8 )
+                    | ( buf[ext_offset + 1]      );
+
+            if( ( ext_len > 0 && ext_len < 4 ) ||
+                msg_len != ext_offset + 2 + ext_len )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+        }
+        else
+            ext_len = 0;
+
+        ext = buf + ext_offset + 2;
+        MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
+
+        while( ext_len != 0 )
+        {
+            unsigned int ext_id;
+            unsigned int ext_size;
+            if ( ext_len < 4 ) {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+            ext_id   = ( ( ext[0] <<  8 ) | ( ext[1] ) );
+            ext_size = ( ( ext[2] <<  8 ) | ( ext[3] ) );
+
+            if( ext_size + 4 > ext_len )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+            switch( ext_id )
+            {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+            case MBEDTLS_TLS_EXT_SERVERNAME:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
+                if( ssl->conf->f_sni == NULL )
+                    break;
+
+                ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+            case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+                renegotiation_info_seen = 1;
+#endif
+
+                ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+            case MBEDTLS_TLS_EXT_SIG_ALG:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
+
+                ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+
+                sig_hash_alg_ext_present = 1;
+                break;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
+
+                ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+
+            case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
+                ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
+
+                ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
+
+                ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+            case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
+
+                ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+            case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
+
+                ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+            case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
+
+                ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+            case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
+
+                ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+            case MBEDTLS_TLS_EXT_SESSION_TICKET:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
+
+                ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+            case MBEDTLS_TLS_EXT_ALPN:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
+
+                ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+            default:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
+                               ext_id ) );
+            }
+
+            ext_len -= 4 + ext_size;
+            ext += 4 + ext_size;
+
+            if( ext_len > 0 && ext_len < 4 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+        }
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
+    {
+        if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
+            p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
+
+            if( ssl->minor_ver < ssl->conf->max_minor_ver )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
+
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
+
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            break;
+        }
+    }
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+    /*
+     * Try to fall back to default hash SHA1 if the client
+     * hasn't provided any preferred signature-hash combinations.
+     */
+    if( sig_hash_alg_ext_present == 0 )
+    {
+        mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
+
+        if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
+            md_default = MBEDTLS_MD_NONE;
+
+        mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
+    }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+    /*
+     * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+    for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
+    {
+        if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
+                                            "during renegotiation" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+#endif
+            ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+            break;
+        }
+    }
+
+    /*
+     * Renegotiation security checks
+     */
+    if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+        ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
+        handshake_failure = 1;
+    }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+             renegotiation_info_seen == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
+        handshake_failure = 1;
+    }
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+             ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
+        handshake_failure = 1;
+    }
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+             renegotiation_info_seen == 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
+        handshake_failure = 1;
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    if( handshake_failure == 1 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /*
+     * Search for a matching ciphersuite
+     * (At the end because we need information from the EC-based extensions
+     * and certificate from the SNI callback triggered by the SNI extension.)
+     */
+    got_common_suite = 0;
+    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
+    ciphersuite_info = NULL;
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
+        for( i = 0; ciphersuites[i] != 0; i++ )
+#else
+    for( i = 0; ciphersuites[i] != 0; i++ )
+        for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
+#endif
+        {
+            if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
+                p[1] != ( ( ciphersuites[i]      ) & 0xFF ) )
+                continue;
+
+            got_common_suite = 1;
+
+            if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
+                                               &ciphersuite_info ) ) != 0 )
+                return( ret );
+
+            if( ciphersuite_info != NULL )
+                goto have_ciphersuite;
+        }
+
+    if( got_common_suite )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
+                            "but none of them usable" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
+    }
+
+have_ciphersuite:
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
+
+    ssl->session_negotiate->ciphersuite = ciphersuites[i];
+    ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_recv_flight_completed( ssl );
+#endif
+
+    /* Debugging-only output for testsuite */
+#if defined(MBEDTLS_DEBUG_C)                         && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)                && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
+        if( sig_alg != MBEDTLS_PK_NONE )
+        {
+            mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
+                                                                  sig_alg );
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
+                                        mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
+                                        "%d - should not happen", sig_alg ) );
+        }
+    }
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+                                          unsigned char *buf,
+                                          size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+                                            unsigned char *buf,
+                                            size_t *olen )
+{
+    unsigned char *p = buf;
+    const mbedtls_ssl_ciphersuite_t *suite = NULL;
+    const mbedtls_cipher_info_t *cipher = NULL;
+
+    if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    /*
+     * RFC 7366: "If a server receives an encrypt-then-MAC request extension
+     * from a client and then selects a stream or Authenticated Encryption
+     * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
+     * encrypt-then-MAC response extension back to the client."
+     */
+    if( ( suite = mbedtls_ssl_ciphersuite_from_id(
+                    ssl->session_negotiate->ciphersuite ) ) == NULL ||
+        ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
+        cipher->mode != MBEDTLS_MODE_CBC )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
+                                       unsigned char *buf,
+                                       size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
+                        "extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
+                                          unsigned char *buf,
+                                          size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->handshake->new_session_ticket == 0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
+                                         unsigned char *buf,
+                                         size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        *p++ = 0x00;
+        *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
+        *p++ = ssl->verify_data_len * 2 & 0xFF;
+
+        memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
+        p += ssl->verify_data_len;
+        memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
+        p += ssl->verify_data_len;
+    }
+    else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+    {
+        *p++ = 0x00;
+        *p++ = 0x01;
+        *p++ = 0x00;
+    }
+
+    *olen = p - buf;
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+                                               unsigned char *buf,
+                                               size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 1;
+
+    *p++ = ssl->session_negotiate->mfl_code;
+
+    *olen = 5;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
+                                                   unsigned char *buf,
+                                                   size_t *olen )
+{
+    unsigned char *p = buf;
+    ((void) ssl);
+
+    if( ( ssl->handshake->cli_exts &
+          MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 2;
+
+    *p++ = 1;
+    *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+    *olen = 6;
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
+                                        unsigned char *buf,
+                                        size_t *olen )
+{
+    int ret;
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    size_t kkpp_len;
+
+    *olen = 0;
+
+    /* Skip costly computation if not needed */
+    if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
+        MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
+
+    if( end - p < 4 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP      ) & 0xFF );
+
+    ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
+                                        p + 2, end - p - 2, &kkpp_len,
+                                        ssl->conf->f_rng, ssl->conf->p_rng );
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( kkpp_len      ) & 0xFF );
+
+    *olen = kkpp_len + 4;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN )
+static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
+                                unsigned char *buf, size_t *olen )
+{
+    if( ssl->alpn_chosen == NULL )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
+
+    /*
+     * 0 . 1    ext identifier
+     * 2 . 3    ext length
+     * 4 . 5    protocol list length
+     * 6 . 6    protocol name length
+     * 7 . 7+n  protocol name
+     */
+    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
+    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN      ) & 0xFF );
+
+    *olen = 7 + strlen( ssl->alpn_chosen );
+
+    buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
+    buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );
+
+    buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
+    buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );
+
+    buf[6] = (unsigned char)( ( ( *olen - 7 )      ) & 0xFF );
+
+    memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *p = ssl->out_msg + 4;
+    unsigned char *cookie_len_byte;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
+
+    /*
+     * struct {
+     *   ProtocolVersion server_version;
+     *   opaque cookie<0..2^8-1>;
+     * } HelloVerifyRequest;
+     */
+
+    /* The RFC is not clear on this point, but sending the actual negotiated
+     * version looks like the most interoperable thing to do. */
+    mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                       ssl->conf->transport, p );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
+    p += 2;
+
+    /* If we get here, f_cookie_check is not null */
+    if( ssl->conf->f_cookie_write == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /* Skip length byte until we know the length */
+    cookie_len_byte = p++;
+
+    if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
+                                     &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
+                                     ssl->cli_id, ssl->cli_id_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
+        return( ret );
+    }
+
+    *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
+
+    ssl->out_msglen  = p - ssl->out_msg;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
+
+    ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
+
+    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t;
+#endif
+    int ret;
+    size_t olen, ext_len = 0, n;
+    unsigned char *buf, *p;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->verify_cookie_len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
+
+        return( ssl_write_hello_verify_request( ssl ) );
+    }
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+    if( ssl->conf->f_rng == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
+        return( MBEDTLS_ERR_SSL_NO_RNG );
+    }
+
+    /*
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   5   protocol version
+     *     6  .   9   UNIX time()
+     *    10  .  37   random bytes
+     */
+    buf = ssl->out_msg;
+    p = buf + 4;
+
+    mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                       ssl->conf->transport, p );
+    p += 2;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
+                        buf[4], buf[5] ) );
+
+#if defined(MBEDTLS_HAVE_TIME)
+    t = mbedtls_time( NULL );
+    *p++ = (unsigned char)( t >> 24 );
+    *p++ = (unsigned char)( t >> 16 );
+    *p++ = (unsigned char)( t >>  8 );
+    *p++ = (unsigned char)( t       );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
+#else
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
+        return( ret );
+
+    p += 4;
+#endif /* MBEDTLS_HAVE_TIME */
+
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
+        return( ret );
+
+    p += 28;
+
+    memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
+
+    /*
+     * Resume is 0  by default, see ssl_handshake_init().
+     * It may be already set to 1 by ssl_parse_session_ticket_ext().
+     * If not, try looking up session ID in our cache.
+     */
+    if( ssl->handshake->resume == 0 &&
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
+#endif
+        ssl->session_negotiate->id_len != 0 &&
+        ssl->conf->f_get_cache != NULL &&
+        ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
+        ssl->handshake->resume = 1;
+    }
+
+    if( ssl->handshake->resume == 0 )
+    {
+        /*
+         * New session, create a new session id,
+         * unless we're about to issue a session ticket
+         */
+        ssl->state++;
+
+#if defined(MBEDTLS_HAVE_TIME)
+        ssl->session_negotiate->start = mbedtls_time( NULL );
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        if( ssl->handshake->new_session_ticket != 0 )
+        {
+            ssl->session_negotiate->id_len = n = 0;
+            memset( ssl->session_negotiate->id, 0, 32 );
+        }
+        else
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+        {
+            ssl->session_negotiate->id_len = n = 32;
+            if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
+                                    n ) ) != 0 )
+                return( ret );
+        }
+    }
+    else
+    {
+        /*
+         * Resuming a session
+         */
+        n = ssl->session_negotiate->id_len;
+        ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+        if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+            return( ret );
+        }
+    }
+
+    /*
+     *    38  .  38     session id length
+     *    39  . 38+n    session id
+     *   39+n . 40+n    chosen ciphersuite
+     *   41+n . 41+n    chosen compression alg.
+     *   42+n . 43+n    extensions length
+     *   44+n . 43+n+m  extensions
+     */
+    *p++ = (unsigned char) ssl->session_negotiate->id_len;
+    memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
+    p += ssl->session_negotiate->id_len;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
+                   ssl->handshake->resume ? "a" : "no" ) );
+
+    *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
+    *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite      );
+    *p++ = (unsigned char)( ssl->session_negotiate->compression      );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
+           mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
+                   ssl->session_negotiate->compression ) );
+
+    /* Do not write the extensions if the protocol is SSLv3 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+    {
+#endif
+
+    /*
+     *  First write extensions, then the total length
+     */
+    ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if ( mbedtls_ssl_ciphersuite_uses_ec(
+         mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
+    {
+        ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
+        ext_len += olen;
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+    ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
+
+    if( ext_len > 0 )
+    {
+        *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
+        *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
+        p += ext_len;
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    }
+#endif
+
+    ssl->out_msglen  = p - buf;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO;
+
+    ret = mbedtls_ssl_write_record( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
+    !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+#else
+static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+    size_t dn_size, total_dn_size; /* excluding length bytes */
+    size_t ct_len, sa_len; /* including length bytes */
+    unsigned char *buf, *p;
+    const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const mbedtls_x509_crt *crt;
+    int authmode;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
+        authmode = ssl->handshake->sni_authmode;
+    else
+#endif
+        authmode = ssl->conf->authmode;
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
+        authmode == MBEDTLS_SSL_VERIFY_NONE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
+        return( 0 );
+    }
+
+    /*
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   4   cert type count
+     *     5  .. m-1  cert types
+     *     m  .. m+1  sig alg length (TLS 1.2 only)
+     *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
+     *     n  .. n+1  length of all DNs
+     *    n+2 .. n+3  length of DN 1
+     *    n+4 .. ...  Distinguished Name #1
+     *    ... .. ...  length of DN 2, etc.
+     */
+    buf = ssl->out_msg;
+    p = buf + 4;
+
+    /*
+     * Supported certificate types
+     *
+     *     ClientCertificateType certificate_types<1..2^8-1>;
+     *     enum { (255) } ClientCertificateType;
+     */
+    ct_len = 0;
+
+#if defined(MBEDTLS_RSA_C)
+    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
+#endif
+
+    p[0] = (unsigned char) ct_len++;
+    p += ct_len;
+
+    sa_len = 0;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    /*
+     * Add signature_algorithms for verify (TLS 1.2)
+     *
+     *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
+     *
+     *     struct {
+     *           HashAlgorithm hash;
+     *           SignatureAlgorithm signature;
+     *     } SignatureAndHashAlgorithm;
+     *
+     *     enum { (255) } HashAlgorithm;
+     *     enum { (255) } SignatureAlgorithm;
+     */
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        const int *cur;
+
+        /*
+         * Supported signature algorithms
+         */
+        for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
+        {
+            unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
+
+            if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
+                continue;
+
+#if defined(MBEDTLS_RSA_C)
+            p[2 + sa_len++] = hash;
+            p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+            p[2 + sa_len++] = hash;
+            p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
+#endif
+        }
+
+        p[0] = (unsigned char)( sa_len >> 8 );
+        p[1] = (unsigned char)( sa_len      );
+        sa_len += 2;
+        p += sa_len;
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    /*
+     * DistinguishedName certificate_authorities<0..2^16-1>;
+     * opaque DistinguishedName<1..2^16-1>;
+     */
+    p += 2;
+
+    total_dn_size = 0;
+
+    if( ssl->conf->cert_req_ca_list ==  MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
+    {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+        if( ssl->handshake->sni_ca_chain != NULL )
+            crt = ssl->handshake->sni_ca_chain;
+        else
+#endif
+            crt = ssl->conf->ca_chain;
+
+        while( crt != NULL && crt->version != 0 )
+        {
+            dn_size = crt->subject_raw.len;
+
+            if( end < p ||
+                (size_t)( end - p ) < dn_size ||
+                (size_t)( end - p ) < 2 + dn_size )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
+                break;
+            }
+
+            *p++ = (unsigned char)( dn_size >> 8 );
+            *p++ = (unsigned char)( dn_size      );
+            memcpy( p, crt->subject_raw.p, dn_size );
+            p += dn_size;
+
+            MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
+
+            total_dn_size += 2 + dn_size;
+            crt = crt->next;
+        }
+    }
+
+    ssl->out_msglen  = p - buf;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
+    ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size  >> 8 );
+    ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size       );
+
+    ret = mbedtls_ssl_write_record( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
+        return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+    }
+
+    if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
+                                 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
+                                 MBEDTLS_ECDH_OURS ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t n = 0;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+                            ssl->transform_negotiate->ciphersuite_info;
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
+    unsigned char *p = ssl->out_msg + 4;
+    size_t len = 0;
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    unsigned char *dig_signed = p;
+    size_t dig_signed_len = 0;
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
+
+    /*
+     *
+     * Part 1: Extract static ECDH parameters and abort
+     *         if ServerKeyExchange not needed.
+     *
+     */
+
+    /* For suites involving ECDH, extract DH parameters
+     * from certificate at this point. */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
+    {
+        ssl_get_ecdh_params_from_cert( ssl );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
+
+    /* Key exchanges not involving ephemeral keys don't use
+     * ServerKeyExchange, so end here. */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+    if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
+        ssl->state++;
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */
+
+    /*
+     *
+     * Part 2: Provide key exchange parameters for chosen ciphersuite.
+     *
+     */
+
+    /*
+     * - ECJPAKE key exchanges
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+
+        ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
+                p, end - p, &len, ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
+            return( ret );
+        }
+
+        p += len;
+        n += len;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+    /*
+     * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
+     * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
+     * we use empty support identity hints here.
+     **/
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+    {
+        *(p++) = 0x00;
+        *(p++) = 0x00;
+
+        n += 2;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+    /*
+     * - DHE key exchanges
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
+    {
+        if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+        }
+
+        /*
+         * Ephemeral DH parameters:
+         *
+         * struct {
+         *     opaque dh_p<1..2^16-1>;
+         *     opaque dh_g<1..2^16-1>;
+         *     opaque dh_Ys<1..2^16-1>;
+         * } ServerDHParams;
+         */
+        if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx,
+                                           &ssl->conf->dhm_P,
+                                           &ssl->conf->dhm_G ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
+                        (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+                        p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
+            return( ret );
+        }
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+        dig_signed = p;
+        dig_signed_len = len;
+#endif
+
+        p += len;
+        n += len;
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
+
+    /*
+     * - ECDHE key exchanges
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
+    {
+        /*
+         * Ephemeral ECDH parameters:
+         *
+         * struct {
+         *     ECParameters curve_params;
+         *     ECPoint      public;
+         * } ServerECDHParams;
+         */
+        const mbedtls_ecp_curve_info **curve = NULL;
+        const mbedtls_ecp_group_id *gid;
+
+        /* Match our preference list against the offered curves */
+        for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
+            for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
+                if( (*curve)->grp_id == *gid )
+                    goto curve_matching_done;
+
+curve_matching_done:
+        if( curve == NULL || *curve == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
+            return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
+
+        if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp,
+                                       (*curve)->grp_id ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
+                                      p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
+                                      ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
+            return( ret );
+        }
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+        dig_signed     = p;
+        dig_signed_len = len;
+#endif
+
+        p += len;
+        n += len;
+
+        MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
+
+    /*
+     *
+     * Part 3: For key exchanges involving the server signing the
+     *         exchange parameters, compute and add the signature here.
+     *
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
+    {
+        size_t signature_len = 0;
+        unsigned int hashlen = 0;
+        unsigned char hash[64];
+
+        /*
+         * 3.1: Choose hash algorithm:
+         * A: For TLS 1.2, obey signature-hash-algorithm extension
+         *    to choose appropriate hash.
+         * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
+         *    (RFC 4492, Sec. 5.4)
+         * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
+         */
+
+        mbedtls_md_type_t md_alg;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        mbedtls_pk_type_t sig_alg =
+            mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+        {
+            /* A: For TLS 1.2, obey signature-hash-algorithm extension
+             *    (RFC 5246, Sec. 7.4.1.4.1). */
+            if( sig_alg == MBEDTLS_PK_NONE ||
+                ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
+                                                          sig_alg ) ) == MBEDTLS_MD_NONE )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                /* (... because we choose a cipher suite
+                 *      only if there is a matching hash.) */
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
+        {
+            /* B: Default hash SHA1 */
+            md_alg = MBEDTLS_MD_SHA1;
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+        {
+            /* C: MD5 + SHA1 */
+            md_alg = MBEDTLS_MD_NONE;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
+
+        /*
+         * 3.2: Compute the hash to be signed
+         */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if( md_alg == MBEDTLS_MD_NONE )
+        {
+            hashlen = 36;
+            ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash,
+                                                           dig_signed,
+                                                           dig_signed_len );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( md_alg != MBEDTLS_MD_NONE )
+        {
+            /* Info from md_alg will be used instead */
+            hashlen = 0;
+            ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash,
+                                                          dig_signed,
+                                                          dig_signed_len,
+                                                          md_alg );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
+            (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
+
+        /*
+         * 3.3: Compute and add the signature
+         */
+        if( mbedtls_ssl_own_key( ssl ) == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
+            return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+        {
+            /*
+             * For TLS 1.2, we need to specify signature and hash algorithm
+             * explicitly through a prefix to the signature.
+             *
+             * struct {
+             *    HashAlgorithm hash;
+             *    SignatureAlgorithm signature;
+             * } SignatureAndHashAlgorithm;
+             *
+             * struct {
+             *    SignatureAndHashAlgorithm algorithm;
+             *    opaque signature<0..2^16-1>;
+             * } DigitallySigned;
+             *
+             */
+
+            *(p++) = mbedtls_ssl_hash_from_md_alg( md_alg );
+            *(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg );
+
+            n += 2;
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+        if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
+                        p + 2 , &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
+            return( ret );
+        }
+
+        *(p++) = (unsigned char)( signature_len >> 8 );
+        *(p++) = (unsigned char)( signature_len      );
+        n += 2;
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
+
+        n += signature_len;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+    /* Done with actual work; add header and send. */
+
+    ssl->out_msglen  = 4 + n;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
+
+    return( 0 );
+}
+
+static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
+
+    ssl->out_msglen  = 4;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_send_flight_completed( ssl );
+#endif
+
+    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
+                                       const unsigned char *end )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t n;
+
+    /*
+     * Receive G^Y mod P, premaster = (G^Y)^X mod P
+     */
+    if( *p + 2 > end )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    n = ( (*p)[0] << 8 ) | (*p)[1];
+    *p += 2;
+
+    if( *p + n > end )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
+    }
+
+    *p += n;
+
+    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
+                                    const unsigned char *p,
+                                    const unsigned char *end,
+                                    size_t pms_offset )
+{
+    int ret;
+    size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
+    unsigned char *pms = ssl->handshake->premaster + pms_offset;
+    unsigned char ver[2];
+    unsigned char fake_pms[48], peer_pms[48];
+    unsigned char mask;
+    size_t i, peer_pmslen;
+    unsigned int diff;
+
+    if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
+        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+    }
+
+    /*
+     * Decrypt the premaster using own private RSA key
+     */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        if ( p + 2 > end ) {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+        if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
+            *p++ != ( ( len      ) & 0xFF ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+    }
+#endif
+
+    if( p + len != end )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
+                       ssl->handshake->max_minor_ver,
+                       ssl->conf->transport, ver );
+
+    /*
+     * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
+     * must not cause the connection to end immediately; instead, send a
+     * bad_record_mac later in the handshake.
+     * Also, avoid data-dependant branches here to protect against
+     * timing-based variants.
+     */
+    ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
+    if( ret != 0 )
+        return( ret );
+
+    /* In case of a failure in decryption, peer_pmslen may not have been
+     * initialized, and it is accessed later. The diff will be nonzero anyway,
+     * but it's better to avoid accessing uninitialized memory in any case.
+     */
+    peer_pmslen = 0;
+
+    ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
+                      peer_pms, &peer_pmslen,
+                      sizeof( peer_pms ),
+                      ssl->conf->f_rng, ssl->conf->p_rng );
+
+    diff  = (unsigned int) ret;
+    diff |= peer_pmslen ^ 48;
+    diff |= peer_pms[0] ^ ver[0];
+    diff |= peer_pms[1] ^ ver[1];
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    if( diff != 0 )
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+#endif
+
+    if( sizeof( ssl->handshake->premaster ) < pms_offset ||
+        sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+    ssl->handshake->pmslen = 48;
+
+    /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    for( i = 0; i < ssl->handshake->pmslen; i++ )
+        pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
+                                          const unsigned char *end )
+{
+    int ret = 0;
+    size_t n;
+
+    if( ssl->conf->f_psk == NULL &&
+        ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
+          ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
+        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+    }
+
+    /*
+     * Receive client pre-shared key identity name
+     */
+    if( end - *p < 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    n = ( (*p)[0] << 8 ) | (*p)[1];
+    *p += 2;
+
+    if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    if( ssl->conf->f_psk != NULL )
+    {
+        if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
+            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
+    }
+    else
+    {
+        /* Identity is not a big secret since clients send it in the clear,
+         * but treat it carefully anyway, just in case */
+        if( n != ssl->conf->psk_identity_len ||
+            mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
+        {
+            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
+        }
+    }
+
+    if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
+    {
+        MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
+        return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
+    }
+
+    *p += n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+    unsigned char *p, *end;
+
+    ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+    end = ssl->in_msg + ssl->in_hslen;
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
+    {
+        if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
+            return( ret );
+        }
+
+        if( p != end )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+
+        if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
+                                      ssl->handshake->premaster,
+                                      MBEDTLS_PREMASTER_SIZE,
+                                     &ssl->handshake->pmslen,
+                                      ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
+    {
+        if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
+                                      p, end - p) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
+
+        if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
+                                      &ssl->handshake->pmslen,
+                                       ssl->handshake->premaster,
+                                       MBEDTLS_MPI_MAX_SIZE,
+                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z  ", &ssl->handshake->ecdh_ctx.z );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
+    {
+        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
+            return( ret );
+        }
+
+        if( p != end )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+    {
+        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
+            return( ret );
+        }
+
+        if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+    {
+        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
+            return( ret );
+        }
+        if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
+            return( ret );
+        }
+
+        if( p != end )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+    {
+        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
+                                       p, end - p ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
+    {
+        if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
+                                              p, end - p );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+
+        ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
+                ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
+                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+        return( ret );
+    }
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
+    !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+#else
+static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t i, sig_len;
+    unsigned char hash[48];
+    unsigned char *hash_start = hash;
+    size_t hashlen;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    mbedtls_pk_type_t pk_alg;
+#endif
+    mbedtls_md_type_t md_alg;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
+        ssl->session_negotiate->peer_cert == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    /* Read the message without adding it to the checksum */
+    do {
+
+        if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
+            return( ret );
+        }
+
+        ret = mbedtls_ssl_handle_message_type( ssl );
+
+    } while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
+
+    if( 0 != ret )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
+        return( ret );
+    }
+
+    ssl->state++;
+
+    /* Process the message contents */
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
+        ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+    }
+
+    i = mbedtls_ssl_hs_hdr_len( ssl );
+
+    /*
+     *  struct {
+     *     SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
+     *     opaque signature<0..2^16-1>;
+     *  } DigitallySigned;
+     */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        md_alg = MBEDTLS_MD_NONE;
+        hashlen = 36;
+
+        /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
+        if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
+                        MBEDTLS_PK_ECDSA ) )
+        {
+            hash_start += 16;
+            hashlen -= 16;
+            md_alg = MBEDTLS_MD_SHA1;
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        if( i + 2 > ssl->in_hslen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
+        /*
+         * Hash
+         */
+        md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
+
+        if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
+                                " for verify message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
+#if !defined(MBEDTLS_MD_SHA1)
+        if( MBEDTLS_MD_SHA1 == md_alg )
+            hash_start += 16;
+#endif
+
+        /* Info from md_alg will be used instead */
+        hashlen = 0;
+
+        i++;
+
+        /*
+         * Signature
+         */
+        if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
+                        == MBEDTLS_PK_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
+                                " for verify message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
+        /*
+         * Check the certificate's key type matches the signature alg
+         */
+        if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
+        i++;
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    if( i + 2 > ssl->in_hslen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+    }
+
+    sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
+    i += 2;
+
+    if( i + sig_len != ssl->in_hslen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+    }
+
+    /* Calculate hash and verify signature */
+    ssl->handshake->calc_verify( ssl, hash );
+
+    if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
+                           md_alg, hash_start, hashlen,
+                           ssl->in_msg + i, sig_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
+        return( ret );
+    }
+
+    mbedtls_ssl_update_handshake_status( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t tlen;
+    uint32_t lifetime;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
+
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
+
+    /*
+     * struct {
+     *     uint32 ticket_lifetime_hint;
+     *     opaque ticket<0..2^16-1>;
+     * } NewSessionTicket;
+     *
+     * 4  .  7   ticket_lifetime_hint (0 = unspecified)
+     * 8  .  9   ticket_len (n)
+     * 10 .  9+n ticket content
+     */
+
+    if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
+                                ssl->session_negotiate,
+                                ssl->out_msg + 10,
+                                ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
+                                &tlen, &lifetime ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
+        tlen = 0;
+    }
+
+    ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
+    ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
+    ssl->out_msg[6] = ( lifetime >>  8 ) & 0xFF;
+    ssl->out_msg[7] = ( lifetime       ) & 0xFF;
+
+    ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
+    ssl->out_msg[9] = (unsigned char)( ( tlen      ) & 0xFF );
+
+    ssl->out_msglen = 10 + tlen;
+
+    /*
+     * Morally equivalent to updating ssl->state, but NewSessionTicket and
+     * ChangeCipherSpec share the same state.
+     */
+    ssl->handshake->new_session_ticket = 0;
+
+    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
+ * SSL handshake -- server side -- single step
+ */
+int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
+
+    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+            return( ret );
+    }
+#endif
+
+    switch( ssl->state )
+    {
+        case MBEDTLS_SSL_HELLO_REQUEST:
+            ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+            break;
+
+        /*
+         *  <==   ClientHello
+         */
+        case MBEDTLS_SSL_CLIENT_HELLO:
+            ret = ssl_parse_client_hello( ssl );
+            break;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
+            return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
+#endif
+
+        /*
+         *  ==>   ServerHello
+         *        Certificate
+         *      ( ServerKeyExchange  )
+         *      ( CertificateRequest )
+         *        ServerHelloDone
+         */
+        case MBEDTLS_SSL_SERVER_HELLO:
+            ret = ssl_write_server_hello( ssl );
+            break;
+
+        case MBEDTLS_SSL_SERVER_CERTIFICATE:
+            ret = mbedtls_ssl_write_certificate( ssl );
+            break;
+
+        case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
+            ret = ssl_write_server_key_exchange( ssl );
+            break;
+
+        case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+            ret = ssl_write_certificate_request( ssl );
+            break;
+
+        case MBEDTLS_SSL_SERVER_HELLO_DONE:
+            ret = ssl_write_server_hello_done( ssl );
+            break;
+
+        /*
+         *  <== ( Certificate/Alert  )
+         *        ClientKeyExchange
+         *      ( CertificateVerify  )
+         *        ChangeCipherSpec
+         *        Finished
+         */
+        case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+            ret = mbedtls_ssl_parse_certificate( ssl );
+            break;
+
+        case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
+            ret = ssl_parse_client_key_exchange( ssl );
+            break;
+
+        case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+            ret = ssl_parse_certificate_verify( ssl );
+            break;
+
+        case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
+            ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
+            break;
+
+        case MBEDTLS_SSL_CLIENT_FINISHED:
+            ret = mbedtls_ssl_parse_finished( ssl );
+            break;
+
+        /*
+         *  ==> ( NewSessionTicket )
+         *        ChangeCipherSpec
+         *        Finished
+         */
+        case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+            if( ssl->handshake->new_session_ticket != 0 )
+                ret = ssl_write_new_session_ticket( ssl );
+            else
+#endif
+                ret = mbedtls_ssl_write_change_cipher_spec( ssl );
+            break;
+
+        case MBEDTLS_SSL_SERVER_FINISHED:
+            ret = mbedtls_ssl_write_finished( ssl );
+            break;
+
+        case MBEDTLS_SSL_FLUSH_BUFFERS:
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+            break;
+
+        case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+            mbedtls_ssl_handshake_wrapup( ssl );
+            break;
+
+        default:
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_SRV_C */
diff --git a/third-party/mbedtls-3.6/library/ssl_ticket.c b/third-party/mbedtls-3.6/library/ssl_ticket.c
new file mode 100644
index 00000000..ad0f11f2
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ssl_ticket.c
@@ -0,0 +1,534 @@
+/*
+ *  TLS server tickets callbacks implementation
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_TICKET_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/ssl_ticket.h"
+
+#include <string.h>
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * Initialze context
+ */
+void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+#define MAX_KEY_BYTES 32    /* 256 bits */
+
+#define TICKET_KEY_NAME_BYTES    4
+#define TICKET_IV_BYTES         12
+#define TICKET_CRYPT_LEN_BYTES   2
+#define TICKET_AUTH_TAG_BYTES   16
+
+#define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES  +        \
+                         TICKET_IV_BYTES        +        \
+                         TICKET_CRYPT_LEN_BYTES +        \
+                         TICKET_AUTH_TAG_BYTES )
+#define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES  +        \
+                              TICKET_IV_BYTES        +        \
+                              TICKET_CRYPT_LEN_BYTES )
+
+/*
+ * Generate/update a key
+ */
+static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
+                               unsigned char index )
+{
+    int ret;
+    unsigned char buf[MAX_KEY_BYTES];
+    mbedtls_ssl_ticket_key *key = ctx->keys + index;
+
+#if defined(MBEDTLS_HAVE_TIME)
+    key->generation_time = (uint32_t) mbedtls_time( NULL );
+#endif
+
+    if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
+        return( ret );
+
+    if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
+        return( ret );
+
+    /* With GCM and CCM, same context can encrypt & decrypt */
+    ret = mbedtls_cipher_setkey( &key->ctx, buf,
+                                 mbedtls_cipher_get_key_bitlen( &key->ctx ),
+                                 MBEDTLS_ENCRYPT );
+
+    mbedtls_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
+}
+
+/*
+ * Rotate/generate keys if necessary
+ */
+static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
+{
+#if !defined(MBEDTLS_HAVE_TIME)
+    ((void) ctx);
+#else
+    if( ctx->ticket_lifetime != 0 )
+    {
+        uint32_t current_time = (uint32_t) mbedtls_time( NULL );
+        uint32_t key_time = ctx->keys[ctx->active].generation_time;
+
+        if( current_time >= key_time &&
+            current_time - key_time < ctx->ticket_lifetime )
+        {
+            return( 0 );
+        }
+
+        ctx->active = 1 - ctx->active;
+
+        return( ssl_ticket_gen_key( ctx, ctx->active ) );
+    }
+    else
+#endif /* MBEDTLS_HAVE_TIME */
+        return( 0 );
+}
+
+/*
+ * Setup context for actual use
+ */
+int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
+    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+    mbedtls_cipher_type_t cipher,
+    uint32_t lifetime )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    ctx->f_rng = f_rng;
+    ctx->p_rng = p_rng;
+
+    ctx->ticket_lifetime = lifetime;
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher);
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( cipher_info->mode != MBEDTLS_MODE_GCM &&
+        cipher_info->mode != MBEDTLS_MODE_CCM )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 ||
+        ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
+        ( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Serialize a session in the following format:
+ *  0   .   n-1     session structure, n = sizeof(mbedtls_ssl_session)
+ *  n   .   n+2     peer_cert length = m (0 if no certificate)
+ *  n+3 .   n+2+m   peer cert ASN.1
+ */
+static int ssl_save_session( const mbedtls_ssl_session *session,
+                             unsigned char *buf, size_t buf_len,
+                             size_t *olen )
+{
+    unsigned char *p = buf;
+    size_t left = buf_len;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    size_t cert_len;
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    if( left < sizeof( mbedtls_ssl_session ) )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+    memcpy( p, session, sizeof( mbedtls_ssl_session ) );
+    p += sizeof( mbedtls_ssl_session );
+    left -= sizeof( mbedtls_ssl_session );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( session->peer_cert == NULL )
+        cert_len = 0;
+    else
+        cert_len = session->peer_cert->raw.len;
+
+    if( left < 3 + cert_len )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+    *p++ = (unsigned char)( ( cert_len >> 16 ) & 0xFF );
+    *p++ = (unsigned char)( ( cert_len >>  8 ) & 0xFF );
+    *p++ = (unsigned char)( ( cert_len       ) & 0xFF );
+
+    if( session->peer_cert != NULL )
+        memcpy( p, session->peer_cert->raw.p, cert_len );
+
+    p += cert_len;
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    *olen = p - buf;
+
+    return( 0 );
+}
+
+/*
+ * Unserialise session, see ssl_save_session()
+ */
+static int ssl_load_session( mbedtls_ssl_session *session,
+                             const unsigned char *buf, size_t len )
+{
+    const unsigned char *p = buf;
+    const unsigned char * const end = buf + len;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    size_t cert_len;
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    if( sizeof( mbedtls_ssl_session ) > (size_t)( end - p ) )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    memcpy( session, p, sizeof( mbedtls_ssl_session ) );
+    p += sizeof( mbedtls_ssl_session );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( 3 > (size_t)( end - p ) )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
+    p += 3;
+
+    if( cert_len == 0 )
+    {
+        session->peer_cert = NULL;
+    }
+    else
+    {
+        int ret;
+
+        if( cert_len > (size_t)( end - p ) )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
+
+        if( session->peer_cert == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        mbedtls_x509_crt_init( session->peer_cert );
+
+        if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
+                                                p, cert_len ) ) != 0 )
+        {
+            mbedtls_x509_crt_free( session->peer_cert );
+            mbedtls_free( session->peer_cert );
+            session->peer_cert = NULL;
+            return( ret );
+        }
+
+        p += cert_len;
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    if( p != end )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+
+/*
+ * Create session ticket, with the following structure:
+ *
+ *    struct {
+ *        opaque key_name[4];
+ *        opaque iv[12];
+ *        opaque encrypted_state<0..2^16-1>;
+ *        opaque tag[16];
+ *    } ticket;
+ *
+ * The key_name, iv, and length of encrypted_state are the additional
+ * authenticated data.
+ */
+
+int mbedtls_ssl_ticket_write( void *p_ticket,
+                              const mbedtls_ssl_session *session,
+                              unsigned char *start,
+                              const unsigned char *end,
+                              size_t *tlen,
+                              uint32_t *ticket_lifetime )
+{
+    int ret;
+    mbedtls_ssl_ticket_context *ctx = p_ticket;
+    mbedtls_ssl_ticket_key *key;
+    unsigned char *key_name = start;
+    unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
+    unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
+    unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
+    unsigned char *tag;
+    size_t clear_len, ciph_len;
+
+    *tlen = 0;
+
+    if( ctx == NULL || ctx->f_rng == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
+     * in addition to session itself, that will be checked when writing it. */
+    MBEDTLS_SSL_CHK_BUF_PTR( start, end, TICKET_MIN_LEN );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
+        goto cleanup;
+
+    key = &ctx->keys[ctx->active];
+
+    *ticket_lifetime = ctx->ticket_lifetime;
+
+    memcpy( key_name, key->name, TICKET_KEY_NAME_BYTES );
+
+    if( ( ret = ctx->f_rng( ctx->p_rng, iv, TICKET_IV_BYTES ) ) != 0 )
+        goto cleanup;
+
+    /* Dump session state */
+    if( ( ret = ssl_save_session( session,
+                                  state, end - state, &clear_len ) ) != 0 ||
+        (unsigned long) clear_len > 65535 )
+    {
+         goto cleanup;
+    }
+    state_len_bytes[0] = ( clear_len >> 8 ) & 0xff;
+    state_len_bytes[1] = ( clear_len      ) & 0xff;
+
+    /* Encrypt and authenticate */
+    tag = state + clear_len;
+    if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
+                    iv, TICKET_IV_BYTES,
+                    /* Additional data: key name, IV and length */
+                    key_name, TICKET_ADD_DATA_LEN,
+                    state, clear_len, state, &ciph_len,
+                    tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
+    {
+        goto cleanup;
+    }
+    if( ciph_len != clear_len )
+    {
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto cleanup;
+    }
+
+    *tlen = TICKET_MIN_LEN + ciph_len;
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Select key based on name
+ */
+static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
+        mbedtls_ssl_ticket_context *ctx,
+        const unsigned char name[4] )
+{
+    unsigned char i;
+
+    for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
+        if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
+            return( &ctx->keys[i] );
+
+    return( NULL );
+}
+
+/*
+ * Load session ticket (see mbedtls_ssl_ticket_write for structure)
+ */
+int mbedtls_ssl_ticket_parse( void *p_ticket,
+                              mbedtls_ssl_session *session,
+                              unsigned char *buf,
+                              size_t len )
+{
+    int ret;
+    mbedtls_ssl_ticket_context *ctx = p_ticket;
+    mbedtls_ssl_ticket_key *key;
+    unsigned char *key_name = buf;
+    unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
+    unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
+    unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
+    unsigned char *tag;
+    size_t enc_len, clear_len;
+
+    if( ctx == NULL || ctx->f_rng == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( len < TICKET_MIN_LEN )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
+        goto cleanup;
+
+    enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
+    tag = ticket + enc_len;
+
+    if( len != TICKET_MIN_LEN + enc_len )
+    {
+        ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    /* Select key */
+    if( ( key = ssl_ticket_select_key( ctx, key_name ) ) == NULL )
+    {
+        /* We can't know for sure but this is a likely option unless we're
+         * under attack - this is only informative anyway */
+        ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
+        goto cleanup;
+    }
+
+    /* Decrypt and authenticate */
+    if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx,
+                    iv, TICKET_IV_BYTES,
+                    /* Additional data: key name, IV and length */
+                    key_name, TICKET_ADD_DATA_LEN,
+                    ticket, enc_len,
+                    ticket, &clear_len,
+                    tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
+            ret = MBEDTLS_ERR_SSL_INVALID_MAC;
+
+        goto cleanup;
+    }
+    if( clear_len != enc_len )
+    {
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto cleanup;
+    }
+
+    /* Actually load session */
+    if( ( ret = ssl_load_session( session, ticket, clear_len ) ) != 0 )
+        goto cleanup;
+
+#if defined(MBEDTLS_HAVE_TIME)
+    {
+        /* Check for expiration */
+        mbedtls_time_t current_time = mbedtls_time( NULL );
+
+        if( current_time < session->start ||
+            (uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
+        {
+            ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
+            goto cleanup;
+        }
+    }
+#endif
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
+{
+    mbedtls_cipher_free( &ctx->keys[0].ctx );
+    mbedtls_cipher_free( &ctx->keys[1].ctx );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
+}
+
+#endif /* MBEDTLS_SSL_TICKET_C */
diff --git a/third-party/mbedtls-3.6/library/ssl_tls.c b/third-party/mbedtls-3.6/library/ssl_tls.c
new file mode 100644
index 00000000..2b1aa011
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/ssl_tls.c
@@ -0,0 +1,8604 @@
+/*
+ *  SSLv3/TLSv1 shared functions
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The SSL 3.0 specification was drafted by Netscape in 1996,
+ *  and became an IETF standard in 1999.
+ *
+ *  http://wp.netscape.com/eng/ssl3/
+ *  http://www.ietf.org/rfc/rfc2246.txt
+ *  http://www.ietf.org/rfc/rfc4346.txt
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "mbedtls/oid.h"
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/* Length of the "epoch" field in the record header */
+static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 2 );
+#else
+    ((void) ssl);
+#endif
+    return( 0 );
+}
+
+/*
+ * Start a timer.
+ * Passing millisecs = 0 cancels a running timer.
+ */
+static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
+{
+    if( ssl->f_set_timer == NULL )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
+    ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
+}
+
+/*
+ * Return -1 is timer is expired, 0 if it isn't.
+ */
+static int ssl_check_timer( mbedtls_ssl_context *ssl )
+{
+    if( ssl->f_get_timer == NULL )
+        return( 0 );
+
+    if( ssl->f_get_timer( ssl->p_timer ) == 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
+        return( -1 );
+    }
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/*
+ * Double the retransmit timeout value, within the allowed range,
+ * returning -1 if the maximum value has already been reached.
+ */
+static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
+{
+    uint32_t new_timeout;
+
+    if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
+        return( -1 );
+
+    new_timeout = 2 * ssl->handshake->retransmit_timeout;
+
+    /* Avoid arithmetic overflow and range overflow */
+    if( new_timeout < ssl->handshake->retransmit_timeout ||
+        new_timeout > ssl->conf->hs_timeout_max )
+    {
+        new_timeout = ssl->conf->hs_timeout_max;
+    }
+
+    ssl->handshake->retransmit_timeout = new_timeout;
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
+                        ssl->handshake->retransmit_timeout ) );
+
+    return( 0 );
+}
+
+static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
+{
+    ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
+                        ssl->handshake->retransmit_timeout ) );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/*
+ * Convert max_fragment_length codes to length.
+ * RFC 6066 says:
+ *    enum{
+ *        2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
+ *    } MaxFragmentLength;
+ * and we add 0 -> extension unused
+ */
+static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] =
+{
+    MBEDTLS_SSL_MAX_CONTENT_LEN,    /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
+    512,                    /* MBEDTLS_SSL_MAX_FRAG_LEN_512  */
+    1024,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
+    2048,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
+    4096,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
+};
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src )
+{
+    mbedtls_ssl_session_free( dst );
+    memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( src->peer_cert != NULL )
+    {
+        int ret;
+
+        dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
+        if( dst->peer_cert == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        mbedtls_x509_crt_init( dst->peer_cert );
+
+        if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
+                                        src->peer_cert->raw.len ) ) != 0 )
+        {
+            mbedtls_free( dst->peer_cert );
+            dst->peer_cert = NULL;
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    if( src->ticket != NULL )
+    {
+        dst->ticket = mbedtls_calloc( 1, src->ticket_len );
+        if( dst->ticket == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        memcpy( dst->ticket, src->ticket, src->ticket_len );
+    }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
+                     const unsigned char *key_enc, const unsigned char *key_dec,
+                     size_t keylen,
+                     const unsigned char *iv_enc,  const unsigned char *iv_dec,
+                     size_t ivlen,
+                     const unsigned char *mac_enc, const unsigned char *mac_dec,
+                     size_t maclen ) = NULL;
+int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
+int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
+int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
+int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
+int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+/*
+ * Key material generation
+ */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+static int ssl3_prf( const unsigned char *secret, size_t slen,
+                     const char *label,
+                     const unsigned char *random, size_t rlen,
+                     unsigned char *dstbuf, size_t dlen )
+{
+    int ret = 0;
+    size_t i;
+    mbedtls_md5_context md5;
+    mbedtls_sha1_context sha1;
+    unsigned char padding[16];
+    unsigned char sha1sum[20];
+    ((void)label);
+
+    mbedtls_md5_init(  &md5  );
+    mbedtls_sha1_init( &sha1 );
+
+    /*
+     *  SSLv3:
+     *    block =
+     *      MD5( secret + SHA1( 'A'    + secret + random ) ) +
+     *      MD5( secret + SHA1( 'BB'   + secret + random ) ) +
+     *      MD5( secret + SHA1( 'CCC'  + secret + random ) ) +
+     *      ...
+     */
+    for( i = 0; i < dlen / 16; i++ )
+    {
+        memset( padding, (unsigned char) ('A' + i), 1 + i );
+
+        if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )
+            goto exit;
+    }
+
+exit:
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    mbedtls_zeroize( padding, sizeof( padding ) );
+    mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static int tls1_prf( const unsigned char *secret, size_t slen,
+                     const char *label,
+                     const unsigned char *random, size_t rlen,
+                     unsigned char *dstbuf, size_t dlen )
+{
+    size_t nb, hs;
+    size_t i, j, k;
+    const unsigned char *S1, *S2;
+    unsigned char tmp[128];
+    unsigned char h_i[20];
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    int ret;
+
+    mbedtls_md_init( &md_ctx );
+
+    if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    hs = ( slen + 1 ) / 2;
+    S1 = secret;
+    S2 = secret + slen - hs;
+
+    nb = strlen( label );
+    memcpy( tmp + 20, label, nb );
+    memcpy( tmp + 20 + nb, random, rlen );
+    nb += rlen;
+
+    /*
+     * First compute P_md5(secret,label+random)[0..dlen]
+     */
+    if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    mbedtls_md_hmac_starts( &md_ctx, S1, hs );
+    mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
+    mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
+
+    for( i = 0; i < dlen; i += 16 )
+    {
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
+        mbedtls_md_hmac_finish( &md_ctx, h_i );
+
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
+        mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
+
+        k = ( i + 16 > dlen ) ? dlen % 16 : 16;
+
+        for( j = 0; j < k; j++ )
+            dstbuf[i + j]  = h_i[j];
+    }
+
+    mbedtls_md_free( &md_ctx );
+
+    /*
+     * XOR out with P_sha1(secret,label+random)[0..dlen]
+     */
+    if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    mbedtls_md_hmac_starts( &md_ctx, S2, hs );
+    mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
+    mbedtls_md_hmac_finish( &md_ctx, tmp );
+
+    for( i = 0; i < dlen; i += 20 )
+    {
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
+        mbedtls_md_hmac_finish( &md_ctx, h_i );
+
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
+        mbedtls_md_hmac_finish( &md_ctx, tmp );
+
+        k = ( i + 20 > dlen ) ? dlen % 20 : 20;
+
+        for( j = 0; j < k; j++ )
+            dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
+    }
+
+    mbedtls_md_free( &md_ctx );
+
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_zeroize( h_i, sizeof( h_i ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+static int tls_prf_generic( mbedtls_md_type_t md_type,
+                            const unsigned char *secret, size_t slen,
+                            const char *label,
+                            const unsigned char *random, size_t rlen,
+                            unsigned char *dstbuf, size_t dlen )
+{
+    size_t nb;
+    size_t i, j, k, md_len;
+    unsigned char tmp[128];
+    unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    int ret;
+
+    mbedtls_md_init( &md_ctx );
+
+    if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+    md_len = mbedtls_md_get_size( md_info );
+
+    if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    nb = strlen( label );
+    memcpy( tmp + md_len, label, nb );
+    memcpy( tmp + md_len + nb, random, rlen );
+    nb += rlen;
+
+    /*
+     * Compute P_<hash>(secret, label + random)[0..dlen]
+     */
+    if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    mbedtls_md_hmac_starts( &md_ctx, secret, slen );
+    mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
+    mbedtls_md_hmac_finish( &md_ctx, tmp );
+
+    for( i = 0; i < dlen; i += md_len )
+    {
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
+        mbedtls_md_hmac_finish( &md_ctx, h_i );
+
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
+        mbedtls_md_hmac_finish( &md_ctx, tmp );
+
+        k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
+
+        for( j = 0; j < k; j++ )
+            dstbuf[i + j]  = h_i[j];
+    }
+
+    mbedtls_md_free( &md_ctx );
+
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_zeroize( h_i, sizeof( h_i ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SHA256_C)
+static int tls_prf_sha256( const unsigned char *secret, size_t slen,
+                           const char *label,
+                           const unsigned char *random, size_t rlen,
+                           unsigned char *dstbuf, size_t dlen )
+{
+    return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
+                             label, random, rlen, dstbuf, dlen ) );
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+static int tls_prf_sha384( const unsigned char *secret, size_t slen,
+                           const char *label,
+                           const unsigned char *random, size_t rlen,
+                           unsigned char *dstbuf, size_t dlen )
+{
+    return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
+                             label, random, rlen, dstbuf, dlen ) );
+}
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * );
+static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * );
+static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
+static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *, unsigned char * );
+static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
+static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * );
+static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+    unsigned char tmp[64];
+    unsigned char keyblk[256];
+    unsigned char *key1;
+    unsigned char *key2;
+    unsigned char *mac_enc;
+    unsigned char *mac_dec;
+    size_t mac_key_len;
+    size_t iv_copy_len;
+    const mbedtls_cipher_info_t *cipher_info;
+    const mbedtls_md_info_t *md_info;
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    mbedtls_ssl_transform *transform = ssl->transform_negotiate;
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
+
+    cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
+    if( cipher_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
+                            transform->ciphersuite_info->cipher ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
+    if( md_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
+                            transform->ciphersuite_info->mac ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    /*
+     * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
+     */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        handshake->tls_prf = ssl3_prf;
+        handshake->calc_verify = ssl_calc_verify_ssl;
+        handshake->calc_finished = ssl_calc_finished_ssl;
+    }
+    else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        handshake->tls_prf = tls1_prf;
+        handshake->calc_verify = ssl_calc_verify_tls;
+        handshake->calc_finished = ssl_calc_finished_tls;
+    }
+    else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA512_C)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
+        transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
+    {
+        handshake->tls_prf = tls_prf_sha384;
+        handshake->calc_verify = ssl_calc_verify_tls_sha384;
+        handshake->calc_finished = ssl_calc_finished_tls_sha384;
+    }
+    else
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        handshake->tls_prf = tls_prf_sha256;
+        handshake->calc_verify = ssl_calc_verify_tls_sha256;
+        handshake->calc_finished = ssl_calc_finished_tls_sha256;
+    }
+    else
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /*
+     * SSLv3:
+     *   master =
+     *     MD5( premaster + SHA1( 'A'   + premaster + randbytes ) ) +
+     *     MD5( premaster + SHA1( 'BB'  + premaster + randbytes ) ) +
+     *     MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
+     *
+     * TLSv1+:
+     *   master = PRF( premaster, "master secret", randbytes )[0..47]
+     */
+    if( handshake->resume == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
+                       handshake->pmslen );
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+        if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
+        {
+            unsigned char session_hash[48];
+            size_t hash_len;
+
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
+
+            ssl->handshake->calc_verify( ssl, session_hash );
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+            {
+#if defined(MBEDTLS_SHA512_C)
+                if( ssl->transform_negotiate->ciphersuite_info->mac ==
+                    MBEDTLS_MD_SHA384 )
+                {
+                    hash_len = 48;
+                }
+                else
+#endif
+                    hash_len = 32;
+            }
+            else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+                hash_len = 36;
+
+            MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
+
+            ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
+                                      "extended master secret",
+                                      session_hash, hash_len,
+                                      session->master, 48 );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
+                return( ret );
+            }
+
+        }
+        else
+#endif
+        ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
+                                  "master secret",
+                                  handshake->randbytes, 64,
+                                  session->master, 48 );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
+            return( ret );
+        }
+
+        mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) );
+    }
+    else
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
+
+    /*
+     * Swap the client and server random values.
+     */
+    memcpy( tmp, handshake->randbytes, 64 );
+    memcpy( handshake->randbytes, tmp + 32, 32 );
+    memcpy( handshake->randbytes + 32, tmp, 32 );
+    mbedtls_zeroize( tmp, sizeof( tmp ) );
+
+    /*
+     *  SSLv3:
+     *    key block =
+     *      MD5( master + SHA1( 'A'    + master + randbytes ) ) +
+     *      MD5( master + SHA1( 'BB'   + master + randbytes ) ) +
+     *      MD5( master + SHA1( 'CCC'  + master + randbytes ) ) +
+     *      MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
+     *      ...
+     *
+     *  TLSv1:
+     *    key block = PRF( master, "key expansion", randbytes )
+     */
+    ret = handshake->tls_prf( session->master, 48, "key expansion",
+                              handshake->randbytes, 64, keyblk, 256 );
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
+                   mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
+    MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
+    MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
+
+    mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
+
+    /*
+     * Determine the appropriate key, IV and MAC length.
+     */
+
+    transform->keylen = cipher_info->key_bitlen / 8;
+
+    if( cipher_info->mode == MBEDTLS_MODE_GCM ||
+        cipher_info->mode == MBEDTLS_MODE_CCM )
+    {
+        transform->maclen = 0;
+        mac_key_len = 0;
+
+        transform->ivlen = 12;
+        transform->fixed_ivlen = 4;
+
+        /* Minimum length is expicit IV + tag */
+        transform->minlen = transform->ivlen - transform->fixed_ivlen
+                            + ( transform->ciphersuite_info->flags &
+                                MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
+    }
+    else
+    {
+        /* Initialize HMAC contexts */
+        if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
+            ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
+            return( ret );
+        }
+
+        /* Get MAC length */
+        mac_key_len = mbedtls_md_get_size( md_info );
+        transform->maclen = mac_key_len;
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+        /*
+         * If HMAC is to be truncated, we shall keep the leftmost bytes,
+         * (rfc 6066 page 13 or rfc 2104 section 4),
+         * so we only need to adjust the length here.
+         */
+        if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
+        {
+            transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
+            /* Fall back to old, non-compliant version of the truncated
+             * HMAC implementation which also truncates the key
+             * (Mbed TLS versions from 1.3 to 2.6.0) */
+            mac_key_len = transform->maclen;
+#endif
+        }
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+        /* IV length */
+        transform->ivlen = cipher_info->iv_size;
+
+        /* Minimum length */
+        if( cipher_info->mode == MBEDTLS_MODE_STREAM )
+            transform->minlen = transform->maclen;
+        else
+        {
+            /*
+             * GenericBlockCipher:
+             * 1. if EtM is in use: one block plus MAC
+             *    otherwise: * first multiple of blocklen greater than maclen
+             * 2. IV except for SSL3 and TLS 1.0
+             */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+            if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
+            {
+                transform->minlen = transform->maclen
+                                  + cipher_info->block_size;
+            }
+            else
+#endif
+            {
+                transform->minlen = transform->maclen
+                                  + cipher_info->block_size
+                                  - transform->maclen % cipher_info->block_size;
+            }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
+            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+                ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
+                ; /* No need to adjust minlen */
+            else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
+                ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+            {
+                transform->minlen += transform->ivlen;
+            }
+            else
+#endif
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
+                   transform->keylen, transform->minlen, transform->ivlen,
+                   transform->maclen ) );
+
+    /*
+     * Finally setup the cipher contexts, IVs and MAC secrets.
+     */
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+    {
+        key1 = keyblk + mac_key_len * 2;
+        key2 = keyblk + mac_key_len * 2 + transform->keylen;
+
+        mac_enc = keyblk;
+        mac_dec = keyblk + mac_key_len;
+
+        /*
+         * This is not used in TLS v1.1.
+         */
+        iv_copy_len = ( transform->fixed_ivlen ) ?
+                            transform->fixed_ivlen : transform->ivlen;
+        memcpy( transform->iv_enc, key2 + transform->keylen,  iv_copy_len );
+        memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
+                iv_copy_len );
+    }
+    else
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        key1 = keyblk + mac_key_len * 2 + transform->keylen;
+        key2 = keyblk + mac_key_len * 2;
+
+        mac_enc = keyblk + mac_key_len;
+        mac_dec = keyblk;
+
+        /*
+         * This is not used in TLS v1.1.
+         */
+        iv_copy_len = ( transform->fixed_ivlen ) ?
+                            transform->fixed_ivlen : transform->ivlen;
+        memcpy( transform->iv_dec, key1 + transform->keylen,  iv_copy_len );
+        memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
+                iv_copy_len );
+    }
+    else
+#endif /* MBEDTLS_SSL_SRV_C */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        if( mac_key_len > sizeof transform->mac_enc )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        memcpy( transform->mac_enc, mac_enc, mac_key_len );
+        memcpy( transform->mac_dec, mac_dec, mac_key_len );
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
+    {
+        /* For HMAC-based ciphersuites, initialize the HMAC transforms.
+           For AEAD-based ciphersuites, there is nothing to do here. */
+        if( mac_key_len != 0 )
+        {
+            mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
+            mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
+        }
+    }
+    else
+#endif
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_init != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
+
+        if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen,
+                                        transform->iv_enc, transform->iv_dec,
+                                        iv_copy_len,
+                                        mac_enc, mac_dec,
+                                        mac_key_len ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    if( ssl->conf->f_export_keys != NULL )
+    {
+        ssl->conf->f_export_keys( ssl->conf->p_export_keys,
+                                  session->master, keyblk,
+                                  mac_key_len, transform->keylen,
+                                  iv_copy_len );
+    }
+#endif
+
+    if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
+                                 cipher_info ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
+                                 cipher_info ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
+                               cipher_info->key_bitlen,
+                               MBEDTLS_ENCRYPT ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
+                               cipher_info->key_bitlen,
+                               MBEDTLS_DECRYPT ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    if( cipher_info->mode == MBEDTLS_MODE_CBC )
+    {
+        if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
+                                             MBEDTLS_PADDING_NONE ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
+                                             MBEDTLS_PADDING_NONE ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+    mbedtls_zeroize( keyblk, sizeof( keyblk ) );
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    // Initialize compression
+    //
+    if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
+    {
+        if( ssl->compress_buf == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
+            ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN );
+            if( ssl->compress_buf == NULL )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
+                                    MBEDTLS_SSL_BUFFER_LEN ) );
+                return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+            }
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
+
+        memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
+        memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
+
+        if( deflateInit( &transform->ctx_deflate,
+                         Z_DEFAULT_COMPRESSION )   != Z_OK ||
+            inflateInit( &transform->ctx_inflate ) != Z_OK )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
+            return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
+        }
+    }
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char *hash )
+{
+    mbedtls_md5_context md5;
+    mbedtls_sha1_context sha1;
+    unsigned char pad_1[48];
+    unsigned char pad_2[48];
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
+
+    mbedtls_md5_init( &md5 );
+    mbedtls_sha1_init( &sha1 );
+
+    mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
+    mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
+
+    memset( pad_1, 0x36, 48 );
+    memset( pad_2, 0x5C, 48 );
+
+    mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
+    mbedtls_md5_update_ret( &md5, pad_1, 48 );
+    mbedtls_md5_finish_ret( &md5, hash );
+
+    mbedtls_md5_starts_ret( &md5 );
+    mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
+    mbedtls_md5_update_ret( &md5, pad_2, 48 );
+    mbedtls_md5_update_ret( &md5, hash,  16 );
+    mbedtls_md5_finish_ret( &md5, hash );
+
+    mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
+    mbedtls_sha1_update_ret( &sha1, pad_1, 40 );
+    mbedtls_sha1_finish_ret( &sha1, hash + 16 );
+
+    mbedtls_sha1_starts_ret( &sha1 );
+    mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
+    mbedtls_sha1_update_ret( &sha1, pad_2, 40 );
+    mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );
+    mbedtls_sha1_finish_ret( &sha1, hash + 16 );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
+
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    return;
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char *hash )
+{
+    mbedtls_md5_context md5;
+    mbedtls_sha1_context sha1;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
+
+    mbedtls_md5_init( &md5 );
+    mbedtls_sha1_init( &sha1 );
+
+    mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
+    mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
+
+     mbedtls_md5_finish_ret( &md5,  hash );
+    mbedtls_sha1_finish_ret( &sha1, hash + 16 );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
+
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    return;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char *hash )
+{
+    mbedtls_sha256_context sha256;
+
+    mbedtls_sha256_init( &sha256 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
+
+    mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
+    mbedtls_sha256_finish_ret( &sha256, hash );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
+
+    mbedtls_sha256_free( &sha256 );
+
+    return;
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char *hash )
+{
+    mbedtls_sha512_context sha512;
+
+    mbedtls_sha512_init( &sha512 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
+
+    mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
+    mbedtls_sha512_finish_ret( &sha512, hash );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
+
+    mbedtls_sha512_free( &sha512 );
+
+    return;
+}
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
+{
+    unsigned char *p = ssl->handshake->premaster;
+    unsigned char *end = p + sizeof( ssl->handshake->premaster );
+    const unsigned char *psk = ssl->conf->psk;
+    size_t psk_len = ssl->conf->psk_len;
+
+    /* If the psk callback was called, use its result */
+    if( ssl->handshake->psk != NULL )
+    {
+        psk = ssl->handshake->psk;
+        psk_len = ssl->handshake->psk_len;
+    }
+
+    /*
+     * PMS = struct {
+     *     opaque other_secret<0..2^16-1>;
+     *     opaque psk<0..2^16-1>;
+     * };
+     * with "other_secret" depending on the particular key exchange
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
+    {
+        if( end - p < 2 )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        *(p++) = (unsigned char)( psk_len >> 8 );
+        *(p++) = (unsigned char)( psk_len      );
+
+        if( end < p || (size_t)( end - p ) < psk_len )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        memset( p, 0, psk_len );
+        p += psk_len;
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+    {
+        /*
+         * other_secret already set by the ClientKeyExchange message,
+         * and is 48 bytes long
+         */
+        if( end - p < 2 )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        *p++ = 0;
+        *p++ = 48;
+        p += 48;
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+    {
+        int ret;
+        size_t len;
+
+        /* Write length only when we know the actual value */
+        if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
+                                      p + 2, end - ( p + 2 ), &len,
+                                      ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
+            return( ret );
+        }
+        *(p++) = (unsigned char)( len >> 8 );
+        *(p++) = (unsigned char)( len );
+        p += len;
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+    {
+        int ret;
+        size_t zlen;
+
+        if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
+                                       p + 2, end - ( p + 2 ),
+                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
+            return( ret );
+        }
+
+        *(p++) = (unsigned char)( zlen >> 8 );
+        *(p++) = (unsigned char)( zlen      );
+        p += zlen;
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /* opaque psk<0..2^16-1>; */
+    if( end - p < 2 )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    *(p++) = (unsigned char)( psk_len >> 8 );
+    *(p++) = (unsigned char)( psk_len      );
+
+    if( end < p || (size_t)( end - p ) < psk_len )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    memcpy( p, psk, psk_len );
+    p += psk_len;
+
+    ssl->handshake->pmslen = p - ssl->handshake->premaster;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+/*
+ * SSLv3.0 MAC functions
+ */
+#define SSL_MAC_MAX_BYTES   20  /* MD-5 or SHA-1 */
+static void ssl_mac( mbedtls_md_context_t *md_ctx,
+                     const unsigned char *secret,
+                     const unsigned char *buf, size_t len,
+                     const unsigned char *ctr, int type,
+                     unsigned char out[SSL_MAC_MAX_BYTES] )
+{
+    unsigned char header[11];
+    unsigned char padding[48];
+    int padlen;
+    int md_size = mbedtls_md_get_size( md_ctx->md_info );
+    int md_type = mbedtls_md_get_type( md_ctx->md_info );
+
+    /* Only MD5 and SHA-1 supported */
+    if( md_type == MBEDTLS_MD_MD5 )
+        padlen = 48;
+    else
+        padlen = 40;
+
+    memcpy( header, ctr, 8 );
+    header[ 8] = (unsigned char)  type;
+    header[ 9] = (unsigned char)( len >> 8 );
+    header[10] = (unsigned char)( len      );
+
+    memset( padding, 0x36, padlen );
+    mbedtls_md_starts( md_ctx );
+    mbedtls_md_update( md_ctx, secret,  md_size );
+    mbedtls_md_update( md_ctx, padding, padlen  );
+    mbedtls_md_update( md_ctx, header,  11      );
+    mbedtls_md_update( md_ctx, buf,     len     );
+    mbedtls_md_finish( md_ctx, out              );
+
+    memset( padding, 0x5C, padlen );
+    mbedtls_md_starts( md_ctx );
+    mbedtls_md_update( md_ctx, secret,    md_size );
+    mbedtls_md_update( md_ctx, padding,   padlen  );
+    mbedtls_md_update( md_ctx, out,       md_size );
+    mbedtls_md_finish( md_ctx, out                );
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) ||     \
+    defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
+#define SSL_SOME_MODES_USE_MAC
+#endif
+
+/*
+ * Encryption/decryption functions
+ */
+static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
+{
+    mbedtls_cipher_mode_t mode;
+    int auth_done = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
+
+    if( ssl->session_out == NULL || ssl->transform_out == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
+                      ssl->out_msg, ssl->out_msglen );
+
+    if( ssl->out_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
+                                    (unsigned) ssl->out_msglen,
+                                    MBEDTLS_SSL_MAX_CONTENT_LEN ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    /*
+     * Add MAC before if needed
+     */
+#if defined(SSL_SOME_MODES_USE_MAC)
+    if( mode == MBEDTLS_MODE_STREAM ||
+        ( mode == MBEDTLS_MODE_CBC
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+          && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
+#endif
+        ) )
+    {
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            unsigned char mac[SSL_MAC_MAX_BYTES];
+
+            ssl_mac( &ssl->transform_out->md_ctx_enc,
+                      ssl->transform_out->mac_enc,
+                      ssl->out_msg, ssl->out_msglen,
+                      ssl->out_ctr, ssl->out_msgtype,
+                      mac );
+
+            memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
+        }
+        else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+        defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
+        {
+            unsigned char mac[MBEDTLS_SSL_MAC_ADD];
+
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 );
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 );
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 );
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
+                             ssl->out_msg, ssl->out_msglen );
+            mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
+            mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
+
+            memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
+        }
+        else
+#endif
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
+                       ssl->out_msg + ssl->out_msglen,
+                       ssl->transform_out->maclen );
+
+        ssl->out_msglen += ssl->transform_out->maclen;
+        auth_done++;
+    }
+#endif /* AEAD not the only option */
+
+    /*
+     * Encrypt
+     */
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    if( mode == MBEDTLS_MODE_STREAM )
+    {
+        int ret;
+        size_t olen = 0;
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
+                            "including %d bytes of padding",
+                       ssl->out_msglen, 0 ) );
+
+        if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
+                                   ssl->transform_out->iv_enc,
+                                   ssl->transform_out->ivlen,
+                                   ssl->out_msg, ssl->out_msglen,
+                                   ssl->out_msg, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
+            return( ret );
+        }
+
+        if( ssl->out_msglen != olen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+    }
+    else
+#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
+    if( mode == MBEDTLS_MODE_GCM ||
+        mode == MBEDTLS_MODE_CCM )
+    {
+        int ret;
+        size_t enc_msglen, olen;
+        unsigned char *enc_msg;
+        unsigned char add_data[13];
+        unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
+                               MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+
+        memcpy( add_data, ssl->out_ctr, 8 );
+        add_data[8]  = ssl->out_msgtype;
+        mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                           ssl->conf->transport, add_data + 9 );
+        add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
+        add_data[12] = ssl->out_msglen & 0xFF;
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
+                       add_data, 13 );
+
+        /*
+         * Generate IV
+         */
+        if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
+        {
+            /* Reminder if we ever add an AEAD mode with a different size */
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
+                             ssl->out_ctr, 8 );
+        memcpy( ssl->out_iv, ssl->out_ctr, 8 );
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
+                ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
+
+        /*
+         * Fix pointer positions and message length with added IV
+         */
+        enc_msg = ssl->out_msg;
+        enc_msglen = ssl->out_msglen;
+        ssl->out_msglen += ssl->transform_out->ivlen -
+                           ssl->transform_out->fixed_ivlen;
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
+                            "including %d bytes of padding",
+                       ssl->out_msglen, 0 ) );
+
+        /*
+         * Encrypt and authenticate
+         */
+        if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
+                                         ssl->transform_out->iv_enc,
+                                         ssl->transform_out->ivlen,
+                                         add_data, 13,
+                                         enc_msg, enc_msglen,
+                                         enc_msg, &olen,
+                                         enc_msg + enc_msglen, taglen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
+            return( ret );
+        }
+
+        if( olen != enc_msglen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        ssl->out_msglen += taglen;
+        auth_done++;
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
+    }
+    else
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
+    if( mode == MBEDTLS_MODE_CBC )
+    {
+        int ret;
+        unsigned char *enc_msg;
+        size_t enc_msglen, padlen, olen = 0, i;
+
+        padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
+                 ssl->transform_out->ivlen;
+        if( padlen == ssl->transform_out->ivlen )
+            padlen = 0;
+
+        for( i = 0; i <= padlen; i++ )
+            ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
+
+        ssl->out_msglen += padlen + 1;
+
+        enc_msglen = ssl->out_msglen;
+        enc_msg = ssl->out_msg;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        /*
+         * Prepend per-record IV for block cipher in TLS v1.1 and up as per
+         * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
+         */
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+        {
+            /*
+             * Generate IV
+             */
+            ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
+                                  ssl->transform_out->ivlen );
+            if( ret != 0 )
+                return( ret );
+
+            memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
+                    ssl->transform_out->ivlen );
+
+            /*
+             * Fix pointer positions and message length with added IV
+             */
+            enc_msg = ssl->out_msg;
+            enc_msglen = ssl->out_msglen;
+            ssl->out_msglen += ssl->transform_out->ivlen;
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
+                            "including %d bytes of IV and %d bytes of padding",
+                            ssl->out_msglen, ssl->transform_out->ivlen,
+                            padlen + 1 ) );
+
+        if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
+                                   ssl->transform_out->iv_enc,
+                                   ssl->transform_out->ivlen,
+                                   enc_msg, enc_msglen,
+                                   enc_msg, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
+            return( ret );
+        }
+
+        if( enc_msglen != olen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
+        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
+        {
+            /*
+             * Save IV in SSL3 and TLS1
+             */
+            memcpy( ssl->transform_out->iv_enc,
+                    ssl->transform_out->cipher_ctx_enc.iv,
+                    ssl->transform_out->ivlen );
+        }
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        if( auth_done == 0 )
+        {
+            unsigned char mac[MBEDTLS_SSL_MAC_ADD];
+
+            /*
+             * MAC(MAC_write_key, seq_num +
+             *     TLSCipherText.type +
+             *     TLSCipherText.version +
+             *     length_of( (IV +) ENC(...) ) +
+             *     IV + // except for TLS 1.0
+             *     ENC(content + padding + padding_length));
+             */
+            unsigned char pseudo_hdr[13];
+
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
+
+            memcpy( pseudo_hdr +  0, ssl->out_ctr, 8 );
+            memcpy( pseudo_hdr +  8, ssl->out_hdr, 3 );
+            pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
+            pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen      ) & 0xFF );
+
+            MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
+
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
+                             ssl->out_iv, ssl->out_msglen );
+            mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
+            mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
+
+            memcpy( ssl->out_iv + ssl->out_msglen, mac,
+                    ssl->transform_out->maclen );
+
+            ssl->out_msglen += ssl->transform_out->maclen;
+            auth_done++;
+        }
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+    }
+    else
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /* Make extra sure authentication was performed, exactly once */
+    if( auth_done != 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
+/*
+ * Constant-flow conditional memcpy:
+ *  - if c1 == c2, equivalent to memcpy(dst, src, len),
+ *  - otherwise, a no-op,
+ * but with execution flow independent of the values of c1 and c2.
+ *
+ * Use only bit operations to avoid branches that could be used by some
+ * compilers on some platforms to translate comparison operators.
+ */
+static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst,
+                                         const unsigned char *src,
+                                         size_t len,
+                                         size_t c1, size_t c2 )
+{
+    /* diff = 0 if c1 == c2, non-zero otherwise */
+    const size_t diff = c1 ^ c2;
+
+    /* MSVC has a warning about unary minus on unsigned integer types,
+     * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+    /* diff_msb's most significant bit is equal to c1 != c2 */
+    const size_t diff_msb = ( diff | -diff );
+
+    /* diff1 = c1 != c2 */
+    const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
+
+    /* mask = c1 != c2 ? 0xff : 0x00 */
+    const unsigned char mask = (unsigned char) -diff1;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    /* dst[i] = c1 != c2 ? dst[i] : src[i] */
+    size_t i;
+    for( i = 0; i < len; i++ )
+        dst[i] = ( dst[i] & mask ) | ( src[i] & ~mask );
+}
+
+/*
+ * Compute HMAC of variable-length data with constant flow.
+ *
+ * Only works with MD-5, SHA-1, SHA-256 and SHA-384.
+ * (Otherwise, computation of block_size needs to be adapted.)
+ */
+int mbedtls_ssl_cf_hmac(
+        mbedtls_md_context_t *ctx,
+        const unsigned char *add_data, size_t add_data_len,
+        const unsigned char *data, size_t data_len_secret,
+        size_t min_data_len, size_t max_data_len,
+        unsigned char *output )
+{
+    /*
+     * This function breaks the HMAC abstraction and uses the md_clone()
+     * extension to the MD API in order to get constant-flow behaviour.
+     *
+     * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
+     * concatenation, and okey/ikey are the XOR of the key with some fixed bit
+     * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
+     *
+     * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
+     * minlen, then cloning the context, and for each byte up to maxlen
+     * finishing up the hash computation, keeping only the correct result.
+     *
+     * Then we only need to compute HASH(okey + inner_hash) and we're done.
+     */
+    const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info );
+    /* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5,
+     * all of which have the same block size except SHA-384. */
+    const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
+    const unsigned char * const ikey = ctx->hmac_ctx;
+    const unsigned char * const okey = ikey + block_size;
+    const size_t hash_size = mbedtls_md_get_size( ctx->md_info );
+
+    unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
+    mbedtls_md_context_t aux;
+    size_t offset;
+    int ret;
+
+    mbedtls_md_init( &aux );
+
+#define MD_CHK( func_call ) \
+    do {                    \
+        ret = (func_call);  \
+        if( ret != 0 )      \
+            goto cleanup;   \
+    } while( 0 )
+
+    MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) );
+
+    /* After hmac_start() of hmac_reset(), ikey has already been hashed,
+     * so we can start directly with the message */
+    MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
+    MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
+
+    /* For each possible length, compute the hash up to that point */
+    for( offset = min_data_len; offset <= max_data_len; offset++ )
+    {
+        MD_CHK( mbedtls_md_clone( &aux, ctx ) );
+        MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
+        /* Keep only the correct inner_hash in the output buffer */
+        mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size,
+                                     offset, data_len_secret );
+
+        if( offset < max_data_len )
+            MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
+    }
+
+    /* Now compute HASH(okey + inner_hash) */
+    MD_CHK( mbedtls_md_starts( ctx ) );
+    MD_CHK( mbedtls_md_update( ctx, okey, block_size ) );
+    MD_CHK( mbedtls_md_update( ctx, output, hash_size ) );
+    MD_CHK( mbedtls_md_finish( ctx, output ) );
+
+    /* Done, get ready for next time */
+    MD_CHK( mbedtls_md_hmac_reset( ctx ) );
+
+#undef MD_CHK
+
+cleanup:
+    mbedtls_md_free( &aux );
+    return( ret );
+}
+
+/*
+ * Constant-flow memcpy from variable position in buffer.
+ * - functionally equivalent to memcpy(dst, src + offset_secret, len)
+ * - but with execution flow independent from the value of offset_secret.
+ */
+void mbedtls_ssl_cf_memcpy_offset( unsigned char *dst,
+                                   const unsigned char *src_base,
+                                   size_t offset_secret,
+                                   size_t offset_min, size_t offset_max,
+                                   size_t len )
+{
+    size_t offset;
+
+    for( offset = offset_min; offset <= offset_max; offset++ )
+    {
+        mbedtls_ssl_cf_memcpy_if_eq( dst, src_base + offset, len,
+                                     offset, offset_secret );
+    }
+}
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
+
+static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
+{
+    size_t i;
+    mbedtls_cipher_mode_t mode;
+    int auth_done = 0;
+#if defined(SSL_SOME_MODES_USE_MAC)
+    size_t padlen = 0, correct = 1;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
+
+    if( ssl->session_in == NULL || ssl->transform_in == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
+
+    if( ssl->in_msglen < ssl->transform_in->minlen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
+                       ssl->in_msglen, ssl->transform_in->minlen ) );
+        return( MBEDTLS_ERR_SSL_INVALID_MAC );
+    }
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    if( mode == MBEDTLS_MODE_STREAM )
+    {
+        int ret;
+        size_t olen = 0;
+
+        padlen = 0;
+
+        if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
+                                   ssl->transform_in->iv_dec,
+                                   ssl->transform_in->ivlen,
+                                   ssl->in_msg, ssl->in_msglen,
+                                   ssl->in_msg, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
+            return( ret );
+        }
+
+        if( ssl->in_msglen != olen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+    }
+    else
+#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
+    if( mode == MBEDTLS_MODE_GCM ||
+        mode == MBEDTLS_MODE_CCM )
+    {
+        int ret;
+        size_t dec_msglen, olen;
+        unsigned char *dec_msg;
+        unsigned char *dec_msg_result;
+        unsigned char add_data[13];
+        unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
+                               MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+        size_t explicit_iv_len = ssl->transform_in->ivlen -
+                                 ssl->transform_in->fixed_ivlen;
+
+        if( ssl->in_msglen < explicit_iv_len + taglen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
+                                "+ taglen (%d)", ssl->in_msglen,
+                                explicit_iv_len, taglen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
+        }
+        dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
+
+        dec_msg = ssl->in_msg;
+        dec_msg_result = ssl->in_msg;
+        ssl->in_msglen = dec_msglen;
+
+        memcpy( add_data, ssl->in_ctr, 8 );
+        add_data[8]  = ssl->in_msgtype;
+        mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                           ssl->conf->transport, add_data + 9 );
+        add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
+        add_data[12] = ssl->in_msglen & 0xFF;
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
+                       add_data, 13 );
+
+        memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
+                ssl->in_iv,
+                ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
+                                     ssl->transform_in->ivlen );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
+
+        /*
+         * Decrypt and authenticate
+         */
+        if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
+                                         ssl->transform_in->iv_dec,
+                                         ssl->transform_in->ivlen,
+                                         add_data, 13,
+                                         dec_msg, dec_msglen,
+                                         dec_msg_result, &olen,
+                                         dec_msg + dec_msglen, taglen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
+
+            if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
+                return( MBEDTLS_ERR_SSL_INVALID_MAC );
+
+            return( ret );
+        }
+        auth_done++;
+
+        if( olen != dec_msglen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+    }
+    else
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
+    if( mode == MBEDTLS_MODE_CBC )
+    {
+        /*
+         * Decrypt and check the padding
+         */
+        int ret;
+        unsigned char *dec_msg;
+        unsigned char *dec_msg_result;
+        size_t dec_msglen;
+        size_t minlen = 0;
+        size_t olen = 0;
+
+        /*
+         * Check immediate ciphertext sanity
+         */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+            minlen += ssl->transform_in->ivlen;
+#endif
+
+        if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
+            ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
+                                "+ 1 ) ( + expl IV )", ssl->in_msglen,
+                                ssl->transform_in->ivlen,
+                                ssl->transform_in->maclen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
+        }
+
+        dec_msglen = ssl->in_msglen;
+        dec_msg = ssl->in_msg;
+        dec_msg_result = ssl->in_msg;
+
+        /*
+         * Authenticate before decrypt if enabled
+         */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
+        {
+            unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
+            unsigned char pseudo_hdr[13];
+
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
+
+            dec_msglen -= ssl->transform_in->maclen;
+            ssl->in_msglen -= ssl->transform_in->maclen;
+
+            memcpy( pseudo_hdr +  0, ssl->in_ctr, 8 );
+            memcpy( pseudo_hdr +  8, ssl->in_hdr, 3 );
+            pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
+            pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen      ) & 0xFF );
+
+            MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
+
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec,
+                             ssl->in_iv, ssl->in_msglen );
+            mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
+            mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
+
+            MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", ssl->in_iv + ssl->in_msglen,
+                                              ssl->transform_in->maclen );
+            MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
+                                              ssl->transform_in->maclen );
+
+            if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect,
+                                          ssl->transform_in->maclen ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
+
+                return( MBEDTLS_ERR_SSL_INVALID_MAC );
+            }
+            auth_done++;
+        }
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+        /*
+         * Check length sanity
+         */
+        if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
+                           ssl->in_msglen, ssl->transform_in->ivlen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        /*
+         * Initialize for prepended IV for block cipher in TLS v1.1 and up
+         */
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+        {
+            dec_msglen -= ssl->transform_in->ivlen;
+            ssl->in_msglen -= ssl->transform_in->ivlen;
+
+            for( i = 0; i < ssl->transform_in->ivlen; i++ )
+                ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+
+        if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
+                                   ssl->transform_in->iv_dec,
+                                   ssl->transform_in->ivlen,
+                                   dec_msg, dec_msglen,
+                                   dec_msg_result, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
+            return( ret );
+        }
+
+        if( dec_msglen != olen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
+        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
+        {
+            /*
+             * Save IV in SSL3 and TLS1
+             */
+            memcpy( ssl->transform_in->iv_dec,
+                    ssl->transform_in->cipher_ctx_dec.iv,
+                    ssl->transform_in->ivlen );
+        }
+#endif
+
+        padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
+
+        if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
+            auth_done == 0 )
+        {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
+                        ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
+#endif
+            padlen = 0;
+            correct = 0;
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            if( padlen > ssl->transform_in->ivlen )
+            {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
+                                    "should be no more than %d",
+                               padlen, ssl->transform_in->ivlen ) );
+#endif
+                correct = 0;
+            }
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            /*
+             * TLSv1+: always check the padding up to the first failure
+             * and fake check up to 256 bytes of padding
+             */
+            size_t pad_count = 0, real_count = 1;
+            size_t padding_idx = ssl->in_msglen - padlen;
+
+            /*
+             * Padding is guaranteed to be incorrect if:
+             *   1. padlen > ssl->in_msglen
+             *
+             *   2. padding_idx > MBEDTLS_SSL_MAX_CONTENT_LEN +
+             *                     ssl->transform_in->maclen
+             *
+             * In both cases we reset padding_idx to a safe value (0) to
+             * prevent out-of-buffer reads.
+             */
+            correct &= ( padlen <= ssl->in_msglen );
+            correct &= ( padding_idx <= MBEDTLS_SSL_MAX_CONTENT_LEN +
+                                       ssl->transform_in->maclen );
+
+            padding_idx *= correct;
+
+            for( i = 0; i < 256; i++ )
+            {
+                real_count &= ( i < padlen );
+                pad_count += real_count *
+                             ( ssl->in_msg[padding_idx + i] == padlen - 1 );
+            }
+
+            correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+            if( padlen > 0 && correct == 0 )
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
+#endif
+            padlen &= correct * 0x1FF;
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        ssl->in_msglen -= padlen;
+    }
+    else
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
+                   ssl->in_msg, ssl->in_msglen );
+#endif
+
+    /*
+     * Authenticate if not done yet.
+     * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
+     */
+#if defined(SSL_SOME_MODES_USE_MAC)
+    if( auth_done == 0 )
+    {
+        unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
+        unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD];
+
+        ssl->in_msglen -= ssl->transform_in->maclen;
+
+        ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
+        ssl->in_len[1] = (unsigned char)( ssl->in_msglen      );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            ssl_mac( &ssl->transform_in->md_ctx_dec,
+                      ssl->transform_in->mac_dec,
+                      ssl->in_msg, ssl->in_msglen,
+                      ssl->in_ctr, ssl->in_msgtype,
+                      mac_expect );
+            memcpy( mac_peer, ssl->in_msg + ssl->in_msglen,
+                              ssl->transform_in->maclen );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+        defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            int ret;
+            unsigned char add_data[13];
+
+            /*
+             * The next two sizes are the minimum and maximum values of
+             * in_msglen over all padlen values.
+             *
+             * They're independent of padlen, since we previously did
+             * in_msglen -= padlen.
+             *
+             * Note that max_len + maclen is never more than the buffer
+             * length, as we previously did in_msglen -= maclen too.
+             */
+            const size_t max_len = ssl->in_msglen + padlen;
+            const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
+
+            memcpy( add_data +  0, ssl->in_ctr, 8 );
+            memcpy( add_data +  8, ssl->in_hdr, 3 );
+            memcpy( add_data + 11, ssl->in_len, 2 );
+
+            ret = mbedtls_ssl_cf_hmac( &ssl->transform_in->md_ctx_dec,
+                                       add_data, sizeof( add_data ),
+                                       ssl->in_msg, ssl->in_msglen,
+                                       min_len, max_len,
+                                       mac_expect );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret );
+                return( ret );
+            }
+
+            mbedtls_ssl_cf_memcpy_offset( mac_peer, ssl->in_msg,
+                                          ssl->in_msglen,
+                                          min_len, max_len,
+                                          ssl->transform_in->maclen );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+              MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+        MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", mac_peer, ssl->transform_in->maclen );
+#endif
+
+        if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect,
+                                      ssl->transform_in->maclen ) != 0 )
+        {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
+#endif
+            correct = 0;
+        }
+        auth_done++;
+    }
+
+    /*
+     * Finally check the correct flag
+     */
+    if( correct == 0 )
+        return( MBEDTLS_ERR_SSL_INVALID_MAC );
+#endif /* SSL_SOME_MODES_USE_MAC */
+
+    /* Make extra sure authentication was performed, exactly once */
+    if( auth_done != 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    if( ssl->in_msglen == 0 )
+    {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
+            && ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
+        {
+            /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+        ssl->nb_zero++;
+
+        /*
+         * Three or more empty messages may be a DoS attack
+         * (excessive CPU consumption).
+         */
+        if( ssl->nb_zero > 3 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
+                                "messages, possible DoS attack" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
+        }
+    }
+    else
+        ssl->nb_zero = 0;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ; /* in_ctr read from peer, not maintained internally */
+    }
+    else
+#endif
+    {
+        for( i = 8; i > ssl_ep_len( ssl ); i-- )
+            if( ++ssl->in_ctr[i - 1] != 0 )
+                break;
+
+        /* The loop goes to its end iff the counter is wrapping */
+        if( i == ssl_ep_len( ssl ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
+            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
+
+    return( 0 );
+}
+
+#undef MAC_NONE
+#undef MAC_PLAINTEXT
+#undef MAC_CIPHERTEXT
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+/*
+ * Compression/decompression functions
+ */
+static int ssl_compress_buf( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *msg_post = ssl->out_msg;
+    ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
+    size_t len_pre = ssl->out_msglen;
+    unsigned char *msg_pre = ssl->compress_buf;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
+
+    if( len_pre == 0 )
+        return( 0 );
+
+    memcpy( msg_pre, ssl->out_msg, len_pre );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
+                   ssl->out_msglen ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
+                   ssl->out_msg, ssl->out_msglen );
+
+    ssl->transform_out->ctx_deflate.next_in = msg_pre;
+    ssl->transform_out->ctx_deflate.avail_in = len_pre;
+    ssl->transform_out->ctx_deflate.next_out = msg_post;
+    ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN - bytes_written;
+
+    ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
+    if( ret != Z_OK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
+        return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
+    }
+
+    ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN -
+                      ssl->transform_out->ctx_deflate.avail_out - bytes_written;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
+                   ssl->out_msglen ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
+                   ssl->out_msg, ssl->out_msglen );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
+
+    return( 0 );
+}
+
+static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *msg_post = ssl->in_msg;
+    ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
+    size_t len_pre = ssl->in_msglen;
+    unsigned char *msg_pre = ssl->compress_buf;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
+
+    if( len_pre == 0 )
+        return( 0 );
+
+    memcpy( msg_pre, ssl->in_msg, len_pre );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
+                   ssl->in_msglen ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
+                   ssl->in_msg, ssl->in_msglen );
+
+    ssl->transform_in->ctx_inflate.next_in = msg_pre;
+    ssl->transform_in->ctx_inflate.avail_in = len_pre;
+    ssl->transform_in->ctx_inflate.next_out = msg_post;
+    ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_BUFFER_LEN -
+                                               header_bytes;
+
+    ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
+    if( ret != Z_OK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
+        return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
+    }
+
+    ssl->in_msglen = MBEDTLS_SSL_BUFFER_LEN -
+                     ssl->transform_in->ctx_inflate.avail_out - header_bytes;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
+                   ssl->in_msglen ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
+                   ssl->in_msg, ssl->in_msglen );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
+{
+    /* If renegotiation is not enforced, retransmit until we would reach max
+     * timeout if we were using the usual handshake doubling scheme */
+    if( ssl->conf->renego_max_records < 0 )
+    {
+        uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
+        unsigned char doublings = 1;
+
+        while( ratio != 0 )
+        {
+            ++doublings;
+            ratio >>= 1;
+        }
+
+        if( ++ssl->renego_records_seen > doublings )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
+            return( 0 );
+        }
+    }
+
+    return( ssl_write_hello_request( ssl ) );
+}
+#endif
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+
+/*
+ * Fill the input message buffer by appending data to it.
+ * The amount of data already fetched is in ssl->in_left.
+ *
+ * If we return 0, is it guaranteed that (at least) nb_want bytes are
+ * available (from this read and/or a previous one). Otherwise, an error code
+ * is returned (possibly EOF or WANT_READ).
+ *
+ * With stream transport (TLS) on success ssl->in_left == nb_want, but
+ * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
+ * since we always read a whole datagram at once.
+ *
+ * For DTLS, it is up to the caller to set ssl->next_record_offset when
+ * they're done reading a record.
+ */
+int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
+{
+    int ret;
+    size_t len;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
+
+    if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
+                            "or mbedtls_ssl_set_bio()" ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        uint32_t timeout;
+
+        /* Just to be sure */
+        if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
+                        "mbedtls_ssl_set_timer_cb() for DTLS" ) );
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+        }
+
+        /*
+         * The point is, we need to always read a full datagram at once, so we
+         * sometimes read more then requested, and handle the additional data.
+         * It could be the rest of the current record (while fetching the
+         * header) and/or some other records in the same datagram.
+         */
+
+        /*
+         * Move to the next record in the already read datagram if applicable
+         */
+        if( ssl->next_record_offset != 0 )
+        {
+            if( ssl->in_left < ssl->next_record_offset )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
+            ssl->in_left -= ssl->next_record_offset;
+
+            if( ssl->in_left != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
+                                    ssl->next_record_offset ) );
+                memmove( ssl->in_hdr,
+                         ssl->in_hdr + ssl->next_record_offset,
+                         ssl->in_left );
+            }
+
+            ssl->next_record_offset = 0;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
+                       ssl->in_left, nb_want ) );
+
+        /*
+         * Done if we already have enough data.
+         */
+        if( nb_want <= ssl->in_left)
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
+            return( 0 );
+        }
+
+        /*
+         * A record can't be split across datagrams. If we need to read but
+         * are not at the beginning of a new record, the caller did something
+         * wrong.
+         */
+        if( ssl->in_left != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        /*
+         * Don't even try to read if time's out already.
+         * This avoids by-passing the timer when repeatedly receiving messages
+         * that will end up being dropped.
+         */
+        if( ssl_check_timer( ssl ) != 0 )
+            ret = MBEDTLS_ERR_SSL_TIMEOUT;
+        else
+        {
+            len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
+
+            if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+                timeout = ssl->handshake->retransmit_timeout;
+            else
+                timeout = ssl->conf->read_timeout;
+
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
+
+            if( ssl->f_recv_timeout != NULL )
+                ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
+                                                                    timeout );
+            else
+                ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
+
+            MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
+
+            if( ret == 0 )
+                return( MBEDTLS_ERR_SSL_CONN_EOF );
+        }
+
+        if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
+            ssl_set_timer( ssl, 0 );
+
+            if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+            {
+                if( ssl_double_retransmit_timeout( ssl ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
+                    return( MBEDTLS_ERR_SSL_TIMEOUT );
+                }
+
+                if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
+                    return( ret );
+                }
+
+                return( MBEDTLS_ERR_SSL_WANT_READ );
+            }
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+            else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                     ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
+            {
+                if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
+                    return( ret );
+                }
+
+                return( MBEDTLS_ERR_SSL_WANT_READ );
+            }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+        }
+
+        if( ret < 0 )
+            return( ret );
+
+        ssl->in_left = ret;
+    }
+    else
+#endif
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
+                       ssl->in_left, nb_want ) );
+
+        while( ssl->in_left < nb_want )
+        {
+            len = nb_want - ssl->in_left;
+
+            if( ssl_check_timer( ssl ) != 0 )
+                ret = MBEDTLS_ERR_SSL_TIMEOUT;
+            else
+            {
+                if( ssl->f_recv_timeout != NULL )
+                {
+                    ret = ssl->f_recv_timeout( ssl->p_bio,
+                                               ssl->in_hdr + ssl->in_left, len,
+                                               ssl->conf->read_timeout );
+                }
+                else
+                {
+                    ret = ssl->f_recv( ssl->p_bio,
+                                       ssl->in_hdr + ssl->in_left, len );
+                }
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
+                                        ssl->in_left, nb_want ) );
+            MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
+
+            if( ret == 0 )
+                return( MBEDTLS_ERR_SSL_CONN_EOF );
+
+            if( ret < 0 )
+                return( ret );
+
+            if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1,
+                    ( "f_recv returned %d bytes but only %lu were requested",
+                    ret, (unsigned long)len ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
+            ssl->in_left += ret;
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
+
+    return( 0 );
+}
+
+/*
+ * Flush any data not yet written
+ */
+int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *buf, i;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
+
+    if( ssl->f_send == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
+                            "or mbedtls_ssl_set_bio()" ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    /* Avoid incrementing counter if data is flushed */
+    if( ssl->out_left == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
+        return( 0 );
+    }
+
+    while( ssl->out_left > 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
+                       mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
+
+        buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) +
+              ssl->out_msglen - ssl->out_left;
+        ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
+
+        MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
+
+        if( ret <= 0 )
+            return( ret );
+
+        if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1,
+                ( "f_send returned %d bytes but only %lu bytes were sent",
+                ret, (unsigned long)ssl->out_left ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        ssl->out_left -= ret;
+    }
+
+    for( i = 8; i > ssl_ep_len( ssl ); i-- )
+        if( ++ssl->out_ctr[i - 1] != 0 )
+            break;
+
+    /* The loop goes to its end iff the counter is wrapping */
+    if( i == ssl_ep_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
+        return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
+
+    return( 0 );
+}
+
+/*
+ * Functions to handle the DTLS retransmission state machine
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/*
+ * Append current handshake message to current outgoing flight
+ */
+static int ssl_flight_append( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_flight_item *msg;
+
+    /* Allocate space for current message */
+    if( ( msg = mbedtls_calloc( 1, sizeof(  mbedtls_ssl_flight_item ) ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
+                            sizeof( mbedtls_ssl_flight_item ) ) );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
+        mbedtls_free( msg );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    /* Copy current handshake message with headers */
+    memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
+    msg->len = ssl->out_msglen;
+    msg->type = ssl->out_msgtype;
+    msg->next = NULL;
+
+    /* Append to the current flight */
+    if( ssl->handshake->flight == NULL )
+        ssl->handshake->flight = msg;
+    else
+    {
+        mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
+        while( cur->next != NULL )
+            cur = cur->next;
+        cur->next = msg;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Free the current flight of handshake messages
+ */
+static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
+{
+    mbedtls_ssl_flight_item *cur = flight;
+    mbedtls_ssl_flight_item *next;
+
+    while( cur != NULL )
+    {
+        next = cur->next;
+
+        mbedtls_free( cur->p );
+        mbedtls_free( cur );
+
+        cur = next;
+    }
+}
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
+#endif
+
+/*
+ * Swap transform_out and out_ctr with the alternative ones
+ */
+static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_transform *tmp_transform;
+    unsigned char tmp_out_ctr[8];
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    int ret;
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+    if( ssl->transform_out == ssl->handshake->alt_transform_out )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
+
+    /* Swap transforms */
+    tmp_transform                     = ssl->transform_out;
+    ssl->transform_out                = ssl->handshake->alt_transform_out;
+    ssl->handshake->alt_transform_out = tmp_transform;
+
+    /* Swap epoch + sequence_number */
+    memcpy( tmp_out_ctr,                 ssl->out_ctr,                8 );
+    memcpy( ssl->out_ctr,                ssl->handshake->alt_out_ctr, 8 );
+    memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr,                 8 );
+
+    /* Adjust to the newly activated transform */
+    if( ssl->transform_out != NULL &&
+        ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+    {
+        ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen -
+                                     ssl->transform_out->fixed_ivlen;
+    }
+    else
+        ssl->out_msg = ssl->out_iv;
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_activate != NULL )
+    {
+        if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+    return( 0 );
+}
+
+/*
+ * Retransmit the current flight of messages.
+ *
+ * Need to remember the current message in case flush_output returns
+ * WANT_WRITE, causing us to exit this function and come back later.
+ * This function must be called until state is no longer SENDING.
+ */
+int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
+
+    if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) );
+
+        ssl->handshake->cur_msg = ssl->handshake->flight;
+        if( ( ret = ssl_swap_epochs( ssl ) ) != 0 )
+            return( ret );
+
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
+    }
+
+    while( ssl->handshake->cur_msg != NULL )
+    {
+        mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg;
+
+        /* Swap epochs before sending Finished: we can't do it after
+         * sending ChangeCipherSpec, in case write returns WANT_READ.
+         * Must be done before copying, may change out_msg pointer */
+        if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            cur->p[0] == MBEDTLS_SSL_HS_FINISHED )
+        {
+            if( ( ret = ssl_swap_epochs( ssl ) ) != 0 )
+                return( ret );
+        }
+
+        memcpy( ssl->out_msg, cur->p, cur->len );
+        ssl->out_msglen = cur->len;
+        ssl->out_msgtype = cur->type;
+
+        ssl->handshake->cur_msg = cur->next;
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 );
+
+        if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+            return( ret );
+        }
+    }
+
+    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+    else
+    {
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+        ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
+
+    return( 0 );
+}
+
+/*
+ * To be called when the last message of an incoming flight is received.
+ */
+void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
+{
+    /* We won't need to resend that one any more */
+    ssl_flight_free( ssl->handshake->flight );
+    ssl->handshake->flight = NULL;
+    ssl->handshake->cur_msg = NULL;
+
+    /* The next incoming flight will start with this msg_seq */
+    ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
+
+    /* Cancel timer */
+    ssl_set_timer( ssl, 0 );
+
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+        ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
+    {
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+    }
+    else
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
+}
+
+/*
+ * To be called when the last message of an outgoing flight is send.
+ */
+void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
+{
+    ssl_reset_retransmit_timeout( ssl );
+    ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
+
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+        ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
+    {
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+    }
+    else
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+/*
+ * Record layer functions
+ */
+
+/*
+ * Write current record.
+ * Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg.
+ */
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
+{
+    int ret, done = 0, out_msg_type;
+    size_t len = ssl->out_msglen;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake != NULL &&
+        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        ; /* Skip special handshake treatment when resending */
+    }
+    else
+#endif
+    if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        out_msg_type = ssl->out_msg[0];
+
+        if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST &&
+            ssl->handshake == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
+        ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >>  8 );
+        ssl->out_msg[3] = (unsigned char)( ( len - 4 )       );
+
+        /*
+         * DTLS has additional fields in the Handshake layer,
+         * between the length field and the actual payload:
+         *      uint16 message_seq;
+         *      uint24 fragment_offset;
+         *      uint24 fragment_length;
+         */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        {
+            /* Make room for the additional DTLS fields */
+            if( MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen < 8 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
+                              "size %u, maximum %u",
+                               (unsigned) ( ssl->in_hslen - 4 ),
+                               (unsigned) ( MBEDTLS_SSL_MAX_CONTENT_LEN - 12 ) ) );
+                return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+            }
+
+            memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 );
+            ssl->out_msglen += 8;
+            len += 8;
+
+            /* Write message_seq and update it, except for HelloRequest */
+            if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
+            {
+                ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
+                ssl->out_msg[5] = ( ssl->handshake->out_msg_seq      ) & 0xFF;
+                ++( ssl->handshake->out_msg_seq );
+            }
+            else
+            {
+                ssl->out_msg[4] = 0;
+                ssl->out_msg[5] = 0;
+            }
+
+            /* We don't fragment, so frag_offset = 0 and frag_len = len */
+            memset( ssl->out_msg + 6, 0x00, 3 );
+            memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
+        }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+        if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
+            ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
+    }
+
+    /* Save handshake and CCS messages for resending */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake != NULL &&
+        ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING &&
+        ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ||
+          ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) )
+    {
+        if( ( ret = ssl_flight_append( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
+            return( ret );
+        }
+    }
+#endif
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->transform_out != NULL &&
+        ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
+    {
+        if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
+            return( ret );
+        }
+
+        len = ssl->out_msglen;
+    }
+#endif /*MBEDTLS_ZLIB_SUPPORT */
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_write != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
+
+        ret = mbedtls_ssl_hw_record_write( ssl );
+        if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+
+        if( ret == 0 )
+            done = 1;
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+    if( !done )
+    {
+        ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
+        mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                           ssl->conf->transport, ssl->out_hdr + 1 );
+
+        ssl->out_len[0] = (unsigned char)( len >> 8 );
+        ssl->out_len[1] = (unsigned char)( len      );
+
+        if( ssl->transform_out != NULL )
+        {
+            if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
+                return( ret );
+            }
+
+            len = ssl->out_msglen;
+            ssl->out_len[0] = (unsigned char)( len >> 8 );
+            ssl->out_len[1] = (unsigned char)( len      );
+        }
+
+        ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen;
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
+                            "version = [%d:%d], msglen = %d",
+                       ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
+                     ( ssl->out_len[0] << 8 ) | ssl->out_len[1] ) );
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
+                       ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen );
+    }
+
+    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/*
+ * Mark bits in bitmask (used for DTLS HS reassembly)
+ */
+static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
+{
+    unsigned int start_bits, end_bits;
+
+    start_bits = 8 - ( offset % 8 );
+    if( start_bits != 8 )
+    {
+        size_t first_byte_idx = offset / 8;
+
+        /* Special case */
+        if( len <= start_bits )
+        {
+            for( ; len != 0; len-- )
+                mask[first_byte_idx] |= 1 << ( start_bits - len );
+
+            /* Avoid potential issues with offset or len becoming invalid */
+            return;
+        }
+
+        offset += start_bits; /* Now offset % 8 == 0 */
+        len -= start_bits;
+
+        for( ; start_bits != 0; start_bits-- )
+            mask[first_byte_idx] |= 1 << ( start_bits - 1 );
+    }
+
+    end_bits = len % 8;
+    if( end_bits != 0 )
+    {
+        size_t last_byte_idx = ( offset + len ) / 8;
+
+        len -= end_bits; /* Now len % 8 == 0 */
+
+        for( ; end_bits != 0; end_bits-- )
+            mask[last_byte_idx] |= 1 << ( 8 - end_bits );
+    }
+
+    memset( mask + offset / 8, 0xFF, len / 8 );
+}
+
+/*
+ * Check that bitmask is full
+ */
+static int ssl_bitmask_check( unsigned char *mask, size_t len )
+{
+    size_t i;
+
+    for( i = 0; i < len / 8; i++ )
+        if( mask[i] != 0xFF )
+            return( -1 );
+
+    for( i = 0; i < len % 8; i++ )
+        if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
+            return( -1 );
+
+    return( 0 );
+}
+
+/*
+ * Reassemble fragmented DTLS handshake messages.
+ *
+ * Use a temporary buffer for reassembly, divided in two parts:
+ * - the first holds the reassembled message (including handshake header),
+ * - the second holds a bitmask indicating which parts of the message
+ *   (excluding headers) have been received so far.
+ */
+static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl )
+{
+    unsigned char *msg, *bitmask;
+    size_t frag_len, frag_off;
+    size_t msg_len = ssl->in_hslen - 12; /* Without headers */
+
+    if( ssl->handshake == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) );
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+    }
+
+    /*
+     * For first fragment, check size and allocate buffer
+     */
+    if( ssl->handshake->hs_msg == NULL )
+    {
+        size_t alloc_len;
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
+                            msg_len ) );
+
+        if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) );
+            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+        }
+
+        /* The bitmask needs one bit per byte of message excluding header */
+        alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 );
+
+        ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len );
+        if( ssl->handshake->hs_msg == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) );
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+        }
+
+        /* Prepare final header: copy msg_type, length and message_seq,
+         * then add standardised fragment_offset and fragment_length */
+        memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 );
+        memset( ssl->handshake->hs_msg + 6, 0, 3 );
+        memcpy( ssl->handshake->hs_msg + 9,
+                ssl->handshake->hs_msg + 1, 3 );
+    }
+    else
+    {
+        /* Make sure msg_type and length are consistent */
+        if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+    }
+
+    msg = ssl->handshake->hs_msg + 12;
+    bitmask = msg + msg_len;
+
+    /*
+     * Check and copy current fragment
+     */
+    frag_off = ( ssl->in_msg[6]  << 16 ) |
+               ( ssl->in_msg[7]  << 8  ) |
+                 ssl->in_msg[8];
+    frag_len = ( ssl->in_msg[9]  << 16 ) |
+               ( ssl->in_msg[10] << 8  ) |
+                 ssl->in_msg[11];
+
+    if( frag_off + frag_len > msg_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d",
+                          frag_off, frag_len, msg_len ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    if( frag_len + 12 > ssl->in_msglen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d",
+                          frag_len, ssl->in_msglen ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
+                        frag_off, frag_len ) );
+
+    memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
+    ssl_bitmask_set( bitmask, frag_off, frag_len );
+
+    /*
+     * Do we have the complete message by now?
+     * If yes, finalize it, else ask to read the next record.
+     */
+    if( ssl_bitmask_check( bitmask, msg_len ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) );
+        return( MBEDTLS_ERR_SSL_WANT_READ );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) );
+
+    if( frag_len + 12 < ssl->in_msglen )
+    {
+        /*
+         * We'got more handshake messages in the same record.
+         * This case is not handled now because no know implementation does
+         * that and it's hard to test, so we prefer to fail cleanly for now.
+         */
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) );
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+    }
+
+    if( ssl->in_left > ssl->next_record_offset )
+    {
+        /*
+         * We've got more data in the buffer after the current record,
+         * that we don't want to overwrite. Move it before writing the
+         * reassembled message, and adjust in_left and next_record_offset.
+         */
+        unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset;
+        unsigned char *new_remain = ssl->in_msg + ssl->in_hslen;
+        size_t remain_len = ssl->in_left - ssl->next_record_offset;
+
+        /* First compute and check new lengths */
+        ssl->next_record_offset = new_remain - ssl->in_hdr;
+        ssl->in_left = ssl->next_record_offset + remain_len;
+
+        if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN -
+                           (size_t)( ssl->in_hdr - ssl->in_buf ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) );
+            return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+        }
+
+        memmove( new_remain, cur_remain, remain_len );
+    }
+
+    memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen );
+
+    mbedtls_zeroize( ssl->handshake->hs_msg, ssl->in_hslen );
+    mbedtls_free( ssl->handshake->hs_msg );
+    ssl->handshake->hs_msg = NULL;
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message",
+                   ssl->in_msg, ssl->in_hslen );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
+{
+    if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
+                            ssl->in_msglen ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + (
+                    ( ssl->in_msg[1] << 16 ) |
+                    ( ssl->in_msg[2] << 8  ) |
+                      ssl->in_msg[3] );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
+                        " %d, type = %d, hslen = %d",
+                        ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        int ret;
+        unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
+
+        /* ssl->handshake is NULL when receiving ClientHello for renego */
+        if( ssl->handshake != NULL &&
+            recv_msg_seq != ssl->handshake->in_msg_seq )
+        {
+            /* Retransmit only on last message from previous flight, to avoid
+             * too many retransmissions.
+             * Besides, No sane server ever retransmits HelloVerifyRequest */
+            if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
+                ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
+                                    "message_seq = %d, start_of_flight = %d",
+                                    recv_msg_seq,
+                                    ssl->handshake->in_flight_start_seq ) );
+
+                if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
+                    return( ret );
+                }
+            }
+            else
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
+                                    "message_seq = %d, expected = %d",
+                                    recv_msg_seq,
+                                    ssl->handshake->in_msg_seq ) );
+            }
+
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+        }
+        /* Wait until message completion to increment in_msg_seq */
+
+        /* Reassemble if current message is fragmented or reassembly is
+         * already in progress */
+        if( ssl->in_msglen < ssl->in_hslen ||
+            memcmp( ssl->in_msg + 6, "\0\0\0",        3 ) != 0 ||
+            memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 ||
+            ( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
+
+            if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret );
+                return( ret );
+            }
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    /* With TLS we don't handle fragmentation (for now) */
+    if( ssl->in_msglen < ssl->in_hslen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+    }
+
+    return( 0 );
+}
+
+void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
+{
+
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
+        ssl->handshake != NULL )
+    {
+        ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
+    }
+
+    /* Handshake message is complete, increment counter */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake != NULL )
+    {
+        ssl->handshake->in_msg_seq++;
+    }
+#endif
+}
+
+/*
+ * DTLS anti-replay: RFC 6347 4.1.2.6
+ *
+ * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
+ * Bit n is set iff record number in_window_top - n has been seen.
+ *
+ * Usually, in_window_top is the last record number seen and the lsb of
+ * in_window is set. The only exception is the initial state (record number 0
+ * not seen yet).
+ */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
+{
+    ssl->in_window_top = 0;
+    ssl->in_window = 0;
+}
+
+static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
+{
+    return( ( (uint64_t) buf[0] << 40 ) |
+            ( (uint64_t) buf[1] << 32 ) |
+            ( (uint64_t) buf[2] << 24 ) |
+            ( (uint64_t) buf[3] << 16 ) |
+            ( (uint64_t) buf[4] <<  8 ) |
+            ( (uint64_t) buf[5]       ) );
+}
+
+/*
+ * Return 0 if sequence number is acceptable, -1 otherwise
+ */
+int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
+{
+    uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
+    uint64_t bit;
+
+    if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+        return( 0 );
+
+    if( rec_seqnum > ssl->in_window_top )
+        return( 0 );
+
+    bit = ssl->in_window_top - rec_seqnum;
+
+    if( bit >= 64 )
+        return( -1 );
+
+    if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
+        return( -1 );
+
+    return( 0 );
+}
+
+/*
+ * Update replay window on new validated record
+ */
+void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
+{
+    uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
+
+    if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+        return;
+
+    if( rec_seqnum > ssl->in_window_top )
+    {
+        /* Update window_top and the contents of the window */
+        uint64_t shift = rec_seqnum - ssl->in_window_top;
+
+        if( shift >= 64 )
+            ssl->in_window = 1;
+        else
+        {
+            ssl->in_window <<= shift;
+            ssl->in_window |= 1;
+        }
+
+        ssl->in_window_top = rec_seqnum;
+    }
+    else
+    {
+        /* Mark that number as seen in the current window */
+        uint64_t bit = ssl->in_window_top - rec_seqnum;
+
+        if( bit < 64 ) /* Always true, but be extra sure */
+            ssl->in_window |= (uint64_t) 1 << bit;
+    }
+}
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+/* Forward declaration */
+static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
+
+/*
+ * Without any SSL context, check if a datagram looks like a ClientHello with
+ * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
+ * Both input and output include full DTLS headers.
+ *
+ * - if cookie is valid, return 0
+ * - if ClientHello looks superficially valid but cookie is not,
+ *   fill obuf and set olen, then
+ *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
+ * - otherwise return a specific error code
+ */
+static int ssl_check_dtls_clihlo_cookie(
+                           mbedtls_ssl_cookie_write_t *f_cookie_write,
+                           mbedtls_ssl_cookie_check_t *f_cookie_check,
+                           void *p_cookie,
+                           const unsigned char *cli_id, size_t cli_id_len,
+                           const unsigned char *in, size_t in_len,
+                           unsigned char *obuf, size_t buf_len, size_t *olen )
+{
+    size_t sid_len, cookie_len;
+    unsigned char *p;
+
+    if( f_cookie_write == NULL || f_cookie_check == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    /*
+     * Structure of ClientHello with record and handshake headers,
+     * and expected values. We don't need to check a lot, more checks will be
+     * done when actually parsing the ClientHello - skipping those checks
+     * avoids code duplication and does not make cookie forging any easier.
+     *
+     *  0-0  ContentType type;                  copied, must be handshake
+     *  1-2  ProtocolVersion version;           copied
+     *  3-4  uint16 epoch;                      copied, must be 0
+     *  5-10 uint48 sequence_number;            copied
+     * 11-12 uint16 length;                     (ignored)
+     *
+     * 13-13 HandshakeType msg_type;            (ignored)
+     * 14-16 uint24 length;                     (ignored)
+     * 17-18 uint16 message_seq;                copied
+     * 19-21 uint24 fragment_offset;            copied, must be 0
+     * 22-24 uint24 fragment_length;            (ignored)
+     *
+     * 25-26 ProtocolVersion client_version;    (ignored)
+     * 27-58 Random random;                     (ignored)
+     * 59-xx SessionID session_id;              1 byte len + sid_len content
+     * 60+   opaque cookie<0..2^8-1>;           1 byte len + content
+     *       ...
+     *
+     * Minimum length is 61 bytes.
+     */
+    if( in_len < 61 ||
+        in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
+        in[3] != 0 || in[4] != 0 ||
+        in[19] != 0 || in[20] != 0 || in[21] != 0 )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    sid_len = in[59];
+    if( sid_len > in_len - 61 )
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+
+    cookie_len = in[60 + sid_len];
+    if( cookie_len > in_len - 60 )
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+
+    if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
+                        cli_id, cli_id_len ) == 0 )
+    {
+        /* Valid cookie */
+        return( 0 );
+    }
+
+    /*
+     * If we get here, we've got an invalid cookie, let's prepare HVR.
+     *
+     *  0-0  ContentType type;                  copied
+     *  1-2  ProtocolVersion version;           copied
+     *  3-4  uint16 epoch;                      copied
+     *  5-10 uint48 sequence_number;            copied
+     * 11-12 uint16 length;                     olen - 13
+     *
+     * 13-13 HandshakeType msg_type;            hello_verify_request
+     * 14-16 uint24 length;                     olen - 25
+     * 17-18 uint16 message_seq;                copied
+     * 19-21 uint24 fragment_offset;            copied
+     * 22-24 uint24 fragment_length;            olen - 25
+     *
+     * 25-26 ProtocolVersion server_version;    0xfe 0xff
+     * 27-27 opaque cookie<0..2^8-1>;           cookie_len = olen - 27, cookie
+     *
+     * Minimum length is 28.
+     */
+    if( buf_len < 28 )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+    /* Copy most fields and adapt others */
+    memcpy( obuf, in, 25 );
+    obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
+    obuf[25] = 0xfe;
+    obuf[26] = 0xff;
+
+    /* Generate and write actual cookie */
+    p = obuf + 28;
+    if( f_cookie_write( p_cookie,
+                        &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
+    {
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    *olen = p - obuf;
+
+    /* Go back and fill length fields */
+    obuf[27] = (unsigned char)( *olen - 28 );
+
+    obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
+    obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >>  8 );
+    obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 )       );
+
+    obuf[11] = (unsigned char)( ( *olen - 13 ) >>  8 );
+    obuf[12] = (unsigned char)( ( *olen - 13 )       );
+
+    return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
+}
+
+/*
+ * Handle possible client reconnect with the same UDP quadruplet
+ * (RFC 6347 Section 4.2.8).
+ *
+ * Called by ssl_parse_record_header() in case we receive an epoch 0 record
+ * that looks like a ClientHello.
+ *
+ * - if the input looks like a ClientHello without cookies,
+ *   send back HelloVerifyRequest, then
+ *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
+ * - if the input looks like a ClientHello with a valid cookie,
+ *   reset the session of the current context, and
+ *   return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
+ * - if anything goes wrong, return a specific error code
+ *
+ * mbedtls_ssl_read_record() will ignore the record if anything else than
+ * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
+ * cannot not return 0.
+ */
+static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t len;
+
+    /* Use out_msg as temporary buffer for writing out HelloVerifyRequest,
+     * because the output buffer's already around. Don't use out_buf though,
+     * as we don't want to overwrite out_ctr. */
+    ret = ssl_check_dtls_clihlo_cookie(
+            ssl->conf->f_cookie_write,
+            ssl->conf->f_cookie_check,
+            ssl->conf->p_cookie,
+            ssl->cli_id, ssl->cli_id_len,
+            ssl->in_buf, ssl->in_left,
+            ssl->out_msg, MBEDTLS_SSL_MAX_CONTENT_LEN, &len );
+
+    MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
+
+    if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
+    {
+        int send_ret;
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
+                                  ssl->out_msg, len );
+        /* Don't check write errors as we can't do anything here.
+         * If the error is permanent we'll catch it later,
+         * if it's not, then hopefully it'll work next time. */
+        send_ret = ssl->f_send( ssl->p_bio, ssl->out_msg, len );
+        MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret );
+        (void) send_ret;
+
+        return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
+    }
+
+    if( ret == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) );
+        if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
+            return( ret );
+        }
+
+        return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+
+/*
+ * ContentType type;
+ * ProtocolVersion version;
+ * uint16 epoch;            // DTLS only
+ * uint48 sequence_number;  // DTLS only
+ * uint16 length;
+ *
+ * Return 0 if header looks sane (and, for DTLS, the record is expected)
+ * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
+ * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
+ *
+ * With DTLS, mbedtls_ssl_read_record() will:
+ * 1. proceed with the record if this function returns 0
+ * 2. drop only the current record if this function returns UNEXPECTED_RECORD
+ * 3. return CLIENT_RECONNECT if this function return that value
+ * 4. drop the whole datagram if this function returns anything else.
+ * Point 2 is needed when the peer is resending, and we have already received
+ * the first record from a datagram but are still waiting for the others.
+ */
+static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
+{
+    int major_ver, minor_ver;
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
+
+    ssl->in_msgtype =  ssl->in_hdr[0];
+    ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
+    mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
+                        "version = [%d:%d], msglen = %d",
+                        ssl->in_msgtype,
+                        major_ver, minor_ver, ssl->in_msglen ) );
+
+    /* Check record type */
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
+        ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
+        ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
+        ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        /* Silently ignore invalid DTLS records as recommended by RFC 6347
+         * Section 4.1.2.7 */
+        if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    /* Check version */
+    if( major_ver != ssl->major_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    if( minor_ver > ssl->conf->max_minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    /* Check length against the size of our buffer */
+    if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN
+                         - (size_t)( ssl->in_msg - ssl->in_buf ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    /*
+     * DTLS-related tests.
+     * Check epoch before checking length constraint because
+     * the latter varies with the epoch. E.g., if a ChangeCipherSpec
+     * message gets duplicated before the corresponding Finished message,
+     * the second ChangeCipherSpec should be discarded because it belongs
+     * to an old epoch, but not because its length is shorter than
+     * the minimum record length for packets using the new record transform.
+     * Note that these two kinds of failures are handled differently,
+     * as an unexpected record is silently skipped but an invalid
+     * record leads to the entire datagram being dropped.
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
+
+        /* Check epoch (and sequence number) with DTLS */
+        if( rec_epoch != ssl->in_epoch )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
+                                        "expected %d, received %d",
+                                        ssl->in_epoch, rec_epoch ) );
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+            /*
+             * Check for an epoch 0 ClientHello. We can't use in_msg here to
+             * access the first byte of record content (handshake type), as we
+             * have an active transform (possibly iv_len != 0), so use the
+             * fact that the record header len is 13 instead.
+             */
+            if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
+                rec_epoch == 0 &&
+                ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+                ssl->in_left > 13 &&
+                ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
+                                            "from the same port" ) );
+                return( ssl_handle_possible_reconnect( ssl ) );
+            }
+            else
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+        }
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+        /* Replay detection only works for the current epoch */
+        if( rec_epoch == ssl->in_epoch &&
+            mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+        }
+#endif
+
+        /* Drop unexpected ChangeCipherSpec messages */
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
+            ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
+            ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+        }
+
+        /* Drop unexpected ApplicationData records,
+         * except at the beginning of renegotiations */
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
+            ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+                   ssl->state == MBEDTLS_SSL_SERVER_HELLO )
+#endif
+            )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+
+    /* Check length against bounds of the current transform and version */
+    if( ssl->transform_in == NULL )
+    {
+        if( ssl->in_msglen < 1 ||
+            ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+    }
+    else
+    {
+        if( ssl->in_msglen < ssl->transform_in->minlen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
+            ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        /*
+         * TLS encrypted messages can have up to 256 bytes of padding
+         */
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
+            ssl->in_msglen > ssl->transform_in->minlen +
+                             MBEDTLS_SSL_MAX_CONTENT_LEN + 256 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+#endif
+    }
+
+    return( 0 );
+}
+
+/*
+ * If applicable, decrypt (and decompress) record content
+ */
+static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
+{
+    int ret, done = 0;
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
+                   ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_read != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
+
+        ret = mbedtls_ssl_hw_record_read( ssl );
+        if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+
+        if( ret == 0 )
+            done = 1;
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+    if( !done && ssl->transform_in != NULL )
+    {
+        if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
+                       ssl->in_msg, ssl->in_msglen );
+
+        if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+    }
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->transform_in != NULL &&
+        ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
+    {
+        if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        mbedtls_ssl_dtls_replay_update( ssl );
+    }
+#endif
+
+    return( 0 );
+}
+
+static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
+
+/*
+ * Read a record.
+ *
+ * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
+ * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
+ *
+ */
+int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
+
+    if( ssl->keep_current_message == 0 )
+    {
+        do {
+
+            if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
+                return( ret );
+            }
+
+            ret = mbedtls_ssl_handle_message_type( ssl );
+
+        } while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
+
+        if( 0 != ret )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
+            return( ret );
+        }
+
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+        {
+            mbedtls_ssl_update_handshake_status( ssl );
+        }
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= reuse previously read message" ) );
+        ssl->keep_current_message = 0;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
+
+    return( 0 );
+}
+
+int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    /*
+     * Step A
+     *
+     * Consume last content-layer message and potentially
+     * update in_msglen which keeps track of the contents'
+     * consumption state.
+     *
+     * (1) Handshake messages:
+     *     Remove last handshake message, move content
+     *     and adapt in_msglen.
+     *
+     * (2) Alert messages:
+     *     Consume whole record content, in_msglen = 0.
+     *
+     *     NOTE: This needs to be fixed, since like for
+     *     handshake messages it is allowed to have
+     *     multiple alerts witin a single record.
+     *     Internal reference IOTSSL-1321.
+     *
+     * (3) Change cipher spec:
+     *     Consume whole record content, in_msglen = 0.
+     *
+     * (4) Application data:
+     *     Don't do anything - the record layer provides
+     *     the application data as a stream transport
+     *     and consumes through mbedtls_ssl_read only.
+     *
+     */
+
+    /* Case (1): Handshake messages */
+    if( ssl->in_hslen != 0 )
+    {
+        /* Hard assertion to be sure that no application data
+         * is in flight, as corrupting ssl->in_msglen during
+         * ssl->in_offt != NULL is fatal. */
+        if( ssl->in_offt != NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        /*
+         * Get next Handshake message in the current record
+         */
+
+        /* Notes:
+         * (1) in_hslen is *NOT* necessarily the size of the
+         *     current handshake content: If DTLS handshake
+         *     fragmentation is used, that's the fragment
+         *     size instead. Using the total handshake message
+         *     size here is FAULTY and should be changed at
+         *     some point. Internal reference IOTSSL-1414.
+         * (2) While it doesn't seem to cause problems, one
+         *     has to be very careful not to assume that in_hslen
+         *     is always <= in_msglen in a sensible communication.
+         *     Again, it's wrong for DTLS handshake fragmentation.
+         *     The following check is therefore mandatory, and
+         *     should not be treated as a silently corrected assertion.
+         *     Additionally, ssl->in_hslen might be arbitrarily out of
+         *     bounds after handling a DTLS message with an unexpected
+         *     sequence number, see mbedtls_ssl_prepare_handshake_record.
+         */
+        if( ssl->in_hslen < ssl->in_msglen )
+        {
+            ssl->in_msglen -= ssl->in_hslen;
+            memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
+                     ssl->in_msglen );
+
+            MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
+                                   ssl->in_msg, ssl->in_msglen );
+        }
+        else
+        {
+            ssl->in_msglen = 0;
+        }
+
+        ssl->in_hslen   = 0;
+    }
+    /* Case (4): Application data */
+    else if( ssl->in_offt != NULL )
+    {
+        return( 0 );
+    }
+    /* Everything else (CCS & Alerts) */
+    else
+    {
+        ssl->in_msglen = 0;
+    }
+
+    /*
+     * Step B
+     *
+     * Fetch and decode new record if current one is fully consumed.
+     *
+     */
+
+    if( ssl->in_msglen > 0 )
+    {
+        /* There's something left to be processed in the current record. */
+        return( 0 );
+    }
+
+    /* Need to fetch a new record */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+read_record_header:
+#endif
+
+    /* Current record either fully processed or to be discarded. */
+
+    if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+        return( ret );
+    }
+
+    if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
+    {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
+        {
+            if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
+            {
+                /* Skip unexpected record (but not whole datagram) */
+                ssl->next_record_offset = ssl->in_msglen
+                                        + mbedtls_ssl_hdr_len( ssl );
+
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
+                                            "(header)" ) );
+            }
+            else
+            {
+                /* Skip invalid record and the rest of the datagram */
+                ssl->next_record_offset = 0;
+                ssl->in_left = 0;
+
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
+                                            "(header)" ) );
+            }
+
+            /* Get next record */
+            goto read_record_header;
+        }
+#endif
+        return( ret );
+    }
+
+    /*
+     * Read and optionally decrypt the message contents
+     */
+    if( ( ret = mbedtls_ssl_fetch_input( ssl,
+                                 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+        return( ret );
+    }
+
+    /* Done reading this record, get ready for the next one */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
+    else
+#endif
+        ssl->in_left = 0;
+
+    if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
+    {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        {
+            /* Silently discard invalid records */
+            if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD ||
+                ret == MBEDTLS_ERR_SSL_INVALID_MAC )
+            {
+                /* Except when waiting for Finished as a bad mac here
+                 * probably means something went wrong in the handshake
+                 * (eg wrong psk used, mitm downgrade attempt, etc.) */
+                if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
+                    ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
+                {
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+                    if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
+                    {
+                        mbedtls_ssl_send_alert_message( ssl,
+                                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
+                    }
+#endif
+                    return( ret );
+                }
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+                if( ssl->conf->badmac_limit != 0 &&
+                    ++ssl->badmac_seen >= ssl->conf->badmac_limit )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
+                    return( MBEDTLS_ERR_SSL_INVALID_MAC );
+                }
+#endif
+
+                /* As above, invalid records cause
+                 * dismissal of the whole datagram. */
+
+                ssl->next_record_offset = 0;
+                ssl->in_left = 0;
+
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
+                goto read_record_header;
+            }
+
+            return( ret );
+        }
+        else
+#endif
+        {
+            /* Error out (and send alert) on invalid records */
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+            if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
+            {
+                mbedtls_ssl_send_alert_message( ssl,
+                        MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                        MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
+            }
+#endif
+            return( ret );
+        }
+    }
+
+    /*
+     * When we sent the last flight of the handshake, we MUST respond to a
+     * retransmit of the peer's previous flight with a retransmit. (In
+     * practice, only the Finished message will make it, other messages
+     * including CCS use the old transform so they're dropped as invalid.)
+     *
+     * If the record we received is not a handshake message, however, it
+     * means the peer received our last flight so we can clean up
+     * handshake info.
+     *
+     * This check needs to be done before prepare_handshake() due to an edge
+     * case: if the client immediately requests renegotiation, this
+     * finishes the current handshake first, avoiding the new ClientHello
+     * being mistaken for an ancient message in the current handshake.
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake != NULL &&
+        ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+                ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "received retransmit of last flight" ) );
+
+            if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
+                return( ret );
+            }
+
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+        }
+        else
+        {
+            ssl_handshake_wrapup_free_hs_transform( ssl );
+        }
+    }
+#endif
+
+    return( 0 );
+}
+
+int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    /*
+     * Handle particular types of records
+     */
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
+        {
+            return( ret );
+        }
+    }
+
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
+    {
+        if( ssl->in_msglen != 2 )
+        {
+            /* Note: Standard allows for more than one 2 byte alert
+               to be packed in a single message, but Mbed TLS doesn't
+               currently support this. */
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
+                           ssl->in_msglen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
+                       ssl->in_msg[0], ssl->in_msg[1] ) );
+
+        /*
+         * Ignore non-fatal alerts, except close_notify and no_renegotiation
+         */
+        if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
+                           ssl->in_msg[1] ) );
+            return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
+        }
+
+        if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+            ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
+            return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
+        }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
+        if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+            ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
+            /* Will be handled when trying to parse ServerHello */
+            return( 0 );
+        }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
+            ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+            ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+            ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
+            /* Will be handled in mbedtls_ssl_parse_certificate() */
+            return( 0 );
+        }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
+
+        /* Silently ignore: fetch new message */
+        return MBEDTLS_ERR_SSL_NON_FATAL;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    if( ( ret = mbedtls_ssl_send_alert_message( ssl,
+                    MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                    MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
+                            unsigned char level,
+                            unsigned char message )
+{
+    int ret;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
+
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
+    ssl->out_msglen = 2;
+    ssl->out_msg[0] = level;
+    ssl->out_msg[1] = message;
+
+    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
+
+    return( 0 );
+}
+
+/*
+ * Handshake functions
+ */
+#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)         && \
+    !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)     && \
+    !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)     && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)   && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)    && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+/* No certificate support -> dummy functions */
+int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+
+int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+
+#else
+/* Some certificate support -> implement write and parse */
+
+int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t i, n;
+    const mbedtls_x509_crt *crt;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+    {
+        if( ssl->client_auth == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
+            ssl->state++;
+            return( 0 );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        /*
+         * If using SSLv3 and got no cert, send an Alert message
+         * (otherwise an empty Certificate message will be sent).
+         */
+        if( mbedtls_ssl_own_cert( ssl )  == NULL &&
+            ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            ssl->out_msglen  = 2;
+            ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
+            ssl->out_msg[0]  = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
+            ssl->out_msg[1]  = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
+
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
+            goto write_msg;
+        }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+    }
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        if( mbedtls_ssl_own_cert( ssl ) == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
+            return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
+        }
+    }
+#endif
+
+    MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
+
+    /*
+     *     0  .  0    handshake type
+     *     1  .  3    handshake length
+     *     4  .  6    length of all certs
+     *     7  .  9    length of cert. 1
+     *    10  . n-1   peer certificate
+     *     n  . n+2   length of cert. 2
+     *    n+3 . ...   upper level cert, etc.
+     */
+    i = 7;
+    crt = mbedtls_ssl_own_cert( ssl );
+
+    while( crt != NULL )
+    {
+        n = crt->raw.len;
+        if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
+                           i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) );
+            return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
+        }
+
+        ssl->out_msg[i    ] = (unsigned char)( n >> 16 );
+        ssl->out_msg[i + 1] = (unsigned char)( n >>  8 );
+        ssl->out_msg[i + 2] = (unsigned char)( n       );
+
+        i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
+        i += n; crt = crt->next;
+    }
+
+    ssl->out_msg[4]  = (unsigned char)( ( i - 7 ) >> 16 );
+    ssl->out_msg[5]  = (unsigned char)( ( i - 7 ) >>  8 );
+    ssl->out_msg[6]  = (unsigned char)( ( i - 7 )       );
+
+    ssl->out_msglen  = i;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE;
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
+write_msg:
+#endif
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
+
+    return( ret );
+}
+
+int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t i, n;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+    int authmode = ssl->conf->authmode;
+    uint8_t alert;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
+        authmode = ssl->handshake->sni_authmode;
+#endif
+
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+        authmode == MBEDTLS_SSL_VERIFY_NONE )
+    {
+        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+#endif
+
+    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    {
+        /* mbedtls_ssl_read_record may have sent an alert already. We
+           let it decide whether to alert. */
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    /*
+     * Check if the client sent an empty certificate
+     */
+    if( ssl->conf->endpoint  == MBEDTLS_SSL_IS_SERVER &&
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        if( ssl->in_msglen  == 2                        &&
+            ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT            &&
+            ssl->in_msg[0]  == MBEDTLS_SSL_ALERT_LEVEL_WARNING  &&
+            ssl->in_msg[1]  == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
+
+            /* The client was asked for a certificate but didn't send
+               one. The client should know what's going on, so we
+               don't send an alert. */
+            ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
+            if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
+                return( 0 );
+            else
+                return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->conf->endpoint  == MBEDTLS_SSL_IS_SERVER &&
+        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        if( ssl->in_hslen   == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
+            ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE    &&
+            ssl->in_msg[0]  == MBEDTLS_SSL_HS_CERTIFICATE   &&
+            memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
+
+            /* The client was asked for a certificate but didn't send
+               one. The client should know what's going on, so we
+               don't send an alert. */
+            ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
+            if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
+                return( 0 );
+            else
+                return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_SRV_C */
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ||
+        ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+    }
+
+    i = mbedtls_ssl_hs_hdr_len( ssl );
+
+    /*
+     * Same message structure as in mbedtls_ssl_write_certificate()
+     */
+    n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
+
+    if( ssl->in_msg[i] != 0 ||
+        ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+    }
+
+    /* In case we tried to reuse a session but it failed */
+    if( ssl->session_negotiate->peer_cert != NULL )
+    {
+        mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
+        mbedtls_free( ssl->session_negotiate->peer_cert );
+    }
+
+    if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1,
+                    sizeof( mbedtls_x509_crt ) ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
+                       sizeof( mbedtls_x509_crt ) ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
+
+    i += 3;
+
+    while( i < ssl->in_hslen )
+    {
+        if ( i + 3 > ssl->in_hslen ) {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+        if( ssl->in_msg[i] != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+
+        n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
+            | (unsigned int) ssl->in_msg[i + 2];
+        i += 3;
+
+        if( n < 128 || i + n > ssl->in_hslen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+
+        ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
+                                  ssl->in_msg + i, n );
+        switch( ret )
+        {
+        case 0: /*ok*/
+        case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
+            /* Ignore certificate with an unknown algorithm: maybe a
+               prior certificate was already trusted. */
+            break;
+
+        case MBEDTLS_ERR_X509_ALLOC_FAILED:
+            alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
+            goto crt_parse_der_failed;
+
+        case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
+            alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            goto crt_parse_der_failed;
+
+        default:
+            alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
+        crt_parse_der_failed:
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
+            MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
+            return( ret );
+        }
+
+        i += n;
+    }
+
+    MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
+
+    /*
+     * On client, make sure the server cert doesn't change during renego to
+     * avoid "triple handshake" attack: https://secure-resumption.com/
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+        ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+    {
+        if( ssl->session->peer_cert == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+
+        if( ssl->session->peer_cert->raw.len !=
+            ssl->session_negotiate->peer_cert->raw.len ||
+            memcmp( ssl->session->peer_cert->raw.p,
+                    ssl->session_negotiate->peer_cert->raw.p,
+                    ssl->session->peer_cert->raw.len ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
+
+    if( authmode != MBEDTLS_SSL_VERIFY_NONE )
+    {
+        mbedtls_x509_crt *ca_chain;
+        mbedtls_x509_crl *ca_crl;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+        if( ssl->handshake->sni_ca_chain != NULL )
+        {
+            ca_chain = ssl->handshake->sni_ca_chain;
+            ca_crl   = ssl->handshake->sni_ca_crl;
+        }
+        else
+#endif
+        {
+            ca_chain = ssl->conf->ca_chain;
+            ca_crl   = ssl->conf->ca_crl;
+        }
+
+        /*
+         * Main check: verify certificate
+         */
+        ret = mbedtls_x509_crt_verify_with_profile(
+                                ssl->session_negotiate->peer_cert,
+                                ca_chain, ca_crl,
+                                ssl->conf->cert_profile,
+                                ssl->hostname,
+                               &ssl->session_negotiate->verify_result,
+                                ssl->conf->f_vrfy, ssl->conf->p_vrfy );
+
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
+        }
+
+        /*
+         * Secondary checks: always done, but change 'ret' only if it was 0
+         */
+
+#if defined(MBEDTLS_ECP_C)
+        {
+            const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
+
+            /* If certificate uses an EC key, make sure the curve is OK */
+            if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
+                mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
+            {
+                ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
+                if( ret == 0 )
+                    ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
+            }
+        }
+#endif /* MBEDTLS_ECP_C */
+
+        if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
+                                 ciphersuite_info,
+                                 ! ssl->conf->endpoint,
+                                 &ssl->session_negotiate->verify_result ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
+            if( ret == 0 )
+                ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
+        }
+
+        /* mbedtls_x509_crt_verify_with_profile is supposed to report a
+         * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
+         * with details encoded in the verification flags. All other kinds
+         * of error codes, including those from the user provided f_vrfy
+         * functions, are treated as fatal and lead to a failure of
+         * ssl_parse_certificate even if verification was optional. */
+        if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
+            ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+              ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
+        {
+            ret = 0;
+        }
+
+        if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
+            ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
+        }
+
+        if( ret != 0 )
+        {
+            /* The certificate may have been rejected for several reasons.
+               Pick one and send the corresponding alert. Which alert to send
+               may be a subject of debate in some cases. */
+            if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
+                alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
+                alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
+                alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
+                alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
+            else
+                alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            alert );
+        }
+
+#if defined(MBEDTLS_DEBUG_C)
+        if( ssl->session_negotiate->verify_result != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",
+                                        ssl->session_negotiate->verify_result ) );
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
+        }
+#endif /* MBEDTLS_DEBUG_C */
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
+
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
+    ssl->out_msglen  = 1;
+    ssl->out_msg[0]  = 1;
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
+
+    return( 0 );
+}
+
+int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
+    }
+
+    /*
+     * Switch to our negotiated transform and session parameters for inbound
+     * data.
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
+    ssl->transform_in = ssl->transform_negotiate;
+    ssl->session_in = ssl->session_negotiate;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+        ssl_dtls_replay_reset( ssl );
+#endif
+
+        /* Increment epoch */
+        if( ++ssl->in_epoch == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
+            /* This is highly unlikely to happen for legitimate reasons, so
+               treat it as an attack and don't send an alert. */
+            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    memset( ssl->in_ctr, 0, 8 );
+
+    /*
+     * Set the in_msg pointer to the correct location based on IV length
+     */
+    if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+    {
+        ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
+                      ssl->transform_negotiate->fixed_ivlen;
+    }
+    else
+        ssl->in_msg = ssl->in_iv;
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_activate != NULL )
+    {
+        if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
+
+    return( 0 );
+}
+
+void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
+                            const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
+{
+    ((void) ciphersuite_info);
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+        ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
+    else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA512_C)
+    if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
+        ssl->handshake->update_checksum = ssl_update_checksum_sha384;
+    else
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
+        ssl->handshake->update_checksum = ssl_update_checksum_sha256;
+    else
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return;
+    }
+}
+
+void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+     mbedtls_md5_starts_ret( &ssl->handshake->fin_md5  );
+    mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
+                                       const unsigned char *buf, size_t len )
+{
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+     mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
+    mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf, size_t len )
+{
+     mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
+    mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
+}
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
+                                        const unsigned char *buf, size_t len )
+{
+    mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
+}
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
+                                        const unsigned char *buf, size_t len )
+{
+    mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
+}
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+static void ssl_calc_finished_ssl(
+                mbedtls_ssl_context *ssl, unsigned char *buf, int from )
+{
+    const char *sender;
+    mbedtls_md5_context  md5;
+    mbedtls_sha1_context sha1;
+
+    unsigned char padbuf[48];
+    unsigned char md5sum[16];
+    unsigned char sha1sum[20];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if( !session )
+        session = ssl->session;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished ssl" ) );
+
+    mbedtls_md5_init( &md5 );
+    mbedtls_sha1_init( &sha1 );
+
+    mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
+    mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
+
+    /*
+     * SSLv3:
+     *   hash =
+     *      MD5( master + pad2 +
+     *          MD5( handshake + sender + master + pad1 ) )
+     *   + SHA1( master + pad2 +
+     *         SHA1( handshake + sender + master + pad1 ) )
+     */
+
+#if !defined(MBEDTLS_MD5_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
+                    md5.state, sizeof(  md5.state ) );
+#endif
+
+#if !defined(MBEDTLS_SHA1_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
+                   sha1.state, sizeof( sha1.state ) );
+#endif
+
+    sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
+                                       : "SRVR";
+
+    memset( padbuf, 0x36, 48 );
+
+    mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );
+    mbedtls_md5_update_ret( &md5, session->master, 48 );
+    mbedtls_md5_update_ret( &md5, padbuf, 48 );
+    mbedtls_md5_finish_ret( &md5, md5sum );
+
+    mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );
+    mbedtls_sha1_update_ret( &sha1, session->master, 48 );
+    mbedtls_sha1_update_ret( &sha1, padbuf, 40 );
+    mbedtls_sha1_finish_ret( &sha1, sha1sum );
+
+    memset( padbuf, 0x5C, 48 );
+
+    mbedtls_md5_starts_ret( &md5 );
+    mbedtls_md5_update_ret( &md5, session->master, 48 );
+    mbedtls_md5_update_ret( &md5, padbuf, 48 );
+    mbedtls_md5_update_ret( &md5, md5sum, 16 );
+    mbedtls_md5_finish_ret( &md5, buf );
+
+    mbedtls_sha1_starts_ret( &sha1 );
+    mbedtls_sha1_update_ret( &sha1, session->master, 48 );
+    mbedtls_sha1_update_ret( &sha1, padbuf , 40 );
+    mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );
+    mbedtls_sha1_finish_ret( &sha1, buf + 16 );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
+
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    mbedtls_zeroize(  padbuf, sizeof(  padbuf ) );
+    mbedtls_zeroize(  md5sum, sizeof(  md5sum ) );
+    mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_calc_finished_tls(
+                mbedtls_ssl_context *ssl, unsigned char *buf, int from )
+{
+    int len = 12;
+    const char *sender;
+    mbedtls_md5_context  md5;
+    mbedtls_sha1_context sha1;
+    unsigned char padbuf[36];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if( !session )
+        session = ssl->session;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls" ) );
+
+    mbedtls_md5_init( &md5 );
+    mbedtls_sha1_init( &sha1 );
+
+    mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
+    mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
+
+    /*
+     * TLSv1:
+     *   hash = PRF( master, finished_label,
+     *               MD5( handshake ) + SHA1( handshake ) )[0..11]
+     */
+
+#if !defined(MBEDTLS_MD5_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
+                    md5.state, sizeof(  md5.state ) );
+#endif
+
+#if !defined(MBEDTLS_SHA1_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
+                   sha1.state, sizeof( sha1.state ) );
+#endif
+
+    sender = ( from == MBEDTLS_SSL_IS_CLIENT )
+             ? "client finished"
+             : "server finished";
+
+    mbedtls_md5_finish_ret(  &md5, padbuf );
+    mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );
+
+    ssl->handshake->tls_prf( session->master, 48, sender,
+                             padbuf, 36, buf, len );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
+
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    mbedtls_zeroize(  padbuf, sizeof(  padbuf ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+static void ssl_calc_finished_tls_sha256(
+                mbedtls_ssl_context *ssl, unsigned char *buf, int from )
+{
+    int len = 12;
+    const char *sender;
+    mbedtls_sha256_context sha256;
+    unsigned char padbuf[32];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if( !session )
+        session = ssl->session;
+
+    mbedtls_sha256_init( &sha256 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls sha256" ) );
+
+    mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
+
+    /*
+     * TLSv1.2:
+     *   hash = PRF( master, finished_label,
+     *               Hash( handshake ) )[0.11]
+     */
+
+#if !defined(MBEDTLS_SHA256_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
+                   sha256.state, sizeof( sha256.state ) );
+#endif
+
+    sender = ( from == MBEDTLS_SSL_IS_CLIENT )
+             ? "client finished"
+             : "server finished";
+
+    mbedtls_sha256_finish_ret( &sha256, padbuf );
+
+    ssl->handshake->tls_prf( session->master, 48, sender,
+                             padbuf, 32, buf, len );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
+
+    mbedtls_sha256_free( &sha256 );
+
+    mbedtls_zeroize(  padbuf, sizeof(  padbuf ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+
+typedef int (*finish_sha384_t)(mbedtls_sha512_context*, unsigned char*);
+
+static void ssl_calc_finished_tls_sha384(
+                mbedtls_ssl_context *ssl, unsigned char *buf, int from )
+{
+    int len = 12;
+    const char *sender;
+    mbedtls_sha512_context sha512;
+    unsigned char padbuf[48];
+    /*
+     * For SHA-384, we can save 16 bytes by keeping padbuf 48 bytes long.
+     * However, to avoid stringop-overflow warning in gcc, we have to cast
+     * mbedtls_sha512_finish_ret().
+     */
+    finish_sha384_t finish_sha384 = (finish_sha384_t)mbedtls_sha512_finish_ret;
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if( !session )
+        session = ssl->session;
+
+    mbedtls_sha512_init( &sha512 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls sha384" ) );
+
+    mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
+
+    /*
+     * TLSv1.2:
+     *   hash = PRF( master, finished_label,
+     *               Hash( handshake ) )[0.11]
+     */
+
+#if !defined(MBEDTLS_SHA512_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
+                   sha512.state, sizeof( sha512.state ) );
+#endif
+
+    sender = ( from == MBEDTLS_SSL_IS_CLIENT )
+             ? "client finished"
+             : "server finished";
+
+    finish_sha384( &sha512, padbuf );
+
+    ssl->handshake->tls_prf( session->master, 48, sender,
+                             padbuf, 48, buf, len );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
+
+    mbedtls_sha512_free( &sha512 );
+
+    mbedtls_zeroize(  padbuf, sizeof( padbuf ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
+}
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
+{
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
+
+    /*
+     * Free our handshake params
+     */
+    mbedtls_ssl_handshake_free( ssl->handshake );
+    mbedtls_free( ssl->handshake );
+    ssl->handshake = NULL;
+
+    /*
+     * Free the previous transform and swith in the current one
+     */
+    if( ssl->transform )
+    {
+        mbedtls_ssl_transform_free( ssl->transform );
+        mbedtls_free( ssl->transform );
+    }
+    ssl->transform = ssl->transform_negotiate;
+    ssl->transform_negotiate = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
+}
+
+void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
+{
+    int resume = ssl->handshake->resume;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+    {
+        ssl->renego_status =  MBEDTLS_SSL_RENEGOTIATION_DONE;
+        ssl->renego_records_seen = 0;
+    }
+#endif
+
+    /*
+     * Free the previous session and switch in the current one
+     */
+    if( ssl->session )
+    {
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        /* RFC 7366 3.1: keep the EtM state */
+        ssl->session_negotiate->encrypt_then_mac =
+                  ssl->session->encrypt_then_mac;
+#endif
+
+        mbedtls_ssl_session_free( ssl->session );
+        mbedtls_free( ssl->session );
+    }
+    ssl->session = ssl->session_negotiate;
+    ssl->session_negotiate = NULL;
+
+    /*
+     * Add cache entry
+     */
+    if( ssl->conf->f_set_cache != NULL &&
+        ssl->session->id_len != 0 &&
+        resume == 0 )
+    {
+        if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->flight != NULL )
+    {
+        /* Cancel handshake timer */
+        ssl_set_timer( ssl, 0 );
+
+        /* Keep last flight around in case we need to resend it:
+         * we need the handshake and transform structures for that */
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
+    }
+    else
+#endif
+        ssl_handshake_wrapup_free_hs_transform( ssl );
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
+}
+
+int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
+{
+    int ret, hash_len;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
+
+    /*
+     * Set the out_msg pointer to the correct location based on IV length
+     */
+    if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+    {
+        ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
+                       ssl->transform_negotiate->fixed_ivlen;
+    }
+    else
+        ssl->out_msg = ssl->out_iv;
+
+    ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
+
+    /*
+     * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
+     * may define some other value. Currently (early 2016), no defined
+     * ciphersuite does this (and this is unlikely to change as activity has
+     * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
+     */
+    hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->verify_data_len = hash_len;
+    memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
+#endif
+
+    ssl->out_msglen  = 4 + hash_len;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_FINISHED;
+
+    /*
+     * In case of session resuming, invert the client and server
+     * ChangeCipherSpec messages order.
+     */
+    if( ssl->handshake->resume != 0 )
+    {
+#if defined(MBEDTLS_SSL_CLI_C)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+            ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+#endif
+    }
+    else
+        ssl->state++;
+
+    /*
+     * Switch to our negotiated transform and session parameters for outbound
+     * data.
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        unsigned char i;
+
+        /* Remember current epoch settings for resending */
+        ssl->handshake->alt_transform_out = ssl->transform_out;
+        memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 );
+
+        /* Set sequence_number to zero */
+        memset( ssl->out_ctr + 2, 0, 6 );
+
+        /* Increment epoch */
+        for( i = 2; i > 0; i-- )
+            if( ++ssl->out_ctr[i - 1] != 0 )
+                break;
+
+        /* The loop goes to its end iff the counter is wrapping */
+        if( i == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
+            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    memset( ssl->out_ctr, 0, 8 );
+
+    ssl->transform_out = ssl->transform_negotiate;
+    ssl->session_out = ssl->session_negotiate;
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_activate != NULL )
+    {
+        if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_send_flight_completed( ssl );
+#endif
+
+    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define SSL_MAX_HASH_LEN 36
+#else
+#define SSL_MAX_HASH_LEN 12
+#endif
+
+int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned int hash_len;
+    unsigned char buf[SSL_MAX_HASH_LEN];
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
+
+    ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /* There is currently no ciphersuite using another length with TLS 1.2 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        hash_len = 36;
+    else
+#endif
+        hash_len = 12;
+
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ||
+        ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
+    }
+
+    if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
+                      buf, hash_len ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
+    }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->verify_data_len = hash_len;
+    memcpy( ssl->peer_verify_data, buf, hash_len );
+#endif
+
+    if( ssl->handshake->resume != 0 )
+    {
+#if defined(MBEDTLS_SSL_CLI_C)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+            ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+#endif
+    }
+    else
+        ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_recv_flight_completed( ssl );
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
+
+    return( 0 );
+}
+
+static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
+{
+    memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+     mbedtls_md5_init(   &handshake->fin_md5  );
+    mbedtls_sha1_init(   &handshake->fin_sha1 );
+     mbedtls_md5_starts_ret( &handshake->fin_md5  );
+    mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_init(   &handshake->fin_sha256    );
+    mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_init(   &handshake->fin_sha512    );
+    mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    handshake->update_checksum = ssl_update_checksum_start;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_init( &handshake->dhm_ctx );
+#endif
+#if defined(MBEDTLS_ECDH_C)
+    mbedtls_ecdh_init( &handshake->ecdh_ctx );
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
+#if defined(MBEDTLS_SSL_CLI_C)
+    handshake->ecjpake_cache = NULL;
+    handshake->ecjpake_cache_len = 0;
+#endif
+#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
+#endif
+}
+
+static void ssl_transform_init( mbedtls_ssl_transform *transform )
+{
+    memset( transform, 0, sizeof(mbedtls_ssl_transform) );
+
+    mbedtls_cipher_init( &transform->cipher_ctx_enc );
+    mbedtls_cipher_init( &transform->cipher_ctx_dec );
+
+    mbedtls_md_init( &transform->md_ctx_enc );
+    mbedtls_md_init( &transform->md_ctx_dec );
+}
+
+void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
+{
+    memset( session, 0, sizeof(mbedtls_ssl_session) );
+}
+
+static int ssl_handshake_init( mbedtls_ssl_context *ssl )
+{
+    /* Clear old handshake information if present */
+    if( ssl->transform_negotiate )
+        mbedtls_ssl_transform_free( ssl->transform_negotiate );
+    if( ssl->session_negotiate )
+        mbedtls_ssl_session_free( ssl->session_negotiate );
+    if( ssl->handshake )
+        mbedtls_ssl_handshake_free( ssl->handshake );
+
+    /*
+     * Either the pointers are now NULL or cleared properly and can be freed.
+     * Now allocate missing structures.
+     */
+    if( ssl->transform_negotiate == NULL )
+    {
+        ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
+    }
+
+    if( ssl->session_negotiate == NULL )
+    {
+        ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
+    }
+
+    if( ssl->handshake == NULL )
+    {
+        ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
+    }
+
+    /* All pointers should exist and can be directly freed without issue */
+    if( ssl->handshake == NULL ||
+        ssl->transform_negotiate == NULL ||
+        ssl->session_negotiate == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
+
+        mbedtls_free( ssl->handshake );
+        mbedtls_free( ssl->transform_negotiate );
+        mbedtls_free( ssl->session_negotiate );
+
+        ssl->handshake = NULL;
+        ssl->transform_negotiate = NULL;
+        ssl->session_negotiate = NULL;
+
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    /* Initialize structures */
+    mbedtls_ssl_session_init( ssl->session_negotiate );
+    ssl_transform_init( ssl->transform_negotiate );
+    ssl_handshake_params_init( ssl->handshake );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->handshake->alt_transform_out = ssl->transform_out;
+
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
+        else
+            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+
+        ssl_set_timer( ssl, 0 );
+    }
+#endif
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+/* Dummy cookie callbacks for defaults */
+static int ssl_cookie_write_dummy( void *ctx,
+                      unsigned char **p, unsigned char *end,
+                      const unsigned char *cli_id, size_t cli_id_len )
+{
+    ((void) ctx);
+    ((void) p);
+    ((void) end);
+    ((void) cli_id);
+    ((void) cli_id_len);
+
+    return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+}
+
+static int ssl_cookie_check_dummy( void *ctx,
+                      const unsigned char *cookie, size_t cookie_len,
+                      const unsigned char *cli_id, size_t cli_id_len )
+{
+    ((void) ctx);
+    ((void) cookie);
+    ((void) cookie_len);
+    ((void) cli_id);
+    ((void) cli_id_len);
+
+    return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
+
+/*
+ * Initialize an SSL context
+ */
+void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
+{
+    memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
+}
+
+/*
+ * Setup an SSL context
+ */
+int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
+                       const mbedtls_ssl_config *conf )
+{
+    int ret;
+    const size_t len = MBEDTLS_SSL_BUFFER_LEN;
+
+    ssl->conf = conf;
+
+    /*
+     * Prepare base structures
+     */
+    ssl->in_buf = NULL;
+    ssl->out_buf = NULL;
+    if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL ||
+        ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
+        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        goto error;
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->out_hdr = ssl->out_buf;
+        ssl->out_ctr = ssl->out_buf +  3;
+        ssl->out_len = ssl->out_buf + 11;
+        ssl->out_iv  = ssl->out_buf + 13;
+        ssl->out_msg = ssl->out_buf + 13;
+
+        ssl->in_hdr = ssl->in_buf;
+        ssl->in_ctr = ssl->in_buf +  3;
+        ssl->in_len = ssl->in_buf + 11;
+        ssl->in_iv  = ssl->in_buf + 13;
+        ssl->in_msg = ssl->in_buf + 13;
+    }
+    else
+#endif
+    {
+        ssl->out_ctr = ssl->out_buf;
+        ssl->out_hdr = ssl->out_buf +  8;
+        ssl->out_len = ssl->out_buf + 11;
+        ssl->out_iv  = ssl->out_buf + 13;
+        ssl->out_msg = ssl->out_buf + 13;
+
+        ssl->in_ctr = ssl->in_buf;
+        ssl->in_hdr = ssl->in_buf +  8;
+        ssl->in_len = ssl->in_buf + 11;
+        ssl->in_iv  = ssl->in_buf + 13;
+        ssl->in_msg = ssl->in_buf + 13;
+    }
+
+    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
+        goto error;
+
+    return( 0 );
+
+error:
+    mbedtls_free( ssl->in_buf );
+    mbedtls_free( ssl->out_buf );
+
+    ssl->conf = NULL;
+
+    ssl->in_buf = NULL;
+    ssl->out_buf = NULL;
+
+    ssl->in_hdr = NULL;
+    ssl->in_ctr = NULL;
+    ssl->in_len = NULL;
+    ssl->in_iv = NULL;
+    ssl->in_msg = NULL;
+
+    ssl->out_hdr = NULL;
+    ssl->out_ctr = NULL;
+    ssl->out_len = NULL;
+    ssl->out_iv = NULL;
+    ssl->out_msg = NULL;
+
+    return( ret );
+}
+
+/*
+ * Reset an initialized and used SSL context for re-use while retaining
+ * all application-set variables, function pointers and data.
+ *
+ * If partial is non-zero, keep data in the input buffer and client ID.
+ * (Use when a DTLS client reconnects from the same port.)
+ */
+static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
+{
+    int ret;
+
+    ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+
+    /* Cancel any possibly running timer */
+    ssl_set_timer( ssl, 0 );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
+    ssl->renego_records_seen = 0;
+
+    ssl->verify_data_len = 0;
+    memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
+    memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
+#endif
+    ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
+
+    ssl->in_offt = NULL;
+
+    ssl->in_msg = ssl->in_buf + 13;
+    ssl->in_msgtype = 0;
+    ssl->in_msglen = 0;
+    if( partial == 0 )
+        ssl->in_left = 0;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    ssl->next_record_offset = 0;
+    ssl->in_epoch = 0;
+#endif
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    ssl_dtls_replay_reset( ssl );
+#endif
+
+    ssl->in_hslen = 0;
+    ssl->nb_zero = 0;
+
+    ssl->keep_current_message = 0;
+
+    ssl->out_msg = ssl->out_buf + 13;
+    ssl->out_msgtype = 0;
+    ssl->out_msglen = 0;
+    ssl->out_left = 0;
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
+        ssl->split_done = 0;
+#endif
+
+    ssl->transform_in = NULL;
+    ssl->transform_out = NULL;
+
+    ssl->session_in = NULL;
+    ssl->session_out = NULL;
+
+    memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
+
+    if( partial == 0 )
+        memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_reset != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
+        if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif
+
+    if( ssl->transform )
+    {
+        mbedtls_ssl_transform_free( ssl->transform );
+        mbedtls_free( ssl->transform );
+        ssl->transform = NULL;
+    }
+
+    if( ssl->session )
+    {
+        mbedtls_ssl_session_free( ssl->session );
+        mbedtls_free( ssl->session );
+        ssl->session = NULL;
+    }
+
+#if defined(MBEDTLS_SSL_ALPN)
+    ssl->alpn_chosen = NULL;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    if( partial == 0 )
+    {
+        mbedtls_free( ssl->cli_id );
+        ssl->cli_id = NULL;
+        ssl->cli_id_len = 0;
+    }
+#endif
+
+    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Reset an initialized and used SSL context for re-use while retaining
+ * all application-set variables, function pointers and data.
+ */
+int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
+{
+    return( ssl_session_reset_int( ssl, 0 ) );
+}
+
+/*
+ * SSL set accessors
+ */
+void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
+{
+    conf->endpoint   = endpoint;
+}
+
+void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
+{
+    conf->transport = transport;
+}
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
+{
+    conf->anti_replay = mode;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
+{
+    conf->badmac_limit = limit;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max )
+{
+    conf->hs_timeout_min = min;
+    conf->hs_timeout_max = max;
+}
+#endif
+
+void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
+{
+    conf->authmode   = authmode;
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy )
+{
+    conf->f_vrfy      = f_vrfy;
+    conf->p_vrfy      = p_vrfy;
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
+                  int (*f_rng)(void *, unsigned char *, size_t),
+                  void *p_rng )
+{
+    conf->f_rng      = f_rng;
+    conf->p_rng      = p_rng;
+}
+
+void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
+                  void (*f_dbg)(void *, int, const char *, int, const char *),
+                  void  *p_dbg )
+{
+    conf->f_dbg      = f_dbg;
+    conf->p_dbg      = p_dbg;
+}
+
+void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
+        void *p_bio,
+        mbedtls_ssl_send_t *f_send,
+        mbedtls_ssl_recv_t *f_recv,
+        mbedtls_ssl_recv_timeout_t *f_recv_timeout )
+{
+    ssl->p_bio          = p_bio;
+    ssl->f_send         = f_send;
+    ssl->f_recv         = f_recv;
+    ssl->f_recv_timeout = f_recv_timeout;
+}
+
+void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
+{
+    conf->read_timeout   = timeout;
+}
+
+void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
+                               void *p_timer,
+                               mbedtls_ssl_set_timer_t *f_set_timer,
+                               mbedtls_ssl_get_timer_t *f_get_timer )
+{
+    ssl->p_timer        = p_timer;
+    ssl->f_set_timer    = f_set_timer;
+    ssl->f_get_timer    = f_get_timer;
+
+    /* Make sure we start with no timer running */
+    ssl_set_timer( ssl, 0 );
+}
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
+        void *p_cache,
+        int (*f_get_cache)(void *, mbedtls_ssl_session *),
+        int (*f_set_cache)(void *, const mbedtls_ssl_session *) )
+{
+    conf->p_cache = p_cache;
+    conf->f_get_cache = f_get_cache;
+    conf->f_set_cache = f_set_cache;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
+{
+    int ret;
+
+    if( ssl == NULL ||
+        session == NULL ||
+        ssl->session_negotiate == NULL ||
+        ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
+        return( ret );
+
+    ssl->handshake->resume = 1;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
+                                   const int *ciphersuites )
+{
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
+}
+
+void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
+                                       const int *ciphersuites,
+                                       int major, int minor )
+{
+    if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
+        return;
+
+    if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 )
+        return;
+
+    conf->ciphersuite_list[minor] = ciphersuites;
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
+                                    const mbedtls_x509_crt_profile *profile )
+{
+    conf->cert_profile = profile;
+}
+
+/* Append a new keycert entry to a (possibly empty) list */
+static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
+                                mbedtls_x509_crt *cert,
+                                mbedtls_pk_context *key )
+{
+    mbedtls_ssl_key_cert *new_cert;
+
+    new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
+    if( new_cert == NULL )
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+    new_cert->cert = cert;
+    new_cert->key  = key;
+    new_cert->next = NULL;
+
+    /* Update head is the list was null, else add to the end */
+    if( *head == NULL )
+    {
+        *head = new_cert;
+    }
+    else
+    {
+        mbedtls_ssl_key_cert *cur = *head;
+        while( cur->next != NULL )
+            cur = cur->next;
+        cur->next = new_cert;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
+                              mbedtls_x509_crt *own_cert,
+                              mbedtls_pk_context *pk_key )
+{
+    return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
+}
+
+void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
+                               mbedtls_x509_crt *ca_chain,
+                               mbedtls_x509_crl *ca_crl )
+{
+    conf->ca_chain   = ca_chain;
+    conf->ca_crl     = ca_crl;
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
+                                 mbedtls_x509_crt *own_cert,
+                                 mbedtls_pk_context *pk_key )
+{
+    return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
+                                 own_cert, pk_key ) );
+}
+
+void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
+                                  mbedtls_x509_crt *ca_chain,
+                                  mbedtls_x509_crl *ca_crl )
+{
+    ssl->handshake->sni_ca_chain   = ca_chain;
+    ssl->handshake->sni_ca_crl     = ca_crl;
+}
+
+void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
+                                  int authmode )
+{
+    ssl->handshake->sni_authmode = authmode;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+/*
+ * Set EC J-PAKE password for current handshake
+ */
+int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
+                                         const unsigned char *pw,
+                                         size_t pw_len )
+{
+    mbedtls_ecjpake_role role;
+
+    if( ssl->handshake == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+        role = MBEDTLS_ECJPAKE_SERVER;
+    else
+        role = MBEDTLS_ECJPAKE_CLIENT;
+
+    return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
+                                   role,
+                                   MBEDTLS_MD_SHA256,
+                                   MBEDTLS_ECP_DP_SECP256R1,
+                                   pw, pw_len ) );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
+                const unsigned char *psk, size_t psk_len,
+                const unsigned char *psk_identity, size_t psk_identity_len )
+{
+    if( psk == NULL || psk_identity == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( psk_len > MBEDTLS_PSK_MAX_LEN )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    /* Identity len will be encoded on two bytes */
+    if( ( psk_identity_len >> 16 ) != 0 ||
+        psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    if( conf->psk != NULL )
+    {
+        mbedtls_zeroize( conf->psk, conf->psk_len );
+
+        mbedtls_free( conf->psk );
+        conf->psk = NULL;
+        conf->psk_len = 0;
+    }
+    if( conf->psk_identity != NULL )
+    {
+        mbedtls_free( conf->psk_identity );
+        conf->psk_identity = NULL;
+        conf->psk_identity_len = 0;
+    }
+
+    if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ||
+        ( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL )
+    {
+        mbedtls_free( conf->psk );
+        mbedtls_free( conf->psk_identity );
+        conf->psk = NULL;
+        conf->psk_identity = NULL;
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    conf->psk_len = psk_len;
+    conf->psk_identity_len = psk_identity_len;
+
+    memcpy( conf->psk, psk, conf->psk_len );
+    memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
+
+    return( 0 );
+}
+
+int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
+                            const unsigned char *psk, size_t psk_len )
+{
+    if( psk == NULL || ssl->handshake == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( psk_len > MBEDTLS_PSK_MAX_LEN )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( ssl->handshake->psk != NULL )
+    {
+        mbedtls_zeroize( ssl->handshake->psk, ssl->handshake->psk_len );
+        mbedtls_free( ssl->handshake->psk );
+        ssl->handshake->psk_len = 0;
+    }
+
+    if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+    ssl->handshake->psk_len = psk_len;
+    memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
+
+    return( 0 );
+}
+
+void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
+                     int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
+                     size_t),
+                     void *p_psk )
+{
+    conf->f_psk = f_psk;
+    conf->p_psk = p_psk;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G )
+{
+    int ret;
+
+    if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
+    {
+        mbedtls_mpi_free( &conf->dhm_P );
+        mbedtls_mpi_free( &conf->dhm_G );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
+                                   const unsigned char *dhm_P, size_t P_len,
+                                   const unsigned char *dhm_G, size_t G_len )
+{
+    int ret;
+
+    if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
+    {
+        mbedtls_mpi_free( &conf->dhm_P );
+        mbedtls_mpi_free( &conf->dhm_G );
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
+{
+    int ret;
+
+    if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
+    {
+        mbedtls_mpi_free( &conf->dhm_P );
+        mbedtls_mpi_free( &conf->dhm_G );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+/*
+ * Set the minimum length for Diffie-Hellman parameters
+ */
+void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
+                                      unsigned int bitlen )
+{
+    conf->dhm_min_bitlen = bitlen;
+}
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/*
+ * Set allowed/preferred hashes for handshake signatures
+ */
+void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
+                                  const int *hashes )
+{
+    conf->sig_hashes = hashes;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Set the allowed elliptic curves
+ */
+void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
+                             const mbedtls_ecp_group_id *curve_list )
+{
+    conf->curve_list = curve_list;
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
+{
+    /* Initialize to suppress unnecessary compiler warning */
+    size_t hostname_len = 0;
+
+    /* Check if new hostname is valid before
+     * making any change to current one */
+    if( hostname != NULL )
+    {
+        hostname_len = strlen( hostname );
+
+        if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    /* Now it's clear that we will overwrite the old hostname,
+     * so we can free it safely */
+
+    if( ssl->hostname != NULL )
+    {
+        mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) );
+        mbedtls_free( ssl->hostname );
+    }
+
+    /* Passing NULL as hostname shall clear the old one */
+
+    if( hostname == NULL )
+    {
+        ssl->hostname = NULL;
+    }
+    else
+    {
+        ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
+        if( ssl->hostname == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        memcpy( ssl->hostname, hostname, hostname_len );
+
+        ssl->hostname[hostname_len] = '\0';
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
+                  int (*f_sni)(void *, mbedtls_ssl_context *,
+                                const unsigned char *, size_t),
+                  void *p_sni )
+{
+    conf->f_sni = f_sni;
+    conf->p_sni = p_sni;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_ALPN)
+int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
+{
+    size_t cur_len, tot_len;
+    const char **p;
+
+    /*
+     * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
+     * MUST NOT be truncated."
+     * We check lengths now rather than later.
+     */
+    tot_len = 0;
+    for( p = protos; *p != NULL; p++ )
+    {
+        cur_len = strlen( *p );
+        tot_len += cur_len;
+
+        if( ( cur_len == 0 ) ||
+            ( cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN ) ||
+            ( tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN ) )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    conf->alpn_list = protos;
+
+    return( 0 );
+}
+
+const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
+{
+    return( ssl->alpn_chosen );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
+{
+    conf->max_major_ver = major;
+    conf->max_minor_ver = minor;
+}
+
+void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
+{
+    conf->min_major_ver = major;
+    conf->min_minor_ver = minor;
+}
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
+{
+    conf->fallback = fallback;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
+                                          char cert_req_ca_list )
+{
+    conf->cert_req_ca_list = cert_req_ca_list;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
+{
+    conf->encrypt_then_mac = etm;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
+{
+    conf->extended_ms = ems;
+}
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
+{
+    conf->arc4_disabled = arc4;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
+{
+    if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
+        mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    conf->mfl_code = mfl_code;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
+{
+    conf->trunc_hmac = truncate;
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
+{
+    conf->cbc_record_splitting = split;
+}
+#endif
+
+void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
+{
+    conf->allow_legacy_renegotiation = allow_legacy;
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
+{
+    conf->disable_renegotiation = renegotiation;
+}
+
+void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
+{
+    conf->renego_max_records = max_records;
+}
+
+void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
+                                   const unsigned char period[8] )
+{
+    memcpy( conf->renego_period, period, 8 );
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
+void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
+{
+    conf->session_tickets = use_tickets;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
+        mbedtls_ssl_ticket_write_t *f_ticket_write,
+        mbedtls_ssl_ticket_parse_t *f_ticket_parse,
+        void *p_ticket )
+{
+    conf->f_ticket_write = f_ticket_write;
+    conf->f_ticket_parse = f_ticket_parse;
+    conf->p_ticket       = p_ticket;
+}
+#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
+        mbedtls_ssl_export_keys_t *f_export_keys,
+        void *p_export_keys )
+{
+    conf->f_export_keys = f_export_keys;
+    conf->p_export_keys = p_export_keys;
+}
+#endif
+
+/*
+ * SSL get accessors
+ */
+size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
+{
+    return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
+}
+
+uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
+{
+    if( ssl->session != NULL )
+        return( ssl->session->verify_result );
+
+    if( ssl->session_negotiate != NULL )
+        return( ssl->session_negotiate->verify_result );
+
+    return( 0xFFFFFFFF );
+}
+
+const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
+{
+    if( ssl == NULL || ssl->session == NULL )
+        return( NULL );
+
+    return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
+}
+
+const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        switch( ssl->minor_ver )
+        {
+            case MBEDTLS_SSL_MINOR_VERSION_2:
+                return( "DTLSv1.0" );
+
+            case MBEDTLS_SSL_MINOR_VERSION_3:
+                return( "DTLSv1.2" );
+
+            default:
+                return( "unknown (DTLS)" );
+        }
+    }
+#endif
+
+    switch( ssl->minor_ver )
+    {
+        case MBEDTLS_SSL_MINOR_VERSION_0:
+            return( "SSLv3.0" );
+
+        case MBEDTLS_SSL_MINOR_VERSION_1:
+            return( "TLSv1.0" );
+
+        case MBEDTLS_SSL_MINOR_VERSION_2:
+            return( "TLSv1.1" );
+
+        case MBEDTLS_SSL_MINOR_VERSION_3:
+            return( "TLSv1.2" );
+
+        default:
+            return( "unknown" );
+    }
+}
+
+int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
+{
+    size_t transform_expansion = 0;
+    const mbedtls_ssl_transform *transform = ssl->transform_out;
+    unsigned block_size;
+
+    if( transform == NULL )
+        return( (int) mbedtls_ssl_hdr_len( ssl ) );
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+#endif
+
+    switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
+    {
+        case MBEDTLS_MODE_GCM:
+        case MBEDTLS_MODE_CCM:
+        case MBEDTLS_MODE_STREAM:
+            transform_expansion = transform->minlen;
+            break;
+
+        case MBEDTLS_MODE_CBC:
+
+            block_size = mbedtls_cipher_get_block_size(
+                &transform->cipher_ctx_enc );
+
+            /* Expansion due to the addition of the MAC. */
+            transform_expansion += transform->maclen;
+
+            /* Expansion due to the addition of CBC padding;
+             * Theoretically up to 256 bytes, but we never use
+             * more than the block size of the underlying cipher. */
+            transform_expansion += block_size;
+
+            /* For TLS 1.1 or higher, an explicit IV is added
+             * after the record header. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+                transform_expansion += block_size;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+
+            break;
+
+        default:
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
+{
+    size_t max_len;
+
+    /*
+     * Assume mfl_code is correct since it was checked when set
+     */
+    max_len = mfl_code_to_length[ssl->conf->mfl_code];
+
+    /*
+     * Check if a smaller max length was negotiated
+     */
+    if( ssl->session_out != NULL &&
+        mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
+    {
+        max_len = mfl_code_to_length[ssl->session_out->mfl_code];
+    }
+
+    return max_len;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
+{
+    if( ssl == NULL || ssl->session == NULL )
+        return( NULL );
+
+    return( ssl->session->peer_cert );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst )
+{
+    if( ssl == NULL ||
+        dst == NULL ||
+        ssl->session == NULL ||
+        ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    return( ssl_session_copy( dst, ssl->session ) );
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+/*
+ * Perform a single step of the SSL handshake
+ */
+int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+        ret = mbedtls_ssl_handshake_client_step( ssl );
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+        ret = mbedtls_ssl_handshake_server_step( ssl );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Perform the SSL handshake
+ */
+int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
+
+    while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        ret = mbedtls_ssl_handshake_step( ssl );
+
+        if( ret != 0 )
+            break;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+#if defined(MBEDTLS_SSL_SRV_C)
+/*
+ * Write HelloRequest to request renegotiation on server
+ */
+static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
+
+    ssl->out_msglen  = 4;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_REQUEST;
+
+    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+/*
+ * Actually renegotiate current connection, triggered by either:
+ * - any side: calling mbedtls_ssl_renegotiate(),
+ * - client: receiving a HelloRequest during mbedtls_ssl_read(),
+ * - server: receiving any handshake message on server during mbedtls_ssl_read() after
+ *   the initial handshake is completed.
+ * If the handshake doesn't complete due to waiting for I/O, it will continue
+ * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
+ */
+static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
+
+    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
+        return( ret );
+
+    /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
+     * the ServerHello will have message_seq = 1" */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
+    {
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+            ssl->handshake->out_msg_seq = 1;
+        else
+            ssl->handshake->in_msg_seq = 1;
+    }
+#endif
+
+    ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+    ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
+
+    if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
+
+    return( 0 );
+}
+
+/*
+ * Renegotiate current connection on client,
+ * or request renegotiation on server
+ */
+int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    /* On server, just send the request */
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
+
+        /* Did we already try/start sending HelloRequest? */
+        if( ssl->out_left != 0 )
+            return( mbedtls_ssl_flush_output( ssl ) );
+
+        return( ssl_write_hello_request( ssl ) );
+    }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    /*
+     * On client, either start the renegotiation process or,
+     * if already in progress, continue the handshake
+     */
+    if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+    {
+        if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
+            return( ret );
+        }
+    }
+    else
+    {
+        if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+    return( ret );
+}
+
+/*
+ * Check record counters and renegotiate if they're above the limit.
+ */
+static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
+{
+    size_t ep_len = ssl_ep_len( ssl );
+    int in_ctr_cmp;
+    int out_ctr_cmp;
+
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
+        ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
+        ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
+    {
+        return( 0 );
+    }
+
+    in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
+                        ssl->conf->renego_period + ep_len, 8 - ep_len );
+    out_ctr_cmp = memcmp( ssl->out_ctr + ep_len,
+                          ssl->conf->renego_period + ep_len, 8 - ep_len );
+
+    if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
+    {
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
+    return( mbedtls_ssl_renegotiate( ssl ) );
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/*
+ * Receive application data decrypted from the SSL layer
+ */
+int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
+{
+    int ret;
+    size_t n;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+            return( ret );
+
+        if( ssl->handshake != NULL &&
+            ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+        {
+            if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+                return( ret );
+        }
+    }
+#endif
+
+    /*
+     * Check if renegotiation is necessary and/or handshake is
+     * in process. If yes, perform/continue, and fall through
+     * if an unexpected packet is received while the client
+     * is waiting for the ServerHello.
+     *
+     * (There is no equivalent to the last condition on
+     *  the server-side as it is not treated as within
+     *  a handshake while waiting for the ClientHello
+     *  after a renegotiation request.)
+     */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ret = ssl_check_ctr_renegotiate( ssl );
+    if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+        ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
+        return( ret );
+    }
+#endif
+
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        ret = mbedtls_ssl_handshake( ssl );
+        if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+            ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
+            return( ret );
+        }
+    }
+
+    if( ssl->in_offt == NULL )
+    {
+        /* Start timer if not already running */
+        if( ssl->f_get_timer != NULL &&
+            ssl->f_get_timer( ssl->p_timer ) == -1 )
+        {
+            ssl_set_timer( ssl, ssl->conf->read_timeout );
+        }
+
+        if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+        {
+            if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
+                return( 0 );
+
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+            return( ret );
+        }
+
+        if( ssl->in_msglen  == 0 &&
+            ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
+        {
+            /*
+             * OpenSSL sends empty messages to randomize the IV
+             */
+            if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+            {
+                if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
+                    return( 0 );
+
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+                return( ret );
+            }
+        }
+
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
+
+            /*
+             * - For client-side, expect SERVER_HELLO_REQUEST.
+             * - For server-side, expect CLIENT_HELLO.
+             * - Fail (TLS) or silently drop record (DTLS) in other cases.
+             */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+            if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+                ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
+                  ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) ) )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
+
+                /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+                    return( MBEDTLS_ERR_SSL_WANT_READ );
+#endif
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+            }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+            if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
+
+                /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+                    return( MBEDTLS_ERR_SSL_WANT_READ );
+#endif
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+            }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            /* Determine whether renegotiation attempt should be accepted */
+            if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
+                    ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+                      ssl->conf->allow_legacy_renegotiation ==
+                                                   MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
+            {
+                /*
+                 * Accept renegotiation request
+                 */
+
+                /* DTLS clients need to know renego is server-initiated */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+                    ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+                {
+                    ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
+                }
+#endif
+                ret = ssl_start_renegotiation( ssl );
+                if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+                    ret != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
+                    return( ret );
+                }
+            }
+            else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+            {
+                /*
+                 * Refuse renegotiation
+                 */
+
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+                if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+                {
+                    /* SSLv3 does not have a "no_renegotiation" warning, so
+                       we send a fatal alert and abort the connection. */
+                    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                    MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+                    return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+                }
+                else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+                if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
+                {
+                    if( ( ret = mbedtls_ssl_send_alert_message( ssl,
+                                    MBEDTLS_SSL_ALERT_LEVEL_WARNING,
+                                    MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
+                    {
+                        return( ret );
+                    }
+                }
+                else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+                }
+            }
+
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+        }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
+        {
+            if( ssl->conf->renego_max_records >= 0 )
+            {
+                if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
+                                        "but not honored by client" ) );
+                    return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+                }
+            }
+        }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+        /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+        }
+
+        if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+        }
+
+        ssl->in_offt = ssl->in_msg;
+
+        /* We're going to return something now, cancel timer,
+         * except if handshake (renegotiation) is in progress */
+        if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
+            ssl_set_timer( ssl, 0 );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        /* If we requested renego but received AppData, resend HelloRequest.
+         * Do it now, after setting in_offt, to avoid taking this branch
+         * again if ssl_write_hello_request() returns WANT_WRITE */
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+            ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
+        {
+            if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
+                return( ret );
+            }
+        }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    }
+
+    n = ( len < ssl->in_msglen )
+        ? len : ssl->in_msglen;
+
+    memcpy( buf, ssl->in_offt, n );
+    ssl->in_msglen -= n;
+
+    /* Zeroising the plaintext buffer to erase unused application data
+       from the memory. */
+    mbedtls_zeroize( ssl->in_offt, n );
+
+    if( ssl->in_msglen == 0 )
+    {
+        /* all bytes consumed */
+        ssl->in_offt = NULL;
+        ssl->keep_current_message = 0;
+    }
+    else
+    {
+        /* more data available */
+        ssl->in_offt += n;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
+
+    return( (int) n );
+}
+
+/*
+ * Send application data to be encrypted by the SSL layer, taking care of max
+ * fragment length and buffer size.
+ *
+ * According to RFC 5246 Section 6.2.1:
+ *
+ *      Zero-length fragments of Application data MAY be sent as they are
+ *      potentially useful as a traffic analysis countermeasure.
+ *
+ * Therefore, it is possible that the input message length is 0 and the
+ * corresponding return code is 0 on success.
+ */
+static int ssl_write_real( mbedtls_ssl_context *ssl,
+                           const unsigned char *buf, size_t len )
+{
+    int ret;
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
+#else
+    size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+    if( len > max_len )
+    {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
+                                "maximum fragment length: %d > %d",
+                                len, max_len ) );
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+        }
+        else
+#endif
+            len = max_len;
+    }
+
+    if( ssl->out_left != 0 )
+    {
+        /*
+         * The user has previously tried to send the data and
+         * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
+         * written. In this case, we expect the high-level write function
+         * (e.g. mbedtls_ssl_write()) to be called with the same parameters
+         */
+        if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
+            return( ret );
+        }
+    }
+    else
+    {
+        /*
+         * The user is trying to send a message the first time, so we need to
+         * copy the data into the internal buffers and setup the data structure
+         * to keep track of partial writes
+         */
+        ssl->out_msglen  = len;
+        ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+        memcpy( ssl->out_msg, buf, len );
+
+        if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+            return( ret );
+        }
+    }
+
+    return( (int) len );
+}
+
+/*
+ * Write application data, doing 1/n-1 splitting if necessary.
+ *
+ * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
+ * then the caller will call us again with the same arguments, so
+ * remember whether we already did the split or not.
+ */
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+static int ssl_write_split( mbedtls_ssl_context *ssl,
+                            const unsigned char *buf, size_t len )
+{
+    int ret;
+
+    if( ssl->conf->cbc_record_splitting ==
+            MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
+        len <= 1 ||
+        ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
+        mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
+                                != MBEDTLS_MODE_CBC )
+    {
+        return( ssl_write_real( ssl, buf, len ) );
+    }
+
+    if( ssl->split_done == 0 )
+    {
+        if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
+            return( ret );
+        ssl->split_done = 1;
+    }
+
+    if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
+        return( ret );
+    ssl->split_done = 0;
+
+    return( ret + 1 );
+}
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
+/*
+ * Write application data (public-facing wrapper)
+ */
+int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
+        return( ret );
+    }
+#endif
+
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
+            return( ret );
+        }
+    }
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    ret = ssl_write_split( ssl, buf, len );
+#else
+    ret = ssl_write_real( ssl, buf, len );
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
+
+    return( ret );
+}
+
+/*
+ * Notify the peer that the connection is being closed
+ */
+int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
+
+    if( ssl->out_left != 0 )
+        return( mbedtls_ssl_flush_output( ssl ) );
+
+    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        if( ( ret = mbedtls_ssl_send_alert_message( ssl,
+                        MBEDTLS_SSL_ALERT_LEVEL_WARNING,
+                        MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
+            return( ret );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
+
+    return( 0 );
+}
+
+void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
+{
+    if( transform == NULL )
+        return;
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    deflateEnd( &transform->ctx_deflate );
+    inflateEnd( &transform->ctx_inflate );
+#endif
+
+    mbedtls_cipher_free( &transform->cipher_ctx_enc );
+    mbedtls_cipher_free( &transform->cipher_ctx_dec );
+
+    mbedtls_md_free( &transform->md_ctx_enc );
+    mbedtls_md_free( &transform->md_ctx_dec );
+
+    mbedtls_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
+{
+    mbedtls_ssl_key_cert *cur = key_cert, *next;
+
+    while( cur != NULL )
+    {
+        next = cur->next;
+        mbedtls_free( cur );
+        cur = next;
+    }
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake )
+{
+    if( handshake == NULL )
+        return;
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    mbedtls_md5_free(    &handshake->fin_md5  );
+    mbedtls_sha1_free(   &handshake->fin_sha1 );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_free(   &handshake->fin_sha256    );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_free(   &handshake->fin_sha512    );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_free( &handshake->dhm_ctx );
+#endif
+#if defined(MBEDTLS_ECDH_C)
+    mbedtls_ecdh_free( &handshake->ecdh_ctx );
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
+#if defined(MBEDTLS_SSL_CLI_C)
+    mbedtls_free( handshake->ecjpake_cache );
+    handshake->ecjpake_cache = NULL;
+    handshake->ecjpake_cache_len = 0;
+#endif
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    /* explicit void pointer cast for buggy MS compiler */
+    mbedtls_free( (void *) handshake->curves );
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    if( handshake->psk != NULL )
+    {
+        mbedtls_zeroize( handshake->psk, handshake->psk_len );
+        mbedtls_free( handshake->psk );
+    }
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    /*
+     * Free only the linked list wrapper, not the keys themselves
+     * since the belong to the SNI callback
+     */
+    if( handshake->sni_key_cert != NULL )
+    {
+        mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
+
+        while( cur != NULL )
+        {
+            next = cur->next;
+            mbedtls_free( cur );
+            cur = next;
+        }
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    mbedtls_free( handshake->verify_cookie );
+    mbedtls_free( handshake->hs_msg );
+    ssl_flight_free( handshake->flight );
+#endif
+
+    mbedtls_zeroize( handshake, sizeof( mbedtls_ssl_handshake_params ) );
+}
+
+void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
+{
+    if( session == NULL )
+        return;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( session->peer_cert != NULL )
+    {
+        mbedtls_x509_crt_free( session->peer_cert );
+        mbedtls_free( session->peer_cert );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    mbedtls_free( session->ticket );
+#endif
+
+    mbedtls_zeroize( session, sizeof( mbedtls_ssl_session ) );
+}
+
+/*
+ * Free an SSL context
+ */
+void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
+{
+    if( ssl == NULL )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
+
+    if( ssl->out_buf != NULL )
+    {
+        mbedtls_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN );
+        mbedtls_free( ssl->out_buf );
+    }
+
+    if( ssl->in_buf != NULL )
+    {
+        mbedtls_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN );
+        mbedtls_free( ssl->in_buf );
+    }
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->compress_buf != NULL )
+    {
+        mbedtls_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN );
+        mbedtls_free( ssl->compress_buf );
+    }
+#endif
+
+    if( ssl->transform )
+    {
+        mbedtls_ssl_transform_free( ssl->transform );
+        mbedtls_free( ssl->transform );
+    }
+
+    if( ssl->handshake )
+    {
+        mbedtls_ssl_handshake_free( ssl->handshake );
+        mbedtls_ssl_transform_free( ssl->transform_negotiate );
+        mbedtls_ssl_session_free( ssl->session_negotiate );
+
+        mbedtls_free( ssl->handshake );
+        mbedtls_free( ssl->transform_negotiate );
+        mbedtls_free( ssl->session_negotiate );
+    }
+
+    if( ssl->session )
+    {
+        mbedtls_ssl_session_free( ssl->session );
+        mbedtls_free( ssl->session );
+    }
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( ssl->hostname != NULL )
+    {
+        mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) );
+        mbedtls_free( ssl->hostname );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_finish != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
+        mbedtls_ssl_hw_record_finish( ssl );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    mbedtls_free( ssl->cli_id );
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
+
+    /* Actually clear after last debug message */
+    mbedtls_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
+}
+
+/*
+ * Initialze mbedtls_ssl_config
+ */
+void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
+{
+    memset( conf, 0, sizeof( mbedtls_ssl_config ) );
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+static int ssl_preset_default_hashes[] = {
+#if defined(MBEDTLS_SHA512_C)
+    MBEDTLS_MD_SHA512,
+    MBEDTLS_MD_SHA384,
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    MBEDTLS_MD_SHA256,
+    MBEDTLS_MD_SHA224,
+#endif
+#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
+    MBEDTLS_MD_SHA1,
+#endif
+    MBEDTLS_MD_NONE
+};
+#endif
+
+static int ssl_preset_suiteb_ciphersuites[] = {
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    0
+};
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+static int ssl_preset_suiteb_hashes[] = {
+    MBEDTLS_MD_SHA256,
+    MBEDTLS_MD_SHA384,
+    MBEDTLS_MD_NONE
+};
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    MBEDTLS_ECP_DP_SECP256R1,
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    MBEDTLS_ECP_DP_SECP384R1,
+#endif
+    MBEDTLS_ECP_DP_NONE
+};
+#endif
+
+/*
+ * Load default in mbedtls_ssl_config
+ */
+int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
+                                 int endpoint, int transport, int preset )
+{
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+    int ret;
+#endif
+
+    /* Use the functions here so that they are covered in tests,
+     * but otherwise access member directly for efficiency */
+    mbedtls_ssl_conf_endpoint( conf, endpoint );
+    mbedtls_ssl_conf_transport( conf, transport );
+
+    /*
+     * Things that are common to all presets
+     */
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( endpoint == MBEDTLS_SSL_IS_CLIENT )
+    {
+        conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
+#endif
+    }
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+    conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    conf->f_cookie_write = ssl_cookie_write_dummy;
+    conf->f_cookie_check = ssl_cookie_check_dummy;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
+    conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
+#endif
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
+    memset( conf->renego_period,     0x00, 2 );
+    memset( conf->renego_period + 2, 0xFF, 6 );
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+            if( endpoint == MBEDTLS_SSL_IS_SERVER )
+            {
+                const unsigned char dhm_p[] =
+                    MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
+                const unsigned char dhm_g[] =
+                    MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
+
+                if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
+                                               dhm_p, sizeof( dhm_p ),
+                                               dhm_g, sizeof( dhm_g ) ) ) != 0 )
+                {
+                    return( ret );
+                }
+            }
+#endif
+
+    /*
+     * Preset-specific defaults
+     */
+    switch( preset )
+    {
+        /*
+         * NSA Suite B
+         */
+        case MBEDTLS_SSL_PRESET_SUITEB:
+            conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+            conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
+            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+            conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
+                                   ssl_preset_suiteb_ciphersuites;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+            conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+            conf->sig_hashes = ssl_preset_suiteb_hashes;
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+            conf->curve_list = ssl_preset_suiteb_curves;
+#endif
+            break;
+
+        /*
+         * Default
+         */
+        default:
+            conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
+                                    MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
+                                    MBEDTLS_SSL_MIN_MAJOR_VERSION :
+                                    MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
+            conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
+                                    MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
+                                    MBEDTLS_SSL_MIN_MINOR_VERSION :
+                                    MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
+            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+            conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+            if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+                conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
+#endif
+
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
+                                   mbedtls_ssl_list_ciphersuites();
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+            conf->cert_profile = &mbedtls_x509_crt_profile_default;
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+            conf->sig_hashes = ssl_preset_default_hashes;
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+            conf->curve_list = mbedtls_ecp_grp_id_list();
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+            conf->dhm_min_bitlen = 1024;
+#endif
+    }
+
+    return( 0 );
+}
+
+/*
+ * Free mbedtls_ssl_config
+ */
+void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
+{
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_mpi_free( &conf->dhm_P );
+    mbedtls_mpi_free( &conf->dhm_G );
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    if( conf->psk != NULL )
+    {
+        mbedtls_zeroize( conf->psk, conf->psk_len );
+        mbedtls_zeroize( conf->psk_identity, conf->psk_identity_len );
+        mbedtls_free( conf->psk );
+        mbedtls_free( conf->psk_identity );
+        conf->psk_len = 0;
+        conf->psk_identity_len = 0;
+    }
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    ssl_key_cert_free( conf->key_cert );
+#endif
+
+    mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) );
+}
+
+#if defined(MBEDTLS_PK_C) && \
+    ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
+/*
+ * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
+ */
+unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
+{
+#if defined(MBEDTLS_RSA_C)
+    if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
+        return( MBEDTLS_SSL_SIG_RSA );
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
+        return( MBEDTLS_SSL_SIG_ECDSA );
+#endif
+    return( MBEDTLS_SSL_SIG_ANON );
+}
+
+unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
+{
+    switch( type ) {
+        case MBEDTLS_PK_RSA:
+            return( MBEDTLS_SSL_SIG_RSA );
+        case MBEDTLS_PK_ECDSA:
+        case MBEDTLS_PK_ECKEY:
+            return( MBEDTLS_SSL_SIG_ECDSA );
+        default:
+            return( MBEDTLS_SSL_SIG_ANON );
+    }
+}
+
+mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
+{
+    switch( sig )
+    {
+#if defined(MBEDTLS_RSA_C)
+        case MBEDTLS_SSL_SIG_RSA:
+            return( MBEDTLS_PK_RSA );
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+        case MBEDTLS_SSL_SIG_ECDSA:
+            return( MBEDTLS_PK_ECDSA );
+#endif
+        default:
+            return( MBEDTLS_PK_NONE );
+    }
+}
+#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/* Find an entry in a signature-hash set matching a given hash algorithm. */
+mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
+                                                 mbedtls_pk_type_t sig_alg )
+{
+    switch( sig_alg )
+    {
+        case MBEDTLS_PK_RSA:
+            return( set->rsa );
+        case MBEDTLS_PK_ECDSA:
+            return( set->ecdsa );
+        default:
+            return( MBEDTLS_MD_NONE );
+    }
+}
+
+/* Add a signature-hash-pair to a signature-hash set */
+void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
+                                   mbedtls_pk_type_t sig_alg,
+                                   mbedtls_md_type_t md_alg )
+{
+    switch( sig_alg )
+    {
+        case MBEDTLS_PK_RSA:
+            if( set->rsa == MBEDTLS_MD_NONE )
+                set->rsa = md_alg;
+            break;
+
+        case MBEDTLS_PK_ECDSA:
+            if( set->ecdsa == MBEDTLS_MD_NONE )
+                set->ecdsa = md_alg;
+            break;
+
+        default:
+            break;
+    }
+}
+
+/* Allow exactly one hash algorithm for each signature. */
+void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
+                                          mbedtls_md_type_t md_alg )
+{
+    set->rsa   = md_alg;
+    set->ecdsa = md_alg;
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+/*
+ * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
+ */
+mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
+{
+    switch( hash )
+    {
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_SSL_HASH_MD5:
+            return( MBEDTLS_MD_MD5 );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_SSL_HASH_SHA1:
+            return( MBEDTLS_MD_SHA1 );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_SSL_HASH_SHA224:
+            return( MBEDTLS_MD_SHA224 );
+        case MBEDTLS_SSL_HASH_SHA256:
+            return( MBEDTLS_MD_SHA256 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_SSL_HASH_SHA384:
+            return( MBEDTLS_MD_SHA384 );
+        case MBEDTLS_SSL_HASH_SHA512:
+            return( MBEDTLS_MD_SHA512 );
+#endif
+        default:
+            return( MBEDTLS_MD_NONE );
+    }
+}
+
+/*
+ * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
+ */
+unsigned char mbedtls_ssl_hash_from_md_alg( int md )
+{
+    switch( md )
+    {
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return( MBEDTLS_SSL_HASH_MD5 );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return( MBEDTLS_SSL_HASH_SHA1 );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+            return( MBEDTLS_SSL_HASH_SHA224 );
+        case MBEDTLS_MD_SHA256:
+            return( MBEDTLS_SSL_HASH_SHA256 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_MD_SHA384:
+            return( MBEDTLS_SSL_HASH_SHA384 );
+        case MBEDTLS_MD_SHA512:
+            return( MBEDTLS_SSL_HASH_SHA512 );
+#endif
+        default:
+            return( MBEDTLS_SSL_HASH_NONE );
+    }
+}
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Check if a curve proposed by the peer is in our list.
+ * Return 0 if we're willing to use it, -1 otherwise.
+ */
+int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
+{
+    const mbedtls_ecp_group_id *gid;
+
+    if( ssl->conf->curve_list == NULL )
+        return( -1 );
+
+    for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
+        if( *gid == grp_id )
+            return( 0 );
+
+    return( -1 );
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/*
+ * Check if a hash proposed by the peer is in our list.
+ * Return 0 if we're willing to use it, -1 otherwise.
+ */
+int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
+                                mbedtls_md_type_t md )
+{
+    const int *cur;
+
+    if( ssl->conf->sig_hashes == NULL )
+        return( -1 );
+
+    for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
+        if( *cur == (int) md )
+            return( 0 );
+
+    return( -1 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
+                          const mbedtls_ssl_ciphersuite_t *ciphersuite,
+                          int cert_endpoint,
+                          uint32_t *flags )
+{
+    int ret = 0;
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    int usage = 0;
+#endif
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    const char *ext_oid;
+    size_t ext_len;
+#endif
+
+#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) &&          \
+    !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    ((void) cert);
+    ((void) cert_endpoint);
+    ((void) flags);
+#endif
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        /* Server part of the key exchange */
+        switch( ciphersuite->key_exchange )
+        {
+            case MBEDTLS_KEY_EXCHANGE_RSA:
+            case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+                usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
+                break;
+
+            case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+            case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+            case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+                usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
+                break;
+
+            case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+            case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+                usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
+                break;
+
+            /* Don't use default: we want warnings when adding new values */
+            case MBEDTLS_KEY_EXCHANGE_NONE:
+            case MBEDTLS_KEY_EXCHANGE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+                usage = 0;
+        }
+    }
+    else
+    {
+        /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
+        usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
+    }
+
+    if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
+    {
+        *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
+        ret = -1;
+    }
+#else
+    ((void) ciphersuite);
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        ext_oid = MBEDTLS_OID_SERVER_AUTH;
+        ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
+    }
+    else
+    {
+        ext_oid = MBEDTLS_OID_CLIENT_AUTH;
+        ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
+    }
+
+    if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
+    {
+        *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
+        ret = -1;
+    }
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+
+    return( ret );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/*
+ * Convert version numbers to/from wire format
+ * and, for DTLS, to/from TLS equivalent.
+ *
+ * For TLS this is the identity.
+ * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
+ * 1.0 <-> 3.2      (DTLS 1.0 is based on TLS 1.1)
+ * 1.x <-> 3.x+1    for x != 0 (DTLS 1.2 based on TLS 1.2)
+ */
+void mbedtls_ssl_write_version( int major, int minor, int transport,
+                        unsigned char ver[2] )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
+            --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
+
+        ver[0] = (unsigned char)( 255 - ( major - 2 ) );
+        ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
+    }
+    else
+#else
+    ((void) transport);
+#endif
+    {
+        ver[0] = (unsigned char) major;
+        ver[1] = (unsigned char) minor;
+    }
+}
+
+void mbedtls_ssl_read_version( int *major, int *minor, int transport,
+                       const unsigned char ver[2] )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        *major = 255 - ver[0] + 2;
+        *minor = 255 - ver[1] + 1;
+
+        if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
+            ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
+    }
+    else
+#else
+    ((void) transport);
+#endif
+    {
+        *major = ver[0];
+        *minor = ver[1];
+    }
+}
+
+int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
+{
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+        return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+
+    switch( md )
+    {
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_SSL_HASH_MD5:
+            return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_SSL_HASH_SHA1:
+            ssl->handshake->calc_verify = ssl_calc_verify_tls;
+            break;
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_SSL_HASH_SHA384:
+            ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
+            break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_SSL_HASH_SHA256:
+            ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
+            break;
+#endif
+        default:
+            return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+    }
+
+    return 0;
+#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
+    (void) ssl;
+    (void) md;
+
+    return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
+                                        unsigned char *output,
+                                        unsigned char *data, size_t data_len )
+{
+    int ret = 0;
+    mbedtls_md5_context mbedtls_md5;
+    mbedtls_sha1_context mbedtls_sha1;
+
+    mbedtls_md5_init( &mbedtls_md5 );
+    mbedtls_sha1_init( &mbedtls_sha1 );
+
+    /*
+     * digitally-signed struct {
+     *     opaque md5_hash[16];
+     *     opaque sha_hash[20];
+     * };
+     *
+     * md5_hash
+     *     MD5(ClientHello.random + ServerHello.random
+     *                            + ServerParams);
+     * sha_hash
+     *     SHA(ClientHello.random + ServerHello.random
+     *                            + ServerParams);
+     */
+    if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,
+                                        ssl->handshake->randbytes, 64 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );
+        goto exit;
+    }
+
+    if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,
+                                         ssl->handshake->randbytes, 64 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,
+                                         data_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,
+                                         output + 16 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );
+        goto exit;
+    }
+
+exit:
+    mbedtls_md5_free( &mbedtls_md5 );
+    mbedtls_sha1_free( &mbedtls_sha1 );
+
+    if( ret != 0 )
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+
+    return( ret );
+
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
+                                       unsigned char *output,
+                                       unsigned char *data, size_t data_len,
+                                       mbedtls_md_type_t md_alg )
+{
+    int ret = 0;
+    mbedtls_md_context_t ctx;
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+
+    mbedtls_md_init( &ctx );
+
+    /*
+     * digitally-signed struct {
+     *     opaque client_random[32];
+     *     opaque server_random[32];
+     *     ServerDHParams params;
+     * };
+     */
+    if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md_finish( &ctx, output ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
+        goto exit;
+    }
+
+exit:
+    mbedtls_md_free( &ctx );
+
+    if( ret != 0 )
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/third-party/mbedtls-3.6/library/threading.c b/third-party/mbedtls-3.6/library/threading.c
new file mode 100644
index 00000000..df16fe72
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/threading.c
@@ -0,0 +1,180 @@
+/*
+ *  Threading abstraction layer
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+
+#include "mbedtls/threading.h"
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+static void threading_mutex_init_pthread( mbedtls_threading_mutex_t *mutex )
+{
+    if( mutex == NULL )
+        return;
+
+    /* A nonzero value of is_valid indicates a successfully initialized
+     * mutex. This is a workaround for not being able to return an error
+     * code for this function. The lock/unlock functions return an error
+     * if is_valid is nonzero. The Mbed TLS unit test code uses this field
+     * to distinguish more states of the mutex; see helpers.function for
+     * details. */
+    mutex->is_valid = pthread_mutex_init( &mutex->mutex, NULL ) == 0;
+}
+
+static void threading_mutex_free_pthread( mbedtls_threading_mutex_t *mutex )
+{
+    if( mutex == NULL || !mutex->is_valid )
+        return;
+
+    (void) pthread_mutex_destroy( &mutex->mutex );
+    mutex->is_valid = 0;
+}
+
+static int threading_mutex_lock_pthread( mbedtls_threading_mutex_t *mutex )
+{
+    if( mutex == NULL || ! mutex->is_valid )
+        return( MBEDTLS_ERR_THREADING_BAD_INPUT_DATA );
+
+    if( pthread_mutex_lock( &mutex->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+
+    return( 0 );
+}
+
+static int threading_mutex_unlock_pthread( mbedtls_threading_mutex_t *mutex )
+{
+    if( mutex == NULL || ! mutex->is_valid )
+        return( MBEDTLS_ERR_THREADING_BAD_INPUT_DATA );
+
+    if( pthread_mutex_unlock( &mutex->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+
+    return( 0 );
+}
+
+void (*mbedtls_mutex_init)( mbedtls_threading_mutex_t * ) = threading_mutex_init_pthread;
+void (*mbedtls_mutex_free)( mbedtls_threading_mutex_t * ) = threading_mutex_free_pthread;
+int (*mbedtls_mutex_lock)( mbedtls_threading_mutex_t * ) = threading_mutex_lock_pthread;
+int (*mbedtls_mutex_unlock)( mbedtls_threading_mutex_t * ) = threading_mutex_unlock_pthread;
+
+/*
+ * With phtreads we can statically initialize mutexes
+ */
+#define MUTEX_INIT  = { PTHREAD_MUTEX_INITIALIZER, 1 }
+
+#endif /* MBEDTLS_THREADING_PTHREAD */
+
+#if defined(MBEDTLS_THREADING_ALT)
+static int threading_mutex_fail( mbedtls_threading_mutex_t *mutex )
+{
+    ((void) mutex );
+    return( MBEDTLS_ERR_THREADING_BAD_INPUT_DATA );
+}
+static void threading_mutex_dummy( mbedtls_threading_mutex_t *mutex )
+{
+    ((void) mutex );
+    return;
+}
+
+void (*mbedtls_mutex_init)( mbedtls_threading_mutex_t * ) = threading_mutex_dummy;
+void (*mbedtls_mutex_free)( mbedtls_threading_mutex_t * ) = threading_mutex_dummy;
+int (*mbedtls_mutex_lock)( mbedtls_threading_mutex_t * ) = threading_mutex_fail;
+int (*mbedtls_mutex_unlock)( mbedtls_threading_mutex_t * ) = threading_mutex_fail;
+
+/*
+ * Set functions pointers and initialize global mutexes
+ */
+void mbedtls_threading_set_alt( void (*mutex_init)( mbedtls_threading_mutex_t * ),
+                       void (*mutex_free)( mbedtls_threading_mutex_t * ),
+                       int (*mutex_lock)( mbedtls_threading_mutex_t * ),
+                       int (*mutex_unlock)( mbedtls_threading_mutex_t * ) )
+{
+    mbedtls_mutex_init = mutex_init;
+    mbedtls_mutex_free = mutex_free;
+    mbedtls_mutex_lock = mutex_lock;
+    mbedtls_mutex_unlock = mutex_unlock;
+
+#if defined(MBEDTLS_FS_IO)
+    mbedtls_mutex_init( &mbedtls_threading_readdir_mutex );
+#endif
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+    mbedtls_mutex_init( &mbedtls_threading_gmtime_mutex );
+#endif
+}
+
+/*
+ * Free global mutexes
+ */
+void mbedtls_threading_free_alt( void )
+{
+#if defined(MBEDTLS_FS_IO)
+    mbedtls_mutex_free( &mbedtls_threading_readdir_mutex );
+#endif
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+    mbedtls_mutex_free( &mbedtls_threading_gmtime_mutex );
+#endif
+}
+#endif /* MBEDTLS_THREADING_ALT */
+
+/*
+ * Define global mutexes
+ */
+#ifndef MUTEX_INIT
+#define MUTEX_INIT
+#endif
+#if defined(MBEDTLS_FS_IO)
+mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex MUTEX_INIT;
+#endif
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex MUTEX_INIT;
+#endif
+
+#endif /* MBEDTLS_THREADING_C */
diff --git a/third-party/mbedtls-3.6/library/timing.c b/third-party/mbedtls-3.6/library/timing.c
new file mode 100644
index 00000000..6b91ea43
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/timing.c
@@ -0,0 +1,560 @@
+/*
+ *  Portable interface to the CPU cycle counter
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif
+
+#if defined(MBEDTLS_TIMING_C)
+
+#include "mbedtls/timing.h"
+
+#if !defined(MBEDTLS_TIMING_ALT)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+    !defined(__APPLE__) && !defined(_WIN32)
+#error "This module only works on Unix and Windows, see MBEDTLS_TIMING_C in config.h"
+#endif
+
+#ifndef asm
+#define asm __asm
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+#include <windows.h>
+#include <process.h>
+
+struct _hr_time
+{
+    LARGE_INTEGER start;
+};
+
+#else
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <signal.h>
+#include <time.h>
+
+struct _hr_time
+{
+    struct timeval start;
+};
+
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    ( defined(_MSC_VER) && defined(_M_IX86) ) || defined(__WATCOMC__)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long tsc;
+    __asm   rdtsc
+    __asm   mov  [tsc], eax
+    return( tsc );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          ( _MSC_VER && _M_IX86 ) || __WATCOMC__ */
+
+/* some versions of mingw-64 have 32-bit longs even on x84_64 */
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && ( defined(__i386__) || (                       \
+    ( defined(__amd64__) || defined( __x86_64__) ) && __SIZEOF_LONG__ == 4 ) )
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long lo, hi;
+    asm volatile( "rdtsc" : "=a" (lo), "=d" (hi) );
+    return( lo );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __i386__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && ( defined(__amd64__) || defined(__x86_64__) )
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long lo, hi;
+    asm volatile( "rdtsc" : "=a" (lo), "=d" (hi) );
+    return( lo | ( hi << 32 ) );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && ( __amd64__ || __x86_64__ ) */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && ( defined(__powerpc__) || defined(__ppc__) )
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long tbl, tbu0, tbu1;
+
+    do
+    {
+        asm volatile( "mftbu %0" : "=r" (tbu0) );
+        asm volatile( "mftb  %0" : "=r" (tbl ) );
+        asm volatile( "mftbu %0" : "=r" (tbu1) );
+    }
+    while( tbu0 != tbu1 );
+
+    return( tbl );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && ( __powerpc__ || __ppc__ ) */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && defined(__sparc64__)
+
+#if defined(__OpenBSD__)
+#warning OpenBSD does not allow access to tick register using software version instead
+#else
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long tick;
+    asm volatile( "rdpr %%tick, %0;" : "=&r" (tick) );
+    return( tick );
+}
+#endif /* __OpenBSD__ */
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __sparc64__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && defined(__sparc__) && !defined(__sparc64__)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long tick;
+    asm volatile( ".byte 0x83, 0x41, 0x00, 0x00" );
+    asm volatile( "mov   %%g1, %0" : "=r" (tick) );
+    return( tick );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __sparc__ && !__sparc64__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&      \
+    defined(__GNUC__) && defined(__alpha__)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long cc;
+    asm volatile( "rpcc %0" : "=r" (cc) );
+    return( cc & 0xFFFFFFFF );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __alpha__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&      \
+    defined(__GNUC__) && defined(__ia64__)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long itc;
+    asm volatile( "mov %0 = ar.itc" : "=r" (itc) );
+    return( itc );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __ia64__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(_MSC_VER) && \
+    !defined(EFIX64) && !defined(EFI32)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    LARGE_INTEGER offset;
+
+    QueryPerformanceCounter( &offset );
+
+    return( (unsigned long)( offset.QuadPart ) );
+}
+#endif /* !HAVE_HARDCLOCK && _MSC_VER && !EFIX64 && !EFI32 */
+
+#if !defined(HAVE_HARDCLOCK)
+
+#define HAVE_HARDCLOCK
+
+static int hardclock_init = 0;
+static struct timeval tv_init;
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    struct timeval tv_cur;
+
+    if( hardclock_init == 0 )
+    {
+        gettimeofday( &tv_init, NULL );
+        hardclock_init = 1;
+    }
+
+    gettimeofday( &tv_cur, NULL );
+    return( ( tv_cur.tv_sec  - tv_init.tv_sec  ) * 1000000
+          + ( tv_cur.tv_usec - tv_init.tv_usec ) );
+}
+#endif /* !HAVE_HARDCLOCK */
+
+volatile int mbedtls_timing_alarmed = 0;
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset )
+{
+    struct _hr_time *t = (struct _hr_time *) val;
+
+    if( reset )
+    {
+        QueryPerformanceCounter( &t->start );
+        return( 0 );
+    }
+    else
+    {
+        unsigned long delta;
+        LARGE_INTEGER now, hfreq;
+        QueryPerformanceCounter(  &now );
+        QueryPerformanceFrequency( &hfreq );
+        delta = (unsigned long)( ( now.QuadPart - t->start.QuadPart ) * 1000ul
+                                 / hfreq.QuadPart );
+        return( delta );
+    }
+}
+
+/* It's OK to use a global because alarm() is supposed to be global anyway */
+static DWORD alarmMs;
+
+static void TimerProc( void *TimerContext )
+{
+    (void) TimerContext;
+    Sleep( alarmMs );
+    mbedtls_timing_alarmed = 1;
+    /* _endthread will be called implicitly on return
+     * That ensures execution of thread funcition's epilogue */
+}
+
+void mbedtls_set_alarm( int seconds )
+{
+    if( seconds == 0 )
+    {
+        /* No need to create a thread for this simple case.
+         * Also, this shorcut is more reliable at least on MinGW32 */
+        mbedtls_timing_alarmed = 1;
+        return;
+    }
+
+    mbedtls_timing_alarmed = 0;
+    alarmMs = seconds * 1000;
+    (void) _beginthread( TimerProc, 0, NULL );
+}
+
+#else /* _WIN32 && !EFIX64 && !EFI32 */
+
+unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset )
+{
+    struct _hr_time *t = (struct _hr_time *) val;
+
+    if( reset )
+    {
+        gettimeofday( &t->start, NULL );
+        return( 0 );
+    }
+    else
+    {
+        unsigned long delta;
+        struct timeval now;
+        gettimeofday( &now, NULL );
+        delta = ( now.tv_sec  - t->start.tv_sec  ) * 1000ul
+              + ( now.tv_usec - t->start.tv_usec ) / 1000;
+        return( delta );
+    }
+}
+
+static void sighandler( int signum )
+{
+    mbedtls_timing_alarmed = 1;
+    signal( signum, sighandler );
+}
+
+void mbedtls_set_alarm( int seconds )
+{
+    mbedtls_timing_alarmed = 0;
+    signal( SIGALRM, sighandler );
+    alarm( seconds );
+    if( seconds == 0 )
+    {
+        /* alarm(0) cancelled any previous pending alarm, but the
+           handler won't fire, so raise the flag straight away. */
+        mbedtls_timing_alarmed = 1;
+    }
+}
+
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+
+/*
+ * Set delays to watch
+ */
+void mbedtls_timing_set_delay( void *data, uint32_t int_ms, uint32_t fin_ms )
+{
+    mbedtls_timing_delay_context *ctx = (mbedtls_timing_delay_context *) data;
+
+    ctx->int_ms = int_ms;
+    ctx->fin_ms = fin_ms;
+
+    if( fin_ms != 0 )
+        (void) mbedtls_timing_get_timer( &ctx->timer, 1 );
+}
+
+/*
+ * Get number of delays expired
+ */
+int mbedtls_timing_get_delay( void *data )
+{
+    mbedtls_timing_delay_context *ctx = (mbedtls_timing_delay_context *) data;
+    unsigned long elapsed_ms;
+
+    if( ctx->fin_ms == 0 )
+        return( -1 );
+
+    elapsed_ms = mbedtls_timing_get_timer( &ctx->timer, 0 );
+
+    if( elapsed_ms >= ctx->fin_ms )
+        return( 2 );
+
+    if( elapsed_ms >= ctx->int_ms )
+        return( 1 );
+
+    return( 0 );
+}
+
+#endif /* !MBEDTLS_TIMING_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Busy-waits for the given number of milliseconds.
+ * Used for testing mbedtls_timing_hardclock.
+ */
+static void busy_msleep( unsigned long msec )
+{
+    struct mbedtls_timing_hr_time hires;
+    unsigned long i = 0; /* for busy-waiting */
+    volatile unsigned long j; /* to prevent optimisation */
+
+    (void) mbedtls_timing_get_timer( &hires, 1 );
+
+    while( mbedtls_timing_get_timer( &hires, 0 ) < msec )
+        i++;
+
+    j = i;
+    (void) j;
+}
+
+#define FAIL    do                                                      \
+    {                                                                   \
+        if( verbose != 0 )                                              \
+        {                                                               \
+            mbedtls_printf( "failed at line %d\n", __LINE__ );          \
+            mbedtls_printf( " cycles=%lu ratio=%lu millisecs=%lu secs=%lu hardfail=%d a=%lu b=%lu\n", \
+                            cycles, ratio, millisecs, secs, hardfail,   \
+                            (unsigned long) a, (unsigned long) b );     \
+            mbedtls_printf( " elapsed(hires)=%lu elapsed(ctx)=%lu status(ctx)=%d\n", \
+                            mbedtls_timing_get_timer( &hires, 0 ),      \
+                            mbedtls_timing_get_timer( &ctx.timer, 0 ),  \
+                            mbedtls_timing_get_delay( &ctx ) );         \
+        }                                                               \
+        return( 1 );                                                    \
+    } while( 0 )
+
+/*
+ * Checkup routine
+ *
+ * Warning: this is work in progress, some tests may not be reliable enough
+ * yet! False positives may happen.
+ */
+int mbedtls_timing_self_test( int verbose )
+{
+    unsigned long cycles = 0, ratio = 0;
+    unsigned long millisecs = 0, secs = 0;
+    int hardfail = 0;
+    struct mbedtls_timing_hr_time hires;
+    uint32_t a = 0, b = 0;
+    mbedtls_timing_delay_context ctx;
+
+    if( verbose != 0 )
+        mbedtls_printf( "  TIMING tests note: will take some time!\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  TIMING test #1 (set_alarm / get_timer): " );
+
+    {
+        secs = 1;
+
+        (void) mbedtls_timing_get_timer( &hires, 1 );
+
+        mbedtls_set_alarm( (int) secs );
+        while( !mbedtls_timing_alarmed )
+            ;
+
+        millisecs = mbedtls_timing_get_timer( &hires, 0 );
+
+        /* For some reason on Windows it looks like alarm has an extra delay
+         * (maybe related to creating a new thread). Allow some room here. */
+        if( millisecs < 800 * secs || millisecs > 1200 * secs + 300 )
+            FAIL;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  TIMING test #2 (set/get_delay        ): " );
+
+    {
+        a = 800;
+        b = 400;
+        mbedtls_timing_set_delay( &ctx, a, a + b );          /* T = 0 */
+
+        busy_msleep( a - a / 4 );                      /* T = a - a/4 */
+        if( mbedtls_timing_get_delay( &ctx ) != 0 )
+            FAIL;
+
+        busy_msleep( a / 4 + b / 4 );                  /* T = a + b/4 */
+        if( mbedtls_timing_get_delay( &ctx ) != 1 )
+            FAIL;
+
+        busy_msleep( b );                          /* T = a + b + b/4 */
+        if( mbedtls_timing_get_delay( &ctx ) != 2 )
+            FAIL;
+    }
+
+    mbedtls_timing_set_delay( &ctx, 0, 0 );
+    busy_msleep( 200 );
+    if( mbedtls_timing_get_delay( &ctx ) != -1 )
+        FAIL;
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  TIMING test #3 (hardclock / get_timer): " );
+
+    /*
+     * Allow one failure for possible counter wrapping.
+     * On a 4Ghz 32-bit machine the cycle counter wraps about once per second;
+     * since the whole test is about 10ms, it shouldn't happen twice in a row.
+     */
+
+hard_test:
+    if( hardfail > 1 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed (ignored)\n" );
+
+        goto hard_test_done;
+    }
+
+    /* Get a reference ratio cycles/ms */
+    millisecs = 1;
+    cycles = mbedtls_timing_hardclock();
+    busy_msleep( millisecs );
+    cycles = mbedtls_timing_hardclock() - cycles;
+    ratio = cycles / millisecs;
+
+    /* Check that the ratio is mostly constant */
+    for( millisecs = 2; millisecs <= 4; millisecs++ )
+    {
+        cycles = mbedtls_timing_hardclock();
+        busy_msleep( millisecs );
+        cycles = mbedtls_timing_hardclock() - cycles;
+
+        /* Allow variation up to 20% */
+        if( cycles / millisecs < ratio - ratio / 5 ||
+            cycles / millisecs > ratio + ratio / 5 )
+        {
+            hardfail++;
+            goto hard_test;
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+hard_test_done:
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_TIMING_C */
diff --git a/third-party/mbedtls-3.6/library/version.c b/third-party/mbedtls-3.6/library/version.c
new file mode 100644
index 00000000..22682b85
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/version.c
@@ -0,0 +1,75 @@
+/*
+ *  Version information
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_VERSION_C)
+
+#include "mbedtls/version.h"
+#include <string.h>
+
+unsigned int mbedtls_version_get_number()
+{
+    return( MBEDTLS_VERSION_NUMBER );
+}
+
+void mbedtls_version_get_string( char *string )
+{
+    memcpy( string, MBEDTLS_VERSION_STRING,
+            sizeof( MBEDTLS_VERSION_STRING ) );
+}
+
+void mbedtls_version_get_string_full( char *string )
+{
+    memcpy( string, MBEDTLS_VERSION_STRING_FULL,
+            sizeof( MBEDTLS_VERSION_STRING_FULL ) );
+}
+
+#endif /* MBEDTLS_VERSION_C */
diff --git a/third-party/mbedtls-3.6/library/version_features.c b/third-party/mbedtls-3.6/library/version_features.c
new file mode 100644
index 00000000..ee13f789
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/version_features.c
@@ -0,0 +1,759 @@
+/*
+ *  Version feature information
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_VERSION_C)
+
+#include "mbedtls/version.h"
+
+#include <string.h>
+
+static const char *features[] = {
+#if defined(MBEDTLS_VERSION_FEATURES)
+#if defined(MBEDTLS_HAVE_ASM)
+    "MBEDTLS_HAVE_ASM",
+#endif /* MBEDTLS_HAVE_ASM */
+#if defined(MBEDTLS_NO_UDBL_DIVISION)
+    "MBEDTLS_NO_UDBL_DIVISION",
+#endif /* MBEDTLS_NO_UDBL_DIVISION */
+#if defined(MBEDTLS_HAVE_SSE2)
+    "MBEDTLS_HAVE_SSE2",
+#endif /* MBEDTLS_HAVE_SSE2 */
+#if defined(MBEDTLS_HAVE_TIME)
+    "MBEDTLS_HAVE_TIME",
+#endif /* MBEDTLS_HAVE_TIME */
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+    "MBEDTLS_HAVE_TIME_DATE",
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+#if defined(MBEDTLS_PLATFORM_MEMORY)
+    "MBEDTLS_PLATFORM_MEMORY",
+#endif /* MBEDTLS_PLATFORM_MEMORY */
+#if defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+    "MBEDTLS_PLATFORM_NO_STD_FUNCTIONS",
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+    "MBEDTLS_PLATFORM_EXIT_ALT",
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+    "MBEDTLS_PLATFORM_TIME_ALT",
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+    "MBEDTLS_PLATFORM_FPRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+    "MBEDTLS_PLATFORM_PRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+    "MBEDTLS_PLATFORM_SNPRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+    "MBEDTLS_PLATFORM_NV_SEED_ALT",
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#if defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+    "MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT",
+#endif /* MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+    "MBEDTLS_DEPRECATED_WARNING",
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+    "MBEDTLS_DEPRECATED_REMOVED",
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#if defined(MBEDTLS_TIMING_ALT)
+    "MBEDTLS_TIMING_ALT",
+#endif /* MBEDTLS_TIMING_ALT */
+#if defined(MBEDTLS_AES_ALT)
+    "MBEDTLS_AES_ALT",
+#endif /* MBEDTLS_AES_ALT */
+#if defined(MBEDTLS_ARC4_ALT)
+    "MBEDTLS_ARC4_ALT",
+#endif /* MBEDTLS_ARC4_ALT */
+#if defined(MBEDTLS_BLOWFISH_ALT)
+    "MBEDTLS_BLOWFISH_ALT",
+#endif /* MBEDTLS_BLOWFISH_ALT */
+#if defined(MBEDTLS_CAMELLIA_ALT)
+    "MBEDTLS_CAMELLIA_ALT",
+#endif /* MBEDTLS_CAMELLIA_ALT */
+#if defined(MBEDTLS_CCM_ALT)
+    "MBEDTLS_CCM_ALT",
+#endif /* MBEDTLS_CCM_ALT */
+#if defined(MBEDTLS_CMAC_ALT)
+    "MBEDTLS_CMAC_ALT",
+#endif /* MBEDTLS_CMAC_ALT */
+#if defined(MBEDTLS_DES_ALT)
+    "MBEDTLS_DES_ALT",
+#endif /* MBEDTLS_DES_ALT */
+#if defined(MBEDTLS_DHM_ALT)
+    "MBEDTLS_DHM_ALT",
+#endif /* MBEDTLS_DHM_ALT */
+#if defined(MBEDTLS_ECJPAKE_ALT)
+    "MBEDTLS_ECJPAKE_ALT",
+#endif /* MBEDTLS_ECJPAKE_ALT */
+#if defined(MBEDTLS_GCM_ALT)
+    "MBEDTLS_GCM_ALT",
+#endif /* MBEDTLS_GCM_ALT */
+#if defined(MBEDTLS_MD2_ALT)
+    "MBEDTLS_MD2_ALT",
+#endif /* MBEDTLS_MD2_ALT */
+#if defined(MBEDTLS_MD4_ALT)
+    "MBEDTLS_MD4_ALT",
+#endif /* MBEDTLS_MD4_ALT */
+#if defined(MBEDTLS_MD5_ALT)
+    "MBEDTLS_MD5_ALT",
+#endif /* MBEDTLS_MD5_ALT */
+#if defined(MBEDTLS_RIPEMD160_ALT)
+    "MBEDTLS_RIPEMD160_ALT",
+#endif /* MBEDTLS_RIPEMD160_ALT */
+#if defined(MBEDTLS_RSA_ALT)
+    "MBEDTLS_RSA_ALT",
+#endif /* MBEDTLS_RSA_ALT */
+#if defined(MBEDTLS_SHA1_ALT)
+    "MBEDTLS_SHA1_ALT",
+#endif /* MBEDTLS_SHA1_ALT */
+#if defined(MBEDTLS_SHA256_ALT)
+    "MBEDTLS_SHA256_ALT",
+#endif /* MBEDTLS_SHA256_ALT */
+#if defined(MBEDTLS_SHA512_ALT)
+    "MBEDTLS_SHA512_ALT",
+#endif /* MBEDTLS_SHA512_ALT */
+#if defined(MBEDTLS_XTEA_ALT)
+    "MBEDTLS_XTEA_ALT",
+#endif /* MBEDTLS_XTEA_ALT */
+#if defined(MBEDTLS_ECP_ALT)
+    "MBEDTLS_ECP_ALT",
+#endif /* MBEDTLS_ECP_ALT */
+#if defined(MBEDTLS_MD2_PROCESS_ALT)
+    "MBEDTLS_MD2_PROCESS_ALT",
+#endif /* MBEDTLS_MD2_PROCESS_ALT */
+#if defined(MBEDTLS_MD4_PROCESS_ALT)
+    "MBEDTLS_MD4_PROCESS_ALT",
+#endif /* MBEDTLS_MD4_PROCESS_ALT */
+#if defined(MBEDTLS_MD5_PROCESS_ALT)
+    "MBEDTLS_MD5_PROCESS_ALT",
+#endif /* MBEDTLS_MD5_PROCESS_ALT */
+#if defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
+    "MBEDTLS_RIPEMD160_PROCESS_ALT",
+#endif /* MBEDTLS_RIPEMD160_PROCESS_ALT */
+#if defined(MBEDTLS_SHA1_PROCESS_ALT)
+    "MBEDTLS_SHA1_PROCESS_ALT",
+#endif /* MBEDTLS_SHA1_PROCESS_ALT */
+#if defined(MBEDTLS_SHA256_PROCESS_ALT)
+    "MBEDTLS_SHA256_PROCESS_ALT",
+#endif /* MBEDTLS_SHA256_PROCESS_ALT */
+#if defined(MBEDTLS_SHA512_PROCESS_ALT)
+    "MBEDTLS_SHA512_PROCESS_ALT",
+#endif /* MBEDTLS_SHA512_PROCESS_ALT */
+#if defined(MBEDTLS_DES_SETKEY_ALT)
+    "MBEDTLS_DES_SETKEY_ALT",
+#endif /* MBEDTLS_DES_SETKEY_ALT */
+#if defined(MBEDTLS_DES_CRYPT_ECB_ALT)
+    "MBEDTLS_DES_CRYPT_ECB_ALT",
+#endif /* MBEDTLS_DES_CRYPT_ECB_ALT */
+#if defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
+    "MBEDTLS_DES3_CRYPT_ECB_ALT",
+#endif /* MBEDTLS_DES3_CRYPT_ECB_ALT */
+#if defined(MBEDTLS_AES_SETKEY_ENC_ALT)
+    "MBEDTLS_AES_SETKEY_ENC_ALT",
+#endif /* MBEDTLS_AES_SETKEY_ENC_ALT */
+#if defined(MBEDTLS_AES_SETKEY_DEC_ALT)
+    "MBEDTLS_AES_SETKEY_DEC_ALT",
+#endif /* MBEDTLS_AES_SETKEY_DEC_ALT */
+#if defined(MBEDTLS_AES_ENCRYPT_ALT)
+    "MBEDTLS_AES_ENCRYPT_ALT",
+#endif /* MBEDTLS_AES_ENCRYPT_ALT */
+#if defined(MBEDTLS_AES_DECRYPT_ALT)
+    "MBEDTLS_AES_DECRYPT_ALT",
+#endif /* MBEDTLS_AES_DECRYPT_ALT */
+#if defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
+    "MBEDTLS_ECDH_GEN_PUBLIC_ALT",
+#endif /* MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+#if defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
+    "MBEDTLS_ECDH_COMPUTE_SHARED_ALT",
+#endif /* MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+    "MBEDTLS_ECDSA_VERIFY_ALT",
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+    "MBEDTLS_ECDSA_SIGN_ALT",
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+#if defined(MBEDTLS_ECDSA_GENKEY_ALT)
+    "MBEDTLS_ECDSA_GENKEY_ALT",
+#endif /* MBEDTLS_ECDSA_GENKEY_ALT */
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    "MBEDTLS_ECP_INTERNAL_ALT",
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+    "MBEDTLS_ECP_RANDOMIZE_JAC_ALT",
+#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+    "MBEDTLS_ECP_ADD_MIXED_ALT",
+#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+    "MBEDTLS_ECP_DOUBLE_JAC_ALT",
+#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+    "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT",
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+    "MBEDTLS_ECP_NORMALIZE_JAC_ALT",
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+    "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT",
+#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+    "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT",
+#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+    "MBEDTLS_ECP_NORMALIZE_MXZ_ALT",
+#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+    "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN",
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND)
+    "MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND",
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND */
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+    "MBEDTLS_TEST_NULL_ENTROPY",
+#endif /* MBEDTLS_TEST_NULL_ENTROPY */
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+    "MBEDTLS_ENTROPY_HARDWARE_ALT",
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+#if defined(MBEDTLS_AES_ROM_TABLES)
+    "MBEDTLS_AES_ROM_TABLES",
+#endif /* MBEDTLS_AES_ROM_TABLES */
+#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
+    "MBEDTLS_CAMELLIA_SMALL_MEMORY",
+#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    "MBEDTLS_CIPHER_MODE_CBC",
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    "MBEDTLS_CIPHER_MODE_CFB",
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    "MBEDTLS_CIPHER_MODE_CTR",
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    "MBEDTLS_CIPHER_NULL_CIPHER",
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    "MBEDTLS_CIPHER_PADDING_PKCS7",
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+    "MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS",
+#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+    "MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN",
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+    "MBEDTLS_CIPHER_PADDING_ZEROS",
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
+#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
+    "MBEDTLS_ENABLE_WEAK_CIPHERSUITES",
+#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+    "MBEDTLS_REMOVE_ARC4_CIPHERSUITES",
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+    "MBEDTLS_REMOVE_3DES_CIPHERSUITES",
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP192R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP224R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP256R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP384R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP521R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP192K1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP224K1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP256K1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+    "MBEDTLS_ECP_DP_BP256R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+    "MBEDTLS_ECP_DP_BP384R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+    "MBEDTLS_ECP_DP_BP512R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+    "MBEDTLS_ECP_DP_CURVE25519_ENABLED",
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+    "MBEDTLS_ECP_NIST_OPTIM",
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+    "MBEDTLS_ECP_NO_INTERNAL_RNG",
+#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    "MBEDTLS_ECDSA_DETERMINISTIC",
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+    "MBEDTLS_PK_PARSE_EC_EXTENDED",
+#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+    "MBEDTLS_ERROR_STRERROR_DUMMY",
+#endif /* MBEDTLS_ERROR_STRERROR_DUMMY */
+#if defined(MBEDTLS_GENPRIME)
+    "MBEDTLS_GENPRIME",
+#endif /* MBEDTLS_GENPRIME */
+#if defined(MBEDTLS_FS_IO)
+    "MBEDTLS_FS_IO",
+#endif /* MBEDTLS_FS_IO */
+#if defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+    "MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES",
+#endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
+#if defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+    "MBEDTLS_NO_PLATFORM_ENTROPY",
+#endif /* MBEDTLS_NO_PLATFORM_ENTROPY */
+#if defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+    "MBEDTLS_ENTROPY_FORCE_SHA256",
+#endif /* MBEDTLS_ENTROPY_FORCE_SHA256 */
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    "MBEDTLS_ENTROPY_NV_SEED",
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    "MBEDTLS_MEMORY_DEBUG",
+#endif /* MBEDTLS_MEMORY_DEBUG */
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    "MBEDTLS_MEMORY_BACKTRACE",
+#endif /* MBEDTLS_MEMORY_BACKTRACE */
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+    "MBEDTLS_PK_RSA_ALT_SUPPORT",
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+#if defined(MBEDTLS_PKCS1_V15)
+    "MBEDTLS_PKCS1_V15",
+#endif /* MBEDTLS_PKCS1_V15 */
+#if defined(MBEDTLS_PKCS1_V21)
+    "MBEDTLS_PKCS1_V21",
+#endif /* MBEDTLS_PKCS1_V21 */
+#if defined(MBEDTLS_RSA_NO_CRT)
+    "MBEDTLS_RSA_NO_CRT",
+#endif /* MBEDTLS_RSA_NO_CRT */
+#if defined(MBEDTLS_SELF_TEST)
+    "MBEDTLS_SELF_TEST",
+#endif /* MBEDTLS_SELF_TEST */
+#if defined(MBEDTLS_SHA256_SMALLER)
+    "MBEDTLS_SHA256_SMALLER",
+#endif /* MBEDTLS_SHA256_SMALLER */
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+    "MBEDTLS_SSL_ALL_ALERT_MESSAGES",
+#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    "MBEDTLS_SSL_DEBUG_ALL",
+#endif /* MBEDTLS_SSL_DEBUG_ALL */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    "MBEDTLS_SSL_ENCRYPT_THEN_MAC",
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    "MBEDTLS_SSL_EXTENDED_MASTER_SECRET",
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    "MBEDTLS_SSL_FALLBACK_SCSV",
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    "MBEDTLS_SSL_HW_RECORD_ACCEL",
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    "MBEDTLS_SSL_CBC_RECORD_SPLITTING",
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    "MBEDTLS_SSL_RENEGOTIATION",
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+    "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO",
+#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    "MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE",
+#endif /* MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE */
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH",
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    "MBEDTLS_SSL_PROTO_SSL3",
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+    "MBEDTLS_SSL_PROTO_TLS1",
+#endif /* MBEDTLS_SSL_PROTO_TLS1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    "MBEDTLS_SSL_PROTO_TLS1_1",
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    "MBEDTLS_SSL_PROTO_TLS1_2",
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    "MBEDTLS_SSL_PROTO_DTLS",
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_ALPN)
+    "MBEDTLS_SSL_ALPN",
+#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    "MBEDTLS_SSL_DTLS_ANTI_REPLAY",
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+    "MBEDTLS_SSL_DTLS_HELLO_VERIFY",
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
+    "MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE",
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE */
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    "MBEDTLS_SSL_DTLS_BADMAC_LIMIT",
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    "MBEDTLS_SSL_SESSION_TICKETS",
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    "MBEDTLS_SSL_EXPORT_KEYS",
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    "MBEDTLS_SSL_SERVER_NAME_INDICATION",
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    "MBEDTLS_SSL_TRUNCATED_HMAC",
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
+    "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT",
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */
+#if defined(MBEDTLS_TEST_HOOKS)
+    "MBEDTLS_TEST_HOOKS",
+#endif /* MBEDTLS_TEST_HOOKS */
+#if defined(MBEDTLS_THREADING_ALT)
+    "MBEDTLS_THREADING_ALT",
+#endif /* MBEDTLS_THREADING_ALT */
+#if defined(MBEDTLS_THREADING_PTHREAD)
+    "MBEDTLS_THREADING_PTHREAD",
+#endif /* MBEDTLS_THREADING_PTHREAD */
+#if defined(MBEDTLS_VERSION_FEATURES)
+    "MBEDTLS_VERSION_FEATURES",
+#endif /* MBEDTLS_VERSION_FEATURES */
+#if defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
+    "MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3",
+#endif /* MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 */
+#if defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+    "MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION",
+#endif /* MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION */
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    "MBEDTLS_X509_CHECK_KEY_USAGE",
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    "MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE",
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    "MBEDTLS_X509_RSASSA_PSS_SUPPORT",
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    "MBEDTLS_ZLIB_SUPPORT",
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+#if defined(MBEDTLS_AESNI_C)
+    "MBEDTLS_AESNI_C",
+#endif /* MBEDTLS_AESNI_C */
+#if defined(MBEDTLS_AES_C)
+    "MBEDTLS_AES_C",
+#endif /* MBEDTLS_AES_C */
+#if defined(MBEDTLS_ARC4_C)
+    "MBEDTLS_ARC4_C",
+#endif /* MBEDTLS_ARC4_C */
+#if defined(MBEDTLS_ASN1_PARSE_C)
+    "MBEDTLS_ASN1_PARSE_C",
+#endif /* MBEDTLS_ASN1_PARSE_C */
+#if defined(MBEDTLS_ASN1_WRITE_C)
+    "MBEDTLS_ASN1_WRITE_C",
+#endif /* MBEDTLS_ASN1_WRITE_C */
+#if defined(MBEDTLS_BASE64_C)
+    "MBEDTLS_BASE64_C",
+#endif /* MBEDTLS_BASE64_C */
+#if defined(MBEDTLS_BIGNUM_C)
+    "MBEDTLS_BIGNUM_C",
+#endif /* MBEDTLS_BIGNUM_C */
+#if defined(MBEDTLS_BLOWFISH_C)
+    "MBEDTLS_BLOWFISH_C",
+#endif /* MBEDTLS_BLOWFISH_C */
+#if defined(MBEDTLS_CAMELLIA_C)
+    "MBEDTLS_CAMELLIA_C",
+#endif /* MBEDTLS_CAMELLIA_C */
+#if defined(MBEDTLS_CCM_C)
+    "MBEDTLS_CCM_C",
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CERTS_C)
+    "MBEDTLS_CERTS_C",
+#endif /* MBEDTLS_CERTS_C */
+#if defined(MBEDTLS_CIPHER_C)
+    "MBEDTLS_CIPHER_C",
+#endif /* MBEDTLS_CIPHER_C */
+#if defined(MBEDTLS_CMAC_C)
+    "MBEDTLS_CMAC_C",
+#endif /* MBEDTLS_CMAC_C */
+#if defined(MBEDTLS_CTR_DRBG_C)
+    "MBEDTLS_CTR_DRBG_C",
+#endif /* MBEDTLS_CTR_DRBG_C */
+#if defined(MBEDTLS_DEBUG_C)
+    "MBEDTLS_DEBUG_C",
+#endif /* MBEDTLS_DEBUG_C */
+#if defined(MBEDTLS_DES_C)
+    "MBEDTLS_DES_C",
+#endif /* MBEDTLS_DES_C */
+#if defined(MBEDTLS_DHM_C)
+    "MBEDTLS_DHM_C",
+#endif /* MBEDTLS_DHM_C */
+#if defined(MBEDTLS_ECDH_C)
+    "MBEDTLS_ECDH_C",
+#endif /* MBEDTLS_ECDH_C */
+#if defined(MBEDTLS_ECDSA_C)
+    "MBEDTLS_ECDSA_C",
+#endif /* MBEDTLS_ECDSA_C */
+#if defined(MBEDTLS_ECJPAKE_C)
+    "MBEDTLS_ECJPAKE_C",
+#endif /* MBEDTLS_ECJPAKE_C */
+#if defined(MBEDTLS_ECP_C)
+    "MBEDTLS_ECP_C",
+#endif /* MBEDTLS_ECP_C */
+#if defined(MBEDTLS_ENTROPY_C)
+    "MBEDTLS_ENTROPY_C",
+#endif /* MBEDTLS_ENTROPY_C */
+#if defined(MBEDTLS_ERROR_C)
+    "MBEDTLS_ERROR_C",
+#endif /* MBEDTLS_ERROR_C */
+#if defined(MBEDTLS_GCM_C)
+    "MBEDTLS_GCM_C",
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_HAVEGE_C)
+    "MBEDTLS_HAVEGE_C",
+#endif /* MBEDTLS_HAVEGE_C */
+#if defined(MBEDTLS_HMAC_DRBG_C)
+    "MBEDTLS_HMAC_DRBG_C",
+#endif /* MBEDTLS_HMAC_DRBG_C */
+#if defined(MBEDTLS_MD_C)
+    "MBEDTLS_MD_C",
+#endif /* MBEDTLS_MD_C */
+#if defined(MBEDTLS_MD2_C)
+    "MBEDTLS_MD2_C",
+#endif /* MBEDTLS_MD2_C */
+#if defined(MBEDTLS_MD4_C)
+    "MBEDTLS_MD4_C",
+#endif /* MBEDTLS_MD4_C */
+#if defined(MBEDTLS_MD5_C)
+    "MBEDTLS_MD5_C",
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+    "MBEDTLS_MEMORY_BUFFER_ALLOC_C",
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
+#if defined(MBEDTLS_NET_C)
+    "MBEDTLS_NET_C",
+#endif /* MBEDTLS_NET_C */
+#if defined(MBEDTLS_OID_C)
+    "MBEDTLS_OID_C",
+#endif /* MBEDTLS_OID_C */
+#if defined(MBEDTLS_PADLOCK_C)
+    "MBEDTLS_PADLOCK_C",
+#endif /* MBEDTLS_PADLOCK_C */
+#if defined(MBEDTLS_PEM_PARSE_C)
+    "MBEDTLS_PEM_PARSE_C",
+#endif /* MBEDTLS_PEM_PARSE_C */
+#if defined(MBEDTLS_PEM_WRITE_C)
+    "MBEDTLS_PEM_WRITE_C",
+#endif /* MBEDTLS_PEM_WRITE_C */
+#if defined(MBEDTLS_PK_C)
+    "MBEDTLS_PK_C",
+#endif /* MBEDTLS_PK_C */
+#if defined(MBEDTLS_PK_PARSE_C)
+    "MBEDTLS_PK_PARSE_C",
+#endif /* MBEDTLS_PK_PARSE_C */
+#if defined(MBEDTLS_PK_WRITE_C)
+    "MBEDTLS_PK_WRITE_C",
+#endif /* MBEDTLS_PK_WRITE_C */
+#if defined(MBEDTLS_PKCS5_C)
+    "MBEDTLS_PKCS5_C",
+#endif /* MBEDTLS_PKCS5_C */
+#if defined(MBEDTLS_PKCS11_C)
+    "MBEDTLS_PKCS11_C",
+#endif /* MBEDTLS_PKCS11_C */
+#if defined(MBEDTLS_PKCS12_C)
+    "MBEDTLS_PKCS12_C",
+#endif /* MBEDTLS_PKCS12_C */
+#if defined(MBEDTLS_PLATFORM_C)
+    "MBEDTLS_PLATFORM_C",
+#endif /* MBEDTLS_PLATFORM_C */
+#if defined(MBEDTLS_RIPEMD160_C)
+    "MBEDTLS_RIPEMD160_C",
+#endif /* MBEDTLS_RIPEMD160_C */
+#if defined(MBEDTLS_RSA_C)
+    "MBEDTLS_RSA_C",
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_SHA1_C)
+    "MBEDTLS_SHA1_C",
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    "MBEDTLS_SHA256_C",
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    "MBEDTLS_SHA512_C",
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_SSL_CACHE_C)
+    "MBEDTLS_SSL_CACHE_C",
+#endif /* MBEDTLS_SSL_CACHE_C */
+#if defined(MBEDTLS_SSL_COOKIE_C)
+    "MBEDTLS_SSL_COOKIE_C",
+#endif /* MBEDTLS_SSL_COOKIE_C */
+#if defined(MBEDTLS_SSL_TICKET_C)
+    "MBEDTLS_SSL_TICKET_C",
+#endif /* MBEDTLS_SSL_TICKET_C */
+#if defined(MBEDTLS_SSL_CLI_C)
+    "MBEDTLS_SSL_CLI_C",
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+    "MBEDTLS_SSL_SRV_C",
+#endif /* MBEDTLS_SSL_SRV_C */
+#if defined(MBEDTLS_SSL_TLS_C)
+    "MBEDTLS_SSL_TLS_C",
+#endif /* MBEDTLS_SSL_TLS_C */
+#if defined(MBEDTLS_THREADING_C)
+    "MBEDTLS_THREADING_C",
+#endif /* MBEDTLS_THREADING_C */
+#if defined(MBEDTLS_TIMING_C)
+    "MBEDTLS_TIMING_C",
+#endif /* MBEDTLS_TIMING_C */
+#if defined(MBEDTLS_VERSION_C)
+    "MBEDTLS_VERSION_C",
+#endif /* MBEDTLS_VERSION_C */
+#if defined(MBEDTLS_X509_USE_C)
+    "MBEDTLS_X509_USE_C",
+#endif /* MBEDTLS_X509_USE_C */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    "MBEDTLS_X509_CRT_PARSE_C",
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+    "MBEDTLS_X509_CRL_PARSE_C",
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+    "MBEDTLS_X509_CSR_PARSE_C",
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
+#if defined(MBEDTLS_X509_CREATE_C)
+    "MBEDTLS_X509_CREATE_C",
+#endif /* MBEDTLS_X509_CREATE_C */
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+    "MBEDTLS_X509_CRT_WRITE_C",
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+    "MBEDTLS_X509_CSR_WRITE_C",
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
+#if defined(MBEDTLS_XTEA_C)
+    "MBEDTLS_XTEA_C",
+#endif /* MBEDTLS_XTEA_C */
+#endif /* MBEDTLS_VERSION_FEATURES */
+    NULL
+};
+
+int mbedtls_version_check_feature( const char *feature )
+{
+    const char **idx = features;
+
+    if( *idx == NULL )
+        return( -2 );
+
+    if( feature == NULL )
+        return( -1 );
+
+    while( *idx != NULL )
+    {
+        if( !strcmp( *idx, feature ) )
+            return( 0 );
+        idx++;
+    }
+    return( -1 );
+}
+
+#endif /* MBEDTLS_VERSION_C */
diff --git a/third-party/mbedtls-3.6/library/x509.c b/third-party/mbedtls-3.6/library/x509.c
new file mode 100644
index 00000000..377c106d
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/x509.c
@@ -0,0 +1,1121 @@
+/*
+ *  X.509 common functions for parsing and verification
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_USE_C)
+
+#include "mbedtls/x509.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/oid.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_free      free
+#define mbedtls_calloc    calloc
+#define mbedtls_printf    printf
+#define mbedtls_snprintf  snprintf
+#endif
+
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#include <windows.h>
+#else
+#include <time.h>
+#endif
+
+#define CHECK(code) if( ( ret = code ) != 0 ){ return( ret ); }
+#define CHECK_RANGE(min, max, val) if( val < min || val > max ){ return( ret ); }
+
+/*
+ *  CertificateSerialNumber  ::=  INTEGER
+ */
+int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
+                     mbedtls_x509_buf *serial )
+{
+    int ret;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_SERIAL +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( **p != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_PRIMITIVE | 2 ) &&
+        **p !=   MBEDTLS_ASN1_INTEGER )
+        return( MBEDTLS_ERR_X509_INVALID_SERIAL +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    serial->tag = *(*p)++;
+
+    if( ( ret = mbedtls_asn1_get_len( p, end, &serial->len ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_SERIAL + ret );
+
+    serial->p = *p;
+    *p += serial->len;
+
+    return( 0 );
+}
+
+/* Get an algorithm identifier without parameters (eg for signatures)
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *       algorithm               OBJECT IDENTIFIER,
+ *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ */
+int mbedtls_x509_get_alg_null( unsigned char **p, const unsigned char *end,
+                       mbedtls_x509_buf *alg )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    return( 0 );
+}
+
+/*
+ * Parse an algorithm identifier with (optional) parameters
+ */
+int mbedtls_x509_get_alg( unsigned char **p, const unsigned char *end,
+                  mbedtls_x509_buf *alg, mbedtls_x509_buf *params )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_alg( p, end, alg, params ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+/*
+ * HashAlgorithm ::= AlgorithmIdentifier
+ *
+ * AlgorithmIdentifier  ::=  SEQUENCE  {
+ *      algorithm               OBJECT IDENTIFIER,
+ *      parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ *
+ * For HashAlgorithm, parameters MUST be NULL or absent.
+ */
+static int x509_get_hash_alg( const mbedtls_x509_buf *alg, mbedtls_md_type_t *md_alg )
+{
+    int ret;
+    unsigned char *p;
+    const unsigned char *end;
+    mbedtls_x509_buf md_oid;
+    size_t len;
+
+    /* Make sure we got a SEQUENCE and setup bounds */
+    if( alg->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    p = (unsigned char *) alg->p;
+    end = p + alg->len;
+
+    if( p >= end )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    /* Parse md_oid */
+    md_oid.tag = *p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &md_oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    md_oid.p = p;
+    p += md_oid.len;
+
+    /* Get md_alg from md_oid */
+    if( ( ret = mbedtls_oid_get_md_alg( &md_oid, md_alg ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    /* Make sure params is absent of NULL */
+    if( p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_NULL ) ) != 0 || len != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p != end )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ *    RSASSA-PSS-params  ::=  SEQUENCE  {
+ *       hashAlgorithm     [0] HashAlgorithm DEFAULT sha1Identifier,
+ *       maskGenAlgorithm  [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
+ *       saltLength        [2] INTEGER DEFAULT 20,
+ *       trailerField      [3] INTEGER DEFAULT 1  }
+ *    -- Note that the tags in this Sequence are explicit.
+ *
+ * RFC 4055 (which defines use of RSASSA-PSS in PKIX) states that the value
+ * of trailerField MUST be 1, and PKCS#1 v2.2 doesn't even define any other
+ * option. Enfore this at parsing time.
+ */
+int mbedtls_x509_get_rsassa_pss_params( const mbedtls_x509_buf *params,
+                                mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
+                                int *salt_len )
+{
+    int ret;
+    unsigned char *p;
+    const unsigned char *end, *end2;
+    size_t len;
+    mbedtls_x509_buf alg_id, alg_params;
+
+    /* First set everything to defaults */
+    *md_alg = MBEDTLS_MD_SHA1;
+    *mgf_md = MBEDTLS_MD_SHA1;
+    *salt_len = 20;
+
+    /* Make sure params is a SEQUENCE and setup bounds */
+    if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    p = (unsigned char *) params->p;
+    end = p + params->len;
+
+    if( p == end )
+        return( 0 );
+
+    /*
+     * HashAlgorithm
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 )
+    {
+        end2 = p + len;
+
+        /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */
+        if( ( ret = mbedtls_x509_get_alg_null( &p, end2, &alg_id ) ) != 0 )
+            return( ret );
+
+        if( ( ret = mbedtls_oid_get_md_alg( &alg_id, md_alg ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+        if( p != end2 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+    else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p == end )
+        return( 0 );
+
+    /*
+     * MaskGenAlgorithm
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 )
+    {
+        end2 = p + len;
+
+        /* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */
+        if( ( ret = mbedtls_x509_get_alg( &p, end2, &alg_id, &alg_params ) ) != 0 )
+            return( ret );
+
+        /* Only MFG1 is recognised for now */
+        if( MBEDTLS_OID_CMP( MBEDTLS_OID_MGF1, &alg_id ) != 0 )
+            return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE +
+                    MBEDTLS_ERR_OID_NOT_FOUND );
+
+        /* Parse HashAlgorithm */
+        if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 )
+            return( ret );
+
+        if( p != end2 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+    else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p == end )
+        return( 0 );
+
+    /*
+     * salt_len
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 2 ) ) == 0 )
+    {
+        end2 = p + len;
+
+        if( ( ret = mbedtls_asn1_get_int( &p, end2, salt_len ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+        if( p != end2 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+    else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p == end )
+        return( 0 );
+
+    /*
+     * trailer_field (if present, must be 1)
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 3 ) ) == 0 )
+    {
+        int trailer_field;
+
+        end2 = p + len;
+
+        if( ( ret = mbedtls_asn1_get_int( &p, end2, &trailer_field ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+        if( p != end2 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+        if( trailer_field != 1 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG );
+    }
+    else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p != end )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
+/*
+ *  AttributeTypeAndValue ::= SEQUENCE {
+ *    type     AttributeType,
+ *    value    AttributeValue }
+ *
+ *  AttributeType ::= OBJECT IDENTIFIER
+ *
+ *  AttributeValue ::= ANY DEFINED BY AttributeType
+ */
+static int x509_get_attr_type_value( unsigned char **p,
+                                     const unsigned char *end,
+                                     mbedtls_x509_name *cur )
+{
+    int ret;
+    size_t len;
+    mbedtls_x509_buf *oid;
+    mbedtls_x509_buf *val;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+
+    end = *p + len;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    oid = &cur->oid;
+    oid->tag = **p;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &oid->len, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+
+    oid->p = *p;
+    *p += oid->len;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( **p != MBEDTLS_ASN1_BMP_STRING && **p != MBEDTLS_ASN1_UTF8_STRING      &&
+        **p != MBEDTLS_ASN1_T61_STRING && **p != MBEDTLS_ASN1_PRINTABLE_STRING &&
+        **p != MBEDTLS_ASN1_IA5_STRING && **p != MBEDTLS_ASN1_UNIVERSAL_STRING &&
+        **p != MBEDTLS_ASN1_BIT_STRING )
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    val = &cur->val;
+    val->tag = *(*p)++;
+
+    if( ( ret = mbedtls_asn1_get_len( p, end, &val->len ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+
+    val->p = *p;
+    *p += val->len;
+
+    if( *p != end )
+    {
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    cur->next = NULL;
+
+    return( 0 );
+}
+
+/*
+ *  Name ::= CHOICE { -- only one possibility for now --
+ *       rdnSequence  RDNSequence }
+ *
+ *  RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+ *
+ *  RelativeDistinguishedName ::=
+ *    SET OF AttributeTypeAndValue
+ *
+ *  AttributeTypeAndValue ::= SEQUENCE {
+ *    type     AttributeType,
+ *    value    AttributeValue }
+ *
+ *  AttributeType ::= OBJECT IDENTIFIER
+ *
+ *  AttributeValue ::= ANY DEFINED BY AttributeType
+ *
+ * The data structure is optimized for the common case where each RDN has only
+ * one element, which is represented as a list of AttributeTypeAndValue.
+ * For the general case we still use a flat list, but we mark elements of the
+ * same set so that they are "merged" together in the functions that consume
+ * this list, eg mbedtls_x509_dn_gets().
+ */
+int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
+                   mbedtls_x509_name *cur )
+{
+    int ret;
+    size_t set_len;
+    const unsigned char *end_set;
+
+    /* don't use recursion, we'd risk stack overflow if not optimized */
+    while( 1 )
+    {
+        /*
+         * parse SET
+         */
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &set_len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+
+        end_set  = *p + set_len;
+
+        while( 1 )
+        {
+            if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
+                return( ret );
+
+            if( *p == end_set )
+                break;
+
+            /* Mark this item as being no the only one in a set */
+            cur->next_merged = 1;
+
+            cur->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_name ) );
+
+            if( cur->next == NULL )
+                return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+            cur = cur->next;
+        }
+
+        /*
+         * continue until end of SEQUENCE is reached
+         */
+        if( *p == end )
+            return( 0 );
+
+        cur->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_name ) );
+
+        if( cur->next == NULL )
+            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+        cur = cur->next;
+    }
+}
+
+static int x509_parse_int( unsigned char **p, size_t n, int *res )
+{
+    *res = 0;
+
+    for( ; n > 0; --n )
+    {
+        if( ( **p < '0') || ( **p > '9' ) )
+            return ( MBEDTLS_ERR_X509_INVALID_DATE );
+
+        *res *= 10;
+        *res += ( *(*p)++ - '0' );
+    }
+
+    return( 0 );
+}
+
+static int x509_date_is_valid(const mbedtls_x509_time *t )
+{
+    int ret = MBEDTLS_ERR_X509_INVALID_DATE;
+    int month_len;
+
+    CHECK_RANGE( 0, 9999, t->year );
+    CHECK_RANGE( 0, 23,   t->hour );
+    CHECK_RANGE( 0, 59,   t->min  );
+    CHECK_RANGE( 0, 59,   t->sec  );
+
+    switch( t->mon )
+    {
+        case 1: case 3: case 5: case 7: case 8: case 10: case 12:
+            month_len = 31;
+            break;
+        case 4: case 6: case 9: case 11:
+            month_len = 30;
+            break;
+        case 2:
+            if( ( !( t->year % 4 ) && t->year % 100 ) ||
+                !( t->year % 400 ) )
+                month_len = 29;
+            else
+                month_len = 28;
+            break;
+        default:
+            return( ret );
+    }
+    CHECK_RANGE( 1, month_len, t->day );
+
+    return( 0 );
+}
+
+/*
+ * Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4)
+ * field.
+ */
+static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
+                            mbedtls_x509_time *tm )
+{
+    int ret;
+
+    /*
+     * Minimum length is 10 or 12 depending on yearlen
+     */
+    if ( len < yearlen + 8 )
+        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+    len -= yearlen + 8;
+
+    /*
+     * Parse year, month, day, hour, minute
+     */
+    CHECK( x509_parse_int( p, yearlen, &tm->year ) );
+    if ( 2 == yearlen )
+    {
+        if ( tm->year < 50 )
+            tm->year += 100;
+
+        tm->year += 1900;
+    }
+
+    CHECK( x509_parse_int( p, 2, &tm->mon ) );
+    CHECK( x509_parse_int( p, 2, &tm->day ) );
+    CHECK( x509_parse_int( p, 2, &tm->hour ) );
+    CHECK( x509_parse_int( p, 2, &tm->min ) );
+
+    /*
+     * Parse seconds if present
+     */
+    if ( len >= 2 )
+    {
+        CHECK( x509_parse_int( p, 2, &tm->sec ) );
+        len -= 2;
+    }
+    else
+        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+
+    /*
+     * Parse trailing 'Z' if present
+     */
+    if ( 1 == len && 'Z' == **p )
+    {
+        (*p)++;
+        len--;
+    }
+
+    /*
+     * We should have parsed all characters at this point
+     */
+    if ( 0 != len )
+        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+
+    CHECK( x509_date_is_valid( tm ) );
+
+    return ( 0 );
+}
+
+/*
+ *  Time ::= CHOICE {
+ *       utcTime        UTCTime,
+ *       generalTime    GeneralizedTime }
+ */
+int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
+                           mbedtls_x509_time *tm )
+{
+    int ret;
+    size_t len, year_len;
+    unsigned char tag;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    tag = **p;
+
+    if( tag == MBEDTLS_ASN1_UTC_TIME )
+        year_len = 2;
+    else if( tag == MBEDTLS_ASN1_GENERALIZED_TIME )
+        year_len = 4;
+    else
+        return( MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    (*p)++;
+    ret = mbedtls_asn1_get_len( p, end, &len );
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
+
+    return x509_parse_time( p, len, year_len, tm );
+}
+
+int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig )
+{
+    int ret;
+    size_t len;
+    int tag_type;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_SIGNATURE +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    tag_type = **p;
+
+    if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_SIGNATURE + ret );
+
+    sig->tag = tag_type;
+    sig->len = len;
+    sig->p = *p;
+
+    *p += len;
+
+    return( 0 );
+}
+
+/*
+ * Get signature algorithm from alg OID and optional parameters
+ */
+int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
+                      mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
+                      void **sig_opts )
+{
+    int ret;
+
+    if( *sig_opts != NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_oid_get_sig_alg( sig_oid, md_alg, pk_alg ) ) != 0 )
+        return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + ret );
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    if( *pk_alg == MBEDTLS_PK_RSASSA_PSS )
+    {
+        mbedtls_pk_rsassa_pss_options *pss_opts;
+
+        pss_opts = mbedtls_calloc( 1, sizeof( mbedtls_pk_rsassa_pss_options ) );
+        if( pss_opts == NULL )
+            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+        ret = mbedtls_x509_get_rsassa_pss_params( sig_params,
+                                          md_alg,
+                                          &pss_opts->mgf1_hash_id,
+                                          &pss_opts->expected_salt_len );
+        if( ret != 0 )
+        {
+            mbedtls_free( pss_opts );
+            return( ret );
+        }
+
+        *sig_opts = (void *) pss_opts;
+    }
+    else
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+    {
+        /* Make sure parameters are absent or NULL */
+        if( ( sig_params->tag != MBEDTLS_ASN1_NULL && sig_params->tag != 0 ) ||
+              sig_params->len != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG );
+    }
+
+    return( 0 );
+}
+
+/*
+ * X.509 Extensions (No parsing of extensions, pointer should
+ * be either manually updated or extensions should be parsed!)
+ */
+int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
+                          mbedtls_x509_buf *ext, int tag )
+{
+    int ret;
+    size_t len;
+
+    /* Extension structure use EXPLICIT tagging. That is, the actual
+     * `Extensions` structure is wrapped by a tag-length pair using
+     * the respective context-specific tag. */
+    ret = mbedtls_asn1_get_tag( p, end, &ext->len,
+              MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag );
+    if( ret != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    ext->tag = MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag;
+    ext->p   = *p;
+    end      = *p + ext->len;
+
+    /*
+     * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+     */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( end != *p + len )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * Store the name in printable form into buf; no more
+ * than size characters will be written
+ */
+int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn )
+{
+    int ret;
+    size_t i, n;
+    unsigned char c, merge = 0;
+    const mbedtls_x509_name *name;
+    const char *short_name = NULL;
+    char s[MBEDTLS_X509_MAX_DN_NAME_SIZE], *p;
+
+    memset( s, 0, sizeof( s ) );
+
+    name = dn;
+    p = buf;
+    n = size;
+
+    while( name != NULL )
+    {
+        if( !name->oid.p )
+        {
+            name = name->next;
+            continue;
+        }
+
+        if( name != dn )
+        {
+            ret = mbedtls_snprintf( p, n, merge ? " + " : ", " );
+            MBEDTLS_X509_SAFE_SNPRINTF;
+        }
+
+        ret = mbedtls_oid_get_attr_short_name( &name->oid, &short_name );
+
+        if( ret == 0 )
+            ret = mbedtls_snprintf( p, n, "%s=", short_name );
+        else
+            ret = mbedtls_snprintf( p, n, "\?\?=" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        for( i = 0; i < name->val.len; i++ )
+        {
+            if( i >= sizeof( s ) - 1 )
+                break;
+
+            c = name->val.p[i];
+            if( c < 32 || c == 127 || ( c > 128 && c < 160 ) )
+                 s[i] = '?';
+            else s[i] = c;
+        }
+        s[i] = '\0';
+        ret = mbedtls_snprintf( p, n, "%s", s );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        merge = name->next_merged;
+        name = name->next;
+    }
+
+    return( (int) ( size - n ) );
+}
+
+/*
+ * Store the serial in printable form into buf; no more
+ * than size characters will be written
+ */
+int mbedtls_x509_serial_gets( char *buf, size_t size, const mbedtls_x509_buf *serial )
+{
+    int ret;
+    size_t i, n, nr;
+    char *p;
+
+    p = buf;
+    n = size;
+
+    nr = ( serial->len <= 32 )
+        ? serial->len  : 28;
+
+    for( i = 0; i < nr; i++ )
+    {
+        if( i == 0 && nr > 1 && serial->p[i] == 0x0 )
+            continue;
+
+        ret = mbedtls_snprintf( p, n, "%02X%s",
+                serial->p[i], ( i < nr - 1 ) ? ":" : "" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
+    if( nr != serial->len )
+    {
+        ret = mbedtls_snprintf( p, n, "...." );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
+    return( (int) ( size - n ) );
+}
+
+/*
+ * Helper for writing signature algorithms
+ */
+int mbedtls_x509_sig_alg_gets( char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
+                       mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+                       const void *sig_opts )
+{
+    int ret;
+    char *p = buf;
+    size_t n = size;
+    const char *desc = NULL;
+
+    ret = mbedtls_oid_get_sig_alg_desc( sig_oid, &desc );
+    if( ret != 0 )
+        ret = mbedtls_snprintf( p, n, "???"  );
+    else
+        ret = mbedtls_snprintf( p, n, "%s", desc );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    if( pk_alg == MBEDTLS_PK_RSASSA_PSS )
+    {
+        const mbedtls_pk_rsassa_pss_options *pss_opts;
+        const mbedtls_md_info_t *md_info, *mgf_md_info;
+
+        pss_opts = (const mbedtls_pk_rsassa_pss_options *) sig_opts;
+
+        md_info = mbedtls_md_info_from_type( md_alg );
+        mgf_md_info = mbedtls_md_info_from_type( pss_opts->mgf1_hash_id );
+
+        ret = mbedtls_snprintf( p, n, " (%s, MGF1-%s, 0x%02X)",
+                              md_info ? mbedtls_md_get_name( md_info ) : "???",
+                              mgf_md_info ? mbedtls_md_get_name( mgf_md_info ) : "???",
+                              pss_opts->expected_salt_len );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+#else
+    ((void) pk_alg);
+    ((void) md_alg);
+    ((void) sig_opts);
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
+    return( (int)( size - n ) );
+}
+
+/*
+ * Helper for writing "RSA key size", "EC key size", etc
+ */
+int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name )
+{
+    char *p = buf;
+    size_t n = buf_size;
+    int ret;
+
+    ret = mbedtls_snprintf( p, n, "%s key size", name );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+/*
+ * Set the time structure to the current time.
+ * Return 0 on success, non-zero on failure.
+ */
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+static int x509_get_current_time( mbedtls_x509_time *now )
+{
+    SYSTEMTIME st;
+
+    GetSystemTime( &st );
+
+    now->year = st.wYear;
+    now->mon  = st.wMonth;
+    now->day  = st.wDay;
+    now->hour = st.wHour;
+    now->min  = st.wMinute;
+    now->sec  = st.wSecond;
+
+    return( 0 );
+}
+#else
+static int x509_get_current_time( mbedtls_x509_time *now )
+{
+    struct tm *lt;
+    mbedtls_time_t tt;
+    int ret = 0;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_lock( &mbedtls_threading_gmtime_mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    tt = mbedtls_time( NULL );
+    lt = gmtime( &tt );
+
+    if( lt == NULL )
+        ret = -1;
+    else
+    {
+        now->year = lt->tm_year + 1900;
+        now->mon  = lt->tm_mon  + 1;
+        now->day  = lt->tm_mday;
+        now->hour = lt->tm_hour;
+        now->min  = lt->tm_min;
+        now->sec  = lt->tm_sec;
+    }
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &mbedtls_threading_gmtime_mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+
+/*
+ * Return 0 if before <= after, 1 otherwise
+ */
+static int x509_check_time( const mbedtls_x509_time *before, const mbedtls_x509_time *after )
+{
+    if( before->year  > after->year )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon   > after->mon )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon  == after->mon  &&
+        before->day   > after->day )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon  == after->mon  &&
+        before->day  == after->day  &&
+        before->hour  > after->hour )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon  == after->mon  &&
+        before->day  == after->day  &&
+        before->hour == after->hour &&
+        before->min   > after->min  )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon  == after->mon  &&
+        before->day  == after->day  &&
+        before->hour == after->hour &&
+        before->min  == after->min  &&
+        before->sec   > after->sec  )
+        return( 1 );
+
+    return( 0 );
+}
+
+int mbedtls_x509_time_is_past( const mbedtls_x509_time *to )
+{
+    mbedtls_x509_time now;
+
+    if( x509_get_current_time( &now ) != 0 )
+        return( 1 );
+
+    return( x509_check_time( &now, to ) );
+}
+
+int mbedtls_x509_time_is_future( const mbedtls_x509_time *from )
+{
+    mbedtls_x509_time now;
+
+    if( x509_get_current_time( &now ) != 0 )
+        return( 1 );
+
+    return( x509_check_time( from, &now ) );
+}
+
+#else  /* MBEDTLS_HAVE_TIME_DATE */
+
+int mbedtls_x509_time_is_past( const mbedtls_x509_time *to )
+{
+    ((void) to);
+    return( 0 );
+}
+
+int mbedtls_x509_time_is_future( const mbedtls_x509_time *from )
+{
+    ((void) from);
+    return( 0 );
+}
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/certs.h"
+
+/*
+ * Checkup routine
+ */
+int mbedtls_x509_self_test( int verbose )
+{
+    int ret = 0;
+#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA256_C)
+    uint32_t flags;
+    mbedtls_x509_crt cacert;
+    mbedtls_x509_crt clicert;
+
+    if( verbose != 0 )
+        mbedtls_printf( "  X.509 certificate load: " );
+
+    mbedtls_x509_crt_init( &cacert );
+    mbedtls_x509_crt_init( &clicert );
+
+    ret = mbedtls_x509_crt_parse( &clicert, (const unsigned char *) mbedtls_test_cli_crt,
+                           mbedtls_test_cli_crt_len );
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        goto cleanup;
+    }
+
+    ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_ca_crt,
+                          mbedtls_test_ca_crt_len );
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  X.509 signature verify: ");
+
+    ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n\n");
+
+cleanup:
+    mbedtls_x509_crt_free( &cacert  );
+    mbedtls_x509_crt_free( &clicert );
+#else
+    ((void) verbose);
+#endif /* MBEDTLS_CERTS_C && MBEDTLS_SHA256_C */
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_X509_USE_C */
diff --git a/third-party/mbedtls-3.6/library/x509_create.c b/third-party/mbedtls-3.6/library/x509_create.c
new file mode 100644
index 00000000..252e835b
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/x509_create.c
@@ -0,0 +1,365 @@
+/*
+ *  X.509 base functions for creating certificates / CSRs
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CREATE_C)
+
+#include "mbedtls/x509.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/oid.h"
+
+#include <string.h>
+
+typedef struct {
+    const char *name;
+    size_t name_len;
+    const char*oid;
+} x509_attr_descriptor_t;
+
+#define ADD_STRLEN( s )     s, sizeof( s ) - 1
+
+static const x509_attr_descriptor_t x509_attrs[] =
+{
+    { ADD_STRLEN( "CN" ),                       MBEDTLS_OID_AT_CN },
+    { ADD_STRLEN( "commonName" ),               MBEDTLS_OID_AT_CN },
+    { ADD_STRLEN( "C" ),                        MBEDTLS_OID_AT_COUNTRY },
+    { ADD_STRLEN( "countryName" ),              MBEDTLS_OID_AT_COUNTRY },
+    { ADD_STRLEN( "O" ),                        MBEDTLS_OID_AT_ORGANIZATION },
+    { ADD_STRLEN( "organizationName" ),         MBEDTLS_OID_AT_ORGANIZATION },
+    { ADD_STRLEN( "L" ),                        MBEDTLS_OID_AT_LOCALITY },
+    { ADD_STRLEN( "locality" ),                 MBEDTLS_OID_AT_LOCALITY },
+    { ADD_STRLEN( "R" ),                        MBEDTLS_OID_PKCS9_EMAIL },
+    { ADD_STRLEN( "OU" ),                       MBEDTLS_OID_AT_ORG_UNIT },
+    { ADD_STRLEN( "organizationalUnitName" ),   MBEDTLS_OID_AT_ORG_UNIT },
+    { ADD_STRLEN( "ST" ),                       MBEDTLS_OID_AT_STATE },
+    { ADD_STRLEN( "stateOrProvinceName" ),      MBEDTLS_OID_AT_STATE },
+    { ADD_STRLEN( "emailAddress" ),             MBEDTLS_OID_PKCS9_EMAIL },
+    { ADD_STRLEN( "serialNumber" ),             MBEDTLS_OID_AT_SERIAL_NUMBER },
+    { ADD_STRLEN( "postalAddress" ),            MBEDTLS_OID_AT_POSTAL_ADDRESS },
+    { ADD_STRLEN( "postalCode" ),               MBEDTLS_OID_AT_POSTAL_CODE },
+    { ADD_STRLEN( "dnQualifier" ),              MBEDTLS_OID_AT_DN_QUALIFIER },
+    { ADD_STRLEN( "title" ),                    MBEDTLS_OID_AT_TITLE },
+    { ADD_STRLEN( "surName" ),                  MBEDTLS_OID_AT_SUR_NAME },
+    { ADD_STRLEN( "SN" ),                       MBEDTLS_OID_AT_SUR_NAME },
+    { ADD_STRLEN( "givenName" ),                MBEDTLS_OID_AT_GIVEN_NAME },
+    { ADD_STRLEN( "GN" ),                       MBEDTLS_OID_AT_GIVEN_NAME },
+    { ADD_STRLEN( "initials" ),                 MBEDTLS_OID_AT_INITIALS },
+    { ADD_STRLEN( "pseudonym" ),                MBEDTLS_OID_AT_PSEUDONYM },
+    { ADD_STRLEN( "generationQualifier" ),      MBEDTLS_OID_AT_GENERATION_QUALIFIER },
+    { ADD_STRLEN( "domainComponent" ),          MBEDTLS_OID_DOMAIN_COMPONENT },
+    { ADD_STRLEN( "DC" ),                       MBEDTLS_OID_DOMAIN_COMPONENT },
+    { NULL, 0, NULL }
+};
+
+static const char *x509_at_oid_from_name( const char *name, size_t name_len )
+{
+    const x509_attr_descriptor_t *cur;
+
+    for( cur = x509_attrs; cur->name != NULL; cur++ )
+        if( cur->name_len == name_len &&
+            strncmp( cur->name, name, name_len ) == 0 )
+            break;
+
+    return( cur->oid );
+}
+
+int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name )
+{
+    int ret = 0;
+    const char *s = name, *c = s;
+    const char *end = s + strlen( s );
+    const char *oid = NULL;
+    int in_tag = 1;
+    char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
+    char *d = data;
+
+    /* Clear existing chain if present */
+    mbedtls_asn1_free_named_data_list( head );
+
+    while( c <= end )
+    {
+        if( in_tag && *c == '=' )
+        {
+            if( ( oid = x509_at_oid_from_name( s, c - s ) ) == NULL )
+            {
+                ret = MBEDTLS_ERR_X509_UNKNOWN_OID;
+                goto exit;
+            }
+
+            s = c + 1;
+            in_tag = 0;
+            d = data;
+        }
+
+        if( !in_tag && *c == '\\' && c != end )
+        {
+            c++;
+
+            /* Check for valid escaped characters */
+            if( c == end || *c != ',' )
+            {
+                ret = MBEDTLS_ERR_X509_INVALID_NAME;
+                goto exit;
+            }
+        }
+        else if( !in_tag && ( *c == ',' || c == end ) )
+        {
+            if( mbedtls_asn1_store_named_data( head, oid, strlen( oid ),
+                                       (unsigned char *) data,
+                                       d - data ) == NULL )
+            {
+                return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+            }
+
+            while( c < end && *(c + 1) == ' ' )
+                c++;
+
+            s = c + 1;
+            in_tag = 1;
+        }
+
+        if( !in_tag && s != c + 1 )
+        {
+            *(d++) = *c;
+
+            if( d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE )
+            {
+                ret = MBEDTLS_ERR_X509_INVALID_NAME;
+                goto exit;
+            }
+        }
+
+        c++;
+    }
+
+exit:
+
+    return( ret );
+}
+
+/* The first byte of the value in the mbedtls_asn1_named_data structure is reserved
+ * to store the critical boolean for us
+ */
+int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
+                        int critical, const unsigned char *val, size_t val_len )
+{
+    mbedtls_asn1_named_data *cur;
+
+    if( ( cur = mbedtls_asn1_store_named_data( head, oid, oid_len,
+                                       NULL, val_len + 1 ) ) == NULL )
+    {
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+    }
+
+    cur->val.p[0] = critical;
+    memcpy( cur->val.p + 1, val, val_len );
+
+    return( 0 );
+}
+
+/*
+ *  RelativeDistinguishedName ::=
+ *    SET OF AttributeTypeAndValue
+ *
+ *  AttributeTypeAndValue ::= SEQUENCE {
+ *    type     AttributeType,
+ *    value    AttributeValue }
+ *
+ *  AttributeType ::= OBJECT IDENTIFIER
+ *
+ *  AttributeValue ::= ANY DEFINED BY AttributeType
+ */
+static int x509_write_name( unsigned char **p, unsigned char *start,
+                            const char *oid, size_t oid_len,
+                            const unsigned char *name, size_t name_len )
+{
+    int ret;
+    size_t len = 0;
+
+    // Write PrintableString for all except MBEDTLS_OID_PKCS9_EMAIL
+    //
+    if( MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_EMAIL ) == oid_len &&
+        memcmp( oid, MBEDTLS_OID_PKCS9_EMAIL, oid_len ) == 0 )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_ia5_string( p, start,
+                                                  (const char *) name,
+                                                  name_len ) );
+    }
+    else
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_printable_string( p, start,
+                                                        (const char *) name,
+                                                        name_len ) );
+    }
+
+    // Write OID
+    //
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid, oid_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SET ) );
+
+    return( (int) len );
+}
+
+int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
+                      mbedtls_asn1_named_data *first )
+{
+    int ret;
+    size_t len = 0;
+    mbedtls_asn1_named_data *cur = first;
+
+    while( cur != NULL )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, x509_write_name( p, start, (char *) cur->oid.p,
+                                            cur->oid.len,
+                                            cur->val.p, cur->val.len ) );
+        cur = cur->next;
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
+                    const char *oid, size_t oid_len,
+                    unsigned char *sig, size_t size )
+{
+    int ret;
+    size_t len = 0;
+
+    if( *p < start || (size_t)( *p - start ) < size )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    len = size;
+    (*p) -= len;
+    memcpy( *p, sig, len );
+
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    *--(*p) = 0;
+    len += 1;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) );
+
+    // Write OID
+    //
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( p, start, oid,
+                                                        oid_len, 0 ) );
+
+    return( (int) len );
+}
+
+static int x509_write_extension( unsigned char **p, unsigned char *start,
+                                 mbedtls_asn1_named_data *ext )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, ext->val.p + 1,
+                                              ext->val.len - 1 ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, ext->val.len - 1 ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OCTET_STRING ) );
+
+    if( ext->val.p[0] != 0 )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( p, start, 1 ) );
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, ext->oid.p,
+                                              ext->oid.len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, ext->oid.len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OID ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+/*
+ * Extension  ::=  SEQUENCE  {
+ *     extnID      OBJECT IDENTIFIER,
+ *     critical    BOOLEAN DEFAULT FALSE,
+ *     extnValue   OCTET STRING
+ *                 -- contains the DER encoding of an ASN.1 value
+ *                 -- corresponding to the extension type identified
+ *                 -- by extnID
+ *     }
+ */
+int mbedtls_x509_write_extensions( unsigned char **p, unsigned char *start,
+                           mbedtls_asn1_named_data *first )
+{
+    int ret;
+    size_t len = 0;
+    mbedtls_asn1_named_data *cur_ext = first;
+
+    while( cur_ext != NULL )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, x509_write_extension( p, start, cur_ext ) );
+        cur_ext = cur_ext->next;
+    }
+
+    return( (int) len );
+}
+
+#endif /* MBEDTLS_X509_CREATE_C */
diff --git a/third-party/mbedtls-3.6/library/x509_crl.c b/third-party/mbedtls-3.6/library/x509_crl.c
new file mode 100644
index 00000000..73a300d2
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/x509_crl.c
@@ -0,0 +1,801 @@
+/*
+ *  X.509 Certidicate Revocation List (CRL) parsing
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+
+#include "mbedtls/x509_crl.h"
+#include "mbedtls/oid.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_free       free
+#define mbedtls_calloc    calloc
+#define mbedtls_snprintf   snprintf
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#include <windows.h>
+#else
+#include <time.h>
+#endif
+
+#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
+#include <stdio.h>
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ *  Version  ::=  INTEGER  {  v1(0), v2(1)  }
+ */
+static int x509_crl_get_version( unsigned char **p,
+                             const unsigned char *end,
+                             int *ver )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            *ver = 0;
+            return( 0 );
+        }
+
+        return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * X.509 CRL v2 extensions
+ *
+ * We currently don't parse any extension's content, but we do check that the
+ * list of extensions is well-formed and abort on critical extensions (that
+ * are unsupported as we don't support any extension so far)
+ */
+static int x509_get_crl_ext( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_x509_buf *ext )
+{
+    int ret;
+
+    if( *p == end )
+        return( 0 );
+
+    /*
+     * crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
+     *                              -- if present, version MUST be v2
+     */
+    if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 )
+        return( ret );
+
+    end = ext->p + ext->len;
+
+    while( *p < end )
+    {
+        /*
+         * Extension  ::=  SEQUENCE  {
+         *      extnID      OBJECT IDENTIFIER,
+         *      critical    BOOLEAN DEFAULT FALSE,
+         *      extnValue   OCTET STRING  }
+         */
+        int is_critical = 0;
+        const unsigned char *end_ext_data;
+        size_t len;
+
+        /* Get enclosing sequence tag */
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        end_ext_data = *p + len;
+
+        /* Get OID (currently ignored) */
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
+                                          MBEDTLS_ASN1_OID ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+        }
+        *p += len;
+
+        /* Get optional critical */
+        if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data,
+                                           &is_critical ) ) != 0 &&
+            ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
+        {
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+        }
+
+        /* Data should be octet string type */
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
+                MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        /* Ignore data so far and just check its length */
+        *p += len;
+        if( *p != end_ext_data )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+        /* Abort on (unsupported) critical extensions */
+        if( is_critical )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * X.509 CRL v2 entry extensions (no extensions parsed yet.)
+ */
+static int x509_get_crl_entry_ext( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_x509_buf *ext )
+{
+    int ret;
+    size_t len = 0;
+
+    /* OPTIONAL */
+    if( end <= *p )
+        return( 0 );
+
+    ext->tag = **p;
+    ext->p = *p;
+
+    /*
+     * Get CRL-entry extension sequence header
+     * crlEntryExtensions      Extensions OPTIONAL  -- if present, MUST be v2
+     */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            ext->p = NULL;
+            return( 0 );
+        }
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+    }
+
+    end = *p + ext->len;
+
+    if( end != *p + ext->len )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    while( *p < end )
+    {
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        *p += len;
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * X.509 CRL Entries
+ */
+static int x509_get_entries( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_x509_crl_entry *entry )
+{
+    int ret;
+    size_t entry_len;
+    mbedtls_x509_crl_entry *cur_entry = entry;
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &entry_len,
+            MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            return( 0 );
+
+        return( ret );
+    }
+
+    end = *p + entry_len;
+
+    while( *p < end )
+    {
+        size_t len2;
+        const unsigned char *end2;
+
+        cur_entry->raw.tag = **p;
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
+                MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
+        {
+            return( ret );
+        }
+
+        cur_entry->raw.p = *p;
+        cur_entry->raw.len = len2;
+        end2 = *p + len2;
+
+        if( ( ret = mbedtls_x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
+            return( ret );
+
+        if( ( ret = mbedtls_x509_get_time( p, end2,
+                                   &cur_entry->revocation_date ) ) != 0 )
+            return( ret );
+
+        if( ( ret = x509_get_crl_entry_ext( p, end2,
+                                            &cur_entry->entry_ext ) ) != 0 )
+            return( ret );
+
+        if( *p < end )
+        {
+            cur_entry->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl_entry ) );
+
+            if( cur_entry->next == NULL )
+                return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+            cur_entry = cur_entry->next;
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse one  CRLs in DER format and append it to the chained list
+ */
+int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
+                        const unsigned char *buf, size_t buflen )
+{
+    int ret;
+    size_t len;
+    unsigned char *p = NULL, *end = NULL;
+    mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
+    mbedtls_x509_crl *crl = chain;
+
+    /*
+     * Check for valid input
+     */
+    if( crl == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
+    memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
+    memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
+
+    /*
+     * Add new CRL on the end of the chain if needed.
+     */
+    while( crl->version != 0 && crl->next != NULL )
+        crl = crl->next;
+
+    if( crl->version != 0 && crl->next == NULL )
+    {
+        crl->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) );
+
+        if( crl->next == NULL )
+        {
+            mbedtls_x509_crl_free( crl );
+            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+        }
+
+        mbedtls_x509_crl_init( crl->next );
+        crl = crl->next;
+    }
+
+    /*
+     * Copy raw DER-encoded CRL
+     */
+    if( buflen == 0 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+
+    p = mbedtls_calloc( 1, buflen );
+    if( p == NULL )
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+    memcpy( p, buf, buflen );
+
+    crl->raw.p = p;
+    crl->raw.len = buflen;
+
+    end = p + buflen;
+
+    /*
+     * CertificateList  ::=  SEQUENCE  {
+     *      tbsCertList          TBSCertList,
+     *      signatureAlgorithm   AlgorithmIdentifier,
+     *      signatureValue       BIT STRING  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+    }
+
+    if( len != (size_t) ( end - p ) )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    /*
+     * TBSCertList  ::=  SEQUENCE  {
+     */
+    crl->tbs.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+    crl->tbs.len = end - crl->tbs.p;
+
+    /*
+     * Version  ::=  INTEGER  OPTIONAL {  v1(0), v2(1)  }
+     *               -- if present, MUST be v2
+     *
+     * signature            AlgorithmIdentifier
+     */
+    if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
+        ( ret = mbedtls_x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    if( crl->version < 0 || crl->version > 1 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
+    }
+
+    crl->version++;
+
+    if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1,
+                                  &crl->sig_md, &crl->sig_pk,
+                                  &crl->sig_opts ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
+    }
+
+    /*
+     * issuer               Name
+     */
+    crl->issuer_raw.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    crl->issuer_raw.len = p - crl->issuer_raw.p;
+
+    /*
+     * thisUpdate          Time
+     * nextUpdate          Time OPTIONAL
+     */
+    if( ( ret = mbedtls_x509_get_time( &p, end, &crl->this_update ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 )
+    {
+        if( ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
+                        MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) &&
+            ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
+                        MBEDTLS_ERR_ASN1_OUT_OF_DATA ) )
+        {
+            mbedtls_x509_crl_free( crl );
+            return( ret );
+        }
+    }
+
+    /*
+     * revokedCertificates    SEQUENCE OF SEQUENCE   {
+     *      userCertificate        CertificateSerialNumber,
+     *      revocationDate         Time,
+     *      crlEntryExtensions     Extensions OPTIONAL
+     *                                   -- if present, MUST be v2
+     *                        } OPTIONAL
+     */
+    if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    /*
+     * crlExtensions          EXPLICIT Extensions OPTIONAL
+     *                              -- if present, MUST be v2
+     */
+    if( crl->version == 2 )
+    {
+        ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
+
+        if( ret != 0 )
+        {
+            mbedtls_x509_crl_free( crl );
+            return( ret );
+        }
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    end = crl->raw.p + crl->raw.len;
+
+    /*
+     *  signatureAlgorithm   AlgorithmIdentifier,
+     *  signatureValue       BIT STRING
+     */
+    if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    if( crl->sig_oid.len != sig_oid2.len ||
+        memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
+        sig_params1.len != sig_params2.len ||
+        ( sig_params1.len != 0 &&
+          memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_SIG_MISMATCH );
+    }
+
+    if( ( ret = mbedtls_x509_get_sig( &p, end, &crl->sig ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse one or more CRLs and add them to the chained list
+ */
+int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen )
+{
+#if defined(MBEDTLS_PEM_PARSE_C)
+    int ret;
+    size_t use_len;
+    mbedtls_pem_context pem;
+    int is_pem = 0;
+
+    if( chain == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    do
+    {
+        mbedtls_pem_init( &pem );
+
+        // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
+        // string
+        if( buflen == 0 || buf[buflen - 1] != '\0' )
+            ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+        else
+            ret = mbedtls_pem_read_buffer( &pem,
+                                           "-----BEGIN X509 CRL-----",
+                                           "-----END X509 CRL-----",
+                                            buf, NULL, 0, &use_len );
+
+        if( ret == 0 )
+        {
+            /*
+             * Was PEM encoded
+             */
+            is_pem = 1;
+
+            buflen -= use_len;
+            buf += use_len;
+
+            if( ( ret = mbedtls_x509_crl_parse_der( chain,
+                                            pem.buf, pem.buflen ) ) != 0 )
+            {
+                mbedtls_pem_free( &pem );
+                return( ret );
+            }
+        }
+        else if( is_pem )
+        {
+            mbedtls_pem_free( &pem );
+            return( ret );
+        }
+
+        mbedtls_pem_free( &pem );
+    }
+    /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
+     * And a valid CRL cannot be less than 1 byte anyway. */
+    while( is_pem && buflen > 1 );
+
+    if( is_pem )
+        return( 0 );
+    else
+#endif /* MBEDTLS_PEM_PARSE_C */
+        return( mbedtls_x509_crl_parse_der( chain, buf, buflen ) );
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load one or more CRLs and add them to the chained list
+ */
+int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_x509_crl_parse( chain, buf, n );
+
+    mbedtls_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+/*
+ * Return an informational string about the certificate.
+ */
+#define BEFORE_COLON    14
+#define BC              "14"
+/*
+ * Return an informational string about the CRL.
+ */
+int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crl *crl )
+{
+    int ret;
+    size_t n;
+    char *p;
+    const mbedtls_x509_crl_entry *entry;
+
+    p = buf;
+    n = size;
+
+    ret = mbedtls_snprintf( p, n, "%sCRL version   : %d",
+                               prefix, crl->version );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sissuer name   : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &crl->issuer );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sthis update   : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crl->this_update.year, crl->this_update.mon,
+                   crl->this_update.day,  crl->this_update.hour,
+                   crl->this_update.min,  crl->this_update.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%snext update   : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crl->next_update.year, crl->next_update.mon,
+                   crl->next_update.day,  crl->next_update.hour,
+                   crl->next_update.min,  crl->next_update.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    entry = &crl->entry;
+
+    ret = mbedtls_snprintf( p, n, "\n%sRevoked certificates:",
+                               prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    while( entry != NULL && entry->raw.len != 0 )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%sserial number: ",
+                               prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        ret = mbedtls_x509_serial_gets( p, n, &entry->serial );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        ret = mbedtls_snprintf( p, n, " revocation date: " \
+                   "%04d-%02d-%02d %02d:%02d:%02d",
+                   entry->revocation_date.year, entry->revocation_date.mon,
+                   entry->revocation_date.day,  entry->revocation_date.hour,
+                   entry->revocation_date.min,  entry->revocation_date.sec );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        entry = entry->next;
+    }
+
+    ret = mbedtls_snprintf( p, n, "\n%ssigned using  : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
+                             crl->sig_opts );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n" );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return( (int) ( size - n ) );
+}
+
+/*
+ * Initialize a CRL chain
+ */
+void mbedtls_x509_crl_init( mbedtls_x509_crl *crl )
+{
+    memset( crl, 0, sizeof(mbedtls_x509_crl) );
+}
+
+/*
+ * Unallocate all CRL data
+ */
+void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
+{
+    mbedtls_x509_crl *crl_cur = crl;
+    mbedtls_x509_crl *crl_prv;
+    mbedtls_x509_name *name_cur;
+    mbedtls_x509_name *name_prv;
+    mbedtls_x509_crl_entry *entry_cur;
+    mbedtls_x509_crl_entry *entry_prv;
+
+    if( crl == NULL )
+        return;
+
+    do
+    {
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+        mbedtls_free( crl_cur->sig_opts );
+#endif
+
+        name_cur = crl_cur->issuer.next;
+        while( name_cur != NULL )
+        {
+            name_prv = name_cur;
+            name_cur = name_cur->next;
+            mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+            mbedtls_free( name_prv );
+        }
+
+        entry_cur = crl_cur->entry.next;
+        while( entry_cur != NULL )
+        {
+            entry_prv = entry_cur;
+            entry_cur = entry_cur->next;
+            mbedtls_zeroize( entry_prv, sizeof( mbedtls_x509_crl_entry ) );
+            mbedtls_free( entry_prv );
+        }
+
+        if( crl_cur->raw.p != NULL )
+        {
+            mbedtls_zeroize( crl_cur->raw.p, crl_cur->raw.len );
+            mbedtls_free( crl_cur->raw.p );
+        }
+
+        crl_cur = crl_cur->next;
+    }
+    while( crl_cur != NULL );
+
+    crl_cur = crl;
+    do
+    {
+        crl_prv = crl_cur;
+        crl_cur = crl_cur->next;
+
+        mbedtls_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) );
+        if( crl_prv != crl )
+            mbedtls_free( crl_prv );
+    }
+    while( crl_cur != NULL );
+}
+
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
diff --git a/third-party/mbedtls-3.6/library/x509_crt.c b/third-party/mbedtls-3.6/library/x509_crt.c
new file mode 100644
index 00000000..124f3dde
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/x509_crt.c
@@ -0,0 +1,2506 @@
+/*
+ *  X.509 certificate parsing and verification
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/oid.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_free       free
+#define mbedtls_calloc    calloc
+#define mbedtls_snprintf   snprintf
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#include <windows.h>
+#else
+#include <time.h>
+#endif
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#endif /* !_WIN32 || EFIX64 || EFI32 */
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * Default profile
+ */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
+{
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
+    /* Allow SHA-1 (weak, but still safe in controlled environments) */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
+#endif
+    /* Only SHA-2 hashes */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+    0xFFFFFFF, /* Any PK alg    */
+    0xFFFFFFF, /* Any curve     */
+    2048,
+};
+
+/*
+ * Next-default profile
+ */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
+{
+    /* Hashes from SHA-256 and above */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+    0xFFFFFFF, /* Any PK alg    */
+#if defined(MBEDTLS_ECP_C)
+    /* Curves at or above 128-bit security level */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP256R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP384R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP512R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256K1 ),
+#else
+    0,
+#endif
+    2048,
+};
+
+/*
+ * NSA Suite B Profile
+ */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
+{
+    /* Only SHA-256 and 384 */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ),
+    /* Only ECDSA */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECDSA ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECKEY ),
+#if defined(MBEDTLS_ECP_C)
+    /* Only NIST P-256 and P-384 */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ),
+#else
+    0,
+#endif
+    0,
+};
+
+/*
+ * Check md_alg against profile
+ * Return 0 if md_alg acceptable for this profile, -1 otherwise
+ */
+static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile,
+                                      mbedtls_md_type_t md_alg )
+{
+    if( md_alg == MBEDTLS_MD_NONE )
+        return( -1 );
+
+    if( ( profile->allowed_mds & MBEDTLS_X509_ID_FLAG( md_alg ) ) != 0 )
+        return( 0 );
+
+    return( -1 );
+}
+
+/*
+ * Check pk_alg against profile
+ * Return 0 if pk_alg acceptable for this profile, -1 otherwise
+ */
+static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile,
+                                      mbedtls_pk_type_t pk_alg )
+{
+    if( pk_alg == MBEDTLS_PK_NONE )
+        return( -1 );
+
+    if( ( profile->allowed_pks & MBEDTLS_X509_ID_FLAG( pk_alg ) ) != 0 )
+        return( 0 );
+
+    return( -1 );
+}
+
+/*
+ * Check key against profile
+ * Return 0 if pk_alg acceptable for this profile, -1 otherwise
+ */
+static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
+                                   mbedtls_pk_type_t pk_alg,
+                                   const mbedtls_pk_context *pk )
+{
+#if defined(MBEDTLS_RSA_C)
+    if( pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS )
+    {
+        if( mbedtls_pk_get_bitlen( pk ) >= profile->rsa_min_bitlen )
+            return( 0 );
+
+        return( -1 );
+    }
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+    if( pk_alg == MBEDTLS_PK_ECDSA ||
+        pk_alg == MBEDTLS_PK_ECKEY ||
+        pk_alg == MBEDTLS_PK_ECKEY_DH )
+    {
+        mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id;
+
+        if( gid == MBEDTLS_ECP_DP_NONE )
+            return( -1 );
+
+        if( ( profile->allowed_curves & MBEDTLS_X509_ID_FLAG( gid ) ) != 0 )
+            return( 0 );
+
+        return( -1 );
+    }
+#endif
+
+    return( -1 );
+}
+
+/*
+ *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+ */
+static int x509_get_version( unsigned char **p,
+                             const unsigned char *end,
+                             int *ver )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            *ver = 0;
+            return( 0 );
+        }
+
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = *p + len;
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_VERSION +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ *  Validity ::= SEQUENCE {
+ *       notBefore      Time,
+ *       notAfter       Time }
+ */
+static int x509_get_dates( unsigned char **p,
+                           const unsigned char *end,
+                           mbedtls_x509_time *from,
+                           mbedtls_x509_time *to )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
+
+    end = *p + len;
+
+    if( ( ret = mbedtls_x509_get_time( p, end, from ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_x509_get_time( p, end, to ) ) != 0 )
+        return( ret );
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * X.509 v2/v3 unique identifier (not parsed)
+ */
+static int x509_get_uid( unsigned char **p,
+                         const unsigned char *end,
+                         mbedtls_x509_buf *uid, int n )
+{
+    int ret;
+
+    if( *p == end )
+        return( 0 );
+
+    uid->tag = **p;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &uid->len,
+            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            return( 0 );
+
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    uid->p = *p;
+    *p += uid->len;
+
+    return( 0 );
+}
+
+static int x509_get_basic_constraints( unsigned char **p,
+                                       const unsigned char *end,
+                                       int *ca_istrue,
+                                       int *max_pathlen )
+{
+    int ret;
+    size_t len;
+
+    /*
+     * BasicConstraints ::= SEQUENCE {
+     *      cA                      BOOLEAN DEFAULT FALSE,
+     *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+     */
+    *ca_istrue = 0; /* DEFAULT FALSE */
+    *max_pathlen = 0; /* endless */
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_bool( p, end, ca_istrue ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            ret = mbedtls_asn1_get_int( p, end, ca_istrue );
+
+        if( ret != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        if( *ca_istrue != 0 )
+            *ca_istrue = 1;
+    }
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, max_pathlen ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    /* Do not accept max_pathlen equal to INT_MAX to avoid a signed integer
+     * overflow, which is an undefined behavior. */
+    if( *max_pathlen == INT_MAX )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    (*max_pathlen)++;
+
+    return( 0 );
+}
+
+static int x509_get_ns_cert_type( unsigned char **p,
+                                       const unsigned char *end,
+                                       unsigned char *ns_cert_type)
+{
+    int ret;
+    mbedtls_x509_bitstring bs = { 0, 0, NULL };
+
+    if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( bs.len != 1 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    /* Get actual bitstring */
+    *ns_cert_type = *bs.p;
+    return( 0 );
+}
+
+static int x509_get_key_usage( unsigned char **p,
+                               const unsigned char *end,
+                               unsigned int *key_usage)
+{
+    int ret;
+    size_t i;
+    mbedtls_x509_bitstring bs = { 0, 0, NULL };
+
+    if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( bs.len < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    /* Get actual bitstring */
+    *key_usage = 0;
+    for( i = 0; i < bs.len && i < sizeof( unsigned int ); i++ )
+    {
+        *key_usage |= (unsigned int) bs.p[i] << (8*i);
+    }
+
+    return( 0 );
+}
+
+/*
+ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+ *
+ * KeyPurposeId ::= OBJECT IDENTIFIER
+ */
+static int x509_get_ext_key_usage( unsigned char **p,
+                               const unsigned char *end,
+                               mbedtls_x509_sequence *ext_key_usage)
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_sequence_of( p, end, ext_key_usage, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    /* Sequence length must be >= 1 */
+    if( ext_key_usage->buf.p == NULL )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    return( 0 );
+}
+
+/*
+ * SubjectAltName ::= GeneralNames
+ *
+ * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * GeneralName ::= CHOICE {
+ *      otherName                       [0]     OtherName,
+ *      rfc822Name                      [1]     IA5String,
+ *      dNSName                         [2]     IA5String,
+ *      x400Address                     [3]     ORAddress,
+ *      directoryName                   [4]     Name,
+ *      ediPartyName                    [5]     EDIPartyName,
+ *      uniformResourceIdentifier       [6]     IA5String,
+ *      iPAddress                       [7]     OCTET STRING,
+ *      registeredID                    [8]     OBJECT IDENTIFIER }
+ *
+ * OtherName ::= SEQUENCE {
+ *      type-id    OBJECT IDENTIFIER,
+ *      value      [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * EDIPartyName ::= SEQUENCE {
+ *      nameAssigner            [0]     DirectoryString OPTIONAL,
+ *      partyName               [1]     DirectoryString }
+ *
+ * NOTE: we only parse and use dNSName at this point.
+ */
+static int x509_get_subject_alt_name( unsigned char **p,
+                                      const unsigned char *end,
+                                      mbedtls_x509_sequence *subject_alt_name )
+{
+    int ret;
+    size_t len, tag_len;
+    mbedtls_asn1_buf *buf;
+    unsigned char tag;
+    mbedtls_asn1_sequence *cur = subject_alt_name;
+
+    /* Get main sequence tag */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( *p + len != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    while( *p < end )
+    {
+        if( ( end - *p ) < 1 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+        tag = **p;
+        (*p)++;
+        if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        if( ( tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) !=
+                MBEDTLS_ASN1_CONTEXT_SPECIFIC )
+        {
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+        }
+
+        /* Skip everything but DNS name */
+        if( tag != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2 ) )
+        {
+            *p += tag_len;
+            continue;
+        }
+
+        /* Allocate and assign next pointer */
+        if( cur->buf.p != NULL )
+        {
+            if( cur->next != NULL )
+                return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
+
+            cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) );
+
+            if( cur->next == NULL )
+                return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                        MBEDTLS_ERR_ASN1_ALLOC_FAILED );
+
+            cur = cur->next;
+        }
+
+        buf = &(cur->buf);
+        buf->tag = tag;
+        buf->p = *p;
+        buf->len = tag_len;
+        *p += buf->len;
+    }
+
+    /* Set final sequence entry's next pointer to NULL */
+    cur->next = NULL;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * X.509 v3 extensions
+ *
+ */
+static int x509_get_crt_ext( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_x509_crt *crt )
+{
+    int ret;
+    size_t len;
+    unsigned char *end_ext_data, *end_ext_octet;
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
+        return( ret );
+
+    end = crt->v3_ext.p + crt->v3_ext.len;
+    while( *p < end )
+    {
+        /*
+         * Extension  ::=  SEQUENCE  {
+         *      extnID      OBJECT IDENTIFIER,
+         *      critical    BOOLEAN DEFAULT FALSE,
+         *      extnValue   OCTET STRING  }
+         */
+        mbedtls_x509_buf extn_oid = {0, 0, NULL};
+        int is_critical = 0; /* DEFAULT FALSE */
+        int ext_type = 0;
+
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        end_ext_data = *p + len;
+
+        /* Get extension ID */
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &extn_oid.len,
+                                          MBEDTLS_ASN1_OID ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        extn_oid.tag = MBEDTLS_ASN1_OID;
+        extn_oid.p = *p;
+        *p += extn_oid.len;
+
+        /* Get optional critical */
+        if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
+            ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        /* Data should be octet string type */
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
+                MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        end_ext_octet = *p + len;
+
+        if( end_ext_octet != end_ext_data )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+        /*
+         * Detect supported extensions
+         */
+        ret = mbedtls_oid_get_x509_ext_type( &extn_oid, &ext_type );
+
+        if( ret != 0 )
+        {
+            /* No parser found, skip extension */
+            *p = end_ext_octet;
+
+#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+            if( is_critical )
+            {
+                /* Data is marked as critical: fail */
+                return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                        MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+            }
+#endif
+            continue;
+        }
+
+        /* Forbid repeated extensions */
+        if( ( crt->ext_types & ext_type ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
+
+        crt->ext_types |= ext_type;
+
+        switch( ext_type )
+        {
+        case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS:
+            /* Parse basic constraints */
+            if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
+                    &crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
+                return( ret );
+            break;
+
+        case MBEDTLS_X509_EXT_KEY_USAGE:
+            /* Parse key usage */
+            if( ( ret = x509_get_key_usage( p, end_ext_octet,
+                    &crt->key_usage ) ) != 0 )
+                return( ret );
+            break;
+
+        case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
+            /* Parse extended key usage */
+            if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
+                    &crt->ext_key_usage ) ) != 0 )
+                return( ret );
+            break;
+
+        case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
+            /* Parse subject alt name */
+            if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
+                    &crt->subject_alt_names ) ) != 0 )
+                return( ret );
+            break;
+
+        case MBEDTLS_X509_EXT_NS_CERT_TYPE:
+            /* Parse netscape certificate type */
+            if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
+                    &crt->ns_cert_type ) ) != 0 )
+                return( ret );
+            break;
+
+        default:
+            return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
+        }
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * Parse and fill a single X.509 certificate in DER format
+ */
+static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, const unsigned char *buf,
+                                    size_t buflen )
+{
+    int ret;
+    size_t len;
+    unsigned char *p, *end, *crt_end;
+    mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
+
+    memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
+    memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
+    memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
+
+    /*
+     * Check for valid input
+     */
+    if( crt == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    // Use the original buffer until we figure out actual length
+    p = (unsigned char*) buf;
+    len = buflen;
+    end = p + len;
+
+    /*
+     * Certificate  ::=  SEQUENCE  {
+     *      tbsCertificate       TBSCertificate,
+     *      signatureAlgorithm   AlgorithmIdentifier,
+     *      signatureValue       BIT STRING  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+    }
+
+    if( len > (size_t) ( end - p ) )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+    crt_end = p + len;
+
+    // Create and populate a new buffer for the raw field
+    crt->raw.len = crt_end - buf;
+    crt->raw.p = p = mbedtls_calloc( 1, crt->raw.len );
+    if( p == NULL )
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+    memcpy( p, buf, crt->raw.len );
+
+    // Direct pointers to the new buffer
+    p += crt->raw.len - len;
+    end = crt_end = p + len;
+
+    /*
+     * TBSCertificate  ::=  SEQUENCE  {
+     */
+    crt->tbs.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+    crt->tbs.len = end - crt->tbs.p;
+
+    /*
+     * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+     *
+     * CertificateSerialNumber  ::=  INTEGER
+     *
+     * signature            AlgorithmIdentifier
+     */
+    if( ( ret = x509_get_version(  &p, end, &crt->version  ) ) != 0 ||
+        ( ret = mbedtls_x509_get_serial(   &p, end, &crt->serial   ) ) != 0 ||
+        ( ret = mbedtls_x509_get_alg(      &p, end, &crt->sig_oid,
+                                            &sig_params1 ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    if( crt->version < 0 || crt->version > 2 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
+    }
+
+    crt->version++;
+
+    if( ( ret = mbedtls_x509_get_sig_alg( &crt->sig_oid, &sig_params1,
+                                  &crt->sig_md, &crt->sig_pk,
+                                  &crt->sig_opts ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    /*
+     * issuer               Name
+     */
+    crt->issuer_raw.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_name( &p, p + len, &crt->issuer ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    crt->issuer_raw.len = p - crt->issuer_raw.p;
+
+    /*
+     * Validity ::= SEQUENCE {
+     *      notBefore      Time,
+     *      notAfter       Time }
+     *
+     */
+    if( ( ret = x509_get_dates( &p, end, &crt->valid_from,
+                                         &crt->valid_to ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    /*
+     * subject              Name
+     */
+    crt->subject_raw.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( len && ( ret = mbedtls_x509_get_name( &p, p + len, &crt->subject ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    crt->subject_raw.len = p - crt->subject_raw.p;
+
+    /*
+     * SubjectPublicKeyInfo
+     */
+    if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &crt->pk ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    /*
+     *  issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+     *                       -- If present, version shall be v2 or v3
+     *  subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+     *                       -- If present, version shall be v2 or v3
+     *  extensions      [3]  EXPLICIT Extensions OPTIONAL
+     *                       -- If present, version shall be v3
+     */
+    if( crt->version == 2 || crt->version == 3 )
+    {
+        ret = x509_get_uid( &p, end, &crt->issuer_id,  1 );
+        if( ret != 0 )
+        {
+            mbedtls_x509_crt_free( crt );
+            return( ret );
+        }
+    }
+
+    if( crt->version == 2 || crt->version == 3 )
+    {
+        ret = x509_get_uid( &p, end, &crt->subject_id,  2 );
+        if( ret != 0 )
+        {
+            mbedtls_x509_crt_free( crt );
+            return( ret );
+        }
+    }
+
+#if !defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
+    if( crt->version == 3 )
+#endif
+    {
+        ret = x509_get_crt_ext( &p, end, crt );
+        if( ret != 0 )
+        {
+            mbedtls_x509_crt_free( crt );
+            return( ret );
+        }
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    end = crt_end;
+
+    /*
+     *  }
+     *  -- end of TBSCertificate
+     *
+     *  signatureAlgorithm   AlgorithmIdentifier,
+     *  signatureValue       BIT STRING
+     */
+    if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    if( crt->sig_oid.len != sig_oid2.len ||
+        memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 ||
+        sig_params1.tag != sig_params2.tag ||
+        sig_params1.len != sig_params2.len ||
+        ( sig_params1.len != 0 &&
+          memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_SIG_MISMATCH );
+    }
+
+    if( ( ret = mbedtls_x509_get_sig( &p, end, &crt->sig ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse one X.509 certificate in DER format from a buffer and add them to a
+ * chained list
+ */
+int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
+                        size_t buflen )
+{
+    int ret;
+    mbedtls_x509_crt *crt = chain, *prev = NULL;
+
+    /*
+     * Check for valid input
+     */
+    if( crt == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    while( crt->version != 0 && crt->next != NULL )
+    {
+        prev = crt;
+        crt = crt->next;
+    }
+
+    /*
+     * Add new certificate on the end of the chain if needed.
+     */
+    if( crt->version != 0 && crt->next == NULL )
+    {
+        crt->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
+
+        if( crt->next == NULL )
+            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+        prev = crt;
+        mbedtls_x509_crt_init( crt->next );
+        crt = crt->next;
+    }
+
+    if( ( ret = x509_crt_parse_der_core( crt, buf, buflen ) ) != 0 )
+    {
+        if( prev )
+            prev->next = NULL;
+
+        if( crt != chain )
+            mbedtls_free( crt );
+
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse one or more PEM certificates from a buffer and add them to the chained
+ * list
+ */
+int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen )
+{
+#if defined(MBEDTLS_PEM_PARSE_C)
+    int success = 0, first_error = 0, total_failed = 0;
+    int buf_format = MBEDTLS_X509_FORMAT_DER;
+#endif
+
+    /*
+     * Check for valid input
+     */
+    if( chain == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    /*
+     * Determine buffer content. Buffer contains either one DER certificate or
+     * one or more PEM certificates.
+     */
+#if defined(MBEDTLS_PEM_PARSE_C)
+    if( buflen != 0 && buf[buflen - 1] == '\0' &&
+        strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL )
+    {
+        buf_format = MBEDTLS_X509_FORMAT_PEM;
+    }
+
+    if( buf_format == MBEDTLS_X509_FORMAT_DER )
+        return mbedtls_x509_crt_parse_der( chain, buf, buflen );
+#else
+    return mbedtls_x509_crt_parse_der( chain, buf, buflen );
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    if( buf_format == MBEDTLS_X509_FORMAT_PEM )
+    {
+        int ret;
+        mbedtls_pem_context pem;
+
+        /* 1 rather than 0 since the terminating NULL byte is counted in */
+        while( buflen > 1 )
+        {
+            size_t use_len;
+            mbedtls_pem_init( &pem );
+
+            /* If we get there, we know the string is null-terminated */
+            ret = mbedtls_pem_read_buffer( &pem,
+                           "-----BEGIN CERTIFICATE-----",
+                           "-----END CERTIFICATE-----",
+                           buf, NULL, 0, &use_len );
+
+            if( ret == 0 )
+            {
+                /*
+                 * Was PEM encoded
+                 */
+                buflen -= use_len;
+                buf += use_len;
+            }
+            else if( ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA )
+            {
+                return( ret );
+            }
+            else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+            {
+                mbedtls_pem_free( &pem );
+
+                /*
+                 * PEM header and footer were found
+                 */
+                buflen -= use_len;
+                buf += use_len;
+
+                if( first_error == 0 )
+                    first_error = ret;
+
+                total_failed++;
+                continue;
+            }
+            else
+                break;
+
+            ret = mbedtls_x509_crt_parse_der( chain, pem.buf, pem.buflen );
+
+            mbedtls_pem_free( &pem );
+
+            if( ret != 0 )
+            {
+                /*
+                 * Quit parsing on a memory error
+                 */
+                if( ret == MBEDTLS_ERR_X509_ALLOC_FAILED )
+                    return( ret );
+
+                if( first_error == 0 )
+                    first_error = ret;
+
+                total_failed++;
+                continue;
+            }
+
+            success = 1;
+        }
+    }
+
+    if( success )
+        return( total_failed );
+    else if( first_error )
+        return( first_error );
+    else
+        return( MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT );
+#endif /* MBEDTLS_PEM_PARSE_C */
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load one or more certificates and add them to the chained list
+ */
+int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_x509_crt_parse( chain, buf, n );
+
+    mbedtls_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+
+int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
+{
+    int ret = 0;
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+    int w_ret;
+    WCHAR szDir[MAX_PATH];
+    char filename[MAX_PATH];
+    char *p;
+    size_t len = strlen( path );
+
+    WIN32_FIND_DATAW file_data;
+    HANDLE hFind;
+
+    if( len > MAX_PATH - 3 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    memset( szDir, 0, sizeof(szDir) );
+    memset( filename, 0, MAX_PATH );
+    memcpy( filename, path, len );
+    filename[len++] = '\\';
+    p = filename + len;
+    filename[len++] = '*';
+
+    w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int)len, szDir,
+                                 MAX_PATH - 3 );
+    if( w_ret == 0 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    hFind = FindFirstFileW( szDir, &file_data );
+    if( hFind == INVALID_HANDLE_VALUE )
+        return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
+
+    len = MAX_PATH - len;
+    do
+    {
+        memset( p, 0, len );
+
+        if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
+            continue;
+
+        w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
+                                     lstrlenW( file_data.cFileName ),
+                                     p, (int) len - 1,
+                                     NULL, NULL );
+        if( w_ret == 0 )
+        {
+            ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+            goto cleanup;
+        }
+
+        w_ret = mbedtls_x509_crt_parse_file( chain, filename );
+        if( w_ret < 0 )
+            ret++;
+        else
+            ret += w_ret;
+    }
+    while( FindNextFileW( hFind, &file_data ) != 0 );
+
+    if( GetLastError() != ERROR_NO_MORE_FILES )
+        ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+
+cleanup:
+    FindClose( hFind );
+#else /* _WIN32 */
+    int t_ret;
+    int snp_ret;
+    struct stat sb;
+    struct dirent *entry;
+    char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN];
+    DIR *dir = opendir( path );
+
+    if( dir == NULL )
+        return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &mbedtls_threading_readdir_mutex ) ) != 0 )
+    {
+        closedir( dir );
+        return( ret );
+    }
+#endif /* MBEDTLS_THREADING_C */
+
+    while( ( entry = readdir( dir ) ) != NULL )
+    {
+        snp_ret = mbedtls_snprintf( entry_name, sizeof entry_name,
+                                    "%s/%s", path, entry->d_name );
+
+        if( snp_ret < 0 || (size_t)snp_ret >= sizeof entry_name )
+        {
+            ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+            goto cleanup;
+        }
+        else if( stat( entry_name, &sb ) == -1 )
+        {
+            ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+            goto cleanup;
+        }
+
+        if( !S_ISREG( sb.st_mode ) )
+            continue;
+
+        // Ignore parse errors
+        //
+        t_ret = mbedtls_x509_crt_parse_file( chain, entry_name );
+        if( t_ret < 0 )
+            ret++;
+        else
+            ret += t_ret;
+    }
+
+cleanup:
+    closedir( dir );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &mbedtls_threading_readdir_mutex ) != 0 )
+        ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+#endif /* MBEDTLS_THREADING_C */
+
+#endif /* _WIN32 */
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+static int x509_info_subject_alt_name( char **buf, size_t *size,
+                                       const mbedtls_x509_sequence *subject_alt_name )
+{
+    size_t i;
+    size_t n = *size;
+    char *p = *buf;
+    const mbedtls_x509_sequence *cur = subject_alt_name;
+    const char *sep = "";
+    size_t sep_len = 0;
+
+    while( cur != NULL )
+    {
+        if( cur->buf.len + sep_len >= n )
+        {
+            *p = '\0';
+            return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
+        }
+
+        n -= cur->buf.len + sep_len;
+        for( i = 0; i < sep_len; i++ )
+            *p++ = sep[i];
+        for( i = 0; i < cur->buf.len; i++ )
+            *p++ = cur->buf.p[i];
+
+        sep = ", ";
+        sep_len = 2;
+
+        cur = cur->next;
+    }
+
+    *p = '\0';
+
+    *size = n;
+    *buf = p;
+
+    return( 0 );
+}
+
+#define PRINT_ITEM(i)                           \
+    {                                           \
+        ret = mbedtls_snprintf( p, n, "%s" i, sep );    \
+        MBEDTLS_X509_SAFE_SNPRINTF;                        \
+        sep = ", ";                             \
+    }
+
+#define CERT_TYPE(type,name)                    \
+    if( ns_cert_type & type )                   \
+        PRINT_ITEM( name );
+
+static int x509_info_cert_type( char **buf, size_t *size,
+                                unsigned char ns_cert_type )
+{
+    int ret;
+    size_t n = *size;
+    char *p = *buf;
+    const char *sep = "";
+
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT,         "SSL Client" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER,         "SSL Server" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL,              "Email" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING,     "Object Signing" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_RESERVED,           "Reserved" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CA,             "SSL CA" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA,           "Email CA" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA,  "Object Signing CA" );
+
+    *size = n;
+    *buf = p;
+
+    return( 0 );
+}
+
+#define KEY_USAGE(code,name)    \
+    if( key_usage & code )      \
+        PRINT_ITEM( name );
+
+static int x509_info_key_usage( char **buf, size_t *size,
+                                unsigned int key_usage )
+{
+    int ret;
+    size_t n = *size;
+    char *p = *buf;
+    const char *sep = "";
+
+    KEY_USAGE( MBEDTLS_X509_KU_DIGITAL_SIGNATURE,    "Digital Signature" );
+    KEY_USAGE( MBEDTLS_X509_KU_NON_REPUDIATION,      "Non Repudiation" );
+    KEY_USAGE( MBEDTLS_X509_KU_KEY_ENCIPHERMENT,     "Key Encipherment" );
+    KEY_USAGE( MBEDTLS_X509_KU_DATA_ENCIPHERMENT,    "Data Encipherment" );
+    KEY_USAGE( MBEDTLS_X509_KU_KEY_AGREEMENT,        "Key Agreement" );
+    KEY_USAGE( MBEDTLS_X509_KU_KEY_CERT_SIGN,        "Key Cert Sign" );
+    KEY_USAGE( MBEDTLS_X509_KU_CRL_SIGN,             "CRL Sign" );
+    KEY_USAGE( MBEDTLS_X509_KU_ENCIPHER_ONLY,        "Encipher Only" );
+    KEY_USAGE( MBEDTLS_X509_KU_DECIPHER_ONLY,        "Decipher Only" );
+
+    *size = n;
+    *buf = p;
+
+    return( 0 );
+}
+
+static int x509_info_ext_key_usage( char **buf, size_t *size,
+                                    const mbedtls_x509_sequence *extended_key_usage )
+{
+    int ret;
+    const char *desc;
+    size_t n = *size;
+    char *p = *buf;
+    const mbedtls_x509_sequence *cur = extended_key_usage;
+    const char *sep = "";
+
+    while( cur != NULL )
+    {
+        if( mbedtls_oid_get_extended_key_usage( &cur->buf, &desc ) != 0 )
+            desc = "???";
+
+        ret = mbedtls_snprintf( p, n, "%s%s", sep, desc );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        sep = ", ";
+
+        cur = cur->next;
+    }
+
+    *size = n;
+    *buf = p;
+
+    return( 0 );
+}
+
+/*
+ * Like memcmp, but case-insensitive and always returns -1 if different
+ */
+static int x509_memcasecmp( const void *s1, const void *s2, size_t len )
+{
+    size_t i;
+    unsigned char diff;
+    const unsigned char *n1 = s1, *n2 = s2;
+
+    for( i = 0; i < len; i++ )
+    {
+        diff = n1[i] ^ n2[i];
+
+        if( diff == 0 )
+            continue;
+
+        if( diff == 32 &&
+            ( ( n1[i] >= 'a' && n1[i] <= 'z' ) ||
+              ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) )
+        {
+            continue;
+        }
+
+        return( -1 );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Return 0 if name matches wildcard, -1 otherwise
+ */
+static int x509_check_wildcard( const char *cn, mbedtls_x509_buf *name )
+{
+    size_t i;
+    size_t cn_idx = 0, cn_len = strlen( cn );
+
+    if( name->len < 3 || name->p[0] != '*' || name->p[1] != '.' )
+        return( 0 );
+
+    for( i = 0; i < cn_len; ++i )
+    {
+        if( cn[i] == '.' )
+        {
+            cn_idx = i;
+            break;
+        }
+    }
+
+    if( cn_idx == 0 )
+        return( -1 );
+
+    if( cn_len - cn_idx == name->len - 1 &&
+        x509_memcasecmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( -1 );
+}
+
+/*
+ * Compare two X.509 strings, case-insensitive, and allowing for some encoding
+ * variations (but not all).
+ *
+ * Return 0 if equal, -1 otherwise.
+ */
+static int x509_string_cmp( const mbedtls_x509_buf *a, const mbedtls_x509_buf *b )
+{
+    if( a->tag == b->tag &&
+        a->len == b->len &&
+        memcmp( a->p, b->p, b->len ) == 0 )
+    {
+        return( 0 );
+    }
+
+    if( ( a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
+        ( b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
+        a->len == b->len &&
+        x509_memcasecmp( a->p, b->p, b->len ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( -1 );
+}
+
+/*
+ * Compare two X.509 Names (aka rdnSequence).
+ *
+ * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
+ * we sometimes return unequal when the full algorithm would return equal,
+ * but never the other way. (In particular, we don't do Unicode normalisation
+ * or space folding.)
+ *
+ * Return 0 if equal, -1 otherwise.
+ */
+static int x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *b )
+{
+    /* Avoid recursion, it might not be optimised by the compiler */
+    while( a != NULL || b != NULL )
+    {
+        if( a == NULL || b == NULL )
+            return( -1 );
+
+        /* type */
+        if( a->oid.tag != b->oid.tag ||
+            a->oid.len != b->oid.len ||
+            memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
+        {
+            return( -1 );
+        }
+
+        /* value */
+        if( x509_string_cmp( &a->val, &b->val ) != 0 )
+            return( -1 );
+
+        /* structure of the list of sets */
+        if( a->next_merged != b->next_merged )
+            return( -1 );
+
+        a = a->next;
+        b = b->next;
+    }
+
+    /* a == NULL == b */
+    return( 0 );
+}
+
+/*
+ * Return an informational string about the certificate.
+ */
+#define BEFORE_COLON    18
+#define BC              "18"
+int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crt *crt )
+{
+    int ret;
+    size_t n;
+    char *p;
+    char key_size_str[BEFORE_COLON];
+
+    p = buf;
+    n = size;
+
+    if( NULL == crt )
+    {
+        ret = mbedtls_snprintf( p, n, "\nCertificate is uninitialised!\n" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        return( (int) ( size - n ) );
+    }
+
+    ret = mbedtls_snprintf( p, n, "%scert. version     : %d\n",
+                               prefix, crt->version );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_snprintf( p, n, "%sserial number     : ",
+                               prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_serial_gets( p, n, &crt->serial );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sissuer name       : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &crt->issuer  );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%ssubject name      : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &crt->subject );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sissued  on        : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crt->valid_from.year, crt->valid_from.mon,
+                   crt->valid_from.day,  crt->valid_from.hour,
+                   crt->valid_from.min,  crt->valid_from.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sexpires on        : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crt->valid_to.year, crt->valid_to.mon,
+                   crt->valid_to.day,  crt->valid_to.hour,
+                   crt->valid_to.min,  crt->valid_to.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%ssigned using      : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_sig_alg_gets( p, n, &crt->sig_oid, crt->sig_pk,
+                             crt->sig_md, crt->sig_opts );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    /* Key size */
+    if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
+                                      mbedtls_pk_get_name( &crt->pk ) ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
+                          (int) mbedtls_pk_get_bitlen( &crt->pk ) );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    /*
+     * Optional extensions
+     */
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%sbasic constraints : CA=%s", prefix,
+                        crt->ca_istrue ? "true" : "false" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( crt->max_pathlen > 0 )
+        {
+            ret = mbedtls_snprintf( p, n, ", max_pathlen=%d", crt->max_pathlen - 1 );
+            MBEDTLS_X509_SAFE_SNPRINTF;
+        }
+    }
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%ssubject alt name  : ", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( ( ret = x509_info_subject_alt_name( &p, &n,
+                                            &crt->subject_alt_names ) ) != 0 )
+            return( ret );
+    }
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%scert. type        : ", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( ( ret = x509_info_cert_type( &p, &n, crt->ns_cert_type ) ) != 0 )
+            return( ret );
+    }
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%skey usage         : ", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( ( ret = x509_info_key_usage( &p, &n, crt->key_usage ) ) != 0 )
+            return( ret );
+    }
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%sext key usage     : ", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( ( ret = x509_info_ext_key_usage( &p, &n,
+                                             &crt->ext_key_usage ) ) != 0 )
+            return( ret );
+    }
+
+    ret = mbedtls_snprintf( p, n, "\n" );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return( (int) ( size - n ) );
+}
+
+struct x509_crt_verify_string {
+    int code;
+    const char *string;
+};
+
+static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
+    { MBEDTLS_X509_BADCERT_EXPIRED,       "The certificate validity has expired" },
+    { MBEDTLS_X509_BADCERT_REVOKED,       "The certificate has been revoked (is on a CRL)" },
+    { MBEDTLS_X509_BADCERT_CN_MISMATCH,   "The certificate Common Name (CN) does not match with the expected CN" },
+    { MBEDTLS_X509_BADCERT_NOT_TRUSTED,   "The certificate is not correctly signed by the trusted CA" },
+    { MBEDTLS_X509_BADCRL_NOT_TRUSTED,    "The CRL is not correctly signed by the trusted CA" },
+    { MBEDTLS_X509_BADCRL_EXPIRED,        "The CRL is expired" },
+    { MBEDTLS_X509_BADCERT_MISSING,       "Certificate was missing" },
+    { MBEDTLS_X509_BADCERT_SKIP_VERIFY,   "Certificate verification was skipped" },
+    { MBEDTLS_X509_BADCERT_OTHER,         "Other reason (can be used by verify callback)" },
+    { MBEDTLS_X509_BADCERT_FUTURE,        "The certificate validity starts in the future" },
+    { MBEDTLS_X509_BADCRL_FUTURE,         "The CRL is from the future" },
+    { MBEDTLS_X509_BADCERT_KEY_USAGE,     "Usage does not match the keyUsage extension" },
+    { MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" },
+    { MBEDTLS_X509_BADCERT_NS_CERT_TYPE,  "Usage does not match the nsCertType extension" },
+    { MBEDTLS_X509_BADCERT_BAD_MD,        "The certificate is signed with an unacceptable hash." },
+    { MBEDTLS_X509_BADCERT_BAD_PK,        "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
+    { MBEDTLS_X509_BADCERT_BAD_KEY,       "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." },
+    { MBEDTLS_X509_BADCRL_BAD_MD,         "The CRL is signed with an unacceptable hash." },
+    { MBEDTLS_X509_BADCRL_BAD_PK,         "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
+    { MBEDTLS_X509_BADCRL_BAD_KEY,        "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." },
+    { 0, NULL }
+};
+
+int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+                          uint32_t flags )
+{
+    int ret;
+    const struct x509_crt_verify_string *cur;
+    char *p = buf;
+    size_t n = size;
+
+    for( cur = x509_crt_verify_strings; cur->string != NULL ; cur++ )
+    {
+        if( ( flags & cur->code ) == 0 )
+            continue;
+
+        ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, cur->string );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+        flags ^= cur->code;
+    }
+
+    if( flags != 0 )
+    {
+        ret = mbedtls_snprintf( p, n, "%sUnknown reason "
+                                       "(this should not happen)\n", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
+    return( (int) ( size - n ) );
+}
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
+                                      unsigned int usage )
+{
+    unsigned int usage_must, usage_may;
+    unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
+                          | MBEDTLS_X509_KU_DECIPHER_ONLY;
+
+    if( ( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) == 0 )
+        return( 0 );
+
+    usage_must = usage & ~may_mask;
+
+    if( ( ( crt->key_usage & ~may_mask ) & usage_must ) != usage_must )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    usage_may = usage & may_mask;
+
+    if( ( ( crt->key_usage & may_mask ) | usage_may ) != usage_may )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+#endif
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
+                                       const char *usage_oid,
+                                       size_t usage_len )
+{
+    const mbedtls_x509_sequence *cur;
+
+    /* Extension is not mandatory, absent means no restriction */
+    if( ( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE ) == 0 )
+        return( 0 );
+
+    /*
+     * Look for the requested usage (or wildcard ANY) in our list
+     */
+    for( cur = &crt->ext_key_usage; cur != NULL; cur = cur->next )
+    {
+        const mbedtls_x509_buf *cur_oid = &cur->buf;
+
+        if( cur_oid->len == usage_len &&
+            memcmp( cur_oid->p, usage_oid, usage_len ) == 0 )
+        {
+            return( 0 );
+        }
+
+        if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid ) == 0 )
+            return( 0 );
+    }
+
+    return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+}
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+/*
+ * Return 1 if the certificate is revoked, or 0 otherwise.
+ */
+int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl )
+{
+    const mbedtls_x509_crl_entry *cur = &crl->entry;
+
+    while( cur != NULL && cur->serial.len != 0 )
+    {
+        if( crt->serial.len == cur->serial.len &&
+            memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
+        {
+            return( 1 );
+        }
+
+        cur = cur->next;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Check that the given certificate is not revoked according to the CRL.
+ * Skip validation if no CRL for the given CA is present.
+ */
+static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
+                               mbedtls_x509_crl *crl_list,
+                               const mbedtls_x509_crt_profile *profile )
+{
+    int flags = 0;
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+    const mbedtls_md_info_t *md_info;
+
+    if( ca == NULL )
+        return( flags );
+
+    while( crl_list != NULL )
+    {
+        if( crl_list->version == 0 ||
+            x509_name_cmp( &crl_list->issuer, &ca->subject ) != 0 )
+        {
+            crl_list = crl_list->next;
+            continue;
+        }
+
+        /*
+         * Check if the CA is configured to sign CRLs
+         */
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+        if( mbedtls_x509_crt_check_key_usage( ca,
+                                              MBEDTLS_X509_KU_CRL_SIGN ) != 0 )
+        {
+            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+            break;
+        }
+#endif
+
+        /*
+         * Check if CRL is correctly signed by the trusted CA
+         */
+        if( x509_profile_check_md_alg( profile, crl_list->sig_md ) != 0 )
+            flags |= MBEDTLS_X509_BADCRL_BAD_MD;
+
+        if( x509_profile_check_pk_alg( profile, crl_list->sig_pk ) != 0 )
+            flags |= MBEDTLS_X509_BADCRL_BAD_PK;
+
+        md_info = mbedtls_md_info_from_type( crl_list->sig_md );
+        if( mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ) != 0 )
+        {
+            /* Note: this can't happen except after an internal error */
+            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+            break;
+        }
+
+        if( x509_profile_check_key( profile, crl_list->sig_pk, &ca->pk ) != 0 )
+            flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+        if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
+                           crl_list->sig_md, hash, mbedtls_md_get_size( md_info ),
+                           crl_list->sig.p, crl_list->sig.len ) != 0 )
+        {
+            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+            break;
+        }
+
+        /*
+         * Check for validity of CRL (Do not drop out)
+         */
+        if( mbedtls_x509_time_is_past( &crl_list->next_update ) )
+            flags |= MBEDTLS_X509_BADCRL_EXPIRED;
+
+        if( mbedtls_x509_time_is_future( &crl_list->this_update ) )
+            flags |= MBEDTLS_X509_BADCRL_FUTURE;
+
+        /*
+         * Check if certificate is revoked
+         */
+        if( mbedtls_x509_crt_is_revoked( crt, crl_list ) )
+        {
+            flags |= MBEDTLS_X509_BADCERT_REVOKED;
+            break;
+        }
+
+        crl_list = crl_list->next;
+    }
+
+    return( flags );
+}
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+
+/*
+ * Check if 'parent' is a suitable parent (signing CA) for 'child'.
+ * Return 0 if yes, -1 if not.
+ *
+ * top means parent is a locally-trusted certificate
+ * bottom means child is the end entity cert
+ */
+static int x509_crt_check_parent( const mbedtls_x509_crt *child,
+                                  const mbedtls_x509_crt *parent,
+                                  int top, int bottom )
+{
+    int need_ca_bit;
+
+    /* Parent must be the issuer */
+    if( x509_name_cmp( &child->issuer, &parent->subject ) != 0 )
+        return( -1 );
+
+    /* Parent must have the basicConstraints CA bit set as a general rule */
+    need_ca_bit = 1;
+
+    /* Exception: v1/v2 certificates that are locally trusted. */
+    if( top && parent->version < 3 )
+        need_ca_bit = 0;
+
+    /* Exception: self-signed end-entity certs that are locally trusted. */
+    if( top && bottom &&
+        child->raw.len == parent->raw.len &&
+        memcmp( child->raw.p, parent->raw.p, child->raw.len ) == 0 )
+    {
+        need_ca_bit = 0;
+    }
+
+    if( need_ca_bit && ! parent->ca_istrue )
+        return( -1 );
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    if( need_ca_bit &&
+        mbedtls_x509_crt_check_key_usage( parent, MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 )
+    {
+        return( -1 );
+    }
+#endif
+
+    return( 0 );
+}
+
+/*
+ * Verify a certificate with no parent inside the chain
+ * (either the parent is a trusted root, or there is no parent)
+ *
+ * See comments for mbedtls_x509_crt_verify_with_profile()
+ * (also for notation used below)
+ *
+ * This function is called in two cases:
+ *  - child was found to have a parent in trusted roots, in which case we're
+ *    called with trust_ca pointing directly to that parent (not the full list)
+ *      - this is cases 1, 2 and 3 of the comment on verify_with_profile()
+ *      - case 1 is special as child and trust_ca point to copies of the same
+ *        certificate then
+ *  - child was found to have no parent either in the chain or in trusted CAs
+ *      - this is cases 4 and 5 of the comment on verify_with_profile()
+ *
+ * For historical reasons, the function currently does not assume that
+ * trust_ca points directly to the right root in the first case, and it
+ * doesn't know in which case it starts, so it always starts by searching for
+ * a parent in trust_ca.
+ */
+static int x509_crt_verify_top(
+                mbedtls_x509_crt *child, mbedtls_x509_crt *trust_ca,
+                mbedtls_x509_crl *ca_crl,
+                const mbedtls_x509_crt_profile *profile,
+                int path_cnt, int self_cnt, uint32_t *flags,
+                int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                void *p_vrfy )
+{
+    int ret;
+    uint32_t ca_flags = 0;
+    int check_path_cnt;
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+    const mbedtls_md_info_t *md_info;
+    mbedtls_x509_crt *future_past_ca = NULL;
+
+    if( mbedtls_x509_time_is_past( &child->valid_to ) )
+        *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
+
+    if( mbedtls_x509_time_is_future( &child->valid_from ) )
+        *flags |= MBEDTLS_X509_BADCERT_FUTURE;
+
+    if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
+        *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
+
+    if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
+        *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+
+    /*
+     * Child is the top of the chain. Check against the trust_ca list.
+     */
+    *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+
+    md_info = mbedtls_md_info_from_type( child->sig_md );
+    if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
+    {
+        /* Note: this can't happen except after an internal error */
+        /* Cannot check signature, no need to try any CA */
+        trust_ca = NULL;
+    }
+
+    for( /* trust_ca */ ; trust_ca != NULL; trust_ca = trust_ca->next )
+    {
+        if( x509_crt_check_parent( child, trust_ca, 1, path_cnt == 0 ) != 0 )
+            continue;
+
+        check_path_cnt = path_cnt + 1;
+
+        /*
+         * Reduce check_path_cnt to check against if top of the chain is
+         * the same as the trusted CA
+         */
+        if( child->subject_raw.len == trust_ca->subject_raw.len &&
+            memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
+                    child->subject_raw.len ) == 0 )
+        {
+            check_path_cnt--;
+        }
+
+        /* Self signed certificates do not count towards the limit */
+        if( trust_ca->max_pathlen > 0 &&
+            trust_ca->max_pathlen < check_path_cnt - self_cnt )
+        {
+            continue;
+        }
+
+        if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
+                           child->sig_md, hash, mbedtls_md_get_size( md_info ),
+                           child->sig.p, child->sig.len ) != 0 )
+        {
+            continue;
+        }
+
+        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ||
+            mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
+        {
+            if ( future_past_ca == NULL )
+                future_past_ca = trust_ca;
+
+            continue;
+        }
+
+        break;
+    }
+
+    if( trust_ca != NULL || ( trust_ca = future_past_ca ) != NULL )
+    {
+        /*
+         * Top of chain is signed by a trusted CA
+         */
+        *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+
+        if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 )
+            *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+    }
+
+    /*
+     * If top of chain is not the same as the trusted CA send a verify request
+     * to the callback for any issues with validity and CRL presence for the
+     * trusted CA certificate.
+     */
+    if( trust_ca != NULL &&
+        ( child->subject_raw.len != trust_ca->subject_raw.len ||
+          memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
+                  child->subject_raw.len ) != 0 ) )
+    {
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+        /* Check trusted CA's CRL for the chain's top crt */
+        *flags |= x509_crt_verifycrl( child, trust_ca, ca_crl, profile );
+#else
+        ((void) ca_crl);
+#endif
+
+        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
+            ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
+
+        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
+            ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
+
+        if( NULL != f_vrfy )
+        {
+            if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,
+                                &ca_flags ) ) != 0 )
+            {
+                return( ret );
+            }
+        }
+    }
+
+    /* Call callback on top cert */
+    if( NULL != f_vrfy )
+    {
+        if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
+            return( ret );
+    }
+
+    *flags |= ca_flags;
+
+    return( 0 );
+}
+
+/*
+ * Verify a certificate with a parent inside the chain
+ *
+ * See comments for mbedtls_x509_crt_verify_with_profile()
+ */
+static int x509_crt_verify_child(
+                mbedtls_x509_crt *child, mbedtls_x509_crt *parent,
+                mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl,
+                const mbedtls_x509_crt_profile *profile,
+                int path_cnt, int self_cnt, uint32_t *flags,
+                int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                void *p_vrfy )
+{
+    int ret;
+    uint32_t parent_flags = 0;
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+    mbedtls_x509_crt *grandparent;
+    const mbedtls_md_info_t *md_info;
+
+    /* Counting intermediate self signed certificates */
+    if( ( path_cnt != 0 ) && x509_name_cmp( &child->issuer, &child->subject ) == 0 )
+        self_cnt++;
+
+    /* path_cnt is 0 for the first intermediate CA */
+    if( 1 + path_cnt > MBEDTLS_X509_MAX_INTERMEDIATE_CA )
+    {
+        /* return immediately as the goal is to avoid unbounded recursion */
+        return( MBEDTLS_ERR_X509_FATAL_ERROR );
+    }
+
+    if( mbedtls_x509_time_is_past( &child->valid_to ) )
+        *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
+
+    if( mbedtls_x509_time_is_future( &child->valid_from ) )
+        *flags |= MBEDTLS_X509_BADCERT_FUTURE;
+
+    if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
+        *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
+
+    if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
+        *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+
+    md_info = mbedtls_md_info_from_type( child->sig_md );
+    if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
+    {
+        /* Note: this can't happen except after an internal error */
+        *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+    }
+    else
+    {
+        if( x509_profile_check_key( profile, child->sig_pk, &parent->pk ) != 0 )
+            *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+        if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
+                           child->sig_md, hash, mbedtls_md_get_size( md_info ),
+                           child->sig.p, child->sig.len ) != 0 )
+        {
+            *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+        }
+    }
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+    /* Check trusted CA's CRL for the given crt */
+    *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile );
+#endif
+
+    /* Look for a grandparent in trusted CAs */
+    for( grandparent = trust_ca;
+         grandparent != NULL;
+         grandparent = grandparent->next )
+    {
+        if( x509_crt_check_parent( parent, grandparent,
+                                   0, path_cnt == 0 ) == 0 )
+            break;
+    }
+
+    if( grandparent != NULL )
+    {
+        ret = x509_crt_verify_top( parent, grandparent, ca_crl, profile,
+                                path_cnt + 1, self_cnt, &parent_flags, f_vrfy, p_vrfy );
+        if( ret != 0 )
+            return( ret );
+    }
+    else
+    {
+        /* Look for a grandparent upwards the chain */
+        for( grandparent = parent->next;
+             grandparent != NULL;
+             grandparent = grandparent->next )
+        {
+            /* +2 because the current step is not yet accounted for
+             * and because max_pathlen is one higher than it should be.
+             * Also self signed certificates do not count to the limit. */
+            if( grandparent->max_pathlen > 0 &&
+                grandparent->max_pathlen < 2 + path_cnt - self_cnt )
+            {
+                continue;
+            }
+
+            if( x509_crt_check_parent( parent, grandparent,
+                                       0, path_cnt == 0 ) == 0 )
+                break;
+        }
+
+        /* Is our parent part of the chain or at the top? */
+        if( grandparent != NULL )
+        {
+            ret = x509_crt_verify_child( parent, grandparent, trust_ca, ca_crl,
+                                         profile, path_cnt + 1, self_cnt, &parent_flags,
+                                         f_vrfy, p_vrfy );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+        {
+            ret = x509_crt_verify_top( parent, trust_ca, ca_crl, profile,
+                                       path_cnt + 1, self_cnt, &parent_flags,
+                                       f_vrfy, p_vrfy );
+            if( ret != 0 )
+                return( ret );
+        }
+    }
+
+    /* child is verified to be a child of the parent, call verify callback */
+    if( NULL != f_vrfy )
+        if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
+            return( ret );
+
+    *flags |= parent_flags;
+
+    return( 0 );
+}
+
+/*
+ * Verify the certificate validity
+ */
+int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy )
+{
+    return( mbedtls_x509_crt_verify_with_profile( crt, trust_ca, ca_crl,
+                &mbedtls_x509_crt_profile_default, cn, flags, f_vrfy, p_vrfy ) );
+}
+
+
+/*
+ * Verify the certificate validity, with profile
+ *
+ * The chain building/verification is spread accross 4 functions:
+ *  - this one
+ *  - x509_crt_verify_child()
+ *  - x509_crt_verify_top()
+ *  - x509_crt_check_parent()
+ *
+ * There are five main cases to consider. Let's introduce some notation:
+ *  - E means the end-entity certificate
+ *  - I an intermediate CA
+ *  - R the trusted root CA this chain anchors to
+ *  - T the list of trusted roots (R and possible some others)
+ *
+ * The main cases with the calling sequence of the crt_verify_xxx() are:
+ *  1. E = R (explicitly trusted EE cert)
+ *      verify(E, T) -> verify_top(E, R)
+ *  2. E -> R (EE signed by trusted root)
+ *      verify(E, T) -> verify_top(E, R)
+ *  3. E -> I -> R (EE signed by intermediate signed by trusted root)
+ *      verify(E, T) -> verify_child(E, I, T) -> verify_top(I, R)
+ *      (plus variant with multiple intermediates)
+ *  4. E -> I (EE signed by intermediate that's not trusted)
+ *      verify(E, T) -> verify_child(E, I, T) -> verify_top(I, T)
+ *      (plus variant with multiple intermediates)
+ *  5. E (EE not trusted)
+ *      verify(E, T) -> verify_top(E, T)
+ *
+ * Note: this notation and case numbering is also used in x509_crt_verify_top()
+ */
+int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy )
+{
+    size_t cn_len;
+    int ret;
+    int pathlen = 0, selfsigned = 0;
+    mbedtls_x509_crt *parent;
+    mbedtls_x509_name *name;
+    mbedtls_x509_sequence *cur = NULL;
+    mbedtls_pk_type_t pk_type;
+
+    *flags = 0;
+
+    if( profile == NULL )
+    {
+        ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+        goto exit;
+    }
+
+    if( cn != NULL )
+    {
+        name = &crt->subject;
+        cn_len = strlen( cn );
+
+        if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
+        {
+            cur = &crt->subject_alt_names;
+
+            while( cur != NULL )
+            {
+                if( cur->buf.len == cn_len &&
+                    x509_memcasecmp( cn, cur->buf.p, cn_len ) == 0 )
+                    break;
+
+                if( cur->buf.len > 2 &&
+                    memcmp( cur->buf.p, "*.", 2 ) == 0 &&
+                    x509_check_wildcard( cn, &cur->buf ) == 0 )
+                {
+                    break;
+                }
+
+                cur = cur->next;
+            }
+
+            if( cur == NULL )
+                *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+        }
+        else
+        {
+            while( name != NULL )
+            {
+                if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 )
+                {
+                    if( name->val.len == cn_len &&
+                        x509_memcasecmp( name->val.p, cn, cn_len ) == 0 )
+                        break;
+
+                    if( name->val.len > 2 &&
+                        memcmp( name->val.p, "*.", 2 ) == 0 &&
+                        x509_check_wildcard( cn, &name->val ) == 0 )
+                        break;
+                }
+
+                name = name->next;
+            }
+
+            if( name == NULL )
+                *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+        }
+    }
+
+    /* Check the type and size of the key */
+    pk_type = mbedtls_pk_get_type( &crt->pk );
+
+    if( x509_profile_check_pk_alg( profile, pk_type ) != 0 )
+        *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+
+    if( x509_profile_check_key( profile, pk_type, &crt->pk ) != 0 )
+        *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+    /* Look for a parent in trusted CAs */
+    for( parent = trust_ca; parent != NULL; parent = parent->next )
+    {
+        if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
+            break;
+    }
+
+    if( parent != NULL )
+    {
+        ret = x509_crt_verify_top( crt, parent, ca_crl, profile,
+                                   pathlen, selfsigned, flags, f_vrfy, p_vrfy );
+        if( ret != 0 )
+            goto exit;
+    }
+    else
+    {
+        /* Look for a parent upwards the chain */
+        for( parent = crt->next; parent != NULL; parent = parent->next )
+            if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
+                break;
+
+        /* Are we part of the chain or at the top? */
+        if( parent != NULL )
+        {
+            ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, profile,
+                                         pathlen, selfsigned, flags, f_vrfy, p_vrfy );
+            if( ret != 0 )
+                goto exit;
+        }
+        else
+        {
+            ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile,
+                                       pathlen, selfsigned, flags, f_vrfy, p_vrfy );
+            if( ret != 0 )
+                goto exit;
+        }
+    }
+
+exit:
+    /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
+     * the SSL module for authmode optional, but non-zero return from the
+     * callback means a fatal error so it shouldn't be ignored */
+    if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
+        ret = MBEDTLS_ERR_X509_FATAL_ERROR;
+
+    if( ret != 0 )
+    {
+        *flags = (uint32_t) -1;
+        return( ret );
+    }
+
+    if( *flags != 0 )
+        return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
+
+    return( 0 );
+}
+
+/*
+ * Initialize a certificate chain
+ */
+void mbedtls_x509_crt_init( mbedtls_x509_crt *crt )
+{
+    memset( crt, 0, sizeof(mbedtls_x509_crt) );
+}
+
+/*
+ * Unallocate all certificate data
+ */
+void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
+{
+    mbedtls_x509_crt *cert_cur = crt;
+    mbedtls_x509_crt *cert_prv;
+    mbedtls_x509_name *name_cur;
+    mbedtls_x509_name *name_prv;
+    mbedtls_x509_sequence *seq_cur;
+    mbedtls_x509_sequence *seq_prv;
+
+    if( crt == NULL )
+        return;
+
+    do
+    {
+        mbedtls_pk_free( &cert_cur->pk );
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+        mbedtls_free( cert_cur->sig_opts );
+#endif
+
+        name_cur = cert_cur->issuer.next;
+        while( name_cur != NULL )
+        {
+            name_prv = name_cur;
+            name_cur = name_cur->next;
+            mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+            mbedtls_free( name_prv );
+        }
+
+        name_cur = cert_cur->subject.next;
+        while( name_cur != NULL )
+        {
+            name_prv = name_cur;
+            name_cur = name_cur->next;
+            mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+            mbedtls_free( name_prv );
+        }
+
+        seq_cur = cert_cur->ext_key_usage.next;
+        while( seq_cur != NULL )
+        {
+            seq_prv = seq_cur;
+            seq_cur = seq_cur->next;
+            mbedtls_zeroize( seq_prv, sizeof( mbedtls_x509_sequence ) );
+            mbedtls_free( seq_prv );
+        }
+
+        seq_cur = cert_cur->subject_alt_names.next;
+        while( seq_cur != NULL )
+        {
+            seq_prv = seq_cur;
+            seq_cur = seq_cur->next;
+            mbedtls_zeroize( seq_prv, sizeof( mbedtls_x509_sequence ) );
+            mbedtls_free( seq_prv );
+        }
+
+        if( cert_cur->raw.p != NULL )
+        {
+            mbedtls_zeroize( cert_cur->raw.p, cert_cur->raw.len );
+            mbedtls_free( cert_cur->raw.p );
+        }
+
+        cert_cur = cert_cur->next;
+    }
+    while( cert_cur != NULL );
+
+    cert_cur = crt;
+    do
+    {
+        cert_prv = cert_cur;
+        cert_cur = cert_cur->next;
+
+        mbedtls_zeroize( cert_prv, sizeof( mbedtls_x509_crt ) );
+        if( cert_prv != crt )
+            mbedtls_free( cert_prv );
+    }
+    while( cert_cur != NULL );
+}
+
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
diff --git a/third-party/mbedtls-3.6/library/x509_csr.c b/third-party/mbedtls-3.6/library/x509_csr.c
new file mode 100644
index 00000000..50988e01
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/x509_csr.c
@@ -0,0 +1,448 @@
+/*
+ *  X.509 Certificate Signing Request (CSR) parsing
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/oid.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_free       free
+#define mbedtls_calloc    calloc
+#define mbedtls_snprintf   snprintf
+#endif
+
+#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
+#include <stdio.h>
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ *  Version  ::=  INTEGER  {  v1(0)  }
+ */
+static int x509_csr_get_version( unsigned char **p,
+                             const unsigned char *end,
+                             int *ver )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            *ver = 0;
+            return( 0 );
+        }
+
+        return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse a CSR in DER format
+ */
+int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
+                        const unsigned char *buf, size_t buflen )
+{
+    int ret;
+    size_t len;
+    unsigned char *p, *end;
+    mbedtls_x509_buf sig_params;
+
+    memset( &sig_params, 0, sizeof( mbedtls_x509_buf ) );
+
+    /*
+     * Check for valid input
+     */
+    if( csr == NULL || buf == NULL || buflen == 0 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    mbedtls_x509_csr_init( csr );
+
+    /*
+     * first copy the raw DER data
+     */
+    p = mbedtls_calloc( 1, len = buflen );
+
+    if( p == NULL )
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+    memcpy( p, buf, buflen );
+
+    csr->raw.p = p;
+    csr->raw.len = len;
+    end = p + len;
+
+    /*
+     *  CertificationRequest ::= SEQUENCE {
+     *       certificationRequestInfo CertificationRequestInfo,
+     *       signatureAlgorithm AlgorithmIdentifier,
+     *       signature          BIT STRING
+     *  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+    }
+
+    if( len != (size_t) ( end - p ) )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    /*
+     *  CertificationRequestInfo ::= SEQUENCE {
+     */
+    csr->cri.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+    csr->cri.len = end - csr->cri.p;
+
+    /*
+     *  Version  ::=  INTEGER {  v1(0) }
+     */
+    if( ( ret = x509_csr_get_version( &p, end, &csr->version ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    if( csr->version != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
+    }
+
+    csr->version++;
+
+    /*
+     *  subject               Name
+     */
+    csr->subject_raw.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_name( &p, p + len, &csr->subject ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    csr->subject_raw.len = p - csr->subject_raw.p;
+
+    /*
+     *  subjectPKInfo SubjectPublicKeyInfo
+     */
+    if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &csr->pk ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    /*
+     *  attributes    [0] Attributes
+     *
+     *  The list of possible attributes is open-ended, though RFC 2985
+     *  (PKCS#9) defines a few in section 5.4. We currently don't support any,
+     *  so we just ignore them. This is a safe thing to do as the worst thing
+     *  that could happen is that we issue a certificate that does not match
+     *  the requester's expectations - this cannot cause a violation of our
+     *  signature policies.
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    p += len;
+
+    end = csr->raw.p + csr->raw.len;
+
+    /*
+     *  signatureAlgorithm   AlgorithmIdentifier,
+     *  signature            BIT STRING
+     */
+    if( ( ret = mbedtls_x509_get_alg( &p, end, &csr->sig_oid, &sig_params ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_sig_alg( &csr->sig_oid, &sig_params,
+                                  &csr->sig_md, &csr->sig_pk,
+                                  &csr->sig_opts ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
+    }
+
+    if( ( ret = mbedtls_x509_get_sig( &p, end, &csr->sig ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse a CSR, allowing for PEM or raw DER encoding
+ */
+int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen )
+{
+#if defined(MBEDTLS_PEM_PARSE_C)
+    int ret;
+    size_t use_len;
+    mbedtls_pem_context pem;
+#endif
+
+    /*
+     * Check for valid input
+     */
+    if( csr == NULL || buf == NULL || buflen == 0 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( buf[buflen - 1] == '\0' )
+    {
+        mbedtls_pem_init( &pem );
+        ret = mbedtls_pem_read_buffer( &pem,
+                                       "-----BEGIN CERTIFICATE REQUEST-----",
+                                       "-----END CERTIFICATE REQUEST-----",
+                                       buf, NULL, 0, &use_len );
+        if( ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        {
+            ret = mbedtls_pem_read_buffer( &pem,
+                                           "-----BEGIN NEW CERTIFICATE REQUEST-----",
+                                           "-----END NEW CERTIFICATE REQUEST-----",
+                                           buf, NULL, 0, &use_len );
+        }
+
+        if( ret == 0 )
+        {
+            /*
+             * Was PEM encoded, parse the result
+             */
+            ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen );
+        }
+
+        mbedtls_pem_free( &pem );
+        if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+            return( ret );
+    }
+#endif /* MBEDTLS_PEM_PARSE_C */
+    return( mbedtls_x509_csr_parse_der( csr, buf, buflen ) );
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load a CSR into the structure
+ */
+int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_x509_csr_parse( csr, buf, n );
+
+    mbedtls_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+#define BEFORE_COLON    14
+#define BC              "14"
+/*
+ * Return an informational string about the CSR.
+ */
+int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_csr *csr )
+{
+    int ret;
+    size_t n;
+    char *p;
+    char key_size_str[BEFORE_COLON];
+
+    p = buf;
+    n = size;
+
+    ret = mbedtls_snprintf( p, n, "%sCSR version   : %d",
+                               prefix, csr->version );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%ssubject name  : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &csr->subject );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%ssigned using  : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_sig_alg_gets( p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md,
+                             csr->sig_opts );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
+                                      mbedtls_pk_get_name( &csr->pk ) ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
+                          (int) mbedtls_pk_get_bitlen( &csr->pk ) );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return( (int) ( size - n ) );
+}
+
+/*
+ * Initialize a CSR
+ */
+void mbedtls_x509_csr_init( mbedtls_x509_csr *csr )
+{
+    memset( csr, 0, sizeof(mbedtls_x509_csr) );
+}
+
+/*
+ * Unallocate all CSR data
+ */
+void mbedtls_x509_csr_free( mbedtls_x509_csr *csr )
+{
+    mbedtls_x509_name *name_cur;
+    mbedtls_x509_name *name_prv;
+
+    if( csr == NULL )
+        return;
+
+    mbedtls_pk_free( &csr->pk );
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    mbedtls_free( csr->sig_opts );
+#endif
+
+    name_cur = csr->subject.next;
+    while( name_cur != NULL )
+    {
+        name_prv = name_cur;
+        name_cur = name_cur->next;
+        mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+        mbedtls_free( name_prv );
+    }
+
+    if( csr->raw.p != NULL )
+    {
+        mbedtls_zeroize( csr->raw.p, csr->raw.len );
+        mbedtls_free( csr->raw.p );
+    }
+
+    mbedtls_zeroize( csr, sizeof( mbedtls_x509_csr ) );
+}
+
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
diff --git a/third-party/mbedtls-3.6/library/x509write_crt.c b/third-party/mbedtls-3.6/library/x509write_crt.c
new file mode 100644
index 00000000..daebb813
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/x509write_crt.c
@@ -0,0 +1,551 @@
+/*
+ *  X.509 certificate writing
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ * References:
+ * - certificates: RFC 5280, updated by RFC 6818
+ * - CSRs: PKCS#10 v1.7 aka RFC 2986
+ * - attributes: PKCS#9 v2.0 aka RFC 2985
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/sha1.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * For the currently used signature algorithms the buffer to store any signature
+ * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
+ */
+#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
+#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
+#else
+#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+
+void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
+
+    mbedtls_mpi_init( &ctx->serial );
+    ctx->version = MBEDTLS_X509_CRT_VERSION_3;
+}
+
+void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx )
+{
+    mbedtls_mpi_free( &ctx->serial );
+
+    mbedtls_asn1_free_named_data_list( &ctx->subject );
+    mbedtls_asn1_free_named_data_list( &ctx->issuer );
+    mbedtls_asn1_free_named_data_list( &ctx->extensions );
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_cert ) );
+}
+
+void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version )
+{
+    ctx->version = version;
+}
+
+void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg )
+{
+    ctx->md_alg = md_alg;
+}
+
+void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key )
+{
+    ctx->subject_key = key;
+}
+
+void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key )
+{
+    ctx->issuer_key = key;
+}
+
+int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
+                                    const char *subject_name )
+{
+    return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
+}
+
+int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
+                                   const char *issuer_name )
+{
+    return mbedtls_x509_string_to_names( &ctx->issuer, issuer_name );
+}
+
+int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial )
+{
+    int ret;
+
+    if( ( ret = mbedtls_mpi_copy( &ctx->serial, serial ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
+                                const char *not_after )
+{
+    if( strlen( not_before ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 ||
+        strlen( not_after )  != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 )
+    {
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+    }
+    strncpy( ctx->not_before, not_before, MBEDTLS_X509_RFC5280_UTC_TIME_LEN );
+    strncpy( ctx->not_after , not_after , MBEDTLS_X509_RFC5280_UTC_TIME_LEN );
+    ctx->not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
+    ctx->not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
+
+    return( 0 );
+}
+
+int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
+                                 const char *oid, size_t oid_len,
+                                 int critical,
+                                 const unsigned char *val, size_t val_len )
+{
+    return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
+                               critical, val, val_len );
+}
+
+int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
+                                         int is_ca, int max_pathlen )
+{
+    int ret;
+    unsigned char buf[9];
+    unsigned char *c = buf + sizeof(buf);
+    size_t len = 0;
+
+    memset( buf, 0, sizeof(buf) );
+
+    if( is_ca && max_pathlen > 127 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    if( is_ca )
+    {
+        if( max_pathlen >= 0 )
+        {
+            MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, max_pathlen ) );
+        }
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( &c, buf, 1 ) );
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                MBEDTLS_ASN1_SEQUENCE ) );
+
+    return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS,
+                                        MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ),
+                                        0, buf + sizeof(buf) - len, len );
+}
+
+#if defined(MBEDTLS_SHA1_C)
+int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx )
+{
+    int ret;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
+    unsigned char *c = buf + sizeof(buf);
+    size_t len = 0;
+
+    memset( buf, 0, sizeof(buf) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) );
+
+    ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
+                            buf + sizeof( buf ) - 20 );
+    if( ret != 0 )
+        return( ret );
+    c = buf + sizeof( buf ) - 20;
+    len = 20;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OCTET_STRING ) );
+
+    return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
+                                        MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ),
+                                        0, buf + sizeof(buf) - len, len );
+}
+
+int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx )
+{
+    int ret;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
+    unsigned char *c = buf + sizeof( buf );
+    size_t len = 0;
+
+    memset( buf, 0, sizeof(buf) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) );
+
+    ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
+                            buf + sizeof( buf ) - 20 );
+    if( ret != 0 )
+        return( ret );
+    c = buf + sizeof( buf ) - 20;
+    len = 20;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0 ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                MBEDTLS_ASN1_SEQUENCE ) );
+
+    return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
+                                   MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ),
+                                   0, buf + sizeof( buf ) - len, len );
+}
+#endif /* MBEDTLS_SHA1_C */
+
+static size_t crt_get_unused_bits_for_named_bitstring( unsigned char bitstring,
+                                                       size_t bit_offset )
+{
+    size_t unused_bits;
+
+     /* Count the unused bits removing trailing 0s */
+    for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
+        if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
+            break;
+
+     return( unused_bits );
+}
+
+int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
+                                         unsigned int key_usage )
+{
+    unsigned char buf[4], ku;
+    unsigned char *c;
+    int ret;
+    size_t unused_bits;
+    const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
+        MBEDTLS_X509_KU_NON_REPUDIATION   |
+        MBEDTLS_X509_KU_KEY_ENCIPHERMENT  |
+        MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
+        MBEDTLS_X509_KU_KEY_AGREEMENT     |
+        MBEDTLS_X509_KU_KEY_CERT_SIGN     |
+        MBEDTLS_X509_KU_CRL_SIGN;
+
+    /* Check that nothing other than the allowed flags is set */
+    if( ( key_usage & ~allowed_bits ) != 0 )
+        return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
+
+    c = buf + 4;
+    ku = (unsigned char)key_usage;
+    unused_bits = crt_get_unused_bits_for_named_bitstring( ku, 1 );
+    ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 8 - unused_bits );
+
+    if( ret < 0 )
+        return( ret );
+    else if( ret < 3 || ret > 4 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+
+    ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
+                                       MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
+                                       1, c, (size_t)ret );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
+                                    unsigned char ns_cert_type )
+{
+    unsigned char buf[4];
+    unsigned char *c;
+    size_t unused_bits;
+    int ret;
+
+    c = buf + 4;
+
+    unused_bits = crt_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
+    ret = mbedtls_asn1_write_bitstring( &c,
+                                        buf,
+                                        &ns_cert_type,
+                                        8 - unused_bits );
+    if( ret < 3 || ret > 4 )
+        return( ret );
+
+    ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
+                                       MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
+                                       0, c, (size_t)ret );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+static int x509_write_time( unsigned char **p, unsigned char *start,
+                            const char *t, size_t size )
+{
+    int ret;
+    size_t len = 0;
+
+    /*
+     * write MBEDTLS_ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
+     */
+    if( t[0] == '2' && t[1] == '0' && t[2] < '5' )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+                                             (const unsigned char *) t + 2,
+                                             size - 2 ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_UTC_TIME ) );
+    }
+    else
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+                                                  (const unsigned char *) t,
+                                                  size ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_GENERALIZED_TIME ) );
+    }
+
+    return( (int) len );
+}
+
+int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
+{
+    int ret;
+    const char *sig_oid;
+    size_t sig_oid_len = 0;
+    unsigned char *c, *c2;
+    unsigned char hash[64];
+    unsigned char sig[SIGNATURE_MAX_SIZE];
+    unsigned char tmp_buf[2048];
+    size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
+    size_t len = 0;
+    mbedtls_pk_type_t pk_alg;
+
+    /*
+     * Prepare data to be signed in tmp_buf
+     */
+    c = tmp_buf + sizeof( tmp_buf );
+
+    /* Signature algorithm needed in TBS, and later for actual signature */
+
+    /* There's no direct way of extracting a signature algorithm
+     * (represented as an element of mbedtls_pk_type_t) from a PK instance. */
+    if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_RSA ) )
+        pk_alg = MBEDTLS_PK_RSA;
+    else if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_ECDSA ) )
+        pk_alg = MBEDTLS_PK_ECDSA;
+    else
+        return( MBEDTLS_ERR_X509_INVALID_ALG );
+
+    if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
+                                          &sig_oid, &sig_oid_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /*
+     *  Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+     */
+
+    /* Only for v3 */
+    if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                           MBEDTLS_ASN1_SEQUENCE ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                                           MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
+    }
+
+    /*
+     *  SubjectPublicKeyInfo
+     */
+    MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key,
+                                                tmp_buf, c - tmp_buf ) );
+    c -= pub_len;
+    len += pub_len;
+
+    /*
+     *  Subject  ::=  Name
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
+
+    /*
+     *  Validity ::= SEQUENCE {
+     *       notBefore      Time,
+     *       notAfter       Time }
+     */
+    sub_len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
+                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+
+    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
+                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+
+    len += sub_len;
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
+
+    /*
+     *  Issuer  ::=  Name
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) );
+
+    /*
+     *  Signature   ::=  AlgorithmIdentifier
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf,
+                       sig_oid, strlen( sig_oid ), 0 ) );
+
+    /*
+     *  Serial   ::=  INTEGER
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
+
+    /*
+     *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+     */
+
+    /* Can be omitted for v1 */
+    if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
+    {
+        sub_len = 0;
+        MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
+        len += sub_len;
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                                           MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                       MBEDTLS_ASN1_SEQUENCE ) );
+
+    /*
+     * Make signature
+     */
+    if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c,
+                            len, hash ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
+                         f_rng, p_rng ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /*
+     * Write data to output buffer
+     */
+    c2 = buf + size;
+    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
+                                        sig_oid, sig_oid_len, sig, sig_len ) );
+
+    if( len > (size_t)( c2 - buf ) )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    c2 -= len;
+    memcpy( c2, c, len );
+
+    len += sig_and_oid_len;
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+#define PEM_BEGIN_CRT           "-----BEGIN CERTIFICATE-----\n"
+#define PEM_END_CRT             "-----END CERTIFICATE-----\n"
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
+{
+    int ret;
+    unsigned char output_buf[4096];
+    size_t olen = 0;
+
+    if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf),
+                                   f_rng, p_rng ) ) < 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT,
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
diff --git a/third-party/mbedtls-3.6/library/x509write_csr.c b/third-party/mbedtls-3.6/library/x509write_csr.c
new file mode 100644
index 00000000..cbf4276e
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/x509write_csr.c
@@ -0,0 +1,331 @@
+/*
+ *  X.509 Certificate Signing Request writing
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+/*
+ * References:
+ * - CSRs: PKCS#10 v1.7 aka RFC 2986
+ * - attributes: PKCS#9 v2.0 aka RFC 2985
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/asn1write.h"
+
+#include <string.h>
+#include <stdlib.h>
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * For the currently used signature algorithms the buffer to store any signature
+ * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
+ */
+#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
+#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
+#else
+#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+
+void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
+}
+
+void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
+{
+    mbedtls_asn1_free_named_data_list( &ctx->subject );
+    mbedtls_asn1_free_named_data_list( &ctx->extensions );
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_csr ) );
+}
+
+void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg )
+{
+    ctx->md_alg = md_alg;
+}
+
+void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key )
+{
+    ctx->key = key;
+}
+
+int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
+                                    const char *subject_name )
+{
+    return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
+}
+
+int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
+                                 const char *oid, size_t oid_len,
+                                 const unsigned char *val, size_t val_len )
+{
+    return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
+                               0, val, val_len );
+}
+
+static size_t csr_get_unused_bits_for_named_bitstring( unsigned char bitstring,
+                                                       size_t bit_offset )
+{
+    size_t unused_bits;
+
+     /* Count the unused bits removing trailing 0s */
+    for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
+        if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
+            break;
+
+     return( unused_bits );
+}
+
+int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage )
+{
+    unsigned char buf[4];
+    unsigned char *c;
+    size_t unused_bits;
+    int ret;
+
+    c = buf + 4;
+
+    unused_bits = csr_get_unused_bits_for_named_bitstring( key_usage, 0 );
+    ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 8 - unused_bits );
+
+    if( ret < 0 )
+        return( ret );
+    else if( ret < 3 || ret > 4 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+
+    ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
+                                       MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
+                                       c, (size_t)ret );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
+                                    unsigned char ns_cert_type )
+{
+    unsigned char buf[4];
+    unsigned char *c;
+    size_t unused_bits;
+    int ret;
+
+    c = buf + 4;
+
+    unused_bits = csr_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
+    ret = mbedtls_asn1_write_bitstring( &c,
+                                        buf,
+                                        &ns_cert_type,
+                                        8 - unused_bits );
+
+    if( ret < 0 )
+        return( ret );
+    else if( ret < 3 || ret > 4 )
+        return( ret );
+
+    ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
+                                       MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
+                                       c, (size_t)ret );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
+{
+    int ret;
+    const char *sig_oid;
+    size_t sig_oid_len = 0;
+    unsigned char *c, *c2;
+    unsigned char hash[64];
+    unsigned char sig[SIGNATURE_MAX_SIZE];
+    unsigned char tmp_buf[2048];
+    size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
+    size_t len = 0;
+    mbedtls_pk_type_t pk_alg;
+
+    /*
+     * Prepare data to be signed in tmp_buf
+     */
+    c = tmp_buf + sizeof( tmp_buf );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
+
+    if( len )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                        MBEDTLS_ASN1_SEQUENCE ) );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                        MBEDTLS_ASN1_SET ) );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( &c, tmp_buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
+                                          MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_CSR_EXT_REQ ) ) );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                        MBEDTLS_ASN1_SEQUENCE ) );
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_CONTEXT_SPECIFIC ) );
+
+    MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->key,
+                                                tmp_buf, c - tmp_buf ) );
+    c -= pub_len;
+    len += pub_len;
+
+    /*
+     *  Subject  ::=  Name
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
+
+    /*
+     *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, tmp_buf, 0 ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
+
+    /*
+     * Prepare signature
+     */
+    ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
+    if( ret != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
+                                 f_rng, p_rng ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_RSA ) )
+        pk_alg = MBEDTLS_PK_RSA;
+    else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) )
+        pk_alg = MBEDTLS_PK_ECDSA;
+    else
+        return( MBEDTLS_ERR_X509_INVALID_ALG );
+
+    if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
+                                                &sig_oid, &sig_oid_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /*
+     * Write data to output buffer
+     */
+    c2 = buf + size;
+    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
+                                        sig_oid, sig_oid_len, sig, sig_len ) );
+
+    if( len > (size_t)( c2 - buf ) )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    c2 -= len;
+    memcpy( c2, c, len );
+
+    len += sig_and_oid_len;
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+#define PEM_BEGIN_CSR           "-----BEGIN CERTIFICATE REQUEST-----\n"
+#define PEM_END_CSR             "-----END CERTIFICATE REQUEST-----\n"
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
+{
+    int ret;
+    unsigned char output_buf[4096];
+    size_t olen = 0;
+
+    if( ( ret = mbedtls_x509write_csr_der( ctx, output_buf, sizeof(output_buf),
+                                   f_rng, p_rng ) ) < 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CSR, PEM_END_CSR,
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
diff --git a/third-party/mbedtls-3.6/library/xtea.c b/third-party/mbedtls-3.6/library/xtea.c
new file mode 100644
index 00000000..a1e51414
--- /dev/null
+++ b/third-party/mbedtls-3.6/library/xtea.c
@@ -0,0 +1,306 @@
+/*
+ *  An 32-bit implementation of the XTEA algorithm
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ *
+ *  This file is provided under the Apache License 2.0, or the
+ *  GNU General Public License v2.0 or later.
+ *
+ *  **********
+ *  Apache License 2.0:
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  **********
+ *
+ *  **********
+ *  GNU General Public License v2.0 or later:
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ *  **********
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_XTEA_C)
+
+#include "mbedtls/xtea.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_XTEA_ALT)
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+void mbedtls_xtea_init( mbedtls_xtea_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_xtea_context ) );
+}
+
+void mbedtls_xtea_free( mbedtls_xtea_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_zeroize( ctx, sizeof( mbedtls_xtea_context ) );
+}
+
+/*
+ * XTEA key schedule
+ */
+void mbedtls_xtea_setup( mbedtls_xtea_context *ctx, const unsigned char key[16] )
+{
+    int i;
+
+    memset( ctx, 0, sizeof(mbedtls_xtea_context) );
+
+    for( i = 0; i < 4; i++ )
+    {
+        GET_UINT32_BE( ctx->k[i], key, i << 2 );
+    }
+}
+
+/*
+ * XTEA encrypt function
+ */
+int mbedtls_xtea_crypt_ecb( mbedtls_xtea_context *ctx, int mode,
+                    const unsigned char input[8], unsigned char output[8])
+{
+    uint32_t *k, v0, v1, i;
+
+    k = ctx->k;
+
+    GET_UINT32_BE( v0, input, 0 );
+    GET_UINT32_BE( v1, input, 4 );
+
+    if( mode == MBEDTLS_XTEA_ENCRYPT )
+    {
+        uint32_t sum = 0, delta = 0x9E3779B9;
+
+        for( i = 0; i < 32; i++ )
+        {
+            v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
+            sum += delta;
+            v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum>>11) & 3]);
+        }
+    }
+    else /* MBEDTLS_XTEA_DECRYPT */
+    {
+        uint32_t delta = 0x9E3779B9, sum = delta * 32;
+
+        for( i = 0; i < 32; i++ )
+        {
+            v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum>>11) & 3]);
+            sum -= delta;
+            v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
+        }
+    }
+
+    PUT_UINT32_BE( v0, output, 0 );
+    PUT_UINT32_BE( v1, output, 4 );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * XTEA-CBC buffer encryption/decryption
+ */
+int mbedtls_xtea_crypt_cbc( mbedtls_xtea_context *ctx, int mode, size_t length,
+                    unsigned char iv[8], const unsigned char *input,
+                    unsigned char *output)
+{
+    int i;
+    unsigned char temp[8];
+
+    if( length % 8 )
+        return( MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_XTEA_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 8 );
+            mbedtls_xtea_crypt_ecb( ctx, mode, input, output );
+
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_xtea_crypt_ecb( ctx, mode, output, output );
+            memcpy( iv, output, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* !MBEDTLS_XTEA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * XTEA tests vectors (non-official)
+ */
+
+static const unsigned char xtea_test_key[6][16] =
+{
+   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+     0x0c, 0x0d, 0x0e, 0x0f },
+   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+     0x0c, 0x0d, 0x0e, 0x0f },
+   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+     0x0c, 0x0d, 0x0e, 0x0f },
+   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00 },
+   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00 },
+   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char xtea_test_pt[6][8] =
+{
+    { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
+    { 0x5a, 0x5b, 0x6e, 0x27, 0x89, 0x48, 0xd7, 0x7f },
+    { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
+    { 0x70, 0xe1, 0x22, 0x5d, 0x6e, 0x4e, 0x76, 0x55 }
+};
+
+static const unsigned char xtea_test_ct[6][8] =
+{
+    { 0x49, 0x7d, 0xf3, 0xd0, 0x72, 0x61, 0x2c, 0xb5 },
+    { 0xe7, 0x8f, 0x2d, 0x13, 0x74, 0x43, 0x41, 0xd8 },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
+    { 0xa0, 0x39, 0x05, 0x89, 0xf8, 0xb8, 0xef, 0xa5 },
+    { 0xed, 0x23, 0x37, 0x5a, 0x82, 0x1a, 0x8c, 0x2d },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_xtea_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char buf[8];
+    mbedtls_xtea_context ctx;
+
+    mbedtls_xtea_init( &ctx );
+    for( i = 0; i < 6; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  XTEA test #%d: ", i + 1 );
+
+        memcpy( buf, xtea_test_pt[i], 8 );
+
+        mbedtls_xtea_setup( &ctx, xtea_test_key[i] );
+        mbedtls_xtea_crypt_ecb( &ctx, MBEDTLS_XTEA_ENCRYPT, buf, buf );
+
+        if( memcmp( buf, xtea_test_ct[i], 8 ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+exit:
+    mbedtls_xtea_free( &ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_XTEA_C */
diff --git a/third-party/mbedtls-3.6/makefile b/third-party/mbedtls-3.6/makefile
new file mode 100644
index 00000000..17f84019
--- /dev/null
+++ b/third-party/mbedtls-3.6/makefile
@@ -0,0 +1,5 @@
+include $(PROJECT_DIR)/sdkconfig
+
+include src.mk
+
+include $(SDK_DIR)/tools/build/compiler.mk
\ No newline at end of file
diff --git a/third-party/mbedtls-3.6/mbedtls.kconfig b/third-party/mbedtls-3.6/mbedtls.kconfig
new file mode 100644
index 00000000..b832fe10
--- /dev/null
+++ b/third-party/mbedtls-3.6/mbedtls.kconfig
@@ -0,0 +1,3 @@
+menu "MBEDTLS Freertos Port Configuration"
+ 
+endmenu
\ No newline at end of file
diff --git a/third-party/mbedtls-3.6/mbedtls_freertos.mk b/third-party/mbedtls-3.6/mbedtls_freertos.mk
new file mode 100644
index 00000000..8e1cddb9
--- /dev/null
+++ b/third-party/mbedtls-3.6/mbedtls_freertos.mk
@@ -0,0 +1,8 @@
+MBEDTLS_FREERTOS_CUR_DIR := $(FREERTOS_SDK_DIR)/third-party
+
+ifdef CONFIG_USE_MBEDTLS
+
+INC_DIR +=  $(MBEDTLS_FREERTOS_CUR_DIR)/mbedtls-3.6
+SRC_DIR +=  $(MBEDTLS_FREERTOS_CUR_DIR)/mbedtls-3.6
+
+endif
diff --git a/third-party/mbedtls-3.6/ports/inc/tls_certificate.h b/third-party/mbedtls-3.6/ports/inc/tls_certificate.h
new file mode 100644
index 00000000..a4e5a48e
--- /dev/null
+++ b/third-party/mbedtls-3.6/ports/inc/tls_certificate.h
@@ -0,0 +1,28 @@
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+ #ifndef MBEDTLS_CERTIFICATE_H
+ #define MBEDTLS_CERTIFICATE_H
+
+
+extern const char mbedtls_root_certificate[];
+
+extern const size_t mbedtls_root_certificate_len;
+
+#endif 
diff --git a/third-party/mbedtls-3.6/ports/inc/tls_net.h b/third-party/mbedtls-3.6/ports/inc/tls_net.h
new file mode 100644
index 00000000..3d60cd9d
--- /dev/null
+++ b/third-party/mbedtls-3.6/ports/inc/tls_net.h
@@ -0,0 +1,224 @@
+/**
+ * \file net.h
+ *
+ * \brief Network communication functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_NET_H
+#define MBEDTLS_NET_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/ssl.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_NET_SOCKET_FAILED                     -0x0042  /**< Failed to open a socket. */
+#define MBEDTLS_ERR_NET_CONNECT_FAILED                    -0x0044  /**< The connection to the given server / port failed. */
+#define MBEDTLS_ERR_NET_BIND_FAILED                       -0x0046  /**< Binding of the socket failed. */
+#define MBEDTLS_ERR_NET_LISTEN_FAILED                     -0x0048  /**< Could not listen on the socket. */
+#define MBEDTLS_ERR_NET_ACCEPT_FAILED                     -0x004A  /**< Could not accept the incoming connection. */
+#define MBEDTLS_ERR_NET_RECV_FAILED                       -0x004C  /**< Reading information from the socket failed. */
+#define MBEDTLS_ERR_NET_SEND_FAILED                       -0x004E  /**< Sending information through the socket failed. */
+#define MBEDTLS_ERR_NET_CONN_RESET                        -0x0050  /**< Connection was reset by peer. */
+#define MBEDTLS_ERR_NET_UNKNOWN_HOST                      -0x0052  /**< Failed to get an IP address for the given hostname. */
+#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL                  -0x0043  /**< Buffer is too small to hold the data. */
+#define MBEDTLS_ERR_NET_INVALID_CONTEXT                   -0x0045  /**< The context is invalid, eg because it was free()ed. */
+
+#define MBEDTLS_NET_LISTEN_BACKLOG         10 /**< The backlog that listen() should use. */
+
+#define MBEDTLS_NET_PROTO_TCP 0 /**< The TCP transport protocol */
+#define MBEDTLS_NET_PROTO_UDP 1 /**< The UDP transport protocol */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Wrapper type for sockets.
+ *
+ * Currently backed by just a file descriptor, but might be more in the future
+ * (eg two file descriptors for combined IPv4 + IPv6 support, or additional
+ * structures for hand-made UDP demultiplexing).
+ */
+typedef struct
+{
+    int fd;             /**< The underlying file descriptor                 */
+}mbedtls_net_context;
+
+/**
+ * \brief          Initialize a context
+ *                 Just makes the context ready to be used or freed safely.
+ *
+ * \param ctx      Context to initialize
+ */
+void mbedtls_net_init( mbedtls_net_context *ctx );
+
+/**
+ * \brief          Initiate a connection with host:port in the given protocol
+ *
+ * \param ctx      Socket to use
+ * \param host     Host to connect to
+ * \param port     Port to connect to
+ * \param proto    Protocol: MBEDTLS_NET_PROTO_TCP or MBEDTLS_NET_PROTO_UDP
+ *
+ * \return         0 if successful, or one of:
+ *                      MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                      MBEDTLS_ERR_NET_UNKNOWN_HOST,
+ *                      MBEDTLS_ERR_NET_CONNECT_FAILED
+ *
+ * \note           Sets the socket in connected mode even with UDP.
+ */
+int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host, const char *port, int proto );
+
+/**
+ * \brief          Create a receiving socket on bind_ip:port in the chosen
+ *                 protocol. If bind_ip == NULL, all interfaces are bound.
+ *
+ * \param ctx      Socket to use
+ * \param bind_ip  IP to bind to, can be NULL
+ * \param port     Port number to use
+ * \param proto    Protocol: MBEDTLS_NET_PROTO_TCP or MBEDTLS_NET_PROTO_UDP
+ *
+ * \return         0 if successful, or one of:
+ *                      MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                      MBEDTLS_ERR_NET_BIND_FAILED,
+ *                      MBEDTLS_ERR_NET_LISTEN_FAILED
+ *
+ * \note           Regardless of the protocol, opens the sockets and binds it.
+ *                 In addition, make the socket listening if protocol is TCP.
+ */
+int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto );
+
+/**
+ * \brief           Accept a connection from a remote client
+ *
+ * \param bind_ctx  Relevant socket
+ * \param client_ctx Will contain the connected client socket
+ * \param client_ip Will contain the client IP address
+ * \param buf_size  Size of the client_ip buffer
+ * \param ip_len    Will receive the size of the client IP written
+ *
+ * \return          0 if successful, or
+ *                  MBEDTLS_ERR_NET_ACCEPT_FAILED, or
+ *                  MBEDTLS_ERR_NET_BUFFER_TOO_SMALL if buf_size is too small,
+ *                  MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to
+ *                  non-blocking and accept() would block.
+ */
+int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+                        mbedtls_net_context *client_ctx,
+                        void *client_ip, size_t buf_size, size_t *ip_len );
+
+/**
+ * \brief          Set the socket blocking
+ *
+ * \param ctx      Socket to set
+ *
+ * \return         0 if successful, or a non-zero error code
+ */
+int mbedtls_net_set_block( mbedtls_net_context *ctx );
+
+/**
+ * \brief          Set the socket non-blocking
+ *
+ * \param ctx      Socket to set
+ *
+ * \return         0 if successful, or a non-zero error code
+ */
+int mbedtls_net_set_nonblock( mbedtls_net_context *ctx );
+
+/**
+ * \brief          Portable usleep helper
+ *
+ * \param usec     Amount of microseconds to sleep
+ *
+ * \note           Real amount of time slept will not be less than
+ *                 select()'s timeout granularity (typically, 10ms).
+ */
+void mbedtls_net_usleep( unsigned long usec );
+
+/**
+ * \brief          Read at most 'len' characters. If no error occurs,
+ *                 the actual amount read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to write to
+ * \param len      Maximum length of the buffer
+ *
+ * \return         the number of bytes received,
+ *                 or a non-zero error code; with a non-blocking socket,
+ *                 MBEDTLS_ERR_SSL_WANT_READ indicates read() would block.
+ */
+int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len );
+
+/**
+ * \brief          Write at most 'len' characters. If no error occurs,
+ *                 the actual amount read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to read from
+ * \param len      The length of the buffer
+ *
+ * \return         the number of bytes sent,
+ *                 or a non-zero error code; with a non-blocking socket,
+ *                 MBEDTLS_ERR_SSL_WANT_WRITE indicates write() would block.
+ */
+int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len );
+
+/**
+ * \brief          Read at most 'len' characters, blocking for at most
+ *                 'timeout' seconds. If no error occurs, the actual amount
+ *                 read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to write to
+ * \param len      Maximum length of the buffer
+ * \param timeout  Maximum number of milliseconds to wait for data
+ *                 0 means no timeout (wait forever)
+ *
+ * \return         the number of bytes received,
+ *                 or a non-zero error code:
+ *                 MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
+ *                 MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
+ *
+ * \note           This function will block (until data becomes available or
+ *                 timeout is reached) even if the socket is set to
+ *                 non-blocking. Handling timeouts with non-blocking reads
+ *                 requires a different strategy.
+ */
+int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
+                      uint32_t timeout );
+
+/**
+ * \brief          Gracefully shutdown the connection and free associated data
+ *
+ * \param ctx      The context to free
+ */
+void mbedtls_net_free( mbedtls_net_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* net.h */
diff --git a/third-party/mbedtls-3.6/ports/src/tls_certificate.c b/third-party/mbedtls-3.6/ports/src/tls_certificate.c
new file mode 100644
index 00000000..6b78d3d8
--- /dev/null
+++ b/third-party/mbedtls-3.6/ports/src/tls_certificate.c
@@ -0,0 +1,47 @@
+
+/*
+ * Copyright (c) 2006-2018 RT-Thread Development Team. All rights reserved.
+ * License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "mbedtls/certs.h"
+
+const char mbedtls_root_certificate[] = 
+"-----BEGIN CERTIFICATE-----\r\n" \
+"MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/\r\n" \
+"MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\r\n" \
+"DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow\r\n" \
+"PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD\r\n" \
+"Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\r\n" \
+"AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O\r\n" \
+"rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq\r\n" \
+"OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b\r\n" \
+"xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\r\n" \
+"7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD\r\n" \
+"aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV\r\n" \
+"HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG\r\n" \
+"SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69\r\n" \
+"ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr\r\n" \
+"AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz\r\n" \
+"R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5\r\n" \
+"JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo\r\n" \
+"Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\r\n" \
+"-----END CERTIFICATE-----\r\n" \
+
+;
+
+const size_t mbedtls_root_certificate_len = sizeof(mbedtls_root_certificate);
+
diff --git a/third-party/mbedtls-3.6/ports/src/tls_net.c b/third-party/mbedtls-3.6/ports/src/tls_net.c
new file mode 100644
index 00000000..72fbc0f9
--- /dev/null
+++ b/third-party/mbedtls-3.6/ports/src/tls_net.c
@@ -0,0 +1,508 @@
+/*
+ *  TCP/IP or UDP/IP networking functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/* Some MS functions want int and MSVC warns if we pass size_t,
+ * but the standard fucntions use socklen_t, so cast only for MSVC */
+#if defined(_MSC_VER)
+#define MSVC_INT_CAST   (int)
+#else
+#define MSVC_INT_CAST
+#endif
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <time.h>
+#include <stdint.h>
+
+/* 头文件包含 */
+#include <sys/types.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include "lwip/dhcp.h"
+#include "lwip/tcpip.h"
+#include "lwip/netdb.h"
+#include "lwip/sockets.h"
+#include "netif/ethernet.h"
+
+#include "tls_net.h"
+
+/*
+ * Prepare for using the sockets interface
+ */
+static int net_prepare( void )
+{
+    return ( 0 );
+}
+
+/*
+ * Initialize a context
+ */
+void mbedtls_net_init( mbedtls_net_context *ctx )
+{
+    ctx->fd = -1;
+}
+
+/*
+ * Initiate a TCP connection with host:port and the given protocol
+ */
+int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host, const char *port, int proto )
+{
+    int ret;
+    struct addrinfo hints, *addr_list, *cur;
+
+    if( ( ret = net_prepare() ) != 0 )
+        return( ret );
+
+    /* Do name resolution with both IPv6 and IPv4 */
+    memset( &hints, 0, sizeof( hints ) );
+    hints.ai_family = AF_UNSPEC;
+    hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
+    hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
+
+    if( getaddrinfo( host, port, &hints, &addr_list ) != 0 )
+        return( MBEDTLS_ERR_NET_UNKNOWN_HOST );
+
+    /* Try the sockaddrs until a connection succeeds */
+    ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
+    for( cur = addr_list; cur != NULL; cur = cur->ai_next )
+    {
+        ctx->fd = (int) socket( cur->ai_family, cur->ai_socktype,
+                            cur->ai_protocol );
+        if( ctx->fd < 0 )
+        {
+            printf("socket error\n");
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        if( connect( ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen ) == 0 )
+        {
+            ret = 0;
+            break;
+        }
+
+        closesocket( ctx->fd );
+        ret = MBEDTLS_ERR_NET_CONNECT_FAILED;
+    }
+
+    freeaddrinfo( addr_list );
+
+    return( ret );
+}
+
+/*
+ * Create a listening socket on bind_ip:port
+ */
+int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto )
+{
+    int n, ret;
+    struct addrinfo hints, *addr_list, *cur;
+
+    if( ( ret = net_prepare() ) != 0 )
+        return( ret );
+
+    /* Bind to IPv6 and/or IPv4, but only in the desired protocol */
+    memset( &hints, 0, sizeof( hints ) );
+    hints.ai_family = AF_UNSPEC;
+    hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
+    hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
+    if( bind_ip == NULL )
+        hints.ai_flags = AI_PASSIVE;
+
+    if( getaddrinfo( bind_ip, port, &hints, &addr_list ) != 0 )
+        return( MBEDTLS_ERR_NET_UNKNOWN_HOST );
+
+    /* Try the sockaddrs until a binding succeeds */
+    ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
+    for( cur = addr_list; cur != NULL; cur = cur->ai_next )
+    {
+        ctx->fd = (int) socket( cur->ai_family, cur->ai_socktype,
+                            cur->ai_protocol );
+        if( ctx->fd < 0 )
+        {
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        n = 1;
+        if( setsockopt( ctx->fd, SOL_SOCKET, SO_REUSEADDR,
+                        (const char *) &n, sizeof( n ) ) != 0 )
+        {
+            closesocket( ctx->fd );
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        if( bind( ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen ) != 0 )
+        {
+            closesocket( ctx->fd );
+            ret = MBEDTLS_ERR_NET_BIND_FAILED;
+            continue;
+        }
+
+        /* Listen only makes sense for TCP */
+        if( proto == MBEDTLS_NET_PROTO_TCP )
+        {
+            if( listen( ctx->fd, MBEDTLS_NET_LISTEN_BACKLOG ) != 0 )
+            {
+                closesocket( ctx->fd );
+                ret = MBEDTLS_ERR_NET_LISTEN_FAILED;
+                continue;
+            }
+        }
+
+        /* I we ever get there, it's a success */
+        ret = 0;
+        break;
+    }
+
+    freeaddrinfo( addr_list );
+
+    return( ret );
+
+}
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && !defined(EFI32)
+/*
+ * Check if the requested operation would be blocking on a non-blocking socket
+ * and thus 'failed' with a negative return value.
+ */
+static int net_would_block( const mbedtls_net_context *ctx )
+{
+    ((void) ctx);
+    return( WSAGetLastError() == WSAEWOULDBLOCK );
+}
+#else
+/*
+ * Check if the requested operation would be blocking on a non-blocking socket
+ * and thus 'failed' with a negative return value.
+ *
+ * Note: on a blocking socket this function always returns 0!
+ */
+static int net_would_block( const mbedtls_net_context *ctx )
+{
+    /*
+     * Never return 'WOULD BLOCK' on a non-blocking socket
+     */
+    if( ( fcntl( ctx->fd, F_GETFL, 0) & O_NONBLOCK ) != O_NONBLOCK )
+        return( 0 );
+    return( 1 );
+
+}
+#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+/*
+ * Accept a connection from a remote client
+ */
+int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+                        mbedtls_net_context *client_ctx,
+                        void *client_ip, size_t buf_size, size_t *ip_len )
+{
+    int ret;
+    int type;
+
+    struct sockaddr_in client_addr;
+
+#if defined(__socklen_t_defined) || defined(_SOCKLEN_T) ||  \
+    defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t)
+    socklen_t n = (socklen_t) sizeof( client_addr );
+    socklen_t type_len = (socklen_t) sizeof( type );
+#else
+    socklen_t n = (int) sizeof( client_addr );
+    socklen_t type_len = (int) sizeof( type );
+#endif
+
+    /* Is this a TCP or UDP socket? */
+    if( getsockopt( bind_ctx->fd, SOL_SOCKET, SO_TYPE,
+                    (void *) &type, &type_len ) != 0 ||
+        ( type != SOCK_STREAM && type != SOCK_DGRAM ) )
+    {
+        return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
+    }
+
+    if( type == SOCK_STREAM )
+    {
+        /* TCP: actual accept() */
+        ret = client_ctx->fd = (int) accept( bind_ctx->fd,
+                                         (struct sockaddr *) &client_addr, &n );
+    }
+    else
+    {
+        /* UDP: wait for a message, but keep it in the queue */
+        char buf[1] = { 0 };
+
+        ret = (int) recvfrom( bind_ctx->fd, buf, sizeof( buf ), MSG_PEEK,
+                        (struct sockaddr *) &client_addr, &n );
+
+#if defined(_WIN32)
+        if( ret == SOCKET_ERROR &&
+            WSAGetLastError() == WSAEMSGSIZE )
+        {
+            /* We know buf is too small, thanks, just peeking here */
+            ret = 0;
+        }
+#endif
+    }
+
+    if( ret < 0 )
+    {
+        if( net_would_block( bind_ctx ) != 0 )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+
+        return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
+    }
+
+    /* UDP: hijack the listening socket to communicate with the client,
+     * then bind a new socket to accept new connections */
+    if( type != SOCK_STREAM )
+    {
+        struct sockaddr_in local_addr;
+        int one = 1;
+
+        if( connect( bind_ctx->fd, (struct sockaddr *) &client_addr, n ) != 0 )
+            return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
+
+        client_ctx->fd = bind_ctx->fd;
+        bind_ctx->fd   = -1; /* In case we exit early */
+
+        n = sizeof( struct sockaddr_in );
+
+        if( getsockname( client_ctx->fd,
+                         (struct sockaddr *) &local_addr, &n ) != 0 ||
+            ( bind_ctx->fd = (int) socket( local_addr.sin_family,
+                                           SOCK_DGRAM, IPPROTO_UDP ) ) < 0 ||
+            setsockopt( bind_ctx->fd, SOL_SOCKET, SO_REUSEADDR,
+                        (const char *) &one, sizeof( one ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_NET_SOCKET_FAILED );
+        }
+
+        if( bind( bind_ctx->fd, (struct sockaddr *) &local_addr, n ) != 0 )
+        {
+            return( MBEDTLS_ERR_NET_BIND_FAILED );
+        }
+    }
+
+    if( client_ip != NULL )
+    {
+        if( client_addr.sin_family == AF_INET )
+        {
+            struct sockaddr_in *addr4 = (struct sockaddr_in *) &client_addr;
+            *ip_len = sizeof( addr4->sin_addr.s_addr );
+
+            if( buf_size < *ip_len )
+                return( MBEDTLS_ERR_NET_BUFFER_TOO_SMALL );
+
+            memcpy( client_ip, &addr4->sin_addr.s_addr, *ip_len );
+        }
+        else
+        {
+
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Set the socket blocking or non-blocking
+ */
+int net_set_block(int fd)
+{
+#if defined(WIN32) || defined(_WIN32_WCE)
+	long n = 0;
+	return (ioctlsocket(fd, FIONBIO, &n));
+#else
+	return (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK));
+#endif
+}
+
+int net_set_nonblock(int fd)
+{
+#if defined(WIN32) || defined(_WIN32_WCE)
+	long n = 1;
+	return (ioctlsocket(fd, FIONBIO, &n));
+#else
+	return (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK));
+#endif
+}
+
+/*
+ * Portable usleep helper
+ */
+void mbedtls_net_usleep( unsigned long usec )
+{
+#if defined(_WIN32)
+    Sleep( ( usec + 999 ) / 1000 );
+#else
+    struct timeval tv;
+    tv.tv_sec  = usec / 1000000;
+#if defined(__unix__) || defined(__unix) || \
+    ( defined(__APPLE__) && defined(__MACH__) )
+    tv.tv_usec = (suseconds_t) usec % 1000000;
+#else
+    tv.tv_usec = usec % 1000000;
+#endif
+    select( 0, NULL, NULL, NULL, &tv );
+#endif
+}
+
+/*
+ * Read at most 'len' characters
+ */
+int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len )
+{
+    int ret;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+    ret = (int) recv( fd, buf, len, 0);
+
+
+    if( ret < 0 )
+    {
+        if( net_would_block( ctx ) != 0 )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if( WSAGetLastError() == WSAECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+#else
+        if( errno == EPIPE || errno == ECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+
+        if( errno == EINTR )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+#endif
+
+        return( MBEDTLS_ERR_NET_RECV_FAILED );
+    }
+
+    return( ret );
+}
+
+/*
+ * Read at most 'len' characters, blocking for at most 'timeout' ms
+ */
+int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
+                      uint32_t timeout )
+{
+    int ret;
+    struct timeval tv;
+    fd_set read_fds;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+    FD_ZERO( &read_fds );
+    FD_SET( fd, &read_fds );
+
+    tv.tv_sec  = timeout / 1000;
+    tv.tv_usec = ( timeout % 1000 ) * 1000;
+
+    ret = select( fd + 1, &read_fds, NULL, NULL, timeout == 0 ? NULL : &tv );
+
+    /* Zero fds ready means we timed out */
+    if( ret == 0 )
+        return( MBEDTLS_ERR_SSL_TIMEOUT );
+
+    if( ret < 0 )
+    {
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if( WSAGetLastError() == WSAEINTR )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+#else
+        if( errno == EINTR )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+#endif
+
+        return( MBEDTLS_ERR_NET_RECV_FAILED );
+    }
+
+    /* This call will not block */
+    return( mbedtls_net_recv( ctx, buf, len ) );
+}
+
+/*
+ * Write at most 'len' characters
+ */
+int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
+{
+    int ret;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+    ret = (int) send( fd, buf, len, 0 );
+
+    if( ret < 0 )
+    {
+        if( net_would_block( ctx ) != 0 )
+            return( MBEDTLS_ERR_SSL_WANT_WRITE );
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if( WSAGetLastError() == WSAECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+#else
+        if( errno == EPIPE || errno == ECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+
+        if( errno == EINTR )
+            return( MBEDTLS_ERR_SSL_WANT_WRITE );
+#endif
+
+        return( MBEDTLS_ERR_NET_SEND_FAILED );
+    }
+
+    return( ret );
+}
+
+/*
+ * Gracefully close the connection
+ */
+void mbedtls_net_free( mbedtls_net_context *ctx )
+{
+    if( ctx->fd == -1 )
+        return;
+
+    closesocket( ctx->fd );
+    ctx->fd = -1;
+}
+
+
diff --git a/third-party/mbedtls-3.6/src.mk b/third-party/mbedtls-3.6/src.mk
new file mode 100644
index 00000000..58722910
--- /dev/null
+++ b/third-party/mbedtls-3.6/src.mk
@@ -0,0 +1,11 @@
+
+ifdef CONFIG_USE_MBEDTLS
+
+MBEDTLS_RT_C_DIR = $(abspath $(FREERTOS_SDK_DIR)/third-party/mbedtls-3.6)
+
+# src code of lwip
+ABSOLUTE_CFILES  += $(wildcard $(MBEDTLS_RT_C_DIR)/library/*.c) \
+				$(wildcard $(MBEDTLS_RT_C_DIR)/ports/src/*.c)
+
+endif #CONFIG_USE_MBEDTLS
+
diff --git a/third-party/third-party.kconfig b/third-party/third-party.kconfig
index cf55b0cc..d6f25c50 100644
--- a/third-party/third-party.kconfig
+++ b/third-party/third-party.kconfig
@@ -11,6 +11,17 @@ config USE_LWIP
         source "$(FREERTOS_SDK_DIR)/third-party/lwip-2.1.2/lwip.kconfig"
     endif
 
+config USE_MBEDTLS
+    bool
+    prompt "Use mbedtls"
+    default n
+    help
+        Include MBEDTLS for Network Protocol
+
+    if USE_MBEDTLS
+        source "$(FREERTOS_SDK_DIR)/third-party/mbedtls-3.6/mbedtls.kconfig"
+    endif    
+
 config USE_LETTER_SHELL
     bool
     prompt "Use letter shell"
diff --git a/third-party/thirdparty.mk b/third-party/thirdparty.mk
index e4b0b679..d94e4b51 100644
--- a/third-party/thirdparty.mk
+++ b/third-party/thirdparty.mk
@@ -66,6 +66,17 @@ lib_lwip_info:
 BAREMETAL_LIBS+= $(BUILD_OUT_PATH)/lib_lwip.a
 endif
 
+ifdef CONFIG_USE_MBEDTLS
+$(BUILD_OUT_PATH)/lib_mbedtls.a: lib_mbedtls.a
+lib_mbedtls.a: 
+	$(call rtos_invoke_make_in_dir,$(FREERTOS_SDK_DIR),third-party/mbedtls-3.6,makefile,all,)
+lib_mbedtls_debug:
+	$(call rtos_invoke_make_in_dir,$(FREERTOS_SDK_DIR),third-party/mbedtls-3.6,makefile,debug,)
+lib_mbedtls_info:
+	$(call rtos_invoke_make_in_dir,$(FREERTOS_SDK_DIR),third-party/mbedtls-3.6,makefile,compiler_info,)
+BAREMETAL_LIBS+= $(BUILD_OUT_PATH)/lib_mbedtls.a
+endif
+
 ifdef CONFIG_USE_SFUD
 $(BUILD_OUT_PATH)/lib_sfud.a: lib_sfud.a
 lib_sfud.a:
-- 
Gitee